FOSE 2009 – Risks and Benefits of Next Generation Internet
March 11th, 2009 by Julia Lim
With the specter of IPv6 still looming over federal agencies, I sat in on a panel at FOSE 2009 this morning that discussed the impact of IPv6 from a security standpoint, and how the challenges posed by transitional security risks are impeding adoption of the protocol.
Moderated by Casey Dunlevy, technical director, strategic security programs for the Global Analysis Division of BAE Systems IT, “Risks and Benefits of Next Generation Internet” aimed to explain the security challenges (and advantages) posed by IPv6, strategies for adoption and transition and the payoffs for investing in IPv6.
On the panel were:
- Charles Lee, CTO of Verizon’s federal government segment
- Sheila Frankel, computer scientist and researcher in the Computer Security Division of NIST
- Patrick Beggs, director of critical infrastructure protection – cyber security with DHS
Dunlevy started the panel by providing an overview of the current state of the IPv6 transition on a global scale. Surprisingly (or not surprisingly) no country has over 1 percent of its Internet users transitioned to the new Internet, with Russia leading the pack at .76 percent. The United States ranked fifth with under half a percent of users on IPv6 (.45 percent), behind the likes of France, Ukraine and…Norway. Dunlevy did not predict any kind of “full” transition until at least 2018.
Next to speak was Charles Lee, who said that the time to do something about next-generation networking has passed – the question we should be asking is no longer “what can I do on IPv6” but rather “what CAN’T I do on IPv4.” He stated that IPv4 is an application killer and that many of the new administration’s technology goals, from green computing and smart power grids to environmental and remote sensor networks, cannot be achieved on IPv4.
He also talked about Verizon’s goal to move Verizon’s share of global Internet traffic (50 percent) to IPv6 by 2010. Charles’ point is that public/private Internet transmissions will be made needlessly complex if public IPv6 adoption vastly outweighs government adoption.
Sheila Frankel with NIST presented next and provided a deeper dive into the security concerns around the IPv6 transition. Sheila explained that many of the purported benefits of IPv6 can actually be achieved on IPv4, which has seriously impacted agency commitment to make the transition – which I can completely understand. If it works now on a platform that you fully understand, why make the change?
She brought up the issues of complexity around a transition, especially with the necessary support of both the IPv4 and IPv6 platforms in the foreseeable future. This complexity brings previously unknown interactions to light, requiring near constant development on the security side to remedy.
Sheila also debunked some of the myths around IPv6 adoption, including the “resurrection of end-to-end communications.” Due to the topology-defined networks of today, such communication between users is impossible, simply because one doesn’t know who is actually receiving the message.
Finally, Sheila discussed NIST’s activities in IPv6, which center on defining what “IPv6-capable” means for government agencies. Their end goal is to make IPv6 devices “plug and play,” but it won’t be to that level for some time – although NIST does have a testing program in the works, complete with multiple testing labs and vendor SDOCs to prove compliance.
Last up to present was Patrick Beggs. Patrick’s discussion focused on the importance of the public and private sectors working together to fix the potential security issues in the IPv6 transition. He brought up the fact that most people in the room didn’t even know that DHS and the private sector had been working together for the past two years to develop a critical infrastructure assessment to show that there needs to be even more collaboration on this issue.
Patrick explained that a risk profile is being developed for an IPv6 transition, complete with best practices and assessments from private sector organizations already making the transition. The report will be publicly available in April, and will detail what DHS sees as the biggest threats (and defenses) during an IPv6 transition.
The moderator then opened the floor up to questions, with the first question poking the elephant in the room. The attendee had been at FOSE four years ago when IPv6 was THE big issue, and wanted to know what happened since then to encourage agencies to comfortably make the transition.
Sheila fielded the question first and said that two factors are preventing agencies from making the transition – being able to purchase IPv6-enabled equipment and then being able to turn that equipment on. She pointed out that an IPv6 mandate on routers had resulted in agencies setting up labs to test v6-enabled devices, but that was it – so there is some experience and comfort there, albeit on a small scale. Sheila also said that a lack of edge devices (firewalls and gateways) is impacting the ability to provide the proper levels of security during a transition.
Charles Lee went a bit further and said that when the government made the Internet public last decade, they gave up the ability to control or enforce future iterations of the technology. While it was the right thing to do (commercialization), they now lack the ability to force their own agencies, or anyone else, to adopt new standards in IT.
Casey gave a much simpler prediction on IPv6 within government IT – as the Department of Defense goes, so does the rest of the government IT world. When BAE or other large integrators start seeking out IPv6-trained and experienced folks to transition networks, the experience and comfort will start to show up internally at government agencies as well.
The next question asked if there were any technologies that could potentially leapfrog or parallel IPv6, further reducing the need to transition. The panelists generally dismissed this concept, saying that IP is now a global standard, and that the time to have a competing technology would have been when the Internet was US-centric.
Question three was actually more of a statement – one of the founders of ARIN (the American Registry for Internet Numbers) was also in the audience, and brought up the fact that at current rates, ARIN only has enough IPv4 IP addresses to last 762 days. He says that they expect a “cliff function” to occur – on demand until IPv4 addresses run out, then enormous demand developing for IPv6 addresses. The panelists generally agreed with this assessment, and Charles went on to say that IPv4 and IPv6 will have to coexist for a long time, possibly longer than his lifetime, making security and interoperability even harder on network engineers.
All in all, the panel was an interesting look at a much-discussed but little-realized federal IT need – the transition to IPv6. The comments from ARIN make the need for a smooth and swift transition that much more glaring, as there is essentially now a ticking clock on the ability of business and government to innovate on IPv4.
3 Comments
1. Geof Lambert | March 12th, 2009 at 12:27 pm
Thank you for this informative report.
2. FOSE 2009 - Transforming… | March 13th, 2009 at 8:19 am
[...] back to yesterday’s IPv6 session, David also brought up the fact that IPv6 is integral to cloud computing – “EOIP” or [...]
3. Joseph… | March 26th, 2009 at 1:57 am
internet security concerns…
Intriguing idea, but I don’t know if I believe you one hundred percent….