Internet Protocol Version 6
Federal Agencies Need to Plan for Transition and Manage Security Risks Gao ID: GAO-05-471 May 20, 2005The Internet protocol (IP) provides the addressing mechanism that defines how and where information such as text, voice, and video move across interconnected networks. Internet protocol version 4 (IPv4), which is widely used today, may not be able to accommodate the increasing number of global users and devices that are connecting to the Internet. As a result, IP version 6 (IPv6) was developed to increase the amount of available IP address space. It is gaining momentum globally from regions with limited address space. GAO was asked to (1) describe the key characteristics of IPv6; (2) identify the key planning considerations for federal agencies in transitioning to IPv6; and (3) determine the progress made by the Department of Defense (DOD) and other major agencies to transition to IPv6.
The key characteristics of IPv6 are designed to increase address space, promote flexibility and functionality, and enhance security. For example, by using 128-bit addresses rather than 32-bit addresses, IPv6 dramatically increases the available Internet address space from approximately 4.3 billion addresses in IPv4 to approximately 3.4 x 10^38 in IPv6. Key planning considerations for federal agencies include recognizing that the transition is already under way, because IPv6-capable software and equipment already exists in agency networks. Other important agency planning considerations include developing inventories and assessing risks; creating business cases that identify organizational needs and goals; establishing policies and enforcement mechanisms; determining costs; and identifying timelines and methods for transition. In addition, managing the security aspects of an IPv6 transition is another consideration since IPv6 can introduce additional security risks to agency information. For example, attackers of federal networks could abuse IPv6 features to allow unauthorized traffic or make agency computers directly accessible from the Internet. DOD has made progress in developing a business case, policies, timelines, and processes for transitioning to IPv6. Despite these efforts, challenges remain, including finalizing plans, enforcing policy, and monitoring for unauthorized IPv6 traffic. Unlike DOD, the majority of other major federal agencies reported not yet having initiated key planning efforts for IPv6. For example, 22 agencies lack business cases; 21 lack transition plans; 19 have not inventoried IPv6 software and equipment; and none had developed cost estimates.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-05-471, Internet Protocol Version 6: Federal Agencies Need to Plan for Transition and Manage Security Risks
This is the accessible text file for GAO report number GAO-05-471
entitled 'Internet Protocol Version 6: Federal Agencies Need to Plan
for Transition and Manage Security Risks' which was released on May 24,
2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
May 2005:
Internet Protocol Version 6:
Federal Agencies Need to Plan for Transition and Manage Security Risks:
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-471]:
GAO Highlights:
Highlights of GAO-05-471, a report to congressional requesters:
Why GAO Did This Study:
The Internet protocol (IP) provides the addressing mechanism that
defines how and where information such as text, voice, and video move
across interconnected networks. Internet protocol version 4 (IPv4),
which is widely used today, may not be able to accommodate the
increasing number of global users and devices that are connecting to
the Internet. As a result, IP version 6 (IPv6) was developed to
increase the amount of available IP address space. It is gaining
momentum globally from regions with limited address space.
GAO was asked to (1) describe the key characteristics of IPv6; (2)
identify the key planning considerations for federal agencies in
transitioning to IPv6; and (3) determine the progress made by the
Department of Defense (DOD) and other major agencies to transition to
IPv6.
What GAO Found:
The key characteristics of IPv6 are designed to increase address space,
promote flexibility and functionality, and enhance security. For
example, by using 128-bit addresses rather than 32-bit addresses, IPv6
dramatically increases the available Internet address space from
approximately 4.3 billion addresses in IPv4 to approximately 3.4 × 1038
in IPv6 (see figure).
Comparison of IPv4 and IPv6 Address Spaces:
[See PDF for image]
[End of figure]
Key planning considerations for federal agencies include recognizing
that the transition is already under way, because IPv6-capable software
and equipment already exists in agency networks. Other important agency
planning considerations include developing inventories and assessing
risks; creating business cases that identify organizational needs and
goals; establishing policies and enforcement mechanisms; determining
costs; and identifying timelines and methods for transition. In
addition, managing the security aspects of an IPv6 transition is
another consideration since IPv6 can introduce additional security
risks to agency information. For example, attackers of federal networks
could abuse IPv6 features to allow unauthorized traffic or make agency
computers directly accessible from the Internet.
DOD has made progress in developing a business case, policies,
timelines, and processes for transitioning to IPv6. Despite these
efforts, challenges remain, including finalizing plans, enforcing
policy, and monitoring for unauthorized IPv6 traffic. Unlike DOD, the
majority of other major federal agencies reported not yet having
initiated key planning efforts for IPv6. For example, 22 agencies lack
business cases; 21 lack transition plans; 19 have not inventoried IPv6
software and equipment; and none had developed cost estimates.
What GAO Recommends:
GAO recommends, among other things, that the Director of the Office of
Management and Budget (OMB) instruct agencies to begin to address key
planning considerations for the IPv6 transition, and that agencies act
to mitigate near-term IPv6 security risks.
Officials from OMB, DOD, and Commerce generally agreed with the
contents of this report and provided technical corrections, which were
incorporated as appropriate.
www.gao.gov/cgi-bin/getrpt?GAO-05-471.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact David Powner at (202) 512-
9286 or Keith Rhodes at (202) 512-6412.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
IPv6 Key Characteristics Increase Address Space, Improve Functionality,
Ease Network Administration, and Enhance Security:
IPv6 Considerations Include Significant Planning Efforts and Immediate
Actions to Ensure Security:
Progress Has Been Made at Defense but Is Lacking at Other Federal
Agencies:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: GAO Contacts and Staff Acknowledgments:
Table:
Table 1: IPv6 Reported Actions of 23 CFO Agencies to Address an IPv6
Transition:
Figures:
Figure 1: Internet Protocol Version 4 Address:
Figure 2: An Internet Protocol Header Contains IP Addresses for the
Source and Destination of Information Transmitted across the Internet:
Figure 3: An Example of a Network Address Translation:
Figure 4: Comparison of IPv6 and IPv4 Address Scheme:
Figure 5: Major Differences between the IPv6 and IPv4 Headers:
Figure 6: Example of a Dual Stack Network:
Figure 7: Example of Tunneling IPv6 Traffic inside an IPv4-Only
Internet:
Figure 8: DOD Envisions Mapping the Globe with Unique IP Addresses:
Figure 9: DOD's Schedule for Transitioning to IPv6:
Abbreviations:
CFO: chief financial officer:
DOD: Department of Defense:
FAR: Federal Acquisition Regulation:
GIG: global information grid:
ICANN: Internet Corporation for Assigned Names and Numbers:
ID: identification:
IETF: Internet Engineering Task Force:
IP: Internet protocol:
IPv4: Internet protocol version 4:
IPv6: Internet protocol version 6:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
TCP: transmission control protocol:
Y2K: year 2000:
US CERT: United States Computer Emergency Response Team:
Letter May 20, 2005:
The Honorable Tom Davis:
Chairman:
Committee on Government Reform:
House of Representatives:
The Honorable Adam H. Putnam:
House of Representatives:
In 2003, the President's National Strategy to Secure Cyberspace
[Footnote 1] identified the development of secure and robust Internet
mechanisms as important goals because of the nation's growing
dependence on cyberspace. The Internet protocol (IP) is one of the
primary mechanisms that defines how and where information such as text,
voice, and video moves across networks. Internet protocol version 4
(IPv4), which is widely used today, may not be able to accommodate the
increasing number of global users and devices that are connecting to
the Internet. As a result, IP version 6 (IPv6) was developed to
increase the amount of available IP address space. There has been
increasing interest in this new version of IP and its implications for
federal agencies.
As agreed with your office, our objectives were to (1) describe the key
characteristics of IPv6, (2) identify the key planning considerations
for federal agencies in transitioning to IPv6, and (3) determine the
progress made by the Department of Defense (DOD) and other major
federal agencies to transition to IPv6.
To accomplish these objectives, we researched and documented key IPv6
attributes, including security features, and analyzed technical and
planning information from experts in government and industry.
Additionally, we obtained and analyzed documents from the Department of
Commerce. We also studied DOD plans, procedures, and actions for
transitioning to IPv6. Finally, we identified efforts undertaken by the
other 23 Chief Financial Officer (CFO) Act agencies[Footnote 2] to
determine their progress in addressing IPv6 transition challenges. We
conducted our work from August 2004 through April 2005 in accordance
with generally accepted government auditing standards. Details of our
objectives, scope, and methodology are included in appendix I.
Results in Brief:
The key characteristics of IPv6 are designed to increase address space,
promote flexibility and functionality, and enhance security. For
example, using 128-bit addresses rather than 32-bit addresses
dramatically increases the available Internet address space from
approximately 4.3 billion in IPv4 to approximately 3.4 × 1038 in IPv6.
Other characteristics increase flexibility and functionality, including
improved routing of data, enhanced mobility features for wireless,
configuration capabilities to ease network administration, and improved
quality of service. Further, IPv6 integrates Internet protocol security
to improve authentication and confidentiality of information being
transmitted. These characteristics offer various enhancements relative
to IPv4 and are expected to enable advanced Internet communications and
foster new software applications.
Key planning considerations for federal agencies include recognizing
that an IPv6 transition is already under way because IPv6-capable
software and equipment exist in agency networks. Other important agency
planning considerations include: developing inventories and assessing
risks; creating business cases that identify organizational needs and
goals; establishing policies and enforcement mechanisms; determining
costs; and identifying timelines and methods for transition. As we have
previously reported, planning for system migration and security are
often problematic in federal agencies. However, proactive integration
of IPv6 requirements into federal contracts may reduce the costs and
complexity of transition by ensuring that federal applications can
operate in an IPv6 environment without costly upgrades. Managing the
security aspects of the transition is another consideration, since IPv6
can introduce additional security risks to agency information. For
example, attackers of federal networks could abuse features to allow
unauthorized traffic or make agency computers directly accessible from
the Internet.
Recognizing the importance of planning, DOD has made progress in
developing a business case, policies, timelines, and methods for
transitioning to IPv6. These efforts include creating a transition
office, developing guidance and policies, drafting transition plans,
and fielding a pilot. Despite these accomplishments, challenges remain,
including finalizing plans, enforcing policy, and monitoring for
unauthorized IPv6 traffic. Regarding other major federal agencies, most
report little progress in planning for an IPv6 transition. For example,
22 agencies lack business cases; 21 lack transition plans; 19 have not
inventoried IPv6 software and equipment; and 22 have not developed cost
estimates.
Transitioning to IPv6 is a pervasive and significant challenge for
federal agencies that could result in significant benefits to agency
services. But such benefits may not be realized if action is not taken
to ensure that agencies are addressing key planning considerations or
security issues. Accordingly, we are recommending, among other things,
that the Director of the Office of Management and Budget (OMB) instruct
the federal agencies to begin addressing key IPv6 planning
considerations, and that federal agency heads take immediate actions to
address the near-term security risks.
In commenting on a draft of this report, officials from OMB, DOD, and
Commerce generally agreed with its contents and provided technical
corrections, which we incorporated, as appropriate.
Background:
The Internet is a worldwide network of networks comprised of servers,
routers, and backbone networks. Network addresses are used to help send
information from one computer to another over the Internet by routing
the information to its final destination. The protocol that enables the
administration of these addresses is the Internet protocol (IP). The
most widely deployed version of IP is version 4 (IPv4).
Internet Protocol Transmits Information across Interconnected Networks:
The two basic functions of IP include (1) addressing and (2)
fragmentation of data, so that information can move across networks. An
IP address consists of a fixed sequence of numbers. IPv4 uses a 32-bit
address format, which provides approximately 4.3 billion unique IP
addresses. Figure 1 provides a conceptual illustration of an IPv4
address.
Figure 1: Internet Protocol Version 4 Address:
[See PDF for image]
[End of figure]
By providing a numerical description of the location of networked
computers, addresses distinguish one computer from another on the
Internet. In some ways, an IP address is like a physical street
address. For example, in the physical world, if a letter is going to be
sent from one location to another, the contents of the letter must be
placed in an envelope that contains addresses for the sender and
receiver. Similarly, if data is going to be transmitted across the
Internet from a source to a destination, IP addresses must be placed in
an IP header. Figure 2 provides a simplified illustration of this
concept. In addition to containing the addresses of sender and
receiver, the header also contains a series of fields that provide
information about what is being transmitted.
Figure 2: An Internet Protocol Header Contains IP Addresses for the
Source and Destination of Information Transmitted across the Internet:
[See PDF for image]
[End of figure]
The fields in the header are important to the protocol's second main
function: fragmentation of data. IP fragments information by breaking
it into manageable parts. Each part has its own header that contains
the sender's address, destination address, and other information that
guides it through the Internet to its intended destination. When the
various packets arrive at the final destination, they are put back
together into their original form.
Internet and Protocol Management and Development Involve Several Key
Organizations:
Several key organizations play a role in coordinating protocol
development and Internet management issues, including the following:
* The Internet Corporation for Assigned Names and Numbers, (ICANN), is
a nonprofit corporation responsible for Internet address space
allocation and management of the Internet domain name system.[Footnote
3]
* Regional Internet Registries allocate Internet address blocks from
ICANN in various parts of the world and engage in joint projects,
liaison activities, and policy coordination. The registries include the
African Network Information Center, Asia Pacific Network Information
Centre, American Registry for Internet Numbers, Latin American and
Caribbean Internet Addresses Registry, and Réseaux IP Européens Network
Coordination Centre.
* Competing companies known as registrars are able to assign domain
names, the mnemonic devices used to represent the numerical IP
addresses on the Internet (for example, [Hyperlink,
http://www.google.com]). More than 300 registrars have been accredited
by ICANN and are authorized to register domain names ending in .biz,
.com, .coop, .info, .name, .net, .org, or .pro. A complete listing is
maintained on the InterNIC[Footnote 4] Web site.
* The Internet Society is a large, international, professional
organization that provides leadership in addressing issues that may
affect the future of the Internet and assists the groups responsible
for Internet infrastructure standards. The Internet Society also
provides legal, financial, and administrative support to the Internet
Engineering Task Force (IETF).[Footnote 5]
* IETF is the principal body engaged in the development of Internet
standards. It is composed of working groups that are organized by topic
into several areas (e.g., routing, transport, security, etc.)[Footnote
6]
IPv4 Address Limitations and Mitigation Efforts:
Limited IPv4 address space prompted organizations that need large
amounts of IP addresses to implement technical solutions to compensate.
For example, network administrators began to use one unique IP address
to represent a large number of users. By employing network address
translation, an enterprise such as a federal agency or a company could
have large numbers of internal IP addresses, but still use a single
unique address that can be reached from the Internet. In other words,
all computers behind the network address translation router appear to
have the same address to the outside world. Figure 3 depicts this type
of network configuration.
Figure 3: An Example of a Network Address Translation:
[See PDF for image]
[End of figure]
While network address translation has enabled organizations to
compensate for the limited number of globally unique IP addresses
available with IPv4, the resulting network structure has eliminated the
original end-to-end communications model of the Internet. Network
address translation complicates the delivery of real-time
communications over the Internet.
In 1994, IETF began reviewing proposals for a successor to IPv4 that
would increase IP address space and simplify routing. IETF established
a working group to be specifically responsible for developing the
specifications for and standardization of IPv6. Over the past 10 years,
IPv6 has evolved into a mature standard. A complete list of IPv6
documents can be found at the IETF Web site.[Footnote 7]
IPv6 Is Gaining Momentum Globally:
Interest in IPv6 is gaining momentum around the world, particularly in
parts of the world that have limited IPv4 address space to meet their
industry and consumer communications needs. Regions that have limited
IPv4 address space such as Asia and Europe have undertaken efforts to
develop, test, and implement IPv6.
Asia:
As a region, Asia controls only about 9 percent of the allocated IPv4
addresses, and yet has more than half of the world's population. As a
result, the region is investing in IPv6 development, testing, and
implementation. For example, the Japanese government's e-Japan Priority
Policy Program mandated the incorporation of IPv6 and set a deadline of
2005 to upgrade existing systems in both the public and private sector.
The government has helped to support the establishment of the IPv6
Promotion Council to facilitate issues related to development and
deployment and to provide tax incentives to promote deployment. In
addition, major Japanese corporations in the communications and
consumer electronics sectors are also developing IPv6 networks and
products.
The Chinese government's interest in IPv6 resulted in an effort by the
China Education and Research Network Information Center to establish an
IPv6 network linking 25 universities in 20 cities across China. In
addition, China has reportedly set aside approximately $170 million to
develop an IPv6-capable infrastructure.
Taiwan has also started to work on developing IPv6 products and
services. For example, the Taiwanese government announced that it would
begin developing an IPv6-capable national information infrastructure
project. The planned initiative is intended to deploy an infrastructure
capable of supporting 6 million users by 2007.
In September 2000, public and private entities in India established the
Indian IPv6 Forum to help coordinate the country's efforts to develop
and implement IPv6 capabilities and services. The forum hosted an IPv6
summit in 2005.
Europe:
The European Commission initiated a task force in April 2001 to design
an IPv6 Roadmap. The Roadmap serves as an update and plan of action for
the development and future perspectives of IPv6. It also serves as a
way to coordinate European efforts for developing, testing, and
deploying IPv6. Europe currently has a task force that has the dual
mandate of initiating country/regional IPv6 task forces across European
states and seeking global cooperation around the world. Europe's task
force and the Japanese IPv6 Promotion Council forged an alliance to
foster worldwide deployment.
Latin America:
Latin America also has begun developing projects involving IPv6. Some
of these projects include an IPv6 interconnection among all the
6Bone[Footnote 8] sites of Latin America and a Native IPv6 Network via
Internet2.[Footnote 9] Also in Mexico, the National Autonomous
University of Mexico has been conducting research. In 1999, the
university acquired a block of address space to provide IPv6-enabled
service to Mexico and Latin America.
North America:
Established in 2001, the North American IPv6 Task Force promotes the
use of IPv6 within industry and government and provides technical and
business expertise for the deployment of IPv6 networks.[Footnote 10]
The task force is composed of individual members from the United States
and Canada who develop white papers and deployment guides, sponsor test
and interoperability events, and collaborate with other task forces
from around the world. Currently, the task force, the University of New
Hampshire, and DOD are collaborating on a national IPv6 demonstration/
test network.
Initial Governmentwide Efforts to Address IPv6 Began in 2003:
In 2003, the President's National Strategy to Secure
Cyberspace[Footnote 11] identified the development of secure and robust
Internet mechanisms as important goals because of the nation's growing
dependence on cyberspace. The strategy stated that the United States
must understand the merits of, and the obstacles to, moving to IPv6
and, based on that understanding, identify a process for moving to an
IPv6-based infrastructure.
To better understand these challenges, the Department of Commerce
formed a task force to examine the deployment of IPv6 in the United
States. As co-chairs of that task force, the Commerce Department's
National Institute of Standards and Technology (NIST) and the National
Telecommunications and Information Administration invited interested
parties to comment on a variety of IPv6-related issues, including: (1)
the benefits and possible uses; (2) current domestic and international
conditions regarding the deployment; (3) economic, technical, and other
barriers to the deployment; and (4) the appropriate role for the U.S.
government in the deployment. As part of the task force's work, the
Department of Commerce issued a draft report in July 2004, Technical
and Economic Assessment of Internet Protocol Version 6,[Footnote 12]
that was based on the response to their request for comment. Many
organizations and individuals--such as private sector software,
hardware, and communications firms, and technical experts--responded,
providing their views on the benefits and challenges of adopting the
new protocol.
IPv6 Key Characteristics Increase Address Space, Improve Functionality,
Ease Network Administration, and Enhance Security:
The key characteristics of IPv6 include:
* a dramatic increase in IP address space,
* a simplified IP header for flexibility and functionality,
* improved routing of data,
* enhanced mobility features,
* easier configuration capabilities,
* improved quality of service, and:
* integrated Internet protocol security.
These key characteristics of IPv6 offer various enhancements relative
to IPv4 and are expected to increase Internet services and enable
advanced Internet communications that could foster new software
applications for federal agencies.
IPv6 Dramatically Increases Address Space:
IPv6 dramatically increases the amount of IP address space available
from the approximately 4.3 billion addresses in IPv4 to approximately
3.4 × 1038. Because IPv6 uses a 128-bit address scheme rather than the
32-bit address scheme used in IPv4, it is able to allow many more
possible addresses. The increase in the actual bits in the address and
the immense number of possible combinations of numbers make the
dramatic number of unique addresses a possibility. Figure 4 shows the
difference between the length of an IPv4 address and that of an IPv6
address.
Figure 4: Comparison of IPv6 and IPv4 Address Scheme:
[See PDF for image]
[End of figure]
This large number of IPv6 addresses means that almost any electronic
device can have its own address. While IP addresses are commonly
associated with computers, they are increasingly being assigned to
communications devices such as phones and other items such as consumer
electronics and automobiles.
IPv6 addresses are characterized by a network prefix that describes the
location of an IPv6-capable device in a network and an interface ID
that provides a unique identification number (ID) for the device. The
network prefix will change based on the user's location in a network,
while the interface ID can remain static. The static interface ID
allows a device with a unique address to maintain a consistent identity
despite its location in a network. In IPv4, the limited address space
has resulted in a plethora of network address translation devices,
which severely limits the possibilities for end-to-end communications.
In contrast, the massive address space available in IPv6 will allow
virtually any device to be assigned a globally reachable address. This
change fosters greater end-to-end communication abilities between
devices with unique IP addresses and can better support the delivery of
data-rich content such as voice and video.
Simplified Header Intended to Promote Flexibility and Functionality:
Simplifying the IPv6 header promotes flexibility and functionality for
two reasons. First, the header size is fixed in IPv6. In the previous
version, header sizes could vary, which could slow routing of
information. Second, the structure of the header itself has been
simplified. While the IPv6 addresses are significantly larger than in
IPv4, the header containing the address and other information about the
data being transmitted has been simplified. The 14 header fields from
IPv4 have been simplified to 8 fields in IPv6. Figure 5 illustrates the
differences between the two IP headers, including the various data
fields that were eliminated, renamed, or reorganized.
Another benefit of the simplified header is its ability to accommodate
new features, or extensions. For example, the next header field
provides instructions to the routers transmitting the data across the
Internet about how to manage the information.
Figure 5: Major Differences between the IPv6 and IPv4 Headers:
[See PDF for image]
[End of figure]
Improved Routing Offers More Efficient Movement of Information:
The improved routing, or movement of information from a source to a
destination, is more efficient in IPv6 because it incorporates a
hierarchal addressing structure and has a simplified header. The large
amount of address space allows organizations with large numbers of
employees to obtain blocks of contiguous address space. Contiguous
address space allows organizations to aggregate addresses under one
prefix for identification on the Internet. This structured approach to
addressing reduces the amount of information Internet routers must
maintain and store and promotes faster routing of data. In addition, as
shown in figure 5, IPv6 has a simplified header because of the
elimination of six fields from the IPv4 header. The simplified header
also contributes to faster routing.
Enhanced Mobility Features Provide Seamless Connectivity:
IPv6 improves mobility features by allowing each device (wired or
wireless) to have a unique IP address independent of its current point
of attachment to the Internet. As previously discussed, the IPv6
address allows computers and other devices to have a static interface
ID. The interface ID does not change as the device transitions among
various networks. This enables mobile IPv6 users to move from network
to network while keeping the same unique IP address. The ability to
maintain a constant IP address while switching networks is cited as a
key factor for the success of a number of evolving capabilities, such
as evolving telephone technologies, personal digital assistants, laptop
computers, and automobiles.
Enhanced Configuration Capabilities Can Ease Aspects of Network
Administration:
IPv6 enhancements can ease difficult and time-consuming aspects of
network administration tasks in today's IPv4 networks. For example, two
new configuration enhancements of IPv6 include automatic address
configuration and neighbor discovery. These enhancements may reduce
network administration burdens by providing the ability to more easily
deploy and manage networks.
IPv6 supports two types of automatic configuration: stateful and
stateless. Stateful configuration uses the dynamic host configuration
protocol. This stateful configuration requires another computer, such
as a server, to reconfigure or assign numbers to network devices for
routing of information, which is similar to how IPv4 handles
renumbering.
Stateless automatic configuration is a new feature in IPv6 and does not
require a separate dynamic host configuration protocol server as in
IPv4. Stateless configuration occurs automatically for routers and
hosts. Another configuration feature--neighbor discovery--enables hosts
and routers to determine the address of a neighbor or an adjacent
computer or router.
Together, automatic configuration and neighbor discovery help support a
plug-and-play Internet deployment for many devices, such as cell
phones, wireless devices, and home appliances. These enhancements help
reduce the administrative burdens of network administrators by allowing
the IPv6-enabled devices to automatically assign themselves IP
addresses and find compatible devices with which to communicate.
Enhanced Quality of Service Can Prioritize Information Delivery:
IPv6's enhanced quality of service feature can help prioritize the
delivery of information. The flow label is a new field in the IPv6
header. This field can contain a label identifying or prioritizing a
certain packet flow, such as a video stream or a videoconference, and
allows devices on the same path to read the flow label and take
appropriate action based on the label. For example, IP audio and video
services can be enhanced by the data in the flow label because it
ensures that all packets are sent to the appropriate destination
without significant delay or disruption.
Enhanced Integration of IP Security Can Assist in Data Protection:
IP Security--a means of authenticating the sender and encrypting the
transmitted data--is better integrated into IPv6 than it was in IPv4.
This improved integration, which helps make IP Security easier to use,
can help support broader data protection efforts.
IP Security consists of two header extensions that can be used together
or separately to improve authentication and confidentiality of data
being sent via the Internet. The authentication extension header
provides the receiver with greater assurance of who sent the data. The
encapsulating security header provides confidentiality to messages
using encrypted security payload extension headers.
IPv6 Characteristics Can Contribute to More Advanced Communications and
Applications:
IPv6's increased address space, functionality, flexibility, and
security help to support more advanced communications and software
applications than are thought to be possible with the current version
of IP. For example, the ability to assign an IP address to a wide range
of devices beyond computers creates many new possibilities for direct
communication. While applications that fully exploit IPv6 are still in
development, industry experts have identified various federal functions
that might benefit from IPv6-enabled applications:
* Border security: could deploy wireless sensors with IPv6 to help
provide situational awareness about movements on the nation's borders.
* First responders: could exploit the hierarchal addressing of IPv6 to
promote interoperability and rapid network configuration in responding
to emergencies.
* Public health and safety: could exploit IPv6 end-to-end
communications to deliver secure telemedicine applications and
interactive diagnoses.
* Information sharing: could benefit from various features of IPv6,
including securing data in end-to-end communications, quality of
service, and the extensibility of the header to accommodate new
functions.
IPv6 Considerations Include Significant Planning Efforts and Immediate
Actions to Ensure Security:
Key planning considerations for federal agencies include recognizing
that an IPv6 transition is already under way because IPv6-capable
software and equipment exist in agency networks. Other key
considerations for federal agencies to address in an IPv6 transition
include significant IT planning efforts and immediate actions to ensure
the security of agency information and networks. Important planning
considerations include:
* developing inventories and assessing risks,
* creating business cases for an IPv6 transition,
* establishing policies and enforcement mechanisms,
* determining costs, and:
* identifying timelines and methods for the transition.
Furthermore, specific security risks could result from not managing
IPv6 software and equipment in federal agency networks.
Recognizing That an IPv6 Transition Is Already Under Way for the
Federal Government:
The transition to IPv6 is under way for many federal agencies because
their networks already contain IPv6-capable software and equipment; for
example, most major operating systems currently support IPv6, including
Microsoft Windows, Apple OS X, Cisco IOS, mainframe software, and UNIX
variants including Sun Solaris and Linux. In addition, many routers,
printers, and other devices are now capable of being configured for
IPv6 traffic.
The transition to IPv6 is different from a software upgrade because the
protocol's capability is being integrated into the software and
hardware. As a result, agencies do not have to make a concerted effort
to acquire it because it will be built into agencies' core
communications infrastructure. However, as IPv6-capable software and
hardware accumulates in agency networks, it can introduce risks that
may not be immediately obvious to the network administrators or program
officials. For example, agency employees might begin using certain IPv6
features that are not addressed in agency security programs and could
therefore inadvertently place agency information at risk of disclosure.
Developing an Inventory and Risk Assessment:
Developing an IPv6 inventory and risk assessment is an important action
for agencies to consider in addressing IPv6 decision making. An
inventory of equipment (software and hardware) provides management with
an understanding of the scope of an IPv6 transition occurring at the
agency and assists in focusing agency risk assessments.
Risk assessments are essential steps in determining what controls are
required to protect a network and what level of resources should be
expended on controls. Moreover, risk assessments contribute to the
development of effective security controls for information systems and
much of the information needed for the agency's system security plans.
These assessments are even more important when transitioning to a new
technology such as IPv6. Knowing what risks there are and how to
mitigate them appropriately will lessen problems in the future.
Creating a Business Case for Transition:
Creating a business case for transition to IPv6 is another important
consideration for agency management officials to address. A business
case usually identifies the organizational need for the system and
provides a clear statement of the high-level system goals.[Footnote 13]
Best practices for IT investment recommend that, prior to making any
significant project investment, information about the benefits and
costs of the investment should be analyzed and assessed in detail. One
key aspect to consider while drafting the business case for IPv6 is to
understand how many devices an agency wants to connect to the Internet.
This will help in determining how much IPv6 address space is needed for
the agency. Within the business case, it is crucial to include how the
new technology will integrate with the agency's existing enterprise
architecture.
Establishing Policies and Enforcement Mechanisms:
Developing and establishing IPv6 transition policies and enforcement
mechanisms are important considerations for ensuring an efficient and
effective transition. For example, IPv6 policies can address:
* agency management of the IPv6 transition,
* roles and responsibilities of key officials and program managers,
* guidance on planning and investment,
* authorization for using IPv6 features, and:
* configuration management requirements and monitoring efforts.
Further, because of the scope, complexities, and costs involved in an
IPv6 transition, effective enforcement of agency IPv6 policies is an
important consideration for management officials. Enforcement
considerations could include:
* collaboration among the chief information officer and senior
contracting officials to ensure IPv6 issues are addressed in
information technology acquisitions in accordance with agency policy;
* role definitions for the chief information officer, inspector
general, and program officials, to review current IPv6 capabilities in
agency systems and what, if any, future requirements might be needed;
and:
* policies for configuration management methods, to ensure that agency
information and systems are not compromised because of improper
management of information technology and systems.
Without appropriate policies and effective enforcement mechanisms,
federal agencies could incur significant cost and security risks. As we
have previously reported,[Footnote 14] planning for system migration
and security are often problematic in federal agencies. IPv6 planning
efforts and security measures can be managed using the federal
government's existing framework, which includes enterprise
architecture, investment management processes, and security policies,
plans, and risk assessments. The potential scope of an IPv6 transition
makes development of robust policies and enforcement mechanisms
essential.
Determining IPv6 Costs:
Considering the costs of IPv6 and estimating the impact on agency IT
investments can be challenging. Cost benefit analyses and return-on-
investment calculations are the normal methods used to justify
investments.[Footnote 15] Initially, IPv6 may appear to have a minimal
cost impact on an organization because IPv6 functionality is being
built into operating systems and routers. However, the costs to upgrade
existing software applications so they can benefit from IPv6
functionality could be significant. Additional costs to consider
include:
* human capital costs associated with training,
* operational costs of multiple IP environments,
* existing IT infrastructure, and:
* timing of an IPv6 transition.
These costs can be managed through a gradual, rather than an
accelerated, transition process. For example, long-range planning can
help to mitigate costs and position an agency to benefit from IPv6's
characteristics and applications. Early adopters of IPv6 have
determined that transitioning can be coordinated with an organization's
ongoing technical refreshments or upgrades. Accordingly, agencies can
ensure that IPv6 compatibility is integrated into their IT contracts
and acquisition process. Officials from OMB's Office of E-Government
and Information Technology stated that they recognize the challenges
associated with determining cost and are taking action. For example,
OMB required federal agencies to submit the following items by January
31, 2005:
* an updated enterprise architecture documentation and a revised
Information Resource Management strategic plan to illustrate how IPv6
is being incorporated into the agency's plans and:
* a joint memorandum from the agency's chief information officer and
chief procurement official describing how the agency will address the
acquisition of technology with IPv6 as part of the life cycle of
existing investments.
During the year 2000 (Y2K) technology challenge, the federal government
amended the Federal Acquisition Regulation (FAR) and mandated that all
contracts for IT include a clause requiring the delivered systems or
service to be ready for the Y2K date change.[Footnote 16] This helped
prevent the federal government from procuring systems and services that
might have been obsolete or that required costly upgrades. Similarly,
proactive integration of IPv6 requirements into federal acquisition
requirements can reduce the costs and complexity of the IPv6 transition
of the federal agencies and ensure that federal applications are able
to operate in an IPv6 environment without costly upgrades.
Identifying Timelines and Methods for Transition:
Identifying timelines and the various methods available to agencies for
transitioning to IPv6 are important management considerations. The
timeline can help keep transition efforts on schedule and can provide
for status updates to upper management. Having a timeline and
transition management strategy in place early is important to
mitigating risks and ensuring a successful transition to IPv6. Such
timelines and process management can help a federal agency determine
when to authorize its various component organizations to allow IPv6
traffic and features.
Various transition methods exist to ensure that a computer running IPv6
can communicate with a computer running IPv4. These transition methods
or techniques include the following:
Dual Stack Networks:
In a dual stack network, hosts and routers implement both IPv4 and
IPv6. Figure 6 depicts how dual stack networks can support both IPv4
and IPv6 services and applications during the transition period.
Currently, dual stack networks are the preferred mechanism for
transitioning to IPv6.
Figure 6: Example of a Dual Stack Network:
[See PDF for image]
[End of figure]
Tunneling:
Tunneling allows separate IPv6 networks to communicate via an IPv4
network. For example, for one type of tunneling method, IPv6 packets
are encapsulated by a border router, sent across an IPv4 network, and
decoded by a border router on the receiving IPv6 network. Figure 7
depicts the tunneling process of IPv6 data inside an IPv4 network.
Figure 7: Example of Tunneling IPv6 Traffic inside an IPv4-Only
Internet:
[See PDF for image]
[End of figure]
Translation:
Translation allows networks using only IPv4 and networks using only
IPv6 to communicate with each other by translating IPv6 packets to IPv4
packets. The use of a translator allows new systems to be deployed as
IPv6 only, while older systems remain IPv4 only. While this method may
result in bottlenecks while packets are being translated, it can
provide a high level of interoperability.
These transition methods represent a few of the common approaches for
ensuring interoperability between IPv6 and IPv4 communications. They
can be used alone or in concert to enable communication among IPv4 and
IPv6 networks. However, while such techniques mitigate interoperability
challenges, in some instances, they may result in increased security
risks if not analyzed and managed.
IPv6 Creates New Opportunities for Network Abuse:
As IPv6-capable software and devices accumulate in agency networks,
they could be abused by attackers if not managed properly. For example,
IPv6 is included in most computer operating systems and, if not enabled
by default, is easy for administrators to enable either intentionally
or as an unintentional byproduct of running a program. We tested two
IPv6 features--automatic configuration and tunneling--and found that,
if not properly managed, they could present serious risks to federal
agencies.
Automatic Configuration Can Facilitate Network Attacks If Not Managed:
Automatic configuration can facilitate attacks because a rogue or
unauthorized router may reconfigure neighboring devices by assigning
them new addresses and routes. Once IPv6 is enabled, almost all
operating systems will automatically configure IPv6 addresses, and most
will automatically configure additional IPv6 addresses (including
global ones) and routes provided by IPv6 routers. For example, with
IPv6 enabled, most systems we tested would automatically accept IPv6
router advertisements. This results in hosts automatically adding IPv6
addresses and routes. This can be mitigated by the signing of router
renumbering updates with IP Security. We tested the security issues
surrounding the automatic configuration and found that, if a computer
on the internal network had turned IPv6 on, that computer could use
IPv6 services on other systems using IPv6 locally. This activity would
not be seen by a typical IPv4 network intrusion detection system,
because it would only be looking for anomalous or inappropriate IPv4
behavior and would not detect the IPv6 activity.
Tunneling Can Permit Unauthorized Traffic:
As previously discussed, tunneling is a transition mechanism that
allows IPv6 packets to be sent between computers via IPv4 traffic. When
IPv6 packets are tunneled through IPv4, they are invisible to typical
network intrusion detection systems and firewalls that are configured
for IPv4 traffic but not for IPv6 traffic. As a result, intrusion
detection systems and firewalls configured for IPv4 may not identify or
prevent tunneled traffic. Once tunnels are established, traffic can
penetrate the network undetected. This can allow attackers to access
agency information and resources that are protected only by IPv4
filters and tools. Even worse, if a computer on an internal network
acted as an IPv6 router and was able to tunnel IPv6 to the IPv4
Internet, other nearby machines could be automatically configured with
global IP addresses. As a result, internal agency computers--never
intended to directly provide services to other computers on the
Internet--are suddenly globally reachable and may lack the requisite
security for Internet-accessible hosts.
Although new tools are being developed, the security considerations
associated with an IPv6 transition make configuration management of
federal systems extremely important. We determined that common IPv6
tunneling techniques could be controlled by implementing best practices
for IPv4 security, specifically by tightening the firewalls to deny
direct outbound connections and by requiring proxies for allowed
protocols and ports. We also noted that tighter configuration
management, including restricting user privileges, could help control
IPv6 usage by end hosts and that network intrusion detection systems
could be tuned to detect IPv6 traffic and common tunneling techniques.
US-CERT Issued a Security Alert for Federal Agencies:
In April 2005, the United States Computer Emergency Response Team (US-
CERT), located at the Department of Homeland Security, issued an IPv6
cyber security alert to federal agencies based on our testing and
discussions with DHS officials. The alert warned federal agencies that
unmanaged, or rogue, implementations of IPv6 present network management
security risks. Specifically, the US-CERT notice informed agencies that
some firewalls and network intrusion detection systems do not provide
IPv6 detection or filtering capability, and malicious users might be
able to tunnel IPv6 traffic through these security devices undetected.
US-CERT provides agencies with a series of short-term solutions,
including:
* determining if firewalls and intrusion detection systems support IPv6
and implement additional IPv6 security measures and:
* identifying IPv6 devices and disabling if not necessary.[Footnote 17]
Progress Has Been Made at Defense but Is Lacking at Other Federal
Agencies:
Recognizing the importance of planning, DOD has made progress in
developing a business case, policies, a timeline, and methods for
transitioning to IPv6, but similar efforts at the majority of the other
CFO agencies are lacking. Despite these efforts, Defense still faces
major challenges in managing its transition to IPv6. The majority of
the other CFO agencies report they have not begun to address key
transition planning issues, such as developing plans, business cases,
and estimating costs.
DOD Has Established a Business Case for Transitioning to IPv6:
Defense's transition to IPv6 is a key component of its business case to
improve interoperability among many information and weapons systems,
known as the Global Information Grid (GIG). The IPv6 component of GIG
is to facilitate DOD's goal of achieving network-centric operations by
exploiting these key characteristics of IPv6:
* increased address space,
* enhanced mobility features,
* enhanced configuration features,
* enhanced quality of service, and:
* enhanced security features.
The increased address space provides DOD with an opportunity to
reconstitute its address space architecture to better address the
future proliferation of numerous unmanned sensors and mobile assets.
Using this architecture, the department plans to use IPv6 as part of
the GIG. Although no final decisions have been made, DOD could use the
increased address space to render a three-dimensional map of the globe,
or theater of combat, using IP addresses as coordinates. This, along
with other GIG components, would allow tracking movements of, and
maintain detailed information on, military vehicles and individual
soldiers in real time.
Figure 8: DOD Envisions Mapping the Globe with Unique IP Addresses:
[See PDF for image]
[End of figure]
Permitting devices to directly communicate on the move is essential,
because DOD wants to use the enhanced mobility and automatic
configuration to rapidly deploy networks across the globe. Further,
Defense believes that the return to an end-to-end communications
security model will allow it to provide greater information assurance
by, among other things, providing for more secure peer-to-peer
communications. Finally, Defense requires IPv6's improved quality of
service features to enhance many of its other initiatives, such as
voice over IP.
DOD Has Made Progress Developing Policies, a Timeline, and Methods for
Transition:
DOD's efforts to develop policies, timelines, and methods for
transitioning to IPv6 are progressing. Some of the department's efforts
to transition to IPv6 have been under way for approximately 10 years,
including the following:
* In 1995, the Department of the Navy first began working with IPv6,
and subsequently deployed IPv6 test beds in 2000 and 2001.
* In 1998, DOD began, along with our North Atlantic Treaty Organization
partners, joint action on IPv6-related issues.
* In 2003, one of the Navy's early test beds, the Defense Research and
Engineering Network, was selected to be the overall DOD IPv6 pilot.
* In 2003, the Office of the DOD Chief Information Officer issued a
mandate that, as of October 2003, all assets developed, procured, or
acquired must be IPv6-capable and, in addition, the assets must
maintain interoperability with IPv4 systems capabilities.
* In 2004, Defense established an IPv6 transition office to provide the
overall coordination, common engineering solutions, and technical
guidance across the department to support an integrated and coherent
transition to IPv6.
IPv6 Transition Office Performs Central Role in Coordination of
Transition Planning:
DOD's Transition Office performs a central role in coordination of IPv6
planning, including developing detailed guidance and policies for
implementing schedules and designs for DOD. This guidance includes
deriving departmentwide requirements, technical guidance--including
IPv6 addressing--transition techniques, network architecture guidance,
and applications development guidance. While the Transition Office
provides the overall planning framework, the accountability for the
actual transition resides within each of the individual services and
defense agencies. These DOD components are to use the core planning
guidance, time frames, and metrics that the Transition Office develops
within their respective transition models.
The Transition Office, under the authority of the Defense Information
Systems Agency, is in the early stages of its work and has developed an
early set of work products, including a draft system engineering
management plan, risk management planning documentation, budgetary
documentation, requirements criteria, and a master schedule. The
management schedule includes a set of implementation milestones that
include DOD's goal of transitioning to IPv6 by fiscal year 2008. A
senior Transition Office official stated that the department plans to
develop an end-to-end communications security model by fiscal year 2008
as well.
Figure 9: DOD's Schedule for Transitioning to IPv6:
[See PDF for image]
[End of figure]
In addition to its internal IPv6 coordination-related activities, the
Transition Office has built relationships with other federal agencies,
North Atlantic Treaty Organization partners and coalition allies, IETF,
and academic institutions, and is currently working with the American
Registry of Internet numbers to allocate the requisite IPv6 address
space for the department.
In parallel with the Transition Office's efforts, the Office of the DOD
Chief Information Officer has created a transition plan that includes
sections on transition governance, acquisition and procurement,
transition tasks and milestones, and program and budget. The Chief
Information Officer has responsibility for ensuring a coherent and
timely transition, establishing and maintaining the overall
departmental transition plan, and is the final approval authority for
any IPv6 transition waivers. Other key players in the department's
transition are the Defense Information Systems Agency, Joint Forces
Command, the National Security Agency, and the Defense Intelligence
Agency.
DOD IPv6 Efforts Face Challenges:
Although DOD has made substantial progress in developing a planning
framework for transitioning to IPv6, it still faces challenges,
including:
* developing an inventory of GIG systems that have IPv6-capable
software and hardware,
* finalizing its IPv6 transition plans,
* monitoring its operational networks for unauthorized IPv6 traffic,
and:
* developing a comprehensive enforcement strategy, including leveraging
its existing budgetary and acquisition review process.
According to DOD officials, the department recognizes the need to
monitor IPv6 traffic and has taken steps to minimize this risk. For
example, it has established policies addressing IPv6 use in an
operational environment.
Majority of Federal Agencies Have Not Initiated Transition Planning
Efforts:
Unlike DOD, the majority of other federal agencies reporting have not
yet initiated transition planning efforts for IPv6. For example, of the
22 agencies that responded, only 4 agencies reported having established
a date or goal for transitioning to IPv6. The majority of agencies have
not addressed key planning considerations (see table 1). For example,
* 22 agencies report not having developed a business case,
* 21 agencies report not having plans,
* 19 agencies report not having inventoried their IPv6-capable
equipment, and:
* 22 agencies report not having estimated costs.
Agency responses demonstrate that few efforts outside of DOD have been
initiated to address IPv6. If agency planning is not carefully
monitored, it could result in significant and unexpected costs for the
federal government.
Table 1: IPv6 Reported Actions of 23 CFO Agencies to Address an IPv6
Transition:
Department or agency: Agriculture;
Business case: °;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Commerce;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Education;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Energy;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Health and Human Services;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Homeland Security;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Housing and Urban Development;
Business case: No response ;
Plan: No response;
Inventory: No response;
Estimated costs: No response.
Department or agency: Interior;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Justice;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Labor;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: State;
Business case: No;
Plan: No;
Inventory: Yes;
Estimated costs: No.
Department or agency: Transportation;
Business case: No;
Plan: No;
Inventory: Yes;
Estimated costs: No.
Department or agency: Treasury;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Veterans Affairs;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Environmental Protection Agency;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: General Services Administration;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: National Aeronautics and Space Administration;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: National Science Foundation;
Business case: No;
Plan: Yes;
Inventory: No;
Estimated costs: No.
Department or agency: Nuclear Regulatory Commission;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Office of Personnel Management;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: Small Business Administration;
Business case: No;
Plan: No;
Inventory: Yes;
Estimated costs: No.
Department or agency: Social Security Administration;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Department or agency: U.S. Agency for International Development;
Business case: No;
Plan: No;
Inventory: No;
Estimated costs: No.
Source: GAO analysis of agency data.
[End of table]
Conclusions:
The increase in IPv6 address space and the other new features of the
protocol are designed to promote flexibility, functionality, and
security in networks. IPv6 can facilitate the development of a variety
of new applications that take advantage of the end-to-end
communications it provides. Through the use of IPv6 and associated new
applications, federal agencies can have new ways of delivering business
service and conducting operations.
Nevertheless, transitioning to IPv6 presents federal agencies with
challenges, including addressing key planning considerations and taking
immediate actions to ensure the security of agency information and
networks. By recognizing that an IPv6 transition is under way, agencies
can begin developing risk assessments, business cases, policies, cost
estimates, timelines, and methods for the transition. If agencies do
not address these key planning issues and seek to understand the
potential scope and complexities of IPv6 issues--whether agencies plan
to transition immediately or not--they will face potentially increased
costs and security risks. For example, if federal contracts for IT
systems and services do not require IPv6 compatibility, agencies may
need to make costly upgrades. Finally, if not managed, existing IPv6
features in agency networks can be abused by attackers who have access
to federal information and resources without being detected. Undetected
penetrations of federal networks can have far-reaching impacts on the
security of both information and the operations it supports.
Transitioning to IPv6 is a pervasive challenge for federal agencies
that could result in significant benefits to agency services. But such
benefits may not be realized if action is not taken to ensure that
agencies are addressing the attendant challenges. Recognizing the
importance of planning, DOD has made progress addressing some key
planning considerations, but still faces challenges. However, the vast
majority of federal agencies have not yet started this process. If
their respective progress is not monitored closely, it could result in
significant costs for the federal government.
Recommendations for Executive Action:
We recommend that the Director of OMB take the following two actions:
1. Instruct federal agencies to begin addressing key IPv6 planning
considerations, including:
* developing inventories and assessing risks,
* creating business cases for the IPv6 transition,
* establishing policies and enforcement mechanisms,
* determining costs, and:
* identifying timelines and methods for transition, as appropriate.
2. Amend the Federal Acquisition Regulation with specific language that
requires that all information technology systems and applications
purchased by the federal government be able to operate in an IPv6
environment.
Because of the immediate risk that poorly configured and unmanaged IPv6
capabilities present to federal agency networks, we are recommending
that agency heads take immediate actions to address the near-term
security risks, including determining what IPv6 capabilities they may
have, and initiate steps to ensure that they can control and monitor
IPv6 traffic.
Agency Comments and Our Evaluation:
We provided a draft of this report to DOD, Commerce, and OMB for review
and comment. In providing oral comments, officials from DOD's IPv6
Transition Office, Commerce's National Institute of Standards and
Technology, and OMB's Offices of Information and Regulatory Affairs and
General Counsel generally agreed with the contents of the report and
provided technical corrections, which we incorporated, as appropriate.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies to interested
congressional committees; the Director, Office of Management and
Budget; and the heads of all major departments and agencies. Copies of
this report will be made available to others on request. In addition,
the report will be available at no charge on GAO's Web site at
[Hyperlink, http://www.gao.gov].
If you have any questions about this report, please contact David
Powner at (202) 512-9286, or [Hyperlink, pownerd@gao.gov]; Keith Rhodes
at (202) 512-6412, or [Hyperlink, rhodesk@gao.gov]; or J. Paul Nicholas
at (202) 512-4457, or [Hyperlink, nicholasj@gao.gov]. Major
contributors to this report are listed in appendix II.
Signed by:
David A. Powner:
Director, Information Technology Management Issues:
Signed by:
Keith A. Rhodes:
Chief Technologist:
Director, Center for Technology and Engineering:
[End of section]
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
The objectives of our review were to:
* describe the key characteristics of Internet Protocol version 6
(IPv6);
* identify the key planning considerations for federal agencies in
transitioning to IPv6; and:
* determine the progress made by the Department of Defense (DOD) and
other major federal agencies to transition to IPv6.
For our first two objectives, the scope included the Department of
Commerce, the Office of Management and Budget, and various federal and
nonfederal technical experts. For our third objective, we focused on
DOD and the other 23 major federal departments and agencies.
To describe the key characteristics of IPv6 and identify the key
considerations for the federal agencies in transitioning to IPv6, we
researched and analyzed technical documents and gathered data from IPv6
experts in government and industry. Specifically, we reviewed a number
of key documents and text, including IPv6-related documents from the
Internet Engineering Task Force, technical papers on IPv6 capabilities
and security issues, the President's National Strategy to Secure
Cyberspace, and responses to the Department of Commerce's request for
comment on the IPv6 transition. In addition, we documented IPv6
characteristics and transition considerations with officials from the
National Institute of Standards and Technology, the National
Telecommunication and Information Administration, the chief technical
officer of the IPv6 Forum, a co-author of the TCP/IP protocol suite,
key members of the telecommunications industry, members of the Internet
Engineering Task Force and Internet Society, and officials from major
software and hardware vendors. Further, we conducted computer security
tests using our lab to identify potential IPv6 security challenges,
including testing stateful packet filtering firewalls, network
intrusion detection systems, and hosts representing a variety of
operating systems, including Windows XP/2003, Sun Solaris, Linux
variants, and IBM z/OS. We used IPv4 firewall rules that "default deny
all" inbound and "default permit all" outbound, and network intrusion
detection systems with default signatures.
To determine the progress made by DOD and other relevant federal
agencies to transition to IPv6, we analyzed DOD's IPv6 transition
plans, guidelines, and transition schedule. In addition, we met with
the Office of the DOD Chief Information Officer, members of the DOD
IPv6 Transition Office, and the Defense Information Systems Agency, and
reviewed transition challenges and approaches being undertaken by DOD.
We also surveyed the other 23 chief financial officer agencies to
determine the extent to which they had established a transition date
for converting to IPv6; developed IPv6 business cases or transition
plans; estimated costs or allocated money for the transition; and
identified resource challenges.
We performed our work from August 2004 through April 2005 in accordance
with generally accepted government auditing standards.
[End of section]
Appendix II: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Dave A. Powner, (202) 512-9286;
Keith A. Rhodes, (202) 512-6412;
J. Paul Nicholas, (202) 512-4457:
Staff Acknowledgments:
Camille Chaires, West Coile, Jamey Collins, John Dale, Neil Doherty,
Nancy Glover, Richard Hung, Hal Lewis, Harold Podell, David Plocher,
and Eric Winter made key contributions to this report.
(310474):
FOOTNOTES
[1] President George W. Bush, The National Strategy to Secure
Cyberspace (Washington, D.C.: February 2003).
[2] The 24 CFO departments and agencies are the Departments of
Agriculture, Commerce, Defense, Education, Energy, Health and Human
Services, Homeland Security, Housing and Urban Development, the
Interior, Justice, Labor, State, Transportation, the Treasury, and
Veterans Affairs, the Environmental Protection Agency, General Services
Administration, National Aeronautics and Space Administration, National
Science Foundation, Nuclear Regulatory Commission, Office of Personnel
Management, Small Business Administration, Social Security
Administration, and U.S. Agency for International Development.
[3] The Web site for ICANN is www.icann.org.
[4] InterNIC is a registered service of the U.S. Department of
Commerce. It is licensed to ICANN, which operates the InterNIC Web
site: http://www.internic.net/.
[5] The Web site for the Internet Society is www.isoc.org.
[6] The Web site for IETF is www.ietf.org.
[7] The Web site for IETF is http://www.ietf.org/iesg/1rfc_index.txt.
[8] The 6bone is an IPv6 test bed created to assist in the evolution
and deployment of IPv6.
[9] Internet2 is a consortium led by 207 universities working in
partnership with industry and government to develop and deploy advanced
network applications and technologies.
[10] The Web site for NAv6TF is http://www.nav6tf.org/.
[11] Bush, The National Strategy.
[12] Department of Commerce, Technical and Economic Assessment of
Internet Protocol Version 6 (IPv6) (Washington, D.C.; July 2004).
[13] GAO, Technology Assessment, Cybersecurity for Critical
Infrastructure Protection, GAO-04-321 (Washington, D.C.: May 2004).
[14] GAO, Business Systems Modernization: Internal Revenue Service
Needs to Further Strengthen Program Management, GAO-04-438T
(Washington, D.C.: Feb. 12, 2004); and Information Technology: DOD's
Acquisition Policies and Guidance Need to Incorporate Additional Best
Practices and Controls, GAO-04-722 (Washington, D.C.: July 30, 2004).
[15] GAO, DOD Business Systems Modernization: Longstanding Management
and Oversight Weaknesses Continue to Put Investments at Risk, GAO-03-
553T (Washington, D.C.: March 31, 2003).
[16] 48 C.F.R. 39.106.
[17] US-CERT Federal Informational Notice FIN05-095 (Arlington,
Virginia; April 2004).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
