Internet Protocol Version 6
Federal Government in Early Stages of Transition and Key Challenges Remain Gao ID: GAO-06-675 June 30, 2006The Internet protocol (IP) provides the addressing mechanism that defines how and where information such as text, voice, music, and video move across interconnected networks. IP version 4 (IPv4), which is widely used today, may not be able to accommodate the increasing number of global users and devices that are connecting to the Internet. As a result, Internet version 6 (IPv6) was developed to increase the amount of available address space. In August 2005, the Office of Management and Budget (OMB) issued a memorandum specifying activities and time frames for federal agencies to transition to IPv6. GAO was asked to determine (1) the status of federal agencies' efforts to transition to IPv6; (2) what emerging applications are being planned or implemented that take advantage of IPv6 features; and (3) key challenges industry and government agencies face as they transition to the new protocol.
Federal agencies have taken steps in planning for the transition to IPv6, but several have not completed key activities. For example, almost all of the 24 major agencies have assigned an official to lead and coordinate the IPv6 transition. However, ten agencies had not developed IPv6-related policies and enforcement mechanisms. Until agencies complete key activities, their transition planning efforts risk not being successful. To help address this risk, agencies are required to report their progress in completing key planning activities to OMB. Applications that take advantage of IPv6 features are being planned or implemented both within and outside of the federal government, including applications to support emergency response, enhance warfighting capabilities, and facilitate continuity of operations planning. However, these applications are few, in large part because organizations are still in the early stages of the transition or because they lack incentives to use the new protocol. Transitioning to IPv6 presents several challenges. Significant challenges include managing information security in an environment that is more vulnerable to threats; incorporating IPv6 features into applications' business cases to identify new and better ways of meeting mission goals; and interfacing with partners that may be in various stages of the transition. Other challenges include maintaining dual IPv4 and IPv6 environments for an extended period of time and implementing standards required by the use of the new protocol. All of these challenges could impede progress if they are not addressed by agencies as they proceed with the transition.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-06-675, Internet Protocol Version 6: Federal Government in Early Stages of Transition and Key Challenges Remain
This is the accessible text file for GAO report number GAO-06-675
entitled 'Internet Protocol Version 6: Federal Government in early
Stages of Transition and Key Challenges Remain' which was released on
July 31, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Chairman, Committee on Government Reform, House of
Representatives:
United States Government Accountability Office:
GAO:
June 2006:
Internet Protocol Version 6:
Federal Government in Early Stages of Transition and Key Challenges
Remain:
Internet Protocol:
GAO-06-675:
GAO Highlights:
Highlights of GAO-06-675, a report to the Chairman, Committee on
Government Reform, House of Representatives
Why GAO Did This Study:
The Internet protocol (IP) provides the addressing mechanism that
defines how and where information such as text, voice, music, and video
move across interconnected networks. IP version 4 (IPv4), which is
widely used today, may not be able to accommodate the increasing number
of global users and devices that are connecting to the Internet. As a
result, Internet version 6 (IPv6) was developed to increase the amount
of available address space. In August 2005, the Office of Management
and Budget (OMB) issued a memorandum specifying activities and time
frames for federal agencies to transition to IPv6. GAO was asked to
determine (1) the status of federal agencies‘ efforts to transition to
IPv6; (2) what emerging applications are being planned or implemented
that take advantage of IPv6 features; and (3) key challenges industry
and government agencies face as they transition to the new protocol.
What GAO Found:
Federal agencies have taken steps in planning for the transition to
IPv6, but several have not completed key activities. For example,
almost all of the 24 major agencies have assigned an official to lead
and coordinate the IPv6 transition. However, ten agencies had not
developed IPv6-related policies and enforcement mechanisms. (See figure
for the status as of April 2006 of agencies‘ efforts in meeting OMB
required activities.) Until agencies complete key activities, their
transition planning efforts risk not being successful. To help address
this risk, agencies are required to report their progress in completing
key planning activities to OMB.
Figure: Status of Agencies' Efforts to Complete Activities Required by
February 2006:
[see PDF for Image]
Source: GAO analysis of agency data.
[End of Figure]
Applications that take advantage of IPv6 features are being planned or
implemented both within and outside of the federal government,
including applications to support emergency response, enhance
warfighting capabilities, and facilitate continuity of operations
planning. However, these applications are few, in large part because
organizations are still in the early stages of the transition or
because they lack incentives to use the new protocol.
Transitioning to IPv6 presents several challenges. Significant
challenges include managing information security in an environment that
is more vulnerable to threats; incorporating IPv6 features into
applications‘ business cases to identify new and better ways of meeting
mission goals; and interfacing with partners that may be in various
stages of the transition. Other challenges include maintaining dual
IPv4 and IPv6 environments for an extended period of time and
implementing standards required by the use of the new protocol. All of
these challenges could impede progress if they are not addressed by
agencies as they proceed with the transition.
What GAO Recommends:
GAO recommends that federal agencies work through two of the groups
that play key roles in transitioning the federal government to IPv6 to
address key challenges they face as they proceed with the transition.
In oral comments on a draft of this report, OMB generally agreed with
the results and described actions being taken to address GAO‘s
recommendation.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-675].
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact David A. Powner at (202) 512-9286 or
pownerd@gao.gov or Keith A. Rhodes at (202) 512-6412 or
rhodesk@gao.gov.
[End of Section]
Contents:
Letter:
Results in Brief:
Background:
Federal Agencies Are in the Early Stages of Transitioning to IPv6:
Applications Taking Advantage of IPv6 Features Are Being Planned and
Implemented, but They Are Few:
Several Challenges Exist for Industry, Government Agencies during the
IPv6 Transition:
Conclusions:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: GAO Contacts and Staff Acknowledgments:
Table:
Table 1: IPv6 Transition Activities Defined by OMB:
Figures:
Figure 1: Internet Protocol Version 4 Address:
Figure 2: An Internet Protocol Header Contains IP Addresses for the
Source and Destination of Information Transmitted across the Internet:
Figure 3: Comparison of IPv4 and IPv6 Address Schema:
Figure 4: Status of Agencies' Efforts to Address Activities Required by
November 15, 2005:
Figure 5: Status of Agencies' Efforts to Address Activities Required by
February 2006:
Abbreviations:
CIO: chief information officer:
DOD: Department of Defense:
IETF: Internet Engineering Task Force:
IP: Internet protocol:
IPv4: Internet protocol version 4:
IPv6: Internet protocol version 6:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
June 30, 2006:
The Honorable Tom Davis:
Chairman:
Committee on Government Reform:
House of Representatives:
Dear Mr. Chairman:
The Internet protocol (IP) defines how and where information such as
text, voice, music, and video moves across networks. Internet protocol
version 4 (IPv4), which is widely used today, may not be able to
accommodate the increasing number of devices that are using the
Internet. As a result, IP version 6 (IPv6) was developed to allow
millions more users by increasing the amount of available IP address
space.
In May 2005, we reported on the key characteristics of IPv6 and
identified important planning considerations for federal agencies in
transitioning to IPv6[Footnote 1]. The Office of Management and Budget
(OMB) subsequently specified activities and milestones for federal
agencies to follow to transition their network backbones to IPv6 by
June 2008.
As agreed with your office, our objectives were to determine (1) the
status of federal agencies' efforts to transition to IPv6; (2) what
emerging applications are being planned or implemented that take
advantage of IPv6 features; and (3) key challenges industry and
government agencies face as they transition to the new protocol.
To conduct our work, we distributed a structured data collection
instrument to the 24 major agencies[Footnote 2] to determine their
efforts in completing key transition activities. We also obtained and
reviewed supporting documentation, including agencies' IPv6 transition
plans, to validate their responses. To identify emerging applications
that are being planned and challenges organizations are facing in the
transition, we researched and analyzed technical documents, reviewed
relevant publications, and interviewed IPv6 experts in government and
industry. We performed our work from August 2005 through May 2006 in
accordance with generally accepted government auditing standards.
Details of our objectives, scope, and methodology are included in
appendix I.
Results in Brief:
Federal agencies have taken steps to plan for the transition to IPv6,
but several agencies have not completed key activities. For example, as
of April 2006, almost all of the 24 major agencies have assigned an
official to lead and coordinate the IPv6 transition. However, ten
agencies had not developed IPv6-related policies and enforcement
mechanisms. Until agencies complete key planning activities, their
transition efforts risk not being successful. To help address this,
agencies are required to report to OMB their status in completing
these.
Applications that take advantage of IPv6 features are being planned or
implemented both within and outside of the federal government,
including applications to support emergency response, enhance
warfighting capabilities, and facilitate continuity of operations
planning. However, these applications are few, in large part because
organizations are still in the early stages of the transition or
because they lack incentives to use the new protocol.
Transitioning to IPv6 presents several challenges. Significant ones
include managing information security in an environment that is more
vulnerable to threats; incorporating IPv6 features into applications'
business cases to identify new and better ways of meeting mission
goals; and interfacing with partners that may be in various stages of
the transition. Other challenges include maintaining dual IPv4 and IPv6
environments for an extended period of time and implementing standards
required by the use of the new protocol. All of these challenges could
impede progress in transitioning to IPv6 if agencies do not address
them as they proceed with the transition.
To strengthen agencies' IPv6 transition planning efforts, we recommend
that the Director of OMB direct federal agencies to work through the
CIO Council Architecture and Infrastructure Committee and the IPv6
Working Group, two of the groups that play key roles in transitioning
the federal government to IPv6, to address key challenges that they
face as they proceed with the transition.
Representatives of OMB's Office of Information and Regulatory Affairs
and Office of the General Counsel provided oral comments on a draft of
this report. In these comments, OMB generally agreed with the report
results and described actions being taken to address our
recommendation. Specifically, they stated that IPv6 Working Group
subcommittees were established in May 2006 to begin addressing
challenges including security, testing, and standards, and that
agencies were working with these subcommittees to find solutions to the
challenges. OMB also provided technical corrections, which we
incorporated as appropriate.
Background:
Since the early 1990s, increasing computer interconnectivity--most
notably in the use of the Internet--has revolutionized the way that our
government, our nation, and much of the world communicate and conduct
business. A key factor in the growth of the Internet has been the
protocols-such as the Internet protocol-that enable the transmission of
information across a global network of networks. Currently, the most
widely used version of IP is version 4 (IPv4).
Internet Protocol Aids in the Transmission of Information across the
Internet:
The two basic functions of IP include (1) addressing and (2)
fragmentation of data, so that information can move across networks. An
IP address consists of a fixed sequence of numbers. The current IP
version most widely used is IPv4, which uses a 32-bit address format
and provides approximately 4.3 billion unique IP addresses. Figure 1
provides a conceptual illustration of an IPv4 address.
Figure 1: Figure 1: Internet Protocol Version 4 Address:
[See PDF for image]
Source: GAO.
[End of figure]
By providing a numerical description of the location of networked
computers, addresses distinguish one computer from another on the
Internet. In some ways, an IP address is like a physical street
address. For example, in the physical world, if a letter is going to be
sent from one location to another, the contents of the letter must be
placed in an envelope that contains addresses for the sender and
receiver. Similarly, if data is going to be transmitted across the
Internet from a source to a destination, IP addresses must be placed in
an IP header. Figure 2 provides a simplified illustration of this
concept. In addition to containing the addresses of sender and
receiver, the header also contains a series of fields that provide
information about what is being transmitted.
Figure 2: Figure 2: An Internet Protocol Header Contains IP Addresses
for the Source and Destination of Information Transmitted across the
Internet:
[See PDF for image]
Source: GAO.
[End of figure]
The limited address space in IPv4 prompted organizations that need
large amounts of IP addresses to implement technical solutions to
compensate. In 1994, the Internet Engineering Task Force (IETF) began
reviewing proposals for a successor to IPv4 that would increase IP
address space and simplify routing. IETF established a working group to
be specifically responsible for developing the specifications for and
standardization of IPv6.
Key Characteristics of IPv6 Increase Address Space and Improve
Functionality:
The key characteristics of IPv6 include:
* a dramatic increase in IP address space,
* a simplified IP header for flexibility and functionality,
* improved routing of data,
* enhanced mobility features,
* easier configuration capabilities,
* improved quality of service, and:
* integrated Internet protocol security.
These key characteristics of IPv6 offer various enhancements relative
to IPv4 and are expected to increase Internet services and enable
advanced Internet communications that could foster new software
applications for federal agencies.
IPv6 Dramatically Increases Address Space:
IPv6 dramatically increases the amount of IP address space available
from the approximately 4.3 billion addresses in IPv4 to approximately
3.4 × 1038. Because IPv6 uses a 128-bit address scheme rather than the
32-bit address scheme used in IPv4, it is able to allow many more
possible addresses. The increase in the actual bits in the address and
the immense number of possible combinations of numbers make the
dramatic number of unique addresses a possibility. Figure 3 shows the
difference between the length of an IPv4 address and that of an IPv6
address.
Figure 3: Figure 3: Comparison of IPv4 and IPv6 Address Schema:
[See PDF for image]
Source: GAO.
[End of figure]
Simplified Header Intended to Promote Flexibility and Functionality:
The IP header contains information such as the source and destination
addressee, used to transmit data across the Internet. Simplifying the
IPv6 header promotes flexibility and functionality for two reasons.
First, the header size is fixed in IPv6. In the previous version,
header sizes could vary, which could slow routing of information.
Second, the structure of the header itself has been simplified. While
the IPv6 addresses are significantly larger than in IPv4, the header
containing the address and other information about the data being
transmitted has been simplified. Another benefit of the simplified
header is its ability to accommodate new features, or extensions. For
example, the next header field provides instructions to the routers
transmitting the data across the Internet about how to manage the
information.
Improved Routing Offers More Efficient Movement of Information:
The improved routing, or movement of information from a source to a
destination, is more efficient in IPv6 because it incorporates a
hierarchal addressing structure and has a simplified header. The large
amount of address space allows organizations with large numbers of
employees to obtain blocks of contiguous address space. Contiguous
address space allows organizations to aggregate addresses under one
prefix for identification on the Internet. This structured approach to
addressing reduces the amount of information Internet routers must
maintain and store and promotes faster routing of data. In addition, as
previously mentioned, IPv6 has a simplified header because of the
elimination of six fields from the IPv4 header. The simplified header
also contributes to faster routing.
Enhanced Mobility Features Provide Seamless Connectivity:
IPv6 improves mobility features by allowing each device (wired or
wireless) to have a unique IP address independent of its current point
of attachment to the Internet. As previously discussed, the IPv6
address allows computers and other devices to have a static interface
ID. The interface ID does not change as the device transitions among
various networks. This enables mobile IPv6 users to move from network
to network while keeping the same unique IP address. The ability to
maintain a constant IP address while switching networks is cited as a
key factor for the success of a number of evolving capabilities, such
as telephone technologies, personal digital assistants, laptop
computers, and automobiles.
Enhanced Configuration Capabilities Can Ease Aspects of Network
Administration:
IPv6 enhancements can ease difficult and time-consuming aspects of
network administration tasks in today's IPv4 networks. For example, two
new configuration enhancements of IPv6 include automatic address
configuration and neighbor discovery. These enhancements may reduce
network administration burdens by providing the ability to more easily
deploy and manage networks. IPv6 supports two types of automatic
configuration: stateful and stateless. Stateful configuration uses the
dynamic host configuration protocol. This stateful configuration
requires another computer, such as a server, to reconfigure or assign
numbers to network devices for routing of information, which is similar
to how IPv4 handles renumbering. Stateless automatic configuration is a
new feature in IPv6 and does not require a separate dynamic host
configuration protocol server as in IPv4. Stateless configuration
occurs automatically for routers and hosts. Another configuration
feature--neighbor discovery--enables hosts and routers to determine the
address of a neighbor or an adjacent computer or router. Together,
automatic configuration and neighbor discovery help support a plug-and-
play Internet deployment for many devices, such as cell phones,
wireless devices, and home appliances. These enhancements help reduce
the administrative burdens of network administrators by allowing the
IPv6-enabled devices to automatically assign themselves IP addresses
and find compatible devices with which to communicate.
Enhanced Quality of Service Can Prioritize Information Delivery:
IPv6's enhanced quality of service feature can help prioritize the
delivery of information. The flow label is a new field in the IPv6
header. This field can contain a label identifying or prioritizing a
certain packet flow, such as a video stream or a videoconference, and
allows devices on the same path to read the flow label and take
appropriate action based on the label. For example, IP audio and video
services can be enhanced by the data in the flow label because it
ensures that all packets are sent to the appropriate destination
without significant delay or disruption.
Enhanced Integration of IP Security Can Assist in Data Protection:
IP security--a means of authenticating the sender and encrypting the
transmitted data--is better integrated into IPv6 than it was in IPv4.
This improved integration, which helps make IP security easier to use,
can help support broader data protection efforts. IP security consists
of two header extensions that can be used together or separately to
improve authentication and confidentiality of data being sent via the
Internet. The authentication extension header provides the receiver
with greater assurance of who sent the data. The encapsulating security
header provides confidentiality to messages using encrypted security
payload extension headers.
Previous GAO Work Noted Little Progress in Planning to Transition to
IPv6:
In May 2005, we reported that, with the exception of DOD, the majority
of the 24 major federal agencies reported that they had not yet
initiated key planning efforts for IPv6[Footnote 3]. Among other
things,
* 21 agencies reported not having plans for transitioning their
infrastructure and applications to IPv6,
* 19 agencies reported not having inventoried their IPv6-capable
equipment, and:
* 22 agencies reported not having estimated costs for the transition.
Although agencies had done little to prepare for the transition to
IPv6, the transition was already under way for many federal agencies
because their networks already contained IPv6-capable software and
equipment. Introducing this equipment into an organization allows the
organization to have the capability to carry IPv6 traffic. Therefore,
we recommended that the Director of OMB instruct federal agencies to
acknowledge that a key step in addressing planning and security
challenges includes the recognition that IPv6-capable software and
equipment exists in agency networks and that agencies follow this five-
step process to guide their IPv6 planning and transitioning:
1. develop inventories and assess risks,
2. create business cases for an IPv6 transition,
3. establish policies and enforcement mechanisms,
4. determine the costs, and:
5. identify timelines and methods for the transition.
We further recommended that agencies take immediate action to ensure
that their systems were not compromised as a result of not effectively
recognizing and managing IPv6-capable software and hardware.
OMB Specifies Activities, Deadlines for IPv6 Transition:
Following the issuance of our May 2005 report on IPv6, OMB issued a
memorandum[Footnote 4] to federal chief information officers (CIO)
specifying a series of activities and associated deadlines for federal
agencies to configure their infrastructure (network backbones) to carry
IPv6 traffic by June 2008. For example, the memorandum required
agencies to assign an official to lead and coordinate IPv6 transition
planning efforts; conduct an inventory of existing routers, switches,
and hardware firewalls; and begin an analysis of fiscal and operational
impacts and risks of transitioning to IPv6 by November 15, 2005. The
development of policies and enforcement mechanisms, training material,
and the initiation of activities including maintaining and monitoring
agency networks were to be documented in a transition plan. This
transition plan was to be associated with the agencies' enterprise
architecture and submitted to OMB by February 2006. The impact analysis
and inventory started in November are to be completed by June 30, 2006.
Table 1 lists the transition activities and deadlines defined in the
OMB memorandum.
Table 1: Table 1: IPv6 Transition Activities Defined by OMB:
Activity: Activities due by November 15, 2005.
(1) Assign an official to lead and coordinate IPv6 transition planning.
(2) Complete an inventory of existing routers, switches, and hardware
firewalls.
(3) Begin an inventory of all other existing IP-compliant devices and
technologies not captured in the first inventory.
(4) Begin an impact analysis to determine fiscal and operational
impacts and risks of transitioning to IPv6.
Activity: Activities to be addressed by February 2006[A].
(5) Conduct a requirements analysis to identify current scope of IPv6
within the agency, current challenges using IPv4, and target
requirements.
(6) Develop a sequencing plan for IPv6 implementation, integrated with
the agency's enterprise architecture.
(7) Develop IPv6-related policies and enforcement mechanisms.
(8) Develop IPv6-related training material for stakeholders.
(9) Develop and implement a test plan for IPv6 compatibility/
interoperability.
(10) Begin migration to IPv6 using a phased approach.
(11) Begin IPv6-related maintenance and monitoring of the agency's
networks.
(12) Begin updating IPv6 requirements and target architecture.
Activity: Activities due by June 30, 2006.
(13) Complete an inventory of existing IP-compliant devices and
technologies not captured in the first inventory.
(14) Complete impact analysis of fiscal and operational risks.
Activity: Activities due by June 2008.
(15) All agency infrastructures (network backbones) must be using IPv6
and agency networks must interface with this infrastructure. Agencies
will include progress reports on meeting this target date as part of
their enterprise architecture transition strategy.
Source: OMB.
[A] OMB asked agencies to address these actions to the extent they
could in a transition plan that was due to OMB by February 2006.
[End of table]
Collectively, the activities specified in the memorandum address four
of the five planning steps we recommended agencies take to prepare for
the IPv6 transition: developing inventories and assessing risks,
establishing policies and enforcement mechanisms, determining
transition costs, and identifying timelines and methods for the
transition. The transition costs are to be identified in the impact
analysis agencies were to start working on in November 2005.
Federal agencies are to report their progress in completing the
required activities to OMB. Specifically, according to the IPv6
Transition Guidance document issued by the CIO Council Architecture and
Infrastructure Committee[Footnote 5] in February 2006, agencies were to
submit to OMB a progress report containing the following:
* status of the second IP devices and technologies inventory;
* status of the IPv6 impact analysis;
* overall agency progress toward an IPv6 transition;
* interim milestones and dates for each of the deadlines specified by
OMB; and:
* challenges, issues, or risks agencies are facing with completion of
the second inventory, impact analysis, or other aspects of the agency's
transition to IPv6.
Following this initial submission, agencies are to submit quarterly
IPv6 status reports to OMB showing progress against previously
established milestones and updated transition plans.
In addition to establishing milestones for the IPv6 transition, OMB has
tasked the CIO Council's Architecture and Infrastructure Committee with
establishing IPv6 transition guidance for all federal agencies. As
noted above, the Committee recently issued this guidance[Footnote 6].
The Committee is to disseminate the guidance it issues and other
information to agencies through the agency leads and the Council's Web
site. OMB also established the IPv6 Working Group, which is comprised
of the IPv6 lead personnel for all federal agencies as well as subject
matter experts. The IPv6 Working Group meets to share lessons learned
and provide seminars on functional areas relevant to the federal
government transition, including standards, testing, and training.
Federal Agencies Are in the Early Stages of Transitioning to IPv6:
Federal agencies have taken steps to plan for the transition to IPv6,
but several have not completed key planning activities by February 2006
as required by the OMB memorandum. Until agencies complete key planning
activities, their transition planning efforts risk not being
successful.
In response to OMB's memorandum, federal agencies have taken steps to
plan for the transition to IPv6. Specifically, almost all of the 24
major agencies have assigned an official to lead and coordinate the
IPv6 transition, have conducted an inventory of all routers and
switches and hardware firewalls, and have begun a financial and
operational impact analysis, in accordance with the requirements of the
OMB memorandum. Figure 4 depicts the agencies' status as of April 2006
with completion of the OMB activities that were due by November 15,
2005.
Figure 4: Figure 4: Status of Agencies' Efforts to Address Activities
Required by November 15, 2005:
[See PDF for image]
Source: GAO analysis of agency data.
[End of figure]
Much remains to be accomplished before agencies will have completed key
planning activities. Specifically, as of February, only 9 of the 23
agencies that reported having begun an impact analysis had developed
preliminary costs for the transition as required as part of this
analysis. These costs ranged from $960,000 to more than $20 million.
Agencies stated a variety of reasons for not being able to develop
preliminary costs at this stage in the transition, including the many
unknowns of the transition, the need to first complete a business case
and a requirements analysis before a cost estimate was developed, and
finally, the anticipation that the funding for the IPv6 transition
would be accomplished using the existing agency budget. Nevertheless,
until agencies can determine all costs associated with the transition
as we previously recommended, they may not be able to adequately
budget, among other things, for the infrastructure and application
upgrades, training, and operation of multiple IP environments that are
associated with IPv6 transition efforts.
In addition, as of April 2006, at least one-third of the 24 major
agencies had not completed 7 of the 8 activities that OMB required to
be completed by February. For example,
* 9 agencies did not conduct a requirements analysis to identify the
current scope of IPv6 within their agencies, current challenges using
IPv4, and target requirements;
* 10 agencies did not develop IPv6 policies and enforcement mechanisms,
which, as previously noted, we also recommended in our prior IPv6
report[Footnote 7]; and:
* 14 agencies did not begin IPv6-related maintenance and monitoring of
their networks.
Figure 5 depicts the agencies' status as of April 2006.
Figure 5: Figure 5: Status of Agencies' Efforts to Address Activities
Required by February 2006:
[See PDF for image]
Source: GAO analysis of agency data.
[End of figure]
In accordance with the OMB memorandum, agencies are to complete two
other activities by June 30, 2006: agencies are to complete an
inventory of existing IP-compliant devices and technology not captured
in the first inventory that was due in November 2005 and complete an
impact analysis of fiscal and operational risks. According to the 24
major agencies, as of April, all have begun their inventories and all
but one has begun to conduct an impact analysis.
Until agencies complete key planning activities, their transition
efforts risk not being successful. To help address this, as previously
noted, agencies are required to report their progress quarterly to OMB.
Applications Taking Advantage of IPv6 Features Are Being Planned and
Implemented, but They Are Few:
Applications that take advantage of IPv6 features are being planned or
implemented both within and outside of the federal government,
including applications to support emergency response and warfighting
capabilities[Footnote 8]. However, these applications are few largely
because organizations are still in the early stages of the transition
or because they lack incentives to use the new protocol.
Applications within the Federal Government:
Within the federal government, the Department of Defense (DOD) has
begun to develop applications that use IPv6 features to enhance
warfighting capabilities[Footnote 9]. The new protocol is to improve
interoperability among many information and weapons systems, known as
the Global Information Grid (GIG). The IPv6 component of GIG is to
facilitate DOD's goal of achieving network-centric operations by
exploiting these key characteristics of IPv6:
* increased address space,
* enhanced mobility features,
* enhanced configuration features,
* enhanced quality of service, and:
* enhanced security features.
The increased address space of IPv6 will provide DOD with an
opportunity to reconstitute its address space architecture to better
respond to the future proliferation of numerous unmanned sensors and
mobile assets. For example, although no final decisions have been made,
DOD could use the increased address space to render a three-dimensional
map of the globe, or theater of combat, using IP addresses as
coordinates. This, along with other GIG components, would allow
tracking movements of, and maintaining detailed information on military
vehicles and individual soldiers in real time.
Permitting devices to directly communicate on the move is essential
because DOD wants to use the enhanced mobility and automatic
configuration to rapidly deploy networks across the globe. Further, DOD
believes that the return to an end-to-end communications security model
will allow it to provide greater information assurance by, among other
things, providing for more secure peer-to-peer communications. Finally,
DOD is developing applications that take advantage of IPv6's improved
quality of service features to enhance many of its other initiatives,
such as voice over IP, which is the transmission of voice data over an
IP-based network instead of the traditional transmission over a general
purpose circuit-switched network.
Beyond DOD, applications that other agencies have begun to consider
that use IPv6 features include:
* hand-held devices that take advantage of IPv6's mobility feature to
expedite the delivery of real time data gathered during field surveys
and questionnaires, on-site investigations of industry and the work of
revenue officers, security officers, auditors, and inspectors;
* the use of the IPv6 auto-configuration feature to enhance continuity
of operations planning and to improve technology response time;
* the use of the end-to-end security feature of IPv6 to build more
secure retail and wholesale transactions, including securities and
commemoratives; and:
* the use of IPv6's collective characteristics to improve existing
network management schemas and reduce IT infrastructure costs.
Applications Outside the Federal Government:
Through research and interviews with experts, we identified
applications that are being planned or developed outside the federal
government. They include the following:
* One broadband/cable provider is currently planning to migrate to IPv6
by 2008 to use the increased address space for better management of its
cable equipment.
* The telecommunications industry is working on improving customer
services by developing the next generation network. This is a new
network model that is based on the extensive use of Internet protocols-
particularly IPv6-to accommodate the diversity of applications inherent
in emerging broadband technologies. The next generation network is
characterized, among other things, by a shared core network for all
access and service types, packet-based transport technologies, open
standardized interfaces among the different network layers (transport,
control, and services), support for user-adaptable interfaces, and
variable access network capacity and type. This means that a single
infrastructure would be used to support multiple services and that
users would be able to access these services--Web pages, e- mail,
movies, or a video conference--from one mobile device.
* The North American and California IPv6 Task Forces are making plans
to develop a metropolitan network in Sacramento, California, called
MetroNet6 using IPv6 to enhance first responder technologies. MetroNet6
is an effort to use voice, video, graphics, intelligence, medical, and
other forms of data through multimedia communications for first
responders. MetroNet6 would be connected over the Internet to the
Department of Homeland Security for communications updates.
* The Japanese government reported making progress in implementing
several IPv6 applications to improve existing operations. According to
the Japanese IPv6 Promotion Council, Japan plans to have almost all of
its telecommunications run on IPv6 to support applications that would
improve telephone, cable, and facility management (e.g., security and
electricity) services. For example, the use of an IPv6 infrastructure
for facility management would support applications that minimize energy
use in industrial buildings.
Few Applications Are Being Planned and Implemented:
While applications that take advantage of IPv6 features exist, they are
few. Specifically, as of February 2006, of the 24 major agencies, only
DOD reported that it was developing IPv6 applications; 4 agencies
stated they were considering applications; and none reported having
implemented any[Footnote 10]. Several federal agencies reported that,
because they are in the early stages of transitioning to IPv6, they
have not yet considered how IPv6 applications could be used to improve
their ability to meet their missions. They added that they will begin
thinking of this once they have a better understanding of the benefits
they can derive from using the protocol. Our review of technical
publications and interviews with IPv6 experts did not identify many
IPv6 applications, either. According to these sources, this is in large
part because organizations outside the federal government currently
have little incentive to transition their infrastructures and thereby
implement applications to take advantage of IPv6.
Several Challenges Exist for Industry, Government Agencies during the
IPv6 Transition:
Transitioning to IPv6 presents several challenges. Significant
challenges include managing information security in an environment that
is more vulnerable to threats; incorporating IPv6 features in
application business cases to identify new and better ways of meeting
mission goals; and interfacing with partners that may be in various
stages of the transition. Other challenges include maintaining dual
IPv4 and IPv6 environments for an extended period of time and
implementing standards required by the use of the new protocol. All of
these challenges could impede progress if they are not addressed by
agencies as they proceed with the transition.
Managing Information Security:
Federal agencies are required by law to take a risk-based approach to
managing information security[Footnote 11]. Further, OMB guidance
requires agencies to indicate whether their security policies include
special procedures for using emerging technologies including
IPv6[Footnote 12]. Nevertheless, for federal agencies, as well as for
other organizations, managing the information security risks of IPv6 is
a difficult challenge to address for the following reasons:
* Using IPv6 features during transition could make agencies more
vulnerable to security threats. We previously reported that, as IPv6-
capable software and devices accumulate in agency networks, they could
be abused by attackers if not managed properly. For example, IPv6 is
included in most computer operating systems and, if it is not enabled
by default, it is easy for administrators to enable either
intentionally or as an unintentional by-product of running a program.
We previously reported on our tests of two IPv6 features--automatic
configuration and tunneling--and determined that, if not properly
managed, they could present serious risks to federal agencies[Footnote
13]. Accordingly, we recommended that agency heads take immediate
actions to manage near-term security risks, including determining what
IPv6 capabilities they may have, and initiate steps to ensure that they
can control and monitor IPv6 traffic.
* Many of the current security tools are not mature enough to protect
against breaches in IPv6 security. A recent federal plan on cyber
security research concluded that the immaturity of current security
tools (e.g., firewall software and intrusion detection systems) results
in high levels of risk for breaches of security with IPv6[Footnote 14].
The report noted that not enough research has been done yet to provide
a full suite of security tools and support to make IPv6 as secure as
IPv4 and to fully assess the security implications of widespread IPv6
implementation. Taking the immaturity of current security tools into
consideration will be critical to ensuring organizations' networks are
adequately secure.
* Adopting end-to-end security-based models will become critical
whereas perimeter-based approaches were previously more widely used.
End-to-end based networking models lend themselves better to the
implementation of IPv6 features and mobile technologies such as IP
phones than the perimeter-based approaches that are more widely used.
This presents a challenge in that many organizations will need to
rethink the way they currently secure their networks. According to the
Department of Commerce, most enterprises currently implement security
measures at the perimeter of their corporate networks using firewalls,
etc[Footnote 15]. This perimeter approach to protect a network means
there are very few devices on an enterprise's network that are
connected directly to the Internet. Most devices are connected to a
central location where IP traffic travels through firewalls and
intrusion detection systems. However, with the transition to IPv6 and
the proliferation of laptop computers, personal directory assistants,
and IP phones, more and more devices will be connected directly to each
other without traveling through the enterprise perimeter firewall and
securing this new topology will require a lot of effort.
Incorporating IPv6 Features into Application Business Cases:
Incorporating IPv6 features into application business cases can be
challenging because, as discussed earlier, there are currently few IPv6
applications available and, therefore, it is difficult for agencies to
envision how IPv6 features could help them achieve their missions more
efficiently or effectively. In addition, it may be very difficult for
people in organizations who have been performing functions for a long
time to think of how the protocol could be used to perform those
functions in new ways. Further, the business executives who should be
involved in determining how to incorporate IPv6 into their
applications' business cases may be reluctant to commit their time to
doing this if they do not see any immediate business benefit.
Nevertheless, incorporating IPv6 features into applications' business
cases as appropriate, as we have previously recommended, is important
because it could serve to maximize the benefits of transitioning to
IPv6.
Interfacing with External Partners during the Transition Period:
Interfacing with external partners during the transition can be
challenging in that a great level of coordination and testing among all
players involved needs to occur to ensure that problems-for example,
connection delays and network insecurity-are minimized. In addition,
benefits that cannot be realized until all parties are communicating
using IPv6 can be difficult to attain because external partners can be
in various stages of transitioning to IPv6. While operating in dual-
stack mode is expected to alleviate problems with interfacing,
coordinating transition plans with external partners and running
appropriate tests is critical to helping identify and resolve issues
and ensure that key benefits are realized.
Other Challenges:
Other challenges industry and government agencies face as they
transition include the following:
* Dual IPv4 and IPv6 environments will be maintained for an extended
period of time. Maintaining two network protocols is challenging in
that it adds complexity to network maintenance and associated costs are
higher. In addition, it requires skilled personnel. Further, it may be
difficult to maintain hardware and software interoperability across
dual environments.
* Multi-homing using IPv6 will be a challenge. Multi-homing occurs when
a host is assigned an IP address from more than one Internet service
provider providing the host with more than one IP address. Multi-homing
gives an organization greater reliability because, if one provider
stops working, it can rely on the other provider. However, the method
used to implement multi-homing in an IPv4 environment creates routing
issues in an IPv6 environment. Various proposals are being explored to
address this challenge including a new standard developed by the
Internet Engineering Task Force.
* Implementing the new IPv6 standards will be a challenge because (1)
IPv6 standards are less mature than IPv4 standards and (2) some IPv6
standards are still evolving.
Because IPv6 standards are less mature than IPv4 standards, different
vendors may interpret and implement the standards in a slightly
different way and this could lead to interoperability problems. In a
recent report, the Alliance for Telecommunications Industry Solutions
stated that certain tests (known as conformance tests) can measure how
vendors' products conform to various standards, but they also noted
that these tests rarely measure every nuance of a protocol[Footnote
16].
With IPv6 standards evolving, it is important for organizations to
ensure that the IPv6 capabilities they are implementing can be upgraded
to incorporate newer standards. OMB acknowledged this challenge in its
IPv6 Transition Guidance and asked that agencies consider these
challenges in developing their transition plans.
Conclusions:
Federal agencies have taken steps to transition to IPv6, but several
have not completed key activities, including determining transition
costs as part of their impact analysis and developing IPv6-related
policies and enforcement mechanisms. By missing deadlines for
completing key activities, agencies risk jeopardizing their ability to
successfully transition their infrastructures to IPv6 by the June 2008
target specified by OMB. OMB has the means to stay abreast of the
status of agencies' efforts through quarterly progress reviews these
agencies are required to submit.
Applications are being planned or implemented to take advantage of IPv6
both within and outside the federal government. However, they are few,
in large part because organizations are either too early in their
transition efforts to begin considering them or they currently lack the
incentive to do so. Nevertheless, with its key characteristics, IPv6
holds much promise for organizations as they better understand how they
can take advantage of the new protocol.
Transitioning to IPv6 presents several challenges to industry and
government agencies. Some of the more significant challenges include
managing information security in an environment that is vulnerable to
threats, incorporating IPv6 features into applications' business cases
to identify new and better ways of meeting mission goals, and
interfacing with partners that are in various stages of the transition.
Others include maintaining dual IPv4 and IPv6 environments for an
extended period of time and implementing standards required by the use
of the new protocol. All of these challenges could impede progress if
they are not addressed by agencies as they proceed with the transition.
Recommendation for Executive Action:
To strengthen agencies' IPv6 transition planning efforts, we recommend
that the Director of OMB direct federal agencies to work through the
CIO Council Architecture and Infrastructure Committee and the IPv6
Working Group to address challenges agencies face such as interfacing
with external partners during the transition period as they proceed
with the transition.
We have previously made recommendations that agencies take action to
address security risks, determine transition costs, and develop
business cases. We are, therefore, not making new recommendations on
these issues in this report.
Agency Comments and Our Evaluation:
Representatives of OMB's Office of Information and Regulatory Affairs
and Office of the General Counsel provided oral comments on a draft of
this report. In these comments, OMB generally agreed with the report
results and described actions being taken to address our
recommendation. Specifically, they stated that IPv6 Working Group
subcommittees were established in May 2006 to begin addressing
challenges including security, testing, and standards, and that
agencies were working with these committees to find solutions to the
challenges. OMB also provided technical corrections, which we
incorporated in the report as appropriate.
As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
from the date of this letter. At that time, we will send copies to
interested congressional committees and to the Director, Office of
Management and Budget. Copies of this report will be made available to
others on request. In addition, the report will be available at no
charge on GAO's Web site at [Hyperlink, http://www.gao.gov].
If you have any questions about this report, please contact David
Powner at (202) 512-9286, or pownerd@gao.gov; or Keith Rhodes at (202)
512-6412, or rhodesk@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. Major contributors to this report are listed in
appendix II.
Sincerely yours,
Signed by:
David A. Powner, Director,
Information Technology Management Issues:
Signed by:
Keith A. Rhodes, Chief Technologist, Director,
Center for Technology and Engineering:
Footnotes
[1] GAO, Internet Protocol Version 6: Federal Agencies Need to Plan for
Transition and Manage Security Risks, GAO-05-471 (Washington, D.C.: May
2005).
[2] The 24 major agencies are the Departments of Agriculture, Commerce,
Defense,Education, Energy, Health and Human Services, Homeland
Security, Housing and Urban development, the Interior, Justice, Labor,
State, Transportation, the Treasury, and Veterans Affairs; and the
Environmental Protection Agency, General Services Administration,
National Aeronautics and Space administration, National Science
Foundation, Nuclear regulatory Commission, Office of personnel
management, Small Business Administration, Social Security
Administration, and U.S. Agency for International Development.
[3] GAO-05-471.
[4] OMB, Memorandum for Chief Information Officers: Transition Planning
for Internet Protocol Version 6 (IPv6), m-05-22 (August 2005).
[5] Federal CIO Council Architecture and Infrastructure Committee, IPv6
Transition Guidance version 1.0. The document was issued in draft form
in February 2006 and released in final form in May 2006.
[6] A representative from OMB's Office of Information and Regulatory
Affairs noted that additional guidance will be issued as deemed
necessary.
[7] GAO-05-471.
[8] We are using the term "application" to refer to software that runs
on the IPv6 infrastructure. We are not including systems software such
as operating systems and other software used to manage computer
networks.
[9] DOD has been planning these applications since 2003.
[10] These numbers reflect February 2006 responses to our information
request to the 24 major agencies. When we met with OMB staff at the end
of our review, they indicated that a few more agencies were considering
applications as a result of developing a better understanding of the
key characteristics of the new protocol.
[11] Federal Information Security Management Act, Title III, E-
Government Act of 2002, Pub. L. 107-347 (Dec. 17, 2002).
[12] OMB, Memorandum for the Heads of Departments and Agencies: FY 2005
Reporting instructions for the Federal Information Security Management
Act and Agency Privacy Management, M-05-15 (June 2005).
[13]GAO-05-471.
[14] Interagency Working Group on Cyber Security and Information
Assurance, Federal Plan for Cyber Security and Information assurance
Research and Development (Washington, D.C.: April 2006).
[15] U.S. Department of Commerce, Technical and Economic Assessment of
Internet Protocol Version 6 (IPv6) (Washington, D.C.: January 2006).
[16] Alliance for Telecommunications Industry Solutions, Internet
protocol Version 6 Report and Recommendation (Washington, D.C.: May
2006).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
