Back in November, I wrote about the US Government mandate on defense and civilian agencies to move to IPv6 by June 2008. Now, six months later, I figure it's time for an update.
First of all, let's understand the basics, which come from the National Institute of Standards and Technology (NIST) Special Publication 500-267, formally titled "A Profile for IPv6 in the U.S. Government - Version 1.0" and published January 31, 2007. This is a draft profile intended to assist federal agencies in developing plans to acquire and deploy products that implement IPv6. It recommends IPv6 capabilities for common network devices, including hosts, routers, intrusion detection systems, and firewalls, and includes a selection of IPv6 standards and specifications needed to meet the minimum operational requirements of most federal agencies. It was developed to help ensure that IPv6-enabled federal information systems are interoperable and secure, and it addresses how such systems can interoperate and co-exist with current IPv4 systems. The draft was open for comments for 30 days, and updates were posted March 22.
And therein lies the rub. It has not yet been determined whether it will be required for vendors to pass IPv6 conformance testing in order to sell to the federal government, or whether the agencies would have to conform to the NIST 500-267 coexistence recommendations. This is a who-blinks-first game of chicken.
NIST wants Federal IPv6 implementations to:
- pass conformance tests
- support IPsec v3, IKE, HMAC-SHA-256 and the IPv6 Management Information Base (MIB) specified in RFC 4293, with routers also supporting the Forwarding Table and Tunnel MIBs
- feature network devices that are just as capable as their IPv4 counterparts
- allow for dual IPv6 and IPv4 stacks and handle all IPv6/IPv4 tunneling schemes
- provide a configurable capability to detect suspicious traffic based on known attack patterns, malformed packet types and port scanning, and to detect threat patterns even when packet contents are embedded behind multiple headers
- include IPv6 intrusion prevention systems that provide the means to stop or attenuate detected attacks
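The last two requirements are the ones that trip up IPv4-era inspection engines: with IPv6 extension headers, the transport header is no longer at a fixed offset, so an inspector has to walk the header chain before it can apply any port or signature rule. The Python below is an added example, not code from NIST or from any vendor on this page: it walks the extension-header chain of a raw IPv6 packet and returns the findings a simple inspection policy might raise. The chain limit (MAX_CHAIN), the hop-by-hop ordering rule and build_packet (which constructs the sample packets) are assumptions made for the example.

```python
import struct

# IPv6 extension header Next Header values (RFC 2460 and IANA assignments).
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
MAX_CHAIN = 4  # hypothetical policy limit on extension headers per packet


def walk_extension_chain(pkt: bytes):
    """Return (chain, upper_layer, findings) for a raw IPv6 packet: extension
    header types in order, the final protocol number (None if the chain
    cannot be followed), and detection findings for the inspection engine."""
    findings = []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return [], None, ["not an IPv6 packet"]
    if len(pkt) < 40 + struct.unpack("!H", pkt[4:6])[0]:
        findings.append("truncated: payload length exceeds captured bytes")
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 2 > len(pkt):
            return chain, None, findings + ["truncated extension header"]
        if nxt == HOP_BY_HOP and chain:
            findings.append("hop-by-hop header not first in chain")
        if nxt == FRAGMENT:
            hlen = 8                          # fragment header is fixed size
        elif nxt == AH:
            hlen = (pkt[off + 1] + 2) * 4     # AH length: 4-octet units, minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8     # others: 8-octet units after the first 8
        chain.append(nxt)
        nxt, off = pkt[off], off + hlen
        if len(chain) > MAX_CHAIN:
            findings.append(f"extension header chain longer than {MAX_CHAIN}")
            break
    if off > len(pkt):
        return chain, None, findings + ["header length runs past end of packet"]
    return chain, nxt, findings


def build_packet(ext_types, upper=6):
    """Constructed sample input: a minimal IPv6 packet carrying the given
    extension headers (8 octets each, AH 16) ending in protocol `upper`."""
    seq, body = list(ext_types) + [upper], b""
    for t, nh in zip(seq, seq[1:]):
        if t == AH:
            body += bytes([nh, 2]) + b"\x00" * 14   # (2 + 2) * 4 = 16 octets
        else:
            body += bytes([nh, 0]) + b"\x00" * 6    # length field 0 = 8 octets
    hdr = b"\x60\x00\x00\x00" + struct.pack("!H", len(body)) + bytes([seq[0], 64])
    return hdr + b"\x00" * 32 + body
```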
But in the meantime, some vendors are proceeding with IPv6 security-conforming products.
From a Network World report on the subject, comes this table of Department of Defense IPv6-approved products:
Defense Department IPv6-capable approved products list

| Product type | Vendor product | Date approved |
|---|---|---|
| Host software | Microsoft Vista Enterprise | 2/16/07 |
| Mail client | Microsoft Outlook | 2/16/07 |
| Application Web browser | Microsoft IE 7.0 | 2/16/07 |
| Simple network appliance | TechGuard PoliWall | 2/23/07 |
| Router | Juniper JUNOS 7.6 M20, M120, M7i, M10i, M20, M40e | 12/15/06 |
| Network server | HP Jet Director 635n IPv6/IPSEC Printer Server card | 7/23/06 |

Note: There are no approved IPv6 products listed for the categories that the Defense Department lists as "network appliances, cell phones, network sensors, PDAs, mobile router, Layer 3 switch, optical networking switch, security device, intrusion-detection system, intrusion-prevention system, encryptor, authentication server and advanced server."
I especially like the note. Seems to be a rather lengthy list of things not yet approved. Hmmm.
NIST undertook an effort to evaluate the need for additional standards and testing infrastructures to support emerging U.S. Government (USG) plans for IPv6 deployment. The NIST executive summary provides the following findings:
- A core set of IPv6 standards has stabilized and operationally viable commercial implementations of these specifications are emerging. Agency budgeting, procurement and deployment planning could benefit from a common identification and definition of these base IPv6 capabilities.
- While significant commercial implementations have and continue to emerge, broad vendor product lines are currently at varying levels of maturity and completeness. Until there is time for significant market forces to effectively define de facto standard levels of completeness and correctness, product testing services may be necessary to ensure the confidence and to protect the investment of early IPv6 adopters.
- The current state of IPv6 security technologies and operational knowledge typically lags behind that of IPv4 and the existing Internet. Additional efforts are required to "raise the bar" in these areas to ensure the safety of IPv6 deployments in operational Federal IT systems. (The underlining is mine.)
- While, in general, the proliferation of technology standards is to be avoided, the existing DoD and industry profiling and testing efforts are not well suited in content, nor governance, for the perceived requirements of the USG as a whole. In the near term, the broad requirements of civilian agencies can be best met by a distinct profile and testing program. In the long term, it would be desirable to converge and harmonize these efforts into broader user/vendor initiatives in which the technical and process requirements of the USG can be accommodated.
- Some key IPv6 design issues remain unresolved. As the USG begins to undertake significant operational deployments and investments in IPv6 technology, additional efforts are warranted to ensure that the eventual resolution of these design issues remains consistent with USG requirements and investments.
It does seem that the DoD is maintaining its commitment to be IPv6 capable by the deadline of June 2008, but with 14 months to go, it sure seems like a race against the clock. I'll make a note to report again in six months to see if we've made any progress. (Earlier if warranted, of course.)