Tech

OMB issues another draft memo pushing IPv6, but will agencies react this time?

The White House is clear about what it wants, but the switch to IPv6 has been in the works for a long time already.

March 3, 2020

Suzette Kent speaks Jan. 28, 2020, at the Zero Trust Security Summit presented by Duo Security and produced by FedScoop and CyberScoop. (Scoop News Group)

The Office of Management and Budget wants agencies to set timelines for finishing the move to Internet Protocol version 6 (IPv6), but chief information officers have been slow to react previously.

OMB updated requirements for agencies to switch to IPv6-only information systems and services in a draft memo released Monday on the Federal Register. The current standard for identifying entities communicating via the internet, IPv4, was developed in 1983.

IPv4 uses 32-bit addresses comprised of four numbers ranging from zero to 255 and separated by periods. The available, free pool of IPv4 addresses ran out in 2015, with technical and economic stopgaps proving costly to network infrastructure and innovation. IPv6 uses 128-bit addresses for 340 undecillion combinations and supports end-to-end encryption as well as more secure name resolution.

Adoption of IPv6 by large network operators, software vendors, service providers, enterprises, and state and foreign governments “dramatically increased” in the last five years, wrote Suzette Kent, the Federal CIO, in supplementary information.

“Mobile networks, data centers and leading-edge enterprise networks, for example, have been evolving to IPv6-only networks,” Kent wrote. “It is essential for the federal government to expand and enhance its strategic commitment to the transition to IPv6 in order to keep pace with and capitalize on industry trends.”

An OMB memo from August 2005 required agencies to enable IPv6 on their backbone networks by June 2008. And a September 2010 memo required agencies to upgrade public- and external-facing servers and services like web and email to use IPv6 by the end of fiscal 2012, as well as client applications that communicate with public internet servers and supporting networks by fiscal 2014.

Every deadline was missed.

Department of Commerce CIO André Mendes didn’t think widespread IPv6 adoption was likely to happen anytime soon.

“I think that is going to be a long-term transition,” Mendes said at the AFFIRM event on Feb. 20. “As much as one might hope that would be a fast transition, it’s going to be a long-term transition.”

But the Trump administration’s proposed fiscal 2021 budget listed an IPv6-only environment as a federal priority, and the “Completing the Transition to IPv6” draft memo sets new benchmarks while rescinding previous memos.

Many agencies currently maintain two distinct network infrastructures, or dual stacks, for IPv4 and IPv6.

The draft memo would require agencies to designate an integrated IPv6 governance team within 45 days of issuance and post an IPv6 policy — either moving to IPv6-only directly or else phasing out IPv4 — on its website within 180 days.

Every agency would be required to complete at least one pilot of an IPv6-only operational system and develop an IPv6 implementation plan by the end of fiscal 2021. The memo sets the milestones that 20% of IP-enabled assets be IPv6-only by fiscal 2023, 50% by fiscal 2024 and 80% by fiscal 2025 with those that can’t be converted scheduled for replacement and retirement.

Agencies would be expected to include IPv6 requirements in all acquisitions of networked information technologies and services in accordance with the National Institute of Standards and Technology’s “USGv6 Profile.” The memo would allow agency CIOs to waive the requirement on a case-by-case basis if a timeline for IPv6 migration is provided.

NIST’s USGv6 Test Program would continue to provide agencies with basic conformance and interoperability testing of commercial products.

The memo also would require agencies to ensure IT security plans, architectures and acquisitions include full support for production IPv6 services and all systems that support enterprise security services can operate in an IPv6-only environment.

While IPv6 lends itself to better security than IPv4, Mendes questioned the immediate need for the change. He noted that most breaches are due to mistakes: shoddy engineering, successful phishing attacks or poor patching.

“We tend to focus on the really esoteric levels of the cybersecurity arena, but unfortunately most of the major breaks are driven by either stupidity or human error,” Mendes said. “So I think it’s high time that we really start focusing a lot of effort on making sure those particular issues are taken care of because sometimes, when you’re looking at the esoteric, you miss the really simple.”