New bugs for feds to fight in transition to Internet 2.0

Federal agencies preparing migration to next generation of higher-capacity network space run risks of hacking and funding shortfalls.

The Internet's administrator last week finished allocating space for new Internet subscribers and Web-enabled devices, bringing federal agencies closer to the culmination of a half-decade of preparatory work to make systems compatible with Internet 2.0. Still, the transition will not be without risks that will require immediate attention, many federal officials say.

On Feb. 3, the Internet Corporation for Assigned Names and Numbers doled out the last batch of identification numbers -- Internet protocol addresses -- for devices linked to the current Web, Internet Protocol version 4. Though the United States has not exhausted its supply of allotted IPv4 addresses, the proliferation of mobile devices is straining reserves. So tech companies are ramping up a migration to the next-generation Internet, IPv6, which has capacity for a billion-trillion times more addresses than the current pool of Internet connection points, according to the nonprofit ICANN.

The state of affairs should not be compared to the Y2K problem, in which agencies had to scramble to ensure their computers did not go on the fritz when internal clocks hit the digits 2000, experts noted. "Our clocks won't stop working," said Sheila Frankel, a computer scientist in the computer security division at the National Institute of Standards and Technology. "The sky is not falling."

The move, however, has precipitated new security threats and financial worries.

Steven Pirzchalski, IPv6 transition program manager at the Veterans Affairs Department, agrees that the switchover is not a "sky-is-falling event," but he views the task of continuing to serve citizens online, without hiccups, as a critical issue governmentwide. The department is in good shape because VA leadership is willing to devote the time and budget necessary to meet the challenges of transitioning, he said.

Outside of VA "many agencies are understaffed and underbudgeted for the work they are trying to perform, and while much has been accomplished from the federal perspective on IPv6, we as a community should be further along," he said on Monday. "The federal community needs to keep a strong focus on IPv6 over the next four to six years to ensure we do not reach a sky-is-falling scenario, or the cost and implications of transitioning to IPv6 will become very high."

When systems reach the end of their useful lives, agencies are supposed to replace them with technology that is compatible with IPv4 and IPv6, Office of Management and Budget officials said. Agencies have been instructed to include migration planning in their IT budgets labeled as, for example, IT infrastructure investments.

Systems at major agencies have been connected to both networks concurrently since at least 2008, which was the federal target date for acquiring IPv6-compatible products. "A lot of things that government has, like Windows 7, can do both," Frankel said. Plus, "here in the United States, government and the business will be OK. We have plenty of IPv4 addresses to get us through."

But agencies might not realize that their dual-track devices are now open to traffic -- including viruses -- flowing on IPv6. "The truth is hackers have been attacking v6 for years already," she said. "People didn't realize they had v6 running. Because their firewall wasn't checking for v6 traffic," the hackers could exploit that vulnerability.

In January, NIST recommended agencies block all IPv6 traffic and disable IPv6-compatible outlets and services, if systems aren't yet protected by intrusion-detection software and firewalls for IPv6.
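The gap Frankel describes, a host listening on IPv6 while no firewall policy covers it, can be checked from two command outputs. The following is an added example, not code from the article or from NIST: the `ss -H -6 -tuln` and `ip6tables-save` outputs are constructed samples, the function names are hypothetical, and rule matching is simplified to plain `--dport ... -j ACCEPT` rules in the INPUT chain.

```python
import re

# Constructed sample: `ss -H -6 -tuln` output from a dual-stack host.
SS_SAMPLE = """\
tcp   LISTEN 0      128       [::]:22        [::]:*
tcp   LISTEN 0      511          *:443          *:*
tcp   LISTEN 0      4096     [::1]:631       [::]:*
udp   UNCONN 0      0         [::]:5353      [::]:*
"""

# Constructed sample: `ip6tables-save` on a host with no IPv6 policy.
RULES_OPEN = """\
*filter
:INPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample: default-deny IPv6 policy that admits only HTTPS.
RULES_DENY = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

def listeners(ss_text):
    """Yield (proto, port) for sockets reachable from off-host over IPv6."""
    for line in ss_text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        addr, _, port = f[4].rpartition(":")  # f[4] is Local Address:Port
        if addr.strip("[]") != "::1":  # skip loopback-only binds
            yield f[0], int(port)

def input_policy(save_text):
    """Return (INPUT default policy, explicitly accepted (proto, port) set)."""
    policy = re.search(r"^:INPUT (\w+)", save_text, re.M)
    accepts = re.findall(  # simplified matching: an assumption of this example
        r"^-A INPUT\b.*-p (tcp|udp)\b.*--dport (\d+)\b.*-j ACCEPT", save_text, re.M)
    return (policy.group(1) if policy else "ACCEPT"), {(p, int(n)) for p, n in accepts}

def audit(ss_text, save_text):
    """Classify each IPv6 listener as unfiltered, allowed or blocked."""
    policy, accepts = input_policy(save_text)
    default = "unfiltered" if policy == "ACCEPT" else "blocked"
    return {s: "allowed" if s in accepts else default for s in listeners(ss_text)}
```

Any listener reported as `unfiltered` is a service that answers over IPv6 with no rule deciding whether it should.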

Agencies have until the end of September 2012 to shift public websites, e-mail and other online services to actively use IPv6, according to a September 2010 OMB memo. By October 2014, they must change over all internal applications that interface with the Internet.

Veterans Affairs realized early that transitioning would be a challenge because the department has so much networked technology nationwide, including medical devices, patient records that must remain protected under federal privacy laws and IT infrastructure at remote VA facilities. The department set up labs to experiment with IPv6 technology in 2005 soon after OMB required all agencies to begin migrating to IPv6.

"VA knows they have a problem, so they have been proactively working on it," Frankel said.

One of the less obvious tricks to transitioning will be accommodating citizens whose newly networked computers are not configured to work with the old Internet, federal officials said. High-speed Internet access now being rolled out to underserved areas, as part of the government's national broadband plan, likely will rely on IPv6. During the conversion, IPv4 and IPv6 will have to co-exist.

"We also see the looming problem of veterans with IPv6-only connectivity in the coming years," Pirzchalski said. Department officials "want to ensure we can not only continue to reach those veterans who use the Internet today to access services . . . but [that we] greatly expand to reach many of those rural veterans who do not currently have broadband access."