Officials: Federal Shift to IPv6 Brings New Cybersecurity Options and Risks


Agencies should be planning now to meet new IPv6 requirements by 2025.

The push to move the entire federal government to an IPv6-only architecture will be an enabler of cybersecurity capabilities like zero trust but can also open agency networks to new threats, officials leading transition efforts said Wednesday.

Federal agencies are under a new mandate to transition the majority of internet-connected systems from IPv4 to IPv6 by the end of fiscal 2025. Federal officials leading this effort have stressed the importance of making the transition, not only for ensuring systems can communicate with IPv6 devices, but also to improve modernization efforts and the cybersecurity of government networks.

“It’s not an easy transition and it’s going to take a lot of work,” Deputy Federal Chief Information Officer Maria Roat said Wednesday during an event hosted by the General Services Administration. “There are tools and techniques that have kept IPv4 viable, [but] it can’t keep up with the continued growth of the number of users on the internet and the explosion of connected [internet of things] technologies.”

Internet Protocol, or IP, addresses are unique identifiers that direct information from one internet-connected device to another.

The previous standard, IPv4, created addresses using a 32-bit format, capping the total number of addresses at 2^32, or just shy of 4.3 billion. The IPv6 schema is 128-bit, enabling more than 340 undecillion, or 340,000,000,000,000,000,000,000,000,000,000,000,000 addresses.

The shift to IPv6 adds significantly more addresses to the global pool, as well as a different numbering format. While IPv4 shows addresses as four sets of one to three digits, IPv6 uses eight sets of four hexadecimal digits. For organizations—including federal agencies—the new format requires recoding systems that run network infrastructure to understand and ingest IPv6 addresses.

IPv6 “solves the scalability issue of IPv4 by providing, essentially, an unlimited supply of IP addresses,” Roat said.

“We’re operating on a network protocol that’s 40 years old,” said Carol Bales, a senior policy analyst in the Office of Management and Budget who has been working on the IPv6 transition in government for 16 years. “We talk a lot about modernizing our infrastructure, and I think that transitioning to IPv6 is a critical part of this. It’s an important component of innovation.”

Bales and Roat both said the shift to IPv6 supports the new cybersecurity mandates issued by the Biden administration.

“By providing end-to-end network paths and better support of microsegmentation, the transition to IPv6 only is going to be a key component of ZTA—zero trust architecture—which is one of the key pillars in the executive order,” Roat said.

Branko Bokan, a cybersecurity specialist with the Cybersecurity and Infrastructure Security Agency, agreed but noted the transition will also bring new security concerns.

IPv6 “not only introduces and adds to the security of our networks and improves the security of networks,” he said, “IPv6 also opens up this whole new world of new threat landscapes and threat service that we didn’t have to deal with.”

As the agency charged with leading cybersecurity efforts for the entire government, Bokan said CISA is working on three tasks to ensure IPv6 is a boon for agency security instead of a liability.

Those tasks include:

  • Providing guidance for federal agencies on implementing IPv6, including the Trusted Internet Connection 3.0 initiative.
  • Making sure all programs and services provided by or through CISA fully support IPv6.
  • Ensuring that tools and services enable measuring the implementation of IPv6 across the federal enterprise.

“IPv6 is well on its way to becoming the dominant and necessary internet protocol,” Bales said, and agencies need to be ready.

Roat noted federal agencies should already have this work in process in order to comply with the November 2020 memo requiring agencies to have 80% of IP-enabled assets operating in IPv6-only environments by the end of 2025.

“When you think about that in the cycles—in the budget and the planning cycles—we’re already moving into FY ’23 planning,” she said, adding that this effort will require more than just IT shops. “This is not a CIO thing. This involves key stakeholders, as well as industry, your [chief financial officers] and others in the planning.”

Audience members Wednesday noted that the 2020 memo was not the first attempt to get all of the federal government moving toward IPv6. But this time will be different, according to Doug Montgomery, manager of Internet and Scalable Systems Research at the National Institute of Standards and Technology.

“In 2010, we were pushing the envelope [with regard to] the state of the technology and the product industry,” he wrote in response to a question. “Today, every common [operating system]/platform on the market has mature IPv6 implementations.”

With industry leading the way, “much more is known about how to transition v4 to v6 and address security issues at scale,” he said.

Montgomery also challenged the notion that previous efforts failed.

While federal agencies still use systems configured for IPv4, around “2014 the USG IPv6 deployment was the largest enterprise deployment in the world,” he said. “What has happened in the years since, is the private industry has caught up to and passed the USG in IPv6 adoption.”

The federal government has been working on this problem since 2005, when then-Administrator of the Office of E-Government and Information Technology Karen Evans issued a memo pushing agencies to begin the transition. At that time, Evans established a deadline of June 2008 for all agencies’ infrastructure to be using IPv6 and able to “interface with this infrastructure.”

A follow-up memo was issued in 2010 requiring any new “public internet servers and internal applications that communicate with public servers” deployed by agencies to use IPv6 by default.

“The intent of the newly proposed policy … is to communicate the requirements for completing the operational deployment of IPv6 across all federal information systems and services, and help agencies overcome barriers that prevent them from migrating to IPv6-only systems,” then-Federal CIO Suzette Kent said in March 2020 when the draft guidance was released.