Officials: Federal Shift to IPv6 Brings New Cybersecurity Options and Risks

Asawin_Klabma/iStock.com

Featured eBooks
Space Tech
Read Now

CDM

Read Now

Digital Transformation

Read Now
Aaron Boyd By Aaron Boyd,
Senior Editor, Nextgov

By Aaron Boyd

|

Agencies should be planning now to meet new IPv6 requirements by 2025.

The push to move the entire federal government to an IPv6-only architecture will be an enabler of cybersecurity capabilities like zero trust but can also open agency networks to new threats, officials leading transition efforts said Wednesday.

Federal agencies are under a new mandate to transition the majority of internet-connected systems from IPv4 to IPv6 by the end of fiscal 2025. Federal officials leading this effort have stressed the importance of making the transition, not only for ensuring systems can communicate with IPv6 devices, but also to improve modernization efforts and the cybersecurity of government networks.

“It’s not an easy transition and it’s going to take a lot of work,” Deputy Federal Chief Information Officer Maria Roat said Wednesday during an event hosted by the General Services Administration. “There are tools and techniques that have kept IPv4 viable, [but] it can’t keep up with the continued growth of the number of users on the internet and the explosion of connected [internet of things] technologies.”

Internet Protocol, or IP, addresses are unique identifiers that direct information from one internet-connected device to another.

The previous standard, IPv4, created addresses using a 32-bit format, capping the total number of addresses at 2^32, or just shy of 4.3 billion. The IPv6 schema is 128-bit, enabling more than 340 undecillion, or 340,000,000,000,000,000,000,000,000,000,000,000,000 addresses.

The shift to IPv6 adds significantly more addresses to the global pool, as well as a different numbering format. While IPv4 shows addresses as four sets of one to three digits, IPv6 uses eight sets of four digits. For organizations—including federal agencies—the new format requires recoding systems that run network infrastructure to understand and ingest IPv6 addresses.

IPv6 “solves the scalability issue of IPv4 by providing, essentially, an unlimited supply of IP addresses,” Roat said.

“We’re operating on a network protocol that’s 40 years old,” said Carol Bales, a senior policy analyst in the Office of Management and Budget who has been working on the IPv6 transition in government for 16 years. “We talk a lot about modernizing our infrastructure, and I think that transitioning to IPv6 is a critical part of this. It’s an important component of innovation.”

Bales and Roat both said the shift to IPv6 supports the new cybersecurity mandates issued by the Biden administration.

“By providing end-to-end network paths and better support of microsegmentation, the transition to IPv6 only is going to be a key component of ZTA—zero trust architecture—which is one of the key pillars in the executive order,” Roat said.

Branko Bokan, a cybersecurity specialist with the Cybersecurity and Infrastructure Security Agency, agreed but noted the transition will also bring new security concerns.

IPv6 “not only introduces and adds to the security of our networks and improves the security of networks,” he said, “IPv6 also opens up this whole new world of new threat landscapes and threat service that we didn’t have to deal with.”

As the agency charged with leading cybersecurity efforts for the entire government, Bokan said CISA is working on three tasks to ensure IPv6 is a boon for agency security instead of a liability.

Those tasks include:

  • Guidance for federal agencies on implementing IPv6, including the Trusted Internet Connection 3.0 initiative.
  • Making sure all programs and services provided by or through CISA fully support IPv6.
  • Ensure that tools and services enable measuring the implementation of IPv6 across the federal enterprise.

“IPv6 is well on its way to becoming the dominant and necessary internet protocol,” Bales said, and agencies need to be ready.

Roat noted federal agencies should be in process today in order to comply with the November 2020 memo requiring agencies to have 80% of IP-enabled assets operating in IPv6-only environments by the end of 2025.

“When you think about that in the cycles—in the budget and the planning cycles—we’re already moving into FY ’23 planning,” she said, adding that this effort will require more than just IT shops. “This is not a CIO thing. This involves key stakeholders, as well as industry, your [chief financial officers] and others in the planning.”

Audience members Wednesday noted that the 2020 memo was not the first attempt to get all of the federal government moving toward IPv6. But this time will be different, according to Doug Montgomery, manager of Internet and Scalable Systems Research at the National Institute for Standards and Technology.

“In 2010, we were pushing the envelope [with regard to] the state of the technology and the product industry,” he wrote in response to a question. “Today, every common [operating system]/platform on the market have mature IPv6 implementations.”

With industry leading the way, “Much more is known about how to transition v4 to v6 and address security issues at scale,” he said.

Montgomery also challenged the notion that previous efforts failed.

While federal agencies still use systems configured for IPv4, around “2014 the USG IPv6 deployment was the largest enterprise deployment in the world,” he said. “What has happened in the years since, is the private industry has caught up to and passed the USG in IPv6 adoption.”

The federal government has been working on this problem since 2005, when then-Administrator of the Office of E-Government and Information Technology Karen Evans issued a memo pushing agencies to begin the transition. At that time, Evans established a deadline of June 2008 for all agencies’ infrastructure to be using IPv6 and able to “interface with this infrastructure.”

A follow-up memo was issued in 2010 requiring any new “public internet servers and internal applications that communicate with public servers” deployed by agencies to use IPv6 by default.

“The intent of the newly proposed policy … is to communicate the requirements for completing the operational deployment of IPv6 across all federal information systems and services, and help agencies overcome barriers that prevent them from migrating to IPv6-only systems,” then-Federal CIO Suzette Kent said in March 2020 when the draft guidance was released.

NEXT STORY: Bipartisan Bill Bolsters FCC Motion to Ban Suspect Chinese Telecom Equipment

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.