NASA’s IPv6 Implementation: Now is the time!

Kevin L. Jones, NASA IPv6 Transition Manager, August 15, 2011

TRANSCRIPT

Page 1: NASA's IPv6 Implementation: Now is the time!

NASA’s IPv6 Implementation: Now is the time!

Kevin L. Jones
NASA IPv6 Transition Manager
August 15, 2011

Page 2: NASA's IPv6 Implementation: Now is the time!

Who are you representing?

1. NASA Civil Servant
2. NASA Contractor
3. Other Government Agency
4. Industry
5. University
6. Other
7. Not Sure?

Page 3: NASA's IPv6 Implementation: Now is the time!

Why are you here?

1. I am excited about IPv6
2. I am excited about NASA implementing IPv6
3. I am interested in learning about IPv6
4. What’s the rush to implement IPv6
5. I am still skeptical about this IPv6 thing
6. I have serious concerns about implementing IPv6
7. Still recovering from lunch and I have not moved since
8. An empty seat & wireless access

Page 4: NASA's IPv6 Implementation: Now is the time!

Agenda

• Motivation to implement IPv6
• Federal IPv6 Taskforce
• NASA IPv6 Taskforce
• World IPv6 Day
• Next Steps
• Questions

Page 5: NASA's IPv6 Implementation: Now is the time!

Motivation to Implement IPv6

• Because OMB said so?
  – But didn’t OMB “say make it so” in 2005 too?
  – What happened?
  – Why aren’t we done already?
• August 2005 – A memo M-05-22 titled Transition Planning for Internet Protocol Version 6 (IPv6) was sent to the Federal Agency CIOs

Page 6: NASA's IPv6 Implementation: Now is the time!

Summary of M-05-22

• By June 2008 all agencies’ infrastructure (network backbones) must be using IPv6 and agency networks must interface with that infrastructure
  – Nov 2005 – assign an agency lead and inventory equipment
  – Feb 2006 – develop a transition plan & progress report
  – June 2006 – complete inventory & analysis

Page 7: NASA's IPv6 Implementation: Now is the time!

Updated Guidance from OMB

• Feb 2006 – FAQ on M-05-22, clarified that “must be using IPv6” meant “must demonstrate IPv6 capability on their backbones”
  – Transmit IPv6 traffic from the Internet and external peers, through the core (WAN), to the LAN
  – Transmit IPv6 traffic from the LAN, through the core (WAN), out to the Internet and external peers
  – Transmit IPv6 from the LAN, through the core (WAN), to another LAN (or another node on the same LAN)
• NASA was compliant but further progress halted

Page 8: NASA's IPv6 Implementation: Now is the time!

IPv6 Drivers

• Enable the successful deployment and expansion of key Federal information technology (IT) modernization initiatives, such as Cloud Computing, Broadband, and SmartGrid, which rely on robust, scalable Internet networks;
• Reduce complexity and increase transparency of Internet services by eliminating the architectural need to rely on Network Address Translation (NAT) technologies;
• Enable ubiquitous security services for end-to-end network communications that will serve as the foundation for securing future Federal IT systems;
• Enable the Internet to continue to operate efficiently through an integrated, well-architected networking platform and accommodate the future expansion of Internet-based services.
• Maintain continuity of operations, and to reach and be reached by customers.

Page 9: NASA's IPv6 Implementation: Now is the time!

Vivek Kundra’s September 28, 2010 Memorandum: Transition to IPv6

1. Designate an IPv6 Transition Manager by 10/30/2010
   – Responsible for leading the agency’s IPv6 Transition Activities
   – Liaison with the wider Federal IPv6 effort as necessary
2. Ensure agency procurements of networked IT comply with the FAR requirements for use of the USGv6 Profile and Test Program for the completeness and quality of their IPv6 capabilities
3. (Goal # 1) Upgrade public/external facing servers and services (e.g. web, email, DNS, IP services, etc.) to operationally use native IPv6 by the end of FY 2012
4. (Goal # 2) Upgrade internal client applications that communicate with public internet servers and supporting enterprise networks to operationally use native IPv6 by the end of FY 2014

http://www.cio.gov/documents/IPv6MemoFINAL.pdf

Page 10: NASA's IPv6 Implementation: Now is the time!

So what does the first goal mean?

• Intent of the FY2012 requirement is to ensure that any and all networked services that agencies provide to the general public over the Internet are seamlessly accessible via both IPv6 and IPv4
  – Out of Scope: internal services, external services only accessible via VPN or closed user groups
  – In Scope: external web (http), email (smtp), and domain name system (dns)

Page 11: NASA's IPv6 Implementation: Now is the time!

And what about the 2nd goal?

• Intent of the 2014 requirement is to ensure that public IPv6-enabled network services that are provided external to an agency are accessible to USG users residing in their agency enterprise networks
  – Definition of public is the same for this goal
  – Agency client applications, host operating systems, and supporting networking infrastructure should be IPv6-enabled such that it is possible to establish native IPv6 end-to-end communication between client application and the external IPv6-enabled public server/service

Page 12: NASA's IPv6 Implementation: Now is the time!

More on “Operationally use native IPv6”

• Native IPv6 transport end-to-end:
  – From public facing servers to IPv6 enabled clients on the public Internet (FY2012)
  – From internal client systems to external IPv6 servers (FY2014)
• Support of IPv6 is transparent to the end user
  – www.nasa.gov must support both IPv4 and IPv6 (not create a new www.ipv6.nasa.gov for IPv6 clients)

Page 13: NASA's IPv6 Implementation: Now is the time!

Depletion of IPv4 Address

• The Internet Assigned Numbers Authority (IANA) coordinates the global IP and AS number space, and allocates these to Regional Internet Registries (RIRs)
• On Thursday, February 3, 2011, IANA depleted their IPv4 address space
• A formal ceremony was held to commemorate the significant event, IANA’s distribution of the last five /8s to the RIRs
• Videos of this historic event are listed at:
  http://www.nro.net/media-center/video-archive-3-february-2011
• Also available via IPv6 on YouTube:
  http://www.youtube.com/watch?v=p9AzSl2MdFk&feature=related
  http://www.youtube.com/watch?v=gveJs6YRYXU
• NOTE: NASA has a sufficient amount of IPv4 address space

Page 14: NASA's IPv6 Implementation: Now is the time!

More Motivation

• More IP addresses
  – IPv4 provides 32 bit address ~ 4.2 x 10^9 addresses
  – IPv6 provides 128 bit address ~ 3.4 x 10^38 addresses
• Significantly enhanced mobility features
• Opportunity to increase the ubiquity of network security capabilities
• NASA will need to ensure that external services are seamlessly accessible via both IPv6 and IPv4
• Because OMB said so…
  – And they said it twice!!
  – NASA is NOT going to wait for the October 2015 OMB memo to implement IPv6

Page 15: NASA's IPv6 Implementation: Now is the time!

NIST’s IPv6 Deployment Monitor

• NIST’s IPv6 Deployment Monitor is a measurement tool that attempts to estimate the status of IPv6 enabled external facing services across the USG. Currently the monitor tests the status of WWW, Email and DNS services and tracks the progress of IPv6 deployment over time.
  – http://fedv6-deployment.antd.nist.gov/

Page 16: NASA's IPv6 Implementation: Now is the time!

[email protected] CIO Council

Executive Chair: Jeffrey Zients
Director: Steven VanRoekel

Architecture and Infrastructure Committee (AIC)
Chair: Michael Carleton

Technology Infrastructure Subcommittee

Federal IPv6 Interagency Working Group

Federal IPv6 Initiative Support Contractors

ACT/IAC IPv6 SIG Industry Collaboration

OMB Lead Policy Analyst: Carol Bales

Federal Chief Architect: Scott Bernard

Federal IPv6 Task Force
• Bobbie Stempfley (DoD), Co-Chair
• Cita Furlani (NIST), Co-Chair
• Co-Chair: Jane Coffin, NTIA
• Chair: Peter Tseronis (DOE)
• Doug Montgomery (NIST)
• Stephen Nightingale (NIST)
• Ron Broersma (DoD)
• Sean Donelan (DHS)
• Don Beaver, Frank Tiller (GSA)

Technical Sub Team: Stu Mitchell, Chair (DOI); Sharon Lattanze, Co-Chair (Commerce)

IT Management Sub Team: Luis Gonzalez, Chair (DHS)

Outreach Sub Team: Steven Pirzchaiski, Chair (VA)

Page 17: NASA's IPv6 Implementation: Now is the time!

Not part of Federal Government?

• … but you want to get in on the fun of helping the government implement IPv6?
• Consider joining the American Council for Technology, Industry Advisory Council (ACT-IAC)
  – Members consist of private industry, academia & state/local government
• Responsible for updating the “Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government”
• Contact Chris Chroniger to join [email protected]

Page 18: NASA's IPv6 Implementation: Now is the time!

Transition Manager Responsibilities

• Agency Transition Manager’s [email protected]

Role: Agency Transition Managers

Responsibilities:

1. Represent their Agency on the Federal IPv6 Interagency Working Group
2. Represent their agency’s IPv6 efforts to OMB, the Public and across the USG
3. Develop and maintain their Agency’s IPv6 Transition Plan
4. Ensure that their Agency’s IPv6 vision and transition plan is integrated into their Agency’s Enterprise Architecture and Capital Planning process
5. Communicate the Federal Government’s IPv6 guidance and direction to all appropriate personnel within their Agency
6. Track Agency IPv6 milestones and reporting/resolving issues
7. Participate in OMB TechStat Meetings to provide progress updates

Page 19: NASA's IPv6 Implementation: Now is the time!

World IPv6 Day: June 8, 2011

• On June 8th, a 24-hour IPv6 Test Flight occurred
• Goal was to motivate organizations across the industry – Internet service providers, hardware makers, operating system vendors and web companies – to prepare their services for IPv6 to ensure successful implementations
• Universities were involved as well
• OMB has mandated government participation
  – Implement a website with IPv6 (dual-stack)
• Even before World IPv6 Day occurred, there were already discussions of potentially having another World IPv6 Day
  – Might even be sooner than 6/8/2012

Page 20: NASA's IPv6 Implementation: Now is the time!

NASA World IPv6 Participation

• Coordinated by the Internet Society (ISOC)
  – http://isoc.org/wp/worldipv6day/
• NASA participating websites captured on the main NASA website blog.
• Confirmed NASA websites
  – www.nas.nasa.gov
  – www.caib.nasa.gov (Limelight)
  – www.km.nasa.gov (Akamai)
  – apod.eos.nasa.gov
  – earthobservatory.eos.nasa.gov
  – ipv6.nasa.gov (Akamai)
• Due to a launch and therefore anticipated heavy traffic, decided not to implement www.nasa.gov on World IPv6 Day

Page 21: NASA's IPv6 Implementation: Now is the time!

NASA’s interest in World IPv6

• It was more than just because OMB said so
• OMB mandated all agencies participate in World IPv6 Day and has requested that they try to implement their top level domains
• NASA has over 1000 public/external facing websites that need to be implemented by September 2012, so this was an excellent opportunity to document lessons learned, help scope workload and test approaches for successful implementations
• It provided an opportunity for NASA to evaluate vendors’ IPv6 implementations, specifically Akamai & Limelight

Page 22: NASA's IPv6 Implementation: Now is the time!

What happened on World IPv6 Day?

1. IPv6 worked according to plan
2. Google, Facebook, Yahoo!, Akamai & Limelight hosted parties
3. This is my first time hearing about World IPv6 Day, so it could not have been much
4. IPv6 traffic adversely impacted IPv4 traffic
5. Complete waste of time?

Page 23: NASA's IPv6 Implementation: Now is the time!

World IPv6 Participation

• There were 434 registered ISOC participants
  – 90% of those sites were reachable and viewable via IPv6
  – Participation by 25 US Government agencies
  – 94% had resolvable AAAA DNS records
• There were so few problems, some considered it practically a non-event – “World IPv6 Day fails to kill the Internet”
  – 99% of the World IPv6 websites were reached using IPv4
  – Basic layer 3 routing worked to the sites

Page 24: NASA's IPv6 Implementation: Now is the time!

The Good – Things worked!

• Operating systems (Linux/Unix, Mac OS X, Windows), web servers (e.g. Apache), clients (Firefox, Safari, IE)
• Most dual stack IPv4/IPv6 host client and server applications including ssh, scp, Kerberized telnet and rcp (although Kerberos itself was only using IPv4), and http/https client and server
• IPAM and DNS (both forward AAAA and reverse PTR records)
• Global IPv6 routing exchange and packet forwarding verified to a number of sites
• ping6 and traceroute6 IPv6 network diagnostic tools performed analogously to their ping and traceroute IPv4 tools
• 10-GigE IPv6 network performance between GSFC and ARC using our automated nuttperf/nuttcp network performance measurement capability was demonstrated to be very comparable to the equivalent IPv4 network performance tests

Page 25: NASA's IPv6 Implementation: Now is the time!

The Bad – Things to watch out for…

• Some sites did not make IPv6 DNS available via IPv6 (making pure IPv6 problematic). Some sites were so intent on trying to make sure that there was zero impact to IPv4 users that it caused a few unnecessary issues for IPv6
• In some cases, infrastructure software had to be updated. Some existing router/switch software still relies on IPv4 for certain things (e.g. SNMP) and can't run IPv6-only.
• No general way to force IPv4 or IPv6 name resolution for a specific command
• Limited IPv6 peering (e.g. Level 3 & Hurricane Electric) made additional routing workarounds necessary
• Needed to modify a network monitoring system to deal with IPv6 addresses, since it was using a “:” as the field separator in the control file
• Firewalls will probably need to replicate IPv4 rulesets with equivalent IPv6 rulesets. Perhaps intelligent firewall frontends will eventually minimize the required effort to support simultaneous IPv4/IPv6 access restrictions

Need creative approaches for troubleshooting IPv6

ISPs are in the process of upgrading IPv6 by 2012 too

Network monitoring needs to support IPv6

Dual-stack requires security for both IPv4 & IPv6

Some apps & tools still require IPv4 only

No single transition day for IPv4 to IPv6
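
A parity check for the firewall point above, as an added example that is not part of the original presentation: it compares a constructed IPv4 ruleset with its IPv6 counterpart and reports default policies and services that differ between the two families. The iptables-save / ip6tables-save syntax, addresses and ports are assumptions; the slides name no firewall product.

```python
import shlex

# Constructed sample rulesets (iptables-save / ip6tables-save syntax); the
# firewall product, addresses and ports are assumptions, not from the slides.
V4_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
V6_RULES = """*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""
# ICMP and ICMPv6 are different protocols but play the same role per family.
PROTO_ALIAS = {"ipv6-icmp": "icmp", "icmpv6": "icmp"}


def parse(text):
    """Return (policies, rules) with addresses abstracted away.

    A rule becomes (chain, proto, dport, state, address_scoped, action), so an
    IPv4 rule and its IPv6 counterpart compare equal despite different prefixes.
    """
    policies, rules = {}, set()
    for line in text.splitlines():
        if line.startswith(":"):                      # e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
            proto = opt.get("-p", "any")
            rules.add((opt["-A"], PROTO_ALIAS.get(proto, proto), opt.get("--dport", "any"),
                       opt.get("--state", ""), "-s" in opt or "-d" in opt, opt.get("-j", "")))
    return policies, rules


def parity_gaps(v4_text, v6_text):
    """List (kind, detail) tuples for every IPv4/IPv6 difference found."""
    (p4, r4), (p6, r6) = parse(v4_text), parse(v6_text)
    gaps = [("policy", (c, p4.get(c), p6.get(c)))
            for c in sorted(set(p4) | set(p6)) if p4.get(c) != p6.get(c)]
    gaps += [("ipv4-only", r) for r in sorted(r4 - r6)]
    gaps += [("ipv6-only", r) for r in sorted(r6 - r4)]
    return gaps


if __name__ == "__main__":
    for kind, detail in parity_gaps(V4_RULES, V6_RULES):
        print(kind, detail)
```

On the sample input it reports a permissive IPv6 INPUT policy, an SSH rule that lost its source restriction on IPv6, and an HTTPS rule with no IPv6 equivalent.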

Page 26: NASA's IPv6 Implementation: Now is the time!

The Ugly – Warning: Lots of work ahead…

• Policy development is behind the technology development, and some policies are contradictory (e.g. "scanning must be done by package X, but, package X doesn't support IPv6")
• Security is behind the other aspects of IPv6. Many IDS systems handle IPv6 poorly (if at all), likewise some firewall appliances. Some host scanners (at least the legacy versions) do not do IPv6 at all. Some security software vendors seem to have not taken IPv6 mandates and plans seriously, so security will have to play catch-up in order to meet mandated deadlines.
• If no IPv6 route exists to some service such as a web server, the system automatically drops back to an IPv4 connection, but if an IPv6 route exists (even an IPv6 default route), and the IPv6 destination is not actually reachable for some reason, the user will experience about a 2 minute TCP timeout before switching to IPv4.
• Postponing the implementation of IPv6 is no longer an option. It is critical to “break glass” now to maintain a continuity of operations.

Need to update both policies & equipment

Need to communicate IPv6 security reqs. to vendors early

Growing pains in this transition are inevitable

Now is the time!
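
A monitoring probe for the IPv4 fallback delay described above, as an added example that is not part of the original presentation: it connects over each address family with a bounded timeout and flags a service that publishes an AAAA record but is not reachable over IPv6. The hostname, addresses and the resolver/connector stand-ins are constructed so that it runs offline.

```python
import socket
import time

FAMILY = {socket.AF_INET6: "ipv6", socket.AF_INET: "ipv4"}


def probe(host, port, timeout=3.0, resolver=socket.getaddrinfo,
          connector=socket.create_connection):
    """Connect to each resolved address with a bounded timeout, per family."""
    results = {}
    for family, _t, _p, _c, sockaddr in resolver(host, port, type=socket.SOCK_STREAM):
        name = FAMILY.get(family)
        if name is None or results.get(name, {}).get("ok"):
            continue                      # unknown family, or family already reachable
        start = time.monotonic()
        try:
            connector((sockaddr[0], sockaddr[1]), timeout=timeout).close()
            ok, error = True, None
        except OSError as exc:            # refused, unreachable, timed out
            ok, error = False, type(exc).__name__
        results[name] = {"addr": sockaddr[0], "ok": ok, "error": error,
                         "seconds": round(time.monotonic() - start, 2)}
    return results


def diagnose(results):
    """Classify the dual-stack state of one service from probe() output."""
    v6, v4 = results.get("ipv6"), results.get("ipv4")
    if v6 is None:
        return "no-aaaa" if v4 else "unresolved"
    if v6["ok"]:
        return "ok" if v4 is None or v4["ok"] else "broken-ipv4"
    # AAAA is published but IPv6 does not connect: dual-stack clients stall on
    # the IPv6 attempt before falling back, the delay described in the slide.
    return "broken-ipv6" if v4 and v4["ok"] else "down"


# Constructed stand-ins so the example runs offline: a host with both record
# types (documentation addresses) whose IPv6 path silently drops packets.
class _Stub:
    def close(self):
        pass


def constructed_resolver(host, port, type=0):
    return [(socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", port, 0, 0)),
            (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port))]


def constructed_connector(address, timeout):
    if ":" in address[0]:
        raise TimeoutError("constructed: IPv6 destination unreachable")
    return _Stub()


if __name__ == "__main__":
    r = probe("www.example.org", 80, resolver=constructed_resolver,
              connector=constructed_connector)
    print(diagnose(r), r)
```

Leaving `resolver` and `connector` at their defaults runs the same check against a real service with the standard library's `socket.getaddrinfo` and `socket.create_connection`.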

Page 27: NASA's IPv6 Implementation: Now is the time!

NASA IPv6 Taskforce Sub Teams

Security Sub Team: Luke Drury, Bryan Boatright, Bobby Cates, Tony Arivola, Terry Brugger, Chris Jones, Debra Rushing, Ken White, Greg Coggins, Dawn Bedard, Ron Colvin, Ralph Bischof, Linda Wood, Stephanie Chandler, Terri Chow, Chris Mishaga, Tom Hinke, Dennis Kay, Dennis Taylor, Alex Baldwin, Gary Gapinski, Glen Morhew, Greg Campbell, Hugh LaMaster, Michael Neblett, Patrick Patterson, Tim Baldridge, Vince Moyers, Bill Terry, Kevin Jones

DNS Sub Team: Dave Swager, Carol Bryant, Dawn Bedard, Gary Gapinski, Greg Coggins, Joshua Being, Kofi Burney, Luke Drury, Nancy Shelvin, Ralph Bischoff, Tony Arviola, Kevin Jones

Routing Sub Team: Hugh LaMaster, Andy Germain, Dawn Bedard, George Uhl, Greg Coggins, Greg Campbell, James Good, Ken White, Kevin Kranacs, Kofi Burney, Luke Drury, Michael Neblett, Ralph Bischoff, Bill Fink, Kevin Jones

Test & Verification Sub Team: Bill Fink, Aruna Muppalla, Dave Guevara, Dave Hartzell, George Uhl, Greg Coggins, Greg Campbell, Hugh LaMaster, Pat Gary, Kathy Hatley, Ken White, Luke Drury, Mark Foster, Paul Lang, Ralph Bischof, Kevin Jones

Web & Applications Sub Team: Ian Sturken, Alvin Cottles, Dawn Bedard, Duane Smith, Eashwer Srinivasan, Greg Coggins, Greg Campbell, JJ Toothman, Linda Hong, Luke Drury, Marcus Friske, Peter Cauwels, Ralph Bischof, Steven Funderburk, Tim Baldridge, Tommy Mcguire, Kevin Jones

IT Procurements Sub Team: TBD, Gary Gapinski, Kevin Jones

Page 28: NASA's IPv6 Implementation: Now is the time!

Routing Sub Team Milestones

• Need to implement IPv4/IPv6 dual-stack in the core WAN routers. (10/2011)
• Operational IPv6 peering with providers (e.g. Level 3, Hurricane Electric) and some NASA networks (e.g. NISN, NAS, NREN, SEN) (12/2011)
• Testing and deployment of updated Router/Switch and monitoring software will need to be done so that, e.g., SNMP and flow data export work over IPv6. (1/2012)
• Implement IPv6 in NASA DMZ locations where public facing servers are located (2/2012)
• Update agency network management procedures to reflect IPv6 (3/2012)

Page 29: NASA's IPv6 Implementation: Now is the time!

DNS Sub Team Milestones

• Document and publicize approved process for allocating and distributing permanent IPv6 address assignments (8/2011)
• NASA's IPAM/DNS servers need to be reachable via IPv6 (10/2011)

Page 30: NASA's IPv6 Implementation: Now is the time!

Security Sub Team Milestones

• Notice to SSP owners & security community about IPv6 mandates and potential impact (8/2011)
• Develop security policies, procedures, and devices/tools for securing your Agency's IPv6 operations (9/2011)
• Communicate requirements to security vendors (10/2011)
• LAN/DMZ/shared-services security hardware and software to be upgraded to be as fully capable in IPv6 as in IPv4 (3/2012)
• WAN security hardware and software to be upgraded to be as fully capable in IPv6 as in IPv4 (4/2012)
• Update risk assessments and C&A procedures for all public/external facing servers and services operationally using native IPv6 (9/2012)

Page 31: NASA's IPv6 Implementation: Now is the time!

Testing & Verification Sub Team Milestones

• Provide feedback to NIST for proposed USGv6 updates (8/2011)
• Develop agency test/demonstration plans for services affected by OMB FY2012 mandate (9/2011)
• Update agency testing processes to reflect FY 2012 milestones (10/2011)

Page 32: NASA's IPv6 Implementation: Now is the time!

Web & Apps Sub Team Milestones

• Update of STRAW database with additional public/external facing websites (8/2011)
• Identify any unique IPv6 requirements from your user community (9/2011)
• Identify any IPv4-only (“legacy”) assets affected by the OMB FY2012 mandate that cannot support IPv6 (9/2011)
• Implementation of www.nasa.gov in dual stack mode (2/2012)
• 10% of public/external facing websites implemented with dual-stack IPv6 (3/2012)
• Upgrade public/external facing servers and services (e.g. web, email, DNS, ISP services, etc) to operationally use native IPv6 (9/2012)

Page 33: NASA's IPv6 Implementation: Now is the time!

Contact Information

• NASA IPv6 Taskforce Sharepoint Site:
  – https://share.nasa.gov/teams/arc/ipv6-taskforce/default.aspx
• NASA IPv6 Distribution Lists:
  – [email protected]
  – [email protected]
  – [email protected]
  – [email protected]
  – [email protected]
  – [email protected]
• Federal IPv6 Taskforce Distribution Lists & Federal IPv6 Wiki
  – [email protected]
  – [email protected]
  – https://max.omb.gov/community/x/EhPVI

Page 34: NASA's IPv6 Implementation: Now is the time!

Resources

1. Planning Guide and Roadmap toward IPv6 Adoption in USG
   http://www.cio.gov/documents_details.cfm/uid/1F4376CF-2170-9AD7-F24F363D0A04637E/structure/Enterprise%20Architecture/category/IPv6
2. USG IPv6 Profile
   http://www.antd.nist.gov/usgv6/usgv6-v1.pdf
3. Federal Acquisition Regulations (FAR)
   http://edocket.access.gpo.gov/2009/pdf/E9-28931.pdf
4. USGv6 Testing Program for product compliance
   http://www.antd.nist.gov/usgv6/testing.html
5. Suppliers Declaration of Conformity Template
   http://www.antd.nist.gov/usgv6/sdoc.html
6. Guidelines for the Secure Deployment of IPv6, SP 800-119
   http://csrc.nist.gov/publications

Page 35: NASA's IPv6 Implementation: Now is the time!

Have your attitudes changed about IPv6?

1. I am so excited, I am going to start writing a test plan on the plane ride home!
2. I am interested in helping to implement IPv6
3. Yes, and for the better!
4. No, but I was already a proponent
5. I was scared before, but I am really scared now!
6. Still a non-believer, I will believe when I see it.

Page 36: NASA's IPv6 Implementation: Now is the time!

Questions?

Page 37: NASA's IPv6 Implementation: Now is the time!

Kevin L. Jones
NASA IPv6 Transition Manager

[email protected]

Page 38: NASA's IPv6 Implementation: Now is the time!

Backup Slides

Page 39: NASA's IPv6 Implementation: Now is the time!

IPv6 Testers

• Numerous tools exist to test the IPv6 capabilities of local access and transit networks. These tools might be of use to agencies in testing IPv6 ISP services.
  – http://test-ipv6.com/
  – http://netalyzr.icsi.berkeley.edu/