More Thoughts on IPv6 in Government

One of the comments on my earlier IPv6 post recommended I read the 29 June 2005 testimony to the Committee on Government Reform. I found some clarification while reading the statement by Karen Evans. She said

"Our policy will also set June 2008 as the date by which all agencies’ infrastructure (network backbones) must be using IPv6 and agency networks must interface with this infrastructure. Once the network backbones are ready, the applications and other elements will follow."

If only the backbone needs to be running IPv6, it's possible -- but not probable -- that "all agencies" will be using IPv6.

This section, however, made me laugh -- for reasons I'll explain shortly.

"[W]e are about to issue a policy memorandum providing guidance to the agencies to ensure an orderly and secure transition to IPv6...

[A]gencies will develop an inventory of existing IP capable devices and technologies. To ensure an orderly transition from IPv4 to IPv6, we must establish a baseline and determine the size of the problem...

While we know IPv6 technologies are deployed throughout the government, but like other organizations, we do not know specifically which ones, how many there are, or precisely where they are located. We are planning for each agency to file a report of their inventory of IP capable devices and technologies to OMB in the first quarter of FY 2006."

First quarter of FY 2006? Does that mean between 1 Oct and 31 Dec 2005? Is she serious?

Let's look at the Navy's experience with determining the number of systems for which it is responsible. The story "Red Hat and Novell salivate as Navy learns to count servers" by Ashlee Vance illustrates the Navy's experience with NMCI. She cites a June 2005 Computerworld article that says the following:

"The U.S. Navy recently launched its first enterprisewide IT asset discovery and management initiative...

Since January, the Navy has been using a hosted software service from Mountain View, California-based BDNA Corp. to scan the IP addresses of hardware and software residing on its sprawling MCI network. The effort has enabled the Navy to identify and locate more than 250,000 systems installed in some 200 locations throughout the continental U.S. and Hawaii and Alaska, said Capt. Chris Christopher...

In the coming months, the Navy expects to pinpoint at least 250,000 more systems it has deployed on its bases and ships around the world using the centralized network scanning approach...

Christopher placed the cost of the BDNA asset discovery services at 'more than six figures' on an annual basis."

This story demonstrates how hard it is to enumerate all the assets in a large government organization: a paid, hosted scanning service, half a year of work, and the Navy had found roughly half of what it expects to own. It seems Karen Evans and OMB need to rethink the scope of their problem. I would have thought that developing "an inventory of existing IP capable devices and technologies" would have been part of normal system and asset administration practices, not a precursor to IPv6 adoption. Stay tuned.
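The inventory requirement in the OMB testimony is where most of the work hides, and Evans's own admission that IPv6 is "deployed throughout the government" without anyone knowing where is the part an administrator can actually test. As an added illustration (my own example, not code from the original post, from OMB, or from the Navy's BDNA service), the script below reconciles a made-up asset register against constructed Linux `ip neigh show` output. Hosts and addresses are invented; the parser assumes the `ip neigh` line layout of `<addr> dev <if> lladdr <mac> <state>`. The point it shows is that a register which lists a host as IPv4-only is contradicted the moment that host answers Neighbor Discovery with a link-local address, which modern stacks do by default.

```python
"""Reconcile an asset register against observed ARP/NDP neighbor tables.

Added example, not from the original post. All data is constructed:
the inventory dict and the `ip neigh show` lines below are sample input.
The parser assumes the layout "<addr> dev <if> lladdr <mac> [flags] <state>".
"""
import ipaddress
from collections import defaultdict

# Constructed: what the asset register believes exists, keyed by MAC.
INVENTORY = {
    "00:11:22:33:44:01": {"host": "fileserver01", "ipv6_expected": False},
    "00:11:22:33:44:02": {"host": "printer-3f", "ipv6_expected": False},
    "00:11:22:33:44:03": {"host": "router-core", "ipv6_expected": True},
}

# Constructed: output of `ip neigh show` on a router facing that LAN.
# The last line has no lladdr (resolution failed) and must be skipped.
NEIGH_OUTPUT = """\
192.0.2.10 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.0.2.11 dev eth0 lladdr 00:11:22:33:44:02 STALE
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:03 REACHABLE
192.0.2.77 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
fe80::211:22ff:fe33:4401 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
2001:db8:1::1 dev eth0 lladdr 00:11:22:33:44:03 router REACHABLE
fe80::211:22ff:fe33:4499 dev eth0 lladdr 00:11:22:33:44:99 STALE
192.0.2.50 dev eth0 FAILED
"""


def parse_neigh(text):
    """Return {mac: {"v4": set(), "v6": set()}} from `ip neigh` lines.

    Entries with no link-layer address (FAILED/INCOMPLETE) are skipped,
    because a MAC is the only key that ties an IPv4 and an IPv6
    observation back to the same physical device.
    """
    seen = defaultdict(lambda: {"v4": set(), "v6": set()})
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or "lladdr" not in tokens:
            continue
        mac = tokens[tokens.index("lladdr") + 1].lower()
        addr = ipaddress.ip_address(tokens[0])  # validates and classifies
        seen[mac]["v" + str(addr.version)].add(str(addr))
    return dict(seen)


def reconcile(inventory, observed):
    """Compare the register to what was seen on the wire.

    unknown: MACs observed but absent from the register;
    silent: registered hosts that never showed up (possibly off, possibly gone);
    unexpected_ipv6: registered as IPv4-only but answering NDP.
    """
    report = {"unknown": {}, "silent": [], "unexpected_ipv6": {}}
    for mac, addrs in observed.items():
        if mac not in inventory:
            report["unknown"][mac] = addrs
            continue
        if addrs["v6"] and not inventory[mac]["ipv6_expected"]:
            report["unexpected_ipv6"][inventory[mac]["host"]] = sorted(addrs["v6"])
    for mac, rec in inventory.items():
        if mac not in observed:
            report["silent"].append(rec["host"])
    return report


def ipv6_capable_count(observed):
    """Distinct devices (by MAC) seen with at least one IPv6 address."""
    return sum(1 for a in observed.values() if a["v6"])


if __name__ == "__main__":
    obs = parse_neigh(NEIGH_OUTPUT)
    rep = reconcile(INVENTORY, obs)
    print(f"{len(obs)} devices observed, {ipv6_capable_count(obs)} of them speak IPv6")
    for mac, addrs in rep["unknown"].items():
        print(f"not in register: {mac} {sorted(addrs['v4'] | addrs['v6'])}")
    for host, v6 in rep["unexpected_ipv6"].items():
        print(f"registered IPv4-only but running IPv6: {host} {v6}")
    for host in rep["silent"]:
        print(f"registered but not seen: {host}")
```

Run against the constructed data it reports four devices, three of which speak IPv6, one device the register does not know about at all, and a file server that is listed as IPv4-only yet has a link-local IPv6 address. A passive neighbor-table pull like this is also the answer to the objection that every base and ship would have to permit inbound scanning: the router already holds the table, and nothing has to be sent to the hosts.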

Comments

Anonymous said…
am i the only one noticing that the navy network implementation allows for such a scan to occur? isn't it reasonable to infer that it would be logistically difficult to contact every base, ship and user and ask them to allow inbound scanning to occur, so inbound scanning must be allowed? or, if this was a passive scan, that the network allows for the passing of identifying information in such a way that the scan was successful? or that it's possible for a service provider to be exposed to navy traffic over the mci network in such a way as to allow this type of classification?

too much information. why is this being published at all?
