As Federal agencies transition to all-Internet Protocol version 6 (IPv6) systems, having solid security policies and determining how security teams can monitor the IPv6 transition are essential to fully implementing the steps needed to complete it, IT industry officials said on June 16.
During the General Services Administration’s (GSA) Completing the Transition to IPv6 event, industry officials from Forescout, Cisco, and Corelight talked about planning for the transition, and the benefits and challenges it brings.
“The challenge with IPv6 is it is global, like IPv4, so it’s not just local on the network,” said Stephen Orr, Distinguished Systems Engineer at Cisco. “It does provide another threat vector – a new threat vector, I would say – and for years people have been running IPv6 dual stack on their devices on their networks without knowing and … you’ve got to look for it,” he said.
IPv6 is the latest-generation internet protocol addressing system that is replacing IPv4, whose available inventory of addresses was exhausted six years ago. A 2020 memo from the Office of Management and Budget (OMB) outlines the requirements for completing the operational deployment of all-IPv6 across Federal information systems and services, and sets a deadline for the end of Fiscal Year 2025 to have the vast majority of systems running IPv6 only.
“What I’d say is have a plan, work within the memo constraints and then create your own plan on top of it, get more specific, and then have that methodical rollout mentality knowing the operating systems web applications,” Orr said. “Anytime we’re dealing with Federal government, everything’s mission critical,” he added.
Greg Bell, co-founder and chief strategy officer at Corelight, explained that a primary benefit of shifting to an IPv6-only environment is reduced network complexity: not having to run dual-stack systems that accommodate IPv4 can help build a more secure environment.
“I think a key foundational benefit of IPv6-only is much reduced complexity,” said Bell. “So, complexity is just all by itself a big security concern. I learned this as an operator just over and over debugging systems that were too complicated for anyone to understand quickly. It’s the complexity that slows us down, it effectively creates attack surface. So, IPv6-only is much, much simpler and easier to understand.”
Tim Jones, Senior Director of Systems Engineering, Public Sector at Forescout Technologies, added that a question agencies have to ask is how quickly they can integrate into the IPv6-only environments.
“You may have to evaluate and take a look a little bit differently about the traffic and types of devices and even just the way your devices are connecting within your enterprise to be able to get some of those security requirements,” said Jones. “I think for the most part, industry is ready to address some of these components.”