Technical and Economic Assessment of
The President’s National Strategy to Secure Cyberspace (National Strategy) directed the Secretary of Commerce to form a task force to examine the most recent iteration of the Internet Protocol, IP version 6 (IPv6). The President charged the task force with considering a variety of IPv6-related issues, including the appropriate role of government, international interoperability, security in transition, and costs and benefits.
The Internet Protocol (IP) is an international communications standard that is essential to the operation of both the public Internet and many private networks in existence today. IP provides a standardized “envelope” that carries addressing, routing, and message-handling information, thereby enabling a message to be transmitted from its source to its final destination over the various interconnected networks that comprise the Internet.
The current generation of IP, version 4 (IPv4), has been in use for more than 20 years and has supported the Internet’s rapid growth during that time. With the transformation of the Internet in the 1990s from a research network to a commercialized network, concerns were raised about the ability of IPv4 to accommodate anticipated increasing demand for Internet addresses. In 1993, the Internet Engineering Task Force (IETF) began a design and standardization process to develop a next generation Internet Protocol that would address, among other issues, the predicted exhaustion of available IPv4 addresses. The resulting set of standards, collectively known as IP version 6 (IPv6), was developed over the course of several years. Although various aspects of these protocols continue to evolve within the IETF, a stable core of IPv6 protocols emerged by 1998.
This report by the Department of Commerce’s IPv6 Task Force examines the technical and economic issues related to IPv6 adoption in the United States, including the appropriate role of government, international interoperability, security in transition, and costs and benefits of IPv6 deployment. In developing this report, the Task Force, with the assistance of a consultant, RTI International (RTI), has gathered information from a wide range of stakeholders through a request for comment published in January 2004, a public meeting held on IPv6 issues in July 2004, and numerous contacts with public and private-sector stakeholders.
The public record compiled by the Task Force suggests that although IPv6 has the potential to produce significant benefits for U.S. businesses and consumers over time, the near-term benefits are less clear. Available evidence suggests, for example, that in the initial years of IPv6 deployment, network security will likely be no greater under the new protocol than is currently available in IPv4 networks. Additional evidence suggests that premature adoption of IPv6 (i.e., that which precedes adequate technical and business case planning) could result in unnecessary costs and reduced information technology (IT) security.
The Evolving IPv6 Market and Potential Benefits
Although IPv6 is in the early stages of adoption, most network hardware, operating systems, and network-enabled software packages (e.g., databases and email) will likely include IPv6 capabilities within the next five years. In many cases, these IPv6 capabilities will be bundled as standard features of new versions of products, and thus will be incorporated in deployed networks through the usual cycle of replacing or upgrading hardware and software. This gradual deployment of IPv6 may occur at a somewhat faster pace in other countries, in large part due to perceived regional concerns about a shortage of IPv4 address space.
Industry stakeholders and Internet experts generally agree that IPv6-based networks would be technically superior to the common installed base of IPv4-based networks. The vastly increased IP address space available under IPv6 could potentially stimulate a plethora of new innovative communications services. Deployment of IPv6 would, at a minimum, "future proof" the Internet against potential address shortages resulting from the emergence of new services or applications that require large quantities of globally routable Internet addresses.
Current market trends suggest that demand for unique IP addresses could expand considerably in future years. The growing use of the Internet will likely increase pressures on existing IPv4 address resources, as more and more people around the globe seek IP addresses to enjoy the benefits of Internet access. In addition, the potential development of new classes of networked applications (e.g., widely available networked computing in the home, the office, and industrial devices for monitoring, control, and repair) could result in rapid increases in demand for global IP addresses.
Over time, IPv6 could become (as compared to IPv4) a more useful, more flexible mechanism for providing user communications on an end-to-end basis. The redesigned header structure in IPv6 and the enhanced capabilities of the new protocol could also simplify the configuration and operation of certain networks and services. These enhancements could produce operations and management cost savings for network administrators. In addition, autoconfiguration and other features of IPv6 could make it easier to connect computers to the Internet and simplify network access for mobile Internet users.
Obstacles to IPv6 Deployment
Deployment of IPv6 faces a number of hurdles. First and foremost, the large embedded base of IPv4-compatible equipment and applications, coupled with the fact that IPv4 has proven to be robust enough and flexible enough to serve the needs of many producers and users, will likely constrain the rate of migration to IPv6. Additionally, in order to fully realize the potential end-to-end communications capabilities of IPv6, users will have to expend capital and labor resources to transition to the new protocol.
As a result, the transition to IPv6 may be a long process. Experts predict that long after most Internet users have migrated to IPv6, pockets of IPv4 may still exist in legacy systems. Hardware and software interoperability will be a key concern for enterprises wishing to interconnect their networks across heterogeneous environments. Interoperability needs will be a major consideration in an enterprise’s decision to adopt IPv6.
Most observers generally agree that acquiring IPv6 capability over a short period of time will be more expensive than making the transition as part of a firm’s normal upgrade/replacement cycle. IPv6 transition mechanisms and scenarios have been specifically designed to enable a prolonged overlap and to minimize deployment and operational interdependencies. Rather than forcing a short-term shift, many experts suggest that a reasonable deployment plan for Internet service providers (ISPs) and Internet users would focus on replacing as much IPv4-only hardware and software as possible through normal product refresh cycles. Activating IPv6 for routine use can effectively occur only after a critical mass of IPv6-enabled replacement technology, appropriate operational and security plans, and substantial training are in hand.
Most observers expect that ISPs and users will purchase IPv6-capable products during their normal equipment refresh cycles and that the costs of those products will be no greater than the costs of similar IPv4-only products. As a result, most of the costs that ISPs and users incur in turning on their IPv6 capabilities should be labor-related (e.g., staff training, installation, network testing).
Transition costs also will likely vary significantly among user groups. Costs to smaller Internet users, including residential users and small and medium enterprises (SMEs) that do not operate their own significant network services, will be relatively minimal if IPv6 capabilities are acquired through routine upgrades. In contrast, large and mid-sized user organizations, such as corporations and government agencies, will likely incur greater costs. The magnitude of those costs will depend on each user’s existing network infrastructure and operational policies, the extent to which their custom applications must be modified to adopt IPv6, and whether the user intends to connect to other organizations using IPv6.
Security in Transition and in the Longer Term
The greatest potential security benefits of IPv6 appear to be associated with the long-term evolution of new security paradigms that are significantly different from those commonly employed in today’s networks. In particular, evolving from today’s network-centric (perimeter-based) security architectures to end-to-end (host-based) models would better accommodate the self-organizing systems envisioned for future network environments. The time and expense of designing and developing new security models will likely be considerable, but the creation of new, effective security paradigms would benefit all current and future Internet users.
With respect to IPv6 deployment in the near term, experts generally agree that implementing any new protocol, such as IPv6, will entail an initial period of increased security vulnerability. Additional resources will be necessary to deal with new threats posed by a dual standard environment. For example, while IPv6 may provide operational advantages over IPv4 with respect to auto-configuration and other capabilities, the new protocol’s fundamental reliance on those capabilities also creates new threats and vulnerabilities associated with their potential misuse. Emerging new threats and vulnerabilities would clearly need to be addressed. Moreover, as IPv6 becomes more prevalent, many security issues will likely arise as attackers give it more attention.
Nevertheless, because IPv6 capabilities increasingly are included in new hardware and software products, IPv6 will likely begin to appear in operational networks independently of an organization’s own plans and schedules for adoption. As a result, all organizations will need to develop security plans and policies for dealing with IPv6 traffic, regardless of their decisions whether and when to transition to IPv6. Although IPv6 transition mechanisms have been carefully designed for specific interoperability scenarios, operating in a dual standard mode will increase security risks. Users will likely need to devote additional resources to develop large-scale test and evaluation capabilities, to evaluate the impact of various transition mechanisms on typical security architectures, and to establish best common practices for new security policies and management mechanisms capable of ensuring the security and stability of networks in transition.
Thus, in the short term (i.e., in the first three to five years of significant IPv6 use), the user community will likely see no better security than what can be realized in IPv4-only networks today. Given its state of evolution, during this period, more security holes will probably be found in IPv6 and its transition mechanisms than in IPv4. In the longer term, security may improve as a result of increased use of end-to-end security mechanisms.
Potential Roles of Government
The Task Force finds that no substantial market barriers appear to exist that would prevent industry from investing in IPv6 products and services as its needs require or as consumers demand. The Task Force, therefore, believes that aggressive government action to accelerate deployment of IPv6 by the private sector is not warranted at this time. The Task Force believes that, in the near term, private sector organizations should undertake a careful analysis of their business cases for IPv6 adoption and plan for the inevitable emergence of IPv6 traffic on both internal and external networks.
With respect to public sector information systems, the Task Force recommends that government agencies initiate near-term activities to analyze their own business cases for IPv6 and to develop appropriate security plans for the inevitable emergence of IPv6 on both internal and external networks. This need for expedited planning and analysis in federal IT systems has also been identified in a recent report by the General Accountability Office and emerging policy guidance from the Office of Management and Budget. Each of these recommendations emphasizes that careful planning, development, and evaluation should precede any agency-specific decision to deploy new IPv6 technologies in operational networks. The results of this study indicate that significant technical and economic risks can be associated with failure to adequately plan for and appropriately schedule IPv6 adoption.
Looking longer term, the Task Force notes that the federal government will need to consider allocation of new resources and to work cooperatively with non-federal authorities and the private sector to address outstanding IPv6 research and development issues, and to expedite the development of suitable deployment, coexistence, and transition plans.