Internet Protocol Version 6:

Federal Agencies Need to Plan for Transition and Manage Security Risks

GAO-05-845T: Published: Jun 29, 2005. Publicly Released: Jun 29, 2005.

The Internet protocol (IP) provides the addressing mechanism that defines how and where information such as text, voice, and video moves across interconnected networks. Internet protocol version 4 (IPv4), which is widely used today, may not be able to accommodate the increasing number of global users and devices that are connecting to the Internet. As a result, IP version 6 (IPv6) was developed to increase the amount of available IP address space. The new protocol is gaining increased attention from regions with limited IP addresses. For its testimony, GAO was asked to discuss the findings and recommendations of its recent study of IPv6 (GAO-05-471). In this study, GAO was asked to (1) describe the key characteristics of IPv6; (2) identify the key planning considerations for federal agencies in transitioning to IPv6; and (3) determine the progress made by the Department of Defense (DOD) and other major agencies in the transition to IPv6.

The key characteristics of IPv6 are designed to increase address space, promote flexibility and functionality, and enhance security. For example, by using 128-bit addresses rather than 32-bit addresses, IPv6 dramatically increases the available Internet address space from approximately 4.3 billion in IPv4 to approximately 3.4 x 10^38 in IPv6.

Key planning considerations for federal agencies include recognizing that the transition is already under way, because agency networks already include IPv6-capable software and equipment. Other important agency planning considerations include developing inventories and assessing risks; creating business cases that identify organizational needs and goals; establishing policies and enforcement mechanisms; determining costs; and identifying timelines and methods for transition. Managing the security aspects of transition is also an important consideration because poorly managed IPv6 capabilities can put agency information and systems at risk.

DOD has made progress in developing a business case, policies, timelines, and processes for transitioning to IPv6. Unlike DOD, the majority of other major federal agencies reported that they have not yet initiated key planning efforts for IPv6. In its report, GAO recommended, among other things, that the Director of the Office of Management and Budget (OMB) instruct agencies to begin to address key planning considerations for the IPv6 transition and that agencies act to mitigate near-term IPv6 security risks. Officials from OMB, DOD, and Commerce generally agreed with the contents of the report.

