NIST to release IPv6 profile

The National Institute of Standards and Technology will release the federal government's Internet Protocol version 6 profile by the end of the month to help agencies and vendors understand the government's technical requirements.

Peter Tseronis, the Education Department's director of network services and co-chairman of the IPv6 working group, yesterday said the NIST profile will be out for public comment for about a month and then NIST will issue the first version of the profile.

The profile, which will be released in the Federal Register, recommends a technology acquisition approach for common IPv6 devices, Tseronis said.

"The goal of the profile is to illuminate and spark discussion," he said at the CIO Council's IT quarterly forum on IPv6 in Washington. "This is a ripe time for agency planning, and agencies must start thinking about purchases for 2008 and include them in their budget request."

The profile will discuss the features in equipment such as routers, switches, intrusion detection system and firewalls ? the basic network equipment that agencies will need to upgrade or modify to handle IPv6 by June 2008, which is the Office of Management and Budget's deadline.

In addition to ensuring IPv6 is part of the 2008 budget, Tseronis and other speakers emphasized the need for training security personnel and network administrators on IPv6, and testing the protocol in a self-contained lab.

Microsoft Corp. is working with the International Information Systems Security Certification Consortium of Palm Harbor, Fla., to develop IPv6 security training and make it part of the organization's certification program, said Sean Siler, Microsoft's lead program manager for IPv6 deployment and field readiness.

"The security architects need to be trained first," he said. "Most have no idea how to secure v6 networks."

Siler said the notion that IPv6 is more secure than IPv4 is not true. What is true, he said, is it is easier to secure IPv6 applications and networks because IP security is a default, and security happens at the network layer instead of the application layer.

"Most people don't deploy IP security in v4," Siler said. "The key is authentication with v6. Authentication is very important and easy with v6."

Brett Thorson, a network integration and security adviser for the North American v6 Task Force, a public-private-academia organization supporting the move to IPv6, said his organization will develop a white paper on the current state of IPv6 security. This will help establish a baseline of where the industry is at and assist agencies and companies in making v6 decisions.

Tseronis added that the key to training is not implementing IPv6 routers or changing the firewall to handle the new protocol. The challenge is configuring routers and switches to handle both v4 and v6 traffic at once.

"Whoever supports the network needs training," he said. "And you need different types of training for agency executives, CIOs, middle-manager types and those that do the network plumbing."

Thorson added that the easiest thing would be to send one network or security employee to training and let the trickle-down effect happen.

He also said setting up a test lab is another important source of training.

"All you have to do to set up a test lab is put a router, firewall, a switch and five computers in a room and connect it to the Internet" to run v6 packets, Thorson said. "You could use any operating system. It would at least give you experience of setting it up, installing applications and seeing what happens."

Jason Miller is assistant managing editor of Washington Technology's affiliate publication, Government Computer News.