Need for IPv6 security products may hold up agency compliance

The biggest concern for federal agencies, which are facing the deadline to move their network backbone to Internet Protocol Version 6 in 18 months, is whether the security industry will have enough products to support them.

Three agency officials who are leading efforts to move to IPv6 today expressed concern over the lack of support from security vendors so far, and said federal agencies, such as the National Institute of Standards and Technology and the Defense Advanced Research Projects Agency, will have to provide seed money to move products along.

"Security has not received the same focus as, say, routers," said John McManus, Commerce Department deputy CIO and co-chairman of the IPv6 working group. "The Office of Management and Budget's memo said the security must be at least the same, if not higher. If you can't secure your network, you will not bring it online."

McManus was one of four agency officials to discuss their agency's move to IPv6 at a breakfast in Bethesda, Md., sponsored by the Armed Forces Communications and Electronics Association's Bethesda chapter.

Additionally, the Government Accountability Office is monitoring the move to IPv6 at a handful of agencies, including the Agriculture Department. Janice Lilja, USDA associate CIO for telecommunications services and operations, said if their systems are not certified and accredited, and all security issues are not addressed, they will not deploy IPv6 components on their network.

The Defense Department is focusing its transition initially on its sensitive but unclassified networks, in part because of security concerns.

Kris Strance, a senior analyst in the DOD CIO office, said vendors' IP encryptors for the classified and top-secret networks are not IPv6-capable. He said DOD expects to transition to IPv6 on its classified and top-secret networks by 2010.

The National Security Agency has done the specifications of the encryptors, but vendors, such as General Dynamics, Cisco Systems and L3 Communications, have yet to make the commitment to build products and software to those specifications, he added.

In addition to IP encryptors, DOD has provided NSA funding to develop IPv6 standards for firewalls, intrusion detection systems and routers for all their networks.

"Vendors know they need to go there, but it is a business case situation," Strance said. "They need to know there is a demand for the products. We think we have an operational imperative for these products, but the demand in the commercial market is not there. Vendors are not coming on board as fast as we would like."

McManus said that agencies recognize that smaller vendors cannot afford the product development costs to take the "build it and agencies will come" approach.

"These companies have to leverage grant programs from places like NIST and DARPA," he said. "This is an issue that will require consistent attention. I think parts will mitigate over time, especially if civilian and DOD agencies stay on track. Then investments by vendors will follow."

McManus also said NIST will issue draft security standards for IPv6 for agency comment by the end of December. He said it will be out for public comment by the end of January.

"Once security elements are defined, large companies will move," McManus said.

Jason Miller is assistant managing editor of Washington Technology's affiliate publication, Government Computer News.