Architecting Next-generation Internet Technologies

1. 1 Architecting Next-generation Internet Technologies IPv6 was initially developed in the early 1990s because of the anticipated need for more addresses based on forecasted Internet growth: cell phone deployment PDA introduction, smart appliances, and billions of new users in developing countries, e.g. China, India, and so on. The Internet was designed in part to provide a communications network that would work even if some of the sites were destroyed by nuclear attack. If the most direct route was not available, routers would direct traffic around the network via alternate routes. The Internet matured in the 70's as a result of the TCP/IP architecture first proposed by Bob Kahn at BBN and further developed by Kahn and Vint Cerf at Stanford and others throughout the 70's. It was adopted by the Defense Department in 1980 replacing the earlier Network Control Protocol (NCP) and universally adopted by 1983. The development in 1993 of the graphical browser Mosaic by Marc Andreessen and his team at the National Center for Supercomputing Applications (NCSA) gave the protocol its big boost. Later, Andreessen moved to become the brains behind Netscape Corp., which produced the most successful graphical type of browser and server until Microsoft declared war and developed its Microsoft Internet Explorer. IPv6 was initially developed in the early 1990s because of the anticipated need for more addresses based on forecasted Internet growth: cell phone deployment PDA introduction, smart appliances, and billions of new users in developing countries, e.g. China, India, and so on. The Internet was designed in part to provide a communications network that would work even if some of the sites were destroyed by nuclear attack. If the most direct route was not available, routers would direct traffic around the network via alternate routes. The Internet matured in the 70's as a result of the TCP/IP architecture first proposed by Bob Kahn at BBN and further developed by Kahn and Vint Cerf at Stanford and others throughout the 70's. It was adopted by the Defense Department in 1980 replacing the earlier Network Control Protocol (NCP) and universally adopted by 1983. The development in 1993 of the graphical browser Mosaic by Marc Andreessen and his team at the National Center for Supercomputing Applications (NCSA) gave the protocol its big boost. Later, Andreessen moved to become the brains behind Netscape Corp., which produced the most successful graphical type of browser and server until Microsoft declared war and developed its Microsoft Internet Explorer.

2. 2 A brief history and chronology� The Internet is a worldwide network of networks comprised of servers, routers, and backbone networks The basic function of the Internet is to transmit packets of information across interconnected networks via: Addressing Fragmentation of data The two primary protocols enable these packets to traverse the Internet: TCP and IP In February 2003, the President�s National Strategy to Secure Cyberspace commenced the government wide effort to address IPv6 In May 2005, the GAO-05-471 informed Congress on the state of the federal IPv6 landscape and recommended that OMB begin addressing key planning considerations for an IPv6 transition In August 2005, OMB released M-05-22 requiring to begin the transition to IPv6 on core network backbones In September 2008, NIST published A Profile for IPv6 in the U.S. Government � Version 1.0 to assist Federal agencies in formulating plans for the acquisition of IPv6 technologies Geographic-based Numbering and Routing Approaches: U.S. Postal Service uses a form of routing via the zip code system Phone calls are routed based on hierarchical addressed phone numbers TCP: decomposes data into packets and ensures that they are reassembled properly at the destination IP: guides or routes the packets through the Internet National Strategy to Secure Cyberspace: Secure the mechanisms of the Internet by improving protocols and routing Our economy and national security became fully dependent upon information technology and the information infrastructure All sectors share the Internet�all are at risk if its mechanisms (e.g. protocols and routers) are not secure The WWW is a planetary information grid of systems. Internationally shared standards enable interoperability among the world�s computer systemsGeographic-based Numbering and Routing Approaches: U.S. Postal Service uses a form of routing via the zip code system Phone calls are routed based on hierarchical addressed phone numbers TCP: decomposes data into packets and ensures that they are reassembled properly at the destination IP: guides or routes the packets through the Internet National Strategy to Secure Cyberspace: Secure the mechanisms of the Internet by improving protocols and routing Our economy and national security became fully dependent upon information technology and the information infrastructure All sectors share the Internet�all are at risk if its mechanisms (e.g. protocols and routers) are not secure The WWW is a planetary information grid of systems. Internationally shared standards enable interoperability among the world�s computer systems

3. 3 Implications of not using IPv6� Despite the wide-scale deployment of Network Address Translation (NAT) at Federal agencies and within the United States, the worldwide consumption of the IPv4 address pool continues at an accelerating rate IPv4 address space is projected to run out in or before 2011 Moreover, the current community (IPv4) may not be able to talk to the future Internet community (IPv6) effectively, which could splinter the Internet Agencies may not be prepared for dramatic changes brought about by IPv6 in commercial and international markets ICANN - Internet Corporation for Assigned Names and Numbers: oversee a number of Internet-related tasks previously performed directly on behalf of the U.S. government by other organizations, notably the Internet Assigned Numbers Authority IANA. IANA - Internet Assigned Numbers Authority oversees global IP address allocation, DNS root zone management, media types, and other Internet protocol assignments. It is operated by ICANN. RIR- Regional Internet Registry overseeing the allocation and registration of Internet number resources within a particular region of the world American Registry for Internet Numbers (ARIN for North America and parts of the Caribbean RIPE Network Coordination Centre (RIPE NCC) [2] for Europe, the Middle East and Central Asia Asia-Pacific Network Information Centre (APNIC) for Asia and the Pacific region Latin American and Caribbean Internet Address Registry (LACNIC) for Latin America and parts of the Caribbean region African Network Information Centre (AfriNIC) for Africa IANA delegates Internet resources to the RIRs, and in turn, the RIRs follow their regional policies for further sub-delegation of resources to their customers, which include Internet service providers and end-user organizations Globally unique IP addresses: ultimately connect to one another without conflict�.Private IPv4 addresses are not globally unique or routable Improved Connectivity: bring back end-to-end controlled communications across a transparent network infrastructure Rapid Automatic Address Configuration (ad-hoc): unique link-local IPv6 address (suitable for communicating with other hosts on the subnet) without relying on the presence of a router or DHCP server to centrally assign addresses on that network BENEFITS: Expanded addressing capabilities Server-less autoconfiguration (plug-and-play) and reconfiguration More efficient and robust mobility mechanisms End-to-end security, with built-in, strong IP-layer encryption and authentication Streamlined header format and flow identification Enhanced support for multicast and QoS Extensibility: improved support for options/extensions IPv6 has more capabilities built into its foundation than IPv4 consumers look for �plug-and-play� simplicity, collaboration, and mobility IPv6 is a natural convergence protocol for tomorrow�s IP-centric world! EXAMPLE: asset management via networks versus manually walking aroundICANN - Internet Corporation for Assigned Names and Numbers: oversee a number of Internet-related tasks previously performed directly on behalf of the U.S. government by other organizations, notably the Internet Assigned Numbers Authority IANA. IANA - Internet Assigned Numbers Authority oversees global IP address allocation, DNS root zone management, media types, and other Internet protocol assignments. It is operated by ICANN. RIR- Regional Internet Registry overseeing the allocation and registration of Internet number resources within a particular region of the world American Registry for Internet Numbers (ARIN for North America and parts of the Caribbean RIPE Network Coordination Centre (RIPE NCC) [2] for Europe, the Middle East and Central Asia Asia-Pacific Network Information Centre (APNIC) for Asia and the Pacific region Latin American and Caribbean Internet Address Registry (LACNIC) for Latin America and parts of the Caribbean region African Network Information Centre (AfriNIC) for Africa IANA delegates Internet resources to the RIRs, and in turn, the RIRs follow their regional policies for further sub-delegation of resources to their customers, which include Internet service providers and end-user organizations Globally unique IP addresses: ultimately connect to one another without conflict�.Private IPv4 addresses are not globally unique or routable Improved Connectivity: bring back end-to-end controlled communications across a transparent network infrastructure Rapid Automatic Address Configuration (ad-hoc): unique link-local IPv6 address (suitable for communicating with other hosts on the subnet) without relying on the presence of a router or DHCP server to centrally assign addresses on that network BENEFITS: Expanded addressing capabilities Server-less autoconfiguration (plug-and-play) and reconfiguration More efficient and robust mobility mechanisms End-to-end security, with built-in, strong IP-layer encryption and authentication Streamlined header format and flow identification Enhanced support for multicast and QoS Extensibility: improved support for options/extensions IPv6 has more capabilities built into its foundation than IPv4 consumers look for �plug-and-play� simplicity, collaboration, and mobility IPv6 is a natural convergence protocol for tomorrow�s IP-centric world! EXAMPLE: asset management via networks versus manually walking around

4. 4 Exponentially More Addresses� IPv4: 4,294,967,296 IPv6: 340,282,366,920,938,463,374,607,432,768,211,456 Data is transmitted based on IP numbers Federal agencies should become early adopters of new, more secure systems and protocols where appropriate DNS was developed to simplify the management of IP addresses via domains and a structured hierarchical addressing schema National Strategy to Secure Cyberspace: Improve the Security and Resilience of Key Internet Protocols IP, DNS, and BGP Promote Improved Internet Routing DoS attacks that overwhelm a router�s processing capability�preventing control data from reaching the router Encourage increased use of address verification and �out-of-band mgmt�to counter DoS attacks� Carriers and service providers are encouraged to independently and collectively continue to analyze their networks to strengthen reliability and intentional redundancy As telephones and mobile devices incorporate more sophisticated operating systems and connectivity they may require security features to prevent their exploitation for distributed attacks on mobile networks and even the InternetData is transmitted based on IP numbers Federal agencies should become early adopters of new, more secure systems and protocols where appropriate DNS was developed to simplify the management of IP addresses via domains and a structured hierarchical addressing schema National Strategy to Secure Cyberspace: Improve the Security and Resilience of Key Internet Protocols IP, DNS, and BGP Promote Improved Internet Routing DoS attacks that overwhelm a router�s processing capability�preventing control data from reaching the router Encourage increased use of address verification and �out-of-band mgmt�to counter DoS attacks� Carriers and service providers are encouraged to independently and collectively continue to analyze their networks to strengthen reliability and intentional redundancy As telephones and mobile devices incorporate more sophisticated operating systems and connectivity they may require security features to prevent their exploitation for distributed attacks on mobile networks and even the Internet

5. 5 Phase I was about� Culminating a 35-month initiative to begin migrating the federal government to the next generation Internet Integrating the next generation Internet protocol into core backbone network infrastructure Substantiating an enterprise architecture framework for IPv6 adoption Building momentum for Phase II EAAF is a framework for measuring agency efforts to use information and IT to improve agency performance in four (4) ways: Closing mission performance gaps identified via agency performance improvement and strategic planning activities Saving money and avoiding cost through Collaboration and reuse Process reengineering and productivity enhancements Elimination of redundancy Strengthening the quality of investments within agency portfolios as reflected in critical attributes in including: security interoperability, reliability availability end-user performance, flexibility, serviceability, and reduced time and cost to deliver new services and solutions Improving the quality, validity, and timeliness of program performance output and outcome, program planning and management, and cost accounting data and information Of the 13 categories evaluated in the OMB EAAF (2007), IPv6 was one of the two highest average scores among all agencies (INPUT federal Industry Analysis, 2008) President�s FY09 Budget: ~70B in annual spending ~20B in Development, Modernization, and Enhancement (DME) funding EAAF is a framework for measuring agency efforts to use information and IT to improve agency performance in four (4) ways: Closing mission performance gaps identified via agency performance improvement and strategic planning activities Saving money and avoiding cost through Collaboration and reuse Process reengineering and productivity enhancements Elimination of redundancy Strengthening the quality of investments within agency portfolios as reflected in critical attributes in including: security interoperability, reliability availability end-user performance, flexibility, serviceability, and reduced time and cost to deliver new services and solutions Improving the quality, validity, and timeliness of program performance output and outcome, program planning and management, and cost accounting data and information Of the 13 categories evaluated in the OMB EAAF (2007), IPv6 was one of the two highest average scores among all agencies (INPUT federal Industry Analysis, 2008) President�s FY09 Budget: ~70B in annual spending ~20B in Development, Modernization, and Enhancement (DME) funding

6. 6 IPv6 Market Trends� IPv4 Address space depletion Operating system releases with v6 �on� and �preferred� by default Explosion of connected appliances Earth population trend: 6B (now) to 9B (2050) National IT strategies: M 05-22 E.U. Recommendations China Next Generation Internet E-Japan Korea IT-839 ��transition to a converged, fully multimedia-enabled, real-time packet-based communication infrastructure for both enterprise networks and for carriers� network environments in support of commercial-grade real-time voice, commercial-grade video, and commercial-grade Video-On-Demand (VOD) services.� ��these converged networks will allow for voice, video, data and images to be delivered anywhere in the world, at any time, and with any kind of user�s communication deice and network access service.� Mobility Support Presence-related functions Unified Messaging Virtual Contact Centers �Triple-Play� Applications 2 problems: lack of de facto intrinsic QoS in many of the IPnetworks deployed around the globe (both at the carrier and enterprise levels) end-to-end integrity of the signaling and bearer path for VoIP, specifically VoIP packets being carried across firewalls (protocol itself and NAT issues) National IT Strategies: Korea IT839: strategy, which covers eight services, three types of infrastructure and nine products for Wireless Broadband, RFID, digital multimedia broadcasting, The u-Korea (ubiquitous communications) project plans will allow people to communicate and access information anywhere and anytime. E-Japan: create a "knowledge-emergent society," where everyone can actively utilize information technology (IT) and fully enjoy its benefits. We will strive to establish an environment where the private sector, based on market forces, can exert its full potential and make Japan the world's most advanced IT nation within five years by: 1) building an ultra high-speed Internet network and providing constant Internet access at the earliest date possible, 2) establishing rules on electronic commerce, 3) realizing an electronic government and 4) nurturing high-quality human resources for the new era. China's Next Generation Internet (CNGI): project is a 5-year plan initiated by the Chinese government with the purpose of gaining a significant position in cyberspace through the early adoption of IPv6. The U.S. has almost one third of the theoretical maximum IPv4 addresses while China has more high-speed Internet users than IP addresses and the largest Internet user base of any country. China is showcasing CNGI and the IPv6 network infrastructure at the 2008 Olympics. Everything from security cameras, taxis, to the Olympic events cameras are networked by IPv6; the events are streamed live over the Internet while networked cars are able to monitor traffic conditions readily. E.U. Recommendations: The European Commission encourages the widespread adoption of its sixth version, the Internet Protocol version 6 (IPv6) on the basis of a specific action plan that should be fully implemented by 2010. ��transition to a converged, fully multimedia-enabled, real-time packet-based communication infrastructure for both enterprise networks and for carriers� network environments in support of commercial-grade real-time voice, commercial-grade video, and commercial-grade Video-On-Demand (VOD) services.� ��these converged networks will allow for voice, video, data and images to be delivered anywhere in the world, at any time, and with any kind of user�s communication deice and network access service.� Mobility Support Presence-related functions Unified Messaging Virtual Contact Centers �Triple-Play� Applications 2 problems: lack of de facto intrinsic QoS in many of the IPnetworks deployed around the globe (both at the carrier and enterprise levels) end-to-end integrity of the signaling and bearer path for VoIP, specifically VoIP packets being carried across firewalls (protocol itself and NAT issues) National IT Strategies: Korea IT839: strategy, which covers eight services, three types of infrastructure and nine products for Wireless Broadband, RFID, digital multimedia broadcasting, The u-Korea (ubiquitous communications) project plans will allow people to communicate and access information anywhere and anytime. E-Japan: create a "knowledge-emergent society," where everyone can actively utilize information technology (IT) and fully enjoy its benefits. We will strive to establish an environment where the private sector, based on market forces, can exert its full potential and make Japan the world's most advanced IT nation within five years by: 1) building an ultra high-speed Internet network and providing constant Internet access at the earliest date possible, 2) establishing rules on electronic commerce, 3) realizing an electronic government and 4) nurturing high-quality human resources for the new era. China's Next Generation Internet (CNGI): project is a 5-year plan initiated by the Chinese government with the purpose of gaining a significant position in cyberspace through the early adoption of IPv6. The U.S. has almost one third of the theoretical maximum IPv4 addresses while China has more high-speed Internet users than IP addresses and the largest Internet user base of any country. China is showcasing CNGI and the IPv6 network infrastructure at the 2008 Olympics. Everything from security cameras, taxis, to the Olympic events cameras are networked by IPv6; the events are streamed live over the Internet while networked cars are able to monitor traffic conditions readily. E.U. Recommendations: The European Commission encourages the widespread adoption of its sixth version, the Internet Protocol version 6 (IPv6) on the basis of a specific action plan that should be fully implemented by 2010.

7. 7 IT Predictions for 2008� Web 2.0 evolution Infrastructure optimization/modernization Information Sharing/Collaboration Distance Learning IT Security Wireless and Mobile communications Virtualization Green IT Broad use of telework Web 2.0: Tools � collaborative web technologies (for information sharing) Wikis, Blogs, Communities of Interest, Social Networking Environment (for information sharing) SoA, SaaS Infrastructure optimization/modernization: Move from steady-state to DME Information Sharing/Collaboration (aka Government 2.0) Leveraging the web as the platform for activity Harnessing collective intelligence Leveraging highly available data Using radical new application models (especially development) Distance Learning Geographical dispersion, travel costs Cybersecurity According to INPUT, The President�s proposed FY 2009 budgets show that $103 out of every $1,000 requested for IT spending next year � roughly $7.3 billion in total � will be spent on improving IT security. That represents 9.8% more than what was spent in FY 2008, and 73% more than the $4.2 billion budget for cyber security in FY 2004 Issued under a classified joint directive on January 8, 2008, the National Security Agency (NSA) is being tasked with monitoring the internet traffic of all government agencies. The White House is taking this proactive approach after a number of agencies have failed to defend against an increasing progression of attacks on government networks. Wireless and Mobile communications: Defense, Emergency Response, and Law Enforcement Virtualization: leverage new server technology that allows multiple operating systems to use the same hardware rather than needing independent servers. In essence, a single server can be split into several �virtual� servers to maximize use of the processing power. Significant savings can be achieved through reduced hardware and data center space requirements as well as faster provisioning of services. Several issues such as security and unexpected peak load issues make adopting virtualization more difficulty, but the speed and relative ease of the payback has led agencies to rush toward virtualization investments. Green IT: cast as �green� for the beneficial effects on the environment, these strategies are primarily targeted at saving another kind of green � money � through reduced electricity consumption. Some critics indicate that it is a clever tactic to sell new hardware, but many agencies are finding that using more modern and power-efficient PCs and blade servers can cut their electricity consumption by 20%. IPv6 Forum Working Group focused on Reducing Global Energy Use by 25% Percent (building design, development, and conro) Broad use of telework: Web 2.0: Tools � collaborative web technologies (for information sharing) Wikis, Blogs, Communities of Interest, Social Networking Environment (for information sharing) SoA, SaaS Infrastructure optimization/modernization: Move from steady-state to DME Information Sharing/Collaboration (aka Government 2.0) Leveraging the web as the platform for activity Harnessing collective intelligence Leveraging highly available data Using radical new application models (especially development) Distance Learning Geographical dispersion, travel costs Cybersecurity According to INPUT, The President�s proposed FY 2009 budgets show that $103 out of every $1,000 requested for IT spending next year � roughly $7.3 billion in total � will be spent on improving IT security. That represents 9.8% more than what was spent in FY 2008, and 73% more than the $4.2 billion budget for cyber security in FY 2004 Issued under a classified joint directive on January 8, 2008, the National Security Agency (NSA) is being tasked with monitoring the internet traffic of all government agencies. The White House is taking this proactive approach after a number of agencies have failed to defend against an increasing progression of attacks on government networks. Wireless and Mobile communications: Defense, Emergency Response, and Law Enforcement Virtualization: leverage new server technology that allows multiple operating systems to use the same hardware rather than needing independent servers. In essence, a single server can be split into several �virtual� servers to maximize use of the processing power. Significant savings can be achieved through reduced hardware and data center space requirements as well as faster provisioning of services. Several issues such as security and unexpected peak load issues make adopting virtualization more difficulty, but the speed and relative ease of the payback has led agencies to rush toward virtualization investments. Green IT: cast as �green� for the beneficial effects on the environment, these strategies are primarily targeted at saving another kind of green � money � through reduced electricity consumption. Some critics indicate that it is a clever tactic to sell new hardware, but many agencies are finding that using more modern and power-efficient PCs and blade servers can cut their electricity consumption by 20%. IPv6 Forum Working Group focused on Reducing Global Energy Use by 25% Percent (building design, development, and conro) Broad use of telework:

8. 8 Phase II is about� Deploying secure, end-to-end, shared IPv6-enabled network services Implementing of the USG standards profile Developing of an open, public formal testing program for IPv6 technologies Producing a suite of artifacts via the Federal Enterprise Architecture PMO to guide to guide Federal IPv6 transitions Coordinating IPv6 initiatives with the IT infrastructure Line of Business (ITILOB) Utilizing the IT Infrastructure and Information Sharing Segment Architectures to define a �to-be� IPv6 environment Reinforcing how EA and Enterprise Transition Plans drive IPv6 Exhibit 300 development Profile Purpose and Scope: A strategic planning guide for future acquisitions Statement of strategic IPv6 technical direction for a large IT user group (USG) and as a potential vehicle for communication to a broad product industry A complete specification of viable IPv6-capabilities requires reference to hundreds of individual protocol, architecture, and algorithm specifications. (mainly IETF RFCs) 12 Functional Categories of IPv6 Capabilities Compliance Federal IPv6 Transition Guidance: The next phase of Federal IPv6 transition is the deployment of secure, end-to-end, shared IPv6-enabled network services supporting core Agency mission applications. Two resources: Federal IPv6 Transition Guidance: An update to the February 2006 CIO Council Transition Guide, which: Defines the Government�s future IPv6 Vision, what �IPv6-enabled network services� are, and their business value Provides a detailed roadmap and milestones for achieving that vision Explains IPv6 impact on other Federal Initiatives, such as TIC, HSPD-12, and FDCC Outlines how to leverage Enterprise Architecture as a planning tool Describes how OMB will use the Federal Enterprise Architecture Assessment Framework and Quarterly EA Milestone Reporting to measure Agency progress. IPv6 Portions of the IT Infrastructure Segment Architecture Template: The IT Infrastructure Segment Architecture Template will provide Agencies with a standardized format for documenting and assessing their IT Infrastructure Target Vision � including business requirements/functions, supporting applications and network enhancements, enabling technologies, and expected performance metrics. The IPv6 Working Group is coordinating with the Federal IT Infrastructure PMO to integrate IPv6-related sections into the ITI Segment Architecture Template. This will allow agencies to develop comprehensive, integrated plans for the deployment of IPv6-enabled network services The Federal IPv6 Transition Guidance will provide detailed instructions on how to complete the IPv6-related sections of the IT Infrastructure Segment Architecture. The Federal IPv6 Transition Guidance and will be published for Agency comment by October 31, 2008. The Federal ITI LoB PMO will also publish the final IT Infrastructure Segment Architecture on this day. These resources will enable agencies to: Develop concrete plans for Deployment of IPv6-enabled network services using the IT Infrastructure Segment Architecture Template and their Enterprise Transition Strategy Plans. These documents should be submitted to OMB in February 2009 as part of the regular FEA PMO EA Assessment Cycle Incorporate IPv6 milestones (as defined in their Enterprise Transition Strategy Plans) into their EA Quarterly Milestone Reports � due June 2009 Develop and submit Exhibit 300 business cases for investments supporting the deployment of IPv6-enabled network services (as defined in their IT Infrastructure Segment Architectures) by September 2009 Deploy these investments and update their IT Infrastructure Segment Architectures, Transition Strategy Plans, and Milestone Reports accordingly during FY2010 and beyond Changing the Security Paradigm End nodes will assume a greater degree of security services as opposed to relying on boundary devices (greater firewall , virus, and intrusion detection capabilities) Boundary devices will NOT go away�they�ll play a critical role as gatekeepers screening for policy breaches and be the front line to shut down unauthorized streams of communication Agencies should do everything they can to get people to stop memorizing addresses, and creating easy to guess targets for attack Limiting routing scope is one layer in a security toolbox; Unique Local Addresses (ULAs) are not globally routable and will be used for internal communication Profile Purpose and Scope: A strategic planning guide for future acquisitions Statement of strategic IPv6 technical direction for a large IT user group (USG) and as a potential vehicle for communication to a broad product industry A complete specification of viable IPv6-capabilities requires reference to hundreds of individual protocol, architecture, and algorithm specifications. (mainly IETF RFCs) 12 Functional Categories of IPv6 Capabilities Compliance Federal IPv6 Transition Guidance: The next phase of Federal IPv6 transition is the deployment of secure, end-to-end, shared IPv6-enabled network services supporting core Agency mission applications. Two resources: Federal IPv6 Transition Guidance: An update to the February 2006 CIO Council Transition Guide, which: Defines the Government�s future IPv6 Vision, what �IPv6-enabled network services� are, and their business value Provides a detailed roadmap and milestones for achieving that vision Explains IPv6 impact on other Federal Initiatives, such as TIC, HSPD-12, and FDCC Outlines how to leverage Enterprise Architecture as a planning tool Describes how OMB will use the Federal Enterprise Architecture Assessment Framework and Quarterly EA Milestone Reporting to measure Agency progress. IPv6 Portions of the IT Infrastructure Segment Architecture Template: The IT Infrastructure Segment Architecture Template will provide Agencies with a standardized format for documenting and assessing their IT Infrastructure Target Vision � including business requirements/functions, supporting applications and network enhancements, enabling technologies, and expected performance metrics. The IPv6 Working Group is coordinating with the Federal IT Infrastructure PMO to integrate IPv6-related sections into the ITI Segment Architecture Template. This will allow agencies to develop comprehensive, integrated plans for the deployment of IPv6-enabled network services The Federal IPv6 Transition Guidance will provide detailed instructions on how to complete the IPv6-related sections of the IT Infrastructure Segment Architecture. The Federal IPv6 Transition Guidance and will be published for Agency comment by October 31, 2008. The Federal ITI LoB PMO will also publish the final IT Infrastructure Segment Architecture on this day. These resources will enable agencies to: Develop concrete plans for Deployment of IPv6-enabled network services using the IT Infrastructure Segment Architecture Template and their Enterprise Transition Strategy Plans. These documents should be submitted to OMB in February 2009 as part of the regular FEA PMO EA Assessment Cycle Incorporate IPv6 milestones (as defined in their Enterprise Transition Strategy Plans) into their EA Quarterly Milestone Reports � due June 2009 Develop and submit Exhibit 300 business cases for investments supporting the deployment of IPv6-enabled network services (as defined in their IT Infrastructure Segment Architectures) by September 2009 Deploy these investments and update their IT Infrastructure Segment Architectures, Transition Strategy Plans, and Milestone Reports accordingly during FY2010 and beyond Changing the Security Paradigm End nodes will assume a greater degree of security services as opposed to relying on boundary devices (greater firewall , virus, and intrusion detection capabilities) Boundary devices will NOT go away�they�ll play a critical role as gatekeepers screening for policy breaches and be the front line to shut down unauthorized streams of communication Agencies should do everything they can to get people to stop memorizing addresses, and creating easy to guess targets for attack Limiting routing scope is one layer in a security toolbox; Unique Local Addresses (ULAs) are not globally routable and will be used for internal communication

9. 9 IP Security will evolve� The AS-IS: IP security relies heavily on perimeter devices (firewalls, routers, NAT) Network-based security is the �modus operandi� IP security security constantly �adding on� to meet requirements The TO-BE: Move towards an �end-to-end� security model via a policy-based trust domains: a combination of host, application, and network-based security Boundary devices will servea s gatekeepers screenifn for pokkciy breaches Nodes will provide firewall, intrusion detection and virus capabilities Security services can be applied at varying levels of the TCP/IP model Reliance on a distributed security architecture/model to remove the burden of screening rules at a perimeter firewall Leverage integrated security that v6 has to offer Initial Intent of the Internet: End-to-End Security OVERARCHING GOAL (for a sound Security Policy): Preservation of Confidentiality, Integrity, Accountability, and Availability Understanding the threats to your enterprise and your vulnerabilities is essential to determining your risk profile, but you must also factor in the value of what you are protecting. GREATEST THREAT: lack of knowledge and planning�education is key Adopt a phased approach (leveraging EA and it�s �Architect-Invest-Implement� philosophy AS-IS IP security today is primarily boundary focused Control incoming and outgoing communication channels within the enterprise (firewalls, IP-based security perimeter devices) Use VPNs when geographic dispersion is realized Assumption is that internal users are good, Internet hosts are treated as hostile TO-BE (Rearchitect enterprise security solutions Security Services: Accountability, Authentication, Confidentiality, Integrity, Non-Repudiation, Availability Moving back to an end-to-end security model�reduce the stovepipe or bootstrapped solutions in use today Radically change the way information security is viewed and implemented within the enterprise (NAT, firewalls, creating insulation between internal assets and the rest of the world Transition to v6 provides the best time for agencies to begin re-architecting their enterprise security solution to support end-to-end and other enhanced capabilities; the vision and plans must be developed to achieve maximum value during the initial planning stages of the transition IPSec is considered a mandatory part of Ipv6 (ubiquitous security layer) Node and Topology hiding (due to increased address space) mitigating scanning opportunities Develop an Ipv6 Security Plan Training, Policy Guidance, Vendors, Boundary security (packet filtering router configurations for v6), Traffic monitoring (sniffers) Mobility Mobile Ipv6 may accelerate the proliferation of handheld mobile devices and mobile networks The key benefit of Mobile IPv6 is that even though the mobile node changes locations and addresses, the existing connections through which the mobile node is communicating are maintained. To accomplish this, connections to mobile nodes are made with a specific address that is always assigned to the mobile node, and through which the mobile node is always reachable. Mobile IPv6 provides Transport layer connection survivability when a node moves from one link to another by performing address maintenance for mobile nodes at the Internet layer. (avoids triangulation routing�like in Mobile Ipv4) Stateless address autoconfiguration allows IPv6 hosts to configure themselves automatically when connected to a routed IPv6 network using ICMPv6 router discovery messages. When first connected to a network, a host sends a link local multicast router solicitation request for its configuration parameters; if configured suitably, routers respond to such a request with a router advertisement packet that contains network-layer configuration parameters.[5] If IPv6 stateless address autoconfiguration (SLAAC) proves unsuitable, a host can use stateful configuration (DHCPv6) or be configured manually. In particular, stateless autoconfiguration is not used by routers, these must be configured manually or by other means. References IETF RFC 3775 Mobility Support in IPv6 IETF RFC 3776 Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents Initial Intent of the Internet: End-to-End Security OVERARCHING GOAL (for a sound Security Policy): Preservation of Confidentiality, Integrity, Accountability, and Availability Understanding the threats to your enterprise and your vulnerabilities is essential to determining your risk profile, but you must also factor in the value of what you are protecting. GREATEST THREAT: lack of knowledge and planning�education is key Adopt a phased approach (leveraging EA and it�s �Architect-Invest-Implement� philosophy AS-IS IP security today is primarily boundary focused Control incoming and outgoing communication channels within the enterprise (firewalls, IP-based security perimeter devices) Use VPNs when geographic dispersion is realized Assumption is that internal users are good, Internet hosts are treated as hostile TO-BE (Rearchitect enterprise security solutions Security Services: Accountability, Authentication, Confidentiality, Integrity, Non-Repudiation, Availability Moving back to an end-to-end security model�reduce the stovepipe or bootstrapped solutions in use today Radically change the way information security is viewed and implemented within the enterprise (NAT, firewalls, creating insulation between internal assets and the rest of the world Transition to v6 provides the best time for agencies to begin re-architecting their enterprise security solution to support end-to-end and other enhanced capabilities; the vision and plans must be developed to achieve maximum value during the initial planning stages of the transition IPSec is considered a mandatory part of Ipv6 (ubiquitous security layer) Node and Topology hiding (due to increased address space) mitigating scanning opportunities Develop an Ipv6 Security Plan Training, Policy Guidance, Vendors, Boundary security (packet filtering router configurations for v6), Traffic monitoring (sniffers) Mobility Mobile Ipv6 may accelerate the proliferation of handheld mobile devices and mobile networks The key benefit of Mobile IPv6 is that even though the mobile node changes locations and addresses, the existing connections through which the mobile node is communicating are maintained. To accomplish this, connections to mobile nodes are made with a specific address that is always assigned to the mobile node, and through which the mobile node is always reachable. Mobile IPv6 provides Transport layer connection survivability when a node moves from one link to another by performing address maintenance for mobile nodes at the Internet layer. (avoids triangulation routing�like in Mobile Ipv4) Stateless address autoconfiguration allows IPv6 hosts to configure themselves automatically when connected to a routed IPv6 network using ICMPv6 router discovery messages. When first connected to a network, a host sends a link local multicast router solicitation request for its configuration parameters; if configured suitably, routers respond to such a request with a router advertisement packet that contains network-layer configuration parameters.[5] If IPv6 stateless address autoconfiguration (SLAAC) proves unsuitable, a host can use stateful configuration (DHCPv6) or be configured manually. In particular, stateless autoconfiguration is not used by routers, these must be configured manually or by other means. References IETF RFC 3775 Mobility Support in IPv6 IETF RFC 3776 Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents

10. 10 Things to think about� Evaluating transition mechanisms Architecting IPSec and IKE across your enterprise Investigating Secure Neighbor Discovery (SEND) Deploying DHCPv6 and DNSSEC Designing scalable Addressing and Routing schemas Replacing NAT functionality with v6 capabilities NAT implementations provide: Simple Gateway Between Internet and Private Network Simple Security Due to Stateful Filter Implementation User/Application Tracking Privacy and Topology Hiding Independent Control of Addressing in a Private Network Global Address Pool Conservation Ipv6 Tools that can replace NAT functionality: Privacy Addresses (RFC 4941) Unique Local Addresses (RFC 4193) DHCPv6 Prefix delegation Untraceable IPv6 Addresses NAT implementations provide: Simple Gateway Between Internet and Private Network Simple Security Due to Stateful Filter Implementation User/Application Tracking Privacy and Topology Hiding Independent Control of Addressing in a Private Network Global Address Pool Conservation Ipv6 Tools that can replace NAT functionality: Privacy Addresses (RFC 4941) Unique Local Addresses (RFC 4193) DHCPv6 Prefix delegation Untraceable IPv6 Addresses

11. 11 How to define the �to-be� v6 environment� Use the Enterprise Architecture Assessment Framework (v3.0) Enterprise architecture levels Enterprise common/shared assets; aligning resources; all stakeholders Segment core mission areas; structure, reuse, and alignment; business owners Solution applications/components; users and developers Performance Improvement Lifecycle Communities Strategic/Performance Improvement: �Strategize � Formulate � Execute� Information Technology: �Architect � Invest � Implement� Segment architecture maturity Segments are subset of the overall agency architecture Segment Types: Core Mission, Business Service, or Enterprise Service Serve as a conduit between strategic plans and enterprise investments EAAF is about Business-led versus Technology- or Budget-driven Leverage the enterprise architecture management practice to maximize the contribution of an agency�s: IT resources IT investments System development activities PYRAMID: Top: Focus on delivering specific capabilities to support the business process; Middle: Focus on delivering common capabilities that can be leveraged across multiple business units; Bottom: Required to support enterprise wide IT operations Segment Architecture: Core: Unique service areas defining the mission or purpose of the agency. Core mission areas are defined by the agency business model (e.g., tactical defense, air transportation, energy supply, pollution prevention and control, and emergency response). Business Service: Common or shared business services supporting the core mission areas. Business services are defined by the agency business model and include the foundational mechanisms and back office services used to achieve the purpose of the agency (e.g., inspections and auditing, program monitoring, human resource management, and financial management). Enterprise: Common or shared IT services supporting core mission areas and business services. Enterprise services are defined by the agency service model and include the applications and service components used to achieve the purpose of the agency (e.g., knowledge management, records management, mapping/GIS, business intelligence, and reporting). Enterprise Services are the underlying IT support for an Agency�s �business� (or back-office) services. Per the definitions in the table to the right, the IT Infrastructure Segment is considered to be an �Enterprise Service�. IPv6-enabled Network Services will be captured in the IT Infrastructure Segment and will support (and be shared among) Agency Core Mission Applications. EAAF is about Business-led versus Technology- or Budget-driven Leverage the enterprise architecture management practice to maximize the contribution of an agency�s: IT resources IT investments System development activities PYRAMID: Top: Focus on delivering specific capabilities to support the business process; Middle: Focus on delivering common capabilities that can be leveraged across multiple business units; Bottom: Required to support enterprise wide IT operations Segment Architecture: Core: Unique service areas defining the mission or purpose of the agency. Core mission areas are defined by the agency business model (e.g., tactical defense, air transportation, energy supply, pollution prevention and control, and emergency response). Business Service: Common or shared business services supporting the core mission areas. Business services are defined by the agency business model and include the foundational mechanisms and back office services used to achieve the purpose of the agency (e.g., inspections and auditing, program monitoring, human resource management, and financial management). Enterprise: Common or shared IT services supporting core mission areas and business services. Enterprise services are defined by the agency service model and include the applications and service components used to achieve the purpose of the agency (e.g., knowledge management, records management, mapping/GIS, business intelligence, and reporting). Enterprise Services are the underlying IT support for an Agency�s �business� (or back-office) services. Per the definitions in the table to the right, the IT Infrastructure Segment is considered to be an �Enterprise Service�. IPv6-enabled Network Services will be captured in the IT Infrastructure Segment and will support (and be shared among) Agency Core Mission Applications.

12. 12 IT Portfolio Alignment: Line-of-Sight SOA: Positioning IT resources to serve agency business Improved business agility via the sharing/ruse of infrastructure, services, information, and solutions Flexible architecture centered on business/technology capabilities standards-based infrastructure Must be built into an organizations EA, IT Governance, and IT Policy Framework Rise of the Internet (standardized use of web technologies/protocols and emergence of distributed computing platform�led to the Rise of SOA Rationale for SOA: Improve government responsiveness Simplify delivery of enhanced government services (enable broader/more consistent access to information) Contribute to more efficient government collaboration Promote inform sharing (effective, efficient, and repeatable approaches) Increase transparency/resilience (shared standards-based infrastructureSOA: Positioning IT resources to serve agency business Improved business agility via the sharing/ruse of infrastructure, services, information, and solutions Flexible architecture centered on business/technology capabilities standards-based infrastructure Must be built into an organizations EA, IT Governance, and IT Policy Framework Rise of the Internet (standardized use of web technologies/protocols and emergence of distributed computing platform�led to the Rise of SOA Rationale for SOA: Improve government responsiveness Simplify delivery of enhanced government services (enable broader/more consistent access to information) Contribute to more efficient government collaboration Promote inform sharing (effective, efficient, and repeatable approaches) Increase transparency/resilience (shared standards-based infrastructure

13. 13 High Level IPv6 Transition Strategy� Flexible IPv6 Transition Mechanisms: Security products located at customer premises (and in the service provider �clouds�) must offer 4 to 6 and 6 to 4 tunneling, as well as 4 to 6 and 6 to 4 translation Plan for greater functionality in the future Security Today: enclave Level centrally-administered Security Between: Enclave or node focused? How long will there be overlap Unique security issues can/will arise due to mixed environment Careful planning and testing required Security Tomorrow: Node level Integrate with policy-based networking Flexible IPv6 Transition Mechanisms: Security products located at customer premises (and in the service provider �clouds�) must offer 4 to 6 and 6 to 4 tunneling, as well as 4 to 6 and 6 to 4 translation Plan for greater functionality in the future Security Today: enclave Level centrally-administered Security Between: Enclave or node focused? How long will there be overlap Unique security issues can/will arise due to mixed environment Careful planning and testing required Security Tomorrow: Node level Integrate with policy-based networking

14. 14 During the transition� Well dual-stack does create another sign post, but there are relatively few signs on the new one. The problem is that the new signs are effectively in another language, so while it is a shorter list the existing system can't interpret what they say. The part I think you missed was that once IANA and the RIRs run out of space, people will sell/lease unused addresses on eBay (one block already sold there last month). Since these are undoubtedly small segments of existing aggregates, the process effectively breaks off parts of an existing sign to create a new one. The only thing that will stop this fragmentation is when the demand drops off because the price is too high. The ARIN policy discussion has some misguided perception that they will somehow control the market, but realistically people will buy and sell whatever they want, and if ARIN tries to restrain them, they will simply ignore the silliness and do what they planned from the beginning. The best that any of the RIRs can hope for is to have policies where the bar is low enough that people figure it is not worth their time to work around it. I won't disagree with you John about scale. While every equipment vendor would be happy to keep selling ever larger routers, replacing them at an unconstrained rate to keep up with growth is not a sustainable business model for anyone. John describes the short term that starts right after the IPv4 Free-pool is exhausted. Once the redistribution of addresses stabilizes based on market pricing, we face the bigger problem of indirection. To continue the analogy, eventually those sign posts can't be evaluated fast enough because there are just too many options, even assuming that we can build a large enough memory. At that point we end up adding a sign at the top of the post that effectively says, 'if you can't find the destination here, try the sign post over there'. Essentially a default route for the default-free-zone. While that may not sound too bad, the added delay to route through some far away root of knowledge, combined with the inevitable delay of searching a truly massive global My personal favorite: There's not much difference between an intersection of roads and an intersection of circuits. Roads come together in places called "intersections" and circuits come together at places called routers. At every intersection, there's a big, big signpost full of signs with arrows pointing to various cities and which road out of the intersection is the best path. These sign posts exist in the routing tables of major backbones today, and do have one sign/routing-entry for each and every destination. (They're really, really tall signposts...) There is already a challenge getting packets though the router at faster and faster speeds, since each and every packet (like each car) must check the signpost and find its destination to know which path to take. The good news is that a small number of signs suffices for most destinations... for example, there might be two dozen signs for a single ISP, each being a block of addresses that they received over time. A major corporation or educational organization might have a dozen or so routers for the same reason. All of these routes are actual aggregates which cover thousands of addresses. In a world where ISP's can't get additional blocks from the RIR system, but still try to add customers to their networks, they need to find/beg/borrow addresses from elsewhere, and then route those addresses. Here's the scary part: those routes end up in every router of every major network in the Internet... i.e. effectively, these are new signs that get put on top of every signpost globally. If we need to do this often down to the street level in the world (i.e. "ElmStreetMCCleanVirginaUS" is now being used for a new subdivision over Seattle, and now needs to be on every sign post globally), then the system collapses fairly quickly. In routing table terms, we're seeing serious growth in the current routing table <http://tinyurl.com/299ep8> even with the current levels of hierarchy and aggregation. Again, the number one form of growth is ISP's picking up and routing a single new address block every 6 months from their RIR. In a world where ISP's instead have to cobble together many small leftover pieces to connect the same number of new customers, then the number of new routers per month will increase geometrically. While Tony may argue with me about the absolute limit in routing capacity, suffice to say that even if the equipment could be built to handle 4x routes, there is very few, if any, ISP's that could afford to replace every default-free router in the backbone with one. Well dual-stack does create another sign post, but there are relatively few signs on the new one. The problem is that the new signs are effectively in another language, so while it is a shorter list the existing system can't interpret what they say. The part I think you missed was that once IANA and the RIRs run out of space, people will sell/lease unused addresses on eBay (one block already sold there last month). Since these are undoubtedly small segments of existing aggregates, the process effectively breaks off parts of an existing sign to create a new one. The only thing that will stop this fragmentation is when the demand drops off because the price is too high. The ARIN policy discussion has some misguided perception that they will somehow control the market, but realistically people will buy and sell whatever they want, and if ARIN tries to restrain them, they will simply ignore the silliness and do what they planned from the beginning. The best that any of the RIRs can hope for is to have policies where the bar is low enough that people figure it is not worth their time to work around it. I won't disagree with you John about scale. While every equipment vendor would be happy to keep selling ever larger routers, replacing them at an unconstrained rate to keep up with growth is not a sustainable business model for anyone. John describes the short term that starts right after the IPv4 Free-pool is exhausted. Once the redistribution of addresses stabilizes based on market pricing, we face the bigger problem of indirection. To continue the analogy, eventually those sign posts can't be evaluated fast enough because there are just too many options, even assuming that we can build a large enough memory. At that point we end up adding a sign at the top of the post that effectively says, 'if you can't find the destination here, try the sign post over there'. Essentially a default route for the default-free-zone. While that may not sound too bad, the added delay to route through some far away root of knowledge, combined with the inevitable delay of searching a truly massive global My personal favorite: There's not much difference between an intersection of roads and an intersection of circuits. Roads come together in places called "intersections" and circuits come together at places called routers. At every intersection, there's a big, big signpost full of signs with arrows pointing to various cities and which road out of the intersection is the best path. These sign posts exist in the routing tables of major backbones today, and do have one sign/routing-entry for each and every destination. (They're really, really tall signposts...) There is already a challenge getting packets though the router at faster and faster speeds, since each and every packet (like each car) must check the signpost and find its destination to know which path to take. The good news is that a small number of signs suffices for most destinations... for example, there might be two dozen signs for a single ISP, each being a block of addresses that they received over time. A major corporation or educational organization might have a dozen or so routers for the same reason. All of these routes are actual aggregates which cover thousands of addresses. In a world where ISP's can't get additional blocks from the RIR system, but still try to add customers to their networks, they need to find/beg/borrow addresses from elsewhere, and then route those addresses. Here's the scary part: those routes end up in every router of every major network in the Internet... i.e. effectively, these are new signs that get put on top of every signpost globally. If we need to do this often down to the street level in the world (i.e. "ElmStreetMCCleanVirginaUS" is now being used for a new subdivision over Seattle, and now needs to be on every sign post globally), then the system collapses fairly quickly. In routing table terms, we're seeing serious growth in the current routing table <http://tinyurl.com/299ep8> even with the current levels of hierarchy and aggregation. Again, the number one form of growth is ISP's picking up and routing a single new address block every 6 months from their RIR. In a world where ISP's instead have to cobble together many small leftover pieces to connect the same number of new customers, then the number of new routers per month will increase geometrically. While Tony may argue with me about the absolute limit in routing capacity, suffice to say that even if the equipment could be built to handle 4x routes, there is very few, if any, ISP's that could afford to replace every default-free router in the backbone with one.

15. 15 High Level IPv6 Transition Strategy�

16. 16 OMB IPv6 Assessment Criteria (draft)� The assessment focuses on three capability areas of EA: Completion of an enterprise architecture; Use of EA to drive improved decision-making; and Results achieved to improve the agency�s program effectiveness. 3 Capability Areas addressing specific Key Performance Indicators (KPIs): Completion: This category measures the completion maturity of an agency�s EA artifacts in terms of performance, business, data, services, and technology. The agency�s baseline and target architectures are well-defined, showing traceability through all architectural layers. Using its enterprise transition plan, the agency is able to achieve its desired target state. Use: The agency has established the necessary management practices, processes, and policies needed for developing, maintaining and overseeing EA, and demonstrating the importance of EA awareness and the value of employing EA practices within the agency. The agency uses its EA to inform strategic planning, information resources management, IT management, and capital planning and investment control processes. Results: The agency is measuring the effectiveness and value of its EA activities by assigning performance measurements to its EA and related processes, and reporting on actual results from the enterprise to demonstrate EA success. The assessment focuses on three capability areas of EA: Completion of an enterprise architecture; Use of EA to drive improved decision-making; and Results achieved to improve the agency�s program effectiveness. 3 Capability Areas addressing specific Key Performance Indicators (KPIs): Completion: This category measures the completion maturity of an agency�s EA artifacts in terms of performance, business, data, services, and technology. The agency�s baseline and target architectures are well-defined, showing traceability through all architectural layers. Using its enterprise transition plan, the agency is able to achieve its desired target state. Use: The agency has established the necessary management practices, processes, and policies needed for developing, maintaining and overseeing EA, and demonstrating the importance of EA awareness and the value of employing EA practices within the agency. The agency uses its EA to inform strategic planning, information resources management, IT management, and capital planning and investment control processes. Results: The agency is measuring the effectiveness and value of its EA activities by assigning performance measurements to its EA and related processes, and reporting on actual results from the enterprise to demonstrate EA success.

17. 17

18. 18 Takeaways� Wide Area Network Design Laboratory (WANDL) and OPNET IPv6 Migration Planning: OPNET�s IPv6 Planning and Operations Module: IPv6 readiness assessment IPv6 migration planner WANDL tools: Network Planning and Analysis Integrated Planning an Analysis IP/MPLSView IP Address Management (IPAM) Tool: Numbering and tracking IP addresses IPv6 Network Assessor Tool: Scans Cisco routers and switches Wide Area Network Design Laboratory (WANDL) and OPNET IPv6 Migration Planning: OPNET�s IPv6 Planning and Operations Module: IPv6 readiness assessment IPv6 migration planner WANDL tools: Network Planning and Analysis Integrated Planning an Analysis IP/MPLSView IP Address Management (IPAM) Tool: Numbering and tracking IP addresses IPv6 Network Assessor Tool: Scans Cisco routers and switches

19. 19 Peter J. Tseronis, PMP Chair, Federal IPv6 Working Group FOR MORE INFO: Go To www.EGOV.gov > Information Policy > IPv6