Douglas Roseboro, Director Office of IT Research and Development ...

DGI IPv6 ConferenceFederal AviationAdministrationFAAIPv6 Project Status andLessons LearnedDouglas RoseboroIT Research And Technology,FAA Chief Technology OfficerDigital Government Institute’sGovernment IPv6 ConferenceOctober 2011

Topics• OMB Mandate• Background on IPv6 Requirements• IPv6 Strategy and Plan• FAA Status• Lessons Learned

• OMBBackground - Federal IPv6 Transition Activities– Issued a Memorandum M-05-22, August 2, 2005, which• Required Agencies to demonstrate IPv6 capabilities over the Agencies’ backbonenetwork by June 30, 2008 and• Directed NIST to develop IPv6 standards• FAA successfully met OMB deadline– Issued a Memorandum on Requirements for EnterpriseArchitecture and IPv6 Progress Reports on November 21, 2007,and– Issued a Memorandum, dated September 28 2010, describingspecific steps for agencies to expedite the IPv6 deployment

OMB Memo on IPv6 Transition (09/28/2010)• Required Federal Agencies to transition to IPv6 in order to– Enable the successful deployment and expansion of key Federal informationtechnology (IT) modernization initiatives, such as Cloud Computing, Broadband, andSmartGrid, which rely on robust, scalable Internet networks;– Reduce complexity and increase transparency of Internet services by eliminating thearchitectural need to rely on Network Address Translation (NAT) technologies;– Enable ubiquitous security services for end-to-end network communications that willserve as the foundation for securing future Federal IT systems; and,– Enable the Internet to continue to operate efficiently through an integrated, wellarchitectednetworking platform and accommodate the future expansion of Internetbasedservices.

Required DOT and FAA Actions and Timelines• Program Management– Designate an IPv6 Transition Manager and submitting their name, title, and contactinformation to IPv6@omb.eop.gov by October 30, 2010– Plan to meet with Federal IPv6 Task Force on the week December 6 th and follow onTechStat sessions in the future to ensure a timely and successful transition to IPv6– Review procurement guideline to ensure procurements of networked IT comply withFAR requirements for use of the USGv6 Profile and Test Program for thecompleteness and quality of their IPv6 capabilities• Technology Implementation– Upgrade public/external facing servers and services (e.g. web, email, DNS, ISPservices, etc) to operationally use native IPv6 by the end of FY 2012– Upgrade internal client applications that communicate with public Internet servers andsupporting enterprise networks to operationally use native IPv6 by the end of FY 2014

IPv6 Benefits• Operationso Increased demand for connectivity from remote & international partners(NextGen program)oImproved connectivity for FAA mobile workforce (safety inspectors, accidentinvestigators etc)• Technicalo Significantly increase the available address spaceoProvides options to improve network architecture and efficiency Network design no longer restricted by the number of available addressesoImproves end-to-end security and communications Better access control through NAT and application proxies Built-in IPSEC at network layer (instead of at the application layer) Makes network scanning attacks nearly impossibleoSimplifies application development and deployment No work around because of NAT is needed6

OverviewWAN Topology7

IPv6 Transition Plan• Collect As-Is– List of external facing servers/services (validate)– Impacted physical servers, networks, and security devices• Transition to To-Be (Goals and Objectives)– Target network configuration– Initial IPv6 address allocations– Security configuration– Server network configuration

IPv6 Transition Plan (continued)• Identify the Issues (Areas of Concern)– Hardware upgrade/replacement requirements– Software upgrade/replacement requirements– Security tools upgrade/replacement requirements– Training requirements– Testing/assessment capabilities– Funding and resource availability• Develop a Sequencing Plan ( MS Project)– Early implementation opportunities and schedule– Delivery schedule for all identified servers

IPv6 Transition Plan (continued)b. Roles and Responsibilities• ARD coordinates requirements and compliance reporting activities• LOBs provide dedicated members to Tiger Team• Tiger Team members plan and accomplish LOB/SOs implementations• Tiger Team works and resolves implementation issues• Identify training requirements and training resourcesc. Acquisition• USGv6 Profile and Test Program designated as core requirements for all networkedIT purchases when possible - AIO Memo on USGv6 guidanced. Communications and Training• Participate in Federal IPv6 Task Force meetings and provide OMB/DOTrequirements and guidance to Tiger Team and LOBs• Chair FAA IPv6 Tiger Team meetings• Status reporting (progress and Tech Stat)

FAA IPv6 Transition Plan AccomplishmentsFAA collaboration with web content hosting provider, and began testing transition ofIPv4 to IPv6 web sites• FAA has alternative approach for web content hosting to deliver (1) IPv6 onlyconfiguration and (2) dual stack (if hardwired IPv4 address)• FAA IPv6 Working Group re-established, all impacted internal organizations toparticipate•IPv6 Tiger Team tasked to implement deployment•Focused efforts on IPv6 external facing services migration•FAA completed IPv6 address allocation plan•FAA revised policy requiring IPv6 capabilities for future IT networks•USGv6 Test Program provides new guidance12

Current Status - FAA IPv6 Transition• IPv6 Tiger Team establishedooooRegularly scheduled meetings hosted by ARD-200Tiger team members from each LOB are responsible for the IPv6implementation and progress reporting to the ARD-200High level milestones and target dates have been established forimplementation of FY2012 requirementsDetailed planning within each LOB is underway• Acquisition policy memo to require IPv6 capabilities based on USGv6profile and USGv6 Test program for all future networked IT purchases hasbeen signed by the FAA CIO and distributed• Networks/ Servers/ Services with IPv6 capabilities will be introduced intothe FAA environment in the near future• Security guidance and tools upgrade are needed for the new environment• Training classes held for IPv6 WG and Tiger Team members13

Lessons Learned• IPv6 deployment is a significant undertakingo Extensive planning and coordination is key to kick start implementation (policyochange, awareness, inventory, conduct study, resource, buy-in, training)Significant impact on all current and future devices/networks and applications• Vendor software / hardware products continue to evolve with IPv6capabilitiesooContinue certification process and testing of productsRelearning and retesting may be necessary• Security is an ongoing efforto Security principles stay the same, but policies may need to be revised to adoptooIPv6 features (Policies on tunneling in the internal network)Include security community in IPv6 planning stage and training programs (C&Aguidance, penetration tests preparation)Acquire knowledge to install/configure/manage firewalls, to configureIDSs/IPSs and monitoring/controlling IPv6 and tunneled traffic14

Lessons Learned(Continued)• Hands-on is training necessaryo Include Network & System administrators, help desk support, networkooapplication developers, technology buyersThe operational workforce has limited time to devote to trainingAlternate solutions for hands-on training (such as expanding use of webinars)can be effective• Extensive testing is both necessary and beneficialo Unit testing may not be as essential if the products have been successfullyootested through the USGv6 associated labs, e.g. UNH-IOL, ICSAIntegration tests, on the other hand, are crucial to ensure secure andsuccessful deploymentTesting provides hands-on training for gaining IPv6 experiences15

Lessons Learned(Continued)Trusted Internet Connection (TIC) impact• Better manage use of Internet access points• TIC strategy to offload heavy internet traffic thru web hosting• Reduced cost ISP cost• Reduces FAA cyber security risks (DDOS)• Front line for routing IPv4/IPv6 traffic• Worldwide site redundancy promotes continuity of FAA services16

Lessons Learned(Continued)• Unfunded mandate and shrinking agency budget makes IPv6migration task challengingoExecutive support is necessary to drive a successful transitionoAcquisition policy change necessary for procuring IPv6 products17

IPv6 TransitionFederal AviationAdministrationQuestions?

IPv6 TransitionFederal AviationAdministrationBack UpIPv6 Use Case ExperiencesOctober 2011

References• Guidelines for the Secure Deployment of IPv6, NIST, SP800-119, December 2010• Router Security Configuration Guide Supplement – Securityfor IPv6 Routers, NSA, May 2006• Guidelines on Firewalls and Firewall Policies, NIST, SP800-41,September 2009October 201120