Internet Protocol Version 6: Federal Agencies Need to Plan for Transition and Manage Security Risks

GAO-05-471 Published: May 20, 2005. Publicly Released: May 24, 2005.

Highlights

The Internet protocol (IP) provides the addressing mechanism that defines how and where information such as text, voice, and video move across interconnected networks. Internet protocol version 4 (IPv4), which is widely used today, may not be able to accommodate the increasing number of global users and devices that are connecting to the Internet. As a result, IP version 6 (IPv6) was developed to increase the amount of available IP address space. It is gaining momentum globally from regions with limited address space. GAO was asked to (1) describe the key characteristics of IPv6; (2) identify the key planning considerations for federal agencies in transitioning to IPv6; and (3) determine the progress made by the Department of Defense (DOD) and other major agencies to transition to IPv6.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget The Director of OMB should instruct federal agencies to begin addressing key IPv6 planning considerations, including developing inventories and assessing risks; creating business cases for the IPv6 transition; establishing policies and enforcement mechanisms; determining costs; and identifying timelines and methods for transition, as appropriate.
Closed – Implemented
On May 20, 2005, we identified that the majority of federal agencies had not initiated the following planning efforts for the transition to Internet Protocol Version 6 (IPv6): (1) cost determination, (2) business case creation, (3) identification of timelines and methods, (4) development of inventories and risk assessment, and (5) establishment of enforcement mechanisms. As a result, we recommended that the Director of the Office of Management and Budget (OMB) instruct agencies to begin to address key planning considerations for the IPv6 transition. Based on GAO analysis of the issues surrounding IPv6, OMB issued a policy memorandum on August 2, 2005, to aid federal agencies with the transition to the new protocol. The guidance includes a deadline of June 2008 for all government agencies to transition their network backbones to IPv6. The OMB policy memorandum ensures that federal agencies will have a structured approach to follow as they transition to IPv6. The memorandum addressed all GAO planning considerations, with the exception of a discussion on creating a business case. In February 2006, OMB issued additional IPv6 guidance for the agencies. This guidance discusses creating a business case.
Office of Management and Budget The Director of OMB should amend the Federal Acquisition Regulation with specific language that requires that all information technology systems and applications purchased by the federal government be able to operate in an IPv6 environment.
Closed – Not Implemented
In August 2006, the Civilian Agency Acquisition Council and Defense Acquisition Regulations Council submitted a proposal to amend the Federal Acquisition Regulation (FAR) to require that IPv6 capable products be included in information technology procurements to the maximum extent practicable. The proposal also included language requiring agencies to specify how their acquisition will comply with the IPv6 requirements outlined in OMB's memo on transition planning for IPv6 (M-05-22). On September 16, 2009, an official from the General Services Administration office responsible for collecting comments on the proposal stated that the proposal had not yet been incorporated into the FAR.
Department of Homeland Security Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
DHS has taken action to determine its IPv6 capabilities by conducting a systems inventory.
Department of Agriculture Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
Agriculture has taken actions to address near-term security risks by conducting a systems inventory of all IPv6 capable hardware and software.
Department of Education Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
Education has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of Commerce Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
Commerce took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of Defense Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
As reported in our June 2006 report on federal efforts to transition to IPv6, the Department of Defense has conducted an inventory of existing routers, switches, and hardware firewalls.
Department of Energy Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
Energy has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of Housing and Urban Development Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
HUD has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of Health and Human Services Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
HHS has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Social Security Administration Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
SSA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of the Interior Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
Interior took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of Justice Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
Justice has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of Transportation Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
Transportation took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of Labor Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
Labor has taken actions to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of the Treasury Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
Treasury took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of Veterans Affairs Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
VA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of State Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
State took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Environmental Protection Agency Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
EPA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
General Services Administration Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
GSA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
National Aeronautics and Space Administration Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
NASA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
National Science Foundation Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
NSF took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Small Business Administration Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
SBA took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Nuclear Regulatory Commission Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
NRC took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Office of Personnel Management Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
OPM took action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
U.S. Agency for International Development Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including determining what IPv6 capabilities they may have.
Closed – Implemented
USAID has taken action to determine its IPv6 capabilities by conducting a systems inventory of all IPv6 capable hardware and software.
Department of Homeland Security Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Not Implemented
In June 2009, we requested information on the status of this recommendation from the Department of Homeland Security. We followed up with the department several times and, as of September 2009, had not received any response.
Department of Agriculture Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
Consistent with our recommendation, the Department of Agriculture, among other things, conducted readiness tests for transporting IPv6 data across its core network, and between this network, partner agencies, and the Internet, which it documented in its February 2008 IPV6 Readiness Testing Implementation Summary.
Department of Education Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
Education has begun to address near-term security risks by actively monitoring their network for IPv6 traffic. Additionally, they have included IPv6-related network monitoring and internal controls in their policies per ED's Security Review Board (SRB).
Department of Commerce Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
Commerce has begun to address near-term security risks by creating a policy within their IPv6 transition plan that bans IPv6 traffic from DOC networks that carry operations traffic.
Department of Defense Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
Defense has taken steps to address near-term IPv6 security risks by including a policy in their IPv6 transition plan stating that no IPv6 traffic is allowed on networks that contain operations traffic.
Department of Energy Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
In its IPv6 transition plan, the Department of Energy included policies that dictate network maintenance and monitoring for the new protocol.
Department of Housing and Urban Development Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
HUD has included a policy in its IPv6 transition plan that states that, as IPv6 is enabled, the network control center must perform the daily maintenance and support of the network.
Department of Health and Human Services Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Not Implemented
The Department of Health and Human Services stated that IPv6 is not enabled on its backbone network and therefore security devices have not been configured to actively monitor or block IPv6 traffic.
Social Security Administration Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
SSA included a policy in its IPv6 transition plan that states that its network will be monitored for IPv6 traffic.
Department of the Interior Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
Consistent with our recommendation, the Department of the Interior configured its firewalls to prevent inbound and outbound IPv6 traffic, which it documented in its July 2009 IPV6 Security Posture.
Department of Justice Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Not Implemented
In June 2009, we requested information on the status of this recommendation from the Department of Justice. We followed up with the department but, as of September 2009, we had not received any response.
Department of Transportation Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Not Implemented
In June 2009, we requested information on the status of this recommendation from the Department of Transportation. We followed up with the department several times, but, as of September 2009, we had not received any response.
Department of Labor Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
Consistent with our recommendation, the Department of Labor, among other things, used a test environment to transport IPv6 data across its networks, which it documented in its May 2008 IPV6 Test Results Summary.
Department of the Treasury Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Not Implemented
While the Acting Associate Chief Information Officer for Infrastructure Operations stated that the department had performed several activities to address this recommendation, including configuring its firewalls and intrusion detection systems, and establishing monitoring capabilities, the department did not provide evidence of these activities.
Department of Veterans Affairs Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
On September 16, 2009, the Department of Veterans Affairs provided evidence that it has developed an IPv6 security policy and that it has the capability to monitor IPv6 traffic.
Department of State Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
State included a policy in its IPv6 transition plan that defines what needs to be done to manage IPv6 traffic on its network.
Environmental Protection Agency Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
The EPA has taken steps to address near-term security risks by including a policy in its IPv6 transition plan that calls for IPv6 network monitoring, management, and troubleshooting.
General Services Administration Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
GSA developed an IPv6 transition plan that included policies for managing and monitoring IPv6 traffic.
National Aeronautics and Space Administration Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Not Implemented
In June 2009, we requested information on the status of this recommendation from the National Aeronautics and Space Administration. We followed up with the agency several times, but, as of September 2009, we had not received any response.
National Science Foundation Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
Consistent with our recommendation, the National Science Foundation, among other things, configured its firewalls so that they do not route IPv6 traffic and is monitoring network switch data to ensure there is no IPv6 traffic.
Small Business Administration Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
Consistent with our recommendation, the Small Business Administration developed an IPv6 Information Security Plan in November 2007. The security plan, among other things, includes information on IPv6 security threats and the implementation of a separate firewall for IPv6 traffic.
Nuclear Regulatory Commission Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
NRC has included a policy in their IPv6 transition plan that states they will block and monitor IPv6 traffic.
Office of Personnel Management Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
In October 2007, OPM issued an IPv6 Risk Assessment. This assessment includes a threat identification and impact analysis among other security analysis on IPv6.
U.S. Agency for International Development Because of the immediate risk that poorly configured and unmanaged IPv6 capabilities present to federal agency networks, the 24 CFO agency heads should take immediate actions to address the near-term security risks, including initiating steps to ensure that they can control and monitor IPv6 traffic.
Closed – Implemented
USAID has taken steps to control and monitor IPv6 traffic including. On September 17, 2009, USAID security officials presented evidence of USAID's IPv6-capable network intrusion detection system that was capable of monitoring all inbound and outbound IPv6 traffic.

Topics

Computer network protocols, Computer networks, Evaluation, Information technology, Internet, IP addresses, Software, Strategic information systems planning, IP, Federal agencies