NIST SP 500-267 profile for IPv6 in the U.S. Government - Version 1.0 (DRAFT)

NIST Special Publication 500-267, A Profile for IPv6 in the U.S. Government - Version 1.0, is now available for a 30-day public comment period. A DRAFT version of the publication can be found at http://www.antd.nist.gov/usgv6-v1-draft.pdf. NIST SP 500-267 is a draft profile to assist federal agencies in developing plans to acquire and deploy products that implement Internet Protocol version 6 (IPv6). The profile recommends IPv6 capabilities for common network devices, including hosts, routers, intrusion detection systems, and firewalls, and includes a selection of IPv6 standards and specifications needed to meet the minimum operational requirements of most federal agencies. It was developed to help ensure that IPv6-enabled federal information systems are interoperable and secure, and it addresses how such systems can interoperate and coexist with current IPv4 systems. Agencies with unique information technology requirements are expected to use the NIST profile as a basis for further refined specifications and policies. Comments should be submitted to: sp500-267-comments@antd.nist.gov. We request that detailed comments on the specification be submitted using the following spreadsheet (http://www.antd.nist.gov/usgv6-v1-comments.xls). The comment period closes at 5:00 PM EST on March 2, 2007.

Executive Summary:

NIST SP 500-267, A Profile for IPv6 in the U.S. Government - Version 1.0 (DRAFT).

The suite of protocols commonly known as Internet Protocol version 6 (IPv6) [1] has been under design and development within the Internet Engineering Task Force (IETF) and the Internet industry for well over 10 years. This industry-led effort was initiated in the early 1990s to address perceived scaling problems in the Internet's addressing and routing architectures. Today, stable standards exist for basic IPv6 functionality, commercial implementations and services are emerging, and vendors and large user groups are pursuing significant product development and technology adoption plans.

The United States Government (USG) is one such large user group, and most Agencies across the government are beginning to plan for the adoption and deployment of IPv6 technologies in response to mission-driven technical and economic assessments of the technology [62], broad government policies [63], the product release plans of major vendors, and the plans and actions of other organizations on the Internet. Given the prevalence and importance of Internet technologies in Federal IT systems today, and the nature and scale of both the opportunities and risks associated with significant deployments of new networking technologies, NIST undertook an effort to evaluate the need for additional standards and testing infrastructures to support emerging USG plans for IPv6 deployment. As part of this effort we examined the state of base IETF standards; the present state of maturity of emerging commercial implementations; the Department of Defense IPv6 profile [3] and product testing capability [4]; and national and international profiles and testing programs driven by the vendor communities [5]. The objective of this analysis was to determine: (a) where significant technical gaps exist in the near-term technical landscape for IPv6 deployment; and (b) what, if any, additional standards and testing infrastructures and processes are necessary and advisable to assist federal agencies towards safe and economical adoption of this new technology.

Our findings from these efforts include:

  1. A core set of IPv6 standards has stabilized, and operationally viable commercial implementations of these specifications are emerging. Agency budgeting, procurement and deployment planning could benefit from a common identification and definition of these base IPv6 capabilities.

  2. While significant commercial implementations have emerged and continue to emerge, broad vendor product lines are currently at varying levels of maturity and completeness. Until there is time for market forces to effectively define de facto standard levels of completeness and correctness, product testing services may be necessary to ensure the confidence of, and to protect the investment of, early IPv6 adopters.

  3. The current state of IPv6 security technologies and operational knowledge typically lags behind that of IPv4 and the existing Internet. Additional efforts are required to "raise the bar" in these areas to ensure the safety of IPv6 deployments in operational Federal IT systems.

  4. While, in general, the proliferation of technology standards is to be avoided, the existing DoD and industry profiling and testing efforts are not well suited, in either content or governance, to the perceived requirements of the USG as a whole. In the near term, the broad requirements of civilian agencies can best be met by a distinct profile and testing program. In the long term, it would be desirable to converge and harmonize these efforts into broader user/vendor initiatives in which the technical and process requirements of the USG can be accommodated.

  5. Some key IPv6 design issues remain unresolved. As the USG begins to undertake significant operational deployments and investments in IPv6 technology, additional efforts are warranted to ensure that the eventual resolution of these design issues remains consistent with USG requirements and investments.

This document recommends a technology acquisition profile for common IPv6 devices to be procured and deployed in the near term in operational USG IT systems. It is intended to address several aspects of findings 1, 3, 4 and 5 above and will be augmented by additional documents and activities including:

This standards profile is meant to: (a) define a simple taxonomy of common network devices; (b) define their minimal mandatory IPv6 capabilities and identify significant options, so as to assist agencies in the development of more specific acquisition and deployment plans; and (c) provide the basis to further define the technical meaning of specific policies. The scope of the device taxonomy and the selection of mandatory capabilities and identified options are purposefully conservative in some ways, defining systems and capabilities that are thought to be of common utility to the USG as a whole. In other ways, this profile "raises the bar" for some common realizations of IPv6 technologies in areas that are thought vital to protecting the current and future security of federal IT systems and the economic investment of early adopters. It is fully expected that agencies will further augment these specifications to meet the requirements of specific IT system procurements and agency policies.

Dates: Comments due on or before March 2nd, 2007.

NIST SP 500-267 is available electronically at: http://www.antd.nist.gov/usgv6-v1-draft.pdf
Comments are requested in the spreadsheet format to be found at: http://www.antd.nist.gov/usgv6-v1-comments.xls
Electronic comments may be sent to: sp500-267-comments@antd.nist.gov