Transition Planning for IPv6 as mandated by the US Govt

Hi,

I was just reading
http://www.whitehouse.gov/omb/egov/b-1-information.html#IPV6, released
some time back in 2005, and it seems that the US Govt. had set the
target date of 30th June 2008 for all federal govt agencies to move
their network backbones to IPv6. This deadline is almost here. Are we
anywhere close to this transition?

I have another related question:

Do all ISPs at least support tunneling the IPv6 pkts to some end point?
For example, is there a way for an IPv6 enthusiast to send his IPv6
packet from his laptop to a remote IPv6 server in the current
circumstances if his ISP does not actively support native IPv6?

Cheers,
Glen

No, and no. Shouldn't be a surprise. ("all" is the dealbreaker, certain
agencies are on the ball, but most are barely experimenting).

Yes - 6to4 and Teredo.

6to4[1] if your router (or some host with an unfiltered non-RFC1918 address) supports it.
Teredo[2] if you're behind NAT or some other filtering.

- These are enabled by default in Vista.
- Enable them in XP SP2 by typing 'netsh interface ipv6 install'.
- Apple Airport Extreme has 6to4 enabled by default if it is your NAT router (stateful firewall, allowing new connections outgoing-only by default)
- Cisco supports 6to4 and has for years.
- Linux and FreeBSD both support 6to4 (no OpenBSD, can't recall RE. NetBSD).
- Teredo support in Linux and *BSD with 'miredo' software - it's in APT and FreeBSD ports.

Azureus bittorrent client uses IPv6 for DHT. More DHT IPv6 bidirectional relationships than DHT IPv4 bidirectional relationships. So, it's not just IPv6 "enthusiasts".
Numbers here:
http://www.ops.ietf.org/lists/v6ops/v6ops.2007/msg00859.html
More up to date numbers when I get around to processing them [3].

Upcoming version of uTorrent will enable IPv6 (so, Teredo/6to4) on XP SP2 as part of the install process - currently Azureus only uses it if it's enabled already.

If you're providing content or network services on v6 and you don't have both a Teredo and 6to4 relay, you should - there are more v6 users on those two than there are on native v6[1]. Talk to me and I'll give you a pre-built FreeBSD image that does it, boot off compact flash or hard drives. Soekris (~$350USD, incl. power supply and CF card), or regular server/whatever PC.
Also, if you want config for 6to4 on Cisco, email me and I'll hook you up so I'm not spamming the list with it, alternatively Google. It's about 10 lines, and requires you to inject an anycast IPv4 /24 and an IPv6 /16 in to your IGP(s).

Thanks,
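
For anyone wanting to check what share of their v6 clients arrive over the 6to4 and Teredo mechanisms described in the message above, here is an added example (not part of the original thread and not any poster's code). It classifies client addresses by prefix and decodes the IPv4 details embedded in tunnel addresses; the function names are hypothetical and the sample addresses are constructed from documentation ranges and the RFC 4380 example address.

```python
import ipaddress
from collections import Counter

SIXTOFOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix
TEREDO = ipaddress.ip_network("2001::/32")     # Teredo prefix
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def sixtofour_prefix(public_v4):
    """Return the 2002:V4ADDR::/48 prefix derived from a public IPv4 address."""
    v4 = ipaddress.IPv4Address(public_v4)
    if any(v4 in net for net in RFC1918):
        raise ValueError("RFC1918 address: 6to4 is not usable, Teredo applies")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))

def classify(addr):
    """Label an IPv6 client address and decode any embedded IPv4 details."""
    ip = ipaddress.IPv6Address(addr)
    if ip in SIXTOFOUR:
        return {"kind": "6to4", "ipv4": str(ip.sixtofour)}
    if ip in TEREDO:
        server, client = ip.teredo  # client IPv4 is stored bit-inverted
        port = ((int(ip) >> 32) & 0xFFFF) ^ 0xFFFF  # mapped UDP port, also inverted
        return {"kind": "teredo", "ipv4": str(client),
                "server": str(server), "port": port}
    return {"kind": "native", "ipv4": None}

def tally(addresses):
    """Count clients per transition mechanism."""
    return Counter(classify(a)["kind"] for a in addresses)

# Constructed sample of client addresses, as might be pulled from a server log.
SAMPLE_CLIENTS = [
    "2002:c000:204::1",                      # 6to4, embeds 192.0.2.4
    "2002:c633:6407::5",                     # 6to4, embeds 198.51.100.7
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo (RFC 4380 example)
    "2001:db8::10",                          # neither prefix: counted as native
]

if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.4"))
    for a in SAMPLE_CLIENTS:
        print(a, classify(a))
    print(dict(tally(SAMPLE_CLIENTS)))
```

The decoded IPv4 address is what ties a tunneled v6 client back to the v4 logs and filters already in place for the same host.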

My understanding of the mandate is that they (the Department and Agencies) demonstrate passing IPv6 traffic on their backbone from one system out to their backbone and back to another system.

A number of agencies, about 30 if I remember the number, have IPv6 allocations. IRS has demonstrated mandate compliance and several others are in line to also show mandate compliance.

Both the Federal CIO Council and the Small CIO council are working with a number of their members to not only obtain compliance with the mandate but examine their processes to see how IPv6 can give them a better method of providing their services to each other and the public.

John (ISDN) Lee

If you're providing content or network services on v6 and you
don't have both a Teredo and 6to4 relay, you should - there
are more v6 users on those two than there are on native
v6[1]. Talk to me and I'll give you a pre-built FreeBSD image
that does it, boot off compact flash or hard drives. Soekris
(~$350USD, incl. power supply and CF card), or regular
server/whatever PC.

Pardon me for interfering with your lucrative business here,
but anyone contemplating running a Teredo relay and 6to4 relay
should first understand the capacity issues before buying a
little embedded box to stick in their network.

The ARIN IPv6 wiki has this page
<http://www.getipv6.info/index.php/First_Steps_for_ISPs>
which not only gives you a number of options for setting up 6to4 and
Teredo relays, it also points you to documents which describe
what these things do so that you can understand how to size them
and how to manage them. And the ARIN wiki tries to be vendor
agnostic as well.

--Michael Dillon

Do you imagine that Soekris are giving Nathan kick-backs for mentioning the price of their boxes on NANOG? :)

I'm sure for many small networks a Soekris box would do fine. For the record, FreeBSD also runs on more capable hardware.

Joe

Joe Abley wrote:

I'm sure for many small networks a Soekris box would do fine. For the
record, FreeBSD also runs on more capable hardware.

Can attest to that. I have picked up Nathan's handiwork and used it on
other hardware. some work is needed, but nevertheless quite useful for
small networks. the soekris boxes are of good value nevertheless for
something like this.

thanks
-gaurab

Hi Michael,

Giving away code and hardware is quite the opposite of lucrative, let me assure you.

I'm not selling anything. Code is freely available. When I've got some decent instructions for it I'll post links to NANOG if you like.
To be fair, it's really nothing more than FreeBSD with a couple of patches, and Miredo packaged up in a nice-to-deal-with bundle, that means you can plug it in today and make it work with 2 or 3 lines of config, instead of spending the next 3 years "engineering a solution" that the various parts of "the business" agree with - that is, assuming they give their engineers time to even think about IPv6, let alone engineer for it. Key word: pragmatic.

It moves about 20Mbit/s on a Soekris box, probably more. If you're doing more 6to4 and Teredo traffic than that, then well done. How fast can you do it on a Cisco (or, whatever) box? Someone lend me some hardware for a week and I'd be more than happy to test and publish numbers on that.

Soekris was an example of hardware, as that's what I've developed on. As I mentioned, it works on regular PC hardware as well - it's just an i386 FreeBSD thing.

I've actually given this Soekris hardware away to several ISPs here in New Zealand, sponsored by InternetNZ. That's also related to another project - when I've got that all written up properly I'll let you know. Geoff Huston wrote about it on his ISP column a month or so back.

The reason I do this, is so people at ISPs are deploying these things, instead of not because it might not scale at some point in the future. If it doesn't suit their needs in terms of scale, I'm more than happy to tell them other ways to do it - and have done. Note my comment something along the lines of "ask me if you want cisco configs", and as I mentioned, this code will run on any i386 box you throw it at. I've also got several slide packs with this stuff in it, if people want those. I believe they're reachable via the NZNOG website somewhere (nznog.org, I think).

Ps. Yes, vendors should do Teredo relay and 6to4 in hardware. If you're a vendor and do, tell me, and I'll encourage people to give you lots of money.
Pps. I'll reply to those of you who asked me for 6to4 Cisco configs and code later today (it's 1.30pm here), I'm just heading off to fix some stuff first. That wiki thing Michael posted links to has the cisco stuff.

Thanks,

I'm not selling anything. Code is freely available. When I've got some decent
instructions for it I'll post links to NANOG if you like.
To be fair, it's really nothing more than FreeBSD with a couple of patches,
and Miredo packaged up in a nice-to-deal-with bundle, that means you can plug
it in today and make it work with 2 or 3 lines of config, instead of spending
the next 3 years "engineering a solution" that the various parts of "the
business" agree with - that is, assuming they give their engineers time to
even think about IPv6, let alone engineer for it. Key word: pragmatic.

Perhaps you could integrate your work with a project like pfsense?

From what I've seen, that's the best "open source CPE" solution, and
doesn't yet have real IPv6 support (but has just about everything else).
That would be a huge benefit to the community and potentially open up some
business opportunities for you.

Andy

I believe whoever shows off a functional NAT-PT device at the next NANOG
might get some praise. I heard it was a bit of a disaster.

Adrian

I believe whoever shows off a functional NAT-PT device at the next NANOG
might get some praise. I heard it was a bit of a disaster.

by the time the show got to apnic/apricot the week after nanog, we had
the cisco implementation of nat-pt and totd working and it worked well.

randy

Randy Bush wrote:

I believe whoever shows off a functional NAT-PT device at the next NANOG
might get some praise. I heard it was a bit of a disaster.
    
by the time the show got to apnic/apricot the week after nanog, we had
the cisco implementation of nat-pt and totd working and it worked well.

randy
  

   And the NAT-PT implementation at NANOG (naptd) did seem
to work once some configuration issues were ironed out. Unfortunately,
this was not resolved until the very end of the meeting.

And the NAT-PT implementation at NANOG (naptd) did seem
to work once some configuration issues were ironed out. Unfortunately,
this was not resolved until the very end of the meeting.

you made heroic efforts with the linux nat-pt, and finally got it. but
do you think it will scale well?

i suspect that all the nat-pt implementations are old and not well
maintained. this needs to be fixed.

randy

It'd be good if the pfsense guys would do some IPv6 stuff, yes. I however, am not really interested in building CPEs, nor am I interested in building CPEs commercially.

Thanks,

Giving away code and hardware is quite the opposite of
lucrative, let me assure you.

Right. I looked at your message and it does not parse
very clearly. Given that it is odd for people to offer
to give away boxes, let alone quote a price for the
box that they are giving away, I thought you were
advertising something for sale.

It moves about 20Mbit/s on a Soekris box, probably more. If
you're doing more 6to4 and Teredo traffic than that, then
well done. How fast can you do it on a Cisco (or, whatever)
box? Someone lend me some hardware for a week and I'd be more
than happy to test and publish numbers on that.

It would be good for people to do some performance testing of
all the various bits and pieces. And publish all that test info
on the ARIN wiki. Perhaps you could test the hardware that
you have and document the test environment so that people
with Juniper, Cisco, etc. can do the same tests and post
their numbers. If people are interested in alternatives to
Soekris, then http://www.linuxdevices.com has pointers
to tons of embedded systems which are quite capable of running
FreeBSD as well as Linux.

I've actually given this Soekris hardware away to several
ISPs here in New Zealand, sponsored by InternetNZ.

One wonders if there is any organization in the USA that
might sponsor similar giveaways to ISPs. Just how much importance
does the Federal government attach to IPv6 transition?
Has anyone talked to their Congressional reps about tax
relief for the special one-time costs of enabling IPv6?

I've also got several slide packs with this stuff in it, if
people want those. I believe they're reachable via the NZNOG
website somewhere (nznog.org, I think).

They can now also find it by looking at the wiki page
<http://www.getipv6.info/index.php/IPv6_Presentations_and_Documents>
with your name on it. It was a full-day tutorial on all
aspects of IPv6 deployment.

--Michael Dillon

Nathan Ward <nanog@daork.net> writes:

Perhaps you could integrate your work with a project like pfsense?

From what I've seen, that's the best "open source CPE" solution, and
doesn't yet have real IPv6 support (but has just about everything
else).
That would be a huge benefit to the community and potentially open
up some
business opportunities for you.

It'd be good if the pfsense guys would do some IPv6 stuff, yes. I
however, am not really interested in building CPEs, nor am I
interested in building CPEs commercially.

My understanding is that there is some IPv6 support in HEAD, but not
in RELENG_1. Someone who has the time and inclination should join the
development team; they do not seem averse to the notion of having v6
support in there, but like so many other endeavors, effort is
commensurate with demand, yadda yadda yadda...

                                        ---rob

I'm looking for documentation on how the US Government IPv6 mandate affects associated agencies--e.g. healthcare providers, non-profits, or any company that depends on US Gvt. funding, record keeping, or financial reimbursement for services rendered (e.g. via Medicare).

Over the past 5 years most US Gvt--Assoc. Agencies communications have moved from modem/BBS type systems to Internet based systems. With the mandate, IPv4 will still be available, but I would bet it will be less and less supported as time moves on. I would like to see what the Gvt. has planned....

I've googled, read FAQs, and looked over the docs at whitehouse.gov without much luck. Can anyone point me in the right direction?

--Patrick Darden

Patrick/NANOG, see list of sites below to get information on IPV6 transitions. When you go to www.cio.gov you can type in ipv6 in the search bar to get more information. When the USG migrates to IPv6 those agencies working with them will have to migrate or take one of the approaches listed in previous postings to the nanog list. It'll most likely be a slow transition but you'll really need to have that conversation with the agency you're supporting or getting services from to determine their timeline and what will be supported in the future.

Now more specifically in your case that would be a good question for HHS & SSA on what the roadmap is for pushing information and receiving it for medicare or other e-gov programs.

I typed in the following into google and got all kinds of good info related to your question: ipv6 medicare and site:.gov

http://www.cio.gov/

http://www.cio.gov/documents/IPv6_FAQs.pdf

http://www.whitehouse.gov/omb/egov/a-1-fea.html

http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2007-03/IPv6-NIST-ITL_ISPAB0307.pdf

Jerry
jerry@jdixon.com

Darden, Patrick S. wrote:

I'm looking for documentation on how the US Government IPv6 mandate affects associated agencies--e.g. healthcare providers, non-profits, or any company that depends on US Gvt. funding, record keeping, or financial reimbursement for services rendered (e.g. via Medicare).

Over the past 5 years most US Gvt--Assoc. Agencies communications have moved from modem/BBS type systems to Internet based systems. With the mandate, IPv4 will still be available, but I would bet it will be less and less supported as time moves on. I would like to see what the Gvt. has planned....

I've googled, read FAQs, and looked over the docs at whitehouse.gov without much luck. Can anyone point me in the right direction?

--Patrick Darden

Patrick,

the mandate (note, it is an *unfunded* mandate) comes from the OMB.

Search terms including "OMB IPv6 mandate" will point you to useful information. Thus far, as with any such mandate, there will be "loads" of waivers in place, and providers wanting to do business with the US gov't may fall under such requirements. http://www.federalnewsradio.com/index.php?sid=1319907&nid=169 might also prove useful.

http://www.whitehouse.gov/omb/egov/b-1-information.html

INTERNET PROTOCOL VERSION 6 (IPV6)
On August 2, 2005, the OMB Office of E-Gov and IT issued OMB Memorandum 05-22, "Transition Planning for Internet Protocol Version 6 (IPv6)," directing all Federal government agencies to transition their network backbones to the next generation of the Internet Protocol Version 6 (IPv6), by June 30, 2008. The memorandum identifies several key milestones and requirements for all Federal government agencies in support of the June 30, 2008 target date.

The existing protocol supporting the Internet today - Internet Protocol Version 4 (IPv4) - supports only 4 billion IP addresses, limiting the number of devices that can be given a unique, globally routable location on the Internet. This has constrained the growth of the Internet worldwide, and has limited the number of computers and other devices that can be connected to one another via the Internet. In contrast to IPv4, IPv6 provides an almost unlimited number of IP addresses, and offers enhanced mobility, security, and network management features. IPv6 supports the continued growth of the Internet and development of new business capabilities leveraging mobile, Internet connectivity.

The CIO Council will issue guidance to assist agencies with transition planning.

Randy Bush wrote:

And the NAT-PT implementation at NANOG (naptd) did seem
to work once some configuration issues were ironed out. Unfortunately,
this was not resolved until the very end of the meeting.
    
you made heroic efforts with the linux nat-pt, and finally got it. but
do you think it will scale well?
  

      For the size of a NANOG meeting, it seemed to be
sufficient. I don't think I'd recommend trying to put
thousands of users behind it though.

i suspect that all the nat-pt implementations are old and not well
maintained. this needs to be fixed.

   Still trying to understand deployment scenarios for nat-pt.
I could see a case for very controlled environments with
uniform clients (with robust v6 support). Outside of that,
native-v6 + v4-nat (as outlined in Michael Sinatra's
lightning talk) and Alain Durand's v4v6v4 seem more
likely deployment candidates. That said, nat-pt is very useful
for exercising native v6 support in clients and their applications.

-Larry