The U.S. Air Force began its transition to IPv6 earlier this summer, and it expects to have its entire network migrated by the end of September 2014, the deadline self-imposed by the U.S. government for all of its network operations. The Air Force is also motivated to have an IPv6 network in place to support more ad hoc networks in the field; the intent is to make them more operationally agile and to better support machine-to-machine communications.
Several years ago the Air Force established a Transition Management Office at Scott Air Force Base, located outside of St. Louis, to help coordinate the effort. I visited with Doug Fry, network engineer at the Air Force Network Integration Center and the TMO’s engineering lead. His role is to develop network policies and operational procedures that will be carried out by the various Air Force base engineers around the world. Fry is giving a talk at the upcoming New York City Interop this fall about the process.
One of Fry’s biggest issues is maintaining the security of the network as it makes its transition to IPv6. "We can't let unknown traffic traverse our networks, of course, but the security tools that we have in our inventory aren't fully IPv6 compliant yet," he says.
The Air Force has 130 bases and about 100 of them are IPv6 capable and ready, according to Fry. He is working on the remainder of them right now.
The Air Force base furthest along in the transition process is Eglin in the Florida panhandle, which also happens to be the largest base. It covers more than 600 square miles and employs more than 30,000 people. Its lead is more a matter of circumstance than anything else: The base's aging Cisco routers and switches were due for a major refresh at the same time that the Air Force was planning the IPv6 transition. To give you an idea of the size of the base, it has 30,000 individual IP addresses assigned to a wide mix of both computing and embedded equipment. There are two core networks, 14 access layer devices, and 5,000 in-building switches. That is a lot of gear to migrate over to the new networking protocols.
So what are some of the lessons the Air Force has learned – so far – that can help with your own deployment of IPv6?
Don't go with your first address plan, but think about ways that you can make it more hierarchical and improve it. "We are on our fourth iteration of our address plan," says Fry.
Make sure your core and IOS routers are all IPv6 compatible and can run dual stack protocols. This seems obvious but it is worth mentioning. You may need to replace gear that you can't upgrade.
Make sure all your monitoring equipment is also up to snuff. Eglin uses homegrown IP address assignment and monitoring programs, and of course these have to be upgraded to handle the longer IPv6 addresses.
Now is the time to make sure your entire network documentation reflects what is actually deployed. "Some Air Force bases are better documented than others," says Fry.
Build a test lab that replicates your entire network, if you can afford to. "I wish we had the budget to build a lab from the beginning; it would have been helpful to learn more about v6 before we got down the road," says Lee Tran, a technical advisor for the Operational Infrastructure Branch and part of the Communications Squadron for Eglin. (You can read a white paper about how to build a test lab from two experienced network engineers.)
Understand how things will change when you add new desktops or network infrastructure to your IPv6 network. "You don't want to introduce any new vulnerabilities," says Tran. One issue for them is being able to automatically push out security patches to their routers over an IPv6 network. "Right now we have to do this manually," he says. Another consideration is that your desktop systems will come with IPv6 support, and you need to decide whether you want it active before you actually cut over.
Finally, review the past World IPv6 Day's activities of the Internet Society and other experiments to prove out your installation and deployment plans. The Society has links to case studies (such as for Netflix), among other resources. "This was incredibly helpful for us, and I was glad to see that our IPv6 servers didn't have any issues then," Fry says.
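The monitoring lesson above is about more than address length: a dual-stack inventory also has to recognize one host written several ways. The sketch below is an added example, not Eglin's code; the function names and sample records are constructed, and the addresses come from documentation ranges.

```python
import ipaddress
from collections import Counter

def canonical_key(host):
    """Return one canonical text key per host, for IPv4 or IPv6 input."""
    host = host.split("%", 1)[0]            # assumption: zone ids (fe80::1%eth0) are dropped
    addr = ipaddress.ip_address(host)       # raises ValueError on malformed input
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped             # ::ffff:192.0.2.10 is the IPv4 host 192.0.2.10
    return str(addr)                        # IPv6 comes back lower-case and compressed

def parse_endpoint(text):
    """Split 'v4', 'v4:port', 'v6', or '[v6]:port' into (canonical host, port or None)."""
    text = text.strip()
    port = None
    if text.startswith("["):                # bracketed IPv6 literal, optional :port after ]
        host, _, rest = text[1:].partition("]")
        if rest.startswith(":"):
            port = int(rest[1:])
    elif text.count(":") == 1:              # exactly one colon: IPv4 with a port
        host, _, port_text = text.partition(":")
        port = int(port_text)
    else:                                   # bare IPv4, or bare IPv6 (two or more colons)
        host = text
    return canonical_key(host), port

def build_inventory(records):
    """Count sightings per canonical host so duplicates collapse into one entry."""
    return Counter(parse_endpoint(r)[0] for r in records)

# Constructed sample records, as a monitoring feed might report them.
SAMPLE = [
    "192.0.2.10:22",
    "[::ffff:192.0.2.10]:22",
    "2001:0DB8:0000:0000:0000:0000:0000:0001",
    "[2001:db8::1]:443",
    "2001:db8:0:0::1",
    "fe80::1%eth0",
]

if __name__ == "__main__":
    for host, seen in sorted(build_inventory(SAMPLE).items()):
        print(f"{host:15} seen {seen} time(s)")
```

A tool that keys on the raw string would report six hosts here instead of three, and one that splits on the first colon to find a port would misread every IPv6 record.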
Good luck with your own IPv6 transition plans.