Senin, 20 Agustus 2012

How the Air Force Is Flying Toward IPv6

The United States Air Force is one very high-tech organization, and we're not just talking about jet fighters. The Air Force's latest mission is a high-stakes, high-speed migration to Internet Protocol v6 (IPv6). Chances are most corporate networks aren't as extensive or complex as the Air Force's, but the service's planning operations offer worthwhile lessons for many organizations.

The Air Force began its transition to IPv6 earlier this summer, and expects to have its entire network migrated by the end of September 2014, the deadline self-imposed by the US government for all of its network operations. The move to IPv6 will also let the Air Force support more ad hoc networks in the field - making it them more operationally agile and better able to support machine-to-machine communications.

A Complex Mission

Several years ago the Air Force established a Transition Management Office (TMO) at Scott Air Force Base, located outside of St. Louis, to help coordinate the effort. ReadWriteWeb visited with Doug Fry, Network Engineer, Air Force Network Integration Center and engineering lead for the TMO. His role is to develop network policies and operational procedures that will be carried out by the various Air Force base engineers around the world. Fry is giving a talk at the upcoming New York City Interop this fall.

One of Fry's biggest issues is maintaining the security of the network as it makes its transition to IPv6. 'We can't let unknown traffic traverse our networks, of course, but the security tools that we have in our inventory aren't fully v6 compliant yet.'

The Air Force has 130 bases and about 100 of them are IPv6 capable and ready, according to Fry. He is working on the rest right now.

The Air Force base furthest along in the transition process is Eglin in the Florida panhandle, which also happens to be the service's largest base - covering more than 600 square miles and employing more than 30,000 people. To give you an idea of the size of the base, it has 30,000 individual IP addresses assigned, to a wide mix of both computing and embedded equipment. There are two core networks, 14 access layer devices, and 5000 in-building switches. That is a lot of gear to migrate over to the new networking protocols.

But Eglin's lead role is more a matter of circumstances than anything else: the base's aging Cisco routers and switches were due for a major refresh at the same time that the Air Force was planning the IPv6 transition.

8 IPv6 Lessons Learned

So what are some of the lessons the Air Force has learned so far?

  1. Don't go with your first address plan, but think about ways that you can make it more hierarchical and improve it. "We are on our fourth iteration of our address plan," said Fry.
  2. Make sure your core and IOS routers are all IPv6 compatible and can run dual stack protocols. This seems obvious but it is worth mentioning.
  3. Make sure all your monitoring equipment is up to snuff. Eglin uses homegrown IP address assignment and monitoring programs, and of course these will have to be upgrade to handle the longer IPv6 addresses.
  4. Now is the time to make sure your entire network documentation actually reflects what is actually deployed. "Some Air Force bases are better documented than others," said Fry.
  5. Upgrade your router firmware or replace them to handle IPv6.
  6. Build a test lab that replicates your entire network if you can afford to. "I wish we had the budget to build a lab from the beginning, it would have been helpful to learn more about IPv6 before we got down the road," said Lee Tran, a technical advisor for the Operational Infrastructure Branch and part of the Communications Squadron for Eglin. (You can read a ReadWriteWeb a white paper about this topic here.
  7. Understand how things will change when you add new desktops or network infrastructure to your IPv6 network. "You don't want to introduce any new vulnerabilities," said Tran. One issue for the Air Force is being able to automatically push out security patches to its routers over an IPv6 network. "Right now we have to do this manually," he said. Another implication is how your desktops will come with support for IPv6, and whether you want this active or not before you actually cut over to IPv6.
  8. Finally, participate in the next World IPv6 Day in June and other experiments to prove out your installation and deployment plans."This was incredibly helpful for us, and I was glad to see that our IPv6 servers didn't have any issues then," said Fry.

Good luck with your own IPv6 transition plans.

 

Lead image and Air Force medallion courtesy of Shutterstock.

Bottom image courtesy of the US Air Force.



0 komentar:

Posting Komentar