The US Department of Defense (DoD) has been shamed for its appalling IPv6 migration efforts in a formal probe by the Government Accountability Office (GAO).
The auditor’s 37-page report [PDF], dated June 2020, noted that the DoD is actually on its third attempt to migrate to the expansive internet protocol, having tried and failed first in 2003 and again in 2010. The Pentagon was warned it is going to fail again unless it makes big changes to its plan.
“DOD began planning for its transition to the next version of IP in 2017, following at least two prior attempts to do so since 2003,” the GAO summarized. “But, DOD has yet to clearly define the magnitude of work involved, the level of resources required, and the extent or nature of cybersecurity risks if vulnerabilities aren’t proactively managed.”
In its most stark explanation, the GAO has produced a one-page summary that noted the White House Office of Management and Budget (OMB) provided four basic requirements for an IPv6 migration back in 2006 and the DoD’s current plan fulfills… one of them.
Assign an official to lead and coordinate agency planning? Yes, tick. Complete an inventory of existing IP compliant devices and technologies? No. Develop a cost estimate? Nope. Develop a risk analysis? Afraid not.
Considering these are the highest-level recommendations, and still no progress, the GAO felt confident to pronounce the third migration effort dead-on-arrival. However, the auditors, renowned for their wholly unjustified optimism over government action, haven’t given up hope just yet. The watchdog body took the three unfulfilled requirements and turned them into official recommendations.
What went wrong?
What was behind the two earlier failed attempts by the Pentagon to migrate to IPv6? In a word: security. “In one effort that began in approximately 2003, DoD initially did make progress implementing IPv6 on its systems,” the report noted, “but then the department ended the effort due to security risks and a lack of personnel trained in IPv6.”
And try number two? “DOD initiated another attempt in response to 2010 OMB guidance. However, this initiative was terminated shortly thereafter, again due to security concerns.”
What are these security concerns? That would definitely be something of interest to everybody trying to shift to IPv6 from IPv4. The GAO would love to tell you but then it would have to kill you: "We received additional information about why DoD disabled the IPv6 functionality, but we are not including it in the report due to the information being marked as for official use only."
That was for the 2003 transition. As for the 2010 effort: "According to DoD, the department originally planned to meet the 2010 OMB requirements; however, it decided not to complete the upgrades due to security concerns. Again, we received additional information about the department’s security concerns; however, we are not including those details in this report because they were marked as for official use only."
As for this third effort, most of it was supposed to have been completed by March this year. In fact, of the 35 “activities” that the DoD itself identified in February 2019 as necessary to shift to IPv6, the DoD planned to have 18 of them completed three months ago. How many were actually completed? Six.
“DoD officials acknowledged that the department’s transition time frames were optimistic,” the latest report noted. “They added that they had thought that the activities’ deadlines were reasonable until they started performing the work. Without an inventory, a cost estimate, or a risk analysis, DOD significantly reduced the probability that it could have developed a realistic transition schedule.
“Addressing these basic planning requirements would supply DoD with needed information that would enable the department to develop realistic, detailed, and informed transition plans and timeframes.”
In other words, useless. ®