Home / Blogs

IPv6 and the Swedish Public Sector

Torbjörn Eklöv

This post has been co-authored by Jörgen Eriksson and Torbjörn Eklöv.

No one can have failed to notice that the last IPv4 address will soon be allocated. We have lived with a shortage of addresses for 15 years, but when the last address is allocated, the shortage will become acute, instead of just a pain, as it is today. There is much to read on http://www.ipv6forum.se and http://www.ipv6actnow.org/.

In The Hitchhiker's Guide to the Galaxy, Douglas Adams describes the least expensive and most effective method for making something invisible. You simply decide that it is Someone Else's Problem or SEP, if you abbreviate. This is an approach that is frighteningly similar to the Swedish public sector's view of the address shortage on the Internet. "It is not our problem — if we ignore it, it will probably go away."

The only reasonable solution for the long term is currently called IPv6, a technology that has been available for many years but which few have begun to use. We wondered a bit about how well the Swedish public sector is prepared for IPv6. We talked to a person who works with IT procurement, who said that he was not aware of a single procurement in recent years that required support for IPv6. One can wonder why this is so. One explanation is that the Legal, Financial and Administrative Services Agency, which currently handles procurement for the public sector, has not completed its procurement requirements, since the E-Delegation's study "Strategy for the authorities' work with e-administration" (SOU 2009:86) is still being circulated for comment. Hopefully, but far from certainly, this study will clearly indicate the need for IPv6 and other technologies as a basic requirement to ensure a stable and accessible Internet also in the future!

We have several proposals for the Swedish public sector that we hope they will adopt - not to be caught unprepared the day the Internet as we know it changes drastically.

Demand IPv6 from your Internet supplier

According to a study in October 2009, only 15 percent of Sweden's Internet suppliers are able to provide IPv6 (source). Those who cannot do so should be disqualified in an automated procurement, and as customers, you must put pressure on them by demanding that they activate IPv6 directly at installation. Do not let them get away with vague promises of "in the autumn!" If they cannot support IPv6 now, they have no place in the market.

There are also suppliers that state that they are able to support IPv6, but a critical examination reveals that it is not as easy as they promise! So demand references for the same connection type and geographic area before signing any contracts. A good example is Telia, which needed about four months from order to delivery of IPv6. And they are not even able to deliver native IPv6, but only tunnels.

Make sure that all equipment and system software supports IPv6.

Examples of external systems that must support IPv6:

  • Firewalls – Many leading suppliers of firewalls have support for IPv6. If you are bound by long contracts for firewalls that only support IPv4, purchase an additional firewall. Place it in parallell to the old one and run all IPv6 in it. You will not need the same extensive set of rules or performance in a separate firewall, if it only runs IPv6! For SEK 10,000, you will have a firewall to start with and learn from.
  • Web servers – Most systems in the market are IPv6 compatible. The web is ideal as a first service! Google has been testing IPv6 for a number of years by making its ordinary search service available over IPv6, although at another address: http://ipv6.google.com. A company can do the same. This has minimal impact on the existing operating environment, yet provides an opportunity to test and learn the new protocol.
  • E-mail systems – Many companies today perform some form of filtering of e-mail for spam and virus before allowing it to enter internal systems. Demand that all e-mail servers that receive your e-mail from others must also accept IPv6 for incoming and outgoing e-mail.
  • Operating systems – Believe it or not, but Microsoft is a shining star with respect to support for IPv6 and is clearly ahead of the open-source operating systems based on Linux and BSD. Above all, Windows Vista and Windows 7 are excellent examples of systems with full IPv6 support, but even the older Windows XP handles IPv6 relatively well! It may be a good idea for the IT department to begin testing and using IPv6 so that they gain experience prior to a broader roll-out.
  • DNS – To be able to show the rest of the Internet that your services can be accessed via IPv6, your DNS must naturally identify the services that have IPv6 addresses. However, the DNS servers themselves should also be accessible via IPv6. If you have DNS servers with your ISP or elsewhere, check with them if they are ready, and if not, consider using another supplier that is!

Start training

Only short training is required to start IPv6, in our opinion. If you know IPv4, it is easy to get started with IPv6! And getting started will build experience — that is something you can not get from classes! A good idea is to gather personnel from several municipalities or the public authorities with which you work and bring in an experienced technician to hold practical workshops to warm you up before investing major sums in training. Training always works best if you have some prior knowledge!

Other infrastructure that needs attention

DNSSEC – We naturally focus on IPv6, since that is one of our main interests. However, there are several extremely important areas where the public sector could take the lead. One of them is a more secure infrastructure for DNS, which is commonly known as DNSSEC. A few years ago, a researcher showed how easy it is to redirect a user wishing to access a given website or e-mail server to another malicious one. Today, upgrades have made this a little more difficult, but it is still possible. DNSSEC with DNS operators, companies and ISPs, this loophole would be closed. Once again, the standard has been in place for some time, but introduction has been slow.

E-identification – Important decisions also remain to be taken regarding e-identification. The model that has been in use in Sweden for a number of years suffers from several deficiencies. It is important to place requirements on the system so that it,

  • is based on open standards,
  • provides full protection for personal integrity,
  • is technology-neutral and
  • is available to all players in all parts of society.

The roles of registrars and issuers of identification should also be made clear and separated. Today's system also suffers from the fact that only private persons can identify themselves. Companies, authorities and associations should naturally also be able to identify themselves! In this context, it is important that the government opens its databases in a manner that not only creates opportunities, but also protects integrity.

Am I already running IPv6?

Modern operating systems have IPv6 activated by default. This means that you may already be running IPv6 via an automatic tunnel service without knowing it! Test towards http://test.ipv6.tk and you will see if you are running IPv6 or not! The results may vary with the same computer if you are at work or at home, depending on firewalls and other equipment.

Conclusion?

The pages http://www.kommunermedipv6.se and http://www.myndighetermedipv6.se show that very little is happening, unfortunately. There must be a demand from above for the public sector to prioritize this in its IT operations. At the same time, this is not a monumental task! It is a matter of working days per agency, not several man years.

By Torbjörn Eklöv, CTO, Senior Network Architect, DNSSEC/IPv6

Related topics: DNS, DNS Security, Email, Internet Governance, IPv6, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:

Comments

Translated some pages Torbjörn Eklöv  –  Feb 11, 2010 11:04 PM PST

Hi, I have translated the pages www.kommunermedipv6.se and www.myndighetermedipv6.se to english.

/Tobbe

To post comments, please login or create an account.

Related Blogs

Related News

Topics

Industry Updates – Sponsored Posts

Domain Name .Africa Faces Hurdles - Q&A with Sophia Bekele

Join Paul Vixie & Robert Edmonds at the Upcoming Distinguished Speaker Series

Q3 2014 DDoS Trends: Attacks Exceeding 10 Gbps on the Rise

LogicBoxes Announces Automation Solutions for ccTLD

3 Questions to Ask Your DNS Host About DDoS

Introducing Our Special Edition Managed DNS Service for Top-Level Domain Operators

Afilias Director Wins ICANN's 2014 Leadership Award

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

Neustar to Build Multiple Tbps DDoS Mitigation Platform

The Latest Internet Plague: Random Subdomain Attacks

Digging Deep Into DNS Data Discloses Damaging Domains

DotConnectAfrica Contributes at the 9th IGF in Istanbul, Turkey

New gTLDs and Best Practices for Domain Management Policies (Video)

Nominum Announces Future Ready DNS

Non-English "IDN Email" Addresses Are Finally Working!

New from Verisign Labs - Measuring Privacy Disclosures in URL Query Strings

Video Interviews from ICANN 50 in London

ICANN London Recap Webinar

DotConnectAfrica Delegates Attend the Kenya Internet Governance Forum

3 Questions to Ask Your DNS Host about Lowering DDoS Risks

Sponsored Topics

Afilias

DNS Security

Sponsored by
Afilias
dotMobi

Mobile

Sponsored by
dotMobi
Minds + Machines

Top-Level Domains

Sponsored by
Minds + Machines
Verisign

Security

Sponsored by
Verisign