The US Department of Defense is woefully behind on its plan to upgrade its IT infrastructure to support the newer IPv6 protocol, according to a government report published on Monday.
The current effort is the DOD's third attempt in the past 17 years to upgrade its infrastructure to support IPv6.
The first two attempts took place in 2003 and 2010, respectively. The 2003 effort was abandoned with the DOD citing security risks and a lack of personnel trained in IPv6, while the second attempt was also abandoned, similarly on the grounds that IPv6 was not yet secure enough for the DOD's sensitive networks.
DOD failed to follow some pretty basic rules
On Monday, the Government Accountability Office (GAO), the auditing agency of the US government, said that the DOD's third attempt isn't doing any better.
GAO officials said the DOD failed to follow four basic requirements that were set out by the White House Office of Management and Budget (OMB) in 2006.
The four requirements were part of an OMB guideline sent to all federal agencies detailing the proper procedure for upgrading networks from IPv4 to IPv6.
"For its current [third] initiative, DOD has not completed three of four longstanding OMB requirements," GAO auditors said in a report published on Monday.
GAO auditors said that while the DOD has assigned an official to lead and coordinate the agency's IPv6 migration planning, it has failed to complete the three other recommended steps.
These included creating an inventory of all existing IP (internet-connectable) devices, putting together a cost estimate for all the IPv4 devices that will need to be replaced, and putting together a risk analysis of the IPv6 protocol -- the very same step that thwarted their previous attempts.
Because the DOD failed to comply with these recommendations, the DOD's latest IPv6 implementation attempt is woefully behind, as crucial information is not available.
The DOD's third attempt to migrate to IPv6 began in April 2017 and got officially underway in February 2019, when the DOD published an implementation plan containing 35 steps the DOD needed to go through to deploy IPv6 on its network and replace old IPv4-only devices.
Of these 35 transition steps, 18 were due to be completed before March 2020. However, GAO said the DOD had completed only six of the 18 steps by March 2020.
GAO said the DOD's failure to follow OMB's four requirements played a part in the delay, as DOD officials had set out deadlines that were too optimistic, lacking the proper insight into their own IT infrastructure.
No plans to follow basic rules, despite obvious drawbacks
However, GAO said that despite a flaw in its plan, the DOD doesn't plan to follow OMB requirements, opting not to perform an inventory of all of its IP devices.
GAO said that DOD officials cited the impracticality of creating an inventory of all its IP-compatible devices due to the department's size.
"The [DOD] officials leading the IPv6 transition also said that DOD has been mitigating the risk of not having an inventory by ensuring that the department has only been acquiring IPv6-capable IT devices since December 2009. However, while only acquiring IPv6-capable devices and applications could help the transition move forward, it would not be as complete as an inventory, given that an inventory would include technology purchased before December 2009," GAO said.
Since a device inventory is also crucial for the other two OMB requirements -- the cost estimate and the risk analysis -- GAO said the DOD is on track for many cost overruns, schedule delays, and complicated patch management for any IPv6 security vulnerabilities.
Transitioning to IPv6 is crucial, as the number of IPv4 addresses is running out at a rapid pace, and assigning IPv4 addresses to new devices will become more complicated.
The IPv6 protocol was released in the mid-90s as an alternative to IPv4. It supports more assignable IP addresses than the older IPv4, which was limited to only 4,294,967,296 addresses.
IP (Internet Protocol) addresses are crucial to any device that connects online, as they act as identifiers for each system inside the internet's larger network -- hence the need to update from the depleting IPv4 to IPv6.