Internet Protocol version 6 (IPv6) for New Zealand Government

Background

Internet Protocol version 4 (IPv4) is the network protocol developed in the late 1970s that supports the Internet and most internal organisational networks. It was designed to support up to 4 billion addressable devices and is now running critically short of address capacity.

To maintain connectivity with their constituents and business partners, governments must provide leadership in the process of evolving to the more modern and extensible Internet Protocol version 6 (IPv6). It is in the best interests of New Zealand to safeguard the ongoing growth of the Internet.

In 2010, the Department of Internal Affairs (DIA) identified that the New Zealand Government needed to transition to IPv6 so that New Zealand Government online (publicly accessible websites) and All-of-Government cloud computing initiatives remain fully accessible and compliant with international standards.

On 3 February 2011, the last available IPv4 addresses were released regionally for use. The Asia Pacific region exhausted its supply in April 2011, and the European and North American regions’ supplies are projected to follow shortly (US Government CIO S&P Committee, ‘Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government’, July 2012).

The Internet has traditionally used the IPv4 addressing protocol to find and connect a web user to a web page. ICT networks identify devices (routers, servers, computers, printers, mobile phones, industrial machines, etc.) by their IP address. Due to the growth of the Internet, mass-market broadband and mobile device deployment, and continuing adoption of cloud computing services, there will not be enough IPv4 addressing for global needs.

To mitigate the shortcomings in IPv4, various modifications to the protocol and its implementation have been introduced over time. However, while these measures have significantly extended the useful life of IPv4, their continued effectiveness is becoming limited and in some cases is undermining the fundamental architectural principles of the design of the Internet. The only viable long-term solution to the issue is the deployment of IPv4’s successor protocol, IPv6 (Internet Protocol version 6).

IPv6 provides (by today’s understanding) virtually unlimited addressing. The amount of IPv6 traffic on the Internet is growing daily, and IPv6 is increasingly being deployed on large-scale mobile networks and by content providers such as Google, Wikipedia, Akamai, Yahoo, Facebook and Verizon Wireless. It is anticipated that due to the global growth of mobile and the ‘Internet of Things’, there will eventually only be IPv6 native users and devices.

IPv6 is not a single, monolithic technology with a precise definition. Rather, it is a collective term used to represent the suite of protocols, configurations and implementation methodologies detailed by hundreds of IETF RFCs that together describe the successor to IPv4.

IPv6 is not backward-compatible with IPv4, hence an IPv6-native device or service cannot communicate with an IPv4 user and vice versa. This constraint requires that special measures are taken to ensure the safe and secure operation of government networks and Internet websites.

Dual-stack IPv4 and IPv6

‘Dual-stack’ refers to side-by-side implementation of IPv4 and IPv6, also known as a ‘dual IP layer’ device (e.g. computer, firewall, router) or application (e.g. web browser). It is a technique for providing simultaneous support for both Internet protocols (IPv4 and IPv6).

Dual-stack is generally recommended by the industry, including Google, as the best method of transitioning to IPv6 for website content. Other transition mechanisms have significant shortcomings and should only be considered if dual-stack is not feasible.

As part of the New Zealand Government’s strategy for adoption of IPv6, the ‘.govt.nz’ domain has been designed to be dual-stack capable, which means it supports both IPv4 and IPv6, allowing any user to access IPv6 ‘.govt.nz’ websites natively.

What this means for New Zealand government agencies

New Zealand Government will need to transition to IPv6 so government websites and All-of-Government (AoG) cloud computing Common Capabilities remain fully accessible and compliant with international standards. Our principal partner nations have target timelines and approaches similar to New Zealand’s for migrating their key government systems and websites to IPv6.

The foundation for the growth of IPv6 in New Zealand Government is well set:

  • All of New Zealand’s major peering exchanges (clearing houses shared by ISPs) are sharing IPv6 routes.
  • The NZ Registry Services is IPv6-enabled and so is a good percentage of our core internet infrastructure.
  • A number of commercial network providers and ISPs offer native IPv6 connectivity and/or transit.
  • The high-speed research and education network, Research and Education Advanced Network of NZ (REANNZ), has been IPv6 enabled since 2006.
  • The government Domain Name System (DNS) was IPv6 enabled in February 2012.
  • “govt.nz” DNS capability was further enhanced through the addition of IPv6 ready DNSSEC (secure DNS) in March 2015.
  • New Zealand Government provides a range of ICT Common Capability All-of-Government (AoG) cloud computing services that are IPv6 ready, reducing the requirement and cost of individual agencies needing to implement IPv6 capabilities themselves.
    • The government’s One.govt network, and the newer Telecommunications as a Service (TaaS) network, as well as the AoG secure email (SEEMail) services are designed to be IPv6-ready, and can offer out-of-the-box IPv6 connectivity externally and across the government backbone.
    • All-of-Government Infrastructure as a Service (IaaS) providers are required to provide a platform that doesn’t prevent participating agencies moving to an IPv6 or dual-stacked environment.
    • The All-of-Government Common Web Platform provides IPv6 access to publicly accessible government websites upon request.

Action required by Government

DIA GCIO Circular No: GCIO-2012-01, 7th Feb 2012, “Transition to IPv6 for Government Agencies” states the policy for agencies as:

  • New Zealand Government publicly accessible websites shall be IPv6-enabled and IPv4-capable where necessary;
  • New Zealand Government operational systems and internal agency networks shall remain IPv4-enabled; and
  • Transition of agency networks to IPv6 should only occur when all aspects of agencies’ IT environments are fully capable of managing IPv6 traffic and addressing.

It is important that government’s publicly accessible websites become IPv6-enabled as soon as possible. Agency networks and hosted websites require more complex configuration, security controls and testing.

State Service agencies are expected to comply with the 2012 GCIO Circular that advises IPv6 transition should be achieved through the course of technology and application refresh cycles, planned system upgrades, or funded new capability project business cases. Other government agencies and entities are advised to adopt this position as good practice.

  • Ensure all publicly accessible and externally delivered Internet services (e.g. websites, email, DNS, online forms, transaction services) are accessible and operationally utilise IPv6 capabilities.
  • Ensure that internal networks, applications and devices are operationally capable of using IPv6. Note that internal agency networks that have not implemented IPv6-compliant network/application management and monitoring tools should disable IPv6 functionality to reduce threat exposure and risk of compromise.
  • Provide status updates on their progress to the GCIO, through annual Operational Assurance reporting.

The New Zealand Information Security Manual (NZISM) covers the requirements for implementing IPv6 on government networks:

  • Agencies are required to apply the NZISM rationale and controls regarding IPv6 implementation on appropriately Classified networks, gateways and line of business systems.
  • Re-accreditation of agency systems when transitioned to IPv6 is also required.
  • The NZISM also serves as a source of relevant security research regarding IPv6 technologies.

The Australian Federal Government’s ‘A Strategy for the Implementation of IPv6 in Australian Government Agencies’ (version 2, July 2009) provides a generic guide applicable to New Zealand government agencies planning to migrate to IPv6, though our general advice for agencies is to:

  • Understand what IPv6 means for your agency, from both business and architecture viewpoints.
  • Understand the options and investment intervention opportunities available to your agency for transition to IPv6.
  • Understand how the All-of-Government (AoG) ICT Common Capability Services will help your agency in attaining IPv6 goals and benefits.
  • Understand your Internet Service Providers’ and outsourced Service Providers’ IPv6 readiness and management capabilities.
  • Ensure that your external Domain Name System (DNS) and other critical externally-facing components are IPv6 ready.
  • Ensure all privacy and security controls, and security devices in your network are fully IPv6 capable before transition.
  • Ensure your ICT technical support staff have the requisite skills and knowledge of IPv6 implementation, management and exploitation.
  • Education - ensure staff and management understand why migration to IPv6 is required and what it means to their ways of working. This includes any changes required to the ICT Support functions.
  • While IPv4 remains in use globally, Dual-Stack is the recommended approach to IPv6 implementation.

Important links

Internet New Zealand Inc

NZ Government – DNS Registrar

New Zealand Government – Open Data 

New Zealand Government – Web Toolkit

Australian Government, ‘A Strategy for the Implementation of IPv6 in Australian Government Agencies’ version 2 dated July 2009

US Govt CIO S&P Committee, ‘Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government’, dated July 2012

UK Government, Defence Joint Service Publication #604 (JSP604), Issue 3.1, Rule 6.

RFC 4213, Basic Transition Mechanisms for IPv6 Hosts and Routers, October 2005.

InternetNZ and Auckland University of Technology: IPv6 Adoption and Assimilation in NZ Public Sector Report

Network World article: IPv6 - Dual Stack where you can and tunnel where you must

Number Resource Organization (NRO) article: IPv4 free pool depleted.

 

Page last updated: 20/09/2016