White Paper

Cisco IPv6 Certification Testing

Background: IPv6 Mandate from the U.S. Department of Defense and Office of Management and Budget

As U.S. Government agencies continue their migration to incorporate IPv6 into their Enterprise Architecture, it is critical that there is a baseline set of standards that are mandated to promote interoperable architectures. The U.S. Government issued a mandate that required government networks to be IPv6-capable by June 30, 2008, and any future procurements must consist of “IPv6 Capable” networking equipment. In response to this mandate, the government has worked closely with industry vendors to ensure that any equipment purchased will meet the IPv6-capable requirement. These requirements are defined by a set of documents produced by the U.S. Department of Defense for DoD networks and by the National Institute of Standards and Technology (NIST) for U.S. Government (USG) civilian networks. Additionally, both the DoD and the USG have defined the process by which a network device can achieve IPv6 certification. These processes are described later in this document.

It should be noted that, just as IPv6 has evolved in the industry, as evidenced by increasing support from the vendor community and adoption by customers around the world, so too has the certification process evolved. The DoD originally initiated a certification process in 2006 that involved certifying stand-alone devices. However, after two and a half years, the DoD integrated its IPv6 requirements under the umbrella of the Unified Capabilities Requirements (UCR) program and retired the original IPv6 Approved Products List. The concept is to test systems instead of stand-alone devices.
For example, instead of testing a router or a Layer 3 switch for compliance with a set of IPv6 RFCs, the UCR 2008 program tests an Assured Services LAN (ASLAN) system consisting of specifically chosen switches and routers meeting ALL requirements of an ASLAN system, of which IPv6 is only a subset.

Just as the DoD IPv6 Certification process evolved and matured, so too has the USG IPv6 program (formally referred to as the USGv6 program). Where the USG was just initiating its program two years ago, it has now established a new program that is different from the DoD’s UCR program. Both DoD and USG have evolved their IPv6 programs during the last few years, and this document provides an overview of the IPv6 certification process.

© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

With respect to the original DoD IPv6 certification process, Cisco actively participated and became one of the leading vendors on the certification Approved Product List (APL). Cisco successfully certified edge, aggregation, and core routers, the first IPv6-certified firewall (Cisco IOS® Firewall), and was the only vendor with certified Layer 3 switches. As mentioned above, this APL is no longer “active” since the DoD has transitioned its IPv6 efforts to the UCR 2008 program.

Defining Products as IPv6-Capable

Successful completion of IPv6 certification testing requires that the IPv6 capability criteria be clearly defined. In the case of IPv6, the IPv6 mandate identifies that government networks must be IPv6-capable. Both DoD and NIST have taken steps to clearly define what IPv6-capable means. The DoD has published several iterations of the “DoD IPv6 Standard Profiles For IPv6 Capable Products”.
IPv6 Capable as defined by this document is:

“The term “IPv6 Capable Product” as used in this document, means any product that meets the minimum set of mandated requirements, appropriate to its Product Class, necessary for it to interoperate with other IPv6 products employed in DoD IPv6 networks.”

This document, commonly referred to as the IPv6 Product Profiles, categorizes network devices into subsets based on functionality or place in the network, and states the requirements that each profile must meet to ensure IPv6 capability. The requirements are generated using IETF RFC descriptions to ensure a standards-based approach. Collectively, the DoD IPv6 Product Profiles provide the baseline definition of IPv6-capable for network equipment vendors. For more information on the DoD IPv6 Product Profiles, see: http://jitc.fhu.disa.mil/apl/ipv6/pdf/disr_ipv6_50.pdf

NIST has also published a separate document titled “A Profile for IPv6 in the U.S. Government” that provides its own definition of network equipment profiles, as well as the specific RFC requirements that must be met within each profile. The NIST document provides a definition of IPv6-capable with respect to civilian networks. For more information on the NIST profiles, see: http://www.antd.nist.gov/usgv6/usgv6-v1.pdf

DoD and USG Civilian Agencies IPv6 Certifications

DoD IPv6 Certification Process

As mentioned above, DoD has transitioned the original IPv6 Certification program, which focused on stand-alone device certification, to the UCR 2008 program. Given the system-level focus of the UCR, the process is more complex than the previous IPv6 certification effort. The process is best described by the diagram below, which is copied directly from the UCR 2008 baselined (i.e., officially signed) publication:
The key differences between testing for IPv6 requirements under the UCR 2008 program and the original IPv6 Certification program are:

● The UCR focuses on systems and not stand-alone device certification.
● In order to enter testing under the UCR, there must be a sponsor (e.g., a service branch) that requests a vendor’s system to be tested. Under the original IPv6 Certification program, a vendor could simply schedule a test with JITC once it had a product that met the requirements.
● The focus of the UCR program is clearly on enabling Voice and Video, with IPv6 being just one set of requirements the system must meet. The focus of the original DoD IPv6 Certification program was entirely on interoperable data traffic.

For more information on the DoD UCR certification process, please see: http://www.disa.mil/ucco/apl_process.html

USGv6 (NIST) Certification Process

In the USGv6 Certification program, there are only three profile types:

1. Host
2. Router
3. Network Protection Devices (NPD)

For both Host and Router designation, a device must complete a Conformance test suite and an Interoperability test suite. All tests must be conducted by an accredited lab. For the Conformance test suite, a vendor CAN become an accredited lab and complete these tests if it so desires. However, Interoperability tests MUST be done by an independent accredited lab. NPD devices must be tested by an independent accredited lab as well.

Here is an overview of the Certification Testing Process for the USGv6 Program:

Conformance Testing
● is conducted between the device and/or protocol implementations under test and a special-purpose test system
● uses tests described in the published abstract test specifications
● must be performed in a 1st, 2nd or 3rd party accredited laboratory
● is the gate required before interoperability testing
Interoperability Testing
● is conducted among several host or router devices under test and one or more “reference” devices
● uses tests described in the published abstract test suites
● must be performed in a 2nd or 3rd party accredited laboratory
● is the prerequisite for issuing an SDOC for Hosts/Routers

Network Protection Testing
● is conducted with special-purpose test equipment
● uses tests generally described in published abstract test suites
● must be performed in a 2nd or 3rd party accredited laboratory
● is the prerequisite for issuing an SDOC for network protection devices

SDOC Production
● After testing their devices in an accredited laboratory, product vendors develop a Supplier’s Declaration of Conformity (SDOC) in compliance with ISO/IEC 17050:2004 that serves as an indication to purchasers that the required testing has taken place. Whether a test laboratory wants to offer the service of SDOC creation after testing is a matter between the lab and its customer.

Upon completion of the certification process, the SDOC is the mechanism used to let purchasing agents in Government agencies know that Cisco has completed the requisite testing and which requirements we comply with. It is essential for sales and account teams to understand that the SPECIFIC IPv6 requirements that a particular agency needs are up to that agency. Agencies are not required to ask for all mandated requirements in the USGv6 Product Profiles.

The USGv6 Certification program, while containing many of the same elements as the DoD IPv6 effort (mainly a similar set of RFC requirements), is in fact unique. The key differences between the two programs are:

● The DoD establishes an Approved Products List (APL) that identifies which products have successfully completed certification testing and which is used by DoD purchasing agents to acquire new products.
The USGv6 program does NOT use an APL and relies on a Supplier’s Declaration of Conformity that a vendor provides to a civilian agency to show which requirements the vendor’s products have met. The APL is openly visible on a DoD website, while there is no intention to have a single website under the USGv6 program showing the status of vendors’ certification testing. The SDOC is supplied by the vendor at the time of response to an RFP or purchase request.
● The DoD’s IPv6 requirements are a hard and fast set of requirements that MUST be met in order to get onto the APL, and therefore only those devices that meet the requirements can be purchased within DoD. The benefit of this program is that the bar is clear as to what must be met to gain entry onto the APL. The detriment of this program is that there may well be features mandated by the DISR but not tested during the UCR process that may not be used by anyone in the DoD for quite some time, but which still require vendors to provide production-level support of the feature(s). From an Acquisition Officer’s perspective, the APL makes the purchasing decision easy with respect to IPv6.
● The USGv6 program allows much more flexibility to the purchasing agent but requires much more forethought as to what IPv6 requirements they will actually need in their network. The benefit of this program is that IPv6 should be considered from a true transition perspective, and only those IPv6 features that are actually going to be deployed should emerge as requirements to vendors. The detriment of this program is that it makes it impossible to know whether vendors are by and large providing the same level of IPv6 support in their product lines.

For more information on the entire USGv6 Program, please visit: http://www.antd.nist.gov/usgv6/testing.html

Global IPv6 Certifications (IPv6 Ready)

Most commercial and enterprise customers and other countries use the IPv6 Ready Logo to help determine whether network equipment meets minimum standards for IPv6.
The IPv6 Ready Logo has three distinct phases and is defined as follows:

Phase 1:
● In a first stage, the Logo indicates that the product includes IPv6 mandatory core protocols and can interoperate with other IPv6 implementations.

Phase 2:
● The “IPv6 Ready” step implies proper care, technical consensus, and clear technical references. The IPv6 Ready Logo indicates that a product has successfully satisfied stringent requirements stated by the IPv6 Logo Committee (v6LC). To avoid confusion, the logo “IPv6 Ready” will be generic. The v6LC will define the test profiles with associated requirements for specific functionalities.

Phase 3:
● Same as Phase 2 with IPsec mandated.

Cisco has participated in the IPv6 Ready Logo program and has certified many products and subsequent product releases through this process. With the introduction of the more stringent US Government IPv6 Certification process, Cisco has focused efforts on certifying its products against the approved product profiles and has even seen other governments take a reciprocal stance, meaning that for products that have successfully completed the DoD IPv6 Certification process, they would only require testing for those features that may be unique to their government. More information on the IPv6 Ready Logo is available at: http://www.ipv6ready.org/?page=home

Value of IPv6 Certifications

Global government and Public Sector agencies rely on standardization and certifications to ensure people, processes, and missions are uniformly focused on their goals. This level of assurance is equally paramount in the communication systems deployed throughout and between agencies. To deliver products that comply with rigorous security and assurance standards, networking and communications equipment vendors must rely on government certification guidelines and processes.
IPv6 certifications provide government agencies a level of assurance that equipment purchases will be protected when a government agency needs to enable IPv6 on its network. Regardless of whether an agency plans to deploy IPv6 immediately or sometime in the foreseeable future, the agency can rest assured that purchasing IPv6-capable equipment will protect its investment.

IPv6 certifications are part of a larger overall certification strategy in which Cisco has participated for many years, and Cisco is one of the leading vendors in this process. Examples of key certifications that Cisco has achieved across a wide range of product families and platforms are NIAP Common Criteria and NIST FIPS. For a broader discussion of certifications that Cisco participates in, see: http://www.cisco.com/go/securitycert

Conclusion

Cisco continues to be an industry leader in delivering a wide range of products that incorporate critical IPv6 features and functionality. We actively and successfully participated in the original (and now retired) IPv6 Certification program, where we had more routers and Layer 3 switches achieve IPv6 certification than any other vendor. We are now actively involved with the UCR 2008 program, where IPv6 requirements are incorporated as part of the overall set of requirements. Finally, Cisco is additionally working with the new USGv6 program being run by NIST to ensure civilian agencies can continue to purchase Cisco products with the requisite IPv6 support. Collectively, these actions show that Cisco continues to be a trusted partner in the adoption of IPv6 in Government and Industry.

Printed in USA