In my previous column, I started reviewing an interesting paper by Hillary Elmore, L. Jean Camp and Brandon Stephens entitled "Diffusion and Adoption of IPv6 in the ARIN Region" that they presented at the 2008 Workshop on the Economics of Information Security (WEIS 2008) at Dartmouth College in June.

I found the most interesting section of the paper to be part 6, the discussion of “Related Work in Economics of Information Security.” I summarize below some of the key points made by the authors explaining resistance to adoption of new technologies, and I urge readers to download the paper themselves to read the details. In my own words, here are some highlights of their discussion:

• Small networks may experience relatively few benefits from adoption of new technology compared with the high cost of upgrading.
• Like patches, new protocols may have unexpected bugs or cause unexpected problems through their interactions with the existing technical infrastructure; therefore, many organizations will tend to delay implementation until others in the market have tried the new technology and ironed out the first bugs.
• The costs of implementing a change in the fundamental infrastructure mentioned in the point just above will include personnel education and training plus time and money involved in coping with inevitable problems resulting from inexperience. Such costs are difficult to explain and justify to nontechnical managers looking at the profit-and-loss statements of an organization.

Given the urgency of coping with exhaustion of the IPv4 address space, what are some measures that might encourage wider acceptance of IPv6? The authors discuss the following approaches, which are not mutually exclusive:

• Governments can offer subsidies to offset costs.
• Governments can legislate fines as negative incentives (but these are less effective than positive incentives).
• A free market in IPv4 addresses can develop which might eventually drive the price of acquiring someone else’s old IPv4 address above the costs of installing a new IPv6 address…
• … or alternatively, a free market in IPv4 addresses might manage scarcity and indefinitely reduce pressures to move to IPv6.
• Government pressures to force implementation of IPv6 by the governments of “the US and Europe could force premature adoption causing a window of greater disruption and vulnerability.”
• New policies by the Regional Internet Registries (RIR) community could limit assignment of new IPv4 addresses to organizations that do not currently have any. “If organizations which already have IPv4 blocks which can be routed are assigned only IPv6 addresses, this implies that the most rapidly expanding entities on the network will have the greatest incentive to move to IPv6.” However, the authors continue, “Making these choices is made more complex by the fact that the RIR communities consist exactly of those organizations which already have IPv4 blocks. Thus the RIR will effectively be asking its membership to deny itself access to potentially valuable address space to ensure that others have this address space.”

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.