Building an IPv6 Integrated Project Team

Audience: isp6 members, IT leadership, programme managers, and technology directors responsible for IPv6 adoption programmes — particularly those managing cross-functional teams across networking, cloud/systems, and security disciplines.

Last updated: April 2026

1. Introduction

Most IPv6 deployment failures are not technical. The protocol is mature, the RFCs are stable, and the cloud providers have supported it for years. The failure mode is organisational: networking teams design address plans in isolation, cloud teams build dual-stack infrastructure independently, and security teams — untrained and uninvolved — block the deployment at the perimeter firewall.

The most beautifully engineered IPv6 network is entirely useless if no actual user traffic ever touches it.

This article examines why IPv6 adoption is fundamentally a cross-functional organisational challenge, not a networking project, and provides a framework for building the integrated team structure that successful deployments require. It draws on established organisational models — Team Topologies, Westrum's culture typology, and Kotter's change management framework — to give programme managers a structured approach to an initiative that too often drifts into technical silos.

For isp6 members, the good news is that a significant portion of the specialist complexity — RIPE NCC registration, RPKI and ROA management, route6 objects, and ongoing compliance — is already handled by isp6 as a service. This article shows where that fits within the team structure so your organisation can focus on the cross-functional coordination that actually determines success or failure.

flowchart LR
    subgraph failure["Common Failure Mode"]
        direction TB
        A["Networking designs<br>addressing in isolation"]
        B["Cloud teams build<br>dual-stack independently"]
        C["Security blocks at<br>the perimeter firewall"]
    end
    subgraph success["Target State"]
        direction TB
        D["Unified IPv6 Blueprint"]
        E["Cross-functional<br>Integrated Project Team"]
        F["Concurrent security<br>and routing design"]
    end
    failure -->|"Organisational<br>transformation"| success

2. The Siloed Deployment Anti-Pattern

IPv6 deployments that follow the traditional waterfall handoff between functional teams exhibit a predictable cascading failure:

Phase 1: Networking

The networking team — often the most IPv6-literate group in the organisation — charges ahead. They design a global addressing plan, configure routing protocols for dual-stack operation, and allocate prefixes from the organisation's RIPE NCC allocation. The work is technically sound, thoroughly documented, and delivered on schedule.

Phase 2: Cloud and Systems

Cloud and platform teams begin independently. They provision IPv6 CIDRs in AWS VPCs, configure dual-stack load balancers, and update Terraform modules. They may or may not reference the networking team's address plan. Dual-stack infrastructure is built, but host-level concerns — address selection policy, application binding, DNS AAAA record publication — receive inconsistent attention.

Phase 3: Security

The security team encounters IPv6 traffic for the first time at the perimeter firewall. They have not been trained on ICMPv6 filtering requirements (RFC 4890), do not understand why "block all ICMP" breaks Neighbor Discovery, and have no IPv6-specific threat model. Faced with uncertainty, they apply the only risk mitigation available to an uninformed team: block everything.

flowchart LR
    P1["Phase 1<br>Networking<br><em>Designs addressing<br>plan in isolation</em>"]
    P2["Phase 2<br>Cloud Teams<br><em>Build dual-stack<br>independently</em>"]
    P3["Phase 3<br>Security<br><em>No IPv6 training,<br>no threat model</em>"]
    Wall["🧱<br>Perimeter<br>Firewall<br>Block"]

    P1 --> P2 --> P3 --> Wall

    style Wall fill:#f8d7da,stroke:#dc3545

The deployment stalls — not because of a technical deficiency, but because the organisation treated IPv6 as a sequential infrastructure project rather than a cross-cutting capability change.

Gene Kim's The Phoenix Project identifies this exact failure mode: functional silos optimising locally while the end-to-end value stream — in this case, IPv6 traffic reaching users — is blocked by handoff friction and knowledge gaps. Kim's First Way (systems thinking and left-to-right flow) demands that the entire delivery chain, from prefix allocation to firewall policy, be designed as a single system.

3. Case Study: The US Department of Defense

The US Department of Defense provides the most extensively documented example of organisational failure in IPv6 adoption.

In 2003, the DoD issued a mandate requiring all networked systems to be IPv6-capable. The initiative was abandoned due to security risks and a lack of trained personnel. In 2020, the Government Accountability Office published GAO-20-402, "Internet Protocol Version 6: DOD Needs to Improve Transition Planning," which examined why the earlier effort failed and assessed the DoD's readiness for a renewed mandate.

Key Findings

Finding	Implication
Failure to train and engage security personnel early was cited as a primary cause of the abandoned 2003 effort	Security teams defaulted to blocking what they did not understand — the same pattern seen in enterprise deployments
The DoD had not inventoried its IP-capable devices	Without an asset inventory, scoping the transition is impossible
No realistic cost estimates existed for the transition	Programme governance requires cost baselines; IPv6 was treated as a technical task without programme-level planning
GAO made three formal recommendations: inventory devices, estimate costs, and develop risk-based transition plans	All three are programme management activities, not networking tasks

The GAO report is notable because every recommendation it made was organisational, not technical. The DoD did not lack routing engineers who could configure OSPFv3. It lacked a programme structure that treated IPv6 as a cross-functional capability requiring coordinated training, planning, and governance.

4. Organisational Culture and IPv6 Readiness

Ron Westrum's typology of organisational cultures — originally published in the context of healthcare safety and later applied to technology organisations by the DORA (DevOps Research and Assessment) programme — provides a diagnostic lens for IPv6 readiness.

Westrum's Three Culture Types

Characteristic	Pathological (Power)	Bureaucratic (Rules)	Generative (Performance)
Information flow	Hoarded for political advantage	Flows through formal channels only	Flows freely to where it is needed
Cross-team cooperation	Discouraged; teams are rivals	Tolerated within process boundaries	Actively sought; mission over turf
Failure response	Scapegoating	Process tightening	Root-cause inquiry and learning
New ideas	Crushed	Create problems (process deviation)	Welcomed and investigated
Risk management	Concealed	Procedural compliance	Shared ownership; risks surfaced early

The DORA research, published in Accelerate (Forsgren, Humble, Kim, 2018), demonstrated that generative culture is a statistically significant predictor of both software delivery performance and organisational outcomes. For IPv6 adoption, the cultural type determines how cross-functional friction is handled:

Pathological: The networking team hoards IPv6 expertise as a power base. Security blocks the deployment and blames networking for "creating risk." The programme dies in political crossfire.
Bureaucratic: Each team follows its own change process. Networking files a change request; security opens a review ticket; months pass. IPv6 is technically approved but operationally stalled by sequential handoffs and approval queues.
Generative: Networking, security, and cloud teams form a joint working group from day one. Security raises ICMPv6 filtering concerns during the addressing design phase, not after deployment. Risks are surfaced, discussed, and resolved as a shared problem.

Diagnosing Your Organisation

Before launching an IPv6 programme, assess which cultural pattern dominates your infrastructure teams. If the answer is pathological or bureaucratic, the organisational change work must begin before the technical work — or it will be consumed by it.

flowchart TD
    Q["How does your organisation<br>handle cross-team risk?"]
    P["Pathological<br><em>Blame and conceal</em>"]
    B["Bureaucratic<br><em>Escalate through process</em>"]
    G["Generative<br><em>Surface, discuss, resolve</em>"]
    PA["Fix culture first.<br>IPv6 will fail without<br>cross-team trust."]
    BA["Streamline handoffs.<br>Embed security in the<br>IPv6 team, don't gate it."]
    GA["Ready for an integrated<br>project team. Proceed<br>with the framework below."]

    Q --> P --> PA
    Q --> B --> BA
    Q --> G --> GA

    style PA fill:#f8d7da,stroke:#dc3545
    style BA fill:#fff3cd,stroke:#ffc107
    style GA fill:#d4edda,stroke:#28a745

5. Mapping IPv6 Roles to Team Topologies

Matthew Skelton and Manuel Pais's Team Topologies (IT Revolution Press, 2019) provides a vocabulary for structuring teams around the flow of change rather than around functional specialisations. The model defines four fundamental team types and three interaction modes.

The Four Team Types

Team Type	Definition	IPv6 Mapping
Stream-aligned	Delivers value directly to users/customers; owns the end-to-end flow for a product or service	The IPv6 Integrated Project Team itself — owns the end-to-end flow from prefix allocation through to IPv6 traffic reaching production workloads
Enabling	Helps other teams acquire new capabilities; time-limited engagement focused on skill transfer	An IPv6 skills team that delivers training, pair-configures firewalls with security engineers, and disbands once the capability is embedded
Complicated-subsystem	Owns an area requiring deep specialist knowledge that most teams cannot reasonably develop	BGP/routing specialists, RPKI/ROA management, or IPsec tunnel engineering — deep protocol expertise that the stream-aligned team consumes but does not need to own. For isp6 members, isp6 itself acts as an external complicated-subsystem provider — managing RIPE registration, RPKI, ROA creation, route6 objects, and ongoing compliance so your IPT does not need to staff or build this capability in-house
Platform	Provides internal self-service capabilities that reduce cognitive load on stream-aligned teams	The infrastructure platform team that provides dual-stack VPCs, IPv6-enabled load balancers, and self-service subnet allocation as a product

The Three Interaction Modes

Mode	Definition	IPv6 Application
Collaboration	Two teams work closely together for a defined period to solve a shared problem	Networking and security co-designing ICMPv6 firewall policy during the initial deployment phase
X-as-a-Service	One team consumes another's capability through a well-defined API or interface	Application teams consuming IPv6-enabled subnets from the platform team via Terraform modules — no need to understand BGP or RIPE registration
Facilitating	An enabling team coaches another team to build a new skill	The IPv6 enabling team running workshops with the security team on NDP, ICMPv6 filtering, and IPv6 threat modelling

Why This Matters for IPv6

The traditional model — a "networking project" staffed by network engineers — maps to a single complicated-subsystem team working in isolation. It produces technically excellent routing configurations that never reach users because the stream-aligned teams (application delivery) and the platform teams (cloud infrastructure) were not part of the design.

Team Topologies reframes the question: Who owns the end-to-end flow of IPv6 traffic from allocation to production? That owner is the stream-aligned team — the Integrated Project Team — and it must include representatives from every discipline that IPv6 touches.

flowchart TD
    subgraph ipt["Stream-Aligned: IPv6 Integrated Project Team"]
        direction LR
        NET["Networking"]
        SEC["Security"]
        CLD["Cloud / Systems"]
    end

    subgraph enabling["Enabling Team"]
        TRAIN["IPv6 Training<br>& Skills Uplift"]
    end

    subgraph complicated["Complicated-Subsystem"]
        BGP["BGP / RPKI<br>Specialists"]
        ISP6["isp6 LIR Service<br>RIPE registration, ROA,<br>route6, RPKI, compliance"]
    end

    subgraph platform["Platform Team"]
        PLAT["Dual-Stack VPCs,<br>LBs, Terraform<br>Modules"]
    end

    enabling -->|"Facilitating"| ipt
    complicated -->|"X-as-a-Service"| ipt
    ipt -->|"Collaboration"| platform

IPv6 natively bridges the gap between network transport and host OS behaviour — address selection (RFC 6724), SLAAC, and NDP operate at the intersection of networking, systems, and security. A deployment model that treats these as separate domains will fail at exactly those intersection points.

6. Building the Integrated Project Team

The Integrated Project Team (IPT) is a cross-functional group with a single mandate: deliver end-to-end IPv6 connectivity from prefix allocation to production traffic. It is not a committee, a working group, or a review board. It is a delivery team with shared accountability for outcomes.

Composition

Discipline	Role in the IPT	Key Responsibilities
Networking	Prefix architecture and routing	Address plan design, BGP/OSPFv3 configuration, peering and transit. Must step out of the core-router vacuum and engage with host-level and application-level concerns. For isp6 members, RIPE registration, route6 objects, and ROA management are handled by isp6 — the networking discipline focuses on how to deploy the allocation, not how to register it
Cloud / Systems	Host and platform integration	Dual-stack VPC provisioning, host address selection policy, SLAAC/DHCPv6 configuration, application binding (listen on `[::]`), DNS AAAA publication, BYOIP onboarding. isp6 provides BYOIP guides for AWS, Azure, and Google Cloud covering exactly what the cloud team needs to configure
Security	Policy, threat modelling, and compliance	ICMPv6 firewall policy (RFC 4890), NDP security, IPv6 threat model, flow telemetry for host discovery (replacing subnet scanning), compliance framework updates
Programme management	Governance and delivery	Milestone tracking, risk register, stakeholder communication, training coordination, budget management. Owns the programme plan, not the technical decisions

Operating Principles

Single source of truth. The IPT maintains one IPv6 addressing and policy blueprint. There is no separate "networking address plan" and "security firewall policy" — they are sections of the same document, reviewed and approved together.
Concurrent design, not sequential handoff. Security policy is designed at the same time as the addressing plan, not after it. Cloud provisioning is planned in parallel with routing, not as a follow-on phase. This eliminates the cascading failure described in Section 2.
Embed, don't gate. Security is a member of the IPT, not an external review gate. If security concerns are raised during design, they are resolved within the team. If they are raised after deployment by an external review board, the programme is structurally broken.
Time-box the collaboration. Per Team Topologies, close collaboration between teams is cognitively expensive and should be time-limited. The IPT operates in intensive collaboration mode during the design and initial deployment phases, then transitions to an X-as-a-Service model where the platform team provides self-service IPv6 capabilities and the IPT disbands or scales down to a maintenance function.
Measure traffic, not configuration. The success metric is not "IPv6 is configured" — it is "IPv6 traffic is flowing in production." Instrument your deployment to measure the percentage of traffic using IPv6 from day one.

7. Leading the Transition: Kotter's 8-Step Model

John Kotter's eight-step model for leading organisational change (Leading Change, Harvard Business School Press, 1996) provides a proven structure for IPv6 adoption programmes. IPv6 is not a technology upgrade — it is a capability change that requires new skills, new processes, and new ways of working across team boundaries.

Step	Kotter's Model	IPv6 Programme Application
1	Create urgency	IPv4 exhaustion is real: RIPE NCC has been on its last /8 since 2019. AWS charges for public IPv4 ($0.005/hr per address, ~$43.80/year). IPv6-only services (Apple App Store review, T-Mobile US) are growing. Frame IPv6 not as a future concern but as an operational cost and capability gap today
2	Build a guiding coalition	Assemble the IPT sponsors: a networking director, a CISO or security architect, a cloud platform lead, and a programme manager. Without security leadership in the coalition, the deployment will stall at Phase 3
3	Form a strategic vision	"All new workloads deploy dual-stack by default. IPv6 is the primary protocol; IPv4 is the compatibility layer." A clear, directional statement that teams can align to
4	Enlist a volunteer army	Identify IPv6 champions in each team — engineers who are curious, have lab experience, or have deployed IPv6 elsewhere. These are your enabling team members who will drive adoption from within
5	Enable action by removing barriers	Procure training (RIPE NCC courses, vendor labs). Update firewall change processes to include ICMPv6 baseline rules. Provide self-service IPv6 subnet allocation from the platform team. Remove the friction that makes IPv4 the path of least resistance
6	Generate short-term wins	Deploy a non-critical workload on dual-stack and demonstrate it working. Publish the first AAAA record. Show IPv6 traffic flowing in monitoring dashboards. Early, visible wins build credibility and momentum
7	Sustain acceleration	Expand from the pilot to additional workloads, regions, and environments. Each success reduces the perceived risk and increases organisational confidence. Do not declare victory after one deployment
8	Institute change	Update the organisation's default posture: new VPCs are dual-stack, new security group templates include ICMPv6 baselines, new applications bind to `[::]`. IPv6 is no longer a project — it is how the organisation operates

The Critical Step: Number 5

Most IPv6 programmes fail at step 5. The barriers are not technical — they are procedural and educational:

Security teams lack IPv6 training and default to blocking what they do not understand
Firewall change processes do not include IPv6-specific templates or baselines
Platform teams have not updated their Terraform modules / CloudFormation templates for dual-stack
Application teams do not know how to bind to IPv6 or test dual-stack connectivity

Removing these barriers is the programme manager's primary responsibility. It is not glamorous work, but it is the work that determines whether the programme succeeds or produces another shelf of unused documentation.

8. The IPv6 Success Framework

Successful IPv6 adoption rests on two pillars. Technical competence without organisational alignment produces an engineered network that nobody uses. Organisational alignment without technical competence produces a programme that cannot deliver. Both pillars must be built concurrently.

flowchart TD
    TOP["End-to-End IPv6 Adoption"]
    P1["Pillar 1:<br><strong>Abundance Mindset</strong>"]
    P2["Pillar 2:<br><strong>Organisational Synchronisation</strong>"]

    P1A["Standardise on the<br>/64 boundary"]
    P1B["Adopt Global Unicast<br>Addressing (not ULA)"]
    P1C["Decouple filtering<br>from translation"]

    P2A["Mandate a cross-functional<br>Integrated Project Team"]
    P2B["Design security policy<br>concurrently with routing"]
    P2C["Align training across<br>all IT disciplines"]

    TOP --> P1
    TOP --> P2
    P1 --> P1A
    P1 --> P1B
    P1 --> P1C
    P2 --> P2A
    P2 --> P2B
    P2 --> P2C

Pillar 1: Abundance Mindset

Stop applying IPv4 scarcity constraints to a protocol designed for abundance:

Standardise on /64. Every end-host subnet gets a /64 — no exceptions. Do not carve smaller prefixes to "conserve" space (RFC 7421).
Use Global Unicast Addresses. Do not default to ULA as a replacement for RFC 1918. GUA behind stateful firewalls provides equivalent security without the address selection problems of RFC 6724.
Decouple filtering from translation. Firewalls provide security; NAT provided address sharing. In IPv6, these are separate concerns. Design your security posture around stateful filtering, not address translation (RFC 4864).

For a detailed treatment of these technical misconceptions, see Stop Thinking in IPv4: Misconceptions That Sabotage Your IPv6 Deployment.

Pillar 2: Organisational Synchronisation

Stop building in functional silos:

Mandate a cross-functional IPT. Networking, cloud/systems, and security must be represented in a single delivery team with shared accountability. Use the Team Topologies model to structure the team and its interactions.
Design security concurrently with routing. Security policy is not a review gate after the network is built — it is a design input from day one. The ICMPv6 filtering baseline, the IPv6 threat model, and the flow telemetry strategy are all designed alongside the address plan.
Align training across disciplines. Every member of the IPT needs IPv6 training, not just the networking engineers. Security teams need ICMPv6 and NDP training. Cloud teams need BYOIP and dual-stack provisioning training. Use the RIPE NCC's free training courses at learning.ripe.net as a baseline.

Successful IPv6 deployment is 50% unlearning old technical constraints and 50% dismantling operational silos.

9. Recommendations

#	Recommendation	Owner
1	Assess organisational culture using Westrum's typology before launching the programme. If the culture is pathological or bureaucratic, address this first — the IPv6 work will not survive cross-team friction	Programme sponsor
2	Form the Integrated Project Team with representatives from networking, cloud/systems, security, and programme management. This is a delivery team, not a steering committee	Programme manager
3	Invest in training across all disciplines. Use RIPE NCC's free IPv6 training courses. Budget for vendor-specific training (AWS, Azure, GCP) on dual-stack and BYOIP. isp6's knowledge base provides cloud-specific BYOIP guides and technical reference material for your team	Programme manager
4	Create a single IPv6 blueprint covering addressing, routing, security policy, and platform integration. Maintain it as one document owned by the IPT	IPT collectively
5	Design security policy concurrently with the address plan. Include ICMPv6 baselines, NDP security, and flow telemetry from the start	Security lead within IPT
6	Start with a non-critical pilot to generate a short-term win (Kotter step 6). Deploy a staging or internal workload on dual-stack and measure IPv6 traffic flow	IPT collectively
7	Measure traffic, not configuration. The success metric is the percentage of production traffic using IPv6, not the number of interfaces configured	Programme manager
8	Plan the team's evolution. The IPT operates in collaboration mode during design and initial deployment, then transitions to X-as-a-Service as IPv6 becomes the default. Budget for both phases	Programme sponsor

10. References

Organisational Models and Change Management

Source	Author(s)	Publisher / Year	Relevance
Team Topologies: Organizing Business and Technology Teams for Fast Flow	Matthew Skelton, Manuel Pais	IT Revolution Press, 2019	Four team types and three interaction modes for structuring cross-functional delivery teams
Accelerate: The Science of Lean Software and DevOps	Nicole Forsgren, Jez Humble, Gene Kim	IT Revolution Press, 2018	DORA research demonstrating the link between generative culture and delivery performance; applies Westrum's typology to technology organisations
Leading Change	John P. Kotter	Harvard Business School Press, 1996	Eight-step model for leading organisational change; directly applicable to IPv6 adoption programmes
The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win	Gene Kim, Kevin Behr, George Spafford	IT Revolution Press, 2013	The Three Ways (Flow, Feedback, Continual Learning); illustrates the cost of functional silos in technology delivery
The Unicorn Project	Gene Kim	IT Revolution Press, 2019	The Five Ideals of DevOps, including Locality and Simplicity, and Psychological Safety; reinforces the case for small, empowered, cross-functional teams
"A Typology of Organisational Cultures"	Ron Westrum	Quality and Safety in Health Care, 2004	Original paper defining pathological, bureaucratic, and generative culture types
DORA: Generative Organizational Culture	DORA / Google Cloud	Online	Application of Westrum's typology to technology delivery performance

Government and Institutional Reports

Source	Reference	Year	Relevance
Internet Protocol Version 6: DOD Needs to Improve Transition Planning	GAO-20-402	2020	US Government Accountability Office report documenting the organisational failures of the DoD's IPv6 mandate; all three recommendations were programme management activities
Guidelines for the Secure Deployment of IPv6	NIST SP 800-119	2010	NIST guidance on IPv6 security, including deployment planning and transition strategy

IPv6 Training and Deployment Guidance

Source	Publisher	Relevance
RIPE NCC IPv6 Info Centre	RIPE NCC	Phased deployment planning guide covering address allocation, routing, reverse DNS, and IRR registration
RIPE NCC Training Courses	RIPE NCC	Free IPv6 training: Basic (1 day), Advanced (2 days with labs), and Security (1 day)
RIPE-690: Best Current Operational Practice for Operators — IPv6 Prefix Assignment for End-Users	RIPE NCC	Operational guidance for IPv6 prefix assignment policies

Technical References

RFC	Title	Relevance
RFC 4890	Recommendations for Filtering ICMPv6 Messages in Firewalls	The authoritative guide to ICMPv6 firewall policy — the document security teams must read before configuring IPv6 firewalls
RFC 6724	Default Address Selection for IPv6	Default address selection policy table; explains why ULA is deprioritised below IPv4 on dual-stack hosts
RFC 7421	Analysis of the 64-bit Boundary in IPv6 Addressing	Why every end-host subnet must be a /64
RFC 4864	Local Network Protection for IPv6	How IPv6 achieves NAT-equivalent protection without address translation

Designing the Next Internet: An Introduction to IPv6 — an accessible primer to share with cross-functional team members who need a baseline understanding of the protocol before joining the programme
Stop Thinking in IPv4: Misconceptions That Sabotage Your IPv6 Deployment — technical companion covering the six most common IPv4 reflexes that harm IPv6 deployments
Planning Your isp6 Allocation — sizing and structuring a /48 or /44, the architect's counterpart to the programme-level framing in this article
Bring Your Own IPv6 to AWS — step-by-step guide for isp6 members, covering what isp6 handles vs. cloud-side configuration
Bring Your Own IPv6 to Azure — Custom IP Prefix onboarding for isp6 members
Bring Your Own IPv6 to Google Cloud — PAP/PDP model for isp6 members

This document is provided for informational purposes. Protocol specifications and cloud provider behaviour are subject to change. Consult the linked RFCs and vendor documentation for authoritative, up-to-date information before making architectural decisions.