When you introduce IPv6 into an existing network, you must take care not to compromise the security of the site. Be aware of the following security issues as you phase in your IPv6 implementation:
The same amount of filtering is required for both IPv6 packets and IPv4 packets.
IPv6 packets are often tunneled through a firewall. Therefore, you should implement either of the following scenarios:
Have the firewall do content inspection inside the tunnel.
Put an IPv6 firewall with similar rules at the opposite tunnel endpoint.
Some transition mechanisms exist that use IPv6 over UDP over IPv4 tunnels. These mechanisms might prove dangerous by short-circuiting the firewall.
IPv6 nodes are globally reachable from outside the enterprise network. If your security policy prohibits public access, you must establish stricter rules for the firewall. For example, consider configuring a stateful firewall.
This book includes security features that can be used within an IPv6 implementation.
The IP security architecture (IPsec) feature enables you to provide cryptographic protection for IPv6 packets. For more information, refer to Chapter 19, IP Security Architecture (Overview).
The Internet Key Exchange (IKE) feature enables you to use public key authentication for IPv6 packets. For more information, refer to Chapter 22, Internet Key Exchange (Overview).