When you introduce IPv6 into an existing network, you must take necessary precautions to ensure that you do not compromise the security of the site.
Be aware of the following security issues as you phase in your IPv6 implementation:
The same amount of filtering is required for both IPv6 packets and IPv4 packets.
IPv6 packets are often tunneled through a firewall.
Therefore, you should implement either of the following scenarios:
Have the firewall perform content inspection inside the tunnel.
Put an IPv6 firewall with similar rules at the opposite tunnel endpoint.
Some transition mechanisms that use IPv6 over User Datagram Protocol (UDP), and User Datagram Protocol (UDP) over IPv4 tunnels exist. These mechanisms might prove problematic by short-circuiting the firewall.
IPv6 nodes are globally reachable from outside the enterprise network. If your security policy prohibits public access, you must establish stricter rules for the firewall. For example, consider configuring a stateful firewall.
Refer to the following documents for information about security features that you can use with an IPv6 implementation:
IPsec enables you to provide cryptographic protection for IPv6 packets. For more information, refer to Chapter 8, About IP Security Architecture in Securing the Network in Oracle Solaris 11.3.
IKE and IKEv2 automates keys management for IPsec. For more information, refer to Chapter 10, About Internet Key Exchange in Securing the Network in Oracle Solaris 11.3.