> There is a third major challenge to dual-stack that isn't addressed in
> the document: differing network security models that must deliver the
> same result for the same collection of hosts regardless of whether
> IPv4 or v6 is selected. I can throw a COTS D-Link box with
> address-overloaded NAT on a connection and have reasonably effective
> network security and anonymity in IPv4. Achieving comparable results
> in the IPv6 portion of the dual stack on each of those hosts is
> complicated at best.

Actually, it isn't particularly hard at all... Turn on privacy addressing on each of the hosts (if it isn't on by default) and then put a Linux firewall in front of them with a relatively simple ip6tables configuration for outbound only.
(The Linux firewall could be as simple as a WRT-54G running dd-wrt or such).

Owen
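
An outbound-only ip6tables policy of the kind the reply above describes, as an added example that is not part of the original message. The function name and the interface names `eth0` (WAN) and `br0` (LAN) are assumptions; the function only prints the ruleset, so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example (not from the original message): prints an ip6tables-restore
# ruleset for an outbound-only IPv6 gateway. Interface names are arguments.
# Host side, on Linux: sysctl -w net.ipv6.conf.<iface>.use_tempaddr=2
outbound_only_ruleset() {
    wan=$1; lan=$2
    if [ -z "$wan" ] || [ -z "$lan" ]; then
        echo "usage: outbound_only_ruleset WAN_IF LAN_IF" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Gateway itself: loopback and replies to traffic it originated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only needed when the gateway is a DHCPv6 client on the WAN side
-A INPUT -i $wan -p udp -s fe80::/10 --dport 546 -j ACCEPT
EOF
    # Neighbor discovery (RS, RA, NS, NA) must reach the gateway or IPv6 stops
    # working; hop limit 255 shows the packet was sent on-link.
    for t in 133 134 135 136; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    cat <<EOF
# Forwarding: LAN hosts may open connections, the WAN may only answer them.
# RELATED covers ICMPv6 errors such as Packet Too Big (path MTU discovery).
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}
# Usage (as root): outbound_only_ruleset eth0 br0 | ip6tables-restore
```

With the INPUT policy at DROP, LAN hosts cannot reach services on the gateway itself (DNS, admin interface) until rules for those are added.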