Securing tunnel endpoints for IPv6 transition in enterprise networks

Tunneling IPv6-in-IPv4 has become common at the early stage of IPv6 deployment. Unfortunately, tunneling introduces security threats in which intruders may spoof the address of the packet origin, and potentially inject the packet at the tunnel endpoint. Additionally, during the coexistence of both IPv4 and IPv6 in the network, one of the protocols may escape from firewall by being encapsulated in the other protocol. Mitigating the issue is possible by utilizing IPsec to authenticate the incoming packet. Nevertheless, in order to thoroughly secure the tunnel endpoints, this paper puts forward the importance of having separate firewalls to filter IPv4 as well as IPv6 packet to ensure that none of the packets can escape the filtering process. Our preliminary result shows that applying separate firewalls at the tunnel endpoints does not really cause delay or give significant effect to the filtering time.