You finally have realized that a transition to IPv6
must happen in your organization. It is also obvious
that one fell swoop is NOT a possibility.
Are there proxy-ing, tunneling or masking tools to ease the
Please note: source routing and ICMPv6 are REQUIRED
for IPv6. These are viewed as BIG security liabilities
by many system Administrators...not any more...
ARP is also feared by system Administrators and is
now called ND : "Neighbor Discovery". It turns an
ethernet's own address into a 128bit IPv6 address that
can not go through a router (un-routable). This is
also known as stateless "IPV6 auto-configuration",
(The auto-configuration address is supposed to be
There are indeed particular prefixes for IPv6 addresses
that are reserved to sugar coat IPv4. This is spelled
out in RFC 2529. But there is a limitation for multiple
subnets: Multicast must be available because IPv4 acts
as virtual datalink layer. This can be a problem.
ISATAP is an alternative BUT is more complex and is
well supported by Operating Systems. (See also:
This will also directly translate an IPv4 address into
the IPv6 space but is recognizably different than RFC
2529 / 6over4.
Both of these mechanisms use a Protocol number of 41.
There is also RFC 5569. This is for relaying between IPv6
subnets. It was pioneered by a Frenchman at free.fr
and is the reason France has one of the highest IPv6
usage rates. The Frenchman is Rémi Després.
Comcast and Softank of Japan have both deployed it.
Most major operating systems already support IPv6.
Opensuse, Fedora, and other Linux distributions
that autostart their IP interfaces (will show an
IPv4 and an IPv6 autoconfigured address). IPv6
is some fifteen years old. Java already supports it
as does VMWare and VirtualBox.
Domain Name Service
Domain Name Service is that overworked (and fragile)
mechanism for turning www.something.com into something
a computer can actually understand: numbers. There are
a number of different types of records DNS can be asked
for (not exhaustive):
|| Canonical Name
||IPv4 address translation
||This can vary and is the least likely to be supported.
||This is the IPv6 equivalent to IPv4's "A" record.
As this article warned before, impersonating a DNS
server, especially a public one, is easy. There is no
real attempt at masking DNS Queries. DNSSEC (required
by IPv6) has had a painful gestation because of the
perceived complexities and processor hit in supporting
SSL type (X.509 based) keys. A suggestion for Elliptical
Curve cryptography was implemented by Sun Microsystems
but for Patent reasons, it has been turned off/hidden
in most openssl installations.