* Translating between IPv4 and IPv6 may expose transactions to attack. Because IPv4 and IPv6 are not "bits on the wire" compatible, protocol translation is seen as one path to wider deployment and adoption. Translating traffic from IPv4 to IPv6 inevitably means mediating transactions as they move through the network. Think of a mail sorter at a post office transfer facility that must open every IPv4 envelope to put each letter into an IPv6 one so that it reaches the correct address, at times changing the content of the documents inside so that they agree with the new IPv6 envelope information (the way an application-layer gateway must rewrite IP addresses embedded in a protocol payload). Each time this happens, a poor implementation or a bad actor has an opportunity to tickle or exploit a potential vulnerability. Translation also compromises the end-to-end principle by introducing middleboxes that must maintain transaction state, and it complicates the network. In general, security staff should pay attention to the security aspects of all translation and transition mechanisms (including tunneling), and should enable such mechanisms only explicitly, after they have been thoroughly evaluated.
* Large network segments are both good and bad. IPv6 introduces network segments that are significantly larger than those we see today. The current recommended prefix length for an IPv6 subnet is /64 (2^64 addresses), which can accommodate some 18 quintillion hosts on a single segment! While this enables virtually unlimited LAN growth, its size also presents challenges. For instance, a brute-force vulnerability scan of a single IPv6 /64 would take more than half a million years at a million probes per second, while a single IPv4 /24 subnet (2^8 = 256 addresses) takes only seconds. Since a comprehensive scan is impractical, a better approach may be to use only the first /118 of the segment (1,024 addresses, the same number of hosts as an IPv4 /22) to narrow the range of IPs to scan, or perhaps to allocate all addresses explicitly and deny all others implicitly. Either way, careful IP address management and monitoring become even more crucial than they are today. One should also expect attackers to employ passive domain name system (DNS) analysis and other reconnaissance techniques in place of traditional scanning.
* Neighbor discovery and solicitation can expose networks to attack. Neighbor discovery (ND) in IPv6 uses five types of Internet Control Message Protocol version 6 (ICMPv6) messages (Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, and Redirect) for several purposes, including determining the link-layer addresses of neighbors on the attached links, purging cached values that become invalid, and discovering routers willing to forward packets on a host's behalf. While ND offers many useful functions, including duplicate address detection (DAD), it also presents opportunities to attackers. ND attacks in IPv6, such as spoofed Neighbor Advertisements and rogue Router Advertisements, will quite likely replace their IPv4 counterparts such as ARP spoofing. In general, it's a good idea to keep switch ports disabled unless explicitly provisioned, to implement link-layer access control and security mechanisms, and to disable IPv6 completely where it's not in use.
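The address-space arithmetic and the "use only the first /118, allocate explicitly, deny implicitly" approach from the large-segment point above, worked through as an added example (this is not code from the original article). The helper names are hypothetical, the probe rate of one million per second is an assumption, and 2001:db8::/64 is the RFC 3849 documentation prefix standing in for a real segment.

```python
"""Added example: IPv6 segment size math and an allocation-driven scan scope.

Hypothetical helpers; not from the original article.  Prefixes use the
RFC 3849 documentation range 2001:db8::/32 and RFC 5737 range 192.0.2.0/24.
"""
import ipaddress
from typing import Iterable, Iterator, List

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def host_count(network: str) -> int:
    """Number of addresses in a prefix: 2 ** (address bits - prefix length)."""
    net = ipaddress.ip_network(network, strict=False)
    return 2 ** (net.max_prefixlen - net.prefixlen)


def brute_force_scan_years(network: str, probes_per_second: float = 1_000_000) -> float:
    """Years needed to probe every address in the prefix once at the given rate
    (the rate is an assumption; real scanners vary widely)."""
    return host_count(network) / probes_per_second / SECONDS_PER_YEAR


def scan_scope(segment: str, used_prefixlen: int = 118) -> ipaddress.IPv6Network:
    """Narrow a /64 segment to its first sub-prefix.  With the default /118 that
    is 1,024 addresses, the range the organization has agreed to place hosts in,
    so a scanner covers the whole agreed range instead of 2**64 candidates."""
    seg = ipaddress.IPv6Network(segment, strict=False)
    if used_prefixlen <= seg.prefixlen:
        raise ValueError("used prefix must be longer than the segment prefix")
    return next(seg.subnets(new_prefix=used_prefixlen))


def scan_targets(segment: str, used_prefixlen: int = 118) -> Iterator[str]:
    """Every address inside the agreed sub-prefix, as strings for a scanner."""
    return (str(addr) for addr in scan_scope(segment, used_prefixlen))


def unexpected_hosts(segment: str, allocated: Iterable[str], observed: Iterable[str],
                     used_prefixlen: int = 118) -> List[str]:
    """Explicit-allocation policy: an address seen on the segment (from neighbor
    caches, flow logs, DHCPv6 leases, ...) is acceptable only if it is recorded
    as allocated AND lies inside the agreed sub-prefix; anything else is reported."""
    scope = scan_scope(segment, used_prefixlen)
    allowed = {ipaddress.IPv6Address(a) for a in allocated}
    flagged = []
    for addr in observed:
        ip = ipaddress.IPv6Address(addr)
        if ip not in allowed or ip not in scope:
            flagged.append(str(ip))
    return flagged


if __name__ == "__main__":
    print(f"/64 brute-force scan: {brute_force_scan_years('2001:db8::/64'):,.0f} years")
    print(f"IPv4 /24 brute-force scan: {brute_force_scan_years('192.0.2.0/24'):.9f} years")
    print("scope:", scan_scope("2001:db8:0:1::/64"))
    # Constructed sample data: two allocated hosts, three addresses observed on the wire.
    print(unexpected_hosts("2001:db8:0:1::/64",
                           allocated={"2001:db8:0:1::10", "2001:db8:0:1::11"},
                           observed=["2001:db8:0:1::10", "2001:db8:0:1::2ff",
                                     "2001:db8:0:1:abcd::1"]))
```

The second flagged address in the sample sits outside the agreed /118 entirely, which is the case that matters most: a host (or an attacker) that self-configures an address the organization never allocated would be invisible to a scanner that only walks the agreed range, so the allocation record, not the scan, has to be the authority.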
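To show what an ND attack looks like on the wire and how the "link-layer security mechanisms" the last point recommends can detect it, here is an added example (not from the original article) that builds and parses ICMPv6 Neighbor Advertisement messages per RFC 4861 and keeps an arpwatch-style neighbor table. The class and function names are hypothetical, the messages are constructed in memory (no sockets, checksums left at zero), and the link-local addresses and MACs are made up.

```python
"""Added example: parse ICMPv6 Neighbor Advertisements and flag binding changes.

Hypothetical helpers; not from the original article.  Messages are built in
memory for illustration, so the ICMPv6 checksum is left as zero.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

ICMPV6_NEIGHBOR_ADVERTISEMENT = 136   # RFC 4861 section 4.4
OPT_TARGET_LINK_LAYER = 2             # RFC 4861 section 4.6.1
FLAG_ROUTER = 0x80000000
FLAG_SOLICITED = 0x40000000
FLAG_OVERRIDE = 0x20000000


def build_na(target: str, mac: str, solicited: bool = True,
             override: bool = False, router: bool = False) -> bytes:
    """Construct an NA: 8-byte ICMPv6 header, 16-byte target, target link-layer option."""
    flags = ((FLAG_ROUTER if router else 0) | (FLAG_SOLICITED if solicited else 0)
             | (FLAG_OVERRIDE if override else 0))
    header = struct.pack("!BBHI", ICMPV6_NEIGHBOR_ADVERTISEMENT, 0, 0, flags)
    target_bytes = ipaddress.IPv6Address(target).packed
    # Option length is in units of 8 octets: type(1) + len(1) + MAC(6) = 8.
    option = struct.pack("!BB6s", OPT_TARGET_LINK_LAYER, 1, bytes.fromhex(mac.replace(":", "")))
    return header + target_bytes + option


def parse_na(msg: bytes) -> Optional[Tuple[str, Optional[str], int]]:
    """Return (target, mac_or_None, flags) for a well-formed NA, else None."""
    if len(msg) < 24:
        return None
    msg_type, code, _checksum, flags = struct.unpack("!BBHI", msg[:8])
    if msg_type != ICMPV6_NEIGHBOR_ADVERTISEMENT or code != 0:
        return None
    target = str(ipaddress.IPv6Address(msg[8:24]))
    mac = None
    offset = 24
    while offset + 2 <= len(msg):
        opt_type, opt_len = msg[offset], msg[offset + 1]
        if opt_len == 0:                      # RFC 4861 4.6: zero length is invalid
            return None
        size = opt_len * 8
        if offset + size > len(msg):          # truncated option
            return None
        if opt_type == OPT_TARGET_LINK_LAYER:
            mac = ":".join(f"{b:02x}" for b in msg[offset + 2:offset + 8])
        offset += size                        # unknown options are skipped, per RFC 4861
    return target, mac, flags


class NeighborWatch:
    """Track target -> link-layer bindings seen in NAs and alert when one changes.
    An unsolicited NA with Override set that rebinds a known target is the
    signature of NA spoofing, the IPv6 analogue of a gratuitous ARP reply."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, msg: bytes) -> Optional[str]:
        parsed = parse_na(msg)
        if parsed is None:
            return None
        target, mac, flags = parsed
        if mac is None:                       # NA without a link-layer option
            return None
        alert = None
        known = self.cache.get(target)
        if known is not None and known != mac:
            alert = f"{target} moved from {known} to {mac}"
            if (flags & FLAG_OVERRIDE) and not (flags & FLAG_SOLICITED):
                alert += " (unsolicited NA with Override set: possible spoofing)"
            self.alerts.append(alert)
        self.cache[target] = mac              # record the current binding either way
        return alert


if __name__ == "__main__":
    watch = NeighborWatch()
    # Constructed traffic: a legitimate solicited NA, then an attacker claiming the same target.
    watch.observe(build_na("fe80::1", "00:11:22:33:44:55"))
    print(watch.observe(build_na("fe80::1", "de:ad:be:ef:00:01", solicited=False, override=True)))
```

A real monitor would read NAs from a raw socket or a pcap, verify the checksum, and also watch Router Advertisements, since a rogue RA redirects a whole segment's default route; the binding-change logic is the same.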