* Choking on large extension headers, firewalls and security gateways could fall prey to DDoS attacks. In IPv6, the IP options function has been removed from the main header and is instead implemented via a set of additional headers called extension headers (EH) that specify destination options, hop-by-hop options, authentication and an array of other options. These extension headers follow the IPv6 main header, which is fixed at 40 bytes, and are linked together to create an IPv6 packet (fixed header + extension headers + payload). IPv6 traffic with large numbers of extension headers could overwhelm firewalls and security gateways, or perhaps even introduce router forwarding performance degradation, and thus serve as a potential vector for DDoS and other attacks. Disabling "IPv6 source routing" on routers may be necessary to protect against DDoS threats, and explicitly codifying which extension headers are supported and checking network equipment for proper implementation is critical. In general, IPv6 adds many more components to be filtered or require scoped propagation, to include some extension headers, multicast addressing, and increased uses for ICMP.
* 6to4 and 6RD proxying may encourage attacks and abuse. 6to4 -- along with its ISP rapid deployment cousin, 6RD -- allows IPv6 packets to jump the IPv4 moat without having to configure dedicated tunnels. But deploying IPv6 proxy servers may avail proxy operators to a world of trouble, including discovery attacks, spoofing and reflection attacks, and proxy operators themselves can be leveraged as a "source" for attacks and abuse.
* Support for IPv6 services could expose existing IPv4 applications or systems. One limitation is that existing security fixes may only be applied to IPv4 support, yet most kernels will prefer IPv6 interfaces before IPv4 when engaging in such activities as DNS lookups in order to foster more rapid IPv6 deployment. Indeed, the dynamic between IPv6 and IPv4 could result in a doubling of traffic for each DNS lookup (with both AAAA and A records requested, or worse, each over IPv4 and IPv6). This could result in large amounts on unnecessary DNS traffic in order to optimize for user experience. OS and content vendors frequently put hacks in place to mitigate or optimize for this behavior (e.g., AAAA whitelisting), which creates added system load and state. Additionally, it should certainly be observed that with new IPv6 stacks being accessible new vulnerabilities are sure to surface. Dual-stacking during a long transitional coexistence period, and inter-dependences between routers, end systems, and network services such as the DNS are sure to serve as fertile ground for miscreants.
* Many users may be obscured behind fixed sets of addresses. Obscuring users behind large network address translation protocol translation (NAT-PT) devices could break useful functions like geolocation or tools that enable attribution of malicious network behaviors, and make number and namespace reputation-based security controls more problematic.