One of networking's greatest arguments: IPv4 vs. IPv6

You say that a lot of organizations may already have IPv6 running over their networks and not realize it. Can you give me an example of how this happens?

Well it might happen if they have IPv6-capable hosts, meaning that maybe their own network doesn't run IPv6 per se but that traffic can be tunneled over IPv4 systems. If you have machines on your network that run Vista, then that would run both protocols at the same time. And even if your network isn't using the IPv6 stack, there are ways to awaken the IPv6 stack. For instance, Windows XP systems can be configured to run IPv6, so a hacker can turn it on by infecting your machine with some worm that changes your settings.

Can you explain in greater detail what you mean by IPv6 traffic being "tunneled" through IPv4 systems?

Sure. So right now there aren't nearly as many IPv6 addresses as there are IPv4 addresses. And the problem comes in when you need to get two IPv6 islands to talk to each other in an ocean of IPv4 networks. So the solution is that we encapsulate the IPv6 traffic inside what looks on the outside like IPv4 traffic so it can be sent over IPv4 networks. The security implications of this come in if I have a simple firewall that just sees an IPv4 box and doesn't parse it enough to see that there's something else in there. The firewalls don't look closely enough at encapsulated packets because the typical firewall today has nothing capable of opening up the capsule. Some vendors are starting to work together on this problem but they aren't there yet.

What are some of the unique challenges in securing a dual-stack network that supports both IPv4 and IPv6?