Migrating a firewall from IPv4 to IPv6
I am working in a project to migrate a firewall application from IPv4 to IPv6. I have several questions:
- What changes and modifications might be needed?
- Will the popular protocols such as FTP, HTTP, POP3 also need to be adapted/modified?
- Which IPv6 components should or must be implemented?
- Which tunneling/transition mechanism to prefer?
As I am new to this network security field, I hope you guys could give me some valuable input. Thanks in advance.
There are a lot of things to consider. Off the top of my head:
- Learn the difference between link-local (fe80::/10), global unicast, and multicast address ranges. Make sure you support interface scoping with link-local addresses (you will see addresses like fe80::1%eth1, which will indicate the link-local address on the eth1 interface).
- ARP equivalent (IPv6 neighbor discovery) is now part of ICMP. This is important because if the user wants to block ICMP packets and isn't careful, they could lose all their connectivity!
- Most (sane) protocols will not need major changes. FTP is one protocol that will potentially need changes, since it sometimes passes network addresses within the protocol itself (rather than letting the lower-level protocols take care of it).
- The most basic tunneling/transition mechanism you will need is called 6in4; it simply encapsulates IPv6 packets within IPv4 packets and allows the user to manually configure the endpoints of the tunnel. Automatic tunneling mechanisms like 6to4 and Teredo can also be useful in some situations.
- If you are selling a commercial product, I recommend you take a look at the USGv6 test selection tables. Also, read through the USGv6 profile which has pointers to many of the RFCs you will need to understand in order to develop an IPv6-compliant product. Not supporting the USGv6 profile for a network protection device (NPD) could severely limit your market. Finally, get some training! IPv6 is vastly different from IPv4 in many ways. If your employer wants this project to succeed, training will be critical given that it appears that many project members are new to both IPv6 and network security. (do you have a mentor on the team to ask questions?)
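Added example (not part of the answer above) illustrating its first two points: classifying IPv6 addresses with their interface zone, and checking a first-match rule list so that a "block all ICMP" rule does not also drop the Neighbor Discovery types that replace ARP. The rule dictionary format and the sample policies are constructed for this illustration.

```python
import ipaddress

# ICMPv6 types used by Neighbor Discovery (RFC 4861). ND replaces ARP, so a
# rule that drops all ICMPv6 silently breaks address resolution on the link.
ND_TYPES = {133: "router-solicitation", 134: "router-advertisement",
            135: "neighbor-solicitation", 136: "neighbor-advertisement"}
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # RFC 4291 global unicast range


def classify(text):
    """Return (kind, zone) for an address string such as 'fe80::1%eth1'.
    The '%zone' suffix is the interface scope; it is split off before parsing
    so the code does not depend on ipaddress supporting scope IDs."""
    literal, _, zone = text.partition("%")
    addr = ipaddress.IPv6Address(literal)
    if addr.is_multicast:            # ff00::/8
        kind = "multicast"
    elif addr.is_link_local:         # fe80::/10
        kind = "link-local"
    elif addr in GLOBAL_UNICAST:
        kind = "global-unicast"
    else:
        kind = "other"               # e.g. ::1, unique-local fc00::/7
    return kind, (zone or None)


def dropped_nd_types(rules):
    """First-match evaluation of a rule list; returns the ND types it drops.
    Rule format is hypothetical: {"action": "allow"|"drop", "proto": str,
    "types": set of ICMPv6 types or None meaning every type}."""
    dropped = set()
    for icmp_type in ND_TYPES:
        for rule in rules:
            if rule["proto"] != "icmpv6":
                continue
            if rule["types"] is None or icmp_type in rule["types"]:
                if rule["action"] == "drop":
                    dropped.add(icmp_type)
                break                # first matching rule decides
    return dropped


# Constructed sample policies: a naive "block all ICMP" policy, and the same
# policy with an explicit ND allow rule in front of it.
NAIVE_POLICY = [{"action": "drop", "proto": "icmpv6", "types": None},
                {"action": "allow", "proto": "tcp", "types": None}]
SAFE_POLICY = [{"action": "allow", "proto": "icmpv6", "types": set(ND_TYPES)}] + NAIVE_POLICY
```

A policy linter built on `dropped_nd_types` would flag the naive policy, since every ND type falls through to the blanket drop rule.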