(In)security of some of IPv6 specs

Some of IPv6 specs talks conflicting thing
Too many tunnelling specifications, with different definitions - hairy inbound processing
Use of special addresses (IPv4 mapped) - impose more work to third-party userland programs, insecure behavior by default
Issues with translators - tend to be configured as an open relay, help bad guys mistakenly

Solution: careful implementation, feedback to specs
Diagnose each specs and implement items that make sense only
Put enough warnings to users (education/documentation)
Careful restrictions/tweaks into API, feedback to specs

KAME case:
6to4 is not enabled by default
IPv4 mapped address is not enabled by default, or not supported at all
Filter out some of misconfigured DNS database entries