RE: Re: [suse-security] ipv6 insecure?
> IPv6 has no mechanism like masquerading or PAT/NAT/PNAT per design, because it breaks the mandatory feature end-to-end security. This results in an end-to-end connection through anything in between.
There are people (such as me) who see this as a benefit. More often than not, those people think of PAT/NAT/PNAT as a kludge^H^H^H^H^H^Hsmart hack to conserve IPv4 address space, make (often sloppy) ad-hoc IP network design easier and come by without proxies for many protocols. And not a security mechanism.
> 2) if no firewalling is done, but IPv6 access is established, in fact a client is completely "IPv6-open" to the Internet, even if protected by IPv4 firewalls.
I don't think the Goths would have been exactly dismayed to find only one of the hypothetical two gates to Rome open and the other heavily fortified... This is an option, of course, albeit more of an academic nature.
> 4) IPv4 people also have to rethink "We are secure because we use private IPv4 addresses and a dynamic portfilter FW or simple transparent proxy FW", because of:
> - you are able to tunnel most of the traffic over HTTPS, HTTP (think about SOAP), ICMP, DNS a.s.o. or other valid encrypted traffic.
This is nonsense anyhow. I believe you mean to say the same, so I agree wholeheartedly.
> Only very few firewalls (try to) do full payload checking and rewriting (last one is important).
What you say sounds a lot like 'application {layer/level} gateway'. :-)
> For IPv6, such transparent check&rewrite proxies are needed.
I'm not sure *transparent* proxies are needed, I have a dislike for those. I believe protocols should be designed to be proxy-compatible and I mean ALG, not simply SOCKS.
> * For total protection: forget gateway security for IPv6 (for IPv4 also...), you can block some ports, but what happens if end-to-end security is established (mandatory feature) - gateway sees nothing anymore
This is already a problem with end-to-end security, it's not restricted to IPSec (which is available for IPv4 as well, just not mandatory and not in widespread use). SSL, SSH, etc. all pose serious problems for firewalls and firewall systems.

Cheers
Tobias
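The point 2) above (an IPv4 packet filter says nothing about the host's IPv6 exposure) is easy to check mechanically. The script below is an added example, not part of the original mail or of any SUSE tooling: it parses two constructed dumps in iptables-save / ip6tables-save format (sample data, not from a real host), compares the built-in INPUT and FORWARD chains of the filter table, and reports chains that are restricted for IPv4 but wide open for IPv6. A hardened IPv6 fragment is included for comparison; note that it must still let ICMPv6 through, since neighbor discovery depends on it (RFC 4890 lists the types that should be allowed).

```python
"""Audit whether a host's IPv6 filter is at least as strict as its IPv4 filter.

All dumps below are constructed samples in iptables-save / ip6tables-save
format; they were not captured from a real system.
"""
import re

# ":CHAIN POLICY [pkts:bytes]" lines declare a chain and its default policy.
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[")
# "-A CHAIN ..." lines append a rule to a chain.
RULE_RE = re.compile(r"^-A\s+(\S+)")

V4_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# The IPv6 side as often found on a "protected" IPv4-only designed host:
# the filter table exists, but every chain accepts and there are no rules.
V6_OPEN_DUMP = """\
# Generated by ip6tables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# A mirror of the IPv4 policy for IPv6. ICMPv6 is allowed because neighbor
# discovery needs it; RFC 4890 gives a finer-grained list of types.
V6_HARDENED_DUMP = """\
# Generated by ip6tables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def filter_chains(dump: str) -> dict:
    """Return {chain: {"policy": str, "rules": int}} for the *filter table only."""
    chains = {}
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*filter"
            table = line[1:]
            continue
        if line == "COMMIT":              # end of the current table
            table = None
            continue
        if table != "filter":
            continue
        m = CHAIN_RE.match(line)
        if m:
            chains[m.group(1)] = {"policy": m.group(2), "rules": 0}
            continue
        m = RULE_RE.match(line)
        if m and m.group(1) in chains:
            chains[m.group(1)]["rules"] += 1
    return chains


def audit(v4_dump: str, v6_dump: str) -> list:
    """List built-in chains that are restricted for IPv4 but unrestricted for IPv6."""
    v4 = filter_chains(v4_dump)
    v6 = filter_chains(v6_dump)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        # A missing chain behaves like ACCEPT with no rules.
        c4 = v4.get(chain, {"policy": "ACCEPT", "rules": 0})
        c6 = v6.get(chain, {"policy": "ACCEPT", "rules": 0})
        v4_restricted = c4["policy"] != "ACCEPT" or c4["rules"] > 0
        v6_open = c6["policy"] == "ACCEPT" and c6["rules"] == 0
        if v4_restricted and v6_open:
            findings.append(
                f"{chain}: IPv4 policy {c4['policy']} with {c4['rules']} rule(s), "
                f"but IPv6 policy ACCEPT with no rules"
            )
    return findings


if __name__ == "__main__":
    for name, v6 in (("open", V6_OPEN_DUMP), ("hardened", V6_HARDENED_DUMP)):
        print(f"IPv6 ruleset '{name}':")
        for finding in audit(V4_DUMP, v6) or ["no gap found"]:
            print("  " + finding)
```

On a real host the same comparison can be run by feeding the actual output of `iptables-save` and `ip6tables-save` to `audit()`; the check deliberately treats an absent chain as open, because a host with no IPv6 filter loaded at all is exactly the case the mail warns about.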
participants (1)
- Reckhard, Tobias