
Section 5.3 of RFC 6052 explained how an attacker could abuse the NAT64 translation mechanism to bypass security mechanisms such as firewalls or IDS/IPS if those devices only have an IPv4 blacklist. The mitigation is to convert the IPv4-embedded IPv6 address to IPv4, then compare it with the IPv4 blacklist.

My question is how to implement the converting and comparing mechanism in network security devices? Does any vendor already support such a mechanism?

0 Answers
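An added example, not part of the original question and not any vendor's implementation: one way to do the conversion and comparison in Python, covering all six prefix lengths that RFC 6052 section 2.2 defines. The NAT64 prefix list, the blocklist entries and the function names are assumptions constructed for illustration; a real device has to be configured with the NAT64 prefixes actually in use on its network.

```python
import ipaddress

# Assumed configuration: the RFC 6052 well-known prefix plus one
# constructed network-specific prefix taken from documentation space.
NAT64_PREFIXES = [
    ipaddress.ip_network("64:ff9b::/96"),
    ipaddress.ip_network("2001:db8:100::/40"),
]

# Constructed IPv4 blocklist (documentation ranges only).
IPV4_BLOCKLIST = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def extract_embedded_ipv4(addr, prefix):
    """Return the IPv4 address embedded in addr under prefix, or None."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in prefix:
        return None
    raw = addr.packed
    plen = prefix.prefixlen
    if plen == 96:
        v4 = raw[12:16]  # IPv4 address occupies the last 32 bits
    elif plen in (32, 40, 48, 56, 64):
        # Octet 8 (bits 64-71, "u") is reserved and never carries IPv4
        # bits. It is dropped whatever its value, so the lookup does not
        # depend on how a translator treats a non-zero "u".
        without_u = raw[:8] + raw[9:]
        start = plen // 8
        v4 = without_u[start:start + 4]
    else:
        raise ValueError("RFC 6052 prefix must be /32, /40, /48, /56, /64 or /96")
    return ipaddress.IPv4Address(v4)


def is_blocked(addr):
    """Check an IPv4 or IPv6 address against the IPv4 blocklist."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        candidates = [ip]
    else:
        # Try every configured NAT64 prefix the address falls under.
        candidates = [v4 for p in NAT64_PREFIXES
                      if (v4 := extract_embedded_ipv4(ip, p)) is not None]
    return any(c in net for c in candidates for net in IPV4_BLOCKLIST)
```

IPv6 addresses outside every configured NAT64 prefix yield no candidates and are not matched by this check, so they still need whatever native IPv6 policy the device applies.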