Re: [fw-wiz] IPv6 support in firewalls

On Wed, 22 Aug 2007 20:02:05 -0400
"Mike Barkett" <mbarkett@xxxxxxxxxxxxxxxxx> wrote:

Some of the problems are a bit different due to the increased scale.
For example, can you think of a good way to proactively scan an
entire IPv6 subnet for vulnerabilities and rogue hosts? With v4 and
RFC 1918, it is barely feasible to actively scan 10/8 within a
reasonable amount of time, so v6 presents a new challenge in this
respect. Basically, you have to wait until something starts talking
and then go out and scan it. Either way, you're going to be waiting
a while before you even know it's there.

I don't think the problem is that bad, though some extra logging may
need to be added to routers. You can always send broadcast pings on
each LAN, monitor switch and router MAC address tables, etc. These are
things that are relatively easy for good guys to do. See for how the bad guys
can do it.

--Steve Bellovin,
firewall-wizards mailing list