The Serpent

// Cursing the Internet since 1998

IPv6 Host Scanning

Better, or worse?
Posted June 13, 2012 Archive

I’ve been following a good debate that’s been brewing in the circles of security and network folk regarding the feasibility of scanning IPv6 networks. Some say its safer since the address space is so vast, and therefore individual subnets will be so sparsely populated that finding ‘alive’ hosts will simply take too much time, but others say that because of the predictable nature in which IPv6 assigns addresses using Stateless Address Auto Configuration, or network admins simply using smaller blocks for interface ID’s, it could actually advertise more about your network design then you’d like.

I’m on the fence with this one (hey, there’s nothing wrong with the fence!). I can see how the old scan methods will need to be revised (you can’t just pick a /22 block and go nuts), but I imagine administrators will go out of their way to make early IPv6 deployments as simple as possible, limiting the address space to what they consider ‘feasible’ - resulting in a few hundred, or thousand addresses, which we all know Nmap can handle perfectly.

If using the standard approach, the client MAC will form part of the address. Usually something network address translation has hidden for a long time. It’s relatively safe to say that someone with your MAC address isn’t a threat as long as they aren’t on your internal network, but it still feels like this information shouldn’t leave the confines of your network - and I imagine most network engineers will want total control of the address space.

This is why I would assume most IPv6 deployments which utilise DHCP (otherwise why didn’t we all just use APIPA?) will still go for the smaller blocks of address assignments - which will allow port\host scanning to continue just like the good old IPv4 days. But let’s see how this plays out, shall we?

IPv6 Host Scanning
Posted June 13, 2012
Written by John Payne