Security
Written by Daniel
Tuesday, 07 September 2010 18:07
From Dark Reading
Traditional host discovery via network scanning won't work with IPv6, but alternative methods are available
IPv6 brings some welcome security and other features, but there are some 'gotchas' for IP professionals that may not be immediately apparent.
The next-generation IPv6 protocol has been "coming soon" for the last decade and is finally nearing the point of necessity as IPv4 addresses get closer to exhaustion. Many hail it as the next great thing for security because of nifty features like native IPsec support.
But it will also bring challenges for security pros, namely in vulnerability scanning and penetration testing. With the addition of all of this new IP space afforded by IPv6, scanning each IP to determine which hosts are up, and then performing a vulnerability scan, would take years. Host discovery through traditional means of network scanning -- host by host and subnet by subnet -- will go away. Instead, new host discovery methods will need to be put in place to make vulnerability scanning more targeted.
Fortunately, there are several techniques that can be used based on existing hardware and software tools. With little to no extra cost, it's possible to determine which IPs are in use on the network without scanning. You can then feed the discovered IPs into the vulnerability scanner so the scanner can spend more time on vulnerability scanning, and not on host discovery.