[ipv6hackers] Help wanted: Nmap IPv6 OS Detection

Joe Klein jsklein at gmail.com
Wed Sep 28 05:01:49 CEST 2011

Eric Vynche,

FF02::1 (and others) are great for recon on network, and per RFC 4291,
are required on all devices nodes. The exception is Microsoft who did
not follow the standard and at one time failed “IPv6 Ready” testing
(and others), due to this design decision.

The decision to allow or not allow all-nodes-multicast should depend
on your security trust model, as defined by RFC 3756 (IPv6 Neighbor
Discovery (ND) Trust Models and Threats, May 2004), and as such,
should be designed into your IPv6 security architecture.

Simply, if you trust every node on your network, go ahead, allow
FF02::1, it does make it easy to manage.

On the other hand, if you live in a less ‘trusting neighborhood’, then
you might want to make a different IPv6 security architecture

As far as the CISO doing a recon on there IPv6 network --- doesn’t
they have a security architecture, which identifies and manages assets
on their networks?

Joe Klein

More information about the Ipv6hackers mailing list