IPv6 replacement for scanning IP range
Under IPv4, I often use nmap to scan my entire IP range to identify newly-connected devices and update my documentation, track down and shut off things that don't belong on the network, etc. I even have tools that do this automatically, for instance my AV software scans a defined IP range and then installs AV software on anything it can see in that range.
That's going to be infeasible under IPv6, as I will go from scanning a few thousand IP addresses to many quintillions.
What will the alternative be? Will routers/switches be able to report what IPv6 addresses they've seen lately so I can port scan everything on the network? That's the only approach I can see, but I expect that SF will have more and better ideas.
Solution 1:
Yes, brute-force scanning of IPv6 networks is futile, and that's a very good thing for network security. As the systems administrator, you still have a number of sources of information available to you to help keep tabs on your networks:
Routers on your networks, presumably running radvd, can log the clients that have requested IPv6 stateless autoconfig. You can turn off radvd's periodic gratuitous router advertisements if you want to force all autoconfig clients to send router solicitations.
Your DHCPv6 servers (if you have any) can log all clients that have requested/received IPv6 stateful config.
You can sniff ICMPv6 traffic, which includes neighbor solicitation multicasts (the equivalent of IPv4 ARP). Any device on your network attempting to "stealth" itself with a static configuration will still have to send such packets in order to communicate with other devices on the local link.
Of course, your own servers will have properly documented static IP addresses, so you always know how to reach them. It was a bad idea to give servers static DHCP leases in IPv4, and it's still a bad idea to do so in IPv6.
It's still early days for IPv6, but I expect that in the coming years, we'll start seeing better integration between DNS and radvd/DHCPv6, and hence better network inventory/reporting tools, as a matter of necessity.
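One way to turn the sniffed Neighbor Solicitation traffic mentioned above into a device inventory, as an added example that is not part of either answer. The packets below are constructed inline (not a real capture), the ICMPv6 checksum is left at zero and not verified, and the Ethernet header is assumed to have been stripped already.

```python
"""Build an IPv6 device inventory from raw Neighbor Solicitation packets."""
import ipaddress
import struct

ICMPV6 = 58
NEIGHBOR_SOLICITATION = 135
OPT_SOURCE_LINK_LAYER = 1


def parse_neighbor_solicitation(pkt: bytes):
    """Return (source IPv6, source MAC or None, target IPv6) for an NS packet,
    or None if the packet is not an ICMPv6 Neighbor Solicitation."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
        return None
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp = pkt[40:40 + payload_len]
    if len(icmp) < 24 or icmp[0] != NEIGHBOR_SOLICITATION:
        return None
    target = ipaddress.IPv6Address(icmp[8:24])
    mac, pos = None, 24
    while pos + 2 <= len(icmp):  # walk the TLV options after the target address
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp):
            break  # malformed option; stop rather than misread the rest
        if opt_type == OPT_SOURCE_LINK_LAYER and opt_len >= 8:
            mac = ":".join(f"{b:02x}" for b in icmp[pos + 2:pos + 8])
        pos += opt_len
    return str(src), mac, str(target)


def build_inventory(packets):
    """Map each MAC (or the address itself when no SLLA option is present)
    to the set of IPv6 addresses seen for it."""
    seen = {}
    for pkt in packets:
        parsed = parse_neighbor_solicitation(pkt)
        if parsed is None:
            continue
        src, mac, target = parsed
        # DAD probes come from :: and name the tentative address as the target
        addr = target if src == "::" else src
        seen.setdefault(mac or addr, set()).add(addr)
    return seen


def _ns(src, dst, target, mac=None):
    """Constructed sample NS packet (IPv6 header + ICMPv6), checksum zero."""
    opts = b"\x01\x01" + bytes.fromhex(mac.replace(":", "")) if mac else b""
    icmp = struct.pack("!BBHI", NEIGHBOR_SOLICITATION, 0, 0, 0) + ipaddress.IPv6Address(target).packed + opts
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


SAMPLE_PACKETS = [  # constructed, not captured
    _ns("fe80::1a2b:3cff:fe4d:5e6f", "ff02::1:ff00:1", "2001:db8::1", "18:2b:3c:4d:5e:6f"),
    _ns("::", "ff02::1:ff4d:5e6f", "2001:db8::1a2b:3cff:fe4d:5e6f"),  # DAD probe, no SLLA
    _ns("2001:db8::42", "ff02::1:ff00:1", "2001:db8::1", "00:11:22:33:44:55"),
    b"\x60" + b"\x00" * 5 + b"\x11\x40" + b"\x00" * 32,  # UDP packet, ignored
]
```

Feeding real frames in (for example from a raw socket or a pcap reader) is left to the caller; the same parser handles them once the link-layer header is removed.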
Solution 2:
I'm not sure what exactly your needs are (size of network, etc.) but I suspect that issues like these would be evolving as IPv6 gains more traction.
In the meantime you could approach the problem in layers...
DHCP servers would keep track of what's requested an address.
Just about any device set to promiscuous monitoring will see some broadcast traffic for RARP/ARP requests and can look for unusual/new devices.
A machine on a monitoring port of a switch can look for traffic from new devices.
A proxy at the border can easily track what is web browsing or using other services.
A honeypot machine can monitor network traffic using something like SNORT in case you're worried about something or someone hopping on the network to probe your machines.
Your switches can monitor what is connected to each port and report what devices are sending traffic if you have switches that support this.
You might even be able to limit on the switch what IPs are allowed to be routed through them so you create VLANs and limit what traffic to look for on a given subnet. Might be more work than it's worth, depending on your situation, but that would mean that even in an IPv6 network you wouldn't have to scan as many addresses as there are stars in the sky to find unusual traffic, and anyone or anything hopping in will have to fit that segment of IP addresses in order to do anything or get routed properly.