> what does it mean for more widespread IPv6 adoption?
If I were a security hacker (whatever shade), I'd be spending all of my time looking at IPv6, from device drivers through kernels and routers up to user-level programs.
IPv6 is simply not hardened in the way IPv4 is. It will be some day, but it's going to have to earn it the hard way, same as IPv4 did.
Indeed, IPV6 is a possible entry point for pen testers, as plenty of admins will leave ipv6 enabled, but not bother to setup ip6tables. Plenty of software is setup to bind on "all interfaces", which includes your link local address. Fortunately, takes some effort to scan the link local address space.. But if they are based on MAC, and you can just ask for the MAC of the host via ARP...
Yup. iptables should really have a "figure out how to mirror this" mode, since 99% of iptables rules can be translated to ip6tables rules by sprinkling 6s around, and almost everyone screws it up initially.
I've got a bit of a headache right now, but IIRC the second remotely exploitable OpenBSD bug was because they had IPv6 enabled by default. There are a lot of grues lurking in there.
The parent wasn't just implying it being enabled, but also likely buggy in the implementation as well. E.g. Maybe an overflow with the next header implementation.
If I were a security hacker (whatever shade), I'd be spending all of my time looking at IPv6, from device drivers through kernels and routers up to user-level programs.
IPv6 is simply not hardened in the way IPv4 is. It will be some day, but it's going to have to earn it the hard way, same as IPv4 did.