Enhanced address space vs. ping sweeps
In IPv6 the default subnet size is 2^64, which means a single network can contain 18,446,744,073,709,551,616 hosts.
On a 2 GHz dual-core machine connected to a 100 MBit network, an nmap scan of a /24 subnet (using the ICMP echo request/reply mechanism) takes 2.554 seconds. If we assume the same speed towards the remote IPv6 network we want to scan, sweeping a 2^64 subnet would take 5,835,714,585 years.
Network administrators face the problem that IPv6 addresses are not easy to remember. For practical reasons all the hosts in an IPv6 network will be registered in a DNS server, so the main source for finding hosts in a remote network will be its DNS servers.
Stateless Address/Router Configuration
This is a point which affects the security of IPv6 negatively. What is a real help for administrators can also be an advantage for attackers aiming to gain access to the infrastructure.
When a new machine joins the network, it generates its EUI-64 IPv6 address, but before assigning the address to the interface it checks with a request packet whether this address is already used by another host, to avoid conflicts.
Afterwards the host asks on the local network for a router. The router responds to that request and provides the information needed to connect the host to e.g. the Internet.
All these automatic configuration mechanisms are based on trust, so anybody could spoof a message saying that this address is already assigned, or respond to the router request to mount a man-in-the-middle attack.
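To make the two numbers-and-mechanisms above concrete (the sweep-time extrapolation from the /24 figure, and the EUI-64 address a host autoconfigures before it runs its duplicate check), here is an added Python example; it is not part of the original post or of any tool it mentions, and the prefix and MAC it uses are constructed sample values.

```python
import ipaddress

# Figures quoted in the text: an nmap echo sweep of an IPv4 /24 takes 2.554 s.
SECONDS_PER_SLASH24 = 2.554
ADDRESSES_PER_SLASH24 = 256
SECONDS_PER_YEAR = 365 * 24 * 3600


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytearray.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in the middle, insert ff:fe, then flip the universal/local bit.
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures for a /64 prefix learned from a router advertisement.

    The MAC is recoverable from the low 64 bits, which is why the address
    tells an observer the hardware vendor of the host.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def sweep_seconds(prefixlen: int) -> float:
    """Estimated echo-sweep time of an IPv6 prefix, extrapolated from the /24 figure."""
    addresses = 2 ** (128 - prefixlen)
    return addresses / ADDRESSES_PER_SLASH24 * SECONDS_PER_SLASH24


def sweep_years(prefixlen: int) -> float:
    return sweep_seconds(prefixlen) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and an arbitrary MAC.
    print(slaac_address("2001:db8:1:2::/64", "00:0c:29:aa:bb:cc"))
    print(f"/64 sweep: {sweep_years(64):,.0f} years")
```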
The THC (The Hackers Choice) group has demonstrated these and more attacks in practice and released the code here. Their presentation is also truly worth a look.
The solution to this problem, SEcure Neighbor Discovery (SEND), was already specified in 2005 in RFC 3971, but so far no implementation can be found in recent operating systems.
Some more attacks on IPv6, not only related to the local trust model, can be found here.