Oh boy, where to start? I guess I'll work my comments in between yours:
said by DeanD: I've been trying to learn more about IPv6 since at least 2008.
That is the correct approach to take. Ideally combine the theory with some practical experience as well. The Hurricane Electric free IPv6 certification training and free IPv6 tunnels are highly recommended.
said by DeanD: Typically here in the states working network managers don't seem too interested in IPv6. If they have their 10 dot, they're fine with that.
You are absolutely correct about that but I don't think that is a good thing.
said by DeanD: I just had the network manager here say there are new RFCs coming out all the time, it isn't mature, it isn't stable, and likely less secure than v4.
Hmmm, yes there are new RFCs coming out all the time and every once in a while there is an errata for an existing RFC on the Standards Track. A quick look at the IETF or RFC-Editor websites for recent RFCs (last 14 days, 12 most recent) shows none that are specifically related to IPv6.
The fact is that IPv6 is old. A lot of the original ideas have indeed been tried, found wanting and some have been amended or obsoleted. All major operating systems implement IPv6 (for some time now) and whatever may be added to IPv6 in future will have to be compatible with today's standards-compliant implementations.
said by DeanD: He cited arp poisoning as an example. He said the same problem exists in v6, but it is worse.
I wonder in what way spoofing of Neighbor Announcements (a function of ND, Neighbor Discovery) is supposed to be worse than ARP poisoning?
Both are clearly very similar in nature. Performing such spoofing as an attack in either IPv4 or IPv6 requires a level of access by the attacker that makes it only useful for a malicious insider or someone that has already successfully penetrated your network defenses. In either case you probably have bigger problems than misdirected traffic for a specifically targeted system.
There is a specification for a secure version of neighbor discovery (SEND) that solves that problem in IPv6.
said by DeanD: Crackers who know v6 may know it much better than people at companies. So he is happy to not be on IPv6, and wants to wait 5 or 10 years for other people to work out the kinks.
There is a definite learning curve to IPv6. It is probably even harder for those of us who are intimately familiar with IPv4 because it is so easy to think it would all be the same, just with a bigger address (only to be tripped up by the differences).
The part about crackers knowing more about IPv6 than most network managers is likely to be true but entirely the fault of those network managers! There is no excuse to wait until circumstances force them to use IPv6. The time to learn IPv6 properly is now while the production use is still on the horizon. It is too late to play catch-up when that day arrives and the network manager is unprepared.
Ignorance of IPv6 does not protect those managers' networks. There are already IPv6 related security threats that apply even to networks where routers and firewalls block IPv6 but internal hosts establish opportunistic IPv6 tunnels over the existing IPv4 infrastructure.
said by DeanD: Meanwhile no ISP that I know of offers it here. Comcast talked about it but never delivered and they are overpriced.
Comcast appears to be the one US ISP serving residential customers that has a good IPv6 strategy and also appears well advanced in implementing it.
For commercial Internet access with IPv6 I would trust Hurricane Electric (he.com) to be the most experienced ISP.
I know AT&T (business, not residential) is still giving me evasive answers every time I bring up the topic of IPv6.
said by DeanD: Anyone have any thoughts, reactions?
What more?
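The point above about opportunistic IPv6 tunnels crossing an "IPv4-only" network is easy to check for in existing flow or firewall exports. The following is an added example, not code from the thread or from any product it names; the flow records are constructed, and the field order "src,dst,proto,dst_port" is an assumption about the export format. It flags IPv4 flows that carry encapsulated IPv6 (protocol 41 for 6in4/6to4, UDP/3544 for Teredo) and classifies IPv6 addresses seen in logs by the well-known 6to4, Teredo and ISATAP patterns.

```python
import ipaddress

# Constructed sample flow records in "src,dst,proto,dst_port" form (an assumed
# export layout, not taken from the thread).
SAMPLE_FLOWS = [
    "10.1.2.3,192.88.99.1,41,0",       # IPv4 protocol 41: IPv6 encapsulated directly (6to4)
    "10.1.2.4,203.0.113.5,41,0",       # protocol 41 to an arbitrary 6in4 tunnel endpoint
    "10.1.2.5,198.51.100.9,17,3544",   # UDP to port 3544: Teredo server traffic
    "10.1.2.6,198.51.100.10,6,443",    # ordinary HTTPS, must not be flagged
    "10.1.2.7,10.1.2.8,17,53",         # ordinary DNS, must not be flagged
]

IPPROTO_IPV6 = 41    # 6in4/6to4 carry IPv6 inside IPv4 with this protocol number
TEREDO_PORT = 3544   # Teredo carries IPv6 inside UDP; servers listen on 3544

def classify_flow(record):
    """Return a reason string if an IPv4 flow looks like an IPv6 tunnel, else None."""
    src, dst, proto, dport = record.split(",")
    proto, dport = int(proto), int(dport)
    if proto == IPPROTO_IPV6:
        return "protocol-41 (6in4/6to4) from %s to %s" % (src, dst)
    if proto == 17 and dport == TEREDO_PORT:
        return "udp/3544 (Teredo) from %s to %s" % (src, dst)
    return None

def find_tunnels(records):
    """Run classify_flow over every record and keep only the hits."""
    return [r for r in (classify_flow(x) for x in records) if r]

TUNNEL_PREFIXES = {
    ipaddress.IPv6Network("2002::/16"): "6to4",    # 6to4 embeds the IPv4 address after 2002:
    ipaddress.IPv6Network("2001::/32"): "Teredo",  # Teredo prefix
}

def tunnel_kind(addr6):
    """Classify an IPv6 address from logs as '6to4', 'Teredo', 'ISATAP' or None."""
    addr = ipaddress.IPv6Address(addr6)
    for net, name in TUNNEL_PREFIXES.items():
        if addr in net:
            return name
    # ISATAP interface IDs look like 0000:5efe:a.b.c.d (or 0200:5efe:... with the
    # u/l bit set), regardless of the /64 prefix in front of them.
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:   # mask out the u/l bit (0x02000000)
        return "ISATAP"
    return None

if __name__ == "__main__":
    for hit in find_tunnels(SAMPLE_FLOWS):
        print("tunnel candidate:", hit)
```

Protocol 41 and UDP/3544 can be dropped at the edge, but a host inside the network still has an IPv6 stack; seeing these flows tells you which hosts are reaching for one.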