Interesting paper by Steve Bellovin - Worm propagation in a v6 internet

http://www.cs.columbia.edu/~smb/papers/v6worms.pdf - courtesy Schneier
on Security and then the ITU newslog.

Interesting. By the way, is there a "currently" missing between "not"
and "feasible" there?

Even given the sheer size of v6 space some of the other traits noted
by SMB - like the tendency of network equipment to be clustered in the
first few bits of a /48, and possibly observing new v6 netblocks get
announced and routed might be used by someone to make intelligent
guesses.

And nmap can probably be hacked into doing that kind of scanning.

After all when there's an unlimited number of hosts connected to the
v6 network, all that needs to happen is a small botnet to develop, and
then start to port scan.

The potentially larger number of hosts that can get infected will
probably help do an exhaustive search for you, so that v6 botnets
start small and then grow exponentially in size over time.

I rather suspect that the portscanning will grow to keep pace with the
actual number of v6 connected hosts.

It's joint work with Angelos Keromytis and Bill Cheswick.

    --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

OK, let's say we have a /48 allocated to an end site, and their router
falls over at 1Mpps. The exhaustive search will completely clog their pipe
for (2 ** (128 - 48))/1000000 seconds, or approximately 38,334,786,263 *years*.
(That 2**80 is *huge*, a lot bigger than people think...)

Even the most dim-witted site will notice after a day or two of this.

And that's why a worm would have to use techniques like Steve and friends wrote about.

One method missing is doing top-down random walks of ip6.arpa.

  Mark

That's only easy if delegation were on a per-nybble basis, which is commonly
not the case. Because there are not typically NS's at every nybble level,
you have to do more than one hex digit's worth of randomness in the scan in
order to find a next-level delegation, increasing the cost of scanning that
namespace quite a bit.

(Having delegations at every nybble level would be ... alarming at best,
given the amount of PTR redirection that implies. :-) )

    One method missing is doing top-down random walks of ip6.arpa.

Given the difficulty of finding IP addresses for free,
perhaps the commercial people will take over the whole
botnet business. Then it is simple to find IPv6 addresses
to attack. Simply buy webserver logs on the open market
similar to the way the bad guys now buy lists of credit
card numbers. People are always the weak link in any
security scenario, no matter how bulletproof the
technologists may claim it is.

IPv6 may have less impact on the fact of botnet activity
and more impact on the sociology of the participants.

--Michael Dillon