[111662] in North American Network Operators' Group
Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space
daemon@ATHENA.MIT.EDU (Scott Howard)
Tue Feb 10 01:24:07 2009
Date: Mon, 9 Feb 2009 22:24:03 -0800
From: Scott Howard <scott@doc.net.au>
To: John Osmon <josmon@rigozsaurus.com>, nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Mon, Feb 9, 2009 at 9:54 PM, John Osmon <josmon@rigozsaurus.com> wrote:
> It isn't SOX, but sadly enough, PCI DSS Requirement 1.5 says:
> Implement IP address masquerading to prevent internal addresses from
> being translated and revealed on the Internet. Use technologies that
> implement RFC 1918 address space, such as port address translation (PAT)
> or network address translation (NAT)
It's moved to Requirement 1.3.8 of the current PCI DSS (V1.2, October 2008),
and has been reworded slightly:
*1.3.8 Implement IP masquerading to prevent internal addresses from being
translated and revealed on the Internet, using RFC 1918 address space. Use
network address translation (NAT) technologies—for example, port address
translation (PAT).*
However the PCI DSS does contain a "Compensating controls" section, which
allows for the use of functionality which "provide[s] a similar level of
defense" to the stated requirements, where the stated requirements cannot
be followed due to "legitimate technical or documented business constraints".
Now the fact that RFC1918 addresses don't work with IPv6 is clearly a
"legitimate technical ... constraint", so as long as you could successfully
argue that a stateful firewall or other measures in place provided
security equivalent to NAT, you should be fine.
Scott.