[111675] in North American Network Operators' Group
RE: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space
daemon@ATHENA.MIT.EDU (TJ)
Tue Feb 10 08:57:37 2009
From: "TJ" <trejrco@gmail.com>
To: <nanog@merit.edu>
In-Reply-To: <f1dedf9c0902092224p79f0f239ud654986955420e42@mail.gmail.com>
Date: Tue, 10 Feb 2009 08:57:28 -0500
Errors-To: nanog-bounces@nanog.org
>However the PCI DSS does contain a "Compensating controls" section, which
>allows for the use of functionality which "provide[s] a similar level of
>defense" to the stated requirements, where the stated requirements can not
>be followed due to "legitimate technical or documented business
>constraints"
>
>Now the fact that RFC1918 addresses don't work with IPv6 is clearly a
>"legitimate technical ... constraint", so as long as you could successfully
>argue that a stateful firewall or other measures in place provided
>equivalent security as NAT you should be fine.
Excellent loophole!
Although I wonder how many clueful auditors are out there and able to make
this fly ...