[133233] in North American Network Operators' Group
Re: Pointer for documentation on actually delivering IPv6
daemon@ATHENA.MIT.EDU (Owen DeLong)
Tue Dec 7 09:29:55 2010
From: Owen DeLong <owen@delong.com>
In-Reply-To: <20101207140524.GF22479@angus.ind.WPI.EDU>
Date: Tue, 7 Dec 2010 06:27:00 -0800
To: Chuck Anderson <cra@WPI.EDU>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Dec 7, 2010, at 6:05 AM, Chuck Anderson wrote:
> On Tue, Dec 07, 2010 at 08:18:31AM -0500, david raistrick wrote:
>> On Mon, 6 Dec 2010, Owen DeLong wrote:
>>
>>> Seriously, though, you're welcome to use fd00::/8 for exactly that
>>> purpose. The problem is that you (and hopefully it stays this way)
>>> won't have much luck finding a vendor that will provide the NAT for you
>>> to do it with.
>>
>> [with my flame-retardant hat installed firmly]
>>
>> So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the
>> use of RFC1918 space? Admitedly, it's been a year or two since I last
>> had to engineer around that particular set of rules...but it's life or
>> death for a lot of folks.
>
> Simple. Use RFC1918 IPv4 along side global IPv6 addresses. Done :-)
1. PCI allows for equivalent effective security. IPv6 privacy addresses
actually meet that test, among other possible solutions.
2. I believe there is work underway to correct some of the specious
requirements in PCI DSS, among which this is one.
Owen
