[171132] in North American Network Operators' Group
Re: Requirements for IPv6 Firewalls
daemon@ATHENA.MIT.EDU (Matt Palmer)
Fri Apr 18 19:02:35 2014
Date: Sat, 19 Apr 2014 09:02:04 +1000
From: Matt Palmer <mpalmer@hezmatt.org>
To: NANOG <nanog@nanog.org>
Mail-Followup-To: NANOG <nanog@nanog.org>
In-Reply-To: <CF772128.50EA3%Lee@asgard.org>
On Fri, Apr 18, 2014 at 06:37:28PM -0400, Lee Howard wrote:
> On 4/18/14 4:33 PM, "George Herbert" <george.herbert@gmail.com> wrote:
> >
> >If William and I fight that fight, lose it, and come back and tell you
> >"They won't go because insufficient NAT" you need to listen. I've fought
> >this in a dozen places and lost 8 of them, not because I don't know v6, but
> >because the clients have inertia and politics around security posture
> >changes (and in some cases, PCI compliance regs).
>
> IPv6 evangelists are used to fighting inertia.
> PCI, however. . . anyone have any contacts there?
If you get to talk to them, they'll probably look at you funny and say,
"whatchoo talkin' 'bout?". PCI DSS *does not require NAT*. Anyone who
says differently is selling something (probably a NAT box). You can refer
to the source documents yourself -- they're freely available
(https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf, for
example). As a testimonial, we run a no-NAT environment and got full PCI
compliance with nary a twitch of the eyebrow. Didn't even have to argue the
toss with anyone.
- Matt