[171144] in North American Network Operators' Group


Re: Requirements for IPv6 Firewalls

daemon@ATHENA.MIT.EDU (Matt Palmer)
Fri Apr 18 22:17:55 2014

Date: Sat, 19 Apr 2014 12:16:09 +1000
From: Matt Palmer <mpalmer@hezmatt.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <5351D9B3.2030902@utc.edu>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, Apr 18, 2014 at 10:04:35PM -0400, Jeff Kell wrote:
> As to address the other argument in this thread on NAT / private
> addressing, PCI requirement 1.3.8 pretty much requires RFC1918 addressing
> of the computers in scope...  has anyone hinted at PCI for IPv6?

1.3.8 lists use of RFC1918 address space as one of four possible
implementations, immediately after the phrase "may include, but are not
limited to".  I don't interpret that as "pretty much requires RFC1918".

Now, if you'd like to claim that 1.3.8 is completely useless, I won't argue
with you -- it's security-by-obscurity of the worst possible form.  But
don't blame PCI compliance for any inability to deploy IPv6, because it just
ain't true.

- Matt


