v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

TJ trejrco at gmail.com
Tue Feb 10 07:57:28 CST 2009


>However the PCI DSS does contain a "Compensating controls" section, which
>allows for the use of functionality which "provide[s] a similar level of
>defense" to the stated requirements, where the stated requirements can not
>be followed due to "legitimate technical or documented business
>constraints"
>
>Now the fact that RFC1918 addresses don't work with IPv6 is clearly a
>"legitimate technical ... constraint", so as long as you could successfully
>argue that a stateful firewall or other measures in place provided
>equivalent security as NAT you should be fine.


Excellent loophole!
Although I wonder how many clueful auditors are out there and able to make
this fly ...




