v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

Matthew Kaufman matthew at eeph.com
Tue Feb 10 03:45:55 UTC 2009


Mark Andrews wrote:
> 	Please cite references.
> 
> 	I can find plenty of firewall required references but I'm
> 	yet to find a NAT and/or RFC 1918 required.

(Skip if you've participated in a SOX audit from the IT department POV)

The way it works is that the law doesn't call for specific measures. The 
law calls for audits. Audits are done by outside firms (like "large 
accounting firms") using their internally-developed checklists for 
compliance. Passing the checklist gets you an unqualified audit. Failing 
a few items gets you a qualified audit. Failing more means you don't 
have the necessary audit document to present.

The exact details of every line item are typically under non-disclosure 
when presented to the IT department for review, so for instance I can't 
post the ones from the last audit I participated in.

Firms are also free to develop their own internal control guidelines, as 
long as they can convince the outside auditor that the controls are at 
least as strong as the ones on the checklist.

Other regulations, like HIPAA, also require the same thing. For 
instance, the top Google hit for HIPAA and "private address space" links 
to a wustl.edu document regarding how their controls over 
HIPAA-protected information are implemented (including the use of 
private address space and the use of multiple layers of NAT).

It takes a *lot* longer to get policies changed and auditors to sign off 
on the revised policies than it does to make a change in a router. That 
means that the process of updating policies should have started *even 
sooner* than the process of upgrading and reconfiguring routers for 
IPv6. But since there are still open questions (like the recent discussion 
of IPv6 NAT on the BEHAVE list) that have no answers at all, I can 
imagine why some folks might be putting off revising their policies and 
asking for external review of those.

Matthew Kaufman