v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space]

Scott Howard scott at doc.net.au
Tue Feb 10 06:24:03 UTC 2009


On Mon, Feb 9, 2009 at 9:54 PM, John Osmon <josmon at rigozsaurus.com> wrote:

> It isn't SOX, but sadly enough, PCI DSS Requirement 1.5 says:
>   Implement IP address masquerading to prevent internal addresses from
>   being translated and revealed on the Internet. Use technologies that
>   implement RFC 1918 address space, such as port address translation (PAT)
>   or network address translation (NAT)


It's moved to Requirement 1.3.8 of the current PCI DSS (V1.2, October 2008),
and has been reworded slightly:
*1.3.8 Implement IP masquerading to prevent internal addresses from being
translated and revealed on the Internet, using RFC 1918 address space. Use
network address translation (NAT) technologies—for example, port address
translation (PAT).*

However the PCI DSS does contain a "Compensating controls" section, which
allows for the use of functionality which "provide[s] a similar level of
defense" to the stated requirements, where the stated requirements cannot
be followed due to "legitimate technical or documented business constraints".

Now the fact that RFC1918 addresses don't work with IPv6 is clearly a
"legitimate technical ... constraint", so as long as you could successfully
argue that a stateful firewall or other measures in place provided
equivalent security to NAT, you should be fine.

  Scott.
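As an added illustration of the compensating-control argument in the post above (this is not from the original message or from the PCI DSS), here is an nftables IPv6 ruleset showing the property a reviewer would look for: no inbound connection reaches the internal segment unless a host inside initiated it, which is the behaviour NAT gives implicitly. The interface names eth0/eth1 and the prefix 2001:db8:100::/48 are placeholder assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post: an IPv6 stateful-filter ruleset
# illustrating a NAT-equivalent "inside initiates, outside never does" policy.
# Assumptions (hypothetical): outside interface eth0, inside (cardholder-data)
# interface eth1, inside prefix 2001:db8:100::/48 (a documentation prefix used
# here purely as a placeholder).

define wan = "eth0"
define lan = "eth1"
define inside_net = 2001:db8:100::/48

table ip6 perimeter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful core: traffic belonging to a connection opened from inside
        # is allowed back; this is what NAT provides as a side effect.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open connections outbound (tighten per policy).
        iifname $lan oifname $wan ip6 saddr $inside_net accept

        # IPv6 does not work without a minimal set of ICMPv6 error messages
        # (path MTU discovery in particular); RFC 4890 explains each type.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Unsolicited inbound traffic toward the inside prefix is logged
        # (rate limited so scans do not flood the log) and then hits the
        # chain's drop policy.
        iifname $wan oifname $lan ip6 daddr $inside_net limit rate 10/second log prefix "ip6-fwd-drop: "
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Neighbour discovery and router messages are link-local and required
        # for the firewall's own interfaces to function.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      echo-request } accept
        # Management of the firewall only from the inside segment.
        iifname $lan tcp dport 22 accept
    }
}
```

Load it with `nft -f` and confirm the counters with `nft list ruleset`; the point to document for an assessor is that the forward chain's policy is drop and that the only accept for traffic entering from the outside is `ct state established,related`. Note that this covers the inbound-exposure half of the argument; it does not by itself conceal internal addresses, which is a separate point to settle with the assessor.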



More information about the NANOG mailing list