v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

TJ trejrco at gmail.com
Tue Feb 10 13:52:31 UTC 2009

>> >> >	The SOX auditor ought to know better.  Any auditor that
>> >> >	requires NAT is incompenent.
>> >>
>> >> Sadly, there are many audit REQUIREMENTS explicitly naming NAT and
>> >> RFC1918 addressing ...
>> >
>> >SOX auditors are incompetent. I've been asked about anti-virus
>> >software on UNIX servers and then asked to prove that they run
>> Fair enough, but my point was that it isn't the auditors' faults in
>> _all_ cases.
>> When the compliance explicitly requires something they are required to
>> check for it, they don't have the option of ignoring or waving
>requirements ...
>> and off the top of my head I don't recall if it is SOX that calls for
>> RFC1918 explicitly but I know there are some that do.
>	Please cite references.
>	I can find plenty of firewall required references but I'm
>	yet to find a NAT and/or RFC 1918 required.

Minor correction (I did say I wasn't sure it was SOX) ... It is PCI that
requires RFC1918 and translation.
For SOX, what is your assessment of (IPv6) internal controls and risk based
on?  Has anyone (with the authority to do so) developed and released
guidance?  Do we have a repository of "current best practices" to rely on

Interestingly, with SOX, I am curious if lack of IPv6 preparation will play
into the risk assessment as well :).

Current versions of the rest (HIPAA, GLBA, SOX, FIPS, etc.) simply tend to
omit IPv6 completely, and generally require everything not explicitly called
out to be disabled ... thus, no IPv6 on any network that falls under any of
these regulations.  We are just starting to see finalized product profiles
and STIGs for IPv6 configuration - without that guidance Defense networks
really couldn't <wink> run IPv6 either.

(In other words (again, generally speaking) - if you run IPv6, your current
C&A (or perhaps your CTO (Certificate To Operate)) is invalid).

More information about the NANOG mailing list