v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

John Curran jcurran at mail.com
Tue Feb 10 20:22:36 UTC 2009

On Feb 10, 2009, at 8:52 AM, TJ wrote:
> Current versions of the rest (HIPAA, GLBA, SOX, FIPS, etc.) simply tend to
> omit IPv6 completely, and generally require everything not explicitly called
> out to be disabled ... thus, no IPv6 on any network that falls under any of
> these regulations.

TJ - You attempted to say that for PCI, and then it was shown that
there's clear language regarding compensating controls that could
easily be considered applicable.  I haven't had the honor of running
an IPv6-enabled system through a PCI compliance audit, but have little
doubt that it will happen shortly and will require auditor education
just like every other technology introduction.

I run a data center which specializes in secure, compliant managed
services, and have been through hundreds of audits in support of
our clients which include federal civilian, federal defense, health
care, and financial services firms.  There are very few IT standards
which have precise protocol or address requirements embedded in them,
and there is almost always an opportunity to provide compensating
controls where necessary.  If you've got an example from one of the
above compliance frameworks to the contrary that would actually
preclude IPv6 deployment, please cite it.

> (In other words (again, generally speaking) - if you run IPv6, your current
> C&A (or perhaps your CTO (Certificate To Operate)) is invalid).

Sure... change your network, and you need to update your C&A package
as part of maintaining your ATO.  It's up to your DAA as to whether
they want to use IPv6 prior to equipment being certified under the
DoD IPv6 Profile.

John Curran
ServerVault Corp
