v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space

John Curran jcurran at mail.com
Tue Feb 10 22:56:15 UTC 2009

On Feb 10, 2009, at 4:30 PM, TJ wrote:
> But that is my point - Do any of the compliance frameworks /  
> requirements /
> audit standards today address IPv6, or detail how it could be  
> implemented in
> such a fashion as to 'pass' an audit (including the "in-house" /
> consultant-specific audit guidelines)?  If it can be done, but is  
> solely a
> "you and your (current) auditor figure it out, on a case by case  
> basis,
> every time" I would argue that that is not good enough for the  
> general case.

Compliance frameworks are generally technology agonistic.
They tell you "have an information boundary for your system",
"manage your user identifiers", etc.  Aside from the DoD IA
STIGs (and small handful of NIST areas such as encryption),
you don't find specifications that particular protocols or
technology is required.  They don't require major updating
for IPv6 because there's very little IPv4 specific contents
in them already.

That's not to say that moving an application to IPv6 is trivial
from a compliance and security perspective, as you've still got a
pile of mandatory firewall, load-balancing, and IDS infrastructure
that needs to handle IPv6 correctly before you can get started.
In organizations that are planning ahead, this is common security
control infrastructure, and gets done once centrally rather than
each little component.

> And while I agree with you, "any change = redo" I would argue that not
> everyone realizes that all of their C&A work will need to be re-done  
> in
> order to retain their CTOs/ATOs if they move forward with any sort  
> of IPv6
> deployment.  I have heard the gasps (I didn't see the faces, that  
> was a
> coworker of mine did and said it was amusing - in a sad way.)

Look, systems change.  Change your database software, and you
get to update the corresponding pieces of the C&A package.  Add
IPv6, you have to update the network portions.  This shouldn't
be a surprise to anyone, and it certainly doesn't mean "all of
their C&A work will need to be re-done".


More information about the NANOG mailing list