Requirements for IPv6 Firewalls
Gary Buhrmaster
gary.buhrmaster at gmail.com
Sat Apr 19 15:47:31 UTC 2014
On Sat, Apr 19, 2014 at 2:29 PM, joel jaeggli <joelja at bogus.com> wrote:
> On 4/18/14, 7:04 PM, Jeff Kell wrote:
>> PCI requirement 1.3.8 pretty much requires RFC1918
>> addressing of the computers in scope...
>
> It does not

You are correct. In theory. However, for those
organizations that have chosen to use a firewall
with NAT rather than apply one of the other alternatives,
the practice says that to implement IPv6, the
firewall they want needs to do NAT.

Again, telling someone that they are doing it
wrong (and that they should change) will not
be successful. Especially if the network people
do not talk to the systems people, and do not
talk to the applications people, and do not talk
to the auditors.... Not that any organization
would be so stove-piped. Perhaps there should
be an I-D BCP about not stove-piping organizations
too.

And, while PCI compliance was the straw-man,
I have seen other audit results that called out
a lack of using NAT too (even though they, also,
should not have done so; it was the policy that
they should have called out. But that would
require real understanding rather than a checklist).

Gary