Requirements for IPv6 Firewalls

Gary Buhrmaster gary.buhrmaster at gmail.com
Sat Apr 19 15:47:31 UTC 2014


On Sat, Apr 19, 2014 at 2:29 PM, joel jaeggli <joelja at bogus.com> wrote:
> On 4/18/14, 7:04 PM, Jeff Kell wrote:
>> PCI requirement 1.3.8 pretty much requires RFC1918
>> addressing of the computers in scope...
>
> It does not

You are correct.  In theory.  However, for those
organizations that have chosen to use a firewall
with NAT rather than apply one of the other alternatives,
the practice says that to implement IPv6, the
firewall they want needs to do NAT.

Again, telling someone that they are doing it
wrong (and that they should change) will not
be successful.  Especially if the network people
do not talk to the systems people, and do not
talk to the applications people, and do not talk
to the auditors....  Not that any organization
would be so stove-piped.  Perhaps there should
be an I-D BCP about not stove-piping organizations
too.

And, while PCI compliance was the straw-man,
I have seen other audit results that called out
a lack of NAT too (even though they, also,
should not have done so; it was the policy that
they should have called out.  But that would
require real understanding rather than a checklist).

Gary
