Requirements for IPv6 Firewalls

Gary Buhrmaster gary.buhrmaster at
Sat Apr 19 15:47:31 UTC 2014

On Sat, Apr 19, 2014 at 2:29 PM, joel jaeggli <joelja at> wrote:
> On 4/18/14, 7:04 PM, Jeff Kell wrote:
>> PCI requirement 1.3.8 pretty much requires RFC1918
>> addressing of the computers in scope...
> It does not

You are correct.  In theory.  However, for those
organizations that have chosen to use a firewall
with NAT rather than apply one of the other alternatives,
the practice says that to implement IPv6, the
firewall they want needs to do NAT.

Again, telling someone that they are doing it
wrong (and that they should change) will not
be successful.  Especially if the network people
do not talk to the systems people, and do not
talk to the applications people, and do not talk
to the auditors....  Not that any organization
would be so stove-piped.  Perhaps there should
be an I-D BCP about not stove-piping organizations.

And, while PCI compliance was the straw-man,
I have seen other audit results that called out
a lack of using NAT too (even though they, also,
should not have done so; it was the policy that
they should have called out.  But that would
require real understanding rather than a checklist).

