Educause Security Discussion mailing list archives
Re: PCI
From: "Curtis, Bruce" <Bruce.Curtis () NDSU EDU>
Date: Mon, 27 Jun 2011 08:01:19 -0700
On Jun 27, 2011, at 9:41 AM, Jacobson, Dick wrote:
I attended an IPv6 seminar last week and am wondering if I heard something correctly. This did not register with me until after the seminar, and since the seminar I have been looking for an email address for Johannes Ullirich (the instructor), but have not found one, and asked a few people around here about this. I have not been able to get a half-way-confident answer, so I am bringing the question here. I think I heard that on an IPv6 network you can not be PCI compliant because (I think) the size of the address space makes it impossible to scan in a timely manner, as required. Does this question make sense? Any comments/thoughts for me?
There are several things about PCI that do not make any sense. For example, PCI requires that a network implement NAT. Since there is no NAT in IPv6, PCI appears to have its head in the sand about the future of the Internet. PCI does have some provisions for compensating methods, so perhaps there is a way around the NAT requirements, but it just seems silly that PCI has not considered the implications of IPv6.

I'm less familiar with the PCI requirements on scanning, but I have heard that there were issues with NIST or other government agency requirements and scanning; they may have made progress on those issues by now. Essentially it is impossible to scan all of the IPv6 addresses in a subnet from a remote host that is not on that subnet. If the scan of an IPv6 subnet is performed from that subnet, then there may be ways of scanning all active IPv6 hosts on that subnet.

http://www.ietf.org/rfc/rfc5157.txt

---
Bruce Curtis bruce.curtis () ndsu edu
Certified NetAnalyst II 701-231-8527
North Dakota State University
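The scanning point in the reply above can be put in numbers. The script below is an added example and is not code from the list post or from RFC 5157; it shows why an exhaustive remote sweep of a /64 is out of reach, and how the address-pattern heuristics that RFC 5157 describes (SLAAC addresses derived from a known NIC vendor OUI, and hand-configured low-byte addresses) cut the candidate set down to something a scanner can actually cover. The prefix 2001:db8::/64, the OUI 00:1b:21 and the 1 Mpps probe rate are assumed values chosen for illustration.

```python
"""Rough numbers behind "you cannot sweep an IPv6 subnet remotely" (RFC 5157).

Added example, not code from the mailing list post or the RFC. The probe
rate, prefix and OUI used below are assumed, illustrative values.
"""
import ipaddress
from typing import Iterator, List

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def sweep_years(prefix_len: int, probes_per_second: float, address_bits: int = 128) -> float:
    """Years needed to probe every address under a prefix exhaustively.

    address_bits=128 for IPv6, 32 for IPv4, so the same function gives the
    IPv4 /24 figure for comparison.
    """
    addresses = 2 ** (address_bits - prefix_len)
    return addresses / probes_per_second / SECONDS_PER_YEAR


def eui64_address(prefix: str, mac: str) -> str:
    """Modified-EUI-64 address a SLAAC host with this MAC would form in `prefix`.

    The interface ID is the 48-bit MAC with ff:fe inserted in the middle and
    the universal/local bit (bit 1 of the first octet) inverted.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def eui64_candidates(prefix: str, oui: str) -> Iterator[str]:
    """All 2**24 SLAAC addresses for one vendor OUI (e.g. '00:1b:21') in `prefix`.

    This is the RFC 5157 observation: knowing the NIC vendor shrinks the
    search from 2**64 addresses to 2**24, which takes under a minute at 1 Mpps.
    """
    for tail in range(2 ** 24):
        mac = oui + ":" + ":".join(f"{b:02x}" for b in tail.to_bytes(3, "big"))
        yield eui64_address(prefix, mac)


def low_byte_candidates(prefix: str, count: int) -> List[str]:
    """prefix::1 .. prefix::count, the hand-configured addresses admins tend to use."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return [str(net.network_address + i) for i in range(1, count + 1)]


if __name__ == "__main__":
    # Assumed rate: 1,000,000 probes per second from a single remote scanner.
    print(f"IPv6 /64 at 1 Mpps: {sweep_years(64, 1e6):,.0f} years")
    print(f"IPv4 /24 at 1 Mpps: {sweep_years(24, 1e6, address_bits=32) * SECONDS_PER_YEAR:.6f} s")
    gen = eui64_candidates("2001:db8::/64", "00:1b:21")
    print("Known OUI 00:1b:21 -> first SLAAC candidates:", next(gen), next(gen))
    print("Low-byte candidates:", low_byte_candidates("2001:db8::/64", 3))
```

The exhaustive figure (roughly 585,000 years for one /64 at a million probes per second) is what makes a remote "scan everything" requirement meaningless for IPv6; the two candidate generators are the kind of shortcut a scanner on or off the link would use instead, which is also why an on-link scanner that can query the neighbor table or all-nodes multicast group is in a far better position than a remote one.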