Educause Security Discussion mailing list archives
Re: PCI
From: "Jacobson, Dick" <dick.jacobson () NDUS EDU>
Date: Mon, 27 Jun 2011 09:27:12 -0700
FYI ... Thanks to Johannes for responding with ...

Yes, I was the instructor for the class, and that statement is correct. There are a couple of reasons why PCI and IPv6 conflict. Of course, you could always address them with mitigating controls, but that means extra work. For example, section 1.3, in particular 1.3.8, suggests the use of NAT, which doesn't exist in this form in IPv6; a reverse proxy and Unique Local Addresses may fulfill this requirement. The "scan regularly" statement comes from section 11.2, which does require regular vulnerability scans. It doesn't say specifically that you have to do full network scans, but it is frequently implied and required by auditors. Again, your mileage may vary depending on your auditor, and some of the techniques mentioned in class (e.g. ping6 ff02::1) may be acceptable as a mitigating control.

From: Institute for Computer Policy and Law Constituent Group Listserv [mailto:ICPL () LISTSERV EDUCAUSE EDU] On Behalf Of Jacobson, Dick
Sent: Monday, June 27, 2011 9:41 AM
To: ICPL () LISTSERV EDUCAUSE EDU
Subject: [ICPL] PCI

I attended an IPv6 seminar last week and am wondering if I heard something correctly. This did not register with me until after the seminar, and since the seminar I have been looking for an email address for Johannes Ullrich (the instructor), but have not found one, and asked a few people around here about this. I have not been able to get a half-way-confident answer, so I am bringing the question here. I think I heard that on an IPv6 network, you cannot be PCI compliant because (I think) the size of the address space makes it impossible to scan in a timely manner, as required. Does this question make sense? Any comments/thoughts for me?
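The thread mentions two things without showing either: why a brute-force sweep of an IPv6 prefix is not a workable basis for the PCI DSS 11.2 scans, and how on-link discovery (the ping6 ff02::1 technique named above) can instead feed a host inventory that a vulnerability scanner is then pointed at. The following is an added example, not code from the mailing list or from the instructor's class. It assumes Linux-style output from ping6 and from "ip -6 neigh show"; the addresses, MACs and interface name in the sample output are constructed, and the in-scope prefix 2001:db8:1::/64 is a documentation prefix used as a placeholder for a cardholder-data segment.

```python
"""Build an IPv6 scan inventory from on-link discovery instead of a prefix sweep.

Added example (not from the original post). Sample command output below is
constructed; real ping6 / ip output differs slightly between platforms.
"""
import re
from ipaddress import IPv6Address, IPv6Network

# Constructed sample in the shape of "ping6 ff02::1" replies on Linux.
# Every node on the link answers the all-nodes multicast address, so the
# responders form a first inventory without probing 2**64 addresses.
PING6_OUTPUT = """\
PING ff02::1(ff02::1) 56 data bytes
64 bytes from fe80::1%eth0: icmp_seq=1 ttl=64 time=0.512 ms
64 bytes from fe80::a00:27ff:fe4e:66a1%eth0: icmp_seq=1 ttl=64 time=0.873 ms (DUP!)
64 bytes from fe80::a00:27ff:fe12:3456%eth0: icmp_seq=1 ttl=64 time=1.102 ms (DUP!)
64 bytes from fe80::1%eth0: icmp_seq=2 ttl=64 time=0.498 ms
"""

# Constructed sample in the shape of "ip -6 neigh show" on Linux. The
# neighbour cache maps the global addresses hosts actually use to their MACs.
IP_NEIGH_OUTPUT = """\
2001:db8:1::10 dev eth0 lladdr 08:00:27:4e:66:a1 REACHABLE
2001:db8:1::20 dev eth0 lladdr 08:00:27:12:34:56 STALE
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:1::30 dev eth0  FAILED
"""

# Matches the responder address in a ping6 reply line, dropping any %zone suffix.
PING_RE = re.compile(r"bytes from ([0-9a-fA-F:]+)(?:%\w+)?:")

# Neighbour cache states that indicate a host really answered at some point.
LIVE_STATES = ("REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT")


def sweep_seconds(prefix, probes_per_second):
    """Seconds needed to send one probe to every address in prefix at the given rate."""
    return IPv6Network(prefix).num_addresses / probes_per_second


def hosts_from_ping6(output):
    """Unique responder addresses from ping6 ff02::1 output, in first-seen order."""
    seen = []
    for match in PING_RE.finditer(output):
        addr = match.group(1)
        if addr not in seen:
            seen.append(addr)
    return seen


def hosts_from_neigh(output):
    """Map address -> link-layer address for neighbour entries in a live state."""
    hosts = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "dev":
            continue  # not a neighbour entry
        if fields[-1] not in LIVE_STATES:
            continue  # FAILED / INCOMPLETE entries never answered
        lladdr = fields[fields.index("lladdr") + 1] if "lladdr" in fields else None
        hosts[fields[0]] = lladdr
    return hosts


def scan_targets(ping_output, neigh_output, in_scope):
    """Deduplicated, sorted list of discovered addresses inside the in-scope prefix.

    Link-local responders are kept only as evidence that a host exists; the
    vulnerability scanner is handed the global addresses that fall in scope.
    """
    net = IPv6Network(in_scope)
    candidates = set(hosts_from_ping6(ping_output)) | set(hosts_from_neigh(neigh_output))
    in_net = [IPv6Address(a) for a in candidates if IPv6Address(a) in net]
    return [str(a) for a in sorted(in_net, key=int)]


if __name__ == "__main__":
    years = sweep_seconds("2001:db8:1::/64", 1_000_000) / (365.25 * 86400)
    print(f"/64 sweep at 1M probes/s: about {years:,.0f} years")
    print("on-link responders:", hosts_from_ping6(PING6_OUTPUT))
    print("scan targets:", scan_targets(PING6_OUTPUT, IP_NEIGH_OUTPUT, "2001:db8:1::/64"))
```

The neighbour-cache pass is what turns link-local responders into the global addresses an auditor will expect on the scan report; FAILED entries are dropped because they record an address that never answered. In practice the discovery would be repeated from each in-scope VLAN, since ff02::1 is link-scoped, and the resulting list, not the prefix, is what gets handed to the 11.2 scanner.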