Educause Security Discussion mailing list archives

Re: PCI


From: "Jacobson, Dick" <dick.jacobson () NDUS EDU>
Date: Mon, 27 Jun 2011 09:27:12 -0700

Fyi ... Thanks to Johannes for responding with ...


Yes I was the instructor for the class, and that statement is correct.

There are a couple of reasons why PCI and IPv6 conflict. Of course, you could always address them with mitigating
controls, but that means extra work.

For example, section 1.3, in particular 1.3.8, suggests the use of NAT, which doesn't exist in this form in IPv6; a
reverse proxy and Unique Local Addresses may fulfill this requirement. The "scan regularly" statement comes from
section 11.2, which does require regular vulnerability scans. It doesn't say specifically that you have to do full network
scans, but it is frequently implied and required by auditors. Again, your mileage may vary depending on your auditor,
and some of the techniques mentioned in class (e.g. ping6 ff02::1) may be acceptable as a mitigating control.


From: Institute for Computer Policy and Law Constituent Group Listserv [mailto:ICPL () LISTSERV EDUCAUSE EDU] On Behalf 
Of Jacobson, Dick
Sent: Monday, June 27, 2011 9:41 AM
To: ICPL () LISTSERV EDUCAUSE EDU
Subject: [ICPL] PCI

I attended an IPv6 seminar last week and am wondering if I heard something correctly. This did not register with me
until after the seminar, and since the seminar I have been looking for an email address for Johannes Ullrich (the
instructor), but have not found one, and asked a few people around here about this. I have not been able to get a
half-way-confident answer so I am bringing the question here.

I think I heard that on an IPv6 network, you cannot be PCI compliant because (I think) the size of the address space
makes it impossible to scan in a timely manner, as required.

Does this question make sense? Any comments/thoughts for me?
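The two points in the thread, that a brute-force sweep of an IPv6 prefix is not feasible in any audit window and that an all-nodes multicast ping (ping6 ff02::1) can enumerate the hosts actually on a segment so a section 11.2 vulnerability scan can be targeted at them, can be worked through in a few lines. The following is an added example written for this archive page, not code from either poster or from the seminar; the ping6 output it parses is a constructed sample in the format printed by iputils ping6, and the scan-rate figure is an assumption chosen for illustration.

```python
# Added example (not part of this thread): scoping a PCI DSS 11.2 vulnerability
# scan on an IPv6 segment. It shows (a) why probing a whole /64 is infeasible and
# (b) how the replies to an all-nodes multicast ping (ping6 ff02::1) can seed a
# host inventory to scan instead. The ping6 output below is constructed.
import ipaddress
import re
from typing import List, Tuple

def brute_force_scan_seconds(prefix_len: int, probes_per_second: float) -> float:
    """Seconds needed to send one probe to every address in a prefix of this length."""
    addresses = 2 ** (128 - prefix_len)
    return addresses / probes_per_second

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def brute_force_scan_years(prefix_len: int, probes_per_second: float) -> float:
    """Same figure in years, which is the unit a /64 sweep ends up in."""
    return brute_force_scan_seconds(prefix_len, probes_per_second) / SECONDS_PER_YEAR

# Matches reply lines as printed by iputils ping6; the "%eth0" zone index is optional
# and "(DUP!)" markers (normal for multicast replies) are simply ignored.
REPLY_LINE = re.compile(r"bytes from ([0-9A-Fa-f:.]+)(?:%\w+)?: icmp_seq=")

def responders_from_ping6(output: str) -> List[str]:
    """Unique addresses that answered the multicast ping, in first-seen order."""
    seen: List[str] = []
    for line in output.splitlines():
        m = REPLY_LINE.search(line)
        if not m:
            continue
        addr = str(ipaddress.IPv6Address(m.group(1)))  # canonical form, so "fe80::0001" == "fe80::1"
        if addr not in seen:
            seen.append(addr)
    return seen

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")

def classify(addr: str) -> str:
    """Address class a discovered host replied from (it decides where a scanner must sit)."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"    # reachable only on this segment; scanner must be on-link
    if a in UNIQUE_LOCAL:
        return "unique-local"  # routable internally, never on the Internet (the ULA case above)
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"

def scan_scope(output: str) -> List[Tuple[str, str]]:
    """(address, class) for every responder: the target list for a targeted scan."""
    return [(a, classify(a)) for a in responders_from_ping6(output)]

# Constructed sample of `ping6 -c 2 ff02::1%eth0` output (not a real capture).
SAMPLE_PING6_OUTPUT = """\
PING ff02::1%eth0(ff02::1%eth0) 56 data bytes
64 bytes from fe80::1%eth0: icmp_seq=1 ttl=64 time=0.047 ms
64 bytes from fe80::21b:21ff:fe3a:9c01%eth0: icmp_seq=1 ttl=64 time=0.412 ms (DUP!)
64 bytes from fe80::5054:ff:fe12:3456%eth0: icmp_seq=1 ttl=64 time=0.615 ms (DUP!)
64 bytes from fe80::1%eth0: icmp_seq=2 ttl=64 time=0.051 ms
64 bytes from fe80::21b:21ff:fe3a:9c01%eth0: icmp_seq=2 ttl=64 time=0.398 ms (DUP!)

--- ff02::1%eth0 ping statistics ---
2 packets transmitted, 2 received, +3 duplicates, 0% packet loss, time 1001ms
"""

if __name__ == "__main__":
    # Assumed rate of one million probes per second, far above what most scanners sustain.
    print(f"/64 at 1M probes/s: {brute_force_scan_years(64, 1e6):,.0f} years")
    for addr, kind in scan_scope(SAMPLE_PING6_OUTPUT):
        print(f"{addr:40} {kind}")
```

Two caveats matter when presenting this to an auditor as a mitigating control. The multicast ping only reaches hosts on the link the scanner is attached to, so it has to be repeated from every in-scope segment, and the replies come from link-local addresses, so the inventory still has to be mapped to the routable (global or unique-local) addresses the scan is actually run against. Hosts configured to ignore multicast echo requests will not appear at all, which is why the result should be cross-checked against another source such as router neighbor caches or DHCPv6 leases before it is treated as the complete scan scope.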

