nanog mailing list archives
Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space
From: Scott Howard <scott () doc net au>
Date: Mon, 9 Feb 2009 22:24:03 -0800
On Mon, Feb 9, 2009 at 9:54 PM, John Osmon <josmon () rigozsaurus com> wrote:
It isn't SOX, but sadly enough, PCI DSS Requirement 1.5 says: Implement IP address masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT)
It's moved to Requirement 1.3.8 of the current PCI DSS (V1.2, October 2008), and has been reworded slightly:

*1.3.8 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies—for example, port address translation (PAT).*

However the PCI DSS does contain a "Compensating controls" section, which allows for the use of functionality which "provide[s] a similar level of defense" to the stated requirements, where the stated requirements can not be followed due to "legitimate technical or documented business constraints".

Now the fact that RFC1918 addresses don't work with IPv6 is clearly a "legitimate technical ... constraint", so as long as you could successfully argue that a stateful firewall or other measures in place provided equivalent security as NAT you should be fine.

Scott.