nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: Gary Buhrmaster <gary.buhrmaster () gmail com>
Date: Sat, 19 Apr 2014 15:47:31 +0000

On Sat, Apr 19, 2014 at 2:29 PM, joel jaeggli <joelja () bogus com> wrote:
> On 4/18/14, 7:04 PM, Jeff Kell wrote:
>> PCI requirement 1.3.8 pretty much requires RFC1918
>> addressing of the computers in scope...
>
> It does not

You are correct.  In theory.  However, for those
organizations that have chosen to use a firewall
with NAT rather than apply one of the other alternatives,
the practice says that to implement IPv6, the
firewall they want needs to do NAT.

Again, telling someone that they are doing it
wrong (and that they should change) will not
be successful.  Especially if the network people
do not talk to the systems people, and do not
talk to the applications people, and do not talk
to the auditors....  Not that any organization
would be so stove-piped.  Perhaps there should
be an I-D BCP about not stove-piping organizations
too.

And, while PCI compliance was the straw-man,
I have seen other audit results that called out
a lack of using NAT too (even though they, also,
should not have done so; it was the policy that
they should have called out.  But that would
require real understanding rather than a checklist).

Gary

