Educause Security Discussion mailing list archives

Re: PCI


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 5 Jul 2011 12:37:15 -0400

On Mon, 27 Jun 2011 13:22:59 CDT, Paul Kendall said:

> That's correct. Yes, the 'letter of the law' within PCI does conflict with
> IPv6. HOWEVER, there are numerous ways around it. Compensating controls are the
> first and foremost that come to mind, and it does not necessarily require a
> huge effort or workaround.

In this case, it's *trivial* - just do the following:

1) Run a scan against machines known to be present (make sure to sniff the ND
caches and ARP tables on the router as well as machines you know about, so you
get everybody that's *really* there including unauthorized ones).

2) Document the inability to scan the entire subnet as its own compensating control - if
you can't scan the subnet for machines, the attacker can't either.

(A bigger *actual* issue is what happens if somebody *tries* to scan the subnet
- although most modern routers have enough ARP cache to handle a few /21 IPv4
subnets without trouble, many of them do (at best) poorly if somebody starts
trying to scan an IPv6 /64 and they start having issues after the first few
thousand hosts. Many routers will start dropping ND entries for known existing
hosts to make room for incomplete entries, and hilarity ensues...)
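The first step above, building the scan target list from neighbour caches rather than sweeping the /64, as an added example that is not part of the original message. It is a small POSIX shell filter that takes the output of Linux `ip -6 neigh show` (or `ip -4 neigh show` for the ARP side) and keeps only entries that correspond to hosts actually seen on the link; FAILED and INCOMPLETE entries are unanswered solicitations, which is exactly the probe residue the message warns about, not hosts. The sample neighbour-cache lines are constructed; the `nd_targets` and `nd_target_count` names, and the `nmap` usage in the trailing comment, are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: derive an IPv6/IPv4 scan
# target list from neighbour-cache entries instead of scanning the subnet.
# Input format is that of Linux `ip -6 neigh show` / `ip -4 neigh show`;
# a router's neighbour table would be pulled separately (e.g. over SSH or
# SNMP) and fed through the same filter after reformatting.

# Keep only entries whose state means the neighbour has answered at some
# point. INCOMPLETE/FAILED entries are solicitations nobody answered, so
# they are dropped. Link-local addresses are kept: a host with no global
# address is still a host on the segment.
nd_targets() {
    awk '
        $1 ~ /^[0-9a-fA-F.:]+$/ &&
        $0 ~ /(REACHABLE|STALE|DELAY|PROBE|PERMANENT)/ {
            print $1
        }
    ' "$@" | sort -u
}

# Constructed sample in `ip neigh show` format (IPv6 plus one IPv4 entry).
# The duplicate REACHABLE line and the FAILED/INCOMPLETE lines exercise
# the de-duplication and the state filter.
SAMPLE_ND='2001:db8:1::10 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE
2001:db8:1::11 dev eth0 lladdr 52:54:00:ab:cd:ef STALE
fe80::5054:ff:fe12:3456 dev eth0 lladdr 52:54:00:12:34:56 router DELAY
2001:db8:1::2a dev eth0  FAILED
2001:db8:1::99 dev eth0  INCOMPLETE
192.0.2.7 dev eth0 lladdr 52:54:00:00:00:07 REACHABLE
2001:db8:1::10 dev eth0 lladdr 52:54:00:12:34:56 REACHABLE'

# Number of distinct live targets the sample yields (helper for checking).
nd_target_count() {
    printf '%s\n' "$SAMPLE_ND" | nd_targets | wc -l | tr -d ' '
}

# On a live host (assumed workflow, not executed here):
#   ip -6 neigh show | nd_targets > targets6.txt
#   nmap -6 -iL targets6.txt -sS -p- ...
# Link-local targets need the interface scope appended (addr%eth0) when
# scanned from the same link.
```

Run this immediately after your normal traffic has been flowing for a while, and on the router as well as on hosts you already know about; a neighbour cache only lists what has talked recently, so a quiet unauthorized host can still be missed, which is why the message pairs this with the documented compensating control rather than calling it complete coverage.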

