Educause Security Discussion mailing list archives
Re: PCI
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 5 Jul 2011 12:37:15 -0400
On Mon, 27 Jun 2011 13:22:59 CDT, Paul Kendall said:
> That's correct. Yes, the 'letter of the law' within PCI does conflict with IPv6. HOWEVER, there are numerous ways around it. Compensating controls are the first and foremost that come to mind, and it does not necessarily require a huge effort or workaround.
In this case, it's *trivial* - just do the following:

1) Run a scan against machines known to be present (make sure to sniff the ND caches and ARP tables on the router as well as machines you know about, so you get everybody that's *really* there including unauthorized ones).

2) Document the inability to scan the entire subnet as its own compensating control - if you can't scan the subnet for machines, the attacker can't either.

(A bigger *actual* issue is what happens if somebody *tries* to scan the subnet - although most modern routers have enough ARP cache to handle a few /21 IPv4 subnets without trouble, many of them do (at best) poorly if somebody starts trying to scan an IPv6 /64 and they start having issues after the first few thousand hosts. Many routers will start dropping ND entries for known existing hosts to make room for incomplete entries, and hilarity ensues...)
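The neighbour-cache approach from the message above, as an added example that is not part of the original post: instead of sweeping a /64, pull the router's ND and ARP caches, keep only entries that actually resolved to a link-layer address, group them by MAC so one host with IPv4, global IPv6 and link-local addresses shows up once, flag any MAC that is not in the asset inventory, and hand the routable addresses to the scanner. The `ip neigh show` output, the MAC allow-list and the probe rate are all constructed for the example; the `sweep_seconds` helper just shows why point 2 holds for a /64 and not for a /21.

```python
"""Build a scan target list from ND/ARP cache entries instead of sweeping a /64.

Added example, not code from the list post.  Input is constructed Linux
`ip neigh show` / `ip -6 neigh show` output; KNOWN_MACS is a made-up inventory.
"""
import ipaddress
from collections import defaultdict

# Neighbour states that mean the host answered at some point.
# FAILED and INCOMPLETE are the residue of probes nobody answered - exactly
# the entries a subnet sweep fills the cache with.
LIVE_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}

# Constructed sample of what the router's neighbour tables might print.
SAMPLE_NEIGH = """\
192.0.2.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.20 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.0.2.200 dev eth0  INCOMPLETE
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 STALE
2001:db8:1:0:a1b2:c3d4:e5f6:7890 dev eth0 lladdr 00:11:22:33:44:77 DELAY
2001:db8:1::99 dev eth0  FAILED
"""

# Constructed asset inventory: the MACs the admin already knows about.
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


def parse_neigh(text):
    """Yield (ip, mac, state) for entries that resolved to a link-layer address."""
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        state = tok[-1] if tok[-1].isupper() else None
        if "lladdr" not in tok or state not in LIVE_STATES:
            continue  # unresolved, failed or still probing: nobody is there
        mac = tok[tok.index("lladdr") + 1].lower()
        yield ipaddress.ip_address(tok[0]), mac, state


def _order(ip):
    # Sort IPv4 before IPv6; mixed-version address objects do not compare.
    return (ip.version, int(ip))


def inventory(text, known_macs):
    """Group addresses by MAC so one NIC with v4 + v6 + link-local is one host."""
    hosts = defaultdict(set)
    for ip, mac, _ in parse_neigh(text):
        hosts[mac].add(ip)
    return {
        mac: {"addrs": sorted(ips, key=_order), "known": mac in known_macs}
        for mac, ips in hosts.items()
    }


def scan_targets(text, known_macs):
    """Return (routable addresses for the scanner, MACs missing from inventory).

    Link-local addresses are only reachable from the same link, so they are
    kept in the inventory but not handed to a scanner on another segment.
    """
    targets, unauthorized = [], []
    for mac, info in inventory(text, known_macs).items():
        if not info["known"]:
            unauthorized.append(mac)
        targets.extend(ip for ip in info["addrs"] if not ip.is_link_local)
    return [str(ip) for ip in sorted(targets, key=_order)], sorted(unauthorized)


def sweep_seconds(prefix, probes_per_second):
    """Seconds a brute-force sweep of `prefix` needs at a given probe rate."""
    return ipaddress.ip_network(prefix).num_addresses / probes_per_second


if __name__ == "__main__":
    targets, rogue = scan_targets(SAMPLE_NEIGH, KNOWN_MACS)
    print("scan targets:", targets)
    print("MACs not in inventory:", rogue)
    for p in ("192.0.0.0/21", "2001:db8:1::/64"):
        print(f"{p}: {sweep_seconds(p, 1_000_000):.3g} s at 1M probes/s")
```

Feed it the real caches with `ip neigh show; ip -6 neigh show` on each router and host (the `nud` filter, e.g. `ip -6 neigh show nud reachable`, cuts the noise further), and keep the resulting target list with the scan report: that list plus the sweep-time arithmetic is the documentation the compensating control needs.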