nanog mailing list archives

Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space


From: John Curran <jcurran () mail com>
Date: Tue, 10 Feb 2009 17:56:15 -0500

On Feb 10, 2009, at 4:30 PM, TJ wrote:

But that is my point - Do any of the compliance frameworks / requirements / audit standards today address IPv6, or detail how it could be implemented in such a fashion as to 'pass' an audit (including the "in-house" / consultant-specific audit guidelines)? If it can be done, but is solely a "you and your (current) auditor figure it out, on a case by case basis, every time" I would argue that that is not good enough for the general case.

Compliance frameworks are generally technology agnostic.
They tell you "have an information boundary for your system",
"manage your user identifiers", etc.  Aside from the DoD IA
STIGs (and a small handful of NIST areas such as encryption),
you don't find specifications that particular protocols or
technologies are required.  They don't require major updating
for IPv6 because there's very little IPv4-specific content
in them already.

That's not to say that moving an application to IPv6 is trivial
from a compliance and security perspective, as you've still got a
pile of mandatory firewall, load-balancing, and IDS infrastructure
that needs to handle IPv6 correctly before you can get started.
In organizations that are planning ahead, this is common security
control infrastructure, and gets done once centrally rather than
each little component.

And while I agree with you, "any change = redo", I would argue that not everyone realizes that all of their C&A work will need to be re-done in order to retain their CTOs/ATOs if they move forward with any sort of IPv6 deployment. I have heard the gasps (I didn't see the faces; a coworker of mine did and said it was amusing - in a sad way.)

Look, systems change.  Change your database software, and you
get to update the corresponding pieces of the C&A package.  Add
IPv6, you have to update the network portions.  This shouldn't
be a surprise to anyone, and it certainly doesn't mean "all of
their C&A work will need to be re-done".

/John
