nanog mailing list archives

Re: Requirements for IPv6 Firewalls


From: Eugeniu Patrascu <eugen () imacandi net>
Date: Sat, 19 Apr 2014 11:52:02 +0300

On Sat, Apr 19, 2014 at 5:04 AM, Jeff Kell <jeff-kell () utc edu> wrote:

On 4/18/2014 9:53 PM, Dobbins, Roland wrote:
On Apr 19, 2014, at 1:20 AM, William Herrin <bill () herrin us> wrote:

There isn't much a firewall can do to break it.
As someone who sees firewalls break the Internet all the time for those
whose packets have the misfortune to traverse one, I must respectfully
disagree.

If end-to-end connectivity is your idea of "the Internet", then a
firewall's primary purpose is to break the Internet.  It's how we
provide access control.

If a firewall blocks "legitimate, authorized" access then perhaps it
adds to breakage (PMTU, ICMP, other blocking) but otherwise it works.

As to address the other argument in this thread on NAT / private
addressing, PCI requirement 1.3.8 pretty much requires RFC1918
addressing of the computers in scope...  has anyone hinted at PCI for IPv6?
1.3.8: Do not disclose private IP addresses and routing information to
unauthorized parties.
Note: Methods to obscure IP addressing may include, but are not limited to:
- Network Address Translation (NAT)
- Placing servers containing cardholder data behind proxy servers/firewalls
or content caches
- Removal or filtering of route advertisements for private networks that
employ registered addressing
- Internal use of RFC1918 address space instead of registered addresses.

From what I see in the requirement it says "don't let people on the outside
know that your webserver has 192.168.100.200 as an IP address", not that
you should NAT everything.

Also if you are lucky enough to have lots of IPv4 addresses and assign them
to all your servers/devices in your PCI compliant infrastructure this
requirement (1.3.8) will not even apply to you.

Eugeniu
