nanog mailing list archives
Re: Requirements for IPv6 Firewalls
From: Eugeniu Patrascu <eugen () imacandi net>
Date: Sat, 19 Apr 2014 11:52:02 +0300
On Sat, Apr 19, 2014 at 5:04 AM, Jeff Kell <jeff-kell () utc edu> wrote:
> On 4/18/2014 9:53 PM, Dobbins, Roland wrote:
>> On Apr 19, 2014, at 1:20 AM, William Herrin <bill () herrin us> wrote:
>>> There isn't much a firewall can do to break it.
>>
>> As someone who sees firewalls break the Internet all the time for those
>> whose packets have the misfortune to traverse one, I must respectfully disagree.
>
> If end-to-end connectivity is your idea of "the Internet", then a firewall's primary purpose is to break the Internet. It's how we provide access control. If a firewall blocks "legitimate, authorized" access then perhaps it adds to breakage (PMTU, ICMP, other blocking) but otherwise it works.
>
> As to address the other argument in this thread on NAT / private addressing, PCI requirement 1.3.8 pretty much requires RFC1918 addressing of the computers in scope... has anyone hinted at PCI for IPv6?
1.3.8: Do not disclose private IP addresses and routing information to unauthorized parties.
Note: Methods to obscure IP addressing may include, but are not limited to:
- Network Address Translation (NAT)
- Placing servers containing cardholder data behind proxy servers/firewalls or content caches
- Removal or filtering of route advertisements for private networks that employ registered addressing
- Internal use of RFC1918 address space instead of registered addresses.
From what I see in the requirement it says "don't let people on the outside know that your webserver has 192.168.100.200 as an IP address", not that you should NAT everything.

Also if you are lucky enough to have lots of IPv4 addresses and assign them to all your servers/devices in your PCI compliant infrastructure this requirement (1.3.8) will not even apply to you.

Eugeniu