[arin-ppml] IPV4 allocations

McNutt, Justin M. McNuttJ at missouri.edu
Sun Jan 4 08:53:12 EST 2009


> If IPv6 is going to pass through the present litany of compliance bodies
> then Firewalls and NAT are here to stay.  PCI requires both, HIPAA doesn't
> specifically, but there's no other way to meet the privacy requirements
> without them and now Microsoft's new PII standard has similar wording to
> PCI.

Actually, PCI requires firewalls, but not NAT.  I'm told by our
compliance people that a firewall that rejects all incoming traffic
makes the host "unaddressable from the Internet," which is sufficient.
I've never heard an auditor complain once he was shown the
accountability issue on top of it.

Getting rid of firewalls is for the Grand Future, not the present.  It's
also for the general case.  PCI-compliant implementations do not
encompass the majority of our user networks, as I suspect they don't for
most networks, by design (since having hundreds of users in the same
security zone as the e-commerce servers would break PCI).

Point being, IPv6 firewalls aren't a problem.  NAT is.

> The requirements for security were developed because of known issues as
> mentioned and, since none of the RFC's seem to say "IPv6 will make up for
> bad coding, bad applications, networks and systems installed and maintained
> by "bob the computer guy" then IPv6 better be able to do everything IPv4
> does when it comes to established security criteria.

The thing is, *nothing* can make up for an insurmountable wave of
stupidity (bad coding, bad apps, etc.).  Better to just build something
good.  If people do bad and stupid things with it, then blame them for
doing bad and stupid things, but don't *help them do it*.  Building
things that we know are bad into IPv6 on purpose is moving in the wrong
direction.

"If a team is in a positive frame of mind, it will have a good attitude.
If it has a good attitude, it will make a commitment to playing the game
right. If it plays the game right, it will win-unless, of course, it
doesn't have enough talent to win, and no manager can make goose-liver
pate out of goose feathers, so why worry?"
	--Sparky Anderson

> The real world can be a drag.

It can, indeed.  I see no reason to participate in making it worse,
though.  If the fools can build NAT and make it work, let them.  I, for
one, do not intend to even attempt to support it, if it appears on my
network.

--J
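As an added illustration of the "firewall, not NAT" position above (this is not part of the original post), a stateful nftables ruleset for an IPv6 host that drops all unsolicited inbound traffic while keeping globally routable addresses. It assumes a Linux host running nftables; the single permitted service on tcp/443 is an assumption standing in for whatever the host actually offers. The ICMPv6 rules are the caveat a practitioner needs: an IPv6 "reject everything inbound" policy that also drops neighbour discovery and packet-too-big messages stops the host working at all.

```nft
# Assumed: Linux host with nftables; tcp/443 is a placeholder service.
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Stateful part: only replies to connections this host opened.
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not function without these (unlike IPv4 ICMP, which
        # can often be dropped wholesale): path MTU discovery and errors.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Neighbour discovery is link-local and must arrive with hop
        # limit 255 (RFC 4861); anything else is forged or routed.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } ip6 hoplimit 255 accept

        # Multicast listener discovery, needed on most LAN segments.
        icmpv6 type { mld-listener-query, mld-listener-report } accept

        # The only unsolicited inbound connection explicitly permitted.
        tcp dport 443 ct state new accept

        # Everything else falls through to 'policy drop': the host has a
        # global address but is unreachable for unsolicited traffic,
        # and no address translation is involved anywhere.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax without loading it with `nft -c -f <file>`, then load it with `nft -f <file>` and confirm the result with `nft list ruleset`.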
