[arin-ppml] IPv4 Depletion as an ARIN policy concern

Leo Bicknell bicknell at ufp.org
Wed Oct 28 16:53:56 EDT 2009


In a message written on Wed, Oct 28, 2009 at 04:37:31PM -0400, Rodgers Moore wrote:
> PCI-DSS v1.2 Requirement 1.3.8 - "Implement IP masquerading to
> prevent internal addresses from being translated and revealed on
> the Internet, using RFC 1918 address space. Use network address
> translation (NAT) technologies-for example, port address translation
> (PAT)."

If I take away all the IPv4 specific blather, I get:

  "Implement IP masquerading to prevent internal addresses from being 
   translated and revealed on the Internet."

It would seem to me that IPv6 Privacy Extensions (perhaps better known
as "temporary addresses") would fit the bill.

http://www.ietf.org/rfc/rfc3041.txt

Indeed, I've used this on my OSX and FreeBSD boxes.  Outbound
connections make use of randomly generated IPv6 host identifiers,
and with careful configuration none of your internal addresses (e.g.
what SSH is listening on) are ever exposed.  I think it's a credible
argument that the 2^64 search space in IPv6 is at least as secure
as the 2^32 (source+dest 16 bit port fields, as adjusted by a NAT)
in IPv4, and it's probably more secure.

Lots of standards, BCP's and other documents will have to be updated
to include IPv6.  To suggest the only way to do that is to 100%
mirror IPv4 is foolish.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
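As an added illustration of the mechanism Leo points to (not part of the original message), the following Python reproduces the RFC 3041 section 3.2.1 temporary interface-identifier generator, which was later revised by RFC 4941: MD5 over the previous identifier and a stored history value, with the leftmost 64 bits becoming the new identifier (u/l bit cleared) and the rightmost 64 bits kept as the next history. The prefix and the seed identifier are constructed sample values.

```python
import hashlib
import ipaddress
from typing import List, Tuple


def next_temporary_iid(prev_iid: bytes, history: bytes) -> Tuple[bytes, bytes]:
    """One round of the RFC 3041 sec. 3.2.1 generator.

    prev_iid: the 64-bit interface identifier of the previous round
              (initially the interface's EUI-64-derived identifier).
    history:  the 64-bit history value stored from the previous round.
    Returns (new_iid, new_history).
    """
    if len(prev_iid) != 8 or len(history) != 8:
        raise ValueError("interface identifier and history must be 64 bits each")
    digest = hashlib.md5(prev_iid + history).digest()  # 128 bits
    new_iid = bytearray(digest[:8])                     # leftmost 64 bits
    # Clear bit 6 of the first octet (the u/l bit) so the identifier is
    # marked "local" and cannot be mistaken for an IEEE-assigned EUI-64.
    new_iid[0] &= 0xFD
    new_history = digest[8:]                            # rightmost 64 bits
    return bytes(new_iid), new_history


def temporary_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def temporary_addresses(prefix: str, seed_iid: bytes, seed_history: bytes,
                        count: int) -> List[ipaddress.IPv6Address]:
    """Addresses a host would use over successive regeneration intervals."""
    iid, history, out = seed_iid, seed_history, []
    for _ in range(count):
        iid, history = next_temporary_iid(iid, history)
        out.append(temporary_address(prefix, iid))
    return out


if __name__ == "__main__":
    # Constructed sample values: a documentation prefix and an EUI-64-style seed.
    seed = bytes.fromhex("0211223344556677")
    for addr in temporary_addresses("2001:db8:1:2::/64", seed, bytes(8), 3):
        print(addr)
```

Each outbound connection in a given interval uses the current temporary address; the stable identifier that services such as SSH listen on never appears in that traffic, which is the property the PCI requirement is after.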