[arin-ppml] IPv4 Depletion as an ARIN policy concern

Scott Leibrand scottleibrand at gmail.com
Wed Oct 28 16:56:16 EDT 2009


Does anyone know what the mechanism is for getting the next version of 
PCI-DSS updated to translate that requirement into something that covers 
IPv6?  Their concern is reasonable, and we should probably be engaging 
in a conversation with the PCI Security Standards Council and working 
with them to address those concerns as networks move to IPv6.

Unless someone here is involved in that process, it sounds like an 
opportunity for ARIN to do some additional outreach (if they're not 
already)...

-Scott

Rodgers Moore wrote:
> Only because I can chime in...  Any system that uses IPv6 will not be PCI-DSS compliant.
>
> PCI-DSS v1.2 Requirement 1.3.8 - "Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet, using RFC 1918 address space. Use network address translation (NAT) technologies-for example, port address translation (PAT)."
>
> It matters not how much B.S. this is, only that being non-compliant (as per the technically challenged auditor determines) allows Visa, MasterCard, Discover, and Amex to fine the *&^$# out of you and/or revoke your organization's ability to transact credit cards.
>
> Sorry, I couldn't help but bring a new twist to the conversation.  Or, uh, throw gas on the fire.
>
> Rodgers Moore, CCIE# 8153
> CSO
> Fortress Network Security
> 2500 Technology Dr
> Louisville KY 40299
>
>
> -----Original Message-----
> From: arin-ppml-bounces at arin.net [mailto:arin-ppml-bounces at arin.net] On Behalf Of Chris Engel
> Sent: Wednesday, October 28, 2009 4:06 PM
> To: 'Paul G. Timmins'; Joe Maimon; Chris Grundemann
> Cc: arin-ppml at arin.net
> Subject: Re: [arin-ppml] IPv4 Depletion as an ARIN policy concern
>
> Paul,
>
>
> Respectfully, that is because for the vast majority of Network/System Admins IPv6 and the details of its implementation are barely a blip on the radar screen....if that.
>
> I can attest that NAT is a tool which sees extensive use among said Admins...and NOT simply because one cannot obtain enough public IP addresses. As I believe I have illustrated...it has a variety of useful functionality for us. I can assure you that if something in IPv6 does not offer the equivalent functionality to that which NAT currently provides for IPv4 and in a similarly convenient manner.....you are going to hear a VERY loud wailing and gnashing of teeth from this population.
>
> I'm sure that is a sound that will resonate with equipment vendors. However without some confidence that some sort of NAT66 solution will be provided (or nearly identical functionality can be achieved).....you're going to see a lot of resistance in this population to IPv6 adoption.
>
> If you want people to actually be SUPPORTIVE of that adoption rather than RESISTANT then you have to provide some assurance that the tools they are used to working with to solve real problems will be available in some form.....or at the very least a substitute that achieves equivalent functionality and is easily translatable.
>
>
> "Taking this to its logical conclusion, it's not necessary for community consensus to implement NAT66. If people demand it, and equipment vendors want to implement it, they will, and then will standardize it after the fact, much like many other current standards have been done.
>
> The fact that no such standard exists and no platform I'm aware of implements NAT66 is pretty telling in and of itself.
>
> -Paul"
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.


