[arin-ppml] IPv4 Depletion as an ARIN policy concern

Joe Maimon jmaimon at chl.com
Wed Oct 28 17:11:41 EDT 2009



Leo Bicknell wrote:
> In a message written on Wed, Oct 28, 2009 at 04:37:31PM -0400, Rodgers Moore wrote:
>> PCI-DSS v1.2 Requirement 1.3.8 - "Implement IP masquerading to
>> prevent internal addresses from being translated and revealed on
>> the Internet, using RFC 1918 address space. Use network address
>> translation (NAT) technologies-for example, port address translation
>> (PAT)."
> 
> If I take away all the IPv4 specific blather, I get:

The only reason it is IPv4-specific is because it happens not to be 
available YET in IPv6.


> 
> Indeed, I've used this on my OSX and FreeBSD boxes.  Outbound
> connections make use of randomly generated IPv6 host identifiers,
> and with careful configuration none of your internal addresses (e.g.
> what SSH is listening on) are ever exposed. 

So do you think PCI compliance will be updated to include verifying that 
all the public IPv6 addresses used to source traffic from the thousands 
of LAN machines are not listening on any sockets on those addresses?


> I think it's a credible
> argument that the 2^64 search space in IPv6 is at least as secure
> as the 2^32 (source+dest 16 bit port fields, as adjusted by a NAT)
> in IPv4, and it's probably more secure.

I think it's possible the intent of the standard language is not nearly 
as narrowly technical as you are reading it.

> 
> Lots of standards, BCP's and other documents will have to be updated
> to include IPv6.  To suggest the only way to do that is to 100%
> mirror IPv4 is foolish.

And it is possible they will be updated to require features that 
currently are not widely available in IPv6 or to otherwise explicitly 
disallow it.

It is not foolish to suggest that providing all abilities in IPv6 that 
are widely used in IPv4 lowers the barrier to adoption.

Joe
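The verification step asked about above, as an added example that is not part of Joe's post or of the thread: given the text output of `ip -6 addr show` and `ss -6 -ltn` on a Linux host (the iproute2 formats are assumed; the command output embedded here is constructed, not captured from a real machine), report every listening socket that would answer on an RFC 4941 temporary address. A socket bound directly to a temporary address is flagged, and so is a wildcard `[::]` bind, because a wildcard bind answers on every address the host holds, temporary ones included, which is the case a naive per-address check misses.

```python
#!/usr/bin/env python3
"""Flag listening sockets reachable on IPv6 temporary (privacy) addresses.

Added example, not code from the ARIN-PPML thread. Parses the text output
of two Linux iproute2 commands, `ip -6 addr show` and `ss -6 -ltn`. The
sample output below is constructed for illustration.
"""
import ipaddress
import re

# Constructed sample of `ip -6 addr show`: one temporary address, its stable
# parent (iproute2 marks that one 'mngtmpaddr'), and a link-local address.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a1b2:c3d4:e5f6:1234/64 scope global temporary dynamic
       valid_lft 86271sec preferred_lft 14271sec
    inet6 2001:db8:1:2::1/64 scope global dynamic mngtmpaddr
       valid_lft 86271sec preferred_lft 86271sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed sample of `ss -6 -ltn`: a wildcard bind, a bind on the stable
# address, and a bind on the temporary address.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port                        Peer Address:Port
LISTEN  0       128     [::]:22                                   [::]:*
LISTEN  0       128     [2001:db8:1:2::1]:443                     [::]:*
LISTEN  0       128     [2001:db8:1:2:a1b2:c3d4:e5f6:1234]:8080   [::]:*
"""

INET6_LINE = re.compile(r"^\s*inet6\s+([^/\s]+)/\d+\s+(.*)$")
LISTEN_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)")


def normalize(addr: str) -> str:
    """Canonical textual form; drops a link-local zone index such as %eth0."""
    return str(ipaddress.IPv6Address(addr.split("%", 1)[0]))


def parse_ip6_addrs(text: str):
    """Return (temporary, all_addrs) as sets of normalized address strings.

    iproute2 prints the flag word 'temporary' on RFC 4941 privacy addresses.
    """
    temporary, all_addrs = set(), set()
    for line in text.splitlines():
        m = INET6_LINE.match(line)
        if not m:
            continue
        addr = normalize(m.group(1))
        all_addrs.add(addr)
        if "temporary" in m.group(2).split():
            temporary.add(addr)
    return temporary, all_addrs


def parse_ss_listeners(text: str):
    """Return [(address, port)] for each LISTEN row of `ss -6 -ltn`."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_LINE.match(line)
        if not m:
            continue
        host, port = m.group(1).rsplit(":", 1)
        host = host.strip("[]")
        if host in ("", "*"):  # older ss prints the wildcard as *:port
            host = "::"
        listeners.append((normalize(host), int(port)))
    return listeners


def find_exposed_listeners(ip_addr_output: str, ss_output: str):
    """Listeners that answer on a temporary address, as (address, port, reason)."""
    temporary, _ = parse_ip6_addrs(ip_addr_output)
    findings = []
    for addr, port in parse_ss_listeners(ss_output):
        if addr == "::":
            # A wildcard bind accepts connections on every address the host
            # holds, so every temporary address is listening on this port.
            findings.append((addr, port, "wildcard bind covers temporary addresses"))
        elif addr in temporary:
            findings.append((addr, port, "bound directly to a temporary address"))
    return findings


if __name__ == "__main__":
    for addr, port, reason in find_exposed_listeners(SAMPLE_IP_ADDR, SAMPLE_SS):
        print(f"[{addr}]:{port}  {reason}")
```

On a live host the two constants would be replaced by the captured output of the two commands; the run over the constructed sample reports port 22 (wildcard bind) and port 8080 (bound to the temporary address) and is silent about port 443, which is bound only to the stable address. The wildcard finding is the one that matters for the "careful configuration" Leo refers to: a daemon must be bound explicitly to the stable address, or filtered by port, for a temporary address to carry no listener.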


