On Sat, Apr 19, 2014 at 2:29 PM, joel jaeggli <joelja@bogus.com> wrote:
> On 4/18/14, 7:04 PM, Jeff Kell wrote:
>> PCI requirement 1.3.8 pretty much requires RFC1918 addressing of the computers in scope...
> It does not

You are correct. In theory. However, for those organizations that have chosen to use a firewall with NAT rather than apply one of the other alternatives, the practice says that to implement IPv6, the firewall they want needs to do NAT.

Again, telling someone that they are doing it wrong (and that they should change) will not be successful. Especially if the network people do not talk to the systems people, and do not talk to the applications people, and do not talk to the auditors.... Not that any organization would be so stove-piped. Perhaps there should be an I-D BCP about not stove-piping organizations too.

And, while PCI compliance was the straw-man, I have seen other audit results that called out a lack of using NAT too (even though they, also, should not have done so; it was the policy that they should have called out. But that would require real understanding rather than a checklist).

Gary