On Fri, Apr 18, 2014 at 06:37:28PM -0400, Lee Howard wrote:
> On 4/18/14 4:33 PM, "George Herbert" <george.herbert@gmail.com> wrote:
> > If William and I fight that fight, lose it, and come back and tell you "They won't go because insufficient NAT" you need to listen. I've fought this in a dozen places and lost 8 of them, not because I don't know v6, but because the clients have inertia and politics around security posture changes (and in some cases, PCI compliance regs).
>
> IPv6 evangelists are used to fighting inertia. PCI, however... anyone have any contacts there?
If you get to talk to them, they'll probably look at you funny and say, "whatchoo talkin' 'bout?". PCI DSS *does not require NAT*. Anyone who says differently is selling something (probably a NAT box). You can refer to the source documents yourself -- they're freely available (https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf, for example).

As a testimonial, we run a no-NAT environment and got full PCI compliance with nary a twitch of the eyebrow. Didn't even have to argue the toss with anyone.

- Matt