On Tue, 2012-01-31 at 21:02 +0000, Tom Hill wrote:
> On 31/01/12 15:35, Leo Vegoda wrote:
> >> I note that PCI DSS poses a problem for IPv6, in that section 1.3.8
> >> (my copy is dated October 2010) mandates that private IP addresses
> >> (they clearly mean RFC1918) are not revealed to or routable from the
> >> internet (my paraphrasing).
> >
> > Are RFC 4193 addresses not substitutable?
>
> Indeed, how 'clearly' do they insinuate RFC1918? "private IP addresses"
> would cover both IPv4 & IPv6 equivalents, even if I do have to take my
> anti-cynicism pills to get there.
The exact text of requirement 1.3.8: [1]

1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.

Note: Methods to obscure IP addressing may include, but are not limited to:
 - Network Address Translation (NAT)
 - Placing servers containing cardholder data behind proxy servers/firewalls or content caches,
 - Removal or filtering of route advertisements for private networks that employ registered addressing,
 - Internal use of RFC1918 address space instead of registered addresses.

PCI-DSS gets a lot of bad press (mainly for the genius of the card industry for being able to shift the risk to every merchant on the planet) but is generally founded in common sense. The problem tends to be with auditors who have a long list of boxes to tick and remarkably little IT / networks understanding.

Cheers,
Gavin.

[1] https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
