As for PCI DSS 2.0: Yes, I think their insistence on NAT is a bit silly. I’ve seen one-to-one static NAT implemented, and that meets the letter of PCI DSS 2.0: And does absolutely nothing for security. When IPv6 becomes more widespread, I expect that we will see DSS evolve again.

One thing that’s changed from when I wrote this article, though, is: There is NAT in IPv6, now. It’s called NPT, Network Prefix Translation, and came out of the NAT66 efforts. It takes one /48 and translates it 1:1 to another /48. There are legitimate uses for this, a network with multiple (think on the order of 15) geographically diverse exit points (data centers) being one of them.

Internal-LAN to Any on http/https/ping : Allow
Any to Internal-LAN on Any : Deny

Will do the same thing. But those rules must be maintained. And you must *have* a firewall in place. With NAT, you get them automatically, and you have to work hard to poke holes into the firewall. It’s virtually impossible to accidentally expose a whole computer on the Internet. In IPv6, it’s trivial to replace a firewall with a router (“just to test if this is a firewall issue”). For instance, in Linux all it would take is the command “service ip6tables stop” – and then it’s just as trivial to forget to put things back.

With NAT, that’s not going to happen. Without the firewall in place, nothing works, so you leave it untouched.

In fact, the credit-card industry has recognized this. They explicitly require NAT in their PCI security standards (and thus implicitly prohibit using IPv6).

Agreed on all the nightmares NAT causes, though.

if you downloaded the patch.py and diff file in c:\Python27 just run:

python patch-11.01.py vcvars3.diff

finally install using pip (google this and follow directions to download):

pip install pycrypto