Javascript disabled? Like other modern websites, the IETF Datatracker relies on Javascript. Please enable Javascript for full functionality.

Using IPsec to Secure IPv6-in-IPv4 Tunnels
draft-ietf-v6ops-ipsec-tunnels-05

Yes

(David Kessens)

No Objection

(Bill Fenner)

(Brian Carpenter)

(Dan Romascanu)

(Jari Arkko)

(Lars Eggert)

(Lisa Dusseault)

(Magnus Westerlund)

(Mark Townsley)

(Ross Callon)

(Russ Housley)

(Sam Hartman)

(Ted Hardie)

Note: This ballot was opened for revision 05 and is now closed.

David Kessens Former IESG member

Yes

Yes () Unknown

Bill Fenner Former IESG member

No Objection

No Objection () Unknown

Brian Carpenter Former IESG member

(was Discuss) No Objection

No Objection (2007-01-18) Unknown

From Gen-ART reviewer David Black, referring to the -05 version:

I suggest that an
RFC Editor note be used to insert the following text (much of which
Fred Baker wrote) to explain what "modeled as an interface" means:

  An important consideration in determining whether to use IPsec tunnel
  mode is whether the IPsec tunnel mode SA is modeled as an interface.
  This notion of interface is logical - any time a system, host or
  router, sends a datagram, it has to account for having done so using
  the RFC 2863 Interface MIB.  To do so, the system derives ifIndex from
  the route entry (see InetCidrRouteEntry in RFC 4292) that it uses to
  forward the   datagram, or from the IpDefaultRouterEntry described
  in RFC 4293.  The management information accessed via the ifIndex
  is "the interface" from a management and configuration perspective.

This text should be inserted immediately following this sentence in
Section 5:

  The IPv6 traffic can be protected using transport or tunnel mode.

This will also entail adding informative references to RFCs 2863,
4292 and 4293.

Dan Romascanu Former IESG member

No Objection

No Objection () Unknown

Jari Arkko Former IESG member

No Objection

No Objection (2006-12-14) Unknown

> The reason threat (1) exists is the lack of widespread deployment of
> IPv4 ingress filtering [RFC3704].

I believe it would be more correct to say "lack of universal
deployment" -- it is very widely deployed, just not everywhere.

Lars Eggert Former IESG member

No Objection

No Objection () Unknown

Lisa Dusseault Former IESG member

No Objection

No Objection () Unknown

Magnus Westerlund Former IESG member

No Objection

No Objection () Unknown

Mark Townsley Former IESG member

No Objection

No Objection () Unknown

Ross Callon Former IESG member

No Objection

No Objection () Unknown

Russ Housley Former IESG member

No Objection

No Objection (2006-12-11) Unknown

  From the SecDir Review by Sean Turner:

  Section 2, 1st para after numbered items: The RFC 4031 list of security
  services also includes access control, data origin authentication,
  rejection of replays, and limited traffic flow confidentiality.  Are
  these not offered?

  Section 5.2, 2nd to last para: s/bu no inter-/but no inter-/

Sam Hartman Former IESG member

(was Discuss) No Objection

No Objection (2006-12-13) Unknown

Folks, thanks for doing a great job on this document both at balancing
RFC 4301 vs RFC 2401 and at handling issues like the PAD.

Ted Hardie Former IESG member

No Objection

No Objection () Unknown

Using IPsec to Secure IPv6-in-IPv4 Tunnels draft-ietf-v6ops-ipsec-tunnels-05

Using IPsec to Secure IPv6-in-IPv4 Tunnels
draft-ietf-v6ops-ipsec-tunnels-05