Using IPsec to Secure IPv6-in-IPv4 Tunnels
RFC 4891

Note: This ballot was opened for revision 05 and is now closed.

(David Kessens) Yes

(Jari Arkko) No Objection

Comment (2006-12-14)
> The reason threat (1) exists is the lack of widespread deployment of
> IPv4 ingress filtering [RFC3704].

I believe it would be more correct to say "lack of universal
deployment" -- it is very widely deployed, just not everywhere.

(Ross Callon) No Objection

(Brian Carpenter) (was Discuss) No Objection

Comment (2007-01-18)
From Gen-ART reviewer David Black, referring to the -05 version:

I suggest that an RFC Editor note be used to insert the following text
(much of which Fred Baker wrote) to explain what "modeled as an
interface" means:

  An important consideration in determining whether to use IPsec tunnel
  mode is whether the IPsec tunnel mode SA is modeled as an interface.
  This notion of interface is logical - any time a system, host or
  router, sends a datagram, it has to account for having done so using
  the RFC 2863 Interface MIB.  To do so, the system derives ifIndex from
  the route entry (see InetCidrRouteEntry in RFC 4292) that it uses to
  forward the datagram, or from the IpDefaultRouterEntry described
  in RFC 4293.  The management information accessed via the ifIndex
  is "the interface" from a management and configuration perspective.

This text should be inserted immediately following this sentence in
Section 5:

  The IPv6 traffic can be protected using transport or tunnel mode.

This will also entail adding informative references to RFCs 2863,
4292 and 4293.

(Lisa Dusseault) No Objection

(Lars Eggert) No Objection

(Bill Fenner) No Objection

(Ted Hardie) No Objection

(Sam Hartman) (was Discuss) No Objection

Comment (2006-12-13)
Folks, thanks for doing a great job on this document both at balancing
RFC 4301 vs RFC 2401 and at handling issues like the PAD.

(Russ Housley) No Objection

Comment (2006-12-11)
  From the SecDir Review by Sean Turner:

  Section 2, 1st para after numbered items: The RFC 4031 list of security
  services also includes access control, data origin authentication,
  rejection of replays, and limited traffic flow confidentiality.  Are
  these not offered?

  Section 5.2, 2nd to last para: s/bu no inter-/but no inter-/

(Dan Romascanu) No Objection

(Mark Townsley) No Objection

Magnus Westerlund No Objection