Robin -
I can't see how Six/One Router's Unilateral mode could support IPsec authentication of the IPv6 header.
You are correct. In backwards compatibility mode, Six/One Router breaks IPsec Authentication Header. It's the same as with NATs. Packet exchanges between two upgraded edge networks don't have this limitation. And packet exchanges in IPsec ESP don't have it either. But packet exchanges in IPsec AH with legacy edge networks do. One may argue that this is acceptable because IPsec AH is not widely used, but that is clearly a personal opinion. - Christian -- to unsubscribe send a message to rrg-request@psg.com with the word 'unsubscribe' in a single line as the message text body. archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg