Comments on draft-tschofenig-v6ops-secure-tunnels-03.txt
Hi.
This seems a useful guide to using v6 in v4 tunnels in conjunction with IPsec.
I have a few comments (but not much in the way of contributions to the open
issues):
S3.2: Last para: A bit more explanation of the alternative solution would help.
S3.2: Some mention of potential scalability issues here - if I understand
correctly a tunnel and SA per host in the site is needed.
S5.1 (and elsewhere): The acronyms IDc1 and IDcr may need expansion.
S5 (all sections): My understanding (which may be wrong) is that SAs carry
either unicast or multicast traffic... some of the SAs defined in the SPD
seem to be intended to carry both unicast neighbor discovery/SAAC and the
associated MLD Join messages. If this is true separate SAs will be needed
but they can be more tightly defined ... the unicast ones are link local
to link local and the multicast ones have a restricted set of multicast
groups (All Nodes, All Routers, DHCP groups and Solicited Node groups).
S5: Where the SPD rule applies to a prefix, it might be clearer to use a
different operator (like ~) to indicate prefix matching rather than
equality (=).
S5: The packet format piece at the end of the section probably deserves a
separate section.
I have also made a number of editorial suggestions directly to the document
editor.
Regards,
Elwyn