Comments on draft-tschofenig-v6ops-secure-tunnels-03.txt

[Elwyn Davies <elwynd@dial.pipex.com>]

Hi.

This seems a useful guide to using v6 in v4 tunnels in conjunction with IPsec.

I have a few comments (but not much in the way of contributions to the open 
issues):
S3.2: Last para: A bit more explanation of the alternative solution would help.
S3.2: Some mention of potential scalability issues here - if i understand 
correctly a tunnel and SA per host in the site is needed.
S5.1 (and elsewhere): The acronyms IDc1 and IDcr may need expansion
S5 (all sections): My understanding (which may be wrong) is that SAs carry 
either unicast or multicast traffic... some of the SAs defined in the SPD 
seem to be intended to carry both unicast neighbor discovery/SAAC and the 
associated MLD Join messages.  If this is true separate SAs will be needed 
but they can be more tightly defined  ... the unicast ones are link local 
to link local and the multicast ones have a restricted set of multicast 
groups (All Nodes, All Routers, DHCP groups and Solicited Node groups).
S5: Where the SPD rule applies to a prefix, it might be clearer to use a 
different operator (like ~) to indicate prefix matching rather than 
equality (=).
S5:the packet format piece at the end of the section probably deservces a 
separate section.

I have also made a number of editorial suggestions directly to the document 
editor.

Regards,
Elwyn