
Re: Comments on draft-tschofenig-v6ops-secure-tunnels-03.txt



Elwyn,

Thanks for your comments.

> 
> This seems a useful guide to using v6 in v4 tunnels in conjunction with IPsec.
> 
> I have a few comments (but not much in the way of contributions to the open 
> issues):
> S3.2: Last para: A bit more explanation of the alternative solution would help.

Ok. 

> S3.2: Some mention of potential scalability issues here - if I understand 
> correctly a tunnel and SA per host in the site is needed.

Yes, we can mention that in the next revision.

> S5.1 (and elsewhere): The acronyms IDc1 and IDcr may need expansion

Ok.

> S5 (all sections): My understanding (which may be wrong) is that SAs carry 
> either unicast or multicast traffic... some of the SAs defined in the SPD 
> seem to be intended to carry both unicast neighbor discovery/SLAAC and the 
> associated MLD Join messages.  If this is true separate SAs will be needed 

Yes. But the intention is to have fewer SPD entries and protect most of the
link-local traffic. Otherwise, you need to have more SPD entries to
protect the different types of link-local traffic between the two end points.

> but they can be more tightly defined  ... the unicast ones are link local 
> to link local and the multicast ones have a restricted set of multicast 
> groups (All Nodes, All Routers, DHCP groups and Solicited Node groups).
>
> S5: Where the SPD rule applies to a prefix, it might be clearer to use a 
> different operator (like ~) to indicate prefix matching rather than 
> equality (=).

Okay.

> S5: the packet format piece at the end of the section probably deserves a 
> separate section.
> 
Okay.

> I have also made a number of editorial suggestions directly to the document 
> editor.
> 
Thanks
mohan

> Regards,
> Elwyn
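A constructed illustration, added here and not taken from the draft or from either correspondent, of the selector structure discussed in the thread: link-local unicast and multicast traffic in separate SPD entries, with prefix containment ("~") rather than address equality ("="). The SpdEntry class, the entry names and lookup() are assumptions of this example; the multicast group addresses are the well-known ones for the groups Elwyn lists.

```python
from ipaddress import IPv6Address, IPv6Network

# Link-local unicast prefix (RFC 4291).
LINK_LOCAL = IPv6Network("fe80::/10")

# The restricted set of multicast groups named in the thread.
MULTICAST_GROUPS = [
    IPv6Network("ff02::1/128"),         # All Nodes
    IPv6Network("ff02::2/128"),         # All Routers
    IPv6Network("ff02::1:2/128"),       # All DHCP relay agents and servers
    IPv6Network("ff02::1:ff00:0/104"),  # Solicited-Node groups
]


class SpdEntry:
    """Hypothetical SPD selector: source prefix, destination prefixes, action."""

    def __init__(self, name, src, dsts, action="PROTECT"):
        self.name, self.src, self.dsts, self.action = name, src, list(dsts), action

    def matches(self, src: IPv6Address, dst: IPv6Address) -> bool:
        # "~" semantics: the address is contained in the prefix, not equal to it.
        return src in self.src and any(dst in d for d in self.dsts)


# Two entries instead of one: unicast SA and multicast SA are kept separate.
SPD = [
    SpdEntry("ll-unicast", LINK_LOCAL, [LINK_LOCAL]),
    SpdEntry("ll-multicast", LINK_LOCAL, MULTICAST_GROUPS),
]


def lookup(src: str, dst: str):
    """Name of the first matching SPD entry, or None when no entry selects the pair."""
    s, d = IPv6Address(src), IPv6Address(dst)
    for entry in SPD:
        if entry.matches(s, d):
            return entry.name
    return None


def equality_would_match(prefix: IPv6Network, addr: str) -> bool:
    """Why "=" is misleading for a prefix: it only hits the prefix's base address."""
    return IPv6Address(addr) == prefix.network_address
```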