Hi Jim,
Thanks for your comments, and just one thing to follow
up on for now under a new subject heading:
Anytime a node tunnels packets to support a virtualized state such as
ISATAP does to support neighbor discovery has notes that should be
stated. That is what I mean by health warnings. For example nodes
should not be using this mechanism to subvert the addressing policy and
use of IPv6 communications without being authorized, etc.
I think there has been for a long time a fundamental
misunderstanding of the ISATAP domain of applicability.
In particular, the ISATAP virtual link connects *router*
interfaces; not host interfaces. As such, packets are not
delivered to/from host interfaces attached to the ISATAP
virtual link; they are forwarded *through* router
interfaces attached to the link.
Therefore, IPv6 packets sent by hosts only traverse
the ISATAP virtual link by being forwarded via a router.
And, since encryption/authentication is required for the
IPv6 packets that are forwarded by a router across the
ISATAP virtual link, there is nothing that could happen on
the ISATAP virtual link itself that would compromise IPv6
security.
Fred
fred.l.templin@boeing.com