Using IPsec to Secure IPv6-in-IPv4 Tunnels
RFC 4891
Yes
No Objection
Note: This ballot was opened for revision 05 and is now closed.
Lars Eggert No Objection
(David Kessens; former steering group member) Yes
(Bill Fenner; former steering group member) No Objection
(Brian Carpenter; former steering group member) (was Discuss) No Objection
From Gen-ART reviewer David Black, referring to the -05 version: I suggest that an RFC Editor note be used to insert the following text (much of which Fred Baker wrote) to explain what "modeled as an interface" means:

An important consideration in determining whether to use IPsec tunnel mode is whether the IPsec tunnel mode SA is modeled as an interface. This notion of interface is logical - any time a system, host or router, sends a datagram, it has to account for having done so using the RFC 2863 Interface MIB. To do so, the system derives ifIndex from the route entry (see InetCidrRouteEntry in RFC 4292) that it uses to forward the datagram, or from the IpDefaultRouterEntry described in RFC 4293. The management information accessed via the ifIndex is "the interface" from a management and configuration perspective.

This text should be inserted immediately following this sentence in Section 5: "The IPv6 traffic can be protected using transport or tunnel mode." This will also entail adding informative references to RFCs 2863, 4292 and 4293.
(Dan Romascanu; former steering group member) No Objection
(Jari Arkko; former steering group member) No Objection
> The reason threat (1) exists is the lack of widespread deployment of
> IPv4 ingress filtering [RFC3704].

I believe it would be more correct to say "lack of universal deployment" -- it is very widely deployed, just not everywhere.
(Lisa Dusseault; former steering group member) No Objection
(Magnus Westerlund; former steering group member) No Objection
(Mark Townsley; former steering group member) No Objection
(Ross Callon; former steering group member) No Objection
(Russ Housley; former steering group member) No Objection
From the SecDir Review by Sean Turner:

Section 2, 1st para after numbered items: The RFC 4031 list of security services also includes access control, data origin authentication, rejection of replays, and limited traffic flow confidentiality. Are these not offered?

Section 5.2, 2nd to last para: s/bu no inter-/but no inter-/
(Sam Hartman; former steering group member) (was Discuss) No Objection
(Ted Hardie; former steering group member) No Objection