draft-ietf-v6ops-ipsec-tunnels-04.txt

[Fred Baker <fred@cisco.com>]

David:

The IPv6 Operations Working Group proposes that draft-ietf-v6ops- 
ipsec-tunnels-04.txt be published as an informational document.  
Please add it to the IESG's list.

> Who is the Document Shepherd for this document?

Fred Baker

> Has the Document Shepherd personally reviewed this version of the
> document and, in particular, does he or she believe this version is
> ready for forwarding to the IESG for publication?

I have read it, and yes, I believe that it is ready for publication.

> Has the document had adequate review both from key WG members and
> from key non-WG members?

This document has had extensive review from the working group and
from the Security area over the past couple of years.

> Does the Document Shepherd have any concerns about the depth or
> breadth of the reviews that have been performed?

In general, I wish that I could say that all participants in v6ops
read all drafts, and I can't say that. However, I do believe that the
review has been adequate, and my own review has not flushed out
further issues.

> Does the Document Shepherd have concerns that the document needs
> more review from a particular or broader perspective, e.g.,
> security, operational complexity, someone familiar with AAA,
> internationalization or XML?

It has already had security area review, which is the matter I would
consider most pressing.

> Does the Document Shepherd have any specific concerns or issues
> with this document that the Responsible Area Director and/or the
> IESG should be aware of? For example, perhaps he or she is
> uncomfortable with certain parts of the document, or has concerns
> whether there really is a need for it.

In my review, I had two questions: whether the recommendation to
avoid tunnel mode was necessary/appropriate, and whether the
description of a site-to-router tunnel made sense. In the former
case, it appears to me that the working group accepts the
recommendation, and my initial concerns with it actually deal with
another issue (which is tunnel mode across a network and consistent
with running IPv6 through an IPv4 transport tunnel). In the latter
case, the question arises because section 3.2 describes it, but I
don't know how to configure it. I know how to set up an IPSEC
security association host-host, host-router, and router-router, but
not from a site to a router. That said, the document describes this
as a genealized version of host-router, and in my mind the
generalization does no violence to the matter.

> In any event, if the WG has discussed those issues and has
> indicated that it still wishes to advance the document, detail
> those concerns here.

As I said, the consensus of the working group is to accept the
recommendation, and I am willing to go with that.

> How solid is the WG consensus behind this document?

Having been through a couple of last calls and quite a bit of
discussion, I believe that the working group buys in to this draft.

> Does it represent the strong concurrence of a few individuals, with
> others being silent, or does the WG as a whole understand and agree
> with it?

v6ops is a quiet crowd. My experience is that when things are going
sideways, they get noisy. I believe that the working group
understands the issues and the recommendations and concurs with them.

> Has anyone threatened an appeal or otherwise indicated extreme
> discontent?

no

> Has the Document Shepherd personally verified that the document
> satisfies all ID nits? (See http://www.ietf.org/ID-Checklist.html
> and http://tools.ietf.org/tools/idnits/). Boilerplate checks are
> not enough; this check needs to be thorough.

The document refers, informatively, to two internet drafts that have
expired from the internet draft repository. As these are merely
informative, this is acceptable, and I would recommend that the RFC
Editor include in them the URL

    http://tools.ietf.org/html/...

That said, my preference would be for the two documents to be
published as RFCs (due to the fact that an internet draft is intended
to be an ephemeral document), perhaps with a note to the effect that
they represent unfinished work and the opinions of the authors. I'll
let the IESG flip that coin, and if they would like to invite the
authors to publish them through the RFC Editor process, to do so.

idnits 1.118

tmp/draft-ietf-v6ops-ipsec-tunnels-04.txt:


   Checking nits according to http://www.ietf.org/ID-Checklist.html:

     Checking conformance with RFC 3978/3979 boilerplate...

     the boilerplate looks good.

     No nits found.

   Checking nits according to http://www.ietf.org/ietf/1id-
guidelines.txt:
     Nothing found here (but these checks do not cover all of
     1id-guidelines.txt yet).

   Miscellaneous warnings:
     None.

   Experimental warnings:
     None.

     No nits found.

> Has the document met all formal review criteria it needs to, such
> as the MIB Doctor, media type and URI type reviews?

yes

> Has the document split its references into normative and informative?

yes

> Are there normative references to documents that are not ready for
> advancement or are otherwise in an unclear state?

no. This document is informational, and all of the normative
references are RFCs.

> Are there normative references that are downward references, as
> described in [RFC3967]? If so, list these downward references to
> support the Area Director in the Last Call procedure for them
> [RFC3967].

No, there are not.

> Has the Document Shepherd verified that the document IANA
> consideration section exists and is consistent with the body of the
> document?

Yes. The section states that there are no requests made of IANA, and
the document makes no requests of IANA.

> If the document specifies protocol extensions, are reservations
> requested in appropriate IANA registries?

no

> The IESG approval announcement includes a Document Announcement
> Write-Up. Please provide such a Document Announcement Writeup.
>
> Technical Summary

    This document gives guidance on securing manually configured
    IPv6-in-IPv4 tunnels using IPsec.  No additional protocol
    extensions are described beyond those available with the IPsec
    framework.

> Working Group Summary
> Was there anything in WG process that is worth noting? For example,
> was there controversy about particular points or were there
> decisions where the consensus was particularly rough?

As noted, the recommendation against tunnel mode surprised me, but I
was the only guy it bothered. I would not describe that as a
particularly rough consensus.

> Document Quality
> Are there existing implementations of the protocol?

There are implementations of IPv6/IPv4 tunneling, of host-router
tunnels, router-router tunnels, and host-host tunnels. With the
exception of describing a host-router tunnel as a site-router tunnel,
everything described in this document is bog-standard.

> Have a significant number of vendors indicated their plan to
> implement the specification?

A significant number already do. Does that count?

> Are there any reviewers that merit special mention as having done a
> thorough review, e.g., one that resulted in important changes or a
> conclusion that the document had no substantive issues?

Yes. The Acknowledgments section details a number of reviewers, some
of whom offered text.

> If there was a MIB Doctor, Media Type or other expert review, what
> was its course (briefly)?

The security review looked specifically at the use of IKE in both of
its versions and the issues being raised in the document. It was done
last spring and the result is the present document.

> Personnel
>
> Who is the Document Shepherd for this document?

Asked and answered :-)

> Who is the Responsible Area Director?

David Kessens