I already sent a few comments offline to the authors, but for the sake of openness here they are again on the list. The first set concerns Section 2.6.3.2. NAT64/DNS64.

o I would suggest a reference to Section 3.1 of draft-ietf-behave-nat64-discovery-heuristic in the second paragraph that mentions DNSSEC. The BEHAVE draft has nice text on using DNSSEC to validate the discovered Pref64::/n.

o I don't think the statement that UDP encapsulated IPsec would survive NAT64 is correct as a blanket statement. I have a hard time seeing how IKE or SPDs would work. Or is the assumption that IPsec is manually configured on the "IPv4-only host", which is then actually a dual stack host but with an IPv4-only interface terminating IPsec? If so, that should be pointed out.

- Jouni
