RFC 4891: Using IPsec to Secure IPv6-in-IPv4 Tunnel...

1. Introduction


   The IPv6 Operations (v6ops) working group has selected (manually
   configured) IPv6-in-IPv4 tunneling [RFC4213] as one of the IPv6
   transition mechanisms for IPv6 deployment.

   [RFC4213] identified a number of threats that had not been adequately
   analyzed or addressed in its predecessor [RFC2893].  The most
   complete solution is to use IPsec to protect IPv6-in-IPv4 tunneling.
   The document was intentionally not expanded to include the details on
   how to set up an IPsec-protected tunnel in an interoperable manner,
   but instead the details were deferred to this memo.

   The first four sections of this document analyze the threats and
   scenarios that can be addressed by IPsec and assumptions made by this
   document for successful IPsec Security Association (SA)
   establishment.  Section 5 gives the details of Internet Key Exchange
   (IKE) and IP security (IPsec) exchange with packet formats and
   Security Policy Database (SPD) entries.  Section 6 gives
   recommendations.  Appendices further discuss tunnel mode usage and
   optional extensions.

   This document does not address the use of IPsec for tunnels that are
   not manually configured (e.g., 6to4 tunnels [RFC3056]).  Presumably,
   some form of opportunistic encryption or "better-than-nothing
   security" might or might not be applicable.  Similarly, propagating
   quality-of-service attributes (apart from Explicit Congestion
   Notification bits [RFC4213]) from the encapsulated packets to the
   tunnel path is out of scope.

   The use of the word "interface" or the phrase "IP interface" refers
   to the IPv6 interface that must be present on any IPv6 node to send
   or receive IPv6 packets.  The use of the phrase "tunnel interface"
   refers to the interface that receives the IPv6-in-IPv4 tunneled
   packets over IPv4.


