RFC 4891: Using IPsec to Secure IPv6-in-IPv4 Tunnel...

6. Recommendations


   In Section 5, we examined the differences between setting up an IPsec
   IPv6-in-IPv4 tunnel using either transport or tunnel mode.  We
   observe that applying transport mode to a tunnel interface is the
   simplest and therefore recommended solution.

   In Appendix A, we also explore what it would take to use so-called
   Specific SPD (SSPD) tunnel mode.  Such usage is more complicated
   because IPv6 prefixes need to be known a priori, and multicast and
   link-local traffic do not work over such a tunnel.  Fragment handling
   in tunnel mode is also more difficult.  However, because the Mobility
   and Multihoming Protocol (MOBIKE) [RFC4555] supports only tunnel
   mode, when the IPv4 endpoints of a tunnel are dynamic and the other
   constraints are not applicable, using tunnel mode may be an
   acceptable solution.

   Therefore, our primary recommendation is to use transport mode
   applied to a tunnel interface.  Source address spoofing can be
   limited by enabling ingress filtering on the tunnel interface.

   Manual keying must not be used as large amounts of IPv6 traffic may
   be carried over the tunnels and doing so would make it easier for an
   attacker to recover the keys.  IKEv1 or IKEv2 must be used for
   establishing the IPsec SAs.  IKEv2 should be used where supported and
   available; if not, IKEv1 may be used instead.
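
An added example (not part of RFC 4891) of the ingress filtering recommended above, modelled as a check on a protocol-41 packet after IPsec processing has delivered it to the tunnel interface. The peer address, the permitted IPv6 prefixes, the decision to allow link-local sources, and the function names are assumptions made for illustration; the sample packets are constructed.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IPv4 protocol number for encapsulated IPv6

# Constructed tunnel definition using documentation ranges (assumptions).
TUNNEL_PEER_V4 = ipaddress.IPv4Address("192.0.2.1")
ALLOWED_INNER_SRC = [
    ipaddress.IPv6Network("2001:db8:1::/48"),  # prefix routed via this tunnel
    ipaddress.IPv6Network("fe80::/10"),        # link-local on the tunnel link
]


def ingress_check(packet: bytes) -> str:
    """Return 'accept' or 'drop:<reason>' for a packet arriving on the tunnel."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop:not-ipv4"
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 40:
        return "drop:truncated"
    if packet[9] != PROTO_IPV6_IN_IPV4:
        return "drop:not-proto-41"
    # Outer source must be the configured tunnel endpoint.
    if ipaddress.IPv4Address(packet[12:16]) != TUNNEL_PEER_V4:
        return "drop:outer-source-not-peer"
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        return "drop:inner-not-ipv6"
    # Ingress filter: inner source must belong to a prefix behind this tunnel.
    src = ipaddress.IPv6Address(inner[8:24])
    if not any(src in net for net in ALLOWED_INNER_SRC):
        return "drop:inner-source-spoofed"
    return "accept"


def build_packet(outer_src: str, inner_src: str) -> bytes:
    """Constructed sample: 20-byte IPv4 header plus a bare 40-byte IPv6 header."""
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64,
                     PROTO_IPV6_IN_IPV4, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address("198.51.100.2").packed)
    v6 = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,  # 59 = no next header
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address("2001:db8:2::1").packed)
    return v4 + v6
```
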


