Hi, My minimal request for this draft is for my name to be removed from the Acknowledgements, as I do not think that my comments have been acted on. In fact, I think that in its current state, this document is harmful to IPv6 deployment. It in effect encourage sites to fence themselves into an IPv4-only world. Particularly, it explicitly suggests a default/deny approach to IPv6-in-IPv4 tunnels, which would prevent the typical "baby steps" first approach to IPv6 deployment. I would like to see the document convey a positive message, suggesting that an IPv4 site first decides which IPv6 deployment mechanism it will use, and then configures security appropriately (to allow that mechanism and block all others). This wouldn't affect the technical recommendations much if at all. A specific aspect of this is that if a site provides one well-managed 6in4 tunnel mechanism, all tunneled IPv6 packets will pass through well-defined points where security mechanisms may be applied. We shouldn't imply that not having an IPv6 plan and blocking all IPv6 by default is a sound strategy. Regards Brian