I am reviewing this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Feel free to forward to any appropriate forum. This document extends the limited support for IPv6 VPN solutions in IKEv2, in particular allowing for multiple prefixes rather than a fixed number of addresses, which in turn allows various addressing strategies to be used. The Security Considerations section is actually quite unclear to me - at first glance, the opening phrase suggests that the solution does indeed do the thing it warns against, that is, assigning each client a unique, and therefore identifiable, prefix. It also fails to draw the reader's attention to any other relevent considerations - I'm assuming that the two and a half pages of security considerations in RFC 4306 have some direct relevance here. Also, the informative references noted in the Acknowledgements section would appear to have some potentially important security considerations - for example, RFC 4891's final consideration is: Please note that using IPsec for the scenarios described in Figures 1, 2, and 3 does not aim to protect the end-to-end communication. It protects just the tunnel part. It is still possible for an IPv6 endpoint not attached to the IPsec tunnel to spoof packets. ... given that IKEv2's previous support for IPv6 limited it to a single host at the client end, one assumes that this document introduces at least this security consideration. Dave.