Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This experimental draft "provides a framework for designing suites of IP diagnostic tests" to measure a network path's bulk transport capacity. As mentioned in the security considerations, actual attempts at measurement might be subject to manipulation by an attacker. As I understand it, the framework in this document neither attempts to prevent such attacks, nor makes them any more likely. The only other relevant potential security issue I could think of is whether measurement system(s) using this framework could be co-opted by an attacker to cause a denial of service to a specific network path. I think this would depend entirely on the implementation of a system designed using the framework in this document, and is therefore pretty far removed from this document itself. An attack like this also might not be possible because of some part of the framework that I missed. So I'll trust the authors' and/or working group's judgment on what to do with this comment. I think this draft is somewhere between (inclusive) Ready and Ready With Issues, depending on how far off-base my point about denial of service is. I'm leaning towards Ready. -- David Eric Mandelberg / dseomn http://david.mandelberg.org/