I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes a method for allowing multiple instances on the same domain in OSPFv2.

Since the Autype field in OSPFv2 will be halved by this document then one concern would have been if there were existing implementations using Autype values large enough to set bits in the higher octet. According to the authors this is not the case and so the risk of re-use of existing Autype values does apparently not exist. Conversely, when a router which does not understand this new use of the Autype field is presented with a packet from a router that is instance-aware (and uses a non-zero instance-id value) it will not accept it since it would represent an unknown authentication type. I would therefore tend to agree with the authors that the introduction of an InstanceID as part of the previous Autype field should not be a cause of concern.

Editorial:

- Section 2: Unclear sentence: "In support of this capability, this document introduces a modified packet header format with the Authentication Type field is split into an Instance ID and AuType." (Probably the "is" should be removed/replaced)

- Section 5: Refers to Appendix D but there is no Appendix D. Presumably the link should be to Appendix D of OSPFv2.

-- Magnus
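The compatibility argument in the review above, as an added example that is not part of the original message or of the reviewed document: the same 24-octet OSPFv2 header is parsed once by a receiver that reads octets 14-15 as a single 16-bit AuType and once by an instance-aware receiver. Assumptions: the AuType values 0, 1 and 2 are those defined in RFC 2328, the instance-aware receiver drops packets whose Instance ID differs from its own, and the function names and sample Router ID are constructed for illustration.

```python
import struct

# OSPFv2 common header: Version, Type, Length, Router ID, Area ID,
# Checksum, then octets 14-15 (the field the review discusses), then
# 8 octets of Authentication. Checksum is left at 0 and not verified here.
HDR_LEN = 24
KNOWN_AUTYPES = {0: "null", 1: "simple password", 2: "cryptographic"}  # RFC 2328


def build_header(instance_id, autype, router_id=0x0A000001, area_id=0):
    """Constructed Hello header; high octet = Instance ID, low octet = AuType."""
    return struct.pack("!BBHIIHBB8s", 2, 1, HDR_LEN, router_id, area_id,
                       0, instance_id, autype, b"\x00" * 8)


def legacy_parse(pkt):
    """Receiver that predates the split: octets 14-15 are one 16-bit AuType."""
    if len(pkt) < HDR_LEN:
        return ("drop", "short header")
    (autype16,) = struct.unpack_from("!H", pkt, 14)
    if autype16 not in KNOWN_AUTYPES:
        return ("drop", f"unknown AuType {autype16:#06x}")
    return ("accept", KNOWN_AUTYPES[autype16])


def instance_aware_parse(pkt, local_instance_id):
    """Receiver that understands the split (assumed drop-on-mismatch policy)."""
    if len(pkt) < HDR_LEN:
        return ("drop", "short header")
    instance_id, autype = struct.unpack_from("!BB", pkt, 14)
    if instance_id != local_instance_id:
        return ("drop", f"Instance ID {instance_id} != local {local_instance_id}")
    if autype not in KNOWN_AUTYPES:
        return ("drop", f"unknown AuType {autype}")
    return ("accept", KNOWN_AUTYPES[autype])


if __name__ == "__main__":
    for iid in (0, 1):
        pkt = build_header(iid, 2)
        print(f"Instance ID {iid}: legacy={legacy_parse(pkt)} "
              f"aware(local=1)={instance_aware_parse(pkt, 1)}")
```

With Instance ID 0 the two interpretations agree; any non-zero Instance ID sets bits in the high octet, so the legacy receiver sees a 16-bit value outside its known set and drops the packet.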