I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I consider this draft to be Ready.

When a LISP-enabled site has a multicast source emitting messages to other LISP-enabled sites, PIM is used to report that there are multicast receivers within those LISP-enabled sites. These PIM messages are encapsulated with LISP over the provider network (“RLOC address space”) to a LISP ITR at the site containing the multicast source.

This Internet-Draft adds an attribute to PIM that enables PIM at the LISP xTR in front of a multicast receiver to indicate how it would like to receive the multicast data packets. It may indicate that the LISP multicast data messages are to be sent as native multicast LISP encapsulated packets (replicated in the provider network) or as unicast LISP packets. When unicast packets are selected, another new attribute can indicate exactly which unicast receiver RLOC the multicast messages should be addressed to.

Security considerations of the semantics for protecting the multicast data packets are outside the scope of this document. These new attributes are all delivered in PIM messages, which are sent encapsulated in LISP, and if a user has chosen to protect the LISP traffic across the provider network for confidentiality or privacy reasons, and/or chosen to protect the PIM packets with an integrity method, then the new attributes will also be protected. The information in the attributes relates only to delivery of the packets, and there are no particular privacy considerations. The current Security Considerations section seems adequate.

Brian

--
Brian Weis
Security, CSG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew at cisco.com