I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. I think this document is ready with some minor issues. First I like what you have done with the security considerations section. It defines the attacks of concern in a clear way and describes some mitigations. 1. The security considerations section mentions several mitigations for false overload control messages including TCP, Websockets, BCP-38 and TLS. While TCP and Websockets provide more protection than UDP its not clear to me that they are providing sufficient protection. In addition, it seems that BCP-38 should be encouraged in all cases (not just the TLS case). I'd feel better about the recommendation if it stated some thing like "TCP and Websockets in conjunction with BCP-38 make it more difficult for an attacker to insert or modify messages, but it is still possible depending on where the attacker is positioned in the network. TLS provides better protection from an attacker that has access to the network link." 2. Some privacy considerations are mentioned in section 5.3. Its not really clear to me what these considerations are so it would be good to expand upon them in the security considerations section. 3. Is it possible that some of the oc-agorithms might have their own security considerations. If this is likely then it might be good to indicate the reader should check to see if the individual algorithm specifications security considerations. 4. Is there any mitigation for the attack involving a proxy that does not support mechanism from blindly forwarding an attacker's oc headers? Cheers, Joe