Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. I see no major technical issues with this document, although I do have one question: In the Security Considerations section under Spoofing attacks you talk about ingress filtering and address consistency, but couldn't one could theoretically spoof ICMP messages by injecting messages with the "reserved IPv4 dummy address" specified in section 4.8? Moreover, the whole security of the system depends on everyone in the network behaving properly. Is that something we can really assume to be true? I also have one editorial comment: In Section 3, on page 7 you say: For IPv4 anti-spoofing protection to extend to IPv4, ingress filtering has to be effective in IPv6 (Section 4.4 and Section 5). I suspect this should read "For IPv6 anti-spoofing protection to extend to IPv4,...". Or maybe the other way around? I'm not sure what you mean here; the current phrasing is confusing. Thanks, -derek -- Derek Atkins 617-623-3745 derek at ihtfp.com www.ihtfp.com Computer and Internet Security Consultant