I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Apologies for the absolute last-minute review; I overlooked until just now that this had been assigned a telechat date.

This document is Ready. I do have some concerns — in particular I think relying on application-layer measures to prevent amplified reflection attacks is a bit dubious — but these have been debated to death already, the issues are well-captured in the document, and I don't think I have anything new to add.