Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: Ready to publish.

Details:

Obviously the security of this solution is based on the full trust of the complete end-to-end BIER network. There is no cryptography to ensure that a packet is not manipulated en route which would change the bit-fields. The good news is that it's probably hard to inject a BIER-headed packet into the network from the outside (once it hits an external router it would be re-encapsulated). On the other hand, there is nothing to stop a bad-actor internal router from creating a bogus BIER header or modifying an existing BIER header.

I suspect this is already handled in the MPLS and IGP Security Considerations, but I wanted to ensure that the IESG was aware of this restriction (which is not explicitly stated here).

-derek

--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant