I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments. The document defines a way to include vendor-specific messages in DHCPv4. I've only one relatively minor comment: Is this new message type likely to be used for passing sensitive information like user credentials? (E.g. username/password) If that's not the intent it might be worth stating that in the security considerations, just to discourage folks from doing that unless they provide their own confidentiality service. (I'm assuming there's no general confidentiality mechanism available.) Aside from that you may or may not want to capitalise the "should" in the last paragraph of the security considerations. (I don't care, but it might be an oversight.) On a non-security point: I didn't get the real need for this from reading the text and the references to the "Vendor-Identifying Vendor Options" I found confusing. So you could improve that a bit, but I assume that DHCP implementers would find it sufficiently clear. Stephen.