Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: * Ready to publish, but nits remain Details: * The specific authorization details between the Client and Relay is elided. Specifically, how does a proxy get configured for specific client connections? The spec does say it needs to get configured (section 9), and talks at length about configuring the relay for the available networks, but doesn't say much else about how to authorize clients. * Can a Relay be a client to another Relay? It's unclear what would happen if someone tried to configure it that way; the specification does not talk to that possibility (or prohibit it), as far as I can tell. -derek -- Derek Atkins 617-623-3745 derek@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant