I have reviewed this document as part of the security directorate's

ongoing effort to review all IETF documents being processed by the

IESG. These comments were written primarily for the benefit of the

security area directors. Document editors and WG chairs should treat

these comments just like any other last call comments.

This document describes a hierarchical distributed database that helps a router find a mapping between what LISP calls an "endpoint identifier" and "routing locator".

I have not been following LISP, and am not completely convinced that it solves a problem that can't be solved in other ways, but hierarchical distributed databases do seem like the right solution for lots of problems (like DNS).

I do not recommend trying to dive into LISP starting with this document.  Alia Atlas helpfully pointed me at the document "An architectural Introduction to the Locator/ID Separation Protocol".  It would have been nice if this document referenced it, though it's not an RFC...it's an internet draft.

Anyway, from a security point of view, it seems fine, mostly because it's pretty much copied all the security mechanisms from DNSSEC. I do wonder why a whole separate infrastructure would be necessary, and why this information couldn't simply be in DNS.

Radia