I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document specifies packet filtering criterion so that DHCPv6-server messages are discarded by the layer-2 device unless they are received on specific (previously configured) ports of the layer-2 device.

The document is well-written and I don't see any problems with the write-up.

While specifying packet filtering firewall rules is an implementation / configuration dependent task that does not require standardization as such, this work follows earlier patterns, namely the RA-Guard mechanism for the protection against rogue router advertisements.

The only question I have is whether the document type (currently set to 'Best Current Practice') is appropriate.

Ciao
Hannes

PS: Minor editorial nit:

"
   Finally, we note that the security of a site employing DHCPv6 Shield
   could be further improved by deploying [I-D.ietf-savi-dhcp], to
   mitigate IPv6 address. spoofing attacks.
                       ^^^
"