I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I consider this document ready with issues described below.

draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03 discusses issues with IPv6 running on networks that have incomplete security controls (firewall and IDS) for IPv6. It basically describes what you need to filter on to filter out IPv6 traffic and tunneling technologies. This seems like mostly useful information; however, it's not clear to me if you implement all the controls in the document if you would not still have a problem from IPv6 on a local link or IPv6 tunneled through some non-standard means. It seems the document should at least mention this risk in the security considerations since hosts on these networks may be IPv6 enabled.

One related issue I have seen is in end host configuration where a host based firewall is configured with IPv4 rules and left silent on IPv6 with varying results. I don't recall seeing any discussion of this in the document, but it might also be worth covering in security considerations as well.

Cheers,

Joe
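The host-firewall case raised in the review, as an added example that is not part of the original message: a check that compares a host's IPv4 and IPv6 filter tables and reports chains that are restricted for IPv4 but left open for IPv6. It assumes a Linux host using `iptables`/`ip6tables` (the review names no platform); the two rule dumps are constructed samples in `iptables-save` format.

```python
import re

# Constructed sample: IPv4 rules as printed by `iptables-save`.
V4_SAVE = """\
# constructed sample, not from a real host
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: `ip6tables-save` on the same host, never configured.
V6_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[")   # ":INPUT DROP [0:0]"
RULE_RE = re.compile(r"^-A\s+(\S+)\s")            # "-A INPUT ..."
BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")


def parse_filter_table(save_text):
    """Return {chain: {"policy": str, "rules": int}} for the filter table."""
    chains, in_filter = {}, False
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):                  # table header, e.g. "*nat"
            in_filter = (line == "*filter")
        elif in_filter and (m := POLICY_RE.match(line)):
            chains[m.group(1)] = {"policy": m.group(2), "rules": 0}
        elif in_filter and (m := RULE_RE.match(line)):
            chains.setdefault(m.group(1), {"policy": "-", "rules": 0})["rules"] += 1
    return chains


def ipv6_gaps(v4_text, v6_text):
    """Built-in chains restricted for IPv4 but default-accept with no rules for IPv6."""
    v4, v6 = parse_filter_table(v4_text), parse_filter_table(v6_text)
    gaps = []
    for chain in BUILTIN_CHAINS:
        st4 = v4.get(chain, {"policy": "ACCEPT", "rules": 0})
        # An absent IPv6 chain means no ip6tables rules were loaded at all.
        st6 = v6.get(chain, {"policy": "ACCEPT", "rules": 0})
        restricted4 = st4["policy"] == "DROP" or st4["rules"] > 0
        open6 = st6["policy"] == "ACCEPT" and st6["rules"] == 0
        if restricted4 and open6:
            gaps.append(chain)
    return gaps
```

On a real host the two inputs would be the captured output of `iptables-save` and `ip6tables-save`; any chain returned is one where IPv4 policy exists and IPv6 is silent.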