[re-sending with proper recipients list; sorry for the duplicate] Hi all, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This draft is Ready. I had to do some background reading (RFC 2475, mostly, and skimming some other references) to really understand what's going on here; I'll probably use some wrong terminology as a result. This draft describes a standard set of 4 Treatment Aggregates that can be used by MPLS networks using the Short-Pipe tunnel mode to preserve IP Differentiated Service code point markings and the corresponding per-hop behaviors as traffic traverses the network boundary. DSCP translation is expected to be done both at entry and exit from the network (as applicable; not all traffic is through traffic, of course) betwen the standard DSCPs and network-internal DSCPs used to apply PHBs, but the benfit of this scheme is the standardized interface, much as how it is easier for a user to accept a two-clause BSD software license that is well-known than it is for that user to accept a software EULA that was custom written by a company's lawyers. Otherwise, everything described in this document could be done already by two peered networks that negotiate an SLA. With this document, they still must negotiate an SLA, but there are standard terms to simplify the process. The security considerations accordingly note (correctly) that this document does not introduce new features; rather, it describes how to use existing ones. It refers to the security considerations in RFCs 2475 and 4594, which seem to be complete, noting that differentiated services introduce the possibility of fasely marked/prioritized traffic and the potential for denial of service. Only calling out IPsec as the example is a bit dated, but the general principles still seem fine -- the physical network has to be protected and traffic sanitized on entry. However, I do think it's worth giving a little bit of new thought to the potential privacy considerations -- a new way of marking traffic, in abstract, has the potential to leak classification information about the traffic in question (e.g., is this IP address doing telephony?). That said, the classification added by this document is something that could be done by any party with access to the raw network traffic, so I don't think there are actually any new considerations in play; it's just something to keep in mind. A few editorial comments follow: Please expand PHBs in the abstract, not just in the introduction Introduction, first paragraph, space between ')' and 'and'. Just a few words later, is it clearer to s/at/for use at/? Top of page 3, last sentence of first paragraph ("This draft assumes that latter approach by defining additional DSCPs that are known and expected at network interconnection interfaces.") -- I think maybe "subsumes" is a better verb than "assumes", as it is true that unknown/unexpected DSCPs are remarked to zero, but there is additional functionality in the known/expected DSCPs that are preserved. Across the page 3/page 4 boundary, the part after the semicolon is a sentence fragment ... I can't even tell what it's trying to say. Maybe, "remarking to zero is performed in the absence of [...]" (but put a comma before "for"). Section 1.1, first paragraph, is this work really intended to *complement* RFC 5160? It seems to me that rather it is building upon 5160, or implementing its suggestions, or something like that. Section 4, Telephony Service Treatment Aggregate, it looks like the convention would have the DSCP be formatted as "101 100" with a space. -Ben