Document: draft-ietf-opsec-ip-security-05
Reviewer: Vijay K. Gurbani
Review Date: Jan-03-2011
IETF LC End Date: Dec-12-2010
IESG Telechat date: Unknown

Summary: This draft is ready as an Informational RFC.

Major issues: 0
Minor issues: 0
Nits/editorial comments: 9

Sorry for the late review, I note that this document is in IESG evaluation state, so I suspect that one more revision may be required. If so, I hope the following feedback aids in improving an already excellent document.

1) S3.3.2.2, page 14 --- please expand the acronym "RED" on first use.

2) S3.5.1, top of end of page 16 and top of page 17 --- "Linux (and Solaris) later set the IP Identification field on a per-IP address basis." Which address --- source or destination?

3) S3.5.2.2, page 18 --- s/Packet loss is can be/Packet loss can be/

4) S3.6, underneath Figure 5 on page 20 --- s/In Figure 3, an attacker/In Figure 5, an attacker/

5) Same section, same page --- s/router that encounters that this/router to determine that this/

6) S3.7 --- when discussing the Fragment Offset, is it worth stating that the Fragment Offset is measured in units of 8 octets (thereby giving the magic number 65528 = 8191*8)?

7) S3.8.4, page 26, last bullet item at top of page --- s/Four hops away from D./Two hops away from D./

8) S4.1.1.3, page 51, last paragraph of that subsection --- Any references?

9) S4.1.1.4, page 52, first bullet item, first sentence --- what do you mean by "overlapping fragments"? Maybe you meant, instead, "duplicate fragments"?