I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document discusses implications of IPv6's larger address space and larger typical subnet size for traditional network address range scanning techniques often used to identify nodes. It discusses other methods which may be used by attackers to discover IPv6 nodes, approaches that can be used by network administrators to counter them, and techniques by which administrators can take advantage of IPv6's large address space to make it harder to identify potential targets for attack.

This document provides a lot of good advice on how to make node addresses on an IPv6 network difficult to discover. That is, it discusses ways to obscure addresses. According to traditional wisdom, "security through obscurity is worse than no security at all". Put another way, obscuring addresses can be a useful tool in building a defense-in-depth, but relying solely on obscurity of node addresses is asking for trouble. I would like this point stressed in the security considerations for this document, possibly including references to other sources on techniques that can be used to secure hosts, communication between hosts, and/or network access.

-- Jeff

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf