Reviewer: Christian Huitema Review result: Ready I already reviewed the version 11 of this draft. From a security point of view, the main change between the two versions is the addition of a paragraph acknowledging the potential risks of relying on DHCP for configuration. To quote: "As described in [RFC8026] and [RFC8026] Security Consideration sections, there are generic DHCP security issues, which in the case of this document means that malicious nodes may alter the priority of the transition mechanisms." Well, on the one hand, this does directly address the point I raised in the previous review. On the other hand, it is a bit sad to have a dry acknowledgement like that, without any hint at mitigations. If I was writing an April's fool RFC, I would qualify that as one of those security sections that seem written primarily for appeasing the security reviewer. But then, do we want to give some advice to implementers? For example, do we want to tell them that it is OK to deploy compliant devices in a basic home network? Probably. In the branch office of a financial institution? Most probably not. Do we have a way to convey that in simple terms? I would add something like: "As stated in the introduction, this document addresses deployment of IPv4 as a service in a residential or small-office network. Deployment in more challenging environments would require additional security analysis."
