On 1/8/2019 10:38 AM, JORDI PALET MARTINEZ wrote: > The security concerns raised *initially* by Christian were related to the use of DHCP for configuring the WAN. At least that was what I understood. Then we continued discussing about the LAN, which I agree with you, is not a requirement on this document. I may be very confused, because the way I read your draft I assumed that the DHCPv6 S46 option was meant to inform the LAN-side devices of the available and preferred transition services. From what you are telling me, the S46 option is actually provided by the WAN side DHCPv6 server, of which the CPE is a client. That would be the preferred way for an ISP to configure the customer premise device. If the DHCPv6 option is only used on the WAN side, then I agree with Barbara and you that solutions like DHCP Guard or 802.1x are not relevant. There is no need for the proposed paragraph starting with "considering that" and ending with "scope of this document". On the other hand, if I was that much confused, others will be too. I might be useful to drop a line in section 3.2 explain in layman terms how the S46 option is used. -- Christian Huitema