I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes extensions to the ALTO (Application Layer Traffic Optimization) protocol that allow for more efficient information exchanges between an ALTO client and an ALTO server. Specifically, it allows a client to query for multiple metrics in one request.

The security considerations section correctly refers to the basic ALTO protocol. I only have one additional consideration (and I don't even know if it applies ...):

With the existing ALTO protocol, a server could defend against DDoS by not throttling requests. However, each accepted request is simple in that it only deals with one metric. With this document, a malicious client could send a highly complicated query to the server, which may cause significant resources to be used on the server end and without an ability to throttle. Is that a risk?

Other than that, the document may benefit from a language/grammar review. Example: "Hence a legacy may send a request with a constraint test on any of the cost types listed in 'cost-type-name'" - should likely be "legacy client". There are more such examples.

Thanks,
-- Magnus