I am the assigned reviewer from the Security Directorate (SECDIR). These comments are intended mainly to help the Sec ADs; everyone else should treat them as any other last-call comments.

I guess this document is READY. But I have to admit that seeing the description of the heuristics makes me feel uncomfortable. At some point, a heuristic is just a high-falutin' way to spell hack. I would imagine that if a commercial firewall vendor, for example, implemented this on their own, significant portions of the IETF community would be claiming "ossified."

But, if you want to do this kind of thing (or if you need to do it even though you would really rather not), this document is well-written and clear, except for one suggestion.

"If the value does not match any known range, then the packet MUST be dropped and an alert MAY be logged. This process is summarized in Figure 3."

Figure 3 does not have an "else" clause, or something, that handles the first sentence quoted.