I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Section 3.1 says:

   o  Permit RADIUS authentication and accounting replies from RADIUS
      servers 198.51.100.9, 198.51.100.10, 2001:DB8:100::9, and
      2001:DB8:100::10 that are listening on UDP ports 1645 and 1646.
      Note that this doesn't account for a server using Internet
      Assigned Numbers Authority (IANA) ports 1812 and 1813 for RADIUS.

So, in other words, RADIUS traffic on the ports (officially assigned for more than ten years now) will be blocked. This seems like a very poor example.
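The effect described in the review, as an added example that is not part of the original review or of the draft: a default-deny permit rule built from the addresses and ports quoted from Section 3.1, evaluated over constructed reply packets. The rule model, function names, sample packets and the variant that also permits ports 1812 and 1813 are assumptions made for illustration.

```python
import ipaddress

# Addresses and ports are those quoted from Section 3.1; the rule model,
# function names and sample packets are constructed for this example.
RADIUS_SERVERS = [ipaddress.ip_address(a) for a in (
    "198.51.100.9", "198.51.100.10", "2001:DB8:100::9", "2001:DB8:100::10")]
LEGACY_PORTS = {1645, 1646}   # ports the quoted example permits
IANA_PORTS = {1812, 1813}     # IANA-assigned RADIUS auth / accounting ports


def permits_reply(src, sport, allowed_ports, proto="udp"):
    """Return True if a reply packet passes the permit rule; default is deny."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source address never matches a permit
    return proto == "udp" and addr in RADIUS_SERVERS and sport in allowed_ports


def blocked_replies(packets, allowed_ports):
    """List the (source, source port) pairs the filter would drop."""
    return [(s, p) for s, p in packets if not permits_reply(s, p, allowed_ports)]


# Constructed sample replies: (source address, source UDP port).
SAMPLE = [
    ("198.51.100.9", 1645),       # listed server, legacy auth port
    ("198.51.100.10", 1812),      # listed server, IANA auth port
    ("2001:db8:100::9", 1813),    # listed server, IANA accounting port
    ("2001:db8:100::10", 1646),   # listed server, legacy accounting port
    ("203.0.113.7", 1812),        # not a listed RADIUS server
]

if __name__ == "__main__":
    print("quoted rule drops:    ", blocked_replies(SAMPLE, LEGACY_PORTS))
    print("with IANA ports drops:", blocked_replies(SAMPLE, LEGACY_PORTS | IANA_PORTS))
```
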