I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these as comments just like any other last call comments. I apologize for the late review. I did not find any major issues with the document. The security considerations section does describe the additional DOS threat associated with the operation of the protocol. I think the potential mitigations could be described better. 1) it seems that the stateless PCI should be moved up in the section since it is related to the last sentence of the first paragraph. 2) it's not clear that "authorized" is the best word to use here since authentication has not completed yet. It might be better to say "It is recommended that messages are only accepted from PACs originating from well known IP networks for a given PAA." It's not really clear how effective or practical this restriction would be, but I'm not very familiar with PANA deployments. Cheers, Joe