Draft: draft-ietf-opsec-filter-caps-08.txt
Reviewer: Mark Allman [mallman@icir.org]
Review Date: 6/28/2007
IETF LC Date: 6/25/2007

Summary: This draft seems basically fine to me.

Comments:
----------

There is one part that I just don't grok, but I assume that will be easy enough to fix. I also flagged a few nits that ought to be fixed if the authors make another pass over this document. Details below.

MORE-THAN-NITS
--------------

Sec 5.1: The "Capability" description is not at all clear to me. I keep re-reading this one and just cannot understand what it says. Please re-write this in a more clear fashion--perhaps with an example.

NITS
----

Sec 1.2: "threat model of this document" --> "threat model assumed in this document"

Sec 3.1 (and others): "and or" --> "and/or" (do a search & replace, as this happens quite a few times in text that looks like it was cut & pasted)

Sec 3.5: "It allows invalid or malicious traffic" --> "It allows traffic judged to be invalid or malicious"

Sec 3.6: I'd suggest a reference to the PMTUD blackhole RFC (2923) where you mention the negatives of dropping ICMPs.

Sec 4.1 (and others): "TCP Resets." --> "TCP Resets, for instance."

Sec 4.1: "(e.g., syslog" --> "(e.g., via syslog"

Sec 5.1: "applied two" --> "applied to two"

Sec 7.2: Seems weird to me that you say we could define malicious traffic using layer 3 or 4 information when it is pretty common to use actual payload contents to detect malicious traffic. Or, are you trying to say that after detection we can use some handy identifiers from layers 3 & 4 to take action? This could be more clear, I think.