(Sorry for the missed review deadline.) Other than general doubts about "I'll only use this in one administrative domain", the only specific thing that concerned me here was that draft-ietf-detnet-security doesn't seem to include any analysis of detnet/UDP (and indeed says that detnet runs over IP) and the security considerations section here is purely by reference. Given that draft-ietf-detnet-security seems to have done a reasonable job of analysis, it's a pity to not have that for the detnet/UDP case. All that said, I don't have any concrete problems to highlight with detnet/UDP, though of course I've not been thinking about this as $dayjob, so there may be issues there.