[ My first review; please let me know if anything's wrong]

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

In my view this document is Ready with nits; suggested clarification of Figure 1, below.

This document a mechanism for an intermediary to use space in a padding area to counteract the effect of a prior intermediary adding a high-accuracy timestamp into a UDP packet. The technique is used elsewhere (draft-ietf-ntp-checksum-trailer and IEEE1588) and dates back to RFC 1624 from 1994. The mechanism is better than the current approach, which zero's out the checksum and makes any checksum impossible.

The document and its security considerations are seem thorough, discussing the impact on encrypted packets, the general idea of an MITM modifying packets, and so on.

I think Figure 1 could be improved by showing how and/or where the checksum trailer is applied inside the "enabled Node" box.  Is it a separate node, or is it all a single flow within a node before the packet is put onto the IP Network "cloud"?  Also, the art of the cloud is commendable :)

--  
Senior Architect, Akamai Technologies
IM: richsalz at jabber.at Twitter: RichSalz