Hi, Reviewer: Daniel Migault Review result: Ready I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other The comment below mostly reflects what raised my curiosity while reading the document. I do not see any of these comments requires some changes to the document. While reading the document I was wondering what could be the reason for advertising ca-ns and us-ny. Note that whatever the response is, there is no need to change the document. From my point of view, I imagined that subdivision code would be mostly used to characterize a geographic zone that is served by a CDN and so that expected codes would be neighbor areas. The example takes ca-ns and us-ny which I do not see as neighbors, at least geographically speaking. I know we can always find a case, but I am wondering if it is expected to be common to have some non neighbor subdivisions being advertised and why. One reason could be that geographic neighborhood and networking neighborhood may also be distinct and I would be curious to understand if that is the reason and how often it is expected to happen. To be clear, I am fine if the subdivision code has just been taken (pseudo) randomly for example. The Union data type is mentioned as overcoming the limitation of narrowing capability. I think the text is nice saying that narrowing does not work for what we do, but overall I do see the need to have union as a completely separate need from the need to narrow. In other words, I do not see the justification as something needed. My perception is that we were able to have AND and Union enables to have OR. If my understanding is correct, I have the impression that there is an alternative way to achieve OR which would consist of having different separate advertisements. Not being an expert in CDNI, what I have in mind is that a dCDN may send one advertisement with a union or may make multiple advertisements (1 for each member of the union). I am not challenging here the need for a union as I am convinced it is needed - or will be needed at some point. What I would like to understand is if multiple advertisements could effectively be considered as an alternative to the union. If that is correct, I would be interested to briefly understand the pro/cons of each alternative. I suspect this mostly an operational advantage, but I am curious to learn a bit more on it. The SUBDIVISION Domain was not entirely clear to me, but I suspect this connects the newly defined footprint type to the more generic framework. The main security consideration I have regarding the footprint type is the ability to prove that the dCDN is legitimate for announcing such capabilities. Typically, I am wondering if there is any way to prevent a CDN to advertise capabilities in Australia for example - while he is not serving that region ? Note that we generic and so, is likely to be already addressed at a higher level. My impression is that the model is that one has to trust the advertisement, and so only consider those of trusted CDNs. I am wondering if there are any practical ways to evaluate the trustworthiness related to the subdivision. Yours, Daniel