Hello,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document proposes a ‘simplified’ type of VPLS which only supports IP. In addition, in this solution the maintenance of the MAC forwarding tables is done via a control plane protocol, rather than via the MAC address learning procedures specified in [IEEE 802.1D].

I think this document is almost ready for publication. Two comments are as follows:

1) In the Security Considerations section, MD5 should not be recommended. So, "authenticating the LDP messages using MD5 authentication." could be changed to "authenticating the LDP messages by verifying keyed digests."

2) In this solution, a PE actively detects the presence of local CEs by snooping IP and ARP frames received over the ACs. As the PE discovers each locally attached CE, a unicast multipoint-to-point pseudowire (mp2p PW) associated exclusively with that CE is created by distributing the MAC address and optionally the IP address of the CE, along with a PW-Label, to all the remote PE peers that participate in the same IPLS instance. So, IMHO, DDoS attacks by generating large amounts of bogus IP and ARP frames should be considered, and countermeasures should be provided. For instance, MAC addresses of CEs should be distributed only at a limited frequency.

Cheers,
Dacheng
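As an added illustration of the countermeasure suggested in point 2 (not code from the draft or from any implementation): a PE-side check that extracts the sender MAC/IP from snooped ARP frames, caps how many CEs one AC may introduce, and token-bucket-limits how often new bindings are released for distribution to remote PEs. The limits, the AC identifiers, the explicit clock and the sample-frame builder are assumptions.

```python
import struct
from collections import defaultdict
# Added illustration, not RFC or vendor code. Limits and clock are assumptions.

def parse_arp_sender(frame):
    """Return (sender_mac, sender_ip) from an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):  # Ethernet/IPv4
        return None
    mac = ":".join("%02x" % b for b in frame[22:28])
    return mac, ".".join(str(b) for b in frame[28:32])

def build_arp_frame(mac, ip):  # constructed sample input: ARP request from mac/ip
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(o) for o in ip.split("."))
    return (b"\xff" * 6 + sha + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + b"\0" * 6 + spa)

class CeDiscovery:
    def __init__(self, max_ces_per_ac=8, adverts_per_sec=2.0):
        self.max_ces, self.rate = max_ces_per_ac, adverts_per_sec
        self.known = defaultdict(dict)              # ac -> {mac: ip}
        self.tokens = defaultdict(lambda: adverts_per_sec)
        self.last = {}                              # ac -> time of last snoop
        self.dropped = 0                            # frames that hit a limit

    def _take_token(self, ac, now):
        refill = (now - self.last.get(ac, now)) * self.rate
        self.tokens[ac] = min(self.rate, self.tokens[ac] + refill)
        self.last[ac] = now
        if self.tokens[ac] < 1.0:
            return False
        self.tokens[ac] -= 1.0
        return True

    def snoop(self, ac, frame, now):
        """Return (mac, ip) if a new binding may be advertised now, else None."""
        parsed = parse_arp_sender(frame)
        if parsed is None or self.known[ac].get(parsed[0]) == parsed[1]:
            return None                             # not ARP, or already advertised
        mac, ip = parsed
        if mac not in self.known[ac] and len(self.known[ac]) >= self.max_ces:
            self.dropped += 1                       # AC is at its CE cap
            return None
        if not self._take_token(ac, now):
            self.dropped += 1                       # over the advertisement rate
            return None
        self.known[ac][mac] = ip
        return mac, ip
```

Frames rejected by either limit are counted in `dropped`, which is the value a PE would export for alerting on an AC that suddenly claims many new CEs.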