I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document (draft-ietf-sipcore-reinvite-06.txt) provides clarification on how to process a re-invite in SIP. The notion of a re-invite is defined in RFC 3261 (SIP). This document was created to clarify the description provided in 3261, based on feedback from implementers. It includes a number of examples designed to clarify. It is fair to say that this document not only offers clarifications, but also makes some changes to SIP handling of re-INVITEs. For example, the document notes that "Section 4.3 specifies new rules for the handling of target-refresh requests." The document makes reference to "properly" authenticated requests in a couple of places (4.4 & 4.6), but provides no indication of what constitutes proper authentication. I think it would be appropriate to include references to whatever SIP security mechanisms are currently recommended for message/session authentication (as opposed to what 3261 said 8 years ago). The document has a trivial Security Considerations section: This document does not introduce any new security issue. It just clarifies how certain transactions should be handled in SIP. Security issues related to re-INVITEs and UPDATE requests are discussed in RFC 3261 [RFC3261] and RFC 3311 [RFC3311]. I checked 3261 and I agree that this document provides a decent review of security for SIP in general, but it makes no specific mention of UPDATE or (re)INVITE messages and attendant security concerns. RFC 3311 has an almost trivial Security Considerations section, but at least it does specifically refer to UPDATE and (re-)Invite messages, briefly, and the need for authentication. I think it would be appropriate to add a discussion of how these clarifications operate in various SIP security contexts, e.g., use of TLS for point-to-point SIP security or use of S/MIME for end-to-end SIP security. A statement that the security offered for SIP when the initial call setup was processed cannot be undermined by a later re-INVITE or UPDATE would be reassuring (if accompanied by a rationale for that statement :).