Last Call Review of draft-ietf-netconf-4741bis-

Request Review of draft-ietf-netconf-4741bis
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-02-07
Requested 2011-01-25
Other Reviews Secdir Telechat review of - by Tina Tsou
Tsvdir Last Call review of - by Rolf Winter
Review State Completed
Reviewer Tina Tsou
Review review-ietf-netconf-4741bis-secdir-lc-tsou-2011-02-16
Draft last updated 2011-02-16
Review completed: 2011-02-16


I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

It is well written, so only some editorial comments are below.

2.2.  Authentication, Integrity, and Confidentiality
2.3.  Authentication

Perhaps the Titles of 2.2 and 2.3 can harmonize better to explain why there
are two "authentications" here.

6.2.  Subtree Filter Components

   A subtree filter is comprised of XML elements and their XML
   attributes.  There are five types of components that may be present
   in a subtree filter:

   o  Namespace Selection

   o  Attribute Match Expressions

   o  Containment Nodes

   o  Selection Nodes

   o  Content Match Nodes

If a figure could be provided to describe the relationship among these 5
components and when it becomes what, it would be very helpful for readers to
understand more easily.

6.2.3.  Containment Nodes

   Nodes that contain child elements within a subtree filter are called
   "containment nodes".  

I would say "Child Elements Nodes" or "Child Nodes" might be a little bit
more straightforward than "Containment Nodes".

7.2.  <edit-config>

   merge:  The configuration data in the <config> parameter is
            merged with the configuration at the corresponding level in
            the target datastore.  This is the default behavior.

Has the <config> parameter been introduced before?

Best Regards,