Last Call Review of draft-ietf-netconf-4741bis-

Request Review of draft-ietf-netconf-4741bis
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-02-07
Requested 2011-01-25
Authors Rob Enns, Martin Björklund, Andy Bierman, Jürgen Schönwälder
Draft last updated 2011-02-16
Completed reviews Secdir Last Call review of -?? by Tina Tsou
Secdir Telechat review of -?? by Tina Tsou
Tsvdir Last Call review of -?? by Rolf Winter
Assignment Reviewer Tina Tsou 
State Completed
Review review-ietf-netconf-4741bis-secdir-lc-tsou-2011-02-16
Review completed: 2011-02-16


I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

It is well written, so only some editorial comments are below.

2.2.  Authentication, Integrity, and Confidentiality
2.3.  Authentication

Perhaps the titles of 2.2 and 2.3 can harmonize better to explain why there
are two "authentications" here.

6.2.  Subtree Filter Components

   A subtree filter is comprised of XML elements and their XML
   attributes.  There are five types of components that may be present
   in a subtree filter:

   o  Namespace Selection

   o  Attribute Match Expressions

   o  Containment Nodes

   o  Selection Nodes

   o  Content Match Nodes

If a figure could be provided to describe the relationship among these 5
components and when it becomes what, it would be very helpful for readers to
understand more easily.

6.2.3.  Containment Nodes

   Nodes that contain child elements within a subtree filter are called
   "containment nodes".  

I would say "Child Elements Nodes" or "Child Nodes" might be a little bit
more straightforward than "Containment Nodes".

7.2.  <edit-config>

   merge:  The configuration data in the <config> parameter is
      merged with the configuration at the corresponding level in
      the target datastore.  This is the default behavior.

Has the <config> parameter been introduced before?

Best Regards,