In section 1 there is text saying:

    The DetNet Architecture models the DetNet related data plane functions as two sub-layers: functions into two sub-layers: a service sub-layer and a forwarding sub-layer.

I think the second one of the "functions as/into two sub-layers" instances should be removed.

In section 5.1.2.2 it says that the SPI field of ESP and AH is used, but in case IPsec is configured to use UDP encapsulation (RFC 3948, i.e., UDP destination port is 4500) there is a different location for the SPI. Should this document also dig the SPI out from UDP encapsulated ESP/AH? There is also wrapped ESP (RFC 5840) with a bit different format, i.e., having a wrapped ESP header before the normal ESP header. Should this be included also?

In section 6, I would think it would be useful to have wildcard SPI matching too, i.e., match all ESP/AH traffic between two hosts regardless of SPI. Note that the standard procedure to support QoS in IPsec is to create multiple SAs between hosts with identical addresses, but different SPIs, where each flow has traffic related to one QoS level inside, but there might not be any way for an external user to know which SPI matches which QoS level. So there is definitely a need to have exact match SPI, but the problem is that DetNet might not have any visibility into which SPI matches which QoS level.
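The SPI locations raised in the comments on sections 5.1.2.2 and 6, as an added example that is not part of the original review or of the draft: a classifier that finds the SPI in native ESP and AH, in UDP-encapsulated ESP on port 4500, and behind a WESP header, then applies an exact or wildcard SPI match. The function names and the `(src, dst, spi)` rule tuple are hypothetical; field offsets follow RFC 4302, RFC 4303, RFC 3948 and RFC 5840.

```python
import struct

ESP, AH, UDP, WESP = 50, 51, 17, 141   # IANA IP protocol numbers
NATT_PORT = 4500                       # RFC 3948 UDP encapsulation port

def _u32(buf, off):
    """Big-endian 32-bit field at off, or None if the buffer is too short."""
    return struct.unpack_from("!I", buf, off)[0] if len(buf) >= off + 4 else None

def _wesp_spi(buf):
    """SPI of the ESP header that follows an RFC 5840 WESP header."""
    if len(buf) < 4:
        return None
    pad = 4 if buf[3] & 0x10 else 0    # P flag set: 4 octets of padding follow
    return _u32(buf, 4 + pad)

def extract_spi(proto, payload):
    """Return (encapsulation, spi) for an IP payload, or None if it has no SPI."""
    kind, spi = None, None
    if proto == ESP:                   # RFC 4303: SPI is the first field
        kind, spi = "esp", _u32(payload, 0)
    elif proto == AH:                  # RFC 4302: SPI follows 4 octets of header
        kind, spi = "ah", _u32(payload, 4)
    elif proto == WESP:
        kind, spi = "wesp", _wesp_spi(payload)
    elif proto == UDP and len(payload) >= 8:
        sport, dport = struct.unpack_from("!HH", payload)
        first = _u32(payload, 8)       # word right after the UDP header
        if NATT_PORT not in (sport, dport) or first is None:
            return None                # other UDP, or a 1-octet NAT keepalive
        if first == 2:                 # RFC 5840 protocol identifier
            kind, spi = "udp-wesp", _wesp_spi(payload[12:])
        elif first > 255:              # 0 = IKE marker, 1-255 reserved
            kind, spi = "udp-esp", first
    return (kind, spi) if spi is not None else None

def flow_matches(rule, src, dst, proto, payload):
    """rule is (src, dst, spi); spi=None matches any SPI between the hosts."""
    found = extract_spi(proto, payload)
    if found is None or (rule[0], rule[1]) != (src, dst):
        return False
    return rule[2] is None or rule[2] == found[1]

# Constructed sample: the same SPI in plain and UDP-encapsulated ESP.
SPI = 0xC0FFEE01
PLAIN_ESP = struct.pack("!II", SPI, 1) + b"\x00" * 16
UDP_ESP = struct.pack("!HHHH", 4500, 4500, 8 + len(PLAIN_ESP), 0) + PLAIN_ESP
```

A classifier that looks only at IP protocol 50 or 51 reports no SPI for `UDP_ESP`, although it carries the same SA as `PLAIN_ESP`.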