Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: * With Nits Details: * NB: I did not review the Yang Models or Appendices * Awkward sentence in section 8, top of page 21: Moreover, the startup configuration datastore MUST be also pre-configured with the required ALLOW policies that allow to communicate the NSF with the I2NSF Controller once the NSF is deployed. Specifically "that allow to communicate the NSF with ..." should be changed, possibly to read "that allow the NSF to communicate with ..." * at the end of 8.3 at the bottom of page 23 there is a space for "the subtrees and data nodes and their sensitivity/vulnerability:" but there is no list, it just goes onto the next paragraph at the top of the next page. -derek