Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document provides the network management framework for the Transport Profile for Multi-Protocol Label Switching (MPLS-TP). This framework relies on the management terminology from the ITU-T to describe the management architecture that could be used for an MPLS-TP management network.

The Security Considerations section is the basis of my comment. I don't think the first two sentences are sentences. At least I think they need to be restated to clarify their meaning. The section states:

"Provisions to any of the network mechanisms designed to satisfy the requirements described herein need to prevent their unauthorized use and provide a means for an operator to prevent denial of service attacks if those network mechanisms are used in such an attack. Solutions need to provide mechanisms to prevent private information from being accessed by unauthorized eavesdropping, or being directly obtained by an unauthenticated network element, system or user."

Using terminology from the document, I think the paragraphs should really say something to the effect of:

"Many of the EMF Interfaces (Section 2.3) are critical to proper NE operation and need to be protected from denial of service conditions or attack. The EMF Interfaces that use or access private information should be protected from eavesdropping or being accessed by unauthorized network elements, systems, or users."

Since the next part of the section points the reader to the ITU and other RFC documents, it should flow okay.

Although I am by no means an MPLS expert, the rest of the document looked fine.

[As a side note, normally the term 'unauthorized eavesdropping' is not used. Eavesdropping is always performed by an unauthorized party; if they are authorized it's called 'network monitoring'. ;) ]

Pat Cain