I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document presents the need for introducing Mediators (known in other quarters as "proxies") into the IPFIX architecture.

The document is in general well written, and it does attempt to cover most of the relevant security issues. But I would have liked to see a bit more discussion on:

- Privacy concerns, especially where actual data packets are sampled. These concerns may be amplified when streams from multiple sources are combined.

- Multi-tenancy: large networks, i.e. those that require such solutions, may process and sometimes aggregate data from many different owners. An extreme example is virtualized processing clouds. Tenants should be protected from one another, and possibly also from the service provider.

- The subsection of the Security Considerations that discusses confidentiality protection could be improved to more clearly point out that transport-level security is no longer sufficient in this architecture, and (at least in some cases) should be replaced by end-to-end, application-level security.

- The trust model should be clarified, possibly just to say "we all trust the Mediator".

Non-security comments

The document starts out by discussing IPFIX, and then suddenly in 3.2, PSAMP is introduced. The clueless reader is left confused: how does PSAMP relate to per-flow information? I'd appreciate a clarifying paragraph at the top of Sec. 3.