I have reviewed this document as part of the Operational directorate’s ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments. Document reviewed:  draft-ietf-ipsecme-tcp-encaps-09 Summary: This document defines a method for encapsulating both the IKE control messages as well as the IPSec data messages within a TCP connection. Document Status: Ready. Comments: The following comments look at the document both from an operational perspective as well as a management perspective. Operational Considerations: Operational considerations include installation and initial setup, migration path, requirements on other protocols, impact on network operations and verification of correct operation. The document has adequately addressed issues related to initial setup, migration path from using UDP over port 500, to port 4500 to using TCP. Management Considerations: Management considerations include interoperability, fault management, configuration management, accounting, performance and security. Already acknowledged that there is performance impact in carrying IKE and IPSec data messages over TCP. This includes limitation of message lengths to UDP datagram ESP payload lengths, further impacting the performance of the encapsulation method. Document talks about reconfiguration of TCP encapsulation on both the TCP Originator and TCP Responder. That includes configuration of ports the Responder will listen on. A run of idnits returns the following warnings: (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'Appendix A' is mentioned on line 305, but not defined == Missing Reference: 'Section 4' is mentioned on line 363, but not defined == Missing Reference: 'ChangeCipherSpec' is mentioned on line 922, but not defined == Missing Reference: 'CERTREQ' is mentioned on line 765, but not defined == Missing Reference: 'CERT' is mentioned on line 770, but not defined == Missing Reference: 'CP' is mentioned on line 814, but not defined Summary: 0 errors (**), 0 flaws (~~), 6 warnings (==), 1 comment (--).