I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: this document is part of a series of documents describing the protocol, and only deals with data elements. As such, most security considerations are dealt with elsewhere.

However, I note that whilst a good deal of attention is paid to integrity and authentication of the data in those other documents, as far as I can see nothing is said about authentication of the requester, nor about access control. Given that flow information is potentially quite sensitive, this is surprising.

The document itself seems OK, with nits.

Nits:

"3.1.14. string

The type "string" represents a finite-length string of valid characters from the Unicode character encoding set [ISO.10646-1.1993]. Unicode allows for ASCII [ISO.646.1991] and many other international character sets to be used."

RFC 5610 says this is encoded using UTF-8. UTF-8 can have security issues, e.g. sending a string with an incomplete UTF-8 encoded character, which then swallows part of a following string, or causes errors in parsers. Although this document may not be the right place for it, it is unfortunate this potential problem is not mentioned.
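
Added example, not part of the review or of the reviewed document: a receiver-side check for the incomplete-UTF-8 problem raised in the last nit, decoding each string field strictly within its own length so a truncated sequence is rejected rather than completed from the next field. The one-octet length framing, the function names and the sample buffers are assumptions constructed for this sketch.

```python
# Assumed framing for this sketch: one length octet, then that many bytes.
def split_fields(buf: bytes) -> list[bytes]:
    """Split a buffer into raw fields using the length prefix only."""
    fields, i = [], 0
    while i < len(buf):
        end = i + 1 + buf[i]
        if end > len(buf):
            raise ValueError("field length runs past end of buffer")
        fields.append(buf[i + 1:end])
        i = end
    return fields

def expected_len(lead: int) -> int:
    """Sequence length implied by a UTF-8 lead byte (0 if not a valid lead)."""
    for lo, hi, n in ((0x00, 0x7F, 1), (0xC2, 0xDF, 2),
                      (0xE0, 0xEF, 3), (0xF0, 0xF4, 4)):
        if lo <= lead <= hi:
            return n
    return 0

def truncated_tail(field: bytes) -> bool:
    """True if the field ends in the middle of a multi-byte sequence."""
    # Walk back over at most 3 continuation bytes to find the last lead byte.
    for back in range(1, min(4, len(field)) + 1):
        b = field[-back]
        if b & 0xC0 != 0x80:  # not a continuation byte, so this is the lead
            return expected_len(b) > back
    return False  # other malformed input is left to the strict decode below

def decode_fields(buf: bytes) -> list[str]:
    """Decode each field on its own; reject instead of borrowing later bytes."""
    out = []
    for idx, raw in enumerate(split_fields(buf)):
        if truncated_tail(raw):
            raise ValueError(f"field {idx}: incomplete UTF-8 sequence at end")
        out.append(raw.decode("utf-8", errors="strict"))
    return out

# Constructed samples. In BAD, field 0 ends with 0xE2, the lead byte of a
# 3-byte sequence; a decoder that trusts the lead byte and reads two more
# bytes would consume the next field's length octet and first data byte.
GOOD = bytes([5]) + b"eth0A" + bytes([3]) + "\u20ac".encode()
BAD = bytes([5]) + b"eth0\xe2" + bytes([2]) + b"ok"
```

The explicit tail check reports the truncation by field index; the strict decode that follows still rejects any other malformed sequence.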