
Last Call Review of draft-ietf-ipfix-mib-variable-export-09
review-ietf-ipfix-mib-variable-export-09-secdir-lc-kumari-2015-11-19-00

Request Review of draft-ietf-ipfix-mib-variable-export
Requested revision No specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-11-17
Requested 2015-10-01
Authors Paul Aitken, Benoît Claise, Srikar B S, Colin McDowall, Jürgen Schönwälder
I-D last updated 2015-11-19
Completed reviews Genart Telechat review of -09 by Elwyn B. Davies (diff)
Secdir Last Call review of -09 by Warren "Ace" Kumari (diff)
Assignment Reviewer Warren "Ace" Kumari
State Completed
Request Last Call review on draft-ietf-ipfix-mib-variable-export by Security Area Directorate Assigned
Reviewed revision 09 (document currently at 10)
Result Has nits
Completed 2015-11-19
Be ye not afraid...
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting
MIB Variables using the IPFIX Protocol

Summary:
LGTM, Security AD attention not required, modulo questions below.

I'm not quite sure what:
"However if the exporter is a client of an SNMP engine on the same
 device it MUST abide by existing SNMP security rules." is supposed to
mean. What exactly are "existing SNMP security rules"? Those defined
in RFCs? Configured on the device?

Also:
"Network operators should take care that the only MIB objects which
are included in IPFIX Data Records are ones which the receiving flow
collector is allowed to receive."
It may be worth mentioning that multiple users may have access to the
data from the flow collector.
I don't think that this is a major issue, as the sorts of data that
are likely to be exported are not (in my wild-ass guess) likely to be
sensitive.


I suspect that the MIB Doctors should review this (if they haven't
already) - while not a MIB, they will probably have useful input.

W



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf