Be ye not afraid...

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Version reviewed: draft-ietf-ipfix-mib-variable-export-09 - Exporting MIB Variables using the IPFIX Protocol

Summary: LGTM, Security AD attention not required, modulo questions below.

I'm not quite sure what:
"However if the exporter is a client of an SNMP engine on the same device it MUST abide by existing SNMP security rules."
is supposed to mean. What exactly are "existing SNMP security rules"? Those defined in RFCs? Configured on the device?

Also:
"Network operators should take care that the only MIB objects which are included in IPFIX Data Records are ones which the receiving flow collector is allowed to receive."
It may be worth mentioning that multiple users may have access to the data from the flow collector. I don't think that this is a major issue, as the sorts of data that are likely to be exported are not (in my wild-ass guess) likely to be sensitive.

I suspect that the MIB Doctors should review this (if they haven't already) - while not a MIB, they will probably have useful input.

W

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf