Hi -
>From: The IESG <iesg-secretary@xxxxxxxx>
>Sent: Sep 28, 2015 10:11 AM
>To: IETF-Announce <ietf-announce@xxxxxxxx>
>Subject: Last Call: <draft-ietf-ipfix-mib-variable-export-09.txt> (Exporting MIB Variables using the IPFIX Protocol) to Proposed Standard
...
I think the Security Considerations section needs to be a bit more explicit.
For example, it states:
| However if the exporter is a client of an SNMP engine on the same
| device it MUST abide by existing SNMP security rules.
A few questions come to mind:
- just exactly what is meant by "client of an SNMP engine"?
- in deciding whether a bit of information may be exported to
a particular entity, how does the IPFIX implementation decide
what VACM user name would correspond to that entity, in order
to abide by SNMP security rules?
- if the VACM configuration specifies that a given piece of information
is to be communicated only by secure means (e.g. auth/priv using
a particular algorithm) how does the IPFIX implementation honor
that commitment in forwarding the information without subverting
the keystore?
- in granting IPFIX access to the information, should VACM be using
the read view or the notify view?
Randy