I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. For the security area directions, I consider this document to be "Ready with nits?. This document specifies objects (MIB) for managing virtual machines controlled by a hypervisor (a.k.a. virtual machine monitor) using SNMP. The security section is thoroughly written, points out the operational risk if some management variables can be SET, and the privacy or other security risks if hostile parties can read some of the objects. The essential recommendation is to use SNMPv3 strong security, or when that strong security is not available, to disable the "SET" capabilities. There is an aggravating factor not mentioned in the security section. In many large data centers, some virtual machines will not be under the direct control of the data center manager. They may have been rented to third parties, or they may have been subverted. These potentially hostile virtual machines will have direct network connectivity with the hypervisor, and potentially with other hypervisors in the same subnet. Attackers in control of these machines can gain advantage of even read-only access to hypervisor state variables. One wonders whether even GET access should be allowed in the absence of authentication through SNMPv3. Attempting to support even GET operations with prior versions of SNMP appears risky. -- Christian Huitema