Document: draft-carroll-dynmobileip-cdma-04.txt
Title: "Verizon Wireless Dynamic Mobile IP Key Update for cdma2000(R) Networks"
Intended Status: Informational
Reviewer: Suzanne Woolf
Review Date: 16 February 2004

Returning item

A few comments:

Wrong boilerplate. This could be important, as some IPR constraints are briefly noted at the end of the document.

The protocol described has some weird scaling properties-- a lot of pre-loaded mobile stations and AAA servers sharing an RSA keypair. If the MP has the pubkey corresponding to a universal private key, that's potentially a lot of AAA servers, or a long period of time, or both with the same RSA secret key. I defer to the Security ADs, but this doesn't feel scalable. I assume it's not really intended to be, in the sense that what's envisioned is one (or a handful) of keypairs, some set of MPs, and some smaller (by several orders of magnitude) set of AAA servers, all under unified administrative control. There is a reference to the possibility of different manufacturers or network operators sharing RSA keypairs, with the obvious dangers.

"The RADIUS AAA Server MUST maintain a database of RSA Public/Private key pair indexed by the Public Key Identifier." is repeated. (p. 13)

"Note that the inclusion of a vendor-specific attribute in the Access Reject message is not consistent with section 5.44 of [4]." How so?

Key lifetime concerns are minimized by asserting the Mobile Node can't initiate DMU, but I'm a little confused then on how it's initiated. And I'm really scared, from an operational perspective, when people make a MUST of protecting keys but not a MUST of planning for the possibility of compromise.

Who's maintaining the PKOID registry included here? Presumably it's not intended as an IANA registry, but it's not clear whose registry it is, and there's no IANA Considerations section at all.

What do the patents referred to (Verizon, Qualcomm) really encumber? I know the IETF isn't in the patent lawyering business, but I'm also of the impression that if the IETF's publication of this document will be supporting IPR claims, it's best if people are up-front about that.