[HOKEY] WGLC comments for preauth document

Charles Clancy <clancy@cs.umd.edu> Sun, 06 April 2008 00:13 UTC

Message-ID: <47F815A3.8090908@cs.umd.edu>
Date: Sat, 05 Apr 2008 20:13:23 -0400
From: Charles Clancy <clancy@cs.umd.edu>
To: hokey@ietf.org
Subject: [HOKEY] WGLC comments for preauth document

WGLC Comments for draft-ietf-hokey-preauth-ps-02:

Overall
-------

A terminology section is needed.  The document uses a lot of terminology 
without defining it or citing documents in which it has already been 
defined.

This document discusses cases where we wish to pre-authenticate from one 
authenticator to another, but it's not clear whether these 
authenticators have to be served by the same AAA server or AAA domain. 
I think one of the major benefits of pre-authentication is the ability 
to pre-authenticate to a remote AAA domain that does not have a roaming 
relationship with your current AAA domain.  This would allow a mobile 
node with multiple credential sets (with multiple AAA servers/domains) 
to roam between networks that don't have a roaming relationship.  For 
example, this might allow you to roam from your home WiFi network to an 
operator's WiMAX network.  I think more discussion should be in the 
document to distinguish between and clarify these cases.

Section 1:
----------

This should be moved to the end of the document.

Section 2:
----------

"When a mobile during an ...": some terminology is needed, particularly 
define "mobile", or preferably refer to it using EAP terminology, i.e. 
the "peer".

s/may change its subnet/may change the subnet/

s/support an interactive/support interactive,/

authentication procedure and authorization procedure are poorly defined

s/affects the ongoing/affects ongoing/

s/where an AAA/where a AAA/

Reword sentence: "Depending upon the
    type of architecture, in some cases the AAA signals traverse all the
    way to the AAA server in the home domain of the mobile as well before
    the network service is granted to the mobile in the new network."

s/such as VoIP is very/such as VoIP are/

Section 3:
----------

s/setting up of L2/setting up L2/

s/AP (Access Point)/Access Point (AP)/

Reword sentence: "Following a successful authentication, a secure 
association protocol
    named four-way handshake with the wireless station derives a new set
    of the session keys for use in data communications."

s/Unless PMK (Pairwise Master Key)/Unless the Pairwise Master Key (PMK)/

Need reference for: "This is
    larger than the average coverage overlap of a wireless LAN (WLAN)."

s/organizations.  But these/organizations, but these/

Add references for 11f and 11i

Reword sentence: "Especially, a solution is needed to
    enable EAP pre-authentication in IEEE 802.11 to work even if the
    station and AP are not members of the same VLAN."

s/of high bandwidth wireless/of high-bandwidth, wireless/

s/802.11a\/b\/g/802.11/

s/hotspot like coverages/hotspot-like coverage/

s/relatively lower bandwidth/relatively low bandwidth/

s/handover keying or EAP/handover keying, or EAP/

s/contact in the new/context to the new/

s/because of domino effect/because of the domino effect/

s/a compromise of/the compromise of/g

s/I-D.ietf-hokey-reauth-ps/RFC5169/

Recommend not using term "subnet" as it's not defined in the EAP 
context.  EAP is typically an L2 protocol, which has no notion of subnets.

s/Note that EAP pre-/Note that the EAP pre-/

s/by each link-layer/by each link layer/

s/developed at IETF/developed by the IETF/

s/ongoing data communications are/ongoing data communication is/

Figure 1: Why is "Internet" in the middle?  Can't it be an arbitrary L3 
network?

s/functionality of EAP authenticator/functionality of an EAP authenticator/

s/is either standalone/is either a standalone/

s/functionality of EAP server/functionality of an EAP server/

s/On the other hand, when/When/

s/with EAP server/with the EAP server/

Add references for RADIUS and Diameter

s/uses an MSK (Master Session Key)/uses a Master Session Key (MSK)/

Section 4:
----------

s/two scenarios on how/two scenarios for how/

s/a serving authenticator/serving authenticator/
s/a candidate authenticator/candidate authenticator/
s/a AAA server/AAA server/

s/for both pre-authentication scenarios/for either pre-authentication 
scenario/

Section 4.2:
------------

Reword sentence: "Indirect pre-authentication signaling is spliced into 
mobile node to
    serving authenticator signaling (MN-SA signaling) and serving
    authenticator to candidate authenticator signaling (SA-CA signaling)."

Section 5
---------

s/pre-authentication, i.e., authenticator/preauthentication: authenticator/

Section 5.1
-----------

s/IP address and a mechanism/IP address, and a mechanism/

Section 6
---------

s/AAA documentations/AAA documents/

s/This means, when such/This means that when/

s/support pre-authentication function,/support pre-authentication,/

s/life time/lifetime/g

s/pre- authenticated/pre-authenticated/

s/or the NAS, when/or the NAS when/

"mobile entity"?  Be consistent with terminology.

s/ping pongs/cycles/

s/common for the network operators/common for network operators/

s/maintain the control/maintain control/

s/in an anticipation for/in anticipation of/

Section 7:
----------

s/any solution for this problem needs considerations on/any solution 
needs to consider/

Sentence fragment, revise: "First, a possible resource consumption 
denial of service attack where
    an attacker that is not on the same IP link as the mobile node or the
    candidate authenticator may send unprotected pre-authentication
    messages to the mobile node or the candidate authenticator to let the
    legitimate mobile node and candidate authenticator spend their
    computational and bandwidth resources."

s/noted that, when/noted that when/

Appendix A:
-----------

I think this should be significantly shortened, citing references, and 
included in the body of the document.

-- 
t. charles clancy, ph.d.                 eng.umd.edu/~tcc
electrical & computer engineering, university of maryland
_______________________________________________
HOKEY mailing list
HOKEY@ietf.org
https://www.ietf.org/mailman/listinfo/hokey