I have reviewed the differences between draft-20 and draft-23. The draft-20 was already a pretty good document, and I only suggested fixing two minor nits. Draft-23 addresses my first nit: the text describing the denial-of-service attacks is now moved to the security consideration section. It also addresses my second, to make the privacy issues more prominent in the introduction -- and it indeed did not need much text to do that.