I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document specifies the use of the Advanced Encryption Standard (AES) in both Galois Counter Mode (GCM) and CBC Counter Mode (CCM) as an Authenticated Encryption with Additional Data (AEAD) cipher-suite for the SRTP protocol. This is the first AEAD specification for SRTP. However, this specification is consistent with other AEAD work in the IETF (i.e., RFC 5116). I found no significant issues in the review of this document and believe that it is ready for publication. Nits (consider the following suggestions): Section 3b: s/(as well one or more /(as well as one or more / Section 6: s/XORed to the plaintext to form /XORed with the plaintext to form / Section 9.1: s/XORed to the 12-octet salt to form /XORed with the 12-octet salt to form / Section 10.1: s/XORed to the 12-octet salt to form /XORed with the 12-octet salt to form / Section 11: s/accept inputs with varying lengths /accept inputs of varying lengths / Section 14.1: You use the phrase "If the master salt is to be kept secret". However, I am not sure how an implementer is supposed to decide whether or not to keep the master salt secret. If you have any reference on the ramifications of keeping / not-keeping the master salt secret, it would be helpful to include such a reference. Section 14.2: s/authentication value until by chance they hit a valid /authentication value until, by chance, they hit a valid /