Last Call Review of draft-ietf-avtcore-srtp-aes-gcm-14
review-ietf-avtcore-srtp-aes-gcm-14-secdir-lc-lepinski-2014-10-23-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document specifies the use of the Advanced Encryption Standard
(AES) in both Galois Counter Mode (GCM) and CBC Counter Mode (CCM) as
an Authenticated Encryption with Additional Data (AEAD) cipher-suite
for the SRTP protocol. This is the first AEAD specification for SRTP.
However, this specification is consistent with other AEAD work in the
IETF (i.e., RFC 5116).

I found no significant issues in the review of this document and
believe that it is ready for publication.

Nits (consider the following suggestions):

Section 3b: s/(as well one or more /(as well as one or more /

Section 6: s/XORed to the plaintext to form /XORed with the plaintext to form /

Section 9.1: s/XORed to the 12-octet salt to form /XORed with the
12-octet salt to form /

Section 10.1: s/XORed to the 12-octet salt to form /XORed with the
12-octet salt to form /

Section 11: s/accept inputs with varying lengths /accept inputs of
varying lengths /

Section 14.1: You use the phrase "If the master salt is to be kept
secret". However, I am not sure how an implementer is supposed to
decide whether or not to keep the master salt secret. If you have any
reference on the ramifications of keeping / not-keeping the master
salt secret, it would be helpful to include such a reference.

Section 14.2: s/authentication value until by chance they hit a valid
/authentication value until, by chance, they hit a valid /