I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: ready with issues, or maybe not ready (AD's choice!) Firstly, I'm not generally keen on RFCs for "vanity" ciphers - or, indeed, any cipher that's been as lightly reviewed as ARIA has. The Security ADs may feel differently, so I defer to them. Secondly, ARIA-CTR and ARIA-GCM both use SHA-1 as a hash function, and I believe we are trying to deprecate that practice. Thirdly, I am not familiar enough with SRTP to understand why short authentication tags are needed, but in general its a bad idea, so I feel the Security Considerations should explain more fully than "Ciphersuites with short tag length may be considered for specific application environments stated in 7.5 of [RFC3711], but the risk of weak authentication described in Section 9.5.1 of [RFC3711] should be taken into account." How would I take this risk into account? Finally, given that short tags are a risk, why are there no modes with full-length tags?