I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The technology is somewhat outside my area of expertise but I found the document relatively easy to follow anyway. I'm a fan of writing crypto-related algorithms with very little left for the imagination of the reader. To that end I would strongly suggest specifying what goes into the GAP message hash even more clearly. In this case I suspect the intent is that the inner hash is over all bytes of GAP message except the GAP authentication TLV which is added to the message _after_ the hash is computed. Conversely the validation phase needs to clearly say what bits of the message are to be included in computing the hash. Also I would change the timestamp verification step to use normative language, eg: "... the receiver MUST, upon successfully authenticating a message verify that the timestamp field corresponds... The receiver MUST silently discard a GAP message that fails timestamp verification."