Hi. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I have mixed feelings about this document.

The Security Considerations seems fine. It calls out that new SAFI can provide new avenues for traffic diversion. It says that BGPsec can be extended to mitigate those risks, but that extension is not done in this document. That is fine, especially for an experimental draft.

But I can't honestly say that I understand the draft. I thought it could be just me not having enough routing clue to figure it out, but even the rtgdir review suggests more explanation of "color" and "color-aware routing" in the introduction.

A comment accompanying the requested review suggested the following:

  Security reviews should consider this draft as being deployed in a "walled garden" where the walls are created via configuration by providers. Some questions that might be explored are:

  a) Does the security text provide an adequate description of the formation of the "walled garden" via BGP TCP security, address considerations, preventing DOS service attacks, and strong BGP security (BGP origin and BGPsec)?

  b) Does the security text provide an adequate description of how to detect if traffic goes outside of the "walled garden"?

I'm afraid I don't understand the protocol enough to answer those questions.