I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

The document defines a new BGP capability "Long-lived Graceful Restart Capability"
that allows stale routes to be retained for a longer time than is currently allowed 
by RFC 4724. The document is well written and is easy to understand.

My concern is that the upper limit for the "Long-lived Stale Time" period is 2^24 - 1 seconds
(about 194 days) and the document doesn't specify any restrictions for this value.
It seems to me that having such long lived stale routes may open new possibilities for attackers.
In particular, a possibility of a resource exhausting for storing a lot of stale routes
for a very long time leading to a DoS attack come first to my mind. 
This possibility is not mentioned in the Security Considerations. 
Then, it seems to me that the countermeasures suggested in Section 6 to avoid VPN breach 
may not work for large values of the "Long-lived Stale Time" period.

And a final nit: the last para of Section 6 looks to me like some sort of excuse, which 
in my opinion is not appropriate for a technical document. No matter how complex an attack is,
if it is ever feasible with the given threat model, then we should just describe it 
with no additional sentiments that it is hard. Perhaps it is better to describe possible
attacks in terms of attacker's capabilities. E.g.: "If an attacker is able to inject packets
into the network then the following attacks are possible...".