IETF Last Call Review of draft-ietf-sidrops-avoid-rpki-state-in-bgp-06
review-ietf-sidrops-avoid-rpki-state-in-bgp-06-secdir-lc-kelly-2026-05-23-00

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

The summary of the review is ready with nits.

From the abstract, this document provides guidance to avoid carrying Resource
Public Key Infrastructure (RPKI) derived validation states in transitive Border
Gateway Protocol (BGP) Path Attributes.

A couple of minor issues:

Page 2, 3rd paragraph,”…new BGP UPDATE messages will have to be send…” --
should replace “send” with “sent”

NLRI is used without expansion.

For the security considerations:
If I understand correctly, there are two types of risk that this document calls
out. One type is operational (i.e. the negative operational implications and
consequences that may arise from legitimate changes/annotations). The other
type is security-related, e.g. issues resulting from malicious behavior. I
would expect the security considerations to call out the malicious case(s), and
I would expect the operational case(s) to be called out elsewhere in the doc.
As it is, I think the current security considerations section may be mixing the
two.

Of the three paragraphs, I think the second paragraph is clear (it describes
specific attacker behavior/consequences). I think the first paragraph may be
providing some preliminary context for this, but it's not entirely clear to me.
And the third paragraph seems operational, so maybe that would be better
covered in section 6 (Operational Considerations).