Reviewer: Stewart Bryant
Review result: Has Issues

I apologise for the lateness of this last call review.

The routing technology in this specification seems fine, however I do have concerns over the network security.

From the text in the introduction it says:

"On similar lines, introducing the SRv6 related information in BGP-LS allows consumer applications that require topological visibility to also receive the SRv6 SIDs from nodes across an IGP domain or even across Autonomous Systems (AS), as required. This allows applications to leverage the SRv6 capabilities for network programming."

Then in the security section it says:

"SR operates within a trusted domain [RFC8402] and its security considerations also apply to BGP-LS sessions when carrying SR information."

I am concerned that the exposure of sensitive network information outside the network as proposed here represents a significant security risk. I am also concerned about the increased (practically unconstrained) exposure to the threat of hostile actors.

The "trusted domain" concept which is fundamental to SRv6 is fragile at best. The scope of the domain and the method of policing are not well described, and unlike MPLS which successfully operates that model, SRv6 does not have the advantage of being able to automatically classify external traffic as being of an alien type.

With this specification the domain is expanded from the network itself to some subset of the applications using the network. It is difficult to see how the scope and size of the threat to the network is contained in this operational model and I do not see text that helps the operator in that regard. Applications significantly increase the size of the code base and number of organizations that can introduce a threat, and by their nature expand the geographic area of risk in an unconstrained way, perhaps to the full Internet.

I believe that a more complete review of the security model is needed before this specification is finalised.