I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last-call comments.

This draft specifies BGP protocol extensions to support multicast (MVPN) and Ethernet VPN (EVPN) services over a Segment Routing (SR) network. It provides the procedures for using BGP to automatically establish and manage two types of transport tunnels for this one-to-many traffic: efficient SR Point-to-Multipoint (P2MP) trees and Ingress Replication. The specifications cover both SR-MPLS and SRv6 network environments.

This draft is certainly not in my area of expertise and is intended for an audience with sufficient routing background.

The security considerations section simply refers to security considerations of the following documents: RFC 6513 (Multicast in MPLS/BGP IP VPNs), RFC 6514 (BGP Encodings and Procedures for Multicast in MPLS/BGP IP VPNs), RFC 9524 (Segment Routing Replication for Multipoint Service Delivery), and draft-ietf-pim-sr-p2mp-policy (Segment Routing Point-to-Multipoint Policy). This might be acceptable as routing domain experts will likely be familiar with the considerations that apply to securing BGP sessions and the underlying Segment Routing fabric. I haven't read those documents and I am not familiar with them. I guess the risks of a compromised PE injecting malicious BGP routes to manipulate multicast tunnels, potentially causing traffic interception, misdirection, or DoS are either not relevant or are covered in the documents pointed to.