I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last-call comments.

This document is naturally a bit tough to grasp for someone without routing background. However, it essentially defines a new BGP Flow-spec action that allows a BGP peer to request specific traffic be redirected or copied to a target IP address (presumably a specialized inspection server(s)). The primary security risk with this mechanism is unauthorized traffic manipulation. Specifically, a peer attempting to hijack traffic that doesn't belong to them, or redirecting it to a target IP they don't control. To mitigate this, the document relies on a two validations. First, it specifies that baseline Flow-spec validation (RFC 9117) SHOULD be applied to verify the peer has legitimate authority over the traffic pattern being filtered. Second, it introduces a new rule stating that receiving peers must validate that the announcing peer also holds legitimate routing authority over the specific target IP address. This ensures a peer cannot manipulate traffic unless they own both the original destination and the redirect target. Perhaps the requirements language can be carefully evaluated. For example: "[RFC9117] SHOULD be applied" vs. "SHALL" or "MUST".