I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

The document describes a hub and spoke topology for BGP/MPLS VPNs.  The security considerations refer to RFC4364.   While I share the concern in Stephen's Comment, I have thought about it a bit and have not come up with significant  recommendations that are not covered in RFC4364.   The document does discuss multicast routing a bit so I'm wondering if it should also reference the security considerations in RFC 6513 and/or RFC 6514. 

Aside from this comment I think the document is ready to go.   

Cheers,

Joe