I have reviewed this document as part of the security directorate's  ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the  security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready with nits.

---

1. Section 4 (Advice for Specification of New Flags) seems sparse. There are a number of security considerations that apply to LCP extensions (for e.g. https://www.rfc-editor.org/rfc/rfc8231.html#section-10). It would be helpful for this document to mention that there are security considerations related to adding new flags that might interact with existing extensions. It would also be especially helpful for this document's Security Considerations to summarize the security-critical aspects of existing flags so as to help future flag developers make secure choices. 

2. The Security Considerations section of RFC 8231 says:

As a general precaution, it is RECOMMENDED that these PCEP extensions
   only be activated on authenticated and encrypted sessions across PCEs
   and PCCs belonging to the same administrative authority, using
   Transport Layer Security (TLS) [PCEPS], as per the recommendations
   and best current practices in [RFC7525].

Is there any reason we can't provide similar guidance for new LSP extended flags?