The security considerations section does exist and defers to RFC 4884 and 8335
in regards to the security of ICMP extensions. The section also recommends
limiting the extension to the internally-facing administrative domain in
consideration of privacy by filtering out these sustainability metrics and
data. I agree with these assertions. However, one attack vector that I could
think of is a high-fidelity reporting of power draw for the targeted node's
memory, cache, or HSM component then an attacker could perform a remote
side-channel attack (i.e., using DPA) during cryptographic operations in order
to extract the associated secret key.
From Shawn Emery's review: