I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Has Nits

The main issues of concern from my first review have been addressed:

- Describing dependence on ICMP messages
- Rationalization of how AH processing is affected, which is declaring that a sender “MUST calculate the Integrity Check Value (ICV) over the packet as it arrives at the destination node”. This matches the intent of RFC 4302, and is in fact possible for the CRH originator.

I still think the following comment from my original review is important enough to mention, but I don’t consider it an issue.

“One general comment is that I would expect the network operators in some networks to deploy packet inspection devices (e.g., firewall, intrusion detection) at choke points within the network. Because the IPv6 Destination Address is changed hop-by-hop they cannot simply compare the packet's SA and DA to {source, destination} rules simply by extracting the SA and DA from the packet. In order for these packet inspection devices to validate based on endpoint addresses they will need to be aware of the mapping of SIDs to IP addresses. I think this issue is worth mentioning in Security Considerations.”
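The following sketch illustrates the packet-inspection concern quoted above. It is an added example, not part of the review or of the reviewed document. The SID values, addresses, rule set, and the choice of which SID-list position names the final destination are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed SID -> IPv6 address mapping. Assumption: the inspection device
# is provisioned with the same mapping the CRH-capable routers use.
SID_MAP = {101: "2001:db8:a::1", 102: "2001:db8:b::1", 103: "2001:db8:c::10"}

# Constructed {source, destination} allow rules written against true endpoints.
ALLOW_RULES = [("2001:db8:1::/48", "2001:db8:c::/48")]

@dataclass
class Packet:
    src: str               # IPv6 Source Address
    dst: str               # IPv6 Destination Address as seen at the choke point
    sids: list             # SID list, already parsed from the routing header
    final_index: int = 0   # assumption: position of the SID for the final destination

def _allowed(src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(rs) and d in ipaddress.ip_network(rd)
               for rs, rd in ALLOW_RULES)

def naive_verdict(pkt):
    """Match rules on the outer SA/DA only, as a SID-unaware device would."""
    return "allow" if _allowed(pkt.src, pkt.dst) else "deny"

def sid_aware_verdict(pkt):
    """Resolve the final destination through the SID mapping before matching."""
    if not pkt.sids:
        return naive_verdict(pkt)      # no SID list: the outer DA is the endpoint
    final = SID_MAP.get(pkt.sids[pkt.final_index])
    if final is None:
        return "deny"                  # unknown SID: endpoint unknowable, fail closed
    return "allow" if _allowed(pkt.src, final) else "deny"

# Constructed samples observed mid-path, where the DA is an intermediate hop.
PERMITTED_FLOW = Packet("2001:db8:1::5", "2001:db8:a::1", [103, 102, 101])
OTHER_ENDPOINT = Packet("2001:db8:1::5", "2001:db8:c::10", [102, 103])
UNKNOWN_SID = Packet("2001:db8:1::5", "2001:db8:c::10", [999])

if __name__ == "__main__":
    for p in (PERMITTED_FLOW, OTHER_ENDPOINT, UNKNOWN_SID):
        print(p.dst, p.sids, naive_verdict(p), sid_aware_verdict(p))
```

The two verdicts disagree in both directions: the SID-unaware check drops a flow whose real endpoint is permitted, and passes one whose real endpoint is outside the rule set.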