I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

My knowledge of IPsec is limited: I think of it as "TLS for IP". This draft documents a way for peers to negotiate and use additional security associations for processing the cryptography associated with the traffic.

The security considerations section is good, pointing out the concerns about allowing "just anyone" to request a reservation, particularly a CPU-tied one, for that work.

This document assumes all readers know what acronyms like "SA" stand for. This probably makes sense; it's only the occasional newcomer reader (like Your Humble Reviewer) who has to search to find out what they mean. Perhaps other long-term activities should follow the DNS example of periodically creating a glossary RFC. But that issue does not affect this document.