quicwg / load-balancers

In-progress version of draft-ietf-quic-load-balancers

Home Page: https://quicwg.org/

Add crypto review discussion to security considerations

martinduke opened this issue

The analysis in the second crypto review should be in the security considerations.

I believe there is an edge case where a partially chosen plaintext is possible.

  1. The load balancer is supporting both an encrypted and unencrypted config, on different codepoints, that happen to use the same server ID mapping
  2. The server is generating encrypted CIDs.
  3. The attacker sends an initial packet with an unencrypted CID.
  4. Any server-generated CID is therefore using the unencrypted server ID as plaintext. The random nonce should generally protect us, but maybe not?

Anyway, security considerations could say something like "unencrypted and encrypted CIDs MUST NOT use the same server ID assignments because...".

Fixed by #176