The following is a quote from the Security Consideration section of the draft:
"The use of layer-2 or layer-3 security for RPL control messages prevents the two aforementioned attacks, by preventing malicious nodes from becoming part of the control plane."

The following quote is from RFC7416, section 7.1.2:
"A number of deployments, such as [ZigBeeIP] specify no Layer 3 (L3) / RPL encryption or authentication and rely upon similar security at Layer 2 (L2).  These networks are immune to outside wiretapping attacks but are vulnerable to passive (and active) routing attacks through compromises of nodes (see Section 8.2)."

The draft seems to suggest layer-2 security might be sufficient protection, while RFC7416 seems to suggest that solely relying on layer-2 might not be enough. 

RFC7416, section 8.2 states:
"RPL provides for asymmetric authentication at L3 of the RPL Control Message carrying the DIO, and this may be warranted in some deployments."

I feel that this should be discussed here to make it clear that in some deployments, layer-2 by itself might not be sufficient and the use of asymmetric authentication at L3 might be required.