some questions about IPSEC ESN

ESN feature is described in RFC 4303. Here is some questions which bothered me:

1. When use ESN combined with AES_GCM or AES_GMAC alogrithom, do I need to add the high-order ESN bits to the packets?
   According to RFC 4303: If a combined mode algorithm is employed, the algorithm choice determines whether the high-order ESN bits are transmitted or are included implicitly in the computation. According to RFC 4106, it is said ESN bits need to be part of AAD format, does it mean ESN bits must add to the packets?

2. In which algorithom we need to add icv padding when use ESN? In this picture from RFC4303, icv padding will add in some case, but i see hmac algorithom, it doesnt need to add padding when calculating icv.

According to RFC 4106, it is said ESN bits need to be part of AAD format, does it mean ESN bits must add to the packets?

No. The additional authenticated data (AAD) that's included in the AES-GCM computation is not sent in that form. That's the whole point of AAD, they are not part of the encrypted data.

Combined-mode algorithms could theoretically replicate the complete sequence number (and the SPI) in the ESP Payload Data if they don't use AAD but only authenticate encrypted data (see section 2 of RFC 4303). The format of that data has to be defined for each algorithm. As you can see in section 3 of RFC 4106, AES-GCM does not require encoding SPI and sequence number, only the IV.

In which algorithom we need to add icv padding when use ESN?

See the end of section 3.3.2.1 of RFC 4303, which explains that this implicit padding might be necessary for integrity algorithms that require the input to be a multiple of a specific block size. HMACs handle padding to the internal block sizes internally, so IPsec does not have to add additional padding (see e.g. section 2.2 of RFC 4868).