The answer is the second one.  R4 is receiving this.
So it'd better be something encrypted with a key that R4 can decrypt.
R4 should not be able to decrypt something encrypted with the public key of Alice.
R4 could decrypt these two because R4 could know the public key of Bob,
but then anyone could also decrypt these two.
So we want it encrypted in a way that only R4 can open.
That's like the envelope with a seal that only a particular person should be able to open.
The content needs to be visible to R4 where to send the message next,
which is what the To Alice part does, but invisible to R4 what the actual content is.
Alice looks different from the other routers the way I'm writing in here.
For this to be secure, there shouldn't be any real distinction between R4 and Alice.
That's hard to get in a network like this.
So it probably is the case that R4 actually learns that Alice is the endpoint,
but because the message was received from the previous one in this chain
doesn't learn that it was Bob talking with Alice.
