Upon decryption/decapsulation of a packet, the inner set of selectors should be checked against SA definition. This is a requirement from RFC2401. It provides a paranoid check against possible mis-behaviour/mis-configuration of a corresponding peer.