how about inserting two or maybe four bytes of "confounder", a la Kerberos, before the actual packet, and throwing them away after decryption? Minimal overhead, and they can be essentially random. If a single PRNG is used to seed all the packets going out of an IPSP box, the confounders will be even more random if it's talking to more than one place... _H*