I concur with what Colin says - using the IP ID as an IV may be just one of the allowable techniques. Question for those who know BSD kernel internals better than me -- is this easily done? Or is the IP ID assigned after the transport layer (IPSEC, in this case) has already handed its packet down to IP? Phil