We put two layers side by side over the basic packet delivery services. One layer is for non-key traffic; the other consists only of the key management protocol. I favor this arrangement over schemes that use UDP for key management, because I believe it yields a cleaner separation of software functionality and is easier to analyze.