Ran, ESP is also a transport-layer encryptor, not just an IP-layer encryptor (read the draft). Your argument fails. I'm not sure which argument you are referring to, since I've made several recently. Could you clarify? Are you contemplating implementing transport-mode ESP within the transport-layer (UDP or TCP or ICMP) code itself?