I've found it useful to describe the possible combinations in terms of a regular expression consisting of IP, AH, and ESP. Here are a couple of questions: Suppose a sequence of headers involves several different identities; may a host have a local policy rejecting some or all such combinations and still be conforming? Also, must/should the ip-in-ip protocol be supported?