Another way of looking at ipsec is that the transforms are really a layer *in between* network and transport. You're not so much adding a "user" concept at the network layer as adding a new layer next to the transport layer, which already has a concept of "user".

- Bill