Dan McD is correct (and the RFC-1827 ESP spec has a bug). Fragmentation processing occurs _after_ all outbound IPsec processing and _before_ all inbound IPsec processing. This should be for ESP as well as for AH. Ideally this will get corrected in the new ESP spec. Mea Culpa.

Ran
rja@inet.org