> Hear. Hear. Except for the authenticationless. If [one] has to do AH > to get the IP header, you don't want to do another authentication. (I'd > rather see ESP follow the same exact rules as AH...) Hmm. Why can't you just do tunnel mode ESP in that case, where the inner IP header is the one which really needs protecting. - Bill