Indermohan,

The discard function is present because not every IPsec implementation would be part of a firewall, e.g., it could be a standalone crypto device or a shim in a host stack, etc. Thus we added this option to provide a complete characterization of what to do with every outbound or inbound packet traversing the IPsec interface.

Steve