Check the new IPsec architectrure document for clarification of these and other topics. The RFCs you cited are to be replaced very soon by the newly arrpoved set of IPsec I-Ds. Steve