The rule that you MUST pad allows alignment optimization to be made not just on encrypt but on decrypt as well. Unfortunately, since not everyone does it right, you still need to be able to cope with misaligned packets inbound -- unless you're willing to fail interoperation with anyone who doesn't obey the alignment rule. paul