Marcus,

I agree with most of the comments and would like to add a clarification. While it may not be appropriate to require the presence of an EKU in an IPsec implementation, it may be appropriate to require the ability to configure such constraints in every IPsec implementation, to ensure that folks have this local configuration option.

Steve