>Always having the inner ip header (making the outer ip header
>irrelevant) would allow the check to always be done as part of ipsec
>rather than over in some other part of the system.

But these features are already being implemented in firewall and policy routing modules (e.g., the policy routing stuff in Linux 2.2). Why reinvent the wheel?

Phil