> As Steve Bellovin has pointed out on numerous occasions, the IP header > in transport-mode ESP can be "authenticated" merely by doing a compare > of the source and destination addresses against static state in the > SA... but we need to survey whether there is really no ip extention header to be protected or not, don't we ?.