As noted, ESP coverage of selected header fields would increase complexity and reduce performance. It also would create even more circumstances where NAT could interfere with IPsec use. Today, using ESP in tunnel mode can be made to work with NAT, but if the outer S/D IP addresses were covered, that capability (I hesitate to call it a feature) would go away.Steve,As for as I know, in many implementations, NAT is done prior to ipsec processing at the sending end, and Ipsec processing is done before NAT at the receiving end.Are there situvations where NAT would interfere in ipsec processing ? if so, kindly will you brief them?Assuming there will be situations where NAT will interfere with IPsec processing, how AH in transport mode will work there?ThanksLokesh.