>>> 	KAME code removes tag before calling if_output().  why it isn't
>>> 	sufficient?
>> Offhand, because that means that tags only work "right" for IP traffic.
>> While that is like 99.999% of the overall traffic, we should abstract
>> things correctly. Since only the loopback interface can have packets
>> "arrive" with tags, only it needs to worry about flushing them.
>>
>> I am of course assuming that the standard mbuf recycling code will deal
>> with flushing tags (whatever that may mean). If instead the semantics are
>> that the protocol should flush them, then ip_output needs to clean them
>> for FAST_IPSEC too. And all the other protocols should too. :-|
>
> 	my point is, what is the rationale for making layer 2 (if_loop.c) do
> 	cleanup for layer 3 tags (FAST_IPSEC)?  the cleanup of FAST_IPSEC tags
> 	must be done in layer 3, which is, for instance, right before the call
> 	to if_output().

Fast ipsec should not probably not leave it's tags on mbufs unless they are 
intended for a layer below (e.g. to communicate with IPSEC-aware NIC's) or 
to deal with potential loop detection.  It's typically been neglected 
because tags are collected when the mbuf chain is reclaimed and doing it 
explicitly adds overhead.

I've been aware of some issues in this area and just not attacked them yet 
because they haven't caused problems.

	Sam