>> I  have no argument that fast ipsec or any other user should remove
>> their own  tags before they hit if_loop (as appropriate).
>
> The proposal to have if_loop() remove nonpersistent tags is for
> *consistency*: so that sending via if_loop() behaves the same as sending
> on a real interface, which then hears its own packet.
>
> The other approach is to have fast-ipsec remove its tags on the way
> through ip_output(). I dont see how that can work. If we want to use
> NIC IPsec offload to perform encryptoion of outbound packets (and we
> do!), then ipsec tags have to stay on an outbound packet until the
> packet hits the NIC driver. The NIC driver inspects the tags, to
> decide whether set up NIC-specific commands to do the transform.
>

Well, that was why I said "as appropriate".  Theoretically one could strip 
everything but stuff that should be passed downward.  Whether or not this 
is a good idea is to be seen.

> I suppose we could end up with a situation where sometimes ip_output()
> removes ipsec tags, and sometimes it inserts packet tags for the
> benefit of on-NIC ipsec offload engines. In that world, sometimes
> ifp->if_output() remove tags, and sometimes it doesn't.
>
> I'd sooner have consisent behaviour (leading to robustness and
> reliability) than an API which goes in the other direction.
>

Whether or not tags are stripped out elsewhere I think if_loop should 
cleanse the mbuf chain before passing it along.  This is only necessary 
because the mbuf is reused.

	Sam