Subject: Re: ipsec pcb/socket passing
To: Jun-ichiro itojun Hagino <itojun@itojun.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 08/22/2003 20:12:09
We may have to wrangle out some compromise on KAME passing struct
socket *, versus the fast-ipsec struct inpcb *, after all.  Fast-ipsec
already has considerable hooks for inet6 processing, but those hooks
were designed and implemented with the assumption that inpcb and
in6pcb have been unified -- as they are, on FreeBSD.

If the space issue is a big concern, maybe we can compromise on
rearranging the fields within struct inpcb and struct in6pcb, so that
the ``common'' fields needed for v4/v6 IPsec processing are moved into
a common sub-structure. Then, we pass a pointer to that common
sub-structure into in_output() and in6_output().

That avoids the space growth of a unified pcb for both in/in6.  Macros
to preserve the field namespace for KAME merges are trivial (two for
each field in the common prefix, one for the current v4 names,
one for v6).

I will look at that over the weekend in my own tree, and see how
far I can get with pasting (openbsd-like) packet-tag dispatch from our
netinet6/ into the v6 code in netipsec/.
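
The layout proposed in the message above, as an added C sketch that is not part of the original message and is not NetBSD, KAME or fast-ipsec code. Every struct, field and function name in it is hypothetical; it assumes an address-family tag is kept in the common sub-structure so shared IPsec code can check which PCB type it was handed.

```c
#include <stddef.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/* Hypothetical names throughout; not the NetBSD or KAME definitions. */
struct socket;                      /* opaque here */
struct secpolicy { int level; };    /* stand-in for per-PCB IPsec policy */

/* Fields both address families need for IPsec processing. */
struct pcb_common {
    int               pc_af;        /* AF_INET or AF_INET6 */
    struct socket    *pc_socket;    /* back pointer to the socket */
    struct secpolicy *pc_sp;        /* IPsec policy for this PCB */
};

/* The v4 and v6 PCBs keep their own sizes; only the prefix is shared. */
struct inpcb  { struct pcb_common inp_head;  unsigned int  inp_laddr; };
struct in6pcb { struct pcb_common in6p_head; unsigned char in6p_laddr[16]; };

/* Two macros per common field keep the existing v4 and v6 names valid. */
#define inp_socket   inp_head.pc_socket
#define inp_sp       inp_head.pc_sp
#define in6p_socket  in6p_head.pc_socket
#define in6p_sp      in6p_head.pc_sp

/* Shared IPsec code takes only the common part. It returns -1 for an
 * unknown family or a PCB with no policy rather than guessing. */
static int ipsec_policy_level(const struct pcb_common *pc)
{
    if (pc == NULL || pc->pc_sp == NULL)
        return -1;
    if (pc->pc_af != AF_INET && pc->pc_af != AF_INET6)
        return -1;
    return pc->pc_sp->level;
}

/* Recover the v6 PCB from the common pointer only after checking pc_af,
 * so a v4 PCB is never reinterpreted as a v6 one. */
static struct in6pcb *pcb_to_in6pcb(struct pcb_common *pc)
{
    if (pc == NULL || pc->pc_af != AF_INET6)
        return NULL;
    return (struct in6pcb *)((char *)pc - offsetof(struct in6pcb, in6p_head));
}
```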