Subject: Re: ipsec pcb/socket passing
To: None <jonathan@DSG.Stanford.EDU>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-net
Date: 08/25/2003 05:39:15
>> another reason that passing around socket * is better than passing
>> around inpcb *: there are L4 protocols that cannot be handled by inpcb.
> 
> No.  If other transport protocols sit on top of IP with IPsec, then
> the pcbs for those protocols should also share a common pcb-header
> prefix.  Then, IPsec relies on that common prefix, no matter what the
> upper-level transport.
> 
> Your way, we would have to find *all* the places where IPsec relies on
> transport-layer protocol-control state, and update *all* the switches.
> That is bad style.  

	SCTP pcb has multiple pairs of addresses, therefore inpcb cannot support
	it.  i guess i made it clear in the previous message.  could you tell
	me how you would support SCTP with your approach?

> The example you raise (adding SCTP support to IPsec) is one of the
> reasons why the currently-taken approach *is* bad style.  If it had
> been done right in the first place, you shouldn't have to touch
> the IPsec code at all.

	i beg to differ.  unfortunately we use layer 4 information (inpcb or
	sctp_pcb) to hold ipsec policy information, therefore, there needs
	to be some information grabbed by IPsec code from there.  to pass a
	pointer to such layer 4 information, socket * is better.

itojun