Subject: Re: IPsec policy cache hint
To: tech-net@NetBSD.org, Jason Thorpe <thorpej@wasabisystems.com>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 02/28/2004 12:10:07
For a somewhat similar situation (determining what IP source address
would be used for an IKE packet on Linux/FreeS/WAN), I had suggested an
IP-layer socket option which I called "IP_JUST_KIDDING".

It would do *all* processing, including host-based NAT, whatever IP
source address selection rules might be in IP(f), etc., but not send
the resulting packet, stopping at the step just before handing it to the
hardware TX queue. Instead, the packet would be returned to the
application for examination.

You are basically talking about leaving appropriate space so that IPsec
doesn't have to cope with oversize packets - shouldn't that be a more
general situation - that IPsec updates the MTU of the socket itself?

Or do you want to adjust the MSS in the initial TCP exchange?

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [