Subject: Re: Splitting ip{,6}_output
To: DEGROOTE Arnaud <degroote@NetBSD.org>
From: None <jonathan@dsg.stanford.edu>
List: tech-net
Date: 03/02/2007 14:53:14
In message <20070302224604.GA23060@NetBSD.org> DEGROOTE Arnaud writes
>
>In order to better integrate the fast_ipsec with our ipv{4,6} processing,
>we need to make some changes to the current way to deal in the output
>processing. Currently, we do something like this:
>
>ip6_output calls ipsec6_process_packet, which processes the ipsec
>transformation in an asynchronous way. When it has finished,
>ipsec_process_done is called and the packet is reinjected in ip6_output
>with dummy arguments.
>
>There are two problems here:
>    - we lose the current arguments of ip6_output (all the options in
>      particular)
>    - we process some things that we already have processed on the first
>      pass
>
>The situation is quite the same on the v4 side, maybe worse because when we
>call ipsec4_process_packet, we have already processed most of the ip_output
>function.

But for tunnel mode, don't we *want* to redo all that work?
("need to" might be more accurate.)