You raise valid points. Let me toss a countervailing point into the mix: if the more expensive processing is done at by a thread, it becomes possible to have multiple (software) IPsec threads -- one per core -- for parallel decryptions, multiple ipinput/tcpinput threads, etc.