"Kipp E.B. Hickman" says:
A (probably naive) question: If IPSP is essentially "tunnelling", don't sysadmins and the like get concerned that now their fancy routers etc. can no longer shield certain classes of unwanted traffic?
You are right that an encrypted IPSP packet can't be "peeked into" and thus can't be selectively blocked by a filtering router. There is, however, a notion in the IPv6 version (will be in the v4 version if I have anything to do with it) of a "transparent authentication header" which allows you to achieve authentication without privacy for those situations that require the ability to filter packets at a firewall. Overall, however, IPSP reduces (but does NOT by any means eliminate) the need for firewalls, because IPSP packets can be fully private and authenticated and thus can't be hijacked.

Perry
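
Added example, not part of the original message: a sketch of the filtering difference discussed in this exchange, showing that a filter can read the transport ports behind an authentication-only header but not behind an encrypted payload. It assumes the header layout later standardized for the IP Authentication Header (RFC 4302) and the IANA protocol numbers for AH and ESP, which may differ from the IPSP drafts under discussion; all function names and sample packets are constructed for illustration.

```python
import struct

AH, ESP, TCP, UDP = 51, 50, 6, 17  # IANA IP protocol numbers


def classify(next_header, payload, blocked_ports):
    """Return 'pass', 'drop' or 'opaque' for the bytes that follow the IP header."""
    offset = 0
    while True:
        if next_header == ESP:
            # Upper-layer protocol and ports are ciphertext: nothing to match on.
            return "opaque"
        if next_header == AH:
            if len(payload) < offset + 12:
                return "drop"  # truncated authentication header
            inner, length_field = payload[offset], payload[offset + 1]
            # Assumed RFC 4302 layout: length is in 32-bit words, minus 2.
            # The filter only skips the header; without the key it cannot
            # verify the integrity check value, it can only read cleartext.
            offset += (length_field + 2) * 4
            next_header = inner
            continue
        if next_header in (TCP, UDP):
            if len(payload) < offset + 4:
                return "drop"  # truncated transport header
            _src, dst = struct.unpack_from("!HH", payload, offset)
            return "drop" if dst in blocked_ports else "pass"
        return "drop"  # unknown protocol: default deny


def build_ah(inner, icv=b"\x00" * 12):
    # Constructed sample: SPI 0x1000, sequence number 1, zeroed ICV.
    body = struct.pack("!II", 0x1000, 1) + icv
    return bytes([inner, (4 + len(body)) // 4 - 2, 0, 0]) + body


def build_tcp(dst_port):
    # Constructed sample: source port 40000, remaining TCP fields zeroed.
    return struct.pack("!HH", 40000, dst_port) + b"\x00" * 16


if __name__ == "__main__":
    blocked = {23}  # hypothetical policy: block telnet
    print(classify(AH, build_ah(TCP) + build_tcp(23), blocked))
    print(classify(AH, build_ah(TCP) + build_tcp(443), blocked))
    print(classify(ESP, b"\x00" * 40, blocked))
```

What to do with an "opaque" result is a policy decision for the filter's operator, since the port rules cannot be applied to it.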