Output/input machinery

Security association: key database
    address + key + algorithm + SPI

Output
    "IP payload"
    Decide policy by address (like packet filter), or socket
    Encrypt, attach SPI
    "IP [ESP payload]"

Input
    "IP [ESP payload]"
    Lookup security association by SPI, then decrypt
    "IP payload"
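
The output and input paths above as a runnable sketch, added here and not part of the original slide. The HMAC-SHA256 keystream and truncated HMAC tag are stand-ins for a real ESP algorithm, and the addresses, key, SPI value and function names are constructed for illustration; one key database serves both directions so the packet can loop back.

```python
import hashlib, hmac, ipaddress
from dataclasses import dataclass

@dataclass
class SA:                 # security association: address + key + algorithm + SPI
    address: str
    key: bytes
    algorithm: str
    spi: int
    seq: int = 0          # sequence number carried after the SPI in the ESP header

SAD = {}                  # key database, indexed by SPI for the input lookup
SPD = []                  # ordered (destination network, SPI) output policy rules

def _xor_stream(sa, seq, data):
    # Stand-in transform (assumption, not a real ESP cipher): HMAC-SHA256 keystream XOR.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hmac.new(sa.key, b"enc" + seq.to_bytes(4, "big") + i.to_bytes(4, "big"),
                               hashlib.sha256).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def _icv(sa, body):       # integrity tag over SPI + sequence number + ciphertext
    return hmac.new(sa.key, b"auth" + body, hashlib.sha256).digest()[:16]

def esp_output(dst, payload):
    for net, spi in SPD:                      # decide policy by address, first match wins
        if ipaddress.ip_address(dst) in net:
            sa = SAD[spi]
            sa.seq += 1
            header = sa.spi.to_bytes(4, "big") + sa.seq.to_bytes(4, "big")   # attach SPI
            body = header + _xor_stream(sa, sa.seq, payload)                 # encrypt
            return body + _icv(sa, body)      # "IP [ESP payload]"
    return None                               # no rule matched: caller decides what to do

def esp_input(packet):
    if len(packet) < 24:                      # 8-byte header + 16-byte tag at minimum
        raise ValueError("truncated ESP packet")
    spi, seq = int.from_bytes(packet[:4], "big"), int.from_bytes(packet[4:8], "big")
    sa = SAD.get(spi)                         # lookup security association by SPI
    if sa is None:
        raise KeyError("unknown SPI")
    body, icv = packet[:-16], packet[-16:]
    if not hmac.compare_digest(icv, _icv(sa, body)):
        raise ValueError("integrity check failed")
    return _xor_stream(sa, seq, body[8:])     # then decrypt: "IP payload"

# Constructed sample entries (documentation address range, dummy key).
SAD[0x1001] = SA("192.0.2.10", b"k" * 32, "toy-hmac-stream", 0x1001)
SPD.append((ipaddress.ip_network("192.0.2.0/24"), 0x1001))
```

The receiver never consults the address-based policy to find the key: the SPI in the packet alone selects the security association, and an unknown SPI or a failed integrity check rejects the packet before any decryption.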