Security?
Scope is Internet traffic, not VPN traffic.
If confidentiality or integrity is required inside the tunnel, it’s also required outside the tunnel, so there is no new confidentiality requirement.
A spoofed encapsulation header is possible, but without the tunnel a spoofed payload packet would be possible, so there is no new authentication requirement.