From: James Morris <jmorris@namei.org>
Date: Wed, 2 Aug 2006 12:04:31 -0400 (EDT)

Why can't IPSec & MIP transforms be bundled on the same policy?

At the first year of netconf, Yoshifuji went into detail
as to why the IPSEC and MIP transformations had to live
seperately.

It's partly a side effect of different userland daemons controlling
IPSEC vs. MIP configuration.

Or, perhaps a different approach is needed, where the disposition of a 
policy can be to re-submit a packet for another policy match after the 
current bundle has been traversed (something like NF_REPEAT).

We can consider an approach like this as a future refinement.
It would allow arbitrary nesting of sub-transforms, for sure,
just like netfilter's NF_REPEAT.