Outgoing packets require somewhat different processing. When a packet is handed to the IP module for transmission (in ip_output), a lookup is made in the Security Policy Database (SPD) to determine whether that packet needs to be processed by IPsec. The SPD in OpenBSD is implemented as an extension to the standard BSD routing table. The decision is made based on the source/destination addresses, transport protocol, and port numbers. If IPsec processing is needed, the lookup will also specify what SA(s) to use for IPsec processing of the packet (even to the extent of specifying encryption/authentication algorithms to use). If no suitable SA is currently established with the destination host, the packet is dropped and a message is sent to the key management daemon through the PF_KEY interface [10]. It is then the key management's task to negotiate the necessary SAs. Otherwise, the packet is processed by IPsec and passed to ip_output again for transmission. The packet also carries an indication as to what IPsec processing has already occured to it, to avoid infinite processing loops.