The overall IPsec architecture is very similar to previous work [5] and is composed of three modules:
Outgoing packets are authenticated, encrypted, and encapsulated just before being sent to the network, and incoming packets are decapsulated, verified, and decrypted immediately upon receipt. These protocols are typically implemented inside the kernel, for performance and security reasons. A brief overview of the OpenBSD kernel IPsec architecture is given in Section 2.2.
For more details on their implementation in OpenBSD, see [3].