Three different implementation architectures are defined for IPsec in RFC
2401. The one you use depends on various factors including the version of IP used
(IPv4 or IPv6), the requirements of the application, and other factors. These, in
turn, rest on a primary implementation decision: Should IPsec be programmed
into all hosts on a network, or just into certain routers or other intermediate
devices? This is a design decision that must be based on the requirements of the
network