This document discusses improving IPsec security association resolution. It outlines problems with the current approach, where applications often get errors when no SA exists. The proposed solution is to have connect(), sendmsg(), and other calls return status to indicate resolution is in progress, and queue or retry packets as needed. Ongoing work includes handling all use cases and determining the full scope of the problem to address. Key challenges include different needs for opportunistic encryption versus large scale deployments.