next up previous
Next: 2.2 Ways to make Up: 2 KLIPS 2 design Previous: 2 KLIPS 2 design

2.1 Presence of virtual interfaces

It is desirable to have a virtual interface for IPsec tunnels. The link status of the interface would reflect whether or not the tunnel has an active phase 2 SA. This can be used by active routing systems to determine if the connection is up. If not, then an alternate route to that destination can be used.

With IPsec as a virtual device, selecting traffic to go into it becomes a simple routing decision, identical to all other routing decisions that are made on the system.

One other advantage of using the routing system directly is that the virtual interface can be assigned an IP address, and TCP will automatically select the right end-point address. This is particularly important for end-systems (e.g. road warriors).

The downside of having a tunnel appear as a virtual interface is one of scaling: if it is required that every tunnel show up as a separate virtual interface, then there are severe system impacts once the number of interfaces reaches more than several dozen. Note that the VLAN and IP alias features face the identical scaling questions. A system-wide solution to this may ensue.

There are therefore three alternatives:

The current KLIPS1 code uses option 1.

The NRL code used option 2.

KAME uses option 1.

Michael Richardson
2001-08-01