The MAST device provide a mooring point for routing protocols and firewall policies. The MAST device represents one or more IPsec tunnels.
Packets routed to a MAST device will get encrypted with a default SA. A different SA may be specified using NetFilter (aka ipchains, aka iptables) rules.
Packets that are received via one of the SAs associated with this device will be marked as having been received on a MAST device.
The link status of a MAST device reflects the keying status of all underlying SAs. If at least one SA is keyed, then the MAST device will be up. If no SA that is associated has valid keys, or if no SAs that are associated with the device, then the device will be marked down.
This is provided in part to satisfy requirement 21 (see 4.21) and requirement 5 (see 4.5).