You have more experience with this. Can you really think of an instance in which one would really want to simply repackage each host pair SAID rather than encrypting the whole link under a single policy, which would seem to leak less data? Is it something that would actually be desirable? Perry