The Security Architecture document (if we ever manage to get it out) specifically requires that per-user SAs be supported when IPSEC is implemented within a system at a point where individual user identities are available. This excludes the requirement to provide this fine granularity keying in gateways or firewalls, in BITW devices, and leaves BITS in a gray area.

Steve