Stephen Kent wrote: > RFC 2401 is reasonably clear in noting that the SPD is nominally per > interface. What sort of management interface is provided to a client is > up to the vendor, so long as one can achieve the same effects as a > per-interface SPD. Otherwise, the implementation would not be compliant. As a side note, I misunderstood this for a long time to mean "SPD per PHYSICAL interface", which is not sufficient (because of ambiguities via multiple matching tunnel-mode SAs in the same per-physical-interface SPD). When viewing tunnel mode SAs as virtual interfaces in their own right that have separate SPDs associated with them, these problems dissapear. Maybe that's part of the confusion around tunnel mode... Lars -- Lars Eggert <larse@isi.edu> Information Sciences Institute http://www.isi.edu/larse/ University of Southern California
S/MIME Cryptographic Signature