
Re: revised IPsec processing model: Q: VID and forwarding function



> 	This one is an editorial question: I wonder about a particular phrase 
> in the paragraph which begins "- virtual interface:" There is a clause 
> which says "or one virtual interface may map to multiple virtual 
> interfaces.". I suppose from the intended parallelism of the sentence 
> that it perhaps should have read "or one virtual interface may map to 
> multiple physical interfaces."

That was my read of the sentence as well (actually I didn't even
notice the word substitution).  The case of single-vif to multiple
physical interfaces is interesting for simplifying management (i.e.,
when all interfaces really are connected to "the same" net, or
when you have the traditional "red" vs "black" trusted vs untrusted
net but multiple links to one or both are present for any number of
reasons).

Note also that in the case of layer-2 multiplexing (VLANs, ATM virtual
circuits, etc.), one layer's virtual interface is the next layer's
physical interface.

Perhaps we should use a term like "policy enforcement point" rather
than "virtual interface"?

					- Bill