
Re: revised IPsec processing model: Q: VID and forwarding function



At 12:30 -0400 7/19/03, Bill Sommerfeld wrote:
>>  This one is an editorial question: I wonder about a particular phrase
>>  in the paragraph which begins "- virtual interface:" There is a clause
>>  which says "or one virtual interface may map to multiple virtual
>>  interfaces.". I suppose from the intended parallelism of the sentence
>>  that it perhaps should have read "or one virtual interface may map to
>>  multiple physical interfaces."
>
>That was my read of the sentence as well (actually I didn't even
>notice the word substitution).  The case of single-vif to multiple
>physical interfaces is interesting for simplifying management (i.e.,
>when all interfaces really are connected to "the same" net, or
>when you have the traditional "red" vs "black" trusted vs untrusted
>net but multiple links to one or both are present for any number of
>reasons).

Your text is an accurate reflection of the sort of notions that 
motivated the virtual/physical interface mapping I mentioned.

>
>Note also that in the case of layer-2 multiplexing (vlans, atm virtual
>circuits, etc.,), one layer's virtual interface is the next layer's
>physical interface.
>
>Perhaps we should use a term like "policy enforcement point" rather
>than "virtual interface"?

I am not absolutely wedded to the term "virtual interface" but it is 
primarily a routing construct and so I hesitate to use the term you 
mention above.  I fear that "policy" is too generic a term these days 
to be a useful modifier anymore.

Steve