The nicest thing about routable interfaces (vs. what FreeSWAN and many other
IPsecs use now) is that they make the choice of outgoing IP address (the one
inside the tunnel) behave like all other multihoming.
I think the same criteria apply to VLAN interfaces as well.
My hunch is that having a dozen VLAN/IPsec interfaces on a box may be
rather reasonable. Having 4000 of them is a pretty rare situation that can
be dealt with via expansion of the hash table at compile time.
--
Michael Richardson, Solidum Systems
mcr@xxxxxxxxxxx  www.solidum.com
"gigabit is no problem with PAX.port 1100"
Train travel features AC outlets with no take-off restrictions
Oh where, oh where has the little fishy gone?
panic("Just another NetBSD/notebook using, kernel hacking, security guy");
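The point above, that with routable tunnel interfaces the inner source address falls out of an ordinary route lookup rather than out of IPsec-specific policy, as an added example that is not part of the original message and is not code from NetBSD, FreeSWAN or Solidum. The routing table, the interface names (vlan10, vlan20, ipsec0, ipsec1, eth0) and the addresses are all constructed for illustration; the lookup is a plain longest-prefix match and the "source address" is simply the address configured on whichever interface the route selects, which is exactly the multihoming behaviour the message describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed routing table: plain VLAN interfaces and routable IPsec
 * tunnel interfaces sit side by side, each carrying its own source
 * address (for the tunnel interfaces, the address used inside the tunnel).
 * None of these names or addresses come from a real configuration. */
#define IPV4(a, b, c, d) \
    ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

struct route {
    uint32_t    dst;     /* network address, host byte order */
    int         plen;    /* prefix length, 0..32 */
    const char *ifname;  /* outgoing interface (hypothetical names) */
    uint32_t    src;     /* address configured on that interface */
};

static const struct route rtable[] = {
    { IPV4(10, 1, 0, 0),    16, "vlan10", IPV4(10, 1, 0, 1) },
    { IPV4(10, 2, 0, 0),    16, "vlan20", IPV4(10, 2, 0, 1) },
    { IPV4(192, 168, 0, 0), 16, "ipsec0", IPV4(192, 168, 1, 1) },
    { IPV4(192, 168, 7, 0), 24, "ipsec1", IPV4(192, 168, 7, 1) },
    { IPV4(0, 0, 0, 0),      0, "eth0",   IPV4(203, 0, 113, 5) },
};
#define NROUTES (sizeof rtable / sizeof rtable[0])

static uint32_t prefix_mask(int plen)
{
    return plen == 0 ? 0 : (uint32_t)~0u << (32 - plen);
}

/* Longest-prefix match over the table; NULL if nothing matches. */
const struct route *route_lookup(uint32_t dst)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < NROUTES; i++) {
        const struct route *r = &rtable[i];
        uint32_t m = prefix_mask(r->plen);
        if ((dst & m) != (r->dst & m))
            continue;
        if (best == NULL || r->plen > best->plen)
            best = r;
    }
    return best;
}

/* Source selection is a side effect of the route lookup: a packet to a
 * tunnelled destination gets the tunnel interface's inner address, in the
 * same way a packet leaving via vlan10 gets vlan10's address. */
uint32_t select_source(uint32_t dst)
{
    const struct route *r = route_lookup(dst);
    return r ? r->src : 0;
}

const char *select_ifname(uint32_t dst)
{
    const struct route *r = route_lookup(dst);
    return r ? r->ifname : "(none)";
}

static void fmt(uint32_t a, char *buf, size_t n)
{
    snprintf(buf, n, "%u.%u.%u.%u",
             a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
}

int main(void)
{
    const uint32_t dsts[] = { IPV4(10, 1, 5, 5), IPV4(192, 168, 3, 4),
                              IPV4(192, 168, 7, 9), IPV4(8, 8, 8, 8) };
    for (size_t i = 0; i < sizeof dsts / sizeof dsts[0]; i++) {
        char d[16], s[16];
        fmt(dsts[i], d, sizeof d);
        fmt(select_source(dsts[i]), s, sizeof s);
        printf("%-15s -> %-7s src %s\n", d, select_ifname(dsts[i]), s);
    }
    return 0;
}
```

Note that 192.168.7.9 is covered by both the ipsec0 /16 and the ipsec1 /24; the more specific tunnel wins and the packet leaves with 192.168.7.1 as its inner source, with no IPsec-specific rule consulted to decide that.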