Policy doc fails to describe vhost abstraction properly

Section 7. Security misses an important point when describing policy and how policy is effected by vhost settings: Access policy is applied at the point of ingress to a router network. Once that access is granted then all named resources anywhere in the network are accessible.

Access restrictions are specified in a policy vhost object. The vhost contains the restrictions that get applied to a connection when the connection is established. Reading the doc it sounds as if there are vhost objects that may contain addresses somewhere in the router. That conceptual model is the issue in the doc that needs to be fixed.

7.2.3.4 Methods for Specifying Vhost Policy Source and Target Addresses is a good example. In the table the first item is titled Allow all users in the user group to access all source or target addresses on the vhost . In reality the addresses are not on the vhost _but are _in the router network.

Throughout the document the text "on a vhost" could be changed to "through a vhost" or "specified by a vhost".