Tunnel interface for securing traffic over a network

US2016142384A1 · US · A1

Patent metadata
Publication number: US-2016142384-A1
Application number: US-201615008270-A
Country: US
Kind code: A1
Filing date: Jan 27, 2016
Priority date: Sep 13, 2000
Publication date: May 19, 2016
Grant date: none listed

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the service provider, to establish an Internet Protocol (IP) connection between a first and second location of a first subscriber of the managed security service provider. Responsive to the request, the SMS causes a tunnel to be established between a first and second service processing switch of the service provider which are coupled in communication via a public network and associated with the first location and the second location, respectively.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: instantiating, within each of a plurality of service processing switches of a service provider, a plurality of virtual routers (VRs), wherein each VR of the plurality of VRs is supported by an object group and each object of the object group supports a network service; assigning one or more VRs of the plurality of VRs to a subscriber of a plurality of subscribers of the service provider; receiving, by a service management system (SMS) of the service provider, a request to establish an Internet Protocol (IP) connection between a first location of the subscriber and a second location of the subscriber; and establishing a tunnel between a first service processing switch of the plurality of service processing switches and a second service processing switch of the plurality of service processing switches coupled in communication with the first service processing switch through a public network, including: binding an encryption configuration decision associated with the request with a routing configuration of a first packet routing node of the first service processing switch, by, when the request is to establish a secure IP connection, configuring, the first packet routing node (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network; and binding the encryption configuration decision with a routing configuration of a second packet routing node of the second service processing switch, by, when the request is to establish a secure IP connection, configuring, the second packet routing node (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network.

2. The method of claim 1, wherein the object group includes a routing object, a packet filtering object, a firewall object and a network address translation (NAT) object.

3. The method of claim 1, wherein each VR of the plurality of VRs comprises a separate instantiation.

4. The method of claim 1, wherein the SMS is operable to perform services including one or more of: configuration of hardware of the service processing switch, definition of subscribers, determination of network services and generation of Internet Protocol security (IPSec) public/private key pairs.

5. The method of claim 1, further comprising providing customized network services to the subscriber by the one or more VRs assigned to the subscriber, wherein the customized network services can be enabled or disabled on a subscriber-by-subscriber basis by adding one or more objects to or omitting the one or more objects from the object group.

6. The method of claim 1, further comprising: assigning a unique processor identifier (PEID) to each of a plurality of processors of the service processing switch; assigning a logical queue identifier (LQID) to each object of an object group of a VR of the plurality of VRs; receiving, by the service processing switch, a packet that includes a PEID value and an LQID value; directing the received packet to a processor of the plurality of processors to which the PEID value has been assigned; and further directing the received packet within the processor to an object of the object group to which the LQID value has been assigned.

9. The method of claim 1, wherein the tunnel is formed using a first virtual encrypting router running in the first service processing switch coupled to a first virtual decrypting router running in the second service processing switch and a second virtual encrypting router running in the second service processing switch coupled to a second virtual decrypting router running in the first service processing switch.

10. A system operable by a service provider, the system comprising: a service management system (SMS) configured to operate within a service provider network; a plurality of virtual routers (VRs) instantiated within a plurality of service processing switches within the service provider network, wherein each VR of the plurality of VRs is supported by an object group and each object of the object group supports a network service; wherein the SMS is further configured to: assign one or more of the plurality of VRs to a subscriber of a plurality of subscribers of the service provider; receive a request to establish an Internet Protocol (IP) connection between a first location of the subscriber and a second location of the subscriber; establish a tunnel between a first service processing switch of the plurality of service processing switches and a second service processing switch of the plurality of service processing switches coupled in communication with the first service processing switch through a public network; bind an encryption configuration decision associated with the request with a routing configuration of a first packet routing node of the first service processing switch, by, when the request is to establish a secure IP connection, configuring, the first packet routing node (i) to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the second location to be decrypted after transmission through the public network; and bind the encryption configuration decision with a routing configuration of a second packet routing node of the second service processing switch, by, when the request is to establish a secure IP connection, configuring, the second packet routing node (i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the first location to be decrypted after transmission through the public network.

11. The system of claim 10, wherein the object group includes a routing object, a packet filtering object, a firewall object and a network address translation (NAT) object.

12. The system of claim 10, wherein each VR of the plurality of VRs comprises a separate instantiation.

13. The system of claim 10, wherein the SMS further provides one or more of: configuration of hardware, defining subscribers, determining services, and generation of IP security (IPSec) public/private key pairs.

14. The system of claim 10, wherein the SMS further provides customized network services to a subscriber of the service provider network, wherein the customized network services can be enabled or disabled on a subscriber-by-subscriber basis by adding one or more objects to or omitting the one or more objects from the object group.

15. The system of claim 10, wherein the SMS is further configured to: assign a unique processor identifier (PEID) to each of a plurality of processors within the plurality of service processing switches; assign a logical queue identifier (LQID) to each object of an object group of a VR of the plurality of VRs; direct the received packet to a processor of the plurality of processors to which the PEID value has been assigned; and further direct the received packet within the processor to an object of the object group to which the LQID value has been assigned.

18. The system of claim 10, wherein the first packet routing node comprises a first virtual encrypting
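The abstract and claims 1, 2, 5 and 6 describe an architecture rather than code, so the following is an added model of that flow, written for this page and not taken from the patent or from Fortinet: an SMS that assigns per-subscriber virtual routers on two service processing switches, binds one encryption decision to the packet routing node on each side so that every packet crossing the modelled public network is encrypted and every packet from the peer is decrypted (claim 1), and a PEID/LQID dispatcher (claim 6). The switch, subscriber and object names, the `keystream_xor` stand-in for the IPsec security association, and the sample payloads are all constructed assumptions; the XOR keystream is not ESP and provides no integrity protection.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_loc: str
    dst_loc: str
    payload: bytes
    seq: int = 0             # per-tunnel sequence number, used as the keystream nonce
    encrypted: bool = False
    peid: int = 0            # processor identifier (claim 6)
    lqid: int = 0            # logical queue identifier: which object of the VR handles it (claim 6)


def keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    """Stand-in for the IPsec SA the SMS provisions (claim 4): SHA-256 counter keystream XOR.
    It keeps the example dependency-free but is NOT ESP and carries no integrity check."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + seq.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))   # XOR is its own inverse


@dataclass
class RoutingObject:
    """Packet routing node of a VR. The encryption decision is bound to the routing step (claim 1),
    so there is no forwarding path toward the peer that skips the cipher."""
    local_loc: str
    remote_loc: str = ""
    key: Optional[bytes] = None   # None: the request was for a non-secure IP connection

    def egress(self, pkt: Packet) -> Packet:
        if self.key is None:
            return pkt
        return Packet(pkt.src_loc, pkt.dst_loc, keystream_xor(self.key, pkt.seq, pkt.payload), pkt.seq, True)

    def ingress(self, pkt: Packet) -> Packet:
        if self.key is None:
            return pkt
        if not pkt.encrypted:   # claim 1 (ii): ALL packets from the peer are decrypted, so plaintext is a fault
            raise ValueError("secure tunnel bound but plaintext arrived from the peer")
        return Packet(pkt.src_loc, pkt.dst_loc, keystream_xor(self.key, pkt.seq, pkt.payload), pkt.seq, False)


@dataclass
class VirtualRouter:
    subscriber: str
    routing: RoutingObject
    object_group: dict   # LQID -> object name; add or omit objects per subscriber (claims 2, 5)


class ServiceProcessingSwitch:
    def __init__(self, location: str, peids: list) -> None:
        self.location, self.vrs = location, {}               # vrs: subscriber -> VirtualRouter
        self.processors = {peid: set() for peid in peids}    # PEID -> subscribers hosted there

    def instantiate_vr(self, subscriber: str, peid: int, objects: list) -> VirtualRouter:
        group = {lqid: name for lqid, name in enumerate(objects, start=1)}
        self.vrs[subscriber] = VirtualRouter(subscriber, RoutingObject(self.location), group)
        self.processors[peid].add(subscriber)
        return self.vrs[subscriber]

    def dispatch(self, subscriber: str, pkt: Packet):
        """Claim 6: PEID selects the processor, then LQID selects the object inside that VR."""
        if subscriber not in self.processors.get(pkt.peid, ()):
            raise LookupError(f"processor {pkt.peid} does not host {subscriber}")
        return pkt.peid, self.vrs[subscriber].object_group[pkt.lqid]


class Tunnel:
    def __init__(self, node_a: RoutingObject, node_b: RoutingObject) -> None:
        self.nodes = {node_a.local_loc: node_a, node_b.local_loc: node_b}
        self.observed, self.seq = [], 0   # observed: payload bytes as seen on the public network

    def send(self, src: str, dst: str, payload: bytes) -> bytes:
        self.seq += 1
        wire = self.nodes[src].egress(Packet(src, dst, payload, self.seq))
        self.observed.append(wire.payload)
        return self.nodes[dst].ingress(wire).payload   # what the far location actually receives


class ServiceManagementSystem:
    def __init__(self, switches: list) -> None:
        self.switches = {sw.location: sw for sw in switches}

    def request_connection(self, subscriber: str, loc_a: str, loc_b: str, secure: bool) -> Tunnel:
        key = os.urandom(32) if secure else None   # tunnel key material generated by the SMS (claim 4)
        node_a = self.switches[loc_a].vrs[subscriber].routing
        node_b = self.switches[loc_b].vrs[subscriber].routing
        node_a.remote_loc, node_a.key = loc_b, key   # bind one decision to both packet routing
        node_b.remote_loc, node_b.key = loc_a, key   # nodes, one per direction (claim 1)
        return Tunnel(node_a, node_b)


def demo(secure: bool):
    """Provision subscriber 'acme' on two switches, push one packet each way, dispatch one by PEID/LQID."""
    hq, branch = ServiceProcessingSwitch("hq", [1, 2]), ServiceProcessingSwitch("branch", [1])
    for sw in (hq, branch):   # claim 2 object group; omitting "nat" would disable NAT for 'acme' (claim 5)
        sw.instantiate_vr("acme", 1, ["routing", "packet_filter", "firewall", "nat"])
    tunnel = ServiceManagementSystem([hq, branch]).request_connection("acme", "hq", "branch", secure)
    to_branch = tunnel.send("hq", "branch", b"payroll export")
    to_hq = tunnel.send("branch", "hq", b"ack")
    owner = hq.dispatch("acme", Packet("hq", "branch", b"", peid=1, lqid=3))
    return to_branch, to_hq, tunnel.observed, owner
```

Running `demo(True)` returns the two plaintext payloads at the far ends while `tunnel.observed` holds only ciphertext; `demo(False)` shows the same routing path with the plaintext visible on the public network, which is the difference the "secure IP connection" branch of claim 1 is meant to make. The check in `ingress` is the practitioner's caveat: because the claim binds decryption to the routing node unconditionally, a plaintext packet arriving on a secure tunnel should be treated as a fault rather than forwarded.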

Assignees

Fortinet Inc

Inventors

Classifications

  • Firewall traversal, e.g. tunnelling or creating pinholes · CPC title

  • Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements · CPC title

  • Architectural arrangements, e.g. perimeter networks or demilitarized zones · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • Routing performance; Theoretical aspects · CPC title

Patent family

Related publications grouped by family.

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016142384A1 cover?
Methods and systems for a flexible, scalable hardware and software platform that allows a managed security service provider to easily provide security services to multiple customers are provided. According to one embodiment, a method is provided for delivering customized network services to subscribers of the service provider. A request is received, at a service management system (SMS) of the s…
Who is the assignee on this patent?
Fortinet Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0209. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 19, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).