Remove doc folder, out of date

tidy
Update config comments
2025-08-27 06:00:20 +00:00 · 2021-06-19 18:02:38 +01:00 · 2021-06-19 11:56:03 -05:00 · 2021-06-19 17:51:11 +01:00 · 2021-06-19 10:42:38 -05:00 · 2021-06-19 09:53:11 -05:00
119 changed files with 6865 additions and 11464 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,11 +1,170 @@
 # Golang CircleCI 2.0 configuration file
 #
 # Check https://circleci.com/docs/2.0/language-go/ for more details
-version: 2
+version: 2.1
 jobs:
-  build:
+  lint:
    docker:
-      - image: circleci/golang:1.11
+      - image: circleci/golang:1.16
+
+    steps:
+      - checkout
+
+      - run:
+          name: Run golangci-lint
+          command: |
+              go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.31.0
+              golangci-lint run
+
+      - run:
+          name: Run Go tests
+          command: |
+              go test ./...
+
+  build-linux:
+    docker:
+      - image: circleci/golang:1.16
+
+    steps:
+      - checkout
+
+      - run:
+          name: Create artifact upload directory and set variables
+          command: |
+              mkdir /tmp/upload
+              echo 'export CINAME=$(sh contrib/semver/name.sh)' >> $BASH_ENV
+              echo 'export CIVERSION=$(sh contrib/semver/version.sh --bare)' >> $BASH_ENV
+              echo 'export CIVERSIONRPM=$(sh contrib/semver/version.sh --bare | tr "-" ".")' >> $BASH_ENV
+              echo 'export CIBRANCH=$(echo $CIRCLE_BRANCH | tr -d "/")' >> $BASH_ENV
+              case "$CINAME" in \
+                "yggdrasil") (echo 'export CICONFLICTS=yggdrasil-develop' >> $BASH_ENV) ;; \
+                "yggdrasil-develop") (echo 'export CICONFLICTS=yggdrasil' >> $BASH_ENV) ;; \
+                *) (echo 'export CICONFLICTS="yggdrasil yggdrasil-develop"' >> $BASH_ENV) ;; \
+              esac
+              git config --global user.email "$(git log --format='%ae' HEAD -1)";
+              git config --global user.name "$(git log --format='%an' HEAD -1)";
+
+      - run:
+          name: Install RPM utilities
+          command: |
+              sudo apt-get update
+              sudo apt-get install -y rpm file
+              mkdir -p ~/rpmbuild/BUILD ~/rpmbuild/RPMS ~/rpmbuild/SOURCES ~/rpmbuild/SPECS ~/rpmbuild/SRPMS
+
+      - run:
+          name: Test debug builds
+          command: |
+              ./build -d
+              test -f yggdrasil && test -f yggdrasilctl
+
+      - run:
+          name: Build for Linux (including Debian packages)
+          command: |
+              rm -f {yggdrasil,yggdrasilctl}
+              PKGARCH=amd64 sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-amd64 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-amd64;
+              PKGARCH=i386 sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-i386 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-i386;
+              PKGARCH=mipsel sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-mipsel && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-mipsel;
+              PKGARCH=mips sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-mips && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-mips;
+              PKGARCH=armhf sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-armhf && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-armhf;
+              PKGARCH=armel sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-armel && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-armel;
+              PKGARCH=arm64 sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-arm64 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-arm64;
+              mv *.deb /tmp/upload/
+
+      - run:
+          name: Build for Linux (RPM packages)
+          command: |
+              git clone https://github.com/yggdrasil-network/yggdrasil-package-rpm ~/rpmbuild/SPECS
+              cd ../ && tar -czvf ~/rpmbuild/SOURCES/v$CIVERSIONRPM --transform "s/project/yggdrasil-go-$CIBRANCH-$CIVERSIONRPM/" project
+              sed -i "s/yggdrasil-go/yggdrasil-go-$CIBRANCH/" ~/rpmbuild/SPECS/yggdrasil.spec
+              sed -i "s/^PKGNAME=yggdrasil/PKGNAME=yggdrasil-$CIBRANCH/" ~/rpmbuild/SPECS/yggdrasil.spec
+              sed -i "s/^Name\:.*/Name\:           $CINAME/" ~/rpmbuild/SPECS/yggdrasil.spec
+              sed -i "s/^Version\:.*/Version\:        $CIVERSIONRPM/" ~/rpmbuild/SPECS/yggdrasil.spec
+              sed -i "s/^Conflicts\:.*/Conflicts\:      $CICONFLICTS/" ~/rpmbuild/SPECS/yggdrasil.spec
+              cat ~/rpmbuild/SPECS/yggdrasil.spec
+              GOARCH=amd64 rpmbuild -v --nodeps --target=x86_64 -ba ~/rpmbuild/SPECS/yggdrasil.spec
+              #GOARCH=386 rpmbuild -v --nodeps --target=i386 -bb ~/rpmbuild/SPECS/yggdrasil.spec
+              find ~/rpmbuild/RPMS/ -name '*.rpm' -exec mv {} /tmp/upload \;
+              find ~/rpmbuild/SRPMS/ -name '*.rpm' -exec mv {} /tmp/upload \;
+
+      - run:
+          name: Build for EdgeRouter and VyOS
+          command: |
+              rm -f {yggdrasil,yggdrasilctl}
+              git clone https://github.com/neilalexander/vyatta-yggdrasil /tmp/vyatta-yggdrasil;
+              cd /tmp/vyatta-yggdrasil;
+              BUILDDIR_YGG=$CIRCLE_WORKING_DIRECTORY ./build-edgerouter-x $CIRCLE_BRANCH;
+              BUILDDIR_YGG=$CIRCLE_WORKING_DIRECTORY ./build-edgerouter-lite $CIRCLE_BRANCH;
+              BUILDDIR_YGG=$CIRCLE_WORKING_DIRECTORY ./build-vyos-i386 $CIRCLE_BRANCH
+              BUILDDIR_YGG=$CIRCLE_WORKING_DIRECTORY ./build-vyos-amd64 $CIRCLE_BRANCH
+              mv *.deb /tmp/upload;
+
+      - persist_to_workspace:
+          root: /tmp
+          paths:
+            - upload
+
+  build-macos:
+    macos:
+      xcode: "10.0.0"
+
+    working_directory: ~/go/src/github.com/yggdrasil-network/yggdrasil-go
+
+    steps:
+      - checkout
+
+      - run:
+          name: Create artifact upload directory and set variables
+          command: |
+              mkdir /tmp/upload
+              echo 'export CINAME=$(sh contrib/semver/name.sh)' >> $BASH_ENV
+              echo 'export CIVERSION=$(sh contrib/semver/version.sh --bare)' >> $BASH_ENV
+              echo 'export PATH=$PATH:/usr/local/go/bin:~/go/bin' >> $BASH_ENV
+              git config --global user.email "$(git log --format='%ae' HEAD -1)";
+              git config --global user.name "$(git log --format='%an' HEAD -1)";
+              echo -e "Host *\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
+
+      - run:
+          name: Install Go 1.16
+          command: |
+              cd /tmp
+              curl -LO https://dl.google.com/go/go1.16.darwin-amd64.pkg
+              sudo installer -pkg /tmp/go1.16.darwin-amd64.pkg -target /
+
+      #- run:
+      #    name: Install Gomobile
+      #    command: |
+      #        GO111MODULE=off go get golang.org/x/mobile/cmd/gomobile
+      #        gomobile init
+
+      - run:
+          name: Build for macOS
+          command: |
+              GO111MODULE=on GOOS=darwin GOARCH=amd64 ./build
+              cp yggdrasil /tmp/upload/$CINAME-$CIVERSION-darwin-amd64
+              cp yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-darwin-amd64;
+
+      - run:
+          name: Build for macOS (.pkg format)
+          command: |
+              PKGARCH=amd64 sh contrib/macos/create-pkg.sh
+              mv *.pkg /tmp/upload/
+
+      #- run:
+      #    name: Build framework for iOS (.framework format)
+      #    command: |
+      #        sudo GO111MODULE=off go get -v github.com/yggdrasil-network/yggdrasil-go/cmd/...
+      #        sudo GO111MODULE=off go get -v github.com/yggdrasil-network/yggdrasil-go/src/...
+      #        GO111MODULE=off ./build -i
+      #        mv *.framework /tmp/upload
+
+      - persist_to_workspace:
+          root: /tmp
+          paths:
+            - upload
+
+  build-other:
+    docker:
+      - image: circleci/golang:1.16

    steps:
      - checkout
@@ -19,44 +178,6 @@ jobs:
              git config --global user.email "$(git log --format='%ae' HEAD -1)";
              git config --global user.name "$(git log --format='%an' HEAD -1)";

-      - run:
-          name: Install alien
-          command: |
-              sudo apt-get install -y alien
-
-      - run:
-          name: Test debug builds
-          command: |
-              ./build -d
-              test -f yggdrasil && test -f yggdrasilctl
-
-      - run:
-          name: Build for Linux (including Debian packages and RPMs)
-          command: |
-              rm -f {yggdrasil,yggdrasilctl}
-              PKGARCH=amd64 sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-amd64 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-amd64;
-              PKGARCH=i386 sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-i386 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-i386;
-              PKGARCH=mipsel sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-mipsel && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-mipsel;
-              PKGARCH=mips sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-mips && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-mips;
-              PKGARCH=armhf sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-armhf && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-armhf;
-              PKGARCH=arm64 sh contrib/deb/generate.sh && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-linux-arm64 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-linux-arm64;
-              sudo alien --to-rpm yggdrasil*.deb --scripts --keep-version && mv *.rpm /tmp/upload/;
-              mv *.deb /tmp/upload/
-
-      - run:
-          name: Build for macOS
-          command: |
-              rm -f {yggdrasil,yggdrasilctl}
-              GOOS=darwin GOARCH=amd64 ./build && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-darwin-amd64 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-darwin-amd64;
-              GOOS=darwin GOARCH=386 ./build && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-darwin-i386 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-darwin-i386;
-
-      - run:
-          name: Build for macOS (.pkg format)
-          command: |
-              rm -rf {yggdrasil,yggdrasilctl}
-              GOOS=darwin GOARCH=amd64 ./build && PKGARCH=amd64 sh contrib/macos/create-pkg.sh && mv *.pkg /tmp/upload/
-              GOOS=darwin GOARCH=386 ./build && PKGARCH=i386 sh contrib/macos/create-pkg.sh && mv *.pkg /tmp/upload/
-
      - run:
          name: Build for OpenBSD
          command: |
@@ -71,13 +192,6 @@ jobs:
              GOOS=freebsd GOARCH=amd64 ./build && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-freebsd-amd64 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-freebsd-amd64;
              GOOS=freebsd GOARCH=386 ./build && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-freebsd-i386 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-freebsd-i386;

-      - run:
-          name: Build for NetBSD
-          command: |
-              rm -f {yggdrasil,yggdrasilctl}
-              GOOS=netbsd GOARCH=amd64 ./build && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-netbsd-amd64 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-netbsd-amd64;
-              GOOS=netbsd GOARCH=386 ./build && mv yggdrasil /tmp/upload/$CINAME-$CIVERSION-netbsd-i386 && mv yggdrasilctl /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-netbsd-i386;
-
      - run:
          name: Build for Windows
          command: |
@@ -85,26 +199,32 @@ jobs:
              GOOS=windows GOARCH=amd64 ./build && mv yggdrasil.exe /tmp/upload/$CINAME-$CIVERSION-windows-amd64.exe && mv yggdrasilctl.exe /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-windows-amd64.exe;
              GOOS=windows GOARCH=386 ./build && mv yggdrasil.exe /tmp/upload/$CINAME-$CIVERSION-windows-i386.exe && mv yggdrasilctl.exe /tmp/upload/$CINAME-$CIVERSION-yggdrasilctl-windows-i386.exe;

-      - run:
-          name: Build for EdgeRouter
-          command: |
-              rm -f {yggdrasil,yggdrasilctl}
-              git clone https://github.com/neilalexander/vyatta-yggdrasil /tmp/vyatta-yggdrasil;
-              cd /tmp/vyatta-yggdrasil;
-              BUILDDIR_YGG=$CIRCLE_WORKING_DIRECTORY ./build-edgerouter-x $CIRCLE_BRANCH;
-              BUILDDIR_YGG=$CIRCLE_WORKING_DIRECTORY ./build-edgerouter-lite $CIRCLE_BRANCH;
-              mv *.deb /tmp/upload;
+      - persist_to_workspace:
+          root: /tmp
+          paths:
+            - upload
+
+  upload:
+    machine: true
+
+    steps:
+      - attach_workspace:
+          at: /tmp

      - store_artifacts:
          path: /tmp/upload
          destination: /

-      - run:
-          name: Create tags (master branch only)
-          command: >
-              if [ "${CIRCLE_BRANCH}" == "master" ]; then
-                git tag -f -a $(sh contrib/semver/version.sh) -m "Created by CircleCI" && git push -f --tags;
-              else
-                echo "Only runs for master branch (this is ${CIRCLE_BRANCH})";
-              fi;
-          when: on_success
+workflows:
+  version: 2.1
+  build:
+    jobs:
+      - lint
+      - build-linux
+      - build-macos
+      - build-other
+      - upload:
+          requires:
+            - build-linux
+            - build-macos
+            - build-other
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,10 @@
+run:
+  build-tags:
+    - lint
+  issues-exit-code: 0 # TODO: change this to 1 when we want it to fail builds
+  skip-dirs:
+    - contrib/
+    - misc/
+linters:
+  disable:
+    - gocyclo
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,6 +25,319 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - in case of vulnerabilities.
 -->

+## [0.3.16] - 2021-03-18
+### Added
+- New simulation code under `cmd/yggdrasilsim` (work-in-progress)
+
+### Changed
+- Multi-threading in the switch
+  - Swich lookups happen independently for each (incoming) peer connection, instead of being funneled to a single dedicated switch worker
+  - Packets are queued for each (outgoing) peer connection, instead of being handled by a single dedicated switch worker
+- Queue logic rewritten
+  - Heap structure per peer that traffic is routed to, with one FIFO queue per traffic flow
+  - The total size of each heap is configured automatically (we basically queue packets until we think we're blocked on a socket write)
+  - When adding to a full heap, the oldest packet from the largest queue is dropped
+  - Packets are popped from the queue in FIFO order (oldest packet from among all queues in the heap) to prevent packet reordering at the session level
+- Removed global `sync.Pool` of `[]byte`
+  - Local `sync.Pool`s are used in the hot loops, but not exported, to avoid memory corruption if libraries are reused by other projects
+  - This may increase allocations (and slightly reduce speed in CPU-bound benchmarks) when interacting with the tun/tap device, but traffic forwarded at the switch layer should be unaffected
+- Upgrade dependencies
+- Upgrade build to Go 1.16
+
+### Fixed
+- Fixed a bug where the connection listener could exit prematurely due to resoruce exhaustion (if e.g. too many connections were opened)
+- Fixed DefaultIfName for OpenBSD (`/dev/tun0` -> `tun0`)
+- Fixed an issue where a peer could sometimes never be added to the switch
+- Fixed a goroutine leak that could occur if a peer with an open connection continued to spam additional connection attempts
+
+## [0.3.15] - 2020-09-27
+### Added
+- Support for pinning remote public keys in peering strings has been added, e.g.
+  - By signing public key: `tcp://host:port?ed25519=key`
+  - By encryption public key: `tcp://host:port?curve25519=key`
+  - By both: `tcp://host:port?ed25519=key&curve25519=key`
+  - By multiple, in case of DNS round-robin or similar: `tcp://host:port?curve25519=key&curve25519=key&ed25519=key&ed25519=key`
+- Some checks to prevent Yggdrasil-over-Yggdrasil peerings have been added
+- Added support for SOCKS proxy authentication, e.g. `socks://user@password:host/...`
+
+### Fixed
+- Some bugs in the multicast code that could cause unnecessary CPU usage have been fixed
+- A possible multicast deadlock on macOS when enumerating interfaces has been fixed
+- A deadlock in the connection code has been fixed
+- Updated HJSON dependency that caused some build problems
+
+### Changed
+- `DisconnectPeer` and `RemovePeer` have been separated and implemented properly now
+- Less nodes are stored in the DHT now, reducing ambient network traffic and possible instability
+- Default config file for FreeBSD is now at `/usr/local/etc/yggdrasil.conf` instead of `/etc/yggdrasil.conf`
+
+## [0.3.14] - 2020-03-28
+### Fixed
+- Fixes a memory leak that may occur if packets are incorrectly never removed from a switch queue
+
+### Changed
+- Make DHT searches a bit more reliable by tracking the 16 most recently visited nodes
+
+## [0.3.13] - 2020-02-21
+### Added
+- Support for the Wireguard TUN driver, which now replaces Water and provides far better support and performance on Windows
+- Windows `.msi` installer files are now supported (bundling the Wireguard TUN driver)
+- NodeInfo code is now actorised, should be more reliable
+- The DHT now tries to store the two closest nodes in either direction instead of one, such that if a node goes offline, the replacement is already known
+- The Yggdrasil API now supports dialing a remote node using the public key instead of the Node ID
+
+### Changed
+- The `-loglevel` command line parameter is now cumulative and automatically includes all levels below the one specified
+- DHT search code has been significantly simplified and processes rumoured nodes in parallel, speeding up search time
+- DHT search results are now sorted
+- The systemd service now handles configuration generation in a different unit
+- The Yggdrasil API now returns public keys instead of node IDs when querying for local and remote addresses
+
+### Fixed
+- The multicast code no longer panics when shutting down the node
+- A potential OOB error when calculating IPv4 flow labels (when tunnel routing is enabled) has been fixed
+- A bug resulting in incorrect idle notifications in the switch should now be fixed
+- MTUs are now using a common datatype throughout the codebase
+
+### Removed
+- TAP mode has been removed entirely, since it is no longer supported with the Wireguard TUN package. Please note that if you are using TAP mode, you may need to revise your config!
+- NetBSD support has been removed until the Wireguard TUN package supports NetBSD
+
+## [0.3.12] - 2019-11-24
+### Added
+- New API functions `SetMaximumSessionMTU` and `GetMaximumSessionMTU`
+- New command line parameters `-address` and `-subnet` for getting the address/subnet from the config file, for use with `-useconffile` or `-useconf`
+- A warning is now produced in the Yggdrasil output at startup when the MTU in the config is invalid or has been adjusted for some reason
+
+### Changed
+- On Linux, outgoing `InterfacePeers` connections now use `SO_BINDTODEVICE` to prefer an outgoing interface
+- The `genkeys` utility is now in `cmd` rather than `misc`
+
+### Fixed
+- A data race condition has been fixed when updating session coordinates
+- A crash when shutting down when no multicast interfaces are configured has been fixed
+- A deadlock when calling `AddPeer` multiple times has been fixed
+- A typo in the systemd unit file (for some Linux packages) has been fixed
+- The NodeInfo and admin socket now report `unknown` correctly when no build name/version is available in the environment at build time
+- The MTU calculation now correctly accounts for ethernet headers when running in TAP mode
+
+## [0.3.11] - 2019-10-25
+### Added
+- Support for TLS listeners and peers has been added, allowing the use of `tls://host:port` in `Peers`, `InterfacePeers` and `Listen` configuration settings - this allows hiding Yggdrasil peerings inside regular TLS connections
+
+### Changed
+- Go 1.13 or later is now required for building Yggdrasil
+- Some exported API functions have been updated to work with standard Go interfaces:
+  - `net.Conn` instead of `yggdrasil.Conn`
+  - `net.Dialer` (the interface it would satisfy if it wasn't a concrete type) instead of `yggdrasil.Dialer`
+  - `net.Listener` instead of `yggdrasil.Listener`
+- Session metadata is now updated correctly when a search completes for a node to which we already have an open session
+- Multicast module reloading behaviour has been improved
+
+### Fixed
+- An incorrectly held mutex in the crypto-key routing code has been fixed
+- Multicast module no longer opens a listener socket if no multicast interfaces are configured
+
+## [0.3.10] - 2019-10-10
+### Added
+- The core library now includes several unit tests for peering and `yggdrasil.Conn` connections
+
+### Changed
+- On recent Linux kernels, Yggdrasil will now set the `tcp_congestion_control` algorithm used for its own TCP sockets to [BBR](https://github.com/google/bbr), which reduces latency under load
+- The systemd service configuration in `contrib` (and, by extension, some of our packages) now attempts to load the `tun` module, in case TUN/TAP support is available but not loaded, and it restricts Yggdrasil to the `CAP_NET_ADMIN` capability for managing the TUN/TAP adapter, rather than letting it do whatever the (typically `root`) user can do
+
+### Fixed
+- The `yggdrasil.Conn.RemoteAddr()` function no longer blocks, fixing a deadlock when CKR is used while under heavy load
+
+## [0.3.9] - 2019-09-27
+### Added
+- Yggdrasil will now complain more verbosely when a peer URI is incorrectly formatted
+- Soft-shutdown methods have been added, allowing a node to shut down gracefully when terminated
+- New multicast interval logic which sends multicast beacons more often when Yggdrasil is first started to increase the chance of finding nearby nodes quickly after startup
+
+### Changed
+- The switch now buffers packets more eagerly in an attempt to give the best link a chance to send, which appears to reduce packet reordering when crossing aggregate sets of peerings
+- Substantial amounts of the codebase have been refactored to use the actor model, which should substantially reduce the chance of deadlocks
+- Nonce tracking in sessions has been modified so that memory usage is reduced whilst still only allowing duplicate packets within a small window
+- Soft-reconfiguration support has been simplified using new actor functions
+- The garbage collector threshold has been adjusted for mobile builds
+- The maximum queue size is now managed exclusively by the switch rather than by the core
+
+### Fixed
+- The broken `hjson-go` dependency which affected builds of the previous version has now been resolved in the module manifest
+- Some minor memory leaks in the switch have been fixed, which improves memory usage on mobile builds
+- A memory leak in the add-peer loop has been fixed
+- The admin socket now reports the correct URI strings for SOCKS peers in `getPeers`
+- A race condition when dialing a remote node by both the node address and routed prefix simultaneously has been fixed
+- A race condition between the router and the dial code resulting in a panic has been fixed
+- A panic which could occur when the TUN/TAP interface disappears (e.g. during soft-shutdown) has been fixed
+- A bug in the semantic versioning script which accompanies Yggdrasil for builds has been fixed
+- A panic which could occur when the TUN/TAP interface reads an undersized/corrupted packet has been fixed
+
+### Removed
+- A number of legacy debug functions have now been removed and a number of exported API functions are now better documented
+
+## [0.3.8] - 2019-08-21
+### Changed
+- Yggdrasil can now send multiple packets from the switch at once, which results in improved throughput with smaller packets or lower MTUs
+- Performance has been slightly improved by not allocating cancellations where not necessary
+- Crypto-key routing options have been renamed for clarity
+  - `IPv4Sources` is now named `IPv4LocalSubnets`
+  - `IPv6Sources` is now named `IPv6LocalSubnets`
+  - `IPv4Destinations` is now named `IPv4RemoteSubnets`
+  - `IPv6Destinations` is now named `IPv6RemoteSubnets`
+  - The old option names will continue to be accepted by the configuration parser for now but may not be indefinitely
+- When presented with multiple paths between two nodes, the switch now prefers the most recently used port when possible instead of the least recently used, helping to reduce packet reordering
+- New nonce tracking should help to reduce the number of packets dropped as a result of multiple/aggregate paths or congestion control in the switch
+
+### Fixed
+- A deadlock was fixed in the session code which could result in Yggdrasil failing to pass traffic after some time
+
+### Security
+- Address verification was not strict enough, which could result in a malicious session sending traffic with unexpected or spoofed source or destination addresses which Yggdrasil could fail to reject
+  - Versions `0.3.6` and `0.3.7` are vulnerable - users of these versions should upgrade as soon as possible
+  - Versions `0.3.5` and earlier are not affected
+
+## [0.3.7] - 2019-08-14
+### Changed
+- The switch should now forward packets along a single path more consistently in cases where congestion is low and multiple equal-length paths exist, which should improve stability and result in fewer out-of-order packets
+- Sessions should now be more tolerant of out-of-order packets, by replacing a bitmask with a variable sized heap+map structure to track recently received nonces, which should reduce the number of packets dropped due to reordering when multiple paths are used or multiple independent flows are transmitted through the same session
+- The admin socket can no longer return a dotfile representation of the known parts of the network, this could be rebuilt by clients using information from `getSwitchPeers`,`getDHT` and `getSessions`
+
+### Fixed
+- A number of significant performance regressions introduced in version 0.3.6 have been fixed, resulting in better performance
+- Flow labels are now used to prioritise traffic flows again correctly
+- In low-traffic scenarios where there are multiple peerings between a pair of nodes, Yggdrasil now prefers the most active peering instead of the least active, helping to reduce packet reordering
+- The `Listen` statement, when configured as a string rather than an array, will now be parsed correctly
+- The admin socket now returns `coords` as a correct array of unsigned 64-bit integers, rather than the internal representation
+- The admin socket now returns `box_pub_key` in string format again
+- Sessions no longer leak/block when no listener (e.g. TUN/TAP) is configured
+- Incoming session connections no longer block when a session already exists, which results in less leaked goroutines
+- Flooded sessions will no longer block other sessions
+- Searches are now cleaned up properly and a couple of edge-cases with duplicate searches have been fixed
+- A number of minor allocation and pointer fixes
+
+## [0.3.6] - 2019-08-03
+### Added
+- Yggdrasil now has a public API with interfaces such as `yggdrasil.ConnDialer`, `yggdrasil.ConnListener` and `yggdrasil.Conn` for using Yggdrasil as a transport directly within applications
+- Session gatekeeper functions, part of the API, which can be used to control whether to allow or reject incoming or outgoing sessions dynamically (compared to the previous fixed whitelist/blacklist approach)
+- Support for logging to files or syslog (where supported)
+- Platform defaults now include the ability to set sane defaults for multicast interfaces
+
+### Changed
+- Following a massive refactoring exercise, Yggdrasil's codebase has now been broken out into modules
+- Core node functionality in the `yggdrasil` package with a public API
+  - This allows Yggdrasil to be integrated directly into other applications and used as a transport
+  - IP-specific code has now been moved out of the core `yggdrasil` package, making Yggdrasil effectively protocol-agnostic
+- Multicast peer discovery functionality is now in the `multicast` package
+- Admin socket functionality is now in the `admin` package and uses the Yggdrasil public API
+- TUN/TAP, ICMPv6 and all IP-specific functionality is now in the `tuntap` package
+- `PPROF` debug output is now sent to `stderr` instead of `stdout`
+- Node IPv6 addresses on macOS are now configured as `secured`
+- Upstream dependency references have been updated, which includes a number of fixes in the Water library
+
+### Fixed
+- Multicast discovery is no longer disabled if the nominated interfaces aren't available on the system yet, e.g. during boot
+- Multicast interfaces are now re-evaluated more frequently so that Yggdrasil doesn't need to be restarted to use interfaces that have become available since startup
+- Admin socket error cases are now handled better
+- Various fixes in the TUN/TAP module, particularly surrounding Windows platform support
+- Invalid keys will now cause the node to fail to start, rather than starting but silently not working as before
+- Session MTUs are now always calculated correctly, in some cases they were incorrectly defaulting to 1280 before
+- Multiple searches now don't take place for a single connection
+- Concurrency bugs fixed
+- Fixed a number of bugs in the ICMPv6 neighbor solicitation in the TUN/TAP code
+- A case where peers weren't always added correctly if one or more peers were unreachable has been fixed
+- Searches which include the local node are now handled correctly
+- Lots of small bug tweaks and clean-ups throughout the codebase
+
+## [0.3.5] - 2019-03-13
+### Fixed
+- The `AllowedEncryptionPublicKeys` option has now been fixed to handle incoming connections properly and no longer blocks outgoing connections (this was broken in v0.3.4)
+- Multicast TCP listeners will now be stopped correctly when the link-local address on the interface changes or disappears altogether
+
+## [0.3.4] - 2019-03-12
+### Added
+- Support for multiple listeners (although currently only TCP listeners are supported)
+- New multicast behaviour where each multicast interface is given its own link-local listener and does not depend on the `Listen` configuration
+- Blocking detection in the switch to avoid parenting a blocked peer
+- Support for adding and removing listeners and multicast interfaces when reloading configuration during runtime
+- Yggdrasil will now attempt to clean up UNIX admin sockets on startup if left behind by a previous crash
+- Admin socket `getTunnelRouting` and `setTunnelRouting` calls for enabling and disabling crypto-key routing during runtime
+- On macOS, Yggdrasil will now try to wake up AWDL on start-up when `awdl0` is a configured multicast interface, to keep it awake after system sleep, and to stop waking it when no longer needed
+- Added `LinkLocalTCPPort` option for controlling the port number that link-local TCP listeners will listen on by default when setting up `MulticastInterfaces` (a node restart is currently required for changes to `LinkLocalTCPPort` to take effect - it cannot be updated by reloading config during runtime)
+
+### Changed
+- The `Listen` configuration statement is now an array instead of a string
+- The `Listen` configuration statement should now conform to the same formatting as peers with the protocol prefix, e.g. `tcp://[::]:0`
+- Session workers are now non-blocking
+- Multicast interval is now fixed at every 15 seconds and network interfaces are reevaluated for eligibility on each interval (where before the interval depended upon the number of configured multicast interfaces and evaluation only took place at startup)
+- Dead connections are now closed in the link handler as opposed to the switch
+- Peer forwarding is now prioritised instead of randomised
+
+### Fixed
+- Admin socket `getTunTap` call now returns properly instead of claiming no interface is enabled in all cases
+- Handling of `getRoutes` etc in `yggdrasilctl` is now working
+- Local interface names are no longer leaked in multicast packets
+- Link-local TCP connections, particularly those initiated because of multicast beacons, are now always correctly scoped for the target interface
+- Yggdrasil now correctly responds to multicast interfaces going up and down during runtime
+
+## [0.3.3] - 2019-02-18
+### Added
+- Dynamic reconfiguration, which allows reloading the configuration file to make changes during runtime by sending a `SIGHUP` signal (note: this only works with `-useconffile` and not `-useconf` and currently reconfiguring TUN/TAP is not supported)
+- Support for building Yggdrasil as an iOS or Android framework if the appropriate tools (e.g. `gomobile`/`gobind` + SDKs) are available
+- Connection contexts used for TCP connections which allow more exotic socket options to be set, e.g.
+  - Reusing the multicast socket to allow multiple running Yggdrasil instances without having to disable multicast
+  - Allowing supported Macs to peer with other nearby Macs that aren't even on the same Wi-Fi network using AWDL
+- Flexible logging support, which allows for logging at different levels of verbosity
+
+### Changed
+- Switch changes to improve parent selection
+- Node configuration is now stored centrally, rather than having fragments/copies distributed at startup time
+- Significant refactoring in various areas, including for link types (TCP, AWDL etc), generic streams and adapters
+- macOS builds through CircleCI are now 64-bit only
+
+### Fixed
+- Simplified `systemd` service now in `contrib`
+
+### Removed
+- `ReadTimeout` option is now deprecated
+
+## [0.3.2] - 2018-12-26
+### Added
+- The admin socket is now multithreaded, greatly improving performance of the crawler and allowing concurrent lookups to take place
+- The ability to hide NodeInfo defaults through either setting the `NodeInfoPrivacy` option or through setting individual `NodeInfo` attributes to `null`
+
+### Changed
+- The `armhf` build now targets ARMv6 instead of ARMv7, adding support for Raspberry Pi Zero and other older models, amongst others
+
+### Fixed
+- DHT entries are now populated using a copy in memory to fix various potential DHT bugs
+- DHT traffic should now throttle back exponentially to reduce idle traffic
+- Adjust how nodes are inserted into the DHT which should help to reduce some incorrect DHT traffic
+- In TAP mode, the NDP target address is now correctly used when populating the peer MAC table. This fixes serious connectivity problems when in TAP mode, particularly on BSD
+- In TUN mode, ICMPv6 packets are now ignored whereas they were incorrectly processed before
+
+## [0.3.1] - 2018-12-17
+### Added
+- Build name and version is now imprinted onto the binaries if available/specified during build
+- Ability to disable admin socket with `AdminListen: none`
+- `AF_UNIX` domain sockets for the admin socket
+- Cache size restriction for crypto-key routes
+- `NodeInfo` support for specifying node information, e.g. node name or contact, which can be used in network crawls or surveys
+- `getNodeInfo` request added to admin socket
+- Adds flags `-c`, `-l` and `-t` to `build` script for specifying `GCFLAGS`, `LDFLAGS` or whether to keep symbol/DWARF tables
+
+### Changed
+- Default `AdminListen` in newly generated config is now `unix:///var/run/yggdrasil.sock`
+- Formatting of `getRoutes` in the admin socket has been improved
+- Debian package now adds `yggdrasil` group to assist with `AF_UNIX` admin socket permissions
+- Crypto, address and other utility code refactored into separate Go packages
+
+### Fixed
+- Switch peer convergence is now much faster again (previously it was taking up to a minute once the peering was established)
+- `yggdrasilctl` is now less prone to crashing when parameters are specified incorrectly
+- Panic fixed when `Peers` or `InterfacePeers` was commented out
+
 ## [0.3.0] - 2018-12-12
 ### Added
 - Crypto-key routing support for tunnelling both IPv4 and IPv6 over Yggdrasil
@@ -139,7 +452,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Wire format changes (backwards incompatible).
 - Less maintenance traffic per peer.
 - Exponential back-off for DHT maintenance traffic (less maintenance traffic for known good peers).
- Iterative DHT (added some time between v0.1.0 and here).
+- Iterative DHT (added sometime between v0.1.0 and here).
 - Use local queue sizes for a sort of local-only backpressure routing, instead of the removed bandwidth estimates, when deciding where to send a packet.

 ### Removed
--- a/README.md
+++ b/README.md
@@ -3,149 +3,121 @@
 [![CircleCI](https://circleci.com/gh/yggdrasil-network/yggdrasil-go.svg?style=shield&circle-token=:circle-token
 )](https://circleci.com/gh/yggdrasil-network/yggdrasil-go)

-## What is it?
+## Introduction

-This is a toy implementation of an encrypted IPv6 network, with many good ideas stolen from [cjdns](https://github.com/cjdelisle/cjdns), which was written to test a particular routing scheme that was cobbled together one random afternoon.
-It's notably not a shortest path routing scheme, with the goal of scalable name-independent routing on dynamic networks with an internet-like topology.
-It's named Yggdrasil after the world tree from Norse mythology, because that seemed like the obvious name given how it works.
-More information is available at <https://yggdrasil-network.github.io/>.
+Yggdrasil is an early-stage implementation of a fully end-to-end encrypted IPv6
+network. It is lightweight, self-arranging, supported on multiple platforms and
+allows pretty much any IPv6-capable application to communicate securely with
+other Yggdrasil nodes. Yggdrasil does not require you to have IPv6 Internet
+connectivity - it also works over IPv4.

-This is a toy / proof-of-principle, and considered alpha quality by the developers. It's not expected to be feature complete, and future updates may not be backwards compatible, though it should warn you if it sees a connection attempt with a node running a newer version.
-You're encouraged to play with it, but it is strongly advised not to use it for anything mission critical.
+Although Yggdrasil shares many similarities with
+[cjdns](https://github.com/cjdelisle/cjdns), it employs a different routing
+algorithm based on a globally-agreed spanning tree and greedy routing in a
+metric space, and aims to implement some novel local backpressure routing
+techniques. In theory, Yggdrasil should scale well on networks with
+internet-like topologies.
+
+## Supported Platforms
+
+We actively support the following platforms, and packages are available for
+some of the below:
+
+- Linux
+  - `.deb` and `.rpm` packages are built by CI for Debian and Red Hat-based
+    distributions
+  - Arch, Nix, Void packages also available within their respective repositories
+- macOS
+  - `.pkg` packages are built by CI
+- Ubiquiti EdgeOS
+  - `.deb` Vyatta packages are built by CI
+- Windows
+- FreeBSD
+- OpenBSD
+- OpenWrt
+
+Please see our [Platforms](https://yggdrasil-network.github.io/platforms.html) pages for more
+specific information about each of our supported platforms, including
+installation steps and caveats.
+
+You may also find other platform-specific wrappers, scripts or tools in the
+`contrib` folder.

 ## Building

-1. Install Go (requires 1.11 or later, [godeb](https://github.com/niemeyer/godeb) is recommended for Debian-based Linux distributions).
-2. Clone this repository.
-2. `./build`
+If you want to build from source, as opposed to installing one of the pre-built
+packages:

-Note that you can cross-compile for other platforms and architectures by specifying the `$GOOS` and `$GOARCH` environment variables, for example, `GOOS=windows ./build` or `GOOS=linux GOARCH=mipsle ./build`.
+1. Install [Go](https://golang.org) (requires Go 1.16 or later)
+2. Clone this repository
+2. Run `./build`

-The build script sets its own `$GOPATH`, so the build environment is self-contained.
+Note that you can cross-compile for other platforms and architectures by
+specifying the `GOOS` and `GOARCH` environment variables, e.g. `GOOS=windows
+./build` or `GOOS=linux GOARCH=mipsle ./build`.

 ## Running

-To run the program, you'll need permission to create a `tun` device and configure it using `ip`.
-If you don't want to mess with capabilities for the `tun` device, then using `sudo` should work, with the usual security caveats about running a program as root.
+### Generate configuration

-To run with default settings:
+To generate static configuration, either generate a HJSON file (human-friendly,
+complete with comments):

-1. `./yggdrasil --autoconf`
-
-That will generate a new set of keys (and an IP address) each time the program is run.
-The program will bind to all addresses on a random port and listen for incoming connections.
-It will send announcements over IPv6 link-local multicast, and it will attempt to start a connection if it hears an announcement from another device.
-
-In practice, you probably want to run this instead:
-
-1. `./yggdrasil --genconf > conf.json`
-2. `./yggdrasil --useconf < conf.json`
-
-This keeps a persistent set of keys (and by extension, IP address) and gives you the option of editing the configuration file.
-If you want to use it as an overlay network on top of e.g. the internet, then you can do so by adding the remote devices domain/address and port (as a string, e.g. `"1.2.3.4:5678"`) to the list of `Peers` in the configuration file.
-By default, it peers over TCP (which can be forced with `"tcp://1.2.3.4:5678"` syntax), but it's also possible to connect over a socks proxy (`"socks://socksHost:socksPort/1.2.3.4:5678"`).
-The socks proxy approach is useful for e.g. [peering over tor hidden services](https://github.com/yggdrasil-network/public-peers/blob/master/other/tor.md).
-UDP support was removed as part of v0.2, and may be replaced by a better implementation at a later date.
-
-### Platforms
-
-#### Linux
-
- Should work out of the box on most Linux distributions with `iproute2` installed.
- systemd service scripts are included in the `contrib/systemd/` folder so that it runs automatically in the background (using `/etc/yggdrasil.conf` for configuration), copy the service files into `/etc/systemd/system`, copy `yggdrasil` into your `$PATH`, i.e. `/usr/bin`, and then enable the service:
 ```
-systemctl enable yggdrasil
-systemctl start yggdrasil
-```
- Once installed as a systemd service, you can read the `yggdrasil` output:
-```
-systemctl status yggdrasil
-journalctl -u yggdrasil
+./yggdrasil -genconf > /path/to/yggdrasil.conf
 ```

-#### macOS
+... or generate a plain JSON file (which is easy to manipulate
+programmatically):

- Tested and working out of the box on macOS 10.13 High Sierra.
- May work in theory on any macOS version with `utun` support (which was added in macOS 10.7 Lion), although this is untested at present.
- TAP mode is not supported on macOS.
-
-#### FreeBSD, NetBSD
-
- Works in TAP mode, but currently doesn't work in TUN mode.
- You may need to create the TAP adapter first if it doesn't already exist, i.e. `ifconfig tap0 create`.
-
-#### OpenBSD
-
- Works in TAP mode, but currently doesn't work in TUN mode.
- You may need to create the TAP adapter first if it doesn't already exist, i.e. `ifconfig tap0 create`.
- OpenBSD is not capable of listening on both IPv4 and IPv6 at the same time on the same socket (unlike FreeBSD and NetBSD). This affects the `Listen` and `AdminListen` configuration options. You will need to set `Listen` and `AdminListen` to use either an IPv4 or an IPv6 address.
- You may consider using [relayd](https://man.openbsd.org/relayd.8) to allow incoming Yggdrasil connections on both IPv4 and IPv6 simultaneously.
-
-#### Windows
-
- Tested and working on Windows 7 and Windows 10, and should work on any recent versions of Windows, but it depends on the [OpenVPN TAP driver](https://openvpn.net/index.php/open-source/downloads.html) being installed first.
- Has been proven to work with both the [NDIS 5](https://swupdate.openvpn.org/community/releases/tap-windows-9.9.2_3.exe) (`tap-windows-9.9.2_3`) driver and the [NDIS 6](https://swupdate.openvpn.org/community/releases/tap-windows-9.21.2.exe) (`tap-windows-9.21.2`) driver, however there are substantial performance issues with the NDIS 6 driver therefore it is recommended to use the NDIS 5 driver instead.
- Be aware that connectivity issues can occur on Windows if multiple IPv6 addresses from the `200::/7` prefix are assigned to the TAP interface. If this happens, then you may need to manually remove the old/unused addresses from the interface (though the code has a workaround in place to do this automatically in some cases).
- TUN mode is not supported on Windows.
- Yggdrasil can be installed as a Windows service so that it runs automatically in the background. From an Administrator Command Prompt:
 ```
-sc create yggdrasil binpath= "\"C:\path\to\yggdrasil.exe\" -useconffile \"C:\path\to\yggdrasil.conf\""
-sc config yggdrasil displayname= "Yggdrasil Service"
-sc config yggdrasil start= "auto"
-sc start yggdrasil
-```
- Alternatively, if you want the service to autoconfigure instead of using an `yggdrasil.conf`, replace the `sc create` line from above with:
-```
-sc create yggdrasil binpath= "\"C:\path\to\yggdrasil.exe\" -autoconf"
+./yggdrasil -genconf -json > /path/to/yggdrasil.conf
 ```

-#### EdgeRouter
+You will need to edit the `yggdrasil.conf` file to add or remove peers, modify
+other configuration such as listen addresses or multicast addresses, etc.

- Tested and working on the EdgeRouter X, using the [vyatta-yggdrasil](https://github.com/neilalexander/vyatta-yggdrasil) wrapper package.
+### Run Yggdrasil

-## Optional: advertise a prefix locally
-
-Suppose a node has generated the address: `200:1111:2222:3333:4444:5555:6666:7777`
-
-Then the node may also use addresses from the prefix: `300:1111:2222:3333::/64` (note the `200` changed to `300`, a separate `/8` is used for prefixes, but the rest of the first 64 bits are the same).
-
-To advertise this prefix and a route to `200::/7`, the following seems to work on the developers' networks:
-
-1. Enable IPv6 forwarding (e.g. `sysctl -w net.ipv6.conf.all.forwarding=1` or add it to sysctl.conf).
-
-2. `ip addr add 300:1111:2222:3333::1/64 dev eth0` or similar, to assign an address for the router to use in that prefix, where the LAN is reachable through `eth0`.
-
-3. Install/run `radvd` with something like the following in `/etc/radvd.conf`:
+To run with the generated static configuration:
 ```
-interface eth0
-{
-        AdvSendAdvert on;
-        prefix 300:1111:2222:3333::/64 {
-            AdvOnLink on;
-            AdvAutonomous on;
-        };
-        route 200::/7 {};
-};
+./yggdrasil -useconffile /path/to/yggdrasil.conf
 ```

-This is enough to give unsupported devices on the LAN access to the yggdrasil network. See the [configuration](https://yggdrasil-network.github.io/configuration.html) page for more info.
+To run in auto-configuration mode (which will use sane defaults and random keys
+at each startup, instead of using a static configuration file):

-## How does it work?
+```
+./yggdrasil -autoconf
+```

-I'd rather not try to explain in the readme, but it is described further on the [about](https://yggdrasil-network.github.io/about.html) page, so you can check there if you're interested.
-Be warned that it's still not a very good explanation, but it at least gives a high-level overview and links to some relevant work by other people.
+You will likely need to run Yggdrasil as a privileged user or under `sudo`,
+unless you have permission to create TUN/TAP adapters. On Linux this can be done
+by giving the Yggdrasil binary the `CAP_NET_ADMIN` capability.

-## Obligatory performance propaganda
+## Documentation

-A [simplified model](misc/sim/treesim-forward.py) of this routing scheme has been tested in simulation on the 9204-node [skitter](https://www.caida.org/tools/measurement/skitter/) network topology dataset from [caida](https://www.caida.org/), and compared with results in [arxiv:0708.2309](https://arxiv.org/abs/0708.2309).
-Using the routing scheme as implemented in this code, the average multiplicative stretch is observed to be about 1.08, with an average routing table size of 6 for a name-dependent scheme, and approximately 30 additional (but smaller) entries needed for the name-independent routing table.
-The number of name-dependent routing table entries needed is proportional to node degree, so that 6 is the mean of a distribution with a long tail, but this may be an acceptable tradeoff(it's at least worth trying, hence this code).
-The size of name-dependent routing table entries is relatively large, due to cryptographic signatures associated with routing table updates, but in the absence of cryptographic overhead, each entry should otherwise be comparable in size to the BC routing scheme described in the above paper.
-A modified version of this scheme, with the same resource requirements, achieves a multiplicative stretch of 1.02, which drops to 1.01 if source routing is used.
-Both of these optimizations are not present in the current implementation, as the former depends on network state information that appears difficult to cryptographically secure, and the latter optimization is both tedious to implement and would make debugging other aspects of the implementation more difficult.
+Documentation is available on our [GitHub
+Pages](https://yggdrasil-network.github.io) site, or in the base submodule
+repository within `doc/yggdrasil-network.github.io`.
+
+- [Configuration file options](https://yggdrasil-network.github.io/configuration.html)
+- [Platform-specific documentation](https://yggdrasil-network.github.io/platforms.html)
+- [Frequently asked questions](https://yggdrasil-network.github.io/faq.html)
+- [Admin API documentation](https://yggdrasil-network.github.io/admin.html)
+- [Version changelog](CHANGELOG.md)
+
+## Community
+
+Feel free to join us on our [Matrix
+channel](https://matrix.to/#/#yggdrasil:matrix.org) at `#yggdrasil:matrix.org`
+or in the `#yggdrasil` IRC channel on Freenode.

 ## License

-This code is released under the terms of the LGPLv3, but with an added exception that was shamelessly taken from [godeb](https://github.com/niemeyer/godeb).
-Under certain circumstances, this exception permits distribution of binaries that are (statically or dynamically) linked with this code, without requiring the distribution of Minimal Corresponding Source or Minimal Application Code.
+This code is released under the terms of the LGPLv3, but with an added exception
+that was shamelessly taken from [godeb](https://github.com/niemeyer/godeb).
+Under certain circumstances, this exception permits distribution of binaries
+that are (statically or dynamically) linked with this code, without requiring
+the distribution of Minimal Corresponding Source or Minimal Application Code.
 For more details, see: [LICENSE](LICENSE).
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -0,0 +1,20 @@
+version: '{build}'
+pull_requests:
+  do_not_increment_build_number: true
+os: Visual Studio 2019
+shallow_clone: false
+
+environment:
+  MSYS2_PATH_TYPE: inherit
+  CHERE_INVOKING: enabled_from_arguments
+
+build_script:
+- cmd: >-
+    cd %APPVEYOR_BUILD_FOLDER%
+- c:\msys64\usr\bin\bash -lc "./contrib/msi/build-msi.sh x64"
+- c:\msys64\usr\bin\bash -lc "./contrib/msi/build-msi.sh x86"
+
+test: off
+
+artifacts:
+- path: '*.msi'
--- a/52
+++ b/52
@@ -1,36 +1,54 @@
 #!/bin/sh

-PKGSRC=${PKGSRC:-github.com/yggdrasil-network/yggdrasil-go/src/yggdrasil}
+set -ef
+
+PKGSRC=${PKGSRC:-github.com/yggdrasil-network/yggdrasil-go/src/version}
 PKGNAME=${PKGNAME:-$(sh contrib/semver/name.sh)}
 PKGVER=${PKGVER:-$(sh contrib/semver/version.sh --bare)}

 LDFLAGS="-X $PKGSRC.buildName=$PKGNAME -X $PKGSRC.buildVersion=$PKGVER"
+ARGS="-v"

-while getopts "udtc:l:" option
+while getopts "uaitc:l:dro:p" option
 do
-  case "${option}"
+  case "$option"
  in
  u) UPX=true;;
-  d) DEBUG=true;;
+  i) IOS=true;;
+  a) ANDROID=true;;
  t) TABLES=true;;
  c) GCFLAGS="$GCFLAGS $OPTARG";;
  l) LDFLAGS="$LDFLAGS $OPTARG";;
+  d) ARGS="$ARGS -tags debug" DEBUG=true;;
+  r) ARGS="$ARGS -race";;
+  o) ARGS="$ARGS -o $OPTARG";;
+  p) ARGS="$ARGS -buildmode=pie";;
  esac
 done

-if [ -z $TABLES ]; then
-  STRIP="-s -w"
+if [ -z $TABLES ] && [ -z $DEBUG ]; then
+  LDFLAGS="$LDFLAGS -s -w"
 fi

-for CMD in `ls cmd/` ; do
-  echo "Building: $CMD"
+if [ $IOS ]; then
+  echo "Building framework for iOS"
+  go get golang.org/x/mobile/bind
+  gomobile bind -target ios -tags mobile -o Yggdrasil.framework -ldflags="$LDFLAGS $STRIP" -gcflags="$GCFLAGS" \
+    github.com/yggdrasil-network/yggdrasil-extras/src/mobile \
+    github.com/yggdrasil-network/yggdrasil-go/src/config
+elif [ $ANDROID ]; then
+  echo "Building aar for Android"
+  go get golang.org/x/mobile/bind
+  gomobile bind -target android -tags mobile -o yggdrasil.aar -ldflags="$LDFLAGS $STRIP" -gcflags="$GCFLAGS" \
+    github.com/yggdrasil-network/yggdrasil-extras/src/mobile \
+    github.com/yggdrasil-network/yggdrasil-go/src/config
+else
+  for CMD in yggdrasil yggdrasilctl ; do
+    echo "Building: $CMD"
+    go build $ARGS -ldflags="$LDFLAGS" -gcflags="$GCFLAGS" ./cmd/$CMD

-  if [ $DEBUG ]; then
-    go build -ldflags="$LDFLAGS" -gcflags="$GCFLAGS" -tags debug -v ./cmd/$CMD
-  else
-    go build -ldflags="$LDFLAGS $STRIP" -gcflags="$GCFLAGS" -v ./cmd/$CMD
-  fi
-  if [ $UPX ]; then
-    upx --brute $CMD
-  fi
-done
+    if [ $UPX ]; then
+      upx --brute $CMD
+    fi
+  done
+fi
--- a/2
+++ b/2
@@ -1,2 +1,2 @@
-#!/bin/bash
+#!/bin/sh
 git clean -dxf
--- a/cmd/genkeys/main.go
+++ b/cmd/genkeys/main.go
@@ -0,0 +1,78 @@
+/*
+
+This file generates crypto keys.
+It prints out a new set of keys each time if finds a "better" one.
+By default, "better" means a higher NodeID (-> higher IP address).
+This is because the IP address format can compress leading 1s in the address, to increase the number of ID bits in the address.
+
+If run with the "-sig" flag, it generates signing keys instead.
+A "better" signing key means one with a higher TreeID.
+This only matters if it's high enough to make you the root of the tree.
+
+*/
+package main
+
+import (
+	"crypto/ed25519"
+	"encoding/hex"
+	"fmt"
+	"net"
+	"runtime"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+)
+
+type keySet struct {
+	priv ed25519.PrivateKey
+	pub  ed25519.PublicKey
+}
+
+func main() {
+	threads := runtime.GOMAXPROCS(0)
+	var currentBest ed25519.PublicKey
+	newKeys := make(chan keySet, threads)
+	for i := 0; i < threads; i++ {
+		go doKeys(newKeys)
+	}
+	for {
+		newKey := <-newKeys
+		if isBetter(currentBest, newKey.pub) || len(currentBest) == 0 {
+			currentBest = newKey.pub
+			fmt.Println("-----")
+			fmt.Println("Priv:", hex.EncodeToString(newKey.priv))
+			fmt.Println("Pub:", hex.EncodeToString(newKey.pub))
+			addr := address.AddrForKey(newKey.pub)
+			fmt.Println("IP:", net.IP(addr[:]).String())
+		}
+	}
+}
+
+func isBetter(oldPub, newPub ed25519.PublicKey) bool {
+	for idx := range oldPub {
+		if newPub[idx] < oldPub[idx] {
+			return true
+		}
+		if newPub[idx] > oldPub[idx] {
+			break
+		}
+	}
+	return false
+}
+
+func doKeys(out chan<- keySet) {
+	bestKey := make(ed25519.PublicKey, ed25519.PublicKeySize)
+	for idx := range bestKey {
+		bestKey[idx] = 0xff
+	}
+	for {
+		pub, priv, err := ed25519.GenerateKey(nil)
+		if err != nil {
+			panic(err)
+		}
+		if !isBetter(bestKey, pub) {
+			continue
+		}
+		bestKey = pub
+		out <- keySet{priv, pub}
+	}
+}
--- a/cmd/yggdrasil/main.go
+++ b/cmd/yggdrasil/main.go
@@ -2,82 +2,119 @@ package main

 import (
 	"bytes"
+	"crypto/ed25519"
 	"encoding/hex"
 	"encoding/json"
 	"flag"
 	"fmt"
 	"io/ioutil"
-	"log"
-	"math/rand"
+	"net"
 	"os"
 	"os/signal"
-	"regexp"
+	"strings"
 	"syscall"
-	"time"

 	"golang.org/x/text/encoding/unicode"

+	"github.com/gologme/log"
+	gsyslog "github.com/hashicorp/go-syslog"
+	"github.com/hjson/hjson-go"
 	"github.com/kardianos/minwinsvc"
 	"github.com/mitchellh/mapstructure"
-	"github.com/neilalexander/hjson-go"

+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+	"github.com/yggdrasil-network/yggdrasil-go/src/admin"
 	"github.com/yggdrasil-network/yggdrasil-go/src/config"
-	"github.com/yggdrasil-network/yggdrasil-go/src/defaults"
-	"github.com/yggdrasil-network/yggdrasil-go/src/yggdrasil"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/core"
+	"github.com/yggdrasil-network/yggdrasil-go/src/multicast"
+	"github.com/yggdrasil-network/yggdrasil-go/src/tuntap"
+	"github.com/yggdrasil-network/yggdrasil-go/src/version"
 )

-type nodeConfig = config.NodeConfig
-type Core = yggdrasil.Core
-
 type node struct {
-	core Core
+	core      core.Core
+	config    *config.NodeConfig
+	tuntap    *tuntap.TunAdapter
+	multicast *multicast.Multicast
+	admin     *admin.AdminSocket
 }

-// Generates default configuration. This is used when outputting the -genconf
-// parameter and also when using -autoconf. The isAutoconf flag is used to
-// determine whether the operating system should select a free port by itself
-// (which guarantees that there will not be a conflict with any other services)
-// or whether to generate a random port number. The only side effect of setting
-// isAutoconf is that the TCP and UDP ports will likely end up with different
-// port numbers.
-func generateConfig(isAutoconf bool) *nodeConfig {
-	// Create a new core.
-	core := Core{}
-	// Generate encryption keys.
-	bpub, bpriv := core.NewEncryptionKeys()
-	spub, spriv := core.NewSigningKeys()
-	// Create a node configuration and populate it.
-	cfg := nodeConfig{}
-	if isAutoconf {
-		cfg.Listen = "[::]:0"
+func readConfig(log *log.Logger, useconf *bool, useconffile *string, normaliseconf *bool) *config.NodeConfig {
+	// Use a configuration file. If -useconf, the configuration will be read
+	// from stdin. If -useconffile, the configuration will be read from the
+	// filesystem.
+	var conf []byte
+	var err error
+	if *useconffile != "" {
+		// Read the file from the filesystem
+		conf, err = ioutil.ReadFile(*useconffile)
 	} else {
-		r1 := rand.New(rand.NewSource(time.Now().UnixNano()))
-		cfg.Listen = fmt.Sprintf("[::]:%d", r1.Intn(65534-32768)+32768)
+		// Read the file from stdin.
+		conf, err = ioutil.ReadAll(os.Stdin)
 	}
-	cfg.AdminListen = defaults.GetDefaults().DefaultAdminListen
-	cfg.EncryptionPublicKey = hex.EncodeToString(bpub[:])
-	cfg.EncryptionPrivateKey = hex.EncodeToString(bpriv[:])
-	cfg.SigningPublicKey = hex.EncodeToString(spub[:])
-	cfg.SigningPrivateKey = hex.EncodeToString(spriv[:])
-	cfg.Peers = []string{}
-	cfg.InterfacePeers = map[string][]string{}
-	cfg.AllowedEncryptionPublicKeys = []string{}
-	cfg.MulticastInterfaces = []string{".*"}
-	cfg.IfName = defaults.GetDefaults().DefaultIfName
-	cfg.IfMTU = defaults.GetDefaults().DefaultIfMTU
-	cfg.IfTAPMode = defaults.GetDefaults().DefaultIfTAPMode
-	cfg.SessionFirewall.Enable = false
-	cfg.SessionFirewall.AllowFromDirect = true
-	cfg.SessionFirewall.AllowFromRemote = true
-	cfg.SwitchOptions.MaxTotalQueueSize = yggdrasil.SwitchQueueTotalMinSize
-
-	return &cfg
+	if err != nil {
+		panic(err)
+	}
+	// If there's a byte order mark - which Windows 10 is now incredibly fond of
+	// throwing everywhere when it's converting things into UTF-16 for the hell
+	// of it - remove it and decode back down into UTF-8. This is necessary
+	// because hjson doesn't know what to do with UTF-16 and will panic
+	if bytes.Equal(conf[0:2], []byte{0xFF, 0xFE}) ||
+		bytes.Equal(conf[0:2], []byte{0xFE, 0xFF}) {
+		utf := unicode.UTF16(unicode.BigEndian, unicode.UseBOM)
+		decoder := utf.NewDecoder()
+		conf, err = decoder.Bytes(conf)
+		if err != nil {
+			panic(err)
+		}
+	}
+	// Generate a new configuration - this gives us a set of sane defaults -
+	// then parse the configuration we loaded above on top of it. The effect
+	// of this is that any configuration item that is missing from the provided
+	// configuration will use a sane default.
+	cfg := config.GenerateConfig()
+	var dat map[string]interface{}
+	if err := hjson.Unmarshal(conf, &dat); err != nil {
+		panic(err)
+	}
+	// Check if we have old field names
+	if _, ok := dat["TunnelRouting"]; ok {
+		log.Warnln("WARNING: Tunnel routing is no longer supported")
+	}
+	if old, ok := dat["SigningPrivateKey"]; ok {
+		log.Warnln("WARNING: The \"SigningPrivateKey\" configuration option has been renamed to \"PrivateKey\"")
+		if _, ok := dat["PrivateKey"]; !ok {
+			if privstr, err := hex.DecodeString(old.(string)); err == nil {
+				priv := ed25519.PrivateKey(privstr)
+				pub := priv.Public().(ed25519.PublicKey)
+				dat["PrivateKey"] = hex.EncodeToString(priv[:])
+				dat["PublicKey"] = hex.EncodeToString(pub[:])
+			} else {
+				log.Warnln("WARNING: The \"SigningPrivateKey\" configuration option contains an invalid value and will be ignored")
+			}
+		}
+	}
+	// Sanitise the config
+	confJson, err := json.Marshal(dat)
+	if err != nil {
+		panic(err)
+	}
+	if err := json.Unmarshal(confJson, &cfg); err != nil {
+		panic(err)
+	}
+	// Overlay our newly mapped configuration onto the autoconf node config that
+	// we generated above.
+	if err = mapstructure.Decode(dat, &cfg); err != nil {
+		panic(err)
+	}
+	return cfg
 }

 // Generates a new configuration and returns it in HJSON format. This is used
 // with -genconf.
 func doGenconf(isjson bool) string {
-	cfg := generateConfig(false)
+	cfg := config.GenerateConfig()
 	var bs []byte
 	var err error
 	if isjson {
@@ -91,6 +128,32 @@ func doGenconf(isjson bool) string {
 	return string(bs)
 }

+func setLogLevel(loglevel string, logger *log.Logger) {
+	levels := [...]string{"error", "warn", "info", "debug", "trace"}
+	loglevel = strings.ToLower(loglevel)
+
+	contains := func() bool {
+		for _, l := range levels {
+			if l == loglevel {
+				return true
+			}
+		}
+		return false
+	}
+
+	if !contains() { // set default log level
+		logger.Infoln("Loglevel parse failed. Set default level(info)")
+		loglevel = "info"
+	}
+
+	for _, l := range levels {
+		logger.EnableLevel(l)
+		if l == loglevel {
+			break
+		}
+	}
+}
+
 // The main function is responsible for configuring and starting Yggdrasil.
 func main() {
 	// Configure the command line parameters.
@@ -100,99 +163,52 @@ func main() {
 	normaliseconf := flag.Bool("normaliseconf", false, "use in combination with either -useconf or -useconffile, outputs your configuration normalised")
 	confjson := flag.Bool("json", false, "print configuration from -genconf or -normaliseconf as JSON instead of HJSON")
 	autoconf := flag.Bool("autoconf", false, "automatic mode (dynamic IP, peer with IPv6 neighbors)")
-	version := flag.Bool("version", false, "prints the version of this build")
+	ver := flag.Bool("version", false, "prints the version of this build")
+	logto := flag.String("logto", "stdout", "file path to log to, \"syslog\" or \"stdout\"")
+	getaddr := flag.Bool("address", false, "returns the IPv6 address as derived from the supplied configuration")
+	getsnet := flag.Bool("subnet", false, "returns the IPv6 subnet as derived from the supplied configuration")
+	loglevel := flag.String("loglevel", "info", "loglevel to enable")
 	flag.Parse()

-	var cfg *nodeConfig
+	// Create a new logger that logs output to stdout.
+	var logger *log.Logger
+	switch *logto {
+	case "stdout":
+		logger = log.New(os.Stdout, "", log.Flags())
+	case "syslog":
+		if syslogger, err := gsyslog.NewLogger(gsyslog.LOG_NOTICE, "DAEMON", version.BuildName()); err == nil {
+			logger = log.New(syslogger, "", log.Flags())
+		}
+	default:
+		if logfd, err := os.OpenFile(*logto, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644); err == nil {
+			logger = log.New(logfd, "", log.Flags())
+		}
+	}
+	if logger == nil {
+		logger = log.New(os.Stdout, "", log.Flags())
+		logger.Warnln("Logging defaulting to stdout")
+	}
+
+	if *normaliseconf {
+		setLogLevel("error", logger)
+	} else {
+		setLogLevel(*loglevel, logger)
+	}
+
+	var cfg *config.NodeConfig
+	var err error
 	switch {
-	case *version:
-		fmt.Println("Build name:", yggdrasil.GetBuildName())
-		fmt.Println("Build version:", yggdrasil.GetBuildVersion())
-		os.Exit(0)
+	case *ver:
+		fmt.Println("Build name:", version.BuildName())
+		fmt.Println("Build version:", version.BuildVersion())
+		return
 	case *autoconf:
 		// Use an autoconf-generated config, this will give us random keys and
 		// port numbers, and will use an automatically selected TUN/TAP interface.
-		cfg = generateConfig(true)
+		cfg = config.GenerateConfig()
 	case *useconffile != "" || *useconf:
-		// Use a configuration file. If -useconf, the configuration will be read
-		// from stdin. If -useconffile, the configuration will be read from the
-		// filesystem.
-		var config []byte
-		var err error
-		if *useconffile != "" {
-			// Read the file from the filesystem
-			config, err = ioutil.ReadFile(*useconffile)
-		} else {
-			// Read the file from stdin.
-			config, err = ioutil.ReadAll(os.Stdin)
-		}
-		if err != nil {
-			panic(err)
-		}
-		// If there's a byte order mark - which Windows 10 is now incredibly fond of
-		// throwing everywhere when it's converting things into UTF-16 for the hell
-		// of it - remove it and decode back down into UTF-8. This is necessary
-		// because hjson doesn't know what to do with UTF-16 and will panic
-		if bytes.Compare(config[0:2], []byte{0xFF, 0xFE}) == 0 ||
-			bytes.Compare(config[0:2], []byte{0xFE, 0xFF}) == 0 {
-			utf := unicode.UTF16(unicode.BigEndian, unicode.UseBOM)
-			decoder := utf.NewDecoder()
-			config, err = decoder.Bytes(config)
-			if err != nil {
-				panic(err)
-			}
-		}
-		// Generate a new configuration - this gives us a set of sane defaults -
-		// then parse the configuration we loaded above on top of it. The effect
-		// of this is that any configuration item that is missing from the provided
-		// configuration will use a sane default.
-		cfg = generateConfig(false)
-		var dat map[string]interface{}
-		if err := hjson.Unmarshal(config, &dat); err != nil {
-			panic(err)
-		}
-		confJson, err := json.Marshal(dat)
-		if err != nil {
-			panic(err)
-		}
-		json.Unmarshal(confJson, &cfg)
-		// For now we will do a little bit to help the user adjust their
-		// configuration to match the new configuration format, as some of the key
-		// names have changed recently.
-		changes := map[string]string{
-			"Multicast":      "",
-			"LinkLocal":      "MulticastInterfaces",
-			"BoxPub":         "EncryptionPublicKey",
-			"BoxPriv":        "EncryptionPrivateKey",
-			"SigPub":         "SigningPublicKey",
-			"SigPriv":        "SigningPrivateKey",
-			"AllowedBoxPubs": "AllowedEncryptionPublicKeys",
-		}
-		// Loop over the mappings aove and see if we have anything to fix.
-		for from, to := range changes {
-			if _, ok := dat[from]; ok {
-				if to == "" {
-					if !*normaliseconf {
-						log.Println("Warning: Deprecated config option", from, "- please remove")
-					}
-				} else {
-					if !*normaliseconf {
-						log.Println("Warning: Deprecated config option", from, "- please rename to", to)
-					}
-					// If the configuration file doesn't already contain a line with the
-					// new name then set it to the old value. This makes sure that we
-					// don't overwrite something that was put there intentionally.
-					if _, ok := dat[to]; !ok {
-						dat[to] = dat[from]
-					}
-				}
-			}
-		}
-		// Overlay our newly mapped configuration onto the autoconf node config that
-		// we generated above.
-		if err = mapstructure.Decode(dat, &cfg); err != nil {
-			panic(err)
-		}
+		// Read the configuration from either stdin or from the filesystem
+		cfg = readConfig(logger, useconf, useconffile, normaliseconf)
 		// If the -normaliseconf option was specified then remarshal the above
 		// configuration and print it back to stdout. This lets the user update
 		// their configuration file with newly mapped names (like above) or to
@@ -223,73 +239,89 @@ func main() {
 	if cfg == nil {
 		return
 	}
-	// Create a new logger that logs output to stdout.
-	logger := log.New(os.Stdout, "", log.Flags())
+	// Have we been asked for the node address yet? If so, print it and then stop.
+	getNodeKey := func() ed25519.PublicKey {
+		if pubkey, err := hex.DecodeString(cfg.PrivateKey); err == nil {
+			return ed25519.PrivateKey(pubkey).Public().(ed25519.PublicKey)
+		}
+		return nil
+	}
+	switch {
+	case *getaddr:
+		if key := getNodeKey(); key != nil {
+			addr := address.AddrForKey(key)
+			ip := net.IP(addr[:])
+			fmt.Println(ip.String())
+		}
+		return
+	case *getsnet:
+		if key := getNodeKey(); key != nil {
+			snet := address.SubnetForKey(key)
+			ipnet := net.IPNet{
+				IP:   append(snet[:], 0, 0, 0, 0, 0, 0, 0, 0),
+				Mask: net.CIDRMask(len(snet)*8, 128),
+			}
+			fmt.Println(ipnet.String())
+		}
+		return
+	default:
+	}
+
 	// Setup the Yggdrasil node itself. The node{} type includes a Core, so we
 	// don't need to create this manually.
-	n := node{}
-	// Check to see if any multicast interface expressions were provided in the
-	// config. If they were then set them now.
-	for _, ll := range cfg.MulticastInterfaces {
-		ifceExpr, err := regexp.Compile(ll)
-		if err != nil {
-			panic(err)
-		}
-		n.core.AddMulticastInterfaceExpr(ifceExpr)
-	}
-	// Now that we have a working configuration, we can now actually start
-	// Yggdrasil. This will start the router, switch, DHT node, TCP and UDP
-	// sockets, TUN/TAP adapter and multicast discovery port.
-	if err := n.core.Start(cfg, logger); err != nil {
-		logger.Println("An error occurred during startup")
+	n := node{config: cfg}
+	// Now start Yggdrasil - this starts the DHT, router, switch and other core
+	// components needed for Yggdrasil to operate
+	if err = n.core.Start(cfg, logger); err != nil {
+		logger.Errorln("An error occurred during startup")
 		panic(err)
 	}
-	// Check to see if any allowed encryption keys were provided in the config.
-	// If they were then set them now.
-	for _, pBoxStr := range cfg.AllowedEncryptionPublicKeys {
-		n.core.AddAllowedEncryptionPublicKey(pBoxStr)
+	// Register the session firewall gatekeeper function
+	// Allocate our modules
+	n.admin = &admin.AdminSocket{}
+	n.multicast = &multicast.Multicast{}
+	n.tuntap = &tuntap.TunAdapter{}
+	// Start the admin socket
+	if err := n.admin.Init(&n.core, cfg, logger, nil); err != nil {
+		logger.Errorln("An error occurred initialising admin socket:", err)
+	} else if err := n.admin.Start(); err != nil {
+		logger.Errorln("An error occurred starting admin socket:", err)
 	}
-	// If any static peers were provided in the configuration above then we should
-	// configure them. The loop ensures that disconnected peers will eventually
-	// be reconnected with.
-	go func() {
-		if len(cfg.Peers) == 0 && len(cfg.InterfacePeers) == 0 {
-			return
-		}
-		for {
-			for _, peer := range cfg.Peers {
-				n.core.AddPeer(peer, "")
-				time.Sleep(time.Second)
-			}
-			for intf, intfpeers := range cfg.InterfacePeers {
-				for _, peer := range intfpeers {
-					n.core.AddPeer(peer, intf)
-					time.Sleep(time.Second)
-				}
-			}
-			time.Sleep(time.Minute)
-		}
-	}()
-	// The Stop function ensures that the TUN/TAP adapter is correctly shut down
-	// before the program exits.
-	defer func() {
-		n.core.Stop()
-	}()
+	n.admin.SetupAdminHandlers(n.admin)
+	// Start the multicast interface
+	if err := n.multicast.Init(&n.core, cfg, logger, nil); err != nil {
+		logger.Errorln("An error occurred initialising multicast:", err)
+	} else if err := n.multicast.Start(); err != nil {
+		logger.Errorln("An error occurred starting multicast:", err)
+	}
+	n.multicast.SetupAdminHandlers(n.admin)
+	// Start the TUN/TAP interface
+	if err := n.tuntap.Init(&n.core, cfg, logger, nil); err != nil {
+		logger.Errorln("An error occurred initialising TUN/TAP:", err)
+	} else if err := n.tuntap.Start(); err != nil {
+		logger.Errorln("An error occurred starting TUN/TAP:", err)
+	}
+	n.tuntap.SetupAdminHandlers(n.admin)
 	// Make some nice output that tells us what our IPv6 address and subnet are.
 	// This is just logged to stdout for the user.
-	address := n.core.GetAddress()
-	subnet := n.core.GetSubnet()
-	logger.Printf("Your IPv6 address is %s", address.String())
-	logger.Printf("Your IPv6 subnet is %s", subnet.String())
+	address := n.core.Address()
+	subnet := n.core.Subnet()
+	public := n.core.GetSelf().Key
+	logger.Infof("Your public key is %s", hex.EncodeToString(public[:]))
+	logger.Infof("Your IPv6 address is %s", address.String())
+	logger.Infof("Your IPv6 subnet is %s", subnet.String())
 	// Catch interrupts from the operating system to exit gracefully.
 	c := make(chan os.Signal, 1)
 	signal.Notify(c, os.Interrupt, syscall.SIGTERM)
-	// Create a function to capture the service being stopped on Windows.
-	winTerminate := func() {
-		c <- os.Interrupt
-	}
-	minwinsvc.SetOnExit(winTerminate)
-	// Wait for the terminate/interrupt signal. Once a signal is received, the
-	// deferred Stop function above will run which will shut down TUN/TAP.
+	// Capture the service being stopped on Windows.
 	<-c
+	minwinsvc.SetOnExit(n.shutdown)
+	n.shutdown()
+}
+
+func (n *node) shutdown() {
+	_ = n.admin.Stop()
+	_ = n.multicast.Stop()
+	_ = n.tuntap.Stop()
+	n.core.Stop()
 }
--- a/cmd/yggdrasilctl/main.go
+++ b/cmd/yggdrasilctl/main.go
@@ -17,33 +17,45 @@ import (

 	"golang.org/x/text/encoding/unicode"

-	"github.com/neilalexander/hjson-go"
+	"github.com/hjson/hjson-go"
 	"github.com/yggdrasil-network/yggdrasil-go/src/defaults"
+	"github.com/yggdrasil-network/yggdrasil-go/src/version"
 )

 type admin_info map[string]interface{}

 func main() {
+	// makes sure we can use defer and still return an error code to the OS
+	os.Exit(run())
+}
+
+func run() int {
 	logbuffer := &bytes.Buffer{}
 	logger := log.New(logbuffer, "", log.Flags())
-	defer func() {
+	defer func() int {
 		if r := recover(); r != nil {
 			logger.Println("Fatal error:", r)
 			fmt.Print(logbuffer)
-			os.Exit(1)
+			return 1
 		}
+		return 0
 	}()

 	endpoint := defaults.GetDefaults().DefaultAdminListen

 	flag.Usage = func() {
-		fmt.Fprintf(flag.CommandLine.Output(), "Usage: %s [options] command [key=value] [key=value] ...\n", os.Args[0])
+		fmt.Fprintf(flag.CommandLine.Output(), "Usage: %s [options] command [key=value] [key=value] ...\n\n", os.Args[0])
 		fmt.Println("Options:")
 		flag.PrintDefaults()
+		fmt.Println()
+		fmt.Println("Please note that options must always specified BEFORE the command\non the command line or they will be ignored.")
+		fmt.Println()
 		fmt.Println("Commands:\n  - Use \"list\" for a list of available commands")
+		fmt.Println()
 		fmt.Println("Examples:")
 		fmt.Println("  - ", os.Args[0], "list")
 		fmt.Println("  - ", os.Args[0], "getPeers")
+		fmt.Println("  - ", os.Args[0], "-v getSelf")
 		fmt.Println("  - ", os.Args[0], "setTunTap name=auto mtu=1500 tap_mode=false")
 		fmt.Println("  - ", os.Args[0], "-endpoint=tcp://localhost:9001 getDHT")
 		fmt.Println("  - ", os.Args[0], "-endpoint=unix:///var/run/ygg.sock getDHT")
@@ -51,18 +63,26 @@ func main() {
 	server := flag.String("endpoint", endpoint, "Admin socket endpoint")
 	injson := flag.Bool("json", false, "Output in JSON format (as opposed to pretty-print)")
 	verbose := flag.Bool("v", false, "Verbose output (includes public keys)")
+	ver := flag.Bool("version", false, "Prints the version of this build")
 	flag.Parse()
 	args := flag.Args()

+	if *ver {
+		fmt.Println("Build name:", version.BuildName())
+		fmt.Println("Build version:", version.BuildVersion())
+		fmt.Println("To get the version number of the running Yggdrasil node, run", os.Args[0], "getSelf")
+		return 0
+	}
+
 	if len(args) == 0 {
 		flag.Usage()
-		return
+		return 0
 	}

 	if *server == endpoint {
 		if config, err := ioutil.ReadFile(defaults.GetDefaults().DefaultConfigFile); err == nil {
-			if bytes.Compare(config[0:2], []byte{0xFF, 0xFE}) == 0 ||
-				bytes.Compare(config[0:2], []byte{0xFE, 0xFF}) == 0 {
+			if bytes.Equal(config[0:2], []byte{0xFF, 0xFE}) ||
+				bytes.Equal(config[0:2], []byte{0xFE, 0xFF}) {
 				utf := unicode.UTF16(unicode.BigEndian, unicode.UseBOM)
 				decoder := utf.NewDecoder()
 				config, err = decoder.Bytes(config)
@@ -87,6 +107,7 @@ func main() {
 			logger.Println("Falling back to platform default", defaults.GetDefaults().DefaultAdminListen)
 		}
 	} else {
+		endpoint = *server
 		logger.Println("Using endpoint", endpoint, "from command line")
 	}

@@ -121,24 +142,34 @@ func main() {

 	for c, a := range args {
 		if c == 0 {
+			if strings.HasPrefix(a, "-") {
+				logger.Printf("Ignoring flag %s as it should be specified before other parameters\n", a)
+				continue
+			}
 			logger.Printf("Sending request: %v\n", a)
 			send["request"] = a
 			continue
 		}
 		tokens := strings.Split(a, "=")
-		if i, err := strconv.Atoi(tokens[1]); err == nil {
-			logger.Printf("Sending parameter %s: %d\n", tokens[0], i)
-			send[tokens[0]] = i
-		} else {
-			switch strings.ToLower(tokens[1]) {
-			case "true":
-				send[tokens[0]] = true
-			case "false":
-				send[tokens[0]] = false
-			default:
-				send[tokens[0]] = tokens[1]
+		if len(tokens) == 1 {
+			send[tokens[0]] = true
+		} else if len(tokens) > 2 {
+			send[tokens[0]] = strings.Join(tokens[1:], "=")
+		} else if len(tokens) == 2 {
+			if i, err := strconv.Atoi(tokens[1]); err == nil {
+				logger.Printf("Sending parameter %s: %d\n", tokens[0], i)
+				send[tokens[0]] = i
+			} else {
+				switch strings.ToLower(tokens[1]) {
+				case "true":
+					send[tokens[0]] = true
+				case "false":
+					send[tokens[0]] = false
+				default:
+					send[tokens[0]] = tokens[1]
+				}
+				logger.Printf("Sending parameter %s: %v\n", tokens[0], send[tokens[0]])
 			}
-			logger.Printf("Sending parameter %s: %v\n", tokens[0], send[tokens[0]])
 		}
 	}

@@ -154,15 +185,15 @@ func main() {
 			} else {
 				fmt.Println("Admin socket returned an error but didn't specify any error text")
 			}
-			os.Exit(1)
+			return 1
 		}
 		if _, ok := recv["request"]; !ok {
 			fmt.Println("Missing request in response (malformed response?)")
-			os.Exit(1)
+			return 1
 		}
 		if _, ok := recv["response"]; !ok {
 			fmt.Println("Missing response body (malformed response?)")
-			os.Exit(1)
+			return 1
 		}
 		req := recv["request"].(map[string]interface{})
 		res := recv["response"].(map[string]interface{})
@@ -171,7 +202,7 @@ func main() {
 			if json, err := json.MarshalIndent(res, "", "  "); err == nil {
 				fmt.Println(string(json))
 			}
-			os.Exit(0)
+			return 0
 		}

 		switch strings.ToLower(req["request"].(string)) {
@@ -187,7 +218,7 @@ func main() {
 					if !keysOrdered {
 						for k := range slv.(map[string]interface{}) {
 							if !*verbose {
-								if k == "box_pub_key" || k == "box_sig_key" {
+								if k == "box_pub_key" || k == "box_sig_key" || k == "nodeinfo" || k == "was_mtu_fixed" {
 									continue
 								}
 							}
@@ -260,10 +291,16 @@ func main() {
 				if subnet, ok := v.(map[string]interface{})["subnet"].(string); ok {
 					fmt.Println("IPv6 subnet:", subnet)
 				}
+				if boxSigKey, ok := v.(map[string]interface{})["key"].(string); ok {
+					fmt.Println("Public key:", boxSigKey)
+				}
 				if coords, ok := v.(map[string]interface{})["coords"].(string); ok {
 					fmt.Println("Coords:", coords)
 				}
 				if *verbose {
+					if nodeID, ok := v.(map[string]interface{})["node_id"].(string); ok {
+						fmt.Println("Node ID:", nodeID)
+					}
 					if boxPubKey, ok := v.(map[string]interface{})["box_pub_key"].(string); ok {
 						fmt.Println("Public encryption key:", boxPubKey)
 					}
@@ -375,16 +412,30 @@ func main() {
 				}
 			}
 		case "getroutes":
-			if _, ok := res["routes"]; !ok {
-				fmt.Println("No routes found")
-			} else if res["routes"] == nil {
+			if routes, ok := res["routes"].(map[string]interface{}); !ok {
 				fmt.Println("No routes found")
 			} else {
-				fmt.Println("Routes:")
-				for _, v := range res["routes"].([]interface{}) {
-					fmt.Println("-", v)
+				if res["routes"] == nil || len(routes) == 0 {
+					fmt.Println("No routes found")
+				} else {
+					fmt.Println("Routes:")
+					for k, v := range routes {
+						if pv, ok := v.(string); ok {
+							fmt.Println("-", k, " via ", pv)
+						}
+					}
 				}
 			}
+		case "settunnelrouting":
+			fallthrough
+		case "gettunnelrouting":
+			if enabled, ok := res["enabled"].(bool); !ok {
+				fmt.Println("Tunnel routing is disabled")
+			} else if !enabled {
+				fmt.Println("Tunnel routing is disabled")
+			} else {
+				fmt.Println("Tunnel routing is enabled")
+			}
 		default:
 			if json, err := json.MarshalIndent(recv["response"], "", "  "); err == nil {
 				fmt.Println(string(json))
@@ -395,7 +446,7 @@ func main() {
 	}

 	if v, ok := recv["status"]; ok && v != "success" {
-		os.Exit(1)
+		return 1
 	}
-	os.Exit(0)
+	return 0
 }
--- a/contrib/ansible/genkeys.go
+++ b/contrib/ansible/genkeys.go
@@ -0,0 +1,114 @@
+/*
+
+This file generates crypto keys for [ansible-yggdrasil](https://github.com/jcgruenhage/ansible-yggdrasil/)
+
+*/
+package main
+
+import (
+	"crypto/ed25519"
+	"encoding/hex"
+	"flag"
+	"fmt"
+	"net"
+	"os"
+
+	"github.com/cheggaaa/pb/v3"
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+)
+
+var numHosts = flag.Int("hosts", 1, "number of host vars to generate")
+var keyTries = flag.Int("tries", 1000, "number of tries before taking the best keys")
+
+type keySet struct {
+	priv []byte
+	pub  []byte
+	ip   string
+}
+
+func main() {
+	flag.Parse()
+
+	bar := pb.StartNew(*keyTries*2 + *numHosts)
+
+	if *numHosts > *keyTries {
+		println("Can't generate less keys than hosts.")
+		return
+	}
+
+	var keys []keySet
+	for i := 0; i < *numHosts+1; i++ {
+		keys = append(keys, newKey())
+		bar.Increment()
+	}
+	keys = sortKeySetArray(keys)
+	for i := 0; i < *keyTries-*numHosts-1; i++ {
+		keys[0] = newKey()
+		keys = bubbleUpTo(keys, 0)
+		bar.Increment()
+	}
+
+	os.MkdirAll("host_vars", 0755)
+
+	for i := 1; i <= *numHosts; i++ {
+		os.MkdirAll(fmt.Sprintf("host_vars/%x", i), 0755)
+		file, err := os.Create(fmt.Sprintf("host_vars/%x/vars", i))
+		if err != nil {
+			return
+		}
+		defer file.Close()
+		file.WriteString(fmt.Sprintf("yggdrasil_public_key: %v\n", hex.EncodeToString(keys[i].pub)))
+		file.WriteString("yggdrasil_private_key: \"{{ vault_yggdrasil_private_key }}\"\n")
+		file.WriteString(fmt.Sprintf("ansible_host: %v\n", keys[i].ip))
+
+		file, err = os.Create(fmt.Sprintf("host_vars/%x/vault", i))
+		if err != nil {
+			return
+		}
+		defer file.Close()
+		file.WriteString(fmt.Sprintf("vault_yggdrasil_private_key: %v\n", hex.EncodeToString(keys[i].priv)))
+		bar.Increment()
+	}
+	bar.Finish()
+}
+
+func newKey() keySet {
+	pub, priv, err := ed25519.GenerateKey(nil)
+	if err != nil {
+		panic(err)
+	}
+	ip := net.IP(address.AddrForKey(pub)[:]).String()
+	return keySet{priv[:], pub[:], ip}
+}
+
+func isBetter(oldID, newID []byte) bool {
+	for idx := range oldID {
+		if newID[idx] < oldID[idx] {
+			return true
+		}
+		if newID[idx] > oldID[idx] {
+			return false
+		}
+	}
+	return false
+}
+
+func sortKeySetArray(sets []keySet) []keySet {
+	for i := 0; i < len(sets); i++ {
+		sets = bubbleUpTo(sets, i)
+	}
+	return sets
+}
+
+func bubbleUpTo(sets []keySet, num int) []keySet {
+	for i := 0; i < len(sets)-num-1; i++ {
+		if isBetter(sets[i+1].pub, sets[i].pub) {
+			var tmp = sets[i]
+			sets[i] = sets[i+1]
+			sets[i+1] = tmp
+		} else {
+			break
+		}
+	}
+	return sets
+}
--- a/contrib/apparmor/usr.bin.yggdrasil
+++ b/contrib/apparmor/usr.bin.yggdrasil
@@ -0,0 +1,17 @@
+# Last Modified: Fri Oct 30 11:33:31 2020
+#include <tunables/global>
+
+/usr/bin/yggdrasil {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+
+  capability net_admin,
+  capability net_raw,
+
+  /dev/net/tun rw,
+  /proc/sys/net/core/somaxconn r,
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  /etc/yggdrasil.conf rw,
+  /run/yggdrasil.sock rw,
+}
--- a/contrib/busybox-init/S42yggdrasil
+++ b/contrib/busybox-init/S42yggdrasil
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+CONFFILE="/etc/yggdrasil.conf"
+
+genconf() {
+	/usr/bin/yggdrasil -genconf > "$1"
+	return $?
+}
+
+probetun() {
+	modprobe tun
+	return $?
+}
+
+start() {
+	if [ ! -f "$CONFFILE" ]; then
+		printf 'Generating configuration file: '
+		if genconf "$CONFFILE"; then
+			echo "OK"
+		else
+			echo "FAIL"
+			return 1
+		fi
+	fi
+
+	if [ ! -e /dev/net/tun ]; then
+		printf 'Inserting TUN module: '
+		if probetun; then
+			echo "OK"
+		else
+			echo "FAIL"
+			return 1
+		fi
+	fi
+
+	printf 'Starting yggdrasil: '
+	if start-stop-daemon -S -q -b -x /usr/bin/yggdrasil \
+		-- -useconffile "$CONFFILE"; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+}
+
+stop() {
+	printf "Stopping yggdrasil: "
+	if start-stop-daemon -K -q -x /usr/bin/yggdrasil; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+}
+
+reload() {
+	printf "Reloading yggdrasil: "
+	if start-stop-daemon -K -q -s HUP -x /usr/bin/yggdrasil; then
+		echo "OK"
+	else
+		echo "FAIL"
+		start
+	fi
+}
+
+restart() {
+	stop
+	start
+}
+
+case "$1" in
+	start|stop|restart|reload)
+		"$1";;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac
+
+exit 0
--- a/contrib/config/yggdrasilconf.go
+++ b/contrib/config/yggdrasilconf.go
@@ -1,97 +0,0 @@
-package main
-
-/*
-This is a small utility that is designed to accompany the vyatta-yggdrasil
-package. It takes a HJSON configuration file, makes changes to it based on
-the command line arguments, and then spits out an updated file.
-*/
-
-import (
-	"bytes"
-	"encoding/json"
-	"flag"
-	"fmt"
-	"io/ioutil"
-	"strconv"
-
-	"github.com/neilalexander/hjson-go"
-	"golang.org/x/text/encoding/unicode"
-
-	"github.com/yggdrasil-network/yggdrasil-go/src/config"
-)
-
-type nodeConfig = config.NodeConfig
-
-func main() {
-	useconffile := flag.String("useconffile", "/etc/yggdrasil.conf", "update config at specified file path")
-	flag.Parse()
-	cfg := nodeConfig{}
-	var config []byte
-	var err error
-	config, err = ioutil.ReadFile(*useconffile)
-	if err != nil {
-		panic(err)
-	}
-	if bytes.Compare(config[0:2], []byte{0xFF, 0xFE}) == 0 ||
-		bytes.Compare(config[0:2], []byte{0xFE, 0xFF}) == 0 {
-		utf := unicode.UTF16(unicode.BigEndian, unicode.UseBOM)
-		decoder := utf.NewDecoder()
-		config, err = decoder.Bytes(config)
-		if err != nil {
-			panic(err)
-		}
-	}
-	var dat map[string]interface{}
-	if err := hjson.Unmarshal(config, &dat); err != nil {
-		panic(err)
-	}
-	confJson, err := json.Marshal(dat)
-	if err != nil {
-		panic(err)
-	}
-	json.Unmarshal(confJson, &cfg)
-	switch flag.Arg(0) {
-	case "setMTU":
-		cfg.IfMTU, err = strconv.Atoi(flag.Arg(1))
-		if err != nil {
-			cfg.IfMTU = 1280
-		}
-		if mtu, _ := strconv.Atoi(flag.Arg(1)); mtu < 1280 {
-			cfg.IfMTU = 1280
-		}
-	case "setIfName":
-		cfg.IfName = flag.Arg(1)
-	case "setListen":
-		cfg.Listen = flag.Arg(1)
-	case "setAdminListen":
-		cfg.AdminListen = flag.Arg(1)
-	case "setIfTapMode":
-		if flag.Arg(1) == "true" {
-			cfg.IfTAPMode = true
-		} else {
-			cfg.IfTAPMode = false
-		}
-	case "addPeer":
-		found := false
-		for _, v := range cfg.Peers {
-			if v == flag.Arg(1) {
-				found = true
-			}
-		}
-		if !found {
-			cfg.Peers = append(cfg.Peers, flag.Arg(1))
-		}
-	case "removePeer":
-		for k, v := range cfg.Peers {
-			if v == flag.Arg(1) {
-				cfg.Peers = append(cfg.Peers[:k], cfg.Peers[k+1:]...)
-			}
-		}
-	}
-	bs, err := hjson.Marshal(cfg)
-	if err != nil {
-		panic(err)
-	}
-	fmt.Println(string(bs))
-	return
-}
--- a/contrib/deb/generate.sh
+++ b/contrib/deb/generate.sh
@@ -25,10 +25,11 @@ if [ $PKGARCH = "amd64" ]; then GOARCH=amd64 GOOS=linux ./build
 elif [ $PKGARCH = "i386" ]; then GOARCH=386 GOOS=linux ./build
 elif [ $PKGARCH = "mipsel" ]; then GOARCH=mipsle GOOS=linux ./build
 elif [ $PKGARCH = "mips" ]; then GOARCH=mips64 GOOS=linux ./build
-elif [ $PKGARCH = "armhf" ]; then GOARCH=arm GOOS=linux GOARM=7 ./build
+elif [ $PKGARCH = "armhf" ]; then GOARCH=arm GOOS=linux GOARM=6 ./build
 elif [ $PKGARCH = "arm64" ]; then GOARCH=arm64 GOOS=linux ./build
+elif [ $PKGARCH = "armel" ]; then GOARCH=arm GOOS=linux GOARM=5 ./build
 else
-  echo "Specify PKGARCH=amd64,i386,mips,mipsel,armhf,arm64"
+  echo "Specify PKGARCH=amd64,i386,mips,mipsel,armhf,arm64,armel"
  exit 1
 fi

@@ -52,8 +53,11 @@ Architecture: $PKGARCH
 Replaces: $PKGREPLACES
 Conflicts: $PKGREPLACES
 Maintainer: Neil Alexander <neilalexander@users.noreply.github.com>
-Description: Debian yggdrasil package
- Binary yggdrasil package for Debian and Ubuntu
+Description: Yggdrasil Network
+ Yggdrasil is an early-stage implementation of a fully end-to-end encrypted IPv6
+ network. It is lightweight, self-arranging, supported on multiple platforms and
+ allows pretty much any IPv6-capable application to communicate securely with
+ other Yggdrasil nodes.
 EOF
 cat > /tmp/$PKGNAME/debian/copyright << EOF
 Please see https://github.com/yggdrasil-network/yggdrasil-go/
@@ -68,32 +72,50 @@ etc/systemd/system/*.service etc/systemd/system
 EOF
 cat > /tmp/$PKGNAME/debian/postinst << EOF
 #!/bin/sh
+
+if ! getent group yggdrasil 2>&1 > /dev/null; then
+  groupadd --system --force yggdrasil || echo "Failed to create group 'yggdrasil' - please create it manually and reinstall"
+fi
+
 if [ -f /etc/yggdrasil.conf ];
 then
  mkdir -p /var/backups
  echo "Backing up configuration file to /var/backups/yggdrasil.conf.`date +%Y%m%d`"
  cp /etc/yggdrasil.conf /var/backups/yggdrasil.conf.`date +%Y%m%d`
-  echo "Normalising /etc/yggdrasil.conf"
-  /usr/bin/yggdrasil -useconffile /var/backups/yggdrasil.conf.`date +%Y%m%d` -normaliseconf > /etc/yggdrasil.conf
+  echo "Normalising and updating /etc/yggdrasil.conf"
+  /usr/bin/yggdrasil -useconf -normaliseconf < /var/backups/yggdrasil.conf.`date +%Y%m%d` > /etc/yggdrasil.conf
+  chgrp yggdrasil /etc/yggdrasil.conf
+
+  if command -v systemctl >/dev/null; then
+    systemctl daemon-reload >/dev/null || true
+    systemctl enable yggdrasil || true
+    systemctl start yggdrasil || true
+  fi
+else
+  echo "Generating initial configuration file /etc/yggdrasil.conf"
+  echo "Please familiarise yourself with this file before starting Yggdrasil"
+  sh -c 'umask 0027 && /usr/bin/yggdrasil -genconf > /etc/yggdrasil.conf'
+  chgrp yggdrasil /etc/yggdrasil.conf
 fi
-systemctl enable yggdrasil
-systemctl start yggdrasil
 EOF
 cat > /tmp/$PKGNAME/debian/prerm << EOF
 #!/bin/sh
-systemctl disable yggdrasil
-systemctl stop yggdrasil
+if command -v systemctl >/dev/null; then
+  if systemctl is-active --quiet yggdrasil; then
+    systemctl stop yggdrasil || true
+  fi
+  systemctl disable yggdrasil || true
+fi
 EOF

 cp yggdrasil /tmp/$PKGNAME/usr/bin/
 cp yggdrasilctl /tmp/$PKGNAME/usr/bin/
-cp contrib/systemd/yggdrasil.service /tmp/$PKGNAME/etc/systemd/system/
-cp contrib/systemd/yggdrasil-resume.service /tmp/$PKGNAME/etc/systemd/system/
+cp contrib/systemd/*.service /tmp/$PKGNAME/etc/systemd/system/

 tar -czvf /tmp/$PKGNAME/data.tar.gz -C /tmp/$PKGNAME/ \
  usr/bin/yggdrasil usr/bin/yggdrasilctl \
  etc/systemd/system/yggdrasil.service \
-  etc/systemd/system/yggdrasil-resume.service
+  etc/systemd/system/yggdrasil-default-config.service
 tar -czvf /tmp/$PKGNAME/control.tar.gz -C /tmp/$PKGNAME/debian .
 echo 2.0 > /tmp/$PKGNAME/debian-binary

--- a/contrib/docker/Dockerfile
+++ b/contrib/docker/Dockerfile
@@ -2,13 +2,16 @@ FROM docker.io/golang:alpine as builder

 COPY . /src
 WORKDIR /src
-RUN apk add git && ./build 
+
+ENV CGO_ENABLED=0
+
+RUN apk add git && ./build && go build -o /src/genkeys cmd/genkeys/main.go

 FROM docker.io/alpine
-LABEL maintainer="Christer Waren/CWINFO <christer.waren@cwinfo.org>"

 COPY --from=builder /src/yggdrasil /usr/bin/yggdrasil
 COPY --from=builder /src/yggdrasilctl /usr/bin/yggdrasilctl
+COPY --from=builder /src/genkeys /usr/bin/genkeys
 COPY contrib/docker/entrypoint.sh /usr/bin/entrypoint.sh

 # RUN addgroup -g 1000 -S yggdrasil-network \
--- a/contrib/logo/ygg-neilalexander.svg
+++ b/contrib/logo/ygg-neilalexander.svg
@@ -0,0 +1,157 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   sodipodi:docname="drawing.svg"
+   inkscape:version="0.91 r13725"
+   version="1.1"
+   id="svg4240"
+   viewBox="0 0 981.96461 321.60015"
+   height="90.762711mm"
+   width="277.13223mm">
+  <defs
+     id="defs4242" />
+  <sodipodi:namedview
+     fit-margin-bottom="0"
+     fit-margin-right="0"
+     fit-margin-left="0"
+     fit-margin-top="0"
+     inkscape:window-maximized="1"
+     inkscape:window-y="1"
+     inkscape:window-x="0"
+     inkscape:window-height="1021"
+     inkscape:window-width="2048"
+     showgrid="false"
+     inkscape:current-layer="layer2"
+     inkscape:document-units="px"
+     inkscape:cy="13.914395"
+     inkscape:cx="751.6295"
+     inkscape:zoom="0.66468037"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0.0"
+     borderopacity="1.0"
+     bordercolor="#666666"
+     pagecolor="#ffffff"
+     id="base" />
+  <metadata
+     id="metadata4245">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(383.92494,-160.49328)" />
+  <g
+     inkscape:groupmode="layer"
+     id="layer2"
+     inkscape:label="Layer 2"
+     transform="translate(383.92494,-160.49328)">
+    <path
+       style="fill:#000000"
+       d="m 352.74397,478.24119 c 0.92103,-3.76903 11.87131,-30.48993 21.5083,-52.48465 9.86344,-22.51152 9.67726,-21.6278 6.92943,-32.89221 -3.42997,-14.06075 -3.22164,-36.95243 0.44688,-49.10642 13.24423,-43.87864 47.63362,-73.61698 122.30718,-105.76556 24.32504,-10.47245 37.67777,-17.18807 47.80968,-24.04538 17.86083,-12.08828 36.4402,-33.06424 42.38057,-47.84736 1.25285,-3.11781 2.66096,-5.64051 3.12912,-5.60598 1.46014,0.10767 0.73701,44.30167 -0.9768,59.69719 -10.61597,95.36545 -42.95689,157.39345 -96.20598,184.51751 -30.73114,15.65385 -79.17559,21.45357 -101.74118,12.18037 -3.19081,-1.31125 -6.5492,-2.38408 -7.46311,-2.38408 -3.43636,0 -15.75824,32.89925 -19.29523,51.51802 -1.09802,5.78003 -2.76237,13.70787 -3.00898,14.91667 -5.50064,-0.0422 -0.35371,-0.0119 -8.18026,-0.0119 l -8.29605,0 z"
+       id="path4918"
+       inkscape:connector-curvature="0"
+       sodipodi:nodetypes="ssssssscssssscscs" />
+    <g
+       style="font-style:normal;font-weight:normal;font-size:150px;line-height:86.00000143%;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       id="text4920"
+       transform="translate(-2,0)">
+      <path
+         d="m -345.34994,319.70594 -36.575,-55.6875 21.725,0 23.925,38.775 24.2,-38.775 20.625,0 -36.575,55.6875 0,41.6625 -17.325,0 0,-41.6625 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5638"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m -202.55678,354.21844 q -18.0125,9.625 -40.2875,9.625 -11.275,0 -20.7625,-3.575 -9.35,-3.7125 -16.225,-10.3125 -6.7375,-6.7375 -10.5875,-16.0875 -3.85,-9.35 -3.85,-20.7625 0,-11.6875 3.85,-21.175 3.85,-9.625 10.5875,-16.3625 6.875,-6.7375 16.225,-10.3125 9.4875,-3.7125 20.7625,-3.7125 11.1375,0 20.9,2.75 9.7625,2.6125 17.4625,9.4875 l -12.7875,12.925 q -4.675,-4.5375 -11.4125,-7.0125 -6.6,-2.475 -14.025,-2.475 -7.5625,0 -13.75,2.75 -6.05,2.6125 -10.45,7.425 -4.4,4.675 -6.875,11 -2.3375,6.325 -2.3375,13.6125 0,7.8375 2.3375,14.4375 2.475,6.6 6.875,11.4125 4.4,4.8125 10.45,7.5625 6.1875,2.75 13.75,2.75 6.6,0 12.375,-1.2375 5.9125,-1.2375 10.45,-3.85 l 0,-22.9625 -19.9375,0 0,-15.675 37.2625,0 0,49.775 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5640"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m -102.05346,354.21844 q -18.0125,9.625 -40.2875,9.625 -11.275,0 -20.7625,-3.575 -9.35,-3.7125 -16.225,-10.3125 -6.7375,-6.7375 -10.5875,-16.0875 -3.85,-9.35 -3.85,-20.7625 0,-11.6875 3.85,-21.175 3.85,-9.625 10.5875,-16.3625 6.875,-6.7375 16.225,-10.3125 9.4875,-3.7125 20.7625,-3.7125 11.1375,0 20.9,2.75 9.7625,2.6125 17.4625,9.4875 l -12.7875,12.925 q -4.675,-4.5375 -11.4125,-7.0125 -6.6,-2.475 -14.025,-2.475 -7.5625,0 -13.75,2.75 -6.05,2.6125 -10.45,7.425 -4.4,4.675 -6.875,11 -2.3375,6.325 -2.3375,13.6125 0,7.8375 2.3375,14.4375 2.475,6.6 6.875,11.4125 4.4,4.8125 10.45,7.5625 6.1875,2.75 13.75,2.75 6.6,0 12.375,-1.2375 5.9125,-1.2375 10.45,-3.85 l 0,-22.9625 -19.9375,0 0,-15.675 37.2625,0 0,49.775 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5642"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m -90.037646,264.01844 38.3625,0 q 9.625,0 18.5625,3.025 8.9375,2.8875 15.8125,8.9375 6.875,6.05 11,15.2625 4.125,9.075 4.125,21.45 0,12.5125 -4.8125,21.725 -4.675,9.075 -12.2375,15.125 -7.425,5.9125 -16.6375,8.9375 -9.075,2.8875 -17.875,2.8875 l -36.3,0 0,-97.35 z m 30.25,81.675 q 8.1125,0 15.2625,-1.7875 7.2875,-1.925 12.65,-5.775 5.3625,-3.9875 8.3875,-10.175 3.1625,-6.325 3.1625,-15.2625 0,-8.8 -2.75,-15.125 -2.75,-6.325 -7.7,-10.175 -4.8125,-3.9875 -11.55,-5.775 -6.6,-1.925 -14.575,-1.925 l -15.8125,0 0,66 12.925,0 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5644"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m 7.511578,264.01844 33.825,0 q 7.0125,0 13.475,1.375 6.6,1.2375 11.687502,4.4 5.0875,3.1625 8.1125,8.525 3.025,5.3625 3.025,13.6125 0,10.5875 -5.9125,17.7375 -5.775002,7.15 -16.637502,8.6625 l 25.850002,43.0375 -20.900002,0 -22.55,-41.25 -12.65,0 0,41.25 -17.325,0 0,-97.35 z m 30.8,41.25 q 3.7125,0 7.425,-0.275 3.7125,-0.4125 6.7375,-1.65 3.1625,-1.375 5.0875,-3.9875 1.925,-2.75 1.925,-7.5625 0,-4.2625 -1.7875,-6.875 -1.7875,-2.6125 -4.675,-3.85 -2.8875,-1.375 -6.4625,-1.7875 -3.4375,-0.4125 -6.7375,-0.4125 l -14.9875,0 0,26.4 13.475,0 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5646"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m 126.82369,264.01844 14.9875,0 41.9375,97.35 -19.8,0 -9.075,-22.275 -42.2125,0 -8.8,22.275 -19.3875,0 42.35,-97.35 z m 22,60.225 -14.9875,-39.6 -15.2625,39.6 30.25,0 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5648"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m 239.7639,284.91844 q -2.75,-3.9875 -7.425,-5.775 -4.5375,-1.925 -9.625,-1.925 -3.025,0 -5.9125,0.6875 -2.75,0.6875 -5.0875,2.2 -2.2,1.5125 -3.575,3.9875 -1.375,2.3375 -1.375,5.6375 0,4.95 3.4375,7.5625 3.4375,2.6125 8.525,4.5375 5.0875,1.925 11.1375,3.7125 6.05,1.7875 11.1375,4.95 5.0875,3.1625 8.525,8.3875 3.4375,5.225 3.4375,13.8875 0,7.8375 -2.8875,13.75 -2.8875,5.775 -7.8375,9.625 -4.8125,3.85 -11.275,5.775 -6.4625,1.925 -13.6125,1.925 -9.075,0 -17.4625,-3.025 -8.3875,-3.025 -14.4375,-10.175 l 13.0625,-12.65 q 3.1625,4.8125 8.25,7.5625 5.225,2.6125 11,2.6125 3.025,0 6.05,-0.825 3.025,-0.825 5.5,-2.475 2.475,-1.65 3.9875,-4.125 1.5125,-2.6125 1.5125,-5.9125 0,-5.3625 -3.4375,-8.25 -3.4375,-2.8875 -8.525,-4.8125 -5.0875,-2.0625 -11.1375,-3.85 -6.05,-1.7875 -11.1375,-4.8125 -5.0875,-3.1625 -8.525,-8.25 -3.4375,-5.225 -3.4375,-13.8875 0,-7.5625 3.025,-13.0625 3.1625,-5.5 8.1125,-9.075 5.0875,-3.7125 11.55,-5.5 6.4625,-1.7875 13.2,-1.7875 7.7,0 14.85,2.3375 7.2875,2.3375 13.0625,7.7 l -12.65,13.3375 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5650"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m 264.21257,264.01844 17.325,0 0,97.35 -17.325,0 0,-97.35 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5652"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m 296.37837,264.01844 17.325,0 0,81.675 41.3875,0 0,15.675 -58.7125,0 0,-97.35 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5654"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m -369.13744,382.26844 22.9625,0 47.1625,72.325 0.275,0 0,-72.325 17.325,0 0,97.35 -22,0 -48.125,-74.6625 -0.275,0 0,74.6625 -17.325,0 0,-97.35 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5656"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m -270.48568,382.26844 64.4875,0 0,15.675 -47.1625,0 0,23.925 44.6875,0 0,15.675 -44.6875,0 0,26.4 49.6375,0 0,15.675 -66.9625,0 0,-97.35 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5658"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m -165.14057,397.94344 -29.8375,0 0,-15.675 77,0 0,15.675 -29.8375,0 0,81.675 -17.325,0 0,-81.675 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5660"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m -111.36694,382.26844 18.974997,0 18.2875,70.125 0.275,0 21.8625,-70.125 17.05,0 21.45,70.125 0.275,0 19.1125,-70.125 17.6,0 -28.3250004,97.35 -16.4999996,0 -22.55,-74.1125 -0.275,0 -22.55,74.1125 -15.95,0 -28.737497,-97.35 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5662"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m 24.435016,431.35594 q 0,-11.6875 3.85,-21.175 3.85,-9.625 10.5875,-16.3625 6.875,-6.7375 16.225,-10.3125 9.4875,-3.7125 20.7625,-3.7125 11.412504,-0.1375 20.900004,3.4375 9.4875,3.4375 16.3625,10.175 6.875,6.7375 10.725,16.225 3.85,9.4875 3.85,21.175 0,11.4125 -3.85,20.7625 -3.85,9.35 -10.725,16.0875 -6.875,6.7375 -16.3625,10.5875 -9.4875,3.7125 -20.900004,3.85 -11.275,0 -20.7625,-3.575 -9.35,-3.7125 -16.225,-10.3125 -6.7375,-6.7375 -10.5875,-16.0875 -3.85,-9.35 -3.85,-20.7625 z m 18.15,-1.1 q 0,7.8375 2.3375,14.4375 2.475,6.6 6.875,11.4125 4.4,4.8125 10.45,7.5625 6.1875,2.75 13.75,2.75 7.5625,0 13.750004,-2.75 6.1875,-2.75 10.5875,-7.5625 4.4,-4.8125 6.7375,-11.4125 2.475,-6.6 2.475,-14.4375 0,-7.2875 -2.475,-13.6125 -2.3375,-6.325 -6.7375,-11 -4.4,-4.8125 -10.5875,-7.425 -6.187504,-2.75 -13.750004,-2.75 -7.5625,0 -13.75,2.75 -6.05,2.6125 -10.45,7.425 -4.4,4.675 -6.875,11 -2.3375,6.325 -2.3375,13.6125 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5664"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m 137.68287,382.26844 33.825,0 q 7.0125,0 13.475,1.375 6.6,1.2375 11.6875,4.4 5.0875,3.1625 8.1125,8.525 3.025,5.3625 3.025,13.6125 0,10.5875 -5.9125,17.7375 -5.775,7.15 -16.6375,8.6625 l 25.85,43.0375 -20.9,0 -22.55,-41.25 -12.65,0 0,41.25 -17.325,0 0,-97.35 z m 30.8,41.25 q 3.7125,0 7.425,-0.275 3.7125,-0.4125 6.7375,-1.65 3.1625,-1.375 5.0875,-3.9875 1.925,-2.75 1.925,-7.5625 0,-4.2625 -1.7875,-6.875 -1.7875,-2.6125 -4.675,-3.85 -2.8875,-1.375 -6.4625,-1.7875 -3.4375,-0.4125 -6.7375,-0.4125 l -14.9875,0 0,26.4 13.475,0 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5666"
+         inkscape:connector-curvature="0" />
+      <path
+         d="m 221.50746,382.26844 17.325,0 0,41.25 0.825,0 40.2875,-41.25 23.375,0 -45.5125,44.9625 48.5375,52.3875 -24.3375,0 -42.2125,-47.85 -0.9625,0 0,47.85 -17.325,0 0,-97.35 z"
+         style="font-style:normal;font-variant:normal;font-weight:900;font-stretch:normal;font-size:137.5px;line-height:86.00000143%;font-family:Avenir;-inkscape-font-specification:'Avenir Heavy';letter-spacing:1.35000002px"
+         id="path5668"
+         inkscape:connector-curvature="0" />
+    </g>
+  </g>
+</svg>
--- a/contrib/macos/yggdrasil.plist
+++ b/contrib/macos/yggdrasil.plist
@@ -8,7 +8,7 @@
    <array>
      <string>sh</string>
      <string>-c</string>
-      <string>/usr/local/bin/yggdrasil -useconf &lt; /etc/yggdrasil.conf</string>
+      <string>/usr/local/bin/yggdrasil -useconffile /etc/yggdrasil.conf</string>
    </array>
    <key>KeepAlive</key>
    <true/>
--- a/contrib/msi/build-msi.sh
+++ b/contrib/msi/build-msi.sh
@@ -0,0 +1,225 @@
+#!/bin/sh
+
+# This script generates an MSI file for Yggdrasil for a given architecture. It
+# needs to run on Windows within MSYS2 and Go 1.13 or later must be installed on
+# the system and within the PATH. This is ran currently by Appveyor (see
+# appveyor.yml in the repository root) for both x86 and x64.
+#
+# Author: Neil Alexander <neilalexander@users.noreply.github.com>
+
+# Get arch from command line if given
+PKGARCH=$1
+if [ "${PKGARCH}" == "" ];
+then
+  echo "tell me the architecture: x86, x64 or arm"
+  exit 1
+fi
+
+# Get the rest of the repository history. This is needed within Appveyor because
+# otherwise we don't get all of the branch histories and therefore the semver
+# scripts don't work properly.
+if [ "${APPVEYOR_PULL_REQUEST_HEAD_REPO_BRANCH}" != "" ];
+then
+  git fetch --all
+  git checkout ${APPVEYOR_PULL_REQUEST_HEAD_REPO_BRANCH}
+elif [ "${APPVEYOR_REPO_BRANCH}" != "" ];
+then
+  git fetch --all
+  git checkout ${APPVEYOR_REPO_BRANCH}
+fi
+
+# Install prerequisites within MSYS2
+pacman -S --needed --noconfirm unzip git curl
+
+# Download the wix tools!
+if [ ! -d wixbin ];
+then
+  curl -LO https://github.com/wixtoolset/wix3/releases/download/wix3112rtm/wix311-binaries.zip
+  if [ `md5sum wix311-binaries.zip | cut -f 1 -d " "` != "47a506f8ab6666ee3cc502fb07d0ee2a" ];
+  then
+    echo "wix package didn't match expected checksum"
+    exit 1
+  fi
+  mkdir -p wixbin
+  unzip -o wix311-binaries.zip -d wixbin || (
+    echo "failed to unzip WiX"
+    exit 1
+  )
+fi
+
+# Build Yggdrasil!
+[ "${PKGARCH}" == "x64" ] && GOOS=windows GOARCH=amd64 CGO_ENABLED=0 ./build
+[ "${PKGARCH}" == "x86" ] && GOOS=windows GOARCH=386 CGO_ENABLED=0 ./build
+[ "${PKGARCH}" == "arm" ] && GOOS=windows GOARCH=arm CGO_ENABLED=0 ./build
+#[ "${PKGARCH}" == "arm64" ] && GOOS=windows GOARCH=arm64 CGO_ENABLED=0 ./build
+
+# Create the postinstall script
+cat > updateconfig.bat << EOF
+if not exist %ALLUSERSPROFILE%\\Yggdrasil (
+  mkdir %ALLUSERSPROFILE%\\Yggdrasil
+)
+if not exist %ALLUSERSPROFILE%\\Yggdrasil\\yggdrasil.conf (
+  if exist yggdrasil.exe (
+    yggdrasil.exe -genconf > %ALLUSERSPROFILE%\\Yggdrasil\\yggdrasil.conf
+  )
+)
+EOF
+
+# Work out metadata for the package info
+PKGNAME=$(sh contrib/semver/name.sh)
+PKGVERSION=$(sh contrib/msi/msversion.sh --bare)
+PKGVERSIONMS=$(echo $PKGVERSION | tr - .)
+[ "${PKGARCH}" == "x64" ] && \
+  PKGGUID="77757838-1a23-40a5-a720-c3b43e0260cc" PKGINSTFOLDER="ProgramFiles64Folder" || \
+  PKGGUID="54a3294e-a441-4322-aefb-3bb40dd022bb" PKGINSTFOLDER="ProgramFilesFolder"
+
+# Download the Wintun driver
+if [ ! -d wintun ];
+then
+  curl -o wintun.zip https://www.wintun.net/builds/wintun-0.11.zip
+  unzip wintun.zip
+fi
+if [ $PKGARCH = "x64" ]; then
+  PKGWINTUNDLL=wintun/bin/amd64/wintun.dll
+elif [ $PKGARCH = "x86" ]; then
+  PKGWINTUNDLL=wintun/bin/x86/wintun.dll
+elif [ $PKGARCH = "arm" ]; then
+  PKGWINTUNDLL=wintun/bin/arm/wintun.dll
+#elif [ $PKGARCH = "arm64" ]; then
+#  PKGWINTUNDLL=wintun/bin/arm64/wintun.dll
+else
+  echo "wasn't sure which architecture to get wintun for"
+  exit 1
+fi
+
+if [ $PKGNAME != "master" ]; then
+  PKGDISPLAYNAME="Yggdrasil Network (${PKGNAME} branch)"
+else
+  PKGDISPLAYNAME="Yggdrasil Network"
+fi
+
+# Generate the wix.xml file
+cat > wix.xml << EOF
+<?xml version="1.0" encoding="windows-1252"?>
+<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
+  <Product
+    Name="${PKGDISPLAYNAME}"
+    Id="*"
+    UpgradeCode="${PKGGUID}"
+    Language="1033"
+    Codepage="1252"
+    Version="${PKGVERSIONMS}"
+    Manufacturer="github.com/yggdrasil-network">
+
+    <Package
+      Id="*"
+      Keywords="Installer"
+      Description="Yggdrasil Network Installer"
+      Comments="Yggdrasil Network standalone router for Windows."
+      Manufacturer="github.com/yggdrasil-network"
+      InstallerVersion="200"
+      InstallScope="perMachine"
+      Languages="1033"
+      Compressed="yes"
+      SummaryCodepage="1252" />
+
+    <MajorUpgrade
+      AllowDowngrades="yes" />
+
+    <Media
+      Id="1"
+      Cabinet="Media.cab"
+      EmbedCab="yes"
+      CompressionLevel="high" />
+
+    <Directory Id="TARGETDIR" Name="SourceDir">
+      <Directory Id="${PKGINSTFOLDER}" Name="PFiles">
+        <Directory Id="YggdrasilInstallFolder" Name="Yggdrasil">
+
+          <Component Id="MainExecutable" Guid="c2119231-2aa3-4962-867a-9759c87beb24">
+            <File
+              Id="Yggdrasil"
+              Name="yggdrasil.exe"
+              DiskId="1"
+              Source="yggdrasil.exe"
+              KeyPath="yes" />
+
+            <File
+              Id="Wintun"
+              Name="wintun.dll"
+              DiskId="1"
+              Source="${PKGWINTUNDLL}" />
+
+            <ServiceInstall
+              Id="ServiceInstaller"
+              Account="LocalSystem"
+              Description="Yggdrasil Network router process"
+              DisplayName="Yggdrasil Service"
+              ErrorControl="normal"
+              LoadOrderGroup="NetworkProvider"
+              Name="Yggdrasil"
+              Start="auto"
+              Type="ownProcess"
+              Arguments='-useconffile "%ALLUSERSPROFILE%\\Yggdrasil\\yggdrasil.conf" -logto "%ALLUSERSPROFILE%\\Yggdrasil\\yggdrasil.log"'
+              Vital="yes" />
+
+            <ServiceControl
+              Id="ServiceControl"
+              Name="yggdrasil"
+              Start="install"
+              Stop="both"
+              Remove="uninstall" />
+          </Component>
+
+          <Component Id="CtrlExecutable" Guid="a916b730-974d-42a1-b687-d9d504cbb86a">
+            <File
+              Id="Yggdrasilctl"
+              Name="yggdrasilctl.exe"
+              DiskId="1"
+              Source="yggdrasilctl.exe"
+              KeyPath="yes"/>
+          </Component>
+
+          <Component Id="ConfigScript" Guid="64a3733b-c98a-4732-85f3-20cd7da1a785">
+            <File
+              Id="Configbat"
+              Name="updateconfig.bat"
+              DiskId="1"
+              Source="updateconfig.bat"
+              KeyPath="yes"/>
+          </Component>
+        </Directory>
+      </Directory>
+    </Directory>
+
+    <Feature Id="YggdrasilFeature" Title="Yggdrasil" Level="1">
+      <ComponentRef Id="MainExecutable" />
+      <ComponentRef Id="CtrlExecutable" />
+      <ComponentRef Id="ConfigScript" />
+    </Feature>
+
+    <CustomAction
+      Id="UpdateGenerateConfig"
+      Directory="YggdrasilInstallFolder"
+      ExeCommand="cmd.exe /c updateconfig.bat"
+      Execute="deferred"
+      Return="check"
+      Impersonate="yes" />
+
+    <InstallExecuteSequence>
+      <Custom
+        Action="UpdateGenerateConfig"
+        Before="StartServices">
+          NOT Installed AND NOT REMOVE
+      </Custom>
+    </InstallExecuteSequence>
+
+  </Product>
+</Wix>
+EOF
+
+# Generate the MSI
+CANDLEFLAGS="-nologo"
+LIGHTFLAGS="-nologo -spdb -sice:ICE71 -sice:ICE61"
+wixbin/candle $CANDLEFLAGS -out ${PKGNAME}-${PKGVERSION}-${PKGARCH}.wixobj -arch ${PKGARCH} wix.xml && \
+wixbin/light $LIGHTFLAGS -ext WixUtilExtension.dll -out ${PKGNAME}-${PKGVERSION}-${PKGARCH}.msi ${PKGNAME}-${PKGVERSION}-${PKGARCH}.wixobj
--- a/contrib/msi/msversion.sh
+++ b/contrib/msi/msversion.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Get the last tag
+TAG=$(git describe --abbrev=0 --tags --match="v[0-9]*\.[0-9]*\.[0-9]*" 2>/dev/null)
+
+# Did getting the tag succeed?
+if [ $? != 0 ] || [ -z "$TAG" ]; then
+  printf -- "unknown"
+  exit 0
+fi
+
+# Get the current branch
+BRANCH=$(git symbolic-ref -q HEAD --short 2>/dev/null)
+
+# Did getting the branch succeed?
+if [ $? != 0 ] || [ -z "$BRANCH" ]; then
+  BRANCH="master"
+fi
+
+# Split out into major, minor and patch numbers
+MAJOR=$(echo $TAG | cut -c 2- | cut -d "." -f 1)
+MINOR=$(echo $TAG | cut -c 2- | cut -d "." -f 2)
+PATCH=$(echo $TAG | cut -c 2- | cut -d "." -f 3 | awk -F"rc" '{print $1}')
+
+# Output in the desired format
+if [ $((PATCH)) -eq 0 ]; then
+  printf '%s%d.%d' "$PREPEND" "$((MAJOR))" "$((MINOR))"
+else
+  printf '%s%d.%d.%d' "$PREPEND" "$((MAJOR))" "$((MINOR))" "$((PATCH))"
+fi
+
+# Add the build tag on non-master branches
+if [ "$BRANCH" != "master" ]; then
+  BUILD=$(git rev-list --count $TAG..HEAD 2>/dev/null)
+
+  # Did getting the count of commits since the tag succeed?
+  if [ $? != 0 ] || [ -z "$BUILD" ]; then
+    printf -- "-unknown"
+    exit 0
+  fi
+
+  # Is the build greater than zero?
+  if [ $((BUILD)) -gt 0 ]; then
+      printf -- "-%04d" "$((BUILD))"
+  fi
+fi
--- a/contrib/openrc/yggdrasil
+++ b/contrib/openrc/yggdrasil
@@ -0,0 +1,55 @@
+#!/sbin/openrc-run
+
+description="An experiment in scalable routing as an encrypted IPv6 overlay network."
+
+CONFFILE="/etc/yggdrasil.conf"
+pidfile="/run/${RC_SVCNAME}.pid"
+
+command="/usr/bin/yggdrasil"
+extra_started_commands="reload"
+
+depend() {
+	use net dns logger
+}
+
+start_pre() {
+	if [ ! -f "${CONFFILE}" ]; then
+		ebegin "Generating new configuration file into ${CONFFILE}"
+		if ! eval ${command} -genconf > ${CONFFILE}; then
+			eerror "Failed to generate configuration file"
+			exit 1
+		fi
+	fi
+
+	if [ ! -e /dev/net/tun ]; then
+		ebegin "Inserting TUN module"
+		if ! modprobe tun;  then
+			eerror "Failed to insert TUN kernel module"
+			exit 1
+		fi
+	fi
+}
+
+start() {
+	ebegin "Starting ${RC_SVCNAME}"
+	start-stop-daemon --start --quiet \
+		--pidfile "${pidfile}" \
+		--make-pidfile \
+		--background \
+		--stdout /var/log/yggdrasil.stdout.log \
+		--stderr /var/log/yggdrasil.stderr.log \
+		--exec "${command}" -- -useconffile "${CONFFILE}"
+	eend $?
+}
+
+reload() {
+	ebegin "Reloading ${RC_SVCNAME}"
+	start-stop-daemon --signal HUP --pidfile "${pidfile}"
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping ${RC_SVCNAME}"
+	start-stop-daemon --stop --pidfile "${pidfile}" --exec "${command}"
+	eend $?
+}
--- a/contrib/rpm/yggdrasil.spec
+++ b/contrib/rpm/yggdrasil.spec
@@ -1,47 +0,0 @@
-Name:           yggdrasil
-Version:        0.3.0
-Release:        1%{?dist}
-Summary:        End-to-end encrypted IPv6 networking
-
-License:        GPLv3
-URL:            https://yggdrasil-network.github.io
-Source0:        https://codeload.github.com/yggdrasil-network/yggdrasil-go/tar.gz/v0.3.0
-
-%{?systemd_requires}
-BuildRequires:  systemd golang >= 1.11
-
-%description
-Yggdrasil is a proof-of-concept to explore a wholly different approach to
-network routing. Whereas current computer networks depend heavily on very
-centralised design and configuration, Yggdrasil breaks this mould by making
-use of a global spanning tree to form a scalable IPv6 encrypted mesh network.
-
-%prep
-%setup -qn yggdrasil-go-%{version}
-
-%build
-./build -t -l "-linkmode=external"
-
-%install
-rm -rf %{buildroot}
-mkdir -p %{buildroot}/%{_bindir}
-mkdir -p %{buildroot}/%{_sysconfdir}/systemd/system
-install -m 0755 yggdrasil %{buildroot}/%{_bindir}/yggdrasil
-install -m 0755 yggdrasilctl %{buildroot}/%{_bindir}/yggdrasilctl
-install -m 0755 contrib/systemd/yggdrasil.service %{buildroot}/%{_sysconfdir}/systemd/system/yggdrasil.service
-install -m 0755 contrib/systemd/yggdrasil-resume.service %{buildroot}/%{_sysconfdir}/systemd/system/yggdrasil-resume.service
-
-%files
-%{_bindir}/yggdrasil
-%{_bindir}/yggdrasilctl
-%{_sysconfdir}/systemd/system/yggdrasil.service
-%{_sysconfdir}/systemd/system/yggdrasil-resume.service
-
-%post
-%systemd_post yggdrasil.service
-
-%preun
-%systemd_preun yggdrasil.service
-
-%postun
-%systemd_postun_with_restart yggdrasil.service
--- a/contrib/semver/name.sh
+++ b/contrib/semver/name.sh
@@ -4,9 +4,9 @@
 BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null)

 # Complain if the git history is not available
-if [ $? != 0 ]; then
-  printf "unknown"
-  exit 1
+if [ $? != 0 ] || [ -z "$BRANCH" ]; then
+  printf "yggdrasil"
+  exit 0
 fi

 # Remove "/" characters from the branch name if present
--- a/contrib/semver/version.sh
+++ b/contrib/semver/version.sh
@@ -1,62 +1,11 @@
 #!/bin/sh

-# Merge commits from this branch are counted
-DEVELOPBRANCH="yggdrasil-network/develop"
-
-# Get the last tag
-TAG=$(git describe --abbrev=0 --tags --match="v[0-9]*\.[0-9]*\.0" 2>/dev/null)
-
-# Get last merge to master
-MERGE=$(git rev-list $TAG..master --grep "from $DEVELOPBRANCH" 2>/dev/null | head -n 1)
-
-# Get the number of merges since the last merge to master
-PATCH=$(git rev-list $TAG..master --count --merges --grep="from $DEVELOPBRANCH" 2>/dev/null)
-
-# Decide whether we should prepend the version with "v" - the default is that
-# we do because we use it in git tags, but we might not always need it
-PREPEND="v"
-if [ "$1" = "--bare" ]; then
-  PREPEND=""
-fi
-
-# If it fails then there's no last tag - go from the first commit
-if [ $? != 0 ]; then
-  PATCH=$(git rev-list HEAD --count 2>/dev/null)
-
-  # Complain if the git history is not available
-  if [ $? != 0 ]; then
-    printf 'unknown'
-    exit 1
-  fi
-
-  printf '%s0.0.%d' "$PREPEND" "$PATCH"
-  exit 1
-fi
-
-# Get the number of merges on the current branch since the last tag
-BUILD=$(git rev-list $TAG..HEAD --count --merges)
-
-# Split out into major, minor and patch numbers
-MAJOR=$(echo $TAG | cut -c 2- | cut -d "." -f 1)
-MINOR=$(echo $TAG | cut -c 2- | cut -d "." -f 2)
-
-# Get the current checked out branch
-BRANCH=$(git rev-parse --abbrev-ref HEAD)
-
-# Output in the desired format
-if [ $PATCH = 0 ]; then
-  if [ ! -z $FULL ]; then
-    printf '%s%d.%d.0' "$PREPEND" "$MAJOR" "$MINOR"
-  else
-    printf '%s%d.%d' "$PREPEND" "$MAJOR" "$MINOR"
-  fi
-else
-  printf '%s%d.%d.%d' "$PREPEND" "$MAJOR" "$MINOR" "$PATCH"
-fi
-
-# Add the build tag on non-master branches
-if [ $BRANCH != "master" ]; then
-  if [ $BUILD != 0 ]; then
-    printf -- "-%04d" "$BUILD"
-  fi
-fi
+case "$*" in
+  *--bare*)
+    # Remove the "v" prefix
+    git describe --tags --match="v[0-9]*\.[0-9]*\.[0-9]*" | cut -c 2-
+    ;;
+  *)
+    git describe --tags --match="v[0-9]*\.[0-9]*\.[0-9]*"
+    ;;
+esac
--- a/contrib/systemd/yggdrasil-default-config.service
+++ b/contrib/systemd/yggdrasil-default-config.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=yggdrasil default config generator
+ConditionPathExists=|!/etc/yggdrasil.conf
+ConditionFileNotEmpty=|!/etc/yggdrasil.conf
+Wants=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+Group=yggdrasil
+StandardOutput=file:/etc/yggdrasil.conf
+ExecStart=/usr/bin/yggdrasil -genconf
+ExecStartPost=/usr/bin/chmod 0640 /etc/yggdrasil.conf
--- a/contrib/systemd/yggdrasil-resume.service
+++ b/contrib/systemd/yggdrasil-resume.service
@@ -1,10 +0,0 @@
-[Unit]
-Description=Restart yggdrasil on resume from sleep
-After=sleep.target
-
-[Service]
-Type=oneshot
-ExecStart=/bin/systemctl restart yggdrasil
-
-[Install]
-WantedBy=sleep.target
--- a/contrib/systemd/yggdrasil.service
+++ b/contrib/systemd/yggdrasil.service
@@ -1,20 +1,21 @@
 [Unit]
 Description=yggdrasil
 Wants=network.target
+Wants=yggdrasil-default-config.service
 After=network.target
+After=yggdrasil-default-config.service

 [Service]
+Group=yggdrasil
 ProtectHome=true
 ProtectSystem=true
 SyslogIdentifier=yggdrasil
-ExecStartPre=/bin/sh -ec "if ! test -s /etc/yggdrasil.conf; \
-                then umask 077; \
-                yggdrasil -genconf > /etc/yggdrasil.conf; \
-                echo 'WARNING: A new /etc/yggdrasil.conf file has been generated.'; \
-            fi"
-ExecStart=/bin/sh -c "exec yggdrasil -useconf < /etc/yggdrasil.conf"
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+ExecStartPre=+-/sbin/modprobe tun
+ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf
+ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
+TimeoutStopSec=5

 [Install]
 WantedBy=multi-user.target
-Also=yggdrasil-resume.service
--- a/contrib/yggdrasil-brute-simple/LICENSE
+++ b/contrib/yggdrasil-brute-simple/LICENSE
@@ -0,0 +1,150 @@
+This software is released into the public domain. As such, it can be
+used under the Unlicense or CC0 public domain dedications.
+
+
+
+The Unlicense
+
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org/>
+
+
+
+CC0 1.0 Universal
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator and
+subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for the
+purpose of contributing to a commons of creative, cultural and scientific
+works ("Commons") that the public can reliably and without fear of later
+claims of infringement build upon, modify, incorporate in other works, reuse
+and redistribute as freely as possible in any form whatsoever and for any
+purposes, including without limitation commercial purposes. These owners may
+contribute to the Commons to promote the ideal of a free culture and the
+further production of creative, cultural and scientific works, or to gain
+reputation or greater distribution for their Work in part through the use and
+efforts of others.
+
+For these and/or other purposes and motivations, and without any expectation
+of additional consideration or compensation, the person associating CC0 with a
+Work (the "Affirmer"), to the extent that he or she is an owner of Copyright
+and Related Rights in the Work, voluntarily elects to apply CC0 to the Work
+and publicly distribute the Work under its terms, with knowledge of his or her
+Copyright and Related Rights in the Work and the meaning and intended legal
+effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not limited
+to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display, communicate,
+  and translate a Work;
+
+  ii. moral rights retained by the original author(s) and/or performer(s);
+
+  iii. publicity and privacy rights pertaining to a person's image or likeness
+  depicted in a Work;
+
+  iv. rights protecting against unfair competition in regards to a Work,
+  subject to the limitations in paragraph 4(a), below;
+
+  v. rights protecting the extraction, dissemination, use and reuse of data in
+  a Work;
+
+  vi. database rights (such as those arising under Directive 96/9/EC of the
+  European Parliament and of the Council of 11 March 1996 on the legal
+  protection of databases, and under any national implementation thereof,
+  including any amended or successor version of such directive); and
+
+  vii. other similar, equivalent or corresponding rights throughout the world
+  based on applicable law or treaty, and any national implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention of,
+applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and
+unconditionally waives, abandons, and surrenders all of Affirmer's Copyright
+and Related Rights and associated claims and causes of action, whether now
+known or unknown (including existing as well as future claims and causes of
+action), in the Work (i) in all territories worldwide, (ii) for the maximum
+duration provided by applicable law or treaty (including future time
+extensions), (iii) in any current or future medium and for any number of
+copies, and (iv) for any purpose whatsoever, including without limitation
+commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes
+the Waiver for the benefit of each member of the public at large and to the
+detriment of Affirmer's heirs and successors, fully intending that such Waiver
+shall not be subject to revocation, rescission, cancellation, termination, or
+any other legal or equitable action to disrupt the quiet enjoyment of the Work
+by the public as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason be
+judged legally invalid or ineffective under applicable law, then the Waiver
+shall be preserved to the maximum extent permitted taking into account
+Affirmer's express Statement of Purpose. In addition, to the extent the Waiver
+is so judged Affirmer hereby grants to each affected person a royalty-free,
+non transferable, non sublicensable, non exclusive, irrevocable and
+unconditional license to exercise Affirmer's Copyright and Related Rights in
+the Work (i) in all territories worldwide, (ii) for the maximum duration
+provided by applicable law or treaty (including future time extensions), (iii)
+in any current or future medium and for any number of copies, and (iv) for any
+purpose whatsoever, including without limitation commercial, advertising or
+promotional purposes (the "License"). The License shall be deemed effective as
+of the date CC0 was applied by Affirmer to the Work. Should any part of the
+License for any reason be judged legally invalid or ineffective under
+applicable law, such partial invalidity or ineffectiveness shall not
+invalidate the remainder of the License, and in such case Affirmer hereby
+affirms that he or she will not (i) exercise any of his or her remaining
+Copyright and Related Rights in the Work or (ii) assert any associated claims
+and causes of action with respect to the Work, in either case contrary to
+Affirmer's express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+  a. No trademark or patent rights held by Affirmer are waived, abandoned,
+  surrendered, licensed or otherwise affected by this document.
+
+  b. Affirmer offers the Work as-is and makes no representations or warranties
+  of any kind concerning the Work, express, implied, statutory or otherwise,
+  including without limitation warranties of title, merchantability, fitness
+  for a particular purpose, non infringement, or the absence of latent or
+  other defects, accuracy, or the present or absence of errors, whether or not
+  discoverable, all to the greatest extent permissible under applicable law.
+
+  c. Affirmer disclaims responsibility for clearing rights of other persons
+  that may apply to the Work or any use thereof, including without limitation
+  any person's Copyright and Related Rights in the Work. Further, Affirmer
+  disclaims responsibility for obtaining any necessary consents, permissions
+  or other rights required for any use of the Work.
+
+  d. Affirmer understands and acknowledges that Creative Commons is not a
+  party to this document and has no duty or obligation with respect to this
+  CC0 or use of the Work.
+
+For more information, please see
+<http://creativecommons.org/publicdomain/zero/1.0/>
--- a/contrib/yggdrasil-brute-simple/Makefile
+++ b/contrib/yggdrasil-brute-simple/Makefile
@@ -0,0 +1,12 @@
+.PHONY: all
+
+all: util yggdrasil-brute-multi-curve25519 yggdrasil-brute-multi-ed25519
+
+util: util.c
+	gcc -Wall -std=c89 -O3 -c -o util.o util.c
+
+yggdrasil-brute-multi-ed25519: yggdrasil-brute-multi-ed25519.c util.o
+	gcc -Wall -std=c89 -O3 -o yggdrasil-brute-multi-ed25519 -lsodium yggdrasil-brute-multi-ed25519.c util.o
+
+yggdrasil-brute-multi-curve25519: yggdrasil-brute-multi-curve25519.c util.o
+	gcc -Wall -std=c89 -O3 -o yggdrasil-brute-multi-curve25519 -lsodium yggdrasil-brute-multi-curve25519.c util.o
--- a/contrib/yggdrasil-brute-simple/README.md
+++ b/contrib/yggdrasil-brute-simple/README.md
@@ -0,0 +1,8 @@
+# yggdrasil-brute-simple
+
+Simple program for finding curve25519 and ed25519 public keys whose sha512 hash has many leading ones.
+Because ed25519 private keys consist of a seed that is hashed to find the secret part of the keypair,
+this program is near optimal for finding ed25519 keypairs. Curve25519 key generation, on the other hand,
+could be further optimized with elliptic curve magic.
+
+Depends on libsodium.
--- a/contrib/yggdrasil-brute-simple/util.c
+++ b/contrib/yggdrasil-brute-simple/util.c
@@ -0,0 +1,62 @@
+#include "yggdrasil-brute.h"
+
+int find_where(unsigned char hash[64], unsigned char besthashlist[NUMKEYS][64]) {
+	/* Where to insert hash into sorted hashlist */
+	int j;
+	int where = -1;
+	for (j = 0; j < NUMKEYS; ++j) {
+		if (memcmp(hash, besthashlist[j], 64) > 0) ++where;
+		else break;
+	}
+	return where;
+}
+
+void insert_64(unsigned char itemlist[NUMKEYS][64], unsigned char item[64], int where) {
+	int j;
+	for (j = 0; j < where; ++j) {
+		memcpy(itemlist[j], itemlist[j+1], 64);
+	}
+	memcpy(itemlist[where], item, 64);
+}
+
+void insert_32(unsigned char itemlist[NUMKEYS][32], unsigned char item[32], int where) {
+	int j;
+	for (j = 0; j < where; ++j) {
+		memcpy(itemlist[j], itemlist[j+1], 32);
+	}
+	memcpy(itemlist[where], item, 32);
+}
+
+void make_addr(unsigned char addr[32], unsigned char hash[64]) {
+	/* Public key hash to yggdrasil ipv6 address */
+	int i;
+	int offset;
+	unsigned char mask;
+	unsigned char c;
+	int ones = 0;
+	unsigned char br = 0; /* false */
+	for (i = 0; i < 64 && !br; ++i) {
+		mask = 128;
+		c = hash[i];
+		while (mask) {
+			if (c & mask) {
+				++ones;
+			} else {
+				br = 1; /* true */
+				break;
+			}
+			mask >>= 1;
+		}
+	}
+
+	addr[0] = 2;
+	addr[1] = ones;
+
+	offset = ones + 1;
+	for (i = 0; i < 14; ++i) {
+		c = hash[offset/8] << (offset%8);
+		c |= hash[offset/8 + 1] >> (8 - offset%8);
+		addr[i + 2] = c;
+		offset += 8;
+	}
+}
--- a/contrib/yggdrasil-brute-simple/yggdrasil-brute-multi-curve25519.c
+++ b/contrib/yggdrasil-brute-simple/yggdrasil-brute-multi-curve25519.c
@@ -0,0 +1,105 @@
+/*
+sk: 32 random bytes
+sk[0] &= 248;
+sk[31] &= 127;
+sk[31] |= 64;
+
+increment sk
+pk = curve25519_scalarmult_base(mysecret)
+hash = sha512(pk)
+
+if besthash:
+	bestsk = sk
+	besthash = hash
+*/
+
+#include "yggdrasil-brute.h"
+
+
+void seed(unsigned char sk[32]) {
+	randombytes_buf(sk, 32);
+	sk[0] &= 248;
+	sk[31] &= 127;
+	sk[31] |= 64;
+}
+
+
+int main(int argc, char **argv) {
+	int i;
+	int j;
+	unsigned char addr[16];
+	time_t starttime;
+	time_t requestedtime;
+
+	unsigned char bestsklist[NUMKEYS][32];
+	unsigned char bestpklist[NUMKEYS][32];
+	unsigned char besthashlist[NUMKEYS][64];
+
+	unsigned char sk[32];
+	unsigned char pk[32];
+	unsigned char hash[64];
+
+	unsigned int runs = 0;
+	int where;
+
+	if (argc != 2) {
+		fprintf(stderr, "usage: ./yggdrasil-brute-multi-curve25519 <seconds>\n");
+		return 1;
+	}
+
+	if (sodium_init() < 0) {
+		/* panic! the library couldn't be initialized, it is not safe to use */
+		printf("sodium init failed!\n");
+		return 1;
+	}
+
+	starttime = time(NULL);
+	requestedtime = atoi(argv[1]);
+
+	if (requestedtime < 0) requestedtime = 0;
+	fprintf(stderr, "Searching for yggdrasil curve25519 keys (this will take slightly longer than %ld seconds)\n", requestedtime);
+
+	sodium_memzero(bestsklist, NUMKEYS * 32);
+	sodium_memzero(bestpklist, NUMKEYS * 32);
+	sodium_memzero(besthashlist, NUMKEYS * 64);
+	seed(sk);
+
+	do {
+		/* generate pubkey, hash, compare, increment secret.
+		 * this loop should take 4 seconds on modern hardware */
+		for (i = 0; i < (1 << 16); ++i) {
+			++runs;
+			if (crypto_scalarmult_curve25519_base(pk, sk) != 0) {
+				printf("scalarmult to create pub failed!\n");
+				return 1;
+			}
+			crypto_hash_sha512(hash, pk, 32);
+
+			where = find_where(hash, besthashlist);
+			if (where >= 0) {
+				insert_32(bestsklist, sk, where);
+				insert_32(bestpklist, pk, where);
+				insert_64(besthashlist, hash, where);
+
+				seed(sk);
+			}
+			for (j = 1; j < 31; ++j) if (++sk[j]) break;
+		}
+	} while (time(NULL) - starttime < requestedtime || runs < NUMKEYS);
+
+	fprintf(stderr, "--------------addr-------------- -----------------------------secret----------------------------- -----------------------------public-----------------------------\n");
+	for (i = 0; i < NUMKEYS; ++i) {
+		make_addr(addr, besthashlist[i]);
+		for (j = 0; j < 16; ++j) printf("%02x", addr[j]);
+		printf(" ");
+		for (j = 0; j < 32; ++j) printf("%02x", bestsklist[i][j]);
+		printf(" ");
+		for (j = 0; j < 32; ++j) printf("%02x", bestpklist[i][j]);
+		printf("\n");
+	}
+
+	sodium_memzero(bestsklist, NUMKEYS * 32);
+	sodium_memzero(sk, 32);
+
+	return 0;
+}
--- a/contrib/yggdrasil-brute-simple/yggdrasil-brute-multi-ed25519.c
+++ b/contrib/yggdrasil-brute-simple/yggdrasil-brute-multi-ed25519.c
@@ -0,0 +1,106 @@
+/*
+seed: 32 random bytes
+sk: sha512(seed)
+sk[0] &= 248
+sk[31] &= 127
+sk[31] |= 64
+
+pk: scalarmult_ed25519_base(sk)
+
+
+increment seed
+generate sk
+generate pk
+hash = sha512(mypub)
+
+if besthash:
+	bestseed = seed
+	bestseckey = sk
+	bestpubkey = pk
+	besthash = hash
+*/
+
+#include "yggdrasil-brute.h"
+
+
+int main(int argc, char **argv) {
+	int i;
+	int j;
+	time_t starttime;
+	time_t requestedtime;
+
+	unsigned char bestsklist[NUMKEYS][64]; /* sk contains pk */
+	unsigned char besthashlist[NUMKEYS][64];
+
+	unsigned char seed[32];
+	unsigned char sk[64];
+	unsigned char pk[32];
+	unsigned char hash[64];
+
+	unsigned int runs = 0;
+	int where;
+
+	if (argc != 2) {
+		fprintf(stderr, "usage: ./yggdrasil-brute-multi-curve25519 <seconds>\n");
+		return 1;
+	}
+
+	if (sodium_init() < 0) {
+		/* panic! the library couldn't be initialized, it is not safe to use */
+		printf("sodium init failed!\n");
+		return 1;
+	}
+
+	starttime = time(NULL);
+	requestedtime = atoi(argv[1]);
+
+	if (requestedtime < 0) requestedtime = 0;
+	fprintf(stderr, "Searching for yggdrasil ed25519 keys (this will take slightly longer than %ld seconds)\n", requestedtime);
+
+	sodium_memzero(bestsklist, NUMKEYS * 64);
+	sodium_memzero(besthashlist, NUMKEYS * 64);
+	randombytes_buf(seed, 32);
+
+	do {
+		/* generate pubkey, hash, compare, increment secret.
+		 * this loop should take 4 seconds on modern hardware */
+		for (i = 0; i < (1 << 17); ++i) {
+			++runs;
+			crypto_hash_sha512(sk, seed, 32);
+
+			if (crypto_scalarmult_ed25519_base(pk, sk) != 0) {
+				printf("scalarmult to create pub failed!\n");
+				return 1;
+			}
+			memcpy(sk + 32, pk, 32);
+
+			crypto_hash_sha512(hash, pk, 32);
+
+			/* insert into local list of good key */
+			where = find_where(hash, besthashlist);
+			if (where >= 0) {
+				insert_64(bestsklist, sk, where);
+				insert_64(besthashlist, hash, where);
+				randombytes_buf(seed, 32);
+			}
+			for (j = 1; j < 31; ++j) if (++seed[j]) break;
+		}
+	} while (time(NULL) - starttime < requestedtime || runs < NUMKEYS);
+
+	fprintf(stderr, "!! Secret key is seed concatenated with public !!\n");
+	fprintf(stderr, "---hash--- ------------------------------seed------------------------------ -----------------------------public-----------------------------\n");
+	for (i = 0; i < NUMKEYS; ++i) {
+		for (j = 0; j < 5; ++j) printf("%02x", besthashlist[i][j]);
+		printf(" ");
+		for (j = 0; j < 32; ++j) printf("%02x", bestsklist[i][j]);
+		printf(" ");
+		for (j = 32; j < 64; ++j) printf("%02x", bestsklist[i][j]);
+		printf("\n");
+	}
+
+	sodium_memzero(bestsklist, NUMKEYS * 64);
+	sodium_memzero(sk, 64);
+	sodium_memzero(seed, 32);
+
+	return 0;
+}
--- a/contrib/yggdrasil-brute-simple/yggdrasil-brute.h
+++ b/contrib/yggdrasil-brute-simple/yggdrasil-brute.h
@@ -0,0 +1,12 @@
+#include <sodium.h>
+#include <stdio.h>  /* printf */
+#include <string.h> /* memcpy */
+#include <stdlib.h> /* atoi */
+#include <time.h> /* time */
+
+
+#define NUMKEYS 10
+void make_addr(unsigned char addr[32], unsigned char hash[64]);
+int find_where(unsigned char hash[64], unsigned char besthashlist[NUMKEYS][64]);
+void insert_64(unsigned char itemlist[NUMKEYS][64], unsigned char item[64], int where);
+void insert_32(unsigned char itemlist[NUMKEYS][32], unsigned char item[32], int where);
--- a/doc/Whitepaper.md
+++ b/doc/Whitepaper.md
@@ -1,148 +0,0 @@
-# Yggdasil
-
-Note: This is a very rough early draft.
-
-Yggdrasil is an encrypted IPv6 network running in the [`200::/7` address range](https://en.wikipedia.org/wiki/Unique_local_address).
-It is an experimental/toy network, so failure is acceptable, as long as it's instructive to see how it breaks if/when everything falls apart.
-
-IP addresses are derived from cryptographic keys, to reduce the need for public key infrastructure.
-A form of locator/identifier separation (similar in goal to [LISP](https://en.wikipedia.org/wiki/Locator/Identifier_Separation_Protocol)) is used to map static identifiers (IP addresses) onto dynamic routing information (locators), using a [distributed hash table](https://en.wikipedia.org/wiki/Distributed_hash_table) (DHT).
-Locators are used to approximate the distance between nodes in the network, where the approximate distance is the length of a real worst-case-scenario path through the network.
-This is (arguably) easier to secure and requires less information about the network than commonly used routing schemes.
-
-While not technically a [compact routing scheme](https://arxiv.org/abs/0708.2309), tests on real-world networks suggest that routing in this style incurs stretch comparable to the name-dependent compact routing schemes designed for static networks.
-Compared to compact routing schemes, Yggdrasil appears to have smaller average routing table sizes, works on dynamic networks, and is name-independent.
-It currently lacks the provable bounds of compact routing schemes, and there's a serious argument to be made that it cheats by stretching the definition of some of the above terms, but the main point to be emphasized is that there are trade-offs between different concerns when trying to route traffic, and we'd rather make every part *good* than try to make any one part *perfect*.
-In that sense, Yggdrasil seems to be competitive, on what are supposedly realistic networks, with compact routing schemes.
-
-## Addressing
-
-Yggdrasil uses a truncated version of a `NodeID` to assign addresses.
-An address is assigned from the `200::/7` prefix, according to the following:
-
-1. Begin with `0x02` as the first byte of the address, or `0x03` if it's a `/64` prefix.
-2. Count the number of leading `1` bits in the NodeID.
-3. Set the second byte of the address to the number of leading `1` bits in the NodeID (8 bit unsigned integer, at most 255).
-4. Append the NodeID to the remaining bits of the address, truncating the leading `1` bits and the first `0` bit, to a total address size of 128 bits.
-
-The last bit of the first byte is used to flag if an address is for a router (`200::/8`), or part of an advertised prefix (`300::/8`), where each router owns a `/64` that matches their address (except with the eight bit set to 1 instead of 0).
-This allows the prefix to be advertised to the router's LAN, so unsupported devices can still connect to the network (e.g. network printers).
-
-The NodeID is a [sha512sum](https://en.wikipedia.org/wiki/SHA-512) of a node's public encryption key.
-Addresses are checked that they match NodeID, to prevent address spoofing.
-As such, while a 128 bit IPv6 address is likely too short to be considered secure by cryptographer standards, there is a significant cost in attempting to cause an address collision.
-Addresses can be made more secure by brute force generating a large number of leading `1` bits in the NodeID.
-
-When connecting to a node, the IP address is unpacked into the known bits of the NodeID and a matching bitmask to track which bits are significant.
-A node is only communicated with if its `NodeID` matches its public key and the known `NodeID` bits from the address.
-
-It is important to note that only `NodeID` is used internally for routing, so the addressing scheme could in theory be changed without breaking compatibility with intermediate routers.
-This has been done once, when moving the address range from the `fd00::/8` ULA range to the reserved-but-[deprecated](https://tools.ietf.org/html/rfc4048) `200::/7` range.
-Further addressing scheme changes could occur if, for example, an IPv7 format ever emerges.
-
-### Cryptography
-
-Public key encryption is done using the `golang.org/x/crypto/nacl/box`, which uses [Curve25519](https://en.wikipedia.org/wiki/Curve25519), [XSalsa20](https://en.wikipedia.org/wiki/Salsa20), and [Poly1305](https://en.wikipedia.org/wiki/Poly1305) for key exchange, encryption, and authentication (interoperable with [NaCl](https://en.wikipedia.org/wiki/NaCl_(software))).
-Permanent keys are used only for protocol traffic, with random nonces generated on a per-packet basis using `crypto/rand` from Go's standard library.
-Ephemeral session keys (for [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy)) are generated for encapsulated IPv6 traffic, using the same set of primitives, with random initial nonces that are subsequently incremented.
-A list of recently received session nonces is kept (as a bitmask) and checked to reject duplicated packets, in an effort to block duplicate packets and replay attacks.
-A separate set of keys are generated and used for signing with [Ed25519](https://en.wikipedia.org/wiki/Ed25519), which is used by the routing layer to secure construction of a spanning tree.
-
-### Prefixes
-
-Recall that each node's address is in the lower half of the address range, I.e. `200::/8`. A `/64` prefix is made available to each node under `300::/8`, where the remaining bits of the prefix match the node's address under `200::/8`.
-A node may optionally advertise a prefix on their local area network, which allows unsupported or legacy devices with IPv6 support to connect to the network.
-Note that there are 64 fewer bits of `NodeID` available to check in each address from a routing prefix, so it makes sense to brute force a `NodeID` with more significant bits in the address if this approach is to be used.
-Running `genkeys.go` will do this by default.
-
-## Locators and Routing
-
-Locators are generated using information from a spanning tree (described below).
-The result is that each node has a set of [coordinates in a greedy metric space](https://en.wikipedia.org/wiki/Greedy_embedding).
-These coordinates are used as a distance label.
-Given the coordinates of any two nodes, it is possible to calculate the length of some real path through the network between the two nodes.
-
-Traffic is forwarded using a [greedy routing](https://en.wikipedia.org/wiki/Small-world_routing#Greedy_routing) scheme, where each node forwards the packet to a one-hop neighbor that is closer to the destination (according to this distance metric) than the current node.
-In particular, when a packet needs to be forward, a node will forward it to whatever peer is closest to the destination in the greedy [metric space](https://en.wikipedia.org/wiki/Metric_space) used by the network, provided that the peer is closer to the destination than the current node.
-
-If no closer peers are idle, then the packet is queued in FIFO order, with separate queues per destination coords (currently, as a bit of a hack, IPv6 flow labels are embedeed after the end of the significant part of the coords, so queues distinguish between different traffic streams with the same destination).
-Whenever the node finishes forwarding a packet to a peer, it checks the queues, and will forward the first packet from the queue with the maximum `<age of first packet>/<queue size in bytes>`, i.e. the bandwidth the queue is attempting to use, subject to the constraint that the peer is a valid next hop (i.e. closer to the destination than the current node).
-If no non-empty queue is available, then the peer is added to the idle set, forward packets when the need arises.
-
-This acts as a crude approximation of backpressure routing, where the remote queue sizes are assumed to be equal to the distance of a node from a destination (rather than communicating queue size information), and packets are never forwarded "backwards" through the network, but congestion on a local link is routed around when possible.
-The queue selection strategy behaves similar to shortest-queue-first, in that a larger fration of available bandwith to sessions that attempt to use less bandwidth, and is loosely based on the rationale behind some proposed solutions to the [cake-cutting](https://en.wikipedia.org/wiki/Fair_cake-cutting) problem.
-
-The queue size is limited to 4 MB. If a packet is added to a queue and the total size of all queues is larger than this threshold, then a random queue is selected (with odds proportional to relative queue sizes), and the first packet from that queue is dropped, with the process repeated until the total queue size drops below the allowed threshold.
-
-Note that this forwarding procedure generalizes to nodes that are not one-hop neighbors, but the current implementation omits the use of more distant neighbors, as this is expected to be a minor optimization (it would add per-link control traffic to pass path-vector-like information about a subset of the network, which is a lot of overhead compared to the current setup).
-
-### Spanning Tree
-
-A [spanning tree](https://en.wikipedia.org/wiki/Spanning_tree) is constructed with the tree rooted at the highest TreeID, where TreeID is equal to a sha512sum of a node's public [Ed25519](https://en.wikipedia.org/wiki/Ed25519) key (used for signing).
-A node sends periodic advertisement messages to each neighbor.
-The advertisement contains the coords that match the path from the root through the node, plus one additional hop from the node to the neighbor being advertised to.
-Each hop in this advertisement includes a matching ed25519 signature.
-These signatures prevent nodes from forging arbitrary routing advertisements.
-
-The first hop, from the root, also includes a sequence number, which must be updated periodically.
-A node will blacklist the current root (keeping a record of the last sequence number observed) if the root fails to update for longer than some timeout (currently hard coded at 1 minute).
-Normally, a root node will update their sequence number for frequently than this (once every 30 seconds).
-Nodes are throttled to ignore updates with a new sequence number for some period after updating their most recently seen sequence number (currently this cooldown is 15 seconds).
-The implementation chooses to set the sequence number equal to the unix time on the root's clock, so that a new (higher) sequence number will be selected if the root is restarted and the clock is not set back.
-
-Other than the root node, every other node in the network must select one of its neighbors to use as their parent.
-This selection is done by tracking when each neighbor first sends us a message with a new timestamp from the root, to determine the ordering of the latency of each path from the root, to each neighbor, and then to the node that's searching for a parent.
-These relative latencies are tracked by, for each neighbor, keeping a score vs each other neighbor.
-If a neighbor sends a message with an updated timestamp before another neighbor, then the faster neighbor's score is increased by 1.
-If the neighbor sends a message slower, then the score is decreased by 2, to make sure that a node must be reliably faster (at least 2/3 of the time) to see a net score increase over time.
-If a node begins to advertise new coordinates, then its score vs all other nodes is reset to 0.
-A node switches to a new parent if a neighbor's score (vs the current parent) reaches some threshold, currently 240, which corresponds to about 2 hours of being a reliably faster path.
-The intended outcome of this process is that stable connections from fixed infrastructure near the "core" of the network should (eventually) select parents that minimize latency from the root to themselves, while the more dynamic parts of the network, presumably more towards the edges, will try to favor reliability when selecting a parent.
-
-The distance metric between nodes is simply the distance between the nodes if they routed on the spanning tree.
-This is equal to the sum of the distance from each node to the last common ancestor of the two nodes being compared.
-The locator then consists of a root's key, timestamp, and coordinates representing each hop in the path from the root to the node.
-In practice, only the coords are used for routing, while the root and timestamp, along with all the per-hop signatures, are needed to securely construct the spanning tree.
-
-## Name-independent routing
-
-A [Chord](https://en.wikipedia.org/wiki/Chord_(peer-to-peer))-like Distributed Hash Table (DHT) is used as a distributed database that maps NodeIDs onto coordinates in the spanning tree metric space.
-The DHT is Chord-like in that it uses a successor/predecessor structure to do lookups in `O(n)` time with `O(1)` entries, then augments this with some additional information, adding roughly `O(logn)` additional entries, to reduce the lookup time to something around `O(logn)`.
-In the long term, the idea is to favor spending our bandwidth making sure the minimum `O(1)` part is right, to prioritize correctness, and then try to conserve bandwidth (and power) by being a bit lazy about checking the remaining `O(logn)` portion when it's not in use.
-
-To be specific, the DHT stores the immediate successor of a node, plus the next node it manages to find which is strictly closer (by the tree hop-count metric) than all previous nodes.
-The same process is repeated for predecessor nodes, and lookups walk the network in the predecessor direction, with each key being owned by its successor (to make sure defaulting to 0 for unknown bits of a `NodeID` doesn't cause us to overshoot the target during a lookup).
-In addition, all of a node's one-hop neighbors are included in the DHT, since we get this information "for free", and we must include it in our DHT to ensure that the network doesn't diverge to a broken state (though I suspect that only adding parents or parent-child relationships may be sufficient -- worth trying to prove or disprove, if somebody's bored).
-The DHT differs from Chord in that there are no values in the key:value store -- it only stores information about DHT peers -- and that it uses a [Kademlia](https://en.wikipedia.org/wiki/Kademlia)-inspired iterative-parallel lookup process.
-
-To summarize the entire routing procedure, when given only a node's IP address, the goal is to find a route to the destination.
-That happens through 3 steps:
-
-1. The address is unpacked into the known bits of a NodeID and a bitmask to signal which bits of the NodeID are known (the unknown bits are ignored).
-2. A DHT search is performed, which normally results in a response from the node closest in the DHT keyspace to the target `NodeID`. The response contains the node's curve25519 public key, which is checked to match the `NodeID` (and therefore the address), as well as the node's coordinates.
-3. Using the keys and coords from the above step, an ephemeral key exchange occurs between the source and destination nodes. These ephemeral session keys are used to encrypt any ordinary IPv6 traffic that may be encapsulated and sent between the nodes.
-
-From that point, the session keys and coords are cached and used to encrypt and send traffic between nodes. This is *mostly* transparent to the user: the initial DHT lookup and key exchange takes at least 2 round trips, so there's some delay before session setup completes and normal IPv6 traffic can flow. This is similar to the delay caused by a DNS lookup, although it generally takes longer, as a DHT lookup requires multiple iterations to reach the destination.
-
-## Project Status and Plans
-
-The current (Go) implementation is considered alpha, so compatibility with future versions is neither guaranteed nor expected.
-While users are discouraged from running anything truly critical on top of it, as of writing, it seems reliable enough for day-to-day use.
-
-As an "alpha" quality release, Yggdrasil *should* at least be able to detect incompatible versions when it sees them, and warn the users that an update may be needed.
-A "beta" quality release should know enough to be compatible in the face of wire format changes, and reasonably feature complete.
-A "stable" 1.0 release, if it ever happens, would probably be feature complete, with no expectation of future wire format changes, and free of known critical bugs.
-
-Roughly speaking, there are a few obvious ways the project could turn out:
-
-1. The developers could lose interest before it goes anywhere.
-2. The project could be reasonably complete (beta or stable), but never gain a significant number of users.
-3. The network may grow large enough that fundamental (non-fixable) design problems appear, which is hopefully a learning experience, but the project may die as a result.
-4. The network may grow large, but never hit any design problems, in which case we need to think about either moving the important parts into other projects ([cjdns](https://github.com/cjdelisle/cjdns)) or rewriting compatible implementations that are better optimized for the target platforms (e.g. a linux kernel module).
-
-That last one is probably impossible, because the speed of light would *eventually* become a problem, for a sufficiently large network.
-If the only thing limiting network growth turns out to be the underlying physics, then that arguably counts as a win.
-
-Also, note that some design decisions were made for ease-of-programming or ease-of-testing reasons, and likely need to be reconsidered at some point.
-In particular, Yggdrasil currently uses TCP for connections with one-hop neighbors, which introduces an additional layer of buffering that can lead to increased and/or unstable latency in congested areas of the network.
-
--- a/go.mod
+++ b/go.mod
@@ -1,14 +1,26 @@
 module github.com/yggdrasil-network/yggdrasil-go

+go 1.16
+
 require (
-	github.com/docker/libcontainer v2.2.1+incompatible
-	github.com/kardianos/minwinsvc v0.0.0-20151122163309-cad6b2b879b0
-	github.com/mitchellh/mapstructure v1.1.2
-	github.com/neilalexander/hjson-go v0.0.0-20180509131856-23267a251165
-	github.com/songgao/packets v0.0.0-20160404182456-549a10cd4091
-	github.com/yggdrasil-network/water v0.0.0-20180615095340-f732c88f34ae
-	golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9
-	golang.org/x/net v0.0.0-20181207154023-610586996380
-	golang.org/x/sys v0.0.0-20181206074257-70b957f3b65e
-	golang.org/x/text v0.3.0
+	github.com/Arceliar/ironwood v0.0.0-20210619124114-6ad55cae5031
+	github.com/Arceliar/phony v0.0.0-20210209235338-dde1a8dca979
+	github.com/VividCortex/ewma v1.2.0 // indirect
+	github.com/cheggaaa/pb/v3 v3.0.8
+	github.com/fatih/color v1.12.0 // indirect
+	github.com/gologme/log v1.2.0
+	github.com/hashicorp/go-syslog v1.0.0
+	github.com/hjson/hjson-go v3.1.0+incompatible
+	github.com/kardianos/minwinsvc v1.0.0
+	github.com/mattn/go-isatty v0.0.13 // indirect
+	github.com/mattn/go-runewidth v0.0.13 // indirect
+	github.com/mitchellh/mapstructure v1.4.1
+	github.com/vishvananda/netlink v1.1.0
+	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f // indirect
+	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a // indirect
+	golang.org/x/net v0.0.0-20210610132358-84b48f89b13b
+	golang.org/x/sys v0.0.0-20210611083646-a4fc73990273
+	golang.org/x/text v0.3.7-0.20210503195748-5c7c50ebbd4f
+	golang.zx2c4.com/wireguard v0.0.0-20210604143328-f9b48a961cd2
+	golang.zx2c4.com/wireguard/windows v0.3.14
 )
--- a/go.sum
+++ b/go.sum
@@ -1,20 +1,79 @@
-github.com/docker/libcontainer v2.2.1+incompatible h1:++SbbkCw+X8vAd4j2gOCzZ2Nn7s2xFALTf7LZKmM1/0=
-github.com/docker/libcontainer v2.2.1+incompatible/go.mod h1:osvj61pYsqhNCMLGX31xr7klUBhHb/ZBuXS0o1Fvwbw=
-github.com/kardianos/minwinsvc v0.0.0-20151122163309-cad6b2b879b0 h1:YnZmFjg0Nvk8851WTVWlqMC1ecJH07Ctz+Ezxx4u54g=
-github.com/kardianos/minwinsvc v0.0.0-20151122163309-cad6b2b879b0/go.mod h1:rUi0/YffDo1oXBOGn1KRq7Fr07LX48XEBecQnmwjsAo=
-github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/neilalexander/hjson-go v0.0.0-20180509131856-23267a251165 h1:Oo7Yfu5lEQLGvvh2p9Z8FRHJIsl7fdOCK9xXFNBkqmQ=
-github.com/neilalexander/hjson-go v0.0.0-20180509131856-23267a251165/go.mod h1:l+Zao6IpQ+6d/y7LnYnOfbfOeU/9xRiTi4HLVpnkcTg=
-github.com/songgao/packets v0.0.0-20160404182456-549a10cd4091 h1:1zN6ImoqhSJhN8hGXFaJlSC8msLmIbX8bFqOfWLKw0w=
-github.com/songgao/packets v0.0.0-20160404182456-549a10cd4091/go.mod h1:N20Z5Y8oye9a7HmytmZ+tr8Q2vlP0tAHP13kTHzwvQY=
-github.com/yggdrasil-network/water v0.0.0-20180615095340-f732c88f34ae h1:MYCANF1kehCG6x6G+/9txLfq6n3lS5Vp0Mxn1hdiBAc=
-github.com/yggdrasil-network/water v0.0.0-20180615095340-f732c88f34ae/go.mod h1:R0SBCsugm+Sf1katgTb2t7GXMm+nRIv43tM4VDZbaOs=
-golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9 h1:mKdxBk7AujPs8kU4m80U72y/zjbZ3UcXC7dClwKbUI0=
-golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/net v0.0.0-20181207154023-610586996380 h1:zPQexyRtNYBc7bcHmehl1dH6TB3qn8zytv8cBGLDNY0=
-golang.org/x/net v0.0.0-20181207154023-610586996380/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/sys v0.0.0-20181206074257-70b957f3b65e h1:njOxP/wVblhCLIUhjHXf6X+dzTt5OQ3vMQo9mkOIKIo=
-golang.org/x/sys v0.0.0-20181206074257-70b957f3b65e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+github.com/Arceliar/ironwood v0.0.0-20210619124114-6ad55cae5031 h1:DZVDfYhVdu+0wAiRHoY1olyNkKxIot9UjBnbQFzuUlM=
+github.com/Arceliar/ironwood v0.0.0-20210619124114-6ad55cae5031/go.mod h1:RP72rucOFm5udrnEzTmIWLRVGQiV/fSUAQXJ0RST/nk=
+github.com/Arceliar/phony v0.0.0-20210209235338-dde1a8dca979 h1:WndgpSW13S32VLQ3ugUxx2EnnWmgba1kCqPkd4Gk1yQ=
+github.com/Arceliar/phony v0.0.0-20210209235338-dde1a8dca979/go.mod h1:6Lkn+/zJilRMsKmbmG1RPoamiArC6HS73xbwRyp3UyI=
+github.com/VividCortex/ewma v1.1.1/go.mod h1:2Tkkvm3sRDVXaiyucHiACn4cqf7DpdyLvmxzcbUokwA=
+github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow=
+github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4=
+github.com/cheggaaa/pb/v3 v3.0.8 h1:bC8oemdChbke2FHIIGy9mn4DPJ2caZYQnfbRqwmdCoA=
+github.com/cheggaaa/pb/v3 v3.0.8/go.mod h1:UICbiLec/XO6Hw6k+BHEtHeQFzzBH4i2/qk/ow1EJTA=
+github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
+github.com/fatih/color v1.12.0 h1:mRhaKNwANqRgUBGKmnI5ZxEk7QXmjQeCcuYFMX2bfcc=
+github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
+github.com/gologme/log v1.2.0 h1:Ya5Ip/KD6FX7uH0S31QO87nCCSucKtF44TLbTtO7V4c=
+github.com/gologme/log v1.2.0/go.mod h1:gq31gQ8wEHkR+WekdWsqDuf8pXTUZA9BnnzTuPz1Y9U=
+github.com/hashicorp/go-syslog v1.0.0 h1:KaodqZuhUoZereWVIYmpUgZysurB1kBLX2j0MwMrUAE=
+github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
+github.com/hjson/hjson-go v3.1.0+incompatible h1:DY/9yE8ey8Zv22bY+mHV1uk2yRy0h8tKhZ77hEdi0Aw=
+github.com/hjson/hjson-go v3.1.0+incompatible/go.mod h1:qsetwF8NlsTsOTwZTApNlTCerV+b2GjYRRcIk4JMFio=
+github.com/kardianos/minwinsvc v1.0.0 h1:+JfAi8IBJna0jY2dJGZqi7o15z13JelFIklJCAENALA=
+github.com/kardianos/minwinsvc v1.0.0/go.mod h1:Bgd0oc+D0Qo3bBytmNtyRKVlp85dAloLKhfxanPFFRc=
+github.com/lxn/walk v0.0.0-20210112085537-c389da54e794/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
+github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
+github.com/mattn/go-colorable v0.1.8 h1:c1ghPdyEDarC70ftn0y+A/Ee++9zz8ljHG1b13eJ0s8=
+github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/mattn/go-isatty v0.0.13 h1:qdl+GuBjcsKKDco5BsxPJlId98mSWNKqYA+Co0SC1yA=
+github.com/mattn/go-isatty v0.0.13/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
+github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
+github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mitchellh/mapstructure v1.4.1 h1:CpVNEelQCZBooIPDn+AR3NpivK/TIKU8bDxdASFVQag=
+github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJH8j0=
+github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
+github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
+github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f h1:p4VB7kIXpOQvVn1ZaTIVp+3vuYAXFe3OJEvjbUYJLaA=
+github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210506145944-38f3c27a63bf/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210610132358-84b48f89b13b h1:k+E048sYJHyVnsr1GDrRZWQ32D2C7lWs9JRc0bel53A=
+golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210309040221-94ec62e08169/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210611083646-a4fc73990273 h1:faDu4veV+8pcThn4fewv6TVlNCezafGoC1gM/mxQLbQ=
+golang.org/x/sys v0.0.0-20210611083646-a4fc73990273/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7-0.20210503195748-5c7c50ebbd4f h1:yQJrRE0hDxDFmZLlRaw+3vusO4fwNHgHIjUOMO7bHYI=
+golang.org/x/text v0.3.7-0.20210503195748-5c7c50ebbd4f/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.zx2c4.com/wireguard v0.0.0-20210510202332-9844c74f67ec/go.mod h1:a057zjmoc00UN7gVkaJt2sXVK523kMJcogDTEvPIasg=
+golang.zx2c4.com/wireguard v0.0.0-20210604143328-f9b48a961cd2 h1:wfOOSvHgIzTZ9h5Vb6yUFZNn7uf3bT7PeYsHOO7tYDM=
+golang.zx2c4.com/wireguard v0.0.0-20210604143328-f9b48a961cd2/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
+golang.zx2c4.com/wireguard/windows v0.3.14 h1:5yIDYyrQyGkLqV+tzY4ilMNeIvQeMXAz0glZz9u179A=
+golang.zx2c4.com/wireguard/windows v0.3.14/go.mod h1:3P4IEAsb+BjlKZmpUXgy74c0iX9AVwwr3WcVJ8nPgME=
--- a/misc/genkeys.go
+++ b/misc/genkeys.go
@@ -1,133 +0,0 @@
-/*
-
-This file generates crypto keys.
-It prints out a new set of keys each time if finds a "better" one.
-By default, "better" means a higher NodeID (-> higher IP address).
-This is because the IP address format can compress leading 1s in the address, to incrase the number of ID bits in the address.
-
-If run with the "-sig" flag, it generates signing keys instead.
-A "better" signing key means one with a higher TreeID.
-This only matters if it's high enough to make you the root of the tree.
-
-*/
-package main
-
-import "encoding/hex"
-import "flag"
-import "fmt"
-import "runtime"
-import . "github.com/yggdrasil-network/yggdrasil-go/src/yggdrasil"
-
-var doSig = flag.Bool("sig", false, "generate new signing keys instead")
-
-type keySet struct {
-	priv []byte
-	pub  []byte
-	id   []byte
-	ip   string
-}
-
-func main() {
-	threads := runtime.GOMAXPROCS(0)
-	var threadChannels []chan []byte
-	var currentBest []byte
-	newKeys := make(chan keySet, threads)
-	flag.Parse()
-
-	for i := 0; i < threads; i++ {
-		threadChannels = append(threadChannels, make(chan []byte, threads))
-		switch {
-		case *doSig:
-			go doSigKeys(newKeys, threadChannels[i])
-		default:
-			go doBoxKeys(newKeys, threadChannels[i])
-		}
-	}
-
-	for {
-		newKey := <-newKeys
-		if isBetter(currentBest[:], newKey.id[:]) || len(currentBest) == 0 {
-			currentBest = newKey.id
-			for _, channel := range threadChannels {
-				select {
-				case channel <- newKey.id:
-				}
-			}
-			fmt.Println("--------------------------------------------------------------------------------")
-			switch {
-			case *doSig:
-				fmt.Println("sigPriv:", hex.EncodeToString(newKey.priv[:]))
-				fmt.Println("sigPub:", hex.EncodeToString(newKey.pub[:]))
-				fmt.Println("TreeID:", hex.EncodeToString(newKey.id[:]))
-			default:
-				fmt.Println("boxPriv:", hex.EncodeToString(newKey.priv[:]))
-				fmt.Println("boxPub:", hex.EncodeToString(newKey.pub[:]))
-				fmt.Println("NodeID:", hex.EncodeToString(newKey.id[:]))
-				fmt.Println("IP:", newKey.ip)
-			}
-		}
-	}
-}
-
-func isBetter(oldID, newID []byte) bool {
-	for idx := range oldID {
-		if newID[idx] > oldID[idx] {
-			return true
-		}
-		if newID[idx] < oldID[idx] {
-			return false
-		}
-	}
-	return false
-}
-
-func doBoxKeys(out chan<- keySet, in <-chan []byte) {
-	c := Core{}
-	pub, _ := c.DEBUG_newBoxKeys()
-	bestID := c.DEBUG_getNodeID(pub)
-	for idx := range bestID {
-		bestID[idx] = 0
-	}
-	for {
-		select {
-		case newBestID := <-in:
-			if isBetter(bestID[:], newBestID) {
-				copy(bestID[:], newBestID)
-			}
-		default:
-			pub, priv := c.DEBUG_newBoxKeys()
-			id := c.DEBUG_getNodeID(pub)
-			if !isBetter(bestID[:], id[:]) {
-				continue
-			}
-			bestID = id
-			ip := c.DEBUG_addrForNodeID(id)
-			out <- keySet{priv[:], pub[:], id[:], ip}
-		}
-	}
-}
-
-func doSigKeys(out chan<- keySet, in <-chan []byte) {
-	c := Core{}
-	pub, _ := c.DEBUG_newSigKeys()
-	bestID := c.DEBUG_getTreeID(pub)
-	for idx := range bestID {
-		bestID[idx] = 0
-	}
-	for {
-		select {
-		case newBestID := <-in:
-			if isBetter(bestID[:], newBestID) {
-				copy(bestID[:], newBestID)
-			}
-		default:
-		}
-		pub, priv := c.DEBUG_newSigKeys()
-		id := c.DEBUG_getTreeID(pub)
-		if !isBetter(bestID[:], id[:]) {
-			continue
-		}
-		bestID = id
-		out <- keySet{priv[:], pub[:], id[:], ""}
-	}
-}
--- a/misc/run-schannel-netns
+++ b/misc/run-schannel-netns
@@ -51,12 +51,12 @@ ip netns exec node4 ip link set lo up
 ip netns exec node5 ip link set lo up
 ip netns exec node6 ip link set lo up

-ip netns exec node1 env PPROFLISTEN=localhost:6060 ./run --autoconf &> /dev/null &
-ip netns exec node2 env PPROFLISTEN=localhost:6060 ./run --autoconf &> /dev/null &
-ip netns exec node3 env PPROFLISTEN=localhost:6060 ./run --autoconf &> /dev/null &
-ip netns exec node4 env PPROFLISTEN=localhost:6060 ./run --autoconf &> /dev/null &
-ip netns exec node5 env PPROFLISTEN=localhost:6060 ./run --autoconf &> /dev/null &
-ip netns exec node6 env PPROFLISTEN=localhost:6060 ./run --autoconf &> /dev/null &
+echo '{AdminListen: "none"}' | ip netns exec node1 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &
+echo '{AdminListen: "none"}' | ip netns exec node2 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &
+echo '{AdminListen: "none"}' | ip netns exec node3 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &
+echo '{AdminListen: "none"}' | ip netns exec node4 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &
+echo '{AdminListen: "none"}' | ip netns exec node5 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &
+echo '{AdminListen: "none"}' | ip netns exec node6 env PPROFLISTEN=localhost:6060 ./yggdrasil --useconf &> /dev/null &

 echo "Started, to continue you should (possibly w/ sudo):"
 echo "kill" $(jobs -p)
--- a/misc/run-twolink-test
+++ b/misc/run-twolink-test
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Connects nodes in two namespaces by two links with different bandwidth (10mbit and 100mbit)
+
+ip netns add node1
+ip netns add node2
+
+ip link add veth11 type veth peer name veth21
+ip link set veth11 netns node1 up
+ip link set veth21 netns node2 up
+
+ip link add veth12 type veth peer name veth22
+ip link set veth12 netns node1 up
+ip link set veth22 netns node2 up
+
+ip netns exec node1 tc qdisc add dev veth11 root tbf rate 10mbit burst 8192 latency 1ms
+ip netns exec node2 tc qdisc add dev veth21 root tbf rate 10mbit burst 8192 latency 1ms
+
+ip netns exec node1 tc qdisc add dev veth12 root tbf rate 100mbit burst 8192 latency 1ms
+ip netns exec node2 tc qdisc add dev veth22 root tbf rate 100mbit burst 8192 latency 1ms
+
+echo '{AdminListen: "unix://node1.sock"}' | ip netns exec node1 env PPROFLISTEN=localhost:6060 ./yggdrasil -logging "info,warn,error,debug" -useconf &> node1.log &
+echo '{AdminListen: "unix://node2.sock"}' | ip netns exec node2 env PPROFLISTEN=localhost:6060 ./yggdrasil -logging "info,warn,error,debug" -useconf &> node2.log &
+
+echo "Started, to continue you should (possibly w/ sudo):"
+echo "kill" $(jobs -p)
+wait
+
+ip netns delete node1
+ip netns delete node2
+
+ip link delete veth11
+ip link delete veth12
--- a/misc/sim/fc00-2017-08-12.txt
+++ b/misc/sim/fc00-2017-08-12.txt
--- a/misc/sim/merge.py
+++ b/misc/sim/merge.py
@@ -1,62 +0,0 @@
-import glob
-import sys
-inputDirPath =  sys.argv[1]
-
-inputFilePaths = glob.glob(inputDirPath+"/*")
-inputFilePaths.sort()
-
-merged = dict()
-
-stretches = []
-
-total = 0
-for inputFilePath in inputFilePaths:
-  print "Processing file {}".format(inputFilePath)
-  with open(inputFilePath, 'r') as f:
-    inData = f.readlines()
-  pathsChecked = 0.
-  avgStretch = 0.
-  for line in inData:
-    dat = line.rstrip('\n').split(' ')
-    eHops = int(dat[0])
-    nHops = int(dat[1])
-    count = int(dat[2])
-    if eHops not in merged: merged[eHops] = dict()
-    if nHops not in merged[eHops]: merged[eHops][nHops] = 0
-    merged[eHops][nHops] += count
-    total += count
-    pathsChecked += count
-    stretch = float(nHops)/eHops
-    avgStretch += stretch*count
-  finStretch = avgStretch / max(1, pathsChecked)
-  stretches.append(str(finStretch))
-
-hopsUsed = 0.
-hopsNeeded = 0.
-avgStretch = 0.
-results = []
-for eHops in sorted(merged.keys()):
-  for nHops in sorted(merged[eHops].keys()):
-    count = merged[eHops][nHops]
-    result = "{} {} {}".format(eHops, nHops, count)
-    results.append(result)
-    hopsUsed += nHops*count
-    hopsNeeded += eHops*count
-    stretch = float(nHops)/eHops
-    avgStretch += stretch*count
-    print result
-bandwidthUsage = hopsUsed/max(1, hopsNeeded)
-avgStretch /= max(1, total)
-
-with open("results.txt", "w") as f:
-  f.write('\n'.join(results))
-
-with open("stretches.txt", "w") as f:
-  f.write('\n'.join(stretches))
-
-print "Total files processed: {}".format(len(inputFilePaths))
-print "Total paths found: {}".format(total)
-print "Bandwidth usage: {}".format(bandwidthUsage)
-print "Average stretch: {}".format(avgStretch)
-
-
--- a/misc/sim/run-sim
+++ b/misc/sim/run-sim
@@ -1,2 +0,0 @@
-#!/bin/bash
-go run -tags debug misc/sim/treesim.go "$@"
--- a/misc/sim/treesim-forward.py
+++ b/misc/sim/treesim-forward.py
@@ -1,901 +0,0 @@
-# Tree routing scheme (named Yggdrasil, after the world tree from Norse mythology)
-# Steps:
-#   1: Pick any node, here I'm using highest nodeID
-#   2: Build spanning tree, each node stores path back to root
-#     Optionally with weights for each hop
-#     Ties broken by preferring a parent with higher degree
-#   3: Distance metric: self->peer + (via tree) peer->dest
-#   4: Perform (modified) greedy lookup via this metric for each direction (A->B and B->A)
-#   5: Source-route traffic using the better of those two paths
-
-# Note: This makes no attempt to simulate a dynamic network
-#   E.g. A node's peers cannot be disconnected
-
-# TODO:
-#   Make better use of drop?
-#   In particular, we should be ignoring *all* recently dropped *paths* to the root
-#     To minimize route flapping
-#     Not really an issue in the sim, but probably needed for a real network
-
-import array
-import gc
-import glob
-import gzip
-import heapq
-import os
-import random
-import time
-
-#############
-# Constants #
-#############
-
-# Reminder of where link cost comes in
-LINK_COST = 1
-
-# Timeout before dropping something, in simulated seconds
-TIMEOUT = 60
-
-###########
-# Classes #
-###########
-
-class PathInfo:
-  def __init__(self, nodeID):
-    self.nodeID = nodeID   # e.g. IP
-    self.coords = []       # Position in tree
-    self.tstamp = 0        # Timestamp from sender, to keep track of old vs new info
-    self.degree = 0        # Number of peers the sender has, used to break ties
-    # The above should be signed
-    self.path   = [nodeID] # Path to node (in path-vector route)
-    self.time   = 0        # Time info was updated, to keep track of e.g. timeouts
-    self.treeID = nodeID   # Hack, let tree use different ID than IP, used so we can dijkstra once and test many roots
-  def clone(self):
-    # Return a deep-enough copy of the path
-    clone = PathInfo(None)
-    clone.nodeID = self.nodeID
-    clone.coords = self.coords[:]
-    clone.tstamp = self.tstamp
-    clone.degree = self.degree
-    clone.path = self.path[:]
-    clone.time = self.time
-    clone.treeID = self.treeID
-    return clone
-# End class PathInfo
-
-class Node:
-  def __init__(self, nodeID):
-    self.info  = PathInfo(nodeID) # Self NodeInfo
-    self.root  = None             # PathInfo to node at root of tree
-    self.drop  = dict()           # PathInfo to nodes from clus that have timed out
-    self.peers = dict()           # PathInfo to peers
-    self.links = dict()           # Links to peers (to pass messages)
-    self.msgs  = []               # Said messages
-    self.table = dict()           # Pre-computed lookup table of peer info
-
-  def tick(self):
-    # Do periodic maintenance stuff, including push updates
-    self.info.time += 1
-    if self.info.time > self.info.tstamp + TIMEOUT/4:
-      # Update timestamp at least once every 1/4 timeout period
-      # This should probably be randomized in a real implementation
-      self.info.tstamp = self.info.time
-      self.info.degree = 0# TODO decide if degree should be used, len(self.peers)
-    changed = False # Used to track when the network has converged
-    changed |= self.cleanRoot()
-    self.cleanDropped()
-    # Should probably send messages infrequently if there's nothing new to report
-    if self.info.tstamp == self.info.time:
-      msg = self.createMessage()
-      self.sendMessage(msg)
-    return changed
-
-  def cleanRoot(self):
-    changed = False
-    if self.root and self.info.time - self.root.time > TIMEOUT:
-      print "DEBUG: clean root,", self.root.path
-      self.drop[self.root.treeID] = self.root
-      self.root = None
-      changed = True
-    if not self.root or self.root.treeID < self.info.treeID:
-      # No need to drop someone who'se worse than us
-      self.info.coords = [self.info.nodeID]
-      self.root = self.info.clone()
-      changed = True
-    elif self.root.treeID == self.info.treeID:
-      self.root = self.info.clone()
-    return changed
-
-  def cleanDropped(self):
-    # May actually be a treeID... better to iterate over keys explicitly
-    nodeIDs = sorted(self.drop.keys())
-    for nodeID in nodeIDs:
-      node = self.drop[nodeID]
-      if self.info.time - node.time > 4*TIMEOUT:
-        del self.drop[nodeID]
-    return None
-
-  def createMessage(self):
-    # Message is just a tuple
-    # First element is the sender
-    # Second element is the root
-    # We will .clone() everything during the send operation
-    msg = (self.info, self.root)
-    return msg
-
-  def sendMessage(self, msg):
-    for link in self.links.values():
-      newMsg = (msg[0].clone(), msg[1].clone())
-      link.msgs.append(newMsg)
-    return None
-
-  def handleMessages(self):
-    changed = False
-    while self.msgs:
-      changed |= self.handleMessage(self.msgs.pop())
-    return changed
-
-  def handleMessage(self, msg):
-    changed = False
-    for node in msg:
-      # Update the path and timestamp for the sender and root info
-      node.path.append(self.info.nodeID)
-      node.time = self.info.time
-    # Update the sender's info in our list of peers
-    sender = msg[0]
-    self.peers[sender.nodeID] = sender
-    # Decide if we want to update the root
-    root = msg[1]
-    updateRoot = False
-    isSameParent = False
-    isBetterParent = False
-    if len(self.root.path) > 1 and len(root.path) > 1:
-      parent = self.peers[self.root.path[-2]]
-      if parent.nodeID == sender.nodeID: isSameParent = True
-      if sender.degree > parent.degree:
-        # This would also be where you check path uptime/reliability/whatever
-        # All else being equal, we prefer parents with high degree
-        # We are trusting peers to report degree correctly in this case
-        # So expect some performance reduction if your peers aren't trustworthy
-        # (Lies can increase average stretch by a few %)
-        isBetterParent = True
-    if self.info.nodeID in root.path[:-1]: pass # No loopy routes allowed
-    elif root.treeID in self.drop and self.drop[root.treeID].tstamp >= root.tstamp: pass
-    elif not self.root: updateRoot = True
-    elif self.root.treeID < root.treeID: updateRoot = True
-    elif self.root.treeID != root.treeID: pass
-    elif self.root.tstamp > root.tstamp: pass
-    elif len(root.path) < len(self.root.path): updateRoot = True
-    elif isBetterParent and len(root.path) == len(self.root.path): updateRoot = True
-    elif isSameParent and self.root.tstamp < root.tstamp: updateRoot = True
-    if updateRoot:
-      if not self.root or self.root.path != root.path: changed = True
-      self.root = root
-      self.info.coords = self.root.path
-    return changed
-
-  def lookup(self, dest):
-    # Note: Can loop in an unconverged network
-    # The person looking up the route is responsible for checking for loops
-    best = None
-    bestDist = 0
-    for node in self.peers.itervalues():
-      # dist = distance to node + dist (on tree) from node to dest
-      dist = len(node.path)-1 + treeDist(node.coords, dest.coords)
-      if not best or dist < bestDist:
-        best = node
-        bestDist = dist
-    if best:
-      next = best.path[-2]
-      assert next in self.peers
-      return next
-    else:
-      # We failed to look something up
-      # TODO some way to signal this which doesn't crash
-      assert False
-
-  def initTable(self):
-    # Pre-computes a lookup table for destination coords
-    # Insert parent first so you prefer them as a next-hop
-    self.table.clear()
-    parent = self.info.nodeID
-    if len(self.info.coords) >= 2: parent = self.info.coords[-2]
-    for peer in self.peers.itervalues():
-      current = self.table
-      for coord in peer.coords:
-        if coord not in current: current[coord] = (peer.nodeID, dict())
-        old = current[coord]
-        next = old[1]
-        oldPeer = self.peers[old[0]]
-        oldDist = len(oldPeer.coords)
-        oldDeg = oldPeer.degree
-        newDist = len(peer.coords)
-        newDeg = peer.degree
-        # Prefer parent
-        # Else prefer short distance from root
-        # If equal distance, prefer high degree
-        if peer.nodeID == parent: current[coord] = (peer.nodeID, next)
-        elif newDist < oldDist: current[coord] = (peer.nodeID, next)
-        elif newDist == oldDist and newDeg > oldDeg: current[coord] = (peer.nodeID, next)
-        current = next
-    return None
-
-  def lookup_new(self, dest):
-    # Use pre-computed lookup table to look up next hop for dest coords
-    assert self.table
-    if len(self.info.coords) >= 2: parent = self.info.coords[-2]
-    else: parent = None
-    current = (parent, self.table)
-    c = None
-    for coord in dest.coords:
-      c = coord
-      if coord not in current[1]: break
-      current = current[1][coord]
-    next = current[0]
-    if c in self.peers: next = c
-    if next not in self.peers:
-      assert next == None
-      # You're the root of a different connected component
-      # You'd drop the packet in this case
-      # To make the path cache not die, need to return a valid next hop...
-      # Returning self for that reason
-      next = self.info.nodeID
-    return next
-# End class Node
-
-####################
-# Helper Functions #
-####################
-
-def getIndexOfLCA(source, dest):
-  # Return index of last common ancestor in source/dest coords
-  # -1 if no common ancestor (e.g. different roots)
-  lcaIdx = -1
-  minLen = min(len(source), len(dest))
-  for idx in xrange(minLen):
-    if source[idx] == dest[idx]: lcaIdx = idx
-    else: break
-  return lcaIdx
-
-def treePath(source, dest):
-  # Return path with source at head and dest at tail
-  lastMatch = getIndexOfLCA(source, dest)
-  path = dest[-1:lastMatch:-1] + source[lastMatch:]
-  assert path[0] == dest[-1]
-  assert path[-1] == source[-1]
-  return path
-
-def treeDist(source, dest):
-  dist = len(source) + len(dest)
-  lcaIdx = getIndexOfLCA(source, dest)
-  dist -= 2*(lcaIdx+1)
-  return dist
-
-def dijkstra(nodestore, startingNodeID):
-  # Idea to use heapq and basic implementation taken from stackexchange post
-  # http://codereview.stackexchange.com/questions/79025/dijkstras-algorithm-in-python
-  nodeIDs = sorted(nodestore.keys())
-  nNodes = len(nodeIDs)
-  idxs = dict()
-  for nodeIdx in xrange(nNodes):
-    nodeID = nodeIDs[nodeIdx]
-    idxs[nodeID] = nodeIdx
-  dists = array.array("H", [0]*nNodes)
-  queue = [(0, startingNodeID)]
-  while queue:
-    dist, nodeID = heapq.heappop(queue)
-    idx = idxs[nodeID]
-    if not dists[idx]: # Unvisited, otherwise we skip it
-      dists[idx] = dist
-      for peer in nodestore[nodeID].links:
-        if not dists[idxs[peer]]:
-          # Peer is also unvisited, so add to queue
-          heapq.heappush(queue, (dist+LINK_COST, peer))
-  return dists
-
-def dijkstrall(nodestore):
-  # Idea to use heapq and basic implementation taken from stackexchange post
-  # http://codereview.stackexchange.com/questions/79025/dijkstras-algorithm-in-python
-  nodeIDs = sorted(nodestore.keys())
-  nNodes = len(nodeIDs)
-  idxs = dict()
-  for nodeIdx in xrange(nNodes):
-    nodeID = nodeIDs[nodeIdx]
-    idxs[nodeID] = nodeIdx
-  dists = array.array("H", [0]*nNodes*nNodes) # use GetCacheIndex(nNodes, start, end)
-  for sourceIdx in xrange(nNodes):
-    print "Finding shortest paths for node {} / {} ({})".format(sourceIdx+1, nNodes, nodeIDs[sourceIdx])
-    queue = [(0, sourceIdx)]
-    while queue:
-      dist, nodeIdx = heapq.heappop(queue)
-      distIdx = getCacheIndex(nNodes, sourceIdx, nodeIdx)
-      if not dists[distIdx]: # Unvisited, otherwise we skip it
-        dists[distIdx] = dist
-        for peer in nodestore[nodeIDs[nodeIdx]].links:
-          pIdx = idxs[peer]
-          pdIdx = getCacheIndex(nNodes, sourceIdx, pIdx)
-          if not dists[pdIdx]:
-            # Peer is also unvisited, so add to queue
-            heapq.heappush(queue, (dist+LINK_COST, pIdx))
-  return dists
-
-def linkNodes(node1, node2):
-  node1.links[node2.info.nodeID] = node2
-  node2.links[node1.info.nodeID] = node1
-
-############################
-# Store topology functions #
-############################
-
-def makeStoreSquareGrid(sideLength, randomize=True):
-  # Simple grid in a sideLength*sideLength square
-  # Just used to validate that the code runs
-  store = dict()
-  nodeIDs = list(range(sideLength*sideLength))
-  if randomize: random.shuffle(nodeIDs)
-  for nodeID in nodeIDs:
-    store[nodeID] = Node(nodeID)
-  for index in xrange(len(nodeIDs)):
-    if (index % sideLength != 0): linkNodes(store[nodeIDs[index]], store[nodeIDs[index-1]])
-    if (index >= sideLength): linkNodes(store[nodeIDs[index]], store[nodeIDs[index-sideLength]])
-  print "Grid store created, size {}".format(len(store))
-  return store
-
-def makeStoreASRelGraph(pathToGraph):
-  #Existing network graphs, in caida.org's asrel format (ASx|ASy|z per line, z denotes relationship type)
-  with open(pathToGraph, "r") as f:
-    inData = f.readlines()
-  store = dict()
-  for line in inData:
-    if line.strip()[0] == "#": continue # Skip comment lines
-    line = line.replace('|'," ")
-    nodes = map(int, line.split()[0:2])
-    if nodes[0] not in store: store[nodes[0]] = Node(nodes[0])
-    if nodes[1] not in store: store[nodes[1]] = Node(nodes[1])
-    linkNodes(store[nodes[0]], store[nodes[1]])
-  print "CAIDA AS-relation graph successfully imported, size {}".format(len(store))
-  return store
-
-def makeStoreASRelGraphMaxDeg(pathToGraph, degIdx=0):
-  with open(pathToGraph, "r") as f:
-    inData = f.readlines()
-  store = dict()
-  nodeDeg = dict()
-  for line in inData:
-    if line.strip()[0] == "#": continue # Skip comment lines
-    line = line.replace('|'," ")
-    nodes = map(int, line.split()[0:2])
-    if nodes[0] not in nodeDeg: nodeDeg[nodes[0]] = 0
-    if nodes[1] not in nodeDeg: nodeDeg[nodes[1]] = 0
-    nodeDeg[nodes[0]] += 1
-    nodeDeg[nodes[1]] += 1
-  sortedNodes = sorted(nodeDeg.keys(), \
-                       key=lambda x: (nodeDeg[x], x), \
-                       reverse=True)
-  maxDegNodeID = sortedNodes[degIdx]
-  return makeStoreASRelGraphFixedRoot(pathToGraph, maxDegNodeID)
-
-def makeStoreASRelGraphFixedRoot(pathToGraph, rootNodeID):
-  with open(pathToGraph, "r") as f:
-    inData = f.readlines()
-  store = dict()
-  for line in inData:
-    if line.strip()[0] == "#": continue # Skip comment lines
-    line = line.replace('|'," ")
-    nodes = map(int, line.split()[0:2])
-    if nodes[0] not in store:
-      store[nodes[0]] = Node(nodes[0])
-      if nodes[0] == rootNodeID: store[nodes[0]].info.treeID += 1000000000
-    if nodes[1] not in store:
-      store[nodes[1]] = Node(nodes[1])
-      if nodes[1] == rootNodeID: store[nodes[1]].info.treeID += 1000000000
-    linkNodes(store[nodes[0]], store[nodes[1]])
-  print "CAIDA AS-relation graph successfully imported, size {}".format(len(store))
-  return store
-
-def makeStoreDimesEdges(pathToGraph, rootNodeID=None):
-  # Read from a DIMES csv-formatted graph from a gzip file
-  store = dict()
-  with gzip.open(pathToGraph, "r") as f:
-    inData = f.readlines()
-  size = len(inData)
-  index = 0
-  for edge in inData:
-    if not index % 1000:
-      pct = 100.0*index/size
-      print "Processing edge {}, {:.2f}%".format(index, pct)
-    index += 1
-    dat = edge.rstrip().split(',')
-    node1 = "N" + str(dat[0].strip())
-    node2 = "N" + str(dat[1].strip())
-    if '?' in node1 or '?' in node2: continue #Unknown node
-    if node1 == rootNodeID: node1 = "R" + str(dat[0].strip())
-    if node2 == rootNodeID: node2 = "R" + str(dat[1].strip())
-    if node1 not in store: store[node1] = Node(node1)
-    if node2 not in store: store[node2] = Node(node2)
-    if node1 != node2: linkNodes(store[node1], store[node2])
-  print "DIMES graph successfully imported, size {}".format(len(store))
-  return store
-
-def makeStoreGeneratedGraph(pathToGraph, root=None):
-  with open(pathToGraph, "r") as f:
-    inData = f.readlines()
-  store = dict()
-  for line in inData:
-    if line.strip()[0] == "#": continue # Skip comment lines
-    nodes = map(int, line.strip().split(' ')[0:2])
-    node1 = nodes[0]
-    node2 = nodes[1]
-    if node1 == root: node1 += 1000000
-    if node2 == root: node2 += 1000000
-    if node1 not in store: store[node1] = Node(node1)
-    if node2 not in store: store[node2] = Node(node2)
-    linkNodes(store[node1], store[node2])
-  print "Generated graph successfully imported, size {}".format(len(store))
-  return store
-
-
-############################################
-# Functions used as parts of network tests #
-############################################
-
-def idleUntilConverged(store):
-  nodeIDs = sorted(store.keys())
-  timeOfLastChange = 0
-  step = 0
-  # Idle until the network has converged
-  while step - timeOfLastChange < 4*TIMEOUT:
-    step += 1
-    print "Step: {}, last change: {}".format(step, timeOfLastChange)
-    changed = False
-    for nodeID in nodeIDs:
-      # Update node status, send messages
-      changed |= store[nodeID].tick()
-    for nodeID in nodeIDs:
-      # Process messages
-      changed |= store[nodeID].handleMessages()
-    if changed: timeOfLastChange = step
-  initTables(store)
-  return store
-
-def getCacheIndex(nodes, sourceIndex, destIndex):
-  return sourceIndex*nodes + destIndex
-
-def initTables(store):
-  nodeIDs = sorted(store.keys())
-  nNodes = len(nodeIDs)
-  print "Initializing routing tables for {} nodes".format(nNodes)
-  for idx in xrange(nNodes):
-    nodeID = nodeIDs[idx]
-    store[nodeID].initTable()
-  print "Routing tables initialized"
-  return None
-
-def getCache(store):
-  nodeIDs = sorted(store.keys())
-  nNodes = len(nodeIDs)
-  nodeIdxs = dict()
-  for nodeIdx in xrange(nNodes):
-    nodeIdxs[nodeIDs[nodeIdx]] = nodeIdx
-  cache = array.array("H", [0]*nNodes*nNodes)
-  for sourceIdx in xrange(nNodes):
-    sourceID = nodeIDs[sourceIdx]
-    print "Building fast lookup table for node {} / {} ({})".format(sourceIdx+1, nNodes, sourceID)
-    for destIdx in xrange(nNodes):
-      destID = nodeIDs[destIdx]
-      if sourceID == destID: nextHop = destID # lookup would fail
-      else: nextHop = store[sourceID].lookup(store[destID].info)
-      nextHopIdx = nodeIdxs[nextHop]
-      cache[getCacheIndex(nNodes, sourceIdx, destIdx)] = nextHopIdx
-  return cache
-
-def testPaths(store, dists):
-  cache = getCache(store)
-  nodeIDs = sorted(store.keys())
-  nNodes = len(nodeIDs)
-  idxs = dict()
-  for nodeIdx in xrange(nNodes):
-    nodeID = nodeIDs[nodeIdx]
-    idxs[nodeID] = nodeIdx
-  results = dict()
-  for sourceIdx in xrange(nNodes):
-    sourceID = nodeIDs[sourceIdx]
-    print "Testing paths from node {} / {} ({})".format(sourceIdx+1, len(nodeIDs), sourceID)
-    #dists = dijkstra(store, sourceID)
-    for destIdx in xrange(nNodes):
-      destID = nodeIDs[destIdx]
-      if destID == sourceID: continue # Skip self
-      distIdx = getCacheIndex(nNodes, sourceIdx, destIdx)
-      eHops = dists[distIdx]
-      if not eHops: continue # The network is split, no path exists
-      hops = 0
-      for pair in ((sourceIdx, destIdx),):
-        nHops = 0
-        locIdx = pair[0]
-        dIdx = pair[1]
-        while locIdx != dIdx:
-          locIdx = cache[getCacheIndex(nNodes, locIdx, dIdx)]
-          nHops += 1
-        if not hops or nHops < hops: hops = nHops
-      if eHops not in results: results[eHops] = dict()
-      if hops not in results[eHops]: results[eHops][hops] = 0
-      results[eHops][hops] += 1
-  return results
-
-def getAvgStretch(pathMatrix):
-  avgStretch = 0.
-  checked = 0.
-  for eHops in sorted(pathMatrix.keys()):
-    for nHops in sorted(pathMatrix[eHops].keys()):
-      count = pathMatrix[eHops][nHops]
-      stretch = float(nHops)/float(max(1, eHops))
-      avgStretch += stretch*count
-      checked += count
-  avgStretch /= max(1, checked)
-  return avgStretch
-
-def getMaxStretch(pathMatrix):
-  maxStretch = 0.
-  for eHops in sorted(pathMatrix.keys()):
-    for nHops in sorted(pathMatrix[eHops].keys()):
-      stretch = float(nHops)/float(max(1, eHops))
-      maxStretch = max(maxStretch, stretch)
-  return maxStretch
-
-def getCertSizes(store):
-  # Returns nCerts frequency distribution
-  # De-duplicates common certs (for shared prefixes in the path)
-  sizes = dict()
-  for node in store.values():
-    certs = set()
-    for peer in node.peers.values():
-      pCerts = set()
-      assert len(peer.path) == 2
-      assert peer.coords[-1] == peer.path[0]
-      hops = peer.coords + peer.path[1:]
-      for hopIdx in xrange(len(hops)-1):
-        send = hops[hopIdx]
-        if send == node.info.nodeID: continue # We created it, already have it
-        path = hops[0:hopIdx+2]
-        # Each cert is signed by the sender
-        # Includes information about the path from the sender to the next hop
-        # Next hop is at hopIdx+1, so the path to next hop is hops[0:hopIdx+2]
-        cert = "{}:{}".format(send, path)
-        certs.add(cert)
-    size = len(certs)
-    if size not in sizes: sizes[size] = 0
-    sizes[size] += 1
-  return sizes
-
-def getMinLinkCertSizes(store):
-  # Returns nCerts frequency distribution
-  # De-duplicates common certs (for shared prefixes in the path)
-  # Based on the minimum number of certs that must be traded through a particular link
-  # Handled per link
-  sizes = dict()
-  for node in store.values():
-    peerCerts = dict()
-    for peer in node.peers.values():
-      pCerts = set()
-      assert len(peer.path) == 2
-      assert peer.coords[-1] == peer.path[0]
-      hops = peer.coords + peer.path[1:]
-      for hopIdx in xrange(len(hops)-1):
-        send = hops[hopIdx]
-        if send == node.info.nodeID: continue # We created it, already have it
-        path = hops[0:hopIdx+2]
-        # Each cert is signed by the sender
-        # Includes information about the path from the sender to the next hop
-        # Next hop is at hopIdx+1, so the path to next hop is hops[0:hopIdx+2]
-        cert = "{}:{}".format(send, path)
-        pCerts.add(cert)
-      peerCerts[peer.nodeID] = pCerts
-    for peer in peerCerts:
-      size = 0
-      pCerts = peerCerts[peer]
-      for cert in pCerts:
-        required = True
-        for p2 in peerCerts:
-          if p2 == peer: continue
-          p2Certs = peerCerts[p2]
-          if cert in p2Certs: required = False
-        if required: size += 1
-      if size not in sizes: sizes[size] = 0
-      sizes[size] += 1
-  return sizes
-
-def getPathSizes(store):
-  # Returns frequency distribution of the total number of hops the routing table
-  # I.e. a node with 3 peers, each with 5 hop coord+path, would count as 3x5=15
-  sizes = dict()
-  for node in store.values():
-    size = 0
-    for peer in node.peers.values():
-      assert len(peer.path) == 2
-      assert peer.coords[-1] == peer.path[0]
-      peerSize = len(peer.coords) + len(peer.path) - 1 # double-counts peer, -1
-      size += peerSize
-    if size not in sizes: sizes[size] = 0
-    sizes[size] += 1
-  return sizes
-
-def getPeerSizes(store):
-  # Returns frequency distribution of the number of peers each node has
-  sizes = dict()
-  for node in store.values():
-    nPeers = len(node.peers)
-    if nPeers not in sizes: sizes[nPeers] = 0
-    sizes[nPeers] += 1
-  return sizes
-
-def getAvgSize(sizes):
-  sumSizes = 0
-  nNodes = 0
-  for size in sizes:
-    count = sizes[size]
-    sumSizes += size*count
-    nNodes += count
-  avgSize = float(sumSizes)/max(1, nNodes)
-  return avgSize
-
-def getMaxSize(sizes):
-  return max(sizes.keys())
-
-def getMinSize(sizes):
-  return min(sizes.keys())
-
-def getResults(pathMatrix):
-  results = []
-  for eHops in sorted(pathMatrix.keys()):
-    for nHops in sorted(pathMatrix[eHops].keys()):
-      count = pathMatrix[eHops][nHops]
-      results.append("{} {} {}".format(eHops, nHops, count))
-  return '\n'.join(results)
-
-####################################
-# Functions to run different tests #
-####################################
-
-def runTest(store):
-  # Runs the usual set of tests on the store
-  # Does not save results, so only meant for quick tests
-  # To e.g. check the code works, maybe warm up the pypy jit
-  for node in store.values():
-    node.info.time = random.randint(0, TIMEOUT)
-    node.info.tstamp = TIMEOUT
-  print "Begin testing network"
-  dists = None
-  if not dists: dists = dijkstrall(store)
-  idleUntilConverged(store)
-  pathMatrix = testPaths(store, dists)
-  avgStretch = getAvgStretch(pathMatrix)
-  maxStretch = getMaxStretch(pathMatrix)
-  peers = getPeerSizes(store)
-  certs = getCertSizes(store)
-  paths = getPathSizes(store)
-  linkCerts = getMinLinkCertSizes(store)
-  avgPeerSize = getAvgSize(peers)
-  maxPeerSize = getMaxSize(peers)
-  avgCertSize = getAvgSize(certs)
-  maxCertSize = getMaxSize(certs)
-  avgPathSize = getAvgSize(paths)
-  maxPathSize = getMaxSize(paths)
-  avgLinkCert = getAvgSize(linkCerts)
-  maxLinkCert = getMaxSize(linkCerts)
-  totalCerts = sum(map(lambda x: x*certs[x], certs.keys()))
-  totalLinks = sum(map(lambda x: x*peers[x], peers.keys())) # one-way links
-  avgCertsPerLink = float(totalCerts)/max(1, totalLinks)
-  print "Finished testing network"
-  print "Avg / Max stretch: {} / {}".format(avgStretch, maxStretch)
-  print "Avg / Max nPeers size: {} / {}".format(avgPeerSize, maxPeerSize)
-  print "Avg / Max nCerts size: {} / {}".format(avgCertSize, maxCertSize)
-  print "Avg / Max total hops in any node's routing table: {} / {}".format(avgPathSize, maxPathSize)
-  print "Avg / Max lower bound cert requests per link (one-way): {} / {}".format(avgLinkCert, maxLinkCert)
-  print "Avg certs per link (one-way): {}".format(avgCertsPerLink)
-  return # End of function
-
-def rootNodeASTest(path, outDir="output-treesim-AS", dists=None, proc = 1):
-  # Checks performance for every possible choice of root node
-  # Saves output for each root node to a separate file on disk
-  # path = input path to some caida.org formatted AS-relationship graph
-  if not os.path.exists(outDir): os.makedirs(outDir)
-  assert os.path.exists(outDir)
-  store = makeStoreASRelGraph(path)
-  nodes = sorted(store.keys())
-  for nodeIdx in xrange(len(nodes)):
-    if nodeIdx % proc != 0: continue # Work belongs to someone else
-    rootNodeID = nodes[nodeIdx]
-    outpath = outDir+"/{}".format(rootNodeID)
-    if os.path.exists(outpath):
-      print "Skipping {}, already processed".format(rootNodeID)
-      continue
-    store = makeStoreASRelGraphFixedRoot(path, rootNodeID)
-    for node in store.values():
-      node.info.time = random.randint(0, TIMEOUT)
-      node.info.tstamp = TIMEOUT
-    print "Beginning {}, size {}".format(nodeIdx, len(store))
-    if not dists: dists = dijkstrall(store)
-    idleUntilConverged(store)
-    pathMatrix = testPaths(store, dists)
-    avgStretch = getAvgStretch(pathMatrix)
-    maxStretch = getMaxStretch(pathMatrix)
-    results = getResults(pathMatrix)
-    with open(outpath, "w") as f:
-      f.write(results)
-    print "Finished test for root AS {} ({} / {})".format(rootNodeID, nodeIdx+1, len(store))
-    print "Avg / Max stretch: {} / {}".format(avgStretch, maxStretch)
-    #break # Stop after 1, because they can take forever
-  return # End of function
-
-def timelineASTest():
-  # Meant to study the performance of the network as a function of network size
-  # Loops over a set of AS-relationship graphs
-  # Runs a test on each graph, selecting highest-degree node as the root
-  # Saves results for each graph to a separate file on disk
-  outDir = "output-treesim-timeline-AS"
-  if not os.path.exists(outDir): os.makedirs(outDir)
-  assert os.path.exists(outDir)
-  paths = sorted(glob.glob("asrel/datasets/*"))
-  for path in paths:
-    date = os.path.basename(path).split(".")[0]
-    outpath = outDir+"/{}".format(date)
-    if os.path.exists(outpath):
-      print "Skipping {}, already processed".format(date)
-      continue
-    store = makeStoreASRelGraphMaxDeg(path)
-    dists = None
-    for node in store.values():
-      node.info.time = random.randint(0, TIMEOUT)
-      node.info.tstamp = TIMEOUT
-    print "Beginning {}, size {}".format(date, len(store))
-    if not dists: dists = dijkstrall(store)
-    idleUntilConverged(store)
-    pathMatrix = testPaths(store, dists)
-    avgStretch = getAvgStretch(pathMatrix)
-    maxStretch = getMaxStretch(pathMatrix)
-    results = getResults(pathMatrix)
-    with open(outpath, "w") as f:
-      f.write(results)
-    print "Finished {} with {} nodes".format(date, len(store))
-    print "Avg / Max stretch: {} / {}".format(avgStretch, maxStretch)
-    #break # Stop after 1, because they can take forever
-  return # End of function
-
-def timelineDimesTest():
-  # Meant to study the performance of the network as a function of network size
-  # Loops over a set of AS-relationship graphs
-  # Runs a test on each graph, selecting highest-degree node as the root
-  # Saves results for each graph to a separate file on disk
-  outDir = "output-treesim-timeline-dimes"
-  if not os.path.exists(outDir): os.makedirs(outDir)
-  assert os.path.exists(outDir)
-  # Input files are named ASEdgesX_Y where X = month (no leading 0), Y = year
-  paths = sorted(glob.glob("DIMES/ASEdges/*.gz"))
-  exists = set(glob.glob(outDir+"/*"))
-  for path in paths:
-    date = os.path.basename(path).split(".")[0]
-    outpath = outDir+"/{}".format(date)
-    if outpath in exists:
-      print "Skipping {}, already processed".format(date)
-      continue
-    store = makeStoreDimesEdges(path)
-    # Get the highest degree node and make it root
-    # Sorted by nodeID just to make it stable in the event of a tie
-    nodeIDs = sorted(store.keys())
-    bestRoot = ""
-    bestDeg = 0
-    for nodeID in nodeIDs:
-      node = store[nodeID]
-      if len(node.links) > bestDeg:
-        bestRoot = nodeID
-        bestDeg = len(node.links)
-    assert bestRoot
-    store = makeStoreDimesEdges(path, bestRoot)
-    rootID = "R" + bestRoot[1:]
-    assert rootID in store
-    # Don't forget to set random seed before setitng times
-    # To make results reproducible
-    nodeIDs = sorted(store.keys())
-    random.seed(12345)
-    for nodeID in nodeIDs:
-      node = store[nodeID]
-      node.info.time = random.randint(0, TIMEOUT)
-      node.info.tstamp = TIMEOUT
-    print "Beginning {}, size {}".format(date, len(store))
-    if not dists: dists = dijkstrall(store)
-    idleUntilConverged(store)
-    pathMatrix = testPaths(store, dists)
-    avgStretch = getAvgStretch(pathMatrix)
-    maxStretch = getMaxStretch(pathMatrix)
-    results = getResults(pathMatrix)
-    with open(outpath, "w") as f:
-      f.write(results)
-    print "Finished {} with {} nodes".format(date, len(store))
-    print "Avg / Max stretch: {} / {}".format(avgStretch, maxStretch)
-    break # Stop after 1, because they can take forever
-  return # End of function
-
-def scalingTest(maxTests=None, inputDir="graphs"):
-  # Meant to study the performance of the network as a function of network size
-  # Loops over a set of nodes in a previously generated graph
-  # Runs a test on each graph, testing each node as the root
-  # if maxTests is set, tests only that number of roots (highest degree first)
-  # Saves results for each graph to a separate file on disk
-  outDir = "output-treesim-{}".format(inputDir)
-  if not os.path.exists(outDir): os.makedirs(outDir)
-  assert os.path.exists(outDir)
-  paths = sorted(glob.glob("{}/*".format(inputDir)))
-  exists = set(glob.glob(outDir+"/*"))
-  for path in paths:
-    gc.collect() # pypy waits for gc to close files
-    graph = os.path.basename(path).split(".")[0]
-    store = makeStoreGeneratedGraph(path)
-    # Get the highest degree node and make it root
-    # Sorted by nodeID just to make it stable in the event of a tie
-    nodeIDs = sorted(store.keys(), key=lambda x: len(store[x].links), reverse=True)
-    dists = None
-    if maxTests: nodeIDs = nodeIDs[:maxTests]
-    for nodeID in nodeIDs:
-      nodeIDStr = str(nodeID).zfill(len(str(len(store)-1)))
-      outpath = outDir+"/{}-{}".format(graph, nodeIDStr)
-      if outpath in exists:
-        print "Skipping {}-{}, already processed".format(graph, nodeIDStr)
-        continue
-      store = makeStoreGeneratedGraph(path, nodeID)
-      # Don't forget to set random seed before setting times
-      random.seed(12345) # To make results reproducible
-      nIDs = sorted(store.keys())
-      for nID in nIDs:
-        node = store[nID]
-        node.info.time = random.randint(0, TIMEOUT)
-        node.info.tstamp = TIMEOUT
-      print "Beginning {}, size {}".format(graph, len(store))
-      if not dists: dists = dijkstrall(store)
-      idleUntilConverged(store)
-      pathMatrix = testPaths(store, dists)
-      avgStretch = getAvgStretch(pathMatrix)
-      maxStretch = getMaxStretch(pathMatrix)
-      results = getResults(pathMatrix)
-      with open(outpath, "w") as f:
-        f.write(results)
-      print "Finished {} with {} nodes for root {}".format(graph, len(store), nodeID)
-      print "Avg / Max stretch: {} / {}".format(avgStretch, maxStretch)
-  return # End of function
-
-##################
-# Main Execution #
-##################
-
-if __name__ == "__main__":
-  if True: # Run a quick test
-    random.seed(12345) # DEBUG
-    store = makeStoreSquareGrid(4)
-    runTest(store) # Quick test
-  store = None
-  # Do some real work
-  #runTest(makeStoreDimesEdges("DIMES/ASEdges/ASEdges1_2007.csv.gz"))
-  #timelineDimesTest()
-  #rootNodeASTest("asrel/datasets/19980101.as-rel.txt")
-  #timelineASTest()
-  #rootNodeASTest("hype-2016-09-19.list", "output-treesim-hype")
-  #scalingTest(None, "graphs-20") # First argument 1 to only test 1 root per graph
-  #store = makeStoreGeneratedGraph("bgp_tables")
-  #store = makeStoreGeneratedGraph("skitter")
-  #store = makeStoreASRelGraphMaxDeg("hype-2016-09-19.list") #http://hia.cjdns.ca/watchlist/c/walk.peers.20160919
-  #store = makeStoreGeneratedGraph("fc00-2017-08-12.txt")
-  if store: runTest(store)
-  #rootNodeASTest("skitter", "output-treesim-skitter", None, 0, 1)
-  #scalingTest(1, "graphs-20") # First argument 1 to only test 1 root per graph
-  #scalingTest(1, "graphs-21") # First argument 1 to only test 1 root per graph
-  #scalingTest(1, "graphs-22") # First argument 1 to only test 1 root per graph
-  #scalingTest(1, "graphs-23") # First argument 1 to only test 1 root per graph
-  if not store:
-    import sys
-    args = sys.argv
-    if len(args) == 2:
-      job_number = int(sys.argv[1])
-      rootNodeASTest("fc00-2017-08-12.txt", "fc00", None, job_number)
-    else:
-      print "Usage: {} job_number".format(args[0])
-      print "job_number = which job set to run on this node (1-indexed)"
-
--- a/misc/sim/treesim.go
+++ b/misc/sim/treesim.go
@@ -1,453 +0,0 @@
-package main
-
-import "fmt"
-import "bufio"
-import "os"
-import "strings"
-import "strconv"
-import "time"
-import "log"
-
-import "runtime"
-import "runtime/pprof"
-import "flag"
-
-import . "github.com/yggdrasil-network/yggdrasil-go/src/yggdrasil"
-
-////////////////////////////////////////////////////////////////////////////////
-
-type Node struct {
-	index int
-	core  Core
-	send  chan<- []byte
-	recv  <-chan []byte
-}
-
-func (n *Node) init(index int) {
-	n.index = index
-	n.core.Init()
-	n.send = n.core.DEBUG_getSend()
-	n.recv = n.core.DEBUG_getRecv()
-	n.core.DEBUG_simFixMTU()
-}
-
-func (n *Node) printTraffic() {
-	for {
-		packet := <-n.recv
-		fmt.Println(n.index, packet)
-		//panic("Got a packet")
-	}
-}
-
-func (n *Node) startPeers() {
-	//for _, p := range n.core.Peers.Ports {
-	//  go p.MainLoop()
-	//}
-	//go n.printTraffic()
-	//n.core.Peers.DEBUG_startPeers()
-}
-
-func linkNodes(m, n *Node) {
-	// Don't allow duplicates
-	if m.core.DEBUG_getPeers().DEBUG_hasPeer(n.core.DEBUG_getSigningPublicKey()) {
-		return
-	}
-	// Create peers
-	// Buffering reduces packet loss in the sim
-	//  This slightly speeds up testing (fewer delays before retrying a ping)
-	pLinkPub, pLinkPriv := m.core.DEBUG_newBoxKeys()
-	qLinkPub, qLinkPriv := m.core.DEBUG_newBoxKeys()
-	p := m.core.DEBUG_getPeers().DEBUG_newPeer(n.core.DEBUG_getEncryptionPublicKey(),
-		n.core.DEBUG_getSigningPublicKey(), *m.core.DEBUG_getSharedKey(pLinkPriv, qLinkPub))
-	q := n.core.DEBUG_getPeers().DEBUG_newPeer(m.core.DEBUG_getEncryptionPublicKey(),
-		m.core.DEBUG_getSigningPublicKey(), *n.core.DEBUG_getSharedKey(qLinkPriv, pLinkPub))
-	DEBUG_simLinkPeers(p, q)
-	return
-}
-
-func makeStoreSquareGrid(sideLength int) map[int]*Node {
-	store := make(map[int]*Node)
-	nNodes := sideLength * sideLength
-	idxs := make([]int, 0, nNodes)
-	// TODO shuffle nodeIDs
-	for idx := 1; idx <= nNodes; idx++ {
-		idxs = append(idxs, idx)
-	}
-	for _, idx := range idxs {
-		node := &Node{}
-		node.init(idx)
-		store[idx] = node
-	}
-	for idx := 0; idx < nNodes; idx++ {
-		if (idx % sideLength) != 0 {
-			linkNodes(store[idxs[idx]], store[idxs[idx-1]])
-		}
-		if idx >= sideLength {
-			linkNodes(store[idxs[idx]], store[idxs[idx-sideLength]])
-		}
-	}
-	//for _, node := range store { node.initPorts() }
-	return store
-}
-
-func makeStoreStar(nNodes int) map[int]*Node {
-	store := make(map[int]*Node)
-	center := &Node{}
-	center.init(0)
-	store[0] = center
-	for idx := 1; idx < nNodes; idx++ {
-		node := &Node{}
-		node.init(idx)
-		store[idx] = node
-		linkNodes(center, node)
-	}
-	return store
-}
-
-func loadGraph(path string) map[int]*Node {
-	f, err := os.Open(path)
-	if err != nil {
-		panic(err)
-	}
-	defer f.Close()
-	store := make(map[int]*Node)
-	s := bufio.NewScanner(f)
-	for s.Scan() {
-		line := s.Text()
-		nodeIdxstrs := strings.Split(line, " ")
-		nodeIdx0, _ := strconv.Atoi(nodeIdxstrs[0])
-		nodeIdx1, _ := strconv.Atoi(nodeIdxstrs[1])
-		if store[nodeIdx0] == nil {
-			node := &Node{}
-			node.init(nodeIdx0)
-			store[nodeIdx0] = node
-		}
-		if store[nodeIdx1] == nil {
-			node := &Node{}
-			node.init(nodeIdx1)
-			store[nodeIdx1] = node
-		}
-		linkNodes(store[nodeIdx0], store[nodeIdx1])
-	}
-	//for _, node := range store { node.initPorts() }
-	return store
-}
-
-////////////////////////////////////////////////////////////////////////////////
-
-func startNetwork(store map[[32]byte]*Node) {
-	for _, node := range store {
-		node.startPeers()
-	}
-}
-
-func getKeyedStore(store map[int]*Node) map[[32]byte]*Node {
-	newStore := make(map[[32]byte]*Node)
-	for _, node := range store {
-		newStore[node.core.DEBUG_getSigningPublicKey()] = node
-	}
-	return newStore
-}
-
-func testPaths(store map[[32]byte]*Node) bool {
-	nNodes := len(store)
-	count := 0
-	for _, source := range store {
-		count++
-		fmt.Printf("Testing paths from node %d / %d (%d)\n", count, nNodes, source.index)
-		for _, dest := range store {
-			//if source == dest { continue }
-			destLoc := dest.core.DEBUG_getLocator()
-			coords := destLoc.DEBUG_getCoords()
-			temp := 0
-			ttl := ^uint64(0)
-			oldTTL := ttl
-			for here := source; here != dest; {
-				temp++
-				if temp > 4096 {
-					fmt.Println("Loop?")
-					time.Sleep(time.Second)
-					return false
-				}
-				nextPort := here.core.DEBUG_switchLookup(coords)
-				// First check if "here" is accepting packets from the previous node
-				// TODO explain how this works
-				ports := here.core.DEBUG_getPeers().DEBUG_getPorts()
-				nextPeer := ports[nextPort]
-				if nextPeer == nil {
-					fmt.Println("Peer associated with next port is nil")
-					return false
-				}
-				next := store[nextPeer.DEBUG_getSigKey()]
-				/*
-				   if next == here {
-				     //for idx, link := range here.links {
-				     //  fmt.Println("DUMP:", idx, link.nodeID)
-				     //}
-				     if nextPort != 0 { panic("This should not be") }
-				     fmt.Println("Failed to route:", source.index, here.index, dest.index, oldTTL, ttl)
-				     //here.table.DEBUG_dumpTable()
-				     //fmt.Println("Ports:", here.nodeID, here.ports)
-				     return false
-				     panic(fmt.Sprintln("Routing Loop:",
-				                        source.index,
-				                        here.index,
-				                        dest.index))
-				   }
-				*/
-				if temp > 4090 {
-					fmt.Println("DEBUG:",
-						source.index, source.core.DEBUG_getLocator(),
-						here.index, here.core.DEBUG_getLocator(),
-						dest.index, dest.core.DEBUG_getLocator())
-					//here.core.DEBUG_getSwitchTable().DEBUG_dumpTable()
-				}
-				if here != source {
-					// This is sufficient to check for routing loops or blackholes
-					//break
-				}
-				if here == next {
-					fmt.Println("Drop:", source.index, here.index, dest.index, oldTTL)
-					return false
-				}
-				here = next
-			}
-		}
-	}
-	return true
-}
-
-func stressTest(store map[[32]byte]*Node) {
-	fmt.Println("Stress testing network...")
-	nNodes := len(store)
-	dests := make([][]byte, 0, nNodes)
-	for _, dest := range store {
-		loc := dest.core.DEBUG_getLocator()
-		coords := loc.DEBUG_getCoords()
-		dests = append(dests, coords)
-	}
-	lookups := 0
-	start := time.Now()
-	for _, source := range store {
-		for _, coords := range dests {
-			source.core.DEBUG_switchLookup(coords)
-			lookups++
-		}
-	}
-	timed := time.Since(start)
-	fmt.Printf("%d lookups in %s (%f lookups per second)\n",
-		lookups,
-		timed,
-		float64(lookups)/timed.Seconds())
-}
-
-func pingNodes(store map[[32]byte]*Node) {
-	fmt.Println("Sending pings...")
-	nNodes := len(store)
-	count := 0
-	equiv := func(a []byte, b []byte) bool {
-		if len(a) != len(b) {
-			return false
-		}
-		for idx := 0; idx < len(a); idx++ {
-			if a[idx] != b[idx] {
-				return false
-			}
-		}
-		return true
-	}
-	for _, source := range store {
-		count++
-		//if count > 16 { break }
-		fmt.Printf("Sending packets from node %d/%d (%d)\n", count, nNodes, source.index)
-		sourceKey := source.core.DEBUG_getEncryptionPublicKey()
-		payload := sourceKey[:]
-		sourceAddr := source.core.DEBUG_getAddr()[:]
-		sendTo := func(bs []byte, destAddr []byte) {
-			packet := make([]byte, 40+len(bs))
-			copy(packet[8:24], sourceAddr)
-			copy(packet[24:40], destAddr)
-			copy(packet[40:], bs)
-			packet[0] = 6 << 4
-			source.send <- packet
-		}
-		destCount := 0
-		for _, dest := range store {
-			destCount += 1
-			fmt.Printf("%d Nodes, %d Send, %d Recv\n", nNodes, count, destCount)
-			if dest == source {
-				fmt.Println("Skipping self")
-				continue
-			}
-			destAddr := dest.core.DEBUG_getAddr()[:]
-			ticker := time.NewTicker(150 * time.Millisecond)
-			sendTo(payload, destAddr)
-			for loop := true; loop; {
-				select {
-				case packet := <-dest.recv:
-					{
-						if equiv(payload, packet[len(packet)-len(payload):]) {
-							loop = false
-						}
-					}
-				case <-ticker.C:
-					sendTo(payload, destAddr)
-					//dumpDHTSize(store) // note that this uses racey functions to read things...
-				}
-			}
-			ticker.Stop()
-		}
-		//break // Only try sending pings from 1 node
-		// This is because, for some reason, stopTun() doesn't always close it
-		// And if two tuns are up, bad things happen (sends via wrong interface)
-	}
-	fmt.Println("Finished pinging nodes")
-}
-
-func pingBench(store map[[32]byte]*Node) {
-	fmt.Println("Benchmarking pings...")
-	nPings := 0
-	payload := make([]byte, 1280+40) // MTU + ipv6 header
-	var timed time.Duration
-	//nNodes := len(store)
-	count := 0
-	for _, source := range store {
-		count++
-		//fmt.Printf("Sending packets from node %d/%d (%d)\n", count, nNodes, source.index)
-		getPing := func(key [32]byte, decodedCoords []byte) []byte {
-			// TODO write some function to do this the right way, put... somewhere...
-			coords := DEBUG_wire_encode_coords(decodedCoords)
-			packet := make([]byte, 0, len(key)+len(coords)+len(payload))
-			packet = append(packet, key[:]...)
-			packet = append(packet, coords...)
-			packet = append(packet, payload[:]...)
-			return packet
-		}
-		for _, dest := range store {
-			key := dest.core.DEBUG_getEncryptionPublicKey()
-			loc := dest.core.DEBUG_getLocator()
-			coords := loc.DEBUG_getCoords()
-			ping := getPing(key, coords)
-			// TODO make sure the session is open first
-			start := time.Now()
-			for i := 0; i < 1000000; i++ {
-				source.send <- ping
-				nPings++
-			}
-			timed += time.Since(start)
-			break
-		}
-		break
-	}
-	fmt.Printf("Sent %d pings in %s (%f per second)\n",
-		nPings,
-		timed,
-		float64(nPings)/timed.Seconds())
-}
-
-func dumpStore(store map[NodeID]*Node) {
-	for _, node := range store {
-		fmt.Println("DUMPSTORE:", node.index, node.core.DEBUG_getLocator())
-		node.core.DEBUG_getSwitchTable().DEBUG_dumpTable()
-	}
-}
-
-func dumpDHTSize(store map[[32]byte]*Node) {
-	var min, max, sum int
-	for _, node := range store {
-		num := node.core.DEBUG_getDHTSize()
-		min = num
-		max = num
-		break
-	}
-	for _, node := range store {
-		num := node.core.DEBUG_getDHTSize()
-		if num < min {
-			min = num
-		}
-		if num > max {
-			max = num
-		}
-		sum += num
-	}
-	avg := float64(sum) / float64(len(store))
-	fmt.Printf("DHT min %d / avg %f / max %d\n", min, avg, max)
-}
-
-func (n *Node) startTCP(listen string) {
-	n.core.DEBUG_setupAndStartGlobalTCPInterface(listen)
-}
-
-func (n *Node) connectTCP(remoteAddr string) {
-	n.core.AddPeer(remoteAddr, remoteAddr)
-}
-
-////////////////////////////////////////////////////////////////////////////////
-
-var cpuprofile = flag.String("cpuprofile", "", "write cpu profile `file`")
-var memprofile = flag.String("memprofile", "", "write memory profile to this file")
-
-func main() {
-	flag.Parse()
-	if *cpuprofile != "" {
-		f, err := os.Create(*cpuprofile)
-		if err != nil {
-			panic(fmt.Sprintf("could not create CPU profile: ", err))
-		}
-		if err := pprof.StartCPUProfile(f); err != nil {
-			panic(fmt.Sprintf("could not start CPU profile: ", err))
-		}
-		defer pprof.StopCPUProfile()
-	}
-	if *memprofile != "" {
-		f, err := os.Create(*memprofile)
-		if err != nil {
-			panic(fmt.Sprintf("could not create memory profile: ", err))
-		}
-		defer func() { pprof.WriteHeapProfile(f); f.Close() }()
-	}
-	fmt.Println("Test")
-	Util_testAddrIDMask()
-	idxstore := makeStoreSquareGrid(4)
-	//idxstore := makeStoreStar(256)
-	//idxstore := loadGraph("misc/sim/hype-2016-09-19.list")
-	//idxstore := loadGraph("misc/sim/fc00-2017-08-12.txt")
-	//idxstore := loadGraph("skitter")
-	kstore := getKeyedStore(idxstore)
-	//*
-	logger := log.New(os.Stderr, "", log.Flags())
-	for _, n := range kstore {
-		n.core.DEBUG_setLogger(logger)
-	}
-	//*/
-	startNetwork(kstore)
-	//time.Sleep(10*time.Second)
-	// Note that testPaths only works if pressure is turend off
-	//  Otherwise congestion can lead to routing loops?
-	for finished := false; !finished; {
-		finished = testPaths(kstore)
-	}
-	pingNodes(kstore)
-	//pingBench(kstore) // Only after disabling debug output
-	//stressTest(kstore)
-	//time.Sleep(120 * time.Second)
-	dumpDHTSize(kstore) // note that this uses racey functions to read things...
-	if false {
-		// This connects the sim to the local network
-		for _, node := range kstore {
-			node.startTCP("localhost:0")
-			node.connectTCP("localhost:12345")
-			break // just 1
-		}
-		for _, node := range kstore {
-			go func() {
-				// Just dump any packets sent to this node
-				for range node.recv {
-				}
-			}()
-		}
-		var block chan struct{}
-		<-block
-	}
-	runtime.GC()
-}
--- a/src/address/address.go
+++ b/src/address/address.go
@@ -0,0 +1,146 @@
+// Package address contains the types used by yggdrasil to represent IPv6 addresses or prefixes, as well as functions for working with these types.
+// Of particular importance are the functions used to derive addresses or subnets from a NodeID, or to get the NodeID and bitmask of the bits visible from an address, which is needed for DHT searches.
+package address
+
+import (
+	"crypto/ed25519"
+)
+
+// Address represents an IPv6 address in the yggdrasil address range.
+type Address [16]byte
+
+// Subnet represents an IPv6 /64 subnet in the yggdrasil subnet range.
+type Subnet [8]byte
+
+// GetPrefix returns the address prefix used by yggdrasil.
+// The current implementation requires this to be a multiple of 8 bits + 7 bits.
+// The 8th bit of the last byte is used to signal nodes (0) or /64 prefixes (1).
+// Nodes that configure this differently will be unable to communicate with each other using IP packets, though routing and the DHT machinery *should* still work.
+func GetPrefix() [1]byte {
+	return [...]byte{0x02}
+}
+
+// IsValid returns true if an address falls within the range used by nodes in the network.
+func (a *Address) IsValid() bool {
+	prefix := GetPrefix()
+	for idx := range prefix {
+		if (*a)[idx] != prefix[idx] {
+			return false
+		}
+	}
+	return true
+}
+
+// IsValid returns true if a prefix falls within the range usable by the network.
+func (s *Subnet) IsValid() bool {
+	prefix := GetPrefix()
+	l := len(prefix)
+	for idx := range prefix[:l-1] {
+		if (*s)[idx] != prefix[idx] {
+			return false
+		}
+	}
+	return (*s)[l-1] == prefix[l-1]|0x01
+}
+
+// AddrForKey takes an ed25519.PublicKey as an argument and returns an *Address.
+// This function returns nil if the key length is not ed25519.PublicKeySize.
+// This address begins with the contents of GetPrefix(), with the last bit set to 0 to indicate an address.
+// The following 8 bits are set to the number of leading 1 bits in the bitwise inverse of the public key.
+// The bitwise inverse of the key, excluding the leading 1 bits and the first leading 0 bit, is truncated to the appropriate length and makes up the remainder of the address.
+func AddrForKey(publicKey ed25519.PublicKey) *Address {
+	// 128 bit address
+	// Begins with prefix
+	// Next bit is a 0
+	// Next 7 bits, interpreted as a uint, are # of leading 1s in the NodeID
+	// Leading 1s and first leading 0 of the NodeID are truncated off
+	// The rest is appended to the IPv6 address (truncated to 128 bits total)
+	if len(publicKey) != ed25519.PublicKeySize {
+		return nil
+	}
+	var buf [ed25519.PublicKeySize]byte
+	copy(buf[:], publicKey)
+	for idx := range buf {
+		buf[idx] = ^buf[idx]
+	}
+	var addr Address
+	var temp []byte
+	done := false
+	ones := byte(0)
+	bits := byte(0)
+	nBits := 0
+	for idx := 0; idx < 8*len(buf); idx++ {
+		bit := (buf[idx/8] & (0x80 >> byte(idx%8))) >> byte(7-(idx%8))
+		if !done && bit != 0 {
+			ones++
+			continue
+		}
+		if !done && bit == 0 {
+			done = true
+			continue // FIXME? this assumes that ones <= 127, probably only worth changing by using a variable length uint64, but that would require changes to the addressing scheme, and I'm not sure ones > 127 is realistic
+		}
+		bits = (bits << 1) | bit
+		nBits++
+		if nBits == 8 {
+			nBits = 0
+			temp = append(temp, bits)
+		}
+	}
+	prefix := GetPrefix()
+	copy(addr[:], prefix[:])
+	addr[len(prefix)] = ones
+	copy(addr[len(prefix)+1:], temp)
+	return &addr
+}
+
+// SubnetForKey takes an ed25519.PublicKey as an argument and returns a *Subnet.
+// This function returns nil if the key length is not ed25519.PublicKeySize.
+// The subnet begins with the address prefix, with the last bit set to 1 to indicate a prefix.
+// The following 8 bits are set to the number of leading 1 bits in the bitwise inverse of the key.
+// The bitwise inverse of the key, excluding the leading 1 bits and the first leading 0 bit, is truncated to the appropriate length and makes up the remainder of the subnet.
+func SubnetForKey(publicKey ed25519.PublicKey) *Subnet {
+	// Exactly as the address version, with two exceptions:
+	//  1) The first bit after the fixed prefix is a 1 instead of a 0
+	//  2) It's truncated to a subnet prefix length instead of 128 bits
+	addr := AddrForKey(publicKey)
+	if addr == nil {
+		return nil
+	}
+	var snet Subnet
+	copy(snet[:], addr[:])
+	prefix := GetPrefix()
+	snet[len(prefix)-1] |= 0x01
+	return &snet
+}
+
+// GetKet returns the partial ed25519.PublicKey for the Address.
+// This is used for key lookup.
+func (a *Address) GetKey() ed25519.PublicKey {
+	var key [ed25519.PublicKeySize]byte
+	prefix := GetPrefix()
+	ones := int(a[len(prefix)])
+	for idx := 0; idx < ones; idx++ {
+		key[idx/8] |= 0x80 >> byte(idx%8)
+	}
+	keyOffset := ones + 1
+	addrOffset := 8*len(prefix) + 8
+	for idx := addrOffset; idx < 8*len(a); idx++ {
+		bits := a[idx/8] & (0x80 >> byte(idx%8))
+		bits <<= byte(idx % 8)
+		keyIdx := keyOffset + (idx - addrOffset)
+		bits >>= byte(keyIdx % 8)
+		key[keyIdx/8] |= bits
+	}
+	for idx := range key {
+		key[idx] = ^key[idx]
+	}
+	return ed25519.PublicKey(key[:])
+}
+
+// GetKet returns the partial ed25519.PublicKey for the Subnet.
+// This is used for key lookup.
+func (s *Subnet) GetKey() ed25519.PublicKey {
+	var addr Address
+	copy(addr[:], s[:])
+	return addr.GetKey()
+}
--- a/src/admin/admin.go
+++ b/src/admin/admin.go
@@ -0,0 +1,308 @@
+package admin
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"net/url"
+	"os"
+
+	"strings"
+	"time"
+
+	"github.com/gologme/log"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/config"
+	"github.com/yggdrasil-network/yggdrasil-go/src/core"
+)
+
+// TODO: Add authentication
+
+type AdminSocket struct {
+	core       *core.Core
+	log        *log.Logger
+	listenaddr string
+	listener   net.Listener
+	handlers   map[string]handler
+	done       chan struct{}
+}
+
+type AdminSocketResponse struct {
+	Status  string `json:"status"`
+	Request struct {
+		Name      string `json:"request"`
+		KeepAlive bool   `json:"keepalive"`
+	} `json:"request"`
+	Response interface{} `json:"response"`
+}
+
+type handler struct {
+	args    []string                                   // List of human-readable argument names
+	handler func(json.RawMessage) (interface{}, error) // First is input map, second is output
+}
+
+type ListResponse struct {
+	List map[string]ListEntry `json:"list"`
+}
+
+type ListEntry struct {
+	Fields []string `json:"fields"`
+}
+
+// AddHandler is called for each admin function to add the handler and help documentation to the API.
+func (a *AdminSocket) AddHandler(name string, args []string, handlerfunc func(json.RawMessage) (interface{}, error)) error {
+	if _, ok := a.handlers[strings.ToLower(name)]; ok {
+		return errors.New("handler already exists")
+	}
+	a.handlers[strings.ToLower(name)] = handler{
+		args:    args,
+		handler: handlerfunc,
+	}
+	return nil
+}
+
+// Init runs the initial admin setup.
+func (a *AdminSocket) Init(c *core.Core, nc *config.NodeConfig, log *log.Logger, options interface{}) error {
+	a.core = c
+	a.log = log
+	a.handlers = make(map[string]handler)
+	nc.RLock()
+	a.listenaddr = nc.AdminListen
+	nc.RUnlock()
+	a.done = make(chan struct{})
+	close(a.done) // Start in a done / not-started state
+	_ = a.AddHandler("list", []string{}, func(_ json.RawMessage) (interface{}, error) {
+		res := &ListResponse{
+			List: map[string]ListEntry{},
+		}
+		for name, handler := range a.handlers {
+			res.List[name] = ListEntry{
+				Fields: handler.args,
+			}
+		}
+		return res, nil
+	})
+	a.core.SetAdmin(a)
+	return nil
+}
+
+func (a *AdminSocket) SetupAdminHandlers(na *AdminSocket) {
+	_ = a.AddHandler("getSelf", []string{}, func(in json.RawMessage) (interface{}, error) {
+		req := &GetSelfRequest{}
+		res := &GetSelfResponse{}
+		if err := json.Unmarshal(in, &req); err != nil {
+			return nil, err
+		}
+		if err := a.getSelfHandler(req, res); err != nil {
+			return nil, err
+		}
+		return res, nil
+	})
+	_ = a.AddHandler("getPeers", []string{}, func(in json.RawMessage) (interface{}, error) {
+		req := &GetPeersRequest{}
+		res := &GetPeersResponse{}
+		if err := json.Unmarshal(in, &req); err != nil {
+			return nil, err
+		}
+		if err := a.getPeersHandler(req, res); err != nil {
+			return nil, err
+		}
+		return res, nil
+	})
+	_ = a.AddHandler("getDHT", []string{}, func(in json.RawMessage) (interface{}, error) {
+		req := &GetDHTRequest{}
+		res := &GetDHTResponse{}
+		if err := json.Unmarshal(in, &req); err != nil {
+			return nil, err
+		}
+		if err := a.getDHTHandler(req, res); err != nil {
+			return nil, err
+		}
+		return res, nil
+	})
+	_ = a.AddHandler("getPaths", []string{}, func(in json.RawMessage) (interface{}, error) {
+		req := &GetPathsRequest{}
+		res := &GetPathsResponse{}
+		if err := json.Unmarshal(in, &req); err != nil {
+			return nil, err
+		}
+		if err := a.getPathsHandler(req, res); err != nil {
+			return nil, err
+		}
+		return res, nil
+	})
+	_ = a.AddHandler("getSessions", []string{}, func(in json.RawMessage) (interface{}, error) {
+		req := &GetSessionsRequest{}
+		res := &GetSessionsResponse{}
+		if err := json.Unmarshal(in, &req); err != nil {
+			return nil, err
+		}
+		if err := a.getSessionsHandler(req, res); err != nil {
+			return nil, err
+		}
+		return res, nil
+	})
+	//_ = a.AddHandler("getNodeInfo", []string{"key"}, t.proto.nodeinfo.nodeInfoAdminHandler)
+	//_ = a.AddHandler("debug_remoteGetSelf", []string{"key"}, t.proto.getSelfHandler)
+	//_ = a.AddHandler("debug_remoteGetPeers", []string{"key"}, t.proto.getPeersHandler)
+	//_ = a.AddHandler("debug_remoteGetDHT", []string{"key"}, t.proto.getDHTHandler)
+}
+
+// Start runs the admin API socket to listen for / respond to admin API calls.
+func (a *AdminSocket) Start() error {
+	if a.listenaddr != "none" && a.listenaddr != "" {
+		a.done = make(chan struct{})
+		go a.listen()
+	}
+	return nil
+}
+
+// IsStarted returns true if the module has been started.
+func (a *AdminSocket) IsStarted() bool {
+	select {
+	case <-a.done:
+		// Not blocking, so we're not currently running
+		return false
+	default:
+		// Blocked, so we must have started
+		return true
+	}
+}
+
+// Stop will stop the admin API and close the socket.
+func (a *AdminSocket) Stop() error {
+	if a.listener != nil {
+		select {
+		case <-a.done:
+		default:
+			close(a.done)
+		}
+		return a.listener.Close()
+	}
+	return nil
+}
+
+// listen is run by start and manages API connections.
+func (a *AdminSocket) listen() {
+	u, err := url.Parse(a.listenaddr)
+	if err == nil {
+		switch strings.ToLower(u.Scheme) {
+		case "unix":
+			if _, err := os.Stat(a.listenaddr[7:]); err == nil {
+				a.log.Debugln("Admin socket", a.listenaddr[7:], "already exists, trying to clean up")
+				if _, err := net.DialTimeout("unix", a.listenaddr[7:], time.Second*2); err == nil || err.(net.Error).Timeout() {
+					a.log.Errorln("Admin socket", a.listenaddr[7:], "already exists and is in use by another process")
+					os.Exit(1)
+				} else {
+					if err := os.Remove(a.listenaddr[7:]); err == nil {
+						a.log.Debugln(a.listenaddr[7:], "was cleaned up")
+					} else {
+						a.log.Errorln(a.listenaddr[7:], "already exists and was not cleaned up:", err)
+						os.Exit(1)
+					}
+				}
+			}
+			a.listener, err = net.Listen("unix", a.listenaddr[7:])
+			if err == nil {
+				switch a.listenaddr[7:8] {
+				case "@": // maybe abstract namespace
+				default:
+					if err := os.Chmod(a.listenaddr[7:], 0660); err != nil {
+						a.log.Warnln("WARNING:", a.listenaddr[:7], "may have unsafe permissions!")
+					}
+				}
+			}
+		case "tcp":
+			a.listener, err = net.Listen("tcp", u.Host)
+		default:
+			// err = errors.New(fmt.Sprint("protocol not supported: ", u.Scheme))
+			a.listener, err = net.Listen("tcp", a.listenaddr)
+		}
+	} else {
+		a.listener, err = net.Listen("tcp", a.listenaddr)
+	}
+	if err != nil {
+		a.log.Errorf("Admin socket failed to listen: %v", err)
+		os.Exit(1)
+	}
+	a.log.Infof("%s admin socket listening on %s",
+		strings.ToUpper(a.listener.Addr().Network()),
+		a.listener.Addr().String())
+	defer a.listener.Close()
+	for {
+		conn, err := a.listener.Accept()
+		if err == nil {
+			go a.handleRequest(conn)
+		} else {
+			select {
+			case <-a.done:
+				// Not blocked, so we havent started or already stopped
+				return
+			default:
+				// Blocked, so we're supposed to keep running
+			}
+		}
+	}
+}
+
+// handleRequest calls the request handler for each request sent to the admin API.
+func (a *AdminSocket) handleRequest(conn net.Conn) {
+	decoder := json.NewDecoder(conn)
+	decoder.DisallowUnknownFields()
+
+	encoder := json.NewEncoder(conn)
+	encoder.SetIndent("", "  ")
+
+	defer conn.Close()
+
+	defer func() {
+		r := recover()
+		if r != nil {
+			a.log.Debugln("Admin socket error:", r)
+			if err := encoder.Encode(&ErrorResponse{
+				Error: "Check your syntax and input types",
+			}); err != nil {
+				a.log.Debugln("Admin socket JSON encode error:", err)
+			}
+			conn.Close()
+		}
+	}()
+
+	for {
+		var err error
+		var buf json.RawMessage
+		_ = decoder.Decode(&buf)
+		var resp AdminSocketResponse
+		resp.Status = "success"
+		if err = json.Unmarshal(buf, &resp.Request); err == nil {
+			if resp.Request.Name == "" {
+				resp.Status = "error"
+				resp.Response = &ErrorResponse{
+					Error: "No request specified",
+				}
+			} else if h, ok := a.handlers[strings.ToLower(resp.Request.Name)]; ok {
+				resp.Response, err = h.handler(buf)
+				if err != nil {
+					resp.Status = "error"
+					resp.Response = &ErrorResponse{
+						Error: err.Error(),
+					}
+				}
+			} else {
+				resp.Status = "error"
+				resp.Response = &ErrorResponse{
+					Error: fmt.Sprintf("Unknown action '%s', try 'list' for help", resp.Request.Name),
+				}
+			}
+		}
+		if err = encoder.Encode(resp); err != nil {
+			a.log.Debugln("Encode error:", err)
+		}
+		if !resp.Request.KeepAlive {
+			break
+		} else {
+			continue
+		}
+	}
+}
--- a/src/admin/error.go
+++ b/src/admin/error.go
@@ -0,0 +1,5 @@
+package admin
+
+type ErrorResponse struct {
+	Error string `json:"error"`
+}
--- a/src/admin/getdht.go
+++ b/src/admin/getdht.go
@@ -0,0 +1,34 @@
+package admin
+
+import (
+	"encoding/hex"
+	"net"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+)
+
+type GetDHTRequest struct{}
+
+type GetDHTResponse struct {
+	DHT map[string]DHTEntry `json:"dht"`
+}
+
+type DHTEntry struct {
+	PublicKey string `json:"key"`
+	Port      uint64 `json:"port"`
+	Rest      uint64 `json:"rest"`
+}
+
+func (a *AdminSocket) getDHTHandler(req *GetDHTRequest, res *GetDHTResponse) error {
+	res.DHT = map[string]DHTEntry{}
+	for _, d := range a.core.GetDHT() {
+		addr := address.AddrForKey(d.Key)
+		so := net.IP(addr[:]).String()
+		res.DHT[so] = DHTEntry{
+			PublicKey: hex.EncodeToString(d.Key[:]),
+			Port:      d.Port,
+			Rest:      d.Rest,
+		}
+	}
+	return nil
+}
--- a/src/admin/getpaths.go
+++ b/src/admin/getpaths.go
@@ -0,0 +1,33 @@
+package admin
+
+import (
+	"encoding/hex"
+	"net"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+)
+
+type GetPathsRequest struct {
+}
+
+type GetPathsResponse struct {
+	Paths map[string]PathEntry `json:"paths"`
+}
+
+type PathEntry struct {
+	PublicKey string   `json:"key"`
+	Path      []uint64 `json:"path"`
+}
+
+func (a *AdminSocket) getPathsHandler(req *GetPathsRequest, res *GetPathsResponse) error {
+	res.Paths = map[string]PathEntry{}
+	for _, p := range a.core.GetPaths() {
+		addr := address.AddrForKey(p.Key)
+		so := net.IP(addr[:]).String()
+		res.Paths[so] = PathEntry{
+			PublicKey: hex.EncodeToString(p.Key),
+			Path:      p.Path,
+		}
+	}
+	return nil
+}
--- a/src/admin/getpeers.go
+++ b/src/admin/getpeers.go
@@ -0,0 +1,37 @@
+package admin
+
+import (
+	"encoding/hex"
+	"net"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+)
+
+type GetPeersRequest struct {
+}
+
+type GetPeersResponse struct {
+	Peers map[string]PeerEntry `json:"peers"`
+}
+
+type PeerEntry struct {
+	PublicKey string   `json:"key"`
+	Port      uint64   `json:"port"`
+	Coords    []uint64 `json:"coords"`
+	Remote    string   `json:"remote"`
+}
+
+func (a *AdminSocket) getPeersHandler(req *GetPeersRequest, res *GetPeersResponse) error {
+	res.Peers = map[string]PeerEntry{}
+	for _, p := range a.core.GetPeers() {
+		addr := address.AddrForKey(p.Key)
+		so := net.IP(addr[:]).String()
+		res.Peers[so] = PeerEntry{
+			PublicKey: hex.EncodeToString(p.Key),
+			Port:      p.Port,
+			Coords:    p.Coords,
+			Remote:    p.Remote,
+		}
+	}
+	return nil
+}
--- a/src/admin/getself.go
+++ b/src/admin/getself.go
@@ -0,0 +1,36 @@
+package admin
+
+import (
+	"encoding/hex"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/version"
+)
+
+type GetSelfRequest struct{}
+
+type GetSelfResponse struct {
+	Self map[string]SelfEntry `json:"self"`
+}
+
+type SelfEntry struct {
+	BuildName    string   `json:"build_name"`
+	BuildVersion string   `json:"build_version"`
+	PublicKey    string   `json:"key"`
+	Coords       []uint64 `json:"coords"`
+	Subnet       string   `json:"subnet"`
+}
+
+func (a *AdminSocket) getSelfHandler(req *GetSelfRequest, res *GetSelfResponse) error {
+	res.Self = make(map[string]SelfEntry)
+	self := a.core.GetSelf()
+	addr := a.core.Address().String()
+	snet := a.core.Subnet()
+	res.Self[addr] = SelfEntry{
+		BuildName:    version.BuildName(),
+		BuildVersion: version.BuildVersion(),
+		PublicKey:    hex.EncodeToString(self.Key[:]),
+		Subnet:       snet.String(),
+		Coords:       self.Coords,
+	}
+	return nil
+}
--- a/src/admin/getsessions.go
+++ b/src/admin/getsessions.go
@@ -0,0 +1,30 @@
+package admin
+
+import (
+	"encoding/hex"
+	"net"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+)
+
+type GetSessionsRequest struct{}
+
+type GetSessionsResponse struct {
+	Sessions map[string]SessionEntry `json:"sessions"`
+}
+
+type SessionEntry struct {
+	PublicKey string `json:"key"`
+}
+
+func (a *AdminSocket) getSessionsHandler(req *GetSessionsRequest, res *GetSessionsResponse) error {
+	res.Sessions = map[string]SessionEntry{}
+	for _, s := range a.core.GetSessions() {
+		addr := address.AddrForKey(s.Key)
+		so := net.IP(addr[:]).String()
+		res.Sessions[so] = SessionEntry{
+			PublicKey: hex.EncodeToString(s.Key[:]),
+		}
+	}
+	return nil
+}
--- a/src/config/config.go
+++ b/src/config/config.go
@@ -1,53 +1,83 @@
+/*
+The config package contains structures related to the configuration of an
+Yggdrasil node.
+
+The configuration contains, amongst other things, encryption keys which are used
+to derive a node's identity, information about peerings and node information
+that is shared with the network. There are also some module-specific options
+related to TUN, multicast and the admin socket.
+
+In order for a node to maintain the same identity across restarts, you should
+persist the configuration onto the filesystem or into some configuration storage
+so that the encryption keys (and therefore the node ID) do not change.
+
+Note that Yggdrasil will automatically populate sane defaults for any
+configuration option that is not provided.
+*/
 package config

-// NodeConfig defines all configuration values needed to run a signle yggdrasil node
+import (
+	"crypto/ed25519"
+	"encoding/hex"
+	"sync"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/defaults"
+)
+
+// NodeConfig is the main configuration structure, containing configuration
+// options that are necessary for an Yggdrasil node to run. You will need to
+// supply one of these structs to the Yggdrasil core when starting a node.
 type NodeConfig struct {
-	Listen                      string              `comment:"Listen address for peer connections. Default is to listen for all\nTCP connections over IPv4 and IPv6 with a random port."`
-	AdminListen                 string              `comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for yggdrasilctl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."`
-	Peers                       []string            `comment:"List of connection strings for static peers in URI format, e.g.\ntcp://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j."`
-	InterfacePeers              map[string][]string `comment:"List of connection strings for static peers in URI format, arranged\nby source interface, e.g. { \"eth0\": [ tcp://a.b.c.d:e ] }. Note that\nSOCKS peerings will NOT be affected by this option and should go in\nthe \"Peers\" section instead."`
-	ReadTimeout                 int32               `comment:"Read timeout for connections, specified in milliseconds. If less\nthan 6000 and not negative, 6000 (the default) is used. If negative,\nreads won't time out."`
-	AllowedEncryptionPublicKeys []string            `comment:"List of peer encryption public keys to allow or incoming TCP\nconnections from. If left empty/undefined then all connections\nwill be allowed by default."`
-	EncryptionPublicKey         string              `comment:"Your public encryption key. Your peers may ask you for this to put\ninto their AllowedEncryptionPublicKeys configuration."`
-	EncryptionPrivateKey        string              `comment:"Your private encryption key. DO NOT share this with anyone!"`
-	SigningPublicKey            string              `comment:"Your public signing key. You should not ordinarily need to share\nthis with anyone."`
-	SigningPrivateKey           string              `comment:"Your private signing key. DO NOT share this with anyone!"`
-	MulticastInterfaces         []string            `comment:"Regular expressions for which interfaces multicast peer discovery\nshould be enabled on. If none specified, multicast peer discovery is\ndisabled. The default value is .* which uses all interfaces."`
-	IfName                      string              `comment:"Local network interface name for TUN/TAP adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN/TAP."`
-	IfTAPMode                   bool                `comment:"Set local network interface to TAP mode rather than TUN mode if\nsupported by your platform - option will be ignored if not."`
-	IfMTU                       int                 `comment:"Maximux Transmission Unit (MTU) size for your local TUN/TAP interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."`
-	SessionFirewall             SessionFirewall     `comment:"The session firewall controls who can send/receive network traffic\nto/from. This is useful if you want to protect this node without\nresorting to using a real firewall. This does not affect traffic\nbeing routed via this node to somewhere else. Rules are prioritised as\nfollows: blacklist, whitelist, always allow outgoing, direct, remote."`
-	TunnelRouting               TunnelRouting       `comment:"Allow tunneling non-Yggdrasil traffic over Yggdrasil. This effectively\nallows you to use Yggdrasil to route to, or to bridge other networks,\nsimilar to a VPN tunnel. Tunnelling works between any two nodes and\ndoes not require them to be directly peered."`
-	SwitchOptions               SwitchOptions       `comment:"Advanced options for tuning the switch. Normally you will not need\nto edit these options."`
-	//Net                         NetConfig `comment:"Extended options for connecting to peers over other networks."`
+	sync.RWMutex        `json:"-"`
+	Peers               []string               `comment:"List of connection strings for outbound peer connections in URI format,\ne.g. tls://a.b.c.d:e or socks://a.b.c.d:e/f.g.h.i:j. These connections\nwill obey the operating system routing table, therefore you should\nuse this section when you may connect via different interfaces."`
+	InterfacePeers      map[string][]string    `comment:"List of connection strings for outbound peer connections in URI format,\narranged by source interface, e.g. { \"eth0\": [ tls://a.b.c.d:e ] }.\nNote that SOCKS peerings will NOT be affected by this option and should\ngo in the \"Peers\" section instead."`
+	Listen              []string               `comment:"Listen addresses for incoming connections. You will need to add\nlisteners in order to accept incoming peerings from non-local nodes.\nMulticast peer discovery will work regardless of any listeners set\nhere. Each listener should be specified in URI format as above, e.g.\ntls://0.0.0.0:0 or tls://[::]:0 to listen on all interfaces."`
+	AdminListen         string                 `comment:"Listen address for admin connections. Default is to listen for local\nconnections either on TCP/9001 or a UNIX socket depending on your\nplatform. Use this value for yggdrasilctl -endpoint=X. To disable\nthe admin socket, use the value \"none\" instead."`
+	MulticastInterfaces []string               `comment:"Regular expressions for which interfaces multicast peer discovery\nshould be enabled on. If none specified, multicast peer discovery is\ndisabled. The default value is .* which uses all interfaces."`
+	AllowedPublicKeys   []string               `comment:"List of peer public keys to allow incoming peering connections\nfrom. If left empty/undefined then all connections will be allowed\nby default. This does not affect outgoing peerings, nor does it\naffect link-local peers discovered via multicast."`
+	PublicKey           string                 `comment:"Your public key. Your peers may ask you for this to put\ninto their AllowedPublicKeys configuration."`
+	PrivateKey          string                 `comment:"Your private key. DO NOT share this with anyone!"`
+	LinkLocalTCPPort    uint16                 `comment:"The port number to be used for the link-local TCP listeners for the\nconfigured MulticastInterfaces. This option does not affect listeners\nspecified in the Listen option. Unless you plan to firewall link-local\ntraffic, it is best to leave this as the default value of 0. This\noption cannot currently be changed by reloading config during runtime."`
+	IfName              string                 `comment:"Local network interface name for TUN adapter, or \"auto\" to select\nan interface automatically, or \"none\" to run without TUN."`
+	IfMTU               uint64                 `comment:"Maximum Transmission Unit (MTU) size for your local TUN interface.\nDefault is the largest supported size for your platform. The lowest\npossible value is 1280."`
+	NodeInfoPrivacy     bool                   `comment:"By default, nodeinfo contains some defaults including the platform,\narchitecture and Yggdrasil version. These can help when surveying\nthe network and diagnosing network routing problems. Enabling\nnodeinfo privacy prevents this, so that only items specified in\n\"NodeInfo\" are sent back if specified."`
+	NodeInfo            map[string]interface{} `comment:"Optional node info. This must be a { \"key\": \"value\", ... } map\nor set as null. This is entirely optional but, if set, is visible\nto the whole network on request."`
 }

-// NetConfig defines network/proxy related configuration values
-type NetConfig struct {
-	Tor TorConfig `comment:"Experimental options for configuring peerings over Tor."`
-	I2P I2PConfig `comment:"Experimental options for configuring peerings over I2P."`
+// Generates default configuration and returns a pointer to the resulting
+// NodeConfig. This is used when outputting the -genconf parameter and also when
+// using -autoconf.
+func GenerateConfig() *NodeConfig {
+	// Generate encryption keys.
+	spub, spriv, err := ed25519.GenerateKey(nil)
+	if err != nil {
+		panic(err)
+	}
+	// Create a node configuration and populate it.
+	cfg := NodeConfig{}
+	cfg.Listen = []string{}
+	cfg.AdminListen = defaults.GetDefaults().DefaultAdminListen
+	cfg.PublicKey = hex.EncodeToString(spub[:])
+	cfg.PrivateKey = hex.EncodeToString(spriv[:])
+	cfg.Peers = []string{}
+	cfg.InterfacePeers = map[string][]string{}
+	cfg.AllowedPublicKeys = []string{}
+	cfg.MulticastInterfaces = defaults.GetDefaults().DefaultMulticastInterfaces
+	cfg.IfName = defaults.GetDefaults().DefaultIfName
+	cfg.IfMTU = defaults.GetDefaults().DefaultIfMTU
+	cfg.NodeInfoPrivacy = false
+
+	return &cfg
 }

-// SessionFirewall controls the session firewall configuration
-type SessionFirewall struct {
-	Enable                        bool     `comment:"Enable or disable the session firewall. If disabled, network traffic\nfrom any node will be allowed. If enabled, the below rules apply."`
-	AllowFromDirect               bool     `comment:"Allow network traffic from directly connected peers."`
-	AllowFromRemote               bool     `comment:"Allow network traffic from remote nodes on the network that you are\nnot directly peered with."`
-	AlwaysAllowOutbound           bool     `comment:"Allow outbound network traffic regardless of AllowFromDirect or\nAllowFromRemote. This does allow a remote node to send unsolicited\ntraffic back to you for the length of the session."`
-	WhitelistEncryptionPublicKeys []string `comment:"List of public keys from which network traffic is always accepted,\nregardless of AllowFromDirect or AllowFromRemote."`
-	BlacklistEncryptionPublicKeys []string `comment:"List of public keys from which network traffic is always rejected,\nregardless of the whitelist, AllowFromDirect or AllowFromRemote."`
-}
-
-// TunnelRouting contains the crypto-key routing tables for tunneling
-type TunnelRouting struct {
-	Enable           bool              `comment:"Enable or disable tunnel routing."`
-	IPv6Destinations map[string]string `comment:"IPv6 CIDR subnets, mapped to the EncryptionPublicKey to which they\nshould be routed, e.g. { \"aaaa:bbbb:cccc::/e\": \"boxpubkey\", ... }"`
-	IPv6Sources      []string          `comment:"Optional IPv6 source subnets which are allowed to be tunnelled in\naddition to this node's Yggdrasil address/subnet. If not\nspecified, only traffic originating from this node's Yggdrasil\naddress or subnet will be tunnelled."`
-	IPv4Destinations map[string]string `comment:"IPv4 CIDR subnets, mapped to the EncryptionPublicKey to which they\nshould be routed, e.g. { \"a.b.c.d/e\": \"boxpubkey\", ... }"`
-	IPv4Sources      []string          `comment:"IPv4 source subnets which are allowed to be tunnelled. Unlike for\nIPv6, this option is required for bridging IPv4 traffic. Only\ntraffic with a source matching these subnets will be tunnelled."`
-}
-
-// SwitchOptions contains tuning options for the switch
-type SwitchOptions struct {
-	MaxTotalQueueSize uint64 `comment:"Maximum size of all switch queues combined (in bytes)."`
+// NewSigningKeys replaces the signing keypair in the NodeConfig with a new
+// signing keypair. The signing keys are used by the switch to derive the
+// structure of the spanning tree.
+func (cfg *NodeConfig) NewKeys() {
+	spub, spriv, err := ed25519.GenerateKey(nil)
+	if err != nil {
+		panic(err)
+	}
+	cfg.PublicKey = hex.EncodeToString(spub[:])
+	cfg.PrivateKey = hex.EncodeToString(spriv[:])
 }
--- a/src/config/i2p.go
+++ b/src/config/i2p.go
@@ -1,8 +0,0 @@
-package config
-
-// I2PConfig is the configuration structure for i2p related configuration
-type I2PConfig struct {
-	Keyfile string // private key file or empty string for ephemeral keys
-	Addr    string // address of i2p api connector
-	Enabled bool
-}
--- a/src/config/tor.go
+++ b/src/config/tor.go
@@ -1,8 +0,0 @@
-package config
-
-// TorConfig is the configuration structure for Tor Proxy related values
-type TorConfig struct {
-	OnionKeyfile string // hidden service private key for ADD_ONION (currently unimplemented)
-	ControlAddr  string // tor control port address
-	Enabled      bool
-}
--- a/src/core/api.go
+++ b/src/core/api.go
@@ -0,0 +1,301 @@
+package core
+
+import (
+	"crypto/ed25519"
+	//"encoding/hex"
+	"encoding/json"
+	//"errors"
+	//"fmt"
+	"net"
+	"net/url"
+	//"sort"
+	//"time"
+
+	"github.com/gologme/log"
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+	//"github.com/yggdrasil-network/yggdrasil-go/src/crypto"
+	//"github.com/Arceliar/phony"
+)
+
+type Self struct {
+	Key    ed25519.PublicKey
+	Root   ed25519.PublicKey
+	Coords []uint64
+}
+
+type Peer struct {
+	Key    ed25519.PublicKey
+	Root   ed25519.PublicKey
+	Coords []uint64
+	Port   uint64
+	Remote string
+}
+
+type DHTEntry struct {
+	Key  ed25519.PublicKey
+	Port uint64
+	Rest uint64
+}
+
+type PathEntry struct {
+	Key  ed25519.PublicKey
+	Path []uint64
+}
+
+type Session struct {
+	Key ed25519.PublicKey
+}
+
+func (c *Core) GetSelf() Self {
+	var self Self
+	s := c.pc.PacketConn.Debug.GetSelf()
+	self.Key = s.Key
+	self.Root = s.Root
+	self.Coords = s.Coords
+	return self
+}
+
+func (c *Core) GetPeers() []Peer {
+	var peers []Peer
+	names := make(map[net.Conn]string)
+	c.links.mutex.Lock()
+	for _, info := range c.links.links {
+		names[info.conn] = info.lname
+	}
+	c.links.mutex.Unlock()
+	ps := c.pc.PacketConn.Debug.GetPeers()
+	for _, p := range ps {
+		var info Peer
+		info.Key = p.Key
+		info.Root = p.Root
+		info.Coords = p.Coords
+		info.Port = p.Port
+		info.Remote = p.Conn.RemoteAddr().String()
+		if name := names[p.Conn]; name != "" {
+			info.Remote = name
+		}
+		peers = append(peers, info)
+	}
+	return peers
+}
+
+func (c *Core) GetDHT() []DHTEntry {
+	var dhts []DHTEntry
+	ds := c.pc.PacketConn.Debug.GetDHT()
+	for _, d := range ds {
+		var info DHTEntry
+		info.Key = d.Key
+		info.Port = d.Port
+		info.Rest = d.Rest
+		dhts = append(dhts, info)
+	}
+	return dhts
+}
+
+func (c *Core) GetPaths() []PathEntry {
+	var paths []PathEntry
+	ps := c.pc.PacketConn.Debug.GetPaths()
+	for _, p := range ps {
+		var info PathEntry
+		info.Key = p.Key
+		info.Path = p.Path
+		paths = append(paths, info)
+	}
+	return paths
+}
+
+func (c *Core) GetSessions() []Session {
+	var sessions []Session
+	ss := c.pc.Debug.GetSessions()
+	for _, s := range ss {
+		var info Session
+		info.Key = s.Key
+		sessions = append(sessions, info)
+	}
+	return sessions
+}
+
+// Listen starts a new listener (either TCP or TLS). The input should be a url.URL
+// parsed from a string of the form e.g. "tcp://a.b.c.d:e". In the case of a
+// link-local address, the interface should be provided as the second argument.
+func (c *Core) Listen(u *url.URL, sintf string) (*TcpListener, error) {
+	return c.links.tcp.listenURL(u, sintf)
+}
+
+// Address gets the IPv6 address of the Yggdrasil node. This is always a /128
+// address. The IPv6 address is only relevant when the node is operating as an
+// IP router and often is meaningless when embedded into an application, unless
+// that application also implements either VPN functionality or deals with IP
+// packets specifically.
+func (c *Core) Address() net.IP {
+	addr := net.IP(address.AddrForKey(c.public)[:])
+	return addr
+}
+
+// Subnet gets the routed IPv6 subnet of the Yggdrasil node. This is always a
+// /64 subnet. The IPv6 subnet is only relevant when the node is operating as an
+// IP router and often is meaningless when embedded into an application, unless
+// that application also implements either VPN functionality or deals with IP
+// packets specifically.
+func (c *Core) Subnet() net.IPNet {
+	subnet := address.SubnetForKey(c.public)[:]
+	subnet = append(subnet, 0, 0, 0, 0, 0, 0, 0, 0)
+	return net.IPNet{IP: subnet, Mask: net.CIDRMask(64, 128)}
+}
+
+// SetLogger sets the output logger of the Yggdrasil node after startup. This
+// may be useful if you want to redirect the output later. Note that this
+// expects a Logger from the github.com/gologme/log package and not from Go's
+// built-in log package.
+func (c *Core) SetLogger(log *log.Logger) {
+	c.log = log
+}
+
+// AddPeer adds a peer. This should be specified in the peer URI format, e.g.:
+// 		tcp://a.b.c.d:e
+//		socks://a.b.c.d:e/f.g.h.i:j
+// This adds the peer to the peer list, so that they will be called again if the
+// connection drops.
+/*
+func (c *Core) AddPeer(addr string, sintf string) error {
+	if err := c.CallPeer(addr, sintf); err != nil {
+		// TODO: We maybe want this to write the peer to the persistent
+		// configuration even if a connection attempt fails, but first we'll need to
+		// move the code to check the peer URI so that we don't deliberately save a
+		// peer with a known bad URI. Loading peers from config should really do the
+		// same thing too but I don't think that happens today
+		return err
+	}
+	c.config.Mutex.Lock()
+	defer c.config.Mutex.Unlock()
+	if sintf == "" {
+		for _, peer := range c.config.Current.Peers {
+			if peer == addr {
+				return errors.New("peer already added")
+			}
+		}
+		c.config.Current.Peers = append(c.config.Current.Peers, addr)
+	} else {
+		if _, ok := c.config.Current.InterfacePeers[sintf]; ok {
+			for _, peer := range c.config.Current.InterfacePeers[sintf] {
+				if peer == addr {
+					return errors.New("peer already added")
+				}
+			}
+		}
+		if _, ok := c.config.Current.InterfacePeers[sintf]; !ok {
+			c.config.Current.InterfacePeers[sintf] = []string{addr}
+		} else {
+			c.config.Current.InterfacePeers[sintf] = append(c.config.Current.InterfacePeers[sintf], addr)
+		}
+	}
+	return nil
+}
+*/
+
+/*
+func (c *Core) RemovePeer(addr string, sintf string) error {
+	if sintf == "" {
+		for i, peer := range c.config.Current.Peers {
+			if peer == addr {
+				c.config.Current.Peers = append(c.config.Current.Peers[:i], c.config.Current.Peers[i+1:]...)
+				break
+			}
+		}
+	} else if _, ok := c.config.Current.InterfacePeers[sintf]; ok {
+		for i, peer := range c.config.Current.InterfacePeers[sintf] {
+			if peer == addr {
+				c.config.Current.InterfacePeers[sintf] = append(c.config.Current.InterfacePeers[sintf][:i], c.config.Current.InterfacePeers[sintf][i+1:]...)
+				break
+			}
+		}
+	}
+
+	panic("TODO") // Get the net.Conn to this peer (if any) and close it
+	c.peers.Act(nil, func() {
+		ports := c.peers.ports
+		for _, peer := range ports {
+			if addr == peer.intf.name() {
+				c.peers._removePeer(peer)
+			}
+		}
+	})
+
+	return nil
+}
+*/
+
+// CallPeer calls a peer once. This should be specified in the peer URI format,
+// e.g.:
+// 		tcp://a.b.c.d:e
+//		socks://a.b.c.d:e/f.g.h.i:j
+// This does not add the peer to the peer list, so if the connection drops, the
+// peer will not be called again automatically.
+func (c *Core) CallPeer(u *url.URL, sintf string) error {
+	return c.links.call(u, sintf)
+}
+
+func (c *Core) PublicKey() ed25519.PublicKey {
+	return c.public
+}
+
+func (c *Core) MaxMTU() uint64 {
+	return c.store.maxSessionMTU()
+}
+
+func (c *Core) SetMTU(mtu uint64) {
+	if mtu < 1280 {
+		mtu = 1280
+	}
+	c.store.mutex.Lock()
+	c.store.mtu = mtu
+	c.store.mutex.Unlock()
+}
+
+func (c *Core) MTU() uint64 {
+	c.store.mutex.Lock()
+	mtu := c.store.mtu
+	c.store.mutex.Unlock()
+	return mtu
+}
+
+// Implement io.ReadWriteCloser
+
+func (c *Core) Read(p []byte) (n int, err error) {
+	n, err = c.store.readPC(p)
+	return
+}
+
+func (c *Core) Write(p []byte) (n int, err error) {
+	n, err = c.store.writePC(p)
+	return
+}
+
+func (c *Core) Close() error {
+	c.Stop()
+	return nil
+}
+
+// Hack to get the admin stuff working, TODO something cleaner
+
+type AddHandler interface {
+	AddHandler(name string, args []string, handlerfunc func(json.RawMessage) (interface{}, error)) error
+}
+
+// SetAdmin must be called after Init and before Start.
+// It sets the admin handler for NodeInfo and the Debug admin functions.
+func (c *Core) SetAdmin(a AddHandler) error {
+	if err := a.AddHandler("getNodeInfo", []string{"key"}, c.proto.nodeinfo.nodeInfoAdminHandler); err != nil {
+		return err
+	}
+	if err := a.AddHandler("debug_remoteGetSelf", []string{"key"}, c.proto.getSelfHandler); err != nil {
+		return err
+	}
+	if err := a.AddHandler("debug_remoteGetPeers", []string{"key"}, c.proto.getPeersHandler); err != nil {
+		return err
+	}
+	if err := a.AddHandler("debug_remoteGetDHT", []string{"key"}, c.proto.getDHTHandler); err != nil {
+		return err
+	}
+	return nil
+}
--- a/src/core/core.go
+++ b/src/core/core.go
@@ -0,0 +1,183 @@
+package core
+
+import (
+	"context"
+	"crypto/ed25519"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net/url"
+	"time"
+
+	iw "github.com/Arceliar/ironwood/encrypted"
+	"github.com/Arceliar/phony"
+	"github.com/gologme/log"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/config"
+	//"github.com/yggdrasil-network/yggdrasil-go/src/crypto"
+	"github.com/yggdrasil-network/yggdrasil-go/src/version"
+)
+
+// The Core object represents the Yggdrasil node. You should create a Core
+// object for each Yggdrasil node you plan to run.
+type Core struct {
+	// This is the main data structure that holds everything else for a node
+	// We're going to keep our own copy of the provided config - that way we can
+	// guarantee that it will be covered by the mutex
+	phony.Inbox
+	pc           *iw.PacketConn
+	config       *config.NodeConfig // Config
+	secret       ed25519.PrivateKey
+	public       ed25519.PublicKey
+	links        links
+	proto        protoHandler
+	store        keyStore
+	log          *log.Logger
+	addPeerTimer *time.Timer
+	ctx          context.Context
+	ctxCancel    context.CancelFunc
+}
+
+func (c *Core) _init() error {
+	// TODO separate init and start functions
+	//  Init sets up structs
+	//  Start launches goroutines that depend on structs being set up
+	// This is pretty much required to completely avoid race conditions
+	c.config.RLock()
+	defer c.config.RUnlock()
+	if c.log == nil {
+		c.log = log.New(ioutil.Discard, "", 0)
+	}
+
+	sigPriv, err := hex.DecodeString(c.config.PrivateKey)
+	if err != nil {
+		return err
+	}
+	if len(sigPriv) < ed25519.PrivateKeySize {
+		return errors.New("PrivateKey is incorrect length")
+	}
+
+	c.secret = ed25519.PrivateKey(sigPriv)
+	c.public = c.secret.Public().(ed25519.PublicKey)
+	// TODO check public against current.PublicKey, error if they don't match
+
+	c.pc, err = iw.NewPacketConn(c.secret)
+	c.ctx, c.ctxCancel = context.WithCancel(context.Background())
+	c.store.init(c)
+	c.proto.init(c)
+	if err := c.proto.nodeinfo.setNodeInfo(c.config.NodeInfo, c.config.NodeInfoPrivacy); err != nil {
+		return fmt.Errorf("setNodeInfo: %w", err)
+	}
+	return err
+}
+
+// If any static peers were provided in the configuration above then we should
+// configure them. The loop ensures that disconnected peers will eventually
+// be reconnected with.
+func (c *Core) _addPeerLoop() {
+	c.config.RLock()
+	defer c.config.RUnlock()
+
+	if c.addPeerTimer == nil {
+		return
+	}
+
+	// Add peers from the Peers section
+	for _, peer := range c.config.Peers {
+		go func(peer string, intf string) {
+			u, err := url.Parse(peer)
+			if err != nil {
+				c.log.Errorln("Failed to parse peer url:", peer, err)
+			}
+			if err := c.CallPeer(u, intf); err != nil {
+				c.log.Errorln("Failed to add peer:", err)
+			}
+		}(peer, "") // TODO: this should be acted and not in a goroutine?
+	}
+
+	// Add peers from the InterfacePeers section
+	for intf, intfpeers := range c.config.InterfacePeers {
+		for _, peer := range intfpeers {
+			go func(peer string, intf string) {
+				u, err := url.Parse(peer)
+				if err != nil {
+					c.log.Errorln("Failed to parse peer url:", peer, err)
+				}
+				if err := c.CallPeer(u, intf); err != nil {
+					c.log.Errorln("Failed to add peer:", err)
+				}
+			}(peer, intf) // TODO: this should be acted and not in a goroutine?
+		}
+	}
+
+	c.addPeerTimer = time.AfterFunc(time.Minute, func() {
+		c.Act(nil, c._addPeerLoop)
+	})
+}
+
+// Start starts up Yggdrasil using the provided config.NodeConfig, and outputs
+// debug logging through the provided log.Logger. The started stack will include
+// TCP and UDP sockets, a multicast discovery socket, an admin socket, router,
+// switch and DHT node. A config.NodeState is returned which contains both the
+// current and previous configurations (from reconfigures).
+func (c *Core) Start(nc *config.NodeConfig, log *log.Logger) (err error) {
+	phony.Block(c, func() {
+		err = c._start(nc, log)
+	})
+	return
+}
+
+// This function is unsafe and should only be ran by the core actor.
+func (c *Core) _start(nc *config.NodeConfig, log *log.Logger) error {
+	c.log = log
+	c.config = nc
+
+	if name := version.BuildName(); name != "unknown" {
+		c.log.Infoln("Build name:", name)
+	}
+	if version := version.BuildVersion(); version != "unknown" {
+		c.log.Infoln("Build version:", version)
+	}
+
+	c.log.Infoln("Starting up...")
+	if err := c._init(); err != nil {
+		c.log.Errorln("Failed to initialize core")
+		return err
+	}
+
+	if err := c.links.init(c); err != nil {
+		c.log.Errorln("Failed to start link interfaces")
+		return err
+	}
+
+	c.addPeerTimer = time.AfterFunc(0, func() {
+		c.Act(nil, c._addPeerLoop)
+	})
+
+	c.log.Infoln("Startup complete")
+	return nil
+}
+
+// Stop shuts down the Yggdrasil node.
+func (c *Core) Stop() {
+	phony.Block(c, c._stop)
+}
+
+// This function is unsafe and should only be ran by the core actor.
+func (c *Core) _stop() {
+	c.log.Infoln("Stopping...")
+	c.ctxCancel()
+	c.pc.Close()
+	if c.addPeerTimer != nil {
+		c.addPeerTimer.Stop()
+		c.addPeerTimer = nil
+	}
+	_ = c.links.stop()
+	/* FIXME this deadlocks, need a waitgroup or something to coordinate shutdown
+	for _, peer := range c.GetPeers() {
+		c.DisconnectPeer(peer.Port)
+	}
+	*/
+	c.log.Infoln("Stopped")
+}
--- a/src/core/core_test.go
+++ b/src/core/core_test.go
@@ -0,0 +1,192 @@
+package core
+
+import (
+	"bytes"
+	"math/rand"
+	"net/url"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/gologme/log"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/config"
+)
+
+// GenerateConfig produces default configuration with suitable modifications for tests.
+func GenerateConfig() *config.NodeConfig {
+	cfg := config.GenerateConfig()
+	cfg.AdminListen = "none"
+	cfg.Listen = []string{"tcp://127.0.0.1:0"}
+	cfg.IfName = "none"
+
+	return cfg
+}
+
+// GetLoggerWithPrefix creates a new logger instance with prefix.
+// If verbose is set to true, three log levels are enabled: "info", "warn", "error".
+func GetLoggerWithPrefix(prefix string, verbose bool) *log.Logger {
+	l := log.New(os.Stderr, prefix, log.Flags())
+	if !verbose {
+		return l
+	}
+	l.EnableLevel("info")
+	l.EnableLevel("warn")
+	l.EnableLevel("error")
+	return l
+}
+
+// CreateAndConnectTwo creates two nodes. nodeB connects to nodeA.
+// Verbosity flag is passed to logger.
+func CreateAndConnectTwo(t testing.TB, verbose bool) (nodeA *Core, nodeB *Core) {
+	nodeA = new(Core)
+	if err := nodeA.Start(GenerateConfig(), GetLoggerWithPrefix("A: ", verbose)); err != nil {
+		t.Fatal(err)
+	}
+	nodeA.SetMTU(1500)
+
+	nodeB = new(Core)
+	if err := nodeB.Start(GenerateConfig(), GetLoggerWithPrefix("B: ", verbose)); err != nil {
+		t.Fatal(err)
+	}
+	nodeB.SetMTU(1500)
+
+	u, err := url.Parse("tcp://" + nodeA.links.tcp.getAddr().String())
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = nodeB.CallPeer(u, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	time.Sleep(100 * time.Millisecond)
+
+	if l := len(nodeA.GetPeers()); l != 1 {
+		t.Fatal("unexpected number of peers", l)
+	}
+	if l := len(nodeB.GetPeers()); l != 1 {
+		t.Fatal("unexpected number of peers", l)
+	}
+
+	return nodeA, nodeB
+}
+
+// WaitConnected blocks until either nodes negotiated DHT or 5 seconds passed.
+func WaitConnected(nodeA, nodeB *Core) bool {
+	// It may take up to 3 seconds, but let's wait 5.
+	for i := 0; i < 50; i++ {
+		time.Sleep(100 * time.Millisecond)
+		if len(nodeA.GetPeers()) > 0 && len(nodeB.GetPeers()) > 0 {
+			return true
+		}
+	}
+	return false
+}
+
+// CreateEchoListener creates a routine listening on nodeA. It expects repeats messages of length bufLen.
+// It returns a channel used to synchronize the routine with caller.
+func CreateEchoListener(t testing.TB, nodeA *Core, bufLen int, repeats int) chan struct{} {
+	// Start routine
+	done := make(chan struct{})
+	go func() {
+		buf := make([]byte, bufLen)
+		res := make([]byte, bufLen)
+		for i := 0; i < repeats; i++ {
+			n, err := nodeA.Read(buf)
+			if err != nil {
+				t.Error(err)
+				return
+			}
+			if n != bufLen {
+				t.Error("missing data")
+				return
+			}
+			copy(res, buf)
+			copy(res[8:24], buf[24:40])
+			copy(res[24:40], buf[8:24])
+			_, err = nodeA.Write(res)
+			if err != nil {
+				t.Error(err)
+			}
+		}
+		done <- struct{}{}
+	}()
+
+	return done
+}
+
+// TestCore_Start_Connect checks if two nodes can connect together.
+func TestCore_Start_Connect(t *testing.T) {
+	CreateAndConnectTwo(t, true)
+}
+
+// TestCore_Start_Transfer checks that messages can be passed between nodes (in both directions).
+func TestCore_Start_Transfer(t *testing.T) {
+	nodeA, nodeB := CreateAndConnectTwo(t, true)
+	defer nodeA.Stop()
+	defer nodeB.Stop()
+
+	msgLen := 1500
+	done := CreateEchoListener(t, nodeA, msgLen, 1)
+
+	if !WaitConnected(nodeA, nodeB) {
+		t.Fatal("nodes did not connect")
+	}
+
+	// Send
+	msg := make([]byte, msgLen)
+	rand.Read(msg[40:])
+	msg[0] = 0x60
+	copy(msg[8:24], nodeB.Address())
+	copy(msg[24:40], nodeA.Address())
+	_, err := nodeB.Write(msg)
+	if err != nil {
+		t.Fatal(err)
+	}
+	buf := make([]byte, msgLen)
+	_, err = nodeB.Read(buf)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !bytes.Equal(msg[40:], buf[40:]) {
+		t.Fatal("expected echo")
+	}
+	<-done
+}
+
+// BenchmarkCore_Start_Transfer estimates the possible transfer between nodes (in MB/s).
+func BenchmarkCore_Start_Transfer(b *testing.B) {
+	nodeA, nodeB := CreateAndConnectTwo(b, false)
+
+	msgLen := 1500 // typical MTU
+	done := CreateEchoListener(b, nodeA, msgLen, b.N)
+
+	if !WaitConnected(nodeA, nodeB) {
+		b.Fatal("nodes did not connect")
+	}
+
+	// Send
+	msg := make([]byte, msgLen)
+	rand.Read(msg[40:])
+	msg[0] = 0x60
+	copy(msg[8:24], nodeB.Address())
+	copy(msg[24:40], nodeA.Address())
+
+	buf := make([]byte, msgLen)
+
+	b.SetBytes(int64(msgLen))
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		_, err := nodeB.Write(msg)
+		if err != nil {
+			b.Fatal(err)
+		}
+		_, err = nodeB.Read(buf)
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+	<-done
+}
--- a/src/core/debug.go
+++ b/src/core/debug.go
@@ -0,0 +1,33 @@
+// +build debug
+
+package core
+
+import "fmt"
+
+import _ "net/http/pprof"
+import "net/http"
+import "runtime"
+import "os"
+
+import "github.com/gologme/log"
+
+// Start the profiler in debug builds, if the required environment variable is set.
+func init() {
+	envVarName := "PPROFLISTEN"
+	hostPort := os.Getenv(envVarName)
+	switch {
+	case hostPort == "":
+		fmt.Fprintf(os.Stderr, "DEBUG: %s not set, profiler not started.\n", envVarName)
+	default:
+		fmt.Fprintf(os.Stderr, "DEBUG: Starting pprof on %s\n", hostPort)
+		go func() { fmt.Println(http.ListenAndServe(hostPort, nil)) }()
+	}
+}
+
+// Starts the function profiler. This is only supported when built with
+// '-tags build'.
+func StartProfiler(log *log.Logger) error {
+	runtime.SetBlockProfileRate(1)
+	go func() { log.Println(http.ListenAndServe("localhost:6060", nil)) }()
+	return nil
+}
--- a/src/core/icmpv6.go
+++ b/src/core/icmpv6.go
@@ -0,0 +1,80 @@
+package core
+
+// The ICMPv6 module implements functions to easily create ICMPv6
+// packets. These functions, when mixed with the built-in Go IPv6
+// and ICMP libraries, can be used to send control messages back
+// to the host. Examples include:
+// - NDP messages, when running in TAP mode
+// - Packet Too Big messages, when packets exceed the session MTU
+// - Destination Unreachable messages, when a session prohibits
+//   incoming traffic
+
+import (
+	"encoding/binary"
+	"net"
+
+	"golang.org/x/net/icmp"
+	"golang.org/x/net/ipv6"
+)
+
+type ICMPv6 struct{}
+
+// Marshal returns the binary encoding of h.
+func ipv6Header_Marshal(h *ipv6.Header) ([]byte, error) {
+	b := make([]byte, 40)
+	b[0] |= byte(h.Version) << 4
+	b[0] |= byte(h.TrafficClass) >> 4
+	b[1] |= byte(h.TrafficClass) << 4
+	b[1] |= byte(h.FlowLabel >> 16)
+	b[2] = byte(h.FlowLabel >> 8)
+	b[3] = byte(h.FlowLabel)
+	binary.BigEndian.PutUint16(b[4:6], uint16(h.PayloadLen))
+	b[6] = byte(h.NextHeader)
+	b[7] = byte(h.HopLimit)
+	copy(b[8:24], h.Src)
+	copy(b[24:40], h.Dst)
+	return b, nil
+}
+
+// Creates an ICMPv6 packet based on the given icmp.MessageBody and other
+// parameters, complete with IP headers only, which can be written directly to
+// a TUN adapter, or called directly by the CreateICMPv6L2 function when
+// generating a message for TAP adapters.
+func CreateICMPv6(dst net.IP, src net.IP, mtype ipv6.ICMPType, mcode int, mbody icmp.MessageBody) ([]byte, error) {
+	// Create the ICMPv6 message
+	icmpMessage := icmp.Message{
+		Type: mtype,
+		Code: mcode,
+		Body: mbody,
+	}
+
+	// Convert the ICMPv6 message into []byte
+	icmpMessageBuf, err := icmpMessage.Marshal(icmp.IPv6PseudoHeader(src, dst))
+	if err != nil {
+		return nil, err
+	}
+
+	// Create the IPv6 header
+	ipv6Header := ipv6.Header{
+		Version:    ipv6.Version,
+		NextHeader: 58,
+		PayloadLen: len(icmpMessageBuf),
+		HopLimit:   255,
+		Src:        src,
+		Dst:        dst,
+	}
+
+	// Convert the IPv6 header into []byte
+	ipv6HeaderBuf, err := ipv6Header_Marshal(&ipv6Header)
+	if err != nil {
+		return nil, err
+	}
+
+	// Construct the packet
+	responsePacket := make([]byte, ipv6.HeaderLen+ipv6Header.PayloadLen)
+	copy(responsePacket[:ipv6.HeaderLen], ipv6HeaderBuf)
+	copy(responsePacket[ipv6.HeaderLen:], icmpMessageBuf)
+
+	// Send it back
+	return responsePacket, nil
+}
--- a/src/core/keystore.go
+++ b/src/core/keystore.go
@@ -0,0 +1,306 @@
+package core
+
+import (
+	"crypto/ed25519"
+	"errors"
+	"fmt"
+	"sync"
+	"time"
+
+	"golang.org/x/net/icmp"
+	"golang.org/x/net/ipv6"
+
+	iwt "github.com/Arceliar/ironwood/types"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+)
+
+const keyStoreTimeout = 2 * time.Minute
+
+type keyArray [ed25519.PublicKeySize]byte
+
+type keyStore struct {
+	core         *Core
+	address      address.Address
+	subnet       address.Subnet
+	mutex        sync.Mutex
+	keyToInfo    map[keyArray]*keyInfo
+	addrToInfo   map[address.Address]*keyInfo
+	addrBuffer   map[address.Address]*buffer
+	subnetToInfo map[address.Subnet]*keyInfo
+	subnetBuffer map[address.Subnet]*buffer
+	mtu          uint64
+}
+
+type keyInfo struct {
+	key     keyArray
+	address address.Address
+	subnet  address.Subnet
+	timeout *time.Timer // From calling a time.AfterFunc to do cleanup
+}
+
+type buffer struct {
+	packet  []byte
+	timeout *time.Timer
+}
+
+func (k *keyStore) init(core *Core) {
+	k.core = core
+	k.address = *address.AddrForKey(k.core.public)
+	k.subnet = *address.SubnetForKey(k.core.public)
+	if err := k.core.pc.SetOutOfBandHandler(k.oobHandler); err != nil {
+		err = fmt.Errorf("tun.core.SetOutOfBandHander: %w", err)
+		panic(err)
+	}
+	k.keyToInfo = make(map[keyArray]*keyInfo)
+	k.addrToInfo = make(map[address.Address]*keyInfo)
+	k.addrBuffer = make(map[address.Address]*buffer)
+	k.subnetToInfo = make(map[address.Subnet]*keyInfo)
+	k.subnetBuffer = make(map[address.Subnet]*buffer)
+	k.mtu = 1280 // Default to something safe, expect user to set this
+}
+
+func (k *keyStore) sendToAddress(addr address.Address, bs []byte) {
+	k.mutex.Lock()
+	if info := k.addrToInfo[addr]; info != nil {
+		k.resetTimeout(info)
+		k.mutex.Unlock()
+		_, _ = k.core.pc.WriteTo(bs, iwt.Addr(info.key[:]))
+	} else {
+		var buf *buffer
+		if buf = k.addrBuffer[addr]; buf == nil {
+			buf = new(buffer)
+			k.addrBuffer[addr] = buf
+		}
+		msg := append([]byte(nil), bs...)
+		buf.packet = msg
+		if buf.timeout != nil {
+			buf.timeout.Stop()
+		}
+		buf.timeout = time.AfterFunc(keyStoreTimeout, func() {
+			k.mutex.Lock()
+			defer k.mutex.Unlock()
+			if nbuf := k.addrBuffer[addr]; nbuf == buf {
+				delete(k.addrBuffer, addr)
+			}
+		})
+		k.mutex.Unlock()
+		k.sendKeyLookup(addr.GetKey())
+	}
+}
+
+func (k *keyStore) sendToSubnet(subnet address.Subnet, bs []byte) {
+	k.mutex.Lock()
+	if info := k.subnetToInfo[subnet]; info != nil {
+		k.resetTimeout(info)
+		k.mutex.Unlock()
+		_, _ = k.core.pc.WriteTo(bs, iwt.Addr(info.key[:]))
+	} else {
+		var buf *buffer
+		if buf = k.subnetBuffer[subnet]; buf == nil {
+			buf = new(buffer)
+			k.subnetBuffer[subnet] = buf
+		}
+		msg := append([]byte(nil), bs...)
+		buf.packet = msg
+		if buf.timeout != nil {
+			buf.timeout.Stop()
+		}
+		buf.timeout = time.AfterFunc(keyStoreTimeout, func() {
+			k.mutex.Lock()
+			defer k.mutex.Unlock()
+			if nbuf := k.subnetBuffer[subnet]; nbuf == buf {
+				delete(k.subnetBuffer, subnet)
+			}
+		})
+		k.mutex.Unlock()
+		k.sendKeyLookup(subnet.GetKey())
+	}
+}
+
+func (k *keyStore) update(key ed25519.PublicKey) *keyInfo {
+	k.mutex.Lock()
+	var kArray keyArray
+	copy(kArray[:], key)
+	var info *keyInfo
+	if info = k.keyToInfo[kArray]; info == nil {
+		info = new(keyInfo)
+		info.key = kArray
+		info.address = *address.AddrForKey(ed25519.PublicKey(info.key[:]))
+		info.subnet = *address.SubnetForKey(ed25519.PublicKey(info.key[:]))
+		k.keyToInfo[info.key] = info
+		k.addrToInfo[info.address] = info
+		k.subnetToInfo[info.subnet] = info
+		k.resetTimeout(info)
+		k.mutex.Unlock()
+		if buf := k.addrBuffer[info.address]; buf != nil {
+			k.core.pc.WriteTo(buf.packet, iwt.Addr(info.key[:]))
+			delete(k.addrBuffer, info.address)
+		}
+		if buf := k.subnetBuffer[info.subnet]; buf != nil {
+			k.core.pc.WriteTo(buf.packet, iwt.Addr(info.key[:]))
+			delete(k.subnetBuffer, info.subnet)
+		}
+	} else {
+		k.resetTimeout(info)
+		k.mutex.Unlock()
+	}
+	return info
+}
+
+func (k *keyStore) resetTimeout(info *keyInfo) {
+	if info.timeout != nil {
+		info.timeout.Stop()
+	}
+	info.timeout = time.AfterFunc(keyStoreTimeout, func() {
+		k.mutex.Lock()
+		defer k.mutex.Unlock()
+		if nfo := k.keyToInfo[info.key]; nfo == info {
+			delete(k.keyToInfo, info.key)
+		}
+		if nfo := k.addrToInfo[info.address]; nfo == info {
+			delete(k.addrToInfo, info.address)
+		}
+		if nfo := k.subnetToInfo[info.subnet]; nfo == info {
+			delete(k.subnetToInfo, info.subnet)
+		}
+	})
+}
+
+func (k *keyStore) oobHandler(fromKey, toKey ed25519.PublicKey, data []byte) {
+	if len(data) != 1+ed25519.SignatureSize {
+		return
+	}
+	sig := data[1:]
+	switch data[0] {
+	case typeKeyLookup:
+		snet := *address.SubnetForKey(toKey)
+		if snet == k.subnet && ed25519.Verify(fromKey, toKey[:], sig) {
+			// This is looking for at least our subnet (possibly our address)
+			// Send a response
+			k.sendKeyResponse(fromKey)
+		}
+	case typeKeyResponse:
+		// TODO keep a list of something to match against...
+		// Ignore the response if it doesn't match anything of interest...
+		if ed25519.Verify(fromKey, toKey[:], sig) {
+			k.update(fromKey)
+		}
+	}
+}
+
+func (k *keyStore) sendKeyLookup(partial ed25519.PublicKey) {
+	sig := ed25519.Sign(k.core.secret, partial[:])
+	bs := append([]byte{typeKeyLookup}, sig...)
+	_ = k.core.pc.SendOutOfBand(partial, bs)
+}
+
+func (k *keyStore) sendKeyResponse(dest ed25519.PublicKey) {
+	sig := ed25519.Sign(k.core.secret, dest[:])
+	bs := append([]byte{typeKeyResponse}, sig...)
+	_ = k.core.pc.SendOutOfBand(dest, bs)
+}
+
+func (k *keyStore) maxSessionMTU() uint64 {
+	const sessionTypeOverhead = 1
+	return k.core.pc.MTU() - sessionTypeOverhead
+}
+
+func (k *keyStore) readPC(p []byte) (int, error) {
+	buf := make([]byte, k.core.pc.MTU(), 65535)
+	for {
+		bs := buf
+		n, from, err := k.core.pc.ReadFrom(bs)
+		if err != nil {
+			return n, err
+		}
+		if n == 0 {
+			continue
+		}
+		switch bs[0] {
+		case typeSessionTraffic:
+			// This is what we want to handle here
+		case typeSessionProto:
+			var key keyArray
+			copy(key[:], from.(iwt.Addr))
+			data := append([]byte(nil), bs[1:n]...)
+			k.core.proto.handleProto(nil, key, data)
+			continue
+		default:
+			continue
+		}
+		bs = bs[1:n]
+		if len(bs) == 0 {
+			continue
+		}
+		if bs[0]&0xf0 != 0x60 {
+			continue // not IPv6
+		}
+		if len(bs) < 40 {
+			continue
+		}
+		k.mutex.Lock()
+		mtu := int(k.mtu)
+		k.mutex.Unlock()
+		if len(bs) > mtu {
+			// Using bs would make it leak off the stack, so copy to buf
+			buf := make([]byte, 40)
+			copy(buf, bs)
+			ptb := &icmp.PacketTooBig{
+				MTU:  mtu,
+				Data: buf[:40],
+			}
+			if packet, err := CreateICMPv6(buf[8:24], buf[24:40], ipv6.ICMPTypePacketTooBig, 0, ptb); err == nil {
+				_, _ = k.writePC(packet)
+			}
+			continue
+		}
+		var srcAddr, dstAddr address.Address
+		var srcSubnet, dstSubnet address.Subnet
+		copy(srcAddr[:], bs[8:])
+		copy(dstAddr[:], bs[24:])
+		copy(srcSubnet[:], bs[8:])
+		copy(dstSubnet[:], bs[24:])
+		if dstAddr != k.address && dstSubnet != k.subnet {
+			continue // bad local address/subnet
+		}
+		info := k.update(ed25519.PublicKey(from.(iwt.Addr)))
+		if srcAddr != info.address && srcSubnet != info.subnet {
+			continue // bad remote address/subnet
+		}
+		n = copy(p, bs)
+		return n, nil
+	}
+}
+
+func (k *keyStore) writePC(bs []byte) (int, error) {
+	if bs[0]&0xf0 != 0x60 {
+		return 0, errors.New("not an IPv6 packet") // not IPv6
+	}
+	if len(bs) < 40 {
+		strErr := fmt.Sprint("undersized IPv6 packet, length:", len(bs))
+		return 0, errors.New(strErr)
+	}
+	var srcAddr, dstAddr address.Address
+	var srcSubnet, dstSubnet address.Subnet
+	copy(srcAddr[:], bs[8:])
+	copy(dstAddr[:], bs[24:])
+	copy(srcSubnet[:], bs[8:])
+	copy(dstSubnet[:], bs[24:])
+	if srcAddr != k.address && srcSubnet != k.subnet {
+		// This happens all the time due to link-local traffic
+		// Don't send back an error, just drop it
+		return 0, nil
+	}
+	buf := make([]byte, 1+len(bs), 65535)
+	buf[0] = typeSessionTraffic
+	copy(buf[1:], bs)
+	if dstAddr.IsValid() {
+		k.sendToAddress(dstAddr, buf)
+	} else if dstSubnet.IsValid() {
+		k.sendToSubnet(dstSubnet, buf)
+	} else {
+		return 0, errors.New("invalid destination address")
+	}
+	return len(bs), nil
+}
--- a/src/core/link.go
+++ b/src/core/link.go
@@ -0,0 +1,250 @@
+package core
+
+import (
+	"crypto/ed25519"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/url"
+	"strings"
+	"sync"
+
+	//"sync/atomic"
+	"time"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+	"github.com/yggdrasil-network/yggdrasil-go/src/util"
+	"golang.org/x/net/proxy"
+	//"github.com/Arceliar/phony" // TODO? use instead of mutexes
+)
+
+type links struct {
+	core    *Core
+	mutex   sync.RWMutex // protects links below
+	links   map[linkInfo]*link
+	tcp     tcp // TCP interface support
+	stopped chan struct{}
+	// TODO timeout (to remove from switch), read from config.ReadTimeout
+}
+
+// linkInfo is used as a map key
+type linkInfo struct {
+	key      keyArray
+	linkType string // Type of link, e.g. TCP, AWDL
+	local    string // Local name or address
+	remote   string // Remote name or address
+}
+
+type link struct {
+	lname    string
+	links    *links
+	conn     net.Conn
+	options  linkOptions
+	info     linkInfo
+	incoming bool
+	force    bool
+	closed   chan struct{}
+}
+
+type linkOptions struct {
+	pinnedEd25519Keys map[keyArray]struct{}
+}
+
+func (l *links) init(c *Core) error {
+	l.core = c
+	l.mutex.Lock()
+	l.links = make(map[linkInfo]*link)
+	l.mutex.Unlock()
+	l.stopped = make(chan struct{})
+
+	if err := l.tcp.init(l); err != nil {
+		c.log.Errorln("Failed to start TCP interface")
+		return err
+	}
+
+	return nil
+}
+
+func (l *links) call(u *url.URL, sintf string) error {
+	//u, err := url.Parse(uri)
+	//if err != nil {
+	//	return fmt.Errorf("peer %s is not correctly formatted (%s)", uri, err)
+	//}
+	tcpOpts := tcpOptions{}
+	if pubkeys, ok := u.Query()["key"]; ok && len(pubkeys) > 0 {
+		tcpOpts.pinnedEd25519Keys = make(map[keyArray]struct{})
+		for _, pubkey := range pubkeys {
+			if sigPub, err := hex.DecodeString(pubkey); err == nil {
+				var sigPubKey keyArray
+				copy(sigPubKey[:], sigPub)
+				tcpOpts.pinnedEd25519Keys[sigPubKey] = struct{}{}
+			}
+		}
+	}
+	switch u.Scheme {
+	case "tcp":
+		l.tcp.call(u.Host, tcpOpts, sintf)
+	case "socks":
+		tcpOpts.socksProxyAddr = u.Host
+		if u.User != nil {
+			tcpOpts.socksProxyAuth = &proxy.Auth{}
+			tcpOpts.socksProxyAuth.User = u.User.Username()
+			tcpOpts.socksProxyAuth.Password, _ = u.User.Password()
+		}
+		pathtokens := strings.Split(strings.Trim(u.Path, "/"), "/")
+		l.tcp.call(pathtokens[0], tcpOpts, sintf)
+	case "tls":
+		tcpOpts.upgrade = l.tcp.tls.forDialer
+		l.tcp.call(u.Host, tcpOpts, sintf)
+	default:
+		return errors.New("unknown call scheme: " + u.Scheme)
+	}
+	return nil
+}
+
+func (l *links) create(conn net.Conn, name, linkType, local, remote string, incoming, force bool, options linkOptions) (*link, error) {
+	// Technically anything unique would work for names, but let's pick something human readable, just for debugging
+	intf := link{
+		conn:    conn,
+		lname:   name,
+		links:   l,
+		options: options,
+		info: linkInfo{
+			linkType: linkType,
+			local:    local,
+			remote:   remote,
+		},
+		incoming: incoming,
+		force:    force,
+	}
+	return &intf, nil
+}
+
+func (l *links) stop() error {
+	close(l.stopped)
+	if err := l.tcp.stop(); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (intf *link) handler() (chan struct{}, error) {
+	// TODO split some of this into shorter functions, so it's easier to read, and for the FIXME duplicate peer issue mentioned later
+	defer intf.conn.Close()
+	meta := version_getBaseMetadata()
+	meta.key = intf.links.core.public
+	metaBytes := meta.encode()
+	// TODO timeouts on send/recv (goroutine for send/recv, channel select w/ timer)
+	var err error
+	if !util.FuncTimeout(30*time.Second, func() {
+		var n int
+		n, err = intf.conn.Write(metaBytes)
+		if err == nil && n != len(metaBytes) {
+			err = errors.New("incomplete metadata send")
+		}
+	}) {
+		return nil, errors.New("timeout on metadata send")
+	}
+	if err != nil {
+		return nil, err
+	}
+	if !util.FuncTimeout(30*time.Second, func() {
+		var n int
+		n, err = io.ReadFull(intf.conn, metaBytes)
+		if err == nil && n != len(metaBytes) {
+			err = errors.New("incomplete metadata recv")
+		}
+	}) {
+		return nil, errors.New("timeout on metadata recv")
+	}
+	if err != nil {
+		return nil, err
+	}
+	meta = version_metadata{}
+	base := version_getBaseMetadata()
+	if !meta.decode(metaBytes) {
+		return nil, errors.New("failed to decode metadata")
+	}
+	if !meta.check() {
+		intf.links.core.log.Errorf("Failed to connect to node: %s is incompatible version (local %s, remote %s)",
+			intf.lname,
+			fmt.Sprintf("%d.%d", base.ver, base.minorVer),
+			fmt.Sprintf("%d.%d", meta.ver, meta.minorVer),
+		)
+		return nil, errors.New("remote node is incompatible version")
+	}
+	// Check if the remote side matches the keys we expected. This is a bit of a weak
+	// check - in future versions we really should check a signature or something like that.
+	if pinned := intf.options.pinnedEd25519Keys; pinned != nil {
+		var key keyArray
+		copy(key[:], meta.key)
+		if _, allowed := pinned[key]; !allowed {
+			intf.links.core.log.Errorf("Failed to connect to node: %q sent ed25519 key that does not match pinned keys", intf.name())
+			return nil, fmt.Errorf("failed to connect: host sent ed25519 key that does not match pinned keys")
+		}
+	}
+	// Check if we're authorized to connect to this key / IP
+	intf.links.core.config.RLock()
+	allowed := intf.links.core.config.AllowedPublicKeys
+	intf.links.core.config.RUnlock()
+	isallowed := len(allowed) == 0
+	for _, k := range allowed {
+		if k == hex.EncodeToString(meta.key) { // TODO: this is yuck
+			isallowed = true
+			break
+		}
+	}
+	if intf.incoming && !intf.force && !isallowed {
+		intf.links.core.log.Warnf("%s connection from %s forbidden: AllowedEncryptionPublicKeys does not contain key %s",
+			strings.ToUpper(intf.info.linkType), intf.info.remote, hex.EncodeToString(meta.key))
+		intf.close()
+		return nil, nil
+	}
+	// Check if we already have a link to this node
+	copy(intf.info.key[:], meta.key)
+	intf.links.mutex.Lock()
+	if oldIntf, isIn := intf.links.links[intf.info]; isIn {
+		intf.links.mutex.Unlock()
+		// FIXME we should really return an error and let the caller block instead
+		// That lets them do things like close connections on its own, avoid printing a connection message in the first place, etc.
+		intf.links.core.log.Debugln("DEBUG: found existing interface for", intf.name())
+		return oldIntf.closed, nil
+	} else {
+		intf.closed = make(chan struct{})
+		intf.links.links[intf.info] = intf
+		defer func() {
+			intf.links.mutex.Lock()
+			delete(intf.links.links, intf.info)
+			intf.links.mutex.Unlock()
+			close(intf.closed)
+		}()
+		intf.links.core.log.Debugln("DEBUG: registered interface for", intf.name())
+	}
+	intf.links.mutex.Unlock()
+	themAddr := address.AddrForKey(ed25519.PublicKey(intf.info.key[:]))
+	themAddrString := net.IP(themAddr[:]).String()
+	themString := fmt.Sprintf("%s@%s", themAddrString, intf.info.remote)
+	intf.links.core.log.Infof("Connected %s: %s, source %s",
+		strings.ToUpper(intf.info.linkType), themString, intf.info.local)
+	// Run the handler
+	err = intf.links.core.pc.HandleConn(ed25519.PublicKey(intf.info.key[:]), intf.conn)
+	// TODO don't report an error if it's just a 'use of closed network connection'
+	if err != nil {
+		intf.links.core.log.Infof("Disconnected %s: %s, source %s; error: %s",
+			strings.ToUpper(intf.info.linkType), themString, intf.info.local, err)
+	} else {
+		intf.links.core.log.Infof("Disconnected %s: %s, source %s",
+			strings.ToUpper(intf.info.linkType), themString, intf.info.local)
+	}
+	return nil, err
+}
+
+func (intf *link) close() {
+	intf.conn.Close()
+}
+
+func (intf *link) name() string {
+	return intf.lname
+}
--- a/src/core/nodeinfo.go
+++ b/src/core/nodeinfo.go
@@ -0,0 +1,189 @@
+package core
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"net"
+	"runtime"
+	"strings"
+	"time"
+
+	iwt "github.com/Arceliar/ironwood/types"
+	"github.com/Arceliar/phony"
+
+	//"github.com/yggdrasil-network/yggdrasil-go/src/crypto"
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+	"github.com/yggdrasil-network/yggdrasil-go/src/version"
+)
+
+// NodeInfoPayload represents a RequestNodeInfo response, in bytes.
+type NodeInfoPayload []byte
+
+type nodeinfo struct {
+	phony.Inbox
+	proto      *protoHandler
+	myNodeInfo NodeInfoPayload
+	callbacks  map[keyArray]nodeinfoCallback
+}
+
+type nodeinfoCallback struct {
+	call    func(nodeinfo NodeInfoPayload)
+	created time.Time
+}
+
+// Initialises the nodeinfo cache/callback maps, and starts a goroutine to keep
+// the cache/callback maps clean of stale entries
+func (m *nodeinfo) init(proto *protoHandler) {
+	m.Act(nil, func() {
+		m._init(proto)
+	})
+}
+
+func (m *nodeinfo) _init(proto *protoHandler) {
+	m.proto = proto
+	m.callbacks = make(map[keyArray]nodeinfoCallback)
+	m._cleanup()
+}
+
+func (m *nodeinfo) _cleanup() {
+	for boxPubKey, callback := range m.callbacks {
+		if time.Since(callback.created) > time.Minute {
+			delete(m.callbacks, boxPubKey)
+		}
+	}
+	time.AfterFunc(time.Second*30, func() {
+		m.Act(nil, m._cleanup)
+	})
+}
+
+func (m *nodeinfo) _addCallback(sender keyArray, call func(nodeinfo NodeInfoPayload)) {
+	m.callbacks[sender] = nodeinfoCallback{
+		created: time.Now(),
+		call:    call,
+	}
+}
+
+// Handles the callback, if there is one
+func (m *nodeinfo) _callback(sender keyArray, nodeinfo NodeInfoPayload) {
+	if callback, ok := m.callbacks[sender]; ok {
+		callback.call(nodeinfo)
+		delete(m.callbacks, sender)
+	}
+}
+
+func (m *nodeinfo) _getNodeInfo() NodeInfoPayload {
+	return m.myNodeInfo
+}
+
+// Set the current node's nodeinfo
+func (m *nodeinfo) setNodeInfo(given interface{}, privacy bool) (err error) {
+	phony.Block(m, func() {
+		err = m._setNodeInfo(given, privacy)
+	})
+	return
+}
+
+func (m *nodeinfo) _setNodeInfo(given interface{}, privacy bool) error {
+	defaults := map[string]interface{}{
+		"buildname":     version.BuildName(),
+		"buildversion":  version.BuildVersion(),
+		"buildplatform": runtime.GOOS,
+		"buildarch":     runtime.GOARCH,
+	}
+	newnodeinfo := make(map[string]interface{})
+	if !privacy {
+		for k, v := range defaults {
+			newnodeinfo[k] = v
+		}
+	}
+	if nodeinfomap, ok := given.(map[string]interface{}); ok {
+		for key, value := range nodeinfomap {
+			if _, ok := defaults[key]; ok {
+				if strvalue, strok := value.(string); strok && strings.EqualFold(strvalue, "null") || value == nil {
+					delete(newnodeinfo, key)
+				}
+				continue
+			}
+			newnodeinfo[key] = value
+		}
+	}
+	newjson, err := json.Marshal(newnodeinfo)
+	if err == nil {
+		if len(newjson) > 16384 {
+			return errors.New("NodeInfo exceeds max length of 16384 bytes")
+		}
+		m.myNodeInfo = newjson
+		return nil
+	}
+	return err
+}
+
+func (m *nodeinfo) sendReq(from phony.Actor, key keyArray, callback func(nodeinfo NodeInfoPayload)) {
+	m.Act(from, func() {
+		m._sendReq(key, callback)
+	})
+}
+
+func (m *nodeinfo) _sendReq(key keyArray, callback func(nodeinfo NodeInfoPayload)) {
+	if callback != nil {
+		m._addCallback(key, callback)
+	}
+	_, _ = m.proto.core.pc.WriteTo([]byte{typeSessionProto, typeProtoNodeInfoRequest}, iwt.Addr(key[:]))
+}
+
+func (m *nodeinfo) handleReq(from phony.Actor, key keyArray) {
+	m.Act(from, func() {
+		m._sendRes(key)
+	})
+}
+
+func (m *nodeinfo) handleRes(from phony.Actor, key keyArray, info NodeInfoPayload) {
+	m.Act(from, func() {
+		m._callback(key, info)
+	})
+}
+
+func (m *nodeinfo) _sendRes(key keyArray) {
+	bs := append([]byte{typeSessionProto, typeProtoNodeInfoResponse}, m._getNodeInfo()...)
+	_, _ = m.proto.core.pc.WriteTo(bs, iwt.Addr(key[:]))
+}
+
+// Admin socket stuff
+
+type GetNodeInfoRequest struct {
+	Key string `json:"key"`
+}
+type GetNodeInfoResponse map[string]interface{}
+
+func (m *nodeinfo) nodeInfoAdminHandler(in json.RawMessage) (interface{}, error) {
+	var req GetNodeInfoRequest
+	if err := json.Unmarshal(in, &req); err != nil {
+		return nil, err
+	}
+	var key keyArray
+	var kbs []byte
+	var err error
+	if kbs, err = hex.DecodeString(req.Key); err != nil {
+		return nil, err
+	}
+	copy(key[:], kbs)
+	ch := make(chan []byte, 1)
+	m.sendReq(nil, key, func(info NodeInfoPayload) {
+		ch <- info
+	})
+	timer := time.NewTimer(6 * time.Second)
+	defer timer.Stop()
+	select {
+	case <-timer.C:
+		return nil, errors.New("timeout")
+	case info := <-ch:
+		var msg json.RawMessage
+		if err := msg.UnmarshalJSON(info); err != nil {
+			return nil, err
+		}
+		ip := net.IP(address.AddrForKey(kbs)[:])
+		res := GetNodeInfoResponse{ip.String(): msg}
+		return res, nil
+	}
+}
--- a/src/core/proto.go
+++ b/src/core/proto.go
@@ -0,0 +1,349 @@
+package core
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net"
+	"time"
+
+	iwt "github.com/Arceliar/ironwood/types"
+	"github.com/Arceliar/phony"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+)
+
+const (
+	typeDebugDummy = iota
+	typeDebugGetSelfRequest
+	typeDebugGetSelfResponse
+	typeDebugGetPeersRequest
+	typeDebugGetPeersResponse
+	typeDebugGetDHTRequest
+	typeDebugGetDHTResponse
+)
+
+type reqInfo struct {
+	callback func([]byte)
+	timer    *time.Timer // time.AfterFunc cleanup
+}
+
+type protoHandler struct {
+	phony.Inbox
+	core     *Core
+	nodeinfo nodeinfo
+	sreqs    map[keyArray]*reqInfo
+	preqs    map[keyArray]*reqInfo
+	dreqs    map[keyArray]*reqInfo
+}
+
+func (p *protoHandler) init(core *Core) {
+	p.core = core
+	p.nodeinfo.init(p)
+	p.sreqs = make(map[keyArray]*reqInfo)
+	p.preqs = make(map[keyArray]*reqInfo)
+	p.dreqs = make(map[keyArray]*reqInfo)
+}
+
+func (p *protoHandler) handleProto(from phony.Actor, key keyArray, bs []byte) {
+	if len(bs) == 0 {
+		return
+	}
+	switch bs[0] {
+	case typeProtoDummy:
+	case typeProtoNodeInfoRequest:
+		p.nodeinfo.handleReq(p, key)
+	case typeProtoNodeInfoResponse:
+		p.nodeinfo.handleRes(p, key, bs[1:])
+	case typeProtoDebug:
+		p._handleDebug(key, bs[1:])
+	}
+}
+
+func (p *protoHandler) _handleDebug(key keyArray, bs []byte) {
+	if len(bs) == 0 {
+		return
+	}
+	switch bs[0] {
+	case typeDebugDummy:
+	case typeDebugGetSelfRequest:
+		p._handleGetSelfRequest(key)
+	case typeDebugGetSelfResponse:
+		p._handleGetSelfResponse(key, bs[1:])
+	case typeDebugGetPeersRequest:
+		p._handleGetPeersRequest(key)
+	case typeDebugGetPeersResponse:
+		p._handleGetPeersResponse(key, bs[1:])
+	case typeDebugGetDHTRequest:
+		p._handleGetDHTRequest(key)
+	case typeDebugGetDHTResponse:
+		p._handleGetDHTResponse(key, bs[1:])
+	}
+}
+
+func (p *protoHandler) sendGetSelfRequest(key keyArray, callback func([]byte)) {
+	p.Act(nil, func() {
+		if info := p.sreqs[key]; info != nil {
+			info.timer.Stop()
+			delete(p.sreqs, key)
+		}
+		info := new(reqInfo)
+		info.callback = callback
+		info.timer = time.AfterFunc(time.Minute, func() {
+			p.Act(nil, func() {
+				if p.sreqs[key] == info {
+					delete(p.sreqs, key)
+				}
+			})
+		})
+		p.sreqs[key] = info
+		p._sendDebug(key, typeDebugGetSelfRequest, nil)
+	})
+}
+
+func (p *protoHandler) _handleGetSelfRequest(key keyArray) {
+	self := p.core.GetSelf()
+	res := map[string]string{
+		"key":    hex.EncodeToString(self.Key[:]),
+		"coords": fmt.Sprintf("%v", self.Coords),
+	}
+	bs, err := json.Marshal(res) // FIXME this puts keys in base64, not hex
+	if err != nil {
+		return
+	}
+	p._sendDebug(key, typeDebugGetSelfResponse, bs)
+}
+
+func (p *protoHandler) _handleGetSelfResponse(key keyArray, bs []byte) {
+	if info := p.sreqs[key]; info != nil {
+		info.timer.Stop()
+		info.callback(bs)
+		delete(p.sreqs, key)
+	}
+}
+
+func (p *protoHandler) sendGetPeersRequest(key keyArray, callback func([]byte)) {
+	p.Act(nil, func() {
+		if info := p.preqs[key]; info != nil {
+			info.timer.Stop()
+			delete(p.preqs, key)
+		}
+		info := new(reqInfo)
+		info.callback = callback
+		info.timer = time.AfterFunc(time.Minute, func() {
+			p.Act(nil, func() {
+				if p.preqs[key] == info {
+					delete(p.preqs, key)
+				}
+			})
+		})
+		p.preqs[key] = info
+		p._sendDebug(key, typeDebugGetPeersRequest, nil)
+	})
+}
+
+func (p *protoHandler) _handleGetPeersRequest(key keyArray) {
+	peers := p.core.GetPeers()
+	var bs []byte
+	for _, pinfo := range peers {
+		tmp := append(bs, pinfo.Key[:]...)
+		const responseOverhead = 2 // 1 debug type, 1 getpeers type
+		if uint64(len(tmp))+responseOverhead > p.core.store.maxSessionMTU() {
+			break
+		}
+		bs = tmp
+	}
+	p._sendDebug(key, typeDebugGetPeersResponse, bs)
+}
+
+func (p *protoHandler) _handleGetPeersResponse(key keyArray, bs []byte) {
+	if info := p.preqs[key]; info != nil {
+		info.timer.Stop()
+		info.callback(bs)
+		delete(p.preqs, key)
+	}
+}
+
+func (p *protoHandler) sendGetDHTRequest(key keyArray, callback func([]byte)) {
+	p.Act(nil, func() {
+		if info := p.dreqs[key]; info != nil {
+			info.timer.Stop()
+			delete(p.dreqs, key)
+		}
+		info := new(reqInfo)
+		info.callback = callback
+		info.timer = time.AfterFunc(time.Minute, func() {
+			p.Act(nil, func() {
+				if p.dreqs[key] == info {
+					delete(p.dreqs, key)
+				}
+			})
+		})
+		p.dreqs[key] = info
+		p._sendDebug(key, typeDebugGetDHTRequest, nil)
+	})
+}
+
+func (p *protoHandler) _handleGetDHTRequest(key keyArray) {
+	dinfos := p.core.GetDHT()
+	var bs []byte
+	for _, dinfo := range dinfos {
+		tmp := append(bs, dinfo.Key[:]...)
+		const responseOverhead = 2 // 1 debug type, 1 getdht type
+		if uint64(len(tmp))+responseOverhead > p.core.store.maxSessionMTU() {
+			break
+		}
+		bs = tmp
+	}
+	p._sendDebug(key, typeDebugGetDHTResponse, bs)
+}
+
+func (p *protoHandler) _handleGetDHTResponse(key keyArray, bs []byte) {
+	if info := p.dreqs[key]; info != nil {
+		info.timer.Stop()
+		info.callback(bs)
+		delete(p.dreqs, key)
+	}
+}
+
+func (p *protoHandler) _sendDebug(key keyArray, dType uint8, data []byte) {
+	bs := append([]byte{typeSessionProto, typeProtoDebug, dType}, data...)
+	_, _ = p.core.pc.WriteTo(bs, iwt.Addr(key[:]))
+}
+
+// Admin socket stuff
+
+type DebugGetSelfRequest struct {
+	Key string `json:"key"`
+}
+
+type DebugGetSelfResponse map[string]interface{}
+
+func (p *protoHandler) getSelfHandler(in json.RawMessage) (interface{}, error) {
+	var req DebugGetSelfRequest
+	if err := json.Unmarshal(in, &req); err != nil {
+		return nil, err
+	}
+	var key keyArray
+	var kbs []byte
+	var err error
+	if kbs, err = hex.DecodeString(req.Key); err != nil {
+		return nil, err
+	}
+	copy(key[:], kbs)
+	ch := make(chan []byte, 1)
+	p.sendGetSelfRequest(key, func(info []byte) {
+		ch <- info
+	})
+	timer := time.NewTimer(6 * time.Second)
+	defer timer.Stop()
+	select {
+	case <-timer.C:
+		return nil, errors.New("timeout")
+	case info := <-ch:
+		var msg json.RawMessage
+		if err := msg.UnmarshalJSON(info); err != nil {
+			return nil, err
+		}
+		ip := net.IP(address.AddrForKey(kbs)[:])
+		res := DebugGetSelfResponse{ip.String(): msg}
+		return res, nil
+	}
+}
+
+type DebugGetPeersRequest struct {
+	Key string `json:"key"`
+}
+
+type DebugGetPeersResponse map[string]interface{}
+
+func (p *protoHandler) getPeersHandler(in json.RawMessage) (interface{}, error) {
+	var req DebugGetPeersRequest
+	if err := json.Unmarshal(in, &req); err != nil {
+		return nil, err
+	}
+	var key keyArray
+	var kbs []byte
+	var err error
+	if kbs, err = hex.DecodeString(req.Key); err != nil {
+		return nil, err
+	}
+	copy(key[:], kbs)
+	ch := make(chan []byte, 1)
+	p.sendGetPeersRequest(key, func(info []byte) {
+		ch <- info
+	})
+	timer := time.NewTimer(6 * time.Second)
+	defer timer.Stop()
+	select {
+	case <-timer.C:
+		return nil, errors.New("timeout")
+	case info := <-ch:
+		ks := make(map[string][]string)
+		bs := info
+		for len(bs) >= len(key) {
+			ks["keys"] = append(ks["keys"], hex.EncodeToString(bs[:len(key)]))
+			bs = bs[len(key):]
+		}
+		js, err := json.Marshal(ks)
+		if err != nil {
+			return nil, err
+		}
+		var msg json.RawMessage
+		if err := msg.UnmarshalJSON(js); err != nil {
+			return nil, err
+		}
+		ip := net.IP(address.AddrForKey(kbs)[:])
+		res := DebugGetPeersResponse{ip.String(): msg}
+		return res, nil
+	}
+}
+
+type DebugGetDHTRequest struct {
+	Key string `json:"key"`
+}
+
+type DebugGetDHTResponse map[string]interface{}
+
+func (p *protoHandler) getDHTHandler(in json.RawMessage) (interface{}, error) {
+	var req DebugGetDHTRequest
+	if err := json.Unmarshal(in, &req); err != nil {
+		return nil, err
+	}
+	var key keyArray
+	var kbs []byte
+	var err error
+	if kbs, err = hex.DecodeString(req.Key); err != nil {
+		return nil, err
+	}
+	copy(key[:], kbs)
+	ch := make(chan []byte, 1)
+	p.sendGetDHTRequest(key, func(info []byte) {
+		ch <- info
+	})
+	timer := time.NewTimer(6 * time.Second)
+	defer timer.Stop()
+	select {
+	case <-timer.C:
+		return nil, errors.New("timeout")
+	case info := <-ch:
+		ks := make(map[string][]string)
+		bs := info
+		for len(bs) >= len(key) {
+			ks["keys"] = append(ks["keys"], hex.EncodeToString(bs[:len(key)]))
+			bs = bs[len(key):]
+		}
+		js, err := json.Marshal(ks)
+		if err != nil {
+			return nil, err
+		}
+		var msg json.RawMessage
+		if err := msg.UnmarshalJSON(js); err != nil {
+			return nil, err
+		}
+		ip := net.IP(address.AddrForKey(kbs)[:])
+		res := DebugGetDHTResponse{ip.String(): msg}
+		return res, nil
+	}
+}
--- a/src/core/tcp.go
+++ b/src/core/tcp.go
@@ -0,0 +1,417 @@
+package core
+
+// This sends packets to peers using TCP as a transport
+// It's generally better tested than the UDP implementation
+// Using it regularly is insane, but I find TCP easier to test/debug with it
+// Updating and optimizing the UDP version is a higher priority
+
+// TODO:
+//  Something needs to make sure we're getting *valid* packets
+//  Could be used to DoS (connect, give someone else's keys, spew garbage)
+//  I guess the "peer" part should watch for link packets, disconnect?
+
+// TCP connections start with a metadata exchange.
+//  It involves exchanging version numbers and crypto keys
+//  See version.go for version metadata format
+
+import (
+	"context"
+	"fmt"
+	"math/rand"
+	"net"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	"golang.org/x/net/proxy"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+	//"github.com/yggdrasil-network/yggdrasil-go/src/util"
+)
+
+const default_timeout = 6 * time.Second
+
+// The TCP listener and information about active TCP connections, to avoid duplication.
+type tcp struct {
+	links     *links
+	waitgroup sync.WaitGroup
+	mutex     sync.Mutex // Protecting the below
+	listeners map[string]*TcpListener
+	calls     map[string]struct{}
+	conns     map[linkInfo](chan struct{})
+	tls       tcptls
+}
+
+// TcpListener is a stoppable TCP listener interface. These are typically
+// returned from calls to the ListenTCP() function and are also used internally
+// to represent listeners created by the "Listen" configuration option and for
+// multicast interfaces.
+type TcpListener struct {
+	Listener net.Listener
+	opts     tcpOptions
+	stop     chan struct{}
+}
+
+type TcpUpgrade struct {
+	upgrade func(c net.Conn, o *tcpOptions) (net.Conn, error)
+	name    string
+}
+
+type tcpOptions struct {
+	linkOptions
+	upgrade        *TcpUpgrade
+	socksProxyAddr string
+	socksProxyAuth *proxy.Auth
+	socksPeerAddr  string
+}
+
+func (l *TcpListener) Stop() {
+	defer func() { _ = recover() }()
+	close(l.stop)
+}
+
+// Wrapper function to set additional options for specific connection types.
+func (t *tcp) setExtraOptions(c net.Conn) {
+	switch sock := c.(type) {
+	case *net.TCPConn:
+		_ = sock.SetNoDelay(true)
+	// TODO something for socks5
+	default:
+	}
+}
+
+// Returns the address of the listener.
+func (t *tcp) getAddr() *net.TCPAddr {
+	// TODO: Fix this, because this will currently only give a single address
+	// to multicast.go, which obviously is not great, but right now multicast.go
+	// doesn't have the ability to send more than one address in a packet either
+	t.mutex.Lock()
+	defer t.mutex.Unlock()
+	for _, l := range t.listeners {
+		return l.Listener.Addr().(*net.TCPAddr)
+	}
+	return nil
+}
+
+// Initializes the struct.
+func (t *tcp) init(l *links) error {
+	t.links = l
+	t.tls.init(t)
+	t.mutex.Lock()
+	t.calls = make(map[string]struct{})
+	t.conns = make(map[linkInfo](chan struct{}))
+	t.listeners = make(map[string]*TcpListener)
+	t.mutex.Unlock()
+
+	t.links.core.config.RLock()
+	defer t.links.core.config.RUnlock()
+	for _, listenaddr := range t.links.core.config.Listen {
+		u, err := url.Parse(listenaddr)
+		if err != nil {
+			t.links.core.log.Errorln("Failed to parse listener: listener", listenaddr, "is not correctly formatted, ignoring")
+		}
+		if _, err := t.listenURL(u, ""); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (t *tcp) stop() error {
+	t.mutex.Lock()
+	for _, listener := range t.listeners {
+		listener.Stop()
+	}
+	t.mutex.Unlock()
+	t.waitgroup.Wait()
+	return nil
+}
+
+func (t *tcp) listenURL(u *url.URL, sintf string) (*TcpListener, error) {
+	var listener *TcpListener
+	var err error
+	hostport := u.Host // Used for tcp and tls
+	if len(sintf) != 0 {
+		host, port, err := net.SplitHostPort(hostport)
+		if err == nil {
+			hostport = fmt.Sprintf("[%s%%%s]:%s", host, sintf, port)
+		}
+	}
+	switch u.Scheme {
+	case "tcp":
+		listener, err = t.listen(hostport, nil)
+	case "tls":
+		listener, err = t.listen(hostport, t.tls.forListener)
+	default:
+		t.links.core.log.Errorln("Failed to add listener: listener", u.String(), "is not correctly formatted, ignoring")
+	}
+	return listener, err
+}
+
+func (t *tcp) listen(listenaddr string, upgrade *TcpUpgrade) (*TcpListener, error) {
+	var err error
+
+	ctx := t.links.core.ctx
+	lc := net.ListenConfig{
+		Control: t.tcpContext,
+	}
+	listener, err := lc.Listen(ctx, "tcp", listenaddr)
+	if err == nil {
+		l := TcpListener{
+			Listener: listener,
+			opts:     tcpOptions{upgrade: upgrade},
+			stop:     make(chan struct{}),
+		}
+		t.waitgroup.Add(1)
+		go t.listener(&l, listenaddr)
+		return &l, nil
+	}
+
+	return nil, err
+}
+
+// Runs the listener, which spawns off goroutines for incoming connections.
+func (t *tcp) listener(l *TcpListener, listenaddr string) {
+	defer t.waitgroup.Done()
+	if l == nil {
+		return
+	}
+	// Track the listener so that we can find it again in future
+	t.mutex.Lock()
+	if _, isIn := t.listeners[listenaddr]; isIn {
+		t.mutex.Unlock()
+		l.Listener.Close()
+		return
+	}
+	callproto := "TCP"
+	if l.opts.upgrade != nil {
+		callproto = strings.ToUpper(l.opts.upgrade.name)
+	}
+	t.listeners[listenaddr] = l
+	t.mutex.Unlock()
+	// And here we go!
+	defer func() {
+		t.links.core.log.Infoln("Stopping", callproto, "listener on:", l.Listener.Addr().String())
+		l.Listener.Close()
+		t.mutex.Lock()
+		delete(t.listeners, listenaddr)
+		t.mutex.Unlock()
+	}()
+	t.links.core.log.Infoln("Listening for", callproto, "on:", l.Listener.Addr().String())
+	go func() {
+		<-l.stop
+		l.Listener.Close()
+	}()
+	defer l.Stop()
+	for {
+		sock, err := l.Listener.Accept()
+		if err != nil {
+			t.links.core.log.Errorln("Failed to accept connection:", err)
+			select {
+			case <-l.stop:
+				return
+			default:
+			}
+			time.Sleep(time.Second) // So we don't busy loop
+			continue
+		}
+		t.waitgroup.Add(1)
+		options := l.opts
+		go t.handler(sock, true, options)
+	}
+}
+
+// Checks if we already are calling this address
+func (t *tcp) startCalling(saddr string) bool {
+	t.mutex.Lock()
+	defer t.mutex.Unlock()
+	_, isIn := t.calls[saddr]
+	t.calls[saddr] = struct{}{}
+	return !isIn
+}
+
+// Checks if a connection already exists.
+// If not, it adds it to the list of active outgoing calls (to block future attempts) and dials the address.
+// If the dial is successful, it launches the handler.
+// When finished, it removes the outgoing call, so reconnection attempts can be made later.
+// This all happens in a separate goroutine that it spawns.
+func (t *tcp) call(saddr string, options tcpOptions, sintf string) {
+	go func() {
+		callname := saddr
+		callproto := "TCP"
+		if options.upgrade != nil {
+			callproto = strings.ToUpper(options.upgrade.name)
+		}
+		if sintf != "" {
+			callname = fmt.Sprintf("%s/%s/%s", callproto, saddr, sintf)
+		}
+		if !t.startCalling(callname) {
+			return
+		}
+		defer func() {
+			// Block new calls for a little while, to mitigate livelock scenarios
+			rand.Seed(time.Now().UnixNano())
+			delay := default_timeout + time.Duration(rand.Intn(10000))*time.Millisecond
+			time.Sleep(delay)
+			t.mutex.Lock()
+			delete(t.calls, callname)
+			t.mutex.Unlock()
+		}()
+		var conn net.Conn
+		var err error
+		if options.socksProxyAddr != "" {
+			if sintf != "" {
+				return
+			}
+			dialerdst, er := net.ResolveTCPAddr("tcp", options.socksProxyAddr)
+			if er != nil {
+				return
+			}
+			var dialer proxy.Dialer
+			dialer, err = proxy.SOCKS5("tcp", dialerdst.String(), options.socksProxyAuth, proxy.Direct)
+			if err != nil {
+				return
+			}
+			ctx, done := context.WithTimeout(t.links.core.ctx, default_timeout)
+			conn, err = dialer.(proxy.ContextDialer).DialContext(ctx, "tcp", saddr)
+			done()
+			if err != nil {
+				return
+			}
+			t.waitgroup.Add(1)
+			options.socksPeerAddr = saddr
+			if ch := t.handler(conn, false, options); ch != nil {
+				<-ch
+			}
+		} else {
+			dst, err := net.ResolveTCPAddr("tcp", saddr)
+			if err != nil {
+				return
+			}
+			if dst.IP.IsLinkLocalUnicast() {
+				dst.Zone = sintf
+				if dst.Zone == "" {
+					return
+				}
+			}
+			dialer := net.Dialer{
+				Control: t.tcpContext,
+			}
+			if sintf != "" {
+				dialer.Control = t.getControl(sintf)
+				ief, err := net.InterfaceByName(sintf)
+				if err != nil {
+					return
+				}
+				if ief.Flags&net.FlagUp == 0 {
+					return
+				}
+				addrs, err := ief.Addrs()
+				if err == nil {
+					for addrindex, addr := range addrs {
+						src, _, err := net.ParseCIDR(addr.String())
+						if err != nil {
+							continue
+						}
+						if src.Equal(dst.IP) {
+							continue
+						}
+						if !src.IsGlobalUnicast() && !src.IsLinkLocalUnicast() {
+							continue
+						}
+						bothglobal := src.IsGlobalUnicast() == dst.IP.IsGlobalUnicast()
+						bothlinklocal := src.IsLinkLocalUnicast() == dst.IP.IsLinkLocalUnicast()
+						if !bothglobal && !bothlinklocal {
+							continue
+						}
+						if (src.To4() != nil) != (dst.IP.To4() != nil) {
+							continue
+						}
+						if bothglobal || bothlinklocal || addrindex == len(addrs)-1 {
+							dialer.LocalAddr = &net.TCPAddr{
+								IP:   src,
+								Port: 0,
+								Zone: sintf,
+							}
+							break
+						}
+					}
+					if dialer.LocalAddr == nil {
+						return
+					}
+				}
+			}
+			ctx, done := context.WithTimeout(t.links.core.ctx, default_timeout)
+			conn, err = dialer.DialContext(ctx, "tcp", dst.String())
+			done()
+			if err != nil {
+				t.links.core.log.Debugf("Failed to dial %s: %s", callproto, err)
+				return
+			}
+			t.waitgroup.Add(1)
+			if ch := t.handler(conn, false, options); ch != nil {
+				<-ch
+			}
+		}
+	}()
+}
+
+func (t *tcp) handler(sock net.Conn, incoming bool, options tcpOptions) chan struct{} {
+	defer t.waitgroup.Done() // Happens after sock.close
+	defer sock.Close()
+	t.setExtraOptions(sock)
+	var upgraded bool
+	if options.upgrade != nil {
+		var err error
+		if sock, err = options.upgrade.upgrade(sock, &options); err != nil {
+			t.links.core.log.Errorln("TCP handler upgrade failed:", err)
+			return nil
+		}
+		upgraded = true
+	}
+	var name, proto, local, remote string
+	if options.socksProxyAddr != "" {
+		name = "socks://" + sock.RemoteAddr().String() + "/" + options.socksPeerAddr
+		proto = "socks"
+		local, _, _ = net.SplitHostPort(sock.LocalAddr().String())
+		remote, _, _ = net.SplitHostPort(options.socksPeerAddr)
+	} else {
+		if upgraded {
+			proto = options.upgrade.name
+			name = proto + "://" + sock.RemoteAddr().String()
+		} else {
+			proto = "tcp"
+			name = proto + "://" + sock.RemoteAddr().String()
+		}
+		local, _, _ = net.SplitHostPort(sock.LocalAddr().String())
+		remote, _, _ = net.SplitHostPort(sock.RemoteAddr().String())
+	}
+	localIP := net.ParseIP(local)
+	if localIP = localIP.To16(); localIP != nil {
+		var laddr address.Address
+		var lsubnet address.Subnet
+		copy(laddr[:], localIP)
+		copy(lsubnet[:], localIP)
+		if laddr.IsValid() || lsubnet.IsValid() {
+			// The local address is with the network address/prefix range
+			// This would route ygg over ygg, which we don't want
+			// FIXME ideally this check should happen outside of the core library
+			//  Maybe dial/listen at the application level
+			//  Then pass a net.Conn to the core library (after these kinds of checks are done)
+			t.links.core.log.Debugln("Dropping ygg-tunneled connection", local, remote)
+			return nil
+		}
+	}
+	force := net.ParseIP(strings.Split(remote, "%")[0]).IsLinkLocalUnicast()
+	link, err := t.links.create(sock, name, proto, local, remote, incoming, force, options.linkOptions)
+	if err != nil {
+		t.links.core.log.Println(err)
+		panic(err)
+	}
+	t.links.core.log.Debugln("DEBUG: starting handler for", name)
+	ch, err := link.handler()
+	t.links.core.log.Debugln("DEBUG: stopped handler for", name, err)
+	return ch
+}
--- a/src/core/tcp_darwin.go
+++ b/src/core/tcp_darwin.go
@@ -0,0 +1,32 @@
+// +build darwin
+
+package core
+
+import (
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+// WARNING: This context is used both by net.Dialer and net.Listen in tcp.go
+
+func (t *tcp) tcpContext(network, address string, c syscall.RawConn) error {
+	var control error
+	var recvanyif error
+
+	control = c.Control(func(fd uintptr) {
+		// sys/socket.h: #define	SO_RECV_ANYIF	0x1104
+		recvanyif = unix.SetsockoptInt(int(fd), syscall.SOL_SOCKET, 0x1104, 1)
+	})
+
+	switch {
+	case recvanyif != nil:
+		return recvanyif
+	default:
+		return control
+	}
+}
+
+func (t *tcp) getControl(sintf string) func(string, string, syscall.RawConn) error {
+	return t.tcpContext
+}
--- a/src/core/tcp_linux.go
+++ b/src/core/tcp_linux.go
@@ -0,0 +1,45 @@
+// +build linux
+
+package core
+
+import (
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+// WARNING: This context is used both by net.Dialer and net.Listen in tcp.go
+
+func (t *tcp) tcpContext(network, address string, c syscall.RawConn) error {
+	var control error
+	var bbr error
+
+	control = c.Control(func(fd uintptr) {
+		bbr = unix.SetsockoptString(int(fd), unix.IPPROTO_TCP, unix.TCP_CONGESTION, "bbr")
+	})
+
+	// Log any errors
+	if bbr != nil {
+		t.links.core.log.Debugln("Failed to set tcp_congestion_control to bbr for socket, SetsockoptString error:", bbr)
+	}
+	if control != nil {
+		t.links.core.log.Debugln("Failed to set tcp_congestion_control to bbr for socket, Control error:", control)
+	}
+
+	// Return nil because errors here are not considered fatal for the connection, it just means congestion control is suboptimal
+	return nil
+}
+
+func (t *tcp) getControl(sintf string) func(string, string, syscall.RawConn) error {
+	return func(network, address string, c syscall.RawConn) error {
+		var err error
+		btd := func(fd uintptr) {
+			err = unix.BindToDevice(int(fd), sintf)
+		}
+		_ = c.Control(btd)
+		if err != nil {
+			t.links.core.log.Debugln("Failed to set SO_BINDTODEVICE:", sintf)
+		}
+		return t.tcpContext(network, address, c)
+	}
+}
--- a/src/core/tcp_other.go
+++ b/src/core/tcp_other.go
@@ -0,0 +1,17 @@
+// +build !darwin,!linux
+
+package core
+
+import (
+	"syscall"
+)
+
+// WARNING: This context is used both by net.Dialer and net.Listen in tcp.go
+
+func (t *tcp) tcpContext(network, address string, c syscall.RawConn) error {
+	return nil
+}
+
+func (t *tcp) getControl(sintf string) func(string, string, syscall.RawConn) error {
+	return t.tcpContext
+}
--- a/src/core/tls.go
+++ b/src/core/tls.go
@@ -0,0 +1,125 @@
+package core
+
+import (
+	"bytes"
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/hex"
+	"encoding/pem"
+	"errors"
+	"log"
+	"math/big"
+	"net"
+	"time"
+)
+
+type tcptls struct {
+	tcp         *tcp
+	config      *tls.Config
+	forDialer   *TcpUpgrade
+	forListener *TcpUpgrade
+}
+
+func (t *tcptls) init(tcp *tcp) {
+	t.tcp = tcp
+	t.forDialer = &TcpUpgrade{
+		upgrade: t.upgradeDialer,
+		name:    "tls",
+	}
+	t.forListener = &TcpUpgrade{
+		upgrade: t.upgradeListener,
+		name:    "tls",
+	}
+
+	edpriv := make(ed25519.PrivateKey, ed25519.PrivateKeySize)
+	copy(edpriv[:], tcp.links.core.secret[:])
+
+	certBuf := &bytes.Buffer{}
+
+	// TODO: because NotAfter is finite, we should add some mechanism to regenerate the certificate and restart the listeners periodically for nodes with very high uptimes. Perhaps regenerate certs and restart listeners every few months or so.
+	pubtemp := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: hex.EncodeToString(tcp.links.core.public[:]),
+		},
+		NotBefore:             time.Now(),
+		NotAfter:              time.Now().Add(time.Hour * 24 * 365),
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	derbytes, err := x509.CreateCertificate(rand.Reader, &pubtemp, &pubtemp, edpriv.Public(), edpriv)
+	if err != nil {
+		log.Fatalf("Failed to create certificate: %s", err)
+	}
+
+	if err := pem.Encode(certBuf, &pem.Block{Type: "CERTIFICATE", Bytes: derbytes}); err != nil {
+		panic("failed to encode certificate into PEM")
+	}
+
+	cpool := x509.NewCertPool()
+	cpool.AppendCertsFromPEM(derbytes)
+
+	t.config = &tls.Config{
+		RootCAs: cpool,
+		Certificates: []tls.Certificate{
+			{
+				Certificate: [][]byte{derbytes},
+				PrivateKey:  edpriv,
+			},
+		},
+		InsecureSkipVerify: true,
+		MinVersion:         tls.VersionTLS13,
+	}
+}
+
+func (t *tcptls) configForOptions(options *tcpOptions) *tls.Config {
+	config := *t.config
+	config.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
+		if len(rawCerts) != 1 {
+			return errors.New("tls not exactly 1 cert")
+		}
+		cert, err := x509.ParseCertificate(rawCerts[0])
+		if err != nil {
+			return errors.New("tls failed to parse cert")
+		}
+		if cert.PublicKeyAlgorithm != x509.Ed25519 {
+			return errors.New("tls wrong cert algorithm")
+		}
+		pk := cert.PublicKey.(ed25519.PublicKey)
+		var key keyArray
+		copy(key[:], pk)
+		// If options does not have a pinned key, then pin one now
+		if options.pinnedEd25519Keys == nil {
+			options.pinnedEd25519Keys = make(map[keyArray]struct{})
+			options.pinnedEd25519Keys[key] = struct{}{}
+		}
+		if _, isIn := options.pinnedEd25519Keys[key]; !isIn {
+			return errors.New("tls key does not match pinned key")
+		}
+		return nil
+	}
+	return &config
+}
+
+func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, error) {
+	config := t.configForOptions(options)
+	conn := tls.Server(c, config)
+	if err := conn.Handshake(); err != nil {
+		return c, err
+	}
+	return conn, nil
+}
+
+func (t *tcptls) upgradeDialer(c net.Conn, options *tcpOptions) (net.Conn, error) {
+	config := t.configForOptions(options)
+	conn := tls.Client(c, config)
+	if err := conn.Handshake(); err != nil {
+		return c, err
+	}
+	return conn, nil
+}
--- a/src/core/types.go
+++ b/src/core/types.go
@@ -0,0 +1,23 @@
+package core
+
+// Out-of-band packet types
+const (
+	typeKeyDummy = iota // nolint:deadcode,varcheck
+	typeKeyLookup
+	typeKeyResponse
+)
+
+// In-band packet types
+const (
+	typeSessionDummy = iota // nolint:deadcode,varcheck
+	typeSessionTraffic
+	typeSessionProto
+)
+
+// Protocol packet types
+const (
+	typeProtoDummy = iota
+	typeProtoNodeInfoRequest
+	typeProtoNodeInfoResponse
+	typeProtoDebug = 255
+)
--- a/src/yggdrasil/version.go
+++ b/src/yggdrasil/version.go
@@ -1,20 +1,20 @@
-package yggdrasil
+package core

 // This file contains the version metadata struct
-// Used in the inital connection setup and key exchange
+// Used in the initial connection setup and key exchange
 // Some of this could arguably go in wire.go instead

+import "crypto/ed25519"
+
 // This is the version-specific metadata exchanged at the start of a connection.
-// It must always beign with the 4 bytes "meta" and a wire formatted uint64 major version number.
-// The current version also includes a minor version number, and the box/sig/link keys that need to be exchanged to open an connection.
+// It must always begin with the 4 bytes "meta" and a wire formatted uint64 major version number.
+// The current version also includes a minor version number, and the box/sig/link keys that need to be exchanged to open a connection.
 type version_metadata struct {
 	meta [4]byte
-	ver  uint64 // 1 byte in this version
+	ver  uint8 // 1 byte in this version
 	// Everything after this point potentially depends on the version number, and is subject to change in future versions
-	minorVer uint64 // 1 byte in this version
-	box      boxPubKey
-	sig      sigPubKey
-	link     boxPubKey
+	minorVer uint8 // 1 byte in this version
+	key      ed25519.PublicKey
 }

 // Gets a base metadata with no keys set, but with the correct version numbers.
@@ -22,18 +22,16 @@ func version_getBaseMetadata() version_metadata {
 	return version_metadata{
 		meta:     [4]byte{'m', 'e', 't', 'a'},
 		ver:      0,
-		minorVer: 2,
+		minorVer: 0,
 	}
 }

-// Gest the length of the metadata for this version, used to know how many bytes to read from the start of a connection.
+// Gets the length of the metadata for this version, used to know how many bytes to read from the start of a connection.
 func version_getMetaLength() (mlen int) {
-	mlen += 4            // meta
-	mlen += 1            // ver, as long as it's < 127, which it is in this version
-	mlen += 1            // minorVer, as long as it's < 127, which it is in this version
-	mlen += boxPubKeyLen // box
-	mlen += sigPubKeyLen // sig
-	mlen += boxPubKeyLen // link
+	mlen += 4                     // meta
+	mlen++                        // ver, as long as it's < 127, which it is in this version
+	mlen++                        // minorVer, as long as it's < 127, which it is in this version
+	mlen += ed25519.PublicKeySize // key
 	return
 }

@@ -41,11 +39,9 @@ func version_getMetaLength() (mlen int) {
 func (m *version_metadata) encode() []byte {
 	bs := make([]byte, 0, version_getMetaLength())
 	bs = append(bs, m.meta[:]...)
-	bs = append(bs, wire_encode_uint64(m.ver)...)
-	bs = append(bs, wire_encode_uint64(m.minorVer)...)
-	bs = append(bs, m.box[:]...)
-	bs = append(bs, m.sig[:]...)
-	bs = append(bs, m.link[:]...)
+	bs = append(bs, m.ver)
+	bs = append(bs, m.minorVer)
+	bs = append(bs, m.key[:]...)
 	if len(bs) != version_getMetaLength() {
 		panic("Inconsistent metadata length")
 	}
@@ -54,20 +50,14 @@ func (m *version_metadata) encode() []byte {

 // Decodes version metadata from its wire format into the struct.
 func (m *version_metadata) decode(bs []byte) bool {
-	switch {
-	case !wire_chop_slice(m.meta[:], &bs):
-		return false
-	case !wire_chop_uint64(&m.ver, &bs):
-		return false
-	case !wire_chop_uint64(&m.minorVer, &bs):
-		return false
-	case !wire_chop_slice(m.box[:], &bs):
-		return false
-	case !wire_chop_slice(m.sig[:], &bs):
-		return false
-	case !wire_chop_slice(m.link[:], &bs):
+	if len(bs) != version_getMetaLength() {
 		return false
 	}
+	offset := 0
+	offset += copy(m.meta[:], bs[offset:])
+	m.ver, offset = bs[offset], offset+1
+	m.minorVer, offset = bs[offset], offset+1
+	m.key = append([]byte(nil), bs[offset:]...)
 	return true
 }

--- a/src/defaults/defaults.go
+++ b/src/defaults/defaults.go
@@ -10,9 +10,11 @@ type platformDefaultParameters struct {
 	// Configuration (used for yggdrasilctl)
 	DefaultConfigFile string

+	// Multicast interfaces
+	DefaultMulticastInterfaces []string
+
 	// TUN/TAP
-	MaximumIfMTU     int
-	DefaultIfMTU     int
-	DefaultIfName    string
-	DefaultIfTAPMode bool
+	MaximumIfMTU  uint64
+	DefaultIfMTU  uint64
+	DefaultIfName string
 }
--- a/src/defaults/defaults_darwin.go
+++ b/src/defaults/defaults_darwin.go
@@ -12,10 +12,15 @@ func GetDefaults() platformDefaultParameters {
 		// Configuration (used for yggdrasilctl)
 		DefaultConfigFile: "/etc/yggdrasil.conf",

+		// Multicast interfaces
+		DefaultMulticastInterfaces: []string{
+			"en.*",
+			"bridge.*",
+		},
+
 		// TUN/TAP
-		MaximumIfMTU:     65535,
-		DefaultIfMTU:     65535,
-		DefaultIfName:    "auto",
-		DefaultIfTAPMode: false,
+		MaximumIfMTU:  65535,
+		DefaultIfMTU:  65535,
+		DefaultIfName: "auto",
 	}
 }
--- a/src/defaults/defaults_freebsd.go
+++ b/src/defaults/defaults_freebsd.go
@@ -10,12 +10,16 @@ func GetDefaults() platformDefaultParameters {
 		DefaultAdminListen: "unix:///var/run/yggdrasil.sock",

 		// Configuration (used for yggdrasilctl)
-		DefaultConfigFile: "/etc/yggdrasil.conf",
+		DefaultConfigFile: "/usr/local/etc/yggdrasil.conf",
+
+		// Multicast interfaces
+		DefaultMulticastInterfaces: []string{
+			".*",
+		},

 		// TUN/TAP
-		MaximumIfMTU:     32767,
-		DefaultIfMTU:     32767,
-		DefaultIfName:    "/dev/tap0",
-		DefaultIfTAPMode: true,
+		MaximumIfMTU:  32767,
+		DefaultIfMTU:  32767,
+		DefaultIfName: "/dev/tun0",
 	}
 }
--- a/src/defaults/defaults_linux.go
+++ b/src/defaults/defaults_linux.go
@@ -12,10 +12,14 @@ func GetDefaults() platformDefaultParameters {
 		// Configuration (used for yggdrasilctl)
 		DefaultConfigFile: "/etc/yggdrasil.conf",

+		// Multicast interfaces
+		DefaultMulticastInterfaces: []string{
+			".*",
+		},
+
 		// TUN/TAP
-		MaximumIfMTU:     65535,
-		DefaultIfMTU:     65535,
-		DefaultIfName:    "auto",
-		DefaultIfTAPMode: false,
+		MaximumIfMTU:  65535,
+		DefaultIfMTU:  65535,
+		DefaultIfName: "auto",
 	}
 }
--- a/src/defaults/defaults_netbsd.go
+++ b/src/defaults/defaults_netbsd.go
@@ -1,21 +0,0 @@
-// +build netbsd
-
-package defaults
-
-// Sane defaults for the BSD platforms. The "default" options may be
-// may be replaced by the running configuration.
-func GetDefaults() platformDefaultParameters {
-	return platformDefaultParameters{
-		// Admin
-		DefaultAdminListen: "unix:///var/run/yggdrasil.sock",
-
-		// Configuration (used for yggdrasilctl)
-		DefaultConfigFile: "/etc/yggdrasil.conf",
-
-		// TUN/TAP
-		MaximumIfMTU:     9000,
-		DefaultIfMTU:     9000,
-		DefaultIfName:    "/dev/tap0",
-		DefaultIfTAPMode: true,
-	}
-}
--- a/src/defaults/defaults_openbsd.go
+++ b/src/defaults/defaults_openbsd.go
@@ -12,10 +12,14 @@ func GetDefaults() platformDefaultParameters {
 		// Configuration (used for yggdrasilctl)
 		DefaultConfigFile: "/etc/yggdrasil.conf",

+		// Multicast interfaces
+		DefaultMulticastInterfaces: []string{
+			".*",
+		},
+
 		// TUN/TAP
-		MaximumIfMTU:     16384,
-		DefaultIfMTU:     16384,
-		DefaultIfName:    "/dev/tap0",
-		DefaultIfTAPMode: true,
+		MaximumIfMTU:  16384,
+		DefaultIfMTU:  16384,
+		DefaultIfName: "tun0",
 	}
 }
--- a/src/defaults/defaults_other.go
+++ b/src/defaults/defaults_other.go
@@ -1,4 +1,4 @@
-// +build !linux,!darwin,!windows,!openbsd,!freebsd,!netbsd
+// +build !linux,!darwin,!windows,!openbsd,!freebsd

 package defaults

@@ -12,10 +12,14 @@ func GetDefaults() platformDefaultParameters {
 		// Configuration (used for yggdrasilctl)
 		DefaultConfigFile: "/etc/yggdrasil.conf",

+		// Multicast interfaces
+		DefaultMulticastInterfaces: []string{
+			".*",
+		},
+
 		// TUN/TAP
-		MaximumIfMTU:     65535,
-		DefaultIfMTU:     65535,
-		DefaultIfName:    "none",
-		DefaultIfTAPMode: false,
+		MaximumIfMTU:  65535,
+		DefaultIfMTU:  65535,
+		DefaultIfName: "none",
 	}
 }
--- a/src/defaults/defaults_windows.go
+++ b/src/defaults/defaults_windows.go
@@ -12,10 +12,14 @@ func GetDefaults() platformDefaultParameters {
 		// Configuration (used for yggdrasilctl)
 		DefaultConfigFile: "C:\\Program Files\\Yggdrasil\\yggdrasil.conf",

+		// Multicast interfaces
+		DefaultMulticastInterfaces: []string{
+			".*",
+		},
+
 		// TUN/TAP
-		MaximumIfMTU:     65535,
-		DefaultIfMTU:     65535,
-		DefaultIfName:    "auto",
-		DefaultIfTAPMode: true,
+		MaximumIfMTU:  65535,
+		DefaultIfMTU:  65535,
+		DefaultIfName: "Yggdrasil",
 	}
 }
--- a/src/multicast/admin.go
+++ b/src/multicast/admin.go
@@ -0,0 +1,34 @@
+package multicast
+
+import (
+	"encoding/json"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/admin"
+)
+
+type GetMulticastInterfacesRequest struct{}
+type GetMulticastInterfacesResponse struct {
+	Interfaces []string `json:"multicast_interfaces"`
+}
+
+func (m *Multicast) getMulticastInterfacesHandler(req *GetMulticastInterfacesRequest, res *GetMulticastInterfacesResponse) error {
+	res.Interfaces = []string{}
+	for _, v := range m.Interfaces() {
+		res.Interfaces = append(res.Interfaces, v.Name)
+	}
+	return nil
+}
+
+func (m *Multicast) SetupAdminHandlers(a *admin.AdminSocket) {
+	_ = a.AddHandler("getMulticastInterfaces", []string{}, func(in json.RawMessage) (interface{}, error) {
+		req := &GetMulticastInterfacesRequest{}
+		res := &GetMulticastInterfacesResponse{}
+		if err := json.Unmarshal(in, &req); err != nil {
+			return nil, err
+		}
+		if err := m.getMulticastInterfacesHandler(req, res); err != nil {
+			return nil, err
+		}
+		return res, nil
+	})
+}
--- a/src/multicast/multicast.go
+++ b/src/multicast/multicast.go
@@ -0,0 +1,382 @@
+package multicast
+
+import (
+	"bytes"
+	"context"
+	"crypto/ed25519"
+	"encoding/hex"
+	"fmt"
+	"net"
+	"net/url"
+	"regexp"
+	"time"
+
+	"github.com/Arceliar/phony"
+	"github.com/gologme/log"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/config"
+	"github.com/yggdrasil-network/yggdrasil-go/src/core"
+	"golang.org/x/net/ipv6"
+)
+
+// Multicast represents the multicast advertisement and discovery mechanism used
+// by Yggdrasil to find peers on the same subnet. When a beacon is received on a
+// configured multicast interface, Yggdrasil will attempt to peer with that node
+// automatically.
+type Multicast struct {
+	phony.Inbox
+	core        *core.Core
+	config      *config.NodeConfig
+	log         *log.Logger
+	sock        *ipv6.PacketConn
+	groupAddr   string
+	listeners   map[string]*listenerInfo
+	listenPort  uint16
+	isOpen      bool
+	_interfaces map[string]interfaceInfo
+}
+
+type interfaceInfo struct {
+	iface net.Interface
+	addrs []net.Addr
+}
+
+type listenerInfo struct {
+	listener *core.TcpListener
+	time     time.Time
+	interval time.Duration
+}
+
+// Init prepares the multicast interface for use.
+func (m *Multicast) Init(core *core.Core, nc *config.NodeConfig, log *log.Logger, options interface{}) error {
+	m.core = core
+	m.config = nc
+	m.log = log
+	m.listeners = make(map[string]*listenerInfo)
+	m._interfaces = make(map[string]interfaceInfo)
+	m.listenPort = m.config.LinkLocalTCPPort
+	m.groupAddr = "[ff02::114]:9001"
+	return nil
+}
+
+// Start starts the multicast interface. This launches goroutines which will
+// listen for multicast beacons from other hosts and will advertise multicast
+// beacons out to the network.
+func (m *Multicast) Start() error {
+	var err error
+	phony.Block(m, func() {
+		err = m._start()
+	})
+	m.log.Debugln("Started multicast module")
+	return err
+}
+
+func (m *Multicast) _start() error {
+	if m.isOpen {
+		return fmt.Errorf("multicast module is already started")
+	}
+	m.config.RLock()
+	defer m.config.RUnlock()
+	if len(m.config.MulticastInterfaces) == 0 {
+		return nil
+	}
+	m.log.Infoln("Starting multicast module")
+	addr, err := net.ResolveUDPAddr("udp", m.groupAddr)
+	if err != nil {
+		return err
+	}
+	listenString := fmt.Sprintf("[::]:%v", addr.Port)
+	lc := net.ListenConfig{
+		Control: m.multicastReuse,
+	}
+	conn, err := lc.ListenPacket(context.Background(), "udp6", listenString)
+	if err != nil {
+		return err
+	}
+	m.sock = ipv6.NewPacketConn(conn)
+	if err = m.sock.SetControlMessage(ipv6.FlagDst, true); err != nil { // nolint:staticcheck
+		// Windows can't set this flag, so we need to handle it in other ways
+	}
+
+	m.isOpen = true
+	go m.listen()
+	m.Act(nil, m._multicastStarted)
+	m.Act(nil, m._announce)
+
+	return nil
+}
+
+// IsStarted returns true if the module has been started.
+func (m *Multicast) IsStarted() bool {
+	var isOpen bool
+	phony.Block(m, func() {
+		isOpen = m.isOpen
+	})
+	return isOpen
+}
+
+// Stop stops the multicast module.
+func (m *Multicast) Stop() error {
+	var err error
+	phony.Block(m, func() {
+		err = m._stop()
+	})
+	m.log.Debugln("Stopped multicast module")
+	return err
+}
+
+func (m *Multicast) _stop() error {
+	m.log.Infoln("Stopping multicast module")
+	m.isOpen = false
+	if m.sock != nil {
+		m.sock.Close()
+	}
+	return nil
+}
+
+func (m *Multicast) _updateInterfaces() {
+	interfaces := make(map[string]interfaceInfo)
+	intfs := m.getAllowedInterfaces()
+	for _, intf := range intfs {
+		addrs, err := intf.Addrs()
+		if err != nil {
+			m.log.Warnf("Failed up get addresses for interface %s: %s", intf.Name, err)
+			continue
+		}
+		interfaces[intf.Name] = interfaceInfo{
+			iface: intf,
+			addrs: addrs,
+		}
+	}
+	m._interfaces = interfaces
+}
+
+func (m *Multicast) Interfaces() map[string]net.Interface {
+	interfaces := make(map[string]net.Interface)
+	phony.Block(m, func() {
+		for _, info := range m._interfaces {
+			interfaces[info.iface.Name] = info.iface
+		}
+	})
+	return interfaces
+}
+
+// getAllowedInterfaces returns the currently known/enabled multicast interfaces.
+func (m *Multicast) getAllowedInterfaces() map[string]net.Interface {
+	interfaces := make(map[string]net.Interface)
+	// Get interface expressions from config
+	exprs := m.config.MulticastInterfaces
+	// Ask the system for network interfaces
+	allifaces, err := net.Interfaces()
+	if err != nil {
+		// Don't panic, since this may be from e.g. too many open files (from too much connection spam)
+		// TODO? log something
+		return nil
+	}
+	// Work out which interfaces to announce on
+	for _, iface := range allifaces {
+		if iface.Flags&net.FlagUp == 0 {
+			// Ignore interfaces that are down
+			continue
+		}
+		if iface.Flags&net.FlagMulticast == 0 {
+			// Ignore non-multicast interfaces
+			continue
+		}
+		if iface.Flags&net.FlagPointToPoint != 0 {
+			// Ignore point-to-point interfaces
+			continue
+		}
+		for _, expr := range exprs {
+			// Compile each regular expression
+			e, err := regexp.Compile(expr)
+			if err != nil {
+				panic(err)
+			}
+			// Does the interface match the regular expression? Store it if so
+			if e.MatchString(iface.Name) {
+				interfaces[iface.Name] = iface
+			}
+		}
+	}
+	return interfaces
+}
+
+func (m *Multicast) _announce() {
+	if !m.isOpen {
+		return
+	}
+	m._updateInterfaces()
+	groupAddr, err := net.ResolveUDPAddr("udp6", m.groupAddr)
+	if err != nil {
+		panic(err)
+	}
+	destAddr, err := net.ResolveUDPAddr("udp6", m.groupAddr)
+	if err != nil {
+		panic(err)
+	}
+	// There might be interfaces that we configured listeners for but are no
+	// longer up - if that's the case then we should stop the listeners
+	for name, info := range m.listeners {
+		// Prepare our stop function!
+		stop := func() {
+			info.listener.Stop()
+			delete(m.listeners, name)
+			m.log.Debugln("No longer multicasting on", name)
+		}
+		// If the interface is no longer visible on the system then stop the
+		// listener, as another one will be started further down
+		if _, ok := m._interfaces[name]; !ok {
+			stop()
+			continue
+		}
+		// It's possible that the link-local listener address has changed so if
+		// that is the case then we should clean up the interface listener
+		found := false
+		listenaddr, err := net.ResolveTCPAddr("tcp6", info.listener.Listener.Addr().String())
+		if err != nil {
+			stop()
+			continue
+		}
+		// Find the interface that matches the listener
+		if info, ok := m._interfaces[name]; ok {
+			for _, addr := range info.addrs {
+				if ip, _, err := net.ParseCIDR(addr.String()); err == nil {
+					// Does the interface address match our listener address?
+					if ip.Equal(listenaddr.IP) {
+						found = true
+						break
+					}
+				}
+			}
+		}
+		// If the address has not been found on the adapter then we should stop
+		// and clean up the TCP listener. A new one will be created below if a
+		// suitable link-local address is found
+		if !found {
+			stop()
+		}
+	}
+	// Now that we have a list of valid interfaces from the operating system,
+	// we can start checking if we can send multicasts on them
+	for _, info := range m._interfaces {
+		iface := info.iface
+		for _, addr := range info.addrs {
+			addrIP, _, _ := net.ParseCIDR(addr.String())
+			// Ignore IPv4 addresses
+			if addrIP.To4() != nil {
+				continue
+			}
+			// Ignore non-link-local addresses
+			if !addrIP.IsLinkLocalUnicast() {
+				continue
+			}
+			// Join the multicast group
+			_ = m.sock.JoinGroup(&iface, groupAddr)
+			// Try and see if we already have a TCP listener for this interface
+			var info *listenerInfo
+			if nfo, ok := m.listeners[iface.Name]; !ok || nfo.listener.Listener == nil {
+				// No listener was found - let's create one
+				urlString := fmt.Sprintf("tls://[%s]:%d", addrIP, m.listenPort)
+				u, err := url.Parse(urlString)
+				if err != nil {
+					panic(err)
+				}
+				if li, err := m.core.Listen(u, iface.Name); err == nil {
+					m.log.Debugln("Started multicasting on", iface.Name)
+					// Store the listener so that we can stop it later if needed
+					info = &listenerInfo{listener: li, time: time.Now()}
+					m.listeners[iface.Name] = info
+				} else {
+					m.log.Warnln("Not multicasting on", iface.Name, "due to error:", err)
+				}
+			} else {
+				// An existing listener was found
+				info = m.listeners[iface.Name]
+			}
+			// Make sure nothing above failed for some reason
+			if info == nil {
+				continue
+			}
+			if time.Since(info.time) < info.interval {
+				continue
+			}
+			// Get the listener details and construct the multicast beacon
+			lladdr := info.listener.Listener.Addr().String()
+			if a, err := net.ResolveTCPAddr("tcp6", lladdr); err == nil {
+				a.Zone = ""
+				destAddr.Zone = iface.Name
+				msg := append([]byte(nil), m.core.GetSelf().Key...)
+				msg = append(msg, a.String()...)
+				_, _ = m.sock.WriteTo(msg, nil, destAddr)
+			}
+			if info.interval.Seconds() < 15 {
+				info.interval += time.Second
+			}
+			break
+		}
+	}
+	time.AfterFunc(time.Second, func() {
+		m.Act(nil, m._announce)
+	})
+}
+
+func (m *Multicast) listen() {
+	groupAddr, err := net.ResolveUDPAddr("udp6", m.groupAddr)
+	if err != nil {
+		panic(err)
+	}
+	bs := make([]byte, 2048)
+	for {
+		nBytes, rcm, fromAddr, err := m.sock.ReadFrom(bs)
+		if err != nil {
+			if !m.IsStarted() {
+				return
+			}
+			panic(err)
+		}
+		if rcm != nil {
+			// Windows can't set the flag needed to return a non-nil value here
+			// So only make these checks if we get something useful back
+			// TODO? Skip them always, I'm not sure if they're really needed...
+			if !rcm.Dst.IsLinkLocalMulticast() {
+				continue
+			}
+			if !rcm.Dst.Equal(groupAddr.IP) {
+				continue
+			}
+		}
+		if nBytes < ed25519.PublicKeySize {
+			continue
+		}
+		var key ed25519.PublicKey
+		key = append(key, bs[:ed25519.PublicKeySize]...)
+		if bytes.Equal(key, m.core.GetSelf().Key) {
+			continue // don't bother trying to peer with self
+		}
+		anAddr := string(bs[ed25519.PublicKeySize:nBytes])
+		addr, err := net.ResolveTCPAddr("tcp6", anAddr)
+		if err != nil {
+			continue
+		}
+		from := fromAddr.(*net.UDPAddr)
+		if addr.IP.String() != from.IP.String() {
+			continue
+		}
+		var interfaces map[string]interfaceInfo
+		phony.Block(m, func() {
+			interfaces = m._interfaces
+		})
+		if _, ok := interfaces[from.Zone]; ok {
+			addr.Zone = ""
+			pin := fmt.Sprintf("/?key=%s", hex.EncodeToString(key))
+			u, err := url.Parse("tls://" + addr.String() + pin)
+			if err != nil {
+				m.log.Debugln("Call from multicast failed, parse error:", addr.String(), err)
+			}
+			if err := m.core.CallPeer(u, from.Zone); err != nil {
+				m.log.Debugln("Call from multicast failed:", err)
+			}
+		}
+	}
+}
--- a/src/multicast/multicast_darwin.go
+++ b/src/multicast/multicast_darwin.go
@@ -0,0 +1,68 @@
+// +build darwin
+
+package multicast
+
+/*
+#cgo CFLAGS: -x objective-c
+#cgo LDFLAGS: -framework Foundation
+#import <Foundation/Foundation.h>
+NSNetServiceBrowser *serviceBrowser;
+void StartAWDLBrowsing() {
+	if (serviceBrowser == nil) {
+		serviceBrowser = [[NSNetServiceBrowser alloc] init];
+		serviceBrowser.includesPeerToPeer = YES;
+	}
+	[serviceBrowser searchForServicesOfType:@"_yggdrasil._tcp" inDomain:@""];
+}
+void StopAWDLBrowsing() {
+	if (serviceBrowser == nil) {
+		return;
+	}
+	[serviceBrowser stop];
+}
+*/
+import "C"
+import (
+	"syscall"
+	"time"
+
+	"golang.org/x/sys/unix"
+)
+
+func (m *Multicast) _multicastStarted() {
+	if !m.isOpen {
+		return
+	}
+	C.StopAWDLBrowsing()
+	for intf := range m._interfaces {
+		if intf == "awdl0" {
+			C.StartAWDLBrowsing()
+			break
+		}
+	}
+	time.AfterFunc(time.Minute, func() {
+		m.Act(nil, m._multicastStarted)
+	})
+}
+
+func (m *Multicast) multicastReuse(network string, address string, c syscall.RawConn) error {
+	var control error
+	var reuseport error
+	var recvanyif error
+
+	control = c.Control(func(fd uintptr) {
+		reuseport = unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEPORT, 1)
+
+		// sys/socket.h: #define	SO_RECV_ANYIF	0x1104
+		recvanyif = unix.SetsockoptInt(int(fd), syscall.SOL_SOCKET, 0x1104, 1)
+	})
+
+	switch {
+	case reuseport != nil:
+		return reuseport
+	case recvanyif != nil:
+		return recvanyif
+	default:
+		return control
+	}
+}
--- a/src/multicast/multicast_other.go
+++ b/src/multicast/multicast_other.go
@@ -0,0 +1,13 @@
+// +build !linux,!darwin,!netbsd,!freebsd,!openbsd,!dragonflybsd,!windows
+
+package multicast
+
+import "syscall"
+
+func (m *Multicast) _multicastStarted() {
+
+}
+
+func (m *Multicast) multicastReuse(network string, address string, c syscall.RawConn) error {
+	return nil
+}
--- a/src/multicast/multicast_unix.go
+++ b/src/multicast/multicast_unix.go
@@ -1,11 +1,15 @@
-// +build linux darwin netbsd freebsd openbsd dragonflybsd
+// +build linux netbsd freebsd openbsd dragonflybsd

-package yggdrasil
+package multicast

 import "syscall"
 import "golang.org/x/sys/unix"

-func multicastReuse(network string, address string, c syscall.RawConn) error {
+func (m *Multicast) _multicastStarted() {
+
+}
+
+func (m *Multicast) multicastReuse(network string, address string, c syscall.RawConn) error {
 	var control error
 	var reuseport error

--- a/src/multicast/multicast_windows.go
+++ b/src/multicast/multicast_windows.go
@@ -1,11 +1,15 @@
 // +build windows

-package yggdrasil
+package multicast

 import "syscall"
 import "golang.org/x/sys/windows"

-func multicastReuse(network string, address string, c syscall.RawConn) error {
+func (m *Multicast) _multicastStarted() {
+
+}
+
+func (m *Multicast) multicastReuse(network string, address string, c syscall.RawConn) error {
 	var control error
 	var reuseaddr error

--- a/src/tuntap/admin.go
+++ b/src/tuntap/admin.go
@@ -0,0 +1,37 @@
+package tuntap
+
+import (
+	"encoding/json"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/admin"
+)
+
+type GetTUNRequest struct{}
+type GetTUNResponse map[string]TUNEntry
+
+type TUNEntry struct {
+	MTU uint64 `json:"mtu"`
+}
+
+func (t *TunAdapter) getTUNHandler(req *GetTUNRequest, res *GetTUNResponse) error {
+	*res = GetTUNResponse{
+		t.Name(): TUNEntry{
+			MTU: t.MTU(),
+		},
+	}
+	return nil
+}
+
+func (t *TunAdapter) SetupAdminHandlers(a *admin.AdminSocket) {
+	_ = a.AddHandler("getTunTap", []string{}, func(in json.RawMessage) (interface{}, error) {
+		req := &GetTUNRequest{}
+		res := &GetTUNResponse{}
+		if err := json.Unmarshal(in, &req); err != nil {
+			return nil, err
+		}
+		if err := t.getTUNHandler(req, res); err != nil {
+			return nil, err
+		}
+		return res, nil
+	})
+}
--- a/src/tuntap/iface.go
+++ b/src/tuntap/iface.go
@@ -0,0 +1,47 @@
+package tuntap
+
+const TUN_OFFSET_BYTES = 4
+
+func (tun *TunAdapter) read() {
+	var buf [TUN_OFFSET_BYTES + 65535]byte
+	for {
+		n, err := tun.iface.Read(buf[:], TUN_OFFSET_BYTES)
+		if n <= TUN_OFFSET_BYTES || err != nil {
+			tun.log.Errorln("Error reading TUN:", err)
+			ferr := tun.iface.Flush()
+			if ferr != nil {
+				tun.log.Errorln("Unable to flush packets:", ferr)
+			}
+			return
+		}
+		begin := TUN_OFFSET_BYTES
+		end := begin + n
+		bs := buf[begin:end]
+		if _, err := tun.core.Write(bs); err != nil {
+			tun.log.Errorln("Unable to send packet:", err)
+		}
+	}
+}
+
+func (tun *TunAdapter) write() {
+	var buf [TUN_OFFSET_BYTES + 65535]byte
+	for {
+		bs := buf[TUN_OFFSET_BYTES:]
+		n, err := tun.core.Read(bs)
+		if err != nil {
+			tun.log.Errorln("Exiting tun writer due to core read error:", err)
+			return
+		}
+		if !tun.isEnabled {
+			continue // Nothing to do, the tun isn't enabled
+		}
+		bs = buf[:TUN_OFFSET_BYTES+n]
+		if _, err = tun.iface.Write(bs, TUN_OFFSET_BYTES); err != nil {
+			tun.Act(nil, func() {
+				if !tun.isOpen {
+					tun.log.Errorln("TUN iface write error:", err)
+				}
+			})
+		}
+	}
+}
--- a/src/tuntap/tun.go
+++ b/src/tuntap/tun.go
@@ -0,0 +1,177 @@
+package tuntap
+
+// This manages the tun driver to send/recv packets to/from applications
+
+// TODO: Crypto-key routing support
+// TODO: Set MTU of session properly
+// TODO: Reject packets that exceed session MTU with ICMPv6 for PMTU Discovery
+// TODO: Connection timeouts (call Conn.Close() when we want to time out)
+// TODO: Don't block in reader on writes that are pending searches
+
+import (
+	"errors"
+	"fmt"
+	"net"
+
+	//"sync"
+
+	"github.com/Arceliar/phony"
+	"github.com/gologme/log"
+	"golang.zx2c4.com/wireguard/tun"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/address"
+	"github.com/yggdrasil-network/yggdrasil-go/src/config"
+	"github.com/yggdrasil-network/yggdrasil-go/src/core"
+	"github.com/yggdrasil-network/yggdrasil-go/src/defaults"
+)
+
+type MTU uint16
+
+// TunAdapter represents a running TUN interface and extends the
+// yggdrasil.Adapter type. In order to use the TUN adapter with Yggdrasil, you
+// should pass this object to the yggdrasil.SetRouterAdapter() function before
+// calling yggdrasil.Start().
+type TunAdapter struct {
+	core        *core.Core
+	config      *config.NodeConfig
+	log         *log.Logger
+	addr        address.Address
+	subnet      address.Subnet
+	mtu         uint64
+	iface       tun.Device
+	phony.Inbox // Currently only used for _handlePacket from the reader, TODO: all the stuff that currently needs a mutex below
+	//mutex        sync.RWMutex // Protects the below
+	isOpen    bool
+	isEnabled bool // Used by the writer to drop sessionTraffic if not enabled
+}
+
+// Gets the maximum supported MTU for the platform based on the defaults in
+// defaults.GetDefaults().
+func getSupportedMTU(mtu uint64) uint64 {
+	if mtu < 1280 {
+		return 1280
+	}
+	if mtu > MaximumMTU() {
+		return MaximumMTU()
+	}
+	return mtu
+}
+
+// Name returns the name of the adapter, e.g. "tun0". On Windows, this may
+// return a canonical adapter name instead.
+func (tun *TunAdapter) Name() string {
+	if name, err := tun.iface.Name(); err == nil {
+		return name
+	}
+	return ""
+}
+
+// MTU gets the adapter's MTU. This can range between 1280 and 65535, although
+// the maximum value is determined by your platform. The returned value will
+// never exceed that of MaximumMTU().
+func (tun *TunAdapter) MTU() uint64 {
+	return getSupportedMTU(tun.mtu)
+}
+
+// DefaultName gets the default TUN interface name for your platform.
+func DefaultName() string {
+	return defaults.GetDefaults().DefaultIfName
+}
+
+// DefaultMTU gets the default TUN interface MTU for your platform. This can
+// be as high as MaximumMTU(), depending on platform, but is never lower than 1280.
+func DefaultMTU() uint64 {
+	return defaults.GetDefaults().DefaultIfMTU
+}
+
+// MaximumMTU returns the maximum supported TUN interface MTU for your
+// platform. This can be as high as 65535, depending on platform, but is never
+// lower than 1280.
+func MaximumMTU() uint64 {
+	return defaults.GetDefaults().MaximumIfMTU
+}
+
+// Init initialises the TUN module. You must have acquired a Listener from
+// the Yggdrasil core before this point and it must not be in use elsewhere.
+func (tun *TunAdapter) Init(core *core.Core, config *config.NodeConfig, log *log.Logger, options interface{}) error {
+	tun.core = core
+	tun.config = config
+	tun.log = log
+	return nil
+}
+
+// Start the setup process for the TUN adapter. If successful, starts the
+// reader actor to handle packets on that interface.
+func (tun *TunAdapter) Start() error {
+	var err error
+	phony.Block(tun, func() {
+		err = tun._start()
+	})
+	return err
+}
+
+func (tun *TunAdapter) _start() error {
+	if tun.isOpen {
+		return errors.New("TUN module is already started")
+	}
+	tun.config.RLock()
+	defer tun.config.RUnlock()
+	if tun.config == nil {
+		return errors.New("no configuration available to TUN")
+	}
+	pk := tun.core.PublicKey()
+	tun.addr = *address.AddrForKey(pk)
+	tun.subnet = *address.SubnetForKey(pk)
+	addr := fmt.Sprintf("%s/%d", net.IP(tun.addr[:]).String(), 8*len(address.GetPrefix())-1)
+	if tun.config.IfName == "none" || tun.config.IfName == "dummy" {
+		tun.log.Debugln("Not starting TUN as ifname is none or dummy")
+		tun.isEnabled = false
+		go tun.write()
+		return nil
+	}
+	mtu := tun.config.IfMTU
+	if tun.core.MaxMTU() < mtu {
+		mtu = tun.core.MaxMTU()
+	}
+	if err := tun.setup(tun.config.IfName, addr, mtu); err != nil {
+		return err
+	}
+	if tun.MTU() != mtu {
+		tun.log.Warnf("Warning: Interface MTU %d automatically adjusted to %d (supported range is 1280-%d)", tun.config.IfMTU, tun.MTU(), MaximumMTU())
+	}
+	tun.core.SetMTU(tun.MTU())
+	tun.isOpen = true
+	tun.isEnabled = true
+	go tun.read()
+	go tun.write()
+	return nil
+}
+
+// IsStarted returns true if the module has been started.
+func (tun *TunAdapter) IsStarted() bool {
+	var isOpen bool
+	phony.Block(tun, func() {
+		isOpen = tun.isOpen
+	})
+	return isOpen
+}
+
+// Start the setup process for the TUN adapter. If successful, starts the
+// read/write goroutines to handle packets on that interface.
+func (tun *TunAdapter) Stop() error {
+	var err error
+	phony.Block(tun, func() {
+		err = tun._stop()
+	})
+	return err
+}
+
+func (tun *TunAdapter) _stop() error {
+	tun.isOpen = false
+	// by TUN, e.g. readers/writers, sessions
+	if tun.iface != nil {
+		// Just in case we failed to start up the iface for some reason, this can apparently happen on Windows
+		tun.iface.Close()
+	}
+	return nil
+}
--- a/src/yggdrasil/tun_bsd.go
+++ b/src/yggdrasil/tun_bsd.go
@@ -1,6 +1,6 @@
-// +build openbsd freebsd netbsd
+// +build openbsd freebsd

-package yggdrasil
+package tuntap

 import (
 	"encoding/binary"
@@ -12,7 +12,7 @@ import (

 	"golang.org/x/sys/unix"

-	"github.com/yggdrasil-network/water"
+	wgtun "golang.zx2c4.com/wireguard/tun"
 )

 const SIOCSIFADDR_IN6 = (0x80000000) | ((288 & 0x1fff) << 16) | uint32(byte('i'))<<8 | 12
@@ -72,76 +72,60 @@ type in6_ifreq_lifetime struct {
 	ifru_addrlifetime in6_addrlifetime
 }

-// Sets the IPv6 address of the utun adapter. On all BSD platforms (FreeBSD,
-// OpenBSD, NetBSD) an attempt is made to set the adapter properties by using
-// a system socket and making syscalls to the kernel. This is not refined though
-// and often doesn't work (if at all), therefore if a call fails, it resorts
-// to calling "ifconfig" instead.
-func (tun *tunDevice) setup(ifname string, iftapmode bool, addr string, mtu int) error {
-	var config water.Config
-	if ifname[:4] == "auto" {
-		ifname = "/dev/tap0"
-	}
-	if len(ifname) < 9 {
-		panic("TUN/TAP name must be in format /dev/tunX or /dev/tapX")
-	}
-	switch {
-	case iftapmode || ifname[:8] == "/dev/tap":
-		config = water.Config{DeviceType: water.TAP}
-	case !iftapmode || ifname[:8] == "/dev/tun":
-		panic("TUN mode is not currently supported on this platform, please use TAP instead")
-	default:
-		panic("TUN/TAP name must be in format /dev/tunX or /dev/tapX")
-	}
-	config.Name = ifname
-	iface, err := water.New(config)
+// Configures the TUN adapter with the correct IPv6 address and MTU.
+func (tun *TunAdapter) setup(ifname string, addr string, mtu uint64) error {
+	iface, err := wgtun.CreateTUN(ifname, int(mtu))
 	if err != nil {
 		panic(err)
 	}
 	tun.iface = iface
-	tun.mtu = getSupportedMTU(mtu)
+	if mtu, err := iface.MTU(); err == nil {
+		tun.mtu = getSupportedMTU(uint64(mtu))
+	} else {
+		tun.mtu = 0
+	}
 	return tun.setupAddress(addr)
 }

-func (tun *tunDevice) setupAddress(addr string) error {
+func (tun *TunAdapter) setupAddress(addr string) error {
 	var sfd int
 	var err error

 	// Create system socket
 	if sfd, err = unix.Socket(unix.AF_INET, unix.SOCK_DGRAM, 0); err != nil {
-		tun.core.log.Printf("Create AF_INET socket failed: %v.", err)
+		tun.log.Printf("Create AF_INET socket failed: %v.", err)
 		return err
 	}

 	// Friendly output
-	tun.core.log.Printf("Interface name: %s", tun.iface.Name())
-	tun.core.log.Printf("Interface IPv6: %s", addr)
-	tun.core.log.Printf("Interface MTU: %d", tun.mtu)
+	tun.log.Infof("Interface name: %s", tun.Name())
+	tun.log.Infof("Interface IPv6: %s", addr)
+	tun.log.Infof("Interface MTU: %d", tun.mtu)

 	// Create the MTU request
 	var ir in6_ifreq_mtu
-	copy(ir.ifr_name[:], tun.iface.Name())
+	copy(ir.ifr_name[:], tun.Name())
 	ir.ifru_mtu = int(tun.mtu)

 	// Set the MTU
 	if _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(sfd), uintptr(syscall.SIOCSIFMTU), uintptr(unsafe.Pointer(&ir))); errno != 0 {
 		err = errno
-		tun.core.log.Printf("Error in SIOCSIFMTU: %v", errno)
+		tun.log.Errorf("Error in SIOCSIFMTU: %v", errno)

 		// Fall back to ifconfig to set the MTU
-		cmd := exec.Command("ifconfig", tun.iface.Name(), "mtu", string(tun.mtu))
-		tun.core.log.Printf("Using ifconfig as fallback: %v", strings.Join(cmd.Args, " "))
+		cmd := exec.Command("ifconfig", tun.Name(), "mtu", string(tun.mtu))
+		tun.log.Warnf("Using ifconfig as fallback: %v", strings.Join(cmd.Args, " "))
 		output, err := cmd.CombinedOutput()
 		if err != nil {
-			tun.core.log.Printf("SIOCSIFMTU fallback failed: %v.", err)
-			tun.core.log.Println(string(output))
+			tun.log.Errorf("SIOCSIFMTU fallback failed: %v.", err)
+			tun.log.Traceln(string(output))
 		}
 	}

 	// Create the address request
 	// FIXME: I don't work!
 	var ar in6_ifreq_addr
-	copy(ar.ifr_name[:], tun.iface.Name())
+	copy(ar.ifr_name[:], tun.Name())
 	ar.ifru_addr.sin6_len = uint8(unsafe.Sizeof(ar.ifru_addr))
 	ar.ifru_addr.sin6_family = unix.AF_INET6
 	parts := strings.Split(strings.Split(addr, "/")[0], ":")
@@ -155,15 +139,15 @@ func (tun *tunDevice) setupAddress(addr string) error {
 	// Set the interface address
 	if _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(sfd), uintptr(SIOCSIFADDR_IN6), uintptr(unsafe.Pointer(&ar))); errno != 0 {
 		err = errno
-		tun.core.log.Printf("Error in SIOCSIFADDR_IN6: %v", errno)
+		tun.log.Errorf("Error in SIOCSIFADDR_IN6: %v", errno)

 		// Fall back to ifconfig to set the address
-		cmd := exec.Command("ifconfig", tun.iface.Name(), "inet6", addr)
-		tun.core.log.Printf("Using ifconfig as fallback: %v", strings.Join(cmd.Args, " "))
+		cmd := exec.Command("ifconfig", tun.Name(), "inet6", addr)
+		tun.log.Warnf("Using ifconfig as fallback: %v", strings.Join(cmd.Args, " "))
 		output, err := cmd.CombinedOutput()
 		if err != nil {
-			tun.core.log.Printf("SIOCSIFADDR_IN6 fallback failed: %v.", err)
-			tun.core.log.Println(string(output))
+			tun.log.Errorf("SIOCSIFADDR_IN6 fallback failed: %v.", err)
+			tun.log.Traceln(string(output))
 		}
 	}

--- a/src/yggdrasil/tun_darwin.go
+++ b/src/yggdrasil/tun_darwin.go
@@ -1,4 +1,6 @@
-package yggdrasil
+// +build !mobile
+
+package tuntap

 // The darwin platform specific tun parts

@@ -10,46 +12,57 @@ import (

 	"golang.org/x/sys/unix"

-	water "github.com/yggdrasil-network/water"
+	wgtun "golang.zx2c4.com/wireguard/tun"
 )

 // Configures the "utun" adapter with the correct IPv6 address and MTU.
-func (tun *tunDevice) setup(ifname string, iftapmode bool, addr string, mtu int) error {
-	if iftapmode {
-		tun.core.log.Printf("TAP mode is not supported on this platform, defaulting to TUN")
+func (tun *TunAdapter) setup(ifname string, addr string, mtu uint64) error {
+	if ifname == "auto" {
+		ifname = "utun"
 	}
-	config := water.Config{DeviceType: water.TUN}
-	iface, err := water.New(config)
+	iface, err := wgtun.CreateTUN(ifname, int(mtu))
 	if err != nil {
 		panic(err)
 	}
 	tun.iface = iface
-	tun.mtu = getSupportedMTU(mtu)
+	if m, err := iface.MTU(); err == nil {
+		tun.mtu = getSupportedMTU(uint64(m))
+	} else {
+		tun.mtu = 0
+	}
 	return tun.setupAddress(addr)
 }

-const darwin_SIOCAIFADDR_IN6 = 2155899162
+const (
+	darwin_SIOCAIFADDR_IN6       = 2155899162 // netinet6/in6_var.h
+	darwin_IN6_IFF_NODAD         = 0x0020     // netinet6/in6_var.h
+	darwin_IN6_IFF_SECURED       = 0x0400     // netinet6/in6_var.h
+	darwin_ND6_INFINITE_LIFETIME = 0xFFFFFFFF // netinet6/nd6.h
+)

+// nolint:structcheck
 type in6_addrlifetime struct {
-	ia6t_expire    float64
-	ia6t_preferred float64
+	ia6t_expire    float64 // nolint:unused
+	ia6t_preferred float64 // nolint:unused
 	ia6t_vltime    uint32
 	ia6t_pltime    uint32
 }

+// nolint:structcheck
 type sockaddr_in6 struct {
 	sin6_len      uint8
 	sin6_family   uint8
-	sin6_port     uint8
-	sin6_flowinfo uint32
+	sin6_port     uint8  // nolint:unused
+	sin6_flowinfo uint32 // nolint:unused
 	sin6_addr     [8]uint16
-	sin6_scope_id uint32
+	sin6_scope_id uint32 // nolint:unused
 }

+// nolint:structcheck
 type in6_aliasreq struct {
 	ifra_name       [16]byte
 	ifra_addr       sockaddr_in6
-	ifra_dstaddr    sockaddr_in6
+	ifra_dstaddr    sockaddr_in6 // nolint:unused
 	ifra_prefixmask sockaddr_in6
 	ifra_flags      uint32
 	ifra_lifetime   in6_addrlifetime
@@ -62,22 +75,22 @@ type ifreq struct {

 // Sets the IPv6 address of the utun adapter. On Darwin/macOS this is done using
 // a system socket and making direct syscalls to the kernel.
-func (tun *tunDevice) setupAddress(addr string) error {
+func (tun *TunAdapter) setupAddress(addr string) error {
 	var fd int
 	var err error

 	if fd, err = unix.Socket(unix.AF_INET6, unix.SOCK_DGRAM, 0); err != nil {
-		tun.core.log.Printf("Create AF_SYSTEM socket failed: %v.", err)
+		tun.log.Printf("Create AF_SYSTEM socket failed: %v.", err)
 		return err
 	}

 	var ar in6_aliasreq
-	copy(ar.ifra_name[:], tun.iface.Name())
+	copy(ar.ifra_name[:], tun.Name())

 	ar.ifra_prefixmask.sin6_len = uint8(unsafe.Sizeof(ar.ifra_prefixmask))
 	b := make([]byte, 16)
 	binary.LittleEndian.PutUint16(b, uint16(0xFE00))
-	ar.ifra_prefixmask.sin6_addr[0] = uint16(binary.BigEndian.Uint16(b))
+	ar.ifra_prefixmask.sin6_addr[0] = binary.BigEndian.Uint16(b)

 	ar.ifra_addr.sin6_len = uint8(unsafe.Sizeof(ar.ifra_addr))
 	ar.ifra_addr.sin6_family = unix.AF_INET6
@@ -86,29 +99,32 @@ func (tun *tunDevice) setupAddress(addr string) error {
 		addr, _ := strconv.ParseUint(parts[i], 16, 16)
 		b := make([]byte, 16)
 		binary.LittleEndian.PutUint16(b, uint16(addr))
-		ar.ifra_addr.sin6_addr[i] = uint16(binary.BigEndian.Uint16(b))
+		ar.ifra_addr.sin6_addr[i] = binary.BigEndian.Uint16(b)
 	}

-	ar.ifra_lifetime.ia6t_vltime = 0xFFFFFFFF
-	ar.ifra_lifetime.ia6t_pltime = 0xFFFFFFFF
+	ar.ifra_flags |= darwin_IN6_IFF_NODAD
+	ar.ifra_flags |= darwin_IN6_IFF_SECURED
+
+	ar.ifra_lifetime.ia6t_vltime = darwin_ND6_INFINITE_LIFETIME
+	ar.ifra_lifetime.ia6t_pltime = darwin_ND6_INFINITE_LIFETIME

 	var ir ifreq
-	copy(ir.ifr_name[:], tun.iface.Name())
+	copy(ir.ifr_name[:], tun.Name())
 	ir.ifru_mtu = uint32(tun.mtu)

-	tun.core.log.Printf("Interface name: %s", ar.ifra_name)
-	tun.core.log.Printf("Interface IPv6: %s", addr)
-	tun.core.log.Printf("Interface MTU: %d", ir.ifru_mtu)
+	tun.log.Infof("Interface name: %s", ar.ifra_name)
+	tun.log.Infof("Interface IPv6: %s", addr)
+	tun.log.Infof("Interface MTU: %d", ir.ifru_mtu)

 	if _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(darwin_SIOCAIFADDR_IN6), uintptr(unsafe.Pointer(&ar))); errno != 0 {
 		err = errno
-		tun.core.log.Printf("Error in darwin_SIOCAIFADDR_IN6: %v", errno)
+		tun.log.Errorf("Error in darwin_SIOCAIFADDR_IN6: %v", errno)
 		return err
 	}

 	if _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(fd), uintptr(unix.SIOCSIFMTU), uintptr(unsafe.Pointer(&ir))); errno != 0 {
 		err = errno
-		tun.core.log.Printf("Error in SIOCSIFMTU: %v", errno)
+		tun.log.Errorf("Error in SIOCSIFMTU: %v", errno)
 		return err
 	}

--- a/src/tuntap/tun_linux.go
+++ b/src/tuntap/tun_linux.go
@@ -0,0 +1,57 @@
+// +build !mobile
+
+package tuntap
+
+// The linux platform specific tun parts
+
+import (
+	"github.com/vishvananda/netlink"
+	wgtun "golang.zx2c4.com/wireguard/tun"
+)
+
+// Configures the TUN adapter with the correct IPv6 address and MTU.
+func (tun *TunAdapter) setup(ifname string, addr string, mtu uint64) error {
+	if ifname == "auto" {
+		ifname = "\000"
+	}
+	iface, err := wgtun.CreateTUN(ifname, int(mtu))
+	if err != nil {
+		panic(err)
+	}
+	tun.iface = iface
+	if mtu, err := iface.MTU(); err == nil {
+		tun.mtu = getSupportedMTU(uint64(mtu))
+	} else {
+		tun.mtu = 0
+	}
+	return tun.setupAddress(addr)
+}
+
+// Configures the TAP adapter with the correct IPv6 address and MTU. Netlink
+// is used to do this, so there is not a hard requirement on "ip" or "ifconfig"
+// to exist on the system, but this will fail if Netlink is not present in the
+// kernel (it nearly always is).
+func (tun *TunAdapter) setupAddress(addr string) error {
+	nladdr, err := netlink.ParseAddr(addr)
+	if err != nil {
+		return err
+	}
+	nlintf, err := netlink.LinkByName(tun.Name())
+	if err != nil {
+		return err
+	}
+	if err := netlink.AddrAdd(nlintf, nladdr); err != nil {
+		return err
+	}
+	if err := netlink.LinkSetMTU(nlintf, int(tun.mtu)); err != nil {
+		return err
+	}
+	if err := netlink.LinkSetUp(nlintf); err != nil {
+		return err
+	}
+	// Friendly output
+	tun.log.Infof("Interface name: %s", tun.Name())
+	tun.log.Infof("Interface IPv6: %s", addr)
+	tun.log.Infof("Interface MTU: %d", tun.mtu)
+	return nil
+}
--- a/src/tuntap/tun_other.go
+++ b/src/tuntap/tun_other.go
@@ -0,0 +1,32 @@
+// +build !linux,!darwin,!windows,!openbsd,!freebsd,!mobile
+
+package tuntap
+
+// This is to catch unsupported platforms
+// If your platform supports tun devices, you could try configuring it manually
+
+import (
+	wgtun "golang.zx2c4.com/wireguard/tun"
+)
+
+// Configures the TUN adapter with the correct IPv6 address and MTU.
+func (tun *TunAdapter) setup(ifname string, addr string, mtu uint64) error {
+	iface, err := wgtun.CreateTUN(ifname, mtu)
+	if err != nil {
+		panic(err)
+	}
+	tun.iface = iface
+	if mtu, err := iface.MTU(); err == nil {
+		tun.mtu = getSupportedMTU(uint64(mtu))
+	} else {
+		tun.mtu = 0
+	}
+	return tun.setupAddress(addr)
+}
+
+// We don't know how to set the IPv6 address on an unknown platform, therefore
+// write about it to stdout and don't try to do anything further.
+func (tun *TunAdapter) setupAddress(addr string) error {
+	tun.log.Warnln("Warning: Platform not supported, you must set the address of", tun.Name(), "to", addr)
+	return nil
+}
--- a/src/tuntap/tun_windows.go
+++ b/src/tuntap/tun_windows.go
@@ -0,0 +1,150 @@
+// +build windows
+
+package tuntap
+
+import (
+	"bytes"
+	"errors"
+	"log"
+	"net"
+
+	"github.com/yggdrasil-network/yggdrasil-go/src/defaults"
+	"golang.org/x/sys/windows"
+
+	wgtun "golang.zx2c4.com/wireguard/tun"
+	"golang.zx2c4.com/wireguard/windows/elevate"
+	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+)
+
+// This is to catch Windows platforms
+
+// Configures the TUN adapter with the correct IPv6 address and MTU.
+func (tun *TunAdapter) setup(ifname string, addr string, mtu uint64) error {
+	if ifname == "auto" {
+		ifname = defaults.GetDefaults().DefaultIfName
+	}
+	return elevate.DoAsSystem(func() error {
+		var err error
+		var iface wgtun.Device
+		var guid windows.GUID
+		if guid, err = windows.GUIDFromString("{8f59971a-7872-4aa6-b2eb-061fc4e9d0a7}"); err != nil {
+			return err
+		}
+		if iface, err = wgtun.CreateTUNWithRequestedGUID(ifname, &guid, int(mtu)); err != nil {
+			return err
+		}
+		tun.iface = iface
+		if err = tun.setupAddress(addr); err != nil {
+			tun.log.Errorln("Failed to set up TUN address:", err)
+			return err
+		}
+		if err = tun.setupMTU(getSupportedMTU(mtu)); err != nil {
+			tun.log.Errorln("Failed to set up TUN MTU:", err)
+			return err
+		}
+		if mtu, err := iface.MTU(); err == nil {
+			tun.mtu = uint64(mtu)
+		}
+		return nil
+	})
+}
+
+// Sets the MTU of the TAP adapter.
+func (tun *TunAdapter) setupMTU(mtu uint64) error {
+	if tun.iface == nil || tun.Name() == "" {
+		return errors.New("Can't configure MTU as TUN adapter is not present")
+	}
+	if intf, ok := tun.iface.(*wgtun.NativeTun); ok {
+		luid := winipcfg.LUID(intf.LUID())
+		ipfamily, err := luid.IPInterface(windows.AF_INET6)
+		if err != nil {
+			return err
+		}
+
+		ipfamily.NLMTU = uint32(mtu)
+		intf.ForceMTU(int(ipfamily.NLMTU))
+		ipfamily.UseAutomaticMetric = false
+		ipfamily.Metric = 0
+		ipfamily.DadTransmits = 0
+		ipfamily.RouterDiscoveryBehavior = winipcfg.RouterDiscoveryDisabled
+
+		if err := ipfamily.Set(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// Sets the IPv6 address of the TAP adapter.
+func (tun *TunAdapter) setupAddress(addr string) error {
+	if tun.iface == nil || tun.Name() == "" {
+		return errors.New("Can't configure IPv6 address as TUN adapter is not present")
+	}
+	if intf, ok := tun.iface.(*wgtun.NativeTun); ok {
+		if ipaddr, ipnet, err := net.ParseCIDR(addr); err == nil {
+			luid := winipcfg.LUID(intf.LUID())
+			addresses := append([]net.IPNet{}, net.IPNet{
+				IP:   ipaddr,
+				Mask: ipnet.Mask,
+			})
+
+			err := luid.SetIPAddressesForFamily(windows.AF_INET6, addresses)
+			if err == windows.ERROR_OBJECT_ALREADY_EXISTS {
+				cleanupAddressesOnDisconnectedInterfaces(windows.AF_INET6, addresses)
+				err = luid.SetIPAddressesForFamily(windows.AF_INET6, addresses)
+			}
+			if err != nil {
+				return err
+			}
+		} else {
+			return err
+		}
+	} else {
+		return errors.New("unable to get NativeTUN")
+	}
+	return nil
+}
+
+/*
+ * cleanupAddressesOnDisconnectedInterfaces
+ * SPDX-License-Identifier: MIT
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+func cleanupAddressesOnDisconnectedInterfaces(family winipcfg.AddressFamily, addresses []net.IPNet) {
+	if len(addresses) == 0 {
+		return
+	}
+	includedInAddresses := func(a net.IPNet) bool {
+		// TODO: this makes the whole algorithm O(n^2). But we can't stick net.IPNet in a Go hashmap. Bummer!
+		for _, addr := range addresses {
+			ip := addr.IP
+			if ip4 := ip.To4(); ip4 != nil {
+				ip = ip4
+			}
+			mA, _ := addr.Mask.Size()
+			mB, _ := a.Mask.Size()
+			if bytes.Equal(ip, a.IP) && mA == mB {
+				return true
+			}
+		}
+		return false
+	}
+	interfaces, err := winipcfg.GetAdaptersAddresses(family, winipcfg.GAAFlagDefault)
+	if err != nil {
+		return
+	}
+	for _, iface := range interfaces {
+		if iface.OperStatus == winipcfg.IfOperStatusUp {
+			continue
+		}
+		for address := iface.FirstUnicastAddress; address != nil; address = address.Next {
+			ip := address.Address.IP()
+			ipnet := net.IPNet{IP: ip, Mask: net.CIDRMask(int(address.OnLinkPrefixLength), 8*len(ip))}
+			if includedInAddresses(ipnet) {
+				log.Printf("Cleaning up stale address %s from interface ‘%s’", ipnet.String(), iface.FriendlyName())
+				iface.LUID.DeleteIPAddress(ipnet)
+			}
+		}
+	}
+}
--- a/src/util/util.go
+++ b/src/util/util.go
@@ -0,0 +1,37 @@
+// Package util contains miscellaneous utilities used by yggdrasil.
+// In particular, this includes a crypto worker pool, Cancellation machinery, and a sync.Pool used to reuse []byte.
+package util
+
+// These are misc. utility functions that didn't really fit anywhere else
+
+import (
+	"time"
+)
+
+// TimerStop stops a timer and makes sure the channel is drained, returns true if the timer was stopped before firing.
+func TimerStop(t *time.Timer) bool {
+	stopped := t.Stop()
+	select {
+	case <-t.C:
+	default:
+	}
+	return stopped
+}
+
+// FuncTimeout runs the provided function in a separate goroutine, and returns true if the function finishes executing before the timeout passes, or false if the timeout passes.
+// It includes no mechanism to stop the function if the timeout fires, so the user is expected to do so on their own (such as with a Cancellation or a context).
+func FuncTimeout(timeout time.Duration, f func()) bool {
+	success := make(chan struct{})
+	go func() {
+		defer close(success)
+		f()
+	}()
+	timer := time.NewTimer(timeout)
+	defer TimerStop(timer)
+	select {
+	case <-success:
+		return true
+	case <-timer.C:
+		return false
+	}
+}
--- a/src/version/version.go
+++ b/src/version/version.go
@@ -0,0 +1,22 @@
+package version
+
+var buildName string
+var buildVersion string
+
+// BuildName gets the current build name. This is usually injected if built
+// from git, or returns "unknown" otherwise.
+func BuildName() string {
+	if buildName == "" {
+		return "unknown"
+	}
+	return buildName
+}
+
+// BuildVersion gets the current build version. This is usually injected if
+// built from git, or returns "unknown" otherwise.
+func BuildVersion() string {
+	if buildVersion == "" {
+		return "unknown"
+	}
+	return buildVersion
+}
--- a/src/yggdrasil/address.go
+++ b/src/yggdrasil/address.go
@@ -1,146 +0,0 @@
-package yggdrasil
-
-// address represents an IPv6 address in the yggdrasil address range.
-type address [16]byte
-
-// subnet represents an IPv6 /64 subnet in the yggdrasil subnet range.
-type subnet [8]byte
-
-// address_prefix is the prefix used for all addresses and subnets in the network.
-// The current implementation requires this to be a muliple of 8 bits + 7 bits.
-// The 8th bit of the last byte is used to signal nodes (0) or /64 prefixes (1).
-// Nodes that configure this differently will be unable to communicate with eachother, though routing and the DHT machinery *should* still work.
-var address_prefix = [...]byte{0x02}
-
-// isValid returns true if an address falls within the range used by nodes in the network.
-func (a *address) isValid() bool {
-	for idx := range address_prefix {
-		if (*a)[idx] != address_prefix[idx] {
-			return false
-		}
-	}
-	return true
-}
-
-// isValid returns true if a prefix falls within the range usable by the network.
-func (s *subnet) isValid() bool {
-	l := len(address_prefix)
-	for idx := range address_prefix[:l-1] {
-		if (*s)[idx] != address_prefix[idx] {
-			return false
-		}
-	}
-	return (*s)[l-1] == address_prefix[l-1]|0x01
-}
-
-// address_addrForNodeID takes a *NodeID as an argument and returns an *address.
-// This subnet begins with the address prefix, with the last bit set to 0 to indicate an address.
-// The following 8 bits are set to the number of leading 1 bits in the NodeID.
-// The NodeID, excluding the leading 1 bits and the first leading 0 bit, is truncated to the appropriate length and makes up the remainder of the address.
-func address_addrForNodeID(nid *NodeID) *address {
-	// 128 bit address
-	// Begins with prefix
-	// Next bit is a 0
-	// Next 7 bits, interpreted as a uint, are # of leading 1s in the NodeID
-	// Leading 1s and first leading 0 of the NodeID are truncated off
-	// The rest is appended to the IPv6 address (truncated to 128 bits total)
-	var addr address
-	var temp []byte
-	done := false
-	ones := byte(0)
-	bits := byte(0)
-	nBits := 0
-	for idx := 0; idx < 8*len(nid); idx++ {
-		bit := (nid[idx/8] & (0x80 >> byte(idx%8))) >> byte(7-(idx%8))
-		if !done && bit != 0 {
-			ones++
-			continue
-		}
-		if !done && bit == 0 {
-			done = true
-			continue // FIXME? this assumes that ones <= 127, probably only worth changing by using a variable length uint64, but that would require changes to the addressing scheme, and I'm not sure ones > 127 is realistic
-		}
-		bits = (bits << 1) | bit
-		nBits++
-		if nBits == 8 {
-			nBits = 0
-			temp = append(temp, bits)
-		}
-	}
-	copy(addr[:], address_prefix[:])
-	addr[len(address_prefix)] = ones
-	copy(addr[len(address_prefix)+1:], temp)
-	return &addr
-}
-
-// address_subnetForNodeID takes a *NodeID as an argument and returns a *subnet.
-// This subnet begins with the address prefix, with the last bit set to 1 to indicate a prefix.
-// The following 8 bits are set to the number of leading 1 bits in the NodeID.
-// The NodeID, excluding the leading 1 bits and the first leading 0 bit, is truncated to the appropriate length and makes up the remainder of the subnet.
-func address_subnetForNodeID(nid *NodeID) *subnet {
-	// Exactly as the address version, with two exceptions:
-	//  1) The first bit after the fixed prefix is a 1 instead of a 0
-	//  2) It's truncated to a subnet prefix length instead of 128 bits
-	addr := *address_addrForNodeID(nid)
-	var snet subnet
-	copy(snet[:], addr[:])
-	snet[len(address_prefix)-1] |= 0x01
-	return &snet
-}
-
-// getNodeIDandMask returns two *NodeID.
-// The first is a NodeID with all the bits known from the address set to their correct values.
-// The second is a bitmask with 1 bit set for each bit that was known from the address.
-// This is used to look up NodeIDs in the DHT and tell if they match an address.
-func (a *address) getNodeIDandMask() (*NodeID, *NodeID) {
-	// Mask is a bitmask to mark the bits visible from the address
-	// This means truncated leading 1s, first leading 0, and visible part of addr
-	var nid NodeID
-	var mask NodeID
-	ones := int(a[len(address_prefix)])
-	for idx := 0; idx < ones; idx++ {
-		nid[idx/8] |= 0x80 >> byte(idx%8)
-	}
-	nidOffset := ones + 1
-	addrOffset := 8*len(address_prefix) + 8
-	for idx := addrOffset; idx < 8*len(a); idx++ {
-		bits := a[idx/8] & (0x80 >> byte(idx%8))
-		bits <<= byte(idx % 8)
-		nidIdx := nidOffset + (idx - addrOffset)
-		bits >>= byte(nidIdx % 8)
-		nid[nidIdx/8] |= bits
-	}
-	maxMask := 8*(len(a)-len(address_prefix)-1) + ones + 1
-	for idx := 0; idx < maxMask; idx++ {
-		mask[idx/8] |= 0x80 >> byte(idx%8)
-	}
-	return &nid, &mask
-}
-
-// getNodeIDandMask returns two *NodeID.
-// The first is a NodeID with all the bits known from the address set to their correct values.
-// The second is a bitmask with 1 bit set for each bit that was known from the subnet.
-// This is used to look up NodeIDs in the DHT and tell if they match a subnet.
-func (s *subnet) getNodeIDandMask() (*NodeID, *NodeID) {
-	// As with the address version, but visible parts of the subnet prefix instead
-	var nid NodeID
-	var mask NodeID
-	ones := int(s[len(address_prefix)])
-	for idx := 0; idx < ones; idx++ {
-		nid[idx/8] |= 0x80 >> byte(idx%8)
-	}
-	nidOffset := ones + 1
-	addrOffset := 8*len(address_prefix) + 8
-	for idx := addrOffset; idx < 8*len(s); idx++ {
-		bits := s[idx/8] & (0x80 >> byte(idx%8))
-		bits <<= byte(idx % 8)
-		nidIdx := nidOffset + (idx - addrOffset)
-		bits >>= byte(nidIdx % 8)
-		nid[nidIdx/8] |= bits
-	}
-	maxMask := 8*(len(s)-len(address_prefix)-1) + ones + 1
-	for idx := 0; idx < maxMask; idx++ {
-		mask[idx/8] |= 0x80 >> byte(idx%8)
-	}
-	return &nid, &mask
-}
--- a/src/yggdrasil/admin.go
+++ b/src/yggdrasil/admin.go
@@ -1,933 +0,0 @@
-package yggdrasil
-
-import (
-	"encoding/hex"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net"
-	"net/url"
-	"os"
-	"sort"
-	"strconv"
-	"strings"
-	"sync/atomic"
-	"time"
-
-	"github.com/yggdrasil-network/yggdrasil-go/src/defaults"
-)
-
-// TODO: Add authentication
-
-type admin struct {
-	core       *Core
-	listenaddr string
-	listener   net.Listener
-	handlers   []admin_handlerInfo
-}
-
-type admin_info map[string]interface{}
-
-type admin_handlerInfo struct {
-	name    string                               // Checked against the first word of the api call
-	args    []string                             // List of human-readable argument names
-	handler func(admin_info) (admin_info, error) // First is input map, second is output
-}
-
-// admin_pair maps things like "IP", "port", "bucket", or "coords" onto values.
-type admin_pair struct {
-	key string
-	val interface{}
-}
-
-// admin_nodeInfo represents the information we know about a node for an admin response.
-type admin_nodeInfo []admin_pair
-
-// addHandler is called for each admin function to add the handler and help documentation to the API.
-func (a *admin) addHandler(name string, args []string, handler func(admin_info) (admin_info, error)) {
-	a.handlers = append(a.handlers, admin_handlerInfo{name, args, handler})
-}
-
-// init runs the initial admin setup.
-func (a *admin) init(c *Core, listenaddr string) {
-	a.core = c
-	a.listenaddr = listenaddr
-	a.addHandler("list", []string{}, func(in admin_info) (admin_info, error) {
-		handlers := make(map[string]interface{})
-		for _, handler := range a.handlers {
-			handlers[handler.name] = admin_info{"fields": handler.args}
-		}
-		return admin_info{"list": handlers}, nil
-	})
-	a.addHandler("dot", []string{}, func(in admin_info) (admin_info, error) {
-		return admin_info{"dot": string(a.getResponse_dot())}, nil
-	})
-	a.addHandler("getSelf", []string{}, func(in admin_info) (admin_info, error) {
-		self := a.getData_getSelf().asMap()
-		ip := fmt.Sprint(self["ip"])
-		delete(self, "ip")
-		return admin_info{"self": admin_info{ip: self}}, nil
-	})
-	a.addHandler("getPeers", []string{}, func(in admin_info) (admin_info, error) {
-		sort := "ip"
-		peers := make(admin_info)
-		for _, peerdata := range a.getData_getPeers() {
-			p := peerdata.asMap()
-			so := fmt.Sprint(p[sort])
-			peers[so] = p
-			delete(peers[so].(map[string]interface{}), sort)
-		}
-		return admin_info{"peers": peers}, nil
-	})
-	a.addHandler("getSwitchPeers", []string{}, func(in admin_info) (admin_info, error) {
-		sort := "port"
-		switchpeers := make(admin_info)
-		for _, s := range a.getData_getSwitchPeers() {
-			p := s.asMap()
-			so := fmt.Sprint(p[sort])
-			switchpeers[so] = p
-			delete(switchpeers[so].(map[string]interface{}), sort)
-		}
-		return admin_info{"switchpeers": switchpeers}, nil
-	})
-	a.addHandler("getSwitchQueues", []string{}, func(in admin_info) (admin_info, error) {
-		queues := a.getData_getSwitchQueues()
-		return admin_info{"switchqueues": queues.asMap()}, nil
-	})
-	a.addHandler("getDHT", []string{}, func(in admin_info) (admin_info, error) {
-		sort := "ip"
-		dht := make(admin_info)
-		for _, d := range a.getData_getDHT() {
-			p := d.asMap()
-			so := fmt.Sprint(p[sort])
-			dht[so] = p
-			delete(dht[so].(map[string]interface{}), sort)
-		}
-		return admin_info{"dht": dht}, nil
-	})
-	a.addHandler("getSessions", []string{}, func(in admin_info) (admin_info, error) {
-		sort := "ip"
-		sessions := make(admin_info)
-		for _, s := range a.getData_getSessions() {
-			p := s.asMap()
-			so := fmt.Sprint(p[sort])
-			sessions[so] = p
-			delete(sessions[so].(map[string]interface{}), sort)
-		}
-		return admin_info{"sessions": sessions}, nil
-	})
-	a.addHandler("addPeer", []string{"uri", "[interface]"}, func(in admin_info) (admin_info, error) {
-		// Set sane defaults
-		intf := ""
-		// Has interface been specified?
-		if itf, ok := in["interface"]; ok {
-			intf = itf.(string)
-		}
-		if a.addPeer(in["uri"].(string), intf) == nil {
-			return admin_info{
-				"added": []string{
-					in["uri"].(string),
-				},
-			}, nil
-		} else {
-			return admin_info{
-				"not_added": []string{
-					in["uri"].(string),
-				},
-			}, errors.New("Failed to add peer")
-		}
-	})
-	a.addHandler("removePeer", []string{"port"}, func(in admin_info) (admin_info, error) {
-		if a.removePeer(fmt.Sprint(in["port"])) == nil {
-			return admin_info{
-				"removed": []string{
-					fmt.Sprint(in["port"]),
-				},
-			}, nil
-		} else {
-			return admin_info{
-				"not_removed": []string{
-					fmt.Sprint(in["port"]),
-				},
-			}, errors.New("Failed to remove peer")
-		}
-	})
-	a.addHandler("getTunTap", []string{}, func(in admin_info) (r admin_info, e error) {
-		defer func() {
-			recover()
-			r = admin_info{"none": admin_info{}}
-			e = nil
-		}()
-
-		return admin_info{
-			a.core.tun.iface.Name(): admin_info{
-				"tap_mode": a.core.tun.iface.IsTAP(),
-				"mtu":      a.core.tun.mtu,
-			},
-		}, nil
-	})
-	a.addHandler("setTunTap", []string{"name", "[tap_mode]", "[mtu]"}, func(in admin_info) (admin_info, error) {
-		// Set sane defaults
-		iftapmode := defaults.GetDefaults().DefaultIfTAPMode
-		ifmtu := defaults.GetDefaults().DefaultIfMTU
-		// Has TAP mode been specified?
-		if tap, ok := in["tap_mode"]; ok {
-			iftapmode = tap.(bool)
-		}
-		// Check we have enough params for MTU
-		if mtu, ok := in["mtu"]; ok {
-			if mtu.(float64) >= 1280 && ifmtu <= defaults.GetDefaults().MaximumIfMTU {
-				ifmtu = int(in["mtu"].(float64))
-			}
-		}
-		// Start the TUN adapter
-		if err := a.startTunWithMTU(in["name"].(string), iftapmode, ifmtu); err != nil {
-			return admin_info{}, errors.New("Failed to configure adapter")
-		} else {
-			return admin_info{
-				a.core.tun.iface.Name(): admin_info{
-					"tap_mode": a.core.tun.iface.IsTAP(),
-					"mtu":      ifmtu,
-				},
-			}, nil
-		}
-	})
-	a.addHandler("getMulticastInterfaces", []string{}, func(in admin_info) (admin_info, error) {
-		var intfs []string
-		for _, v := range a.core.multicast.interfaces() {
-			intfs = append(intfs, v.Name)
-		}
-		return admin_info{"multicast_interfaces": intfs}, nil
-	})
-	a.addHandler("getAllowedEncryptionPublicKeys", []string{}, func(in admin_info) (admin_info, error) {
-		return admin_info{"allowed_box_pubs": a.getAllowedEncryptionPublicKeys()}, nil
-	})
-	a.addHandler("addAllowedEncryptionPublicKey", []string{"box_pub_key"}, func(in admin_info) (admin_info, error) {
-		if a.addAllowedEncryptionPublicKey(in["box_pub_key"].(string)) == nil {
-			return admin_info{
-				"added": []string{
-					in["box_pub_key"].(string),
-				},
-			}, nil
-		} else {
-			return admin_info{
-				"not_added": []string{
-					in["box_pub_key"].(string),
-				},
-			}, errors.New("Failed to add allowed key")
-		}
-	})
-	a.addHandler("removeAllowedEncryptionPublicKey", []string{"box_pub_key"}, func(in admin_info) (admin_info, error) {
-		if a.removeAllowedEncryptionPublicKey(in["box_pub_key"].(string)) == nil {
-			return admin_info{
-				"removed": []string{
-					in["box_pub_key"].(string),
-				},
-			}, nil
-		} else {
-			return admin_info{
-				"not_removed": []string{
-					in["box_pub_key"].(string),
-				},
-			}, errors.New("Failed to remove allowed key")
-		}
-	})
-	a.addHandler("addSourceSubnet", []string{"subnet"}, func(in admin_info) (admin_info, error) {
-		var err error
-		a.core.router.doAdmin(func() {
-			err = a.core.router.cryptokey.addSourceSubnet(in["subnet"].(string))
-		})
-		if err == nil {
-			return admin_info{"added": []string{in["subnet"].(string)}}, nil
-		} else {
-			return admin_info{"not_added": []string{in["subnet"].(string)}}, errors.New("Failed to add source subnet")
-		}
-	})
-	a.addHandler("addRoute", []string{"subnet", "box_pub_key"}, func(in admin_info) (admin_info, error) {
-		var err error
-		a.core.router.doAdmin(func() {
-			err = a.core.router.cryptokey.addRoute(in["subnet"].(string), in["box_pub_key"].(string))
-		})
-		if err == nil {
-			return admin_info{"added": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, nil
-		} else {
-			return admin_info{"not_added": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, errors.New("Failed to add route")
-		}
-	})
-	a.addHandler("getSourceSubnets", []string{}, func(in admin_info) (admin_info, error) {
-		var subnets []string
-		a.core.router.doAdmin(func() {
-			getSourceSubnets := func(snets []net.IPNet) {
-				for _, subnet := range snets {
-					subnets = append(subnets, subnet.String())
-				}
-			}
-			getSourceSubnets(a.core.router.cryptokey.ipv4sources)
-			getSourceSubnets(a.core.router.cryptokey.ipv6sources)
-		})
-		return admin_info{"source_subnets": subnets}, nil
-	})
-	a.addHandler("getRoutes", []string{}, func(in admin_info) (admin_info, error) {
-		routes := make(admin_info)
-		a.core.router.doAdmin(func() {
-			getRoutes := func(ckrs []cryptokey_route) {
-				for _, ckr := range ckrs {
-					routes[ckr.subnet.String()] = hex.EncodeToString(ckr.destination[:])
-				}
-			}
-			getRoutes(a.core.router.cryptokey.ipv4routes)
-			getRoutes(a.core.router.cryptokey.ipv6routes)
-		})
-		return admin_info{"routes": routes}, nil
-	})
-	a.addHandler("removeSourceSubnet", []string{"subnet"}, func(in admin_info) (admin_info, error) {
-		var err error
-		a.core.router.doAdmin(func() {
-			err = a.core.router.cryptokey.removeSourceSubnet(in["subnet"].(string))
-		})
-		if err == nil {
-			return admin_info{"removed": []string{in["subnet"].(string)}}, nil
-		} else {
-			return admin_info{"not_removed": []string{in["subnet"].(string)}}, errors.New("Failed to remove source subnet")
-		}
-	})
-	a.addHandler("removeRoute", []string{"subnet", "box_pub_key"}, func(in admin_info) (admin_info, error) {
-		var err error
-		a.core.router.doAdmin(func() {
-			err = a.core.router.cryptokey.removeRoute(in["subnet"].(string), in["box_pub_key"].(string))
-		})
-		if err == nil {
-			return admin_info{"removed": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, nil
-		} else {
-			return admin_info{"not_removed": []string{fmt.Sprintf("%s via %s", in["subnet"].(string), in["box_pub_key"].(string))}}, errors.New("Failed to remove route")
-		}
-	})
-	a.addHandler("dhtPing", []string{"box_pub_key", "coords", "[target]"}, func(in admin_info) (admin_info, error) {
-		if in["target"] == nil {
-			in["target"] = "none"
-		}
-		result, err := a.admin_dhtPing(in["box_pub_key"].(string), in["coords"].(string), in["target"].(string))
-		if err == nil {
-			infos := make(map[string]map[string]string, len(result.Infos))
-			for _, dinfo := range result.Infos {
-				info := map[string]string{
-					"box_pub_key": hex.EncodeToString(dinfo.key[:]),
-					"coords":      fmt.Sprintf("%v", dinfo.coords),
-				}
-				addr := net.IP(address_addrForNodeID(getNodeID(&dinfo.key))[:]).String()
-				infos[addr] = info
-			}
-			return admin_info{"nodes": infos}, nil
-		} else {
-			return admin_info{}, err
-		}
-	})
-}
-
-// start runs the admin API socket to listen for / respond to admin API calls.
-func (a *admin) start() error {
-	if a.listenaddr != "none" && a.listenaddr != "" {
-		go a.listen()
-	}
-	return nil
-}
-
-// cleans up when stopping
-func (a *admin) close() error {
-	return a.listener.Close()
-}
-
-// listen is run by start and manages API connections.
-func (a *admin) listen() {
-	u, err := url.Parse(a.listenaddr)
-	if err == nil {
-		switch strings.ToLower(u.Scheme) {
-		case "unix":
-			if _, err := os.Stat(a.listenaddr[7:]); err == nil {
-				a.core.log.Println("WARNING:", a.listenaddr[7:], "already exists and may be in use by another process")
-			}
-			a.listener, err = net.Listen("unix", a.listenaddr[7:])
-			if err == nil {
-				switch a.listenaddr[7:8] {
-				case "@": // maybe abstract namespace
-				default:
-					if err := os.Chmod(a.listenaddr[7:], 0660); err != nil {
-						a.core.log.Println("WARNING:", a.listenaddr[:7], "may have unsafe permissions!")
-					}
-				}
-			}
-		case "tcp":
-			a.listener, err = net.Listen("tcp", u.Host)
-		default:
-			// err = errors.New(fmt.Sprint("protocol not supported: ", u.Scheme))
-			a.listener, err = net.Listen("tcp", a.listenaddr)
-		}
-	} else {
-		a.listener, err = net.Listen("tcp", a.listenaddr)
-	}
-	if err != nil {
-		a.core.log.Printf("Admin socket failed to listen: %v", err)
-		os.Exit(1)
-	}
-	a.core.log.Printf("%s admin socket listening on %s",
-		strings.ToUpper(a.listener.Addr().Network()),
-		a.listener.Addr().String())
-	defer a.listener.Close()
-	for {
-		conn, err := a.listener.Accept()
-		if err == nil {
-			a.handleRequest(conn)
-		}
-	}
-}
-
-// handleRequest calls the request handler for each request sent to the admin API.
-func (a *admin) handleRequest(conn net.Conn) {
-	decoder := json.NewDecoder(conn)
-	encoder := json.NewEncoder(conn)
-	encoder.SetIndent("", "  ")
-	recv := make(admin_info)
-	send := make(admin_info)
-
-	defer func() {
-		r := recover()
-		if r != nil {
-			send = admin_info{
-				"status": "error",
-				"error":  "Unrecoverable error, possibly as a result of invalid input types or malformed syntax",
-			}
-			fmt.Println("Admin socket error:", r)
-			if err := encoder.Encode(&send); err != nil {
-				fmt.Println("Admin socket JSON encode error:", err)
-			}
-			conn.Close()
-		}
-	}()
-
-	for {
-		// Start with a clean slate on each request
-		recv = admin_info{}
-		send = admin_info{}
-
-		// Decode the input
-		if err := decoder.Decode(&recv); err != nil {
-			//	fmt.Println("Admin socket JSON decode error:", err)
-			return
-		}
-
-		// Send the request back with the response, and default to "error"
-		// unless the status is changed below by one of the handlers
-		send["request"] = recv
-		send["status"] = "error"
-
-	handlers:
-		for _, handler := range a.handlers {
-			// We've found the handler that matches the request
-			if strings.ToLower(recv["request"].(string)) == strings.ToLower(handler.name) {
-				// Check that we have all the required arguments
-				for _, arg := range handler.args {
-					// An argument in [square brackets] is optional and not required,
-					// so we can safely ignore those
-					if strings.HasPrefix(arg, "[") && strings.HasSuffix(arg, "]") {
-						continue
-					}
-					// Check if the field is missing
-					if _, ok := recv[arg]; !ok {
-						send = admin_info{
-							"status":    "error",
-							"error":     "Expected field missing: " + arg,
-							"expecting": arg,
-						}
-						break handlers
-					}
-				}
-
-				// By this point we should have all the fields we need, so call
-				// the handler
-				response, err := handler.handler(recv)
-				if err != nil {
-					send["error"] = err.Error()
-					if response != nil {
-						send["response"] = response
-					}
-				} else {
-					send["status"] = "success"
-					if response != nil {
-						send["response"] = response
-					}
-				}
-
-				break
-			}
-		}
-
-		// Send the response back
-		if err := encoder.Encode(&send); err != nil {
-			return
-		}
-
-		// If "keepalive" isn't true then close the connection
-		if keepalive, ok := recv["keepalive"]; !ok || !keepalive.(bool) {
-			conn.Close()
-		}
-	}
-}
-
-// asMap converts an admin_nodeInfo into a map of key/value pairs.
-func (n *admin_nodeInfo) asMap() map[string]interface{} {
-	m := make(map[string]interface{}, len(*n))
-	for _, p := range *n {
-		m[p.key] = p.val
-	}
-	return m
-}
-
-// toString creates a printable string representation of an admin_nodeInfo.
-func (n *admin_nodeInfo) toString() string {
-	// TODO return something nicer looking than this
-	var out []string
-	for _, p := range *n {
-		out = append(out, fmt.Sprintf("%v: %v", p.key, p.val))
-	}
-	return strings.Join(out, ", ")
-}
-
-// printInfos returns a newline separated list of strings from admin_nodeInfos, e.g. a printable string of info about all peers.
-func (a *admin) printInfos(infos []admin_nodeInfo) string {
-	var out []string
-	for _, info := range infos {
-		out = append(out, info.toString())
-	}
-	out = append(out, "") // To add a trailing "\n" in the join
-	return strings.Join(out, "\n")
-}
-
-// addPeer triggers a connection attempt to a node.
-func (a *admin) addPeer(addr string, sintf string) error {
-	u, err := url.Parse(addr)
-	if err == nil {
-		switch strings.ToLower(u.Scheme) {
-		case "tcp":
-			a.core.tcp.connect(u.Host, sintf)
-		case "socks":
-			a.core.tcp.connectSOCKS(u.Host, u.Path[1:])
-		default:
-			return errors.New("invalid peer: " + addr)
-		}
-	} else {
-		// no url scheme provided
-		addr = strings.ToLower(addr)
-		if strings.HasPrefix(addr, "tcp:") {
-			addr = addr[4:]
-		}
-		a.core.tcp.connect(addr, "")
-		return nil
-	}
-	return nil
-}
-
-// removePeer disconnects an existing node (given by the node's port number).
-func (a *admin) removePeer(p string) error {
-	iport, err := strconv.Atoi(p)
-	if err != nil {
-		return err
-	}
-	a.core.peers.removePeer(switchPort(iport))
-	return nil
-}
-
-// startTunWithMTU creates the tun/tap device, sets its address, and sets the MTU to the provided value.
-func (a *admin) startTunWithMTU(ifname string, iftapmode bool, ifmtu int) error {
-	// Close the TUN first if open
-	_ = a.core.tun.close()
-	// Then reconfigure and start it
-	addr := a.core.router.addr
-	straddr := fmt.Sprintf("%s/%v", net.IP(addr[:]).String(), 8*len(address_prefix)-1)
-	if ifname != "none" {
-		err := a.core.tun.setup(ifname, iftapmode, straddr, ifmtu)
-		if err != nil {
-			return err
-		}
-		// If we have open sessions then we need to notify them
-		// that our MTU has now changed
-		for _, sinfo := range a.core.sessions.sinfos {
-			if ifname == "none" {
-				sinfo.myMTU = 0
-			} else {
-				sinfo.myMTU = uint16(ifmtu)
-			}
-			a.core.sessions.sendPingPong(sinfo, false)
-		}
-		// Aaaaand... go!
-		go a.core.tun.read()
-	}
-	go a.core.tun.write()
-	return nil
-}
-
-// getData_getSelf returns the self node's info for admin responses.
-func (a *admin) getData_getSelf() *admin_nodeInfo {
-	table := a.core.switchTable.table.Load().(lookupTable)
-	coords := table.self.getCoords()
-	self := admin_nodeInfo{
-		{"box_pub_key", hex.EncodeToString(a.core.boxPub[:])},
-		{"ip", a.core.GetAddress().String()},
-		{"subnet", a.core.GetSubnet().String()},
-		{"coords", fmt.Sprint(coords)},
-	}
-	if name := GetBuildName(); name != "unknown" {
-		self = append(self, admin_pair{"build_name", name})
-	}
-	if version := GetBuildVersion(); version != "unknown" {
-		self = append(self, admin_pair{"build_version", version})
-	}
-
-	return &self
-}
-
-// getData_getPeers returns info from Core.peers for an admin response.
-func (a *admin) getData_getPeers() []admin_nodeInfo {
-	ports := a.core.peers.ports.Load().(map[switchPort]*peer)
-	var peerInfos []admin_nodeInfo
-	var ps []switchPort
-	for port := range ports {
-		ps = append(ps, port)
-	}
-	sort.Slice(ps, func(i, j int) bool { return ps[i] < ps[j] })
-	for _, port := range ps {
-		p := ports[port]
-		addr := *address_addrForNodeID(getNodeID(&p.box))
-		info := admin_nodeInfo{
-			{"ip", net.IP(addr[:]).String()},
-			{"port", port},
-			{"uptime", int(time.Since(p.firstSeen).Seconds())},
-			{"bytes_sent", atomic.LoadUint64(&p.bytesSent)},
-			{"bytes_recvd", atomic.LoadUint64(&p.bytesRecvd)},
-			{"endpoint", p.endpoint},
-			{"box_pub_key", hex.EncodeToString(p.box[:])},
-		}
-		peerInfos = append(peerInfos, info)
-	}
-	return peerInfos
-}
-
-// getData_getSwitchPeers returns info from Core.switchTable for an admin response.
-func (a *admin) getData_getSwitchPeers() []admin_nodeInfo {
-	var peerInfos []admin_nodeInfo
-	table := a.core.switchTable.table.Load().(lookupTable)
-	peers := a.core.peers.ports.Load().(map[switchPort]*peer)
-	for _, elem := range table.elems {
-		peer, isIn := peers[elem.port]
-		if !isIn {
-			continue
-		}
-		addr := *address_addrForNodeID(getNodeID(&peer.box))
-		coords := elem.locator.getCoords()
-		info := admin_nodeInfo{
-			{"ip", net.IP(addr[:]).String()},
-			{"coords", fmt.Sprint(coords)},
-			{"port", elem.port},
-			{"bytes_sent", atomic.LoadUint64(&peer.bytesSent)},
-			{"bytes_recvd", atomic.LoadUint64(&peer.bytesRecvd)},
-			{"endpoint", peer.endpoint},
-			{"box_pub_key", hex.EncodeToString(peer.box[:])},
-		}
-		peerInfos = append(peerInfos, info)
-	}
-	return peerInfos
-}
-
-// getData_getSwitchQueues returns info from Core.switchTable for an queue data.
-func (a *admin) getData_getSwitchQueues() admin_nodeInfo {
-	var peerInfos admin_nodeInfo
-	switchTable := &a.core.switchTable
-	getSwitchQueues := func() {
-		queues := make([]map[string]interface{}, 0)
-		for k, v := range switchTable.queues.bufs {
-			nexthop := switchTable.bestPortForCoords([]byte(k))
-			queue := map[string]interface{}{
-				"queue_id":      k,
-				"queue_size":    v.size,
-				"queue_packets": len(v.packets),
-				"queue_port":    nexthop,
-			}
-			queues = append(queues, queue)
-		}
-		peerInfos = admin_nodeInfo{
-			{"queues", queues},
-			{"queues_count", len(switchTable.queues.bufs)},
-			{"queues_size", switchTable.queues.size},
-			{"highest_queues_count", switchTable.queues.maxbufs},
-			{"highest_queues_size", switchTable.queues.maxsize},
-			{"maximum_queues_size", switchTable.queueTotalMaxSize},
-		}
-	}
-	a.core.switchTable.doAdmin(getSwitchQueues)
-	return peerInfos
-}
-
-// getData_getDHT returns info from Core.dht for an admin response.
-func (a *admin) getData_getDHT() []admin_nodeInfo {
-	var infos []admin_nodeInfo
-	getDHT := func() {
-		now := time.Now()
-		var dhtInfos []*dhtInfo
-		for _, v := range a.core.dht.table {
-			dhtInfos = append(dhtInfos, v)
-		}
-		sort.SliceStable(dhtInfos, func(i, j int) bool {
-			return dht_ordered(&a.core.dht.nodeID, dhtInfos[i].getNodeID(), dhtInfos[j].getNodeID())
-		})
-		for _, v := range dhtInfos {
-			addr := *address_addrForNodeID(v.getNodeID())
-			info := admin_nodeInfo{
-				{"ip", net.IP(addr[:]).String()},
-				{"coords", fmt.Sprint(v.coords)},
-				{"last_seen", int(now.Sub(v.recv).Seconds())},
-				{"box_pub_key", hex.EncodeToString(v.key[:])},
-			}
-			infos = append(infos, info)
-		}
-	}
-	a.core.router.doAdmin(getDHT)
-	return infos
-}
-
-// getData_getSessions returns info from Core.sessions for an admin response.
-func (a *admin) getData_getSessions() []admin_nodeInfo {
-	var infos []admin_nodeInfo
-	getSessions := func() {
-		for _, sinfo := range a.core.sessions.sinfos {
-			// TODO? skipped known but timed out sessions?
-			info := admin_nodeInfo{
-				{"ip", net.IP(sinfo.theirAddr[:]).String()},
-				{"coords", fmt.Sprint(sinfo.coords)},
-				{"mtu", sinfo.getMTU()},
-				{"was_mtu_fixed", sinfo.wasMTUFixed},
-				{"bytes_sent", sinfo.bytesSent},
-				{"bytes_recvd", sinfo.bytesRecvd},
-				{"box_pub_key", hex.EncodeToString(sinfo.theirPermPub[:])},
-			}
-			infos = append(infos, info)
-		}
-	}
-	a.core.router.doAdmin(getSessions)
-	return infos
-}
-
-// getAllowedEncryptionPublicKeys returns the public keys permitted for incoming peer connections.
-func (a *admin) getAllowedEncryptionPublicKeys() []string {
-	pubs := a.core.peers.getAllowedEncryptionPublicKeys()
-	var out []string
-	for _, pub := range pubs {
-		out = append(out, hex.EncodeToString(pub[:]))
-	}
-	return out
-}
-
-// addAllowedEncryptionPublicKey whitelists a key for incoming peer connections.
-func (a *admin) addAllowedEncryptionPublicKey(bstr string) (err error) {
-	boxBytes, err := hex.DecodeString(bstr)
-	if err == nil {
-		var box boxPubKey
-		copy(box[:], boxBytes)
-		a.core.peers.addAllowedEncryptionPublicKey(&box)
-	}
-	return
-}
-
-// removeAllowedEncryptionPublicKey removes a key from the whitelist for incoming peer connections.
-// If none are set, an empty list permits all incoming connections.
-func (a *admin) removeAllowedEncryptionPublicKey(bstr string) (err error) {
-	boxBytes, err := hex.DecodeString(bstr)
-	if err == nil {
-		var box boxPubKey
-		copy(box[:], boxBytes)
-		a.core.peers.removeAllowedEncryptionPublicKey(&box)
-	}
-	return
-}
-
-// Send a DHT ping to the node with the provided key and coords, optionally looking up the specified target NodeID.
-func (a *admin) admin_dhtPing(keyString, coordString, targetString string) (dhtRes, error) {
-	var key boxPubKey
-	if keyBytes, err := hex.DecodeString(keyString); err != nil {
-		return dhtRes{}, err
-	} else {
-		copy(key[:], keyBytes)
-	}
-	var coords []byte
-	for _, cstr := range strings.Split(strings.Trim(coordString, "[]"), " ") {
-		if cstr == "" {
-			// Special case, happens if trimmed is the empty string, e.g. this is the root
-			continue
-		}
-		if u64, err := strconv.ParseUint(cstr, 10, 8); err != nil {
-			return dhtRes{}, err
-		} else {
-			coords = append(coords, uint8(u64))
-		}
-	}
-	resCh := make(chan *dhtRes, 1)
-	info := dhtInfo{
-		key:    key,
-		coords: coords,
-	}
-	target := *info.getNodeID()
-	if targetString == "none" {
-		// Leave the default target in place
-	} else if targetBytes, err := hex.DecodeString(targetString); err != nil {
-		return dhtRes{}, err
-	} else if len(targetBytes) != len(target) {
-		return dhtRes{}, errors.New("Incorrect target NodeID length")
-	} else {
-		target = NodeID{}
-		copy(target[:], targetBytes)
-	}
-	rq := dhtReqKey{info.key, target}
-	sendPing := func() {
-		a.core.dht.addCallback(&rq, func(res *dhtRes) {
-			defer func() { recover() }()
-			select {
-			case resCh <- res:
-			default:
-			}
-		})
-		a.core.dht.ping(&info, &target)
-	}
-	a.core.router.doAdmin(sendPing)
-	go func() {
-		time.Sleep(6 * time.Second)
-		close(resCh)
-	}()
-	for res := range resCh {
-		return *res, nil
-	}
-	return dhtRes{}, errors.New(fmt.Sprintf("DHT ping timeout: %s", keyString))
-}
-
-// getResponse_dot returns a response for a graphviz dot formatted representation of the known parts of the network.
-// This is color-coded and labeled, and includes the self node, switch peers, nodes known to the DHT, and nodes with open sessions.
-// The graph is structured as a tree with directed links leading away from the root.
-func (a *admin) getResponse_dot() []byte {
-	self := a.getData_getSelf()
-	peers := a.getData_getSwitchPeers()
-	dht := a.getData_getDHT()
-	sessions := a.getData_getSessions()
-	// Start building a tree from all known nodes
-	type nodeInfo struct {
-		name    string
-		key     string
-		parent  string
-		port    switchPort
-		options string
-	}
-	infos := make(map[string]nodeInfo)
-	// Get coords as a slice of strings, FIXME? this looks very fragile
-	coordSlice := func(coords string) []string {
-		tmp := strings.Replace(coords, "[", "", -1)
-		tmp = strings.Replace(tmp, "]", "", -1)
-		return strings.Split(tmp, " ")
-	}
-	// First fill the tree with all known nodes, no parents
-	addInfo := func(nodes []admin_nodeInfo, options string, tag string) {
-		for _, node := range nodes {
-			n := node.asMap()
-			info := nodeInfo{
-				key:     n["coords"].(string),
-				options: options,
-			}
-			if len(tag) > 0 {
-				info.name = fmt.Sprintf("%s\n%s", n["ip"].(string), tag)
-			} else {
-				info.name = n["ip"].(string)
-			}
-			coordsSplit := coordSlice(info.key)
-			if len(coordsSplit) != 0 {
-				portStr := coordsSplit[len(coordsSplit)-1]
-				portUint, err := strconv.ParseUint(portStr, 10, 64)
-				if err == nil {
-					info.port = switchPort(portUint)
-				}
-			}
-			infos[info.key] = info
-		}
-	}
-	addInfo(dht, "fillcolor=\"#ffffff\" style=filled fontname=\"sans serif\"", "Known in DHT")                               // white
-	addInfo(sessions, "fillcolor=\"#acf3fd\" style=filled fontname=\"sans serif\"", "Open session")                          // blue
-	addInfo(peers, "fillcolor=\"#ffffb5\" style=filled fontname=\"sans serif\"", "Connected peer")                           // yellow
-	addInfo(append([]admin_nodeInfo(nil), *self), "fillcolor=\"#a5ff8a\" style=filled fontname=\"sans serif\"", "This node") // green
-	// Now go through and create placeholders for any missing nodes
-	for _, info := range infos {
-		// This is ugly string manipulation
-		coordsSplit := coordSlice(info.key)
-		for idx := range coordsSplit {
-			key := fmt.Sprintf("[%v]", strings.Join(coordsSplit[:idx], " "))
-			newInfo, isIn := infos[key]
-			if isIn {
-				continue
-			}
-			newInfo.name = "?"
-			newInfo.key = key
-			newInfo.options = "fontname=\"sans serif\" style=dashed color=\"#999999\" fontcolor=\"#999999\""
-
-			coordsSplit := coordSlice(newInfo.key)
-			if len(coordsSplit) != 0 {
-				portStr := coordsSplit[len(coordsSplit)-1]
-				portUint, err := strconv.ParseUint(portStr, 10, 64)
-				if err == nil {
-					newInfo.port = switchPort(portUint)
-				}
-			}
-
-			infos[key] = newInfo
-		}
-	}
-	// Now go through and attach parents
-	for _, info := range infos {
-		pSplit := coordSlice(info.key)
-		if len(pSplit) > 0 {
-			pSplit = pSplit[:len(pSplit)-1]
-		}
-		info.parent = fmt.Sprintf("[%v]", strings.Join(pSplit, " "))
-		infos[info.key] = info
-	}
-	// Finally, get a sorted list of keys, which we use to organize the output
-	var keys []string
-	for _, info := range infos {
-		keys = append(keys, info.key)
-	}
-	// sort
-	sort.SliceStable(keys, func(i, j int) bool {
-		return keys[i] < keys[j]
-	})
-	sort.SliceStable(keys, func(i, j int) bool {
-		return infos[keys[i]].port < infos[keys[j]].port
-	})
-	// Now print it all out
-	var out []byte
-	put := func(s string) {
-		out = append(out, []byte(s)...)
-	}
-	put("digraph {\n")
-	// First set the labels
-	for _, key := range keys {
-		info := infos[key]
-		put(fmt.Sprintf("\"%v\" [ label = \"%v\" %v ];\n", info.key, info.name, info.options))
-	}
-	// Then print the tree structure
-	for _, key := range keys {
-		info := infos[key]
-		if info.key == info.parent {
-			continue
-		} // happens for the root, skip it
-		port := fmt.Sprint(info.port)
-		style := "fontname=\"sans serif\""
-		if infos[info.parent].name == "?" || infos[info.key].name == "?" {
-			style = "fontname=\"sans serif\" style=dashed color=\"#999999\" fontcolor=\"#999999\""
-		}
-		put(fmt.Sprintf("  \"%+v\" -> \"%+v\" [ label = \"%v\" %s ];\n", info.parent, info.key, port, style))
-	}
-	put("}\n")
-	return out
-}
--- a/src/yggdrasil/ckr.go
+++ b/src/yggdrasil/ckr.go
@@ -1,348 +0,0 @@
-package yggdrasil
-
-import (
-	"bytes"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"net"
-	"sort"
-)
-
-// This module implements crypto-key routing, similar to Wireguard, where we
-// allow traffic for non-Yggdrasil ranges to be routed over Yggdrasil.
-
-type cryptokey struct {
-	core        *Core
-	enabled     bool
-	ipv4routes  []cryptokey_route
-	ipv6routes  []cryptokey_route
-	ipv4cache   map[address]cryptokey_route
-	ipv6cache   map[address]cryptokey_route
-	ipv4sources []net.IPNet
-	ipv6sources []net.IPNet
-}
-
-type cryptokey_route struct {
-	subnet      net.IPNet
-	destination boxPubKey
-}
-
-// Initialise crypto-key routing. This must be done before any other CKR calls.
-func (c *cryptokey) init(core *Core) {
-	c.core = core
-	c.ipv4routes = make([]cryptokey_route, 0)
-	c.ipv6routes = make([]cryptokey_route, 0)
-	c.ipv4cache = make(map[address]cryptokey_route, 0)
-	c.ipv6cache = make(map[address]cryptokey_route, 0)
-	c.ipv4sources = make([]net.IPNet, 0)
-	c.ipv6sources = make([]net.IPNet, 0)
-}
-
-// Enable or disable crypto-key routing.
-func (c *cryptokey) setEnabled(enabled bool) {
-	c.enabled = enabled
-}
-
-// Check if crypto-key routing is enabled.
-func (c *cryptokey) isEnabled() bool {
-	return c.enabled
-}
-
-// Check whether the given address (with the address length specified in bytes)
-// matches either the current node's address, the node's routed subnet or the
-// list of subnets specified in IPv4Sources/IPv6Sources.
-func (c *cryptokey) isValidSource(addr address, addrlen int) bool {
-	ip := net.IP(addr[:addrlen])
-
-	if addrlen == net.IPv6len {
-		// Does this match our node's address?
-		if bytes.Equal(addr[:16], c.core.router.addr[:16]) {
-			return true
-		}
-
-		// Does this match our node's subnet?
-		if bytes.Equal(addr[:8], c.core.router.subnet[:8]) {
-			return true
-		}
-	}
-
-	// Does it match a configured CKR source?
-	if c.isEnabled() {
-		// Build our references to the routing sources
-		var routingsources *[]net.IPNet
-
-		// Check if the prefix is IPv4 or IPv6
-		if addrlen == net.IPv6len {
-			routingsources = &c.ipv6sources
-		} else if addrlen == net.IPv4len {
-			routingsources = &c.ipv4sources
-		} else {
-			return false
-		}
-
-		for _, subnet := range *routingsources {
-			if subnet.Contains(ip) {
-				return true
-			}
-		}
-	}
-
-	// Doesn't match any of the above
-	return false
-}
-
-// Adds a source subnet, which allows traffic with these source addresses to
-// be tunnelled using crypto-key routing.
-func (c *cryptokey) addSourceSubnet(cidr string) error {
-	// Is the CIDR we've been given valid?
-	_, ipnet, err := net.ParseCIDR(cidr)
-	if err != nil {
-		return err
-	}
-
-	// Get the prefix length and size
-	_, prefixsize := ipnet.Mask.Size()
-
-	// Build our references to the routing sources
-	var routingsources *[]net.IPNet
-
-	// Check if the prefix is IPv4 or IPv6
-	if prefixsize == net.IPv6len*8 {
-		routingsources = &c.ipv6sources
-	} else if prefixsize == net.IPv4len*8 {
-		routingsources = &c.ipv4sources
-	} else {
-		return errors.New("Unexpected prefix size")
-	}
-
-	// Check if we already have this CIDR
-	for _, subnet := range *routingsources {
-		if subnet.String() == ipnet.String() {
-			return errors.New("Source subnet already configured")
-		}
-	}
-
-	// Add the source subnet
-	*routingsources = append(*routingsources, *ipnet)
-	c.core.log.Println("Added CKR source subnet", cidr)
-	return nil
-}
-
-// Adds a destination route for the given CIDR to be tunnelled to the node
-// with the given BoxPubKey.
-func (c *cryptokey) addRoute(cidr string, dest string) error {
-	// Is the CIDR we've been given valid?
-	ipaddr, ipnet, err := net.ParseCIDR(cidr)
-	if err != nil {
-		return err
-	}
-
-	// Get the prefix length and size
-	_, prefixsize := ipnet.Mask.Size()
-
-	// Build our references to the routing table and cache
-	var routingtable *[]cryptokey_route
-	var routingcache *map[address]cryptokey_route
-
-	// Check if the prefix is IPv4 or IPv6
-	if prefixsize == net.IPv6len*8 {
-		routingtable = &c.ipv6routes
-		routingcache = &c.ipv6cache
-	} else if prefixsize == net.IPv4len*8 {
-		routingtable = &c.ipv4routes
-		routingcache = &c.ipv4cache
-	} else {
-		return errors.New("Unexpected prefix size")
-	}
-
-	// Is the route an Yggdrasil destination?
-	var addr address
-	var snet subnet
-	copy(addr[:], ipaddr)
-	copy(snet[:], ipnet.IP)
-	if addr.isValid() || snet.isValid() {
-		return errors.New("Can't specify Yggdrasil destination as crypto-key route")
-	}
-	// Do we already have a route for this subnet?
-	for _, route := range *routingtable {
-		if route.subnet.String() == ipnet.String() {
-			return errors.New(fmt.Sprintf("Route already exists for %s", cidr))
-		}
-	}
-	// Decode the public key
-	if bpk, err := hex.DecodeString(dest); err != nil {
-		return err
-	} else if len(bpk) != boxPubKeyLen {
-		return errors.New(fmt.Sprintf("Incorrect key length for %s", dest))
-	} else {
-		// Add the new crypto-key route
-		var key boxPubKey
-		copy(key[:], bpk)
-		*routingtable = append(*routingtable, cryptokey_route{
-			subnet:      *ipnet,
-			destination: key,
-		})
-
-		// Sort so most specific routes are first
-		sort.Slice(*routingtable, func(i, j int) bool {
-			im, _ := (*routingtable)[i].subnet.Mask.Size()
-			jm, _ := (*routingtable)[j].subnet.Mask.Size()
-			return im > jm
-		})
-
-		// Clear the cache as this route might change future routing
-		// Setting an empty slice keeps the memory whereas nil invokes GC
-		for k := range *routingcache {
-			delete(*routingcache, k)
-		}
-
-		c.core.log.Println("Added CKR destination subnet", cidr)
-		return nil
-	}
-}
-
-// Looks up the most specific route for the given address (with the address
-// length specified in bytes) from the crypto-key routing table. An error is
-// returned if the address is not suitable or no route was found.
-func (c *cryptokey) getPublicKeyForAddress(addr address, addrlen int) (boxPubKey, error) {
-	// Check if the address is a valid Yggdrasil address - if so it
-	// is exempt from all CKR checking
-	if addr.isValid() {
-		return boxPubKey{}, errors.New("Cannot look up CKR for Yggdrasil addresses")
-	}
-
-	// Build our references to the routing table and cache
-	var routingtable *[]cryptokey_route
-	var routingcache *map[address]cryptokey_route
-
-	// Check if the prefix is IPv4 or IPv6
-	if addrlen == net.IPv6len {
-		routingtable = &c.ipv6routes
-		routingcache = &c.ipv6cache
-	} else if addrlen == net.IPv4len {
-		routingtable = &c.ipv4routes
-		routingcache = &c.ipv4cache
-	} else {
-		return boxPubKey{}, errors.New("Unexpected prefix size")
-	}
-
-	// Check if there's a cache entry for this addr
-	if route, ok := (*routingcache)[addr]; ok {
-		return route.destination, nil
-	}
-
-	// No cache was found - start by converting the address into a net.IP
-	ip := make(net.IP, addrlen)
-	copy(ip[:addrlen], addr[:])
-
-	// Check if we have a route. At this point c.ipv6routes should be
-	// pre-sorted so that the most specific routes are first
-	for _, route := range *routingtable {
-		// Does this subnet match the given IP?
-		if route.subnet.Contains(ip) {
-			// Check if the routing cache is above a certain size, if it is evict
-			// a random entry so we can make room for this one. We take advantage
-			// of the fact that the iteration order is random here
-			for k := range *routingcache {
-				if len(*routingcache) < 1024 {
-					break
-				}
-				delete(*routingcache, k)
-			}
-
-			// Cache the entry for future packets to get a faster lookup
-			(*routingcache)[addr] = route
-
-			// Return the boxPubKey
-			return route.destination, nil
-		}
-	}
-
-	// No route was found if we got to this point
-	return boxPubKey{}, errors.New(fmt.Sprintf("No route to %s", ip.String()))
-}
-
-// Removes a source subnet, which allows traffic with these source addresses to
-// be tunnelled using crypto-key routing.
-func (c *cryptokey) removeSourceSubnet(cidr string) error {
-	// Is the CIDR we've been given valid?
-	_, ipnet, err := net.ParseCIDR(cidr)
-	if err != nil {
-		return err
-	}
-
-	// Get the prefix length and size
-	_, prefixsize := ipnet.Mask.Size()
-
-	// Build our references to the routing sources
-	var routingsources *[]net.IPNet
-
-	// Check if the prefix is IPv4 or IPv6
-	if prefixsize == net.IPv6len*8 {
-		routingsources = &c.ipv6sources
-	} else if prefixsize == net.IPv4len*8 {
-		routingsources = &c.ipv4sources
-	} else {
-		return errors.New("Unexpected prefix size")
-	}
-
-	// Check if we already have this CIDR
-	for idx, subnet := range *routingsources {
-		if subnet.String() == ipnet.String() {
-			*routingsources = append((*routingsources)[:idx], (*routingsources)[idx+1:]...)
-			c.core.log.Println("Removed CKR source subnet", cidr)
-			return nil
-		}
-	}
-	return errors.New("Source subnet not found")
-}
-
-// Removes a destination route for the given CIDR to be tunnelled to the node
-// with the given BoxPubKey.
-func (c *cryptokey) removeRoute(cidr string, dest string) error {
-	// Is the CIDR we've been given valid?
-	_, ipnet, err := net.ParseCIDR(cidr)
-	if err != nil {
-		return err
-	}
-
-	// Get the prefix length and size
-	_, prefixsize := ipnet.Mask.Size()
-
-	// Build our references to the routing table and cache
-	var routingtable *[]cryptokey_route
-	var routingcache *map[address]cryptokey_route
-
-	// Check if the prefix is IPv4 or IPv6
-	if prefixsize == net.IPv6len*8 {
-		routingtable = &c.ipv6routes
-		routingcache = &c.ipv6cache
-	} else if prefixsize == net.IPv4len*8 {
-		routingtable = &c.ipv4routes
-		routingcache = &c.ipv4cache
-	} else {
-		return errors.New("Unexpected prefix size")
-	}
-
-	// Decode the public key
-	bpk, err := hex.DecodeString(dest)
-	if err != nil {
-		return err
-	} else if len(bpk) != boxPubKeyLen {
-		return errors.New(fmt.Sprintf("Incorrect key length for %s", dest))
-	}
-	netStr := ipnet.String()
-
-	for idx, route := range *routingtable {
-		if bytes.Equal(route.destination[:], bpk) && route.subnet.String() == netStr {
-			*routingtable = append((*routingtable)[:idx], (*routingtable)[idx+1:]...)
-			for k := range *routingcache {
-				delete(*routingcache, k)
-			}
-			c.core.log.Printf("Removed CKR destination subnet %s via %s\n", cidr, dest)
-			return nil
-		}
-	}
-	return errors.New(fmt.Sprintf("Route does not exists for %s", cidr))
-}
--- a/src/yggdrasil/core.go
+++ b/src/yggdrasil/core.go
@@ -1,302 +0,0 @@
-package yggdrasil
-
-import (
-	"encoding/hex"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net"
-	"regexp"
-
-	"github.com/yggdrasil-network/yggdrasil-go/src/config"
-	"github.com/yggdrasil-network/yggdrasil-go/src/defaults"
-)
-
-var buildName string
-var buildVersion string
-
-// The Core object represents the Yggdrasil node. You should create a Core
-// object for each Yggdrasil node you plan to run.
-type Core struct {
-	// This is the main data structure that holds everything else for a node
-	boxPub      boxPubKey
-	boxPriv     boxPrivKey
-	sigPub      sigPubKey
-	sigPriv     sigPrivKey
-	switchTable switchTable
-	peers       peers
-	sessions    sessions
-	router      router
-	dht         dht
-	tun         tunDevice
-	admin       admin
-	searches    searches
-	multicast   multicast
-	tcp         tcpInterface
-	log         *log.Logger
-	ifceExpr    []*regexp.Regexp // the zone of link-local IPv6 peers must match this
-}
-
-func (c *Core) init(bpub *boxPubKey,
-	bpriv *boxPrivKey,
-	spub *sigPubKey,
-	spriv *sigPrivKey) {
-	// TODO separate init and start functions
-	//  Init sets up structs
-	//  Start launches goroutines that depend on structs being set up
-	// This is pretty much required to completely avoid race conditions
-	util_initByteStore()
-	if c.log == nil {
-		c.log = log.New(ioutil.Discard, "", 0)
-	}
-	c.boxPub, c.boxPriv = *bpub, *bpriv
-	c.sigPub, c.sigPriv = *spub, *spriv
-	c.admin.core = c
-	c.searches.init(c)
-	c.dht.init(c)
-	c.sessions.init(c)
-	c.multicast.init(c)
-	c.peers.init(c)
-	c.router.init(c)
-	c.switchTable.init(c, c.sigPub) // TODO move before peers? before router?
-	c.tun.init(c)
-}
-
-// Get the current build name. This is usually injected if built from git,
-// or returns "unknown" otherwise.
-func GetBuildName() string {
-	if buildName == "" {
-		return "unknown"
-	}
-	return buildName
-}
-
-// Get the current build version. This is usually injected if built from git,
-// or returns "unknown" otherwise.
-func GetBuildVersion() string {
-	if buildVersion == "" {
-		return "unknown"
-	}
-	return buildVersion
-}
-
-// Starts up Yggdrasil using the provided NodeConfig, and outputs debug logging
-// through the provided log.Logger. The started stack will include TCP and UDP
-// sockets, a multicast discovery socket, an admin socket, router, switch and
-// DHT node.
-func (c *Core) Start(nc *config.NodeConfig, log *log.Logger) error {
-	c.log = log
-
-	if name := GetBuildName(); name != "unknown" {
-		c.log.Println("Build name:", name)
-	}
-	if version := GetBuildVersion(); version != "unknown" {
-		c.log.Println("Build version:", version)
-	}
-
-	c.log.Println("Starting up...")
-
-	var boxPub boxPubKey
-	var boxPriv boxPrivKey
-	var sigPub sigPubKey
-	var sigPriv sigPrivKey
-	boxPubHex, err := hex.DecodeString(nc.EncryptionPublicKey)
-	if err != nil {
-		return err
-	}
-	boxPrivHex, err := hex.DecodeString(nc.EncryptionPrivateKey)
-	if err != nil {
-		return err
-	}
-	sigPubHex, err := hex.DecodeString(nc.SigningPublicKey)
-	if err != nil {
-		return err
-	}
-	sigPrivHex, err := hex.DecodeString(nc.SigningPrivateKey)
-	if err != nil {
-		return err
-	}
-	copy(boxPub[:], boxPubHex)
-	copy(boxPriv[:], boxPrivHex)
-	copy(sigPub[:], sigPubHex)
-	copy(sigPriv[:], sigPrivHex)
-
-	c.init(&boxPub, &boxPriv, &sigPub, &sigPriv)
-	c.admin.init(c, nc.AdminListen)
-
-	if err := c.tcp.init(c, nc.Listen, nc.ReadTimeout); err != nil {
-		c.log.Println("Failed to start TCP interface")
-		return err
-	}
-
-	if nc.SwitchOptions.MaxTotalQueueSize >= SwitchQueueTotalMinSize {
-		c.switchTable.queueTotalMaxSize = nc.SwitchOptions.MaxTotalQueueSize
-	}
-
-	if err := c.switchTable.start(); err != nil {
-		c.log.Println("Failed to start switch")
-		return err
-	}
-
-	c.sessions.setSessionFirewallState(nc.SessionFirewall.Enable)
-	c.sessions.setSessionFirewallDefaults(
-		nc.SessionFirewall.AllowFromDirect,
-		nc.SessionFirewall.AllowFromRemote,
-		nc.SessionFirewall.AlwaysAllowOutbound,
-	)
-	c.sessions.setSessionFirewallWhitelist(nc.SessionFirewall.WhitelistEncryptionPublicKeys)
-	c.sessions.setSessionFirewallBlacklist(nc.SessionFirewall.BlacklistEncryptionPublicKeys)
-
-	if err := c.router.start(); err != nil {
-		c.log.Println("Failed to start router")
-		return err
-	}
-
-	c.router.cryptokey.setEnabled(nc.TunnelRouting.Enable)
-	if c.router.cryptokey.isEnabled() {
-		c.log.Println("Crypto-key routing enabled")
-		for ipv6, pubkey := range nc.TunnelRouting.IPv6Destinations {
-			if err := c.router.cryptokey.addRoute(ipv6, pubkey); err != nil {
-				panic(err)
-			}
-		}
-		for _, source := range nc.TunnelRouting.IPv6Sources {
-			if c.router.cryptokey.addSourceSubnet(source); err != nil {
-				panic(err)
-			}
-		}
-		for ipv4, pubkey := range nc.TunnelRouting.IPv4Destinations {
-			if err := c.router.cryptokey.addRoute(ipv4, pubkey); err != nil {
-				panic(err)
-			}
-		}
-		for _, source := range nc.TunnelRouting.IPv4Sources {
-			if c.router.cryptokey.addSourceSubnet(source); err != nil {
-				panic(err)
-			}
-		}
-	}
-
-	if err := c.admin.start(); err != nil {
-		c.log.Println("Failed to start admin socket")
-		return err
-	}
-
-	if err := c.multicast.start(); err != nil {
-		c.log.Println("Failed to start multicast interface")
-		return err
-	}
-
-	ip := net.IP(c.router.addr[:]).String()
-	if err := c.tun.start(nc.IfName, nc.IfTAPMode, fmt.Sprintf("%s/%d", ip, 8*len(address_prefix)-1), nc.IfMTU); err != nil {
-		c.log.Println("Failed to start TUN/TAP")
-		return err
-	}
-
-	c.log.Println("Startup complete")
-	return nil
-}
-
-// Stops the Yggdrasil node.
-func (c *Core) Stop() {
-	c.log.Println("Stopping...")
-	c.tun.close()
-	c.admin.close()
-}
-
-// Generates a new encryption keypair. The encryption keys are used to
-// encrypt traffic and to derive the IPv6 address/subnet of the node.
-func (c *Core) NewEncryptionKeys() (*boxPubKey, *boxPrivKey) {
-	return newBoxKeys()
-}
-
-// Generates a new signing keypair. The signing keys are used to derive the
-// structure of the spanning tree.
-func (c *Core) NewSigningKeys() (*sigPubKey, *sigPrivKey) {
-	return newSigKeys()
-}
-
-// Gets the node ID.
-func (c *Core) GetNodeID() *NodeID {
-	return getNodeID(&c.boxPub)
-}
-
-// Gets the tree ID.
-func (c *Core) GetTreeID() *TreeID {
-	return getTreeID(&c.sigPub)
-}
-
-// Gets the IPv6 address of the Yggdrasil node. This is always a /128.
-func (c *Core) GetAddress() *net.IP {
-	address := net.IP(address_addrForNodeID(c.GetNodeID())[:])
-	return &address
-}
-
-// Gets the routed IPv6 subnet of the Yggdrasil node. This is always a /64.
-func (c *Core) GetSubnet() *net.IPNet {
-	subnet := address_subnetForNodeID(c.GetNodeID())[:]
-	subnet = append(subnet, 0, 0, 0, 0, 0, 0, 0, 0)
-	return &net.IPNet{IP: subnet, Mask: net.CIDRMask(64, 128)}
-}
-
-// Sets the output logger of the Yggdrasil node after startup. This may be
-// useful if you want to redirect the output later.
-func (c *Core) SetLogger(log *log.Logger) {
-	c.log = log
-}
-
-// Adds a peer. This should be specified in the peer URI format, i.e.
-// tcp://a.b.c.d:e, udp://a.b.c.d:e, socks://a.b.c.d:e/f.g.h.i:j
-func (c *Core) AddPeer(addr string, sintf string) error {
-	return c.admin.addPeer(addr, sintf)
-}
-
-// Adds an expression to select multicast interfaces for peer discovery. This
-// should be done before calling Start. This function can be called multiple
-// times to add multiple search expressions.
-func (c *Core) AddMulticastInterfaceExpr(expr *regexp.Regexp) {
-	c.ifceExpr = append(c.ifceExpr, expr)
-}
-
-// Adds an allowed public key. This allow peerings to be restricted only to
-// keys that you have selected.
-func (c *Core) AddAllowedEncryptionPublicKey(boxStr string) error {
-	return c.admin.addAllowedEncryptionPublicKey(boxStr)
-}
-
-// Gets the default admin listen address for your platform.
-func (c *Core) GetAdminDefaultListen() string {
-	return defaults.GetDefaults().DefaultAdminListen
-}
-
-// Gets the default TUN/TAP interface name for your platform.
-func (c *Core) GetTUNDefaultIfName() string {
-	return defaults.GetDefaults().DefaultIfName
-}
-
-// Gets the default TUN/TAP interface MTU for your platform. This can be as high
-// as 65535, depending on platform, but is never lower than 1280.
-func (c *Core) GetTUNDefaultIfMTU() int {
-	return defaults.GetDefaults().DefaultIfMTU
-}
-
-// Gets the maximum supported TUN/TAP interface MTU for your platform. This
-// can be as high as 65535, depending on platform, but is never lower than 1280.
-func (c *Core) GetTUNMaximumIfMTU() int {
-	return defaults.GetDefaults().MaximumIfMTU
-}
-
-// Gets the default TUN/TAP interface mode for your platform.
-func (c *Core) GetTUNDefaultIfTAPMode() bool {
-	return defaults.GetDefaults().DefaultIfTAPMode
-}
-
-// Gets the current TUN/TAP interface name.
-func (c *Core) GetTUNIfName() string {
-	return c.tun.iface.Name()
-}
-
-// Gets the current TUN/TAP interface MTU.
-func (c *Core) GetTUNIfMTU() int {
-	return c.tun.mtu
-}
--- a/Show More
+++ b/Show More