Subject: Re: ipip and gif
To: None <tech-net@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 04/19/2000 13:42:16
>> I implemented a tunnel for my home netlink (I found I couldn't use
>> existing tunnel code; I can explain why if anyone cares)
> Did it have something to do with many, many sites blocking all ICMP
> packets, including "must fragment"?

No, though that is a problem - when a host trying to do MTU discovery
is behind such a misconfigured router, communication breaks down.  I've
tried writing to a few such; so far I've gotten only one response, from
a site saying "we used to but then we fixed it because of exactly the
problem you bring up - I don't know why you're still having trouble".
I offered to do what I could to help track down the problem, but never
got a reply to that.

No, the reasons I couldn't use existing tunnel code were:

- One of the inner tunnel addresses (my home end) is liable to change
   with no warning; somehow this has to be communicated to the other
   end so it knows where to send packets.

- The packets are signed.  (I could encrypt them as well, but haven't
   perceived a need yet.)

- There are actually two tunnels, decision between which is made based
   on the *source* address of the packet.  (For example, 132.206.78.3
   and 216.46.5.3 are the same machine; if an outgoing packet has
   source address 132.206.78.3 it goes down one tunnel, whereas if it
   has source address 216.46.5.3 it goes down the other.)

There may have been others, but those are the ones I recall now.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
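An added example, not der Mouse's code (whose implementation is not on the page), sketching the three requirements listed above in Python: tunnel selection by the inner packet's source address, an HMAC-SHA256 signature over each encapsulated packet, and learning the roaming home end's new address only from a packet whose signature and sequence number verify, so the "my address changed" notification cannot be forged or replayed. The keys, peer endpoints and sequence-number scheme are assumptions; only the two source addresses come from the post.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed example state for the two tunnels. Keys and peer endpoints are
# placeholders, not values from the post; the two inner source addresses are.
TUNNELS = {
    "A": {"src": ipaddress.ip_address("132.206.78.3"), "key": b"tunnel-A-example-key",
          "peer": ("192.0.2.10", 4000), "tx_seq": 0, "rx_seq": 0},
    "B": {"src": ipaddress.ip_address("216.46.5.3"), "key": b"tunnel-B-example-key",
          "peer": ("198.51.100.7", 4000), "tx_seq": 0, "rx_seq": 0},
}
HDR = struct.Struct("!cQ")  # tunnel id (1 byte) + sequence number (8 bytes)
TAG_LEN = 32                # HMAC-SHA256 tag appended after the payload

def select_tunnel(inner_src):
    """Pick the tunnel by the inner packet's *source* address, as the post describes."""
    for name, t in TUNNELS.items():
        if ipaddress.ip_address(inner_src) == t["src"]:
            return name
    raise ValueError(f"no tunnel for source {inner_src}")

def encapsulate(name, inner):
    """Prepend the header and append an HMAC over header + inner packet."""
    t = TUNNELS[name]
    t["tx_seq"] += 1
    body = HDR.pack(name.encode(), t["tx_seq"]) + inner
    return body + hmac.new(t["key"], body, hashlib.sha256).digest()

def decapsulate(wire, outer_from):
    """Verify tag and sequence first; only then trust the outer source address
    as the peer's current endpoint. Returns (tunnel, inner) or None on drop."""
    if len(wire) < HDR.size + TAG_LEN:
        return None
    body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    tid, seq = HDR.unpack_from(body)
    t = TUNNELS.get(tid.decode(errors="replace"))
    if t is None or not hmac.compare_digest(
            hmac.new(t["key"], body, hashlib.sha256).digest(), tag):
        return None  # forged, corrupted or wrong-tunnel packet: drop
    if seq <= t["rx_seq"]:
        return None  # replay: an old valid packet must not re-point the peer
    t["rx_seq"] = seq
    if outer_from != t["peer"]:
        t["peer"] = outer_from  # roaming end moved; learned from an authenticated packet only
    return tid.decode(), body[HDR.size:]
```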