-# udptunnel will userv ipif locally, as
-# userv root ipif <private-local-addr>,<private-remote-addr>,<mtu>,<proto>
-# <extra-local-nets>
-# or, if -l was given, userv root ipif is replaced with the argument(s) to
-# successive -l options.
+# If it was given Print for <bob-phys-foo'>, udptunnel's first stdout
+# output will be the real <bob-phys-addr>,<bob-phys-port> pair. It
+# may then produce more stdout which, if any, will be forwarded to the
+# local end's stdout as debugging info.
+#
+# After this, if any encryption was specified, the encryption key
+# material will be fed into its stdin. See the documentation in the
+# mech-*.c files for details of the parameters. udptunnel on alice
+# will arrange to feed the keys fd of udptunnel-forwarder into the
+# stdin of the udptunnel on bob.
+#
+# <bob-phys-foo'> is as follows:
+# <bob-phys-foo> <bob-phys-foo'>
+# actual addr/port that addr/port
+# `Command' `Print'
+# `Wait' `Any'
+#
+# <alice-phys-foo'> is as follows:
+# <alice-phys-foo> <alice-phys-foo'> <alice-phys-foo'>
+# (-m not specified) (-m specified)
+# actual addr/port that addr/port `Wait'
+# `Print' the chosen address `Wait'
+# `Any' `Wait' for addr, `Wait'
+# chosen port for port
+#
+# In each case udptunnel will run userv ipif locally, as
+# userv root ipif <local-virt-addr>,<remote-virt-addr>,<mtu>,<proto>
+# <remote-priv-nets>
+# or, if -l was given, userv root ipif is replaced with the argument(s)
+# following -l option(s) until `.'.
+#
+# udptunnel will also run udptunnel-forwarder with appropriate options.
+#
+# recommended encryption parameters are:
+# -e nonce (prepend 32 bit counter)
+# -e timestamp/<max-skew>/<max-age> (prepend 32 bit time_t, and check on receipt)
+# -e pkcs5/8 (pad as per PKCS#5 to 8-byte boundary)
+# -e blowfish-cbcmac/128 (prepend CBC MAC with random IV and 128 bit key)
+# -e blowfish-cbc/128 (encrypt with CBC, random IV and 128 bit key)
+# where <max-skew> is perhaps 10 and <max-age> perhaps 30. If your
+# clocks are not sufficiently well synchronised, you could replace
+# `-e nonce -e timestamp/...' with just `-e sequence'. Do not just
+# remove `-e timestamp/...'.