pubkey x y z: x=keylen, y=encryption key, z=modulus
mobile: declare this to be a 'mobile' site
+** Logging etc.
+
+There are several possible ways of running secnet:
+
+'reporting' only: --version, --help, etc. command line options and the
+--just-check-config mode.
+
+'normal' run: perform setup in the foreground, and then background.
+
+'failed' run: setup in the foreground, and terminate with an error
+before going to background.
+
+'reporting' modes should never output anything except to stdout/stderr.
+'normal' and 'failed' runs output to stdout/stderr before
+backgrounding, then thereafter output only to log destinations.
+
** Protocols
*** Protocol environment:
Note that 'i' may be re-used from one session to the next, whereas 'n'
is always fresh.
+The protocol version selection stuff is not yet implemented: I'm not
+yet convinced it's a good idea. Instead, the initiator could try
+using its preferred protocol (which starts with a different magic
+number) and fall back if there's no reply.
+
Messages:
1) A->B: *,iA,msg1,A,B,protorange-A,nA
sent when a key times out, or the tunnel is forcibly terminated for
some reason.
-XXX not yet implemented.
-
-8) i?,i?,NAK/msg8
+8) i?,i?,NAK (encoded as zero)
If the link-layer can't work out what to do with a packet (session has
gone away, etc.) it can transmit a NAK back to the sender. The sender