Merge branch 'dev' of http://10.6.6.2/zerotier/ZeroTierOne into dev

11 files changed, 306 insertions, 425 deletions

diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 841060d6..b7b740a0 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -665,7 +665,7 @@ unsigned int EmbeddedNetworkController::handleControlPlaneHttpPOST(
 								// Member is being de-authorized, so spray Revocation objects to all online members
 								if (!newAuth) {
 									_clearNetworkMemberInfoCache(nwid);
-									Revocation rev(_node->prng(),nwid,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(address),Revocation::CREDENTIAL_TYPE_COM);
+									Revocation rev((uint32_t)_node->prng(),nwid,0,now,ZT_REVOCATION_FLAG_FAST_PROPAGATE,Address(address),Revocation::CREDENTIAL_TYPE_COM);
 									rev.sign(_signingId);
 									Mutex::Lock _l(_lastRequestTime_m);
 									for(std::map< std::pair<uint64_t,uint64_t>,uint64_t >::iterator i(_lastRequestTime.begin());i!=_lastRequestTime.end();++i) {
diff --git a/node/Capability.hpp b/node/Capability.hpp
index 5ef6c994..454723ac 100644
--- a/node/Capability.hpp
+++ b/node/Capability.hpp
@@ -24,6 +24,7 @@
 #include <string.h>
 
 #include "Constants.hpp"
+#include "Credential.hpp"
 #include "Address.hpp"
 #include "C25519.hpp"
 #include "Utils.hpp"
@@ -58,9 +59,11 @@ class RuntimeEnvironment;
  * handed off between nodes. Limited transferrability of capabilities is
  * a feature of true capability based security.
  */
-class Capability
+class Capability : public Credential
 {
 public:
+	static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_CAPABILITY; }
+
 	Capability()
 	{
 		memset(this,0,sizeof(Capability));
diff --git a/node/CertificateOfMembership.hpp b/node/CertificateOfMembership.hpp
index ae976b50..dfccb138 100644
--- a/node/CertificateOfMembership.hpp
+++ b/node/CertificateOfMembership.hpp
@@ -27,6 +27,7 @@
 #include <algorithm>
 
 #include "Constants.hpp"
+#include "Credential.hpp"
 #include "Buffer.hpp"
 #include "Address.hpp"
 #include "C25519.hpp"
@@ -68,9 +69,11 @@ class RuntimeEnvironment;
  * This is a memcpy()'able structure and is safe (in a crash sense) to modify
  * without locks.
  */
-class CertificateOfMembership
+class CertificateOfMembership : public Credential
 {
 public:
+	static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_COM; }
+
 	/**
 	 * Reserved qualifier IDs
 	 *
@@ -155,18 +158,23 @@ public:
 	/**
 	 * @return True if there's something here
 	 */
-	inline operator bool() const throw() { return (_qualifierCount != 0); }
+	inline operator bool() const { return (_qualifierCount != 0); }
+
+	/**
+	 * @return Credential ID, always 0 for COMs
+	 */
+	inline uint32_t id() const { return 0; }
 
 	/**
 	 * @return Timestamp for this cert and maximum delta for timestamp
 	 */
-	inline std::pair<uint64_t,uint64_t> timestamp() const
+	inline uint64_t timestamp() const
 	{
 		for(unsigned int i=0;i<_qualifierCount;++i) {
 			if (_qualifiers[i].id == COM_RESERVED_ID_TIMESTAMP)
-				return std::pair<uint64_t,uint64_t>(_qualifiers[i].value,_qualifiers[i].maxDelta);
+				return _qualifiers[i].value;
 		}
-		return std::pair<uint64_t,uint64_t>(0ULL,0ULL);
+		return 0;
 	}
 
 	/**
@@ -258,12 +266,12 @@ public:
 	/**
 	 * @return True if signed
 	 */
-	inline bool isSigned() const throw() { return (_signedBy); }
+	inline bool isSigned() const { return (_signedBy); }
 
 	/**
 	 * @return Address that signed this certificate or null address if none
 	 */
-	inline const Address &signedBy() const throw() { return _signedBy; }
+	inline const Address &signedBy() const { return _signedBy; }
 
 	template<unsigned int C>
 	inline void serialize(Buffer<C> &b) const
@@ -321,7 +329,6 @@ public:
 	}
 
 	inline bool operator==(const CertificateOfMembership &c) const
-		throw()
 	{
 		if (_signedBy != c._signedBy)
 			return false;
@@ -335,7 +342,7 @@ public:
 		}
 		return (_signature == c._signature);
 	}
-	inline bool operator!=(const CertificateOfMembership &c) const throw() { return (!(*this == c)); }
+	inline bool operator!=(const CertificateOfMembership &c) const { return (!(*this == c)); }
 
 private:
 	struct _Qualifier
diff --git a/node/CertificateOfOwnership.hpp b/node/CertificateOfOwnership.hpp
index 8c47582d..93be64dd 100644
--- a/node/CertificateOfOwnership.hpp
+++ b/node/CertificateOfOwnership.hpp
@@ -25,6 +25,7 @@
 #include <string.h>
 
 #include "Constants.hpp"
+#include "Credential.hpp"
 #include "C25519.hpp"
 #include "Address.hpp"
 #include "Identity.hpp"
@@ -45,9 +46,11 @@ class RuntimeEnvironment;
 /**
  * Certificate indicating ownership of a network identifier
  */
-class CertificateOfOwnership
+class CertificateOfOwnership : public Credential
 {
 public:
+	static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_COO; }
+
 	enum Thing
 	{
 		THING_NULL = 0,
diff --git a/node/CertificateOfRepresentation.hpp b/node/CertificateOfRepresentation.hpp
index 02e961c4..710ee577 100644
--- a/node/CertificateOfRepresentation.hpp
+++ b/node/CertificateOfRepresentation.hpp
@@ -20,6 +20,7 @@
 #define ZT_CERTIFICATEOFREPRESENTATION_HPP
 
 #include "Constants.hpp"
+#include "Credential.hpp"
 #include "Address.hpp"
 #include "C25519.hpp"
 #include "Identity.hpp"
@@ -47,14 +48,17 @@ namespace ZeroTier {
  * roots can shield nodes entirely and p2p connectivity behind them can
  * be disabled. This will be desirable for a number of use cases.
  */
-class CertificateOfRepresentation
+class CertificateOfRepresentation : public Credential
 {
 public:
+	static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_COR; }
+
 	CertificateOfRepresentation()
 	{
 		memset(this,0,sizeof(CertificateOfRepresentation));
 	}
 
+	inline uint32_t id() const { return 0; }
 	inline uint64_t timestamp() const { return _timestamp; }
 	inline const Address &representative(const unsigned int i) const { return _reps[i]; }
 	inline unsigned int repCount() const { return _repCount; }
diff --git a/node/Credential.hpp b/node/Credential.hpp
new file mode 100644
index 00000000..0ae2a0a8
--- /dev/null
+++ b/node/Credential.hpp
@@ -0,0 +1,58 @@
+/*
+ * ZeroTier One - Network Virtualization Everywhere
+ * Copyright (C) 2011-2016  ZeroTier, Inc.  https://www.zerotier.com/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef ZT_CREDENTIAL_HPP
+#define ZT_CREDENTIAL_HPP
+
+#include <string>
+#include <memory>
+#include <stdexcept>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "Constants.hpp"
+
+namespace ZeroTier {
+
+/**
+ * Base class for credentials
+ */
+class Credential
+{
+public:
+	/**
+	 * Do not change type code IDs -- these are used in Revocation objects and elsewhere
+	 */
+	enum Type
+	{
+		CREDENTIAL_TYPE_NULL = 0,
+		CREDENTIAL_TYPE_COM = 1,        // CertificateOfMembership
+		CREDENTIAL_TYPE_CAPABILITY = 2,
+		CREDENTIAL_TYPE_TAG = 3,
+		CREDENTIAL_TYPE_COO = 4,        // CertificateOfOwnership
+		CREDENTIAL_TYPE_COR = 5,        // CertificateOfRepresentation
+		CREDENTIAL_TYPE_REVOCATION = 6
+	};
+};
+
+} // namespace ZeroTier
+
+#endif
diff --git a/node/Membership.cpp b/node/Membership.cpp
index 22c13c88..62c07314 100644
--- a/node/Membership.cpp
+++ b/node/Membership.cpp
@@ -33,11 +33,13 @@ namespace ZeroTier {
 Membership::Membership() :
 	_lastUpdatedMulticast(0),
 	_lastPushedCom(0),
-	_comRevocationThreshold(0)
+	_comRevocationThreshold(0),
+	_revocations(4),
+	_remoteTags(4),
+	_remoteCaps(4),
+	_remoteCoos(4)
 {
-	for(unsigned int i=0;i<ZT_MAX_NETWORK_TAGS;++i) _remoteTags[i] = &(_tagMem[i]);
-	for(unsigned int i=0;i<ZT_MAX_NETWORK_CAPABILITIES;++i) _remoteCaps[i] = &(_capMem[i]);
-	for(unsigned int i=0;i<ZT_MAX_CERTIFICATES_OF_OWNERSHIP;++i) _remoteCoos[i] = &(_cooMem[i]);
+	resetPushState();
 }
 
 void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const uint64_t now,const Address &peerAddress,const NetworkConfig &nconf,int localCapabilityIndex,const bool force)
@@ -47,18 +49,16 @@ void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const u
 	const Capability *sendCap;
 	if (localCapabilityIndex >= 0) {
 		sendCap = &(nconf.capabilities[localCapabilityIndex]);
-		if ( (_localCaps[localCapabilityIndex].id != sendCap->id()) || ((now - _localCaps[localCapabilityIndex].lastPushed) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) {
-			_localCaps[localCapabilityIndex].lastPushed = now;
-			_localCaps[localCapabilityIndex].id = sendCap->id();
-		} else sendCap = (const Capability *)0;
+		if ( ((now - _localCredLastPushed.cap[localCapabilityIndex]) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) )
+			_localCredLastPushed.cap[localCapabilityIndex] = now;
+		else sendCap = (const Capability *)0;
 	} else sendCap = (const Capability *)0;
 
 	const Tag *sendTags[ZT_MAX_NETWORK_TAGS];
 	unsigned int sendTagCount = 0;
 	for(unsigned int t=0;t<nconf.tagCount;++t) {
-		if ( (_localTags[t].id != nconf.tags[t].id()) || ((now - _localTags[t].lastPushed) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) {
-			_localTags[t].lastPushed = now;
-			_localTags[t].id = nconf.tags[t].id();
+		if ( ((now - _localCredLastPushed.tag[t]) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) {
+			_localCredLastPushed.tag[t] = now;
 			sendTags[sendTagCount++] = &(nconf.tags[t]);
 		}
 	}
@@ -66,9 +66,8 @@ void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const u
 	const CertificateOfOwnership *sendCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
 	unsigned int sendCooCount = 0;
 	for(unsigned int c=0;c<nconf.certificateOfOwnershipCount;++c) {
-		if ( (_localCoos[c].id != nconf.certificatesOfOwnership[c].id()) || ((now - _localCoos[c].lastPushed) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) {
-			_localCoos[c].lastPushed = now;
-			_localCoos[c].id = nconf.certificatesOfOwnership[c].id();
+		if ( ((now - _localCredLastPushed.coo[c]) >= ZT_CREDENTIAL_PUSH_EVERY) || (force) ) {
+			_localCredLastPushed.coo[c] = now;
 			sendCoos[sendCooCount++] = &(nconf.certificatesOfOwnership[c]);
 		}
 	}
@@ -117,21 +116,15 @@ void Membership::pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const u
 	}
 }
 
-const Tag *Membership::getTag(const NetworkConfig &nconf,const uint32_t id) const
-{
-	const _RemoteCredential<Tag> *const *t = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)id,_RemoteCredentialComp<Tag>());
-	return ( ((t != &(_remoteTags[ZT_MAX_NETWORK_CAPABILITIES]))&&((*t)->id == (uint64_t)id)) ? ((((*t)->lastReceived)&&(_isCredentialTimestampValid(nconf,**t))) ? &((*t)->credential) : (const Tag *)0) : (const Tag *)0);
-}
-
 Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfMembership &com)
 {
-	const uint64_t newts = com.timestamp().first;
+	const uint64_t newts = com.timestamp();
 	if (newts <= _comRevocationThreshold) {
 		TRACE("addCredential(CertificateOfMembership) for %s on %.16llx REJECTED (revoked)",com.issuedTo().toString().c_str(),com.networkId());
 		return ADD_REJECTED;
 	}
 
-	const uint64_t oldts = _com.timestamp().first;
+	const uint64_t oldts = _com.timestamp();
 	if (newts < oldts) {
 		TRACE("addCredential(CertificateOfMembership) for %s on %.16llx REJECTED (older than current)",com.issuedTo().toString().c_str(),com.networkId());
 		return ADD_REJECTED;
@@ -154,84 +147,73 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme
 	}
 }
 
-Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag)
+// Template out addCredential() for many cred types to avoid copypasta
+template<typename C>
+static Membership::AddCredentialResult _addCredImpl(Hashtable<uint32_t,C> &remoteCreds,const Hashtable<uint64_t,uint64_t> &revocations,const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const C &cred)
 {
-	_RemoteCredential<Tag> *const *htmp = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)tag.id(),_RemoteCredentialComp<Tag>());
-	_RemoteCredential<Tag> *have = ((htmp != &(_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*htmp)->id == (uint64_t)tag.id())) ? *htmp : (_RemoteCredential<Tag> *)0;
-	if (have) {
-		if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > tag.timestamp()) ) {
-			TRACE("addCredential(Tag) for %s on %.16llx REJECTED (revoked or too old)",tag.issuedTo().toString().c_str(),tag.networkId());
-			return ADD_REJECTED;
+	C *rc = remoteCreds.get(cred.id());
+	if (rc) {
+		if (rc->timestamp() >= cred.timestamp()) {
+			TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (older than credential we have)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
+			return Membership::ADD_REJECTED;
 		}
-		if (have->credential == tag) {
-			TRACE("addCredential(Tag) for %s on %.16llx ACCEPTED (redundant)",tag.issuedTo().toString().c_str(),tag.networkId());
-			return ADD_ACCEPTED_REDUNDANT;
+		if (*rc == cred) {
+			TRACE("addCredential(type==%d) for %s on %.16llx ACCEPTED (redundant)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
+			return Membership::ADD_ACCEPTED_REDUNDANT;
 		}
 	}
 
-	switch(tag.verify(RR,tPtr)) {
-		default:
-			TRACE("addCredential(Tag) for %s on %.16llx REJECTED (invalid)",tag.issuedTo().toString().c_str(),tag.networkId());
-			return ADD_REJECTED;
-		case 0:
-			TRACE("addCredential(Tag) for %s on %.16llx ACCEPTED (new)",tag.issuedTo().toString().c_str(),tag.networkId());
-			if (!have) have = _newTag(tag.id());
-			have->lastReceived = RR->node->now();
-			have->credential = tag;
-			return ADD_ACCEPTED_NEW;
-		case 1:
-			return ADD_DEFERRED_FOR_WHOIS;
+	const uint64_t *const rt = revocations.get(Membership::credentialKey(C::credentialType(),cred.id()));
+	if ((rt)&&(*rt >= cred.timestamp())) {
+		TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (timestamp below revocation threshold)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
+		return Membership::ADD_REJECTED;
 	}
-}
 
-Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Capability &cap)
-{
-	_RemoteCredential<Capability> *const *htmp = std::lower_bound(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),(uint64_t)cap.id(),_RemoteCredentialComp<Capability>());
-	_RemoteCredential<Capability> *have = ((htmp != &(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*htmp)->id == (uint64_t)cap.id())) ? *htmp : (_RemoteCredential<Capability> *)0;
-	if (have) {
-		if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > cap.timestamp()) ) {
-			TRACE("addCredential(Capability) for %s on %.16llx REJECTED (revoked or too old)",cap.issuedTo().toString().c_str(),cap.networkId());
-			return ADD_REJECTED;
-		}
-		if (have->credential == cap) {
-			TRACE("addCredential(Capability) for %s on %.16llx ACCEPTED (redundant)",cap.issuedTo().toString().c_str(),cap.networkId());
-			return ADD_ACCEPTED_REDUNDANT;
-		}
-	}
-
-	switch(cap.verify(RR,tPtr)) {
+	switch(cred.verify(RR,tPtr)) {
 		default:
-			TRACE("addCredential(Capability) for %s on %.16llx REJECTED (invalid)",cap.issuedTo().toString().c_str(),cap.networkId());
-			return ADD_REJECTED;
+			TRACE("addCredential(type==%d) for %s on %.16llx REJECTED (invalid)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
+			return Membership::ADD_REJECTED;
 		case 0:
-			TRACE("addCredential(Capability) for %s on %.16llx ACCEPTED (new)",cap.issuedTo().toString().c_str(),cap.networkId());
-			if (!have) have = _newCapability(cap.id());
-			have->lastReceived = RR->node->now();
-			have->credential = cap;
-			return ADD_ACCEPTED_NEW;
+			TRACE("addCredential(type==%d) for %s on %.16llx ACCEPTED (new)",(int)C::credentialType(),cred.issuedTo().toString().c_str(),cred.networkId());
+			if (!rc)
+				rc = &(remoteCreds[cred.id()]);
+			*rc = cred;
+			return Membership::ADD_ACCEPTED_NEW;
 		case 1:
-			return ADD_DEFERRED_FOR_WHOIS;
+			return Membership::ADD_DEFERRED_FOR_WHOIS;
 	}
 }
 
+Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Tag &tag) { return _addCredImpl<Tag>(_remoteTags,_revocations,RR,tPtr,nconf,tag); }
+Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Capability &cap) { return _addCredImpl<Capability>(_remoteCaps,_revocations,RR,tPtr,nconf,cap); }
+Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo) { return _addCredImpl<CertificateOfOwnership>(_remoteCoos,_revocations,RR,tPtr,nconf,coo); }
+
 Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev)
 {
+	uint64_t *rt;
 	switch(rev.verify(RR,tPtr)) {
 		default:
 			return ADD_REJECTED;
 		case 0: {
-			const uint64_t now = RR->node->now();
-			switch(rev.type()) {
+			const Credential::Type ct = rev.type();
+			switch(ct) {
+				case Credential::CREDENTIAL_TYPE_COM:
+					if (rev.threshold() > _comRevocationThreshold) {
+						_comRevocationThreshold = rev.threshold();
+						return ADD_ACCEPTED_NEW;
+					}
+					return ADD_ACCEPTED_REDUNDANT;
+				case Credential::CREDENTIAL_TYPE_CAPABILITY:
+				case Credential::CREDENTIAL_TYPE_TAG:
+				case Credential::CREDENTIAL_TYPE_COO:
+					rt = &(_revocations[credentialKey(ct,rev.credentialId())]);
+					if (*rt < rev.threshold()) {
+						*rt = rev.threshold();
+						return ADD_ACCEPTED_NEW;
+					}
+					return ADD_ACCEPTED_REDUNDANT;
 				default:
 					return ADD_REJECTED;
-				case Revocation::CREDENTIAL_TYPE_COM:
-					return (_revokeCom(rev) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
-				case Revocation::CREDENTIAL_TYPE_CAPABILITY:
-					return (_revokeCap(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
-				case Revocation::CREDENTIAL_TYPE_TAG:
-					return (_revokeTag(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
-				case Revocation::CREDENTIAL_TYPE_COO:
-					return (_revokeCoo(rev,now) ? ADD_ACCEPTED_NEW : ADD_ACCEPTED_REDUNDANT);
 			}
 		}
 		case 1:
@@ -239,157 +221,11 @@ Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironme
 	}
 }
 
-Membership::AddCredentialResult Membership::addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo)
-{
-	_RemoteCredential<CertificateOfOwnership> *const *htmp = std::lower_bound(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),(uint64_t)coo.id(),_RemoteCredentialComp<CertificateOfOwnership>());
-	_RemoteCredential<CertificateOfOwnership> *have = ((htmp != &(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]))&&((*htmp)->id == (uint64_t)coo.id())) ? *htmp : (_RemoteCredential<CertificateOfOwnership> *)0;
-	if (have) {
-		if ( (!_isCredentialTimestampValid(nconf,*have)) || (have->credential.timestamp() > coo.timestamp()) ) {
-			TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx REJECTED (revoked or too old)",coo.issuedTo().toString().c_str(),coo.networkId());
-			return ADD_REJECTED;
-		}
-		if (have->credential == coo) {
-			TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx ACCEPTED (redundant)",coo.issuedTo().toString().c_str(),coo.networkId());
-			return ADD_ACCEPTED_REDUNDANT;
-		}
-	}
-
-	switch(coo.verify(RR,tPtr)) {
-		default:
-			TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx REJECTED (invalid)",coo.issuedTo().toString().c_str(),coo.networkId());
-			return ADD_REJECTED;
-		case 0:
-			TRACE("addCredential(CertificateOfOwnership) for %s on %.16llx ACCEPTED (new)",coo.issuedTo().toString().c_str(),coo.networkId());
-			if (!have) have = _newCoo(coo.id());
-			have->lastReceived = RR->node->now();
-			have->credential = coo;
-			return ADD_ACCEPTED_NEW;
-		case 1:
-			return ADD_DEFERRED_FOR_WHOIS;
-	}
-}
-
-Membership::_RemoteCredential<Tag> *Membership::_newTag(const uint64_t id)
+void Membership::clean(const uint64_t now,const NetworkConfig &nconf)
 {
-	_RemoteCredential<Tag> *t = NULL;
-	uint64_t minlr = 0xffffffffffffffffULL;
-	for(unsigned int i=0;i<ZT_MAX_NETWORK_TAGS;++i) {
-		if (_remoteTags[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
-			t = _remoteTags[i];
-			break;
-		} else if (_remoteTags[i]->lastReceived <= minlr) {
-			t = _remoteTags[i];
-			minlr = _remoteTags[i]->lastReceived;
-		}
-	}
-
-	if (t) {
-		t->id = id;
-		t->lastReceived = 0;
-		t->revocationThreshold = 0;
-		t->credential = Tag();
-	}
-
-	std::sort(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),_RemoteCredentialComp<Tag>());
-	return t;
-}
-
-Membership::_RemoteCredential<Capability> *Membership::_newCapability(const uint64_t id)
-{
-	_RemoteCredential<Capability> *c = NULL;
-	uint64_t minlr = 0xffffffffffffffffULL;
-	for(unsigned int i=0;i<ZT_MAX_NETWORK_CAPABILITIES;++i) {
-		if (_remoteCaps[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
-			c = _remoteCaps[i];
-			break;
-		} else if (_remoteCaps[i]->lastReceived <= minlr) {
-			c = _remoteCaps[i];
-			minlr = _remoteCaps[i]->lastReceived;
-		}
-	}
-
-	if (c) {
-		c->id = id;
-		c->lastReceived = 0;
-		c->revocationThreshold = 0;
-		c->credential = Capability();
-	}
-
-	std::sort(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),_RemoteCredentialComp<Capability>());
-	return c;
-}
-
-Membership::_RemoteCredential<CertificateOfOwnership> *Membership::_newCoo(const uint64_t id)
-{
-	_RemoteCredential<CertificateOfOwnership> *c = NULL;
-	uint64_t minlr = 0xffffffffffffffffULL;
-	for(unsigned int i=0;i<ZT_MAX_CERTIFICATES_OF_OWNERSHIP;++i) {
-		if (_remoteCoos[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED) {
-			c = _remoteCoos[i];
-			break;
-		} else if (_remoteCoos[i]->lastReceived <= minlr) {
-			c = _remoteCoos[i];
-			minlr = _remoteCoos[i]->lastReceived;
-		}
-	}
-
-	if (c) {
-		c->id = id;
-		c->lastReceived = 0;
-		c->revocationThreshold = 0;
-		c->credential = CertificateOfOwnership();
-	}
-
-	std::sort(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),_RemoteCredentialComp<CertificateOfOwnership>());
-	return c;
-}
-
-bool Membership::_revokeCom(const Revocation &rev)
-{
-	if (rev.threshold() > _comRevocationThreshold) {
-		_comRevocationThreshold = rev.threshold();
-		return true;
-	}
-	return false;
-}
-
-bool Membership::_revokeCap(const Revocation &rev,const uint64_t now)
-{
-	_RemoteCredential<Capability> *const *htmp = std::lower_bound(&(_remoteCaps[0]),&(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]),(uint64_t)rev.credentialId(),_RemoteCredentialComp<Capability>());
-	_RemoteCredential<Capability> *have = ((htmp != &(_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential<Capability> *)0;
-	if (!have) have = _newCapability(rev.credentialId());
-	if (rev.threshold() > have->revocationThreshold) {
-		have->lastReceived = now;
-		have->revocationThreshold = rev.threshold();
-		return true;
-	}
-	return false;
-}
-
-bool Membership::_revokeTag(const Revocation &rev,const uint64_t now)
-{
-	_RemoteCredential<Tag> *const *htmp = std::lower_bound(&(_remoteTags[0]),&(_remoteTags[ZT_MAX_NETWORK_TAGS]),(uint64_t)rev.credentialId(),_RemoteCredentialComp<Tag>());
-	_RemoteCredential<Tag> *have = ((htmp != &(_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential<Tag> *)0;
-	if (!have) have = _newTag(rev.credentialId());
-	if (rev.threshold() > have->revocationThreshold) {
-		have->lastReceived = now;
-		have->revocationThreshold = rev.threshold();
-		return true;
-	}
-	return false;
-}
-
-bool Membership::_revokeCoo(const Revocation &rev,const uint64_t now)
-{
-	_RemoteCredential<CertificateOfOwnership> *const *htmp = std::lower_bound(&(_remoteCoos[0]),&(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]),(uint64_t)rev.credentialId(),_RemoteCredentialComp<CertificateOfOwnership>());
-	_RemoteCredential<CertificateOfOwnership> *have = ((htmp != &(_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP]))&&((*htmp)->id == (uint64_t)rev.credentialId())) ? *htmp : (_RemoteCredential<CertificateOfOwnership> *)0;
-	if (!have) have = _newCoo(rev.credentialId());
-	if (rev.threshold() > have->revocationThreshold) {
-		have->lastReceived = now;
-		have->revocationThreshold = rev.threshold();
-		return true;
-	}
-	return false;
+	_cleanCredImpl<Tag>(nconf,_remoteTags);
+	_cleanCredImpl<Capability>(nconf,_remoteCaps);
+	_cleanCredImpl<CertificateOfOwnership>(nconf,_remoteCoos);
 }
 
 } // namespace ZeroTier
diff --git a/node/Membership.hpp b/node/Membership.hpp
index c28d598c..22772859 100644
--- a/node/Membership.hpp
+++ b/node/Membership.hpp
@@ -23,6 +23,8 @@
 
 #include "Constants.hpp"
 #include "../include/ZeroTierOne.h"
+#include "Credential.hpp"
+#include "Hashtable.hpp"
 #include "CertificateOfMembership.hpp"
 #include "Capability.hpp"
 #include "Tag.hpp"
@@ -45,35 +47,6 @@ class Network;
  */
 class Membership
 {
-private:
-	template<typename T>
-	struct _RemoteCredential
-	{
-		_RemoteCredential() : id(ZT_MEMBERSHIP_CRED_ID_UNUSED),lastReceived(0),revocationThreshold(0) {}
-		uint64_t id;
-		uint64_t lastReceived; // last time we got this credential
-		uint64_t revocationThreshold; // credentials before this time are invalid
-		T credential;
-		inline bool operator<(const _RemoteCredential &c) const { return (id < c.id); }
-	};
-
-	template<typename T>
-	struct _RemoteCredentialComp
-	{
-		inline bool operator()(const _RemoteCredential<T> *a,const _RemoteCredential<T> *b) const { return (a->id < b->id); }
-		inline bool operator()(const uint64_t a,const _RemoteCredential<T> *b) const { return (a < b->id); }
-		inline bool operator()(const _RemoteCredential<T> *a,const uint64_t b) const { return (a->id < b); }
-		inline bool operator()(const uint64_t a,const uint64_t b) const { return (a < b); }
-	};
-
-	// Used to track push state for network config tags[] and capabilities[] entries
-	struct _LocalCredentialPushState
-	{
-		_LocalCredentialPushState() : lastPushed(0),id(0) {}
-		uint64_t lastPushed; // last time we sent our own copy of this credential
-		uint64_t id;
-	};
-
 public:
 	enum AddCredentialResult
 	{
@@ -83,72 +56,6 @@ public:
 		ADD_DEFERRED_FOR_WHOIS
 	};
 
-	/**
-	 * Iterator to scan forward through capabilities in ascending order of ID
-	 */
-	class CapabilityIterator
-	{
-	public:
-		CapabilityIterator(const Membership &m,const NetworkConfig &nconf) :
-			_m(&m),
-			_c(&nconf),
-			_i(&(m._remoteCaps[0])) {}
-
-		inline const Capability *next()
-		{
-			for(;;) {
-				if ((_i != &(_m->_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES]))&&((*_i)->id != ZT_MEMBERSHIP_CRED_ID_UNUSED)) {
-					const Capability *tmp = &((*_i)->credential);
-					if (_m->_isCredentialTimestampValid(*_c,**_i)) {
-						++_i;
-						return tmp;
-					} else ++_i;
-				} else {
-					return (const Capability *)0;
-				}
-			}
-		}
-
-	private:
-		const Membership *_m;
-		const NetworkConfig *_c;
-		const _RemoteCredential<Capability> *const *_i;
-	};
-	friend class CapabilityIterator;
-
-	/**
-	 * Iterator to scan forward through tags in ascending order of ID
-	 */
-	class TagIterator
-	{
-	public:
-		TagIterator(const Membership &m,const NetworkConfig &nconf) :
-			_m(&m),
-			_c(&nconf),
-			_i(&(m._remoteTags[0])) {}
-
-		inline const Tag *next()
-		{
-			for(;;) {
-				if ((_i != &(_m->_remoteTags[ZT_MAX_NETWORK_TAGS]))&&((*_i)->id != ZT_MEMBERSHIP_CRED_ID_UNUSED)) {
-					const Tag *tmp = &((*_i)->credential);
-					if (_m->_isCredentialTimestampValid(*_c,**_i)) {
-						++_i;
-						return tmp;
-					} else ++_i;
-				} else {
-					return (const Tag *)0;
-				}
-			}
-		}
-
-	private:
-		const Membership *_m;
-		const NetworkConfig *_c;
-		const _RemoteCredential<Tag> *const *_i;
-	};
-	friend class TagIterator;
-
 	Membership();
 
 	/**
@@ -168,19 +75,19 @@ public:
 	void pushCredentials(const RuntimeEnvironment *RR,void *tPtr,const uint64_t now,const Address &peerAddress,const NetworkConfig &nconf,int localCapabilityIndex,const bool force);
 
 	/**
-	 * Check whether we should push MULTICAST_LIKEs to this peer
+	 * Check whether we should push MULTICAST_LIKEs to this peer, and update last sent time if true
 	 *
 	 * @param now Current time
 	 * @return True if we should update multicasts
 	 */
-	inline bool shouldLikeMulticasts(const uint64_t now) const { return ((now - _lastUpdatedMulticast) >= ZT_MULTICAST_ANNOUNCE_PERIOD); }
-
-	/**
-	 * Set time we last updated multicasts for this peer
-	 *
-	 * @param now Current time
-	 */
-	inline void likingMulticasts(const uint64_t now) { _lastUpdatedMulticast = now; }
+	inline bool multicastLikeGate(const uint64_t now)
+	{
+		if ((now - _lastUpdatedMulticast) >= ZT_MULTICAST_ANNOUNCE_PERIOD) {
+			_lastUpdatedMulticast = now;
+			return true;
+		}
+		return false;
+	}
 
 	/**
 	 * Check whether the peer represented by this Membership should be allowed on this network at all
@@ -190,10 +97,8 @@ public:
 	 */
 	inline bool isAllowedOnNetwork(const NetworkConfig &nconf) const
 	{
-		if (nconf.isPublic())
-			return true;
-		if (_com.timestamp().first <= _comRevocationThreshold)
-			return false;
+		if (nconf.isPublic()) return true;
+		if (_com.timestamp() <= _comRevocationThreshold) return false;
 		return nconf.com.agreesWith(_com);
 	}
 
@@ -208,21 +113,28 @@ public:
 	template<typename T>
 	inline bool hasCertificateOfOwnershipFor(const NetworkConfig &nconf,const T &r) const
 	{
-		for(unsigned int i=0;i<ZT_MAX_CERTIFICATES_OF_OWNERSHIP;++i) {
-			if (_remoteCoos[i]->id == ZT_MEMBERSHIP_CRED_ID_UNUSED)
-				break;
-			if ((_isCredentialTimestampValid(nconf,*_remoteCoos[i]))&&(_remoteCoos[i]->credential.owns(r)))
+		uint32_t *k = (uint32_t *)0;
+		CertificateOfOwnership *v = (CertificateOfOwnership *)0;
+		Hashtable< uint32_t,CertificateOfOwnership >::Iterator i(*(const_cast< Hashtable< uint32_t,CertificateOfOwnership> *>(&_remoteCoos)));
+		while (i.next(k,v)) {
+			if (_isCredentialTimestampValid(nconf,*v)&&(v->owns(r)))
 				return true;
 		}
 		return false;
 	}
 
 	/**
+	 * Get a remote member's tag (if we have it)
+	 *
 	 * @param nconf Network configuration
 	 * @param id Tag ID
 	 * @return Pointer to tag or NULL if not found
 	 */
-	const Tag *getTag(const NetworkConfig &nconf,const uint32_t id) const;
+	inline const Tag *getTag(const NetworkConfig &nconf,const uint32_t id) const
+	{
+		const Tag *const t = _remoteTags.get(id);
+		return (((t)&&(_isCredentialTimestampValid(nconf,*t))) ? t : (Tag *)0);
+	}
 
 	/**
 	 * Validate and add a credential if signature is okay and it's otherwise good
@@ -242,29 +154,59 @@ public:
 	/**
 	 * Validate and add a credential if signature is okay and it's otherwise good
 	 */
-	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev);
+	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo);
 
 	/**
 	 * Validate and add a credential if signature is okay and it's otherwise good
 	 */
-	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const CertificateOfOwnership &coo);
+	AddCredentialResult addCredential(const RuntimeEnvironment *RR,void *tPtr,const NetworkConfig &nconf,const Revocation &rev);
+
+	/**
+	 * Clean internal databases of stale entries
+	 *
+	 * @param now Current time
+	 * @param nconf Current network configuration
+	 */
+	void clean(const uint64_t now,const NetworkConfig &nconf);
+
+	/**
+	 * Reset last pushed time for local credentials
+	 *
+	 * This is done when we update our network configuration and our credentials have changed
+	 */
+	inline void resetPushState()
+	{
+		_lastPushedCom = 0;
+		memset(&_localCredLastPushed,0,sizeof(_localCredLastPushed));
+	}
+
+	/**
+	 * Generates a key for the internal use in indexing credentials by type and credential ID
+	 */
+	static uint64_t credentialKey(const Credential::Type &t,const uint32_t i) { return (((uint64_t)t << 32) | (uint64_t)i); }
 
 private:
-	_RemoteCredential<Tag> *_newTag(const uint64_t id);
-	_RemoteCredential<Capability> *_newCapability(const uint64_t id);
-	_RemoteCredential<CertificateOfOwnership> *_newCoo(const uint64_t id);
-	bool _revokeCom(const Revocation &rev);
-	bool _revokeCap(const Revocation &rev,const uint64_t now);
-	bool _revokeTag(const Revocation &rev,const uint64_t now);
-	bool _revokeCoo(const Revocation &rev,const uint64_t now);
+	template<typename C>
+	inline bool _isCredentialTimestampValid(const NetworkConfig &nconf,const C &remoteCredential) const
+	{
+		const uint64_t ts = remoteCredential.timestamp();
+		if (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) {
+			const uint64_t *threshold = _revocations.get(credentialKey(C::credentialType(),remoteCredential.id()));
+			return ((!threshold)||(ts > *threshold));
+		}
+		return false;
+	}
 
 	template<typename C>
-	inline bool _isCredentialTimestampValid(const NetworkConfig &nconf,const _RemoteCredential<C> &remoteCredential) const
+	void _cleanCredImpl(const NetworkConfig &nconf,Hashtable<uint32_t,C> &remoteCreds)
 	{
-		if (!remoteCredential.lastReceived)
-			return false;
-		const uint64_t ts = remoteCredential.credential.timestamp();
-		return ( (((ts >= nconf.timestamp) ? (ts - nconf.timestamp) : (nconf.timestamp - ts)) <= nconf.credentialTimeMaxDelta) && (ts > remoteCredential.revocationThreshold) );
+		uint32_t *k = (uint32_t *)0;
+		C *v = (C *)0;
+		typename Hashtable<uint32_t,C>::Iterator i(remoteCreds);
+		while (i.next(k,v)) {
+			if (!_isCredentialTimestampValid(nconf,*v))
+				remoteCreds.erase(*k);
+		}
 	}
 
 	// Last time we pushed MULTICAST_LIKE(s)
@@ -279,20 +221,46 @@ private:
 	// Remote member's latest network COM
 	CertificateOfMembership _com;
 
-	// Sorted (in ascending order of ID) arrays of pointers to remote credentials
-	_RemoteCredential<Tag> *_remoteTags[ZT_MAX_NETWORK_TAGS];
-	_RemoteCredential<Capability> *_remoteCaps[ZT_MAX_NETWORK_CAPABILITIES];
-	_RemoteCredential<CertificateOfOwnership> *_remoteCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
+	// Revocations by credentialKey()
+	Hashtable< uint64_t,uint64_t > _revocations;
+
+	// Remote credentials that we have received from this member (and that are valid)
+	Hashtable< uint32_t,Tag > _remoteTags;
+	Hashtable< uint32_t,Capability > _remoteCaps;
+	Hashtable< uint32_t,CertificateOfOwnership > _remoteCoos;
 
-	// This is the RAM allocated for remote credential cache objects
-	_RemoteCredential<Tag> _tagMem[ZT_MAX_NETWORK_TAGS];
-	_RemoteCredential<Capability> _capMem[ZT_MAX_NETWORK_CAPABILITIES];
-	_RemoteCredential<CertificateOfOwnership> _cooMem[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
+	// Time we last pushed our local credentials to this member
+	struct {
+		uint64_t tag[ZT_MAX_NETWORK_TAGS];
+		uint64_t cap[ZT_MAX_NETWORK_CAPABILITIES];
+		uint64_t coo[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
+	} _localCredLastPushed;
 
-	// Local credential push state tracking
-	_LocalCredentialPushState _localTags[ZT_MAX_NETWORK_TAGS];
-	_LocalCredentialPushState _localCaps[ZT_MAX_NETWORK_CAPABILITIES];
-	_LocalCredentialPushState _localCoos[ZT_MAX_CERTIFICATES_OF_OWNERSHIP];
+public:
+	class CapabilityIterator
+	{
+	public:
+		CapabilityIterator(Membership &m,const NetworkConfig &nconf) :
+			_hti(m._remoteCaps),
+			_k((uint32_t *)0),
+			_c((Capability *)0),
+			_nconf(nconf)
+		{
+		}
+
+		inline Capability *next()
+		{
+			if (_hti.next(_k,_c))
+				return _c;
+			else return (Capability *)0;
+		}
+
+	private:
+		Hashtable< uint32_t,Capability >::Iterator _hti;
+		uint32_t *_k;
+		Capability *_c;
+		const NetworkConfig &_nconf;
+	};
 };
 
 } // namespace ZeroTier
diff --git a/node/Network.cpp b/node/Network.cpp
index 0abfdf86..3c607b28 100644
--- a/node/Network.cpp
+++ b/node/Network.cpp
@@ -534,9 +534,9 @@ static _doZtFilterResult _doZtFilter(
 					}
 					if (inbound) {
 						if (membership) {
-							if ((src)&&(membership->hasCertificateOfOwnershipFor(nconf,src)))
+							if ((src)&&(membership->hasCertificateOfOwnershipFor<InetAddress>(nconf,src)))
 								ownershipVerificationMask |= ZT_RULE_PACKET_CHARACTERISTICS_SENDER_IP_AUTHENTICATED;
-							if (membership->hasCertificateOfOwnershipFor(nconf,macSource))
+							if (membership->hasCertificateOfOwnershipFor<MAC>(nconf,macSource))
 								ownershipVerificationMask |= ZT_RULE_PACKET_CHARACTERISTICS_SENDER_MAC_AUTHENTICATED;
 						}
 					} else {
@@ -1143,21 +1143,31 @@ int Network::setConfiguration(void *tPtr,const NetworkConfig &nconf,bool saveToD
 	// _lock is NOT locked when this is called
 	try {
 		if ((nconf.issuedTo != RR->identity.address())||(nconf.networkId != _id))
-			return 0;
+			return 0; // invalid config that is not for us or not for this network
 		if (_config == nconf)
 			return 1; // OK config, but duplicate of what we already have
 
 		ZT_VirtualNetworkConfig ctmp;
 		bool oldPortInitialized;
-		{
+		{	// do things that require lock here, but unlock before calling callbacks
 			Mutex::Lock _l(_lock);
+
 			_config = nconf;
 			_lastConfigUpdate = RR->node->now();
 			_netconfFailure = NETCONF_FAILURE_NONE;
+
 			oldPortInitialized = _portInitialized;
 			_portInitialized = true;
+
 			_externalConfig(&ctmp);
+
+			Address *a = (Address *)0;
+			Membership *m = (Membership *)0;
+			Hashtable<Address,Membership>::Iterator i(_memberships);
+			while (i.next(a,m))
+				m->resetPushState();
 		}
+
 		_portError = RR->node->configureVirtualNetworkPort(tPtr,_id,&_uPtr,(oldPortInitialized) ? ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_CONFIG_UPDATE : ZT_VIRTUAL_NETWORK_CONFIG_OPERATION_UP,&ctmp);
 
 		if (saveToDisk) {
@@ -1299,10 +1309,9 @@ bool Network::gate(void *tPtr,const SharedPtr<Peer> &peer)
 			if ( (_config.isPublic()) || ((m)&&(m->isAllowedOnNetwork(_config))) ) {
 				if (!m)
 					m = &(_membership(peer->address()));
-				if (m->shouldLikeMulticasts(now)) {
+				if (m->multicastLikeGate(now)) {
 					m->pushCredentials(RR,tPtr,now,peer->address(),_config,-1,false);
 					_announceMulticastGroupsTo(tPtr,peer->address(),_allMulticastGroups());
-					m->likingMulticasts(now);
 				}
 				return true;
 			}
@@ -1338,6 +1347,7 @@ void Network::clean()
 		while (i.next(a,m)) {
 			if (!RR->topology->getPeerNoCache(*a))
 				_memberships.erase(*a);
+			else m->clean(now,_config);
 		}
 	}
 }
@@ -1546,8 +1556,7 @@ void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMu
 	}
 
 	// Make sure that all "network anchors" have Membership records so we will
-	// push multicasts to them. Note that _membership() also does this but in a
-	// piecemeal on-demand fashion.
+	// push multicasts to them.
 	const std::vector<Address> anchors(_config.anchors());
 	for(std::vector<Address>::const_iterator a(anchors.begin());a!=anchors.end();++a)
 		_membership(*a);
@@ -1559,11 +1568,8 @@ void Network::_sendUpdatesToMembers(void *tPtr,const MulticastGroup *const newMu
 		Hashtable<Address,Membership>::Iterator i(_memberships);
 		while (i.next(a,m)) {
 			m->pushCredentials(RR,tPtr,now,*a,_config,-1,false);
-			if ( ((newMulticastGroup)||(m->shouldLikeMulticasts(now))) && (m->isAllowedOnNetwork(_config)) ) {
-				if (!newMulticastGroup)
-					m->likingMulticasts(now);
+			if ( ( m->multicastLikeGate(now) || (newMulticastGroup) ) && (m->isAllowedOnNetwork(_config)) )
 				_announceMulticastGroupsTo(tPtr,*a,groups);
-			}
 		}
 	}
 }
diff --git a/node/Revocation.hpp b/node/Revocation.hpp
index 8b9ce6dd..e5e013bd 100644
--- a/node/Revocation.hpp
+++ b/node/Revocation.hpp
@@ -26,6 +26,7 @@
 
 #include "Constants.hpp"
 #include "../include/ZeroTierOne.h"
+#include "Credential.hpp"
 #include "Address.hpp"
 #include "C25519.hpp"
 #include "Utils.hpp"
@@ -44,20 +45,10 @@ class RuntimeEnvironment;
 /**
  * Revocation certificate to instantaneously revoke a COM, capability, or tag
  */
-class Revocation
+class Revocation : public Credential
 {
 public:
-	/**
-	 * Credential type being revoked
-	 */
-	enum CredentialType
-	{
-		CREDENTIAL_TYPE_NULL = 0,
-		CREDENTIAL_TYPE_COM = 1, // CertificateOfMembership
-		CREDENTIAL_TYPE_CAPABILITY = 2,
-		CREDENTIAL_TYPE_TAG = 3,
-		CREDENTIAL_TYPE_COO = 4 // CertificateOfOwnership
-	};
+	static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_REVOCATION; }
 
 	Revocation()
 	{
@@ -73,23 +64,23 @@ public:
 	 * @param tgt Target node whose credential(s) are being revoked
 	 * @param ct Credential type being revoked
 	 */
-	Revocation(const uint64_t i,const uint64_t nwid,const uint64_t cid,const uint64_t thr,const uint64_t fl,const Address &tgt,const CredentialType ct) :
+	Revocation(const uint32_t i,const uint64_t nwid,const uint32_t cid,const uint64_t thr,const uint64_t fl,const Address &tgt,const Credential::Type ct) :
 		_id(i),
-		_networkId(nwid),
 		_credentialId(cid),
+		_networkId(nwid),
 		_threshold(thr),
 		_flags(fl),
 		_target(tgt),
 		_signedBy(),
 		_type(ct) {}
 
-	inline uint64_t id() const { return _id; }
+	inline uint32_t id() const { return _id; }
+	inline uint32_t credentialId() const { return _credentialId; }
 	inline uint64_t networkId() const { return _networkId; }
-	inline uint64_t credentialId() const { return _credentialId; }
 	inline uint64_t threshold() const { return _threshold; }
 	inline const Address &target() const { return _target; }
 	inline const Address &signer() const { return _signedBy; }
-	inline CredentialType type() const { return _type; }
+	inline Credential::Type type() const { return _type; }
 
 	inline bool fastPropagate() const { return ((_flags & ZT_REVOCATION_FLAG_FAST_PROPAGATE) != 0); }
 
@@ -123,8 +114,10 @@ public:
 	{
 		if (forSign) b.append((uint64_t)0x7f7f7f7f7f7f7f7fULL);
 
+		b.append((uint32_t)0); // 4 unused bytes, currently set to 0
 		b.append(_id);
 		b.append(_networkId);
+		b.append((uint32_t)0); // 4 unused bytes, currently set to 0
 		b.append(_credentialId);
 		b.append(_threshold);
 		b.append(_flags);
@@ -151,14 +144,16 @@ public:
 
 		unsigned int p = startAt;
 
-		_id = b.template at<uint64_t>(p); p += 8;
+		p += 4; // 4 bytes, currently unused
+		_id = b.template at<uint32_t>(p); p += 4;
 		_networkId = b.template at<uint64_t>(p); p += 8;
-		_credentialId = b.template at<uint64_t>(p); p += 8;
+		p += 4; // 4 bytes, currently unused
+		_credentialId = b.template at<uint32_t>(p); p += 4;
 		_threshold = b.template at<uint64_t>(p); p += 8;
 		_flags = b.template at<uint64_t>(p); p += 8;
 		_target.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); p += ZT_ADDRESS_LENGTH;
 		_signedBy.setTo(b.field(p,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); p += ZT_ADDRESS_LENGTH;
-		_type = (CredentialType)b[p++];
+		_type = (Credential::Type)b[p++];
 
 		if (b[p++] == 1) {
 			if (b.template at<uint16_t>(p) == ZT_C25519_SIGNATURE_LEN) {
@@ -178,14 +173,14 @@ public:
 	}
 
 private:
-	uint64_t _id;
+	uint32_t _id;
+	uint32_t _credentialId;
 	uint64_t _networkId;
-	uint64_t _credentialId;
 	uint64_t _threshold;
 	uint64_t _flags;
 	Address _target;
 	Address _signedBy;
-	CredentialType _type;
+	Credential::Type _type;
 	C25519::Signature _signature;
 };
 
diff --git a/node/Tag.hpp b/node/Tag.hpp
index 38085906..1f7f6835 100644
--- a/node/Tag.hpp
+++ b/node/Tag.hpp
@@ -25,6 +25,7 @@
 #include <string.h>
 
 #include "Constants.hpp"
+#include "Credential.hpp"
 #include "C25519.hpp"
 #include "Address.hpp"
 #include "Identity.hpp"
@@ -51,9 +52,11 @@ class RuntimeEnvironment;
  * Unlike capabilities tags are signed only by the issuer and are never
  * transferrable.
  */
-class Tag
+class Tag : public Credential
 {
 public:
+	static inline Credential::Type credentialType() { return Credential::CREDENTIAL_TYPE_TAG; }
+
 	Tag()
 	{
 		memset(this,0,sizeof(Tag));
@@ -67,19 +70,19 @@ public:
 	 * @param value Tag value
 	 */
 	Tag(const uint64_t nwid,const uint64_t ts,const Address &issuedTo,const uint32_t id,const uint32_t value) :
-		_networkId(nwid),
-		_ts(ts),
 		_id(id),
 		_value(value),
+		_networkId(nwid),
+		_ts(ts),
 		_issuedTo(issuedTo),
 		_signedBy()
 	{
 	}
 
-	inline uint64_t networkId() const { return _networkId; }
-	inline uint64_t timestamp() const { return _ts; }
 	inline uint32_t id() const { return _id; }
 	inline const uint32_t &value() const { return _value; }
+	inline uint64_t networkId() const { return _networkId; }
+	inline uint64_t timestamp() const { return _ts; }
 	inline const Address &issuedTo() const { return _issuedTo; }
 	inline const Address &signedBy() const { return _signedBy; }
 
@@ -115,11 +118,9 @@ public:
 	{
 		if (forSign) b.append((uint64_t)0x7f7f7f7f7f7f7f7fULL);
 
-		// These are the same between Tag and Capability
 		b.append(_networkId);
 		b.append(_ts);
 		b.append(_id);
-
 		b.append(_value);
 
 		_issuedTo.appendTo(b);
@@ -187,10 +188,10 @@ public:
 	};
 
 private:
-	uint64_t _networkId;
-	uint64_t _ts;
 	uint32_t _id;
 	uint32_t _value;
+	uint64_t _networkId;
+	uint64_t _ts;
 	Address _issuedTo;
 	Address _signedBy;
 	C25519::Signature _signature;