Merge branch 'dev' into netbsd-support

1 files changed, 283 insertions, 351 deletions

diff --git a/node/Peer.hpp b/node/Peer.hpp
index 445535c8..b6f3c695 100644
--- a/node/Peer.hpp
+++ b/node/Peer.hpp
@@ -1,6 +1,6 @@
 /*
  * ZeroTier One - Network Virtualization Everywhere
- * Copyright (C) 2011-2016  ZeroTier, Inc.  https://www.zerotier.com/
+ * Copyright (C) 2011-2018  ZeroTier, Inc.  https://www.zerotier.com/
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -14,6 +14,14 @@
  *
  * You should have received a copy of the GNU General Public License
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * --
+ *
+ * You can be released from the requirements of the license by purchasing
+ * a commercial license. Buying such a license is mandatory as soon as you
+ * develop commercial closed-source software that incorporates or links
+ * directly against ZeroTier software without disclosing the source code
+ * of your own application.
  */
 
 #ifndef ZT_PEER_HPP
@@ -31,7 +39,6 @@
 #include "../include/ZeroTierOne.h"
 
 #include "RuntimeEnvironment.hpp"
-#include "CertificateOfMembership.hpp"
 #include "Path.hpp"
 #include "Address.hpp"
 #include "Utils.hpp"
@@ -42,18 +49,15 @@
 #include "AtomicCounter.hpp"
 #include "Hashtable.hpp"
 #include "Mutex.hpp"
-#include "NonCopyable.hpp"
 
-// Very rough computed estimate: (8 + 256 + 80 + (16 * 64) + (128 * 256) + (128 * 16))
-// 1048576 provides tons of headroom -- overflow would just cause peer not to be persisted
-#define ZT_PEER_SUGGESTED_SERIALIZATION_BUFFER_SIZE 1048576
+#define ZT_PEER_MAX_SERIALIZED_STATE_SIZE (sizeof(Peer) + 32 + (sizeof(Path) * 2))
 
 namespace ZeroTier {
 
 /**
  * Peer on P2P Network (virtual layer 1)
  */
-class Peer : NonCopyable
+class Peer
 {
 	friend class SharedPtr<Peer>;
 
@@ -74,26 +78,14 @@ public:
 	Peer(const RuntimeEnvironment *renv,const Identity &myIdentity,const Identity &peerIdentity);
 
 	/**
-	 * @return Time peer record was last used in any way
-	 */
-	inline uint64_t lastUsed() const throw() { return _lastUsed; }
-
-	/**
-	 * Log a use of this peer record (done by Topology when peers are looked up)
-	 *
-	 * @param now New time of last use
-	 */
-	inline void use(uint64_t now) throw() { _lastUsed = now; }
-
-	/**
 	 * @return This peer's ZT address (short for identity().address())
 	 */
-	inline const Address &address() const throw() { return _id.address(); }
+	inline const Address &address() const { return _id.address(); }
 
 	/**
 	 * @return This peer's identity
 	 */
-	inline const Identity &identity() const throw() { return _id; }
+	inline const Identity &identity() const { return _id; }
 
 	/**
 	 * Log receipt of an authenticated packet
@@ -101,154 +93,190 @@ public:
 	 * This is called by the decode pipe when a packet is proven to be authentic
 	 * and appears to be valid.
 	 *
-	 * @param RR Runtime environment
-	 * @param localAddr Local address
-	 * @param remoteAddr Internet address of sender
+	 * @param tPtr Thread pointer to be handed through to any callbacks called as a result of this call
+	 * @param path Path over which packet was received
 	 * @param hops ZeroTier (not IP) hops
 	 * @param packetId Packet ID
 	 * @param verb Packet verb
 	 * @param inRePacketId Packet ID in reply to (default: none)
 	 * @param inReVerb Verb in reply to (for OK/ERROR, default: VERB_NOP)
+	 * @param trustEstablished If true, some form of non-trivial trust (like allowed in network) has been established
+	 * @param networkId Network ID if this pertains to a network, or 0 otherwise
 	 */
 	void received(
-		const InetAddress &localAddr,
-		const InetAddress &remoteAddr,
-		unsigned int hops,
-		uint64_t packetId,
-		Packet::Verb verb,
-		uint64_t inRePacketId = 0,
-		Packet::Verb inReVerb = Packet::VERB_NOP);
-
-	/**
-	 * Get the current best direct path to this peer
+		void *tPtr,
+		const SharedPtr<Path> &path,
+		const unsigned int hops,
+		const uint64_t packetId,
+		const Packet::Verb verb,
+		const uint64_t inRePacketId,
+		const Packet::Verb inReVerb,
+		const bool trustEstablished,
+		const uint64_t networkId);
+
+	/**
+	 * Check whether we have an active path to this peer via the given address
 	 *
 	 * @param now Current time
-	 * @return Best path or NULL if there are no active direct paths
-	 */
-	inline Path *getBestPath(uint64_t now) { return _getBestPath(now); }
-
-	/**
-	 * @param now Current time
 	 * @param addr Remote address
 	 * @return True if we have an active path to this destination
 	 */
-	inline bool hasActivePathTo(uint64_t now,const InetAddress &addr) const
+	inline bool hasActivePathTo(int64_t now,const InetAddress &addr) const
 	{
-		for(unsigned int p=0;p<_numPaths;++p) {
-			if ((_paths[p].active(now))&&(_paths[p].address() == addr))
-				return true;
+		Mutex::Lock _l(_paths_m);
+		for(unsigned int i=0;i<ZT_MAX_PEER_NETWORK_PATHS;++i) {
+			if (_paths[i].p) {
+				if (((now - _paths[i].lr) < ZT_PEER_PATH_EXPIRATION)&&(_paths[i].p->address() == addr))
+					return true;
+			} else break;
 		}
 		return false;
 	}
 
 	/**
-	 * Set all paths in the same ss_family that are not this one to cluster suboptimal
-	 *
-	 * Addresses in other families are not affected.
+	 * Send via best direct path
 	 *
-	 * @param addr Address to make exclusive
+	 * @param tPtr Thread pointer to be handed through to any callbacks called as a result of this call
+	 * @param data Packet data
+	 * @param len Packet length
+	 * @param now Current time
+	 * @param force If true, send even if path is not alive
+	 * @return True if we actually sent something
 	 */
-	inline void setClusterOptimalPathForAddressFamily(const InetAddress &addr)
+	inline bool sendDirect(void *tPtr,const void *data,unsigned int len,int64_t now,bool force)
 	{
-		for(unsigned int p=0;p<_numPaths;++p) {
-			if (_paths[p].address().ss_family == addr.ss_family) {
-				_paths[p].setClusterSuboptimal(_paths[p].address() != addr);
-			}
-		}
+		SharedPtr<Path> bp(getBestPath(now,force));
+		if (bp)
+			return bp->send(RR,tPtr,data,len,now);
+		return false;
 	}
 
 	/**
-	 * Send via best path
+	 * Get the best current direct path
 	 *
-	 * @param data Packet data
-	 * @param len Packet length
 	 * @param now Current time
-	 * @return Path used on success or NULL on failure
+	 * @param includeExpired If true, include even expired paths
+	 * @return Best current path or NULL if none
 	 */
-	inline Path *send(const void *data,unsigned int len,uint64_t now)
-	{
-		Path *const bestPath = getBestPath(now);
-		if (bestPath) {
-			if (bestPath->send(RR,data,len,now))
-				return bestPath;
-		}
-		return (Path *)0;
-	}
+	SharedPtr<Path> getBestPath(int64_t now,bool includeExpired) const;
+
+	/**
+	 * Send VERB_RENDEZVOUS to this and another peer via the best common IP scope and path
+	 */
+	void introduce(void *const tPtr,const int64_t now,const SharedPtr<Peer> &other) const;
 
 	/**
 	 * Send a HELLO to this peer at a specified physical address
 	 *
-	 * This does not update any statistics. It's used to send initial HELLOs
-	 * for NAT traversal and path verification.
+	 * No statistics or sent times are updated here.
 	 *
-	 * @param localAddr Local address
+	 * @param tPtr Thread pointer to be handed through to any callbacks called as a result of this call
+	 * @param localSocket Local source socket
 	 * @param atAddress Destination address
 	 * @param now Current time
-	 * @param ttl Desired IP TTL (default: 0 to leave alone)
 	 */
-	void sendHELLO(const InetAddress &localAddr,const InetAddress &atAddress,uint64_t now,unsigned int ttl = 0);
+	void sendHELLO(void *tPtr,const int64_t localSocket,const InetAddress &atAddress,int64_t now);
 
 	/**
-	 * Send pings or keepalives depending on configured timeouts
+	 * Send ECHO (or HELLO for older peers) to this peer at the given address
 	 *
+	 * No statistics or sent times are updated here.
+	 *
+	 * @param tPtr Thread pointer to be handed through to any callbacks called as a result of this call
+	 * @param localSocket Local source socket
+	 * @param atAddress Destination address
 	 * @param now Current time
-	 * @param inetAddressFamily Keep this address family alive, or 0 to simply pick current best ignoring family
-	 * @return True if at least one direct path seems alive
+	 * @param sendFullHello If true, always send a full HELLO instead of just an ECHO
 	 */
-	bool doPingAndKeepalive(uint64_t now,int inetAddressFamily);
+	void attemptToContactAt(void *tPtr,const int64_t localSocket,const InetAddress &atAddress,int64_t now,bool sendFullHello);
 
 	/**
-	 * Push direct paths back to self if we haven't done so in the configured timeout
+	 * Try a memorized or statically defined path if any are known
+	 *
+	 * Under the hood this is done periodically based on ZT_TRY_MEMORIZED_PATH_INTERVAL.
 	 *
-	 * @param localAddr Local address
-	 * @param toAddress Remote address to send push to (usually from path)
+	 * @param tPtr Thread pointer to be handed through to any callbacks called as a result of this call
 	 * @param now Current time
-	 * @param force If true, push regardless of rate limit
-	 * @param includePrivatePaths If true, include local interface address paths (should only be done to peers with a trust relationship)
-	 * @return True if something was actually sent
 	 */
-	bool pushDirectPaths(const InetAddress &localAddr,const InetAddress &toAddress,uint64_t now,bool force,bool includePrivatePaths);
+	void tryMemorizedPath(void *tPtr,int64_t now);
 
 	/**
-	 * @return All known direct paths to this peer (active or inactive)
+	 * Send pings or keepalives depending on configured timeouts
+	 *
+	 * This also cleans up some internal data structures. It's called periodically from Node.
+	 *
+	 * @param tPtr Thread pointer to be handed through to any callbacks called as a result of this call
+	 * @param now Current time
+	 * @param inetAddressFamily Keep this address family alive, or -1 for any
+	 * @return 0 if nothing sent or bit mask: bit 0x1 if IPv4 sent, bit 0x2 if IPv6 sent (0x3 means both sent)
 	 */
-	inline std::vector<Path> paths() const
-	{
-		std::vector<Path> pp;
-		for(unsigned int p=0,np=_numPaths;p<np;++p)
-			pp.push_back(_paths[p]);
-		return pp;
-	}
+	unsigned int doPingAndKeepalive(void *tPtr,int64_t now);
 
 	/**
-	 * @return Time of last receive of anything, whether direct or relayed
+	 * Process a cluster redirect sent by this peer
+	 *
+	 * @param tPtr Thread pointer to be handed through to any callbacks called as a result of this call
+	 * @param originatingPath Path from which redirect originated
+	 * @param remoteAddress Remote address
+	 * @param now Current time
 	 */
-	inline uint64_t lastReceive() const throw() { return _lastReceive; }
+	void clusterRedirect(void *tPtr,const SharedPtr<Path> &originatingPath,const InetAddress &remoteAddress,const int64_t now);
 
 	/**
-	 * @return Time of most recent unicast frame received
+	 * Reset paths within a given IP scope and address family
+	 *
+	 * Resetting a path involves sending an ECHO to it and then deactivating
+	 * it until or unless it responds. This is done when we detect a change
+	 * to our external IP or another system change that might invalidate
+	 * many or all current paths.
+	 *
+	 * @param tPtr Thread pointer to be handed through to any callbacks called as a result of this call
+	 * @param scope IP scope
+	 * @param inetAddressFamily Family e.g. AF_INET
+	 * @param now Current time
 	 */
-	inline uint64_t lastUnicastFrame() const throw() { return _lastUnicastFrame; }
+	void resetWithinScope(void *tPtr,InetAddress::IpScope scope,int inetAddressFamily,int64_t now);
 
 	/**
-	 * @return Time of most recent multicast frame received
+	 * @param now Current time
+	 * @return All known paths to this peer
 	 */
-	inline uint64_t lastMulticastFrame() const throw() { return _lastMulticastFrame; }
+	inline std::vector< SharedPtr<Path> > paths(const int64_t now) const
+	{
+		std::vector< SharedPtr<Path> > pp;
+		Mutex::Lock _l(_paths_m);
+		for(unsigned int i=0;i<ZT_MAX_PEER_NETWORK_PATHS;++i) {
+			if (!_paths[i].p) break;
+			pp.push_back(_paths[i].p);
+		}
+		return pp;
+	}
 
 	/**
-	 * @return Time of most recent frame of any kind (unicast or multicast)
+	 * @return Time of last receive of anything, whether direct or relayed
 	 */
-	inline uint64_t lastFrame() const throw() { return std::max(_lastUnicastFrame,_lastMulticastFrame); }
+	inline int64_t lastReceive() const { return _lastReceive; }
+
+	/**
+	 * @return True if we've heard from this peer in less than ZT_PEER_ACTIVITY_TIMEOUT
+	 */
+	inline bool isAlive(const int64_t now) const { return ((now - _lastReceive) < ZT_PEER_ACTIVITY_TIMEOUT); }
 
 	/**
 	 * @return True if this peer has sent us real network traffic recently
 	 */
-	inline uint64_t activelyTransferringFrames(uint64_t now) const throw() { return ((now - lastFrame()) < ZT_PEER_ACTIVITY_TIMEOUT); }
+	inline int64_t isActive(int64_t now) const { return ((now - _lastNontrivialReceive) < ZT_PEER_ACTIVITY_TIMEOUT); }
 
 	/**
-	 * @return Latency in milliseconds or 0 if unknown
+	 * @return Latency in milliseconds of best path or 0xffff if unknown / no paths
 	 */
-	inline unsigned int latency() const { return _latency; }
+	inline unsigned int latency(const int64_t now) const
+	{
+		SharedPtr<Path> bp(getBestPath(now,false));
+		if (bp)
+			return bp->latency();
+		return 0xffff;
+	}
 
 	/**
 	 * This computes a quality score for relays and root servers
@@ -261,71 +289,21 @@ public:
 	 *
 	 * @return Relay quality score computed from latency and other factors, lower is better
 	 */
-	inline unsigned int relayQuality(const uint64_t now) const
+	inline unsigned int relayQuality(const int64_t now) const
 	{
 		const uint64_t tsr = now - _lastReceive;
 		if (tsr >= ZT_PEER_ACTIVITY_TIMEOUT)
 			return (~(unsigned int)0);
-		unsigned int l = _latency;
+		unsigned int l = latency(now);
 		if (!l)
 			l = 0xffff;
-		return (l * (((unsigned int)tsr / (ZT_PEER_DIRECT_PING_DELAY + 1000)) + 1));
+		return (l * (((unsigned int)tsr / (ZT_PEER_PING_PERIOD + 1000)) + 1));
 	}
 
 	/**
-	 * Update latency with a new direct measurment
-	 *
-	 * @param l Direct latency measurment in ms
-	 */
-	inline void addDirectLatencyMeasurment(unsigned int l)
-	{
-		unsigned int ol = _latency;
-		if ((ol > 0)&&(ol < 10000))
-			_latency = (ol + std::min(l,(unsigned int)65535)) / 2;
-		else _latency = std::min(l,(unsigned int)65535);
-	}
-
-	/**
-	 * @param now Current time
-	 * @return True if this peer has at least one active direct path
-	 */
-	inline bool hasActiveDirectPath(uint64_t now) const
-	{
-		for(unsigned int p=0;p<_numPaths;++p) {
-			if (_paths[p].active(now))
-				return true;
-		}
-		return false;
-	}
-
-#ifdef ZT_ENABLE_CLUSTER
-	/**
-	 * @param now Current time
-	 * @return True if this peer has at least one active direct path that is not cluster-suboptimal
-	 */
-	inline bool hasClusterOptimalPath(uint64_t now) const
-	{
-		for(unsigned int p=0,np=_numPaths;p<np;++p) {
-			if ((_paths[p].active(now))&&(!_paths[p].isClusterSuboptimal()))
-				return true;
-		}
-		return false;
-	}
-#endif
-
-	/**
-	 * Reset paths within a given scope
-	 *
-	 * @param scope IP scope of paths to reset
-	 * @param now Current time
-	 * @return True if at least one path was forgotten
-	 */
-	bool resetWithinScope(InetAddress::IpScope scope,uint64_t now);
-
-	/**
 	 * @return 256-bit secret symmetric encryption key
 	 */
-	inline const unsigned char *key() const throw() { return _key; }
+	inline const unsigned char *key() const { return _key; }
 
 	/**
 	 * Set the currently known remote version of this peer's client
@@ -343,259 +321,213 @@ public:
 		_vRevision = (uint16_t)vrev;
 	}
 
-	inline unsigned int remoteVersionProtocol() const throw() { return _vProto; }
-	inline unsigned int remoteVersionMajor() const throw() { return _vMajor; }
-	inline unsigned int remoteVersionMinor() const throw() { return _vMinor; }
-	inline unsigned int remoteVersionRevision() const throw() { return _vRevision; }
+	inline unsigned int remoteVersionProtocol() const { return _vProto; }
+	inline unsigned int remoteVersionMajor() const { return _vMajor; }
+	inline unsigned int remoteVersionMinor() const { return _vMinor; }
+	inline unsigned int remoteVersionRevision() const { return _vRevision; }
 
-	inline bool remoteVersionKnown() const throw() { return ((_vMajor > 0)||(_vMinor > 0)||(_vRevision > 0)); }
+	inline bool remoteVersionKnown() const { return ((_vMajor > 0)||(_vMinor > 0)||(_vRevision > 0)); }
 
 	/**
-	 * Get most recently active path addresses for IPv4 and/or IPv6
-	 *
-	 * Note that v4 and v6 are not modified if they are not found, so
-	 * initialize these to a NULL address to be able to check.
-	 *
-	 * @param now Current time
-	 * @param v4 Result parameter to receive active IPv4 address, if any
-	 * @param v6 Result parameter to receive active IPv6 address, if any
+	 * @return True if peer has received a trust established packet (e.g. common network membership) in the past ZT_TRUST_EXPIRATION ms
 	 */
-	void getBestActiveAddresses(uint64_t now,InetAddress &v4,InetAddress &v6) const;
+	inline bool trustEstablished(const int64_t now) const { return ((now - _lastTrustEstablishedPacketReceived) < ZT_TRUST_EXPIRATION); }
 
 	/**
-	 * Check network COM agreement with this peer
-	 *
-	 * @param nwid Network ID
-	 * @param com Another certificate of membership
-	 * @return True if supplied COM agrees with ours, false if not or if we don't have one
+	 * Rate limit gate for VERB_PUSH_DIRECT_PATHS
 	 */
-	bool networkMembershipCertificatesAgree(uint64_t nwid,const CertificateOfMembership &com) const;
+	inline bool rateGatePushDirectPaths(const int64_t now)
+	{
+		if ((now - _lastDirectPathPushReceive) <= ZT_PUSH_DIRECT_PATHS_CUTOFF_TIME)
+			++_directPathPushCutoffCount;
+		else _directPathPushCutoffCount = 0;
+		_lastDirectPathPushReceive = now;
+		return (_directPathPushCutoffCount < ZT_PUSH_DIRECT_PATHS_CUTOFF_LIMIT);
+	}
 
 	/**
-	 * Check the validity of the COM and add/update if valid and new
-	 *
-	 * @param nwid Network ID
-	 * @param com Externally supplied COM
+	 * Rate limit gate for VERB_NETWORK_CREDENTIALS
 	 */
-	bool validateAndSetNetworkMembershipCertificate(uint64_t nwid,const CertificateOfMembership &com);
+	inline bool rateGateCredentialsReceived(const int64_t now)
+	{
+		if ((now - _lastCredentialsReceived) <= ZT_PEER_CREDENTIALS_CUTOFF_TIME)
+			++_credentialsCutoffCount;
+		else _credentialsCutoffCount = 0;
+		_lastCredentialsReceived = now;
+		return (_directPathPushCutoffCount < ZT_PEER_CREDEITIALS_CUTOFF_LIMIT);
+	}
 
 	/**
-	 * @param nwid Network ID
-	 * @param now Current time
-	 * @param updateLastPushedTime If true, go ahead and update the last pushed time regardless of return value
-	 * @return Whether or not this peer needs another COM push from us
+	 * Rate limit gate for sending of ERROR_NEED_MEMBERSHIP_CERTIFICATE
 	 */
-	bool needsOurNetworkMembershipCertificate(uint64_t nwid,uint64_t now,bool updateLastPushedTime);
+	inline bool rateGateRequestCredentials(const int64_t now)
+	{
+		if ((now - _lastCredentialRequestSent) >= ZT_PEER_GENERAL_RATE_LIMIT) {
+			_lastCredentialRequestSent = now;
+			return true;
+		}
+		return false;
+	}
 
 	/**
-	 * Perform periodic cleaning operations
-	 *
-	 * @param now Current time
+	 * Rate limit gate for inbound WHOIS requests
 	 */
-	void clean(uint64_t now);
+	inline bool rateGateInboundWhoisRequest(const int64_t now)
+	{
+		if ((now - _lastWhoisRequestReceived) >= ZT_PEER_WHOIS_RATE_LIMIT) {
+			_lastWhoisRequestReceived = now;
+			return true;
+		}
+		return false;
+	}
 
 	/**
-	 * Update direct path push stats and return true if we should respond
-	 *
-	 * This is a circuit breaker to make VERB_PUSH_DIRECT_PATHS not particularly
-	 * useful as a DDOS amplification attack vector. Otherwise a malicious peer
-	 * could send loads of these and cause others to bombard arbitrary IPs with
-	 * traffic.
-	 *
-	 * @param now Current time
-	 * @return True if we should respond
+	 * Rate limit gate for inbound ECHO requests
 	 */
-	inline bool shouldRespondToDirectPathPush(const uint64_t now)
+	inline bool rateGateEchoRequest(const int64_t now)
 	{
-		if ((now - _lastDirectPathPushReceive) <= ZT_PUSH_DIRECT_PATHS_CUTOFF_TIME)
-			++_directPathPushCutoffCount;
-		else _directPathPushCutoffCount = 0;
-		_lastDirectPathPushReceive = now;
-		return (_directPathPushCutoffCount < ZT_PUSH_DIRECT_PATHS_CUTOFF_LIMIT);
+		if ((now - _lastEchoRequestReceived) >= ZT_PEER_GENERAL_RATE_LIMIT) {
+			_lastEchoRequestReceived = now;
+			return true;
+		}
+		return false;
 	}
 
 	/**
-	 * Find a common set of addresses by which two peers can link, if any
-	 *
-	 * @param a Peer A
-	 * @param b Peer B
-	 * @param now Current time
-	 * @return Pair: B's address (to send to A), A's address (to send to B)
+	 * Rate gate incoming requests for network COM
 	 */
-	static inline std::pair<InetAddress,InetAddress> findCommonGround(const Peer &a,const Peer &b,uint64_t now)
+	inline bool rateGateIncomingComRequest(const int64_t now)
 	{
-		std::pair<InetAddress,InetAddress> v4,v6;
-		b.getBestActiveAddresses(now,v4.first,v6.first);
-		a.getBestActiveAddresses(now,v4.second,v6.second);
-		if ((v6.first)&&(v6.second)) // prefer IPv6 if both have it since NAT-t is (almost) unnecessary
-			return v6;
-		else if ((v4.first)&&(v4.second))
-			return v4;
-		else return std::pair<InetAddress,InetAddress>();
+		if ((now - _lastComRequestReceived) >= ZT_PEER_GENERAL_RATE_LIMIT) {
+			_lastComRequestReceived = now;
+			return true;
+		}
+		return false;
 	}
 
-	template<unsigned int C>
-	inline void serialize(Buffer<C> &b) const
+	/**
+	 * Rate gate outgoing requests for network COM
+	 */
+	inline bool rateGateOutgoingComRequest(const int64_t now)
 	{
-		Mutex::Lock _l(_networkComs_m);
-
-		const unsigned int recSizePos = b.size();
-		b.addSize(4); // space for uint32_t field length
+		if ((now - _lastComRequestSent) >= ZT_PEER_GENERAL_RATE_LIMIT) {
+			_lastComRequestSent = now;
+			return true;
+		}
+		return false;
+	}
 
-		b.append((uint16_t)1); // version of serialized Peer data
+	/**
+	 * Serialize a peer for storage in local cache
+	 *
+	 * This does not serialize everything, just non-ephemeral information.
+	 */
+	template<unsigned int C>
+	inline void serializeForCache(Buffer<C> &b) const
+	{
+		b.append((uint8_t)1);
 
-		_id.serialize(b,false);
+		_id.serialize(b);
 
-		b.append((uint64_t)_lastUsed);
-		b.append((uint64_t)_lastReceive);
-		b.append((uint64_t)_lastUnicastFrame);
-		b.append((uint64_t)_lastMulticastFrame);
-		b.append((uint64_t)_lastAnnouncedTo);
-		b.append((uint64_t)_lastDirectPathPushSent);
-		b.append((uint64_t)_lastDirectPathPushReceive);
-		b.append((uint64_t)_lastPathSort);
 		b.append((uint16_t)_vProto);
 		b.append((uint16_t)_vMajor);
 		b.append((uint16_t)_vMinor);
 		b.append((uint16_t)_vRevision);
-		b.append((uint32_t)_latency);
-		b.append((uint16_t)_directPathPushCutoffCount);
-
-		b.append((uint16_t)_numPaths);
-		for(unsigned int i=0;i<_numPaths;++i)
-			_paths[i].serialize(b);
-
-		b.append((uint32_t)_networkComs.size());
-		{
-			uint64_t *k = (uint64_t *)0;
-			_NetworkCom *v = (_NetworkCom *)0;
-			Hashtable<uint64_t,_NetworkCom>::Iterator i(const_cast<Peer *>(this)->_networkComs);
-			while (i.next(k,v)) {
-				b.append((uint64_t)*k);
-				b.append((uint64_t)v->ts);
-				v->com.serialize(b);
-			}
-		}
 
-		b.append((uint32_t)_lastPushedComs.size());
 		{
-			uint64_t *k = (uint64_t *)0;
-			uint64_t *v = (uint64_t *)0;
-			Hashtable<uint64_t,uint64_t>::Iterator i(const_cast<Peer *>(this)->_lastPushedComs);
-			while (i.next(k,v)) {
-				b.append((uint64_t)*k);
-				b.append((uint64_t)*v);
+			Mutex::Lock _l(_paths_m);
+			unsigned int pc = 0;
+			for(unsigned int i=0;i<ZT_MAX_PEER_NETWORK_PATHS;++i) {
+				if (_paths[i].p)
+					++pc;
+				else break;
 			}
+			b.append((uint16_t)pc);
+			for(unsigned int i=0;i<pc;++i)
+				_paths[i].p->address().serialize(b);
 		}
-
-		b.template setAt<uint32_t>(recSizePos,(uint32_t)(b.size() - (recSizePos + 4))); // set size
 	}
 
-	/**
-	 * Create a new Peer from a serialized instance
-	 *
-	 * @param renv Runtime environment
-	 * @param myIdentity This node's identity
-	 * @param b Buffer containing serialized Peer data
-	 * @param p Pointer to current position in buffer, will be updated in place as buffer is read (value/result)
-	 * @return New instance of Peer or NULL if serialized data was corrupt or otherwise invalid (may also throw an exception via Buffer)
-	 */
 	template<unsigned int C>
-	static inline SharedPtr<Peer> deserializeNew(const RuntimeEnvironment *renv,const Identity &myIdentity,const Buffer<C> &b,unsigned int &p)
+	inline static SharedPtr<Peer> deserializeFromCache(int64_t now,void *tPtr,Buffer<C> &b,const RuntimeEnvironment *renv)
 	{
-		const unsigned int recSize = b.template at<uint32_t>(p); p += 4;
-		if ((p + recSize) > b.size())
-			return SharedPtr<Peer>(); // size invalid
-		if (b.template at<uint16_t>(p) != 1)
-			return SharedPtr<Peer>(); // version mismatch
-		p += 2;
-
-		Identity npid;
-		p += npid.deserialize(b,p);
-		if (!npid)
-			return SharedPtr<Peer>();
-
-		SharedPtr<Peer> np(new Peer(renv,myIdentity,npid));
-
-		np->_lastUsed = b.template at<uint64_t>(p); p += 8;
-		np->_lastReceive = b.template at<uint64_t>(p); p += 8;
-		np->_lastUnicastFrame = b.template at<uint64_t>(p); p += 8;
-		np->_lastMulticastFrame = b.template at<uint64_t>(p); p += 8;
-		np->_lastAnnouncedTo = b.template at<uint64_t>(p); p += 8;
-		np->_lastDirectPathPushSent = b.template at<uint64_t>(p); p += 8;
-		np->_lastDirectPathPushReceive = b.template at<uint64_t>(p); p += 8;
-		np->_lastPathSort = b.template at<uint64_t>(p); p += 8;
-		np->_vProto = b.template at<uint16_t>(p); p += 2;
-		np->_vMajor = b.template at<uint16_t>(p); p += 2;
-		np->_vMinor = b.template at<uint16_t>(p); p += 2;
-		np->_vRevision = b.template at<uint16_t>(p); p += 2;
-		np->_latency = b.template at<uint32_t>(p); p += 4;
-		np->_directPathPushCutoffCount = b.template at<uint16_t>(p); p += 2;
-
-		const unsigned int numPaths = b.template at<uint16_t>(p); p += 2;
-		for(unsigned int i=0;i<numPaths;++i) {
-			if (i < ZT_MAX_PEER_NETWORK_PATHS) {
-				p += np->_paths[np->_numPaths++].deserialize(b,p);
-			} else {
-				// Skip any paths beyond max, but still read stream
-				Path foo;
-				p += foo.deserialize(b,p);
+		try {
+			unsigned int ptr = 0;
+			if (b[ptr++] != 1)
+				return SharedPtr<Peer>();
+
+			Identity id;
+			ptr += id.deserialize(b,ptr);
+			if (!id)
+				return SharedPtr<Peer>();
+
+			SharedPtr<Peer> p(new Peer(renv,renv->identity,id));
+
+			p->_vProto = b.template at<uint16_t>(ptr); ptr += 2;
+			p->_vMajor = b.template at<uint16_t>(ptr); ptr += 2;
+			p->_vMinor = b.template at<uint16_t>(ptr); ptr += 2;
+			p->_vRevision = b.template at<uint16_t>(ptr); ptr += 2;
+
+			// When we deserialize from the cache we don't actually restore paths. We
+			// just try them and then re-learn them if they happen to still be up.
+			// Paths are fairly ephemeral in the real world in most cases.
+			const unsigned int tryPathCount = b.template at<uint16_t>(ptr); ptr += 2;
+			for(unsigned int i=0;i<tryPathCount;++i) {
+				InetAddress inaddr;
+				try {
+					ptr += inaddr.deserialize(b,ptr);
+					if (inaddr)
+						p->attemptToContactAt(tPtr,-1,inaddr,now,true);
+				} catch ( ... ) {
+					break;
+				}
 			}
-		}
-
-		const unsigned int numNetworkComs = b.template at<uint32_t>(p); p += 4;
-		for(unsigned int i=0;i<numNetworkComs;++i) {
-			_NetworkCom &c = np->_networkComs[b.template at<uint64_t>(p)]; p += 8;
-			c.ts = b.template at<uint64_t>(p); p += 8;
-			p += c.com.deserialize(b,p);
-		}
 
-		const unsigned int numLastPushed = b.template at<uint32_t>(p); p += 4;
-		for(unsigned int i=0;i<numLastPushed;++i) {
-			const uint64_t nwid = b.template at<uint64_t>(p); p += 8;
-			const uint64_t ts = b.template at<uint64_t>(p); p += 8;
-			np->_lastPushedComs.set(nwid,ts);
+			return p;
+		} catch ( ... ) {
+			return SharedPtr<Peer>();
 		}
-
-		return np;
 	}
 
 private:
-	void _doDeadPathDetection(Path &p,const uint64_t now);
-	Path *_getBestPath(const uint64_t now);
-	Path *_getBestPath(const uint64_t now,int inetAddressFamily);
+	struct _PeerPath
+	{
+		_PeerPath() : lr(0),p(),priority(1) {}
+		int64_t lr; // time of last valid ZeroTier packet
+		SharedPtr<Path> p;
+		long priority; // >= 1, higher is better
+	};
 
-	unsigned char _key[ZT_PEER_SECRET_KEY_LENGTH]; // computed with key agreement, not serialized
+	uint8_t _key[ZT_PEER_SECRET_KEY_LENGTH];
 
 	const RuntimeEnvironment *RR;
-	uint64_t _lastUsed;
-	uint64_t _lastReceive; // direct or indirect
-	uint64_t _lastUnicastFrame;
-	uint64_t _lastMulticastFrame;
-	uint64_t _lastAnnouncedTo;
-	uint64_t _lastDirectPathPushSent;
-	uint64_t _lastDirectPathPushReceive;
-	uint64_t _lastPathSort;
+
+	int64_t _lastReceive; // direct or indirect
+	int64_t _lastNontrivialReceive; // frames, things like netconf, etc.
+	int64_t _lastTriedMemorizedPath;
+	int64_t _lastDirectPathPushSent;
+	int64_t _lastDirectPathPushReceive;
+	int64_t _lastCredentialRequestSent;
+	int64_t _lastWhoisRequestReceived;
+	int64_t _lastEchoRequestReceived;
+	int64_t _lastComRequestReceived;
+	int64_t _lastComRequestSent;
+	int64_t _lastCredentialsReceived;
+	int64_t _lastTrustEstablishedPacketReceived;
+	int64_t _lastSentFullHello;
+
 	uint16_t _vProto;
 	uint16_t _vMajor;
 	uint16_t _vMinor;
 	uint16_t _vRevision;
+
+	_PeerPath _paths[ZT_MAX_PEER_NETWORK_PATHS];
+	Mutex _paths_m;
+
 	Identity _id;
-	Path _paths[ZT_MAX_PEER_NETWORK_PATHS];
-	unsigned int _numPaths;
-	unsigned int _latency;
-	unsigned int _directPathPushCutoffCount;
 
-	struct _NetworkCom
-	{
-		_NetworkCom() {}
-		_NetworkCom(uint64_t t,const CertificateOfMembership &c) : ts(t),com(c) {}
-		uint64_t ts;
-		CertificateOfMembership com;
-	};
-	Hashtable<uint64_t,_NetworkCom> _networkComs;
-	Hashtable<uint64_t,uint64_t> _lastPushedComs;
-	Mutex _networkComs_m;
+	unsigned int _directPathPushCutoffCount;
+	unsigned int _credentialsCutoffCount;
 
 	AtomicCounter __refCount;
 };