0.9.23/2.1.0 version update

skip extended options in SSU header
fixed complation error for boost 1.49 and gcc 4.7 and higher
2025-03-07 06:09:42 +00:00 · 2015-11-19 09:26:38 -05:00 · 2015-11-16 13:27:27 -05:00 · 2015-11-12 15:39:48 -05:00 · 2015-11-12 07:18:26 -05:00 · 2015-11-11 21:24:53 -06:00
159 changed files with 14657 additions and 24016 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@ obj/*.o
 router.info
 router.keys
 i2p
+libi2pd.so
 netDb

 # Autotools
--- a/AddressBook.cpp
+++ b/AddressBook.cpp
@@ -1,23 +1,214 @@
 #include <string.h>
+#include <inttypes.h>
 #include <string>
 #include <map>
-#include "base64.h"
+#include <fstream>
+#include <chrono>
+#include <condition_variable>
+#include <boost/filesystem.hpp>
+#include <boost/lexical_cast.hpp>
+#include "Base.h"
 #include "util.h"
 #include "Identity.h"
 #include "Log.h"
+#include "NetDb.h"
+#include "ClientContext.h"
 #include "AddressBook.h"

-#include <boost/algorithm/string.hpp>
-
 namespace i2p
 {
 namespace client
 {

-	AddressBook::AddressBook (): m_IsLoaded (false), m_IsDowloading (false)
+	class AddressBookFilesystemStorage: public AddressBookStorage
+	{
+		public:
+
+			AddressBookFilesystemStorage ();
+			std::shared_ptr<const i2p::data::IdentityEx> GetAddress (const i2p::data::IdentHash& ident) const;
+			void AddAddress (std::shared_ptr<const i2p::data::IdentityEx> address);
+			void RemoveAddress (const i2p::data::IdentHash& ident);
+
+			int Load (std::map<std::string, i2p::data::IdentHash>& addresses);
+			int Save (const std::map<std::string, i2p::data::IdentHash>& addresses);
+
+		private:	
+			
+			boost::filesystem::path GetPath () const { return i2p::util::filesystem::GetDefaultDataDir() / "addressbook"; };
+
+	};
+
+	AddressBookFilesystemStorage::AddressBookFilesystemStorage ()
+	{
+		auto path = GetPath ();
+		if (!boost::filesystem::exists (path))
+		{
+			// Create directory is necessary
+			if (!boost::filesystem::create_directory (path))
+				LogPrint (eLogError, "Failed to create addressbook directory");
+		}
+	}
+
+	std::shared_ptr<const i2p::data::IdentityEx> AddressBookFilesystemStorage::GetAddress (const i2p::data::IdentHash& ident) const
+	{
+		auto filename = GetPath () / (ident.ToBase32() + ".b32");
+		std::ifstream f(filename.c_str (), std::ifstream::binary);
+		if (f.is_open ())	
+		{
+			f.seekg (0,std::ios::end);
+			size_t len = f.tellg ();
+			if (len < i2p::data::DEFAULT_IDENTITY_SIZE)
+			{
+				LogPrint (eLogError, "File ", filename, " is too short. ", len);
+				return nullptr;
+			}
+			f.seekg(0, std::ios::beg);
+			uint8_t * buf = new uint8_t[len];
+			f.read((char *)buf, len);
+			auto address = std::make_shared<i2p::data::IdentityEx>(buf, len);
+			delete[] buf;
+			return address;
+		}
+		else
+			return nullptr;
+	}
+
+	void AddressBookFilesystemStorage::AddAddress (std::shared_ptr<const i2p::data::IdentityEx> address)
+	{
+		auto filename = GetPath () / (address->GetIdentHash ().ToBase32() + ".b32");
+		std::ofstream f (filename.c_str (), std::ofstream::binary | std::ofstream::out);
+		if (f.is_open ())	
+		{
+			size_t len = address->GetFullLen ();
+			uint8_t * buf = new uint8_t[len];
+			address->ToBuffer (buf, len);
+			f.write ((char *)buf, len);
+			delete[] buf;
+		}
+		else
+			LogPrint (eLogError, "Can't open file ", filename);	
+	}	
+
+	void AddressBookFilesystemStorage::RemoveAddress (const i2p::data::IdentHash& ident)
+	{
+		auto filename = GetPath () / (ident.ToBase32() + ".b32");
+		if (boost::filesystem::exists (filename))  
+			boost::filesystem::remove (filename);
+	}
+
+	int AddressBookFilesystemStorage::Load (std::map<std::string, i2p::data::IdentHash>& addresses)
+	{
+		int num = 0;	
+		auto filename = GetPath () / "addresses.csv";
+		std::ifstream f (filename.c_str (), std::ofstream::in); // in text mode
+		if (f.is_open ())	
+		{
+			addresses.clear ();
+			while (!f.eof ())
+			{
+				std::string s;
+				getline(f, s);
+				if (!s.length())
+					continue; // skip empty line
+
+				size_t pos = s.find(',');
+				if (pos != std::string::npos)
+				{
+					std::string name = s.substr(0, pos++);
+					std::string addr = s.substr(pos);
+
+					i2p::data::IdentHash ident;
+					ident.FromBase32 (addr);
+					addresses[name] = ident;
+					num++;
+				}		
+			}
+			LogPrint (eLogInfo, num, " addresses loaded");
+		}
+		else
+			LogPrint (eLogWarning, filename, " not found");
+		return num;
+	}
+
+	int AddressBookFilesystemStorage::Save (const std::map<std::string, i2p::data::IdentHash>& addresses)
+	{
+		int num = 0;
+		auto filename = GetPath () / "addresses.csv";
+		std::ofstream f (filename.c_str (), std::ofstream::out); // in text mode
+		if (f.is_open ())	
+		{
+			for (auto it: addresses)
+			{
+				f << it.first << "," << it.second.ToBase32 () << std::endl;
+				num++;
+			}
+			LogPrint (eLogInfo, num, " addresses saved");
+		}
+		else	
+			LogPrint (eLogError, "Can't open file ", filename);	
+		return num;	
+	}	
+
+//---------------------------------------------------------------------
+	AddressBook::AddressBook (): m_Storage (nullptr), m_IsLoaded (false), m_IsDownloading (false), 
+		m_DefaultSubscription (nullptr), m_SubscriptionsUpdateTimer (nullptr)
 	{
 	}

+	AddressBook::~AddressBook ()
+	{	
+		Stop ();
+	}
+
+	void AddressBook::Start ()
+	{
+		StartSubscriptions ();
+	}
+	
+	void AddressBook::Stop ()
+	{
+		StopSubscriptions ();
+		if (m_SubscriptionsUpdateTimer)
+		{	
+			delete m_SubscriptionsUpdateTimer;	
+			m_SubscriptionsUpdateTimer = nullptr;
+		}	
+		if (m_IsDownloading)
+		{
+			LogPrint (eLogInfo, "Subscription is downloading. Waiting for temination...");
+			for (int i = 0; i < 30; i++)
+			{
+				if (!m_IsDownloading)
+				{
+					LogPrint (eLogInfo, "Subscription download complete");
+					break;
+				}	
+				std::this_thread::sleep_for (std::chrono::seconds (1)); // wait for 1 seconds
+			}	
+			LogPrint (eLogError, "Subscription download hangs");
+			m_IsDownloading = false;
+		}	
+		if (m_Storage)
+		{
+			m_Storage->Save (m_Addresses);
+			delete m_Storage;
+			m_Storage = nullptr;
+		}
+		if (m_DefaultSubscription)
+		{	
+			delete m_DefaultSubscription;
+			m_DefaultSubscription = nullptr;
+		}	
+		for (auto it: m_Subscriptions)
+			delete it;
+		m_Subscriptions.clear ();	
+	}	
+	
+	AddressBookStorage * AddressBook::CreateStorage ()
+	{
+		return new AddressBookFilesystemStorage ();
+	}	
+
 	bool AddressBook::GetIdentHash (const std::string& address, i2p::data::IdentHash& ident)
 	{
 		auto pos = address.find(".b32.i2p");
@@ -37,9 +228,16 @@ namespace client
 					ident = *identHash;
 					return true;
 				}
+				else
+					return false;
 			}
 		}	
-		return false;
+		// if not .b32 we assume full base64 address
+		i2p::data::IdentityEx dest;
+		if (!dest.FromBase64 (address))
+			return false;
+		ident = dest.GetIdentHash ();
+		return true;
 	}
 	
 	const i2p::data::IdentHash * AddressBook::FindAddress (const std::string& address)
@@ -57,53 +255,68 @@ namespace client

 	void AddressBook::InsertAddress (const std::string& address, const std::string& base64)
 	{
-		i2p::data::IdentityEx ident;
-		ident.FromBase64 (base64);
-		m_Addresses[address] = ident.GetIdentHash ();
-		LogPrint (address,"->",ident.GetIdentHash ().ToBase32 (), ".b32.i2p added");
+		auto ident = std::make_shared<i2p::data::IdentityEx>();
+		ident->FromBase64 (base64);
+		if (!m_Storage)
+			 m_Storage = CreateStorage ();
+		m_Storage->AddAddress (ident);
+		m_Addresses[address] = ident->GetIdentHash ();
+		LogPrint (address,"->", ToAddress(ident->GetIdentHash ()), " added");
 	}

-	void AddressBook::LoadHostsFromI2P ()
+	void AddressBook::InsertAddress (std::shared_ptr<const i2p::data::IdentityEx> address)
 	{
-		std::string content;
-		int http_code = i2p::util::http::httpRequestViaI2pProxy("http://udhdrtrcetjm5sxzskjyr5ztpeszydbh4dpl3pl4utgqqw2v4jna.b32.i2p/hosts.txt", content);
-		if (http_code == 200)
-		{
-			std::ofstream f_save(i2p::util::filesystem::GetFullPath("hosts.txt").c_str(), std::ofstream::out);
-			if (f_save.is_open())
-			{
-				f_save << content;
-				f_save.close();
-			}
-			else
-				LogPrint("Can't write hosts.txt");
-			m_IsLoaded = false;
-		}	
-		else
-			LogPrint ("Failed to download hosts.txt");
-		m_IsDowloading = false;	
-	
-		return;
+		if (!m_Storage) 
+			m_Storage = CreateStorage ();
+		m_Storage->AddAddress (address);
 	}

+	std::shared_ptr<const i2p::data::IdentityEx> AddressBook::GetAddress (const std::string& address)
+	{
+		if (!m_Storage) 
+			m_Storage = CreateStorage ();
+		i2p::data::IdentHash ident;
+		if (!GetIdentHash (address, ident)) return nullptr;
+		return m_Storage->GetAddress (ident);
+	}	
+
 	void AddressBook::LoadHosts ()
 	{
-		std::ifstream f (i2p::util::filesystem::GetFullPath ("hosts.txt").c_str (), std::ofstream::in); // in text mode
-		if (!f.is_open ())	
+		if (!m_Storage)
+			 m_Storage = CreateStorage ();
+		if (m_Storage->Load (m_Addresses) > 0)
 		{
-			LogPrint ("hosts.txt not found. Try to load...");
-			if (!m_IsDowloading)
-			{
-				m_IsDowloading = true;
-				std::thread load_hosts(&AddressBook::LoadHostsFromI2P, this);
-				load_hosts.detach();
-			}
+			m_IsLoaded = true;
 			return;
 		}
+	
+		// try hosts.txt first
+		std::ifstream f (i2p::util::filesystem::GetFullPath ("hosts.txt").c_str (), std::ofstream::in); // in text mode
+		if (f.is_open ())	
+		{
+			LoadHostsFromStream (f);
+			m_IsLoaded = true;
+		}
+		else
+		{
+			// if not found download it from http://i2p-projekt.i2p/hosts.txt 
+			LogPrint (eLogInfo, "hosts.txt not found. Try to download it from default subscription...");
+			if (!m_IsDownloading)
+			{
+				m_IsDownloading = true;
+				if (!m_DefaultSubscription)
+					m_DefaultSubscription = new AddressBookSubscription (*this, DEFAULT_SUBSCRIPTION_ADDRESS);
+				m_DefaultSubscription->CheckSubscription ();
+			}
+		}	
+		
+	}
+
+	void AddressBook::LoadHostsFromStream (std::istream& f)
+	{
+		std::unique_lock<std::mutex> l(m_AddressBookMutex);
 		int numAddresses = 0;
-
 		std::string s;
-
 		while (!f.eof ())
 		{
 			getline(f, s);
@@ -118,16 +331,237 @@ namespace client
 				std::string name = s.substr(0, pos++);
 				std::string addr = s.substr(pos);

-				i2p::data::IdentityEx ident;
-				ident.FromBase64(addr);
-				m_Addresses[name] = ident.GetIdentHash ();
-				numAddresses++;
+				auto ident = std::make_shared<i2p::data::IdentityEx> ();
+				if (ident->FromBase64(addr))
+				{	
+					m_Addresses[name] = ident->GetIdentHash ();
+					m_Storage->AddAddress (ident);
+					numAddresses++;
+				}	
+				else
+					LogPrint (eLogError, "Malformed address ", addr, " for ", name);
 			}		
 		}
-		LogPrint (numAddresses, " addresses loaded");
-		m_IsLoaded = true;
+		LogPrint (eLogInfo, numAddresses, " addresses processed");
+		if (numAddresses > 0)
+		{	
+			m_IsLoaded = true;
+			m_Storage->Save (m_Addresses);
+		}	
+	}	
+	
+	void AddressBook::LoadSubscriptions ()
+	{
+		if (!m_Subscriptions.size ())
+		{
+			std::ifstream f (i2p::util::filesystem::GetFullPath ("subscriptions.txt").c_str (), std::ofstream::in); // in text mode
+			if (f.is_open ())
+			{
+				std::string s;
+				while (!f.eof ())
+				{
+					getline(f, s);
+					if (!s.length()) continue; // skip empty line
+					m_Subscriptions.push_back (new AddressBookSubscription (*this, s));
+				}
+				LogPrint (eLogInfo, m_Subscriptions.size (), " subscriptions loaded");
+			}
+			else
+				LogPrint (eLogWarning, "subscriptions.txt not found");
+		}
+		else
+			LogPrint (eLogError, "Subscriptions already loaded");
 	}

+	void AddressBook::DownloadComplete (bool success)
+	{
+		m_IsDownloading = false;
+		if (m_SubscriptionsUpdateTimer)
+		{
+			m_SubscriptionsUpdateTimer->expires_from_now (boost::posix_time::minutes(
+				success ? CONTINIOUS_SUBSCRIPTION_UPDATE_TIMEOUT : CONTINIOUS_SUBSCRIPTION_RETRY_TIMEOUT));
+			m_SubscriptionsUpdateTimer->async_wait (std::bind (&AddressBook::HandleSubscriptionsUpdateTimer,
+				this, std::placeholders::_1));
+		}
+	}
+
+	void AddressBook::StartSubscriptions ()
+	{
+		LoadSubscriptions ();
+		if (!m_Subscriptions.size ()) return;	
+
+		auto dest = i2p::client::context.GetSharedLocalDestination ();
+		if (dest)
+		{
+			m_SubscriptionsUpdateTimer = new boost::asio::deadline_timer (dest->GetService ());
+			m_SubscriptionsUpdateTimer->expires_from_now (boost::posix_time::minutes(INITIAL_SUBSCRIPTION_UPDATE_TIMEOUT));
+			m_SubscriptionsUpdateTimer->async_wait (std::bind (&AddressBook::HandleSubscriptionsUpdateTimer,
+				this, std::placeholders::_1));
+		}
+		else
+			LogPrint (eLogError, "Can't start subscriptions: missing shared local destination");
+	}
+
+	void AddressBook::StopSubscriptions ()
+	{
+		if (m_SubscriptionsUpdateTimer)
+			m_SubscriptionsUpdateTimer->cancel ();
+	}
+
+	void AddressBook::HandleSubscriptionsUpdateTimer (const boost::system::error_code& ecode)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+		{
+			auto dest = i2p::client::context.GetSharedLocalDestination ();
+			if (!dest) return;
+			if (m_IsLoaded && !m_IsDownloading && dest->IsReady () && !m_Subscriptions.empty ())
+			{
+				// pick random subscription
+				auto ind = rand () % m_Subscriptions.size();	
+				m_IsDownloading = true;	
+				m_Subscriptions[ind]->CheckSubscription ();		
+			}
+			else
+			{
+				if (!m_IsLoaded)
+					LoadHosts ();
+				// try it again later
+				m_SubscriptionsUpdateTimer->expires_from_now (boost::posix_time::minutes(INITIAL_SUBSCRIPTION_RETRY_TIMEOUT));
+				m_SubscriptionsUpdateTimer->async_wait (std::bind (&AddressBook::HandleSubscriptionsUpdateTimer,
+					this, std::placeholders::_1));
+			}
+		}
+	}
+
+	AddressBookSubscription::AddressBookSubscription (AddressBook& book, const std::string& link):
+		m_Book (book), m_Link (link)
+	{
+	}
+
+	void AddressBookSubscription::CheckSubscription ()
+	{
+		std::thread load_hosts(&AddressBookSubscription::Request, this);
+		load_hosts.detach(); // TODO: use join
+	}
+
+	void AddressBookSubscription::Request ()
+	{
+		// must be run in separate thread	
+		LogPrint (eLogInfo, "Downloading hosts from ", m_Link, " ETag: ", m_Etag, " Last-Modified: ", m_LastModified);
+		bool success = false;	
+		i2p::util::http::url u (m_Link);
+		i2p::data::IdentHash ident;
+		if (m_Book.GetIdentHash (u.host_, ident))
+		{
+			std::condition_variable newDataReceived;
+			std::mutex newDataReceivedMutex;
+			auto leaseSet = i2p::client::context.GetSharedLocalDestination ()->FindLeaseSet (ident);
+			if (!leaseSet)
+			{
+				std::unique_lock<std::mutex> l(newDataReceivedMutex);
+				i2p::client::context.GetSharedLocalDestination ()->RequestDestination (ident,
+					[&newDataReceived, &leaseSet](std::shared_ptr<i2p::data::LeaseSet> ls)
+				    {
+						leaseSet = ls;
+						newDataReceived.notify_all ();
+					});
+				if (newDataReceived.wait_for (l, std::chrono::seconds (SUBSCRIPTION_REQUEST_TIMEOUT)) == std::cv_status::timeout)
+					LogPrint (eLogError, "Subscription LeseseSet request timeout expired");
+			}
+			if (leaseSet)
+			{
+				std::stringstream request, response;
+				// standard header
+				request << "GET " << u.path_ << " HTTP/1.1\r\nHost: " << u.host_
+				<< "\r\nAccept: */*\r\n" << "User-Agent: Wget/1.11.4\r\n" << "Connection: close\r\n";
+				if (m_Etag.length () > 0) // etag
+					request << i2p::util::http::IF_NONE_MATCH << ": \"" << m_Etag << "\"\r\n";
+				if (m_LastModified.length () > 0) // if-modfief-since
+					request << i2p::util::http::IF_MODIFIED_SINCE << ": " << m_LastModified << "\r\n";
+				request << "\r\n"; // end of header
+				auto stream = i2p::client::context.GetSharedLocalDestination ()->CreateStream (leaseSet, u.port_);
+				stream->Send ((uint8_t *)request.str ().c_str (), request.str ().length ());
+				
+				uint8_t buf[4096];
+				bool end = false;
+				while (!end)
+				{
+					stream->AsyncReceive (boost::asio::buffer (buf, 4096), 
+						[&](const boost::system::error_code& ecode, std::size_t bytes_transferred)
+						{
+							if (bytes_transferred)
+								response.write ((char *)buf, bytes_transferred);
+							if (ecode == boost::asio::error::timed_out || !stream->IsOpen ())
+								end = true;	
+							newDataReceived.notify_all ();
+						},
+						30); // wait for 30 seconds
+					std::unique_lock<std::mutex> l(newDataReceivedMutex);
+					if (newDataReceived.wait_for (l, std::chrono::seconds (SUBSCRIPTION_REQUEST_TIMEOUT)) == std::cv_status::timeout)
+						LogPrint (eLogError, "Subscription timeout expired");
+				}
+				// process remaining buffer
+				while (size_t len = stream->ReadSome (buf, 4096))
+					response.write ((char *)buf, len);
+				
+				// parse response
+				std::string version;
+				response >> version; // HTTP version
+				int status = 0;
+				response >> status; // status
+				if (status == 200) // OK
+				{
+					bool isChunked = false;
+					std::string header, statusMessage;
+					std::getline (response, statusMessage);
+					// read until new line meaning end of header
+					while (!response.eof () && header != "\r")
+					{
+						std::getline (response, header);
+						auto colon = header.find (':');
+						if (colon != std::string::npos)
+						{
+							std::string field = header.substr (0, colon);
+							header.resize (header.length () - 1); // delete \r	
+							if (field == i2p::util::http::ETAG)
+								m_Etag = header.substr (colon + 1);
+							else if (field == i2p::util::http::LAST_MODIFIED)
+								m_LastModified = header.substr (colon + 1);
+							else if (field == i2p::util::http::TRANSFER_ENCODING)
+								isChunked = !header.compare (colon + 1, std::string::npos, "chunked");
+						}	
+					}
+					LogPrint (eLogInfo, m_Link, " ETag: ", m_Etag, " Last-Modified: ", m_LastModified);
+					if (!response.eof ())	
+					{
+						success = true;
+						if (!isChunked)
+							m_Book.LoadHostsFromStream (response);
+						else
+						{
+							// merge chunks
+							std::stringstream merged;
+							i2p::util::http::MergeChunkedResponse (response, merged);
+							m_Book.LoadHostsFromStream (merged);
+						}	
+					}	
+				}
+				else if (status == 304)
+				{	
+					success = true;
+					LogPrint (eLogInfo, "No updates from ", m_Link);
+				}	
+				else
+					LogPrint (eLogWarning, "Adressbook HTTP response ", status);
+			}
+			else
+				LogPrint (eLogError, "Address ", u.host_, " not found");
+		}
+		else
+			LogPrint (eLogError, "Can't resolve ", u.host_);
+		LogPrint (eLogInfo, "Download complete ", success ? "Success" : "Failed");
+		m_Book.DownloadComplete (success);
+	}
 }
 }

--- a/AddressBook.h
+++ b/AddressBook.h
@@ -4,7 +4,12 @@
 #include <string.h>
 #include <string>
 #include <map>
-#include "base64.h"
+#include <vector>
+#include <iostream>
+#include <mutex>
+#include <memory>
+#include <boost/asio.hpp>
+#include "Base.h"
 #include "util.h"
 #include "Identity.h"
 #include "Log.h"
@@ -13,22 +18,85 @@ namespace i2p
 {
 namespace client
 {
+	const char DEFAULT_SUBSCRIPTION_ADDRESS[] = "http://udhdrtrcetjm5sxzskjyr5ztpeszydbh4dpl3pl4utgqqw2v4jna.b32.i2p/hosts.txt";
+	const int INITIAL_SUBSCRIPTION_UPDATE_TIMEOUT = 3; // in minutes	
+	const int INITIAL_SUBSCRIPTION_RETRY_TIMEOUT = 1; // in minutes			
+	const int CONTINIOUS_SUBSCRIPTION_UPDATE_TIMEOUT = 720; // in minutes (12 hours)			
+	const int CONTINIOUS_SUBSCRIPTION_RETRY_TIMEOUT = 5; // in minutes	
+	const int SUBSCRIPTION_REQUEST_TIMEOUT = 60; //in second
+	
+	inline std::string GetB32Address(const i2p::data::IdentHash& ident) { return ident.ToBase32().append(".b32.i2p"); }
+
+	class AddressBookStorage // interface for storage
+	{
+		public:
+
+			virtual ~AddressBookStorage () {};
+			virtual std::shared_ptr<const i2p::data::IdentityEx> GetAddress (const i2p::data::IdentHash& ident) const = 0;	
+			virtual void AddAddress (std::shared_ptr<const i2p::data::IdentityEx> address) = 0;
+			virtual void RemoveAddress (const i2p::data::IdentHash& ident) = 0;
+		
+			virtual int Load (std::map<std::string, i2p::data::IdentHash>& addresses) = 0;
+			virtual int Save (const std::map<std::string, i2p::data::IdentHash>& addresses) = 0;
+	};			
+
+	class AddressBookSubscription;
 	class AddressBook
 	{
 		public:

 			AddressBook ();
+			~AddressBook ();
+			void Start ();
+			void Stop ();
 			bool GetIdentHash (const std::string& address, i2p::data::IdentHash& ident);
+			std::shared_ptr<const i2p::data::IdentityEx> GetAddress (const std::string& address);
 			const i2p::data::IdentHash * FindAddress (const std::string& address);
 			void InsertAddress (const std::string& address, const std::string& base64); // for jump service
+			void InsertAddress (std::shared_ptr<const i2p::data::IdentityEx> address);
+
+			void LoadHostsFromStream (std::istream& f);
+			void DownloadComplete (bool success);
+			//This method returns the ".b32.i2p" address
+			std::string ToAddress(const i2p::data::IdentHash& ident) { return GetB32Address(ident); }
+			std::string ToAddress(std::shared_ptr<const i2p::data::IdentityEx> ident) { return ToAddress(ident->GetIdentHash ()); }
+		private:
+
+			void StartSubscriptions ();
+			void StopSubscriptions ();
+			
+			AddressBookStorage * CreateStorage ();	
+			void LoadHosts ();
+			void LoadSubscriptions ();
+
+			void HandleSubscriptionsUpdateTimer (const boost::system::error_code& ecode);
+
+		private:	
+
+			std::mutex m_AddressBookMutex;
+			std::map<std::string, i2p::data::IdentHash>  m_Addresses;
+			AddressBookStorage * m_Storage;
+			volatile bool m_IsLoaded, m_IsDownloading;
+			std::vector<AddressBookSubscription *> m_Subscriptions;
+			AddressBookSubscription * m_DefaultSubscription; // in case if we don't know any addresses yet
+			boost::asio::deadline_timer * m_SubscriptionsUpdateTimer;
+	};
+
+	class AddressBookSubscription
+	{
+		public:
+
+			AddressBookSubscription (AddressBook& book, const std::string& link);
+			void CheckSubscription ();
+
+		private:
+
+			void Request ();
 		
 		private:
-	
-			void LoadHosts ();
-			void LoadHostsFromI2P ();

-			std::map<std::string, i2p::data::IdentHash>  m_Addresses;
-			bool m_IsLoaded, m_IsDowloading;
+			AddressBook& m_Book;
+			std::string m_Link, m_Etag, m_LastModified;
 	};
 }
 }
--- a/BOB.cpp
+++ b/BOB.cpp
@@ -0,0 +1,643 @@
+#include <string.h>
+#include <boost/lexical_cast.hpp>
+#include "Log.h"
+#include "ClientContext.h"
+#include "BOB.h"
+
+namespace i2p
+{
+namespace client
+{
+	BOBI2PInboundTunnel::BOBI2PInboundTunnel (int port, std::shared_ptr<ClientDestination> localDestination): 
+		BOBI2PTunnel (localDestination), 
+		m_Acceptor (localDestination->GetService (), boost::asio::ip::tcp::endpoint (boost::asio::ip::tcp::v4(), port))
+	{
+	}
+
+	BOBI2PInboundTunnel::~BOBI2PInboundTunnel ()
+	{
+		Stop ();
+	}
+
+	void BOBI2PInboundTunnel::Start ()
+	{
+		m_Acceptor.listen ();
+		Accept ();
+	}
+
+	void BOBI2PInboundTunnel::Stop ()
+	{
+		m_Acceptor.close();
+		ClearHandlers ();
+	}
+
+	void BOBI2PInboundTunnel::Accept ()
+	{
+		auto receiver = std::make_shared<AddressReceiver> ();
+		receiver->socket = std::make_shared<boost::asio::ip::tcp::socket> (GetService ());
+		m_Acceptor.async_accept (*receiver->socket, std::bind (&BOBI2PInboundTunnel::HandleAccept, this,
+			std::placeholders::_1, receiver));
+	}	
+
+	void BOBI2PInboundTunnel::HandleAccept (const boost::system::error_code& ecode, std::shared_ptr<AddressReceiver> receiver)
+	{
+		if (!ecode)
+		{
+			Accept ();	
+			ReceiveAddress (receiver);
+		}
+	}
+
+	void BOBI2PInboundTunnel::ReceiveAddress (std::shared_ptr<AddressReceiver> receiver)
+	{
+		receiver->socket->async_read_some (boost::asio::buffer(
+		        receiver->buffer + receiver->bufferOffset, 
+				BOB_COMMAND_BUFFER_SIZE - receiver->bufferOffset),                
+			std::bind(&BOBI2PInboundTunnel::HandleReceivedAddress, this, 
+				std::placeholders::_1, std::placeholders::_2, receiver));
+	}
+	
+	void BOBI2PInboundTunnel::HandleReceivedAddress (const boost::system::error_code& ecode, std::size_t bytes_transferred,
+		std::shared_ptr<AddressReceiver> receiver)
+	{
+		if (ecode)
+			LogPrint ("BOB inbound tunnel read error: ", ecode.message ());
+		else
+		{
+			receiver->bufferOffset += bytes_transferred;
+			receiver->buffer[receiver->bufferOffset] = 0;
+			char * eol = strchr (receiver->buffer, '\n');
+			if (eol)
+			{
+				*eol = 0;
+				
+				receiver->data = (uint8_t *)eol + 1;
+				receiver->dataLen = receiver->bufferOffset - (eol - receiver->buffer + 1);
+				i2p::data::IdentHash ident;
+				if (!context.GetAddressBook ().GetIdentHash (receiver->buffer, ident)) 
+				{
+					LogPrint (eLogError, "BOB address ", receiver->buffer, " not found");
+					return;
+				}
+				auto leaseSet = GetLocalDestination ()->FindLeaseSet (ident);
+				if (leaseSet)
+					CreateConnection (receiver, leaseSet);
+				else
+					GetLocalDestination ()->RequestDestination (ident, 
+						std::bind (&BOBI2PInboundTunnel::HandleDestinationRequestComplete,
+						this, std::placeholders::_1, receiver));
+			}
+			else
+			{
+				if (receiver->bufferOffset < BOB_COMMAND_BUFFER_SIZE)
+					ReceiveAddress (receiver);
+				else
+					LogPrint ("BOB missing inbound address ");
+			}			
+		}
+	}
+
+	void BOBI2PInboundTunnel::HandleDestinationRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet, std::shared_ptr<AddressReceiver> receiver)
+	{
+		if (leaseSet)
+			CreateConnection (receiver, leaseSet);
+		else
+			LogPrint ("LeaseSet for BOB inbound destination not found");
+	}	
+
+	void BOBI2PInboundTunnel::CreateConnection (std::shared_ptr<AddressReceiver> receiver, std::shared_ptr<const i2p::data::LeaseSet> leaseSet)
+	{
+		LogPrint ("New BOB inbound connection");
+		auto connection = std::make_shared<I2PTunnelConnection>(this, receiver->socket, leaseSet);
+		AddHandler (connection);
+		connection->I2PConnect (receiver->data, receiver->dataLen);
+	}
+
+	BOBI2POutboundTunnel::BOBI2POutboundTunnel (const std::string& address, int port, 
+		std::shared_ptr<ClientDestination> localDestination, bool quiet): BOBI2PTunnel (localDestination),
+		m_Endpoint (boost::asio::ip::address::from_string (address), port), m_IsQuiet (quiet)
+	{
+	}
+	
+	void BOBI2POutboundTunnel::Start ()
+	{
+		Accept ();
+	}
+
+	void BOBI2POutboundTunnel::Stop ()
+	{
+		ClearHandlers ();
+	}	
+
+	void BOBI2POutboundTunnel::Accept ()
+	{
+		auto localDestination = GetLocalDestination ();	
+		if (localDestination)
+			localDestination->AcceptStreams (std::bind (&BOBI2POutboundTunnel::HandleAccept, this, std::placeholders::_1));
+		else
+			LogPrint ("Local destination not set for server tunnel");
+	}
+
+	void BOBI2POutboundTunnel::HandleAccept (std::shared_ptr<i2p::stream::Stream> stream)
+	{
+		if (stream)
+		{	
+			auto conn = std::make_shared<I2PTunnelConnection> (this, stream, std::make_shared<boost::asio::ip::tcp::socket> (GetService ()), m_Endpoint, m_IsQuiet);
+			AddHandler (conn);
+			conn->Connect ();
+		}	
+	}
+
+	BOBDestination::BOBDestination (std::shared_ptr<ClientDestination> localDestination):
+		m_LocalDestination (localDestination), 
+		m_OutboundTunnel (nullptr), m_InboundTunnel (nullptr)
+	{
+	}
+		
+	BOBDestination::~BOBDestination ()
+	{
+		delete m_OutboundTunnel;
+		delete m_InboundTunnel;
+		i2p::client::context.DeleteLocalDestination (m_LocalDestination);
+	}	
+
+	void BOBDestination::Start ()
+	{
+		if (m_OutboundTunnel) m_OutboundTunnel->Start ();
+		if (m_InboundTunnel) m_InboundTunnel->Start ();
+	}
+		
+	void BOBDestination::Stop ()
+	{		
+		StopTunnels ();
+		m_LocalDestination->Stop ();
+	}	
+
+	void BOBDestination::StopTunnels ()
+	{
+		if (m_OutboundTunnel)
+		{	
+			m_OutboundTunnel->Stop ();
+			delete m_OutboundTunnel;
+			m_OutboundTunnel = nullptr;
+		}	
+		if (m_InboundTunnel)
+		{	
+			m_InboundTunnel->Stop ();
+			delete m_InboundTunnel;
+			m_InboundTunnel = nullptr;
+		}	
+	}	
+		
+	void BOBDestination::CreateInboundTunnel (int port)
+	{
+		if (!m_InboundTunnel)
+			m_InboundTunnel = new BOBI2PInboundTunnel (port, m_LocalDestination);
+	}
+		
+	void BOBDestination::CreateOutboundTunnel (const std::string& address, int port, bool quiet)
+	{
+		if (!m_OutboundTunnel)
+			m_OutboundTunnel = new BOBI2POutboundTunnel (address, port, m_LocalDestination, quiet);
+	}	
+		
+	BOBCommandSession::BOBCommandSession (BOBCommandChannel& owner): 
+		m_Owner (owner), m_Socket (m_Owner.GetService ()), m_ReceiveBufferOffset (0),
+		m_IsOpen (true), m_IsQuiet (false), m_InPort (0), m_OutPort (0),
+		m_CurrentDestination (nullptr)
+	{
+	}
+
+	BOBCommandSession::~BOBCommandSession ()
+	{
+	}
+
+	void BOBCommandSession::Terminate ()
+	{
+		m_Socket.close ();
+		m_IsOpen = false;	
+	}
+
+	void BOBCommandSession::Receive ()
+	{
+		m_Socket.async_read_some (boost::asio::buffer(m_ReceiveBuffer + m_ReceiveBufferOffset, BOB_COMMAND_BUFFER_SIZE - m_ReceiveBufferOffset),                
+			std::bind(&BOBCommandSession::HandleReceived, shared_from_this (), 
+			std::placeholders::_1, std::placeholders::_2));
+	}
+
+	void BOBCommandSession::HandleReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred)
+	{
+		if (ecode)
+		{
+			LogPrint ("BOB command channel read error: ", ecode.message ());
+			if (ecode != boost::asio::error::operation_aborted)
+				Terminate ();
+		}	
+		else
+		{	
+			size_t size = m_ReceiveBufferOffset + bytes_transferred; 
+			m_ReceiveBuffer[size] = 0;
+			char * eol = strchr (m_ReceiveBuffer, '\n');
+			if (eol)
+			{
+				*eol = 0;
+				char * operand =  strchr (m_ReceiveBuffer, ' ');
+				if (operand)  
+				{	
+					*operand = 0;
+					operand++;
+				}	
+				else 
+					operand = eol;
+				// process command
+				auto& handlers = m_Owner.GetCommandHandlers ();
+				auto it = handlers.find (m_ReceiveBuffer);
+				if (it != handlers.end ())
+					(this->*(it->second))(operand, eol - operand);
+				else	
+				{
+					LogPrint (eLogError, "BOB unknown command ", m_ReceiveBuffer);
+					SendReplyError ("unknown command");
+				}
+
+				m_ReceiveBufferOffset = size - (eol - m_ReceiveBuffer) - 1;
+				memmove (m_ReceiveBuffer, eol + 1, m_ReceiveBufferOffset);
+			}
+			else
+			{
+				if (size < BOB_COMMAND_BUFFER_SIZE)
+					m_ReceiveBufferOffset = size;
+				else
+				{
+					LogPrint (eLogError, "Malformed input of the BOB command channel");
+					Terminate ();
+				}
+			}	
+		}
+	}
+
+	void BOBCommandSession::Send (size_t len)
+	{
+		boost::asio::async_write (m_Socket, boost::asio::buffer (m_SendBuffer, len), 
+			boost::asio::transfer_all (),
+			std::bind(&BOBCommandSession::HandleSent, shared_from_this (), 
+				std::placeholders::_1, std::placeholders::_2));
+	}
+
+	void BOBCommandSession::HandleSent (const boost::system::error_code& ecode, std::size_t bytes_transferred)
+	{
+		if (ecode)
+        {
+			LogPrint ("BOB command channel send error: ", ecode.message ());
+			if (ecode != boost::asio::error::operation_aborted)
+				Terminate ();
+		}
+		else
+		{
+			if (m_IsOpen)
+				Receive ();
+			else
+				Terminate ();	
+		}
+	}
+
+	void BOBCommandSession::SendReplyOK (const char * msg)
+	{
+#ifdef _MSC_VER
+		size_t len = sprintf_s (m_SendBuffer, BOB_COMMAND_BUFFER_SIZE, BOB_REPLY_OK, msg);
+#else		
+		size_t len = snprintf (m_SendBuffer, BOB_COMMAND_BUFFER_SIZE, BOB_REPLY_OK, msg);
+#endif
+		Send (len);
+	}
+
+	void BOBCommandSession::SendReplyError (const char * msg)
+	{
+#ifdef _MSC_VER
+		size_t len = sprintf_s (m_SendBuffer, BOB_COMMAND_BUFFER_SIZE, BOB_REPLY_ERROR, msg);
+#else		
+		size_t len = snprintf (m_SendBuffer, BOB_COMMAND_BUFFER_SIZE, BOB_REPLY_ERROR, msg);
+#endif
+		Send (len);	
+	}
+		
+	void BOBCommandSession::SendVersion ()
+	{
+		size_t len = strlen (BOB_VERSION);
+		memcpy (m_SendBuffer, BOB_VERSION, len);
+		Send (len);
+	}
+
+	void BOBCommandSession::SendData (const char * nickname)
+	{
+#ifdef _MSC_VER
+		size_t len = sprintf_s (m_SendBuffer, BOB_COMMAND_BUFFER_SIZE, BOB_DATA, nickname);
+#else		
+		size_t len = snprintf (m_SendBuffer, BOB_COMMAND_BUFFER_SIZE, BOB_DATA, nickname);
+#endif
+		Send (len);			
+	}
+		
+	void BOBCommandSession::ZapCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: zap");
+		Terminate ();
+	}
+
+	void BOBCommandSession::QuitCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: quit");
+		m_IsOpen = false;
+		SendReplyOK ("Bye!");
+	}
+
+	void BOBCommandSession::StartCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: start ", m_Nickname);
+		if (!m_CurrentDestination)
+		{	
+			m_CurrentDestination = new BOBDestination (i2p::client::context.CreateNewLocalDestination (m_Keys, true, &m_Options));
+			m_Owner.AddDestination (m_Nickname, m_CurrentDestination);
+		}	
+		if (m_InPort)
+			m_CurrentDestination->CreateInboundTunnel (m_InPort);
+		if (m_OutPort && !m_Address.empty ())
+			m_CurrentDestination->CreateOutboundTunnel (m_Address, m_OutPort, m_IsQuiet);
+		m_CurrentDestination->Start ();	
+		SendReplyOK ("tunnel starting");	
+	}	
+	
+	void BOBCommandSession::StopCommandHandler (const char * operand, size_t len)
+	{
+		auto dest = m_Owner.FindDestination (m_Nickname);
+		if (dest)
+		{
+			dest->StopTunnels ();
+			SendReplyOK ("tunnel stopping");
+		}
+		else
+			SendReplyError ("tunnel not found");
+	}	
+	
+	void BOBCommandSession::SetNickCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: setnick ", operand);
+		m_Nickname = operand;
+		std::string msg ("Nickname set to ");
+		msg += operand;
+		SendReplyOK (msg.c_str ());
+	}	
+
+	void BOBCommandSession::GetNickCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: getnick ", operand);
+		m_CurrentDestination = m_Owner.FindDestination (operand); 
+		if (m_CurrentDestination)
+		{
+			m_Keys = m_CurrentDestination->GetKeys ();
+			m_Nickname = operand;
+			std::string msg ("Nickname set to ");
+			msg += operand;
+			SendReplyOK (msg.c_str ());
+		}
+		else
+			SendReplyError ("tunnel not found");	
+	}	
+
+	void BOBCommandSession::NewkeysCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: newkeys");
+		m_Keys = i2p::data::PrivateKeys::CreateRandomKeys ();
+		SendReplyOK (m_Keys.GetPublic ()->ToBase64 ().c_str ());
+	}	
+
+	void BOBCommandSession::SetkeysCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: setkeys ", operand);
+		m_Keys.FromBase64 (operand);
+		SendReplyOK (m_Keys.GetPublic ()->ToBase64 ().c_str ());
+	}
+		
+	void BOBCommandSession::GetkeysCommandHandler (const char * operand, size_t len)
+	{		
+		LogPrint (eLogDebug, "BOB: getkeys");
+		SendReplyOK (m_Keys.ToBase64 ().c_str ());
+	}	
+
+	void BOBCommandSession::GetdestCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: getdest");
+		SendReplyOK (m_Keys.GetPublic ()->ToBase64 ().c_str ());
+	}	
+		
+	void BOBCommandSession::OuthostCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: outhost ", operand);
+		m_Address = operand;
+		SendReplyOK ("outhost set");
+	}
+		
+	void BOBCommandSession::OutportCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: outport ", operand);
+		m_OutPort = boost::lexical_cast<int>(operand);
+		SendReplyOK ("outbound port set");
+	}	
+
+	void BOBCommandSession::InhostCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: inhost ", operand);
+		m_Address = operand;
+		SendReplyOK ("inhost set");
+	}
+		
+	void BOBCommandSession::InportCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: inport ", operand);
+		m_InPort = boost::lexical_cast<int>(operand);
+		SendReplyOK ("inbound port set");
+	}		
+
+	void BOBCommandSession::QuietCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: quiet");
+		m_IsQuiet = true;
+		SendReplyOK ("quiet");
+	}	
+	
+	void BOBCommandSession::LookupCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: lookup ", operand);
+		i2p::data::IdentHash ident;
+		if (!context.GetAddressBook ().GetIdentHash (operand, ident) || !m_CurrentDestination) 
+		{
+			SendReplyError ("Address Not found");
+			return;
+		}	
+		auto localDestination = m_CurrentDestination->GetLocalDestination ();
+		auto leaseSet = localDestination->FindLeaseSet (ident);
+		if (leaseSet)
+			SendReplyOK (leaseSet->GetIdentity ()->ToBase64 ().c_str ());
+		else
+		{
+			auto s = shared_from_this ();
+			localDestination->RequestDestination (ident, 
+				[s](std::shared_ptr<i2p::data::LeaseSet> ls)
+				{
+					if (ls)
+						s->SendReplyOK (ls->GetIdentity ()->ToBase64 ().c_str ());
+					else	
+						s->SendReplyError ("LeaseSet Not found");
+				}	
+			);
+		}
+	}
+
+	void BOBCommandSession::ClearCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: clear");
+		m_Owner.DeleteDestination (m_Nickname);
+		SendReplyOK ("cleared");
+	}	
+
+	void BOBCommandSession::ListCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: list");
+		auto& destinations = m_Owner.GetDestinations ();
+		for (auto it: destinations)
+			SendData (it.first.c_str ());
+		SendReplyOK ("Listing done");
+	}	
+
+	void BOBCommandSession::OptionCommandHandler (const char * operand, size_t len)
+	{
+		LogPrint (eLogDebug, "BOB: option ", operand);
+		const char * value = strchr (operand, '=');
+		if (value)
+		{	
+			*(const_cast<char *>(value)) = 0;
+			m_Options[operand] = value + 1; 
+			*(const_cast<char *>(value)) = '=';
+			SendReplyOK ("option");
+		}	
+		else
+			SendReplyError ("malformed");
+	}	
+		
+	BOBCommandChannel::BOBCommandChannel (int port):
+		m_IsRunning (false), m_Thread (nullptr),
+		m_Acceptor (m_Service, boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), port))
+	{
+		// command -> handler
+		m_CommandHandlers[BOB_COMMAND_ZAP] = &BOBCommandSession::ZapCommandHandler; 
+		m_CommandHandlers[BOB_COMMAND_QUIT] = &BOBCommandSession::QuitCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_START] = &BOBCommandSession::StartCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_STOP] = &BOBCommandSession::StopCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_SETNICK] = &BOBCommandSession::SetNickCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_GETNICK] = &BOBCommandSession::GetNickCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_NEWKEYS] = &BOBCommandSession::NewkeysCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_GETKEYS] = &BOBCommandSession::GetkeysCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_SETKEYS] = &BOBCommandSession::SetkeysCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_GETDEST] = &BOBCommandSession::GetdestCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_OUTHOST] = &BOBCommandSession::OuthostCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_OUTPORT] = &BOBCommandSession::OutportCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_INHOST] = &BOBCommandSession::InhostCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_INPORT] = &BOBCommandSession::InportCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_QUIET] = &BOBCommandSession::QuietCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_LOOKUP] = &BOBCommandSession::LookupCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_CLEAR] = &BOBCommandSession::ClearCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_LIST] = &BOBCommandSession::ListCommandHandler;
+		m_CommandHandlers[BOB_COMMAND_OPTION] = &BOBCommandSession::OptionCommandHandler;
+	}
+
+	BOBCommandChannel::~BOBCommandChannel ()
+	{
+		Stop ();
+		for (auto it: m_Destinations)
+			delete it.second;
+	}
+
+	void BOBCommandChannel::Start ()
+	{
+		Accept ();
+		m_IsRunning = true;
+		m_Thread = new std::thread (std::bind (&BOBCommandChannel::Run, this));
+	}
+
+	void BOBCommandChannel::Stop ()
+	{
+		m_IsRunning = false;
+		for (auto it: m_Destinations)
+			it.second->Stop ();
+		m_Acceptor.cancel ();	
+		m_Service.stop ();
+		if (m_Thread)
+		{	
+			m_Thread->join (); 
+			delete m_Thread;
+			m_Thread = nullptr;
+		}	
+	}
+		
+	void BOBCommandChannel::Run () 
+	{ 
+		while (m_IsRunning)
+		{
+			try
+			{	
+				m_Service.run ();
+			}
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "BOB: ", ex.what ());
+			}	
+		}	
+	}
+
+	void BOBCommandChannel::AddDestination (const std::string& name, BOBDestination * dest)
+	{
+		m_Destinations[name] = dest;
+	}	
+
+	void BOBCommandChannel::DeleteDestination (const std::string& name)
+	{
+		auto it = m_Destinations.find (name);
+		if (it != m_Destinations.end ())
+		{
+			it->second->Stop ();
+			delete it->second;
+			m_Destinations.erase (it);
+		}	
+	}	
+		
+	BOBDestination * BOBCommandChannel::FindDestination (const std::string& name)
+	{
+		auto it = m_Destinations.find (name);
+		if (it != m_Destinations.end ())
+			return it->second;
+		return nullptr;	
+	}
+		
+	void BOBCommandChannel::Accept ()
+	{
+		auto newSession = std::make_shared<BOBCommandSession> (*this);
+		m_Acceptor.async_accept (newSession->GetSocket (), std::bind (&BOBCommandChannel::HandleAccept, this,
+			std::placeholders::_1, newSession));
+	}
+
+	void BOBCommandChannel::HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<BOBCommandSession> session)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+			Accept ();
+
+		if (!ecode)
+		{
+			LogPrint (eLogInfo, "New BOB command connection from ", session->GetSocket ().remote_endpoint ());
+			session->SendVersion ();	
+		}
+		else
+			LogPrint (eLogError, "BOB accept error: ",  ecode.message ());
+	}
+}
+}
+
--- a/BOB.h
+++ b/BOB.h
@@ -0,0 +1,237 @@
+#ifndef BOB_H__
+#define BOB_H__
+
+#include <inttypes.h>
+#include <thread>
+#include <memory>
+#include <map>
+#include <string>
+#include <boost/asio.hpp>
+#include "I2PTunnel.h"
+#include "I2PService.h"
+#include "Identity.h"
+#include "LeaseSet.h"
+
+namespace i2p
+{
+namespace client
+{
+	const size_t BOB_COMMAND_BUFFER_SIZE = 1024;
+	const char BOB_COMMAND_ZAP[] = "zap";
+	const char BOB_COMMAND_QUIT[] = "quit";
+	const char BOB_COMMAND_START[] = "start";
+	const char BOB_COMMAND_STOP[] = "stop";	
+	const char BOB_COMMAND_SETNICK[] = "setnick";
+	const char BOB_COMMAND_GETNICK[] = "getnick";		
+	const char BOB_COMMAND_NEWKEYS[] = "newkeys";
+	const char BOB_COMMAND_GETKEYS[] = "getkeys";
+	const char BOB_COMMAND_SETKEYS[] = "setkeys";
+	const char BOB_COMMAND_GETDEST[] = "getdest";
+	const char BOB_COMMAND_OUTHOST[] = "outhost";	
+	const char BOB_COMMAND_OUTPORT[] = "outport";
+	const char BOB_COMMAND_INHOST[] = "inhost";	
+	const char BOB_COMMAND_INPORT[] = "inport";
+	const char BOB_COMMAND_QUIET[] = "quiet";
+	const char BOB_COMMAND_LOOKUP[] = "lookup";	
+	const char BOB_COMMAND_CLEAR[] = "clear";
+	const char BOB_COMMAND_LIST[] = "list";
+	const char BOB_COMMAND_OPTION[] = "option";
+	
+	const char BOB_VERSION[] = "BOB 00.00.10\nOK\n";	
+	const char BOB_REPLY_OK[] = "OK %s\n";
+	const char BOB_REPLY_ERROR[] = "ERROR %s\n";
+	const char BOB_DATA[] = "NICKNAME %s\n";
+
+	class BOBI2PTunnel: public I2PService
+	{
+		public:
+
+			BOBI2PTunnel (std::shared_ptr<ClientDestination> localDestination): 
+				I2PService (localDestination) {};
+
+			virtual void Start () {};
+			virtual void Stop () {};				
+	};	
+	
+	class BOBI2PInboundTunnel: public BOBI2PTunnel
+	{
+			struct AddressReceiver
+			{
+				std::shared_ptr<boost::asio::ip::tcp::socket> socket;
+				char buffer[BOB_COMMAND_BUFFER_SIZE + 1]; // for destination base64 address
+				uint8_t * data; // pointer to buffer
+				size_t dataLen, bufferOffset; 
+
+				AddressReceiver (): data (nullptr), dataLen (0), bufferOffset (0) {};
+			};	
+		
+		public:
+
+			BOBI2PInboundTunnel (int port, std::shared_ptr<ClientDestination> localDestination);
+			~BOBI2PInboundTunnel ();
+
+			void Start ();
+			void Stop ();
+
+		private:
+
+			void Accept ();
+			void HandleAccept (const boost::system::error_code& ecode, std::shared_ptr<AddressReceiver> receiver);
+
+			void ReceiveAddress (std::shared_ptr<AddressReceiver> receiver);
+			void HandleReceivedAddress (const boost::system::error_code& ecode, std::size_t bytes_transferred,
+				std::shared_ptr<AddressReceiver> receiver);
+
+			void HandleDestinationRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet, std::shared_ptr<AddressReceiver> receiver);
+
+			void CreateConnection (std::shared_ptr<AddressReceiver> receiver, std::shared_ptr<const i2p::data::LeaseSet> leaseSet);
+
+		private:
+
+			boost::asio::ip::tcp::acceptor m_Acceptor;	
+	};
+
+	class BOBI2POutboundTunnel: public BOBI2PTunnel
+	{
+		public:
+
+			 BOBI2POutboundTunnel (const std::string& address, int port, std::shared_ptr<ClientDestination> localDestination, bool quiet);	
+
+			void Start ();
+			void Stop ();
+
+			void SetQuiet () { m_IsQuiet = true; };
+
+		private:
+
+			void Accept ();
+			void HandleAccept (std::shared_ptr<i2p::stream::Stream> stream);
+
+		private:
+
+			boost::asio::ip::tcp::endpoint m_Endpoint;	
+			bool m_IsQuiet;	
+	};
+
+
+	class BOBDestination
+	{
+		public:
+
+			BOBDestination (std::shared_ptr<ClientDestination> localDestination);
+			~BOBDestination ();
+
+			void Start ();
+			void Stop ();
+			void StopTunnels ();
+			void CreateInboundTunnel (int port);
+			void CreateOutboundTunnel (const std::string& address, int port, bool quiet);
+			const i2p::data::PrivateKeys& GetKeys () const { return m_LocalDestination->GetPrivateKeys (); };
+			std::shared_ptr<ClientDestination> GetLocalDestination () const { return m_LocalDestination; };
+			
+		private:	
+
+			std::shared_ptr<ClientDestination> m_LocalDestination;
+			BOBI2POutboundTunnel * m_OutboundTunnel;
+			BOBI2PInboundTunnel * m_InboundTunnel;
+	};	
+	
+	class BOBCommandChannel;
+	class BOBCommandSession: public std::enable_shared_from_this<BOBCommandSession>
+	{
+		public:
+
+			BOBCommandSession (BOBCommandChannel& owner);
+			~BOBCommandSession ();	
+			void Terminate ();
+
+			boost::asio::ip::tcp::socket& GetSocket () { return m_Socket; };
+			void SendVersion ();
+
+			// command handlers
+			void ZapCommandHandler (const char * operand, size_t len);
+			void QuitCommandHandler (const char * operand, size_t len);
+			void StartCommandHandler (const char * operand, size_t len);
+			void StopCommandHandler (const char * operand, size_t len);
+			void SetNickCommandHandler (const char * operand, size_t len);
+			void GetNickCommandHandler (const char * operand, size_t len);
+			void NewkeysCommandHandler (const char * operand, size_t len);
+			void SetkeysCommandHandler (const char * operand, size_t len);
+			void GetkeysCommandHandler (const char * operand, size_t len);
+			void GetdestCommandHandler (const char * operand, size_t len);
+			void OuthostCommandHandler (const char * operand, size_t len);
+			void OutportCommandHandler (const char * operand, size_t len);
+			void InhostCommandHandler (const char * operand, size_t len);
+			void InportCommandHandler (const char * operand, size_t len);			
+			void QuietCommandHandler (const char * operand, size_t len);	
+			void LookupCommandHandler (const char * operand, size_t len);
+			void ClearCommandHandler (const char * operand, size_t len);
+			void ListCommandHandler (const char * operand, size_t len);
+			void OptionCommandHandler (const char * operand, size_t len);
+			
+		private:
+
+			void Receive ();
+			void HandleReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred);
+
+			void Send (size_t len);
+			void HandleSent (const boost::system::error_code& ecode, std::size_t bytes_transferred);
+			void SendReplyOK (const char * msg);
+			void SendReplyError (const char * msg);
+			void SendData (const char * nickname);
+
+		private:
+
+			BOBCommandChannel& m_Owner;
+			boost::asio::ip::tcp::socket m_Socket;
+			char m_ReceiveBuffer[BOB_COMMAND_BUFFER_SIZE + 1], m_SendBuffer[BOB_COMMAND_BUFFER_SIZE + 1];
+			size_t m_ReceiveBufferOffset;
+			bool m_IsOpen, m_IsQuiet;
+			std::string m_Nickname, m_Address;
+			int m_InPort, m_OutPort;
+			i2p::data::PrivateKeys m_Keys;
+			std::map<std::string, std::string> m_Options; 
+			BOBDestination * m_CurrentDestination;
+	};
+	typedef void (BOBCommandSession::*BOBCommandHandler)(const char * operand, size_t len);
+
+	class BOBCommandChannel
+	{
+		public:
+
+			BOBCommandChannel (int port);
+			~BOBCommandChannel ();
+
+			void Start ();
+			void Stop ();
+
+			boost::asio::io_service& GetService () { return m_Service; };
+			void AddDestination (const std::string& name, BOBDestination * dest);
+			void DeleteDestination (const std::string& name);
+			BOBDestination * FindDestination (const std::string& name);
+			
+		private:
+
+			void Run ();
+			void Accept ();
+			void HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<BOBCommandSession> session);
+
+		private:
+
+			bool m_IsRunning;
+			std::thread * m_Thread;	
+			boost::asio::io_service m_Service;
+			boost::asio::ip::tcp::acceptor m_Acceptor;
+			std::map<std::string, BOBDestination *> m_Destinations;
+			std::map<std::string, BOBCommandHandler> m_CommandHandlers;
+
+		public:
+
+			const decltype(m_CommandHandlers)& GetCommandHandlers () const { return m_CommandHandlers; };
+			const decltype(m_Destinations)& GetDestinations () const { return m_Destinations; };
+	};	
+}
+}
+
+#endif
+
--- a/base64.cpp
+++ b/base64.cpp
@@ -1,11 +1,11 @@
 #include <stdlib.h>
-#include "base64.h"
+#include "Log.h"
+#include "Base.h"

 namespace i2p
 {
 namespace data
 {
-
 	static void iT64Build(void);

 	/*
@@ -79,7 +79,7 @@ namespace data
 		     outCount = 4*n;
 		else
 		     outCount = 4*(n+1);
-		if (outCount > len) return -1;
+		if (outCount > len) return 0;
 		pd = (unsigned char *)OutBuffer;
 		for ( i = 0; i<n; i++ ){
 		     acc_1 = *ps++;
@@ -158,7 +158,7 @@ namespace data
 		     outCount = 3*n;
 		else {
 		     outCount = 0;
-		     return -1;
+		     return 0;
 		}
 		
 		ps = (unsigned char *)(InBuffer + InCount - 1);
@@ -265,5 +265,69 @@ namespace data
 		}
 		return ret;
 	}
+
+	GzipInflator::GzipInflator (): m_IsDirty (false)
+	{
+		memset (&m_Inflator, 0, sizeof (m_Inflator));
+		inflateInit2 (&m_Inflator, MAX_WBITS + 16); // gzip
+	}
+	
+	GzipInflator::~GzipInflator ()
+	{
+		inflateEnd (&m_Inflator);
+	}	
+
+	size_t GzipInflator::Inflate (const uint8_t * in, size_t inLen, uint8_t * out, size_t outLen)
+	{
+		if (m_IsDirty) inflateReset (&m_Inflator);
+		m_IsDirty = true;
+		m_Inflator.next_in = const_cast<uint8_t *>(in);
+		m_Inflator.avail_in = inLen;
+		m_Inflator.next_out = out;
+		m_Inflator.avail_out = outLen;
+		int err;
+		if ((err = inflate (&m_Inflator, Z_NO_FLUSH)) == Z_STREAM_END)
+			return outLen - m_Inflator.avail_out;	
+		else
+		{
+			LogPrint (eLogError, "Decompression error ", err);
+			return 0;
+		}	
+	}	
+
+	GzipDeflator::GzipDeflator (): m_IsDirty (false)
+	{
+		memset (&m_Deflator, 0, sizeof (m_Deflator));
+		deflateInit2 (&m_Deflator, Z_DEFAULT_COMPRESSION, Z_DEFLATED, 15 + 16, 8, Z_DEFAULT_STRATEGY); // 15 + 16 sets gzip
+	}
+	
+	GzipDeflator::~GzipDeflator ()
+	{
+		deflateEnd (&m_Deflator);
+	}	
+
+	void GzipDeflator::SetCompressionLevel (int level)
+	{
+		deflateParams (&m_Deflator, level, Z_DEFAULT_STRATEGY);
+	}	
+	
+	size_t GzipDeflator::Deflate (const uint8_t * in, size_t inLen, uint8_t * out, size_t outLen)
+	{
+		if (m_IsDirty) deflateReset (&m_Deflator);
+		m_IsDirty = true;
+		m_Deflator.next_in = const_cast<uint8_t *>(in);
+		m_Deflator.avail_in = inLen;
+		m_Deflator.next_out = out;
+		m_Deflator.avail_out = outLen;
+		int err;
+		if ((err = deflate (&m_Deflator, Z_FINISH)) == Z_STREAM_END) 
+			return outLen - m_Deflator.avail_out;	
+		else
+		{
+			LogPrint (eLogError, "Compression error ", err);
+			return 0;
+		}	
+	}	
 }
 }
+
--- a/Base.h
+++ b/Base.h
@@ -0,0 +1,123 @@
+#ifndef BASE_H__
+#define BASE_H__
+
+#include <inttypes.h>
+#include <string.h>
+#include <string>
+#include <zlib.h>
+
+namespace i2p
+{
+namespace data
+{
+	size_t ByteStreamToBase64 (const uint8_t * InBuffer, size_t InCount, char * OutBuffer, size_t len);
+	size_t Base64ToByteStream (const char * InBuffer, size_t InCount, uint8_t * OutBuffer, size_t len );
+	const char * GetBase64SubstitutionTable ();	
+	
+	size_t Base32ToByteStream (const char * inBuf, size_t len, uint8_t * outBuf, size_t outLen);
+	size_t ByteStreamToBase32 (const uint8_t * InBuf, size_t len, char * outBuf, size_t outLen);
+
+	template<int sz>
+	class Tag
+	{
+		public:
+
+			Tag (const uint8_t * buf) { memcpy (m_Buf, buf, sz); };
+			Tag (const Tag<sz>& ) = default;
+#ifndef _WIN32 // FIXME!!! msvs 2013 can't compile it
+			Tag (Tag<sz>&& ) = default;
+#endif
+			Tag () = default;
+			
+			Tag<sz>& operator= (const Tag<sz>& ) = default;
+#ifndef _WIN32
+			Tag<sz>& operator= (Tag<sz>&& ) = default;
+#endif
+			
+			uint8_t * operator()() { return m_Buf; };
+			const uint8_t * operator()() const { return m_Buf; };
+
+			operator uint8_t * () { return m_Buf; };
+			operator const uint8_t * () const { return m_Buf; };
+			
+			const uint64_t * GetLL () const { return ll; };
+
+			bool operator== (const Tag<sz>& other) const { return !memcmp (m_Buf, other.m_Buf, sz); };
+			bool operator< (const Tag<sz>& other) const { return memcmp (m_Buf, other.m_Buf, sz) < 0; };
+
+			bool IsZero () const
+			{
+				for (int i = 0; i < sz/8; i++)
+					if (ll[i]) return false;
+				return true;
+			}
+			
+			std::string ToBase64 () const
+			{
+				char str[sz*2];
+				int l = i2p::data::ByteStreamToBase64 (m_Buf, sz, str, sz*2);
+				str[l] = 0;
+				return std::string (str);
+			}
+
+			std::string ToBase32 () const
+			{
+				char str[sz*2];
+				int l = i2p::data::ByteStreamToBase32 (m_Buf, sz, str, sz*2);
+				str[l] = 0;
+				return std::string (str);
+			}	
+
+			void FromBase32 (const std::string& s)
+			{
+				i2p::data::Base32ToByteStream (s.c_str (), s.length (), m_Buf, sz);
+			}
+
+			void FromBase64 (const std::string& s)
+			{
+				i2p::data::Base64ToByteStream (s.c_str (), s.length (), m_Buf, sz);
+			}
+
+		private:
+
+			union // 8 bytes alignment
+			{	
+				uint8_t m_Buf[sz];
+				uint64_t ll[sz/8];
+			};		
+	};
+
+	class GzipInflator
+	{
+		public:
+
+			GzipInflator ();
+			~GzipInflator ();
+
+			size_t Inflate (const uint8_t * in, size_t inLen, uint8_t * out, size_t outLen);
+			
+		private:
+
+			z_stream m_Inflator;
+			bool m_IsDirty;
+	};
+
+	class GzipDeflator
+	{
+		public:
+
+			GzipDeflator ();
+			~GzipDeflator ();
+
+			void SetCompressionLevel (int level);
+			size_t Deflate (const uint8_t * in, size_t inLen, uint8_t * out, size_t outLen);
+			
+		private:
+
+			z_stream m_Deflator;
+			bool m_IsDirty;
+	};
+}
+}
+
+#endif
--- a/ClientContext.cpp
+++ b/ClientContext.cpp
@@ -1,5 +1,10 @@
+#include <fstream>
+#include <iostream>
+#include <boost/property_tree/ptree.hpp>
+#include <boost/property_tree/ini_parser.hpp>
 #include "util.h"
 #include "Log.h"
+#include "Identity.h"
 #include "ClientContext.h"

 namespace i2p
@@ -9,8 +14,8 @@ namespace client
 	ClientContext context;	

 	ClientContext::ClientContext (): m_SharedLocalDestination (nullptr),
-		m_HttpProxy (nullptr), m_SocksProxy (nullptr), m_IrcTunnel (nullptr),
-		m_ServerTunnel (nullptr), m_SamBridge (nullptr)	
+		m_HttpProxy (nullptr), m_SocksProxy (nullptr), m_SamBridge (nullptr), 
+		m_BOBCommandChannel (nullptr)
 	{
 	}
 	
@@ -18,48 +23,58 @@ namespace client
 	{
 		delete m_HttpProxy;
 		delete m_SocksProxy;
-		delete m_IrcTunnel;
-		delete m_ServerTunnel;
 		delete m_SamBridge;
+		delete m_BOBCommandChannel;
 	}
 	
 	void ClientContext::Start ()
 	{
 		if (!m_SharedLocalDestination)
 		{	
-			m_SharedLocalDestination = new ClientDestination (false, i2p::data::SIGNING_KEY_TYPE_DSA_SHA1); // non-public, DSA
-			m_Destinations[m_SharedLocalDestination->GetIdentity ().GetIdentHash ()] = m_SharedLocalDestination;
+			m_SharedLocalDestination = CreateNewLocalDestination (); // non-public, DSA
+			m_Destinations[m_SharedLocalDestination->GetIdentity ()->GetIdentHash ()] = m_SharedLocalDestination;
 			m_SharedLocalDestination->Start ();
 		}

-		m_HttpProxy = new i2p::proxy::HTTPProxy(i2p::util::config::GetArg("-httpproxyport", 4446));
+		std::shared_ptr<ClientDestination> localDestination;	
+		// proxies	
+		std::string proxyKeys = i2p::util::config::GetArg("-proxykeys", "");
+		if (proxyKeys.length () > 0)
+			localDestination = LoadLocalDestination (proxyKeys, false);
+		m_HttpProxy = new i2p::proxy::HTTPProxy(i2p::util::config::GetArg("-httpproxyport", 4446), localDestination);
 		m_HttpProxy->Start();
 		LogPrint("HTTP Proxy started");
-		m_SocksProxy = new i2p::proxy::SOCKSProxy(i2p::util::config::GetArg("-socksproxyport", 4447));
+		m_SocksProxy = new i2p::proxy::SOCKSProxy(i2p::util::config::GetArg("-socksproxyport", 4447), localDestination);
 		m_SocksProxy->Start();
 		LogPrint("SOCKS Proxy Started");
+	
+		// I2P tunnels
 		std::string ircDestination = i2p::util::config::GetArg("-ircdest", "");
 		if (ircDestination.length () > 0) // ircdest is presented
 		{
-			ClientDestination * localDestination = nullptr;
+			localDestination = nullptr;
 			std::string ircKeys = i2p::util::config::GetArg("-irckeys", "");	
 			if (ircKeys.length () > 0)
-				localDestination = i2p::client::context.LoadLocalDestination (ircKeys, false);
-			m_IrcTunnel = new I2PClientTunnel (m_SocksProxy->GetService (), ircDestination,
-				i2p::util::config::GetArg("-ircport", 6668), localDestination);
-			m_IrcTunnel->Start ();
+				localDestination = LoadLocalDestination (ircKeys, false);
+			auto ircPort = i2p::util::config::GetArg("-ircport", 6668);
+			auto ircTunnel = new I2PClientTunnel (ircDestination, ircPort, localDestination);
+			ircTunnel->Start ();
+			m_ClientTunnels.insert (std::make_pair(ircPort, std::unique_ptr<I2PClientTunnel>(ircTunnel)));
 			LogPrint("IRC tunnel started");
 		}	
 		std::string eepKeys = i2p::util::config::GetArg("-eepkeys", "");
 		if (eepKeys.length () > 0) // eepkeys file is presented
 		{
-			auto localDestination = i2p::client::context.LoadLocalDestination (eepKeys, true);
-			m_ServerTunnel = new I2PServerTunnel (m_SocksProxy->GetService (), 
-				i2p::util::config::GetArg("-eephost", "127.0.0.1"), i2p::util::config::GetArg("-eepport", 80),
-				localDestination);
-			m_ServerTunnel->Start ();
+			localDestination = LoadLocalDestination (eepKeys, true);
+			auto serverTunnel = new I2PServerTunnel (i2p::util::config::GetArg("-eephost", "127.0.0.1"),
+ 				i2p::util::config::GetArg("-eepport", 80), localDestination);
+			serverTunnel->Start ();
+			m_ServerTunnels.insert (std::make_pair(localDestination->GetIdentHash (), std::unique_ptr<I2PServerTunnel>(serverTunnel)));
 			LogPrint("Server tunnel started");
 		}
+		ReadTunnels ();
+
+		// SAM
 		int samPort = i2p::util::config::GetArg("-samport", 0);
 		if (samPort)
 		{
@@ -67,6 +82,17 @@ namespace client
 			m_SamBridge->Start ();
 			LogPrint("SAM bridge started");
 		} 
+
+		// BOB
+		int bobPort = i2p::util::config::GetArg("-bobport", 0);
+		if (bobPort)
+		{
+			m_BOBCommandChannel = new BOBCommandChannel (bobPort);
+			m_BOBCommandChannel->Start ();
+			LogPrint("BOB command channel started");
+		} 
+
+		m_AddressBook.Start ();
 	}
 		
 	void ClientContext::Stop ()
@@ -74,85 +100,103 @@ namespace client
 		m_HttpProxy->Stop();
 		delete m_HttpProxy;
 		m_HttpProxy = nullptr;
-		LogPrint("HTTP Proxy stoped");
+		LogPrint("HTTP Proxy stopped");
 		m_SocksProxy->Stop();
 		delete m_SocksProxy;
 		m_SocksProxy = nullptr;
-		LogPrint("SOCKS Proxy stoped");
-		if (m_IrcTunnel)
+		LogPrint("SOCKS Proxy stopped");
+		for (auto& it: m_ClientTunnels)
 		{
-			m_IrcTunnel->Stop ();
-			delete m_IrcTunnel; 
-			m_IrcTunnel = nullptr;
-			LogPrint("IRC tunnel stoped");	
+			it.second->Stop ();
+			LogPrint("I2P client tunnel on port ", it.first, " stopped");	
 		}
-		if (m_ServerTunnel)
+		m_ClientTunnels.clear ();	
+		for (auto& it: m_ServerTunnels)
 		{
-			m_ServerTunnel->Stop ();
-			delete m_ServerTunnel; 
-			m_ServerTunnel = nullptr;
-			LogPrint("Server tunnel stoped");	
-		}			
+			it.second->Stop ();
+			LogPrint("I2P server tunnel stopped");	
+		}
+		m_ServerTunnels.clear ();	
 		if (m_SamBridge)
 		{
 			m_SamBridge->Stop ();
 			delete m_SamBridge; 
 			m_SamBridge = nullptr;
-			LogPrint("SAM brdige stoped");	
+			LogPrint("SAM brdige stopped");	
 		}		
-		
-		for (auto it: m_Destinations)
-		{	
-			it.second->Stop ();
-			delete it.second;
-		}		
-		m_Destinations.clear ();
-		m_SharedLocalDestination = 0; // deleted through m_Destination
-	}	
-
-	void ClientContext::LoadLocalDestinations ()
-	{
-		int numDestinations = 0;
-		boost::filesystem::path p (i2p::util::filesystem::GetDataDir());
-		boost::filesystem::directory_iterator end;
-		for (boost::filesystem::directory_iterator it (p); it != end; ++it)
+		if (m_BOBCommandChannel)
 		{
-			if (boost::filesystem::is_regular_file (*it) && it->path ().extension () == ".dat")
-			{
-				auto fullPath =
-#if BOOST_VERSION > 10500
-				it->path().string();
-#else
-				it->path();
-#endif
-				auto localDestination = new ClientDestination (fullPath, true);
-				m_Destinations[localDestination->GetIdentHash ()] = localDestination;
-				numDestinations++;
-			}	
-		}	
-		if (numDestinations > 0)
-			LogPrint (numDestinations, " local destinations loaded");
+			m_BOBCommandChannel->Stop ();
+			delete m_BOBCommandChannel; 
+			m_BOBCommandChannel = nullptr;
+			LogPrint("BOB command channel stopped");	
+		}			
+		m_AddressBook.Stop ();		
+		for (auto it: m_Destinations)
+			it.second->Stop ();
+		m_Destinations.clear ();
+		m_SharedLocalDestination = nullptr; 
 	}	
 	
-	ClientDestination * ClientContext::LoadLocalDestination (const std::string& filename, bool isPublic)
+	std::shared_ptr<ClientDestination> ClientContext::LoadLocalDestination (const std::string& filename, bool isPublic)
 	{
-		auto localDestination = new ClientDestination (i2p::util::filesystem::GetFullPath (filename), isPublic);
+		i2p::data::PrivateKeys keys;
+		std::string fullPath = i2p::util::filesystem::GetFullPath (filename);
+		std::ifstream s(fullPath.c_str (), std::ifstream::binary);
+		if (s.is_open ())	
+		{	
+			s.seekg (0, std::ios::end);
+			size_t len = s.tellg();
+			s.seekg (0, std::ios::beg);
+			uint8_t * buf = new uint8_t[len];
+			s.read ((char *)buf, len);
+			keys.FromBuffer (buf, len);
+			delete[] buf;
+			LogPrint ("Local address ", m_AddressBook.ToAddress(keys.GetPublic ()->GetIdentHash ()), " loaded");
+		}	
+		else
+		{
+			LogPrint ("Can't open file ", fullPath, " Creating new one");
+			keys = i2p::data::PrivateKeys::CreateRandomKeys (i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA256_P256); 
+			std::ofstream f (fullPath, std::ofstream::binary | std::ofstream::out);
+			size_t len = keys.GetFullLen ();
+			uint8_t * buf = new uint8_t[len];
+			len = keys.ToBuffer (buf, len);
+			f.write ((char *)buf, len);
+			delete[] buf;
+			
+			LogPrint ("New private keys file ", fullPath, " for ", m_AddressBook.ToAddress(keys.GetPublic ()->GetIdentHash ()), " created");
+		}	
+
+		std::shared_ptr<ClientDestination> localDestination = nullptr;	
 		std::unique_lock<std::mutex> l(m_DestinationsMutex);	
-		m_Destinations[localDestination->GetIdentHash ()] = localDestination;
-		localDestination->Start ();
+		auto it = m_Destinations.find (keys.GetPublic ()->GetIdentHash ()); 
+		if (it != m_Destinations.end ())
+		{
+			LogPrint (eLogWarning, "Local destination ",  m_AddressBook.ToAddress(keys.GetPublic ()->GetIdentHash ()), " alreday exists");
+			localDestination = it->second;
+		}
+		else
+		{
+			localDestination = std::make_shared<ClientDestination> (keys, isPublic);
+			m_Destinations[localDestination->GetIdentHash ()] = localDestination;
+			localDestination->Start ();
+		}
 		return localDestination;
 	}

-	ClientDestination * ClientContext::CreateNewLocalDestination (bool isPublic, i2p::data::SigningKeyType sigType)
+	std::shared_ptr<ClientDestination> ClientContext::CreateNewLocalDestination (bool isPublic, i2p::data::SigningKeyType sigType,
+		const std::map<std::string, std::string> * params)
 	{
-		auto localDestination = new ClientDestination (isPublic, sigType);
+		i2p::data::PrivateKeys keys = i2p::data::PrivateKeys::CreateRandomKeys (sigType);
+		auto localDestination = std::make_shared<ClientDestination> (keys, isPublic, params);
 		std::unique_lock<std::mutex> l(m_DestinationsMutex);
 		m_Destinations[localDestination->GetIdentHash ()] = localDestination;
 		localDestination->Start ();
 		return localDestination;
 	}

-	void ClientContext::DeleteLocalDestination (ClientDestination * destination)
+	void ClientContext::DeleteLocalDestination (std::shared_ptr<ClientDestination> destination)
 	{
 		if (!destination) return;
 		auto it = m_Destinations.find (destination->GetIdentHash ());
@@ -164,16 +208,16 @@ namespace client
 				m_Destinations.erase (it);
 			}	
 			d->Stop ();
-			delete d;
 		}
 	}

-	ClientDestination * ClientContext::CreateNewLocalDestination (const i2p::data::PrivateKeys& keys, bool isPublic)
+	std::shared_ptr<ClientDestination> ClientContext::CreateNewLocalDestination (const i2p::data::PrivateKeys& keys, bool isPublic,
+		const std::map<std::string, std::string> * params)
 	{
-		auto it = m_Destinations.find (keys.GetPublic ().GetIdentHash ());
+		auto it = m_Destinations.find (keys.GetPublic ()->GetIdentHash ());
 		if (it != m_Destinations.end ())
 		{
-			LogPrint ("Local destination ", keys.GetPublic ().GetIdentHash ().ToBase32 (), ".b32.i2p exists");
+			LogPrint ("Local destination ", m_AddressBook.ToAddress(keys.GetPublic ()->GetIdentHash ()), " exists");
 			if (!it->second->IsRunning ())
 			{	
 				it->second->Start ();
@@ -181,19 +225,104 @@ namespace client
 			}	
 			return nullptr;
 		}	
-		auto localDestination = new ClientDestination (keys, isPublic);
+		auto localDestination = std::make_shared<ClientDestination> (keys, isPublic, params);
 		std::unique_lock<std::mutex> l(m_DestinationsMutex);
-		m_Destinations[keys.GetPublic ().GetIdentHash ()] = localDestination;
+		m_Destinations[keys.GetPublic ()->GetIdentHash ()] = localDestination;
 		localDestination->Start ();
 		return localDestination;
 	}
 	
-	ClientDestination * ClientContext::FindLocalDestination (const i2p::data::IdentHash& destination) const
+	std::shared_ptr<ClientDestination> ClientContext::FindLocalDestination (const i2p::data::IdentHash& destination) const
 	{
 		auto it = m_Destinations.find (destination);
 		if (it != m_Destinations.end ())
 			return it->second;
 		return nullptr;
 	}	
+
+	void ClientContext::ReadTunnels ()
+	{
+		boost::property_tree::ptree pt;
+		try
+		{
+			boost::property_tree::read_ini (i2p::util::filesystem::GetFullPath (TUNNELS_CONFIG_FILENAME), pt);
+		}
+		catch (std::exception& ex)
+		{
+			LogPrint (eLogWarning, "Can't read ", TUNNELS_CONFIG_FILENAME, ": ", ex.what ());
+			return;
+		}
+			
+		int numClientTunnels = 0, numServerTunnels = 0;
+		for (auto& section: pt)
+		{
+			std::string name = section.first;			
+			try
+			{
+				std::string type = section.second.get<std::string> (I2P_TUNNELS_SECTION_TYPE);
+				if (type == I2P_TUNNELS_SECTION_TYPE_CLIENT)
+				{
+					// mandatory params
+					std::string dest = section.second.get<std::string> (I2P_CLIENT_TUNNEL_DESTINATION);
+					int port = section.second.get<int> (I2P_CLIENT_TUNNEL_PORT);
+					// optional params
+					std::string keys = section.second.get (I2P_CLIENT_TUNNEL_KEYS, "");
+					int destinationPort = section.second.get (I2P_CLIENT_TUNNEL_DESTINATION_PORT, 0);
+
+					std::shared_ptr<ClientDestination> localDestination = nullptr;
+					if (keys.length () > 0)
+						localDestination = LoadLocalDestination (keys, false);
+					auto clientTunnel = new I2PClientTunnel (dest, port, localDestination, destinationPort);
+					if (m_ClientTunnels.insert (std::make_pair (port, std::unique_ptr<I2PClientTunnel>(clientTunnel))).second)
+						clientTunnel->Start ();
+					else
+						LogPrint (eLogError, "I2P client tunnel with port ", port, " already exists");
+					numClientTunnels++;
+				}
+				else if (type == I2P_TUNNELS_SECTION_TYPE_SERVER || type == I2P_TUNNELS_SECTION_TYPE_HTTP)
+				{	
+					// mandatory params
+					std::string host = section.second.get<std::string> (I2P_SERVER_TUNNEL_HOST);
+					int port = section.second.get<int> (I2P_SERVER_TUNNEL_PORT);
+					std::string keys = section.second.get<std::string> (I2P_SERVER_TUNNEL_KEYS);
+					// optional params
+					int inPort = section.second.get (I2P_SERVER_TUNNEL_INPORT, 0);
+					std::string accessList = section.second.get (I2P_SERVER_TUNNEL_ACCESS_LIST, "");					
+
+					auto localDestination = LoadLocalDestination (keys, true);
+					I2PServerTunnel * serverTunnel = (type == I2P_TUNNELS_SECTION_TYPE_HTTP) ? new I2PServerTunnelHTTP (host, port, localDestination, inPort) : new I2PServerTunnel (host, port, localDestination, inPort);
+					if (accessList.length () > 0)
+					{
+						std::set<i2p::data::IdentHash> idents;
+						size_t pos = 0, comma;
+						do
+						{
+							comma = accessList.find (',', pos);
+							i2p::data::IdentHash ident;
+							ident.FromBase32 (accessList.substr (pos, comma != std::string::npos ? comma - pos : std::string::npos));	
+							idents.insert (ident);
+							pos = comma + 1;
+						}
+						while (comma != std::string::npos);
+						serverTunnel->SetAccessList (idents);
+					}
+					if (m_ServerTunnels.insert (std::make_pair (localDestination->GetIdentHash (), std::unique_ptr<I2PServerTunnel>(serverTunnel))).second)
+						serverTunnel->Start ();
+					else
+						LogPrint (eLogError, "I2P server tunnel for destination ",   m_AddressBook.ToAddress(localDestination->GetIdentHash ()), " already exists");	
+					numServerTunnels++;
+				}
+				else
+					LogPrint (eLogWarning, "Unknown section type=", type, " of ", name, " in ", TUNNELS_CONFIG_FILENAME);
+				
+			}
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "Can't read tunnel ", name, " params: ", ex.what ());
+			}
+		}	
+		LogPrint (eLogInfo, numClientTunnels, " I2P client tunnels created");
+		LogPrint (eLogInfo, numServerTunnels, " I2P server tunnels created");
+	}	
 }		
 }	
--- a/ClientContext.h
+++ b/ClientContext.h
@@ -1,18 +1,36 @@
 #ifndef CLIENT_CONTEXT_H__
 #define CLIENT_CONTEXT_H__

+#include <map>
 #include <mutex>
+#include <memory>
 #include "Destination.h"
 #include "HTTPProxy.h"
 #include "SOCKS.h"
 #include "I2PTunnel.h"
 #include "SAM.h"
+#include "BOB.h"
 #include "AddressBook.h"

 namespace i2p
 {
 namespace client
 {
+	const char I2P_TUNNELS_SECTION_TYPE[] = "type";
+	const char I2P_TUNNELS_SECTION_TYPE_CLIENT[] = "client";
+	const char I2P_TUNNELS_SECTION_TYPE_SERVER[] = "server";
+	const char I2P_TUNNELS_SECTION_TYPE_HTTP[] = "http";
+	const char I2P_CLIENT_TUNNEL_PORT[] = "port";
+	const char I2P_CLIENT_TUNNEL_DESTINATION[] = "destination";
+	const char I2P_CLIENT_TUNNEL_KEYS[] = "keys";
+	const char I2P_CLIENT_TUNNEL_DESTINATION_PORT[] = "destinationport";	
+	const char I2P_SERVER_TUNNEL_HOST[] = "host";	
+	const char I2P_SERVER_TUNNEL_PORT[] = "port";
+	const char I2P_SERVER_TUNNEL_KEYS[] = "keys";
+	const char I2P_SERVER_TUNNEL_INPORT[] = "inport";
+	const char I2P_SERVER_TUNNEL_ACCESS_LIST[] = "accesslist";		
+	const char TUNNELS_CONFIG_FILENAME[] = "tunnels.cfg";
+
 	class ClientContext
 	{
 		public:
@@ -23,32 +41,36 @@ namespace client
 			void Start ();
 			void Stop ();

-			ClientDestination * GetSharedLocalDestination () const { return m_SharedLocalDestination; };
-			ClientDestination * CreateNewLocalDestination (bool isPublic = true, i2p::data::SigningKeyType sigType = i2p::data::SIGNING_KEY_TYPE_DSA_SHA1); // transient
-			ClientDestination * CreateNewLocalDestination (const i2p::data::PrivateKeys& keys, bool isPublic = true);
-			void DeleteLocalDestination (ClientDestination * destination);
-			ClientDestination * FindLocalDestination (const i2p::data::IdentHash& destination) const;		
-			ClientDestination * LoadLocalDestination (const std::string& filename, bool isPublic);
+			std::shared_ptr<ClientDestination> GetSharedLocalDestination () const { return m_SharedLocalDestination; };
+			std::shared_ptr<ClientDestination> CreateNewLocalDestination (bool isPublic = false, i2p::data::SigningKeyType sigType = i2p::data::SIGNING_KEY_TYPE_DSA_SHA1,
+			    const std::map<std::string, std::string> * params = nullptr); // transient
+			std::shared_ptr<ClientDestination> CreateNewLocalDestination (const i2p::data::PrivateKeys& keys, bool isPublic = true, 
+				const std::map<std::string, std::string> * params = nullptr);
+			void DeleteLocalDestination (std::shared_ptr<ClientDestination> destination);
+			std::shared_ptr<ClientDestination> FindLocalDestination (const i2p::data::IdentHash& destination) const;		
+			std::shared_ptr<ClientDestination> LoadLocalDestination (const std::string& filename, bool isPublic);

 			AddressBook& GetAddressBook () { return m_AddressBook; };
+			const SAMBridge * GetSAMBridge () const { return m_SamBridge; };
+		
+		private:

-		private:	
-
-			void LoadLocalDestinations ();
-			
+			void ReadTunnels ();
+	
 		private:

 			std::mutex m_DestinationsMutex;
-			std::map<i2p::data::IdentHash, ClientDestination *> m_Destinations;
-			ClientDestination * m_SharedLocalDestination;	
+			std::map<i2p::data::IdentHash, std::shared_ptr<ClientDestination> > m_Destinations;
+			std::shared_ptr<ClientDestination>  m_SharedLocalDestination;	

 			AddressBook m_AddressBook;

 			i2p::proxy::HTTPProxy * m_HttpProxy;
 			i2p::proxy::SOCKSProxy * m_SocksProxy;
-			I2PClientTunnel * m_IrcTunnel;
-			I2PServerTunnel * m_ServerTunnel;
+			std::map<int, std::unique_ptr<I2PClientTunnel> > m_ClientTunnels; // port->tunnel
+			std::map<i2p::data::IdentHash, std::unique_ptr<I2PServerTunnel> > m_ServerTunnels; // destination->tunnel
 			SAMBridge * m_SamBridge;
+			BOBCommandChannel * m_BOBCommandChannel;

 		public:
 			// for HTTP
--- a/Crypto.cpp
+++ b/Crypto.cpp
@@ -0,0 +1,619 @@
+#include <string.h>
+#include <string>
+#include <openssl/sha.h>
+#include <openssl/dh.h>
+#include <openssl/md5.h>
+#include <openssl/rand.h>
+#include "Log.h"
+//#include "TunnelBase.h"
+#include "Crypto.h"
+
+namespace i2p
+{
+namespace crypto
+{	
+	const uint8_t elgp_[256]=
+	{
+		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, 
+		0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 
+		0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+		0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+		0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+ 		0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+		0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+		0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 
+		0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+		0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+		0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 
+		0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+		0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+		0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+		0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+		0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+	};
+
+	const int elgg_ = 2;
+	
+	const uint8_t dsap_[128]=
+	{
+		0x9c, 0x05, 0xb2, 0xaa, 0x96, 0x0d, 0x9b, 0x97, 0xb8, 0x93, 0x19, 0x63, 0xc9, 0xcc, 0x9e, 0x8c,
+		0x30, 0x26, 0xe9, 0xb8, 0xed, 0x92, 0xfa, 0xd0, 0xa6, 0x9c, 0xc8, 0x86, 0xd5, 0xbf, 0x80, 0x15,
+		0xfc, 0xad, 0xae, 0x31, 0xa0, 0xad, 0x18, 0xfa, 0xb3, 0xf0, 0x1b, 0x00, 0xa3, 0x58, 0xde, 0x23,
+		0x76, 0x55, 0xc4, 0x96, 0x4a, 0xfa, 0xa2, 0xb3, 0x37, 0xe9, 0x6a, 0xd3, 0x16, 0xb9, 0xfb, 0x1c,
+		0xc5, 0x64, 0xb5, 0xae, 0xc5, 0xb6, 0x9a, 0x9f, 0xf6, 0xc3, 0xe4, 0x54, 0x87, 0x07, 0xfe, 0xf8,
+		0x50, 0x3d, 0x91, 0xdd, 0x86, 0x02, 0xe8, 0x67, 0xe6, 0xd3, 0x5d, 0x22, 0x35, 0xc1, 0x86, 0x9c,
+		0xe2, 0x47, 0x9c, 0x3b, 0x9d, 0x54, 0x01, 0xde, 0x04, 0xe0, 0x72, 0x7f, 0xb3, 0x3d, 0x65, 0x11, 
+		0x28, 0x5d, 0x4c, 0xf2, 0x95, 0x38, 0xd9, 0xe3, 0xb6, 0x05, 0x1f, 0x5b, 0x22, 0xcc, 0x1c, 0x93
+	};
+
+	const uint8_t dsaq_[20]=
+	{
+		0xa5, 0xdf, 0xc2, 0x8f, 0xef, 0x4c, 0xa1, 0xe2, 0x86, 0x74, 0x4c, 0xd8, 0xee, 0xd9, 0xd2, 0x9d,
+		0x68, 0x40, 0x46, 0xb7
+	};
+
+	const uint8_t dsag_[128]=
+	{
+		0x0c, 0x1f, 0x4d, 0x27, 0xd4, 0x00, 0x93, 0xb4, 0x29, 0xe9, 0x62, 0xd7, 0x22, 0x38, 0x24, 0xe0,
+		0xbb, 0xc4, 0x7e, 0x7c, 0x83, 0x2a, 0x39, 0x23, 0x6f, 0xc6, 0x83, 0xaf, 0x84, 0x88, 0x95, 0x81,
+		0x07, 0x5f, 0xf9, 0x08, 0x2e, 0xd3, 0x23, 0x53, 0xd4, 0x37, 0x4d, 0x73, 0x01, 0xcd, 0xa1, 0xd2,
+		0x3c, 0x43, 0x1f, 0x46, 0x98, 0x59, 0x9d, 0xda, 0x02, 0x45, 0x18, 0x24, 0xff, 0x36, 0x97, 0x52,
+		0x59, 0x36, 0x47, 0xcc, 0x3d, 0xdc, 0x19, 0x7d, 0xe9, 0x85, 0xe4, 0x3d, 0x13, 0x6c, 0xdc, 0xfc,
+		0x6b, 0xd5, 0x40, 0x9c, 0xd2, 0xf4, 0x50, 0x82, 0x11, 0x42, 0xa5, 0xe6, 0xf8, 0xeb, 0x1c, 0x3a,
+		0xb5, 0xd0, 0x48, 0x4b, 0x81, 0x29, 0xfc, 0xf1, 0x7b, 0xce, 0x4f, 0x7f, 0x33, 0x32, 0x1c, 0x3c, 
+		0xb3, 0xdb, 0xb1, 0x4a, 0x90, 0x5e, 0x7b, 0x2b, 0x3e, 0x93, 0xbe, 0x47, 0x08, 0xcb, 0xcc, 0x82  
+	};
+
+	const int rsae_ = 65537;	
+	
+	const CryptoConstants& GetCryptoConstants ()
+	{
+		static CryptoConstants cryptoConstants (elgp_, elgg_, dsap_, dsaq_, dsag_, rsae_);		                                        
+		return cryptoConstants;
+	}	
+
+	bool bn2buf (const BIGNUM * bn, uint8_t * buf, size_t len)
+	{
+		int offset = len - BN_num_bytes (bn);
+		if (offset < 0) return false;
+		BN_bn2bin (bn, buf + offset);
+		memset (buf, 0, offset);
+		return true;
+	}	
+
+// DH
+	
+	DHKeys::DHKeys (): m_IsUpdated (true)
+	{
+		m_DH = DH_new ();
+		m_DH->p = BN_dup (elgp);
+		m_DH->g = BN_dup (elgg);
+		m_DH->priv_key = NULL;
+		m_DH->pub_key = NULL;
+	}
+	
+	DHKeys::~DHKeys ()
+	{
+		DH_free (m_DH);
+	}	
+
+	void DHKeys::GenerateKeys (uint8_t * priv, uint8_t * pub)
+	{
+		if (m_DH->priv_key)  { BN_free (m_DH->priv_key); m_DH->priv_key = NULL; };
+		if (m_DH->pub_key)  { BN_free (m_DH->pub_key); m_DH->pub_key = NULL; };
+		DH_generate_key (m_DH);
+		if (priv) bn2buf (m_DH->priv_key, priv, 256);
+		if (pub) bn2buf (m_DH->pub_key, pub, 256);
+		m_IsUpdated = true;
+	}	
+
+	const uint8_t * DHKeys::GetPublicKey () 
+	{
+		if (m_IsUpdated)
+		{	
+			bn2buf (m_DH->pub_key, m_PublicKey, 256);
+			BN_free (m_DH->pub_key); m_DH->pub_key = NULL;
+			m_IsUpdated= false;
+		}	
+		return m_PublicKey;
+	}	
+	
+	void DHKeys::Agree (const uint8_t * pub, uint8_t * shared)
+	{
+		BIGNUM * pk = BN_bin2bn (pub, 256, NULL);
+		DH_compute_key (shared, pk, m_DH);
+		BN_free (pk);
+	}	
+	
+// ElGamal
+
+	ElGamalEncryption::ElGamalEncryption (const uint8_t * key)
+	{
+		ctx = BN_CTX_new ();
+		// select random k
+		BIGNUM * k = BN_new ();
+		BN_rand_range (k, elgp);
+		if (BN_is_zero (k)) BN_one (k);
+		// caulculate a
+		a = BN_new ();
+		BN_mod_exp (a, elgg, k, elgp, ctx);
+		BIGNUM * y = BN_new ();
+		BN_bin2bn (key, 256, y);
+		// calculate b1
+		b1 = BN_new ();
+		BN_mod_exp (b1, y, k, elgp, ctx);
+		BN_free (y);
+		BN_free (k);
+	}
+
+	ElGamalEncryption::~ElGamalEncryption ()
+	{
+		BN_CTX_free (ctx);
+		BN_free (a);
+		BN_free (b1);
+	}
+			
+	void ElGamalEncryption::Encrypt (const uint8_t * data, int len, uint8_t * encrypted, bool zeroPadding) const
+	{
+		// create m
+		uint8_t m[255];
+		m[0] = 0xFF;
+		memcpy (m+33, data, len);
+		SHA256 (m+33, 222, m+1);
+		// calculate b = b1*m mod p
+		BIGNUM * b = BN_new ();
+		BN_bin2bn (m, 255, b);
+		BN_mod_mul (b, b1, b, elgp, ctx);
+		// copy a and b
+		if (zeroPadding)
+		{
+			encrypted[0] = 0;
+			bn2buf (a, encrypted + 1, 256);
+			encrypted[257] = 0;
+			bn2buf (b, encrypted + 258, 256);
+		}	
+		else
+		{
+			bn2buf (a, encrypted, 256);
+			bn2buf (b, encrypted + 256, 256);
+		}		
+		BN_free (b);
+	}
+	
+	bool ElGamalDecrypt (const uint8_t * key, const uint8_t * encrypted, 
+		uint8_t * data, bool zeroPadding)
+	{
+		BN_CTX * ctx = BN_CTX_new ();
+		BIGNUM * x = BN_new (), * a = BN_new (), * b = BN_new ();
+		BN_bin2bn (key, 256, x);
+		BN_sub (x, elgp, x); BN_sub_word (x, 1); // x = elgp - x- 1
+		BN_bin2bn (zeroPadding ? encrypted + 1 : encrypted, 256, a);
+		BN_bin2bn (zeroPadding ? encrypted + 258 : encrypted + 256, 256, b);
+		// m = b*(a^x mod p) mod p		
+		BN_mod_exp (x, a, x, elgp, ctx);
+		BN_mod_mul (b, b, x, elgp, ctx);	
+		uint8_t m[255];
+		bn2buf (b, m, 255); 
+		BN_free (x); BN_free (a); BN_free (b); 
+		BN_CTX_free (ctx);
+		uint8_t hash[32];
+		SHA256 (m + 33, 222, hash);
+		if (memcmp (m + 1, hash, 32))
+		{
+			LogPrint (eLogError, "ElGamal decrypt hash doesn't match");
+			return false;
+		}	
+		memcpy (data, m + 33, 222);
+		return true;
+	}	
+
+	void GenerateElGamalKeyPair (uint8_t * priv, uint8_t * pub)
+	{
+#if defined(__x86_64__) || defined(__i386__) || defined(_MSC_VER)	
+		RAND_bytes (priv, 256);
+		BN_CTX * ctx = BN_CTX_new ();
+		BIGNUM * p = BN_new ();	
+		BN_bin2bn (priv, 256, p);
+		BN_mod_exp (p, elgg, p, elgp, ctx);
+		bn2buf (p, pub, 256); 
+		BN_free (p);
+		BN_CTX_free (ctx);
+#else
+		DHKeys dh;
+		dh.GenerateKeys (priv, pub);
+		
+#endif		
+	}
+
+// HMAC
+	const uint64_t IPAD = 0x3636363636363636;
+	const uint64_t OPAD = 0x5C5C5C5C5C5C5C5C; 			
+		
+	void HMACMD5Digest (uint8_t * msg, size_t len, const MACKey& key, uint8_t * digest)
+	// key is 32 bytes
+	// digest is 16 bytes
+	// block size is 64 bytes	
+	{
+		uint64_t buf[256];
+		// ikeypad
+		buf[0] = key.GetLL ()[0] ^ IPAD; 
+		buf[1] = key.GetLL ()[1] ^ IPAD; 
+		buf[2] = key.GetLL ()[2] ^ IPAD; 
+		buf[3] = key.GetLL ()[3] ^ IPAD; 
+		buf[4] = IPAD; 
+		buf[5] = IPAD; 
+		buf[6] = IPAD; 
+		buf[7] = IPAD; 		
+		// concatenate with msg
+		memcpy (buf + 8, msg, len);
+		// calculate first hash
+		uint8_t hash[16]; // MD5
+		MD5((uint8_t *)buf, len + 64, hash);
+		
+		// okeypad			
+		buf[0] = key.GetLL ()[0] ^ OPAD; 
+		buf[1] = key.GetLL ()[1] ^ OPAD; 
+		buf[2] = key.GetLL ()[2] ^ OPAD; 
+		buf[3] = key.GetLL ()[3] ^ OPAD; 
+		buf[4] = OPAD; 
+		buf[5] = OPAD; 
+		buf[6] = OPAD; 
+		buf[7] = OPAD; 
+		// copy first hash after okeypad		
+		memcpy (buf + 8, hash, 16);
+		// fill next 16 bytes with zeros (first hash size assumed 32 bytes in I2P)
+		memset (buf + 10, 0, 16);			
+		
+		// calculate digest
+		MD5((uint8_t *)buf, 96, digest);
+	}
+
+// AES
+	#ifdef AESNI
+	
+	#define KeyExpansion256(round0,round1) \
+		"pshufd	$0xff, %%xmm2, %%xmm2 \n" \
+		"movaps	%%xmm1, %%xmm4 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm1 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm1 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm1 \n" \
+		"pxor %%xmm2, %%xmm1 \n" \
+		"movaps	%%xmm1, "#round0"(%[sched]) \n" \
+		"aeskeygenassist $0, %%xmm1, %%xmm4 \n" \
+		"pshufd	$0xaa, %%xmm4, %%xmm2 \n" \
+		"movaps	%%xmm3, %%xmm4 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm3 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm3 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm3 \n" \
+		"pxor %%xmm2, %%xmm3 \n" \
+		"movaps	%%xmm3, "#round1"(%[sched]) \n" 
+
+	void ECBCryptoAESNI::ExpandKey (const AESKey& key)
+	{
+		__asm__
+		(
+			"movups (%[key]), %%xmm1 \n"
+			"movups 16(%[key]), %%xmm3 \n"
+			"movaps %%xmm1, (%[sched]) \n"
+			"movaps %%xmm3, 16(%[sched]) \n"
+			"aeskeygenassist $1, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(32,48)
+			"aeskeygenassist $2, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(64,80)
+			"aeskeygenassist $4, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(96,112)
+			"aeskeygenassist $8, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(128,144)
+			"aeskeygenassist $16, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(160,176)
+			"aeskeygenassist $32, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(192,208)
+			"aeskeygenassist $64, %%xmm3, %%xmm2 \n"
+			// key expansion final
+			"pshufd	$0xff, %%xmm2, %%xmm2 \n"
+			"movaps	%%xmm1, %%xmm4 \n" 
+			"pslldq	$4, %%xmm4 \n"
+			"pxor %%xmm4, %%xmm1 \n"
+			"pslldq	$4, %%xmm4 \n"
+			"pxor %%xmm4, %%xmm1 \n"
+			"pslldq	$4, %%xmm4 \n"
+			"pxor %%xmm4, %%xmm1 \n"
+			"pxor %%xmm2, %%xmm1 \n"
+			"movups	%%xmm1, 224(%[sched]) \n"
+			: // output
+			: [key]"r"((const uint8_t *)key), [sched]"r"(GetKeySchedule ()) // input
+			: "%xmm1", "%xmm2", "%xmm3", "%xmm4", "memory" // clogged
+		);
+	}
+
+	#define EncryptAES256(sched) \
+		"pxor (%["#sched"]), %%xmm0 \n" \
+		"aesenc	16(%["#sched"]), %%xmm0 \n" \
+		"aesenc	32(%["#sched"]), %%xmm0 \n" \
+		"aesenc	48(%["#sched"]), %%xmm0 \n" \
+		"aesenc	64(%["#sched"]), %%xmm0 \n" \
+		"aesenc	80(%["#sched"]), %%xmm0 \n" \
+		"aesenc	96(%["#sched"]), %%xmm0 \n" \
+		"aesenc	112(%["#sched"]), %%xmm0 \n" \
+		"aesenc	128(%["#sched"]), %%xmm0 \n" \
+		"aesenc	144(%["#sched"]), %%xmm0 \n" \
+		"aesenc	160(%["#sched"]), %%xmm0 \n" \
+		"aesenc	176(%["#sched"]), %%xmm0 \n" \
+		"aesenc	192(%["#sched"]), %%xmm0 \n" \
+		"aesenc	208(%["#sched"]), %%xmm0 \n" \
+		"aesenclast	224(%["#sched"]), %%xmm0 \n"
+		
+	void ECBEncryptionAESNI::Encrypt (const ChipherBlock * in, ChipherBlock * out)
+	{
+		__asm__
+		(
+			"movups	(%[in]), %%xmm0 \n"
+			EncryptAES256(sched)
+			"movups	%%xmm0, (%[out]) \n"	
+			: : [sched]"r"(GetKeySchedule ()), [in]"r"(in), [out]"r"(out) : "%xmm0", "memory"
+		);
+	}		
+
+	#define DecryptAES256(sched) \
+		"pxor 224(%["#sched"]), %%xmm0 \n" \
+		"aesdec	208(%["#sched"]), %%xmm0 \n" \
+		"aesdec	192(%["#sched"]), %%xmm0 \n" \
+		"aesdec	176(%["#sched"]), %%xmm0 \n" \
+		"aesdec	160(%["#sched"]), %%xmm0 \n" \
+		"aesdec	144(%["#sched"]), %%xmm0 \n" \
+		"aesdec	128(%["#sched"]), %%xmm0 \n" \
+		"aesdec	112(%["#sched"]), %%xmm0 \n" \
+		"aesdec	96(%["#sched"]), %%xmm0 \n" \
+		"aesdec	80(%["#sched"]), %%xmm0 \n" \
+		"aesdec	64(%["#sched"]), %%xmm0 \n" \
+		"aesdec	48(%["#sched"]), %%xmm0 \n" \
+		"aesdec	32(%["#sched"]), %%xmm0 \n" \
+		"aesdec	16(%["#sched"]), %%xmm0 \n" \
+		"aesdeclast (%["#sched"]), %%xmm0 \n"
+	
+	void ECBDecryptionAESNI::Decrypt (const ChipherBlock * in, ChipherBlock * out)
+	{
+		__asm__
+		(
+			"movups	(%[in]), %%xmm0 \n"
+			DecryptAES256(sched)
+			"movups	%%xmm0, (%[out]) \n"	
+			: : [sched]"r"(GetKeySchedule ()), [in]"r"(in), [out]"r"(out) : "%xmm0", "memory"
+		);		
+	}
+
+	#define CallAESIMC(offset) \
+		"movaps "#offset"(%[shed]), %%xmm0 \n"	\
+		"aesimc %%xmm0, %%xmm0 \n" \
+		"movaps %%xmm0, "#offset"(%[shed]) \n" 
+
+	void ECBDecryptionAESNI::SetKey (const AESKey& key)
+	{
+		ExpandKey (key); // expand encryption key first
+		// then  invert it using aesimc
+		__asm__
+		(
+			CallAESIMC(16)
+			CallAESIMC(32)
+			CallAESIMC(48)
+			CallAESIMC(64)
+			CallAESIMC(80)
+			CallAESIMC(96)
+			CallAESIMC(112)
+			CallAESIMC(128)
+			CallAESIMC(144)
+			CallAESIMC(160)
+			CallAESIMC(176)
+			CallAESIMC(192)
+			CallAESIMC(208)
+			: : [shed]"r"(GetKeySchedule ()) : "%xmm0", "memory"
+		);
+	}
+
+#endif		
+
+
+	void CBCEncryption::Encrypt (int numBlocks, const ChipherBlock * in, ChipherBlock * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+		 	"movups	(%[iv]), %%xmm1 \n"
+		 	"1: \n"
+		 	"movups	(%[in]), %%xmm0 \n"
+		 	"pxor %%xmm1, %%xmm0 \n"
+		 	EncryptAES256(sched)
+		 	"movaps	%%xmm0, %%xmm1 \n"	
+		 	"movups	%%xmm0, (%[out]) \n"
+		 	"add $16, %[in] \n"
+		 	"add $16, %[out] \n"
+		 	"dec %[num] \n"
+		 	"jnz 1b \n"	 	
+		 	"movups	%%xmm1, (%[iv]) \n"
+			: 
+			: [iv]"r"(&m_LastBlock), [sched]"r"(m_ECBEncryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out), [num]"r"(numBlocks)
+			: "%xmm0", "%xmm1", "cc", "memory"
+		); 
+#else		
+		for (int i = 0; i < numBlocks; i++)
+		{
+			m_LastBlock ^= in[i];
+			m_ECBEncryption.Encrypt (&m_LastBlock, &m_LastBlock);
+			out[i] = m_LastBlock;
+		}
+#endif		
+	}
+
+	void CBCEncryption::Encrypt (const uint8_t * in, std::size_t len, uint8_t * out)
+	{
+		// len/16
+		int numBlocks = len >> 4;
+		if (numBlocks > 0)
+			Encrypt (numBlocks, (const ChipherBlock *)in, (ChipherBlock *)out); 
+	}
+
+	void CBCEncryption::Encrypt (const uint8_t * in, uint8_t * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+			"movups	(%[iv]), %%xmm1 \n"
+			"movups	(%[in]), %%xmm0 \n"
+		 	"pxor %%xmm1, %%xmm0 \n"
+		 	EncryptAES256(sched)
+			"movups	%%xmm0, (%[out]) \n"
+			"movups	%%xmm0, (%[iv]) \n"
+			: 
+			: [iv]"r"(&m_LastBlock), [sched]"r"(m_ECBEncryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out)
+			: "%xmm0", "%xmm1", "memory"
+		);		
+#else
+		Encrypt (1, (const ChipherBlock *)in, (ChipherBlock *)out); 
+#endif
+	}
+
+	void CBCDecryption::Decrypt (int numBlocks, const ChipherBlock * in, ChipherBlock * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+			"movups	(%[iv]), %%xmm1 \n"
+		 	"1: \n"
+		 	"movups	(%[in]), %%xmm0 \n"
+			"movaps %%xmm0, %%xmm2 \n"
+		 	DecryptAES256(sched)
+			"pxor %%xmm1, %%xmm0 \n"
+		 	"movups	%%xmm0, (%[out]) \n"
+			"movaps %%xmm2, %%xmm1 \n"
+		 	"add $16, %[in] \n"
+		 	"add $16, %[out] \n"
+		 	"dec %[num] \n"
+		 	"jnz 1b \n"	 	
+		 	"movups	%%xmm1, (%[iv]) \n"
+			: 
+			: [iv]"r"(&m_IV), [sched]"r"(m_ECBDecryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out), [num]"r"(numBlocks)
+			: "%xmm0", "%xmm1", "%xmm2", "cc", "memory"
+		); 
+#else
+		for (int i = 0; i < numBlocks; i++)
+		{
+			ChipherBlock tmp = in[i];
+			m_ECBDecryption.Decrypt (in + i, out + i);
+			out[i] ^= m_IV;
+			m_IV = tmp;
+		}
+#endif
+	}
+
+	void CBCDecryption::Decrypt (const uint8_t * in, std::size_t len, uint8_t * out)
+	{
+		int numBlocks = len >> 4;
+		if (numBlocks > 0)
+			Decrypt (numBlocks, (const ChipherBlock *)in, (ChipherBlock *)out); 
+	}
+
+	void CBCDecryption::Decrypt (const uint8_t * in, uint8_t * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+			"movups	(%[iv]), %%xmm1 \n"
+		 	"movups	(%[in]), %%xmm0 \n"
+			"movups	%%xmm0, (%[iv]) \n"
+		 	DecryptAES256(sched)
+			"pxor %%xmm1, %%xmm0 \n"
+		 	"movups	%%xmm0, (%[out]) \n"	
+			: 
+			: [iv]"r"(&m_IV), [sched]"r"(m_ECBDecryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out)
+			: "%xmm0", "%xmm1", "memory"
+		);
+#else
+		Decrypt (1, (const ChipherBlock *)in, (ChipherBlock *)out); 
+#endif
+	}
+
+	void TunnelEncryption::Encrypt (const uint8_t * in, uint8_t * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+            // encrypt IV 
+			"movups	(%[in]), %%xmm0 \n"
+			EncryptAES256(sched_iv)
+			"movaps %%xmm0, %%xmm1 \n"
+			// double IV encryption
+			EncryptAES256(sched_iv)
+			"movups %%xmm0, (%[out]) \n"
+			// encrypt data, IV is xmm1
+			"1: \n"
+			"add $16, %[in] \n"
+		    "add $16, %[out] \n"
+		 	"movups	(%[in]), %%xmm0 \n"
+		 	"pxor %%xmm1, %%xmm0 \n"
+		 	EncryptAES256(sched_l)
+		 	"movaps	%%xmm0, %%xmm1 \n"	
+		 	"movups	%%xmm0, (%[out]) \n"
+		 	"dec %[num] \n"
+		 	"jnz 1b \n"	 	
+			: 
+			: [sched_iv]"r"(m_IVEncryption.GetKeySchedule ()), [sched_l]"r"(m_LayerEncryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out), [num]"r"(63) // 63 blocks = 1008 bytes
+			: "%xmm0", "%xmm1", "cc", "memory"
+		);
+#else
+		m_IVEncryption.Encrypt ((const ChipherBlock *)in, (ChipherBlock *)out); // iv
+		m_LayerEncryption.SetIV (out);
+		m_LayerEncryption.Encrypt (in + 16, /*i2p::tunnel::TUNNEL_DATA_ENCRYPTED_SIZE*/1008, out + 16); // data
+		m_IVEncryption.Encrypt ((ChipherBlock *)out, (ChipherBlock *)out); // double iv
+#endif
+	}
+
+	void TunnelDecryption::Decrypt (const uint8_t * in, uint8_t * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+            // decrypt IV 
+			"movups	(%[in]), %%xmm0 \n"
+			DecryptAES256(sched_iv)
+			"movaps %%xmm0, %%xmm1 \n"
+			// double IV encryption
+			DecryptAES256(sched_iv)
+			"movups %%xmm0, (%[out]) \n"
+			// decrypt data, IV is xmm1
+			"1: \n"
+			"add $16, %[in] \n"
+		    "add $16, %[out] \n"
+			"movups	(%[in]), %%xmm0 \n"
+			"movaps %%xmm0, %%xmm2 \n"
+		 	DecryptAES256(sched_l)
+			"pxor %%xmm1, %%xmm0 \n"
+		 	"movups	%%xmm0, (%[out]) \n"
+			"movaps %%xmm2, %%xmm1 \n"
+		 	"dec %[num] \n"
+		 	"jnz 1b \n"	 	
+			: 
+			: [sched_iv]"r"(m_IVDecryption.GetKeySchedule ()), [sched_l]"r"(m_LayerDecryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out), [num]"r"(63) // 63 blocks = 1008 bytes
+			: "%xmm0", "%xmm1", "%xmm2", "cc", "memory"
+		);
+#else
+		m_IVDecryption.Decrypt ((const ChipherBlock *)in, (ChipherBlock *)out); // iv
+		m_LayerDecryption.SetIV (out);	
+		m_LayerDecryption.Decrypt (in + 16, /*i2p::tunnel::TUNNEL_DATA_ENCRYPTED_SIZE*/1008, out + 16); // data
+		m_IVDecryption.Decrypt ((ChipherBlock *)out, (ChipherBlock *)out); // double iv
+#endif
+	}	
+}
+}
+
--- a/Crypto.h
+++ b/Crypto.h
@@ -1,15 +1,113 @@
-#ifndef AES_H__
-#define AES_H__
+#ifndef CRYPTO_H__
+#define CRYPTO_H__

 #include <inttypes.h>
-#include <cryptopp/modes.h>
-#include <cryptopp/aes.h>
-#include "Identity.h"
+#include <string>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/aes.h>
+#include "Base.h"

 namespace i2p
 {
 namespace crypto
-{	
+{
+	struct CryptoConstants
+	{
+		// DH/ElGamal
+		BIGNUM * elgp;
+		BIGNUM * elgg; 
+
+		// DSA
+		BIGNUM * dsap;		
+		BIGNUM * dsaq;
+		BIGNUM * dsag;
+
+		// RSA
+		BIGNUM * rsae;
+		
+		CryptoConstants (const uint8_t * elgp_, int elgg_, const uint8_t * dsap_, 
+			const uint8_t * dsaq_, const uint8_t * dsag_, int rsae_)
+		{
+			elgp = BN_new ();
+			BN_bin2bn (elgp_, 256, elgp);
+			elgg = BN_new ();
+			BN_set_word (elgg, elgg_);
+			dsap = BN_new ();
+			BN_bin2bn (dsap_, 128, dsap);
+			dsaq = BN_new ();
+			BN_bin2bn (dsaq_, 20, dsaq);
+			dsag = BN_new ();
+			BN_bin2bn (dsag_, 128, dsag);
+			rsae = BN_new ();
+			BN_set_word (rsae, rsae_);
+		}
+		
+		~CryptoConstants ()
+		{
+			BN_free (elgp);  BN_free (elgg); BN_free (dsap); BN_free (dsaq); BN_free (dsag); BN_free (rsae);
+		}	
+	};	
+	
+	const CryptoConstants& GetCryptoConstants ();
+	
+	// DH/ElGamal	
+	#define elgp GetCryptoConstants ().elgp
+	#define elgg GetCryptoConstants ().elgg
+
+	// DSA
+	#define dsap GetCryptoConstants ().dsap	
+	#define dsaq GetCryptoConstants ().dsaq
+	#define dsag GetCryptoConstants ().dsag	
+
+	// RSA
+	#define rsae GetCryptoConstants ().rsae	
+
+	bool bn2buf (const BIGNUM * bn, uint8_t * buf, size_t len);
+
+	// DH
+	class DHKeys
+	{
+		public:
+			
+			DHKeys ();
+			~DHKeys ();
+
+			void GenerateKeys (uint8_t * priv = nullptr, uint8_t * pub = nullptr);
+			const uint8_t * GetPublicKey ();
+			void Agree (const uint8_t * pub, uint8_t * shared);
+			
+		private:
+
+			DH * m_DH;
+			uint8_t m_PublicKey[256];
+			bool m_IsUpdated;
+	};	
+	
+	// ElGamal
+	class ElGamalEncryption
+	{
+		public:
+
+			ElGamalEncryption (const uint8_t * key);
+			~ElGamalEncryption ();
+			
+			void Encrypt (const uint8_t * data, int len, uint8_t * encrypted, bool zeroPadding = false) const;
+
+		private:
+
+			BN_CTX * ctx;
+			BIGNUM * a, * b1;
+	};
+
+	bool ElGamalDecrypt (const uint8_t * key, const uint8_t * encrypted, uint8_t * data, bool zeroPadding = false);
+	void GenerateElGamalKeyPair (uint8_t * priv, uint8_t * pub);
+
+	// HMAC
+	typedef i2p::data::Tag<32> MACKey;		
+	void HMACMD5Digest (uint8_t * msg, size_t len, const MACKey& key, uint8_t * digest);
+
+	// AES
 	struct ChipherBlock	
 	{
 		uint8_t buf[16];
@@ -45,7 +143,7 @@ namespace crypto
 			AESAlignedBuffer ()
 			{
 				m_Buf = m_UnalignedBuffer;
-				uint8_t rem = ((uint64_t)m_Buf) & 0x0f;
+				uint8_t rem = ((size_t)m_Buf) & 0x0f;
 				if (rem)
 					m_Buf += (16 - rem);
 			}
@@ -95,7 +193,7 @@ namespace crypto
 	typedef ECBEncryptionAESNI ECBEncryption;
 	typedef ECBDecryptionAESNI ECBDecryption;

-#else // use crypto++
+#else // use openssl

 	class ECBEncryption
 	{
@@ -103,16 +201,16 @@ namespace crypto
 		
 			void SetKey (const AESKey& key) 
 			{ 
-				m_Encryption.SetKey (key, 32); 
+				AES_set_encrypt_key (key, 256, &m_Key);
 			}
 			void Encrypt (const ChipherBlock * in, ChipherBlock * out)
 			{
-				m_Encryption.ProcessData (out->buf, in->buf, 16);
+				AES_encrypt (in->buf, out->buf, &m_Key);
 			}	

 		private:

-			CryptoPP::ECB_Mode<CryptoPP::AES>::Encryption m_Encryption;
+			AES_KEY m_Key;
 	};	

 	class ECBDecryption
@@ -121,16 +219,16 @@ namespace crypto
 		
 			void SetKey (const AESKey& key) 
 			{ 
-				m_Decryption.SetKey (key, 32); 
+				AES_set_decrypt_key (key, 256, &m_Key); 
 			}
 			void Decrypt (const ChipherBlock * in, ChipherBlock * out)
 			{
-				m_Decryption.ProcessData (out->buf, in->buf, 16);
+				AES_decrypt (in->buf, out->buf, &m_Key);
 			}	

 		private:

-			CryptoPP::ECB_Mode<CryptoPP::AES>::Decryption m_Decryption;
+			AES_KEY m_Key;
 	};		


@@ -185,7 +283,7 @@ namespace crypto
 				m_IVEncryption.SetKey (ivKey);
 			}	

-			void Encrypt (uint8_t * payload); // 1024 bytes (16 IV + 1008 data)		
+			void Encrypt (const uint8_t * in, uint8_t * out); // 1024 bytes (16 IV + 1008 data)		

 		private:

@@ -207,7 +305,7 @@ namespace crypto
 				m_IVDecryption.SetKey (ivKey);
 			}			

-			void Decrypt (uint8_t * payload); // 1024 bytes (16 IV + 1008 data)	
+			void Decrypt (const uint8_t * in, uint8_t * out); // 1024 bytes (16 IV + 1008 data)	

 		private:

@@ -217,9 +315,8 @@ namespace crypto
 #else
 			CBCDecryption m_LayerDecryption;
 #endif
-	};
-}
-}
+	};	
+}		
+}	

 #endif
-
--- a/CryptoConst.h
+++ b/CryptoConst.h
@@ -28,7 +28,10 @@ namespace crypto
 	// DSA
 	#define dsap GetCryptoConstants ().dsap	
 	#define dsaq GetCryptoConstants ().dsaq
-	#define dsag GetCryptoConstants ().dsag		
+	#define dsag GetCryptoConstants ().dsag	
+
+	// RSA
+	const int rsae = 65537;	
 }		
 }	

--- a/Daemon.cpp
+++ b/Daemon.cpp
@@ -1,9 +1,10 @@
 #include <thread>
+#include <memory>

 #include "Daemon.h"

 #include "Log.h"
-#include "base64.h"
+#include "Base.h"
 #include "version.h"
 #include "Transports.h"
 #include "NTCPSession.h"
@@ -16,7 +17,14 @@
 #include "Streaming.h"
 #include "Destination.h"
 #include "HTTPServer.h"
+#include "I2PControl.h"
 #include "ClientContext.h"
+// ssl.h somehow pulls Windows.h stuff that has to go after asio
+#include <openssl/ssl.h>
+
+#ifdef USE_UPNP
+#include "UPnP.h"
+#endif

 namespace i2p
 {
@@ -25,14 +33,15 @@ namespace i2p
 		class Daemon_Singleton::Daemon_Singleton_Private
 		{
 		public:
-			Daemon_Singleton_Private() : httpServer(nullptr)
-			{};
-			~Daemon_Singleton_Private() 
-			{
-				delete httpServer;
-			};
+			Daemon_Singleton_Private() {};
+			~Daemon_Singleton_Private() {};

-			i2p::util::HTTPServer *httpServer;
+			std::unique_ptr<i2p::util::HTTPServer> httpServer;
+			std::unique_ptr<i2p::client::I2PControlService> m_I2PControlService;
+
+#ifdef USE_UPNP
+			i2p::transport::UPnP m_UPnP;
+#endif	
 		};

 		Daemon_Singleton::Daemon_Singleton() : running(1), d(*new Daemon_Singleton_Private()) {};
@@ -51,6 +60,7 @@ namespace i2p

 		bool Daemon_Singleton::init(int argc, char* argv[])
 		{
+			SSL_library_init ();
 			i2p::util::config::OptionParser(argc, argv);
 			i2p::context.Init ();

@@ -69,11 +79,17 @@ namespace i2p
 			if (host && host[0])
 				i2p::context.UpdateAddress (boost::asio::ip::address::from_string (host));	

-			if (i2p::util::config::GetArg("-unreachable", 0))
-				i2p::context.SetUnreachable ();
-
 			i2p::context.SetSupportsV6 (i2p::util::config::GetArg("-v6", 0));
-			
+			i2p::context.SetFloodfill (i2p::util::config::GetArg("-floodfill", 0));
+			auto bandwidth = i2p::util::config::GetArg("-bandwidth", "");
+			if (bandwidth.length () > 0)
+			{
+				if (bandwidth[0] > 'L')
+					i2p::context.SetHighBandwidth ();
+				else
+					i2p::context.SetLowBandwidth ();
+			}	
+
 			LogPrint("CMD parameters:");
 			for (int i = 0; i < argc; ++i)
 				LogPrint(i, "  ", argv[i]);
@@ -89,29 +105,40 @@ namespace i2p
 				if (isDaemon)
 				{
 					std::string logfile_path = IsService () ? "/var/log" : i2p::util::filesystem::GetDataDir().string();
-	#ifndef _WIN32
+#ifndef _WIN32
 					logfile_path.append("/i2pd.log");
-	#else
+#else
 					logfile_path.append("\\i2pd.log");
-	#endif
+#endif
 					StartLog (logfile_path);
 				}
 				else
 					StartLog (""); // write to stdout
 			}

-			d.httpServer = new i2p::util::HTTPServer(i2p::util::config::GetArg("-httpport", 7070));
+			d.httpServer = std::unique_ptr<i2p::util::HTTPServer>(new i2p::util::HTTPServer(i2p::util::config::GetArg("-httpport", 7070)));
 			d.httpServer->Start();
 			LogPrint("HTTP Server started");
 			i2p::data::netdb.Start();
 			LogPrint("NetDB started");
+#ifdef USE_UPNP
+			d.m_UPnP.Start ();
+			LogPrint(eLogInfo, "UPnP started");
+#endif			
 			i2p::transport::transports.Start();
 			LogPrint("Transports started");
 			i2p::tunnel::tunnels.Start();
 			LogPrint("Tunnels started");
 			i2p::client::context.Start ();
 			LogPrint("Client started");
-			
+			// I2P Control
+			int i2pcontrolPort = i2p::util::config::GetArg("-i2pcontrolport", 0);
+			if (i2pcontrolPort)
+			{
+				d.m_I2PControlService = std::unique_ptr<i2p::client::I2PControlService>(new i2p::client::I2PControlService (i2pcontrolPort));
+				d.m_I2PControlService->Start ();
+				LogPrint("I2PControl started");
+			}
 			return true;
 		}

@@ -119,19 +146,28 @@ namespace i2p
 		{
 			LogPrint("Shutdown started.");
 			i2p::client::context.Stop();
-			LogPrint("Client stoped");
+			LogPrint("Client stopped");
 			i2p::tunnel::tunnels.Stop();
-			LogPrint("Tunnels stoped");
+			LogPrint("Tunnels stopped");
+#ifdef USE_UPNP
+			d.m_UPnP.Stop ();
+			LogPrint(eLogInfo, "UPnP stopped");
+#endif			
 			i2p::transport::transports.Stop();
-			LogPrint("Transports stoped");
+			LogPrint("Transports stopped");
 			i2p::data::netdb.Stop();
-			LogPrint("NetDB stoped");
+			LogPrint("NetDB stopped");
 			d.httpServer->Stop();
-			LogPrint("HTTP Server stoped");
+			d.httpServer = nullptr;
+			LogPrint("HTTP Server stopped");
+			if (d.m_I2PControlService)
+			{
+				d.m_I2PControlService->Stop ();
+				d.m_I2PControlService = nullptr;
+				LogPrint("I2PControl stopped");	
+			}	
 			StopLog ();

-			delete d.httpServer; d.httpServer = nullptr;
-
 			return true;
 		}
 	}
--- a/DaemonLinux.cpp
+++ b/DaemonLinux.cpp
@@ -62,7 +62,8 @@ namespace i2p
 					LogPrint("Error, could not create process group.");
 					return false;
 				}
-				chdir(i2p::util::filesystem::GetDataDir().string().c_str());
+				std::string d(i2p::util::filesystem::GetDataDir().string ()); // make a copy
+				chdir(d.c_str());

 				// close stdin/stdout/stderr descriptors
 				::close (0);
--- a/Datagram.cpp
+++ b/Datagram.cpp
@@ -1,7 +1,7 @@
 #include <string.h>
 #include <vector>
-#include <cryptopp/sha.h>
-#include <cryptopp/gzip.h>
+#include <openssl/sha.h>
+#include <openssl/rand.h>
 #include "Log.h"
 #include "TunnelBase.h"
 #include "RouterContext.h"
@@ -12,62 +12,78 @@ namespace i2p
 {
 namespace datagram
 {
-	DatagramDestination::DatagramDestination (i2p::client::ClientDestination& owner): 
+	DatagramDestination::DatagramDestination (std::shared_ptr<i2p::client::ClientDestination> owner): 
 		m_Owner (owner), m_Receiver (nullptr)
 	{
 	}
-
-	void DatagramDestination::SendDatagramTo (const uint8_t * payload, size_t len, const i2p::data::LeaseSet& remote)
+	
+	DatagramDestination::~DatagramDestination ()
+	{
+	}
+	
+	void DatagramDestination::SendDatagramTo (const uint8_t * payload, size_t len, const i2p::data::IdentHash& ident, uint16_t fromPort, uint16_t toPort)
 	{
 		uint8_t buf[MAX_DATAGRAM_SIZE];
-		auto identityLen = m_Owner.GetIdentity ().ToBuffer (buf, MAX_DATAGRAM_SIZE);
+		auto identityLen = m_Owner->GetIdentity ()->ToBuffer (buf, MAX_DATAGRAM_SIZE);
 		uint8_t * signature = buf + identityLen;
-		auto signatureLen = m_Owner.GetIdentity ().GetSignatureLen ();
+		auto signatureLen = m_Owner->GetIdentity ()->GetSignatureLen ();
 		uint8_t * buf1 = signature + signatureLen;
 		size_t headerLen = identityLen + signatureLen;
 		
 		memcpy (buf1, payload, len);	
-		if (m_Owner.GetIdentity ().GetSigningKeyType () == i2p::data::SIGNING_KEY_TYPE_DSA_SHA1)
+		if (m_Owner->GetIdentity ()->GetSigningKeyType () == i2p::data::SIGNING_KEY_TYPE_DSA_SHA1)
 		{
 			uint8_t hash[32];	
-			CryptoPP::SHA256().CalculateDigest (hash, buf1, len);
-			m_Owner.Sign (hash, 32, signature);
+			SHA256(buf1, len, hash);
+			m_Owner->Sign (hash, 32, signature);
 		}
 		else
-			m_Owner.Sign (buf1, len, signature);
-		
-		auto service = m_Owner.GetService ();
-		if (service) 
-			service->post (boost::bind (&DatagramDestination::SendMsg, this, 
-				CreateDataMessage (buf, len + headerLen), remote));
+			m_Owner->Sign (buf1, len, signature);
+
+		auto msg = CreateDataMessage (buf, len + headerLen, fromPort, toPort); 
+		auto remote = m_Owner->FindLeaseSet (ident);
+		if (remote)
+			m_Owner->GetService ().post (std::bind (&DatagramDestination::SendMsg, this, msg, remote));
 		else
-			LogPrint (eLogWarning, "Failed to send datagram. Destination is not running");
+			m_Owner->RequestDestination (ident, std::bind (&DatagramDestination::HandleLeaseSetRequestComplete, this, std::placeholders::_1, msg));
 	}

-	void DatagramDestination::SendMsg (I2NPMessage * msg, const i2p::data::LeaseSet& remote)
+	void DatagramDestination::HandleLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> remote, I2NPMessage * msg)
 	{
-		auto leases = remote.GetNonExpiredLeases ();
-		if (!leases.empty ())
+		if (remote)
+			SendMsg (msg, remote);
+		else
+			DeleteI2NPMessage (msg);
+	}	
+		
+	void DatagramDestination::SendMsg (I2NPMessage * msg, std::shared_ptr<const i2p::data::LeaseSet> remote)
+	{
+		auto outboundTunnel = m_Owner->GetTunnelPool ()->GetNextOutboundTunnel ();
+		auto leases = remote->GetNonExpiredLeases ();
+		if (!leases.empty () && outboundTunnel)
 		{
 			std::vector<i2p::tunnel::TunnelMessageBlock> msgs;			
-			uint32_t i = i2p::context.GetRandomNumberGenerator ().GenerateWord32 (0, leases.size () - 1);
-			auto garlic = m_Owner.WrapMessage (remote, msg, true);
+			uint32_t i = rand () % leases.size ();
+			auto garlic = m_Owner->WrapMessage (remote, ToSharedI2NPMessage (msg), true);
 			msgs.push_back (i2p::tunnel::TunnelMessageBlock 
 				{ 
 					i2p::tunnel::eDeliveryTypeTunnel,
 					leases[i].tunnelGateway, leases[i].tunnelID,
 					garlic
 				});
-			m_Owner.SendTunnelDataMsgs (msgs);
+			outboundTunnel->SendTunnelDataMsg (msgs);
 		}
 		else
 		{
-			LogPrint (eLogWarning, "Failed to send datagram. All leases expired");
+			if (outboundTunnel)
+				LogPrint (eLogWarning, "Failed to send datagram. All leases expired");
+			else
+				LogPrint (eLogWarning, "Failed to send datagram. No outbound tunnels");
 			DeleteI2NPMessage (msg);	
 		}	
 	}

-	void DatagramDestination::HandleDatagram (const uint8_t * buf, size_t len)
+	void DatagramDestination::HandleDatagram (uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len)
 	{
 		i2p::data::IdentityEx identity;
 		size_t identityLen = identity.FromBuffer (buf, len);
@@ -77,17 +93,20 @@ namespace datagram
 		bool verified = false;
 		if (identity.GetSigningKeyType () == i2p::data::SIGNING_KEY_TYPE_DSA_SHA1)
 		{
-			uint8_t hash[32];	
-			CryptoPP::SHA256().CalculateDigest (hash, buf + headerLen, len - headerLen);
+			uint8_t hash[32];
+			SHA256(buf + headerLen, len - headerLen, hash);
 			verified = identity.Verify (hash, 32, signature);
-		}
+		}	
 		else	
 			verified = identity.Verify (buf + headerLen, len - headerLen, signature);
 				
 		if (verified)
 		{
-			if (m_Receiver != nullptr)
-				m_Receiver (identity, buf + headerLen, len -headerLen);
+			auto it = m_ReceiversByPorts.find (toPort);
+			if (it != m_ReceiversByPorts.end ())
+				it->second (identity, fromPort, toPort, buf + headerLen, len -headerLen);
+			else if (m_Receiver != nullptr)
+				m_Receiver (identity, fromPort, toPort, buf + headerLen, len -headerLen);
 			else
 				LogPrint (eLogWarning, "Receiver for datagram is not set");	
 		}
@@ -95,39 +114,35 @@ namespace datagram
 			LogPrint (eLogWarning, "Datagram signature verification failed");	
 	}

-	void DatagramDestination::HandleDataMessagePayload (const uint8_t * buf, size_t len)
+	void DatagramDestination::HandleDataMessagePayload (uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len)
 	{
 		// unzip it
-		CryptoPP::Gunzip decompressor;
-		decompressor.Put (buf, len);
-		decompressor.MessageEnd();
 		uint8_t uncompressed[MAX_DATAGRAM_SIZE];
-		auto uncompressedLen = decompressor.MaxRetrievable ();
-		if (uncompressedLen <= MAX_DATAGRAM_SIZE)
-		{
-			decompressor.Get (uncompressed, uncompressedLen);
-			HandleDatagram (uncompressed, uncompressedLen); 
-		}
-		else
-			LogPrint ("Received datagram size ", uncompressedLen,  " exceeds max size");
-
+		size_t uncompressedLen = m_Inflator.Inflate (buf, len, uncompressed, MAX_DATAGRAM_SIZE);
+		if (uncompressedLen)
+			HandleDatagram (fromPort, toPort, uncompressed, uncompressedLen); 
 	}

-	I2NPMessage * DatagramDestination::CreateDataMessage (const uint8_t * payload, size_t len)
+	I2NPMessage * DatagramDestination::CreateDataMessage (const uint8_t * payload, size_t len, uint16_t fromPort, uint16_t toPort)
 	{
 		I2NPMessage * msg = NewI2NPMessage ();
-		CryptoPP::Gzip compressor; // default level
-		compressor.Put (payload, len);
-		compressor.MessageEnd();
-		int size = compressor.MaxRetrievable ();
 		uint8_t * buf = msg->GetPayload ();
-		*(uint32_t *)buf = htobe32 (size); // length
-		buf += 4;
-		compressor.Get (buf, size);
-		memset (buf + 4, 0, 4); // source and destination are zeroes
-		buf[9] = i2p::client::PROTOCOL_TYPE_DATAGRAM; // datagram protocol
-		msg->len += size + 4; 
-		FillI2NPMessageHeader (msg, eI2NPData);
+		buf += 4; // reserve for length
+		size_t size = m_Deflator.Deflate (payload, len, buf, msg->maxLen - msg->len);
+		if (size)
+		{
+			htobe32buf (msg->GetPayload (), size); // length
+			htobe16buf (buf + 4, fromPort); // source port
+			htobe16buf (buf + 6, toPort); // destination port 
+			buf[9] = i2p::client::PROTOCOL_TYPE_DATAGRAM; // datagram protocol
+			msg->len += size + 4; 
+			msg->FillI2NPMessageHeader (eI2NPData);
+		}	
+		else
+		{
+			DeleteI2NPMessage (msg);
+			msg = nullptr;
+		}	
 		return msg;
 	}	
 }
--- a/Datagram.h
+++ b/Datagram.h
@@ -2,7 +2,10 @@
 #define DATAGRAM_H__

 #include <inttypes.h>
+#include <memory>
 #include <functional>
+#include <map>
+#include "Base.h"
 #include "Identity.h"
 #include "LeaseSet.h"
 #include "I2NPProtocol.h"
@@ -18,29 +21,38 @@ namespace datagram
 	const size_t MAX_DATAGRAM_SIZE = 32768;
 	class DatagramDestination
 	{
-		typedef std::function<void (const i2p::data::IdentityEx& ident, const uint8_t *, size_t)> Receiver;
+		typedef std::function<void (const i2p::data::IdentityEx& from, uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len)> Receiver;

 		public:

-			DatagramDestination (i2p::client::ClientDestination& owner);
-			~DatagramDestination () {};				
+			DatagramDestination (std::shared_ptr<i2p::client::ClientDestination> owner);
+			~DatagramDestination ();				

-			void SendDatagramTo (const uint8_t * payload, size_t len, const i2p::data::LeaseSet& remote);
-			void HandleDataMessagePayload (const uint8_t * buf, size_t len);
+			void SendDatagramTo (const uint8_t * payload, size_t len, const i2p::data::IdentHash& ident, uint16_t fromPort = 0, uint16_t toPort = 0);
+			void HandleDataMessagePayload (uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len);

 			void SetReceiver (const Receiver& receiver) { m_Receiver = receiver; };
 			void ResetReceiver () { m_Receiver = nullptr; };

-		private:
-
-			I2NPMessage * CreateDataMessage (const uint8_t * payload, size_t len);
-			void SendMsg (I2NPMessage * msg, const i2p::data::LeaseSet& remote);
-			void HandleDatagram (const uint8_t * buf, size_t len);
+			void SetReceiver (const Receiver& receiver, uint16_t port) { m_ReceiversByPorts[port] = receiver; };
+			void ResetReceiver (uint16_t port) { m_ReceiversByPorts.erase (port); };

 		private:

-			i2p::client::ClientDestination& m_Owner;
-			Receiver m_Receiver;
+			void HandleLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet, I2NPMessage * msg);
+			
+			I2NPMessage * CreateDataMessage (const uint8_t * payload, size_t len, uint16_t fromPort, uint16_t toPort);
+			void SendMsg (I2NPMessage * msg, std::shared_ptr<const i2p::data::LeaseSet> remote);
+			void HandleDatagram (uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len);
+
+		private:
+
+			std::shared_ptr<i2p::client::ClientDestination> m_Owner;
+			Receiver m_Receiver; // default
+			std::map<uint16_t, Receiver> m_ReceiversByPorts;
+
+			i2p::data::GzipInflator m_Inflator;
+			i2p::data::GzipDeflator m_Deflator;
 	};		
 }
 }
--- a/Destination.cpp
+++ b/Destination.cpp
@@ -1,8 +1,11 @@
-#include <fstream>
 #include <algorithm>
-#include <cryptopp/dh.h>
+#include <cassert>
+#include <boost/lexical_cast.hpp>
+#include <openssl/rand.h>
 #include "Log.h"
 #include "util.h"
+#include "Crypto.h"
+#include "Timestamp.h"
 #include "NetDb.h"
 #include "Destination.h"

@@ -10,125 +13,160 @@ namespace i2p
 {
 namespace client
 {
-	ClientDestination::ClientDestination (bool isPublic, i2p::data::SigningKeyType sigType): 
-		m_IsRunning (false), m_Thread (nullptr), m_Service (nullptr), m_Work (nullptr), 
-		m_CurrentOutboundTunnel (nullptr), m_LeaseSet (nullptr), m_IsPublic (isPublic),
-		m_DatagramDestination (nullptr)
-	{		
-		m_Keys = i2p::data::PrivateKeys::CreateRandomKeys (sigType);
-		CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
-		dh.GenerateKeyPair(i2p::context.GetRandomNumberGenerator (), m_EncryptionPrivateKey, m_EncryptionPublicKey);
-		m_Pool = i2p::tunnel::tunnels.CreateTunnelPool (*this, 3); // 3-hops tunnel
-		if (m_IsPublic)
-			LogPrint ("Local address ", GetIdentHash ().ToBase32 (), ".b32.i2p created");
-		m_StreamingDestination = new i2p::stream::StreamingDestination (*this); // TODO:
-	}
-
-	ClientDestination::ClientDestination (const std::string& fullPath, bool isPublic):
-		m_IsRunning (false), m_Thread (nullptr), m_Service (nullptr), m_Work (nullptr),
-		m_CurrentOutboundTunnel (nullptr), m_LeaseSet (nullptr), m_IsPublic (isPublic),
-		m_DatagramDestination (nullptr)
+	ClientDestination::ClientDestination (const i2p::data::PrivateKeys& keys, bool isPublic, 
+			const std::map<std::string, std::string> * params):
+		m_IsRunning (false), m_Thread (nullptr), m_Work (m_Service),	
+		m_Keys (keys), m_IsPublic (isPublic), m_PublishReplyToken (0),
+		m_DatagramDestination (nullptr), m_PublishConfirmationTimer (m_Service), m_CleanupTimer (m_Service)
 	{
-		std::ifstream s(fullPath.c_str (), std::ifstream::binary);
-		if (s.is_open ())	
-		{	
-			s.seekg (0, std::ios::end);
-			size_t len = s.tellg();
-			s.seekg (0, std::ios::beg);
-			uint8_t * buf = new uint8_t[len];
-			s.read ((char *)buf, len);
-			m_Keys.FromBuffer (buf, len);
-			delete[] buf;
-			LogPrint ("Local address ", GetIdentHash ().ToBase32 (), ".b32.i2p loaded");
-		}	
-		else
+		i2p::crypto::GenerateElGamalKeyPair(m_EncryptionPrivateKey, m_EncryptionPublicKey);
+		int inboundTunnelLen = DEFAULT_INBOUND_TUNNEL_LENGTH;
+		int outboundTunnelLen = DEFAULT_OUTBOUND_TUNNEL_LENGTH;
+		int inboundTunnelsQuantity = DEFAULT_INBOUND_TUNNELS_QUANTITY;
+		int outboundTunnelsQuantity = DEFAULT_OUTBOUND_TUNNELS_QUANTITY;
+		std::shared_ptr<std::vector<i2p::data::IdentHash> > explicitPeers;
+		if (params)
 		{
-			LogPrint ("Can't open file ", fullPath, " Creating new one");
-			m_Keys = i2p::data::PrivateKeys::CreateRandomKeys (i2p::data::SIGNING_KEY_TYPE_DSA_SHA1); 
-			std::ofstream f (fullPath, std::ofstream::binary | std::ofstream::out);
-			size_t len = m_Keys.GetFullLen ();
-			uint8_t * buf = new uint8_t[len];
-			len = m_Keys.ToBuffer (buf, len);
-			f.write ((char *)buf, len);
-			delete[] buf;
-			
-			LogPrint ("New private keys file ", fullPath, " for ", m_Keys.GetPublic ().GetIdentHash ().ToBase32 (), ".b32.i2p created");
+			auto it = params->find (I2CP_PARAM_INBOUND_TUNNEL_LENGTH);
+			if (it != params->end ())
+			{	
+				int len = boost::lexical_cast<int>(it->second);
+				if (len > 0)
+				{
+					inboundTunnelLen = len;
+					LogPrint (eLogInfo, "Inbound tunnel length set to ", len);
+				}
+			}	
+			it = params->find (I2CP_PARAM_OUTBOUND_TUNNEL_LENGTH);
+			if (it != params->end ())
+			{
+				int len = boost::lexical_cast<int>(it->second);
+				if (len > 0)
+				{
+					outboundTunnelLen = len;
+					LogPrint (eLogInfo, "Outbound tunnel length set to ", len);
+				}
+			}	
+			it = params->find (I2CP_PARAM_INBOUND_TUNNELS_QUANTITY);
+			if (it != params->end ())
+			{
+				int quantity = boost::lexical_cast<int>(it->second);
+				if (quantity > 0)
+				{
+					inboundTunnelsQuantity = quantity;
+					LogPrint (eLogInfo, "Inbound tunnels quantity set to ", quantity);
+				}	
+			}
+			it = params->find (I2CP_PARAM_OUTBOUND_TUNNELS_QUANTITY);
+			if (it != params->end ())
+			{
+				int quantity = boost::lexical_cast<int>(it->second);
+				if (quantity > 0)
+				{
+					outboundTunnelsQuantity = quantity;
+					LogPrint (eLogInfo, "Outbound tunnels quantity set to ", quantity);
+				}	
+			}
+			it = params->find (I2CP_PARAM_EXPLICIT_PEERS);
+			if (it != params->end ())
+			{
+				explicitPeers = std::make_shared<std::vector<i2p::data::IdentHash> >();
+				std::stringstream ss(it->second);
+				std::string b64;
+				while (std::getline (ss, b64, ','))
+				{
+					i2p::data::IdentHash ident;
+					ident.FromBase64 (b64);
+					explicitPeers->push_back (ident);
+				}
+				LogPrint (eLogInfo, "Explicit peers set to ", it->second);
+			}
 		}	
-
-		CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
-		dh.GenerateKeyPair(i2p::context.GetRandomNumberGenerator (), m_EncryptionPrivateKey, m_EncryptionPublicKey);
-		m_Pool = i2p::tunnel::tunnels.CreateTunnelPool (*this, 3); // 3-hops tunnel 
-		m_StreamingDestination = new i2p::stream::StreamingDestination (*this); // TODO:
-	}
-
-	ClientDestination::ClientDestination (const i2p::data::PrivateKeys& keys, bool isPublic):
-		m_IsRunning (false), m_Thread (nullptr), m_Service (nullptr), m_Work (nullptr),	
-		m_Keys (keys), m_CurrentOutboundTunnel (nullptr), m_LeaseSet (nullptr), m_IsPublic (isPublic),
-		m_DatagramDestination (nullptr)
-	{
-		CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
-		dh.GenerateKeyPair(i2p::context.GetRandomNumberGenerator (), m_EncryptionPrivateKey, m_EncryptionPublicKey);
-		m_Pool = i2p::tunnel::tunnels.CreateTunnelPool (*this, 3); // 3-hops tunnel 
+		m_Pool = i2p::tunnel::tunnels.CreateTunnelPool (this, inboundTunnelLen, outboundTunnelLen, inboundTunnelsQuantity, outboundTunnelsQuantity);  
+		if (explicitPeers)
+			m_Pool->SetExplicitPeers (explicitPeers);
 		if (m_IsPublic)
-			LogPrint ("Local address ", GetIdentHash ().ToBase32 (), ".b32.i2p created");
-		m_StreamingDestination = new i2p::stream::StreamingDestination (*this); // TODO:
+			LogPrint (eLogInfo, "Local address ", GetIdentHash().ToBase32 (), " created");		
 	}

 	ClientDestination::~ClientDestination ()
 	{
-		Stop ();
-		for (auto it: m_RemoteLeaseSets)
+		if (m_IsRunning)	
+			Stop ();
+		for (auto it: m_LeaseSetRequests)
 			delete it.second;
 		if (m_Pool)
 			i2p::tunnel::tunnels.DeleteTunnelPool (m_Pool);		
-		delete m_LeaseSet;
-		delete m_Work;
-		delete m_Service;
-		delete m_StreamingDestination;
-		delete m_DatagramDestination;
+		if (m_DatagramDestination)
+			delete m_DatagramDestination;
 	}	

 	void ClientDestination::Run ()
 	{
-		if (m_Service)
-			m_Service->run ();
+		while (m_IsRunning)
+		{
+			try
+			{	
+				m_Service.run ();
+			}
+			catch (std::exception& ex)
+			{
+				LogPrint ("Destination: ", ex.what ());
+			}	
+		}	
 	}	

 	void ClientDestination::Start ()
 	{	
-		m_Service = new boost::asio::io_service;
-		m_Work = new boost::asio::io_service::work (*m_Service);
-		m_Pool->SetActive (true);
-		m_IsRunning = true;
-		m_Thread = new std::thread (std::bind (&ClientDestination::Run, this));
-		m_StreamingDestination->Start ();	
+		if (!m_IsRunning)
+		{	
+			m_IsRunning = true;
+			m_Pool->SetLocalDestination (this);
+			m_Pool->SetActive (true);			
+			m_Thread = new std::thread (std::bind (&ClientDestination::Run, this));
+			m_StreamingDestination = std::make_shared<i2p::stream::StreamingDestination> (shared_from_this ()); // TODO:
+			m_StreamingDestination->Start ();	
+			for (auto it: m_StreamingDestinationsByPorts)
+				it.second->Start ();
+			
+			m_CleanupTimer.expires_from_now (boost::posix_time::minutes (DESTINATION_CLEANUP_TIMEOUT));
+			m_CleanupTimer.async_wait (std::bind (&ClientDestination::HandleCleanupTimer,
+				this, std::placeholders::_1));
+		}	
 	}
 		
 	void ClientDestination::Stop ()
 	{	
-		m_StreamingDestination->Stop ();	
-		if (m_DatagramDestination)
-		{
-			auto d = m_DatagramDestination;
-			m_DatagramDestination = nullptr;
-			delete d;
-		}	
-		if (m_Pool)
-			i2p::tunnel::tunnels.StopTunnelPool (m_Pool);
-		m_IsRunning = false;
-		if (m_Service)
-			m_Service->stop ();
-		if (m_Thread)
+		if (m_IsRunning)
 		{	
-			m_Thread->join (); 
-			delete m_Thread;
-			m_Thread = 0;
+			m_CleanupTimer.cancel ();
+			m_IsRunning = false;
+			m_StreamingDestination->Stop ();
+			m_StreamingDestination = nullptr;
+			for (auto it: m_StreamingDestinationsByPorts)
+				it.second->Stop ();
+			if (m_DatagramDestination)
+			{
+				auto d = m_DatagramDestination;
+				m_DatagramDestination = nullptr;
+				delete d;
+			}	
+			if (m_Pool)
+			{	
+				m_Pool->SetLocalDestination (nullptr);
+				i2p::tunnel::tunnels.StopTunnelPool (m_Pool);
+			}	
+			m_Service.stop ();
+			if (m_Thread)
+			{	
+				m_Thread->join (); 
+				delete m_Thread;
+				m_Thread = 0;
+			}	
 		}	
-		delete m_Work; m_Work = nullptr;
-		delete m_Service; m_Service = nullptr;
 	}	

-	const i2p::data::LeaseSet * ClientDestination::FindLeaseSet (const i2p::data::IdentHash& ident)
+	std::shared_ptr<const i2p::data::LeaseSet> ClientDestination::FindLeaseSet (const i2p::data::IdentHash& ident)
 	{
 		auto it = m_RemoteLeaseSets.find (ident);
 		if (it != m_RemoteLeaseSets.end ())
@@ -136,17 +174,13 @@ namespace client
 			if (it->second->HasNonExpiredLeases ())
 				return it->second;
 			else
-			{
-				LogPrint ("All leases of remote LeaseSet expired. Request it");
-				i2p::data::netdb.RequestDestination (ident, true, m_Pool);
-			}	
+				LogPrint ("All leases of remote LeaseSet expired");
 		}	
 		else
 		{	
 			auto ls = i2p::data::netdb.FindLeaseSet (ident);
 			if (ls)
 			{
-				ls = new i2p::data::LeaseSet (*ls);
 				m_RemoteLeaseSets[ident] = ls;			
 				return ls;
 			}	
@@ -154,7 +188,7 @@ namespace client
 		return nullptr;
 	}	

-	const i2p::data::LeaseSet * ClientDestination::GetLeaseSet ()
+	std::shared_ptr<const i2p::data::LeaseSet> ClientDestination::GetLeaseSet ()
 	{
 		if (!m_Pool) return nullptr;
 		if (!m_LeaseSet)
@@ -164,51 +198,51 @@ namespace client

 	void ClientDestination::UpdateLeaseSet ()
 	{
-		auto newLeaseSet = new i2p::data::LeaseSet (*m_Pool);
-		if (!m_LeaseSet)
-			m_LeaseSet = newLeaseSet;
-		else
-		{	
-			// TODO: implement it better
-			*m_LeaseSet = *newLeaseSet;
-			delete newLeaseSet;
-		}	
+		m_LeaseSet.reset (new i2p::data::LeaseSet (*m_Pool));
 	}	

-	void ClientDestination::SendTunnelDataMsgs (const std::vector<i2p::tunnel::TunnelMessageBlock>& msgs)
+	bool ClientDestination::SubmitSessionKey (const uint8_t * key, const uint8_t * tag)
 	{
-		m_CurrentOutboundTunnel = m_Pool->GetNextOutboundTunnel (m_CurrentOutboundTunnel);
-		if (m_CurrentOutboundTunnel)
-			m_CurrentOutboundTunnel->SendTunnelDataMsg (msgs);
-		else
+		struct
 		{
-			LogPrint ("No outbound tunnels in the pool");
-			for (auto it: msgs)
-				DeleteI2NPMessage (it.data);
-		}
+			uint8_t k[32], t[32];
+		} data;	
+		memcpy (data.k, key, 32);
+		memcpy (data.t, tag, 32);
+		m_Service.post ([this,data](void)
+			{
+				this->AddSessionKey (data.k, data.t);
+			});
+		return true;
 	}

-	void ClientDestination::ProcessGarlicMessage (I2NPMessage * msg)
+	void ClientDestination::ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg)
 	{
-		m_Service->post (boost::bind (&ClientDestination::HandleGarlicMessage, this, msg)); 
+		m_Service.post (std::bind (&ClientDestination::HandleGarlicMessage, this, msg)); 
 	}

-	void ClientDestination::ProcessDeliveryStatusMessage (I2NPMessage * msg)
+	void ClientDestination::ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg)
 	{
-		m_Service->post (boost::bind (&ClientDestination::HandleDeliveryStatusMessage, this, msg)); 
+		m_Service.post (std::bind (&ClientDestination::HandleDeliveryStatusMessage, this, msg)); 
 	}

-	void ClientDestination::HandleI2NPMessage (const uint8_t * buf, size_t len, i2p::tunnel::InboundTunnel * from)
+	void ClientDestination::HandleI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from)
 	{
-		I2NPHeader * header = (I2NPHeader *)buf;
-		switch (header->typeID)
+		uint8_t typeID = buf[I2NP_HEADER_TYPEID_OFFSET];
+		switch (typeID)
 		{	
 			case eI2NPData:
-				HandleDataMessage (buf + sizeof (I2NPHeader), be16toh (header->size));
+				HandleDataMessage (buf + I2NP_HEADER_SIZE, bufbe16toh (buf + I2NP_HEADER_SIZE_OFFSET));
 			break;
+			case eI2NPDeliveryStatus:
+				// we assume tunnel tests non-encrypted
+				HandleDeliveryStatusMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf), from));
+			break;	
 			case eI2NPDatabaseStore:
-				HandleDatabaseStoreMessage (buf + sizeof (I2NPHeader), be16toh (header->size));
-				i2p::HandleI2NPMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf), from)); // TODO: remove
+				HandleDatabaseStoreMessage (buf + I2NP_HEADER_SIZE, bufbe16toh (buf + I2NP_HEADER_SIZE_OFFSET));
+			break;
+			case eI2NPDatabaseSearchReply:
+				HandleDatabaseSearchReplyMessage (buf + I2NP_HEADER_SIZE, bufbe16toh (buf + I2NP_HEADER_SIZE_OFFSET));
 			break;	
 			default:
 				i2p::HandleI2NPMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf), from));
@@ -217,27 +251,114 @@ namespace client

 	void ClientDestination::HandleDatabaseStoreMessage (const uint8_t * buf, size_t len)
 	{
-		I2NPDatabaseStoreMsg * msg = (I2NPDatabaseStoreMsg *)buf;
-		size_t offset = sizeof (I2NPDatabaseStoreMsg);
-		if (msg->replyToken) // TODO:
-			offset += 36;
-		if (msg->type == 1) // LeaseSet
+		uint32_t replyToken = bufbe32toh (buf + DATABASE_STORE_REPLY_TOKEN_OFFSET);
+		size_t offset = DATABASE_STORE_HEADER_SIZE;
+		if (replyToken) 
 		{
-			LogPrint ("Remote LeaseSet");
-			auto it = m_RemoteLeaseSets.find (msg->key);
+			LogPrint (eLogInfo, "Reply token is ignored for DatabaseStore");
+			offset += 36;
+		}
+		std::shared_ptr<i2p::data::LeaseSet> leaseSet;
+		if (buf[DATABASE_STORE_TYPE_OFFSET] == 1) // LeaseSet
+		{
+			LogPrint (eLogDebug, "Remote LeaseSet");
+			auto it = m_RemoteLeaseSets.find (buf + DATABASE_STORE_KEY_OFFSET);
 			if (it != m_RemoteLeaseSets.end ())
 			{
-				it->second->Update (buf + offset, len - offset); 
-				LogPrint ("Remote LeaseSet updated");
+				leaseSet = it->second;
+				leaseSet->Update (buf + offset, len - offset); 
+				if (leaseSet->IsValid ())
+					LogPrint (eLogDebug, "Remote LeaseSet updated");
+				else
+				{
+					LogPrint (eLogDebug, "Remote LeaseSet update failed");
+					m_RemoteLeaseSets.erase (it);
+					leaseSet = nullptr;
+				}
 			}
 			else
 			{	
-				LogPrint ("New remote LeaseSet added");
-				m_RemoteLeaseSets[msg->key] = new i2p::data::LeaseSet (buf + offset, len - offset);
+				leaseSet = std::make_shared<i2p::data::LeaseSet> (buf + offset, len - offset);
+				if (leaseSet->IsValid ())
+				{
+					LogPrint (eLogDebug, "New remote LeaseSet added");
+					m_RemoteLeaseSets[buf + DATABASE_STORE_KEY_OFFSET] = leaseSet;
+				}
+				else
+				{
+					LogPrint (eLogError, "New remote LeaseSet verification failed");
+					leaseSet = nullptr;
+				}
 			}	
 		}	
 		else
-			LogPrint ("Unexpected client's DatabaseStore type ", msg->type, ". Dropped");
+			LogPrint (eLogError, "Unexpected client's DatabaseStore type ", buf[DATABASE_STORE_TYPE_OFFSET], ". Dropped");
+		
+		auto it1 = m_LeaseSetRequests.find (buf + DATABASE_STORE_KEY_OFFSET);
+		if (it1 != m_LeaseSetRequests.end ())
+		{
+			it1->second->requestTimeoutTimer.cancel ();
+			if (it1->second->requestComplete) it1->second->requestComplete (leaseSet);
+			delete it1->second;
+			m_LeaseSetRequests.erase (it1);
+		}	
+	}
+
+	void ClientDestination::HandleDatabaseSearchReplyMessage (const uint8_t * buf, size_t len)
+	{
+		i2p::data::IdentHash key (buf);
+		int num = buf[32]; // num
+		LogPrint ("DatabaseSearchReply for ", key.ToBase64 (), " num=", num);
+		auto it = m_LeaseSetRequests.find (key);
+		if (it != m_LeaseSetRequests.end ())
+		{
+			LeaseSetRequest * request = it->second;
+			bool found = false;
+			if (request->excluded.size () < MAX_NUM_FLOODFILLS_PER_REQUEST)
+			{	
+				for (int i = 0; i < num; i++)
+				{
+					i2p::data::IdentHash peerHash (buf + 33 + i*32);
+					auto floodfill = i2p::data::netdb.FindRouter (peerHash);
+					if (floodfill)
+					{
+						LogPrint (eLogInfo, "Requesting ", key.ToBase64 (), " at ", peerHash.ToBase64 ());
+						if (SendLeaseSetRequest (key, floodfill, request))
+							found = true;
+					}	
+					else
+					{	
+						LogPrint (eLogInfo, "Found new floodfill. Request it");
+						i2p::data::netdb.RequestDestination (peerHash);
+					}	
+				}
+				if (!found)
+					LogPrint (eLogError, "Suggested floodfills are not presented in netDb"); 
+			}	
+			else
+				LogPrint (eLogInfo, key.ToBase64 (), " was not found on ",  MAX_NUM_FLOODFILLS_PER_REQUEST," floodfills");
+			if (!found)
+			{
+				if (request->requestComplete) request->requestComplete (nullptr);
+				delete request;
+				m_LeaseSetRequests.erase (key);
+			}	
+		}	
+		else	
+			LogPrint ("Request for ", key.ToBase64 (), " not found");
+	}	
+		
+	void ClientDestination::HandleDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg)
+	{
+		uint32_t msgID = bufbe32toh (msg->GetPayload () + DELIVERY_STATUS_MSGID_OFFSET);
+		if (msgID == m_PublishReplyToken)
+		{
+			LogPrint (eLogDebug, "Publishing confirmed");
+			m_ExcludedFloodfills.clear ();
+			m_PublishReplyToken = 0;
+		}
+		else
+			i2p::garlic::GarlicDestination::HandleDeliveryStatusMessage (msg);
 	}	

 	void ClientDestination::SetLeaseSetUpdated ()
@@ -245,27 +366,81 @@ namespace client
 		i2p::garlic::GarlicDestination::SetLeaseSetUpdated ();	
 		UpdateLeaseSet ();
 		if (m_IsPublic)
-			i2p::data::netdb.PublishLeaseSet (m_LeaseSet, m_Pool);
+			Publish ();
+	}
+		
+	void ClientDestination::Publish ()
+	{	
+		if (!m_LeaseSet || !m_Pool) 
+		{
+			LogPrint (eLogError, "Can't publish non-existing LeaseSet");
+			return;
+		}
+		if (m_PublishReplyToken)
+		{
+			LogPrint (eLogInfo, "Publishing is pending");
+			return;
+		}
+		auto outbound = m_Pool->GetNextOutboundTunnel ();
+		if (!outbound)
+		{
+			LogPrint ("Can't publish LeaseSet. No outbound tunnels");
+			return;
+		}
+		std::set<i2p::data::IdentHash> excluded; 
+		auto floodfill = i2p::data::netdb.GetClosestFloodfill (m_LeaseSet->GetIdentHash (), m_ExcludedFloodfills);	
+		if (!floodfill)
+		{
+			LogPrint ("Can't publish LeaseSet. No more floodfills found");
+			m_ExcludedFloodfills.clear ();
+			return;
+		}	
+		m_ExcludedFloodfills.insert (floodfill->GetIdentHash ());
+		LogPrint (eLogDebug, "Publish LeaseSet of ", GetIdentHash ().ToBase32 ());
+		RAND_bytes ((uint8_t *)&m_PublishReplyToken, 4);
+		auto msg = WrapMessage (floodfill, i2p::CreateDatabaseStoreMsg (m_LeaseSet, m_PublishReplyToken));			
+		m_PublishConfirmationTimer.expires_from_now (boost::posix_time::seconds(PUBLISH_CONFIRMATION_TIMEOUT));
+		m_PublishConfirmationTimer.async_wait (std::bind (&ClientDestination::HandlePublishConfirmationTimer,
+			this, std::placeholders::_1));	
+		outbound->SendTunnelDataMsg (floodfill->GetIdentHash (), 0, msg);	
+	}
+
+	void ClientDestination::HandlePublishConfirmationTimer (const boost::system::error_code& ecode)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+		{	
+			if (m_PublishReplyToken)
+			{
+				LogPrint (eLogWarning, "Publish confirmation was not received in ", PUBLISH_CONFIRMATION_TIMEOUT,  "seconds. Try again");
+				m_PublishReplyToken = 0;
+				Publish ();
+			}
+		}
 	}

 	void ClientDestination::HandleDataMessage (const uint8_t * buf, size_t len)
 	{
-		uint32_t length = be32toh (*(uint32_t *)buf);
+		uint32_t length = bufbe32toh (buf);
 		buf += 4;
 		// we assume I2CP payload
+		uint16_t fromPort = bufbe16toh (buf + 4), // source
+			toPort = bufbe16toh (buf + 6); // destination 
 		switch (buf[9])
 		{
 			case PROTOCOL_TYPE_STREAMING:
+			{
 				// streaming protocol
-				if (m_StreamingDestination)
-					m_StreamingDestination->HandleDataMessagePayload (buf, length);
+				auto dest = GetStreamingDestination (toPort);
+				if (dest)
+					dest->HandleDataMessagePayload (buf, length);
 				else
 					LogPrint ("Missing streaming destination");
+			}
 			break;
 			case PROTOCOL_TYPE_DATAGRAM:
 				// datagram protocol
 				if (m_DatagramDestination)
-					m_DatagramDestination->HandleDataMessagePayload (buf, length);
+					m_DatagramDestination->HandleDataMessagePayload (fromPort, toPort, buf, length);
 				else
 					LogPrint ("Missing streaming destination");
 			break;
@@ -274,13 +449,44 @@ namespace client
 		}
 	}	

-	i2p::stream::Stream * ClientDestination::CreateStream (const i2p::data::LeaseSet& remote, int port)
+	void ClientDestination::CreateStream (StreamRequestComplete streamRequestComplete, const i2p::data::IdentHash& dest, int port) {
+		assert(streamRequestComplete);
+		auto leaseSet = FindLeaseSet (dest);
+		if (leaseSet)
+			streamRequestComplete(CreateStream (leaseSet, port));
+		else
+		{
+			RequestDestination (dest,
+				[this, streamRequestComplete, port](std::shared_ptr<i2p::data::LeaseSet> ls)
+				{
+					if (ls)
+						streamRequestComplete(CreateStream (ls, port));
+					else
+						streamRequestComplete (nullptr);
+				});
+		}
+	}
+
+	std::shared_ptr<i2p::stream::Stream> ClientDestination::CreateStream (std::shared_ptr<const i2p::data::LeaseSet> remote, int port)
 	{
 		if (m_StreamingDestination)
 			return m_StreamingDestination->CreateNewOutgoingStream (remote, port);
-		return nullptr;	
-	}		
+		else
+			return nullptr;
+	}

+	std::shared_ptr<i2p::stream::StreamingDestination> ClientDestination::GetStreamingDestination (int port) const 
+	{ 
+		if (port) 
+		{
+			auto it = m_StreamingDestinationsByPorts.find (port);
+			if (it != m_StreamingDestinationsByPorts.end ())
+				return it->second;
+		}	
+		// if port is zero or not found, use default destination
+		return m_StreamingDestination; 
+	}
+		
 	void ClientDestination::AcceptStreams (const i2p::stream::StreamingDestination::Acceptor& acceptor)
 	{
 		if (m_StreamingDestination)
@@ -292,7 +498,7 @@ namespace client
 		if (m_StreamingDestination)
 			m_StreamingDestination->ResetAcceptor ();
 	}
-
+		
 	bool ClientDestination::IsAcceptingStreams () const
 	{
 		if (m_StreamingDestination)
@@ -300,11 +506,162 @@ namespace client
 		return false;
 	}	

+	std::shared_ptr<i2p::stream::StreamingDestination> ClientDestination::CreateStreamingDestination (int port)
+	{
+		auto dest = std::make_shared<i2p::stream::StreamingDestination> (shared_from_this (), port); 
+		if (port)
+			m_StreamingDestinationsByPorts[port] = dest;
+		else // update default 
+			m_StreamingDestination = dest;
+		return dest;
+	}	
+		
 	i2p::datagram::DatagramDestination * ClientDestination::CreateDatagramDestination ()
 	{
 		if (!m_DatagramDestination)
-			m_DatagramDestination = new i2p::datagram::DatagramDestination (*this);
+			m_DatagramDestination = new i2p::datagram::DatagramDestination (shared_from_this ());
 		return m_DatagramDestination;	
 	}
+
+	bool ClientDestination::RequestDestination (const i2p::data::IdentHash& dest, RequestComplete requestComplete)
+	{
+		if (!m_Pool || !IsReady ()) 
+		{	
+			if (requestComplete) requestComplete (false);
+			return false;
+		}	
+		m_Service.post (std::bind (&ClientDestination::RequestLeaseSet, shared_from_this (), dest, requestComplete));
+		return true;
+	}
+
+	void ClientDestination::RequestLeaseSet (const i2p::data::IdentHash& dest, RequestComplete requestComplete)
+	{
+		std::set<i2p::data::IdentHash> excluded;
+		auto floodfill = i2p::data::netdb.GetClosestFloodfill (dest, excluded);
+		if (floodfill)
+		{
+			LeaseSetRequest * request = new LeaseSetRequest (m_Service);
+			request->requestComplete = requestComplete;
+			auto ret = m_LeaseSetRequests.insert (std::pair<i2p::data::IdentHash, LeaseSetRequest *>(dest,request));
+			if (ret.second) // inserted
+			{
+				if (!SendLeaseSetRequest (dest, floodfill, request))
+				{
+					// request failed
+					if (request->requestComplete) request->requestComplete (nullptr);
+					delete request;
+					m_LeaseSetRequests.erase (dest);
+				}
+			}	
+			else // duplicate
+			{
+				LogPrint (eLogError, "Request of ", dest.ToBase64 (), " is pending already");
+				// TODO: queue up requests
+				if (request->requestComplete) request->requestComplete (nullptr);
+				delete request;
+			}	
+		}	
+		else
+			LogPrint (eLogError, "No floodfills found");	
+	}	
+		
+	bool ClientDestination::SendLeaseSetRequest (const i2p::data::IdentHash& dest, 
+		std::shared_ptr<const i2p::data::RouterInfo>  nextFloodfill, LeaseSetRequest * request)
+	{
+		auto replyTunnel = m_Pool->GetNextInboundTunnel ();
+		if (!replyTunnel) LogPrint (eLogError, "No inbound tunnels found");	
+		
+		auto outboundTunnel = m_Pool->GetNextOutboundTunnel ();
+		if (!outboundTunnel) LogPrint (eLogError, "No outbound tunnels found");		
+			
+		if (replyTunnel && outboundTunnel)
+		{	
+			request->excluded.insert (nextFloodfill->GetIdentHash ());
+			request->requestTime = i2p::util::GetSecondsSinceEpoch ();
+			request->requestTimeoutTimer.cancel ();
+
+			uint8_t replyKey[32], replyTag[32];
+			RAND_bytes (replyKey, 32); // random session key 
+			RAND_bytes (replyTag, 32); // random session tag
+			AddSessionKey (replyKey, replyTag);
+
+			auto msg = WrapMessage (nextFloodfill,
+				CreateLeaseSetDatabaseLookupMsg (dest, request->excluded, 
+					replyTunnel.get (), replyKey, replyTag));
+			outboundTunnel->SendTunnelDataMsg (
+				{
+					i2p::tunnel::TunnelMessageBlock 
+					{ 
+						i2p::tunnel::eDeliveryTypeRouter,
+						nextFloodfill->GetIdentHash (), 0, msg
+					}
+				});	
+			request->requestTimeoutTimer.expires_from_now (boost::posix_time::seconds(LEASESET_REQUEST_TIMEOUT));
+			request->requestTimeoutTimer.async_wait (std::bind (&ClientDestination::HandleRequestTimoutTimer,
+				this, std::placeholders::_1, dest));
+		}	
+		else
+			return false;
+		return true;
+	}	
+
+	void ClientDestination::HandleRequestTimoutTimer (const boost::system::error_code& ecode, const i2p::data::IdentHash& dest)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+		{
+			auto it = m_LeaseSetRequests.find (dest);
+			if (it != m_LeaseSetRequests.end ())
+			{
+				bool done = false;
+				uint64_t ts = i2p::util::GetSecondsSinceEpoch ();
+				if (ts < it->second->requestTime + MAX_LEASESET_REQUEST_TIMEOUT)
+				{
+					auto floodfill = i2p::data::netdb.GetClosestFloodfill (dest, it->second->excluded);
+					if (floodfill)
+						 done = !SendLeaseSetRequest (dest, floodfill, it->second);
+					else
+						done = true;
+				}
+				else
+				{	
+					LogPrint (eLogInfo, dest.ToBase64 (), " was not found within ",  MAX_LEASESET_REQUEST_TIMEOUT, " seconds");
+					done = true;
+				}
+				
+				if (done)
+				{
+					if (it->second->requestComplete) it->second->requestComplete (false);
+					delete it->second;
+					m_LeaseSetRequests.erase (it);
+				}	
+			}	
+		}	
+	}
+
+	void ClientDestination::HandleCleanupTimer (const boost::system::error_code& ecode)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+		{
+			CleanupRoutingSessions ();
+			CleanupRemoteLeaseSets ();
+			m_CleanupTimer.expires_from_now (boost::posix_time::minutes (DESTINATION_CLEANUP_TIMEOUT));
+			m_CleanupTimer.async_wait (std::bind (&ClientDestination::HandleCleanupTimer,
+				shared_from_this (), std::placeholders::_1));
+		}
+	}	
+
+	void ClientDestination::CleanupRemoteLeaseSets ()
+	{
+		for (auto it = m_RemoteLeaseSets.begin (); it != m_RemoteLeaseSets.end ();)
+		{
+			if (!it->second->HasNonExpiredLeases ()) // all leases expired
+			{
+				LogPrint ("Remote LeaseSet ", it->second->GetIdentHash ().ToBase64 (), " expired");
+				it = m_RemoteLeaseSets.erase (it);
+			}	
+			else 
+				it++;
+		}
+	}
 }
 }
--- a/Destination.h
+++ b/Destination.h
@@ -3,11 +3,18 @@

 #include <thread>
 #include <mutex>
+#include <memory>
+#include <map>
+#include <set>
+#include <string>
+#include <functional>
+#include <boost/asio.hpp>
 #include "Identity.h"
 #include "TunnelPool.h"
-#include "CryptoConst.h"
+#include "Crypto.h"
 #include "LeaseSet.h"
 #include "Garlic.h"
+#include "NetDb.h"
 #include "Streaming.h"
 #include "Datagram.h"

@@ -18,34 +25,65 @@ namespace client
 	const uint8_t PROTOCOL_TYPE_STREAMING = 6;
 	const uint8_t PROTOCOL_TYPE_DATAGRAM = 17;
 	const uint8_t PROTOCOL_TYPE_RAW = 18;	
+	const int PUBLISH_CONFIRMATION_TIMEOUT = 5; // in seconds
+	const int LEASESET_REQUEST_TIMEOUT = 5; // in seconds
+	const int MAX_LEASESET_REQUEST_TIMEOUT = 40; // in seconds
+	const int MAX_NUM_FLOODFILLS_PER_REQUEST = 7;
+	const int DESTINATION_CLEANUP_TIMEOUT = 20; // in minutes 
+	
+	// I2CP
+	const char I2CP_PARAM_INBOUND_TUNNEL_LENGTH[] = "inbound.length";
+	const int DEFAULT_INBOUND_TUNNEL_LENGTH = 3;
+	const char I2CP_PARAM_OUTBOUND_TUNNEL_LENGTH[] = "outbound.length";
+	const int DEFAULT_OUTBOUND_TUNNEL_LENGTH = 3;
+	const char I2CP_PARAM_INBOUND_TUNNELS_QUANTITY[] = "inbound.quantity";
+	const int DEFAULT_INBOUND_TUNNELS_QUANTITY = 5;
+	const char I2CP_PARAM_OUTBOUND_TUNNELS_QUANTITY[] = "outbound.quantity";
+	const int DEFAULT_OUTBOUND_TUNNELS_QUANTITY = 5;
+	const char I2CP_PARAM_EXPLICIT_PEERS[] = "explicitPeers";
+	const int STREAM_REQUEST_TIMEOUT = 60; //in seconds

-	class ClientDestination: public i2p::garlic::GarlicDestination
+	typedef std::function<void (std::shared_ptr<i2p::stream::Stream> stream)> StreamRequestComplete;
+
+	class ClientDestination: public i2p::garlic::GarlicDestination,
+		public std::enable_shared_from_this<ClientDestination>
 	{
+		typedef std::function<void (std::shared_ptr<i2p::data::LeaseSet> leaseSet)> RequestComplete;
+		// leaseSet = nullptr means not found
+		struct LeaseSetRequest
+		{
+			LeaseSetRequest (boost::asio::io_service& service): requestTime (0), requestTimeoutTimer (service) {};
+			std::set<i2p::data::IdentHash> excluded;
+			uint64_t requestTime;
+			boost::asio::deadline_timer requestTimeoutTimer;
+			RequestComplete requestComplete;
+		};	
+		
+		
 		public:

-			ClientDestination (bool isPublic, i2p::data::SigningKeyType sigType);
-			ClientDestination (const std::string& fullPath, bool isPublic);
-			ClientDestination (const i2p::data::PrivateKeys& keys, bool isPublic);
+			ClientDestination (const i2p::data::PrivateKeys& keys, bool isPublic, const std::map<std::string, std::string> * params = nullptr);
 			~ClientDestination ();	

 			virtual void Start ();
 			virtual void Stop ();
 			bool IsRunning () const { return m_IsRunning; };
-			boost::asio::io_service * GetService () { return m_Service; };
-			i2p::tunnel::TunnelPool * GetTunnelPool () { return m_Pool; }; 
-			bool IsReady () const { return m_LeaseSet && m_LeaseSet->HasNonExpiredLeases (); };
-
-			void ResetCurrentOutboundTunnel () { m_CurrentOutboundTunnel = nullptr; };
-			const i2p::data::LeaseSet * FindLeaseSet (const i2p::data::IdentHash& ident);
-			void SendTunnelDataMsgs (const std::vector<i2p::tunnel::TunnelMessageBlock>& msgs);
-
+			boost::asio::io_service& GetService () { return m_Service; };
+			std::shared_ptr<i2p::tunnel::TunnelPool> GetTunnelPool () { return m_Pool; }; 
+			bool IsReady () const { return m_LeaseSet && m_LeaseSet->HasNonExpiredLeases () && m_Pool->GetOutboundTunnels ().size () > 0; };
+			std::shared_ptr<const i2p::data::LeaseSet> FindLeaseSet (const i2p::data::IdentHash& ident);
+			bool RequestDestination (const i2p::data::IdentHash& dest, RequestComplete requestComplete = nullptr);
+			
 			// streaming
-			i2p::stream::StreamingDestination * GetStreamingDestination () const { return m_StreamingDestination; };
-			i2p::stream::Stream * CreateStream (const i2p::data::LeaseSet& remote, int port = 0);
+			std::shared_ptr<i2p::stream::StreamingDestination> CreateStreamingDestination (int port); // additional
+			std::shared_ptr<i2p::stream::StreamingDestination> GetStreamingDestination (int port = 0) const;
+			// following methods operate with default streaming destination
+			void CreateStream (StreamRequestComplete streamRequestComplete, const i2p::data::IdentHash& dest, int port = 0);
+			std::shared_ptr<i2p::stream::Stream> CreateStream (std::shared_ptr<const i2p::data::LeaseSet> remote, int port = 0);
 			void AcceptStreams (const i2p::stream::StreamingDestination::Acceptor& acceptor);
 			void StopAcceptingStreams ();
 			bool IsAcceptingStreams () const;
-
+			
 			// datagram
 			i2p::datagram::DatagramDestination * GetDatagramDestination () const { return m_DatagramDestination; };
 			i2p::datagram::DatagramDestination * CreateDatagramDestination ();
@@ -56,12 +94,14 @@ namespace client
 			const uint8_t * GetEncryptionPublicKey () const { return m_EncryptionPublicKey; };
 			
 			// implements GarlicDestination
-			const i2p::data::LeaseSet * GetLeaseSet ();
-			void HandleI2NPMessage (const uint8_t * buf, size_t len, i2p::tunnel::InboundTunnel * from);
+			std::shared_ptr<const i2p::data::LeaseSet> GetLeaseSet ();
+			std::shared_ptr<i2p::tunnel::TunnelPool> GetTunnelPool () const { return m_Pool; }
+			void HandleI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from);

 			// override GarlicDestination
-			void ProcessGarlicMessage (I2NPMessage * msg);
-			void ProcessDeliveryStatusMessage (I2NPMessage * msg);	
+			bool SubmitSessionKey (const uint8_t * key, const uint8_t * tag);
+			void ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg);
+			void ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg);	
 			void SetLeaseSetUpdated ();

 			// I2CP
@@ -71,26 +111,41 @@ namespace client
 				
 			void Run ();			
 			void UpdateLeaseSet ();
-			void HandleDatabaseStoreMessage (const uint8_t * buf, size_t len);			
+			void Publish ();
+			void HandlePublishConfirmationTimer (const boost::system::error_code& ecode);
+			void HandleDatabaseStoreMessage (const uint8_t * buf, size_t len);
+			void HandleDatabaseSearchReplyMessage (const uint8_t * buf, size_t len);
+			void HandleDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg);		

+			void RequestLeaseSet (const i2p::data::IdentHash& dest, RequestComplete requestComplete);
+			bool SendLeaseSetRequest (const i2p::data::IdentHash& dest, std::shared_ptr<const i2p::data::RouterInfo>  nextFloodfill, LeaseSetRequest * request);	
+			void HandleRequestTimoutTimer (const boost::system::error_code& ecode, const i2p::data::IdentHash& dest);
+			void HandleCleanupTimer (const boost::system::error_code& ecode);
+			void CleanupRemoteLeaseSets ();
+			
 		private:

-			bool m_IsRunning;
+			volatile bool m_IsRunning;
 			std::thread * m_Thread;	
-			boost::asio::io_service * m_Service;
-			boost::asio::io_service::work * m_Work;
+			boost::asio::io_service m_Service;
+			boost::asio::io_service::work m_Work;
 			i2p::data::PrivateKeys m_Keys;
 			uint8_t m_EncryptionPublicKey[256], m_EncryptionPrivateKey[256];
-			std::map<i2p::data::IdentHash, i2p::data::LeaseSet *> m_RemoteLeaseSets;
+			std::map<i2p::data::IdentHash, std::shared_ptr<i2p::data::LeaseSet> > m_RemoteLeaseSets;
+			std::map<i2p::data::IdentHash, LeaseSetRequest *> m_LeaseSetRequests;

-			i2p::tunnel::TunnelPool * m_Pool;
-			i2p::tunnel::OutboundTunnel * m_CurrentOutboundTunnel;
-			i2p::data::LeaseSet * m_LeaseSet;
+			std::shared_ptr<i2p::tunnel::TunnelPool> m_Pool;
+			std::shared_ptr<i2p::data::LeaseSet> m_LeaseSet;
 			bool m_IsPublic;
-		
-			i2p::stream::StreamingDestination * m_StreamingDestination;
+			uint32_t m_PublishReplyToken;
+			std::set<i2p::data::IdentHash> m_ExcludedFloodfills; // for publishing
+			
+			std::shared_ptr<i2p::stream::StreamingDestination> m_StreamingDestination; // default
+			std::map<uint16_t, std::shared_ptr<i2p::stream::StreamingDestination> > m_StreamingDestinationsByPorts;
 			i2p::datagram::DatagramDestination * m_DatagramDestination;
 	
+			boost::asio::deadline_timer m_PublishConfirmationTimer, m_CleanupTimer;
+
 		public:
 			
 			// for HTTP only
--- a/ElGamal.h
+++ b/ElGamal.h
@@ -1,77 +0,0 @@
-#ifndef EL_GAMAL_H__
-#define EL_GAMAL_H__
-
-#include <inttypes.h>
-#include <cryptopp/integer.h>
-#include <cryptopp/osrng.h>
-#include <cryptopp/sha.h>
-#include "CryptoConst.h"
-#include "Log.h"
-
-namespace i2p
-{
-namespace crypto
-{
-
-	class ElGamalEncryption
-	{
-		public:
-
-			ElGamalEncryption (const uint8_t * key):
-				y (key, 256), k (rnd, CryptoPP::Integer::One(), elgp-1),
-				a (a_exp_b_mod_c (elgg, k, elgp)), b1 (a_exp_b_mod_c (y, k, elgp))
-			{
-			}
-
-			void Encrypt (const uint8_t * data, int len, uint8_t * encrypted, bool zeroPadding = false)
-			{
-				// calculate b = b1*m mod p
-				uint8_t m[255];
-				m[0] = 0xFF;
-				memcpy (m+33, data, len);
-				CryptoPP::SHA256().CalculateDigest(m+1, m+33, 222);
-				CryptoPP::Integer b (a_times_b_mod_c (b1, CryptoPP::Integer (m, 255), elgp));
-
-				// copy a and b
-				if (zeroPadding)
-				{
-					encrypted[0] = 0;
-					a.Encode (encrypted + 1, 256);
-					encrypted[257] = 0;
-					b.Encode (encrypted + 258, 256);
-				}	
-				else
-				{
-					a.Encode (encrypted, 256);	
-					b.Encode (encrypted + 256, 256);
-				}	
-			}
-
-		private:
-
-			CryptoPP::AutoSeededRandomPool rnd;	
-			CryptoPP::Integer y, k, a, b1;	
-			bool m_ZeroPadding;	
-	};
-
-	inline bool ElGamalDecrypt (const uint8_t * key, const uint8_t * encrypted, 
-		uint8_t * data, bool zeroPadding = false)
-	{
-		CryptoPP::Integer x(key, 256), a(zeroPadding? encrypted +1 : encrypted, 256), 
-			b(zeroPadding? encrypted + 258 :encrypted + 256, 256);
-		uint8_t m[255], hash[32];
-		a_times_b_mod_c (b, a_exp_b_mod_c (a, elgp - x - 1, elgp), elgp).Encode (m, 255);
-		CryptoPP::SHA256().CalculateDigest(hash, m+33, 222);
-		for (int i = 0; i < 32; i++)
-			if (hash[i] != m[i+1])
-			{
-				LogPrint ("ElGamal decrypt hash doesn't match");
-				return false;
-			}
-		memcpy (data, m + 33, 222);
-		return true;
-	}	
-}
-}	
-
-#endif
--- a/Garlic.cpp
+++ b/Garlic.cpp
@@ -2,12 +2,14 @@
 #include "I2PEndian.h"
 #include <map>
 #include <string>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
 #include "RouterContext.h"
 #include "I2NPProtocol.h"
 #include "Tunnel.h"
 #include "TunnelPool.h"
 #include "Timestamp.h"
-#include "Destination.h"
+#include "Log.h"
 #include "Garlic.h"

 namespace i2p
@@ -15,17 +17,18 @@ namespace i2p
 namespace garlic
 {
 	GarlicRoutingSession::GarlicRoutingSession (GarlicDestination * owner, 
-	    const i2p::data::RoutingDestination * destination, int numTags):
+	    std::shared_ptr<const i2p::data::RoutingDestination> destination, int numTags, bool attachLeaseSet):
 		m_Owner (owner), m_Destination (destination), m_NumTags (numTags), 
-		m_LeaseSetUpdated (numTags > 0)
+		m_LeaseSetUpdateStatus (attachLeaseSet ? eLeaseSetUpdated : eLeaseSetDoNotSend),
+		m_ElGamalEncryption (new i2p::crypto::ElGamalEncryption (destination->GetEncryptionPublicKey ()))
 	{
 		// create new session tags and session key
-		m_Rnd.GenerateBlock (m_SessionKey, 32);
+		RAND_bytes (m_SessionKey, 32);
 		m_Encryption.SetKey (m_SessionKey);
 	}	

 	GarlicRoutingSession::GarlicRoutingSession (const uint8_t * sessionKey, const SessionTag& sessionTag):
-		m_Owner (nullptr), m_Destination (nullptr), m_NumTags (1), m_LeaseSetUpdated (false)
+		m_Owner (nullptr), m_Destination (nullptr), m_NumTags (1), m_LeaseSetUpdateStatus (eLeaseSetDoNotSend)
 	{
 		memcpy (m_SessionKey, sessionKey, 32);
 		m_Encryption.SetKey (m_SessionKey);
@@ -46,18 +49,30 @@ namespace garlic
 		tags->tagsCreationTime = i2p::util::GetSecondsSinceEpoch ();		
 		for (int i = 0; i < m_NumTags; i++)
 		{
-			m_Rnd.GenerateBlock (tags->sessionTags[i], 32);
+			RAND_bytes (tags->sessionTags[i], 32);
 			tags->sessionTags[i].creationTime = tags->tagsCreationTime;
 		}			
 		return tags;	
 	}
-	
+
+	void GarlicRoutingSession::MessageConfirmed (uint32_t msgID)
+	{
+		TagsConfirmed (msgID);
+		if (msgID == m_LeaseSetUpdateMsgID)
+		{	
+			m_LeaseSetUpdateStatus = eLeaseSetUpToDate;
+			LogPrint (eLogInfo, "LeaseSet update confirmed");
+		}	
+		else
+			CleanupExpiredTags ();
+	}	
+		
 	void GarlicRoutingSession::TagsConfirmed (uint32_t msgID) 
 	{ 
-		uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
 		auto it = m_UnconfirmedTagsMsgs.find (msgID);	
 		if (it != m_UnconfirmedTagsMsgs.end ())
 		{
+			uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
 			UnconfirmedTags * tags = it->second;
 			if (ts < tags->tagsCreationTime + OUTGOING_TAGS_EXPIRATION_TIMEOUT)
 			{	
@@ -67,22 +82,38 @@ namespace garlic
 			m_UnconfirmedTagsMsgs.erase (it);
 			delete tags;
 		}
+	}
+
+	bool GarlicRoutingSession::CleanupExpiredTags ()
+	{
+		uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
+		for (auto it = m_SessionTags.begin (); it != m_SessionTags.end ();)
+		{
+			if (ts >= it->creationTime + OUTGOING_TAGS_EXPIRATION_TIMEOUT)
+				it = m_SessionTags.erase (it);
+			else 
+				it++;
+		}
 		// delete expired unconfirmed tags
 		for (auto it = m_UnconfirmedTagsMsgs.begin (); it != m_UnconfirmedTagsMsgs.end ();)
 		{
 			if (ts >= it->second->tagsCreationTime + OUTGOING_TAGS_EXPIRATION_TIMEOUT)
 			{
+				if (m_Owner)
+					m_Owner->RemoveCreatedSession (it->first);
 				delete it->second;
 				it = m_UnconfirmedTagsMsgs.erase (it);
 			}	
 			else
 				it++;
 		}	
-	}
+		return !m_SessionTags.empty () || m_UnconfirmedTagsMsgs.empty ();
+ 	}

-	I2NPMessage * GarlicRoutingSession::WrapSingleMessage (I2NPMessage * msg)
+	std::shared_ptr<I2NPMessage> GarlicRoutingSession::WrapSingleMessage (std::shared_ptr<const I2NPMessage> msg)
 	{
-		I2NPMessage * m = NewI2NPMessage ();
+		auto m = ToSharedI2NPMessage(NewI2NPMessage ());
+		m->Align (12); // in order to get buf aligned to 16 (12 + 4)
 		size_t len = 0;
 		uint8_t * buf = m->GetPayload () + 4; // 4 bytes for length

@@ -117,10 +148,10 @@ namespace garlic
 			// create ElGamal block
 			ElGamalBlock elGamal;
 			memcpy (elGamal.sessionKey, m_SessionKey, 32); 
-			m_Rnd.GenerateBlock (elGamal.preIV, 32); // Pre-IV
+			RAND_bytes (elGamal.preIV, 32); // Pre-IV
 			uint8_t iv[32]; // IV is first 16 bytes
-			CryptoPP::SHA256().CalculateDigest(iv, elGamal.preIV, 32); 
-			m_Destination->GetElGamalEncryption ()->Encrypt ((uint8_t *)&elGamal, sizeof(elGamal), buf, true);			
+			SHA256(elGamal.preIV, 32, iv); 
+			m_ElGamalEncryption->Encrypt ((uint8_t *)&elGamal, sizeof(elGamal), buf, true);			
 			m_Encryption.SetIV (iv);
 			buf += 514;
 			len += 514;	
@@ -130,27 +161,25 @@ namespace garlic
 			// session tag
 			memcpy (buf, tag, 32);	
 			uint8_t iv[32]; // IV is first 16 bytes
-			CryptoPP::SHA256().CalculateDigest(iv, tag, 32);
+			SHA256(tag, 32, iv);
 			m_Encryption.SetIV (iv);
 			buf += 32;
 			len += 32;		
 		}	
 		// AES block
 		len += CreateAESBlock (buf, msg);
-		*(uint32_t *)(m->GetPayload ()) = htobe32 (len);
+		htobe32buf (m->GetPayload (), len);
 		m->len += len + 4;
-		FillI2NPMessageHeader (m, eI2NPGarlic);
-		if (msg)
-			DeleteI2NPMessage (msg);
+		m->FillI2NPMessageHeader (eI2NPGarlic);
 		return m;
 	}	

-	size_t GarlicRoutingSession::CreateAESBlock (uint8_t * buf, const I2NPMessage * msg)
+	size_t GarlicRoutingSession::CreateAESBlock (uint8_t * buf, std::shared_ptr<const I2NPMessage> msg)
 	{
 		size_t blockSize = 0;
-		bool createNewTags = m_Owner && m_NumTags && ((int)m_SessionTags.size () <= m_NumTags/2);
+		bool createNewTags = m_Owner && m_NumTags && ((int)m_SessionTags.size () <= m_NumTags*2/3);
 		UnconfirmedTags * newTags = createNewTags ? GenerateSessionTags () : nullptr;
-		*(uint16_t *)buf = newTags ? htobe16 (newTags->numTags) : 0; // tag count
+		htobuf16 (buf, newTags ? htobe16 (newTags->numTags) : 0); // tag count
 		blockSize += 2;
 		if (newTags) // session tags recreated
 		{	
@@ -167,8 +196,8 @@ namespace garlic
 		buf[blockSize] = 0; // flag
 		blockSize++;
 		size_t len = CreateGarlicPayload (buf + blockSize, msg, newTags);
-		*payloadSize = htobe32 (len);
-		CryptoPP::SHA256().CalculateDigest(payloadHash, buf + blockSize, len);
+		htobe32buf (payloadSize, len);
+		SHA256(buf + blockSize, len, payloadHash);
 		blockSize += len;
 		size_t rem = blockSize % 16;
 		if (rem)
@@ -177,10 +206,11 @@ namespace garlic
 		return blockSize;
 	}	

-	size_t GarlicRoutingSession::CreateGarlicPayload (uint8_t * payload, const I2NPMessage * msg, UnconfirmedTags * newTags)
+	size_t GarlicRoutingSession::CreateGarlicPayload (uint8_t * payload, std::shared_ptr<const I2NPMessage> msg, UnconfirmedTags * newTags)
 	{
 		uint64_t ts = i2p::util::GetMillisecondsSinceEpoch () + 5000; // 5 sec
-		uint32_t msgID = m_Rnd.GenerateWord32 ();	
+		uint32_t msgID;
+		RAND_bytes ((uint8_t *)&msgID, 4);
 		size_t size = 0;
 		uint8_t * numCloves = payload + size;
 		*numCloves = 0;
@@ -188,26 +218,36 @@ namespace garlic

 		if (m_Owner)
 		{	
-			if (newTags) // new session
+			// resubmit non-confirmed LeaseSet
+			if (m_LeaseSetUpdateStatus == eLeaseSetSubmitted && 
+			    i2p::util::GetMillisecondsSinceEpoch () > m_LeaseSetSubmissionTime + LEASET_CONFIRMATION_TIMEOUT)
+					m_LeaseSetUpdateStatus = eLeaseSetUpdated;
+
+			// attach DeviveryStatus if necessary
+			if (newTags || m_LeaseSetUpdateStatus == eLeaseSetUpdated) // new tags created or leaseset updated
 			{
 				// clove is DeliveryStatus 
-				size += CreateDeliveryStatusClove (payload + size, msgID);
-				if (size > 0) // successive?
+				auto cloveSize = CreateDeliveryStatusClove (payload + size, msgID);
+				if (cloveSize > 0) // successive?
 				{
+					size += cloveSize;
 					(*numCloves)++;
-					m_UnconfirmedTagsMsgs[msgID] = newTags;
-					m_Owner->DeliveryStatusSent (this, msgID);
+					if (newTags) // new tags created
+						m_UnconfirmedTagsMsgs[msgID] = newTags;
+					m_Owner->DeliveryStatusSent (shared_from_this (), msgID);
 				}
 				else
 					LogPrint ("DeliveryStatus clove was not created");
 			}	
-			if (m_LeaseSetUpdated) 
+			// attach LeaseSet
+			if (m_LeaseSetUpdateStatus == eLeaseSetUpdated) 
 			{
-				m_LeaseSetUpdated = false;
+				m_LeaseSetUpdateStatus = eLeaseSetSubmitted;
+				m_LeaseSetUpdateMsgID = msgID;
+				m_LeaseSetSubmissionTime = i2p::util::GetMillisecondsSinceEpoch ();
 				// clove if our leaseSet must be attached
 				auto leaseSet = CreateDatabaseStoreMsg (m_Owner->GetLeaseSet ());
-				size += CreateGarlicClove (payload + size, leaseSet, false);
-				DeleteI2NPMessage (leaseSet);
+				size += CreateGarlicClove (payload + size, leaseSet, false); 
 				(*numCloves)++;
 			}
 		}	
@@ -219,14 +259,14 @@ namespace garlic
 		
 		memset (payload + size, 0, 3); // certificate of message
 		size += 3;
-		*(uint32_t *)(payload + size) = htobe32 (msgID); // MessageID
+		htobe32buf (payload + size, msgID); // MessageID
 		size += 4;
-		*(uint64_t *)(payload + size) = htobe64 (ts); // Expiration of message
+		htobe64buf (payload + size, ts); // Expiration of message
 		size += 8;
 		return size;
 	}	

-	size_t GarlicRoutingSession::CreateGarlicClove (uint8_t * buf, const I2NPMessage * msg, bool isDestination)
+	size_t GarlicRoutingSession::CreateGarlicClove (uint8_t * buf, std::shared_ptr<const I2NPMessage> msg, bool isDestination)
 	{
 		uint64_t ts = i2p::util::GetMillisecondsSinceEpoch () + 5000; // 5 sec
 		size_t size = 0;
@@ -245,9 +285,11 @@ namespace garlic
 		
 		memcpy (buf + size, msg->GetBuffer (), msg->GetLength ());
 		size += msg->GetLength ();
-		*(uint32_t *)(buf + size) = htobe32 (m_Rnd.GenerateWord32 ()); // CloveID
+		uint32_t cloveID;
+		RAND_bytes ((uint8_t *)&cloveID, 4);
+		htobe32buf (buf + size, cloveID); // CloveID
 		size += 4;
-		*(uint64_t *)(buf + size) = htobe64 (ts); // Expiration of clove
+		htobe64buf (buf + size, ts); // Expiration of clove
 		size += 8;
 		memset (buf + size, 0, 3); // certificate of clove
 		size += 3;
@@ -259,43 +301,43 @@ namespace garlic
 		size_t size = 0;
 		if (m_Owner)
 		{
-			auto leases = m_Owner->GetLeaseSet ()->GetNonExpiredLeases ();
-			if (!leases.empty ())
+			auto inboundTunnel = m_Owner->GetTunnelPool ()->GetNextInboundTunnel ();
+			if (inboundTunnel)
 			{	
 				buf[size] = eGarlicDeliveryTypeTunnel << 5; // delivery instructions flag tunnel
 				size++;
-				uint32_t i = m_Rnd.GenerateWord32 (0, leases.size () - 1);
 				// hash and tunnelID sequence is reversed for Garlic 
-				memcpy (buf + size, leases[i].tunnelGateway, 32); // To Hash
+				memcpy (buf + size, inboundTunnel->GetNextIdentHash (), 32); // To Hash
 				size += 32;
-				*(uint32_t *)(buf + size) = htobe32 (leases[i].tunnelID); // tunnelID
+				htobe32buf (buf + size, inboundTunnel->GetNextTunnelID ()); // tunnelID
 				size += 4; 	
 				// create msg 
-				I2NPMessage * msg = CreateDeliveryStatusMsg (msgID);
+				auto msg = CreateDeliveryStatusMsg (msgID);
 				if (m_Owner)
 				{
 					//encrypt 
 					uint8_t key[32], tag[32];
-					m_Rnd.GenerateBlock (key, 32); // random session key 
-					m_Rnd.GenerateBlock (tag, 32); // random session tag
-					m_Owner->AddSessionKey (key, tag);
+					RAND_bytes (key, 32); // random session key 
+					RAND_bytes (tag, 32); // random session tag
+					m_Owner->SubmitSessionKey (key, tag);
 					GarlicRoutingSession garlic (key, tag);
 					msg = garlic.WrapSingleMessage (msg);		
 				}
 				memcpy (buf + size, msg->GetBuffer (), msg->GetLength ());
 				size += msg->GetLength ();
-				DeleteI2NPMessage (msg);
 				// fill clove
 				uint64_t ts = i2p::util::GetMillisecondsSinceEpoch () + 5000; // 5 sec
-				*(uint32_t *)(buf + size) = htobe32 (m_Rnd.GenerateWord32 ()); // CloveID
+				uint32_t cloveID;
+				RAND_bytes ((uint8_t *)&cloveID, 4);
+				htobe32buf (buf + size, cloveID); // CloveID
 				size += 4;
-				*(uint64_t *)(buf + size) = htobe64 (ts); // Expiration of clove
+				htobe64buf (buf + size, ts); // Expiration of clove
 				size += 8;
 				memset (buf + size, 0, 3); // certificate of clove
 				size += 3;
 			}
 			else	
-				LogPrint ("All tunnels of local LeaseSet expired");	
+				LogPrint (eLogError, "No inbound tunnels in the pool for DeliveryStatus");	
 		}
 		else
 			LogPrint ("Missing local LeaseSet");
@@ -305,9 +347,6 @@ namespace garlic
 	
 	GarlicDestination::~GarlicDestination ()
 	{
-		for (auto it: m_Sessions)
-			delete it.second;
-		m_Sessions.clear ();
 	}

 	void GarlicDestination::AddSessionKey (const uint8_t * key, const uint8_t * tag)
@@ -321,40 +360,55 @@ namespace garlic
 		}
 	}

-	void GarlicDestination::HandleGarlicMessage (I2NPMessage * msg)
+	bool GarlicDestination::SubmitSessionKey (const uint8_t * key, const uint8_t * tag) 
+	{
+		AddSessionKey (key, tag);
+		return true;
+	}
+
+	void GarlicDestination::HandleGarlicMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		uint8_t * buf = msg->GetPayload ();
-		uint32_t length = be32toh (*(uint32_t *)buf);
+		uint32_t length = bufbe32toh (buf);
+		if (length > msg->GetLength ())
+		{
+			LogPrint (eLogError, "Garlic message length ", length, " exceeds I2NP message length ", msg->GetLength ());
+			return;
+		}	
 		buf += 4; // length
 		auto it = m_Tags.find (SessionTag(buf));
 		if (it != m_Tags.end ())
 		{
 			// tag found. Use AES
-			uint8_t iv[32]; // IV is first 16 bytes
-			CryptoPP::SHA256().CalculateDigest(iv, buf, 32);
-			it->second->SetIV (iv);
-			it->second->Decrypt (buf + 32, length - 32, buf + 32);
-			HandleAESBlock (buf + 32, length - 32, it->second, msg->from);
-			m_Tags.erase (it); // tag might be used only once
+			if (length >= 32)
+			{	
+				uint8_t iv[32]; // IV is first 16 bytes
+				SHA256(buf, 32, iv);
+				it->second->SetIV (iv);
+				it->second->Decrypt (buf + 32, length - 32, buf + 32);
+				HandleAESBlock (buf + 32, length - 32, it->second, msg->from);
+			}	
+			else
+				LogPrint (eLogError, "Garlic message length ", length, " is less than 32 bytes");
+			m_Tags.erase (it); // tag might be used only once	
 		}
 		else
 		{
 			// tag not found. Use ElGamal
 			ElGamalBlock elGamal;
-			if (i2p::crypto::ElGamalDecrypt (GetEncryptionPrivateKey (), buf, (uint8_t *)&elGamal, true))
+			if (length >= 514 && i2p::crypto::ElGamalDecrypt (GetEncryptionPrivateKey (), buf, (uint8_t *)&elGamal, true))
 			{	
 				auto decryption = std::make_shared<i2p::crypto::CBCDecryption>();
 				decryption->SetKey (elGamal.sessionKey);
 				uint8_t iv[32]; // IV is first 16 bytes
-				CryptoPP::SHA256().CalculateDigest(iv, elGamal.preIV, 32); 
+				SHA256(elGamal.preIV, 32, iv); 
 				decryption->SetIV (iv);
 				decryption->Decrypt(buf + 514, length - 514, buf + 514);
 				HandleAESBlock (buf + 514, length - 514, decryption, msg->from);
 			}	
 			else
-				LogPrint ("Failed to decrypt garlic");
+				LogPrint (eLogError, "Failed to decrypt garlic");
 		}
-		DeleteI2NPMessage (msg);

 		// cleanup expired tags
 		uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
@@ -380,21 +434,27 @@ namespace garlic
 	}	

 	void GarlicDestination::HandleAESBlock (uint8_t * buf, size_t len, std::shared_ptr<i2p::crypto::CBCDecryption> decryption,
-		i2p::tunnel::InboundTunnel * from)
+		std::shared_ptr<i2p::tunnel::InboundTunnel> from)
 	{
-		uint16_t tagCount = be16toh (*(uint16_t *)buf);
-		buf += 2;	
+		uint16_t tagCount = bufbe16toh (buf);
+		buf += 2; len -= 2;	
 		if (tagCount > 0)
 		{	
+			if (tagCount*32 > len) 
+			{
+				LogPrint (eLogError, "Tag count ", tagCount, " exceeds length ", len);
+				return ;
+			}	
 			uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
 			for (int i = 0; i < tagCount; i++)
 				m_Tags[SessionTag(buf + i*32, ts)] = decryption;	
 		}	
 		buf += tagCount*32;
-		uint32_t payloadSize = be32toh (*(uint32_t *)buf);
+		len -= tagCount*32;
+		uint32_t payloadSize = bufbe32toh (buf);
 		if (payloadSize > len)
 		{
-			LogPrint ("Unexpected payload size ", payloadSize);
+			LogPrint (eLogError, "Unexpected payload size ", payloadSize);
 			return;
 		}	
 		buf += 4;
@@ -405,9 +465,9 @@ namespace garlic
 		buf++; // flag

 		// payload
-		uint8_t hash[32];
-		CryptoPP::SHA256().CalculateDigest(hash, buf, payloadSize);
-		if (memcmp (hash, payloadHash, 32)) // payload hash doesn't match
+		uint8_t digest[32];
+		SHA256 (buf, payloadSize, digest);
+		if (memcmp (payloadHash, digest, 32)) // payload hash doesn't match
 		{
 			LogPrint ("Wrong payload hash");
 			return;
@@ -415,8 +475,9 @@ namespace garlic
 		HandleGarlicPayload (buf, payloadSize, from);
 	}	

-	void GarlicDestination::HandleGarlicPayload (uint8_t * buf, size_t len, i2p::tunnel::InboundTunnel * from)
+	void GarlicDestination::HandleGarlicPayload (uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from)
 	{
+		const uint8_t * buf1 = buf;
 		int numCloves = buf[0];
 		LogPrint (numCloves," cloves");
 		buf++;
@@ -449,14 +510,14 @@ namespace garlic
 					// gwHash and gwTunnel sequence is reverted
 					uint8_t * gwHash = buf;
 					buf += 32;
-					uint32_t gwTunnel = be32toh (*(uint32_t *)buf);
+					uint32_t gwTunnel = bufbe32toh (buf);
 					buf += 4;
-					i2p::tunnel::OutboundTunnel * tunnel = nullptr;
+					std::shared_ptr<i2p::tunnel::OutboundTunnel> tunnel;
 					if (from && from->GetTunnelPool ())
 						tunnel = from->GetTunnelPool ()->GetNextOutboundTunnel ();
 					if (tunnel) // we have send it through an outbound tunnel
 					{	
-						I2NPMessage * msg = CreateI2NPMessage (buf, GetI2NPMessageLength (buf), from);
+						auto msg = CreateI2NPMessage (buf, GetI2NPMessageLength (buf), from);
 						tunnel->SendTunnelDataMsg (gwHash, gwTunnel, msg);
 					}	
 					else
@@ -474,59 +535,75 @@ namespace garlic
 			buf += 4; // CloveID
 			buf += 8; // Date
 			buf += 3; // Certificate
+			if (buf - buf1  > (int)len)
+			{
+				LogPrint (eLogError, "Garlic clove is too long");
+				break;
+			}	
 		}	
 	}	
 	
-	I2NPMessage * GarlicDestination::WrapMessage (const i2p::data::RoutingDestination& destination, 
-		I2NPMessage * msg, bool attachLeaseSet)	
+	std::shared_ptr<I2NPMessage> GarlicDestination::WrapMessage (std::shared_ptr<const i2p::data::RoutingDestination> destination, 
+		std::shared_ptr<I2NPMessage> msg, bool attachLeaseSet)	
 	{
-		if (attachLeaseSet) // we should maintain this session
-		{	
-			auto session = GetRoutingSession (destination, 32);  // 32 tags by default
-			return session->WrapSingleMessage (msg);	
-		}
-		else // one time session
-		{
-			GarlicRoutingSession session (this, &destination, 0); // don't use tag if no LeaseSet
-			return session.WrapSingleMessage (msg);
-		}	
+		auto session = GetRoutingSession (destination, attachLeaseSet);  // 32 tags by default
+		return session->WrapSingleMessage (msg);	
 	}

-	GarlicRoutingSession * GarlicDestination::GetRoutingSession (
-		const i2p::data::RoutingDestination& destination, int numTags)
+	std::shared_ptr<GarlicRoutingSession> GarlicDestination::GetRoutingSession (
+		std::shared_ptr<const i2p::data::RoutingDestination> destination, bool attachLeaseSet)
 	{
-		auto it = m_Sessions.find (destination.GetIdentHash ());
-		GarlicRoutingSession * session = nullptr;
+		auto it = m_Sessions.find (destination->GetIdentHash ());
+		std::shared_ptr<GarlicRoutingSession> session;
 		if (it != m_Sessions.end ())
 			session = it->second;
 		if (!session)
 		{
-			session = new GarlicRoutingSession (this, &destination, numTags); 
+			session = std::make_shared<GarlicRoutingSession> (this, destination, 
+				attachLeaseSet ? 40 : 4, attachLeaseSet); // 40 tags for connections and 4 for LS requests
 			std::unique_lock<std::mutex> l(m_SessionsMutex);
-			m_Sessions[destination.GetIdentHash ()] = session;
+			m_Sessions[destination->GetIdentHash ()] = session;
 		}	
 		return session;
 	}	
-		
-	void GarlicDestination::DeliveryStatusSent (GarlicRoutingSession * session, uint32_t msgID)
+	
+	void GarlicDestination::CleanupRoutingSessions ()
+	{
+		std::unique_lock<std::mutex> l(m_SessionsMutex);
+		for (auto it = m_Sessions.begin (); it != m_Sessions.end ();)
+		{
+			if (!it->second->CleanupExpiredTags ())
+			{
+				LogPrint (eLogInfo, "Routing session to ", it->first.ToBase32 (), " deleted");
+				it = m_Sessions.erase (it);
+			}
+			else
+				it++;
+		}
+	}
+	
+	void GarlicDestination::RemoveCreatedSession (uint32_t msgID)
+	{
+		m_CreatedSessions.erase (msgID);
+	}
+
+	void GarlicDestination::DeliveryStatusSent (std::shared_ptr<GarlicRoutingSession> session, uint32_t msgID)
 	{
 		m_CreatedSessions[msgID] = session;
 	}		

-	void GarlicDestination::HandleDeliveryStatusMessage (I2NPMessage * msg)
+	void GarlicDestination::HandleDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg)
 	{
-		I2NPDeliveryStatusMsg * deliveryStatus = (I2NPDeliveryStatusMsg *)msg->GetPayload ();
-		uint32_t msgID = be32toh (deliveryStatus->msgID);
+		uint32_t msgID = bufbe32toh (msg->GetPayload ());
 		{
 			auto it = m_CreatedSessions.find (msgID);
 			if (it != m_CreatedSessions.end ())			
 			{
-				it->second->TagsConfirmed (msgID);
+				it->second->MessageConfirmed (msgID);
 				m_CreatedSessions.erase (it);
-				LogPrint ("Garlic message ", msgID, " acknowledged");
+				LogPrint (eLogInfo, "Garlic message ", msgID, " acknowledged");
 			}	
 		}
-		DeleteI2NPMessage (msg);	
 	}

 	void GarlicDestination::SetLeaseSetUpdated ()
@@ -536,12 +613,12 @@ namespace garlic
 			it.second->SetLeaseSetUpdated ();
 	}

-	void GarlicDestination::ProcessGarlicMessage (I2NPMessage * msg)
+	void GarlicDestination::ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		HandleGarlicMessage (msg);
 	}

-	void GarlicDestination::ProcessDeliveryStatusMessage (I2NPMessage * msg)
+	void GarlicDestination::ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		HandleDeliveryStatusMessage (msg);
 	}
--- a/Garlic.h
+++ b/Garlic.h
@@ -8,8 +8,7 @@
 #include <thread>
 #include <mutex>
 #include <memory>
-#include <cryptopp/osrng.h>
-#include "aes.h"
+#include "Crypto.h"
 #include "I2NPProtocol.h"
 #include "LeaseSet.h"
 #include "Queue.h"
@@ -39,6 +38,7 @@ namespace garlic

 	const int INCOMING_TAGS_EXPIRATION_TIMEOUT = 960; // 16 minutes			
 	const int OUTGOING_TAGS_EXPIRATION_TIMEOUT = 720; // 12 minutes
+	const int LEASET_CONFIRMATION_TIMEOUT = 4000; // in milliseconds
 	
 	struct SessionTag: public i2p::data::Tag<32> 
 	{
@@ -54,8 +54,16 @@ namespace garlic
 	};
 		
 	class GarlicDestination;
-	class GarlicRoutingSession
+	class GarlicRoutingSession: public std::enable_shared_from_this<GarlicRoutingSession>
 	{
+			enum LeaseSetUpdateStatus
+			{
+				eLeaseSetUpToDate = 0,
+				eLeaseSetUpdated,
+				eLeaseSetSubmitted,
+				eLeaseSetDoNotSend
+			};
+		
 			struct UnconfirmedTags
 			{
 				UnconfirmedTags (int n): numTags (n), tagsCreationTime (0) { sessionTags = new SessionTag[numTags]; };
@@ -67,37 +75,46 @@ namespace garlic

 		public:

-			GarlicRoutingSession (GarlicDestination * owner, const i2p::data::RoutingDestination * destination, int numTags);
+			GarlicRoutingSession (GarlicDestination * owner, std::shared_ptr<const i2p::data::RoutingDestination> destination, 
+				int numTags, bool attachLeaseSet);
 			GarlicRoutingSession (const uint8_t * sessionKey, const SessionTag& sessionTag); // one time encryption
 			~GarlicRoutingSession ();
-			I2NPMessage * WrapSingleMessage (I2NPMessage * msg);
-			void TagsConfirmed (uint32_t msgID);
+			std::shared_ptr<I2NPMessage> WrapSingleMessage (std::shared_ptr<const I2NPMessage> msg);
+			void MessageConfirmed (uint32_t msgID);
+			bool CleanupExpiredTags (); // returns true if something left 

-			void SetLeaseSetUpdated () { m_LeaseSetUpdated = true; };
+			void SetLeaseSetUpdated () 
+			{ 
+				if (m_LeaseSetUpdateStatus != eLeaseSetDoNotSend) m_LeaseSetUpdateStatus = eLeaseSetUpdated; 
+			};
 			
 		private:

-			size_t CreateAESBlock (uint8_t * buf, const I2NPMessage * msg);
-			size_t CreateGarlicPayload (uint8_t * payload, const I2NPMessage * msg, UnconfirmedTags * newTags);
-			size_t CreateGarlicClove (uint8_t * buf, const I2NPMessage * msg, bool isDestination);
+			size_t CreateAESBlock (uint8_t * buf, std::shared_ptr<const I2NPMessage> msg);
+			size_t CreateGarlicPayload (uint8_t * payload, std::shared_ptr<const I2NPMessage> msg, UnconfirmedTags * newTags);
+			size_t CreateGarlicClove (uint8_t * buf, std::shared_ptr<const I2NPMessage> msg, bool isDestination);
 			size_t CreateDeliveryStatusClove (uint8_t * buf, uint32_t msgID);
-			
+
+			void TagsConfirmed (uint32_t msgID);
 			UnconfirmedTags * GenerateSessionTags ();

 		private:

 			GarlicDestination * m_Owner;
-			const i2p::data::RoutingDestination * m_Destination;
+			std::shared_ptr<const i2p::data::RoutingDestination> m_Destination;
 			i2p::crypto::AESKey m_SessionKey;
 			std::list<SessionTag> m_SessionTags;
 			int m_NumTags;
 			std::map<uint32_t, UnconfirmedTags *> m_UnconfirmedTagsMsgs;	
-			bool m_LeaseSetUpdated;
-
+			
+			LeaseSetUpdateStatus m_LeaseSetUpdateStatus;
+			uint32_t m_LeaseSetUpdateMsgID;
+			uint64_t m_LeaseSetSubmissionTime; // in milliseconds
+			
 			i2p::crypto::CBCEncryption m_Encryption;
-			CryptoPP::AutoSeededRandomPool m_Rnd;
+			std::unique_ptr<const i2p::crypto::ElGamalEncryption> m_ElGamalEncryption; 
 	};	
-
+	
 	class GarlicDestination: public i2p::data::LocalDestination
 	{
 		public:
@@ -105,41 +122,45 @@ namespace garlic
 			GarlicDestination (): m_LastTagsCleanupTime (0) {};
 			~GarlicDestination ();

-			GarlicRoutingSession * GetRoutingSession (const i2p::data::RoutingDestination& destination, int numTags);	
-			I2NPMessage * WrapMessage (const i2p::data::RoutingDestination& destination, 
-			    I2NPMessage * msg, bool attachLeaseSet = false);
+			std::shared_ptr<GarlicRoutingSession> GetRoutingSession (std::shared_ptr<const i2p::data::RoutingDestination> destination, bool attachLeaseSet);	
+			void CleanupRoutingSessions ();
+			void RemoveCreatedSession (uint32_t msgID);
+			std::shared_ptr<I2NPMessage> WrapMessage (std::shared_ptr<const i2p::data::RoutingDestination> destination, 
+			    std::shared_ptr<I2NPMessage> msg, bool attachLeaseSet = false);

 			void AddSessionKey (const uint8_t * key, const uint8_t * tag); // one tag
-			void DeliveryStatusSent (GarlicRoutingSession * session, uint32_t msgID);
+			virtual bool SubmitSessionKey (const uint8_t * key, const uint8_t * tag); // from different thread
+			void DeliveryStatusSent (std::shared_ptr<GarlicRoutingSession> session, uint32_t msgID);
 			
-			virtual void ProcessGarlicMessage (I2NPMessage * msg);
-			virtual void ProcessDeliveryStatusMessage (I2NPMessage * msg);			
+			virtual void ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg);
+			virtual void ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg);			
 			virtual void SetLeaseSetUpdated ();
 			
-			virtual const i2p::data::LeaseSet * GetLeaseSet () = 0; // TODO
-			virtual void HandleI2NPMessage (const uint8_t * buf, size_t len, i2p::tunnel::InboundTunnel * from) = 0;
+			virtual std::shared_ptr<const i2p::data::LeaseSet> GetLeaseSet () = 0; // TODO
+			virtual std::shared_ptr<i2p::tunnel::TunnelPool> GetTunnelPool () const = 0;
+			virtual void HandleI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from) = 0;
 			
 		protected:

-			void HandleGarlicMessage (I2NPMessage * msg);
-			void HandleDeliveryStatusMessage (I2NPMessage * msg);			
+			void HandleGarlicMessage (std::shared_ptr<I2NPMessage> msg);
+			void HandleDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg);			
 	
 		private:

 			void HandleAESBlock (uint8_t * buf, size_t len, std::shared_ptr<i2p::crypto::CBCDecryption> decryption, 
-				i2p::tunnel::InboundTunnel * from);
-			void HandleGarlicPayload (uint8_t * buf, size_t len, i2p::tunnel::InboundTunnel * from);
+				std::shared_ptr<i2p::tunnel::InboundTunnel> from);
+			void HandleGarlicPayload (uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from);

 		private:
 			
 			// outgoing sessions
 			std::mutex m_SessionsMutex;
-			std::map<i2p::data::IdentHash, GarlicRoutingSession *> m_Sessions;
+			std::map<i2p::data::IdentHash, std::shared_ptr<GarlicRoutingSession> > m_Sessions;
 			// incoming
 			std::map<SessionTag, std::shared_ptr<i2p::crypto::CBCDecryption>> m_Tags;
 			uint32_t m_LastTagsCleanupTime;
 			// DeliveryStatus
-			std::map<uint32_t, GarlicRoutingSession *> m_CreatedSessions; // msgID -> session
+			std::map<uint32_t, std::shared_ptr<GarlicRoutingSession> > m_CreatedSessions; // msgID -> session
 	};	
 }	
 }
--- a/HTTPProxy.cpp
+++ b/HTTPProxy.cpp
@@ -1,87 +1,299 @@
+#include <cstring>
+#include <cassert>
 #include <boost/lexical_cast.hpp>
 #include <boost/regex.hpp>
-
-#include "ClientContext.h"
+#include <string>
+#include <atomic>
 #include "HTTPProxy.h"
+#include "util.h"
+#include "Identity.h"
+#include "Streaming.h"
+#include "Destination.h"
+#include "ClientContext.h"
+#include "I2PEndian.h"
+#include "I2PTunnel.h"

 namespace i2p
 {
 namespace proxy
 {
-	void HTTPProxyConnection::parseHeaders(const std::string& h, std::vector<header>& hm) {
-		std::string str (h);
-		std::string::size_type idx;
-		std::string t;
-		int i = 0;
-		while( (idx=str.find ("\r\n")) != std::string::npos) {
-			t=str.substr (0,idx);
-			str.erase (0,idx+2);
-			if (t == "")
-				break;
-			idx=t.find(": ");
-			if (idx == std::string::npos)
+	static const size_t http_buffer_size = 8192;
+	class HTTPProxyHandler: public i2p::client::I2PServiceHandler, public std::enable_shared_from_this<HTTPProxyHandler> 
+	{
+		private:
+			enum state 
 			{
-				std::cout << "Bad header line: " << t << std::endl;
-				break;
-			}
-			LogPrint ("Name: ", t.substr (0,idx), " Value: ", t.substr (idx+2));
-			hm[i].name = t.substr (0,idx);
-			hm[i].value = t.substr (idx+2);
-			i++;
+				GET_METHOD,
+				GET_HOSTNAME,
+				GET_HTTPV,
+				GET_HTTPVNL, //TODO: fallback to finding HOst: header if needed
+				DONE
+			};
+
+			void EnterState(state nstate);
+			bool HandleData(uint8_t *http_buff, std::size_t len);
+			void HandleSockRecv(const boost::system::error_code & ecode, std::size_t bytes_transfered);
+			void Terminate();
+			void AsyncSockRead();
+			void HTTPRequestFailed(/*std::string message*/);
+			void ExtractRequest();
+			bool ValidateHTTPRequest();
+			void HandleJumpServices();
+			bool CreateHTTPRequest(uint8_t *http_buff, std::size_t len);
+			void SentHTTPFailed(const boost::system::error_code & ecode);
+			void HandleStreamRequestComplete (std::shared_ptr<i2p::stream::Stream> stream);
+
+			uint8_t m_http_buff[http_buffer_size];
+			std::shared_ptr<boost::asio::ip::tcp::socket> m_sock;
+			std::string m_request; //Data left to be sent
+			std::string m_url; //URL
+			std::string m_method; //Method
+			std::string m_version; //HTTP version
+			std::string m_address; //Address
+			std::string m_path; //Path
+			int m_port; //Port
+			state m_state;//Parsing state
+
+		public:
+
+			HTTPProxyHandler(HTTPProxyServer * parent, std::shared_ptr<boost::asio::ip::tcp::socket> sock) : 
+				I2PServiceHandler(parent), m_sock(sock)
+				{ EnterState(GET_METHOD); }
+			~HTTPProxyHandler() { Terminate(); }
+			void Handle () { AsyncSockRead(); }
+	};
+
+	void HTTPProxyHandler::AsyncSockRead()
+	{
+		LogPrint(eLogDebug,"--- HTTP Proxy async sock read");
+		if(m_sock) {
+			m_sock->async_receive(boost::asio::buffer(m_http_buff, http_buffer_size),
+						std::bind(&HTTPProxyHandler::HandleSockRecv, shared_from_this(),
+								std::placeholders::_1, std::placeholders::_2));
+		} else {
+			LogPrint(eLogError,"--- HTTP Proxy no socket for read");
 		}
 	}

-	void HTTPProxyConnection::ExtractRequest(request& r)
+	void HTTPProxyHandler::Terminate() {
+		if (Kill()) return;
+		if (m_sock) 
+		{
+			LogPrint(eLogDebug,"--- HTTP Proxy close sock");
+			m_sock->close();
+			m_sock = nullptr;
+		}
+		Done(shared_from_this());
+	}
+
+	/* All hope is lost beyond this point */
+	//TODO: handle this apropriately
+	void HTTPProxyHandler::HTTPRequestFailed(/*HTTPProxyHandler::errTypes error*/)
 	{
-		std::string requestString = m_Buffer;
-		int idx=requestString.find(" ");
-		std::string method = requestString.substr(0,idx);
-		requestString = requestString.substr(idx+1);
-		idx=requestString.find(" ");
-		std::string requestUrl = requestString.substr(0,idx);
-		LogPrint("method is: ", method, "\nRequest is: ", requestUrl);
+		static std::string response = "HTTP/1.0 500 Internal Server Error\r\nContent-type: text/html\r\nContent-length: 0\r\n";
+		boost::asio::async_write(*m_sock, boost::asio::buffer(response,response.size()),
+					 std::bind(&HTTPProxyHandler::SentHTTPFailed, shared_from_this(), std::placeholders::_1));
+	}
+
+	void HTTPProxyHandler::EnterState(HTTPProxyHandler::state nstate) 
+	{
+		m_state = nstate;
+	}
+
+	void HTTPProxyHandler::ExtractRequest()
+	{
+		LogPrint(eLogDebug,"--- HTTP Proxy method is: ", m_method, "\nRequest is: ", m_url);
 		std::string server="";
 		std::string port="80";
 		boost::regex rHTTP("http://(.*?)(:(\\d+))?(/.*)");
 		boost::smatch m;
 		std::string path;
-		if(boost::regex_search(requestUrl, m, rHTTP, boost::match_extra)) {
+		if(boost::regex_search(m_url, m, rHTTP, boost::match_extra)) 
+		{
 			server=m[1].str();
-			if(m[2].str() != "") {
-				port=m[3].str();
-			}
+			if (m[2].str() != "")  port=m[3].str();
 			path=m[4].str();
 		}
-		LogPrint("server is: ",server, " port is: ", port, "\n path is: ",path);
-		r.uri = path;
-		r.method = method;
-		r.host = server;
-		r.port = boost::lexical_cast<int>(port);
+		LogPrint(eLogDebug,"--- HTTP Proxy server is: ",server, " port is: ", port, "\n path is: ",path);
+		m_address = server;
+		m_port = boost::lexical_cast<int>(port);
+		m_path = path;
 	}

-
-	void HTTPProxyConnection::RunRequest()
+	bool HTTPProxyHandler::ValidateHTTPRequest() 
 	{
-		request r;
-		ExtractRequest(r);
-		parseHeaders(m_Buffer, r.headers);
-		size_t addressHelperPos = r.uri.find ("i2paddresshelper");
-		if (addressHelperPos != std::string::npos)
+		if ( m_version != "HTTP/1.0" && m_version != "HTTP/1.1" ) 
 		{
-			// jump service
-			size_t addressPos = r.uri.find ("=", addressHelperPos);
-			if (addressPos != std::string::npos)
+			LogPrint(eLogError,"--- HTTP Proxy unsupported version: ", m_version);
+			HTTPRequestFailed(); //TODO: send right stuff
+			return false;
+		}
+		return true;
+	}
+
+	void HTTPProxyHandler::HandleJumpServices() 
+	{
+		static const char * helpermark1 = "?i2paddresshelper=";
+		static const char * helpermark2 = "&i2paddresshelper=";
+		size_t addressHelperPos1 = m_path.rfind (helpermark1);
+		size_t addressHelperPos2 = m_path.rfind (helpermark2);
+		size_t addressHelperPos;
+		if (addressHelperPos1 == std::string::npos)
+		{
+			if (addressHelperPos2 == std::string::npos)
+				return; //Not a jump service
+			else
+				addressHelperPos = addressHelperPos2;
+		}
+		else
+		{
+			if (addressHelperPos2 == std::string::npos)
+				addressHelperPos = addressHelperPos1;
+			else if ( addressHelperPos1 > addressHelperPos2 )
+				addressHelperPos = addressHelperPos1;
+			else
+				addressHelperPos = addressHelperPos2;
+		}
+		auto base64 = m_path.substr (addressHelperPos + strlen(helpermark1));
+		base64 = i2p::util::http::urlDecode(base64); //Some of the symbols may be urlencoded
+		LogPrint (eLogDebug,"Jump service for ", m_address, " found at ", base64, ". Inserting to address book");
+		//TODO: this is very dangerous and broken. We should ask the user before doing anything see http://pastethis.i2p/raw/pn5fL4YNJL7OSWj3Sc6N/
+		//TODO: we could redirect the user again to avoid dirtiness in the browser
+		i2p::client::context.GetAddressBook ().InsertAddress (m_address, base64);
+		m_path.erase(addressHelperPos);
+	}
+
+	bool HTTPProxyHandler::CreateHTTPRequest(uint8_t *http_buff, std::size_t len) 
+	{
+		ExtractRequest(); //TODO: parse earlier
+		if (!ValidateHTTPRequest()) return false;
+		HandleJumpServices();
+		m_request = m_method;
+		m_request.push_back(' ');
+		m_request += m_path;
+		m_request.push_back(' ');
+		m_request += m_version;
+		m_request.push_back('\r');
+		m_request.push_back('\n');
+		m_request.append("Connection: close\r\n");
+		m_request.append(reinterpret_cast<const char *>(http_buff),len);
+		return true;
+	}
+
+	bool HTTPProxyHandler::HandleData(uint8_t *http_buff, std::size_t len)
+	{
+		assert(len); // This should always be called with a least a byte left to parse
+		while (len > 0) 
+		{
+			//TODO: fallback to finding HOst: header if needed
+			switch (m_state) 
 			{
-				LogPrint ("Jump service for ", r.host, " found. Inserting to address book");
-				auto base64 = r.uri.substr (addressPos + 1);
-				i2p::client::context.GetAddressBook ().InsertAddress (r.host, base64);
+				case GET_METHOD:
+					switch (*http_buff) 
+					{
+						case ' ': EnterState(GET_HOSTNAME); break;
+						default: m_method.push_back(*http_buff); break;
+					}
+				break;
+				case GET_HOSTNAME:
+					switch (*http_buff) 
+					{
+						case ' ': EnterState(GET_HTTPV); break;
+						default: m_url.push_back(*http_buff); break;
+					}
+				break;
+				case GET_HTTPV:
+					switch (*http_buff) 
+					{
+						case '\r': EnterState(GET_HTTPVNL); break;
+						default: m_version.push_back(*http_buff); break;
+					}
+				break;
+				case GET_HTTPVNL:
+					switch (*http_buff) 
+					{
+						case '\n': EnterState(DONE); break;
+						default:
+							LogPrint(eLogError,"--- HTTP Proxy rejected invalid request ending with: ", ((int)*http_buff));
+							HTTPRequestFailed(); //TODO: add correct code
+							return false;
+					}
+				break;
+				default:
+					LogPrint(eLogError,"--- HTTP Proxy invalid state: ", m_state);
+					HTTPRequestFailed(); //TODO: add correct code 500
+					return false;
 			}
-		}			
+			http_buff++;
+			len--;
+			if (m_state == DONE)
+				return CreateHTTPRequest(http_buff,len);
+		}
+		return true;
+	}
+
+	void HTTPProxyHandler::HandleSockRecv(const boost::system::error_code & ecode, std::size_t len)
+	{
+		LogPrint(eLogDebug,"--- HTTP Proxy sock recv: ", len);
+		if(ecode) 
+		{
+			LogPrint(eLogWarning," --- HTTP Proxy sock recv got error: ", ecode);
+                        Terminate();
+			return;
+		}
+
+		if (HandleData(m_http_buff, len)) 
+		{
+			if (m_state == DONE) 
+			{
+				LogPrint(eLogInfo,"--- HTTP Proxy requested: ", m_url);
+				GetOwner()->CreateStream (std::bind (&HTTPProxyHandler::HandleStreamRequestComplete,
+						shared_from_this(), std::placeholders::_1), m_address, m_port);
+			} 
+			else 
+				AsyncSockRead();
+		}
+
+	}
+
+	void HTTPProxyHandler::SentHTTPFailed(const boost::system::error_code & ecode)
+	{
+		if (!ecode)
+			Terminate();
+		else 
+		{
+			LogPrint (eLogError,"--- HTTP Proxy Closing socket after sending failure because: ", ecode.message ());
+			Terminate();
+		}
+	}
+
+	void HTTPProxyHandler::HandleStreamRequestComplete (std::shared_ptr<i2p::stream::Stream> stream)
+	{
+		if (stream) 
+		{
+			if (Kill()) return;
+			LogPrint (eLogInfo,"--- HTTP Proxy New I2PTunnel connection");
+			auto connection = std::make_shared<i2p::client::I2PTunnelConnection>(GetOwner(), m_sock, stream);
+			GetOwner()->AddHandler (connection);
+			connection->I2PConnect (reinterpret_cast<const uint8_t*>(m_request.data()), m_request.size());
+			Done(shared_from_this());
+		} 
+		else 
+		{
+			LogPrint (eLogError,"--- HTTP Proxy Issue when creating the stream, check the previous warnings for more info.");
+			HTTPRequestFailed(); // TODO: Send correct error message host unreachable
+		}
+	}
+
+	HTTPProxyServer::HTTPProxyServer(int port, std::shared_ptr<i2p::client::ClientDestination> localDestination): 
+		TCPIPAcceptor(port, localDestination ? localDestination : i2p::client::context.GetSharedLocalDestination ()) 
+	{
+	}
 	
-		LogPrint("Requesting ", r.host, ":", r.port, " with path ", r.uri, " and method ", r.method);
-		SendToAddress (r.host, r.port,  m_Buffer, m_BufferLen);
+	std::shared_ptr<i2p::client::I2PServiceHandler> HTTPProxyServer::CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket)
+	{
+		return std::make_shared<HTTPProxyHandler> (this, socket);
 	}

 }
 }
-
--- a/HTTPProxy.h
+++ b/HTTPProxy.h
@@ -1,42 +1,32 @@
 #ifndef HTTP_PROXY_H__
 #define HTTP_PROXY_H__

-#include <sstream>
-#include <thread>
+#include <memory>
+#include <set>
 #include <boost/asio.hpp>
-#include <boost/array.hpp>
-
-#include "HTTPServer.h"
+#include <mutex>
+#include "I2PService.h"
+#include "Destination.h"

 namespace i2p
 {
 namespace proxy
 {
-	class HTTPProxyConnection : public i2p::util::HTTPConnection
+	class HTTPProxyServer: public i2p::client::TCPIPAcceptor
 	{
 		public:
-			HTTPProxyConnection (boost::asio::ip::tcp::socket * socket): HTTPConnection(socket) { };
+
+			HTTPProxyServer(int port, std::shared_ptr<i2p::client::ClientDestination> localDestination = nullptr);
+			~HTTPProxyServer() {};

 		protected:
-			void RunRequest();
-			void parseHeaders(const std::string& h, std::vector<header>& hm);
-			void ExtractRequest(request& r);
+			// Implements TCPIPAcceptor
+			std::shared_ptr<i2p::client::I2PServiceHandler> CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket);
+			const char* GetName() { return "HTTP Proxy"; }
 	};

-	class HTTPProxy : public i2p::util::HTTPServer
-	{
-		public:
-			HTTPProxy (int port): HTTPServer(port) {};
-
-		private:
-			void CreateConnection(boost::asio::ip::tcp::socket * m_NewSocket)
-			{
-				new HTTPProxyConnection(m_NewSocket);
-			}
-	};
+	typedef HTTPProxyServer HTTPProxy;
 }
 }

 #endif
-
-
--- a/HTTPServer.cpp
+++ b/HTTPServer.cpp
@@ -1,6 +1,7 @@
 #include <boost/bind.hpp>
 #include <boost/lexical_cast.hpp>
-#include "base64.h"
+#include <boost/date_time/posix_time/posix_time.hpp>
+#include "Base.h"
 #include "Log.h"
 #include "Tunnel.h"
 #include "TransitTunnel.h"
@@ -465,10 +466,14 @@ namespace util
 	const char HTTP_COMMAND_TRANSIT_TUNNELS[] = "transit_tunnels";
 	const char HTTP_COMMAND_TRANSPORTS[] = "transports";	
 	const char HTTP_COMMAND_START_ACCEPTING_TUNNELS[] = "start_accepting_tunnels";	
-	const char HTTP_COMMAND_STOP_ACCEPTING_TUNNELS[] = "stop_accepting_tunnels";		
+	const char HTTP_COMMAND_STOP_ACCEPTING_TUNNELS[] = "stop_accepting_tunnels";	
+	const char HTTP_COMMAND_RUN_PEER_TEST[] = "run_peer_test";	
 	const char HTTP_COMMAND_LOCAL_DESTINATIONS[] = "local_destinations";
 	const char HTTP_COMMAND_LOCAL_DESTINATION[] = "local_destination";
 	const char HTTP_PARAM_BASE32_ADDRESS[] = "b32";
+	const char HTTP_COMMAND_SAM_SESSIONS[] = "sam_sessions";
+	const char HTTP_COMMAND_SAM_SESSION[] = "sam_session";
+	const char HTTP_PARAM_SAM_SESSION_ID[] = "id";
 	
 	namespace misc_strings
 	{
@@ -485,17 +490,17 @@ namespace util
 		{
 			switch (status)
 			{
-				case 105: buffers.push_back(boost::asio::buffer("HTTP/1.0 105 Name Not Resolved\r\n")); break;
-				case 200: buffers.push_back(boost::asio::buffer("HTTP/1.0 200 OK\r\n")); break;
-				case 400: buffers.push_back(boost::asio::buffer("HTTP/1.0 400 Bad Request\r\n")); break;
-				case 404: buffers.push_back(boost::asio::buffer("HTTP/1.0 404 Not Found\r\n")); break;
-				case 408: buffers.push_back(boost::asio::buffer("HTTP/1.0 408 Request Timeout\r\n")); break;
-				case 500: buffers.push_back(boost::asio::buffer("HTTP/1.0 500 Internal Server Error\r\n")); break;
-				case 502: buffers.push_back(boost::asio::buffer("HTTP/1.0 502 Bad Gateway\r\n")); break;
-				case 503: buffers.push_back(boost::asio::buffer("HTTP/1.0 503 Not Implemented\r\n")); break;
-				case 504: buffers.push_back(boost::asio::buffer("HTTP/1.0 504 Gateway Timeout\r\n")); break;
+				case 105: buffers.push_back(boost::asio::buffer("HTTP/1.1 105 Name Not Resolved\r\n")); break;
+				case 200: buffers.push_back(boost::asio::buffer("HTTP/1.1 200 OK\r\n")); break;
+				case 400: buffers.push_back(boost::asio::buffer("HTTP/1.1 400 Bad Request\r\n")); break;
+				case 404: buffers.push_back(boost::asio::buffer("HTTP/1.1 404 Not Found\r\n")); break;
+				case 408: buffers.push_back(boost::asio::buffer("HTTP/1.1 408 Request Timeout\r\n")); break;
+				case 500: buffers.push_back(boost::asio::buffer("HTTP/1.1 500 Internal Server Error\r\n")); break;
+				case 502: buffers.push_back(boost::asio::buffer("HTTP/1.1 502 Bad Gateway\r\n")); break;
+				case 503: buffers.push_back(boost::asio::buffer("HTTP/1.1 503 Not Implemented\r\n")); break;
+				case 504: buffers.push_back(boost::asio::buffer("HTTP/1.1 504 Gateway Timeout\r\n")); break;
 				default:
-					buffers.push_back(boost::asio::buffer("HTTP/1.0 200 OK\r\n"));
+					buffers.push_back(boost::asio::buffer("HTTP/1.1 200 OK\r\n"));
 			}

 			for (std::size_t i = 0; i < headers.size(); ++i)
@@ -514,21 +519,22 @@ namespace util

 	void HTTPConnection::Terminate ()
 	{
-		if (m_Stream)
-		{
-			m_Stream->Close ();
-			i2p::stream::DeleteStream (m_Stream);
-			m_Stream = nullptr;
-		}
+		if (!m_Stream) return;
 		m_Socket->close ();
-		//delete this;
+		m_Stream->Close ();
+			
+		m_Socket->get_io_service ().post ([=](void)
+			{
+				m_Stream.reset ();
+				m_Stream = nullptr;
+			});
 	}

 	void HTTPConnection::Receive ()
 	{
 		m_Socket->async_read_some (boost::asio::buffer (m_Buffer, HTTP_CONNECTION_BUFFER_SIZE),
-			 boost::bind(&HTTPConnection::HandleReceive, this,
-				 boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred));
+			 std::bind(&HTTPConnection::HandleReceive, shared_from_this (),
+				 std::placeholders::_1, std::placeholders::_2));
 	}

 	void HTTPConnection::HandleReceive (const boost::system::error_code& ecode, std::size_t bytes_transferred)
@@ -602,7 +608,11 @@ namespace util
 	void HTTPConnection::HandleWriteReply (const boost::system::error_code& ecode)
 	{
 		if (ecode != boost::asio::error::operation_aborted)
+		{
+			boost::system::error_code ignored_ec;
+			m_Socket->shutdown(boost::asio::ip::tcp::socket::shutdown_both, ignored_ec);
 			Terminate ();
+		}	
 	}

 	void HTTPConnection::HandleWrite (const boost::system::error_code& ecode)
@@ -636,9 +646,26 @@ namespace util

 	void HTTPConnection::FillContent (std::stringstream& s)
 	{
-		s << "<h2>Welcome to the Webconsole!</h2><br><br>";
-		s << "<b>Data path:</b> " << i2p::util::filesystem::GetDataDir().string() << "<br>" << "<br>";
-		s << "<b>Our external address:</b>" << "<br>";
+		s << "<h2>Welcome to the Webconsole!</h2><br>";
+		s << "<b>Uptime:</b> " << boost::posix_time::to_simple_string (
+			boost::posix_time::time_duration (boost::posix_time::seconds (
+			i2p::context.GetUptime ()))) << "<br>";
+		s << "<b>Status:</b> ";
+		switch (i2p::context.GetStatus ())
+		{
+			case eRouterStatusOK: s << "OK"; break;
+			case eRouterStatusTesting: s << "Testing"; break;
+			case eRouterStatusFirewalled: s << "Firewalled"; break; 
+			default: s << "Unknown";
+		} 
+		s << "<br>";
+		s << "<b>Tunnel creation success rate:</b> " << i2p::tunnel::tunnels.GetTunnelCreationSuccessRate () << "%<br>";
+		s << "<b>Received:</b> " << i2p::transport::transports.GetTotalReceivedBytes ()/1000 << "K";
+		s << " (" << i2p::transport::transports.GetInBandwidth () <<" Bps)<br>";
+		s << "<b>Sent:</b> " << i2p::transport::transports.GetTotalSentBytes ()/1000 << "K";
+		s << " (" << i2p::transport::transports.GetOutBandwidth () <<" Bps)<br>";
+		s << "<b>Data path:</b> " << i2p::util::filesystem::GetDataDir().string() << "<br><br>";
+		s << "<b>Our external address:</b>" << "<br>" ;
 		for (auto& address : i2p::context.GetRouterInfo().GetAddresses())
 		{
 			switch (address.transportStyle)
@@ -667,12 +694,16 @@ namespace util
 		s << "<br><b><a href=/?" << HTTP_COMMAND_LOCAL_DESTINATIONS << ">Local destinations</a></b>";
 		s << "<br><b><a href=/?" << HTTP_COMMAND_TUNNELS << ">Tunnels</a></b>";
 		s << "<br><b><a href=/?" << HTTP_COMMAND_TRANSIT_TUNNELS << ">Transit tunnels</a></b>";
-		s << "<br><b><a href=/?" << HTTP_COMMAND_TRANSPORTS << ">Transports</a></b><br>";
+		s << "<br><b><a href=/?" << HTTP_COMMAND_TRANSPORTS << ">Transports</a></b>";
+		if (i2p::client::context.GetSAMBridge ())
+			s << "<br><b><a href=/?" << HTTP_COMMAND_SAM_SESSIONS << ">SAM sessions</a></b>";
+		s << "<br>";
 		
 		if (i2p::context.AcceptsTunnels ())
 			s << "<br><b><a href=/?" << HTTP_COMMAND_STOP_ACCEPTING_TUNNELS << ">Stop accepting tunnels</a></b><br>";
 		else	
 			s << "<br><b><a href=/?" << HTTP_COMMAND_START_ACCEPTING_TUNNELS << ">Start accepting tunnels</a></b><br>";
+		s << "<br><b><a href=/?" << HTTP_COMMAND_RUN_PEER_TEST << ">Run peer test</a></b><br>";	

 		s << "<p><a href=\"zmw2cyw2vj7f6obx3msmdvdepdhnw2ctc4okza2zjxlukkdfckhq.b32.i2p\">Flibusta</a></p>";
 	}
@@ -691,6 +722,8 @@ namespace util
 			StartAcceptingTunnels (s);
 		else if (cmd == HTTP_COMMAND_STOP_ACCEPTING_TUNNELS)
 			StopAcceptingTunnels (s);
+		else if (cmd == HTTP_COMMAND_RUN_PEER_TEST)
+			RunPeerTest (s);
 		else if (cmd == HTTP_COMMAND_LOCAL_DESTINATIONS)
 			ShowLocalDestinations (s);	
 		else if (cmd == HTTP_COMMAND_LOCAL_DESTINATION)
@@ -700,26 +733,38 @@ namespace util
 			auto b32 = params[HTTP_PARAM_BASE32_ADDRESS];
 			ShowLocalDestination (b32, s);
 		}	
+		else if (cmd == HTTP_COMMAND_SAM_SESSIONS)
+			ShowSAMSessions (s);
+		else if (cmd == HTTP_COMMAND_SAM_SESSION)
+		{
+			std::map<std::string, std::string> params;
+			ExtractParams (command.substr (paramsPos), params);
+			auto id = params[HTTP_PARAM_SAM_SESSION_ID];
+			ShowSAMSession (id, s);
+		}	
 	}	

 	void HTTPConnection::ShowTransports (std::stringstream& s)
 	{
-		s << "NTCP<br>";
-		for (auto it: i2p::transport::transports.GetNTCPSessions ())
-		{
-			if (it.second && it.second->IsEstablished ())
+		auto ntcpServer = i2p::transport::transports.GetNTCPServer (); 
+		if (ntcpServer)
+		{	
+			s << "NTCP<br>";
+			for (auto it: ntcpServer->GetNTCPSessions ())
 			{
-				// incoming connection doesn't have remote RI
-				auto outgoing = it.second->GetRemoteRouter ();
-				if (outgoing) s << "-->";
-				s << it.second->GetRemoteIdentity ().GetIdentHash ().ToBase64 ().substr (0, 4) <<  ": "
-					<< it.second->GetSocket ().remote_endpoint().address ().to_string ();
-				if (!outgoing) s << "-->";
-				s << " [" << it.second->GetNumSentBytes () << ":" << it.second->GetNumReceivedBytes () << "]";
-				s << "<br>";
+				if (it.second && it.second->IsEstablished ())
+				{
+					// incoming connection doesn't have remote RI
+					if (it.second->IsOutgoing ()) s << "-->";
+					s << i2p::data::GetIdentHashAbbreviation (it.second->GetRemoteIdentity ()->GetIdentHash ()) <<  ": "
+						<< it.second->GetSocket ().remote_endpoint().address ().to_string ();
+					if (!it.second->IsOutgoing ()) s << "-->";
+					s << " [" << it.second->GetNumSentBytes () << ":" << it.second->GetNumReceivedBytes () << "]";
+					s << "<br>";
+				}
+				s << std::endl;
 			}
-			s << std::endl;
-		}
+		}	
 		auto ssuServer = i2p::transport::transports.GetSSUServer ();
 		if (ssuServer)
 		{
@@ -727,12 +772,13 @@ namespace util
 			for (auto it: ssuServer->GetSessions ())
 			{
 				// incoming connections don't have remote router
-				auto outgoing = it.second->GetRemoteRouter ();
 				auto endpoint = it.second->GetRemoteEndpoint ();
-				if (outgoing) s << "-->";
+				if (it.second->IsOutgoing ()) s << "-->";
 				s << endpoint.address ().to_string () << ":" << endpoint.port ();
-				if (!outgoing) s << "-->";
+				if (!it.second->IsOutgoing ()) s << "-->";
 				s << " [" << it.second->GetNumSentBytes () << ":" << it.second->GetNumReceivedBytes () << "]";
+				if (it.second->GetRelayTag ())
+					s << " [itag:" << it.second->GetRelayTag () << "]";
 				s << "<br>";
 				s << std::endl;
 			}
@@ -741,11 +787,11 @@ namespace util
 	
 	void HTTPConnection::ShowTunnels (std::stringstream& s)
 	{
+		s << "Queue size:" << i2p::tunnel::tunnels.GetQueueSize () << "<br>";
+
 		for (auto it: i2p::tunnel::tunnels.GetOutboundTunnels ())
 		{
-			it->GetTunnelConfig ()->Print (s);
-			if (it->GetTunnelPool () && !it->GetTunnelPool ()->IsExploratory ())
-				s << " " << "Pool";
+			it->Print (s);
 			auto state = it->GetState ();
 			if (state == i2p::tunnel::eTunnelStateFailed)
 				s << " " << "Failed";
@@ -757,9 +803,7 @@ namespace util

 		for (auto it: i2p::tunnel::tunnels.GetInboundTunnels ())
 		{
-			it.second->GetTunnelConfig ()->Print (s);
-			if (it.second->GetTunnelPool () && !it.second->GetTunnelPool ()->IsExploratory ())
-				s << " " << "Pool";
+			it.second->Print (s);
 			auto state = it.second->GetState ();
 			if (state == i2p::tunnel::eTunnelStateFailed)
 				s << " " << "Failed";
@@ -788,20 +832,21 @@ namespace util
 	{
 		for (auto& it: i2p::client::context.GetDestinations ())
 		{
-			std::string b32 = it.first.ToBase32 (); 
+			auto ident = it.second->GetIdentHash ();; 
 			s << "<a href=/?" << HTTP_COMMAND_LOCAL_DESTINATION;
-			s << "&" << HTTP_PARAM_BASE32_ADDRESS << "=" << b32 << ">"; 
-			s << b32 << ".b32.i2p</a><br>" << std::endl;
+			s << "&" << HTTP_PARAM_BASE32_ADDRESS << "=" << ident.ToBase32 () << ">"; 
+			s << i2p::client::context.GetAddressBook ().ToAddress(ident) << "</a><br>" << std::endl;
 		}
 	}	

 	void  HTTPConnection::ShowLocalDestination (const std::string& b32, std::stringstream& s)
 	{
 		i2p::data::IdentHash ident;
-		i2p::data::Base32ToByteStream (b32.c_str (), b32.length (), ident, 32);
+		ident.FromBase32 (b32);
 		auto dest = i2p::client::context.FindLocalDestination (ident);
 		if (dest)
 		{
+			s << "<b>Base64:</b><br>" << dest->GetIdentity ()->ToBase64 () << "<br><br>";
 			s << "<b>LeaseSets:</b> <i>" << dest->GetNumRemoteLeaseSets () << "</i><br>";
 			auto pool = dest->GetTunnelPool ();
 			if (pool)
@@ -809,25 +854,89 @@ namespace util
 				s << "<b>Tunnels:</b><br>";
 				for (auto it: pool->GetOutboundTunnels ())
 				{
-					it->GetTunnelConfig ()->Print (s);
+					it->Print (s);
+					auto state = it->GetState ();
+					if (state == i2p::tunnel::eTunnelStateFailed)
+						s << " " << "Failed";
+					else if (state == i2p::tunnel::eTunnelStateExpiring)
+						s << " " << "Exp";
 					s << "<br>" << std::endl;
 				}
 				for (auto it: pool->GetInboundTunnels ())
 				{
-					it->GetTunnelConfig ()->Print (s);
+					it->Print (s);
+					auto state = it->GetState ();
+					if (state == i2p::tunnel::eTunnelStateFailed)
+						s << " " << "Failed";
+					else if (state == i2p::tunnel::eTunnelStateExpiring)
+						s << " " << "Exp";
 					s << "<br>" << std::endl;
 				}
 			}	
 			s << "<br><b>Streams:</b><br>";
 			for (auto it: dest->GetStreamingDestination ()->GetStreams ())
 			{	
-				s << it.first << "->" << it.second->GetRemoteIdentity ().GetIdentHash ().ToBase32 () << ".b32.i2p ";
+				s << it.first << "->" << i2p::client::context.GetAddressBook ().ToAddress(it.second->GetRemoteIdentity ()) << " ";
 				s << " [" << it.second->GetNumSentBytes () << ":" << it.second->GetNumReceivedBytes () << "]";
 				s << " [out:" << it.second->GetSendQueueSize () << "][in:" << it.second->GetReceiveQueueSize () << "]";
+				s << "[buf:" << it.second->GetSendBufferSize () << "]";
+				s << "[RTT:" << it.second->GetRTT () << "]";
+				s << "[Window:" << it.second->GetWindowSize () << "]";
+				s << "[Status:" << (int)it.second->GetStatus () << "]"; 
 				s << "<br>"<< std::endl; 
 			}	
 		}	
 	}	
+
+	void HTTPConnection::ShowSAMSessions (std::stringstream& s)
+	{
+		auto sam = i2p::client::context.GetSAMBridge ();
+		if (sam)
+		{	
+			for (auto& it: sam->GetSessions ())
+			{
+				s << "<a href=/?" << HTTP_COMMAND_SAM_SESSION;
+				s << "&" << HTTP_PARAM_SAM_SESSION_ID << "=" << it.first << ">";
+				s << it.first << "</a><br>" << std::endl;
+			}	
+		}	
+	}	
+
+	void HTTPConnection::ShowSAMSession (const std::string& id, std::stringstream& s)
+	{
+		auto sam = i2p::client::context.GetSAMBridge ();
+		if (sam)
+		{
+			auto session = sam->FindSession (id);
+			if (session)
+			{
+				auto& ident = session->localDestination->GetIdentHash();
+				s << "<a href=/?" << HTTP_COMMAND_LOCAL_DESTINATION;
+				s << "&" << HTTP_PARAM_BASE32_ADDRESS << "=" << ident.ToBase32 () << ">"; 
+				s << i2p::client::context.GetAddressBook ().ToAddress(ident) << "</a><br>" << std::endl;
+				s << "<b>Streams:</b><br>";
+				for (auto it: session->sockets)
+				{
+					switch (it->GetSocketType ())
+					{
+						case i2p::client::eSAMSocketTypeSession:
+							s << "session";
+						break;	
+						case i2p::client::eSAMSocketTypeStream:
+							s << "stream";
+						break;	
+						case i2p::client::eSAMSocketTypeAcceptor:
+							s << "acceptor";
+						break;
+						default:
+							s << "unknown";
+					}
+					s << " [" << it->GetSocket ().remote_endpoint() << "]";
+					s << "<br>" << std::endl;
+				}	
+			}
+		}	
+	}	
 	
 	void HTTPConnection::StartAcceptingTunnels (std::stringstream& s)
 	{
@@ -841,6 +950,12 @@ namespace util
 		s << "Accepting tunnels stopped" <<  std::endl;
 	}

+	void HTTPConnection::RunPeerTest (std::stringstream& s)
+	{
+		i2p::transport::transports.PeerTest ();
+		s << "Peer test" <<  std::endl;
+	}
+
 	void HTTPConnection::HandleDestinationRequest (const std::string& address, const std::string& uri)
 	{
 		std::string request = "GET " + uri + " HTTP/1.1\r\nHost:" + address + "\r\n";
@@ -863,10 +978,12 @@ namespace util
 			SendToDestination (leaseSet, port, buf, len);
 		else
 		{
-			i2p::data::netdb.RequestDestination (destination, true, i2p::client::context.GetSharedLocalDestination ()->GetTunnelPool ());
+			memcpy (m_Buffer, buf, len);
+			m_BufferLen = len;
+			i2p::client::context.GetSharedLocalDestination ()->RequestDestination (destination);
 			m_Timer.expires_from_now (boost::posix_time::seconds(HTTP_DESTINATION_REQUEST_TIMEOUT));
-			m_Timer.async_wait (boost::bind (&HTTPConnection::HandleDestinationRequestTimeout,
-				this, boost::asio::placeholders::error, destination, port, buf, len));
+			m_Timer.async_wait (std::bind (&HTTPConnection::HandleDestinationRequestTimeout,
+				shared_from_this (), std::placeholders::_1, destination, port, m_Buffer, m_BufferLen));
 		}
 	}
 	
@@ -884,10 +1001,10 @@ namespace util
 		}
 	}	
 	
-	void HTTPConnection::SendToDestination (const i2p::data::LeaseSet * remote, int port, const char * buf, size_t len)
+	void HTTPConnection::SendToDestination (std::shared_ptr<const i2p::data::LeaseSet> remote, int port, const char * buf, size_t len)
 	{
 		if (!m_Stream)
-			m_Stream = i2p::client::context.GetSharedLocalDestination ()->CreateStream (*remote, port);
+			m_Stream = i2p::client::context.GetSharedLocalDestination ()->CreateStream (remote, port);
 		if (m_Stream)
 		{
 			m_Stream->Send ((uint8_t *)buf, len);
@@ -899,8 +1016,8 @@ namespace util
 	{
 		if (m_Stream)
 			m_Stream->AsyncReceive (boost::asio::buffer (m_StreamBuffer, 8192),
-				boost::bind (&HTTPConnection::HandleStreamReceive, this,
-					boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred),
+				std::bind (&HTTPConnection::HandleStreamReceive, shared_from_this (),
+					std::placeholders::_1, std::placeholders::_2),
 				45); // 45 seconds timeout
 	}

@@ -909,7 +1026,7 @@ namespace util
 		if (!ecode)
 		{
 			boost::asio::async_write (*m_Socket, boost::asio::buffer (m_StreamBuffer, bytes_transferred),
-        		boost::bind (&HTTPConnection::HandleWrite, this, boost::asio::placeholders::error));
+        		std::bind (&HTTPConnection::HandleWrite, shared_from_this (), std::placeholders::_1));
 		}
 		else
 		{
@@ -930,13 +1047,12 @@ namespace util
 		m_Reply.headers[1].value = "text/html";

 		boost::asio::async_write (*m_Socket, m_Reply.to_buffers(status),
-			boost::bind (&HTTPConnection::HandleWriteReply, this,
-				boost::asio::placeholders::error));
+			std::bind (&HTTPConnection::HandleWriteReply, shared_from_this (), std::placeholders::_1));
 	}

 	HTTPServer::HTTPServer (int port):
 		m_Thread (nullptr), m_Work (m_Service),
-		m_Acceptor (m_Service, boost::asio::ip::tcp::endpoint (boost::asio::ip::tcp::v4(), port)),
+		m_Acceptor (m_Service, boost::asio::ip::tcp::endpoint (boost::asio::ip::tcp::v4 (), port)),
 		m_NewSocket (nullptr)
 	{

@@ -982,14 +1098,15 @@ namespace util
 	{
 		if (!ecode)
 		{
-			CreateConnection(m_NewSocket); // new HTTPConnection(m_NewSocket);
+			CreateConnection(m_NewSocket);
 			Accept ();
 		}
 	}

 	void HTTPServer::CreateConnection(boost::asio::ip::tcp::socket * m_NewSocket)
 	{
-		new HTTPConnection (m_NewSocket);
+		auto conn = std::make_shared<HTTPConnection> (m_NewSocket);
+		conn->Receive ();
 	}
 }
 }
--- a/HTTPServer.h
+++ b/HTTPServer.h
@@ -3,6 +3,7 @@

 #include <sstream>
 #include <thread>
+#include <memory>
 #include <boost/asio.hpp>
 #include <boost/array.hpp>
 #include "LeaseSet.h"
@@ -14,7 +15,7 @@ namespace util
 {
 	const size_t HTTP_CONNECTION_BUFFER_SIZE = 8192;	
 	const int HTTP_DESTINATION_REQUEST_TIMEOUT = 10; // in seconds
-	class HTTPConnection
+	class HTTPConnection: public std::enable_shared_from_this<HTTPConnection>
 	{
 		protected:

@@ -47,13 +48,13 @@ namespace util

 			HTTPConnection (boost::asio::ip::tcp::socket * socket): 
 				m_Socket (socket), m_Timer (socket->get_io_service ()), 
-				m_Stream (nullptr), m_BufferLen (0) { Receive (); };
-			virtual ~HTTPConnection() { delete m_Socket; }
-
+				m_Stream (nullptr), m_BufferLen (0) {};
+			~HTTPConnection() { delete m_Socket; }
+			void Receive ();
+			
 		private:

 			void Terminate ();
-			void Receive ();
 			void HandleReceive (const boost::system::error_code& ecode, std::size_t bytes_transferred);
 			void AsyncStreamReceive ();
 			void HandleStreamReceive (const boost::system::error_code& ecode, std::size_t bytes_transferred);
@@ -68,8 +69,11 @@ namespace util
 			void ShowTransitTunnels (std::stringstream& s);
 			void ShowLocalDestinations (std::stringstream& s);
 			void ShowLocalDestination (const std::string& b32, std::stringstream& s);
+			void ShowSAMSessions (std::stringstream& s);
+			void ShowSAMSession (const std::string& id, std::stringstream& s);
 			void StartAcceptingTunnels (std::stringstream& s);
 			void StopAcceptingTunnels (std::stringstream& s);
+			void RunPeerTest (std::stringstream& s);
 			void FillContent (std::stringstream& s);
 			std::string ExtractAddress ();
 			void ExtractParams (const std::string& str, std::map<std::string, std::string>& params);
@@ -79,7 +83,7 @@ namespace util

 			boost::asio::ip::tcp::socket * m_Socket;
 			boost::asio::deadline_timer m_Timer;
-			i2p::stream::Stream * m_Stream;
+			std::shared_ptr<i2p::stream::Stream> m_Stream;
 			char m_Buffer[HTTP_CONNECTION_BUFFER_SIZE + 1], m_StreamBuffer[HTTP_CONNECTION_BUFFER_SIZE + 1];
 			size_t m_BufferLen;
 			request m_Request;
@@ -92,7 +96,7 @@ namespace util
 			void SendToAddress (const std::string& address, int port, const char * buf, size_t len);
 			void HandleDestinationRequestTimeout (const boost::system::error_code& ecode, 
 				i2p::data::IdentHash destination, int port, const char * buf, size_t len);
-			void SendToDestination (const i2p::data::LeaseSet * remote, int port, const char * buf, size_t len);
+			void SendToDestination (std::shared_ptr<const i2p::data::LeaseSet> remote, int port, const char * buf, size_t len);

 		public:

--- a/I2NPProtocol.cpp
+++ b/I2NPProtocol.cpp
@@ -1,14 +1,15 @@
 #include <string.h>
 #include <atomic>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
+#include "Base.h"
+#include "Log.h"
+#include "Crypto.h"
 #include "I2PEndian.h"
-#include <cryptopp/sha.h>
-#include <cryptopp/gzip.h>
-#include "ElGamal.h"
 #include "Timestamp.h"
 #include "RouterContext.h"
 #include "NetDb.h"
 #include "Tunnel.h"
-#include "base64.h"
 #include "Transports.h"
 #include "Garlic.h"
 #include "I2NPProtocol.h"
@@ -37,285 +38,288 @@ namespace i2p
 		delete msg;
 	}	

-	static std::atomic<uint32_t> I2NPmsgID(0); // TODO: create class
-	void FillI2NPMessageHeader (I2NPMessage * msg, I2NPMessageType msgType, uint32_t replyMsgID)
+	std::shared_ptr<I2NPMessage> ToSharedI2NPMessage (I2NPMessage * msg)
 	{
-		I2NPHeader * header = msg->GetHeader ();
-		header->typeID = msgType;
-		if (replyMsgID) // for tunnel creation
-			header->msgID = htobe32 (replyMsgID); 
-		else
-		{	
-			header->msgID = htobe32 (I2NPmsgID);
-			I2NPmsgID++;
-		}	
-		header->expiration = htobe64 (i2p::util::GetMillisecondsSinceEpoch () + 5000); // TODO: 5 secs is a magic number
-		int len = msg->GetLength () - sizeof (I2NPHeader);
-		header->size = htobe16 (len);
-		uint8_t hash[32];
-		CryptoPP::SHA256().CalculateDigest(hash, msg->GetPayload (), len);
-		header->chks = hash[0];
-	}	
+		return std::shared_ptr<I2NPMessage>(msg, DeleteI2NPMessage);
+	}

-	void RenewI2NPMessageHeader (I2NPMessage * msg)
+	void I2NPMessage::FillI2NPMessageHeader (I2NPMessageType msgType, uint32_t replyMsgID)
 	{
-		if (msg)
-		{
-			I2NPHeader * header = msg->GetHeader ();
-			header->msgID = htobe32 (I2NPmsgID);
-			I2NPmsgID++;
-			header->expiration = htobe64 (i2p::util::GetMillisecondsSinceEpoch () + 5000); 		
-		}
+		SetTypeID (msgType);
+		if (!replyMsgID) RAND_bytes ((uint8_t *)&replyMsgID, 4);
+		SetMsgID (replyMsgID); 
+		SetExpiration (i2p::util::GetMillisecondsSinceEpoch () + 5000); // TODO: 5 secs is a magic number
+		UpdateSize ();
+		UpdateChks ();
+	}		
+	
+	void I2NPMessage::RenewI2NPMessageHeader ()
+	{
+		uint32_t msgID;
+		RAND_bytes ((uint8_t *)&msgID, 4);
+		SetMsgID (msgID);
+		SetExpiration (i2p::util::GetMillisecondsSinceEpoch () + 5000); 		
 	}

 	I2NPMessage * CreateI2NPMessage (I2NPMessageType msgType, const uint8_t * buf, int len, uint32_t replyMsgID)
 	{
 		I2NPMessage * msg = NewI2NPMessage (len);
-		memcpy (msg->GetPayload (), buf, len);
-		msg->len += len;
-		FillI2NPMessageHeader (msg, msgType, replyMsgID);
+		if (msg->len + len < msg->maxLen)
+		{
+			memcpy (msg->GetPayload (), buf, len);
+			msg->len += len;
+		}
+		else
+			LogPrint (eLogError, "I2NP message length ", len, " exceeds max length");
+		msg->FillI2NPMessageHeader (msgType, replyMsgID);
 		return msg;
 	}	

-	I2NPMessage * CreateI2NPMessage (const uint8_t * buf, int len, i2p::tunnel::InboundTunnel * from)
+	std::shared_ptr<I2NPMessage> CreateI2NPMessage (const uint8_t * buf, int len, std::shared_ptr<i2p::tunnel::InboundTunnel> from)
 	{
 		I2NPMessage * msg = NewI2NPMessage ();
-		memcpy (msg->GetBuffer (), buf, len);
-		msg->len = msg->offset + len;
-		msg->from = from;
-		return msg;
+		if (msg->offset + len < msg->maxLen)
+		{
+			memcpy (msg->GetBuffer (), buf, len);
+			msg->len = msg->offset + len;
+			msg->from = from;
+		}
+		else
+			LogPrint (eLogError, "I2NP message length ", len, " exceeds max length");
+		return ToSharedI2NPMessage(msg);
 	}	
 	
-	I2NPMessage * CreateDeliveryStatusMsg (uint32_t msgID)
+	std::shared_ptr<I2NPMessage> CreateDeliveryStatusMsg (uint32_t msgID)
 	{
-		I2NPDeliveryStatusMsg msg;
+		I2NPMessage * m = NewI2NPShortMessage ();
+		uint8_t * buf = m->GetPayload ();
 		if (msgID)
 		{
-			msg.msgID = htobe32 (msgID);
-			msg.timestamp = htobe64 (i2p::util::GetMillisecondsSinceEpoch ());
+			htobe32buf (buf + DELIVERY_STATUS_MSGID_OFFSET, msgID);
+			htobe64buf (buf + DELIVERY_STATUS_TIMESTAMP_OFFSET, i2p::util::GetMillisecondsSinceEpoch ());
 		}
 		else // for SSU establishment
 		{
-			msg.msgID = htobe32 (i2p::context.GetRandomNumberGenerator ().GenerateWord32 ());
-			msg.timestamp = htobe64 (2); // netID = 2
- 		}
-		return CreateI2NPMessage (eI2NPDeliveryStatus, (uint8_t *)&msg, sizeof (msg));
+			RAND_bytes ((uint8_t *)&msgID, 4);
+			htobe32buf (buf + DELIVERY_STATUS_MSGID_OFFSET, msgID);
+			htobe64buf (buf + DELIVERY_STATUS_TIMESTAMP_OFFSET, 2); // netID = 2
+		}	
+		m->len += DELIVERY_STATUS_SIZE;
+		m->FillI2NPMessageHeader (eI2NPDeliveryStatus);
+		return ToSharedI2NPMessage (m);
 	}

-	I2NPMessage * CreateDatabaseLookupMsg (const uint8_t * key, const uint8_t * from, 
-		uint32_t replyTunnelID, bool exploratory, std::set<i2p::data::IdentHash> * excludedPeers,
-	    bool encryption, i2p::tunnel::TunnelPool * pool)
+	std::shared_ptr<I2NPMessage> CreateRouterInfoDatabaseLookupMsg (const uint8_t * key, const uint8_t * from, 
+		uint32_t replyTunnelID, bool exploratory, std::set<i2p::data::IdentHash> * excludedPeers)
 	{
-		I2NPMessage * m = NewI2NPMessage ();
+		auto m =  ToSharedI2NPMessage (excludedPeers ? NewI2NPMessage () : NewI2NPShortMessage ());
 		uint8_t * buf = m->GetPayload ();
 		memcpy (buf, key, 32); // key
 		buf += 32;
 		memcpy (buf, from, 32); // from
 		buf += 32;
+		uint8_t flag = exploratory ? DATABASE_LOOKUP_TYPE_EXPLORATORY_LOOKUP : DATABASE_LOOKUP_TYPE_ROUTERINFO_LOOKUP; 
 		if (replyTunnelID)
 		{
-			*buf = encryption ? 0x03: 0x01; // set delivery flag
-			*(uint32_t *)(buf+1) = htobe32 (replyTunnelID);
+			*buf = flag | DATABASE_LOOKUP_DELIVERY_FLAG; // set delivery flag
+			htobe32buf (buf+1, replyTunnelID);
 			buf += 5;
 		}
 		else
 		{	
-			encryption = false; // encryption can we set for tunnels only
-			*buf = 0; // flag
+			*buf = flag; // flag
 			buf++;
 		}	
-		
-		if (exploratory)
+				
+		if (excludedPeers)
 		{
-			*(uint16_t *)buf = htobe16 (1); // one exlude record
+			int cnt = excludedPeers->size ();
+			htobe16buf (buf, cnt);
 			buf += 2;
-			// reply with non-floodfill routers only
-			memset (buf, 0, 32);
-			buf += 32;
+			for (auto& it: *excludedPeers)
+			{
+				memcpy (buf, it, 32);
+				buf += 32;
+			}	
 		}
 		else
-		{
-			if (excludedPeers)
-			{
-				int cnt = excludedPeers->size ();
-				*(uint16_t *)buf = htobe16 (cnt);
-				buf += 2;
-				for (auto& it: *excludedPeers)
-				{
-					memcpy (buf, it, 32);
-					buf += 32;
-				}	
-			}
-			else
-			{	
-				// nothing to exclude
-				*(uint16_t *)buf = htobe16 (0);
-				buf += 2;
-			}	
-		}	
-		if (encryption)
-		{
-			// session key and tag for reply
-			auto& rnd = i2p::context.GetRandomNumberGenerator ();
-			rnd.GenerateBlock (buf, 32); // key
-			buf[32] = 1; // 1 tag
-			rnd.GenerateBlock (buf + 33, 32); // tag
-			if (pool)
-				pool->GetGarlicDestination ().AddSessionKey (buf, buf + 33); // introduce new key-tag to garlic engine
-			else
-				LogPrint ("Destination for encrypteed reply not specified");
-			buf += 65;
-		}	
+		{	
+			// nothing to exclude
+			htobuf16 (buf, 0);
+			buf += 2;
+		}		
+		
 		m->len += (buf - m->GetPayload ()); 
-		FillI2NPMessageHeader (m, eI2NPDatabaseLookup);
+		m->FillI2NPMessageHeader (eI2NPDatabaseLookup);
 		return m; 
 	}	

-	I2NPMessage * CreateDatabaseSearchReply (const i2p::data::IdentHash& ident, 
-		const i2p::data::RouterInfo * floodfill)
+	std::shared_ptr<I2NPMessage> CreateLeaseSetDatabaseLookupMsg (const i2p::data::IdentHash& dest, 
+		const std::set<i2p::data::IdentHash>& excludedFloodfills,
+		const i2p::tunnel::InboundTunnel * replyTunnel, const uint8_t * replyKey, const uint8_t * replyTag)
 	{
-		I2NPMessage * m = NewI2NPShortMessage ();
+		int cnt = excludedFloodfills.size ();
+		auto m =  ToSharedI2NPMessage (cnt > 0 ? NewI2NPMessage () : NewI2NPShortMessage ());
+		uint8_t * buf = m->GetPayload ();
+		memcpy (buf, dest, 32); // key
+		buf += 32;
+		memcpy (buf, replyTunnel->GetNextIdentHash (), 32); // reply tunnel GW
+		buf += 32;
+		*buf = DATABASE_LOOKUP_DELIVERY_FLAG | DATABASE_LOOKUP_ENCYPTION_FLAG | DATABASE_LOOKUP_TYPE_LEASESET_LOOKUP; // flags 
+		htobe32buf (buf + 1, replyTunnel->GetNextTunnelID ()); // reply tunnel ID
+		buf += 5;
+		
+		// excluded
+		htobe16buf (buf, cnt);
+		buf += 2;
+		if (cnt > 0)
+		{
+			for (auto& it: excludedFloodfills)
+			{
+				memcpy (buf, it, 32);
+				buf += 32;
+			}
+		}	
+		// encryption
+		memcpy (buf, replyKey, 32);
+		buf[32] = 1; // 1 tag
+		memcpy (buf + 33, replyTag, 32);
+		buf += 65;
+
+		m->len += (buf - m->GetPayload ()); 
+		m->FillI2NPMessageHeader (eI2NPDatabaseLookup);
+		return m; 		  			
+	}			
+
+	std::shared_ptr<I2NPMessage> CreateDatabaseSearchReply (const i2p::data::IdentHash& ident, 
+		 std::vector<i2p::data::IdentHash> routers)
+	{
+		auto m =  ToSharedI2NPMessage (NewI2NPShortMessage ());
 		uint8_t * buf = m->GetPayload ();
 		size_t len = 0;
 		memcpy (buf, ident, 32);
 		len += 32;
-		buf[len] = floodfill ? 1 : 0; // 1 router for now
+		buf[len] = routers.size (); 
 		len++;
-		if (floodfill)
+		for (auto it: routers)
 		{
-			memcpy (buf + len, floodfill->GetIdentHash (), 32);
+			memcpy (buf + len, it, 32);
 			len += 32;
 		}	
 		memcpy (buf + len, i2p::context.GetRouterInfo ().GetIdentHash (), 32);
 		len += 32;	
 		m->len += len;
-		FillI2NPMessageHeader (m, eI2NPDatabaseSearchReply);
+		m->FillI2NPMessageHeader (eI2NPDatabaseSearchReply);
 		return m; 
 	}	
 	
-	I2NPMessage * CreateDatabaseStoreMsg (const i2p::data::RouterInfo * router)
+	std::shared_ptr<I2NPMessage> CreateDatabaseStoreMsg (std::shared_ptr<const i2p::data::RouterInfo> router, uint32_t replyToken)
 	{
 		if (!router) // we send own RouterInfo
-			router = &context.GetRouterInfo ();
+			router = context.GetSharedRouterInfo ();

-		I2NPMessage * m = NewI2NPShortMessage ();
-		I2NPDatabaseStoreMsg * msg = (I2NPDatabaseStoreMsg *)m->GetPayload ();		
+		auto m = ToSharedI2NPMessage (NewI2NPShortMessage ());
+		uint8_t * payload = m->GetPayload ();		

-		memcpy (msg->key, router->GetIdentHash (), 32);
-		msg->type = 0;
-		msg->replyToken = 0;
-		
-		CryptoPP::Gzip compressor;
-		compressor.Put (router->GetBuffer (), router->GetBufferLen ());
-		compressor.MessageEnd();
-		auto size = compressor.MaxRetrievable ();
-		uint8_t * buf = m->GetPayload () + sizeof (I2NPDatabaseStoreMsg);
-		*(uint16_t *)buf = htobe16 (size); // size
+		memcpy (payload + DATABASE_STORE_KEY_OFFSET, router->GetIdentHash (), 32);
+		payload[DATABASE_STORE_TYPE_OFFSET] = 0; // RouterInfo
+		htobe32buf (payload + DATABASE_STORE_REPLY_TOKEN_OFFSET, replyToken);
+		uint8_t * buf = payload + DATABASE_STORE_HEADER_SIZE;
+		if (replyToken)
+		{
+			memset (buf, 0, 4); // zero tunnelID means direct reply
+			buf += 4;
+			memcpy (buf, router->GetIdentHash (), 32);
+			buf += 32;
+		}		
+
+		uint8_t * sizePtr = buf;
 		buf += 2;
-		// TODO: check if size doesn't exceed buffer
-		compressor.Get (buf, size); 
-		m->len += sizeof (I2NPDatabaseStoreMsg) + 2 + size; // payload size
-		FillI2NPMessageHeader (m, eI2NPDatabaseStore);
-		
+		m->len += (buf - payload); // payload size
+		i2p::data::GzipDeflator deflator;
+		size_t size = deflator.Deflate (router->GetBuffer (), router->GetBufferLen (), buf, m->maxLen -m->len);
+		if (size)
+		{	
+			htobe16buf (sizePtr, size); // size
+			m->len += size;
+		}	
+		else
+			m = nullptr;
+		if (m)
+			m->FillI2NPMessageHeader (eI2NPDatabaseStore);
 		return m;
 	}	

-	I2NPMessage * CreateDatabaseStoreMsg (const i2p::data::LeaseSet * leaseSet,  uint32_t replyToken)
+	std::shared_ptr<I2NPMessage> CreateDatabaseStoreMsg (std::shared_ptr<const i2p::data::LeaseSet> leaseSet,  uint32_t replyToken)
 	{
 		if (!leaseSet) return nullptr;
-		I2NPMessage * m = NewI2NPShortMessage ();
+		auto m =  ToSharedI2NPMessage (NewI2NPShortMessage ());
 		uint8_t * payload = m->GetPayload ();	
-		I2NPDatabaseStoreMsg * msg = (I2NPDatabaseStoreMsg *)payload;
-		memcpy (msg->key, leaseSet->GetIdentHash (), 32);
-		msg->type = 1; // LeaseSet
-		msg->replyToken = htobe32 (replyToken);
-		size_t size = sizeof (I2NPDatabaseStoreMsg);
+		memcpy (payload + DATABASE_STORE_KEY_OFFSET, leaseSet->GetIdentHash (), 32);
+		payload[DATABASE_STORE_TYPE_OFFSET] = 1; // LeaseSet
+		htobe32buf (payload + DATABASE_STORE_REPLY_TOKEN_OFFSET, replyToken);
+		size_t size = DATABASE_STORE_HEADER_SIZE;
 		if (replyToken)
 		{
 			auto leases = leaseSet->GetNonExpiredLeases ();
 			if (leases.size () > 0)
 			{
-				*(uint32_t *)(payload + size) = htobe32 (leases[0].tunnelID);
+				htobe32buf (payload + size, leases[0].tunnelID);
 				size += 4; // reply tunnelID
 				memcpy (payload + size, leases[0].tunnelGateway, 32);
 				size += 32; // reply tunnel gateway
 			}
 			else
-				msg->replyToken = 0;
+				htobe32buf (payload + DATABASE_STORE_REPLY_TOKEN_OFFSET, 0);
 		}
 		memcpy (payload + size, leaseSet->GetBuffer (), leaseSet->GetBufferLen ());
 		size += leaseSet->GetBufferLen ();
 		m->len += size;
-		FillI2NPMessageHeader (m, eI2NPDatabaseStore);
+		m->FillI2NPMessageHeader (eI2NPDatabaseStore);
 		return m;
 	}
-
-	I2NPBuildRequestRecordClearText CreateBuildRequestRecord (
-		const uint8_t * ourIdent, uint32_t receiveTunnelID, 
-	    const uint8_t * nextIdent, uint32_t nextTunnelID, 
-	    const uint8_t * layerKey,const uint8_t * ivKey,                                                                 
-	    const uint8_t * replyKey, const uint8_t * replyIV, uint32_t nextMessageID,
-	          bool isGateway, bool isEndpoint)
-	{
-		I2NPBuildRequestRecordClearText clearText;	
-		clearText.receiveTunnel = htobe32 (receiveTunnelID); 		
-		clearText.nextTunnel = htobe32(nextTunnelID);
-		memcpy (clearText.layerKey, layerKey, 32);
-		memcpy (clearText.ivKey, ivKey, 32);
-		memcpy (clearText.replyKey, replyKey, 32);
-		memcpy (clearText.replyIV, replyIV, 16);
-		clearText.flag = 0;
-		if (isGateway) clearText.flag |= 0x80;
-		if (isEndpoint) clearText.flag |= 0x40;
-		memcpy (clearText.ourIdent, ourIdent, 32);
-		memcpy (clearText.nextIdent, nextIdent, 32);
-		clearText.requestTime = htobe32 (i2p::util::GetHoursSinceEpoch ()); 
-		clearText.nextMessageID = htobe32(nextMessageID);
-		return clearText;
-	}	
-
-	void EncryptBuildRequestRecord (const i2p::data::RouterInfo& router, 
-		const I2NPBuildRequestRecordClearText& clearText,
-	    I2NPBuildRequestRecordElGamalEncrypted& record)
-	{
-		router.GetElGamalEncryption ()->Encrypt ((uint8_t *)&clearText, sizeof(clearText), record.encrypted);
-		memcpy (record.toPeer, (const uint8_t *)router.GetIdentHash (), 16);
-	}	
 	
-	bool HandleBuildRequestRecords (int num, I2NPBuildRequestRecordElGamalEncrypted * records, I2NPBuildRequestRecordClearText& clearText)
+	bool HandleBuildRequestRecords (int num, uint8_t * records, uint8_t * clearText)
 	{
 		for (int i = 0; i < num; i++)
 		{	
-			if (!memcmp (records[i].toPeer, (const uint8_t *)i2p::context.GetRouterInfo ().GetIdentHash (), 16))
+			uint8_t * record = records + i*TUNNEL_BUILD_RECORD_SIZE;
+			if (!memcmp (record + BUILD_REQUEST_RECORD_TO_PEER_OFFSET, (const uint8_t *)i2p::context.GetRouterInfo ().GetIdentHash (), 16))
 			{	
 				LogPrint ("Record ",i," is ours");	
 			
-				i2p::crypto::ElGamalDecrypt (i2p::context.GetEncryptionPrivateKey (), records[i].encrypted, (uint8_t *)&clearText);
-				// replace record to reply
-				I2NPBuildResponseRecord * reply = (I2NPBuildResponseRecord *)(records + i);				
-				if (i2p::context.AcceptsTunnels ())
+				i2p::crypto::ElGamalDecrypt (i2p::context.GetEncryptionPrivateKey (), record + BUILD_REQUEST_RECORD_ENCRYPTED_OFFSET, clearText);
+				// replace record to reply			
+				if (i2p::context.AcceptsTunnels () && 
+					i2p::tunnel::tunnels.GetTransitTunnels ().size () <= MAX_NUM_TRANSIT_TUNNELS &&
+					!i2p::transport::transports.IsBandwidthExceeded ())
 				{	
 					i2p::tunnel::TransitTunnel * transitTunnel = 
 						i2p::tunnel::CreateTransitTunnel (
-							be32toh (clearText.receiveTunnel), 
-							clearText.nextIdent, be32toh (clearText.nextTunnel),
-							clearText.layerKey, clearText.ivKey, 
-							clearText.flag & 0x80, clearText.flag & 0x40);
+							bufbe32toh (clearText + BUILD_REQUEST_RECORD_RECEIVE_TUNNEL_OFFSET), 
+							clearText + BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET, 
+						    bufbe32toh (clearText + BUILD_REQUEST_RECORD_NEXT_TUNNEL_OFFSET),
+							clearText + BUILD_REQUEST_RECORD_LAYER_KEY_OFFSET, 
+						    clearText + BUILD_REQUEST_RECORD_IV_KEY_OFFSET, 
+							clearText[BUILD_REQUEST_RECORD_FLAG_OFFSET] & 0x80, 
+						    clearText[BUILD_REQUEST_RECORD_FLAG_OFFSET ] & 0x40);
 					i2p::tunnel::tunnels.AddTransitTunnel (transitTunnel);
-					reply->ret = 0;
+					record[BUILD_RESPONSE_RECORD_RET_OFFSET] = 0;
 				}
 				else
-					reply->ret = 30; // always reject with bandwidth reason (30)
+					record[BUILD_RESPONSE_RECORD_RET_OFFSET] = 30; // always reject with bandwidth reason (30)
 				
 				//TODO: fill filler
-				CryptoPP::SHA256().CalculateDigest(reply->hash, reply->padding, sizeof (reply->padding) + 1); // + 1 byte of ret
+				SHA256 (record + BUILD_RESPONSE_RECORD_PADDING_OFFSET, BUILD_RESPONSE_RECORD_PADDING_SIZE + 1, // + 1 byte of ret
+					record + BUILD_RESPONSE_RECORD_HASH_OFFSET);       
 				// encrypt reply
 				i2p::crypto::CBCEncryption encryption;
 				for (int j = 0; j < num; j++)
 				{
-					encryption.SetKey (clearText.replyKey);
-					encryption.SetIV (clearText.replyIV);
-					encryption.Encrypt((uint8_t *)(records + j), sizeof (records[j]), (uint8_t *)(records + j)); 
+					encryption.SetKey (clearText + BUILD_REQUEST_RECORD_REPLY_KEY_OFFSET);
+					encryption.SetIV (clearText + BUILD_REQUEST_RECORD_REPLY_IV_OFFSET);
+					uint8_t * reply = records + j*TUNNEL_BUILD_RECORD_SIZE;
+					encryption.Encrypt(reply, TUNNEL_BUILD_RECORD_SIZE, reply); 
 				}
 				return true;
 			}	
@@ -328,7 +332,7 @@ namespace i2p
 		int num = buf[0];
 		LogPrint ("VariableTunnelBuild ", num, " records");

-		i2p::tunnel::Tunnel * tunnel =  i2p::tunnel::tunnels.GetPendingTunnel (replyMsgID);
+		auto tunnel =  i2p::tunnel::tunnels.GetPendingInboundTunnel (replyMsgID);
 		if (tunnel)
 		{
 			// endpoint of inbound tunnel
@@ -337,7 +341,7 @@ namespace i2p
 			{
 				LogPrint ("Inbound tunnel ", tunnel->GetTunnelID (), " has been created");
 				tunnel->SetState (i2p::tunnel::eTunnelStateEstablished);	
-				i2p::tunnel::tunnels.AddInboundTunnel (static_cast<i2p::tunnel::InboundTunnel *>(tunnel));
+				i2p::tunnel::tunnels.AddInboundTunnel (tunnel);
 			}
 			else
 			{
@@ -347,48 +351,49 @@ namespace i2p
 		}
 		else
 		{
-			I2NPBuildRequestRecordElGamalEncrypted * records = (I2NPBuildRequestRecordElGamalEncrypted *)(buf+1); 
-			I2NPBuildRequestRecordClearText clearText;	
-			if (HandleBuildRequestRecords (num, records, clearText))
+			uint8_t clearText[BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE];	
+			if (HandleBuildRequestRecords (num, buf + 1, clearText))
 			{
-				if (clearText.flag & 0x40) // we are endpoint of outboud tunnel
+				if (clearText[BUILD_REQUEST_RECORD_FLAG_OFFSET] & 0x40) // we are endpoint of outboud tunnel
 				{
 					// so we send it to reply tunnel 
-					transports.SendMessage (clearText.nextIdent, 
-						CreateTunnelGatewayMsg (be32toh (clearText.nextTunnel),
+					transports.SendMessage (clearText + BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET, 
+						ToSharedI2NPMessage (CreateTunnelGatewayMsg (bufbe32toh (clearText + BUILD_REQUEST_RECORD_NEXT_TUNNEL_OFFSET),
 							eI2NPVariableTunnelBuildReply, buf, len, 
-						    be32toh (clearText.nextMessageID)));                         
+						    bufbe32toh (clearText + BUILD_REQUEST_RECORD_SEND_MSG_ID_OFFSET))));                         
 				}	
 				else	
-					transports.SendMessage (clearText.nextIdent, 
-						CreateI2NPMessage (eI2NPVariableTunnelBuild, buf, len, be32toh (clearText.nextMessageID)));
+					transports.SendMessage (clearText + BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET, 
+						ToSharedI2NPMessage (CreateI2NPMessage (eI2NPVariableTunnelBuild, buf, len, 
+							bufbe32toh (clearText + BUILD_REQUEST_RECORD_SEND_MSG_ID_OFFSET))));
 			}	
 		}	
 	}

 	void HandleTunnelBuildMsg (uint8_t * buf, size_t len)
 	{
-		I2NPBuildRequestRecordClearText clearText;	
-		if (HandleBuildRequestRecords (NUM_TUNNEL_BUILD_RECORDS, (I2NPBuildRequestRecordElGamalEncrypted *)buf, clearText))
+		uint8_t clearText[BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE];	
+		if (HandleBuildRequestRecords (NUM_TUNNEL_BUILD_RECORDS, buf, clearText))
 		{
-			if (clearText.flag & 0x40) // we are endpoint of outbound tunnel
+			if (clearText[BUILD_REQUEST_RECORD_FLAG_OFFSET] & 0x40) // we are endpoint of outbound tunnel
 			{
 				// so we send it to reply tunnel 
-				transports.SendMessage (clearText.nextIdent, 
-					CreateTunnelGatewayMsg (be32toh (clearText.nextTunnel),
+				transports.SendMessage (clearText + BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET, 
+					ToSharedI2NPMessage (CreateTunnelGatewayMsg (bufbe32toh (clearText + BUILD_REQUEST_RECORD_NEXT_TUNNEL_OFFSET),
 						eI2NPTunnelBuildReply, buf, len, 
-					    be32toh (clearText.nextMessageID)));                         
+					    bufbe32toh (clearText + BUILD_REQUEST_RECORD_SEND_MSG_ID_OFFSET))));                         
 			}	
 			else	
-				transports.SendMessage (clearText.nextIdent, 
-					CreateI2NPMessage (eI2NPTunnelBuild, buf, len, be32toh (clearText.nextMessageID)));
+				transports.SendMessage (clearText + BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET, 
+					ToSharedI2NPMessage (CreateI2NPMessage (eI2NPTunnelBuild, buf, len, 
+						bufbe32toh (clearText + BUILD_REQUEST_RECORD_SEND_MSG_ID_OFFSET))));
 		} 
 	}

 	void HandleVariableTunnelBuildReplyMsg (uint32_t replyMsgID, uint8_t * buf, size_t len)
 	{	
 		LogPrint ("VariableTunnelBuildReplyMsg replyMsgID=", replyMsgID);
-		i2p::tunnel::Tunnel * tunnel = i2p::tunnel::tunnels.GetPendingTunnel (replyMsgID);
+		auto tunnel = i2p::tunnel::tunnels.GetPendingOutboundTunnel (replyMsgID);
 		if (tunnel)
 		{	
 			// reply for outbound tunnel
@@ -396,7 +401,7 @@ namespace i2p
 			{	
 				LogPrint ("Outbound tunnel ", tunnel->GetTunnelID (), " has been created");
 				tunnel->SetState (i2p::tunnel::eTunnelStateEstablished);	
-				i2p::tunnel::tunnels.AddOutboundTunnel (static_cast<i2p::tunnel::OutboundTunnel *>(tunnel));
+				i2p::tunnel::tunnels.AddOutboundTunnel (tunnel);
 			}	
 			else
 			{
@@ -411,54 +416,60 @@ namespace i2p

 	I2NPMessage * CreateTunnelDataMsg (const uint8_t * buf)
 	{
-		I2NPMessage * msg = NewI2NPMessage ();
+		I2NPMessage * msg = NewI2NPShortMessage ();
 		memcpy (msg->GetPayload (), buf, i2p::tunnel::TUNNEL_DATA_MSG_SIZE);
 		msg->len += i2p::tunnel::TUNNEL_DATA_MSG_SIZE; 
-		FillI2NPMessageHeader (msg, eI2NPTunnelData);
+		msg->FillI2NPMessageHeader (eI2NPTunnelData);
 		return msg;
 	}	

 	I2NPMessage * CreateTunnelDataMsg (uint32_t tunnelID, const uint8_t * payload)	
 	{
-		I2NPMessage * msg = NewI2NPMessage ();
+		I2NPMessage * msg = NewI2NPShortMessage ();
 		memcpy (msg->GetPayload () + 4, payload, i2p::tunnel::TUNNEL_DATA_MSG_SIZE - 4);
-		*(uint32_t *)(msg->GetPayload ()) = htobe32 (tunnelID);
+		htobe32buf (msg->GetPayload (), tunnelID);
 		msg->len += i2p::tunnel::TUNNEL_DATA_MSG_SIZE; 
-		FillI2NPMessageHeader (msg, eI2NPTunnelData);
+		msg->FillI2NPMessageHeader (eI2NPTunnelData);
 		return msg;
 	}	
+
+	std::shared_ptr<I2NPMessage> CreateEmptyTunnelDataMsg ()
+	{
+		I2NPMessage * msg = NewI2NPShortMessage ();
+		msg->len += i2p::tunnel::TUNNEL_DATA_MSG_SIZE; 
+		return ToSharedI2NPMessage (msg);
+	}	
 	
 	I2NPMessage * CreateTunnelGatewayMsg (uint32_t tunnelID, const uint8_t * buf, size_t len)
 	{
 		I2NPMessage * msg = NewI2NPMessage (len);
-		TunnelGatewayHeader * header = (TunnelGatewayHeader *)msg->GetPayload ();
-		header->tunnelID = htobe32 (tunnelID);
-		header->length = htobe16 (len);
-		memcpy (msg->GetPayload () + sizeof (TunnelGatewayHeader), buf, len);
-		msg->len += sizeof (TunnelGatewayHeader) + len;
-		FillI2NPMessageHeader (msg, eI2NPTunnelGateway);
+		uint8_t * payload = msg->GetPayload ();
+		htobe32buf (payload + TUNNEL_GATEWAY_HEADER_TUNNELID_OFFSET, tunnelID);
+		htobe16buf (payload + TUNNEL_GATEWAY_HEADER_LENGTH_OFFSET, len);
+		memcpy (payload + TUNNEL_GATEWAY_HEADER_SIZE, buf, len);
+		msg->len += TUNNEL_GATEWAY_HEADER_SIZE + len;
+		msg->FillI2NPMessageHeader (eI2NPTunnelGateway);
 		return msg;
 	}	

-	I2NPMessage * CreateTunnelGatewayMsg (uint32_t tunnelID, I2NPMessage * msg)
+	std::shared_ptr<I2NPMessage> CreateTunnelGatewayMsg (uint32_t tunnelID, std::shared_ptr<I2NPMessage> msg)
 	{
-		if (msg->offset >= sizeof (I2NPHeader) + sizeof (TunnelGatewayHeader))
+		if (msg->offset >= I2NP_HEADER_SIZE + TUNNEL_GATEWAY_HEADER_SIZE)
 		{
 			// message is capable to be used without copying
-			TunnelGatewayHeader * header = (TunnelGatewayHeader *)(msg->GetBuffer () - sizeof (TunnelGatewayHeader));
-			header->tunnelID = htobe32 (tunnelID);
+			uint8_t * payload = msg->GetBuffer () - TUNNEL_GATEWAY_HEADER_SIZE;
+			htobe32buf (payload + TUNNEL_GATEWAY_HEADER_TUNNELID_OFFSET, tunnelID);
 			int len = msg->GetLength ();
-			header->length = htobe16 (len);
-			msg->offset -= (sizeof (I2NPHeader) + sizeof (TunnelGatewayHeader));
-			msg->len = msg->offset + sizeof (I2NPHeader) + sizeof (TunnelGatewayHeader) +len;
-			FillI2NPMessageHeader (msg, eI2NPTunnelGateway);
+			htobe16buf (payload + TUNNEL_GATEWAY_HEADER_LENGTH_OFFSET, len);
+			msg->offset -= (I2NP_HEADER_SIZE + TUNNEL_GATEWAY_HEADER_SIZE);
+			msg->len = msg->offset + I2NP_HEADER_SIZE + TUNNEL_GATEWAY_HEADER_SIZE +len;
+			msg->FillI2NPMessageHeader (eI2NPTunnelGateway); 
 			return msg;
 		}
 		else
 		{	
 			I2NPMessage * msg1 = CreateTunnelGatewayMsg (tunnelID, msg->GetBuffer (), msg->GetLength ());
-			DeleteI2NPMessage (msg);
-			return msg1;
+			return ToSharedI2NPMessage (msg1);
 		}	                               
 	}

@@ -466,64 +477,35 @@ namespace i2p
 		const uint8_t * buf, size_t len, uint32_t replyMsgID)
 	{
 		I2NPMessage * msg = NewI2NPMessage (len);
-		size_t gatewayMsgOffset = sizeof (I2NPHeader) + sizeof (TunnelGatewayHeader);
+		size_t gatewayMsgOffset = I2NP_HEADER_SIZE + TUNNEL_GATEWAY_HEADER_SIZE;
 		msg->offset += gatewayMsgOffset;
 		msg->len += gatewayMsgOffset;
 		memcpy (msg->GetPayload (), buf, len);
 		msg->len += len;
-		FillI2NPMessageHeader (msg, msgType, replyMsgID); // create content message
+		msg->FillI2NPMessageHeader (msgType, replyMsgID); // create content message
 		len = msg->GetLength ();
 		msg->offset -= gatewayMsgOffset;
-		TunnelGatewayHeader * header = (TunnelGatewayHeader *)msg->GetPayload ();
-		header->tunnelID = htobe32 (tunnelID);
-		header->length = htobe16 (len);
-		FillI2NPMessageHeader (msg, eI2NPTunnelGateway); // gateway message
+		uint8_t * payload = msg->GetPayload ();
+		htobe32buf (payload + TUNNEL_GATEWAY_HEADER_TUNNELID_OFFSET, tunnelID);
+		htobe16buf (payload + TUNNEL_GATEWAY_HEADER_LENGTH_OFFSET, len);
+		msg->FillI2NPMessageHeader (eI2NPTunnelGateway); // gateway message
 		return msg;
 	}	
-	
-	void HandleTunnelGatewayMsg (I2NPMessage * msg)
-	{		
-		TunnelGatewayHeader * header = (TunnelGatewayHeader *)msg->GetPayload ();
-		uint32_t tunnelID = be32toh(header->tunnelID);
-		uint16_t len = be16toh(header->length);
-		// we make payload as new I2NP message to send
-		msg->offset += sizeof (I2NPHeader) + sizeof (TunnelGatewayHeader);
-		msg->len = msg->offset + len;
-		LogPrint ("TunnelGateway of ", (int)len, " bytes for tunnel ", (unsigned int)tunnelID, ". Msg type ", (int)msg->GetHeader()->typeID);
-		if (msg->GetHeader()->typeID == eI2NPDatabaseStore ||
-		    msg->GetHeader()->typeID == eI2NPDatabaseSearchReply)
-		{
-			// transit DatabaseStore my contain new/updated RI 
-			// or DatabaseSearchReply with new routers
-			auto ds = NewI2NPMessage ();
-			*ds = *msg;
-			i2p::data::netdb.PostI2NPMsg (ds);
-		}	
-		i2p::tunnel::TransitTunnel * tunnel =  i2p::tunnel::tunnels.GetTransitTunnel (tunnelID);
-		if (tunnel)
-			tunnel->SendTunnelDataMsg (msg);
-		else
-		{	
-			LogPrint ("Tunnel ", (unsigned int)tunnelID, " not found");
-			i2p::DeleteI2NPMessage (msg);
-		}	
-	}	

 	size_t GetI2NPMessageLength (const uint8_t * msg)
 	{
-		I2NPHeader * header = (I2NPHeader *)msg;
-		return be16toh (header->size) + sizeof (I2NPHeader);
+		return bufbe16toh (msg + I2NP_HEADER_SIZE_OFFSET) + I2NP_HEADER_SIZE;
 	}	
 	
 	void HandleI2NPMessage (uint8_t * msg, size_t len)
 	{
-		I2NPHeader * header = (I2NPHeader *)msg;
-		uint32_t msgID = be32toh (header->msgID);	
-		LogPrint ("I2NP msg received len=", len,", type=", (int)header->typeID, ", msgID=", (unsigned int)msgID);
+		uint8_t typeID = msg[I2NP_HEADER_TYPEID_OFFSET];
+		uint32_t msgID = bufbe32toh (msg + I2NP_HEADER_MSGID_OFFSET);	
+		LogPrint ("I2NP msg received len=", len,", type=", (int)typeID, ", msgID=", (unsigned int)msgID);

-		uint8_t * buf = msg + sizeof (I2NPHeader);
-		int size = be16toh (header->size);
-		switch (header->typeID)
+		uint8_t * buf = msg + I2NP_HEADER_SIZE;
+		int size = bufbe16toh (msg + I2NP_HEADER_SIZE_OFFSET);
+		switch (typeID)
 		{	
 			case eI2NPVariableTunnelBuild:
 				LogPrint ("VariableTunnelBuild");
@@ -542,15 +524,15 @@ namespace i2p
 				// TODO:
 			break;	
 			default:
-				LogPrint ("Unexpected message ", (int)header->typeID);
+				LogPrint ("Unexpected message ", (int)typeID);
 		}	
 	}

-	void HandleI2NPMessage (I2NPMessage * msg)
+	void HandleI2NPMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		if (msg)
 		{	
-			switch (msg->GetHeader ()->typeID)
+			switch (msg->GetTypeID ())
 			{	
 				case eI2NPTunnelData:
 					LogPrint ("TunnelData");
@@ -558,15 +540,22 @@ namespace i2p
 				break;	
 				case eI2NPTunnelGateway:
 					LogPrint ("TunnelGateway");
-					HandleTunnelGatewayMsg (msg);
+					i2p::tunnel::tunnels.PostTunnelData (msg);
 				break;
 				case eI2NPGarlic:
+				{
 					LogPrint ("Garlic");
-					if (msg->from && msg->from->GetTunnelPool ())
-						msg->from->GetTunnelPool ()->GetGarlicDestination ().ProcessGarlicMessage (msg);
+					if (msg->from)
+					{
+						if (msg->from->GetTunnelPool ())
+							msg->from->GetTunnelPool ()->ProcessGarlicMessage (msg);
+						else
+							LogPrint (eLogInfo, "Local destination for garlic doesn't exist anymore");
+					}
 					else
 						i2p::context.ProcessGarlicMessage (msg); 
-				break;
+					break;
+				}
 				case eI2NPDatabaseStore:
 				case eI2NPDatabaseSearchReply:
 				case eI2NPDatabaseLookup:
@@ -574,16 +563,61 @@ namespace i2p
 					i2p::data::netdb.PostI2NPMsg (msg);
 				break;
 				case eI2NPDeliveryStatus:
+				{
 					LogPrint ("DeliveryStatus");
 					if (msg->from && msg->from->GetTunnelPool ())
 						msg->from->GetTunnelPool ()->ProcessDeliveryStatus (msg);
 					else
 						i2p::context.ProcessDeliveryStatusMessage (msg);
+					break;	
+				}
+				case eI2NPVariableTunnelBuild:		
+				case eI2NPVariableTunnelBuildReply:
+				case eI2NPTunnelBuild:
+				case eI2NPTunnelBuildReply:	
+					// forward to tunnel thread
+					i2p::tunnel::tunnels.PostTunnelData (msg);
 				break;	
 				default:
 					HandleI2NPMessage (msg->GetBuffer (), msg->GetLength ());
-					DeleteI2NPMessage (msg);
 			}	
 		}	
 	}	
+
+	I2NPMessagesHandler::~I2NPMessagesHandler ()
+	{
+		Flush ();
+	}
+	
+	void I2NPMessagesHandler::PutNextMessage (std::shared_ptr<I2NPMessage>  msg)
+	{
+		if (msg)
+		{
+			switch (msg->GetTypeID ())
+			{	
+				case eI2NPTunnelData:
+					m_TunnelMsgs.push_back (msg);
+				break;
+				case eI2NPTunnelGateway:	
+					m_TunnelGatewayMsgs.push_back (msg);
+				break;	
+				default:
+					HandleI2NPMessage (msg);
+			}		
+		}	
+	}
+	
+	void I2NPMessagesHandler::Flush ()
+	{
+		if (!m_TunnelMsgs.empty ())
+		{	
+			i2p::tunnel::tunnels.PostTunnelData (m_TunnelMsgs);
+			m_TunnelMsgs.clear ();
+		}	
+		if (!m_TunnelGatewayMsgs.empty ())
+		{	
+			i2p::tunnel::tunnels.PostTunnelData (m_TunnelGatewayMsgs);
+			m_TunnelGatewayMsgs.clear ();
+		}	
+	}	
 }
--- a/I2NPProtocol.h
+++ b/I2NPProtocol.h
@@ -2,81 +2,73 @@
 #define I2NP_PROTOCOL_H__

 #include <inttypes.h>
-#include <set>
 #include <string.h>
+#include <set>
+#include <memory>
+#include <openssl/sha.h>
 #include "I2PEndian.h"
+#include "Identity.h"
 #include "RouterInfo.h"
 #include "LeaseSet.h"

 namespace i2p
-{
-#pragma pack (1)
+{	
+	// I2NP header
+	const size_t I2NP_HEADER_TYPEID_OFFSET = 0;
+	const size_t I2NP_HEADER_MSGID_OFFSET = I2NP_HEADER_TYPEID_OFFSET + 1;
+	const size_t I2NP_HEADER_EXPIRATION_OFFSET = I2NP_HEADER_MSGID_OFFSET + 4;
+	const size_t I2NP_HEADER_SIZE_OFFSET = I2NP_HEADER_EXPIRATION_OFFSET + 8;
+	const size_t I2NP_HEADER_CHKS_OFFSET = I2NP_HEADER_SIZE_OFFSET + 2;
+	const size_t I2NP_HEADER_SIZE = I2NP_HEADER_CHKS_OFFSET + 1;

-	struct I2NPHeader
-	{
-		uint8_t typeID;
-		uint32_t msgID;
-		uint64_t expiration;
-		uint16_t size;
-		uint8_t chks;
-	};	
-
-	struct I2NPHeaderShort
-	{
-		uint8_t typeID;
-		uint32_t shortExpiration;
-	};	
-
-	struct I2NPDatabaseStoreMsg
-	{
-		uint8_t key[32];
-		uint8_t type;
-		uint32_t replyToken;	
-	};
-
-	struct I2NPDeliveryStatusMsg
-	{
-		uint32_t msgID;
-		uint64_t timestamp;
-	};
+	// I2NP short header
+	const size_t I2NP_SHORT_HEADER_TYPEID_OFFSET = 0;
+	const size_t I2NP_SHORT_HEADER_EXPIRATION_OFFSET = I2NP_SHORT_HEADER_TYPEID_OFFSET + 1;
+	const size_t I2NP_SHORT_HEADER_SIZE = I2NP_SHORT_HEADER_EXPIRATION_OFFSET + 4;
 	
-	struct I2NPBuildRequestRecordClearText
-	{
-		uint32_t receiveTunnel;
-		uint8_t ourIdent[32];
-		uint32_t nextTunnel;
-		uint8_t nextIdent[32];
-		uint8_t layerKey[32];
-		uint8_t ivKey[32];
-		uint8_t replyKey[32];
-		uint8_t replyIV[16];
-		uint8_t flag;
-		uint32_t requestTime;
-		uint32_t nextMessageID;	
-		uint8_t filler[29];
-	};
+	// Tunnel Gateway header
+	const size_t TUNNEL_GATEWAY_HEADER_TUNNELID_OFFSET = 0;
+	const size_t TUNNEL_GATEWAY_HEADER_LENGTH_OFFSET = TUNNEL_GATEWAY_HEADER_TUNNELID_OFFSET + 4;
+	const size_t TUNNEL_GATEWAY_HEADER_SIZE = TUNNEL_GATEWAY_HEADER_LENGTH_OFFSET + 2;

-	struct I2NPBuildResponseRecord
-	{
-		uint8_t hash[32];
-		uint8_t padding[495];
-		uint8_t ret;
-	};	
+	// DeliveryStatus	
+	const size_t DELIVERY_STATUS_MSGID_OFFSET = 0;
+	const size_t DELIVERY_STATUS_TIMESTAMP_OFFSET = DELIVERY_STATUS_MSGID_OFFSET + 4;
+	const size_t DELIVERY_STATUS_SIZE = DELIVERY_STATUS_TIMESTAMP_OFFSET + 8;
+
+	// DatabaseStore
+	const size_t DATABASE_STORE_KEY_OFFSET = 0;
+	const size_t DATABASE_STORE_TYPE_OFFSET = DATABASE_STORE_KEY_OFFSET + 32;
+	const size_t DATABASE_STORE_REPLY_TOKEN_OFFSET = DATABASE_STORE_TYPE_OFFSET + 1;
+	const size_t DATABASE_STORE_HEADER_SIZE = DATABASE_STORE_REPLY_TOKEN_OFFSET + 4;
+
+	// TunnelBuild	
+	const size_t TUNNEL_BUILD_RECORD_SIZE = 528;
+
+	//BuildRequestRecordClearText
+	const size_t BUILD_REQUEST_RECORD_RECEIVE_TUNNEL_OFFSET = 0;
+	const size_t BUILD_REQUEST_RECORD_OUR_IDENT_OFFSET = BUILD_REQUEST_RECORD_RECEIVE_TUNNEL_OFFSET + 4;
+	const size_t BUILD_REQUEST_RECORD_NEXT_TUNNEL_OFFSET = BUILD_REQUEST_RECORD_OUR_IDENT_OFFSET + 32;
+	const size_t BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET = BUILD_REQUEST_RECORD_NEXT_TUNNEL_OFFSET + 4;
+	const size_t BUILD_REQUEST_RECORD_LAYER_KEY_OFFSET = BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET + 32;
+	const size_t BUILD_REQUEST_RECORD_IV_KEY_OFFSET = BUILD_REQUEST_RECORD_LAYER_KEY_OFFSET + 32;
+	const size_t BUILD_REQUEST_RECORD_REPLY_KEY_OFFSET = BUILD_REQUEST_RECORD_IV_KEY_OFFSET + 32;
+	const size_t BUILD_REQUEST_RECORD_REPLY_IV_OFFSET = BUILD_REQUEST_RECORD_REPLY_KEY_OFFSET + 32;
+	const size_t BUILD_REQUEST_RECORD_FLAG_OFFSET = BUILD_REQUEST_RECORD_REPLY_IV_OFFSET + 16;
+	const size_t BUILD_REQUEST_RECORD_REQUEST_TIME_OFFSET = BUILD_REQUEST_RECORD_FLAG_OFFSET + 1;
+	const size_t BUILD_REQUEST_RECORD_SEND_MSG_ID_OFFSET = BUILD_REQUEST_RECORD_REQUEST_TIME_OFFSET + 4;
+	const size_t BUILD_REQUEST_RECORD_PADDING_OFFSET = BUILD_REQUEST_RECORD_SEND_MSG_ID_OFFSET + 4;
+	const size_t BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE = 222;
 	
-	struct I2NPBuildRequestRecordElGamalEncrypted
-	{
-		uint8_t toPeer[16];
-		uint8_t encrypted[512];
-	};
-
-	struct TunnelGatewayHeader
-	{
-		uint32_t tunnelID;
-		uint16_t length;
-	};		
-
+	// BuildRequestRecordEncrypted	
+	const size_t BUILD_REQUEST_RECORD_TO_PEER_OFFSET = 0;
+	const size_t BUILD_REQUEST_RECORD_ENCRYPTED_OFFSET = BUILD_REQUEST_RECORD_TO_PEER_OFFSET + 16;
 	
-#pragma pack ()	
+	// BuildResponseRecord
+	const size_t BUILD_RESPONSE_RECORD_HASH_OFFSET = 0;
+	const size_t BUILD_RESPONSE_RECORD_PADDING_OFFSET = 32;
+	const size_t BUILD_RESPONSE_RECORD_PADDING_SIZE = 495;
+	const size_t BUILD_RESPONSE_RECORD_RET_OFFSET = BUILD_RESPONSE_RECORD_PADDING_OFFSET + BUILD_RESPONSE_RECORD_PADDING_SIZE;

 	enum I2NPMessageType
 	{
@@ -96,6 +88,17 @@ namespace i2p

 	const int NUM_TUNNEL_BUILD_RECORDS = 8;	

+	// DatabaseLookup flags
+	const uint8_t DATABASE_LOOKUP_DELIVERY_FLAG = 0x01;
+	const uint8_t DATABASE_LOOKUP_ENCYPTION_FLAG = 0x02;	
+	const uint8_t DATABASE_LOOKUP_TYPE_FLAGS_MASK = 0x0C;
+	const uint8_t DATABASE_LOOKUP_TYPE_NORMAL_LOOKUP = 0;
+	const uint8_t DATABASE_LOOKUP_TYPE_LEASESET_LOOKUP = 0x04; // 0100
+	const uint8_t DATABASE_LOOKUP_TYPE_ROUTERINFO_LOOKUP = 0x08; // 1000			
+	const uint8_t DATABASE_LOOKUP_TYPE_EXPLORATORY_LOOKUP = 0x0C; // 1100
+
+	const int MAX_NUM_TRANSIT_TUNNELS = 2500;
+
 namespace tunnel
 {		
 	class InboundTunnel;
@@ -103,21 +106,54 @@ namespace tunnel
 }

 	const size_t I2NP_MAX_MESSAGE_SIZE = 32768; 
-	const size_t I2NP_MAX_SHORT_MESSAGE_SIZE = 2400; 
+	const size_t I2NP_MAX_SHORT_MESSAGE_SIZE = 4096; 
 	struct I2NPMessage
 	{	
 		uint8_t * buf;	
 		size_t len, offset, maxLen;
-		i2p::tunnel::InboundTunnel * from;
+		std::shared_ptr<i2p::tunnel::InboundTunnel> from;
 		
-		I2NPMessage (): buf (nullptr),len (sizeof (I2NPHeader) + 2), 
-			offset(2), maxLen (0), from (nullptr) {}; 
-		// reserve 2 bytes for NTCP header
-		I2NPHeader * GetHeader () { return (I2NPHeader *)GetBuffer (); };
-		uint8_t * GetPayload () { return GetBuffer () + sizeof(I2NPHeader); };
+		I2NPMessage (): buf (nullptr),len (I2NP_HEADER_SIZE + 2), 
+			offset(2), maxLen (0), from (nullptr) {};  // reserve 2 bytes for NTCP header
+	
+		// header accessors
+		uint8_t * GetHeader () { return GetBuffer (); };
+		const uint8_t * GetHeader () const { return GetBuffer (); };
+		void SetTypeID (uint8_t typeID) { GetHeader ()[I2NP_HEADER_TYPEID_OFFSET] = typeID; };
+		uint8_t GetTypeID () const { return GetHeader ()[I2NP_HEADER_TYPEID_OFFSET]; };
+		void SetMsgID (uint32_t msgID) { htobe32buf (GetHeader () + I2NP_HEADER_MSGID_OFFSET, msgID); };
+		uint32_t GetMsgID () const { return bufbe32toh (GetHeader () + I2NP_HEADER_MSGID_OFFSET); };
+		void SetExpiration (uint64_t expiration) { htobe64buf (GetHeader () + I2NP_HEADER_EXPIRATION_OFFSET, expiration); };
+		uint64_t GetExpiration () const { return bufbe64toh (GetHeader () + I2NP_HEADER_EXPIRATION_OFFSET); };
+		void SetSize (uint16_t size) { htobe16buf (GetHeader () + I2NP_HEADER_SIZE_OFFSET, size); };
+		uint16_t GetSize () const { return bufbe16toh (GetHeader () + I2NP_HEADER_SIZE_OFFSET); };
+		void UpdateSize () { SetSize (GetPayloadLength ()); };	
+		void SetChks (uint8_t chks) { GetHeader ()[I2NP_HEADER_CHKS_OFFSET] = chks; };
+		void UpdateChks () 
+		{
+			uint8_t hash[32];
+			SHA256(GetPayload (), GetPayloadLength (), hash);
+			GetHeader ()[I2NP_HEADER_CHKS_OFFSET] = hash[0];
+		}	
+		
+		// payload
+		uint8_t * GetPayload () { return GetBuffer () + I2NP_HEADER_SIZE; };
+		const uint8_t * GetPayload () const { return GetBuffer () + I2NP_HEADER_SIZE; };
 		uint8_t * GetBuffer () { return buf + offset; };
 		const uint8_t * GetBuffer () const { return buf + offset; };
-		size_t GetLength () const { return len - offset; };
+		size_t GetLength () const { return len - offset; };	
+		size_t GetPayloadLength () const { return GetLength () - I2NP_HEADER_SIZE; };	
+			
+		void Align (size_t alignment) 
+		{
+			if (len + alignment > maxLen) return;
+			size_t rem = ((size_t)GetBuffer ()) % alignment;
+			if (rem)
+			{
+				offset += (alignment - rem);
+				len += (alignment - rem);
+			}	
+		}

 		I2NPMessage& operator=(const I2NPMessage& other)
 		{
@@ -128,81 +164,88 @@ namespace tunnel
 		}	

 		// for SSU only
-		uint8_t * GetSSUHeader () { return buf + offset + sizeof(I2NPHeader) - sizeof(I2NPHeaderShort); };	
+		uint8_t * GetSSUHeader () { return buf + offset + I2NP_HEADER_SIZE - I2NP_SHORT_HEADER_SIZE; };	
 		void FromSSU (uint32_t msgID) // we have received SSU message and convert it to regular
 		{
-			I2NPHeaderShort ssu = *(I2NPHeaderShort *)GetSSUHeader ();
-			I2NPHeader * header = GetHeader ();
-			header->typeID = ssu.typeID;
-			header->msgID = htobe32 (msgID);
-			header->expiration = htobe64 (be32toh (ssu.shortExpiration)*1000LL);
-			header->size = htobe16 (len - offset - sizeof (I2NPHeader));
-			header->chks = 0;
+			const uint8_t * ssu = GetSSUHeader ();
+			GetHeader ()[I2NP_HEADER_TYPEID_OFFSET] = ssu[I2NP_SHORT_HEADER_TYPEID_OFFSET]; // typeid
+			SetMsgID (msgID);
+			SetExpiration (bufbe32toh (ssu + I2NP_SHORT_HEADER_EXPIRATION_OFFSET)*1000LL);
+			SetSize (len - offset - I2NP_HEADER_SIZE);
+			SetChks (0);
 		}
 		uint32_t ToSSU () // return msgID
 		{
-			I2NPHeader header = *GetHeader ();
-			I2NPHeaderShort * ssu = (I2NPHeaderShort *)GetSSUHeader ();
-			ssu->typeID = header.typeID;
-			ssu->shortExpiration = htobe32 (be64toh (header.expiration)/1000LL); 
-			len = offset + sizeof (I2NPHeaderShort) + be16toh (header.size);
-			return be32toh (header.msgID);
+			uint8_t header[I2NP_HEADER_SIZE];
+			memcpy (header, GetHeader (), I2NP_HEADER_SIZE);
+			uint8_t * ssu = GetSSUHeader ();
+			ssu[I2NP_SHORT_HEADER_TYPEID_OFFSET] = header[I2NP_HEADER_TYPEID_OFFSET]; // typeid
+			htobe32buf (ssu + I2NP_SHORT_HEADER_EXPIRATION_OFFSET, bufbe64toh (header + I2NP_HEADER_EXPIRATION_OFFSET)/1000LL);
+			len = offset + I2NP_SHORT_HEADER_SIZE + bufbe16toh (header + I2NP_HEADER_SIZE_OFFSET);
+			return bufbe32toh (header + I2NP_HEADER_MSGID_OFFSET);
 		}	
+
+		void FillI2NPMessageHeader (I2NPMessageType msgType, uint32_t replyMsgID = 0);
+		void RenewI2NPMessageHeader ();
 	};	

 	template<int sz>
 	struct I2NPMessageBuffer: public I2NPMessage
 	{
 		I2NPMessageBuffer () { buf = m_Buffer; maxLen = sz; };
-		uint8_t m_Buffer[sz];
+		uint8_t m_Buffer[sz + 16];
 	};

 	I2NPMessage * NewI2NPMessage ();
 	I2NPMessage * NewI2NPShortMessage ();
 	I2NPMessage * NewI2NPMessage (size_t len);
 	void DeleteI2NPMessage (I2NPMessage * msg);
-	void FillI2NPMessageHeader (I2NPMessage * msg, I2NPMessageType msgType, uint32_t replyMsgID = 0);
-	void RenewI2NPMessageHeader (I2NPMessage * msg);
+	std::shared_ptr<I2NPMessage> ToSharedI2NPMessage (I2NPMessage * msg);
+	
 	I2NPMessage * CreateI2NPMessage (I2NPMessageType msgType, const uint8_t * buf, int len, uint32_t replyMsgID = 0);	
-	I2NPMessage * CreateI2NPMessage (const uint8_t * buf, int len, i2p::tunnel::InboundTunnel * from = nullptr);
+	std::shared_ptr<I2NPMessage> CreateI2NPMessage (const uint8_t * buf, int len, std::shared_ptr<i2p::tunnel::InboundTunnel> from = nullptr);
 	
-	I2NPMessage * CreateDeliveryStatusMsg (uint32_t msgID);
-	I2NPMessage * CreateDatabaseLookupMsg (const uint8_t * key, const uint8_t * from, 
-		uint32_t replyTunnelID, bool exploratory = false, 
-	    std::set<i2p::data::IdentHash> * excludedPeers = nullptr, bool encryption = false,
-	    i2p::tunnel::TunnelPool * pool = nullptr);
-	I2NPMessage * CreateDatabaseSearchReply (const i2p::data::IdentHash& ident, const i2p::data::RouterInfo * floodfill);
+	std::shared_ptr<I2NPMessage> CreateDeliveryStatusMsg (uint32_t msgID);
+	std::shared_ptr<I2NPMessage> CreateRouterInfoDatabaseLookupMsg (const uint8_t * key, const uint8_t * from, 
+		uint32_t replyTunnelID, bool exploratory = false, std::set<i2p::data::IdentHash> * excludedPeers = nullptr);
+	std::shared_ptr<I2NPMessage> CreateLeaseSetDatabaseLookupMsg (const i2p::data::IdentHash& dest, 
+		const std::set<i2p::data::IdentHash>& excludedFloodfills,
+		const i2p::tunnel::InboundTunnel * replyTunnel, const uint8_t * replyKey, const uint8_t * replyTag);
+	std::shared_ptr<I2NPMessage> CreateDatabaseSearchReply (const i2p::data::IdentHash& ident, std::vector<i2p::data::IdentHash> routers);
 	
-	I2NPMessage * CreateDatabaseStoreMsg (const i2p::data::RouterInfo * router = nullptr);
-	I2NPMessage * CreateDatabaseStoreMsg (const i2p::data::LeaseSet * leaseSet, uint32_t replyToken = 0);		
-
-	I2NPBuildRequestRecordClearText CreateBuildRequestRecord (
-		const uint8_t * ourIdent, uint32_t receiveTunnelID, 
-	    const uint8_t * nextIdent, uint32_t nextTunnelID, 
-	    const uint8_t * layerKey,const uint8_t * ivKey,                                                                 
-	    const uint8_t * replyKey, const uint8_t * replyIV, uint32_t nextMessageID,
-	          bool isGateway, bool isEndpoint);
-	void EncryptBuildRequestRecord (const i2p::data::RouterInfo& router, 
-		const I2NPBuildRequestRecordClearText& clearText,
-	    I2NPBuildRequestRecordElGamalEncrypted& record);
-	
-	bool HandleBuildRequestRecords (int num, I2NPBuildRequestRecordElGamalEncrypted * records, I2NPBuildRequestRecordClearText& clearText);
+	std::shared_ptr<I2NPMessage> CreateDatabaseStoreMsg (std::shared_ptr<const i2p::data::RouterInfo> router = nullptr, uint32_t replyToken = 0);
+	std::shared_ptr<I2NPMessage> CreateDatabaseStoreMsg (std::shared_ptr<const i2p::data::LeaseSet> leaseSet, uint32_t replyToken = 0);		
+		
+	bool HandleBuildRequestRecords (int num, uint8_t * records, uint8_t * clearText);
 	void HandleVariableTunnelBuildMsg (uint32_t replyMsgID, uint8_t * buf, size_t len);
 	void HandleVariableTunnelBuildReplyMsg (uint32_t replyMsgID, uint8_t * buf, size_t len);
 	void HandleTunnelBuildMsg (uint8_t * buf, size_t len);	

 	I2NPMessage * CreateTunnelDataMsg (const uint8_t * buf);	
 	I2NPMessage * CreateTunnelDataMsg (uint32_t tunnelID, const uint8_t * payload);		
+	std::shared_ptr<I2NPMessage> CreateEmptyTunnelDataMsg ();
 	
-	void HandleTunnelGatewayMsg (I2NPMessage * msg);
 	I2NPMessage * CreateTunnelGatewayMsg (uint32_t tunnelID, const uint8_t * buf, size_t len);
 	I2NPMessage * CreateTunnelGatewayMsg (uint32_t tunnelID, I2NPMessageType msgType, 
 		const uint8_t * buf, size_t len, uint32_t replyMsgID = 0);
-	I2NPMessage * CreateTunnelGatewayMsg (uint32_t tunnelID, I2NPMessage * msg);
+	std::shared_ptr<I2NPMessage> CreateTunnelGatewayMsg (uint32_t tunnelID, std::shared_ptr<I2NPMessage> msg);

 	size_t GetI2NPMessageLength (const uint8_t * msg);
 	void HandleI2NPMessage (uint8_t * msg, size_t len);
-	void HandleI2NPMessage (I2NPMessage * msg);
+	void HandleI2NPMessage (std::shared_ptr<I2NPMessage> msg);
+
+	class I2NPMessagesHandler
+	{
+		public:
+
+			~I2NPMessagesHandler ();
+			void PutNextMessage (std::shared_ptr<I2NPMessage> msg);
+			void Flush ();
+			
+		private:
+
+			std::vector<std::shared_ptr<I2NPMessage> > m_TunnelMsgs, m_TunnelGatewayMsgs;
+	};
 }	

 #endif
--- a/I2PControl.cpp
+++ b/I2PControl.cpp
@@ -0,0 +1,416 @@
+// There is bug in boost 1.49 with gcc 4.7 coming with Debian Wheezy
+#define GCC47_BOOST149 ((BOOST_VERSION == 104900) && (__GNUC__ == 4) && (__GNUC_MINOR__ >= 7))
+
+#include "I2PControl.h"
+#include <sstream>
+#include <boost/lexical_cast.hpp>
+#include <boost/date_time/local_time/local_time.hpp>
+#include <boost/date_time/posix_time/posix_time.hpp>
+#if !GCC47_BOOST149
+#include <boost/property_tree/json_parser.hpp>
+#endif
+#include "Log.h"
+#include "NetDb.h"
+#include "RouterContext.h"
+#include "Daemon.h"
+#include "Tunnel.h"
+#include "Timestamp.h"
+#include "Transports.h"
+#include "version.h"
+
+namespace i2p
+{
+namespace client
+{
+	I2PControlService::I2PControlService (int port):
+		m_Password (I2P_CONTROL_DEFAULT_PASSWORD), m_IsRunning (false), m_Thread (nullptr),
+		m_Acceptor (m_Service, boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), port)),
+		m_ShutdownTimer (m_Service)
+	{
+		m_MethodHandlers[I2P_CONTROL_METHOD_AUTHENTICATE] = &I2PControlService::AuthenticateHandler; 
+		m_MethodHandlers[I2P_CONTROL_METHOD_ECHO] = &I2PControlService::EchoHandler; 
+		m_MethodHandlers[I2P_CONTROL_METHOD_I2PCONTROL] = &I2PControlService::I2PControlHandler; 
+		m_MethodHandlers[I2P_CONTROL_METHOD_ROUTER_INFO] = &I2PControlService::RouterInfoHandler; 
+		m_MethodHandlers[I2P_CONTROL_METHOD_ROUTER_MANAGER] = &I2PControlService::RouterManagerHandler; 
+		m_MethodHandlers[I2P_CONTROL_METHOD_NETWORK_SETTING] = &I2PControlService::NetworkSettingHandler; 
+
+		// RouterInfo
+		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_UPTIME] = &I2PControlService::UptimeHandler;
+		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_VERSION] = &I2PControlService::VersionHandler;
+		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_STATUS] = &I2PControlService::StatusHandler;
+		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_NETDB_KNOWNPEERS] = &I2PControlService::NetDbKnownPeersHandler;
+		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_NETDB_ACTIVEPEERS] = &I2PControlService::NetDbActivePeersHandler;
+		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_NET_STATUS] = &I2PControlService::NetStatusHandler;
+		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_TUNNELS_PARTICIPATING] = &I2PControlService::TunnelsParticipatingHandler;
+		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_BW_IB_1S] = &I2PControlService::InboundBandwidth1S ;
+		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_BW_OB_1S] = &I2PControlService::OutboundBandwidth1S ;
+
+		// RouterManager	
+		m_RouterManagerHandlers[I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN] = &I2PControlService::ShutdownHandler; 
+		m_RouterManagerHandlers[I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN_GRACEFUL] = &I2PControlService::ShutdownGracefulHandler;
+		m_RouterManagerHandlers[I2P_CONTROL_ROUTER_MANAGER_RESEED] = &I2PControlService::ReseedHandler;
+	}
+
+	I2PControlService::~I2PControlService ()
+	{
+		Stop ();
+	}
+
+	void I2PControlService::Start ()
+	{
+		if (!m_IsRunning)
+		{
+			Accept ();
+			m_IsRunning = true;
+			m_Thread = new std::thread (std::bind (&I2PControlService::Run, this));
+		}
+	}
+
+	void I2PControlService::Stop ()
+	{
+		if (m_IsRunning)
+		{
+			m_IsRunning = false;
+			m_Acceptor.cancel ();	
+			m_Service.stop ();
+			if (m_Thread)
+			{	
+				m_Thread->join (); 
+				delete m_Thread;
+				m_Thread = nullptr;
+			}	
+		}
+	}
+
+	void I2PControlService::Run () 
+	{ 
+		while (m_IsRunning)
+		{
+			try
+			{	
+				m_Service.run ();
+			}
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "I2PControl: ", ex.what ());
+			}	
+		}	
+	}
+
+	void I2PControlService::Accept ()
+	{
+		auto newSocket = std::make_shared<boost::asio::ip::tcp::socket> (m_Service);
+		m_Acceptor.async_accept (*newSocket, std::bind (&I2PControlService::HandleAccept, this,
+			std::placeholders::_1, newSocket));
+	}
+
+	void I2PControlService::HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<boost::asio::ip::tcp::socket> socket)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+			Accept ();
+
+		if (!ecode)
+		{
+			LogPrint (eLogInfo, "New I2PControl request from ", socket->remote_endpoint ());
+			std::this_thread::sleep_for (std::chrono::milliseconds(5));
+			ReadRequest (socket);	
+		}
+		else
+			LogPrint (eLogError, "I2PControl accept error: ",  ecode.message ());
+	}
+
+	void I2PControlService::ReadRequest (std::shared_ptr<boost::asio::ip::tcp::socket> socket)
+	{
+		auto request = std::make_shared<I2PControlBuffer>();
+		socket->async_read_some (
+#if BOOST_VERSION >= 104900
+			boost::asio::buffer (*request),  
+#else
+			boost::asio::buffer (request->data (), request->size ()), 
+#endif              
+			std::bind(&I2PControlService::HandleRequestReceived, this, 
+			std::placeholders::_1, std::placeholders::_2, socket, request));
+	}
+
+	void I2PControlService::HandleRequestReceived (const boost::system::error_code& ecode,
+ 		size_t bytes_transferred, std::shared_ptr<boost::asio::ip::tcp::socket> socket, 
+		std::shared_ptr<I2PControlBuffer> buf)
+	{
+		if (ecode)
+		{
+			LogPrint (eLogError, "I2PControl read error: ", ecode.message ());
+		}
+		else
+		{
+			try
+			{
+				bool isHtml = !memcmp (buf->data (), "POST", 4);
+				std::stringstream ss;
+				ss.write (buf->data (), bytes_transferred);
+				if (isHtml)
+				{
+					std::string header;
+					while (!ss.eof () && header != "\r")
+						std::getline(ss, header);
+					if (ss.eof ())
+					{
+						LogPrint (eLogError, "Malformed I2PControl request. HTTP header expected");
+						return; // TODO:
+					}
+				}
+#if GCC47_BOOST149
+				LogPrint (eLogError, "json_read is not supported due bug in boost 1.49 with gcc 4.7");
+#else
+				boost::property_tree::ptree pt;
+				boost::property_tree::read_json (ss, pt);
+
+				std::string method = pt.get<std::string>(I2P_CONTROL_PROPERTY_METHOD);
+				auto it = m_MethodHandlers.find (method);
+				if (it != m_MethodHandlers.end ())
+				{
+					std::ostringstream response;
+					response << "{\"id\":" << pt.get<std::string>(I2P_CONTROL_PROPERTY_ID) << ",\"result\":{";					
+
+					(this->*(it->second))(pt.get_child (I2P_CONTROL_PROPERTY_PARAMS), response);
+					response << "},\"jsonrpc\":\"2.0\"}";
+					SendResponse (socket, buf, response, isHtml);
+				}	
+				else
+					LogPrint (eLogWarning, "Unknown I2PControl method ", method);
+#endif
+			}
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "I2PControl handle request: ", ex.what ());
+			}
+			catch (...)
+			{
+				LogPrint (eLogError, "I2PControl handle request unknown exception");
+			}
+		}
+	}
+
+	void I2PControlService::InsertParam (std::ostringstream& ss, const std::string& name, int value) const
+	{
+		ss << "\"" << name << "\":" << value;
+	} 
+
+	void I2PControlService::InsertParam (std::ostringstream& ss, const std::string& name, const std::string& value) const
+	{
+		ss << "\"" << name << "\":";	
+		if (value.length () > 0)
+			ss << "\"" << value << "\"";
+		else
+			ss << "null";
+	} 
+		
+	void I2PControlService::InsertParam (std::ostringstream& ss, const std::string& name, double value) const
+	{
+		ss << "\"" << name << "\":" << std::fixed << std::setprecision(2) << value;
+	}	
+
+	void I2PControlService::SendResponse (std::shared_ptr<boost::asio::ip::tcp::socket> socket,
+		std::shared_ptr<I2PControlBuffer> buf, std::ostringstream& response, bool isHtml)
+	{
+		size_t len = response.str ().length (), offset = 0;
+		if (isHtml)
+		{
+			std::ostringstream header;
+			header << "HTTP/1.1 200 OK\r\n";
+			header << "Connection: close\r\n";
+			header << "Content-Length: " << boost::lexical_cast<std::string>(len) << "\r\n";
+			header << "Content-Type: application/json\r\n";
+			header << "Date: ";
+			auto facet = new boost::local_time::local_time_facet ("%a, %d %b %Y %H:%M:%S GMT");
+			header.imbue(std::locale (header.getloc(), facet));
+			header << boost::posix_time::second_clock::local_time() << "\r\n"; 
+			header << "\r\n";
+			offset = header.str ().size ();
+			memcpy (buf->data (), header.str ().c_str (), offset);
+		}	
+		memcpy (buf->data () + offset, response.str ().c_str (), len);
+		boost::asio::async_write (*socket, boost::asio::buffer (buf->data (), offset + len), 
+			boost::asio::transfer_all (),
+			std::bind(&I2PControlService::HandleResponseSent, this, 
+				std::placeholders::_1, std::placeholders::_2, socket, buf));
+	}
+
+	void I2PControlService::HandleResponseSent (const boost::system::error_code& ecode, std::size_t bytes_transferred,
+		std::shared_ptr<boost::asio::ip::tcp::socket> socket, std::shared_ptr<I2PControlBuffer> buf)
+	{
+		if (ecode)
+			LogPrint (eLogError, "I2PControl write error: ", ecode.message ());
+		socket->close ();
+	}
+
+// handlers
+
+	void I2PControlService::AuthenticateHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
+	{
+		int api = params.get<int> (I2P_CONTROL_PARAM_API);
+		auto password = params.get<std::string> (I2P_CONTROL_PARAM_PASSWORD);
+		LogPrint (eLogDebug, "I2PControl Authenticate API=", api, " Password=", password);
+		if (password != m_Password)
+			LogPrint (eLogError, "I2PControl Authenticate Invalid password ", password, " expected ", m_Password);
+		InsertParam (results, I2P_CONTROL_PARAM_API, api);
+		results << ",";
+		std::string token = boost::lexical_cast<std::string>(i2p::util::GetSecondsSinceEpoch ());
+		m_Tokens.insert (token);	
+		InsertParam (results, I2P_CONTROL_PARAM_TOKEN, token);
+	}	
+
+	void I2PControlService::EchoHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
+	{
+		auto echo = params.get<std::string> (I2P_CONTROL_PARAM_ECHO);
+		LogPrint (eLogDebug, "I2PControl Echo Echo=", echo);
+		InsertParam (results, I2P_CONTROL_PARAM_RESULT, echo);	
+	}
+
+
+// I2PControl
+
+	void I2PControlService::I2PControlHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
+	{
+		LogPrint (eLogDebug, "I2PControl I2PControl");
+		for (auto& it: params)
+		{
+			LogPrint (eLogDebug, it.first);
+			auto it1 = m_I2PControlHandlers.find (it.first);
+			if (it1 != m_I2PControlHandlers.end ())
+				(this->*(it1->second))(it.second.data ());	
+			else
+				LogPrint (eLogError, "I2PControl NetworkSetting unknown request ", it.first);			
+		}	
+	}
+
+// RouterInfo
+
+	void I2PControlService::RouterInfoHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
+	{
+		LogPrint (eLogDebug, "I2PControl RouterInfo");
+		for (auto it = params.begin (); it != params.end (); it++)
+		{
+			if (it != params.begin ()) results << ",";	
+			LogPrint (eLogDebug, it->first);
+			auto it1 = m_RouterInfoHandlers.find (it->first);
+			if (it1 != m_RouterInfoHandlers.end ())
+				(this->*(it1->second))(results);	
+			else
+				LogPrint (eLogError, "I2PControl RouterInfo unknown request ", it->first);
+		}
+	}
+
+	void I2PControlService::UptimeHandler (std::ostringstream& results)
+	{
+		InsertParam (results, I2P_CONTROL_ROUTER_INFO_UPTIME, (int)i2p::context.GetUptime ()*1000);	
+	}
+
+	void I2PControlService::VersionHandler (std::ostringstream& results)
+	{
+		InsertParam (results, I2P_CONTROL_ROUTER_INFO_VERSION, VERSION);	
+	}	
+
+	void I2PControlService::StatusHandler (std::ostringstream& results)
+	{
+		InsertParam (results, I2P_CONTROL_ROUTER_INFO_STATUS, "???"); // TODO:
+	}
+		
+	void I2PControlService::NetDbKnownPeersHandler (std::ostringstream& results)
+	{
+		InsertParam (results, I2P_CONTROL_ROUTER_INFO_NETDB_KNOWNPEERS, i2p::data::netdb.GetNumRouters ());	
+	}
+
+	void I2PControlService::NetDbActivePeersHandler (std::ostringstream& results)
+	{
+		InsertParam (results, I2P_CONTROL_ROUTER_INFO_NETDB_ACTIVEPEERS, (int)i2p::transport::transports.GetPeers ().size ());	
+	}
+
+	void I2PControlService::NetStatusHandler (std::ostringstream& results)
+	{
+		InsertParam (results, I2P_CONTROL_ROUTER_INFO_NET_STATUS, (int)i2p::context.GetStatus ());
+	}
+
+	void I2PControlService::TunnelsParticipatingHandler (std::ostringstream& results)
+	{
+		InsertParam (results, I2P_CONTROL_ROUTER_INFO_TUNNELS_PARTICIPATING, (int)i2p::tunnel::tunnels.GetTransitTunnels ().size ());
+	}
+
+	void I2PControlService::InboundBandwidth1S (std::ostringstream& results)
+	{
+		InsertParam (results, I2P_CONTROL_ROUTER_INFO_BW_IB_1S, (double)i2p::transport::transports.GetInBandwidth ());
+	}
+
+	void I2PControlService::OutboundBandwidth1S (std::ostringstream& results)
+	{
+		InsertParam (results, I2P_CONTROL_ROUTER_INFO_BW_OB_1S, (double)i2p::transport::transports.GetOutBandwidth ());
+	}
+
+// RouterManager
+	
+	void I2PControlService::RouterManagerHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
+	{
+		LogPrint (eLogDebug, "I2PControl RouterManager");
+		for (auto it = params.begin (); it != params.end (); it++)
+		{
+			if (it != params.begin ()) results << ",";	
+			LogPrint (eLogDebug, it->first);
+			auto it1 = m_RouterManagerHandlers.find (it->first);
+			if (it1 != m_RouterManagerHandlers.end ())
+				(this->*(it1->second))(results);	
+			else
+				LogPrint (eLogError, "I2PControl RouterManager unknown request ", it->first);			
+		}
+	}	
+
+
+	void I2PControlService::ShutdownHandler (std::ostringstream& results)	
+	{
+		LogPrint (eLogInfo, "Shutdown requested");
+		InsertParam (results, I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN, "");
+		m_ShutdownTimer.expires_from_now (boost::posix_time::seconds(1)); // 1 second to make sure response has been sent
+		m_ShutdownTimer.async_wait (
+			[](const boost::system::error_code& ecode)
+		    {
+				Daemon.running = 0; 
+			});
+	}
+
+	void I2PControlService::ShutdownGracefulHandler (std::ostringstream& results)
+	{
+		i2p::context.SetAcceptsTunnels (false);
+		int timeout = i2p::tunnel::tunnels.GetTransitTunnelsExpirationTimeout ();
+		LogPrint (eLogInfo, "Graceful shutdown requested. Will shutdown after ", timeout, " seconds");
+		InsertParam (results, I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN_GRACEFUL, "");
+		m_ShutdownTimer.expires_from_now (boost::posix_time::seconds(timeout + 1)); // + 1 second
+		m_ShutdownTimer.async_wait (
+			[](const boost::system::error_code& ecode)
+		    {
+				Daemon.running = 0; 
+			});
+	}
+
+	void I2PControlService::ReseedHandler (std::ostringstream& results)
+	{
+		LogPrint (eLogInfo, "Reseed requested");
+		InsertParam (results, I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN, "");	
+		i2p::data::netdb.Reseed ();
+	}
+
+// network setting
+	void I2PControlService::NetworkSettingHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
+	{
+		LogPrint (eLogDebug, "I2PControl NetworkSetting");
+		for (auto it = params.begin (); it != params.end (); it++)
+		{
+			if (it != params.begin ()) results << ",";	
+			LogPrint (eLogDebug, it->first);
+			auto it1 = m_NetworkSettingHandlers.find (it->first);
+			if (it1 != m_NetworkSettingHandlers.end ())
+				(this->*(it1->second))(it->second.data (), results);	
+			else
+				LogPrint (eLogError, "I2PControl NetworkSetting unknown request ", it->first);			
+		}
+	}
+
+}
+}
--- a/I2PControl.h
+++ b/I2PControl.h
@@ -0,0 +1,149 @@
+#ifndef I2P_CONTROL_H__
+#define I2P_CONTROL_H__
+
+#include <inttypes.h>
+#include <thread>
+#include <memory>
+#include <array>
+#include <string>
+#include <sstream>
+#include <map>
+#include <set>
+#include <boost/asio.hpp>
+#include <boost/property_tree/ptree.hpp>
+
+namespace i2p
+{
+namespace client
+{
+	const size_t I2P_CONTROL_MAX_REQUEST_SIZE = 1024;
+	typedef std::array<char, I2P_CONTROL_MAX_REQUEST_SIZE> I2PControlBuffer;		
+
+	const char I2P_CONTROL_DEFAULT_PASSWORD[] = "itoopie";	
+
+	const char I2P_CONTROL_PROPERTY_ID[] = "id";
+	const char I2P_CONTROL_PROPERTY_METHOD[] = "method";
+	const char I2P_CONTROL_PROPERTY_PARAMS[] = "params";
+	const char I2P_CONTROL_PROPERTY_RESULT[] = "result";
+
+	// methods	
+	const char I2P_CONTROL_METHOD_AUTHENTICATE[] = "Authenticate";
+	const char I2P_CONTROL_METHOD_ECHO[] = "Echo";
+	const char I2P_CONTROL_METHOD_I2PCONTROL[] = "I2PControl";		
+	const char I2P_CONTROL_METHOD_ROUTER_INFO[] = "RouterInfo";	
+	const char I2P_CONTROL_METHOD_ROUTER_MANAGER[] = "RouterManager";	
+	const char I2P_CONTROL_METHOD_NETWORK_SETTING[] = "NetworkSetting";	
+
+	// params
+	const char I2P_CONTROL_PARAM_API[] = "API";			
+	const char I2P_CONTROL_PARAM_PASSWORD[] = "Password";	
+	const char I2P_CONTROL_PARAM_TOKEN[] = "Token";	
+	const char I2P_CONTROL_PARAM_ECHO[] = "Echo";	
+	const char I2P_CONTROL_PARAM_RESULT[] = "Result";	
+
+	// I2PControl
+	const char I2P_CONTROL_I2PCONTROL_ADDRESS[] = "i2pcontrol.address";		
+	const char I2P_CONTROL_I2PCONTROL_PASSWORD[] = "i2pcontrol.password";
+	const char I2P_CONTROL_I2PCONTROL_PORT[] = "i2pcontrol.port";		
+
+	// RouterInfo requests
+	const char I2P_CONTROL_ROUTER_INFO_UPTIME[] = "i2p.router.uptime";
+	const char I2P_CONTROL_ROUTER_INFO_VERSION[] = "i2p.router.version";
+	const char I2P_CONTROL_ROUTER_INFO_STATUS[] = "i2p.router.status";	
+	const char I2P_CONTROL_ROUTER_INFO_NETDB_KNOWNPEERS[] = "i2p.router.netdb.knownpeers";
+	const char I2P_CONTROL_ROUTER_INFO_NETDB_ACTIVEPEERS[] = "i2p.router.netdb.activepeers";
+	const char I2P_CONTROL_ROUTER_INFO_NET_STATUS[] = "i2p.router.net.status";	
+	const char I2P_CONTROL_ROUTER_INFO_TUNNELS_PARTICIPATING[] = "i2p.router.net.tunnels.participating";
+	const char I2P_CONTROL_ROUTER_INFO_BW_IB_1S[] = "i2p.router.net.bw.inbound.1s";			
+	const char I2P_CONTROL_ROUTER_INFO_BW_OB_1S[] = "i2p.router.net.bw.outbound.1s";		
+
+	// RouterManager requests
+	const char I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN[] = "Shutdown";
+	const char I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN_GRACEFUL[] = "ShutdownGraceful";
+	const char I2P_CONTROL_ROUTER_MANAGER_RESEED[] = "Reseed";		
+
+	class I2PControlService
+	{
+		public:
+
+			I2PControlService (int port);
+			~I2PControlService ();
+
+			void Start ();
+			void Stop ();
+
+		private:
+
+			void Run ();
+			void Accept ();
+			void HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<boost::asio::ip::tcp::socket> socket);	
+			void ReadRequest (std::shared_ptr<boost::asio::ip::tcp::socket> socket);
+			void HandleRequestReceived (const boost::system::error_code& ecode, size_t bytes_transferred, 
+				std::shared_ptr<boost::asio::ip::tcp::socket> socket, std::shared_ptr<I2PControlBuffer> buf);
+			void SendResponse (std::shared_ptr<boost::asio::ip::tcp::socket> socket,
+				std::shared_ptr<I2PControlBuffer> buf, std::ostringstream& response, bool isHtml);
+			void HandleResponseSent (const boost::system::error_code& ecode, std::size_t bytes_transferred,
+				std::shared_ptr<boost::asio::ip::tcp::socket> socket, std::shared_ptr<I2PControlBuffer> buf);
+
+		private:
+
+			void InsertParam (std::ostringstream& ss, const std::string& name, int value) const;
+			void InsertParam (std::ostringstream& ss, const std::string& name, double value) const;
+			void InsertParam (std::ostringstream& ss, const std::string& name, const std::string& value) const;
+
+			// methods
+			typedef void (I2PControlService::*MethodHandler)(const boost::property_tree::ptree& params, std::ostringstream& results);
+
+			void AuthenticateHandler (const boost::property_tree::ptree& params, std::ostringstream& results);
+			void EchoHandler (const boost::property_tree::ptree& params, std::ostringstream& results);
+			void I2PControlHandler (const boost::property_tree::ptree& params, std::ostringstream& results);
+			void RouterInfoHandler (const boost::property_tree::ptree& params, std::ostringstream& results);
+			void RouterManagerHandler (const boost::property_tree::ptree& params, std::ostringstream& results);
+			void NetworkSettingHandler (const boost::property_tree::ptree& params, std::ostringstream& results);			
+
+			// I2PControl
+			typedef void (I2PControlService::*I2PControlRequestHandler)(const std::string& value);
+
+			// RouterInfo
+			typedef void (I2PControlService::*RouterInfoRequestHandler)(std::ostringstream& results);
+			void UptimeHandler (std::ostringstream& results);
+			void VersionHandler (std::ostringstream& results);
+			void StatusHandler (std::ostringstream& results);
+			void NetDbKnownPeersHandler (std::ostringstream& results);
+			void NetDbActivePeersHandler (std::ostringstream& results);	
+			void NetStatusHandler (std::ostringstream& results);		
+			void TunnelsParticipatingHandler (std::ostringstream& results);
+			void InboundBandwidth1S (std::ostringstream& results);
+			void OutboundBandwidth1S (std::ostringstream& results);
+
+			// RouterManager
+			typedef void (I2PControlService::*RouterManagerRequestHandler)(std::ostringstream& results);
+			void ShutdownHandler (std::ostringstream& results);
+			void ShutdownGracefulHandler (std::ostringstream& results);
+			void ReseedHandler (std::ostringstream& results);
+
+			// NetworkSetting
+			typedef void (I2PControlService::*NetworkSettingRequestHandler)(const std::string& value, std::ostringstream& results);	
+
+		private:
+
+			std::string m_Password;
+			bool m_IsRunning;
+			std::thread * m_Thread;	
+
+			boost::asio::io_service m_Service;
+			boost::asio::ip::tcp::acceptor m_Acceptor;
+			boost::asio::deadline_timer m_ShutdownTimer;
+			std::set<std::string> m_Tokens;
+			
+			std::map<std::string, MethodHandler> m_MethodHandlers;
+			std::map<std::string, I2PControlRequestHandler> m_I2PControlHandlers;
+			std::map<std::string, RouterInfoRequestHandler> m_RouterInfoHandlers;
+			std::map<std::string, RouterManagerRequestHandler> m_RouterManagerHandlers;
+			std::map<std::string, NetworkSettingRequestHandler> m_NetworkSettingHandlers;
+	};
+}
+}
+
+#endif
+
--- a/I2PEndian.cpp
+++ b/I2PEndian.cpp
@@ -5,6 +5,7 @@

 #include "LittleBigEndian.h"

+#ifdef NEEDS_LOCAL_ENDIAN
 uint16_t htobe16(uint16_t int16)
 {
 	BigEndian<uint16_t> u16(int16);
@@ -40,6 +41,7 @@ uint64_t be64toh(uint64_t big64)
 	LittleEndian<uint64_t> u64(big64);
 	return u64.raw_value;
 }
+#endif

 /* it can be used in Windows 8
 #include <Winsock2.h>
--- a/I2PEndian.h
+++ b/I2PEndian.h
@@ -1,5 +1,7 @@
 #ifndef I2PENDIAN_H__
 #define I2PENDIAN_H__
+#include <inttypes.h>
+#include <string.h>

 #if defined(__linux__) || defined(__FreeBSD_kernel__)
 #include <endian.h>
@@ -25,6 +27,7 @@
 #define le64toh(x) OSSwapLittleToHostInt64(x)

 #else
+#define NEEDS_LOCAL_ENDIAN
 #include <cstdint>
 uint16_t htobe16(uint16_t int16);
 uint32_t htobe32(uint32_t int32);
@@ -44,5 +47,73 @@ uint64_t be64toh(uint64_t big64);

 #endif

+inline uint16_t buf16toh(const void *buf)
+{
+	uint16_t b16;
+	memcpy(&b16, buf, sizeof(uint16_t));
+	return b16;
+}
+
+inline uint32_t buf32toh(const void *buf)
+{
+	uint32_t b32;
+	memcpy(&b32, buf, sizeof(uint32_t));
+	return b32;
+}
+
+inline uint64_t buf64toh(const void *buf)
+{
+	uint64_t b64;
+	memcpy(&b64, buf, sizeof(uint64_t));
+	return b64;
+}
+
+inline uint16_t bufbe16toh(const void *buf)
+{
+	return be16toh(buf16toh(buf));
+}
+
+inline uint32_t bufbe32toh(const void *buf)
+{
+	return be32toh(buf32toh(buf));
+}
+
+inline uint64_t bufbe64toh(const void *buf)
+{
+	return be64toh(buf64toh(buf));
+}
+
+inline void htobuf16(void *buf, uint16_t b16)
+{
+	memcpy(buf, &b16, sizeof(uint16_t));
+}
+
+inline void htobuf32(void *buf, uint32_t b32)
+{
+	memcpy(buf, &b32, sizeof(uint32_t));
+}
+
+inline void htobuf64(void *buf, uint64_t b64)
+{
+	memcpy(buf, &b64, sizeof(uint64_t));
+}
+
+inline void htobe16buf(void *buf, uint16_t big16)
+{
+	htobuf16(buf, htobe16(big16));
+}
+
+inline void htobe32buf(void *buf, uint32_t big32)
+{
+	htobuf32(buf, htobe32(big32));
+}
+
+inline void htobe64buf(void *buf, uint64_t big64)
+{
+	htobuf64(buf, htobe64(big64));
+}
+
+
+
 #endif // I2PENDIAN_H__

--- a/I2PService.cpp
+++ b/I2PService.cpp
@@ -0,0 +1,79 @@
+#include "Destination.h"
+#include "Identity.h"
+#include "ClientContext.h"
+#include "I2PService.h"
+
+
+namespace i2p
+{
+namespace client
+{
+	static const i2p::data::SigningKeyType I2P_SERVICE_DEFAULT_KEY_TYPE = i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA256_P256;
+
+	I2PService::I2PService (std::shared_ptr<ClientDestination> localDestination):
+		m_LocalDestination (localDestination ? localDestination :
+					i2p::client::context.CreateNewLocalDestination (false, I2P_SERVICE_DEFAULT_KEY_TYPE))
+	{
+	}
+	
+	I2PService::I2PService (i2p::data::SigningKeyType kt):
+		m_LocalDestination (i2p::client::context.CreateNewLocalDestination (false, kt))
+	{
+	}
+	
+	void I2PService::CreateStream (StreamRequestComplete streamRequestComplete, const std::string& dest, int port) {
+		assert(streamRequestComplete);
+		i2p::data::IdentHash identHash;
+		if (i2p::client::context.GetAddressBook ().GetIdentHash (dest, identHash))
+			m_LocalDestination->CreateStream (streamRequestComplete, identHash, port);
+		else
+		{
+			LogPrint (eLogWarning, "Remote destination ", dest, " not found");
+			streamRequestComplete (nullptr);
+		}
+	}
+
+	void TCPIPAcceptor::Start ()
+	{
+		m_Acceptor.listen ();
+		Accept ();
+	}
+
+	void TCPIPAcceptor::Stop ()
+	{
+		m_Acceptor.close();
+		m_Timer.cancel ();
+		ClearHandlers();
+	}
+
+	void TCPIPAcceptor::Accept ()
+	{
+		auto newSocket = std::make_shared<boost::asio::ip::tcp::socket> (GetService ());
+		m_Acceptor.async_accept (*newSocket, std::bind (&TCPIPAcceptor::HandleAccept, this,
+			std::placeholders::_1, newSocket));
+	}
+
+	void TCPIPAcceptor::HandleAccept (const boost::system::error_code& ecode, std::shared_ptr<boost::asio::ip::tcp::socket> socket)
+	{
+		if (!ecode)
+		{
+			LogPrint(eLogDebug,"--- ",GetName()," accepted");
+			auto handler = CreateHandler(socket);
+			if (handler) 
+			{
+				AddHandler(handler);
+				handler->Handle();
+			} 
+			else 
+				socket->close();
+			Accept();
+		}
+		else
+		{
+			if (ecode != boost::asio::error::operation_aborted)
+				LogPrint (eLogError,"--- ",GetName()," Closing socket on accept because: ", ecode.message ());
+		}
+	}
+
+}
+}
--- a/I2PService.h
+++ b/I2PService.h
@@ -0,0 +1,109 @@
+#ifndef I2PSERVICE_H__
+#define I2PSERVICE_H__
+
+#include <atomic>
+#include <mutex>
+#include <unordered_set>
+#include <memory>
+#include <boost/asio.hpp>
+#include "Destination.h"
+#include "Identity.h"
+
+namespace i2p
+{
+namespace client
+{
+	class I2PServiceHandler;
+	class I2PService
+	{
+		public:
+			I2PService (std::shared_ptr<ClientDestination> localDestination  = nullptr);
+			I2PService (i2p::data::SigningKeyType kt);
+			virtual ~I2PService () { ClearHandlers (); }
+
+			inline void AddHandler (std::shared_ptr<I2PServiceHandler> conn)
+			{
+				std::unique_lock<std::mutex> l(m_HandlersMutex);
+				m_Handlers.insert(conn);
+			}
+			inline void RemoveHandler (std::shared_ptr<I2PServiceHandler> conn)
+			{
+				std::unique_lock<std::mutex> l(m_HandlersMutex);
+				m_Handlers.erase(conn);
+			}
+			inline void ClearHandlers ()
+			{
+				std::unique_lock<std::mutex> l(m_HandlersMutex);
+				m_Handlers.clear();
+			}
+
+			inline std::shared_ptr<ClientDestination> GetLocalDestination () { return m_LocalDestination; }
+			inline void SetLocalDestination (std::shared_ptr<ClientDestination> dest) { m_LocalDestination = dest; }
+			void CreateStream (StreamRequestComplete streamRequestComplete, const std::string& dest, int port = 0);
+
+			inline boost::asio::io_service& GetService () { return m_LocalDestination->GetService (); }
+
+			virtual void Start () = 0;
+			virtual void Stop () = 0;
+
+			virtual const char* GetName() { return "Generic I2P Service"; }
+		private:
+
+			std::shared_ptr<ClientDestination> m_LocalDestination;
+			std::unordered_set<std::shared_ptr<I2PServiceHandler> > m_Handlers;
+			std::mutex m_HandlersMutex;
+	};
+
+	/*Simple interface for I2PHandlers, allows detection of finalization amongst other things */
+	class I2PServiceHandler
+	{
+		public:
+			I2PServiceHandler(I2PService * parent) : m_Service(parent), m_Dead(false) { }
+			virtual ~I2PServiceHandler() { }
+			//If you override this make sure you call it from the children
+			virtual void Handle() {}; //Start handling the socket
+		protected:
+			// Call when terminating or handing over to avoid race conditions
+			inline bool Kill () { return m_Dead.exchange(true); }
+			// Call to know if the handler is dead
+			inline bool Dead () { return m_Dead; }
+			// Call when done to clean up (make sure Kill is called first)
+			inline void Done (std::shared_ptr<I2PServiceHandler> me) { if(m_Service) m_Service->RemoveHandler(me); }
+			// Call to talk with the owner
+			inline I2PService * GetOwner() { return m_Service; }
+		private:
+			I2PService *m_Service;
+			std::atomic<bool> m_Dead; //To avoid cleaning up multiple times
+	};
+
+	/* TODO: support IPv6 too */
+	//This is a service that listens for connections on the IP network and interacts with I2P
+	class TCPIPAcceptor: public I2PService
+	{
+		public:
+			TCPIPAcceptor (int port, std::shared_ptr<ClientDestination> localDestination = nullptr) :
+				I2PService(localDestination),
+          m_Acceptor (GetService (), boost::asio::ip::tcp::endpoint (boost::asio::ip::tcp::v4 (), port)),
+				m_Timer (GetService ()) {}
+			TCPIPAcceptor (int port, i2p::data::SigningKeyType kt) :
+				I2PService(kt),
+				m_Acceptor (GetService (), boost::asio::ip::tcp::endpoint (boost::asio::ip::tcp::v4 (), port)),
+				m_Timer (GetService ()) {}
+			virtual ~TCPIPAcceptor () { TCPIPAcceptor::Stop(); }
+			//If you override this make sure you call it from the children
+			void Start ();
+			//If you override this make sure you call it from the children
+			void Stop ();
+		protected:
+			virtual std::shared_ptr<I2PServiceHandler> CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket) = 0;
+			virtual const char* GetName() { return "Generic TCP/IP accepting daemon"; }
+		private:
+			void Accept();
+			void HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<boost::asio::ip::tcp::socket> socket);
+			boost::asio::ip::tcp::acceptor m_Acceptor;
+			boost::asio::deadline_timer m_Timer;
+	};
+}
+}
+
+#endif
--- a/I2PTunnel.cpp
+++ b/I2PTunnel.cpp
@@ -1,7 +1,6 @@
-#include <boost/bind.hpp>
-#include "base64.h"
+#include <cassert>
+#include "Base.h"
 #include "Log.h"
-#include "NetDb.h"
 #include "Destination.h"
 #include "ClientContext.h"
 #include "I2PTunnel.h"
@@ -10,55 +9,75 @@ namespace i2p
 {
 namespace client
 {
-	I2PTunnelConnection::I2PTunnelConnection (I2PTunnel * owner, 
-	    boost::asio::ip::tcp::socket * socket, const i2p::data::LeaseSet * leaseSet): 
-		m_Socket (socket), m_Owner (owner) 
+	I2PTunnelConnection::I2PTunnelConnection (I2PService * owner, std::shared_ptr<boost::asio::ip::tcp::socket> socket,
+		std::shared_ptr<const i2p::data::LeaseSet> leaseSet, int port): 
+		I2PServiceHandler(owner), m_Socket (socket), m_RemoteEndpoint (socket->remote_endpoint ()),
+		m_IsQuiet (true)
 	{
-		m_Stream = m_Owner->GetLocalDestination ()->CreateStream (*leaseSet);
-		m_Stream->Send (m_Buffer, 0); // connect
-		StreamReceive ();
-		Receive ();
+		m_Stream = GetOwner()->GetLocalDestination ()->CreateStream (leaseSet, port);
 	}	

-	I2PTunnelConnection::I2PTunnelConnection (I2PTunnel * owner, i2p::stream::Stream * stream,  
-	    boost::asio::ip::tcp::socket * socket, const boost::asio::ip::tcp::endpoint& target):
-		m_Socket (socket), m_Stream (stream), m_Owner (owner)
+	I2PTunnelConnection::I2PTunnelConnection (I2PService * owner,
+	    std::shared_ptr<boost::asio::ip::tcp::socket> socket, std::shared_ptr<i2p::stream::Stream> stream):
+		I2PServiceHandler(owner), m_Socket (socket), m_Stream (stream),
+		m_RemoteEndpoint (socket->remote_endpoint ()), m_IsQuiet (true)
+	{
+	}
+
+	I2PTunnelConnection::I2PTunnelConnection (I2PService * owner, std::shared_ptr<i2p::stream::Stream> stream,
+	    std::shared_ptr<boost::asio::ip::tcp::socket> socket, const boost::asio::ip::tcp::endpoint& target, bool quiet):
+		I2PServiceHandler(owner), m_Socket (socket), m_Stream (stream),
+		m_RemoteEndpoint (target), m_IsQuiet (quiet)
 	{
-		if (m_Socket)
-			m_Socket->async_connect (target, boost::bind (&I2PTunnelConnection::HandleConnect,
-				this, boost::asio::placeholders::error));
 	}

 	I2PTunnelConnection::~I2PTunnelConnection ()
 	{
-		delete m_Socket;
 	}	

+	void I2PTunnelConnection::I2PConnect (const uint8_t * msg, size_t len)
+	{
+		if (m_Stream)
+		{
+			if (msg)
+				m_Stream->Send (msg, len); // connect and send
+			else	
+				m_Stream->Send (m_Buffer, 0); // connect
+		}
+		StreamReceive ();
+		Receive ();
+	}
+		
+	void I2PTunnelConnection::Connect ()
+	{
+		if (m_Socket)
+			m_Socket->async_connect (m_RemoteEndpoint, std::bind (&I2PTunnelConnection::HandleConnect,
+				shared_from_this (), std::placeholders::_1));
+	}	
+		
 	void I2PTunnelConnection::Terminate ()
-	{	
+	{
+		if (Kill()) return;
 		if (m_Stream)
 		{
 			m_Stream->Close ();
-			i2p::stream::DeleteStream (m_Stream);
-			m_Stream = nullptr;
+			m_Stream.reset ();
 		}	
 		m_Socket->close ();
-		if (m_Owner)
-			m_Owner->RemoveConnection (this);
-		//delete this;	
+		Done(shared_from_this ());
 	}			

 	void I2PTunnelConnection::Receive ()
 	{
 		m_Socket->async_read_some (boost::asio::buffer(m_Buffer, I2P_TUNNEL_CONNECTION_BUFFER_SIZE),                
-			boost::bind(&I2PTunnelConnection::HandleReceived, this, 
-			boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred));
+			std::bind(&I2PTunnelConnection::HandleReceived, shared_from_this (), 
+			std::placeholders::_1, std::placeholders::_2));
 	}	
 	
 	void I2PTunnelConnection::HandleReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred)
 	{
 		if (ecode)
-        {
+		{
 			LogPrint ("I2PTunnel read error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
@@ -66,8 +85,17 @@ namespace client
 		else
 		{	
 			if (m_Stream)
-				m_Stream->Send (m_Buffer, bytes_transferred);
-			Receive ();
+			{	
+				auto s = shared_from_this ();
+				m_Stream->AsyncSend (m_Buffer, bytes_transferred,
+					[s](const boost::system::error_code& ecode)
+				    {
+						if (!ecode)
+							s->Receive ();
+						else
+							s->Terminate ();
+					});
+			}	
 		}
 	}	

@@ -87,8 +115,8 @@ namespace client
 	{
 		if (m_Stream)
 			m_Stream->AsyncReceive (boost::asio::buffer (m_StreamBuffer, I2P_TUNNEL_CONNECTION_BUFFER_SIZE),
-				boost::bind (&I2PTunnelConnection::HandleStreamReceive, this,
-					boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred),
+				std::bind (&I2PTunnelConnection::HandleStreamReceive, shared_from_this (),
+					std::placeholders::_1, std::placeholders::_2),
 				I2P_TUNNEL_CONNECTION_MAX_IDLE);
 	}	

@@ -101,10 +129,13 @@ namespace client
 				Terminate ();
 		}
 		else
-		{
-			boost::asio::async_write (*m_Socket, boost::asio::buffer (m_StreamBuffer, bytes_transferred),
-        		boost::bind (&I2PTunnelConnection::HandleWrite, this, boost::asio::placeholders::error));
-		}
+			Write (m_StreamBuffer, bytes_transferred);
+	}
+
+	void I2PTunnelConnection::Write (const uint8_t * buf, size_t len)
+	{
+		m_Socket->async_send (boost::asio::buffer (buf, len),
+        	std::bind (&I2PTunnelConnection::HandleWrite, shared_from_this (), std::placeholders::_1));
 	}

 	void I2PTunnelConnection::HandleConnect (const boost::system::error_code& ecode)
@@ -112,173 +143,260 @@ namespace client
 		if (ecode)
 		{
 			LogPrint ("I2PTunnel connect error: ", ecode.message ());
-			if (ecode != boost::asio::error::operation_aborted)
-			{
-				if (m_Stream) m_Stream->Close ();
-				i2p::stream::DeleteStream (m_Stream);
-				m_Stream = nullptr;
-			}	
+			Terminate ();
 		}
 		else
 		{
 			LogPrint ("I2PTunnel connected");
-			StreamReceive ();
+			if (m_IsQuiet)
+				StreamReceive ();
+			else
+			{
+				// send destination first like received from I2P
+				std::string dest = m_Stream->GetRemoteIdentity ()->ToBase64 ();
+				dest += "\n";
+				memcpy (m_StreamBuffer, dest.c_str (), dest.size ());
+				HandleStreamReceive (boost::system::error_code (), dest.size ());
+			}	
 			Receive ();	
 		}
 	}

-	void I2PTunnel::AddConnection (I2PTunnelConnection * conn)
+	I2PTunnelConnectionHTTP::I2PTunnelConnectionHTTP (I2PService * owner, std::shared_ptr<i2p::stream::Stream> stream,
+		std::shared_ptr<boost::asio::ip::tcp::socket> socket, 
+		const boost::asio::ip::tcp::endpoint& target, const std::string& host):
+		I2PTunnelConnection (owner, stream, socket, target), m_Host (host), m_HeaderSent (false)
 	{
-		m_Connections.insert (conn);
 	}
-		
-	void I2PTunnel::RemoveConnection (I2PTunnelConnection * conn)
-	{
-		m_Connections.erase (conn);
-	}	
-	
-	void I2PTunnel::ClearConnections ()
-	{
-		for (auto it: m_Connections)
-			delete it;
-		m_Connections.clear ();
-	}	
-		
-	I2PClientTunnel::I2PClientTunnel (boost::asio::io_service& service, const std::string& destination, 
-		int port, ClientDestination * localDestination): 
-		I2PTunnel (service, localDestination ? localDestination : 
-			i2p::client::context.CreateNewLocalDestination (false, i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA256_P256)), 
-		m_Acceptor (service, boost::asio::ip::tcp::endpoint (boost::asio::ip::tcp::v4(), port)),
-		m_Timer (service), m_Destination (destination), m_DestinationIdentHash (nullptr), 
-		m_RemoteLeaseSet (nullptr)
-	{
-	}	

-	I2PClientTunnel::~I2PClientTunnel ()
+	void I2PTunnelConnectionHTTP::Write (const uint8_t * buf, size_t len)
 	{
-		Stop ();
+		if (m_HeaderSent)
+			I2PTunnelConnection::Write (buf, len);
+		else
+		{	
+			m_InHeader.clear ();
+			m_InHeader.write ((const char *)buf, len);
+			std::string line;
+			bool endOfHeader = false;
+			while (!endOfHeader)
+			{
+				std::getline(m_InHeader, line);
+				if (!m_InHeader.fail ())
+				{
+					if (line.find ("Host:") != std::string::npos)
+						m_OutHeader << "Host: " << m_Host << "\r\n";
+					else
+						m_OutHeader << line << "\n";
+					if (line == "\r") endOfHeader = true;
+				}
+				else
+					break;
+			}
+
+			if (endOfHeader)
+			{
+				m_OutHeader << m_InHeader.str (); // data right after header
+				m_HeaderSent = true;
+				I2PTunnelConnection::Write ((uint8_t *)m_OutHeader.str ().c_str (), m_OutHeader.str ().length ());
+			}
+		}	
 	}
-	
+
+	/* This handler tries to stablish a connection with the desired server and dies if it fails to do so */
+	class I2PClientTunnelHandler: public I2PServiceHandler, public std::enable_shared_from_this<I2PClientTunnelHandler>
+	{
+		public:
+			I2PClientTunnelHandler (I2PClientTunnel * parent, i2p::data::IdentHash destination,
+				int destinationPort, std::shared_ptr<boost::asio::ip::tcp::socket> socket):
+				I2PServiceHandler(parent), m_DestinationIdentHash(destination), 
+				m_DestinationPort (destinationPort), m_Socket(socket) {};
+			void Handle();
+			void Terminate();
+		private:
+			void HandleStreamRequestComplete (std::shared_ptr<i2p::stream::Stream> stream);
+			i2p::data::IdentHash m_DestinationIdentHash;
+			int m_DestinationPort;
+			std::shared_ptr<boost::asio::ip::tcp::socket> m_Socket;
+	};
+
+	void I2PClientTunnelHandler::Handle()
+	{
+		GetOwner()->GetLocalDestination ()->CreateStream ( 
+			std::bind (&I2PClientTunnelHandler::HandleStreamRequestComplete, shared_from_this(), std::placeholders::_1), 
+			m_DestinationIdentHash, m_DestinationPort);
+	}
+
+	void I2PClientTunnelHandler::HandleStreamRequestComplete (std::shared_ptr<i2p::stream::Stream> stream)
+	{
+		if (stream)
+		{
+			if (Kill()) return;
+			LogPrint (eLogInfo,"New I2PTunnel connection");
+			auto connection = std::make_shared<I2PTunnelConnection>(GetOwner(), m_Socket, stream);
+			GetOwner()->AddHandler (connection);
+			connection->I2PConnect ();
+			Done(shared_from_this());
+		}
+		else
+		{
+			LogPrint (eLogError,"I2P Client Tunnel Issue when creating the stream, check the previous warnings for more info.");
+			Terminate();
+		}
+	}
+
+	void I2PClientTunnelHandler::Terminate()
+	{
+		if (Kill()) return;
+		if (m_Socket)
+		{
+			m_Socket->close();
+			m_Socket = nullptr;
+		}
+		Done(shared_from_this());
+	}
+
+	I2PClientTunnel::I2PClientTunnel (const std::string& destination, int port, std::shared_ptr<ClientDestination> localDestination, int destinationPort): 
+		TCPIPAcceptor (port,localDestination), m_Destination (destination), m_DestinationIdentHash (nullptr), m_DestinationPort (destinationPort)
+	{}	
+
 	void I2PClientTunnel::Start ()
 	{
-		i2p::data::IdentHash identHash;
-		if (i2p::client::context.GetAddressBook ().GetIdentHash (m_Destination, identHash))
-			m_DestinationIdentHash = new i2p::data::IdentHash (identHash);	
-		if (!m_DestinationIdentHash)
-			LogPrint ("I2PTunnel unknown destination ", m_Destination);
-		m_Acceptor.listen ();
-		Accept ();
+		TCPIPAcceptor::Start ();
+		GetIdentHash();
 	}

 	void I2PClientTunnel::Stop ()
 	{
-		m_Acceptor.close();
-		m_Timer.cancel ();
-		ClearConnections ();
+		TCPIPAcceptor::Stop();
+		auto *originalIdentHash = m_DestinationIdentHash;
 		m_DestinationIdentHash = nullptr;
+		delete originalIdentHash;
 	}

-	void I2PClientTunnel::Accept ()
+	/* HACK: maybe we should create a caching IdentHash provider in AddressBook */
+	const i2p::data::IdentHash * I2PClientTunnel::GetIdentHash ()
 	{
-		auto newSocket = new boost::asio::ip::tcp::socket (GetService ());
-		m_Acceptor.async_accept (*newSocket, boost::bind (&I2PClientTunnel::HandleAccept, this,
-			boost::asio::placeholders::error, newSocket));
-	}	
-
-	void I2PClientTunnel::HandleAccept (const boost::system::error_code& ecode, boost::asio::ip::tcp::socket * socket)
-	{
-		if (!ecode)
+		if (!m_DestinationIdentHash)
 		{
-			if (!m_DestinationIdentHash)
-			{
-				i2p::data::IdentHash identHash;
-				if (i2p::client::context.GetAddressBook ().GetIdentHash (m_Destination, identHash))
-					m_DestinationIdentHash = new i2p::data::IdentHash (identHash);
-			}	
-			if (m_DestinationIdentHash)
-			{
-				// try to get a LeaseSet
-				m_RemoteLeaseSet = GetLocalDestination ()->FindLeaseSet (*m_DestinationIdentHash);
-				if (m_RemoteLeaseSet && m_RemoteLeaseSet->HasNonExpiredLeases ())
-					CreateConnection (socket);
-				else
-				{
-					i2p::data::netdb.RequestDestination (*m_DestinationIdentHash, true, GetLocalDestination ()->GetTunnelPool ());
-					m_Timer.expires_from_now (boost::posix_time::seconds (I2P_TUNNEL_DESTINATION_REQUEST_TIMEOUT));
-					m_Timer.async_wait (boost::bind (&I2PClientTunnel::HandleDestinationRequestTimer,
-						this, boost::asio::placeholders::error, socket));
-				}
-			}	
+			i2p::data::IdentHash identHash;
+			if (i2p::client::context.GetAddressBook ().GetIdentHash (m_Destination, identHash))
+				m_DestinationIdentHash = new i2p::data::IdentHash (identHash);
 			else
-			{
-				LogPrint ("Remote destination ", m_Destination, " not found");
-				delete socket;
-			}	
-				
-			Accept ();
+				LogPrint (eLogWarning,"Remote destination ", m_Destination, " not found");
 		}
+		return m_DestinationIdentHash;
+	}
+
+	std::shared_ptr<I2PServiceHandler> I2PClientTunnel::CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket)
+	{
+		const i2p::data::IdentHash *identHash = GetIdentHash();
+		if (identHash)
+			return  std::make_shared<I2PClientTunnelHandler>(this, *identHash, m_DestinationPort, socket);
 		else
-			delete socket;
+			return nullptr;
 	}

-	void I2PClientTunnel::HandleDestinationRequestTimer (const boost::system::error_code& ecode, boost::asio::ip::tcp::socket * socket)
-	{
-		if (ecode != boost::asio::error::operation_aborted)
-		{
-			if (m_DestinationIdentHash)
-			{
-				m_RemoteLeaseSet = GetLocalDestination ()->FindLeaseSet (*m_DestinationIdentHash);
-				CreateConnection (socket);
-				return;
-			}
-		}
-		delete socket;	
-	}
-
-	void I2PClientTunnel::CreateConnection (boost::asio::ip::tcp::socket * socket)
-	{
-		if (m_RemoteLeaseSet) // leaseSet found
-		{	
-			LogPrint ("New I2PTunnel connection");
-			auto connection = new I2PTunnelConnection (this, socket, m_RemoteLeaseSet);
-			AddConnection (connection);
-		}
-		else
-		{
-			LogPrint ("LeaseSet for I2PTunnel destination not found");
-			delete socket;
-		}	
-	}
-
-	I2PServerTunnel::I2PServerTunnel (boost::asio::io_service& service, const std::string& address, int port, 
-		ClientDestination * localDestination): I2PTunnel (service, localDestination),
-		m_Endpoint (boost::asio::ip::address::from_string (address), port)
+	I2PServerTunnel::I2PServerTunnel (const std::string& address, int port, 
+	    std::shared_ptr<ClientDestination> localDestination, int inport): 
+		I2PService (localDestination), m_Address (address), m_Port (port), m_IsAccessList (false)
 	{
+		m_PortDestination = localDestination->CreateStreamingDestination (inport > 0 ? inport : port);
 	}
 	
 	void I2PServerTunnel::Start ()
 	{
-		Accept ();
+		m_Endpoint.port (m_Port);	
+		boost::system::error_code ec;
+		auto addr = boost::asio::ip::address::from_string (m_Address, ec);
+		if (!ec)	
+		{
+			m_Endpoint.address (addr);
+			Accept ();
+		}
+		else
+		{
+			auto resolver = std::make_shared<boost::asio::ip::tcp::resolver>(GetService ());
+			resolver->async_resolve (boost::asio::ip::tcp::resolver::query (m_Address, ""), 
+				std::bind (&I2PServerTunnel::HandleResolve, this, 
+					std::placeholders::_1, std::placeholders::_2, resolver));
+		}	
 	}

 	void I2PServerTunnel::Stop ()
 	{
-		ClearConnections ();
+		ClearHandlers ();
 	}	

+	void I2PServerTunnel::HandleResolve (const boost::system::error_code& ecode, boost::asio::ip::tcp::resolver::iterator it, 
+		std::shared_ptr<boost::asio::ip::tcp::resolver> resolver)
+	{	
+		if (!ecode)
+		{	
+			auto addr = (*it).endpoint ().address ();
+			LogPrint (eLogInfo, "server tunnel ", (*it).host_name (), " has been resolved to ", addr);	
+			m_Endpoint.address (addr);
+			Accept ();	
+		}	
+		else
+			LogPrint (eLogError, "Unable to resolve server tunnel address: ", ecode.message ());
+	}
+
+	void I2PServerTunnel::SetAccessList (const std::set<i2p::data::IdentHash>& accessList)
+	{
+		m_AccessList = accessList;
+		m_IsAccessList = true;		
+	}
+
 	void I2PServerTunnel::Accept ()
 	{
+		if (m_PortDestination)
+			m_PortDestination->SetAcceptor (std::bind (&I2PServerTunnel::HandleAccept, this, std::placeholders::_1));
+
 		auto localDestination = GetLocalDestination ();	
 		if (localDestination)
-			localDestination->AcceptStreams (std::bind (&I2PServerTunnel::HandleAccept, this, std::placeholders::_1));
+		{
+			if (!localDestination->IsAcceptingStreams ()) // set it as default if not set yet
+				localDestination->AcceptStreams (std::bind (&I2PServerTunnel::HandleAccept, this, std::placeholders::_1));
+		}
 		else
 			LogPrint ("Local destination not set for server tunnel");
 	}

-	void I2PServerTunnel::HandleAccept (i2p::stream::Stream * stream)
+	void I2PServerTunnel::HandleAccept (std::shared_ptr<i2p::stream::Stream> stream)
 	{
 		if (stream)
-			new I2PTunnelConnection (this, stream, new boost::asio::ip::tcp::socket (GetService ()), m_Endpoint);
+		{	
+			if (m_IsAccessList)
+			{
+				if (!m_AccessList.count (stream->GetRemoteIdentity ()->GetIdentHash ()))
+				{
+					LogPrint (eLogWarning, "Address ", stream->GetRemoteIdentity ()->GetIdentHash ().ToBase32 (), " is not in white list. Incoming connection dropped");
+					stream->Close ();
+					return;
+				}
+			}
+			CreateI2PConnection (stream);
+		}	
+	}
+
+	void I2PServerTunnel::CreateI2PConnection (std::shared_ptr<i2p::stream::Stream> stream)
+	{
+		auto conn = std::make_shared<I2PTunnelConnection> (this, stream, std::make_shared<boost::asio::ip::tcp::socket> (GetService ()), GetEndpoint ());
+		AddHandler (conn);
+		conn->Connect ();
+	}
+
+	I2PServerTunnelHTTP::I2PServerTunnelHTTP (const std::string& address, int port, std::shared_ptr<ClientDestination> localDestination, int inport):
+		I2PServerTunnel (address, port, localDestination, inport)
+	{
+	}
+
+	void I2PServerTunnelHTTP::CreateI2PConnection (std::shared_ptr<i2p::stream::Stream> stream)
+	{
+		auto conn = std::make_shared<I2PTunnelConnectionHTTP> (this, stream, std::make_shared<boost::asio::ip::tcp::socket> (GetService ()), GetEndpoint (), GetAddress ());
+		AddHandler (conn);
+		conn->Connect ();
 	}
 }		
 }	
--- a/I2PTunnel.h
+++ b/I2PTunnel.h
@@ -4,10 +4,13 @@
 #include <inttypes.h>
 #include <string>
 #include <set>
+#include <memory>
+#include <sstream>
 #include <boost/asio.hpp>
 #include "Identity.h"
 #include "Destination.h"
 #include "Streaming.h"
+#include "I2PService.h"

 namespace i2p
 {
@@ -17,23 +20,28 @@ namespace client
 	const int I2P_TUNNEL_CONNECTION_MAX_IDLE = 3600; // in seconds	
 	const int I2P_TUNNEL_DESTINATION_REQUEST_TIMEOUT = 10; // in seconds

-	class I2PTunnel;
-	class I2PTunnelConnection
+
+	class I2PTunnelConnection: public I2PServiceHandler, public std::enable_shared_from_this<I2PTunnelConnection>
 	{
 		public:

-			I2PTunnelConnection (I2PTunnel * owner, boost::asio::ip::tcp::socket * socket,
-				const i2p::data::LeaseSet * leaseSet);
-			I2PTunnelConnection (I2PTunnel * owner, i2p::stream::Stream * stream,  boost::asio::ip::tcp::socket * socket, 
-				const boost::asio::ip::tcp::endpoint& target); 
+			I2PTunnelConnection (I2PService * owner, std::shared_ptr<boost::asio::ip::tcp::socket> socket,
+				std::shared_ptr<const i2p::data::LeaseSet> leaseSet, int port = 0); // to I2P
+			I2PTunnelConnection (I2PService * owner, std::shared_ptr<boost::asio::ip::tcp::socket> socket,
+				std::shared_ptr<i2p::stream::Stream> stream); // to I2P using simplified API 
+			I2PTunnelConnection (I2PService * owner, std::shared_ptr<i2p::stream::Stream> stream,  std::shared_ptr<boost::asio::ip::tcp::socket> socket, 
+				const boost::asio::ip::tcp::endpoint& target, bool quiet = true); // from I2P
 			~I2PTunnelConnection ();
-
-		private:
+			void I2PConnect (const uint8_t * msg = nullptr, size_t len = 0);
+			void Connect ();
+			
+		protected:

 			void Terminate ();	

 			void Receive ();
 			void HandleReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred);	
+			virtual void Write (const uint8_t * buf, size_t len); // can be overloaded
 			void HandleWrite (const boost::system::error_code& ecode);	

 			void StreamReceive ();
@@ -43,81 +51,103 @@ namespace client
 		private:

 			uint8_t m_Buffer[I2P_TUNNEL_CONNECTION_BUFFER_SIZE], m_StreamBuffer[I2P_TUNNEL_CONNECTION_BUFFER_SIZE];
-			boost::asio::ip::tcp::socket * m_Socket;
-			i2p::stream::Stream * m_Stream;
-			I2PTunnel * m_Owner;
-	};	
+			std::shared_ptr<boost::asio::ip::tcp::socket> m_Socket;
+			std::shared_ptr<i2p::stream::Stream> m_Stream;
+			boost::asio::ip::tcp::endpoint m_RemoteEndpoint;
+			bool m_IsQuiet; // don't send destination
+	};

-	class I2PTunnel
+	class I2PTunnelConnectionHTTP: public I2PTunnelConnection
 	{
 		public:
-
-			I2PTunnel (boost::asio::io_service& service, ClientDestination * localDestination): 
-				m_Service (service), m_LocalDestination (localDestination) {};
-			virtual ~I2PTunnel () { ClearConnections (); }; 
-
-			void AddConnection (I2PTunnelConnection * conn);
-			void RemoveConnection (I2PTunnelConnection * conn);	
-			void ClearConnections ();
-			ClientDestination * GetLocalDestination () { return m_LocalDestination; };
-			void SetLocalDestination (ClientDestination * dest) { m_LocalDestination = dest; }; 			
-
-			boost::asio::io_service& GetService () { return m_Service; };
 			
-		private:
+			I2PTunnelConnectionHTTP (I2PService * owner, std::shared_ptr<i2p::stream::Stream> stream,
+				std::shared_ptr<boost::asio::ip::tcp::socket> socket, 
+				const boost::asio::ip::tcp::endpoint& target, const std::string& host); 

-			boost::asio::io_service& m_Service;
-			ClientDestination * m_LocalDestination;
-			std::set<I2PTunnelConnection *> m_Connections;
-	};	
-	
-	class I2PClientTunnel: public I2PTunnel
+		protected:
+
+			void Write (const uint8_t * buf, size_t len);
+
+		private:
+		
+			std::string m_Host;
+			std::stringstream m_InHeader, m_OutHeader;
+			bool m_HeaderSent;
+	};
+
+	class I2PClientTunnel: public TCPIPAcceptor
 	{
+		protected:
+
+			// Implements TCPIPAcceptor
+			std::shared_ptr<I2PServiceHandler> CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket);
+			const char* GetName() { return "I2P Client Tunnel"; }
+
 		public:

-			I2PClientTunnel (boost::asio::io_service& service, const std::string& destination, int port,
-				ClientDestination * localDestination = nullptr);
-			~I2PClientTunnel ();				
+			I2PClientTunnel (const std::string& destination, int port, std::shared_ptr<ClientDestination> localDestination, int destinationPort = 0);
+			~I2PClientTunnel () {}
 	
 			void Start ();
 			void Stop ();

 		private:

-			void Accept ();
-			void HandleAccept (const boost::system::error_code& ecode, boost::asio::ip::tcp::socket * socket);
-			void HandleDestinationRequestTimer (const boost::system::error_code& ecode, boost::asio::ip::tcp::socket * socket);
-			void CreateConnection (boost::asio::ip::tcp::socket * socket);				
+			const i2p::data::IdentHash * GetIdentHash ();

-		private:
-
-			boost::asio::ip::tcp::acceptor m_Acceptor;
-			boost::asio::deadline_timer m_Timer;
 			std::string m_Destination;
 			const i2p::data::IdentHash * m_DestinationIdentHash;
-			const i2p::data::LeaseSet * m_RemoteLeaseSet;
+			int m_DestinationPort;	
 	};	

-	class I2PServerTunnel: public I2PTunnel
+	class I2PServerTunnel: public I2PService
 	{
 		public:

-			I2PServerTunnel (boost::asio::io_service& service, const std::string& address, int port, 
-				ClientDestination * localDestination);	
+			I2PServerTunnel (const std::string& address, int port, 
+				std::shared_ptr<ClientDestination> localDestination, int inport = 0);	

 			void Start ();
 			void Stop ();

+			void SetAccessList (const std::set<i2p::data::IdentHash>& accessList); 
+
+			const std::string& GetAddress() const { return m_Address; }
+			int GetPort () const { return m_Port; };
+			const boost::asio::ip::tcp::endpoint& GetEndpoint () const { return m_Endpoint; }
+
 		private:

+			void HandleResolve (const boost::system::error_code& ecode, boost::asio::ip::tcp::resolver::iterator it, 
+				std::shared_ptr<boost::asio::ip::tcp::resolver> resolver);
+
 			void Accept ();
-			void HandleAccept (i2p::stream::Stream * stream);
+			void HandleAccept (std::shared_ptr<i2p::stream::Stream> stream);
+			virtual void CreateI2PConnection (std::shared_ptr<i2p::stream::Stream> stream);

 		private:

-			boost::asio::ip::tcp::endpoint m_Endpoint;		
+			std::string m_Address;
+			int m_Port;
+			boost::asio::ip::tcp::endpoint m_Endpoint;	
+			std::shared_ptr<i2p::stream::StreamingDestination> m_PortDestination;
+			std::set<i2p::data::IdentHash> m_AccessList;
+			bool m_IsAccessList;			
 	};
-}		
+
+	class I2PServerTunnelHTTP: public I2PServerTunnel
+	{
+		public:
+
+			I2PServerTunnelHTTP (const std::string& address, int port, 
+				std::shared_ptr<ClientDestination> localDestination, int inport = 0);	
+
+		private:
+
+			void CreateI2PConnection (std::shared_ptr<i2p::stream::Stream> stream);	
+	};
+}
 }	

 #endif
--- a/Identity.cpp
+++ b/Identity.cpp
@@ -1,13 +1,12 @@
 #include <time.h>
 #include <stdio.h>
-#include <cryptopp/sha.h>
-#include <cryptopp/osrng.h>
-#include <cryptopp/dsa.h>
-#include "base64.h"
-#include "CryptoConst.h"
-#include "RouterContext.h"
-#include "Identity.h"
+#include <openssl/sha.h>
+#include <openssl/dh.h>
+#include <openssl/rand.h>
+#include "Crypto.h"
 #include "I2PEndian.h"
+#include "Log.h"
+#include "Identity.h"

 namespace i2p
 {
@@ -30,30 +29,98 @@ namespace data
 	IdentHash Identity::Hash () const
 	{
 		IdentHash hash;
-		CryptoPP::SHA256().CalculateDigest(hash, publicKey, DEFAULT_IDENTITY_SIZE);
+		SHA256(publicKey, DEFAULT_IDENTITY_SIZE, hash);
 		return hash;
 	}	
 	
 	IdentityEx::IdentityEx ():
-		m_Verifier (nullptr), m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
+		m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
 	{
 	}

 	IdentityEx::IdentityEx(const uint8_t * publicKey, const uint8_t * signingKey, SigningKeyType type)
 	{	
 		memcpy (m_StandardIdentity.publicKey, publicKey, sizeof (m_StandardIdentity.publicKey));
-		if (type == SIGNING_KEY_TYPE_ECDSA_SHA256_P256)
+		if (type != SIGNING_KEY_TYPE_DSA_SHA1)
 		{
-			memcpy (m_StandardIdentity.signingKey + 64, signingKey, 64);
+			size_t excessLen = 0;
+			uint8_t * excessBuf = nullptr;
+			switch (type)
+			{
+				case SIGNING_KEY_TYPE_ECDSA_SHA256_P256:
+				{	
+					size_t padding =  128 - i2p::crypto::ECDSAP256_KEY_LENGTH; // 64 = 128 - 64
+					RAND_bytes (m_StandardIdentity.signingKey, padding);
+					memcpy (m_StandardIdentity.signingKey + padding, signingKey, i2p::crypto::ECDSAP256_KEY_LENGTH);
+					break;
+				}
+				case SIGNING_KEY_TYPE_ECDSA_SHA384_P384:
+				{	
+					size_t padding = 128 - i2p::crypto::ECDSAP384_KEY_LENGTH; // 32 = 128 - 96
+					RAND_bytes (m_StandardIdentity.signingKey, padding);
+					memcpy (m_StandardIdentity.signingKey + padding, signingKey, i2p::crypto::ECDSAP384_KEY_LENGTH);
+					break;
+				}	
+				case SIGNING_KEY_TYPE_ECDSA_SHA512_P521:
+				{
+					memcpy (m_StandardIdentity.signingKey, signingKey, 128);
+					excessLen = i2p::crypto::ECDSAP521_KEY_LENGTH - 128; // 4 = 132 - 128
+					excessBuf = new uint8_t[excessLen];
+					memcpy (excessBuf, signingKey + 128, excessLen);
+					break;
+				}	
+				case SIGNING_KEY_TYPE_RSA_SHA256_2048:
+				{
+					memcpy (m_StandardIdentity.signingKey, signingKey, 128);
+					excessLen = i2p::crypto::RSASHA2562048_KEY_LENGTH - 128; // 128 = 256 - 128
+					excessBuf = new uint8_t[excessLen];
+					memcpy (excessBuf, signingKey + 128, excessLen);
+					break;
+				}	
+				case SIGNING_KEY_TYPE_RSA_SHA384_3072:
+				{
+					memcpy (m_StandardIdentity.signingKey, signingKey, 128);
+					excessLen = i2p::crypto::RSASHA3843072_KEY_LENGTH - 128; // 256 = 384 - 128
+					excessBuf = new uint8_t[excessLen];
+					memcpy (excessBuf, signingKey + 128, excessLen);
+					break;
+				}	
+				case SIGNING_KEY_TYPE_RSA_SHA512_4096:
+				{
+					memcpy (m_StandardIdentity.signingKey, signingKey, 128);
+					excessLen = i2p::crypto::RSASHA5124096_KEY_LENGTH - 128; // 384 = 512 - 128
+					excessBuf = new uint8_t[excessLen];
+					memcpy (excessBuf, signingKey + 128, excessLen);
+					break;
+				}	
+				case SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519:
+				{
+					size_t padding =  128 - i2p::crypto::EDDSA25519_PUBLIC_KEY_LENGTH; // 96 = 128 - 32
+					RAND_bytes (m_StandardIdentity.signingKey, padding);
+					memcpy (m_StandardIdentity.signingKey + padding, signingKey, i2p::crypto::EDDSA25519_PUBLIC_KEY_LENGTH);
+					break;
+				}	
+				default:
+					LogPrint ("Signing key type ", (int)type, " is not supported");
+			}	
+			m_ExtendedLen = 4 + excessLen; // 4 bytes extra + excess length
+			// fill certificate
 			m_StandardIdentity.certificate.type = CERTIFICATE_TYPE_KEY;
-			m_ExtendedLen = 4; // 4 bytes extra
-			m_StandardIdentity.certificate.length = htobe16 (4); 
+			m_StandardIdentity.certificate.length = htobe16 (m_ExtendedLen); 
+			// fill extended buffer
 			m_ExtendedBuffer = new uint8_t[m_ExtendedLen];
-			*(uint16_t *)m_ExtendedBuffer = htobe16 (SIGNING_KEY_TYPE_ECDSA_SHA256_P256);
-			*(uint16_t *)(m_ExtendedBuffer + 2) = htobe16 (CRYPTO_KEY_TYPE_ELGAMAL);
-			uint8_t buf[DEFAULT_IDENTITY_SIZE + 4];
-			ToBuffer (buf, DEFAULT_IDENTITY_SIZE + 4);
-			CryptoPP::SHA256().CalculateDigest(m_IdentHash, buf, GetFullLen ());
+			htobe16buf (m_ExtendedBuffer, type);
+			htobe16buf (m_ExtendedBuffer + 2, CRYPTO_KEY_TYPE_ELGAMAL);
+			if (excessLen && excessBuf)
+			{
+				memcpy (m_ExtendedBuffer + 4, excessBuf, excessLen);
+				delete[] excessBuf;
+			}	
+			// calculate ident hash
+			uint8_t * buf = new uint8_t[GetFullLen ()];
+			ToBuffer (buf, GetFullLen ());
+			SHA256(buf, GetFullLen (), m_IdentHash);
+			delete[] buf;
 		}
 		else // DSA-SHA1
 		{
@@ -67,20 +134,25 @@ namespace data
 	}	
 		
 	IdentityEx::IdentityEx (const uint8_t * buf, size_t len):
-		m_Verifier (nullptr), m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
+		m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
 	{
 		FromBuffer (buf, len);
 	}

 	IdentityEx::IdentityEx (const IdentityEx& other):
-		m_Verifier (nullptr), m_ExtendedBuffer (nullptr)
+		m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
 	{
 		*this = other;
 	}	
+
+	IdentityEx::IdentityEx (const Identity& standard):
+		m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
+	{
+		*this = standard;
+	}	
 		
 	IdentityEx::~IdentityEx ()
 	{
-		delete m_Verifier;
 		delete[] m_ExtendedBuffer;
 	}	

@@ -99,7 +171,6 @@ namespace data
 		else
 			m_ExtendedBuffer = nullptr;
 		
-		delete m_Verifier;
 		m_Verifier = nullptr;
 		
 		return *this;
@@ -114,7 +185,6 @@ namespace data
 		m_ExtendedBuffer = nullptr;
 		m_ExtendedLen = 0;

-		delete m_Verifier;
 		m_Verifier = nullptr;
 		
 		return *this;
@@ -122,23 +192,35 @@ namespace data
 		
 	size_t IdentityEx::FromBuffer (const uint8_t * buf, size_t len)
 	{
+		if (len < DEFAULT_IDENTITY_SIZE)
+		{
+			LogPrint (eLogError, "Identity buffer length ", len, " is too small");
+			return 0;
+		}	
 		memcpy (&m_StandardIdentity, buf, DEFAULT_IDENTITY_SIZE);

 		delete[] m_ExtendedBuffer;
 		if (m_StandardIdentity.certificate.length)
 		{
 			m_ExtendedLen = be16toh (m_StandardIdentity.certificate.length);
-			m_ExtendedBuffer = new uint8_t[m_ExtendedLen];
-			memcpy (m_ExtendedBuffer, buf + DEFAULT_IDENTITY_SIZE, m_ExtendedLen);
+			if (m_ExtendedLen + DEFAULT_IDENTITY_SIZE <= len)
+			{	
+				m_ExtendedBuffer = new uint8_t[m_ExtendedLen];
+				memcpy (m_ExtendedBuffer, buf + DEFAULT_IDENTITY_SIZE, m_ExtendedLen);
+			}	
+			else
+			{
+				LogPrint (eLogError, "Certificate length ", m_ExtendedLen, " exceeds buffer length ", len - DEFAULT_IDENTITY_SIZE);
+				return 0;
+			}	
 		}		
 		else
 		{
 			m_ExtendedLen = 0;
 			m_ExtendedBuffer = nullptr;
 		}	
-		CryptoPP::SHA256().CalculateDigest(m_IdentHash, buf, GetFullLen ());
+		SHA256(buf, GetFullLen (), m_IdentHash);
 		
-		delete m_Verifier;
 		m_Verifier = nullptr;
 		
 		return GetFullLen ();
@@ -154,11 +236,21 @@ namespace data

 	size_t IdentityEx::FromBase64(const std::string& s)
 	{
-		uint8_t buf[512];
-		auto len = Base64ToByteStream (s.c_str(), s.length(), buf, 512);
+		uint8_t buf[1024];
+		auto len = Base64ToByteStream (s.c_str(), s.length(), buf, 1024);
 		return FromBuffer (buf, len);
 	}	
-		
+	
+	std::string IdentityEx::ToBase64 () const
+	{
+		uint8_t buf[1024];
+		char str[1536];
+		size_t l = ToBuffer (buf, 1024);
+		size_t l1 = i2p::data::ByteStreamToBase64 (buf, l, str, 1536);
+		str[l1] = 0;
+		return std::string (str);
+	}
+	
 	size_t IdentityEx::GetSigningPublicKeyLen () const
 	{
 		if (!m_Verifier) CreateVerifier ();
@@ -167,6 +259,14 @@ namespace data
 		return 128;
 	}	

+	size_t IdentityEx::GetSigningPrivateKeyLen () const
+	{
+		if (!m_Verifier) CreateVerifier ();
+		if (m_Verifier)	
+			return m_Verifier->GetPrivateKeyLen ();
+		return GetSignatureLen ()/2;
+	}	
+		
 	size_t IdentityEx::GetSignatureLen () const
 	{	
 		if (!m_Verifier) CreateVerifier ();	
@@ -185,9 +285,16 @@ namespace data
 	SigningKeyType IdentityEx::GetSigningKeyType () const
 	{
 		if (m_StandardIdentity.certificate.type == CERTIFICATE_TYPE_KEY && m_ExtendedBuffer)				
-			return be16toh (*(const uint16_t *)m_ExtendedBuffer); // signing key
+			return bufbe16toh (m_ExtendedBuffer); // signing key
 		return SIGNING_KEY_TYPE_DSA_SHA1;
 	}	
+
+	CryptoKeyType IdentityEx::GetCryptoKeyType () const
+	{
+		if (m_StandardIdentity.certificate.type == CERTIFICATE_TYPE_KEY && m_ExtendedBuffer)				
+			return bufbe16toh (m_ExtendedBuffer + 2); // crypto key
+		return CRYPTO_KEY_TYPE_ELGAMAL;
+	}	
 		
 	void IdentityEx::CreateVerifier () const 
 	{
@@ -195,88 +302,218 @@ namespace data
 		switch (keyType)
 		{
 			case SIGNING_KEY_TYPE_DSA_SHA1:
-				m_Verifier = new i2p::crypto::DSAVerifier (m_StandardIdentity.signingKey);
+				m_Verifier.reset (new i2p::crypto::DSAVerifier (m_StandardIdentity.signingKey));
 			break;
 			case SIGNING_KEY_TYPE_ECDSA_SHA256_P256:
-				m_Verifier = new i2p::crypto::ECDSAP256Verifier (m_StandardIdentity.signingKey + 64);
-			break;	
+			{	
+				size_t padding =  128 - i2p::crypto::ECDSAP256_KEY_LENGTH; // 64 = 128 - 64
+				m_Verifier.reset (new i2p::crypto::ECDSAP256Verifier (m_StandardIdentity.signingKey + padding));
+				break;
+			}	
+			case SIGNING_KEY_TYPE_ECDSA_SHA384_P384:
+			{	
+				size_t padding = 128 - i2p::crypto::ECDSAP384_KEY_LENGTH; // 32 = 128 - 96
+				m_Verifier.reset (new i2p::crypto::ECDSAP384Verifier (m_StandardIdentity.signingKey + padding));
+				break;
+			}	
+			case SIGNING_KEY_TYPE_ECDSA_SHA512_P521:
+			{	
+				uint8_t signingKey[i2p::crypto::ECDSAP521_KEY_LENGTH];
+				memcpy (signingKey, m_StandardIdentity.signingKey, 128);
+				size_t excessLen = i2p::crypto::ECDSAP521_KEY_LENGTH - 128; // 4 = 132- 128
+				memcpy (signingKey + 128, m_ExtendedBuffer + 4, excessLen); // right after signing and crypto key types
+				m_Verifier.reset (new i2p::crypto::ECDSAP521Verifier (signingKey));
+				break;
+			}		
+			case SIGNING_KEY_TYPE_RSA_SHA256_2048:
+			{	
+				uint8_t signingKey[i2p::crypto::RSASHA2562048_KEY_LENGTH];
+				memcpy (signingKey, m_StandardIdentity.signingKey, 128);
+				size_t excessLen = i2p::crypto::RSASHA2562048_KEY_LENGTH - 128; // 128 = 256- 128
+				memcpy (signingKey + 128, m_ExtendedBuffer + 4, excessLen); // right after signing and crypto key types
+				m_Verifier.reset (new i2p::crypto:: RSASHA2562048Verifier (signingKey));
+				break;
+			}	
+			case SIGNING_KEY_TYPE_RSA_SHA384_3072:
+			{	
+				uint8_t signingKey[i2p::crypto::RSASHA3843072_KEY_LENGTH];
+				memcpy (signingKey, m_StandardIdentity.signingKey, 128);
+				size_t excessLen = i2p::crypto::RSASHA3843072_KEY_LENGTH - 128; // 256 = 384- 128
+				memcpy (signingKey + 128, m_ExtendedBuffer + 4, excessLen); // right after signing and crypto key types
+				m_Verifier.reset (new i2p::crypto:: RSASHA3843072Verifier (signingKey));
+				break;
+			}	
+			case SIGNING_KEY_TYPE_RSA_SHA512_4096:
+			{	
+				uint8_t signingKey[i2p::crypto::RSASHA5124096_KEY_LENGTH];
+				memcpy (signingKey, m_StandardIdentity.signingKey, 128);
+				size_t excessLen = i2p::crypto::RSASHA5124096_KEY_LENGTH - 128; // 384 = 512- 128
+				memcpy (signingKey + 128, m_ExtendedBuffer + 4, excessLen); // right after signing and crypto key types
+				m_Verifier.reset (new i2p::crypto:: RSASHA5124096Verifier (signingKey));
+				break;
+			}	
+			case SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519:
+			{
+				size_t padding =  128 - i2p::crypto::EDDSA25519_PUBLIC_KEY_LENGTH; // 96 = 128 - 32
+				m_Verifier.reset (new i2p::crypto::EDDSA25519Verifier (m_StandardIdentity.signingKey + padding));
+				break;
+			}	
 			default:
 				LogPrint ("Signing key type ", (int)keyType, " is not supported");
 		}			
 	}	
 	
+	void IdentityEx::DropVerifier () const
+	{
+		m_Verifier = nullptr; 
+	}
+
 	PrivateKeys& PrivateKeys::operator=(const Keys& keys)
 	{
-		m_Public = Identity (keys);
+		m_Public = std::make_shared<IdentityEx>(Identity (keys));
 		memcpy (m_PrivateKey, keys.privateKey, 256); // 256 
-		memcpy (m_SigningPrivateKey, keys.signingPrivateKey, 20); // 20 - DSA
-		delete m_Signer;
+		memcpy (m_SigningPrivateKey, keys.signingPrivateKey, m_Public->GetSigningPrivateKeyLen ());
+		m_Signer = nullptr;
 		CreateSigner ();
 		return *this;
 	}

 	PrivateKeys& PrivateKeys::operator=(const PrivateKeys& other)
 	{		
-		m_Public = other.m_Public;
+		m_Public = std::make_shared<IdentityEx>(*other.m_Public);
 		memcpy (m_PrivateKey, other.m_PrivateKey, 256); // 256 
-		memcpy (m_SigningPrivateKey, other.m_SigningPrivateKey, 128); // 128
-		delete m_Signer;
+		memcpy (m_SigningPrivateKey, other.m_SigningPrivateKey, m_Public->GetSigningPrivateKeyLen ()); 
+		m_Signer = nullptr;
 		CreateSigner ();
 		return *this;
 	}	
 		
 	size_t PrivateKeys::FromBuffer (const uint8_t * buf, size_t len)
 	{
-		size_t ret = m_Public.FromBuffer (buf, len);
+		m_Public = std::make_shared<IdentityEx>(buf, len);
+		size_t ret = m_Public->GetFullLen ();
 		memcpy (m_PrivateKey, buf + ret, 256); // private key always 256
 		ret += 256;
-		size_t signingPrivateKeySize = m_Public.GetSignatureLen ()/2; // 20 for DSA
+		size_t signingPrivateKeySize = m_Public->GetSigningPrivateKeyLen ();
 		memcpy (m_SigningPrivateKey, buf + ret, signingPrivateKeySize); 
 		ret += signingPrivateKeySize;
-		delete m_Signer;
+		m_Signer = nullptr;
 		CreateSigner ();
 		return ret;
 	}
 		
 	size_t PrivateKeys::ToBuffer (uint8_t * buf, size_t len) const
 	{
-		size_t ret = m_Public.ToBuffer (buf, len);
+		size_t ret = m_Public->ToBuffer (buf, len);
 		memcpy (buf + ret, m_PrivateKey, 256); // private key always 256
 		ret += 256;
-		size_t signingPrivateKeySize = m_Public.GetSignatureLen ()/2; // 20 for DSA
+		size_t signingPrivateKeySize = m_Public->GetSigningPrivateKeyLen (); 
 		memcpy (buf + ret, m_SigningPrivateKey, signingPrivateKeySize); 
 		ret += signingPrivateKeySize;
 		return ret;
 	}	

+	size_t PrivateKeys::FromBase64(const std::string& s)
+	{
+		uint8_t * buf = new uint8_t[s.length ()];
+		size_t l = i2p::data::Base64ToByteStream (s.c_str (), s.length (), buf, s.length ());
+		size_t ret = FromBuffer (buf, l);
+		delete[] buf;
+		return ret;
+	}	
+	
+	std::string PrivateKeys::ToBase64 () const
+	{
+		uint8_t * buf = new uint8_t[GetFullLen ()];
+		char * str = new char[GetFullLen ()*2];
+		size_t l = ToBuffer (buf, GetFullLen ());
+		size_t l1 = i2p::data::ByteStreamToBase64 (buf, l, str, GetFullLen ()*2);
+		str[l1] = 0;
+		delete[] buf;
+		std::string ret(str);
+		delete[] str;
+		return ret;
+	}
+
 	void PrivateKeys::Sign (const uint8_t * buf, int len, uint8_t * signature) const
 	{
 		if (m_Signer)
-			m_Signer->Sign (i2p::context.GetRandomNumberGenerator (), buf, len, signature);
+			m_Signer->Sign (buf, len, signature);
 	}			

 	void PrivateKeys::CreateSigner ()
 	{
-		if (m_Public.GetSigningKeyType () == SIGNING_KEY_TYPE_ECDSA_SHA256_P256)
-			m_Signer = new i2p::crypto::ECDSAP256Signer (m_SigningPrivateKey);
-		else
-			m_Signer = new i2p::crypto::DSASigner (m_SigningPrivateKey);
+		switch (m_Public->GetSigningKeyType ())
+		{	
+			case SIGNING_KEY_TYPE_DSA_SHA1:
+				m_Signer.reset (new i2p::crypto::DSASigner (m_SigningPrivateKey));
+			break;	
+			case SIGNING_KEY_TYPE_ECDSA_SHA256_P256:
+				m_Signer.reset (new i2p::crypto::ECDSAP256Signer (m_SigningPrivateKey));
+			break;
+			case SIGNING_KEY_TYPE_ECDSA_SHA384_P384:
+				m_Signer.reset (new i2p::crypto::ECDSAP384Signer (m_SigningPrivateKey));
+			break;	
+			case SIGNING_KEY_TYPE_ECDSA_SHA512_P521:
+				m_Signer.reset (new i2p::crypto::ECDSAP521Signer (m_SigningPrivateKey));
+			break;	
+			case SIGNING_KEY_TYPE_RSA_SHA256_2048:
+				m_Signer.reset (new i2p::crypto::RSASHA2562048Signer (m_SigningPrivateKey));
+			break;
+			case SIGNING_KEY_TYPE_RSA_SHA384_3072:
+				m_Signer.reset (new i2p::crypto::RSASHA3843072Signer (m_SigningPrivateKey));
+			break;
+			case SIGNING_KEY_TYPE_RSA_SHA512_4096:
+				m_Signer.reset (new i2p::crypto::RSASHA5124096Signer (m_SigningPrivateKey));
+			break;	
+			case SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519:
+				m_Signer.reset (new i2p::crypto::EDDSA25519Signer (m_SigningPrivateKey));
+			break;
+			default:
+				LogPrint ("Signing key type ", (int)m_Public->GetSigningKeyType (), " is not supported");
+		}
 	}	
 		
 	PrivateKeys PrivateKeys::CreateRandomKeys (SigningKeyType type)
 	{
-		if (type == SIGNING_KEY_TYPE_ECDSA_SHA256_P256)
+		if (type != SIGNING_KEY_TYPE_DSA_SHA1)
 		{
 			PrivateKeys keys;
-			auto& rnd = i2p::context.GetRandomNumberGenerator ();
+			// signature
+			uint8_t signingPublicKey[512]; // signing public key is 512 bytes max 
+			switch (type)
+			{	
+				case SIGNING_KEY_TYPE_ECDSA_SHA256_P256:
+					i2p::crypto::CreateECDSAP256RandomKeys (keys.m_SigningPrivateKey, signingPublicKey);
+				break;	
+				case SIGNING_KEY_TYPE_ECDSA_SHA384_P384:
+					i2p::crypto::CreateECDSAP384RandomKeys (keys.m_SigningPrivateKey, signingPublicKey);	
+				break;
+				case SIGNING_KEY_TYPE_ECDSA_SHA512_P521:
+					i2p::crypto::CreateECDSAP521RandomKeys (keys.m_SigningPrivateKey, signingPublicKey);	
+				break;	
+				case SIGNING_KEY_TYPE_RSA_SHA256_2048:
+					i2p::crypto::CreateRSARandomKeys (i2p::crypto::RSASHA2562048_KEY_LENGTH, keys.m_SigningPrivateKey, signingPublicKey);	
+				break;
+				case SIGNING_KEY_TYPE_RSA_SHA384_3072:
+					i2p::crypto::CreateRSARandomKeys (i2p::crypto::RSASHA3843072_KEY_LENGTH, keys.m_SigningPrivateKey, signingPublicKey);	
+				break;
+				case SIGNING_KEY_TYPE_RSA_SHA512_4096:
+					i2p::crypto::CreateRSARandomKeys (i2p::crypto::RSASHA5124096_KEY_LENGTH, keys.m_SigningPrivateKey, signingPublicKey);	
+				break;	
+				case SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519:
+					i2p::crypto::CreateEDDSA25519RandomKeys (keys.m_SigningPrivateKey, signingPublicKey);
+				break;
+				default:
+					LogPrint ("Signing key type ", (int)type, " is not supported. Create DSA-SHA1");
+					return PrivateKeys (i2p::data::CreateRandomKeys ()); // DSA-SHA1
+			}	
 			// encryption
 			uint8_t publicKey[256];
-			CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
-			dh.GenerateKeyPair(rnd, keys.m_PrivateKey, publicKey);
-			// signature
-			uint8_t signingPublicKey[64];
-			i2p::crypto::CreateECDSAP256RandomKeys (rnd, keys.m_SigningPrivateKey, signingPublicKey);
-			keys.m_Public = IdentityEx (publicKey, signingPublicKey, SIGNING_KEY_TYPE_ECDSA_SHA256_P256);
+			i2p::crypto::GenerateElGamalKeyPair (keys.m_PrivateKey, publicKey);
+			// identity
+			keys.m_Public = std::make_shared<IdentityEx> (publicKey, signingPublicKey, type);
+
 			keys.CreateSigner ();
 			return keys;
 		}	
@@ -286,12 +523,10 @@ namespace data
 	Keys CreateRandomKeys ()
 	{
 		Keys keys;		
-		auto& rnd = i2p::context.GetRandomNumberGenerator ();
 		// encryption
-		CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
-		dh.GenerateKeyPair(rnd, keys.privateKey, keys.publicKey);
+		i2p::crypto::GenerateElGamalKeyPair(keys.privateKey, keys.publicKey);
 		// signing
-		i2p::crypto::CreateDSARandomKeys (rnd, keys.signingPrivateKey, keys.signingKey);	
+		i2p::crypto::CreateDSARandomKeys (keys.signingPrivateKey, keys.signingKey);	
 		return keys;
 	}	

@@ -309,7 +544,7 @@ namespace data
 		sprintf((char *)(buf + 32), "%04i%02i%02i", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday);
 #endif		
 		IdentHash key;
-		CryptoPP::SHA256().CalculateDigest((uint8_t *)key, buf, 40);
+		SHA256(buf, 40, key);
 		return key;
 	}	
 	
--- a/Identity.h
+++ b/Identity.h
@@ -4,67 +4,19 @@
 #include <inttypes.h>
 #include <string.h>
 #include <string>
-#include "base64.h"
-#include "ElGamal.h"
+#include <memory>
+#include "Base.h"
 #include "Signature.h"

 namespace i2p
 {
 namespace data
 {
-	template<int sz>
-	class Tag
-	{
-		public:
-
-			Tag (const uint8_t * buf) { memcpy (m_Buf, buf, sz); };
-			Tag (const Tag<sz>& ) = default;
-#ifndef _WIN32 // FIXME!!! msvs 2013 can't compile it
-			Tag (Tag<sz>&& ) = default;
-#endif
-			Tag () = default;
-			
-			Tag<sz>& operator= (const Tag<sz>& ) = default;
-#ifndef _WIN32
-			Tag<sz>& operator= (Tag<sz>&& ) = default;
-#endif
-			
-			uint8_t * operator()() { return m_Buf; };
-			const uint8_t * operator()() const { return m_Buf; };
-
-			operator uint8_t * () { return m_Buf; };
-			operator const uint8_t * () const { return m_Buf; };
-			
-			const uint64_t * GetLL () const { return ll; };
-
-			bool operator== (const Tag<sz>& other) const { return !memcmp (m_Buf, other.m_Buf, sz); };
-			bool operator< (const Tag<sz>& other) const { return memcmp (m_Buf, other.m_Buf, sz) < 0; };
-
-			std::string ToBase64 () const
-			{
-				char str[sz*2];
-				int l = i2p::data::ByteStreamToBase64 (m_Buf, sz, str, sz*2);
-				str[l] = 0;
-				return std::string (str);
-			}
-
-			std::string ToBase32 () const
-			{
-				char str[sz*2];
-				int l = i2p::data::ByteStreamToBase32 (m_Buf, sz, str, sz*2);
-				str[l] = 0;
-				return std::string (str);
-			}	
-
-		private:
-
-			union // 8 bytes alignment
-			{	
-				uint8_t m_Buf[sz];
-				uint64_t ll[sz/8];
-			};		
-	};	
 	typedef Tag<32> IdentHash;
+	inline std::string GetIdentHashAbbreviation (const IdentHash& ident) 
+	{ 
+		return ident.ToBase64 ().substr (0, 4); 
+	}

 #pragma pack(1)
 	struct Keys
@@ -102,11 +54,18 @@ namespace data
 	Keys CreateRandomKeys ();
 	
 	const size_t DEFAULT_IDENTITY_SIZE = sizeof (Identity); // 387 bytes
-
+	
 	const uint16_t CRYPTO_KEY_TYPE_ELGAMAL = 0;
 	const uint16_t SIGNING_KEY_TYPE_DSA_SHA1 = 0;
 	const uint16_t SIGNING_KEY_TYPE_ECDSA_SHA256_P256 = 1;
+	const uint16_t SIGNING_KEY_TYPE_ECDSA_SHA384_P384 = 2;
+	const uint16_t SIGNING_KEY_TYPE_ECDSA_SHA512_P521 = 3;
+	const uint16_t SIGNING_KEY_TYPE_RSA_SHA256_2048 = 4;
+	const uint16_t SIGNING_KEY_TYPE_RSA_SHA384_3072 = 5;
+	const uint16_t SIGNING_KEY_TYPE_RSA_SHA512_4096 = 6;
+	const uint16_t SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519 = 7;
 	typedef uint16_t SigningKeyType;
+	typedef uint16_t CryptoKeyType;	
 	
 	class IdentityEx
 	{
@@ -117,21 +76,27 @@ namespace data
 				SigningKeyType type = SIGNING_KEY_TYPE_DSA_SHA1);
 			IdentityEx (const uint8_t * buf, size_t len);
 			IdentityEx (const IdentityEx& other);
+			IdentityEx (const Identity& standard);
 			~IdentityEx ();
 			IdentityEx& operator=(const IdentityEx& other);
 			IdentityEx& operator=(const Identity& standard);

-			size_t FromBase64(const std::string& s);
 			size_t FromBuffer (const uint8_t * buf, size_t len);
 			size_t ToBuffer (uint8_t * buf, size_t len) const;
+			size_t FromBase64(const std::string& s);
+			std::string ToBase64 () const;
 			const Identity& GetStandardIdentity () const { return m_StandardIdentity; };
 			const IdentHash& GetIdentHash () const { return m_IdentHash; };
+			const uint8_t * GetEncryptionPublicKey () const { return m_StandardIdentity.publicKey; };
 			size_t GetFullLen () const { return m_ExtendedLen + DEFAULT_IDENTITY_SIZE; };
 			size_t GetSigningPublicKeyLen () const;
+			size_t GetSigningPrivateKeyLen () const;
 			size_t GetSignatureLen () const;
 			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const;
 			SigningKeyType GetSigningKeyType () const;
-			
+			CryptoKeyType GetCryptoKeyType () const;
+			void DropVerifier () const; // to save memory			
+
 		private:

 			void CreateVerifier () const;
@@ -140,7 +105,7 @@ namespace data

 			Identity m_StandardIdentity;
 			IdentHash m_IdentHash;
-			mutable i2p::crypto::Verifier * m_Verifier; 
+			mutable std::unique_ptr<i2p::crypto::Verifier> m_Verifier; 
 			size_t m_ExtendedLen;
 			uint8_t * m_ExtendedBuffer;
 	};	
@@ -149,22 +114,25 @@ namespace data
 	{
 		public:
 			
-			PrivateKeys (): m_Signer (nullptr) {};
-			PrivateKeys (const PrivateKeys& other): m_Signer (nullptr) { *this = other; };
-			PrivateKeys (const Keys& keys): m_Signer (nullptr) { *this = keys; };
+			PrivateKeys () = default;
+			PrivateKeys (const PrivateKeys& other) { *this = other; };
+			PrivateKeys (const Keys& keys) { *this = keys; };
 			PrivateKeys& operator=(const Keys& keys);
 			PrivateKeys& operator=(const PrivateKeys& other);
-			~PrivateKeys () { delete m_Signer; };
+			~PrivateKeys () = default;
 			
-			const IdentityEx& GetPublic () const { return m_Public; };
+			std::shared_ptr<const IdentityEx> GetPublic () const { return m_Public; };
 			const uint8_t * GetPrivateKey () const { return m_PrivateKey; };
 			const uint8_t * GetSigningPrivateKey () const { return m_SigningPrivateKey; };
 			void Sign (const uint8_t * buf, int len, uint8_t * signature) const;

-			size_t GetFullLen () const { return m_Public.GetFullLen () + 256 + m_Public.GetSignatureLen ()/2; };			
+			size_t GetFullLen () const { return m_Public->GetFullLen () + 256 + m_Public->GetSigningPrivateKeyLen (); }; 		
 			size_t FromBuffer (const uint8_t * buf, size_t len);
 			size_t ToBuffer (uint8_t * buf, size_t len) const;

+			size_t FromBase64(const std::string& s);
+			std::string ToBase64 () const;
+
 			static PrivateKeys CreateRandomKeys (SigningKeyType type = SIGNING_KEY_TYPE_DSA_SHA1);
 	
 		private:
@@ -173,10 +141,10 @@ namespace data
 			
 		private:

-			IdentityEx m_Public;
+			std::shared_ptr<IdentityEx> m_Public;
 			uint8_t m_PrivateKey[256];
-			uint8_t m_SigningPrivateKey[128]; // assume private key doesn't exceed 128 bytes
-			i2p::crypto::Signer * m_Signer;
+			uint8_t m_SigningPrivateKey[1024]; // assume private key doesn't exceed 1024 bytes
+			std::unique_ptr<i2p::crypto::Signer> m_Signer;
 	};

 	// kademlia
@@ -201,23 +169,12 @@ namespace data
 	{
 		public:

-			RoutingDestination (): m_ElGamalEncryption (nullptr) {};
-			virtual ~RoutingDestination () { delete m_ElGamalEncryption; };
+			RoutingDestination () {};
+			virtual ~RoutingDestination () {};
 			
 			virtual const IdentHash& GetIdentHash () const = 0;
 			virtual const uint8_t * GetEncryptionPublicKey () const = 0;
 			virtual bool IsDestination () const = 0; // for garlic 
-
-			i2p::crypto::ElGamalEncryption * GetElGamalEncryption () const
-			{
-				if (!m_ElGamalEncryption)
-					m_ElGamalEncryption = new i2p::crypto::ElGamalEncryption (GetEncryptionPublicKey ());
-				return m_ElGamalEncryption;
-			}
-			
-		private:
-
-			mutable i2p::crypto::ElGamalEncryption * m_ElGamalEncryption; // use lazy initialization
 	};	

 	class LocalDestination 
@@ -229,8 +186,8 @@ namespace data
 			virtual const uint8_t * GetEncryptionPrivateKey () const = 0; 
 			virtual const uint8_t * GetEncryptionPublicKey () const = 0; 

-			const IdentityEx& GetIdentity () const { return GetPrivateKeys ().GetPublic (); };
-			const IdentHash& GetIdentHash () const { return GetIdentity ().GetIdentHash (); };  
+			std::shared_ptr<const IdentityEx> GetIdentity () const { return GetPrivateKeys ().GetPublic (); };
+			const IdentHash& GetIdentHash () const { return GetIdentity ()->GetIdentHash (); };  
 			void Sign (const uint8_t * buf, int len, uint8_t * signature) const 
 			{ 
 				GetPrivateKeys ().Sign (buf, len, signature); 
--- a/354
+++ b/354
@@ -1,339 +1,27 @@
-GNU GENERAL PUBLIC LICENSE
-                       Version 2, June 1991
+Copyright (c) 2013-2015, The PurpleI2P Project

- Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
+All rights reserved.

-                            Preamble
+Redistribution and use in source and binary forms, with or without modification, are
+permitted provided that the following conditions are met:

-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Lesser General Public License instead.)  You can apply it to
-your programs, too.
+1. Redistributions of source code must retain the above copyright notice, this list of
+conditions and the following disclaimer.

-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
+2. Redistributions in binary form must reproduce the above copyright notice, this list of
+conditions and the following disclaimer in the documentation and/or other materials
+provided with the distribution.

-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
+3. Neither the name of the copyright holder nor the names of its contributors may be used
+to endorse or promote products derived from this software without specific prior written
+permission.

-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-                            NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    i2p router for Linux written on C++
-    Copyright (C) 2013  orignal
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License along
-    with this program; if not, write to the Free Software Foundation, Inc.,
-    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  {signature of Ty Coon}, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
+EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/LeaseSet.cpp
+++ b/LeaseSet.cpp
@@ -1,6 +1,6 @@
+#include <string.h>
 #include "I2PEndian.h"
-#include <cryptopp/dsa.h>
-#include "CryptoConst.h"
+#include "Crypto.h"
 #include "Log.h"
 #include "Timestamp.h"
 #include "NetDb.h"
@@ -12,21 +12,33 @@ namespace i2p
 namespace data
 {
 	
-	LeaseSet::LeaseSet (const uint8_t * buf, int len)
+	LeaseSet::LeaseSet (const uint8_t * buf, size_t len):
+		m_IsValid (true)
 	{
+		m_Buffer = new uint8_t[len];
 		memcpy (m_Buffer, buf, len);
 		m_BufferLen = len;
 		ReadFromBuffer ();
 	}

-	LeaseSet::LeaseSet (const i2p::tunnel::TunnelPool& pool)
+	LeaseSet::LeaseSet (const i2p::tunnel::TunnelPool& pool):
+		m_IsValid (true)
 	{	
 		// header
-		const i2p::data::LocalDestination& localDestination = pool.GetLocalDestination ();
-		m_BufferLen = localDestination.GetIdentity ().ToBuffer (m_Buffer, MAX_LS_BUFFER_SIZE);
-		memcpy (m_Buffer + m_BufferLen, localDestination.GetEncryptionPublicKey (), 256);
+		const i2p::data::LocalDestination * localDestination = pool.GetLocalDestination ();
+		if (!localDestination)
+		{
+			m_Buffer = nullptr;
+			m_BufferLen = 0;
+			m_IsValid = false;
+			LogPrint (eLogError, "Destination for local LeaseSet doesn't exist");
+			return;
+		}	
+		m_Buffer = new uint8_t[MAX_LS_BUFFER_SIZE];
+		m_BufferLen = localDestination->GetIdentity ()->ToBuffer (m_Buffer, MAX_LS_BUFFER_SIZE);
+		memcpy (m_Buffer + m_BufferLen, localDestination->GetEncryptionPublicKey (), 256);
 		m_BufferLen += 256;
-		auto signingKeyLen = localDestination.GetIdentity ().GetSigningPublicKeyLen ();
+		auto signingKeyLen = localDestination->GetIdentity ()->GetSigningPublicKeyLen ();
 		memset (m_Buffer + m_BufferLen, 0, signingKeyLen);
 		m_BufferLen += signingKeyLen;
 		auto tunnels = pool.GetInboundTunnels (5); // 5 tunnels maximum
@@ -35,71 +47,93 @@ namespace data
 		// leases
 		for (auto it: tunnels)
 		{	
-			Lease * lease = (Lease *)(m_Buffer + m_BufferLen);
-			memcpy (lease->tunnelGateway, it->GetNextIdentHash (), 32);
-			lease->tunnelID = htobe32 (it->GetNextTunnelID ());
-			uint64_t ts = it->GetCreationTime () + i2p::tunnel::TUNNEL_EXPIRATION_TIMEOUT - 60; // 1 minute before expiration
+			memcpy (m_Buffer + m_BufferLen, it->GetNextIdentHash (), 32);
+			m_BufferLen += 32; // gateway id
+			htobe32buf (m_Buffer + m_BufferLen, it->GetNextTunnelID ());
+			m_BufferLen += 4; // tunnel id
+			uint64_t ts = it->GetCreationTime () + i2p::tunnel::TUNNEL_EXPIRATION_TIMEOUT - i2p::tunnel::TUNNEL_EXPIRATION_THRESHOLD; // 1 minute before expiration
 			ts *= 1000; // in milliseconds
-			lease->endDate = htobe64 (ts);
-			m_BufferLen += sizeof (Lease);
-		}	
+			ts += rand () % 6; // + random milliseconds 0-5
+			htobe64buf (m_Buffer + m_BufferLen, ts);
+			m_BufferLen += 8; // end date
+		}
 		// signature
-		localDestination.Sign (m_Buffer, m_BufferLen, m_Buffer + m_BufferLen);
-		m_BufferLen += localDestination.GetIdentity ().GetSignatureLen (); 
+		localDestination->Sign (m_Buffer, m_BufferLen, m_Buffer + m_BufferLen);
+		m_BufferLen += localDestination->GetIdentity ()->GetSignatureLen (); 
 		LogPrint ("Local LeaseSet of ", tunnels.size (), " leases created");

 		ReadFromBuffer ();
 	}

-	void LeaseSet::Update (const uint8_t * buf, int len)
+	void LeaseSet::Update (const uint8_t * buf, size_t len)
 	{	
 		m_Leases.clear ();
+		if (len > m_BufferLen)
+		{
+			auto oldBuffer = m_Buffer;
+			m_Buffer = new uint8_t[len];
+			delete[] oldBuffer;
+		}	
 		memcpy (m_Buffer, buf, len);
 		m_BufferLen = len;
-		ReadFromBuffer ();
+		ReadFromBuffer (false);
 	}
 	
-	void LeaseSet::ReadFromBuffer ()	
+	void LeaseSet::ReadFromBuffer (bool readIdentity)	
 	{	
-		size_t size = m_Identity.FromBuffer (m_Buffer, m_BufferLen);
+		if (readIdentity || !m_Identity)
+			m_Identity = std::make_shared<IdentityEx>(m_Buffer, m_BufferLen);
+		size_t size = m_Identity->GetFullLen ();
 		memcpy (m_EncryptionKey, m_Buffer + size, 256);
 		size += 256; // encryption key
-		size += m_Identity.GetSigningPublicKeyLen (); // unused signing key
+		size += m_Identity->GetSigningPublicKeyLen (); // unused signing key
 		uint8_t num = m_Buffer[size];
 		size++; // num
 		LogPrint ("LeaseSet num=", (int)num);
+		if (!num)  m_IsValid = false;

 		// process leases
 		const uint8_t * leases = m_Buffer + size;
 		for (int i = 0; i < num; i++)
 		{
-			Lease lease = *(Lease *)leases;
-			lease.tunnelID = be32toh (lease.tunnelID);
-			lease.endDate = be64toh (lease.endDate);
+			Lease lease;
+			lease.tunnelGateway = leases;
+			leases += 32; // gateway
+			lease.tunnelID = bufbe32toh (leases);
+			leases += 4; // tunnel ID
+			lease.endDate = bufbe64toh (leases);
+			leases += 8; // end date
 			m_Leases.push_back (lease);
-			leases += sizeof (Lease);

 			// check if lease's gateway is in our netDb
 			if (!netdb.FindRouter (lease.tunnelGateway))
 			{
 				// if not found request it
-				LogPrint ("Lease's tunnel gateway not found. Requested");
+				LogPrint (eLogInfo, "Lease's tunnel gateway not found. Requested");
 				netdb.RequestDestination (lease.tunnelGateway);
 			}	
 		}	
 		
 		// verify
-		if (!m_Identity.Verify (m_Buffer, leases - m_Buffer, leases))
-			LogPrint ("LeaseSet verification failed");
+		if (!m_Identity->Verify (m_Buffer, leases - m_Buffer, leases))
+		{
+			LogPrint (eLogWarning, "LeaseSet verification failed");
+			m_IsValid = false;
+		}
 	}				
 	
-	const std::vector<Lease> LeaseSet::GetNonExpiredLeases () const
+	const std::vector<Lease> LeaseSet::GetNonExpiredLeases (bool withThreshold) const
 	{
 		auto ts = i2p::util::GetMillisecondsSinceEpoch ();
 		std::vector<Lease> leases;
 		for (auto& it: m_Leases)
-			if (ts < it.endDate)
+		{
+			auto endDate = it.endDate;
+			if (!withThreshold)
+				endDate -= i2p::tunnel::TUNNEL_EXPIRATION_THRESHOLD*1000;
+			if (ts < endDate)
 				leases.push_back (it);
+		}	
 		return leases;	
 	}	

--- a/LeaseSet.h
+++ b/LeaseSet.h
@@ -16,12 +16,9 @@ namespace tunnel

 namespace data
 {	
-	
-#pragma pack(1)
-
 	struct Lease
 	{
-		uint8_t tunnelGateway[32];
+		IdentHash tunnelGateway;
 		uint32_t tunnelID;
 		uint64_t endDate;

@@ -33,28 +30,26 @@ namespace data
 				return tunnelID < other.tunnelID; 
 		}	
 	};	
-	
-#pragma pack()	

-	const int MAX_LS_BUFFER_SIZE = 2048;	
+	const int MAX_LS_BUFFER_SIZE = 3072;	
 	class LeaseSet: public RoutingDestination
 	{
 		public:

-			LeaseSet (const uint8_t * buf, int len);
-			LeaseSet (const LeaseSet& ) = default;
+			LeaseSet (const uint8_t * buf, size_t len);
 			LeaseSet (const i2p::tunnel::TunnelPool& pool);
-			LeaseSet& operator=(const LeaseSet& ) = default;
-			void Update (const uint8_t * buf, int len);
-			const IdentityEx& GetIdentity () const { return m_Identity; };			
+			~LeaseSet () { delete[] m_Buffer; };
+			void Update (const uint8_t * buf, size_t len);
+			std::shared_ptr<const IdentityEx> GetIdentity () const { return m_Identity; };			

 			const uint8_t * GetBuffer () const { return m_Buffer; };
 			size_t GetBufferLen () const { return m_BufferLen; };	
+			bool IsValid () const { return m_IsValid; };

 			// implements RoutingDestination
-			const IdentHash& GetIdentHash () const { return m_Identity.GetIdentHash (); };
+			const IdentHash& GetIdentHash () const { return m_Identity->GetIdentHash (); };
 			const std::vector<Lease>& GetLeases () const { return m_Leases; };
-			const std::vector<Lease> GetNonExpiredLeases () const;
+			const std::vector<Lease> GetNonExpiredLeases (bool withThreshold = true) const;
 			bool HasExpiredLeases () const;
 			bool HasNonExpiredLeases () const;
 			const uint8_t * GetEncryptionPublicKey () const { return m_EncryptionKey; };
@@ -62,14 +57,15 @@ namespace data

 		private:

-			void ReadFromBuffer ();
+			void ReadFromBuffer (bool readIdentity = true);
 			
 		private:

+			bool m_IsValid;
 			std::vector<Lease> m_Leases;
-			IdentityEx m_Identity;
+			std::shared_ptr<const IdentityEx> m_Identity;
 			uint8_t m_EncryptionKey[256];
-			uint8_t m_Buffer[MAX_LS_BUFFER_SIZE];
+			uint8_t * m_Buffer;
 			size_t m_BufferLen;
 	};	
 }		
--- a/Log.cpp
+++ b/Log.cpp
@@ -1,5 +1,5 @@
-#include "Log.h"
 #include <boost/date_time/posix_time/posix_time.hpp>
+#include "Log.h"

 Log * g_Log = nullptr;

@@ -13,26 +13,50 @@ static const char * g_LogLevelStr[eNumLogLevels] =

 void LogMsg::Process()
 {
-	output << boost::posix_time::second_clock::local_time().time_of_day () <<  
-		"/" << g_LogLevelStr[level] << " - ";
+	auto& output = (log && log->GetLogStream ()) ? *log->GetLogStream () : std::cerr;	
+	if (log)	
+		output << log->GetTimestamp ();
+	else
+		output << boost::posix_time::second_clock::local_time().time_of_day ();
+	output << "/" << g_LogLevelStr[level] << " - ";
 	output << s.str();
 }

+const std::string& Log::GetTimestamp ()
+{
+#if (__GNUC__ == 4) && (__GNUC_MINOR__ <= 6)	
+	auto ts = std::chrono::monotonic_clock::now ();	
+#else	
+	auto ts = std::chrono::steady_clock::now ();	
+#endif	
+	if (ts > m_LastTimestampUpdate + std::chrono::milliseconds (500)) // 0.5 second
+	{
+		m_LastTimestampUpdate = ts;
+		m_Timestamp = boost::posix_time::to_simple_string (boost::posix_time::second_clock::local_time().time_of_day ());
+	}		
+	return m_Timestamp;
+}
+
 void Log::Flush ()
 {
-	if (m_LogFile)
-		m_LogFile->flush();
+	if (m_LogStream)
+		m_LogStream->flush();
 }

 void Log::SetLogFile (const std::string& fullFilePath)
 {
-	if (m_LogFile) delete m_LogFile;
-	m_LogFile = new std::ofstream (fullFilePath, std::ofstream::out | std::ofstream::binary | std::ofstream::trunc);
-	if (m_LogFile->is_open ())
-		LogPrint("Logging to file ",  fullFilePath, " enabled.");
-	else
+	auto logFile = new std::ofstream (fullFilePath, std::ofstream::out | std::ofstream::binary | std::ofstream::trunc);
+	if (logFile->is_open ())
 	{
-		delete m_LogFile;
-		m_LogFile = nullptr;
-	}
+		SetLogStream (logFile);
+		LogPrint("Logging to file ",  fullFilePath, " enabled.");
+	}	
+	else
+		delete logFile;
+}
+
+void Log::SetLogStream (std::ostream * logStream)
+{
+	if (m_LogStream) delete m_LogStream;	
+	m_LogStream = logStream;
 }
--- a/Log.h
+++ b/Log.h
@@ -6,6 +6,7 @@
 #include <sstream>
 #include <fstream>
 #include <functional>
+#include <chrono>
 #include "Queue.h"

 enum LogLevel
@@ -17,13 +18,14 @@ enum LogLevel
 	eNumLogLevels
 };

+class Log;
 struct LogMsg
 {
 	std::stringstream s;
-	std::ostream& output;	
+	Log * log;	
 	LogLevel level;

-	LogMsg (std::ostream& o = std::cout, LogLevel l = eLogInfo): output (o), level (l) {};
+	LogMsg (Log * l = nullptr, LogLevel lv = eLogInfo): log (l), level (lv) {};
 	
 	void Process();
 };
@@ -32,11 +34,13 @@ class Log: public i2p::util::MsgQueue<LogMsg>
 {
 	public:

-		Log (): m_LogFile (nullptr) { SetOnEmpty (std::bind (&Log::Flush, this)); };
-		~Log () { delete m_LogFile; };
+		Log (): m_LogStream (nullptr) { SetOnEmpty (std::bind (&Log::Flush, this)); };
+		~Log () { delete m_LogStream; };

 		void SetLogFile (const std::string& fullFilePath);
-		std::ofstream * GetLogFile () const { return m_LogFile; };	
+		void SetLogStream (std::ostream * logStream);
+		std::ostream * GetLogStream () const { return m_LogStream; };	
+		const std::string& GetTimestamp ();

 	private:

@@ -44,7 +48,13 @@ class Log: public i2p::util::MsgQueue<LogMsg>

 	private:
 		
-		std::ofstream * m_LogFile;
+		std::ostream * m_LogStream;
+		std::string m_Timestamp;
+#if (__GNUC__ == 4) && (__GNUC_MINOR__ <= 6) // gcc 4.6
+		std::chrono::monotonic_clock::time_point m_LastTimestampUpdate;
+#else		
+		std::chrono::steady_clock::time_point m_LastTimestampUpdate;	
+#endif		
 };

 extern Log * g_Log;
@@ -53,9 +63,21 @@ inline void StartLog (const std::string& fullFilePath)
 {
 	if (!g_Log)
 	{	
-		g_Log = new Log ();
+		auto log = new Log ();
 		if (fullFilePath.length () > 0)
-			g_Log->SetLogFile (fullFilePath);
+			log->SetLogFile (fullFilePath);
+		g_Log = log;
+	}	
+}
+
+inline void StartLog (std::ostream * s)
+{
+	if (!g_Log)
+	{	
+		auto log = new Log ();
+		if (s)
+			log->SetLogStream (s);
+		g_Log = log;
 	}	
 }

@@ -63,8 +85,10 @@ inline void StopLog ()
 {
 	if (g_Log)
 	{
-		delete g_Log;
+		auto log = g_Log;
 		g_Log = nullptr;
+		log->Stop ();
+		delete log;
 	}		
 }

@@ -84,8 +108,7 @@ void LogPrint (std::stringstream& s, TValue arg, TArgs... args)
 template<typename... TArgs>
 void LogPrint (LogLevel level, TArgs... args) 
 {
-	LogMsg * msg = (g_Log && g_Log->GetLogFile ()) ? new LogMsg (*g_Log->GetLogFile (), level) : 
-		new LogMsg (std::cout, level);
+	LogMsg * msg = new LogMsg (g_Log, level);
 	LogPrint (msg->s, args...);
 	msg->s << std::endl;
 	if (g_Log)	
--- a/84
+++ b/84
@@ -1,29 +1,85 @@
 UNAME := $(shell uname -s)
+SHLIB := libi2pd.so
+ARLIB := libi2pd.a
+SHLIB_CLIENT := libi2pdclient.so
+ARLIB_CLIENT := libi2pdclient.a
+I2PD  := i2p
+GREP := fgrep
+DEPS := obj/make.dep
+
+include filelist.mk
+
+USE_AESNI  := yes
+USE_STATIC := no

 ifeq ($(UNAME),Darwin)
+	DAEMON_SRC += DaemonLinux.cpp
 	include Makefile.osx
-else ifeq ($(UNAME), FreeBSD)
+else ifeq ($(shell echo $(UNAME) | $(GREP) -c FreeBSD),1)
+	DAEMON_SRC += DaemonLinux.cpp
 	include Makefile.bsd
-else
+else ifeq ($(UNAME),Linux)
+	DAEMON_SRC += DaemonLinux.cpp
 	include Makefile.linux
+else # win32
+	DAEMON_SRC += DaemonWin32.cpp
 endif

-all: obj i2p
+all: mk_build_dir $(SHLIB) $(SHLIB_CLIENT) $(ARLIB) $(ARLIB_CLIENT) $(I2PD)

-i2p: $(OBJECTS:obj/%=obj/%)
-	$(CXX) -o $@ $^ $(LDLIBS) $(LDFLAGS) $(LIBS)
-
-.SUFFIXES:
-.SUFFIXES:	.c .cc .C .cpp .o
-
-obj/%.o : %.cpp
-	$(CXX) -o $@ $< -c $(CXXFLAGS) $(NEEDED_CXXFLAGS) $(INCFLAGS) $(CPU_FLAGS)
-
-obj:
+mk_build_dir:
 	mkdir -p obj

+api: $(SHLIB) $(ARLIB)
+
+## NOTE: The NEEDED_CXXFLAGS are here so that CXXFLAGS can be specified at build time
+## **without** overwriting the CXXFLAGS which we need in order to build.
+## For example, when adding 'hardening flags' to the build
+## (e.g. -fstack-protector-strong -Wformat -Werror=format-security), we do not want to remove
+## -std=c++11. If you want to remove this variable please do so in a way that allows setting
+## custom FLAGS to work at build-time.
+
+deps:
+	@mkdir -p obj
+	$(CXX) $(CXXFLAGS) $(NEEDED_CXXFLAGS) -MM *.cpp > $(DEPS)
+	@sed -i -e '/\.o:/ s/^/obj\//' $(DEPS)
+
+obj/%.o : %.cpp
+	@mkdir -p obj
+	$(CXX) $(CXXFLAGS) $(NEEDED_CXXFLAGS) $(INCFLAGS) $(CPU_FLAGS) -c -o $@ $<
+
+# '-' is 'ignore if missing' on first run
+-include $(DEPS)
+
+$(I2PD):  $(patsubst %.cpp,obj/%.o,$(DAEMON_SRC)) $(ARLIB) $(ARLIB_CLIENT)
+	$(CXX) -o $@ $^ $(LDLIBS) $(LDFLAGS)
+
+$(SHLIB): $(patsubst %.cpp,obj/%.o,$(LIB_SRC))
+ifneq ($(USE_STATIC),yes)
+	$(CXX) $(LDFLAGS) $(LDLIBS) -shared -o $@ $^
+endif
+
+$(SHLIB_CLIENT): $(patsubst %.cpp,obj/%.o,$(LIB_CLIENT_SRC))
+	$(CXX) $(LDFLAGS) $(LDLIBS) -shared -o $@ $^
+
+$(ARLIB): $(patsubst %.cpp,obj/%.o,$(LIB_SRC))
+	ar -r $@ $^
+
+$(ARLIB_CLIENT): $(patsubst %.cpp,obj/%.o,$(LIB_CLIENT_SRC))
+	ar -r $@ $^
+
 clean:
-	rm -fr obj i2p
+	rm -rf obj
+	$(RM) $(I2PD) $(SHLIB) $(ARLIB) $(SHLIB_CLIENT) $(ARLIB_CLIENT)
+
+LATEST_TAG=$(shell git describe --tags --abbrev=0 master)
+dist:
+	git archive --format=tar.gz -9 --worktree-attributes \
+	    --prefix=i2pd_$(LATEST_TAG)/ $(LATEST_TAG) -o i2pd_$(LATEST_TAG).tar.gz

 .PHONY: all
 .PHONY: clean
+.PHONY: deps
+.PHONY: dist
+.PHONY: api
+.PHONY: mk_build_dir
--- a/Makefile.bsd
+++ b/Makefile.bsd
@@ -1,8 +1,12 @@
 CXX = g++
 CXXFLAGS = -O2
+## NOTE: NEEDED_CXXFLAGS is here so that custom CXXFLAGS can be specified at build time
+## **without** overwriting the CXXFLAGS which we need in order to build.
+## For example, when adding 'hardening flags' to the build
+## (e.g. -fstack-protector-strong -Wformat -Werror=format-security), we do not want to remove
+## -std=c++11. If you want to remove this variable please do so in a way that allows setting
+## custom FLAGS to work at build-time.
 NEEDED_CXXFLAGS = -std=c++11
-include filelist.mk
 INCFLAGS = -I/usr/include/ -I/usr/local/include/
 LDFLAGS = -Wl,-rpath,/usr/local/lib -L/usr/local/lib
-LDLIBS = -lcryptopp -lboost_system -lboost_date_time -lboost_filesystem -lboost_regex -lboost_program_options -lpthread
-LIBS =
+LDLIBS = -lcrypto -lssl -lz -lboost_system -lboost_date_time -lboost_filesystem -lboost_regex -lboost_program_options -lpthread
--- a/Makefile.linux
+++ b/Makefile.linux
@@ -1,37 +1,54 @@
 CXXFLAGS = -g -Wall
-CXXVER := $(shell $(CXX) -dumpversion)
-
-FGREP = fgrep
-IS_64 := $(shell $(CXX) -dumpmachine 2>&1 | $(FGREP) -c "64")
-USE_AESNI := yes
-ifeq ($(shell expr match ${CXXVER} "4\.[0-9][0-9]"),4) # >= 4.10
-NEEDED_CXXFLAGS += -std=c++11
-else ifeq ($(shell expr match ${CXXVER} "4\.[7-9]"),3) # >= 4.7
-NEEDED_CXXFLAGS += -std=c++11
-else ifeq ($(shell expr match ${CXXVER} "4\.6"),3) # = 4.6
-NEEDED_CXXFLAGS += -std=c++0x
-else ifeq ($(shell expr match $(CXX) 'clang'),5)
-NEEDED_CXXFLAGS += -std=c++11
-else # not supported
-$(error Compiler too old)
-endif
-
-LIBDIR := /usr/lib
-
-include filelist.mk
 INCFLAGS =
-ifeq ($(STATIC),yes)
-LDLIBS += $(LIBDIR)/libcryptopp.a $(LIBDIR)/libboost_system.a
-LDLIBS += $(LIBDIR)/libboost_date_time.a $(LIBDIR)/libboost_filesystem.a
-LDLIBS += $(LIBDIR)/libboost_regex.a $(LIBDIR)/libboost_program_options.a
-LDLIBS += -lpthread -static-libstdc++ -static-libgcc
-USE_AESNI := no
-else
-LDLIBS = -lcryptopp -lboost_system -lboost_date_time -lboost_filesystem -lboost_regex -lboost_program_options -lpthread
+
+## NOTE: The NEEDED_CXXFLAGS are here so that custom CXXFLAGS can be specified at build time
+## **without** overwriting the CXXFLAGS which we need in order to build.
+## For example, when adding 'hardening flags' to the build
+## (e.g. -fstack-protector-strong -Wformat -Werror=format-security), we do not want to remove
+## -std=c++11. If you want to remove this variable please do so in a way that allows setting
+## custom FLAGS to work at build-time.
+
+# detect proper flag for c++11 support by compilers
+CXXVER := $(shell $(CXX) -dumpversion)
+ifeq ($(shell expr match $(CXX) 'clang'),5)
+	NEEDED_CXXFLAGS += -std=c++11
+else ifeq ($(shell expr match ${CXXVER} "4\.[0-9][0-9]"),4) # gcc >= 4.10
+	NEEDED_CXXFLAGS += -std=c++11
+else ifeq ($(shell expr match ${CXXVER} "4\.[7-9]"),3) # >= 4.7
+	NEEDED_CXXFLAGS += -std=c++11
+else ifeq ($(shell expr match ${CXXVER} "4\.6"),3) # = 4.6
+	NEEDED_CXXFLAGS += -std=c++0x
+else ifeq ($(shell expr match ${CXXVER} "5\.[0-9]"),3) # gcc >= 5.0
+	NEEDED_CXXFLAGS += -std=c++11
+else # not supported
+	$(error Compiler too old)
 endif
-LIBS =

+NEEDED_CXXFLAGS += -fPIC

+ifeq ($(USE_STATIC),yes)
+  LIBDIR := /usr/lib
+  LDLIBS  = $(LIBDIR)/libboost_system.a
+  LDLIBS += $(LIBDIR)/libboost_date_time.a
+  LDLIBS += $(LIBDIR)/libboost_filesystem.a
+  LDLIBS += $(LIBDIR)/libboost_regex.a
+  LDLIBS += $(LIBDIR)/libboost_program_options.a
+  LDLIBS += $(LIBDIR)/libcrypto.a
+  LDLIBS += $(LIBDIR)/libssl.a
+  LDLIBS += $(LIBDIR)/libz.a
+  LDLIBS += -lpthread -static-libstdc++ -static-libgcc
+  USE_AESNI := no
+else
+  LDLIBS = -lcrypto -lssl -lz -lboost_system -lboost_date_time -lboost_filesystem -lboost_regex -lboost_program_options -lpthread
+endif
+
+# UPNP Support (miniupnpc 1.5 or 1.6)
+ifeq ($(USE_UPNP),1)
+  LDFLAGS += -ldl
+  CXXFLAGS += -DUSE_UPNP
+endif
+
+IS_64 := $(shell $(CXX) -dumpmachine 2>&1 | $(GREP) -c "64")
 ifeq ($(USE_AESNI),yes)
 ifeq ($(IS_64),1)
 #check if AES-NI is supported by CPU
@@ -40,4 +57,3 @@ ifneq ($(shell grep -c aes /proc/cpuinfo),0)
 endif
 endif
 endif
-
--- a/Makefile.mingw
+++ b/Makefile.mingw
@@ -0,0 +1,6 @@
+CXX = g++
+CXXFLAGS = -O2 -D_MT -DWIN32 -D_WINDOWS -DWIN32_LEAN_AND_MEAN
+NEEDED_CXXFLAGS = -std=c++11
+INCFLAGS = -I/usr/include/ -I/usr/local/include/ -I/c/dev/openssl/include -I/c/dev/boost/include/boost-1_59 
+LDFLAGS = -Wl,-rpath,/usr/local/lib -L/usr/local/lib -L/c/dev/openssl -L/c/dev/boost/lib
+LDLIBS = -lboost_system-mgw48-mt-1_59 -lboost_date_time-mgw48-mt-1_59 -lboost_filesystem-mgw48-mt-1_59 -lboost_regex-mgw48-mt-1_59 -lboost_program_options-mgw48-mt-1_59 -lssl -lcrypto -lz -lpthread -lwsock32 -lws2_32 -lgdi32
--- a/Makefile.osx
+++ b/Makefile.osx
@@ -1,27 +1,25 @@
 CXX = clang++
-CXXFLAGS = -g -Wall -std=c++11 -lstdc++ -I/usr/local/include
-include filelist.mk
-INCFLAGS = -DCRYPTOPP_DISABLE_ASM
+CXXFLAGS = -g -Wall -std=c++11 -DCRYPTOPP_DISABLE_ASM -DMAC_OSX
+#CXXFLAGS = -g -O2 -Wall -std=c++11 -DCRYPTOPP_DISABLE_ASM
+INCFLAGS = -I/usr/local/include
 LDFLAGS = -Wl,-rpath,/usr/local/lib -L/usr/local/lib
 LDLIBS = -lcryptopp -lboost_system -lboost_date_time -lboost_filesystem -lboost_regex -lboost_program_options -lpthread
-LIBS =
+
+ifeq ($(USE_UPNP),1)
+  LDFLAGS += -ldl
+  CXXFLAGS += -DUSE_UPNP
+endif

 # OSX Notes
 # http://www.hutsby.net/2011/08/macs-with-aes-ni.html
 # Seems like all recent Mac's have AES-NI, after firmware upgrade 2.2
 # Found no good way to detect it from command line. TODO: Might be some osx sysinfo magic
-CXXFLAGS += -maes -DAESNI
-
-
-${PREFIX}:
-
-install: all
-	mkdir -p ${PREFIX}/
-	cp -r i2p ${PREFIX}/
-
-
-
-# Apple Mac OSX
-UNAME_S := $(shell uname -s)
-ifeq ($(UNAME_S),Darwin)
+ifeq ($(USE_AESNI),yes)
+  CXXFLAGS += -maes -DAESNI
 endif
+
+# Disabled, since it will be the default make rule. I think its better
+# to define the default rule in Makefile and not Makefile.<ostype> - torkel
+#install: all
+#	test -d ${PREFIX} || mkdir -p ${PREFIX}/
+#	cp -r i2p ${PREFIX}/
--- a/NTCPSession.cpp
+++ b/NTCPSession.cpp
--- a/NTCPSession.h
+++ b/NTCPSession.h
@@ -2,12 +2,12 @@
 #define NTCP_SESSION_H__

 #include <inttypes.h>
-#include <list>
+#include <map>
+#include <memory>
+#include <thread>
+#include <mutex>
 #include <boost/asio.hpp>
-#include <cryptopp/modes.h>
-#include <cryptopp/aes.h>
-#include <cryptopp/adler32.h>
-#include "aes.h"
+#include "Crypto.h"
 #include "Identity.h"
 #include "RouterInfo.h"
 #include "I2NPProtocol.h"
@@ -35,55 +35,39 @@ namespace transport
 			uint8_t filler[12];
 		} encrypted;	
 	};	
-
-	struct NTCPPhase3
-	{
-		uint16_t size;
-		i2p::data::Identity ident;
-		uint32_t timestamp; 
-		uint8_t padding[15];
-		uint8_t signature[40];
-	};
-
-
-	struct NTCPPhase4
-	{
-		uint8_t signature[40];
-		uint8_t padding[8];
-	};
 	
 #pragma pack()	

 	const size_t NTCP_MAX_MESSAGE_SIZE = 16384; 
-	const size_t NTCP_BUFFER_SIZE = 1040; // fits one tunnel message (1028)
+	const size_t NTCP_BUFFER_SIZE = 4160; // fits 4 tunnel messages (4*1028)
 	const int NTCP_TERMINATION_TIMEOUT = 120; // 2 minutes
+	const size_t NTCP_DEFAULT_PHASE3_SIZE = 2/*size*/ + i2p::data::DEFAULT_IDENTITY_SIZE/*387*/ + 4/*ts*/ + 15/*padding*/ + 40/*signature*/; // 448 	
+	const int NTCP_BAN_EXPIRATION_TIMEOUT = 70; // in second

-	class NTCPSession: public TransportSession
+	class NTCPServer;
+	class NTCPSession: public TransportSession, public std::enable_shared_from_this<NTCPSession>
 	{
 		public:

-			NTCPSession (boost::asio::io_service& service, std::shared_ptr<const i2p::data::RouterInfo> in_RemoteRouter = nullptr);
+			NTCPSession (NTCPServer& server, std::shared_ptr<const i2p::data::RouterInfo> in_RemoteRouter = nullptr);
 			~NTCPSession ();
+			void Terminate ();
+			void Done ();

 			boost::asio::ip::tcp::socket& GetSocket () { return m_Socket; };
 			bool IsEstablished () const { return m_IsEstablished; };
 			
 			void ClientLogin ();
 			void ServerLogin ();
-			void SendI2NPMessage (I2NPMessage * msg);
-
-			size_t GetNumSentBytes () const { return m_NumSentBytes; };
-			size_t GetNumReceivedBytes () const { return m_NumReceivedBytes; };
-			
-		protected:
-
-			void Terminate ();
-			virtual void Connected ();
-			void SendTimeSyncMessage ();
-			void SetIsEstablished (bool isEstablished) { m_IsEstablished = isEstablished; }
+			void SendI2NPMessages (const std::vector<std::shared_ptr<I2NPMessage> >& msgs);
 			
 		private:

+			void PostI2NPMessages (std::vector<std::shared_ptr<I2NPMessage> > msgs);
+			void Connected ();
+			void SendTimeSyncMessage ();
+			void SetIsEstablished (bool isEstablished) { m_IsEstablished = isEstablished; }
+
 			void CreateAESKey (uint8_t * pubKey, i2p::crypto::AESKey& key);
 				
 			// client
@@ -95,10 +79,12 @@ namespace transport

 			//server
 			void SendPhase2 ();
-			void SendPhase4 (uint32_t tsB);
+			void SendPhase4 (uint32_t tsA, uint32_t tsB);
 			void HandlePhase1Received (const boost::system::error_code& ecode, std::size_t bytes_transferred);
 			void HandlePhase2Sent (const boost::system::error_code& ecode, std::size_t bytes_transferred, uint32_t tsB);
 			void HandlePhase3Received (const boost::system::error_code& ecode, std::size_t bytes_transferred, uint32_t tsB);
+			void HandlePhase3ExtraReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred, uint32_t tsB, size_t paddingLen);
+			void HandlePhase3 (uint32_t tsB, size_t paddingLen);
 			void HandlePhase4Sent (const boost::system::error_code& ecode,  std::size_t bytes_transferred);
 			
 			// common
@@ -106,68 +92,88 @@ namespace transport
 			void HandleReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred);
 			bool DecryptNextBlock (const uint8_t * encrypted);	
 		
-			void Send (i2p::I2NPMessage * msg);
-			void HandleSent (const boost::system::error_code& ecode, std::size_t bytes_transferred, i2p::I2NPMessage * msg);
-
-
+			void Send (std::shared_ptr<i2p::I2NPMessage> msg);
+			boost::asio::const_buffers_1 CreateMsgBuffer (std::shared_ptr<I2NPMessage> msg);
+			void Send (const std::vector<std::shared_ptr<I2NPMessage> >& msgs);
+			void HandleSent (const boost::system::error_code& ecode, std::size_t bytes_transferred, std::vector<std::shared_ptr<I2NPMessage> > msgs);
+			
+			
 			// timer
 			void ScheduleTermination ();
 			void HandleTerminationTimer (const boost::system::error_code& ecode);
 			
 		private:

+			NTCPServer& m_Server;
 			boost::asio::ip::tcp::socket m_Socket;
 			boost::asio::deadline_timer m_TerminationTimer;
-			bool m_IsEstablished;
+			bool m_IsEstablished, m_IsTerminated;
 			
 			i2p::crypto::CBCDecryption m_Decryption;
 			i2p::crypto::CBCEncryption m_Encryption;
-			CryptoPP::Adler32 m_Adler;

 			struct Establisher
 			{	
 				NTCPPhase1 phase1;
 				NTCPPhase2 phase2;
-				NTCPPhase3 phase3;
-				NTCPPhase4 phase4;
 			} * m_Establisher;	
 			
-			uint8_t m_ReceiveBuffer[NTCP_BUFFER_SIZE + 16], m_TimeSyncBuffer[16];
+			i2p::crypto::AESAlignedBuffer<NTCP_BUFFER_SIZE + 16> m_ReceiveBuffer;
+			i2p::crypto::AESAlignedBuffer<16> m_TimeSyncBuffer;
 			int m_ReceiveBufferOffset; 

-			i2p::I2NPMessage * m_NextMessage;
-			std::list<i2p::I2NPMessage *> m_DelayedMessages;
+			std::shared_ptr<I2NPMessage> m_NextMessage;
 			size_t m_NextMessageOffset;
+			i2p::I2NPMessagesHandler m_Handler;

-			size_t m_NumSentBytes, m_NumReceivedBytes;
+			bool m_IsSending;
+			std::vector<std::shared_ptr<I2NPMessage> > m_SendQueue;
+			
+			boost::asio::ip::address m_ConnectedFrom; // for ban
 	};	

-	class NTCPClient: public NTCPSession
+	// TODO: move to NTCP.h/.cpp
+	class NTCPServer
 	{
 		public:

-			NTCPClient (boost::asio::io_service& service, const boost::asio::ip::address& address, int port, std::shared_ptr<const i2p::data::RouterInfo> in_RouterInfo);
+			NTCPServer (int port);
+			~NTCPServer ();

-		private:
+			void Start ();
+			void Stop ();

-			void Connect ();
-			void HandleConnect (const boost::system::error_code& ecode);
+			void AddNTCPSession (std::shared_ptr<NTCPSession> session);
+			void RemoveNTCPSession (std::shared_ptr<NTCPSession> session);
+			std::shared_ptr<NTCPSession> FindNTCPSession (const i2p::data::IdentHash& ident);
+			void Connect (const boost::asio::ip::address& address, int port, std::shared_ptr<NTCPSession> conn);
 			
+			boost::asio::io_service& GetService () { return m_Service; };
+			void Ban (const boost::asio::ip::address& addr);			
+
 		private:

-			boost::asio::ip::tcp::endpoint m_Endpoint;
-	};	
+			void Run ();
+			void HandleAccept (std::shared_ptr<NTCPSession> conn, const boost::system::error_code& error);
+			void HandleAcceptV6 (std::shared_ptr<NTCPSession> conn, const boost::system::error_code& error);
+
+			void HandleConnect (const boost::system::error_code& ecode, std::shared_ptr<NTCPSession> conn);
+			
+		private:	
+
+			bool m_IsRunning;
+			std::thread * m_Thread;	
+			boost::asio::io_service m_Service;
+			boost::asio::io_service::work m_Work;
+			boost::asio::ip::tcp::acceptor * m_NTCPAcceptor, * m_NTCPV6Acceptor;
+			std::mutex m_NTCPSessionsMutex;
+			std::map<i2p::data::IdentHash, std::shared_ptr<NTCPSession> > m_NTCPSessions;
+			std::map<boost::asio::ip::address, uint32_t> m_BanList; // IP -> ban expiration time in seconds

-	class NTCPServerConnection: public NTCPSession
-	{
 		public:

-			NTCPServerConnection (boost::asio::io_service& service): 
-				NTCPSession (service) {};
-			
-		protected:
-
-			virtual void Connected ();
+			// for HTTP/I2PControl
+			const decltype(m_NTCPSessions)& GetNTCPSessions () const { return m_NTCPSessions; };
 	};	
 }	
 }	
--- a/NetDb.cpp
+++ b/NetDb.cpp
--- a/NetDb.h
+++ b/NetDb.h
@@ -9,48 +9,20 @@
 #include <thread>
 #include <mutex>
 #include <boost/filesystem.hpp>
+#include "Base.h"
 #include "Queue.h"
 #include "I2NPProtocol.h"
 #include "RouterInfo.h"
 #include "LeaseSet.h"
 #include "Tunnel.h"
 #include "TunnelPool.h"
+#include "Reseed.h"
+#include "NetDbRequests.h"

 namespace i2p
 {
 namespace data
 {		
-	class RequestedDestination
-	{
-		public:
-
-			RequestedDestination (const IdentHash& destination, bool isLeaseSet, 
-			    bool isExploratory = false, i2p::tunnel::TunnelPool * pool = nullptr):
-				m_Destination (destination), m_IsLeaseSet (isLeaseSet), m_IsExploratory (isExploratory), 
-				m_Pool (pool), m_CreationTime (0) {};
-			
-			const IdentHash& GetDestination () const { return m_Destination; };
-			int GetNumExcludedPeers () const { return m_ExcludedPeers.size (); };
-			const std::set<IdentHash>& GetExcludedPeers () { return m_ExcludedPeers; };
-			void ClearExcludedPeers ();
-			std::shared_ptr<const RouterInfo> GetLastRouter () const { return m_LastRouter; };
-			i2p::tunnel::TunnelPool * GetTunnelPool () { return m_Pool; };
-			bool IsExploratory () const { return m_IsExploratory; };
-			bool IsLeaseSet () const { return m_IsLeaseSet; };
-			bool IsExcluded (const IdentHash& ident) const { return m_ExcludedPeers.count (ident); };
-			uint64_t GetCreationTime () const { return m_CreationTime; };
-			I2NPMessage * CreateRequestMessage (std::shared_ptr<const RouterInfo>, const i2p::tunnel::InboundTunnel * replyTunnel);
-			I2NPMessage * CreateRequestMessage (const IdentHash& floodfill);
-						
-		private:
-
-			IdentHash m_Destination;
-			bool m_IsLeaseSet, m_IsExploratory;
-			i2p::tunnel::TunnelPool * m_Pool;
-			std::set<IdentHash> m_ExcludedPeers;
-			std::shared_ptr<const RouterInfo> m_LastRouter;
-			uint64_t m_CreationTime;
-	};	
 	
 	class NetDb
 	{
@@ -62,25 +34,33 @@ namespace data
 			void Start ();
 			void Stop ();
 			
+			void AddRouterInfo (const uint8_t * buf, int len);
 			void AddRouterInfo (const IdentHash& ident, const uint8_t * buf, int len);
-			void AddLeaseSet (const IdentHash& ident, const uint8_t * buf, int len, i2p::tunnel::InboundTunnel * from);
+			void AddLeaseSet (const IdentHash& ident, const uint8_t * buf, int len, std::shared_ptr<i2p::tunnel::InboundTunnel> from);
 			std::shared_ptr<RouterInfo> FindRouter (const IdentHash& ident) const;
-			LeaseSet * FindLeaseSet (const IdentHash& destination) const;
+			std::shared_ptr<LeaseSet> FindLeaseSet (const IdentHash& destination) const;
+			std::shared_ptr<RouterProfile> FindRouterProfile (const IdentHash& ident) const;

-			void PublishLeaseSet (const LeaseSet * leaseSet, i2p::tunnel::TunnelPool * pool);
-			void RequestDestination (const IdentHash& destination, bool isLeaseSet = false, 
-				i2p::tunnel::TunnelPool * pool = nullptr);			
+			void RequestDestination (const IdentHash& destination, RequestedDestination::RequestComplete requestComplete = nullptr);			
 			
-			void HandleDatabaseStoreMsg (I2NPMessage * msg);
-			void HandleDatabaseSearchReplyMsg (I2NPMessage * msg);
-			void HandleDatabaseLookupMsg (I2NPMessage * msg);			
+			void HandleDatabaseStoreMsg (std::shared_ptr<const I2NPMessage> msg);
+			void HandleDatabaseSearchReplyMsg (std::shared_ptr<const I2NPMessage> msg);
+			void HandleDatabaseLookupMsg (std::shared_ptr<const I2NPMessage> msg);			

 			std::shared_ptr<const RouterInfo> GetRandomRouter () const;
 			std::shared_ptr<const RouterInfo> GetRandomRouter (std::shared_ptr<const RouterInfo> compatibleWith) const;
 			std::shared_ptr<const RouterInfo> GetHighBandwidthRandomRouter (std::shared_ptr<const RouterInfo> compatibleWith) const;
+			std::shared_ptr<const RouterInfo> GetRandomPeerTestRouter () const;
+			std::shared_ptr<const RouterInfo> GetRandomIntroducer () const;
+			std::shared_ptr<const RouterInfo> GetClosestFloodfill (const IdentHash& destination, const std::set<IdentHash>& excluded) const;
+			std::vector<IdentHash> GetClosestFloodfills (const IdentHash& destination, size_t num,
+				std::set<IdentHash>& excluded) const;
+			std::shared_ptr<const RouterInfo> GetClosestNonFloodfill (const IdentHash& destination, const std::set<IdentHash>& excluded) const;
 			void SetUnreachable (const IdentHash& ident, bool unreachable);			

-			void PostI2NPMsg (I2NPMessage * msg);
+			void PostI2NPMsg (std::shared_ptr<const I2NPMessage> msg);
+
+			void Reseed ();

 			// for web interface
 			int GetNumRouters () const { return m_RouterInfos.size (); };
@@ -90,36 +70,34 @@ namespace data
 		private:

 			bool CreateNetDb(boost::filesystem::path directory);
-			void Load (const char * directory);
-			void SaveUpdated (const char * directory);
+			void Load ();
+			void SaveUpdated ();
 			void Run (); // exploratory thread
-			void Explore (int numDestinations);
+			void Explore (int numDestinations);	
 			void Publish ();
-			std::shared_ptr<const RouterInfo> GetClosestFloodfill (const IdentHash& destination, const std::set<IdentHash>& excluded) const;
 			void ManageLeaseSets ();
-
-			RequestedDestination * CreateRequestedDestination (const IdentHash& dest, 
-				bool isLeaseSet, bool isExploratory = false, i2p::tunnel::TunnelPool * pool = nullptr);
-			bool DeleteRequestedDestination (const IdentHash& dest); // returns true if found
-			void DeleteRequestedDestination (RequestedDestination * dest);
+			void ManageRequests ();

 			template<typename Filter>
 			std::shared_ptr<const RouterInfo> GetRandomRouter (Filter filter) const;	
 		
 		private:

-			std::map<IdentHash, LeaseSet *> m_LeaseSets;
+			std::map<IdentHash, std::shared_ptr<LeaseSet> > m_LeaseSets;
 			mutable std::mutex m_RouterInfosMutex;
 			std::map<IdentHash, std::shared_ptr<RouterInfo> > m_RouterInfos;
 			mutable std::mutex m_FloodfillsMutex;
 			std::list<std::shared_ptr<RouterInfo> > m_Floodfills;
-			std::mutex m_RequestedDestinationsMutex;
-			std::map<IdentHash, RequestedDestination *> m_RequestedDestinations;
 			
 			bool m_IsRunning;
-			int m_ReseedRetries;
 			std::thread * m_Thread;	
-			i2p::util::Queue<I2NPMessage> m_Queue; // of I2NPDatabaseStoreMsg
+			i2p::util::Queue<std::shared_ptr<const I2NPMessage> > m_Queue; // of I2NPDatabaseStoreMsg
+
+			GzipInflator m_Inflator;
+			Reseeder * m_Reseeder;
+
+			friend class NetDbRequests; 
+			NetDbRequests m_Requests;

 			static const char m_NetDbPath[];
 	};
--- a/NetDbRequests.cpp
+++ b/NetDbRequests.cpp
@@ -0,0 +1,149 @@
+#include "Log.h"
+#include "I2NPProtocol.h"
+#include "Transports.h"
+#include "NetDb.h"
+#include "NetDbRequests.h"
+
+namespace i2p
+{
+namespace data
+{
+	std::shared_ptr<I2NPMessage> RequestedDestination::CreateRequestMessage (std::shared_ptr<const RouterInfo> router,
+		std::shared_ptr<const i2p::tunnel::InboundTunnel> replyTunnel)
+	{
+		auto msg = i2p::CreateRouterInfoDatabaseLookupMsg (m_Destination, 
+			replyTunnel->GetNextIdentHash (), replyTunnel->GetNextTunnelID (), m_IsExploratory, 
+		    &m_ExcludedPeers);
+		m_ExcludedPeers.insert (router->GetIdentHash ());
+		m_CreationTime = i2p::util::GetSecondsSinceEpoch ();
+		return msg;
+	}	
+
+	std::shared_ptr<I2NPMessage> RequestedDestination::CreateRequestMessage (const IdentHash& floodfill)
+	{
+		auto msg = i2p::CreateRouterInfoDatabaseLookupMsg (m_Destination, 
+			i2p::context.GetRouterInfo ().GetIdentHash () , 0, false, &m_ExcludedPeers);
+		m_ExcludedPeers.insert (floodfill);
+		m_CreationTime = i2p::util::GetSecondsSinceEpoch ();
+		return msg;
+	}	
+
+	void RequestedDestination::ClearExcludedPeers ()
+	{
+		m_ExcludedPeers.clear ();
+	}	
+	
+	void RequestedDestination::Success (std::shared_ptr<RouterInfo> r)
+	{
+		if (m_RequestComplete)
+		{
+			m_RequestComplete (r);
+			m_RequestComplete = nullptr;
+		}
+	}
+
+	void RequestedDestination::Fail ()
+	{
+		if (m_RequestComplete)
+		{
+			m_RequestComplete (nullptr);
+			m_RequestComplete = nullptr;
+		}
+	}
+
+	void NetDbRequests::Start ()
+	{
+	}
+
+	void NetDbRequests::Stop ()
+	{
+		m_RequestedDestinations.clear ();
+	}
+
+
+	std::shared_ptr<RequestedDestination> NetDbRequests::CreateRequest (const IdentHash& destination, bool isExploratory, RequestedDestination::RequestComplete requestComplete)
+	{
+		// request RouterInfo directly
+		auto dest = std::make_shared<RequestedDestination> (destination, isExploratory); 
+		dest->SetRequestComplete (requestComplete);
+		{
+			std::unique_lock<std::mutex> l(m_RequestedDestinationsMutex);
+			if (!m_RequestedDestinations.insert (std::make_pair (destination, 
+				std::shared_ptr<RequestedDestination> (dest))).second) // not inserted
+				return nullptr; 
+		}
+		return dest;
+	}	
+
+	void NetDbRequests::RequestComplete (const IdentHash& ident, std::shared_ptr<RouterInfo> r)
+	{
+		auto it = m_RequestedDestinations.find (ident);
+		if (it != m_RequestedDestinations.end ())
+		{	
+			if (r)
+				it->second->Success (r);
+			else
+				it->second->Fail ();
+			std::unique_lock<std::mutex> l(m_RequestedDestinationsMutex);
+			m_RequestedDestinations.erase (it);
+		}	
+	}
+
+	std::shared_ptr<RequestedDestination> NetDbRequests::FindRequest (const IdentHash& ident) const
+	{
+		auto it = m_RequestedDestinations.find (ident);
+		if (it != m_RequestedDestinations.end ())
+			return it->second;
+		return nullptr;
+	}	
+
+	void NetDbRequests::ManageRequests ()
+	{
+		uint64_t ts = i2p::util::GetSecondsSinceEpoch ();	
+		std::unique_lock<std::mutex> l(m_RequestedDestinationsMutex);	
+		for (auto it = m_RequestedDestinations.begin (); it != m_RequestedDestinations.end ();)
+		{
+			auto& dest = it->second;
+			bool done = false;
+			if (ts < dest->GetCreationTime () + 60) // request is worthless after 1 minute
+			{
+				if (ts > dest->GetCreationTime () + 5) // no response for 5 seconds
+				{
+					auto count = dest->GetExcludedPeers ().size ();
+					if (!dest->IsExploratory () && count < 7)
+					{
+						auto pool = i2p::tunnel::tunnels.GetExploratoryPool ();
+						auto outbound = pool->GetNextOutboundTunnel ();
+						auto inbound = pool->GetNextInboundTunnel ();	
+						auto nextFloodfill = netdb.GetClosestFloodfill (dest->GetDestination (), dest->GetExcludedPeers ());
+						if (nextFloodfill && outbound && inbound)
+							outbound->SendTunnelDataMsg (nextFloodfill->GetIdentHash (), 0,
+								dest->CreateRequestMessage (nextFloodfill, inbound));
+						else
+						{
+							done = true;
+							if (!inbound) LogPrint (eLogWarning, "No inbound tunnels");	
+							if (!outbound) LogPrint (eLogWarning, "No outbound tunnels");
+							if (!nextFloodfill) LogPrint (eLogWarning, "No more floodfills");	
+						}
+					}	
+					else
+					{
+						if (!dest->IsExploratory ())
+							LogPrint (eLogWarning, dest->GetDestination ().ToBase64 (), " not found after 7 attempts");	
+						done = true;
+					}	 
+				}	
+			}	
+			else // delete obsolete request
+				done = true;
+
+			if (done)
+				it = m_RequestedDestinations.erase (it);
+			else
+				it++;
+		}	
+	}
+}
+}
+
--- a/NetDbRequests.h
+++ b/NetDbRequests.h
@@ -0,0 +1,69 @@
+#ifndef NETDB_REQUESTS_H__
+#define NETDB_REQUESTS_H__
+
+#include <memory>
+#include <set>
+#include <map>
+#include "Identity.h"
+#include "RouterInfo.h"
+
+namespace i2p
+{
+namespace data
+{
+	class RequestedDestination
+	{	
+		public:
+
+			typedef std::function<void (std::shared_ptr<RouterInfo>)> RequestComplete;
+
+			RequestedDestination (const IdentHash& destination, bool isExploratory = false):
+				m_Destination (destination), m_IsExploratory (isExploratory), m_CreationTime (0) {};
+			~RequestedDestination () { if (m_RequestComplete) m_RequestComplete (nullptr); };			
+
+			const IdentHash& GetDestination () const { return m_Destination; };
+			int GetNumExcludedPeers () const { return m_ExcludedPeers.size (); };
+			const std::set<IdentHash>& GetExcludedPeers () { return m_ExcludedPeers; };
+			void ClearExcludedPeers ();
+			bool IsExploratory () const { return m_IsExploratory; };
+			bool IsExcluded (const IdentHash& ident) const { return m_ExcludedPeers.count (ident); };
+			uint64_t GetCreationTime () const { return m_CreationTime; };
+			std::shared_ptr<I2NPMessage> CreateRequestMessage (std::shared_ptr<const RouterInfo>, std::shared_ptr<const i2p::tunnel::InboundTunnel> replyTunnel);
+			std::shared_ptr<I2NPMessage> CreateRequestMessage (const IdentHash& floodfill);
+			
+			void SetRequestComplete (const RequestComplete& requestComplete) { m_RequestComplete = requestComplete; };
+			bool IsRequestComplete () const { return m_RequestComplete != nullptr; };
+			void Success (std::shared_ptr<RouterInfo> r);
+			void Fail ();
+			
+		private:
+
+			IdentHash m_Destination;
+			bool m_IsExploratory;
+			std::set<IdentHash> m_ExcludedPeers;
+			uint64_t m_CreationTime;
+			RequestComplete m_RequestComplete;
+	};	
+
+	class NetDbRequests
+	{
+		public:
+
+			void Start ();
+			void Stop ();
+
+			 std::shared_ptr<RequestedDestination> CreateRequest (const IdentHash& destination, bool isExploratory, RequestedDestination::RequestComplete requestComplete = nullptr);
+			void RequestComplete (const IdentHash& ident, std::shared_ptr<RouterInfo> r);
+			std::shared_ptr<RequestedDestination> FindRequest (const IdentHash& ident) const;
+			void ManageRequests ();
+
+		private:
+
+			std::mutex m_RequestedDestinationsMutex;
+			std::map<IdentHash, std::shared_ptr<RequestedDestination> > m_RequestedDestinations;
+	};
+}
+}
+
+#endif
+
--- a/Profiling.cpp
+++ b/Profiling.cpp
@@ -0,0 +1,214 @@
+#include <boost/filesystem.hpp>
+#include <boost/property_tree/ptree.hpp>
+#include <boost/property_tree/ini_parser.hpp>
+#include "Base.h"
+#include "util.h"
+#include "Log.h"
+#include "Profiling.h"
+
+namespace i2p
+{
+namespace data
+{
+	RouterProfile::RouterProfile (const IdentHash& identHash):
+		m_IdentHash (identHash), m_LastUpdateTime (boost::posix_time::second_clock::local_time()),
+		m_NumTunnelsAgreed (0), m_NumTunnelsDeclined (0), m_NumTunnelsNonReplied (0),
+		m_NumTimesTaken (0), m_NumTimesRejected (0) 
+	{
+	}
+
+	boost::posix_time::ptime RouterProfile::GetTime () const
+	{
+		return boost::posix_time::second_clock::local_time();
+	}	
+		
+	void RouterProfile::UpdateTime ()
+	{
+		m_LastUpdateTime = GetTime ();
+	}	
+		
+	void RouterProfile::Save ()
+	{
+		// fill sections
+		boost::property_tree::ptree participation;
+		participation.put (PEER_PROFILE_PARTICIPATION_AGREED, m_NumTunnelsAgreed);
+		participation.put (PEER_PROFILE_PARTICIPATION_DECLINED, m_NumTunnelsDeclined);
+		participation.put (PEER_PROFILE_PARTICIPATION_NON_REPLIED, m_NumTunnelsNonReplied);
+		boost::property_tree::ptree usage;
+		usage.put (PEER_PROFILE_USAGE_TAKEN, m_NumTimesTaken);
+		usage.put (PEER_PROFILE_USAGE_REJECTED, m_NumTimesRejected);
+		// fill property tree
+		boost::property_tree::ptree pt;
+		pt.put (PEER_PROFILE_LAST_UPDATE_TIME, boost::posix_time::to_simple_string (m_LastUpdateTime));
+		pt.put_child (PEER_PROFILE_SECTION_PARTICIPATION, participation);
+		pt.put_child (PEER_PROFILE_SECTION_USAGE, usage);		
+
+		// save to file
+		auto path = i2p::util::filesystem::GetDefaultDataDir() / PEER_PROFILES_DIRECTORY;
+		if (!boost::filesystem::exists (path))
+		{
+			// Create directory is necessary
+			if (!boost::filesystem::create_directory (path))
+			{	
+				LogPrint (eLogError, "Failed to create directory ", path);
+				return;
+			}			
+			const char * chars = GetBase64SubstitutionTable (); // 64 bytes
+			for (int i = 0; i < 64; i++)
+			{
+				auto path1 = path / (std::string ("p") + chars[i]);
+				if (!boost::filesystem::create_directory (path1)) 
+				{
+					LogPrint (eLogError, "Failed to create directory ", path1);
+					return;
+				}			
+			}				
+		}
+		std::string base64 = m_IdentHash.ToBase64 ();
+		path = path / (std::string ("p") + base64[0]);
+		auto filename = path / (std::string (PEER_PROFILE_PREFIX) + base64 + ".txt");
+		try
+		{
+			boost::property_tree::write_ini (filename.string (), pt);
+		}
+		catch (std::exception& ex)
+		{
+			LogPrint (eLogError, "Can't write ", filename, ": ", ex.what ());
+		}
+	}	
+
+	void RouterProfile::Load ()
+	{
+		std::string base64 = m_IdentHash.ToBase64 ();
+		auto path = i2p::util::filesystem::GetDefaultDataDir() / PEER_PROFILES_DIRECTORY;
+		path /= std::string ("p") + base64[0];
+		auto filename = path / (std::string (PEER_PROFILE_PREFIX) + base64 + ".txt");
+		if (boost::filesystem::exists (filename))
+		{	
+			boost::property_tree::ptree pt;
+			try
+			{
+				boost::property_tree::read_ini (filename.string (), pt);
+			}
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "Can't read ", filename, ": ", ex.what ());
+				return;
+			}
+			try
+			{	
+				auto t = pt.get (PEER_PROFILE_LAST_UPDATE_TIME, "");
+				if (t.length () > 0)
+					m_LastUpdateTime = boost::posix_time::time_from_string (t);
+				if ((GetTime () - m_LastUpdateTime).hours () < PEER_PROFILE_EXPIRATION_TIMEOUT) 
+				{	
+					try
+					{	
+						// read participations
+						auto participations = pt.get_child (PEER_PROFILE_SECTION_PARTICIPATION);
+						m_NumTunnelsAgreed = participations.get (PEER_PROFILE_PARTICIPATION_AGREED, 0);
+						m_NumTunnelsDeclined = participations.get (PEER_PROFILE_PARTICIPATION_DECLINED, 0);
+						m_NumTunnelsNonReplied = participations.get (PEER_PROFILE_PARTICIPATION_NON_REPLIED, 0);
+					}	
+					catch (boost::property_tree::ptree_bad_path& ex)
+					{
+						LogPrint (eLogWarning, "Missing section ", PEER_PROFILE_SECTION_PARTICIPATION);
+					}	
+					try
+					{	
+						// read usage
+						auto usage = pt.get_child (PEER_PROFILE_SECTION_USAGE);
+						m_NumTimesTaken = usage.get (PEER_PROFILE_USAGE_TAKEN, 0);
+						m_NumTimesRejected = usage.get (PEER_PROFILE_USAGE_REJECTED, 0);
+					}	
+					catch (boost::property_tree::ptree_bad_path& ex)
+					{
+						LogPrint (eLogWarning, "Missing section ", PEER_PROFILE_SECTION_USAGE);
+					}	
+				}	
+				else
+					*this = RouterProfile (m_IdentHash);
+			}	
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "Can't read profile ", base64, " :", ex.what ());
+			}	
+		}	
+	}	
+		
+	void RouterProfile::TunnelBuildResponse (uint8_t ret)
+	{
+		UpdateTime ();
+		if (ret > 0)
+			m_NumTunnelsDeclined++;
+		else
+			m_NumTunnelsAgreed++;
+	}	
+
+	void RouterProfile::TunnelNonReplied ()
+	{
+		m_NumTunnelsNonReplied++;
+		UpdateTime ();
+	}	
+
+	bool RouterProfile::IsLowPartcipationRate () const
+	{
+		return 4*m_NumTunnelsAgreed < m_NumTunnelsDeclined; // < 20% rate
+	}	
+
+	bool RouterProfile::IsLowReplyRate () const
+	{
+		auto total = m_NumTunnelsAgreed + m_NumTunnelsDeclined;
+		return m_NumTunnelsNonReplied > 10*(total + 1);
+	}	
+		
+	bool RouterProfile::IsBad ()
+	{ 
+		auto isBad = IsAlwaysDeclining () || IsLowPartcipationRate () /*|| IsLowReplyRate ()*/;
+		if (isBad && m_NumTimesRejected > 10*(m_NumTimesTaken + 1)) 
+		{
+			// reset profile
+			m_NumTunnelsAgreed = 0;
+			m_NumTunnelsDeclined = 0;
+			m_NumTunnelsNonReplied = 0;
+			isBad = false;
+		}		
+		if (isBad) m_NumTimesRejected++; else m_NumTimesTaken++;
+		return isBad;	
+	}
+		
+	std::shared_ptr<RouterProfile> GetRouterProfile (const IdentHash& identHash)
+	{
+		auto profile = std::make_shared<RouterProfile> (identHash);
+		profile->Load (); // if possible
+		return profile;
+	}		
+
+	void DeleteObsoleteProfiles ()
+	{
+		int num = 0;
+		auto ts = boost::posix_time::second_clock::local_time();
+		boost::filesystem::path p (i2p::util::filesystem::GetDataDir()/PEER_PROFILES_DIRECTORY);
+		if (boost::filesystem::exists (p))
+		{
+			boost::filesystem::directory_iterator end;
+			for (boost::filesystem::directory_iterator it (p); it != end; ++it)
+			{
+				if (boost::filesystem::is_directory (it->status()))
+				{
+					for (boost::filesystem::directory_iterator it1 (it->path ()); it1 != end; ++it1)
+					{
+						auto lastModified = boost::posix_time::from_time_t (boost::filesystem::last_write_time (it1->path ()));
+						if ((ts - lastModified).hours () >= PEER_PROFILE_EXPIRATION_TIMEOUT)
+						{	
+							boost::filesystem::remove (it1->path ());
+							num++;
+						}	
+					}	
+				}
+			}	
+		}
+		LogPrint (eLogInfo, num, " obsolete profiles deleted");
+	}	
+}		
+}	
--- a/Profiling.h
+++ b/Profiling.h
@@ -0,0 +1,69 @@
+#ifndef PROFILING_H__
+#define PROFILING_H__
+
+#include <memory>
+#include <boost/date_time/posix_time/posix_time.hpp>
+#include "Identity.h"
+
+namespace i2p
+{
+namespace data
+{	
+	const char PEER_PROFILES_DIRECTORY[] = "peerProfiles";
+	const char PEER_PROFILE_PREFIX[] = "profile-";
+	// sections
+	const char PEER_PROFILE_SECTION_PARTICIPATION[] = "participation";
+	const char PEER_PROFILE_SECTION_USAGE[] = "usage";
+	// params	
+	const char PEER_PROFILE_LAST_UPDATE_TIME[] = "lastupdatetime";
+	const char PEER_PROFILE_PARTICIPATION_AGREED[] = "agreed";
+	const char PEER_PROFILE_PARTICIPATION_DECLINED[] = "declined";
+	const char PEER_PROFILE_PARTICIPATION_NON_REPLIED[] = "nonreplied";	
+	const char PEER_PROFILE_USAGE_TAKEN[] = "taken";
+	const char PEER_PROFILE_USAGE_REJECTED[] = "rejected";
+
+	const int PEER_PROFILE_EXPIRATION_TIMEOUT = 72; // in hours (3 days)
+	
+	class RouterProfile
+	{
+		public:
+
+			RouterProfile (const IdentHash& identHash);
+			RouterProfile& operator= (const RouterProfile& ) = default;
+			
+			void Save ();
+			void Load ();
+
+			bool IsBad ();
+			
+			void TunnelBuildResponse (uint8_t ret);
+			void TunnelNonReplied ();
+
+		private:
+
+			boost::posix_time::ptime GetTime () const;
+			void UpdateTime ();
+
+			bool IsAlwaysDeclining () const { return !m_NumTunnelsAgreed && m_NumTunnelsDeclined >= 5; };
+			bool IsLowPartcipationRate () const;
+			bool IsLowReplyRate () const;
+			
+		private:	
+
+			IdentHash m_IdentHash;
+			boost::posix_time::ptime m_LastUpdateTime;
+			// participation
+			uint32_t m_NumTunnelsAgreed;
+			uint32_t m_NumTunnelsDeclined;	
+			uint32_t m_NumTunnelsNonReplied;
+			// usage
+			uint32_t m_NumTimesTaken;
+			uint32_t m_NumTimesRejected;	
+	};	
+
+	std::shared_ptr<RouterProfile> GetRouterProfile (const IdentHash& identHash); 
+	void DeleteObsoleteProfiles ();
+}		
+}	
+
+#endif
--- a/Queue.h
+++ b/Queue.h
@@ -2,6 +2,7 @@
 #define QUEUE_H__

 #include <queue>
+#include <vector>
 #include <mutex>
 #include <thread>
 #include <condition_variable>
@@ -16,17 +17,28 @@ namespace util
 	{	
 		public:

-			void Put (Element * e)
+			void Put (Element e)
 			{
 				std::unique_lock<std::mutex>  l(m_QueueMutex);
 				m_Queue.push (e);	
 				m_NonEmpty.notify_one ();
 			}

-			Element * GetNext ()
+			void Put (const std::vector<Element>& vec)
+			{
+				if (!vec.empty ())
+				{	
+					std::unique_lock<std::mutex>  l(m_QueueMutex);
+					for (auto it: vec)
+						m_Queue.push (it);	
+					m_NonEmpty.notify_one ();
+				}	
+			}
+			
+			Element GetNext ()
 			{
 				std::unique_lock<std::mutex> l(m_QueueMutex);
-				Element * el = GetNonThreadSafe ();
+				auto el = GetNonThreadSafe ();
 				if (!el)
 				{
 					m_NonEmpty.wait (l);
@@ -35,10 +47,10 @@ namespace util
 				return el;
 			}

-			Element * GetNextWithTimeout (int usec)
+			Element GetNextWithTimeout (int usec)
 			{
 				std::unique_lock<std::mutex> l(m_QueueMutex);
-				Element * el = GetNonThreadSafe ();
+				auto el = GetNonThreadSafe ();
 				if (!el)
 				{
 					m_NonEmpty.wait_for (l, std::chrono::milliseconds (usec));
@@ -64,16 +76,22 @@ namespace util
 				std::unique_lock<std::mutex> l(m_QueueMutex);
 				return m_Queue.empty ();
 			}
-			
+
+			int GetSize () 
+			{
+				std::unique_lock<std::mutex> l(m_QueueMutex);
+				return m_Queue.size ();
+			}			
+
 			void WakeUp () { m_NonEmpty.notify_all (); };

-			Element * Get ()
+			Element Get ()
 			{
 				std::unique_lock<std::mutex> l(m_QueueMutex);
 				return GetNonThreadSafe ();
 			}	

-			Element * Peek ()
+			Element Peek ()
 			{
 				std::unique_lock<std::mutex> l(m_QueueMutex);
 				return GetNonThreadSafe (true);
@@ -81,11 +99,11 @@ namespace util
 			
 		private:

-			Element * GetNonThreadSafe (bool peek = false)
+			Element GetNonThreadSafe (bool peek = false)
 			{
 				if (!m_Queue.empty ())
 				{
-					Element * el = m_Queue.front ();
+					auto el = m_Queue.front ();
 					if (!peek)
 						m_Queue.pop ();
 					return el;
@@ -95,13 +113,13 @@ namespace util
 			
 		private:

-			std::queue<Element *> m_Queue;
+			std::queue<Element> m_Queue;
 			std::mutex m_QueueMutex;
 			std::condition_variable m_NonEmpty;
 	};	

 	template<class Msg>
-	class MsgQueue: public Queue<Msg>
+	class MsgQueue: public Queue<Msg *>
 	{
 		public:

@@ -114,7 +132,7 @@ namespace util
 				if (m_IsRunning)
 				{
 					m_IsRunning = false;
-					Queue<Msg>::WakeUp ();					
+					Queue<Msg *>::WakeUp ();					
 					m_Thread.join();
 				}
 			}
@@ -127,7 +145,7 @@ namespace util
 			{
 				while (m_IsRunning)
 				{
-					while (Msg * msg = Queue<Msg>::Get ())
+					while (auto msg = Queue<Msg *>::Get ())
 					{
 						msg->Process ();
 						delete msg;
@@ -135,15 +153,15 @@ namespace util
 					if (m_OnEmpty != nullptr)
 						m_OnEmpty ();
 					if (m_IsRunning)
-						Queue<Msg>::Wait ();
+						Queue<Msg *>::Wait ();
 				}	
 			}	
 			
 		private:
 			
 			volatile bool m_IsRunning;
-			std::thread m_Thread;	
 			OnEmpty m_OnEmpty;
+			std::thread m_Thread;	
 	};	
 }		
 }	
--- a/README.md
+++ b/README.md
@@ -2,11 +2,25 @@ i2pd
 ====

 I2P router written in C++
+Contains all ongoing changes from https://bitbucket.org/orignal/i2pd/src
+
+License
+-------
+
+This project is licensed under the BSD 3-clause license, which can be found in the file
+LICENSE in the root of the project source code.
+
+Donations
+---------
+
+BTC: 1K7Ds6KUeR8ya287UC4rYTjvC96vXyZbDY   
+LTC: LKQirrYrDeTuAPnpYq5y7LVKtywfkkHi59   
+ANC: AQJYweYYUqM1nVfLqfoSMpUMfzxvS4Xd7z

 Requirements for Linux/FreeBSD/OSX
 ----------------------------------

-GCC 4.6 or newer, Boost 1.46 or newer, crypto++. Clang can be used instead of
+GCC 4.6 or newer, Boost 1.46 or newer, openssl, zlib. Clang can be used instead of
 GCC.

 Requirements for Windows
@@ -16,12 +30,19 @@ VS2013 (known to work with 12.0.21005.1 or newer), Boost 1.46 or newer,
 crypto++ 5.62. See Win32/README-Build.txt for instructions on how to build i2pd
 and its dependencies.

+Downloads
+------------
+
+Official binary releases could be found at:
+http://download.i2p.io/purplei2p/i2pd/releases/
+
+
 Build Statuses
 ---------------

- Linux x64      - [![Build Status](https://jenkins.nordcloud.no/buildStatus/icon?job=i2pd-linux)](https://jenkins.nordcloud.no/job/i2pd-linux/)
+- Linux x64      - [![Build Status](https://jenkins.greyhat.no/buildStatus/icon?job=i2pd-linux)](https://jenkins.nordcloud.no/job/i2pd-linux/)
 - Linux ARM      - To be added
- Mac OS X       - To be added
+- Mac OS X       - Got it working, but not well tested. (Only works with clang, not GCC.)
 - Microsoft VC13 - To be added


@@ -30,14 +51,14 @@ Testing

 First, build it.

+On Ubuntu/Debian based
+* sudo apt-get install libboost-dev libboost-filesystem-dev libboost-program-options-dev libboost-regex-dev libboost-date-time-dev libssl-dev zlib1g-dev 
 * $ cd i2pd
 * $ make

-Next, find out your public ip. (find it for example at http://www.whatismyip.com/)
+Then, run it:

-Then, run it with:
-
-$ ./i2p --host=YOUR_PUBLIC_IP
+$ ./i2p

 The client should now reseed by itself.

@@ -48,24 +69,77 @@ This should resulting in for example:
 http://localhost:7070/4oes3rlgrpbkmzv4lqcfili23h3cvpwslqcfjlk6vvguxyggspwa.b32.i2p


-Options
-------
+Cmdline options
+---------------

-* --host=               - The external IP
+* --host=               - The external IP (deprecated). 
 * --port=               - The port to listen on
 * --httpport=           - The http port to listen on
 * --log=                - Enable or disable logging to file. 1 for yes, 0 for no.
 * --daemon=             - Enable or disable daemon mode. 1 for yes, 0 for no.
 * --service=            - 1 if uses system folders (/var/run/i2pd.pid, /var/log/i2pd.log, /var/lib/i2pd).
-* --unreachable=        - 1 if router is declared as unreachable and works through introducers.
 * --v6=                 - 1 if supports communication through ipv6, off by default
+* --floodfill=          - 1 if router is floodfill, off by default
+* --bandwidth=          - L if bandwidth is limited to 32Kbs/sec, O if not. Always O if floodfill, otherwise L by default.
 * --httpproxyport=      - The port to listen on (HTTP Proxy)
 * --socksproxyport=     - The port to listen on (SOCKS Proxy)
+* --proxykeys=          - optional keys file for proxy's local destination
 * --ircport=            - The local port of IRC tunnel to listen on. 6668 by default
 * --ircdest=            - I2P destination address of IRC server. For example irc.postman.i2p
-* --irckeys=            - optional keys file for local destination
-* --eepkeys=            - File name containing destination keys. For example privKeys.dat
+* --irckeys=            - optional keys file for tunnel's local destination 
+* --eepkeys=            - File name containing destination keys, for example privKeys.dat.
+                          The file will be created if it does not already exist (issue #110).
 * --eephost=            - Address incoming trafic forward to. 127.0.0.1 by default
 * --eepport=            - Port incoming trafic forward to. 80 by default
 * --samport=            - Port of SAM bridge. Usually 7656. SAM is off if not specified
+* --bobport=            - Port of BOB command channel. Usually 2827. BOB is off if not specified
+* --i2pcontrolport=     - Port of I2P control service. Usually 7650. I2PControl is off if not specified
+* --conf=               - Config file (default: ~/.i2pd/i2p.conf or /var/lib/i2pd/i2p.conf)
+                          This parameter will be silently ignored if the specified config file does not exist.
+                          Options specified on the command line take precedence over those in the config file.

+Config files
+------------
+
+INI-like, syntax is the following : <key> = <value>.
+All command-line parameters are allowed as keys, for example:
+
+i2p.conf:
+
+	log = 1
+	v6 = 0
+	ircdest = irc.postman.i2p
+
+tunnels.cfg (filename of this config is subject of change):
+
+  ; outgoing tunnel sample, to remote service   
+  ; mandatory parameters:   
+  ; * type -- always "client"  
+  ; * port -- local port to listen to   
+  ; * destination -- i2p hostname   
+  ; optional parameters (may be omitted)   
+  ; * keys -- our identity, if unset, will be generated on every startup,   
+  ;     if set and file missing, keys will be generated and placed to this file   
+	[IRC]   
+	type = client   
+	port = 6668   
+	destination = irc.echelon.i2p   
+	keys = irc-keys.dat   
+   
+  ; incoming tunnel sample, for local service   
+  ; mandatory parameters:   
+  ; * type -- always "server"   
+  ; * host -- ip address of our service   
+  ; * port -- port of our service   
+  ; * keys -- file with LeaseSet of address in i2p   
+  ; optional parameters (may be omitted)   
+  ; * inport -- optional, i2p service port, if unset - the same as 'port'   
+  ; * accesslist -- comma-separated list of i2p addresses, allowed to connect   
+  ;    every address is b32 without '.b32.i2p' part   
+	[LOCALSITE]   
+	type = server   
+	host = 127.0.0.1   
+	port = 80   
+	keys = site-keys.dat   
+	inport = 81   
+	accesslist = <b32>[,<b32>]   
--- a/Reseed.cpp
+++ b/Reseed.cpp
@@ -1,11 +1,20 @@
-#include <iostream>
+#include <string.h>
 #include <fstream>
+#include <sstream>
 #include <boost/regex.hpp>
 #include <boost/filesystem.hpp>
-#include <cryptopp/gzip.h>
+#include <boost/asio.hpp>
+#include <boost/asio/ssl.hpp>
+#include <openssl/bn.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <zlib.h>
 #include "I2PEndian.h"
 #include "Reseed.h"
 #include "Log.h"
+#include "Identity.h"
+#include "Crypto.h"
+#include "NetDb.h"
 #include "util.h"


@@ -13,36 +22,19 @@ namespace i2p
 {
 namespace data
 {
-
-	static std::vector<std::string> httpReseedHostList = {
-				"http://193.150.121.66/netDb/",
-				"http://netdb.i2p2.no/",
-				"http://reseed.i2p-projekt.de/",
-				"http://cowpuncher.drollette.com/netdb/",
-				"http://i2p.mooo.com/netDb/",
-				"http://reseed.info/",
-				"http://uk.reseed.i2p2.no/",
-				"http://us.reseed.i2p2.no/",
-				"http://jp.reseed.i2p2.no/",
-				"http://i2p-netdb.innovatio.no/",
-				"http://ieb9oopo.mooo.com"
-			};
-
-	//TODO: Remember to add custom port support. Not all serves on 443
-	static std::vector<std::string> httpsReseedHostList = {
-				"https://193.150.121.66/netDb/",
-				"https://netdb.i2p2.no/",
-				"https://reseed.i2p-projekt.de/",
-				"https://cowpuncher.drollette.com/netdb/",
-				"https://i2p.mooo.com/netDb/",
-				"https://reseed.info/",
-				"https://i2p-netdb.innovatio.no/",
-				"https://ieb9oopo.mooo.com/",
-				"https://ssl.webpack.de/ivae2he9.sg4.e-plaza.de/" // Only HTTPS and SU3 (v2) support
-			};
+	static std::vector<std::string> httpsReseedHostList = 
+	{
+		"https://reseed.i2p-projekt.de/", // Only HTTPS
+        "https://i2pseed.zarrenspry.info/", // Only HTTPS and SU3 (v3) support
+        "https://i2p.mooo.com/netDb/",
+        "https://netdb.i2p2.no/", // Only SU3 (v3) support, SNI required
+		"https://us.reseed.i2p2.no:444/",	
+        "https://uk.reseed.i2p2.no:444/",
+        "https://reseed.i2p.vzaws.com:8443/", // Only SU3 (v3) support
+        "https://user.mx24.eu/", // Only HTTPS and SU3 (v3) support
+        "https://ieb9oopo.mooo.com/" // Only HTTPS and SU3 (v3) support
+	};
 	
-	//TODO: Implement v2 reseeding. Lightweight zip library is needed.
-	//TODO: Implement SU3, utils.
 	Reseeder::Reseeder()
 	{
 	}
@@ -51,129 +43,372 @@ namespace data
 	{
 	}

-	bool Reseeder::reseedNow()
+	int Reseeder::ReseedNowSU3 ()
 	{
-		try
-		{
-			// Seems like the best place to try to intercept with SSL
-			/*ssl_server = true;
-			try {
-				// SSL
-			}
-			catch (std::exception& e)
-			{
-				LogPrint("Exception in SSL: ", e.what());
-			}*/
-			std::string reseedHost = httpReseedHostList[(rand() % httpReseedHostList.size())];
-			LogPrint("Reseeding from ", reseedHost);
-			std::string content = i2p::util::http::httpRequest(reseedHost);
-			if (content == "")
-			{
-				LogPrint("Reseed failed");
-				return false;
-			}
-			boost::regex e("<\\s*A\\s+[^>]*href\\s*=\\s*\"([^\"]*)\"", boost::regex::normal | boost::regbase::icase);
-			boost::sregex_token_iterator i(content.begin(), content.end(), e, 1);
-			boost::sregex_token_iterator j;
-			//TODO: Ugly code, try to clean up.
-			//TODO: Try to reduce N number of variables
-			std::string name;
-			std::string routerInfo;
-			std::string tmpUrl;
-			std::string filename;
-			std::string ignoreFileSuffix = ".su3";
-			boost::filesystem::path root = i2p::util::filesystem::GetDataDir();
-			while (i != j)
-			{
-				name = *i++;
-				if (name.find(ignoreFileSuffix)!=std::string::npos)
-					continue;
-				LogPrint("Downloading ", name);
-				tmpUrl = reseedHost;
-				tmpUrl.append(name);
-				routerInfo = i2p::util::http::httpRequest(tmpUrl);
-				if (routerInfo.size()==0)
-					continue;
-				filename = root.string();
-#ifndef _WIN32
-				filename += "/netDb/r";
-#else
-				filename += "\\netDb\\r";
-#endif
-				filename += name.at(11); // first char in id
-#ifndef _WIN32
-				filename.append("/");
-#else
-				filename.append("\\");
-#endif
-				filename.append(name.c_str());
-				std::ofstream outfile (filename, std::ios::binary);
-				outfile << routerInfo;
-				outfile.close();
-			}
-			return true;
-		}
-		catch (std::exception& ex)
-		{
-			//TODO: error reporting
-			return false;
-		}
-		return false;
-	}	
-
-	void ProcessSU3File (const char * filename)
-	{
-		static uint32_t headerSignature = htole32 (0x04044B50);
-
-		std::ifstream s(filename, std::ifstream::binary);
-		if (s.is_open ())	
-		{	
-			while (!s.eof ())
-			{
-				uint32_t signature;
-				s.read ((char *)&signature, 4);
-				if (signature == headerSignature)
-				{
-					// next local file
-					s.seekg (14, std::ios::cur); // skip field we don't care about
-					uint32_t compressedSize, uncompressedSize; 
-					s.read ((char *)&compressedSize, 4);	
-					compressedSize = le32toh (compressedSize);	
-					s.read ((char *)&uncompressedSize, 4);
-					uncompressedSize = le32toh (uncompressedSize);	
-					uint16_t fileNameLength, extraFieldLength; 
-					s.read ((char *)&fileNameLength, 2);	
-					fileNameLength = le32toh (fileNameLength);
-					s.read ((char *)&extraFieldLength, 2);
-					extraFieldLength = le32toh (extraFieldLength);
-					char localFileName[255];
-					s.read (localFileName, fileNameLength);
-					localFileName[fileNameLength] = 0;
-					s.seekg (extraFieldLength, std::ios::cur);
-
-					uint8_t * compressed = new uint8_t[compressedSize];
-					s.read ((char *)compressed, compressedSize);
-					CryptoPP::Gunzip decompressor;
-					decompressor.Put (compressed, compressedSize);
-					delete[] compressed;	
-					if (decompressor.MaxRetrievable () <= uncompressedSize)
-					{
-						uint8_t * uncompressed = new uint8_t[uncompressedSize];	
-						decompressor.Get (uncompressed, decompressor.MaxRetrievable ());	
-						// TODO: save file		
-						delete[] uncompressed;
-					}
-					else
-						LogPrint (eLogError, "Actual uncompressed size ", decompressor.MaxRetrievable (), " exceed ", uncompressedSize, " from header");
-				}
-				else
-					break; // no more files
-			}
-		}
-		else
-			LogPrint (eLogError, "Can't open file ", filename);
+		auto ind = rand () % httpsReseedHostList.size ();
+		std::string& reseedHost = httpsReseedHostList[ind];
+		return ReseedFromSU3 (reseedHost, true);
 	}

+	int Reseeder::ReseedFromSU3 (const std::string& host, bool https)
+	{
+		std::string url = host + "i2pseeds.su3";
+		LogPrint (eLogInfo, "Dowloading SU3 from ", host);
+		std::string su3 = https ? HttpsRequest (url) : i2p::util::http::httpRequest (url);
+		if (su3.length () > 0)
+		{
+			std::stringstream s(su3);
+			return ProcessSU3Stream (s);
+		}
+		else
+		{
+			LogPrint (eLogWarning, "SU3 download failed");
+			return 0;
+		}
+	}
+	
+	int Reseeder::ProcessSU3File (const char * filename)
+	{
+		std::ifstream s(filename, std::ifstream::binary);
+		if (s.is_open ())	
+			return ProcessSU3Stream (s);
+		else
+		{
+			LogPrint (eLogError, "Can't open file ", filename);
+			return 0;
+		}
+	}
+
+	const char SU3_MAGIC_NUMBER[]="I2Psu3";	
+	const uint32_t ZIP_HEADER_SIGNATURE = 0x04034B50;
+	const uint32_t ZIP_CENTRAL_DIRECTORY_HEADER_SIGNATURE = 0x02014B50;	
+	const uint16_t ZIP_BIT_FLAG_DATA_DESCRIPTOR = 0x0008;	
+	int Reseeder::ProcessSU3Stream (std::istream& s)
+	{
+		char magicNumber[7];
+		s.read (magicNumber, 7); // magic number and zero byte 6
+		if (strcmp (magicNumber, SU3_MAGIC_NUMBER))
+		{
+			LogPrint (eLogError, "Unexpected SU3 magic number");	
+			return 0;
+		}			
+		s.seekg (1, std::ios::cur); // su3 file format version
+		SigningKeyType signatureType;
+		s.read ((char *)&signatureType, 2);  // signature type
+		signatureType = be16toh (signatureType);
+		uint16_t signatureLength;
+		s.read ((char *)&signatureLength, 2);  // signature length
+		signatureLength = be16toh (signatureLength);
+		s.seekg (1, std::ios::cur); // unused
+		uint8_t versionLength;
+		s.read ((char *)&versionLength, 1);  // version length	
+		s.seekg (1, std::ios::cur); // unused
+		uint8_t signerIDLength;
+		s.read ((char *)&signerIDLength, 1);  // signer ID length	
+		uint64_t contentLength;
+		s.read ((char *)&contentLength, 8);  // content length	
+		contentLength = be64toh (contentLength);
+		s.seekg (1, std::ios::cur); // unused
+		uint8_t fileType;
+		s.read ((char *)&fileType, 1);  // file type	
+		if (fileType != 0x00) //  zip file
+		{
+			LogPrint (eLogError, "Can't handle file type ", (int)fileType);	
+			return 0;
+		}
+		s.seekg (1, std::ios::cur); // unused
+		uint8_t contentType;
+		s.read ((char *)&contentType, 1);  // content type	
+		if (contentType != 0x03) // reseed data
+		{
+			LogPrint (eLogError, "Unexpected content type ", (int)contentType);	
+			return 0;
+		}
+		s.seekg (12, std::ios::cur); // unused
+
+		s.seekg (versionLength, std::ios::cur); // skip version
+		char signerID[256];
+		s.read (signerID, signerIDLength); // signerID
+		signerID[signerIDLength] = 0;
+		
+		//try to verify signature
+		auto it = m_SigningKeys.find (signerID);
+		if (it != m_SigningKeys.end ())
+		{
+			// TODO: implement all signature types
+			if (signatureType == SIGNING_KEY_TYPE_RSA_SHA512_4096)
+			{
+				size_t pos = s.tellg ();
+				size_t tbsLen = pos + contentLength;
+				uint8_t * tbs = new uint8_t[tbsLen];
+				s.seekg (0, std::ios::beg);
+				s.read ((char *)tbs, tbsLen);
+				uint8_t * signature = new uint8_t[signatureLength];
+				s.read ((char *)signature, signatureLength);
+				// RSA-raw
+				{
+					// calculate digest
+					uint8_t digest[64];
+					SHA512 (tbs, tbsLen, digest);
+					// encrypt signature
+					BN_CTX * bnctx = BN_CTX_new ();
+					BIGNUM * s = BN_new (), * n = BN_new ();
+					BN_bin2bn (signature, signatureLength, s);
+					BN_bin2bn (it->second, i2p::crypto::RSASHA5124096_KEY_LENGTH, n);
+					BN_mod_exp (s, s, i2p::crypto::rsae, n, bnctx); // s = s^e mod n 
+					uint8_t * enSigBuf = new uint8_t[signatureLength];
+					i2p::crypto::bn2buf (s, enSigBuf, signatureLength);
+					// digest is right aligned
+					// we can't use RSA_verify due wrong padding in SU3
+					if (memcmp (enSigBuf + (signatureLength - 64), digest, 64))
+						LogPrint (eLogWarning, "SU3 signature verification failed");
+					delete[] enSigBuf;
+					BN_free (s); BN_free (n);
+					BN_CTX_free (bnctx);
+				}	
+					
+				delete[] signature;
+				delete[] tbs;
+				s.seekg (pos, std::ios::beg);
+			}
+			else
+				LogPrint (eLogWarning, "Signature type ", signatureType, " is not supported");
+		}
+		else
+			LogPrint (eLogWarning, "Certificate for ", signerID, " not loaded");
+		
+		// handle content
+		int numFiles = 0;
+		size_t contentPos = s.tellg ();
+		while (!s.eof ())
+		{	
+			uint32_t signature;
+			s.read ((char *)&signature, 4);
+			signature = le32toh (signature);
+			if (signature == ZIP_HEADER_SIGNATURE)
+			{
+				// next local file
+				s.seekg (2, std::ios::cur); // version
+				uint16_t bitFlag;
+				s.read ((char *)&bitFlag, 2);	
+				bitFlag = le16toh (bitFlag);
+				uint16_t compressionMethod;
+				s.read ((char *)&compressionMethod, 2);	
+				compressionMethod = le16toh (compressionMethod);
+				s.seekg (4, std::ios::cur); // skip fields we don't care about
+				uint32_t compressedSize, uncompressedSize; 
+				uint32_t crc_32;
+				s.read ((char *)&crc_32, 4);
+				crc_32 = le32toh (crc_32);
+				s.read ((char *)&compressedSize, 4);	
+				compressedSize = le32toh (compressedSize);	
+				s.read ((char *)&uncompressedSize, 4);
+				uncompressedSize = le32toh (uncompressedSize);	
+				uint16_t fileNameLength, extraFieldLength; 
+				s.read ((char *)&fileNameLength, 2);	
+				fileNameLength = le16toh (fileNameLength);
+				s.read ((char *)&extraFieldLength, 2);
+				extraFieldLength = le16toh (extraFieldLength);
+				char localFileName[255];
+				s.read (localFileName, fileNameLength);
+				localFileName[fileNameLength] = 0;
+				s.seekg (extraFieldLength, std::ios::cur);
+				// take care about data desriptor if presented
+				if (bitFlag & ZIP_BIT_FLAG_DATA_DESCRIPTOR)
+				{
+					size_t pos = s.tellg ();
+					if (!FindZipDataDescriptor (s))
+					{
+						LogPrint (eLogError, "SU3 archive data descriptor not found");
+						return numFiles;
+					}									
+					s.read ((char *)&crc_32, 4);	
+					crc_32 = le32toh (crc_32);
+					s.read ((char *)&compressedSize, 4);	
+					compressedSize = le32toh (compressedSize) + 4; // ??? we must consider signature as part of compressed data
+					s.read ((char *)&uncompressedSize, 4);
+					uncompressedSize = le32toh (uncompressedSize);	
+
+					// now we know compressed and uncompressed size
+					s.seekg (pos, std::ios::beg); // back to compressed data
+				}
+
+				LogPrint (eLogDebug, "Proccessing file ", localFileName, " ", compressedSize, " bytes");
+				if (!compressedSize)
+				{
+					LogPrint (eLogWarning, "Unexpected size 0. Skipped");
+					continue;
+				}	
+				
+				uint8_t * compressed = new uint8_t[compressedSize];
+				s.read ((char *)compressed, compressedSize);
+				if (compressionMethod) // we assume Deflate
+				{
+					z_stream inflator;
+					memset (&inflator, 0, sizeof (inflator));
+					inflateInit2 (&inflator, -MAX_WBITS); // no zlib header
+					uint8_t * uncompressed = new uint8_t[uncompressedSize];
+					inflator.next_in = compressed;
+					inflator.avail_in = compressedSize;
+					inflator.next_out = uncompressed;
+					inflator.avail_out = uncompressedSize; 
+					int err;
+					if ((err = inflate (&inflator, Z_SYNC_FLUSH)) >= 0)
+					{	
+						uncompressedSize -= inflator.avail_out;
+						if (crc32 (0, uncompressed, uncompressedSize) == crc_32)
+						{
+							i2p::data::netdb.AddRouterInfo (uncompressed, uncompressedSize);
+							numFiles++;
+						}	
+						else
+							LogPrint (eLogError, "CRC32 verification failed");
+					}	
+					else
+						LogPrint (eLogError, "decompression error ", err);    
+					delete[] uncompressed;      
+					inflateEnd (&inflator);
+				}
+				else // no compression
+				{
+					i2p::data::netdb.AddRouterInfo (compressed, compressedSize);
+					numFiles++;
+				}	
+				delete[] compressed;
+				if (bitFlag & ZIP_BIT_FLAG_DATA_DESCRIPTOR)
+					s.seekg (12, std::ios::cur); // skip data descriptor section if presented (12 = 16 - 4)
+			}
+			else
+			{
+				if (signature != ZIP_CENTRAL_DIRECTORY_HEADER_SIGNATURE)
+					LogPrint (eLogWarning, "Missing zip central directory header");
+				break; // no more files
+			}
+			size_t end = s.tellg ();
+			if (end - contentPos >= contentLength)
+				break; // we are beyond contentLength
+		}
+		return numFiles;
+	}
+
+	const uint8_t ZIP_DATA_DESCRIPTOR_SIGNATURE[] = { 0x50, 0x4B, 0x07, 0x08 };	
+	bool Reseeder::FindZipDataDescriptor (std::istream& s)
+	{
+		size_t nextInd = 0;	
+		while (!s.eof ())
+		{
+			uint8_t nextByte;
+			s.read ((char *)&nextByte, 1);
+			if (nextByte == ZIP_DATA_DESCRIPTOR_SIGNATURE[nextInd])	
+			{
+				nextInd++;
+				if (nextInd >= sizeof (ZIP_DATA_DESCRIPTOR_SIGNATURE))
+					return true;
+			}
+			else
+				nextInd = 0;
+		}
+		return false;
+	}
+
+	void Reseeder::LoadCertificate (const std::string& filename)
+	{
+		SSL_CTX * ctx = SSL_CTX_new (TLSv1_method ());
+		int ret = SSL_CTX_use_certificate_file (ctx, filename.c_str (), SSL_FILETYPE_PEM); 
+		if (ret)
+		{	
+			SSL * ssl = SSL_new (ctx);
+			X509 * cert = SSL_get_certificate (ssl);
+			// verify
+			if (cert)
+			{	
+				// extract issuer name
+				char name[100];
+				X509_NAME_oneline (X509_get_issuer_name(cert), name, 100);
+				// extract RSA key (we need n only, e = 65537)
+				RSA * key = X509_get_pubkey (cert)->pkey.rsa;
+				PublicKey value;
+				i2p::crypto::bn2buf (key->n, value, 512);
+				m_SigningKeys[name] = value;
+			}	
+			SSL_free (ssl);			
+		}	
+		else
+			LogPrint (eLogError, "Can't open certificate file ", filename);
+		SSL_CTX_free (ctx);		
+	}
+
+	void Reseeder::LoadCertificates ()
+	{
+		boost::filesystem::path reseedDir = i2p::util::filesystem::GetCertificatesDir() / "reseed";
+		
+		if (!boost::filesystem::exists (reseedDir))
+		{
+			LogPrint (eLogWarning, "Reseed certificates not loaded. ", reseedDir, " doesn't exist");
+			return;
+		}
+
+		int numCertificates = 0;
+		boost::filesystem::directory_iterator end; // empty
+		for (boost::filesystem::directory_iterator it (reseedDir); it != end; ++it)
+		{
+			if (boost::filesystem::is_regular_file (it->status()) && it->path ().extension () == ".crt")
+			{	
+				LoadCertificate (it->path ().string ());
+				numCertificates++;
+			}	
+		}	
+		LogPrint (eLogInfo, numCertificates, " certificates loaded");
+	}	
+
+	std::string Reseeder::HttpsRequest (const std::string& address)
+	{
+		i2p::util::http::url u(address);
+		if (u.port_ == 80) u.port_ = 443; 
+
+		boost::asio::io_service service;
+		boost::system::error_code ecode;
+    	auto it = boost::asio::ip::tcp::resolver(service).resolve (
+			 boost::asio::ip::tcp::resolver::query (u.host_, std::to_string (u.port_)), ecode);
+		if (!ecode)
+		{
+			boost::asio::ssl::context ctx(service, boost::asio::ssl::context::sslv23);
+			ctx.set_verify_mode(boost::asio::ssl::context::verify_none);
+			boost::asio::ssl::stream<boost::asio::ip::tcp::socket> s(service, ctx);
+			s.lowest_layer().connect (*it, ecode);
+			if (!ecode)
+			{
+				s.handshake (boost::asio::ssl::stream_base::client, ecode);
+				if (!ecode)
+				{
+					LogPrint (eLogInfo, "Connected to ", u.host_, ":", u.port_);
+					// send request		
+					std::stringstream ss;
+					ss << "GET " << u.path_ << " HTTP/1.1\r\nHost: " << u.host_
+					<< "\r\nAccept: */*\r\n" << "User-Agent: Wget/1.11.4\r\n" << "Connection: close\r\n\r\n";	
+					s.write_some (boost::asio::buffer (ss.str ()));
+					// read response
+					std::stringstream rs;
+					char response[1024]; size_t l = 0;
+					do
+					{
+						l = s.read_some (boost::asio::buffer (response, 1024), ecode);
+						if (l) rs.write (response, l);
+					}
+					while (!ecode && l);
+					// process response
+					return i2p::util::http::GetHttpContent (rs);
+				}
+				else
+					LogPrint (eLogError, "SSL handshake failed: ", ecode.message ());
+			}
+			else
+				LogPrint (eLogError, "Couldn't connect to ", u.host_, ": ", ecode.message ());
+		}
+		else
+			LogPrint (eLogError, "Couldn't resolve address ", u.host_, ": ", ecode.message ()); 
+		return "";
+	}	
 }
 }

--- a/Reseed.h
+++ b/Reseed.h
@@ -1,8 +1,12 @@
 #ifndef RESEED_H
 #define RESEED_H

+#include <iostream>
 #include <string>
 #include <vector>
+#include <map>
+#include "Identity.h"
+#include "Crypto.h"

 namespace i2p
 {
@@ -11,13 +15,32 @@ namespace data

 	class Reseeder
 	{
+		typedef Tag<512> PublicKey;	
+		
 		public:
+		
 			Reseeder();
 			~Reseeder();
-			bool reseedNow();
-	};
+			int ReseedNowSU3 ();

-	void ProcessSU3File (const char * filename);	
+			void LoadCertificates ();
+			
+		private:
+
+			void LoadCertificate (const std::string& filename);
+						
+			int ReseedFromSU3 (const std::string& host, bool https = false);
+			int ProcessSU3File (const char * filename);	
+			int ProcessSU3Stream (std::istream& s);	
+
+			bool FindZipDataDescriptor (std::istream& s);
+			
+			std::string HttpsRequest (const std::string& address);
+
+		private:	
+
+			std::map<std::string, PublicKey> m_SigningKeys;
+	};
 }
 }

--- a/RouterContext.cpp
+++ b/RouterContext.cpp
@@ -1,24 +1,28 @@
 #include <fstream>
-#include <cryptopp/dh.h>
-#include <cryptopp/dsa.h>
-#include "CryptoConst.h"
-#include "RouterContext.h"
+#include <boost/lexical_cast.hpp>
+#include "Crypto.h"
 #include "Timestamp.h"
 #include "I2NPProtocol.h"
+#include "NetDb.h"
 #include "util.h"
 #include "version.h"
+#include "Log.h"
+#include "RouterContext.h"

 namespace i2p
 {
 	RouterContext context;

 	RouterContext::RouterContext ():
-		m_LastUpdateTime (0), m_IsUnreachable (false), m_AcceptsTunnels (true)
+		m_LastUpdateTime (0), m_AcceptsTunnels (true), m_IsFloodfill (false), 
+		m_StartupTime (0), m_Status (eRouterStatusOK )
 	{
 	}

 	void RouterContext::Init ()
 	{
+		srand (i2p::util::GetMillisecondsSinceEpoch () % 1000);
+		m_StartupTime = i2p::util::GetSecondsSinceEpoch ();
 		if (!Load ())
 			CreateNewRouter ();
 		UpdateRouterInfo ();
@@ -26,7 +30,11 @@ namespace i2p

 	void RouterContext::CreateNewRouter ()
 	{
-		m_Keys = i2p::data::CreateRandomKeys ();
+#if defined(__x86_64__) || defined(__i386__) || defined(_MSC_VER)			
+		m_Keys = i2p::data::PrivateKeys::CreateRandomKeys (i2p::data::SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519);
+#else
+		m_Keys = i2p::data::PrivateKeys::CreateRandomKeys (i2p::data::SIGNING_KEY_TYPE_DSA_SHA1);
+#endif		
 		SaveKeys ();
 		NewRouterInfo ();
 	}
@@ -37,7 +45,7 @@ namespace i2p
 		routerInfo.SetRouterIdentity (GetIdentity ());
 		int port = i2p::util::config::GetArg("-port", 0);
 		if (!port)
-			port = m_Rnd.GenerateWord32 (9111, 30777); // I2P network ports range
+			port = rand () % (30777 - 9111) + 9111; // I2P network ports range
 		routerInfo.AddSSUAddress (i2p::util::config::GetCharArg("-host", "127.0.0.1"), port, routerInfo.GetIdentHash ());
 		routerInfo.AddNTCPAddress (i2p::util::config::GetCharArg("-host", "127.0.0.1"), port);
 		routerInfo.SetCaps (i2p::data::RouterInfo::eReachable | 
@@ -47,6 +55,7 @@ namespace i2p
 		routerInfo.SetProperty ("router.version", I2P_VERSION);
 		routerInfo.SetProperty ("stat_uptime", "90m");
 		routerInfo.CreateBuffer (m_Keys);
+		m_RouterInfo.SetRouterIdentity (GetIdentity ());
 		m_RouterInfo.Update (routerInfo.GetBuffer (), routerInfo.GetBufferLen ());
 	}

@@ -57,6 +66,25 @@ namespace i2p
 		m_LastUpdateTime = i2p::util::GetSecondsSinceEpoch ();
 	}	

+	void RouterContext::SetStatus (RouterStatus status) 
+	{ 
+		if (status != m_Status)
+		{	
+			m_Status = status;
+			switch (m_Status)
+			{	
+				case eRouterStatusOK:
+					SetReachable ();
+				break;
+				case eRouterStatusFirewalled:
+					SetUnreachable ();
+				break;	
+				default:
+					;
+			}
+		}	
+	}
+		
 	void RouterContext::UpdatePort (int port)
 	{
 		bool updated = false;
@@ -88,16 +116,11 @@ namespace i2p
 			UpdateRouterInfo ();
 	}

-	bool RouterContext::AddIntroducer (const i2p::data::RouterInfo& routerInfo, uint32_t tag)
+	bool RouterContext::AddIntroducer (const i2p::data::RouterInfo::Introducer& introducer)
 	{
-		bool ret = false;
-		auto address = routerInfo.GetSSUAddress ();
-		if (address)
-		{	
-			ret = m_RouterInfo.AddIntroducer (address, tag);
-			if (ret)
-				UpdateRouterInfo ();
-		}	
+		bool ret = m_RouterInfo.AddIntroducer (introducer);
+		if (ret)
+			UpdateRouterInfo ();	
 		return ret;
 	}	

@@ -107,9 +130,46 @@ namespace i2p
 			UpdateRouterInfo ();
 	}	
 	
+	void RouterContext::SetFloodfill (bool floodfill)
+	{
+		m_IsFloodfill = floodfill;
+		if (floodfill)
+			m_RouterInfo.SetCaps (m_RouterInfo.GetCaps () | i2p::data::RouterInfo::eFloodfill);
+		else
+		{
+			m_RouterInfo.SetCaps (m_RouterInfo.GetCaps () & ~i2p::data::RouterInfo::eFloodfill);
+			// we don't publish number of routers and leaseset for non-floodfill
+			m_RouterInfo.DeleteProperty (ROUTER_INFO_PROPERTY_LEASESETS);
+			m_RouterInfo.DeleteProperty (ROUTER_INFO_PROPERTY_ROUTERS);
+		}
+		UpdateRouterInfo ();
+	}
+
+	void RouterContext::SetHighBandwidth ()
+	{
+		if (!m_RouterInfo.IsHighBandwidth ())
+		{
+			m_RouterInfo.SetCaps (m_RouterInfo.GetCaps () | i2p::data::RouterInfo::eHighBandwidth);
+			UpdateRouterInfo ();
+		}
+	}
+
+	void RouterContext::SetLowBandwidth ()
+	{
+		if (m_RouterInfo.IsHighBandwidth ())
+		{
+			m_RouterInfo.SetCaps (m_RouterInfo.GetCaps () & ~i2p::data::RouterInfo::eHighBandwidth);
+			UpdateRouterInfo ();
+		}
+	}
+
+	bool RouterContext::IsUnreachable () const
+	{
+		return m_RouterInfo.GetCaps () & i2p::data::RouterInfo::eUnreachable;
+	}	
+		
 	void RouterContext::SetUnreachable ()
 	{
-		m_IsUnreachable = true;	
 		// set caps
 		m_RouterInfo.SetCaps (i2p::data::RouterInfo::eUnreachable | i2p::data::RouterInfo::eSSUTesting); // LU, B
 		// remove NTCP address
@@ -125,11 +185,41 @@ namespace i2p
 		// delete previous introducers
 		for (auto& addr : addresses)
 			addr.introducers.clear ();
-		
+	
 		// update
 		UpdateRouterInfo ();
 	}

+	void RouterContext::SetReachable ()
+	{
+		// update caps
+		uint8_t caps = m_RouterInfo.GetCaps ();
+		caps &= ~i2p::data::RouterInfo::eUnreachable;
+		caps |= i2p::data::RouterInfo::eReachable;
+		caps |= i2p::data::RouterInfo::eSSUIntroducer;
+		if (m_IsFloodfill)
+			caps |= i2p::data::RouterInfo::eFloodfill;
+		m_RouterInfo.SetCaps (caps);
+		
+		// insert NTCP back
+		auto& addresses = m_RouterInfo.GetAddresses ();
+		for (size_t i = 0; i < addresses.size (); i++)
+		{
+			if (addresses[i].transportStyle == i2p::data::RouterInfo::eTransportSSU)
+			{
+				// insert NTCP address with host/port from SSU
+				m_RouterInfo.AddNTCPAddress (addresses[i].host.to_string ().c_str (), addresses[i].port);
+				break;
+			}
+		}		
+		// delete previous introducers
+		for (auto& addr : addresses)
+			addr.introducers.clear ();
+		
+		// update
+		UpdateRouterInfo ();
+	}	
+		
 	void RouterContext::SetSupportsV6 (bool supportsV6)
 	{
 		if (supportsV6)
@@ -174,38 +264,87 @@ namespace i2p
 		if (updated)
 			UpdateRouterInfo ();
 	}
+
+	void RouterContext::UpdateStats ()
+	{
+		if (m_IsFloodfill)
+		{
+			// update routers and leasesets
+			m_RouterInfo.SetProperty (ROUTER_INFO_PROPERTY_LEASESETS, boost::lexical_cast<std::string>(i2p::data::netdb.GetNumLeaseSets ()));
+			m_RouterInfo.SetProperty (ROUTER_INFO_PROPERTY_ROUTERS, boost::lexical_cast<std::string>(i2p::data::netdb.GetNumRouters ()));
+			UpdateRouterInfo (); 
+		}
+	}
 		
 	bool RouterContext::Load ()
 	{
 		std::ifstream fk (i2p::util::filesystem::GetFullPath (ROUTER_KEYS).c_str (), std::ifstream::binary | std::ofstream::in);
 		if (!fk.is_open ())	return false;
-		
-		i2p::data::Keys keys;	
-		fk.read ((char *)&keys, sizeof (keys));
-		m_Keys = keys;
+		fk.seekg (0, std::ios::end);
+		size_t len = fk.tellg();
+		fk.seekg (0, std::ios::beg);		
+
+		if (len == sizeof (i2p::data::Keys)) // old keys file format
+		{
+			i2p::data::Keys keys;	
+			fk.read ((char *)&keys, sizeof (keys));
+			m_Keys = keys;
+		}
+		else // new keys file format
+		{
+			uint8_t * buf = new uint8_t[len];
+			fk.read ((char *)buf, len);
+			m_Keys.FromBuffer (buf, len);
+			delete[] buf;
+		}

 		i2p::data::RouterInfo routerInfo(i2p::util::filesystem::GetFullPath (ROUTER_INFO)); // TODO
+		m_RouterInfo.SetRouterIdentity (GetIdentity ());
 		m_RouterInfo.Update (routerInfo.GetBuffer (), routerInfo.GetBufferLen ());
 		m_RouterInfo.SetProperty ("coreVersion", I2P_VERSION);
 		m_RouterInfo.SetProperty ("router.version", I2P_VERSION);
+
+		if (IsUnreachable ())
+			SetReachable (); // we assume reachable until we discover firewall through peer tests
 		
 		return true;
 	}

 	void RouterContext::SaveKeys ()
 	{	
+		// save in the same format as .dat files
 		std::ofstream fk (i2p::util::filesystem::GetFullPath (ROUTER_KEYS).c_str (), std::ofstream::binary | std::ofstream::out);
-		i2p::data::Keys keys;
-		memcpy (keys.privateKey, m_Keys.GetPrivateKey (), sizeof (keys.privateKey));
-		memcpy (keys.signingPrivateKey, m_Keys.GetSigningPrivateKey (), sizeof (keys.signingPrivateKey));
-		auto& ident = GetIdentity ().GetStandardIdentity ();	
-		memcpy (keys.publicKey, ident.publicKey, sizeof (keys.publicKey));
-		memcpy (keys.signingKey, ident.signingKey, sizeof (keys.signingKey));
-		fk.write ((char *)&keys, sizeof (keys));	
+		size_t len = m_Keys.GetFullLen ();
+		uint8_t * buf = new uint8_t[len];
+		m_Keys.ToBuffer (buf, len);
+		fk.write ((char *)buf, len);
+		delete[] buf;
 	}

-	void RouterContext::HandleI2NPMessage (const uint8_t * buf, size_t len, i2p::tunnel::InboundTunnel * from)
+	std::shared_ptr<i2p::tunnel::TunnelPool> RouterContext::GetTunnelPool () const
+	{
+		return i2p::tunnel::tunnels.GetExploratoryPool (); 
+	}	
+		
+	void RouterContext::HandleI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from)
 	{
 		i2p::HandleI2NPMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf), from));
+	}
+
+	void RouterContext::ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg)
+	{
+		std::unique_lock<std::mutex> l(m_GarlicMutex);
+		i2p::garlic::GarlicDestination::ProcessGarlicMessage (msg);
+	}	
+			
+	void RouterContext::ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg)
+	{
+		std::unique_lock<std::mutex> l(m_GarlicMutex);
+		i2p::garlic::GarlicDestination::ProcessDeliveryStatusMessage (msg);
+	}	
+		
+	uint32_t RouterContext::GetUptime () const
+	{
+		return i2p::util::GetSecondsSinceEpoch () - m_StartupTime;
 	}	
 }
--- a/RouterContext.h
+++ b/RouterContext.h
@@ -4,9 +4,8 @@
 #include <inttypes.h>
 #include <string>
 #include <memory>
+#include <mutex>
 #include <boost/asio.hpp>
-#include <cryptopp/dsa.h>
-#include <cryptopp/osrng.h>
 #include "Identity.h"
 #include "RouterInfo.h"
 #include "Garlic.h"
@@ -17,6 +16,16 @@ namespace i2p
 	const char ROUTER_KEYS[] = "router.keys";	
 	const int ROUTER_INFO_UPDATE_INTERVAL = 1800; // 30 minutes
 	
+	const char ROUTER_INFO_PROPERTY_LEASESETS[] = "netdb.knownLeaseSets";
+	const char ROUTER_INFO_PROPERTY_ROUTERS[] = "netdb.knownRouters";		
+
+	enum RouterStatus
+	{
+		eRouterStatusOK = 0,
+		eRouterStatusTesting = 1,
+		eRouterStatusFirewalled = 2
+	};	
+
 	class RouterContext: public i2p::garlic::GarlicDestination 
 	{
 		public:
@@ -30,29 +39,44 @@ namespace i2p
 				return std::shared_ptr<const i2p::data::RouterInfo> (&m_RouterInfo, 
 					[](const i2p::data::RouterInfo *) {});
 			}
-			CryptoPP::RandomNumberGenerator& GetRandomNumberGenerator () { return m_Rnd; };	
+			uint32_t GetUptime () const;
+			uint32_t GetStartupTime () const { return m_StartupTime; };
+			uint64_t GetLastUpdateTime () const { return m_LastUpdateTime; };
+			RouterStatus GetStatus () const { return m_Status; };
+			void SetStatus (RouterStatus status);

 			void UpdatePort (int port); // called from Daemon
 			void UpdateAddress (const boost::asio::ip::address& host);	// called from SSU or Daemon
-			bool AddIntroducer (const i2p::data::RouterInfo& routerInfo, uint32_t tag);
+			bool AddIntroducer (const i2p::data::RouterInfo::Introducer& introducer);
 			void RemoveIntroducer (const boost::asio::ip::udp::endpoint& e);
-			bool IsUnreachable () const { return m_IsUnreachable; };
-			void SetUnreachable ();				
+			bool IsUnreachable () const;
+			void SetUnreachable ();		
+			void SetReachable ();
+			bool IsFloodfill () const { return m_IsFloodfill; };	
+			void SetFloodfill (bool floodfill);	
+			void SetHighBandwidth ();
+			void SetLowBandwidth ();
 			bool AcceptsTunnels () const { return m_AcceptsTunnels; };
 			void SetAcceptsTunnels (bool acceptsTunnels) { m_AcceptsTunnels = acceptsTunnels; };
 			bool SupportsV6 () const { return m_RouterInfo.IsV6 (); };
 			void SetSupportsV6 (bool supportsV6);
-			void UpdateNTCPV6Address (const boost::asio::ip::address& host); // called from NTCP session				
+			void UpdateNTCPV6Address (const boost::asio::ip::address& host); // called from NTCP session		
+			void UpdateStats ();		

 			// implements LocalDestination
 			const i2p::data::PrivateKeys& GetPrivateKeys () const { return m_Keys; };
 			const uint8_t * GetEncryptionPrivateKey () const { return m_Keys.GetPrivateKey (); };
-			const uint8_t * GetEncryptionPublicKey () const { return GetIdentity ().GetStandardIdentity ().publicKey; };
+			const uint8_t * GetEncryptionPublicKey () const { return GetIdentity ()->GetStandardIdentity ().publicKey; };
 			void SetLeaseSetUpdated () {};

 			// implements GarlicDestination
-			const i2p::data::LeaseSet * GetLeaseSet () { return nullptr; };
-			void HandleI2NPMessage (const uint8_t * buf, size_t len, i2p::tunnel::InboundTunnel * from);
+			std::shared_ptr<const i2p::data::LeaseSet> GetLeaseSet () { return nullptr; };
+			std::shared_ptr<i2p::tunnel::TunnelPool> GetTunnelPool () const;
+			void HandleI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from);
+
+			// override GarlicDestination
+			void ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg);
+			void ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg);	
 			
 		private:

@@ -66,9 +90,11 @@ namespace i2p

 			i2p::data::RouterInfo m_RouterInfo;
 			i2p::data::PrivateKeys m_Keys; 
-			CryptoPP::AutoSeededRandomPool m_Rnd;
 			uint64_t m_LastUpdateTime;
-			bool m_IsUnreachable, m_AcceptsTunnels;
+			bool m_AcceptsTunnels, m_IsFloodfill;
+			uint64_t m_StartupTime; // in seconds since epoch
+			RouterStatus m_Status;
+			std::mutex m_GarlicMutex;
 	};

 	extern RouterContext context;
--- a/RouterInfo.cpp
+++ b/RouterInfo.cpp
@@ -3,15 +3,11 @@
 #include "I2PEndian.h"
 #include <fstream>
 #include <boost/lexical_cast.hpp>
-#include <cryptopp/sha.h>
-#include <cryptopp/dsa.h>
-#include "CryptoConst.h"
-#include "base64.h"
+#include "Crypto.h"
+#include "Base.h"
 #include "Timestamp.h"
 #include "Log.h"
 #include "RouterInfo.h"
-#include "RouterContext.h"
-

 namespace i2p
 {
@@ -36,26 +32,43 @@ namespace data

 	RouterInfo::~RouterInfo ()
 	{
-		delete m_Buffer;
+		delete[] m_Buffer;
 	}	
 		
 	void RouterInfo::Update (const uint8_t * buf, int len)
 	{
-		if (!m_Buffer)	
-			m_Buffer = new uint8_t[MAX_RI_BUFFER_SIZE];
-		m_IsUpdated = true;
-		m_IsUnreachable = false;
-		m_SupportedTransports = 0;
-		m_Caps = 0;
-		m_Addresses.clear ();
-		m_Properties.clear ();
-		memcpy (m_Buffer, buf, len);
-		m_BufferLen = len;
-		ReadFromBuffer (true);
-		// don't delete buffer until save to file
+		// verify signature since we have indentity already
+		int l = len - m_RouterIdentity->GetSignatureLen ();
+		if (m_RouterIdentity->Verify (buf, l, buf + l))
+		{
+			// clean up
+			m_IsUpdated = true;
+			m_IsUnreachable = false;
+			m_SupportedTransports = 0;
+			m_Caps = 0;
+			m_Addresses.clear ();
+			m_Properties.clear ();
+			// copy buffer
+			if (!m_Buffer)	
+				m_Buffer = new uint8_t[MAX_RI_BUFFER_SIZE];
+			memcpy (m_Buffer, buf, len);
+			m_BufferLen = len;
+			// skip identity
+			size_t identityLen = m_RouterIdentity->GetFullLen ();
+			// read new RI	
+			std::stringstream str (std::string ((char *)m_Buffer + identityLen, m_BufferLen - identityLen));
+			ReadFromStream (str);
+			// don't delete buffer until saved to the file
+		}
+		else
+		{	
+			LogPrint (eLogError, "RouterInfo signature verification failed");	
+			m_IsUnreachable = true;
+		}
+		m_RouterIdentity->DropVerifier ();
 	}	
 		
-	void RouterInfo::SetRouterIdentity (const IdentityEx& identity)
+	void RouterInfo::SetRouterIdentity (std::shared_ptr<const IdentityEx> identity)
 	{	
 		m_RouterIdentity = identity;
 		m_Timestamp = i2p::util::GetMillisecondsSinceEpoch ();
@@ -94,15 +107,20 @@ namespace data

 	void RouterInfo::ReadFromBuffer (bool verifySignature)
 	{
-		size_t identityLen = m_RouterIdentity.FromBuffer (m_Buffer, m_BufferLen);
+		m_RouterIdentity = std::make_shared<IdentityEx>(m_Buffer, m_BufferLen);
+		size_t identityLen = m_RouterIdentity->GetFullLen ();
 		std::stringstream str (std::string ((char *)m_Buffer + identityLen, m_BufferLen - identityLen));
 		ReadFromStream (str);
 		if (verifySignature)
 		{	
 			// verify signature
-			int l = m_BufferLen - m_RouterIdentity.GetSignatureLen ();
-			if (!m_RouterIdentity.Verify ((uint8_t *)m_Buffer, l, (uint8_t *)m_Buffer + l))	
-				LogPrint (eLogError, "signature verification failed");
+			int l = m_BufferLen - m_RouterIdentity->GetSignatureLen ();
+			if (!m_RouterIdentity->Verify ((uint8_t *)m_Buffer, l, (uint8_t *)m_Buffer + l))
+			{	
+				LogPrint (eLogError, "RouterInfo signature verification failed");	
+				m_IsUnreachable = true;
+			}
+			m_RouterIdentity->DropVerifier ();
 		}	
 	}	
 	
@@ -146,9 +164,17 @@ namespace data
 					address.host = boost::asio::ip::address::from_string (value, ecode);
 					if (ecode)
 					{	
-						// TODO: we should try to resolve address here
-						LogPrint (eLogWarning, "Unexpected address ", value);
-						isValidAddress = false;
+						if (address.transportStyle == eTransportNTCP)
+						{
+							m_SupportedTransports |= eNTCPV4; // TODO:
+							address.addressString = value;
+						}
+						else
+						{	
+							// TODO: resolve address for SSU
+							LogPrint (eLogWarning, "Unexpected SSU address ", value);
+							isValidAddress = false;
+						}	
 					}	
 					else
 					{
@@ -264,8 +290,13 @@ namespace data
 	void RouterInfo::UpdateCapsProperty ()
 	{	
 		std::string caps;
-		caps += (m_Caps & eHighBandwidth) ? CAPS_FLAG_HIGH_BANDWIDTH1 : CAPS_FLAG_LOW_BANDWIDTH2; // bandwidth
-		if (m_Caps & eFloodfill) caps += CAPS_FLAG_FLOODFILL; // floodfill
+		if (m_Caps & eFloodfill) 
+		{
+			caps += CAPS_FLAG_HIGH_BANDWIDTH3; // highest bandwidth
+			caps += CAPS_FLAG_FLOODFILL; // floodfill  
+		}	
+		else
+			caps += (m_Caps & eHighBandwidth) ? CAPS_FLAG_HIGH_BANDWIDTH3 : CAPS_FLAG_LOW_BANDWIDTH2; // bandwidth		
 		if (m_Caps & eHidden) caps += CAPS_FLAG_HIDDEN; // hidden
 		if (m_Caps & eReachable) caps += CAPS_FLAG_REACHABLE; // reachable
 		if (m_Caps & eUnreachable) caps += CAPS_FLAG_UNREACHABLE; // unreachable
@@ -402,7 +433,7 @@ namespace data
 		if (!m_Buffer)
 		{
 			if (LoadFile ())
-				LogPrint ("Buffer for ", GetIdentHashAbbreviation (), " loaded from file");
+				LogPrint ("Buffer for ", GetIdentHashAbbreviation (GetIdentHash ()), " loaded from file");
 		} 
 		return m_Buffer; 
 	}
@@ -412,7 +443,7 @@ namespace data
 		m_Timestamp = i2p::util::GetMillisecondsSinceEpoch (); // refresh timstamp
 		std::stringstream s;
 		uint8_t ident[1024];
-		auto identLen = privateKeys.GetPublic ().ToBuffer (ident, 1024);
+		auto identLen = privateKeys.GetPublic ()->ToBuffer (ident, 1024);
 		s.write ((char *)ident, identLen);			
 		WriteToStream (s);
 		m_BufferLen = s.str ().size ();
@@ -421,7 +452,7 @@ namespace data
 		memcpy (m_Buffer, s.str ().c_str (), m_BufferLen);
 		// signature
 		privateKeys.Sign ((uint8_t *)m_Buffer, m_BufferLen, (uint8_t *)m_Buffer + m_BufferLen);
-		m_BufferLen += privateKeys.GetPublic ().GetSignatureLen ();
+		m_BufferLen += privateKeys.GetPublic ()->GetSignatureLen ();
 	}	

 	void RouterInfo::SaveToFile (const std::string& fullPath)
@@ -430,10 +461,13 @@ namespace data
 		if (m_Buffer)
 		{	
 			std::ofstream f (fullPath, std::ofstream::binary | std::ofstream::out);
-			f.write ((char *)m_Buffer, m_BufferLen);
-		}	
+			if (f.is_open ())
+				f.write ((char *)m_Buffer, m_BufferLen);
+			else
+				LogPrint(eLogError, "Can't save RouterInfo to ", fullPath);
+		}
 		else
-			LogPrint (eLogError, "Can't save to file");
+			LogPrint (eLogError, "Can't save RouterInfo m_Buffer==NULL");
 	}
 	
 	size_t RouterInfo::ReadString (char * str, std::istream& s)
@@ -461,6 +495,8 @@ namespace data
 		addr.cost = 2;
 		addr.date = 0;
 		addr.mtu = 0;
+		for (auto it: m_Addresses) // don't insert same address twice
+			if (it == addr) return;
 		m_Addresses.push_back(addr);	
 		m_SupportedTransports |= addr.host.is_v6 () ? eNTCPV6 : eNTCPV4;
 	}	
@@ -475,26 +511,23 @@ namespace data
 		addr.date = 0;
 		addr.mtu = mtu; 
 		memcpy (addr.key, key, 32);
+		for (auto it: m_Addresses) // don't insert same address twice
+			if (it == addr) return;
 		m_Addresses.push_back(addr);	
 		m_SupportedTransports |= addr.host.is_v6 () ? eNTCPV6 : eSSUV4;
 		m_Caps |= eSSUTesting; 
 		m_Caps |= eSSUIntroducer; 
 	}	

-	bool RouterInfo::AddIntroducer (const Address * address, uint32_t tag)
+	bool RouterInfo::AddIntroducer (const Introducer& introducer)
 	{
 		for (auto& addr : m_Addresses)
 		{
 			if (addr.transportStyle == eTransportSSU && addr.host.is_v4 ())
 			{	
 				for (auto intro: addr.introducers)
-					if (intro.iTag == tag) return false; // already presented
-				Introducer x;
-				x.iHost = address->host;
-				x.iPort = address->port;
-				x.iTag = tag;
-				memcpy (x.iKey, address->key, 32); // TODO: replace to Tag<32>
-				addr.introducers.push_back (x);
+					if (intro.iTag == introducer.iTag) return false; // already presented
+				addr.introducers.push_back (introducer);
 				return true;
 			}	
 		}	
@@ -531,18 +564,15 @@ namespace data
 		ExtractCaps (caps);
 	}	
 		
-	void RouterInfo::SetProperty (const char * key, const char * value)
+	void RouterInfo::SetProperty (const std::string& key, const std::string& value)
 	{
 		m_Properties[key] = value;
 	}	

-	const char * RouterInfo::GetProperty (const char * key) const
+	void RouterInfo::DeleteProperty (const std::string& key)
 	{
-		auto it = m_Properties.find (key);
-		if (it != m_Properties.end ())
-			return it->second.c_str ();
-		return 0;
-	}	
+		m_Properties.erase (key);
+	}

 	bool RouterInfo::IsFloodfill () const
 	{
@@ -638,5 +668,12 @@ namespace data
 		}	
 		return nullptr;
 	}	
+
+	std::shared_ptr<RouterProfile> RouterInfo::GetProfile () const 
+	{
+		if (!m_Profile)
+			m_Profile = GetRouterProfile (GetIdentHash ());
+		return m_Profile;
+	}	
 }
 }
--- a/RouterInfo.h
+++ b/RouterInfo.h
@@ -8,6 +8,7 @@
 #include <iostream>
 #include <boost/asio.hpp>
 #include "Identity.h"
+#include "Profiling.h"

 namespace i2p
 {
@@ -57,11 +58,12 @@ namespace data
 				eTransportSSU
 			};

+			typedef Tag<32> IntroKey; // should be castable to MacKey and AESKey
 			struct Introducer			
 			{
 				boost::asio::ip::address iHost;
 				int iPort;
-				Tag<32> iKey;
+				IntroKey iKey;
 				uint32_t iTag;
 			};

@@ -69,11 +71,12 @@ namespace data
 			{
 				TransportStyle transportStyle;
 				boost::asio::ip::address host;
+				std::string addressString;
 				int port, mtu;
 				uint64_t date;
 				uint8_t cost;
 				// SSU only
-				Tag<32> key; // intro key for SSU
+				IntroKey key; // intro key for SSU
 				std::vector<Introducer> introducers;

 				bool IsCompatible (const boost::asio::ip::address& other) const 
@@ -81,6 +84,16 @@ namespace data
 					return (host.is_v4 () && other.is_v4 ()) ||
 						(host.is_v6 () && other.is_v6 ());
 				}	
+
+				bool operator==(const Address& other) const
+				{
+					return transportStyle == other.transportStyle && host == other.host && port == other.port;
+				}	
+
+				bool operator!=(const Address& other) const
+				{
+					return !(*this == other);
+				}	
 			};
 			
 			RouterInfo (const std::string& fullPath);
@@ -90,10 +103,9 @@ namespace data
 			RouterInfo (const uint8_t * buf, int len);
 			~RouterInfo ();
 			
-			const IdentityEx& GetRouterIdentity () const { return m_RouterIdentity; };
-			void SetRouterIdentity (const IdentityEx& identity);
+			std::shared_ptr<const IdentityEx> GetRouterIdentity () const { return m_RouterIdentity; };
+			void SetRouterIdentity (std::shared_ptr<const IdentityEx> identity);
 			std::string GetIdentHashBase64 () const { return GetIdentHash ().ToBase64 (); };
-			std::string GetIdentHashAbbreviation () const { return GetIdentHash ().ToBase64 ().substr (0, 4); };
 			uint64_t GetTimestamp () const { return m_Timestamp; };
 			std::vector<Address>& GetAddresses () { return m_Addresses; };
 			const Address * GetNTCPAddress (bool v4only = true) const;
@@ -102,10 +114,11 @@ namespace data
 			
 			void AddNTCPAddress (const char * host, int port);
 			void AddSSUAddress (const char * host, int port, const uint8_t * key, int mtu = 0);
-			bool AddIntroducer (const Address * address, uint32_t tag);
+			bool AddIntroducer (const Introducer& introducer);
 			bool RemoveIntroducer (const boost::asio::ip::udp::endpoint& e);
-			void SetProperty (const char * key, const char * value);
-			const char * GetProperty (const char * key) const;
+			void SetProperty (const std::string& key, const std::string& value); // called from RouterContext only
+			void DeleteProperty (const std::string& key); // called from RouterContext only
+			void ClearProperties () { m_Properties.clear (); };
 			bool IsFloodfill () const;
 			bool IsNTCP (bool v4only = true) const;
 			bool IsSSU (bool v4only = true) const;
@@ -117,6 +130,7 @@ namespace data
 			bool IsIntroducer () const { return m_Caps & eSSUIntroducer; };
 			bool IsPeerTesting () const { return m_Caps & eSSUTesting; };
 			bool IsHidden () const { return m_Caps & eHidden; };
+			bool IsHighBandwidth () const { return m_Caps & RouterInfo::eHighBandwidth; };

 			uint8_t GetCaps () const { return m_Caps; };	
 			void SetCaps (uint8_t caps);
@@ -134,12 +148,15 @@ namespace data
 			void SetUpdated (bool updated) { m_IsUpdated = updated; }; 
 			void SaveToFile (const std::string& fullPath);

+			std::shared_ptr<RouterProfile> GetProfile () const;
+			void SaveProfile () { if (m_Profile) m_Profile->Save (); };
+			
 			void Update (const uint8_t * buf, int len);
-			void DeleteBuffer () { delete m_Buffer; m_Buffer = nullptr; };
+			void DeleteBuffer () { delete[] m_Buffer; m_Buffer = nullptr; };
 			
 			// implements RoutingDestination
-			const IdentHash& GetIdentHash () const { return m_RouterIdentity.GetIdentHash (); };
-			const uint8_t * GetEncryptionPublicKey () const { return m_RouterIdentity.GetStandardIdentity ().publicKey; };
+			const IdentHash& GetIdentHash () const { return m_RouterIdentity->GetIdentHash (); };
+			const uint8_t * GetEncryptionPublicKey () const { return m_RouterIdentity->GetStandardIdentity ().publicKey; };
 			bool IsDestination () const { return false; };

 			
@@ -159,7 +176,7 @@ namespace data
 		private:

 			std::string m_FullPath;
-			IdentityEx m_RouterIdentity;
+			std::shared_ptr<const IdentityEx> m_RouterIdentity;
 			uint8_t * m_Buffer;
 			int m_BufferLen;
 			uint64_t m_Timestamp;
@@ -167,6 +184,7 @@ namespace data
 			std::map<std::string, std::string> m_Properties;
 			bool m_IsUpdated, m_IsUnreachable;
 			uint8_t m_SupportedTransports, m_Caps;
+			mutable std::shared_ptr<RouterProfile> m_Profile;
 	};	
 }	
 }
--- a/SAM.cpp
+++ b/SAM.cpp
@@ -3,11 +3,10 @@
 #ifdef _MSC_VER
 #include <stdlib.h>
 #endif
-#include <boost/bind.hpp>
-#include "base64.h"
+#include <boost/lexical_cast.hpp>
+#include "Base.h"
 #include "Identity.h"
 #include "Log.h"
-#include "NetDb.h"
 #include "Destination.h"
 #include "ClientContext.h"
 #include "SAM.h"
@@ -18,25 +17,28 @@ namespace client
 {
 	SAMSocket::SAMSocket (SAMBridge& owner): 
 		m_Owner (owner), m_Socket (m_Owner.GetService ()), m_Timer (m_Owner.GetService ()),
-		m_SocketType (eSAMSocketTypeUnknown), m_IsSilent (false), m_Stream (nullptr),
-		m_Session (nullptr)
+		m_BufferOffset (0), m_SocketType (eSAMSocketTypeUnknown), m_IsSilent (false), 
+		m_Stream (nullptr), m_Session (nullptr)
 	{
 	}

 	SAMSocket::~SAMSocket ()
 	{
-		if (m_Stream)
-			i2p::stream::DeleteStream (m_Stream);
+		Terminate ();
 	}	

-	void SAMSocket::Terminate ()
+	void SAMSocket::CloseStream ()
 	{
 		if (m_Stream)
+		{	
 			m_Stream->Close ();
-
-		// TODO: make this swap atomic
-		auto session = m_Session;
-		m_Session = nullptr;
+			m_Stream.reset ();
+		}	
+	}	
+		
+	void SAMSocket::Terminate ()
+	{
+		CloseStream ();
 		
 		switch (m_SocketType)
 		{
@@ -45,30 +47,31 @@ namespace client
 			break;
 			case eSAMSocketTypeStream:
 			{
-				if (session)
-					session->sockets.remove (shared_from_this ());
+				if (m_Session)
+					m_Session->sockets.remove (shared_from_this ());
 				break;
 			}
 			case eSAMSocketTypeAcceptor:
 			{
-				if (session)
+				if (m_Session)
 				{
-					session->sockets.remove (shared_from_this ());
-					session->localDestination->StopAcceptingStreams ();
+					m_Session->sockets.remove (shared_from_this ());
+					m_Session->localDestination->StopAcceptingStreams ();
 				}
 				break;
 			}
 			default:
 				;
 		}
+		m_SocketType = eSAMSocketTypeTerminated;
 		m_Socket.close ();
 	}

 	void SAMSocket::ReceiveHandshake ()
 	{
 		m_Socket.async_read_some (boost::asio::buffer(m_Buffer, SAM_SOCKET_BUFFER_SIZE),                
-			boost::bind(&SAMSocket::HandleHandshakeReceived, shared_from_this (), 
-			boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred));
+			std::bind(&SAMSocket::HandleHandshakeReceived, shared_from_this (), 
+			std::placeholders::_1, std::placeholders::_2));
 	}

 	void SAMSocket::HandleHandshakeReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred)
@@ -82,13 +85,45 @@ namespace client
 		else
 		{	
 			m_Buffer[bytes_transferred] = 0;
+			char * eol = (char *)memchr (m_Buffer, '\n', bytes_transferred);
+			if (eol)
+				*eol = 0;
 			LogPrint ("SAM handshake ", m_Buffer);
-			if (!memcmp (m_Buffer, SAM_HANDSHAKE, strlen (SAM_HANDSHAKE)))
+			char * separator = strchr (m_Buffer, ' ');
+			if (separator)
 			{
-				// TODO: check version
-				boost::asio::async_write (m_Socket, boost::asio::buffer (SAM_HANDSHAKE_REPLY, strlen (SAM_HANDSHAKE_REPLY)), boost::asio::transfer_all (),
-        			boost::bind(&SAMSocket::HandleHandshakeReplySent, shared_from_this (), 
-					boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred));
+				separator = strchr (separator + 1, ' ');	
+				if (separator) 
+					*separator = 0;
+			}
+
+			if (!strcmp (m_Buffer, SAM_HANDSHAKE))
+			{
+				std::string version("3.0");
+				// try to find MIN and MAX, 3.0 if not found
+				if (separator)
+				{
+					separator++;
+					std::map<std::string, std::string> params;
+					ExtractParams (separator, params);
+					auto it = params.find (SAM_PARAM_MAX);
+					// TODO: check MIN as well
+					if (it != params.end ())
+						version = it->second;
+				}
+				if (version[0] == '3') // we support v3 (3.0 and 3.1) only
+				{
+#ifdef _MSC_VER
+					size_t l = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_HANDSHAKE_REPLY, version.c_str ());
+#else		
+					size_t l = snprintf (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_HANDSHAKE_REPLY, version.c_str ());
+#endif
+					boost::asio::async_write (m_Socket, boost::asio::buffer (m_Buffer, l), boost::asio::transfer_all (),
+        				std::bind(&SAMSocket::HandleHandshakeReplySent, shared_from_this (), 
+						std::placeholders::_1, std::placeholders::_2));
+				}	
+				else
+					SendMessageReply (SAM_HANDSHAKE_I2P_ERROR, strlen (SAM_HANDSHAKE_I2P_ERROR), true);
 			}
 			else
 			{
@@ -109,17 +144,17 @@ namespace client
 		else
 		{
 			m_Socket.async_read_some (boost::asio::buffer(m_Buffer, SAM_SOCKET_BUFFER_SIZE),                
-				boost::bind(&SAMSocket::HandleMessage, shared_from_this (), 
-				boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred));	
+				std::bind(&SAMSocket::HandleMessage, shared_from_this (), 
+				std::placeholders::_1, std::placeholders::_2));	
 		}	
 	}

 	void SAMSocket::SendMessageReply (const char * msg, size_t len, bool close)
 	{
-		if (!m_IsSilent || m_SocketType == eSAMSocketTypeAcceptor) 
+		if (!m_IsSilent) 
 			boost::asio::async_write (m_Socket, boost::asio::buffer (msg, len), boost::asio::transfer_all (),
-				boost::bind(&SAMSocket::HandleMessageReplySent, shared_from_this (), 
-				boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred, close));
+				std::bind(&SAMSocket::HandleMessageReplySent, shared_from_this (), 
+				std::placeholders::_1, std::placeholders::_2, close));
 		else
 		{
 			if (close)
@@ -154,10 +189,14 @@ namespace client
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
+		else if (m_SocketType == eSAMSocketTypeStream)
+			HandleReceived (ecode, bytes_transferred);
 		else
 		{
+			bytes_transferred += m_BufferOffset;
+			m_BufferOffset = 0;
 			m_Buffer[bytes_transferred] = 0;
-			char * eol = strchr (m_Buffer, '\n');
+			char * eol = (char *)memchr (m_Buffer, '\n', bytes_transferred);
 			if (eol)
 			{
 				*eol = 0;
@@ -180,22 +219,43 @@ namespace client
 						ProcessDestGenerate ();
 					else if (!strcmp (m_Buffer, SAM_NAMING_LOOKUP))
 						ProcessNamingLookup (separator + 1, bytes_transferred - (separator - m_Buffer) - 1);
+					else if (!strcmp (m_Buffer, SAM_DATAGRAM_SEND))
+					{
+						size_t len = bytes_transferred - (separator - m_Buffer) - 1;
+						size_t processed = ProcessDatagramSend (separator + 1, len, eol + 1);
+						if (processed < len)
+						{
+							m_BufferOffset = len - processed;
+							if (processed > 0)
+								memmove (m_Buffer, separator + 1 + processed, m_BufferOffset);
+							else
+							{
+								// restore string back
+								*separator = ' ';
+								*eol = '\n';
+							}
+						}	
+						// since it's SAM v1 reply is not expected
+						Receive ();
+					}
 					else		
 					{	
-						LogPrint ("SAM unexpected message ", m_Buffer);		
+						LogPrint (eLogError, "SAM unexpected message ", m_Buffer);		
 						Terminate ();
 					}
 				}
 				else
 				{
-					LogPrint ("SAM malformed message ", m_Buffer);
+					LogPrint (eLogError, "SAM malformed message ", m_Buffer);
 					Terminate ();
 				}
 			}
 			else
 			{	
-				LogPrint ("SAM malformed message ", m_Buffer);
-				Terminate ();
+				LogPrint (eLogWarning, "SAM incomplete message ", bytes_transferred);
+				m_BufferOffset = bytes_transferred;
+				// try to receive remaining message
+				Receive ();
 			}
 		}
 	}
@@ -204,36 +264,37 @@ namespace client
 	{
 		LogPrint ("SAM session create: ", buf);
 		std::map<std::string, std::string> params;
-		ExtractParams (buf, len, params);
+		ExtractParams (buf, params);
 		std::string& style = params[SAM_PARAM_STYLE]; 
 		std::string& id = params[SAM_PARAM_ID];
 		std::string& destination = params[SAM_PARAM_DESTINATION];
-		m_ID = id;
+		m_ID = id; 
 		if (m_Owner.FindSession (id))
 		{
 			// session exists
 			SendMessageReply (SAM_SESSION_CREATE_DUPLICATED_ID, strlen(SAM_SESSION_CREATE_DUPLICATED_ID), true);
 			return;
 		}
-		m_Session = m_Owner.CreateSession (id, destination == SAM_VALUE_TRANSIENT ? "" : destination); 
+
+		// create destination	
+		m_Session = m_Owner.CreateSession (id, destination == SAM_VALUE_TRANSIENT ? "" : destination, &params); 
 		if (m_Session)
 		{
 			m_SocketType = eSAMSocketTypeSession;
-			if (m_Session->localDestination->IsReady ())
+			if (style == SAM_VALUE_DATAGRAM)
 			{
-				if (style == SAM_VALUE_DATAGRAM)
-				{
-					auto dest = m_Session->localDestination->CreateDatagramDestination ();
-					dest->SetReceiver (std::bind (&SAMSocket::HandleI2PDatagramReceive, shared_from_this (), 
-						std::placeholders::_1, std::placeholders::_2, std::placeholders::_3));
-				}
-				SendSessionCreateReplyOk ();
+				auto dest = m_Session->localDestination->CreateDatagramDestination ();
+				dest->SetReceiver (std::bind (&SAMSocket::HandleI2PDatagramReceive, shared_from_this (), 
+					std::placeholders::_1, std::placeholders::_2, std::placeholders::_3, std::placeholders::_4, std::placeholders::_5));
 			}
+
+			if (m_Session->localDestination->IsReady ())
+				SendSessionCreateReplyOk ();
 			else
 			{
 				m_Timer.expires_from_now (boost::posix_time::seconds(SAM_SESSION_READINESS_CHECK_INTERVAL));
-				m_Timer.async_wait (boost::bind (&SAMSocket::HandleSessionReadinessCheckTimer,
-					shared_from_this (), boost::asio::placeholders::error));	
+				m_Timer.async_wait (std::bind (&SAMSocket::HandleSessionReadinessCheckTimer,
+					shared_from_this (), std::placeholders::_1));	
 			}
 		}
 		else
@@ -249,8 +310,8 @@ namespace client
 			else
 			{
 				m_Timer.expires_from_now (boost::posix_time::seconds(SAM_SESSION_READINESS_CHECK_INTERVAL));
-				m_Timer.async_wait (boost::bind (&SAMSocket::HandleSessionReadinessCheckTimer,
-					shared_from_this (), boost::asio::placeholders::error));
+				m_Timer.async_wait (std::bind (&SAMSocket::HandleSessionReadinessCheckTimer,
+					shared_from_this (), std::placeholders::_1));
 			}	
 		}
 	}
@@ -272,9 +333,9 @@ namespace client

 	void SAMSocket::ProcessStreamConnect (char * buf, size_t len)
 	{
-		LogPrint ("SAM stream connect: ", buf);
+		LogPrint (eLogDebug, "SAM stream connect: ", buf);
 		std::map<std::string, std::string> params;
-		ExtractParams (buf, len, params);
+		ExtractParams (buf, params);
 		std::string& id = params[SAM_PARAM_ID];
 		std::string& destination = params[SAM_PARAM_DESTINATION];
 		std::string& silent = params[SAM_PARAM_SILENT];
@@ -283,26 +344,29 @@ namespace client
 		m_Session = m_Owner.FindSession (id);
 		if (m_Session)
 		{
-			uint8_t ident[1024];
-			size_t l = i2p::data::Base64ToByteStream (destination.c_str (), destination.length (), ident, 1024);
-			i2p::data::IdentityEx dest;
-			dest.FromBuffer (ident, l);
-			auto leaseSet = i2p::data::netdb.FindLeaseSet (dest.GetIdentHash ());
-			if (leaseSet)
-				Connect (*leaseSet);
-			else
+			auto dest = std::make_shared<i2p::data::IdentityEx> ();
+			size_t len = dest->FromBase64(destination);
+			if (len > 0)
 			{
-				i2p::data::netdb.RequestDestination (dest.GetIdentHash (), true, m_Session->localDestination->GetTunnelPool ());
-				m_Timer.expires_from_now (boost::posix_time::seconds(SAM_CONNECT_TIMEOUT));
-				m_Timer.async_wait (boost::bind (&SAMSocket::HandleStreamDestinationRequestTimer,
-					shared_from_this (), boost::asio::placeholders::error, dest.GetIdentHash ()));	
+				context.GetAddressBook().InsertAddress(dest);
+				auto leaseSet = m_Session->localDestination->FindLeaseSet(dest->GetIdentHash());
+				if (leaseSet)
+					Connect(leaseSet);
+				else
+				{
+					m_Session->localDestination->RequestDestination(dest->GetIdentHash(),
+						std::bind(&SAMSocket::HandleConnectLeaseSetRequestComplete,
+						shared_from_this(), std::placeholders::_1));
+				}
 			}
+			else
+				SendMessageReply(SAM_SESSION_STATUS_INVALID_KEY, strlen(SAM_SESSION_STATUS_INVALID_KEY), true);
 		}
-		else	
+		else
 			SendMessageReply (SAM_STREAM_STATUS_INVALID_ID, strlen(SAM_STREAM_STATUS_INVALID_ID), true);		
 	}

-	void SAMSocket::Connect (const i2p::data::LeaseSet& remote)
+	void SAMSocket::Connect (std::shared_ptr<const i2p::data::LeaseSet> remote)
 	{
 		m_SocketType = eSAMSocketTypeStream;
 		m_Session->sockets.push_back (shared_from_this ());
@@ -312,46 +376,22 @@ namespace client
 		SendMessageReply (SAM_STREAM_STATUS_OK, strlen(SAM_STREAM_STATUS_OK), false);
 	}

-	void SAMSocket::HandleStreamDestinationRequestTimer (const boost::system::error_code& ecode, i2p::data::IdentHash ident)
+	void SAMSocket::HandleConnectLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet)
 	{
-		if (!ecode) // timeout expired
+		if (leaseSet)
+			Connect (leaseSet);
+		else
 		{
-			auto leaseSet = m_Session->localDestination->FindLeaseSet (ident);
-			if (leaseSet)
-				Connect (*leaseSet);
-			else
-			{
-				LogPrint ("SAM destination to connect not found");
-				SendMessageReply (SAM_STREAM_STATUS_CANT_REACH_PEER, strlen(SAM_STREAM_STATUS_CANT_REACH_PEER), true);
-			}
-		}
-	}
-
-	void SAMSocket::HandleNamingLookupDestinationRequestTimer (const boost::system::error_code& ecode, i2p::data::IdentHash ident)
-	{
-		if (!ecode) // timeout expired
-		{
-			auto leaseSet = m_Session->localDestination->FindLeaseSet (ident);
-			if (leaseSet)
-				SendNamingLookupReply (leaseSet);
-			else
-			{
-				LogPrint ("SAM name destination not found");
-#ifdef _MSC_VER
-				size_t len = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY_KEY_NOT_FOUND, (ident.ToBase32 () + ".b32.i2p").c_str ());
-#else
-				size_t len = snprintf (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY_KEY_NOT_FOUND, (ident.ToBase32 () + ".b32.i2p").c_str ());
-#endif
-				SendMessageReply (m_Buffer, len, false);
-			}
+			LogPrint ("SAM destination to connect not found");
+			SendMessageReply (SAM_STREAM_STATUS_CANT_REACH_PEER, strlen(SAM_STREAM_STATUS_CANT_REACH_PEER), true);
 		}
 	}

 	void SAMSocket::ProcessStreamAccept (char * buf, size_t len)
 	{
-		LogPrint ("SAM stream accept: ", buf);
+		LogPrint (eLogDebug, "SAM stream accept: ", buf);
 		std::map<std::string, std::string> params;
-		ExtractParams (buf, len, params);
+		ExtractParams (buf, params);
 		std::string& id = params[SAM_PARAM_ID];
 		std::string& silent = params[SAM_PARAM_SILENT];
 		if (silent == SAM_VALUE_TRUE) m_IsSilent = true;	
@@ -373,56 +413,77 @@ namespace client
 			SendMessageReply (SAM_STREAM_STATUS_INVALID_ID, strlen(SAM_STREAM_STATUS_INVALID_ID), true);
 	}

+	size_t SAMSocket::ProcessDatagramSend (char * buf, size_t len, const char * data)
+	{
+		LogPrint (eLogDebug, "SAM datagram send: ", buf, " ", len);
+		std::map<std::string, std::string> params;
+		ExtractParams (buf, params);
+		size_t size = boost::lexical_cast<int>(params[SAM_PARAM_SIZE]), offset = data - buf;
+		if (offset + size <= len)
+		{	
+			if (m_Session)
+			{	
+				auto d = m_Session->localDestination->GetDatagramDestination ();
+				if (d)
+				{
+					i2p::data::IdentityEx dest;
+					dest.FromBase64 (params[SAM_PARAM_DESTINATION]);
+					d->SendDatagramTo ((const uint8_t *)data, size, dest.GetIdentHash ());
+				}
+				else
+					LogPrint (eLogError, "SAM missing datagram destination");
+			}
+			else
+				LogPrint (eLogError, "SAM session is not created from DATAGRAM SEND");
+		}	
+		else
+		{
+			LogPrint (eLogWarning, "SAM sent datagram size ", size, " exceeds buffer ", len - offset);
+			return 0; // try to receive more
+		}	
+		return offset + size;
+	}	
+		
 	void SAMSocket::ProcessDestGenerate ()
 	{
-		LogPrint ("SAM dest generate");
-		auto localDestination = i2p::client::context.CreateNewLocalDestination ();
-		if (localDestination)
-		{
-			uint8_t buf[1024];
-			char priv[1024], pub[1024];
-			size_t l = localDestination->GetPrivateKeys ().ToBuffer (buf, 1024);
-			size_t l1 = i2p::data::ByteStreamToBase64 (buf, l, priv, 1024);
-			priv[l1] = 0;
-
-			l = localDestination->GetIdentity ().ToBuffer (buf, 1024);
-			l1 = i2p::data::ByteStreamToBase64 (buf, l, pub, 1024);
-			pub[l1] = 0;
+		LogPrint (eLogDebug, "SAM dest generate");
+		auto keys = i2p::data::PrivateKeys::CreateRandomKeys ();
 #ifdef _MSC_VER
-			size_t len = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_DEST_REPLY, pub, priv);	
+		size_t len = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_DEST_REPLY, 
+			keys.GetPublic ()->ToBase64 ().c_str (), keys.ToBase64 ().c_str ());
 #else			                        
-			size_t len = snprintf (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_DEST_REPLY, pub, priv);
+		size_t len = snprintf (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_DEST_REPLY, 
+		    keys.GetPublic ()->ToBase64 ().c_str (), keys.ToBase64 ().c_str ());
 #endif
-			SendMessageReply (m_Buffer, len, true);
-		}
-		else
-			SendMessageReply (SAM_DEST_REPLY_I2P_ERROR, strlen(SAM_DEST_REPLY_I2P_ERROR), true);
+		SendMessageReply (m_Buffer, len, false);
 	}

 	void SAMSocket::ProcessNamingLookup (char * buf, size_t len)
 	{
-		LogPrint ("SAM naming lookup: ", buf);
+		LogPrint (eLogDebug, "SAM naming lookup: ", buf);
 		std::map<std::string, std::string> params;
-		ExtractParams (buf, len, params);
+		ExtractParams (buf, params);
 		std::string& name = params[SAM_PARAM_NAME];
+		std::shared_ptr<const i2p::data::IdentityEx> identity;
 		i2p::data::IdentHash ident;
 		if (name == "ME")
-			SendNamingLookupReply (nullptr);
-		else if (m_Session && context.GetAddressBook ().GetIdentHash (name, ident))
+			SendNamingLookupReply (m_Session->localDestination->GetIdentity ());
+		else if ((identity = context.GetAddressBook ().GetAddress (name)) != nullptr)
+			SendNamingLookupReply (identity);
+		else if (m_Session && m_Session->localDestination &&
+			context.GetAddressBook ().GetIdentHash (name, ident))
 		{
 			auto leaseSet = m_Session->localDestination->FindLeaseSet (ident);
 			if (leaseSet)
-				SendNamingLookupReply (leaseSet);
+				SendNamingLookupReply (leaseSet->GetIdentity ());
 			else
-			{
-				i2p::data::netdb.RequestDestination (ident, true, m_Session->localDestination->GetTunnelPool ());
-				m_Timer.expires_from_now (boost::posix_time::seconds(SAM_NAMING_LOOKUP_TIMEOUT));
-				m_Timer.async_wait (boost::bind (&SAMSocket::HandleNamingLookupDestinationRequestTimer,
-					shared_from_this (), boost::asio::placeholders::error, ident));
-			}	
-		}
-		else
+				m_Session->localDestination->RequestDestination (ident, 
+					std::bind (&SAMSocket::HandleNamingLookupLeaseSetRequestComplete,
+					shared_from_this (), std::placeholders::_1, ident));	
+		}	
+		else 
 		{
+			LogPrint ("SAM naming failed. Unknown address ", name);
 #ifdef _MSC_VER
 			size_t len = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY_INVALID_KEY, name.c_str());
 #else				
@@ -432,23 +493,39 @@ namespace client
 		}
 	}	

-	void SAMSocket::SendNamingLookupReply (const i2p::data::LeaseSet * leaseSet)
+	void  SAMSocket::HandleNamingLookupLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet, i2p::data::IdentHash ident)
 	{
-		uint8_t buf[1024];
-		char pub[1024];
-		const i2p::data::IdentityEx& identity = leaseSet ? leaseSet->GetIdentity () : m_Session->localDestination->GetIdentity ();
-		size_t l = identity.ToBuffer (buf, 1024);
-		size_t l1 = i2p::data::ByteStreamToBase64 (buf, l, pub, 1024);
-		pub[l1] = 0;
+		if (leaseSet)
+		{	
+			context.GetAddressBook ().InsertAddress (leaseSet->GetIdentity ());
+			SendNamingLookupReply (leaseSet->GetIdentity ());
+		}	
+		else
+		{
+			LogPrint (eLogInfo, "SAM naming lookup failed. LeaseSet for ", ident.ToBase32 (), " not found");
 #ifdef _MSC_VER
-		size_t l2 = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY, pub); 	
-#else			
-		size_t l2 = snprintf (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY, pub);
+			size_t len = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY_INVALID_KEY, 
+				context.GetAddressBook ().ToAddress (ident).c_str());
+#else				
+			size_t len = snprintf (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY_INVALID_KEY,
+				context.GetAddressBook ().ToAddress (ident).c_str());
 #endif
-		SendMessageReply (m_Buffer, l2, false);
+			SendMessageReply (m_Buffer, len, false);
+		}
+	}	
+		
+	void SAMSocket::SendNamingLookupReply (std::shared_ptr<const i2p::data::IdentityEx> identity)
+	{
+		auto base64 = identity->ToBase64 ();
+#ifdef _MSC_VER
+		size_t l = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY, base64.c_str ()); 	
+#else			
+		size_t l = snprintf (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY, base64.c_str ());
+#endif
+		SendMessageReply (m_Buffer, l, false);
 	}

-	void SAMSocket::ExtractParams (char * buf, size_t len, std::map<std::string, std::string>& params)
+	void SAMSocket::ExtractParams (char * buf, std::map<std::string, std::string>& params)
 	{
 		char * separator;	
 		do
@@ -469,9 +546,15 @@ namespace client

 	void SAMSocket::Receive ()
 	{
-		m_Socket.async_read_some (boost::asio::buffer(m_Buffer, SAM_SOCKET_BUFFER_SIZE),                
-			boost::bind((m_SocketType == eSAMSocketTypeSession) ? &SAMSocket::HandleMessage : &SAMSocket::HandleReceived,
-			shared_from_this (), boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred));
+		if (m_BufferOffset >= SAM_SOCKET_BUFFER_SIZE)
+		{
+			LogPrint (eLogError, "Buffer is full. Terminate");
+			Terminate ();
+			return;
+		}
+		m_Socket.async_read_some (boost::asio::buffer(m_Buffer + m_BufferOffset, SAM_SOCKET_BUFFER_SIZE - m_BufferOffset),                
+			std::bind((m_SocketType == eSAMSocketTypeStream) ? &SAMSocket::HandleReceived : &SAMSocket::HandleMessage,
+			shared_from_this (), std::placeholders::_1, std::placeholders::_2));
 	}

 	void SAMSocket::HandleReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred)
@@ -485,8 +568,17 @@ namespace client
 		else
 		{
 			if (m_Stream)
-				m_Stream->Send ((uint8_t *)m_Buffer, bytes_transferred);
-			Receive ();
+			{	
+				auto s = shared_from_this ();
+				m_Stream->AsyncSend ((uint8_t *)m_Buffer, bytes_transferred,
+					[s](const boost::system::error_code& ecode)
+				    {
+						if (!ecode)
+							s->Receive ();
+						else
+							s->Terminate ();
+					});
+			}	
 		}
 	}

@@ -494,8 +586,8 @@ namespace client
 	{
 		if (m_Stream)
 			m_Stream->AsyncReceive (boost::asio::buffer (m_StreamBuffer, SAM_SOCKET_BUFFER_SIZE),
-				boost::bind (&SAMSocket::HandleI2PReceive, shared_from_this (),
-					boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred),
+				std::bind (&SAMSocket::HandleI2PReceive, shared_from_this (),
+					std::placeholders::_1, std::placeholders::_2),
 				SAM_SOCKET_CONNECTION_MAX_IDLE);
 	}	

@@ -510,7 +602,7 @@ namespace client
 		else
 		{
 			boost::asio::async_write (m_Socket, boost::asio::buffer (m_StreamBuffer, bytes_transferred),
-        		boost::bind (&SAMSocket::HandleWriteI2PData, shared_from_this (), boost::asio::placeholders::error));
+        		std::bind (&SAMSocket::HandleWriteI2PData, shared_from_this (), std::placeholders::_1));
 		}
 	}

@@ -526,47 +618,72 @@ namespace client
 			I2PReceive ();
 	}

-	void SAMSocket::HandleI2PAccept (i2p::stream::Stream * stream)
+	void SAMSocket::HandleI2PAccept (std::shared_ptr<i2p::stream::Stream> stream)
 	{
 		if (stream)
 		{
 			LogPrint ("SAM incoming I2P connection for session ", m_ID);
 			m_Stream = stream;
+			context.GetAddressBook ().InsertAddress (stream->GetRemoteIdentity ());
 			auto session = m_Owner.FindSession (m_ID);
 			if (session)	
 				session->localDestination->StopAcceptingStreams ();	
+			m_SocketType = eSAMSocketTypeStream;
 			if (!m_IsSilent)
 			{
 				// send remote peer address
 				uint8_t ident[1024];
-				size_t l = stream->GetRemoteIdentity ().ToBuffer (ident, 1024);
-				size_t l1 = i2p::data::ByteStreamToBase64 (ident, l, m_Buffer, SAM_SOCKET_BUFFER_SIZE);
-				m_Buffer[l1] = '\n';
-				SendMessageReply (m_Buffer, l1 + 1, false);
+				size_t l = stream->GetRemoteIdentity ()->ToBuffer (ident, 1024);
+				size_t l1 = i2p::data::ByteStreamToBase64 (ident, l, (char *)m_StreamBuffer, SAM_SOCKET_BUFFER_SIZE);
+				m_StreamBuffer[l1] = '\n';
+				HandleI2PReceive (boost::system::error_code (), l1 +1); // we send identity like it has been received from stream
 			}	
-			I2PReceive ();
-		}
-	}	
-
-	void SAMSocket::HandleI2PDatagramReceive (const i2p::data::IdentityEx& ident, const uint8_t * buf, size_t len)
-	{
-		uint8_t identBuf[1024];
-		size_t l = ident.ToBuffer (identBuf, 1024);
-		size_t l1 = i2p::data::ByteStreamToBase64 (identBuf, l, m_Buffer, SAM_SOCKET_BUFFER_SIZE);
-		m_Buffer[l1] = 0;
-#ifdef _MSC_VER
-		size_t l2 = sprintf_s ((char *)m_StreamBuffer, SAM_SOCKET_BUFFER_SIZE, SAM_DATAGRAM_RECEIVED, m_Buffer, len); 	
-#else			
-		size_t l2 = snprintf ((char *)m_StreamBuffer, SAM_SOCKET_BUFFER_SIZE, SAM_DATAGRAM_RECEIVED, m_Buffer, len); 	
-#endif
-		if (len < SAM_SOCKET_BUFFER_SIZE - l2)	
-		{	
-			memcpy (m_StreamBuffer + l2, buf, len);
-			boost::asio::async_write (m_Socket, boost::asio::buffer (m_StreamBuffer, len + l2),
-        		boost::bind (&SAMSocket::HandleWriteI2PData, shared_from_this (), boost::asio::placeholders::error));
+			else
+				I2PReceive ();
 		}
 		else
-			LogPrint (eLogWarning, "Datagram size ", len," exceeds buffer");
+			LogPrint (eLogInfo, "SAM I2P acceptor has been reset");
+	}	
+
+	void SAMSocket::HandleI2PDatagramReceive (const i2p::data::IdentityEx& from, uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len)
+	{
+		LogPrint (eLogDebug, "SAM datagram received ", len);
+		auto base64 = from.ToBase64 ();
+#ifdef _MSC_VER
+		size_t l = sprintf_s ((char *)m_StreamBuffer, SAM_SOCKET_BUFFER_SIZE, SAM_DATAGRAM_RECEIVED, base64.c_str (), len); 	
+#else			
+		size_t l = snprintf ((char *)m_StreamBuffer, SAM_SOCKET_BUFFER_SIZE, SAM_DATAGRAM_RECEIVED, base64.c_str (), len); 	
+#endif
+		if (len < SAM_SOCKET_BUFFER_SIZE - l)	
+		{	
+			memcpy (m_StreamBuffer + l, buf, len);
+			boost::asio::async_write (m_Socket, boost::asio::buffer (m_StreamBuffer, len + l),
+        		std::bind (&SAMSocket::HandleWriteI2PData, shared_from_this (), std::placeholders::_1));
+		}
+		else
+			LogPrint (eLogWarning, "SAM received datagram size ", len," exceeds buffer");
+	}
+
+	SAMSession::SAMSession (std::shared_ptr<ClientDestination> dest):
+		localDestination (dest)
+	{
+	}
+		
+	SAMSession::~SAMSession ()
+	{
+		for (auto it: sockets)
+			it->SetSocketType (eSAMSocketTypeTerminated);
+		i2p::client::context.DeleteLocalDestination (localDestination);
+	}
+
+	void SAMSession::CloseStreams ()
+	{
+		for (auto it: sockets)
+		{	
+			it->CloseStream ();
+			it->SetSocketType (eSAMSocketTypeTerminated);
+		}	
+		sockets.clear ();
 	}

 	SAMBridge::SAMBridge (int port):
@@ -578,7 +695,8 @@ namespace client

 	SAMBridge::~SAMBridge ()
 	{
-		Stop ();
+		if (m_IsRunning)
+			Stop ();
 	}	

 	void SAMBridge::Start ()
@@ -592,6 +710,10 @@ namespace client
 	void SAMBridge::Stop ()
 	{
 		m_IsRunning = false;
+		m_Acceptor.cancel ();
+		for (auto it: m_Sessions)
+			delete it.second;
+		m_Sessions.clear ();
 		m_Service.stop ();
 		if (m_Thread)
 		{	
@@ -619,16 +741,23 @@ namespace client
 	void SAMBridge::Accept ()
 	{
 		auto newSocket = std::make_shared<SAMSocket> (*this);
-		m_Acceptor.async_accept (newSocket->GetSocket (), boost::bind (&SAMBridge::HandleAccept, this,
-			boost::asio::placeholders::error, newSocket));
+		m_Acceptor.async_accept (newSocket->GetSocket (), std::bind (&SAMBridge::HandleAccept, this,
+			std::placeholders::_1, newSocket));
 	}

 	void SAMBridge::HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<SAMSocket> socket)
 	{
 		if (!ecode)
 		{
-			LogPrint ("New SAM connection from ", socket->GetSocket ().remote_endpoint ());
-			socket->ReceiveHandshake ();		
+			boost::system::error_code ec;
+			auto ep = socket->GetSocket ().remote_endpoint (ec);
+			if (!ec)
+			{	
+				LogPrint ("New SAM connection from ", ep);
+				socket->ReceiveHandshake ();
+			}
+			else
+				LogPrint (eLogError, "SAM connection from error ", ec.message ());
 		}
 		else
 			LogPrint ("SAM accept error: ",  ecode.message ());
@@ -637,29 +766,36 @@ namespace client
 			Accept ();
 	}

-	SAMSession * SAMBridge::CreateSession (const std::string& id, const std::string& destination)
+	SAMSession * SAMBridge::CreateSession (const std::string& id, const std::string& destination, 
+		const std::map<std::string, std::string> * params)
 	{
-		ClientDestination * localDestination = nullptr; 
+		std::shared_ptr<ClientDestination> localDestination = nullptr; 
 		if (destination != "")
 		{
-			uint8_t * buf = new uint8_t[destination.length ()];
-			size_t l = i2p::data::Base64ToByteStream (destination.c_str (), destination.length (), buf, destination.length ());
 			i2p::data::PrivateKeys keys;
-			keys.FromBuffer (buf, l);
-			delete[] buf;
-			localDestination = i2p::client::context.CreateNewLocalDestination (keys);
+			keys.FromBase64 (destination);
+			localDestination = i2p::client::context.CreateNewLocalDestination (keys, true, params);
 		}
 		else // transient
-			localDestination = i2p::client::context.CreateNewLocalDestination (); 
+		{
+			// extract signature type
+			i2p::data::SigningKeyType signatureType = i2p::data::SIGNING_KEY_TYPE_DSA_SHA1;
+			if (params)
+			{
+				auto it = params->find (SAM_PARAM_SIGNATURE_TYPE);
+				if (it != params->end ())
+					// TODO: extract string values	
+					signatureType = boost::lexical_cast<int> (it->second);
+			}
+			localDestination = i2p::client::context.CreateNewLocalDestination (true, signatureType, params); 
+		}
 		if (localDestination)
 		{
-			SAMSession session;
-			session.localDestination = localDestination;
 			std::unique_lock<std::mutex> l(m_SessionsMutex);
-			auto ret = m_Sessions.insert (std::pair<std::string, SAMSession>(id, session));
+			auto ret = m_Sessions.insert (std::pair<std::string, SAMSession *>(id, new SAMSession (localDestination)));
 			if (!ret.second)
 				LogPrint ("Session ", id, " already exists");
-			return &(ret.first->second);
+			return ret.first->second;
 		}
 		return nullptr;
 	}
@@ -670,18 +806,20 @@ namespace client
 		auto it = m_Sessions.find (id);
 		if (it != m_Sessions.end ())
 		{
-			it->second.sockets.clear ();
-			it->second.localDestination->Stop ();
+			auto session = it->second;
+			session->localDestination->StopAcceptingStreams ();
+			session->CloseStreams ();
 			m_Sessions.erase (it);
+			delete session;
 		}
 	}

-	SAMSession * SAMBridge::FindSession (const std::string& id)
+	SAMSession * SAMBridge::FindSession (const std::string& id) const
 	{
 		std::unique_lock<std::mutex> l(m_SessionsMutex);
 		auto it = m_Sessions.find (id);
 		if (it != m_Sessions.end ())
-			return &it->second;
+			return it->second;
 		return nullptr;
 	}

@@ -690,7 +828,7 @@ namespace client
 		m_DatagramSocket.async_receive_from (
 			boost::asio::buffer (m_DatagramReceiveBuffer, i2p::datagram::MAX_DATAGRAM_SIZE), 
 			m_SenderEndpoint,
-			boost::bind (&SAMBridge::HandleReceivedDatagram, this, boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred)); 
+			std::bind (&SAMBridge::HandleReceivedDatagram, this, std::placeholders::_1, std::placeholders::_2)); 
 	}

 	void SAMBridge::HandleReceivedDatagram (const boost::system::error_code& ecode, std::size_t bytes_transferred)
@@ -713,20 +851,10 @@ namespace client
 					auto session = FindSession (sessionID);
 					if (session)
 					{	
-						uint8_t ident[1024];
-						size_t l = i2p::data::Base64ToByteStream (destination, strlen(destination), ident, 1024);
 						i2p::data::IdentityEx dest;
-						dest.FromBuffer (ident, l);
-						auto leaseSet = i2p::data::netdb.FindLeaseSet (dest.GetIdentHash ());
-						if (leaseSet)
-							session->localDestination->GetDatagramDestination ()->
-								SendDatagramTo ((uint8_t *)eol, payloadLen, *leaseSet);
-						else
-						{
-							LogPrint ("SAM datagram destination not found");
-							i2p::data::netdb.RequestDestination (dest.GetIdentHash (), true, 
-								session->localDestination->GetTunnelPool ());
-						}	
+						dest.FromBase64 (destination);
+						session->localDestination->GetDatagramDestination ()->
+							SendDatagramTo ((uint8_t *)eol, payloadLen, dest.GetIdentHash ());
 					}	
 					else
 						LogPrint ("Session ", sessionID, " not found");
--- a/SAM.h
+++ b/SAM.h
@@ -18,36 +18,41 @@ namespace i2p
 {
 namespace client
 {
-	const size_t SAM_SOCKET_BUFFER_SIZE = 4096;
-	const int SAM_SOCKET_CONNECTION_MAX_IDLE = 3600; // in seconds	
-	const int SAM_CONNECT_TIMEOUT = 5; // in seconds
-	const int SAM_NAMING_LOOKUP_TIMEOUT = 5; // in seconds
+	const size_t SAM_SOCKET_BUFFER_SIZE = 8192;
+	const int SAM_SOCKET_CONNECTION_MAX_IDLE = 3600; // in seconds
 	const int SAM_SESSION_READINESS_CHECK_INTERVAL = 20; // in seconds	
 	const char SAM_HANDSHAKE[] = "HELLO VERSION";
-	const char SAM_HANDSHAKE_REPLY[] = "HELLO REPLY RESULT=OK VERSION=3.0\n";
+	const char SAM_HANDSHAKE_REPLY[] = "HELLO REPLY RESULT=OK VERSION=%s\n";
+	const char SAM_HANDSHAKE_I2P_ERROR[] = "HELLO REPLY RESULT=I2P_ERROR\n";	
 	const char SAM_SESSION_CREATE[] = "SESSION CREATE";
 	const char SAM_SESSION_CREATE_REPLY_OK[] = "SESSION STATUS RESULT=OK DESTINATION=%s\n";
 	const char SAM_SESSION_CREATE_DUPLICATED_ID[] = "SESSION STATUS RESULT=DUPLICATED_ID\n";
 	const char SAM_SESSION_CREATE_DUPLICATED_DEST[] = "SESSION STATUS RESULT=DUPLICATED_DEST\n";	
+	const char SAM_SESSION_STATUS_INVALID_KEY[] = "SESSION STATUS RESULT=INVALID_KEY\n";
 	const char SAM_STREAM_CONNECT[] = "STREAM CONNECT";
 	const char SAM_STREAM_STATUS_OK[] = "STREAM STATUS RESULT=OK\n";
 	const char SAM_STREAM_STATUS_INVALID_ID[] = "STREAM STATUS RESULT=INVALID_ID\n";
 	const char SAM_STREAM_STATUS_CANT_REACH_PEER[] = "STREAM STATUS RESULT=CANT_REACH_PEER\n";
 	const char SAM_STREAM_STATUS_I2P_ERROR[] = "STREAM STATUS RESULT=I2P_ERROR\n";
 	const char SAM_STREAM_ACCEPT[] = "STREAM ACCEPT";	
+	const char SAM_DATAGRAM_SEND[] = "DATAGRAM SEND";
 	const char SAM_DEST_GENERATE[] = "DEST GENERATE";
 	const char SAM_DEST_REPLY[] = "DEST REPLY PUB=%s PRIV=%s\n";	
 	const char SAM_DEST_REPLY_I2P_ERROR[] = "DEST REPLY RESULT=I2P_ERROR\n";
 	const char SAM_NAMING_LOOKUP[] = "NAMING LOOKUP";
 	const char SAM_NAMING_REPLY[] = "NAMING REPLY RESULT=OK NAME=ME VALUE=%s\n";
-	const char SAM_DATAGRAM_RECEIVED[] = "DATAGRAM_RECEIVED DESTINATION=%s SIZE=%lu\n";	
+	const char SAM_DATAGRAM_RECEIVED[] = "DATAGRAM RECEIVED DESTINATION=%s SIZE=%lu\n";	
 	const char SAM_NAMING_REPLY_INVALID_KEY[] = "NAMING REPLY RESULT=INVALID_KEY NAME=%s\n";
-	const char SAM_NAMING_REPLY_KEY_NOT_FOUND[] = "NAMING REPLY RESULT=INVALID_KEY_NOT_FOUND NAME=%s\n";		
+	const char SAM_NAMING_REPLY_KEY_NOT_FOUND[] = "NAMING REPLY RESULT=INVALID_KEY_NOT_FOUND NAME=%s\n";
+	const char SAM_PARAM_MIN[] = "MIN";	
+	const char SAM_PARAM_MAX[] = "MAX";				
 	const char SAM_PARAM_STYLE[] = "STYLE";		
 	const char SAM_PARAM_ID[] = "ID";	
 	const char SAM_PARAM_SILENT[] = "SILENT";
 	const char SAM_PARAM_DESTINATION[] = "DESTINATION";	
-	const char SAM_PARAM_NAME[] = "NAME";		
+	const char SAM_PARAM_NAME[] = "NAME";
+	const char SAM_PARAM_SIGNATURE_TYPE[] = "SIGNATURE_TYPE";	
+	const char SAM_PARAM_SIZE[] = "SIZE";
 	const char SAM_VALUE_TRANSIENT[] = "TRANSIENT";	
 	const char SAM_VALUE_STREAM[] = "STREAM";
 	const char SAM_VALUE_DATAGRAM[] = "DATAGRAM";
@@ -60,24 +65,28 @@ namespace client
 		eSAMSocketTypeUnknown,
 		eSAMSocketTypeSession,
 		eSAMSocketTypeStream,
-		eSAMSocketTypeAcceptor	
+		eSAMSocketTypeAcceptor,
+		eSAMSocketTypeTerminated
 	};

 	class SAMBridge;
-	class SAMSession;
+	struct SAMSession;
 	class SAMSocket: public std::enable_shared_from_this<SAMSocket>
 	{
 		public:

 			SAMSocket (SAMBridge& owner);
 			~SAMSocket ();			
+			void CloseStream (); // TODO: implement it better	

 			boost::asio::ip::tcp::socket& GetSocket () { return m_Socket; };
 			void ReceiveHandshake ();
+			void SetSocketType (SAMSocketType socketType) { m_SocketType = socketType; };
+			SAMSocketType GetSocketType () const { return m_SocketType; };

 		private:

-			void Terminate ();
+			void Terminate ();	
 			void HandleHandshakeReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred);
 			void HandleHandshakeReplySent (const boost::system::error_code& ecode, std::size_t bytes_transferred);
 			void HandleMessage (const boost::system::error_code& ecode, std::size_t bytes_transferred);
@@ -88,21 +97,22 @@ namespace client

 			void I2PReceive ();	
 			void HandleI2PReceive (const boost::system::error_code& ecode, std::size_t bytes_transferred);
-			void HandleI2PAccept (i2p::stream::Stream * stream);
+			void HandleI2PAccept (std::shared_ptr<i2p::stream::Stream> stream);
 			void HandleWriteI2PData (const boost::system::error_code& ecode);
-			void HandleI2PDatagramReceive (const i2p::data::IdentityEx& ident, const uint8_t * buf, size_t len);
+			void HandleI2PDatagramReceive (const i2p::data::IdentityEx& from, uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len);

 			void ProcessSessionCreate (char * buf, size_t len);
 			void ProcessStreamConnect (char * buf, size_t len);
 			void ProcessStreamAccept (char * buf, size_t len);
 			void ProcessDestGenerate ();
 			void ProcessNamingLookup (char * buf, size_t len);
-			void ExtractParams (char * buf, size_t len, std::map<std::string, std::string>& params);
+			size_t ProcessDatagramSend (char * buf, size_t len, const char * data); // from SAM 1.0	
+			void ExtractParams (char * buf, std::map<std::string, std::string>& params);

-			void Connect (const i2p::data::LeaseSet& remote);
-			void HandleStreamDestinationRequestTimer (const boost::system::error_code& ecode, i2p::data::IdentHash ident);
-			void HandleNamingLookupDestinationRequestTimer (const boost::system::error_code& ecode, i2p::data::IdentHash ident);
-			void SendNamingLookupReply (const i2p::data::LeaseSet * leaseSet);
+			void Connect (std::shared_ptr<const i2p::data::LeaseSet> remote);
+			void HandleConnectLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet);
+			void SendNamingLookupReply (std::shared_ptr<const i2p::data::IdentityEx> identity);
+			void HandleNamingLookupLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet, i2p::data::IdentHash ident);
 			void HandleSessionReadinessCheckTimer (const boost::system::error_code& ecode);
 			void SendSessionCreateReplyOk ();

@@ -112,18 +122,24 @@ namespace client
 			boost::asio::ip::tcp::socket m_Socket;
 			boost::asio::deadline_timer m_Timer;
 			char m_Buffer[SAM_SOCKET_BUFFER_SIZE + 1];
+			size_t m_BufferOffset;
 			uint8_t m_StreamBuffer[SAM_SOCKET_BUFFER_SIZE];
 			SAMSocketType m_SocketType;
 			std::string m_ID; // nickname
 			bool m_IsSilent;
-			i2p::stream::Stream * m_Stream;
+			std::shared_ptr<i2p::stream::Stream> m_Stream;
 			SAMSession * m_Session;
 	};	

 	struct SAMSession
 	{
-		ClientDestination * localDestination;
+		std::shared_ptr<ClientDestination> localDestination;
 		std::list<std::shared_ptr<SAMSocket> > sockets;
+		
+		SAMSession (std::shared_ptr<ClientDestination> dest);		
+		~SAMSession ();
+
+		void CloseStreams ();
 	};

 	class SAMBridge
@@ -137,9 +153,10 @@ namespace client
 			void Stop ();
 			
 			boost::asio::io_service& GetService () { return m_Service; };
-			SAMSession * CreateSession (const std::string& id, const std::string& destination = ""); // empty string  means transient
+			SAMSession * CreateSession (const std::string& id, const std::string& destination, // empty string  means transient
+				const std::map<std::string, std::string> * params);
 			void CloseSession (const std::string& id);
-			SAMSession * FindSession (const std::string& id);
+			SAMSession * FindSession (const std::string& id) const;

 		private:

@@ -159,9 +176,14 @@ namespace client
 			boost::asio::ip::tcp::acceptor m_Acceptor;
 			boost::asio::ip::udp::endpoint m_DatagramEndpoint, m_SenderEndpoint;
 			boost::asio::ip::udp::socket m_DatagramSocket;
-			std::mutex m_SessionsMutex;
-			std::map<std::string, SAMSession> m_Sessions;
+			mutable std::mutex m_SessionsMutex;
+			std::map<std::string, SAMSession *> m_Sessions;
 			uint8_t m_DatagramReceiveBuffer[i2p::datagram::MAX_DATAGRAM_SIZE+1];
+
+		public:
+
+			// for HTTP
+			const decltype(m_Sessions)& GetSessions () const { return m_Sessions; };
 	};		
 }
 }
--- a/SOCKS.cpp
+++ b/SOCKS.cpp
@@ -1,284 +1,574 @@
+#include <cstring>
+#include <cassert>
+#include <string>
+#include <atomic>
 #include "SOCKS.h"
 #include "Identity.h"
-#include "NetDb.h"
+#include "Streaming.h"
 #include "Destination.h"
 #include "ClientContext.h"
-#include <cstring>
-#include <stdexcept>
-#include <boost/date_time/posix_time/posix_time.hpp>
-#include <boost/bind.hpp>
+#include "I2PEndian.h"
+#include "I2PTunnel.h"

 namespace i2p
 {
 namespace proxy
 {
-	const uint8_t socks_leaseset_timeout = 10;
-	const uint8_t socks_timeout = 60;
-		
-	void SOCKS4AHandler::AsyncSockRead()
+	static const size_t socks_buffer_size = 8192;
+	static const size_t max_socks_hostname_size = 255; // Limit for socks5 and bad idea to traverse
+
+	struct SOCKSDnsAddress 
 	{
-		LogPrint("--- socks4a async sock read");
-		if(m_sock) {
-			if (m_state == INITIAL) {
-				m_sock->async_receive(boost::asio::buffer(m_sock_buff, socks_buffer_size),
-						      boost::bind(&SOCKS4AHandler::HandleSockRecv, this,
-								  boost::asio::placeholders::error,
-								  boost::asio::placeholders::bytes_transferred));
-			} else { 
-				m_sock->async_receive(boost::asio::buffer(m_sock_buff, socks_buffer_size),
-						      boost::bind(&SOCKS4AHandler::HandleSockForward, this,
-								  boost::asio::placeholders::error,
-								  boost::asio::placeholders::bytes_transferred));
-			}
-		} else {
-			LogPrint("--- socks4a no socket for read");
+		uint8_t size;
+		char value[max_socks_hostname_size];
+		void FromString (std::string str) 
+		{
+			size = str.length();
+			if (str.length() > max_socks_hostname_size) size = max_socks_hostname_size;
+			memcpy(value,str.c_str(),size);
 		}
-	}
-	
-	void SOCKS4AHandler::AsyncStreamRead()
+		std::string ToString() { return std::string(value, size); }
+		void push_back (char c) { value[size++] = c; }
+	};
+
+	class SOCKSServer;
+	class SOCKSHandler: public i2p::client::I2PServiceHandler, public std::enable_shared_from_this<SOCKSHandler> 
 	{
-		
-		LogPrint("--- socks4a async stream read");
-		if (m_stream) {
-			m_stream->AsyncReceive(
-				boost::asio::buffer(m_stream_buff, socks_buffer_size),
-				boost::bind(&SOCKS4AHandler::HandleStreamRecv, this,
-					    boost::asio::placeholders::error, 
-					    boost::asio::placeholders::bytes_transferred), socks_timeout);
-		} else {
-			LogPrint("--- socks4a no stream for read");
-		}
+		private:
+			enum state 
+			{
+				GET_SOCKSV,
+				GET_COMMAND,
+				GET_PORT,
+				GET_IPV4,
+				GET4_IDENT,
+				GET4A_HOST,
+				GET5_AUTHNUM,
+				GET5_AUTH,
+				GET5_REQUESTV,
+				GET5_GETRSV,
+				GET5_GETADDRTYPE,
+				GET5_IPV6,
+				GET5_HOST_SIZE,
+				GET5_HOST,
+				DONE
+			};
+			enum authMethods 
+			{
+				AUTH_NONE = 0, //No authentication, skip to next step
+				AUTH_GSSAPI = 1, //GSSAPI authentication
+				AUTH_USERPASSWD = 2, //Username and password
+				AUTH_UNACCEPTABLE = 0xff //No acceptable method found
+			};
+			enum addrTypes 
+			{
+				ADDR_IPV4 = 1, //IPv4 address (4 octets)
+				ADDR_DNS = 3, // DNS name (up to 255 octets)
+				ADDR_IPV6 = 4 //IPV6 address (16 octets)
+			};
+			enum errTypes 
+			{
+				SOCKS5_OK = 0, // No error for SOCKS5
+				SOCKS5_GEN_FAIL = 1, // General server failure
+				SOCKS5_RULE_DENIED = 2, // Connection disallowed by ruleset
+				SOCKS5_NET_UNREACH = 3, // Network unreachable
+				SOCKS5_HOST_UNREACH = 4, // Host unreachable
+				SOCKS5_CONN_REFUSED = 5, // Connection refused by the peer
+				SOCKS5_TTL_EXPIRED = 6, // TTL Expired
+				SOCKS5_CMD_UNSUP = 7, // Command unsuported
+				SOCKS5_ADDR_UNSUP = 8, // Address type unsuported
+				SOCKS4_OK = 90, // No error for SOCKS4
+				SOCKS4_FAIL = 91, // Failed establishing connecting or not allowed
+				SOCKS4_IDENTD_MISSING = 92, // Couldn't connect to the identd server
+				SOCKS4_IDENTD_DIFFER = 93 // The ID reported by the application and by identd differ
+			};
+			enum cmdTypes 
+			{
+				CMD_CONNECT = 1, // TCP Connect
+				CMD_BIND = 2, // TCP Bind
+				CMD_UDP = 3 // UDP associate
+			};
+			enum socksVersions 
+			{
+				SOCKS4 = 4, // SOCKS4
+				SOCKS5 = 5 // SOCKS5
+			};
+			union address 
+			{
+				uint32_t ip;
+				SOCKSDnsAddress dns;
+				uint8_t ipv6[16];
+			};
+
+			void EnterState(state nstate, uint8_t parseleft = 1);
+			bool HandleData(uint8_t *sock_buff, std::size_t len);
+			bool ValidateSOCKSRequest();
+			void HandleSockRecv(const boost::system::error_code & ecode, std::size_t bytes_transfered);
+			void Terminate();
+			void AsyncSockRead();
+			boost::asio::const_buffers_1 GenerateSOCKS5SelectAuth(authMethods method);
+			boost::asio::const_buffers_1 GenerateSOCKS4Response(errTypes error, uint32_t ip, uint16_t port);
+			boost::asio::const_buffers_1 GenerateSOCKS5Response(errTypes error, addrTypes type, const address &addr, uint16_t port);
+			bool Socks5ChooseAuth();
+			void SocksRequestFailed(errTypes error);
+			void SocksRequestSuccess();
+			void SentSocksFailed(const boost::system::error_code & ecode);
+			void SentSocksDone(const boost::system::error_code & ecode);
+			void SentSocksResponse(const boost::system::error_code & ecode);
+			void HandleStreamRequestComplete (std::shared_ptr<i2p::stream::Stream> stream);
+
+			uint8_t m_sock_buff[socks_buffer_size];
+			std::shared_ptr<boost::asio::ip::tcp::socket> m_sock;
+			std::shared_ptr<i2p::stream::Stream> m_stream;
+			uint8_t *m_remaining_data; //Data left to be sent
+			uint8_t m_response[7+max_socks_hostname_size];
+			address m_address; //Address
+			std::size_t m_remaining_data_len; //Size of the data left to be sent
+			uint32_t m_4aip; //Used in 4a requests
+			uint16_t m_port;
+			uint8_t m_command;
+			uint8_t m_parseleft; //Octets left to parse
+			authMethods m_authchosen; //Authentication chosen
+			addrTypes m_addrtype; //Address type chosen
+			socksVersions m_socksv; //Socks version
+			cmdTypes m_cmd; // Command requested
+			state m_state;
+
+		public:
+			SOCKSHandler(SOCKSServer * parent, std::shared_ptr<boost::asio::ip::tcp::socket> sock) :
+				I2PServiceHandler(parent), m_sock(sock), m_stream(nullptr),
+				m_authchosen(AUTH_UNACCEPTABLE), m_addrtype(ADDR_IPV4)
+				{ m_address.ip = 0; EnterState(GET_SOCKSV); }
+			~SOCKSHandler() { Terminate(); }
+			void Handle() { AsyncSockRead(); }
+	};
+
+	void SOCKSHandler::AsyncSockRead()
+	{
+		LogPrint(eLogDebug,"--- SOCKS async sock read");
+		if(m_sock)
+			m_sock->async_receive(boost::asio::buffer(m_sock_buff, socks_buffer_size),
+						std::bind(&SOCKSHandler::HandleSockRecv, shared_from_this(),
+								std::placeholders::_1, std::placeholders::_2));
+		else 
+			LogPrint(eLogError,"--- SOCKS no socket for read");
 	}

-        void SOCKS4AHandler::Terminate() {
-                CloseStream();
-                CloseSock();
-                delete this; // ew
-        }
-	
-	void SOCKS4AHandler::SocksFailed()
+	void SOCKSHandler::Terminate() 
 	{
-		LogPrint("--- socks4a failed");
-		m_sock->send(boost::asio::buffer("\x00\x5b 12345"));
-		Terminate();
-	}
-	
-	void SOCKS4AHandler::CloseSock()
-	{
-		if (m_sock) {
-			LogPrint("--- socks4a close sock");
+		if (Kill()) return;
+		if (m_sock) 
+		{
+			LogPrint(eLogDebug,"--- SOCKS close sock");
 			m_sock->close();
-			delete m_sock;
 			m_sock = nullptr;
 		}
+		if (m_stream) 
+		{
+			LogPrint(eLogDebug,"--- SOCKS close stream");
+			m_stream.reset ();
+		}
+		Done(shared_from_this());
 	}

-	void SOCKS4AHandler::CloseStream()
+	boost::asio::const_buffers_1 SOCKSHandler::GenerateSOCKS4Response(SOCKSHandler::errTypes error, uint32_t ip, uint16_t port)
 	{
-		if (m_stream) {
-			LogPrint("--- socks4a close stream");
-			delete m_stream;
-			m_stream = nullptr;
+		assert(error >= SOCKS4_OK);
+		m_response[0] = '\x00'; //Version
+		m_response[1] = error; //Response code
+		htobe16buf(m_response+2,port); //Port
+		htobe32buf(m_response+4,ip); //IP
+		return boost::asio::const_buffers_1(m_response,8);
+	}
+
+	boost::asio::const_buffers_1 SOCKSHandler::GenerateSOCKS5Response(SOCKSHandler::errTypes error, SOCKSHandler::addrTypes type, const SOCKSHandler::address &addr, uint16_t port)
+	{
+		size_t size = 6;
+		assert(error <= SOCKS5_ADDR_UNSUP);
+		m_response[0] = '\x05'; //Version
+		m_response[1] = error; //Response code
+		m_response[2] = '\x00'; //RSV
+		m_response[3] = type; //Address type
+		switch (type) 
+		{
+			case ADDR_IPV4:
+				size = 10;
+				htobe32buf(m_response+4,addr.ip);
+				break;
+			case ADDR_IPV6:
+				size = 22;
+				memcpy(m_response+4,addr.ipv6, 16);
+				break;
+			case ADDR_DNS:
+				size = 7+addr.dns.size;
+				m_response[4] = addr.dns.size;
+				memcpy(m_response+5,addr.dns.value, addr.dns.size);
+				break;
+		}
+		htobe16buf(m_response+size-2,port); //Port
+		return boost::asio::const_buffers_1(m_response,size);
+	}
+
+	bool SOCKSHandler::Socks5ChooseAuth()
+	{
+		m_response[0] = '\x05'; //Version
+		m_response[1] = m_authchosen; //Response code
+		boost::asio::const_buffers_1 response(m_response,2);
+		if (m_authchosen == AUTH_UNACCEPTABLE) 
+		{
+			LogPrint(eLogWarning,"--- SOCKS5 authentication negotiation failed");
+			boost::asio::async_write(*m_sock, response, std::bind(&SOCKSHandler::SentSocksFailed,
+									      shared_from_this(), std::placeholders::_1));
+			return false;
+		} 
+		else 
+		{
+			LogPrint(eLogDebug,"--- SOCKS5 choosing authentication method: ", m_authchosen);
+			boost::asio::async_write(*m_sock, response, std::bind(&SOCKSHandler::SentSocksResponse,
+									      shared_from_this(), std::placeholders::_1));
+			return true;
 		}
 	}

-	const size_t socks_hostname_size = 1024;
-	const size_t socks_ident_size = 1024;
-	const size_t destb32_len = 52;
-	
-	void SOCKS4AHandler::HandleSockForward(const boost::system::error_code & ecode, std::size_t len)
+	/* All hope is lost beyond this point */
+	void SOCKSHandler::SocksRequestFailed(SOCKSHandler::errTypes error)
 	{
-		if(ecode) {
-			LogPrint("--- socks4a forward got error: ", ecode);
-			Terminate();
-			return;
+		boost::asio::const_buffers_1 response(nullptr,0);
+		assert(error != SOCKS4_OK && error != SOCKS5_OK);
+		switch (m_socksv) 
+		{
+			case SOCKS4:
+				LogPrint(eLogWarning,"--- SOCKS4 failed: ", error);
+				if (error < SOCKS4_OK) error = SOCKS4_FAIL; //Transparently map SOCKS5 errors
+				response = GenerateSOCKS4Response(error, m_4aip, m_port);
+			break;
+			case SOCKS5:
+				LogPrint(eLogWarning,"--- SOCKS5 failed: ", error);
+				response = GenerateSOCKS5Response(error, m_addrtype, m_address, m_port);
+			break;
 		}
-		
-		LogPrint("--- socks4a sock forward: ", len);
-		m_stream->Send(m_sock_buff, len);
+		boost::asio::async_write(*m_sock, response, std::bind(&SOCKSHandler::SentSocksFailed,
+								      shared_from_this(), std::placeholders::_1));
 	}

-	void SOCKS4AHandler::HandleSockRecv(const boost::system::error_code & ecode, std::size_t len)
+	void SOCKSHandler::SocksRequestSuccess()
 	{
-		LogPrint("--- socks4a sock recv: ", len);
-		
-		if(ecode) {
-			LogPrint(" --- sock recv got error: ", ecode);
-                        Terminate();
+		boost::asio::const_buffers_1 response(nullptr,0);
+		//TODO: this should depend on things like the command type and callbacks may change
+		switch (m_socksv) 
+		{
+			case SOCKS4:
+				LogPrint(eLogInfo,"--- SOCKS4 connection success");
+				response = GenerateSOCKS4Response(SOCKS4_OK, m_4aip, m_port);
+			break;
+			case SOCKS5:
+				LogPrint(eLogInfo,"--- SOCKS5 connection success");
+				auto s = i2p::client::context.GetAddressBook().ToAddress(GetOwner()->GetLocalDestination()->GetIdentHash());
+				address ad; ad.dns.FromString(s);
+				//HACK only 16 bits passed in port as SOCKS5 doesn't allow for more
+				response = GenerateSOCKS5Response(SOCKS5_OK, ADDR_DNS, ad, m_stream->GetRecvStreamID());
+			break;
+		}
+		boost::asio::async_write(*m_sock, response, std::bind(&SOCKSHandler::SentSocksDone,
+								      shared_from_this(), std::placeholders::_1));
+	}
+
+	void SOCKSHandler::EnterState(SOCKSHandler::state nstate, uint8_t parseleft) {
+		switch (nstate) 
+		{
+			case GET_PORT: parseleft = 2; break;
+			case GET_IPV4: m_addrtype = ADDR_IPV4; m_address.ip = 0; parseleft = 4; break;
+			case GET4_IDENT: m_4aip = m_address.ip; break;
+			case GET4A_HOST:
+			case GET5_HOST: m_addrtype = ADDR_DNS; m_address.dns.size = 0; break;
+			case GET5_IPV6: m_addrtype = ADDR_IPV6; parseleft = 16; break;
+			default:;
+		}
+		m_parseleft = parseleft;
+		m_state = nstate;
+	}
+
+	bool SOCKSHandler::ValidateSOCKSRequest() 
+	{
+		if ( m_cmd != CMD_CONNECT ) 
+		{
+			//TODO: we need to support binds and other shit!
+			LogPrint(eLogError,"--- SOCKS unsupported command: ", m_cmd);
+			SocksRequestFailed(SOCKS5_CMD_UNSUP);
+			return false;
+		}
+		//TODO: we may want to support other address types!
+		if ( m_addrtype != ADDR_DNS ) 
+		{
+			switch (m_socksv) 
+			{
+				case SOCKS5:
+					LogPrint(eLogError,"--- SOCKS5 unsupported address type: ", m_addrtype);
+				break;
+				case SOCKS4:
+					LogPrint(eLogError,"--- SOCKS4a rejected because it's actually SOCKS4");
+				break;
+			}
+			SocksRequestFailed(SOCKS5_ADDR_UNSUP);
+			return false;
+		}
+		//TODO: we may want to support other domains
+		if(m_addrtype == ADDR_DNS && m_address.dns.ToString().find(".i2p") == std::string::npos) 
+		{
+			LogPrint(eLogError,"--- SOCKS invalid hostname: ", m_address.dns.ToString());
+			SocksRequestFailed(SOCKS5_ADDR_UNSUP);
+			return false;
+		}
+		return true;
+	}
+
+	bool SOCKSHandler::HandleData(uint8_t *sock_buff, std::size_t len)
+	{
+		assert(len); // This should always be called with a least a byte left to parse
+		while (len > 0) 
+		{
+			switch (m_state) 
+			{
+				case GET_SOCKSV:
+					m_socksv = (SOCKSHandler::socksVersions) *sock_buff;
+					switch (*sock_buff) 
+					{
+						case SOCKS4:
+							EnterState(GET_COMMAND); //Initialize the parser at the right position
+						break;
+						case SOCKS5:
+							EnterState(GET5_AUTHNUM); //Initialize the parser at the right position
+						break;
+						default:
+							LogPrint(eLogError,"--- SOCKS rejected invalid version: ", ((int)*sock_buff));
+							Terminate();
+							return false;
+					}
+				break;
+				case GET5_AUTHNUM:
+					EnterState(GET5_AUTH, *sock_buff);
+				break;
+				case GET5_AUTH:
+					m_parseleft --;
+					if (*sock_buff == AUTH_NONE)
+						m_authchosen = AUTH_NONE;
+					if ( m_parseleft == 0 ) 
+					{
+						if (!Socks5ChooseAuth()) return false;
+						EnterState(GET5_REQUESTV);
+					}
+				break;
+				case GET_COMMAND:
+					switch (*sock_buff) 
+					{
+						case CMD_CONNECT:
+						case CMD_BIND:
+						break;
+						case CMD_UDP:
+							if (m_socksv == SOCKS5) break;
+						default:
+							LogPrint(eLogError,"--- SOCKS invalid command: ", ((int)*sock_buff));
+							SocksRequestFailed(SOCKS5_GEN_FAIL);
+							return false;
+					}
+					m_cmd = (SOCKSHandler::cmdTypes)*sock_buff;
+					switch (m_socksv) 
+					{
+						case SOCKS5: EnterState(GET5_GETRSV); break;
+						case SOCKS4: EnterState(GET_PORT); break;
+					}
+				break;
+				case GET_PORT:
+					m_port = (m_port << 8)|((uint16_t)*sock_buff);
+					m_parseleft--;
+					if (m_parseleft == 0) 
+					{
+						switch (m_socksv) 
+						{
+							case SOCKS5: EnterState(DONE); break;
+							case SOCKS4: EnterState(GET_IPV4); break;
+						}
+					}
+				break;
+				case GET_IPV4:
+					m_address.ip = (m_address.ip << 8)|((uint32_t)*sock_buff);
+					m_parseleft--;
+					if (m_parseleft == 0) 
+					{
+						switch (m_socksv) 
+						{
+							case SOCKS5: EnterState(GET_PORT); break;
+							case SOCKS4: EnterState(GET4_IDENT); m_4aip = m_address.ip; break;
+						}
+					}
+				break;
+				case GET4_IDENT:
+					if (!*sock_buff) 
+					{
+						if( m_4aip == 0 || m_4aip > 255 )
+							EnterState(DONE);
+						else
+							EnterState(GET4A_HOST);
+					}
+				break;
+				case GET4A_HOST:
+					if (!*sock_buff) 
+					{
+						EnterState(DONE);
+						break;
+					}
+					if (m_address.dns.size >= max_socks_hostname_size) 
+					{
+						LogPrint(eLogError,"--- SOCKS4a destination is too large");
+						SocksRequestFailed(SOCKS4_FAIL);
+						return false;
+					}
+					m_address.dns.push_back(*sock_buff);
+				break;
+				case GET5_REQUESTV:
+					if (*sock_buff != SOCKS5) 
+					{
+						LogPrint(eLogError,"--- SOCKS5 rejected unknown request version: ", ((int)*sock_buff));
+						SocksRequestFailed(SOCKS5_GEN_FAIL);
+						return false;
+					}
+					EnterState(GET_COMMAND);
+				break;
+				case GET5_GETRSV:
+					if ( *sock_buff != 0 ) 
+					{
+						LogPrint(eLogError,"--- SOCKS5 unknown reserved field: ", ((int)*sock_buff));
+						SocksRequestFailed(SOCKS5_GEN_FAIL);
+						return false;
+					}
+					EnterState(GET5_GETADDRTYPE);
+				break;
+				case GET5_GETADDRTYPE:
+					switch (*sock_buff) 
+					{
+						case ADDR_IPV4: EnterState(GET_IPV4); break;
+						case ADDR_IPV6: EnterState(GET5_IPV6); break;
+						case ADDR_DNS : EnterState(GET5_HOST_SIZE); break;
+						default:
+							LogPrint(eLogError,"--- SOCKS5 unknown address type: ", ((int)*sock_buff));
+							SocksRequestFailed(SOCKS5_GEN_FAIL);
+							return false;
+					}
+				break;
+				case GET5_IPV6:
+					m_address.ipv6[16-m_parseleft] = *sock_buff;
+					m_parseleft--;
+					if (m_parseleft == 0) EnterState(GET_PORT);
+				break;
+				case GET5_HOST_SIZE:
+					EnterState(GET5_HOST, *sock_buff);
+				break;
+				case GET5_HOST:
+					m_address.dns.push_back(*sock_buff);
+					m_parseleft--;
+					if (m_parseleft == 0) EnterState(GET_PORT);
+				break;
+				default:
+					LogPrint(eLogError,"--- SOCKS parse state?? ", m_state);
+					Terminate();
+					return false;
+			}
+			sock_buff++;
+			len--;
+			if (m_state == DONE) 
+			{
+				m_remaining_data_len = len;
+				m_remaining_data = sock_buff;
+				return ValidateSOCKSRequest();
+			}
+		}
+		return true;
+	}
+
+	void SOCKSHandler::HandleSockRecv(const boost::system::error_code & ecode, std::size_t len)
+	{
+		LogPrint(eLogDebug,"--- SOCKS sock recv: ", len);
+		if(ecode) 
+		{
+			LogPrint(eLogWarning," --- SOCKS sock recv got error: ", ecode);
+            Terminate();
 			return;
 		}

-		if (m_state == INITIAL) {
-
-			char hostbuff[socks_hostname_size];
-			char identbuff[socks_ident_size];
-			std::memset(hostbuff, 0, sizeof(hostbuff));
-			std::memset(identbuff, 0, sizeof(hostbuff));
-			std::string dest;
-			// get port
-			uint16_t port = 0;
-			uint16_t idx1 = 0;
-			uint16_t idx2 = 0;
-				
-			LogPrint("--- socks4a state initial ", len);
-
-			// check valid request
-			if( m_sock_buff[0] != 4 || m_sock_buff[1] != 1 || m_sock_buff[len-1] ) {
-				LogPrint("--- socks4a rejected invalid");
-				SocksFailed();
-				return;
-			}
-
-			// get port
-			port = m_sock_buff[3] | m_sock_buff[2] << 8;
-
-			// read ident 
-			do {
-				LogPrint("--- socks4a ", (int) m_sock_buff[9+idx1]);
-				identbuff[idx1] = m_sock_buff[8+idx1];
-			} while( identbuff[idx1++] && idx1 < socks_ident_size );
-
-			LogPrint("--- socks4a ident ", identbuff);
-			// read hostname
-			do {
-				hostbuff[idx2] = m_sock_buff[8+idx1+idx2];
-			} while( hostbuff[idx2++] && idx2 < socks_hostname_size );
-
-			LogPrint("--- socks4a requested ", hostbuff, ":" , port);
-
-			dest = std::string(hostbuff);
-			if(dest.find(".b32.i2p") == std::string::npos) {
-				LogPrint("--- socks4a invalid hostname: ", dest);
-				SocksFailed();
-				return;
-			}
-				
-			if ( i2p::data::Base32ToByteStream(hostbuff, destb32_len, (uint8_t *) m_dest, 32) != 32 ) {
-				LogPrint("--- sock4a invalid b32: ", dest);
-			}
-			
-			LogPrint("--- sock4a find lease set");
-			m_ls = i2p::data::netdb.FindLeaseSet(m_dest);
-			if (!m_ls || m_ls->HasNonExpiredLeases()) {
-				i2p::data::netdb.RequestDestination (m_dest, true, i2p::client::context.GetSharedLocalDestination ()->GetTunnelPool ());
-				m_ls_timer.expires_from_now(boost::posix_time::seconds(socks_leaseset_timeout));
-				m_ls_timer.async_wait(boost::bind(&SOCKS4AHandler::LeaseSetTimeout, this, boost::asio::placeholders::error));
-			} else {
-				ConnectionSuccess();
-			}
-		} else {
-			LogPrint("--- socks4a state?? ", m_state);
+		if (HandleData(m_sock_buff, len)) 
+		{
+			if (m_state == DONE) 
+			{
+				LogPrint(eLogInfo,"--- SOCKS requested ", m_address.dns.ToString(), ":" , m_port);
+				GetOwner()->CreateStream ( std::bind (&SOCKSHandler::HandleStreamRequestComplete,
+						shared_from_this(), std::placeholders::_1), m_address.dns.ToString(), m_port);
+			} 
+			else
+				AsyncSockRead();
 		}
 	}
-	
-	void SOCKS4AHandler::HandleStreamRecv(const boost::system::error_code & ecode, std::size_t len)
+
+	void SOCKSHandler::SentSocksFailed(const boost::system::error_code & ecode)
 	{
-		if(ecode) { LogPrint("--- socks4a stream recv error: ", ecode); m_state = END; }
-		switch(m_state) {
-		case INITIAL:
-		case END:
+		if (!ecode) 
+			Terminate();
+		else 
+		{
+			LogPrint (eLogError,"--- SOCKS Closing socket after sending failure because: ", ecode.message ());
 			Terminate();
-                        return;
-		case OKAY:
-			LogPrint("--- socks4a stream recv ", len);
-			boost::asio::async_write(*m_sock, boost::asio::buffer(m_stream_buff, len), 
-						 boost::bind(&SOCKS4AHandler::StreamWrote, this, 
-							     boost::asio::placeholders::error));
 		}
 	}
+
+	void SOCKSHandler::SentSocksDone(const boost::system::error_code & ecode)
+	{
+		if (!ecode) 
+		{
+			if (Kill()) return;
+			LogPrint (eLogInfo,"--- SOCKS New I2PTunnel connection");
+			auto connection = std::make_shared<i2p::client::I2PTunnelConnection>(GetOwner(), m_sock, m_stream);
+			GetOwner()->AddHandler (connection);
+			connection->I2PConnect (m_remaining_data,m_remaining_data_len);
+			Done(shared_from_this());
+		}
+		else
+		{
+			LogPrint (eLogError,"--- SOCKS Closing socket after completion reply because: ", ecode.message ());
+			Terminate();
+		}
+	}
+
+	void SOCKSHandler::SentSocksResponse(const boost::system::error_code & ecode)
+	{
+		if (ecode) 
+		{
+			LogPrint (eLogError,"--- SOCKS Closing socket after sending reply because: ", ecode.message ());
+			Terminate();
+		}
+	}
+
+	void SOCKSHandler::HandleStreamRequestComplete (std::shared_ptr<i2p::stream::Stream> stream)
+	{
+		if (stream) 
+		{
+			m_stream = stream;
+			SocksRequestSuccess();
+		} 
+		else 
+		{
+			LogPrint (eLogError,"--- SOCKS Issue when creating the stream, check the previous warnings for more info.");
+			SocksRequestFailed(SOCKS5_HOST_UNREACH);
+		}
+	}
+
+	SOCKSServer::SOCKSServer(int port, std::shared_ptr<i2p::client::ClientDestination> localDestination) : 
+		TCPIPAcceptor (port, localDestination ? localDestination : i2p::client::context.GetSharedLocalDestination ()) 
+	{
+	}
 	
-	void SOCKS4AHandler::SockWrote(const boost::system::error_code & ecode)
+	std::shared_ptr<i2p::client::I2PServiceHandler> SOCKSServer::CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket)
 	{
-		LogPrint("--- socks4a sock wrote");
-		if(ecode) { LogPrint("--- socks4a SockWrote error: ",ecode); }
-		else { AsyncSockRead(); }
+		return std::make_shared<SOCKSHandler> (this, socket);
 	}

-	void SOCKS4AHandler::StreamWrote(const boost::system::error_code & ecode)
-	{
-		
-		LogPrint("--- socks4a stream wrote");
-		if(ecode) { LogPrint("--- socks4a StreamWrote error: ",ecode); }
-		else { AsyncStreamRead(); }
-	}
-
-	void SOCKS4AHandler::LeaseSetTimeout(const boost::system::error_code & ecode)
-	{
-		m_ls = i2p::data::netdb.FindLeaseSet(m_dest);
-		if(m_ls) {
-			ConnectionSuccess();
-		} else {
-			LogPrint("--- socks4a ls timeout");
-			SocksFailed();
-		}
-	}
-
-	void SOCKS4AHandler::ConnectionSuccess()
-	{
-		LogPrint("--- socks4a connection success");
-		boost::asio::async_write(*m_sock, boost::asio::buffer("\x00\x5a 12345"),
-					 boost::bind(&SOCKS4AHandler::SentConnectionSuccess, this,
-						     boost::asio::placeholders::error));
-	}
-
-	void SOCKS4AHandler::SentConnectionSuccess(const boost::system::error_code & ecode)
-	{
-		LogPrint("--- socks4a making connection");
-		m_stream = i2p::client::context.GetSharedLocalDestination ()->CreateStream(*m_ls);
-		m_state = OKAY;
-		LogPrint("--- socks4a state is ", m_state);
-		AsyncSockRead();
-		AsyncStreamRead();
-	}
-
-	void SOCKS4AServer::Run()
-	{
-		LogPrint("--- socks4a run");
-		m_run = true;
-		while(m_run) {
-			try {
-				m_ios.run();
-			} catch (std::runtime_error & exc) {
-				LogPrint("--- socks4a exception: ", exc.what());
-			}
-		}
-	}
-	
-	void SOCKS4AServer::Accept()
-	{
-		m_new_sock = new boost::asio::ip::tcp::socket(m_ios);
-		m_acceptor.async_accept(*m_new_sock, 
-					boost::bind(
-						&SOCKS4AServer::HandleAccept, this, boost::asio::placeholders::error));
-	}
-
-	void SOCKS4AServer::Start()
-	{
-                m_run = true;
-		m_thread = new std::thread(std::bind(&SOCKS4AServer::Run, this));
-		m_acceptor.listen();
-		Accept();
-	}
-	
-	void SOCKS4AServer::Stop()
-	{
-		m_acceptor.close();
-		m_run = false;
-		m_ios.stop();
-		if (m_thread) {
-			m_thread->join();
-			delete m_thread;
-			m_thread = nullptr;
-		}
-	}
-		
-	void SOCKS4AServer::HandleAccept(const boost::system::error_code & ecode)
-	{
-		if (!ecode) {
-			LogPrint("--- socks4a accepted");
-			new SOCKS4AHandler(&m_ios, m_new_sock);
-			Accept();
-		}
-	}
 }
 }
--- a/SOCKS.h
+++ b/SOCKS.h
@@ -1,97 +1,30 @@
-#ifndef SOCKS4A_H__
-#define SOCKS4A_H__
+#ifndef SOCKS_H__
+#define SOCKS_H__

-#include <thread>
+#include <memory>
+#include <set>
 #include <boost/asio.hpp>
-#include <vector>
 #include <mutex>
-
-#include "Identity.h"
-#include "Streaming.h"
+#include "I2PService.h"

 namespace i2p
 {
 namespace proxy
 {
-
-	const size_t socks_buffer_size = 8192;
-
-	class SOCKS4AHandler {
-
-		private:
-            enum state {
-                    INITIAL,
-                    OKAY,
-                    END
-            };
-
-            void GotClientRequest(boost::system::error_code & ecode, std::string & host, uint16_t port);
-            void HandleSockRecv(const boost::system::error_code & ecode, std::size_t bytes_transfered);
-            void HandleSockForward(const boost::system::error_code & ecode, std::size_t bytes_transfered);
-            void HandleStreamRecv(const boost::system::error_code & ecode, std::size_t bytes_transfered);
-            void Terminate();
-            void CloseSock();
-            void CloseStream();
-            void AsyncSockRead();
-            void AsyncStreamRead();
-            void SocksFailed();
-            void LeaseSetTimeout(const boost::system::error_code & ecode);
-            void StreamWrote(const boost::system::error_code & ecode);		  
-            void SockWrote(const boost::system::error_code & ecode);
-            void SentConnectionSuccess(const boost::system::error_code & ecode);
-            void ConnectionSuccess();
-            
-            uint8_t m_sock_buff[socks_buffer_size];
-            uint8_t m_stream_buff[socks_buffer_size];
-            
-            boost::asio::io_service * m_ios;
-            boost::asio::ip::tcp::socket * m_sock;
-            boost::asio::deadline_timer m_ls_timer;
-            i2p::stream::Stream * m_stream;
-            i2p::data::LeaseSet * m_ls;
-            i2p::data::IdentHash m_dest;
-            state m_state;
-		
-            
+	class SOCKSServer: public i2p::client::TCPIPAcceptor
+	{
 		public:
-			SOCKS4AHandler(boost::asio::io_service * ios, boost::asio::ip::tcp::socket * sock) : 
-				m_ios(ios), m_sock(sock), m_ls_timer(*ios),
-				m_stream(nullptr), m_ls(nullptr), m_state(INITIAL) { AsyncSockRead(); }

-			~SOCKS4AHandler() { CloseSock(); CloseStream(); }
-			bool isComplete() { return m_state == END; }
+			SOCKSServer(int port, std::shared_ptr<i2p::client::ClientDestination> localDestination = nullptr);
+			~SOCKSServer() {};
+
+		protected:
+			// Implements TCPIPAcceptor
+			std::shared_ptr<i2p::client::I2PServiceHandler> CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket);
+			const char* GetName() { return "SOCKS"; }
 	};

-	class SOCKS4AServer {
-		public:
-			SOCKS4AServer(int port) : m_run(false), 
-									  m_thread(nullptr), 
-									  m_work(m_ios),
-									  m_acceptor(m_ios, boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), port)),
-									  m_new_sock(nullptr) { }
-			~SOCKS4AServer() { Stop(); }
-			void Start();
-			void Stop();
-		
-			boost::asio::io_service& GetService () { return m_ios; };	
-
-		private:
-		
-			void Run();
-			void Accept();
-			void HandleAccept(const boost::system::error_code& ecode);
-
-			bool m_run;
-			std::thread * m_thread;
-			boost::asio::io_service m_ios;
-			boost::asio::io_service::work m_work;
-            boost::asio::ip::tcp::acceptor m_acceptor;
-			boost::asio::ip::tcp::socket * m_new_sock;
-		
-
-	};
-
-	typedef SOCKS4AServer SOCKSProxy;
+	typedef SOCKSServer SOCKSProxy;
 }
 }

--- a/SSU.cpp
+++ b/SSU.cpp
@@ -3,15 +3,18 @@
 #include "Log.h"
 #include "Timestamp.h"
 #include "RouterContext.h"
+#include "NetDb.h"
 #include "SSU.h"

 namespace i2p
 {
 namespace transport
 {
-	SSUServer::SSUServer (int port): m_Thread (nullptr), m_Work (m_Service),
-		m_Endpoint (boost::asio::ip::udp::v4 (), port), m_EndpointV6 (boost::asio::ip::udp::v6 (), port),
-		m_Socket (m_Service, m_Endpoint), m_SocketV6 (m_Service), m_IntroducersUpdateTimer (m_Service)	
+	SSUServer::SSUServer (int port): m_Thread (nullptr), m_ThreadV6 (nullptr), m_ReceiversThread (nullptr),
+		m_Work (m_Service), m_WorkV6 (m_ServiceV6), m_ReceiversWork (m_ReceiversService), 
+		m_Endpoint (boost::asio::ip::udp::v4 (), port), m_EndpointV6 (boost::asio::ip::udp::v6 (), port), 
+		m_Socket (m_ReceiversService, m_Endpoint), m_SocketV6 (m_ReceiversService), 
+		m_IntroducersUpdateTimer (m_Service), m_PeerTestsCleanupTimer (m_Service)	
 	{
 		m_Socket.set_option (boost::asio::socket_base::receive_buffer_size (65535));
 		m_Socket.set_option (boost::asio::socket_base::send_buffer_size (65535));
@@ -27,19 +30,21 @@ namespace transport
 	
 	SSUServer::~SSUServer ()
 	{
-		for (auto it: m_Sessions)
-			delete it.second;
 	}

 	void SSUServer::Start ()
 	{
 		m_IsRunning = true;
+		m_ReceiversThread = new std::thread (std::bind (&SSUServer::RunReceivers, this)); 
 		m_Thread = new std::thread (std::bind (&SSUServer::Run, this));
-		m_Service.post (boost::bind (&SSUServer::Receive, this));  
+		m_ReceiversService.post (std::bind (&SSUServer::Receive, this));  
 		if (context.SupportsV6 ())
-			m_Service.post (boost::bind (&SSUServer::ReceiveV6, this));  
-		if (i2p::context.IsUnreachable ())
-			ScheduleIntroducersUpdateTimer ();
+		{	
+			m_ThreadV6 = new std::thread (std::bind (&SSUServer::RunV6, this));
+			m_ReceiversService.post (std::bind (&SSUServer::ReceiveV6, this));  
+		}
+		SchedulePeerTestsCleanupTimer ();	
+		ScheduleIntroducersUpdateTimer (); // wait for 30 seconds and decide if we need introducers
 	}

 	void SSUServer::Stop ()
@@ -48,12 +53,27 @@ namespace transport
 		m_IsRunning = false;
 		m_Service.stop ();
 		m_Socket.close ();
+		m_ServiceV6.stop ();
+		m_SocketV6.close ();
+		m_ReceiversService.stop ();
+		if (m_ReceiversThread)
+		{	
+			m_ReceiversThread->join (); 
+			delete m_ReceiversThread;
+			m_ReceiversThread = nullptr;
+		}
 		if (m_Thread)
 		{	
 			m_Thread->join (); 
 			delete m_Thread;
-			m_Thread = 0;
-		}	
+			m_Thread = nullptr;
+		}
+		if (m_ThreadV6)
+		{	
+			m_ThreadV6->join (); 
+			delete m_ThreadV6;
+			m_ThreadV6 = nullptr;
+		}
 	}

 	void SSUServer::Run () 
@@ -70,13 +90,43 @@ namespace transport
 			}	
 		}	
 	}
-		
+
+	void SSUServer::RunV6 () 
+	{ 
+		while (m_IsRunning)
+		{
+			try
+			{	
+				m_ServiceV6.run ();
+			}
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "SSU V6 server: ", ex.what ());
+			}	
+		}	
+	}	
+
+	void SSUServer::RunReceivers () 
+	{ 
+		while (m_IsRunning)
+		{
+			try
+			{	
+				m_ReceiversService.run ();
+			}
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "SSU receivers: ", ex.what ());
+			}	
+		}	
+	}	
+	
 	void SSUServer::AddRelay (uint32_t tag, const boost::asio::ip::udp::endpoint& relay)
 	{
 		m_Relays[tag] = relay;
 	}	

-	SSUSession * SSUServer::FindRelaySession (uint32_t tag)
+	std::shared_ptr<SSUSession> SSUServer::FindRelaySession (uint32_t tag)
 	{
 		auto it = m_Relays.find (tag);
 		if (it != m_Relays.end ())
@@ -94,54 +144,112 @@ namespace transport

 	void SSUServer::Receive ()
 	{
-		m_Socket.async_receive_from (boost::asio::buffer (m_ReceiveBuffer, SSU_MTU_V4), m_SenderEndpoint,
-			boost::bind (&SSUServer::HandleReceivedFrom, this, boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred)); 
+		SSUPacket * packet = new SSUPacket ();
+		m_Socket.async_receive_from (boost::asio::buffer (packet->buf, SSU_MTU_V4), packet->from,
+			std::bind (&SSUServer::HandleReceivedFrom, this, std::placeholders::_1, std::placeholders::_2, packet)); 
 	}

 	void SSUServer::ReceiveV6 ()
 	{
-		m_SocketV6.async_receive_from (boost::asio::buffer (m_ReceiveBufferV6, SSU_MTU_V6), m_SenderEndpointV6,
-			boost::bind (&SSUServer::HandleReceivedFromV6, this, boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred)); 
+		SSUPacket * packet = new SSUPacket ();
+		m_SocketV6.async_receive_from (boost::asio::buffer (packet->buf, SSU_MTU_V6), packet->from,
+			std::bind (&SSUServer::HandleReceivedFromV6, this, std::placeholders::_1, std::placeholders::_2, packet)); 
 	}	

-	void SSUServer::HandleReceivedFrom (const boost::system::error_code& ecode, std::size_t bytes_transferred)
+	void SSUServer::HandleReceivedFrom (const boost::system::error_code& ecode, std::size_t bytes_transferred, SSUPacket * packet)
 	{
 		if (!ecode)
 		{
-			HandleReceivedBuffer (m_SenderEndpoint, m_ReceiveBuffer, bytes_transferred);
+			packet->len = bytes_transferred;
+			std::vector<SSUPacket *> packets;
+			packets.push_back (packet);
+
+			boost::system::error_code ec;
+			size_t moreBytes = m_Socket.available(ec);
+			while (moreBytes && packets.size () < 25)
+			{
+				packet = new SSUPacket ();
+				packet->len = m_Socket.receive_from (boost::asio::buffer (packet->buf, SSU_MTU_V4), packet->from);
+				packets.push_back (packet);
+				moreBytes = m_Socket.available();
+			}
+
+			m_Service.post (std::bind (&SSUServer::HandleReceivedPackets, this, packets));
 			Receive ();
 		}
 		else
+		{	
 			LogPrint ("SSU receive error: ", ecode.message ());
+			delete packet;
+		}	
 	}

-	void SSUServer::HandleReceivedFromV6 (const boost::system::error_code& ecode, std::size_t bytes_transferred)
+	void SSUServer::HandleReceivedFromV6 (const boost::system::error_code& ecode, std::size_t bytes_transferred, SSUPacket * packet)
 	{
 		if (!ecode)
 		{
-			HandleReceivedBuffer (m_SenderEndpointV6, m_ReceiveBufferV6, bytes_transferred);
+			packet->len = bytes_transferred;
+			std::vector<SSUPacket *> packets;
+			packets.push_back (packet);
+
+			size_t moreBytes = m_SocketV6.available ();
+			while (moreBytes && packets.size () < 25)
+			{
+				packet = new SSUPacket ();
+				packet->len = m_SocketV6.receive_from (boost::asio::buffer (packet->buf, SSU_MTU_V6), packet->from);
+				packets.push_back (packet);
+				moreBytes = m_SocketV6.available();
+			}
+
+			m_ServiceV6.post (std::bind (&SSUServer::HandleReceivedPackets, this, packets));
 			ReceiveV6 ();
 		}
 		else
+		{	
 			LogPrint ("SSU V6 receive error: ", ecode.message ());
+			delete packet;
+		}	
 	}

-	void SSUServer::HandleReceivedBuffer (boost::asio::ip::udp::endpoint& from, uint8_t * buf, std::size_t bytes_transferred)
+	void SSUServer::HandleReceivedPackets (std::vector<SSUPacket *> packets)
 	{
-		SSUSession * session = nullptr;
-		auto it = m_Sessions.find (from);
-		if (it != m_Sessions.end ())
-			session = it->second;
-		if (!session)
+		std::shared_ptr<SSUSession> session;	
+		for (auto it1: packets)
 		{
-			session = new SSUSession (*this, from);
-			m_Sessions[from] = session;
-			LogPrint ("New SSU session from ", from.address ().to_string (), ":", from.port (), " created");
+			auto packet = it1;
+			try
+			{	
+				if (!session || session->GetRemoteEndpoint () != packet->from) // we received packet for other session than previous
+				{
+					if (session) session->FlushData ();
+					auto it = m_Sessions.find (packet->from);
+					if (it != m_Sessions.end ())
+						session = it->second;
+					if (!session)
+					{
+						session = std::make_shared<SSUSession> (*this, packet->from);
+						session->WaitForConnect ();
+						{
+							std::unique_lock<std::mutex> l(m_SessionsMutex);
+							m_Sessions[packet->from] = session;
+						}	
+						LogPrint (eLogInfo, "New SSU session from ", packet->from.address ().to_string (), ":", packet->from.port (), " created");
+					}
+				}
+				session->ProcessNextMessage (packet->buf, packet->len, packet->from);
+			}	
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "SSU: HandleReceivedPackets ", ex.what ());
+				if (session) session->FlushData ();
+				session = nullptr;
+			}	
+			delete packet;
 		}
-		session->ProcessNextMessage (buf, bytes_transferred, from);
+		if (session) session->FlushData ();
 	}

-	SSUSession * SSUServer::FindSession (const i2p::data::RouterInfo * router) const
+	std::shared_ptr<SSUSession> SSUServer::FindSession (std::shared_ptr<const i2p::data::RouterInfo> router) const
 	{
 		if (!router) return nullptr;
 		auto address = router->GetSSUAddress (true); // v4 only
@@ -155,7 +263,7 @@ namespace transport
 		return FindSession (boost::asio::ip::udp::endpoint (address->host, address->port));
 	}	

-	SSUSession * SSUServer::FindSession (const boost::asio::ip::udp::endpoint& e) const
+	std::shared_ptr<SSUSession> SSUServer::FindSession (const boost::asio::ip::udp::endpoint& e) const
 	{
 		auto it = m_Sessions.find (e);
 		if (it != m_Sessions.end ())
@@ -164,9 +272,9 @@ namespace transport
 			return nullptr;
 	}
 		
-	SSUSession * SSUServer::GetSession (std::shared_ptr<const i2p::data::RouterInfo> router, bool peerTest)
+	std::shared_ptr<SSUSession> SSUServer::GetSession (std::shared_ptr<const i2p::data::RouterInfo> router, bool peerTest)
 	{
-		SSUSession * session = nullptr;
+		std::shared_ptr<SSUSession> session;
 		if (router)
 		{
 			auto address = router->GetSSUAddress (!context.SupportsV6 ());
@@ -175,17 +283,23 @@ namespace transport
 				boost::asio::ip::udp::endpoint remoteEndpoint (address->host, address->port);
 				auto it = m_Sessions.find (remoteEndpoint);
 				if (it != m_Sessions.end ())
+				{	
 					session = it->second;
+					if (peerTest && session->GetState () == eSessionStateEstablished)
+						session->SendPeerTest ();
+				}	
 				else
 				{
 					// otherwise create new session					
-					session = new SSUSession (*this, remoteEndpoint, router, peerTest);
-					m_Sessions[remoteEndpoint] = session;
-					
+					session = std::make_shared<SSUSession> (*this, remoteEndpoint, router, peerTest);
+					{
+						std::unique_lock<std::mutex> l(m_SessionsMutex);
+						m_Sessions[remoteEndpoint] = session;
+					}
 					if (!router->UsesIntroducer ())
 					{
 						// connect directly						
-						LogPrint ("Creating new SSU session to [", router->GetIdentHashAbbreviation (), "] ",
+						LogPrint ("Creating new SSU session to [", i2p::data::GetIdentHashAbbreviation (router->GetIdentHash ()), "] ",
 							remoteEndpoint.address ().to_string (), ":", remoteEndpoint.port ());
 						session->Connect ();
 					}
@@ -195,7 +309,7 @@ namespace transport
 						int numIntroducers = address->introducers.size ();
 						if (numIntroducers > 0)
 						{
-							SSUSession * introducerSession = nullptr;
+							std::shared_ptr<SSUSession> introducerSession;
 							const i2p::data::RouterInfo::Introducer * introducer = nullptr;
 							// we might have a session to introducer already
 							for (int i = 0; i < numIntroducers; i++)
@@ -216,73 +330,75 @@ namespace transport
 								LogPrint ("Creating new session to introducer");
 								introducer = &(address->introducers[0]); // TODO:
 								boost::asio::ip::udp::endpoint introducerEndpoint (introducer->iHost, introducer->iPort);
-								introducerSession = new SSUSession (*this, introducerEndpoint, router);
+								introducerSession = std::make_shared<SSUSession> (*this, introducerEndpoint, router);
+								std::unique_lock<std::mutex> l(m_SessionsMutex);
 								m_Sessions[introducerEndpoint] = introducerSession;													
 							}	
 							// introduce
-							LogPrint ("Introduce new SSU session to [", router->GetIdentHashAbbreviation (), 
+							LogPrint ("Introduce new SSU session to [", i2p::data::GetIdentHashAbbreviation (router->GetIdentHash ()), 
 									"] through introducer ", introducer->iHost, ":", introducer->iPort);
 							session->WaitForIntroduction ();	
 							if (i2p::context.GetRouterInfo ().UsesIntroducer ()) // if we are unreachable
-								Send (m_ReceiveBuffer, 0, remoteEndpoint); // send HolePunch
-							introducerSession->Introduce (introducer->iTag, introducer->iKey);
+							{
+								uint8_t buf[1];
+								Send (buf, 0, remoteEndpoint); // send HolePunch
+							}	
+							introducerSession->Introduce (*introducer);
 						}
 						else
 						{	
 							LogPrint (eLogWarning, "Can't connect to unreachable router. No introducers presented");
+							std::unique_lock<std::mutex> l(m_SessionsMutex);
 							m_Sessions.erase (remoteEndpoint);
-							delete session;
-							session = nullptr;
+							session.reset ();
 						}	
 					}
 				}
 			}
 			else
-				LogPrint (eLogWarning, "Router ", router->GetIdentHashAbbreviation (), " doesn't have SSU address");
+				LogPrint (eLogWarning, "Router ", i2p::data::GetIdentHashAbbreviation (router->GetIdentHash ()), " doesn't have SSU address");
 		}
 		return session;
 	}

-	void SSUServer::DeleteSession (SSUSession * session)
+	void SSUServer::DeleteSession (std::shared_ptr<SSUSession> session)
 	{
 		if (session)
 		{
 			session->Close ();
+			std::unique_lock<std::mutex> l(m_SessionsMutex);	
 			m_Sessions.erase (session->GetRemoteEndpoint ());
-			delete session;
 		}	
 	}	

 	void SSUServer::DeleteAllSessions ()
 	{
+		std::unique_lock<std::mutex> l(m_SessionsMutex);
 		for (auto it: m_Sessions)
-		{
 			it.second->Close ();
-			delete it.second;			
-		}	
 		m_Sessions.clear ();
 	}

 	template<typename Filter>
-	SSUSession * SSUServer::GetRandomSession (Filter filter)
+	std::shared_ptr<SSUSession> SSUServer::GetRandomSession (Filter filter)
 	{
-		std::vector<SSUSession *> filteredSessions;
+		std::vector<std::shared_ptr<SSUSession> > filteredSessions;
 		for (auto s :m_Sessions)
 			if (filter (s.second)) filteredSessions.push_back (s.second);
 		if (filteredSessions.size () > 0)
 		{
-			auto ind = i2p::context.GetRandomNumberGenerator ().GenerateWord32 (0, filteredSessions.size ()-1);
+			auto ind = rand () % filteredSessions.size ();
 			return filteredSessions[ind];
 		}
 		return nullptr;	
 	}

-	SSUSession * SSUServer::GetRandomEstablishedSession (const SSUSession * excluded)
+	std::shared_ptr<SSUSession> SSUServer::GetRandomEstablishedSession (std::shared_ptr<const SSUSession> excluded)
 	{
 		return GetRandomSession (
-			[excluded](SSUSession * session)->bool 
+			[excluded](std::shared_ptr<SSUSession> session)->bool 
 			{ 
-				return session->GetState () == eSessionStateEstablished &&
+				return session->GetState () == eSessionStateEstablished && !session->IsV6 () && 
 					session != excluded; 
 			}
 								);
@@ -295,16 +411,16 @@ namespace transport
 		for (int i = 0; i < maxNumIntroducers; i++)
 		{
 			auto session = GetRandomSession (
-				[&ret, ts](SSUSession * session)->bool 
+				[&ret, ts](std::shared_ptr<SSUSession> session)->bool 
 				{ 
-					return session->GetRelayTag () && !ret.count (session) &&
+					return session->GetRelayTag () && !ret.count (session.get ()) &&
 						session->GetState () == eSessionStateEstablished &&
 						ts < session->GetCreationTime () + SSU_TO_INTRODUCER_SESSION_DURATION; 
 				}
 											);	
 			if (session)
 			{
-				ret.insert (session);
+				ret.insert (session.get ());
 				break;
 			}	
 		}
@@ -314,15 +430,24 @@ namespace transport
 	void SSUServer::ScheduleIntroducersUpdateTimer ()
 	{
 		m_IntroducersUpdateTimer.expires_from_now (boost::posix_time::seconds(SSU_KEEP_ALIVE_INTERVAL));
-		m_IntroducersUpdateTimer.async_wait (boost::bind (&SSUServer::HandleIntroducersUpdateTimer,
-			this, boost::asio::placeholders::error));	
+		m_IntroducersUpdateTimer.async_wait (std::bind (&SSUServer::HandleIntroducersUpdateTimer,
+			this, std::placeholders::_1));	
 	}

 	void SSUServer::HandleIntroducersUpdateTimer (const boost::system::error_code& ecode)
 	{
-		if (!ecode)
+		if (ecode != boost::asio::error::operation_aborted)
 		{
 			// timeout expired
+			if (i2p::context.GetStatus () == eRouterStatusTesting)
+			{
+				// we still don't know if we need introducers
+				ScheduleIntroducersUpdateTimer ();
+				return;
+			}	
+			if (i2p::context.GetStatus () == eRouterStatusOK) return; // we don't need introducers anymore
+			// we are firewalled
+			if (!i2p::context.IsUnreachable ()) i2p::context.SetUnreachable ();
 			std::list<boost::asio::ip::udp::endpoint> newList;
 			size_t numIntroducers = 0;
 			uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
@@ -347,19 +472,94 @@ namespace transport
 				{
 					for (auto it1: introducers)
 					{
-						auto router = it1->GetRemoteRouter ();
-						if (router && i2p::context.AddIntroducer (*router, it1->GetRelayTag ()))
+						auto& ep = it1->GetRemoteEndpoint ();
+						i2p::data::RouterInfo::Introducer introducer;
+						introducer.iHost = ep.address ();
+						introducer.iPort = ep.port ();
+						introducer.iTag = it1->GetRelayTag ();
+						introducer.iKey = it1->GetIntroKey ();
+						if (i2p::context.AddIntroducer (introducer))
 						{	
-							newList.push_back (it1->GetRemoteEndpoint ());
+							newList.push_back (ep);
 							if (newList.size () >= SSU_MAX_NUM_INTRODUCERS) break;
 						}	
 					}	
 				}	
 			}	
 			m_Introducers = newList;
+			if (m_Introducers.empty ())
+			{
+				auto introducer = i2p::data::netdb.GetRandomIntroducer ();
+				if (introducer)
+					GetSession (introducer);
+			}	
 			ScheduleIntroducersUpdateTimer ();
 		}	
+	}
+
+	void SSUServer::NewPeerTest (uint32_t nonce, PeerTestParticipant role, std::shared_ptr<SSUSession> session)
+	{
+		m_PeerTests[nonce] = { i2p::util::GetMillisecondsSinceEpoch (), role, session };
+	}
+
+	PeerTestParticipant SSUServer::GetPeerTestParticipant (uint32_t nonce)
+	{
+		auto it = m_PeerTests.find (nonce);
+		if (it != m_PeerTests.end ())
+			return it->second.role;
+		else
+			return ePeerTestParticipantUnknown;
 	}	
+
+	std::shared_ptr<SSUSession> SSUServer::GetPeerTestSession (uint32_t nonce)
+	{
+		auto it = m_PeerTests.find (nonce);
+		if (it != m_PeerTests.end ())
+			return it->second.session;
+		else
+			return nullptr;
+	}
+
+	void SSUServer::UpdatePeerTest (uint32_t nonce, PeerTestParticipant role)
+	{
+		auto it = m_PeerTests.find (nonce);
+		if (it != m_PeerTests.end ())
+			it->second.role = role;
+	}	
+	
+	void SSUServer::RemovePeerTest (uint32_t nonce)
+	{
+		m_PeerTests.erase (nonce);
+	}	
+
+	void SSUServer::SchedulePeerTestsCleanupTimer ()
+	{
+		m_PeerTestsCleanupTimer.expires_from_now (boost::posix_time::seconds(SSU_PEER_TEST_TIMEOUT));
+		m_PeerTestsCleanupTimer.async_wait (std::bind (&SSUServer::HandlePeerTestsCleanupTimer,
+			this, std::placeholders::_1));	
+	}
+
+	void SSUServer::HandlePeerTestsCleanupTimer (const boost::system::error_code& ecode)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+		{
+			int numDeleted = 0;	
+			uint64_t ts = i2p::util::GetMillisecondsSinceEpoch ();	
+			for (auto it = m_PeerTests.begin (); it != m_PeerTests.end ();)
+			{
+				if (ts > it->second.creationTime + SSU_PEER_TEST_TIMEOUT*1000LL)
+				{
+					numDeleted++;
+					it = m_PeerTests.erase (it);
+				}
+				else
+					it++;	 
+			}
+			if (numDeleted > 0)
+				LogPrint (eLogInfo, numDeleted, " peer tests have been expired");
+			SchedulePeerTestsCleanupTimer ();
+		}
+	}
 }
 }

--- a/SSU.h
+++ b/SSU.h
@@ -7,8 +7,9 @@
 #include <list>
 #include <set>
 #include <thread>
+#include <mutex>
 #include <boost/asio.hpp>
-#include "aes.h"
+#include "Crypto.h"
 #include "I2PEndian.h"
 #include "Identity.h"
 #include "RouterInfo.h"
@@ -20,8 +21,16 @@ namespace i2p
 namespace transport
 {
 	const int SSU_KEEP_ALIVE_INTERVAL = 30; // 30 seconds	
+	const int SSU_PEER_TEST_TIMEOUT = 60; // 60 seconds		
 	const int SSU_TO_INTRODUCER_SESSION_DURATION = 3600; // 1 hour
 	const size_t SSU_MAX_NUM_INTRODUCERS = 3;
+
+	struct SSUPacket
+	{
+		i2p::crypto::AESAlignedBuffer<1500> buf;
+		boost::asio::ip::udp::endpoint from;
+		size_t len;
+	};	
 	
 	class SSUServer
 	{
@@ -31,50 +40,68 @@ namespace transport
 			~SSUServer ();
 			void Start ();
 			void Stop ();
-			SSUSession * GetSession (std::shared_ptr<const i2p::data::RouterInfo> router, bool peerTest = false);
-			SSUSession * FindSession (const i2p::data::RouterInfo * router) const;
-			SSUSession * FindSession (const boost::asio::ip::udp::endpoint& e) const;
-			SSUSession * GetRandomEstablishedSession (const SSUSession * excluded);
-			void DeleteSession (SSUSession * session);
+			std::shared_ptr<SSUSession> GetSession (std::shared_ptr<const i2p::data::RouterInfo> router, bool peerTest = false);
+			std::shared_ptr<SSUSession> FindSession (std::shared_ptr<const i2p::data::RouterInfo> router) const;
+			std::shared_ptr<SSUSession> FindSession (const boost::asio::ip::udp::endpoint& e) const;
+			std::shared_ptr<SSUSession> GetRandomEstablishedSession (std::shared_ptr<const SSUSession> excluded);
+			void DeleteSession (std::shared_ptr<SSUSession> session);
 			void DeleteAllSessions ();			

-			boost::asio::io_service& GetService () { return m_Socket.get_io_service(); };
+			boost::asio::io_service& GetService () { return m_Service; };
+			boost::asio::io_service& GetServiceV6 () { return m_ServiceV6; };
 			const boost::asio::ip::udp::endpoint& GetEndpoint () const { return m_Endpoint; };			
 			void Send (const uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& to);
 			void AddRelay (uint32_t tag, const boost::asio::ip::udp::endpoint& relay);
-			SSUSession * FindRelaySession (uint32_t tag);
+			std::shared_ptr<SSUSession> FindRelaySession (uint32_t tag);
+
+			void NewPeerTest (uint32_t nonce, PeerTestParticipant role, std::shared_ptr<SSUSession> session = nullptr);
+			PeerTestParticipant GetPeerTestParticipant (uint32_t nonce);
+			std::shared_ptr<SSUSession> GetPeerTestSession (uint32_t nonce);
+			void UpdatePeerTest (uint32_t nonce, PeerTestParticipant role);
+			void RemovePeerTest (uint32_t nonce);

 		private:

 			void Run ();
+			void RunV6 ();
+			void RunReceivers ();
 			void Receive ();
 			void ReceiveV6 ();
-			void HandleReceivedFrom (const boost::system::error_code& ecode, std::size_t bytes_transferred);
-			void HandleReceivedFromV6 (const boost::system::error_code& ecode, std::size_t bytes_transferred);
-			void HandleReceivedBuffer (boost::asio::ip::udp::endpoint& from, uint8_t * buf, std::size_t bytes_transferred);
+			void HandleReceivedFrom (const boost::system::error_code& ecode, std::size_t bytes_transferred, SSUPacket * packet);
+			void HandleReceivedFromV6 (const boost::system::error_code& ecode, std::size_t bytes_transferred, SSUPacket * packet);
+			void HandleReceivedPackets (std::vector<SSUPacket *> packets);

 			template<typename Filter>
-			SSUSession * GetRandomSession (Filter filter);
+			std::shared_ptr<SSUSession> GetRandomSession (Filter filter);
 			
 			std::set<SSUSession *> FindIntroducers (int maxNumIntroducers);	
 			void ScheduleIntroducersUpdateTimer ();
 			void HandleIntroducersUpdateTimer (const boost::system::error_code& ecode);
-			
+
+			void SchedulePeerTestsCleanupTimer ();
+			void HandlePeerTestsCleanupTimer (const boost::system::error_code& ecode);
+
 		private:

+			struct PeerTest
+			{
+				uint64_t creationTime;
+				PeerTestParticipant role;
+				std::shared_ptr<SSUSession> session; // for Bob to Alice
+			};	
+			
 			bool m_IsRunning;
-			std::thread * m_Thread;	
-			boost::asio::io_service m_Service;
-			boost::asio::io_service::work m_Work;
+			std::thread * m_Thread, * m_ThreadV6, * m_ReceiversThread;	
+			boost::asio::io_service m_Service, m_ServiceV6, m_ReceiversService;
+			boost::asio::io_service::work m_Work, m_WorkV6, m_ReceiversWork;
 			boost::asio::ip::udp::endpoint m_Endpoint, m_EndpointV6;
 			boost::asio::ip::udp::socket m_Socket, m_SocketV6;
-			boost::asio::ip::udp::endpoint m_SenderEndpoint, m_SenderEndpointV6;
-			boost::asio::deadline_timer m_IntroducersUpdateTimer;
+			boost::asio::deadline_timer m_IntroducersUpdateTimer, m_PeerTestsCleanupTimer;
 			std::list<boost::asio::ip::udp::endpoint> m_Introducers; // introducers we are connected to
-			i2p::crypto::AESAlignedBuffer<2*SSU_MTU_V4> m_ReceiveBuffer;
-			i2p::crypto::AESAlignedBuffer<2*SSU_MTU_V6> m_ReceiveBufferV6; 
-			std::map<boost::asio::ip::udp::endpoint, SSUSession *> m_Sessions;
+			mutable std::mutex m_SessionsMutex;
+			std::map<boost::asio::ip::udp::endpoint, std::shared_ptr<SSUSession> > m_Sessions;
 			std::map<uint32_t, boost::asio::ip::udp::endpoint> m_Relays; // we are introducer
+			std::map<uint32_t, PeerTest> m_PeerTests; // nonce -> creation time in milliseconds

 		public:
 			// for HTTP only
--- a/SSUData.cpp
+++ b/SSUData.cpp
@@ -10,31 +10,48 @@ namespace i2p
 {
 namespace transport
 {
-	SSUData::SSUData (SSUSession& session):
-		m_Session (session), m_ResendTimer (session.m_Server.GetService ())
+	void IncompleteMessage::AttachNextFragment (const uint8_t * fragment, size_t fragmentSize)
+	{
+		if (msg->len + fragmentSize > msg->maxLen)
+		{
+			LogPrint (eLogInfo, "SSU I2NP message size ", msg->maxLen, " is not enough");
+			auto newMsg = ToSharedI2NPMessage(NewI2NPMessage ());
+			*newMsg = *msg;
+			msg = newMsg;
+		}
+		memcpy (msg->buf + msg->len, fragment, fragmentSize);
+		msg->len += fragmentSize;
+		nextFragmentNum++;
+	}
+
+	SSUData::SSUData (SSUSession& session):
+		m_Session (session), m_ResendTimer (session.GetService ()), m_DecayTimer (session.GetService ()),
+		m_IncompleteMessagesCleanupTimer (session.GetService ()), 
+		m_MaxPacketSize (session.IsV6 () ? SSU_V6_MAX_PACKET_SIZE : SSU_V4_MAX_PACKET_SIZE), 
+		m_PacketSize (m_MaxPacketSize)
 	{
-		m_MaxPacketSize = session.IsV6 () ? SSU_V6_MAX_PACKET_SIZE : SSU_V4_MAX_PACKET_SIZE;
-		m_PacketSize = m_MaxPacketSize;
-		auto remoteRouter = session.GetRemoteRouter ();
-		if (remoteRouter)
-			AdjustPacketSize (*remoteRouter);
 	}

 	SSUData::~SSUData ()
 	{
-		for (auto it: m_IncomleteMessages)
-			if (it.second)
-			{
-				DeleteI2NPMessage (it.second->msg);
-				delete it.second;
-			}	
-		for (auto it: m_SentMessages)
-			delete it.second;
 	}

-	void SSUData::AdjustPacketSize (const i2p::data::RouterInfo& remoteRouter)
+	void SSUData::Start ()
 	{
-		auto ssuAddress = remoteRouter.GetSSUAddress ();
+		ScheduleIncompleteMessagesCleanup ();
+	}	
+		
+	void SSUData::Stop ()
+	{
+		m_ResendTimer.cancel ();
+		m_DecayTimer.cancel ();
+		m_IncompleteMessagesCleanupTimer.cancel ();
+	}	
+		
+	void SSUData::AdjustPacketSize (std::shared_ptr<const i2p::data::RouterInfo> remoteRouter)
+	{
+		if (remoteRouter) return;
+		auto ssuAddress = remoteRouter->GetSSUAddress ();
 		if (ssuAddress && ssuAddress->mtu)
 		{
 			if (m_Session.IsV6 ())
@@ -61,7 +78,7 @@ namespace transport
 	{
 		auto routerInfo = i2p::data::netdb.FindRouter (remoteIdent);
 		if (routerInfo)
-			AdjustPacketSize (*routerInfo);
+			AdjustPacketSize (routerInfo);
 	}

 	void SSUData::ProcessSentMessageAck (uint32_t msgID)
@@ -69,7 +86,6 @@ namespace transport
 		auto it = m_SentMessages.find (msgID);
 		if (it != m_SentMessages.end ())
 		{
-			delete it->second;
 			m_SentMessages.erase (it);	
 			if (m_SentMessages.empty ())
 				m_ResendTimer.cancel ();
@@ -84,7 +100,7 @@ namespace transport
 			uint8_t numAcks =*buf;
 			buf++;
 			for (int i = 0; i < numAcks; i++)
-				ProcessSentMessageAck (be32toh (((uint32_t *)buf)[i]));
+				ProcessSentMessageAck (bufbe32toh (buf+i*4));
 			buf += numAcks*4;
 		}
 		if (flag & DATA_FLAG_ACK_BITFIELDS_INCLUDED)
@@ -94,7 +110,7 @@ namespace transport
 			buf++;
 			for (int i = 0; i < numBitfields; i++)
 			{
-				uint32_t msgID = be32toh (*(uint32_t *)buf);
+				uint32_t msgID = bufbe32toh (buf);
 				buf += 4; // msgID
 				auto it = m_SentMessages.find (msgID);		
 				// process individual Ack bitfields
@@ -115,10 +131,7 @@ namespace transport
 							if (bitfield & mask)
 							{
 								if (fragment < numSentFragments)
-								{
-									delete it->second->fragments[fragment];
-									it->second->fragments[fragment] = nullptr;
-								}	
+									it->second->fragments[fragment].reset (nullptr);
 							}				
 							fragment++;
 							mask <<= 1;
@@ -137,17 +150,16 @@ namespace transport
 		buf++;
 		for (int i = 0; i < numFragments; i++)
 		{	
-			uint32_t msgID = be32toh (*(uint32_t *)buf); // message ID
+			uint32_t msgID = bufbe32toh (buf); // message ID
 			buf += 4;
 			uint8_t frag[4];
 			frag[0] = 0;
 			memcpy (frag + 1, buf, 3);
 			buf += 3;
-			uint32_t fragmentInfo = be32toh (*(uint32_t *)frag); // fragment info
+			uint32_t fragmentInfo = bufbe32toh (frag); // fragment info
 			uint16_t fragmentSize = fragmentInfo & 0x1FFF; // bits 0 - 13
 			bool isLast = fragmentInfo & 0x010000; // bit 16	
-			uint8_t fragmentNum = fragmentInfo >> 17; // bits 23 - 17
-			LogPrint (eLogDebug, "SSU data fragment ", (int)fragmentNum, " of message ", msgID, " size=", (int)fragmentSize, isLast ? " last" : " non-last"); 		
+			uint8_t fragmentNum = fragmentInfo >> 17; // bits 23 - 17 		
 			if (fragmentSize >= SSU_V4_MAX_PACKET_SIZE)
 			{
 				LogPrint (eLogError, "Fragment size ", fragmentSize, "exceeds max SSU packet size");
@@ -155,45 +167,33 @@ namespace transport
 			}

 			//  find message with msgID
-			I2NPMessage * msg = nullptr;
-			IncompleteMessage * incompleteMessage = nullptr;
-			auto it = m_IncomleteMessages.find (msgID);
-			if (it != m_IncomleteMessages.end ()) 
-			{	
-				// message exists
-				incompleteMessage = it->second;
-				msg = incompleteMessage->msg;
-			}	
-			else
+			auto it = m_IncompleteMessages.find (msgID);
+			if (it == m_IncompleteMessages.end ()) 
 			{
 				// create new message
-				msg = NewI2NPMessage ();
-				msg->len -= sizeof (I2NPHeaderShort);
-				incompleteMessage = new IncompleteMessage (msg);
-				m_IncomleteMessages[msgID] = incompleteMessage;
-			}	
+				auto msg = ToSharedI2NPMessage (NewI2NPShortMessage ());
+				msg->len -= I2NP_SHORT_HEADER_SIZE;
+				it = m_IncompleteMessages.insert (std::make_pair (msgID, 
+					std::unique_ptr<IncompleteMessage>(new IncompleteMessage (msg)))).first;
+			}
+			std::unique_ptr<IncompleteMessage>& incompleteMessage = it->second;

 			// handle current fragment
 			if (fragmentNum == incompleteMessage->nextFragmentNum)
 			{
 				// expected fragment
-				memcpy (msg->buf + msg->len, buf, fragmentSize);
-				msg->len += fragmentSize;
-				incompleteMessage->nextFragmentNum++;
+				incompleteMessage->AttachNextFragment (buf, fragmentSize);
 				if (!isLast && !incompleteMessage->savedFragments.empty ())
 				{
 					// try saved fragments
 					for (auto it1 = incompleteMessage->savedFragments.begin (); it1 != incompleteMessage->savedFragments.end ();)
 					{
-						auto savedFragment = *it1;
+						auto& savedFragment = *it1;
 						if (savedFragment->fragmentNum == incompleteMessage->nextFragmentNum)
 						{
-							memcpy (msg->buf + msg->len, savedFragment->buf, savedFragment->len);
-							msg->len += savedFragment->len;
+							incompleteMessage->AttachNextFragment (savedFragment->buf, savedFragment->len);
 							isLast = savedFragment->isLast;
-							incompleteMessage->nextFragmentNum++;
 							incompleteMessage->savedFragments.erase (it1++);
-							delete savedFragment;
 						}
 						else
 							break;
@@ -212,11 +212,10 @@ namespace transport
 					// missing fragment
 					LogPrint (eLogWarning, "Missing fragments from ", (int)incompleteMessage->nextFragmentNum, " to ", fragmentNum - 1, " of message ", msgID);	
 					auto savedFragment = new Fragment (fragmentNum, buf, fragmentSize, isLast);
-					if (!incompleteMessage->savedFragments.insert (savedFragment).second)
-					{
+					if (incompleteMessage->savedFragments.insert (std::unique_ptr<Fragment>(savedFragment)).second)
+						incompleteMessage->lastFragmentInsertTime = i2p::util::GetSecondsSinceEpoch ();
+					else	
 						LogPrint (eLogWarning, "Fragment ", (int)fragmentNum, " of message ", msgID, " already saved");
-						delete savedFragment;
-					}	
 				}
 				isLast = false;
 			}	
@@ -224,8 +223,9 @@ namespace transport
 			if (isLast)
 			{
 				// delete incomplete message
-				delete incompleteMessage;
-				m_IncomleteMessages.erase (msgID);				
+				auto msg = incompleteMessage->msg;
+				incompleteMessage->msg = nullptr;
+				m_IncompleteMessages.erase (msgID);				
 				// process message
 				SendMsgAck (msgID);
 				msg->FromSSU (msgID);
@@ -233,27 +233,26 @@ namespace transport
 				{
 					if (!m_ReceivedMessages.count (msgID))
 					{	
-						if (m_ReceivedMessages.size () > 100) m_ReceivedMessages.clear ();
+						if (m_ReceivedMessages.size () > MAX_NUM_RECEIVED_MESSAGES)
+							m_ReceivedMessages.clear ();
+						else
+							ScheduleDecay ();
 						m_ReceivedMessages.insert (msgID);
-						i2p::HandleI2NPMessage (msg);
+						m_Handler.PutNextMessage (msg);
 					}	
 					else
-					{
 						LogPrint (eLogWarning, "SSU message ", msgID, " already received");						
-						i2p::DeleteI2NPMessage (msg);
-					}	
 				}	
 				else
 				{
 					// we expect DeliveryStatus
-					if (msg->GetHeader ()->typeID == eI2NPDeliveryStatus)
+					if (msg->GetTypeID () == eI2NPDeliveryStatus)
 					{
 						LogPrint ("SSU session established");
 						m_Session.Established ();
 					}	
 					else
-						LogPrint (eLogError, "SSU unexpected message ", (int)msg->GetHeader ()->typeID);
-					DeleteI2NPMessage (msg);
+						LogPrint (eLogError, "SSU unexpected message ", (int)msg->GetTypeID ());
 				}	
 			}	
 			else
@@ -262,12 +261,17 @@ namespace transport
 		}	
 	}

+	void SSUData::FlushReceivedMessage ()
+	{
+		m_Handler.Flush ();
+	}	
+		
 	void SSUData::ProcessMessage (uint8_t * buf, size_t len)
 	{
 		//uint8_t * start = buf;
 		uint8_t flag = *buf;
 		buf++;
-		LogPrint (eLogDebug, "Process SSU data flags=", (int)flag);
+		LogPrint (eLogDebug, "Process SSU data flags=", (int)flag, " len=", len);
 		// process acks if presented
 		if (flag & (DATA_FLAG_ACK_BITFIELDS_INCLUDED | DATA_FLAG_EXPLICIT_ACKS_INCLUDED))
 			ProcessAcks (buf, flag);
@@ -283,23 +287,25 @@ namespace transport
 		ProcessFragments (buf);
 	}

-	void SSUData::Send (i2p::I2NPMessage * msg)
+	void SSUData::Send (std::shared_ptr<i2p::I2NPMessage> msg)
 	{
 		uint32_t msgID = msg->ToSSU ();
 		if (m_SentMessages.count (msgID) > 0)
 		{
 			LogPrint (eLogWarning, "SSU message ", msgID, " already sent");
-			DeleteI2NPMessage (msg);
 			return;
 		}	
 		if (m_SentMessages.empty ()) // schedule resend at first message only
 			ScheduleResend ();
-		SentMessage * sentMessage = new SentMessage;
-		m_SentMessages[msgID] = sentMessage; 
-		sentMessage->nextResendTime = i2p::util::GetSecondsSinceEpoch () + RESEND_INTERVAL;
-		sentMessage->numResends = 0;
+		
+		auto ret = m_SentMessages.insert (std::make_pair (msgID, std::unique_ptr<SentMessage>(new SentMessage))); 
+		std::unique_ptr<SentMessage>& sentMessage = ret.first->second;
+		if (ret.second)	
+		{
+			sentMessage->nextResendTime = i2p::util::GetSecondsSinceEpoch () + RESEND_INTERVAL;
+			sentMessage->numResends = 0;
+		}	
 		auto& fragments = sentMessage->fragments;
-		msgID = htobe32 (msgID);	
 		size_t payloadSize = m_PacketSize - sizeof (SSUHeader) - 9; // 9  =  flag + #frg(1) + messageID(4) + frag info (3) 
 		size_t len = msg->GetLength ();
 		uint8_t * msgBuf = msg->GetSSUHeader ();
@@ -310,13 +316,12 @@ namespace transport
 			Fragment * fragment = new Fragment;
 			fragment->fragmentNum = fragmentNum;
 			uint8_t * buf = fragment->buf;
-			fragments.push_back (fragment);
 			uint8_t	* payload = buf + sizeof (SSUHeader);
 			*payload = DATA_FLAG_WANT_REPLY; // for compatibility
 			payload++;
 			*payload = 1; // always 1 message fragment per message
 			payload++;
-			*(uint32_t *)payload = msgID;
+			htobe32buf (payload, msgID);
 			payload += 4;
 			bool isLast = (len <= payloadSize);
 			size_t size = isLast ? len : payloadSize;
@@ -334,11 +339,18 @@ namespace transport
 			if (size & 0x0F) // make sure 16 bytes boundary
 				size = ((size >> 4) + 1) << 4; // (/16 + 1)*16
 			fragment->len = size; 
+			fragments.push_back (std::unique_ptr<Fragment> (fragment));
 			
 			// encrypt message with session key
 			m_Session.FillHeaderAndEncrypt (PAYLOAD_TYPE_DATA, buf, size);
-			m_Session.Send (buf, size);
-
+			try
+			{	
+				m_Session.Send (buf, size);
+			}
+			catch (boost::system::system_error& ec)
+			{
+				LogPrint (eLogError, "Can't send SSU fragment ", ec.what ());
+			}	
 			if (!isLast)
 			{	
 				len -= payloadSize;
@@ -348,7 +360,6 @@ namespace transport
 				len = 0;
 			fragmentNum++;
 		}	
-		DeleteI2NPMessage (msg);
 	}		

 	void SSUData::SendMsgAck (uint32_t msgID)
@@ -359,7 +370,7 @@ namespace transport
 		payload++;
 		*payload = 1; // number of ACKs
 		payload++;
-		*(uint32_t *)(payload) = htobe32 (msgID); // msgID	
+		htobe32buf (payload, msgID); // msgID
 		payload += 4;
 		*payload = 0; // number of fragments

@@ -401,29 +412,94 @@ namespace transport
 	{		
 		m_ResendTimer.cancel ();
 		m_ResendTimer.expires_from_now (boost::posix_time::seconds(RESEND_INTERVAL));
-		m_ResendTimer.async_wait (boost::bind (&SSUData::HandleResendTimer,
-			this, boost::asio::placeholders::error));
+		auto s = m_Session.shared_from_this();
+		m_ResendTimer.async_wait ([s](const boost::system::error_code& ecode)
+			{ s->m_Data.HandleResendTimer (ecode); });
 	}
-		
+
 	void SSUData::HandleResendTimer (const boost::system::error_code& ecode)
 	{
 		if (ecode != boost::asio::error::operation_aborted)
 		{
 			uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
-			for (auto it : m_SentMessages)
+			for (auto it = m_SentMessages.begin (); it != m_SentMessages.end ();)
 			{
-				if (ts >= it.second->nextResendTime && it.second->numResends < MAX_NUM_RESENDS)
+				if (ts >= it->second->nextResendTime)
 				{	
-					for (auto f: it.second->fragments)
-						if (f) m_Session.Send (f->buf, f->len); // resend
+					if (it->second->numResends < MAX_NUM_RESENDS)
+					{	
+						for (auto& f: it->second->fragments)
+							if (f) 
+							{
+								try
+								{	
+									m_Session.Send (f->buf, f->len); // resend
+								}
+								catch (boost::system::system_error& ec)
+								{
+									LogPrint (eLogError, "Can't resend SSU fragment ", ec.what ());
+								}
+							}	

-					it.second->numResends++;
-					it.second->nextResendTime += it.second->numResends*RESEND_INTERVAL;
+						it->second->numResends++;
+						it->second->nextResendTime += it->second->numResends*RESEND_INTERVAL;
+						it++;
+					}	
+					else
+					{
+						LogPrint (eLogError, "SSU message has not been ACKed after ", MAX_NUM_RESENDS, " attempts. Deleted");
+						it = m_SentMessages.erase (it);
+					}	
 				}	
+				else
+					it++;
 			}
 			ScheduleResend ();	
 		}	
 	}	
+
+	void SSUData::ScheduleDecay ()
+	{		
+		m_DecayTimer.cancel ();
+		m_DecayTimer.expires_from_now (boost::posix_time::seconds(DECAY_INTERVAL));
+		auto s = m_Session.shared_from_this();
+		m_ResendTimer.async_wait ([s](const boost::system::error_code& ecode)
+			{ s->m_Data.HandleDecayTimer (ecode); });
+	}	
+
+	void SSUData::HandleDecayTimer (const boost::system::error_code& ecode)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+			m_ReceivedMessages.clear ();
+	}	
+
+	void SSUData::ScheduleIncompleteMessagesCleanup ()
+	{
+		m_IncompleteMessagesCleanupTimer.cancel ();
+		m_IncompleteMessagesCleanupTimer.expires_from_now (boost::posix_time::seconds(INCOMPLETE_MESSAGES_CLEANUP_TIMEOUT));
+		auto s = m_Session.shared_from_this();
+		m_IncompleteMessagesCleanupTimer.async_wait ([s](const boost::system::error_code& ecode)
+			{ s->m_Data.HandleIncompleteMessagesCleanupTimer (ecode); });
+	}
+		
+	void SSUData::HandleIncompleteMessagesCleanupTimer (const boost::system::error_code& ecode)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+		{
+			uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
+			for (auto it = m_IncompleteMessages.begin (); it != m_IncompleteMessages.end ();)
+			{
+				if (ts > it->second->lastFragmentInsertTime + INCOMPLETE_MESSAGES_CLEANUP_TIMEOUT)
+				{
+					LogPrint (eLogError, "SSU message ", it->first, " was not completed  in ", INCOMPLETE_MESSAGES_CLEANUP_TIMEOUT, " seconds. Deleted");
+					it = m_IncompleteMessages.erase (it);
+				}	
+				else
+					it++;
+			}	
+			ScheduleIncompleteMessagesCleanup ();
+		}	
+	}	
 }
 }

--- a/SSUData.h
+++ b/SSUData.h
@@ -6,6 +6,7 @@
 #include <map>
 #include <vector>
 #include <set>
+#include <memory>
 #include <boost/asio.hpp>
 #include "I2NPProtocol.h"
 #include "Identity.h"
@@ -25,6 +26,9 @@ namespace transport
 	const size_t SSU_V6_MAX_PACKET_SIZE = SSU_MTU_V6 - IPV6_HEADER_SIZE - UDP_HEADER_SIZE; // 1424
 	const int RESEND_INTERVAL = 3; // in seconds
 	const int MAX_NUM_RESENDS = 5;
+	const int DECAY_INTERVAL = 20; // in seconds
+	const int MAX_NUM_RECEIVED_MESSAGES = 1000; // how many msgID we store for duplicates check
+	const int INCOMPLETE_MESSAGES_CLEANUP_TIMEOUT = 30; // in seconds
 	// data flags
 	const uint8_t DATA_FLAG_EXTENDED_DATA_INCLUDED = 0x02;
 	const uint8_t DATA_FLAG_WANT_REPLY = 0x04;
@@ -47,7 +51,7 @@ namespace transport

 	struct FragmentCmp
 	{
-		bool operator() (const Fragment * f1, const Fragment * f2) const
+		bool operator() (const std::unique_ptr<Fragment>& f1, const std::unique_ptr<Fragment>& f2) const
  		{	
 			return f1->fragmentNum < f2->fragmentNum; 
 		};
@@ -55,21 +59,20 @@ namespace transport
 	
 	struct IncompleteMessage
 	{
-		I2NPMessage * msg;
+		std::shared_ptr<I2NPMessage> msg;
 		int nextFragmentNum;	
-		std::set<Fragment *, FragmentCmp> savedFragments;
+		uint32_t lastFragmentInsertTime; // in seconds
+		std::set<std::unique_ptr<Fragment>, FragmentCmp> savedFragments;
 		
-		IncompleteMessage (I2NPMessage * m): msg (m), nextFragmentNum (0) {};
-		~IncompleteMessage () { for (auto it: savedFragments) { delete it; }; };
+		IncompleteMessage (std::shared_ptr<I2NPMessage> m): msg (m), nextFragmentNum (0), lastFragmentInsertTime (0) {};
+		void AttachNextFragment (const uint8_t * fragment, size_t fragmentSize);	
 	};

 	struct SentMessage
 	{
-		std::vector<Fragment *> fragments;
+		std::vector<std::unique_ptr<Fragment> > fragments;
 		uint32_t nextResendTime; // in seconds
 		int numResends;
-
-		~SentMessage () { for (auto it: fragments) { delete it; }; };
 	};	
 	
 	class SSUSession;
@@ -77,12 +80,17 @@ namespace transport
 	{
 		public:

-			SSUData (SSUSession& session);
+			SSUData (SSUSession& session); 
 			~SSUData ();

+			void Start ();
+			void Stop ();	
+			
 			void ProcessMessage (uint8_t * buf, size_t len);
-			void Send (i2p::I2NPMessage * msg);
+			void FlushReceivedMessage ();
+			void Send (std::shared_ptr<i2p::I2NPMessage> msg);

+			void AdjustPacketSize (std::shared_ptr<const i2p::data::RouterInfo> remoteRouter);	
 			void UpdatePacketSize (const i2p::data::IdentHash& remoteIdent);

 		private:
@@ -95,17 +103,23 @@ namespace transport

 			void ScheduleResend ();
 			void HandleResendTimer (const boost::system::error_code& ecode);	
+
+			void ScheduleDecay ();
+			void HandleDecayTimer (const boost::system::error_code& ecode);	
+
+			void ScheduleIncompleteMessagesCleanup ();
+			void HandleIncompleteMessagesCleanupTimer (const boost::system::error_code& ecode);	
 			
-			void AdjustPacketSize (const i2p::data::RouterInfo& remoteRouter);	
 			
 		private:	

 			SSUSession& m_Session;
-			std::map<uint32_t, IncompleteMessage *> m_IncomleteMessages;
-			std::map<uint32_t, SentMessage *> m_SentMessages;
+			std::map<uint32_t, std::unique_ptr<IncompleteMessage> > m_IncompleteMessages;
+			std::map<uint32_t, std::unique_ptr<SentMessage> > m_SentMessages;
 			std::set<uint32_t> m_ReceivedMessages;
-			boost::asio::deadline_timer m_ResendTimer;
+			boost::asio::deadline_timer m_ResendTimer, m_DecayTimer, m_IncompleteMessagesCleanupTimer;
 			int m_MaxPacketSize, m_PacketSize;
+			i2p::I2NPMessagesHandler m_Handler;
 	};	
 }
 }
--- a/SSUSession.cpp
+++ b/SSUSession.cpp
--- a/SSUSession.h
+++ b/SSUSession.h
@@ -3,10 +3,8 @@

 #include <inttypes.h>
 #include <set>
-#include <list>
-#include <boost/asio.hpp>
-#include "aes.h"
-#include "hmac.h"
+#include <memory>
+#include "Crypto.h"
 #include "I2NPProtocol.h"
 #include "TransportSession.h"
 #include "SSUData.h"
@@ -15,6 +13,7 @@ namespace i2p
 {
 namespace transport
 {
+	const uint8_t SSU_HEADER_EXTENDED_OPTIONS_INCLUDED = 0x04;
 #pragma pack(1)
 	struct SSUHeader
 	{
@@ -24,6 +23,7 @@ namespace transport
 		uint32_t time;	

 		uint8_t GetPayloadType () const { return flag >> 4; };
+		bool IsExtendedOptions () const { return flag & SSU_HEADER_EXTENDED_OPTIONS_INCLUDED; };	
 	};
 #pragma pack()

@@ -46,11 +46,21 @@ namespace transport
 		eSessionStateUnknown,	
 		eSessionStateIntroduced,
 		eSessionStateEstablished,
+		eSessionStateClosed,
 		eSessionStateFailed
 	};	

+	enum PeerTestParticipant
+	{
+		ePeerTestParticipantUnknown = 0,
+		ePeerTestParticipantAlice1,
+		ePeerTestParticipantAlice2,
+		ePeerTestParticipantBob,
+		ePeerTestParticipantCharlie
+	};
+	
 	class SSUServer;
-	class SSUSession: public TransportSession
+	class SSUSession: public TransportSession, public std::enable_shared_from_this<SSUSession>
 	{
 		public:

@@ -60,12 +70,14 @@ namespace transport
 			~SSUSession ();
 			
 			void Connect ();
-			void Introduce (uint32_t iTag, const uint8_t * iKey);
+			void WaitForConnect ();
+			void Introduce (const i2p::data::RouterInfo::Introducer& introducer);
 			void WaitForIntroduction ();
 			void Close ();
+			void Done ();
 			boost::asio::ip::udp::endpoint& GetRemoteEndpoint () { return m_RemoteEndpoint; };
 			bool IsV6 () const { return m_RemoteEndpoint.address ().is_v6 (); };
-			void SendI2NPMessage (I2NPMessage * msg);
+			void SendI2NPMessages (const std::vector<std::shared_ptr<I2NPMessage> >& msgs);
 			void SendPeerTest (); // Alice			

 			SessionState GetState () const  { return m_State; };
@@ -74,17 +86,21 @@ namespace transport
 			
 			void SendKeepAlive ();	
 			uint32_t GetRelayTag () const { return m_RelayTag; };	
+			const i2p::data::RouterInfo::IntroKey& GetIntroKey () const { return m_IntroKey; };
 			uint32_t GetCreationTime () const { return m_CreationTime; };

+			void FlushData ();
+			
 		private:

+			boost::asio::io_service& GetService ();
 			void CreateAESandMacKey (const uint8_t * pubKey); 
-
-			void PostI2NPMessage (I2NPMessage * msg);
+			size_t GetSSUHeaderSize (uint8_t * buf) const;
+			void PostI2NPMessages (std::vector<std::shared_ptr<I2NPMessage> > msgs);
 			void ProcessMessage (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint); // call for established session
 			void ProcessSessionRequest (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint);
 			void SendSessionRequest ();
-			void SendRelayRequest (uint32_t iTag, const uint8_t * iKey);
+			void SendRelayRequest (const i2p::data::RouterInfo::Introducer& introducer);
 			void ProcessSessionCreated (uint8_t * buf, size_t len);
 			void SendSessionCreated (const uint8_t * x);
 			void ProcessSessionConfirmed (uint8_t * buf, size_t len);
@@ -99,19 +115,18 @@ namespace transport
 			void Failed ();
 			void ScheduleConnectTimer ();
 			void HandleConnectTimer (const boost::system::error_code& ecode);
-			void ProcessPeerTest (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint);
-			void SendPeerTest (uint32_t nonce, uint32_t address, uint16_t port, const uint8_t * introKey, bool toAddress = true); 
+			void ProcessPeerTest (const uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint);
+			void SendPeerTest (uint32_t nonce, uint32_t address, uint16_t port, const uint8_t * introKey, bool toAddress = true, bool sendAddress = true); 
 			void ProcessData (uint8_t * buf, size_t len);		
 			void SendSesionDestroyed ();
 			void Send (uint8_t type, const uint8_t * payload, size_t len); // with session key
 			void Send (const uint8_t * buf, size_t size); 
 			
-			void FillHeaderAndEncrypt (uint8_t payloadType, uint8_t * buf, size_t len, const uint8_t * aesKey, const uint8_t * iv, const uint8_t * macKey);
+			void FillHeaderAndEncrypt (uint8_t payloadType, uint8_t * buf, size_t len, const i2p::crypto::AESKey& aesKey, const uint8_t * iv, const i2p::crypto::MACKey& macKey);
 			void FillHeaderAndEncrypt (uint8_t payloadType, uint8_t * buf, size_t len); // with session key 
-			void Decrypt (uint8_t * buf, size_t len, const uint8_t * aesKey);
+			void Decrypt (uint8_t * buf, size_t len, const i2p::crypto::AESKey& aesKey);
 			void DecryptSessionKey (uint8_t * buf, size_t len);
-			bool Validate (uint8_t * buf, size_t len, const uint8_t * macKey);			
-			const uint8_t * GetIntroKey () const; 
+			bool Validate (uint8_t * buf, size_t len, const i2p::crypto::MACKey& macKey);			

 			void ScheduleTermination ();
 			void HandleTerminationTimer (const boost::system::error_code& ecode);
@@ -122,19 +137,19 @@ namespace transport
 			SSUServer& m_Server;
 			boost::asio::ip::udp::endpoint m_RemoteEndpoint;
 			boost::asio::deadline_timer m_Timer;
-			bool m_PeerTest;
+			bool m_IsPeerTest;
 			SessionState m_State;
 			bool m_IsSessionKey;
 			uint32_t m_RelayTag;	
-			std::set<uint32_t> m_PeerTestNonces;
 			i2p::crypto::CBCEncryption m_SessionKeyEncryption;
 			i2p::crypto::CBCDecryption m_SessionKeyDecryption;
 			i2p::crypto::AESKey m_SessionKey;
 			i2p::crypto::MACKey m_MacKey;
-			std::list<i2p::I2NPMessage *> m_DelayedMessages;
-			SSUData m_Data;
-			size_t m_NumSentBytes, m_NumReceivedBytes;
+			i2p::data::RouterInfo::IntroKey m_IntroKey;
 			uint32_t m_CreationTime; // seconds since epoch
+			SSUData m_Data;
+			bool m_IsDataReceived;
+			std::unique_ptr<SignedData> m_SignedData; // we need it for SessionConfirmed only
 	};


--- a/Signature.cpp
+++ b/Signature.cpp
@@ -0,0 +1,441 @@
+#include <memory>
+#include "Log.h"
+#include "Signature.h"
+
+namespace i2p
+{
+namespace crypto
+{
+	class Ed25519
+	{
+		public:
+
+			Ed25519 ()
+			{
+				BN_CTX * ctx = BN_CTX_new ();
+				BIGNUM * two = BN_new (), * tmp = BN_new ();
+				BN_set_word (two, 2);
+
+				q = BN_new ();
+				// 2^255-19				
+				BN_set_word (tmp, 255);
+				BN_exp (q, two, tmp, ctx);
+				BN_sub_word (q, 19);
+				
+				l = BN_new ();
+				// 2^252 + 27742317777372353535851937790883648493
+				BN_set_word (tmp, 252);
+				BN_exp (l, two, tmp, ctx);
+				two_252_2 = BN_dup (l);
+				BN_dec2bn (&tmp, "27742317777372353535851937790883648493");
+				BN_add (l, l, tmp);		
+				BN_sub_word (two_252_2, 2); // 2^252 - 2		
+
+				 // -121665*inv(121666)
+				d = BN_new ();
+				BN_set_word (tmp, 121666);
+				BN_mod_inverse (tmp, tmp, q, ctx);	
+				BN_set_word (d, 121665);
+				BN_set_negative (d, 1);							
+				BN_mul (d, d, tmp, ctx);
+
+				// 2^((q-1)/4)
+				I = BN_new ();
+				BN_free (tmp);
+				tmp = BN_dup (q);
+				BN_sub_word (tmp, 1);
+				BN_div_word (tmp, 4);	
+				BN_mod_exp (I, two, tmp, q, ctx);
+
+				// 4*inv(5)	
+				BIGNUM * By = BN_new ();		
+				BN_set_word (By, 5);
+				BN_mod_inverse (By, By, q, ctx);	
+				BN_mul_word (By, 4);
+				BIGNUM * Bx = RecoverX (By, ctx);	
+				BN_mod (Bx, Bx, q, ctx); // % q
+				BN_mod (By, By, q, ctx); // % q								
+				B = {Bx, By};
+
+				BN_free (two);
+				BN_free (tmp);
+			
+				// precalculate Bi16 table
+				Bi16[0][0] = { BN_dup (Bx), BN_dup (By) }; 
+				for (int i = 0; i < 64; i++)
+				{
+					if (i) Bi16[i][0] = Sum (Bi16[i-1][14], Bi16[i-1][0], ctx); 
+					for (int j = 1; j < 15; j++)
+						Bi16[i][j] = Sum (Bi16[i][j-1], Bi16[i][0], ctx); // (16+j+1)^i*B
+				}
+
+				BN_CTX_free (ctx);
+			}
+
+			~Ed25519 ()
+			{
+				BN_free (q);
+				BN_free (l);
+				BN_free (d);
+				BN_free (I);
+				BN_free (two_252_2);
+			}
+
+
+			EDDSAPoint GeneratePublicKey (const uint8_t * expandedPrivateKey, BN_CTX * ctx) const
+			{
+				return MulB (expandedPrivateKey, ctx); // left half of expanded key, considered as Little Endian
+			}
+
+			EDDSAPoint DecodePublicKey (const uint8_t * buf, BN_CTX * ctx) const
+			{
+				return DecodePoint (buf, ctx);
+			}
+
+			void EncodePublicKey (const EDDSAPoint& publicKey, uint8_t * buf, BN_CTX * ctx) const
+			{
+				EncodePoint (Normalize (publicKey, ctx), buf);
+			}
+
+			bool Verify (const EDDSAPoint& publicKey, const uint8_t * digest, const uint8_t * signature, BN_CTX * ctx) const
+			{
+				BIGNUM * h = DecodeBN<64> (digest);
+				// signature 0..31 - R, 32..63 - S 
+				// B*S = R + PK*h => R = B*S - PK*h
+				// we don't decode R, but encode (B*S - PK*h)
+				auto Bs = MulB (signature + EDDSA25519_SIGNATURE_LENGTH/2, ctx); // B*S;
+				BN_mod (h, h, l, ctx); // public key is multiple of B, but B%l = 0
+				auto PKh = Mul (publicKey, h, ctx); // PK*h
+				uint8_t diff[32];
+				EncodePoint (Normalize (Sum (Bs, -PKh, ctx), ctx), diff); // Bs - PKh encoded
+				bool passed = !memcmp (signature, diff, 32); // R
+				BN_free (h); 
+				if (!passed)
+					LogPrint (eLogError, "25519 signature verification failed");
+				return passed; 
+			}
+
+			void Sign (const uint8_t * expandedPrivateKey, const uint8_t * publicKeyEncoded, const uint8_t * buf, size_t len, 
+				uint8_t * signature, BN_CTX * bnCtx) const
+			{
+				// calculate r
+				SHA512_CTX ctx;
+				SHA512_Init (&ctx);
+				SHA512_Update (&ctx, expandedPrivateKey + EDDSA25519_PRIVATE_KEY_LENGTH, EDDSA25519_PRIVATE_KEY_LENGTH); // right half of expanded key
+				SHA512_Update (&ctx, buf, len); // data
+				uint8_t digest[64];
+				SHA512_Final (digest, &ctx);
+				BIGNUM * r = DecodeBN<32> (digest); // DecodeBN<64> (digest); // for test vectors
+				// calculate R
+				uint8_t R[EDDSA25519_SIGNATURE_LENGTH/2]; // we must use separate buffer because signature might be inside buf
+				EncodePoint (Normalize (MulB (digest, bnCtx), bnCtx), R); // EncodePoint (Mul (B, r, bnCtx), R); // for test vectors 
+				// calculate S
+				SHA512_Init (&ctx);
+				SHA512_Update (&ctx, R, EDDSA25519_SIGNATURE_LENGTH/2); // R
+				SHA512_Update (&ctx, publicKeyEncoded, EDDSA25519_PUBLIC_KEY_LENGTH); // public key
+				SHA512_Update (&ctx, buf, len); // data
+				SHA512_Final (digest, &ctx);
+				BIGNUM * h = DecodeBN<64> (digest);			
+				// S = (r + h*a) % l
+				BIGNUM * a = DecodeBN<EDDSA25519_PRIVATE_KEY_LENGTH> (expandedPrivateKey); // left half of expanded key
+				BN_mod_mul (h, h, a, l, bnCtx); // %l
+				BN_mod_add (h, h, r, l, bnCtx); // %l
+				memcpy (signature, R, EDDSA25519_SIGNATURE_LENGTH/2);
+				EncodeBN (h, signature + EDDSA25519_SIGNATURE_LENGTH/2, EDDSA25519_SIGNATURE_LENGTH/2); // S
+				BN_free (r); BN_free (h); BN_free (a);
+			}
+
+		private:		
+
+			EDDSAPoint Sum (const EDDSAPoint& p1, const EDDSAPoint& p2, BN_CTX * ctx) const
+			{
+				// x3 = (x1*y2+y1*x2)*(z1*z2-d*t1*t2)
+				// y3 = (y1*y2+x1*x2)*(z1*z2+d*t1*t2)
+				// z3 = (z1*z2-d*t1*t2)*(z1*z2+d*t1*t2)
+				// t3 = (y1*y2+x1*x2)*(x1*y2+y1*x2)
+				BIGNUM * x3 = BN_new (), * y3 = BN_new (), * z3 = BN_new (), * t3 = BN_new ();
+				BIGNUM * z1 = p1.z, * t1 = p1.t;
+				if (!z1) { z1 = BN_new (); BN_one (z1); }
+				if (!t1) { t1 = BN_new (); BN_mul (t1, p1.x, p1.y, ctx); }
+				
+				BIGNUM * z2 = p2.z, * t2 = p2.t;
+				if (!z2) { z2 = BN_new (); BN_one (z2); }
+				if (!t2) { t2 = BN_new (); BN_mul (t2, p2.x, p2.y, ctx); }
+				
+				BIGNUM * A = BN_new (), * B = BN_new (), * C = BN_new (), * D = BN_new ();
+				BN_mul (A, p1.x, p2.x, ctx); // A = x1*x2		
+				BN_mul (B, p1.y, p2.y, ctx); // B = y1*y2	
+				BN_mul (C, t1, t2, ctx);
+				BN_mul (C, C, d, ctx);  // C = d*t1*t2
+				BN_mul (D, z1, z2, ctx); // D = z1*z2	
+
+				BIGNUM * E = BN_new (), * F = BN_new (), * G = BN_new (), * H = BN_new ();
+				BN_add (x3, p1.x, p1.y);				
+				BN_add (y3, p2.x, p2.y);
+				BN_mul (E, x3, y3, ctx); // (x1 + y1)*(x2 + y2)
+				BN_sub (E, E, A);
+				BN_sub (E, E, B); // E = (x1 + y1)*(x2 + y2) - A - B
+				BN_sub (F, D, C); // F = D - C
+				BN_add (G, D, C); // G = D + C
+				BN_add (H, B, A); // H = B + A
+
+				BN_free (A); BN_free (B); BN_free (C); BN_free (D);	
+				if (!p1.z) BN_free (z1);
+				if (!p1.t) BN_free (t1);
+				if (!p2.z) BN_free (z2);
+				if (!p2.t) BN_free (t2);
+
+				BN_mod_mul (x3, E, F, q, ctx); // x3 = E*F
+				BN_mod_mul (y3, G, H, q, ctx); // y3 = G*H	
+				BN_mod_mul (z3, F, G, q, ctx); // z3 = F*G	
+				BN_mod_mul (t3, E, H, q, ctx); // t3 = E*H	
+
+				BN_free (E); BN_free (F); BN_free (G); BN_free (H);
+
+				return EDDSAPoint {x3, y3, z3, t3};
+			}
+
+			EDDSAPoint Double (const EDDSAPoint& p, BN_CTX * ctx) const
+			{
+				BIGNUM * x2 = BN_new (), * y2 = BN_new (), * z2 = BN_new (), * t2 = BN_new ();
+				BIGNUM * z = p.z, * t = p.t;
+				if (!z) { z = BN_new (); BN_one (z); }
+				if (!t) { t = BN_new (); BN_mul (t, p.x, p.y, ctx); }		
+				
+				BN_sqr (x2, p.x, ctx); // x2 = A = x^2		
+				BN_sqr (y2, p.y, ctx); // y2 = B = y^2	
+				BN_sqr (t2, t, ctx);
+				BN_mul (t2, t2, d, ctx);  // t2 = C = d*t^2 		
+				BN_sqr (z2, z, ctx); // z2 = D = z^2 		
+
+				BIGNUM * E = BN_new (), * F = BN_new (), * G = BN_new (), * H = BN_new ();
+				// E = (x+y)*(x+y)-A-B = x^2+y^2+2xy-A-B = 2xy
+				BN_mul (E, p.x, p.y, ctx);
+				BN_mul_word (E, 2);	// E =2*x*y							
+				BN_sub (F, z2, t2); // F = D - C
+				BN_add (G, z2, t2); // G = D + C 
+				BN_add (H, y2, x2); // H = B + A
+
+				if (!p.z) BN_free (z);
+				if (!p.t) BN_free (t);
+
+				BN_mod_mul (x2, E, F, q, ctx); // x2 = E*F
+				BN_mod_mul (y2, G, H, q, ctx); // y2 = G*H	
+				BN_mod_mul (z2, F, G, q, ctx); // z2 = F*G	
+				BN_mod_mul (t2, E, H, q, ctx); // t2 = E*H	
+
+				BN_free (E); BN_free (F); BN_free (G); BN_free (H);
+
+				return EDDSAPoint {x2, y2, z2, t2};
+			}
+			
+			EDDSAPoint Mul (const EDDSAPoint& p, const BIGNUM * e, BN_CTX * ctx) const
+			{
+				BIGNUM * zero = BN_new (), * one = BN_new ();
+				BN_zero (zero); BN_one (one);
+				EDDSAPoint res {zero, one};
+				if (!BN_is_zero (e))
+				{
+					int bitCount = BN_num_bits (e);
+					for (int i = bitCount - 1; i >= 0; i--)
+					{
+						res = Double (res, ctx);
+						if (BN_is_bit_set (e, i)) res = Sum (res, p, ctx);
+					}
+				}	
+				return res;
+			} 
+			
+			EDDSAPoint MulB (const uint8_t * e, BN_CTX * ctx) const // B*e. e is 32 bytes Little Endian
+			{
+				BIGNUM * zero = BN_new (), * one = BN_new ();
+				BN_zero (zero); BN_one (one);
+				EDDSAPoint res {zero, one};
+				for (int i = 0; i < 32; i++)
+				{
+					uint8_t x = e[i] & 0x0F; // 4 low bits
+					if (x > 0)
+						res = Sum (res, Bi16[i*2][x-1], ctx);
+					x = e[i] >> 4; // 4 high bits
+					if (x > 0)
+						res = Sum (res, Bi16[i*2+1][x-1], ctx);
+				}
+				return res;
+			}
+
+			EDDSAPoint Normalize (const EDDSAPoint& p, BN_CTX * ctx) const
+			{
+				if (p.z)
+				{
+					BIGNUM * x = BN_new (), * y = BN_new ();
+					BN_mod_inverse (y, p.z, q, ctx);
+					BN_mod_mul (x, p.x, y, q, ctx); // x = x/z
+					BN_mod_mul (y, p.y, y, q, ctx); // y = y/z
+					return  EDDSAPoint{x, y};
+				}
+				else
+					return EDDSAPoint{BN_dup (p.x), BN_dup (p.y)};
+			}
+
+			bool IsOnCurve (const EDDSAPoint& p, BN_CTX * ctx) const
+			{
+				BIGNUM * x2 = BN_new ();
+				BN_sqr (x2, p.x, ctx); // x^2
+				BIGNUM * y2 = BN_new ();
+				BN_sqr (y2, p.y, ctx); // y^2
+				// y^2 - x^2 - 1 - d*x^2*y^2 
+				BIGNUM * tmp = BN_new ();				
+				BN_mul (tmp, d, x2, ctx);
+				BN_mul (tmp, tmp, y2, ctx);	
+				BN_sub (tmp, y2, tmp);
+				BN_sub (tmp, tmp, x2);
+				BN_sub_word (tmp, 1);
+				BN_mod (tmp, tmp, q, ctx); // % q
+				bool ret = BN_is_zero (tmp);
+				BN_free (x2);
+				BN_free (y2);
+				BN_free (tmp);
+				return ret;
+			}	
+
+			BIGNUM * RecoverX (const BIGNUM * y, BN_CTX * ctx) const
+			{
+				BIGNUM * y2 = BN_new ();
+				BN_sqr (y2, y, ctx); // y^2
+				// xx = (y^2 -1)*inv(d*y^2 +1) 
+				BIGNUM * xx = BN_new ();
+				BN_mul (xx, d, y2, ctx);
+				BN_add_word (xx, 1);
+				BN_mod_inverse (xx, xx, q, ctx);
+				BN_sub_word (y2, 1);
+				BN_mul (xx, y2, xx, ctx);
+				// x = srqt(xx) = xx^(2^252-2)		
+				BIGNUM * x = BN_new ();
+				BN_mod_exp (x, xx, two_252_2, q, ctx);
+				// check (x^2 -xx) % q	
+				BN_sqr (y2, x, ctx);
+				BN_mod_sub (y2, y2, xx, q, ctx); 
+				if (!BN_is_zero (y2))
+					BN_mod_mul (x, x, I, q, ctx);
+				if (BN_is_odd (x))
+					BN_sub (x, q, x);
+				BN_free (y2);
+				BN_free (xx);
+				return x;
+			}
+
+			EDDSAPoint DecodePoint (const uint8_t * buf, BN_CTX * ctx) const
+			{
+				// buf is 32 bytes Little Endian, convert it to Big Endian
+				uint8_t buf1[EDDSA25519_PUBLIC_KEY_LENGTH];
+				for (size_t i = 0; i < EDDSA25519_PUBLIC_KEY_LENGTH/2; i++) // invert bytes
+				{
+					buf1[i] = buf[EDDSA25519_PUBLIC_KEY_LENGTH -1 - i];
+					buf1[EDDSA25519_PUBLIC_KEY_LENGTH -1 - i] = buf[i];
+				}
+				bool isHighestBitSet = buf1[0] & 0x80;
+				if (isHighestBitSet)
+					buf1[0] &= 0x7f; // clear highest bit
+				BIGNUM * y = BN_new ();
+				BN_bin2bn (buf1, EDDSA25519_PUBLIC_KEY_LENGTH, y);
+				auto x = RecoverX (y, ctx);
+				if (BN_is_bit_set (x, 0) != isHighestBitSet)
+					BN_sub (x, q, x); // x = q - x 
+				EDDSAPoint p {x, y};
+				if (!IsOnCurve (p, ctx)) 
+					LogPrint (eLogError, "Decoded point is not on 25519");
+				return p;
+			}
+			
+			void EncodePoint (const EDDSAPoint& p, uint8_t * buf) const
+			{
+				EncodeBN (p.y, buf,EDDSA25519_PUBLIC_KEY_LENGTH); 
+				if (BN_is_bit_set (p.x, 0)) // highest bit
+					buf[EDDSA25519_PUBLIC_KEY_LENGTH - 1] |= 0x80; // set highest bit
+			}
+
+			template<int len>
+			BIGNUM * DecodeBN (const uint8_t * buf) const
+			{
+				// buf is Little Endian convert it to Big Endian
+				uint8_t buf1[len];
+				for (size_t i = 0; i < len/2; i++) // invert bytes
+				{
+					buf1[i] = buf[len -1 - i];
+					buf1[len -1 - i] = buf[i];
+				}
+				BIGNUM * res = BN_new ();
+				BN_bin2bn (buf1, len, res);
+				return res;
+			}
+
+			void EncodeBN (const BIGNUM * bn, uint8_t * buf, size_t len) const
+			{
+				bn2buf (bn, buf, len);
+				// To Little Endian
+				for (size_t i = 0; i < len/2; i++) // invert bytes
+				{
+					uint8_t tmp = buf[i];
+					buf[i] = buf[len -1 - i];
+					buf[len -1 - i] = tmp;
+				}	
+			}
+
+		private:
+			
+			BIGNUM * q, * l, * d, * I; 
+			EDDSAPoint B; // base point
+			// transient values
+			BIGNUM * two_252_2; // 2^252-2
+			EDDSAPoint Bi16[64][15]; // per 4-bits, Bi16[i][j] = (16+j+1)^i*B, we don't store zeroes
+	};
+
+	static std::unique_ptr<Ed25519> g_Ed25519;
+	std::unique_ptr<Ed25519>& GetEd25519 ()
+	{
+		if (!g_Ed25519)
+			g_Ed25519.reset (new Ed25519 ());
+		return g_Ed25519; 
+	}	
+	
+
+	EDDSA25519Verifier::EDDSA25519Verifier (const uint8_t * signingKey):
+		m_Ctx (BN_CTX_new ()),
+		m_PublicKey (GetEd25519 ()->DecodePublicKey (signingKey, m_Ctx))
+	{
+		memcpy (m_PublicKeyEncoded, signingKey, EDDSA25519_PUBLIC_KEY_LENGTH); 
+	}
+
+	bool EDDSA25519Verifier::Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const
+	{
+		SHA512_CTX ctx;
+		SHA512_Init (&ctx);
+		SHA512_Update (&ctx, signature, EDDSA25519_SIGNATURE_LENGTH/2); // R
+		SHA512_Update (&ctx, m_PublicKeyEncoded, EDDSA25519_PUBLIC_KEY_LENGTH); // public key
+		SHA512_Update (&ctx, buf, len); // data
+		uint8_t digest[64];
+		SHA512_Final (digest, &ctx);
+		return GetEd25519 ()->Verify (m_PublicKey, digest, signature, m_Ctx);
+	}
+
+	EDDSA25519Signer::EDDSA25519Signer (const uint8_t * signingPrivateKey):
+		m_Ctx (BN_CTX_new ())
+	{ 
+		// expand key
+		SHA512 (signingPrivateKey, EDDSA25519_PRIVATE_KEY_LENGTH, m_ExpandedPrivateKey);
+		m_ExpandedPrivateKey[0] &= 0xF8; // drop last 3 bits 
+		m_ExpandedPrivateKey[EDDSA25519_PRIVATE_KEY_LENGTH - 1] &= 0x1F; // drop first 3 bits
+		m_ExpandedPrivateKey[EDDSA25519_PRIVATE_KEY_LENGTH - 1] |= 0x40; // set second bit
+		// generate and encode public key
+		auto publicKey = GetEd25519 ()->GeneratePublicKey (m_ExpandedPrivateKey, m_Ctx);
+		GetEd25519 ()->EncodePublicKey (publicKey, m_PublicKeyEncoded, m_Ctx);	
+	} 
+		
+	void EDDSA25519Signer::Sign (const uint8_t * buf, int len, uint8_t * signature) const
+	{
+		GetEd25519 ()->Sign (m_ExpandedPrivateKey, m_PublicKeyEncoded, buf, len, signature, m_Ctx);
+	}	
+}
+}
+
+
--- a/Signature.h
+++ b/Signature.h
@@ -2,12 +2,15 @@
 #define SIGNATURE_H__

 #include <inttypes.h>
-#include <cryptopp/dsa.h>
-#include <cryptopp/asn.h>
-#include <cryptopp/oids.h>
-#include <cryptopp/osrng.h>
-#include <cryptopp/eccrypto.h>
-#include "CryptoConst.h"
+#include <string.h>
+#include <openssl/sha.h>
+#include <openssl/dsa.h>
+#include <openssl/ec.h>
+#include <openssl/ecdsa.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+#include "Crypto.h"

 namespace i2p
 {
@@ -21,6 +24,7 @@ namespace crypto
 			virtual bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const = 0;
 			virtual size_t GetPublicKeyLen () const = 0;
 			virtual size_t GetSignatureLen () const = 0;
+			virtual size_t GetPrivateKeyLen () const { return GetSignatureLen ()/2; };
 	};

 	class Signer
@@ -28,7 +32,7 @@ namespace crypto
 		public:

 			virtual ~Signer () {};		
-			virtual void Sign (CryptoPP::RandomNumberGenerator& rnd, const uint8_t * buf, int len, uint8_t * signature) const = 0; 
+			virtual void Sign (const uint8_t * buf, int len, uint8_t * signature) const = 0; 
 	};

 	const size_t DSA_PUBLIC_KEY_LENGTH = 128;
@@ -40,13 +44,32 @@ namespace crypto

 			DSAVerifier (const uint8_t * signingKey)
 			{
-				m_PublicKey.Initialize (dsap, dsaq, dsag, CryptoPP::Integer (signingKey, DSA_PUBLIC_KEY_LENGTH));
+				m_PublicKey = DSA_new ();
+				m_PublicKey->p = BN_dup (dsap);
+				m_PublicKey->q = BN_dup (dsaq);
+				m_PublicKey->g = BN_dup (dsag);
+				m_PublicKey->priv_key = NULL;
+				m_PublicKey->pub_key = BN_bin2bn (signingKey, DSA_PUBLIC_KEY_LENGTH, NULL);
 			}
-	
+
+			~DSAVerifier ()
+			{
+				DSA_free (m_PublicKey);
+			}
+			
 			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const
 			{
-				CryptoPP::DSA::Verifier verifier (m_PublicKey);
-				return verifier.VerifyMessage (buf, len, signature, DSA_SIGNATURE_LENGTH);
+				// calculate SHA1 digest
+				uint8_t digest[20];
+				SHA1 (buf, len, digest);
+				// signature
+				DSA_SIG * sig = DSA_SIG_new();
+				sig->r = BN_bin2bn (signature, DSA_SIGNATURE_LENGTH/2, NULL);
+				sig->s = BN_bin2bn (signature + DSA_SIGNATURE_LENGTH/2, DSA_SIGNATURE_LENGTH/2, NULL);
+				// DSA verification
+				int ret = DSA_do_verify (digest, 20, sig, m_PublicKey);
+				DSA_SIG_free(sig);
+				return ret;
 			}	

 			size_t GetPublicKeyLen () const { return DSA_PUBLIC_KEY_LENGTH; };
@@ -54,7 +77,7 @@ namespace crypto
 			
 		private:

-			CryptoPP::DSA::PublicKey m_PublicKey;
+			DSA * m_PublicKey;
 	};

 	class DSASigner: public Signer
@@ -63,91 +86,365 @@ namespace crypto

 			DSASigner (const uint8_t * signingPrivateKey)
 			{
-				m_PrivateKey.Initialize (dsap, dsaq, dsag, CryptoPP::Integer (signingPrivateKey, DSA_PRIVATE_KEY_LENGTH));
+				m_PrivateKey = DSA_new ();
+				m_PrivateKey->p = BN_dup (dsap);
+				m_PrivateKey->q = BN_dup (dsaq);
+				m_PrivateKey->g = BN_dup (dsag);
+				m_PrivateKey->priv_key = BN_bin2bn (signingPrivateKey, DSA_PRIVATE_KEY_LENGTH, NULL);
+				m_PrivateKey->pub_key = NULL;
 			}

-			void Sign (CryptoPP::RandomNumberGenerator& rnd, const uint8_t * buf, int len, uint8_t * signature) const
+			~DSASigner ()
 			{
-				CryptoPP::DSA::Signer signer (m_PrivateKey);
-				signer.SignMessage (rnd, buf, len, signature);
+				DSA_free (m_PrivateKey);
+			}
+			
+			void Sign (const uint8_t * buf, int len, uint8_t * signature) const
+			{
+				uint8_t digest[20];
+				SHA1 (buf, len, digest);
+				DSA_SIG * sig = DSA_do_sign (digest, 20, m_PrivateKey);
+				bn2buf (sig->r, signature, DSA_SIGNATURE_LENGTH/2);
+				bn2buf (sig->s, signature + DSA_SIGNATURE_LENGTH/2, DSA_SIGNATURE_LENGTH/2);
+				DSA_SIG_free(sig);
 			}

 		private:

-			CryptoPP::DSA::PrivateKey m_PrivateKey;
+			DSA * m_PrivateKey;
 	};

-	inline void CreateDSARandomKeys (CryptoPP::RandomNumberGenerator& rnd, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
+	inline void CreateDSARandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
 	{
-		CryptoPP::DSA::PrivateKey privateKey;
-		CryptoPP::DSA::PublicKey publicKey;
-		privateKey.Initialize (rnd, dsap, dsaq, dsag);
-		privateKey.MakePublicKey (publicKey);
-		privateKey.GetPrivateExponent ().Encode (signingPrivateKey, DSA_PRIVATE_KEY_LENGTH);	
-		publicKey.GetPublicElement ().Encode (signingPublicKey, DSA_PUBLIC_KEY_LENGTH);
+		DSA * dsa = DSA_new ();
+		dsa->p = BN_dup (dsap);
+		dsa->q = BN_dup (dsaq);
+		dsa->g = BN_dup (dsag);
+		dsa->priv_key = NULL;
+		dsa->pub_key = NULL;
+		DSA_generate_key (dsa);
+		bn2buf (dsa->priv_key, signingPrivateKey, DSA_PRIVATE_KEY_LENGTH);
+		bn2buf (dsa->pub_key, signingPublicKey, DSA_PUBLIC_KEY_LENGTH);
+		DSA_free (dsa);
+		
 	}	

+	struct SHA256Hash
+	{	
+		static void CalculateHash (const uint8_t * buf, size_t len, uint8_t * digest)
+		{
+			SHA256 (buf, len, digest);
+		}

-	const size_t ECDSAP256_PUBLIC_KEY_LENGTH = 64;
-	const size_t ECDSAP256_PUBLIC_KEY_HALF_LENGTH = ECDSAP256_PUBLIC_KEY_LENGTH/2;
-	const size_t ECDSAP256_SIGNATURE_LENGTH = 64;
-	const size_t ECDSAP256_PRIVATE_KEY_LENGTH = ECDSAP256_SIGNATURE_LENGTH/2;		
-	class ECDSAP256Verifier: public Verifier
-	{
+		enum { hashLen = 32 };
+	};	
+
+	struct SHA384Hash
+	{	
+		static void CalculateHash (const uint8_t * buf, size_t len, uint8_t * digest)
+		{
+			SHA384 (buf, len, digest);
+		}
+
+		enum { hashLen = 48 };
+	};
+
+	struct SHA512Hash
+	{	
+		static void CalculateHash (const uint8_t * buf, size_t len, uint8_t * digest)
+		{
+			SHA512 (buf, len, digest);
+		}
+
+		enum { hashLen = 64 };
+	};
+	
+	template<typename Hash, int curve, size_t keyLen>
+	class ECDSAVerifier: public Verifier
+	{		
 		public:

-			ECDSAP256Verifier (const uint8_t * signingKey)
+			ECDSAVerifier (const uint8_t * signingKey)
 			{
-				m_PublicKey.Initialize (CryptoPP::ASN1::secp256r1(), 
-					CryptoPP::ECP::Point (CryptoPP::Integer (signingKey, ECDSAP256_PUBLIC_KEY_HALF_LENGTH), 
-					CryptoPP::Integer (signingKey + ECDSAP256_PUBLIC_KEY_HALF_LENGTH, ECDSAP256_PUBLIC_KEY_HALF_LENGTH)));
-			}			
+				m_PublicKey = EC_KEY_new_by_curve_name (curve);
+				EC_KEY_set_public_key_affine_coordinates (m_PublicKey, 
+					BN_bin2bn (signingKey, keyLen/2, NULL),
+					BN_bin2bn (signingKey + keyLen/2, keyLen/2, NULL));  
+			}

+			~ECDSAVerifier ()
+			{
+				EC_KEY_free (m_PublicKey);
+			}
+			
 			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const
 			{
-				CryptoPP::ECDSA<CryptoPP::ECP, CryptoPP::SHA256>::Verifier verifier (m_PublicKey);
-				return verifier.VerifyMessage (buf, len, signature, ECDSAP256_SIGNATURE_LENGTH);
+				uint8_t digest[Hash::hashLen];
+				Hash::CalculateHash (buf, len, digest);
+				ECDSA_SIG * sig = ECDSA_SIG_new();
+				sig->r = BN_bin2bn (signature, GetSignatureLen ()/2, NULL);
+				sig->s = BN_bin2bn (signature + GetSignatureLen ()/2, GetSignatureLen ()/2, NULL);
+				// ECDSA verification
+				int ret = ECDSA_do_verify (digest, Hash::hashLen, sig, m_PublicKey);
+				ECDSA_SIG_free(sig);
+				return ret;
 			}	
+			
+			size_t GetPublicKeyLen () const { return keyLen; };
+			size_t GetSignatureLen () const { return keyLen; }; // signature length = key length

-			size_t GetPublicKeyLen () const { return ECDSAP256_PUBLIC_KEY_LENGTH; };
-			size_t GetSignatureLen () const { return ECDSAP256_SIGNATURE_LENGTH; };
 			
 		private:

-			CryptoPP::ECDSA<CryptoPP::ECP, CryptoPP::SHA256>::PublicKey m_PublicKey;
-	};	
+			EC_KEY * m_PublicKey;
+	};

-	class ECDSAP256Signer: public Signer
+	template<typename Hash, int curve, size_t keyLen>
+	class ECDSASigner: public Signer
 	{
 		public:

-			ECDSAP256Signer (const uint8_t * signingPrivateKey)
+			ECDSASigner (const uint8_t * signingPrivateKey)
 			{
-				m_PrivateKey.Initialize (CryptoPP::ASN1::secp256r1(), CryptoPP::Integer (signingPrivateKey, ECDSAP256_PRIVATE_KEY_LENGTH));
+				m_PrivateKey = EC_KEY_new_by_curve_name (curve);
+				EC_KEY_set_private_key (m_PrivateKey, BN_bin2bn (signingPrivateKey, keyLen/2, NULL));			
 			}

-			void Sign (CryptoPP::RandomNumberGenerator& rnd, const uint8_t * buf, int len, uint8_t * signature) const
+			~ECDSASigner ()
 			{
-				CryptoPP::ECDSA<CryptoPP::ECP, CryptoPP::SHA256>::Signer signer (m_PrivateKey);
-				signer.SignMessage (rnd, buf, len, signature);
+				EC_KEY_free (m_PrivateKey);
+			}
+			
+			void Sign (const uint8_t * buf, int len, uint8_t * signature) const
+			{
+				uint8_t digest[Hash::hashLen];
+				Hash::CalculateHash (buf, len, digest);
+				ECDSA_SIG * sig = ECDSA_do_sign (digest, Hash::hashLen, m_PrivateKey);
+				// signatureLen = keyLen
+				bn2buf (sig->r, signature, keyLen/2);
+				bn2buf (sig->s, signature + keyLen/2, keyLen/2);
+				ECDSA_SIG_free(sig);
 			}

 		private:

-			CryptoPP::ECDSA<CryptoPP::ECP, CryptoPP::SHA256>::PrivateKey m_PrivateKey;
+			EC_KEY * m_PrivateKey;
 	};

-	inline void CreateECDSAP256RandomKeys (CryptoPP::RandomNumberGenerator& rnd, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
+	inline void CreateECDSARandomKeys (int curve, size_t keyLen, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
 	{
-		CryptoPP::ECDSA<CryptoPP::ECP, CryptoPP::SHA256>::PrivateKey privateKey;
-		CryptoPP::ECDSA<CryptoPP::ECP, CryptoPP::SHA256>::PublicKey publicKey;
-		privateKey.Initialize (rnd, CryptoPP::ASN1::secp256r1());
-		privateKey.MakePublicKey (publicKey);
-		privateKey.GetPrivateExponent ().Encode (signingPrivateKey, ECDSAP256_PRIVATE_KEY_LENGTH);	
-		auto q = publicKey.GetPublicElement ();
-		q.x.Encode (signingPublicKey, ECDSAP256_PUBLIC_KEY_HALF_LENGTH);
-		q.y.Encode (signingPublicKey + ECDSAP256_PUBLIC_KEY_HALF_LENGTH, ECDSAP256_PUBLIC_KEY_HALF_LENGTH);
+		EC_KEY * signingKey = EC_KEY_new_by_curve_name (curve);
+		EC_KEY_generate_key (signingKey);
+		bn2buf (EC_KEY_get0_private_key (signingKey), signingPrivateKey, keyLen/2);
+		BIGNUM * x = BN_new(), * y = BN_new();
+		EC_POINT_get_affine_coordinates_GFp (EC_KEY_get0_group(signingKey),
+			EC_KEY_get0_public_key (signingKey), x, y, NULL);
+		bn2buf (x, signingPublicKey, keyLen/2);
+		bn2buf (y, signingPublicKey + keyLen/2, keyLen/2);
+		BN_free (x); BN_free (y);
+		EC_KEY_free (signingKey);		
+	}
+
+// ECDSA_SHA256_P256
+	const size_t ECDSAP256_KEY_LENGTH = 64;	
+	typedef ECDSAVerifier<SHA256Hash, NID_X9_62_prime256v1, ECDSAP256_KEY_LENGTH> ECDSAP256Verifier;
+	typedef ECDSASigner<SHA256Hash, NID_X9_62_prime256v1, ECDSAP256_KEY_LENGTH> ECDSAP256Signer;
+
+	inline void CreateECDSAP256RandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
+	{
+		CreateECDSARandomKeys (NID_X9_62_prime256v1, ECDSAP256_KEY_LENGTH, signingPrivateKey, signingPublicKey);
 	}	
+
+// ECDSA_SHA384_P384
+	const size_t ECDSAP384_KEY_LENGTH = 96;
+	typedef ECDSAVerifier<SHA384Hash, NID_secp384r1, ECDSAP384_KEY_LENGTH> ECDSAP384Verifier;
+	typedef ECDSASigner<SHA384Hash, NID_secp384r1, ECDSAP384_KEY_LENGTH> ECDSAP384Signer;
+
+	inline void CreateECDSAP384RandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
+	{
+		CreateECDSARandomKeys (NID_secp384r1, ECDSAP384_KEY_LENGTH, signingPrivateKey, signingPublicKey);
+	}	
+
+// ECDSA_SHA512_P521
+	const size_t ECDSAP521_KEY_LENGTH = 132;
+	typedef ECDSAVerifier<SHA512Hash, NID_secp521r1, ECDSAP521_KEY_LENGTH> ECDSAP521Verifier;
+	typedef ECDSASigner<SHA512Hash, NID_secp521r1, ECDSAP521_KEY_LENGTH> ECDSAP521Signer;
+
+	inline void CreateECDSAP521RandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
+	{
+		CreateECDSARandomKeys (NID_secp521r1, ECDSAP521_KEY_LENGTH, signingPrivateKey, signingPublicKey);
+	}
+
+// RSA
+	template<typename Hash, int type, size_t keyLen>	
+	class RSAVerifier: public Verifier
+	{
+		public:
+
+			RSAVerifier (const uint8_t * signingKey)
+			{
+				m_PublicKey = RSA_new ();
+				memset (m_PublicKey, 0, sizeof (RSA));
+				m_PublicKey->e = BN_dup (rsae);
+				m_PublicKey->n = BN_bin2bn (signingKey, keyLen, NULL);
+			}
+
+			~RSAVerifier ()
+			{
+				RSA_free (m_PublicKey);
+			}
+			
+			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const 
+			{
+				uint8_t digest[Hash::hashLen];
+				Hash::CalculateHash (buf, len, digest);
+				return RSA_verify (type, digest, Hash::hashLen, signature, GetSignatureLen (), m_PublicKey);
+			}
+			size_t GetPublicKeyLen () const { return keyLen; }
+			size_t GetSignatureLen () const { return keyLen; }	
+			size_t GetPrivateKeyLen () const { return GetSignatureLen ()*2; };
+
+		private:
+			
+			RSA * m_PublicKey;			
+	};	
+
+	
+	template<typename Hash, int type, size_t keyLen>
+	class RSASigner: public Signer
+	{
+		public:
+
+			RSASigner (const uint8_t * signingPrivateKey)
+			{
+				m_PrivateKey = RSA_new ();
+				memset (m_PrivateKey, 0, sizeof (RSA));
+				m_PrivateKey->e = BN_dup (rsae);
+				m_PrivateKey->n = BN_bin2bn (signingPrivateKey, keyLen, NULL);
+				m_PrivateKey->d = BN_bin2bn (signingPrivateKey + keyLen, keyLen, NULL);
+			}
+
+			~RSASigner ()
+			{
+				RSA_free (m_PrivateKey);
+			}
+			
+			void Sign (const uint8_t * buf, int len, uint8_t * signature) const
+			{
+				uint8_t digest[Hash::hashLen];
+				Hash::CalculateHash (buf, len, digest);
+				unsigned int signatureLen = keyLen;
+				RSA_sign (type, digest, Hash::hashLen, signature, &signatureLen, m_PrivateKey);
+			}
+			
+		private:
+
+			RSA * m_PrivateKey;
+	};		
+
+	inline void CreateRSARandomKeys (size_t publicKeyLen, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
+	{
+		RSA * rsa = RSA_new ();
+		RSA_generate_key_ex (rsa, publicKeyLen*8, rsae, NULL);
+		bn2buf (rsa->n, signingPrivateKey, publicKeyLen);
+		bn2buf (rsa->d, signingPrivateKey + publicKeyLen, publicKeyLen);
+		bn2buf (rsa->n, signingPublicKey, publicKeyLen);
+		RSA_free (rsa);
+	}	
+	
+//  RSA_SHA256_2048
+	const size_t RSASHA2562048_KEY_LENGTH = 256;
+	typedef RSAVerifier<SHA256Hash, NID_sha256, RSASHA2562048_KEY_LENGTH> RSASHA2562048Verifier;
+	typedef RSASigner<SHA256Hash, NID_sha256, RSASHA2562048_KEY_LENGTH> RSASHA2562048Signer;
+
+//  RSA_SHA384_3072
+	const size_t RSASHA3843072_KEY_LENGTH = 384;
+	typedef RSAVerifier<SHA384Hash, NID_sha384, RSASHA3843072_KEY_LENGTH> RSASHA3843072Verifier;
+	typedef RSASigner<SHA384Hash, NID_sha384, RSASHA3843072_KEY_LENGTH> RSASHA3843072Signer;	
+
+//  RSA_SHA512_4096
+	const size_t RSASHA5124096_KEY_LENGTH = 512;
+	typedef RSAVerifier<SHA512Hash, NID_sha512, RSASHA5124096_KEY_LENGTH> RSASHA5124096Verifier;
+	typedef RSASigner<SHA512Hash, NID_sha512, RSASHA5124096_KEY_LENGTH> RSASHA5124096Signer;
+
+	// EdDSA
+	struct EDDSAPoint
+	{
+		BIGNUM * x, * y;
+		BIGNUM * z, * t; // projective coordinates
+		EDDSAPoint (): x(nullptr), y(nullptr), z(nullptr), t(nullptr) {};
+		EDDSAPoint (EDDSAPoint&& other): x(nullptr), y(nullptr), z(nullptr), t(nullptr)  
+		{ *this = std::move (other); };	
+		EDDSAPoint (BIGNUM * x1, BIGNUM * y1, BIGNUM * z1 = nullptr, BIGNUM * t1 = nullptr): x(x1), y(y1), z(z1), t(t1) {};	
+		~EDDSAPoint () { BN_free (x); BN_free (y); BN_free(z); BN_free(t); };
+
+		EDDSAPoint& operator=(EDDSAPoint&& other) 
+		{
+			if (x) BN_free (x);
+			if (y) BN_free (y);
+			if (z) BN_free (z);
+			if (t) BN_free (t);
+			x = other.x; other.x = nullptr;
+			y = other.y; other.y = nullptr;
+			z = other.z; other.z = nullptr;
+			t = other.t; other.t = nullptr;
+			return *this;
+		} 	
+
+		EDDSAPoint operator-() const
+		{
+			BIGNUM * x1 = NULL, * y1 = NULL, * z1 = NULL, * t1 = NULL;
+			if (x) { x1 = BN_dup (x); BN_set_negative (x1, !BN_is_negative (x)); };
+			if (y) y1 = BN_dup (y);
+			if (z) z1 = BN_dup (z);
+			if (t) { t1 = BN_dup (t); BN_set_negative (t1, !BN_is_negative (t)); };
+			return EDDSAPoint {x1, y1, z1, t1};
+		}
+	};	
+
+	const size_t EDDSA25519_PUBLIC_KEY_LENGTH = 32;
+	const size_t EDDSA25519_SIGNATURE_LENGTH = 64;
+	const size_t EDDSA25519_PRIVATE_KEY_LENGTH = 32;		
+	class EDDSA25519Verifier: public Verifier
+	{
+		public:
+
+			EDDSA25519Verifier (const uint8_t * signingKey);
+			~EDDSA25519Verifier () { BN_CTX_free (m_Ctx); };
+			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const;
+
+			size_t GetPublicKeyLen () const { return EDDSA25519_PUBLIC_KEY_LENGTH; };
+			size_t GetSignatureLen () const { return EDDSA25519_SIGNATURE_LENGTH; };
+
+		private:
+
+			BN_CTX * m_Ctx;
+			EDDSAPoint m_PublicKey;	
+			uint8_t m_PublicKeyEncoded[EDDSA25519_PUBLIC_KEY_LENGTH];
+	};
+
+	class EDDSA25519Signer: public Signer
+	{
+		public:
+
+			EDDSA25519Signer (const uint8_t * signingPrivateKey); 
+			~EDDSA25519Signer () { BN_CTX_free (m_Ctx); };
+			void Sign (const uint8_t * buf, int len, uint8_t * signature) const; 
+			const uint8_t * GetPublicKey () const { return m_PublicKeyEncoded; };
+			
+		private:
+
+			BN_CTX * m_Ctx;
+			uint8_t m_ExpandedPrivateKey[64]; 
+			uint8_t m_PublicKeyEncoded[EDDSA25519_PUBLIC_KEY_LENGTH];
+	};
+
+	inline void CreateEDDSA25519RandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
+	{
+		RAND_bytes (signingPrivateKey, EDDSA25519_PRIVATE_KEY_LENGTH);
+		EDDSA25519Signer signer (signingPrivateKey);
+		memcpy (signingPublicKey, signer.GetPublicKey (), EDDSA25519_PUBLIC_KEY_LENGTH);
+	}
 }
 }

--- a/Streaming.cpp
+++ b/Streaming.cpp
--- a/Streaming.h
+++ b/Streaming.h
@@ -3,12 +3,15 @@

 #include <inttypes.h>
 #include <string>
+#include <sstream>
 #include <map>
 #include <set>
 #include <queue>
 #include <functional>
+#include <memory>
+#include <mutex>
 #include <boost/asio.hpp>
-#include <boost/bind.hpp>
+#include "Base.h"
 #include "I2PEndian.h"
 #include "Identity.h"
 #include "LeaseSet.h"
@@ -39,29 +42,33 @@ namespace stream
 	const size_t STREAMING_MTU = 1730;
 	const size_t MAX_PACKET_SIZE = 4096;
 	const size_t COMPRESSION_THRESHOLD_SIZE = 66;	
-	const int RESEND_TIMEOUT = 10; // in seconds
 	const int ACK_SEND_TIMEOUT = 200; // in milliseconds
-	const int MAX_NUM_RESEND_ATTEMPTS = 5;	
+	const int MAX_NUM_RESEND_ATTEMPTS = 6;	
+	const int WINDOW_SIZE = 6; // in messages
+	const int MIN_WINDOW_SIZE = 1;
+	const int MAX_WINDOW_SIZE = 128;		
+	const int INITIAL_RTT = 8000; // in milliseconds
+	const int INITIAL_RTO = 9000; // in milliseconds
 	
 	struct Packet
 	{
-		uint8_t buf[MAX_PACKET_SIZE];	
 		size_t len, offset;
-		int numResendAttempts;
+		uint8_t buf[MAX_PACKET_SIZE];	
+		uint64_t sendTime;
 		
-		Packet (): len (0), offset (0), numResendAttempts (0) {};
+		Packet (): len (0), offset (0), sendTime (0) {};
 		uint8_t * GetBuffer () { return buf + offset; };
 		size_t GetLength () const { return len - offset; };

-		uint32_t GetSendStreamID () const { return be32toh (*(uint32_t *)buf); };
-		uint32_t GetReceiveStreamID () const { return be32toh (*(uint32_t *)(buf + 4)); };
-		uint32_t GetSeqn () const { return be32toh (*(uint32_t *)(buf + 8)); };
-		uint32_t GetAckThrough () const { return be32toh (*(uint32_t *)(buf + 12)); };
+		uint32_t GetSendStreamID () const { return bufbe32toh (buf); };
+		uint32_t GetReceiveStreamID () const { return bufbe32toh (buf + 4); };
+		uint32_t GetSeqn () const { return bufbe32toh (buf + 8); };
+		uint32_t GetAckThrough () const { return bufbe32toh (buf + 12); };
 		uint8_t GetNACKCount () const { return buf[16]; };
-		uint32_t GetNACK (int i) const { return be32toh (((uint32_t *)(buf + 17))[i]); };
+		uint32_t GetNACK (int i) const { return bufbe32toh (buf + 17 + 4 * i); };
 		const uint8_t * GetOption () const { return buf + 17 + GetNACKCount ()*4 + 3; }; // 3 = resendDelay + flags
-		uint16_t GetFlags () const { return be16toh (*(uint16_t *)(GetOption () - 2)); };
-		uint16_t GetOptionSize () const { return be16toh (*(uint16_t *)GetOption ()); };
+		uint16_t GetFlags () const { return bufbe16toh (GetOption () - 2); };
+		uint16_t GetOptionSize () const { return bufbe16toh (GetOption ()); };
 		const uint8_t * GetOptionData () const { return GetOption () + 2; };
 		const uint8_t * GetPayload () const { return GetOptionData () + GetOptionSize (); };

@@ -76,41 +83,63 @@ namespace stream
 			return p1->GetSeqn () < p2->GetSeqn (); 
 		};
 	};	
+
+	enum StreamStatus
+	{
+		eStreamStatusNew = 0,
+		eStreamStatusOpen,
+		eStreamStatusReset,
+		eStreamStatusClosing,
+		eStreamStatusClosed
+	};	
 	
 	class StreamingDestination;
-	class Stream
+	class Stream: public std::enable_shared_from_this<Stream>
 	{	
 		public:

+			typedef std::function<void (const boost::system::error_code& ecode)> SendHandler;
+
 			Stream (boost::asio::io_service& service, StreamingDestination& local, 
-				const i2p::data::LeaseSet& remote, int port = 0); // outgoing
+				std::shared_ptr<const i2p::data::LeaseSet> remote, int port = 0); // outgoing
 			Stream (boost::asio::io_service& service, StreamingDestination& local); // incoming			

 			~Stream ();
 			uint32_t GetSendStreamID () const { return m_SendStreamID; };
 			uint32_t GetRecvStreamID () const { return m_RecvStreamID; };
-			const i2p::data::LeaseSet * GetRemoteLeaseSet () const { return m_RemoteLeaseSet; };
-			const i2p::data::IdentityEx& GetRemoteIdentity () const { return m_RemoteIdentity; };
-			bool IsOpen () const { return m_IsOpen; };
+			std::shared_ptr<const i2p::data::LeaseSet> GetRemoteLeaseSet () const { return m_RemoteLeaseSet; };
+			std::shared_ptr<const i2p::data::IdentityEx> GetRemoteIdentity () const { return m_RemoteIdentity; };
+			bool IsOpen () const { return m_Status == eStreamStatusOpen; };
 			bool IsEstablished () const { return m_SendStreamID; };
+			StreamStatus GetStatus () const { return m_Status; };
 			StreamingDestination& GetLocalDestination () { return m_LocalDestination; };
 			
 			void HandleNextPacket (Packet * packet);
 			size_t Send (const uint8_t * buf, size_t len);
+			void AsyncSend (const uint8_t * buf, size_t len, SendHandler handler);
 			
 			template<typename Buffer, typename ReceiveHandler>
 			void AsyncReceive (const Buffer& buffer, ReceiveHandler handler, int timeout = 0);
-
+			size_t ReadSome (uint8_t * buf, size_t len) { return ConcatenatePackets (buf, len); };
+			
 			void Close ();
+			void Cancel () { m_ReceiveTimer.cancel (); };

 			size_t GetNumSentBytes () const { return m_NumSentBytes; };
 			size_t GetNumReceivedBytes () const { return m_NumReceivedBytes; };
 			size_t GetSendQueueSize () const { return m_SentPackets.size (); };
 			size_t GetReceiveQueueSize () const { return m_ReceiveQueue.size (); };
+			size_t GetSendBufferSize () const { return m_SendBuffer.rdbuf ()->in_avail (); };
+			int GetWindowSize () const { return m_WindowSize; };
+			int GetRTT () const { return m_RTT; };
 			
 		private:

+			void Terminate ();
+
+			void SendBuffer ();
 			void SendQuickAck ();
+			void SendClose ();
 			bool SendPacket (Packet * packet);
 			void SendPackets (const std::vector<Packet *>& packets);

@@ -119,110 +148,121 @@ namespace stream
 			void ProcessAck (Packet * packet);
 			size_t ConcatenatePackets (uint8_t * buf, size_t len);

-			void UpdateCurrentRemoteLease ();
+			void UpdateCurrentRemoteLease (bool expired = false);
 			
 			template<typename Buffer, typename ReceiveHandler>
 			void HandleReceiveTimer (const boost::system::error_code& ecode, const Buffer& buffer, ReceiveHandler handler);
-
+			
 			void ScheduleResend ();
 			void HandleResendTimer (const boost::system::error_code& ecode);
 			void HandleAckSendTimer (const boost::system::error_code& ecode);

-			I2NPMessage * CreateDataMessage (const uint8_t * payload, size_t len);
+			std::shared_ptr<I2NPMessage> CreateDataMessage (const uint8_t * payload, size_t len);
 			
 		private:

 			boost::asio::io_service& m_Service;
 			uint32_t m_SendStreamID, m_RecvStreamID, m_SequenceNumber;
 			int32_t m_LastReceivedSequenceNumber;
-			bool m_IsOpen, m_IsReset, m_IsAckSendScheduled;
+			StreamStatus m_Status;
+			bool m_IsAckSendScheduled;
 			StreamingDestination& m_LocalDestination;
-			i2p::data::IdentityEx m_RemoteIdentity;
-			const i2p::data::LeaseSet * m_RemoteLeaseSet;
-			i2p::garlic::GarlicRoutingSession * m_RoutingSession;
+			std::shared_ptr<const i2p::data::IdentityEx> m_RemoteIdentity;
+			std::shared_ptr<const i2p::data::LeaseSet> m_RemoteLeaseSet;
+			std::shared_ptr<i2p::garlic::GarlicRoutingSession> m_RoutingSession;
 			i2p::data::Lease m_CurrentRemoteLease;
+			std::shared_ptr<i2p::tunnel::OutboundTunnel> m_CurrentOutboundTunnel;
 			std::queue<Packet *> m_ReceiveQueue;
 			std::set<Packet *, PacketCmp> m_SavedPackets;
 			std::set<Packet *, PacketCmp> m_SentPackets;
 			boost::asio::deadline_timer m_ReceiveTimer, m_ResendTimer, m_AckSendTimer;
 			size_t m_NumSentBytes, m_NumReceivedBytes;
 			uint16_t m_Port;
+
+			std::mutex m_SendBufferMutex;
+			std::stringstream m_SendBuffer;
+			int m_WindowSize, m_RTT, m_RTO;
+			uint64_t m_LastWindowSizeIncreaseTime;
+			int m_NumResendAttempts;
+			SendHandler m_SendHandler;
 	};

 	class StreamingDestination
 	{
 		public:

-			typedef std::function<void (Stream *)> Acceptor;
+			typedef std::function<void (std::shared_ptr<Stream>)> Acceptor;

-			StreamingDestination (i2p::client::ClientDestination& owner): m_Owner (owner) {};
-			~StreamingDestination () {};	
+			StreamingDestination (std::shared_ptr<i2p::client::ClientDestination> owner, uint16_t localPort = 0);
+			~StreamingDestination ();	

 			void Start ();
 			void Stop ();

-			Stream * CreateNewOutgoingStream (const i2p::data::LeaseSet& remote, int port = 0);
-			void DeleteStream (Stream * stream);			
+			std::shared_ptr<Stream> CreateNewOutgoingStream (std::shared_ptr<const i2p::data::LeaseSet> remote, int port = 0);
+			void DeleteStream (std::shared_ptr<Stream> stream);			
 			void SetAcceptor (const Acceptor& acceptor) { m_Acceptor = acceptor; };
-			void ResetAcceptor () { m_Acceptor = nullptr; };
+			void ResetAcceptor () { if (m_Acceptor) m_Acceptor (nullptr); m_Acceptor = nullptr; };
 			bool IsAcceptorSet () const { return m_Acceptor != nullptr; };	
-			i2p::client::ClientDestination& GetOwner () { return m_Owner; };
+			std::shared_ptr<i2p::client::ClientDestination> GetOwner () const { return m_Owner; };
+			uint16_t GetLocalPort () const { return m_LocalPort; };

 			void HandleDataMessagePayload (const uint8_t * buf, size_t len);

 		private:		
 	
 			void HandleNextPacket (Packet * packet);
-			Stream * CreateNewIncomingStream ();
+			std::shared_ptr<Stream> CreateNewIncomingStream ();

 		private:

-			i2p::client::ClientDestination& m_Owner;
+			std::shared_ptr<i2p::client::ClientDestination> m_Owner;
+			uint16_t m_LocalPort;
 			std::mutex m_StreamsMutex;
-			std::map<uint32_t, Stream *> m_Streams;
+			std::map<uint32_t, std::shared_ptr<Stream> > m_Streams;
 			Acceptor m_Acceptor;
 			
 		public:

+			i2p::data::GzipInflator m_Inflator;
+			i2p::data::GzipDeflator m_Deflator;
+			
 			// for HTTP only
 			const decltype(m_Streams)& GetStreams () const { return m_Streams; };
 	};		

-	void DeleteStream (Stream * stream);
-
 //-------------------------------------------------

 	template<typename Buffer, typename ReceiveHandler>
 	void Stream::AsyncReceive (const Buffer& buffer, ReceiveHandler handler, int timeout)
 	{
-		if (!m_ReceiveQueue.empty ())
+		auto s = shared_from_this();
+		m_Service.post ([=](void)
 		{
-			m_Service.post ([=](void) { this->HandleReceiveTimer (
-				boost::asio::error::make_error_code (boost::asio::error::operation_aborted),
-				buffer, handler); });
-		}
-		else
-		{
-			m_ReceiveTimer.expires_from_now (boost::posix_time::seconds(timeout));
-			m_ReceiveTimer.async_wait ([=](const boost::system::error_code& ecode)
-				{ this->HandleReceiveTimer (ecode, buffer, handler); });
-		}
+			if (!m_ReceiveQueue.empty () || m_Status == eStreamStatusReset)
+				s->HandleReceiveTimer (boost::asio::error::make_error_code (boost::asio::error::operation_aborted), buffer, handler);
+			else
+			{
+				s->m_ReceiveTimer.expires_from_now (boost::posix_time::seconds(timeout));
+				s->m_ReceiveTimer.async_wait ([=](const boost::system::error_code& ecode)
+					{ s->HandleReceiveTimer (ecode, buffer, handler); });
+			}
+		});	
 	}

 	template<typename Buffer, typename ReceiveHandler>
 	void Stream::HandleReceiveTimer (const boost::system::error_code& ecode, const Buffer& buffer, ReceiveHandler handler)
 	{
 		size_t received = ConcatenatePackets (boost::asio::buffer_cast<uint8_t *>(buffer), boost::asio::buffer_size(buffer));
-		if (ecode == boost::asio::error::operation_aborted)
+		if (received > 0)
+			handler (boost::system::error_code (), received);
+		else if (ecode == boost::asio::error::operation_aborted)
 		{	
 			// timeout not expired	
-			if (m_IsOpen)
-				// no error
-				handler (boost::system::error_code (), received); 
+			if (m_Status == eStreamStatusReset)
+				handler (boost::asio::error::make_error_code (boost::asio::error::connection_reset), 0);
 			else
-				// socket closed
-				handler (m_IsReset ? boost::asio::error::make_error_code (boost::asio::error::connection_reset) :
-					boost::asio::error::make_error_code (boost::asio::error::operation_aborted), 0);
+				handler (boost::asio::error::make_error_code (boost::asio::error::operation_aborted), 0); 
 		}	
 		else
 			// timeout expired
--- a/TransitTunnel.cpp
+++ b/TransitTunnel.cpp
@@ -14,50 +14,75 @@ namespace tunnel
 	TransitTunnel::TransitTunnel (uint32_t receiveTunnelID, 
 	    const uint8_t * nextIdent, uint32_t nextTunnelID, 
 		const uint8_t * layerKey,const uint8_t * ivKey): 
-			m_TunnelID (receiveTunnelID),  m_NextTunnelID (nextTunnelID), 
-			m_NextIdent (nextIdent), m_NumTransmittedBytes (0)
+			TunnelBase (receiveTunnelID, nextTunnelID, nextIdent)
 	{	
 		m_Encryption.SetKeys (layerKey, ivKey);
 	}	

-	void TransitTunnel::EncryptTunnelMsg (I2NPMessage * tunnelMsg)
+	void TransitTunnel::EncryptTunnelMsg (std::shared_ptr<const I2NPMessage> in, std::shared_ptr<I2NPMessage> out)
 	{		
-		m_Encryption.Encrypt (tunnelMsg->GetPayload () + 4); 
+		m_Encryption.Encrypt (in->GetPayload () + 4, out->GetPayload () + 4); 
 	}	
-	
-	void TransitTunnel::HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg)
+
+	TransitTunnelParticipant::~TransitTunnelParticipant ()
 	{
-		EncryptTunnelMsg (tunnelMsg);
+	}	
+		
+	void TransitTunnelParticipant::HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg)
+	{
+		auto newMsg = CreateEmptyTunnelDataMsg ();
+		EncryptTunnelMsg (tunnelMsg, newMsg);
 		
-		LogPrint ("TransitTunnel: ",m_TunnelID,"->", m_NextTunnelID);
 		m_NumTransmittedBytes += tunnelMsg->GetLength ();
-		*(uint32_t *)(tunnelMsg->GetPayload ()) = htobe32 (m_NextTunnelID);
-		FillI2NPMessageHeader (tunnelMsg, eI2NPTunnelData);
-		
-		i2p::transport::transports.SendMessage (m_NextIdent, tunnelMsg);	
+		htobe32buf (newMsg->GetPayload (), GetNextTunnelID ());
+		newMsg->FillI2NPMessageHeader (eI2NPTunnelData); 
+		m_TunnelDataMsgs.push_back (newMsg);
 	}

-	void TransitTunnel::SendTunnelDataMsg (i2p::I2NPMessage * msg)
+	void TransitTunnelParticipant::FlushTunnelDataMsgs ()
+	{
+		if (!m_TunnelDataMsgs.empty ())
+		{	
+			auto num = m_TunnelDataMsgs.size ();
+			if (num > 1)
+				LogPrint (eLogDebug, "TransitTunnel: ",GetTunnelID (),"->", GetNextTunnelID (), " ", num);
+			i2p::transport::transports.SendMessages (GetNextIdentHash (), m_TunnelDataMsgs);
+			m_TunnelDataMsgs.clear ();
+		}	
+	}	
+		
+	void TransitTunnel::SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg)
 	{	
-		LogPrint ("We are not a gateway for transit tunnel ", m_TunnelID);
-		i2p::DeleteI2NPMessage (msg);	
+		LogPrint (eLogError, "We are not a gateway for transit tunnel ", GetTunnelID ());
 	}		

-	void TransitTunnelGateway::SendTunnelDataMsg (i2p::I2NPMessage * msg)
+	void TransitTunnel::HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg)
+	{
+		LogPrint (eLogError, "Incoming tunnel message is not supported  ", GetTunnelID ());
+	}	
+		
+	void TransitTunnelGateway::SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg)
 	{
 		TunnelMessageBlock block;
 		block.deliveryType = eDeliveryTypeLocal;
 		block.data = msg;
 		std::unique_lock<std::mutex> l(m_SendMutex);
-		m_Gateway.SendTunnelDataMsg (block);
+		m_Gateway.PutTunnelDataMsg (block);
 	}		

-	void TransitTunnelEndpoint::HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg)
+	void TransitTunnelGateway::FlushTunnelDataMsgs ()
 	{
-		EncryptTunnelMsg (tunnelMsg);
+		std::unique_lock<std::mutex> l(m_SendMutex);
+		m_Gateway.SendBuffer ();
+	}	
 		
-		LogPrint ("TransitTunnel endpoint for ", GetTunnelID ());
-		m_Endpoint.HandleDecryptedTunnelDataMsg (tunnelMsg); 
+	void TransitTunnelEndpoint::HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg)
+	{
+		auto newMsg = CreateEmptyTunnelDataMsg ();
+		EncryptTunnelMsg (tunnelMsg, newMsg);
+		
+		LogPrint (eLogDebug, "TransitTunnel endpoint for ", GetTunnelID ());
+		m_Endpoint.HandleDecryptedTunnelDataMsg (newMsg); 
 	}
 		
 	TransitTunnel * CreateTransitTunnel (uint32_t receiveTunnelID,
@@ -67,18 +92,18 @@ namespace tunnel
 	{
 		if (isEndpoint)
 		{	
-			LogPrint ("TransitTunnel endpoint: ", receiveTunnelID, " created");
+			LogPrint (eLogInfo, "TransitTunnel endpoint: ", receiveTunnelID, " created");
 			return new TransitTunnelEndpoint (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey);
 		}	
 		else if (isGateway)
 		{	
-			LogPrint ("TransitTunnel gateway: ", receiveTunnelID, " created");
+			LogPrint (eLogInfo, "TransitTunnel gateway: ", receiveTunnelID, " created");
 			return new TransitTunnelGateway (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey);
 		}	
 		else	
 		{	
-			LogPrint ("TransitTunnel: ", receiveTunnelID, "->", nextTunnelID, " created");
-			return new TransitTunnel (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey);
+			LogPrint (eLogInfo, "TransitTunnel: ", receiveTunnelID, "->", nextTunnelID, " created");
+			return new TransitTunnelParticipant (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey);
 		}	
 	}		
 }
--- a/TransitTunnel.h
+++ b/TransitTunnel.h
@@ -2,8 +2,10 @@
 #define TRANSIT_TUNNEL_H__

 #include <inttypes.h>
+#include <vector>
 #include <mutex>
-#include "aes.h"
+#include <memory>
+#include "Crypto.h"
 #include "I2NPProtocol.h"
 #include "TunnelEndpoint.h"
 #include "TunnelGateway.h"
@@ -13,7 +15,7 @@ namespace i2p
 {
 namespace tunnel
 {	
-	class TransitTunnel: public TunnelBase // tunnel patricipant
+	class TransitTunnel: public TunnelBase 
 	{
 		public:

@@ -21,26 +23,38 @@ namespace tunnel
 			    const uint8_t * nextIdent, uint32_t nextTunnelID, 
 	    		const uint8_t * layerKey,const uint8_t * ivKey); 
 			
-			virtual void HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg);
-			virtual void SendTunnelDataMsg (i2p::I2NPMessage * msg);
-			virtual size_t GetNumTransmittedBytes () const { return m_NumTransmittedBytes; };
-			
-			uint32_t GetTunnelID () const { return m_TunnelID; };
+			virtual size_t GetNumTransmittedBytes () const { return 0; };

 			// implements TunnelBase
-			void EncryptTunnelMsg (I2NPMessage * tunnelMsg); 
-			uint32_t GetNextTunnelID () const { return m_NextTunnelID; };
-			const i2p::data::IdentHash& GetNextIdentHash () const { return m_NextIdent; };
-			
+			void SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg);
+			void HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg);
+			void EncryptTunnelMsg (std::shared_ptr<const I2NPMessage> in, std::shared_ptr<I2NPMessage> out); 			
 		private:
-
-			uint32_t m_TunnelID, m_NextTunnelID;
-			i2p::data::IdentHash m_NextIdent;
-			size_t m_NumTransmittedBytes;
 			
 			i2p::crypto::TunnelEncryption m_Encryption;
 	};	

+	class TransitTunnelParticipant: public TransitTunnel
+	{
+		public:
+
+			TransitTunnelParticipant (uint32_t receiveTunnelID,
+			    const uint8_t * nextIdent, uint32_t nextTunnelID, 
+	    		const uint8_t * layerKey,const uint8_t * ivKey):
+				TransitTunnel (receiveTunnelID, nextIdent, nextTunnelID, 
+				layerKey, ivKey), m_NumTransmittedBytes (0) {};
+			~TransitTunnelParticipant ();
+
+			size_t GetNumTransmittedBytes () const { return m_NumTransmittedBytes; };
+			void HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg);
+			void FlushTunnelDataMsgs ();
+
+		private:
+
+			size_t m_NumTransmittedBytes;
+			std::vector<std::shared_ptr<i2p::I2NPMessage> > m_TunnelDataMsgs;
+	};	
+	
 	class TransitTunnelGateway: public TransitTunnel
 	{
 		public:
@@ -51,7 +65,8 @@ namespace tunnel
 				TransitTunnel (receiveTunnelID, nextIdent, nextTunnelID, 
 				layerKey, ivKey), m_Gateway(this) {};

-			void SendTunnelDataMsg (i2p::I2NPMessage * msg);
+			void SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg);
+			void FlushTunnelDataMsgs ();
 			size_t GetNumTransmittedBytes () const { return m_Gateway.GetNumSentBytes (); };
 			
 		private:
@@ -70,7 +85,7 @@ namespace tunnel
 				TransitTunnel (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey),
 				m_Endpoint (false) {}; // transit endpoint is always outbound

-			void HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg);
+			void HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg);
 			size_t GetNumTransmittedBytes () const { return m_Endpoint.GetNumReceivedBytes (); }
 			
 		private:
--- a/TransportSession.h
+++ b/TransportSession.h
@@ -4,24 +4,25 @@
 #include <inttypes.h>
 #include <iostream>
 #include <memory>
+#include <vector>
 #include "Identity.h"
+#include "Crypto.h"
 #include "RouterInfo.h"
+#include "I2NPProtocol.h"

 namespace i2p
 {
 namespace transport
 {
-	struct DHKeysPair // transient keys for transport sessions
-	{
-		uint8_t publicKey[256];
-		uint8_t privateKey[256];
-	};	
-
 	class SignedData
 	{
 		public:

-			SignedData () {};
+			SignedData () {}
+			SignedData (const SignedData& other) 
+			{
+				m_Stream << other.m_Stream.rdbuf ();
+			}	
 			void Insert (const uint8_t * buf, size_t len) 
 			{ 
 				m_Stream.write ((char *)buf, len); 
@@ -33,9 +34,9 @@ namespace transport
 				m_Stream.write ((char *)&t, sizeof (T)); 
 			}

-			bool Verify (const i2p::data::IdentityEx& ident, const uint8_t * signature) const
+			bool Verify (std::shared_ptr<const i2p::data::IdentityEx> ident, const uint8_t * signature) const
 			{
-				return ident.Verify ((const uint8_t *)m_Stream.str ().c_str (), m_Stream.str ().size (), signature); 
+				return ident->Verify ((const uint8_t *)m_Stream.str ().c_str (), m_Stream.str ().size (), signature); 
 			}

 			void Sign (const i2p::data::PrivateKeys& keys, uint8_t * signature) const
@@ -52,23 +53,31 @@ namespace transport
 	{
 		public:

-			TransportSession (std::shared_ptr<const i2p::data::RouterInfo> in_RemoteRouter): 
-				m_RemoteRouter (in_RemoteRouter), m_DHKeysPair (nullptr) 
+			TransportSession (std::shared_ptr<const i2p::data::RouterInfo> router): 
+				m_DHKeysPair (nullptr), m_NumSentBytes (0), m_NumReceivedBytes (0), m_IsOutgoing (router)
 			{
-				if (m_RemoteRouter)
-					m_RemoteIdentity = m_RemoteRouter->GetRouterIdentity ();
+				if (router)
+					m_RemoteIdentity = router->GetRouterIdentity ();
 			}

-			virtual ~TransportSession () { delete m_DHKeysPair; };
+			virtual ~TransportSession () {};
+			virtual void Done () = 0;
+			
+			std::shared_ptr<const i2p::data::IdentityEx> GetRemoteIdentity () { return m_RemoteIdentity; };
+			void SetRemoteIdentity (std::shared_ptr<const i2p::data::IdentityEx> ident) { m_RemoteIdentity = ident; };
+			
+			size_t GetNumSentBytes () const { return m_NumSentBytes; };
+			size_t GetNumReceivedBytes () const { return m_NumReceivedBytes; };
+			bool IsOutgoing () const { return m_IsOutgoing; };
+			
+			virtual void SendI2NPMessages (const std::vector<std::shared_ptr<I2NPMessage> >& msgs) = 0;
 			
-			std::shared_ptr<const i2p::data::RouterInfo> GetRemoteRouter () { return m_RemoteRouter; };
-			const i2p::data::IdentityEx& GetRemoteIdentity () { return m_RemoteIdentity; };
-
 		protected:

-			std::shared_ptr<const i2p::data::RouterInfo> m_RemoteRouter;
-			i2p::data::IdentityEx m_RemoteIdentity; 
-			DHKeysPair * m_DHKeysPair; // X - for client and Y - for server
+			std::shared_ptr<const i2p::data::IdentityEx> m_RemoteIdentity; 
+			std::shared_ptr<i2p::crypto::DHKeys> m_DHKeysPair; // X - for client and Y - for server
+			size_t m_NumSentBytes, m_NumReceivedBytes;
+			bool m_IsOutgoing;
 	};	
 }
 }
--- a/Transports.cpp
+++ b/Transports.cpp
@@ -1,7 +1,6 @@
-#include <cryptopp/dh.h>
-#include <boost/bind.hpp>
+#include <openssl/dh.h>
 #include "Log.h"
-#include "CryptoConst.h"
+#include "Crypto.h"
 #include "RouterContext.h"
 #include "I2NPProtocol.h"
 #include "NetDb.h"
@@ -57,18 +56,18 @@ namespace transport
 	{
 		if (num > 0)
 		{
-			CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
+			i2p::crypto::DHKeys dh;
 			for (int i = 0; i < num; i++)
 			{
-				i2p::transport::DHKeysPair * pair = new i2p::transport::DHKeysPair ();
-				dh.GenerateKeyPair(m_Rnd, pair->privateKey, pair->publicKey);
+				auto pair = std::make_shared<i2p::crypto::DHKeys> ();
+				pair->GenerateKeys ();
 				std::unique_lock<std::mutex>  l(m_AcquiredMutex);
 				m_Queue.push (pair);
 			}
 		}
 	}

-	DHKeysPair * DHKeysPairSupplier::Acquire ()
+	std::shared_ptr<i2p::crypto::DHKeys> DHKeysPairSupplier::Acquire ()
 	{
 		if (!m_Queue.empty ())
 		{
@@ -79,15 +78,14 @@ namespace transport
 			return pair;
 		}	
 		else // queue is empty, create new
-		{
-			DHKeysPair * pair = new DHKeysPair ();
-			CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
-			dh.GenerateKeyPair(m_Rnd, pair->privateKey, pair->publicKey);
+		{	
+			auto pair = std::make_shared<i2p::crypto::DHKeys> ();
+			pair->GenerateKeys ();
 			return pair;
 		}
 	}

-	void DHKeysPairSupplier::Return (DHKeysPair * pair)
+	void DHKeysPairSupplier::Return (std::shared_ptr<i2p::crypto::DHKeys> pair)
 	{
 		std::unique_lock<std::mutex>  l(m_AcquiredMutex);
 		m_Queue.push (pair);
@@ -96,8 +94,10 @@ namespace transport
 	Transports transports;	
 	
 	Transports::Transports (): 
-		m_Thread (nullptr), m_Work (m_Service), m_NTCPAcceptor (nullptr), m_NTCPV6Acceptor (nullptr), 
-		m_SSUServer (nullptr), m_DHKeysPairSupplier (5) // 5 pre-generated keys
+		m_IsRunning (false), m_Thread (nullptr), m_Work (m_Service), m_PeerCleanupTimer (m_Service),
+		m_NTCPServer (nullptr), m_SSUServer (nullptr), m_DHKeysPairSupplier (5), // 5 pre-generated keys
+		m_TotalSentBytes(0), m_TotalReceivedBytes(0), m_InBandwidth (0), m_OutBandwidth (0),
+		m_LastInBandwidthUpdateBytes (0), m_LastOutBandwidthUpdateBytes (0), m_LastBandwidthUpdateTime (0)	
 	{		
 	}
 		
@@ -115,31 +115,13 @@ namespace transport
 		auto addresses = context.GetRouterInfo ().GetAddresses ();
 		for (auto& address : addresses)
 		{
-			if (address.transportStyle == RouterInfo::eTransportNTCP && address.host.is_v4 ())
+			if (!m_NTCPServer)
 			{	
-				m_NTCPAcceptor = new boost::asio::ip::tcp::acceptor (m_Service,
-					boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), address.port));
-
-				LogPrint ("Start listening TCP port ", address.port);	
-				auto conn = new NTCPServerConnection (m_Service);
-				m_NTCPAcceptor->async_accept(conn->GetSocket (), boost::bind (&Transports::HandleAccept, this, 
-					conn, boost::asio::placeholders::error));	
-				
-				if (context.SupportsV6 ())
-				{
-					m_NTCPV6Acceptor = new boost::asio::ip::tcp::acceptor (m_Service);
-					m_NTCPV6Acceptor->open (boost::asio::ip::tcp::v6());
-					m_NTCPV6Acceptor->set_option (boost::asio::ip::v6_only (true));
-					m_NTCPV6Acceptor->bind (boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v6(), address.port));
-					m_NTCPV6Acceptor->listen ();
-
-					LogPrint ("Start listening V6 TCP port ", address.port);	
-					auto conn = new NTCPServerConnection (m_Service);
-					m_NTCPV6Acceptor->async_accept(conn->GetSocket (), boost::bind (&Transports::HandleAcceptV6,
-						this, conn, boost::asio::placeholders::error));
-				}	
+				m_NTCPServer = new NTCPServer (address.port);
+				m_NTCPServer->Start ();
 			}	
-			else if (address.transportStyle == RouterInfo::eTransportSSU && address.host.is_v4 ())
+			
+			if (address.transportStyle == RouterInfo::eTransportSSU && address.host.is_v4 ())
 			{
 				if (!m_SSUServer)
 				{	
@@ -152,24 +134,26 @@ namespace transport
 					LogPrint ("SSU server already exists");
 			}
 		}	
+		m_PeerCleanupTimer.expires_from_now (boost::posix_time::seconds(5*SESSION_CREATION_TIMEOUT));
+		m_PeerCleanupTimer.async_wait (std::bind (&Transports::HandlePeerCleanupTimer, this, std::placeholders::_1));
 	}
 		
 	void Transports::Stop ()
 	{	
+		m_PeerCleanupTimer.cancel ();	
+		m_Peers.clear ();
 		if (m_SSUServer)
 		{
 			m_SSUServer->Stop ();
 			delete m_SSUServer;
 			m_SSUServer = nullptr;
 		}	
-		
-		for (auto session: m_NTCPSessions)
-			delete session.second;
-		m_NTCPSessions.clear ();
-		delete m_NTCPAcceptor;
-		m_NTCPAcceptor = nullptr;
-		delete m_NTCPV6Acceptor;
-		m_NTCPV6Acceptor = nullptr;
+		if (m_NTCPServer)
+		{
+			m_NTCPServer->Stop ();
+			delete m_NTCPServer;
+			m_NTCPServer = nullptr;
+		}	

 		m_DHKeysPairSupplier.Stop ();
 		m_IsRunning = false;
@@ -197,153 +181,196 @@ namespace transport
 		}	
 	}
 		
-	void Transports::AddNTCPSession (NTCPSession * session)
+	void Transports::UpdateBandwidth ()
 	{
-		if (session)
-			m_NTCPSessions[session->GetRemoteIdentity ().GetIdentHash ()] = session;
-	}	
-
-	void Transports::RemoveNTCPSession (NTCPSession * session)
-	{
-		if (session)
-			m_NTCPSessions.erase (session->GetRemoteIdentity ().GetIdentHash ());
-	}	
-		
-	void Transports::HandleAccept (NTCPServerConnection * conn, const boost::system::error_code& error)
-	{		
-		if (!error)
+		uint64_t ts = i2p::util::GetMillisecondsSinceEpoch ();
+		if (m_LastBandwidthUpdateTime > 0)
 		{
-			LogPrint ("Connected from ", conn->GetSocket ().remote_endpoint().address ().to_string ());
-			conn->ServerLogin ();
+			auto delta = ts - m_LastBandwidthUpdateTime;
+			if (delta > 0)
+			{
+				m_InBandwidth = (m_TotalReceivedBytes - m_LastInBandwidthUpdateBytes)*1000/delta; // per second 
+				m_OutBandwidth = (m_TotalSentBytes - m_LastOutBandwidthUpdateBytes)*1000/delta; // per second 
+			} 
 		}
-		else
-			delete conn;
-
-		if (error != boost::asio::error::operation_aborted)
-		{
-    		conn = new NTCPServerConnection (m_Service);
-			m_NTCPAcceptor->async_accept(conn->GetSocket (), boost::bind (&Transports::HandleAccept, this, 
-				conn, boost::asio::placeholders::error));
-		}	
+		m_LastBandwidthUpdateTime = ts;
+		m_LastInBandwidthUpdateBytes = m_TotalReceivedBytes;	
+		m_LastOutBandwidthUpdateBytes = m_TotalSentBytes;		
 	}

-	void Transports::HandleAcceptV6 (NTCPServerConnection * conn, const boost::system::error_code& error)
-	{		
-		if (!error)
-		{
-			LogPrint ("Connected from ", conn->GetSocket ().remote_endpoint().address ().to_string ());
-			conn->ServerLogin ();
-		}
-		else
-			delete conn;
-
-		if (error != boost::asio::error::operation_aborted)
-		{
-    		conn = new NTCPServerConnection (m_Service);
-			m_NTCPV6Acceptor->async_accept(conn->GetSocket (), boost::bind (&Transports::HandleAcceptV6, this, 
-				conn, boost::asio::placeholders::error));
-		}	
+	bool Transports::IsBandwidthExceeded () const
+	{
+		if (i2p::context.GetRouterInfo ().IsHighBandwidth ()) return false;
+		return std::max (m_InBandwidth, m_OutBandwidth) > LOW_BANDWIDTH_LIMIT;
 	}

-	NTCPSession * Transports::GetNextNTCPSession ()
+	void Transports::SendMessage (const i2p::data::IdentHash& ident, std::shared_ptr<i2p::I2NPMessage> msg)
 	{
-		for (auto session: m_NTCPSessions)
-			if (session.second->IsEstablished ())
-				return session.second;
-		return 0;
+		SendMessages (ident, std::vector<std::shared_ptr<i2p::I2NPMessage> > {msg });                             
 	}	

-	NTCPSession * Transports::FindNTCPSession (const i2p::data::IdentHash& ident)
+	void Transports::SendMessages (const i2p::data::IdentHash& ident, const std::vector<std::shared_ptr<i2p::I2NPMessage> >& msgs)
 	{
-		auto it = m_NTCPSessions.find (ident);
-		if (it != m_NTCPSessions.end ())
-			return it->second;
-		return 0;
+		m_Service.post (std::bind (&Transports::PostMessages, this, ident, msgs));
 	}	

-	void Transports::SendMessage (const i2p::data::IdentHash& ident, i2p::I2NPMessage * msg)
+	void Transports::PostMessages (i2p::data::IdentHash ident, std::vector<std::shared_ptr<i2p::I2NPMessage> > msgs)
 	{
 		if (ident == i2p::context.GetRouterInfo ().GetIdentHash ())
+		{	
 			// we send it to ourself
-			i2p::HandleI2NPMessage (msg);
-		else
-			m_Service.post (boost::bind (&Transports::PostMessage, this, ident, msg));                             
-	}	
-
-	void Transports::PostMessage (const i2p::data::IdentHash& ident, i2p::I2NPMessage * msg)
-	{
-		auto session = FindNTCPSession (ident);
-		if (session)
-			session->SendI2NPMessage (msg);
-		else
+			for (auto it: msgs)
+				i2p::HandleI2NPMessage (it);
+			return;
+		}	
+		auto it = m_Peers.find (ident);
+		if (it == m_Peers.end ())
 		{
-			auto r = netdb.FindRouter (ident);
-			if (r)
-			{	
-				auto ssuSession = m_SSUServer ? m_SSUServer->FindSession (r.get ()) : nullptr;
-				if (ssuSession)
-					ssuSession->SendI2NPMessage (msg);
-				else
-				{	
-					// existing session not found. create new 
-					// try NTCP first if message size < 16K
-					auto address = r->GetNTCPAddress (!context.SupportsV6 ()); 
-					if (address && !r->UsesIntroducer () && !r->IsUnreachable () && msg->GetLength () < NTCP_MAX_MESSAGE_SIZE)
-					{	
-						auto s = new NTCPClient (m_Service, address->host, address->port, r);
-						AddNTCPSession (s);
-						s->SendI2NPMessage (msg);
-					}	
-					else
-					{	
-						// then SSU					
-						auto s = m_SSUServer ? m_SSUServer->GetSession (r) : nullptr;
-						if (s)
-							s->SendI2NPMessage (msg);
-						else
+			bool connected = false; 
+			try
+			{
+				auto r = netdb.FindRouter (ident);
+				it = m_Peers.insert (std::pair<i2p::data::IdentHash, Peer>(ident, { 0, r, {},
+					i2p::util::GetSecondsSinceEpoch () })).first;
+				connected = ConnectToPeer (ident, it->second);
+			}
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "Transports::PostMessages ", ex.what ());
+			}
+			if (!connected) return;
+		}	
+		if (!it->second.sessions.empty ())
+			it->second.sessions.front ()->SendI2NPMessages (msgs);
+		else
+		{	
+			for (auto it1: msgs)
+				it->second.delayedMessages.push_back (it1);
+		}	
+	}	
+		
+	bool Transports::ConnectToPeer (const i2p::data::IdentHash& ident, Peer& peer)
+	{
+		if (peer.router) // we have RI already
+		{	
+			if (!peer.numAttempts) // NTCP
+			{
+				peer.numAttempts++;
+				auto address = peer.router->GetNTCPAddress (!context.SupportsV6 ());
+				if (address)
+				{
+#if BOOST_VERSION >= 104900
+					if (!address->host.is_unspecified ()) // we have address now
+#else
+					boost::system::error_code ecode;
+					address->host.to_string (ecode);
+					if (!ecode)
+#endif
+					{
+						if (!peer.router->UsesIntroducer () && !peer.router->IsUnreachable ())
+						{	
+							auto s = std::make_shared<NTCPSession> (*m_NTCPServer, peer.router);
+							m_NTCPServer->Connect (address->host, address->port, s);
+							return true;
+						}
+					}
+					else // we don't have address
+					{
+						if (address->addressString.length () > 0) // trying to resolve
 						{
-							LogPrint ("No NTCP and SSU addresses available");
-							DeleteI2NPMessage (msg); 
+							LogPrint (eLogInfo, "Resolving ", address->addressString);
+							NTCPResolve (address->addressString, ident);
+							return true;
 						}
 					}
 				}	
 			}
+			else  if (peer.numAttempts == 1)// SSU
+			{
+				peer.numAttempts++;
+				if (m_SSUServer)
+				{	
+					if (m_SSUServer->GetSession (peer.router))
+						return true;
+				}
+			}	
+			LogPrint (eLogError, "No NTCP and SSU addresses available");
+			peer.Done ();
+			m_Peers.erase (ident);
+			return false;
+		}	
+		else // otherwise request RI
+		{
+			LogPrint ("Router not found. Requested");
+			i2p::data::netdb.RequestDestination (ident, std::bind (
+				&Transports::RequestComplete, this, std::placeholders::_1, ident));
+		}	
+		return true;
+	}	
+	
+	void Transports::RequestComplete (std::shared_ptr<const i2p::data::RouterInfo> r, const i2p::data::IdentHash& ident)
+	{
+		m_Service.post (std::bind (&Transports::HandleRequestComplete, this, r, ident));
+	}		
+	
+	void Transports::HandleRequestComplete (std::shared_ptr<const i2p::data::RouterInfo> r, const i2p::data::IdentHash& ident)
+	{
+		auto it = m_Peers.find (ident);
+		if (it != m_Peers.end ())
+		{	
+			if (r)
+			{
+				LogPrint ("Router found. Trying to connect");
+				it->second.router = r;
+				ConnectToPeer (ident, it->second);
+			}	
 			else
 			{
-				LogPrint ("Router not found. Requested");
-				i2p::data::netdb.RequestDestination (ident);
-				auto resendTimer = new boost::asio::deadline_timer (m_Service);
-				resendTimer->expires_from_now (boost::posix_time::seconds(5)); // 5 seconds
-				resendTimer->async_wait (boost::bind (&Transports::HandleResendTimer,
-					this, boost::asio::placeholders::error, resendTimer, ident, msg));			
+				LogPrint ("Router not found. Failed to send messages");
+				m_Peers.erase (it);
 			}	
 		}	
 	}	

-	void Transports::HandleResendTimer (const boost::system::error_code& ecode, 
-		boost::asio::deadline_timer * timer, const i2p::data::IdentHash& ident, i2p::I2NPMessage * msg)
+	void Transports::NTCPResolve (const std::string& addr, const i2p::data::IdentHash& ident)
 	{
-		auto r = netdb.FindRouter (ident);
-		if (r)
+		auto resolver = std::make_shared<boost::asio::ip::tcp::resolver>(m_Service);
+		resolver->async_resolve (boost::asio::ip::tcp::resolver::query (addr, ""), 
+			std::bind (&Transports::HandleNTCPResolve, this, 
+				std::placeholders::_1, std::placeholders::_2, ident, resolver));
+	}
+
+	void Transports::HandleNTCPResolve (const boost::system::error_code& ecode, boost::asio::ip::tcp::resolver::iterator it, 
+		i2p::data::IdentHash ident, std::shared_ptr<boost::asio::ip::tcp::resolver> resolver)
+	{
+		auto it1 = m_Peers.find (ident);
+		if (it1 != m_Peers.end ())
 		{
-			LogPrint ("Router found. Sending message");
-			PostMessage (ident, msg);
-		}	
-		else
-		{
-			LogPrint ("Router not found. Failed to send message");
-			DeleteI2NPMessage (msg);
-		}	
-		delete timer;
-	}	
-		
-	void Transports::CloseSession (const i2p::data::RouterInfo * router)
+			auto& peer = it1->second;
+			if (!ecode && peer.router)
+			{
+				auto address = (*it).endpoint ().address ();
+				LogPrint (eLogInfo, (*it).host_name (), " has been resolved to ", address);
+				auto addr = peer.router->GetNTCPAddress ();
+				if (addr)
+				{
+					auto s = std::make_shared<NTCPSession> (*m_NTCPServer, peer.router);
+					m_NTCPServer->Connect (address, addr->port, s);
+					return;
+				}	
+			}
+			LogPrint (eLogError, "Unable to resolve NTCP address: ", ecode.message ());
+			m_Peers.erase (it1);
+		}
+	}
+
+	void Transports::CloseSession (std::shared_ptr<const i2p::data::RouterInfo> router)
 	{
 		if (!router) return;
-		m_Service.post (boost::bind (&Transports::PostCloseSession, this, router));    
+		m_Service.post (std::bind (&Transports::PostCloseSession, this, router));    
 	}	

-	void Transports::PostCloseSession (const i2p::data::RouterInfo * router)
+	void Transports::PostCloseSession (std::shared_ptr<const i2p::data::RouterInfo> router)
 	{
 		auto ssuSession = m_SSUServer ? m_SSUServer->FindSession (router) : nullptr;
 		if (ssuSession) // try SSU first
@@ -356,23 +383,133 @@ namespace transport
 		
 	void Transports::DetectExternalIP ()
 	{
-		for (int i = 0; i < 5; i++)
+		if (m_SSUServer)
 		{
-			auto router = i2p::data::netdb.GetRandomRouter ();
-			if (router && router->IsSSU () && m_SSUServer)
-				m_SSUServer->GetSession (router, true);  // peer test	
-		}	
+			i2p::context.SetStatus (eRouterStatusTesting);
+			for (int i = 0; i < 5; i++)
+			{
+				auto router = i2p::data::netdb.GetRandomPeerTestRouter ();
+				if (router  && router->IsSSU ())
+					m_SSUServer->GetSession (router, true);  // peer test	
+				else
+				{
+					// if not peer test capable routers found pick any
+					router = i2p::data::netdb.GetRandomRouter ();
+					if (router && router->IsSSU ())
+						m_SSUServer->GetSession (router);  	// no peer test
+				}
+			}	
+		}
+		else
+			LogPrint (eLogError, "Can't detect external IP. SSU is not available");
 	}
-			
-	DHKeysPair * Transports::GetNextDHKeysPair ()
+
+	void Transports::PeerTest ()
+	{
+		if (m_SSUServer)
+		{
+			bool statusChanged = false;
+			for (int i = 0; i < 5; i++)
+			{
+				auto router = i2p::data::netdb.GetRandomPeerTestRouter ();
+				if (router && router->IsSSU ())
+				{	
+					if (!statusChanged)
+					{	
+						statusChanged = true;
+						i2p::context.SetStatus (eRouterStatusTesting); // first time only
+					}	
+					m_SSUServer->GetSession (router, true);  // peer test	
+				}	
+			}	
+		}
+	}	
+		
+	std::shared_ptr<i2p::crypto::DHKeys> Transports::GetNextDHKeysPair ()
 	{
 		return m_DHKeysPairSupplier.Acquire ();
 	}

-	void Transports::ReuseDHKeysPair (DHKeysPair * pair)
+	void Transports::ReuseDHKeysPair (std::shared_ptr<i2p::crypto::DHKeys> pair)
 	{
 		m_DHKeysPairSupplier.Return (pair);
 	}
+
+	void Transports::PeerConnected (std::shared_ptr<TransportSession> session)
+	{
+		m_Service.post([session, this]()
+		{   
+			if (!session->GetRemoteIdentity ()) return;
+			auto ident = session->GetRemoteIdentity ()->GetIdentHash ();
+			auto it = m_Peers.find (ident);
+			if (it != m_Peers.end ())
+			{
+				it->second.sessions.push_back (session);
+				session->SendI2NPMessages (it->second.delayedMessages);
+				it->second.delayedMessages.clear ();
+			}
+			else // incoming connection
+				m_Peers.insert (std::make_pair (ident, Peer{ 0, nullptr, { session }, i2p::util::GetSecondsSinceEpoch () }));
+		});			
+	}
+		
+	void Transports::PeerDisconnected (std::shared_ptr<TransportSession> session)
+	{
+		m_Service.post([session, this]()
+		{  
+			if (!session->GetRemoteIdentity ()) return;
+			auto ident = session->GetRemoteIdentity ()->GetIdentHash ();
+			auto it = m_Peers.find (ident);
+			if (it != m_Peers.end ())
+			{
+				it->second.sessions.remove (session);
+				if (it->second.sessions.empty ()) // TODO: why?
+				{	
+					if (it->second.delayedMessages.size () > 0)
+						ConnectToPeer (ident, it->second);
+					else
+						m_Peers.erase (it);
+				}
+			}
+		});	
+	}	
+
+	bool Transports::IsConnected (const i2p::data::IdentHash& ident) const
+	{
+		auto it = m_Peers.find (ident);
+		return it != m_Peers.end ();
+	}	
+		
+	void Transports::HandlePeerCleanupTimer (const boost::system::error_code& ecode)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+		{
+			auto ts = i2p::util::GetSecondsSinceEpoch ();
+			for (auto it = m_Peers.begin (); it != m_Peers.end (); )
+			{
+				if (it->second.sessions.empty () && ts > it->second.creationTime + SESSION_CREATION_TIMEOUT)
+				{
+					LogPrint (eLogError, "Session to peer ", it->first.ToBase64 (), " has not been created in ", SESSION_CREATION_TIMEOUT, " seconds");
+					it = m_Peers.erase (it);
+				}
+				else
+					it++;
+			}
+			UpdateBandwidth (); // TODO: use separate timer(s) for it
+			if (i2p::context.GetStatus () == eRouterStatusTesting) // if still testing,  repeat peer test
+				DetectExternalIP ();
+			m_PeerCleanupTimer.expires_from_now (boost::posix_time::seconds(5*SESSION_CREATION_TIMEOUT));
+			m_PeerCleanupTimer.async_wait (std::bind (&Transports::HandlePeerCleanupTimer, this, std::placeholders::_1));
+		}	
+	}
+
+	std::shared_ptr<const i2p::data::RouterInfo> Transports::GetRandomPeer () const
+	{
+		if (!m_Peers.size ()) return nullptr;
+		auto it = m_Peers.begin ();
+		std::advance (it, rand () % m_Peers.size ());	
+		return it != m_Peers.end () ? it->second.router : nullptr;
+	}
 }
 }

--- a/Transports.h
+++ b/Transports.h
@@ -6,9 +6,11 @@
 #include <condition_variable>
 #include <functional>
 #include <map>
+#include <vector>
 #include <queue>
 #include <string>
-#include <cryptopp/osrng.h>
+#include <memory>
+#include <atomic>
 #include <boost/asio.hpp>
 #include "TransportSession.h"
 #include "NTCPSession.h"
@@ -29,8 +31,8 @@ namespace transport
 			~DHKeysPairSupplier ();
 			void Start ();
 			void Stop ();
-			DHKeysPair * Acquire ();
-			void Return (DHKeysPair * pair);
+			std::shared_ptr<i2p::crypto::DHKeys> Acquire ();
+			void Return (std::shared_ptr<i2p::crypto::DHKeys> pair);

 		private:

@@ -40,15 +42,31 @@ namespace transport
 		private:

 			const int m_QueueSize;
-			std::queue<DHKeysPair *> m_Queue;
+			std::queue<std::shared_ptr<i2p::crypto::DHKeys> > m_Queue;

 			bool m_IsRunning;
 			std::thread * m_Thread;	
 			std::condition_variable m_Acquired;
 			std::mutex m_AcquiredMutex;
-			CryptoPP::AutoSeededRandomPool m_Rnd;
 	};

+	struct Peer
+	{
+		int numAttempts;
+		std::shared_ptr<const i2p::data::RouterInfo> router;
+		std::list<std::shared_ptr<TransportSession> > sessions;
+		uint64_t creationTime;
+		std::vector<std::shared_ptr<i2p::I2NPMessage> > delayedMessages;
+
+		void Done ()
+		{
+			for (auto it: sessions)
+				it->Done ();
+		}	
+	};	
+	
+	const size_t SESSION_CREATION_TIMEOUT = 10; // in seconds
+	const uint32_t LOW_BANDWIDTH_LIMIT = 32*1024; // 32KBs
 	class Transports
 	{
 		public:
@@ -60,28 +78,44 @@ namespace transport
 			void Stop ();
 			
 			boost::asio::io_service& GetService () { return m_Service; };
-			i2p::transport::DHKeysPair * GetNextDHKeysPair ();	
-			void ReuseDHKeysPair (DHKeysPair * pair);
+			std::shared_ptr<i2p::crypto::DHKeys> GetNextDHKeysPair ();	
+			void ReuseDHKeysPair (std::shared_ptr<i2p::crypto::DHKeys> pair);

-			void AddNTCPSession (NTCPSession * session);
-			void RemoveNTCPSession (NTCPSession * session);
+			void SendMessage (const i2p::data::IdentHash& ident, std::shared_ptr<i2p::I2NPMessage> msg);
+			void SendMessages (const i2p::data::IdentHash& ident, const std::vector<std::shared_ptr<i2p::I2NPMessage> >& msgs);
+			void CloseSession (std::shared_ptr<const i2p::data::RouterInfo> router);
+
+			void PeerConnected (std::shared_ptr<TransportSession> session);
+			void PeerDisconnected (std::shared_ptr<TransportSession> session);
+			bool IsConnected (const i2p::data::IdentHash& ident) const;
 			
-			NTCPSession * GetNextNTCPSession ();
-			NTCPSession * FindNTCPSession (const i2p::data::IdentHash& ident);
+			void UpdateSentBytes (uint64_t numBytes) { m_TotalSentBytes += numBytes; };
+			void UpdateReceivedBytes (uint64_t numBytes) { m_TotalReceivedBytes += numBytes; };
+			uint64_t GetTotalSentBytes () const { return m_TotalSentBytes; };
+			uint64_t GetTotalReceivedBytes () const { return m_TotalReceivedBytes; };		
+			uint32_t GetInBandwidth () const { return m_InBandwidth; }; // bytes per second
+			uint32_t GetOutBandwidth () const { return m_OutBandwidth; }; // bytes per second
+			bool IsBandwidthExceeded () const;
+			size_t GetNumPeers () const { return m_Peers.size (); };
+			std::shared_ptr<const i2p::data::RouterInfo> GetRandomPeer () const;

-			void SendMessage (const i2p::data::IdentHash& ident, i2p::I2NPMessage * msg);
-			void CloseSession (const i2p::data::RouterInfo * router);
+			void PeerTest ();
 			
 		private:

 			void Run ();
-			void HandleAccept (NTCPServerConnection * conn, const boost::system::error_code& error);
-			void HandleAcceptV6 (NTCPServerConnection * conn, const boost::system::error_code& error);
-			void HandleResendTimer (const boost::system::error_code& ecode, boost::asio::deadline_timer * timer,
-				const i2p::data::IdentHash& ident, i2p::I2NPMessage * msg);
-			void PostMessage (const i2p::data::IdentHash& ident, i2p::I2NPMessage * msg);
-			void PostCloseSession (const i2p::data::RouterInfo * router);
-			
+			void RequestComplete (std::shared_ptr<const i2p::data::RouterInfo> r, const i2p::data::IdentHash& ident);
+			void HandleRequestComplete (std::shared_ptr<const i2p::data::RouterInfo> r, const i2p::data::IdentHash& ident);
+			void PostMessages (i2p::data::IdentHash ident, std::vector<std::shared_ptr<i2p::I2NPMessage> > msgs);
+			void PostCloseSession (std::shared_ptr<const i2p::data::RouterInfo> router);
+			bool ConnectToPeer (const i2p::data::IdentHash& ident, Peer& peer);
+			void HandlePeerCleanupTimer (const boost::system::error_code& ecode);			
+
+			void NTCPResolve (const std::string& addr, const i2p::data::IdentHash& ident);
+			void HandleNTCPResolve (const boost::system::error_code& ecode, boost::asio::ip::tcp::resolver::iterator it,
+ 				i2p::data::IdentHash ident, std::shared_ptr<boost::asio::ip::tcp::resolver> resolver);
+
+			void UpdateBandwidth ();
 			void DetectExternalIP ();
 			
 		private:
@@ -90,18 +124,25 @@ namespace transport
 			std::thread * m_Thread;	
 			boost::asio::io_service m_Service;
 			boost::asio::io_service::work m_Work;
-			boost::asio::ip::tcp::acceptor * m_NTCPAcceptor, * m_NTCPV6Acceptor;
+			boost::asio::deadline_timer m_PeerCleanupTimer;

-			std::map<i2p::data::IdentHash, NTCPSession *> m_NTCPSessions;
+			NTCPServer * m_NTCPServer;
 			SSUServer * m_SSUServer;
-
+			std::map<i2p::data::IdentHash, Peer> m_Peers;
+			
 			DHKeysPairSupplier m_DHKeysPairSupplier;

+			std::atomic<uint64_t> m_TotalSentBytes, m_TotalReceivedBytes;
+			uint32_t m_InBandwidth, m_OutBandwidth;
+			uint64_t m_LastInBandwidthUpdateBytes, m_LastOutBandwidthUpdateBytes;	
+			uint64_t m_LastBandwidthUpdateTime;		
+
 		public:

 			// for HTTP only
-			const decltype(m_NTCPSessions)& GetNTCPSessions () const { return m_NTCPSessions; };
+			const NTCPServer * GetNTCPServer () const { return m_NTCPServer; };
 			const SSUServer * GetSSUServer () const { return m_SSUServer; };
+			const decltype(m_Peers)& GetPeers () const { return m_Peers; };
 	};	

 	extern Transports transports;
--- a/Tunnel.cpp
+++ b/Tunnel.cpp
@@ -1,8 +1,9 @@
+#include <string.h>
 #include "I2PEndian.h"
 #include <thread>
 #include <algorithm>
 #include <vector> 
-#include <cryptopp/sha.h>
+#include <openssl/rand.h>
 #include "RouterContext.h"
 #include "Log.h"
 #include "Timestamp.h"
@@ -16,24 +17,23 @@ namespace i2p
 namespace tunnel
 {		
 	
-	Tunnel::Tunnel (TunnelConfig * config): 
-		m_Config (config), m_Pool (nullptr), m_State (eTunnelStatePending)
+	Tunnel::Tunnel (std::shared_ptr<const TunnelConfig> config): 
+		TunnelBase (config->GetTunnelID (), config->GetNextTunnelID (), config->GetNextIdentHash ()),
+		m_Config (config), m_Pool (nullptr), m_State (eTunnelStatePending), m_IsRecreated (false)
 	{
 	}	

 	Tunnel::~Tunnel ()
 	{
-		delete m_Config;
 	}	

-	void Tunnel::Build (uint32_t replyMsgID, OutboundTunnel * outboundTunnel)
+	void Tunnel::Build (uint32_t replyMsgID, std::shared_ptr<OutboundTunnel> outboundTunnel)
 	{
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
 		auto numHops = m_Config->GetNumHops ();
 		int numRecords = numHops <= STANDARD_NUM_RECORDS ? STANDARD_NUM_RECORDS : numHops; 
-		I2NPMessage * msg = NewI2NPMessage ();
+		auto msg = NewI2NPShortMessage ();
 		*msg->GetPayload () = numRecords;
-		msg->len += numRecords*sizeof (I2NPBuildRequestRecordElGamalEncrypted) + 1;		
+		msg->len += numRecords*TUNNEL_BUILD_RECORD_SIZE + 1;		

 		// shuffle records
 		std::vector<int> recordIndicies;
@@ -41,22 +41,18 @@ namespace tunnel
 		std::random_shuffle (recordIndicies.begin(), recordIndicies.end());

 		// create real records
-		I2NPBuildRequestRecordElGamalEncrypted * records = (I2NPBuildRequestRecordElGamalEncrypted *)(msg->GetPayload () + 1); 
+		uint8_t * records = msg->GetPayload () + 1; 
 		TunnelHopConfig * hop = m_Config->GetFirstHop ();
 		int i = 0;
 		while (hop)
 		{
+			uint32_t msgID;
+			if (hop->next) // we set replyMsgID for last hop only 
+				RAND_bytes ((uint8_t *)&msgID, 4);
+			else
+				msgID = replyMsgID;
 			int idx = recordIndicies[i];
-			EncryptBuildRequestRecord (*hop->router,
-				CreateBuildRequestRecord (hop->router->GetIdentHash (), 
-				    hop->tunnelID,
-					hop->nextRouter->GetIdentHash (), 
-					hop->nextTunnelID,
-					hop->layerKey, hop->ivKey,                  
-					hop->replyKey, hop->replyIV,
-					hop->next ? rnd.GenerateWord32 () : replyMsgID, // we set replyMsgID for last hop only
-				    hop->isGateway, hop->isEndpoint), 
-		    	records[idx]);
+			hop->CreateBuildRequestRecord (records + idx*TUNNEL_BUILD_RECORD_SIZE, msgID); 
 			hop->recordIndex = idx; 
 			i++;
 			hop = hop->next;
@@ -65,7 +61,7 @@ namespace tunnel
 		for (int i = numHops; i < numRecords; i++)
 		{
 			int idx = recordIndicies[i];
-			rnd.GenerateBlock ((uint8_t *)(records + idx), sizeof (records[idx])); 
+			RAND_bytes (records + idx*TUNNEL_BUILD_RECORD_SIZE, TUNNEL_BUILD_RECORD_SIZE); 
 		}	

 		// decrypt real records
@@ -79,20 +75,19 @@ namespace tunnel
 			while (hop1)
 			{	
 				decryption.SetIV (hop->replyIV);
-				decryption.Decrypt((uint8_t *)&records[hop1->recordIndex], 
-					sizeof (I2NPBuildRequestRecordElGamalEncrypted), 
-				    (uint8_t *)&records[hop1->recordIndex]);
+				uint8_t * record = records + hop1->recordIndex*TUNNEL_BUILD_RECORD_SIZE;
+				decryption.Decrypt(record, TUNNEL_BUILD_RECORD_SIZE, record);
 				hop1 = hop1->next;
 			}	
 			hop = hop->prev;
 		}	
-		FillI2NPMessageHeader (msg, eI2NPVariableTunnelBuild);
+		msg->FillI2NPMessageHeader (eI2NPVariableTunnelBuild);

 		// send message
 		if (outboundTunnel)
-			outboundTunnel->SendTunnelDataMsg (GetNextIdentHash (), 0, msg);	
+			outboundTunnel->SendTunnelDataMsg (GetNextIdentHash (), 0, ToSharedI2NPMessage (msg));	
 		else
-			i2p::transport::transports.SendMessage (GetNextIdentHash (), msg);
+			i2p::transport::transports.SendMessage (GetNextIdentHash (), ToSharedI2NPMessage (msg));
 	}	
 		
 	bool Tunnel::HandleTunnelBuildResponse (uint8_t * msg, size_t len)
@@ -111,9 +106,9 @@ namespace tunnel
 				auto idx = hop1->recordIndex;
 				if (idx >= 0 && idx < msg[0])
 				{	
-					uint8_t * record = msg + 1 + idx*sizeof (I2NPBuildResponseRecord);
+					uint8_t * record = msg + 1 + idx*TUNNEL_BUILD_RECORD_SIZE;
 					decryption.SetIV (hop->replyIV);
-					decryption.Decrypt(record, sizeof (I2NPBuildResponseRecord), record);
+					decryption.Decrypt(record, TUNNEL_BUILD_RECORD_SIZE, record);
 				}	
 				else
 					LogPrint ("Tunnel hop index ", idx, " is out of range");
@@ -126,47 +121,84 @@ namespace tunnel
 		hop = m_Config->GetFirstHop ();
 		while (hop)
 		{			
-			I2NPBuildResponseRecord * record = (I2NPBuildResponseRecord *)(msg + 1 + hop->recordIndex*sizeof (I2NPBuildResponseRecord));
-			LogPrint ("Ret code=", (int)record->ret);
-			if (record->ret) 
+			const uint8_t * record = msg + 1 + hop->recordIndex*TUNNEL_BUILD_RECORD_SIZE;
+			uint8_t ret = record[BUILD_RESPONSE_RECORD_RET_OFFSET];
+			LogPrint ("Ret code=", (int)ret);
+			auto profile = i2p::data::netdb.FindRouterProfile (hop->ident->GetIdentHash ());
+			if (profile)
+				profile->TunnelBuildResponse (ret);
+			if (ret) 
 				// if any of participants declined the tunnel is not established
 				established = false; 
 			hop = hop->next;
 		}
 		if (established) 
 		{
-			// change reply keys to layer keys
-			hop = m_Config->GetFirstHop ();
+			// create tunnel decryptions from layer and iv keys in reverse order
+			hop = m_Config->GetLastHop ();
 			while (hop)
 			{
-				hop->decryption.SetKeys (hop->layerKey, hop->ivKey);
-				hop = hop->next;
+				auto tunnelHop = new TunnelHop;
+				tunnelHop->ident = hop->ident;
+				tunnelHop->decryption.SetKeys (hop->layerKey, hop->ivKey);
+				m_Hops.push_back (std::unique_ptr<TunnelHop>(tunnelHop));
+				hop = hop->prev;
 			}	
+			m_Config = nullptr;
 		}	
 		if (established) m_State = eTunnelStateEstablished;
 		return established;
 	}	

-	void Tunnel::EncryptTunnelMsg (I2NPMessage * tunnelMsg)
+	void Tunnel::EncryptTunnelMsg (std::shared_ptr<const I2NPMessage> in, std::shared_ptr<I2NPMessage> out)
 	{
-		uint8_t * payload = tunnelMsg->GetPayload () + 4;
-		TunnelHopConfig * hop = m_Config->GetLastHop (); 
-		while (hop)
-		{	
-			hop->decryption.Decrypt (payload);
-			hop = hop->prev;
-		}
-	}	
-	
-	void InboundTunnel::HandleTunnelDataMsg (I2NPMessage * msg)
-	{
-		if (IsFailed ()) SetState (eTunnelStateEstablished); // incoming messages means a tunnel is alive			
-		msg->from = this;
-		EncryptTunnelMsg (msg);
-		m_Endpoint.HandleDecryptedTunnelDataMsg (msg);	
+		const uint8_t * inPayload = in->GetPayload () + 4;
+		uint8_t * outPayload = out->GetPayload () + 4;
+		for (auto& it: m_Hops)
+		{
+			it->decryption.Decrypt (inPayload, outPayload);
+			inPayload = outPayload;	
+		}	
 	}	

-	void OutboundTunnel::SendTunnelDataMsg (const uint8_t * gwHash, uint32_t gwTunnel, i2p::I2NPMessage * msg)
+	void Tunnel::SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg)
+	{
+		LogPrint (eLogInfo, "Can't send I2NP messages without delivery instructions");	
+	}	
+
+	std::vector<std::shared_ptr<const i2p::data::IdentityEx> > Tunnel::GetPeers () const
+	{
+		auto peers = GetInvertedPeers ();
+		std::reverse (peers.begin (), peers.end ());	
+		return peers;
+	}	
+
+	std::vector<std::shared_ptr<const i2p::data::IdentityEx> > Tunnel::GetInvertedPeers () const
+	{
+		// hops are in inverted order
+		std::vector<std::shared_ptr<const i2p::data::IdentityEx> > ret;
+		for (auto& it: m_Hops)
+			ret.push_back (it->ident);
+		return ret;	
+	}	
+		
+	void InboundTunnel::HandleTunnelDataMsg (std::shared_ptr<const I2NPMessage> msg)
+	{
+		if (IsFailed ()) SetState (eTunnelStateEstablished); // incoming messages means a tunnel is alive	
+		auto newMsg = CreateEmptyTunnelDataMsg ();
+		EncryptTunnelMsg (msg, newMsg);
+		newMsg->from = shared_from_this ();
+		m_Endpoint.HandleDecryptedTunnelDataMsg (newMsg);	
+	}	
+
+	void InboundTunnel::Print (std::stringstream& s) const
+	{
+		s << "-->" << i2p::data::GetIdentHashAbbreviation (GetNextIdentHash ()) << ":" << GetNextTunnelID ();
+		s << "-->" << (GetNumHops () - 1) << " hops ";
+		s << GetTunnelID () << ":me";
+	}	
+		
+	void OutboundTunnel::SendTunnelDataMsg (const uint8_t * gwHash, uint32_t gwTunnel, std::shared_ptr<i2p::I2NPMessage> msg)
 	{
 		TunnelMessageBlock block;
 		if (gwHash)
@@ -196,36 +228,32 @@ namespace tunnel
 		m_Gateway.SendBuffer ();
 	}	
 	
+	void OutboundTunnel::HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg)
+	{
+		LogPrint (eLogError, "Incoming message for outbound tunnel ", GetTunnelID ());
+	}
+
+	void OutboundTunnel::Print (std::stringstream& s) const
+	{
+		s << "me-->" << i2p::data::GetIdentHashAbbreviation (GetNextIdentHash ()) << ":" << GetNextTunnelID ();
+		s << "-->" << (GetNumHops () - 1) << " hops-->";
+	}	
+		
 	Tunnels tunnels;
 	
-	Tunnels::Tunnels (): m_IsRunning (false), m_Thread (nullptr), m_ExploratoryPool (nullptr)
+	Tunnels::Tunnels (): m_IsRunning (false), m_Thread (nullptr),
+		m_NumSuccesiveTunnelCreations (0), m_NumFailedTunnelCreations (0)
 	{
 	}
 	
 	Tunnels::~Tunnels ()	
 	{
-		for (auto& it : m_OutboundTunnels)
-			delete it;
-		m_OutboundTunnels.clear ();
-
-		for (auto& it : m_InboundTunnels)
-			delete it.second;
-		m_InboundTunnels.clear ();
-		
 		for (auto& it : m_TransitTunnels)
 			delete it.second;
 		m_TransitTunnels.clear ();
-
-		/*for (auto& it : m_PendingTunnels)
-			delete it.second;
-		m_PendingTunnels.clear ();*/
-
-		for (auto& it: m_Pools)
-			delete it.second;
-		m_Pools.clear ();
 	}	
 	
-	InboundTunnel * Tunnels::GetInboundTunnel (uint32_t tunnelID)
+	std::shared_ptr<InboundTunnel> Tunnels::GetInboundTunnel (uint32_t tunnelID)
 	{
 		auto it = m_InboundTunnels.find(tunnelID);
 		if (it != m_InboundTunnels.end ())
@@ -240,11 +268,22 @@ namespace tunnel
 			return it->second;
 		return nullptr;
 	}	
-		
-	Tunnel * Tunnels::GetPendingTunnel (uint32_t replyMsgID)
+	
+	std::shared_ptr<InboundTunnel> Tunnels::GetPendingInboundTunnel (uint32_t replyMsgID)
 	{
-		auto it = m_PendingTunnels.find(replyMsgID);
-		if (it != m_PendingTunnels.end () && it->second->GetState () == eTunnelStatePending)
+		return GetPendingTunnel (replyMsgID, m_PendingInboundTunnels);	
+	}
+	
+	std::shared_ptr<OutboundTunnel> Tunnels::GetPendingOutboundTunnel (uint32_t replyMsgID)
+	{
+		return GetPendingTunnel (replyMsgID, m_PendingOutboundTunnels);	
+	}		
+
+	template<class TTunnel>		
+	std::shared_ptr<TTunnel> Tunnels::GetPendingTunnel (uint32_t replyMsgID, const std::map<uint32_t, std::shared_ptr<TTunnel> >& pendingTunnels)
+	{
+		auto it = pendingTunnels.find(replyMsgID);
+		if (it != pendingTunnels.end () && it->second->GetState () == eTunnelStatePending)
 		{	
 			it->second->SetState (eTunnelStateBuildReplyReceived);	
 			return it->second;
@@ -252,11 +291,10 @@ namespace tunnel
 		return nullptr;
 	}	

-	InboundTunnel * Tunnels::GetNextInboundTunnel ()
+	std::shared_ptr<InboundTunnel> Tunnels::GetNextInboundTunnel ()
 	{
-		InboundTunnel * tunnel  = nullptr; 
+		std::shared_ptr<InboundTunnel> tunnel; 
 		size_t minReceived = 0;
-		std::unique_lock<std::mutex> l(m_InboundTunnelsMutex);
 		for (auto it : m_InboundTunnels)
 		{
 			if (!it.second->IsEstablished ()) continue;
@@ -269,12 +307,11 @@ namespace tunnel
 		return tunnel;
 	}
 	
-	OutboundTunnel * Tunnels::GetNextOutboundTunnel ()
+	std::shared_ptr<OutboundTunnel> Tunnels::GetNextOutboundTunnel ()
 	{
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-		uint32_t ind = rnd.GenerateWord32 (0, m_OutboundTunnels.size () - 1), i = 0;
-		OutboundTunnel * tunnel = nullptr;
-		std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);
+		if (!m_OutboundTunnels.size ()) return nullptr;
+		uint32_t ind = rand () % m_OutboundTunnels.size (), i = 0;
+		std::shared_ptr<OutboundTunnel> tunnel;
 		for (auto it: m_OutboundTunnels)
 		{	
 			if (it->IsEstablished ())
@@ -287,28 +324,27 @@ namespace tunnel
 		return tunnel;
 	}	

-	TunnelPool * Tunnels::CreateTunnelPool (i2p::garlic::GarlicDestination& localDestination, int numHops)
+	std::shared_ptr<TunnelPool> Tunnels::CreateTunnelPool (i2p::garlic::GarlicDestination * localDestination, int numInboundHops, int numOutboundHops, int numInboundTunnels, int numOutboundTunnels)
 	{
-		auto pool = new TunnelPool (localDestination, numHops);
+		auto pool = std::make_shared<TunnelPool> (localDestination, numInboundHops, numOutboundHops, numInboundTunnels, numOutboundTunnels);
 		std::unique_lock<std::mutex> l(m_PoolsMutex);
-		m_Pools[pool->GetIdentHash ()] = pool;
+		m_Pools.push_back (pool);
 		return pool;
 	}	

-	void Tunnels::DeleteTunnelPool (TunnelPool * pool)
+	void Tunnels::DeleteTunnelPool (std::shared_ptr<TunnelPool> pool)
 	{
 		if (pool)
 		{	
 			StopTunnelPool (pool);
-			m_Pools.erase (pool->GetLocalDestination ().GetIdentHash ());
-			for (auto it: m_PendingTunnels)
-				if (it.second->GetTunnelPool () == pool)
-					it.second->SetTunnelPool (nullptr);
-			delete pool;
+			{
+				std::unique_lock<std::mutex> l(m_PoolsMutex);
+				m_Pools.remove (pool);
+			}	
 		}	
 	}	

-	void Tunnels::StopTunnelPool (TunnelPool * pool)
+	void Tunnels::StopTunnelPool (std::shared_ptr<TunnelPool> pool)
 	{
 		if (pool)
 		{
@@ -320,7 +356,11 @@ namespace tunnel
 	void Tunnels::AddTransitTunnel (TransitTunnel * tunnel)
 	{
 		std::unique_lock<std::mutex> l(m_TransitTunnelsMutex);
-		m_TransitTunnels[tunnel->GetTunnelID ()] = tunnel;
+		if (!m_TransitTunnels.insert (std::make_pair (tunnel->GetTunnelID (), tunnel)).second)
+		{	
+			LogPrint (eLogError, "Transit tunnel ", tunnel->GetTunnelID (), " already exists");
+			delete tunnel;
+		}
 	}	

 	void Tunnels::Start ()
@@ -350,25 +390,61 @@ namespace tunnel
 		{
 			try
 			{	
-				I2NPMessage * msg = m_Queue.GetNextWithTimeout (1000); // 1 sec
-				while (msg)
-				{
-					uint32_t  tunnelID = be32toh (*(uint32_t *)msg->GetPayload ()); 
-					InboundTunnel * tunnel = GetInboundTunnel (tunnelID);
-					if (tunnel)
-						tunnel->HandleTunnelDataMsg (msg);
-					else
-					{	
-						TransitTunnel * transitTunnel = GetTransitTunnel (tunnelID);
-						if (transitTunnel)
-							transitTunnel->HandleTunnelDataMsg (msg);
-						else	
-						{	
-							LogPrint ("Tunnel ", tunnelID, " not found");
-							i2p::DeleteI2NPMessage (msg);
-						}	
-					}	
-					msg = m_Queue.Get ();
+				auto msg = m_Queue.GetNextWithTimeout (1000); // 1 sec
+				if (msg)
+				{	
+					uint32_t prevTunnelID = 0, tunnelID = 0;
+					TunnelBase * prevTunnel = nullptr; 
+					do
+					{
+						TunnelBase * tunnel = nullptr;
+						uint8_t typeID = msg->GetTypeID ();
+						switch (typeID)
+						{									
+							case eI2NPTunnelData:
+							case eI2NPTunnelGateway:
+							{	
+								tunnelID = bufbe32toh (msg->GetPayload ()); 
+								if (tunnelID == prevTunnelID)
+									tunnel = prevTunnel;
+								else if (prevTunnel)
+									prevTunnel->FlushTunnelDataMsgs (); 
+						
+								if (!tunnel && typeID == eI2NPTunnelData)
+									tunnel = GetInboundTunnel (tunnelID).get ();
+								if (!tunnel)
+									tunnel = GetTransitTunnel (tunnelID);
+								if (tunnel)
+								{
+									if (typeID == eI2NPTunnelData)
+										tunnel->HandleTunnelDataMsg (msg);
+									else // tunnel gateway assumed
+										HandleTunnelGatewayMsg (tunnel, msg);
+								}
+								else		
+									LogPrint (eLogWarning, "Tunnel ", tunnelID, " not found");
+								break;
+							}	
+							case eI2NPVariableTunnelBuild:		
+							case eI2NPVariableTunnelBuildReply:
+							case eI2NPTunnelBuild:
+							case eI2NPTunnelBuildReply:	
+								HandleI2NPMessage (msg->GetBuffer (), msg->GetLength ());
+							break;	
+							default:
+								LogPrint (eLogError, "Unexpected  messsage type ", (int)typeID);
+						}
+							
+						msg = m_Queue.Get ();
+						if (msg)
+						{
+							prevTunnelID = tunnelID;
+							prevTunnel = tunnel;
+						}
+						else if (tunnel)
+							tunnel->FlushTunnelDataMsgs ();
+					}
+					while (msg);
 				}	
 			
 				uint64_t ts = i2p::util::GetSecondsSinceEpoch ();
@@ -385,6 +461,28 @@ namespace tunnel
 		}	
 	}	

+	void Tunnels::HandleTunnelGatewayMsg (TunnelBase * tunnel, std::shared_ptr<I2NPMessage> msg)
+	{
+		if (!tunnel)
+		{
+			LogPrint (eLogError, "Missing tunnel for TunnelGateway");
+			return;
+		}
+		const uint8_t * payload = msg->GetPayload ();
+		uint16_t len = bufbe16toh(payload + TUNNEL_GATEWAY_HEADER_LENGTH_OFFSET);
+		// we make payload as new I2NP message to send
+		msg->offset += I2NP_HEADER_SIZE + TUNNEL_GATEWAY_HEADER_SIZE;
+		msg->len = msg->offset + len;
+		auto typeID = msg->GetTypeID ();
+		LogPrint (eLogDebug, "TunnelGateway of ", (int)len, " bytes for tunnel ", tunnel->GetTunnelID (), ". Msg type ", (int)typeID);
+			
+		if (typeID == eI2NPDatabaseStore || typeID == eI2NPDatabaseSearchReply)
+			// transit DatabaseStore my contain new/updated RI 
+			// or DatabaseSearchReply with new routers
+			i2p::data::netdb.PostI2NPMsg (msg);	
+		tunnel->SendTunnelDataMsg (msg);
+	}
+
 	void Tunnels::ManageTunnels ()
 	{
 		ManagePendingTunnels ();
@@ -395,10 +493,17 @@ namespace tunnel
 	}	

 	void Tunnels::ManagePendingTunnels ()
+	{
+		ManagePendingTunnels (m_PendingInboundTunnels);
+		ManagePendingTunnels (m_PendingOutboundTunnels);
+	}
+
+	template<class PendingTunnels>
+	void Tunnels::ManagePendingTunnels (PendingTunnels& pendingTunnels)
 	{
 		// check pending tunnel. delete failed or timeout
 		uint64_t ts = i2p::util::GetSecondsSinceEpoch ();
-		for (auto it = m_PendingTunnels.begin (); it != m_PendingTunnels.end ();)
+		for (auto it = pendingTunnels.begin (); it != pendingTunnels.end ();)
 		{	
 			auto tunnel = it->second;
 			switch (tunnel->GetState ())
@@ -407,23 +512,42 @@ namespace tunnel
 					if (ts > tunnel->GetCreationTime () + TUNNEL_CREATION_TIMEOUT)
 					{
 						LogPrint ("Pending tunnel build request ", it->first, " timeout. Deleted");
-						delete tunnel;
-						it = m_PendingTunnels.erase (it);
+						// update stats
+						auto config = tunnel->GetTunnelConfig ();
+						if (config)
+						{
+							auto hop = config->GetFirstHop ();
+							while (hop)
+							{
+								if (hop->ident)
+								{
+									auto profile = i2p::data::netdb.FindRouterProfile (hop->ident->GetIdentHash ());
+									if (profile)
+										profile->TunnelNonReplied ();
+								}
+								hop = hop->next;
+							}	
+						}	
+						// delete
+						it = pendingTunnels.erase (it);
+						m_NumFailedTunnelCreations++;
 					}
 					else
 						it++;
 				break;
 				case eTunnelStateBuildFailed:
 					LogPrint ("Pending tunnel build request ", it->first, " failed. Deleted");
-					delete tunnel;
-					it = m_PendingTunnels.erase (it);
+					it = pendingTunnels.erase (it);
+					m_NumFailedTunnelCreations++;
 				break;
 				case eTunnelStateBuildReplyReceived:
-					// intermidiate state, will be either established of build failed
+					// intermediate state, will be either established of build failed
 					it++;
 				break;	
 				default:
-					it = m_PendingTunnels.erase (it);
+					// success
+					it = pendingTunnels.erase (it);
+					m_NumSuccesiveTunnelCreations++;
 			}	
 		}	
 	}
@@ -438,22 +562,25 @@ namespace tunnel
 				if (ts > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
 				{
 					LogPrint ("Tunnel ", tunnel->GetTunnelID (), " expired");
-					{
-						std::unique_lock<std::mutex> l(m_PoolsMutex);
-						auto pool = tunnel->GetTunnelPool ();
-						if (pool)
-							pool->TunnelExpired (tunnel);
-					}	
-					{
-						std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);
-						it = m_OutboundTunnels.erase (it);
-					}
-					delete tunnel;
+					auto pool = tunnel->GetTunnelPool ();
+					if (pool)
+						pool->TunnelExpired (tunnel);
+					it = m_OutboundTunnels.erase (it);
 				}	
 				else 
 				{
-					if (tunnel->IsEstablished () && ts + TUNNEL_EXPIRATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
-						tunnel->SetState (eTunnelStateExpiring);
+					if (tunnel->IsEstablished ())
+					{	
+						if (!tunnel->IsRecreated () && ts + TUNNEL_RECREATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
+						{
+							tunnel->SetIsRecreated ();	
+							auto pool = tunnel->GetTunnelPool ();
+							if (pool)
+								pool->RecreateOutboundTunnel (tunnel);
+						}
+						if (ts + TUNNEL_EXPIRATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
+							tunnel->SetState (eTunnelStateExpiring);
+					}	
 					it++;
 				}
 			}
@@ -462,15 +589,14 @@ namespace tunnel
 		if (m_OutboundTunnels.size () < 5) 
 		{
 			// trying to create one more oubound tunnel
-			InboundTunnel * inboundTunnel = GetNextInboundTunnel ();
-			if (!inboundTunnel) return;
+			auto inboundTunnel = GetNextInboundTunnel ();
+			auto router = i2p::data::netdb.GetRandomRouter ();
+			if (!inboundTunnel || !router) return;
 			LogPrint ("Creating one hop outbound tunnel...");
 			CreateTunnel<OutboundTunnel> (
-			  	new TunnelConfig (std::vector<std::shared_ptr<const i2p::data::RouterInfo> > 
-				    { 
-						i2p::data::netdb.GetRandomRouter ()
-					},		
-		     		inboundTunnel->GetTunnelConfig ()));
+				std::make_shared<TunnelConfig> (std::vector<std::shared_ptr<const i2p::data::IdentityEx> > { router->GetRouterIdentity () },		
+		     		inboundTunnel->GetNextTunnelID (), inboundTunnel->GetNextIdentHash ())
+			                              );
 		}
 	}
 	
@@ -484,22 +610,26 @@ namespace tunnel
 				if (ts > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
 				{
 					LogPrint ("Tunnel ", tunnel->GetTunnelID (), " expired");
-					{
-						std::unique_lock<std::mutex> l(m_PoolsMutex);
-						auto pool = tunnel->GetTunnelPool ();
-						if (pool)
-							pool->TunnelExpired (tunnel);
-					}	
-					{
-						std::unique_lock<std::mutex> l(m_InboundTunnelsMutex);
-						it = m_InboundTunnels.erase (it);
-					}
-					delete tunnel;
+					auto pool = tunnel->GetTunnelPool ();
+					if (pool)
+						pool->TunnelExpired (tunnel);
+					it = m_InboundTunnels.erase (it);
 				}	
 				else 
 				{
-					if (tunnel->IsEstablished () && ts + TUNNEL_EXPIRATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
-						tunnel->SetState (eTunnelStateExpiring);
+					if (tunnel->IsEstablished ())
+					{	
+						if (!tunnel->IsRecreated () && ts + TUNNEL_RECREATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
+						{
+							tunnel->SetIsRecreated ();	
+							auto pool = tunnel->GetTunnelPool ();
+							if (pool)
+								pool->RecreateInboundTunnel (tunnel);
+						}
+	
+						if (ts + TUNNEL_EXPIRATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
+							tunnel->SetState (eTunnelStateExpiring);
+					}	
 					it++;
 				}
 			}
@@ -510,19 +640,18 @@ namespace tunnel
 			LogPrint ("Creating zero hops inbound tunnel...");
 			CreateZeroHopsInboundTunnel ();
 			if (!m_ExploratoryPool)
-				m_ExploratoryPool = CreateTunnelPool (i2p::context, 2); // 2-hop exploratory
+				m_ExploratoryPool = CreateTunnelPool (&i2p::context, 2, 2, 5, 5); // 2-hop exploratory, 5 tunnels
 			return;
 		}
 		
 		if (m_OutboundTunnels.empty () || m_InboundTunnels.size () < 5) 
 		{
-			// trying to create one more inbound tunnel			
+			// trying to create one more inbound tunnel		
+			auto router = i2p::data::netdb.GetRandomRouter ();
 			LogPrint ("Creating one hop inbound tunnel...");
 			CreateTunnel<InboundTunnel> (
-				new TunnelConfig (std::vector<std::shared_ptr<const i2p::data::RouterInfo> >
-				    {              
-						i2p::data::netdb.GetRandomRouter ()
-					}));
+				std::make_shared<TunnelConfig> (std::vector<std::shared_ptr<const i2p::data::IdentityEx> > { router->GetRouterIdentity () })
+			                             );
 		}
 	}	

@@ -533,8 +662,8 @@ namespace tunnel
 		{
 			if (ts > it->second->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
 			{
-				LogPrint ("Transit tunnel ", it->second->GetTunnelID (), " expired");
 				auto tmp = it->second;
+				LogPrint ("Transit tunnel ", tmp->GetTunnelID (), " expired");
 				{
 					std::unique_lock<std::mutex> l(m_TransitTunnelsMutex);
 					it = m_TransitTunnels.erase (it);
@@ -551,8 +680,8 @@ namespace tunnel
 		std::unique_lock<std::mutex> l(m_PoolsMutex);
 		for (auto it: m_Pools)
 		{	
-			TunnelPool * pool = it.second;
-			if (pool->IsActive ())
+			auto pool = it;
+			if (pool && pool->IsActive ())
 			{	
 				pool->CreateTunnels ();
 				pool->TestTunnels ();
@@ -560,24 +689,39 @@ namespace tunnel
 		}
 	}	
 	
-	void Tunnels::PostTunnelData (I2NPMessage * msg)
+	void Tunnels::PostTunnelData (std::shared_ptr<I2NPMessage> msg)
 	{
 		if (msg) m_Queue.Put (msg);		
 	}	

-	template<class TTunnel>
-	TTunnel * Tunnels::CreateTunnel (TunnelConfig * config, OutboundTunnel * outboundTunnel)
+	void Tunnels::PostTunnelData (const std::vector<std::shared_ptr<I2NPMessage> >& msgs)
 	{
-		TTunnel * newTunnel = new TTunnel (config);
-		uint32_t replyMsgID = i2p::context.GetRandomNumberGenerator ().GenerateWord32 ();
-		m_PendingTunnels[replyMsgID] = newTunnel; 
+		m_Queue.Put (msgs);
+	}	
+		
+	template<class TTunnel>
+	std::shared_ptr<TTunnel> Tunnels::CreateTunnel (std::shared_ptr<TunnelConfig> config, std::shared_ptr<OutboundTunnel> outboundTunnel)
+	{
+		auto newTunnel = std::make_shared<TTunnel> (config);
+		uint32_t replyMsgID;
+		RAND_bytes ((uint8_t *)&replyMsgID, 4);
+		AddPendingTunnel (replyMsgID, newTunnel); 
 		newTunnel->Build (replyMsgID, outboundTunnel);
 		return newTunnel;
 	}	

-	void Tunnels::AddOutboundTunnel (OutboundTunnel * newTunnel)
+	void Tunnels::AddPendingTunnel (uint32_t replyMsgID, std::shared_ptr<InboundTunnel> tunnel)
+	{
+		m_PendingInboundTunnels[replyMsgID] = tunnel; 
+	}
+
+	void Tunnels::AddPendingTunnel (uint32_t replyMsgID, std::shared_ptr<OutboundTunnel> tunnel)
+	{
+		m_PendingOutboundTunnels[replyMsgID] = tunnel; 
+	}
+
+	void Tunnels::AddOutboundTunnel (std::shared_ptr<OutboundTunnel> newTunnel)
 	{
-		std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);
 		m_OutboundTunnels.push_back (newTunnel);
 		auto pool = newTunnel->GetTunnelPool ();
 		if (pool && pool->IsActive ())
@@ -586,15 +730,16 @@ namespace tunnel
 			newTunnel->SetTunnelPool (nullptr);
 	}	

-	void Tunnels::AddInboundTunnel (InboundTunnel * newTunnel)
+	void Tunnels::AddInboundTunnel (std::shared_ptr<InboundTunnel> newTunnel)
 	{
-		std::unique_lock<std::mutex> l(m_InboundTunnelsMutex);
 		m_InboundTunnels[newTunnel->GetTunnelID ()] = newTunnel;
 		auto pool = newTunnel->GetTunnelPool ();
 		if (!pool)
 		{		
 			// build symmetric outbound tunnel
-			CreateTunnel<OutboundTunnel> (newTunnel->GetTunnelConfig ()->Invert (), GetNextOutboundTunnel ());		
+			CreateTunnel<OutboundTunnel> (std::make_shared<TunnelConfig>(newTunnel->GetInvertedPeers (),
+					newTunnel->GetNextTunnelID (), newTunnel->GetNextIdentHash ()), 
+				GetNextOutboundTunnel ());		
 		}
 		else
 		{
@@ -609,10 +754,23 @@ namespace tunnel
 	void Tunnels::CreateZeroHopsInboundTunnel ()
 	{
 		CreateTunnel<InboundTunnel> (
-			new TunnelConfig (std::vector<std::shared_ptr<const i2p::data::RouterInfo> >
+			std::make_shared<TunnelConfig> (std::vector<std::shared_ptr<const i2p::data::IdentityEx> >
 			    { 
-					i2p::context.GetSharedRouterInfo ()
+					i2p::context.GetIdentity ()
 				}));
 	}	
+
+	int Tunnels::GetTransitTunnelsExpirationTimeout ()
+	{
+		int timeout = 0;
+		uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
+		std::unique_lock<std::mutex> l(m_TransitTunnelsMutex);
+		for (auto it: m_TransitTunnels)
+		{
+			int t = it.second->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT - ts;
+			if (t > timeout) timeout = t;
+		}	
+		return timeout;
+	}	
 }
 }
--- a/Tunnel.h
+++ b/Tunnel.h
@@ -8,7 +8,9 @@
 #include <string>
 #include <thread>
 #include <mutex>
+#include <memory>
 #include "Queue.h"
+#include "Crypto.h"
 #include "TunnelConfig.h"
 #include "TunnelPool.h"
 #include "TransitTunnel.h"
@@ -23,6 +25,7 @@ namespace tunnel
 {	
 	const int TUNNEL_EXPIRATION_TIMEOUT = 660; // 11 minutes	
 	const int TUNNEL_EXPIRATION_THRESHOLD = 60; // 1 minute	
+	const int TUNNEL_RECREATION_THRESHOLD = 90; // 1.5 minutes	
 	const int TUNNEL_CREATION_TIMEOUT = 30; // 30 seconds
 	const int STANDARD_NUM_RECORDS = 5; // in VariableTunnelBuild message

@@ -41,67 +44,80 @@ namespace tunnel
 	class InboundTunnel;
 	class Tunnel: public TunnelBase
 	{
+		struct TunnelHop
+		{
+			std::shared_ptr<const i2p::data::IdentityEx> ident;
+			i2p::crypto::TunnelDecryption decryption;
+		};	
+		
 		public:

-			Tunnel (TunnelConfig * config);
+			Tunnel (std::shared_ptr<const TunnelConfig> config);
 			~Tunnel ();

-			void Build (uint32_t replyMsgID, OutboundTunnel * outboundTunnel = 0);
+			void Build (uint32_t replyMsgID, std::shared_ptr<OutboundTunnel> outboundTunnel = nullptr);
 			
-			TunnelConfig * GetTunnelConfig () const { return m_Config; }
+			std::shared_ptr<const TunnelConfig> GetTunnelConfig () const { return m_Config; }
+			std::vector<std::shared_ptr<const i2p::data::IdentityEx> > GetPeers () const; 
+			std::vector<std::shared_ptr<const i2p::data::IdentityEx> > GetInvertedPeers () const; 
 			TunnelState GetState () const { return m_State; };
 			void SetState (TunnelState state)  { m_State = state; };
+			int GetNumHops () const { return m_Hops.size (); }
 			bool IsEstablished () const { return m_State == eTunnelStateEstablished; };
 			bool IsFailed () const { return m_State == eTunnelStateFailed; };
+			bool IsRecreated () const { return m_IsRecreated; };
+			void SetIsRecreated () { m_IsRecreated = true; };

-			TunnelPool * GetTunnelPool () const { return m_Pool; };
-			void SetTunnelPool (TunnelPool * pool) { m_Pool = pool; };			
+			std::shared_ptr<TunnelPool> GetTunnelPool () const { return m_Pool; };
+			void SetTunnelPool (std::shared_ptr<TunnelPool> pool) { m_Pool = pool; };			
 			
 			bool HandleTunnelBuildResponse (uint8_t * msg, size_t len);
 			
 			// implements TunnelBase
-			void EncryptTunnelMsg (I2NPMessage * tunnelMsg); 
-			uint32_t GetNextTunnelID () const { return m_Config->GetFirstHop ()->tunnelID; };
-			const i2p::data::IdentHash& GetNextIdentHash () const { return m_Config->GetFirstHop ()->router->GetIdentHash (); };
-			
+			void SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg);
+			void EncryptTunnelMsg (std::shared_ptr<const I2NPMessage> in, std::shared_ptr<I2NPMessage> out); 
+					
 		private:

-			TunnelConfig * m_Config;
-			TunnelPool * m_Pool; // pool, tunnel belongs to, or null
+			std::shared_ptr<const TunnelConfig> m_Config;
+			std::vector<std::unique_ptr<TunnelHop> > m_Hops;
+			std::shared_ptr<TunnelPool> m_Pool; // pool, tunnel belongs to, or null
 			TunnelState m_State;
+			bool m_IsRecreated;
 	};	

 	class OutboundTunnel: public Tunnel 
 	{
 		public:

-			OutboundTunnel (TunnelConfig * config): Tunnel (config), m_Gateway (this) {};
+			OutboundTunnel (std::shared_ptr<const TunnelConfig> config): 
+				Tunnel (config), m_Gateway (this), m_EndpointIdentHash (config->GetLastIdentHash ()) {};

-			void SendTunnelDataMsg (const uint8_t * gwHash, uint32_t gwTunnel, i2p::I2NPMessage * msg);
+			void SendTunnelDataMsg (const uint8_t * gwHash, uint32_t gwTunnel, std::shared_ptr<i2p::I2NPMessage> msg);
 			void SendTunnelDataMsg (const std::vector<TunnelMessageBlock>& msgs); // multiple messages
-			std::shared_ptr<const i2p::data::RouterInfo> GetEndpointRouter () const 
-				{ return GetTunnelConfig ()->GetLastHop ()->router; }; 
+			const i2p::data::IdentHash& GetEndpointIdentHash () const { return m_EndpointIdentHash; }; 
 			size_t GetNumSentBytes () const { return m_Gateway.GetNumSentBytes (); };
-
+			void Print (std::stringstream& s) const;
+			
 			// implements TunnelBase
-			uint32_t GetTunnelID () const { return GetNextTunnelID (); };
+			void HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg);
 			
 		private:

 			std::mutex m_SendMutex;
 			TunnelGateway m_Gateway; 
+			i2p::data::IdentHash m_EndpointIdentHash;
 	};
 	
-	class InboundTunnel: public Tunnel 
+	class InboundTunnel: public Tunnel, public std::enable_shared_from_this<InboundTunnel>
 	{
 		public:

-			InboundTunnel (TunnelConfig * config): Tunnel (config), m_Endpoint (true) {};
-			void HandleTunnelDataMsg (I2NPMessage * msg);
+			InboundTunnel (std::shared_ptr<const TunnelConfig> config): Tunnel (config), m_Endpoint (true) {};
+			void HandleTunnelDataMsg (std::shared_ptr<const I2NPMessage> msg);
 			size_t GetNumReceivedBytes () const { return m_Endpoint.GetNumReceivedBytes (); };
-
-			// implements TunnelBase
-			uint32_t GetTunnelID () const { return GetTunnelConfig ()->GetLastHop ()->nextTunnelID; };
+			void Print (std::stringstream& s) const;
+			
 		private:

 			TunnelEndpoint m_Endpoint; 
@@ -117,30 +133,42 @@ namespace tunnel
 			void Start ();
 			void Stop ();		
 			
-			InboundTunnel * GetInboundTunnel (uint32_t tunnelID);
-			Tunnel * GetPendingTunnel (uint32_t replyMsgID);
-			InboundTunnel * GetNextInboundTunnel ();
-			OutboundTunnel * GetNextOutboundTunnel ();
-			TunnelPool * GetExploratoryPool () const { return m_ExploratoryPool; };
+			std::shared_ptr<InboundTunnel> GetInboundTunnel (uint32_t tunnelID);
+			std::shared_ptr<InboundTunnel> GetPendingInboundTunnel (uint32_t replyMsgID);	
+			std::shared_ptr<OutboundTunnel> GetPendingOutboundTunnel (uint32_t replyMsgID);			
+			std::shared_ptr<InboundTunnel> GetNextInboundTunnel ();
+			std::shared_ptr<OutboundTunnel> GetNextOutboundTunnel ();
+			std::shared_ptr<TunnelPool> GetExploratoryPool () const { return m_ExploratoryPool; };
 			TransitTunnel * GetTransitTunnel (uint32_t tunnelID);
+			int GetTransitTunnelsExpirationTimeout ();
 			void AddTransitTunnel (TransitTunnel * tunnel);
-			void AddOutboundTunnel (OutboundTunnel * newTunnel);
-			void AddInboundTunnel (InboundTunnel * newTunnel);
-			void PostTunnelData (I2NPMessage * msg);
+			void AddOutboundTunnel (std::shared_ptr<OutboundTunnel> newTunnel);
+			void AddInboundTunnel (std::shared_ptr<InboundTunnel> newTunnel);
+			void PostTunnelData (std::shared_ptr<I2NPMessage> msg);
+			void PostTunnelData (const std::vector<std::shared_ptr<I2NPMessage> >& msgs);
 			template<class TTunnel>
-			TTunnel * CreateTunnel (TunnelConfig * config, OutboundTunnel * outboundTunnel = 0);
-			TunnelPool * CreateTunnelPool (i2p::garlic::GarlicDestination& localDestination, int numHops);
-			void DeleteTunnelPool (TunnelPool * pool);
-			void StopTunnelPool (TunnelPool * pool);
+			std::shared_ptr<TTunnel> CreateTunnel (std::shared_ptr<TunnelConfig> config, std::shared_ptr<OutboundTunnel> outboundTunnel = nullptr);
+			void AddPendingTunnel (uint32_t replyMsgID, std::shared_ptr<InboundTunnel> tunnel);
+			void AddPendingTunnel (uint32_t replyMsgID, std::shared_ptr<OutboundTunnel> tunnel);
+			std::shared_ptr<TunnelPool> CreateTunnelPool (i2p::garlic::GarlicDestination * localDestination, int numInboundHops, int numOuboundHops, int numInboundTunnels, int numOutboundTunnels);
+			void DeleteTunnelPool (std::shared_ptr<TunnelPool> pool);
+			void StopTunnelPool (std::shared_ptr<TunnelPool> pool);
 			
 		private:
-			
+		
+			template<class TTunnel>
+			std::shared_ptr<TTunnel> GetPendingTunnel (uint32_t replyMsgID, const std::map<uint32_t, std::shared_ptr<TTunnel> >& pendingTunnels);			
+
+			void HandleTunnelGatewayMsg (TunnelBase * tunnel, std::shared_ptr<I2NPMessage> msg);
+
 			void Run ();	
 			void ManageTunnels ();
 			void ManageOutboundTunnels ();
 			void ManageInboundTunnels ();
 			void ManageTransitTunnels ();
 			void ManagePendingTunnels ();
+			template<class PendingTunnels>
+			void ManagePendingTunnels (PendingTunnels& pendingTunnels);
 			void ManageTunnelPools ();
 			
 			void CreateZeroHopsInboundTunnel ();
@@ -149,17 +177,19 @@ namespace tunnel

 			bool m_IsRunning;
 			std::thread * m_Thread;	
-			std::map<uint32_t, Tunnel *> m_PendingTunnels; // by replyMsgID
-			std::mutex m_InboundTunnelsMutex;
-			std::map<uint32_t, InboundTunnel *> m_InboundTunnels;
-			std::mutex m_OutboundTunnelsMutex;
-			std::list<OutboundTunnel *> m_OutboundTunnels;
+			std::map<uint32_t, std::shared_ptr<InboundTunnel> > m_PendingInboundTunnels; // by replyMsgID
+			std::map<uint32_t, std::shared_ptr<OutboundTunnel> > m_PendingOutboundTunnels; // by replyMsgID
+			std::map<uint32_t, std::shared_ptr<InboundTunnel> > m_InboundTunnels;
+			std::list<std::shared_ptr<OutboundTunnel> > m_OutboundTunnels;
 			std::mutex m_TransitTunnelsMutex;
 			std::map<uint32_t, TransitTunnel *> m_TransitTunnels;
 			std::mutex m_PoolsMutex;
-			std::map<i2p::data::IdentHash, TunnelPool *> m_Pools;
-			TunnelPool * m_ExploratoryPool;
-			i2p::util::Queue<I2NPMessage> m_Queue;
+			std::list<std::shared_ptr<TunnelPool>> m_Pools;
+			std::shared_ptr<TunnelPool> m_ExploratoryPool;
+			i2p::util::Queue<std::shared_ptr<I2NPMessage> > m_Queue;
+
+			// some stats
+			int m_NumSuccesiveTunnelCreations, m_NumFailedTunnelCreations;

 		public:

@@ -167,6 +197,12 @@ namespace tunnel
 			const decltype(m_OutboundTunnels)& GetOutboundTunnels () const { return m_OutboundTunnels; };
 			const decltype(m_InboundTunnels)& GetInboundTunnels () const { return m_InboundTunnels; };
 			const decltype(m_TransitTunnels)& GetTransitTunnels () const { return m_TransitTunnels; };
+			int GetQueueSize () { return m_Queue.GetSize (); };
+			int GetTunnelCreationSuccessRate () const // in percents
+			{ 
+				int totalNum = m_NumSuccesiveTunnelCreations + m_NumFailedTunnelCreations;
+				return totalNum ? m_NumSuccesiveTunnelCreations*100/totalNum : 0;
+			}		
 	};	

 	extern Tunnels tunnels;
--- a/TunnelBase.h
+++ b/TunnelBase.h
@@ -2,6 +2,7 @@
 #define TUNNEL_BASE_H__

 #include <inttypes.h>
+#include <memory>
 #include "Timestamp.h"
 #include "I2NPProtocol.h"
 #include "Identity.h"
@@ -25,33 +26,39 @@ namespace tunnel
 		TunnelDeliveryType deliveryType;
 		i2p::data::IdentHash hash;	
 		uint32_t tunnelID;
-		I2NPMessage * data;
+		std::shared_ptr<I2NPMessage> data;
 	};

 	class TunnelBase
 	{
 		public:

-			//WARNING!!! GetSecondsSinceEpoch() return uint64_t
-			TunnelBase (): m_CreationTime (i2p::util::GetSecondsSinceEpoch ()) {};
+			TunnelBase (uint32_t tunnelID, uint32_t nextTunnelID, i2p::data::IdentHash nextIdent): 
+				m_TunnelID (tunnelID), m_NextTunnelID (nextTunnelID), m_NextIdent (nextIdent),
+				m_CreationTime (i2p::util::GetSecondsSinceEpoch ()) {};
 			virtual ~TunnelBase () {};
 			
-			virtual void EncryptTunnelMsg (I2NPMessage * tunnelMsg) = 0;
-			virtual uint32_t GetNextTunnelID () const = 0;
-			virtual const i2p::data::IdentHash& GetNextIdentHash () const = 0;
-			virtual uint32_t GetTunnelID () const = 0; // as known at our side
+			virtual void HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg) = 0;
+			virtual void SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg) = 0;
+			virtual void FlushTunnelDataMsgs () {};
+			virtual void EncryptTunnelMsg (std::shared_ptr<const I2NPMessage> in, std::shared_ptr<I2NPMessage> out) = 0;
+			uint32_t GetNextTunnelID () const { return m_NextTunnelID; };
+			const i2p::data::IdentHash& GetNextIdentHash () const { return m_NextIdent; };
+			virtual uint32_t GetTunnelID () const { return m_TunnelID; }; // as known at our side

 			uint32_t GetCreationTime () const { return m_CreationTime; };
 			void SetCreationTime (uint32_t t) { m_CreationTime = t; };

 		private:
-			
+
+			uint32_t m_TunnelID, m_NextTunnelID;
+			i2p::data::IdentHash m_NextIdent;
 			uint32_t m_CreationTime; // seconds since epoch
 	};	

 	struct TunnelCreationTimeCmp
 	{
-		bool operator() (const TunnelBase * t1, const TunnelBase * t2) const
+		bool operator() (std::shared_ptr<const TunnelBase> t1, std::shared_ptr<const TunnelBase> t2) const
  		{	
 			if (t1->GetCreationTime () != t2->GetCreationTime ())
 				return t1->GetCreationTime () > t2->GetCreationTime (); 
--- a/TunnelConfig.h
+++ b/TunnelConfig.h
@@ -5,9 +5,11 @@
 #include <sstream>
 #include <vector>
 #include <memory>
-#include "aes.h"
-#include "RouterInfo.h"
+#include <openssl/rand.h>
+#include "Crypto.h"
+#include "Identity.h"
 #include "RouterContext.h"
+#include "Timestamp.h"

 namespace i2p
 {
@@ -15,7 +17,8 @@ namespace tunnel
 {
 	struct TunnelHopConfig
 	{
-		std::shared_ptr<const i2p::data::RouterInfo> router, nextRouter;
+		std::shared_ptr<const i2p::data::IdentityEx> ident;
+		i2p::data::IdentHash nextIdent;
 		uint32_t tunnelID, nextTunnelID;
 		uint8_t layerKey[32];
 		uint8_t ivKey[32];
@@ -24,19 +27,17 @@ namespace tunnel
 		bool isGateway, isEndpoint;	
 		
 		TunnelHopConfig * next, * prev;
-		i2p::crypto::TunnelDecryption decryption;	
 		int recordIndex; // record # in tunnel build message
 		
-		TunnelHopConfig (std::shared_ptr<const i2p::data::RouterInfo> r)
+		TunnelHopConfig (std::shared_ptr<const i2p::data::IdentityEx> r)
 		{
-			CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-			rnd.GenerateBlock (layerKey, 32);
-			rnd.GenerateBlock (ivKey, 32);
-			rnd.GenerateBlock (replyIV, 16);
-			tunnelID = rnd.GenerateWord32 ();
+			RAND_bytes (layerKey, 32);
+			RAND_bytes (ivKey, 32);
+			RAND_bytes (replyIV, 16);
+			RAND_bytes ((uint8_t *)&tunnelID, 4);
 			isGateway = true;
 			isEndpoint = true;
-			router = r; 
+			ident = r; 
 			//nextRouter = nullptr; 
 			nextTunnelID = 0;

@@ -44,18 +45,17 @@ namespace tunnel
 			prev = nullptr;
 		}	

-		void SetNextRouter (std::shared_ptr<const i2p::data::RouterInfo> r)
+		void SetNextIdent (const i2p::data::IdentHash& ident)
 		{
-			nextRouter = r;
+			nextIdent = ident;
 			isEndpoint = false;
-			CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-			nextTunnelID = rnd.GenerateWord32 ();
+			RAND_bytes ((uint8_t *)&nextTunnelID, 4);
 		}	

-		void SetReplyHop (const TunnelHopConfig * replyFirstHop)
+		void SetReplyHop (uint32_t replyTunnelID, const i2p::data::IdentHash& replyIdent)
 		{
-			nextRouter = replyFirstHop->router;
-			nextTunnelID = replyFirstHop->tunnelID;
+			nextIdent = replyIdent;
+			nextTunnelID = replyTunnelID;
 			isEndpoint = true;
 		}
 		
@@ -67,7 +67,7 @@ namespace tunnel
 				next->prev = this;
 				next->isGateway = false;
 				isEndpoint = false;
-				nextRouter = next->router;
+				nextIdent = next->ident->GetIdentHash ();
 				nextTunnelID = next->tunnelID;
 			}	
 		}
@@ -82,35 +82,47 @@ namespace tunnel
 				isGateway = false;
 			}	
 		}
+
+		void CreateBuildRequestRecord (uint8_t * record, uint32_t replyMsgID) const
+		{
+			uint8_t clearText[BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE];
+			htobe32buf (clearText + BUILD_REQUEST_RECORD_RECEIVE_TUNNEL_OFFSET, tunnelID); 
+			memcpy (clearText + BUILD_REQUEST_RECORD_OUR_IDENT_OFFSET, ident->GetIdentHash (), 32);
+			htobe32buf (clearText + BUILD_REQUEST_RECORD_NEXT_TUNNEL_OFFSET, nextTunnelID);
+			memcpy (clearText + BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET, nextIdent, 32);
+			memcpy (clearText + BUILD_REQUEST_RECORD_LAYER_KEY_OFFSET, layerKey, 32);
+			memcpy (clearText + BUILD_REQUEST_RECORD_IV_KEY_OFFSET, ivKey, 32);
+			memcpy (clearText + BUILD_REQUEST_RECORD_REPLY_KEY_OFFSET, replyKey, 32);
+			memcpy (clearText + BUILD_REQUEST_RECORD_REPLY_IV_OFFSET, replyIV, 16);
+			uint8_t flag = 0;
+			if (isGateway) flag |= 0x80;
+			if (isEndpoint) flag |= 0x40;
+			clearText[BUILD_REQUEST_RECORD_FLAG_OFFSET] = flag;
+			htobe32buf (clearText + BUILD_REQUEST_RECORD_REQUEST_TIME_OFFSET, i2p::util::GetHoursSinceEpoch ()); 
+			htobe32buf (clearText + BUILD_REQUEST_RECORD_SEND_MSG_ID_OFFSET, replyMsgID); 
+			// TODO: fill padding
+			i2p::crypto::ElGamalEncryption elGamalEncryption (ident->GetEncryptionPublicKey ());
+			elGamalEncryption.Encrypt (clearText, BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE, record + BUILD_REQUEST_RECORD_ENCRYPTED_OFFSET);
+			memcpy (record + BUILD_REQUEST_RECORD_TO_PEER_OFFSET, (const uint8_t *)ident->GetIdentHash (), 16);
+		}	
 	};	

-	class TunnelConfig
+	class TunnelConfig: public std::enable_shared_from_this<TunnelConfig>
 	{
 		public:			
 			
-
-			TunnelConfig (std::vector<std::shared_ptr<const i2p::data::RouterInfo> > peers, 
-				const TunnelConfig * replyTunnelConfig = nullptr) // replyTunnelConfig=nullptr means inbound
+			TunnelConfig (std::vector<std::shared_ptr<const i2p::data::IdentityEx> > peers) // inbound
 			{
-				TunnelHopConfig * prev = nullptr;
-				for (auto it: peers)
-				{
-					auto hop = new TunnelHopConfig (it);
-					if (prev)
-						prev->SetNext (hop);
-					else	
-						m_FirstHop = hop;
-					prev = hop;
-				}	
-				m_LastHop = prev;
-				
-				if (replyTunnelConfig) // outbound
-				{
-					m_FirstHop->isGateway = false;
-					m_LastHop->SetReplyHop (replyTunnelConfig->GetFirstHop ());
-				}	
-				else // inbound
-					m_LastHop->SetNextRouter (i2p::context.GetSharedRouterInfo ());
+				CreatePeers (peers);
+				m_LastHop->SetNextIdent (i2p::context.GetIdentHash ());
+			}
+
+			TunnelConfig (std::vector<std::shared_ptr<const i2p::data::IdentityEx> > peers, 
+				uint32_t replyTunnelID, const i2p::data::IdentHash& replyIdent) // outbound
+			{
+				CreatePeers (peers);
+				m_FirstHop->isGateway = false;
+				m_LastHop->SetReplyHop (replyTunnelID, replyIdent);
 			}
 			
 			~TunnelConfig ()
@@ -147,15 +159,51 @@ namespace tunnel
 				return num;
 			}

+			bool IsInbound () const { return m_FirstHop->isGateway; }
+
+			uint32_t GetTunnelID () const 
+			{	
+				if (!m_FirstHop) return 0;
+				return IsInbound () ? m_LastHop->nextTunnelID : m_FirstHop->tunnelID; 
+			}
+
+			uint32_t GetNextTunnelID () const 
+			{	
+				if (!m_FirstHop) return 0;
+				return m_FirstHop->tunnelID; 
+			}
+
+			const i2p::data::IdentHash& GetNextIdentHash () const 
+			{ 
+				return m_FirstHop->ident->GetIdentHash (); 
+			}	
+
+			const i2p::data::IdentHash& GetLastIdentHash () const 
+			{ 
+				return m_LastHop->ident->GetIdentHash (); 
+			}	
+			
+			std::vector<std::shared_ptr<const i2p::data::IdentityEx> > GetPeers () const
+			{
+				std::vector<std::shared_ptr<const i2p::data::IdentityEx> > peers;
+				TunnelHopConfig * hop = m_FirstHop;		
+				while (hop)
+				{
+					peers.push_back (hop->ident);
+					hop = hop->next;
+				}	
+				return peers;
+			}
+
 			void Print (std::stringstream& s) const
 			{
 				TunnelHopConfig * hop = m_FirstHop;
-				if (!m_FirstHop->isGateway)
+				if (!IsInbound ()) // outbound
 					s << "me";
 				s << "-->" << m_FirstHop->tunnelID;
 				while (hop)
 				{
-					s << ":" << hop->router->GetIdentHashAbbreviation () << "-->"; 
+					s << ":" << GetIdentHashAbbreviation (hop->ident->GetIdentHash ()) << "-->"; 
 					if (!hop->isEndpoint)
 						s << hop->nextTunnelID;
 					else
@@ -165,46 +213,6 @@ namespace tunnel
 				// we didn't reach enpoint that mean we are last hop
 				s << ":me";	
 			}
-
-			TunnelConfig * Invert () const
-			{
-				TunnelConfig * newConfig = new TunnelConfig ();
-				TunnelHopConfig * hop = m_FirstHop, * nextNewHop = nullptr;
-				while (hop)
-				{
-					TunnelHopConfig * newHop = new TunnelHopConfig (hop->router);
-					if (nextNewHop)
-						newHop->SetNext (nextNewHop);
-					nextNewHop = newHop;
-					newHop->isEndpoint = hop->isGateway;
-					newHop->isGateway = hop->isEndpoint;
-					
-					if (!hop->prev) // first hop
-					{	
-						newConfig->m_LastHop = newHop; 
-						if (hop->isGateway) // inbound tunnel
-							newHop->SetReplyHop (m_FirstHop); // use it as reply tunnel
-						else
-							newHop->SetNextRouter (i2p::context.GetSharedRouterInfo ());
-					}	
-					if (!hop->next) newConfig->m_FirstHop = newHop; // last hop
-									
-					hop = hop->next;
-				}	
-				return newConfig;
-			}
-
-			TunnelConfig * Clone (const TunnelConfig * replyTunnelConfig = nullptr) const
-			{
-				std::vector<std::shared_ptr<const i2p::data::RouterInfo> > peers;
-				TunnelHopConfig * hop = m_FirstHop;
-				while (hop)
-				{
-					peers.push_back (hop->router);
-					hop = hop->next;
-				}	
-				return new TunnelConfig (peers, replyTunnelConfig);
-			}	
 			
 		private:

@@ -212,6 +220,22 @@ namespace tunnel
 			TunnelConfig (): m_FirstHop (nullptr), m_LastHop (nullptr)
 			{
 			}
+
+			template<class Peers>
+			void CreatePeers (const Peers& peers)
+			{
+				TunnelHopConfig * prev = nullptr;
+				for (auto it: peers)
+				{
+					auto hop = new TunnelHopConfig (it);
+					if (prev)
+						prev->SetNext (hop);
+					else	
+						m_FirstHop = hop;
+					prev = hop;
+				}	
+				m_LastHop = prev;
+			}
 			
 		private:

--- a/TunnelEndpoint.cpp
+++ b/TunnelEndpoint.cpp
@@ -1,5 +1,6 @@
 #include "I2PEndian.h"
 #include <string.h>
+#include <openssl/sha.h>
 #include "Log.h"
 #include "NetDb.h"
 #include "I2NPProtocol.h"
@@ -13,13 +14,9 @@ namespace tunnel
 {
 	TunnelEndpoint::~TunnelEndpoint ()
 	{
-		for (auto it: m_IncompleteMessages)
-			i2p::DeleteI2NPMessage (it.second.data);
-		for (auto it: m_OutOfSequenceFragments)
-			i2p::DeleteI2NPMessage (it.second.data);
 	}	
 	
-	void TunnelEndpoint::HandleDecryptedTunnelDataMsg (I2NPMessage * msg)
+	void TunnelEndpoint::HandleDecryptedTunnelDataMsg (std::shared_ptr<I2NPMessage> msg)
 	{
 		m_NumReceivedBytes += TUNNEL_DATA_MSG_SIZE;
 		
@@ -27,16 +24,14 @@ namespace tunnel
 		uint8_t * zero = (uint8_t *)memchr (decrypted + 4, 0, TUNNEL_DATA_ENCRYPTED_SIZE - 4); // witout 4-byte checksum
 		if (zero)
 		{	
-			LogPrint ("TunnelMessage: zero found at ", (int)(zero-decrypted));
 			uint8_t * fragment = zero + 1;
 			// verify checksum
 			memcpy (msg->GetPayload () + TUNNEL_DATA_MSG_SIZE, msg->GetPayload () + 4, 16); // copy iv to the end
 			uint8_t hash[32];
-			CryptoPP::SHA256().CalculateDigest (hash, fragment, TUNNEL_DATA_MSG_SIZE -(fragment - msg->GetPayload ()) + 16); // payload + iv
+			SHA256(fragment, TUNNEL_DATA_MSG_SIZE -(fragment - msg->GetPayload ()) + 16, hash); // payload + iv
 			if (memcmp (hash, decrypted, 4))
 			{
-				LogPrint ("TunnelMessage: checksum verification failed");
-				i2p::DeleteI2NPMessage (msg);
+				LogPrint (eLogError, "TunnelMessage: checksum verification failed");
 				return;
 			}	
 			// process fragments
@@ -57,17 +52,14 @@ namespace tunnel
 					switch (m.deliveryType)
 					{
 						case eDeliveryTypeLocal: // 0
-							LogPrint ("Delivery type local");
 						break;
 					  	case eDeliveryTypeTunnel: // 1
-							LogPrint ("Delivery type tunnel");	
-							m.tunnelID = be32toh (*(uint32_t *)fragment);
+							m.tunnelID = bufbe32toh (fragment);
 							fragment += 4; // tunnelID
 							m.hash = i2p::data::IdentHash (fragment);
 							fragment += 32; // hash
 						break;
 						case eDeliveryTypeRouter: // 2
-							LogPrint ("Delivery type router");	
 							m.hash = i2p::data::IdentHash (fragment);	
 							fragment += 32; // to hash
 						break;
@@ -79,34 +71,31 @@ namespace tunnel
 					if (isFragmented)
 					{
 						// Message ID
-						msgID = be32toh (*(uint32_t *)fragment); 	
+						msgID = bufbe32toh (fragment); 	
 						fragment += 4;
-						LogPrint ("Fragmented message ", msgID);
 						isLastFragment = false;
 					}	
 				}
 				else
 				{
 					// follow on
-					msgID = be32toh (*(uint32_t *)fragment); // MessageID			
+					msgID = bufbe32toh (fragment); // MessageID			
 					fragment += 4; 
 					fragmentNum = (flag >> 1) & 0x3F; // 6 bits
 					isLastFragment = flag & 0x01;
-					LogPrint ("Follow on fragment ", fragmentNum, " of message ", msgID, isLastFragment ? " last" : " non-last");
 				}	
 				
-				uint16_t size = be16toh (*(uint16_t *)fragment);
+				uint16_t size = bufbe16toh (fragment);
 				fragment += 2;
-				LogPrint ("Fragment size=", (int)size);

 				msg->offset = fragment - msg->buf;
 				msg->len = msg->offset + size;
 				if (fragment + size < decrypted + TUNNEL_DATA_ENCRYPTED_SIZE)
 				{
 					// this is not last message. we have to copy it
-					m.data = NewI2NPMessage ();
-					m.data->offset += sizeof (TunnelGatewayHeader); // reserve room for TunnelGateway header
-					m.data->len += sizeof (TunnelGatewayHeader);
+					m.data = ToSharedI2NPMessage (NewI2NPShortMessage ());
+					m.data->offset += TUNNEL_GATEWAY_HEADER_SIZE; // reserve room for TunnelGateway header
+					m.data->len += TUNNEL_GATEWAY_HEADER_SIZE;
 					*(m.data) = *msg;
 				}
 				else
@@ -121,9 +110,11 @@ namespace tunnel
 						if (!isFollowOnFragment) // create new incomlete message
 						{
 							m.nextFragmentNum = 1;
-							auto& msg = m_IncompleteMessages[msgID];
-							msg = m;
-							HandleOutOfSequenceFragment (msgID, msg);
+							auto ret = m_IncompleteMessages.insert (std::pair<uint32_t, TunnelMessageBlockEx>(msgID, m));
+							if (ret.second)
+								HandleOutOfSequenceFragment (msgID, ret.first->second);
+							else
+								LogPrint (eLogError, "Incomplete message ", msgID, "already exists");
 						}
 						else
 						{
@@ -131,18 +122,15 @@ namespace tunnel
 							HandleFollowOnFragment (msgID, isLastFragment, m);
 						}	
 					}
-					else
-						LogPrint ("Message is fragmented, but msgID is not presented");
+					else	
+						LogPrint (eLogError, "Message is fragmented, but msgID is not presented");
 				}	
 					
 				fragment += size;
 			}	
 		}	
 		else
-		{	
-			LogPrint ("TunnelMessage: zero not found");
-			i2p::DeleteI2NPMessage (msg);	
-		}	
+			LogPrint (eLogError, "TunnelMessage: zero not found");
 	}	

 	void TunnelEndpoint::HandleFollowOnFragment (uint32_t msgID, bool isLastFragment, const TunnelMessageBlockEx& m)
@@ -155,8 +143,15 @@ namespace tunnel
 			auto& msg = it->second;
 			if (m.nextFragmentNum == msg.nextFragmentNum)
 			{
-				if (msg.data->len + size < I2NP_MAX_MESSAGE_SIZE) // check if messega is not too long
+				if (msg.data->len + size < I2NP_MAX_MESSAGE_SIZE) // check if message is not too long
 				{	
+					if (msg.data->len + size > msg.data->maxLen)
+					{
+						LogPrint (eLogInfo, "Tunnel endpoint I2NP message size ", msg.data->maxLen, " is not enough");
+						auto newMsg = ToSharedI2NPMessage (NewI2NPMessage ());
+						*newMsg = *(msg.data);
+						msg.data = newMsg;
+					}
 					memcpy (msg.data->buf + msg.data->len, fragment, size); // concatenate fragment
 					msg.data->len += size;
 					if (isLastFragment)
@@ -173,32 +168,28 @@ namespace tunnel
 				}
 				else
 				{
-					LogPrint ("Fragment ", m.nextFragmentNum, " of message ", msgID, "exceeds max I2NP message size. Message dropped");
-					i2p::DeleteI2NPMessage (msg.data);
+					LogPrint (eLogError, "Fragment ", m.nextFragmentNum, " of message ", msgID, "exceeds max I2NP message size. Message dropped");
 					m_IncompleteMessages.erase (it);
 				}
-				i2p::DeleteI2NPMessage (m.data);
 			}
 			else
 			{	
-				LogPrint ("Unexpected fragment ", (int)m.nextFragmentNum, " instead ", (int)msg.nextFragmentNum, " of message ", msgID, ". Saved");
+				LogPrint (eLogInfo, "Unexpected fragment ", (int)m.nextFragmentNum, " instead ", (int)msg.nextFragmentNum, " of message ", msgID, ". Saved");
 				AddOutOfSequenceFragment (msgID, m.nextFragmentNum, isLastFragment, m.data);
 			}
 		}
 		else
 		{	
-			LogPrint ("First fragment of message ", msgID, " not found. Saved");
+			LogPrint (eLogInfo, "First fragment of message ", msgID, " not found. Saved");
 			AddOutOfSequenceFragment (msgID, m.nextFragmentNum, isLastFragment, m.data);
 		}	
 	}	

-	void TunnelEndpoint::AddOutOfSequenceFragment (uint32_t msgID, uint8_t fragmentNum, bool isLastFragment, I2NPMessage * data)
+	void TunnelEndpoint::AddOutOfSequenceFragment (uint32_t msgID, uint8_t fragmentNum, bool isLastFragment, std::shared_ptr<I2NPMessage> data)
 	{
 		auto it = m_OutOfSequenceFragments.find (msgID);
 		if (it == m_OutOfSequenceFragments.end ())
 			m_OutOfSequenceFragments.insert (std::pair<uint32_t, Fragment> (msgID, {fragmentNum, isLastFragment, data}));	
-		else
-			i2p::DeleteI2NPMessage (data);
 	}	

 	void TunnelEndpoint::HandleOutOfSequenceFragment (uint32_t msgID, TunnelMessageBlockEx& msg)
@@ -208,8 +199,15 @@ namespace tunnel
 		{
 			if (it->second.fragmentNum == msg.nextFragmentNum)
 			{
-				LogPrint ("Out-of-sequence fragment ", (int)it->second.fragmentNum, " of message ", msgID, " found");
+				LogPrint (eLogInfo, "Out-of-sequence fragment ", (int)it->second.fragmentNum, " of message ", msgID, " found");
 				auto size = it->second.data->GetLength ();
+				if (msg.data->len + size > msg.data->maxLen)
+				{
+					LogPrint (eLogInfo, "Tunnel endpoint I2NP message size ", msg.data->maxLen, " is not enough");
+					auto newMsg = ToSharedI2NPMessage (NewI2NPMessage ());
+					*newMsg = *(msg.data);
+					msg.data = newMsg;
+				}
 				memcpy (msg.data->buf + msg.data->len, it->second.data->GetBuffer (), size); // concatenate out-of-sync fragment
 				msg.data->len += size;
 				if (it->second.isLastFragment)
@@ -220,7 +218,6 @@ namespace tunnel
 				}	
 				else
 					msg.nextFragmentNum++;
-				i2p::DeleteI2NPMessage (it->second.data);
 				m_OutOfSequenceFragments.erase (it);
 			}	
 		}	
@@ -228,7 +225,7 @@ namespace tunnel
 	
 	void TunnelEndpoint::HandleNextMessage (const TunnelMessageBlock& msg)
 	{
-		LogPrint ("TunnelMessage: handle fragment of ", msg.data->GetLength ()," bytes. Msg type ", (int)msg.data->GetHeader()->typeID);
+		LogPrint (eLogInfo, "TunnelMessage: handle fragment of ", msg.data->GetLength ()," bytes. Msg type ", (int)msg.data->GetTypeID ());
 		switch (msg.deliveryType)
 		{
 			case eDeliveryTypeLocal:
@@ -245,25 +242,18 @@ namespace tunnel
 					// to somebody else
 					if (!m_IsInbound) // outbound transit tunnel
 					{
-						if (msg.data->GetHeader()->typeID == eI2NPDatabaseStore ||
-						    msg.data->GetHeader()->typeID == eI2NPDatabaseSearchReply )
-						{
+					/*	auto typeID = msg.data->GetTypeID ();
+						if (typeID == eI2NPDatabaseStore || typeID == eI2NPDatabaseSearchReply )
 							// catch RI or reply with new list of routers
-							auto ds = NewI2NPMessage ();
-							*ds = *(msg.data);
-							i2p::data::netdb.PostI2NPMsg (ds);
-						}
+							i2p::data::netdb.PostI2NPMsg (msg.data);*/
 						i2p::transport::transports.SendMessage (msg.hash, msg.data);
 					}
 					else // we shouldn't send this message. possible leakage 
-					{
-						LogPrint ("Message to another router arrived from an inbound tunnel. Dropped");
-						i2p::DeleteI2NPMessage (msg.data);
-					}
+						LogPrint (eLogError, "Message to another router arrived from an inbound tunnel. Dropped");
 				}
 			break;
 			default:
-				LogPrint ("TunnelMessage: Unknown delivery type ", (int)msg.deliveryType);
+				LogPrint (eLogError, "TunnelMessage: Unknown delivery type ", (int)msg.deliveryType);
 		};	
 	}	
 }		
--- a/TunnelEndpoint.h
+++ b/TunnelEndpoint.h
@@ -22,7 +22,7 @@ namespace tunnel
 		{
 			uint8_t fragmentNum;
 			bool isLastFragment;
-			I2NPMessage * data;
+			std::shared_ptr<I2NPMessage> data;
 		};	
 		
 		public:
@@ -31,14 +31,14 @@ namespace tunnel
 			~TunnelEndpoint ();
 			size_t GetNumReceivedBytes () const { return m_NumReceivedBytes; };
 			
-			void HandleDecryptedTunnelDataMsg (I2NPMessage * msg);
+			void HandleDecryptedTunnelDataMsg (std::shared_ptr<I2NPMessage> msg);

 		private:

 			void HandleFollowOnFragment (uint32_t msgID, bool isLastFragment, const TunnelMessageBlockEx& m);
 			void HandleNextMessage (const TunnelMessageBlock& msg);

-			void AddOutOfSequenceFragment (uint32_t msgID, uint8_t fragmentNum, bool isLastFragment, I2NPMessage * data);
+			void AddOutOfSequenceFragment (uint32_t msgID, uint8_t fragmentNum, bool isLastFragment, std::shared_ptr<I2NPMessage> data);
 			void HandleOutOfSequenceFragment (uint32_t msgID, TunnelMessageBlockEx& msg);
 			
 		private:			
--- a/TunnelGateway.cpp
+++ b/TunnelGateway.cpp
@@ -1,6 +1,7 @@
 #include <string.h>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
 #include "I2PEndian.h"
-#include <cryptopp/sha.h>
 #include "Log.h"
 #include "RouterContext.h"
 #include "Transports.h"
@@ -10,6 +11,18 @@ namespace i2p
 {
 namespace tunnel
 {
+	TunnelGatewayBuffer::TunnelGatewayBuffer (uint32_t tunnelID): m_TunnelID (tunnelID), 
+				m_CurrentTunnelDataMsg (nullptr), m_RemainingSize (0) 
+	{
+		RAND_bytes (m_NonZeroRandomBuffer, TUNNEL_DATA_MAX_PAYLOAD_SIZE);
+		for (size_t i = 0; i < TUNNEL_DATA_MAX_PAYLOAD_SIZE; i++)
+			if (!m_NonZeroRandomBuffer[i]) m_NonZeroRandomBuffer[i] = 1;
+	}
+
+	TunnelGatewayBuffer::~TunnelGatewayBuffer ()
+	{
+	}	
+	
 	void TunnelGatewayBuffer::PutI2NPMsg (const TunnelMessageBlock& block)
 	{
 		bool messageCreated = false;
@@ -26,7 +39,7 @@ namespace tunnel
 		{	
 			if (block.deliveryType == eDeliveryTypeTunnel)
 			{
-				*(uint32_t *)(di + diLen) = htobe32 (block.tunnelID);
+				htobe32buf (di + diLen, block.tunnelID);
 				diLen += 4; // tunnelID
 			}
 			
@@ -36,12 +49,12 @@ namespace tunnel
 		di[0] = block.deliveryType << 5; // set delivery type

 		// create fragments
-		I2NPMessage * msg = block.data;
+		std::shared_ptr<I2NPMessage> msg = block.data;
 		auto fullMsgLen = diLen + msg->GetLength () + 2; // delivery instructions + payload + 2 bytes length
 		if (fullMsgLen <= m_RemainingSize)
 		{
 			// message fits. First and last fragment
-			*(uint16_t *)(di + diLen) = htobe16 (msg->GetLength ());
+			htobe16buf (di + diLen, msg->GetLength ());
 			diLen += 2; // size
 			memcpy (m_CurrentTunnelDataMsg->buf + m_CurrentTunnelDataMsg->len, di, diLen);
 			memcpy (m_CurrentTunnelDataMsg->buf + m_CurrentTunnelDataMsg->len + diLen, msg->GetBuffer (), msg->GetLength ());
@@ -49,7 +62,6 @@ namespace tunnel
 			m_RemainingSize -= diLen + msg->GetLength ();
 			if (!m_RemainingSize)
 				CompleteCurrentTunnelDataMessage ();
-			DeleteI2NPMessage (msg);
 		}	
 		else
 		{
@@ -68,14 +80,15 @@ namespace tunnel
 			if (diLen + 6 <= m_RemainingSize)
 			{
 				// delivery instructions fit
-				uint32_t msgID = msg->GetHeader ()->msgID; // in network bytes order
+				uint32_t msgID;
+				memcpy (&msgID, msg->GetHeader () + I2NP_HEADER_MSGID_OFFSET, 4); // in network bytes order
 				size_t size = m_RemainingSize - diLen - 6; // 6 = 4 (msgID) + 2 (size)

 				// first fragment
 				di[0] |= 0x08; // fragmented
-				*(uint32_t *)(di + diLen) = msgID;
+				htobuf32 (di + diLen, msgID);
 				diLen += 4; // Message ID
-				*(uint16_t *)(di + diLen) = htobe16 (size);
+				htobe16buf (di + diLen, size);
 				diLen += 2; // size
 				memcpy (m_CurrentTunnelDataMsg->buf + m_CurrentTunnelDataMsg->len, di, diLen);
 				memcpy (m_CurrentTunnelDataMsg->buf + m_CurrentTunnelDataMsg->len + diLen, msg->GetBuffer (), size);
@@ -96,9 +109,9 @@ namespace tunnel
 					{	
 						buf[0] |= 0x01;
 						isLastFragment = true;
-					}	
-					*(uint32_t *)(buf + 1) = msgID; //Message ID
-					*(uint16_t *)(buf + 5) = htobe16 (s); // size
+					}
+					htobuf32 (buf + 1, msgID); //Message ID
+					htobe16buf (buf + 5, s); // size
 					memcpy (buf + 7, msg->GetBuffer () + size, s);
 					m_CurrentTunnelDataMsg->len += s+7;
 					if (isLastFragment)
@@ -112,7 +125,6 @@ namespace tunnel
 					size += s;
 					fragmentNumber++;
 				}
-				DeleteI2NPMessage (msg);
 			}	
 			else
 			{
@@ -131,9 +143,10 @@ namespace tunnel

 	void TunnelGatewayBuffer::CreateCurrentTunnelDataMessage ()
 	{
-		m_CurrentTunnelDataMsg = NewI2NPMessage ();
+		m_CurrentTunnelDataMsg = ToSharedI2NPMessage (NewI2NPShortMessage ());
+		m_CurrentTunnelDataMsg->Align (12);
 		// we reserve space for padding
-		m_CurrentTunnelDataMsg->offset += TUNNEL_DATA_MSG_SIZE + sizeof (I2NPHeader);
+		m_CurrentTunnelDataMsg->offset += TUNNEL_DATA_MSG_SIZE + I2NP_HEADER_SIZE;
 		m_CurrentTunnelDataMsg->len = m_CurrentTunnelDataMsg->offset;
 		m_RemainingSize = TUNNEL_DATA_MAX_PAYLOAD_SIZE;
 	}	
@@ -144,25 +157,28 @@ namespace tunnel
 		uint8_t * payload = m_CurrentTunnelDataMsg->GetBuffer ();
 		size_t size = m_CurrentTunnelDataMsg->len - m_CurrentTunnelDataMsg->offset;
 		
-		m_CurrentTunnelDataMsg->offset = m_CurrentTunnelDataMsg->len - TUNNEL_DATA_MSG_SIZE - sizeof (I2NPHeader);
+		m_CurrentTunnelDataMsg->offset = m_CurrentTunnelDataMsg->len - TUNNEL_DATA_MSG_SIZE - I2NP_HEADER_SIZE;
 		uint8_t * buf = m_CurrentTunnelDataMsg->GetPayload ();
-		*(uint32_t *)(buf) = htobe32 (m_TunnelID);
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-		rnd.GenerateBlock (buf + 4, 16); // original IV	
+		htobe32buf (buf, m_TunnelID);
+		RAND_bytes (buf + 4, 16); // original IV	
 		memcpy (payload + size, buf + 4, 16); // copy IV for checksum 
 		uint8_t hash[32];
-		CryptoPP::SHA256().CalculateDigest (hash, payload, size+16);
+		SHA256(payload, size+16, hash);
 		memcpy (buf+20, hash, 4); // checksum		
 		payload[-1] = 0; // zero	
 		ptrdiff_t paddingSize = payload - buf - 25; // 25  = 24 + 1 
 		if (paddingSize > 0)
-			memset (buf + 24, 1, paddingSize); // padding TODO: fill with random data
+		{
+			// non-zero padding 
+			auto randomOffset = rand () % (TUNNEL_DATA_MAX_PAYLOAD_SIZE - paddingSize + 1);
+			memcpy (buf + 24, m_NonZeroRandomBuffer + randomOffset, paddingSize); 
+		}

 		// we can't fill message header yet because encryption is required
 		m_TunnelDataMsgs.push_back (m_CurrentTunnelDataMsg);
 		m_CurrentTunnelDataMsg = nullptr;
 	}	
-	
+
 	void TunnelGateway::SendTunnelDataMsg (const TunnelMessageBlock& block)
 	{
 		if (block.data)
@@ -184,11 +200,11 @@ namespace tunnel
 		auto tunnelMsgs = m_Buffer.GetTunnelDataMsgs ();
 		for (auto tunnelMsg : tunnelMsgs)
 		{	
-			m_Tunnel->EncryptTunnelMsg (tunnelMsg);
-			FillI2NPMessageHeader (tunnelMsg, eI2NPTunnelData);
-			i2p::transport::transports.SendMessage (m_Tunnel->GetNextIdentHash (), tunnelMsg);
+			m_Tunnel->EncryptTunnelMsg (tunnelMsg, tunnelMsg); 
+			tunnelMsg->FillI2NPMessageHeader (eI2NPTunnelData); 
 			m_NumSentBytes += TUNNEL_DATA_MSG_SIZE;
 		}	
+		i2p::transport::transports.SendMessages (m_Tunnel->GetNextIdentHash (), tunnelMsgs);
 		m_Buffer.ClearTunnelDataMsgs ();
 	}	
 }		
--- a/TunnelGateway.h
+++ b/TunnelGateway.h
@@ -3,6 +3,7 @@

 #include <inttypes.h>
 #include <vector>
+#include <memory>
 #include "I2NPProtocol.h"
 #include "TunnelBase.h"

@@ -13,10 +14,10 @@ namespace tunnel
 	class TunnelGatewayBuffer
 	{
 		public:
-			TunnelGatewayBuffer (uint32_t tunnelID): m_TunnelID (tunnelID), 
-				m_CurrentTunnelDataMsg (nullptr), m_RemainingSize (0) {};
+			TunnelGatewayBuffer (uint32_t tunnelID);
+			~TunnelGatewayBuffer ();
 			void PutI2NPMsg (const TunnelMessageBlock& block);	
-			const std::vector<I2NPMessage *>& GetTunnelDataMsgs () const { return m_TunnelDataMsgs; };
+			const std::vector<std::shared_ptr<I2NPMessage> >& GetTunnelDataMsgs () const { return m_TunnelDataMsgs; };
 			void ClearTunnelDataMsgs ();
 			void CompleteCurrentTunnelDataMessage ();

@@ -27,16 +28,17 @@ namespace tunnel
 		private:

 			uint32_t m_TunnelID;
-			std::vector<I2NPMessage *> m_TunnelDataMsgs;
-			I2NPMessage * m_CurrentTunnelDataMsg;
+			std::vector<std::shared_ptr<I2NPMessage> > m_TunnelDataMsgs;
+			std::shared_ptr<I2NPMessage> m_CurrentTunnelDataMsg;
 			size_t m_RemainingSize;
+			uint8_t m_NonZeroRandomBuffer[TUNNEL_DATA_MAX_PAYLOAD_SIZE];
 	};	

 	class TunnelGateway
 	{
 		public:

-			TunnelGateway (TunnelBase * tunnel): 
+			TunnelGateway (TunnelBase * tunnel):
 				m_Tunnel (tunnel), m_Buffer (tunnel->GetNextTunnelID ()), m_NumSentBytes (0) {};
 			void SendTunnelDataMsg (const TunnelMessageBlock& block);	
 			void PutTunnelDataMsg (const TunnelMessageBlock& block);
--- a/TunnelPool.cpp
+++ b/TunnelPool.cpp
@@ -1,18 +1,22 @@
+#include <algorithm>
+#include <openssl/rand.h>
 #include "I2PEndian.h"
-#include "CryptoConst.h"
+#include "Crypto.h"
 #include "Tunnel.h"
 #include "NetDb.h"
 #include "Timestamp.h"
 #include "Garlic.h"
+#include "Transports.h"
+#include "Log.h"
 #include "TunnelPool.h"

 namespace i2p
 {
 namespace tunnel
 {
-	TunnelPool::TunnelPool (i2p::garlic::GarlicDestination& localDestination, int numHops, int numTunnels):
-		m_LocalDestination (localDestination), m_NumHops (numHops), m_NumTunnels (numTunnels),
-		m_IsActive (true)
+	TunnelPool::TunnelPool (i2p::garlic::GarlicDestination * localDestination, int numInboundHops, int numOutboundHops, int numInboundTunnels, int numOutboundTunnels):
+		m_LocalDestination (localDestination), m_NumInboundHops (numInboundHops), m_NumOutboundHops (numOutboundHops),
+		m_NumInboundTunnels (numInboundTunnels), m_NumOutboundTunnels (numOutboundTunnels), m_IsActive (true)
 	{
 	}

@@ -21,6 +25,27 @@ namespace tunnel
 		DetachTunnels ();
 	}

+	void TunnelPool::SetExplicitPeers (std::shared_ptr<std::vector<i2p::data::IdentHash> > explicitPeers)
+	{
+		m_ExplicitPeers = explicitPeers;
+		if (m_ExplicitPeers)
+		{
+			int size = m_ExplicitPeers->size ();
+			if (m_NumInboundHops > size) 
+			{
+				m_NumInboundHops = size;
+				LogPrint (eLogInfo, "Inbound tunnel length has beed adjusted to ", size, " for explicit peers");
+			} 
+			if (m_NumOutboundHops > size) 
+			{
+				m_NumOutboundHops = size;
+				LogPrint (eLogInfo, "Outbound tunnel length has beed adjusted to ", size, " for explicit peers");
+			} 
+			m_NumInboundTunnels = 1;
+			m_NumOutboundTunnels = 1;
+		}	
+	}
+
 	void TunnelPool::DetachTunnels ()
 	{
 		{
@@ -38,54 +63,56 @@ namespace tunnel
 		m_Tests.clear ();
 	}	
 		
-	void TunnelPool::TunnelCreated (InboundTunnel * createdTunnel)
+	void TunnelPool::TunnelCreated (std::shared_ptr<InboundTunnel> createdTunnel)
 	{
 		if (!m_IsActive) return;
 		{
 			std::unique_lock<std::mutex> l(m_InboundTunnelsMutex);
 			m_InboundTunnels.insert (createdTunnel);
 		}
-		m_LocalDestination.SetLeaseSetUpdated ();
+		if (m_LocalDestination)
+			m_LocalDestination->SetLeaseSetUpdated ();
 	}

-	void TunnelPool::TunnelExpired (InboundTunnel * expiredTunnel)
+	void TunnelPool::TunnelExpired (std::shared_ptr<InboundTunnel> expiredTunnel)
 	{
 		if (expiredTunnel)
 		{	
 			expiredTunnel->SetTunnelPool (nullptr);
 			for (auto it: m_Tests)
 				if (it.second.second == expiredTunnel) it.second.second = nullptr;
-			RecreateInboundTunnel (expiredTunnel);	

 			std::unique_lock<std::mutex> l(m_InboundTunnelsMutex);
 			m_InboundTunnels.erase (expiredTunnel);
 		}	
 	}	

-	void TunnelPool::TunnelCreated (OutboundTunnel * createdTunnel)
+	void TunnelPool::TunnelCreated (std::shared_ptr<OutboundTunnel> createdTunnel)
 	{
 		if (!m_IsActive) return;
-		std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);
-		m_OutboundTunnels.insert (createdTunnel);
+		{
+			std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);
+			m_OutboundTunnels.insert (createdTunnel);
+		}
+		//CreatePairedInboundTunnel (createdTunnel);
 	}

-	void TunnelPool::TunnelExpired (OutboundTunnel * expiredTunnel)
+	void TunnelPool::TunnelExpired (std::shared_ptr<OutboundTunnel> expiredTunnel)
 	{
 		if (expiredTunnel)
 		{
 			expiredTunnel->SetTunnelPool (nullptr);
 			for (auto it: m_Tests)
 				if (it.second.first == expiredTunnel) it.second.first = nullptr;
-			RecreateOutboundTunnel (expiredTunnel);

 			std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);
 			m_OutboundTunnels.erase (expiredTunnel);
 		}
 	}
 		
-	std::vector<InboundTunnel *> TunnelPool::GetInboundTunnels (int num) const
+	std::vector<std::shared_ptr<InboundTunnel> > TunnelPool::GetInboundTunnels (int num) const
 	{
-		std::vector<InboundTunnel *> v;
+		std::vector<std::shared_ptr<InboundTunnel> > v;
 		int i = 0;
 		std::unique_lock<std::mutex> l(m_InboundTunnelsMutex);
 		for (auto it : m_InboundTunnels)
@@ -100,38 +127,54 @@ namespace tunnel
 		return v;
 	}

-	OutboundTunnel * TunnelPool::GetNextOutboundTunnel (OutboundTunnel * suggested) const
+	std::shared_ptr<OutboundTunnel> TunnelPool::GetNextOutboundTunnel (std::shared_ptr<OutboundTunnel> excluded) const
 	{
 		std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);	
-		return GetNextTunnel (m_OutboundTunnels, suggested);
+		return GetNextTunnel (m_OutboundTunnels, excluded);
 	}	

-	InboundTunnel * TunnelPool::GetNextInboundTunnel (InboundTunnel * suggested) const
+	std::shared_ptr<InboundTunnel> TunnelPool::GetNextInboundTunnel (std::shared_ptr<InboundTunnel> excluded) const
 	{
 		std::unique_lock<std::mutex> l(m_InboundTunnelsMutex);	
-		return GetNextTunnel (m_InboundTunnels, suggested);
+		return GetNextTunnel (m_InboundTunnels, excluded);
 	}

 	template<class TTunnels>
-	typename TTunnels::value_type TunnelPool::GetNextTunnel (TTunnels& tunnels, 
-		typename TTunnels::value_type suggested) const
+	typename TTunnels::value_type TunnelPool::GetNextTunnel (TTunnels& tunnels, typename TTunnels::value_type excluded) const
 	{
-		if (tunnels.empty ()) return nullptr;
-		if (suggested && tunnels.count (suggested) > 0 && suggested->IsEstablished ())
-				return suggested;
-		
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-		uint32_t ind = rnd.GenerateWord32 (0, tunnels.size ()/2), i = 0;
+		if (tunnels.empty ()) return nullptr;		
+		uint32_t ind = rand () % (tunnels.size ()/2 + 1), i = 0;
 		typename TTunnels::value_type tunnel = nullptr;
 		for (auto it: tunnels)
 		{	
-			if (it->IsEstablished ())
+			if (it->IsEstablished () && it != excluded)
 			{
 				tunnel = it;
 				i++;
 			}
 			if (i > ind && tunnel) break;
-		}	
+		}
+		if (!tunnel && excluded && excluded->IsEstablished ()) tunnel = excluded;
+		return tunnel;
+	}
+
+	std::shared_ptr<OutboundTunnel> TunnelPool::GetNewOutboundTunnel (std::shared_ptr<OutboundTunnel> old) const
+	{
+		if (old && old->IsEstablished ()) return old;
+		std::shared_ptr<OutboundTunnel> tunnel;	
+		if (old)
+		{
+			std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);	
+			for (auto it: m_OutboundTunnels)
+				if (it->IsEstablished () && old->GetEndpointIdentHash () == it->GetEndpointIdentHash ())
+				{
+					tunnel = it;
+					break;
+				}
+		}
+	
+		if (!tunnel)
+			tunnel = GetNextOutboundTunnel ();		
 		return tunnel;
 	}

@@ -143,7 +186,7 @@ namespace tunnel
 			for (auto it : m_InboundTunnels)
 				if (it->IsEstablished ()) num++;
 		}
-		for (int i = num; i < m_NumTunnels; i++)
+		for (int i = num; i < m_NumInboundTunnels; i++)
 			CreateInboundTunnel ();	
 		
 		num = 0;
@@ -152,13 +195,12 @@ namespace tunnel
 			for (auto it : m_OutboundTunnels)
 				if (it->IsEstablished ()) num++;
 		}
-		for (int i = num; i < m_NumTunnels; i++)
+		for (int i = num; i < m_NumOutboundTunnels; i++)
 			CreateOutboundTunnel ();	
 	}

 	void TunnelPool::TestTunnels ()
 	{
-		auto& rnd = i2p::context.GetRandomNumberGenerator ();
 		for (auto it: m_Tests)
 		{
 			LogPrint ("Tunnel test ", (int)it.first, " failed"); 
@@ -183,13 +225,15 @@ namespace tunnel
 						std::unique_lock<std::mutex> l(m_InboundTunnelsMutex);
 						m_InboundTunnels.erase (it.second.second);
 					}
-					m_LocalDestination.SetLeaseSetUpdated ();
+					if (m_LocalDestination)
+						m_LocalDestination->SetLeaseSetUpdated ();
 				}	
 				else
 					it.second.second->SetState (eTunnelStateTestFailed);
 			}	
 		}
-		m_Tests.clear ();	
+		m_Tests.clear ();
+		// new tests	
 		auto it1 = m_OutboundTunnels.begin ();
 		auto it2 = m_InboundTunnels.begin ();
 		while (it1 != m_OutboundTunnels.end () && it2 != m_InboundTunnels.end ())
@@ -207,19 +251,32 @@ namespace tunnel
 			}
 			if (!failed)
 			{
-				uint32_t msgID = rnd.GenerateWord32 ();
-				m_Tests[msgID] = std::make_pair (*it1, *it2);
-				(*it1)->SendTunnelDataMsg ((*it2)->GetNextIdentHash (), (*it2)->GetNextTunnelID (),
+ 				uint32_t msgID;
+				RAND_bytes ((uint8_t *)&msgID, 4);
+ 				m_Tests[msgID] = std::make_pair (*it1, *it2);
+ 				(*it1)->SendTunnelDataMsg ((*it2)->GetNextIdentHash (), (*it2)->GetNextTunnelID (),
 					CreateDeliveryStatusMsg (msgID));
 				it1++; it2++;
 			}	
 		}
 	}

-	void TunnelPool::ProcessDeliveryStatus (I2NPMessage * msg)
+	void TunnelPool::ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg)
 	{
-		I2NPDeliveryStatusMsg * deliveryStatus = (I2NPDeliveryStatusMsg *)msg->GetPayload ();
-		auto it = m_Tests.find (be32toh (deliveryStatus->msgID));
+		if (m_LocalDestination)
+			m_LocalDestination->ProcessGarlicMessage (msg);
+		else
+			LogPrint (eLogWarning, "Local destination doesn't exist. Dropped");
+	}	
+		
+	void TunnelPool::ProcessDeliveryStatus (std::shared_ptr<I2NPMessage> msg)
+	{
+		const uint8_t * buf = msg->GetPayload ();
+		uint32_t msgID = bufbe32toh (buf);
+		buf += 4;	
+		uint64_t timestamp = bufbe64toh (buf);
+
+		auto it = m_Tests.find (msgID);
 		if (it != m_Tests.end ())
 		{
 			// restore from test failed state if any
@@ -227,104 +284,154 @@ namespace tunnel
 				it->second.first->SetState (eTunnelStateEstablished);
 			if (it->second.second->GetState () == eTunnelStateTestFailed)
 				it->second.second->SetState (eTunnelStateEstablished);
-			LogPrint ("Tunnel test ", it->first, " successive. ", i2p::util::GetMillisecondsSinceEpoch () - be64toh (deliveryStatus->timestamp), " milliseconds");
+			LogPrint ("Tunnel test ", it->first, " successive. ", i2p::util::GetMillisecondsSinceEpoch () - timestamp, " milliseconds");
 			m_Tests.erase (it);
-			DeleteI2NPMessage (msg);
 		}
 		else
-			m_LocalDestination.ProcessDeliveryStatusMessage (msg);
+		{
+			if (m_LocalDestination)
+				m_LocalDestination->ProcessDeliveryStatusMessage (msg);
+			else
+				LogPrint (eLogWarning, "Local destination doesn't exist. Dropped");
+		}	
 	}

 	std::shared_ptr<const i2p::data::RouterInfo> TunnelPool::SelectNextHop (std::shared_ptr<const i2p::data::RouterInfo> prevHop) const
 	{
-		auto hop = m_NumHops >= 3 ? i2p::data::netdb.GetHighBandwidthRandomRouter (prevHop) :
-			i2p::data::netdb.GetRandomRouter (prevHop);
-		if (!hop)
+		bool isExploratory = (m_LocalDestination == &i2p::context); // TODO: implement it better
+		auto hop = isExploratory ? i2p::data::netdb.GetRandomRouter (prevHop): 
+			i2p::data::netdb.GetHighBandwidthRandomRouter (prevHop);
+
+		if (!hop || hop->GetProfile ()->IsBad ())
 			hop = i2p::data::netdb.GetRandomRouter ();
 		return hop;	
 	}	
-		
-	void TunnelPool::CreateInboundTunnel ()
+
+	bool TunnelPool::SelectPeers (std::vector<std::shared_ptr<const i2p::data::IdentityEx> >& peers, bool isInbound)
 	{
-		OutboundTunnel * outboundTunnel = GetNextOutboundTunnel ();
-		if (!outboundTunnel)
-			outboundTunnel = tunnels.GetNextOutboundTunnel ();
-		LogPrint ("Creating destination inbound tunnel...");
+		if (m_ExplicitPeers) return SelectExplicitPeers (peers, isInbound);
 		auto prevHop = i2p::context.GetSharedRouterInfo ();	
-		std::vector<std::shared_ptr<const i2p::data::RouterInfo> > hops;
-		int numHops = m_NumHops;
-		if (outboundTunnel)
-		{	
-			// last hop
-			auto hop = outboundTunnel->GetTunnelConfig ()->GetFirstHop ()->router;
-			if (hop->GetIdentHash () != i2p::context.GetIdentHash ()) // outbound shouldn't be zero-hop tunnel
-			{	
-				prevHop = hop;
-				hops.push_back (prevHop);
+		int numHops = isInbound ? m_NumInboundHops : m_NumOutboundHops;
+		if (i2p::transport::transports.GetNumPeers () > 25)
+		{
+			auto r = i2p::transport::transports.GetRandomPeer ();
+			if (r && !r->GetProfile ()->IsBad ())
+			{
+				prevHop = r;
+				peers.push_back (r->GetRouterIdentity ());
 				numHops--;
 			}
 		}
+		
 		for (int i = 0; i < numHops; i++)
 		{
 			auto hop = SelectNextHop (prevHop);
+			if (!hop)
+			{
+				LogPrint (eLogError, "Can't select next hop");
+				return false;
+			}	
 			prevHop = hop;
-			hops.push_back (hop);
+			peers.push_back (hop->GetRouterIdentity ());
 		}		
-		std::reverse (hops.begin (), hops.end ());	
-		auto * tunnel = tunnels.CreateTunnel<InboundTunnel> (new TunnelConfig (hops), outboundTunnel);
-		tunnel->SetTunnelPool (this);
+		return true;
+	}	
+	
+	bool TunnelPool::SelectExplicitPeers (std::vector<std::shared_ptr<const i2p::data::IdentityEx> >& peers, bool isInbound)
+	{
+		int size = m_ExplicitPeers->size ();
+		std::vector<int> peerIndicies;
+		for (int i = 0; i < size; i++) peerIndicies.push_back(i);
+		std::random_shuffle (peerIndicies.begin(), peerIndicies.end());
+	
+		int numHops = isInbound ? m_NumInboundHops : m_NumOutboundHops;		
+		for (int i = 0; i < numHops; i++) 
+		{
+			auto& ident = (*m_ExplicitPeers)[peerIndicies[i]];
+			auto r = i2p::data::netdb.FindRouter (ident);
+			if (r)
+				peers.push_back (r->GetRouterIdentity ());
+			else
+			{
+				LogPrint (eLogInfo, "Can't find router for ", ident.ToBase64 ());
+				i2p::data::netdb.RequestDestination (ident);
+				return false;
+			}
+		}
+		return true;
+	}
+	
+	void TunnelPool::CreateInboundTunnel ()
+	{
+		auto outboundTunnel = GetNextOutboundTunnel ();
+		if (!outboundTunnel)
+			outboundTunnel = tunnels.GetNextOutboundTunnel ();
+		LogPrint ("Creating destination inbound tunnel...");
+		std::vector<std::shared_ptr<const i2p::data::IdentityEx> > peers;
+		if (SelectPeers (peers, true))
+		{
+			std::reverse (peers.begin (), peers.end ());	
+			auto tunnel = tunnels.CreateTunnel<InboundTunnel> (std::make_shared<TunnelConfig> (peers), outboundTunnel);
+			tunnel->SetTunnelPool (shared_from_this ());
+		}	
+		else
+			LogPrint (eLogError, "Can't create inbound tunnel. No peers available");
 	}

-	void TunnelPool::RecreateInboundTunnel (InboundTunnel * tunnel)
+	void TunnelPool::RecreateInboundTunnel (std::shared_ptr<InboundTunnel> tunnel)
 	{
-		OutboundTunnel * outboundTunnel = GetNextOutboundTunnel ();
+		auto outboundTunnel = GetNextOutboundTunnel ();
 		if (!outboundTunnel)
 			outboundTunnel = tunnels.GetNextOutboundTunnel ();
 		LogPrint ("Re-creating destination inbound tunnel...");
-		auto * newTunnel = tunnels.CreateTunnel<InboundTunnel> (tunnel->GetTunnelConfig ()->Clone (), outboundTunnel);
-		newTunnel->SetTunnelPool (this);
+		auto newTunnel = tunnels.CreateTunnel<InboundTunnel> (std::make_shared<TunnelConfig>(tunnel->GetPeers ()), outboundTunnel);
+		newTunnel->SetTunnelPool (shared_from_this());
 	}	
 		
 	void TunnelPool::CreateOutboundTunnel ()
 	{
-		InboundTunnel * inboundTunnel = GetNextInboundTunnel ();
+		auto inboundTunnel = GetNextInboundTunnel ();
 		if (!inboundTunnel)
 			inboundTunnel = tunnels.GetNextInboundTunnel ();
 		if (inboundTunnel)
 		{	
 			LogPrint ("Creating destination outbound tunnel...");
-
-			auto prevHop = i2p::context.GetSharedRouterInfo ();
-			std::vector<std::shared_ptr<const i2p::data::RouterInfo> > hops;
-			for (int i = 0; i < m_NumHops; i++)
-			{
-				auto hop = SelectNextHop (prevHop);
-				prevHop = hop;
-				hops.push_back (hop);
+			std::vector<std::shared_ptr<const i2p::data::IdentityEx> > peers;
+			if (SelectPeers (peers, false))
+			{	
+				auto tunnel = tunnels.CreateTunnel<OutboundTunnel> (
+					std::make_shared<TunnelConfig> (peers, inboundTunnel->GetNextTunnelID (), inboundTunnel->GetNextIdentHash ()));
+				tunnel->SetTunnelPool (shared_from_this ());
 			}	
-				
-			auto * tunnel = tunnels.CreateTunnel<OutboundTunnel> (
-				new TunnelConfig (hops, inboundTunnel->GetTunnelConfig ()));
-			tunnel->SetTunnelPool (this);
+			else
+				LogPrint (eLogError, "Can't create outbound tunnel. No peers available");
 		}	
 		else
-			LogPrint ("Can't create outbound tunnel. No inbound tunnels found");
+			LogPrint (eLogError, "Can't create outbound tunnel. No inbound tunnels found");
 	}	
 		
-	void TunnelPool::RecreateOutboundTunnel (OutboundTunnel * tunnel)
+	void TunnelPool::RecreateOutboundTunnel (std::shared_ptr<OutboundTunnel> tunnel)
 	{
-		InboundTunnel * inboundTunnel = GetNextInboundTunnel ();
+		auto inboundTunnel = GetNextInboundTunnel ();
 		if (!inboundTunnel)
 			inboundTunnel = tunnels.GetNextInboundTunnel ();
 		if (inboundTunnel)
 		{	
 			LogPrint ("Re-creating destination outbound tunnel...");
-			auto * newTunnel = tunnels.CreateTunnel<OutboundTunnel> (
-				tunnel->GetTunnelConfig ()->Clone (inboundTunnel->GetTunnelConfig ()));
-			newTunnel->SetTunnelPool (this);
+			auto newTunnel = tunnels.CreateTunnel<OutboundTunnel> (
+				std::make_shared<TunnelConfig> (tunnel->GetPeers (),
+					inboundTunnel->GetNextTunnelID (), inboundTunnel->GetNextIdentHash ()));
+			newTunnel->SetTunnelPool (shared_from_this ());
 		}	
 		else
 			LogPrint ("Can't re-create outbound tunnel. No inbound tunnels found");
-	}			
+	}		
+
+	void TunnelPool::CreatePairedInboundTunnel (std::shared_ptr<OutboundTunnel> outboundTunnel)
+	{
+		LogPrint (eLogInfo, "Creating paired inbound tunnel...");
+		auto tunnel = tunnels.CreateTunnel<InboundTunnel> (std::make_shared<TunnelConfig>(outboundTunnel->GetInvertedPeers ()), outboundTunnel);
+		tunnel->SetTunnelPool (shared_from_this ());
+	}	
 }
 }
--- a/TunnelPool.h
+++ b/TunnelPool.h
@@ -6,6 +6,7 @@
 #include <vector>
 #include <utility>
 #include <mutex>
+#include <memory>
 #include "Identity.h"
 #include "LeaseSet.h"
 #include "RouterInfo.h"
@@ -22,31 +23,32 @@ namespace tunnel
 	class InboundTunnel;
 	class OutboundTunnel;

-	class TunnelPool // per local destination
+	class TunnelPool: public std::enable_shared_from_this<TunnelPool> // per local destination
 	{
 		public:

-			TunnelPool (i2p::garlic::GarlicDestination& localDestination, int numHops, int numTunnels = 5);
+			TunnelPool (i2p::garlic::GarlicDestination * localDestination, int numInboundHops, int numOutboundHops, int numInboundTunnels, int numOutboundTunnels);
 			~TunnelPool ();
-
-			const uint8_t * GetEncryptionPrivateKey () const { return m_LocalDestination.GetEncryptionPrivateKey (); };
-			const uint8_t * GetEncryptionPublicKey () const { return m_LocalDestination.GetEncryptionPublicKey (); };
-			const i2p::data::LocalDestination& GetLocalDestination () const { return m_LocalDestination; };			
-			i2p::garlic::GarlicDestination& GetGarlicDestination () const { return m_LocalDestination; };	
-			bool IsExploratory () const { return GetIdentHash () == i2p::context.GetIdentHash (); };		
+		
+			i2p::garlic::GarlicDestination * GetLocalDestination () const { return m_LocalDestination; };
+			void SetLocalDestination (i2p::garlic::GarlicDestination * destination) { m_LocalDestination = destination; };
+			void SetExplicitPeers (std::shared_ptr<std::vector<i2p::data::IdentHash> > explicitPeers);

 			void CreateTunnels ();
-			void TunnelCreated (InboundTunnel * createdTunnel);
-			void TunnelExpired (InboundTunnel * expiredTunnel);
-			void TunnelCreated (OutboundTunnel * createdTunnel);
-			void TunnelExpired (OutboundTunnel * expiredTunnel);
-			std::vector<InboundTunnel *> GetInboundTunnels (int num) const;
-			OutboundTunnel * GetNextOutboundTunnel (OutboundTunnel * suggested = nullptr) const;
-			InboundTunnel * GetNextInboundTunnel (InboundTunnel * suggested = nullptr) const;
-			const i2p::data::IdentHash& GetIdentHash () const { return m_LocalDestination.GetIdentHash (); };			
+			void TunnelCreated (std::shared_ptr<InboundTunnel> createdTunnel);
+			void TunnelExpired (std::shared_ptr<InboundTunnel> expiredTunnel);
+			void TunnelCreated (std::shared_ptr<OutboundTunnel> createdTunnel);
+			void TunnelExpired (std::shared_ptr<OutboundTunnel> expiredTunnel);
+			void RecreateInboundTunnel (std::shared_ptr<InboundTunnel> tunnel);
+			void RecreateOutboundTunnel (std::shared_ptr<OutboundTunnel> tunnel);
+			std::vector<std::shared_ptr<InboundTunnel> > GetInboundTunnels (int num) const;
+			std::shared_ptr<OutboundTunnel> GetNextOutboundTunnel (std::shared_ptr<OutboundTunnel> excluded = nullptr) const;
+			std::shared_ptr<InboundTunnel> GetNextInboundTunnel (std::shared_ptr<InboundTunnel> excluded = nullptr) const;		
+			std::shared_ptr<OutboundTunnel> GetNewOutboundTunnel (std::shared_ptr<OutboundTunnel> old) const;

 			void TestTunnels ();
-			void ProcessDeliveryStatus (I2NPMessage * msg);
+			void ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg);
+			void ProcessDeliveryStatus (std::shared_ptr<I2NPMessage> msg);

 			bool IsActive () const { return m_IsActive; };
 			void SetActive (bool isActive) { m_IsActive = isActive; };
@@ -56,22 +58,23 @@ namespace tunnel

 			void CreateInboundTunnel ();	
 			void CreateOutboundTunnel ();
-			void RecreateInboundTunnel (InboundTunnel * tunnel);
-			void RecreateOutboundTunnel (OutboundTunnel * tunnel);
+			void CreatePairedInboundTunnel (std::shared_ptr<OutboundTunnel> outboundTunnel);
 			template<class TTunnels>
-			typename TTunnels::value_type GetNextTunnel (TTunnels& tunnels, 
-				typename TTunnels::value_type suggested = nullptr) const;
+			typename TTunnels::value_type GetNextTunnel (TTunnels& tunnels, typename TTunnels::value_type excluded) const;
 			std::shared_ptr<const i2p::data::RouterInfo> SelectNextHop (std::shared_ptr<const i2p::data::RouterInfo> prevHop) const;
-			
+			bool SelectPeers (std::vector<std::shared_ptr<const i2p::data::IdentityEx> >& hops, bool isInbound);
+			bool SelectExplicitPeers (std::vector<std::shared_ptr<const i2p::data::IdentityEx> >& hops, bool isInbound);			
+
 		private:

-			i2p::garlic::GarlicDestination& m_LocalDestination;
-			int m_NumHops, m_NumTunnels;
+			i2p::garlic::GarlicDestination * m_LocalDestination;
+			int m_NumInboundHops, m_NumOutboundHops, m_NumInboundTunnels, m_NumOutboundTunnels;
+			std::shared_ptr<std::vector<i2p::data::IdentHash> > m_ExplicitPeers;	
 			mutable std::mutex m_InboundTunnelsMutex;
-			std::set<InboundTunnel *, TunnelCreationTimeCmp> m_InboundTunnels; // recent tunnel appears first
+			std::set<std::shared_ptr<InboundTunnel>, TunnelCreationTimeCmp> m_InboundTunnels; // recent tunnel appears first
 			mutable std::mutex m_OutboundTunnelsMutex;
-			std::set<OutboundTunnel *, TunnelCreationTimeCmp> m_OutboundTunnels;
-			std::map<uint32_t, std::pair<OutboundTunnel *, InboundTunnel *> > m_Tests;
+			std::set<std::shared_ptr<OutboundTunnel>, TunnelCreationTimeCmp> m_OutboundTunnels;
+			std::map<uint32_t, std::pair<std::shared_ptr<OutboundTunnel>, std::shared_ptr<InboundTunnel> > > m_Tests;
 			bool m_IsActive;

 		public:
--- a/UPnP.cpp
+++ b/UPnP.cpp
@@ -1,68 +1,247 @@
+#ifdef USE_UPNP
 #include <string>
-#include <boost/lexical_cast.hpp>
+#include <thread>
+
+#include <boost/thread/thread.hpp>
+#include <boost/asio.hpp>
 #include <boost/bind.hpp>
+
+#ifdef _WIN32
+#include <windows.h>
+#define dlsym GetProcAddress
+#else
+#include <dlfcn.h>
+#endif
+
 #include "Log.h"
+
+#include "RouterContext.h"
 #include "UPnP.h"
+#include "NetDb.h"
+#include "util.h"
+
+#include <miniupnpc/miniupnpc.h>
+#include <miniupnpc/upnpcommands.h>
+
+// These are per-process and are safe to reuse for all threads
+#ifndef UPNPDISCOVER_SUCCESS
+/* miniupnpc 1.5 */
+UPNPDev* (*upnpDiscoverFunc) (int, const char *, const char *, int);
+int (*UPNP_AddPortMappingFunc) (const char *, const char *, const char *, const char *,
+                                             const char *, const char *, const char *, const char *);
+#else
+/* miniupnpc 1.6 */
+UPNPDev* (*upnpDiscoverFunc) (int, const char *, const char *, int, int, int *);
+int (*UPNP_AddPortMappingFunc) (const char *, const char *, const char *, const char *,
+                                             const char *, const char *, const char *, const char *, const char *);
+#endif
+int (*UPNP_GetValidIGDFunc) (struct UPNPDev *, struct UPNPUrls *, struct IGDdatas *, char *, int);
+int (*UPNP_GetExternalIPAddressFunc) (const char *, const char *, char *);
+int (*UPNP_DeletePortMappingFunc) (const char *, const char *, const char *, const char *, const char *);
+void (*freeUPNPDevlistFunc) (struct UPNPDev *);
+void (*FreeUPNPUrlsFunc) (struct UPNPUrls *);
+
+// Nice approach http://stackoverflow.com/a/21517513/673826
+template<class M, typename F>
+F GetKnownProcAddressImpl(M hmod, const char *name, F) {
+    auto proc = reinterpret_cast<F>(dlsym(hmod, name));
+    if (!proc) {
+        LogPrint("Error resolving ", name, " from UPNP library. This often happens if there is version mismatch!");
+    }
+    return proc;
+}
+#define GetKnownProcAddress(hmod, func) GetKnownProcAddressImpl(hmod, #func, func##Func);
+

 namespace i2p
 {
-	UPnP::UPnP (): m_Timer (m_Service),
-		m_Endpoint (boost::asio::ip::udp::v4 (), UPNP_REPLY_PORT),
-		m_MulticastEndpoint (boost::asio::ip::address::from_string (UPNP_GROUP), UPNP_PORT),		
-		m_Socket (m_Service, m_Endpoint.protocol ())
-	{
-		m_Socket.set_option (boost::asio::socket_base::receive_buffer_size (65535));
-		m_Socket.set_option (boost::asio::socket_base::send_buffer_size (65535));
-		m_Socket.set_option(boost::asio::ip::udp::socket::reuse_address(true));
-	}
-	
-	UPnP::~UPnP ()
-	{
-	}	
+namespace transport
+{
+    UPnP::UPnP () : m_Thread (nullptr) , m_IsModuleLoaded (false)
+    {
+    }

-	void UPnP::Run ()
-	{
-		DiscoverRouter ();
-		m_Service.run ();
-	}	
-		
-	void UPnP::DiscoverRouter ()
-	{
-		m_Timer.expires_from_now (boost::posix_time::seconds(5)); // 5 seconds
-		m_Timer.async_wait (boost::bind (&UPnP::HandleTimer, this, boost::asio::placeholders::error));
+    void UPnP::Stop ()
+    {
+        if (m_Thread)
+        {   
+            m_Thread->join (); 
+            delete m_Thread;
+            m_Thread = nullptr;
+        }
+    }

-		std::string address = UPNP_GROUP;
-		address += ":" + boost::lexical_cast<std::string>(UPNP_PORT);
-		std::string request = "M-SEARCH * HTTP/1.1\r\n"
-			"HOST: " + address + "\r\n"
-			"ST:" + UPNP_ROUTER + "\r\n"
-			"MAN:\"ssdp:discover\"\r\n"
-			"MX:3\r\n"
-			"\r\n\r\n";
-		m_Socket.send_to (boost::asio::buffer (request.c_str (), request.length ()), m_MulticastEndpoint);
-		Receive ();
-	}	
+    void UPnP::Start()
+    {
+        if (!m_IsModuleLoaded) {
+#ifdef MAC_OSX
+            m_Module = dlopen ("libminiupnpc.dylib", RTLD_LAZY);
+#elif _WIN32
+            m_Module = LoadLibrary ("miniupnpc.dll"); // official prebuilt binary, e.g., in upnpc-exe-win32-20140422.zip
+#else
+            m_Module = dlopen ("libminiupnpc.so", RTLD_LAZY);
+#endif
+            if (m_Module == NULL)
+            {
+                LogPrint ("Error loading UPNP library. This often happens if there is version mismatch!");
+                return;
+            }
+            else
+            {
+                upnpDiscoverFunc = GetKnownProcAddress (m_Module, upnpDiscover);
+                UPNP_GetValidIGDFunc = GetKnownProcAddress (m_Module, UPNP_GetValidIGD);
+                UPNP_GetExternalIPAddressFunc = GetKnownProcAddress (m_Module, UPNP_GetExternalIPAddress);
+                UPNP_AddPortMappingFunc = GetKnownProcAddress (m_Module, UPNP_AddPortMapping);
+                UPNP_DeletePortMappingFunc = GetKnownProcAddress (m_Module, UPNP_DeletePortMapping);
+                freeUPNPDevlistFunc = GetKnownProcAddress (m_Module, freeUPNPDevlist);
+                FreeUPNPUrlsFunc = GetKnownProcAddress (m_Module, FreeUPNPUrls);
+                if (upnpDiscoverFunc && UPNP_GetValidIGDFunc && UPNP_GetExternalIPAddressFunc && UPNP_AddPortMappingFunc &&
+                    UPNP_DeletePortMappingFunc && freeUPNPDevlistFunc && FreeUPNPUrlsFunc)
+                    m_IsModuleLoaded = true;
+            }
+        }
+        m_Thread = new std::thread (std::bind (&UPnP::Run, this));
+    }
+    
+    UPnP::~UPnP ()
+    {
+    } 

-	void UPnP::Receive ()
-	{
-		m_Socket.async_receive_from (boost::asio::buffer (m_ReceiveBuffer, UPNP_MAX_PACKET_LEN), m_SenderEndpoint,
-			boost::bind (&UPnP::HandleReceivedFrom, this, boost::asio::placeholders::error, boost::asio::placeholders::bytes_transferred)); 
-	}
-		
-	void UPnP::HandleReceivedFrom (const boost::system::error_code& ecode, size_t bytes_transferred)
-	{		
-		LogPrint ("UPnP: ", bytes_transferred, " received from ", m_SenderEndpoint.address ());
-		std::string str (m_ReceiveBuffer, bytes_transferred);
-		LogPrint (str);
-		m_Timer.cancel ();
-	}
+    void UPnP::Run ()
+    {
+        for (auto& address : context.GetRouterInfo ().GetAddresses ())
+        {
+            if (!address.host.is_v6 ())
+            {
+                Discover ();
+                if (address.transportStyle == data::RouterInfo::eTransportSSU )
+                {
+                    TryPortMapping (I2P_UPNP_UDP, address.port);
+                }
+                else if (address.transportStyle == data::RouterInfo::eTransportNTCP )
+                {
+                    TryPortMapping (I2P_UPNP_TCP, address.port);
+                }
+            }
+        }
+    } 
+        
+    void UPnP::Discover ()
+    {
+#ifndef UPNPDISCOVER_SUCCESS
+        /* miniupnpc 1.5 */
+        m_Devlist = upnpDiscoverFunc (2000, m_MulticastIf, m_Minissdpdpath, 0);
+#else
+        /* miniupnpc 1.6 */
+        int nerror = 0;
+        m_Devlist = upnpDiscoverFunc (2000, m_MulticastIf, m_Minissdpdpath, 0, 0, &nerror);
+#endif
+
+        int r;
+        r = UPNP_GetValidIGDFunc (m_Devlist, &m_upnpUrls, &m_upnpData, m_NetworkAddr, sizeof (m_NetworkAddr));
+        if (r == 1)
+        {
+            r = UPNP_GetExternalIPAddressFunc (m_upnpUrls.controlURL, m_upnpData.first.servicetype, m_externalIPAddress);
+            if(r != UPNPCOMMAND_SUCCESS)
+            {
+                LogPrint ("UPnP: UPNP_GetExternalIPAddress () returned ", r);
+                return;
+            }
+            else
+            {
+                if (m_externalIPAddress[0])
+                {
+                    LogPrint ("UPnP: ExternalIPAddress = ", m_externalIPAddress);
+                    i2p::context.UpdateAddress (boost::asio::ip::address::from_string (m_externalIPAddress));
+                    return;
+                }
+                else
+                {
+                    LogPrint ("UPnP: GetExternalIPAddress failed.");
+                    return;
+                }
+            }
+        }
+    }
+
+    void UPnP::TryPortMapping (int type, int port)
+    {
+        std::string strType, strPort (std::to_string (port));
+        switch (type)
+        {
+            case I2P_UPNP_TCP:
+                strType = "TCP";
+                break;
+            case I2P_UPNP_UDP:
+            default:
+                strType = "UDP";
+        }
+        int r;
+        std::string strDesc = "I2Pd";
+        try {
+            for (;;) {
+#ifndef UPNPDISCOVER_SUCCESS
+                /* miniupnpc 1.5 */
+                r = UPNP_AddPortMappingFunc (m_upnpUrls.controlURL, m_upnpData.first.servicetype, strPort.c_str (), strPort.c_str (), m_NetworkAddr, strDesc.c_str (), strType.c_str (), 0);
+#else
+                /* miniupnpc 1.6 */
+                r = UPNP_AddPortMappingFunc (m_upnpUrls.controlURL, m_upnpData.first.servicetype, strPort.c_str (), strPort.c_str (), m_NetworkAddr, strDesc.c_str (), strType.c_str (), 0, "0");
+#endif
+                if (r!=UPNPCOMMAND_SUCCESS)
+                {
+                    LogPrint ("AddPortMapping (", strPort.c_str () ,", ", strPort.c_str () ,", ", m_NetworkAddr, ") failed with code ", r);
+                    return;
+                }
+                else
+                {
+                    LogPrint ("UPnP Port Mapping successful. (", m_NetworkAddr ,":", strPort.c_str(), " type ", strType.c_str () ," -> ", m_externalIPAddress ,":", strPort.c_str() ,")");
+                    return;
+                }
+                std::this_thread::sleep_for(std::chrono::minutes(20)); // c++11
+                //boost::this_thread::sleep_for(); // pre c++11
+                //sleep(20*60); // non-portable
+            }
+        }
+        catch (boost::thread_interrupted)
+        {
+            CloseMapping(type, port);
+            Close();
+            throw;
+        }
+    }
+
+    void UPnP::CloseMapping (int type, int port)
+    {
+        std::string strType, strPort (std::to_string (port));
+        switch (type)
+        {
+            case I2P_UPNP_TCP:
+                strType = "TCP";
+                break;
+            case I2P_UPNP_UDP:
+            default:
+                strType = "UDP";
+        }
+        int r = 0;
+        r = UPNP_DeletePortMappingFunc (m_upnpUrls.controlURL, m_upnpData.first.servicetype, strPort.c_str (), strType.c_str (), 0);
+        LogPrint ("UPNP_DeletePortMapping() returned : ", r, "\n");
+    }
+
+    void UPnP::Close ()
+    {
+        freeUPNPDevlistFunc (m_Devlist);
+        m_Devlist = 0;
+        FreeUPNPUrlsFunc (&m_upnpUrls);
+#ifndef _WIN32
+        dlclose (m_Module);
+#else
+        FreeLibrary (m_Module);
+#endif
+    }

-	void UPnP::HandleTimer (const boost::system::error_code& ecode)
-	{
-		if (ecode != boost::asio::error::operation_aborted)
-		{
-			LogPrint ("UPnP: timeout expired");
-			m_Service.stop ();
-		}	
-	}	
 }
+}
+
+
+#endif
+
--- a/UPnP.h
+++ b/UPnP.h
@@ -1,41 +1,63 @@
-#ifndef UPNP_H__
-#define UPNP_H__
+#ifndef __UPNP_H__
+#define __UPNP_H__
+
+#ifdef USE_UPNP
+#include <string>
+#include <thread>
+
+#include <miniupnpc/miniwget.h>
+#include <miniupnpc/miniupnpc.h>
+#include <miniupnpc/upnpcommands.h>
+#include <miniupnpc/upnperrors.h>

 #include <boost/asio.hpp>

+#include "util.h"
+
+#define I2P_UPNP_TCP 1
+#define I2P_UPNP_UDP 2
+
 namespace i2p
 {
-	const int UPNP_MAX_PACKET_LEN = 1500;
-	const char UPNP_GROUP[] = "239.255.255.250";
-	const int UPNP_PORT = 1900;
-	const int UPNP_REPLY_PORT = 1901;
-	const char UPNP_ROUTER[] = "urn:schemas-upnp-org:device:InternetGatewayDevice:1";	
-	
+namespace transport
+{
 	class UPnP
 	{
-		public:
+	public:

-			UPnP ();
-			~UPnP ();
+		UPnP ();
+		~UPnP ();
+        void Close ();

-			void Run ();
-			
+        void Start ();
+        void Stop ();

-		private:
+		void Discover ();
+		void TryPortMapping (int type, int port);
+		void CloseMapping (int type, int port);
+	private:
+		void Run ();

-			void DiscoverRouter ();
-			void Receive ();
-			void HandleReceivedFrom (const boost::system::error_code& ecode, size_t bytes_transferred);
-			void HandleTimer (const boost::system::error_code& ecode);
-			
-		private:
+        std::thread * m_Thread;
+        struct UPNPUrls m_upnpUrls;
+        struct IGDdatas m_upnpData;

-			boost::asio::io_service m_Service;
-			boost::asio::deadline_timer m_Timer;
-			boost::asio::ip::udp::endpoint m_Endpoint, m_MulticastEndpoint, m_SenderEndpoint;
-			boost::asio::ip::udp::socket m_Socket;
-			char m_ReceiveBuffer[UPNP_MAX_PACKET_LEN];
-	};	
+        // For miniupnpc
+        char * m_MulticastIf = 0;
+        char * m_Minissdpdpath = 0;
+        struct UPNPDev * m_Devlist = 0;
+        char m_NetworkAddr[64];
+        char m_externalIPAddress[40];
+        bool m_IsModuleLoaded;
+#ifndef _WIN32
+        void *m_Module;
+#else
+        HINSTANCE m_Module;
+#endif
+	};
+}
 }

 #endif
+
+#endif
--- a/Win32/README-Build.txt
+++ b/Win32/README-Build.txt
@@ -3,8 +3,8 @@ Building i2pd for Windows

 Requirements for building:

-* Visual Studio 2013 (tested with VS2013 Update 1, Update 3, and Update 4 RC)
-* Boost (tested with 1.56 and 1.57)
+* Visual Studio 2013 (tested with VS2013 Update 1, Update 3, and Update 4)
+* Boost (tested with 1.56, 1.57, and 1.58)
 * Crypto++ (tested with 5.6.2)


@@ -31,7 +31,7 @@ After Boost is compiled, set the environment variable `BOOST` to the directory
 Boost was installed to. If you followed the instructions outlined here, you
 should set it to `C:\Boost`. Additionally, set the BOOSTVER variable to the
 version of Boost that you're using, but instead of a '.' use a '_'. For
-example, I have `BOOSTVER` set to `1_57`.
+example, I have `BOOSTVER` set to `1_58`.

 Building Crypto++
 -----------------
--- a/Win32/Win32Service.h
+++ b/Win32/Win32Service.h
@@ -2,7 +2,6 @@
 #define WIN_32_SERVICE_H__

 #include <thread>
-#define WIN32_LEAN_AND_MEAN
 #include <windows.h>


--- a/Win32/i2pd.vcxproj
+++ b/Win32/i2pd.vcxproj
@@ -22,6 +22,7 @@
    <ClCompile Include="..\AddressBook.cpp" />
    <ClCompile Include="..\aes.cpp" />
    <ClCompile Include="..\base64.cpp" />
+    <ClCompile Include="..\BOB.cpp" />
    <ClCompile Include="..\CryptoConst.cpp" />
    <ClCompile Include="..\Daemon.cpp" />
    <ClCompile Include="..\DaemonWin32.cpp" />
@@ -31,14 +32,18 @@
    <ClCompile Include="..\I2NPProtocol.cpp" />
    <ClCompile Include="..\i2p.cpp" />
    <ClCompile Include="..\I2PEndian.cpp" />
+    <ClCompile Include="..\I2PService.cpp" />
    <ClCompile Include="..\Identity.cpp" />
    <ClCompile Include="..\LeaseSet.cpp" />
    <ClCompile Include="..\Log.cpp" />
    <ClCompile Include="..\NetDb.cpp" />
+	<ClCompile Include="..\NetDbRequests.cpp" />
    <ClCompile Include="..\NTCPSession.cpp" />
+	<ClCompile Include="..\Profiling.cpp" />
    <ClCompile Include="..\Reseed.cpp" />
    <ClCompile Include="..\RouterContext.cpp" />
    <ClCompile Include="..\RouterInfo.cpp" />
+	<ClCompile Include="..\Signature.cpp" />	
    <ClCompile Include="..\SAM.cpp" />
    <ClCompile Include="..\SSU.cpp" />
    <ClCompile Include="..\SSUData.cpp" />
@@ -56,12 +61,14 @@
    <ClCompile Include="..\util.cpp" />
    <ClCompile Include="..\SOCKS.cpp" />
    <ClCompile Include="..\I2PTunnel.cpp" />
+    <ClCompile Include="..\I2PControl.cpp" />
    <ClCompile Include="..\ClientContext.cpp" />
    <ClCompile Include="Win32Service.cpp" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="..\AddressBook.h" />
    <ClInclude Include="..\base64.h" />
+    <ClInclude Include="..\BOB.h" />
    <ClInclude Include="..\CryptoConst.h" />
    <ClInclude Include="..\Daemon.h" />
    <ClInclude Include="..\ElGamal.h" />
@@ -70,13 +77,16 @@
    <ClInclude Include="..\HTTPServer.h" />
    <ClInclude Include="..\I2NPProtocol.h" />
    <ClInclude Include="..\I2PEndian.h" />
+    <ClInclude Include="..\I2PService.h" />
    <ClInclude Include="..\Identity.h" />
    <ClInclude Include="..\LeaseSet.h" />
    <ClInclude Include="..\LittleBigEndian.h" />
    <ClInclude Include="..\Log.h" />
+	<ClInclude Include="..\NetDbRequests.h" />
    <ClInclude Include="..\NetDb.h" />
    <ClInclude Include="..\NTCPSession.h" />
    <ClInclude Include="..\Queue.h" />
+	<ClInclude Include="..\Profiling.h" />
    <ClInclude Include="..\Reseed.h" />
    <ClInclude Include="..\RouterContext.h" />
    <ClInclude Include="..\RouterInfo.h" />
@@ -100,6 +110,7 @@
    <ClInclude Include="..\util.h" />
    <ClInclude Include="..\SOCKS.h" />
    <ClInclude Include="..\I2PTunnel.h" />
+    <ClInclude Include="..\I2PControl.h" />
    <ClInclude Include="..\version.h" />
    <ClInclude Include="..\Signature.h" />
    <ClInclude Include="..\ClientContext.h" />
@@ -278,4 +289,4 @@
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
-</Project>
+</Project>
--- a/Win32/i2pd.vcxproj.filters
+++ b/Win32/i2pd.vcxproj.filters
@@ -135,6 +135,15 @@
    <ClCompile Include="..\ClientContext.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
+    <ClCompile Include="..\BOB.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\I2PControl.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="..\I2PService.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="..\Identity.h">
@@ -275,6 +284,15 @@
    <ClInclude Include="resource.h">
      <Filter>Header Files</Filter>
    </ClInclude>
+    <ClInclude Include="..\BOB.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\I2PControl.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\I2PService.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="Resource.rc">
--- a/aes.cpp
+++ b/aes.cpp
@@ -1,351 +0,0 @@
-#include <stdlib.h>
-#include "TunnelBase.h"
-#include "aes.h"
-
-namespace i2p
-{
-namespace crypto
-{
-
-#ifdef AESNI
-	
-	#define KeyExpansion256(round0,round1) \
-		"pshufd	$0xff, %%xmm2, %%xmm2 \n" \
-		"movaps	%%xmm1, %%xmm4 \n" \
-		"pslldq	$4, %%xmm4 \n" \
-		"pxor %%xmm4, %%xmm1 \n" \
-		"pslldq	$4, %%xmm4 \n" \
-		"pxor %%xmm4, %%xmm1 \n" \
-		"pslldq	$4, %%xmm4 \n" \
-		"pxor %%xmm4, %%xmm1 \n" \
-		"pxor %%xmm2, %%xmm1 \n" \
-		"movaps	%%xmm1, "#round0"(%[sched]) \n" \
-		"aeskeygenassist $0, %%xmm1, %%xmm4 \n" \
-		"pshufd	$0xaa, %%xmm4, %%xmm2 \n" \
-		"movaps	%%xmm3, %%xmm4 \n" \
-		"pslldq	$4, %%xmm4 \n" \
-		"pxor %%xmm4, %%xmm3 \n" \
-	    "pslldq	$4, %%xmm4 \n" \
-		"pxor %%xmm4, %%xmm3 \n" \
-		"pslldq	$4, %%xmm4 \n" \
-		"pxor %%xmm4, %%xmm3 \n" \
-		"pxor %%xmm2, %%xmm3 \n" \
-		"movaps	%%xmm3, "#round1"(%[sched]) \n" 
-
-	void ECBCryptoAESNI::ExpandKey (const AESKey& key)
-	{
-		__asm__
-		(
-			"movups (%[key]), %%xmm1 \n"
-			"movups 16(%[key]), %%xmm3 \n"
-			"movaps %%xmm1, (%[sched]) \n"
-			"movaps %%xmm3, 16(%[sched]) \n"
-			"aeskeygenassist $1, %%xmm3, %%xmm2 \n"
-			KeyExpansion256(32,48)
-			"aeskeygenassist $2, %%xmm3, %%xmm2 \n"
-			KeyExpansion256(64,80)
-			"aeskeygenassist $4, %%xmm3, %%xmm2 \n"
-			KeyExpansion256(96,112)
-			"aeskeygenassist $8, %%xmm3, %%xmm2 \n"
-			KeyExpansion256(128,144)
-			"aeskeygenassist $16, %%xmm3, %%xmm2 \n"
-			KeyExpansion256(160,176)
-			"aeskeygenassist $32, %%xmm3, %%xmm2 \n"
-			KeyExpansion256(192,208)
-			"aeskeygenassist $64, %%xmm3, %%xmm2 \n"
-			// key expansion final
-			"pshufd	$0xff, %%xmm2, %%xmm2 \n"
-			"movaps	%%xmm1, %%xmm4 \n" 
-			"pslldq	$4, %%xmm4 \n"
-			"pxor %%xmm4, %%xmm1 \n"
-			"pslldq	$4, %%xmm4 \n"
-			"pxor %%xmm4, %%xmm1 \n"
-			"pslldq	$4, %%xmm4 \n"
-			"pxor %%xmm4, %%xmm1 \n"
-			"pxor %%xmm2, %%xmm1 \n"
-			"movups	%%xmm1, 224(%[sched]) \n"
-			: // output
-			: [key]"r"((const uint8_t *)key), [sched]"r"(GetKeySchedule ()) // input
-			: "%xmm1", "%xmm2", "%xmm3", "%xmm4" // clogged
-		);
-	}
-
-	#define EncryptAES256(sched) \
-		"pxor (%["#sched"]), %%xmm0 \n" \
-		"aesenc	16(%["#sched"]), %%xmm0 \n" \
-		"aesenc	32(%["#sched"]), %%xmm0 \n" \
-		"aesenc	48(%["#sched"]), %%xmm0 \n" \
-		"aesenc	64(%["#sched"]), %%xmm0 \n" \
-		"aesenc	80(%["#sched"]), %%xmm0 \n" \
-		"aesenc	96(%["#sched"]), %%xmm0 \n" \
-		"aesenc	112(%["#sched"]), %%xmm0 \n" \
-		"aesenc	128(%["#sched"]), %%xmm0 \n" \
-		"aesenc	144(%["#sched"]), %%xmm0 \n" \
-		"aesenc	160(%["#sched"]), %%xmm0 \n" \
-		"aesenc	176(%["#sched"]), %%xmm0 \n" \
-		"aesenc	192(%["#sched"]), %%xmm0 \n" \
-		"aesenc	208(%["#sched"]), %%xmm0 \n" \
-		"aesenclast	224(%["#sched"]), %%xmm0 \n"
-		
-	void ECBEncryptionAESNI::Encrypt (const ChipherBlock * in, ChipherBlock * out)
-	{
-		__asm__
-		(
-			"movups	(%[in]), %%xmm0 \n"
-			EncryptAES256(sched)
-			"movups	%%xmm0, (%[out]) \n"	
-			: : [sched]"r"(GetKeySchedule ()), [in]"r"(in), [out]"r"(out) : "%xmm0"
-		);
-	}		
-
-	#define DecryptAES256(sched) \
-		"pxor 224(%["#sched"]), %%xmm0 \n" \
-		"aesdec	208(%["#sched"]), %%xmm0 \n" \
-		"aesdec	192(%["#sched"]), %%xmm0 \n" \
-		"aesdec	176(%["#sched"]), %%xmm0 \n" \
-		"aesdec	160(%["#sched"]), %%xmm0 \n" \
-		"aesdec	144(%["#sched"]), %%xmm0 \n" \
-		"aesdec	128(%["#sched"]), %%xmm0 \n" \
-		"aesdec	112(%["#sched"]), %%xmm0 \n" \
-		"aesdec	96(%["#sched"]), %%xmm0 \n" \
-		"aesdec	80(%["#sched"]), %%xmm0 \n" \
-		"aesdec	64(%["#sched"]), %%xmm0 \n" \
-		"aesdec	48(%["#sched"]), %%xmm0 \n" \
-		"aesdec	32(%["#sched"]), %%xmm0 \n" \
-		"aesdec	16(%["#sched"]), %%xmm0 \n" \
-		"aesdeclast (%["#sched"]), %%xmm0 \n"
-	
-	void ECBDecryptionAESNI::Decrypt (const ChipherBlock * in, ChipherBlock * out)
-	{
-		__asm__
-		(
-			"movups	(%[in]), %%xmm0 \n"
-			DecryptAES256(sched)
-			"movups	%%xmm0, (%[out]) \n"	
-			: : [sched]"r"(GetKeySchedule ()), [in]"r"(in), [out]"r"(out) : "%xmm0"
-		);		
-	}
-
-	#define CallAESIMC(offset) \
-		"movaps "#offset"(%[shed]), %%xmm0 \n"	\
-		"aesimc %%xmm0, %%xmm0 \n" \
-		"movaps %%xmm0, "#offset"(%[shed]) \n" 
-
-	void ECBDecryptionAESNI::SetKey (const AESKey& key)
-	{
-		ExpandKey (key); // expand encryption key first
-		// then  invert it using aesimc
-		__asm__
-		(
-			CallAESIMC(16)
-			CallAESIMC(32)
-			CallAESIMC(48)
-			CallAESIMC(64)
-			CallAESIMC(80)
-			CallAESIMC(96)
-			CallAESIMC(112)
-			CallAESIMC(128)
-			CallAESIMC(144)
-			CallAESIMC(160)
-			CallAESIMC(176)
-			CallAESIMC(192)
-			CallAESIMC(208)
-			: : [shed]"r"(GetKeySchedule ()) : "%xmm0"
-		);
-	}
-
-#endif		
-
-
-	void CBCEncryption::Encrypt (int numBlocks, const ChipherBlock * in, ChipherBlock * out)
-	{
-#ifdef AESNI
-		__asm__
-		(
-		 	"movups	(%[iv]), %%xmm1 \n"
-		 	"block_e: \n"
-		 	"movups	(%[in]), %%xmm0 \n"
-		 	"pxor %%xmm1, %%xmm0 \n"
-		 	EncryptAES256(sched)
-		 	"movaps	%%xmm0, %%xmm1 \n"	
-		 	"movups	%%xmm0, (%[out]) \n"
-		 	"add $16, %[in] \n"
-		 	"add $16, %[out] \n"
-		 	"dec %[num] \n"
-		 	"jnz block_e; \n"	 	
-		 	"movups	%%xmm1, (%[iv]) \n"
-			: 
-			: [iv]"r"(&m_LastBlock), [sched]"r"(m_ECBEncryption.GetKeySchedule ()), 
-			  [in]"r"(in), [out]"r"(out), [num]"r"(numBlocks)
-			: "%xmm0", "%xmm1", "cc", "memory"
-		); 
-#else		
-		for (int i = 0; i < numBlocks; i++)
-		{
-			m_LastBlock ^= in[i];
-			m_ECBEncryption.Encrypt (&m_LastBlock, &m_LastBlock);
-			out[i] = m_LastBlock;
-		}
-#endif		
-	}
-
-	void CBCEncryption::Encrypt (const uint8_t * in, std::size_t len, uint8_t * out)
-	{
-		// len/16
-		Encrypt (len >> 4, (const ChipherBlock *)in, (ChipherBlock *)out); 
-	}
-
-	void CBCEncryption::Encrypt (const uint8_t * in, uint8_t * out)
-	{
-#ifdef AESNI
-		__asm__
-		(
-			"movups	(%[iv]), %%xmm1 \n"
-			"movups	(%[in]), %%xmm0 \n"
-		 	"pxor %%xmm1, %%xmm0 \n"
-		 	EncryptAES256(sched)
-			"movups	%%xmm0, (%[out]) \n"
-			"movups	%%xmm0, (%[iv]) \n"
-			: 
-			: [iv]"r"(&m_LastBlock), [sched]"r"(m_ECBEncryption.GetKeySchedule ()), 
-			  [in]"r"(in), [out]"r"(out)
-			: "%xmm0", "%xmm1", "memory"
-		);		
-#else
-		Encrypt (1, (const ChipherBlock *)in, (ChipherBlock *)out); 
-#endif
-	}
-
-	void CBCDecryption::Decrypt (int numBlocks, const ChipherBlock * in, ChipherBlock * out)
-	{
-#ifdef AESNI
-		__asm__
-		(
-			"movups	(%[iv]), %%xmm1 \n"
-		 	"block_d: \n"
-		 	"movups	(%[in]), %%xmm0 \n"
-			"movaps %%xmm0, %%xmm2 \n"
-		 	DecryptAES256(sched)
-			"pxor %%xmm1, %%xmm0 \n"
-		 	"movups	%%xmm0, (%[out]) \n"
-			"movaps %%xmm2, %%xmm1 \n"
-		 	"add $16, %[in] \n"
-		 	"add $16, %[out] \n"
-		 	"dec %[num] \n"
-		 	"jnz block_d; \n"	 	
-		 	"movups	%%xmm1, (%[iv]) \n"
-			: 
-			: [iv]"r"(&m_IV), [sched]"r"(m_ECBDecryption.GetKeySchedule ()), 
-			  [in]"r"(in), [out]"r"(out), [num]"r"(numBlocks)
-			: "%xmm0", "%xmm1", "%xmm2", "cc", "memory"
-		); 
-#else
-		for (int i = 0; i < numBlocks; i++)
-		{
-			ChipherBlock tmp = in[i];
-			m_ECBDecryption.Decrypt (in + i, out + i);
-			out[i] ^= m_IV;
-			m_IV = tmp;
-		}
-#endif
-	}
-
-	void CBCDecryption::Decrypt (const uint8_t * in, std::size_t len, uint8_t * out)
-	{
-		Decrypt (len >> 4, (const ChipherBlock *)in, (ChipherBlock *)out); 
-	}
-
-	void CBCDecryption::Decrypt (const uint8_t * in, uint8_t * out)
-	{
-#ifdef AESNI
-		__asm__
-		(
-			"movups	(%[iv]), %%xmm1 \n"
-		 	"movups	(%[in]), %%xmm0 \n"
-			"movups	%%xmm0, (%[iv]) \n"
-		 	DecryptAES256(sched)
-			"pxor %%xmm1, %%xmm0 \n"
-		 	"movups	%%xmm0, (%[out]) \n"	
-			: 
-			: [iv]"r"(&m_IV), [sched]"r"(m_ECBDecryption.GetKeySchedule ()), 
-			  [in]"r"(in), [out]"r"(out)
-			: "%xmm0", "%xmm1", "memory"
-		);
-#else
-		Decrypt (1, (const ChipherBlock *)in, (ChipherBlock *)out); 
-#endif
-	}
-
-	void TunnelEncryption::Encrypt (uint8_t * payload)
-	{
-#ifdef AESNI
-		__asm__
-		(
-            // encrypt IV 
-			"movups	(%[payload]), %%xmm0 \n"
-			EncryptAES256(sched_iv)
-			"movaps %%xmm0, %%xmm1 \n"
-			// double IV encryption
-			EncryptAES256(sched_iv)
-			"movups %%xmm0, (%[payload]) \n"
-			// encrypt data, IV is xmm1
-			"block_et: \n"
-			"add $16, %[payload] \n"
-		 	"movups	(%[payload]), %%xmm0 \n"
-		 	"pxor %%xmm1, %%xmm0 \n"
-		 	EncryptAES256(sched_l)
-		 	"movaps	%%xmm0, %%xmm1 \n"	
-		 	"movups	%%xmm0, (%[payload]) \n"
-		 	"dec %[num] \n"
-		 	"jnz block_et; \n"	 	
-			: 
-			: [sched_iv]"r"(m_IVEncryption.GetKeySchedule ()), [sched_l]"r"(m_LayerEncryption.GetKeySchedule ()), 
-			  [payload]"r"(payload), [num]"r"(63) // 63 blocks = 1008 bytes
-			: "%xmm0", "%xmm1", "cc", "memory"
-		);
-#else
-		m_IVEncryption.Encrypt ((ChipherBlock *)payload, (ChipherBlock *)payload); // iv
-		m_LayerEncryption.SetIV (payload);
-		m_LayerEncryption.Encrypt (payload + 16, i2p::tunnel::TUNNEL_DATA_ENCRYPTED_SIZE, payload + 16); // data
-		m_IVEncryption.Encrypt ((ChipherBlock *)payload, (ChipherBlock *)payload); // double iv
-#endif
-	}
-
-	void TunnelDecryption::Decrypt (uint8_t * payload)
-	{
-#ifdef AESNI
-		__asm__
-		(
-            // decrypt IV 
-			"movups	(%[payload]), %%xmm0 \n"
-			DecryptAES256(sched_iv)
-			"movaps %%xmm0, %%xmm1 \n"
-			// double IV encryption
-			DecryptAES256(sched_iv)
-			"movups %%xmm0, (%[payload]) \n"
-			// decrypt data, IV is xmm1
-			"block_dt: \n"
-			"add $16, %[payload] \n"
-			"movups	(%[payload]), %%xmm0 \n"
-			"movaps %%xmm0, %%xmm2 \n"
-		 	DecryptAES256(sched_l)
-			"pxor %%xmm1, %%xmm0 \n"
-		 	"movups	%%xmm0, (%[payload]) \n"
-			"movaps %%xmm2, %%xmm1 \n"
-		 	"dec %[num] \n"
-		 	"jnz block_dt; \n"	 	
-			: 
-			: [sched_iv]"r"(m_IVDecryption.GetKeySchedule ()), [sched_l]"r"(m_LayerDecryption.GetKeySchedule ()), 
-			  [payload]"r"(payload), [num]"r"(63) // 63 blocks = 1008 bytes
-			: "%xmm0", "%xmm1", "%xmm2", "cc", "memory"
-		);
-#else
-		m_IVDecryption.Decrypt ((ChipherBlock *)payload, (ChipherBlock *)payload); // iv
-		m_LayerDecryption.SetIV (payload);	
-		m_LayerDecryption.Decrypt (payload + 16, i2p::tunnel::TUNNEL_DATA_ENCRYPTED_SIZE, payload + 16); // data
-		m_IVDecryption.Decrypt ((ChipherBlock *)payload, (ChipherBlock *)payload); // double iv
-#endif
-	}
-}
-}
-
--- a/api.cpp
+++ b/api.cpp
@@ -0,0 +1,114 @@
+#include <string>
+#include <map>
+#include "Log.h"
+#include "NetDb.h"
+#include "Transports.h"
+#include "Tunnel.h"
+#include "RouterContext.h"
+#include "Identity.h"
+#include "Destination.h"
+#include "util.h"
+#include "api.h"
+
+namespace i2p
+{
+namespace api
+{
+	void InitI2P (int argc, char* argv[], const char * appName)
+	{
+		i2p::util::filesystem::SetAppName (appName);
+		i2p::util::config::OptionParser(argc, argv);
+		i2p::context.Init ();	
+	}
+
+	void StartI2P (std::ostream * logStream)
+	{
+		if (logStream)
+			StartLog (logStream);
+		else
+			StartLog (i2p::util::filesystem::GetFullPath (i2p::util::filesystem::GetAppName () + ".log"));
+		i2p::data::netdb.Start();
+		LogPrint("NetDB started");
+		i2p::transport::transports.Start();
+		LogPrint("Transports started");
+		i2p::tunnel::tunnels.Start();
+		LogPrint("Tunnels started");
+	}
+
+	void StopI2P ()
+	{
+		LogPrint("Shutdown started.");
+		i2p::tunnel::tunnels.Stop();
+		LogPrint("Tunnels stopped");
+		i2p::transport::transports.Stop();
+		LogPrint("Transports stopped");
+		i2p::data::netdb.Stop();
+		LogPrint("NetDB stopped");
+		StopLog ();
+	}
+
+	void RunPeerTest ()
+	{
+		i2p::transport::transports.PeerTest ();
+	}	
+	
+	std::shared_ptr<i2p::client::ClientDestination> CreateLocalDestination (const i2p::data::PrivateKeys& keys, bool isPublic,
+		const std::map<std::string, std::string> * params)
+	{
+		auto localDestination = std::make_shared<i2p::client::ClientDestination> (keys, isPublic, params);
+		localDestination->Start ();
+		return localDestination;
+	}
+
+	std::shared_ptr<i2p::client::ClientDestination> CreateLocalDestination (bool isPublic, i2p::data::SigningKeyType sigType,
+		const std::map<std::string, std::string> * params)
+	{
+		i2p::data::PrivateKeys keys = i2p::data::PrivateKeys::CreateRandomKeys (sigType);
+		auto localDestination = std::make_shared<i2p::client::ClientDestination> (keys, isPublic, params);
+		localDestination->Start ();
+		return localDestination;
+	}
+
+	void DestroyLocalDestination (std::shared_ptr<i2p::client::ClientDestination> dest)
+	{
+		if (dest)
+			dest->Stop ();
+	}
+
+	void RequestLeaseSet (std::shared_ptr<i2p::client::ClientDestination> dest, const i2p::data::IdentHash& remote)
+	{
+		if (dest)
+			dest->RequestDestination (remote);
+	}
+
+	std::shared_ptr<i2p::stream::Stream> CreateStream (std::shared_ptr<i2p::client::ClientDestination> dest, const i2p::data::IdentHash& remote)
+	{
+		if (!dest) return nullptr;
+		auto leaseSet = dest->FindLeaseSet (remote);
+		if (leaseSet)
+		{
+			auto stream = dest->CreateStream (leaseSet);
+			stream->Send (nullptr, 0); // connect
+			return stream;
+		}
+		else
+		{
+			RequestLeaseSet (dest, remote);
+			return nullptr;	
+		}	
+	}
+
+	void AcceptStream (std::shared_ptr<i2p::client::ClientDestination> dest, const i2p::stream::StreamingDestination::Acceptor& acceptor)
+	{
+		if (dest)
+			dest->AcceptStreams (acceptor);
+	}
+
+	void DestroyStream (std::shared_ptr<i2p::stream::Stream> stream)
+	{
+		if (stream)
+			stream->Close ();
+	}
+}
+}
+
--- a/Show More
+++ b/Show More