Rob,
You stated:
"When you are worried about intrusions it is probably more effective to block IPIP packets from sources that are not in the gateway list. I do that as well (via ampr-ripd)."
What command/script do you use to add the endpoints to iptables?
I have posted it before on this mailing list: http://hamradio.ucsd.edu/mailman/private/44net/2014-November/003577.html
This script manipulates an iptables chain. It would be possible to do a similar thing with the "ipset" command to manipulate an address list when you are familiar with that (I wasn't when I wrote this script). The advantage of using iptables is that you have statistics per rule in the table, so you can see which IPIP peers are sending traffic to you. New versions of ipset support counters but the one I am running doesn't.
With a command like this you get a quick overview of your active IPIP peers:

    iptables -L ipipfilter -vn | grep -v ' 0 ACCE'
Rob
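
The ipset variant mentioned in the reply above, as an added example (it is not Rob's script, which is only linked, and not part of the original thread): it turns a gateway list into "ipset restore" input and drops malformed entries before they reach the firewall. The set name "ipipgw", the one-address-per-line input format, the INPUT chain in the comment and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example. Set name "ipipgw" and all sample addresses are assumptions.
# Apply (as root):  gen_restore ipipgw < gateways.txt | ipset -exist restore
# Filter rule:      iptables -A INPUT -p 4 -m set ! --match-set ipipgw src -j DROP

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$1
EOF
    [ -z "$extra" ] || return 1
    for o in "$o1" "$o2" "$o3" "$o4"; do
        [ -n "$o" ] && [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# gen_restore SET: read gateway addresses on stdin (one per line, '#' comments
# allowed) and print "ipset restore" input that rebuilds SET atomically.
gen_restore() {
    set_name=$1
    tmp="${set_name}-new"
    # "counters" gives per-peer packet/byte counts; needs a recent ipset.
    echo "create $set_name hash:ip family inet counters"
    echo "create $tmp hash:ip family inet counters"
    echo "flush $tmp"
    while read -r addr rest; do
        case "$addr" in ''|'#'*) continue ;; esac
        if is_ipv4 "$addr"; then
            echo "add $tmp $addr"
        else
            echo "skipping invalid entry: $addr" >&2   # never reaches ipset
        fi
    done
    echo "swap $tmp $set_name"   # live set is replaced in one step
    echo "destroy $tmp"
}

# Constructed sample list (documentation address ranges, not real gateways).
sample_gateways() {
    cat <<'EOF'
# gateway list
192.0.2.10
198.51.100.23   # trailing comment is ignored
203.0.113.7
203.0.113.999
not-an-address
EOF
}

sample_gateways | gen_restore ipipgw
```

Because the swap replaces the whole set, the per-address counters start again from zero at every refresh.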