Those with a dynamic address CAN participate as their public gateway can now be a FQDN for their dynamic service. I have some within the New York State subnet (44.68/16).

The issue is that IPIP tunnels have to be validate with their external address for at least SOME security, and this means that when the address changes there is nothing else we can do than drop their packets until the change comes through the portal and RIP system.

With a system that has those dynamic addresses connect only to one or two VPN routers in a secure manner (e.g. L2TP/IPsec) we would not have that problem.

Also, those address changes would not be important to other systems on the network. Out of the 561 registered gateways, we only ever receive traffic only from 73 of them. (the others could be either inactive or not be sending traffic to the Netherlands) Their address changes would not be important to us.

Rob