diff --git a/docs/wire-protocol.txt b/docs/wire-protocol.txt
index d3756bf21..0cb51cc0c 100644
--- a/docs/wire-protocol.txt
+++ b/docs/wire-protocol.txt
@@ -30,15 +30,22 @@ A asks for a flow id from B.
 
 B MAY send a flow id to A or MAY reject the message from A.
 
-
 session handshake:
 
 an encrypted session is established using establish wire session messages
 using a newly created flow id.
 
+message format:
 
-outer message format:
+there are 2 layers in this protocol, outer messages and inner messages.
+
+outer messages are sent in plaintext and / or obfsucated with symettric
+encryption using a preshared key.
 
+inner messages are inside an encrypted and authenticated envelope
+wrapped by an outer messages, which is always a data tranmssion message.
+
+outer message format:
 
 every outer message MAY be obfsucated via symettric encryption for dpi
 resistance reasons, this is not authenticated encryption.
@@ -57,6 +64,11 @@ K = HS(B_k)
 N = HS(n + K)
 X = SD(K, m, N[0:24])
 
+where
+B_k is the long term identity public key of the recipient.
+HS is blake2 256 bit non keyed hash
+SD is xchacha20 symettric stream cipher (decryption)
+
 outer-header:
 
 <1 byte command>
@@ -70,7 +82,7 @@ obtain a flow id
 <6 magic bytes "netid?">
 <8 bytes netid, I>
 <8 bytes timestamp milliseconds since epoch, T>
-<32 bytes ed25519 public key of sender, A_k>
+<32 bytes public identity key of sender, A_k>
 <0-N bytes discarded>
 <last 64 bytes signature of unobfuscated packet, Z>
 
@@ -84,8 +96,8 @@ command 'G' - give flow id
 <outer-header>
 <6 magic bytes "netid!">
 <16 bytes new flow id>
-<32 bytes ed25519 public key of sender, A_k>
-<0-N bytes discarded>
+<32 bytes public identiy key of sender, A_k>
+<0-N bytes ignored but included in signature>
 <last 64 bytes signature of unobfsucated packet, Z>
 
 after recieving a give flow id message a session negotiation can happen with that flow id.
@@ -97,8 +109,8 @@ reject new flow
 <outer-header>
 <14 ascii bytes reason for rejection null padded>
 <8 bytes timestamp>
-<32 bytes ed25519 public key of sender, A_k>
-<0-N bytes discarded>
+<32 bytes public identity key of sender, A_k>
+<0-N bytes ignored but included in signature>
 <last 64 bytes signature of unobsfucated packet, Z>
 
 command 'E' - establish wire session
@@ -106,12 +118,17 @@ command 'E' - establish wire session
 establish an encrypted session using a flow id
 
 <outer-header>
+<2 bytes 0x0a 0x0d>
+<4 bytes flags, F>
 <16 bytes flow id, B>
 <32 bytes ephemeral public encryption key, E>
 <8 bytes packet counter starting at 0>
 <optional 32 bytes authenticated credentials, A>
 <last 64 bytes signature of unobfuscated packet using identity key, Z>
 
+
+F is currently set to all zeros
+
 every time we try establishing a wire session we increment the counter
 by 1 for the next message we send.
 
@@ -145,14 +162,13 @@ Z is keyed hash of entire message
 
 Z is generated via:
 
-msg.Z = '0x00' * 32
-msg.Z = MDS(msg, tx_K)
+msg.Z = MDS(outer-header + F + N + X, tx_K)
 
 data tranmission:
 
 inner message format of X (after decryption):
 
-header:
+inner header:
 
 <1 byte protocol version>
 <1 byte command>
@@ -162,7 +178,7 @@ command: 'k' (keep alive)
 
 tell other side to acknoledge they are alive
 
-<header>
+<inner header>
 <2 bytes resevered, set to 0>
 <2 bytes attempt counter, set to 0 and incremented every retransmit, reset when we get a keepalive ack>
 <2 bytes milliseconds ping timeout>
@@ -175,7 +191,7 @@ command: 'l' (keep alive ack)
 
 acknolege keep alive message
 
-<header>
+<inner header>
 <6 bytes reserved, set to 0>
 <8 bytes current session RX limit in bytes per second>
 <8 bytes current session TX use in bytes per second>
@@ -188,7 +204,7 @@ command: 'n' (advertise neighboors)
 tell peer about neighboors, only sent by non service nodes to other non service
 nodes.
 
-<header>
+<inner header>
 <route between us and them>
 <0 or more intermediate routes>
 <route from a service node>
@@ -209,7 +225,7 @@ command: 'c' (congestion)
 
 tell other side to slow down
 
-<header>
+<inner header>
 <2 bytes reduce TX rate by this many 1024 bytes per second>
 <4 bytes milliseconds slowdown lifetime>
 <remaining bytes discarded>
@@ -218,48 +234,42 @@ command: 'd' (anti-congestion)
 
 tell other side to speed up
 
-<header>
+<inner header>
 <2 bytes increase TX rate by this many 1024 bytes per second>
 <4 bytes milliseconds speedup lifetime>
 <remaining bytes discarded>
 
-command: 't' (transmit data)
 
-transmit a message to a peer
+command: 's' (start transmission)
+
+initate the transmission of a message to the remote peer
 
-if this fragment is not addressed to us we route it to the neighboor
-with the shortest route to the recipiant as advertised by all neighboors.
+<inner header>
+<1 byte flags F>
+<1 byte reserved R set to zero>
+<2 bytes total size of full message>
+<4 bytes sequence number S>
+<32 bytes blake2 hash of full message>
+<N remaining bytes first fragment of message>
 
-<header>
-<32 bytes public identity key of recipiant>
-<32 bytes public identity key of sender>
-<24 bytes nounce, N>
-<N bytes encrypted message, X>
-<last 32 bytes keyed hash, Z>
+if F lsb is set then there is no further fragments
 
-encrypted via:
+command: 't' (continued transmission)
 
-K = EDDH(recipiant, sender)
-X = SE(msg, K, N)
-Z = MDS(X, K)
+continue transmission of a bigger message
 
-encrypted message format:
+<inner header>
+<1 byte flags F>
+<1 bytes reserved R set to zero>
+<2 bytes 16 byte block offset in message>
+<4 bytes sequence number S>
+<N remaining bytes fragment of message aligned to 16 bytes>
+<remaining bytes not aligned to 16 bytes discarded>
 
-<1 byte version, currently 0>
-<1 byte number of acks following, aN>
-<8 * aN bytes acks>
-<4 byte sequence number of fragment or 0 if no fragment is included>
-<2 byte 16 byte block offset in message of this fragment if it is included>
-<remaining bytes fragment data aligned to 16 bytes>
-<discard anything not aligned to 16 bytes>
+command: 'q' (acknoledge transmission)
 
-ack format:
+acknoledges a transmitted message
 
-<4 byte message sequence number>
-<1 byte reserved current set to 0>
-<1 byte ack counter (number of acks sent for the corrisponding message)>
-<1 byte bitmask fragments selective ack (msb is fragment 0, lsb is fragment 7)>
-<1 byte bitmask fragments posative ack (msb is fragment 0, lsb is fragment 7)>
 
 
 command: 'r' (rotate keys)
@@ -273,6 +283,7 @@ n_K = TKE(K, B_e, K_seed, N)
 A.tx_K = n_K
 B.rx_K = n_K
 
+<inner header>
 <2 bytes milliseconds lifetime of old keys, retain them for this long and then discard>
 <4 bytes reserved, set to 0>
 <32 bytes key exchange nounce, N>
@@ -283,7 +294,7 @@ command: 'u' (upgrade)
 
 request protocol upgrade
 
-<header>
+<inner header>
 <1 byte protocol min version to upgrade to>
 <1 byte protocol max version to upgrade to>
 <remaining bytes discarded>
@@ -292,7 +303,7 @@ command: 'v' (version upgrade)
 
 sent in response to upgrade message
 
-<header>
+<inner header>
 <1 byte protocol version selected>
 <1 byte protocol version highest we support>
 <remaining bytes discarded>
diff --git a/llarp/net/net.cpp b/llarp/net/net.cpp
index efb722fd2..fd8792f3c 100644
--- a/llarp/net/net.cpp
+++ b/llarp/net/net.cpp
@@ -992,7 +992,7 @@ namespace llarp
   bool
   IsBogon(const in6_addr& addr)
   {
-#ifdef TESTNET
+#if defined(TESTNET)
     (void)addr;
     return false;
 #else
@@ -1022,12 +1022,15 @@ namespace llarp
         iprange_ipv4(192, 168, 0, 0, 16),  iprange_ipv4(198, 18, 0, 0, 15),
         iprange_ipv4(198, 51, 100, 0, 24), iprange_ipv4(203, 0, 113, 0, 24),
         iprange_ipv4(224, 0, 0, 0, 4),     iprange_ipv4(240, 0, 0, 0, 4)};
-
     for(const auto& bogon : bogonRanges)
     {
       if(bogon.Contains(addr))
       {
+#if defined(TESTNET)
+        return false;
+#else
         return true;
+#endif
       }
     }
     return false;