diff --git a/.buildkite/pipeline.yml b/.buildkite/pipeline.yml
index 7a7d7f1b29..7898f04fa6 100644
--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -125,6 +125,7 @@ steps:
         - ./scion.sh topology -c topology/default.topo
         - ./scion.sh run
         - tools/await-connectivity
+        - sleep 5
         - ./bin/scion_integration || ( echo "^^^ +++" && false )
         - ./bin/end2end_integration || ( echo "^^^ +++" && false )
       plugins: &scion-run-hooks
@@ -141,7 +142,7 @@ steps:
             pre-exit: .buildkite/cleanup-leftovers.sh
       artifact_paths: &scion-run-artifact-paths
         - test-out.tar.gz
-      timeout_in_minutes: 15
+      timeout_in_minutes: 20
       key: e2e_integration_tests_v2
       retry: *automatic-retry
     - label: "E2E: failing links :man_in_business_suit_levitating:"
@@ -152,6 +153,7 @@ steps:
         - ./scion.sh topology -c topology/default-no-peers.topo
         - ./scion.sh run
         - tools/await-connectivity
+        - sleep 5
         - ./bin/end2end_integration || ( echo "^^^ +++" && false )
         - ./tools/integration/revocation_test.sh
       plugins: *scion-run-hooks
@@ -167,6 +169,7 @@ steps:
         - ./scion.sh topology -d
         - ./scion.sh run
         - tools/await-connectivity
+        - sleep 5
         - echo "--- run tests"
         - ./bin/end2end_integration -d || ( echo "^^^ +++" && false )
       plugins: *scion-run-hooks
diff --git a/.golangci.yml b/.golangci.yml
index d3a2fc784f..8574907cd0 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -41,24 +41,29 @@ linters:
           msg: spell trust root certificate as trc / TRC
     goheader:
       values:
-        regexp:
-          copyright-lines: |-
-            (Copyright 20[0-9][0-9] .*)(
-            Copyright 20[0-9][0-9] .*)*
-      template: |-
-        {{copyright-lines}}
-
-        Licensed under the Apache License, Version 2.0 (the "License");
-        you may not use this file except in compliance with the License.
-        You may obtain a copy of the License at
+        const:
+          LICENSE_TEXT: |-
+            Licensed under the Apache License, Version 2.0 \(the "License"\);
+            you may not use this file except in compliance with the License.
+            You may obtain a copy of the License at
 
-          http://www.apache.org/licenses/LICENSE-2.0
+              http://www.apache.org/licenses/LICENSE-2.0
 
-        Unless required by applicable law or agreed to in writing, software
-        distributed under the License is distributed on an "AS IS" BASIS,
-        WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-        See the License for the specific language governing permissions and
-        limitations under the License.
+            Unless required by applicable law or agreed to in writing, software
+            distributed under the License is distributed on an "AS IS" BASIS,
+            WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+            See the License for the specific language governing permissions and
+            limitations under the License.
+          SPDX_LINE: |-
+            SPDX-License-Identifier: Apache-2.0
+        regexp:
+          copyright_lines: |-
+            (Copyright 20[0-9][0-9] .*)
+            (Copyright 20[0-9][0-9] .*)*
+          license: |-
+            ({{SPDX_LINE}})|({{LICENSE_TEXT}})
+      template: |-
+        {{copyright_lines}}{{license}}
     lll:
       line-length: 100
       tab-width: 4
diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock
index aa77e411a6..f53807ed73 100644
--- a/MODULE.bazel.lock
+++ b/MODULE.bazel.lock
@@ -241,7 +241,7 @@
   "moduleExtensions": {
     "//:antlr.bzl%antlr": {
       "general": {
-        "bzlTransitiveDigest": "RES7NpV12lXIUZ53wkYAoJNKF9F09XklX2+arTCQ4nI=",
+        "bzlTransitiveDigest": "5XvXGtK4xIbJd9TfgGbSNCdMpU+eMrPzz404GgDb/D4=",
         "usagesDigest": "MYi7gCA2Rcv9xbxcCUXgWRLbup3cc3pAjZrw7P3G8M4=",
         "recordedFileInputs": {},
         "recordedDirentsInputs": {},
diff --git a/Makefile b/Makefile
index 34b9bb750b..962de9b9cb 100644
--- a/Makefile
+++ b/Makefile
@@ -6,11 +6,13 @@ build-dev:
 	tar -kxf bazel-bin/scion.tar -C bin
 	tar -kxf bazel-bin/scion-ci.tar -C bin
 	tar -kxf bazel-bin/scion-topo.tar -C bin
+	sudo setcap "cap_bpf=ep cap_net_admin=ep cap_net_raw=ep" bin/router
 
 build:
 	rm -f bin/*
 	bazel build //:scion
 	tar -kxf bazel-bin/scion.tar -C bin
+	sudo setcap "cap_bpf=ep cap_net_admin=ep cap_net_raw=ep" bin/router
 
 # BFLAGS is optional. It may contain additional command line flags for CI builds. Currently this is:
 # "--file_name_version=$(tools/git-version)" to include the git version in the artifacts names.
diff --git a/acceptance/common/raw.bzl b/acceptance/common/raw.bzl
index 7eb6718a53..d07a6dc7da 100644
--- a/acceptance/common/raw.bzl
+++ b/acceptance/common/raw.bzl
@@ -51,7 +51,7 @@ def raw_test(
     py_binary(
         name = "%s_teardown" % name,
         srcs = [src],
-        args = ["teardown"],
+        args = ["teardown"] + args,
         main = src,
         deps = [":%s_lib" % name],
         imports = imports,
diff --git a/acceptance/common/topogen.bzl b/acceptance/common/topogen.bzl
index bebb575a2a..d90e127f00 100644
--- a/acceptance/common/topogen.bzl
+++ b/acceptance/common/topogen.bzl
@@ -108,7 +108,7 @@ def topogen_test(
 
     py_test(
         name = name,
-        size = "large",
+        size = "medium",
         srcs = [src],
         main = src,
         args = args + common_args,
diff --git a/acceptance/hidden_paths/test.py b/acceptance/hidden_paths/test.py
index 3056096671..1932900461 100755
--- a/acceptance/hidden_paths/test.py
+++ b/acceptance/hidden_paths/test.py
@@ -4,6 +4,7 @@
 
 import http.server
 import threading
+import time
 
 from acceptance.common import base
 from acceptance.common import scion
@@ -110,11 +111,11 @@ def setup_start(self):
         server_thread = threading.Thread(target=configuration_server, args=[server])
         server_thread.start()
         self._server = server
-
         super().setup_start()
 
-        self.await_connectivity()
-        self._server.shutdown()  # by now configuration must have been downloaded everywhere
+        self.await_connectivity()  # <- not very reliable
+        time.sleep(10)             # <- ...so
+        self._server.shutdown()    # by now configuration must have been downloaded everywhere
 
     def _run(self):
         # Group 3
@@ -141,7 +142,7 @@ def _showpaths_bidirectional(self, source: str, destination: str):
 
     def _showpaths_run(self, source_as: str, destination_as: str):
         print(self.execute_tester(ISD_AS(self._ases[source_as]),
-                                  "scion", "sp", self._ases[destination_as], "--timeout", "2s"))
+                                  "scion", "sp", self._ases[destination_as], "--timeout", "3s"))
 
 
 def configuration_server(server):
diff --git a/acceptance/router_benchmark/BUILD.bazel b/acceptance/router_benchmark/BUILD.bazel
index 21f3f853da..b44e0b9a5a 100644
--- a/acceptance/router_benchmark/BUILD.bazel
+++ b/acceptance/router_benchmark/BUILD.bazel
@@ -48,8 +48,6 @@ py_library(
     srcs = ["benchmarklib.py"],
 )
 
-# To ensure that the linter runs over this. Cannot actually be run with
-# bazel run; it is meant to be executed from the command line.
 py_binary(
     name = "benchmark",
     srcs = ["benchmark.py"],
@@ -57,9 +55,7 @@ py_binary(
         "--brload",
         "$(location //acceptance/router_benchmark/brload:brload)",
     ],
-    data = [
-        "//acceptance/router_benchmark/brload",
-    ],
+    data = data,
     imports = ["."],
     visibility = ["//visibility:public"],
     deps = [
diff --git a/acceptance/router_benchmark/benchmark.py b/acceptance/router_benchmark/benchmark.py
index 04e77807b5..1859c97e8f 100755
--- a/acceptance/router_benchmark/benchmark.py
+++ b/acceptance/router_benchmark/benchmark.py
@@ -25,16 +25,21 @@
 
 from benchmarklib import Intf, RouterBM
 from collections import namedtuple
+from plumbum import BG
 from plumbum import cli
 from plumbum import cmd
 from plumbum import local
 from plumbum.cmd import docker
 from plumbum.machines import LocalCommand
-from random import randint
+
 from urllib.request import urlopen
 
 logger = logging.getLogger(__name__)
 
+# Router profiling ON or OFF?
+PROFILING_TRACE = False
+PROFILING_CPU = False
+
 TEST_CASES = [
     "in",
     "out",
@@ -82,8 +87,7 @@ class RouterBMTool(cli.Application, RouterBM):
     mx_interface: str = None
     to_flush: list[str] = []
     scrape_addr: str = None
-
-    log_level = cli.SwitchAttr(["l", "loglevel"], str, default='warning', help="Logging level")
+    log_level: str = cli.SwitchAttr(["l", "loglevel"], str, default='warning', help="Logging level")
 
     doit = cli.Flag(["r", "run"],
                     help="Run the benchmark, as opposed to seeing the instructions")
@@ -95,23 +99,37 @@ class RouterBMTool(cli.Application, RouterBM):
                               help="The coremark score of the subject machine")
     mmbm = cli.SwitchAttr(["m", "mmbm"], int, default=0,
                           help="The mmbm score of the subject machine")
-    packet_size = cli.SwitchAttr(["s", "size"], int, default=172,
+    packet_size = cli.SwitchAttr(["s", "size"], int, default=1500,
                                  help="Test packet size (includes all headers - floored at 154)")
     brload_path = cli.SwitchAttr(["b", "brload"], str, default="bin/brload",
                                  help="Relative path to the brload tool")
-
+    intern_overrides = cli.SwitchAttr(["i", "intern-addr-override"], str, list=True, default=[],
+                                      help="<AS>_<router>=<IP addr>; passed on to brload")
+    public_overrides = cli.SwitchAttr(["p", "public-addr-override"], str, list=True, default=[],
+                                      help="<localAS>_<remoteAS>=<IP addr>; passed on to brload")
+    skip_ifconfig = cli.Flag(["n", "no-ifconfig"],
+                             help="Skip configuring local interfaces (already configured).")
     intf_map: dict[str, Intf] = {}
     brload: LocalCommand = None
     brload_cpus: list[int] = []
     artifacts = f"{os.getcwd()}/acceptance/router_benchmark"
     prom_address: str = "localhost:9090"
+    debug_run: bool = False
+    intern_over_args = []
+    public_over_args = []
 
     def host_interface(self, excl: bool):
         """Returns the next host interface that we should use for a brload links.
 
         If excl is true, we pick one and never pick that one again.
         Else, we pick one the first time it's needed and keep it for reuse.
+
+        If skip_ifconfig is true, we forego multiplexing as it is likely not how things
+        have been configured. We assume one interface per address.
         """
+        if self.skip_ifconfig:
+            return self.avail_interfaces.pop()
+
         if excl:
             return self.avail_interfaces.pop()
 
@@ -148,12 +166,14 @@ def config_interface(self, req: IntfReq):
         # the router's subnet that's not otherwise used. This must NOT be "PeerIP".
         # brload requires the internal interface to be "exclusive", that's our clue.
         if exclusive:
-            net = ipaddress.ip_network(f"{req.ip}/{req.prefix_len}", strict=False)
-            hostAddr = next(net.hosts()) + 126
             self.scrape_addr = req.ip
-            sudo("ip", "addr", "add", f"{hostAddr}/{req.prefix_len}",
-                 "broadcast", str(net.broadcast_address), "dev", host_intf)
-            self.to_flush.append(host_intf)
+            self.profiling_addr = req.ip
+            if not self.skip_ifconfig:
+                net = ipaddress.ip_network(f"{req.ip}/{req.prefix_len}", strict=False)
+                hostAddr = next(net.hosts()) + 126
+                sudo("ip", "addr", "add", f"{hostAddr}/{req.prefix_len}",
+                     "broadcast", str(net.broadcast_address), "dev", host_intf)
+                self.to_flush.append(host_intf)
 
         logger.debug(f"=> Configuring interface {host_intf} for: {req}...")
 
@@ -163,19 +183,23 @@ def config_interface(self, req: IntfReq):
             if i.name == host_intf:
                 break
         else:
-            sudo("ip", "link", "set", host_intf, "mtu", "9000")
-
-            # Do not assign the host addresses but create one link-local addr.
-            # Brload needs some src IP to send arp requests. (This requires rp_filter
-            # to be off on the router side, else, brload's arp requests are discarded).
-            sudo("ip", "addr", "add", f"169.254.{randint(0, 255)}.{randint(0, 255)}/16",
-                 "broadcast", "169.254.255.255",
-                 "dev", host_intf, "scope", "link")
-            sudo("sysctl", "-qw", f"net.ipv6.conf.{host_intf}.disable_ipv6=1")
-            self.to_flush.append(host_intf)
+            # Do not assign the host addresses but some other addr in the same subnet.
+            # This is because brload needs some src IP to send arp requests but we do not want the
+            # linux kernel to handle our incoming packets and respond with icmp errors.
+            if not self.skip_ifconfig:
+                # We allow for packets as large as they get.
+                sudo("ip", "link", "set", host_intf, "mtu", "9000")
+
+                net = ipaddress.ip_network(f"{req.ip}/{req.prefix_len}", strict=False)
+                hostAddr = next(net.hosts()) + 125
+                sudo("ip", "addr", "add", f"{hostAddr}/{req.prefix_len}",
+                     "broadcast", str(net.broadcast_address), "dev", host_intf)
+                sudo("sysctl", "-qw", f"net.ipv6.conf.{host_intf}.disable_ipv6=1")
+                self.to_flush.append(host_intf)
 
         # Fit for duty.
-        sudo("ip", "link", "set", host_intf, "up")
+        if not self.skip_ifconfig:
+            sudo("ip", "link", "set", host_intf, "up")
 
         # Ship it. Leave mac addresses alone. In this standalone test we use the real one.
         self.intf_map[req.label] = Intf(host_intf, None, None)
@@ -198,16 +222,18 @@ def fetch_horsepower(self) -> tuple[int]:
     def setup(self, avail_interfaces: list[str]):
         logger.info("Preparing...")
 
-        # Check that the given interfaces are safe to use. We will wreck their config.
-        for intf in avail_interfaces:
-            output = sudo("ip", "addr", "show", "dev", intf)
-            if len(output.splitlines()) > 2:
-                logger.error(f"""\
-                Interface {intf} appears to be in some kind of use. Cowardly refusing to modify it.
-                If you have a network manager, tell it to disable or ignore that interface.
-                Else, how about \"sudo ip addr flush dev {intf}\"?
-                """)
-                raise RuntimeError("Interface in use")
+        if not self.skip_ifconfig:
+            # Check that the given interfaces are safe to use. We will wreck their config.
+            for intf in avail_interfaces:
+                output = sudo("ip", "addr", "show", "dev", intf)
+                # The check below is too sloppy. Some systems yield false positives.
+                if False:  # len(output.splitlines()) > 2:
+                    logger.error(f"""\
+                    Interface {intf} appears to be in some kind of use. Cowardly refusing to modify
+                    it. If you have a network manager, tell it to disable or ignore that interface.
+                    Else, how about \"sudo ip addr flush dev {intf}\"?
+                    """)
+                    raise RuntimeError("Interface in use")
 
         # Looks safe.
         self.avail_interfaces = avail_interfaces
@@ -216,7 +242,7 @@ def setup(self, avail_interfaces: list[str]):
         # We supply the label->host-side-name mapping to brload when we start it.
         logger.debug("==> Configuring host interfaces...")
 
-        output = self.brload("show-interfaces")
+        output = self.brload("show-interfaces", *self.intern_over_args, *self.public_over_args)
 
         lines = sorted(output.splitlines())
         for line in lines:
@@ -243,6 +269,14 @@ def setup(self, avail_interfaces: list[str]):
         # They'll be used to produce a performance index.
         self.fetch_horsepower()
 
+        # Optionally profile the router
+        if PROFILING_CPU:
+            cmd.curl[f"{self.profiling_addr}:30442/debug/pprof/cpu?seconds=70",
+                     "-o", "router_cpu.pprof"] & BG
+
+        if PROFILING_TRACE:
+            cmd.curl[f"{self.profiling_addr}:30442/debug/pprof/trace?seconds=70",
+                     "-o", "router_trace.pprof"] & BG
         logger.info("Prepared")
 
     def cleanup(self, retcode: int):
@@ -252,7 +286,7 @@ def cleanup(self, retcode: int):
         return retcode
 
     def instructions(self):
-        output = self.brload("show-interfaces")
+        output = self.brload("show-interfaces", *self.intern_over_args, *self.public_over_args)
 
         exclusives = []
         multiplexed = []
@@ -268,6 +302,7 @@ def instructions(self):
         for line in lines:
             elems = line.split(",")
             if len(elems) != 5:
+                print("*******", line)
                 continue
             req = IntfReq._make(elems)
             reqs.append(req)
@@ -290,16 +325,17 @@ def instructions(self):
         print(f"""
 INSTRUCTIONS:
 
-1 - Configure your subject router according to accept/router_benchmark/conf/router.toml")
-    If using openwrt, an easy way to do that is to install the bmtools.ipk package. In addition,
-    bmtools includes two microbenchmarks: scion-coremark and scion-mmbm. Those will run
-    automatically and the results will be used to improve the benchmark report.
+1 - Configure your subject router according to "acceptance/router_benchmark/conf/*" (copy everything
+    to /etc/scion of the router). If using openwrt, an easy way to do that is to install
+    the bmtools.ipk package. In addition, bmtools includes two microbenchmarks: scion-coremark and
+    scion-mmbm. Those will run automatically and the results will be used to improve the benchmark
+    report.
 
     Optional: If you did not install bmtools.ipk, install and run those microbenchmarks and make a
     note of the results: (scion-coremark; scion-mmbm).
 
 2 - Configure the following interfaces on your router (The procedure depends on your router
-    UI) - All interfaces should have the mtu set to 9000:
+    UI):
     - One physical interface with addresses: {", ".join(multiplexed)}
 {nl.join(['    - One physical interface with address: ' + s for s in exclusives])}
 
@@ -335,6 +371,14 @@ def instructions(self):
 """)
 
     def main(self, *interfaces: str):
+        for over in self.intern_overrides:
+            self.intern_over_args.append("--intern-addr-override")
+            self.intern_over_args.append(over)
+
+        for over in self.public_overrides:
+            self.public_over_args.append("--public-addr-override")
+            self.public_over_args.append(over)
+
         # brload cannot be set statically. It need the cli arguments to be
         # processed.
         self.brload = local[self.brload_path]
diff --git a/acceptance/router_benchmark/benchmarklib.py b/acceptance/router_benchmark/benchmarklib.py
index 4290de20bb..76da8a68ff 100644
--- a/acceptance/router_benchmark/benchmarklib.py
+++ b/acceptance/router_benchmark/benchmarklib.py
@@ -74,7 +74,7 @@ def perf_index(self, rate: int) -> float:
 
     def add_case(self, name: str, rate: int, droppage: int, raw_rate: int):
         dropRatio = round(float(droppage) / (rate + droppage), 2)
-        saturated = dropRatio > 0.03
+        saturated = dropRatio >= 0.03
         perf = 0.0
         if self.cores == 3 and self.coremark and self.mmbm:
             perf = round(self.perf_index(rate), 1)
@@ -166,11 +166,17 @@ def exec_br_load(self, case: str, map_args: list[str], duration: int) -> str:
             "run",
             "--artifacts", self.artifacts,
             *map_args,
+            *self.intern_over_args,
+            *self.public_over_args,
             "--case", case,
             "--duration", f"{duration}s",
             "--num-streams", "840",
             "--packet-size", f"{self.packet_size}",
+            "--log.console", "warn" if self.log_level == "warning" else f"{self.log_level}",
         ]
+        if self.debug_run:
+            brload_args.extend(["--num-packets", 1000])
+
         if self.brload_cpus:
             brload_args = [
                 "taskset", "-c", ",".join(map(str, self.brload_cpus)),
@@ -319,13 +325,16 @@ def run_bm(self, test_cases: [str]) -> Results:
 
         # Run one test (30% size) as warm-up to trigger any frequency scaling, else the first test
         # can get much lower performance.
-        logger.debug("Warmup")
-        self.exec_br_load(test_cases[0], map_args, 5)
-
-        # Fetch the core count once. It doesn't change while the router is running.
-        # We cannot get this until the router has been up for a few seconds. If you shorten
-        # the warmup for some reason, make sure to add a delay.
-        cores = self.core_count()
+        if self.debug_run:
+            cores = 3
+        else:
+            logger.debug("Warmup")
+            self.exec_br_load(test_cases[0], map_args, 5)
+
+            # Fetch the core count once. It doesn't change while the router is running.
+            # We cannot get this until the router has been up for a few seconds. If you shorten
+            # the warmup for some reason, make sure to add a delay.
+            cores = self.core_count()
 
         # At long last, run the tests.
         results = Results(cores, self.coremark, self.mmbm, self.packet_size)
diff --git a/acceptance/router_benchmark/brload/main.go b/acceptance/router_benchmark/brload/main.go
index 48cf770126..b537636b20 100644
--- a/acceptance/router_benchmark/brload/main.go
+++ b/acceptance/router_benchmark/brload/main.go
@@ -73,13 +73,16 @@ var (
 		"out_transit": cases.OutTransit,
 		"br_transit":  cases.BrTransit,
 	}
-	logConsole   string
-	dir          string
-	testDuration time.Duration
-	packetSize   int
-	numStreams   uint16
-	caseToRun    caseChoice
-	interfaces   []string
+	logConsole          string
+	dir                 string
+	testDuration        time.Duration
+	numPackets          int
+	packetSize          int
+	numStreams          uint16
+	caseToRun           caseChoice
+	interfaces          []string
+	internAddrOverrides []string
+	publicAddrOverrides []string
 )
 
 func main() {
@@ -102,6 +105,7 @@ func main() {
 		},
 	}
 	runCmd.Flags().DurationVar(&testDuration, "duration", time.Second*15, "Test duration")
+	runCmd.Flags().IntVar(&numPackets, "num-packets", -1, "Maximum number of packets")
 	runCmd.Flags().IntVar(&packetSize, "packet-size", 172, "Total size of each packet sent")
 	runCmd.Flags().Uint16Var(&numStreams, "num-streams", 4,
 		"Number of independent streams (flowID) to use")
@@ -113,9 +117,24 @@ func main() {
 		`label=<host_interface>[,<MACaddr>] where <host_interface> is the host device that matches
  the <label> requirement from --show-interfaces and <MACaddr> is the local address to assume for it.
  <MACaddr> defaults to the real address assigned to the device`)
+	runCmd.Flags().StringArrayVar(&internAddrOverrides, "intern-addr-override", []string{},
+		`<AS>_<router>=<IP addr> where <AS> is an AS number, <router> is the index of one router
+of that AS, and <IP addr> is the IP address assigned to the internal interface of that
+router`)
+	runCmd.Flags().StringArrayVar(&publicAddrOverrides, "public-addr-override", []string{},
+		`<localAS>_<remoteAS>=<IP addr> where <localAS> and <remoteAS> are AS numbers,
+and <IP addr> is the IP address assigned on the side of localAS`)
 	runCmd.MarkFlagRequired("case")
 	runCmd.MarkFlagRequired("interface")
 
+	intfCmd.Flags().StringArrayVar(&internAddrOverrides, "intern-addr-override", []string{},
+		`<AS>_<router>=<IP addr> where <AS> is an AS number, <router> is the index of one router
+of that AS, and <IP addr> is the IP address assigned to the internal interface of that
+router`)
+	intfCmd.Flags().StringArrayVar(&publicAddrOverrides, "public-addr-override", []string{},
+		`<localAS>_<remoteAS>=<IP addr> where <localAS> and <remoteAS> are AS numbers,
+and <IP addr> is the IP address assigned on the side of localAS`)
+
 	rootCmd.AddCommand(intfCmd)
 	rootCmd.AddCommand(runCmd)
 	rootCmd.CompletionOptions.HiddenDefaultCmd = true
@@ -127,10 +146,49 @@ func main() {
 }
 
 func showInterfaces(cmd *cobra.Command) int {
+	// Process overrides if any, and create the interfaces map
+	cases.InitIntIPoverrides(internAddrOverrides)
+	cases.InitPubIPoverrides(publicAddrOverrides)
+	cases.InitIntfMap()
+
 	fmt.Println(cases.ListInterfaces())
 	return 0
 }
 
+// rttCheck sends a single copy of rawPkt through writePktTo and returns the time elapsed until
+// any packet shows up on packetChan. It gives up after one second. The UDP checksum field of
+// rawPkt (bytes 40-41) is zeroed in place. The payload argument is currently unused.
+func rttCheck(
+	writePktTo *afpacket.TPacket,
+	packetChan chan gopacket.Packet,
+	rawPkt []byte,
+	payload []byte,
+) (time.Duration, error) {
+	// We only use IPv4, where the UDP checksum is optional: zero it rather than recompute it.
+	// The IP checksum does not cover the payload, so it needs no update.
+	binary.BigEndian.PutUint16(rawPkt[40:42], 0)
+
+	// Hand a one-packet batch (a private copy of rawPkt) to a multi-packet sender.
+	probe := make([]byte, len(rawPkt))
+	copy(probe, rawPkt)
+	sender := newMpktSender(writePktTo)
+	sender.setPkts([][]byte{probe})
+
+	// Start the one second deadline and the clock, then send the packet.
+	deadline := time.After(time.Second)
+	start := time.Now()
+	if _, err := sender.sendAll(); err != nil {
+		return 0, err
+	}
+	// Whichever comes first: a received packet or the deadline.
+	select {
+	case <-deadline:
+		return 0, errors.New("listener never saw any packet")
+	case <-packetChan:
+		return time.Since(start), nil
+	}
+}
+
 func run(cmd *cobra.Command) int {
 	logCfg := log.Config{Console: log.ConsoleConfig{Level: logConsole}}
 	if err := log.Setup(logCfg); err != nil {
@@ -155,6 +213,11 @@ func run(cmd *cobra.Command) int {
 		return 1
 	}
 
+	// Process overrides if any, and create the interfaces map
+	cases.InitIntIPoverrides(internAddrOverrides)
+	cases.InitPubIPoverrides(publicAddrOverrides)
+	cases.InitIntfMap()
+
 	interfaceNames := cases.InitInterfaces(interfaces)
 	handles, err := openDevices(interfaceNames)
 	if err != nil {
@@ -186,19 +249,27 @@ func run(cmd *cobra.Command) int {
 	packetChan := packetSource.Packets()
 	listenerChan := make(chan int)
 
+	// Because we're using IPV4 only, the UDP checksum is optional, so we are allowed to
+	// just set it to zero instead of recomputing it. The IP checksum does not cover the payload, so
+	// we don't need to update it.
+	binary.BigEndian.PutUint16(rawPkt[40:42], 0)
+
+	// Measure the rtt with one packet.
+	rtt, err := rttCheck(writePktTo, packetChan, rawPkt, payload)
+	if err == nil {
+		fmt.Printf("rtt: %s\n", rtt.String())
+	} else {
+		fmt.Printf("rtt error: %s\n", err)
+	}
+
 	go func() {
 		defer log.HandlePanic()
 		defer close(listenerChan)
 		listenerChan <- receivePackets(packetChan, payload)
 	}()
 
-	// Because we're using IPV4 only, the UDP checksum is optional, so we are allowed to
-	// just set it to zero instead of recomputing it. The IP checksum does not cover the payload, so
-	// we don't need to update it.
-	binary.BigEndian.PutUint16(rawPkt[40:42], 0)
-
 	// Prepare a batch worth of packets.
-	batchSize := int(8)
+	batchSize := int(64)
 	allPkts := make([][]byte, batchSize)
 	for i := 0; i < batchSize; i++ {
 		allPkts[i] = make([]byte, len(rawPkt))
@@ -215,6 +286,7 @@ func run(cmd *cobra.Command) int {
 	metricsBegin := begin.Unix()
 
 	numPkt := 0
+out:
 	for time.Since(begin) < testDuration {
 		// we break every 1000 batches to check the time
 		for range 1000 {
@@ -223,14 +295,20 @@ func run(cmd *cobra.Command) int {
 			// first 32 bit field. To make our life simpler, we only use the last 16 bits (so no
 			// more than 64K flows).
 			for j := range batchSize {
-				binary.BigEndian.PutUint16(allPkts[j][44:46], uint16(numPkt%int(numStreams)))
-				numPkt++
+				binary.BigEndian.PutUint16(allPkts[j][44:46], uint16((numPkt+j)%int(numStreams)))
 			}
 
-			if _, err := sender.sendAll(); err != nil {
+			if n, err := sender.sendAll(); err == nil {
+				// n can be less than a batch if sendAll is made non-blocking.
+				numPkt += n
+			} else {
 				log.Error("writing input packet", "case", string(caseToRun), "error", err)
 				return 1
 			}
+			// The limit is checked once per batch, so we may overshoot it by up to a batch.
+			if numPackets > 0 && numPackets <= numPkt {
+				break out
+			}
 		}
 	}
 
@@ -248,7 +326,7 @@ func run(cmd *cobra.Command) int {
 		select {
 		case outcome = <-listenerChan:
 			if outcome == 0 {
-				log.Error("Listener never saw a valid packet being forwarded")
+				log.Error("listener never saw a valid packet being forwarded")
 				return 1
 			}
 		case <-timeout:
@@ -306,7 +384,11 @@ func openDevices(interfaceNames []string) (map[string]*afpacket.TPacket, error)
 	handles := make(map[string]*afpacket.TPacket)
 
 	for _, intf := range interfaceNames {
-		handle, err := afpacket.NewTPacket(afpacket.OptInterface(intf), afpacket.OptFrameSize(4096))
+		handle, err := afpacket.NewTPacket(
+			afpacket.OptInterface(intf),
+			afpacket.OptBlockTimeout(time.Millisecond), // TPv3 waits for and aggregates packets!
+			// afpacket.OptFrameSize(intf.MTU), // Constrained. default is probably best
+		)
 		if err != nil {
 			return nil, serrors.Wrap("creating TPacket", err)
 		}
diff --git a/acceptance/router_benchmark/brload/mmsg.go b/acceptance/router_benchmark/brload/mmsg.go
index 7695842f6d..8e95e60549 100644
--- a/acceptance/router_benchmark/brload/mmsg.go
+++ b/acceptance/router_benchmark/brload/mmsg.go
@@ -18,10 +18,13 @@ package main
 
 import (
 	"reflect"
+	"runtime"
 	"unsafe"
 
 	"github.com/gopacket/gopacket/afpacket"
 	"golang.org/x/sys/unix"
+
+	"github.com/scionproto/scion/pkg/log"
 )
 
 type mmsgHdr struct {
@@ -48,6 +51,21 @@ func newMpktSender(tp *afpacket.TPacket) *mpktSender {
 	sender.fd = int(fdv.Int())
 	// This is to make sure that tp cannot be finalized before we're done abusing its file desc.
 	sender.tp = tp
+
+	// Try and bypass queuing discipline. If that doesn't work, we'll survive.
+	err := unix.SetsockoptInt(sender.fd, unix.SOL_PACKET, unix.PACKET_QDISC_BYPASS, 1)
+	if err != nil {
+		log.Info("Could not bypass queing discipline", "err", err)
+	}
+
+	// If we're going to send, we need to make sure we're not receiving our own stuff. The default
+	// behaviour is less than clear. The loopback doesn't work with veth, but likely does with
+	// everything else.
+	err = unix.SetsockoptInt(sender.fd, unix.SOL_PACKET, unix.PACKET_IGNORE_OUTGOING, 1)
+	if err != nil {
+		panic(err)
+	}
+
 	return sender
 }
 
@@ -67,16 +85,27 @@ func (sender *mpktSender) setPkts(ps [][]byte) {
 }
 
 func (sender *mpktSender) sendAll() (int, error) {
-	// This will hog a core (as far as the Go scheduler is concerned) for the duration of the call
-	// as the Go run-time has no idea that this is a blocking write. This is perfectly fine for our
-	// use case.
-	n, _, err := unix.Syscall6(unix.SYS_SENDMMSG,
-		uintptr(sender.fd),
-		uintptr(unsafe.Pointer(&sender.msgs[0])),
-		uintptr(len(sender.msgs)),
-		0, 0, 0)
-	if err == 0 {
-		return int(n), nil
+	for {
+		// Send the whole batch with one sendmmsg call. This will hog a core (as far as the Go
+		// scheduler is concerned) for the duration of the call, as the Go run-time has no idea
+		// that this is a blocking write. That is perfectly fine for our use case.
+		n, _, err := unix.Syscall6(unix.SYS_SENDMMSG,
+			uintptr(sender.fd),
+			uintptr(unsafe.Pointer(&sender.msgs[0])),
+			uintptr(len(sender.msgs)),
+			0, // flags: blocking. uintptr(unix.MSG_DONTWAIT) would make it non-blocking.
+			0, 0)
+		if err == 0 {
+			// Success: n is the number of packets that were sent.
+			return int(n), nil
+		}
+		if err == unix.EWOULDBLOCK || err == unix.EAGAIN {
+			// The queue is completely full: nothing at all was sent. That happens only in
+			// non-blocking mode. Yield and retry (cheaper than using poll or select).
+			runtime.Gosched()
+			continue
+		}
+		// Some error other than EWOULDBLOCK/EAGAIN. Nothing was sent either.
+		return 0, err
 	}
-	return int(n), err
 }
diff --git a/acceptance/router_benchmark/cases/topo.go b/acceptance/router_benchmark/cases/topo.go
index c3a7c5f953..95a05c17c9 100644
--- a/acceptance/router_benchmark/cases/topo.go
+++ b/acceptance/router_benchmark/cases/topo.go
@@ -77,6 +77,9 @@ type intfDesc struct {
 // Per our scheme, the subnet number is the largest of the two AS numbers and the host is always
 // the local AS. This works if there are no cycles. Else there could be subnet number collisions.
 func PublicIP(localAS byte, remoteAS byte) netip.Addr {
+	if addrOverride, found := pubIPoverrides[int(localAS)][int(remoteAS)]; found {
+		return addrOverride
+	}
 	subnetNr := max(remoteAS, localAS)
 	return netip.AddrFrom4([4]byte{10, 123, subnetNr, localAS})
 }
@@ -90,6 +93,9 @@ func PublicIPPort(localAS byte, remoteAS byte) (netip.Addr, layers.UDPPort) {
 // internalIP returns the IP address that is assigned to the internal interface of the given
 // router in the AS of the given index.
 func InternalIP(AS byte, routerIndex byte) netip.Addr {
+	if addrOverride, found := intIPoverrides[int(AS)][int(routerIndex)]; found {
+		return addrOverride
+	}
 	return netip.AddrFrom4([4]byte{10, 123, AS * 10, routerIndex})
 }
 
@@ -156,11 +162,7 @@ func interfaceLabel(AS int, intf int) string {
 
 var (
 	// intfMap lists the required interfaces. That's what we use to respond to showInterfaces
-	intfMap map[string]intfDesc = map[string]intfDesc{
-		interfaceLabel(1, 0): {InternalIP(1, 1), InternalIP(1, 2), true},
-		interfaceLabel(1, 2): {PublicIP(1, 2), PublicIP(2, 1), false},
-		interfaceLabel(1, 3): {PublicIP(1, 3), PublicIP(3, 1), false},
-	}
+	intfMap map[string]intfDesc = map[string]intfDesc{}
 
 	// deviceNames holds the real (os-given) names of our required network interfaces. It is
 	// created and populated from the values of the --interface options by InitInterfaces.
@@ -171,8 +173,87 @@ var (
 	// interface since we record the neighbor's addresses too. Additional IPs not from intfMap have
 	// no known mac addresses; we are free to make them up to make credible packets.
 	macAddrs map[netip.Addr]net.HardwareAddr
+
+	// override map for public ip addresses. Use those, rather than the autogenerated ones, if
+	// instructed.  (Note, that it means that the topology file and router config have been changed
+	// too).  Used as pubIPoverrides[localAS][remoteAS] == ip_addr_at_localAS
+	pubIPoverrides map[int]map[int]netip.Addr
+
+	// override map for internal ip addresses. Use those, rather than the autogenerated ones, if
+	// instructed.  (Note, that it means that the topology file and router config have been changed
+	// too).  Used as intIPoverrides[AS][routerNb] == internal_ip_addr_at_router
+	intIPoverrides map[int]map[int]netip.Addr
 )
 
+// InitPubIPoverrides takes an array of strings and generates a map.
+// The format of each string is "localAS_remoteAS=IP", where each AS is an AS number.
+func InitPubIPoverrides(pairs []string) {
+	pubIPoverrides = make(map[int]map[int]netip.Addr)
+	for _, pair := range pairs {
+		p := strings.Split(pair, "=")
+		ASes := strings.Split(p[0], "_")
+		IP, err := netip.ParseAddr(p[1])
+		if err != nil {
+			panic(err)
+		}
+		localAS, err := strconv.Atoi(ASes[0])
+		if err != nil {
+			panic(err)
+		}
+		remoteAS, err := strconv.Atoi(ASes[1])
+		if err != nil {
+			panic(err)
+		}
+		if pubIPoverrides[localAS] == nil {
+			pubIPoverrides[localAS] = make(map[int]netip.Addr)
+		}
+		pubIPoverrides[localAS][remoteAS] = IP
+		fmt.Printf("pubIpOverride: localAS %d remoteAS %d IP %s\n", localAS, remoteAS, IP.String())
+		if err != nil {
+			panic(err)
+		}
+	}
+}
+
+// InitIntIPoverrides takes an array of strings and generates a map.
+// The format of each string is "AS_router=IP", where AS is an AS number and router is
+// the index of one router.
+func InitIntIPoverrides(pairs []string) {
+	intIPoverrides = make(map[int]map[int]netip.Addr)
+	for _, pair := range pairs {
+		p := strings.Split(pair, "=")
+		ASrouter := strings.Split(p[0], "_")
+		IP, err := netip.ParseAddr(p[1])
+		if err != nil {
+			panic(err)
+		}
+		AS, err := strconv.Atoi(ASrouter[0])
+		if err != nil {
+			panic(err)
+		}
+		routerNb, err := strconv.Atoi(ASrouter[1])
+		if err != nil {
+			panic(err)
+		}
+		if intIPoverrides[AS] == nil {
+			intIPoverrides[AS] = make(map[int]netip.Addr)
+		}
+		fmt.Printf("intIpOverride: AS %d router %d IP %s\n", AS, routerNb, IP.String())
+		intIPoverrides[AS][routerNb] = IP
+		if err != nil {
+			panic(err)
+		}
+	}
+}
+
+func InitIntfMap() {
+	intfMap = map[string]intfDesc{
+		interfaceLabel(1, 0): {InternalIP(1, 1), InternalIP(1, 2), true},
+		interfaceLabel(1, 2): {PublicIP(1, 2), PublicIP(2, 1), false},
+		interfaceLabel(1, 3): {PublicIP(1, 3), PublicIP(3, 1), false},
+	}
+}
+
 // InitInterfaces collects the names (OS device name) and mac addresses for the interfaces setup by
 // the invoker according to instructions given via listInterfaces().
 // This information is indexed by our own interface labels.
@@ -201,7 +282,8 @@ func InitInterfaces(pairs []string) []string {
 
 		// PeerMac (our side): By default we use the real one, but we can be told to use another.
 		// (If the link is virtual ethernet, using the real mac address causes serious performance
-		// issues, the cause of which has yet to be found).
+		// issues: the kernel will waste time trying to process incoming packets and sending icmp
+		// errors back).
 		peerMAC := device.HardwareAddr
 		if len(info) > 1 {
 			peerMAC, err = net.ParseMAC(info[1])
diff --git a/acceptance/router_benchmark/test.py b/acceptance/router_benchmark/test.py
index 739f2b7ea3..e1e5b49c1a 100644
--- a/acceptance/router_benchmark/test.py
+++ b/acceptance/router_benchmark/test.py
@@ -39,6 +39,14 @@
 # Router profiling ON or OFF?
 PROFILING = False
 
+# DEBUG run: set this to True to reduce number of packets and skip microbenchmarks and warmup.
+DEBUG_RUN = False
+
+# MAX_CPUS: the total number of cpus that the test will try to harness. The standard for this
+# test is 5: 2 for brload and 3 for the router. Any different number invalidates the performance
+# index (which will be reported as 0).
+MAX_CPUS = 5
+
 # Those values are valid expectations only when running in the CI environment.
 TEST_CASES = {
     "in": 700000,
@@ -73,13 +81,13 @@ def choose_cpus_from_unshared_cache(caches: list[int], cores: list[int]) -> list
     is the configuration that causes the least performance variability.
 
     Returns:
-      A list of up to 4 vcpus. All are first choice.
+      A list of up to MAX_CPUS vcpus. All are first choice.
     """
 
     chosen = [cpus[0] for cpus in caches.values() if len(cpus) == 1]
 
     logger.info(f"CPUs from unshared cache: best={len(chosen)}")
-    return sorted(chosen)[0:4]
+    return sorted(chosen)[0:MAX_CPUS]
 
 
 def choose_cpus_from_single_cache(caches: list[int], cores: list[int]) -> list[int]:
@@ -93,16 +101,16 @@ def choose_cpus_from_single_cache(caches: list[int], cores: list[int]) -> list[i
     activities.
 
     Returns:
-      A list of up to 4 vcpus. The ones at the head of the list are the best.
+      A list of up to MAX_CPUS vcpus. The ones at the head of the list are the best.
     """
 
     best = {cpus[0] for cpus in cores.values() if len(cpus) == 1}
     chosen = set()
     for cpus in caches.values():
         chosen = set(cpus) & best
-        if len(chosen) >= 4:
+        if len(chosen) >= MAX_CPUS:
             logger.info(f"CPUs from single cache: best={len(chosen)}")
-            return sorted(chosen)[0:4]
+            return sorted(chosen)[0:MAX_CPUS]
 
     # Not enough. Add second-best CPUs (one from each hyperthreaded core)
     # and filter the cache sets again.
@@ -122,7 +130,7 @@ def choose_cpus_from_single_cache(caches: list[int], cores: list[int]) -> list[i
                 f"best={len(chosen & best)} "
                 f"second_best={len(chosen & second_best)}")
 
-    return (sorted(chosen & best) + sorted(chosen & second_best))[0:4]
+    return (sorted(chosen & best) + sorted(chosen & second_best))[0:MAX_CPUS]
 
 
 def choose_cpus_from_best_cores(caches: list[int], cores: list[int]) -> list[int]:
@@ -130,13 +138,13 @@ def choose_cpus_from_best_cores(caches: list[int], cores: list[int]) -> list[int
 
     This variant gives up on cache discrimination and applies only the second level criteria:
 
-    Collect up to 4 cpus by selecting, in that order:
+    Collect up to MAX_CPUS cpus by selecting, in that order:
     * cpus of non-hyperthreaded cores.
     * only one cpu of each hyperthreaded core.
     * any remaining cpu.
 
     Returns:
-      A list of up to 4 vcpus. The ones at the head of the list are the best.
+      A list of up to MAX_CPUS vcpus. The ones at the head of the list are the best.
     """
 
     cpus_by_core = list(cores.values())  # What we get is a list of cpu groups.
@@ -150,7 +158,7 @@ def choose_cpus_from_best_cores(caches: list[int], cores: list[int]) -> list[int
     quality += 1
 
     # Collect the rest, one round at a time.
-    while len(cpus_by_core) > 0 and len(chosen) < 4:
+    while len(cpus_by_core) > 0 and len(chosen) < MAX_CPUS:
         other = ([cpus.pop(0) for cpus in cpus_by_core])
         cpus_by_core = [cpus for cpus in cpus_by_core if len(cpus) > 0]
         report[quality] += len(other)
@@ -161,7 +169,7 @@ def choose_cpus_from_best_cores(caches: list[int], cores: list[int]) -> list[int
                 f"best={report[0]} second_best={report[1]} other={report[2]}")
 
     # The last round can get too many, so truncate to promised length.
-    return chosen[0:4]
+    return chosen[0:MAX_CPUS]
 
 
 class RouterBMTest(base.TestBase, RouterBM):
@@ -185,21 +193,25 @@ class RouterBMTest(base.TestBase, RouterBM):
     Pretend traffic is injected by brload's. See the test cases for details.
     """
 
-    # TODO(jiceatscion): We construct intf_map during setup and we use it later, during
-    # _run(). As a result, running setup, run, at teardown separately is not possible for
-    # this test. May be it would be possible to reconstruct the map without actually setup the
-    # interfaces, assuming brload isn't being changed in-between.
+    # We construct intf_map during setup and we use it later, during _run(). As a result, running
+    # setup, run, and teardown separately is difficult.  During run and teardown, we reconstruct the
+    # map without actually setting up the interfaces. This assumes that brload isn't being changed
+    # in-between, since the map is based on the requirements that it outputs.
 
+    debug_run: bool = DEBUG_RUN
     router_cpus: list[int] = [0]
 
     # Used by the RouterBM mixin:
     coremark: int = 0
     mmbm: int = 0
+    log_level: str = "error"
     packet_size: int = BM_PACKET_SIZE
     intf_map: dict[str, Intf] = {}
     brload: LocalCommand = None
     brload_cpus: list[int] = [0]
     prom_address: str = "localhost:9999"
+    intern_over_args = []
+    public_over_args = []
 
     ci = cli.Flag(
         "ci",
@@ -215,9 +227,9 @@ def init(self):
         self.choose_cpus()
 
     def choose_cpus(self):
-        """Chooses 4 cpus and assigns 3 for the router and 1 for the blaster.
+        """Chooses MAX_CPUS cpus and assigns 2 to the blaster and the rest to the router.
 
-        Try various policies in decreasing order of preference. We use fewer than 4 cores
+        Try various policies in decreasing order of preference. We use fewer than MAX_CPUS cores
         only as a last resort
         """
 
@@ -249,25 +261,25 @@ def choose_cpus(self):
             cores[core].append(cpu)
 
         chosen = choose_cpus_from_unshared_cache(caches, cores)
-        if len(chosen) < 4:
+        if len(chosen) < MAX_CPUS:
             chosen = choose_cpus_from_single_cache(caches, cores)
-        if len(chosen) < 4:
+        if len(chosen) < MAX_CPUS:
             chosen = choose_cpus_from_best_cores(caches, cores)
 
         # Make the best of what we got. All but the last cpu go to the router. Those are the
         # best choice.
-        if len(chosen) == 1:
+        if len(chosen) < 3:
             # When you have lemons...
             self.router_cpus = chosen
             self.brload_cpus = chosen
         else:
-            self.router_cpus = chosen[:-1]
-            self.brload_cpus = chosen[-1:]
+            self.router_cpus = chosen[:-2]
+            self.brload_cpus = chosen[-2:]
 
         logger.info(f"router cpus: {self.router_cpus}")
         logger.info(f"brload cpus: {self.brload_cpus}")
 
-    def create_interface(self, req: IntfReq, ns: str):
+    def create_interface(self, req: IntfReq, ns: str, doit: bool):
         """Creates a pair of virtual interfaces, with one end in the given network namespace and the
         other in the host stack.
 
@@ -306,7 +318,10 @@ def create_interface(self, req: IntfReq, ns: str):
             * The IP address to be assigned to that interface.
             * The IP address of one neighbor.
           ns: The network namespace where that interface must exist.
-
+          doit: If true, do it for real. Else, assume it is already done and just re-populate the
+                interface map. That is necessary for split operations, where test_setup, test_run,
+                and test_teardown are used. Of course this will only work well if requested
+                interfaces have not changed.
         """
 
         phys_label = req.label if req.exclusive == "true" else "mx"
@@ -323,40 +338,42 @@ def create_interface(self, req: IntfReq, ns: str):
         else:
             peer_mac = mac_for_ip(req.peer_ip)
             mac = mac_for_ip(req.ip)
-            sudo("ip", "link", "add", host_intf, "type", "veth", "peer", "name", br_intf)
-            sudo("ip", "link", "set", host_intf, "mtu", "9000")
-            sudo("ip", "link", "set", host_intf, "arp", "off")  # Make sure the real addr isn't used
-
-            # Do not assign the host addresses but create one link-local addr.
-            # Brload needs some src IP to send arp requests.
-            sudo("ip", "addr", "add", f"169.254.{randint(0, 255)}.{randint(0, 255)}/16",
-                 "broadcast", "169.254.255.255",
-                 "dev", host_intf, "scope", "link")
-
-            sudo("sysctl", "-qw", f"net.ipv6.conf.{host_intf}.disable_ipv6=1")
-            sudo("ethtool", "-K", br_intf, "rx", "off", "tx", "off")
-            sudo("ip", "link", "set", br_intf, "mtu", "9000")
-            sudo("ip", "link", "set", br_intf, "address", mac)
-
-            # The network namespace
-            sudo("ip", "link", "set", br_intf, "netns", ns)
-            sudo("ip", "netns", "exec", ns,
-                 "sysctl", "-qw", f"net.ipv6.conf.{br_intf}.disable_ipv6=1")
+            if doit:
+                sudo("ip", "link", "add", host_intf, "type", "veth", "peer", "name", br_intf)
+                sudo("ip", "link", "set", host_intf, "mtu", "9000")
+                sudo("ip", "link", "set", host_intf, "arp", "off")  # Make sure real addr not used
+
+                # Do not assign the host addresses but create one link-local addr.
+                # Brload needs some src IP to send arp requests.
+                sudo("ip", "addr", "add", f"169.254.{randint(0, 255)}.{randint(0, 255)}/16",
+                     "broadcast", "169.254.255.255",
+                     "dev", host_intf, "scope", "link")
+
+                sudo("sysctl", "-qw", f"net.ipv6.conf.{host_intf}.disable_ipv6=1")
+                sudo("ethtool", "-K", br_intf, "rx", "off", "tx", "off")
+                sudo("ip", "link", "set", br_intf, "mtu", "9000")
+                sudo("ip", "link", "set", br_intf, "address", mac)
+
+                # The network namespace
+                sudo("ip", "link", "set", br_intf, "netns", ns)
+                sudo("ip", "netns", "exec", ns,
+                     "sysctl", "-qw", f"net.ipv6.conf.{br_intf}.disable_ipv6=1")
+                sudo("ip", "netns", "exec", ns,
+                     "sysctl", "-qw", "net.ipv4.conf.all.rp_filter=0")
+                sudo("ip", "netns", "exec", ns,
+                     "sysctl", "-qw", f"net.ipv4.conf.{br_intf}.rp_filter=0")
+
+        if doit:
+            # Add the router side IP addresses (even if we're multiplexing on an existing intf).
             sudo("ip", "netns", "exec", ns,
-                 "sysctl", "-qw", "net.ipv4.conf.all.rp_filter=0")
-            sudo("ip", "netns", "exec", ns,
-                 "sysctl", "-qw", f"net.ipv4.conf.{br_intf}.rp_filter=0")
-
-        # Add the router side IP addresses (even if we're multiplexing on an existing interface).
-        sudo("ip", "netns", "exec", ns,
-             "ip", "addr", "add", f"{req.ip}/{req.prefix_len}",
-             "broadcast",
-             ipaddress.ip_network(f"{req.ip}/{req.prefix_len}", strict=False).broadcast_address,
-             "dev", br_intf)
+                 "ip", "addr", "add", f"{req.ip}/{req.prefix_len}",
+                 "broadcast",
+                 ipaddress.ip_network(f"{req.ip}/{req.prefix_len}", strict=False).broadcast_address,
+                 "dev", br_intf)
 
-        # Fit for duty.
-        sudo("ip", "link", "set", host_intf, "up")
-        sudo("ip", "netns", "exec", ns, "ip", "link", "set", br_intf, "up")
+            # Fit for duty.
+            sudo("ip", "link", "set", host_intf, "up")
+            sudo("ip", "netns", "exec", ns, "ip", "link", "set", br_intf, "up")
 
         # Ship it.
         self.intf_map[req.label] = Intf(host_intf, mac, peer_mac)
@@ -366,6 +383,8 @@ def create_interface(self, req: IntfReq, ns: str):
             self.profiling_addr = req.ip
 
     def fetch_horsepower(self):
+        if self.debug_run:
+            return
         try:
             coremark_exe = self.get_executable("coremark")
             output = taskset("-c", self.router_cpus[0], coremark_exe.executable)
@@ -389,6 +408,28 @@ def fetch_horsepower(self):
         except Exception as e:
             logger.info(e)
 
+    # Args:
+    #   doit: If True, the interfaces really need to be created. Otherwise, this is just to
+    #         re-populate the map (needed if invoked in several phases: setup, run, teardown).
+    #
+    def create_interfaces(self, doit: bool):
+        # Run brload's show-interfaces command and set up the veth pairs that it needs.
+        # The router uses one end and the test uses the other end to feed it with (and possibly
+        # capture) traffic.
+        # We supply the label->(host-side-name,mac,peermac) mapping to brload when we start it.
+        output = self.brload("show-interfaces")
+        for line in output.splitlines():
+            elems = line.split(",")
+            if len(elems) != 5:
+                continue
+            t = IntfReq._make(elems)
+
+            # If we're supposed to re-populate the map with already created interfaces, and if we
+            # see that the map is already populated; we can just stop.
+            if t.label in self.intf_map and not doit:
+                break
+            self.create_interface(t, "benchmark", doit)
+
     def setup_prepare(self):
         super().setup_prepare()
 
@@ -426,21 +467,13 @@ def setup_prepare(self):
         # value 64, so that packets sent from router will match the expected value.
         sudo("ip", "netns", "exec", "benchmark", "sysctl", "-w", "net.ipv4.ip_default_ttl=64")
 
-        # Run test brload test with --show-interfaces and set up the veth that it needs.
-        # The router uses one end and the test uses the other end to feed it with (and possibly
-        # capture) traffic.
-        # We supply the label->(host-side-name,mac,peermac) mapping to brload when we start it.
-        output = self.brload("show-interfaces")
-
-        for line in output.splitlines():
-            elems = line.split(",")
-            if len(elems) != 5:
-                continue
-            t = IntfReq._make(elems)
-            self.create_interface(t, "benchmark")
+        self.create_interfaces(True)
 
         # Now the router can start.
         docker("run",
+               "--cap-add=NET_RAW",
+               "--cap-add=NET_ADMIN",
+               "--cap-add=BPF",
                "-v", f"{self.artifacts}/conf:/etc/scion",
                "-d",
                "-e", f"GOMAXPROCS={len(self.router_cpus)}",
@@ -469,8 +502,11 @@ def setup_prepare(self):
 
         # We don't need that symlink any more
         sudo("rm", "/var/run/netns/benchmark")
+        logger.info("Setup complete")
 
     def teardown(self):
+        super().teardown()
+        self.create_interfaces(False)
         docker["logs", "router"].run_fg(retcode=None)
         docker("rm", "-f", "prometheus")
         docker("rm", "-f", "router")
@@ -478,6 +514,7 @@ def teardown(self):
         sudo("chown", "-R", whoami().strip(), self.artifacts)
 
     def _run(self):
+        self.create_interfaces(False)
         results = self.run_bm(list(TEST_CASES.keys()))
         if results.cores != len(self.router_cpus):
             raise RuntimeError("Wrong number of cores used by the router; "
diff --git a/acceptance/router_multi/test.py b/acceptance/router_multi/test.py
index fc7da04a7a..f7d0b086c2 100644
--- a/acceptance/router_multi/test.py
+++ b/acceptance/router_multi/test.py
@@ -39,6 +39,9 @@ def sudo(command: str) -> str:
     return cmd.sudo("-A", str.split(command))
 
 
+# Can't assign the host-side addresses to the interfaces. If we do that the kernel tries
+# to resolve the ports that aren't there (because brload is using a raw socket) and sends
+# errors back.
 def create_veth(host: str, container: str, ip: str, mac: str, ns: str, neighbors: List[str]):
     sudo("ip link add %s mtu 8000 type veth peer name %s mtu 8000" % (host, container))
     sudo("sysctl -qw net.ipv6.conf.%s.disable_ipv6=1" % host)
@@ -96,10 +99,12 @@ def setup_start(self):
 
         if self.bfd:
             exec_docker(f"run -v {self.artifacts}/conf:/etc/scion -d "
+                        "--cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=BPF "
                         "--network container:pause --name router "
                         "scion/router:latest")
         else:
             exec_docker(f"run -v {self.artifacts}/conf:/etc/scion -d "
+                        "--cap-add=NET_RAW --cap-add=NET_ADMIN --cap-add=BPF "
                         "--network container:pause --name router "
                         "scion/router:latest "
                         "--config /etc/scion/router_nobfd.toml")
diff --git a/acceptance/sig_short_exp_time/docker-compose.yml b/acceptance/sig_short_exp_time/docker-compose.yml
index 3286b77531..990757fbbe 100644
--- a/acceptance/sig_short_exp_time/docker-compose.yml
+++ b/acceptance/sig_short_exp_time/docker-compose.yml
@@ -95,6 +95,5 @@ services:
       bridge2:
         ipv4_address: 242.254.200.10
     privileged: true
-version: '2.4'
 volumes:
   vol_logs: null
diff --git a/dist/openwrt/initds/router b/dist/openwrt/initds/router
index 0d18d3d0fb..3abbcfbd78 100644
--- a/dist/openwrt/initds/router
+++ b/dist/openwrt/initds/router
@@ -10,6 +10,7 @@ SERVICE_WRITE_PID=1
 SERVICE_DAEMONIZE=1
 
 start() {
+    setcap "cap_bpf=ep cap_net_admin=ep cap_net_raw=ep" /usr/bin/$APP
     service_start /usr/bin/$APP --config /etc/scion/router.toml
 }
 
diff --git a/dist/rpm/scion.postinst b/dist/rpm/scion.postinst
index 3dbae88ebb..a20815a076 100644
--- a/dist/rpm/scion.postinst
+++ b/dist/rpm/scion.postinst
@@ -10,4 +10,3 @@ mkdir /etc/scion/ >& /dev/null || true
 mkdir /var/lib/scion/ >& /dev/null || true
 chown scion:scion /etc/scion/ /var/lib/scion
 
-
diff --git a/dist/systemd/scion-router@.service b/dist/systemd/scion-router@.service
index f4677d7a1e..bfd6b56914 100644
--- a/dist/systemd/scion-router@.service
+++ b/dist/systemd/scion-router@.service
@@ -11,6 +11,7 @@ User=scion
 Group=scion
 ExecStart=/usr/bin/scion-router --config /etc/scion/%i.toml
 Restart=on-failure
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_BPF
 
 [Install]
 WantedBy=multi-user.target
diff --git a/dist/test/openwrt_test.sh b/dist/test/openwrt_test.sh
index ff36029d10..5102786fc0 100755
--- a/dist/test/openwrt_test.sh
+++ b/dist/test/openwrt_test.sh
@@ -29,7 +29,7 @@ if [ "$DEBUG" == 0 ]; then  # if DEBUG: keep container openwrt-x86_64 running af
 fi
 
 # Start container as-is.
-docker run -d --rm --name openwrt-x86_64 -t \
+docker run -d --rm --name openwrt-x86_64 -t --privileged \
        -v $SCION_OPENWRT_PACKAGES_DIR:/openwrt \
        "openwrt/rootfs:x86-64-openwrt-24.10" /sbin/init
 
diff --git a/doc/dev/testing/benchmarking.rst b/doc/dev/testing/benchmarking.rst
index c3460edd7b..0680772a8b 100644
--- a/doc/dev/testing/benchmarking.rst
+++ b/doc/dev/testing/benchmarking.rst
@@ -4,10 +4,10 @@ Router Benchmark
 
 :program:`acceptance/router_benchmark/benchmark.py` is a tool to benchmark an external router.
 
-The usage is simply: ``acceptance/router_benchmark/benchmark.py``.
+The usage is simply: ``bazel run acceptance/router_benchmark/benchmark.py``.
 
 Without any options, the tool outputs instructions. Those instructions comprise how to configure
-the subject router and how to re-execute the tool so it actually carries the measurement.
+the subject router and how to re-execute the tool so it actually carries out the measurement.
 
 In order to accomplish the tool's instructions one will need to:
 
diff --git a/doc/manuals/common.rst b/doc/manuals/common.rst
index c728306a94..0ecb1eeb03 100644
--- a/doc/manuals/common.rst
+++ b/doc/manuals/common.rst
@@ -148,8 +148,10 @@ of the individual fields below.
       "link_to": <"parent"|"child"|"peer"|"core">,
       "mtu": <int>,
       "underlay": {
+         "protocol": "<udpip|other_underlay_protocol>",
          "local": "<ip|hostname>:<port>", # or just ":<port>"
-         "remote": "<ip|hostname:port>",
+         "remote": "<ip|hostname>:<port>",
+         "options": "<options>", # optional, defined by protocol
       },
       "bfd": {              # optional
          "disable": <bool>,
@@ -255,6 +257,17 @@ of the individual fields below.
          In the configuration for the corresponding interface in the neighbor AS, these
          addresses are exactly swapped (unless one or both routers are behind NAT).
 
+         .. option:: protocol = <string>, default = "udpip"
+
+            The underlay protocol to be used. The selected underlay protocol must be supported
+            by a specific border router underlay component that declares to implement it.
+
+            The addresses provided via the ``remote`` and ``local`` options must be valid string
+            representations of addresses for the specified protocol.
+
+            As of this writing, the only available underlay protocol is "udpip",
+            which is the default. As a result addresses are always <ip>:<port> pairs.
+
          .. option:: remote = <ip|hostname>:<port>, required
 
             The IP/UDP address of the corresponding router interface in the neighbor AS. If that router
@@ -267,6 +280,9 @@ of the individual fields below.
             address. If the router is behind NAT, this field must be set to the non-public address;
             that is, the address that the router should bind to.
 
+      .. option:: options
+
+         Arbitrary string. Format and semantics are defined by each underlay protocol.
       .. option:: bfd, optional
 
          :term:`Bidirectional Forwarding Detection (BFD) <BFD>` is used to determine
diff --git a/doc/manuals/router.rst b/doc/manuals/router.rst
index e7f0445528..858623716b 100644
--- a/doc/manuals/router.rst
+++ b/doc/manuals/router.rst
@@ -224,6 +224,29 @@ considers the following options.
          Can be overridden for specific inter-AS BFD sessions with
          :option:`bfd.required_min_rx_interval <topology-json required_min_rx_interval>`.
 
+   .. object:: preferred_underlays
+
+      .. option:: udpip = <string>, default = "afpacket"
+
+         Selects an implementation for the "udpip" underlay protocol. If the preferred
+         implementation is not available then any other available implementation is selected.
+         As of this writing, two implementations exist for the "udpip" underlay protocol:
+
+         * "inet": An implementation based on AF_INET sockets and portable to many Unix-like
+           platforms.
+         * "afpacket": An implementation based on AF_PACKET sockets and EBPF filtering, which
+           is less portable.
+
+         In the absence of ``preferred_underlays``, "afpacket" is preferred; falling back to
+         "inet".
+
+      .. option:: <underlay_protocol> = <string>
+
+         Sets the given string as the preferred implementation for the given underlay protocol.
+         The ``preferred_underlays`` section is handled as a map, so any key may be used (to
+         designate future underlay protocols). Entries for nonexistent underlay protocols are
+         silently ignored.
+
 .. _router-conf-topo:
 
 topology.json
diff --git a/go.sum b/go.sum
index bf725837e7..4c3b49230d 100644
--- a/go.sum
+++ b/go.sum
@@ -148,6 +148,8 @@ github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFF
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM=
+github.com/jsimonetti/rtnetlink/v2 v2.0.1/go.mod h1:7MoNYNbb3UaDHtF8udiJo/RH6VsTKP1pqKLUTVCvToE=
 github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
 github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
@@ -187,6 +189,8 @@ github.com/mdlayher/arp v0.0.0-20220512170110-6706a2966875 h1:ql8x//rJsHMjS+qqEa
 github.com/mdlayher/arp v0.0.0-20220512170110-6706a2966875/go.mod h1:kfOoFJuHWp76v1RgZCb9/gVUc7XdY877S2uVYbNliGc=
 github.com/mdlayher/ethernet v0.0.0-20220221185849-529eae5b6118 h1:2oDp6OOhLxQ9JBoUuysVz9UZ9uI6oLUbvAZu0x8o+vE=
 github.com/mdlayher/ethernet v0.0.0-20220221185849-529eae5b6118/go.mod h1:ZFUnHIVchZ9lJoWoEGUg8Q3M4U8aNNWA3CVSUTkW4og=
+github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
+github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
 github.com/mdlayher/packet v1.0.0/go.mod h1:eE7/ctqDhoiRhQ44ko5JZU2zxB88g+JH/6jmnjzPjOU=
 github.com/mdlayher/packet v1.1.2 h1:3Up1NG6LZrsgDVn6X4L9Ge/iyRyxFEFD9o6Pr3Q1nQY=
 github.com/mdlayher/packet v1.1.2/go.mod h1:GEu1+n9sG5VtiRE4SydOmX5GTwyyYlteZiFU+x0kew4=
diff --git a/licenses/data/com_github_cilium_ebpf/LICENSE b/licenses/data/com_github_cilium_ebpf/LICENSE
new file mode 100644
index 0000000000..c637ae99c2
--- /dev/null
+++ b/licenses/data/com_github_cilium_ebpf/LICENSE
@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2017 Nathan Sweet
+Copyright (c) 2018, 2019 Cloudflare
+Copyright (c) 2019 Authors of Cilium
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/licenses/data/com_github_cilium_ebpf/examples/headers/LICENSE.BSD-2-Clause b/licenses/data/com_github_cilium_ebpf/examples/headers/LICENSE.BSD-2-Clause
new file mode 100644
index 0000000000..da366e2ce5
--- /dev/null
+++ b/licenses/data/com_github_cilium_ebpf/examples/headers/LICENSE.BSD-2-Clause
@@ -0,0 +1,32 @@
+Valid-License-Identifier: BSD-2-Clause
+SPDX-URL: https://spdx.org/licenses/BSD-2-Clause.html
+Usage-Guide:
+  To use the BSD 2-clause "Simplified" License put the following SPDX
+  tag/value pair into a comment according to the placement guidelines in
+  the licensing rules documentation:
+    SPDX-License-Identifier: BSD-2-Clause
+License-Text:
+
+Copyright (c) <year> <owner> . All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+   this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
diff --git a/pkg/connect/happy/happy.go b/pkg/connect/happy/happy.go
index b82c41fc99..a02b2fc2ee 100644
--- a/pkg/connect/happy/happy.go
+++ b/pkg/connect/happy/happy.go
@@ -182,7 +182,7 @@ func Happy[R any](ctx context.Context, preferred, fallback Caller[R], cfg Config
 	// Preferred request failed. Return fallback.
 	case errs[idxPreferred] != nil:
 		return reps[idxFallback], errs[idxFallback]
-	// Preferred succeeded. Return fast (even if fallback succeeded too)
+	// Preferred succeeded. Return preferred (even if fallback succeeded too)
 	default:
 		return reps[idxPreferred], errs[idxPreferred]
 	}
diff --git a/private/topology/json/json.go b/private/topology/json/json.go
index 0bcd6722da..efb26a94fb 100644
--- a/private/topology/json/json.go
+++ b/private/topology/json/json.go
@@ -118,9 +118,10 @@ type BRInterface struct {
 
 // Underlay is the underlay information for a BR interface.
 type Underlay struct {
-	Provider string `json:"provider,omitempty"`
+	Protocol string `json:"protocol,omitempty"`
 	Local    string `json:"local,omitempty"`
 	Remote   string `json:"remote,omitempty"`
+	Options  string `json:"options,omitempty"`
 }
 
 // BFD configuration.
diff --git a/private/topology/topology.go b/private/topology/topology.go
index df256953b8..774c2c1e9f 100644
--- a/private/topology/topology.go
+++ b/private/topology/topology.go
@@ -120,9 +120,10 @@ type (
 		ID           iface.ID       // ID of this interface in the local AS.
 		BRName       string         // of the owning router
 		InternalAddr netip.AddrPort // of the owning router. It must be a udpip address.
-		Provider     string         // Underlay provider name
+		Protocol     string         // Underlay protocol name
 		Local        string         // Underlay addr on owning router side
 		Remote       string         // Underlay addr on far router side
+		Options      string         // Underlay link options, if any.
 		RemoteIfID   iface.ID       // ID of this interface for the far router
 		IA           addr.IA        // IA number of the remote AS
 		LinkType     LinkType       // (Child, Parent, Core or Peering)
@@ -319,12 +320,13 @@ func (t *RWTopology) populateBR(raw *jsontopo.Topology) error {
 				t.IFInfoMap[ifID] = ifinfo
 				continue
 			}
-			ifinfo.Provider = rawIntf.Underlay.Provider
-			if ifinfo.Provider == "" { // Backward compatible with older configs
-				ifinfo.Provider = "udpip"
+			ifinfo.Protocol = rawIntf.Underlay.Protocol
+			if ifinfo.Protocol == "" { // Backward compatible with older configs
+				ifinfo.Protocol = "udpip"
 			}
 			ifinfo.Local = rawIntf.Underlay.Local
 			ifinfo.Remote = rawIntf.Underlay.Remote
+			ifinfo.Options = rawIntf.Underlay.Options
 			brInfo.IFs[ifID] = &ifinfo
 			t.IFInfoMap[ifID] = ifinfo
 		}
@@ -617,8 +619,8 @@ func (i IFInfo) CheckLinks(isCore bool, brName string) error {
 
 func (i IFInfo) String() string {
 	return fmt.Sprintf("IFinfo: Name[%s] IntAddr[%+v] Local:%+v "+
-		"Remote:%+v IA:%s Type:%v MTU:%d", i.BRName, i.InternalAddr,
-		i.Local, i.Remote, i.IA, i.LinkType, i.MTU)
+		"Remote:%+v Options:%+v IA:%s Type:%v MTU:%d", i.BRName, i.InternalAddr,
+		i.Local, i.Remote, i.Options, i.IA, i.LinkType, i.MTU)
 }
 
 func (i *IFInfo) copy() *IFInfo {
diff --git a/private/topology/topology_test.go b/private/topology/topology_test.go
index 7a69c22495..cac6d17ff1 100644
--- a/private/topology/topology_test.go
+++ b/private/topology/topology_test.go
@@ -194,7 +194,7 @@ func TestIFInfoMap(t *testing.T) {
 			ID:           1,
 			BRName:       "br1-ff00:0:311-1",
 			InternalAddr: netip.MustParseAddrPort("10.1.0.1:0"),
-			Provider:     "udpip",
+			Protocol:     "udpip",
 			Local:        "192.0.2.1:44997",
 			Remote:       "192.0.2.2:44998",
 			IA:           addr.MustParseIA("1-ff00:0:312"),
@@ -210,7 +210,7 @@ func TestIFInfoMap(t *testing.T) {
 			ID:           3,
 			BRName:       "br1-ff00:0:311-1",
 			InternalAddr: netip.MustParseAddrPort("10.1.0.1:0"),
-			Provider:     "udpip",
+			Protocol:     "udpip",
 			Local:        "[2001:db8:a0b:12f0::1]:44997",
 			Remote:       "[2001:db8:a0b:12f0::2]:44998",
 			IA:           addr.MustParseIA("1-ff00:0:314"),
@@ -221,7 +221,7 @@ func TestIFInfoMap(t *testing.T) {
 			ID:           8,
 			BRName:       "br1-ff00:0:311-1",
 			InternalAddr: netip.MustParseAddrPort("10.1.0.1:0"),
-			Provider:     "udpip",
+			Protocol:     "udpip",
 			Local:        ":44997",
 			Remote:       "192.0.2.3:44998",
 			IA:           addr.MustParseIA("1-ff00:0:313"),
@@ -232,7 +232,7 @@ func TestIFInfoMap(t *testing.T) {
 			ID:           11,
 			BRName:       "br1-ff00:0:311-2",
 			InternalAddr: netip.MustParseAddrPort(`[2001:db8:a0b:12f0::1%some-internal-zone]:0`),
-			Provider:     "udpip",
+			Protocol:     "udpip",
 			Local:        `[2001:db8:a0b:12f0::1%some-local-zone]:44897`,
 			Remote:       `[2001:db8:a0b:12f0::2%some-remote-zone]:44898`,
 			IA:           addr.MustParseIA("1-ff00:0:314"),
@@ -251,7 +251,7 @@ func TestIFInfoMapCoreAS(t *testing.T) {
 			ID:           91,
 			BRName:       "borderrouter6-ff00:0:362-1",
 			InternalAddr: netip.MustParseAddrPort("10.1.0.1:0"),
-			Provider:     "udpip",
+			Protocol:     "udpip",
 			Local:        "192.0.2.1:4997",
 			Remote:       "192.0.2.2:4998",
 			IA:           addr.MustParseIA("6-ff00:0:363"),
@@ -262,7 +262,7 @@ func TestIFInfoMapCoreAS(t *testing.T) {
 			ID:           32,
 			BRName:       "borderrouter6-ff00:0:362-9",
 			InternalAddr: netip.MustParseAddrPort("[2001:db8:a0b:12f0::2]:0"),
-			Provider:     "udpip",
+			Protocol:     "udpip",
 			Local:        "[2001:db8:a0b:12f0::1]:4997",
 			Remote:       "[2001:db8:a0b:12f0::2]:4998",
 			IA:           addr.MustParseIA("6-ff00:0:364"),
diff --git a/private/underlay/ebpf/BUILD.bazel b/private/underlay/ebpf/BUILD.bazel
index bafe2ad64f..7e3ea488ad 100644
--- a/private/underlay/ebpf/BUILD.bazel
+++ b/private/underlay/ebpf/BUILD.bazel
@@ -1,17 +1,18 @@
+load("@bazel_skylib//rules:native_binary.bzl", "native_test")
 load("@rules_go//go:def.bzl", "go_library")
 load("//tools:go.bzl", "go_test")
 
 genrule(
-    # The generated file is bazel-bin/private/underlay/ebpf/portfilter_bpfel.go
-    name = "gen_bpf_filter_go",
+    # The generated file is bazel-bin/private/underlay/ebpf/sockfilter_bpfel.go
+    name = "gen_bpf_sock_filter_go",
     srcs = [
-        "portfilter.c",
+        "sockfilter.c",
         "bpf_helpers.h",
         "bpf_helper_defs.h",
     ],
     outs = [
-        "portfilter_bpfel.go",
-        "portfilter_bpfel.o",
+        "sockfilter_bpfel.go",
+        "sockfilter_bpfel.o",
     ],
     cmd = """
         ARCH=$$(uname -m)
@@ -24,10 +25,41 @@ genrule(
             exit 1
         fi
         GOPACKAGE=ebpf $(execpath @com_github_cilium_ebpf//cmd/bpf2go) \
-            -output-dir $$(dirname $(location portfilter_bpfel.go)) \
+            -output-dir $$(dirname $(location sockfilter_bpfel.go)) \
             -tags linux \
             --cflags="-I$$INC" \
-            portfilter $(location portfilter.c)
+            sockfilter $(location sockfilter.c)
+    """,
+    tools = ["@com_github_cilium_ebpf//cmd/bpf2go"],
+)
+
+genrule(
+    # The generated file is bazel-bin/private/underlay/ebpf/kfilter_bpfel.go
+    name = "gen_bpf_k_filter_go",
+    srcs = [
+        "kfilter.c",
+        "bpf_helpers.h",
+        "bpf_helper_defs.h",
+    ],
+    outs = [
+        "kfilter_bpfel.go",
+        "kfilter_bpfel.o",
+    ],
+    cmd = """
+        ARCH=$$(uname -m)
+        if [ "$$ARCH" = "x86_64" ]; then
+            INC=/usr/include/x86_64-linux-gnu
+        elif [ "$$ARCH" = "aarch64" ]; then
+            INC=/usr/include/aarch64-linux-gnu
+        else
+            echo "Unsupported arch: $$ARCH" >&2
+            exit 1
+        fi
+        GOPACKAGE=ebpf $(execpath @com_github_cilium_ebpf//cmd/bpf2go) \
+            -output-dir $$(dirname $(location kfilter_bpfel.go)) \
+            -tags linux \
+            --cflags="-I$$INC" \
+            kfilter $(location kfilter.c)
     """,
     tools = ["@com_github_cilium_ebpf//cmd/bpf2go"],
 )
@@ -37,16 +69,23 @@ go_library(
     srcs = [
         "bpf_helper_defs.h",
         "bpf_helpers.h",
+        "kfilter_bpfel.go",
+        "kfilter_lint.go",  # keep
         "portfilter.go",
-        "portfilter_bpfel.go",
-        "portfilter_lint.go",  # keep
+        "sockfilter_bpfel.go",
+        "sockfilter_lint.go",  # keep
     ],
     embedsrcs = [
-        "portfilter_bpfel.o",  #keep
+        "sockfilter_bpfel.o",  #keep
+        "kfilter_bpfel.o",  #keep
     ],
     importpath = "github.com/scionproto/scion/private/underlay/ebpf",
     visibility = ["//visibility:public"],
-    deps = ["@com_github_cilium_ebpf//:go_default_library"],
+    deps = [
+        "@com_github_cilium_ebpf//:go_default_library",
+        "@com_github_cilium_ebpf//link:go_default_library",
+        "@com_github_gopacket_gopacket//afpacket:go_default_library",
+    ],
 )
 
 # Builds the portfilter test; but it will be missing the required capabilities; so we must not
diff --git a/private/underlay/ebpf/README.md b/private/underlay/ebpf/README.md
index 87c91049c9..9014e95acb 100644
--- a/private/underlay/ebpf/README.md
+++ b/private/underlay/ebpf/README.md
@@ -3,9 +3,9 @@
 ## Cilium vs. libbpf LICENSING
 
 The files bpf_helpers.h and bpf_helper_defs.h were copied here from
-[](https://github.com/cilium/ebpf/tree/main/examples/headers). These files
+[here](https://github.com/cilium/ebpf/tree/main/examples/headers). These files
 where themselves obviously copied from
-[](https://github.com/libbpf/libbpf/tree/master/src).
+[here](https://github.com/libbpf/libbpf/tree/master/src).
 
 Whether from Cilium or libbpf, the files do not carry a copyright statement.
 bpf_helper_defs.h does not reference any license. bpf_helpers.h is offered
diff --git a/private/underlay/ebpf/kfilter.c b/private/underlay/ebpf/kfilter.c
new file mode 100644
index 0000000000..74ddefe5b7
--- /dev/null
+++ b/private/underlay/ebpf/kfilter.c
@@ -0,0 +1,90 @@
+// Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build ignore
+
+#include <linux/bpf.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/udp.h>
+#include "bpf_helpers.h"
+
+// kfilter: the kernel-side filter. The purpose of this program is to prevent the traffic that goes
+// to the AF_PACKET socket from getting to the regular kernel networking stack as well. If it did,
+// the kernel would expend resources processing the traffic, generating ICMP responses AND sending
+// them!
+//
+// This is still not ideal because I have yet to find a way to dispatch traffic before it is cloned
+// for AF_PACKET handling but after it is turned into an SKB. To solve that problem we would need to
+// go to XDP.
+//
+// This might not be as bad as it looks though: traffic is cloned via c-o-w and it might even not be
+// cloned until the AF_PACKET tap has made a drop/keep decision. The traffic that we keep is
+// definitely cloned; so...  dear cow, a third swiss industry is now counting on you.
+
+typedef struct { // Map key: one destination address/port pair.
+  __u8 ip_addr[16]; // dest address; IPv4 uses the first 4 bytes only, the rest stays zero.
+  __u16 port; // dest UDP port, in network byte order
+  __u8 type; // 4 for an IPv4 address, 6 for an IPv6 address.
+  __u8 padding; // just to make it clear what the real size of the struct is.
+} addrPort;
+
+// k_map_flt tells our bpf program which address/port(s) go to the AF_PACKET socket and therefore
+// not to the kernel. Ports must be in network byte order.
+//
+// The same data is used by sockfilter to perform the opposite filtering. We may have many
+// pairs to filter for a given interface. We could have several one-addrPort filters in series,
+// but we would easily exceed the number of filters that can be attached to an interface (not
+// to mention that this would be inefficient). So we need a map with multiple pairs.
+struct {
+  __uint(type, BPF_MAP_TYPE_HASH);
+  __type(key, addrPort); // An IP address, a port number and the address type.
+  __type(value, __u8); // Nothing. The map is just a set of keys.
+  __uint(max_entries, 64); // Upper bound on the number of address/port pairs.
+} k_map_flt SEC(".maps");
+
+// This is a very simple classifier type of filter: it looks at the packet's protocol and dest
+// address/port. If it is UDP and if the pair is found in k_map_flt, then the packet is dropped
+// (because the AF_PACKET socket will get and process it). Everything else returns TC_NEXT.
+SEC("tcx/ingress")
+int bpf_k_filter(struct __sk_buff *skb)
+{
+  __u16 ethtype; // EtherType as raw wire bytes (no byte-order conversion applied).
+  bpf_skb_load_bytes(skb, 12, &ethtype, 2); // EtherType: bytes 12-13 of the Ethernet header.
+
+  __u8 ipproto;
+  addrPort key = {0}; // zeroed: unused address bytes and padding are part of the hash key.
+
+  if (ethtype == 0x0008) { // IPv4: 0x0800 on the wire, reads swapped on a little-endian target.
+    bpf_skb_load_bytes(skb, 14 + offsetof(struct iphdr, protocol), &ipproto, 1);
+    if (ipproto != IPPROTO_UDP) {
+      return -1; // TC_NEXT
+    }
+    key.type = 4;
+    bpf_skb_load_bytes(skb, 14 + offsetof(struct iphdr, daddr), key.ip_addr, 4);
+    bpf_skb_load_bytes(skb, 14 + sizeof(struct iphdr) + offsetof(struct udphdr, dest),
+        &key.port, 2); // NOTE(review): assumes a 20-byte IPv4 header (no options) - confirm.
+  } else if (ethtype == 0xDD86) { // IPv6: 0x86DD on the wire, same swapped reading.
+    bpf_skb_load_bytes(skb, 14 + offsetof(struct ipv6hdr, nexthdr), &ipproto, 1);
+    if (ipproto != IPPROTO_UDP) {
+      return -1; // TC_NEXT
+    }
+    key.type = 6;
+    bpf_skb_load_bytes(skb, 14 + offsetof(struct ipv6hdr, daddr), key.ip_addr, 16);
+    bpf_skb_load_bytes(skb, 14 + sizeof(struct ipv6hdr) + offsetof(struct udphdr, dest),
+		       &key.port, 2);
+  } else {
+      return -1; // TC_NEXT
+  }
+
+  __u8 *forbidden = bpf_map_lookup_elem(&k_map_flt, &key); // non-NULL: the pair is in the set.
+  if (forbidden == NULL) {
+    return -1; // TC_NEXT
+  }
+  return 2; // TC_DROP
+}
+
+// This program only uses non-gpl_only helpers. So we can use our normal license.
+char __license[] SEC("license") = "Apache-2.0";
diff --git a/private/underlay/ebpf/kfilter_lint.go b/private/underlay/ebpf/kfilter_lint.go
new file mode 100644
index 0000000000..756d8ec8e2
--- /dev/null
+++ b/private/underlay/ebpf/kfilter_lint.go
@@ -0,0 +1,15 @@
+// Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
+
+// Placeholder for generated code during lint.
+
+//go:build lint
+
+package ebpf
+
+import "github.com/cilium/ebpf"
+
+func loadKfilter() (*ebpf.CollectionSpec, error) {
+	return nil, nil // Stub: this file is only compiled under the "lint" build tag.
+}
diff --git a/private/underlay/ebpf/portfilter.c b/private/underlay/ebpf/portfilter.c
deleted file mode 100644
index 37e86be8a1..0000000000
--- a/private/underlay/ebpf/portfilter.c
+++ /dev/null
@@ -1,61 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-//
-// Copyright 2025 SCION Association
-
-//go:build ignore
-
-#include <linux/bpf.h>
-#include <linux/in.h>
-#include <linux/ip.h>
-#include <linux/udp.h>
-#include "bpf_helpers.h"
-
-// This tells our bpf program which port goes to the AF_PACKET socket.
-// 
-// This is a very small array; e.g. length 1. So it is just a plain sequence
-// of allowed port numbers. Those must be in network byte order.
-//
-// Since AF_PACKET ports receive cloned traffic, we can just drop everything
-// we don't want and the regular networking stack will get it.
-//
-// This is far from ideal because I have yet to find a way to dispatch traffic
-// before it is cloned for AF_PACKET handling but after it is turned into an
-// SKB. To solve that problem we need to go to XDP.
-//
-// This might not be as bad as it looks though: traffic is cloned via c-o-w
-// and it might even not be cloned until the AF_PACKET tap has made a
-// drop/keep decision. The traffic that we keep is definitely cloned; so...
-// dear cow, a third swiss industry is now counting on you.
-//
-struct {
-  __uint(type, BPF_MAP_TYPE_ARRAY);
-  __type(key, __u32); // Plain int. Index into the array.
-  __type(value, __u16); // A port number.
-  __uint(max_entries, 1);
-} sock_map_flt SEC(".maps");
-
-// This is a very simple socket filter: it looks at the packet's protocol and
-// dest port. If it is UDP and if the port is found in sock_map_filt, then the
-// packet is accepted. Else, dropped. The userland code just adds allowed ports
-// to the map.
-SEC("socket")
-int bpf_port_filter(struct __sk_buff *skb)
-{
-  __u8 proto;
-  bpf_skb_load_bytes(skb, 14 + offsetof(struct iphdr, protocol), &proto, 1);
-  if (proto != IPPROTO_UDP) {
-      return 0;
-  }
-  __u16 portNbo;
-  bpf_skb_load_bytes(skb, 14 + sizeof(struct iphdr) + offsetof(struct udphdr, dest), &portNbo, 2);
-
-  __u32 index = 0;
-  __u16 *allowedPort = bpf_map_lookup_elem(&sock_map_flt, &index);
-  if (allowedPort == NULL || *allowedPort != portNbo) {
-    return 0;
-  }
-  return skb->len;
-}
-
-// This program only uses non-gpl_only helpers. So we can use our normal license.
-char __license[] SEC("license") = "Apache-2.0";
diff --git a/private/underlay/ebpf/portfilter.go b/private/underlay/ebpf/portfilter.go
index 60e2f2201e..9e79ec15db 100644
--- a/private/underlay/ebpf/portfilter.go
+++ b/private/underlay/ebpf/portfilter.go
@@ -1,78 +1,191 @@
-// SPDX-License-Identifier: Apache-2.0
-//
 // Copyright 2025 SCION Association
 //
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package ebpf
 
 import (
 	"encoding/binary"
 	"fmt"
-	"unsafe"
+	"net/netip"
 
 	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/link"
+	"github.com/gopacket/gopacket/afpacket"
 )
 
-// Loads a port filter bpf socket filter program that only allows UDP traffic to the given port
-// number. This function returns a file descriptor referencing the loaded program (and indirectly,
-// the associated map). This program can then be attached to a (typically raw) socket and will
-// filter the traffic to be delivered to that socket. When the socket is closed the program and its
-// map are discarded by the kernel.
-//
-// For any of this to work, the calling process must have the following capabilities:
+// For any of the below to work, the calling process must have the following capabilities:
 // cap_bpf, cap_net_admin, cap_net_raw. For example, the buildfile applies to following command
 // to the portfilter_test executable:
 //
-//	/usr/bin/sudo setcap "cap_bpf+ep cap_net_admin+ep cap_net_raw+ep" $@
-func BpfSockFilter(port uint16) (int, error) {
-	spec, err := loadPortfilter()
+//	/usr/bin/sudo setcap "cap_bpf+ep cap_net_admin+ep cap_net_raw+ep" executable_file
+
+// KFilterHandle holds the interface->kernel filter and keeps it alive until Closed. kLink is the
+// traffic control filter for the kernel stack. As long as such an object exists, the filter
+// remains active. kObjs refers to the filter resources; that is, the program and its map.
+type KFilterHandle struct {
+	kLink link.Link
+	kObjs *ebpf.Collection
+}
+
+// Close causes the filter to go away: it closes the link first, then the program and its map.
+func (kf *KFilterHandle) Close() {
+	kf.kLink.Close()
+	kf.kObjs.Close()
+}
+
+// AddAddrPort adds the given address/port to the map of the filter. As a result UDP/IP packets
+// destined to it are filtered out from the kernel networking stack. Panics on failure.
+func (kf *KFilterHandle) AddAddrPort(addrPort netip.AddrPort) {
+	myMap := kf.kObjs.Maps["k_map_flt"]
+	if myMap == nil {
+		panic(fmt.Errorf("no map named k_map_flt found"))
+	}
+
+	// The key mirrors addrPort in kfilter.c: address[0:16], port[16:18] (big endian), type[18].
+	// map.Put plays crystal ball with key and value so it accepts either pointers or values.
+	var key [20]byte
+	addr := addrPort.Addr()
+	if addr.Is4() || addr.Is4In6() {
+		addrBytes := addr.As4()
+		copy(key[0:4], addrBytes[0:4])
+		key[18] = byte(4) // IPv4 marker; key[4:16] stays zero.
+	} else {
+		addrBytes := addr.As16()
+		copy(key[0:16], addrBytes[0:16])
+		key[18] = byte(6) // IPv6 marker.
+	}
+	binary.BigEndian.PutUint16(key[16:18], addrPort.Port())
+	b := uint8(0) // Dummy value: the map is only used as a set of keys.
+	if err := myMap.Put(key, b); err != nil {
+		panic(fmt.Sprintf("error kFilter AddPort: %v, key=%p\n", err, &key))
+	}
+}
+
+// BpfKFilter attaches a SCHED_CLS program to the network interface "ifIndex". The SCHED_CLS program
+// filters all traffic to specified ports from interface "ifIndex" out of the kernel networking
+// stack.
+//
+// Specifically, all traffic is delivered to the kernel networking stack, except UDP/IP to a port
+// that has been added to the map.
+//
+// Note that every call to this function results in attaching a new filter to the interface. The
+// filters operate serially.
+//
+// To insert address/port pairs into the filter's map, use the AddAddrPort method.
+//
+// Returns: a handle referring to the program and map. Calling the handle's Close() method will
+// discard both.
+func BpfKFilter(ifIndex int) (*KFilterHandle, error) {
+	spec, err := loadKfilter()
 	if err != nil {
-		return -1, err
+		return nil, err
 	}
 	coll, err := ebpf.NewCollection(spec)
 	if err != nil {
-		return -1, err
+		return nil, err
 	}
-	// We only need the collection to initialize stuff.
-	defer coll.Close()
 
-	// We keep the program, so the collection can be closed without closing the program.
-	prog := coll.DetachProgram("bpf_port_filter")
+	// We keep the program.
+	prog := coll.Programs["bpf_k_filter"]
 	if prog == nil {
-		panic("no program named pbf_port_filter found")
+		panic("no program named bpf_k_filter found")
+	}
+
+	// Attach the program to the interface. We attach it at head; it has almost zero cost.
+	l, err := link.AttachTCX(link.TCXOptions{
+		Interface: ifIndex,
+		Program:   prog,
+		Attach:    ebpf.AttachTCXIngress,
+		Anchor:    link.Head(),
+	})
+	if err != nil {
+		prog.Close()
+		coll.Close()
+		return nil, err
 	}
 
-	// Now load the map and populate it with our port mapping. We let the fd be closed along with
-	// the collection: we are done with it. The program keeps the map alive.
-	myMap := coll.Maps["sock_map_flt"]
+	kf := &KFilterHandle{kLink: l, kObjs: coll}
+	return kf, nil
+}
+
+// SFilterHandle holds the socket->application filter and keeps it alive until Closed. sObjs is the
+// SockFilter resources; that is, the program and its map. As long as such an object exists, the
+// filter remains active.
+type SFilterHandle struct {
+	sObjs *ebpf.Collection
+}
+
+// Close causes the filter to go away by closing the collection (the program and its map).
+func (sf *SFilterHandle) Close() {
+	sf.sObjs.Close()
+}
+
+// AddAddrPort adds the given address/port to the map of the filter. As a result UDP/IP packets
+// destined to that address and port will be delivered to the associated socket.
+func (sf *SFilterHandle) AddAddrPort(addrPort netip.AddrPort) {
+	// Now load the map and populate it with our port mapping.
+	myMap := sf.sObjs.Maps["sock_map_flt"]
 	if myMap == nil {
 		panic(fmt.Errorf("no map named sock_map_flt found"))
 	}
 
 	// map.Put plays crystal ball with key and value so it accepts either
 	// pointers or values.
-	idx := uint32(0)
-	portNbo := htons(port)
-	if err := myMap.Put(idx, portNbo); err != nil {
-		panic(fmt.Sprintf("error: %v, key=%p, val=%p\n", err, &idx, &portNbo))
+	var key [20]byte
+	addr := addrPort.Addr()
+	if addr.Is4() || addr.Is4In6() {
+		addrBytes := addr.As4()
+		copy(key[0:4], addrBytes[0:4])
+		key[18] = byte(4)
+	} else {
+		addrBytes := addr.As16()
+		copy(key[0:16], addrBytes[0:16])
+		key[18] = byte(6)
+	}
+	binary.BigEndian.PutUint16(key[16:18], addrPort.Port())
+	b := uint8(0)
+	if err := myMap.Put(key, b); err != nil {
+		panic(fmt.Sprintf("error sFilter AddPort: %v, key=%p\n", err, &key))
 	}
-
-	return prog.FD(), nil
 }
 
-func htons(i uint16) uint16 {
-	b := make([]byte, 2)
-	binary.BigEndian.PutUint16(b, i)
-	return *(*uint16)(unsafe.Pointer(&b[0]))
+// BpfSFilter attaches a SOCK_FILTER program to the raw socket "afp".  The SOCK_FILTER program
+// only allows traffic to specified ports to reach the socket referred to by "afp". Only the
+// following traffic is delivered to the socket:
+//
+// UDP/IP: only if the destination address/port has been added to the map.
+// ARP: all
+// ICMPv6: all
+//
+// Note this function replaces any SOCK_FILTER already attached to the socket. There can be only
+// one. To insert address/port pairs into the filter's map, use the AddAddrPort method.
+//
+// Returns: a handle referring to the program and map. Calling the handle's Close() method will
+// discard both.
+func BpfSFilter(afp *afpacket.TPacket) (*SFilterHandle, error) {
+	spec, err := loadSockfilter()
+	if err != nil {
+		return nil, err
+	}
+	coll, err := ebpf.NewCollection(spec)
+	if err != nil {
+		return nil, err
+	}
+
 	// We keep the program, so the collection can be closed without closing the program.
+	prog := coll.Programs["bpf_sock_filter"]
+	if prog == nil {
+		panic("no program named bpf_sock_filter found")
+	}
+
+	err = afp.SetEBPF(int32(prog.FD()))
+	if err != nil {
+		prog.Close()
+		coll.Close()
+		return nil, err
+	}
+
+	sf := &SFilterHandle{sObjs: coll} // The handle keeps coll (program and map) until Close.
+	return sf, nil
 }
diff --git a/private/underlay/ebpf/portfilter_lint.go b/private/underlay/ebpf/portfilter_lint.go
deleted file mode 100644
index ab957bff51..0000000000
--- a/private/underlay/ebpf/portfilter_lint.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-//
-// Copyright 2025 SCION Association
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// Placeholder for generated code during lint.
-
-//go:build lint
-
-package ebpf
-
-import "github.com/cilium/ebpf"
-
-func loadPortfilter() (*ebpf.CollectionSpec, error) {
-	return nil, nil
-}
diff --git a/private/underlay/ebpf/portfilter_test.go b/private/underlay/ebpf/portfilter_test.go
index 0d9d2670c2..3eabd2b558 100644
--- a/private/underlay/ebpf/portfilter_test.go
+++ b/private/underlay/ebpf/portfilter_test.go
@@ -1,22 +1,11 @@
-// SPDX-License-Identifier: Apache-2.0
-//
 // Copyright 2025 SCION Association
 //
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+// SPDX-License-Identifier: Apache-2.0
 
 package ebpf_test
 
 import (
+	"errors"
 	"fmt"
 	"net"
 	"os"
@@ -110,39 +99,61 @@ func TestRawSocket(t *testing.T) {
 	// with sending.
 
 	// Side A
+	intfA, err := net.InterfaceByName("vethA")
+	require.NoError(t, err)
 	afpHandleA, err := afpacket.NewTPacket(
 		afpacket.OptInterface("vethA"),
-		afpacket.OptFrameSize(4096))
-	require.NoError(t, err)
-	filterA, err := ebpf.BpfSockFilter(50000)
-	require.NoError(t, err)
-	err = afpHandleA.SetEBPF(int32(filterA))
+		afpacket.OptFrameSize(4096),
+	)
 	require.NoError(t, err)
 	rawAddrA, err := net.ResolveUDPAddr("udp4", "10.123.100.1:50000")
 	require.NoError(t, err)
 	// ipAddrA is not assigned to the interface but used as source address in hand-made packets.
 	ipAddrA, err := net.ResolveUDPAddr("udp4", "10.123.100.1:50001")
 	require.NoError(t, err)
+	kFilterA, err := ebpf.BpfKFilter(intfA.Index)
+	require.NoError(t, err)
+	kFilterA.AddAddrPort(rawAddrA.AddrPort())
+	sFilterA, err := ebpf.BpfSFilter(afpHandleA)
+	require.NoError(t, err)
+	sFilterA.AddAddrPort(rawAddrA.AddrPort())
 
 	// Side B
+	intfB, err := net.InterfaceByName("vethB")
+	require.NoError(t, err)
 	afpHandleB, err := afpacket.NewTPacket(
 		afpacket.OptInterface("vethB"),
-		afpacket.OptFrameSize(4096))
-	require.NoError(t, err)
-	filterB, err := ebpf.BpfSockFilter(50000)
-	require.NoError(t, err)
-	err = afpHandleB.SetEBPF(int32(filterB))
+		afpacket.OptFrameSize(4096),
+		afpacket.OptPollTimeout(200*time.Millisecond),
+	)
 	require.NoError(t, err)
 	rawAddrB, err := net.ResolveUDPAddr("udp4", "10.123.100.2:50000")
 	require.NoError(t, err)
 	ipAddrB, err := net.ResolveUDPAddr("udp4", "10.123.100.2:50001")
 	require.NoError(t, err)
+	kFilterB, err := ebpf.BpfKFilter(intfB.Index)
+	require.NoError(t, err)
+	kFilterB.AddAddrPort(rawAddrB.AddrPort()) // The destination that the kernel must *not* handle.
+	sFilterB, err := ebpf.BpfSFilter(afpHandleB)
+	require.NoError(t, err)
+	sFilterB.AddAddrPort(rawAddrB.AddrPort())
 
 	// On side B we expect packets to port 50000 at the raw socket and packets to port 50001 at the
-	// regular socket.
-	packetChanB := gopacket.NewPacketSource(afpHandleB, layers.LinkTypeEthernet).Packets()
+	// regular socket. We also listen on port 50000 with a regular socket and we do not expect it
+	// to receive anything.
 	connB, err := net.ListenUDP("udp4", ipAddrB)
 	require.NoError(t, err)
+	connB2, err := net.ListenUDP("udp4", rawAddrB)
+	require.NoError(t, err)
+
+	// Drain stray packets that arrived before we added the filter.
+	for {
+		_, _, err := afpHandleB.ZeroCopyReadPacketData()
+		if errors.Is(err, afpacket.ErrTimeout) {
+			break
+		}
+		require.NoError(t, err)
+	}
 
 	// Now, check what we can and cannot receive and where.
 	buf := make([]byte, 256)
@@ -154,36 +165,58 @@ func TestRawSocket(t *testing.T) {
 	require.NoError(t, err)
 
 	// The regular socket should get that.
-	err = connB.SetReadDeadline(time.Now().Add(1 * time.Second))
+	err = connB.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
 	require.NoError(t, err)
 	_, _, err = connB.ReadFrom(buf)
 	require.NoError(t, err)
 	require.Equal(t, string(buf[:5]), "hello")
 
-	// The raw socket shouldn't have gotten anything.
-	afterCh := time.After(1 * time.Second)
-	select {
-	case <-packetChanB:
-		t.Fatal("Received on raw socket\n")
-	case <-afterCh:
+	// The raw socket shouldn't have gotten anything (except a random ARP/NDP).
+	for {
+		p, _, err := afpHandleB.ZeroCopyReadPacketData()
+		if errors.Is(err, afpacket.ErrTimeout) {
+			break
+		}
+		require.NoError(t, err) // Any other error leaves p unusable; fail rather than index it.
+		if p[12] == 0x08 && p[13] == 0x06 { // ARP: ethertype 0x0806, big-endian on the wire.
+			continue
+		}
+		if p[12] == 0x86 && p[13] == 0xDD {
+			// IPv6 (likely NDP, since we didn't send any v6 packet).
+			continue
+		}
+		t.Fatalf("Received on raw socket: % X\n", p)
 	}
 
 	// To raw sockets; port 50000
 	pkt = mkPacket(rawAddrA, rawAddrB)
 	err = afpHandleA.WritePacketData(pkt)
 	require.NoError(t, err)
-	afterCh = time.After(1 * time.Second)
-	select {
-	case <-packetChanB:
-	case <-afterCh:
-		t.Fatal("Never received on raw socket\n")
-	}
+	_, _, err = afpHandleB.ZeroCopyReadPacketData()
+	require.NoError(t, err)
 
 	// The regular socket can't possibly get that:
-	err = connB.SetReadDeadline(time.Now().Add(time.Second))
+	err = connB.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
 	require.NoError(t, err)
 	_, _, err = connB.ReadFrom(buf)
 	require.Error(t, err)
+
+	// The regular socket listening on 50000 port cannot get it either because it was suppressed
+	// by the TC filter.
+	err = connB2.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
+	require.NoError(t, err)
+	copy(buf, "     ")
+	_, _, err = connB2.ReadFrom(buf)
+	require.Error(t, err)
+
+	afpHandleA.Close()
+	afpHandleB.Close()
+	connB.Close()
+	connB2.Close()
+	kFilterA.Close()
+	sFilterA.Close()
+	sFilterB.Close()
+	kFilterB.Close()
 }
 
 var pktOptions = gopacket.SerializeOptions{
diff --git a/private/underlay/ebpf/sockfilter.c b/private/underlay/ebpf/sockfilter.c
new file mode 100644
index 0000000000..ea2a109db1
--- /dev/null
+++ b/private/underlay/ebpf/sockfilter.c
@@ -0,0 +1,98 @@
+// Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build ignore
+
+#include <linux/bpf.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/udp.h>
+#include <linux/if_ether.h>
+#include "bpf_helpers.h"
+
+// sockfilter: The socket-level filter. The purpose of this program is to ensure that the associated
+// AF_PACKET socket processes only the packets destined to selected address/port pairs. AF_PACKET
+// sockets receive cloned traffic; all of it. We drop everything we don't want. The traffic that we
+// do want also gets to the kernel networking stack. Another filter (kfilter.c) has to drop it.
+//
+// This is still not ideal because I have yet to find a way to dispatch traffic before it is
+// cloned for AF_PACKET handling but after it is turned into an SKB. To solve that problem we need
+// to go to XDP.
+//
+// This might not be as bad as it looks though: traffic is cloned via c-o-w and it might even not be
+// cloned until the AF_PACKET tap has made a drop/keep decision. The traffic that we keep is
+// definitely cloned; so...  dear cow, a third swiss industry is now counting on you.
+
+typedef struct {
+  __u8 ip_addr[16]; // IPv4 fills only the first 4 bytes (rest stays zero); IPv6 fills all 16.
+  __u16 port; // in network byte order
+  __u8 type; // 4 for IPv4 keys, 6 for IPv6 keys.
+  __u8 padding; // just to make it clear what the real size of the struct is.
+} addrPort;
+
+// sock_map_flt tells our bpf program which address/port(s) go to the AF_PACKET socket (and not the
+// kernel). The ports must be in network byte order.
+//
+// This is the same data used by kfilter to perform the opposite filtering. We may have several
+// pairs to filter for a given raw socket. We could have several sockets, each with a one-pair
+// filter, but we do not want to be bound by that constraint (and it may be less efficient).
+// So we need a map with multiple pairs.
+struct {
+  __uint(type, BPF_MAP_TYPE_HASH);
+  __type(key, addrPort); // An IP address and a port number.
+  __type(value, __u8); // Nothing. The map is just a set of keys.
+  __uint(max_entries, 64);
+} sock_map_flt SEC(".maps");
+
+// This is a very simple classifier type of filter. ARP and ICMPv6 packets are always accepted.
+// UDP packets (v4 or v6) are accepted only if their destination address/port pair is a key in
+// sock_map_flt. Everything else, IPv4 ICMP included, is dropped (return 0). Accepted packets
+// are clones; the originals still reach the kernel stack, where kfilter.c may drop them.
+SEC("socket")
+int bpf_sock_filter(struct __sk_buff *skb)
+{
+  __u16 ethtype;
+  bpf_skb_load_bytes(skb, 12, &ethtype, 2); // Ethertype: bytes 12-13 of the frame, unswapped.
+  if (ethtype == 0x0608) { // ARP: wire bytes 08 06 (constant assumes a little-endian load).
+    return skb->len;
+  }
+
+  __u8 ipproto;
+  addrPort key = {0};
+
+  if (ethtype == 0x0008) { // IPv4: wire bytes 08 00.
+    bpf_skb_load_bytes(skb, 14 + offsetof(struct iphdr, protocol), &ipproto, 1);
+    if (ipproto != IPPROTO_UDP) {
+      return 0;
+    }
+    key.type = 4;
+    bpf_skb_load_bytes(skb, 14 + offsetof(struct iphdr, daddr), key.ip_addr, 4);
+    bpf_skb_load_bytes(skb, 14 + sizeof(struct iphdr) + offsetof(struct udphdr, dest),
+        &key.port, 2); // NOTE(review): offset assumes no IPv4 options (IHL == 5) - confirm.
+  } else if (ethtype == 0xDD86) { // IPv6: wire bytes 86 DD.
+    bpf_skb_load_bytes(skb, 14 + offsetof(struct ipv6hdr, nexthdr), &ipproto, 1);
+    if (ipproto == IPPROTO_ICMPV6) {
+      return skb->len;
+    }
+    if (ipproto != IPPROTO_UDP) {
+      return 0;
+    }
+    key.type = 6;
+    bpf_skb_load_bytes(skb, 14 + offsetof(struct ipv6hdr, daddr), key.ip_addr, 16);
+    bpf_skb_load_bytes(skb, 14 + sizeof(struct ipv6hdr) + offsetof(struct udphdr, dest),
+		       &key.port, 2); // NOTE(review): assumes no IPv6 extension headers - confirm.
+  } else {
+    return 0;
+  }
+
+  __u8 *allowed = bpf_map_lookup_elem(&sock_map_flt, &key);
+  if (allowed == NULL) {
+      return 0;
+  }
+  return skb->len;
+}
+
+// This program only uses non-gpl_only helpers. So we can use our normal license.
+char __license[] SEC("license") = "Apache-2.0";
diff --git a/private/underlay/ebpf/sockfilter_lint.go b/private/underlay/ebpf/sockfilter_lint.go
new file mode 100644
index 0000000000..06520d6ff4
--- /dev/null
+++ b/private/underlay/ebpf/sockfilter_lint.go
@@ -0,0 +1,15 @@
+// Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
+
+// Placeholder for generated code during lint.
+
+//go:build lint
+
+package ebpf
+
+import "github.com/cilium/ebpf"
+
+func loadSockfilter() (*ebpf.CollectionSpec, error) {
+	return nil, nil
+}
diff --git a/router/BUILD.bazel b/router/BUILD.bazel
index 9d42f1a9da..dab5519bcc 100644
--- a/router/BUILD.bazel
+++ b/router/BUILD.bazel
@@ -7,6 +7,7 @@ go_library(
         "connector.go",
         "dataplane.go",
         "doc.go",
+        "fnv1acheap.go",
         "metrics.go",
         "serialize_proxy.go",
         "svc.go",
diff --git a/router/cmd/router/BUILD.bazel b/router/cmd/router/BUILD.bazel
index f8fc3976be..27348d6f45 100644
--- a/router/cmd/router/BUILD.bazel
+++ b/router/cmd/router/BUILD.bazel
@@ -17,6 +17,7 @@ go_library(
         "//router/config:go_default_library",
         "//router/control:go_default_library",
         "//router/mgmtapi:go_default_library",
+        "//router/underlayproviders/afpacketudpip:go_default_library",
         "//router/underlayproviders/udpip:go_default_library",
         "@com_github_go_chi_chi_v5//:go_default_library",
         "@com_github_go_chi_cors//:go_default_library",
diff --git a/router/cmd/router/main.go b/router/cmd/router/main.go
index acd3df1a77..8b5a5386c7 100644
--- a/router/cmd/router/main.go
+++ b/router/cmd/router/main.go
@@ -38,6 +38,7 @@ import (
 	"github.com/scionproto/scion/router/config"
 	"github.com/scionproto/scion/router/control"
 	api "github.com/scionproto/scion/router/mgmtapi"
+	_ "github.com/scionproto/scion/router/underlayproviders/afpacketudpip"
 	_ "github.com/scionproto/scion/router/underlayproviders/udpip"
 )
 
diff --git a/router/config/config.go b/router/config/config.go
index 37e70547b2..37d8a67c00 100644
--- a/router/config/config.go
+++ b/router/config/config.go
@@ -52,8 +52,9 @@ type RouterConfig struct {
 	// configured router in the context of acceptance tests. However, this
 	// introduces two sources for the port configuration. We should remove this
 	// and adapt the acceptance tests.
-	DispatchedPortStart *int `toml:"dispatched_port_start,omitempty"`
-	DispatchedPortEnd   *int `toml:"dispatched_port_end,omitempty"`
+	DispatchedPortStart *int              `toml:"dispatched_port_start,omitempty"`
+	DispatchedPortEnd   *int              `toml:"dispatched_port_end,omitempty"`
+	PreferredUnderlays  map[string]string `toml:"preferred_underlays,omitempty"`
 }
 
 // BFD configuration. Unfortunately cannot be shared with topology.BFD
@@ -147,6 +148,9 @@ func (cfg *RouterConfig) InitDefaults() {
 	if cfg.BFD.RequiredMinRxInterval.Duration == 0 {
 		cfg.BFD.RequiredMinRxInterval = util.DurWrap{Duration: 200 * time.Millisecond}
 	}
+	if cfg.PreferredUnderlays == nil {
+		cfg.PreferredUnderlays = map[string]string{"udpip": "afpacket"}
+	}
 }
 
 func (cfg *RouterConfig) Sample(dst io.Writer, path config.Path, ctx config.CtxMap) {
diff --git a/router/connector.go b/router/connector.go
index 4b8c9916e3..829c2da513 100644
--- a/router/connector.go
+++ b/router/connector.go
@@ -57,6 +57,7 @@ func NewConnector(config config.RouterConfig, features env.Features) *Connector
 				BatchSize:             config.BatchSize,
 				ReceiveBufferSize:     config.ReceiveBufferSize,
 				SendBufferSize:        config.SendBufferSize,
+				PreferredUnderlays:    config.PreferredUnderlays,
 			},
 			features.ExperimentalSCMPAuthentication,
 		),
@@ -82,7 +83,7 @@ func (c *Connector) CreateIACtx(ia addr.IA) error {
 
 // AddInternalInterface adds the internal interface.
 func (c *Connector) AddInternalInterface(
-	ia addr.IA, localHost addr.Host, provider, localAddr string) error {
+	ia addr.IA, localHost addr.Host, protocol, localAddr string) error {
 
 	c.mtx.Lock()
 	defer c.mtx.Unlock()
@@ -92,10 +93,10 @@ func (c *Connector) AddInternalInterface(
 	}
 	c.internalInterfaces = append(c.internalInterfaces, control.InternalInterface{
 		IA:       ia,
-		Provider: provider,
+		Protocol: protocol,
 		Addr:     localAddr,
 	})
-	return c.DataPlane.AddInternalInterface(localHost, provider, localAddr)
+	return c.DataPlane.AddInternalInterface(localHost, protocol, localAddr)
 }
 
 // AddExternalInterface adds a link between the local and remote address.
@@ -108,6 +109,7 @@ func (c *Connector) AddExternalInterface(
 	log.Debug("Adding external interface", "interface", localIfID,
 		"local_isd_as", link.Local.IA, "local_addr", link.Local.Addr,
 		"remote_isd_as", link.Remote.IA, "remote_addr", link.Remote.Addr,
+		"link_options", link.Options,
 		"owned", owned,
 		"link_bfd_configured", link.BFD.Disable != nil,
 		"link_bfd_enabled", link.BFD.Disable == nil || !*link.BFD.Disable,
@@ -151,7 +153,7 @@ func (c *Connector) AddExternalInterface(
 func (c *Connector) AddSvc(ia addr.IA, svc addr.SVC, a addr.Host, p uint16) error {
 	c.mtx.Lock()
 	defer c.mtx.Unlock()
-	log.Debug("Adding service", "isd_as", ia, "svc", svc, "address", a)
+	log.Debug("Adding service", "isd_as", ia, "svc", svc, "address", a, "port", p)
 	if !c.ia.Equal(ia) {
 		return serrors.JoinNoStack(errMultiIA, nil, "current", c.ia, "new", a)
 	}
diff --git a/router/control/conf.go b/router/control/conf.go
index f56fb771a6..66243e2a08 100644
--- a/router/control/conf.go
+++ b/router/control/conf.go
@@ -33,7 +33,7 @@ import (
 // Dataplane.
 type Dataplane interface {
 	CreateIACtx(ia addr.IA) error
-	AddInternalInterface(ia addr.IA, localHost addr.Host, provider, local string) error
+	AddInternalInterface(ia addr.IA, localHost addr.Host, protocol, local string) error
 	AddExternalInterface(
 		localIfID iface.ID, info LinkInfo, localHost, remoteHost addr.Host, owned bool) error
 	AddSvc(ia addr.IA, svc addr.SVC, a addr.Host, port uint16) error
@@ -48,9 +48,10 @@ type BFD topology.BFD
 // LinkInfo contains the information about a link between an internal and
 // external router.
 type LinkInfo struct {
-	Provider string
+	Protocol string
 	Local    LinkEnd
 	Remote   LinkEnd
+	Options  string // Optional, underlay protocol specific link configuration
 	Instance string
 	LinkTo   topology.LinkType
 	BFD      BFD
@@ -73,8 +74,8 @@ type ObservableDataplane interface {
 // InternalInterface represents the internal underlay interface of a router.
 type InternalInterface struct {
 	IA       addr.IA
-	Provider string // Name of the underlay provider.
-	Addr     string // Configuration: interpreted by underlay.
+	Protocol string // Name of the underlay protocol for which the address is meaningful
+	Addr     string // Configuration: interpreted by the underlay provider.
 }
 
 // ExternalInterface represents an external underlay interface of a router.
@@ -139,15 +140,18 @@ func ConfigDataplane(dp Dataplane, cfg *Config) error {
 		}
 	}
 
-	// Add internal interfaces
+	// Set Endhost port range. This is needed while adding interfaces.
+	dp.SetPortRange(cfg.Topo.PortRange())
+
 	if cfg.BR != nil {
+		// Add internal interfaces
 		if cfg.BR.InternalAddr != (netip.AddrPort{}) {
 			// The assumption that BR.InternalAddr is a netip address is endemic. Eradicating it
 			// will take a long time. Play along for now. The router is no-longer contagious.
 			host := addr.HostIP(cfg.BR.InternalAddr.Addr())
-			provider := "udpip" // Since BR.InternalInterface is always a netip.AddrPort
+			protocol := "udpip" // Since BR.InternalInterface is always a netip.AddrPort
 			addr := cfg.BR.InternalAddr.String()
-			if err := dp.AddInternalInterface(cfg.IA, host, provider, addr); err != nil {
+			if err := dp.AddInternalInterface(cfg.IA, host, protocol, addr); err != nil {
 				return err
 			}
 		} // else TODO: what legitimate reason would there be to not have an internal addr?
@@ -157,12 +161,14 @@ func ConfigDataplane(dp Dataplane, cfg *Config) error {
 			return err
 		}
 	}
-	// Set SVC services, a.k.a. SVC resolution
+
+	// Set SVC services, a.k.a. SVC resolution. This must be done last; once all the underlay
+	// providers have been instantiated; which happens when first adding a link that needs a
+	// provider.
 	if err := confServices(dp, cfg); err != nil {
 		return err
 	}
-	// Set Endhost port range
-	dp.SetPortRange(cfg.Topo.PortRange())
+
 	return nil
 }
 
@@ -194,7 +200,7 @@ func confExternalInterfaces(dp Dataplane, cfg *Config) error {
 	for _, ifID := range ifIDs {
 		iface := infoMap[ifID]
 		linkInfo := LinkInfo{
-			Provider: iface.Provider,
+			Protocol: iface.Protocol,
 			Local: LinkEnd{
 				IA:   cfg.IA,
 				Addr: iface.Local,
@@ -205,6 +211,7 @@ func confExternalInterfaces(dp Dataplane, cfg *Config) error {
 				Addr: iface.Remote,
 				IfID: iface.RemoteIfID,
 			},
+			Options:  iface.Options,
 			Instance: iface.BRName,
 			BFD:      BFD(iface.BFD),
 			LinkTo:   iface.LinkType,
@@ -238,7 +245,7 @@ func confExternalInterfaces(dp Dataplane, cfg *Config) error {
 			// point-of-view of the local router, the traffic must go through an intermediate
 			// link that connects the local router to its sibling. Until the config schema catches
 			// up, we use internal interfaces for sibling links.
-			linkInfo.Provider = "udpip" // For now, all internal interfaces use udp/ip.
+			linkInfo.Protocol = "udpip" // For now, all internal interfaces use udp/ip.
 			linkInfo.Local.Addr = cfg.BR.InternalAddr.String()
 			linkInfo.Remote.Addr = iface.InternalAddr.String() // i.e. via sibling router.
 			localHost = addr.HostIP(cfg.BR.InternalAddr.Addr())
diff --git a/router/dataplane.go b/router/dataplane.go
index 3e8466d3cb..b337a9cbdb 100644
--- a/router/dataplane.go
+++ b/router/dataplane.go
@@ -24,6 +24,7 @@ import (
 	"fmt"
 	"hash"
 	"math"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -89,16 +90,45 @@ type BatchConn interface {
 }
 
 // underlayProviders is a map of our underlay providers. Each entry associates a name with a
-// NewProviderFn. A new instance of that provider is created by every invocation so multiple
+// descriptor. A new instance of that provider is created by every invocation of New, so multiple
 // dataplane instances can co-exist (as is routinely done by tests).
-var underlayProviders map[string]NewProviderFn
+var underlayProviders map[string]UnderlayProvider
 
-// AddUnderlay registers the named factory function.
-func AddUnderlay(name string, newProvider func(int, int, int) UnderlayProvider) {
+// AddUnderlayProvider registers an underlay implementation.
+// If a provider by the same name is already registered, we keep the new one.
+func AddUnderlayProvider(name string, newProv UnderlayProvider) {
 	if underlayProviders == nil {
-		underlayProviders = make(map[string]NewProviderFn)
+		underlayProviders = make(map[string]UnderlayProvider)
 	}
-	underlayProviders[name] = newProvider
+	underlayProviders[name] = newProv
+}
+
+func underlayProvider(protocol string, preferrence map[string]string) (UnderlayProvider, bool) {
+	// The preference map gives us an implementation name for a protocol name.
+	// Underlay implementations register with a name of the form "protocol[:implementation]".
+	if u, found := underlayProviders[protocol+":"+preferrence[protocol]]; found {
+		return u, true
+	}
+
+	// The preference is not available or there is no preference (and no "<protocol>:" registered).
+	// See if there's an underlay with no specified implementation that matches the protocol.
+	if u, found := underlayProviders[protocol]; found {
+		return u, true
+	}
+
+	// Fall back to any "<protocol>:<implementation>". Go map iteration order is unspecified, so
+	// pick the lexicographically smallest matching name to keep the choice stable across runs.
+	wanted := protocol + ":"
+	best, found := "", false
+	for k := range underlayProviders {
+		if strings.HasPrefix(k, wanted) && (!found || k < best) {
+			best, found = k, true
+		}
+	}
+	if !found {
+		return nil, false
+	}
+	return underlayProviders[best], true
+}
 
 type disposition int
@@ -139,7 +169,7 @@ type Packet struct {
 	egress uint16
 	// The type of traffic. This is used for metrics at the forwarding stage, but is most
 	// economically determined at the processing stage. So store it here. It's 2 bytes long.
-	trafficType trafficType
+	TrafficType trafficType
 	// Pad to 64 bytes. For 64bit arch, add 1 byte. For 32bit arch, add 29 bytes.
 	_ [1 + is32bit*28]byte
 }
@@ -174,16 +204,27 @@ func (p *Packet) reset(headroom int) {
 	// Everything else is reset to zero value.
 }
 
-// WithHeader returns the a slice of the underlying packet buffer that represents the same bytes as
+// WithHeader returns a slice of the underlying packet buffer that represents the same bytes as
 // p.rawPacket[:] plus the n prededing bytes. This slice is meant to be used when receiving a raw
 // packet with an n bytes header, such that the payload is exactly at p.rawPacket[0:]. p.RawPacket
 // is *not* modified. This method panics if n is greater than the available headroom in the packet
 // buffer.
 func (p *Packet) WithHeader(n int) []byte {
-	headroom := len(p.buffer) - cap(p.RawPacket) - n
+	start := len(p.buffer) - cap(p.RawPacket) // Where rawPacket starts in the buffer
+	end := start + len(p.RawPacket)           // Where rawPacket ends in the buffer
+
+	// n>start is a panicable offense.
+	return p.buffer[start-n : end]
+}
 
-	// A negative value is a panicable offense.
-	return p.buffer[headroom:]
+// HeadBytes returns a slice of bytes of the requested size borrowed from the head of the packet
+// buffer. This space can be used safely by an underlay to store data on ingest and retrieve it on
+// egress; should the same underlay perform both operations. The data is protected against
+// overwrites provided that the value of n is counted in the underlay's headroom requirements.
+//
+// n is the size of the slice to be borrowed from the head of the packet buffer.
+func (p *Packet) HeadBytes(n int) []byte {
+	return p.buffer[0:n]
 }
 
 // PacketPool allocates and resets packets. There is one packet pool per instance of the dataplane,
@@ -212,6 +253,11 @@ func (p *PacketPool) Put(pkt *Packet) {
 
 }
 
+// ResetPacket resets the packet as if it had been obtained from Get.
+func (p *PacketPool) ResetPacket(pkt *Packet) {
+	pkt.reset(p.headroom)
+}
+
 // makePacketPool creates a packetpool of size poolSize, that configures packet buffers with the
 // given headroom. The pool is initially empty. Packets must be added separately.
 func makePacketPool(poolSize, headroom int) PacketPool {
@@ -222,7 +268,7 @@ func makePacketPool(poolSize, headroom int) PacketPool {
 // from multiple sockets, performs routing, and sends them to their destinations
 // (after updating the path, if that is needed).
 type dataPlane struct {
-	underlays           map[string]UnderlayProvider
+	underlays           map[string]Underlay
 	interfaces          [math.MaxUint16 + 1]Link
 	numInterfaces       int
 	linkTypes           [math.MaxUint16 + 1]topology.LinkType
@@ -240,9 +286,9 @@ type dataPlane struct {
 	RunConfig                      RunConfig
 
 	// The pool that stores all the packet buffers as described in the design document. See
-	// https://github.com/scionproto/scion/blob/master/doc/dev/design/BorderRouter.rst
-	// To avoid garbage collection, most the meta-data that is produced during the processing of a
-	// packet is kept in a data structure (packet struct) that is pooled and recycled along with
+	// https://github.com/scionproto/scion/blob/master/doc/dev/design/BorderRouter.rst To avoid
+	// garbage collection, most the meta-data that is produced during the processing of a packet is
+	// kept in a data structure (packet struct) that is pooled and recycled along with the
 	// corresponding packet buffer. The packet struct refers permanently to the packet buffer. The
 	// packet structure is fetched from the pool passed-around through the various channels and
 	// returned to the pool. To reduce the cost of copying, the packet structure is passed by
@@ -318,12 +364,15 @@ func newDataPlane(runConfig RunConfig, authSCMP bool) *dataPlane {
 // copy.
 func makeDataPlane(runConfig RunConfig, authSCMP bool) dataPlane {
 	// So many tests need the udpip underlay provider instantiated early that we do it here rather
-	// than in AddInternalInterface. Currently there can be no dataplane without the udpip provider,
+	// than in AddInternalInterface. Currently there can be no dataplane without a udpip provider,
 	// therefore not having a registered factory for it is a panicable offsense. We have no plan B.
-
+	udpip, exists := underlayProvider("udpip", runConfig.PreferredUnderlays)
+	if !exists {
+		panic("No udpip underlay implementation available")
+	}
 	return dataPlane{
-		underlays: map[string]UnderlayProvider{
-			"udpip": underlayProviders["udpip"](
+		underlays: map[string]Underlay{
+			"udpip": udpip.New(
 				runConfig.BatchSize,
 				runConfig.SendBufferSize,
 				runConfig.ReceiveBufferSize,
@@ -418,7 +467,7 @@ func (d *dataPlane) SetPortRange(start, end uint16) {
 // called on a not yet running dataplane. Note that localHost is a SCION host address. It currently
 // mirrors localAddr, which is the address on the local underlay network, but that could change
 // in the future. This is not the router's decision.
-func (d *dataPlane) AddInternalInterface(localHost addr.Host, provider, localAddr string) error {
+func (d *dataPlane) AddInternalInterface(localHost addr.Host, protocol, localAddr string) error {
 	d.mtx.Lock()
 	defer d.mtx.Unlock()
 	if d.isRunning() {
@@ -430,10 +479,13 @@ func (d *dataPlane) AddInternalInterface(localHost addr.Host, provider, localAdd
 
 	// The internal network underlay is instantiated at construction to simplify some tests. Things
 	// would become a lot more complicated if we ever supported multiple internal underlays.
-	internalUnderlay := d.underlays[provider]
+	internalUnderlay := d.underlays[protocol]
 	if internalUnderlay == nil {
-		return serrors.JoinNoStack(errNoSuchUnderlay, nil, "provider", provider)
+		return serrors.JoinNoStack(errNoSuchUnderlay, nil, "protocol", protocol)
 	}
+	internalUnderlay.SetDispatchPorts(d.dispatchedPortStart, d.dispatchedPortEnd,
+		topology.EndhostPort)
+
 	iMetrics := newInterfaceMetrics(d.Metrics, 0, d.localIA, "", d.neighborIAs[0])
 	lk, err := internalUnderlay.NewInternalLink(localAddr, d.RunConfig.BatchSize, iMetrics)
 	if err != nil {
@@ -469,18 +521,19 @@ func (d *dataPlane) AddExternalInterface(
 		return errEmptyValue
 	}
 
-	underlay, instantiated := d.underlays[link.Provider]
+	underlay, instantiated := d.underlays[link.Protocol]
 	if !instantiated {
-		underlayProvider, exists := underlayProviders[link.Provider]
+		underlayProvider, exists := underlayProvider(link.Protocol, d.RunConfig.PreferredUnderlays)
 		if !exists {
-			panic(fmt.Sprintf("no provider for underlay: %q", link.Provider))
+			panic(fmt.Sprintf("no provider for underlay protocol: %q", link.Protocol))
 		}
-		underlay = underlayProvider(
+		underlay = underlayProvider.New(
 			d.RunConfig.BatchSize,
 			d.RunConfig.SendBufferSize,
 			d.RunConfig.ReceiveBufferSize,
 		)
-		d.underlays[link.Provider] = underlay
+		underlay.SetDispatchPorts(d.dispatchedPortStart, d.dispatchedPortEnd, topology.EndhostPort)
+		d.underlays[link.Protocol] = underlay
 	}
 	d.linkTypes[ifID] = link.LinkTo
 
@@ -490,6 +543,7 @@ func (d *dataPlane) AddExternalInterface(
 		bfd,
 		link.Local.Addr,
 		link.Remote.Addr,
+		link.Options,
 		ifID,
 		iMetrics)
 	if err != nil {
@@ -615,18 +669,19 @@ func (d *dataPlane) AddNextHop(
 	if link.Remote.Addr == "" {
 		return errEmptyValue
 	}
-	underlay, instantiated := d.underlays[link.Provider]
+	underlay, instantiated := d.underlays[link.Protocol]
 	if !instantiated {
-		underlayProvider, exists := underlayProviders[link.Provider]
+		underlayProvider, exists := underlayProvider(link.Protocol, d.RunConfig.PreferredUnderlays)
 		if !exists {
-			panic(fmt.Sprintf("no provider for underlay: %q", link.Provider))
+			panic(fmt.Sprintf("no provider for underlay protocol: %q", link.Protocol))
 		}
-		underlay = underlayProvider(
+		underlay = underlayProvider.New(
 			d.RunConfig.BatchSize,
 			d.RunConfig.SendBufferSize,
 			d.RunConfig.ReceiveBufferSize,
 		)
-		d.underlays[link.Provider] = underlay
+		underlay.SetDispatchPorts(d.dispatchedPortStart, d.dispatchedPortEnd, topology.EndhostPort)
+		d.underlays[link.Protocol] = underlay
 	}
 	d.linkTypes[ifID] = link.LinkTo
 
@@ -636,7 +691,7 @@ func (d *dataPlane) AddNextHop(
 	iMetrics := newInterfaceMetrics(
 		d.Metrics, ifID, d.localIA, link.Remote.Addr, d.neighborIAs[ifID])
 	lk, err := underlay.NewSiblingLink(
-		d.RunConfig.BatchSize, bfd, link.Local.Addr, link.Remote.Addr, iMetrics)
+		d.RunConfig.BatchSize, bfd, link.Local.Addr, link.Remote.Addr, link.Options, iMetrics)
 	if err != nil {
 		return err
 	}
@@ -685,6 +740,7 @@ type RunConfig struct {
 	BatchSize             int
 	ReceiveBufferSize     int
 	SendBufferSize        int
+	PreferredUnderlays    map[string]string
 }
 
 func (d *dataPlane) Run(ctx context.Context) error {
@@ -824,10 +880,7 @@ func (d *dataPlane) runProcessor(id int, q <-chan *Packet, slowQ chan<- *Packet)
 			metrics[sc].DroppedPacketsInvalid.Inc()
 			continue
 		}
-		if !fwLink.Send(p) {
-			d.packetPool.Put(p)
-			metrics[sc].DroppedPacketsBusyForwarder.Inc()
-		}
+		fwLink.Send(p)
 	}
 }
 
@@ -857,9 +910,7 @@ func (d *dataPlane) runSlowPathProcessor(id int, q <-chan *Packet) {
 			d.packetPool.Put(p)
 			continue
 		}
-		if !egressLink.Send(p) {
-			d.packetPool.Put(p)
-		}
+		egressLink.Send(p)
 	}
 }
 
@@ -918,6 +969,10 @@ func (p *slowPathPacketProcessor) processPacket(pkt *Packet) error {
 	if err != nil {
 		return err
 	}
+
+	// Difficult to draw a hard line, but let's say that from here on, this packet is no longer
+	// an incoming packet, but is a slowpath packet (i.e. an error response).
+	pkt.TrafficType = ttSlowPath
 	pathType := p.scionLayer.PathType
 	switch pathType {
 	case scion.PathType:
@@ -982,10 +1037,10 @@ func newPacketProcessor(d *dataPlane) *scionPacketProcessor {
 	return p
 }
 
-func (p *scionPacketProcessor) reset() error {
+func (p *scionPacketProcessor) reset() {
 	p.pkt = nil
 	p.ingressFromLink = 0
-	// p.scionLayer // cannot easily be reset
+	// p.scionLayer // cannot easily be reset but no need (so far).
 	p.path = nil
 	p.hopField = path.HopField{}
 	p.infoField = path.InfoField{}
@@ -997,7 +1052,6 @@ func (p *scionPacketProcessor) reset() error {
 	p.hbhLayer = slayers.HopByHopExtnSkipper{}
 	// Reset e2e layer
 	p.e2eLayer = slayers.EndToEndExtnSkipper{}
-	return nil
 }
 
 // Convenience function to log an error and return the pDiscard disposition.
@@ -1008,9 +1062,7 @@ func errorDiscard(ctx ...any) disposition {
 }
 
 func (p *scionPacketProcessor) processPkt(pkt *Packet) disposition {
-	if err := p.reset(); err != nil {
-		return errorDiscard("error", err)
-	}
+	p.reset()
 	p.pkt = pkt
 	p.ingressFromLink = pkt.Link.IfID()
 
@@ -1173,7 +1225,7 @@ func (p *slowPathPacketProcessor) packSCMP(
 
 	// We're about to send a packet that has little to do with the one we received.
 	// The original traffic type, if one had been set, no-longer applies.
-	p.pkt.trafficType = ttOther
+	p.pkt.TrafficType = ttOther
 
 	// The packet does not need any addressing: the slowpath processor always sends the packet back
 	// on the link that delivered it (p.pkt.link). In case the link is an unconnected one, it did
@@ -1267,8 +1319,7 @@ func (p *scionPacketProcessor) validateIngressID() disposition {
 		errCode = slayers.SCMPCodeUnknownHopFieldEgress
 	}
 	if p.ingressFromLink != 0 && p.ingressFromLink != hdrIngressID {
-		log.Debug("SCMP response", "cause", errIngressInterfaceInvalid,
-			"pkt_ingress", hdrIngressID, "router_ingress", p.ingressFromLink)
+		log.Debug("SCMP response", "cause", errIngressInterfaceInvalid)
 		p.pkt.slowPathRequest = slowPathRequest{
 			spType:  slowPathType(slayers.SCMPTypeParameterProblem),
 			code:    errCode,
@@ -1283,22 +1334,26 @@ func (p *scionPacketProcessor) validateSrcDstIA() disposition {
 	srcIsLocal := (p.scionLayer.SrcIA == p.d.localIA)
 	dstIsLocal := (p.scionLayer.DstIA == p.d.localIA)
 	if p.ingressFromLink == 0 {
-		// Outbound
+		// Ingested via internal or sibling link. Therefore may only go to a different AS.
 		// Only check SrcIA if first hop, for transit this already checked by ingress router.
 		// Note: SCMP error messages triggered by the sibling router may use paths that
 		// don't start with the first hop.
 		if p.path.IsFirstHop() && !srcIsLocal {
+			// This is absurd; gross error or forgery attempt.
 			return p.respInvalidSrcIA()
 		}
 		if dstIsLocal {
+			// That would be hairpin; not allowed.
 			return p.respInvalidDstIA()
 		}
 	} else {
-		// Inbound
+		// In via external Link (may only be local dst or transit).
 		if srcIsLocal {
+			// Absurd: path can't contain its starting point more than once.
 			return p.respInvalidSrcIA()
 		}
 		if p.path.IsLastHop() != dstIsLocal {
+			// How did it get here?
 			return p.respInvalidDstIA()
 		}
 	}
@@ -1749,7 +1804,7 @@ func (p *scionPacketProcessor) process() disposition {
 		if disp != pForward {
 			return disp
 		}
-		p.pkt.trafficType = ttIn
+		p.pkt.TrafficType = ttIn
 		return pForward
 	}
 
@@ -1809,13 +1864,13 @@ func (p *scionPacketProcessor) process() disposition {
 			// Therefore it is BRTransit
 			tt = ttBrTransit
 		}
-		p.pkt.trafficType = tt
+		p.pkt.TrafficType = tt
 		return pForward
 	}
 
 	// ASTransit in: pkt leaving this AS through another BR.
 	// We already know the egressID is valid. The packet can go straight to forwarding.
-	p.pkt.trafficType = ttInTransit
+	p.pkt.TrafficType = ttInTransit
 	return pForward
 }
 
@@ -2071,7 +2126,7 @@ func updateSCIONLayer(rawPkt []byte, s slayers.SCION) error {
 	payloadOffset := len(rawPkt) - len(s.LayerPayload())
 
 	// Prepends must go just before payload. (and any Append will wreck it)
-	serBuf := newSerializeProxyStart(rawPkt, payloadOffset)
+	serBuf := NewSerializeProxyStart(rawPkt, payloadOffset)
 	return s.SerializeTo(&serBuf, gopacket.SerializeOptions{})
 }
 
@@ -2164,7 +2219,7 @@ func (b *bfdSend) Send(bfd *layers.BFD) error {
 
 	p := b.dataPlane.packetPool.Get()
 
-	serBuf := newSerializeProxy(p.RawPacket) // set for prepend-only by default. Perfect here.
+	serBuf := NewSerializeProxy(p.RawPacket) // set for prepend-only by default. Perfect here.
 
 	// serialized bytes lend directly into p.RawPacket (aligned at the end).
 	err := gopacket.SerializeLayers(&serBuf, gopacket.SerializeOptions{FixLengths: true},
@@ -2181,12 +2236,12 @@ func (b *bfdSend) Send(bfd *layers.BFD) error {
 	// the forwarding queue is an serious internal error. Let that panic.
 	fwLink := b.dataPlane.interfaces[b.ifID]
 
-	if !fwLink.Send(p) {
-		// We do not care if some BFD packets get bounced under high load. If it becomes a problem,
-		// the solution is do use BFD's demand-mode. To be considered in a future refactoring.
-		b.dataPlane.packetPool.Put(p)
-	}
-	return err
+	// We do not care if some BFD packets get bounced under high load. If it becomes a problem,
+	// the solution is to use BFD's demand-mode. To be considered in a future refactoring.
+	// TODO(jiceatscion): the underlay will still count a dropped packet. We might want to avoid
+	// that.
+	fwLink.Send(p)
+	return nil
 }
 
 func (p *slowPathPacketProcessor) prepareSCMP(
@@ -2324,7 +2379,7 @@ func (p *slowPathPacketProcessor) prepareSCMP(
 		if hdrLen+p.d.underlayHeadroom > headroom {
 			// Not enough headroom. Pack at end.
 			quote := p.pkt.RawPacket[:quoteLen]
-			serBuf = newSerializeProxy(p.pkt.RawPacket)
+			serBuf = NewSerializeProxy(p.pkt.RawPacket)
 			err = gopacket.SerializeLayers(&serBuf, sopts, &scmpH, scmpP, gopacket.Payload(quote))
 			if err != nil {
 				return serrors.JoinNoStack(
@@ -2332,10 +2387,10 @@ func (p *slowPathPacketProcessor) prepareSCMP(
 			}
 		} else {
 			// Serialize in front of the quoted packet. The quoted packet must be included in the
-			// serialize buffer before we pack the SCMP header in from of it. AppendBytes will do
+			// serialize buffer before we pack the SCMP header in front of it. AppendBytes will do
 			// that; it exposes the underlying buffer but doesn't modify it.
 			p.pkt.RawPacket = p.pkt.buffer[0:(quoteLen + headroom)]
-			serBuf = newSerializeProxyStart(p.pkt.RawPacket, headroom)
+			serBuf = NewSerializeProxyStart(p.pkt.RawPacket, headroom)
 			_, _ = serBuf.AppendBytes(quoteLen) // Implementation never fails.
 			err = scmpP.SerializeTo(&serBuf, sopts)
 			if err != nil {
@@ -2351,7 +2406,7 @@ func (p *slowPathPacketProcessor) prepareSCMP(
 	} else {
 		// We do not need to preserve the packet. Just pack our headers at the end of the buffer.
 		// (this is what serializeProxy does by default).
-		serBuf = newSerializeProxy(p.pkt.RawPacket)
+		serBuf = NewSerializeProxy(p.pkt.RawPacket)
 		err = gopacket.SerializeLayers(&serBuf, sopts, &scmpH, scmpP)
 		if err != nil {
 			return serrors.JoinNoStack(errCannotRoute, err, "details", "serializing SCMP message")
diff --git a/router/dataplane_internal_test.go b/router/dataplane_internal_test.go
index 91a4d71430..245dd154ac 100644
--- a/router/dataplane_internal_test.go
+++ b/router/dataplane_internal_test.go
@@ -216,7 +216,7 @@ func TestForwarder(t *testing.T) {
 		rh := addr.HostIP(netip.MustParseAddrPort(r.Addr).Addr())
 		nobfd := control.BFD{Disable: ptr.To(true)}
 		link := control.LinkInfo{
-			Provider: "udpip",
+			Protocol: "udpip",
 			Local:    l,
 			Remote:   r,
 			BFD:      nobfd,
diff --git a/router/dataplane_test.go b/router/dataplane_test.go
index 590653438e..1d29e71e09 100644
--- a/router/dataplane_test.go
+++ b/router/dataplane_test.go
@@ -123,13 +123,13 @@ func TestDataPlaneAddExternalInterface(t *testing.T) {
 	rh2 := addr.HostIP(netip.MustParseAddrPort(r2.Addr).Addr())
 	nobfd := control.BFD{Disable: ptr.To(true)}
 	link1 := control.LinkInfo{
-		Provider: "udpip",
+		Protocol: "udpip",
 		Local:    l,
 		Remote:   r1,
 		BFD:      nobfd,
 	}
 	link2 := control.LinkInfo{
-		Provider: "udpip",
+		Protocol: "udpip",
 		Local:    l,
 		Remote:   r2,
 		BFD:      nobfd,
@@ -148,7 +148,7 @@ func TestDataPlaneAddExternalInterface(t *testing.T) {
 		d := router.NewDPRaw(router.RunConfig{}, false)
 		d.SetConnOpener("udpip", router.MockConnOpener{Ctrl: ctrl})
 		link3 := control.LinkInfo{
-			Provider: "udpip",
+			Protocol: "udpip",
 			Local:    control.LinkEnd{},
 			Remote:   r1,
 			BFD:      nobfd,
@@ -161,7 +161,7 @@ func TestDataPlaneAddExternalInterface(t *testing.T) {
 		d := router.NewDPRaw(router.RunConfig{}, false)
 		d.SetConnOpener("udpip", router.MockConnOpener{Ctrl: ctrl})
 		link3 := control.LinkInfo{
-			Provider: "udpip",
+			Protocol: "udpip",
 			Local:    l,
 			Remote:   control.LinkEnd{},
 			BFD:      nobfd,
@@ -242,13 +242,13 @@ func TestDataPlaneAddNextHop(t *testing.T) {
 	rh2 := addr.HostIP(netip.MustParseAddrPort(r2.Addr).Addr())
 	nobfd := control.BFD{Disable: ptr.To(true)}
 	link1 := control.LinkInfo{
-		Provider: "udpip",
+		Protocol: "udpip",
 		Local:    l,
 		Remote:   r1,
 		BFD:      nobfd,
 	}
 	link2 := control.LinkInfo{
-		Provider: "udpip",
+		Protocol: "udpip",
 		Local:    l,
 		Remote:   r2,
 		BFD:      nobfd,
@@ -267,7 +267,7 @@ func TestDataPlaneAddNextHop(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		d.SetConnOpener("udpip", router.MockConnOpener{Ctrl: ctrl})
 		link3 := control.LinkInfo{
-			Provider: "udpip",
+			Protocol: "udpip",
 			Local:    control.LinkEnd{},
 			Remote:   r1,
 			BFD:      nobfd,
@@ -281,7 +281,7 @@ func TestDataPlaneAddNextHop(t *testing.T) {
 		ctrl := gomock.NewController(t)
 		d.SetConnOpener("udpip", router.MockConnOpener{Ctrl: ctrl})
 		link3 := control.LinkInfo{
-			Provider: "udpip",
+			Protocol: "udpip",
 			Local:    l,
 			Remote:   control.LinkEnd{},
 			BFD:      nobfd,
@@ -409,7 +409,7 @@ func TestDataPlaneRun(t *testing.T) {
 				rh := addr.HostIP(netip.MustParseAddrPort(r.Addr).Addr())
 				nobfd := control.BFD{Disable: ptr.To(true)}
 				link := control.LinkInfo{
-					Provider: "udpip",
+					Protocol: "udpip",
 					Local:    l,
 					Remote:   r,
 					BFD:      nobfd,
@@ -521,7 +521,7 @@ func TestDataPlaneRun(t *testing.T) {
 					}
 					rh := addr.HostIP(netip.MustParseAddrPort(r.Addr).Addr())
 					link := control.LinkInfo{
-						Provider: "udpip",
+						Protocol: "udpip",
 						Local:    l,
 						Remote:   r,
 						BFD:      bfd(),
@@ -558,7 +558,7 @@ func TestDataPlaneRun(t *testing.T) {
 				}
 				rh := addr.HostIP(netip.MustParseAddrPort(r.Addr).Addr())
 				link := control.LinkInfo{
-					Provider: "udpip",
+					Protocol: "udpip",
 					Local:    l,
 					Remote:   r,
 					BFD:      bfd(),
@@ -671,7 +671,7 @@ func TestDataPlaneRun(t *testing.T) {
 				rh := addr.HostIP(netip.MustParseAddrPort(r.Addr).Addr())
 
 				link := control.LinkInfo{
-					Provider: "udpip",
+					Protocol: "udpip",
 					Local:    l,
 					Remote:   r,
 					BFD:      bfd(),
@@ -766,7 +766,7 @@ func TestDataPlaneRun(t *testing.T) {
 				lh := addr.HostIP(netip.MustParseAddrPort(l.Addr).Addr())
 				rh := addr.HostIP(netip.MustParseAddrPort(r.Addr).Addr())
 				link := control.LinkInfo{
-					Provider: "udpip",
+					Protocol: "udpip",
 					Local:    l,
 					Remote:   r,
 					BFD:      bfd(),
diff --git a/router/export_test.go b/router/export_test.go
index 7062f33f49..9c5d519082 100644
--- a/router/export_test.go
+++ b/router/export_test.go
@@ -57,7 +57,7 @@ func (l *MockLink) Metrics() *InterfaceMetrics                           { retur
 func (l *MockLink) Scope() LinkScope                                     { return Internal }
 func (l *MockLink) BFDSession() *bfd.Session                             { return nil }
 func (l *MockLink) Resolve(p *Packet, host addr.Host, port uint16) error { return nil }
-func (l *MockLink) Send(p *Packet) bool                                  { return true }
+func (l *MockLink) Send(p *Packet)                                       {}
 func (l *MockLink) SendBlocking(p *Packet)                               {}
 
 var _ Link = new(MockLink)
@@ -165,7 +165,7 @@ func mustMakeDP(
 		}
 		rh := addr.HostIP(netip.MustParseAddrPort(r.Addr).Addr())
 		link := control.LinkInfo{
-			Provider: "udpip",
+			Protocol: "udpip",
 			Local:    l,
 			Remote:   r,
 			BFD:      nobfd,
@@ -188,7 +188,7 @@ func mustMakeDP(
 		}
 		rh := addr.HostIP(netip.MustParseAddrPort(r.Addr).Addr())
 		link := control.LinkInfo{
-			Provider: "udpip",
+			Protocol: "udpip",
 			Local:    l,
 			Remote:   r,
 			BFD:      nobfd,
@@ -270,7 +270,7 @@ func (d *DataPlane) ProcessPkt(pkt *Packet) Disposition {
 	p := newPacketProcessor(&d.dataPlane)
 	disp := p.processPkt(pkt)
 	// Erase trafficType; we don't set it in the expected results.
-	pkt.trafficType = ttOther
+	pkt.TrafficType = ttOther
 	return Disposition(disp)
 }
 
diff --git a/router/underlayproviders/udpip/fnv1acheap.go b/router/fnv1acheap.go
similarity index 92%
rename from router/underlayproviders/udpip/fnv1acheap.go
rename to router/fnv1acheap.go
index 02591c2a13..a21ee0c846 100644
--- a/router/underlayproviders/udpip/fnv1acheap.go
+++ b/router/fnv1acheap.go
@@ -12,18 +12,18 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package udpip
+package router
 
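-// fnv1aOffset32 is an initial offset that can be used as initial state when calling
-// hashFNV1a.
-const fnv1aOffset32 uint32 = 2166136261
+// Fnv1aOffset32 is an initial offset that can be used as initial state when calling
+// HashFNV1a.
+const Fnv1aOffset32 uint32 = 2166136261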
 
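-// hashFNV1a returns a hash value for the given initial state combined with the given byte.
-// To get a hash for a sequence of bytes, invoke for each byte, passing the returned value
-// of one call as the state for the next. Example. s1 = hashFNV1a(fnv1aOffset, byte1)
-// s2 = hashFNV1a(s1, byte2) etc. It is valid and recommended to use a value obtained
-// from calls to hashFNV1a() as the initial state rather than fnv1aOffset32 itself.
-func hashFNV1a(state uint32, c byte) uint32 {
+// HashFNV1a returns a hash value for the given initial state combined with the given byte.
+// To get a hash for a sequence of bytes, invoke for each byte, passing the returned value
+// of one call as the state for the next. Example: s1 = HashFNV1a(Fnv1aOffset32, byte1),
+// s2 = HashFNV1a(s1, byte2), etc. It is valid and recommended to use a value obtained
+// from calls to HashFNV1a() as the initial state rather than Fnv1aOffset32 itself.
+func HashFNV1a(state uint32, c byte) uint32 {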
 	const prime32 = 16777619
 	return (state ^ uint32(c)) * prime32
 }
diff --git a/router/metrics.go b/router/metrics.go
index e896db10c4..3667149980 100644
--- a/router/metrics.go
+++ b/router/metrics.go
@@ -90,7 +90,7 @@ func NewMetrics() *Metrics {
 				Name: "router_dropped_pkts_total",
 				Help: "Total number of packets dropped by the router.",
 			},
-			[]string{"interface", "isd_as", "neighbor_isd_as", "sizeclass", "reason"},
+			[]string{"interface", "isd_as", "neighbor_isd_as", "sizeclass", "type", "reason"},
 		),
 		InterfaceUp: promauto.NewGaugeVec(
 			prometheus.GaugeOpts{
@@ -182,6 +182,7 @@ const (
 	ttInTransit
 	ttOutTransit
 	ttBrTransit
+	ttSlowPath
 	ttMax
 )
 
@@ -265,7 +266,7 @@ type trafficMetrics struct {
 	InputPacketsTotal           prometheus.Counter
 	DroppedPacketsInvalid       prometheus.Counter
 	DroppedPacketsBusyProcessor prometheus.Counter
-	DroppedPacketsBusyForwarder prometheus.Counter
+	DroppedPacketsBusyForwarder [ttMax]prometheus.Counter
 	DroppedPacketsBusySlowPath  prometheus.Counter
 	ProcessedPackets            prometheus.Counter
 	Output                      [ttMax]outputMetrics
@@ -306,36 +307,40 @@ func newTrafficMetrics(
 		ProcessedPackets:  metrics.ProcessedPackets.MustCurryWith(ifLabels).With(scLabels),
 	}
 
-	// Output metrics have the extra "trafficType" label.
+	// Dropped metrics have the extra "Reason" label.
+	reasonMap := map[string]string{}
+
+	// Output metrics have the extra "type" (traffic type) label, and so do the dropped metrics
+	// with the reason "busy_forwarder".
+	reasonMap["reason"] = "busy_forwarder"
 	for t := ttOther; t < ttMax; t++ {
 		ttLabels := prometheus.Labels{"type": t.String()}
 		c.Output[t] = newOutputMetrics(metrics, ifLabels, scLabels, ttLabels)
+		c.DroppedPacketsBusyForwarder[t] = metrics.DroppedPacketsTotal.MustCurryWith(
+			ifLabels).MustCurryWith(scLabels).MustCurryWith(ttLabels).With(reasonMap)
+		c.DroppedPacketsBusyForwarder[t].Add(0)
 	}
 
-	// Dropped metrics have the extra "Reason" label.
-	reasonMap := map[string]string{}
-
+	ttLabels := prometheus.Labels{"type": ttOther.String()}
 	reasonMap["reason"] = "invalid"
 	c.DroppedPacketsInvalid =
-		metrics.DroppedPacketsTotal.MustCurryWith(ifLabels).MustCurryWith(scLabels).With(reasonMap)
+		metrics.DroppedPacketsTotal.MustCurryWith(ifLabels).MustCurryWith(scLabels).MustCurryWith(
+			ttLabels).With(reasonMap)
 
 	reasonMap["reason"] = "busy_processor"
 	c.DroppedPacketsBusyProcessor =
-		metrics.DroppedPacketsTotal.MustCurryWith(ifLabels).MustCurryWith(scLabels).With(reasonMap)
-
-	reasonMap["reason"] = "busy_forwarder"
-	c.DroppedPacketsBusyForwarder =
-		metrics.DroppedPacketsTotal.MustCurryWith(ifLabels).MustCurryWith(scLabels).With(reasonMap)
+		metrics.DroppedPacketsTotal.MustCurryWith(ifLabels).MustCurryWith(scLabels).MustCurryWith(
+			ttLabels).With(reasonMap)
 
 	reasonMap["reason"] = "busy_slow_path"
 	c.DroppedPacketsBusySlowPath =
-		metrics.DroppedPacketsTotal.MustCurryWith(ifLabels).MustCurryWith(scLabels).With(reasonMap)
+		metrics.DroppedPacketsTotal.MustCurryWith(ifLabels).MustCurryWith(scLabels).MustCurryWith(
+			ttLabels).With(reasonMap)
 
 	c.InputBytesTotal.Add(0)
 	c.InputPacketsTotal.Add(0)
 	c.DroppedPacketsInvalid.Add(0)
 	c.DroppedPacketsBusyProcessor.Add(0)
-	c.DroppedPacketsBusyForwarder.Add(0)
 	c.DroppedPacketsBusySlowPath.Add(0)
 	c.ProcessedPackets.Add(0)
 	return c
@@ -408,7 +413,7 @@ func UpdateOutputMetrics(metrics *InterfaceMetrics, packets []*Packet) {
 	for _, p := range packets {
 		s := len(p.RawPacket)
 		sc := ClassOfSize(s)
-		tt := p.trafficType
+		tt := p.TrafficType
 		writtenPkts[tt][sc]++
 		writtenBytes[tt][sc] += s
 	}
diff --git a/router/serialize_proxy.go b/router/serialize_proxy.go
index 7f18c4e8fb..ea15a232fd 100644
--- a/router/serialize_proxy.go
+++ b/router/serialize_proxy.go
@@ -35,16 +35,16 @@ type serializeProxy struct {
 	layers  []gopacket.LayerType
 }
 
-// newSerializeProxy returns a new serializeProxy. The initial prepend/append point is set to the
+// NewSerializeProxy returns a new serializeProxy. The initial prepend/append point is set to the
 // end of the buffer in anticipation of AppendBytes never being used. The prepend/append point can
 // be changed when calling clear().
-func newSerializeProxy(buf []byte) serializeProxy {
-	return newSerializeProxyStart(buf, cap(buf))
+func NewSerializeProxy(buf []byte) serializeProxy {
+	return NewSerializeProxyStart(buf, cap(buf))
 }
 
-// newSerializeProxyStart returns a new serializeProxy. The initial prepend/append point is set to
+// NewSerializeProxyStart returns a new serializeProxy. The initial prepend/append point is set to
 // the given start value. This has the same effect as calling clear(start).
-func newSerializeProxyStart(buf []byte, start int) serializeProxy {
+func NewSerializeProxyStart(buf []byte, start int) serializeProxy {
 	serBuf := serializeProxy{
 		data: buf,
 	}
diff --git a/router/underlay.go b/router/underlay.go
index 5e8cb44bd7..ac93fad3d5 100644
--- a/router/underlay.go
+++ b/router/underlay.go
@@ -60,7 +60,7 @@ type Link interface {
 	// Resolve finds and sets the packet's internal underlay destination for the given dst and port.
 	Resolve(p *Packet, dst addr.Host, port uint16) error
 	// Send queues the packet for sending over this link; discarding if the queue is full.
-	Send(p *Packet) bool
+	Send(p *Packet)
 	// SendBlocking queues the packet for sending over this link; blocking while the queue is full.
 	SendBlocking(p *Packet)
 }
@@ -69,11 +69,7 @@ type Link interface {
 //
 // For any given underlay, there are three kinds of Link implementations to choose from. The
 // difference between them is the intent regarding addressing.
-//
-// TODO(multi_underlay): The local internal address is explicitly a udpip underlay address as the
-// main router code as well as the entire end-host stack still assume that the internal network
-// underlay is always "udp/ip".
-type UnderlayProvider interface {
+type Underlay interface {
 
 	// SetConnOpener is a unit testing device: it allows the replacement of the function
 	// that opens new underlay connections. Underlay implementations can, at their
@@ -127,6 +123,7 @@ type UnderlayProvider interface {
 		bfd *bfd.Session,
 		local string,
 		remote string,
+		options string,
 		ifID uint16,
 		metrics *InterfaceMetrics,
 	) (Link, error)
@@ -140,6 +137,7 @@ type UnderlayProvider interface {
 		bfd *bfd.Session,
 		local string,
 		remote string,
+		options string,
 		metrics *InterfaceMetrics,
 	) (Link, error)
 
@@ -149,5 +147,7 @@ type UnderlayProvider interface {
 	NewInternalLink(localAddr string, qSize int, metrics *InterfaceMetrics) (Link, error)
 }
 
-// NewProviderFn is a function that instantiates an underlay provider.
-type NewProviderFn func(batchSize, receiveBufferSize, sendBufferSize int) UnderlayProvider
+// UnderlayProvider allows the instantiation of an Underlay.
+type UnderlayProvider interface {
+	New(batchSize, receiveBufferSize, sendBufferSize int) Underlay
+}
diff --git a/router/underlay_import_test.go b/router/underlay_import_test.go
index 2953d46af3..64b5d07c79 100644
--- a/router/underlay_import_test.go
+++ b/router/underlay_import_test.go
@@ -27,3 +27,7 @@ import (
 // in the same test without the router package importing it.
 //
 // Outside of tests, underlay providers are imported by the main or config packages.
+//
+// Note that tests have expectations about which underlay provider is installed: the afpacket
+// underlay provider wouldn't do. Do not import both: the afpacket implementation has the same
+// name and a higher precedence.
diff --git a/router/underlayproviders/afpacketudpip/BUILD.bazel b/router/underlayproviders/afpacketudpip/BUILD.bazel
new file mode 100644
index 0000000000..94e69c2300
--- /dev/null
+++ b/router/underlayproviders/afpacketudpip/BUILD.bazel
@@ -0,0 +1,29 @@
+load("@rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "afpacketudpip.go",
+        "internallink.go",
+        "mmsg.go",
+        "neighbors.go",
+        "ptplink.go",
+        "udpconnection.go",
+    ],
+    importpath = "github.com/scionproto/scion/router/underlayproviders/afpacketudpip",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/addr:go_default_library",
+        "//pkg/log:go_default_library",
+        "//pkg/private/serrors:go_default_library",
+        "//pkg/slayers:go_default_library",
+        "//private/underlay/conn:go_default_library",
+        "//private/underlay/ebpf:go_default_library",
+        "//router:go_default_library",
+        "//router/bfd:go_default_library",
+        "@com_github_gopacket_gopacket//:go_default_library",
+        "@com_github_gopacket_gopacket//afpacket:go_default_library",
+        "@com_github_gopacket_gopacket//layers:go_default_library",
+        "@org_golang_x_sys//unix:go_default_library",
+    ],
+)
diff --git a/router/underlayproviders/afpacketudpip/afpacketudpip.go b/router/underlayproviders/afpacketudpip/afpacketudpip.go
new file mode 100644
index 0000000000..d8db6df3fc
--- /dev/null
+++ b/router/underlayproviders/afpacketudpip/afpacketudpip.go
@@ -0,0 +1,494 @@
+// Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package afpacketudpip
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"maps"
+	"net"
+	"net/netip"
+	"reflect"
+	"slices"
+	"sync"
+	"time"
+
+	"github.com/gopacket/gopacket/afpacket"
+	"golang.org/x/sys/unix"
+
+	"github.com/scionproto/scion/pkg/addr"
+	"github.com/scionproto/scion/pkg/log"
+	"github.com/scionproto/scion/pkg/private/serrors"
+	"github.com/scionproto/scion/pkg/slayers"
+	"github.com/scionproto/scion/private/underlay/conn"
+	"github.com/scionproto/scion/private/underlay/ebpf"
+	"github.com/scionproto/scion/router"
+	"github.com/scionproto/scion/router/bfd"
+)
+
+const (
+	ethLen = 14
+
+	ipOffset      = ethLen
+	ipv4Len       = 20
+	ipv4LenOffset = ipOffset + 2
+	ipv4SumOffset = ipOffset + 10
+	ipv4DstOffset = ipOffset + 16
+
+	ipv6Len       = 40
+	ipv6LenOffset = ipOffset + 4
+	ipv6SrcOffset = ipOffset + 8
+	ipv6DstOffset = ipOffset + 24
+
+	udpv4Offset = ipOffset + ipv4Len
+	udpv6Offset = ipOffset + ipv6Len
+	udpLen      = 8
+
+	udpv4LenOffset     = udpv4Offset + 4
+	udpv4SumOffset     = udpv4Offset + 6
+	udpv4DstPortOffset = udpv4Offset + 2
+
+	udpv6LenOffset     = udpv6Offset + 4
+	udpv6SumOffset     = udpv6Offset + 6
+	udpv6DstPortOffset = udpv6Offset + 2
+
+	ipv4AddrLen = 4
+	ipv6AddrLen = 16
+	portLen     = 2
+)
+
+var (
+	errResolveOnNonInternalLink = errors.New("unsupported address resolution on link not internal")
+	errInvalidServiceAddress    = errors.New("invalid service address")
+	errShortPacket              = errors.New("packet is too short")
+	errDuplicateRemote          = errors.New("duplicate remote address")
+)
+
+// udpConnFilters holds the port filter handles.
+// There are scalability concerns regarding the kFilter (attached directly to an interface):  only
+// a limited number of filters can be attached to an interface and it is inefficient to have many.
+// Deduplication is accomplished for free as a result of deduplicating udpConnections: we create
+// only one per interface and add ports to the single filter as we add links sharing it.
+type udpConnFilters struct {
+	kFilter *ebpf.KFilterHandle
+	sFilter *ebpf.SFilterHandle
+}
+
+func (uf udpConnFilters) AddDst(dst *netip.AddrPort) {
+	uf.kFilter.AddAddrPort(*dst)
+	uf.sFilter.AddAddrPort(*dst)
+}
+
+func (uf udpConnFilters) Close() {
+	uf.kFilter.Close()
+	uf.sFilter.Close()
+}
+
+// An interface to enable unit testing of this specific underlay implementation.
+// (Well... that would still be hard - To be improved).
+type ConnOpener interface {
+	// Creates a connection as specified.
+	Open(index int) (*afpacket.TPacket, udpConnFilters, error)
+}
+
+// udpOpener is the default ConnOpener for this underlay: it opens an afpacket socket.
+type udpOpener struct{}
+
+// Open creates the afpacket socket for the network interface with the given index and attaches
+// the port filters. On failure, whatever was already opened is closed before returning.
+func (uo udpOpener) Open(index int) (*afpacket.TPacket, udpConnFilters, error) {
+	intf, err := net.InterfaceByIndex(index)
+	if err != nil {
+		return nil, udpConnFilters{}, serrors.Wrap("finding interface", err)
+	}
+
+	// We have to make the TPacket non-blocking because it needs to be drained of packets after
+	// adding the filter. We use a longish timeout since the rest of the time we don't actually want
+	// to wake up.  Caution: an afpacket socket normally receives its own outgoing traffic.
+	// mpkSender configures the socket to avoid that but if you ever remove mpkSender, you
+	// need to do something about it. The bpf does *not* do it either and should not. It is
+	// inefficient.
+	handle, err := afpacket.NewTPacket(
+		afpacket.OptInterface(intf.Name),
+		afpacket.OptPollTimeout(200*time.Millisecond),
+		afpacket.OptBlockTimeout(time.Millisecond), // TPv3 waits for and aggregates packets!
+		// afpacket.OptFrameSize(intf.MTU), // Constrained. default is probably best
+	)
+	if err != nil {
+		return nil, udpConnFilters{}, serrors.Wrap("creating TPacket", err)
+	}
+
+	kFilter, err := ebpf.BpfKFilter(index)
+	if err != nil {
+		handle.Close() // Do not leak the socket.
+		return nil, udpConnFilters{}, serrors.Wrap(
+			fmt.Sprintf("adding port filter to interface %s", intf.Name), err)
+	}
+	sFilter, err := ebpf.BpfSFilter(handle)
+	if err != nil {
+		kFilter.Close() // Do not leak the interface filter nor the socket.
+		handle.Close()
+		return nil, udpConnFilters{}, serrors.Wrap(
+			fmt.Sprintf("adding port filter to rawSocket %s", intf.Name), err)
+	}
+
+	for err == nil { // Drain until a read fails.
+		_, _, err = handle.ZeroCopyReadPacketData()
+	}
+	log.Debug("Added port filter to interface", "name", intf.Name)
+	return handle, udpConnFilters{kFilter, sFilter}, nil
+}
+
+// underlay implements Underlay by making and returning Udp/Ip links on top of
+// packet sockets.
+type underlay struct {
+	mu                sync.Mutex // Prevents race between adding connections and Start/Stop.
+	batchSize         int
+	allLinks          map[netip.AddrPort]udpLink
+	allConnections    map[int]*udpConnection // One per network interface; keyed by its index.
+	connOpener        ConnOpener             // udpOpener{}, except for unit tests
+	svc               *router.Services[netip.AddrPort]
+	receiveBufferSize int
+	sendBufferSize    int
+	dispatchStart     uint16
+	dispatchEnd       uint16
+	dispatchRedirect  uint16
+}
+
+type udpLink interface {
+	router.Link
+	start(ctx context.Context, procQs []chan *router.Packet, pool router.PacketPool)
+	stop()
+	receive(p *router.Packet)
+	handleNeighbor(isReq bool, targetIP, senderIP, rcptIP netip.Addr, remoteHw [6]byte)
+}
+
+func init() {
+	// Register ourselves as an underlay provider. The registration consists of a factory, not
+	// a provider object, because multiple router instances each must have their own underlay
+	// provider. The provider is not re-entrant.
+
+	// We add ourselves as an implementation of the "udpip" underlay. The two udpip underlays
+	// are interchangeable. Only this one should perform better but exists only for Linux.
+	// The priorities cause the router to choose this one over the other when both are available.
+	router.AddUnderlayProvider("udpip:afpacket", underlayProvider{})
+}
+
+// underlayProvider implements router.UnderlayProvider.
+type underlayProvider struct{}
+
+// New instantiates a new instance of the provider for exclusive use by the caller.
+// TODO(multi_underlay): batchSize should be an underlay-specific config.
+func (underlayProvider) New(
+	batchSize int,
+	receiveBufferSize int,
+	sendBufferSize int,
+) router.Underlay {
+	return &underlay{
+		batchSize:         batchSize,
+		allLinks:          make(map[netip.AddrPort]udpLink),
+		allConnections:    make(map[int]*udpConnection),
+		connOpener:        udpOpener{},
+		svc:               router.NewServices[netip.AddrPort](),
+		receiveBufferSize: receiveBufferSize,
+		sendBufferSize:    sendBufferSize,
+	}
+}
+
+// SetConnOpener installs the given opener. opener must be an implementation of ConnOpener or
+// panic will ensue. Only for use in unit tests.
+func (u *underlay) SetConnOpener(opener any) {
+	u.connOpener = opener.(ConnOpener)
+}
+
+func (u *underlay) NumConnections() int {
+	u.mu.Lock()
+	defer u.mu.Unlock()
+	return len(u.allLinks)
+}
+
+// Headroom returns the headroom, in bytes, that this underlay requires in packet buffers.
+func (u *underlay) Headroom() int {
+	// We advise of enough headroom for ethernet + max(ip) + udp headers on outgoing packets (we do
+	// not need to add extensions and do not use options). On receipt, we cannot predict if the IP
+	// header is v4 or v6 or has options or extensions. We align the packet with the assumption that
+	// it is v4 with no options. As a result, the payload never starts earlier than planned. This is
+	// needed to ensure that the headroom we leave is never less than the worst case requirement
+	// across all underlays. We add the binary representation of src address and src port to our
+	// headroom requirements, so internal links can safely use packet.HeadBytes() to store those.
+	return ethLen + ipv6Len + udpLen + ipv6AddrLen + portLen
+}
+
+// SetDispatchPorts logs, then stores, the given start, end, and redirect dispatch port values.
+func (u *underlay) SetDispatchPorts(start, end, redirect uint16) {
+	// The log message names this method so that it can be found by searching for it.
+	log.Debug("SetDispatchPorts", "start", start, "end", end, "redirect", redirect)
+	u.dispatchStart, u.dispatchEnd, u.dispatchRedirect = start, end, redirect
+}
+
+// AddSvc adds the address for the given service.
+func (u *underlay) AddSvc(svc addr.SVC, host addr.Host, port uint16) error {
+	// We pre-resolve the addresses, which is trivial for this underlay.
+	addr := netip.AddrPortFrom(host.IP(), port)
+	if !addr.IsValid() {
+		return errInvalidServiceAddress
+	}
+	u.svc.AddSvc(svc, addr)
+	return nil
+}
+
+// DelSvc deletes the address for the given service.
+func (u *underlay) DelSvc(svc addr.SVC, host addr.Host, port uint16) error {
+	addr := netip.AddrPortFrom(host.IP(), port)
+	if !addr.IsValid() {
+		return errInvalidServiceAddress
+	}
+	u.svc.DelSvc(svc, addr)
+	return nil
+}
+
+// Start starts every link and then every connection. The queues to be used by the receiver task
+// are supplied here; they must be sized according to the number of connections to be started.
+func (u *underlay) Start(
+	ctx context.Context, pool router.PacketPool, procQs []chan *router.Packet,
+) {
+	if len(procQs) == 0 {
+		// Nothing can process incoming traffic; return before taking the lock.
+		return
+	}
+	u.mu.Lock()
+	connSnapshot := slices.Collect(maps.Values(u.allConnections))
+	linkSnapshot := slices.Collect(maps.Values(u.allLinks))
+	u.mu.Unlock()
+
+	// Links MUST be started before connections. Given that this is an internal matter, we don't
+	// pay the price of checking at use time.
+	for _, l := range linkSnapshot {
+		l.start(ctx, procQs, pool)
+	}
+	for _, c := range connSnapshot {
+		c.start(u.batchSize, pool)
+	}
+}
+
+func (u *underlay) Stop() {
+	u.mu.Lock()
+	connSnapshot := slices.Collect(maps.Values(u.allConnections))
+	linkSnapshot := slices.Collect(maps.Values(u.allLinks))
+	u.mu.Unlock()
+
+	for _, c := range connSnapshot {
+		c.stop()
+	}
+	for _, l := range linkSnapshot {
+		l.stop()
+	}
+}
+
+// addMcastGrp adds the given (TPacket, interface) pair to the given multicast group.
+func addMcastGrp(tp *afpacket.TPacket, ifIndex int, mcastAddr net.HardwareAddr) {
+	// Unceremonious but necessary until we submit a change (which would have to be more general
+	// than this) to the afpacket project and get it merged.
+	fdv := reflect.ValueOf(tp).Elem().FieldByName("fd")
+	tpfd := int(fdv.Int())
+
+	mreq := unix.PacketMreq{
+		Ifindex: int32(ifIndex),
+		Type:    unix.PACKET_MR_MULTICAST,
+		Alen:    6,
+	}
+	copy(mreq.Address[0:6], mcastAddr[:])
+
+	opt := unix.PACKET_ADD_MEMBERSHIP
+
+	if err := unix.SetsockoptPacketMreq(tpfd, unix.SOL_PACKET, opt, &mreq); err != nil {
+		panic(err)
+	}
+}
+
+// getUdpConnection returns the appropriate udpConnection; creating it if it doesn't exist yet.
+func (u *underlay) getUdpConnection(
+	qSize int, local *netip.AddrPort,
+	metrics *router.InterfaceMetrics,
+) (*udpConnection, error) {
+
+	localAddr := local.Addr()
+	localAddrStr := localAddr.String()
+
+	// TODO(jiceatscion): We don't really need to go through every interface every time.
+	interfaces, _ := net.Interfaces()
+	for _, intf := range interfaces {
+		if addrs, err := intf.Addrs(); err == nil {
+			for _, addr := range addrs {
+				// net.Addr is very generic. We have to take a guess (educated by reading the code)
+				// at what the underlying type is to make our comparison.
+				ipNet, ok := addr.(*net.IPNet)
+				if ok {
+					// We match loopback addresses to the lo interface in support of how
+					// we configure test topologies when running with the supervisor: loopback
+					// addresses are not explicitly assigned. There is exactly one udpConnection
+					// per socket, one socket per interface.
+					if ipNet.IP.String() == localAddrStr ||
+						(localAddr.IsLoopback() && intf.Name == "lo") {
+
+						c := u.allConnections[intf.Index]
+						if c == nil {
+							log.Debug("New UDP connection created", "addr", localAddrStr,
+								"interface", intf.Name)
+							c, err = newUdpConnection(intf, qSize, u.connOpener, metrics)
+							if err != nil {
+								return nil, err
+							}
+							u.allConnections[intf.Index] = c
+						}
+						c.connFilters.AddDst(local)
+						if localAddr.Is6() {
+							addrBytes := localAddr.As16()
+							mcastGrp := net.HardwareAddr{
+								0x33, 0x33, ndpMcastPrefix[12],
+								addrBytes[13], addrBytes[14], addrBytes[15],
+							}
+							addMcastGrp(c.afp, intf.Index, mcastGrp)
+						}
+						return c, nil
+					}
+				}
+			}
+		}
+	}
+
+	return nil, errors.New("no interface with the requested address")
+}
+
+// NewExternalLink creates the external link between the given local and remote underlay
+// addresses and registers it under the remote address. The link is a ptpLink bound to the
+// given ifID.
+//
+// It fails if either address cannot be resolved, if a link to the same remote address already
+// exists (errDuplicateRemote), or if no UDP connection can be obtained for the local address.
+func (u *underlay) NewExternalLink(
+	qSize int,
+	bfd *bfd.Session,
+	local string,
+	remote string,
+	_ string, // this underlay provider doesn't have link options
+	ifID uint16,
+	metrics *router.InterfaceMetrics,
+) (router.Link, error) {
+	lAddr, err := conn.ResolveAddrPortOrPort(local)
+	if err != nil {
+		return nil, serrors.Wrap("resolving local address", err)
+	}
+	rAddr, err := conn.ResolveAddrPort(remote)
+	if err != nil {
+		return nil, serrors.Wrap("resolving remote address", err)
+	}
+
+	u.mu.Lock()
+	defer u.mu.Unlock()
+
+	// A second external link to the same remote is not supported; it can only result from a
+	// serious configuration error.
+	existing := u.allLinks[rAddr]
+	if existing != nil {
+		return nil, serrors.Join(errDuplicateRemote, nil, "addr", remote)
+	}
+
+	udpConn, err := u.getUdpConnection(qSize, &lAddr, metrics)
+	if err != nil {
+		return nil, err
+	}
+	link := newPtpLinkExternal(&lAddr, &rAddr, udpConn, bfd, ifID, metrics)
+	u.allLinks[rAddr] = link
+	return link, nil
+}
+
+// NewSiblingLink returns a sibling link over the UDP/IP underlay. It is implemented with a
+// ptpLink and has the unspecified ifID: 0.
+//
+// Sibling links are de-duplicated: if a link to the remote address already exists, that link is
+// returned as is. The router gives us a BFDSession in all cases, so in that case the session is
+// thrown away (there are no persistent resources attached to it). This could be fixed by moving
+// some BFD related code in-here.
+func (u *underlay) NewSiblingLink(
+	qSize int,
+	bfd *bfd.Session,
+	local string,
+	remote string,
+	_ string, // this underlay provider doesn't have link options
+	metrics *router.InterfaceMetrics,
+) (router.Link, error) {
+	lAddr, err := conn.ResolveAddrPortOrPort(local)
+	if err != nil {
+		return nil, serrors.Wrap("resolving local address", err)
+	}
+	rAddr, err := conn.ResolveAddrPort(remote)
+	if err != nil {
+		return nil, serrors.Wrap("resolving remote address", err)
+	}
+
+	u.mu.Lock()
+	defer u.mu.Unlock()
+
+	// Silent de-duplication: the router doesn't need to be aware of, or keep track of, link
+	// sharing.
+	existing := u.allLinks[rAddr]
+	if existing != nil {
+		return existing, nil
+	}
+
+	udpConn, err := u.getUdpConnection(qSize, &lAddr, metrics)
+	if err != nil {
+		return nil, err
+	}
+	link := newPtpLinkSibling(&lAddr, &rAddr, udpConn, bfd, metrics)
+	u.allLinks[rAddr] = link
+	return link, nil
+}
+
+// NewInternalLink returns a internal link over the UdpIpUnderlay. The link implementation has
+// no fixed peer. It finds the destination address in the packet structure. Unlike ptpLink, it
+// can resolve a SCION peer address to a local underlay address; via the dispatcher if needed.
+func (u *underlay) NewInternalLink(
+	local string, qSize int, metrics *router.InterfaceMetrics,
+) (router.Link, error) {
+	u.mu.Lock()
+	defer u.mu.Unlock()
+
+	localAddr, err := conn.ResolveAddrPort(local)
+	if err != nil {
+		return nil, serrors.Wrap("resolving local address", err)
+	}
+	c, err := u.getUdpConnection(qSize, &localAddr, metrics)
+	if err != nil {
+		return nil, err
+	}
+
+	il := newInternalLink(
+		&localAddr, c, u.svc, u.dispatchStart, u.dispatchEnd, u.dispatchRedirect, metrics)
+	u.allLinks[netip.AddrPort{}] = il
+	return il, nil
+}
+
+// computeProcID picks the processing routine for a packet by hashing (FNV-1a, seeded with
+// hashSeed) the packet's flowID and its address header, and reducing the result modulo
+// numProcRoutines. errShortPacket is returned if data is too short to hold the common header
+// and the address header.
+//
+// Technically, this is a layering violation. We're peeking into the SCION packet for the
+// flowID...oh well.
+func computeProcID(data []byte, numProcRoutines int, hashSeed uint32) (uint32, error) {
+	if len(data) < slayers.CmnHdrLen {
+		return 0, errShortPacket
+	}
+	// Byte 9 carries both host address types: destination in the high nibble, source in the low.
+	addrTypes := data[9]
+	dstLen := slayers.AddrType((addrTypes >> 4) & 0xf).Length()
+	srcLen := slayers.AddrType(addrTypes & 0xf).Length()
+	addrHdrEnd := slayers.CmnHdrLen + 2*addr.IABytes + srcLen + dstLen
+	if len(data) < addrHdrEnd {
+		return 0, errShortPacket
+	}
+
+	// Feed the flowID first. The left 4 bits of data[1] aren't part of the flowID.
+	hash := router.HashFNV1a(hashSeed, data[1]&0xF)
+	hash = router.HashFNV1a(hash, data[2])
+	hash = router.HashFNV1a(hash, data[3])
+
+	// Then the whole address header (src/dst ISD-AS and host addresses).
+	for i := slayers.CmnHdrLen; i < addrHdrEnd; i++ {
+		hash = router.HashFNV1a(hash, data[i])
+	}
+
+	return hash % uint32(numProcRoutines), nil
+}
diff --git a/router/underlayproviders/afpacketudpip/internal/debug/BUILD.bazel b/router/underlayproviders/afpacketudpip/internal/debug/BUILD.bazel
new file mode 100644
index 0000000000..4159ee399f
--- /dev/null
+++ b/router/underlayproviders/afpacketudpip/internal/debug/BUILD.bazel
@@ -0,0 +1,15 @@
+load("@rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["debug.go"],
+    importpath = "github.com/scionproto/scion/router/underlayproviders/afpacketudpip/internal/debug",
+    visibility = ["//router/underlayproviders/afpacketudpip:__subpackages__"],
+    deps = [
+        "//pkg/log:go_default_library",
+        "@com_github_gopacket_gopacket//:go_default_library",
+        "@com_github_gopacket_gopacket//layers:go_default_library",
+        "@org_uber_go_zap//:go_default_library",
+        "@org_uber_go_zap//zapcore:go_default_library",
+    ],
+)
diff --git a/router/underlayproviders/afpacketudpip/internal/debug/debug.go b/router/underlayproviders/afpacketudpip/internal/debug/debug.go
new file mode 100644
index 0000000000..20879350f7
--- /dev/null
+++ b/router/underlayproviders/afpacketudpip/internal/debug/debug.go
@@ -0,0 +1,199 @@
+// Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package debug
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"strings"
+
+	"github.com/gopacket/gopacket"
+	"github.com/gopacket/gopacket/layers"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+
+	"github.com/scionproto/scion/pkg/log"
+)
+
+// DissectAndShow decodes data as an ethernet frame and logs, at debug level, one line per
+// decoded layer, prefixed with ctx. It does nothing when debug logging is disabled.
+func DissectAndShow(data []byte, ctx string) {
+	// Even the below check has a cost. Careful where you use this function.
+	debugEnabled := zap.L().Core().Enabled(zapcore.Level(log.DebugLevel))
+	if !debugEnabled {
+		return
+	}
+
+	// The order in which the layers are printed, regardless of the map's iteration order.
+	layerOrder := []string{
+		"ethernet", "ARP", "ipv4", "ipv6", "network", "UDP", "icmp6", "transport", "payload",
+	}
+	decoded := dissect(data)
+
+	var out strings.Builder
+	out.WriteString(ctx)
+	out.WriteString(": [\n")
+	for _, name := range layerOrder {
+		desc := decoded[name]
+		if desc == "" {
+			// Layer absent from this packet.
+			continue
+		}
+		out.WriteString(name)
+		out.WriteString(": [")
+		out.WriteString(desc)
+		out.WriteString("]\n")
+	}
+	out.WriteString("]\n")
+	log.Debug(out.String())
+}
+
+// dissect decodes data as an ethernet frame, layer by layer, and returns a description of each
+// layer it could identify, keyed by layer name ("ethernet", "ARP", "ipv4", "ipv6", "network",
+// "UDP", "icmp6", "transport", "payload"). Decoding stops at the first layer that is unknown or
+// cannot be decoded; that layer's entry then describes the problem.
+func dissect(data []byte) map[string]string {
+	var ethLayer layers.Ethernet
+	var arpLayer layers.ARP
+	var icmp6Layer layers.ICMPv6
+	var ipv4Layer layers.IPv4
+	var ipv6Layer layers.IPv6
+	var udpLayer layers.UDP
+
+	outcome := make(map[string]string)
+
+	// On decoding errors we show the first bytes of the offending layer. The data may well be
+	// shorter than a full header (a likely cause of the error), hence firstBytes.
+	if err := ethLayer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+		outcome["ethernet"] = fmt.Sprintf(
+			"Undecodable. Err: %v. bytes: %v", err, firstBytes(data, 14))
+		return outcome
+	}
+	data = ethLayer.LayerPayload() // chop off the eth header
+	outcome["ethernet"] = EthString(&ethLayer)
+	switch ethLayer.EthernetType {
+	case layers.EthernetTypeIPv4:
+		if err := ipv4Layer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+			outcome["ipv4"] = fmt.Sprintf(
+				"Undecodable. Err: %v. bytes: %v", err, firstBytes(data, 20))
+			return outcome
+		}
+		data = ipv4Layer.LayerPayload() // chop off the ip header
+		outcome["ipv4"] = IPv4String(&ipv4Layer)
+		if ipv4Layer.Protocol != layers.IPProtocolUDP {
+			outcome["transport"] = fmt.Sprintf("Unknown. Proto: %d", ipv4Layer.Protocol)
+			return outcome
+		}
+	case layers.EthernetTypeIPv6:
+		if err := ipv6Layer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+			outcome["ipv6"] = fmt.Sprintf(
+				"Undecodable. Err: %v. bytes: %v", err, firstBytes(data, 40))
+			return outcome
+		}
+		outcome["ipv6"] = IPv6String(&ipv6Layer)
+		data = ipv6Layer.LayerPayload() // chop off the ip header
+		if ipv6Layer.NextHeader == layers.IPProtocolICMPv6 {
+			if err := icmp6Layer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+				// Must use the "icmp6" key: it is the one that DissectAndShow prints.
+				outcome["icmp6"] = fmt.Sprintf(
+					"Undecodable. Err: %v. bytes: %v", err, firstBytes(data, 16))
+				return outcome
+			}
+			outcome["icmp6"] = ICMP6String(&icmp6Layer)
+			return outcome
+		} else if ipv6Layer.NextHeader != layers.IPProtocolUDP {
+			// Report the IPv6 next header; the IPv4 layer is not populated on this path.
+			outcome["transport"] = fmt.Sprintf("Unknown. Proto: %d", ipv6Layer.NextHeader)
+			return outcome
+		}
+	case layers.EthernetTypeARP:
+		if err := arpLayer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+			outcome["ARP"] = fmt.Sprintf(
+				"Undecodable. err: %v. bytes: %v", err, firstBytes(data, 20))
+			return outcome
+		}
+		outcome["ARP"] = ARPString(&arpLayer)
+		return outcome
+	default:
+		outcome["network"] = fmt.Sprintf("Unknown. Type: %d", ethLayer.EthernetType)
+		return outcome
+	}
+	if err := udpLayer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+		outcome["UDP"] = fmt.Sprintf(
+			"Undecodable. err: %v. bytes: %v", err, firstBytes(data, 8))
+		return outcome
+	}
+	data = udpLayer.LayerPayload() // chop off the udp header. The rest is SCION.
+	outcome["UDP"] = UDPString(&udpLayer)
+
+	outcome["payload"] = fmt.Sprintf("%d bytes", len(data))
+	return outcome
+}
+
+// firstBytes returns the first n bytes of data, or all of data if it is shorter than that.
+func firstBytes(data []byte, n int) []byte {
+	if len(data) < n {
+		return data
+	}
+	return data[:n]
+}
+
+// EthString renders the source MAC, destination MAC, and EtherType of an ethernet header.
+// (Gopacket layers don't have pretty String methods; hence this and the other *String helpers.)
+func EthString(l *layers.Ethernet) string {
+	src, dst, ethType := l.SrcMAC, l.DstMAC, l.EthernetType
+	return fmt.Sprintf("{Src: %s, Dst: %s, Type: %s}", src, dst, ethType)
+}
+
+// ARPString renders the operation and the sender/target MAC and IP addresses of an ARP packet.
+func ARPString(l *layers.ARP) string {
+	// Conversion failures are ignored on purpose; the zero netip.Addr is printed in that case.
+	senderIP, _ := netip.AddrFromSlice(l.SourceProtAddress)
+	targetIP, _ := netip.AddrFromSlice(l.DstProtAddress)
+	senderMAC := net.HardwareAddr(l.SourceHwAddress)
+	targetMAC := net.HardwareAddr(l.DstHwAddress)
+
+	return fmt.Sprintf(
+		"Operation: %v, SenderMAC: %s, SenderIP: %s, TargetMAC: %s, TargetIP: %s",
+		l.Operation, senderMAC, senderIP, targetMAC, targetIP,
+	)
+}
+
+// IPv4String renders the addresses, protocol, and total length of an IPv4 header.
+func IPv4String(l *layers.IPv4) string {
+	src, dst := l.SrcIP, l.DstIP
+	return fmt.Sprintf("{Src: %s, Dst: %s, Protocol: %s, Length: %d}",
+		src, dst, l.Protocol, l.Length)
+}
+
+// IPv6String renders the addresses, next header, and payload length of an IPv6 header.
+func IPv6String(l *layers.IPv6) string {
+	src, dst := l.SrcIP, l.DstIP
+	return fmt.Sprintf("{Src: %s, Dst: %s, NextHdr: %s, Length: %d}",
+		src, dst, l.NextHeader, l.Length)
+}
+
+// ICMP6String renders the type/code of an ICMPv6 message. For NDP neighbor solicitations and
+// advertisements, the message body is decoded and rendered too; "<broken>" is shown in its place
+// if it cannot be decoded.
+func ICMP6String(l *layers.ICMPv6) string {
+	data := l.LayerPayload()
+
+	switch l.TypeCode.Type() {
+	case layers.ICMPv6TypeNeighborSolicitation:
+		var query layers.ICMPv6NeighborSolicitation
+		if err := query.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+			return fmt.Sprintf("{TypeCode: (%s), Solicitation: <broken>}", l.TypeCode)
+		}
+		return fmt.Sprintf("{TypeCode: (%s), Solicitation: %s}", l.TypeCode, NDPSolString(&query))
+
+	case layers.ICMPv6TypeNeighborAdvertisement:
+		var response layers.ICMPv6NeighborAdvertisement
+		if err := response.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+			return fmt.Sprintf("{TypeCode: (%s), Advertisement: <broken>}", l.TypeCode)
+		}
+		return fmt.Sprintf(
+			"{TypeCode: (%s), Advertisement: %s}",
+			l.TypeCode, NDPAdvString(&response),
+		)
+
+	default:
+		// Any other ICMPv6 message: the type/code is all we show.
+		return fmt.Sprintf("{TypeCode: (%s)}", l.TypeCode)
+	}
+}
+
+// NDPSolString renders the target address of an NDP neighbor solicitation, along with the MAC
+// address found in its source link-layer address option (empty if there is no 6-byte one).
+func NDPSolString(l *layers.ICMPv6NeighborSolicitation) string {
+	var mac net.HardwareAddr
+
+	for _, o := range l.Options {
+		if o.Type != layers.ICMPv6OptSourceAddress || len(o.Data) != 6 {
+			continue
+		}
+		// No early exit: should the option be repeated, the last one is shown.
+		mac = net.HardwareAddr(o.Data)
+	}
+	return fmt.Sprintf("{TargetAddress: %s, opt.SourceMAC: %s}", l.TargetAddress, mac)
+}
+
+// NDPAdvString renders the target address of an NDP neighbor advertisement, along with the MAC
+// address found in its target link-layer address option (empty if there is no 6-byte one).
+func NDPAdvString(l *layers.ICMPv6NeighborAdvertisement) string {
+	var mac net.HardwareAddr
+
+	for _, o := range l.Options {
+		if o.Type != layers.ICMPv6OptTargetAddress || len(o.Data) != 6 {
+			continue
+		}
+		// No early exit: should the option be repeated, the last one is shown.
+		mac = net.HardwareAddr(o.Data)
+	}
+	return fmt.Sprintf("{TargetAddress: %s, opt.TargetMAC: %s}", l.TargetAddress, mac)
+}
+
+// UDPString renders the ports and length of a UDP header.
+func UDPString(l *layers.UDP) string {
+	src, dst := l.SrcPort, l.DstPort
+	return fmt.Sprintf("{SrcPort: %s, DstPort: %s, Length: %d}", src, dst, l.Length)
+}
diff --git a/router/underlayproviders/afpacketudpip/internallink.go b/router/underlayproviders/afpacketudpip/internallink.go
new file mode 100644
index 0000000000..90e6d5dee1
--- /dev/null
+++ b/router/underlayproviders/afpacketudpip/internallink.go
@@ -0,0 +1,532 @@
+// Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package afpacketudpip
+
+import (
+	"context"
+	"encoding/binary"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync/atomic"
+
+	"github.com/gopacket/gopacket"
+	"github.com/gopacket/gopacket/layers"
+
+	"github.com/scionproto/scion/pkg/addr"
+	"github.com/scionproto/scion/pkg/log"
+	"github.com/scionproto/scion/router"
+	"github.com/scionproto/scion/router/bfd"
+)
+
+// internalLink is actually a half link. It is not associated with a specific remote address.
+// The remote address of each packet is carried in the packet itself (see getRemoteAddr and
+// setRemoteAddr).
+// TODO(jiceatscion): a lot of code could be deduplicated between the two link implementations.
+type internalLink struct {
+	// procQs are the processing queues that receive() delivers to. Set by start().
+	procQs []chan *router.Packet
+	// header is the canned ethernet/IP/UDP header built once by packHeader() and patched for
+	// each outgoing packet.
+	header   []byte
+	localMAC net.HardwareAddr // replace w/ 6 bytes?
+	// pool is where dropped packets are returned to. Set by start().
+	pool      router.PacketPool
+	localAddr *netip.AddrPort
+	// egressQ is the queue of the underlying udpConnection; finished packets go there.
+	egressQ chan *router.Packet
+	metrics *router.InterfaceMetrics
+	// neighbors maps IP addresses to MAC addresses and holds packets pending resolution.
+	neighbors *neighborCache
+	// svc is used by Resolve() to find a backend address for service addresses.
+	svc *router.Services[netip.AddrPort]
+	// backlogCheck tells the backlog sender goroutine which address may have sendable backlog.
+	backlogCheck chan netip.Addr
+	// sendBacklogDone is closed by the backlog sender goroutine when it exits.
+	sendBacklogDone chan struct{}
+	running         atomic.Bool
+	// seed is the hash seed passed to computeProcID.
+	seed uint32
+	// Destination ports outside [dispatchStart, dispatchEnd] are replaced with dispatchRedirect
+	// by Resolve().
+	dispatchStart    uint16
+	dispatchEnd      uint16
+	dispatchRedirect uint16
+	// is4 is true if the local address is an IPv4 address.
+	is4 bool
+}
+
+// getRemoteAddr returns the ip address and port of the far end of the packet's trip.
+//
+// It is used as follows:
+// * We set it from src address when we ingest a packet: it will be used for any SCMP response.
+// * We set it when the main router code has us resolve the destination (for non-responses).
+// * We use it as destination when finally sending the packet.
+//
+// That address and port are stored at the beginning of the packet buffer so we do not need to
+// allocate. getRemoteAddr returns a slice pointing directly at that storage. It is meant to be
+// copied into the outgoing packet header.
+func getRemoteAddr(p *router.Packet, is4 bool) ([]byte, uint16) {
+	// The stored record is the raw address (4 or 16 bytes) followed by the big-endian port.
+	ipLen := 16
+	if is4 {
+		ipLen = 4
+	}
+	stored := p.HeadBytes(ipLen + 2)
+	port := binary.BigEndian.Uint16(stored[ipLen : ipLen+2])
+	return stored[:ipLen], port
+}
+
+// setRemoteAddr stores the ip address and port of the far end of the packet's trip.
+//
+// That address and port are stored at the beginning of the packet buffer: the raw bytes of ip,
+// immediately followed by the port in big-endian order.
+func setRemoteAddr(p *router.Packet, ip []byte, port uint16) {
+	// FWIW: The storage format is identical to that produced by AddrPort.marshalBinary
+	// as long as there's no zone. Just without all the hullabaloo because we never need a netip.
+	ipLen := len(ip)
+	stored := p.HeadBytes(ipLen + 2)
+	copy(stored, ip)
+	binary.BigEndian.PutUint16(stored[ipLen:], port)
+}
+
+// packHeader builds the canned ethernet/IP/UDP header for this link and stores it in l.header.
+//
+// This is called during initialization only and does not need the neighbors cache. The header
+// is incomplete and gets patched for each packet: the destination MAC, destination IP, and
+// destination port are left zero/unspecified here.
+//
+// It panics if the header cannot be serialized.
+func (l *internalLink) packHeader() {
+	sb := gopacket.NewSerializeBuffer()
+	srcIP := l.localAddr.Addr()
+	if l.is4 {
+		ethernet := layers.Ethernet{
+			SrcMAC:       l.localMAC,
+			DstMAC:       zeroMacAddr[:],
+			EthernetType: layers.EthernetTypeIPv4,
+		}
+		udp := layers.UDP{
+			SrcPort: layers.UDPPort(l.localAddr.Port()),
+		}
+		ip := layers.IPv4{
+			Version:  4,
+			IHL:      5,
+			TTL:      64,
+			SrcIP:    srcIP.AsSlice(),
+			DstIP:    netip.IPv4Unspecified().AsSlice(),
+			Protocol: layers.IPProtocolUDP,
+			Flags:    layers.IPv4DontFragment, // Sure about that?
+		}
+		_ = udp.SetNetworkLayerForChecksum(&ip)
+		err := gopacket.SerializeLayers(sb, seropts, &ethernet, &ip, &udp)
+		if err != nil {
+			// The only possible reason for this is in the few lines above.
+			panic("cannot serialize static header")
+		}
+
+		// We have to truncate the result; gopacket is scared of generating a packet shorter than
+		// the ethernet minimum.
+		// 42 = 14 (ethernet) + 20 (IPv4 with IHL 5) + 8 (UDP).
+		l.header = sb.Bytes()[:42]
+		return
+	}
+	// Same as above, for IPv6.
+	ethernet := layers.Ethernet{
+		SrcMAC:       l.localMAC,
+		DstMAC:       zeroMacAddr[:],
+		EthernetType: layers.EthernetTypeIPv6,
+	}
+	udp := layers.UDP{
+		SrcPort: layers.UDPPort(l.localAddr.Port()),
+	}
+	ip := layers.IPv6{
+		Version:    6,
+		NextHeader: layers.IPProtocolUDP,
+		HopLimit:   64,
+		SrcIP:      srcIP.AsSlice(),
+		DstIP:      netip.IPv6Unspecified().AsSlice(),
+	}
+	_ = udp.SetNetworkLayerForChecksum(&ip)
+	err := gopacket.SerializeLayers(sb, seropts, &ethernet, &ip, &udp)
+	if err != nil {
+		// The only possible reason for this is in the few lines above.
+		panic("cannot serialize static header")
+	}
+	// We have to truncate the result; gopacket is scared of generating a packet shorter than the
+	// ethernet minimum.
+	// 62 = 14 (ethernet) + 40 (IPv6) + 8 (UDP).
+	l.header = sb.Bytes()[:62]
+}
+
+// addHeader fetches the canned header, which never changes, pastes it on the packet, and patches
+// in the destination. If the destination is not resolved, this method returns false and the
+// packet is left with an incorrect header. Note that an address resolution is triggered if the
+// destination is not already resolved.
+//
+// When false is returned, the caller no longer owns the packet: it has either been queued on the
+// destination's backlog or, if that backlog is full, counted as dropped and returned to the
+// pool. In that case p.RawPacket has not been modified.
+func (l *internalLink) addHeader(p *router.Packet) bool {
+	dstIPBytes, dstPort := getRemoteAddr(p, l.is4)
+	dstIP, ok := netip.AddrFromSlice(dstIPBytes)
+	if !ok {
+		// This is an internal error: these bytes were stored and validated by us.
+		panic("Broken remote address")
+	}
+	// Resolve the destination MAC address if we can.
+	l.neighbors.Lock()
+	dstMac, backlog := l.neighbors.get(dstIP) // Send ARP/NDP req as needed.
+	l.neighbors.Unlock()
+	if dstMac == nil {
+		// We don't have an address to offer, but we have a backlog queue.
+		select {
+		case backlog <- p:
+		default:
+			// Backlog full: drop.
+			sc := router.ClassOfSize(len(p.RawPacket))
+			l.metrics[sc].DroppedPacketsBusyForwarder[p.TrafficType].Inc()
+			l.pool.Put(p)
+		}
+		return false
+	}
+
+	// Prepend the canned header
+	p.RawPacket = p.WithHeader(len(l.header))
+	copy(p.RawPacket, l.header)
+
+	// Inject dest.
+	// The destination MAC is the very first field of the ethernet header.
+	copy(p.RawPacket, dstMac[:])
+	if l.is4 {
+		copy(p.RawPacket[ipv4DstOffset:], dstIPBytes) // Can do cheaper?
+		binary.BigEndian.PutUint16(p.RawPacket[udpv4DstPortOffset:], dstPort)
+	} else {
+		copy(p.RawPacket[ipv6DstOffset:], dstIPBytes) // Can do cheaper?
+		binary.BigEndian.PutUint16(p.RawPacket[udpv6DstPortOffset:], dstPort)
+	}
+	return true
+}
+
+// finishPacket turns the payload in p.RawPacket into a complete ethernet frame: it prepends the
+// link's header (see addHeader) and fixes the length and checksum fields.
+//
+// It returns false if the header could not be added because the destination is not resolved. In
+// that case the packet has been backlogged or dropped by addHeader and must not be used by the
+// caller anymore.
+//
+// TODO(jiceatscion): can do cleaner, more legible, faster?
+func (l *internalLink) finishPacket(p *router.Packet) bool {
+	// Must be captured before addHeader grows RawPacket.
+	payloadLen := len(p.RawPacket)
+	if !l.addHeader(p) {
+		return false
+	}
+	if l.is4 {
+		// Fix the IP total length field
+		binary.BigEndian.PutUint16(p.RawPacket[ipv4LenOffset:], uint16(payloadLen)+ipv4Len+udpLen)
+
+		// Update UDP length
+		binary.BigEndian.PutUint16(p.RawPacket[udpv4LenOffset:], uint16(payloadLen)+udpLen)
+
+		// For IPv4 fix the IP checksum
+		p.RawPacket[ipv4SumOffset] = 0
+		p.RawPacket[ipv4SumOffset+1] = 0
+		csum := gopacket.ComputeChecksum(p.RawPacket[ipOffset:udpv4Offset], 0)
+		binary.BigEndian.PutUint16(p.RawPacket[ipv4SumOffset:], gopacket.FoldChecksum(csum))
+
+		// For IPV4 we can screw the UDP checksum
+		p.RawPacket[udpv4SumOffset] = 0
+		p.RawPacket[udpv4SumOffset+1] = 0
+		return true
+	}
+
+	// Fix the IPv6 payload length field (udp plus the scion stuff)
+	binary.BigEndian.PutUint16(p.RawPacket[ipv6LenOffset:], uint16(payloadLen)+udpLen)
+
+	// Update UDP length
+	binary.BigEndian.PutUint16(p.RawPacket[udpv6LenOffset:], uint16(payloadLen)+udpLen)
+
+	// Zero-out the checksum as it is part of the computation's input.
+	p.RawPacket[udpv6SumOffset] = 0
+	p.RawPacket[udpv6SumOffset+1] = 0
+
+	// For IPV6 we must compute the UDP checksum.
+	// In theory we could dispense with it as we're a tunneling protocol; however all the plain
+	// udp underlay implementations would drop the packets. TODO(jiceatscion): save a few cycles
+	// by using UDPlite?
+	zerosAndProto := []byte{0, 0, 0, 17}
+	csum := gopacket.ComputeChecksum(p.RawPacket[ipv6SrcOffset:udpv6Offset], 0)         // src+dst
+	csum = gopacket.ComputeChecksum(p.RawPacket[udpv6LenOffset:udpv6LenOffset+2], csum) // length
+	csum = gopacket.ComputeChecksum(zerosAndProto, csum)                                // proto num
+	csum = gopacket.ComputeChecksum(p.RawPacket[udpv6Offset:], csum)                    // all
+	folded := gopacket.FoldChecksum(csum)
+	if folded == 0 {
+		// A checksum that computes to zero is transmitted as all ones: zero on the wire means
+		// "no checksum", which IPv6 receivers must discard (RFC 768, RFC 8200 section 8.1).
+		folded = 0xffff
+	}
+	binary.BigEndian.PutUint16(p.RawPacket[udpv6SumOffset:], folded)
+	return true
+}
+
+// start puts the link in the running state: it records the processing queues and packet pool,
+// starts the neighbor cache, announces the local address to neighbors, and launches the backlog
+// sender goroutine. Calling start on a link that is already running does nothing.
+func (l *internalLink) start(
+	ctx context.Context,
+	procQs []chan *router.Packet,
+	pool router.PacketPool,
+) {
+	wasRunning := l.running.Swap(true)
+	if wasRunning {
+		return
+	}
+	// procQs and pool are never known before all configured links have been instantiated. So we
+	// get them only now. We didn't need it earlier since the connections have not been started yet.
+	l.procQs = procQs
+	l.pool = pool
+
+	// cache ticker is desirable.
+	l.neighbors.start(l.pool)
+
+	// We do not have a known peer that we can resolve ahead of time, but we can at least save
+	// peers that are already up from having to resolve us and maybe dropping the first packet.
+	localIP := l.localAddr.Addr()
+	l.neighbors.seekNeighbor(&localIP)
+
+	// Backlog sender
+	go func() {
+		defer log.HandlePanic()
+		// The first pass runs with the zero address; after that, each pass handles the address
+		// received from backlogCheck. stop() also sends on backlogCheck to wake this loop up so
+		// it can observe that running is false.
+		dstAddr := netip.Addr{}
+		for l.running.Load() {
+			l.sendBacklog(dstAddr)
+			dstAddr = <-l.backlogCheck
+		}
+		// Tell stop() that we're gone.
+		close(l.sendBacklogDone)
+	}()
+}
+
+// stop takes the link out of the running state. If the link was running, it wakes the backlog
+// sender goroutine up and waits for it to exit. The neighbor cache is stopped in all cases.
+func (l *internalLink) stop() {
+	wasRunning := l.running.Swap(false)
+	if wasRunning {
+		// wakeup! Time to die.
+		// Non-blocking send: if backlogCheck is already full, the goroutine has something to
+		// wake up for anyway.
+		select {
+		case l.backlogCheck <- netip.Addr{}:
+		default:
+		}
+		<-l.sendBacklogDone
+	}
+
+	l.neighbors.stop()
+}
+
+// IfID returns the link's interface ID, which is always 0 for an internal link.
+func (l *internalLink) IfID() uint16 {
+	return 0
+}
+
+// Metrics returns the metrics that this link was created with.
+func (l *internalLink) Metrics() *router.InterfaceMetrics {
+	return l.metrics
+}
+
+// Scope returns router.Internal.
+func (l *internalLink) Scope() router.LinkScope {
+	return router.Internal
+}
+
+// BFDSession always returns nil: the internal link has no BFD session.
+func (l *internalLink) BFDSession() *bfd.Session {
+	return nil
+}
+
+// IsUp always returns true: the internal link is unconditionally reported as up.
+func (l *internalLink) IsUp() bool {
+	return true
+}
+
+// Resolve updates the packet's underlay destination according to the given SCION host/service
+// address and SCION port number. On the UDP/IP underlay, host addresses are bit-for-bit identical
+// to underlay addresses. The port space is the same, except if the packet is redirected to the
+// shim dispatcher.
+//
+// It returns an error if no backend is known for a service address, or if an IP address is
+// v4-mapped-v6 or unspecified. It panics on any other address type.
+func (l *internalLink) Resolve(p *router.Packet, dst addr.Host, port uint16) error {
+	var ip netip.Addr
+	switch hostType := dst.Type(); hostType {
+	case addr.HostTypeIP:
+		ip = dst.IP()
+		if ip.Is4In6() {
+			return router.ErrUnsupportedV4MappedV6Address
+		}
+		if ip.IsUnspecified() {
+			return router.ErrUnsupportedUnspecifiedAddress
+		}
+	case addr.HostTypeSVC:
+		// Only base addresses are registered in the map, so the lookup uses the Base address;
+		// i.e. the multicast information is stripped.
+		backend, found := l.svc.Any(dst.SVC().Base())
+		if !found {
+			return router.ErrNoSVCBackend
+		}
+		// The supplied port is irrelevant here: the port comes from the svc record.
+		ip, port = backend.Addr(), backend.Port()
+	default:
+		panic(fmt.Sprintf("unexpected address type returned from DstAddr: %s", hostType))
+	}
+
+	// Ports outside of the configured port range are sent to the fixed port instead.
+	inDispatchRange := l.dispatchStart <= port && port <= l.dispatchEnd
+	if !inDispatchRange {
+		port = l.dispatchRedirect
+	}
+
+	setRemoteAddr(p, ip.AsSlice(), port)
+	return nil
+}
+
+// sendBacklog drains the backlog of packets that were waiting for dstAddr to be resolved, and
+// queues them for sending. It does nothing if the neighbor cache has no backlog for dstAddr.
+//
+// If a packet still cannot be finished (finishPacket returns false), the remainder of the
+// backlog is dropped. Packets that do not fit in the egress queue are dropped too.
+func (l *internalLink) sendBacklog(dstAddr netip.Addr) {
+	l.neighbors.Lock()
+	backlog := l.neighbors.getBacklog(dstAddr)
+	l.neighbors.Unlock()
+
+	if backlog == nil {
+		return
+	}
+	// givenup is set once a packet fails to be finished; everything read after that is dropped.
+	givenup := false
+	for {
+		select {
+		case p := <-backlog:
+			if givenup {
+				sc := router.ClassOfSize(len(p.RawPacket))
+				l.metrics[sc].DroppedPacketsBusyForwarder[p.TrafficType].Inc()
+				l.pool.Put(p)
+				continue
+			}
+			// The neighbor cache doesn't know the dest port, but the full address is in the packet.
+			if !l.finishPacket(p) {
+				// Note that this packet goes back onto the backlog so we will drop it at the end of
+				// the loop. TODO(jiceatscion): need new drop reason.
+				givenup = true
+				continue
+			}
+			// Non-blocking hand-off to the connection; drop if its queue is full.
+			select {
+			case l.egressQ <- p:
+			default:
+				sc := router.ClassOfSize(len(p.RawPacket))
+				l.metrics[sc].DroppedPacketsBusyForwarder[p.TrafficType].Inc()
+				l.pool.Put(p)
+			}
+		default:
+			// Backlog drained (for now).
+			return
+		}
+	}
+}
+
+// Send finishes the packet (headers, lengths, checksums) and queues it for sending, without
+// blocking. If the egress queue is full, the packet is counted as dropped and returned to the
+// pool. If the destination is not resolved yet, the packet was backlogged (or dropped) by
+// finishPacket and nothing more is done here.
+func (l *internalLink) Send(p *router.Packet) {
+
+	// TODO(jiceatscion): The packet's destination is in the packet's meta-data; it was put there by
+	// Resolve() We need to craft a header in front of the packet.  May be resolve could do that,
+	// instead of just storing the destination in the packet structure. That would save us the
+	// allocation of address but requires some more changes to the dataplane code structure.
+
+	if finished := l.finishPacket(p); finished {
+		select {
+		case l.egressQ <- p:
+		default:
+			sizeClass := router.ClassOfSize(len(p.RawPacket))
+			l.metrics[sizeClass].DroppedPacketsBusyForwarder[p.TrafficType].Inc()
+			l.pool.Put(p)
+		}
+	}
+	// else: the packet got put on the backlog (or discarded if the backlog is full).
+}
+
+// SendBlocking finishes the packet and queues it for sending, blocking until there is room in
+// the egress queue. If the destination is not resolved yet, the packet is backlogged or
+// discarded by finishPacket instead, without blocking.
+//
+// Only tests actually use this method, but since we have to have it, we might as well implement
+// it ~correctly. Doesn't hurt. TODO(jiceatscion): deal with backlog (or not).
+func (l *internalLink) SendBlocking(p *router.Packet) {
+	if !l.finishPacket(p) {
+		// backlog'd or discarded => non-blocking after all. Sorry.
+		return
+	}
+	l.egressQ <- p
+}
+
+// receive delivers an incoming packet to the appropriate processing queue.
+// Because this link is not associated with a specific remote address, the src
+// address of the packet is recorded in the packet structure. This may be used
+// as the destination if SCMP responds.
+//
+// The packet is dropped (and returned to the pool) if no processing queue can be computed for
+// it, or if the selected queue is full.
+func (l *internalLink) receive(p *router.Packet) {
+	size := len(p.RawPacket)
+	sizeClass := router.ClassOfSize(size)
+	l.metrics[sizeClass].InputPacketsTotal.Inc()
+	l.metrics[sizeClass].InputBytesTotal.Add(float64(size))
+
+	procID, err := computeProcID(p.RawPacket, len(l.procQs), l.seed)
+	if err != nil {
+		log.Debug("Error while computing procID", "err", err)
+		l.pool.Put(p)
+		l.metrics[sizeClass].DroppedPacketsInvalid.Inc()
+		return
+	}
+
+	p.Link = l
+
+	// Never block the receiver: drop if the processor is busy.
+	select {
+	case l.procQs[procID] <- p:
+	default:
+		l.pool.Put(p)
+		l.metrics[sizeClass].DroppedPacketsBusyProcessor.Inc()
+	}
+}
+
+// handleNeighbor processes an ARP or NDP request or response: it updates the neighbor cache
+// with the sender's MAC address when appropriate, wakes the backlog sender up if that changed
+// the cache, and responds to requests that target the local address.
+//
+// We have to deal with the idiosyncrasies of both ARP and NDP, here.
+// In ARP responses the address of the recipient is DstProtAddress while the address being
+// resolved is SourceProtAddress. In NDP responses, the address of the recipient is in the IP header
+// and the address being resolved is always TargetAddress. In ARP requests the address of the sender
+// is srcProtAddress while the address being resolved dstProtAddress. In NDP requests the address
+// of the sender is in the IP header, while the address being resolved is TargetAddress.
+// Since this method is called for both requests and responses and for both ARP and NDP, we have
+// to make our own convention:
+// target is always the address being resolved.
+// sender is always the sender of the packet.
+// rcpt is always the intended recipient, when one is specified. It is also the target when isReq
+// is true.
+//
+// We do use requests to populate our cache, which means that we use sender for that, instead of
+// target. That way we gain knowledge from requests, even when the target is something else (for
+// example, the local address).
+func (l *internalLink) handleNeighbor(
+	isReq bool,
+	targetIP, senderIP, rcptIP netip.Addr,
+	remoteHw [6]byte,
+) {
+	// Don't pollute our table with stuff that we can't have asked. However, per RFC826, update
+	// what we already have when given a chance.
+	// remoteHwP always points at an in-cache MAC address, which reduces GC pressure.
+	// We respond only to peers that we keep in the cache.
+	var remoteHwP *[6]byte
+	changed := false
+
+	l.neighbors.Lock()
+	found := l.neighbors.check(senderIP) // pending => found.
+	if (rcptIP == l.localAddr.Addr() &&
+		senderIP != targetIP && // could be response or could be gratuitous. If !found, not wanted.
+		!senderIP.IsUnspecified()) || found {
+
+		// Good to cache or update
+		remoteHwP, changed = l.neighbors.put(senderIP, remoteHw)
+	} else {
+		// Not cacheable => No response needed either.
+		isReq = false
+	}
+	l.neighbors.Unlock()
+
+	if changed {
+		// Let the backlog sender know (non-blocking: a check is already pending if this fails).
+		select {
+		case l.backlogCheck <- senderIP:
+		default:
+		}
+	}
+
+	// We do respond. The kernel might or might not, depending on how we setup interfaces.
+	if !isReq {
+		return
+	}
+	if targetIP != l.localAddr.Addr() {
+		// Can be a gratuitous request or simply a request for another host.
+		return
+	}
+	p := l.pool.Get()
+	localIP := l.localAddr.Addr()
+	// TODO(jiceatscion): should suppress response here too for loopback devices.
+	packNeighborResp(p, &localIP, l.localMAC[:], &senderIP, remoteHwP[:], l.is4)
+	select {
+	case l.egressQ <- p:
+	default:
+		// Egress queue full: the response is dropped. The packet must go back to the pool or it
+		// is lost for good.
+		l.pool.Put(p)
+	}
+}
+
+// newInternalLink creates the internal link for the given local address on top of the given
+// connection. The link shares the connection's MAC address, egress queue, and hash seed; it gets
+// its own neighbor cache and its canned header. The link is registered with the connection
+// (conn.intLinks) under its local address and port.
+func newInternalLink(
+	localAddr *netip.AddrPort,
+	conn *udpConnection,
+	svc *router.Services[netip.AddrPort],
+	dispatchStart, dispatchEnd, dispatchRedirect uint16,
+	metrics *router.InterfaceMetrics,
+) *internalLink {
+	localIP := localAddr.Addr()
+	cache := newNeighborCache("internal", conn.localMAC, localIP, conn.queue)
+
+	link := &internalLink{
+		localMAC:         conn.localMAC,
+		localAddr:        localAddr,
+		egressQ:          conn.queue,
+		metrics:          metrics,
+		neighbors:        cache,
+		svc:              svc,
+		backlogCheck:     make(chan netip.Addr, 1),
+		sendBacklogDone:  make(chan struct{}),
+		seed:             conn.seed,
+		dispatchStart:    dispatchStart,
+		dispatchEnd:      dispatchEnd,
+		dispatchRedirect: dispatchRedirect,
+		is4:              localIP.Is4(),
+	}
+	link.packHeader()
+
+	key := addrPort{ip: localIP, port: localAddr.Port()}
+	conn.intLinks[key] = link
+
+	log.Debug("***** Link", "scope", "internal", "local", localAddr, "localMAC", conn.localMAC)
+	return link
+}
+
+// String returns a short description of the link that includes its local address.
+func (l *internalLink) String() string {
+	return fmt.Sprintf("Internal: local: %s", l.localAddr)
+}
diff --git a/router/underlayproviders/afpacketudpip/mmsg.go b/router/underlayproviders/afpacketudpip/mmsg.go
new file mode 100644
index 0000000000..d1ff3c34a5
--- /dev/null
+++ b/router/underlayproviders/afpacketudpip/mmsg.go
@@ -0,0 +1,104 @@
+// Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build linux
+
+package afpacketudpip
+
+import (
+	"reflect"
+	"runtime"
+	"unsafe"
+
+	"github.com/gopacket/gopacket/afpacket"
+	"golang.org/x/sys/unix"
+
+	"github.com/scionproto/scion/pkg/log"
+)
+
+// TODO(jiceatscion): there is another copy of this code in router_benchmark. Move this to a common
+// package (in underlay for example) or, probably better, specialize this one to make it more
+// efficient for the router's use.
+
+// mmsgHdr is one element of the message vector passed to the sendmmsg system call.
+// NOTE(review): presumably mirrors the kernel's struct mmsghdr (msghdr, uint32 length, padding
+// on 64-bit platforms) - confirm the layout for every supported architecture.
+type mmsgHdr struct {
+	hdr unix.Msghdr
+	len uint32
+	_   [4]byte
+}
+
+// mpktSender is a helper class to add the ability of using the sendmmsg system call
+// with afpacket sockets.
+type mpktSender struct {
+	// fd is the file descriptor of the afpacket socket, extracted from tp.
+	fd int
+	// tp is kept so that it cannot be finalized while fd is in use.
+	tp *afpacket.TPacket
+	// msgs and iovecs are (re)built by setPkts: one message with one iovec per packet.
+	msgs   []mmsgHdr
+	iovecs []unix.Iovec
+}
+
+// newMpktSender returns a sender that uses the socket of the given TPacket. It also configures
+// that socket: it attempts to bypass the queuing discipline (failure is only logged) and makes
+// the socket ignore outgoing packets (failure causes a panic).
+func newMpktSender(tp *afpacket.TPacket) *mpktSender {
+	sender := &mpktSender{}
+
+	// Unceremonious but necessary until we submit a change (which would have to be more general
+	// than this) to the afpacket project and get it merged.
+	// This reads the unexported "fd" field of TPacket through reflection.
+	fdv := reflect.ValueOf(tp).Elem().FieldByName("fd")
+	sender.fd = int(fdv.Int())
+	// This is to make sure that tp cannot be finalized before we're done abusing its file desc.
+	sender.tp = tp
+
+	// Try and bypass queuing discipline. If that doesn't work, we'll survive.
+	err := unix.SetsockoptInt(sender.fd, unix.SOL_PACKET, unix.PACKET_QDISC_BYPASS, 1)
+	if err != nil {
+		log.Info("Could not bypass queing discipline", "err", err)
+	}
+
+	// If we're going to send, we need to make sure we're not receiving our own stuff. The default
+	// behaviour is less than clear. The loopback doesn't work with veth, but likely does with
+	// everything else.
+	err = unix.SetsockoptInt(sender.fd, unix.SOL_PACKET, unix.PACKET_IGNORE_OUTGOING, 1)
+	if err != nil {
+		panic(err)
+	}
+	return sender
+}
+
+// setPkts prepares the message vector for the next sendAll call: one message per packet in ps,
+// each with a single iovec pointing at the packet's bytes. The previous vector is discarded.
+// An empty packet gets a message whose iovec is left zeroed.
+func (sender *mpktSender) setPkts(ps [][]byte) {
+	count := len(ps)
+	sender.msgs = make([]mmsgHdr, count)
+	sender.iovecs = make([]unix.Iovec, count)
+
+	for i := range ps {
+		iov := &sender.iovecs[i]
+		if pkt := ps[i]; len(pkt) > 0 {
+			iov.Base = (*byte)(unsafe.Pointer(&pkt[0]))
+			iov.SetLen(len(pkt))
+		}
+		hdr := &sender.msgs[i].hdr
+		hdr.Iov = iov
+		hdr.Iovlen = 1
+	}
+}
+
+// sendAll sends the packets prepared by setPkts with a single sendmmsg system call, retrying
+// for as long as the interface queue is completely full. It returns the number of packets that
+// were actually sent, which may be less than the number prepared, or an error if nothing could
+// be sent for a reason other than a full queue. If no packets are prepared it returns 0 and no
+// error, without making any system call.
+func (sender *mpktSender) sendAll() (int, error) {
+	if len(sender.msgs) == 0 {
+		// Nothing to send. This also protects the &sender.msgs[0] below.
+		return 0, nil
+	}
+	// This will hog a core (as far as the Go scheduler is concerned) for the duration of the call
+	// as the Go run-time has no idea that this may be a ~blocking write. This is perfectly fine for
+	// our use case.
+	for {
+		n, _, err := unix.Syscall6(unix.SYS_SENDMMSG,
+			uintptr(sender.fd),
+			uintptr(unsafe.Pointer(&sender.msgs[0])),
+			uintptr(len(sender.msgs)),
+			uintptr(unix.MSG_DONTWAIT), // return when the interface queue is full.
+			0, 0)
+		if err == 0 {
+			// we sent some packets.
+			return int(n), nil
+		}
+		if err == unix.EWOULDBLOCK {
+			// We sent nothing at all. The queue is completely full. Take a breather (cheaper than
+			// using poll or select).
+			runtime.Gosched()
+			continue
+		}
+		// Some error other than EWOULDBLOCK. Nothing was sent either
+		return 0, err
+	}
+}
diff --git a/router/underlayproviders/afpacketudpip/neighbors.go b/router/underlayproviders/afpacketudpip/neighbors.go
new file mode 100644
index 0000000000..28dd758d43
--- /dev/null
+++ b/router/underlayproviders/afpacketudpip/neighbors.go
@@ -0,0 +1,391 @@
+// Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package afpacketudpip
+
+import (
+	"net"
+	"net/netip"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/gopacket/gopacket"
+	"github.com/gopacket/gopacket/layers"
+
+	"github.com/scionproto/scion/pkg/log"
+	"github.com/scionproto/scion/router"
+)
+
+// Neighbor (ARP/NDP) cache parameters. The longish TTL is because Linux is suspected to rate-limit
+// responses, so addresses of hosts other than SCION routers should not be re-resolved too often.
+// Requests for entries that are in the Incomplete or Probe state are re-sent once per tick.
+const (
+	neighborTick       = 1000 * time.Millisecond // Cache clock period.
+	neighborTTL        = 600                     // Time to live of resolved entry (in ticks).
+	neighborTTR        = 3                       // TTL threshold for resolution (in ticks).
+	neighborMaxBacklog = 3                       // Number of packets pending resolution.
+)
+
+// ndpMcastPrefix holds the 13 leading bytes (104 bits) of the IPv6 solicited-node multicast
+// prefix FF02:0000:0000:0000:0000:0001:FF00:0000/104.
+var ndpMcastPrefix = []byte{0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x1, 0xff}
+// zeroMacAddr is the all-zero MAC address: the placeholder target hardware address in ARP
+// requests and the address handed out by a stub (isLoop) cache.
+var zeroMacAddr = [6]byte{0, 0, 0, 0, 0, 0}
+
+// neighborState is the position of a cache entry in its resolution life-cycle.
+type neighborState int
+
+const (
+	// None is the zero value: what a lookup of an address absent from the map yields.
+	None neighborState = iota
+	// Incomplete entries have no MAC address yet; tick() sends a request for them every tick.
+	Incomplete
+	// Reachable entries have a MAC address that was recently confirmed by put().
+	Reachable
+	// Stale entries still have a MAC address but fewer than neighborTTR ticks left to live.
+	Stale
+	// Probe entries are being refreshed: tick() sends a request for them every tick.
+	Probe
+)
+
+// neighbor is the cache entry for one neighbor. This is a bit simplistic compared to Linux's ARP
+// life-cycle. There is a small backlog of packets waiting for resolution (because too much of the
+// SCION test code assumes infallible packet delivery).
+type neighbor struct {
+	// mac is the resolved hardware address; it is nil for as long as nothing has been resolved.
+	mac *[6]byte
+	// timer is the number of ticks the entry has left: tick() decrements it and deletes the
+	// entry once it has reached zero.
+	timer int
+	// TODO(jiceatscion): the whole neighbor management is getting clumsy. Reorg.
+	// backlog holds up to neighborMaxBacklog packets awaiting resolution; state is the entry's
+	// position in the resolution life-cycle.
+	backlog chan *router.Packet
+	state   neighborState
+}
+
+// neighborCache is a cache of IP address to MAC address mappings.
+// It is not automatically re-entrant: the methods that read or modify the mappings (other than
+// tick(), which takes the lock itself) do not lock, so callers must use Lock() and Unlock() of
+// the embedded sync.Mutex explicitly. The reason is that we have two different usage patterns;
+// one of which needs to manipulate another object in the same critical section.
+// There is a builtin entry ticker. Calling start() will activate it and stop() will
+// deactivate it.
+//
+// egressQ is where ARP/NDP requests are queued for sending, pool supplies the packets used for
+// those requests (it is only set by start()), and tickerDone is closed when the ticker goroutine
+// exits.
+type neighborCache struct {
+	sync.Mutex
+	name       string
+	localMAC   net.HardwareAddr
+	localIP    netip.Addr
+	pool       router.PacketPool
+	mappings   map[netip.Addr]neighbor
+	egressQ    chan *router.Packet
+	tickerDone chan struct{}
+	running    atomic.Bool
+	is4        bool
+	isLoop     bool // If true, the cache is just a stub. All MAC addresses are zero.
+}
+
+// seekNeighbor makes a best-effort attempt at sending an ARP (IPv4) or NDP (IPv6) request for
+// remoteIP: the request is built in a packet taken from the pool and queued on egressQ without
+// blocking. If the queue is full the request is abandoned and the packet goes back to the pool.
+// A stub (isLoop) cache never sends anything.
+// TODO(jiceatscion): This can end-up being called from the critical section. Not ideal.
+func (cache *neighborCache) seekNeighbor(remoteIP *netip.Addr) {
+	if cache.isLoop {
+		return
+	}
+	p := cache.pool.Get()
+	packNeighborReq(p, &cache.localIP, cache.localMAC, remoteIP, cache.is4)
+	select {
+	case cache.egressQ <- p:
+	default:
+		// Queue full: give up on this request, but do not leak the packet.
+		cache.pool.Put(p)
+	}
+}
+
+// get returns the MAC address associated with the given IP, or nil if not known. A new (pending)
+// entry is created if none existed, in which case a resolution is triggered too. The pending
+// entry will exist for as long as specified by the TTR. This function either returns a non-nil
+// address or a non-nil backlog channel. Unresolved packets can be put on that queue for later
+// sending. Using a Stale entry moves it to Probe, so that the ticker refreshes it.
+//
+// The cache must be locked by the caller. A stub (isLoop) cache always answers with the zero MAC
+// address.
+func (cache *neighborCache) get(ip netip.Addr) (*[6]byte, chan *router.Packet) {
+	if cache.isLoop {
+		return &zeroMacAddr, nil
+	}
+
+	entry := cache.mappings[ip]
+	switch entry.state {
+	case None:
+		// Whole new entry
+		entry.state = Incomplete
+		entry.backlog = make(chan *router.Packet, neighborMaxBacklog)
+		entry.timer = neighborTTR // We have that long to resolve it.
+		cache.mappings[ip] = entry
+		cache.seekNeighbor(&ip)
+		return nil, entry.backlog
+	case Incomplete:
+		// Already started resolving. Don't do anything more for now. You get the backlog.
+		return nil, entry.backlog
+	case Reachable, Probe:
+		// All good. If probe, the ticker works on refreshing.
+		return entry.mac, nil
+	case Stale:
+		// Since we do use it; ask the ticker to refresh. entry is a copy of the map value, so the
+		// new state has to be stored back or the ticker would never see it.
+		entry.state = Probe
+		cache.mappings[ip] = entry
+		return entry.mac, nil
+	default:
+		panic("Illegal entry state")
+	}
+}
+
+// getBacklog returns the backlog queue of the entry for ip. The result is nil if there is no
+// such entry or if the cache is a stub (isLoop). The cache must be locked by the caller.
+func (cache *neighborCache) getBacklog(ip netip.Addr) chan *router.Packet {
+	if !cache.isLoop {
+		return cache.mappings[ip].backlog
+	}
+	return nil
+}
+
+// check returns true if we have any kind of interest in the address: either we already know it
+// (and so an update would be good), or we're trying to resolve it. Concretely: the cache is not a
+// stub and the entry for ip has a non-zero timer.
+func (cache *neighborCache) check(ip netip.Addr) bool {
+	return !cache.isLoop && cache.mappings[ip].timer != 0
+}
+
+// put associates the given IP address with the given MAC address and marks the entry Reachable
+// with a full neighborTTL. The stored address is replaced only if it differs from the given one;
+// either way a pointer to the retained value is returned. This canonicalization reduces GC
+// pressure by not forcing a copy of the given address to escape to the heap unnecessarily.
+// The second return value is true if an address was added or changed. A stub (isLoop) cache
+// stores nothing and answers (&zeroMacAddr, false).
+func (cache *neighborCache) put(ip netip.Addr, mac [6]byte) (*[6]byte, bool) {
+	if cache.isLoop {
+		return &zeroMacAddr, false
+	}
+	e := cache.mappings[ip]
+
+	changed := e.mac == nil || *e.mac != mac
+	if changed {
+		e.mac = &mac
+	}
+	if e.state == None {
+		// Brand new entry: it needs its backlog queue.
+		e.backlog = make(chan *router.Packet, neighborMaxBacklog)
+	}
+	e.state, e.timer = Reachable, neighborTTL
+
+	cache.mappings[ip] = e
+	return e.mac, changed
+}
+
+// tick advances the cache clock by one tick, under the cache lock. An entry whose timer has
+// already reached zero is deleted: its backlog is closed and the packets left in it go back to
+// the pool. The timer of every other entry is decremented, then:
+//   - a request is (re)sent for Incomplete and Probe entries;
+//   - a Reachable entry with fewer than neighborTTR ticks left becomes Stale;
+//   - a Stale entry is left alone.
+//
+// Resolved entries therefore live for neighborTTL ticks after the last put(), and unresolved
+// ones for about neighborTTR ticks.
+func (cache *neighborCache) tick() {
+	cache.Lock()
+	for k, entry := range cache.mappings {
+		if entry.timer == 0 {
+			// Completely stale. Throw away.
+			delete(cache.mappings, k)
+			// Closing first lets the range below terminate once the queue is drained.
+			close(entry.backlog)
+			for p := range entry.backlog {
+				cache.pool.Put(p)
+			}
+			continue
+		}
+		entry.timer--
+		switch entry.state {
+		case None:
+			// Should not happen: entries are never stored in the map in that state.
+			continue
+		case Incomplete, Probe:
+			// We do need the address resolved.
+			cache.seekNeighbor(&k)
+		case Stale:
+			// Not in active use, so don't refresh.
+		case Reachable:
+			if entry.timer < neighborTTR {
+				entry.state = Stale
+			}
+		default:
+			panic("Illegal entry state")
+		}
+		// entry is a copy; store the updated timer (and state) back.
+		cache.mappings[k] = entry
+	}
+	cache.Unlock()
+}
+
+// start records the packet pool and, unless the cache is a stub (isLoop), launches the ticker
+// goroutine, which calls tick() every neighborTick until stop() is called. Calling start() on a
+// cache that is already running does nothing.
+// NOTE(review): tickerDone is only created by newNeighborCache and is closed when the ticker
+// exits, so a start() following a stop() would close it a second time. Confirm that caches are
+// never restarted.
+func (cache *neighborCache) start(pool router.PacketPool) {
+	wasRunning := cache.running.Swap(true)
+	if wasRunning {
+		return
+	}
+	cache.pool = pool
+	if cache.isLoop {
+		return
+	}
+	// Ticker task
+	go func() {
+		defer log.HandlePanic()
+		for cache.running.Load() {
+			cache.tick()
+			time.Sleep(neighborTick)
+		}
+		// Tells stop() that the ticker is gone.
+		close(cache.tickerDone)
+	}()
+}
+
+// stop clears the running flag and, for a non-stub cache that was running, blocks until the
+// ticker goroutine has exited. The ticker only checks the flag between sleeps of neighborTick,
+// so this can take up to about one tick.
+func (cache *neighborCache) stop() {
+	wasRunning := cache.running.Swap(false)
+	if cache.isLoop {
+		// A stub cache never started a ticker.
+		return
+	}
+	if wasRunning {
+		<-cache.tickerDone
+	}
+}
+
+// newNeighborCache returns an empty, stopped cache for the interface with the given MAC and IP
+// addresses. Address resolution requests will be queued on egressQ. The cache is a stub (isLoop)
+// if localMAC is the all-zero address. The name is only retained for identification.
+func newNeighborCache(
+	name string,
+	localMAC net.HardwareAddr,
+	localIP netip.Addr,
+	egressQ chan *router.Packet,
+) *neighborCache {
+	cache := &neighborCache{
+		mappings:   make(map[netip.Addr]neighbor),
+		tickerDone: make(chan struct{}),
+	}
+	cache.name = name
+	cache.egressQ = egressQ
+	cache.localIP = localIP
+	cache.is4 = localIP.Is4()
+	cache.localMAC = localMAC
+	cache.isLoop = [6]byte(localMAC) == zeroMacAddr
+	return cache
+}
+
+// packNeighborReq builds an ARP (v4 true) or NDP (v4 false) request for remoteIP into the given
+// packet, replacing p.RawPacket with the serialized frame. The ARP request is broadcast; the NDP
+// neighbor solicitation goes to the solicited-node multicast address of remoteIP. With IPv6,
+// passing localIP == remoteIP produces an announcement (a neighbor advertisement sent to all
+// nodes) instead. It panics if serialization fails.
+// It does not need to refer to the cache but there's no more relevant place to put this.
+func packNeighborReq(
+	p *router.Packet,
+	localIP *netip.Addr,
+	localMAC net.HardwareAddr,
+	remoteIP *netip.Addr,
+	v4 bool,
+) {
+	serBuf := router.NewSerializeProxyStart(p.RawPacket, 128)
+	var err error
+
+	// TODO(jiceatscion): use a canned packet?
+	if v4 {
+		ethernet := layers.Ethernet{
+			SrcMAC:       localMAC,
+			DstMAC:       net.HardwareAddr{0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
+			EthernetType: layers.EthernetTypeARP,
+		}
+		arp := layers.ARP{
+			AddrType:          layers.LinkTypeEthernet,
+			HwAddressSize:     6,
+			Protocol:          layers.EthernetTypeIPv4,
+			ProtAddressSize:   4,
+			Operation:         layers.ARPRequest,
+			SourceHwAddress:   localMAC,
+			SourceProtAddress: localIP.AsSlice(),
+			DstHwAddress:      zeroMacAddr[:],
+			DstProtAddress:    remoteIP.AsSlice(),
+		}
+		err = gopacket.SerializeLayers(&serBuf, seropts, &ethernet, &arp)
+	} else {
+		var typ uint8
+		var mcAddr []byte
+		var dstMAC []byte
+
+		// We can do announcements too. The intent is conveyed using the IPv4 convention.
+		if *localIP == *remoteIP {
+			mcAddr = netip.IPv6LinkLocalAllNodes().AsSlice()
+			typ = layers.ICMPv6TypeNeighborAdvertisement
+			dstMAC = net.HardwareAddr{0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
+		} else {
+			// Solicited-node multicast address: the fixed 104-bit prefix followed by the low 24
+			// bits of the target. The matching Ethernet multicast address is 33:33 followed by
+			// the last four bytes of that IPv6 address.
+			mcAddr = remoteIP.AsSlice()
+			copy(mcAddr[0:13], ndpMcastPrefix)
+			typ = layers.ICMPv6TypeNeighborSolicitation
+			dstMAC = net.HardwareAddr{0x33, 0x33, mcAddr[12], mcAddr[13], mcAddr[14], mcAddr[15]}
+		}
+		ethernet := layers.Ethernet{
+			SrcMAC:       localMAC,
+			DstMAC:       dstMAC,
+			EthernetType: layers.EthernetTypeIPv6,
+		}
+		ipv6 := layers.IPv6{
+			Version:    6,
+			NextHeader: layers.IPProtocolICMPv6,
+			HopLimit:   255,
+			SrcIP:      localIP.AsSlice(),
+			DstIP:      mcAddr,
+		}
+		icmp6 := layers.ICMPv6{
+			TypeCode: layers.CreateICMPv6TypeCode(typ, 0),
+		}
+		// NOTE(review): the announcement reuses the solicitation body, so it carries a source
+		// link-layer address option and presumably no flags. RFC 4861 describes unsolicited
+		// advertisements with a target link-layer address option; confirm receivers accept this.
+		request := layers.ICMPv6NeighborSolicitation{
+			TargetAddress: remoteIP.AsSlice(),
+			Options: layers.ICMPv6Options{
+				layers.ICMPv6Option{Type: layers.ICMPv6OptSourceAddress, Data: localMAC},
+			},
+		}
+		_ = icmp6.SetNetworkLayerForChecksum(&ipv6)
+		err = gopacket.SerializeLayers(&serBuf, seropts, &ethernet, &ipv6, &icmp6, &request)
+	}
+	if err != nil {
+		// The only possible reason for this is in the few lines above.
+		panic("cannot serialize neighbor request")
+	}
+	p.RawPacket = serBuf.Bytes()
+}
+
+// packNeighborResp builds an ARP reply (is4 true) or an NDP neighbor advertisement (is4 false)
+// into the given packet, replacing p.RawPacket with the serialized frame. The response states
+// that localIP is at localMAC and is unicast to the requester (remoteIP/remoteMAC). It panics if
+// serialization fails.
+// It does not need to refer to the cache but there's no more relevant place to put this.
+func packNeighborResp(
+	p *router.Packet,
+	localIP *netip.Addr, // The question
+	localMAC net.HardwareAddr, // The answer
+	remoteIP *netip.Addr, // The requester
+	remoteMAC net.HardwareAddr, // Ditto
+	is4 bool,
+) {
+	serBuf := router.NewSerializeProxyStart(p.RawPacket, 128)
+	var err error
+
+	if is4 {
+		ethernet := layers.Ethernet{
+			SrcMAC:       localMAC,
+			DstMAC:       remoteMAC,
+			EthernetType: layers.EthernetTypeARP,
+		}
+		arp := layers.ARP{
+			AddrType:          layers.LinkTypeEthernet,
+			HwAddressSize:     6,
+			Protocol:          layers.EthernetTypeIPv4,
+			ProtAddressSize:   4,
+			Operation:         layers.ARPReply,
+			SourceHwAddress:   localMAC,
+			SourceProtAddress: localIP.AsSlice(),
+			DstHwAddress:      remoteMAC,
+			DstProtAddress:    remoteIP.AsSlice(),
+		}
+		err = gopacket.SerializeLayers(&serBuf, seropts, &ethernet, &arp)
+	} else {
+		ethernet := layers.Ethernet{
+			SrcMAC:       localMAC,
+			DstMAC:       remoteMAC,
+			EthernetType: layers.EthernetTypeIPv6,
+		}
+		ipv6 := layers.IPv6{
+			Version:    6,
+			NextHeader: layers.IPProtocolICMPv6,
+			HopLimit:   255,
+			SrcIP:      localIP.AsSlice(),
+			DstIP:      remoteIP.AsSlice(),
+		}
+		icmp6 := layers.ICMPv6{
+			TypeCode: layers.CreateICMPv6TypeCode(layers.ICMPv6TypeNeighborAdvertisement, 0),
+		}
+		response := layers.ICMPv6NeighborAdvertisement{
+			Flags:         0x60, // Solicited | Override.
+			TargetAddress: localIP.AsSlice(),
+			Options: layers.ICMPv6Options{
+				layers.ICMPv6Option{Type: layers.ICMPv6OptTargetAddress, Data: localMAC},
+			},
+		}
+		_ = icmp6.SetNetworkLayerForChecksum(&ipv6)
+		err = gopacket.SerializeLayers(&serBuf, seropts, &ethernet, &ipv6, &icmp6, &response)
+	}
+	if err != nil {
+		// The only possible reason for this is in the few lines above.
+		panic("cannot serialize neighbor response")
+	}
+	p.RawPacket = serBuf.Bytes()
+}
diff --git a/router/underlayproviders/afpacketudpip/ptplink.go b/router/underlayproviders/afpacketudpip/ptplink.go
new file mode 100644
index 0000000000..34cf20e30a
--- /dev/null
+++ b/router/underlayproviders/afpacketudpip/ptplink.go
@@ -0,0 +1,517 @@
+// Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package afpacketudpip
+
+import (
+	"context"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync/atomic"
+
+	"github.com/gopacket/gopacket"
+	"github.com/gopacket/gopacket/layers"
+
+	"github.com/scionproto/scion/pkg/addr"
+	"github.com/scionproto/scion/pkg/log"
+	"github.com/scionproto/scion/router"
+	"github.com/scionproto/scion/router/bfd"
+)
+
+// ptpLink is a point-to-point link. All links share a single raw socket per NIC. However
+// point to point links are dedicated to a single src/dst pair.
+//
+// header is the canned Ethernet/IP/UDP header that is pasted in front of every outgoing packet.
+// It is built lazily by packHeader, reset to nil when the peer's MAC address changes, and is
+// accessed with the neighbors cache locked. Packets that cannot be sent because the peer's MAC
+// address is still unknown wait in the cache's backlog; backlogCheck wakes up the goroutine that
+// sends them and sendBacklogDone is closed when that goroutine exits.
+// TODO(jiceatscion): a lot of code could be deduplicated between the two link implementations.
+type ptpLink struct {
+	procQs          []chan *router.Packet
+	header          []byte
+	localMAC        net.HardwareAddr // replace w/ 6 bytes?
+	pool            router.PacketPool
+	localAddr       *netip.AddrPort
+	remoteAddr      *netip.AddrPort
+	egressQ         chan<- *router.Packet
+	metrics         *router.InterfaceMetrics
+	bfdSession      *bfd.Session
+	neighbors       *neighborCache
+	backlogCheck    chan struct{}
+	sendBacklogDone chan struct{}
+	running         atomic.Bool
+	scope           router.LinkScope
+	seed            uint32
+	ifID            uint16 // 0 for sibling links
+	is4             bool
+}
+
+// Expensive. Call only to make a few prefab headers.
+// This must be called with the neighbors cache locked.
+// This function either sets a header, or returns a backlog queue.
+func (l *ptpLink) packHeader() chan *router.Packet {
+	dstIP := l.remoteAddr.Addr()
+
+	// Resolve the destination MAC address if we can.
+	dstMac, backlog := l.neighbors.get(dstIP) // Sends ARP/NDP req as needed.
+	if dstMac == nil {
+		// We don't have an address to offer, but we have a backlog queue.
+		return backlog
+	}
+
+	// Build the header.
+	sb := gopacket.NewSerializeBuffer()
+	srcIP := l.localAddr.Addr()
+	if l.is4 {
+		ethernet := layers.Ethernet{
+			SrcMAC:       l.localMAC,
+			DstMAC:       dstMac[:],
+			EthernetType: layers.EthernetTypeIPv4,
+		}
+		udp := layers.UDP{
+			SrcPort: layers.UDPPort(l.localAddr.Port()),
+			DstPort: layers.UDPPort(l.remoteAddr.Port()),
+		}
+		ip := layers.IPv4{
+			Version:  4,
+			IHL:      5,
+			TTL:      64,
+			SrcIP:    srcIP.AsSlice(),
+			DstIP:    dstIP.AsSlice(),
+			Protocol: layers.IPProtocolUDP,
+			Flags:    layers.IPv4DontFragment, // Sure about that?
+		}
+		_ = udp.SetNetworkLayerForChecksum(&ip)
+		err := gopacket.SerializeLayers(sb, seropts, &ethernet, &ip, &udp)
+		if err != nil {
+			// The only possible reason for this is in the few lines above.
+			panic("cannot serialize static header")
+		}
+
+		// We have to truncate the result; gopacket is scared of generating a packet shorter than
+		// the ethernet minimum.
+		l.header = sb.Bytes()[:42]
+		return nil
+	}
+	ethernet := layers.Ethernet{
+		SrcMAC:       l.localMAC,
+		DstMAC:       dstMac[:],
+		EthernetType: layers.EthernetTypeIPv6,
+	}
+	udp := layers.UDP{
+		SrcPort: layers.UDPPort(l.localAddr.Port()),
+		DstPort: layers.UDPPort(l.remoteAddr.Port()),
+	}
+	ip := layers.IPv6{
+		Version:    6,
+		NextHeader: layers.IPProtocolUDP,
+		HopLimit:   64,
+		SrcIP:      srcIP.AsSlice(),
+		DstIP:      dstIP.AsSlice(),
+	}
+	_ = udp.SetNetworkLayerForChecksum(&ip)
+	err := gopacket.SerializeLayers(sb, seropts, &ethernet, &ip, &udp)
+	if err != nil {
+		// The only possible reason for this is in the few lines above.
+		panic("cannot serialize static header")
+	}
+	// We have to truncate the result; gopacket is scared of generating a packet shorter than the
+	// ethernet minimum.
+	l.header = sb.Bytes()[:62]
+	return nil
+}
+
+// addHeader fetches the then-most-current version of the canned header and pastes it on the packet.
+// If no canned header is available, this method returns false and the packet is left without a
+// header. Note that packHeader triggers an address resolution if a canned header cannot be
+// constructed immediately.
+func (l *ptpLink) addHeader(p *router.Packet) bool {
+	l.neighbors.Lock()
+	var backlog chan *router.Packet
+	if l.header == nil {
+		backlog = l.packHeader()
+	}
+	header := l.header
+	if header == nil {
+		if backlog != nil {
+			select {
+			case backlog <- p:
+			default:
+				sc := router.ClassOfSize(len(p.RawPacket))
+				l.metrics[sc].DroppedPacketsBusyForwarder[p.TrafficType].Inc()
+				l.pool.Put(p)
+			}
+		}
+	}
+	l.neighbors.Unlock()
+
+	if header == nil {
+		return false
+	}
+	p.RawPacket = p.WithHeader(len(header))
+	copy(p.RawPacket, header)
+	return true
+}
+
+// finishPacket turns the payload in p.RawPacket into a complete frame: it prepends the canned
+// header, then patches the fields that depend on the payload (the IP and UDP lengths, and the
+// IPv4 header checksum or the IPv6 UDP checksum). It returns false if no header could be added,
+// in which case addHeader has already queued or discarded the packet and the caller must leave
+// it alone.
+// TODO(jiceatscion): can do cleaner, more legible, faster?
+func (l *ptpLink) finishPacket(p *router.Packet) bool {
+	// Must be measured before addHeader grows the packet.
+	payloadLen := len(p.RawPacket)
+	if !l.addHeader(p) {
+		return false
+	}
+	if l.is4 {
+		// Fix the IP total length field
+		binary.BigEndian.PutUint16(p.RawPacket[ipv4LenOffset:], uint16(payloadLen)+ipv4Len+udpLen)
+
+		// Update UDP length
+		binary.BigEndian.PutUint16(p.RawPacket[udpv4LenOffset:], uint16(payloadLen)+udpLen)
+
+		// For IPv4 fix the IP checksum. The field is zeroed first as it is part of the
+		// computation's input.
+		p.RawPacket[ipv4SumOffset] = 0
+		p.RawPacket[ipv4SumOffset+1] = 0
+		csum := gopacket.ComputeChecksum(p.RawPacket[ipOffset:udpv4Offset], 0)
+		binary.BigEndian.PutUint16(p.RawPacket[ipv4SumOffset:], gopacket.FoldChecksum(csum))
+
+		// For IPv4 the UDP checksum is optional: leave it at zero (i.e. not computed).
+		p.RawPacket[udpv4SumOffset] = 0
+		p.RawPacket[udpv4SumOffset+1] = 0
+		return true
+	}
+
+	// Fix the IPv6 payload length field (udp plus the scion stuff)
+	binary.BigEndian.PutUint16(p.RawPacket[ipv6LenOffset:], uint16(payloadLen)+udpLen)
+
+	// Update UDP length
+	binary.BigEndian.PutUint16(p.RawPacket[udpv6LenOffset:], uint16(payloadLen)+udpLen)
+
+	// Zero-out the checksum as it is part of the computation's input.
+	p.RawPacket[udpv6SumOffset] = 0
+	p.RawPacket[udpv6SumOffset+1] = 0
+
+	// For IPV6 we must compute the UDP checksum.
+	// In theory we could dispense with it as we're a tunneling protocol; however all the plain
+	// udp underlay implementations would drop the packets. TODO(jiceatscion): save a few cycles
+	// by using UDPlite?
+	// The sum covers the pseudo-header (addresses, UDP length, protocol number 17) followed by
+	// the UDP header and payload.
+	zerosAndProto := []byte{0, 0, 0, 17}
+	csum := gopacket.ComputeChecksum(p.RawPacket[ipv6SrcOffset:udpv6Offset], 0)         // src+dst
+	csum = gopacket.ComputeChecksum(p.RawPacket[udpv6LenOffset:udpv6LenOffset+2], csum) // length
+	csum = gopacket.ComputeChecksum(zerosAndProto, csum)                                // proto num
+	csum = gopacket.ComputeChecksum(p.RawPacket[udpv6Offset:], csum)                    // all
+	binary.BigEndian.PutUint16(p.RawPacket[udpv6SumOffset:], gopacket.FoldChecksum(csum))
+	return true
+}
+
+// start puts the link in the running state; it does nothing if the link is already running. It
+// records the processing queues and the packet pool, starts the neighbors cache, launches the
+// goroutine that sends backlogged packets, sends a first resolution request for the peer and, if
+// the link has a BFD session, runs it in its own goroutine with the given context.
+func (l *ptpLink) start(
+	ctx context.Context,
+	procQs []chan *router.Packet,
+	pool router.PacketPool,
+) {
+	wasRunning := l.running.Swap(true)
+	if wasRunning {
+		return
+	}
+	// procQs and pool are never known before all configured links have been instantiated.  So we
+	// get them only now. We didn't need it earlier since the connections have not been started yet.
+	l.procQs = procQs
+	l.pool = pool
+
+	// Start the cache (and so its ticker); seekNeighbor below needs the pool that this sets.
+	l.neighbors.start(l.pool)
+
+	// Backlog sender: attempts to send the backlog once, then again each time backlogCheck is
+	// signalled, until the link is stopped.
+	go func() {
+		defer log.HandlePanic()
+		for l.running.Load() {
+			l.sendBacklog()
+			<-l.backlogCheck
+		}
+		close(l.sendBacklogDone)
+	}()
+
+	// Since we have only one peer, try and resolve it in case it's up. That's like an
+	// announcement, but we can also get a response.
+	peerIP := l.remoteAddr.Addr()
+	l.neighbors.seekNeighbor(&peerIP)
+
+	if l.bfdSession == nil {
+		return
+	}
+	go func() {
+		defer log.HandlePanic()
+		if err := l.bfdSession.Run(ctx); err != nil && !errors.Is(err, bfd.ErrAlreadyRunning) {
+			log.Error("BFD session failed to start", "remote address", l.remoteAddr, "err", err)
+		}
+	}()
+}
+
+// stop takes the link out of the running state: it closes the BFD session (if any), waits for
+// the backlog sender goroutine to exit and stops the neighbors cache. Links without a BFD
+// session are shut down just the same.
+func (l *ptpLink) stop() {
+	if l.bfdSession != nil {
+		l.bfdSession.Close()
+	}
+	wasRunning := l.running.Swap(false)
+	if wasRunning {
+		// Wake the backlog sender so that it notices the state change. Wait until the wake-up
+		// is either accepted or moot (the sender has exited on its own): a signal dropped while
+		// the sender is busy would leave it, and then us, blocked forever.
+		select {
+		case l.backlogCheck <- struct{}{}:
+		case <-l.sendBacklogDone:
+		}
+		<-l.sendBacklogDone
+	}
+	l.neighbors.stop()
+}
+
+// IfID returns the interface ID that the link was created with (0 for sibling links).
+func (l *ptpLink) IfID() uint16 {
+	return l.ifID
+}
+
+// Metrics returns the interface metrics that the link updates.
+func (l *ptpLink) Metrics() *router.InterfaceMetrics {
+	return l.metrics
+}
+
+// Scope returns the link's scope: router.External or router.Sibling, as set at construction.
+func (l *ptpLink) Scope() router.LinkScope {
+	return l.scope
+}
+
+// BFDSession returns the link's BFD session, which is nil if the link has none.
+func (l *ptpLink) BFDSession() *bfd.Session {
+	return l.bfdSession
+}
+
+// IsUp reports whether the link is usable: always true without a BFD session, otherwise whatever
+// the BFD session reports.
+func (l *ptpLink) IsUp() bool {
+	return l.bfdSession == nil || l.bfdSession.IsUp()
+}
+
+// Resolve should not be useful on a sibling or external link so we don't implement it yet: it
+// ignores its arguments, logs the attempt and always returns errResolveOnNonInternalLink.
+func (l *ptpLink) Resolve(p *router.Packet, host addr.Host, port uint16) error {
+	log.Debug("Trying to resolve inbound address on non-internal link")
+	return errResolveOnNonInternalLink
+}
+
+// sendBacklog drains the backlog of packets that were waiting for the peer's MAC address: each
+// one is given a header and queued for sending, or counted as dropped if the egress queue is
+// full. If a header still cannot be produced, the remainder of the backlog is dropped. It
+// returns once the backlog is empty, or has been closed because the cache expired the entry.
+func (l *ptpLink) sendBacklog() {
+	dstAddr := l.remoteAddr.Addr()
+	l.neighbors.Lock()
+	backlog := l.neighbors.getBacklog(dstAddr)
+	l.neighbors.Unlock()
+
+	if backlog == nil {
+		return
+	}
+
+	givenup := false
+	for {
+		select {
+		case p, ok := <-backlog:
+			if !ok {
+				// The cache ticker expired the entry and closed (and drained) its backlog while
+				// we were not holding the lock. A closed channel yields nil packets forever, so
+				// stop here.
+				return
+			}
+			if givenup {
+				sc := router.ClassOfSize(len(p.RawPacket))
+				l.metrics[sc].DroppedPacketsBusyForwarder[p.TrafficType].Inc()
+				l.pool.Put(p)
+				continue
+			}
+			if !l.finishPacket(p) {
+				// Note that this packet goes back onto the backlog so we will drop it at the end of
+				// the loop. TODO(jiceatscion): need new drop reason.
+				givenup = true
+				continue
+			}
+			select {
+			case l.egressQ <- p:
+			default:
+				sc := router.ClassOfSize(len(p.RawPacket))
+				l.metrics[sc].DroppedPacketsBusyForwarder[p.TrafficType].Inc()
+				l.pool.Put(p)
+			}
+		default:
+			// Backlog drained (for now).
+			return
+		}
+	}
+}
+
+// Send completes the packet with the link's header and queues it for sending without blocking.
+// The packet is counted as dropped and returned to the pool if the egress queue is full.
+func (l *ptpLink) Send(p *router.Packet) {
+
+	// TODO(jiceatscion): The packet's destination is in the packet's meta-data; it was put there by
+	// Resolve() We need to craft a header in front of the packet.  May be resolve could do that,
+	// instead of just storing the destination in the packet structure. That would save us the
+	// allocation of address but requires some more changes to the dataplane code structure.
+	if l.finishPacket(p) {
+		select {
+		case l.egressQ <- p:
+		default:
+			sc := router.ClassOfSize(len(p.RawPacket))
+			l.metrics[sc].DroppedPacketsBusyForwarder[p.TrafficType].Inc()
+			l.pool.Put(p)
+		}
+	}
+	// else, the packet got put on the backlog (or discarded if the backlog is full).
+}
+
+// SendBlocking completes the packet with the link's header and queues it for sending, waiting
+// for room in the egress queue if necessary.
+// Only tests actually use this method, but since we have to have it, we might as well implement it
+// ~correctly. Doesn't hurt. TODO(jiceatscion): deal with backlog (or not).
+func (l *ptpLink) SendBlocking(p *router.Packet) {
+	if !l.finishPacket(p) {
+		// backlog'd or discarded => non-blocking after all. Sorry.
+		return
+	}
+	l.egressQ <- p
+}
+
+// receive accounts for an incoming packet and delivers it to the processing queue selected by
+// computeProcID. The packet is counted as dropped and returned to the pool if no queue can be
+// computed for it or if the selected queue is full.
+func (l *ptpLink) receive(p *router.Packet) {
+	size := len(p.RawPacket)
+	class := router.ClassOfSize(size)
+	l.metrics[class].InputPacketsTotal.Inc()
+	l.metrics[class].InputBytesTotal.Add(float64(size))
+
+	queueIdx, err := computeProcID(p.RawPacket, len(l.procQs), l.seed)
+	if err != nil {
+		log.Debug("Error while computing procID", "err", err)
+		l.pool.Put(p)
+		l.metrics[class].DroppedPacketsInvalid.Inc()
+		return
+	}
+
+	// The src address does not need to be recorded in the packet. The link has all the relevant
+	// information.
+	p.Link = l
+
+	select {
+	case l.procQs[queueIdx] <- p:
+	default:
+		l.pool.Put(p)
+		l.metrics[class].DroppedPacketsBusyProcessor.Inc()
+	}
+}
+
+// handleNeighbor processes an ARP/NDP message seen on the link. isReq tells whether it is a
+// request, targetIP is the address being resolved, and senderIP/remoteHw are the sender's IP
+// and MAC addresses. If the sender is our peer, its MAC address is recorded; if that changes the
+// known address, the canned header is invalidated and the backlog sender is woken up. If the
+// message is a request for our own address, a response is queued (best effort: it is abandoned
+// if the egress queue is full).
+func (l *ptpLink) handleNeighbor(
+	isReq bool,
+	targetIP, senderIP, _rcptIP netip.Addr,
+	remoteHw [6]byte,
+) {
+	// We only care or know our one remote host. However we respond to every deserving query.
+
+	// This is needed to minimize GC pressure. It gets assigned to a dynamically allocated
+	// copy only when there is no better choice.
+	var remoteHwP *[6]byte
+	changed := false
+
+	if senderIP == l.remoteAddr.Addr() {
+		l.neighbors.Lock()
+		// We want, regardless of cache content.
+		remoteHwP, changed = l.neighbors.put(senderIP, remoteHw)
+		if changed {
+			// Time to rebuild the packed header.
+			l.header = nil
+		}
+		l.neighbors.Unlock()
+		// Wake the backlog sender only once the mutex is released, as it needs that mutex. The
+		// signal is sent without blocking: it is enough that one wake-up is pending.
+		if changed {
+			select {
+			case l.backlogCheck <- struct{}{}:
+			default:
+			}
+		}
+	} else if targetIP == l.localAddr.Addr() && !senderIP.IsUnspecified() {
+		// We don't want but it may deserve a response.
+		// No choice, senderMAC escapes to the heap.
+		remoteHwP = &remoteHw
+	} else {
+		// We don't want and no response needed.
+		isReq = false
+	}
+
+	// We do respond. The kernel might or might not, depending on how we setup interfaces.
+	if !isReq {
+		return
+	}
+	if targetIP != l.localAddr.Addr() {
+		// Can be a gratuitous request or simply a request for another host.
+		return
+	}
+	p := l.pool.Get()
+	localIP := l.localAddr.Addr()
+	// TODO(jiceatscion): should suppress response here too for loopback devices.
+	packNeighborResp(p, &localIP, l.localMAC[:], &senderIP, remoteHwP[:], l.is4)
+	select {
+	case l.egressQ <- p:
+	default:
+		// Queue full: the requester will ask again. Do not leak the packet.
+		l.pool.Put(p)
+	}
+}
+
+// newPtpLinkExternal creates the external link with the given interface ID between localAddr and
+// remoteAddr, on top of the given connection, and registers it with that connection so that
+// traffic from remoteAddr to localAddr gets delivered to it. The BFD session may be nil.
+func newPtpLinkExternal(
+	localAddr *netip.AddrPort,
+	remoteAddr *netip.AddrPort,
+	conn *udpConnection,
+	bfd *bfd.Session,
+	ifID uint16,
+	metrics *router.InterfaceMetrics,
+) *ptpLink {
+	l := &ptpLink{
+		localMAC:   conn.localMAC,
+		localAddr:  localAddr,
+		remoteAddr: remoteAddr,
+		egressQ:    conn.queue,
+		metrics:    metrics,
+		neighbors: newNeighborCache(
+			"extTo_"+remoteAddr.String(),
+			conn.localMAC,
+			localAddr.Addr(),
+			conn.queue,
+		),
+		bfdSession: bfd,
+		// Buffered, so that a wake-up posted while the backlog sender is busy is not lost.
+		backlogCheck:    make(chan struct{}, 1),
+		sendBacklogDone: make(chan struct{}),
+		scope:           router.External,
+		seed:            conn.seed,
+		ifID:            ifID,
+		is4:             localAddr.Addr().Is4(),
+	}
+	// Incoming packets are matched on (src, dst) as seen on the wire: the peer is the source.
+	conn.ptpLinks[fourTuple{
+		src: addrPort{ip: remoteAddr.Addr(), port: remoteAddr.Port()},
+		dst: addrPort{ip: localAddr.Addr(), port: localAddr.Port()},
+	}] = l
+
+	log.Debug("***** Link", "scope", "external", "local", localAddr, "localMAC", conn.localMAC,
+		"remote", remoteAddr)
+	return l
+}
+
+// newPtpLinkSibling creates the sibling link (interface ID 0) between localAddr and remoteAddr,
+// on top of the given connection, and registers it with that connection so that traffic from
+// remoteAddr to localAddr gets delivered to it. The BFD session may be nil.
+func newPtpLinkSibling(
+	localAddr *netip.AddrPort,
+	remoteAddr *netip.AddrPort,
+	conn *udpConnection,
+	bfd *bfd.Session,
+	metrics *router.InterfaceMetrics,
+) *ptpLink {
+	l := &ptpLink{
+		localMAC:   conn.localMAC,
+		localAddr:  localAddr,
+		remoteAddr: remoteAddr,
+		egressQ:    conn.queue,
+		metrics:    metrics,
+		neighbors: newNeighborCache(
+			"sibTo_"+remoteAddr.String(),
+			conn.localMAC,
+			localAddr.Addr(),
+			conn.queue,
+		),
+		bfdSession: bfd,
+		// Buffered, as for external links: wake-ups are posted without blocking, so with an
+		// unbuffered channel any of them posted while the backlog sender is busy would be lost.
+		backlogCheck:    make(chan struct{}, 1),
+		sendBacklogDone: make(chan struct{}),
+		scope:           router.Sibling,
+		seed:            conn.seed,
+		ifID:            0,
+		is4:             localAddr.Addr().Is4(),
+	}
+	// Incoming packets are matched on (src, dst) as seen on the wire: the peer is the source.
+	conn.ptpLinks[fourTuple{
+		src: addrPort{ip: remoteAddr.Addr(), port: remoteAddr.Port()},
+		dst: addrPort{ip: localAddr.Addr(), port: localAddr.Port()},
+	}] = l
+	log.Debug("***** Link", "scope", "sibling", "local", localAddr, "localMAC", conn.localMAC,
+		"remote", remoteAddr)
+	return l
+}
+
+func (l *ptpLink) String() string {
+	scope := "External"
+	if l.scope == router.Sibling {
+		scope = "Sibling"
+	}
+	return fmt.Sprintf("%s: local: %s remote: %s", scope, l.localAddr, l.remoteAddr)
+}
diff --git a/router/underlayproviders/afpacketudpip/udpconnection.go b/router/underlayproviders/afpacketudpip/udpconnection.go
new file mode 100644
index 0000000000..38c33931ed
--- /dev/null
+++ b/router/underlayproviders/afpacketudpip/udpconnection.go
@@ -0,0 +1,460 @@
+// Copyright 2025 SCION Association
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package afpacketudpip
+
+import (
+	"crypto/rand"
+	"net"
+	"net/netip"
+	"slices"
+	"sync/atomic"
+
+	"github.com/gopacket/gopacket"
+	"github.com/gopacket/gopacket/afpacket"
+	"github.com/gopacket/gopacket/layers"
+
+	"github.com/scionproto/scion/pkg/log"
+	"github.com/scionproto/scion/router"
+)
+
+// addrPort is like netip.AddrPort but with mutable (for us) fields. This saves an address copy.
+// It is used directly as the key of udpConnection.intLinks and, via fourTuple, as part of the key
+// of udpConnection.ptpLinks.
+type addrPort struct {
+	// IP address (v4 or v6).
+	ip   netip.Addr
+	// UDP port.
+	port uint16
+}
+
+// fourTuple aggregates src and dst addrPorts. It is the key of udpConnection.ptpLinks; it is
+// always expressed from the point of view of an incoming packet: src is the remote end of the
+// link and dst is the local end.
+type fourTuple struct {
+	// Address and port of the packet's sender.
+	src addrPort
+	// Address and port of the packet's recipient.
+	dst addrPort
+}
+
+// udpConnection is a TPacket connection with a sending queue and a demultiplexer. The rest is
+// about logs and metrics. This allows UDP connections to be shared between links, which is the
+// norm in this case, since a raw socket receives traffic for all ports.
+type udpConnection struct {
+	// MAC address of the underlying interface; all zeros if the interface has none.
+	localMAC     net.HardwareAddr
+	// Filters obtained together with the socket when it was opened; closed by stop.
+	connFilters  udpConnFilters
+	name         string                // For logs. It's more informative than ifID.
+	ptpLinks     map[fourTuple]udpLink // Link map for specific remote addresses.
+	intLinks     map[addrPort]udpLink  // Link map for unknown remote addresses.
+	// The raw socket that frames are read from and written to.
+	afp          *afpacket.TPacket
+	// Packets waiting to be transmitted by the sender task. Closed by stop.
+	queue        chan *router.Packet
+	// Output and drop counters updated by the sender task.
+	metrics      *router.InterfaceMetrics
+	// Closed by the receiver task when it returns.
+	receiverDone chan struct{}
+	// Closed by the sender task when it returns.
+	senderDone   chan struct{}
+	// Random hash seed (see makeHashSeed), handed to the links created on this connection.
+	seed         uint32
+	// True between start and stop.
+	running      atomic.Bool
+}
+
+// start puts the connection in the running state by launching its receiver and sender tasks.
+// While running, the connection delivers incoming packets to its links and transmits the packets
+// placed on its queue. Calling start on a connection that is already running has no effect.
+// Each task closes its "done" channel when it returns.
+func (u *udpConnection) start(batchSize int, pool router.PacketPool) {
+	if u.running.Swap(true) {
+		// Already running; the tasks exist.
+		return
+	}
+
+	receiverTask := func() {
+		defer log.HandlePanic()
+		u.receive(pool)
+		close(u.receiverDone)
+	}
+	senderTask := func() {
+		defer log.HandlePanic()
+		u.send(batchSize, pool)
+		close(u.senderDone)
+	}
+
+	go receiverTask()
+	go senderTask()
+}
+
+// stop puts the connection in the stopped state: it closes the socket, the sending queue and the
+// connection filters, then waits for both the receiver and the sender tasks to return. In the
+// stopped state, the connection neither delivers incoming packets nor transmits queued ones. The
+// connection is fully stopped when this method returns. The first call to stop is acted upon
+// regardless of how many times start was called; calling stop on a connection that is not running
+// has no effect.
+func (u *udpConnection) stop() {
+	if !u.running.Swap(false) {
+		// Not running; nothing to undo.
+		return
+	}
+
+	u.afp.Close()  // Unblock receiver
+	close(u.queue) // Unblock sender
+	u.connFilters.Close()
+
+	// Wait for both tasks to be done.
+	<-u.receiverDone
+	<-u.senderDone
+}
+
+// handleArp digests an ARP packet received on this connection and passes the information to every
+// link that shares the connection. Only Ethernet/IPv4 ARP with a 6-byte, non-zero sender hardware
+// address is considered; everything else is ignored.
+//
+// The values passed to the links are:
+//   - requests: target = destination protocol address; sender = source protocol address;
+//     recipient = destination protocol address.
+//   - others (replies): target = source protocol address; sender = source protocol address;
+//     recipient = destination protocol address.
+func (u *udpConnection) handleArp(arp *layers.ARP) {
+	isEthernetIPv4 := arp.AddrType == layers.LinkTypeEthernet &&
+		arp.HwAddressSize == 6 &&
+		arp.Protocol == layers.EthernetTypeIPv4 &&
+		arp.ProtAddressSize == 4
+	if !isEthernetIPv4 {
+		return
+	}
+
+	// Get the MAC out of the packet; it is just a slice referring to it.
+	// Reduce it to exactly 6 bytes while we are at it.
+	if len(arp.SourceHwAddress) != 6 {
+		return
+	}
+	senderMAC := [6]byte(arp.SourceHwAddress)
+	if senderMAC == zeroMacAddr {
+		// We don't care about duplicate address probes nor about loopback devices.
+		return
+	}
+
+	// TODO(jiceatscion): ignore gratuitous reqs
+	isReq := arp.Operation == layers.ARPRequest
+
+	// In both cases the sender is the source protocol address and the recipient is the
+	// destination protocol address. Only the address being resolved differs.
+	senderIP := netip.AddrFrom4([4]byte(arp.SourceProtAddress))
+	rcptIP := netip.AddrFrom4([4]byte(arp.DstProtAddress))
+	targetIP := senderIP
+	if isReq {
+		targetIP = rcptIP
+	}
+
+	// We have to pass all requests to all links. Sometimes the sender uses an IP address
+	// that we don't know about (e.g. the traffic generator uses interfaces with a different
+	// IP assigned - which the arp lib then uses to make requests).
+	for _, link := range u.ptpLinks {
+		link.handleNeighbor(isReq, targetIP, senderIP, rcptIP, senderMAC)
+	}
+	for _, link := range u.intLinks {
+		link.handleNeighbor(isReq, targetIP, senderIP, rcptIP, senderMAC)
+	}
+}
+
+// handleV6NDP handles NDP minimally: it digests neighbor solicitations and neighbor
+// advertisements and passes the information to every link that shares the connection. Any other
+// ICMPv6 message, any message that cannot be decoded, and any message that does not yield a
+// non-zero 6-byte MAC address is ignored.
+//
+// The NDP terminology is as confusing as that of ARP, only different. Summary of the protocol:
+//
+// |                     Solicitations    |   Advertisements
+// ---------------------------------------------------------------
+// IP to be resolved:    TargetAddress    |   TargetAddress
+// IP of pkt sender:     from IP header   |   TargetAddress
+// MAC to be found:      -                |   OptTargetAddress
+// MAC of pkt sender:    OptSourceAddress |   -
+//
+// srcIP and dstIP are the addresses found in the IP header of the packet that carried icmp6.
+func (u *udpConnection) handleV6NDP(icmp6 *layers.ICMPv6, srcIP, dstIP netip.Addr) {
+	var (
+		isReq     bool
+		targetIP  netip.Addr
+		rcptIP    netip.Addr
+		remoteMAC [6]byte
+	)
+	payload := icmp6.LayerPayload()
+	msgType := icmp6.TypeCode.Type()
+
+	if msgType == layers.ICMPv6TypeNeighborSolicitation {
+		var sol layers.ICMPv6NeighborSolicitation
+		if sol.DecodeFromBytes(payload, gopacket.NilDecodeFeedback) != nil {
+			return
+		}
+		addr, ok := netip.AddrFromSlice(sol.TargetAddress)
+		if !ok {
+			return
+		}
+		isReq = true
+		targetIP = addr
+		rcptIP = addr // Even if it arrived via mcast.
+		for _, opt := range sol.Options {
+			if opt.Type != layers.ICMPv6OptSourceAddress {
+				continue
+			}
+			if len(opt.Data) != 6 {
+				return
+			}
+			remoteMAC = [6]byte(opt.Data)
+		}
+	} else if msgType == layers.ICMPv6TypeNeighborAdvertisement {
+		var adv layers.ICMPv6NeighborAdvertisement
+		if adv.DecodeFromBytes(payload, gopacket.NilDecodeFeedback) != nil {
+			return
+		}
+		addr, ok := netip.AddrFromSlice(adv.TargetAddress)
+		if !ok {
+			return
+		}
+		targetIP = addr
+		rcptIP = dstIP
+		for _, opt := range adv.Options {
+			if opt.Type != layers.ICMPv6OptTargetAddress {
+				continue
+			}
+			if len(opt.Data) != 6 {
+				return
+			}
+			remoteMAC = [6]byte(opt.Data)
+		}
+	} else {
+		// Not a neighbor discovery message that we care about.
+		return
+	}
+
+	if remoteMAC == zeroMacAddr {
+		// We don't care about duplicate address probes nor about loopback devices.
+		return
+	}
+
+	// We have to pass all requests to all links. Sometimes the sender uses an IP address
+	// that we don't know about (e.g. the traffic generator uses interfaces with a different
+	// IP assigned - which the arp lib then uses to make requests).
+	for _, link := range u.ptpLinks {
+		link.handleNeighbor(isReq, targetIP, srcIP, rcptIP, remoteMAC)
+	}
+	for _, link := range u.intLinks {
+		link.handleNeighbor(isReq, targetIP, srcIP, rcptIP, remoteMAC)
+	}
+}
+
+// receive is the body of the receiver task. For as long as the connection is in the running
+// state, it reads raw frames from the socket, decodes the Ethernet, IP and UDP headers, and
+// disposes of each frame as follows:
+//   - ARP frames and ICMPv6 messages are consumed locally (see handleArp and handleV6NDP);
+//   - UDP packets whose (src, dst) four-tuple matches a point-to-point link are given to that
+//     link;
+//   - other UDP packets are given to the internal link registered for the destination address, if
+//     any, after the sender's address has been recorded in the packet (setRemoteAddr);
+//   - everything else, including anything that fails to decode, is silently ignored.
+//
+// The same packet buffer is reused until it is handed to a link, at which point a fresh one is
+// obtained from pool. The buffer in hand when the loop ends is returned to pool.
+func (u *udpConnection) receive(pool router.PacketPool) {
+	// Since we do not know the real size of the IP header, we have to plan on it being short; so
+	// our payload doesn't encroach on the headroom space. If the header is longer, then we will
+	// leave more headroom than needed. We don't even know if we're getting v4 or v6. Assume v4.
+	minHeadRoom := ethLen + ipv4Len + udpLen
+
+	// We'll reuse this one until we can deliver it. At which point, we fetch a fresh one.
+	// pool.Reset is much cheaper than pool.Put/Get
+	p := pool.Get()
+
+	for u.running.Load() {
+		var ethLayer layers.Ethernet
+		var arpLayer layers.ARP
+		var icmp6Layer layers.ICMPv6
+		var ipv4Layer layers.IPv4
+		var ipv6Layer layers.IPv6
+		var udpLayer layers.UDP
+		var srcDst fourTuple
+		var srcIPBytes []byte
+		var validIP bool
+
+		// Since it may be recycled...
+		pool.ResetPacket(p)
+
+		data := p.WithHeader(minHeadRoom) // data now maps to where we dump the whole packet
+		_, err := u.afp.ReadPacketDataTo(data)
+		if err != nil {
+			continue
+		}
+
+		// DissectAndShow(data, "Received") // Enabled only if debug logging.
+
+		// Now we need to figure out the real length of the headers and the src addr.
+		if err := ethLayer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+			continue
+		}
+
+		data = ethLayer.LayerPayload() // chop off the eth header
+		switch ethLayer.EthernetType {
+		case layers.EthernetTypeIPv4:
+			if err := ipv4Layer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+				continue
+			}
+			if ipv4Layer.Protocol != layers.IPProtocolUDP {
+				continue
+			}
+			// Retrieve src & dst from the decoded IP layers.
+			srcDst.src.ip, validIP = netip.AddrFromSlice(ipv4Layer.SrcIP)
+			if !validIP {
+				// Not a usable address; drop.
+				continue
+			}
+			srcIPBytes = ipv4Layer.SrcIP
+			srcDst.dst.ip, validIP = netip.AddrFromSlice(ipv4Layer.DstIP)
+			if !validIP {
+				// Not a usable address; drop.
+				continue
+			}
+			data = ipv4Layer.LayerPayload() // chop off the ip header
+		case layers.EthernetTypeIPv6:
+			if err := ipv6Layer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+				continue
+			}
+			// Retrieve src & dst from the decoded IP layers.
+			srcDst.src.ip, validIP = netip.AddrFromSlice(ipv6Layer.SrcIP)
+			if !validIP {
+				// Not a usable address; drop.
+				continue
+			}
+			// This must be the sender's address, exactly as in the IPv4 case: it is what
+			// setRemoteAddr records in packets delivered to an internal link.
+			srcIPBytes = ipv6Layer.SrcIP
+			srcDst.dst.ip, validIP = netip.AddrFromSlice(ipv6Layer.DstIP)
+			if !validIP {
+				// Not a usable address; drop.
+				continue
+			}
+			data = ipv6Layer.LayerPayload() // chop off the ip header
+			if ipv6Layer.NextHeader == layers.IPProtocolICMPv6 {
+				if err := icmp6Layer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err == nil {
+					u.handleV6NDP(&icmp6Layer, srcDst.src.ip, srcDst.dst.ip) // We own the packet.
+				}
+				continue
+			} else if ipv6Layer.NextHeader != layers.IPProtocolUDP {
+				// Not UDP either? Could be extensions. We don't expect any.
+				continue
+			}
+		case layers.EthernetTypeARP:
+			if err := arpLayer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err == nil {
+				u.handleArp(&arpLayer) // We own the packet.
+			}
+			continue
+		default:
+			continue
+		}
+		if err := udpLayer.DecodeFromBytes(data, gopacket.NilDecodeFeedback); err != nil {
+			continue
+		}
+		p.RawPacket = udpLayer.LayerPayload() // chop off the udp header. The rest is SCION.
+
+		// Demultiplex to a link. There is one connection per interface, so they are mostly shared
+		// between links; including the internal link. The internal link catches all remote
+		// addresses that no other link claims.
+		srcDst.src.port = uint16(udpLayer.SrcPort)
+		srcDst.dst.port = uint16(udpLayer.DstPort)
+		if l, found := u.ptpLinks[srcDst]; found {
+			l.receive(p)
+			p = pool.Get() // we need a fresh packet buffer now.
+			continue
+		}
+		if l, found := u.intLinks[srcDst.dst]; found {
+			setRemoteAddr(p, srcIPBytes, srcDst.src.port)
+			l.receive(p)
+			p = pool.Get() // we need a fresh packet buffer now.
+			continue
+		}
+		// Nobody claims this packet: the buffer is simply recycled by the next iteration.
+	}
+	// We have to stop receiving. Return the unused packet to the pool to avoid creating
+	// a leak (the process is not required to exit - e.g. in tests).
+	pool.Put(p)
+}
+
+// readUpTo moves up to n packets from queue into pkts, starting at pkts[0], and returns the number
+// of packets moved. If needsBlocking is true, it waits for the first packet; all other packets
+// are taken only if immediately available. It returns early if the queue is found closed.
+//
+// TODO(jiceatscion): This way of doing things isn't efficient here. The mpktSender API was lifted
+// from brload, where it made more sense than here...simplify by merging most of mpktSender
+// in-here.
+func readUpTo(queue <-chan *router.Packet, n int, needsBlocking bool, pkts []*router.Packet) int {
+	count := 0
+	if needsBlocking {
+		first, open := <-queue
+		if !open {
+			return count
+		}
+		pkts[count] = first
+		count++
+	}
+
+	// Opportunistically grab whatever else is ready, without waiting.
+	for count < n {
+		select {
+		case next, open := <-queue:
+			if !open {
+				return count
+			}
+			pkts[count] = next
+			count++
+		default:
+			return count
+		}
+	}
+	return count
+}
+
+// seropts are the gopacket serialization options shared by this package: length fields are
+// fixed up and checksums are computed at serialization time.
+// NOTE(review): not referenced in this file; presumably used where the underlay headers of
+// outgoing packets are built - confirm.
+var seropts = gopacket.SerializeOptions{
+	FixLengths:       true,
+	ComputeChecksums: true,
+}
+
+// send is the body of the sender task. For as long as the connection is in the running state, it
+// gathers up to batchSize packets from the connection's queue, hands their raw bytes to the
+// multi-packet sender and returns every transmitted packet to pool. Packets that were not
+// transmitted stay at the head of the batch and are retried in the next round; except that when
+// nothing at all could be transmitted, the first packet of the batch is counted as dropped and
+// returned to pool, so a single bad packet cannot block the queue forever.
+func (u *udpConnection) send(batchSize int, pool router.PacketPool) {
+	// We use this somewhat like a ring buffer.
+	pkts := make([]*router.Packet, batchSize)
+
+	// We use this as a temporary container, but allocate it just once
+	// to save on garbage handling. TODO(jiceatscion): should not be needed: modify mmsg.go.
+	msgs := make([][]byte, batchSize)
+	queue := u.queue
+	sender := newMpktSender(u.afp)
+	metrics := u.metrics
+	toWrite := 0
+
+	for u.running.Load() {
+		// Top-up our batch. We block only if nothing is left over from the previous round.
+		toWrite += readUpTo(queue, batchSize-toWrite, toWrite == 0, pkts[toWrite:])
+		if toWrite == 0 {
+			// readUpTo comes back empty-handed from a blocking read only if the queue was closed
+			// (see stop) and is drained. There is nothing to send, and pkts[0] is either nil or a
+			// packet that was already returned to the pool; so the drop logic below must not run.
+			continue
+		}
+
+		// Line the raw packets up for the sender.
+		for i, p := range pkts[:toWrite] {
+			msgs[i] = p.RawPacket
+		}
+		sender.setPkts(msgs[:toWrite])
+		written, _ := sender.sendAll()
+		router.UpdateOutputMetrics(metrics, pkts[:written])
+		for _, p := range pkts[:written] {
+			// DissectAndShow(p.RawPacket, "Successfully Output") // Enabled only if debug logging.
+			pool.Put(p)
+		}
+		if written == 0 {
+			// This happens IFF there is an error and zero packets were sent.
+			// The first packet may have caused it, so, drop it. We'll retry the rest.
+			sc := router.ClassOfSize(len(pkts[0].RawPacket))
+			metrics[sc].DroppedPacketsInvalid.Inc() // Need other drop reason counter
+			pool.Put(pkts[0])
+			written = 1 // At least, not to-be-written any more.
+		}
+		if written != toWrite {
+			// Shift the leftovers to the head of the buffers.
+			toWrite -= written
+			for i := 0; i < toWrite; i++ {
+				pkts[i] = pkts[i+written]
+			}
+		} else {
+			toWrite = 0
+		}
+	}
+}
+
+// makeHashSeed returns a fresh random hash seed: four random bytes folded, with FNV-1a, into the
+// FNV-1a offset basis. Each receive loop is associated with its own hash seed to compute the proc
+// queue where a packet should be delivered. All links that share an underlying connection
+// (therefore a receive loop) use the same hash seed.
+//
+// It panics if the random bytes cannot be obtained.
+func makeHashSeed() uint32 {
+	var entropy [4]byte
+	if _, err := rand.Read(entropy[:]); err != nil {
+		panic("Error while generating random value")
+	}
+
+	seed := router.Fnv1aOffset32
+	for i := range entropy {
+		seed = router.HashFNV1a(seed, entropy[i])
+	}
+	return seed
+}
+
+// newUdpConnection opens a raw socket on the interface intf, by means of connOpener, and wraps it
+// in a udpConnection that has a sending queue of capacity qSize, empty link maps and a fresh hash
+// seed. The connection is returned in the stopped state. If the socket cannot be opened, the
+// opener's error is returned.
+func newUdpConnection(
+	intf net.Interface,
+	qSize int,
+	connOpener ConnOpener,
+	metrics *router.InterfaceMetrics,
+) (*udpConnection, error) {
+	afp, connFilters, err := connOpener.Open(intf.Index)
+	if err != nil {
+		return nil, err
+	}
+
+	// Catering to tests that use a local address (on the loopback interface) which has no mac
+	// address assigned. In that case neighbor address resolution isn't needed and doesn't work.
+	// The neighbors cache dumbs itself down accordingly.
+	localMAC := intf.HardwareAddr
+	hasNoMAC := len(localMAC) == 0 ||
+		slices.Equal(localMAC, net.HardwareAddr{0, 0, 0, 0, 0, 0})
+	if hasNoMAC {
+		localMAC = zeroMacAddr[:]
+	}
+
+	c := &udpConnection{
+		name:         intf.Name,
+		localMAC:     localMAC,
+		afp:          afp,
+		connFilters:  connFilters,
+		queue:        make(chan *router.Packet, qSize),
+		metrics:      metrics,
+		seed:         makeHashSeed(),
+		ptpLinks:     make(map[fourTuple]udpLink),
+		intLinks:     make(map[addrPort]udpLink),
+		receiverDone: make(chan struct{}),
+		senderDone:   make(chan struct{}),
+	}
+	return c, nil
+}
diff --git a/router/underlayproviders/udpip/BUILD.bazel b/router/underlayproviders/udpip/BUILD.bazel
index 0c3a362b2c..3106c5b677 100644
--- a/router/underlayproviders/udpip/BUILD.bazel
+++ b/router/underlayproviders/udpip/BUILD.bazel
@@ -3,10 +3,7 @@ load("//tools:go.bzl", "go_test")
 
 go_library(
     name = "go_default_library",
-    srcs = [
-        "fnv1acheap.go",
-        "udpip.go",
-    ],
+    srcs = ["udpip.go"],
     importpath = "github.com/scionproto/scion/router/underlayproviders/udpip",
     visibility = ["//visibility:public"],
     deps = [
@@ -32,6 +29,7 @@ go_test(
         "//pkg/slayers:go_default_library",
         "//pkg/slayers/path:go_default_library",
         "//pkg/slayers/path/scion:go_default_library",
+        "//router:go_default_library",
         "@com_github_gopacket_gopacket//:go_default_library",
         "@com_github_stretchr_testify//assert:go_default_library",
         "@com_github_stretchr_testify//require:go_default_library",
diff --git a/router/underlayproviders/udpip/udpip.go b/router/underlayproviders/udpip/udpip.go
index e5730093f1..15bc7a501a 100644
--- a/router/underlayproviders/udpip/udpip.go
+++ b/router/underlayproviders/udpip/udpip.go
@@ -68,11 +68,11 @@ func (uo) UDPCanReuseLocal() bool {
 	return conn.UDPCanReuseLocal()
 }
 
-// provider implements UnderlayProvider by making and returning Udp/Ip links.
+// underlay implements Underlay by making and returning Udp/Ip links.
 //
 // This is currently the only implementation. The goal of splitting out this code from the router
 // is to enable other implementations.
-type provider struct {
+type underlay struct {
 	mu                 sync.Mutex // Prevents race between adding connections and Start/Stop.
 	batchSize          int
 	allLinks           map[netip.AddrPort]udpLink
@@ -96,16 +96,22 @@ type udpLink interface {
 }
 
 func init() {
-	// Register ourselves as an underlay provider. The registration consists of a constructor, not
+	// Register ourselves as an underlay provider. The registration consists of a factory, not
 	// a provider object, because multiple router instances each must have their own underlay
 	// provider. The provider is not re-entrant.
-	router.AddUnderlay("udpip", newProvider)
+	router.AddUnderlayProvider("udpip:inet", underlayProvider{})
 }
 
+type underlayProvider struct{}
+
 // New instantiates a new instance of the provider for exclusive use by the caller.
 // TODO(multi_underlay): batchSize should be an underlay-specific config.
-func newProvider(batchSize int, receiveBufferSize int, sendBufferSize int) router.UnderlayProvider {
-	return &provider{
+func (underlayProvider) New(
+	batchSize int,
+	receiveBufferSize int,
+	sendBufferSize int,
+) router.Underlay {
+	return &underlay{
 		batchSize:         batchSize,
 		allLinks:          make(map[netip.AddrPort]udpLink),
 		connOpener:        uo{},
@@ -117,30 +123,30 @@ func newProvider(batchSize int, receiveBufferSize int, sendBufferSize int) route
 
 // SetConnOpener installs the given opener. opener must be an implementation of ConnOpener or
 // panic will ensue. Only for use in unit tests.
-func (u *provider) SetConnOpener(opener any) {
+func (u *underlay) SetConnOpener(opener any) {
 	u.connOpener = opener.(ConnOpener)
 }
 
-func (u *provider) NumConnections() int {
+func (u *underlay) NumConnections() int {
 	u.mu.Lock()
 	defer u.mu.Unlock()
 	return len(u.allLinks)
 }
 
-func (u *provider) Headroom() int {
+func (u *underlay) Headroom() int {
 	// This underlay does not add any header of its own: the UDP socket API manages the header
 	// independently.
 	return 0
 }
 
-func (u *provider) SetDispatchPorts(start, end, redirect uint16) {
+func (u *underlay) SetDispatchPorts(start, end, redirect uint16) {
 	u.dispatchStart = start
 	u.dispatchEnd = end
 	u.dispatchRedirect = redirect
 }
 
 // AddSvc adds the address for the given service.
-func (u *provider) AddSvc(svc addr.SVC, host addr.Host, port uint16) error {
+func (u *underlay) AddSvc(svc addr.SVC, host addr.Host, port uint16) error {
 	// We pre-resolve the addresses, which is trivial for this underlay.
 	addr := netip.AddrPortFrom(host.IP(), port)
 	if !addr.IsValid() {
@@ -151,7 +157,7 @@ func (u *provider) AddSvc(svc addr.SVC, host addr.Host, port uint16) error {
 }
 
 // DelSvc deletes the address for the given service.
-func (u *provider) DelSvc(svc addr.SVC, host addr.Host, port uint16) error {
+func (u *underlay) DelSvc(svc addr.SVC, host addr.Host, port uint16) error {
 	addr := netip.AddrPortFrom(host.IP(), port)
 	if !addr.IsValid() {
 		return errInvalidServiceAddress
@@ -162,7 +168,7 @@ func (u *provider) DelSvc(svc addr.SVC, host addr.Host, port uint16) error {
 
 // The queues to be used by the receiver task are supplied at this point because they must be
 // sized according to the number of connections that will be started.
-func (u *provider) Start(
+func (u *underlay) Start(
 	ctx context.Context, pool router.PacketPool, procQs []chan *router.Packet,
 ) {
 	u.mu.Lock()
@@ -184,7 +190,7 @@ func (u *provider) Start(
 	}
 }
 
-func (u *provider) Stop() {
+func (u *underlay) Stop() {
 	u.mu.Lock()
 	connSnapshot := slices.Clone(u.allConnections)
 	linkSnapshot := slices.Collect(maps.Values(u.allLinks))
@@ -389,10 +395,11 @@ func (u *udpConnection) send(batchSize int, pool router.PacketPool) {
 			sc := router.ClassOfSize(len(pkts[written].RawPacket))
 			metrics[sc].DroppedPacketsInvalid.Inc()
 			pool.Put(pkts[written])
-			toWrite -= (written + 1)
+			written++ // Not to-be-written any more
+			toWrite -= written
 			// Shift the leftovers to the head of the buffers.
 			for i := 0; i < toWrite; i++ {
-				pkts[i] = pkts[i+written+1]
+				pkts[i] = pkts[i+written]
 			}
 		} else {
 			toWrite = 0
@@ -405,13 +412,13 @@ func (u *udpConnection) send(batchSize int, pool router.PacketPool) {
 // the proc queue where a packet should be delivered. All links that share
 // an underlying connection (therefore a receive loop) use the same hash seed.
 func makeHashSeed() uint32 {
-	hashSeed := fnv1aOffset32
+	hashSeed := router.Fnv1aOffset32
 	randomBytes := make([]byte, 4)
 	if _, err := rand.Read(randomBytes); err != nil {
 		panic("Error while generating random value")
 	}
 	for _, c := range randomBytes {
-		hashSeed = hashFNV1a(hashSeed, c)
+		hashSeed = router.HashFNV1a(hashSeed, c)
 	}
 	return hashSeed
 }
@@ -433,11 +440,12 @@ type connectedLink struct {
 
 // NewExternalLink returns an external link over the UDP/IP underlay. It is always implemented with
 // a connectedLink.
-func (u *provider) NewExternalLink(
+func (u *underlay) NewExternalLink(
 	qSize int,
 	bfd *bfd.Session,
 	local string,
 	remote string,
+	_ string, // this underlay provider doesn't have link options
 	ifID uint16,
 	metrics *router.InterfaceMetrics,
 ) (router.Link, error) {
@@ -461,7 +469,7 @@ func (u *provider) NewExternalLink(
 	return u.newConnectedLink(qSize, bfd, localAddr, remoteAddr, ifID, metrics, router.External)
 }
 
-func (u *provider) newConnectedLink(
+func (u *underlay) newConnectedLink(
 	qSize int,
 	bfd *bfd.Session,
 	localAddr netip.AddrPort,
@@ -554,15 +562,18 @@ func (l *connectedLink) Resolve(p *router.Packet, host addr.Host, port uint16) e
 	return errResolveOnExternalLink
 }
 
-func (l *connectedLink) Send(p *router.Packet) bool {
+func (l *connectedLink) Send(p *router.Packet) {
 	select {
 	case l.egressQ <- p:
 	default:
-		return false
+		sc := router.ClassOfSize(len(p.RawPacket))
+		l.metrics[sc].DroppedPacketsBusyForwarder[p.TrafficType].Inc() // Need other drop cause.
+		l.pool.Put(p)
 	}
-	return true
 }
 
+// Only tests actually use this method, but since we have to have it, we might as well implement it
+// ~correctly. Doesn't hurt.
 func (l *connectedLink) SendBlocking(p *router.Packet) {
 	// We use a bound and connected socket so we don't need to specify the destination.
 	l.egressQ <- p
@@ -612,11 +623,12 @@ type detachedLink struct {
 // We de-duplicate sibling links. The router gives us a BFDSession in all cases and we might throw
 // it away (there are no persistent resources attached to it). This could be fixed by moving some
 // BFD related code in-here.
-func (u *provider) NewSiblingLink(
+func (u *underlay) NewSiblingLink(
 	qSize int,
 	bfd *bfd.Session,
 	local string,
 	remote string,
+	_ string, // this underlay provider doesn't have link options
 	metrics *router.InterfaceMetrics,
 ) (router.Link, error) {
 	localAddr, err := conn.ResolveAddrPortOrPort(local)
@@ -645,7 +657,7 @@ func (u *provider) NewSiblingLink(
 	return u.newDetachedLink(bfd, remoteAddr, metrics)
 }
 
-func (u *provider) newDetachedLink(
+func (u *underlay) newDetachedLink(
 	bfd *bfd.Session,
 	remoteAddr netip.AddrPort,
 	metrics *router.InterfaceMetrics,
@@ -723,7 +735,7 @@ func (l *detachedLink) Resolve(p *router.Packet, host addr.Host, port uint16) er
 	return errResolveOnSiblingLink
 }
 
-func (l *detachedLink) Send(p *router.Packet) bool {
+func (l *detachedLink) Send(p *router.Packet) {
 	// We use an unbound connection but we offer a connection-oriented service. So, we need to
 	// supply the packet's destination address. Trying to reuse the packet's RemoteAddress storage
 	// is pointless: if we loan l.remote we avoid a copy and still discard at most one address. This
@@ -732,11 +744,14 @@ func (l *detachedLink) Send(p *router.Packet) bool {
 	select {
 	case l.egressQ <- p:
 	default:
-		return false
+		sc := router.ClassOfSize(len(p.RawPacket))
+		l.metrics[sc].DroppedPacketsBusyForwarder[p.TrafficType].Inc() // Need other drop cause.
+		l.pool.Put(p)
 	}
-	return true
 }
 
+// Only tests actually use this method, but since we have to have it, we might as well implement it
+// ~correctly. Doesn't hurt.
 func (l *detachedLink) SendBlocking(p *router.Packet) {
 	// Same as Send(). We must supply the destination address.
 	p.RemoteAddr = unsafe.Pointer(l.remote)
@@ -783,7 +798,7 @@ type internalLink struct {
 //
 // TODO(multi_underlay): We still go with the assumption that internal links are always
 // udpip, so we don't expect a string here. That should change.
-func (u *provider) NewInternalLink(
+func (u *underlay) NewInternalLink(
 	local string, qSize int, metrics *router.InterfaceMetrics,
 ) (router.Link, error) {
 	u.mu.Lock()
@@ -901,14 +916,15 @@ func (l *internalLink) Resolve(p *router.Packet, dst addr.Host, port uint16) err
 		panic(fmt.Sprintf("unexpected address type returned from DstAddr: %s", dst.Type()))
 	}
 	// if port is outside the configured port range we send to the fixed port.
-	if port < l.dispatchStart && port > l.dispatchEnd {
+	if port < l.dispatchStart || port > l.dispatchEnd {
 		port = l.dispatchRedirect
 	}
 
 	// Packets that get here must have come from an external or a sibling link; neither of which
 	// attach a RemoteAddr to the packet (besides; it could be a different type).  So, RemoteAddr is
 	// not generally usable. We must allocate a new object. The precautions needed to pool them cost
-	// more than the pool saves (verified experimentally).
+	// more than the pool saves (verified experimentally). We should do like the afpacket underlay
+	// and store the bits at the head of the packet buffer instead.
 	p.RemoteAddr = unsafe.Pointer(&net.UDPAddr{
 		IP:   dstAddr.AsSlice(),
 		Zone: dstAddr.Zone(),
@@ -917,18 +933,21 @@ func (l *internalLink) Resolve(p *router.Packet, dst addr.Host, port uint16) err
 	return nil
 }
 
-// The packet's destination is already in the packet's meta-data.
-func (l *internalLink) Send(p *router.Packet) bool {
+func (l *internalLink) Send(p *router.Packet) {
+	// The packet's destination is in the packet's meta-data.
 	select {
 	case l.egressQ <- p:
 	default:
-		return false
+		sc := router.ClassOfSize(len(p.RawPacket))
+		l.metrics[sc].DroppedPacketsBusyForwarder[p.TrafficType].Inc() // Need other drop cause.
+		l.pool.Put(p)
 	}
-	return true
 }
 
-// The packet's destination is already in the packet's meta-data.
+// Only tests actually use this method, but since we have to have it, we might as well implement it
+// ~correctly. Doesn't hurt.
 func (l *internalLink) SendBlocking(p *router.Packet) {
+	// The packet's destination is in the packet's meta-data.
 	l.egressQ <- p
 }
 
@@ -976,14 +995,14 @@ func computeProcID(data []byte, numProcRoutines int, hashSeed uint32) (uint32, e
 	s := hashSeed
 
 	// inject the flowID
-	s = hashFNV1a(s, data[1]&0xF) // The left 4 bits aren't part of the flowID.
+	s = router.HashFNV1a(s, data[1]&0xF) // The left 4 bits aren't part of the flowID.
 	for _, c := range data[2:4] {
-		s = hashFNV1a(s, c)
+		s = router.HashFNV1a(s, c)
 	}
 
 	// Inject the src/dst addresses
 	for _, c := range data[slayers.CmnHdrLen : slayers.CmnHdrLen+addrHdrLen] {
-		s = hashFNV1a(s, c)
+		s = router.HashFNV1a(s, c)
 	}
 
 	return s % uint32(numProcRoutines), nil
diff --git a/router/underlayproviders/udpip/udpip_test.go b/router/underlayproviders/udpip/udpip_test.go
index a0594c3a7b..db8cfdc781 100644
--- a/router/underlayproviders/udpip/udpip_test.go
+++ b/router/underlayproviders/udpip/udpip_test.go
@@ -34,6 +34,7 @@ import (
 	"github.com/scionproto/scion/pkg/slayers"
 	"github.com/scionproto/scion/pkg/slayers/path"
 	"github.com/scionproto/scion/pkg/slayers/path/scion"
+	"github.com/scionproto/scion/router"
 )
 
 var (
@@ -90,9 +91,9 @@ func TestComputeProcId(t *testing.T) {
 
 	// ComputeProcID expects the per-receiver random number to be pre-hashed into the seed that we
 	// pass.
-	hashSeed := fnv1aOffset32
+	hashSeed := router.Fnv1aOffset32
 	for _, c := range randomValueBytes {
-		hashSeed = hashFNV1a(hashSeed, c)
+		hashSeed = router.HashFNV1a(hashSeed, c)
 	}
 
 	// this function returns the procID as we expect it by using the  slayers.SCION serialization
diff --git a/scion.sh b/scion.sh
index bd9768954c..7a002a032f 100755
--- a/scion.sh
+++ b/scion.sh
@@ -86,11 +86,21 @@ cmd_mstart() {
 }
 
 run_setup() {
+    # The raw-socket implementation of the SCION router cannot work on the loopback device if the
+    # kernel isn't willing to ingest packets sent to that device.
+    loopdev=$(ip addr show to 127.0.0.1 | cut -d' ' -f 2 -s | cut -d':' -f 1 -s)
+    sysctl net.ipv4.conf.${loopdev}.accept_local net.ipv4.conf.${loopdev}.route_localnet \
+    > gen/lo.conf
+    (echo "net.ipv4.conf.${loopdev}.accept_local = 1";\
+     echo "net.ipv4.conf.${loopdev}.route_localnet = 1") | sudo sysctl -p-
     tools/set_ipv6_addr.py -a
 }
 
 run_teardown() {
     tools/set_ipv6_addr.py -d
+    if [ -f gen/lo.conf ]; then
+	sudo sysctl -p gen/lo.conf
+    fi
 }
 
 stop_scion() {
diff --git a/scion/ping/ping.go b/scion/ping/ping.go
index 122b9bc3c7..86ccaf3cee 100644
--- a/scion/ping/ping.go
+++ b/scion/ping/ping.go
@@ -199,15 +199,21 @@ func (p *pinger) Ping(
 
 	var wg sync.WaitGroup
 	wg.Add(1)
-
 	go func() {
 		defer log.HandlePanic()
 		defer wg.Done()
-		for i := uint16(0); i < p.attempts; i++ {
+
+		i := p.attempts
+		for {
 			if err := p.send(remote, dPath, nextHop); err != nil {
 				errSend <- serrors.Wrap("sending", err)
 				return
 			}
+			i--
+			if i == 0 {
+				// Don't wait for the tick after we're done.
+				break
+			}
 			select {
 			case <-send.C:
 			case <-ctx.Done():
@@ -233,6 +239,7 @@ func (p *pinger) Ping(
 			p.receive(reply)
 		}
 	}
+
 	wg.Wait()
 	return p.stats, nil
 }
diff --git a/tools/braccept/cases/bfd.go b/tools/braccept/cases/bfd.go
index 4489639dc4..21dab696ac 100644
--- a/tools/braccept/cases/bfd.go
+++ b/tools/braccept/cases/bfd.go
@@ -153,6 +153,8 @@ func ExternalBFD(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:              "ExternalBFD",
 		WriteTo:           "veth_131_host",
 		ReadFrom:          "veth_131_host",
+		LocalMAC:          ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:           ip.DstIP,        // Recipient of the "want packet".
 		Input:             input.Bytes(),
 		Want:              want.Bytes(),
 		StoreDir:          filepath.Join(artifactsDir, "ExternalBFD"),
@@ -247,6 +249,8 @@ func InternalBFD(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:              "InternalBFD",
 		WriteTo:           "veth_int_host",
 		ReadFrom:          "veth_int_host",
+		LocalMAC:          ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:           ip.DstIP,        // Recipient of the "want packet".
 		Input:             input.Bytes(),
 		Want:              want.Bytes(),
 		StoreDir:          filepath.Join(artifactsDir, "InternalBFD"),
diff --git a/tools/braccept/cases/child_to_child_xover.go b/tools/braccept/cases/child_to_child_xover.go
index eefbca4617..38e0c88f0d 100644
--- a/tools/braccept/cases/child_to_child_xover.go
+++ b/tools/braccept/cases/child_to_child_xover.go
@@ -155,6 +155,8 @@ func ChildToChildXover(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "ChildToChildXover",
 		WriteTo:  "veth_151_host",
 		ReadFrom: "veth_141_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "ChildToChildXover"),
diff --git a/tools/braccept/cases/child_to_internal.go b/tools/braccept/cases/child_to_internal.go
index 8b417e18e5..82c7cfc49e 100644
--- a/tools/braccept/cases/child_to_internal.go
+++ b/tools/braccept/cases/child_to_internal.go
@@ -143,6 +143,8 @@ func ChildToInternalHost(
 		Name:     "ChildToInternalHost",
 		WriteTo:  "veth_141_host",
 		ReadFrom: "veth_int_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "ChildToInternalHost"),
@@ -253,6 +255,8 @@ func ChildToInternalHostShortcut(
 		Name:     "ChildToInternalHostShortcut",
 		WriteTo:  "veth_141_host",
 		ReadFrom: "veth_int_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "ChildToInternalHostShortcut"),
@@ -371,6 +375,8 @@ func ChildToInternalParent(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "ChildToInternalParent",
 		WriteTo:  "veth_141_host",
 		ReadFrom: "veth_int_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "ChildToInternalParent"),
diff --git a/tools/braccept/cases/child_to_parent.go b/tools/braccept/cases/child_to_parent.go
index ccb8c5f46c..8137b75ce2 100644
--- a/tools/braccept/cases/child_to_parent.go
+++ b/tools/braccept/cases/child_to_parent.go
@@ -152,6 +152,8 @@ func ChildToParent(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "ChildToParent",
 		WriteTo:  "veth_141_host",
 		ReadFrom: "veth_131_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "ChildToParent"),
diff --git a/tools/braccept/cases/child_to_peer.go b/tools/braccept/cases/child_to_peer.go
index 6bd584985e..da17091eb4 100644
--- a/tools/braccept/cases/child_to_peer.go
+++ b/tools/braccept/cases/child_to_peer.go
@@ -188,6 +188,8 @@ func ChildToPeer(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "ChildToChildPeeringOut",
 		WriteTo:  "veth_151_host", // Where we inject the test packet
 		ReadFrom: "veth_121_host", // Where we capture the forwarded packet
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "ChildToChildXover"),
diff --git a/tools/braccept/cases/internal_to_child.go b/tools/braccept/cases/internal_to_child.go
index bddc9a4d80..c84a833d01 100644
--- a/tools/braccept/cases/internal_to_child.go
+++ b/tools/braccept/cases/internal_to_child.go
@@ -148,6 +148,8 @@ func InternalHostToChild(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "InternalHostToChild",
 		WriteTo:  "veth_int_host",
 		ReadFrom: "veth_141_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "InternalHostToChild"),
@@ -274,6 +276,8 @@ func InternalParentToChild(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "InternalParentToChild",
 		WriteTo:  "veth_int_host",
 		ReadFrom: "veth_141_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "InternalParentToChild"),
@@ -379,6 +383,8 @@ func InvalidSrcInternalParentToChild(artifactsDir string, mac hash.Hash) runner.
 		Name:     "InvalidSrcInternalParentToChild",
 		WriteTo:  "veth_int_host",
 		ReadFrom: "no_pkt_expected",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     nil,
 		StoreDir: filepath.Join(artifactsDir, "InvalidSrcInternalParentToChild"),
diff --git a/tools/braccept/cases/jumbo.go b/tools/braccept/cases/jumbo.go
index 5b3a140316..c77d038486 100644
--- a/tools/braccept/cases/jumbo.go
+++ b/tools/braccept/cases/jumbo.go
@@ -156,6 +156,8 @@ func JumboPacket(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "JumboPacket",
 		WriteTo:  "veth_131_host",
 		ReadFrom: "veth_141_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "JumboPacket"),
diff --git a/tools/braccept/cases/malformed_path.go b/tools/braccept/cases/malformed_path.go
index 383264709c..9cd70110ad 100644
--- a/tools/braccept/cases/malformed_path.go
+++ b/tools/braccept/cases/malformed_path.go
@@ -145,6 +145,8 @@ func MalformedPathSingletonSegment(artifactsDir string, mac hash.Hash) runner.Ca
 		Name:     "MalformedPathSingletonSegment",
 		WriteTo:  "veth_151_host",
 		ReadFrom: "no_pkt_expected",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     nil,
 		StoreDir: filepath.Join(artifactsDir, "MalformedPathSingletonSegment"),
@@ -252,6 +254,8 @@ func MalformedPathCurrHFNotInCurrINF(artifactsDir string, mac hash.Hash) runner.
 		Name:     "MalformedPathCurrHFNotInCurrINF",
 		WriteTo:  "veth_131_host",
 		ReadFrom: "no_pkt_expected",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     nil,
 		StoreDir: filepath.Join(artifactsDir, "MalformedPathCurrHFNotInCurrINF"),
diff --git a/tools/braccept/cases/onehop.go b/tools/braccept/cases/onehop.go
index 29216eb3ed..fe9d1c9fa0 100644
--- a/tools/braccept/cases/onehop.go
+++ b/tools/braccept/cases/onehop.go
@@ -125,6 +125,8 @@ func IncomingOneHop(
 		Name:     "IncomingOneHop",
 		WriteTo:  "veth_131_host",
 		ReadFrom: "veth_int_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "IncomingOneHop"),
@@ -218,6 +220,8 @@ func OutgoingOneHop(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "OutgoingOneHop",
 		WriteTo:  "veth_int_host",
 		ReadFrom: "veth_141_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "OutgoingOneHop"),
diff --git a/tools/braccept/cases/parent_to_child.go b/tools/braccept/cases/parent_to_child.go
index cbb52e1544..70f7721893 100644
--- a/tools/braccept/cases/parent_to_child.go
+++ b/tools/braccept/cases/parent_to_child.go
@@ -152,6 +152,8 @@ func ParentToChild(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "ParentToChild",
 		WriteTo:  "veth_131_host",
 		ReadFrom: "veth_141_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "ParentToChild"),
diff --git a/tools/braccept/cases/parent_to_internal.go b/tools/braccept/cases/parent_to_internal.go
index c0dca32309..2154d12951 100644
--- a/tools/braccept/cases/parent_to_internal.go
+++ b/tools/braccept/cases/parent_to_internal.go
@@ -135,6 +135,8 @@ func ParentToInternalHost(
 		Name:     "ParentToInternalHost",
 		WriteTo:  "veth_131_host",
 		ReadFrom: "veth_int_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "ParentToInternalHost"),
@@ -253,6 +255,8 @@ func ParentToInternalHostMultiSegment(
 		Name:     "ParentToInternalHostMultiSegment",
 		WriteTo:  "veth_131_host",
 		ReadFrom: "veth_int_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "ParentToInternalHostMultiSegment"),
diff --git a/tools/braccept/cases/peer_to_child.go b/tools/braccept/cases/peer_to_child.go
index 53507a311f..0836f0053c 100644
--- a/tools/braccept/cases/peer_to_child.go
+++ b/tools/braccept/cases/peer_to_child.go
@@ -186,6 +186,8 @@ func PeerToChild(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "ChildToChildPeeringTransit",
 		WriteTo:  "veth_121_host", // Where we inject the test packet
 		ReadFrom: "veth_151_host", // Where we capture the forwarded packet
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "ChildToChildXover"),
diff --git a/tools/braccept/cases/scmp_dest_unreachable.go b/tools/braccept/cases/scmp_dest_unreachable.go
index 8d96deb50d..39157d8c02 100644
--- a/tools/braccept/cases/scmp_dest_unreachable.go
+++ b/tools/braccept/cases/scmp_dest_unreachable.go
@@ -170,6 +170,8 @@ func SCMPDestinationUnreachable(artifactsDir string, mac hash.Hash) runner.Case
 		Name:            "SCMPDestinationUnreachable",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPDestinationUnreachable"),
diff --git a/tools/braccept/cases/scmp_expired_hop.go b/tools/braccept/cases/scmp_expired_hop.go
index 2c125d2b7c..af629f8a28 100644
--- a/tools/braccept/cases/scmp_expired_hop.go
+++ b/tools/braccept/cases/scmp_expired_hop.go
@@ -184,6 +184,8 @@ func SCMPExpiredHop(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPExpiredHop",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPExpiredHop"),
@@ -363,6 +365,8 @@ func SCMPExpiredHopAfterXover(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPExpiredHopAfterXover",
 		WriteTo:         "veth_151_host",
 		ReadFrom:        "veth_151_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPExpiredHopAfterXover"),
@@ -539,6 +543,8 @@ func SCMPExpiredHopAfterXoverConsDir(artifactsDir string, mac hash.Hash) runner.
 		Name:            "SCMPExpiredHopAfterXoverConsDir",
 		WriteTo:         "veth_151_host",
 		ReadFrom:        "veth_151_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPExpiredHopAfterXoverConsDir"),
@@ -709,6 +715,8 @@ func SCMPExpiredHopAfterXoverInternal(artifactsDir string, mac hash.Hash) runner
 		Name:            "SCMPExpiredHopAfterXoverInternal",
 		WriteTo:         "veth_int_host",
 		ReadFrom:        "veth_int_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPExpiredHopAfterXoverInternal"),
@@ -880,6 +888,8 @@ func SCMPExpiredHopAfterXoverInternalConsDir(
 		Name:     "SCMPExpiredHopAfterXoverInternalConsDir",
 		WriteTo:  "veth_int_host",
 		ReadFrom: "veth_int_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(
diff --git a/tools/braccept/cases/scmp_invalid_hop.go b/tools/braccept/cases/scmp_invalid_hop.go
index 13f6eb20e9..ac91695987 100644
--- a/tools/braccept/cases/scmp_invalid_hop.go
+++ b/tools/braccept/cases/scmp_invalid_hop.go
@@ -185,6 +185,8 @@ func SCMPInvalidHopParentToParent(artifactsDir string, mac hash.Hash) runner.Cas
 		Name:            "SCMPInvalidHopParentToParent",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPInvalidHopParentToParent"),
@@ -346,6 +348,8 @@ func SCMPInvalidHopChildToChild(artifactsDir string, mac hash.Hash) runner.Case
 		Name:            "SCMPInvalidHopChildToChild",
 		WriteTo:         "veth_141_host",
 		ReadFrom:        "veth_141_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPInvalidHopChildToChild"),
diff --git a/tools/braccept/cases/scmp_invalid_ia.go b/tools/braccept/cases/scmp_invalid_ia.go
index d29274a2ce..3eb77a26cf 100644
--- a/tools/braccept/cases/scmp_invalid_ia.go
+++ b/tools/braccept/cases/scmp_invalid_ia.go
@@ -171,6 +171,8 @@ func SCMPInvalidSrcIAInternalHostToChild(artifactsDir string, mac hash.Hash) run
 		Name:            "SCMPInvalidSrcIAInternalHostToChild",
 		WriteTo:         "veth_int_host",
 		ReadFrom:        "veth_int_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPInvalidSrcIAInternalHostToChild"),
@@ -318,6 +320,8 @@ func SCMPInvalidDstIAInternalHostToChild(artifactsDir string, mac hash.Hash) run
 		Name:            "SCMPInvalidDstIAInternalHostToChild",
 		WriteTo:         "veth_int_host",
 		ReadFrom:        "veth_int_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPInvalidDstIAInternalHostToChild"),
@@ -474,6 +478,8 @@ func SCMPInvalidSrcIAChildToParent(artifactsDir string, mac hash.Hash) runner.Ca
 		Name:            "SCMPInvalidSrcIAChildToParent",
 		WriteTo:         "veth_141_host",
 		ReadFrom:        "veth_141_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPInvalidSrcIAChildToParent"),
@@ -630,6 +636,8 @@ func SCMPInvalidDstIAChildToParent(artifactsDir string, mac hash.Hash) runner.Ca
 		Name:            "SCMPInvalidDstIAChildToParent",
 		WriteTo:         "veth_141_host",
 		ReadFrom:        "veth_141_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPInvalidDstIAChildToParent"),
diff --git a/tools/braccept/cases/scmp_invalid_mac.go b/tools/braccept/cases/scmp_invalid_mac.go
index bc5de2b8a5..40d2a10a88 100644
--- a/tools/braccept/cases/scmp_invalid_mac.go
+++ b/tools/braccept/cases/scmp_invalid_mac.go
@@ -182,6 +182,8 @@ func SCMPBadMAC(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPBadMAC",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPBadMAC"),
@@ -334,6 +336,8 @@ func SCMPBadMACInternal(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPBadMACInternal",
 		WriteTo:         "veth_int_host",
 		ReadFrom:        "veth_int_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPBadMACInternal"),
diff --git a/tools/braccept/cases/scmp_invalid_pkt.go b/tools/braccept/cases/scmp_invalid_pkt.go
index d5e9b24e59..c43f4859b1 100644
--- a/tools/braccept/cases/scmp_invalid_pkt.go
+++ b/tools/braccept/cases/scmp_invalid_pkt.go
@@ -176,6 +176,8 @@ func SCMPBadPktLen(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPBadPktLen",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPBadPktLen"),
@@ -338,6 +340,8 @@ func SCMPQuoteCut(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPQuoteCut",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPQuoteCut"),
@@ -450,6 +454,8 @@ func NoSCMPReplyForSCMPError(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "NoSCMPReplyForSCMPError",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "no_pkt_expected",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            nil,
 		StoreDir:        filepath.Join(artifactsDir, "NoSCMPReplyForSCMPError"),
diff --git a/tools/braccept/cases/scmp_invalid_segment_change.go b/tools/braccept/cases/scmp_invalid_segment_change.go
index 917eb307c7..12420403eb 100644
--- a/tools/braccept/cases/scmp_invalid_segment_change.go
+++ b/tools/braccept/cases/scmp_invalid_segment_change.go
@@ -199,6 +199,8 @@ func SCMPParentToParentXover(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPParentToParentXover",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPParentToParentXover"),
@@ -375,6 +377,8 @@ func SCMPParentToChildXover(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPParentToChildXover",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPParentToChildXover"),
@@ -553,6 +557,8 @@ func SCMPChildToParentXover(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPChildToParentXover",
 		WriteTo:         "veth_141_host",
 		ReadFrom:        "veth_141_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPChildToParentXover"),
@@ -728,6 +734,8 @@ func SCMPInternalXover(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPInternalXover",
 		WriteTo:         "veth_int_host",
 		ReadFrom:        "veth_int_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPInternalXover"),
diff --git a/tools/braccept/cases/scmp_invalid_segment_change_local.go b/tools/braccept/cases/scmp_invalid_segment_change_local.go
index 4fcd5ecbc1..730680ebc2 100644
--- a/tools/braccept/cases/scmp_invalid_segment_change_local.go
+++ b/tools/braccept/cases/scmp_invalid_segment_change_local.go
@@ -199,6 +199,8 @@ func SCMPParentToParentLocalXover(artifactsDir string, mac hash.Hash) runner.Cas
 		Name:            "SCMPParentToParentLocalXover",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPParentToParentLocalXover"),
@@ -375,6 +377,8 @@ func SCMPParentToChildLocalXover(artifactsDir string, mac hash.Hash) runner.Case
 		Name:            "SCMPParentToChildLocalXover",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPParentToChildLocalXover"),
@@ -553,6 +557,8 @@ func SCMPChildToParentLocalXover(artifactsDir string, mac hash.Hash) runner.Case
 		Name:            "SCMPChildToParentLocalXover",
 		WriteTo:         "veth_141_host",
 		ReadFrom:        "veth_141_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPChildToParentLocalXover"),
diff --git a/tools/braccept/cases/scmp_traceroute.go b/tools/braccept/cases/scmp_traceroute.go
index d2addabf0c..3aa83dad9d 100644
--- a/tools/braccept/cases/scmp_traceroute.go
+++ b/tools/braccept/cases/scmp_traceroute.go
@@ -168,6 +168,8 @@ func SCMPTracerouteIngress(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "SCMPTracerouteIngress",
 		WriteTo:  "veth_141_host",
 		ReadFrom: "veth_141_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "SCMPTracerouteIngress"),
@@ -385,6 +387,8 @@ func SCMPTracerouteIngressWithSPAO(artifactsDir string, mac hash.Hash) runner.Ca
 		Name:            "SCMPTracerouteIngressWithSPAO",
 		WriteTo:         "veth_141_host",
 		ReadFrom:        "veth_141_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPTracerouteIngressWithSPAO"),
@@ -530,6 +534,8 @@ func SCMPTracerouteIngressConsDir(artifactsDir string, mac hash.Hash) runner.Cas
 		Name:     "SCMPTracerouteIngressConsDir",
 		WriteTo:  "veth_131_host",
 		ReadFrom: "veth_131_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "SCMPTracerouteIngressConsDir"),
@@ -670,6 +676,8 @@ func SCMPTracerouteEgress(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "SCMPTracerouteEgress",
 		WriteTo:  "veth_141_host",
 		ReadFrom: "veth_141_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "SCMPTracerouteEgress"),
@@ -814,6 +822,8 @@ func SCMPTracerouteEgressConsDir(artifactsDir string, mac hash.Hash) runner.Case
 		Name:     "SCMPTracerouteEgressConsDir",
 		WriteTo:  "veth_131_host",
 		ReadFrom: "veth_131_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "SCMPTracerouteEgressConsDir"),
@@ -972,6 +982,8 @@ func SCMPTracerouteEgressAfterXover(artifactsDir string, mac hash.Hash) runner.C
 		Name:     "SCMPTracerouteEgressAfterXover",
 		WriteTo:  "veth_int_host",
 		ReadFrom: "veth_int_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "SCMPTracerouteEgressAfterXover"),
@@ -1106,6 +1118,8 @@ func SCMPTracerouteInternal(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "SCMPTracerouteInternal",
 		WriteTo:  "veth_int_host",
 		ReadFrom: "veth_int_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "SCMPTracerouteInternal"),
diff --git a/tools/braccept/cases/scmp_unknown_hop.go b/tools/braccept/cases/scmp_unknown_hop.go
index 925049f741..533cf23145 100644
--- a/tools/braccept/cases/scmp_unknown_hop.go
+++ b/tools/braccept/cases/scmp_unknown_hop.go
@@ -183,6 +183,8 @@ func SCMPUnknownHop(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPUnknownHop",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPUnknownHop"),
@@ -340,6 +342,8 @@ func SCMPUnknownHopEgress(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPUnknownHopEgress",
 		WriteTo:         "veth_131_host",
 		ReadFrom:        "veth_131_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPUnknownHopEgress"),
@@ -492,6 +496,8 @@ func SCMPUnknownHopWrongRouter(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:            "SCMPUnknownHopWrongRouter",
 		WriteTo:         "veth_int_host",
 		ReadFrom:        "veth_int_host",
+		LocalMAC:        ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:         ip.DstIP,        // Recipient of the "want packet".
 		Input:           input.Bytes(),
 		Want:            want.Bytes(),
 		StoreDir:        filepath.Join(artifactsDir, "SCMPUnknownHopWrongRouter"),
diff --git a/tools/braccept/cases/svc.go b/tools/braccept/cases/svc.go
index 45cadc765a..1d482e873d 100644
--- a/tools/braccept/cases/svc.go
+++ b/tools/braccept/cases/svc.go
@@ -138,6 +138,8 @@ func SVC(artifactsDir string, mac hash.Hash) runner.Case {
 		Name:     "SVC",
 		WriteTo:  "veth_141_host",
 		ReadFrom: "veth_int_host",
+		LocalMAC: ethernet.DstMAC, // Recipient of the "want packet".
+		LocalIP:  ip.DstIP,        // Recipient of the "want packet".
 		Input:    input.Bytes(),
 		Want:     want.Bytes(),
 		StoreDir: filepath.Join(artifactsDir, "SVC"),
diff --git a/tools/braccept/runner/run_linux.go b/tools/braccept/runner/run_linux.go
index 7ad24707ab..4e38318228 100644
--- a/tools/braccept/runner/run_linux.go
+++ b/tools/braccept/runner/run_linux.go
@@ -24,6 +24,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"slices"
 	"strings"
 	"time"
 
@@ -62,7 +63,10 @@ func NewRunConfig() (*RunConfig, error) {
 		if !strings.HasPrefix(dev.Name, "veth_") || !strings.HasSuffix(dev.Name, "_host") {
 			continue
 		}
-		handle, err := afpacket.NewTPacket(afpacket.OptInterface(dev.Name))
+		handle, err := afpacket.NewTPacket(
+			afpacket.OptInterface(dev.Name),
+			afpacket.OptBlockTimeout(time.Millisecond), // TPv3 waits for and aggregates packets!
+		)
 		if err != nil {
 			return nil, serrors.Wrap("creating TPacket", err)
 		}
@@ -104,11 +108,72 @@ type ExpectedPacket struct {
 	Pkt               gopacket.Packet
 }
 
+// handleArp answers ARP requests that target localIP by writing an ARP reply advertising
+// localMAC to afp. Anything else (undecodable payload, non-request, other target) is dropped
+// silently; serialization and write failures are not reported to the caller either.
+func (c *RunConfig) handleArp(
+	ethHdr *layers.Ethernet,
+	localIP net.IP,
+	localMAC net.HardwareAddr,
+	afp *afpacket.TPacket,
+) {
+	var req layers.ARP
+	if req.DecodeFromBytes(ethHdr.LayerPayload(), gopacket.NilDecodeFeedback) != nil {
+		return
+	}
+	if req.Operation != layers.ARPRequest {
+		// We don't need an ARP cache: we know all addresses. So, we only respond to requests.
+		return
+	}
+	// ARP carries IPv4 addresses as 4 bytes, while a net.IP may be in 16-byte form: normalize.
+	local4 := localIP.To4()
+	if local4 == nil || !slices.Equal(req.DstProtAddress, local4) {
+		// No usable local address, gratuitous req, or not for us. No response.
+		return
+	}
+	if slices.Equal(req.SourceProtAddress, net.IPv4zero.To4()) {
+		// Probe (net.IPv4zero itself is 16 bytes long, hence To4). Since I'm not sure it's
+		// legal to respond with the unspecified address as the target, use ours. Which is
+		// technically the correct value anyway.
+		req.SourceProtAddress = local4 // will become DstProtAddress in the response.
+	}
+	ethernet := layers.Ethernet{
+		SrcMAC:       localMAC,
+		DstMAC:       req.SourceHwAddress,
+		EthernetType: layers.EthernetTypeARP,
+	}
+	arp := layers.ARP{
+		AddrType:          layers.LinkTypeEthernet,
+		HwAddressSize:     6,
+		Protocol:          layers.EthernetTypeIPv4,
+		ProtAddressSize:   4,
+		Operation:         layers.ARPReply,
+		SourceHwAddress:   localMAC,
+		SourceProtAddress: req.DstProtAddress,
+		DstHwAddress:      req.SourceHwAddress,
+		DstProtAddress:    req.SourceProtAddress,
+	}
+	seropts := gopacket.SerializeOptions{FixLengths: true, ComputeChecksums: true}
+	serBuf := gopacket.NewSerializeBuffer()
+	if gopacket.SerializeLayers(serBuf, seropts, &ethernet, &arp) != nil {
+		log.Debug("Could not serialize arp response")
+		return
+	}
+	_ = afp.WritePacketData(serBuf.Bytes()) // Best effort: a lost reply is simply not sent.
+}
+
 // ExpectPacket expects packet pkt on the device devName. It stores all received
 // packets using the storer. If the received packet in the device is matching
 // the expected packet and no other packet is received nil is returned.
 // Otherwise details of what went wrong are returned in the error.
-func (c *RunConfig) ExpectPacket(pkt ExpectedPacket, normalizeFn NormalizePacketFn) error {
+func (c *RunConfig) ExpectPacket(
+	pkt ExpectedPacket,
+	normalizeFn NormalizePacketFn,
+	localIP net.IP,
+	localMAC net.HardwareAddr,
+	handles map[string]*afpacket.TPacket,
+) error {
+
 	timerCh := time.After(pkt.Timeout)
 	c.packetChans[len(c.deviceNames)] = reflect.SelectCase{
 		Dir:  reflect.SelectRecv,
@@ -134,9 +199,58 @@ func (c *RunConfig) ExpectPacket(pkt ExpectedPacket, normalizeFn NormalizePacket
 				"type", common.TypeOf(pktV.Interface())))
 			continue
 		}
+		// We're only configuring IPv4 addresses, so only IPv4 traffic is ours.
+		// Even on veth, there can be other things scooting by, such as ARP. Speaking of
+		// ARP: we have to respond. Neighbor entries that the test harness shoves into the router
+		// won't work: the router can also use a raw socket.
+		if got.LinkLayer() == nil {
+			log.Debug("No link hdr")
+			continue
+		}
+		if got.LinkLayer().LayerType() != layers.LayerTypeEthernet {
+			log.Debug("Not ethernet")
+			continue
+		}
+		ethHdr := got.LinkLayer().(*layers.Ethernet)
+		if ethHdr.EthernetType == layers.EthernetTypeARP {
+			if afp := handles[c.deviceNames[idx]]; afp != nil {
+				c.handleArp(ethHdr, localIP, localMAC, afp)
+			} else {
+				log.Debug("Cannot respond to arp: came in through unknown device")
+			}
+			continue
+		}
+		if ethHdr.EthernetType != layers.EthernetTypeIPv4 {
+			log.Debug("Not IPv4")
+			continue
+		}
+		if got.NetworkLayer() == nil {
+			log.Debug("No netwk hdr")
+			continue
+		}
+		ipHdr := got.NetworkLayer().(*layers.IPv4)
+		if ipHdr.Protocol != layers.IPProtocolUDP {
+			continue
+		}
+		if got.TransportLayer() == nil {
+			log.Debug("No transport hdr")
+			continue
+		}
+		udpHdr := got.TransportLayer().(*layers.UDP)
+		// It isn't easy to tell a packet with the wrong dest port apart from a noise packet. We
+		// treat everything outside the normal SCION range as noise. This is a closed veth, so there
+		// can't be completely arbitrary noise either.
+		if udpHdr.DstPort < 20000 || udpHdr.DstPort >= 60000 {
+			// treat that as noise
+			log.Debug("Not ours")
+			continue
+		}
 		pkt.Storer.storePkt(fmt.Sprintf("got-%d", i), got)
 		// Packet received
 		if c.deviceNames[idx] != pkt.DevName {
+			if pkt.IgnoreNonMatching {
+				continue
+			}
 			errors = append(errors, serrors.New("received packet on unexpected interface",
 				"pkt", i, "expected", pkt.DevName, "actual", c.deviceNames[idx], "packet", got))
 			continue
@@ -194,7 +308,7 @@ func (t *Case) Run(cfg *RunConfig) error {
 	ePkt := ExpectedPacket{
 		Storer:            storer,
 		DevName:           t.ReadFrom,
-		Timeout:           350 * time.Millisecond,
+		Timeout:           500 * time.Millisecond,
 		IgnoreNonMatching: t.IgnoreNonMatching,
 		Pkt:               wantPkt,
 	}
@@ -202,7 +316,8 @@ func (t *Case) Run(cfg *RunConfig) error {
 	if normalizePacket == nil {
 		normalizePacket = DefaultNormalizePacket
 	}
-	err := cfg.ExpectPacket(ePkt, normalizePacket)
+
+	err := cfg.ExpectPacket(ePkt, normalizePacket, t.LocalIP, t.LocalMAC, cfg.handles)
 	if err == nil {
 		return nil
 	}
diff --git a/tools/braccept/runner/runner.go b/tools/braccept/runner/runner.go
index 3119a74f43..192bab011e 100644
--- a/tools/braccept/runner/runner.go
+++ b/tools/braccept/runner/runner.go
@@ -15,7 +15,11 @@
 
 package runner
 
-import "github.com/gopacket/gopacket"
+import (
+	"net"
+
+	"github.com/gopacket/gopacket"
+)
 
 type NormalizePacketFn func(gopacket.Packet)
 
@@ -23,6 +27,8 @@ type NormalizePacketFn func(gopacket.Packet)
 type Case struct {
 	Name              string
 	WriteTo, ReadFrom string
+	LocalMAC          net.HardwareAddr
+	LocalIP           net.IP
 	Input, Want       []byte
 	StoreDir          string
 	IgnoreNonMatching bool
diff --git a/tools/end2end_integration/main.go b/tools/end2end_integration/main.go
index 30a5637d98..4f27e5300e 100644
--- a/tools/end2end_integration/main.go
+++ b/tools/end2end_integration/main.go
@@ -106,7 +106,7 @@ func realMain() int {
 
 // addFlags adds the necessary flags.
 func addFlags() {
-	flag.IntVar(&attempts, "attempts", 1, "Number of attempts per client before giving up.")
+	flag.IntVar(&attempts, "attempts", 2, "Number of attempts per client before giving up.")
 	flag.StringVar(&cmd, "cmd", "./bin/end2end",
 		"The end2end binary to run (default: ./bin/end2end)")
 	flag.StringVar(&name, "name", "end2end_integration",
diff --git a/tools/env/debian/pkgs.txt b/tools/env/debian/pkgs.txt
index 004feb0590..041cb06967 100644
--- a/tools/env/debian/pkgs.txt
+++ b/tools/env/debian/pkgs.txt
@@ -9,6 +9,7 @@ g++
 gcc
 git
 jq
+libcap2-bin
 llvm
 make
 moreutils
diff --git a/tools/env/rhel/pkgs.txt b/tools/env/rhel/pkgs.txt
index 2676780239..10732de3e0 100644
--- a/tools/env/rhel/pkgs.txt
+++ b/tools/env/rhel/pkgs.txt
@@ -3,6 +3,7 @@ ethtool
 clang
 gcc
 g++
+libcap
 llvm
 python3-pip
 python3-setuptools
diff --git a/tools/topology/defines.py b/tools/topology/defines.py
index 7f4f28da70..1a24aef882 100644
--- a/tools/topology/defines.py
+++ b/tools/topology/defines.py
@@ -54,5 +54,3 @@
 DEFAULT6_PRIV_NETWORK = DEFAULT6_PRIV_NETWORK_ADDR + DEFAULT6_MASK
 DEFAULT6_CLIENT = "fd00:f00d:cafe::7f00:0002"
 DEFAULT6_SERVER = "fd00:f00d:cafe::7f00:0003"
-
-DOCKER_COMPOSE_CONFIG_VERSION = "2.4"
diff --git a/tools/topology/docker.py b/tools/topology/docker.py
index ba59b9db58..4bfbd63e7f 100644
--- a/tools/topology/docker.py
+++ b/tools/topology/docker.py
@@ -18,8 +18,8 @@
 from typing import Mapping
 # External packages
 import yaml
+
 # SCION
-from topology.defines import DOCKER_COMPOSE_CONFIG_VERSION
 from topology.util import write_file
 from topology.common import (
     ArgsTopoDicts,
@@ -53,7 +53,6 @@ def __init__(self, args):
         """
         self.args = args
         self.dc_conf = {
-            'version': DOCKER_COMPOSE_CONFIG_VERSION,
             'name': 'scion',
             'services': {},
             'networks': {},
@@ -146,9 +145,9 @@ def _br_conf(self, topo_id, topo, base):
             entry = {
                 'image': image,
                 'networks': {},
-                'user': self.user,
                 'volumes': ['%s:/etc/scion:ro' % base],
-                'command': ['--config', '/etc/scion/%s.toml' % k]
+                'command': ['--config', '/etc/scion/%s.toml' % k],
+                'cap_add': ['NET_ADMIN', 'NET_RAW', 'BPF']
             }
             # add data networks:
             net_keys = [k, k + '_internal']
diff --git a/tools/topology/monitoring.py b/tools/topology/monitoring.py
index 974dde5273..e0f74407f4 100644
--- a/tools/topology/monitoring.py
+++ b/tools/topology/monitoring.py
@@ -28,7 +28,7 @@
 import yaml
 
 # SCION
-from topology.defines import DOCKER_COMPOSE_CONFIG_VERSION, PROM_FILE
+from topology.defines import PROM_FILE
 from topology.util import write_file
 from topology.common import (
     ArgsTopoDicts,
@@ -167,7 +167,6 @@ def _write_disp_file(self):
     def _write_dc_file(self):
         # Merged yeager and prometheus files.
         monitoring_dc = {
-            'version': DOCKER_COMPOSE_CONFIG_VERSION,
             'name': 'monitoring',
             'services': {
                 'prometheus': {
diff --git a/topology/default4.topo b/topology/default4.topo
new file mode 100644
index 0000000000..22b29a2e8b
--- /dev/null
+++ b/topology/default4.topo
@@ -0,0 +1,89 @@
+--- # Default topology variant: every underlay that is set explicitly here is UDP/IPv4.
+ASes:  # One entry per AS; keys appear to be "<ISD>-<AS>" identifiers (TODO confirm).
+  "1-ff00:0:110":
+    core: true
+    voting: true
+    authoritative: true
+    issuing: true
+    underlay: UDP/IPv4
+  "1-ff00:0:120":
+    core: true
+    voting: true
+    authoritative: true
+    issuing: true
+  "1-ff00:0:130":
+    core: true
+    voting: true
+    authoritative: true
+    issuing: true
+    underlay: UDP/IPv4
+  "1-ff00:0:111":
+    cert_issuer: 1-ff00:0:110
+    underlay: UDP/IPv4
+  "1-ff00:0:112":
+    cert_issuer: 1-ff00:0:110
+    mtu: 1450
+  "1-ff00:0:121":
+    cert_issuer: 1-ff00:0:120
+  "1-ff00:0:122":
+    cert_issuer: 1-ff00:0:120
+    underlay: UDP/IPv4
+  "1-ff00:0:131":
+    cert_issuer: 1-ff00:0:130
+  "1-ff00:0:132":
+    cert_issuer: 1-ff00:0:130
+    underlay: UDP/IPv4
+  "1-ff00:0:133":
+    cert_issuer: 1-ff00:0:130
+  "2-ff00:0:210":
+    core: true
+    voting: true
+    authoritative: true
+    issuing: true
+    mtu: 1280
+  "2-ff00:0:220":
+    core: true
+    voting: true
+    authoritative: true
+    issuing: true
+    underlay: UDP/IPv4
+  "2-ff00:0:211":
+    cert_issuer: 2-ff00:0:210
+    underlay: UDP/IPv4
+  "2-ff00:0:212":
+    cert_issuer: 2-ff00:0:210
+  "2-ff00:0:221":
+    cert_issuer: 2-ff00:0:220
+  "2-ff00:0:222":
+    cert_issuer: 2-ff00:0:220
+    underlay: UDP/IPv4
+links:  # Each entry joins endpoint a to endpoint b; linkAtoB is CORE, CHILD or PEER.
+  - {a: "1-ff00:0:110#1",     b: "1-ff00:0:120-A#6",   linkAtoB: CORE}
+  - {a: "1-ff00:0:110#2",     b: "1-ff00:0:130-A#104", linkAtoB: CORE, underlay: UDP/IPv4}
+  - {a: "1-ff00:0:110#3",     b: "2-ff00:0:210#453",   linkAtoB: CORE}
+  - {a: "1-ff00:0:120-A#1",   b: "1-ff00:0:130-B#105", linkAtoB: CORE}
+  - {a: "1-ff00:0:120-B#2",   b: "2-ff00:0:220#501",   linkAtoB: CORE, mtu: 1350}
+  - {a: "1-ff00:0:120-B#3",   b: "2-ff00:0:220#502",   linkAtoB: CORE, mtu: 1400}
+  - {a: "1-ff00:0:120-B#4",   b: "1-ff00:0:121#3",     linkAtoB: CHILD}
+  - {a: "1-ff00:0:120#5",     b: "1-ff00:0:111-B#104", linkAtoB: CHILD}
+  - {a: "1-ff00:0:130-A#111", b: "1-ff00:0:131#479",   linkAtoB: CHILD}
+  - {a: "1-ff00:0:130-B#112", b: "1-ff00:0:111-A#105", linkAtoB: CHILD, underlay: UDP/IPv4}
+  - {a: "1-ff00:0:130-A#113", b: "1-ff00:0:112#495",   linkAtoB: CHILD}
+  - {a: "1-ff00:0:111-C#100", b: "1-ff00:0:121#4",     linkAtoB: PEER}
+  - {a: "1-ff00:0:111-B#101", b: "2-ff00:0:211-A#5",   linkAtoB: PEER, underlay: UDP/IPv4}
+  - {a: "1-ff00:0:111-C#102", b: "2-ff00:0:211-A#6",   linkAtoB: PEER}
+  - {a: "1-ff00:0:111-A#103", b: "1-ff00:0:112#494",   linkAtoB: CHILD}
+  - {a: "1-ff00:0:121#1",     b: "1-ff00:0:131#480",   linkAtoB: PEER}
+  - {a: "1-ff00:0:121#2",     b: "1-ff00:0:122#2",     linkAtoB: CHILD, underlay: UDP/IPv4}
+  - {a: "1-ff00:0:122#1",     b: "1-ff00:0:133#1",     linkAtoB: PEER}
+  - {a: "1-ff00:0:131#478",   b: "1-ff00:0:132#2",     linkAtoB: CHILD}
+  - {a: "1-ff00:0:132#1",     b: "1-ff00:0:133#2",     linkAtoB: CHILD}
+  - {a: "2-ff00:0:210#450",   b: "2-ff00:0:220#503",   linkAtoB: CORE, underlay: UDP/IPv4}
+  - {a: "2-ff00:0:210#451",   b: "2-ff00:0:211-A#7",   linkAtoB: CHILD}
+  - {a: "2-ff00:0:210#452",   b: "2-ff00:0:211-A#8",   linkAtoB: CHILD}
+  - {a: "2-ff00:0:220#500",   b: "2-ff00:0:221#2",     linkAtoB: CHILD}
+  - {a: "2-ff00:0:211-A#1",   b: "2-ff00:0:221#3",     linkAtoB: PEER, underlay: UDP/IPv4}
+  - {a: "2-ff00:0:211-A#2",   b: "2-ff00:0:212#201",   linkAtoB: CHILD}
+  - {a: "2-ff00:0:211-A#3",   b: "2-ff00:0:212#200",   linkAtoB: CHILD}
+  - {a: "2-ff00:0:211-A#4",   b: "2-ff00:0:222#301",   linkAtoB: CHILD}
+  - {a: "2-ff00:0:221#1",     b: "2-ff00:0:222#302",   linkAtoB: CHILD}