HMAC is added in babel call to prevent babel communication between nodes of different re6st networks. 
This solves the problem of machines in different re6st networks but on the same LAN that exchange routes through babel. 
The key used to authenticate packets is randomly created on 16 bytes by the registry and sent to nodes when they fetch network parameters. 
This uses the WIP hmac branch of jech/babeld with Nexedi patches and the added possibility to not check HMAC in incoming packets for better HMAC integration on a HMAC-less network.

/reviewed-on !18

The received network parameter name can have a ':json' suffix that
is not present in the class attribute of this parameter.
This suffix was not removed and could cause attribute deletion to fail.

/reviewed-on !20

In SQLite, a string that only contains '0' chars evaluates to False.

- registry: make --dh mandatory
- node: retry if the registry returns nothing (instead of writing an empty file)

The old distutils way is not compatible with zc.recipe.egg in develop mode,
because egg_info does not provide any information about such scripts.

Generating them takes a lot of time and there's no reason to do this by default.
We keep --dh option in 're6stnet' to not break existing configuration.

db.py -> cache.py
PeerDB -> Cache
peers.db -> cache.db

For the registry at least, we'll want to store integers
without having to convert to/from strings.

To upgrade 'registry.db':
- dump it to a file
- fix create table statements
- load it

Nodes will restart with an empty cache.

It's normal such failure happens occasionally and re6st retries later so:
- do not frighten user/admin with 500 status and ssl errors
- do not waste resources by killing session with registry

The way peer addresses were exchanged polluted caches with information about
dead nodes. In particular, bootstrapping often took a long time because the
cache of the primary node was mostly useless.

This also fixes bootstrap of registry.

- authenticated communications with registered clients
- XML-RPC is dropped
- multi-threaded server

When a peer advertised several addresses, a node trying to create a tunnel to
it never tried any other address than the first one.

Before, we wrongly assumed OpenVPN would try all addresses before aborting
(--ping-exit). New code reexecutes OpenVPN until all addresses are tried
and update the peer db to reorder addresses if the first one failed.

The previous broadcast model is replaced by a query-response one.
During normal operation, the cache of peers is not used anymore to select
peers to connect to. It now only used for bootstrapping and avoid querying
an already known address.

using the same socket for sending and listenning

A peer now advertise itself more at the begining to be as present in the local db of other peers than the average