diff --git a/controller/EmbeddedNetworkController.cpp b/controller/EmbeddedNetworkController.cpp
index 5ba8cf983..cd8ce8bf4 100644
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@@ -516,8 +516,8 @@ void EmbeddedNetworkController::threadMain()
 Mutex::Lock _l(_refreshQueue_m);
 while (_refreshQueue.size() > 0) {
 _Refresh &r = _refreshQueue.front();
- if (_node)
- _node->pushNetworkRefresh(r.dest,r.nwid,r.blacklistAddresses,r.blacklistThresholds,r.numBlacklistEntries);
+ //if (_node)
+ // _node->pushNetworkRefresh(r.dest,r.nwid,r.blacklistAddresses,r.blacklistThresholds,r.numBlacklistEntries);
 _refreshQueue.pop_front();
 if (++count >= 50)
 break;
diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h
index 591ff1fe5..c66b90799 100644
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
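Review bot: In `threadMain()` the refresh loop now pops every `_Refresh` entry without acting on it, so the blacklist thresholds carried in `r.blacklistAddresses` and `r.blacklistThresholds` are silently discarded. If nothing outside this diff replaces the push, members the controller meant to cut off may keep being accepted by peers until their credentials expire on their own, so the change should state what supersedes it. The call is also commented out rather than deleted, which leaves `r` unused and dead code pointing at a removed API; I would drop both commented lines together with `_Refresh &r = _refreshQueue.front();`, or keep a single `// TODO:` line naming the replacement mechanism. The enclosing function starts and ends outside the hunk.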
@@ -1928,27 +1928,6 @@ enum ZT_ResultCode ZT_Node_circuitTestBegin(ZT_Node *node,ZT_CircuitTest *test,v
 */
 void ZT_Node_circuitTestEnd(ZT_Node *node,ZT_CircuitTest *test);
 
-/**
- * Push a network refresh
- *
- * This is used by network controller implementations to send a
- * NETWORK_CONFIG_REFRESH message to tell a node to refresh its
- * config and to optionally push one or more credential timestamp
- * blacklist thresholds for members of the network.
- *
- * Code outside a controller implementation will have no use for
- * this as these messages are ignored if they do not come from a
- * controller.
- *
- * @param node Node instance
- * @param dest ZeroTier address of destination to which to send NETWORK_CONFIG_REFRESH
- * @param nwid Network ID
- * @param blacklistAddresses Array of ZeroTier addresses of network members to set timestamp blacklists for
- * @param blacklistBeforeTimestamps Timestamps before which to blacklist credentials for each corresponding address in blacklistAddresses[]
- * @param blacklistCount Size of blacklistAddresses[] and blacklistBeforeTimestamps[]
- */
-void ZT_Node_pushNetworkRefresh(ZT_Node *node,uint64_t dest,uint64_t nwid,const uint64_t *blacklistAddresses,const uint64_t *blacklistBeforeTimestamps,unsigned int blacklistCount);
-
 /**
 * Initialize cluster operation
 *
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp
index c50db794e..72dfbfd82 100644
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@@ -982,7 +982,7 @@ bool IncomingPacket::_doNETWORK_CONFIG(const RuntimeEnvironment *RR,const Shared
- peer->received(_path,hops(),packetId(),Packet::VERB_NETWORK_CONFIG_REFRESH,0,Packet::VERB_NOP,trustEstablished);
+ peer->received(_path,hops(),packetId(),Packet::VERB_NETWORK_CONFIG,0,Packet::VERB_NOP,trustEstablished);
 } catch ( ... ) {
 TRACE("dropped NETWORK_CONFIG_REFRESH from %s(%s): unexpected exception",source().toString().c_str(),_path->address().toString().c_str());
 }
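Review bot: The `catch` block in `_doNETWORK_CONFIG` still logs `dropped NETWORK_CONFIG_REFRESH from %s(%s)` even though the hunk changes the verb recorded by `peer->received(...)` to `Packet::VERB_NETWORK_CONFIG`. Anyone triaging dropped-packet traces would attribute the failure to the wrong message type; the string should read `"dropped NETWORK_CONFIG from %s(%s): unexpected exception"`. The function body begins outside the hunk and the hunk's leading context lines are not shown on this page, so the surrounding `try` was not checked.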
diff --git a/node/Node.cpp b/node/Node.cpp index 2533eeb69..db9b8ea07 100644 --- a/node/Node.cpp +++ b/node/Node.cpp @@ -552,31 +552,6 @@ void Node::circuitTestEnd(ZT_CircuitTest *test) } } -void Node::pushNetworkRefresh(uint64_t dest,uint64_t nwid,const uint64_t *blacklistAddresses,const uint64_t *blacklistBeforeTimestamps,unsigned int blacklistCount) -{ - Packet outp(Address(dest),RR->identity.address(),Packet::VERB_NETWORK_CONFIG_REFRESH); - outp.append(nwid); - outp.addSize(2); - unsigned int c = 0; - for(unsigned int i=0;i= ZT_PROTO_MAX_PACKET_LENGTH) { - outp.setAt(ZT_PACKET_IDX_PAYLOAD + 8,(uint16_t)c); - RR->sw->send(outp,true); - outp = Packet(Address(dest),RR->identity.address(),Packet::VERB_NETWORK_CONFIG_REFRESH); - outp.append(nwid); - outp.addSize(2); - c = 0; - } - Address(blacklistAddresses[i]).appendTo(outp); - outp.append(blacklistBeforeTimestamps[i]); - ++c; - } - if (c > 0) { - outp.setAt(ZT_PACKET_IDX_PAYLOAD + 8,(uint16_t)c); - RR->sw->send(outp,true); - } -} - ZT_ResultCode Node::clusterInit( unsigned int myId, const struct sockaddr_storage *zeroTierPhysicalEndpoints, @@ -973,13 +948,6 @@ void ZT_Node_circuitTestEnd(ZT_Node *node,ZT_CircuitTest *test) } catch ( ... ) {} } -void ZT_Node_pushNetworkRefresh(ZT_Node *node,uint64_t dest,uint64_t nwid,const uint64_t *blacklistAddresses,const uint64_t *blacklistBeforeTimestamps,unsigned int blacklistCount) -{ - try { - reinterpret_cast(node)->pushNetworkRefresh(dest,nwid,blacklistAddresses,blacklistBeforeTimestamps,blacklistCount); - } catch ( ... ) {} -} - enum ZT_ResultCode ZT_Node_clusterInit( ZT_Node *node, unsigned int myId, diff --git a/node/Node.hpp b/node/Node.hpp index 568698161..114625314 100644 --- a/node/Node.hpp +++ b/node/Node.hpp 
@@ -107,7 +107,6 @@ public:
 void setNetconfMaster(void *networkControllerInstance);
 ZT_ResultCode circuitTestBegin(ZT_CircuitTest *test,void (*reportCallback)(ZT_Node *,ZT_CircuitTest *,const ZT_CircuitTestReport *));
 void circuitTestEnd(ZT_CircuitTest *test);
- void pushNetworkRefresh(uint64_t dest,uint64_t nwid,const uint64_t *blacklistAddresses,const uint64_t *blacklistBeforeTimestamps,unsigned int blacklistCount);
 ZT_ResultCode clusterInit(
 unsigned int myId,
 const struct sockaddr_storage *zeroTierPhysicalEndpoints,
diff --git a/node/Packet.hpp b/node/Packet.hpp
index e76cb96cd..b03ec3274 100644
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@@ -670,9 +670,11 @@ public:
 * 0x6 - WATCHed inbound frame
 * 0x7 - (reserved for future use)
 *
- * An extended frame carries full MAC addressing, making them a
- * superset of VERB_FRAME. They're used for bridging or when we
- * want to attach a certificate since FRAME does not support that.
+ * An extended frame carries full MAC addressing, making it a
+ * superset of VERB_FRAME. It is used for bridged traffic,
+ * redirected or observed traffic via rules, and can in theory
+ * be used for multicast though MULTICAST_FRAME exists for that
+ * purpose and has additional options and capabilities.
 *
 * OK payload (if ACK flag is set):
 * <[8] 64-bit network ID>
@@ -725,6 +727,9 @@ public:
 * These will of course only be accepted if they are properly signed.
 * Credentials can be for any number of networks.
 *
+ * The use of a zero byte to terminate the COM section is for legacy
+ * backward compatiblity. Newer fields are prefixed with a length.
+ *
 * OK/ERROR are not generated.
 */
 VERB_NETWORK_CREDENTIALS = 0x0a,
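Review bot: The comment added above `VERB_NETWORK_CREDENTIALS` misspells "compatibility"; the line should read `* backward compatibility. Newer fields are prefixed with a length.` Because this comment serves as the wire-format reference, it would also help to say which fields carry the length prefix and how wide it is. The field list sits above the hunk and is not visible here, so this may already be covered there.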