receive the IV for the tunnel message, returning true if it is valid,
or false if it has already been used (or is otherwise invalid). To
prevent colluding attackers from successfully tagging the tunnel by
switching the IV and the first block of the message, the validator should
treat the XOR of the IV and the first block as the unique identifier,
not the IV alone (since the tunnel is encrypted via AES/CBC). Thanks to
dvorak for pointing out that tagging!