Proxy-Chosen Virtual Client Connection ID
As described in ietf-wg-masque#88, loop attacks are possible when clients pick the virtual connection ID. This change moves the responsibility of generating a Virtual Client Connection ID to the proxy and requires the proxy to generate unpredictable virtual connection IDs. Unfortunately, this change complicates the capsule exchange. Specifically, the proxy cannot send forwarded-mode packets in the Target->Client direction until it knows that the client is ready to receive them. Previously, when the client chose the vcid, we could require that the client not share the vcid unless it was ready to receive with it. Now that the proxy chooses the client vcid, we need the client to signal that it is ready to receive forwarded-mode packets. To accomplish this, ACK_CLIENT_VCID is introduced. The ACK_CLIENT_VCID capsule solves the rule-readiness problem and maintains that the client can supply a Stateless Reset Token for resetting the client<->target tunnel.
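The exchange the commit message describes, as an added simulation that is not code from this repository or from the draft: the proxy picks the client VCID from a CSPRNG, sends it to the client, and keeps Target->Client traffic out of forwarded mode until ACK_CLIENT_VCID (carrying the client's Stateless Reset Token) arrives. The capsule name CLIENT_VCID for the proxy->client message, the 8-byte VCID and 16-byte token lengths, the dict-based capsule shape (no wire encoding), and the choice to fall back to tunnelled mode before the ACK are all assumptions made for illustration, not the draft's definitions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Capsule:
    """Simplified capsule: a name plus a dict of fields (no wire encoding; assumed)."""
    kind: str
    fields: dict


class Proxy:
    """Proxy side of one client<->target tunnel."""

    VCID_LEN = 8     # assumed length, not from the draft
    TOKEN_LEN = 16   # QUIC stateless reset tokens are 16 bytes

    def __init__(self):
        self.client_vcid = None
        self.client_ready = False          # flips only when ACK_CLIENT_VCID arrives
        self.stateless_reset_token = None

    def assign_client_vcid(self):
        # The proxy, not the client, chooses the Virtual Client Connection ID,
        # from a CSPRNG so the client can neither pick nor predict it.
        self.client_vcid = secrets.token_bytes(self.VCID_LEN)
        # "CLIENT_VCID" is an assumed capsule name; the commit message does not name it.
        return Capsule("CLIENT_VCID", {"vcid": self.client_vcid})

    def handle_capsule(self, capsule):
        if capsule.kind != "ACK_CLIENT_VCID":
            raise ValueError(f"unexpected capsule {capsule.kind}")
        if capsule.fields["vcid"] != self.client_vcid:
            # The ACK must name the VCID this proxy issued; anything else is rejected.
            raise ValueError("ACK_CLIENT_VCID for a VCID this proxy did not issue")
        token = capsule.fields["stateless_reset_token"]
        if len(token) != self.TOKEN_LEN:
            raise ValueError("bad stateless reset token length")
        self.stateless_reset_token = token
        self.client_ready = True

    def packet_from_target(self, quic_payload):
        """Return (mode, bytes) for a packet travelling Target->Client.

        Forwarded mode (the client VCID prepended, sent as raw UDP) is allowed
        only after the client has acknowledged the VCID; before that the packet
        stays in tunnelled mode (assumed here to mean an HTTP Datagram).
        """
        if not self.client_ready:
            return ("tunnelled", quic_payload)
        return ("forwarded", self.client_vcid + quic_payload)


class Client:
    TOKEN_LEN = 16

    def __init__(self):
        self.vcid = None
        self.reset_token = None
        self.route_installed = False

    def handle_capsule(self, capsule):
        if capsule.kind != "CLIENT_VCID":
            raise ValueError(f"unexpected capsule {capsule.kind}")
        self.vcid = capsule.fields["vcid"]
        # Install the receive route before acknowledging, so the proxy never
        # gets an ACK for a VCID the client cannot yet demultiplex.
        self.route_installed = True
        # The client supplies the token used to reset the client<->target tunnel.
        self.reset_token = secrets.token_bytes(self.TOKEN_LEN)
        return Capsule("ACK_CLIENT_VCID",
                       {"vcid": self.vcid, "stateless_reset_token": self.reset_token})

    def demux(self, forwarded_packet):
        """Accept a forwarded-mode packet only if it carries our VCID."""
        if not self.route_installed or not forwarded_packet.startswith(self.vcid):
            return None
        return forwarded_packet[len(self.vcid):]


def run_exchange():
    proxy, client = Proxy(), Client()
    payload = b"\x40target-packet"   # constructed sample payload, not a real QUIC packet

    assign = proxy.assign_client_vcid()
    early = proxy.packet_from_target(payload)   # before the client has ACKed
    ack = client.handle_capsule(assign)
    proxy.handle_capsule(ack)
    late = proxy.packet_from_target(payload)    # after the ACK
    return {
        "early_mode": early[0],
        "late_mode": late[0],
        "client_sees": client.demux(late[1]),
        "token_matches": proxy.stateless_reset_token == client.reset_token,
        "vcid_len": len(proxy.client_vcid),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The point to watch in a real implementation is the gate in `packet_from_target`: the proxy's readiness flag must be set by the ACK and nothing else, and an ACK naming a VCID the proxy never issued must be dropped rather than installed.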