GitLab

The ARM describes the tcp-self option for update-policy as (quoting from the HTML version):

              No signer is required for <em class="replaceable"><code>tcp-self</code></em>
              or <em class="replaceable"><code>6to4-self</code></em> however the standard
              reverse mapping / prefix conversion must match the identity
              field.

This doesn't explicitly state that the update has to be received over TCP instead of UDP. While this might be thought to be strongly implied with tcp-self, I don't know that it's implied at all with 6to4-self (and I wonder if the rules might actually be different), such that it's probably worth explicitly stating the exact criteria looked for in the client identity (not to be confused with the identity field, which is different).