I wrote:
>In Section 4.4, the client IP is added to the hash in the creation of the
>server cookie.

Ah, never mind, that is already in RFC 7873.

So a client that wants to (re-)use a server cookie needs to know the
source address it previously used to communicate with the server.
So if the client maintains that kind of state (and sends follow up traffic
only from the recorded source address), then the client can just as well
use a new pseudo-random client cookie each time the client creates new
state. No need to include the client IP address in the cookie or worry 
about the cookie leaking. The send off the packet will fail if the 
source address is no long available.




_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to