I wrote:
>In Section 4.4, the client IP is added to the hash in the creation of the
>server cookie.

Ah, never mind, that is already in RFC 7873. So a client that wants to (re-)use a server cookie needs to know the source address it previously used to communicate with the server. So if the client maintains that kind of state (and sends follow-up traffic only from the recorded source address), then the client can just as well use a new pseudo-random client cookie each time the client creates new state. No need to include the client IP address in the cookie or worry about the cookie leaking. The send of the packet will fail if the source address is no longer available.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
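
Added example, not part of the original message: a sketch of the client-side state discussed above, next to a server cookie whose hash covers the client's source IP. The hash input layout, the use of HMAC-SHA-256 truncated to 64 bits, and all names and addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

SERVER_SECRET = secrets.token_bytes(16)  # constructed secret for this example


def make_server_cookie(client_cookie, client_ip, secret=SERVER_SECRET):
    """Server side: 8-byte cookie bound to the client cookie and source IP.
    HMAC-SHA-256/64 stands in for the real hash (assumption)."""
    ip = ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, client_cookie + ip, hashlib.sha256).digest()[:8]


def server_accepts(client_cookie, server_cookie, source_ip, secret=SERVER_SECRET):
    """Server side: recompute over the observed source IP, compare in constant time."""
    expected = make_server_cookie(client_cookie, source_ip, secret)
    return hmac.compare_digest(expected, server_cookie)


class ClientCookieState:
    """Client side: per-server state that records the source address used."""

    def __init__(self):
        self._state = {}  # server -> (source_ip, client_cookie, server_cookie)

    def cookies_for(self, server, source_ip):
        entry = self._state.get(server)
        if entry is None or entry[0] != source_ip:
            # New state: fresh pseudo-random client cookie, no server cookie yet.
            # The client cookie itself does not encode the client IP.
            entry = (source_ip, secrets.token_bytes(8), None)
            self._state[server] = entry
        return entry[1], entry[2]

    def learn(self, server, source_ip, server_cookie):
        """Store the server cookie only against the source address it was issued for."""
        src, client_cookie, _ = self._state[server]
        if src == source_ip:
            self._state[server] = (src, client_cookie, server_cookie)
```

A stored server cookie validates only from the recorded source address; a query from any other address starts new state with a new client cookie.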