I think it’s simpler to keep a short list (a queue actually, but usually with no more than 2-5 entries) of <difficulty-level ; secret> pairs.
Generate a new pair every 10 seconds or whenever the difficulty level needs to change. Remember all entries for the last 20 seconds. Calculate the cookie as described in the RFC. When receiving a cookie, you try to validate it using all the remembered secret-difficulty pairs (I guess you check for sufficiently many zeros before you check for the hash), and let them in if one such pair validated.

Yoav

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
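
The queue described in the message above, as an added example that is not part of the original message or of any IKE implementation. It assumes HMAC-SHA256 as the PRF, a simplified cookie (keyed hash over nonce, IP and SPI) in place of the RFC's exact construction, and "zeros" meaning trailing zero bits of PRF(solution, cookie); all function and class names are hypothetical.

```python
import hashlib, hmac, itertools, os
from collections import deque

ROTATE_SECS, REMEMBER_SECS = 10, 20  # intervals taken from the message above

def prf(key, data):
    # Assumption: HMAC-SHA256 stands in for the negotiated PRF.
    return hmac.new(key, data, hashlib.sha256).digest()

def cookie_for(secret, ni, ip, spi):
    # Assumption: simplified cookie, a keyed hash over nonce, IP and SPI.
    return prf(secret, ni + ip + spi)

def trailing_zero_bits(data):
    n = int.from_bytes(data, "big")
    return len(data) * 8 if n == 0 else (n & -n).bit_length() - 1

def solve(cookie, difficulty):
    """Initiator side: search for a key whose PRF output ends in enough zero bits."""
    for i in itertools.count():
        key = i.to_bytes(8, "big")
        if trailing_zero_bits(prf(key, cookie)) >= difficulty:
            return key

class PuzzleState:
    """Responder side: queue of (created_at, difficulty, secret), newest last."""
    def __init__(self, difficulty, now):
        self.entries = deque([(now, difficulty, os.urandom(32))])

    def tick(self, now, difficulty=None):
        # New pair on the 10 s timer or on a difficulty change; drop pairs older than 20 s.
        created, current, _ = self.entries[-1]
        wanted = current if difficulty is None else difficulty
        if wanted != current or now - created >= ROTATE_SECS:
            self.entries.append((now, wanted, os.urandom(32)))
        while len(self.entries) > 1 and now - self.entries[0][0] > REMEMBER_SECS:
            self.entries.popleft()

    def issue(self, ni, ip, spi):
        _, difficulty, secret = self.entries[-1]
        return difficulty, cookie_for(secret, ni, ip, spi)

    def validate(self, cookie, solution, ni, ip, spi):
        zeros = trailing_zero_bits(prf(solution, cookie))  # zero count first
        for _, difficulty, secret in self.entries:
            if zeros < difficulty:
                continue  # not enough work for this pair, skip its hash
            if hmac.compare_digest(cookie, cookie_for(secret, ni, ip, spi)):
                return True
        return False
```

The zero count depends only on the received cookie and solution, so it is computed once, and the per-pair cookie hash runs only for pairs whose difficulty the solution meets.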