Hi Scott,
this is almost identical to what I proposed in my original e-mail,
if you substitute "difficulty level" with "puzzle id".
Or call it "generation id", and increment it whenever you generate a new
secret and/or change the difficulty level.
That will work. In this case it is better to make "generation id" long
enough (4 bytes or longer)
and initialize it with a random value after reboot.
Anyway, it doesn't matter how exactly the cookie is constructed and it
should not be mandated in the RFC, as it doesn't affect interoperability.
However, some guidance and examples should be given. In particular, the RFC
should advise implementers to construct the cookie in such a way that the
responder is able to quickly detect invalid/stale/forged cookies/puzzles,
spending as little resources as possible.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
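
Added example, not part of the original message and not taken from any IKEv2 implementation: one possible cookie layout that puts a 4-byte generation id in front of an HMAC, so a stale cookie is rejected by a table lookup before any hashing is done. The class and method names, the MAC inputs (nonce, IP, SPI), HMAC-SHA256 and the one-generation grace window are all assumptions.

```python
import hashlib
import hmac
import os

GEN_LEN, MAC_LEN = 4, 32  # 4-byte generation id, HMAC-SHA256 tag


class CookieIssuer:
    """Hypothetical responder state; all names here are assumptions."""

    def __init__(self, difficulty=0):
        # Random starting value after reboot, as the message suggests.
        self.gen = int.from_bytes(os.urandom(GEN_LEN), "big")
        self.live = {}  # generation id -> (secret, difficulty)
        self.new_generation(difficulty, bump=False)

    def new_generation(self, difficulty, bump=True):
        """Call on every new secret and/or difficulty change."""
        if bump:
            self.gen = (self.gen + 1) % 2 ** (8 * GEN_LEN)
        prev = (self.gen - 1) % 2 ** (8 * GEN_LEN)
        # Keep only the previous generation as a grace window.
        self.live = {g: s for g, s in self.live.items() if g == prev}
        self.live[self.gen] = (os.urandom(32), difficulty)

    def _tag(self, gen, nonce, ip, spi):
        secret, difficulty = self.live[gen]
        # Length-prefix the variable-length fields so they cannot be shifted.
        msg = gen.to_bytes(GEN_LEN, "big") + bytes([difficulty])
        for field in (nonce, ip, spi):
            msg += len(field).to_bytes(2, "big") + field
        return hmac.new(secret, msg, hashlib.sha256).digest()

    def issue(self, nonce, ip, spi):
        return self.gen.to_bytes(GEN_LEN, "big") + self._tag(self.gen, nonce, ip, spi)

    def check(self, cookie, nonce, ip, spi):
        if len(cookie) != GEN_LEN + MAC_LEN:
            return "invalid"
        gen = int.from_bytes(cookie[:GEN_LEN], "big")
        if gen not in self.live:
            return "stale"  # unknown generation: rejected before any HMAC work
        ok = hmac.compare_digest(self._tag(gen, nonce, ip, spi), cookie[GEN_LEN:])
        return "ok" if ok else "forged"
```

Because the difficulty level is bound to the generation, a cookie that verifies also tells the responder which difficulty was in force when it was issued.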