> On Dec 4, 2014, at 9:20 AM, Valery Smyslov <sva...@gmail.com> wrote: > >>> Hi Scott, >>> >>> this is almost identical to what I proposed in my original e-mail, >>> if you substitute "difficulty level" with "puzzle id”. >> >> Or call it “generation id”, and increment it whenever you generate a new >> secret and/or change the difficulty level.= > > That will work. In this case it is better to make “generation id” long enough > (4 bytes or longer) > and initialize it with random value after reboot. > > Anyway, it doesn't matter how exactly the cookie is constructed and it should > not be mandated in RFC, as it doest't affect interoperability. However, some > guidance and examples should be given.
Definitely agree. If a document doesn’t give an example of how to do this non-stupidly, implementers will come up with multiple creative ways of doing this wrong. > In particular, RFC should advise > implementers to construct cookie in such way, that the responder is able to > quickly detect > invalid/stale/forged cookies/puzzles spending as little resources as possible. Yoav _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec