Closed boaks closed 2 years ago
Let me add: RFC7252 is not that explicit about that, but if the response is a "piggybacked response", the client may additionally check the MID and drop it on mismatch. That doesn't make the attack impossible, but lowers the probability.
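The check described in the comment above, as an added example in Python that is not part of this discussion or of the project's own code: it parses the fixed 4-byte CoAP header and token (RFC 7252 section 3), and then accepts a piggybacked (ACK) response only when both the Message ID and the token match the outstanding CON request, while a separate (CON or NON) response is correlated by token alone. The header layout, type values and the "randomized token" advice are from RFC 7252; the function names, the tuple return value and the sample messages are constructed for this example.

```python
import secrets
import struct
from dataclasses import dataclass

# CoAP message types (RFC 7252, section 3)
CON, NON, ACK, RST = 0, 1, 2, 3


@dataclass
class CoapMessage:
    msg_type: int
    code: int       # e.g. 0x01 = GET, 0x45 = 2.05 Content, 0x00 = Empty
    mid: int        # 16-bit Message ID
    token: bytes    # 0..8 bytes


def new_token(length: int = 8) -> bytes:
    # RFC 7252 section 5.3.1: tokens should be non-trivial to guess,
    # especially when no transport security is used.
    return secrets.token_bytes(length)


def encode(msg_type: int, code: int, mid: int, token: bytes) -> bytes:
    """Build the fixed header plus token (no options/payload; test helper)."""
    if not 0 <= len(token) <= 8:
        raise ValueError("token length must be 0..8")
    first = (1 << 6) | (msg_type << 4) | len(token)   # Ver=1 | T | TKL
    return bytes([first, code]) + struct.pack("!H", mid) + token


def parse(data: bytes) -> CoapMessage:
    """Parse header and token; reject malformed messages as RFC 7252 requires."""
    if len(data) < 4:
        raise ValueError("message shorter than the 4-byte header")
    if data[0] >> 6 != 1:
        raise ValueError("unknown CoAP version")
    msg_type = (data[0] >> 4) & 0x3
    tkl = data[0] & 0xF
    if tkl > 8:
        raise ValueError("TKL 9..15 is reserved: message format error")
    if len(data) < 4 + tkl:
        raise ValueError("truncated token")
    code = data[1]
    mid = struct.unpack("!H", data[2:4])[0]
    return CoapMessage(msg_type, code, mid, data[4:4 + tkl])


def accept_response(request: CoapMessage, response: CoapMessage):
    """Decide whether `response` may be delivered as the answer to `request`.

    Returns (accepted, reason). The request is assumed to be a CON request
    that is still outstanding (its MID and token are known to the client).
    """
    if response.msg_type == ACK:
        if response.code == 0:
            # Empty ACK: acknowledges the request, announces a separate
            # response later; it carries no response and no token.
            return False, "empty ack, not a response"
        # Piggybacked response: the additional MID check from the comment.
        if response.mid != request.mid:
            return False, "ack mid does not match request"
    elif response.msg_type in (CON, NON):
        # Separate response: it has its own MID, so only the token links it.
        pass
    else:
        return False, "RST is not a response"
    # Token match is the primary correlation in every case.
    if response.token != request.token:
        return False, "token mismatch"
    return True, "piggybacked" if response.msg_type == ACK else "separate"


if __name__ == "__main__":
    # Constructed sample exchange: GET with MID 0x1234 and a 2-byte token.
    req = parse(encode(CON, 0x01, 0x1234, b"\xde\xad"))
    good = parse(encode(ACK, 0x45, 0x1234, b"\xde\xad"))
    wrong_mid = parse(encode(ACK, 0x45, 0x0001, b"\xde\xad"))
    separate = parse(encode(CON, 0x45, 0x7777, b"\xde\xad"))
    print(accept_response(req, good))        # (True, 'piggybacked')
    print(accept_response(req, wrong_mid))   # (False, 'ack mid does not match request')
    print(accept_response(req, separate))    # (True, 'separate')
```

The point of the MID rule is visible in the `wrong_mid` case: a forged ACK that carries the correct token is still dropped unless the sender also knows the Message ID of the outstanding request, which is what the comment means by lowering the probability rather than removing the attack; a forged separate response is not subject to that extra check.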
Good comments
Addressed. (I have an additional comment for the http and nstart-1, but I will open a new issue).
Using DTLS, it seems to be hard to determine that the client uses the same token. Are there any additional assumptions about determining the token if DTLS is used?