ShadowJonathan / DusTLS

Pure-Rust DTLS
Apache License 2.0
11 stars, 1 fork

Optional CloseNotify on unrecognised data #7

Open ShadowJonathan opened 2 years ago

ShadowJonathan commented 2 years ago

As one reason for this library's creation is to support ruma/lb, another goal is to be marginally compatible with matrix-org/lb, which is a reference implementation of the "MSC", which contains the following bit in the proposal text:

DTLS operates over UDP which is "connectionless". This makes restarting connections after restarting the server difficult. TCP has the concept of FIN packets, which let the client know that the connection they currently are using is dead and should be terminated. UDP has no equivalent. For this reason, restarting the server will take up to the connection timeout value for clients to detect a dead connection. This can be shortened by modifying DTLS to send CloseNotify alerts when the UDP socket receives unrecognised data.

While one problem with this section is that, if this were taken at "face value", it would allow a DoS attack, I'd like to also add in the additional functionality:

Allow an optional configuration setting in the server listener, which would respond to unrecognised DTLS packets with CloseNotify, and only every X number of times for connections in a timeout.

This would mitigate DoS amplification attacks, while eventually edging off existing DTLS connections after such a server restart.

Of course, the default behaviour would be to drop these packets; this is an opt-in behaviour.

ShadowJonathan commented 2 years ago

Hmmm, actually, there may be a problem with this behaviour, as alert messages require an encryption context, and receiving and processing this effectively could allow for DoS attacks, similar to a MITM agent sending a RST to either party.

This is exacerbated by the fact that UDP allows very easy source address spoofing. I'll notify the authors of this proposal of this problem.
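The opt-in policy sketched in the first comment, written out as an added example; this is not DusTLS code and the names (`UnrecognisedPolicy`, `Verdict`, `on_unrecognised`) are assumptions for illustration. It interprets "only every X number of times for connections in a timeout" as "at most X replies per source address per window", defaults to dropping, and adds one check a practitioner would want alongside the rate limit: never answer a datagram with a reply longer than the datagram itself, so a spoofed source cannot use the listener as a reflector. The alert it builds is a plaintext epoch-0 close_notify (13-byte DTLS 1.2 record header plus 2-byte alert body, per RFC 6347), because a restarted server has no keys for the old session; that is exactly the weakness the second comment raises on the client side, and nothing here addresses it. The peer address and timings below are constructed test data.

```rust
use std::collections::HashMap;
use std::net::SocketAddr;
use std::time::{Duration, Instant};

// Record-layer constants from RFC 6347 (DTLS 1.2) and RFC 5246 (alert protocol).
const CONTENT_TYPE_ALERT: u8 = 21;
const DTLS_1_2_VERSION: [u8; 2] = [0xfe, 0xfd];
const ALERT_LEVEL_WARNING: u8 = 1;
const ALERT_DESC_CLOSE_NOTIFY: u8 = 0;
/// 13-byte DTLS record header + 2-byte alert body.
pub const CLOSE_NOTIFY_LEN: usize = 15;

/// Serialises a plaintext close_notify alert in epoch 0. A restarted server has
/// no keys for the old session, so this is all it can send (see the caveat above).
pub fn close_notify_record(seq: u64) -> [u8; CLOSE_NOTIFY_LEN] {
    let mut rec = [0u8; CLOSE_NOTIFY_LEN];
    rec[0] = CONTENT_TYPE_ALERT;
    rec[1..3].copy_from_slice(&DTLS_1_2_VERSION);
    // bytes 3..5: epoch, left at 0; bytes 5..11: 48-bit sequence number.
    rec[5..11].copy_from_slice(&seq.to_be_bytes()[2..8]);
    rec[11..13].copy_from_slice(&2u16.to_be_bytes()); // alert body length
    rec[13] = ALERT_LEVEL_WARNING;
    rec[14] = ALERT_DESC_CLOSE_NOTIFY;
    rec
}

/// What the listener does with a datagram that matched no live session.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Drop,
    Reply([u8; CLOSE_NOTIFY_LEN]),
}

/// Hypothetical opt-in policy: at most `max_replies` close_notify replies per
/// source address within each `window`; everything else is dropped silently.
pub struct UnrecognisedPolicy {
    reply_enabled: bool,
    max_replies: u32,
    window: Duration,
    buckets: HashMap<SocketAddr, (Instant, u32)>, // (window start, replies used)
    next_seq: u64,
}

impl UnrecognisedPolicy {
    /// The default the issue asks for: never reply to unrecognised data.
    pub fn drop_only() -> Self {
        Self { reply_enabled: false, max_replies: 0, window: Duration::ZERO, buckets: HashMap::new(), next_seq: 0 }
    }

    pub fn rate_limited(max_replies: u32, window: Duration) -> Self {
        Self { reply_enabled: true, max_replies, window, buckets: HashMap::new(), next_seq: 0 }
    }

    /// Decide for one unrecognised datagram of `len` bytes from `from` at time `now`.
    pub fn on_unrecognised(&mut self, from: SocketAddr, len: usize, now: Instant) -> Verdict {
        if !self.reply_enabled {
            return Verdict::Drop;
        }
        // Reflection guard (my addition, not from the issue): never send more bytes
        // than were received, so a spoofed source gains no amplification.
        if len < CLOSE_NOTIFY_LEN {
            return Verdict::Drop;
        }
        let window = self.window;
        let entry = self.buckets.entry(from).or_insert((now, 0));
        if now.saturating_duration_since(entry.0) >= window {
            *entry = (now, 0); // window rolled over: start counting again
        }
        if entry.1 >= self.max_replies {
            return Verdict::Drop;
        }
        entry.1 += 1;
        let rec = close_notify_record(self.next_seq);
        self.next_seq += 1;
        Verdict::Reply(rec)
    }

    /// Forget sources whose window has expired; call periodically so a flood of
    /// spoofed source addresses cannot grow the map without bound.
    pub fn expire(&mut self, now: Instant) {
        let window = self.window;
        self.buckets.retain(|_, (start, _)| now.saturating_duration_since(*start) < window);
    }

    pub fn tracked_sources(&self) -> usize {
        self.buckets.len()
    }
}

fn main() {
    // Constructed peer (TEST-NET-3) and a policy of 2 replies per 30 s window.
    let peer: SocketAddr = "203.0.113.7:4444".parse().unwrap();
    let mut policy = UnrecognisedPolicy::rate_limited(2, Duration::from_secs(30));
    let t0 = Instant::now();
    for i in 0..4u64 {
        let verdict = policy.on_unrecognised(peer, 64, t0 + Duration::from_secs(i));
        println!("datagram {}: {:?}", i, verdict);
    }
}
```

The time is passed in rather than read from the clock so the policy can be unit-tested deterministically; in a real listener the caller would pass `Instant::now()` and run `expire` from the same timer that handles session timeouts.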