tlswg / dtls13-spec

Repo for DTLS 1.3
32 stars 25 forks

Records with bogus epochs should be discarded, not generate alerts #177

Closed ekr closed 3 years ago

hannestschofenig commented 3 years ago

What was the motivation for this change?

kaduk commented 3 years ago

> What was the motivation for this change?

The idea was to bring us in line with the normal handling for invalid records, which is to ignore them rather than send an alert and tear things down. DTLS associations are supposed to be robust against injected packets.

I suspect that there is also some remnant of the previous state of affairs when just incrementing the epoch was all that was needed to generate new keys, as opposed to requiring KeyUpdate+ACK, though that's not directly related to making this change.
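The receive-side rule kaduk describes, as an added example that is not code from the dtls13-spec repository or from this issue: a toy DTLS 1.3 receiver matches the two epoch bits of the unified header against the epochs it still holds keys for and silently drops anything else, with a flag that reproduces the earlier alert-and-tear-down behaviour for contrast. The HMAC-based record protection and the epoch keys are constructed stand-ins for DTLS AEAD and the real key schedule.

```python
import hashlib
import hmac
import struct

# Added example, not code from the dtls13-spec repository. The "cipher" is a
# constructed stand-in: record body = plaintext || HMAC tag, in place of AEAD.
# Header follows the RFC 9147 unified header with C=0, S=1, L=1:
#   byte 0 = 0b001CSLEE (EE = epoch low bits), 16-bit seq, 16-bit length, body.
TAG_LEN = 16

def _tag(key: bytes, ee: int, seq: int, plaintext: bytes) -> bytes:
    data = bytes([ee]) + struct.pack("!H", seq) + plaintext
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def seal(key: bytes, epoch: int, seq: int, plaintext: bytes) -> bytes:
    body = plaintext + _tag(key, epoch & 3, seq, plaintext)
    return bytes([0b00101100 | (epoch & 3)]) + struct.pack("!HH", seq, len(body)) + body

class Receiver:
    def __init__(self, epoch_keys: dict, alert_on_bogus_epoch: bool = False):
        self.epoch_keys = dict(epoch_keys)      # epochs whose keys are still held
        self.alert_on_bogus_epoch = alert_on_bogus_epoch  # True = behaviour before #177
        self.closed = False
        self.discards = {"not_a_record": 0, "bogus_epoch": 0, "bad_tag": 0}

    def receive(self, record: bytes):
        """Returns ("accepted", (epoch, seq, plaintext)), ("discarded", reason) or ("alert", reason)."""
        if self.closed:
            return ("discarded", "association_closed")
        if len(record) < 5 + TAG_LEN or (record[0] >> 5) != 0b001:
            self.discards["not_a_record"] += 1
            return ("discarded", "not_a_record")
        ee = record[0] & 0b11
        seq, length = struct.unpack("!HH", record[1:5])
        body = record[5:5 + length]
        # Which held epoch does the two-bit field point at? (Newest wins on a tie.)
        candidates = [e for e in self.epoch_keys if e & 3 == ee]
        if not candidates:
            if self.alert_on_bogus_epoch:
                self.closed = True            # one injected datagram tears the association down
                return ("alert", "unexpected_epoch")
            self.discards["bogus_epoch"] += 1 # fixed behaviour: drop it, keep the association
            return ("discarded", "bogus_epoch")
        epoch = max(candidates)
        plaintext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.epoch_keys[epoch], ee, seq, plaintext)):
            self.discards["bad_tag"] += 1     # forged or corrupted: also silently dropped
            return ("discarded", "bad_tag")
        return ("accepted", (epoch, seq, plaintext))
```

The `discards` counters are the detection hook: a spike in `bogus_epoch` or `bad_tag` on one association is worth logging, while the association itself keeps delivering valid records.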