[SCTP] state cookie generation #72

Open
rainliu opened this issue Jun 29, 2021 · 1 comment
Labels
subcrate:sctp For issues specific to the SCTP crate

@rainliu
rainliu commented Jun 29, 2021

Moved webrtc-rs/sctp#1 to here.

Looking at the state cookie generation implementation, shouldn't it include HMAC generation and other things as mentioned here?
@lolgesten
According to the RFC:

Note: After sending out INIT ACK with the State Cookie parameter,
      "Z" MUST NOT allocate any resources or keep any states for the new
      association.  Otherwise, "Z" will be vulnerable to resource
      attacks.

And later regarding state cookie generation:

From the TCB, identify and collect the minimal subset of
       information needed to re-create the TCB, and generate a MAC using
       this subset of information and a secret key

The current impl creates all resources from the start, and doesn't do this "delayed init" via the state cookie. This is probably okay since the SCTP state is bound to the underlying lifetime of the DTLS, which in turn depends on ICE. "Resource attacks" might be unlikely if the lower levels guard for it.

But it begs the question, what do we want to do with this issue?

It seems unnecessary to encode a bunch of stuff into the state cookie when we

a) are not going to use it to recreate the TCB (Association) from it
b) could keep any state wanted (such as created time) in the Association directly

We could maybe enforce a timely init by having a 60 second lifetime of the cookie. That doesn't need to be stored in the cookie itself however.

@k0nserv k0nserv added the subcrate:sctp For issues specific to the SCTP crate label Aug 23, 2022
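
For reference, a sketch of the stateless scheme the quoted RFC passages describe, as an added example that is not code from the webrtc-rs crate or from any participant in this thread: pack a minimal TCB subset with a creation time, MAC it with a secret key, and on COOKIE ECHO verify the MAC before checking the lifetime. It is written in Python so it runs on the standard library alone; the field set, the wire layout, HMAC-SHA-256, and every name in it are assumptions, and the 60 second lifetime is the figure floated above.

```python
import hashlib
import hmac
import os
import struct
import time

COOKIE_LIFETIME = 60                 # seconds (assumed, from the thread)
SECRET_KEY = os.urandom(32)          # per-endpoint secret, never sent on the wire
_BODY = struct.Struct("!IIIIHHd")    # assumed layout: tags, TSNs, stream counts, created
MAC_LEN = hashlib.sha256().digest_size
FIELDS = ("local_tag", "peer_tag", "local_tsn", "peer_tsn",
          "out_streams", "in_streams")
# Constructed sample values, not taken from a real association.
SAMPLE_TCB = dict(zip(FIELDS, (0x1A2B3C4D, 0x55667788, 1000, 2000, 10, 10)))


def make_cookie(tcb, key=SECRET_KEY, now=None):
    """Build the State Cookie for INIT ACK; the sender keeps no state afterwards."""
    created = time.time() if now is None else now
    body = _BODY.pack(*(tcb[f] for f in FIELDS), created)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_cookie(cookie, key=SECRET_KEY, now=None, lifetime=COOKIE_LIFETIME):
    """Validate a cookie from COOKIE ECHO; return the TCB subset or raise ValueError."""
    if len(cookie) != _BODY.size + MAC_LEN:
        raise ValueError("malformed cookie")
    body, mac = cookie[:_BODY.size], cookie[_BODY.size:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Authenticate first, in constant time, so unauthenticated bytes are never parsed.
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad MAC")
    *values, created = _BODY.unpack(body)
    now = time.time() if now is None else now
    # Reject cookies that are expired or claim to come from the future.
    if not 0 <= now - created <= lifetime:
        raise ValueError("stale cookie")
    return dict(zip(FIELDS, values))
```

Because the creation time sits inside the MAC'd body, the receiver can enforce the lifetime without holding any per-peer state between INIT ACK and COOKIE ECHO.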