pub const MAX_REKEY_CATCHUP: u8 = 16;
How many epochs the receive path will catch up in one packet when accepting
an authenticated forward rekey (C1). A small bound caps the HKDF work an
attacker can force per spoofed packet (each step is a trial that commits
nothing unless AEAD verifies) while comfortably absorbing the small epoch
divergence that arises when both directions rekey at slightly different
cadences. A gap larger than this is rejected; over a reliable transport the
sender retransmits at the then-current epoch, so no data is lost. In
practice (production REKEY_SOFT_LIMIT of 2^47) the gap is essentially
always 0 or 1.
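
The bounded catch-up described above, as an added sketch that is not this crate's code. It assumes the packet carries its epoch and that epoch keys form a forward ratchet; `RecvState`, `RekeyError`, `ratchet`, `derive_forward` and `toy_tag` are hypothetical names, and the last three are non-cryptographic stand-ins for the HKDF step and the AEAD tag.

```rust
// Added illustration, not the crate's code. Only MAX_REKEY_CATCHUP is from the page.
pub const MAX_REKEY_CATCHUP: u8 = 16;

#[derive(Debug, PartialEq)]
pub enum RekeyError { NotForward, GapTooLarge, AuthFailed }

pub struct RecvState { pub epoch: u64, pub key: u64 }

// Stand-in for one HKDF ratchet step (NOT cryptographic).
fn ratchet(key: u64) -> u64 {
    key.wrapping_mul(0x9E37_79B9_7F4A_7C15).rotate_left(31) ^ 0xA5A5_5A5A_A5A5_5A5A
}

// Key reached after `steps` ratchet steps from `key`.
pub fn derive_forward(key: u64, steps: u64) -> u64 {
    (0..steps).fold(key, |k, _| ratchet(k))
}

// Stand-in for the AEAD tag over (epoch, payload) (NOT cryptographic).
pub fn toy_tag(key: u64, epoch: u64, payload: &[u8]) -> u64 {
    payload.iter().fold(ratchet(key ^ epoch), |acc, &b| ratchet(acc ^ u64::from(b)))
}

impl RecvState {
    pub fn accept(&mut self, pkt_epoch: u64, payload: &[u8], tag: u64) -> Result<(), RekeyError> {
        // Older epochs are outside what the page describes; rejected here by assumption.
        let gap = pkt_epoch.checked_sub(self.epoch).ok_or(RekeyError::NotForward)?;
        // Bound check comes first, so an oversized gap costs zero derivations.
        if gap > u64::from(MAX_REKEY_CATCHUP) {
            return Err(RekeyError::GapTooLarge);
        }
        // Trial: derive on a scratch copy, at most MAX_REKEY_CATCHUP steps.
        let trial = derive_forward(self.key, gap);
        if toy_tag(trial, pkt_epoch, payload) != tag {
            return Err(RekeyError::AuthFailed); // receive state untouched
        }
        // Commit only after authentication succeeds.
        self.epoch = pkt_epoch;
        self.key = trial;
        Ok(())
    }
}

fn main() {
    let mut rx = RecvState { epoch: 0, key: 42 }; // constructed sample state
    let tag = toy_tag(derive_forward(42, 2), 2, b"data");
    println!("{:?}", rx.accept(2, b"data", tag ^ 1)); // spoofed tag is rejected
    let accepted = rx.accept(2, b"data", tag);
    println!("{:?} epoch={}", accepted, rx.epoch);
}
```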