• Type: Task
    • Resolution: Won't Fix
    • Priority: Major
    • Affects Version/s: None
    • Component/s: MQTT-SN

      MQTT 3.1.1 has a CVE against it (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13849) for a DoS attack related to the Keep Alive interval.

      MQTT-SN is perhaps less vulnerable because the server has no TCP connection open; nevertheless, it does hold session state and a Virtual Connection for each client.

      The Server Keep Alive returned in the CONNACK in MQTT 5 allows the server to limit the length of the Keep Alive interval to reduce any DoS attack effectiveness.

      Should we allow an optional Server Keep Alive to be returned on the CONNACK too?

            Assignee:
            ian.craggs
            Reporter:
            ian.craggs
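The MQTT 5 mechanism the issue refers to, sketched as an added example (not code from this issue or from any MQTT implementation): the server caps the Keep Alive a client requests and reports the cap in the CONNACK as the Server Keep Alive property (identifier 0x13), so that no session, including one that asked for Keep Alive 0, is held open indefinitely. The function names and the 60 second cap used in the sample calls are assumptions.

```python
import struct

SERVER_KEEP_ALIVE_ID = 0x13  # MQTT 5 property identifier, Two Byte Integer value
CONNACK_TYPE = 0x20          # CONNACK fixed header byte


def negotiate_keep_alive(requested, server_max):
    """Return (effective_secs, override).

    override is the value to send as Server Keep Alive, or None when the
    client's requested Keep Alive is within the server's limit.
    """
    if not 0 <= requested <= 0xFFFF:
        raise ValueError("Keep Alive is a two byte integer")
    if not 1 <= server_max <= 0xFFFF:
        raise ValueError("server_max must be 1..65535 seconds")
    # Keep Alive 0 turns the timeout off entirely, so it is capped as well.
    if requested == 0 or requested > server_max:
        return server_max, server_max
    return requested, None


def build_connack(requested, server_max, reason_code=0x00):
    """Build an MQTT 5 CONNACK, adding Server Keep Alive only when overriding."""
    _, override = negotiate_keep_alive(requested, server_max)
    props = b""
    if override is not None:
        props = struct.pack("!BH", SERVER_KEEP_ALIVE_ID, override)
    # Both lengths stay below 128 here, so each fits in one varint byte.
    body = bytes([0x00, reason_code, len(props)]) + props
    return bytes([CONNACK_TYPE, len(body)]) + body


def idle_timeout(requested, server_max):
    """Seconds of silence after which the server may drop the session.

    MQTT allows the server to close the connection after 1.5 times the
    Keep Alive in effect.
    """
    effective, _ = negotiate_keep_alive(requested, server_max)
    return effective * 1.5


if __name__ == "__main__":
    # Constructed sample requests against an assumed 60 second server cap.
    for requested in (30, 0, 65535):
        print(requested, build_connack(requested, 60).hex(), idle_timeout(requested, 60))
```

With the cap in place, the longest a silent client can hold session state is 1.5 times the server's limit rather than 1.5 times whatever value the client chose.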