I don't understand. Why is it simple to filter UDP but not simple to filter based on a cookie? Is the validation cpu-expensive in bulk? Do you not have the capability to filter that way at the boundary?