The server MAY choose to reduce the number of active
sessions in response to implementation-dependent criteria, such as resource
limits or detection of a denial-of-service attack.<26> The
affected sessions MUST be cleaned up as described in section 3.2.6.1.