The AEAD is constructed as follows: for each packet, generate a Poly1305 key by taking 128 bits of ChaCha20 stream output generated using K_2 and an IV of zero. The chacha20 key-stream remains for follow up packets (don't change the IV and block counter) and will only be reset after a rekeying. A client may precompute the ChaCha20 key-stream up to the desired length.
A rekey MUST exact happen after 2^24 bytes (16MB) have been used from the key-stream. The rekeying can also happen in the middle of encrypting a payload. If the key-stream contains less than 128bits when starting to encrypt a packet, a rekeying MUST happen (to avoid a MAC key from two cipher instances).
The next symmetric cipher key MUST be calculated by `SHA256(SHA256(session ID || old_symmetric_cipher_key))`.
During a rekey, the packet length encryption instance keyed by K_1 must also reset (use the next symmatric cipher key, reset IV and block counter to zero).
The packet length encryption instance can therefor maximal encrypt 2^24/3+1+16 packet lengths (~2.4MB) per key (20 bytes is the smallest possible packet).