Merge pull request #3686 from quicwg/forgeries-and-updates

Forgeries likely exhaust TWO keys

draft-ietf-quic-tls.md

@@ -1558,6 +1558,16 @@ this limit.  If a key update is not possible, the endpoint MUST immediately
 close the connection.  Applying a limit reduces the probability that an attacker
 is able to successfully forge a packet; see {{AEBounds}} and {{ROBUST}}.
 
+Note:
+
+: Due to the way that header protection protects the Key Phase, packets that are
+  discarded are likely to have an even distribution of both Key Phase values.
+  This means that packets that fail authentication will often use the packet
+  protection keys from the next key phase.  It is therefore necessary to also
+  track the number of packets that fail authentication with the next set of
+  packet protection keys.  To avoid exhaustion of both sets of keys, it might be
+  necessary to initiate two key updates in succession.
+
 For AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_CHACHA20_POLY1305, the limit on
 the number of packets that fail authentication is 2^36.  Note that the analysis
 in {{AEBounds}} supports a higher limit for the AEAD_AES_128_GCM and