Add warning about request forgery and client-side migration. Fixes #4086

quicwg · Sep 16, 2020 · 647c68f · 647c68f
1 parent d593a63
commit 647c68f
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
@@ -6440,8 +6440,19 @@ This section also describes limited countermeasures that can be implemented by
 QUIC endpoints. These mitigations can be employed unilaterally by a QUIC
 implementation or deployment, without potential targets for request forgery
 attacks taking action. However these countermeasures could be insufficient if
-UDP-based services do not properly authorize requests.
-
+UDP-based services do not properly authorize requests. 
+
+Because the migration attack described in
+{{request-forgery-with-spoofed-migration}} is quite powerful and does
+not have adequate countermeasures, QUIC server implementations should
+assume that attackers can cause them to generate arbitrary UDP
+payloads to arbitrary destinations. QUIC servers SHOULD NOT be
+deployed in networks that also have inadequately secured UDP
+endpoints.  Although it is not generally possible to ensure that
+clients are not co-located with vulnerable endpoints, this version of
+QUIC does not allow servers to migrate, thus preventing spoofed
+migration attacks on clients.  Any future extension which allows
+server migration MUST also define countermeasures for forgery attacks.
 
 ### Control Options for Endpoints