Merge pull request #4104 from ekr/forgery_warnings

Add warning about request forgery and client-side migration. Fixes #4086

draft-ietf-quic-transport.md

@@ -6435,6 +6435,19 @@ implementation or deployment, without potential targets for request forgery
 attacks taking action. However these countermeasures could be insufficient if
 UDP-based services do not properly authorize requests.
 
+Because the migration attack described in
+{{request-forgery-with-spoofed-migration}} is quite powerful and does not have
+adequate countermeasures, QUIC server implementations should assume that
+attackers can cause them to generate arbitrary UDP payloads to arbitrary
+destinations. QUIC servers SHOULD NOT be deployed in networks that also have
+inadequately secured UDP endpoints.
+
+Although it is not generally possible to ensure that clients are not co-located
+with vulnerable endpoints, this version of QUIC does not allow servers to
+migrate, thus preventing spoofed migration attacks on clients.  Any future
+extension which allows server migration MUST also define countermeasures for
+forgery attacks.
+
 
 ### Control Options for Endpoints