Write down spoofed packet guarantees

draft-ietf-quic-transport.md

@@ -3150,7 +3150,7 @@ QUIC packets on the affected path.  This could result in termination of the
 connection if an alternative path cannot be found.
 
 
-### Special Considerations for PMTU Discovery
+### IPv4 PMTU Discovery {#v4-pmtud}
 
 Traditional ICMP-based path MTU discovery in IPv4 {{!PMTUDv4}} is potentially
 vulnerable to off-path attacks that successfully guess the IP/port 4-tuple and
@@ -4017,6 +4017,54 @@ transport to cancel a stream in response to receipt of a STOP_SENDING frame.
 
 # Security Considerations
 
+## Handshake Denial of Service
+
+As an encrypted and authenticated transport QUIC provides a range of protections
+against denial of service.  Once the cryptographic handshake is complete, QUIC
+endpoints discard most packets that are not authenticated, greatly limiting the
+ability of an attacker to interfere with existing connections.
+
+Once a connection is established QUIC endpoints might accept some
+unauthenticated ICMP packets (see {{v4-pmtud}}), but the use of these packets is
+extremely limited.  The only other type of packet that an endpoint might accept
+is a stateless reset ({{stateless-reset}}) which relies on the token being kept
+secret until it is used.
+
+During the creation of a connection, QUIC only provides protection against
+attack from off the network path.  All QUIC packets contain proof that the
+recipient saw a preceding packet from its peer.
+
+The first mechanism used is the source and destination connection IDs, which are
+required to match those set by a peer.  Except for an Initial and stateless
+reset packets, an endpoint only accepts packets that include a destination
+connection that matches a connection ID the endpoint previously chose.  This is
+the only protection offered for Version Negotiation packets.
+
+The destination connection ID in an Initial packet is selected by a client to be
+unpredictable, which serves an additional purpose.  The packets that carry the
+cryptographic handshake are protected with a key that is derived from this
+connection ID and salt specific to the QUIC version.  This allows endpoints to
+use the same process for authenticating packets that they receive as they use
+after the cryptographic handshake completes.  Packets that cannot be
+authenticated are discarded.  Protecting packets in this fashion provides a
+strong assurance that the sender of the packet saw the Initial packet and
+understood it.
+
+These protections are not intended to be effective against an attacker that is
+able to receive QUIC packets prior to the connection being established.  Such an
+attacker can potentially send packets that will be accepted by QUIC endpoints.
+This version of QUIC attempts to detect this sort of attack, but it expects that
+endpoints will fail to establish a connection rather than recovering.  For the
+most part, the cryptographic handshake protocol {{QUIC-TLS}} is responsible for
+detecting tampering during the handshake, though additional validation is
+required for version negotiation (see {{version-validation}}).
+
+Endpoints are permitted to use other methods to detect and attempt to recover
+from interference with the handshake.  Invalid packets may be identified and
+discarded using other methods, but no specific method is mandated in this
+document.
+
+
 ## Spoofed ACK Attack
 
 An attacker might be able to receive an address validation token