diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 96251b3dd0..262818368e 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -793,6 +793,9 @@ modifying the contents of handshake packets from future versions. The HKDF-Expand-Label function defined in TLS 1.3 MUST be used for Initial packets even where the TLS versions offered do not include TLS 1.3. +{{test-vectors-initial}} contains test vectors for the initial packet +encryption. + Note: : The Destination Connection ID is of arbitrary length, and it could be zero 
@@ -1391,6 +1394,76 @@ values in the following registries: --- back +# Test Vectors for Initial Packet Encryption {#test-vectors-initial} + +This section shows sample packet encryption secrets so +that implementations can be verified incrementally. + +{{initial-secrets}} contains the salt used for Initial Packet +Encryption. +Using an Initial Destination Connection ID 0x8394c8f03e515708, the +derived 32 byte initial secret is: + +~~~ + 44 96 d3 90 3d 3f 97 cc 5e 45 ac 57 90 dd c6 86 + 68 3c 7c 00 67 01 2b b0 9d 90 0c c2 18 32 d5 96 +~~~ + +The labels generated by the HKDF-Expand-Label function are: + +~~~ + tls13 client in: 00 20 0f 74 6c 73 31 33 20 63 6c 69 65 6e 74 20 + 69 6e 00 + + tls13 server in: 00 20 0f 74 6c 73 31 33 20 73 65 72 76 65 72 20 + 69 6e 00 + + tls13 quic key: 00 10 0e 74 6c 73 31 33 20 71 75 69 63 20 6b 65 + 79 00 + + tls13 quic iv: 00 0c 0d 74 6c 73 31 33 20 71 75 69 63 20 69 76 + 00 + tls13 quic hp: 00 10 0d 74 6c 73 31 33 20 71 75 69 63 20 68 70 + 00 +~~~ + +The client initial secret is 32 bytes long: + +~~~ + 8a 35 15 a1 4a e3 c3 1b 9c 2d 6d 5b c5 85 38 ca + 5c d2 ba a1 19 08 71 43 e6 08 87 42 8d cb 52 f6 +~~~ + +Using this secret, we get the following keys (16 bytes) and +initialization vector (12 bytes): + +~~~ + key: 98 b0 d7 e5 e7 a4 02 c6 7c 33 f3 50 fa 65 ea 54 + + hp key: 0e dd 98 2a 6a c5 27 f2 ed dc bb 73 48 de a5 d7 + + IV: 19 e9 43 87 80 5e b0 b4 6c 03 a7 88 +~~~ + +The server initial secret is 32 bytes long: + +~~~ + 47 b2 ea ea 6c 26 6e 32 c0 69 7a 9e 2a 89 8b df + 5c 4f b3 e5 ac 34 f0 e5 49 bf 2c 58 58 1a 38 11 +~~~ + +Using this secret, we get the following keys (16 bytes) and +initialization vector (12 bytes): + +~~~ + key: 9a 8b e9 02 a9 bd d9 1d 16 06 4c a1 18 04 5f b4 + + hp key: 94 b9 45 2d 2b 3c 7c 7f 6d a7 fd d8 59 35 37 fd + + IV: 0a 82 08 6d 32 20 5b a2 22 41 d8 dc +~~~ + + # Change Log > **RFC Editor's Note:** Please remove this section prior to publication of a
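Review bot: In the first hunk (@@ -793,6 +793,9 @@), the added sentence promises "test vectors for the initial packet encryption", but the appendix it points to lists only secrets, HKDF labels, keys, IVs and header protection keys, with no protected packet. Suggest wording it as "test vectors for the Initial packet secrets and keys", which also matches the capitalised "Initial packets" used in the paragraph just above it.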
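Review bot: In the second hunk (@@ -1391,6 +1394,76 @@), the paragraph that introduces the initial secret relies on the salt in {{initial-secrets}} without reproducing it, so the vectors cannot be checked from this appendix alone and will go stale silently if the salt changes; suggest printing the salt bytes next to the Destination Connection ID. The block introduced as "The labels generated by the HKDF-Expand-Label function" shows the whole serialized input (two-byte output length, length-prefixed label, zero-length context) rather than just the labels, so wording such as "The HkdfLabel structures passed to HKDF-Expand" would be more precise. In that same block the "tls13 quic iv" and "tls13 quic hp" entries lack the blank line that separates the other entries, and "32 byte" should read "32-byte".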