diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md index 44d840f92e..0d55ef83a9 100644 --- a/draft-ietf-quic-transport.md +++ b/draft-ietf-quic-transport.md @@ -3481,8 +3481,10 @@ Reserved Bits (R): packet types. These bits are protected using header protection (see Section 5.4 of {{QUIC-TLS}}). The value included prior to protection MUST be set to 0. An endpoint MUST treat receipt of a packet that has a non-zero value for these - bits after removing protection as a connection error of type - PROTOCOL_VIOLATION. + bits, after removing both packet and header protection, as a connection error + of type PROTOCOL_VIOLATION. Discarding such a packet after only removing + header protection can expose the endpoint to attacks (see Section 9.3 of + {{QUIC-TLS}}). Packet Number Length (P): @@ -3932,8 +3934,10 @@ Reserved Bits (R): bits are protected using header protection (see Section 5.4 of {{QUIC-TLS}}). The value included prior to protection MUST be set to 0. An endpoint MUST treat receipt of a packet that has a non-zero value for these - bits after removing protection as a connection error of type - PROTOCOL_VIOLATION. + bits, after removing both packet and header protection, as a connection error + of type PROTOCOL_VIOLATION. Discarding such a packet after only removing + header protection can expose the endpoint to attacks (see Section 9.3 of + {{QUIC-TLS}}). Key Phase (K):
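Review bot: In the hunk at @@ -3481, the added sentence "Discarding such a packet after only removing header protection can expose the endpoint to attacks" does not line up with the requirement it follows. That requirement is to treat the packet as a connection error of type PROTOCOL_VIOLATION, not to discard it. As written, the warning covers only the discard case and leaves open whether raising the error before packet protection is removed is acceptable. Suggest wording that covers any reaction to the bits, for example "Acting on the value of these bits after only removing header protection can expose the endpoint to attacks". Separately, "both packet and header protection" names the layers in the reverse of the order a receiver removes them, since header protection comes off first; "both header and packet protection" would match the processing order and the "after only removing header protection" phrasing in the next sentence.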
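Review bot: In the hunk at @@ -3932 (the Reserved Bits entry that precedes Key Phase (K)), the four added lines are word for word the same as those in the hunk at @@ -3481, so the MUST and its warning now exist in two places and can drift apart in later edits. Consider stating the rule once and having the second entry refer to it, or at least keeping the two paragraphs in sync by a comment in the source. The phrase "can expose the endpoint to attacks" is also unspecific. A few words naming what an implementer is being protected from would let the sentence stand without a lookup of Section 9.3 of {{QUIC-TLS}}, and would make it clearer why the check has to wait until packet protection has been removed.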