From f74c7faa455fc367f33988894d15f6b9ebe831ef Mon Sep 17 00:00:00 2001
From: Mike Bishop <mbishop@evequefou.be>
Date: Tue, 3 Sep 2019 15:48:34 -0400
Subject: [PATCH 1/2] Security Considerations text for a memory limit

---
 draft-ietf-quic-qpack.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/draft-ietf-quic-qpack.md b/draft-ietf-quic-qpack.md
index 7c3e86ff13..ffc83df6a7 100644
--- a/draft-ietf-quic-qpack.md
+++ b/draft-ietf-quic-qpack.md
@@ -1126,6 +1126,13 @@ HTTP_QPACK_DECODER_STREAM_ERROR (0x202):
 
 TBD.
 
+While the negotiated limit on the dynamic table size accounts for much of the
+memory that can be consumed by a QPACK implementation, data which cannot be
+immediately sent due to flow control is not affected by this limit.
+Implementations MUST limit the size of unsent data, especially on the decoder
+stream where flexibility to choose what to send is limited.  If this limit is
+exceeded, the connection MUST be terminated.
+
 # IANA Considerations
 
 ## Settings Registration

From 76b6f221757b6adc1966f662454e4f2ed3f856ea Mon Sep 17 00:00:00 2001
From: Mike Bishop <mbishop@evequefou.be>
Date: Wed, 4 Sep 2019 14:02:40 -0400
Subject: [PATCH 2/2] Less normative

---
 draft-ietf-quic-qpack.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/draft-ietf-quic-qpack.md b/draft-ietf-quic-qpack.md
index ffc83df6a7..46981dc4f4 100644
--- a/draft-ietf-quic-qpack.md
+++ b/draft-ietf-quic-qpack.md
@@ -1129,9 +1129,11 @@ TBD.
 While the negotiated limit on the dynamic table size accounts for much of the
 memory that can be consumed by a QPACK implementation, data which cannot be
 immediately sent due to flow control is not affected by this limit.
-Implementations MUST limit the size of unsent data, especially on the decoder
-stream where flexibility to choose what to send is limited.  If this limit is
-exceeded, the connection MUST be terminated.
+Implementations should limit the size of unsent data, especially on the decoder
+stream where flexibility to choose what to send is limited.  Possible responses
+to an excess of unsent data might include limiting the ability of the peer to
+open new streams, reading only from the encoder stream, or closing the
+connection.
 
 # IANA Considerations