quicwg · martinthomson · Mar 22, 2020 · Feb 8, 2020 · Jan 8, 2020 · Feb 12, 2020
diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
@@ -1829,10 +1829,24 @@ tokens that would be accepted by the server.  Only the server requires access to
 the integrity protection key for tokens.
 
 There is no need for a single well-defined format for the token because the
-server that generates the token also consumes it.  A token could include
-information about the claimed client address (IP and port), a timestamp, and any
-other supplementary information the server will need to validate the token in
-the future.
+server that generates the token also consumes it.  Tokens sent in Retry packets
+SHOULD include information that allows the server to verify that the source IP
+address and port in client packets remains constant.
+
+Tokens sent in NEW_TOKEN frames MUST include information that allows the server
+to verify that the client IP address has not changed from when the token was
+issued. Servers can use tokens from NEW_TOKEN in deciding not to send a Retry
+packet, even if the client address has changed. If the client IP address has
+changed, the server MUST adhere to the anti-amplification limits found in
+{{validate-handshake}}.  Note that in the presence of NAT, this requirement
+might be insufficient to protect other hosts that share the NAT from
+amplification attack.
+
+Servers MUST ensure that replay of tokens is prevented or limited.  For
+instance, servers might limit the time over which a token is accepted.  Tokens
+provided in NEW_TOKEN frames might need to allow longer validity periods.
+Tokens MAY include additional information about clients to further narrow
+applicability or reuse.
 
 
 ## Path Validation {#migrate-validate}