Adding a description of stream commitment attacks in security section

draft-ietf-quic-transport.md

@@ -2209,7 +2209,7 @@ MUST terminate the connection with an error of type QUIC_TOO_MANY_OPEN_STREAMS
 ({{error-handling}}).
 
 
-## Stream Concurrency
+## Stream Concurrency {#stream-concurrency}
 
 An endpoint limits the number of concurrently active incoming streams by setting
 the concurrent stream limit (see {{transport-parameter-definitions}}) in the
@@ -2697,6 +2697,32 @@ also be forward-secure encrypted.  Since the attacker will not have the forward
 secure key, the attacker will not be able to generate forward-secure encrypted
 packets with ACK frames.
 
+## Stream Commitment Attack
+
+An adversarial endpoint can open lots of streams,
+exhausting state on the server.
+The adversarial endpoint, or endpoint, could repeat the process on a
+large number of connections, in a manner similar to
+SYN flooding attacks in TCP.
+
+Normally, clients will open streams sequentially,
+as explained in {{stream-identifiers}}.
+However, when several streams are initiated at short intervals,
+transmission error may cause STREAM DATA frames opening streams to be
+received out of sequence. A receiver is obligated to open intervening
+streams if a higher-numbered stream ID is received. Thus, on a
+new connection, opening stream 2000001 opens 1 million streams,
+as required by the specification.
+
+The number of active streams is limited
+by the concurrent stream limit transport
+parameter, as explained in {{stream-concurrency}}.
+If chosen judisciously, this limit
+mitigates the effect of the stream commitment attack.
+However, setting the limit
+too low could affect performance when
+applications expect to open large number
+of streams.
 
 # IANA Considerations