diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index e39aa7c870..4db85d2ef7 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -6950,8 +6950,8 @@ Because the migration attack described in
 {{request-forgery-with-spoofed-migration}} is quite powerful and does not have
 adequate countermeasures, QUIC server implementations should assume that
 attackers can cause them to generate arbitrary UDP payloads to arbitrary
-destinations. QUIC servers SHOULD NOT be deployed in networks that also have
-inadequately secured UDP endpoints.
+destinations. QUIC servers SHOULD NOT be deployed in networks that do not deploy
+ingress filtering {{!BCP38}} and also have inadequately secured UDP endpoints.
 
 Although it is not generally possible to ensure that clients are not co-located
 with vulnerable endpoints, this version of QUIC does not allow servers to