From 59c6be51ed13e20b7bb140cd1525cebad4cf93be Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Fri, 30 Apr 2021 16:20:06 +1000
Subject: [PATCH 01/16] Final batch of text changes for transport

Now I have to scrub the XML...
---
 draft-ietf-quic-transport.md | 314 +++++++++++++++++------------------
 1 file changed, 152 insertions(+), 162 deletions(-)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index f19b33a50c..b6a8419edd 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -73,6 +73,7 @@ normative:
         role: editor
 
   TLS13: RFC8446
+  RFC8126:
 
 informative:
 
@@ -6545,26 +6546,25 @@ descriptions of known attacks and countermeasures.
 
 A complete security analysis of QUIC is outside the scope of this document.
 This section provides an informal description of the desired security properties
-as an aid to implementors and to help guide protocol analysis.
+as an aid to implementers and to help guide protocol analysis.
 
 QUIC assumes the threat model described in {{?SEC-CONS=RFC3552}} and provides
 protections against many of the attacks that arise from that model.
 
 For this purpose, attacks are divided into passive and active attacks.  Passive
-attackers have the capability to read packets from the network, while active
-attackers also have the capability to write packets into the network.  However,
-a passive attack could involve an attacker with the ability to cause a routing
+attackers have the ability to read packets from the network, while active
+attackers also have the ability to write packets into the network.  However, a
+passive attack could involve an attacker with the ability to cause a routing
 change or other modification in the path taken by packets that comprise a
 connection.
 
 Attackers are additionally categorized as either on-path attackers or off-path
-attackers.  An on-path attacker can read,
-modify, or remove any packet it observes such that it no longer reaches its
-destination, while an off-path attacker observes the packets, but cannot prevent
-the original packet from reaching its intended destination.  Both types of
-attackers can also transmit arbitrary packets.  This definition differs from
-that of {{Section 3.5 of SEC-CONS}} in that an off-path attacker is able to
-observe packets.
+attackers.  An on-path attacker can read, modify, or remove any packet it
+observes such that the packet no longer reaches its destination, while an
+off-path attacker observes the packets but cannot prevent the original packet
+from reaching its intended destination.  Both types of attackers can also
+transmit arbitrary packets.  This definition differs from that of {{Section 3.5
+of SEC-CONS}} in that an off-path attacker is able to observe packets.
 
 Properties of the handshake, protected packets, and connection migration are
 considered separately.
@@ -6625,7 +6625,7 @@ new connection establishment without incurring this cost.
 
 An on-path or off-path attacker can force a handshake to fail by replacing or
 racing Initial packets. Once valid Initial packets have been exchanged,
-subsequent Handshake packets are protected with the handshake keys and an
+subsequent Handshake packets are protected with the Handshake keys and an
 on-path attacker cannot force handshake failure other than by dropping packets
 to cause endpoints to abandon the attempt.
 
@@ -6665,14 +6665,14 @@ Both on-path and off-path attackers can mount a passive attack in which they
 save observed packets for an offline attack against packet protection at a
 future time; this is true for any observer of any packet on any network.
 
-A blind attacker, one who injects packets without being able to observe valid
-packets for a connection, is unlikely to be successful, since packet protection
-ensures that valid packets are only generated by endpoints that possess the
-key material established during the handshake; see {{handshake}} and
-{{handshake-properties}}. Similarly, any active attacker that observes packets
+An attacker that injects packets without being able to observe valid packets for
+a connection is unlikely to be successful, since packet protection ensures that
+valid packets are only generated by endpoints that possess the key material
+established during the handshake; see Sections {{<handshake}} and
+{{<handshake-properties}}. Similarly, any active attacker that observes packets
 and attempts to insert new data or modify existing data in those packets should
-not be able to generate packets deemed valid by the receiving endpoint,
-other than Initial packets.
+not be able to generate packets deemed valid by the receiving endpoint, other
+than Initial packets.
 
 A spoofing attack, in which an active attacker rewrites unprotected parts of a
 packet that it forwards or injects, such as the source or destination
@@ -6682,7 +6682,7 @@ processed by the endpoints that completed the handshake, and invalid
 packets are ignored by those endpoints.
 
 An attacker can also modify the boundaries between packets and UDP datagrams,
-causing multiple packets to be coalesced into a single datagram, or splitting
+causing multiple packets to be coalesced into a single datagram or splitting
 coalesced packets into multiple datagrams. Aside from datagrams containing
 Initial packets, which require padding, modification of how packets are
 arranged in datagrams has no functional effect on a connection, although it
@@ -6691,7 +6691,7 @@ might change some performance characteristics.
 
 ### Connection Migration {#migration-properties}
 
-Connection Migration ({{migration}}) provides endpoints with the ability to
+Connection migration ({{migration}}) provides endpoints with the ability to
 transition between IP addresses and ports on multiple paths, using one path at a
 time for transmission and receipt of non-probing frames.  Path validation
 ({{migrate-validate}}) establishes that a peer is both willing and able
@@ -6724,8 +6724,8 @@ An on-path attacker cannot:
 - Modify an authenticated portion of a packet and cause the recipient to accept
   that packet
 
-An on-path attacker has the opportunity to modify the packets that it observes,
-however any modifications to an authenticated portion of a packet will cause it
+An on-path attacker has the opportunity to modify the packets that it observes;
+however, any modifications to an authenticated portion of a packet will cause it
 to be dropped by the receiving endpoint as invalid, as packet payloads are both
 authenticated and encrypted.
 
@@ -6752,7 +6752,7 @@ properties:
 
 #### Off-Path Active Attacks
 
-An off-path attacker is not directly on the path between a client and server,
+An off-path attacker is not directly on the path between a client and server
 but could be able to obtain copies of some or all packets sent between the
 client and the server. It is also able to send copies of those packets to
 either endpoint.
@@ -6860,19 +6860,20 @@ same reasons.
 
 ## Handshake Denial of Service {#handshake-dos}
 
-As an encrypted and authenticated transport QUIC provides a range of protections
-against denial of service.  Once the cryptographic handshake is complete, QUIC
-endpoints discard most packets that are not authenticated, greatly limiting the
-ability of an attacker to interfere with existing connections.
+As an encrypted and authenticated transport, QUIC provides a range of
+protections against denial of service.  Once the cryptographic handshake is
+complete, QUIC endpoints discard most packets that are not authenticated,
+greatly limiting the ability of an attacker to interfere with existing
+connections.
 
-Once a connection is established QUIC endpoints might accept some
-unauthenticated ICMP packets (see {{pmtud}}), but the use of these packets
-is extremely limited.  The only other type of packet that an endpoint might
-accept is a stateless reset ({{stateless-reset}}), which relies on the token
-being kept secret until it is used.
+Once a connection is established, QUIC endpoints might accept some
+unauthenticated ICMP packets (see {{pmtud}}), but the use of these packets is
+extremely limited.  The only other type of packet that an endpoint might accept
+is a stateless reset ({{stateless-reset}}), which relies on the token being kept
+secret until it is used.
 
 During the creation of a connection, QUIC only provides protection against
-attack from off the network path.  All QUIC packets contain proof that the
+attacks from off the network path.  All QUIC packets contain proof that the
 recipient saw a preceding packet from its peer.
 
 Addresses cannot change during the handshake, so endpoints can discard packets
@@ -6881,7 +6882,7 @@ that are received on a different network path.
 The Source and Destination Connection ID fields are the primary means of
 protection against off-path attack during the handshake; see
 {{validate-handshake}}.  These are required to match those set by a peer.
-Except for an Initial and stateless reset packets, an endpoint only accepts
+Except for Initial and stateless reset packets, an endpoint only accepts
 packets that include a Destination Connection ID field that matches a value the
 endpoint previously chose.  This is the only protection offered for Version
 Negotiation packets.
@@ -6945,7 +6946,7 @@ the network.
 For request forgery to be effective, an attacker needs to be able to influence
 what packets the peer sends and where these packets are sent. If an attacker
 can target a vulnerable service with a controlled payload, that service might
-perform actions that are attributed to the attacker's peer, but decided by the
+perform actions that are attributed to the attacker's peer but decided by the
 attacker.
 
 For example, cross-site request forgery {{?CSRF=DOI.10.1145/1455770.1455782}}
@@ -6966,7 +6967,7 @@ attacks.
 This section also describes limited countermeasures that can be implemented by
 QUIC endpoints. These mitigations can be employed unilaterally by a QUIC
 implementation or deployment, without potential targets for request forgery
-attacks taking action. However these countermeasures could be insufficient if
+attacks taking action. However, these countermeasures could be insufficient if
 UDP-based services do not properly authorize requests.
 
 Because the migration attack described in
@@ -6979,7 +6980,7 @@ ingress filtering {{!BCP38}} and also have inadequately secured UDP endpoints.
 Although it is not generally possible to ensure that clients are not co-located
 with vulnerable endpoints, this version of QUIC does not allow servers to
 migrate, thus preventing spoofed migration attacks on clients.  Any future
-extension which allows server migration MUST also define countermeasures for
+extension that allows server migration MUST also define countermeasures for
 forgery attacks.
 
 
@@ -6989,7 +6990,8 @@ QUIC offers some opportunities for an attacker to influence or control where
 its peer sends UDP datagrams:
 
 * initial connection establishment ({{handshake}}), where a server is able to
-  choose where a client sends datagrams, for example by populating DNS records;
+  choose where a client sends datagrams -- for example, by populating DNS
+  records;
 
 * preferred addresses ({{preferred-address}}), where a server is able to choose
   where a client sends datagrams;
@@ -6999,7 +7001,7 @@ its peer sends UDP datagrams:
   datagrams; and
 
 * spoofed packets that cause a server to send a Version Negotiation packet
-  {{vn-spoofing}}.
+  ({{vn-spoofing}}).
 
 In all cases, the attacker can cause its peer to send datagrams to a
 victim that might not understand QUIC. That is, these packets are sent by
@@ -7033,9 +7035,9 @@ used for request forgery.
 
 An attacker acting as a server can choose the IP address and port on which it
 advertises its availability, so Initial packets from clients are assumed to be
-available for use in this sort of attack. The address validation implicit in
-the handshake ensures that - for a new connection - a client will not send
-other types of packet to a destination that does not understand QUIC or is not
+available for use in this sort of attack. The address validation implicit in the
+handshake ensures that -- for a new connection -- a client will not send other
+types of packets to a destination that does not understand QUIC or is not
 willing to accept a QUIC connection.
 
 Initial packet protection ({{Section 5.2 of QUIC-TLS}}) makes it difficult for
@@ -7044,18 +7046,18 @@ choosing an unpredictable Destination Connection ID ensures that servers are
 unable to control any of the encrypted portion of Initial packets from clients.
 
 However, the Token field is open to server control and does allow a server to
-use clients to mount request forgery attacks. Use of tokens provided with the
-NEW_TOKEN frame ({{validate-future}}) offers the only option for request
+use clients to mount request forgery attacks. The use of tokens provided with
+the NEW_TOKEN frame ({{validate-future}}) offers the only option for request
 forgery during connection establishment.
 
-Clients however are not obligated to use the NEW_TOKEN frame. Request forgery
+Clients, however, are not obligated to use the NEW_TOKEN frame. Request forgery
 attacks that rely on the Token field can be avoided if clients send an empty
 Token field when the server address has changed from when the NEW_TOKEN frame
 was received.
 
 Clients could avoid using NEW_TOKEN if the server address changes. However, not
 including a Token field could adversely affect performance. Servers could rely
-on NEW_TOKEN to enable sending of data in excess of the three times limit on
+on NEW_TOKEN to enable sending of data in excess of the three-times limit on
 sending data; see {{validate-handshake}}. In particular, this affects cases
 where clients use 0-RTT to request data from servers.
 
@@ -7100,17 +7102,17 @@ can adversely affect performance. If the server sends frames carrying
 application data, an attacker might be able to control most of the content of
 datagrams.
 
-This document does not offer specific countermeasures that can be implemented
-by endpoints aside from the generic measures described in {{forgery-generic}}.
-However, countermeasures for address spoofing at the network level, in
-particular ingress filtering {{?BCP38=RFC2827}}, are especially effective
+This document does not offer specific countermeasures that can be implemented by
+endpoints, aside from the generic measures described in {{forgery-generic}}.
+However, countermeasures for address spoofing at the network level -- in
+particular, ingress filtering {{?BCP38=RFC2827}} -- are especially effective
 against attacks that use spoofing and originate from an external network.
 
 
 ### Request Forgery with Version Negotiation {#vn-spoofing}
 
 Clients that are able to present a spoofed source address on a packet can cause
-a server to send a Version Negotiation packet {{packet-version}} to that
+a server to send a Version Negotiation packet ({{packet-version}}) to that
 address.
 
 The absence of size restrictions on the connection ID fields for packets of an
@@ -7120,7 +7122,7 @@ and the next four bytes are zero, but the client is able to control up to 512
 bytes starting from the fifth byte.
 
 No specific countermeasures are provided for this attack, though generic
-protections {{forgery-generic}} could apply.  In this case, ingress filtering
+protections ({{forgery-generic}}) could apply.  In this case, ingress filtering
 {{?BCP38}} is also effective.
 
 
@@ -7128,10 +7130,10 @@ protections {{forgery-generic}} could apply.  In this case, ingress filtering
 
 The most effective defense against request forgery attacks is to modify
 vulnerable services to use strong authentication. However, this is not always
-something that is within the control of a QUIC deployment. This section
-outlines some others steps that QUIC endpoints could take unilaterally. These
-additional steps are all discretionary as, depending on circumstances, they
-could interfere with or prevent legitimate uses.
+something that is within the control of a QUIC deployment. This section outlines
+some other steps that QUIC endpoints could take unilaterally. These additional
+steps are all discretionary, because, depending on circumstances, they could
+interfere with or prevent legitimate uses.
 
 Services offered over loopback interfaces often lack proper authentication.
 Endpoints MAY prevent connection attempts or migration to a loopback address.
@@ -7141,7 +7143,7 @@ was provided by a service at a non-loopback address. Endpoints that depend on
 these capabilities could offer an option to disable these protections.
 
 Similarly, endpoints could regard a change in address to link-local address
-{{?RFC4291}} or an address in a private use range {{?RFC1918}} from a global,
+{{?RFC4291}} or an address in a private-use range {{?RFC1918}} from a global,
 unique-local {{?RFC4193}}, or non-private address as a potential attempt at
 request forgery. Endpoints could refuse to use these addresses entirely, but
 that carries a significant risk of interfering with legitimate uses. Endpoints
@@ -7173,7 +7175,7 @@ Note:
 
 ## Slowloris Attacks
 
-The attacks commonly known as Slowloris ({{SLOWLORIS}}) try to keep many
+The attacks commonly known as Slowloris {{SLOWLORIS}} try to keep many
 connections to the target endpoint open and hold them open as long as possible.
 These attacks can be executed against a QUIC endpoint by generating the minimum
 amount of activity necessary to avoid being closed for inactivity.  This might
@@ -7200,17 +7202,16 @@ stream data in an attempt to force the sender to store the unacknowledged stream
 data for retransmission.
 
 The attack on receivers is mitigated if flow control windows correspond to
-available memory.  However, some receivers will over-commit memory and
-advertise flow control offsets in the aggregate that exceed actual available
-memory.  The over-commitment strategy can lead to better performance when
-endpoints are well behaved, but renders endpoints vulnerable to the stream
-fragmentation attack.
+available memory.  However, some receivers will overcommit memory and advertise
+flow control offsets in the aggregate that exceed actual available memory.  The
+overcommitment strategy can lead to better performance when endpoints are well
+behaved, but renders endpoints vulnerable to the stream fragmentation attack.
 
-QUIC deployments SHOULD provide mitigations against stream fragmentation
-attacks.  Mitigations could consist of avoiding over-committing memory,
-limiting the size of tracking data structures, delaying reassembly
-of STREAM frames, implementing heuristics based on the age and
-duration of reassembly holes, or some combination.
+QUIC deployments SHOULD provide mitigations for stream fragmentation attacks.
+Mitigations could consist of avoiding overcommitting memory, limiting the size
+of tracking data structures, delaying reassembly of STREAM frames, implementing
+heuristics based on the age and duration of reassembly holes, or some
+combination of these.
 
 
 ## Stream Commitment Attack
@@ -7239,8 +7240,9 @@ streams.
 ## Peer Denial of Service {#useless}
 
 QUIC and TLS both contain frames or messages that have legitimate uses in some
-contexts, but that can be abused to cause a peer to expend processing resources
-without having any observable impact on the state of the connection.
+contexts, but these frames or messages can be abused to cause a peer to expend
+processing resources without having any observable impact on the state of the
+connection.
 
 Messages can also be used to change and revert state in small or inconsequential
 ways, such as by sending small increments to flow control limits.
@@ -7252,7 +7254,7 @@ exhaust processing capacity.
 While there are legitimate uses for all messages, implementations SHOULD track
 cost of processing relative to progress and treat excessive quantities of any
 non-productive packets as indicative of an attack.  Endpoints MAY respond to
-this condition with a connection error, or by dropping packets.
+this condition with a connection error or by dropping packets.
 
 
 ## Explicit Congestion Notification Attacks {#security-ecn}
@@ -7271,25 +7273,26 @@ successfully processed; see {{ecn}}.
 
 ## Stateless Reset Oracle {#reset-oracle}
 
-Stateless resets create a possible denial of service attack analogous to a TCP
+Stateless resets create a possible denial-of-service attack analogous to a TCP
 reset injection. This attack is possible if an attacker is able to cause a
 stateless reset token to be generated for a connection with a selected
 connection ID. An attacker that can cause this token to be generated can reset
 an active connection with the same connection ID.
 
-If a packet can be routed to different instances that share a static key, for
-example by changing an IP address or port, then an attacker can cause the server
-to send a stateless reset.  To defend against this style of denial of service,
-endpoints that share a static key for stateless reset (see {{reset-token}}) MUST
-be arranged so that packets with a given connection ID always arrive at an
-instance that has connection state, unless that connection is no longer active.
+If a packet can be routed to different instances that share a static key -- for
+example, by changing an IP address or port -- then an attacker can cause the
+server to send a stateless reset.  To defend against this style of denial of
+service, endpoints that share a static key for stateless resets (see
+{{reset-token}}) MUST be arranged so that packets with a given connection ID
+always arrive at an instance that has connection state, unless that connection
+is no longer active.
 
 More generally, servers MUST NOT generate a stateless reset if a connection with
 the corresponding connection ID could be active on any endpoint using the same
 static key.
 
 In the case of a cluster that uses dynamic load balancing, it is possible that a
-change in load balancer configuration could occur while an active instance
+change in load-balancer configuration could occur while an active instance
 retains connection state.  Even if an instance retains connection state, the
 change in routing and resulting stateless reset will result in the connection
 being terminated.  If there is no chance of the packet being routed to the
@@ -7300,8 +7303,8 @@ be influenced by an attacker.
 
 ## Version Downgrade {#version-downgrade}
 
-This document defines QUIC Version Negotiation packets in
-{{version-negotiation}} that can be used to negotiate the QUIC version used
+This document defines QUIC Version Negotiation packets
+({{version-negotiation}}), which can be used to negotiate the QUIC version used
 between two endpoints. However, this document does not specify how this
 negotiation will be performed between this version and subsequent future
 versions.  In particular, Version Negotiation packets do not contain any
@@ -7325,10 +7328,10 @@ The length of QUIC packets can reveal information about the length of the
 content of those packets.  The PADDING frame is provided so that endpoints have
 some ability to obscure the length of packet content; see {{frame-padding}}.
 
-Note however that defeating traffic analysis is challenging and the subject of
-active research.  Length is not the only way that information might leak.
-Endpoints might also reveal sensitive information through other side channels,
-such as the timing of packets.
+Defeating traffic analysis is challenging and the subject of active research.
+Length is not the only way that information might leak.  Endpoints might also
+reveal sensitive information through other side channels, such as the timing of
+packets.
 
 
 # IANA Considerations {#iana}
@@ -7347,17 +7350,17 @@ registries.
 
 ### Provisional Registrations {#iana-provisional}
 
-Provisional registration of codepoints are intended to allow for private use and
-experimentation with extensions to QUIC.  Provisional registrations only require
-the inclusion of the codepoint value and contact information.  However,
+Provisional registrations of codepoints are intended to allow for private use
+and experimentation with extensions to QUIC.  Provisional registrations only
+require the inclusion of the codepoint value and contact information.  However,
 provisional registrations could be reclaimed and reassigned for another purpose.
 
-Provisional registrations require Expert Review, as defined in {{Section 4.5
-of RFC8126}}. Designated expert(s) are advised that only registrations for an
-excessive proportion of remaining codepoint space or the very first unassigned
-value (see {{iana-random}}) can be rejected.
+Provisional registrations require Expert Review, as defined in {{Section 4.5 of
+RFC8126}}. The designated expert or experts are advised that only registrations
+for an excessive proportion of remaining codepoint space or the very first
+unassigned value (see {{iana-random}}) can be rejected.
 
-Provisional registrations will include a date field that indicates when the
+Provisional registrations will include a Date field that indicates when the
 registration was last updated.  A request to update the date on any provisional
 registration can be made without review from the designated expert(s).
 
@@ -7374,7 +7377,7 @@ Specification:
 : A reference to a publicly available specification for the value.
 
 Date:
-: The date of last update to the registration.
+: The date of the last update to the registration.
 
 Change Controller:
 : The entity that is responsible for the definition of the registration.
@@ -7387,7 +7390,7 @@ Notes:
 
 Provisional registrations MAY omit the Specification and Notes fields, plus any
 additional fields that might be required for a permanent registration.  The Date
-field is not required as part of requesting a registration as it is set to the
+field is not required as part of requesting a registration, as it is set to the
 date the registration is created or updated.
 
 
@@ -7399,7 +7402,7 @@ codepoint in the selected space.  Requests for multiple codepoints MAY use a
 contiguous range.  This minimizes the risk that differing semantics are
 attributed to the same codepoint by different implementations.
 
-Use of the first unassigned codepoint is reserved for allocation using the
+The use of the first unassigned codepoint is reserved for allocation using the
 Standards Action policy; see {{Section 4.9 of RFC8126}}.  The early codepoint
 assignment process {{!EARLY-ASSIGN=RFC7120}} can be used for these values.
 
@@ -7419,15 +7422,15 @@ codepoint is unassigned and the requirements of the registration policy are met.
 A request might be made to remove an unused provisional registration from the
 registry to reclaim space in a registry, or portion of the registry (such as the
 64-16383 range for codepoints that use variable-length encodings).  This SHOULD
-be done only for the codepoints with the earliest recorded date and entries that
-have been updated less than a year prior SHOULD NOT be reclaimed.
+be done only for the codepoints with the earliest recorded date, and entries
+that have been updated less than a year prior SHOULD NOT be reclaimed.
 
-A request to remove a codepoint MUST be reviewed by the designated expert(s).
-The expert(s) MUST attempt to determine whether the codepoint is still in use.
+A request to remove a codepoint MUST be reviewed by the designated experts.  The
+experts MUST attempt to determine whether the codepoint is still in use.
 Experts are advised to contact the listed contacts for the registration, plus as
 wide a set of protocol implementers as possible in order to determine whether
-any use of the codepoint is known.  The expert(s) are advised to allow at least
-four weeks for responses.
+any use of the codepoint is known.  The experts are also advised to allow at
+least four weeks for responses.
 
 If any use of the codepoints is identified by this search or a request to update
 the registration is made, the codepoint MUST NOT be reclaimed.  Instead, the
@@ -7439,24 +7442,24 @@ registration, the codepoint MAY be removed from the registry.
 
 This review and consultation process also applies to requests to change a
 provisional registration into a permanent registration, except that the goal is
-not to determine whether there is no use of the codepoint, but to determine that
+not to determine whether there is no use of the codepoint but to determine that
 the registration is an accurate representation of any deployed usage.
 
 
 ### Permanent Registrations {#iana-permanent}
 
 Permanent registrations in QUIC registries use the Specification Required policy
-({{!RFC8126}}), unless otherwise specified.  The designated expert(s) verify
-that a specification exists and is readily accessible.  Expert(s) are encouraged
-to be biased towards approving registrations unless they are abusive, frivolous,
-or actively harmful (not merely aesthetically displeasing, or architecturally
-dubious).  The creation of a registry MAY specify additional constraints on
-permanent registrations.
+({{Section 4.6 of RFC8126}}), unless otherwise specified.  The designated expert
+or experts verify that a specification exists and is readily accessible.
+Experts are encouraged to be biased towards approving registrations unless they
+are abusive, frivolous, or actively harmful (not merely aesthetically
+displeasing or architecturally dubious).  The creation of a registry MAY specify
+additional constraints on permanent registrations.
 
 The creation of a registry MAY identify a range of codepoints where
 registrations are governed by a different registration policy.  For instance,
-the frame type registry in {{iana-frames}} has a stricter policy for codepoints
-in the range from 0 to 63.
+the "QUIC Frame Types" registry ({{iana-frames}}) has a stricter policy for
+codepoints in the range from 0 to 63.
 
 Any stricter requirements for permanent registrations do not prevent provisional
 registrations for affected codepoints.  For instance, a provisional registration
@@ -7465,48 +7468,37 @@ for a frame type of 61 could be requested.
 All registrations made by Standards Track publications MUST be permanent.
 
 All registrations in this document are assigned a permanent status and list a
-change controller of the IETF and a contact of the QUIC working group
+change controller of the IETF and a contact of the QUIC Working Group
 (quic@ietf.org).
 
 
 ## QUIC Versions Registry {#iana-version}
 
-IANA \[SHALL add/has added] a registry for "QUIC Versions" under a "QUIC"
-heading.
+IANA has added a registry for "QUIC Versions" under a "QUIC" heading.
 
 The "QUIC Versions" registry governs a 32-bit space; see {{versions}}. This
 registry follows the registration policy from {{iana-policy}}. Permanent
 registrations in this registry are assigned using the Specification Required
-policy ({{!RFC8126}}).
+policy ({{Section 4.6 of RFC8126}}).
 
-The codepoint of 0x00000001 to the protocol is assigned with permanent status
-to the protocol defined in this document. The codepoint of 0x00000000 is
-permanently reserved; the note for this codepoint \[shall] indicate\[s] that
-this version is reserved for Version Negotiation.
+The codepoint of 0x00000001 to the protocol is assigned with permanent status to
+the protocol defined in this document. The codepoint of 0x00000000 is
+permanently reserved; the note for this codepoint indicates that this version is
+reserved for Version Negotiation.
 
 All codepoints that follow the pattern 0x?a?a?a?a are reserved and MUST NOT be
-assigned by IANA and MUST NOT appear in the listing of assigned values.
-
-\[\[RFC editor: please remove the following note before publication.]]
+assigned by IANA, and MUST NOT appear in the listing of assigned values.
 
-IANA note:
 
-: Several pre-standardization versions will likely be in use at the time of
-  publication. There is no need to document these in an RFC, but recording
-  information about these version will ensure that the information in the
-  registry is accurate.  The document editors or working group chairs can
-  facilitate getting the necessary information.
+## QUIC Transport Parameters Registry {#iana-transport-parameters}
 
-
-## QUIC Transport Parameter Registry {#iana-transport-parameters}
-
-IANA \[SHALL add/has added] a registry for "QUIC Transport Parameters" under a
-"QUIC" heading.
+IANA has added a registry for "QUIC Transport Parameters" under a "QUIC"
+heading.
 
 The "QUIC Transport Parameters" registry governs a 62-bit space.  This registry
 follows the registration policy from {{iana-policy}}.  Permanent registrations
 in this registry are assigned using the Specification Required policy
-({{!RFC8126}}).
+({{Section 4.6 of RFC8126}}).
 
 In addition to the fields in {{iana-provisional}}, permanent registrations in
 this registry MUST include the following field:
@@ -7536,7 +7528,7 @@ The initial contents of this registry are shown in {{iana-tp-table}}.
 | 0x0e | active_connection_id_limit  | {{transport-parameter-definitions}} |
 | 0x0f | initial_source_connection_id | {{transport-parameter-definitions}} |
 | 0x10 | retry_source_connection_id  | {{transport-parameter-definitions}} |
-{: #iana-tp-table title="Initial QUIC Transport Parameters Entries"}
+{: #iana-tp-table title="Initial QUIC Transport Parameters Registry Entries"}
 
 Each value of the format `31 * N + 27` for integer values of N (that is, 27, 58,
 89, ...) are reserved; these values MUST NOT be assigned by IANA and MUST NOT
@@ -7545,15 +7537,14 @@ appear in the listing of assigned values.
 
 ## QUIC Frame Types Registry {#iana-frames}
 
-IANA \[SHALL add/has added] a registry for "QUIC Frame Types" under a
-"QUIC" heading.
+IANA has added a registry for "QUIC Frame Types" under a "QUIC" heading.
 
 The "QUIC Frame Types" registry governs a 62-bit space. This registry follows
 the registration policy from {{iana-policy}}. Permanent registrations in this
-registry are assigned using the Specification Required policy ({{!RFC8126}}),
-except for values between 0x00 and 0x3f (in hexadecimal; inclusive), which are
-assigned using Standards Action or IESG Approval as defined in {{Sections 4.9
-and 4.10 of RFC8126}}.
+registry are assigned using the Specification Required policy ({{Section 4.6 of
+RFC8126}}), except for values between 0x00 and 0x3f (in hexadecimal), inclusive,
+which are assigned using Standards Action or IESG Approval as defined in
+{{Sections 4.9 and 4.10 of RFC8126}}.
 
 In addition to the fields in {{iana-provisional}}, permanent registrations in
 this registry MUST include the following field:
@@ -7576,15 +7567,15 @@ that the registry does not include the "Pkts" and "Spec" columns from
 
 ## QUIC Transport Error Codes Registry {#iana-error-codes}
 
-IANA \[SHALL add/has added] a registry for "QUIC Transport Error Codes" under a
-"QUIC" heading.
+IANA has added a registry for "QUIC Transport Error Codes" under a "QUIC"
+heading.
 
 The "QUIC Transport Error Codes" registry governs a 62-bit space.  This space is
 split into three regions that are governed by different policies.  Permanent
 registrations in this registry are assigned using the Specification Required
-policy ({{!RFC8126}}), except for values between 0x00 and 0x3f (in hexadecimal;
-inclusive), which are assigned using Standards Action or IESG Approval as
-defined in {{Sections 4.9 and 4.10 of RFC8126}}.
+policy ({{Section 4.6 of RFC8126}}), except for values between 0x00 and 0x3f (in
+hexadecimal), inclusive, which are assigned using Standards Action or IESG
+Approval as defined in {{Sections 4.9 and 4.10 of RFC8126}}.
 
 In addition to the fields in {{iana-provisional}}, permanent registrations in
 this registry MUST include the following fields:
@@ -7613,13 +7604,13 @@ The initial contents of this registry are shown in {{iana-error-table}}.
 | 0x08  | TRANSPORT_PARAMETER_ERROR | Error in transport parameters | {{error-codes}} |
 | 0x09  | CONNECTION_ID_LIMIT_ERROR | Too many connection IDs received | {{error-codes}} |
 | 0x0a  | PROTOCOL_VIOLATION        | Generic protocol violation    | {{error-codes}} |
-| 0x0b  | INVALID_TOKEN             | Invalid Token Received        | {{error-codes}} |
+| 0x0b  | INVALID_TOKEN             | Invalid Token received        | {{error-codes}} |
 | 0x0c  | APPLICATION_ERROR         | Application error             | {{error-codes}} |
 | 0x0d  | CRYPTO_BUFFER_EXCEEDED    | CRYPTO data buffer overflowed | {{error-codes}} |
 | 0x0e  | KEY_UPDATE_ERROR          | Invalid packet protection update | {{error-codes}} |
 | 0x0f  | AEAD_LIMIT_REACHED        | Excessive use of packet protection keys | {{error-codes}} |
 | 0x10  | NO_VIABLE_PATH            | No viable network path exists | {{error-codes}} |
-{: #iana-error-table title="Initial QUIC Transport Error Codes Entries"}
+{: #iana-error-table title="Initial QUIC Transport Error Codes Registry Entries"}
 
 
 --- back
@@ -7630,14 +7621,14 @@ The pseudocode in this section describes sample algorithms.  These algorithms
 are intended to be correct and clear, rather than being optimally performant.
 
 The pseudocode segments in this section are licensed as Code Components; see the
-copyright notice.
+Copyright Notice.
 
 
 ## Sample Variable-Length Integer Decoding {#sample-varint}
 
-The pseudocode in {{alg-varint}} shows how a variable-length integer can be
-read from a stream of bytes.  The function ReadVarint takes a single argument, a
-sequence of bytes which can be read in network byte order.
+The pseudocode in {{alg-varint}} shows how a variable-length integer can be read
+from a stream of bytes.  The function ReadVarint takes a single argument -- a
+sequence of bytes, which can be read in network byte order.
 
 ~~~
 ReadVarint(data):
@@ -7670,7 +7661,7 @@ an appropriate size for packet number encodings.
 The EncodePacketNumber function takes two arguments:
 
 * full_pn is the full packet number of the packet being sent.
-* largest_acked is the largest packet number which has been acknowledged by the
+* largest_acked is the largest packet number that has been acknowledged by the
   peer in the current packet number space, if any.
 
 ~~~
@@ -7761,18 +7752,17 @@ implement different methods.
 
 The path is assigned an ECN state that is one of "testing", "unknown", "failed",
 or "capable".  On paths with a "testing" or "capable" state the endpoint sends
-packets with an ECT marking, by default ECT(0); otherwise, the endpoint sends
+packets with an ECT marking -- ECT(0) by default; otherwise, the endpoint sends
 unmarked packets.
 
-To start testing a path, the ECN state is set to "testing" and existing ECN
+To start testing a path, the ECN state is set to "testing", and existing ECN
 counts are remembered as a baseline.
 
-The testing period runs for a number of packets or a limited time, as
-determined by the endpoint.  The goal is not to limit the duration of the
-testing period, but to ensure that enough marked packets are sent for received
-ECN counts to provide a clear indication of how the path treats marked packets.
-{{ecn-validation}} suggests limiting this to 10 packets or 3 times the probe
-timeout.
+The testing period runs for a number of packets or a limited time, as determined
+by the endpoint.  The goal is not to limit the duration of the testing period,
+but to ensure that enough marked packets are sent for received ECN counts to
+provide a clear indication of how the path treats marked packets.
+{{ecn-validation}} suggests limiting this to ten packets or three times the PTO.
 
 After the testing period ends, the ECN state for the path becomes "unknown".
 From the "unknown" state, successful validation of the ECN counts an ACK frame

From f2118efb1af5a09e6bd0ce3adb49bb10e3defc26 Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Fri, 30 Apr 2021 16:53:53 +1000
Subject: [PATCH 02/16] Asides

---
 draft-ietf-quic-transport.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index b6a8419edd..bab4c0a68b 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -6602,12 +6602,12 @@ Prior to address validation, endpoints are limited in what they are able to
 send.  Endpoints cannot send data toward an unvalidated address in excess of
 three times the data received from that address.
 
-Note:
-
-: The anti-amplification limit only applies when an endpoint responds to packets
-  received from an unvalidated address. The anti-amplification limit does not
-  apply to clients when establishing a new connection or when initiating
-  connection migration.
+<aside markdown="block">
+Note: The anti-amplification limit only applies when an endpoint responds to
+  packets received from an unvalidated address. The anti-amplification limit
+  does not apply to clients when establishing a new connection or when
+  initiating connection migration.
+</aside>
 
 
 #### Server-Side DoS
@@ -7166,11 +7166,11 @@ send datagrams that match these patterns prior to validating the destination
 address. Endpoints MAY retire connection IDs containing patterns known to be
 problematic without using them.
 
-Note:
-
-: Modifying endpoints to apply these protections is more efficient than
-  deploying network-based protections, as endpoints do not need to perform
-  any additional processing when sending to an address that has been validated.
+<aside markdown="block">
+Note: Modifying endpoints to apply these protections is more efficient than
+  deploying network-based protections, as endpoints do not need to perform any
+  additional processing when sending to an address that has been validated.
+</aside>
 
 
 ## Slowloris Attacks

From add9e2ff01c05ce1515dfd6cd76f3ed56a62cabd Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Fri, 30 Apr 2021 17:59:00 +1000
Subject: [PATCH 03/16] Clarify without (1) and (2)

---
 draft-ietf-quic-transport.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index bab4c0a68b..988f54d415 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -6782,8 +6782,8 @@ consistently "win" a race with the legitimate packets between the endpoints,
 potentially causing the original packet to be ignored by the recipient.
 
 It is also assumed that an attacker has the resources necessary to affect NAT
-state, potentially both causing an endpoint to lose its NAT binding, and an
-attacker to obtain the same port for use with its traffic.
+state. In particular, an attacker can cause an endpoint to lose its NAT binding
+and then obtain the same port for use with its own traffic.
 
 In the presence of an off-path attacker, QUIC aims to provide the following
 properties:

From 066d7c8943bfe730141c6284401f4127cfd151a5 Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Fri, 30 Apr 2021 18:01:19 +1000
Subject: [PATCH 04/16] Compact dl

---
 draft-ietf-quic-transport.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index 988f54d415..cfc119692a 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -7387,6 +7387,7 @@ Contact:
 
 Notes:
 : Supplementary notes about the registration.
+{: spacing="compact"}
 
 Provisional registrations MAY omit the Specification and Notes fields, plus any
 additional fields that might be required for a permanent registration.  The Date

From 4a353030d00417319300640845ec37da48ccdbe4 Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Fri, 30 Apr 2021 18:01:34 +1000
Subject: [PATCH 05/16] Use of is not really right, it's requests for

---
 draft-ietf-quic-transport.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index cfc119692a..e06dfc9d72 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -7397,7 +7397,7 @@ date the registration is created or updated.
 
 ### Selecting Codepoints {#iana-random}
 
-New uses of codepoints from QUIC registries SHOULD use a randomly selected
+New requests for codepoints from QUIC registries SHOULD use a randomly selected
 codepoint that excludes both existing allocations and the first unallocated
 codepoint in the selected space.  Requests for multiple codepoints MAY use a
 contiguous range.  This minimizes the risk that differing semantics are

From d6647cc616ef40b514ffa5d97cb6a0fba002d58d Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Fri, 30 Apr 2021 18:02:44 +1000
Subject: [PATCH 06/16] just version negotiation

---
 draft-ietf-quic-transport.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index e06dfc9d72..80c060228b 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -7485,7 +7485,7 @@ policy ({{Section 4.6 of RFC8126}}).
 The codepoint of 0x00000001 to the protocol is assigned with permanent status to
 the protocol defined in this document. The codepoint of 0x00000000 is
 permanently reserved; the note for this codepoint indicates that this version is
-reserved for Version Negotiation.
+reserved for version negotiation.
 
 All codepoints that follow the pattern 0x?a?a?a?a are reserved and MUST NOT be
 assigned by IANA, and MUST NOT appear in the listing of assigned values.

From 90455c4e3bde66d7a5ae7095e2907ebb5b158b5a Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Fri, 30 Apr 2021 18:07:35 +1000
Subject: [PATCH 07/16] It's a type name

---
 draft-ietf-quic-transport.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index 80c060228b..36cb856857 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -7550,7 +7550,7 @@ which are assigned using Standards Action or IESG Approval as defined in
 In addition to the fields in {{iana-provisional}}, permanent registrations in
 this registry MUST include the following field:
 
-Frame Name:
+Frame Type Name:
 
 : A short mnemonic for the frame type.
 

From 103137d9dfb3deb43fa024193caf2c6c857a8829 Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Fri, 30 Apr 2021 18:08:13 +1000
Subject: [PATCH 08/16] Ranges not regions

---
 draft-ietf-quic-transport.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index 36cb856857..c7d360cd79 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -7572,7 +7572,7 @@ IANA has added a registry for "QUIC Transport Error Codes" under a "QUIC"
 heading.
 
 The "QUIC Transport Error Codes" registry governs a 62-bit space.  This space is
-split into three regions that are governed by different policies.  Permanent
+split into three ranges that are governed by different policies.  Permanent
 registrations in this registry are assigned using the Specification Required
 policy ({{Section 4.6 of RFC8126}}), except for values between 0x00 and 0x3f (in
 hexadecimal), inclusive, which are assigned using Standards Action or IESG

From fa80452f831c564bc218084bad31396b9cb2742e Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Fri, 30 Apr 2021 18:09:49 +1000
Subject: [PATCH 09/16] pseudocode markings

---
 draft-ietf-quic-transport.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index c7d360cd79..148ec56cde 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -7631,7 +7631,7 @@ The pseudocode in {{alg-varint}} shows how a variable-length integer can be read
 from a stream of bytes.  The function ReadVarint takes a single argument -- a
 sequence of bytes, which can be read in network byte order.
 
-~~~
+~~~pseudocode
 ReadVarint(data):
   // The length of variable-length integers is encoded in the
   // first two bits of the first byte.
@@ -7665,7 +7665,7 @@ The EncodePacketNumber function takes two arguments:
 * largest_acked is the largest packet number that has been acknowledged by the
   peer in the current packet number space, if any.
 
-~~~
+~~~pseudocode
 EncodePacketNumber(full_pn, largest_acked):
 
   // The number of bits must be at least one more
@@ -7680,7 +7680,7 @@ EncodePacketNumber(full_pn, largest_acked):
   num_bytes = ceil(min_bits / 8)
 
   // Encode the integer value and truncate to
-  // the num_bytes least-significant bytes.
+  // the num_bytes least significant bytes.
   return encode(full_pn, num_bytes)
 ~~~
 {: #alg-encode-pn title="Sample Packet Number Encoding Algorithm"}
@@ -7707,7 +7707,7 @@ The DecodePacketNumber function takes three arguments:
 * truncated_pn is the value of the Packet Number field.
 * pn_nbits is the number of bits in the Packet Number field (8, 16, 24, or 32).
 
-~~~
+~~~pseudocode
 DecodePacketNumber(largest_pn, truncated_pn, pn_nbits):
    expected_pn  = largest_pn + 1
    pn_win       = 1 << pn_nbits

From 865e3e6791afdaa829b77d39363016ef321a1309 Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Fri, 30 Apr 2021 18:10:44 +1000
Subject: [PATCH 10/16] Clarify sentence

---
 draft-ietf-quic-transport.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index 148ec56cde..e15fdd2aaf 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -7766,9 +7766,9 @@ provide a clear indication of how the path treats marked packets.
 {{ecn-validation}} suggests limiting this to ten packets or three times the PTO.
 
 After the testing period ends, the ECN state for the path becomes "unknown".
-From the "unknown" state, successful validation of the ECN counts an ACK frame
-(see {{ecn-ack}}) causes the ECN state for the path to become "capable", unless
-no marked packet has been acknowledged.
+From the "unknown" state, successful validation of the ECN counts in an ACK
+frame (see {{ecn-ack}}) causes the ECN state for the path to become "capable"
+unless no marked packet has been acknowledged.
 
 If validation of ECN counts fails at any time, the ECN state for the affected
 path becomes "failed".  An endpoint can also mark the ECN state for a path as

From 8587cd6d451aaa1ebfbd995045f36e4c24f12a03 Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Mon, 3 May 2021 10:39:56 +1000
Subject: [PATCH 11/16] ~

Co-authored-by: Jana Iyengar <jri.ietf@gmail.com>
---
 draft-ietf-quic-transport.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/draft-ietf-quic-transport.md b/draft-ietf-quic-transport.md
index e15fdd2aaf..94985f7433 100644
--- a/draft-ietf-quic-transport.md
+++ b/draft-ietf-quic-transport.md
@@ -6882,7 +6882,7 @@ that are received on a different network path.
 The Source and Destination Connection ID fields are the primary means of
 protection against off-path attack during the handshake; see
 {{validate-handshake}}.  These are required to match those set by a peer.
-Except for Initial and stateless reset packets, an endpoint only accepts
+Except for Initial and Stateless Reset packets, an endpoint only accepts
 packets that include a Destination Connection ID field that matches a value the
 endpoint previously chose.  This is the only protection offered for Version
 Negotiation packets.
@@ -7605,7 +7605,7 @@ The initial contents of this registry are shown in {{iana-error-table}}.
 | 0x08  | TRANSPORT_PARAMETER_ERROR | Error in transport parameters | {{error-codes}} |
 | 0x09  | CONNECTION_ID_LIMIT_ERROR | Too many connection IDs received | {{error-codes}} |
 | 0x0a  | PROTOCOL_VIOLATION        | Generic protocol violation    | {{error-codes}} |
-| 0x0b  | INVALID_TOKEN             | Invalid Token received        | {{error-codes}} |
+| 0x0b  | INVALID_TOKEN             | Invalid token received        | {{error-codes}} |
 | 0x0c  | APPLICATION_ERROR         | Application error             | {{error-codes}} |
 | 0x0d  | CRYPTO_BUFFER_EXCEEDED    | CRYPTO data buffer overflowed | {{error-codes}} |
 | 0x0e  | KEY_UPDATE_ERROR          | Invalid packet protection update | {{error-codes}} |

From 8d91ee64017a6559ff4dcf5193c321d24c9b978d Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Mon, 3 May 2021 15:39:35 +1000
Subject: [PATCH 12/16] Aim to constrain attackers

---
 rfc9000.md | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/rfc9000.md b/rfc9000.md
index aba2383be6..78405ce0c3 100644
--- a/rfc9000.md
+++ b/rfc9000.md
@@ -6697,8 +6697,7 @@ however, any modifications to an authenticated portion of a packet will cause it
 to be dropped by the receiving endpoint as invalid, as packet payloads are both
 authenticated and encrypted.
 
-In the presence of an on-path attacker, QUIC aims to provide the following
-properties:
+QUIC aims to constrain the capabilities of an on-path attacker as follows:
 
 1. An on-path attacker can prevent use of a path for a connection, causing
    the connection to fail if it cannot use a different path that does not
@@ -6753,8 +6752,7 @@ It is also assumed that an attacker has the resources necessary to affect NAT
 state. In particular, an attacker can cause an endpoint to lose its NAT binding
 and then obtain the same port for use with its own traffic.
 
-In the presence of an off-path attacker, QUIC aims to provide the following
-properties:
+QUIC aims to constrain the capabilities of an off-path attacker as follows:
 
 1. An off-path attacker can race packets and attempt to become a "limited"
    on-path attacker.
@@ -6810,8 +6808,7 @@ offer routing with worse latency than the original path.  If a limited on-path
 attacker drops packets, the original copy will still arrive at the destination
 endpoint.
 
-In the presence of a limited on-path attacker, QUIC aims to provide the
-following properties:
+QUIC aims to constrain the capabilities of a limited off-path attacker as follows:
 
 1. A limited on-path attacker cannot cause a connection to close once the
    handshake has completed.

From a9587d3bdf26849d8e27122823512018118d7377 Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Mon, 3 May 2021 16:03:49 +1000
Subject: [PATCH 13/16] Some consistency edits

---
 rfc9000.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/rfc9000.md b/rfc9000.md
index 78405ce0c3..4122e4a729 100644
--- a/rfc9000.md
+++ b/rfc9000.md
@@ -4611,8 +4611,8 @@ Packet Number Length:
 : In packet types that contain a Packet Number field, the least significant two
   bits (those with a mask of 0x03) of byte 0 contain the length of the packet
   number, encoded as an unsigned, two-bit integer that is one less than the
-  length of the packet number field in bytes.  That is, the length of the packet
-  number field is the value of this field, plus one.  These bits are protected
+  length of the Packet Number field in bytes.  That is, the length of the Packet
+  Number field is the value of this field, plus one.  These bits are protected
   using header protection; see {{Section 5.4 of QUIC-TLS}}.
 
 Length:
@@ -4623,9 +4623,9 @@ Length:
 
 Packet Number:
 
-: The packet number field is 1 to 4 bytes long. The packet number is protected
+: The Packet Number field is 1 to 4 bytes long. The packet number is protected
   using header protection; see {{Section 5.4 of QUIC-TLS}}.  The length of the
-  packet number field is encoded in the Packet Number Length bits of byte 0; see
+  Packet Number field is encoded in the Packet Number Length bits of byte 0; see
   above.
 
 ### Version Negotiation Packet {#packet-version}
@@ -5074,8 +5074,8 @@ Packet Number Length:
 
 : The least significant two bits (those with a mask of 0x03) of byte 0 contain
   the length of the packet number, encoded as an unsigned, two-bit integer that
-  is one less than the length of the packet number field in bytes.  That is, the
-  length of the packet number field is the value of this field, plus one.  These
+  is one less than the length of the Packet Number field in bytes.  That is, the
+  length of the Packet Number field is the value of this field, plus one.  These
   bits are protected using header protection; see {{Section 5.4 of QUIC-TLS}}.
 
 Destination Connection ID:
@@ -5085,9 +5085,9 @@ Destination Connection ID:
 
 Packet Number:
 
-: The packet number field is 1 to 4 bytes long. The packet number is protected
+: The Packet Number field is 1 to 4 bytes long. The packet number is protected
   using header protection; see
-  {{Section 5.4 of QUIC-TLS}}. The length of the packet number field is encoded
+  {{Section 5.4 of QUIC-TLS}}. The length of the Packet Number field is encoded
   in Packet Number Length field. See {{packet-encoding}} for details.
 
 Packet Payload:
@@ -7496,7 +7496,7 @@ The initial contents of this registry are shown in {{iana-tp-table}}.
 | 0x10 | retry_source_connection_id  | {{transport-parameter-definitions}} |
 {: #iana-tp-table title="Initial QUIC Transport Parameters Registry Entries"}
 
-Each value of the format `31 * N + 27` for integer values of N (that is, 27, 58,
+Each value of the form `31 * N + 27` for integer values of N (that is, 27, 58,
 89, ...) are reserved; these values MUST NOT be assigned by IANA and MUST NOT
 appear in the listing of assigned values.
 

From ae0f8628dd5a61be899ed39199d36b5b58ca36aa Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Mon, 3 May 2021 16:16:39 +1000
Subject: [PATCH 14/16] Wrap

---
 rfc9000.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rfc9000.md b/rfc9000.md
index 4122e4a729..cc2b817a4b 100644
--- a/rfc9000.md
+++ b/rfc9000.md
@@ -6808,7 +6808,8 @@ offer routing with worse latency than the original path.  If a limited on-path
 attacker drops packets, the original copy will still arrive at the destination
 endpoint.
 
-QUIC aims to constrain the capabilities of a limited off-path attacker as follows:
+QUIC aims to constrain the capabilities of a limited off-path attacker as
+follows:
 
 1. A limited on-path attacker cannot cause a connection to close once the
    handshake has completed.

From d7abcd1da1ec06b324f7454481bbe2afe874c294 Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Wed, 5 May 2021 08:34:54 +1000
Subject: [PATCH 15/16] Missed one

---
 rfc9000.md | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/rfc9000.md b/rfc9000.md
index 0bbf168d26..ad49510d08 100644
--- a/rfc9000.md
+++ b/rfc9000.md
@@ -5091,16 +5091,11 @@ Key Phase:
 Packet Number Length:
 
 : The least significant two bits (those with a mask of 0x03) of byte 0 contain
-<<<<<<< HEAD
-  the length of the packet number, encoded as an unsigned, two-bit integer that
-  is one less than the length of the Packet Number field in bytes.  That is, the
-  length of the Packet Number field is the value of this field, plus one.  These
-=======
-  the length of the packet number, encoded as an unsigned two-bit integer that
-  is one less than the length of the packet number field in bytes.  That is, the
-  length of the packet number field is the value of this field plus one.  These
->>>>>>> origin/master
-  bits are protected using header protection; see {{Section 5.4 of QUIC-TLS}}.
+  the length of the Packet Number field, encoded as an unsigned two-bit integer
+  that is one less than the length of the packet number field in bytes.  That
+  is, the length of the packet number field is the value of this field plus one.
+  These bits are protected using header protection; see {{Section 5.4 of
+  QUIC-TLS}}.
 
 Destination Connection ID:
 

From 7d209a29818251e396fd1875b1b2dfee8af66208 Mon Sep 17 00:00:00 2001
From: Martin Thomson <mt@lowentropy.net>
Date: Wed, 5 May 2021 08:35:51 +1000
Subject: [PATCH 16/16] capitalize

---
 rfc9000.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rfc9000.md b/rfc9000.md
index ad49510d08..f37f16630d 100644
--- a/rfc9000.md
+++ b/rfc9000.md
@@ -5092,8 +5092,8 @@ Packet Number Length:
 
 : The least significant two bits (those with a mask of 0x03) of byte 0 contain
   the length of the Packet Number field, encoded as an unsigned two-bit integer
-  that is one less than the length of the packet number field in bytes.  That
-  is, the length of the packet number field is the value of this field plus one.
+  that is one less than the length of the Packet Number field in bytes.  That
+  is, the length of the Packet Number field is the value of this field plus one.
   These bits are protected using header protection; see {{Section 5.4 of
   QUIC-TLS}}.