target = "https://www.rfc-editor.org/rfc/rfc9000#section-21.5.3"

# 21.5.3.  Request Forgery with Preferred Addresses
#
# Servers can specify a preferred address, which clients then migrate
# to after confirming the handshake; see Section 9.6.  The Destination
# Connection ID field of packets that the client sends to a preferred
# address can be used for request forgery.
# 
# A client MUST NOT send non-probing frames to a preferred address
# prior to validating that address; see Section 8.  This greatly
# reduces the options that a server has to control the encrypted
# portion of datagrams.
# 
# This document does not offer any additional countermeasures that are
# specific to the use of preferred addresses and can be implemented by
# endpoints.  The generic measures described in Section 21.5.6 could be
# used as further mitigation.

[[spec]]
level = "MUST"
quote = '''
A client MUST NOT send non-probing frames to a preferred address
prior to validating that address; see Section 8.
'''