target = "https://www.rfc-editor.org/rfc/rfc9000#section-21.5"

# 21.5.  Request Forgery Attacks
#
# A request forgery attack occurs where an endpoint causes its peer to
# issue a request towards a victim, with the request controlled by the
# endpoint.  Request forgery attacks aim to provide an attacker with
# access to capabilities of its peer that might otherwise be
# unavailable to the attacker.  For a networking protocol, a request
# forgery attack is often used to exploit any implicit authorization
# conferred on the peer by the victim due to the peer's location in the
# network.
# 
# For request forgery to be effective, an attacker needs to be able to
# influence what packets the peer sends and where these packets are
# sent.  If an attacker can target a vulnerable service with a
# controlled payload, that service might perform actions that are
# attributed to the attacker's peer but are decided by the attacker.
# 
# For example, cross-site request forgery [CSRF] exploits on the Web
# cause a client to issue requests that include authorization cookies
# [COOKIE], allowing one site access to information and actions that
# are intended to be restricted to a different site.
# 
# As QUIC runs over UDP, the primary attack modality of concern is one
# where an attacker can select the address to which its peer sends UDP
# datagrams and can control some of the unprotected content of those
# packets.  As much of the data sent by QUIC endpoints is protected,
# this includes control over ciphertext.  An attack is successful if an
# attacker can cause a peer to send a UDP datagram to a host that will
# perform some action based on content in the datagram.
# 
# This section discusses ways in which QUIC might be used for request
# forgery attacks.
# 
# This section also describes limited countermeasures that can be
# implemented by QUIC endpoints.  These mitigations can be employed
# unilaterally by a QUIC implementation or deployment, without
# potential targets for request forgery attacks taking action.
# However, these countermeasures could be insufficient if UDP-based
# services do not properly authorize requests.
# 
# Because the migration attack described in Section 21.5.4 is quite
# powerful and does not have adequate countermeasures, QUIC server
# implementations should assume that attackers can cause them to
# generate arbitrary UDP payloads to arbitrary destinations.  QUIC
# servers SHOULD NOT be deployed in networks that do not deploy ingress
# filtering [BCP38] and also have inadequately secured UDP endpoints.
# 
# Although it is not generally possible to ensure that clients are not
# co-located with vulnerable endpoints, this version of QUIC does not
# allow servers to migrate, thus preventing spoofed migration attacks
# on clients.  Any future extension that allows server migration MUST
# also define countermeasures for forgery attacks.

[[spec]]
level = "SHOULD"
quote = '''
QUIC
servers SHOULD NOT be deployed in networks that do not deploy ingress
filtering [BCP38] and also have inadequately secured UDP endpoints.
'''

[[spec]]
level = "MUST"
quote = '''
Any future extension that allows server migration MUST
also define countermeasures for forgery attacks.
'''