target = "https://www.rfc-editor.org/rfc/rfc9000#section-7.3"

# 7.3.  Authenticating Connection IDs
#
# The choice each endpoint makes about connection IDs during the
# handshake is authenticated by including all values in transport
# parameters; see Section 7.4.  This ensures that all connection IDs
# used for the handshake are also authenticated by the cryptographic
# handshake.
# 
# Each endpoint includes the value of the Source Connection ID field
# from the first Initial packet it sent in the
# initial_source_connection_id transport parameter; see Section 18.2.
# A server includes the Destination Connection ID field from the first
# Initial packet it received from the client in the
# original_destination_connection_id transport parameter; if the server
# sent a Retry packet, this refers to the first Initial packet received
# before sending the Retry packet.  If it sends a Retry packet, a
# server also includes the Source Connection ID field from the Retry
# packet in the retry_source_connection_id transport parameter.
# 
# The values provided by a peer for these transport parameters MUST
# match the values that an endpoint used in the Destination and Source
# Connection ID fields of Initial packets that it sent (and received,
# for servers).  Endpoints MUST validate that received transport
# parameters match received connection ID values.  Including connection
# ID values in transport parameters and verifying them ensures that an
# attacker cannot influence the choice of connection ID for a
# successful connection by injecting packets carrying attacker-chosen
# connection IDs during the handshake.
# 
# An endpoint MUST treat the absence of the
# initial_source_connection_id transport parameter from either endpoint
# or the absence of the original_destination_connection_id transport
# parameter from the server as a connection error of type
# TRANSPORT_PARAMETER_ERROR.
# 
# An endpoint MUST treat the following as a connection error of type
# TRANSPORT_PARAMETER_ERROR or PROTOCOL_VIOLATION:
# 
# *  absence of the retry_source_connection_id transport parameter from
#    the server after receiving a Retry packet,
# 
# *  presence of the retry_source_connection_id transport parameter
#    when no Retry packet was received, or
# 
# *  a mismatch between values received from a peer in these transport
#    parameters and the value sent in the corresponding Destination or
#    Source Connection ID fields of Initial packets.
# 
# If a zero-length connection ID is selected, the corresponding
# transport parameter is included with a zero-length value.
# 
# Figure 7 shows the connection IDs (with DCID=Destination Connection
# ID, SCID=Source Connection ID) that are used in a complete handshake.
# The exchange of Initial packets is shown, plus the later exchange of
# 1-RTT packets that includes the connection ID established during the
# handshake.
# 
# Client                                                  Server
# 
# Initial: DCID=S1, SCID=C1 ->
#                                   <- Initial: DCID=C1, SCID=S3
#                              ...
# 1-RTT: DCID=S3 ->
#                                              <- 1-RTT: DCID=C1
# 
#             Figure 7: Use of Connection IDs in a Handshake
# 
# Figure 8 shows a similar handshake that includes a Retry packet.
# 
# Client                                                  Server
# 
# Initial: DCID=S1, SCID=C1 ->
#                                     <- Retry: DCID=C1, SCID=S2
# Initial: DCID=S2, SCID=C1 ->
#                                   <- Initial: DCID=C1, SCID=S3
#                              ...
# 1-RTT: DCID=S3 ->
#                                              <- 1-RTT: DCID=C1
# 
#       Figure 8: Use of Connection IDs in a Handshake with Retry
# 
# In both cases (Figures 7 and 8), the client sets the value of the
# initial_source_connection_id transport parameter to "C1".
# 
# When the handshake does not include a Retry (Figure 7), the server
# sets original_destination_connection_id to "S1" (note that this value
# is chosen by the client) and initial_source_connection_id to "S3".
# In this case, the server does not include a
# retry_source_connection_id transport parameter.
# 
# When the handshake includes a Retry (Figure 8), the server sets
# original_destination_connection_id to "S1",
# retry_source_connection_id to "S2", and initial_source_connection_id
# to "S3".

[[spec]]
level = "MUST"
quote = '''
The values provided by a peer for these transport parameters MUST
match the values that an endpoint used in the Destination and Source
Connection ID fields of Initial packets that it sent (and received,
for servers).
'''

[[spec]]
level = "MUST"
quote = '''
Endpoints MUST validate that received transport
parameters match received connection ID values.
'''

[[spec]]
level = "MUST"
quote = '''
An endpoint MUST treat the absence of the
initial_source_connection_id transport parameter from either endpoint
or the absence of the original_destination_connection_id transport
parameter from the server as a connection error of type
TRANSPORT_PARAMETER_ERROR.
'''

[[spec]]
level = "MUST"
quote = '''
An endpoint MUST treat the following as a connection error of type
TRANSPORT_PARAMETER_ERROR or PROTOCOL_VIOLATION:
'''