target = "https://www.rfc-editor.org/rfc/rfc9000#section-9.3.2"

# 9.3.2.  On-Path Address Spoofing
#
# An on-path attacker could cause a spurious connection migration by
# copying and forwarding a packet with a spoofed address such that it
# arrives before the original packet.  The packet with the spoofed
# address will be seen to come from a migrating connection, and the
# original packet will be seen as a duplicate and dropped.  After a
# spurious migration, validation of the source address will fail
# because the entity at the source address does not have the necessary
# cryptographic keys to read or respond to the PATH_CHALLENGE frame
# that is sent to it even if it wanted to.
# 
# To protect the connection from failing due to such a spurious
# migration, an endpoint MUST revert to using the last validated peer
# address when validation of a new peer address fails.  Additionally,
# receipt of packets with higher packet numbers from the legitimate
# peer address will trigger another connection migration.  This will
# cause the validation of the address of the spurious migration to be
# abandoned, thus containing migrations initiated by the attacker
# injecting a single packet.
# 
# If an endpoint has no state about the last validated peer address, it
# MUST close the connection silently by discarding all connection
# state.  This results in new packets on the connection being handled
# generically.  For instance, an endpoint MAY send a Stateless Reset in
# response to any further incoming packets.

[[spec]]
level = "MUST"
quote = '''
To protect the connection from failing due to such a spurious
migration, an endpoint MUST revert to using the last validated peer
address when validation of a new peer address fails.
'''

[[spec]]
level = "MUST"
quote = '''
If an endpoint has no state about the last validated peer address, it
MUST close the connection silently by discarding all connection
state.
'''

[[spec]]
level = "MAY"
quote = '''
For instance, an endpoint MAY send a Stateless Reset in
response to any further incoming packets.
'''