target = "https://www.rfc-editor.org/rfc/rfc9001#section-6.3"

# 6.3.  Timing of Receive Key Generation
#
# Endpoints responding to an apparent key update MUST NOT generate a
# timing side-channel signal that might indicate that the Key Phase bit
# was invalid (see Section 9.5).  Endpoints can use randomized packet
# protection keys in place of discarded keys when key updates are not
# yet permitted.  Using randomized keys ensures that attempting to
# remove packet protection does not result in timing variations, and
# results in packets with an invalid Key Phase bit being rejected.
# 
# The process of creating new packet protection keys for receiving
# packets could reveal that a key update has occurred.  An endpoint MAY
# generate new keys as part of packet processing, but this creates a
# timing signal that could be used by an attacker to learn when key
# updates happen and thus leak the value of the Key Phase bit.
# 
# Endpoints are generally expected to have current and next receive
# packet protection keys available.  For a short period after a key
# update completes, up to the PTO, endpoints MAY defer generation of
# the next set of receive packet protection keys.  This allows
# endpoints to retain only two sets of receive keys; see Section 6.5.
# 
# Once generated, the next set of packet protection keys SHOULD be
# retained, even if the packet that was received was subsequently
# discarded.  Packets containing apparent key updates are easy to
# forge, and while the process of key update does not require
# significant effort, triggering this process could be used by an
# attacker for DoS.
# 
# For this reason, endpoints MUST be able to retain two sets of packet
# protection keys for receiving packets: the current and the next.
# Retaining the previous keys in addition to these might improve
# performance, but this is not essential.

[[spec]]
level = "MUST"
quote = '''
Endpoints responding to an apparent key update MUST NOT generate a
timing side-channel signal that might indicate that the Key Phase bit
was invalid (see Section 9.5).
'''

[[spec]]
level = "MAY"
quote = '''
An endpoint MAY
generate new keys as part of packet processing, but this creates a
timing signal that could be used by an attacker to learn when key
updates happen and thus leak the value of the Key Phase bit.
'''

[[spec]]
level = "MAY"
quote = '''
For a short period after a key
update completes, up to the PTO, endpoints MAY defer generation of
the next set of receive packet protection keys.
'''

[[spec]]
level = "SHOULD"
quote = '''
Once generated, the next set of packet protection keys SHOULD be
retained, even if the packet that was received was subsequently
discarded.
'''

[[spec]]
level = "MUST"
quote = '''
For this reason, endpoints MUST be able to retain two sets of packet
protection keys for receiving packets: the current and the next.
'''