target = "https://www.rfc-editor.org/rfc/rfc9001#section-9.5"

# 9.5.  Header Protection Timing Side Channels
#
# An attacker could guess values for packet numbers or Key Phase and
# have an endpoint confirm guesses through timing side channels.
# Similarly, guesses for the packet number length can be tried and
# exposed.  If the recipient of a packet discards packets with
# duplicate packet numbers without attempting to remove packet
# protection, they could reveal through timing side channels that the
# packet number matches a received packet.  For authentication to be
# free from side channels, the entire process of header protection
# removal, packet number recovery, and packet protection removal MUST
# be applied together without timing and other side channels.
# 
# For the sending of packets, construction and protection of packet
# payloads and packet numbers MUST be free from side channels that
# would reveal the packet number or its encoded size.
# 
# During a key update, the time taken to generate new keys could reveal
# through timing side channels that a key update has occurred.
# Alternatively, where an attacker injects packets, this side channel
# could reveal the value of the Key Phase on injected packets.  After
# receiving a key update, an endpoint SHOULD generate and save the next
# set of receive packet protection keys, as described in Section 6.3.
# By generating new keys before a key update is received, receipt of
# packets will not create timing signals that leak the value of the Key
# Phase.
# 
# This depends on not doing this key generation during packet
# processing, and it can require that endpoints maintain three sets of
# packet protection keys for receiving: for the previous key phase, for
# the current key phase, and for the next key phase.  Endpoints can
# instead choose to defer generation of the next receive packet
# protection keys until they discard old keys so that only two sets of
# receive keys need to be retained at any point in time.

[[spec]]
level = "MUST"
quote = '''
For authentication to be
free from side channels, the entire process of header protection
removal, packet number recovery, and packet protection removal MUST
be applied together without timing and other side channels.
'''

[[spec]]
level = "MUST"
quote = '''
For the sending of packets, construction and protection of packet
payloads and packet numbers MUST be free from side channels that
would reveal the packet number or its encoded size.
'''

[[spec]]
level = "SHOULD"
quote = '''
After
receiving a key update, an endpoint SHOULD generate and save the next
set of receive packet protection keys, as described in Section 6.3.
'''