diff --git a/src/quic_conn.c b/src/quic_conn.c
index 17f31ebc7..5a011eb5f 100644
--- a/src/quic_conn.c
+++ b/src/quic_conn.c
@@ -6323,6 +6323,18 @@ static int qc_handle_conn_migration(struct quic_conn *qc,
 {
 TRACE_ENTER(QUIC_EV_CONN_LPKT, qc);
 
+ /* RFC 9000 9. Connection Migration
+ *
+ * The design of QUIC relies on endpoints retaining a stable address for
+ * the duration of the handshake. An endpoint MUST NOT initiate
+ * connection migration before the handshake is confirmed, as defined in
+ * Section 4.1.2 of [QUIC-TLS].
+ */
+ if (qc->state < QUIC_HS_ST_COMPLETE) {
+ TRACE_STATE("Connection migration during handshake rejected", QUIC_EV_CONN_LPKT, qc);
+ goto err;
+ }
+
 /* RFC 9000 9. Connection Migration
 *
 * TODO
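Review bot: The new guard at the top of qc_handle_conn_migration() tests `qc->state < QUIC_HS_ST_COMPLETE`, while the RFC text quoted just above it requires the handshake to be confirmed, not merely complete. On the server side the two coincide (RFC 9001 section 4.1.2), so the test looks right for a listener-side connection, but the comment should say so, e.g. `/* A server considers the handshake confirmed as soon as it is complete, hence the test on QUIC_HS_ST_COMPLETE. */`. It is also worth confirming that the `err` label, which lies outside this hunk, only discards the datagram; if it tore down the connection, a datagram arriving from an unexpected address before it has been authenticated could abort a handshake in progress. The function body continues past the end of the hunk, so the rest of the migration handling is not visible here.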