> * Alexander Bluhm <alexander.bl...@gmx.net> [2013-11-14 01:29]:
> > Theo and others don't like that change as it decreases security.
> > There are hosts out there that still process RH0 and there are
> > OpenBSD routers with pf disabled.
> > 
> > This diff brings back the header chain scanning.  As an improvement
> > it only scans if pf has not done that before.
> > 
> > Note that ip6_check_rh0hdr() can be easily tricked by hiding the
> > routing header type 0 behind a fragment header.  Only pf can protect
> > you correctly as it reassembles on the forwarding path.  So I am
> > not sure whether it is worth adding it again.
> 
> to be quite honest I don't see the point. the "protection" in the
> stack is either very incomplete and easy enough to trick - you point
> it out yourself, fragment - or very expensive.
> 
> especially given that pf is enabled by default: make sure the stack
> doesn't process RH0 itself, and otherwise leave it to pf.
> aka the status quo.

You're wrong about the status quo.

It *was* being filtered, until a month ago.
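
The limit discussed in the quoted messages, as an added sketch (not OpenBSD's ip6_check_rh0hdr() and not code from this thread): a per-packet header-chain scan that reports a fragment header as "needs reassembly" instead of treating the packet as clean. The function name, result enum and sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum scan_result { SCAN_NO_RH0, SCAN_RH0, SCAN_NEEDS_REASSEMBLY, SCAN_TRUNCATED };
enum { NH_HOPOPTS = 0, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_AH = 51, NH_DSTOPTS = 60 };

/* Walk the extension header chain of one unreassembled IPv6 packet. */
enum scan_result scan_rh0(const uint8_t *pkt, size_t len)
{
    size_t off = 40, hlen;              /* fixed IPv6 header is 40 bytes */
    uint8_t nh;
    if (len < 40 || (pkt[0] >> 4) != 6)
        return SCAN_TRUNCATED;
    nh = pkt[6];                        /* Next Header of the fixed header */
    for (;;) {
        switch (nh) {
        case NH_FRAGMENT:
            /* The rest of the chain is only reliable after reassembly,
             * so report that instead of returning "clean". */
            return SCAN_NEEDS_REASSEMBLY;
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS: case NH_AH:
            if (len - off < 8)
                return SCAN_TRUNCATED;
            if (nh == NH_ROUTING && pkt[off + 2] == 0)  /* Routing Type 0 */
                return SCAN_RH0;
            /* AH length is in 4-byte units minus 2, the others in 8-byte units minus 1 */
            hlen = nh == NH_AH ? (pkt[off + 1] + 2u) * 4 : (pkt[off + 1] + 1u) * 8;
            if (hlen > len - off)
                return SCAN_TRUNCATED;
            nh = pkt[off];              /* Next Header of this extension header */
            off += hlen;
            break;
        default:
            return SCAN_NO_RH0;         /* upper-layer protocol or unknown header */
        }
    }
}

/* Constructed sample packets (zero addresses, no payload). */
static const uint8_t pkt_rh0[48]      = { [0] = 0x60, [5] = 8,  [6] = 43, [7] = 64, [40] = 59 };
static const uint8_t pkt_frag_rh0[56] = { [0] = 0x60, [5] = 16, [6] = 44, [7] = 64, [40] = 43, [48] = 59 };
static const uint8_t pkt_rh2[64]      = { [0] = 0x60, [5] = 24, [6] = 43, [7] = 64, [40] = 59, [41] = 2, [42] = 2, [43] = 1 };

int main(void)
{
    printf("%d %d %d\n", scan_rh0(pkt_rh0, sizeof pkt_rh0), scan_rh0(pkt_frag_rh0, sizeof pkt_frag_rh0), scan_rh0(pkt_rh2, sizeof pkt_rh2));
    return 0;
}
```

A forwarding path that receives SCAN_NEEDS_REASSEMBLY has to either reassemble before deciding or apply a policy to fragments as such; the scan alone cannot clear them.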
