On Thu, Nov 14, 2013 at 10:04 PM, Mike Belopuhov <[email protected]> wrote:
> On 14 November 2013 18:52, Henning Brauer <[email protected]> wrote:
>> * Theo de Raadt <[email protected]> [2013-11-14 18:47]:
>>> > it is the status quo *right now*
>>>
>>> Look, you can't call something the status quo when a commit was made 1
>>> month ago, to a REAL status quo that existed for 10 years when itojun
>>> made the change... and immediately after this recent commit we
>>> started arguing about the change.
>>>
>>> Go find out what "status quo" means.
>>
>> let's not get into this, leads us nowhere.
>>
>>> > > It *was* being filtered, until a month ago.
>>> > no news here - we had discussed that change at the time. pretty sure
>>> > you were in the loop even.
>>> No, I was not in the loop before it was committed, and many others were
>>> not either. Apparently only you and mikeb were, and you did NOT push
>>> for more people to know about the change before it was committed.
>>
>> mikeb? bluhm worked on & committed that otoh.
>> i'm still pretty damn sure you were Cc'd; won't dig for old mail just
>> to prove it; don't see the point, doesn't change anything now anyway.
>>
>
> we have discussed that with bluhm in berlin and initially i had the same
> opinion: leave the check in the stack, but he has convinced me that it's
> rather pf's job to do it. i'm not against bringing it back and his diff
> looks fine to me, esp. since it avoids double check that was there before.
Personally, I wasn't aware that variations of RH0 attacks are possible, and
that PF is the only way to mitigate the attacks completely, until Alexander
Bluhm mentioned it. To me, that is an important piece of information for
end-users running v6 networks. Do you guys think that it might be worth
mentioning this in the pfctl man page?

Index: src/sbin/pfctl/pfctl.8
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl.8,v
retrieving revision 1.163
diff -u -p -r1.163 pfctl.8
--- src/sbin/pfctl/pfctl.8	21 Jul 2013 17:22:49 -0000	1.163
+++ src/sbin/pfctl/pfctl.8	14 Nov 2013 20:03:46 -0000
@@ -175,6 +175,9 @@ Overrides the definition of
 in the ruleset.
 .It Fl d
 Disable the packet filter.
+
+This disables advanced protection against Routing Type 0 attacks as the network
+stack only has a basic protection solution to Routing Type 0 vulnerability.
 .It Fl e
 Enable the packet filter.
 .It Fl F Ar modifier

> >>> The non-pf RH0 filtering case is worthwhile.
>>
>> and here we disagree.
>>
>> --
>> Henning Brauer, [email protected], [email protected]
>> BS Web Services GmbH, http://bsws.de, Full-Service ISP
>> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
>> Managed
>> Henning Brauer Consulting, http://henningbrauer.com/
>>
>

--
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
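Review bot: the paragraph added under ".It Fl d" is separated from "Disable the packet filter." by a bare blank line ("+" with nothing after it); mdoc wants the ".Pp" macro there, and mandoc lint warns about blank lines in fill mode. The wording is also too vague to help an administrator decide anything: "advanced protection" and "basic protection solution to Routing Type 0 vulnerability" never say what pf blocks that the stack does not, and "Routing Type 0" should be spelled out as the IPv6 Routing Header Type 0 (RH0) so the reader can connect it to the term the rest of this thread uses. Since the thread above says the stack check is being brought back (mikeb: "i'm not against bringing it back and his diff looks fine to me"), the sentence should state concretely which RH0 variations only pf catches, or it will be wrong as soon as that diff lands.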

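Added example, not OpenBSD, pf or anyone's code from this thread: it shows what a complete RH0 check has to do, namely walk the whole IPv6 extension header chain rather than look only at the first Next Header, so a Routing Header Type 0 with Segments Left > 0 hidden behind a Destination Options header is still caught. Reading the "variations" mentioned above as RH0 placed behind other extension headers is an assumption, and the packets in check_sample() are constructed, not captures.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not pf or stack code: walk the IPv6 extension header
 * chain and report a Routing Header Type 0 with Segments Left > 0 anywhere
 * in it (RFC 5095: discard). AH/ESP and upper-layer headers end the walk. */
enum { IP6_HDR = 40, NH_HOPOPTS = 0, NH_ROUTING = 43, NH_FRAG = 44,
       NH_NONE = 59, NH_DSTOPTS = 60 };

/* 1: active RH0 present, 0: none, -1: chain truncated or not IPv6. */
int has_active_rh0(const uint8_t *p, size_t len)
{
    size_t off = IP6_HDR, hlen = 0;
    uint8_t nh;

    if (len < IP6_HDR || (p[0] >> 4) != 6)
        return -1;
    for (nh = p[6]; ; nh = p[off], off += hlen) {
        if (nh != NH_HOPOPTS && nh != NH_DSTOPTS && nh != NH_ROUTING && nh != NH_FRAG)
            return 0;                          /* no more extension headers */
        if (off + 8 > len)
            return -1;
        hlen = (nh == NH_FRAG) ? 8 : ((size_t)p[off + 1] + 1) * 8;
        if (off + hlen > len)
            return -1;
        if (nh == NH_ROUTING && p[off + 2] == 0 && p[off + 3] > 0)
            return 1;                          /* RH0 with segments left */
        if (nh == NH_FRAG && (((p[off + 2] << 8) | p[off + 3]) >> 3) != 0)
            return 0;                          /* later fragment: payload only */
    }
}

/* Constructed sample: IPv6 header, optional Destination Options header, then
 * a routing header of type `rtype` carrying one address; `drop` cuts trailing
 * bytes to simulate truncation. Returns has_active_rh0() for that packet. */
int check_sample(int with_dstopts, uint8_t rtype, uint8_t segleft, size_t drop)
{
    uint8_t buf[72] = { 0x60 };                /* version 6, rest zeroed */
    size_t off = IP6_HDR;

    buf[6] = with_dstopts ? NH_DSTOPTS : NH_ROUTING;
    if (with_dstopts) {
        buf[off] = NH_ROUTING;                 /* 8-byte header, ext len 0 */
        buf[off + 2] = 1; buf[off + 3] = 4;    /* PadN option fills it */
        off += 8;
    }
    buf[off] = NH_NONE; buf[off + 1] = 2;      /* 8 + one 16-byte address */
    buf[off + 2] = rtype; buf[off + 3] = segleft;
    off += 24;
    buf[5] = (uint8_t)(off - IP6_HDR);         /* payload length */
    return has_active_rh0(buf, off - drop);
}
```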