On Thu, Nov 14, 2013 at 11:00:37AM -0700, Theo de Raadt wrote: > It was not shown to enough people. PERIOD.
My diff was on tech@ for one day during a hackathon before I committed it. Not enough people discussed it back then. Fine. Let's discuss it now.

The reasons why I removed the check in the stack are:
- Scanning headers in the forwarding path is against the spirit of IPv6.
- pf deals much better with fragments and headers now.
- When the check was added, there was no RFC. Now I am following RFC5095.
- It is pf's job to add more security.
- The scanning was done twice with pf enabled.

Now I am tempted to put it back because:
- Theo says there are a lot of OpenBSD boxes without pf attached to the internet.
- Fernando Gont says there are plenty of legacy implementations supporting RH0.
- Fernando Gont says it is not the most secure approach to remove the check.
- I have removed the double scan when pf is enabled.

bluhm
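An added example, not code from OpenBSD or from this thread, of the receiving-node check that RFC 5095 describes: it walks the IPv6 extension-header chain and flags a Type 0 Routing Header whose Segments Left is greater than zero, which the node must discard. `ipv6_has_rh0` and `build_rh0_sample` are hypothetical names, and the sample packet is constructed.

```c
/* Added example, not OpenBSD code: the receiving-node RH0 check of RFC 5095
 * section 3, walking the IPv6 extension-header chain. Names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define IPV6_HDRLEN 40
#define NH_HOPOPTS   0   /* Hop-by-Hop Options */
#define NH_ROUTING  43   /* Routing Header */
#define NH_FRAG     44   /* Fragment Header, fixed 8 bytes */
#define NH_NONE     59   /* No Next Header */
#define NH_DSTOPTS  60   /* Destination Options */

/* Returns 1 for an RH0 with Segments Left > 0 (must be discarded with an ICMPv6
 * Parameter Problem, code 0), 0 if no such header, -1 if truncated/malformed. */
int ipv6_has_rh0(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDRLEN || (pkt[0] >> 4) != 6) return -1;
    uint8_t nh = pkt[6];            /* Next Header of the fixed header */
    size_t off = IPV6_HDRLEN;
    for (;;) {
        switch (nh) {
        case NH_HOPOPTS: case NH_DSTOPTS: case NH_ROUTING: case NH_FRAG: {
            if (off + 2 > len) return -1;
            /* Hdr Ext Len counts 8-octet units beyond the first 8; fragment is fixed */
            size_t hlen = (nh == NH_FRAG) ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
            if (off + hlen > len) return -1;
            /* Routing Type is byte 2, Segments Left byte 3. RFC 5095: an RH0
             * whose Segments Left is 0 is ignored, otherwise the packet is dropped. */
            if (nh == NH_ROUTING && pkt[off + 2] == 0)
                return pkt[off + 3] > 0 ? 1 : 0;
            nh = pkt[off];
            off += hlen;
            break;
        }
        default:
            return 0;   /* upper-layer protocol or unknown header: stop scanning */
        }
    }
}

/* Constructed sample: IPv6 header + 24-byte routing header holding one all-zero
 * address; the caller chooses Routing Type and Segments Left. Returns length. */
size_t build_rh0_sample(uint8_t *buf, uint8_t routing_type, uint8_t seg_left)
{
    memset(buf, 0, IPV6_HDRLEN + 24);
    buf[0] = 0x60; buf[5] = 24; buf[6] = NH_ROUTING; buf[7] = 64;
    buf[IPV6_HDRLEN] = NH_NONE; buf[IPV6_HDRLEN + 1] = 2;   /* (2+1)*8 = 24 bytes */
    buf[IPV6_HDRLEN + 2] = routing_type; buf[IPV6_HDRLEN + 3] = seg_left;
    return IPV6_HDRLEN + 24;
}
```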