Hello,
> I found the link http://www.secfu.net/ in one of sthen@'s mails.
> There the author mentions that we accept IPv6 hop-by-hop headers
> after fragment headers. In fact this is a result of my pf fragment
> reassembly, so add an extra check there.
>
> ok?
I'm O.K. with it.
Side Note: I did quick check to RFCs. It seems to me there is a 'bug' in
specification. RFC 2460 says:
When more than one extension header is used in the same packet, it is
recommended that those headers appear in the following order:
^^^^^^^^^^^
IPv6 header
Hop-by-Hop Options header
Destination Options header (note 1)
Routing header
Fragment header
The RFC 7045, which updates RFC 2460, says in section 2.2:
As a reminder, in RFC 2460, it is stated that the Hop-by-Hop Options
header, if present, must be first.
^^^^^^^
The quotation upgrades 'recommended/should' to 'required/must'. In any
case bluhm's patch makes sense to me.
regards
sasha
