* Theo de Raadt <dera...@cvs.openbsd.org> [2013-11-14 16:35]:
> > * Alexander Bluhm <alexander.bl...@gmx.net> [2013-11-14 01:29]:
> > > Theo and others don't like that change as it decreases security.
> > > There are hosts out there that still process RH0 and there are
> > > OpenBSD routers with pf disabled.
> > >
> > > This diff brings back the header chain scanning. As an improvement
> > > it only scans if pf has not done that before.
> > >
> > > Note that ip6_check_rh0hdr() can be easily tricked by hiding the
> > > routing header type 0 behind a fragment header. Only pf can protect
> > > you correctly as it reassembles on the forwarding path. So I am
> > > not sure whether it is worth adding it again.
> > to be quite honest I don't see the point. the "protection" in the
> > stack is either very incomplete and easy enough to trick - you point
> > it out yourself, fragment - or very expensive.
> > especially given that pf is enabled by default: make sure the stack
> > doesn't process RH0 itself, and otherwise leave it to pf.
> > aka the status quo.
> You're wrong about the status quo.

it is the status quo *right now*

> It *was* being filtered, until a month ago.

no news here - we had discussed that change at the time. pretty sure you were in the loop even.

I stand by my point either way. the stack check for forwarded packets is either very incomplete or expensive. the approach "stack protects the local machine (in this case: don't obey RH0), pf handles forwarded packets" matches what we do generally.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
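An added example, not code from this thread or from OpenBSD: a minimal per-packet IPv6 extension header walk in Python that reports a type 0 routing header and shows why such a check has to give up at a fragment header, which is the limitation Alexander and Henning describe. The packet builders, the unspecified addresses and the TCP stub are constructed for the demonstration.

```python
import struct

# IPv6 next-header numbers (RFC 8200); routing type 0 was deprecated by RFC 5095.
HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, TCP = 0, 43, 44, 60, 6
RH0 = 0


def scan_ext_chain(pkt: bytes):
    """Walk the extension header chain of one raw IPv6 packet.

    Returns (found_rh0, stopped_at_fragment). A per-packet walk must stop
    at a fragment header: whatever follows lives in the reassembled payload,
    so only an inspector that reassembles first (as pf does) can see it.
    """
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    nh, off = pkt[6], 40
    while nh in (HOPOPTS, ROUTING, FRAGMENT, DSTOPTS):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            return False, True
        if nh == ROUTING and pkt[off + 2] == RH0:
            return True, False
        # next header byte, then length in 8-octet units excluding the first 8
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return False, False


# Constructed sample packets: :: as both addresses, zeroed TCP stub payload.
def ipv6(nh: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + bytes(32) + payload


def routing_hdr(nh: int, rtype: int, hops: bytes) -> bytes:
    # hdr ext len = 2 per address; segments left = 1
    return bytes([nh, len(hops) // 8, rtype, 1]) + bytes(4) + hops


def fragment_hdr(nh: int) -> bytes:
    # first fragment: offset 0, M flag set, identification 1
    return bytes([nh, 0]) + struct.pack("!HI", 1, 1)


TCP_STUB = bytes(20)
PLAIN_RH0 = ipv6(ROUTING, routing_hdr(TCP, RH0, bytes(16)) + TCP_STUB)
HIDDEN_RH0 = ipv6(FRAGMENT, fragment_hdr(ROUTING) + routing_hdr(TCP, RH0, bytes(16)) + TCP_STUB)
CLEAN = ipv6(DSTOPTS, bytes([TCP, 0]) + bytes(6) + TCP_STUB)

if __name__ == "__main__":
    for name, p in (("plain", PLAIN_RH0), ("hidden", HIDDEN_RH0), ("clean", CLEAN)):
        print(name, scan_ext_chain(p))
```

The second result is the point of the thread: the scanner reports nothing for the fragmented packet, so the RH0 check only becomes complete once reassembly happens before inspection.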