* Theo de Raadt <dera...@cvs.openbsd.org> [2013-11-15 01:38]:
> >My diff was on tech@ for one day during a hackathon before I committed it.

NOT hidden / circulated privately.

> >The reasons why I removed the check in the stack are:
> >- Scanning headers in the forwarding path is against the spirit of IPv6.
> One day someone should find the people who pushed RH0 into IPv6 and punish
> them.

ok henning :)

> >- It is pf's job to add more security.
> It is. However, you will note that in IPv4 land we have sysctl
> net.inet.ip.sourceroute. It defaults to 0 (off). RH is like IPv4 source
> routing, except on steroids. Would any of us at this time recommend
> net.inet.ip.sourceroute=1, or to go further, remove the code disabling code
> from the kernel and assume that pf is doing the filtering? I doubt it.

that analogy is actually a good one. net.inet.ip.sourceroute controls
whether we OBEY src routes. as in, we don't by default, as we don't
obey RH0 at all, without a button. we do, however, NOT remove src
routing information from forwarded packets.

> >- The scanning was done twice with pf enabled.
> This latter point is very valid. I am very happy with your new approach that
> does the extra scanning only if pf is disabled.

no doubt that is an improvement.

> I only believe in this approach when the header is already cache-hot, and there
> is little performance. Ultimately if many feel "pf is always on", then there is
> no argument for resisting code for the "pf is disabled" case...

heh :)

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/