* Alexander Bluhm <alexander.bl...@gmx.net> [2013-11-14 01:29]:
> Theo and others don't like that change as it decreases security.
> There are hosts out there that still process RH0 and there are
> OpenBSD routers with pf disabled.
>
> This diff brings back the header chain scanning. As an improvement
> it only scans if pf has not done that before.
>
> Note that ip6_check_rh0hdr() can be easily tricked by hiding the
> routing header type 0 behind a fragment header. Only pf can protect
> you correctly as it reassembles on the forwarding path. So I am
> not sure whether it is worth adding it again.

to be quite honest I don't see the point. the "protection" in the
stack is either very incomplete and easy enough to trick - you point
it out yourself, fragment - or very expensive.
especially given that pf is enabled by default: make sure the stack
doesn't process RH0 itself, and otherwise leave it to pf. aka the
status quo.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
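
An added illustration, not part of either message and not OpenBSD's ip6_check_rh0hdr(): a per-packet header chain scan without reassembly, showing why it can only answer "cannot tell" once a fragment header cuts the chain, which is the gap the thread leaves to pf. The names scan_rh0 and rh0_verdict and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum rh0_verdict { RH0_ABSENT, RH0_PRESENT, RH0_UNKNOWN };

/* Per-packet walk of the IPv6 extension header chain, without reassembly. */
enum rh0_verdict scan_rh0(const uint8_t *pkt, size_t len)
{
    if (len < 40)
        return RH0_UNKNOWN;
    uint8_t nxt = pkt[6];              /* Next Header of the fixed header */
    size_t off = 40;
    for (;;) {
        if (nxt != 0 && nxt != 43 && nxt != 44 && nxt != 51 && nxt != 60)
            return RH0_ABSENT;         /* upper layer reached, chain ends */
        if (off + 8 > len)
            return RH0_UNKNOWN;        /* chain continues past this packet */
        if (nxt == 43 && pkt[off + 2] == 0)
            return RH0_PRESENT;        /* routing header, type 0 */
        if (nxt == 44) {               /* fragment header, fixed 8 bytes */
            if (((pkt[off + 2] << 8 | pkt[off + 3]) & 0xfff8) != 0)
                return RH0_UNKNOWN;    /* non-first fragment: no chain here */
            nxt = pkt[off];
            off += 8;
            continue;
        }
        /* AH counts 4-byte words minus 2; the others 8-byte units minus 1 */
        size_t hlen = nxt == 51 ? (pkt[off + 1] + 2u) * 4u
                                : (pkt[off + 1] + 1u) * 8u;
        nxt = pkt[off];
        off += hlen;
    }
}

/* Constructed sample packets (not captures); only fields the walk reads are set. */
static const uint8_t pkt_rh0[64]  = { [0] = 0x60, [5] = 24, [6] = 43,
                                      [40] = 59, [41] = 2, [42] = 0, [43] = 1 };
static const uint8_t pkt_frag[56] = { [0] = 0x60, [5] = 16, [6] = 44,
                                      [40] = 43, [42] = 0x00, [43] = 0x08 };
static const uint8_t pkt_udp[48]  = { [0] = 0x60, [5] = 8, [6] = 17 };

int main(void)
{
    printf("%d %d %d\n", scan_rh0(pkt_rh0, sizeof pkt_rh0),
           scan_rh0(pkt_frag, sizeof pkt_frag), scan_rh0(pkt_udp, sizeof pkt_udp));
    return 0;
}
```

A forwarding path that treats RH0_UNKNOWN as clean is incomplete, and one that drops on it discards legitimate fragments; deciding correctly requires reassembly.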