Subject: Re: heads up: IPv6 routing header 0 issues
To: None <tech-net@NetBSD.org>
From: Bernd Ernesti <netbsd@lists.veego.de>
List: tech-net
Date: 04/25/2007 09:06:49
On Wed, Apr 25, 2007 at 08:46:05AM +0200, Gert Doering wrote:
> Hi,
> 
> I'm not sure whether "the NetBSD network folks" are aware of the following
> issue:
> 
> http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
> 
> it's about IPv6 type 0 routing headers, and the fact that all BSDs are
> processing them to forward frames, even if ip6.forwarding = 0.
> 
> OpenBSD and FreeBSD have committed changes to their stacks yesterday
> already (do not forward frames if we're not a router), so there seems to
> be some sort of consensus on what's "the right thing to do".

I guess you are talking about the following commit:

: Date: Sun, 22 Apr 2007 19:47:42 +0000 (UTC)
: From: Christos Zoulas <christos@NetBSD.org>
: Subject: CVS commit: src
: 
: Module Name:    src
: Committed By:   christos
: Date:           Sun Apr 22 19:47:41 UTC 2007
: 
: Modified Files:
:         src/share/man/man7: sysctl.7
:         src/sys/netinet6: ip6_input.c ip6_var.h route6.c
: 
: Log Message:
: Disable processing of routing header type 0 packets since they can be used
: for DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
: 
: Information from:
:         http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
: 
: To generate a diff of this commit:
: cvs rdiff -r1.8 -r1.9 src/share/man/man7/sysctl.7
: cvs rdiff -r1.101 -r1.102 src/sys/netinet6/ip6_input.c
: cvs rdiff -r1.40 -r1.41 src/sys/netinet6/ip6_var.h
: cvs rdiff -r1.17 -r1.18 src/sys/netinet6/route6.c

Bernd
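The check the thread is about, as an added C example (not NetBSD kernel code): it parses an IPv6 base header followed by a type 0 routing header and applies both fixes discussed above, the OpenBSD/FreeBSD rule (never relay unless we are a router) and the NetBSD rule (RH0 processing off unless the net.inet6.ip6.rht0 knob is set). The ip6_policy struct, rh0_check and build_rh0_packet are assumed stand-ins, and the packet is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN 40
#define NEXTHDR_ROUTING 43

enum rh0_verdict { RH0_NONE, RH0_DROP, RH0_FORWARD };

/* Hypothetical stand-ins for the two kernel knobs discussed in the thread. */
struct ip6_policy { int forwarding; int rht0; };

/* Inspect a packet whose first extension header may be a routing header.
 * RH0_NONE: nothing to act on (deliver normally); RH0_DROP: discard;
 * RH0_FORWARD: a router with rht0 enabled may process it (segs_left set). */
enum rh0_verdict rh0_check(const uint8_t *pkt, size_t len,
                           const struct ip6_policy *p, unsigned *segs_left)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6) return RH0_DROP;
    if (pkt[6] != NEXTHDR_ROUTING) return RH0_NONE;
    if (len < IPV6_HDR_LEN + 8) return RH0_DROP;         /* truncated header */
    const uint8_t *rh = pkt + IPV6_HDR_LEN;
    uint8_t extlen = rh[1], type = rh[2], segs = rh[3];  /* extlen: 8-octet units */
    if (type != 0) return RH0_NONE;                      /* other types: out of scope */
    if (segs == 0) return RH0_NONE;                      /* RFC 2460: ignore the header */
    if (!p->rht0) return RH0_DROP;                       /* NetBSD default after the commit */
    if (!p->forwarding) return RH0_DROP;                 /* not a router: never relay */
    if ((extlen & 1) || segs > extlen / 2) return RH0_DROP; /* malformed RH0 */
    if (len < IPV6_HDR_LEN + 8 + (size_t)extlen * 8) return RH0_DROP;
    if (segs_left) *segs_left = segs;
    return RH0_FORWARD;
}

/* Constructed sample: IPv6 base header + RH0 carrying naddr (all-zero) addresses. */
size_t build_rh0_packet(uint8_t *buf, size_t cap, unsigned naddr, unsigned segs)
{
    size_t rhlen = 8 + 16 * (size_t)naddr, total = IPV6_HDR_LEN + rhlen;
    if (naddr > 127 || cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                           /* version 6 */
    buf[4] = (uint8_t)(rhlen >> 8);          /* payload length */
    buf[5] = (uint8_t)(rhlen & 0xff);
    buf[6] = NEXTHDR_ROUTING;
    buf[7] = 64;                             /* hop limit */
    buf[IPV6_HDR_LEN + 0] = 59;              /* next header: none */
    buf[IPV6_HDR_LEN + 1] = (uint8_t)(2 * naddr);
    buf[IPV6_HDR_LEN + 3] = (uint8_t)segs;   /* type byte stays 0 (RH0) from memset */
    return total;
}
```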