From owner-freebsd-pf@FreeBSD.ORG Mon Apr 28 12:50:01 2008
Date: Mon, 28 Apr 2008 14:31:31 +0200
From: Daniel Roethlisberger
To: freebsd-pf@freebsd.org
Message-ID: <20080428123131.GA11879@hobbes.ustdmz.roe.ch>
Subject: IPv6: pf drops all fragments unconditionally
List-Id: "Technical discussion and general questions about packet filter (pf)"

Inspired by the addition of IPv6 glue to the root zone and the various IPv6 hours, I am in the process of IPv6-enabling systems and networks under my control. The only showstopper so far is the fact that pf unconditionally drops all IPv6 fragmented packets, since IPv6 fragment reassembly is not implemented yet. According to pf.conf(5):

    Currently, only IPv4 fragments are supported and IPv6 fragments are
    blocked unconditionally.

While I certainly agree with failing closed by default, not open, I'd really like to be able to have my machines handle IPv6 fragments properly, or, for the time being, have some way to at least make the "drop all fragments" behaviour tunable without patching/recompiling. I am aware that, given PMTU discovery, fragmentation is less likely to happen with IPv6 than with IPv4.

What is the state of full IPv6 fragment reassembly support? Is anybody working on this, at FreeBSD or upstream? Is there a reason why fragment reassembly is any harder to implement for IPv6 than for IPv4?

I don't think that pf is ready for IPv6 yet if it unconditionally drops IPv6 fragments.

-Dan

-- 
Daniel Roethlisberger
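The post describes a filter that cannot reassemble IPv6 fragments and therefore drops any packet carrying one. The step a filter has to perform before it can decide anything about a fragment is walking the IPv6 extension-header chain to find the Fragment header (next-header value 44), which, unlike the IPv4 case, is not in the fixed header. The following is an added example, not code from the post or from pf, that implements that walk and then applies the "drop all IPv6 fragments" policy to a handful of constructed packets, so an operator can estimate how much of their own traffic such a policy would affect. Header numbers follow RFC 8200 and the IANA protocol-number registry; the packets, addresses and identification value are constructed for the example.

```python
import struct

# Extension-header and upper-layer protocol numbers (IANA / RFC 8200).
HOPOPT, ROUTING, FRAGMENT, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 51, 59, 60
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def parse_ipv6_fragment(pkt: bytes):
    """Walk the IPv6 header chain; return fragment details or None.

    Returns a dict with 'id', 'offset' (in bytes), 'more' and 'upper' when a
    Fragment header is present, None for an unfragmented packet, and raises
    ValueError for truncated or malformed input (which a filter should also
    treat as a drop, not as "unfragmented").
    """
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 fixed header")
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = 40 + payload_len
    if end > len(pkt):
        raise ValueError("payload length exceeds captured bytes")
    nxt, off = pkt[6], 40
    while True:
        if nxt == FRAGMENT:
            if off + 8 > end:
                raise ValueError("truncated Fragment header")
            upper, _res, fo_flags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            return {
                "id": ident,
                "offset": (fo_flags >> 3) * 8,   # 13-bit offset in 8-octet units
                "more": bool(fo_flags & 1),      # M flag
                "upper": UPPER_LAYER.get(upper, upper),
            }
        if nxt in (HOPOPT, ROUTING, DEST_OPTS):
            if off + 2 > end:
                raise ValueError("truncated extension header")
            hdr_len = (pkt[off + 1] + 1) * 8     # Hdr Ext Len excludes first 8 octets
        elif nxt == AH:
            if off + 2 > end:
                raise ValueError("truncated AH header")
            hdr_len = (pkt[off + 1] + 2) * 4     # AH length is in 32-bit words minus 2
        else:
            return None                          # upper-layer header or No Next Header
        nxt = pkt[off]
        off += hdr_len
        if off > end:
            raise ValueError("extension header runs past payload")


def apply_drop_all_fragments(packets):
    """Classify packets under a 'drop every IPv6 fragment' policy."""
    counts = {"total": len(packets), "dropped": 0, "passed": 0, "malformed": 0}
    for p in packets:
        try:
            frag = parse_ipv6_fragment(p)
        except ValueError:
            counts["malformed"] += 1
            continue
        counts["dropped" if frag is not None else "passed"] += 1
    return counts


# --- constructed sample packets (documentation prefix 2001:db8::/32) ---
def build_ipv6(nxt, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64) + src + dst + payload

UDP_HDR = struct.pack("!HHHH", 53, 53, 8, 0)            # minimal UDP header, no data
FRAG_ID = 0xABCD1234                                     # constructed identification

# 1) plain UDP, no extension headers
PKT_PLAIN = build_ipv6(17, UDP_HDR)
# 2) first fragment of a UDP datagram (offset 0, M=1)
PKT_FIRST_FRAG = build_ipv6(FRAGMENT, struct.pack("!BBHI", 17, 0, (0 << 3) | 1, FRAG_ID) + UDP_HDR)
# 3) Hop-by-Hop (one PadN option) followed by the last fragment (offset 8 bytes, M=0)
HBH = bytes([FRAGMENT, 0]) + bytes([1, 4, 0, 0, 0, 0])
PKT_HBH_LAST_FRAG = build_ipv6(HOPOPT, HBH + struct.pack("!BBHI", 17, 0, (1 << 3) | 0, FRAG_ID) + b"\x00" * 8)
# 4) truncated: fixed header claims more payload than is present
PKT_TRUNCATED = build_ipv6(17, UDP_HDR)[:44]

SAMPLE_PACKETS = [PKT_PLAIN, PKT_FIRST_FRAG, PKT_HBH_LAST_FRAG, PKT_TRUNCATED]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS[:3]:
        print(parse_ipv6_fragment(p))
    print(apply_drop_all_fragments(SAMPLE_PACKETS))
```

The walk stops at the first upper-layer header, so a Fragment header hidden behind a Hop-by-Hop or Destination Options header is still found, and a packet whose header chain does not fit inside the declared payload length is reported as malformed rather than silently passed. Replacing the `SAMPLE_PACKETS` list with the raw IPv6 packets from a capture gives a quick count of how much traffic the current pf behaviour described in the post would discard.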