IPv6: pf drops all fragments unconditionally

Daniel Roethlisberger daniel at roe.ch
Mon Apr 28 12:50:01 UTC 2008


Inspired by the addition of IPv6 glue to the root zone and the various
IPv6 hours, I am in the process of IPv6 enabling systems and networks
under my control.

The only showstopper so far is the fact that pf unconditionally drops
all IPv6 fragmented packets, since IPv6 fragment reassembly is not
implemented yet.  According to pf.conf(5):

    Currently, only IPv4 fragments are supported and IPv6 fragments are
    blocked unconditionally.

While I certainly agree with failing closed by default, not open, I'd
really like to be able to have my machines handle IPv6 fragments
properly, or for the time being, have some way to at least make the
``drop all fragments'' behaviour tunable without patching/recompiling.
I am aware that given PMTU discovery, fragmentation is less likely to
happen with IPv6 than with IPv4.

What is the state of full IPv6 fragment reassembly support?  Is anybody
working on this, at FreeBSD or upstream?  Is there a reason why fragment
reassembly is any harder to implement for IPv6 than for IPv4?

I don't think that pf is ready for IPv6 yet if it unconditionally drops
IPv6 fragments.

-Dan

-- 
Daniel Roethlisberger <daniel at roe.ch>
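As an added illustration (not code from this post or from pf itself), the following Python walks an IPv6 extension-header chain to find the Fragment header, which is the classification step a filter must perform before it can either reassemble or, as the pf.conf(5) text quoted above says, block a fragment unconditionally. The sample packets and the 2001:db8:: addresses are constructed for the example.

```python
import struct

FRAGMENT_HEADER = 44                 # IPv6 Fragment extension header
CHAINED_EXT_HEADERS = {0, 43, 60}    # Hop-by-Hop, Routing, Destination Options

# Constructed sample addresses from the 2001:db8::/32 documentation prefix.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")

def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed test packet: fixed 40-byte IPv6 header followed by payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload

def fragment_header(offset_bytes: int, more: bool, ident: int, next_header: int = 58) -> bytes:
    """Constructed Fragment header (RFC 2460 section 4.5); offset is stored in 8-octet units."""
    return struct.pack("!BBHI", next_header, 0, ((offset_bytes // 8) << 3) | int(more), ident)

def parse_ipv6_fragment(packet: bytes):
    """Walk the extension-header chain; return fragment details, or None if unfragmented.

    Only the Fragment header is located and decoded: no reassembly is attempted.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, pos = packet[6], 40
    while next_header in CHAINED_EXT_HEADERS:
        if pos + 2 > len(packet):
            raise ValueError("truncated extension header")
        # hdr_ext_len counts 8-octet units beyond the first 8 octets
        next_header, pos = packet[pos], pos + (packet[pos + 1] + 1) * 8
    if next_header != FRAGMENT_HEADER:
        return None
    if pos + 8 > len(packet):
        raise ValueError("truncated fragment header")
    nh, _res, off_flags, ident = struct.unpack("!BBHI", packet[pos:pos + 8])
    return {"offset": (off_flags >> 3) * 8, "more": bool(off_flags & 1),
            "id": ident, "next_header": nh}

def pf_verdict(packet: bytes) -> str:
    """Mirror the pf.conf(5) behaviour quoted above: any IPv6 fragment is dropped."""
    return "drop" if parse_ipv6_fragment(packet) else "pass"

# Constructed samples: a plain ICMPv6 echo, a first fragment, and a last fragment behind Hop-by-Hop.
PLAIN = build_ipv6(58, b"\x80\x00" + b"\x00" * 6)
FIRST_FRAG = build_ipv6(44, fragment_header(0, True, 0xDEADBEEF) + b"\x80\x00" + b"\x00" * 6)
HBH = bytes([44, 0]) + b"\x01\x04\x00\x00\x00\x00"            # next=Fragment, len 0, PadN option
LAST_FRAG = build_ipv6(0, HBH + fragment_header(1480, False, 0xDEADBEEF) + b"\x00" * 8)
```

Running `pf_verdict` over the three samples shows that only the unfragmented echo passes, while both fragments, including the one hidden behind a Hop-by-Hop header, are classified for the unconditional drop.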