IPv6 scrubbing

[Freek Dijkstra]

Hi,

What is the advice on scrubbing IPv6 packets in PF?

I've come across three bugs in pf that caused legitimate IPv6 to be dropped:

* "scrub fragment reassemble" drops all IPv6 fragments. (PF in OpenBSD
5.0 has fixed this, but FreeBSD 9.2 unfortunately still seems to use the
PF version of OpenBSD 4.5).
(http://www.freebsd.org/cgi/query-pr.cgi?pr=124933)

* "scrub reassemble tcp" is causing a ~30 second delay in setting up a
SSH connecting to a server with a pf firewall. In TCPdump I see a large
number of TCP retransmissions from the client to the server after the
SYN ACK packet. I have not dived into the specifics, but turning this
option off fixed things.
(http://www.freebsd.org/cgi/query-pr.cgi?pr=172648)

* IPv6 traffic over the loopback interface (lo0) generally is reported
as traversing a non-loopback interface. I've first come across this in
ipfw, but since the bug is in the kernel, it applies to PF as well.
(http://www.freebsd.org/cgi/query-pr.cgi?pr=165190)


While these are the only pf/IPv6 bugs I've encountered since I started
using FreeBSD about 2 years ago now, and switched to PF last month, I
see more potential problems, like #169630 (though that's not IPv6 specific).

Rather than waiting for me to bump into the next IPv6 bug, I try to
understand the current limitations of IPv6 support in PF.


In particular, what is the recommended scrubbing for IPv6 packets?

I currently have:
scrub ipv4 fragment reassemble reassemble tcp random-id
scrub ipv6 fragment reassemble random-id
pass quick inet6 proto ipv6-frag all

Is this recommended?



A small question about the bug database:

Is there a way to 'follow' certain bug reports (i.e. get email upon
comments or state changes)?

Bugs #165190 and #169630 have patches for over a year (even though the
later has no '[patch]' tag yet); what is the general way to raise
awareness of these bugs so they are applied to a next version of FreeBSD?


Regards,
Freek Dijkstra