Problem Description:
With a 'scrub fragment reassemble' rule, a packet containing multiple IPv6
fragment headers would be reassembled, and then immediately processed. That
is, a packet with multiple fragment extension headers would not be recognized
as the correct ultimate payload. Instead a packet with multiple IPv6 fragment
headers would unexpectedly be interpreted as a fragmented packet, rather than
as whatever the real payload is.
Impact:
IPv6 fragments may bypass firewall rules written on the assumption all
fragments have been reassembled and, as a result, be forwarded or processed
by the host.