by wwalexander 1107 days ago
This is in line with the evil bit spec as per TFA:

> Devices such as firewalls MUST drop all inbound packets that have the evil bit set.


If you're a firewall vendor, it seems like a no-lose situation to drop packets with the evil bit. Either someone's experimenting like in this blog post, and you look cool because you implemented an April Fool's RFC, or someone is actually sending malicious packets, and you look like a competent firewall. Imagine if you didn't drop the packets with the evil bit, and a hacker thinks it's funny to add the bit to their packets while they're exploiting some unrelated vulnerability in your software. The post-mortems and exploit writeups would make you look incompetent - "this firewall vendor can't even stop packets that announce their evil intentions!"
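For readers who want to see what "drop packets with the evil bit set" amounts to in code, here is an added example that is not part of the thread or of any firewall product. It parses a fixed IPv4 header, reads the evil bit (RFC 3514 puts it in the high-order bit of the flags/fragment-offset field, the bit RFC 791 reserves as zero), and returns the one verdict the RFC asks of a firewall. The header builder, checksum routine and the addresses used are constructed test scaffolding, not anything from the post.

```python
import ipaddress
import struct

# RFC 3514 assigns the "evil bit" to the high-order bit of the IPv4
# flags/fragment-offset field, i.e. the bit RFC 791 reserves as zero.
EVIL_BIT = 0x8000
DONT_FRAGMENT = 0x4000
MORE_FRAGMENTS = 0x2000
FRAG_OFFSET_MASK = 0x1FFF


def _checksum(data: bytes) -> int:
    """RFC 791 one's-complement checksum over an even-length byte string."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header; options are not interpreted."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "ihl": ver_ihl & 0x0F,
        "total_length": total_length,
        "id": ident,
        "evil": bool(flags_frag & EVIL_BIT),
        "df": bool(flags_frag & DONT_FRAGMENT),
        "mf": bool(flags_frag & MORE_FRAGMENTS),
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def verdict(packet: bytes) -> str:
    """The single rule RFC 3514 imposes on a firewall: drop iff the evil bit is set.

    A header too short to parse is also dropped here; that choice is this
    example's assumption, not something the RFC specifies.
    """
    try:
        hdr = parse_ipv4_header(packet)
    except ValueError:
        return "DROP"
    return "DROP" if hdr["evil"] else "ACCEPT"


def build_ipv4_header(src: str, dst: str, *, evil: bool = False, df: bool = True,
                      frag_offset: int = 0, payload_len: int = 0,
                      ident: int = 0x1234, proto: int = 6) -> bytes:
    """Constructed sample header for exercising the filter (checksum filled in)."""
    flags_frag = ((EVIL_BIT if evil else 0)
                  | (DONT_FRAGMENT if df else 0)
                  | (frag_offset & FRAG_OFFSET_MASK))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


if __name__ == "__main__":
    # Constructed sample traffic using documentation-range addresses.
    for label, pkt in [
        ("benign", build_ipv4_header("192.0.2.1", "198.51.100.7")),
        ("evil", build_ipv4_header("192.0.2.1", "198.51.100.7", evil=True)),
    ]:
        print(label, parse_ipv4_header(pkt)["evil"], verdict(pkt))
```

Because RFC 791 requires the reserved bit to be zero, a packet arriving with it set is malformed under the real IPv4 specification regardless of RFC 3514, which is why dropping it costs a vendor nothing in practice.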
Section 4 of the RFC says:

> Packets with the evil bit off MUST NOT be dropped.

That seems to be at odds with standard firewall operation, which may choose to drop packets for all sorts of reasons unrelated to the "Evil bit". This would seem to constrain their operations unnecessarily, and so I would say that it is in the best interest of security vendors to ignore most of this RFC as frivolous and not binding.

No, no, that's the whole point - assuming standards-compliant users and attackers who follow this RFC, this simplifies firewall operation so that all packets with the evil bit off are not evil and can safely be forwarded, as any malicious traffic without the evil bit is simply noncompliant and should not be there, so any consequences of that are the fault of the noncompliant device (i.e. the attacker) as the firewall is operating properly according to the requirements.
I interpreted that as having an implicit “by this step of the filtering process”, not as applying to the entire firewall.
The purpose of the RFC is to simplify security on the Internet, make such decisions transparent, and to preserve clear separation of concerns between the layers. As such, the evil bit is supposed to be the only thing that a conforming device checks.

Otherwise, we're back to square 1, where you don't know what caused your packets to be dropped even though they are clearly and explicitly not evil!