[NoZebra120vClip]

Section 4 of the RFC says:

> Packets with the evil bit off MUST NOT be dropped.

That seems to be at odds with standard firewall operation, that may choose to drop packets because of all sorts of reasons unrelated to the "Evil bit". This would seem to constrain their operations unnecessarily, and so I would say that it is in the best interest of security vendors to ignore most of this RFC as frivolous and not binding.

[PeterisP]

No, no, that's the whole point - assuming standards-compliant users and attackers who follow this RFC, this simplifies firewall operation so that all packets with the evil bit off are not evil and can safely be forwarded, as any malicious traffic without the evil bit is simply noncompliant and should not be there, so any consequences of that are the fault of the noncompliant device (i.e. the attacker) as the firewall is operating properly according to the requirements.

[gbear605]

I interpreted that as having an implicit “by this step of the filtering process”, not as applying to the entire firewall.

[tsimionescu]

The purpose of the RFC is to simplify security on the Internet, make such decisions transparent, and to preserve clear separation of concerns between the layers. As such, the evil bit is supposed to be the only thing that a conforming device checks.

Otherwise, we're back to square 1, where you don't know what caused your packets to be dropped even though they are clearly and explicitly not evil!