icmp6 + ipf packet of death

I am afraid we might have an icmp6 packet of death problem. I don't know what the packet is yet... but I received two crashes recently, one on a very current OS version, and one several months old. This is a frequent crash, although I do not know the actual trigger yet.

Here is the trace from the older machine:

NetBSD 4.99.38 (GENERIC) #0: Sat Dec  1 03:52:04 UTC 2007

fr_makefrip(28,cadd8030,ccee78d4,2068880,f7aa9d99) at netbsd:fr_makefrip+0x132 fr_checkicmp6matchingstate(1900,850b,6fbe5514,4,c02e1919) at netbsd:fr_checkicmp6matchingstate+0xc8 fr_stlookup(ccee7b74,cadd8028,ccee7b28,c1851500,c1c8ad00) at netbsd:fr_stlookup+0x27c fr_checkstate(ccee7b74,ccee7c1c,ccee7b74,c16282c0,ccee7b8c) at netbsd:fr_checkstate+0x463
fr_check(c1c8add0,28,c160d04c,1,ccee7c8c) at netbsd:fr_check+0x650
fr_check_wrapper6(0,ccee7c8c,c160d04c,2,0) at netbsd:fr_check_wrapper6+0x40
pfil_run_hooks(c0a8fe40,ccee7e14,c160d04c,2,0) at netbsd:pfil_run_hooks+0x91
ip6_output(c1c8ad00,0,ccee7ddc,4,0) at netbsd:ip6_output+0xd34
icmp6_reflect(c1c8ad00,28,1,ccee7f1c,408) at netbsd:icmp6_reflect+0x287
icmp6_error(c20b9900,3,1,0,c0a54f20) at netbsd:icmp6_error+0x2c9
frag6_freef(3,1,c07a0430,c01450b8,c07a1140) at netbsd:frag6_freef+0x6a
frag6_slowtimo(47aca08e,c343208e,73288405,c0a05d60,4) at netbsd:frag6_slowtimo+0x7d
pfslowtimo(0,c160c000,c160c16c,c0a9fea0,c0a05d60) at netbsd:pfslowtimo+0x39
callout_softclock(0,3,c160d04c,0,0) at netbsd:callout_softclock+0x21d
softintr_dispatch(0,ca83fbfc,1040028,0,0) at netbsd:softintr_dispatch+0x3f
DDB lost frame for netbsd:Xsoftclock+0x35, trying 0xccee7ff4
Xsoftclock() at netbsd:Xsoftclock+0x35

The newer machine I don't have a serial console on, and it doesn't save core, but here are the typed-in-from-a-photo details:

NetBSD 4.99.53 (GENERIC) #0: Thu Feb  7 11:39:43 UTC 2008

fr_makefrip() +0x132
fr_checkicmp6matchingstate() + 0xc8
fr_stlookup() + 0x6dc
fr_checkstate() + 0x463
fr_check() + 0x650
fr_check_wrapper6() + 0x40
pfil_run_hooks() + 0x91
ip6_input() + 0x349
ip6intr() + 0x3f
softint_dispatch() + 0x79

