Wasn't this check introduced as mitigation of CVE-2008-2476 five years ago?
E.g. http://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/001_ndp.patch
Am 07.05.2013 um 18:26 schrieb Stefan Sperling <s...@openbsd.org>:
> On Tue, May 07, 2013 at 04:48:41PM +0200, Janne Johansson wrote:
>> this patch (stupidly) fixes my problem. I don't like my broken setup,
>> but this works.
>
> We've determined the RFC doesn't require source addresses in
> neighbour solicitations to be sent from a matching prefix.
>
> I don't see any reason why responding to such solicitations is bad.
> I agree with removing this check.
>
>> Index: nd6_nbr.c
>> ===================================================================
>> RCS file: /cvs/src/sys/netinet6/nd6_nbr.c,v
>> retrieving revision 1.66
>> diff -u -p -r1.66 nd6_nbr.c
>> --- nd6_nbr.c 7 Mar 2013 09:03:16 -0000 1.66
>> +++ nd6_nbr.c 7 May 2013 11:44:56 -0000
>> @@ -132,17 +132,7 @@ nd6_ns_input(struct mbuf *m, int off, in
>> "(wrong ip6 dst)\n"));
>> goto bad;
>> }
>> - } else {
>> - /*
>> - * Make sure the source address is from a neighbor's address.
>> - */
>> - if (!in6_ifpprefix(ifp, &saddr6)) {
>> - nd6log((LOG_INFO, "nd6_ns_input: "
>> - "NS packet from non-neighbor\n"));
>> - goto bad;
>> - }
>> }
>> -
>>
>> if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
>> nd6log((LOG_INFO, "nd6_ns_input: bad NS target (multicast)\n"));
