Wasn't this check introduced as mitigation of CVE-2008-2476 five years ago? E.g. http://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/001_ndp.patch
Am 07.05.2013 um 18:26 schrieb Stefan Sperling <s...@openbsd.org>: > On Tue, May 07, 2013 at 04:48:41PM +0200, Janne Johansson wrote: >> this patch (stupidly) fixes my problem. I don't like my broken setup, >> but this works. > > We've determined the RFC doesn't require source addresses in > neighbour solicitations to be sent from a matching prefix. > > I don't see any reason why responding to such solicitations is bad. > I agree with removing this check. > >> Index: nd6_nbr.c >> =================================================================== >> RCS file: /cvs/src/sys/netinet6/nd6_nbr.c,v >> retrieving revision 1.66 >> diff -u -p -r1.66 nd6_nbr.c >> --- nd6_nbr.c 7 Mar 2013 09:03:16 -0000 1.66 >> +++ nd6_nbr.c 7 May 2013 11:44:56 -0000 >> @@ -132,17 +132,7 @@ nd6_ns_input(struct mbuf *m, int off, in >> "(wrong ip6 dst)\n")); >> goto bad; >> } >> - } else { >> - /* >> - * Make sure the source address is from a neighbor's address. >> - */ >> - if (!in6_ifpprefix(ifp, &saddr6)) { >> - nd6log((LOG_INFO, "nd6_ns_input: " >> - "NS packet from non-neighbor\n")); >> - goto bad; >> - } >> } >> - >> >> if (IN6_IS_ADDR_MULTICAST(&taddr6)) { >> nd6log((LOG_INFO, "nd6_ns_input: bad NS target (multicast)\n"));