ip6-nd: Solicitation reply only if target is our link-local

Type: fix

The fib source IP6_ND is used for all link-local entries, hence
solicitation responses were sent for a peer's address. Constrain the
source check to also in clude the LOCAL flag, which indicates that the
link-local address is ours.

Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: Iba7e66049e4d89ee3f36d77aeb09310b978d70de

src/vnet/ip6-nd/ip6_nd.c

@@ -215,10 +215,15 @@ icmp6_neighbor_solicitation_or_advertisement (vlib_main_t * vm,
 			  /* It's an address that belongs to one of our interfaces
 			   * that's good. */
 			}
-		      else
-			if (fib_entry_is_sourced
-			    (fei, FIB_SOURCE_IP6_ND_PROXY) ||
-			    fib_entry_is_sourced (fei, FIB_SOURCE_IP6_ND))
+		      else if (FIB_ENTRY_FLAG_LOCAL &
+			       fib_entry_get_flags_for_source (
+				 fei, FIB_SOURCE_IP6_ND))
+			{
+			  /* It's one of our link local addresses
+			   * that's good. */
+			}
+		      else if (fib_entry_is_sourced (fei,
+						     FIB_SOURCE_IP6_ND_PROXY))
 			{
 			  /* The address was added by IPv6 Proxy ND config.
 			   * We should only respond to these if the NS arrived on

test/test_ip6.py

@@ -504,6 +504,18 @@ class TestIPv6(TestIPv6ND):
                                 dst_ip=self.pg0._remote_hosts[3].ip6_ll,
                                 tgt_ip=self.pg0.local_ip6_ll)
 
+        #
+        # do not respond to a NS for the peer's address
+        #
+        p = (Ether(dst=in6_getnsmac(nsma), src=self.pg0.remote_mac) /
+             IPv6(dst=d,
+                  src=self.pg0._remote_hosts[3].ip6_ll) /
+             ICMPv6ND_NS(tgt=self.pg0._remote_hosts[3].ip6_ll) /
+             ICMPv6NDOptSrcLLAddr(
+                 lladdr=self.pg0.remote_mac))
+
+        self.send_and_assert_no_replies(self.pg0, p)
+
         #
         # we should have learned an ND entry for the peer's link-local
         # but not inserted a route to it in the FIB