]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/netinet6/nd6_nbr.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-4903.270.47.tar.gz
[apple/xnu.git] / bsd / netinet6 / nd6_nbr.c
diff --git a/bsd/netinet6/nd6_nbr.c b/bsd/netinet6/nd6_nbr.c
index 53d5367cf3af782c443ec0f94db1540bde6f9f20..9adb4feae3a6ebc3e711838a534b2a7b196f2255 100644 (file)
--- a/bsd/netinet6/nd6_nbr.c
+++ b/bsd/netinet6/nd6_nbr.c
@@ -1,8 +1,8 @@
 /*
 /*
- * Copyright (c) 2000-2012 Apple Inc. All rights reserved.
+ * Copyright (c) 2000-2019 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
- * 
+ *
  * This file contains Original Code and/or Modifications of Original Code
  * as defined in and that are subject to the Apple Public Source License
  * Version 2.0 (the 'License'). You may not use this file except in
  * This file contains Original Code and/or Modifications of Original Code
  * as defined in and that are subject to the Apple Public Source License
  * Version 2.0 (the 'License'). You may not use this file except in
@@ -11,10 +11,10 @@
  * unlawful or unlicensed copies of an Apple operating system, or to
  * circumvent, violate, or enable the circumvention or violation of, any
  * terms of an Apple operating system software license agreement.
  * unlawful or unlicensed copies of an Apple operating system, or to
  * circumvent, violate, or enable the circumvention or violation of, any
  * terms of an Apple operating system software license agreement.
- * 
+ *
  * Please obtain a copy of the License at
  * http://www.opensource.apple.com/apsl/ and read it before using this file.
  * Please obtain a copy of the License at
  * http://www.opensource.apple.com/apsl/ and read it before using this file.
- * 
+ *
  * The Original Code and all software distributed under the License are
  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  * The Original Code and all software distributed under the License are
  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
@@ -22,11 +22,9 @@
  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  * Please see the License for the specific language governing rights and
  * limitations under the License.
  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  * Please see the License for the specific language governing rights and
  * limitations under the License.
- * 
+ *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
  */
  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
  */
-/*     $FreeBSD: src/sys/netinet6/nd6_nbr.c,v 1.4.2.4 2001/07/06 05:32:25 sumikawa Exp $       */
-/*     $KAME: nd6_nbr.c,v 1.64 2001/05/17 03:48:30 itojun Exp $        */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -71,6 +69,7 @@
 #include <sys/mcache.h>
 #include <sys/protosw.h>
 #include <kern/queue.h>
 #include <sys/mcache.h>
 #include <sys/protosw.h>
 #include <kern/queue.h>
+#include <dev/random/randomdev.h>
 
 #include <kern/locks.h>
 #include <kern/zalloc.h>
 
 #include <kern/locks.h>
 #include <kern/zalloc.h>
@@ -81,10 +80,13 @@
 #include <net/if_dl.h>
 #include <net/if_llreach.h>
 #include <net/route.h>
 #include <net/if_dl.h>
 #include <net/if_llreach.h>
 #include <net/route.h>
+#include <net/dlil.h>
+#include <net/nwk_wq.h>
 
 #include <netinet/in.h>
 #include <netinet/in_var.h>
 #include <netinet6/in6_var.h>
 
 #include <netinet/in.h>
 #include <netinet/in_var.h>
 #include <netinet6/in6_var.h>
+#include <netinet6/in6_ifattach.h>
 #include <netinet/ip6.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/nd6.h>
 #include <netinet/ip6.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/nd6.h>
@@ -96,75 +98,76 @@
 #if INET6
 #include <netinet6/ipsec6.h>
 #endif
 #if INET6
 #include <netinet6/ipsec6.h>
 #endif
-extern int ipsec_bypass;
 #endif
 
 #endif
 
-#include <net/net_osdep.h>
-
 struct dadq;
 struct dadq;
-static struct dadq *nd6_dad_find(struct ifaddr *);
+static struct dadq *nd6_dad_find(struct ifaddr *, struct nd_opt_nonce *);
 void nd6_dad_stoptimer(struct ifaddr *);
 static void nd6_dad_timer(struct ifaddr *);
 static void nd6_dad_ns_output(struct dadq *, struct ifaddr *);
 void nd6_dad_stoptimer(struct ifaddr *);
 static void nd6_dad_timer(struct ifaddr *);
 static void nd6_dad_ns_output(struct dadq *, struct ifaddr *);
-static void nd6_dad_ns_input(struct ifaddr *);
-static void nd6_dad_na_input(struct ifaddr *, caddr_t, int);
+static void nd6_dad_ns_input(struct ifaddr *, char *, int, struct nd_opt_nonce *);
+static struct mbuf *nd6_dad_na_input(struct mbuf *, struct ifnet *,
+    struct in6_addr *, caddr_t, int);
 static void dad_addref(struct dadq *, int);
 static void dad_remref(struct dadq *);
 static struct dadq *nd6_dad_attach(struct dadq *, struct ifaddr *);
 static void nd6_dad_detach(struct dadq *, struct ifaddr *);
 
 static void dad_addref(struct dadq *, int);
 static void dad_remref(struct dadq *);
 static struct dadq *nd6_dad_attach(struct dadq *, struct ifaddr *);
 static void nd6_dad_detach(struct dadq *, struct ifaddr *);
 
-static int dad_ignore_ns = 0;  /* ignore NS in DAD - specwise incorrect*/
-static int dad_maxtry = 15;    /* max # of *tries* to transmit DAD packet */
+static int dad_maxtry = 15;     /* max # of *tries* to transmit DAD packet */
 
 
-static unsigned int dad_size;                  /* size of zone element */
-static struct zone *dad_zone;                  /* zone for dadq */
+static unsigned int dad_size;                   /* size of zone element */
+static struct zone *dad_zone;                   /* zone for dadq */
 
 
-#define        DAD_ZONE_MAX    64                      /* maximum elements in zone */
-#define        DAD_ZONE_NAME   "nd6_dad"               /* zone name */
+#define DAD_ZONE_MAX    64                      /* maximum elements in zone */
+#define DAD_ZONE_NAME   "nd6_dad"               /* zone name */
 
 
-#define        DAD_LOCK_ASSERT_HELD(_dp)                                       \
-       lck_mtx_assert(&(_dp)->dad_lock, LCK_MTX_ASSERT_OWNED)
+#define DAD_LOCK_ASSERT_HELD(_dp)                                       \
+       LCK_MTX_ASSERT(&(_dp)->dad_lock, LCK_MTX_ASSERT_OWNED)
 
 
-#define        DAD_LOCK_ASSERT_NOTHELD(_dp)                                    \
-       lck_mtx_assert(&(_dp)->dad_lock, LCK_MTX_ASSERT_NOTOWNED)
+#define DAD_LOCK_ASSERT_NOTHELD(_dp)                                    \
+       LCK_MTX_ASSERT(&(_dp)->dad_lock, LCK_MTX_ASSERT_NOTOWNED)
 
 
-#define        DAD_LOCK(_dp)                                                   \
+#define DAD_LOCK(_dp)                                                   \
        lck_mtx_lock(&(_dp)->dad_lock)
 
        lck_mtx_lock(&(_dp)->dad_lock)
 
-#define        DAD_LOCK_SPIN(_dp)                                              \
+#define DAD_LOCK_SPIN(_dp)                                              \
        lck_mtx_lock_spin(&(_dp)->dad_lock)
 
        lck_mtx_lock_spin(&(_dp)->dad_lock)
 
-#define        DAD_CONVERT_LOCK(_dp) do {                                      \
-       DAD_LOCK_ASSERT_HELD(_dp);                                      \
-       lck_mtx_convert_spin(&(_dp)->dad_lock);                         \
+#define DAD_CONVERT_LOCK(_dp) do {                                      \
+       DAD_LOCK_ASSERT_HELD(_dp);                                      \
+       lck_mtx_convert_spin(&(_dp)->dad_lock);                         \
 } while (0)
 
 } while (0)
 
-#define        DAD_UNLOCK(_dp)                                                 \
+#define DAD_UNLOCK(_dp)                                                 \
        lck_mtx_unlock(&(_dp)->dad_lock)
 
        lck_mtx_unlock(&(_dp)->dad_lock)
 
-#define        DAD_ADDREF(_dp)                                                 \
+#define DAD_ADDREF(_dp)                                                 \
        dad_addref(_dp, 0)
 
        dad_addref(_dp, 0)
 
-#define        DAD_ADDREF_LOCKED(_dp)                                          \
+#define DAD_ADDREF_LOCKED(_dp)                                          \
        dad_addref(_dp, 1)
 
        dad_addref(_dp, 1)
 
-#define        DAD_REMREF(_dp)                                                 \
+#define DAD_REMREF(_dp)                                                 \
        dad_remref(_dp)
 
 extern lck_mtx_t *dad6_mutex;
 extern lck_mtx_t *nd6_mutex;
        dad_remref(_dp)
 
 extern lck_mtx_t *dad6_mutex;
 extern lck_mtx_t *nd6_mutex;
-extern int in6_get_hw_ifid(struct ifnet *, struct in6_addr *);
 
 
-static int nd6_llreach_base = (LL_BASE_REACHABLE / 1000); /* seconds */
+static int nd6_llreach_base = 30;        /* seconds */
 
 static struct sockaddr_in6 hostrtmask;
 
 SYSCTL_DECL(_net_inet6_icmp6);
 
 static struct sockaddr_in6 hostrtmask;
 
 SYSCTL_DECL(_net_inet6_icmp6);
-
 SYSCTL_INT(_net_inet6_icmp6, OID_AUTO, nd6_llreach_base,
 SYSCTL_INT(_net_inet6_icmp6, OID_AUTO, nd6_llreach_base,
-    CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_llreach_base, LL_BASE_REACHABLE,
+    CTLFLAG_RW | CTLFLAG_LOCKED, &nd6_llreach_base, 0,
     "default ND6 link-layer reachability max lifetime (in seconds)");
 
     "default ND6 link-layer reachability max lifetime (in seconds)");
 
+int dad_enhanced = 1;
+SYSCTL_DECL(_net_inet6_ip6);
+SYSCTL_INT(_net_inet6_ip6, OID_AUTO, dad_enhanced, CTLFLAG_RW | CTLFLAG_LOCKED,
+    &dad_enhanced, 0,
+    "Enable Enhanced DAD, which adds a random nonce to NS messages for DAD.");
+
 /*
  * Obtain a link-layer source cache entry for the sender.
  *
 /*
  * Obtain a link-layer source cache entry for the sender.
  *
@@ -178,8 +181,8 @@ nd6_llreach_alloc(struct rtentry *rt, struct ifnet *ifp, void *addr,
 
        if (nd6_llreach_base != 0 &&
            (ln->ln_expire != 0 || (ifp->if_eflags & IFEF_IPV6_ND6ALT) != 0) &&
 
        if (nd6_llreach_base != 0 &&
            (ln->ln_expire != 0 || (ifp->if_eflags & IFEF_IPV6_ND6ALT) != 0) &&
-           rt->rt_ifp != lo_ifp &&
-           ifp->if_addrlen == IF_LLREACH_MAXLEN &&     /* Ethernet */
+           !(rt->rt_ifp->if_flags & IFF_LOOPBACK) &&
+           ifp->if_addrlen == IF_LLREACH_MAXLEN &&     /* Ethernet */
            alen == ifp->if_addrlen) {
                struct if_llreach *lr;
                const char *why = NULL, *type = "";
            alen == ifp->if_addrlen) {
                struct if_llreach *lr;
                const char *why = NULL, *type = "";
@@ -204,7 +207,7 @@ nd6_llreach_alloc(struct rtentry *rt, struct ifnet *ifp, void *addr,
                                why = " for different target HW address; "
                                    "using new llreach record";
                        } else {
                                why = " for different target HW address; "
                                    "using new llreach record";
                        } else {
-                               lr->lr_probes = 0;      /* reset probe count */
+                               lr->lr_probes = 0;      /* reset probe count */
                                IFLR_UNLOCK(lr);
                                if (solicited) {
                                        why = " for same target HW address; "
                                IFLR_UNLOCK(lr);
                                if (solicited) {
                                        why = " for same target HW address; "
@@ -217,18 +220,19 @@ nd6_llreach_alloc(struct rtentry *rt, struct ifnet *ifp, void *addr,
                        lr = ln->ln_llreach = ifnet_llreach_alloc(ifp,
                            ETHERTYPE_IPV6, addr, alen, nd6_llreach_base);
                        if (lr != NULL) {
                        lr = ln->ln_llreach = ifnet_llreach_alloc(ifp,
                            ETHERTYPE_IPV6, addr, alen, nd6_llreach_base);
                        if (lr != NULL) {
-                               lr->lr_probes = 0;      /* reset probe count */
-                               if (why == NULL)
+                               lr->lr_probes = 0;      /* reset probe count */
+                               if (why == NULL) {
                                        why = "creating new llreach record";
                                        why = "creating new llreach record";
+                               }
                        }
                }
 
                if (nd6_debug && lr != NULL && why != NULL) {
                        char tmp[MAX_IPv6_STR_LEN];
 
                        }
                }
 
                if (nd6_debug && lr != NULL && why != NULL) {
                        char tmp[MAX_IPv6_STR_LEN];
 
-                       nd6log((LOG_DEBUG, "%s%d: %s%s for %s\n", ifp->if_name,
-                           ifp->if_unit, type, why, inet_ntop(AF_INET6,
-                           &SIN6(rt_key(rt))->sin6_addr, tmp, sizeof (tmp))));
+                       nd6log((LOG_DEBUG, "%s: %s%s for %s\n", if_name(ifp),
+                           type, why, inet_ntop(AF_INET6,
+                           &SIN6(rt_key(rt))->sin6_addr, tmp, sizeof(tmp))));
                }
        }
 }
                }
        }
 }
@@ -236,15 +240,16 @@ nd6_llreach_alloc(struct rtentry *rt, struct ifnet *ifp, void *addr,
 void
 nd6_llreach_use(struct llinfo_nd6 *ln)
 {
 void
 nd6_llreach_use(struct llinfo_nd6 *ln)
 {
-       if (ln->ln_llreach != NULL)
+       if (ln->ln_llreach != NULL) {
                ln->ln_lastused = net_uptime();
                ln->ln_lastused = net_uptime();
+       }
 }
 
 /*
  * Input a Neighbor Solicitation Message.
  *
 }
 
 /*
  * Input a Neighbor Solicitation Message.
  *
- * Based on RFC 2461
- * Based on RFC 2462 (duplicate address detection)
+ * Based on RFC 4861
+ * Based on RFC 4862 (duplicate address detection)
  */
 void
 nd6_ns_input(
  */
 void
 nd6_ns_input(
@@ -267,29 +272,21 @@ nd6_ns_input(
        union nd_opts ndopts;
        struct sockaddr_dl proxydl;
        boolean_t advrouter;
        union nd_opts ndopts;
        struct sockaddr_dl proxydl;
        boolean_t advrouter;
-
-       if ((ifp->if_eflags & IFEF_IPV6_ND6ALT) != 0) {
-               nd6log((LOG_INFO, "nd6_ns_input: on ND6ALT interface!\n"));
-               return;
-       }
+       boolean_t is_dad_probe;
+       int oflgclr = 0;
 
        /* Expect 32-bit aligned data pointer on strict-align platforms */
        MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
 
 
        /* Expect 32-bit aligned data pointer on strict-align platforms */
        MBUF_STRICT_DATA_ALIGNMENT_CHECK_32(m);
 
-#ifndef PULLDOWN_TEST
-       IP6_EXTHDR_CHECK(m, off, icmp6len, return);
+       IP6_EXTHDR_CHECK(m, off, icmp6len, return );
        nd_ns = (struct nd_neighbor_solicit *)((caddr_t)ip6 + off);
        nd_ns = (struct nd_neighbor_solicit *)((caddr_t)ip6 + off);
-#else
-       IP6_EXTHDR_GET(nd_ns, struct nd_neighbor_solicit *, m, off, icmp6len);
-       if (nd_ns == NULL) {
-               icmp6stat.icp6s_tooshort++;
-               return;
-       }
-#endif
+       m->m_pkthdr.pkt_flags |= PKTF_INET6_RESOLVE;
+
        ip6 = mtod(m, struct ip6_hdr *); /* adjust pointer for safety */
        taddr6 = nd_ns->nd_ns_target;
        ip6 = mtod(m, struct ip6_hdr *); /* adjust pointer for safety */
        taddr6 = nd_ns->nd_ns_target;
-       if (in6_setscope(&taddr6, ifp, NULL) != 0)
+       if (in6_setscope(&taddr6, ifp, NULL) != 0) {
                goto bad;
                goto bad;
+       }
 
        if (ip6->ip6_hlim != IPV6_MAXHLIM) {
                nd6log((LOG_ERR,
 
        if (ip6->ip6_hlim != IPV6_MAXHLIM) {
                nd6log((LOG_ERR,
@@ -299,7 +296,8 @@ nd6_ns_input(
                goto bad;
        }
 
                goto bad;
        }
 
-       if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) {
+       is_dad_probe = IN6_IS_ADDR_UNSPECIFIED(&saddr6);
+       if (is_dad_probe) {
                /* dst has to be a solicited node multicast address. */
                if (daddr6.s6_addr16[0] == IPV6_ADDR_INT16_MLL &&
                    /* don't check ifindex portion */
                /* dst has to be a solicited node multicast address. */
                if (daddr6.s6_addr16[0] == IPV6_ADDR_INT16_MLL &&
                    /* don't check ifindex portion */
@@ -309,7 +307,7 @@ nd6_ns_input(
                        ; /* good */
                } else {
                        nd6log((LOG_INFO, "nd6_ns_input: bad DAD packet "
                        ; /* good */
                } else {
                        nd6log((LOG_INFO, "nd6_ns_input: bad DAD packet "
-                               "(wrong ip6 dst)\n"));
+                           "(wrong ip6 dst)\n"));
                        goto bad;
                }
        } else if (!nd6_onlink_ns_rfc4861) {
                        goto bad;
                }
        } else if (!nd6_onlink_ns_rfc4861) {
@@ -327,7 +325,7 @@ nd6_ns_input(
                src_sa6.sin6_addr = saddr6;
                if (!nd6_is_addr_neighbor(&src_sa6, ifp, 0)) {
                        nd6log((LOG_INFO, "nd6_ns_input: "
                src_sa6.sin6_addr = saddr6;
                if (!nd6_is_addr_neighbor(&src_sa6, ifp, 0)) {
                        nd6log((LOG_INFO, "nd6_ns_input: "
-                               "NS packet from non-neighbor\n"));
+                           "NS packet from non-neighbor\n"));
                        goto bad;
                }
        }
                        goto bad;
                }
        }
@@ -351,7 +349,7 @@ nd6_ns_input(
                lladdrlen = ndopts.nd_opts_src_lladdr->nd_opt_len << 3;
        }
 
                lladdrlen = ndopts.nd_opts_src_lladdr->nd_opt_len << 3;
        }
 
-       if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) && lladdr) {
+       if (is_dad_probe && lladdr) {
                nd6log((LOG_INFO, "nd6_ns_input: bad DAD packet "
                    "(link-layer address option)\n"));
                goto bad;
                nd6log((LOG_INFO, "nd6_ns_input: bad DAD packet "
                    "(link-layer address option)\n"));
                goto bad;
@@ -367,10 +365,11 @@ nd6_ns_input(
         * In implementation, we add target link-layer address by default.
         * We do not add one in MUST NOT cases.
         */
         * In implementation, we add target link-layer address by default.
         * We do not add one in MUST NOT cases.
         */
-       if (!IN6_IS_ADDR_MULTICAST(&daddr6))
+       if (!IN6_IS_ADDR_MULTICAST(&daddr6)) {
                tlladdr = 0;
                tlladdr = 0;
-       else
+       } else {
                tlladdr = 1;
                tlladdr = 1;
+       }
 
        /*
         * Target address (taddr6) must be either:
 
        /*
         * Target address (taddr6) must be either:
@@ -402,7 +401,7 @@ nd6_ns_input(
                                 * proxy NDP for single entry
                                 */
                                ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(
                                 * proxy NDP for single entry
                                 */
                                ifa = (struct ifaddr *)in6ifa_ifpforlinklocal(
-                                   ifp, IN6_IFF_NOTREADY|IN6_IFF_ANYCAST);
+                                       ifp, IN6_IFF_NOTREADY | IN6_IFF_ANYCAST);
                                if (ifa) {
                                        proxy = 1;
                                        proxydl = *SDL(rt->rt_gateway);
                                if (ifa) {
                                        proxy = 1;
                                        proxydl = *SDL(rt->rt_gateway);
@@ -427,9 +426,12 @@ nd6_ns_input(
                 *
                 * Forwarding associated with NDPRF_PRPROXY may apply.
                 */
                 *
                 * Forwarding associated with NDPRF_PRPROXY may apply.
                 */
-               if (ip6_forwarding && nd6_prproxy)
+               if (ip6_forwarding && nd6_prproxy) {
                        nd6_prproxy_ns_input(ifp, &saddr6, lladdr,
                        nd6_prproxy_ns_input(ifp, &saddr6, lladdr,
-                           lladdrlen, &daddr6, &taddr6);
+                           lladdrlen, &daddr6, &taddr6,
+                           (ndopts.nd_opts_nonce == NULL) ? NULL :
+                           ndopts.nd_opts_nonce->nd_opt_nonce);
+               }
                goto freeit;
        }
        IFA_LOCK(ifa);
                goto freeit;
        }
        IFA_LOCK(ifa);
@@ -447,14 +449,14 @@ nd6_ns_input(
                nd6log((LOG_INFO,
                    "nd6_ns_input: lladdrlen mismatch for %s "
                    "(if %d, NS packet %d)\n",
                nd6log((LOG_INFO,
                    "nd6_ns_input: lladdrlen mismatch for %s "
                    "(if %d, NS packet %d)\n",
-                       ip6_sprintf(&taddr6), ifp->if_addrlen, lladdrlen - 2));
+                   ip6_sprintf(&taddr6), ifp->if_addrlen, lladdrlen - 2));
                goto bad;
        }
 
        if (IN6_ARE_ADDR_EQUAL(&myaddr6, &saddr6)) {
                nd6log((LOG_INFO,
                goto bad;
        }
 
        if (IN6_ARE_ADDR_EQUAL(&myaddr6, &saddr6)) {
                nd6log((LOG_INFO,
-                       "nd6_ns_input: duplicate IP6 address %s\n",
-                       ip6_sprintf(&saddr6)));
+                   "nd6_ns_input: duplicate IP6 address %s\n",
+                   ip6_sprintf(&saddr6)));
                goto freeit;
        }
 
                goto freeit;
        }
 
@@ -465,10 +467,13 @@ nd6_ns_input(
         * src addr     how to process?
         * ---          ---
         * multicast    of course, invalid (rejected in ip6_input)
         * src addr     how to process?
         * ---          ---
         * multicast    of course, invalid (rejected in ip6_input)
-        * unicast      somebody is doing address resolution -> ignore
+        * unicast      somebody is doing address resolution
         * unspec       dup address detection
         *
         * unspec       dup address detection
         *
-        * The processing is defined in RFC 2462 (and updated by RFC 4429)
+        * The processing is defined in the "draft standard" RFC 4862 (and by
+        * RFC 4429, which is a "proposed standard" update to its obsolete
+        * predecessor, RFC 2462)  The reason optimistic DAD is not included
+        * in RFC 4862 is entirely due to IETF procedural considerations.
         */
        if (dadprogress) {
                /*
         */
        if (dadprogress) {
                /*
@@ -476,12 +481,20 @@ nd6_ns_input(
                 * duplicate address detection.
                 *
                 * If not, the packet is for addess resolution;
                 * duplicate address detection.
                 *
                 * If not, the packet is for addess resolution;
-                * silently ignore it.
+                * silently ignore it when not optimistic
+                *
+                * Per RFC 4429 the reply for an optimistic address must
+                * have the Override flag cleared
                 */
                 */
-               if (IN6_IS_ADDR_UNSPECIFIED(&saddr6))
-                       nd6_dad_ns_input(ifa);
+               if (!is_dad_probe && (dadprogress & IN6_IFF_OPTIMISTIC) != 0) {
+                       oflgclr = 1;
+               } else {
+                       if (is_dad_probe) {
+                               nd6_dad_ns_input(ifa, lladdr, lladdrlen, ndopts.nd_opts_nonce);
+                       }
 
 
-               goto freeit;
+                       goto freeit;
+               }
        }
 
        /* Are we an advertising router on this interface? */
        }
 
        /* Are we an advertising router on this interface? */
@@ -496,16 +509,18 @@ nd6_ns_input(
         * the address.
         * S bit ("solicited") must be zero.
         */
         * the address.
         * S bit ("solicited") must be zero.
         */
-       if (IN6_IS_ADDR_UNSPECIFIED(&saddr6)) {
+       if (is_dad_probe) {
                saddr6 = in6addr_linklocal_allnodes;
                saddr6 = in6addr_linklocal_allnodes;
-               if (in6_setscope(&saddr6, ifp, NULL) != 0)
+               if (in6_setscope(&saddr6, ifp, NULL) != 0) {
                        goto bad;
                        goto bad;
-               if ((dadprogress & IN6_IFF_OPTIMISTIC) == 0)
+               }
+               if ((dadprogress & IN6_IFF_OPTIMISTIC) == 0) {
                        nd6_na_output(ifp, &saddr6, &taddr6,
                            ((anycast || proxy || !tlladdr) ? 0 :
                            ND_NA_FLAG_OVERRIDE) | (advrouter ?
                            ND_NA_FLAG_ROUTER : 0), tlladdr, proxy ?
                            (struct sockaddr *)&proxydl : NULL);
                        nd6_na_output(ifp, &saddr6, &taddr6,
                            ((anycast || proxy || !tlladdr) ? 0 :
                            ND_NA_FLAG_OVERRIDE) | (advrouter ?
                            ND_NA_FLAG_ROUTER : 0), tlladdr, proxy ?
                            (struct sockaddr *)&proxydl : NULL);
+               }
                goto freeit;
        }
 
                goto freeit;
        }
 
@@ -513,23 +528,25 @@ nd6_ns_input(
            ND_NEIGHBOR_SOLICIT, 0);
 
        nd6_na_output(ifp, &saddr6, &taddr6,
            ND_NEIGHBOR_SOLICIT, 0);
 
        nd6_na_output(ifp, &saddr6, &taddr6,
-           ((anycast || proxy || !tlladdr) ? 0 : ND_NA_FLAG_OVERRIDE) |
+           ((anycast || proxy || !tlladdr || oflgclr) ? 0 : ND_NA_FLAG_OVERRIDE) |
            (advrouter ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
            tlladdr, proxy ? (struct sockaddr *)&proxydl : NULL);
            (advrouter ? ND_NA_FLAG_ROUTER : 0) | ND_NA_FLAG_SOLICITED,
            tlladdr, proxy ? (struct sockaddr *)&proxydl : NULL);
- freeit:
+freeit:
        m_freem(m);
        m_freem(m);
-       if (ifa != NULL)
+       if (ifa != NULL) {
                IFA_REMREF(ifa);
                IFA_REMREF(ifa);
+       }
        return;
 
        return;
 
- bad:
+bad:
        nd6log((LOG_ERR, "nd6_ns_input: src=%s\n", ip6_sprintf(&saddr6)));
        nd6log((LOG_ERR, "nd6_ns_input: dst=%s\n", ip6_sprintf(&daddr6)));
        nd6log((LOG_ERR, "nd6_ns_input: tgt=%s\n", ip6_sprintf(&taddr6)));
        icmp6stat.icp6s_badns++;
        m_freem(m);
        nd6log((LOG_ERR, "nd6_ns_input: src=%s\n", ip6_sprintf(&saddr6)));
        nd6log((LOG_ERR, "nd6_ns_input: dst=%s\n", ip6_sprintf(&daddr6)));
        nd6log((LOG_ERR, "nd6_ns_input: tgt=%s\n", ip6_sprintf(&taddr6)));
        icmp6stat.icp6s_badns++;
        m_freem(m);
-       if (ifa != NULL)
+       if (ifa != NULL) {
                IFA_REMREF(ifa);
                IFA_REMREF(ifa);
+       }
 }
 
 /*
 }
 
 /*
@@ -538,9 +555,9 @@ nd6_ns_input(
  *     - ND6 header target IP6 address
  *     - ND6 header source datalink address
  *
  *     - ND6 header target IP6 address
  *     - ND6 header source datalink address
  *
- * Based on RFC 2461
- * Based on RFC 2462 (duplicate address detection)
- * Updated by RFC 4429 (optimistic duplicate address detection)
+ * Based on RFC 4861
+ * Based on RFC 4862 (duplicate address detection)
+ * Based on RFC 4429 (optimistic duplicate address detection)
  *
  * Caller must bump up ln->ln_rt refcnt to make sure 'ln' doesn't go
  * away if there is a llinfo_nd6 passed in.
  *
  * Caller must bump up ln->ln_rt refcnt to make sure 'ln' doesn't go
  * away if there is a llinfo_nd6 passed in.
@@ -550,8 +567,8 @@ nd6_ns_output(
        struct ifnet *ifp,
        const struct in6_addr *daddr6,
        const struct in6_addr *taddr6,
        struct ifnet *ifp,
        const struct in6_addr *daddr6,
        const struct in6_addr *taddr6,
-       struct llinfo_nd6 *ln,  /* for source address determination */
-       int dad)        /* duplicated address detection */
+       struct llinfo_nd6 *ln,  /* for source address determination */
+       uint8_t *nonce) /* duplicated address detection */
 {
        struct mbuf *m;
        struct ip6_hdr *ip6;
 {
        struct mbuf *m;
        struct ip6_hdr *ip6;
@@ -559,22 +576,27 @@ nd6_ns_output(
        struct in6_ifaddr *ia = NULL;
        struct in6_addr *src, src_in, src_storage;
        struct ip6_moptions *im6o = NULL;
        struct in6_ifaddr *ia = NULL;
        struct in6_addr *src, src_in, src_storage;
        struct ip6_moptions *im6o = NULL;
-        struct ifnet *outif = NULL;
+       struct ifnet *outif = NULL;
        int icmp6len;
        int maxlen;
        int flags;
        caddr_t mac;
        struct route_in6 ro;
        int icmp6len;
        int maxlen;
        int flags;
        caddr_t mac;
        struct route_in6 ro;
-       struct ip6_out_args ip6oa =
-           { IFSCOPE_NONE, { 0 }, IP6OAF_SELECT_SRCIF | IP6OAF_BOUND_SRCADDR };
+       struct ip6_out_args ip6oa;
        u_int32_t rtflags = 0;
 
        u_int32_t rtflags = 0;
 
-       if ((ifp->if_eflags & IFEF_IPV6_ND6ALT) || IN6_IS_ADDR_MULTICAST(taddr6))
+       if ((ifp->if_eflags & IFEF_IPV6_ND6ALT) || IN6_IS_ADDR_MULTICAST(taddr6)) {
                return;
                return;
+       }
 
        bzero(&ro, sizeof(ro));
 
        bzero(&ro, sizeof(ro));
-
+       bzero(&ip6oa, sizeof(ip6oa));
        ip6oa.ip6oa_boundif = ifp->if_index;
        ip6oa.ip6oa_boundif = ifp->if_index;
+       ip6oa.ip6oa_flags = IP6OAF_SELECT_SRCIF | IP6OAF_BOUND_SRCADDR |
+           IP6OAF_AWDL_UNRESTRICTED | IP6OAF_INTCOPROC_ALLOWED;
+       ip6oa.ip6oa_sotc = SO_TC_UNSPEC;
+       ip6oa.ip6oa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
+
        ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
 
        /* estimate the size of message */
        ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
 
        /* estimate the size of message */
@@ -588,7 +610,7 @@ nd6_ns_output(
                return;
        }
 
                return;
        }
 
-       MGETHDR(m, M_DONTWAIT, MT_DATA);        /* XXXMAC: mac_create_mbuf_linklayer() probably */
+       MGETHDR(m, M_DONTWAIT, MT_DATA);        /* XXXMAC: mac_create_mbuf_linklayer() probably */
        if (m && max_linkhdr + maxlen >= MHLEN) {
                MCLGET(m, M_DONTWAIT);
                if ((m->m_flags & M_EXT) == 0) {
        if (m && max_linkhdr + maxlen >= MHLEN) {
                MCLGET(m, M_DONTWAIT);
                if ((m->m_flags & M_EXT) == 0) {
@@ -596,8 +618,9 @@ nd6_ns_output(
                        m = NULL;
                }
        }
                        m = NULL;
                }
        }
-       if (m == NULL)
+       if (m == NULL) {
                return;
                return;
+       }
        m->m_pkthdr.rcvif = NULL;
 
        if (daddr6 == NULL || IN6_IS_ADDR_MULTICAST(daddr6)) {
        m->m_pkthdr.rcvif = NULL;
 
        if (daddr6 == NULL || IN6_IS_ADDR_MULTICAST(daddr6)) {
@@ -616,7 +639,7 @@ nd6_ns_output(
 
        icmp6len = sizeof(*nd_ns);
        m->m_pkthdr.len = m->m_len = sizeof(*ip6) + icmp6len;
 
        icmp6len = sizeof(*nd_ns);
        m->m_pkthdr.len = m->m_len = sizeof(*ip6) + icmp6len;
-       m->m_data += max_linkhdr;       /* or MH_ALIGN() equivalent? */
+       m->m_data += max_linkhdr;       /* or MH_ALIGN() equivalent? */
 
        /* fill neighbor solicitation packet */
        ip6 = mtod(m, struct ip6_hdr *);
 
        /* fill neighbor solicitation packet */
        ip6 = mtod(m, struct ip6_hdr *);
@@ -626,19 +649,20 @@ nd6_ns_output(
        /* ip6->ip6_plen will be set later */
        ip6->ip6_nxt = IPPROTO_ICMPV6;
        ip6->ip6_hlim = IPV6_MAXHLIM;
        /* ip6->ip6_plen will be set later */
        ip6->ip6_nxt = IPPROTO_ICMPV6;
        ip6->ip6_hlim = IPV6_MAXHLIM;
-       if (daddr6)
+       if (daddr6) {
                ip6->ip6_dst = *daddr6;
                ip6->ip6_dst = *daddr6;
-       else {
+       else {
                ip6->ip6_dst.s6_addr16[0] = IPV6_ADDR_INT16_MLL;
                ip6->ip6_dst.s6_addr16[1] = 0;
                ip6->ip6_dst.s6_addr32[1] = 0;
                ip6->ip6_dst.s6_addr32[2] = IPV6_ADDR_INT32_ONE;
                ip6->ip6_dst.s6_addr32[3] = taddr6->s6_addr32[3];
                ip6->ip6_dst.s6_addr8[12] = 0xff;
                ip6->ip6_dst.s6_addr16[0] = IPV6_ADDR_INT16_MLL;
                ip6->ip6_dst.s6_addr16[1] = 0;
                ip6->ip6_dst.s6_addr32[1] = 0;
                ip6->ip6_dst.s6_addr32[2] = IPV6_ADDR_INT32_ONE;
                ip6->ip6_dst.s6_addr32[3] = taddr6->s6_addr32[3];
                ip6->ip6_dst.s6_addr8[12] = 0xff;
-               if (in6_setscope(&ip6->ip6_dst, ifp, NULL) != 0)
+               if (in6_setscope(&ip6->ip6_dst, ifp, NULL) != 0) {
                        goto bad;
                        goto bad;
+               }
        }
        }
-       if (!dad) {
+       if (nonce == NULL) {
                /*
                 * RFC2461 7.2.2:
                 * "If the source address of the packet prompting the
                /*
                 * RFC2461 7.2.2:
                 * "If the source address of the packet prompting the
@@ -654,7 +678,7 @@ nd6_ns_output(
                 * - saddr6 belongs to the outgoing interface.
                 * Otherwise, we perform the source address selection as usual.
                 */
                 * - saddr6 belongs to the outgoing interface.
                 * Otherwise, we perform the source address selection as usual.
                 */
-               struct ip6_hdr *hip6;           /* hold ip6 */
+               struct ip6_hdr *hip6;           /* hold ip6 */
                struct in6_addr *hsrc = NULL;
 
                /* Caller holds ref on this route */
                struct in6_addr *hsrc = NULL;
 
                /* Caller holds ref on this route */
@@ -667,10 +691,11 @@ nd6_ns_output(
                        if (ln->ln_hold != NULL) {
                                hip6 = mtod(ln->ln_hold, struct ip6_hdr *);
                                /* XXX pullup? */
                        if (ln->ln_hold != NULL) {
                                hip6 = mtod(ln->ln_hold, struct ip6_hdr *);
                                /* XXX pullup? */
-                               if (sizeof (*hip6) < ln->ln_hold->m_len)
+                               if (sizeof(*hip6) < ln->ln_hold->m_len) {
                                        hsrc = &hip6->ip6_src;
                                        hsrc = &hip6->ip6_src;
-                               else
+                               } else {
                                        hsrc = NULL;
                                        hsrc = NULL;
+                               }
                        }
                        /* Update probe count, if applicable */
                        if (ln->ln_llreach != NULL) {
                        }
                        /* Update probe count, if applicable */
                        if (ln->ln_llreach != NULL) {
@@ -681,10 +706,6 @@ nd6_ns_output(
                        rtflags = ln->ln_rt->rt_flags;
                        RT_UNLOCK(ln->ln_rt);
                }
                        rtflags = ln->ln_rt->rt_flags;
                        RT_UNLOCK(ln->ln_rt);
                }
-               if (ia != NULL) {
-                       IFA_REMREF(&ia->ia_ifa);
-                       ia = NULL;
-               }
                if (hsrc != NULL && (ia = in6ifa_ifpwithaddr(ifp, hsrc)) &&
                    (ia->ia6_flags & IN6_IFF_OPTIMISTIC) == 0) {
                        src = hsrc;
                if (hsrc != NULL && (ia = in6ifa_ifpwithaddr(ifp, hsrc)) &&
                    (ia->ia6_flags & IN6_IFF_OPTIMISTIC) == 0) {
                        src = hsrc;
@@ -709,6 +730,18 @@ nd6_ns_output(
                                goto bad;
                        }
 
                                goto bad;
                        }
 
+                       if (ia != NULL) {
+                               IFA_REMREF(&ia->ia_ifa);
+                               ia = NULL;
+                       }
+                       /*
+                        * RFC 4429 section 3.2:
+                        * When a node has a unicast packet to send
+                        * from an Optimistic Address to a neighbor,
+                        * but does not know the neighbor's link-layer
+                        * address, it MUST NOT perform Address
+                        * Resolution.
+                        */
                        ia = in6ifa_ifpwithaddr(ifp, src);
                        if (!ia || (ia->ia6_flags & IN6_IFF_OPTIMISTIC)) {
                                nd6log((LOG_DEBUG,
                        ia = in6ifa_ifpwithaddr(ifp, src);
                        if (!ia || (ia->ia6_flags & IN6_IFF_OPTIMISTIC)) {
                                nd6log((LOG_DEBUG,
@@ -750,7 +783,7 @@ nd6_ns_output(
         *      Multicast NS            MUST add one    add the option
         *      Unicast NS              SHOULD add one  add the option
         */
         *      Multicast NS            MUST add one    add the option
         *      Unicast NS              SHOULD add one  add the option
         */
-       if (!dad && (mac = nd6_ifptomac(ifp))) {
+       if (nonce == NULL && (mac = nd6_ifptomac(ifp))) {
                int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen;
                struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1);
                /* 8 byte alignments... */
                int optlen = sizeof(struct nd_opt_hdr) + ifp->if_addrlen;
                struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1);
                /* 8 byte alignments... */
@@ -764,32 +797,52 @@ nd6_ns_output(
                nd_opt->nd_opt_len = optlen >> 3;
                bcopy(mac, (caddr_t)(nd_opt + 1), ifp->if_addrlen);
        }
                nd_opt->nd_opt_len = optlen >> 3;
                bcopy(mac, (caddr_t)(nd_opt + 1), ifp->if_addrlen);
        }
+       /*
+        * Add a Nonce option (RFC 3971) to detect looped back NS messages.
+        * This behavior is documented as Enhanced Duplicate Address
+        * Detection in draft-ietf-6man-enhanced-dad-13.
+        * net.inet6.ip6.dad_enhanced=0 disables this.
+        */
+       if (dad_enhanced != 0 && nonce != NULL && !(ifp->if_flags & IFF_POINTOPOINT)) {
+               int optlen = sizeof(struct nd_opt_hdr) + ND_OPT_NONCE_LEN;
+               struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)(nd_ns + 1);
+               /* 8-byte alignment is required. */
+               optlen = (optlen + 7) & ~7;
 
 
+               m->m_pkthdr.len += optlen;
+               m->m_len += optlen;
+               icmp6len += optlen;
+               bzero((caddr_t)nd_opt, optlen);
+               nd_opt->nd_opt_type = ND_OPT_NONCE;
+               nd_opt->nd_opt_len = optlen >> 3;
+               bcopy(nonce, (caddr_t)(nd_opt + 1), ND_OPT_NONCE_LEN);
+       }
        ip6->ip6_plen = htons((u_short)icmp6len);
        nd_ns->nd_ns_cksum = 0;
        nd_ns->nd_ns_cksum
        ip6->ip6_plen = htons((u_short)icmp6len);
        nd_ns->nd_ns_cksum = 0;
        nd_ns->nd_ns_cksum
-               = in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len);
+               = in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len);
 
 
-#if IPSEC
-       /* Don't lookup socket */
-       if (ipsec_bypass == 0)
-               (void)ipsec_setsocket(m, NULL);
-#endif
-       flags = dad ? IPV6_UNSPECSRC : 0;
+       flags = nonce ? IPV6_UNSPECSRC : 0;
        flags |= IPV6_OUTARGS;
 
        flags |= IPV6_OUTARGS;
 
+       /*
+        * PKTF_{INET,INET6}_RESOLVE_RTR are mutually exclusive, so make
+        * sure only one of them is set (just in case.)
+        */
+       m->m_pkthdr.pkt_flags &= ~(PKTF_INET_RESOLVE | PKTF_RESOLVE_RTR);
+       m->m_pkthdr.pkt_flags |= PKTF_INET6_RESOLVE;
        /*
         * If this is a NS for resolving the (default) router, mark
         * the packet accordingly so that the driver can find out,
         * in case it needs to perform driver-specific action(s).
         */
        if (rtflags & RTF_ROUTER) {
        /*
         * If this is a NS for resolving the (default) router, mark
         * the packet accordingly so that the driver can find out,
         * in case it needs to perform driver-specific action(s).
         */
        if (rtflags & RTF_ROUTER) {
-               m->m_pkthdr.aux_flags |= MAUXF_INET6_RESOLVE_RTR;
-               VERIFY(!(m->m_pkthdr.aux_flags & MAUXF_INET_RESOLVE_RTR));
+               m->m_pkthdr.pkt_flags |= PKTF_RESOLVE_RTR;
        }
 
        if (ifp->if_eflags & IFEF_TXSTART) {
        }
 
        if (ifp->if_eflags & IFEF_TXSTART) {
-               /* Use control service class if the interface 
+               /*
+                * Use control service class if the interface
                 * supports transmit-start model
                 */
                (void) m_set_service_class(m, MBUF_SC_CTL);
                 * supports transmit-start model
                 */
                (void) m_set_service_class(m, MBUF_SC_CTL);
@@ -803,42 +856,35 @@ nd6_ns_output(
        }
        icmp6stat.icp6s_outhist[ND_NEIGHBOR_SOLICIT]++;
 
        }
        icmp6stat.icp6s_outhist[ND_NEIGHBOR_SOLICIT]++;
 
-       if (im6o != NULL)
+exit:
+       if (im6o != NULL) {
                IM6O_REMREF(im6o);
                IM6O_REMREF(im6o);
-       if (ro.ro_rt) {         /* we don't cache this route. */
-               rtfree(ro.ro_rt);
        }
        }
-       if (ia != NULL)
+
+       ROUTE_RELEASE(&ro);     /* we don't cache this route. */
+
+       if (ia != NULL) {
                IFA_REMREF(&ia->ia_ifa);
                IFA_REMREF(&ia->ia_ifa);
+       }
        return;
 
 bad:
        return;
 
 bad:
-       if (im6o != NULL)
-               IM6O_REMREF(im6o);
-       if (ro.ro_rt) {
-               rtfree(ro.ro_rt);
-       }
        m_freem(m);
        m_freem(m);
-       if (ia != NULL)
-               IFA_REMREF(&ia->ia_ifa);
-       return;
+       goto exit;
 }
 
 /*
  * Neighbor advertisement input handling.
  *
 }
 
 /*
  * Neighbor advertisement input handling.
  *
- * Based on RFC 2461
- * Based on RFC 2462 (duplicate address detection)
+ * Based on RFC 4861
+ * Based on RFC 4862 (duplicate address detection)
  *
  * the following items are not implemented yet:
  *
  * the following items are not implemented yet:
- * - proxy advertisement delay rule (RFC2461 7.2.8, last paragraph, SHOULD)
- * - anycast advertisement delay rule (RFC2461 7.2.7, SHOULD)
+ * - anycast advertisement delay rule (RFC 4861 7.2.7, SHOULD)
+ * - proxy advertisement delay rule (RFC 4861 7.2.8, last paragraph, "should")
  */
 void
  */
 void
-nd6_na_input(
-       struct mbuf *m,
-       int off, 
-       int icmp6len)
+nd6_na_input(struct mbuf *m, int off, int icmp6len)
 {
        struct ifnet *ifp = m->m_pkthdr.rcvif;
        struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 {
        struct ifnet *ifp = m->m_pkthdr.rcvif;
        struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
@@ -852,16 +898,16 @@ nd6_na_input(
        int is_override;
        char *lladdr = NULL;
        int lladdrlen = 0;
        int is_override;
        char *lladdr = NULL;
        int lladdrlen = 0;
-       struct ifaddr *ifa = NULL;
        struct llinfo_nd6 *ln;
        struct rtentry *rt;
        struct sockaddr_dl *sdl;
        union nd_opts ndopts;
        struct llinfo_nd6 *ln;
        struct rtentry *rt;
        struct sockaddr_dl *sdl;
        union nd_opts ndopts;
-       struct timeval timenow;
+       uint64_t timenow;
+       bool send_nc_alive_kev = false;
 
        if ((ifp->if_eflags & IFEF_IPV6_ND6ALT) != 0) {
                nd6log((LOG_INFO, "nd6_na_input: on ND6ALT interface!\n"));
 
        if ((ifp->if_eflags & IFEF_IPV6_ND6ALT) != 0) {
                nd6log((LOG_INFO, "nd6_na_input: on ND6ALT interface!\n"));
-               return;
+               goto freeit;
        }
 
        /* Expect 32-bit aligned data pointer on strict-align platforms */
        }
 
        /* Expect 32-bit aligned data pointer on strict-align platforms */
@@ -875,16 +921,9 @@ nd6_na_input(
                goto bad;
        }
 
                goto bad;
        }
 
-#ifndef PULLDOWN_TEST
-       IP6_EXTHDR_CHECK(m, off, icmp6len, return);
+       IP6_EXTHDR_CHECK(m, off, icmp6len, return );
        nd_na = (struct nd_neighbor_advert *)((caddr_t)ip6 + off);
        nd_na = (struct nd_neighbor_advert *)((caddr_t)ip6 + off);
-#else
-       IP6_EXTHDR_GET(nd_na, struct nd_neighbor_advert *, m, off, icmp6len);
-       if (nd_na == NULL) {
-               icmp6stat.icp6s_tooshort++;
-               return;
-       }
-#endif
+       m->m_pkthdr.pkt_flags |= PKTF_INET6_RESOLVE;
 
        flags = nd_na->nd_na_flags_reserved;
        is_router = ((flags & ND_NA_FLAG_ROUTER) != 0);
 
        flags = nd_na->nd_na_flags_reserved;
        is_router = ((flags & ND_NA_FLAG_ROUTER) != 0);
@@ -892,21 +931,22 @@ nd6_na_input(
        is_override = ((flags & ND_NA_FLAG_OVERRIDE) != 0);
 
        taddr6 = nd_na->nd_na_target;
        is_override = ((flags & ND_NA_FLAG_OVERRIDE) != 0);
 
        taddr6 = nd_na->nd_na_target;
-       if (in6_setscope(&taddr6, ifp, NULL))
-               goto bad;       /* XXX: impossible */
-
+       if (in6_setscope(&taddr6, ifp, NULL)) {
+               goto bad;       /* XXX: impossible */
+       }
        if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
                nd6log((LOG_ERR,
                    "nd6_na_input: invalid target address %s\n",
                    ip6_sprintf(&taddr6)));
                goto bad;
        }
        if (IN6_IS_ADDR_MULTICAST(&taddr6)) {
                nd6log((LOG_ERR,
                    "nd6_na_input: invalid target address %s\n",
                    ip6_sprintf(&taddr6)));
                goto bad;
        }
-       if (IN6_IS_ADDR_MULTICAST(&daddr6))
+       if (IN6_IS_ADDR_MULTICAST(&daddr6)) {
                if (is_solicited) {
                        nd6log((LOG_ERR,
                            "nd6_na_input: a solicited adv is multicasted\n"));
                        goto bad;
                }
                if (is_solicited) {
                        nd6log((LOG_ERR,
                            "nd6_na_input: a solicited adv is multicasted\n"));
                        goto bad;
                }
+       }
 
        icmp6len -= sizeof(*nd_na);
        nd6_option_init(nd_na + 1, icmp6len, &ndopts);
 
        icmp6len -= sizeof(*nd_na);
        nd6_option_init(nd_na + 1, icmp6len, &ndopts);
@@ -920,65 +960,26 @@ nd6_na_input(
        if (ndopts.nd_opts_tgt_lladdr) {
                lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1);
                lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3;
        if (ndopts.nd_opts_tgt_lladdr) {
                lladdr = (char *)(ndopts.nd_opts_tgt_lladdr + 1);
                lladdrlen = ndopts.nd_opts_tgt_lladdr->nd_opt_len << 3;
-       }
 
 
-       ifa = (struct ifaddr *)in6ifa_ifpwithaddr(ifp, &taddr6);
-
-       /*
-        * Target address matches one of my interface address.
-        *
-        * If my address is tentative or optimistic, this means that there's
-        * somebody already using the same address as mine.  This indicates DAD
-        * failure.  This is defined in RFC 2462 and updated by RFC 4429.
-        *
-        * Otherwise, process as defined in RFC 2461.
-        */
-       if (ifa != NULL) {
-               IFA_LOCK(ifa);
-               if (((struct in6_ifaddr *)ifa)->ia6_flags &
-                   IN6_IFF_DADPROGRESS) {
-                       struct nd_ifinfo *ndi;
-                       boolean_t ignorena = FALSE;
-
-                       IFA_UNLOCK(ifa);
-                       lck_rw_lock_shared(nd_if_rwlock);
-                       ndi = ND_IFINFO(ifp);
-                       if (ndi != NULL && ndi->initialized) {
-                               lck_mtx_lock(&ndi->lock);
-                               ignorena = ndi->flags & ND6_IFF_IGNORE_NA;
-                               lck_mtx_unlock(&ndi->lock);
-                       }
-                       lck_rw_done(nd_if_rwlock);
-                       if (ignorena)
-                               log(LOG_ERR, "%s: ignoring duplicate DAD due "
-                                   "to sleep proxy (%s)\n", __func__,
-                                   if_name(ifp));
-                       else 
-                               nd6_dad_na_input(ifa, lladdr, lladdrlen);
-                       goto freeit;
+               if (((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {
+                       nd6log((LOG_INFO,
+                           "nd6_na_input: lladdrlen mismatch for %s "
+                           "(if %d, NA packet %d)\n",
+                           ip6_sprintf(&taddr6), ifp->if_addrlen,
+                           lladdrlen - 2));
+                       goto bad;
                }
                }
-               IFA_UNLOCK(ifa);
        }
 
        }
 
-       /* Just for safety, maybe unnecessary. */
-       if (ifa) {
-               log(LOG_ERR,
-                   "nd6_na_input: duplicate IP6 address %s\n",
-                   ip6_sprintf(&taddr6));
-               goto freeit;
-       }
-
-       if (lladdr && ((ifp->if_addrlen + 2 + 7) & ~7) != lladdrlen) {
-               nd6log((LOG_INFO,
-                   "nd6_na_input: lladdrlen mismatch for %s "
-                   "(if %d, NA packet %d)\n",
-                       ip6_sprintf(&taddr6), ifp->if_addrlen, lladdrlen - 2));
-               goto bad;
+       m = nd6_dad_na_input(m, ifp, &taddr6, lladdr, lladdrlen);
+       if (m == NULL) {
+               return;
        }
 
        /* Forwarding associated with NDPRF_PRPROXY may apply. */
        }
 
        /* Forwarding associated with NDPRF_PRPROXY may apply. */
-       if (ip6_forwarding && nd6_prproxy)
+       if (ip6_forwarding && nd6_prproxy) {
                nd6_prproxy_na_input(ifp, &saddr6, &daddr6, &taddr6, flags);
                nd6_prproxy_na_input(ifp, &saddr6, &daddr6, &taddr6, flags);
+       }
 
        /*
         * If no neighbor cache entry is found, NA SHOULD silently be
 
        /*
         * If no neighbor cache entry is found, NA SHOULD silently be
@@ -987,19 +988,22 @@ nd6_na_input(
         * another interface (in case we are doing prefix proxying.)
         */
        if ((rt = nd6_lookup(&taddr6, 0, ifp, 0)) == NULL) {
         * another interface (in case we are doing prefix proxying.)
         */
        if ((rt = nd6_lookup(&taddr6, 0, ifp, 0)) == NULL) {
-               if (!ip6_forwarding || !ip6_doscopedroute || !nd6_prproxy)
+               if (!ip6_forwarding || !nd6_prproxy) {
                        goto freeit;
                        goto freeit;
+               }
 
 
-               if ((rt = nd6_lookup(&taddr6, 0, NULL, 0)) == NULL)
+               if ((rt = nd6_lookup(&taddr6, 0, NULL, 0)) == NULL) {
                        goto freeit;
                        goto freeit;
+               }
 
                RT_LOCK_ASSERT_HELD(rt);
                if (rt->rt_ifp != ifp) {
                        /*
                         * Purge any link-layer info caching.
                         */
 
                RT_LOCK_ASSERT_HELD(rt);
                if (rt->rt_ifp != ifp) {
                        /*
                         * Purge any link-layer info caching.
                         */
-                       if (rt->rt_llinfo_purge != NULL)
+                       if (rt->rt_llinfo_purge != NULL) {
                                rt->rt_llinfo_purge(rt);
                                rt->rt_llinfo_purge(rt);
+                       }
 
                        /* Adjust route ref count for the interfaces */
                        if (rt->rt_if_ref_fn != NULL) {
 
                        /* Adjust route ref count for the interfaces */
                        if (rt->rt_if_ref_fn != NULL) {
@@ -1009,6 +1013,14 @@ nd6_na_input(
 
                        /* Change the interface when the existing route is on */
                        rt->rt_ifp = ifp;
 
                        /* Change the interface when the existing route is on */
                        rt->rt_ifp = ifp;
+
+                       /*
+                        * If rmx_mtu is not locked, update it
+                        * to the MTU used by the new interface.
+                        */
+                       if (!(rt->rt_rmx.rmx_locks & RTV_MTU)) {
+                               rt->rt_rmx.rmx_mtu = rt->rt_ifp->if_mtu;
+                       }
                }
        }
 
                }
        }
 
@@ -1020,7 +1032,8 @@ nd6_na_input(
                goto freeit;
        }
 
                goto freeit;
        }
 
-       getmicrotime(&timenow);
+       timenow = net_uptime();
+
        if (ln->ln_state == ND6_LLINFO_INCOMPLETE) {
                /*
                 * If the link-layer has address, and no lladdr option came,
        if (ln->ln_state == ND6_LLINFO_INCOMPLETE) {
                /*
                 * If the link-layer has address, and no lladdr option came,
@@ -1038,57 +1051,82 @@ nd6_na_input(
                sdl->sdl_alen = ifp->if_addrlen;
                bcopy(lladdr, LLADDR(sdl), ifp->if_addrlen);
                if (is_solicited) {
                sdl->sdl_alen = ifp->if_addrlen;
                bcopy(lladdr, LLADDR(sdl), ifp->if_addrlen);
                if (is_solicited) {
-                       ln->ln_state = ND6_LLINFO_REACHABLE;
-                       ln->ln_byhint = 0;
-                       if (ln->ln_expire) {
-                               struct nd_ifinfo *ndi;
+                       send_nc_alive_kev = (rt->rt_flags & RTF_ROUTER) ? true : false;
+                       ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_REACHABLE);
+                       if (ln->ln_expire != 0) {
+                               struct nd_ifinfo *ndi = NULL;
 
 
-                               lck_rw_lock_shared(nd_if_rwlock);
                                ndi = ND_IFINFO(rt->rt_ifp);
                                VERIFY(ndi != NULL && ndi->initialized);
                                lck_mtx_lock(&ndi->lock);
                                ndi = ND_IFINFO(rt->rt_ifp);
                                VERIFY(ndi != NULL && ndi->initialized);
                                lck_mtx_lock(&ndi->lock);
-                               ln->ln_expire = rt_expiry(rt, timenow.tv_sec,
-                                   ndi->reachable);
+                               ln_setexpire(ln, timenow + ndi->reachable);
                                lck_mtx_unlock(&ndi->lock);
                                lck_mtx_unlock(&ndi->lock);
-                               lck_rw_done(nd_if_rwlock);
+                               RT_UNLOCK(rt);
+                               lck_mtx_lock(rnh_lock);
+                               nd6_sched_timeout(NULL, NULL);
+                               lck_mtx_unlock(rnh_lock);
+                               RT_LOCK(rt);
                        }
                } else {
                        }
                } else {
-                       ln->ln_state = ND6_LLINFO_STALE;
-                       ln->ln_expire = rt_expiry(rt, timenow.tv_sec,
-                           nd6_gctimer);
+                       ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_STALE);
+                       ln_setexpire(ln, timenow + nd6_gctimer);
                }
                }
+
+
+               /*
+                * Enqueue work item to invoke callback for this
+                * route entry
+                */
+               route_event_enqueue_nwk_wq_entry(rt, NULL,
+                   ROUTE_LLENTRY_RESOLVED, NULL, TRUE);
+
                if ((ln->ln_router = is_router) != 0) {
                if ((ln->ln_router = is_router) != 0) {
+                       struct radix_node_head  *rnh = NULL;
+                       struct route_event rt_ev;
+                       route_event_init(&rt_ev, rt, NULL, ROUTE_LLENTRY_RESOLVED);
                        /*
                         * This means a router's state has changed from
                         * non-reachable to probably reachable, and might
                         * affect the status of associated prefixes..
                        /*
                         * This means a router's state has changed from
                         * non-reachable to probably reachable, and might
                         * affect the status of associated prefixes..
+                        * We already have a reference on rt. Don't need to
+                        * take one for the unlock/lock.
                         */
                        RT_UNLOCK(rt);
                         */
                        RT_UNLOCK(rt);
+                       lck_mtx_lock(rnh_lock);
+                       rnh = rt_tables[AF_INET6];
+
+                       if (rnh != NULL) {
+                               (void) rnh->rnh_walktree(rnh, route_event_walktree,
+                                   (void *)&rt_ev);
+                       }
+                       lck_mtx_unlock(rnh_lock);
                        lck_mtx_lock(nd6_mutex);
                        pfxlist_onlink_check();
                        lck_mtx_unlock(nd6_mutex);
                        RT_LOCK(rt);
                }
        } else {
                        lck_mtx_lock(nd6_mutex);
                        pfxlist_onlink_check();
                        lck_mtx_unlock(nd6_mutex);
                        RT_LOCK(rt);
                }
        } else {
-               int llchange;
+               int llchange = 0;
 
                /*
                 * Check if the link-layer address has changed or not.
                 */
 
                /*
                 * Check if the link-layer address has changed or not.
                 */
-               if (!lladdr)
+               if (lladdr == NULL) {
                        llchange = 0;
                        llchange = 0;
-               else {
+               else {
                        if (sdl->sdl_alen) {
                        if (sdl->sdl_alen) {
-                               if (bcmp(lladdr, LLADDR(sdl), ifp->if_addrlen))
+                               if (bcmp(lladdr, LLADDR(sdl), ifp->if_addrlen)) {
                                        llchange = 1;
                                        llchange = 1;
-                               else
+                               } else {
                                        llchange = 0;
                                        llchange = 0;
-                       } else
+                               }
+                       } else {
                                llchange = 1;
                                llchange = 1;
+                       }
                }
 
                /*
                }
 
                /*
-                * This is VERY complex.  Look at it with care.
+                * This is VERY complex. Look at it with care.
                 *
                 * override solicit lladdr llchange     action
                 *                                      (L: record lladdr)
                 *
                 * override solicit lladdr llchange     action
                 *                                      (L: record lladdr)
@@ -1112,16 +1150,15 @@ nd6_na_input(
                         * no other updates should be done.
                         */
                        if (ln->ln_state == ND6_LLINFO_REACHABLE) {
                         * no other updates should be done.
                         */
                        if (ln->ln_state == ND6_LLINFO_REACHABLE) {
-                               ln->ln_state = ND6_LLINFO_STALE;
-                               ln->ln_expire = rt_expiry(rt, timenow.tv_sec,
-                                   nd6_gctimer);
+                               ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_STALE);
+                               ln_setexpire(ln, timenow + nd6_gctimer);
                        }
                        RT_REMREF_LOCKED(rt);
                        RT_UNLOCK(rt);
                        goto freeit;
                        }
                        RT_REMREF_LOCKED(rt);
                        RT_UNLOCK(rt);
                        goto freeit;
-               } else if (is_override                             /* (2a) */
-                       || (!is_override && (lladdr && !llchange)) /* (2b) */
-                       || !lladdr) {                              /* (2c) */
+               } else if (is_override                             /* (2a) */
+                   || (!is_override && (lladdr && !llchange))     /* (2b) */
+                   || !lladdr) {                                  /* (2c) */
                        /*
                         * Update link-local address, if any.
                         */
                        /*
                         * Update link-local address, if any.
                         */
@@ -1136,28 +1173,68 @@ nd6_na_input(
                         * changed, make it STALE.
                         */
                        if (is_solicited) {
                         * changed, make it STALE.
                         */
                        if (is_solicited) {
-                               ln->ln_state = ND6_LLINFO_REACHABLE;
-                               ln->ln_byhint = 0;
-                               if (ln->ln_expire) {
-                                       struct nd_ifinfo *ndi;
+                               ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_REACHABLE);
+                               if (ln->ln_expire != 0) {
+                                       struct nd_ifinfo *ndi = NULL;
 
 
-                                       lck_rw_lock_shared(nd_if_rwlock);
                                        ndi = ND_IFINFO(ifp);
                                        VERIFY(ndi != NULL && ndi->initialized);
                                        lck_mtx_lock(&ndi->lock);
                                        ndi = ND_IFINFO(ifp);
                                        VERIFY(ndi != NULL && ndi->initialized);
                                        lck_mtx_lock(&ndi->lock);
-                                       ln->ln_expire =
-                                           rt_expiry(rt, timenow.tv_sec,
-                                               ndi->reachable);
+                                       ln_setexpire(ln,
+                                           timenow + ndi->reachable);
                                        lck_mtx_unlock(&ndi->lock);
                                        lck_mtx_unlock(&ndi->lock);
-                                       lck_rw_done(nd_if_rwlock);
+                                       RT_UNLOCK(rt);
+                                       lck_mtx_lock(rnh_lock);
+                                       nd6_sched_timeout(NULL, NULL);
+                                       lck_mtx_unlock(rnh_lock);
+                                       RT_LOCK(rt);
                                }
                        } else {
                                if (lladdr && llchange) {
                                }
                        } else {
                                if (lladdr && llchange) {
-                                       ln->ln_state = ND6_LLINFO_STALE;
-                                       ln->ln_expire = rt_expiry(rt,
-                                           timenow.tv_sec, nd6_gctimer);
+                                       ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_STALE);
+                                       ln_setexpire(ln, timenow + nd6_gctimer);
                                }
                        }
                                }
                        }
+
+                       /*
+                        * XXX
+                        * The above is somewhat convoluted, for now just
+                        * issue a callback for LLENTRY changed.
+                        */
+                       /* Enqueue work item to invoke callback for this route entry */
+                       if (llchange) {
+                               route_event_enqueue_nwk_wq_entry(rt, NULL,
+                                   ROUTE_LLENTRY_CHANGED, NULL, TRUE);
+                       }
+
+                       /*
+                        * If the router's link-layer address has changed,
+                        * notify routes using this as gateway so they can
+                        * update any cached information.
+                        */
+                       if (ln->ln_router && is_router && llchange) {
+                               struct radix_node_head  *rnh = NULL;
+                               struct route_event rt_ev;
+                               route_event_init(&rt_ev, rt, NULL, ROUTE_LLENTRY_CHANGED);
+                               /*
+                                * This means a router's state has changed from
+                                * non-reachable to probably reachable, and might
+                                * affect the status of associated prefixes..
+                                *
+                                * We already have a valid rt reference here.
+                                * We don't need to take another one for unlock/lock.
+                                */
+                               RT_UNLOCK(rt);
+                               lck_mtx_lock(rnh_lock);
+                               rnh = rt_tables[AF_INET6];
+
+                               if (rnh != NULL) {
+                                       (void) rnh->rnh_walktree(rnh, route_event_walktree,
+                                           (void *)&rt_ev);
+                               }
+                               lck_mtx_unlock(rnh_lock);
+                               RT_LOCK(rt);
+                       }
                }
 
                if (ln->ln_router && !is_router) {
                }
 
                if (ln->ln_router && !is_router) {
@@ -1177,26 +1254,48 @@ nd6_na_input(
                        lck_mtx_lock(nd6_mutex);
                        dr = defrouter_lookup(in6, rt_ifp);
                        if (dr) {
                        lck_mtx_lock(nd6_mutex);
                        dr = defrouter_lookup(in6, rt_ifp);
                        if (dr) {
+                               TAILQ_REMOVE(&nd_defrouter, dr, dr_entry);
                                defrtrlist_del(dr);
                                defrtrlist_del(dr);
+                               NDDR_REMREF(dr);        /* remove list reference */
                                NDDR_REMREF(dr);
                                lck_mtx_unlock(nd6_mutex);
                        } else {
                                lck_mtx_unlock(nd6_mutex);
                                NDDR_REMREF(dr);
                                lck_mtx_unlock(nd6_mutex);
                        } else {
                                lck_mtx_unlock(nd6_mutex);
-                               if (ip6_doscopedroute || !ip6_forwarding) {
-                                       /*
-                                        * Even if the neighbor is not in the
-                                        * default router list, the neighbor
-                                        * may be used as a next hop for some
-                                        * destinations (e.g. redirect case).
-                                        * So we must call rt6_flush explicitly.
-                                        */
-                                       rt6_flush(&ip6->ip6_src, rt_ifp);
-                               }
+                               /*
+                                * Even if the neighbor is not in the
+                                * default router list, the neighbor
+                                * may be used as a next hop for some
+                                * destinations (e.g. redirect case).
+                                * So we must call rt6_flush explicitly.
+                                */
+                               rt6_flush(&ip6->ip6_src, rt_ifp);
                        }
                        RT_LOCK(rt);
                }
                ln->ln_router = is_router;
        }
                        }
                        RT_LOCK(rt);
                }
                ln->ln_router = is_router;
        }
+
+       if (send_nc_alive_kev && (ifp->if_addrlen == IF_LLREACH_MAXLEN)) {
+               struct kev_msg ev_msg;
+               struct kev_nd6_ndalive nd6_ndalive;
+               bzero(&ev_msg, sizeof(ev_msg));
+               bzero(&nd6_ndalive, sizeof(nd6_ndalive));
+               ev_msg.vendor_code      = KEV_VENDOR_APPLE;
+               ev_msg.kev_class        = KEV_NETWORK_CLASS;
+               ev_msg.kev_subclass     = KEV_ND6_SUBCLASS;
+               ev_msg.event_code       = KEV_ND6_NDALIVE;
+
+               nd6_ndalive.link_data.if_family = ifp->if_family;
+               nd6_ndalive.link_data.if_unit = ifp->if_unit;
+               strlcpy(nd6_ndalive.link_data.if_name,
+                   ifp->if_name,
+                   sizeof(nd6_ndalive.link_data.if_name));
+               ev_msg.dv[0].data_ptr = &nd6_ndalive;
+               ev_msg.dv[0].data_length =
+                   sizeof(nd6_ndalive);
+               dlil_post_complete_msg(NULL, &ev_msg);
+       }
+
        RT_LOCK_ASSERT_HELD(rt);
        rt->rt_flags &= ~RTF_REJECT;
 
        RT_LOCK_ASSERT_HELD(rt);
        rt->rt_flags &= ~RTF_REJECT;
 
@@ -1215,8 +1314,9 @@ nd6_na_input(
                 * prevent a ln_hold lookup in nd6_output()
                 * (wouldn't happen, though...)
                 */
                 * prevent a ln_hold lookup in nd6_output()
                 * (wouldn't happen, though...)
                 */
-               for (m_hold = ln->ln_hold;
-                   m_hold; m_hold = m_hold_next) {
+               m_hold = ln->ln_hold;
+               ln->ln_hold = NULL;
+               for (; m_hold; m_hold = m_hold_next) {
                        m_hold_next = m_hold->m_nextpkt;
                        m_hold->m_nextpkt = NULL;
                        /*
                        m_hold_next = m_hold->m_nextpkt;
                        m_hold->m_nextpkt = NULL;
                        /*
@@ -1227,23 +1327,18 @@ nd6_na_input(
                        nd6_output(ifp, ifp, m_hold, &sin6, rt, NULL);
                        RT_LOCK_SPIN(rt);
                }
                        nd6_output(ifp, ifp, m_hold, &sin6, rt, NULL);
                        RT_LOCK_SPIN(rt);
                }
-               ln->ln_hold = NULL;
-
        }
        RT_REMREF_LOCKED(rt);
        RT_UNLOCK(rt);
        }
        RT_REMREF_LOCKED(rt);
        RT_UNLOCK(rt);
-
-freeit:
        m_freem(m);
        m_freem(m);
-       if (ifa != NULL)
-               IFA_REMREF(ifa);
        return;
 
 bad:
        icmp6stat.icp6s_badna++;
        return;
 
 bad:
        icmp6stat.icp6s_badna++;
+       /* fall through */
+freeit:
        m_freem(m);
        m_freem(m);
-       if (ifa != NULL)
-               IFA_REMREF(ifa);
+       return;
 }
 
 /*
 }
 
 /*
@@ -1264,8 +1359,8 @@ nd6_na_output(
        const struct in6_addr *daddr6_0,
        const struct in6_addr *taddr6,
        uint32_t flags,
        const struct in6_addr *daddr6_0,
        const struct in6_addr *taddr6,
        uint32_t flags,
-       int tlladdr,            /* 1 if include target link-layer address */
-       struct sockaddr *sdl0)  /* sockaddr_dl (= proxy NA) or NULL */
+       int tlladdr,            /* 1 if include target link-layer address */
+       struct sockaddr *sdl0)  /* sockaddr_dl (= proxy NA) or NULL */
 {
        struct mbuf *m;
        struct ip6_hdr *ip6;
 {
        struct mbuf *m;
        struct ip6_hdr *ip6;
@@ -1277,15 +1372,20 @@ nd6_na_output(
        struct in6_ifaddr *ia;
        struct sockaddr_in6 dst_sa;
        int icmp6len, maxlen, error;
        struct in6_ifaddr *ia;
        struct sockaddr_in6 dst_sa;
        int icmp6len, maxlen, error;
-        struct ifnet *outif = NULL;
-       struct ip6_out_args ip6oa =
-           { IFSCOPE_NONE, { 0 }, IP6OAF_SELECT_SRCIF | IP6OAF_BOUND_SRCADDR };
+       struct ifnet *outif = NULL;
 
 
+       struct ip6_out_args ip6oa;
        bzero(&ro, sizeof(ro));
 
        bzero(&ro, sizeof(ro));
 
-       daddr6 = *daddr6_0;     /* make a local copy for modification */
+       daddr6 = *daddr6_0;     /* make a local copy for modification */
 
 
+       bzero(&ip6oa, sizeof(ip6oa));
        ip6oa.ip6oa_boundif = ifp->if_index;
        ip6oa.ip6oa_boundif = ifp->if_index;
+       ip6oa.ip6oa_flags = IP6OAF_SELECT_SRCIF | IP6OAF_BOUND_SRCADDR |
+           IP6OAF_AWDL_UNRESTRICTED | IP6OAF_INTCOPROC_ALLOWED;
+       ip6oa.ip6oa_sotc = SO_TC_UNSPEC;
+       ip6oa.ip6oa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
+
        ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
 
        /* estimate the size of message */
        ip6oa.ip6oa_flags |= IP6OAF_BOUND_IF;
 
        /* estimate the size of message */
@@ -1299,7 +1399,7 @@ nd6_na_output(
                return;
        }
 
                return;
        }
 
-       MGETHDR(m, M_DONTWAIT, MT_DATA);        /* XXXMAC: mac_create_mbuf_linklayer() probably */
+       MGETHDR(m, M_DONTWAIT, MT_DATA);        /* XXXMAC: mac_create_mbuf_linklayer() probably */
        if (m && max_linkhdr + maxlen >= MHLEN) {
                MCLGET(m, M_DONTWAIT);
                if ((m->m_flags & M_EXT) == 0) {
        if (m && max_linkhdr + maxlen >= MHLEN) {
                MCLGET(m, M_DONTWAIT);
                if ((m->m_flags & M_EXT) == 0) {
@@ -1307,8 +1407,9 @@ nd6_na_output(
                        m = NULL;
                }
        }
                        m = NULL;
                }
        }
-       if (m == NULL)
+       if (m == NULL) {
                return;
                return;
+       }
        m->m_pkthdr.rcvif = NULL;
 
        if (IN6_IS_ADDR_MULTICAST(&daddr6)) {
        m->m_pkthdr.rcvif = NULL;
 
        if (IN6_IS_ADDR_MULTICAST(&daddr6)) {
@@ -1327,7 +1428,7 @@ nd6_na_output(
 
        icmp6len = sizeof(*nd_na);
        m->m_pkthdr.len = m->m_len = sizeof(struct ip6_hdr) + icmp6len;
 
        icmp6len = sizeof(*nd_na);
        m->m_pkthdr.len = m->m_len = sizeof(struct ip6_hdr) + icmp6len;
-       m->m_data += max_linkhdr;       /* or MH_ALIGN() equivalent? */
+       m->m_data += max_linkhdr;       /* or MH_ALIGN() equivalent? */
 
        /* fill neighbor advertisement packet */
        ip6 = mtod(m, struct ip6_hdr *);
 
        /* fill neighbor advertisement packet */
        ip6 = mtod(m, struct ip6_hdr *);
@@ -1343,12 +1444,14 @@ nd6_na_output(
                daddr6.s6_addr32[1] = 0;
                daddr6.s6_addr32[2] = 0;
                daddr6.s6_addr32[3] = IPV6_ADDR_INT32_ONE;
                daddr6.s6_addr32[1] = 0;
                daddr6.s6_addr32[2] = 0;
                daddr6.s6_addr32[3] = IPV6_ADDR_INT32_ONE;
-               if (in6_setscope(&daddr6, ifp, NULL))
+               if (in6_setscope(&daddr6, ifp, NULL)) {
                        goto bad;
                        goto bad;
+               }
 
                flags &= ~ND_NA_FLAG_SOLICITED;
 
                flags &= ~ND_NA_FLAG_SOLICITED;
-       } else
+       } else {
                ip6->ip6_dst = daddr6;
                ip6->ip6_dst = daddr6;
+       }
 
        bzero(&dst_sa, sizeof(struct sockaddr_in6));
        dst_sa.sin6_family = AF_INET6;
 
        bzero(&dst_sa, sizeof(struct sockaddr_in6));
        dst_sa.sin6_family = AF_INET6;
@@ -1375,8 +1478,9 @@ nd6_na_output(
         */
        ia = in6ifa_ifpwithaddr(ifp, src);
        if (ia != NULL) {
         */
        ia = in6ifa_ifpwithaddr(ifp, src);
        if (ia != NULL) {
-               if (ia->ia6_flags & IN6_IFF_OPTIMISTIC)
+               if (ia->ia6_flags & IN6_IFF_OPTIMISTIC) {
                        flags &= ~ND_NA_FLAG_OVERRIDE;
                        flags &= ~ND_NA_FLAG_OVERRIDE;
+               }
                IFA_REMREF(&ia->ia_ifa);
        }
 
                IFA_REMREF(&ia->ia_ifa);
        }
 
@@ -1398,13 +1502,14 @@ nd6_na_output(
                 * lladdr in sdl0.  If we are not proxying (sending NA for
                 * my address) use lladdr configured for the interface.
                 */
                 * lladdr in sdl0.  If we are not proxying (sending NA for
                 * my address) use lladdr configured for the interface.
                 */
-               if (sdl0 == NULL)
+               if (sdl0 == NULL) {
                        mac = nd6_ifptomac(ifp);
                        mac = nd6_ifptomac(ifp);
-               else if (sdl0->sa_family == AF_LINK) {
+               else if (sdl0->sa_family == AF_LINK) {
                        struct sockaddr_dl *sdl;
                        sdl = (struct sockaddr_dl *)(void *)sdl0;
                        struct sockaddr_dl *sdl;
                        sdl = (struct sockaddr_dl *)(void *)sdl0;
-                       if (sdl->sdl_alen == ifp->if_addrlen)
+                       if (sdl->sdl_alen == ifp->if_addrlen) {
                                mac = LLADDR(sdl);
                                mac = LLADDR(sdl);
+                       }
                }
        }
        if (tlladdr && mac) {
                }
        }
        if (tlladdr && mac) {
@@ -1421,20 +1526,17 @@ nd6_na_output(
                nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
                nd_opt->nd_opt_len = optlen >> 3;
                bcopy(mac, (caddr_t)(nd_opt + 1), ifp->if_addrlen);
                nd_opt->nd_opt_type = ND_OPT_TARGET_LINKADDR;
                nd_opt->nd_opt_len = optlen >> 3;
                bcopy(mac, (caddr_t)(nd_opt + 1), ifp->if_addrlen);
-       } else
+       } else {
                flags &= ~ND_NA_FLAG_OVERRIDE;
                flags &= ~ND_NA_FLAG_OVERRIDE;
+       }
 
        ip6->ip6_plen = htons((u_short)icmp6len);
        nd_na->nd_na_flags_reserved = flags;
        nd_na->nd_na_cksum = 0;
        nd_na->nd_na_cksum =
 
        ip6->ip6_plen = htons((u_short)icmp6len);
        nd_na->nd_na_flags_reserved = flags;
        nd_na->nd_na_cksum = 0;
        nd_na->nd_na_cksum =
-               in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len);
+           in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len);
 
 
-#if IPSEC
-       /* Don't lookup socket */
-       if (ipsec_bypass == 0)
-               (void)ipsec_setsocket(m, NULL);
-#endif
+       m->m_pkthdr.pkt_flags |= PKTF_INET6_RESOLVE;
 
        if (ifp->if_eflags & IFEF_TXSTART) {
                /* Use control service class if the interface supports
 
        if (ifp->if_eflags & IFEF_TXSTART) {
                /* Use control service class if the interface supports
@@ -1451,21 +1553,17 @@ nd6_na_output(
        }
        icmp6stat.icp6s_outhist[ND_NEIGHBOR_ADVERT]++;
 
        }
        icmp6stat.icp6s_outhist[ND_NEIGHBOR_ADVERT]++;
 
-       if (im6o != NULL)
+exit:
+       if (im6o != NULL) {
                IM6O_REMREF(im6o);
                IM6O_REMREF(im6o);
-       if (ro.ro_rt) {
-               rtfree(ro.ro_rt);
        }
        }
+
+       ROUTE_RELEASE(&ro);
        return;
 
 bad:
        return;
 
 bad:
-       if (im6o != NULL)
-               IM6O_REMREF(im6o);
-       if (ro.ro_rt) {
-               rtfree(ro.ro_rt);
-       }
        m_freem(m);
        m_freem(m);
-       return;
+       goto exit;
 }
 
 caddr_t
 }
 
 caddr_t
@@ -1489,7 +1587,7 @@ nd6_ifptomac(
 #endif
        case IFT_BRIDGE:
        case IFT_ISO88025:
 #endif
        case IFT_BRIDGE:
        case IFT_ISO88025:
-               return ((caddr_t)ifnet_lladdr(ifp));
+               return (caddr_t)IF_LLADDR(ifp);
        default:
                return NULL;
        }
        default:
                return NULL;
        }
@@ -1498,16 +1596,22 @@ nd6_ifptomac(
 TAILQ_HEAD(dadq_head, dadq);
 struct dadq {
        decl_lck_mtx_data(, dad_lock);
 TAILQ_HEAD(dadq_head, dadq);
 struct dadq {
        decl_lck_mtx_data(, dad_lock);
-       u_int32_t dad_refcount; /* reference count */
+       u_int32_t dad_refcount; /* reference count */
        int dad_attached;
        TAILQ_ENTRY(dadq) dad_list;
        struct ifaddr *dad_ifa;
        int dad_attached;
        TAILQ_ENTRY(dadq) dad_list;
        struct ifaddr *dad_ifa;
-       int dad_count;          /* max NS to send */
-       int dad_ns_tcount;      /* # of trials to send NS */
-       int dad_ns_ocount;      /* NS sent so far */
+       int dad_count;          /* max NS to send */
+       int dad_ns_tcount;      /* # of trials to send NS */
+       int dad_ns_ocount;      /* NS sent so far */
        int dad_ns_icount;
        int dad_na_icount;
        int dad_ns_icount;
        int dad_na_icount;
-       int dad_na_ixcount;     /* Count of IFDISABLED eligible NA rx'd */
+       int dad_ns_lcount;      /* looped back NS */
+       int dad_loopbackprobe;  /* probing state for loopback detection */
+       uint8_t dad_lladdr[ETHER_ADDR_LEN];
+       uint8_t dad_lladdrlen;
+#define ND_OPT_NONCE_LEN32 \
+    ((ND_OPT_NONCE_LEN + sizeof(uint32_t) - 1)/sizeof(uint32_t))
+       uint32_t dad_nonce[ND_OPT_NONCE_LEN32];
 };
 
 static struct dadq_head dadq;
 };
 
 static struct dadq_head dadq;
@@ -1516,10 +1620,10 @@ void
 nd6_nbr_init(void)
 {
        int i;
 nd6_nbr_init(void)
 {
        int i;
-       
+
        TAILQ_INIT(&dadq);
 
        TAILQ_INIT(&dadq);
 
-       dad_size = sizeof (struct dadq);
+       dad_size = sizeof(struct dadq);
        dad_zone = zinit(dad_size, DAD_ZONE_MAX * dad_size, 0, DAD_ZONE_NAME);
        if (dad_zone == NULL) {
                panic("%s: failed allocating %s", __func__, DAD_ZONE_NAME);
        dad_zone = zinit(dad_size, DAD_ZONE_MAX * dad_size, 0, DAD_ZONE_NAME);
        if (dad_zone == NULL) {
                panic("%s: failed allocating %s", __func__, DAD_ZONE_NAME);
@@ -1531,35 +1635,55 @@ nd6_nbr_init(void)
        bzero(&hostrtmask, sizeof hostrtmask);
        hostrtmask.sin6_family = AF_INET6;
        hostrtmask.sin6_len = sizeof hostrtmask;
        bzero(&hostrtmask, sizeof hostrtmask);
        hostrtmask.sin6_family = AF_INET6;
        hostrtmask.sin6_len = sizeof hostrtmask;
-       for (i = 0; i < sizeof hostrtmask.sin6_addr; ++i)
+       for (i = 0; i < sizeof hostrtmask.sin6_addr; ++i) {
                hostrtmask.sin6_addr.s6_addr[i] = 0xff;
                hostrtmask.sin6_addr.s6_addr[i] = 0xff;
+       }
 }
 
 static struct dadq *
 }
 
 static struct dadq *
-nd6_dad_find(struct ifaddr *ifa)
+nd6_dad_find(struct ifaddr *ifa, struct nd_opt_nonce *nonce)
 {
        struct dadq *dp;
 
        lck_mtx_lock(dad6_mutex);
        for (dp = dadq.tqh_first; dp; dp = dp->dad_list.tqe_next) {
                DAD_LOCK_SPIN(dp);
 {
        struct dadq *dp;
 
        lck_mtx_lock(dad6_mutex);
        for (dp = dadq.tqh_first; dp; dp = dp->dad_list.tqe_next) {
                DAD_LOCK_SPIN(dp);
-               if (dp->dad_ifa == ifa) {
-                       DAD_ADDREF_LOCKED(dp);
+               if (dp->dad_ifa != ifa) {
                        DAD_UNLOCK(dp);
                        DAD_UNLOCK(dp);
-                       lck_mtx_unlock(dad6_mutex);
-                       return (dp);
+                       continue;
                }
                }
+
+               /*
+                * Skip if the nonce matches the received one.
+                * +2 in the length is required because of type and
+                * length fields are included in a header.
+                */
+               if (nonce != NULL &&
+                   nonce->nd_opt_nonce_len == (ND_OPT_NONCE_LEN + 2) / 8 &&
+                   memcmp(&nonce->nd_opt_nonce[0], &dp->dad_nonce[0],
+                   ND_OPT_NONCE_LEN) == 0) {
+                       nd6log((LOG_ERR, "%s: a looped back NS message is "
+                           "detected during DAD for %s. Ignoring.\n",
+                           if_name(ifa->ifa_ifp),
+                           ip6_sprintf(IFA_IN6(ifa))));
+                       dp->dad_ns_lcount++;
+                       ++ip6stat.ip6s_dad_loopcount;
+                       DAD_UNLOCK(dp);
+                       continue;
+               }
+
+               DAD_ADDREF_LOCKED(dp);
                DAD_UNLOCK(dp);
                DAD_UNLOCK(dp);
+               break;
        }
        lck_mtx_unlock(dad6_mutex);
        }
        lck_mtx_unlock(dad6_mutex);
-       return (NULL);
+       return dp;
 }
 
 void
 nd6_dad_stoptimer(
        struct ifaddr *ifa)
 {
 }
 
 void
 nd6_dad_stoptimer(
        struct ifaddr *ifa)
 {
-
        untimeout((void (*)(void *))nd6_dad_timer, (void *)ifa);
 }
 
        untimeout((void (*)(void *))nd6_dad_timer, (void *)ifa);
 }
 
@@ -1569,11 +1693,17 @@ nd6_dad_stoptimer(
 void
 nd6_dad_start(
        struct ifaddr *ifa,
 void
 nd6_dad_start(
        struct ifaddr *ifa,
-       int *tick_delay)        /* minimum delay ticks for IFF_UP event */
+       int *tick_delay)        /* minimum delay ticks for IFF_UP event */
 {
        struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
        struct dadq *dp;
 
 {
        struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
        struct dadq *dp;
 
+       nd6log2((LOG_DEBUG, "%s - %s ifp %s ia6_flags 0x%x\n",
+           __func__,
+           ip6_sprintf(&ia->ia_addr.sin6_addr),
+           if_name(ia->ia_ifp),
+           ia->ia6_flags));
+
        /*
         * If we don't need DAD, don't do it.
         * There are several cases:
        /*
         * If we don't need DAD, don't do it.
         * There are several cases:
@@ -1582,11 +1712,11 @@ nd6_dad_start(
         */
        IFA_LOCK(&ia->ia_ifa);
        if (!(ia->ia6_flags & IN6_IFF_DADPROGRESS)) {
         */
        IFA_LOCK(&ia->ia_ifa);
        if (!(ia->ia6_flags & IN6_IFF_DADPROGRESS)) {
-               log(LOG_DEBUG,
-                       "nd6_dad_start: not a tentative or optimistic address "
-                       "%s(%s)\n",
-                       ip6_sprintf(&ia->ia_addr.sin6_addr),
-                       ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
+               nd6log0((LOG_DEBUG,
+                   "nd6_dad_start: not a tentative or optimistic address "
+                   "%s(%s)\n",
+                   ip6_sprintf(&ia->ia_addr.sin6_addr),
+                   ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"));
                IFA_UNLOCK(&ia->ia_ifa);
                return;
        }
                IFA_UNLOCK(&ia->ia_ifa);
                return;
        }
@@ -1596,13 +1726,14 @@ nd6_dad_start(
                return;
        }
        IFA_UNLOCK(&ia->ia_ifa);
                return;
        }
        IFA_UNLOCK(&ia->ia_ifa);
-       if (ifa->ifa_ifp == NULL)
+       if (ifa->ifa_ifp == NULL) {
                panic("nd6_dad_start: ifa->ifa_ifp == NULL");
                panic("nd6_dad_start: ifa->ifa_ifp == NULL");
+       }
        if (!(ifa->ifa_ifp->if_flags & IFF_UP) ||
            (ifa->ifa_ifp->if_eflags & IFEF_IPV6_ND6ALT)) {
                return;
        }
        if (!(ifa->ifa_ifp->if_flags & IFF_UP) ||
            (ifa->ifa_ifp->if_eflags & IFEF_IPV6_ND6ALT)) {
                return;
        }
-       if ((dp = nd6_dad_find(ifa)) != NULL) {
+       if ((dp = nd6_dad_find(ifa, NULL)) != NULL) {
                DAD_REMREF(dp);
                /* DAD already in progress */
                return;
                DAD_REMREF(dp);
                /* DAD already in progress */
                return;
@@ -1610,10 +1741,10 @@ nd6_dad_start(
 
        dp = zalloc(dad_zone);
        if (dp == NULL) {
 
        dp = zalloc(dad_zone);
        if (dp == NULL) {
-               log(LOG_ERR, "nd6_dad_start: memory allocation failed for "
-                       "%s(%s)\n",
-                       ip6_sprintf(&ia->ia_addr.sin6_addr),
-                       ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
+               nd6log0((LOG_ERR, "nd6_dad_start: memory allocation failed for "
+                   "%s(%s)\n",
+                   ip6_sprintf(&ia->ia_addr.sin6_addr),
+                   ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"));
                return;
        }
        bzero(dp, dad_size);
                return;
        }
        bzero(dp, dad_size);
@@ -1622,9 +1753,10 @@ nd6_dad_start(
        /* Callee adds one reference for us */
        dp = nd6_dad_attach(dp, ifa);
 
        /* Callee adds one reference for us */
        dp = nd6_dad_attach(dp, ifa);
 
-       nd6log((LOG_DEBUG, "%s: starting %sDAD for %s\n",
+       nd6log0((LOG_DEBUG, "%s: starting %sDAD %sfor %s\n",
            if_name(ifa->ifa_ifp),
            if_name(ifa->ifa_ifp),
-           (ia->ia_flags & IN6_IFF_OPTIMISTIC) ? "optimistic " : "",
+           (ia->ia6_flags & IN6_IFF_OPTIMISTIC) ? "optimistic " : "",
+           (tick_delay == NULL) ? "immediately " : "",
            ip6_sprintf(&ia->ia_addr.sin6_addr)));
 
        /*
            ip6_sprintf(&ia->ia_addr.sin6_addr)));
 
        /*
@@ -1635,30 +1767,29 @@ nd6_dad_start(
         */
        if (tick_delay == NULL) {
                u_int32_t retrans;
         */
        if (tick_delay == NULL) {
                u_int32_t retrans;
-               struct nd_ifinfo *ndi;
+               struct nd_ifinfo *ndi = NULL;
 
                nd6_dad_ns_output(dp, ifa);
 
                nd6_dad_ns_output(dp, ifa);
-               lck_rw_lock_shared(nd_if_rwlock);
                ndi = ND_IFINFO(ifa->ifa_ifp);
                VERIFY(ndi != NULL && ndi->initialized);
                lck_mtx_lock(&ndi->lock);
                retrans = ndi->retrans * hz / 1000;
                lck_mtx_unlock(&ndi->lock);
                ndi = ND_IFINFO(ifa->ifa_ifp);
                VERIFY(ndi != NULL && ndi->initialized);
                lck_mtx_lock(&ndi->lock);
                retrans = ndi->retrans * hz / 1000;
                lck_mtx_unlock(&ndi->lock);
-               lck_rw_done(nd_if_rwlock);
                timeout((void (*)(void *))nd6_dad_timer, (void *)ifa, retrans);
        } else {
                int ntick;
 
                timeout((void (*)(void *))nd6_dad_timer, (void *)ifa, retrans);
        } else {
                int ntick;
 
-               if (*tick_delay == 0)
+               if (*tick_delay == 0) {
                        ntick = random() % (MAX_RTR_SOLICITATION_DELAY * hz);
                        ntick = random() % (MAX_RTR_SOLICITATION_DELAY * hz);
-               else
+               } else {
                        ntick = *tick_delay + random() % (hz / 2);
                        ntick = *tick_delay + random() % (hz / 2);
+               }
                *tick_delay = ntick;
                timeout((void (*)(void *))nd6_dad_timer, (void *)ifa,
                *tick_delay = ntick;
                timeout((void (*)(void *))nd6_dad_timer, (void *)ifa,
-                       ntick);
+                   ntick);
        }
 
        }
 
-       DAD_REMREF(dp);         /* drop our reference */
+       DAD_REMREF(dp);         /* drop our reference */
 }
 
 static struct dadq *
 }
 
 static struct dadq *
@@ -1667,20 +1798,21 @@ nd6_dad_attach(struct dadq *dp, struct ifaddr *ifa)
        lck_mtx_lock(dad6_mutex);
        DAD_LOCK(dp);
        dp->dad_ifa = ifa;
        lck_mtx_lock(dad6_mutex);
        DAD_LOCK(dp);
        dp->dad_ifa = ifa;
-       IFA_ADDREF(ifa);        /* for dad_ifa */
+       IFA_ADDREF(ifa);        /* for dad_ifa */
        dp->dad_count = ip6_dad_count;
        dp->dad_ns_icount = dp->dad_na_icount = 0;
        dp->dad_ns_ocount = dp->dad_ns_tcount = 0;
        dp->dad_count = ip6_dad_count;
        dp->dad_ns_icount = dp->dad_na_icount = 0;
        dp->dad_ns_ocount = dp->dad_ns_tcount = 0;
-       dp->dad_na_ixcount = 0;
+       dp->dad_ns_lcount = dp->dad_loopbackprobe = 0;
        VERIFY(!dp->dad_attached);
        dp->dad_attached = 1;
        VERIFY(!dp->dad_attached);
        dp->dad_attached = 1;
-       DAD_ADDREF_LOCKED(dp);  /* for caller */
-       DAD_ADDREF_LOCKED(dp);  /* for dadq_head list */
+       dp->dad_lladdrlen = 0;
+       DAD_ADDREF_LOCKED(dp);  /* for caller */
+       DAD_ADDREF_LOCKED(dp);  /* for dadq_head list */
        TAILQ_INSERT_TAIL(&dadq, (struct dadq *)dp, dad_list);
        DAD_UNLOCK(dp);
        lck_mtx_unlock(dad6_mutex);
 
        TAILQ_INSERT_TAIL(&dadq, (struct dadq *)dp, dad_list);
        DAD_UNLOCK(dp);
        lck_mtx_unlock(dad6_mutex);
 
-       return (dp);
+       return dp;
 }
 
 static void
 }
 
 static void
@@ -1700,7 +1832,7 @@ nd6_dad_detach(struct dadq *dp, struct ifaddr *ifa)
        DAD_UNLOCK(dp);
        lck_mtx_unlock(dad6_mutex);
        if (detached) {
        DAD_UNLOCK(dp);
        lck_mtx_unlock(dad6_mutex);
        if (detached) {
-               DAD_REMREF(dp);         /* drop dadq_head reference */
+               DAD_REMREF(dp);         /* drop dadq_head reference */
        }
 }
 
        }
 }
 
@@ -1712,7 +1844,7 @@ nd6_dad_stop(struct ifaddr *ifa)
 {
        struct dadq *dp;
 
 {
        struct dadq *dp;
 
-       dp = nd6_dad_find(ifa);
+       dp = nd6_dad_find(ifa, NULL);
        if (!dp) {
                /* DAD wasn't started yet */
                return;
        if (!dp) {
                /* DAD wasn't started yet */
                return;
@@ -1721,10 +1853,9 @@ nd6_dad_stop(struct ifaddr *ifa)
        untimeout((void (*)(void *))nd6_dad_timer, (void *)ifa);
 
        nd6_dad_detach(dp, ifa);
        untimeout((void (*)(void *))nd6_dad_timer, (void *)ifa);
 
        nd6_dad_detach(dp, ifa);
-       DAD_REMREF(dp);         /* drop our reference */
+       DAD_REMREF(dp);         /* drop our reference */
 }
 
 }
 
-
 static void
 nd6_unsol_na_output(struct ifaddr *ifa)
 {
 static void
 nd6_unsol_na_output(struct ifaddr *ifa)
 {
@@ -1734,17 +1865,20 @@ nd6_unsol_na_output(struct ifaddr *ifa)
 
        if ((ifp->if_flags & IFF_UP) == 0 ||
            (ifp->if_flags & IFF_RUNNING) == 0 ||
 
        if ((ifp->if_flags & IFF_UP) == 0 ||
            (ifp->if_flags & IFF_RUNNING) == 0 ||
-           (ifp->if_eflags & IFEF_IPV6_ND6ALT) != 0)
+           (ifp->if_eflags & IFEF_IPV6_ND6ALT) != 0) {
                return;
                return;
+       }
 
        IFA_LOCK_SPIN(&ia->ia_ifa);
        taddr6 = ia->ia_addr.sin6_addr;
        IFA_UNLOCK(&ia->ia_ifa);
 
        IFA_LOCK_SPIN(&ia->ia_ifa);
        taddr6 = ia->ia_addr.sin6_addr;
        IFA_UNLOCK(&ia->ia_ifa);
-       if (in6_setscope(&taddr6, ifp, NULL) != 0)
+       if (in6_setscope(&taddr6, ifp, NULL) != 0) {
                return;
                return;
+       }
        saddr6 = in6addr_linklocal_allnodes;
        saddr6 = in6addr_linklocal_allnodes;
-       if (in6_setscope(&saddr6, ifp, NULL) != 0)
+       if (in6_setscope(&saddr6, ifp, NULL) != 0) {
                return;
                return;
+       }
 
        nd6log((LOG_INFO, "%s: sending unsolicited NA\n",
            if_name(ifa->ifa_ifp)));
 
        nd6log((LOG_INFO, "%s: sending unsolicited NA\n",
            if_name(ifa->ifa_ifp)));
@@ -1757,31 +1891,40 @@ nd6_dad_timer(struct ifaddr *ifa)
 {
        struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
        struct dadq *dp = NULL;
 {
        struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
        struct dadq *dp = NULL;
+       struct nd_ifinfo *ndi = NULL;
+       u_int32_t retrans;
 
        /* Sanity check */
        if (ia == NULL) {
 
        /* Sanity check */
        if (ia == NULL) {
-               log(LOG_ERR, "nd6_dad_timer: called with null parameter\n");
+               nd6log0((LOG_ERR, "nd6_dad_timer: called with null parameter\n"));
                goto done;
        }
                goto done;
        }
-       dp = nd6_dad_find(ifa);
+
+       nd6log2((LOG_DEBUG, "%s - %s ifp %s ia6_flags 0x%x\n",
+           __func__,
+           ip6_sprintf(&ia->ia_addr.sin6_addr),
+           if_name(ia->ia_ifp),
+           ia->ia6_flags));
+
+       dp = nd6_dad_find(ifa, NULL);
        if (dp == NULL) {
        if (dp == NULL) {
-               log(LOG_ERR, "nd6_dad_timer: DAD structure not found\n");
+               nd6log0((LOG_ERR, "nd6_dad_timer: DAD structure not found\n"));
                goto done;
        }
        IFA_LOCK(&ia->ia_ifa);
        if (ia->ia6_flags & IN6_IFF_DUPLICATED) {
                goto done;
        }
        IFA_LOCK(&ia->ia_ifa);
        if (ia->ia6_flags & IN6_IFF_DUPLICATED) {
-               log(LOG_ERR, "nd6_dad_timer: called with duplicated address "
-                       "%s(%s)\n",
-                       ip6_sprintf(&ia->ia_addr.sin6_addr),
-                       ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
+               nd6log0((LOG_ERR, "nd6_dad_timer: called with duplicated address "
+                   "%s(%s)\n",
+                   ip6_sprintf(&ia->ia_addr.sin6_addr),
+                   ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"));
                IFA_UNLOCK(&ia->ia_ifa);
                goto done;
        }
        if ((ia->ia6_flags & IN6_IFF_DADPROGRESS) == 0) {
                IFA_UNLOCK(&ia->ia_ifa);
                goto done;
        }
        if ((ia->ia6_flags & IN6_IFF_DADPROGRESS) == 0) {
-               log(LOG_ERR, "nd6_dad_timer: not a tentative or optimistic "
-                       "address %s(%s)\n",
-                       ip6_sprintf(&ia->ia_addr.sin6_addr),
-                       ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???");
+               nd6log0((LOG_ERR, "nd6_dad_timer: not a tentative or optimistic "
+                   "address %s(%s)\n",
+                   ip6_sprintf(&ia->ia_addr.sin6_addr),
+                   ifa->ifa_ifp ? if_name(ifa->ifa_ifp) : "???"));
                IFA_UNLOCK(&ia->ia_ifa);
                goto done;
        }
                IFA_UNLOCK(&ia->ia_ifa);
                goto done;
        }
@@ -1791,8 +1934,8 @@ nd6_dad_timer(struct ifaddr *ifa)
        DAD_LOCK(dp);
        if (dp->dad_ns_tcount > dad_maxtry) {
                DAD_UNLOCK(dp);
        DAD_LOCK(dp);
        if (dp->dad_ns_tcount > dad_maxtry) {
                DAD_UNLOCK(dp);
-               nd6log((LOG_INFO, "%s: could not run DAD, driver problem?\n",
-                       if_name(ifa->ifa_ifp)));
+               nd6log0((LOG_INFO, "%s: could not run DAD, driver problem?\n",
+                   if_name(ifa->ifa_ifp)));
 
                nd6_dad_detach(dp, ifa);
                goto done;
 
                nd6_dad_detach(dp, ifa);
                goto done;
@@ -1800,49 +1943,65 @@ nd6_dad_timer(struct ifaddr *ifa)
 
        /* Need more checks? */
        if (dp->dad_ns_ocount < dp->dad_count) {
 
        /* Need more checks? */
        if (dp->dad_ns_ocount < dp->dad_count) {
-               u_int32_t retrans;
-               struct nd_ifinfo *ndi;
-
                DAD_UNLOCK(dp);
                /*
                 * We have more NS to go.  Send NS packet for DAD.
                 */
                nd6_dad_ns_output(dp, ifa);
                DAD_UNLOCK(dp);
                /*
                 * We have more NS to go.  Send NS packet for DAD.
                 */
                nd6_dad_ns_output(dp, ifa);
-               lck_rw_lock_shared(nd_if_rwlock);
                ndi = ND_IFINFO(ifa->ifa_ifp);
                VERIFY(ndi != NULL && ndi->initialized);
                lck_mtx_lock(&ndi->lock);
                retrans = ndi->retrans * hz / 1000;
                lck_mtx_unlock(&ndi->lock);
                ndi = ND_IFINFO(ifa->ifa_ifp);
                VERIFY(ndi != NULL && ndi->initialized);
                lck_mtx_lock(&ndi->lock);
                retrans = ndi->retrans * hz / 1000;
                lck_mtx_unlock(&ndi->lock);
-               lck_rw_done(nd_if_rwlock);
                timeout((void (*)(void *))nd6_dad_timer, (void *)ifa, retrans);
        } else {
                /*
                 * We have transmitted sufficient number of DAD packets.
                 * See what we've got.
                 */
                timeout((void (*)(void *))nd6_dad_timer, (void *)ifa, retrans);
        } else {
                /*
                 * We have transmitted sufficient number of DAD packets.
                 * See what we've got.
                 */
-               int duplicate;
-
-               duplicate = 0;
+               if (dp->dad_na_icount > 0 || dp->dad_ns_icount) {
+                       /* We've seen NS or NA, means DAD has failed. */
+                       DAD_UNLOCK(dp);
+                       nd6log0((LOG_INFO,
+                           "%s: duplicate IPv6 address %s [timer]\n",
+                           __func__, ip6_sprintf(&ia->ia_addr.sin6_addr),
+                           if_name(ia->ia_ifp)));
+                       nd6_dad_duplicated(ifa);
+                       /* (*dp) will be freed in nd6_dad_duplicated() */
+               } else if (dad_enhanced != 0 &&
+                   dp->dad_ns_lcount > 0 &&
+                   dp->dad_ns_lcount > dp->dad_loopbackprobe) {
+                       dp->dad_loopbackprobe = dp->dad_ns_lcount;
+                       dp->dad_count =
+                           dp->dad_ns_ocount + dad_maxtry - 1;
+                       DAD_UNLOCK(dp);
+                       ndi = ND_IFINFO(ifa->ifa_ifp);
+                       VERIFY(ndi != NULL && ndi->initialized);
+                       lck_mtx_lock(&ndi->lock);
+                       retrans = ndi->retrans * hz / 1000;
+                       lck_mtx_unlock(&ndi->lock);
 
 
-               if (dp->dad_na_icount) {
                        /*
                        /*
-                        * the check is in nd6_dad_na_input(),
-                        * but just in case
+                        * Sec. 4.1 in RFC 7527 requires transmission of
+                        * additional probes until the loopback condition
+                        * becomes clear when a looped back probe is detected.
                         */
                         */
-                       duplicate++;
-               }
-
-               if (dp->dad_ns_icount) {
-                       /* We've seen NS, means DAD has failed. */
-                       duplicate++;
-               }
-               DAD_UNLOCK(dp);
-
-               if (duplicate) {
-                       /* (*dp) will be freed in nd6_dad_duplicated() */
-                       nd6_dad_duplicated(ifa, TRUE);
+                       nd6log0((LOG_INFO,
+                           "%s: a looped back NS message is "
+                           "detected during DAD for %s. "
+                           "Another DAD probe is being sent on interface.\n",
+                           __func__, ip6_sprintf(&ia->ia_addr.sin6_addr),
+                           if_name(ia->ia_ifp)));
+                       /*
+                        * Send an NS immediately and increase dad_count by
+                        * nd6_mmaxtries - 1.
+                        */
+                       nd6_dad_ns_output(dp, ifa);
+                       timeout((void (*)(void *))nd6_dad_timer, (void *)ifa, retrans);
+                       goto done;
                } else {
                } else {
+                       boolean_t txunsolna;
+                       DAD_UNLOCK(dp);
                        /*
                         * We are done with DAD.  No NA came, no NS came.
                         * No duplicate address found.
                        /*
                         * We are done with DAD.  No NA came, no NS came.
                         * No duplicate address found.
@@ -1851,81 +2010,168 @@ nd6_dad_timer(struct ifaddr *ifa)
                        ia->ia6_flags &= ~IN6_IFF_DADPROGRESS;
                        IFA_UNLOCK(&ia->ia_ifa);
 
                        ia->ia6_flags &= ~IN6_IFF_DADPROGRESS;
                        IFA_UNLOCK(&ia->ia_ifa);
 
-                       nd6log((LOG_DEBUG,
-                           "%s: DAD complete for %s - no duplicates found\n",
+                       ndi = ND_IFINFO(ifa->ifa_ifp);
+                       VERIFY(ndi != NULL && ndi->initialized);
+                       lck_mtx_lock(&ndi->lock);
+                       txunsolna = (ndi->flags & ND6_IFF_REPLICATED) != 0;
+                       lck_mtx_unlock(&ndi->lock);
+
+                       if (txunsolna) {
+                               nd6_unsol_na_output(ifa);
+                       }
+
+                       nd6log0((LOG_DEBUG,
+                           "%s: DAD complete for %s - no duplicates found%s\n",
                            if_name(ifa->ifa_ifp),
                            if_name(ifa->ifa_ifp),
-                           ip6_sprintf(&ia->ia_addr.sin6_addr)));
-                       /*
-                        * Send an Unsolicited Neighbor Advertisement so that
-                        * other machines on the network are aware of us
-                        * (important when we are waking from sleep).
-                        */
-                       nd6_unsol_na_output(ifa);
-                       in6_post_msg(ia->ia_ifp, KEV_INET6_NEW_USER_ADDR, ia);
+                           ip6_sprintf(&ia->ia_addr.sin6_addr),
+                           txunsolna ? ", tx unsolicited NA with O=1" : "."));
+
+                       if (dp->dad_ns_lcount > 0) {
+                               nd6log0((LOG_DEBUG,
+                                   "%s: DAD completed while "
+                                   "a looped back NS message is detected "
+                                   "during DAD for %s om interface %s\n",
+                                   __func__,
+                                   ip6_sprintf(&ia->ia_addr.sin6_addr),
+                                   if_name(ia->ia_ifp)));
+                       }
+
+                       in6_post_msg(ia->ia_ifp, KEV_INET6_NEW_USER_ADDR, ia,
+                           dp->dad_lladdr);
                        nd6_dad_detach(dp, ifa);
                }
        }
 
 done:
                        nd6_dad_detach(dp, ifa);
                }
        }
 
 done:
-       if (dp != NULL)
-               DAD_REMREF(dp);         /* drop our reference */
+       if (dp != NULL) {
+               DAD_REMREF(dp);         /* drop our reference */
+       }
 }
 
 void
 }
 
 void
-nd6_dad_duplicated(struct ifaddr *ifa, boolean_t dontignhwdup)
+nd6_dad_duplicated(struct ifaddr *ifa)
 {
        struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
        struct dadq *dp;
        struct ifnet *ifp = ifa->ifa_ifp;
 {
        struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
        struct dadq *dp;
        struct ifnet *ifp = ifa->ifa_ifp;
-       int hwdupposs;
+       boolean_t candisable;
 
 
-       dp = nd6_dad_find(ifa);
+       dp = nd6_dad_find(ifa, NULL);
        if (dp == NULL) {
        if (dp == NULL) {
-               log(LOG_ERR, "nd6_dad_duplicated: DAD structure not found\n");
+               log(LOG_ERR, "%s: DAD structure not found.\n", __func__);
                return;
        }
                return;
        }
-       hwdupposs = 0;
        IFA_LOCK(&ia->ia_ifa);
        DAD_LOCK(dp);
        IFA_LOCK(&ia->ia_ifa);
        DAD_LOCK(dp);
-       log(LOG_ERR, "%s: DAD detected duplicate IPv6 address %s: "
-           "NS in/out=%d/%d, NA in=%d inx=%d\n",
-           if_name(ifp), ip6_sprintf(&ia->ia_addr.sin6_addr),
-           dp->dad_ns_icount, dp->dad_ns_ocount, dp->dad_na_icount,
-           dp->dad_na_ixcount);
-       hwdupposs = dp->dad_na_ixcount;
+       nd6log((LOG_ERR, "%s: NS in/out/loopback=%d/%d, NA in=%d\n",
+           __func__, dp->dad_ns_icount, dp->dad_ns_ocount, dp->dad_ns_lcount,
+           dp->dad_na_icount));
+       candisable = FALSE;
+
+       if (IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr) &&
+           !(ia->ia6_flags & IN6_IFF_SECURED)) {
+               struct in6_addr in6;
+               struct ifaddr *llifa = NULL;
+               struct sockaddr_dl *sdl = NULL;
+               uint8_t *lladdr = dp->dad_lladdr;
+               uint8_t lladdrlen = dp->dad_lladdrlen;
+
+               /*
+                * To avoid over-reaction, we only apply this logic when we are
+                * very sure that hardware addresses are supposed to be unique.
+                */
+               switch (ifp->if_type) {
+               case IFT_BRIDGE:
+               case IFT_ETHER:
+               case IFT_FDDI:
+               case IFT_ATM:
+               case IFT_IEEE1394:
+#ifdef IFT_IEEE80211
+               case IFT_IEEE80211:
+#endif
+                       /*
+                        * Check if our hardware address matches the
+                        * link layer information received in the
+                        * NS/NA
+                        */
+                       llifa = ifp->if_lladdr;
+                       IFA_LOCK(llifa);
+                       sdl = (struct sockaddr_dl *)(void *)
+                           llifa->ifa_addr;
+                       if (lladdrlen == sdl->sdl_alen &&
+                           bcmp(lladdr, LLADDR(sdl), lladdrlen) == 0) {
+                               candisable = TRUE;
+                       }
+                       IFA_UNLOCK(llifa);
+
+                       in6 = ia->ia_addr.sin6_addr;
+                       if (in6_iid_from_hw(ifp, &in6) != 0) {
+                               break;
+                       }
+
+                       /* Refine decision about whether IPv6 can be disabled */
+                       if (candisable &&
+                           !IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) {
+                               /*
+                                * Apply this logic only to the embedded MAC
+                                * address form of link-local IPv6 address.
+                                */
+                               candisable = FALSE;
+                       } else if (lladdr == NULL &&
+                           IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) {
+                               /*
+                                * We received a NA with no target link-layer
+                                * address option. This means that someone else
+                                * has our address. Mark it as a hardware
+                                * duplicate so we disable IPv6 later on.
+                                */
+                               candisable = TRUE;
+                       }
+                       break;
+               default:
+                       break;
+               }
+       }
        DAD_UNLOCK(dp);
        DAD_UNLOCK(dp);
+
        ia->ia6_flags &= ~IN6_IFF_DADPROGRESS;
        ia->ia6_flags |= IN6_IFF_DUPLICATED;
        ia->ia6_flags &= ~IN6_IFF_DADPROGRESS;
        ia->ia6_flags |= IN6_IFF_DUPLICATED;
+       in6_event_enqueue_nwk_wq_entry(IN6_ADDR_MARKED_DUPLICATED,
+           ia->ia_ifa.ifa_ifp, &ia->ia_addr.sin6_addr,
+           0);
        IFA_UNLOCK(&ia->ia_ifa);
 
        IFA_UNLOCK(&ia->ia_ifa);
 
+       /* increment DAD collision counter */
+       ++ip6stat.ip6s_dad_collide;
+
        /* We are done with DAD, with duplicated address found. (failure) */
        untimeout((void (*)(void *))nd6_dad_timer, (void *)ifa);
 
        IFA_LOCK(&ia->ia_ifa);
        /* We are done with DAD, with duplicated address found. (failure) */
        untimeout((void (*)(void *))nd6_dad_timer, (void *)ifa);
 
        IFA_LOCK(&ia->ia_ifa);
-       log(LOG_ERR, "%s: DAD complete for %s - duplicate found\n",
+       log(LOG_ERR, "%s: DAD complete for %s - duplicate found.\n",
            if_name(ifp), ip6_sprintf(&ia->ia_addr.sin6_addr));
            if_name(ifp), ip6_sprintf(&ia->ia_addr.sin6_addr));
-       log(LOG_ERR, "%s: manual intervention required\n",
-           if_name(ifp));
        IFA_UNLOCK(&ia->ia_ifa);
        IFA_UNLOCK(&ia->ia_ifa);
-       
-       if (hwdupposs ||
-           (dontignhwdup && IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr))) {
+
+       if (candisable) {
+               struct nd_ifinfo *ndi =  ND_IFINFO(ifp);
                log(LOG_ERR, "%s: possible hardware address duplication "
                log(LOG_ERR, "%s: possible hardware address duplication "
-                   "detected, disable IPv6\n", if_name(ifp));
-               
-               lck_rw_lock_shared(nd_if_rwlock);
-               nd_ifinfo[ifp->if_index].flags |=
-                   ND6_IFF_IFDISABLED;
-               lck_rw_done(nd_if_rwlock);
+                   "detected, disabling IPv6 for interface.\n", if_name(ifp));
+
+               VERIFY((NULL != ndi) && (TRUE == ndi->initialized));
+               ndi->flags |= ND6_IFF_IFDISABLED;
+               /* Make sure to set IFEF_IPV6_DISABLED too */
+               nd6_if_disable(ifp, TRUE);
        }
 
        }
 
+       log(LOG_ERR, "%s: manual intervention required!\n", if_name(ifp));
+
        /* Send an event to the configuration agent so that the
         * duplicate address will be notified to the user and will
         * be removed.
         */
        /* Send an event to the configuration agent so that the
         * duplicate address will be notified to the user and will
         * be removed.
         */
-       in6_post_msg(ifp, KEV_INET6_NEW_USER_ADDR, ia);
+       in6_post_msg(ifp, KEV_INET6_NEW_USER_ADDR, ia, dp->dad_lladdr);
        nd6_dad_detach(dp, ifa);
        nd6_dad_detach(dp, ifa);
-       DAD_REMREF(dp);         /* drop our reference */
+       DAD_REMREF(dp);         /* drop our reference */
 }
 
 static void
 }
 
 static void
@@ -1933,6 +2179,7 @@ nd6_dad_ns_output(struct dadq *dp, struct ifaddr *ifa)
 {
        struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
        struct ifnet *ifp = ifa->ifa_ifp;
 {
        struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
        struct ifnet *ifp = ifa->ifa_ifp;
+       int i = 0;
        struct in6_addr taddr6;
 
        DAD_LOCK(dp);
        struct in6_addr taddr6;
 
        DAD_LOCK(dp);
@@ -1951,180 +2198,176 @@ nd6_dad_ns_output(struct dadq *dp, struct ifaddr *ifa)
        IFA_LOCK_SPIN(&ia->ia_ifa);
        taddr6 = ia->ia_addr.sin6_addr;
        IFA_UNLOCK(&ia->ia_ifa);
        IFA_LOCK_SPIN(&ia->ia_ifa);
        taddr6 = ia->ia_addr.sin6_addr;
        IFA_UNLOCK(&ia->ia_ifa);
-       nd6_ns_output(ifp, NULL, &taddr6, NULL, 1);
+       if (dad_enhanced != 0 && !(ifp->if_flags & IFF_POINTOPOINT)) {
+               for (i = 0; i < ND_OPT_NONCE_LEN32; i++) {
+                       dp->dad_nonce[i] = RandomULong();
+               }
+               /*
+                * XXXHRS: Note that in the case that
+                * DupAddrDetectTransmits > 1, multiple NS messages with
+                * different nonces can be looped back in an unexpected
+                * order.  The current implementation recognizes only
+                * the latest nonce on the sender side.  Practically it
+                * should work well in almost all cases.
+                */
+       }
+       nd6_ns_output(ifp, NULL, &taddr6, NULL,
+           (uint8_t *)&dp->dad_nonce[0]);
 }
 
 }
 
+/*
+ * @brief       Called to process DAD NS
+ *
+ * @param       ifa is the pointer to the interface's address
+ * @param       lladdr is source link layer information
+ * @param       lladdrlen is source's linklayer length
+ *
+ * @return      void
+ */
 static void
 static void
-nd6_dad_ns_input(struct ifaddr *ifa)
+nd6_dad_ns_input(struct ifaddr *ifa, char *lladdr,
+    int lladdrlen, struct nd_opt_nonce *ndopt_nonce)
 {
        struct dadq *dp;
 {
        struct dadq *dp;
-       int duplicate;
-       struct ifnet *ifp;
+       VERIFY(ifa != NULL);
 
 
-       if (ifa == NULL)
-               panic("ifa == NULL in nd6_dad_ns_input");
-
-       ifp = ifa->ifa_ifp;
-       duplicate = 0;
-       dp = nd6_dad_find(ifa);
+       /* Ignore Nonce option when Enhanced DAD is disabled. */
+       if (dad_enhanced == 0) {
+               ndopt_nonce = NULL;
+       }
 
 
-       /* Quickhack - completely ignore DAD NS packets */
-       if (dad_ignore_ns) {
-               struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
-               IFA_LOCK(&ia->ia_ifa);
-               nd6log((LOG_INFO,
-                   "nd6_dad_ns_input: ignoring DAD NS packet for "
-                   "address %s(%s)\n", ip6_sprintf(&ia->ia_addr.sin6_addr),
-                   if_name(ifa->ifa_ifp)));
-               IFA_UNLOCK(&ia->ia_ifa);
+       dp = nd6_dad_find(ifa, ndopt_nonce);
+       if (dp == NULL) {
                return;
        }
 
                return;
        }
 
-       /*
-        * if I'm yet to start DAD, someone else started using this address
-        * first.  I have a duplicate and you win.
-        */
-       if (dp != NULL)
-               DAD_LOCK(dp);
-       if (dp == NULL || dp->dad_ns_ocount == 0)
-               duplicate++;
-
-       /* XXX more checks for loopback situation - see nd6_dad_timer too */
-
-       if (duplicate) {
-               if (dp != NULL) {
-                       DAD_UNLOCK(dp);
-                       DAD_REMREF(dp);
-                       dp = NULL;
-               }
-               nd6_dad_duplicated(ifa, TRUE);
-       } else if (dp != NULL) {
-               /*
-                * not sure if I got a duplicate.
-                * increment ns count and see what happens.
-                */
-               dp->dad_ns_icount++;
-               DAD_UNLOCK(dp);
-               DAD_REMREF(dp);
+       DAD_LOCK(dp);
+       ++dp->dad_ns_icount;
+       if (lladdr && lladdrlen >= ETHER_ADDR_LEN) {
+               memcpy(dp->dad_lladdr, lladdr, ETHER_ADDR_LEN);
+               dp->dad_lladdrlen = lladdrlen;
        }
        }
+       DAD_UNLOCK(dp);
+       DAD_REMREF(dp);
 }
 
 }
 
-static void
-nd6_dad_na_input(struct ifaddr *ifa, caddr_t lladdr, int lladdrlen)
+/*
+ * @brief      Called to process received NA for DAD
+ *
+ * @param      m is the pointer to the packet's mbuf
+ * @param      ifp is the pointer to the interface on which packet
+ *              was receicved.
+ * @param      taddr is pointer to target's IPv6 address
+ * @param      lladdr is target's link layer information
+ * @param      lladdrlen is target's linklayer length
+ *
+ * @return     NULL if the packet is consumed by DAD processing, else
+ *              pointer to the mbuf.
+ */
+static struct mbuf *
+nd6_dad_na_input(struct mbuf *m, struct ifnet *ifp, struct in6_addr *taddr,
+    caddr_t lladdr, int lladdrlen)
 {
 {
-       struct in6_ifaddr *ia = (struct in6_ifaddr *)ifa;
-       struct dadq *dp;
-       int hwdupposs;
+       struct ifaddr *ifa = NULL;
+       struct in6_ifaddr *ia = NULL;
+       struct dadq *dp = NULL;
+       struct nd_ifinfo *ndi = NULL;
+       boolean_t replicated;
 
 
-       if (ifa == NULL)
-               panic("ifa == NULL in nd6_dad_na_input");
+       ifa = (struct ifaddr *) in6ifa_ifpwithaddr(ifp, taddr);
+       if (ifa == NULL) {
+               return m;
+       }
 
 
-       dp = nd6_dad_find(ifa);
-       if (dp == NULL) {
-               log(LOG_ERR, "nd6_dad_na_input: DAD structure not found\n");
-               return;
+       replicated = FALSE;
+
+       /* Get the ND6_IFF_REPLICATED flag. */
+       ndi = ND_IFINFO(ifp);
+       if (ndi != NULL && ndi->initialized) {
+               lck_mtx_lock(&ndi->lock);
+               replicated = !!(ndi->flags & ND6_IFF_REPLICATED);
+               lck_mtx_unlock(&ndi->lock);
        }
        }
-       
-       /*
-        * If the address is a link-local address formed from an interface
-        * identifier based on the hardware address which is supposed to be
-        * uniquely assigned (e.g., EUI-64 for an Ethernet interface), IP
-        * operation on the interface SHOULD be disabled according to RFC 4862,
-        * section 5.4.5, but here we decide not to disable if the target
-        * hardware address is not also ours, which is a transitory possibility
-        * in the presence of network-resident sleep proxies on the local link.
-        */
-       hwdupposs = 0;
+
+       if (replicated) {
+               nd6log((LOG_INFO, "%s: ignoring duplicate NA on "
+                   "replicated interface %s\n", __func__, if_name(ifp)));
+               goto done;
+       }
+
+       /* Lock the interface address until done (see label below). */
        IFA_LOCK(ifa);
        IFA_LOCK(ifa);
-       if (IN6_IS_ADDR_LINKLOCAL(&ia->ia_addr.sin6_addr)) {
-               struct ifnet *ifp;
-               struct in6_addr in6;
-               
+       ia = (struct in6_ifaddr *) ifa;
+
+       if (!(ia->ia6_flags & IN6_IFF_DADPROGRESS)) {
                IFA_UNLOCK(ifa);
                IFA_UNLOCK(ifa);
-               ifp = ifa->ifa_ifp;
-               
-               /*
-                * To avoid over-reaction, we only apply this logic when we are
-                * very sure that hardware addresses are supposed to be unique.
-                */
-               switch (ifp->if_type) {
-               case IFT_BRIDGE:
-               case IFT_ETHER:
-               case IFT_FDDI:
-               case IFT_ATM:
-               case IFT_IEEE1394:
-#ifdef IFT_IEEE80211
-               case IFT_IEEE80211:
-#endif
-                       /* Check if our hardware address matches the target */
-                       if (lladdr != NULL && lladdrlen > 0) {
-                               struct ifaddr *llifa;
-                               struct sockaddr_dl *sdl;
-                               
-                               llifa = ifp->if_lladdr;
-                               IFA_LOCK(llifa);
-                               sdl = (struct sockaddr_dl *)(void *)
-                                   llifa->ifa_addr;
-                               if (lladdrlen == sdl->sdl_alen ||
-                                   bcmp(lladdr, LLADDR(sdl), lladdrlen) == 0)
-                                       hwdupposs = 1;
-                               IFA_UNLOCK(llifa);
-                       }
-                       in6 = ia->ia_addr.sin6_addr;
-                       if (in6_get_hw_ifid(ifp, &in6) != 0)
-                               break;
-                       /*
-                        * Apply this logic only to the EUI-64 form of
-                        * link-local interface identifiers.
-                        */
-                       IFA_LOCK(ifa);
-                       if (hwdupposs &&
-                           !IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) {
-                               hwdupposs = 0;
-                       } else if (lladdr == NULL &&
-                           IN6_ARE_ADDR_EQUAL(&ia->ia_addr.sin6_addr, &in6)) {
-                               /*
-                                * We received a NA with no target link-layer
-                                * address option. This means that someone else
-                                * has our address. Mark it as a hardware
-                                * duplicate so we disable IPv6 later on.
-                                */
-                               hwdupposs = 1;
-                       }
+               nd6log((LOG_INFO, "%s: ignoring duplicate NA on "
+                   "%s [DAD not in progress]\n", __func__,
+                   if_name(ifp)));
+               goto done;
+       }
+
+       /* Some sleep proxies improperly send the client's Ethernet address in
+        * the target link-layer address option, so detect this by comparing
+        * the L2-header source address, if we have seen it, with the target
+        * address, and ignoring the NA if they don't match.
+        */
+       if (lladdr != NULL && lladdrlen >= ETHER_ADDR_LEN) {
+               struct ip6aux *ip6a = ip6_findaux(m);
+               if (ip6a && (ip6a->ip6a_flags & IP6A_HASEEN) != 0 &&
+                   bcmp(ip6a->ip6a_ehsrc, lladdr, ETHER_ADDR_LEN) != 0) {
                        IFA_UNLOCK(ifa);
                        IFA_UNLOCK(ifa);
-                       break;
-               default:
-                       break;
+                       nd6log((LOG_ERR, "%s: ignoring duplicate NA on %s "
+                           "[eh_src != tgtlladdr]\n", __func__, if_name(ifp)));
+                       goto done;
                }
                }
-       } else {
-               IFA_UNLOCK(ifa);
        }
        }
-       
+
+       IFA_UNLOCK(ifa);
+
+       dp = nd6_dad_find(ifa, NULL);
+       if (dp == NULL) {
+               nd6log((LOG_INFO, "%s: no DAD structure for %s on %s.\n",
+                   __func__, ip6_sprintf(taddr), if_name(ifp)));
+               goto done;
+       }
+
        DAD_LOCK_SPIN(dp);
        DAD_LOCK_SPIN(dp);
+       if (lladdr != NULL && lladdrlen >= ETHER_ADDR_LEN) {
+               memcpy(dp->dad_lladdr, lladdr, ETHER_ADDR_LEN);
+               dp->dad_lladdrlen = lladdrlen;
+       }
        dp->dad_na_icount++;
        dp->dad_na_icount++;
-       if (hwdupposs)
-               dp->dad_na_ixcount++;
        DAD_UNLOCK(dp);
        DAD_REMREF(dp);
        DAD_UNLOCK(dp);
        DAD_REMREF(dp);
-       
+
        /* remove the address. */
        /* remove the address. */
-       nd6_dad_duplicated(ifa, FALSE);
+       nd6log((LOG_INFO,
+           "%s: duplicate IPv6 address %s [processing NA on %s]\n", __func__,
+           ip6_sprintf(taddr), if_name(ifp)));
+done:
+       IFA_LOCK_ASSERT_NOTHELD(ifa);
+       IFA_REMREF(ifa);
+       m_freem(m);
+       return NULL;
 }
 
 static void
 dad_addref(struct dadq *dp, int locked)
 {
 }
 
 static void
 dad_addref(struct dadq *dp, int locked)
 {
-       if (!locked)
+       if (!locked) {
                DAD_LOCK_SPIN(dp);
                DAD_LOCK_SPIN(dp);
-       else
+       } else {
                DAD_LOCK_ASSERT_HELD(dp);
                DAD_LOCK_ASSERT_HELD(dp);
+       }
 
        if (++dp->dad_refcount == 0) {
                panic("%s: dad %p wraparound refcnt\n", __func__, dp);
                /* NOTREACHED */
        }
 
        if (++dp->dad_refcount == 0) {
                panic("%s: dad %p wraparound refcnt\n", __func__, dp);
                /* NOTREACHED */
        }
-       if (!locked)
+       if (!locked) {
                DAD_UNLOCK(dp);
                DAD_UNLOCK(dp);
+       }
 }
 
 static void
 }
 
 static void
@@ -2133,8 +2376,9 @@ dad_remref(struct dadq *dp)
        struct ifaddr *ifa;
 
        DAD_LOCK_SPIN(dp);
        struct ifaddr *ifa;
 
        DAD_LOCK_SPIN(dp);
-       if (dp->dad_refcount == 0)
+       if (dp->dad_refcount == 0) {
                panic("%s: dad %p negative refcnt\n", __func__, dp);
                panic("%s: dad %p negative refcnt\n", __func__, dp);
+       }
        --dp->dad_refcount;
        if (dp->dad_refcount > 0) {
                DAD_UNLOCK(dp);
        --dp->dad_refcount;
        if (dp->dad_refcount > 0) {
                DAD_UNLOCK(dp);
@@ -2149,7 +2393,7 @@ dad_remref(struct dadq *dp)
        }
 
        if ((ifa = dp->dad_ifa) != NULL) {
        }
 
        if ((ifa = dp->dad_ifa) != NULL) {
-               IFA_REMREF(ifa);        /* drop dad_ifa reference */
+               IFA_REMREF(ifa);        /* drop dad_ifa reference */
                dp->dad_ifa = NULL;
        }
 
                dp->dad_ifa = NULL;
        }
 
@@ -2161,8 +2405,9 @@ void
 nd6_llreach_set_reachable(struct ifnet *ifp, void *addr, unsigned int alen)
 {
        /* Nothing more to do if it's disabled */
 nd6_llreach_set_reachable(struct ifnet *ifp, void *addr, unsigned int alen)
 {
        /* Nothing more to do if it's disabled */
-       if (nd6_llreach_base == 0)
+       if (nd6_llreach_base == 0) {
                return;
                return;
+       }
 
        ifnet_llreach_set_reachable(ifp, ETHERTYPE_IPV6, addr, alen);
 }
 
        ifnet_llreach_set_reachable(ifp, ETHERTYPE_IPV6, addr, alen);
 }
@@ -2172,29 +2417,29 @@ nd6_alt_node_addr_decompose(struct ifnet *ifp, struct sockaddr *sa,
     struct sockaddr_dl* sdl, struct sockaddr_in6 *sin6)
 {
        static const size_t EUI64_LENGTH = 8;
     struct sockaddr_dl* sdl, struct sockaddr_in6 *sin6)
 {
        static const size_t EUI64_LENGTH = 8;
-       
+
        VERIFY(nd6_need_cache(ifp));
        VERIFY(sa);
        VERIFY(sdl && (void *)sa != (void *)sdl);
        VERIFY(sin6 && (void *)sa != (void *)sin6);
        VERIFY(nd6_need_cache(ifp));
        VERIFY(sa);
        VERIFY(sdl && (void *)sa != (void *)sdl);
        VERIFY(sin6 && (void *)sa != (void *)sin6);
-       
+
        bzero(sin6, sizeof *sin6);
        sin6->sin6_len = sizeof *sin6;
        sin6->sin6_family = AF_INET6;
        bzero(sin6, sizeof *sin6);
        sin6->sin6_len = sizeof *sin6;
        sin6->sin6_family = AF_INET6;
-       
+
        bzero(sdl, sizeof *sdl);
        sdl->sdl_len = sizeof *sdl;
        sdl->sdl_family = AF_LINK;
        sdl->sdl_type = ifp->if_type;
        sdl->sdl_index = ifp->if_index;
        bzero(sdl, sizeof *sdl);
        sdl->sdl_len = sizeof *sdl;
        sdl->sdl_family = AF_LINK;
        sdl->sdl_type = ifp->if_type;
        sdl->sdl_index = ifp->if_index;
-       
+
        switch (sa->sa_family) {
        case AF_INET6: {
                struct sockaddr_in6 *sin6a = (struct sockaddr_in6 *)(void *)sa;
                struct in6_addr *in6 = &sin6a->sin6_addr;
        switch (sa->sa_family) {
        case AF_INET6: {
                struct sockaddr_in6 *sin6a = (struct sockaddr_in6 *)(void *)sa;
                struct in6_addr *in6 = &sin6a->sin6_addr;
-               
+
                VERIFY(sa->sa_len == sizeof *sin6);
                VERIFY(sa->sa_len == sizeof *sin6);
-               
+
                sdl->sdl_nlen = strlen(ifp->if_name);
                bcopy(ifp->if_name, sdl->sdl_data, sdl->sdl_nlen);
                if (in6->s6_addr[11] == 0xff && in6->s6_addr[12] == 0xfe) {
                sdl->sdl_nlen = strlen(ifp->if_name);
                bcopy(ifp->if_name, sdl->sdl_data, sdl->sdl_nlen);
                if (in6->s6_addr[11] == 0xff && in6->s6_addr[12] == 0xfe) {
@@ -2205,12 +2450,11 @@ nd6_alt_node_addr_decompose(struct ifnet *ifp, struct sockaddr *sa,
                        LLADDR(sdl)[3] = in6->s6_addr[13];
                        LLADDR(sdl)[4] = in6->s6_addr[14];
                        LLADDR(sdl)[5] = in6->s6_addr[15];
                        LLADDR(sdl)[3] = in6->s6_addr[13];
                        LLADDR(sdl)[4] = in6->s6_addr[14];
                        LLADDR(sdl)[5] = in6->s6_addr[15];
-               }
-               else {
+               } else {
                        sdl->sdl_alen = EUI64_LENGTH;
                        bcopy(&in6->s6_addr[8], LLADDR(sdl), EUI64_LENGTH);
                }
                        sdl->sdl_alen = EUI64_LENGTH;
                        bcopy(&in6->s6_addr[8], LLADDR(sdl), EUI64_LENGTH);
                }
-               
+
                sdl->sdl_slen = 0;
                break;
        }
                sdl->sdl_slen = 0;
                break;
        }
@@ -2218,20 +2462,21 @@ nd6_alt_node_addr_decompose(struct ifnet *ifp, struct sockaddr *sa,
                struct sockaddr_dl *sdla = (struct sockaddr_dl *)(void *)sa;
                struct in6_addr *in6 = &sin6->sin6_addr;
                caddr_t lla = LLADDR(sdla);
                struct sockaddr_dl *sdla = (struct sockaddr_dl *)(void *)sa;
                struct in6_addr *in6 = &sin6->sin6_addr;
                caddr_t lla = LLADDR(sdla);
-               
+
                VERIFY(sa->sa_len <= sizeof *sdl);
                bcopy(sa, sdl, sa->sa_len);
                VERIFY(sa->sa_len <= sizeof *sdl);
                bcopy(sa, sdl, sa->sa_len);
-               
+
                sin6->sin6_scope_id = sdla->sdl_index;
                sin6->sin6_scope_id = sdla->sdl_index;
-               if (sin6->sin6_scope_id == 0)
+               if (sin6->sin6_scope_id == 0) {
                        sin6->sin6_scope_id = ifp->if_index;
                        sin6->sin6_scope_id = ifp->if_index;
+               }
                in6->s6_addr[0] = 0xfe;
                in6->s6_addr[1] = 0x80;
                in6->s6_addr[0] = 0xfe;
                in6->s6_addr[1] = 0x80;
-               if (sdla->sdl_alen == EUI64_LENGTH)
+               if (sdla->sdl_alen == EUI64_LENGTH) {
                        bcopy(lla, &in6->s6_addr[8], EUI64_LENGTH);
                        bcopy(lla, &in6->s6_addr[8], EUI64_LENGTH);
-               else {
+               else {
                        VERIFY(sdla->sdl_alen == ETHER_ADDR_LEN);
                        VERIFY(sdla->sdl_alen == ETHER_ADDR_LEN);
-                       
+
                        in6->s6_addr[8] = ((uint8_t) lla[0] ^ ND6_EUI64_UBIT);
                        in6->s6_addr[9] = (uint8_t) lla[1];
                        in6->s6_addr[10] = (uint8_t) lla[2];
                        in6->s6_addr[8] = ((uint8_t) lla[0] ^ ND6_EUI64_UBIT);
                        in6->s6_addr[9] = (uint8_t) lla[1];
                        in6->s6_addr[10] = (uint8_t) lla[2];
@@ -2241,7 +2486,7 @@ nd6_alt_node_addr_decompose(struct ifnet *ifp, struct sockaddr *sa,
                        in6->s6_addr[14] = (uint8_t) lla[4];
                        in6->s6_addr[15] = (uint8_t) lla[5];
                }
                        in6->s6_addr[14] = (uint8_t) lla[4];
                        in6->s6_addr[15] = (uint8_t) lla[5];
                }
-               
+
                break;
        }
        default:
                break;
        }
        default:
@@ -2256,24 +2501,36 @@ nd6_alt_node_present(struct ifnet *ifp, struct sockaddr_in6 *sin6,
 {
        struct rtentry *rt;
        struct llinfo_nd6 *ln;
 {
        struct rtentry *rt;
        struct llinfo_nd6 *ln;
-       struct  if_llreach *lr;
+       struct  if_llreach *lr = NULL;
+       const uint16_t temp_embedded_id = sin6->sin6_addr.s6_addr16[1];
+
+       if (IN6_IS_SCOPE_LINKLOCAL(&sin6->sin6_addr) &&
+           (temp_embedded_id == 0)) {
+               sin6->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
+       }
 
 
-       nd6_cache_lladdr(ifp, &sin6->sin6_addr, LLADDR(sdl),
-           sdl->sdl_alen, ND_NEIGHBOR_ADVERT, 0);
+       nd6_cache_lladdr(ifp, &sin6->sin6_addr, LLADDR(sdl), sdl->sdl_alen,
+           ND_NEIGHBOR_ADVERT, 0);
 
 
-       lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_NOTOWNED);
+       LCK_MTX_ASSERT(rnh_lock, LCK_MTX_ASSERT_NOTOWNED);
        lck_mtx_lock(rnh_lock);
 
        rt = rtalloc1_scoped_locked((struct sockaddr *)sin6, 1, 0,
            ifp->if_index);
        lck_mtx_lock(rnh_lock);
 
        rt = rtalloc1_scoped_locked((struct sockaddr *)sin6, 1, 0,
            ifp->if_index);
+
+       /* Restore the address that was passed to us */
+       if (temp_embedded_id == 0) {
+               sin6->sin6_addr.s6_addr16[1] = 0;
+       }
+
        if (rt != NULL) {
                RT_LOCK(rt);
                VERIFY(rt->rt_flags & RTF_LLINFO);
                VERIFY(rt->rt_llinfo);
 
                ln = rt->rt_llinfo;
        if (rt != NULL) {
                RT_LOCK(rt);
                VERIFY(rt->rt_flags & RTF_LLINFO);
                VERIFY(rt->rt_llinfo);
 
                ln = rt->rt_llinfo;
-               ln->ln_state = ND6_LLINFO_REACHABLE;
-               ln->ln_expire = 0;
+               ND6_CACHE_STATE_TRANSITION(ln, ND6_LLINFO_REACHABLE);
+               ln_setexpire(ln, 0);
 
                lr = ln->ln_llreach;
                if (lr) {
 
                lr = ln->ln_llreach;
                if (lr) {
@@ -2293,10 +2550,10 @@ nd6_alt_node_present(struct ifnet *ifp, struct sockaddr_in6 *sin6,
        if (rt == NULL) {
                log(LOG_ERR, "%s: failed to add/update host route to %s.\n",
                    __func__, ip6_sprintf(&sin6->sin6_addr));
        if (rt == NULL) {
                log(LOG_ERR, "%s: failed to add/update host route to %s.\n",
                    __func__, ip6_sprintf(&sin6->sin6_addr));
-       }
-       else {
-               nd6log((LOG_DEBUG, "%s: host route to %s [lr=%p]\n", __func__,
-                       ip6_sprintf(&sin6->sin6_addr), lr));
+       } else {
+               nd6log((LOG_DEBUG, "%s: host route to %s [lr=0x%llx]\n",
+                   __func__, ip6_sprintf(&sin6->sin6_addr),
+                   (uint64_t)VM_KERNEL_ADDRPERM(lr)));
        }
 }
 
        }
 }
 
@@ -2304,21 +2561,33 @@ void
 nd6_alt_node_absent(struct ifnet *ifp, struct sockaddr_in6 *sin6)
 {
        struct rtentry *rt;
 nd6_alt_node_absent(struct ifnet *ifp, struct sockaddr_in6 *sin6)
 {
        struct rtentry *rt;
+       const uint16_t temp_embedded_id = sin6->sin6_addr.s6_addr16[1];
 
        nd6log((LOG_DEBUG, "%s: host route to %s\n", __func__,
            ip6_sprintf(&sin6->sin6_addr)));
 
 
        nd6log((LOG_DEBUG, "%s: host route to %s\n", __func__,
            ip6_sprintf(&sin6->sin6_addr)));
 
-       lck_mtx_assert(rnh_lock, LCK_MTX_ASSERT_NOTOWNED);
+       if (IN6_IS_SCOPE_LINKLOCAL(&sin6->sin6_addr) &&
+           (temp_embedded_id == 0)) {
+               sin6->sin6_addr.s6_addr16[1] = htons(ifp->if_index);
+       }
+
+       LCK_MTX_ASSERT(rnh_lock, LCK_MTX_ASSERT_NOTOWNED);
        lck_mtx_lock(rnh_lock);
 
        rt = rtalloc1_scoped_locked((struct sockaddr *)sin6, 0, 0,
            ifp->if_index);
        lck_mtx_lock(rnh_lock);
 
        rt = rtalloc1_scoped_locked((struct sockaddr *)sin6, 0, 0,
            ifp->if_index);
+
+       /* Restore the address that was passed to us */
+       if (temp_embedded_id == 0) {
+               sin6->sin6_addr.s6_addr16[1] = 0;
+       }
+
        if (rt != NULL) {
                RT_LOCK(rt);
 
        if (rt != NULL) {
                RT_LOCK(rt);
 
-               if (!(rt->rt_flags & (RTF_PINNED|RTF_CLONING|RTF_PRCLONING)) &&
-                   (rt->rt_flags & (RTF_HOST|RTF_LLINFO|RTF_WASCLONED)) ==
-                     (RTF_HOST|RTF_LLINFO|RTF_WASCLONED)) {
+               if (!(rt->rt_flags & (RTF_CLONING | RTF_PRCLONING)) &&
+                   (rt->rt_flags & (RTF_HOST | RTF_LLINFO | RTF_WASCLONED)) ==
+                   (RTF_HOST | RTF_LLINFO | RTF_WASCLONED)) {
                        rt->rt_flags |= RTF_CONDEMNED;
                        RT_UNLOCK(rt);
 
                        rt->rt_flags |= RTF_CONDEMNED;
                        RT_UNLOCK(rt);
 
@@ -2327,8 +2596,7 @@ nd6_alt_node_absent(struct ifnet *ifp, struct sockaddr_in6 *sin6)
                            (struct rtentry **)NULL);
 
                        rtfree_locked(rt);
                            (struct rtentry **)NULL);
 
                        rtfree_locked(rt);
-               }
-               else {
+               } else {
                        RT_REMREF_LOCKED(rt);
                        RT_UNLOCK(rt);
                }
                        RT_REMREF_LOCKED(rt);
                        RT_UNLOCK(rt);
                }
mirror of XNU