> Maby something along the lines of the 'nd6_onlink_ns_rfc4861' sysctl > flag mentioned at > http://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc > could be used for the odd cases where it's needed?
This is an all-or-nothing approach. What about the option to provide the "known-good" address of the router (via sysctl or by other means)? If an address is given, treat this exception as a neighbor. If left empty, just behave as-is.
