diff --git a/sys/netgraph/ng_ksocket.c b/sys/netgraph/ng_ksocket.c
index 7f2a654b7c10..023d7ccbe513 100644
--- a/sys/netgraph/ng_ksocket.c
+++ b/sys/netgraph/ng_ksocket.c
@@ -908,9 +908,14 @@ ng_ksocket_rcvdata(hook_p hook, item_p item)
 	NGI_GET_M(item, m);
 	NG_FREE_ITEM(item);
 
-	/* Look if socket address is stored in packet tags */
-	if ((stag = (struct sa_tag *)m_tag_locate(m, NGM_KSOCKET_COOKIE,
-	    NG_KSOCKET_TAG_SOCKADDR, NULL)) != NULL)
+	/*
+	 * Look if socket address is stored in packet tags.
+	 * If sockaddr is ours, or provided by a third party (zero id),
+	 * then we accept it.
+	 */
+	if (((stag = (struct sa_tag *)m_tag_locate(m, NGM_KSOCKET_COOKIE,
+	    NG_KSOCKET_TAG_SOCKADDR, NULL)) != NULL) &&
+	    (stag->id == NG_NODE_ID(node) || stag->id == 0))
 		sa = &stag->sa;
 
 	/* Send packet */
@@ -1121,6 +1126,7 @@ ng_ksocket_incoming2(node_p node, hook_p hook, void *arg1, int waitflag)
 			}
 			bcopy(sa, &stag->sa, sa->sa_len);
 			FREE(sa, M_SONAME);
+			stag->id = NG_NODE_ID(node);
 			m_tag_prepend(m, &stag->tag);
 		}
 
diff --git a/sys/netgraph/ng_ksocket.h b/sys/netgraph/ng_ksocket.h
index 3eaa0f97fe7b..953486f09864 100644
--- a/sys/netgraph/ng_ksocket.h
+++ b/sys/netgraph/ng_ksocket.h
@@ -100,6 +100,7 @@ enum {
 /* Structure for sockaddr tag */
 struct sa_tag {
 	struct m_tag	tag;
+	ng_ID_t		id;
 	struct sockaddr	sa;
 };