IPv6 Neighbor Discovery Protocol (NDP)

In IPv4, a host uses ARP to resolve an IP address to a MAC address and ICMP Router Discovery to find its default gateway. IPv6 replaces both with a single protocol: Neighbor Discovery Protocol (NDP), defined in RFC 4861 and carried inside ICMPv6.

NDP operates on the local link only — it does not route across subnets.

| Function | IPv4 equivalent | NDP mechanism |
|---|---|---|
| Address resolution | ARP Request / Reply | Neighbor Solicitation / Advertisement |
| Default gateway discovery | ICMP Router Discovery / DHCP | Router Solicitation / Advertisement |
| Duplicate address check | Gratuitous ARP | Duplicate Address Detection (DAD) |
| Redirect to a better next hop | ICMP Redirect | ICMPv6 Redirect |
| Keep neighbor info fresh | ARP cache timeout | Neighbor Unreachability Detection (NUD) |

NDP uses five ICMPv6 message types (types 133–137):

| Type | Name | Purpose |
|---|---|---|
| 133 | Router Solicitation (RS) | Host asks: “Are there any routers on this link?” |
| 134 | Router Advertisement (RA) | Router announces its presence, prefix, and flags |
| 135 | Neighbor Solicitation (NS) | Host asks: “Who owns this IPv6 address?” |
| 136 | Neighbor Advertisement (NA) | Host replies with its link-layer (MAC) address |
| 137 | Redirect | Router tells a host to use a different next hop for a destination |

All NDP messages are sent to link-local scope — they never leave the local segment.

When Host A wants to send traffic to Host B on the same link, it must learn B’s MAC address. The process mirrors ARP:

  1. Host A sends a Neighbor Solicitation to the solicited-node multicast address of Host B’s IPv6 address.
  2. Host B responds with a Neighbor Advertisement containing its MAC address.
  3. Host A stores the mapping in its neighbor cache (the IPv6 equivalent of an ARP table).

Host A (2001:db8::1) → NS: "Who has 2001:db8::2?"
Host B (2001:db8::2) → NA: "2001:db8::2 is at aa:bb:cc:dd:ee:ff"

A gratuitous NA (unsolicited advertisement) can also update neighbor caches when a host’s MAC changes — similar to gratuitous ARP in IPv4.

When an IPv6 host comes online, it needs a default gateway and network prefix. Two methods exist:

4.1 Stateless Address Autoconfiguration (SLAAC)

  1. Host sends a Router Solicitation to FF02::2 (all routers multicast).
  2. Router replies with a Router Advertisement containing:
    • Network prefix (e.g., 2001:db8:1::/64)
    • Default gateway address
    • Flags: M (Managed — use DHCPv6), O (Other — use DHCPv6 for DNS), A (Autonomous — build address via SLAAC)
  3. Host builds its global address by combining the prefix with its interface identifier (often EUI-64 from the MAC).

| Flag | Meaning |
|---|---|
| A (Autonomous) | Host may auto-configure an address from the advertised prefix (SLAAC) |
| M (Managed) | Host must use DHCPv6 for address configuration |
| O (Other) | Host must use DHCPv6 for other config (DNS, etc.) |

If no RA is received, the host can only communicate using its link-local address (fe80::/10).
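
To see where the M, O and A flags actually sit on the wire, the following added example (not part of the original page) parses the ICMPv6 body of a Router Advertisement using the RFC 4861 layout. The function names `parse_ra` and `address_methods` and the sample bytes are constructed for illustration; the checksum is not verified.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134), RFC 4861 layout."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", icmp, 5)
    # M and O sit in the RA header; the A flag is per prefix (option 3).
    # The default gateway is the packet's IPv6 source address (the router's
    # link-local address); it is not a field in the ICMPv6 body.
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "source_mac": None, "prefixes": []}
    off = 16                                   # options follow the fixed header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option length")
        body = icmp[off:off + opt_len]
        if opt_type == 1 and opt_len == 8:     # Source Link-Layer Address
            ra["source_mac"] = body[2:8].hex(":")
        elif opt_type == 3 and opt_len == 32:  # Prefix Information
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", body, 2)
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[16:32])}/{plen}",
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid_lifetime": valid, "preferred_lifetime": preferred})
        off += opt_len
    return ra

def address_methods(ra: dict) -> list:
    """What a host does with this RA, following the flag table above."""
    out = [f"SLAAC from {p['prefix']}" for p in ra["prefixes"] if p["autonomous"]]
    if ra["managed"]:
        out.append("DHCPv6 for addresses")
    elif ra["other"]:
        out.append("DHCPv6 for other config (DNS)")
    return out

# Constructed sample RA: O flag set, one /64 prefix with L and A set.
SAMPLE_RA = bytes.fromhex(
    "8600" "0000" "40" "40" "0708"         # type 134, code, checksum, hop limit 64, O, lifetime 1800
    "00000000" "00000000"                  # reachable time, retransmit timer
    "0101" "aabbccddeeff"                  # option 1: source link-layer address
    "0304" "40" "c0" "00278d00" "00093a80" "00000000"  # option 3: /64, L+A, lifetimes
    "20010db8000100000000000000000000")    # prefix 2001:db8:1::

if __name__ == "__main__":
    print(parse_ra(SAMPLE_RA), address_methods(parse_ra(SAMPLE_RA)))
```
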

Before using a newly assigned address, an IPv6 node verifies it is not already in use on the link:

  1. Send a Neighbor Solicitation for its own address (target = self).
  2. If no Neighbor Advertisement comes back, the address is unique and safe to use.
  3. If a reply arrives, the address is a duplicate and must not be used.

DAD runs automatically when an address is added to an interface — whether via SLAAC, DHCPv6, or manual configuration.

Every IPv6 interface automatically gets a link-local address in the fe80::/10 range. NDP always uses link-local addresses as the source for its messages, even when communicating about global addresses.

Link-local addresses are never routed beyond the local segment and are the foundation for NDP to work.

| Address | Purpose |
|---|---|
| FF02::1 | All nodes on the local link |
| FF02::2 | All routers on the local link |
| FF02::1:FFxx:xxxx | Solicited-node multicast (last 24 bits of target IPv6 address) |

The solicited-node address ensures NS messages are delivered only to the node that owns the target address, not broadcast to every device on the link.

Each IPv6 node maintains a neighbor cache — a table mapping IPv6 addresses to link-layer addresses and reachability state:

| State | Meaning |
|---|---|
| INCOMPLETE | Address resolution in progress (NS sent, waiting for NA) |
| REACHABLE | Neighbor confirmed reachable; entry is fresh |
| STALE | Entry exists but has not been verified recently |
| DELAY | Waiting to verify reachability before marking unreachable |
| PROBE | Actively sending NS to confirm reachability |

Neighbor Unreachability Detection (NUD) periodically probes stale entries to detect failed neighbors without waiting for traffic to fail.

| | ARP (IPv4) | NDP (IPv6) |
|---|---|---|
| Protocol | Layer 2 broadcast (Ethernet broadcast) | ICMPv6 multicast (solicited-node) |
| Scope | Broadcast to all hosts on segment | Targeted multicast — less noise |
| Gateway discovery | Separate mechanism (DHCP / ICMP) | Built into NDP (RS / RA) |
| Address check | Gratuitous ARP (optional) | DAD (mandatory) |
| Cache table | ARP table | Neighbor cache |
| Security | Vulnerable to spoofing (see DAI) | Same class of attacks (NDP spoofing) |

View the IPv6 neighbor table:

Router# show ipv6 neighbors

View interface IPv6 addresses and link-local:

Router# show ipv6 interface brief

View Router Advertisement details on an interface:

Router# show ipv6 routers

On a host (Linux):

ip -6 neighbor show
ip -6 route show
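
Since an unsolicited NA can rewrite a neighbor cache entry, one practical check on a Linux host is to compare successive `ip -6 neighbor show` snapshots and report addresses whose link-layer address changed. The following is an added example, not part of the original page; the function names and both snapshots are constructed.

```python
def parse_neighbors(text: str) -> dict:
    """Map (ipv6, dev) -> entry from `ip -6 neighbor show` output."""
    table = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or "dev" not in tok:
            continue
        dev = tok[tok.index("dev") + 1]
        # INCOMPLETE / FAILED entries carry no lladdr field.
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        table[(tok[0], dev)] = {"mac": mac, "state": tok[-1],
                                "router": "router" in tok}
    return table

def binding_changes(before: dict, after: dict) -> list:
    """Entries whose link-layer address differs between two snapshots."""
    findings = []
    for key, new in after.items():
        old = before.get(key)
        # A first-time resolution (no previous MAC) is not a change.
        if old and old["mac"] and new["mac"] and old["mac"] != new["mac"]:
            findings.append({"address": key[0], "dev": key[1],
                             "old_mac": old["mac"], "new_mac": new["mac"],
                             "router": old["router"] or new["router"]})
    return findings

# Constructed snapshots: the router entry changes MAC, 2001:db8::9 finishes
# resolving for the first time, and 2001:db8::2 only changes state.
BEFORE = """
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8::2 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
2001:db8::9 dev eth0 INCOMPLETE
"""
AFTER = """
fe80::1 dev eth0 lladdr 02:00:00:00:00:99 router REACHABLE
2001:db8::2 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
2001:db8::9 dev eth0 lladdr 02:00:00:00:00:10 REACHABLE
"""

if __name__ == "__main__":
    for f in binding_changes(parse_neighbors(BEFORE), parse_neighbors(AFTER)):
        print(f)
```

A changed binding is a prompt to investigate rather than proof of spoofing, since a replaced NIC or a failover pair produces the same result; a change on an entry marked `router` deserves attention first because it redirects all off-link traffic.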