IPv6 neighbor discovery

By stretch | Thursday, August 28, 2008 at 5:03 a.m. UTC

Neighbor Discovery Protocol (NDP) can be conceptualized as a toolbox used by IPv6 hosts to carry out various link-local operations. NDP itself does not describe a wire-level protocol or packet structure, but rather it establishes directions for accomplishing routine tasks using certain algorithms and five ICMPv6 message types.

Many of the capabilities provided by NDP are very similar to those found in IPv4's ARP and ICMPv4, while others are new implementations available only under IPv6. RFC 4861 describes the nine functions of NDP in detail, but this article should suffice as a high-level review. A packet capture of various IPv6 Neighbor Discovery functions is available if you want to follow along with Wireshark.

Router Discovery

Whereas IPv4 hosts must rely on manual configuration or DHCP to provide the address of a default gateway, IPv6 hosts can automatically locate default routers on the link. This is accomplished through the use of two ICMPv6 messages: Router Solicitation (type 133) and Router Advertisement (type 134). When first joining a link, an IPv6 host multicasts a router solicitation to the all routers multicast group, and each router active on the link responds by sending a router advertisement with its address to the all nodes group.


Router advertisements indicate paths out of the local link, but they also specify additional information necessary to assist other NDP operations.

Prefix Discovery

One of the options typically carried by a router advertisement is the Prefix Information option (type 3). Each prefix information option lists an IPv6 prefix (subnet) reachable on the local link. Remember that it is not uncommon for multiple IPv6 prefixes to reside on the same link, and routers may include more than one prefix in each advertisement. A host which knows what prefixes are reachable on the link can communicate directly with destinations in those prefixes without passing its traffic through a router.

Parameter Discovery

Another option included in router advertisements is the MTU option (type 5), which informs hosts of the IP MTU to use. For example, this value is typically set to 1500 for Ethernet networks. However, not all link types have a standardized MTU size. Including this option ensures all hosts know the correct MTU to use.

Router advertisements also specify the default value hosts should use for the IPv6 hop count. This isn't an option, but a field built into the router advertisement message header.

Address Autoconfiguration

NDP provides mechanisms for a host to automatically configure itself with an address from a prefix learned from a local router through prefix discovery. This is done by concatenating a candidate learned prefix with the EUI-64 address of the host's interface. In this manner, a host can achieve stateless autoconfiguration.

Address Resolution

The function of address resolution was handled by ARP for IPv4, but is handled by ICMPv6 for IPv6. In a process very similar to router discovery, two ICMPv6 messages are used: Neighbor Solicitation (type 135) and Neighbor Advertisement (type 136). A host seeking the link layer address of a neighbor multicasts a neighbor solicitation and the neighbor (if online) responds with its link layer address in a neighbor advertisement.


Next-Hop Determination

As in IPv4, next-hop determination is simply a procedure for performing longest-match lookups on the host routing table and, for off-link destinations, the selection of a default router.

Neighbor Unreachability Detection

NDP is able to determine the reachability of a neighbor by examining clues from upper-layer protocols (for example, received TCP acknowledgments), or by actively reperforming address resolution (via ICMPv6) when certain thresholds are reached.

Duplicate Address Detection

When a host first joins a link, it multicasts neighbor solicitations for its own IPv6 address for a short period before attempting to use that address to communicate. If it receives a neighbor advertisement in response, the host realizes that another neighbor on the link is already using that address. The host will mark the address as a duplicate and will not use it on the link.

Note that this process is similar to IPv4 gratuitous ARP requests, but NDP elegantly allows for detection of two hosts with the same address before both hosts are actively sending traffic from the address.


A fifth type of ICMPv6 message, the Redirect (type 137), is used by routers to either point hosts toward a more preferable router, or to indicate that the destination actually resides on link. ICMPv4 provides the same capability with its own redirect message.


About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in IPv6, Routing


Dinger (guest)
August 28, 2008 at 1:40 p.m. UTC

The link for EUI-64 address in the 'address autoconfig' section is broken.

August 28, 2008 at 2:33 p.m. UTC

Whoops! Fixed. Thanks for the heads up!

Rodrigo Brazil (guest)
August 31, 2008 at 1:28 p.m. UTC

Mate, I guess you could write a book with some articles from your blog. I'm sure that it would be widely accepted. Congrats!

TJ (guest)
December 24, 2008 at 3:55 p.m. UTC

Very nice write-up!

One nit: Are you sure a redirect triggers a retransmit? I thought the router would forward the packet normally, but also send a redir ... and the host would then make a route table entry for the destination to use the better first hop ... ?


peter (guest)
July 8, 2009 at 6:24 a.m. UTC

IPV6 has not been fully utilize by many organization due to inability to migration from IPV4 and relaxity by the network administrator to enforce IPV6.

October 21, 2010 at 9:20 p.m. UTC

Thanks for a good explanation.

Eddie (guest)
February 4, 2011 at 2:49 p.m. UTC

My reading also confirms what TJ said, the redirect message is sent to the original sender, but the original packet is still forwarded to the 'better' next hop.

Additionally, periodic router advertisements (RAs) are sent to the "all nodes" multicast group. However, RA's sent in response to a Router Solicitation (RS) are sent directly, unciast, to the node which sent the RS. The article above implied RA's are always sent to the all nodes group.

Great read other than these two minor points above. Love all the knowledge you have "put to paper" on packetlife.net! Thanks!

June 28, 2011 at 3:50 a.m. UTC

Hi everyone!

I wonder if you have any flash files or videos regarding this neighbor discovery.. It would really help me a lot to understand more on this topic..


p/s: does anyone have the IPSO Neighbor Discovery? it's no longer available from IPSO website :(

vadi (guest)
July 20, 2011 at 3:41 a.m. UTC

It is a good reference of basics on IPv6 ND.

Please refer any VoD or PPT with detailed ND operation.


Andrei (guest)
August 19, 2011 at 5:58 a.m. UTC


Thanks, great article.
I am looking for an answer to quite simple problem; may be people who have played with IPv6 can help me.

It is intriguing (or may be it is obvious for someone who knows IPv6 well). I have a classroom of Windows 7 PCs, which work quite happily on IPv4 (access the Internet, other subnets, etc) They have IPv6 installed by default, of course, being W7. Students need to do some basic labs with IPv6, like ping Link-local adresses of their neighbours. The problem is - they can't: Destination host unreachable!
For example: one pc host name is ET300, it's IPv6 link-local address is fe80::e4c3:d187:f8ca:90f7%11, another PC is ET316, it's IPv6 address is fe80::7023:d014:6f27:9f8d%11. They can happily ping each other on IPv4, but not on IPv6. On IPv4 they can access each other's shared drives, RDP, etc. Firewall is disabled on all machines. If I try ping by name (for example: ping ET316 -6 , it resolves name correctly to IPv6 address, but still "Destination host unreachable". I have captured IPv6 packets with Wireshark: i can see Neighbor solicitation messages going from source computer fe80::e4c3:d187:f8ca:90f7 to ff02::1:ff27:9f8d (when I try to ping fe80::7023:d014:6f27:9f8d), but no replies.

I have searched the net for a while, but couldn't find any explanation, which indicates that either something is unusual in my network, or this is normal behaviour of IPv6 (this doesn't make sense to me).

I have set up a few virtual machines using Windows virtual PC. I have got exatly the same problem. what is going on?

If anyone can help me, it would be great.

Andrei (guest)
August 19, 2011 at 6:45 a.m. UTC

Regarding pinging IPv6 link-local addresses on Windows 7:
I have solved the issue. Symantec Endpoint Protection was the cause.

Manouchehr (guest)
December 2, 2011 at 8:09 p.m. UTC


sobu86 (guest)
July 6, 2012 at 11:07 a.m. UTC

Nice writeup.
Very helpful for IPv6 beginners like me !!

Hank (guest)
September 18, 2012 at 11:59 a.m. UTC

Excellent job, this is the best article about NDP I can find from internet.

Fahim (guest)
January 28, 2013 at 7:07 p.m. UTC

This saved me reading the long RFC. For all my networking needs your blog is becoming my one stop shop. Thanks.

Amit (guest)
June 19, 2013 at 12:44 p.m. UTC

Beautiful writeup!
Very helpful.

November 25, 2013 at 3:29 a.m. UTC

Excellent straight forward article. Please explain more about how it choses more preferable router with Redirect ICMPV6?

Can you explain the following scenario

In HSRP configuration for VLANs using IPV6, we configure .1 on 1a Physical interface and .2 on 1b physical interface and not configuring any standby HSRP IPV6. My end host automatically getting IPV6 address without DHCP...not sure how its getting only .1 as gateway and how its choosing best router.

I am configuring something like this

ASR 9K device;

On primary device:
interface Bundle-Ether100.200
ipv4 address
ipv6 nd reachable-time 600000
ipv6 nd other-config-flag
ipv6 address 2001:4898:e0:f230::1/64
encapsulation dot1q 200

interface Bundle-Ether100.200
address-family ipv4
hsrp 39
timers 6 19
priority 150
track Loopback100 100
track Bundle-EtherX 11
track Bundle-EtherX 11

On secondary device:

interface Bundle-Ether100.200
ipv4 address
ipv6 nd reachable-time 600000
ipv6 nd other-config-flag
ipv6 address 2001:4898:e0:f230::2/64
encapsulation dot1q 200

--For IPV4 we are separately defining hsrp group and Standby IP. which I truncated here, how ever for IPV6 we do not have any of such configuration.

Ajay (guest)
September 4, 2014 at 9:27 a.m. UTC

Nice article and very informative. thanks for providing such a wonderful article explaining IPv6 in simple terms.

Khalid Mahgoub (guest)
October 28, 2014 at 1:19 p.m. UTC

Elegantly written. And I loved the fact that you provided wireshark trace with the article.

I felt obliged to thank you for this article.

BR, Khalid Mahgoub

nag (guest)
August 13, 2016 at 11:36 a.m. UTC

Hello Jeremy Stretch,

thanks for your knowledge sharing. I have following questions.

  1. is there anyway we can disable negihbor solicitation message at router?
  2. why link local address is used to find distination MAC address. why cant we use globel address itself like ipv4?

Thanks Nag

Comments have closed for this article due to its age.