IPv6 Neighbor Discovery


, , ,

If you are keeping a blog, you know you have to write & publish posts at the right time without taking too much time on a post. Sometime you start a blog post and never finishes. Sometime difficult to maintain your motivation on a particular post after some time, this happen to me many times.

In my case I have over 30+ posts still in draft stage where I could not publish them as they were incomplete. Here is one of them that I started writing long time back but never finish & publish it that time.

Today I had to teach IPv6 basics to my team mates and I got a sudden motivation to finish this old post & publish it.

In this post we will look at basic Neighbor Discovery messages used in IPv6. There are 5 different ICMPv6 message types defined in RFC 4861. Pls watch this great 10min video by  (Cisco Press) to understand overview of those message types. Below shows those 5 messages types definition as per RFC 4861.

  1. RS-Router Solicitation (ICMPv6 type 133)
    When an interface becomes enabled, hosts may send out Router Solicitations that request routers togenerate Router Advertisements immediately rather thanat their next scheduled time
  2. RA-Router Advertisement (ICMPv6 type 134)
    Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message. Router Advertisements contain prefixes that are used for determining whether another address shares the same link (on-link determination) and/or address configuration, a suggested hop limit value, etc.
  3. NS-Neighbor Solicitation (ICMPv6 type 135)
    Sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address.Neighbor Solicitations are also used for Duplicate Address Detection (DAD).
  4. NA-Neighbor Advertisement (ICMPv6 type 136)
    A response to a Neighbor Solicitation message. A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change.
  5. Redirect (ICMPv6 type 137)
    Used by routers to inform hosts of a better first hop for a destination.

All of these messages should use its link local addresses (FE80::/64) as its source & a hop limit of 255 (for security reason)

My test setup is as shown below. I have taken wireshark capture from these laptops (using capture filter – ipv6) to look at details of these ICMPv6 frame exchange.


Router Solicitation (RS)
These messages are send by nodes when they boot up to find any routers in a local segment. It will be send to All Router IPv6 Multicast Address (FF02::2) . All layer 3 multicast addresses got a corresponding layer 2 mac address (33:33:xx:xx:xx:xx where xx:xx:xx:xx is last 32 bits of L3 multicast address). Here is the pcap file for RS/RA frames for your reference.


Router Advertisement (RA)

RA will be sent periodically or as a response to RS message. Routers in a local segment will respond to Router Solicitation messages with Router Advertisement (ICMPv6 type 134 message). It destine to all nodes multicast address (FF02::1). Router Advertisement consists of certain flags and options (prefix, MTU, DNS, SLLA – Src Link Layer Address).

Here are the meaning of certain flags

  • Managed (M flag) = 1 mean address provided by a Statefull DHCPv6
  • Other (O flag) = 1 mean address provided by Stateless DHCPv6, useful to provide options when client doing SLAACStateless Address Autoconfiguration. (Note that there is no option for default gateway)
  • Address Autoconfiguraion (A flag) = 1 mean it suggest host to create its own IPv6 address using SLAAC
  • Router lifetime = if it got anything other than “0” value, then source sending that RA will be the default gateway (Note that it is a link local address & not global unique address)

Here are different options seen in the given RA

  • Option 3- Prefix Info (Every RA should have this field)
  • Option 25 – DNS Server Info
  • Option 5 – MTU
  • Option 24 – Route Information
  • Option 1 – Source Link Layer Address

Note that it use link local IPv6 address (FE80::9ec7:a6ff:fe29:e197) as source. This address will be use as “default-gateway” by host. In this packet, “A” flag set to 1 mean Laptops will derive its IPv6  address based on the prefix information (2001:44b8:41e1:cc00::/64) provided by Router. Depending on the OS running on end device, some devices will choose EUI-64 method to derive Interface-ID part of IPv6 address while other devices use random 64 bits for better security (You will see both Windows 10 & Mac Book Pro use random 64 bits instead of EUI-64).


There are another two type of neighbor discovery message exchange called  NS– Neighbor solicitation & NA– Neighbor Advertisement. It is similar to ARP Process in IPv4, where nodes need to learn link layer address (MAC address) prior to communicating with each other. In IPv6 it is done via NS & NA messages.

Neighbor solicitation (NS)

Here is packet details when I try to ping from Dell Laptop to Mac Book Pro (ping 2001:44b8:41e1:cc00:843e:7b93:daa0:6e09 from Dell Laptop) . Here is NS message send by Dell to MBP.

First Dell laptop need to find out MAC address of MBP, so it will send a NS message to  Solicited Node multicast address of target (MBP) that  got lower 24 bits from IPv6 unicast address (ff02::1:ff:a0:6e:09). Every L3 multicast address is mapped to layer 2 multicast mac address (33:33:xx:xx:xx:xx) where xx:xx:xx:xx is last 32 bits of Solicited Node Multicast address. In this case destination MAC address is 33:33:ff:a0:6e:09 , note that lower 32 bits came from IPv6 Solicited Node Multicast address.


Neighbor Advertisement – NA

When a device get IPv6 address, it will join solicited node multicast group (to see if any other device trying to communicate with it). In our case MBP actively join its solicited multicast group ff02::1:ff:a0:6e:09. Therefore it gets to know about NS message & it will respond with NANeighbor Advertisement . It will send directly to Dell Laptop’s link layer address (as it was in NS message). Additionally it will set few flags, in my case router flag 0 as response going from another node. Solicited flag 1 as it is response to NS msg. Override set to 1,  to let others know about it is link layer address.


Once Layer 2 address known by each node, they will communicate directly (frame 128 – 135 as shown below) . Here is the capture of Frame 126-135 for your reference.Screen Shot 2019-10-03 at 9.36.12 PM

Here is frame 128 details where Dell laptop use MBP mac address as layer 2 destination address.


DAD – Duplicate Address Detection

There is a special type of Neighbor Solicitation (NS) messages that use for DADDuplicate Address Detection. In this case NS message source with unspecified IPv6  address ::/128 & destined to solicited node multicast address of the IPv6 address it intend to use.


ICMPv6 – Redirect
Since my test setup does not have multiple routers, I could not see ICMPv6 redirect messages in the captures.

1. Rick Graziani Resource Page (Great free resource for you to learn about IPv6)
2. IPv6: The Protocol – BRKIP6-2191 (CLEUR-2019) by Tim Martin
3. Packet Life – IPv6 Neighbor Discovery
4. IPv6 Configuration Guide, Cisco IOS Release 15.2M&T

Related Posts
1. IPv6 Basics
2. Configuring IPv6 Routing