What is Neighbor Discovery Protocol (NDP)?

Overview

The Neighbor Discovery Protocol (NDP) is a fundamental protocol in IPv6 networking that enables nodes on the same link to discover each other's presence, determine link-layer addresses, find available routers, and maintain reachability information. Specified in RFC 4861, NDP replaces several IPv4 protocols including ARP (Address Resolution Protocol), ICMP Router Discovery, and ICMP Redirect, consolidating their functionality into a single, more efficient protocol.

NDP operates at the Internet layer using ICMPv6 (Internet Control Message Protocol version 6) messages, making it more media-independent and secure than its IPv4 predecessors. By leveraging multicast rather than broadcast communications, NDP significantly reduces unnecessary network traffic and improves overall network efficiency.

Core Functions

NDP serves multiple critical functions in IPv6 networks:

1. Address Resolution: Determining the link-layer (MAC) address of neighbors on the same link, similar to ARP in IPv4
2. Router Discovery: Locating routers willing to forward packets on behalf of hosts
3. Prefix Discovery: Learning network prefixes for address configuration
4. Parameter Discovery: Obtaining configuration parameters such as link MTU and hop limits
5. Address Autoconfiguration: Enabling stateless address configuration (SLAAC)
6. Neighbor Unreachability Detection: Monitoring the reachability status of neighbor nodes
7. Duplicate Address Detection (DAD): Ensuring address uniqueness before assignment
8. Redirect Function: Informing hosts of better next-hop addresses for specific destinations

NDP Message Types

NDP defines five ICMPv6 message types, each serving specific discovery and maintenance functions:

1. Router Solicitation (RS) - Type 133

Router Solicitation messages are sent by hosts to request immediate Router Advertisement messages from routers. When a host connects to a network, it multicasts an RS to the all-routers multicast address (FF02::2) to expedite the router discovery process rather than waiting for the next scheduled Router Advertisement.

Host --> [RS: ICMPv6 Type 133] --> All-Routers Multicast (FF02::2)

2. Router Advertisement (RA) - Type 134

Routers send Router Advertisement messages either periodically (typically every 200 seconds) or in response to Router Solicitations. RAs contain critical information including:

• Router's link-local address
• Network prefixes for address autoconfiguration
• Prefix lifetimes (valid and preferred)
• Link MTU
• Hop limit values
• Flags indicating address configuration methods (managed/other configuration)

Router --> [RA: ICMPv6 Type 134] --> All-Nodes Multicast (FF02::1)

3. Neighbor Solicitation (NS) - Type 135

Neighbor Solicitation messages serve three primary purposes:

• Address Resolution: Determining the link-layer address of a neighbor with a known IPv6 address
• Neighbor Unreachability Detection: Verifying that a neighbor is still reachable via a cached link-layer address
• Duplicate Address Detection: Checking if a tentative address is already in use on the link

NS messages are sent to the solicited-node multicast address (FF02::1:FF00:0/104) corresponding to the target IPv6 address.

Node A --> [NS: ICMPv6 Type 135] --> Solicited-Node Multicast
         "What is the MAC address of 2001:db8::1?"

4. Neighbor Advertisement (NA) - Type 136

Neighbor Advertisement messages are sent in response to Neighbor Solicitations or unsolicited to announce link-layer address changes. NA messages contain:

• Target IPv6 address
• Link-layer address (MAC address)
• Flags indicating router status, solicited response, and override behavior

Node B --> [NA: ICMPv6 Type 136] --> Node A
         "2001:db8::1 is at MAC: 00:11:22:33:44:55"

5. Redirect - Type 137

Routers send Redirect messages to inform hosts of better first-hop routers or that the destination is actually on-link. This optimizes routing by allowing hosts to update their routing tables dynamically.

Router --> [Redirect: ICMPv6 Type 137] --> Host
         "Use 2001:db8::254 for destination 2001:db8:1::100"

Address Resolution Process

The NDP address resolution process demonstrates how nodes discover link-layer addresses:

1. Node A needs to send a packet to Node B at IPv6 address 2001:db8::b but doesn't know B's MAC address
2. Node A sends a Neighbor Solicitation to the solicited-node multicast address FF02::1:FF00:000b
3. Node B receives the NS (as it subscribes to this multicast group) and responds with a Neighbor Advertisement containing its link-layer address
4. Node A caches the IPv6-to-MAC address mapping in its neighbor cache
5. Node A can now send packets directly to Node B using the cached link-layer address

This process is more efficient than ARP's broadcast approach, as only nodes with matching solicited-node multicast addresses process the request.

Duplicate Address Detection (DAD)

Before assigning any unicast IPv6 address to an interface (whether configured manually, via SLAAC, or DHCPv6), a node must verify the address is unique on the link through DAD:

1. Tentative Address: The node generates or receives an IPv6 address marked as "tentative"
2. NS Transmission: The node sends a Neighbor Solicitation with:
   • Source address: unspecified address (::)
   • Target address: the tentative address
   • Destination: solicited-node multicast address of the tentative address
3. Waiting Period: The node waits for responses (typically 1 second, configurable)
4. Conflict Detection: If a Neighbor Advertisement is received, the address is duplicate and cannot be used
5. Success: If no response is received after the waiting period, the address is unique and transitions from "tentative" to "preferred" state

The DAD process is critical for preventing address conflicts in IPv6 networks, especially in environments using stateless address autoconfiguration.

NDP vs. ARP: Key Differences

While NDP serves a similar purpose to ARP in IPv4, it offers significant improvements:

Feature	ARP (IPv4)	NDP (IPv6)
Protocol Layer	Data Link Layer (Layer 2)	Network Layer (ICMPv6)
Message Delivery	Broadcast	Multicast
Functionality	Address resolution only	Address resolution, router discovery, autoconfiguration, DAD, redirect
Security	No built-in security	Supports IPsec, SEND protocol
Network Efficiency	High overhead (all hosts process broadcasts)	Low overhead (targeted multicast)
Media Independence	Media-dependent	Media-independent
Unreachability Detection	None	Built-in neighbor unreachability detection

The use of multicast instead of broadcast is particularly significant. In IPv4 networks, every ARP request interrupts all hosts on the LAN segment. In IPv6, only nodes subscribed to the relevant solicited-node multicast group process Neighbor Solicitations, dramatically reducing processing overhead on other nodes.

Router Discovery

NDP's router discovery mechanism allows hosts to automatically locate routers and configure themselves:

1. Host Initialization: When a host joins a network, it sends a Router Solicitation to the all-routers multicast address
2. Router Response: Routers respond with Router Advertisements containing network configuration information
3. Prefix Information: The RA includes network prefixes, allowing hosts to generate global unicast addresses
4. Default Router Selection: Hosts select a default router based on router preferences and other metrics
5. Periodic Updates: Routers continue sending RAs periodically to maintain host configurations

This mechanism enables Stateless Address Autoconfiguration (SLAAC), where hosts can configure themselves without DHCP servers, simplifying network administration in dual-stack and IPv6-only environments.

Security Considerations

NDP, like its predecessor ARP, is vulnerable to various attacks if not properly secured. Common threats include:

Common NDP Attacks

1. Router Advertisement Spoofing: Attackers send fake RAs to hijack traffic, cause denial of service, or manipulate routing
2. Neighbor Advertisement Spoofing: Similar to ARP poisoning, attackers can impersonate other nodes
3. DAD DoS Attacks: Attackers respond to all DAD Neighbor Solicitations, preventing legitimate nodes from configuring addresses
4. Redirect Message Attacks: Malicious redirects can cause suboptimal routing or man-in-the-middle attacks
5. Neighbor Cache Exhaustion: Flooding a router's neighbor cache can cause denial of service

Security Mechanisms

Several mechanisms have been developed to secure NDP:

RA Guard (RFC 6105)

Router Advertisement Guard is an Ethernet switch feature that filters RA messages, permitting only legitimate RAs from authorized router ports. RA Guard provides:

• Port-based RA filtering
• Protection against rogue router advertisements
• Validation of RA message contents

However, RA Guard has limitations. Early implementations could be bypassed using fragmented packets, as switches couldn't inspect fragmented ICMPv6 headers. Modern implementations address this vulnerability, but deployment gaps remain.

SEND - SEcure Neighbor Discovery (RFC 3971)

SEND provides cryptographic security for NDP messages through:

• Cryptographically Generated Addresses (CGA): Binds IPv6 addresses to public keys, proving address ownership
• RSA Signature Options: Authenticates NDP messages and prevents spoofing
• Timestamp Options: Protects against replay attacks
• Nonce Options: Provides additional replay protection for Neighbor Solicitation/Advertisement exchanges
• Certificate-Based Router Authorization: Validates that routers are authorized to advertise specific prefixes

SEND deployment, however, faces challenges:

• High administrative overhead for managing trust anchors and certificates
• Limited operating system support
• Performance overhead from cryptographic operations
• Complexity in certificate management
• Still vulnerable to certain DoS attacks

Despite these challenges, SEND remains the most comprehensive security solution for NDP. Organizations requiring strong security should evaluate SEND alongside other measures like IPsec protection for NDP traffic.

Additional Protections

Other security best practices include:

• Port Security: Limiting MAC addresses per switch port
• DHCPv6 Guard: Similar to RA Guard for DHCPv6 messages
• Source Address Validation: Implementing ingress filtering (BCP 38)
• Neighbor Discovery Inspection: Analyzing and validating NDP traffic patterns
• Rate Limiting: Throttling NDP message rates to prevent flooding
• IPv6 Firewall Configuration: Properly securing ICMPv6 traffic while allowing necessary NDP messages

Testing Your IPv6 Connectivity

Understanding NDP is crucial for troubleshooting IPv6 connectivity issues. If your system can successfully complete neighbor discovery and router discovery, you're well on your way to full IPv6 connectivity.

You can test your IPv6 connectivity and configuration at test-ipv6.run, which performs comprehensive IPv6 readiness testing including:

• IPv6 connectivity verification
• Dual-stack functionality tests
• Protocol preference detection
• Latency comparisons between IPv4 and IPv6

Proper NDP operation is fundamental to passing these tests. Issues with NDP can manifest as:

• Inability to reach IPv6 addresses
• Failed duplicate address detection
• Missing default routes
• Incorrect address autoconfiguration

Conclusion

The Neighbor Discovery Protocol represents a significant evolution from IPv4's fragmented approach to neighbor discovery and router discovery. By consolidating multiple IPv4 protocols into a single, efficient, multicast-based system, NDP provides:

• Improved network efficiency through targeted multicast communications
• Enhanced functionality including autoconfiguration and unreachability detection
• Better security foundations with support for cryptographic protection
• Media independence through its implementation at the ICMPv6 layer

As IPv6 adoption continues to grow, understanding NDP becomes increasingly critical for network administrators, developers, and security professionals. While security challenges exist, ongoing protocol developments and deployment of protective mechanisms like RA Guard and SEND continue to strengthen NDP's security posture.

For organizations deploying IPv6, proper NDP security should be a top priority. Implementing RA Guard on switches, considering SEND for high-security environments, and following security best practices will help ensure that NDP enhances rather than compromises network security.

---

For more information about IPv6 connectivity and testing, visit test-ipv6.run.