Neighbor Discovery Protocol: complete guide for IPv6

Discover what the neighbor discovery protocol is, how it works in IPv6, and why it is essential for secure and efficient communication in modern networks.

Table of contents

  • Introduction to the Neighbor Discovery Protocol
  • Differences Between ARP and Neighbor Discovery Protocol
  • The role of ICMPv6 in the Neighbor Discovery Protocol
  • Main messages of the Neighbor Discovery Protocol
  • Duplicate Address Detection (DAD)
  • Neighbor Unreachability Detection (NUD)
  • Stateless Autoconfiguring with NDP
  • Neighbor Discovery Protocol Tables
  • Security of the Neighbor Discovery Protocol
  • Practical Implications for Network Managers
  • Practical Example of Neighbor Discovery in action

Introduction to the Neighbor Discovery Protocol

When discussing next-generation networks, the transition from IPv4 to IPv6 represents one of the most significant challenges. With IPv6, the classic address resolution protocol ARP is no longer used. Instead, we find the neighbor discovery protocol (NDP), an essential component for communication between devices and for managing network tables.

The IPv6 neighbor discovery protocol is based on ICMPv6 messages and performs numerous tasks: from resolving an IP address into a MAC address, to detecting available nodes, discovering the default router, managing the cache entry, and verifying reachability through neighbor unreachability detection.

In this article, we will explore how the neighbor discovery protocol NDP works, its main message types, its security mechanisms, and the practical implications for network managers and system administrators.

Differences Between ARP and Neighbor Discovery Protocol

With IPv4, to map an IP address to a link layer address, the address resolution protocol ARP was used. With IPv6, this function is replaced by the IPv6 neighbor discovery protocol.

The main differences between the two protocols are:

  • ARP uses broadcast messages, while NDP relies on multicast messages, reducing network load.
  • NDP integrates more functions: not only address resolution but also duplicate address detection, default router management, and redirect messages.
  • In terms of security, NDP can be vulnerable to certain attacks (similar to ARP spoofing), but extensions such as SEND (Secure Neighbor Discovery) increase reliability.

The role of ICMPv6 in the Neighbor Discovery Protocol

The Internet Control Message Protocol version 6 (ICMPv6) is the foundation of the IPv6 neighbor discovery protocol. All NDP operations are carried out through specific ICMPv6 messages.

These messages are used to:

  • Resolve an IP address into a link layer address.
  • Verify whether a node is still reachable.
  • Inform devices of the presence of a default router.
  • Avoid address conflicts through duplicate address detection.

Thanks to ICMPv6, every sending device can communicate efficiently without relying on intrusive broadcasts, using link local addresses and selective multicast instead.

Main messages of the Neighbor Discovery Protocol

The operation of the neighbor discovery protocol NDP is based on a set of key messages, each with a specific purpose.

Neighbor Solicitation (NS)

When a node needs to discover the MAC address corresponding to an IP address, it sends a neighbor solicitation. This message is sent to the solicited-node multicast address derived from the target address, rather than to every node on the link.

The main content of a neighbor solicitation NS message includes:

  • Target address (the IPv6 address to be resolved).
  • Link layer address of the sender (if available).

If the recipient exists and is listening, it will respond with a neighbor advertisement.

Neighbor Advertisement (NA)

The neighbor advertisement (NA) is the response to a neighbor solicitation. It informs the sender of the correct link layer address.

This message can also be sent unsolicited to update any cache entries in nearby devices.

Router Solicitation (RS) and Router Advertisement (RA)

When a device connects to an IPv6 network, it sends a router solicitation to discover the presence of a default router.

Routers respond with a router advertisement, which contains:

  • The router’s link local address.
  • Information about prefixes and configurations.
  • Instructions for stateless autoconfiguring, which allows an IP address to be automatically generated without the need for DHCP.

Redirect message

The redirect message is used by routers to inform a host of a better path to a specific destination address. It is a tool that optimizes local routing and reduces transmission times.

Duplicate Address Detection (DAD)

One of the most critical problems in a network is the assignment of duplicate addresses. The IPv6 neighbor discovery protocol implements duplicate address detection to prevent conflicts.

The mechanism works as follows:

  • The node chooses a provisional link local address.
  • It sends a neighbor solicitation NS message with the address as the target.
  • If no one responds, the address is available.
  • If another node sends a neighbor advertisement, it means the address is already in use and the node must generate a new one.
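
The solicited-node multicast address mentioned under Neighbor Solicitation, and the probe a node sends during duplicate address detection, are easy to make concrete. The block below is an added example written for this article, not code from the original page or from any particular IPv6 stack: it derives the solicited-node group and its Ethernet MAC from a target address (RFC 4291 section 2.7.1 and RFC 2464 section 7), serialises a Neighbor Solicitation (RFC 4861 section 4.3), and applies the DAD decision rules of RFC 4862 section 5.4. All addresses and observed messages are constructed sample values, and the ICMPv6 checksum is left at zero because it depends on the IPv6 pseudo-header, which is outside the scope of the example.

```python
"""Where a Neighbor Solicitation goes, and how DAD uses it (added example)."""
import ipaddress
import struct
from typing import List, Optional, Tuple

ND_NEIGHBOR_SOLICIT = 135   # ICMPv6 type
ND_NEIGHBOR_ADVERT = 136    # ICMPv6 type
OPT_SOURCE_LLADDR = 1       # ND option: Source Link-layer Address


def solicited_node_multicast(addr: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    group = (0xFF02 << 112) | (0x1FF << 24) | low24
    return str(ipaddress.IPv6Address(group))


def ipv6_multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def build_ns(target: str, src_lladdr: Optional[str] = None) -> bytes:
    """ICMPv6 header (checksum left zero: it needs the IPv6 pseudo-header),
    4 reserved bytes, the target address, and an optional SLLA option."""
    msg = struct.pack("!BBHI", ND_NEIGHBOR_SOLICIT, 0, 0, 0)
    msg += ipaddress.IPv6Address(target).packed
    if src_lladdr is not None:
        mac = bytes.fromhex(src_lladdr.replace(":", ""))
        msg += struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + mac   # length 1 = 8 octets
    return msg


def address_resolution_probe(target: str, my_addr: str, my_lladdr: str) -> dict:
    """NS sent to resolve `target`: multicast to the solicited-node group and
    carrying our own link-layer address so the reply can be unicast back."""
    group = solicited_node_multicast(target)
    return {"src": my_addr, "dst": group, "dst_mac": ipv6_multicast_mac(group),
            "msg": build_ns(target, my_lladdr)}


def dad_probe(tentative: str) -> dict:
    """DAD NS: the source is the unspecified address, so no SLLA option may be
    included (RFC 4861 section 4.3); any answer comes back to ff02::1."""
    group = solicited_node_multicast(tentative)
    return {"src": "::", "dst": group, "dst_mac": ipv6_multicast_mac(group),
            "msg": build_ns(tentative)}


def dad_verdict(tentative: str, observed: List[Tuple[int, str, str]]) -> str:
    """Apply RFC 4862 sections 5.4.3 and 5.4.4 to the messages seen while the
    address is tentative. `observed` holds constructed (icmp_type, src, target)
    tuples; a NA for the address, or another node's DAD NS for it, means it is
    already taken."""
    for icmp_type, src, target in observed:
        if target != tentative:
            continue
        if icmp_type == ND_NEIGHBOR_ADVERT:
            return "duplicate"          # someone already defends this address
        if icmp_type == ND_NEIGHBOR_SOLICIT and src == "::":
            return "duplicate"          # another node is probing the same address
    return "unique"


if __name__ == "__main__":
    probe = dad_probe("fe80::1")
    print(f"DAD probe: {probe['src']} -> {probe['dst']} ({probe['dst_mac']})")
    print(dad_verdict("fe80::1", [(ND_NEIGHBOR_ADVERT, "fe80::1", "fe80::1")]))
```

Note that `dad_verdict` treats a second DAD solicitation for the same address as a conflict, which is what the RFC requires; a node that only waited for advertisements would let two hosts that boot at the same moment both keep the address.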

Neighbor Unreachability Detection (NUD)

The neighbor unreachability detection mechanism is another pillar of the IPv6 neighbor discovery protocol.

It makes it possible to determine whether a previously reachable node is no longer available.

The procedure works as follows:

  • Every time a node uses a cache entry, it must verify that the destination address is still active.
  • In case of doubt, it sends a new neighbor solicitation.
  • If it does not receive a neighbor advertisement, the entry is marked as inactive and removed from the table.

This ensures that data is not sent to offline or disconnected devices.
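
The procedure above is the per-entry state machine of RFC 4861 section 7.3. The following block is an added example, not code from the article or from any operating system: it models the REACHABLE, STALE, DELAY and PROBE states with the RFC's default timer values, driven by a simulated clock, so you can watch the entry for a neighbor that has gone silent being probed three times and then removed, and compare that with the case where a neighbor advertisement arrives after the first probe. The neighbor address and MAC are constructed sample values, and the reachable time is fixed rather than randomised as real stacks do.

```python
"""Neighbor cache reachability states (added example, RFC 4861 section 7.3)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

REACHABLE_TIME = 30.0          # RFC 4861 section 10 default; real stacks randomise it
RETRANS_TIMER = 1.0
DELAY_FIRST_PROBE_TIME = 5.0
MAX_UNICAST_SOLICIT = 3


class State(Enum):
    REACHABLE = "REACHABLE"    # positive confirmation received recently
    STALE = "STALE"            # timer expired; no probe until the entry is used again
    DELAY = "DELAY"            # entry used; give upper layers a chance to confirm
    PROBE = "PROBE"            # unicast NS being retransmitted
    DELETED = "DELETED"        # probes exhausted: entry removed from the cache


@dataclass
class NeighborEntry:
    ip: str
    lladdr: str
    state: State
    deadline: float            # simulated time at which the current timer fires
    probes_sent: int = 0

    def confirm_reachable(self, now: float) -> None:
        """Solicited NA or upper-layer hint (e.g. a TCP ACK): back to REACHABLE."""
        self.state, self.deadline, self.probes_sent = State.REACHABLE, now + REACHABLE_TIME, 0

    def on_send(self, now: float) -> None:
        """Using a STALE entry starts the DELAY timer; packets keep flowing."""
        if self.state is State.STALE:
            self.state, self.deadline = State.DELAY, now + DELAY_FIRST_PROBE_TIME

    def tick(self, now: float) -> List[str]:
        """Advance timers; returns the actions the node must perform now."""
        if self.state in (State.STALE, State.DELETED) or now < self.deadline:
            return []
        if self.state is State.REACHABLE:
            self.state = State.STALE       # passive: nothing is sent yet
            return []
        if self.state is State.DELAY:
            self.state, self.probes_sent, self.deadline = State.PROBE, 1, now + RETRANS_TIMER
            return ["send_ns"]
        # PROBE: retransmit until MAX_UNICAST_SOLICIT probes have gone unanswered
        if self.probes_sent >= MAX_UNICAST_SOLICIT:
            self.state = State.DELETED
            return ["delete"]
        self.probes_sent += 1
        self.deadline = now + RETRANS_TIMER
        return ["send_ns"]


def simulate(confirm_at: Optional[float] = None) -> Tuple[State, int]:
    """Entry learned at t=0, a packet sent to it at t=31, one tick per second up
    to t=45. If confirm_at is given, a solicited NA arrives at that moment.
    Returns the final state and how many NS probes were sent."""
    entry = NeighborEntry("fe80::1", "00:11:22:33:44:55", State.REACHABLE, REACHABLE_TIME)
    ns_sent = 0
    for t in range(0, 46):
        ns_sent += entry.tick(float(t)).count("send_ns")
        if t == 31:
            entry.on_send(float(t))
        if confirm_at is not None and t == confirm_at:
            entry.confirm_reachable(float(t))
    return entry.state, ns_sent


if __name__ == "__main__":
    print("silent neighbor:", simulate())
    print("neighbor answers first probe:", simulate(confirm_at=36))
```

The point worth noticing is that a STALE entry is not probed on its own: the node keeps sending to the cached MAC and only starts verifying once the entry is actually used, which is why a stale binding can linger until traffic flows to it.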

Stateless Autoconfiguring with NDP

One of the advantages of IPv6 is the ability to self-configure without DHCP servers. This process, known as stateless autoconfiguring, uses the messages of the neighbor discovery protocol.

Thanks to router advertisements, a node can:

  • Form its own IP address by combining the prefix provided by the router with an interface identifier (historically derived from its hardware address).
  • Record the default router in its table.
  • Start duplicate address detection mechanisms to prevent conflicts.

In this way, the entire network becomes more scalable and resilient.
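
The address formation step deserves a worked example. The block below is added here and is not code from the article or from any operating system: it builds the modified EUI-64 interface identifier from a MAC address (RFC 4291 Appendix A), combines it with the prefixes a router advertised, and applies the checks RFC 4862 section 5.5.3 requires before a prefix can be used for autoconfiguration (the autonomous flag must be set, the prefix must be /64, and link-local prefixes are ignored). The MAC address and prefix list are constructed sample values.

```python
"""SLAAC address formation from RA prefixes (added example)."""
import ipaddress
from typing import List, Tuple


def eui64_interface_id(mac: str) -> int:
    """MAC -> 64-bit IID: split in half, insert ff:fe, invert the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02                    # universal/local bit is inverted
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Prefix (must be /64, the length of the IID) combined with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("prefix length must equal the interface identifier length")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def link_local_address(mac: str) -> str:
    """The first address a node forms, before any router advertisement arrives."""
    return slaac_address("fe80::/64", mac)


def autoconfigure(mac: str, ra_prefixes: List[Tuple[str, bool]]) -> List[str]:
    """ra_prefixes: (prefix, A flag) pairs as carried in RA Prefix Information
    options. Only prefixes with the autonomous flag set, a /64 length and a
    non-link-local scope yield addresses; the others are silently skipped."""
    addresses = []
    for prefix, autonomous in ra_prefixes:
        net = ipaddress.IPv6Network(prefix, strict=False)
        if not autonomous or net.prefixlen != 64 or net.is_link_local:
            continue
        addresses.append(slaac_address(prefix, mac))
    return addresses


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                       # constructed sample MAC
    print("link-local:", link_local_address(mac))
    print("global:", autoconfigure(mac, [("2001:db8:1::/64", True),
                                         ("2001:db8:2::/64", False),
                                         ("2001:db8:3::/48", True)]))
```

Every address this produces is tentative until duplicate address detection has passed. Also note that embedding the MAC in the identifier makes a host trackable across networks, so current operating systems usually generate stable opaque identifiers (RFC 7217) or temporary ones (RFC 8981) instead of EUI-64; the prefix checks are the same either way.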

Neighbor Discovery Protocol Tables

The neighbor discovery protocol NDP uses several internal tables to manage communications. Among the most important are:

  • Neighbor Cache
    Contains associations between IP addresses and MAC addresses, with validity state and timers.
  • Destination Cache
    Records the best router to use to reach a given destination address.
  • Prefix List
    Stores prefixes received through router advertisements.
  • Default Router List
    Lists the routers currently available on the network.

This information allows network managers and operating systems to optimize connections and reduce latency.

Security of the Neighbor Discovery Protocol

Despite the numerous benefits introduced by the IPv6 neighbor discovery protocol, this mechanism is not free from risks. Since it relies on sending and receiving ICMPv6 messages, it can be exploited by attackers who manipulate packets to alter normal network operations. Understanding these vulnerabilities is crucial for network managers and system administrators.

  • One of the most common attacks is neighbor advertisement spoofing. In this scenario, an attacker sends a fake neighbor advertisement (NA) that associates a specific IP address with its own MAC address. The result is that traffic intended for a legitimate node is redirected to the malicious device, enabling activities such as sniffing, interception, or man-in-the-middle attacks. This issue closely resembles ARP spoofing in IPv4 but can have even more serious consequences in IPv6 given the protocol’s ubiquity.
  • Another threat is represented by DoS attacks through false duplicate address detection. During the stateless autoconfiguring phase, each node sends a neighbor solicitation NS message to verify that its address is not already in use. An attacker may respond with a fake neighbor advertisement, claiming that the address is occupied. This prevents the victim device from completing the configuration of its link local address, effectively excluding it from the network.

Attackers can also exploit redirect messages. These messages, intended to improve efficiency by routing packets through more optimal paths, can be manipulated to convince a host to route traffic through an attacker-controlled node. This type of abuse can lead to interception, alteration of traffic, or redirection to fraudulent destinations.

To address these vulnerabilities, the IETF developed the Secure Neighbor Discovery (SEND) extension. SEND uses cryptographic mechanisms to ensure the authenticity and integrity of NDP messages. Its main features include:

  • RSA-based cryptographic signatures to validate messages sent by nodes.
  • Prefix-based certificates proving a router’s authority to announce specific address blocks.
  • The use of nonces and unique identifiers to prevent replay attacks.

These tools allow hosts to distinguish legitimate messages from malicious ones, reducing the risk of spoofing and tampering. However, implementing SEND presents practical challenges: it requires complex key management, may increase computational load on devices, and is not yet supported across all platforms and operating systems.

Beyond SEND, other countermeasures include:

  • Filtering suspicious ICMPv6 messages through firewalls and intrusion detection systems.
  • Continuous monitoring of the neighbor cache to detect anomalous updates.
  • Network segmentation to limit the spread of attacks.
  • Adoption of advanced security practices, such as integrating IPsec, to protect packet confidentiality and integrity.

In short, while the neighbor discovery protocol NDP is a necessary evolution from ARP, its security must be addressed with the same seriousness as other critical network components. Proactive management, combined with the use of extensions such as SEND and constant monitoring, can ensure a safer and more efficient IPv6 environment.
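
"Continuous monitoring of the neighbor cache to detect anomalous updates" can be made concrete with a small passive detector. The block below is an added example written for this article, not code from the original page or from any IDS product: it parses ICMPv6 Neighbor Advertisement messages (RFC 4861 section 4.4), keeps its own view of target-to-link-layer bindings, and reports the two patterns that characterise the NA spoofing described above, namely a binding that flips via an unsolicited advertisement with the Override flag set, and an advertised link-layer address that disagrees with the MAC the frame actually came from. The sample messages are constructed in the block itself, and the ICMPv6 checksum is left at zero because it depends on the IPv6 pseudo-header, which the example does not model.

```python
"""Passive detection of Neighbor Advertisement spoofing (added example)."""
import ipaddress
import struct
from typing import Dict, List

ND_NEIGHBOR_ADVERT = 136   # ICMPv6 type
OPT_TARGET_LLADDR = 2      # ND option: Target Link-layer Address


def build_na(target: str, lladdr: str, router: bool = False,
             solicited: bool = True, override: bool = True) -> bytes:
    """Serialise an NA: ICMPv6 header, R/S/O flags, target, TLLA option.
    Checksum left at zero (pseudo-header not modelled here)."""
    flags = (int(router) << 31) | (int(solicited) << 30) | (int(override) << 29)
    mac = bytes.fromhex(lladdr.replace(":", ""))
    msg = struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0, flags)
    msg += ipaddress.IPv6Address(target).packed
    msg += struct.pack("!BB", OPT_TARGET_LLADDR, 1) + mac   # length 1 = 8 octets
    return msg


def parse_na(msg: bytes) -> dict:
    """Decode an NA; raises ValueError on anything RFC 4861 says to discard."""
    if len(msg) < 24 or msg[0] != ND_NEIGHBOR_ADVERT or msg[1] != 0:
        raise ValueError("not a well-formed Neighbor Advertisement")
    flags = struct.unpack("!I", msg[4:8])[0]
    target = ipaddress.IPv6Address(msg[8:24])
    if target.is_multicast:
        raise ValueError("NA target must not be multicast")   # RFC 4861 section 7.1.2
    info = {
        "target": str(target),
        "router": bool((flags >> 31) & 1),
        "solicited": bool((flags >> 30) & 1),
        "override": bool((flags >> 29) & 1),
        "lladdr": None,
    }
    off = 24
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")         # RFC 4861 section 4.6
        if otype == OPT_TARGET_LLADDR and olen == 1 and off + 8 <= len(msg):
            info["lladdr"] = ":".join(f"{b:02x}" for b in msg[off + 2:off + 8])
        off += olen * 8
    return info


class NeighborMonitor:
    """Learns target -> link-layer bindings from observed NAs and flags
    changes that look like spoofing rather than a legitimate reply."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}

    def observe(self, frame_src_mac: str, na: dict) -> List[str]:
        alerts: List[str] = []
        if na["lladdr"] is None:
            return alerts                 # no TLLA option: nothing to learn
        adv = na["lladdr"].lower()
        if adv != frame_src_mac.lower():
            alerts.append(f"lladdr-mismatch: NA for {na['target']} advertises "
                          f"{adv} but the frame came from {frame_src_mac}")
        known = self.bindings.get(na["target"])
        if known is not None and known != adv:
            # An unsolicited NA with O=1 is the pattern the article describes
            # for NA spoofing; a solicited flip may be a genuine move.
            kind = "unsolicited-override" if na["override"] and not na["solicited"] \
                else "mapping-change"
            alerts.append(f"{kind}: {na['target']} moved from {known} to {adv}")
        self.bindings[na["target"]] = adv
        return alerts


def demo() -> List[str]:
    """Constructed sequence: a legitimate reply, then an unsolicited override
    for the same target arriving from a different station."""
    mon = NeighborMonitor()
    legit = parse_na(build_na("fe80::1", "00:11:22:33:44:55"))
    forged = parse_na(build_na("fe80::1", "de:ad:be:ef:00:01", solicited=False))
    alerts = mon.observe("00:11:22:33:44:55", legit)
    alerts += mon.observe("de:ad:be:ef:00:01", forged)
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In a deployment, the monitor would be fed from a capture on the segment and its learned bindings compared against an inventory (DHCPv6 leases, switch MAC tables, or the output of `ip -6 neigh` on a trusted host), since a detector that only learns from the wire will trust the first advertisement it sees.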

Practical Implications for Network Managers

For network administrators, a thorough understanding of the neighbor discovery protocol is essential.

Some best practices include:

  • Regularly monitoring cache entries for anomalies.
  • Limiting the use of redirect messages to only those scenarios where they are truly necessary.
  • Implementing security controls such as firewalls and ICMPv6 filters to reduce spoofing risks.
  • Considering the use of SEND in sensitive networks.

Practical Example of Neighbor Discovery in action

Let’s imagine a new device connecting to an IPv6 network:

  • The device generates a link local address and starts duplicate address detection.
  • After confirming that the address is free, it sends a router solicitation.
  • It receives a router advertisement with the network prefix.
  • It uses stateless autoconfiguring to obtain a complete IP address.
  • To communicate with another node, it sends a neighbor solicitation NS message.
  • It receives a neighbor advertisement NA with the correct MAC address.
  • It inserts a cache entry and starts transmitting data.
  • If the node later stops responding, neighbor unreachability detection comes into play.