Mapping Multicast Addresses to Layer 2 addresses

We know that when a packet is sent out into the network it must have a specify IP address as its destination address. For example, when we do a ping to find out whether a particular host is up or not, we specify the destination IP address alone and if it is the first time we are trying to reach to the other host then the current host wont be knowing the MAC address of that destination host. In this case particularly in IPv4 ARP protocol helps us to map the MAC address with the IP address. The identified MAC address is then stored in the cache by the kernel and used in future just in case if we try to contact the same host again.

Hmm, what if we try to ping to a Multicast IPv4/IPv6 addresses ?

Pls check out one of my other blog about the types of IPv6 addresses which will be of much help if you want to understand this much more quickly.

Check Multicast addresses

Hoping that either you read the blog post shared above or you already know that IPv6 multicast addresses have a prefix of ff00::/8. IPv6 multicast address ff02::1  refers to all nodes address on the link local scope. In other words any packet that is sent to this address will be received by all the nodes in the local IPv6 network. The reason is, every interface which supports IPv6 should join this multicast group. You can check this using “ip -6 maddress” command if you have a Linux machine.

Lets see what is happening under the hood

When a packet is sent to a layer 3 IPv6 multicast address, the layer 3 IPv6 address must be mapped to a MAC address on the link layer aka layer 2. The format of the Ethernet MAC multicast address is specified in RFC 2464 and 7042. The first two bytes of an IPv6 MAC multicast address are 0x3333 (in IPv4 it is 01:00:5e). The following four bytes correspond to the last four bytes of the layer 3 IPv6 multicast address.

Let us look into this with an IPv6 packet capture. If you have an IPv6 router or an access point which supports IPv6 and if you have turned on IPv6 support then the router would sent out router advertisement packets periodically to the local network. These packets are basically ICMPv6 packets. This helps us to filter them easily using wireshark.

Router Advertisement Packet from Access point

The above figure shows the router advertisement packet from router in an expanded format.

IPv6 Layer 3 Multicast address

As you can see the IPv6 (layer 3) source address is “fe80::c6e9:84ff:fe65:cbb0” (highlighted in green) which is the link local address (fe80 is the prefix) of the router which i am using. The destination IPv6 address is  ff02::1 which is all nodes IPv6 multicast address. So this packet is received by all the nodes in the local network.  Now lets look at the layer 2 destination address which is of now interest now.

Highlighted Layer 2 Address on the same packet

As said above the first 2 bytes of this address is 33:33. The rest of the 4 bytes are taken from Layer 3 destination IPv6 address and then appended to 33:33. In case of router advertisement, the layer 3 destination IPv6 address is ff02::1 which when written in full form expands to ff02:0000:0000:0000:0000:0000:0000:0001. Now take the last 4 bytes from this address and then add 33:33 to it, [33:33+00:00:00:01]. So the layer 2 destination address now is 33:33:00:00:00:01 which is what you see exactly in the above image. I have highlighted the layer 2 destination address for easy viewing.

The same is true when a router solicitation message is sent from a client device to the network. Router solicitation messages are sent to the ff02::2 layer 3 destination address which is the address of all routers on the local network. Here the layer 2 address is mapped similarly as said above, take the last 4 bytes from layer 3 IPv6 address and then append it to 33:33 to make it 33:33:00:00:00:02 which is the layer 2 address of the router solicitation packets. See the below image of router solicitation packet sent from a host on the local network to all routers IPv6 multicast address.

Router Solicitation from client device on the local network

Pls note that the things which we discussed above are common for both IPv4 and IPv6 except for the fact that the first 3 bytes of layer 2 IPv4 multicast addresses are “01:00:5e“.

There is a special multicast IPv6 address called solicited node multicast address. We shall look into it in a separate blog soon.