Neighbour discovery in IPv6

What happens when you try to reach a host for the first time in an IPv4 network.

Source which wants to talk to the destination first has to know the MAC or layer2 address of the host to which it wants to talk. So source sends a ARP request to the layer2 broadcast address. This packet is received by all the hosts in the network along with destination host also. Since the payload of the packet contains the IPv4 address of destination host it responds to source host with its MAC address. It is called as resolving the layer2/MAC addresses. The problem with this approach is that the ARP request packet from source is received by all the hosts in the network. Even though only the destination is going to respond to the request, all the hosts in the network receive the packet, process it, ultimately to discard it which is waste of resources and network bandwidth. And if the network is large then throughput will definitely be affected. We can cause a DOS attack by sending spurious ARP requests because the other hosts in the network should receive this packet, process it & discard it and they will be busy spending there resources for doing this only.

Neighbour discovery in IPv6

In IPv6 networks, is the same technique used to identify the neighbours in the network. To start with

How its done in IPV6

With the above points in mind let us see what actually happens in an IPv6 network with some packet captures. First of all, a network interface can have any number of IPv6 addresses. It could be link local or it could be global addresses. Pls refer to this blog for different IPv6 address types. Whenever an IPv6 address is assigned to a network interface it is mandatory for that interface to join a few multicast addresses. For example, if an interface has only link local addresses then it is mandatory for that interface to join ff02::1 (the all nodes multicast address), ff02::2 (all routers multicast address). It is mandatory for an IPv6 capable interface to join these multicast addresses along with another addresses called solicited node multicast address.

Solicited node multicast address

This is a special type of multicast address which an interface should join for every unicast addresses assigned to it. This address is formed by taking the low-order 24 bits of an IPv6 address and appending those bits to prefix ff02:0:0:0:0:1:ff00::/104. So the range for solicited-node multicast addresses is from ff02:0:0:0:0:1:ff00:0000 to ff02:0:0:0:0:1:ffff:ffff

For example, in my machine i have been assigned the below addresses for the wireless interface.

Assigned IPv6 addresses

Let us take the link local address “fe80::fdad:fafb:fb9c:89bd/64” and gets its solicited node multicast address.  We need add the last 24 bits from the above address (“9c 89 bd”) to the solicited node multicast address prefix which is “ff02:0:0:0:0:1:ff00”. This gives us the address as “ff02:0:0:0:0:1:ff9c:89bd” which can be written as “ff02::1:ff9c:89bd” in short. So this is the solicited node multicast address for the link local address which the interface should join.

As you can see the interface is having two more IPv6 addresses (global addresses) and the same procedure is followed for them also.

The list of multicast addresses can be checked using the command “ip -6 maddr“. Below is a sample capture from my machine.


In fact the above capture shows more multicast addresses to which this interface has joined.  We can see that this interface has joined three solicited node multicast addresses as this interface has been assigned three addresses. Along with the solicited node addresses the interface has also joined the all nodes multicast address and all routers multicast address which is mandatory.

In fact the loopback interface and the wired interface “enp7s0” have also joined the all nodes multicast address and all routers multicast address. The wired interface is not even up yet it has joined these addresses.

Why this address

As said above for every address assigned to the interface it joins its solicited node multicast address counterpart. So if we know the layer 3 address of host to which we want to communicate (obviously) then we can send messages directly to the host’s solicited node multicast address and get the layer2 address. This is what is in-fact done by neighbour discovery message using ICMPv6 protocol.

When we try to communicate in IPv6 to a host whose layer2 address we are not familiar with then the source sends a neighbour solicitation message to the destination hosts solicited node multicast address and the destination responds to the query with a neighbour advertisement message.

Real world use case

Let us try to ping to a mobile phone which is connected to the same access point to which this machine is also connected. “fe80::20a:f5ff:fec7:990” is the link local address of the smart phone which is connected to the same access point

kasi@Vostro ~]$ ping6 -I wlp6s0 fe80::20a:f5ff:fec7:990

Below is the wireshark capture of what happens in the background.


The first two packets actually does the neighbour discovery process. The first packet is a neighbour solicitation packet and the second packet is a neighbour advertisement packet. Both of these packets are based on ICMPv6 protocol.

Neighbour solicitation packet

Let us expand this packet so that we can look into it in more detail.

Neighbour Solicitation

If we look down the stack, layer2 contents are the source MAC address and solicited node multicast address mapped IPv6 layer2 multicast address. Then we have the layer3 source address which is the link local address and the layer3 destination address which is the solicited node multicast address of the destination machine. If we look further down it shows that this packet belongs to ICMPv6 protocol and of packet type 135. The target address field shows the destination machine’s link local address for which we want to know the MAC address.

Neighbour Advertisement packet

Let us expand the second packet also to see what it actually contains.


If we walk down the stack, layer2 contains the source and destination MAC address, layer3 contains the IPv6 address of source and destination (and other bits). The most important detail is available in the neighbour advertisement packet’s payload which is the layer2 address of the link local address for which the solicitation was made. Note that this packet is based on ICMPv6 protocol and of type 136.

With just two packets the layer2 address of the destination machine has been identified and the best part is we never broadcast-ed any messages to the whole network which is pretty neat.

Solicited node multicast address is also used for Duplicate address detection (DAD) and we shall see about that in the next blog.