IPv6 Neighbor Discovery Messages

These messages are defined in RFC 4861, "Neighbor Discovery for IP Version 6 (IPv6)", section 4 "Message Formats". Each message has an "option" field in which one or more ND message options can be added.

There are 5 Neighbor Discovery messages:

 

Router Solicitation message 

Any node can send a Router Solicitation (RS) message at any time to request all routers on the local link to immediately send Router Advertisement (RA) messages. Routers send RA messages periodically, but when a node first powers on, it usually sends an RS message in order to get the RA information immediately, rather than waiting for the next periodic transmission. This is the only function of an RS message, so it has a very simple syntax:

[Figure: Router Solicitation message format]

Fields in the IPv6 Packet Header:

The Source Address field is set to the link-local address of the sending interface. Optionally, if no address is currently assigned to that interface, it can use the unspecified address (::).

The Destination Address field is set to the all routers on local link multicast address (ff02::2). The RS message will be received by all routers in the local link, and each of them should reply with a Router Advertisement message.

The Hop Limit field is set to 255.

Fields in the RS message:

The Type field (8 bits) contains 133 for Router Solicitation.

The Code field (8 bits) must contain zero.

The Checksum field (16 bits) contains a standard IP checksum.

The Reserved field (bytes 4-7, 32 bits) is unused, and must be set to zero.

The Options field (variable length, starting at offset 8) may contain the following options:

Up to one instance of the Source Link-Layer Address option. This specifies the Link Layer address of the sender. If the IP source address is the unspecified address, this option must not be included. Otherwise, this option should be included.

Now let's look at a captured Neighbor Solicitation message:

[Figure: RS message capture]

The Link Layer is Ethernet II. The source MAC address is 50:46:5d:6b:7a:54 (the MAC address of lawrence-pc). The destination MAC address is 33:33:00:00:00:02 (the Ethernet multicast address corresponding to the IPv6 multicast address ff02::2). The Ethertype is 0x86dd (IPv6).

The Internet Layer is IPv6. The source IPv6 address is fe80::2030:9139:9cd5:ab52 (the link-local address of lawrence-pc). The destination IPv6 address is ff02::1 (the "all nodes on local link" multicast address). The Next Header field is 58 (ICMPv6).

The ICMPv6 message follows: The Message Type is 134 (Router Advertisement). The Code is zero. The M Flag (Managed Address Configuration) is set (so there is a stateful DHCPv6 server available). The O Flag is clear (since M=1, O doesn't matter). The Router Lifetime is 1800 seconds (the SolidGate firewall is willing to act as a gateway). The Reachable Time and Retrans Time are both zero.

There is one option:

The first option is a type 1 option, Source Link-Layer address. Its value is 00:90:0b:1b:57:62, the MAC address of the SolidGate firewall.

 

Router Advertisement message 

The Router Advertisement (RA) message communicates various subnet-wide information to all nodes in a subnet (link). Every IPv6 router should send an RA message periodically (the period is adjusted randomly to prevent all routers from sending simultaneously). They must also send an RA message in response to a Router Solicitation message from any internal node.

The syntax for the RA message is fairly complex:

[Figure: Router Advertisement message format]

Fields in the IPv6 Packet Header:

The Source Address field is set to the link-local address of the sending interface. Optionally, if no address is currently assigned to that interface, it can be set to the unspecified address (::).

The Destination Address field is set to the all nodes on local link multicast address (ff02::1). This will be received by all nodes (hosts and routers) in the local link.

The Hop Limit field is set to 255.

Fields in the RA message:

The Type field (8 bits) contains 134 for Router Advertisement.

The Code field (8 bits) must contain zero.

The Checksum field (16 bits) contains a standard IP checksum.

The Reserved field (bytes 4-7, 32 bits) is unused, and must be set to zero.

The Cur Hop Limit field (8 bits) specifies the subnet default value for Hop Limit, which is to be placed in the Hop Limit field of all outgoing IPv6 packets. A value of 0 means this default value is not specified by the sending router.

The M flag (1 bit) is also called the Managed Address Configuration flag.

M=1 indicates that a stateful DHCPv6 server is available, from which a managed global unicast address and stateless subnet-wide information (e.g. IPv6 addresses of DNS) can be obtained. In this case, the O flag is irrelevant and can be ignored.

M=0 indicates that there is no stateful DHCPv6 server available, but a stateless DHCPv6 server may be available (depending on the O flag).

The O flag (1 bit) is also called the Other Address Configuration flag. If M=1, then the state of the O flag doesn't matter.

O=1 indicates that a stateless DHCPv6 server is available, from which stateless subnet-wide information (e.g. IPv6 addresses of DNS) can be obtained.

M=0 and O=0 together indicate that there is no DHCPv6 server of any kind (stateful or stateless) available.

The Reserved field (6 bits) is unused and must be set to zero.

The Router Lifetime field (16 bits) specifies the lifetime of the sending router in seconds (up to 9,000). A Router Lifetime of zero indicates that this router is not willing to act as a subnet gateway, so nodes receiving this RA message should not add it to their default gateway table.

The Reachable Time field (32 bits) is used in the Neighbor Unreachability Detection (NUD) mechanism. A node can assume that a neighbor is reachable for this number of milliseconds after receiving a reachability confirmation from NUD. A value of zero means that this setting is not specified by the sending router.

The Retrans Time field (32 bits) is used in the Address Resolution and Neighbor Unreachability mechanisms. It is the time in milliseconds between transmitted Neighbor Solicitation messages (usually several NS messages are sent in quick succession to ensure all nodes receive one). A value of zero means this setting is not specified by the sending router.

The Options field (variable length, starting at offset 8) may contain the following options:

Up to one instance of the Source Link-Layer Address option. This specifies the Link Layer address of the sender. If the IP source address is the unspecified address, this option must not be included. Otherwise, this option should be included.

Up to one instance of the MTU option. Contains the maximum packet size allowed in this subnet.

One or more instances of the Prefix Information option. Each Prefix Information option contains information about one IPv6 prefix that is valid in this subnet. Internal nodes doing SLAAC will configure one or more global addresses for each advertised prefix.

Note that the SolidGate firewall was configured to advertise two 64 bit prefixes: 2001:470:3d:3000::/64 (Global) and fda4:73c2:e5b8:1000::/64 (ULA). Both have the L and A flags set, and use the default Valid and Preferred lifetimes.

[Figure: RA Prefix Information option configuration]

Now let's look at a captured Router Advertisement message from SolidGate:

[Figure: RA message capture]

The Link Layer is Ethernet II. The source MAC address is 00:90:0b:1b:57:62 (a SolidGate firewall). The destination MAC address is 33:33:00:00:00:01 (the Ethernet multicast address corresponding to IPv6 multicast address ff02::1). The Ethertype is 0x86dd (IPv6).

The Internet Layer is IPv6. The source IPv6 address is fe80::290:bff:fe1b:5762 (the link local address of the SolidGate firewall). The destination IPv6 address is ff02::1 (the "all nodes on local link" multicast address). The Next Header field is 58 (ICMPv6).

The ICMPv6 message follows: The Message Type is 134 (Router Advertisement). The Code is zero. The M flag (Managed Address Configuration) is set (so there is a stateful DHCPv6 server available). The O flag is clear (since M=1, O doesn't matter). The Router Lifetime is 1800 seconds (the SolidGate firewall is willing to act as a gateway). The Reachable Time and Retrans Time are both zero.

There are four options:

The first option is a type 1 option, Source Link-Layer Address. Its value is 00:90:0b:1b:57:62, the MAC address of the SolidGate firewall.

The second option is a type 5 option, MTU. The value is 1500 (bytes).

The third option is a type 3 option, Prefix Information. The advertised prefix is fda4:73c2:e5b8:1000::/64. The L (On-Link) flag is set (so this prefix can be used to determine if nodes are on-link). The A (Autonomous Configuration) flag is set (so this prefix can be used to generate addresses autonomously). The default Valid Lifetime for this prefix is 2,592,000 seconds (30 days). The default Preferred Lifetime is 604,800 seconds (7 days).

The fourth option is another type 3 option, Prefix Information. The advertised prefix is 2001:470:3d:3000::/64. The L (On-Link) flag is set (so this prefix can be used to determine if nodes are on-link). The A (Autonomous Configuration) flag is set (so this prefix can be used to generate addresses autonomously). The default Valid Lifetime for this prefix is 2,592,000 seconds (30 days). The default Preferred Lifetime is 604,800 seconds (7 days).
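The RA walk-through above can be reproduced in code. The following Python example is added here and is not part of the original page: it decodes a Router Advertisement and its options using the field offsets of RFC 4861 section 4.2 and rejects malformed option lengths. The sample bytes are constructed from the values in the capture description; Cur Hop Limit 64, the zero checksum and the function names are assumptions.

```python
import ipaddress
import struct

def parse_options(data):
    """Walk ND options: 1-byte type, 1-byte length counted in 8-byte units."""
    opts, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = data[off], data[off + 1] * 8
        if olen == 0 or off + olen > len(data):
            raise ValueError("bad option length")  # a zero length would loop forever
        opts.append((otype, data[off + 2:off + olen]))
        off += olen
    return opts

def parse_ra(icmp, hop_limit):
    """Decode an ICMPv6 Router Advertisement (checksum verification omitted)."""
    if hop_limit != 255:
        raise ValueError("Hop Limit is not 255, so the packet was forwarded")
    if len(icmp) < 16:
        raise ValueError("RA shorter than its 16-byte fixed part")
    mtype, code, _cksum, cur_hop, flags, lifetime, reachable, retrans = \
        struct.unpack("!BBHBBHII", icmp[:16])
    if mtype != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"cur_hop_limit": cur_hop, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable_time": reachable,
          "retrans_time": retrans, "sll": None, "mtu": None, "prefixes": []}
    for otype, body in parse_options(icmp[16:]):
        if otype == 1 and len(body) == 6:        # Source Link-Layer Address
            ra["sll"] = body.hex(":")
        elif otype == 5 and len(body) == 6:      # MTU: 2 reserved bytes, 32-bit MTU
            ra["mtu"] = struct.unpack("!HI", body)[1]
        elif otype == 3 and len(body) == 30:     # Prefix Information
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            net = ipaddress.IPv6Network((body[14:], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "L": bool(pflags & 0x80),
                                   "A": bool(pflags & 0x40), "valid": valid,
                                   "preferred": preferred})
    return ra

def prefix_opt(prefix, valid=2592000, preferred=604800):
    """Build a Prefix Information option with L and A set (sample data only)."""
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, valid, preferred, 0) \
        + net.network_address.packed

# Constructed sample mirroring the capture described above; Cur Hop Limit 64 and
# the zero checksum are assumptions, the other values are the ones the text lists.
SAMPLE_RA = (struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80, 1800, 0, 0)
             + bytes([1, 1]) + bytes.fromhex("00900b1b5762")
             + struct.pack("!BBHI", 5, 1, 0, 1500)
             + prefix_opt("fda4:73c2:e5b8:1000::/64")
             + prefix_opt("2001:470:3d:3000::/64"))

if __name__ == "__main__":
    print(parse_ra(SAMPLE_RA, 255))
```
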

 

Neighbor Solicitation message 

Any IPv6 node can send a Neighbor Solicitation (NS) message at any time, to request a target node's link-layer address, while also providing its own link-layer address to the target node. NS messages are sent via multicast to the Solicited Node Multicast Address of the target node when the sending node is doing Address Resolution. They are sent via unicast to the target node's link-local address when the sending node is doing Neighbor Unreachability Detection.

The syntax of the Neighbor Solicitation message is as follows:

[Figure: Neighbor Solicitation message format]

Fields in the IPv6 Packet Header:

The Source Address field is set to the link-local address of the sending interface. Optionally, if the sending node is doing Duplicate Address Detection (DAD), the source address can be set to the unspecified address (::).

The Destination Address field is set to the solicited node multicast address of the target node. This will be received by only the few nodes that share that multicast address. Typically only a single node in the link will have that multicast address. This is much better targeted than using the all nodes on link multicast address, which cuts down on interruptions. It is like a rifle shot instead of a shotgun blast.

The Hop Limit field is set to 255.

Fields in the NS message:

The Type field (8 bits) contains 135 for Neighbor Solicitation.

The Code field (8 bits) must contain zero.

The Checksum field (16 bits) contains a standard IP checksum.

The Reserved field (bytes 4-7, 32 bits) is unused, and must be set to zero.

The Target Address field (128 bits) contains the IPv6 address of the target node (usually the link-local address). This cannot be a multicast address.

The Options field (variable length, starting at offset 8) may contain the following options:

Up to one instance of the Source Link-Layer Address option. This specifies the Link Layer address of the sender. If the IP source address is the unspecified address, this option must not be included. Otherwise, this option should be included. On Link Layers that support multicast (e.g. Ethernet) this option must be included in multicast transmissions and should be included in unicast transmissions.

Now let's look at a captured Neighbor Solicitation message:

[Figure: NS message capture]

The Link Layer is Ethernet II. The source MAC address is 50:46:5d:6b:7a:54 (the MAC address of node lawrence-pc). The destination MAC address is 33:33:ff:1b:57:62 (the Ethernet multicast address corresponding to IPv6 solicited node multicast address ff02::1:ff1b:5762). The Ethertype is 0x86dd (IPv6).

The Internet Layer is IPv6. The source IPv6 address is fe80::2020:9139:9cd5:ab52 (the link local address of node lawrence-pc). The destination IPv6 address is ff02::1:ff1b:5762 (the Solicited Node multicast address corresponding to link local address fe80::290:bff:fe1b:5762, which is the SolidGate firewall). The Next Header field is 58 (ICMPv6).

The ICMPv6 message follows: The Message Type is 135 (Neighbor Solicitation). The Code is zero. The Target Address is fe80::290:bff:fe1b:5762 (the link local address of the SolidGate firewall).

There is one option:

The option is a type 1 option, Source Link Layer Address. The address is 50:46:5d:6b:7a:54 (the MAC address of lawrence-pc).
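The chain of addresses in this capture (target address, solicited node multicast address, Ethernet multicast MAC) can be computed and used to check that an NS is addressed consistently. This Python example is added here and is not part of the original page; the function names are illustrative and the inputs in the usage lines are the values from the capture description.

```python
import ipaddress

def solicited_node_multicast(target):
    """ff02::1:ff00:0/104 plus the low 24 bits of the target address."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)

def ethernet_multicast_mac(group):
    """33:33 followed by the low 32 bits of the IPv6 multicast address."""
    return (b"\x33\x33" + ipaddress.IPv6Address(group).packed[-4:]).hex(":")

def check_ns_addressing(dst_mac, ipv6_dst, target, hop_limit):
    """Return a list of inconsistencies in a Neighbor Solicitation's addressing."""
    problems = []
    dst, tgt = ipaddress.IPv6Address(ipv6_dst), ipaddress.IPv6Address(target)
    if hop_limit != 255:
        problems.append("hop limit is not 255")
    if tgt.is_multicast:
        problems.append("target address is multicast")
    if dst.is_multicast:
        # Address Resolution: destination must be the target's solicited-node group
        if dst != solicited_node_multicast(tgt):
            problems.append("destination is not the target's solicited-node group")
        if dst_mac.lower() != ethernet_multicast_mac(dst):
            problems.append("destination MAC does not map to the IPv6 group")
    elif dst != tgt:
        # Neighbor Unreachability Detection: unicast straight to the target
        problems.append("unicast destination differs from target")
    return problems

if __name__ == "__main__":
    target = "fe80::290:bff:fe1b:5762"          # SolidGate link-local, from the text
    group = solicited_node_multicast(target)
    print(group, ethernet_multicast_mac(group))
    print(check_ns_addressing("33:33:ff:1b:57:62", str(group), target, 255))
```
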

 

Neighbor Advertisement message 

Any IPv6 node must send a Neighbor Advertisement (NA) message in response to a Neighbor Solicitation (NS) message. A node can also elect to send an unsolicited Neighbor Advertisement message in order to propagate new information quickly.

The Neighbor Advertisement message syntax is as follows:

[Figure: Neighbor Advertisement message format]

Fields in the IPv6 Packet Header:

The Source Address field is set to the link-local address of the sending interface. Optionally, if no address is currently assigned to that interface, it can be set to the unspecified address (::).

The Destination Address field is set to the source address from the invoking NS message. If that source address was the unspecified address (::), or for sending an unsolicited NA message, the destination address should be set to the all nodes on link multicast address (ff02::1).

The Hop Limit field is set to 255.

Fields in the NA message:

The Type field (8 bits) contains 136 for Neighbor Advertisement.

The Code field (8 bits) must contain zero.

The Checksum field (16 bits) contains a standard IP checksum.

The R flag (1 bit) is also called the Router flag.

R=1 indicates that the sender is a router. The R flag is used in Neighbor Unreachability Detection to detect a router that has changed to a host.

R=0 indicates that the sender is a host, not a router.

The S flag (1 bit) is also called the Solicited flag.

S=1 indicates the NA message is being sent in response to an NS message. The S flag is used as a reachability confirmation in Neighbor Unreachability Detection. It must not be set in multicast or unsolicited NA messages.

S=0 indicates the NA message is being sent unsolicited.

The O flag (1 bit) is also called the Override flag. It should not be set in solicited NA messages for anycast addresses, or in solicited proxy advertisements. It should be set in other solicited NA messages, and in unsolicited NA messages.

O=1 indicates that the advertisement should override an existing Neighbor Cache entry, and update the cached link-layer address.

O=0 indicates that the advertisement should update a Neighbor Cache entry only if no cached link-layer address is present.

The Reserved field (29 bits) is unused and must be set to zero.

The Target Address field contains the IPv6 address of the target node. This must not be a multicast address.

For solicited NA messages, this is the Target Address from the invoking NS message.

For unsolicited NA messages, this is the address whose link-layer address has changed.

The Options field (variable length, starting at offset 8) may contain the following options:

Up to one instance of the Target Link-Layer Address option. This specifies the Link Layer address of the target node. This option must be included on link layers that have addresses when responding to multicast solicitations. When responding to a unicast NS message, this option should be included.

Now let's look at a captured Neighbor Advertisement message:

[Figure: NA message capture]

The Link Layer is Ethernet II. The source MAC address is 00:90:0b:1b:57:62 (a SolidGate firewall). The destination MAC address is 50:46:5d:6b:7a:54 (the MAC address of lawrence-pc). The Ethertype is 0x86dd (IPv6).

The Internet Layer is IPv6. The source IPv6 address is fe80::290:bff:fe1b:5762 (the link local address of the SolidGate firewall). The destination IPv6 address is fe80::2030:9139:9cd5:ab52 (the link-local address of lawrence-pc). The Next Header field is 58 (ICMPv6).

The ICMPv6 message follows: The Message Type is 136 (Neighbor Advertisement). The Code is zero. The Router Flag is set (the SolidGate firewall happens to be a router). The Solicited Flag is set (lawrence-pc asked for this NA message). The Override Flag is set (this is fresh, accurate information - lawrence-pc should update its neighbor cache). The Target address is fe80::290:bff:fe1b:5762 (the link-local address of the SolidGate firewall).

There is one option:

The first option is a type 1 option, Source Link-Layer address. Its value is 00:90:0b:1b:57:62, the MAC address of the SolidGate firewall.
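The R, S and O flag rules above can be checked mechanically on a received NA. This Python example is added here and is not part of the original page: it decodes the fixed 24-byte part per RFC 4861 section 4.4, flags the rule violations named in the text, and applies the Override rule to a neighbor cache modelled as a plain dict (a simplification with no NUD state machine). The sample bytes are constructed, the function names are illustrative, and the option is encoded as type 2, the Target Link-Layer Address option in RFC 4861.

```python
import ipaddress
import struct

def parse_na(icmp, ipv6_dst, hop_limit):
    """Decode a Neighbor Advertisement and collect rule violations.
    The ICMPv6 checksum is not verified here."""
    if len(icmp) < 24:
        raise ValueError("NA shorter than its 24-byte fixed part")
    mtype, code, _cksum, word = struct.unpack("!BBHI", icmp[:8])
    if mtype != 136:
        raise ValueError("not a Neighbor Advertisement")
    target = ipaddress.IPv6Address(icmp[8:24])
    na = {"R": bool(word & 0x80000000), "S": bool(word & 0x40000000),
          "O": bool(word & 0x20000000), "target": str(target),
          "tll": None, "problems": []}
    # Only the first option is examined; type 2 is Target Link-Layer Address.
    if len(icmp) >= 32 and icmp[24] == 2 and icmp[25] == 1:
        na["tll"] = icmp[26:32].hex(":")
    if hop_limit != 255:
        na["problems"].append("hop limit is not 255")
    if code != 0:
        na["problems"].append("code is not zero")
    if target.is_multicast:
        na["problems"].append("target address is multicast")
    if na["S"] and ipaddress.IPv6Address(ipv6_dst).is_multicast:
        na["problems"].append("S flag set in a multicast NA")
    return na

def update_cache(cache, na):
    """Apply the Override rule; cache maps target -> MAC, None = no address yet.
    Returns True when the cached link-layer address changed."""
    if na["problems"] or na["tll"] is None or na["target"] not in cache:
        return False          # RFC 4861 7.2.5: no existing entry, discard the NA
    known = cache[na["target"]]
    if known is None or na["O"]:
        cache[na["target"]] = na["tll"]
        return known != na["tll"]
    return False              # O=0 and an address is already cached

# Constructed sample: R, S and O set, target and MAC as in the text above.
SAMPLE_NA = (struct.pack("!BBHI", 136, 0, 0, 0xE0000000)
             + ipaddress.IPv6Address("fe80::290:bff:fe1b:5762").packed
             + bytes([2, 1]) + bytes.fromhex("00900b1b5762"))

if __name__ == "__main__":
    na = parse_na(SAMPLE_NA, "fe80::2030:9139:9cd5:ab52", 255)
    cache = {"fe80::290:bff:fe1b:5762": None}
    print(na, update_cache(cache, na), cache)
```
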

 

Redirect message 

The ND Redirect message is used to inform a host of a better first-hop node on the way to the intended destination node. You can think of it as "you can get there through me, but there is a better route going to this router".

The Redirect message can also be used to inform a host that the destination is in fact a neighbor (in its home subnet). You can think of this as saying "you don't need to send this to me, the destination is right there in your own subnet - just deliver it directly". This is done by setting the Target Address equal to the packet Destination Address. Due to things such as multiple /64 prefixes in a single physical subnet, this may not be as obvious as it sounds. The gateway router has a better view of the whole network than an internal node does, so it can more easily tell that a destination is actually in the home subnet. If a host gets this feedback, it should try normal on-link delivery using Ethernet (or whatever).

The syntax looks complicated because there are two 128 bit addresses:

[Figure: Redirect message format]

Fields in the IPv6 Packet Header:

The Source Address field is set to the link-local address of the sending interface.

The Destination Address field is set to the source address from the packet that needs to be redirected. This should be the original sender of the packet.

The Hop Limit field is set to 255.

Fields in the Redirect message:

The Type field (8 bits) contains 137 for Redirect.

The Code field (8 bits) must contain zero.

The Checksum field (16 bits) contains a standard IP checksum.

The Reserved field (32 bits) is unused and must be set to zero.

The Target Address (128 bits) is the IPv6 address that is the better next hop (preferred router). When the destination is a neighbor of the sender ("it's in your home subnet!") then this field should contain the same value as the Destination Address below.

The Destination Address (128 bits) is the destination IPv6 address of the packet which is being redirected.

The Options field (starting in byte 40, after the Destination Address) can contain the following:

Up to one instance of the Target Link-Layer Address option - the Link Layer Address of the Target node. It should be included if known. On NBMA (Non-Broadcast Multiple Access) links, this option must be included.

Up to one instance of Redirected Header option - as much as possible of the IP packet that must be redirected, without making the entire packet exceed 1280 bytes.