Any IPv6 node must send a Neighbor Advertisement (NA) message in response to a Neighbor Solicitation (NS) message. A node can also elect to send an unsolicited Neighbor Advertisement message in order to propagate new information quickly.
The Neighbor Advertisement message syntax is as follows:
Fields in the IPv6 Packet Header:
The Source Address field is set to the link-local address of the sending interface. Optionally, if no address is currently assigned to that interface, it can be set to the unspecified address (::).
The Destination Address field is set to the source address from the invoking NS message. If that source address was the unspecified address (::), or for sending an unsolicited NA message, the destination address should be set to the all nodes on link multicast address (ff02::1).
The Hop Limit field is set to 255.
Fields in the RA message:
The Type field (8 bits) contains 136 for Neighbor Advertisement.
The Code field (8 bits) must contain zero.
The Checksum field (16 bits) contains a standard IP checksum.
The R flag (1 bit) is also called the Router flag.
R=1 indicates that the sender is a router. The R flag is used in Neighbor Unreachability Detection to detect a router that has changed to a host.
R=0 indicates that the sender is a host, not a router.
The S flag (1 bit) is also called the Solicited flag.
S=1 indicates the NA message is being sent in response to an NS message. The S flag is used as a reachability confirmation in Neighbor Unreachability Detection. It must not be set in multicast or unsolicited NA messages.
S=0 indicates the NA message is being sent unsolicited.
The O flag (1 bit) is also called the Override flag. It should not be set in solicited NA messages for anycast addresses, or in solicited proxy advertisements. It should be set in other solicited NA messages, and in unsolicited NA messages.
O=1 indicates that the advertisement should override an existing Neighbor Cache entry, and update the cached link-layer address.
O=0 indicates that the advertisement should update a Neighbor Cache entry only if no cached link-layer address is present.
The Reserved field (29 bits) is unused and must be set to zero.
The Target Address field contains the IPv6 address of the target node. This must not be a multicast address.
For solicited NA messages, this is the Target Address from the invoking NS message.
For unsolicited NA messages, this is the address whose link-layer address has changed.
The Options field (variable length, starting at offset 8) may contain the following options:
Up to one instance of the Target Link-Layer Address option. This specifies the Link Layer address of the target node. This option must be included on link layers that have addresses when responding to multicast solicitations. When responding to a unicast NS message, this option should be included.
Now let’s look at a captured Neighbor Advertisement message:
The Link Layer is Ethernet II. The source MAC address is 00:90:0b:1b:57:62 (a firewall). The destination MAC address is 50:46:5d:6b:7a:54 (the MAC address of lawrence-pc). The Ethertype is 0x86dd (IPv6).
The Internet Layer is IPv6. The source IPv6 address is fe80::290:bff:fe1b:5762 (the link local address of the firewall). The destination IPv6 address is fe80::2030:9139:9cd5:ab52 (the link-local address of lawrence-pc). The Next Header field is 58 (ICMPv6).
The ICMPv6 message follows: The Message Type is 136 (Neighbor Advertisement). The Code is zero. The Router Flag is set (the firewall happens to be a router). The Solicited Flag is set (lawrence-pc asked for this NA message). The Override Flag is set (this is fresh, accurate information – lawrence-pc should update its neighbor cache). The Target address is fe80::290:bff:fe1b:5762 (the link-local address of the firewall).
There is one option:
The first option is a type 1 option, Source Link-Layer address. Its value is 00:90:0b:1b:57:62, the MAC address of the firewall.