The Internet Protocol is an indispensable part of the internet and local networks. However, to ensure that digital information is transported and that the correct data packets reach the correct target host, a number of additional helper and routing protocols are required. That is what the internet protocol family, or internet protocol stack, is about. The Dynamic Host Configuration Protocol (DHCP), for example, ensures that clients are assigned the appropriate network address during IP connection setup. The Neighbour Discovery Protocol (NDP) supports communication between neighbouring hosts in local networks and determines the gateway router.

Neighbour Discovery Protocol definition

The Neighbour Discovery Protocol is used in conjunction with the newer version of the Internet Protocol (IPv6). Its main function is the resolution of IPv6 addresses into valid MAC addresses, the underlying hardware addresses of the respective devices. In IPv4, this function is performed by the Address Resolution Protocol (ARP). All determined addresses are stored in the so-called neighbour cache. This buffer not only informs network participants about the local addresses of neighbouring clients, but also supplies them with additional information required, for example, for the availability check. As already mentioned, NDP is additionally involved in the allocation of the standard gateway. With the addition of the Router Advertisement Protocol (RA), both the standard router and the valid network prefixes – two basic parameters of the network configuration – can be determined. Finally, the protocol, which exchanges data only within a network, also acts as a support protocol for dynamic address configuration. This process is also known as Stateless Automatic Address Configuration (SLAAC).

How does the NDP work?

Any device that uses the Neighbour Discovery Protocol for network communication manages its own neighbour cache. It lists all known devices on the network, which can be verified by their unique device addresses (MAC). The cache also shows whether a buffered address belongs to a simple client or, for example, to a router. However, the neighbour cache does not stand alone; it is one of four buffers that carry out the functions of NDP. The other three components, which each device also manages separately, are as follows:

  • Destination cache: The destination cache contains entries for all hosts on the network to which data packets have already been sent. Each of these entries, in turn, refers to an address in the neighbour cache that should be used as the next hop (intermediate station) when sending data packets to the desired destination host.
  • Prefix cache: The prefix cache, or prefix list, is used to manage all prefixes that apply to the network where the client resides. This list is necessary because IPv6 supports multi-homing – i.e. the accessibility of the network via two different providers – and because it allows the address space to be split into different prefixes. By using the entries in the prefix cache, NDP determines whether the target host is on the same subnet. Each prefix, except for the MAC address (also, link layer address), has a defined validity period so that the cache always remains up to date.
  • Default router list: The default router list includes all known routers that regularly contact the device. Only active routers are listed because an expiration date is automatically defined for every entry. An extension or refresh is only possible if the router reports back.

To build these caches, NDP uses another protocol of the internet protocol family, ICMPv6 (Internet Control Message Protocol for the Internet Protocol Version 6).

NDP builds on these five ICMPv6 types

ICMPv6 is commonly used in the current version of the internet protocol family to relay error and information messages, and the Neighbour Discovery Protocol uses it in the form of five ICMPv6 message types. Depending on the type, different notifications are sent, which help to build the caches and lists.

Type 134: Router Advertisement

Routers periodically send out so-called router advertisements – ICMPv6 type 134 messages – to inform network members of their presence. They distribute, among other things, their routing information and the parameters necessary for automatic IP configuration. The destination of the message is usually the default multicast address ‘ff02::1’, via which all hosts deemed to be valid are addressed. In the same way, the hosts also receive the router’s address (default gateway) and the global prefix. The scheme of a router advertisement looks as follows:

This type of message therefore has a standard length of 128 bits, with additional bits for options. Valid options include the router’s MAC address, the ‘Maximum Transmission Unit’ and all relevant prefix information.

The ‘type’ field is set to 134 and the ‘code’ field is always set to 0. These are followed by a 16-bit ICMP checksum and an 8-bit hop limit field, which may contain the limit of intermediate stations recommended by the router.

After that follow single bits, which provide insight into:

  • Whether IP addresses can be obtained via dynamic DHCPv6 (M)
  • And whether other address information can be obtained via dynamic DHCPv6 (O).

The ‘reserved’ field remains unused and is ignored by the recipient. In addition, the router advertisement contains figures about:

  • The time in seconds that the router should remain in the default router list (router lifespan, 16-bit integer, maximum 65535).
  • The time in milliseconds that an address in the neighbour cache should still be treated as available after its availability has been confirmed (availability time-out, 32-bit integer, maximum of approximately 50 days).
  • The time in milliseconds after which a neighbour solicitation message (see below) should be resent (resolution time-out, 32-bit integer).

Type 133: Router Solicitation

Router solicitations are messages a host can send to ask all routers on the network to send router advertisements. The routers then respond with a type 134 message, either exclusively to the requesting host (unicast) or to all network participants (multicast). With this message type, a host that has, for example, just established a network connection does not need to wait for the routers to announce themselves automatically. This type of ICMPv6 message is structured as follows:

The default configuration of an NDP ICMPv6 type 133 message thus has a minimum length of 64 bits. ‘Type’ is assigned the router solicitation value 133, while ‘Code’ is again set to 0. The two other mandatory fields are the ICMP checksum (16 bits) and a 32-bit ‘Reserved’ field, which remains unused.

The only possible option that can be attached to the message is the MAC address of the sender.

Type 135: Neighbour Solicitation

Network clients send neighbour solicitations to discover the MAC address of the target host and, in doing so, optionally provide their own address. Devices can transmit ICMPv6 messages of this type either via multicast if they want to determine an address, or via unicast if they are only checking whether a neighbour is present.

Like all ICMPv6 message types, a neighbour solicitation starts with the 8-bit type identification – in this case, ‘type’ has the value 135. This is followed by the 8-bit code, which is set to 0, and the 16-bit checksum. The ‘Reserved’ field remains unused, as with the previously presented messages.

The 128-bit target IP address, which cannot be a multicast address, makes up the bulk of the message, which has a total length of at least 192 bits. This type of message, which is decisive for the Neighbour Discovery Protocol, also allows the MAC address of the sender as an optional additional specification.

Type 136: Neighbour Advertisement

Network devices send neighbour advertisements in response to neighbour solicitations, but they also send unsolicited messages to inform other participants about changes in the address configuration. The structure of this kind of message is as follows:

The first 32 bits of the standard 192-bit neighbour advertisement follow the typical ICMPv6 message scheme: 8 bits each are reserved for ‘type’ (136) and ‘code’ (0), followed by the 16-bit checksum. Three individual bits follow, for which the following conditions apply:

  • R: The ‘R’ bit is set when the message is sent from a router.
  • S: If the message contains the ‘S’ bit, it is a response to a unicast neighbour solicitation, which confirms that the network participant is reachable. This bit cannot be set in response to multicast requests, or in specifically initiated neighbour advertisements.
  • O: The ‘O’ flag instructs the recipient of the message to override the existing cache entry.

The subsequent 29 bits are reserved according to the known pattern, so they remain unused, are initialised with 0 and are ignored by the receiver. Next comes the main part of the message, the 128-bit destination address: either the IP address for which the neighbour advertisement was requested, or the address for which a new MAC address is being announced. The router also has the option to name its own address – mandatory when responding to a multicast request.

Type 137: Redirect

Routers have the ability to inform network hosts about a better first hop on their way to specific destination addresses. To do so, they send NDP ICMPv6 redirects, which are characterised by the following scheme:

With a minimum length of 320 bits, redirects are the largest ICMPv6 messages relevant to the Neighbour Discovery Protocol. The typical structure with bit strings for the type identification (137), the code (0), the checksum and an unused ‘reserved’ field (32 bits) is followed by the address of the recommended hop and then the address for which this redirection is recommended (both 128 bits). Optionally, the message may include the destination’s MAC address, as well as the header of the redirected packet.
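
The fixed header layouts described above, as an added example that is not part of the original article: a Python decoder for the five NDP message types that enforces code 0 and the minimum lengths given in the text. The names `parse_ndp`, `SAMPLE_RA` and `SAMPLE_NA` are chosen for this example, the sample messages are constructed, and the flag positions (the most significant bits of the flag byte) are an assumption taken from the ICMPv6 layout rather than from the page; the checksum is read but not verified.

```python
import ipaddress
import struct

# Minimum lengths in bytes, from the bit lengths in the text
# (64, 128, 192, 192 and 320 bits).
MIN_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}
NAMES = {133: "router-solicitation", 134: "router-advertisement",
         135: "neighbour-solicitation", 136: "neighbour-advertisement",
         137: "redirect"}

def parse_ndp(msg: bytes) -> dict:
    """Decode the fixed part of an NDP ICMPv6 message; options stay raw."""
    if len(msg) < 4:
        raise ValueError("shorter than the ICMPv6 header")
    mtype, code, checksum = struct.unpack("!BBH", msg[:4])
    if mtype not in MIN_LEN:
        raise ValueError(f"ICMPv6 type {mtype} is not an NDP message")
    if code != 0:
        raise ValueError("NDP messages carry code 0")
    if len(msg) < MIN_LEN[mtype]:
        raise ValueError(f"{NAMES[mtype]} is truncated")
    out = {"type": mtype, "name": NAMES[mtype], "checksum": checksum,
           "options": msg[MIN_LEN[mtype]:]}
    if mtype == 134:
        # hop limit, M/O flag byte, router lifespan (s), two time-outs (ms)
        hop, flags, life, reach, retrans = struct.unpack("!BBHII", msg[4:16])
        out.update(hop_limit=hop, managed=bool(flags & 0x80),
                   other=bool(flags & 0x40), router_lifetime_s=life,
                   reachable_ms=reach, retrans_ms=retrans)
    elif mtype in (135, 136, 137):
        target = ipaddress.IPv6Address(msg[8:24])
        if mtype == 135 and target.is_multicast:
            raise ValueError("solicited target must not be multicast")
        out["target"] = str(target)
        if mtype == 136:  # R, S and O are the top three bits after the checksum
            out.update(router=bool(msg[4] & 0x80),
                       solicited=bool(msg[4] & 0x40),
                       override=bool(msg[4] & 0x20))
        if mtype == 137:  # recommended hop first, then the destination
            out["destination"] = str(ipaddress.IPv6Address(msg[24:40]))
    return out

# Constructed sample messages (checksum field left at zero).
SAMPLE_RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 30000, 1000)
SAMPLE_NA = (struct.pack("!BBHI", 136, 0, 0, 0x60000000)
             + ipaddress.IPv6Address("2001:db8::10").packed)
```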

NDP tasks and possibilities at a glance

There is a lot to the caching mechanisms and communications of the Neighbour Discovery Protocol in conjunction with the Internet Control Message Protocol. The following NDP scenarios illustrate the interplay and functionality of the two protocols:

  • Detecting the router and network prefix: All routers in a network routinely send router advertisements via multicast to all network participants. These include, among other things, information like the address, network prefix and routing, which is used to create the default router list as well as the prefix list. Clients then use these lists to determine the default gateway and subnet mask. Since all entries have only a limited validity period, only active routers remain. Router advertisements can also be requested using router solicitations.
  • Determining important parameters for packet transmission: Router advertisements can also optionally contain information about which parameters the participating clients have to apply when delivering packets. This can be very specific information, such as the maximum packet size, but also broad internet parameters, such as the fixed limit of intermediate stations for outgoing packets.
  • Identifying the next hop: When a packet is to be sent, NDP checks whether the destination cache already contains a corresponding entry for the destination host. If this is not the case, the protocol determines the next intermediate station using the information from the prefix list and the default router list. Subsequently, the new state of knowledge is stored in the destination cache, where it is immediately available when a new request is made. If the newly created entry does not already have an equivalent in the neighbour cache, one is automatically generated and address resolution is initiated.
  • Resolving the IP address into the MAC address: In order to determine the MAC address of a specific host in the network, that host is sent a neighbour solicitation via IPv6 multicast to its own specific multicast address. Only that host can respond to this unique address combination. It sends a neighbour advertisement in response containing its MAC address, which the requesting client stores in its neighbour cache. The Neighbour Discovery Protocol is thus used to identify neighbours, as well as to determine routers.
  • Detecting the unreachability of a neighbour: All MAC addresses stored in the neighbour cache must be regularly checked for their relevance. As long as TCP/IP data or acknowledgements are received from a registered address, it is logically considered to be active and the host behind it can be reached. If there has not been a data exchange with the relevant device for a long time, and the entry’s validity period has expired, the entry is marked as outdated. To check whether the respective host is no longer accessible, an ordinary data packet is sent to the registered address first. If an answer returns, one final test is started via unicast neighbour solicitation. If this confirms non-availability, the entry is removed from the neighbour cache.
  • Detecting duplicate addresses: If a device has auto-configured an address, NDP classifies it as ‘tentative’ (temporary). To check it, the newly connected network client sends a neighbour solicitation to the temporary address that it wants to use itself, with a sender address that is unspecified for the time being. If another host is already using the address, it responds with a neighbour advertisement message to the general multicast address. The checking client also receives this message, which suggests a new address.
  • Informing about redirect options: With the redirect message, the Neighbour Discovery Protocol gives routers the ability to optimise the path of data packets to the targeted hosts. As noted above, they can use ICMPv6 type 137 to make recommendations for more appropriate intermediate stations, which are included in the destination cache.

How to inspect the neighbour cache on your system

Whether Windows, macOS, Linux, iOS or Android – modern operating systems support IPv6 and can make use of NDP in Ethernet-based networks. With the appropriate command, you can use the command line at any time to display the neighbour cache that was created for your device.

In Windows, for example, you can list your network neighbours using the netsh (network shell) program and the following command:

netsh interface ipv6 show neighbors

With most Linux distributions, you can access the neighbour cache using the iproute2 tool and this command:

ip -6 neigh

With macOS and other BSD-based distributions, access the cache entries as follows:

ndp -a
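
One way to put the Linux command to use for monitoring, as an added example that is not part of the original article: the Python code below compares two snapshots of `ip -6 neigh` output and reports IPv6 addresses whose MAC address changed (the effect of an overriding neighbour advertisement) and entries newly marked as routers. The function names and the two snapshots are constructed for this example, and the line format (`address dev interface lladdr MAC [router] STATE`) is assumed to match your iproute2 version.

```python
def parse_neigh(text):
    """Index `ip -6 neigh` output by (IPv6 address, interface)."""
    cache = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue  # blank or unrecognised line
        lladdr = None
        if "lladdr" in tok[:-1]:  # entries such as FAILED carry no MAC
            lladdr = tok[tok.index("lladdr") + 1].lower()
        cache[(tok[0], tok[2])] = {"lladdr": lladdr,
                                   "router": "router" in tok[3:],
                                   "state": tok[-1]}
    return cache

def diff_caches(before, after):
    """Return (kind, address, old MAC, new MAC) tuples worth reviewing."""
    findings = []
    for key, new in sorted(after.items()):
        old = before.get(key)
        if (old and old["lladdr"] and new["lladdr"]
                and old["lladdr"] != new["lladdr"]):
            findings.append(("lladdr-changed", key[0],
                             old["lladdr"], new["lladdr"]))
        if new["router"] and not (old and old["router"]):
            findings.append(("new-router", key[0], None, new["lladdr"]))
    return findings

# Constructed snapshots, taken at two points in time on the same host.
BEFORE = """\
fe80::1 dev eth0 lladdr 02:00:00:00:00:01 router REACHABLE
2001:db8::20 dev eth0 lladdr 02:00:00:00:00:20 STALE
2001:db8::30 dev eth0 FAILED
"""
AFTER = """\
fe80::1 dev eth0 lladdr 02:00:00:00:00:01 router REACHABLE
2001:db8::20 dev eth0 lladdr 02:00:00:00:00:99 REACHABLE
fe80::2 dev eth0 lladdr 02:00:00:00:00:02 router STALE
"""

if __name__ == "__main__":
    for finding in diff_caches(parse_neigh(BEFORE), parse_neigh(AFTER)):
        print(finding)
```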