Neighbor Discovery Protocol (NDP) is the mechanism IPv6 networks use to find other devices on the same local network, discover routers, and automatically configure addresses. It replaces several older IPv4 protocols, most notably ARP (Address Resolution Protocol), by combining their functions into a single, more efficient system built on top of ICMPv6. If you’re working with any modern IPv6 network, NDP is running constantly in the background, handling tasks that keep devices connected and reachable.
What NDP Actually Does
NDP handles five core jobs on a local network. First, it resolves IPv6 addresses to physical hardware (MAC) addresses, which is the equivalent of what ARP does in IPv4. Second, it lets devices discover routers on the network and learn which prefixes (address ranges) belong to that network. Third, it enables devices to automatically generate their own IPv6 addresses without a central server. Fourth, it detects duplicate addresses before a device commits to using one. Fifth, it continuously checks whether neighboring devices are still reachable.
All of these functions run through five specific ICMPv6 message types, each assigned a number:
- Router Solicitation (Type 133): A device joining the network sends this to ask any routers to identify themselves.
- Router Advertisement (Type 134): Routers periodically broadcast their presence and share network configuration details, or respond directly to a solicitation.
- Neighbor Solicitation (Type 135): A device sends this to find the MAC address of another device, or to verify that a neighbor is still reachable.
- Neighbor Advertisement (Type 136): The response to a Neighbor Solicitation, confirming a device’s MAC address.
- Redirect (Type 137): A router sends this to tell a device there’s a better first-hop router for a particular destination.
How NDP Improves on ARP
In IPv4, ARP uses broadcast messages to resolve addresses. A broadcast hits every single device on the local network, forcing each one to process the message even if it’s irrelevant to them. NDP replaces this with multicast, which targets a much smaller group. IPv6 address resolution multicasts are spread across roughly 4 billion multicast groups, so only the device (or tiny subset of devices) mapped to that group needs to process the message. Non-IPv6 devices aren’t interrupted at all.
This matters more as networks grow. On a busy IPv4 network with hundreds of devices, ARP broadcasts create measurable overhead. NDP’s multicast approach scales far more gracefully. It also integrates router discovery and address configuration directly into the protocol, whereas IPv4 relies on separate protocols (ICMP Router Discovery, DHCP) to handle those tasks independently.
Address Autoconfiguration and DAD
One of NDP’s most practical features is Stateless Address Autoconfiguration (SLAAC). When a device connects to an IPv6 network, it listens for Router Advertisements that contain the network prefix. The device then combines that prefix with an identifier it generates locally to create a full IPv6 address, no DHCP server required.
Before the device starts using that address, it runs Duplicate Address Detection (DAD). The device sends a Neighbor Solicitation for the address it wants to claim. If another device on the network already holds that address, it responds with a Neighbor Advertisement saying the address is taken. Only after this check passes does the new device begin using the address.
Router Advertisements also carry configuration flags that tell devices how to get additional settings. The M flag (Managed Address Configuration) signals that a DHCPv6 server is available for full address assignment. The O flag (Other Configuration) tells devices to use DHCPv6 for extra settings like DNS servers, but to keep their SLAAC-generated address. When both flags are off, the network runs entirely on stateless configuration.
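As an added worked example (not code from the original article), here is a small Python parser for the Router Advertisement header and its Prefix Information option, followed by the SLAAC steps the text describes: building a modified EUI-64 interface identifier, joining it to the advertised prefix, and deriving the solicited-node multicast group that the DAD Neighbor Solicitation for the new address is sent to. The RA bytes and the MAC address are constructed sample values; the solicited-node group is formed from the low 24 bits of the address as RFC 4291 specifies.

```python
import ipaddress
import struct

# Constructed sample Router Advertisement (ICMPv6 type 134), not a real capture.
# Header per RFC 4861: type, code, checksum(2), cur hop limit, flags, router
# lifetime(2), reachable time(4), retrans timer(4); then one Prefix Information
# option (type 3, length 4 x 8 bytes). The checksum is left zero and not checked.
RA_MSG = (
    bytes([134, 0, 0, 0, 64, 0x40]) + struct.pack("!HII", 1800, 0, 0)    # O flag set
    + bytes([3, 4, 64, 0xC0]) + struct.pack("!III", 2592000, 604800, 0)  # L and A set
    + ipaddress.IPv6Address("2001:db8:1:2::").packed
)

def parse_ra(msg):
    """Return (M flag, O flag, [(prefix, prefix_length, autonomous), ...])."""
    if msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    m_flag = bool(msg[5] & 0x80)   # Managed: get addresses from DHCPv6
    o_flag = bool(msg[5] & 0x40)   # Other: DHCPv6 only for DNS and similar settings
    prefixes, off = [], 16
    while off + 2 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1] * 8
        if opt_len == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the packet
        if opt_type == 3 and opt_len == 32:
            autonomous = bool(msg[off + 3] & 0x40)   # A flag: prefix usable for SLAAC
            prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
            prefixes.append((prefix, msg[off + 2], autonomous))
        off += opt_len
    return m_flag, o_flag, prefixes

def eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291)."""
    b = bytearray.fromhex(mac.replace(":", ""))
    b[0] ^= 0x02                                    # flip the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])

def slaac_address(prefix, iid):
    """Advertised /64 prefix + locally generated interface identifier."""
    return ipaddress.IPv6Address(prefix.packed[:8] + iid)

def solicited_node(addr):
    """Group the DAD probe for addr is sent to: ff02::1:ffXX:XXXX (low 24 bits)."""
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + addr.packed[13:])
```

With the sample RA the M flag is clear and the O flag set, so a host would keep its SLAAC address and use DHCPv6 only for the extra settings the text mentions.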
Neighbor Unreachability Detection
NDP doesn’t just discover neighbors once and forget about them. It maintains a neighbor cache, a table of known devices and their current status, and actively monitors whether those devices are still reachable. This process is called Neighbor Unreachability Detection (NUD).
Each entry in the neighbor cache moves through a series of states. When a device first tries to resolve an address, the entry starts as INCOMPLETE, meaning a solicitation has been sent but no response received yet. Once the neighbor replies, the entry moves to REACHABLE. After a timeout with no confirmed communication, it transitions to STALE, meaning the address is probably still valid but hasn’t been verified recently. If the device then needs to send traffic to that neighbor, the entry moves to DELAY, giving a short window for passive confirmation (like receiving traffic back from that neighbor). If no confirmation arrives, it enters PROBE, where the device actively sends unicast Neighbor Solicitations to check. If those probes fail, the entry can move to UNREACHABLE, at which point the device switches to multicast solicitations with exponential backoff, giving the neighbor more time to respond before giving up entirely.
This lifecycle keeps the neighbor cache accurate without flooding the network with unnecessary traffic. Reachable neighbors get left alone, and unreachable ones get progressively more aggressive checks before being dropped.
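The neighbor cache lifecycle above, modelled as a state machine in an added Python example (not the article's own code). The event names, the 60-second backoff cap and the handling of UNREACHABLE as a cache state are this example's assumptions; RETRANS_TIMER defaults to 1000 ms per RFC 4861.

```python
from enum import Enum

NudState = Enum("NudState", "INCOMPLETE REACHABLE STALE DELAY PROBE UNREACHABLE")
S = NudState

# (current state, event) -> next state, following the lifecycle described above.
# Event names are this example's own: "na" = solicited Neighbor Advertisement
# received, "confirmed" = upper-layer progress seen (e.g. a TCP ACK), "timeout" =
# the state's timer expired, "send" = traffic queued, "probe_failed" = no reply.
TRANSITIONS = {
    (S.INCOMPLETE, "na"): S.REACHABLE,
    (S.REACHABLE, "timeout"): S.STALE,
    (S.STALE, "send"): S.DELAY,
    (S.DELAY, "confirmed"): S.REACHABLE,
    (S.DELAY, "timeout"): S.PROBE,
    (S.PROBE, "na"): S.REACHABLE,
    (S.PROBE, "probe_failed"): S.UNREACHABLE,
    (S.UNREACHABLE, "na"): S.REACHABLE,
}
RETRANS_TIMER_MS = 1000    # RFC 4861 default; the backoff cap below is an assumption
MAX_BACKOFF_MS = 60000

class NeighborEntry:
    def __init__(self, ip):
        self.ip, self.mac = ip, None
        self.state = S.INCOMPLETE     # a multicast NS has just been sent
        self.attempts = 0             # solicitations sent in the current state

    def handle(self, event, mac=None):
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            return self.state         # event not meaningful in this state: no-op
        if mac is not None:
            self.mac = mac            # learned from the NA's link-layer option
        self.state, self.attempts = nxt, 0
        return nxt

    def next_solicitation(self):
        """What NUD sends next as (kind, delay_ms), or None if this state sends nothing."""
        if self.state in (S.INCOMPLETE, S.UNREACHABLE):
            kind = "multicast"        # no usable MAC: ask the solicited-node group
        elif self.state == S.PROBE:
            kind = "unicast"          # MAC still cached: probe it directly
        else:
            return None               # REACHABLE, STALE and DELAY just wait
        delay = RETRANS_TIMER_MS
        if self.state == S.UNREACHABLE:   # exponential backoff, as described above
            delay = min(delay * 2 ** self.attempts, MAX_BACKOFF_MS)
        self.attempts += 1
        return kind, delay
```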
Security Concerns
Basic NDP has no built-in authentication. Any device on the local network can send forged Router Advertisements, fake Neighbor Advertisements, or malicious Redirect messages. An attacker could impersonate a router to intercept traffic, claim another device’s address to hijack connections, or poison neighbor caches to redirect packets.
The DAD process is particularly vulnerable. An attacker can monitor for Neighbor Solicitations from new devices and immediately respond with a fraudulent advertisement claiming the address is already in use. The new device regenerates a different address, and the attacker repeats. This denial-of-service loop can prevent a device from ever obtaining a valid address.
To address these risks, the IETF developed SEcure Neighbor Discovery (SEND), defined in RFC 3971. SEND adds cryptographic signatures to NDP messages, allowing devices to verify that Router Advertisements actually come from legitimate routers and that Neighbor Advertisements come from the real address owner. Notably, SEND does not rely on IPsec. Instead, it uses Cryptographically Generated Addresses, where the address itself is mathematically tied to a public key, making it much harder to forge. In practice, SEND adoption has been limited due to its complexity, and many networks rely on simpler measures like RA Guard (filtering rogue Router Advertisements at the switch level) to protect against the most common NDP attacks.
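As an added example from the defender's side (not part of the original article), the following Python runs two of the checks described above over a constructed log of NDP events: RA Guard style filtering of Router Advertisements from sources not on a router allowlist, and spotting a host that answers DAD probes for many different tentative addresses. The log lines, the allowlist and the alert threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of NDP traffic as a link monitor might log it (not a real
# capture), one event per line: "time type src_mac src_ip target". DAD probes
# are Neighbor Solicitations sent from the unspecified address "::".
EVENTS = """\
0.00 RA 00:aa:bb:00:00:01 fe80::1 -
0.50 NS 00:11:22:33:44:55 :: 2001:db8:1:2:211:22ff:fe33:4455
0.51 NA 00:de:ad:be:ef:01 fe80::dead 2001:db8:1:2:211:22ff:fe33:4455
1.00 NS 00:11:22:33:44:55 :: 2001:db8:1:2:1a2b:3c4d:5e6f:1
1.01 NA 00:de:ad:be:ef:01 fe80::dead 2001:db8:1:2:1a2b:3c4d:5e6f:1
1.50 NS 00:11:22:33:44:55 :: 2001:db8:1:2:1a2b:3c4d:5e6f:2
1.51 NA 00:de:ad:be:ef:01 fe80::dead 2001:db8:1:2:1a2b:3c4d:5e6f:2
2.00 RA 00:de:ad:be:ef:01 fe80::dead -
"""

TRUSTED_ROUTER_MACS = {"00:aa:bb:00:00:01"}   # assumed RA Guard allowlist
DAD_REPLY_THRESHOLD = 3                        # assumed alerting threshold

def parse_events(text):
    """Parse the log into (time, type, src_mac, src_ip, target) tuples."""
    rows = []
    for line in text.splitlines():
        t, typ, mac, ip, target = line.split()
        rows.append((float(t), typ, mac, ip, target))
    return rows

def rogue_ras(events):
    """RA Guard logic: any Router Advertisement from a MAC not on the allowlist."""
    return [(t, mac) for t, typ, mac, _, _ in events
            if typ == "RA" and mac not in TRUSTED_ROUTER_MACS]

def dad_dos_suspects(events, threshold=DAD_REPLY_THRESHOLD):
    """MACs that answered DAD probes for at least `threshold` distinct tentative
    addresses. A real owner defends only the few addresses it holds; answering
    every probe is the DAD denial-of-service pattern described above."""
    dad_targets = {tgt for _, typ, _, ip, tgt in events if typ == "NS" and ip == "::"}
    answered = defaultdict(set)
    for _, typ, mac, _, tgt in events:
        if typ == "NA" and tgt in dad_targets:
            answered[mac].add(tgt)
    return {mac: len(tgts) for mac, tgts in answered.items() if len(tgts) >= threshold}
```

In the sample, the same MAC both answers every DAD probe and later sends an unsolicited Router Advertisement, which is why both checks flag it.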