In IPv4, a host needed several different protocols just to start talking. ARP found MAC addresses, ICMP Router Discovery advertised the gateway, DHCP handed out addresses, and ICMP Redirect fixed routes, each running independently. IPv6 folds these four jobs into five message types over ICMPv6, and that consolidation mechanism is NDP (Neighbor Discovery Protocol).
Following what each of those five messages looks like, and the order they fly in when a host joins a network, shows how NDP works.
The Five ICMPv6 Messages

NDP does everything with five messages, ICMPv6 Types 133 through 137. Each one absorbed an IPv4 function:
| IPv4 | IPv6 NDP message | Type |
|---|---|---|
| ARP Request | Neighbor Solicitation (NS) | 135 |
| ARP Reply | Neighbor Advertisement (NA) | 136 |
| ICMP Router Discovery (request) | Router Solicitation (RS) | 133 |
| ICMP Router Discovery (reply) | Router Advertisement (RA) | 134 |
| ICMP Redirect | Redirect | 137 |
Every NDP message has Hop Limit 255. Passing through a router decrements the value, so the receiver treats any NDP message that isn’t 255 as forged and injected from off-link, and drops it. It is NDP’s baseline anti-forgery check.
Router Solicitation (RS) — Type 133
The host asking “any routers here?” It’s sent the instant the host connects, which makes for fast configuration.
ICMPv6 Header (8 bytes):
Type: 133, Code: 0, Checksum
Reserved: 0 (4 bytes)
Options:
Source Link-Layer Address (optional, 8 bytes)
Transmission: source = Link-Local or :: (if no address yet)
destination = FF02::2 (All-Routers multicast)
Router Advertisement (RA) — Type 134
A router broadcasting network configuration. It answers an RS or multicasts periodically. It’s the richest NDP message, and it dictates how the host configures its address.
ICMPv6 Header (16 bytes):
Type: 134, Code: 0, Checksum
Cur Hop Limit: 64
M Flag: whether to get the address from DHCPv6
O Flag: whether to get extra info from DHCPv6
Router Lifetime: 1800 (seconds)
Reachable Time / Retrans Timer
Options:
Source Link-Layer Address, MTU
Prefix Information (32 bytes):
Prefix: 2001:db8::/64, Prefix Length: 64
L Flag: 1 (On-Link)
A Flag: 1 (allow address generation via SLAAC)
Valid / Preferred Lifetime
The M/O flag combination here decides the address-configuration policy.
- M=0, O=0: pure SLAAC. The host builds its own address. No DHCPv6.
- M=0, O=1: address via SLAAC, but extra info like DNS comes from DHCPv6.
- M=1: stateful DHCPv6. A DHCPv6 server assigns the address.
Neighbor Solicitation (NS) — Type 135
The replacement for ARP Request. It asks for a destination’s MAC, checks whether a neighbor is still alive, or verifies that an address you want to use isn’t already taken.
ICMPv6 Header (24 bytes):
Type: 135, Code: 0, Checksum
Reserved: 0 (4 bytes)
Target Address: 2001:db8::20 (IPv6 you're looking for, 16 bytes)
Options:
Source Link-Layer Address (optional, omitted during DAD)
An NS goes to a Solicited-Node multicast address rather than to broadcast: FF02::1:FF00::/104 followed by the last 24 bits of the target IPv6 address. Looking for 2001:db8::1234 sends to FF02::1:FF00:1234. Only the handful of nodes whose low 24 bits match listen to that address, so unlike an ARP broadcast it doesn’t wake every host on the network. This is what it means for IPv6 to cut unnecessary traffic with multicast.
Neighbor Advertisement (NA) — Type 136
A reply to an NS, or a notice that one’s own MAC changed. The equivalent of ARP Reply.
ICMPv6 Header (24 bytes):
Type: 136, Code: 0, Checksum
R Flag: whether sender is a router
S Flag: whether this is a response to an NS (Solicited)
O Flag: whether to overwrite the cache (Override)
Target Address: 2001:db8::20 (own IPv6, 16 bytes)
Options:
Target Link-Layer Address (8 bytes)
Three flags split the behavior. S=1 is a unicast reply to an NS; S=0 is an unsolicited notice (Gratuitous NA). O=1 tells the receiver to overwrite its existing cache entry with the new MAC.
Redirect — Type 137
A router telling a host “for that destination, this next hop is faster.” Only routers may send it, and for safety it goes only from a Link-Local address with Hop Limit 255.
ICMPv6 Header:
Type: 137, Code: 0, Checksum
Target Address: better next hop (16 bytes)
Destination Address: final destination (16 bytes)
Options:
Target Link-Layer Address, Redirected Header (part of original packet)
The Five-Stage Join Flow

The order these messages travel runs from the instant a new host is plugged in to the moment communication begins.
Stage 1 — Router Discovery (RS → RA)
The host finds a router and receives a network prefix.
[Host → FF02::2] Router Solicitation (133)
source: FE80::1234:5678:9abc:def0 (Link-Local)
[Router → FF02::1] Router Advertisement (134)
M=0, O=0 (use SLAAC)
Prefix: 2001:db8::/64, A=1, L=1
MTU: 1500, Router Lifetime: 1800
Stage 2 — Stateless Address Autoconfiguration (SLAAC)
The host combines the prefix from the RA with an interface ID to build a global address.
prefix 2001:db8::/64 (from RA)
interface ID 1234:5678:9abc:def0 (same as Link-Local)
→ 2001:db8::1234:5678:9abc:def0 (state: Tentative)
This stage turns on how the interface ID is made. The traditional method, EUI-64, stretches a 48-bit MAC to 64 bits.
MAC 00:11:22:33:44:55
(1) insert FFFE in the middle → 00:11:22:FF:FE:33:44:55
(2) flip the 7th bit (U/L) → 02:11:22:FF:FE:33:44:55
(3) IPv6 form → 0211:22ff:fe33:4455
full 2001:db8::211:22ff:fe33:4455
The MAC ends up embedded in the address, which lets a device be tracked. Modern OSes use RFC 4941 (Privacy Extensions) or RFC 7217 (Stable Privacy) to generate random or stable interface IDs that don’t leak the MAC.
Stage 3 — Duplicate Address Detection (DAD)
The host verifies its new address isn’t already in use. Optional in IPv4, mandatory in IPv6.
[Host → Solicited-Node multicast] Neighbor Solicitation (135)
source: :: ← the telltale sign of DAD (no address yet)
Target: 2001:db8::1234:5678:9abc:def0
[wait 1 second]
no reply → state Preferred, bind to interface
NA received → duplicate, regenerate with a new interface ID and retry
An NS with source :: (unspecified) is DAD, since the sender’s own address isn’t finalized yet.
Stage 4 — Neighbor Address Resolution (NS → NA)
To actually communicate, the host resolves the destination IPv6’s MAC. This is ARP’s IPv6 counterpart.
[Host A 2001:db8::10 → Solicited-Node multicast] NS (135)
Target: 2001:db8::20
Option: Source Link-Layer = aa:aa:aa:aa:aa:aa
[Host B 2001:db8::20 → Host A unicast] NA (136)
S=1 (reply), O=1 (update cache)
Option: Target Link-Layer = bb:bb:bb:bb:bb:bb
→ Host A's Neighbor Cache: 2001:db8::20 = bb:bb:... (REACHABLE)
Stage 5 — Neighbor Unreachability Detection (NUD)
A state machine tracks whether cached neighbors are still alive. Unlike the ARP cache, which leaned on simple expiry, NDP transitions states explicitly.
REACHABLE (default 30s) ── time passes ──▶ STALE
STALE ── upper layer tries to send ──▶ DELAY (5s)
DELAY ── no confirmation ──▶ PROBE (retransmit NS, max 3x)
PROBE ── NA received ──▶ REACHABLE
PROBE ── fails ──▶ removed from cache
This state machine prevents the waste of sending packets to a dead neighbor and reacts quickly to topology changes.
SLAAC and DHCPv6
A common misconception is that IPv6 dropped DHCP. In fact the RA’s M/O flags combine the two.
| Who makes the address | Server | RA M | RA O | |
|---|---|---|---|---|
| SLAAC | Host generates | Not needed | 0 | 0 |
| Stateless DHCPv6 | Host generates | For extra info only | 0 | 1 |
| Stateful DHCPv6 | DHCPv6 assigns | Required | 1 | - |
SLAAC is plug-and-play with no server, but addresses are hard to manage centrally. A large environment that needs an IP ledger uses stateful DHCPv6. It is not a matter of picking one or the other; it is a matter of declaring policy through RA flags.
No Authentication
NDP consolidated the functions, but plain NDP has no authentication of the message sender. The Hop Limit 255 check only blocks off-link forgery; it does nothing against an attacker on the same link. The same attacks that hit IPv4 ARP spoofing exist in NDP, structurally identical.
- RA spoofing: a forged RA injects a fake prefix, gateway, and DNS, routing all traffic through the attacker (MITM). The highest-impact NDP threat.
- NS/NA spoofing: a forged NA with O=1 poisons the neighbor cache. The IPv6 version of ARP cache poisoning.
- DAD DoS: every time a host runs DAD on a new address, the attacker replies “already in use” with a false NA, so the host never gets an address.
- Redirect attack: a forged Redirect changes the host’s next hop to the attacker.
Defense runs along two lines. One is to authenticate the messages themselves: SEND (SEcure Neighbor Discovery, RFC 3971) blocks forgery with public-key signatures and CGA (addresses whose interface ID is a hash of the public key). It is strong but needs PKI and has thin device support, so deployment is limited. The other is to filter abnormal messages at the network gear: RA Guard blocks RAs arriving on host ports (since routers live only on router ports), while DHCPv6 Guard and IPv6 Source Guard block unauthorized DHCPv6 replies and spoofed source addresses respectively. In practice the latter is the realistic first line of defense, with SEND added when the threat model is high.