IPv6 Neighbor Discovery Protocol (ND)

IPv6 Neighbor Discovery is actually a subset of the ICMPv6 protocol. It uses the same protocol number (58) and syntax as the basic ICMPv6 messages, but is specified in its own standard. Neighbor Discovery was originally defined in RFC 1920, “Neighbor Discovery for IP version 6 (IPv6)”, August 1996.

RFC 1920 was replaced by RFC 2461 “Neighbor Discovery for IP version 6 (IPv6)”, December 1998. This in turn was replaced by RFC 4861, “Neighbor Discovery for IP version 6 (IPv6)”, September 2007, which is the current version.

RFC 4861 states the purpose of Neighbor Discovery as follows:

“IPv6 nodes on the same link use Neighbor Discovery to discover each other’s presence, to determine each other’s link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors.”

Neighbor Discovery (ND) is one of the key components of IPv6. It has no exact equivalent in IPv4, although some of the mechanisms in IPv4 were similar (but mostly without the full functionality of the IPv6 mechanisms). ND replaces ARP (Address Resolution Protocol), ICMPv4 Router Discovery and ICMPv4 Redirect. There is no official IPv4 equivalent to Neighbor Unreachability Detection (NUD), although both Microsoft and Linux have implemented IPv4 functionality very similar to IPv6’s NUD in their recent releases.

Router Discovery is a part of the base IPv6 protocol set, so there is no need to “snoop” the routing protocols to perform this function (as is done with IPv4).

There are five messages used in Neighbor Discovery. A Neighbor Discovery message is a short block of binary data with well defined fields. The fields are defined by the offset of the start of the block from the beginning of the message, and the length of the field in bits.

There are five options that are used in the various messages, that are inserted in the options field of a message. A Neighbor Discovery option is a short block of binary data that is incorporated into the option field of a Neighbor Discovery message. The options also have fields, similar to the messages. They include:

There are nine mechanisms that use the above messages and options. Some of these overlap (e.g. Stateless Address Autoconfiguration includes Router Discovery, Prefix Discovery and Parameter Discovery).  These mechanisms are as follows:

All ND mechanisms are Link-Local (they take place only within the local link or subnet – ND messages don’t cross routers). They use only Link-Local Unicast addresses (from fe80::/64) and Link-Local Multicast addresses. The Hop Limit field in the Packet Header of all ND messages is set to 255 (the maximum possible value of an 8 bit field). If someone injects an ND message from outside the current link, there is no possible way for the Hop Limit to be 255 after it crosses the router into the Local Link. If a hacker sets the Hop Limit to 255, it will be 254 after crossing the router. If a hacker sets the Hop Limit to 0, the router will discard it upon receipt instead of forwarding it. This prevents a whole class of hacking attacks. It is still possible for a compromised node in the Local Link to send bogus ND messages, but this requires compromising at least one internal node.

In IPv4, ARP is used for Address Resolution (mapping IP addresses to Link Layer addresses). There is no way to protect ARP, so it is the target of many effective hacking attacks. Since ND Address Resolution is in the Internet Layer (instead of the Link Layer, as ARP is), it can be protected with IPsec AH and/or ESP. There is a recent standard, RFC 3971, “Secure Neighbor Discovery (SEND)”, March 2005, that specifies a secure version of ND using public key infrastructure (or other security mechanisms). SEND is even better than ND protected with IPsec, but is not yet widely implemented (in particular, Microsoft has chosen not to implement it in Windows).

Every ND packet begins with a basic IPv6 Packet Header with IPv6 Link-Local source and destination addresses. The basic IPv6 Packet Header can be followed by zero or more Packet Header Extensions (e.g. IPsec AH and IPsec ESP). The Next Header field of the Packet Header (or final Extension Header) contains the value 58 (the same value as for ICMPv6). The checksum field of ND messages is handled the same as with any ICMPv6 message, and unlike ICMPv4 messages, incorporates a pseudo header that contains information from the IPv6 basic Packet Header.

Most ND messages are sent to a multicast address, either all nodes in local link (ff02::1) or all routers in local link (ff02::2). This allows all nodes (or routers) to listen in to most transmissions, and update their tables if necessary, whether or not the message was intended for them. The Neighbor Solicitation message (if used to obtain the Link Layer address of another node) is sent using the Solicited Node multicast address of that node, so that only that node (and maybe a small handful of others) will receive it.