Know Thy (IPv6) Neighbor

In IPv6 there are four [tables | lists | data structures] used as part of the packet forwarding process (e.g. Neighbor Discovery and the Conceptual Sending Algorithm).  They are:

  • Neighbor Cache
  • Destination Cache
  • Prefix List
  • Default Router List

These data structures are currently defined by RFC 4861 (and previously by RFC 1970 and RFC 2461, both now obsolete).  RFC 4861 does a good job describing what these data structures are for and how they should be used but does not, as is typical (and appropriate) to RFC’s, provide any specifics on how they are implemented by each operating system.

The Neighbor Cache, whose closest conceptual relative in IPv4 is the ARP cache, is primarily a list of IPv6-to-MAC address mappings.  If that were all that was true we could say that the ARP cache and the Neighbor Cache were the same thing.  But they are not.  A Neighbor Cache is much more than an ARP cache.  The Neighbor Cache contains the following information:

  • The IPv6 address of the remote node
  • The link-layer address of the remote node (e.g. the MAC address)
  • An indicator (flag) that identifies the remote node as a host or a router
  • Information on the nodes’ reachability (reachable, stale, delay, probe)  (which is also defined in RFC 4861)
  • An indicator/pointer to any packets that are waiting for link-layer resolution to complete.

Shown below is a description of how to view the Neighbor Cache on the most commonly used OS’.

For Windows systems you will need to use the netsh command from a command-prompt.

C:\>netsh interface ipv6 show neighbor
Interface 11: Local Area Connection
Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
fe80::216:eaff:fe5f:dac4 00-16-ea-5f-da-c4 Reachable
fe80::216:eaff:fef5:dac4 Unreachable Unreachable
fe80::21b:21ff:feb5:5a00 00-1b-21-b5-5a-00 Reachable
fe80::223:6cff:fe96:788b 00-23-6c-96-78-8b Stale
ff02::2 33-33-00-00-00-02 Permanent
ff02::16 33-33-00-00-00-16 Permanent
ff02::1:2 33-33-00-01-00-02 Permanent
ff02::1:3 33-33-00-01-00-03 Permanent
ff02::1:ff5f:dac4 33-33-ff-5f-da-c4 Permanent
ff02::1:ff96:788b 33-33-ff-96-78-8b Permanent
ff02::1:ffab:ee4a 33-33-ff-ab-ee-4a Permanent
ff02::1:ffb5:5a00 33-33-ff-b5-5a-00 Permanent
ff02::1:fff5:dac4 33-33-ff-f5-da-c4 Permanent
Interface 13: Local Area Connection* 9
Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
ff02::16 Permanent
ff02::1:2 Permanent

For Linux systems use the ip command from a terminal prompt as follows:

colin@office:~$ ip -6 neigh show
fe80::cc60:7866:aab:ee4a dev eth1 lladdr 08:00:27:f1:8a:63 STALE
fe80::216:eaff:fe5f:dac4 dev eth1 lladdr 00:16:ea:5f:da:c4 REACHABLE
fe80::223:6cff:fe96:788b dev eth1 lladdr 00:23:6c:96:78:8b REACHABLE

For Mac OSX systems use the ndp command from a terminal (stands for neighbor discovery protocol) as follows:

macbook:~ Colin$ ndp -na
Neighbor                        Linklayer Address  Netif Expire    St Flgs Prbs
::1                             (incomplete)         lo0 permanent R      
fe80::1%lo0                     (incomplete)         lo0 permanent R      
fe80::216:eaff:fe5f:dac4%en1    0:16:ea:5f:da:c4     en1 23h7m38s  S      
fe80::21b:21ff:feb5:5a00%en1    0:1b:21:b5:5a:0      en1 1s        R      
fe80::223:6cff:fe96:788b%en1    0:23:6c:96:78:8b     en1 permanent R      
fe80::cc60:7866:aab:ee4a%en1    8:0:27:f1:8a:63      en1 23h45m4s  S      
macbook:~ Colin$


Colin Weaver

About the Author

Colin Weaver

Colin Weaver is co-owner and lead instructor at ITdojo, Inc., a network security and information assurance training center and consulting firm located in Virginia Beach, VA. His passion for technology, networks, and security has led him to become enthralled with the idea of IPv6 and its implementation. In this blog he will share with you glimpses of what he has learned and a hint at what you’ll learn in his classes.