IP connectivityIntermediate23 min read

What Is Neighbor Solicitation in Networking?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Neighbor Solicitation is like knocking on a neighbor's door to ask for their address, but in an IPv6 computer network. When one device needs to communicate with another device on the same local network, it sends a Neighbor Solicitation message to find out the target’s hardware address. This process helps devices discover each other and also checks that no two devices are using the same IP address. It is a core part of how IPv6 handles local communication, replacing the older ARP method used in IPv4.

Commonly Confused With

Neighbor SolicitationvsRouter Solicitation

Router Solicitation (ICMPv6 type 133) is sent by hosts to request Router Advertisements from routers, to learn about available prefixes and default gateways. Neighbor Solicitation (type 135) is used to resolve a neighbor's MAC address or to check for duplicate IPs. The destination addresses also differ: Router Solicitation uses the all-routers multicast address FF02::2, while Neighbor Solicitation uses the solicited-node multicast address.

A host boots up and sends a Router Solicitation to find a router, then later sends a Neighbor Solicitation to find the MAC address of that router.

Neighbor SolicitationvsNeighbor Advertisement

Neighbor Advertisement (ICMPv6 type 136) is the response to a Neighbor Solicitation. The Solicitation asks 'Who has this IP?' and the Advertisement answers 'I have it, here is my MAC address.' They are a pair: you cannot have one without the other in a successful address resolution. In exam questions, you must know which message is the request and which is the reply.

Device A sends a Neighbor Solicitation asking for the MAC address of IP X. Device B with IP X sends a Neighbor Advertisement with its MAC address. Without the Advertisement, A never learns B's MAC.

Neighbor SolicitationvsARP (Address Resolution Protocol)

ARP is the IPv4 equivalent of Neighbor Solicitation + Advertisement, but there are key differences. ARP uses broadcast traffic, while Neighbor Solicitation uses multicast. ARP is a separate protocol (not ICMP), whereas Neighbor Solicitation is an ICMPv6 message. IPv6 uses Neighbor Solicitation to also perform DAD and NUD, while IPv4 uses separate mechanisms like ARP probes for duplicate detection. IPv6 also incorporates security features that ARP lacks natively.

In IPv4, if a host wants to send to 192.168.1.1, it broadcasts an ARP request. In IPv6, to send to fe80::1, it multicasts a Neighbor Solicitation. Both achieve MAC resolution, but the methods differ in efficiency and functionality.

Must Know for Exams

For general IT certification exams, understanding Neighbor Solicitation is important, especially for those covering IPv6 fundamentals. In CompTIA Network+, the term appears under objective 1.4 regarding IPv6 addressing and protocols.

You may be asked to identify the purpose of Neighbor Solicitation messages or differentiate it from ARP in IPv4. Questions might present a scenario where devices on the same VLAN cannot communicate, and you must recognize that a neighbor discovery failure could be the cause. For the CCNA (Cisco Certified Network Associate) exam, Neighbor Solicitation is a core concept under the IPv6 section.

Cisco expects you to understand NDP (Neighbor Discovery Protocol) in depth, including the five message types: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, and Redirect. You may be asked to interpret output from 'show ipv6 neighbors' or 'debug ipv6 nd' commands, and you must know that Neighbor Solicitation uses type 135 ICMPv6 messages. Exam questions may also test your knowledge of Duplicate Address Detection (DAD) and how it uses Neighbor Solicitation with an unspecified source address.

In the CompTIA Security+ exam, Neighbor Solicitation appears in the context of network attacks and mitigation. You might encounter questions about neighbor spoofing, where an attacker sends fake Neighbor Advertisements to intercept traffic, and you need to understand that this is a risk associated with NDP. The exam may ask about Secure Neighbor Discovery (SEND) as a countermeasure.

For the Juniper JNCIA-Junos exam, Neighbor Solicitation is part of the IPv6 fundamentals objective, and you may need to configure IPv6 on interfaces and verify neighbor cache entries using 'show ipv6 neighbors'. The exam will test your ability to interpret the neighbor state, such as REACH, STALE, DELAY, and PROBE, which are determined by Neighbor Solicitation messages. In all these exams, Neighbor Solicitation appears not as a standalone topic but integrated into broader questions about IPv6 operations, troubleshooting, and security.

The best way to prepare is to understand the message flow, the multicast addresses used, and the flags in Neighbor Advertisements. Practicing with packet captures and reading RFC 4861 will solidify your understanding.

Simple Meaning

Imagine you live in a large apartment building and you need to deliver a package to a specific apartment number. You know the apartment number (like an IP address), but you don't know which door to knock on. So you stand in the hallway and shout, 'Hey, who is in apartment 305?

Please tell me where your door is.' That shout is the Neighbor Solicitation message. The person in apartment 305 then replies with their exact door location (the MAC address), and you can now deliver the package.

This whole transaction lets devices on the same local network find each other’s hardware addresses so they can exchange data. Neighbor Solicitation also serves as a duplicate address detection mechanism. Before a device uses a new IP address, it sends a Neighbor Solicitation to see if any other device responds, which would mean the address is already taken.

If no one answers, the device can safely use that address. This is very similar to checking if a seat is taken before you sit down. In IPv6, this neighbor discovery process is more efficient and secure than the older system used in IPv4, because it uses multicast messages (targeting a group of devices) instead of broadcasting to every device on the network.

Full Technical Definition

Neighbor Solicitation is an ICMPv6 message type (Type 135) used in the Neighbor Discovery Protocol (NDP) for IPv6. It serves two primary functions: address resolution and duplicate address detection (DAD). In address resolution, a node sends a Neighbor Solicitation message to the solicited-node multicast address corresponding to the target IPv6 address.

The solicited-node multicast address is formed by combining the prefix FF02::1:FF00:0/104 with the last 24 bits of the target IPv6 address. This narrows the multicast group to only those devices that share the same last 24 bits, reducing unnecessary traffic. The requesting node includes its own link-layer address in the Source Link-Layer Address option of the message, so the target can reply directly.

When the target receives the Neighbor Solicitation, it responds with a Neighbor Advertisement message (Type 136), which contains its own link-layer address and various flags indicating its reachability state. For Duplicate Address Detection, a node sends a Neighbor Solicitation with an unspecified source address (::) to the solicited-node multicast address of the tentative address it wishes to use. If any node responds with a Neighbor Advertisement, the address is considered duplicate and cannot be used.

The DAD process is defined in RFC 4862 and is mandatory for all unicast addresses. The Neighbor Solicitation message also supports neighbor unreachability detection (NUD), where a node actively probes a neighbor by sending solicitation messages to confirm that the neighbor is still reachable. The Neighbor Solicitation message structure includes the ICMPv6 type (135), code (0), a reserved field, a target address field, and optional fields such as Source Link-Layer Address.

The implementation of Neighbor Solicitation is integral to IPv6 network operation and is directly supported by all modern operating systems including Windows, Linux, macOS, and network devices running IPv6. In enterprise networks, Neighbor Solicitation traffic can be monitored and captured using tools like Wireshark, with filters such as 'icmpv6.type == 135' to isolate these messages.

Real-Life Example

Think of a college dormitory during move-in day. Each student has a room number (like an IP address), but they don't know each other's names (MAC addresses). You are in room 204 and you want to send a note to the student in room 307.

You don't know their name, so you go to the common area and say, 'I'm looking for the student in room 307. Please come and tell me your name so I can deliver this note.' That announcement is your Neighbor Solicitation.

The student in room 307 hears you and replies, 'I am the student in room 307, and my name is Alex.' Now you know that Alex is in room 307, and you can deliver your note. This maps to Neighbor Solicitation in IPv6: your device (room 204) wants to send data to the device with IP address 2001:db8::307 (room 307).

Your device sends a Neighbor Solicitation message to the multicast group associated with that IP address, essentially asking, 'Who has this IP? Give me your MAC address.' The device with that IP responds with its MAC address, just like Alex gave you their name.

After that, your device can send data directly because it has the hardware address. Now imagine another scenario: you are a new student who hasn't been assigned a room yet. You want to claim room number 307, but you don't know if it's already taken.

So you shout, 'I'm considering room 307 – is anyone already living there?' If someone responds, you know the room is taken and you must choose a different number. That is exactly how Duplicate Address Detection works.

Your device sends a Neighbor Solicitation with its tentative IP address (the one it wants to use). If any device responds, the address is already in use and your device must generate a new one. This everyday analogy of asking and verifying before claiming helps understand the dual role of Neighbor Solicitation in IPv6 networks.

Why This Term Matters

Neighbor Solicitation matters because it is a foundational mechanism for all IPv6 local network communication. Without it, devices on the same network segment would not be able to discover each other's hardware addresses, making data transmission impossible. In IPv4, this function was performed by the Address Resolution Protocol (ARP), which had several security and efficiency limitations.

ARP was vulnerable to spoofing attacks and used broadcast messages that woke up all devices on the network, consuming unnecessary bandwidth and CPU cycles. IPv6's Neighbor Solicitation improves on this by using multicast messages targeted to a specific group of devices, reducing network noise and improving performance, especially on large networks. For IT professionals, understanding Neighbor Solicitation is crucial for network troubleshooting.

For example, if a device cannot communicate with others on the same subnet, a common cause is a failure in the neighbor discovery process. This can happen due to firewall rules blocking ICMPv6 messages, misconfigured network switches, or duplicate IP addresses detected via DAD. Knowing how Neighbor Solicitation works allows you to capture and analyze these messages using tools like tcpdump or Wireshark to pinpoint where the process breaks down.

Neighbor Solicitation plays a role in security. Because Neighbor Solicitation and Advertisement messages carry link-layer addresses, they can be exploited in neighbor spoofing attacks where an attacker claims the IP address of another device. Defensive mechanisms like Secure Neighbor Discovery (SEND) and RA Guard are built around protecting the neighbor discovery process.

For anyone pursuing IT certifications, understanding Neighbor Solicitation is not just theoretical; it directly impacts the ability to design, configure, and secure IPv6 networks. It is a concept that appears repeatedly in network troubleshooting scenarios, and a solid grasp of this process is a marker of genuine IPv6 competence.

How It Appears in Exam Questions

Neighbor Solicitation appears in exam questions through multiple formats: scenario-based, configuration verification, and troubleshooting. In scenario-based questions, you might be told that a new host is connecting to an IPv6 network and you are asked what message it sends first to avoid duplicate addresses. The correct answer is Neighbor Solicitation with an unspecified source address, used for DAD.

Another scenario could involve a device that cannot communicate with its default gateway. The question may ask which protocol is responsible for resolving the gateway's MAC address. Here, Neighbor Solicitation is the answer.

For configuration questions, especially in Cisco exams, you might be given a partial output from 'show ipv6 interface' and asked to identify the neighbor discovery state. You must know that the state 'INCMP' (incomplete) means a Neighbor Solicitation was sent but no Neighbor Advertisement has been received yet. Configuration questions may ask you to enable IPv6 on an interface and then verify that the router is sending Router Advertisements (RA) which trigger Neighbor Solicitation from hosts.

Troubleshooting questions are particularly common. They often present a scenario where clients on the same VLAN cannot ping each other, but IPv4 works fine. You need to suspect that ICMPv6 is being filtered, specifically Neighbor Solicitation and Advertisement messages.

A typical troubleshooting question might show a packet capture filter with 'icmpv6.type == 135' and ask what this filter isolates. The answer is Neighbor Solicitation messages. Another common question type asks you to identify the correct multicast address for Neighbor Solicitation.

The solicited-node multicast address is formed from the last 24 bits of the target IPv6 address plus the prefix FF02::1:FF00:0/104. You may need to calculate this address given a specific IPv6 address. This type of question tests your understanding of the multicast structure and its efficiency benefits over broadcast.

Some questions compare IPv4 ARP with IPv6 Neighbor Solicitation. You might be asked why Neighbor Solicitation is considered more secure or efficient. The efficiency comes from using multicast instead of broadcast, and the security improvement is due to the use of optional cryptographic protections in SEND.

By understanding these typical question formats, you can approach exam problems strategically and avoid common pitfalls.

Practise Neighbor Solicitation Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a help desk technician at a medium-sized company that recently migrated from IPv4 to IPv6. A user calls and says their laptop cannot access the internet, but it can connect to the local network drive. You check the laptop's IPv6 configuration and see it has a link-local address starting with fe80:: but no global unicast address.

To understand the problem, you need to think about how the laptop obtains its address. When the laptop first connected to the network, it performed Duplicate Address Detection (DAD) using Neighbor Solicitation. It sent a Neighbor Solicitation with its tentative link-local address to the solicited-node multicast address.

Since no other device responded, the laptop assigned that fe80:: address to itself. Then the laptop listened for Router Advertisements (RA) from the network router. The RA contained the network prefix and instructed the laptop to use SLAAC (Stateless Address Autoconfiguration).

The laptop auto-configured a global unicast address by combining the prefix from the RA with its own interface identifier. But before using that new address, the laptop again performed DAD by sending a Neighbor Solicitation. This time, a different workstation on the same subnet responded with a Neighbor Advertisement, indicating that the generated address was already in use.

Because of this, the laptop could not use that address and generated a new one. But due to a configuration error, the router was sending an incorrect prefix, causing the laptop to generate addresses that conflicted with other devices. The repeated DAD failures prevented the laptop from obtaining a usable global address.

Your troubleshooting would involve capturing Neighbor Solicitation and Advertisement traffic using Wireshark. You would filter for icmpv6.type == 135 and icmpv6.type == 136 to see the DAD process.

You would notice that the laptop sends Neighbor Solicitations for each tentative address, and multiple responses come back from other devices claiming the same IP. This would lead you to the router's misconfigured RA and allow you to fix the prefix. This scenario shows how Neighbor Solicitation is at the heart of IPv6 address assignment and conflict detection, and how understanding it is essential for real-world network support.

Common Mistakes

Thinking Neighbor Solicitation is only for address resolution and ignoring its role in Duplicate Address Detection (DAD).

Neighbor Solicitation serves two equally important functions: resolving a known IP address to a MAC address, and verifying that a tentative address is not already in use. In DAD, the source IP is set to :: (unspecified). Ignoring DAD leads to a misunderstanding of IPv6 autoconfiguration and can cause you to miss exam questions about how a device avoids IP conflicts.

Remember that Neighbor Solicitation messages with source address :: are always DAD probes, not ordinary address resolution. Always consider both functions when analyzing the message.

Confusing Neighbor Solicitation with Router Solicitation.

Router Solicitation (type 133) is used by a host to request Router Advertisements to discover routers on the link, while Neighbor Solicitation (type 135) is for resolving neighbor MAC addresses and DAD. The two serve different purposes and have different message structures. Mixing them up is a common exam error.

Remember the message types: Router Solicitation = type 133, Router Advertisement = type 134, Neighbor Solicitation = type 135, Neighbor Advertisement = type 136. Use the mnemonic: 'Routers are 133 and 134, Neighbors are 135 and 136.'

Assuming Neighbor Solicitation is broadcast like IPv4 ARP.

Neighbor Solicitation uses solicited-node multicast addresses, not broadcast. This is a deliberate design choice to reduce network overhead. The multicast group is determined by the last 24 bits of the target IP address, so only a small number of devices process the message. Thinking it is broadcast leads to incorrect answers about efficiency.

Study the structure of solicited-node multicast address: FF02::1:FF00:0/104 + last 24 bits of target IPv6. Understand that this is more efficient than broadcast.

Believing that Neighbor Solicitation is used for resolving link-local addresses only.

Neighbor Solicitation is used for resolving any unicast IPv6 address on the local link, including global unicast and unique local addresses. It is not limited to link-local addresses. This misconception likely comes from the fact that link-layer resolution is often associated with link-local communication, but Neighbor Solicitation works for all on-link addresses.

Practice scenarios where a host resolves a global unicast address using Neighbor Solicitation. Remember that the process is identical regardless of address type.

Forgetting that Neighbor Solicitation can be used for Neighbor Unreachability Detection (NUD).

In addition to address resolution and DAD, Neighbor Solicitation is used for NUD to confirm that a previously reachable neighbor is still reachable. This is important for maintaining accurate neighbor cache entries. Ignoring NUD leads to gaps in understanding how IPv6 handles link-state changes.

When studying neighbor cache states (REACH, STALE, DELAY, PROBE), understand that the PROBE state sends Neighbor Solicitations to verify reachability. This is a key troubleshooting step.

Exam Trap — Don't Get Fooled

{"trap":"A question shows an IPv6 address and asks which address is used as the destination for a Neighbor Solicitation when resolving that address. The trap answer is often the all-nodes multicast address FF02::1.","why_learners_choose_it":"Learners remember that IPv6 uses multicast instead of broadcast, but they oversimplify and think the all-nodes address is the generic multicast for all purposes.

Since FF02::1 is a well-known multicast group, it feels like a reasonable choice.","how_to_avoid_it":"Know that Neighbor Solicitation uses the solicited-node multicast address, not the all-nodes address. The solicited-node address is FF02::1:FFxx:xxxx where the last 24 bits match the target IP.

The all-nodes address FF02::1 is used for other purposes, such as Router Advertisements, not for neighbor resolution. Memorize the specific multicast prefix used by NDP."

Step-by-Step Breakdown

1

Step 1: A device needs to send data to another device on the same link

The device checks its neighbor cache (similar to ARP cache) for the target IPv6 address and its corresponding MAC address. If the cache has no entry or the entry is stale, the device initiates the Neighbor Solicitation process.

2

Step 2: The device constructs a Neighbor Solicitation message

The message is built with ICMPv6 type 135. The target address field contains the IPv6 address of the neighbor being resolved. The source link-layer address option is included so the target can reply directly. The source IPv6 address is the sender's own unicast address (or :: for DAD).

3

Step 3: The device sends the Neighbor Solicitation to the solicited-node multicast address

The destination multicast address is calculated by taking the last 24 bits of the target IPv6 address and appending them to FF02::1:FF00:0/104. This creates a multicast group that only includes devices whose IP ends with those same 24 bits. This narrows the audience, making the process efficient.

4

Step 4: The target device receives the Neighbor Solicitation and processes it

The target device verifies that the target address in the message matches its own IP address. It then updates its own neighbor cache with the sender's link-layer address from the Source Link-Layer Address option. It also prepares a Neighbor Advertisement response.

5

Step 5: The target sends a Neighbor Advertisement back to the requester

The Neighbor Advertisement (type 136) includes the target's link-layer address. It is sent as a unicast message directly to the requester's MAC address, since the requester provided its link-layer address in the solicitation. The Advertisement also includes flags indicating the target is a router and the message is solicited.

6

Step 6: The requesting device receives the Neighbor Advertisement and updates its neighbor cache

The device now has the MAC address for the target IPv6 address. It stores this mapping in its neighbor cache with a reachability state (typically REACHABLE). Subsequent data packets can now be sent directly to the target using its MAC address.

Practical Mini-Lesson

Neighbor Solicitation is a fundamental part of the Neighbor Discovery Protocol (NDP) in IPv6. As a network professional, you will interact with it regularly, whether you are configuring devices, troubleshooting connectivity, or securing the network. The first thing to understand is that Neighbor Solicitation messages are always sent to solicited-node multicast addresses.

This multicast address is derived from the target IPv6 address by taking the lower 24 bits and prefixing them with FF02::1:FF00:0/104. For example, if the target address is 2001:db8::1, the solicited-node multicast address would be FF02::1:FF00:1. This means only devices whose IPv6 address ends with the same 24 bits (in this case, 00:01) will receive the message.

This is much more efficient than IPv4 ARP, which wakes up every device on the VLAN. In practice, you can observe Neighbor Solicitation messages using packet capture tools. In Wireshark, you can filter for 'icmpv6.

type == 135' to see all solicitations. You will see the target address and the source link-layer address in the ICMPv6 options. The neighbor cache on a device can be viewed using commands like 'netsh interface ipv6 show neighbors' on Windows, 'ip -6 neigh show' on Linux, or 'show ipv6 neighbors' on Cisco routers.

The cache entries show the IPv6 address, MAC address, and state (REACHABLE, STALE, DELAY, PROBE, INCOMPLETE). The INCOMPLETE state means a Neighbor Solicitation was sent but no Advertisement has been received yet – this often indicates a problem such as the target being offline or a firewall blocking ICMPv6. When configuring IPv6 on a network, you must ensure that ICMPv6 type 135 and 136 are allowed between devices.

Many firewall defaults block all ICMP, which can break neighbor discovery. For example, a Windows firewall might block these by default in a public profile. Allowing these messages is essential for IPv6 communication to work.

Another practical aspect is Duplicate Address Detection. When a device assigns a new address, it sends a Neighbor Solicitation with source address :: (unspecified) to the solicited-node multicast address. If any device responds, the address is a duplicate.

As an IT professional, you may encounter situations where DAD fails due to network latency or temporary issues, causing address conflicts. You can monitor the system log for DAD failure events. Understanding Neighbor Solicitation also helps with security.

An attacker can send fake Neighbor Advertisements to impersonate another device, leading to man-in-the-middle attacks. To mitigate this, Secure Neighbor Discovery (RFC 3971) uses cryptographic signatures, and network switches can implement RA Guard and ND Inspection to validate messages. As you gain experience, you will learn to correlate neighbor cache states with network issues and use targeted Neighbor Solicitation in diagnostic tools like ping6 -I to force resolution.

Mastering this message type is a core skill for any professional working with IPv6.

Memory Tip

Remember 'NS' for Neighbor Solicitation is like 'n-S' for 'notify sender', you are notifying the network to find a neighbor, and '135' is the ICMPv6 type, similar to how '911' is for emergencies, you call 135 when you need to find a neighbor or check for duplicates.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the ICMPv6 type for Neighbor Solicitation?

The ICMPv6 type for Neighbor Solicitation is 135. The corresponding Neighbor Advertisement has type 136.

Does Neighbor Solicitation use broadcast like ARP?

No, it uses solicited-node multicast addresses, not broadcast. This is more efficient because only devices matching the lower 24 bits of the target address receive the message.

How does a device perform Duplicate Address Detection (DAD) with Neighbor Solicitation?

The device sends a Neighbor Solicitation with an unspecified source address (::) to the solicited-node multicast address of the tentative address. If a Neighbor Advertisement is received, the address is a duplicate and cannot be used.

What is the difference between Neighbor Solicitation and Router Solicitation?

Neighbor Solicitation (type 135) is used to resolve a neighbor's MAC address or check for duplicates. Router Solicitation (type 133) is used by hosts to discover routers on the link.

Can Neighbor Solicitation be blocked by firewalls?

Yes, many firewalls block ICMPv6 by default, including types 135 and 136. This can prevent neighbor discovery and break IPv6 communication. Ensure these message types are permitted in your network.

Is Neighbor Solicitation used in IPv4?

No, Neighbor Solicitation is specific to IPv6. IPv4 uses the Address Resolution Protocol (ARP) for similar functions, but ARP works differently and does not use ICMP.

Summary

Neighbor Solicitation is a core ICMPv6 message type (type 135) within the Neighbor Discovery Protocol that enables IPv6 devices to resolve link-layer addresses (MAC addresses) from IPv6 addresses, detect duplicate addresses through Duplicate Address Detection (DAD), and verify neighbor reachability via Neighbor Unreachability Detection (NUD). It replaces the less secure and less efficient ARP protocol used in IPv4. By using solicited-node multicast addresses, Neighbor Solicitation reduces network traffic compared to broadcast-based ARP.

Understanding this message is essential for any IT professional working with IPv6, as it directly impacts address assignment, network discovery, and security. In exams like CompTIA Network+, CCNA, and Security+, you may encounter questions about its function, message type number, destination address, and role in DAD. The most common errors include confusing it with Router Solicitation or Router Advertisement, assuming it uses broadcast, and forgetting its dual role in address resolution and duplicate detection.

To avoid exam traps, remember that the destination for a Neighbor Solicitation is always the solicited-node multicast address, not the all-nodes address FF02::1. Also, remember that a Neighbor Solicitation with source :: is a DAD message, not an ordinary resolution. Practically, you should know how to inspect neighbor caches with commands like 'show ipv6 neighbors' and how to filter for these messages in packet captures.

The message format is simple but powerful, and mastering it is a step toward proficiency in IPv6 networking. The takeaway for any certification candidate: Neighbor Solicitation is not just a theoretical concept; it is the heartbeat of local IPv6 communication. Study it, test it in labs, and you will be well-prepared for exam questions and real-world networking.