ARP vs NDP
Side-by-side comparison of ARP (IPv4) and NDP (IPv6) for address resolution and neighbor discovery.
Purpose and Function
Both ARP (Address Resolution Protocol) and NDP (Neighbor Discovery Protocol) solve the same fundamental problem: how to find the MAC address (link-layer address) when you only know the IP address. However, NDP is much more capable than ARP, handling not just address resolution but also router discovery, address autoconfiguration, and duplicate address detection.
Side-by-Side Comparison
| Aspect | ARP (IPv4) | NDP (IPv6) |
|---|---|---|
| Primary Purpose | Find MAC address from IPv4 address | Find MAC address from IPv6 address + much more |
| Protocol Layer | Separate protocol (EtherType 0x0806) | Uses ICMPv6 (part of IPv6) |
| Broadcast/Multicast | Uses broadcast (ff:ff:ff:ff:ff:ff) | Uses specific multicast addresses |
| Security | No built-in security (vulnerable to spoofing) | Can use IPSec for security |
| Address Space Efficiency | Broadcasts to all hosts on subnet | Multicasts only to likely neighbors |
ARP (Address Resolution Protocol)
ARP Message Types
ARP Request
Description: Who has IP address X.X.X.X? Tell MAC address Y:Y:Y:Y:Y:Y
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Response: Target host responds if it owns that IP
ARP Reply
Description: I have IP address X.X.X.X at MAC address Z:Z:Z:Z:Z:Z
Destination: Unicast to requesting host
Response: Requesting host updates its ARP table
Gratuitous ARP
Description: Unsolicited announcement of IP/MAC binding
Destination: Broadcast
Response: Hosts update their ARP tables
ARP Probe
Description: Check if IP address is already in use
Destination: Broadcast with sender IP as 0.0.0.0
Response: Conflict if someone responds
ARP Process
- Host A wants to send packet to Host B (knows IP, needs MAC)
- Host A checks its ARP table for cached entry
- If no entry, Host A broadcasts ARP Request
- Host B (owner of target IP) sends ARP Reply with its MAC
- Host A caches the IP/MAC mapping in ARP table
- Host A can now send packets to Host B
ARP Limitations
- No built-in security (ARP spoofing attacks)
- Broadcasts create network noise
- No duplicate address detection
- No router discovery mechanism
- Cache entries can become stale
NDP (Neighbor Discovery Protocol)
NDP Message Types
Neighbor Solicitation (NS)
ICMP Type:
ICMPv6 Type 135Description: IPv6 equivalent of ARP Request
Destination: Solicited-node multicast address
Purpose: Find MAC address for IPv6 address
Neighbor Advertisement (NA)
ICMP Type:
ICMPv6 Type 136Description: IPv6 equivalent of ARP Reply
Destination: Unicast or all-nodes multicast
Purpose: Provide MAC address for IPv6 address
Router Solicitation (RS)
ICMP Type:
ICMPv6 Type 133Description: Find routers on network
Destination: All-routers multicast (ff02::2)
Purpose: Discover available routers
Router Advertisement (RA)
ICMP Type:
ICMPv6 Type 134Description: Router announces its presence and configuration
Destination: All-nodes multicast (ff02::1)
Purpose: Provide network configuration info
Redirect
ICMP Type:
ICMPv6 Type 137Description: Better path to destination
Destination: Unicast to original sender
Purpose: Optimize routing path
NDP Process
- Host A wants to communicate with Host B (IPv6 address known)
- Host A checks its neighbor cache for cached entry
- If no entry, Host A sends Neighbor Solicitation to solicited-node multicast
- Only hosts with matching addresses process the NS
- Host B sends Neighbor Advertisement with its MAC address
- Host A caches the IPv6/MAC mapping in neighbor cache
- Periodic reachability confirmation keeps entries fresh
NDP Advantages Over ARP
- More efficient (multicast vs broadcast)
- Built-in duplicate address detection
- Router discovery and autoconfiguration
- Neighbor unreachability detection
- Can use IPSec for security
- Supports mobile IPv6
Practical Differences
Network Discovery
ARP (IPv4): No router discovery - must be manually configured
NDP (IPv6): Automatic router discovery via Router Advertisements
Impact: IPv6 hosts can automatically find default gateway
Address Conflicts
ARP (IPv4): No built-in conflict detection
NDP (IPv6): Duplicate Address Detection (DAD) prevents conflicts
Impact: IPv6 is more robust against address conflicts
Network Efficiency
ARP (IPv4): Broadcasts disturb all hosts on subnet
NDP (IPv6): Multicasts only to likely targets
Impact: IPv6 creates less network noise
Security
ARP (IPv4): Vulnerable to spoofing attacks
NDP (IPv6): Can use IPSec, harder to spoof multicast
Impact: IPv6 can be more secure with proper configuration
Mobility Support
ARP (IPv4): No mobility support
NDP (IPv6): Built-in support for mobile devices
Impact: IPv6 better for mobile and wireless networks
Troubleshooting Commands
| Purpose | IPv4 (ARP) | IPv6 (NDP) | Windows |
|---|---|---|---|
| View ARP Table | arp -a | ip -6 neighbor show | netsh interface ipv6 show neighbors |
| Clear Cache | arp -d [ip] | ip -6 neighbor del [ipv6] dev [interface] | netsh interface ipv6 delete neighbors |
| Send Manual Request | arping [ip] | ndisc6 [ipv6] [interface] | ping [address] (triggers resolution) |
| Monitor Traffic | tcpdump arp | tcpdump icmp6 and ip6[40] >= 133 and ip6[40] <= 137 | Wireshark filter: arp or (icmpv6.type >= 133 and icmpv6.type <= 137) |
Common Issues
ARP Spoofing Attack (ARP)
Description: Attacker sends fake ARP replies to redirect traffic
Detection: Monitor for duplicate MAC addresses or unusual ARP traffic
Mitigation: Use ARP inspection, static ARP entries, or 802.1X
ARP Table Full (ARP)
Description: Too many entries cause legitimate entries to be dropped
Detection: Intermittent connectivity to some hosts
Mitigation: Increase ARP table size or implement rate limiting
Duplicate Address Detection Failure (NDP)
Description: IPv6 address conflicts not properly detected
Detection: Intermittent IPv6 connectivity
Mitigation: Check DAD configuration and timing
Router Advertisement Flooding (NDP)
Description: Rogue RAs cause network disruption
Detection: Hosts getting wrong IPv6 configuration
Mitigation: Use RA Guard on switches, monitor for rogue RAs
Best Practices
ARP Best Practices
- Monitor for ARP spoofing attacks
- Use static ARP entries for critical servers
- Implement Dynamic ARP Inspection on switches
- Set appropriate ARP cache timeouts
- Monitor ARP table sizes on routers
NDP Best Practices
- Enable RA Guard on access switches
- Monitor for rogue Router Advertisements
- Configure proper DAD timing
- Use IPSec for NDP security in sensitive environments
- Monitor neighbor cache sizes
Quick Reference
ARP Key Points
Broadcasts to ff:ff:ff:ff:ff:ff
EtherType 0x0806
Request/Reply model
No security
Cache timeout typically 60-240 seconds
NDP Key Points
Uses solicited-node multicast (ff02::1:ffXX:XXXX)
ICMPv6 types 133-137
Request/Advertisement + Router Discovery
Can use IPSec
Neighbor Unreachability Detection
IPv4 to IPv6 Migration Tips
Important Considerations
IPv6 NDP is more complex but more capable than ARP
Security tools need updating for NDP monitoring
NDP multicast addresses must be properly handled by switches
Router Advertisement security becomes critical in IPv6
Neighbor cache management differs from ARP table management
Key Takeaway
While NDP is more complex than ARP, it's also much more capable and efficient. Understanding both protocols is
essential for mixed IPv4/IPv6 environments.