Note that the next-hop IP address is a purely local concept; it never becomes part of a packet sent on the wire. If no next hop is specified in the routing table, the IP of the destination is used as the next hop.
Since the question was tagged with IPv6, I'll answer for that because IPv6 is very different from IPv4. To begin with, there is no such thing as ARPv6. The mapping between layer 2 and IPv6 addresses is done by the Neighbor Discovery Protocol (NDP), which is sent over ICMPv6. Thus, you must not ignore ICMPv6 and filter it away, as is the custom with legacy IP.

The NDP provides two message types that are of interest here: Neighbor Solicitation and Neighbor Advertisement. A node that wants to learn a link-layer address for a particular IP address sends a Neighbor Solicitation to the corresponding link-local solicited-node multicast address - there is no broadcast for IPv6 any more.

For example, if the address in question is 2001:db8::0011:2233:4455:6677, then the corresponding solicited-node multicast address is ff02::1:ff55:6677, and the corresponding Ethernet multicast address is 33:33:ff:55:66:77. All nodes with an address ending in *55:6677 belong to that multicast group and will listen to that - this is most likely only the target system itself. The Neighbor Solicitation also contains the unicast IPv6 address and the MAC address of the soliciting system. On receipt, the target node answers with its Neighbor Advertisement, which is sent to the unicast address (link layer and IPv6) of the soliciting node. Thus, the soliciting node learns the MAC address of the target node.

And yes, NDP-spoofing works much like ARP-spoofing.
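
The address derivation from the answer above, plus a minimal monitor-side check for the spoofing case it mentions, as an added example that is not part of the original answer. The function names and the sample Neighbor Advertisement observations are assumptions constructed for illustration.

```python
import ipaddress

def solicited_node_multicast(addr):
    """RFC 4291: ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)

def ethernet_multicast(mcast):
    """RFC 2464: 33:33 followed by the low 32 bits of the IPv6 multicast address."""
    low32 = int(ipaddress.IPv6Address(mcast)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))

def find_mapping_changes(advertisements):
    """Flag Neighbor Advertisements whose MAC differs from the first one seen
    for the same target address. A legitimate NIC swap also triggers this,
    so treat a hit as something to investigate, not as proof of spoofing."""
    seen, alerts = {}, []
    for target, mac in advertisements:
        key = ipaddress.IPv6Address(target)  # normalises textual forms
        mac = mac.lower()
        if key in seen and seen[key] != mac:
            alerts.append((str(key), seen[key], mac))
        seen.setdefault(key, mac)
    return alerts

# Constructed sample: (target IPv6 address, advertised MAC) pairs as a
# monitor on the link might record them from Neighbor Advertisements.
SAMPLE_ADVERTISEMENTS = [
    ("2001:db8::11:2233:4455:6677", "00:11:22:33:44:55"),
    ("2001:db8::1", "00:11:22:aa:bb:cc"),
    ("2001:db8::0011:2233:4455:6677", "02:00:00:00:00:99"),  # same target, new MAC
]

if __name__ == "__main__":
    group = solicited_node_multicast("2001:db8::0011:2233:4455:6677")
    print(group, ethernet_multicast(group))
    for target, old, new in find_mapping_changes(SAMPLE_ADVERTISEMENTS):
        print(f"mapping change for {target}: {old} -> {new}")
```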