IPv6 is great.
IPv6 modernises networking with a vast address space, cleaner host discovery, and routing that scales. This page offers a concise, practitioner‑friendly overview of Layer 2 and Layer 3 behaviour.
Deep dive
Host discovery
- RS (133) / RA (134) for router & prefix discovery
- NS (135) / NA (136) for neighbour resolution & DAD
- Redirect (137) for better on‑link next‑hop
Key multicast groups
- ff02::1 (all‑nodes)
- ff02::2 (all‑routers)
- ff02::1:ff00:0/104 (solicited‑node)
- ff02::1:2 (DHCPv6 agents)
Deployment tips
- Prefer SLAAC + RA; add DHCPv6 options as needed
- Enable RA Guard / DHCPv6 Guard at the edge
- Use MLD snooping to constrain multicast
Neighbour Discovery in action
NS targets a solicited‑node multicast; NA answers unicast.
Multicast replaces broadcast
IPv6 eliminates Layer 2 broadcast. It relies on scoped multicast so that control traffic reaches only interested nodes. The most visible example is the solicited‑node multicast group (ff02::1:ffXX:XXXX) derived from the last 24 bits of an address.
This design reduces noise on the link and limits exposure since fewer hosts see discovery frames. Switches can further constrain traffic with MLD snooping.
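The derivation described above, as an added example that is not part of the original page: it computes the solicited‑node group for a unicast address and groups addresses by the multicast group they share, which helps when reading NS/DAD traffic in a capture or an MLD snooping table. It goes one step beyond the text by also mapping the group to its Ethernet multicast MAC (33:33 plus the low 32 bits, per RFC 2464); the function names and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# ff02::1:ff00:0/104 is the solicited-node prefix listed on this page.
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Return the solicited-node multicast group for a unicast address."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"{addr} is not a unicast address")
    low24 = int(ip) & 0xFFFFFF  # last 24 bits of the address
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def ethernet_multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Map an IPv6 multicast group to its Ethernet MAC (RFC 2464)."""
    low32 = (int(group) & 0xFFFFFFFF).to_bytes(4, "big")
    return ":".join(f"{o:02x}" for o in b"\x33\x33" + low32)


def listeners_by_group(addresses):
    """Group unicast addresses by the solicited-node group they join.

    Every address in one bucket receives an NS (including a DAD probe)
    sent to that group, so a bucket with several entries shows which
    hosts see each other's discovery traffic.
    """
    groups = defaultdict(list)
    for addr in addresses:
        groups[solicited_node(addr)].append(addr)
    return dict(groups)


# Constructed sample addresses (documentation and link-local ranges).
SAMPLE = [
    "2001:db8:0:1::a1b2:c3d4",
    "fe80::1234:56ff:feb2:c3d4",  # same low 24 bits as the line above
    "2001:db8:0:1::10",
]

if __name__ == "__main__":
    for group, members in listeners_by_group(SAMPLE).items():
        print(group, ethernet_multicast_mac(group), members)
```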
Quick facts
- No ARP in IPv6
- NDP (ICMPv6) handles discovery & reachability
- All‑nodes: ff02::1; Routers: ff02::2
- Hosts auto‑join their solicited‑node groups
NDP instead of ARP
Neighbour Discovery replaces ARP with ICMPv6 messages: Router Solicitation/Advertisement (RS/RA), Neighbour Solicitation/Advertisement (NS/NA), and Redirect. Reachability is maintained by Neighbour Unreachability Detection to avoid stale cache entries.
Addressing can be done with SLAAC using RAs and optionally complemented by DHCPv6 for extra options.
Duplicate Address Detection (DAD)
DAD checks if an address is already in use before activation. A host sends an NS to the address’s solicited‑node multicast; any NA response signals a duplicate and the address must not be used.
In short, DAD prevents accidental duplicate assignments, improving stability during autoconfiguration and renumbering.
No NAT required
With a 128‑bit address space, IPv6 removes the scarcity that drove NAT in IPv4 and restores end‑to‑end connectivity, simplifying protocols and troubleshooting.
Stateful firewalls and prefix delegation replace the habit of using NAT as a security boundary. For policy control, apply filtering and proper segmentation—not address translation.
NAT66 exists in some products but is rarely justified; translation is not a routing requirement in IPv6.
Operational benefits
- Cleaner application behaviour with fewer ALGs
- Straightforward traceability with proper logging
- Better path‑MTU handling and fewer edge cases
- Native support for multi‑homing and renumbering
FAQ
Does IPv6 improve security by itself?
Not automatically. IPv6 reduces broadcast exposure and removes NAT side‑effects, but you still need stateful firewalls, proper filtering, and host hardening.
How does DAD differ from ARP probing?
DAD is part of NDP. A host probes using NS to the address’s solicited‑node multicast; any NA response indicates a duplicate so the address stays tentative and is not assigned.
If NAT isn’t used, how do I protect hosts?
Use stateful firewalls, ingress/egress filtering, and micro‑segmentation. NAT was never a security feature; policy and filtering are.
Do I still need DHCP?
Often you can rely on SLAAC for addressing and add DHCPv6 for options such as DNS servers when RDNSS via RA is not preferred.
Resources
RFCs to know
RFC 4861 – Neighbor Discovery for IPv6
RFC 4862 – IPv6 Stateless Address Autoconfiguration
RFC 8200 – Internet Protocol, Version 6 (IPv6)
Operator guidance
IETF BCP 38/84 – Ingress/Egress filtering
RA Guard, DHCPv6 Guard, MLD Snooping
Use prefix delegation for customer edges
At a glance
Multicast over broadcast on L2
NDP (NS/NA, RS/RA) replaces ARP
DAD prevents duplicate addresses
NAT not a routing requirement in IPv6