ARP vs NDP

Side-by-side comparison of ARP (IPv4) and NDP (IPv6) for address resolution and neighbor discovery.

Purpose and Function

Both ARP (Address Resolution Protocol) and NDP (Neighbor Discovery Protocol) solve the same fundamental problem: how to find the MAC address (link-layer address) when you only know the IP address. However, NDP is much more capable than ARP, handling not just address resolution but also router discovery, address autoconfiguration, and duplicate address detection.

comparison.title

Aspectcomparison.headers.arpcomparison.headers.ndp
Primary PurposeFind MAC address from IPv4 addressFind MAC address from IPv6 address + much more
Protocol LayerSeparate protocol (EtherType 0x0806)Uses ICMPv6 (part of IPv6)
Broadcast/MulticastUses broadcast (ff:ff:ff:ff:ff:ff)Uses specific multicast addresses
SecurityNo built-in security (vulnerable to spoofing)Can use IPSec for security
Address Space EfficiencyBroadcasts to all hosts on subnetMulticasts only to likely neighbors

ARP (Address Resolution Protocol)

arp.messageTypes.title

ARP Request
arp.messageTypes.fields.description Who has IP address X.X.X.X? Tell MAC address Y:Y:Y:Y:Y:Y
arp.messageTypes.fields.destination Broadcast (ff:ff:ff:ff:ff:ff)
arp.messageTypes.fields.response Target host responds if it owns that IP
ARP Reply
arp.messageTypes.fields.description I have IP address X.X.X.X at MAC address Z:Z:Z:Z:Z:Z
arp.messageTypes.fields.destination Unicast to requesting host
arp.messageTypes.fields.response Requesting host updates its ARP table
Gratuitous ARP
arp.messageTypes.fields.description Unsolicited announcement of IP/MAC binding
arp.messageTypes.fields.destination Broadcast
arp.messageTypes.fields.response Hosts update their ARP tables
ARP Probe
arp.messageTypes.fields.description Check if IP address is already in use
arp.messageTypes.fields.destination Broadcast with sender IP as 0.0.0.0
arp.messageTypes.fields.response Conflict if someone responds

arp.process.title

  1. Host A wants to send packet to Host B (knows IP, needs MAC)
  2. Host A checks its ARP table for cached entry
  3. If no entry, Host A broadcasts ARP Request
  4. Host B (owner of target IP) sends ARP Reply with its MAC
  5. Host A caches the IP/MAC mapping in ARP table
  6. Host A can now send packets to Host B

arp.limitations.title

  • No built-in security (ARP spoofing attacks)
  • Broadcasts create network noise
  • No duplicate address detection
  • No router discovery mechanism
  • Cache entries can become stale

NDP (Neighbor Discovery Protocol)

ndp.messageTypes.title

Neighbor Solicitation (NS)
ndp.messageTypes.fields.icmpType ICMPv6 Type 135
ndp.messageTypes.fields.description IPv6 equivalent of ARP Request
ndp.messageTypes.fields.destination Solicited-node multicast address
ndp.messageTypes.fields.purpose Find MAC address for IPv6 address
Neighbor Advertisement (NA)
ndp.messageTypes.fields.icmpType ICMPv6 Type 136
ndp.messageTypes.fields.description IPv6 equivalent of ARP Reply
ndp.messageTypes.fields.destination Unicast or all-nodes multicast
ndp.messageTypes.fields.purpose Provide MAC address for IPv6 address
Router Solicitation (RS)
ndp.messageTypes.fields.icmpType ICMPv6 Type 133
ndp.messageTypes.fields.description Find routers on network
ndp.messageTypes.fields.destination All-routers multicast (ff02::2)
ndp.messageTypes.fields.purpose Discover available routers
Router Advertisement (RA)
ndp.messageTypes.fields.icmpType ICMPv6 Type 134
ndp.messageTypes.fields.description Router announces its presence and configuration
ndp.messageTypes.fields.destination All-nodes multicast (ff02::1)
ndp.messageTypes.fields.purpose Provide network configuration info
Redirect
ndp.messageTypes.fields.icmpType ICMPv6 Type 137
ndp.messageTypes.fields.description Better path to destination
ndp.messageTypes.fields.destination Unicast to original sender
ndp.messageTypes.fields.purpose Optimize routing path

ndp.process.title

  1. Host A wants to communicate with Host B (IPv6 address known)
  2. Host A checks its neighbor cache for cached entry
  3. If no entry, Host A sends Neighbor Solicitation to solicited-node multicast
  4. Only hosts with matching addresses process the NS
  5. Host B sends Neighbor Advertisement with its MAC address
  6. Host A caches the IPv6/MAC mapping in neighbor cache
  7. Periodic reachability confirmation keeps entries fresh

ndp.advantages.title

  • More efficient (multicast vs broadcast)
  • Built-in duplicate address detection
  • Router discovery and autoconfiguration
  • Neighbor unreachability detection
  • Can use IPSec for security
  • Supports mobile IPv6

practical.title

Network Discovery
practical.fields.arp No router discovery - must be manually configured
practical.fields.ndp Automatic router discovery via Router Advertisements
practical.fields.impact IPv6 hosts can automatically find default gateway
Address Conflicts
practical.fields.arp No built-in conflict detection
practical.fields.ndp Duplicate Address Detection (DAD) prevents conflicts
practical.fields.impact IPv6 is more robust against address conflicts
Network Efficiency
practical.fields.arp Broadcasts disturb all hosts on subnet
practical.fields.ndp Multicasts only to likely targets
practical.fields.impact IPv6 creates less network noise
Security
practical.fields.arp Vulnerable to spoofing attacks
practical.fields.ndp Can use IPSec, harder to spoof multicast
practical.fields.impact IPv6 can be more secure with proper configuration
Mobility Support
practical.fields.arp No mobility support
practical.fields.ndp Built-in support for mobile devices
practical.fields.impact IPv6 better for mobile and wireless networks

troubleshooting.title

Purposetroubleshooting.headers.ipv4troubleshooting.headers.ipv6Windows
View ARP Tablearp -aip -6 neighbor shownetsh interface ipv6 show neighbors
Clear Cachearp -d [ip]ip -6 neighbor del [ipv6] dev [interface]netsh interface ipv6 delete neighbors
Send Manual Requestarping [ip]ndisc6 [ipv6] [interface]ping [address] (triggers resolution)
Monitor Traffictcpdump arptcpdump icmp6 and ip6[40] >= 133 and ip6[40] <= 137Wireshark filter: arp or (icmpv6.type >= 133 and icmpv6.type <= 137)

issues.title

ARP Spoofing Attack (ARP)

issues.fields.description Attacker sends fake ARP replies to redirect traffic

issues.fields.detection Monitor for duplicate MAC addresses or unusual ARP traffic

issues.fields.mitigation Use ARP inspection, static ARP entries, or 802.1X

ARP Table Full (ARP)

issues.fields.description Too many entries cause legitimate entries to be dropped

issues.fields.detection Intermittent connectivity to some hosts

issues.fields.mitigation Increase ARP table size or implement rate limiting

Duplicate Address Detection Failure (NDP)

issues.fields.description IPv6 address conflicts not properly detected

issues.fields.detection Intermittent IPv6 connectivity

issues.fields.mitigation Check DAD configuration and timing

Router Advertisement Flooding (NDP)

issues.fields.description Rogue RAs cause network disruption

issues.fields.detection Hosts getting wrong IPv6 configuration

issues.fields.mitigation Use RA Guard on switches, monitor for rogue RAs

bestPractices.title

ARP Best Practices

  • Monitor for ARP spoofing attacks
  • Use static ARP entries for critical servers
  • Implement Dynamic ARP Inspection on switches
  • Set appropriate ARP cache timeouts
  • Monitor ARP table sizes on routers

NDP Best Practices

  • Enable RA Guard on access switches
  • Monitor for rogue Router Advertisements
  • Configure proper DAD timing
  • Use IPSec for NDP security in sensitive environments
  • Monitor neighbor cache sizes

quickReference.title

quickReference.arp
Broadcasts to ff:ff:ff:ff:ff:ff
EtherType 0x0806
Request/Reply model
No security
Cache timeout typically 60-240 seconds
quickReference.ndp
Uses solicited-node multicast (ff02::1:ffXX:XXXX)
ICMPv6 types 133-137
Request/Advertisement + Router Discovery
Can use IPSec
Neighbor Unreachability Detection

migration.title

migration.considerations
IPv6 NDP is more complex but more capable than ARP
Security tools need updating for NDP monitoring
NDP multicast addresses must be properly handled by switches
Router Advertisement security becomes critical in IPv6
Neighbor cache management differs from ARP table management
Key Takeaway
While NDP is more complex than ARP, it's also much more capable and efficient. Understanding both protocols is essential for mixed IPv4/IPv6 environments.