ICMPv6 Explained: The Protocol That Makes IPv6 Work

Understand ICMPv6, the essential protocol for IPv6 networking. Learn about Neighbor Discovery, Router Advertisements, and why blocking ICMPv6 breaks your network.

ping6.net | December 14, 2024 | 18 min read
Tags: IPv6, ICMPv6, NDP, Neighbor Discovery, Router Advertisement, networking

ICMPv6 Is Not Optional

In IPv4, ICMP handles diagnostics. You can block it and most things still work. IPv6 doesn't work that way.

TL;DR - Quick Summary

Key Points:

  • ICMPv6 is mandatory (not optional like IPv4 ICMP); it handles NDP, router discovery, and PMTUD
  • Neighbor Discovery Protocol (types 133-137) replaces ARP and enables SLAAC
  • Type 2 (Packet Too Big) is critical for Path MTU Discovery—blocking it breaks connections
  • Essential types to allow: 1 (Unreachable), 2 (Too Big), 128-129 (Ping), 133-137 (NDP)


ICMPv6 is the nervous system of IPv6. It handles error reporting, diagnostics, neighbor discovery, router discovery, and address resolution. Block the wrong ICMPv6 message types and you'll break basic connectivity, prevent hosts from finding their default gateway, and cause mysterious connection hangs that take hours to debug.

The IPv6 specification doesn't treat ICMPv6 as an add-on. It's a mandatory, integral component. Understanding ICMPv6 is understanding how IPv6 actually works.

ICMPv6 vs ICMP (IPv4)

ICMPv6 evolved from IPv4's ICMP but took on significantly more responsibility.

| Feature | ICMPv4 | ICMPv6 | Impact |
|---|---|---|---|
| Protocol Number | 1 | 58 | Different IP next header value |
| Error Messages | Destination Unreachable, Time Exceeded, etc. | Same errors, refined | Similar functionality |
| Diagnostics | Echo Request/Reply (ping) | Echo Request/Reply (ping) | Identical purpose |
| Address Resolution | ARP (separate protocol) | Neighbor Discovery (ICMPv6) | ICMPv6 replaces ARP entirely |
| Router Discovery | ICMP Router Discovery (optional) | Router Advertisement (mandatory) | Critical for auto-configuration |
| Fragmentation | Handled silently by routers | Packet Too Big messages | Path MTU discovery required |
| Multicast Management | IGMP (separate protocol) | MLD messages (ICMPv6) | ICMPv6 replaces IGMP |

The key difference: ICMPv6 absorbed functionality that used separate protocols in IPv4. ARP runs at layer 2 in IPv4. IPv6 has no ARP—Neighbor Discovery uses ICMPv6 instead. IGMP managed multicast groups in IPv4. IPv6 uses Multicast Listener Discovery (MLD) messages within ICMPv6.

This consolidation simplified the protocol stack but made ICMPv6 absolutely essential. You can't block it without breaking core functionality.


Message Type Structure

ICMPv6 messages have a simple structure: type, code, checksum, and message-specific data. The type field determines the message category.

Type number ranges:

  • 0-127: Error messages
  • 128-255: Informational messages

This split makes filtering easier. Error messages report problems with packet delivery. Informational messages handle queries, responses, and neighbor/router discovery.

Common Message Types

| Type | Code | Name | Category | Purpose |
|---|---|---|---|---|
| 1 | 0-6 | Destination Unreachable | Error | Port closed, route unavailable, etc. |
| 2 | 0 | Packet Too Big | Error | MTU exceeded on path |
| 3 | 0-1 | Time Exceeded | Error | Hop limit reached or fragment timeout |
| 4 | 0-2 | Parameter Problem | Error | Malformed packet header |
| 128 | 0 | Echo Request | Info | Ping request |
| 129 | 0 | Echo Reply | Info | Ping response |
| 133 | 0 | Router Solicitation | Info | Request router information |
| 134 | 0 | Router Advertisement | Info | Router announces presence and config |
| 135 | 0 | Neighbor Solicitation | Info | Address resolution and reachability |
| 136 | 0 | Neighbor Advertisement | Info | Response to solicitation |
| 137 | 0 | Redirect | Info | Better first-hop router exists |

Type Numbers Matter

Unlike IPv4 where ICMP types use scattered numbers, ICMPv6's organized type space makes firewall rules clearer. Types 133-137 handle Neighbor Discovery Protocol, making it easy to allow or block NDP as a group.


Neighbor Discovery Protocol (NDP)

Neighbor Discovery Protocol replaces IPv4's ARP and adds capabilities that IPv4 handled through multiple protocols. NDP runs entirely over ICMPv6 and handles five critical functions:

  1. Address resolution - Map IPv6 addresses to MAC addresses (replaces ARP)
  2. Router discovery - Find local routers without configuration
  3. Prefix discovery - Learn network prefixes for auto-configuration
  4. Parameter discovery - Get MTU, hop limit, and other parameters
  5. Next-hop determination - Identify the best router for a destination

The Five NDP Message Types

Router Solicitation (Type 133)

Sent by hosts to request routers to announce themselves immediately instead of waiting for the next scheduled Router Advertisement.

When it's sent:

  • Host boots up
  • Interface comes online
  • Host wants configuration quickly

Format:

Source: Link-local address or ::
Destination: ff02::2 (all-routers multicast)
Hop Limit: 255

This allows hosts to request immediate router information instead of waiting for the next scheduled advertisement, enabling faster network configuration.

Router Advertisement (Type 134)

Sent by routers to announce their presence, advertise prefixes for SLAAC, and provide configuration parameters.

When it's sent:

  • Periodically (every few minutes)
  • In response to Router Solicitation
  • When router configuration changes

What it contains:

  • Router lifetime (how long to use this router)
  • Network prefix(es) and their validity
  • MTU recommendation
  • Hop limit suggestion
  • Flags for SLAAC and DHCPv6

Format:

Source: Router's link-local address
Destination: ff02::1 (all-nodes multicast) or soliciting host
Hop Limit: 255

Router Advertisements are how hosts learn their network configuration automatically. No DHCP required—routers multicast everything hosts need to configure themselves.

SLAAC Depends on Router Advertisements

Stateless Address Autoconfiguration (SLAAC) completely depends on Router Advertisements. Block type 134 and hosts can't autoconfigure. They'll have link-local addresses only, with no default route and no globally routable addresses.

Neighbor Solicitation (Type 135)

The IPv6 equivalent of ARP requests. Sent to discover the MAC address of a neighbor or verify a neighbor is still reachable.

When it's sent:

  • Resolving an IPv6 address to MAC address
  • Verifying a neighbor is still reachable
  • Duplicate Address Detection (checking if an address is already in use)

Format:

Source: Sender's address (or :: for DAD)
Destination: Solicited-node multicast address or target address
Hop Limit: 255

Neighbor Solicitation messages use solicited-node multicast addresses instead of broadcast. This reduces unnecessary processing—only the target host and hosts whose addresses share the same last 24 bits receive the packet.

Neighbor Advertisement (Type 136)

Response to Neighbor Solicitation. Provides the sender's MAC address or confirms reachability.

When it's sent:

  • Response to Neighbor Solicitation
  • Unsolicited announcement of address change

Format:

Source: Sender's link-local or global address
Destination: Solicitor's address or all-nodes multicast
Hop Limit: 255

This provides the MAC address mapping and confirms reachability to requesting hosts.

Redirect (Type 137)

Sent by routers to inform hosts that a better first-hop router exists for a specific destination.

When it's sent:

  • Host sends packet to router
  • Router knows a better next-hop on the same link
  • Router forwards the packet AND sends redirect

Format:

Source: Router's link-local address
Destination: Original sender
Hop Limit: 255

This optimizes routing by directing hosts to better next-hop routers without requiring complex routing tables on end hosts.

How Address Resolution Works

When a host needs to send a packet to another IPv6 address on the local link:

  1. Check neighbor cache - Is the MAC address already known?
  2. Send Neighbor Solicitation - If not, send NS to solicited-node multicast address
  3. Receive Neighbor Advertisement - Target responds with MAC address
  4. Update cache - Store mapping for future use
  5. Send packet - Deliver the original packet

The solicited-node multicast address is computed from the target's IPv6 address:

ff02::1:ff00:0/104 + last 24 bits of IPv6 address

Example:
IPv6: 2001:db8::a4b2:c3d4:e5f6:7890
Solicited-node: ff02::1:fff6:7890

This multicast approach reduces network traffic compared to IPv4's broadcast-based ARP.

Duplicate Address Detection

Before using an address, hosts send a Neighbor Solicitation with source :: and target set to the address they want to use. If another host responds, the address is already in use. This prevents address conflicts in SLAAC.


Router Discovery in Detail

Routers advertise themselves and network configuration through Router Advertisement messages. Hosts listen and autoconfigure based on these advertisements.

Router Advertisement Contents

A typical RA contains:

Router Information:

  • Router lifetime (0-9000 seconds, 0 means "not a default router")
  • Reachability time (how long to consider a neighbor reachable)
  • Retransmit timer (delay between neighbor solicitations)

Prefix Information:

  • Network prefix (e.g., 2001:db8:1234::/64)
  • Valid lifetime (how long addresses are valid)
  • Preferred lifetime (how long to use for new connections)
  • Flags:
    • L (On-link): Prefix is on local link
    • A (Autonomous): Use for SLAAC

Other Options:

  • MTU recommendation
  • DNS servers (RDNSS option)
  • DNS search domains (DNSSL option)

SLAAC Address Formation

When a host receives an RA with the A flag set:

  1. Take the prefix - e.g., 2001:db8:1234::/64
  2. Generate interface identifier - 64 bits derived from MAC or random
  3. Combine them - 2001:db8:1234::a4b2:c3d4:e5f6:7890
  4. Run Duplicate Address Detection - Ensure no one else uses it
  5. Configure the address - Add to interface
  6. Set default route - Use router as next hop

This happens automatically without user intervention or DHCP servers.
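
The address formation steps above, together with the solicited-node computation from the address resolution section, as an added Python example (not code from the original page). The MAC address is constructed, modified EUI-64 is used as the MAC-derived option the page mentions, and all function names are illustrative.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291, Appendix A): insert ff:fe and flip the U/L bit."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Steps 1-3: combine the advertised /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC expects a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)

def solicited_node(addr) -> ipaddress.IPv6Address:
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def multicast_mac(group) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 plus its low 32 bits (RFC 2464)."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))

def dad_probe(candidate) -> dict:
    """Step 4: fields of the Neighbor Solicitation sent for Duplicate Address Detection."""
    candidate = ipaddress.IPv6Address(candidate)
    group = solicited_node(candidate)
    return {"icmpv6_type": 135, "src": "::", "dst": str(group),
            "eth_dst": multicast_mac(group), "target": str(candidate), "hop_limit": 255}

if __name__ == "__main__":
    # Constructed inputs: the page's documentation prefix and a made-up MAC address.
    addr = slaac_address("2001:db8:1234::/64", eui64_interface_id("00:11:22:33:44:55"))
    print(addr, dad_probe(addr))
    # The page's address-resolution example and a second address sharing its low 24 bits:
    # both land in the same solicited-node group.
    for a in ("2001:db8::a4b2:c3d4:e5f6:7890", "2001:db8:1234::1:2f6:7890"):
        print(a, "->", solicited_node(a))
```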

Flags That Control Configuration

Router Advertisements include flags that tell hosts how to configure themselves:

  • M (Managed): Use DHCPv6 for addresses (not SLAAC)
  • O (Other): Use DHCPv6 for other configuration (DNS, NTP, etc.)

Common combinations:

| M | O | Behavior |
|---|---|---|
| 0 | 0 | SLAAC only, no DHCPv6 |
| 0 | 1 | SLAAC for addresses, DHCPv6 for DNS/etc. |
| 1 | 0 | DHCPv6 for addresses (unusual) |
| 1 | 1 | DHCPv6 for everything |

Most networks use M=0, O=0 (pure SLAAC) or M=0, O=1 (SLAAC + DHCPv6 for DNS).
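
An added example, not from the original page: a parser for the Router Advertisement fields and options listed in this section, run against a constructed RA. Field offsets follow RFC 4861 (RDNSS: RFC 8106); the checksum is not verified, and `hop_limit` is assumed to be supplied by the caller from the enclosing IPv6 header.

```python
import ipaddress
import struct

def build_sample_ra() -> bytes:
    """Constructed RA: M=0, O=1, router lifetime 1800 s, one prefix (L+A), MTU and RDNSS options."""
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 0, 0)
    prefix = struct.pack("!BBBBIII16s", 3, 4, 64, 0xC0, 86400, 14400, 0,
                         ipaddress.IPv6Address("2001:db8:1234::").packed)
    mtu = struct.pack("!BBHI", 5, 1, 0, 1500)
    rdnss = struct.pack("!BBHI16s", 25, 3, 0, 600,
                        ipaddress.IPv6Address("2001:db8::53").packed)
    return header + prefix + mtu + rdnss    # checksum left at 0, not verified here

def parse_ra(icmp: bytes, hop_limit: int) -> dict:
    """Parse an ICMPv6 Router Advertisement; hop_limit comes from the enclosing IPv6 header."""
    if hop_limit != 255:
        raise ValueError("RA did not originate on the local link (hop limit != 255)")
    if len(icmp) < 16:
        raise ValueError("truncated RA")
    mtype, code, _csum, _cur_hl, flags, lifetime, _reach, _retrans = \
        struct.unpack_from("!BBHBBHII", icmp)
    if (mtype, code) != (134, 0):
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "mtu": None, "rdnss": []}
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        otype, olen = icmp[off], icmp[off + 1] * 8      # length field is in units of 8 bytes
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("invalid option length")   # zero length would loop forever
        opt = icmp[off:off + olen]
        if otype == 3 and olen == 32:                   # Prefix Information
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", opt, 2)
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((opt[16:32], plen), strict=False),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif otype == 5 and olen == 8:                  # MTU
            ra["mtu"] = struct.unpack_from("!I", opt, 4)[0]
        elif otype == 25 and olen >= 24 and (olen - 8) % 16 == 0:   # RDNSS
            ra["rdnss"] = [ipaddress.IPv6Address(opt[i:i + 16]) for i in range(8, olen, 16)]
        off += olen                                     # unknown options are skipped
    return ra

def host_behavior(ra: dict) -> str:
    """Map the M and O flags to the behaviour listed in the table above."""
    table = {(False, False): "SLAAC only, no DHCPv6",
             (False, True): "SLAAC for addresses, DHCPv6 for DNS/etc.",
             (True, False): "DHCPv6 for addresses (unusual)",
             (True, True): "DHCPv6 for everything"}
    return table[(ra["M"], ra["O"])]

if __name__ == "__main__":
    ra = parse_ra(build_sample_ra(), hop_limit=255)
    print(ra)
    print(host_behavior(ra))
```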


Path MTU Discovery

IPv6 routers don't fragment packets. The source must send packets small enough to fit the entire path. This is where ICMPv6 type 2 becomes critical.

How PMTUD Works

The Path MTU Discovery process works as follows:

  1. Host sends packet using interface MTU (typically 1500 bytes)
  2. Router encounters smaller MTU and cannot fragment (IPv6 doesn't allow router fragmentation)
  3. Router drops packet and sends ICMPv6 Packet Too Big message back to source
  4. Message includes MTU telling the sender the maximum size that path supports
  5. Host reduces packet size and retransmits with smaller MTU
  6. Connection continues using the discovered path MTU

Packet Too Big message format:

Type: 2
Code: 0
MTU: 1280 (or whatever the next hop supports)
Original packet: First portion of dropped packet

The minimum IPv6 MTU is 1280 bytes. All links must support at least this size. Larger packets require PMTUD to work.

What Happens When You Block Type 2

Connection symptoms when Packet Too Big messages are blocked:

  • Initial connection works - SYN, SYN-ACK, ACK packets are small
  • Data transfer hangs - Large packets get dropped silently
  • No error messages - Connection just stalls
  • Timeout after minutes - TCP eventually gives up

This is one of the most frustrating issues to debug because the connection establishes successfully before failing.

Real-world scenario:

$ curl -6 https://example.com/
# Connection hangs after TLS handshake
# Browser shows "Loading..." forever
# SSH connects but hangs during banner exchange

All because some middlebox blocked ICMPv6 type 2.

Never Block Packet Too Big

Blocking ICMPv6 type 2 breaks connections in subtle, application-specific ways. Always allow this message type in both directions through firewalls and routers.
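
The PMTUD loop and the type 2 black hole, simulated end to end as an added example that is not part of the original page. Addresses and path MTUs are constructed, and the sanity checks in `handle_ptb` follow RFC 8201 rather than anything stated on the page.

```python
import ipaddress
import struct

MIN_MTU = 1280                                       # IPv6 minimum link MTU
HOST = ipaddress.IPv6Address("2001:db8::10")         # constructed sender
SERVER = ipaddress.IPv6Address("2001:db8:ffff::1")   # constructed destination

def ipv6_packet(src, dst, size: int) -> bytes:
    """A size-byte IPv6 packet: 40-byte header (next header 6 = TCP) plus zero padding."""
    header = struct.pack("!IHBB16s16s", 6 << 28, size - 40, 6, 64, src.packed, dst.packed)
    return header + bytes(size - 40)

def packet_too_big(next_hop_mtu: int, dropped: bytes) -> bytes:
    """Type 2, code 0, checksum (0 here), MTU, then as much of the dropped packet as fits."""
    return struct.pack("!BBHI", 2, 0, 0, next_hop_mtu) + dropped[:MIN_MTU - 48]

def handle_ptb(icmp: bytes, pmtu: dict, local=HOST, link_mtu: int = 1500) -> bool:
    """Apply a Packet Too Big message to the per-destination cache; True if it was accepted."""
    if len(icmp) < 48:
        return False                                 # no complete quoted IPv6 header
    mtype, code, _csum, mtu = struct.unpack_from("!BBHI", icmp)
    quoted_src = ipaddress.IPv6Address(icmp[16:32])
    quoted_dst = ipaddress.IPv6Address(icmp[32:48])
    if (mtype, code) != (2, 0) or quoted_src != local:
        return False                                 # not a PTB, or quotes a packet we never sent
    if mtu < MIN_MTU or mtu >= pmtu.get(quoted_dst, link_mtu):
        return False                                 # below the minimum, or would not lower the estimate
    pmtu[quoted_dst] = mtu
    return True

def transfer(path_mtus, type2_blocked: bool, attempts: int = 5):
    """Send full-size packets along path_mtus; return the size that got through, or None."""
    pmtu = {}
    for _ in range(attempts):
        size = pmtu.get(SERVER, 1500)
        packet = ipv6_packet(HOST, SERVER, size)
        bottleneck = next((m for m in path_mtus if m < size), None)
        if bottleneck is None:
            return size                              # every hop could forward it
        if not type2_blocked:                        # a filter dropping type 2 hides this from the host
            handle_ptb(packet_too_big(bottleneck, packet), pmtu)
    return None                                      # sender never learned the path MTU: the stall

if __name__ == "__main__":
    print("type 2 allowed:", transfer([1500, 1400, 1280], type2_blocked=False))
    print("type 2 blocked:", transfer([1500, 1400, 1280], type2_blocked=True))
```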


Echo Request and Echo Reply (Ping)

Type 128 (Echo Request) and Type 129 (Echo Reply) work exactly like IPv4 ping.

Format:

Type: 128 (request) or 129 (reply)
Code: 0
Identifier: Arbitrary (matches request/reply)
Sequence: Increments with each ping
Data: Arbitrary payload

Diagnostic Uses

Ping is the simplest connectivity test:

# Basic ping
ping6 2001:4860:4860::8888

This sends standard ICMPv6 echo requests to test basic connectivity.

# Specify source address
ping6 -I 2001:db8::10 2001:4860:4860::8888

This uses a specific source address for the ping, useful when the host has multiple IPv6 addresses.

# Large packets to test PMTUD
ping6 -s 1400 google.com

This tests Path MTU Discovery by sending larger packets that may trigger Packet Too Big responses.

# Flood ping (requires root)
sudo ping6 -f 2001:4860:4860::8888

This sends packets as fast as possible for performance testing (use responsibly).

Rate Limiting Considerations

Many administrators rate-limit ping to prevent reconnaissance and DoS attacks. This is reasonable for production servers, but complete blocking makes troubleshooting harder.

Recommended approach:

  • Allow echo request/reply
  • Rate limit to prevent abuse
  • Log excessive attempts

Linux example:

# Allow ping but rate limit
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 \
  -m limit --limit 10/sec --limit-burst 20 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 -j DROP

This allows 10 pings per second with bursts up to 20, dropping excess traffic.


Firewall Considerations

ICMPv6 filtering requires understanding which types are essential and which are optional.

Must Allow (Breaking Connectivity)

Type 2: Packet Too Big

  • Direction: Both inbound and outbound
  • Reason: Path MTU discovery breaks without it
  • Scope: All connections

Types 133-136: Neighbor Discovery

  • Direction: Link-local only (hop limit 255)
  • Reason: Address resolution and router discovery fail
  • Scope: Local network only

Type 1: Destination Unreachable

  • Direction: Inbound (responses to your traffic)
  • Reason: TCP needs to know when ports/routes don't exist
  • Scope: All connections

Should Allow (Breaking Diagnostics)

Type 3: Time Exceeded

  • Direction: Inbound
  • Reason: Traceroute fails without it
  • Impact: Can't diagnose routing problems

Types 128-129: Echo Request/Reply

  • Direction: Both
  • Reason: Ping is the primary connectivity test
  • Impact: Can't verify basic reachability

Can Block (Informational Only)

Types 130-132: Multicast Listener Discovery

  • Scope: Local network only
  • Impact: Multicast might not work optimally

Type 137: Redirect

  • Impact: Suboptimal routing on local network
  • Security: Some admins block to prevent route manipulation

Example iptables Rules

Minimal host firewall:

# Essential ICMPv6
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT   # Destination Unreachable
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT   # Packet Too Big
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT   # Time Exceeded
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 128 -j ACCEPT # Echo Request
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 129 -j ACCEPT # Echo Reply
 
# Neighbor discovery (link-local only, hop limit 255)
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT

The hop limit check (--hl-eq 255) ensures neighbor discovery packets originate from the local link. Legitimate NDP always uses hop limit 255. Packets forwarded by a router would arrive with a decremented value.

nftables equivalent:

# Essential ICMPv6
nft add rule ip6 filter input icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply } accept
 
# Neighbor discovery with hop limit check
nft add rule ip6 filter input icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

Common Mistake: Blocking All ICMPv6

The single most common IPv6 firewall mistake is blocking all ICMPv6. Administrators port IPv4 rules that block all ICMP and wonder why IPv6 breaks. ICMPv6 is not optional—allow the essential types or expect connectivity failures.
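
One way to check a ruleset against the guidance in this section, as an added example rather than a tool from the page: a first-match evaluator that probes `ip6tables -A INPUT` lines with the "Must Allow" types. It only understands `-p`, numeric `--icmpv6-type`, `--hl-eq` and `-j`, ignores any other match, and both sample rulesets are constructed.

```python
import shlex

# Types the page lists under "Must Allow"; NDP must additionally arrive with hop limit 255.
ESSENTIAL = {1: "Destination Unreachable", 2: "Packet Too Big", 133: "Router Solicitation",
             134: "Router Advertisement", 135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}
NDP = (133, 134, 135, 136)

# Constructed sample: IPv4 habits carried over, with a blanket ICMPv6 drop.
PORTED_FROM_IPV4 = """
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j DROP    # blanket block copied from the IPv4 ruleset
"""
# The page's minimal host firewall, generated instead of typed out.
PAGE_MINIMAL = "\n".join(
    [f"ip6tables -A INPUT -p ipv6-icmp --icmpv6-type {t} -j ACCEPT" for t in (1, 2, 3, 128, 129)]
    + [f"ip6tables -A INPUT -p ipv6-icmp --icmpv6-type {t} -m hl --hl-eq 255 -j ACCEPT" for t in NDP])

def parse_rule(line: str) -> dict:
    """Extract the match fields this audit understands from one ip6tables -A INPUT line."""
    tokens = shlex.split(line, comments=True)
    rule = {"proto": None, "type": None, "hl": None, "target": None}
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-p":
            rule["proto"] = value
        elif flag == "--icmpv6-type":
            rule["type"] = int(value)       # assumption: numeric types, as on the page
        elif flag == "--hl-eq":
            rule["hl"] = int(value)
        elif flag == "-j":
            rule["target"] = value
    return rule

def verdict(rules, icmp_type: int, hop_limit: int, policy: str = "DROP") -> str:
    """First-match evaluation of one ICMPv6 packet against the parsed INPUT rules."""
    for r in rules:
        if r["proto"] not in (None, "ipv6-icmp", "icmpv6"):
            continue                        # rule is for another protocol
        if r["type"] is not None and r["type"] != icmp_type:
            continue
        if r["hl"] is not None and r["hl"] != hop_limit:
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
    return policy                           # nothing matched: chain policy applies

def audit(ruleset: str, policy: str = "DROP") -> list:
    """Report essential types that are blocked and NDP accepted from off-link."""
    rules = [parse_rule(line) for line in ruleset.splitlines() if "-A INPUT" in line]
    findings = [f"type {t} ({name}) blocked" for t, name in ESSENTIAL.items()
                if verdict(rules, t, 255, policy) != "ACCEPT"]
    findings += [f"type {t} accepted with hop limit below 255" for t in NDP
                 if verdict(rules, t, 64, policy) == "ACCEPT"]
    return findings

if __name__ == "__main__":
    for name, text in (("ported from IPv4", PORTED_FROM_IPV4), ("page minimal", PAGE_MINIMAL)):
        print(name, "->", audit(text) or "no findings")
```

Running `audit(PAGE_MINIMAL, policy="ACCEPT")` shows that the hop limit rules only help when the chain policy is DROP: with a default-accept chain, NDP from off-link still gets through.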


Troubleshooting with ICMPv6

Reading Error Messages

When connections fail, check for ICMPv6 error messages with tcpdump:

# Capture all ICMPv6
sudo tcpdump -i eth0 -n ip6 and icmp6

This captures all ICMPv6 traffic on the interface for analysis.

# Specific types
sudo tcpdump -i eth0 -n 'ip6 and icmp6 and ip6[40] == 1'  # Type 1 (Destination Unreachable)
sudo tcpdump -i eth0 -n 'ip6 and icmp6 and ip6[40] == 2'  # Type 2 (Packet Too Big)

These filter for specific ICMPv6 message types to diagnose particular issues.

Common error scenarios:

Type 1, Code 1: Communication administratively prohibited

# Firewall blocking traffic
18:23:45.123456 IP6 2001:db8::1 > 2001:db8::10: ICMP6, destination unreachable,
  administratively prohibited, length 68

Firewall or access control list blocking the connection.

Type 1, Code 4: Port unreachable

# Service not running
18:23:45.234567 IP6 2001:db8::10 > 2001:db8::1: ICMP6, destination unreachable,
  port unreachable, length 68

Nothing listening on the target port.

Type 2: Packet too big

# MTU issue
18:23:45.345678 IP6 2001:db8:1234::1 > 2001:db8::10: ICMP6, packet too big,
  mtu 1280, length 1240

Path MTU is smaller than sender assumed. Sender should reduce packet size to 1280 bytes.

Using Wireshark for NDP

Wireshark makes NDP analysis easier with display filters:

# All ICMPv6
icmpv6
 
# Neighbor Discovery only
icmpv6.type >= 133 && icmpv6.type <= 137
 
# Router Advertisements
icmpv6.type == 134
 
# Neighbor Solicitations for a specific address
icmpv6.type == 135 && icmpv6.nd.ns.target_address == 2001:db8::10

Watch Router Advertisements to see what configuration your network provides:

# Filter RAs, expand ICMPv6 layer in packet details
# Check:
# - Flags (M, O)
# - Prefix information
# - DNS servers (RDNSS option)
# - MTU option

Common Issues and Solutions

Problem: Host has no global IPv6 address, only fe80::

Diagnosis:

# Check for Router Advertisements
sudo tcpdump -i eth0 -n 'icmp6 && ip6[40] == 134'

Causes:

  • No router on network
  • Router not sending RAs
  • Firewall blocking type 134

Solution: Enable IPv6 on router, verify RA configuration, check firewall rules.


Problem: Ping works but large transfers hang

Diagnosis:

# Test with large ping packets
ping6 -s 1400 target.example.com

Causes:

  • ICMPv6 type 2 blocked somewhere
  • MTU mismatch in path
  • Firewall filtering Packet Too Big

Solution: Allow type 2 through all firewalls, check MTU configuration.


Problem: Can't reach neighbors on same subnet

Diagnosis:

# Check neighbor cache
ip -6 neigh show
 
# Watch for Neighbor Solicitations
sudo tcpdump -i eth0 -n 'icmp6 && ip6[40] == 135'

Causes:

  • Firewall blocking types 135/136
  • Switch filtering multicast
  • IPv6 disabled on target

Solution: Allow NDP through firewalls, verify switch multicast configuration.


Problem: Hosts ignore Router Advertisements

Diagnosis:

# Verify RAs are arriving
sudo tcpdump -i eth0 -n 'icmp6 && ip6[40] == 134'
 
# Check accept_ra setting (Linux)
sysctl net.ipv6.conf.eth0.accept_ra

Causes:

  • accept_ra disabled (Linux)
  • IPv6 forwarding enabled on host (disables RA processing)
  • RA has invalid hop limit (!= 255)

Solution: Enable accept_ra, disable forwarding on end hosts, verify router configuration.


Frequently Asked Questions

Can I block ICMPv6 ping like I do with IPv4 ICMP?

You can rate-limit or block Echo Request/Reply (types 128-129) without breaking connectivity, but it makes troubleshooting much harder. Unlike IPv4 where ICMP is mostly diagnostic, ICMPv6 includes essential functions like Neighbor Discovery and Path MTU Discovery that you must never block. Block ping if you want, but never block types 1, 2, or 133-136.

Why does NDP use multicast instead of broadcast like ARP?

Multicast is more efficient. IPv4 ARP sends broadcasts that every host on the network must process, even if they're not the target. IPv6 NDP uses solicited-node multicast addresses computed from the target's IPv6 address. Only hosts with matching addresses process the packet—everyone else filters it in hardware. This reduces CPU load and network noise, especially on large networks.

What's the difference between Router Solicitation and Router Advertisement?

Router Solicitation (type 133) is a request sent by hosts asking routers to announce themselves immediately. Router Advertisement (type 134) is the response sent by routers, containing network prefixes, configuration parameters, and router information. Routers also send RAs periodically without solicitation. RS lets hosts get configuration quickly on boot instead of waiting for the next periodic RA.

How often should routers send Router Advertisements?

RFC 4861 recommends RAs between 200-600 seconds (3.3-10 minutes) apart. Most implementations default to 200 seconds. Routers also respond immediately to Router Solicitations. The interval balances quick configuration for new hosts with minimal network overhead. Too frequent wastes bandwidth; too infrequent delays autoconfiguration.

Why do some ICMPv6 messages require hop limit 255?

The hop limit 255 requirement prevents off-link attackers from sending spoofed Neighbor Discovery messages. Legitimate NDP packets originate on the local link and always use hop limit 255. Packets from remote attackers would pass through routers, decrementing the hop limit. By rejecting packets with hop limit < 255, hosts protect against malicious Router Advertisements and Neighbor Advertisements from outside the local network.