RFC 9898 - Neighbor Discovery Considerations in IPv6 Deployments

Publication Date: November 2025
Status: Informational
Authors:

• X. Xiao (Huawei Technologies)
• E. Vasilenko (Huawei Technologies)
• E. Metz (KPN N.V.)
• G. Mishra (Verizon Inc.)
• N. Buraglio (Energy Sciences Network)

---

Abstract

The Neighbor Discovery (ND) protocol is a critical component of the IPv6 architecture. The protocol uses multicast in many messages. It also assumes a security model where all nodes on a link are trusted. Such a design might be inefficient in some scenarios (e.g., use of multicast in wireless networks) or when nodes are not trustworthy (e.g., public access networks). These security and operational issues and the associated mitigation solutions are documented in more than twenty RFCs. There is a need to track these issues and solutions in a single document.

To that aim, this document summarizes the published ND issues and then describes how all these issues originate from three causes. Addressing the issues is made simpler by addressing the causes. This document also analyzes the mitigation solutions and demonstrates that isolating hosts into different subnets and links can help to address the three causes. Guidance is provided for selecting a suitable isolation method to prevent potential ND issues.

---

Contents

• 1. Introduction
  • 1.1 Terminology
• 2. Review of Inventoried ND Issues
  • 2.1 Multicast May Cause Performance and Reliability Issues
  • 2.2 Trusting-All-Nodes May Cause On-Link Security Issues
  • 2.3 Router-NCE-on-Demand May Cause Forwarding Delay, NCE Exhaustion, and Address Accountability Issues
  • 2.4 Summary of ND Issues
• 3. Review of ND Mitigation Solutions
  • 3.1 Mobile Broadband IPv6 (MBBv6)
  • 3.2 Fixed Broadband IPv6 (FBBv6)
  • 3.3 Unique Prefix per Host (UPPH)
  • 3.4 Wireless ND (WiND)
  • 3.5 Scalable Address Resolution Protocol (SARP)
  • 3.6 ND Optimization for TRILL
  • 3.7 Proxy ND in Ethernet Virtual Private Networks (ND EVPN)
  • 3.8 Reducing Router Advertisements per RFC 7772
  • 3.9 Gratuitous Neighbor Discovery (GRAND)
  • 3.10 Source Address Validation Improvement (SAVI) and Router Advertisement Guard (RA-Guard)
  • 3.11 Dealing with NCE Exhaustion Attacks per RFC 6583
  • 3.12 Registering Self-Generated IPv6 Addresses Using DHCPv6 per RFC 9686
  • 3.13 Enhanced DAD
  • 3.14 ND Mediation for IP Interworking of Layer 2 VPNs
  • 3.15 ND Solutions Defined Before the Latest Versions of ND
    • 3.15.1 Secure Neighbor Discovery (SEND)
    • 3.15.2 Cryptographically Generated Addresses (CGA)
    • 3.15.3 ND Proxy
    • 3.15.4 Optimistic DAD
• 4. Guidelines for Prevention of Potential ND Issues
  • 4.1 Learning Host Isolation from the Existing Solutions
  • 4.2 Applicability of Various Isolation Methods
    • 4.2.1 Applicability of L3+L2 Isolation
    • 4.2.2 Applicability of L3 Isolation
    • 4.2.3 Applicability of Partial L2 Isolation
  • 4.3 Guidelines for Applying Isolation Methods
• 5. Security Considerations
• 6. IANA Considerations
• 7. References
  • 7.1 Normative References
  • 7.2 Informative References

Appendices

• Acknowledgements
• Authors' Addresses

---

Related Resources

• Official Text: RFC 9898
• Official Page: RFC 9898 DataTracker
• Errata: RFC Editor Errata