Neighbor Discovery Protocol (NDP) for IPv6 performs
functions similar to those provided by Address Resolution Protocol
(ARP) for IPv4. RFC 4861 defines Neighbor Discovery for IP version 6 (IPv6).
Hosts, routers, and firewalls use NDP to determine the link-layer
addresses of neighbors on connected links, to keep track of which
neighbors are reachable, and to update neighbors’ link-layer addresses
that have changed. Peers advertise their own MAC address and IPv6
address, and they also solicit addresses from peers.
NDP also supports the concept of proxy, when a node
has a neighboring device that is able to forward packets on behalf
of the node. The device (firewall) performs the role of NDP Proxy.
Palo Alto Networks
firewalls support NDP and NDP
Proxy on their interfaces. When you configure the firewall to act
as an NDP Proxy for addresses, it allows the firewall to send Neighbor
Discovery (ND) advertisements and respond to ND solicitations from
peers that are asking for MAC addresses of IPv6 prefixes assigned
to devices behind the firewall. You can also configure addresses
for which the firewall will not respond to proxy requests (negated
In fact, NDP is enabled by default, and you need to configure
NDP Proxy when you configure NPTv6, for the following reasons:
The stateless nature of NPTv6 requires a way to instruct
the firewall to respond to ND packets sent to specified NDP Proxy
addresses, and to not respond to negated NDP Proxy addresses.
It is recommended that you negate your
neighbors’ addresses in the NDP Proxy configuration, because NDP
Proxy indicates the firewall will reach those addresses behind the
firewall, but the neighbors are not behind the firewall.
NDP causes the firewall to save the MAC addresses and IPv6
addresses of neighbors in its ND cache. (Refer to the figure in NPTv6 and NDP Proxy Example.) The firewall
does not perform NPTv6 translation for addresses that it finds in
its ND cache because doing so could introduce a conflict. If the
host portion of an address in the cache happens to overlap with
the host portion of a neighbor’s address, and the prefix in the
cache is translated to the same prefix as that of the neighbor (because
the egress interface on the firewall belongs to the same subnet
as the neighbor), then you would have a translated address that
is exactly the same as the legitimate IPv6 address of the neighbor,
and a conflict occurs. (If an attempt to perform NPTv6 translation
occurs on an address in the ND cache, an informational syslog message
logs the event:
NPTv6 Translation Failed.
When an interface with NDP Proxy enabled receives an ND solicitation
requesting a MAC address for an IPv6 address, the following sequence
The firewall searches the ND
cache to ensure the IPv6 address from the solicitation is not there.
If the address is there, the firewall ignores the ND solicitation.
If the source IPv6 address is 0, that means the packet is
a Duplicate Address Detection packet, and the firewall ignores the
The firewall does a Longest Prefix Match search of the NDP
Proxy addresses and finds the best match to the address in the solicitation.
If the Negate field for the match is checked (in the NDP Proxy list), the
firewall drops the ND solicitation.
Only if the Longest Prefix Match search matches, and that
matched address is not negated, will the NDP Proxy respond to the
ND solicitation. The firewall responds with an ND packet, providing
its own MAC address as the MAC address of the next hop toward the
In order to successfully support NDP, the firewall does not perform
NDP Proxy for the following:
Duplicate Address Detection (DAD).
Addresses in the ND cache (because such addresses do not
belong to the firewall; they belong to discovered neighbors).