IPv6 On-Link Determination – What Is It And Why Do We Need It?

When an IPv4/IPv6 host wants to send a packet to another host, it has to answer the following simple questions:

  • Can I reach the destination IP address directly (is the destination on the same LAN/subnet)?
  • If not, who will help me forward the packet (who is the first-hop router)?

In IPv4 world, the host can get all the information it needs through DHCP. In IPv6 world, things are way more complex (but also way more correct if you’re a theoretician).

This post is a follow-up to the IPv6 Router Advertisement Deep Dive post.

The Magic of the Subnet Mask

In the IPv4 world, the host gets the answer to the first question with a simple logical AND operation. To figure out if the destination address is in the same subnet, the IPv4 host ANDs its own and the destination IP address with the subnet mask. If (SourceAddr & SubnetMask == DestinationAddr & SubnetMask), the host can send the packet directly to the destination address (assuming it has the destination’s MAC address in its ARP cache).

We’ll ignore all the complexities introduced by having multiple interfaces and multiple IP addresses per interface; it’s important you get the generic idea.

If the destination IPv4 address is not in the same subnet, the IPv4 host sends the packet to the first-hop router (sometimes called default gateway for historical reasons).

An IPv4 host thus needs two parameters: subnet mask and first-hop router’s IPv4 address. Both can be configured manually or passed to the host through DHCP.

Situation is a bit different when an IPv4 host uses PPP. PPP connection assumes subnet mask of (no other host is on the same subnet); the default gateway is replaced with an interface default route (a static route without an IPv4 next hop pointing to an interface).

The many wonders of the IPv6 world

In the IPv6 world, IPv6 hosts have to listen to router advertisement (RA) messages sent by the adjacent routers to get the required parameters:

  • Source IPv6 address of an RA message is assumed to be a router. If the lifetime advertised in the RA message is not zero, that router can be used as the first-hop router, and the IPv6 host installs a default route to that IPv6 address.

Source IPv6 address of an RA message is always a link-local address; the next hop of a default route is thus always a link-local address.

  • Subnet mask (more precisely, the prefix length) of IPv6 prefixes is advertised by the routers in prefix information option of RA messages.

An IPv6 host MUST listen to RA messages even if it got its IPv6 address through DHCPv6. At the moment DHCPv6 cannot be used to send the prefix length or first-hop router information to IPv6 hosts.

Every router might advertise numerous prefixes in RA messages (IPv6 works perfectly well with numerous IPv6 prefixes on the same LAN/L2 subnet), but only those that have the L bit set can be used to figure out the prefix length.

In the end, an IPv6 host could have information about numerous on-link IPv6 prefixes (prefixes that are present on the same LAN/link as the IPv6 host). When a host wants to figure out whether it can send an IPv6 packet directly to the destination address, it has to go through the list of all IPv6 prefixes known to be on the outgoing interface and check whether the destination IPv6 address belongs to one of them. If it does, the packet can be sent directly, otherwise the packet is sent toward the link-local address of one of the routers.

The host behavior in environments with multiple first-hop routers is “somewhat” undefined and depends on the host’s TCP stack.

More information

If you want to know more, you MUST read RFC 5942 (IPv6 Subnet Model: The Relationship between Links and Subnet Prefixes) and you SHOULD read RFC 4943. You might also be interested in how things work in mobile world, in which case read RFC 6459 (IPv6 in 3GPP EPS) and the RFC 3316bis draft (IPv6 for 3GPP Cellular Hosts).

Finally (you know I have to mention that) you can buy the recording of the Building Large IPv6 Service Provider Networks webinar (also available in the IPv6 trilogy or yearly subscription).


  1. Hello Ivan,

    Great article again on IPv6.
    I was wandering can you write an article about IPv6 and auto-summary command for both IGPs but also BGP.


    1. Don't tell me auto-summarization crept into IPv6 ... Can you send me links to specific command(s)?

  2. Ivan,

    This was great, thanks a lot. I am enlightened.

  3. "otherwise the packet is sent toward the link-local address of one of the routers."

    just to clarify - it is sent in sequence towards the link-local address of the router that the first RA message was received by the host, followed by the 2nd RA's router, 3rd RA's router, and so on.

    1. No. I wrote "one of the routers", and that's exactly what happens. The host selects the router to use (based on RA preference + whatever criteria that seem to be OS-dependent) and sends the off-net packets there.

      There's no retrying. If the router is dead, RA lifetime and/or ND should detect that, if the packet is sent to the wrong router, the router can send back ICMPv6 Redirect.

  4. Thank you very much for all the insight you provide us with on every post. Yesterday I was studying ND and RA messages using GNS3 along with VirtualBox. I was using IOS 12.4 Advanced Enterprise and Windows 7 Enterprise. As soon as I configured the router's interface with ipv6 address 2001:db8:1111:1::/64 eui-64 and ipv6 enable, the router starts sending ND messages as well as RA messages, as verified by using debug ipv6 icmp and debug ipv6 nd.
    The host receives one IPv6 address, using the prefix sent by the router and its EUI-64 portion. Why is this happening if I have not configured the sending of RA messages on the router yet? I have been reading the theory but it doesn't make much sense to me when compared to what I witness on the machines. Any guidance will be helpful.

    1. RAs are enabled on LAN interfaces by default, if you don't want them, you have to turn them off.

  5. Hi Ivan

    If the on-link is working, then why IPv6 requires neighbor discovery in this case. The First Hop router will always gives u the On-link ( Same LAN prefixes ) to reach . So then why need host should send Neighbor discovery .

    1. On an Ethernet network, NICs in hosts listen to their MAC addresses. How will you figure out what the MAC address of another host on the same network is?

  6. You need to ARP about the desired MAC u need it, oops i got it :) Wat a stupid question it is :( :(

    IP to MAC. But On -link is just knowing IP address,

    What is the equivalent of On-link in IPV4. Is there anything present.

    1. As explained in the article: subnet mask, configured manually or propagated with DHCP.

  7. If ipv6 hosts support multiple IPv6 prefixes, would that mean that HSRP is not needed for IPV6 networks that use SLAAC?

    1. To sort of answer my own question...

      This mostly works with "ipv6 nd ra-interval" set to 5, but since failover is driven by the client it is a bit unpredictable.

      It works nicely if you 'shutdown' an interface on one of the routers since that seems to revoke the router advertisement. If you hard reload a router it may or may not fail over nicely.

      The worst failover time I saw was around 40 seconds, but I know much of that was ospf figuring out the new return path. To properly test this I should set it up both with and without hsrp and see what the difference is.

      But in general it does seem to work.

    2. Here is some about


You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.