You're troubleshooting a network issue. Maybe duplicate IPs are causing chaos. Maybe a device isn't talking to its gateway. You pull up a packet capture and see ARP requests flying everywhere — who-has, who-has, who-has.
And you wonder: is ARP the only protocol doing this job on IPv4?
Short answer: mostly, yes. But there's a second one that gets overlooked. And understanding both changes how you diagnose Layer 2 problems.
What Is Neighbor Discovery on IPv4
Neighbor discovery sounds like an IPv6 term. That's because it is — NDP (Neighbor Discovery Protocol) is the IPv6 suite that handles address resolution, router discovery, prefix discovery, parameter discovery, and neighbor unreachability detection. All in one protocol, built on ICMPv6.
IPv4 doesn't have a single protocol called "neighbor discovery." It never got that memo. Instead, it splits the work across older, simpler tools that evolved separately.
The core job — mapping an IPv4 address to a MAC address so frames can actually be delivered on Ethernet — belongs to ARP, the Address Resolution Protocol. Defined in RFC 826 back in 1982. It's ancient. It's everywhere. And it does one thing: "Who has 192.168.1.5? Tell 192.168.1.1."
But ARP doesn't operate in a vacuum. There's a second protocol that manages reachability and failure detection for those same neighbors. It doesn't resolve addresses. It tells you when a neighbor stops answering.
That protocol is ICMP — specifically, ICMP Redirect and Destination Unreachable messages, plus the echo request/reply pair we all know as ping.
Together, ARP and ICMP form the de facto neighbor discovery stack on IPv4. One finds the hardware address. The other verifies the neighbor is still there.
ARP: The Workhorse
ARP is simple by design. A host wants to send a packet to an IP on the same subnet. It checks its ARP cache. Miss? Broadcast an ARP request. The target replies with its MAC. Cache updated. Packet sent. Simple as that.
No handshake. No state machine. No timers in the protocol itself — implementations handle aging locally (typically 5–30 minutes on Linux, 4 hours on Windows by default).
ARP is also stateless. It doesn't track "neighbor reachability" the way IPv6 NDP does. If a device goes silent, ARP doesn't know until the cache entry expires or a new request fails.
That's where ICMP comes in.
ICMP: The Silent Watchdog
ICMP isn't a neighbor discovery protocol per se. It's a control message protocol. But in practice, it's how IPv4 hosts detect neighbor failures.
- Echo Request/Reply (ping): Active reachability testing. If replies stop, the neighbor is down.
- Destination Unreachable (Code 1 — Host Unreachable): Sent by a router when it can't deliver to a host on a directly connected network. Often triggered by failed ARP.
- Redirect (Code 1 — Redirect for Host): Tells a host "use this router instead for that destination." Implies the original next-hop neighbor is still reachable, but a better path exists.
IPv4 stacks use ICMP feedback to update routing and ARP behavior. Linux, for example, tracks neighbor reachability in the kernel's neighbour subsystem (/proc/sys/net/ipv4/neigh/). It uses ARP for resolution, ICMP (and upper-layer feedback like TCP ACKs) for reachability hints, and timers for state transitions: REACHABLE → STALE → DELAY → PROBE → FAILED.
That state machine? It's IPv4's version of NUD (Neighbor Unreachability Detection). Just not standardized in a single RFC.
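To see those states on a live host, the neighbour table can be dumped with `ip -4 neigh show` and triaged. The following is an added example, not code from the original page; the sample output, the MAC addresses other than aa:bb:cc:dd:ee:ff, and the set of "critical" IPs are constructed for illustration.

```python
import ipaddress

UNRESOLVED = {"FAILED", "INCOMPLETE"}   # no usable link-layer address
PROBING = {"DELAY", "PROBE"}            # kernel is re-checking reachability

def parse_neigh(text):
    """Parse `ip -4 neigh show` lines into dicts with ip, dev, mac and state."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2:
            continue
        try:
            ipaddress.ip_address(tok[0])
        except ValueError:
            continue                     # not a neighbour line
        entry = {"ip": tok[0], "dev": None, "mac": None, "state": tok[-1]}
        for keyword, field in (("dev", "dev"), ("lladdr", "mac")):
            if keyword in tok[1:-1]:
                entry[field] = tok[tok.index(keyword, 1) + 1]
        entries.append(entry)
    return entries

def triage(entries, critical):
    """Group entries by health and list critical IPs lacking a PERMANENT (static) entry."""
    static = {e["ip"] for e in entries if e["state"] == "PERMANENT"}
    return {
        "unresolved": [e["ip"] for e in entries if e["state"] in UNRESOLVED],
        "probing": [e["ip"] for e in entries if e["state"] in PROBING],
        "critical_not_static": sorted(set(critical) - static, key=ipaddress.ip_address),
    }

# Constructed sample of `ip -4 neigh show` output.
SAMPLE = """\
10.0.0.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
10.0.0.10 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
10.0.0.200 dev eth0 lladdr 02:00:00:00:00:c8 PERMANENT
10.0.0.20 dev eth0  FAILED
10.0.0.21 dev eth0  INCOMPLETE
10.0.0.22 dev eth0 lladdr 02:00:00:00:00:16 PROBE
"""

if __name__ == "__main__":
    print(triage(parse_neigh(SAMPLE), {"10.0.0.1", "10.0.0.200"}))
```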
Why It Matters
Most network engineers know ARP. Fewer think about ICMP as part of neighbor discovery. That gap causes real problems.
Silent Failures
A server's NIC fails. It stops answering ARP. Clients' ARP entries time out — eventually. But until then, they keep sending frames to a MAC that never responds. TCP retransmits. Applications hang. No ICMP error arrives because the router never gets a packet to forward — the host never resolves the MAC.
If you only monitor ARP, you miss this. If you monitor ICMP unreachables from the gateway, you catch it faster.
Asymmetric Reachability
Host A can reach Host B. Host B can't reach Host A. ICMP echo works one way. ARP works one way. This happens with firewall rules, uRPF failures, or broken return paths.
Treating neighbor discovery as "ARP only" makes you blind to Layer 3 reachability issues that look like Layer 2 problems.
Security Blind Spots
ARP spoofing (poisoning) is the classic IPv4 neighbor attack. But ICMP redirects can also be abused — a malicious host sends forged redirects to hijack traffic. Both protocols trust the local segment. Neither authenticates.
Understanding both vectors matters for hardening.
How It Works in Practice
Let's walk through a real scenario. Host 10.0.0.5 wants to talk to 10.0.0.10 on the same VLAN.
Step 1: ARP Resolution
- Host checks ARP cache for 10.0.0.10. Miss.
- Broadcasts ARP request:
  Who has 10.0.0.10? Tell 10.0.0.5
- 10.0.0.10 receives, updates its cache with 10.0.0.5's MAC (gratuitous learning), replies unicast:
  10.0.0.10 is at aa:bb:cc:dd:ee:ff
- Both hosts update … and the MAC address is now cached on both ends. The packet can be transmitted immediately.
Step 2: Sending the Data
When 10.0.0.5 sends a TCP SYN to 10.0.0.10:
Destination MAC: aa:bb:cc:dd:ee:ff
Source MAC: 11:22:33:44:55:66
The switch, seeing the destination MAC, forwards the frame to the correct port. The Linux kernel on 10.0.0.10 receives the frame, strips the Ethernet header, and delivers the IP packet to the IP layer.
Step 3: Neighbor Feedback
While the data path is working, the kernel periodically sends Neighbor Solicitation–style probes in the form of ICMP Echo Requests (or even ARP Probe in the IPv6 NDP world). If 10.0.0.10 stops answering (say, its NIC is unplugged), the probes will fail. The kernel will move the neighbor entry from REACHABLE to STALE, then to DELAY, and finally to FAILED once no response is received after the configured number of probes. At that point, the kernel flushes the entry and any pending packets are dropped. The application layer sees a timeout, and the user sees the “connection refused” or “unreachable” error.
In the opposite direction, if 10.0.0.10’s ARP cache is stale but the link is still up, the first packet to 10.0.0.5 will trigger a new ARP request. Once the reply comes back, the entry is refreshed and the path is restored.
The ICMP Side of Neighbor Discovery
ICMP Redirects
When a router learns that a host can reach a destination more directly, it may send an ICMP Redirect to the host. For example, if 10.0.0.5 is connected to a router on 10.0.0.1, but the best path to 10.0.0.10 is through 10.0.0.2, the router on 10.0.0.1 sends:
ICMP Type 5 (Redirect) – Code 1 (Redirect for Host)
The packet tells 10.0.0.5: “Use 10.0.0.2 as the next hop for 10.0.0.10.” The host updates its routing table accordingly. If the router disconnects, the host will revert to the old path, and the network will experience a brief hiccup. Because Redirects are only sent to the originating host, they are a subtle source of asymmetric routing.
ICMP Destination Unreachable
When a router receives a packet whose next hop is unreachable, it may send back an ICMP Destination Unreachable (Type 3). Code 1 indicates that the host is unreachable. This message is critical for the source host’s NUD: it immediately marks the neighbor as FAILED, forcing a fresh ARP or NDP resolution before any further packets are sent. Without this, the source might keep sending frames to a dead MAC address, wasting bandwidth and time.
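The two message types above can be audited from captured IPv4 packets. This added example (not from the original page) parses ICMP Redirect and Host Unreachable messages and applies the acceptance checks RFC 1122 asks hosts to make on Redirects: the sender must be a known first-hop gateway and the new gateway must be on the local subnet. The gateway set, the subnet, and the addresses 10.0.0.66 and 10.0.1.20 are constructed assumptions.

```python
import ipaddress
import socket
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header

def inet_checksum(data):  # RFC 1071 sum; returns 0 over a valid ICMP message
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_icmp(packet):
    """Return ICMP fields from a raw IPv4 packet, or None if it is not valid ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5 or packet[9] != 1:
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    info = {"src": socket.inet_ntoa(packet[12:16]), "type": icmp[0], "code": icmp[1]}
    if icmp[0] == 5:                            # Redirect: bytes 4-7 carry the new gateway
        info["gateway"] = socket.inet_ntoa(icmp[4:8])
    if icmp[0] in (3, 5) and len(icmp) >= 28:   # destination in the embedded original header
        info["orig_dst"] = socket.inet_ntoa(icmp[24:28])
    return info

def audit(packets, gateways, subnet):
    """Classify ICMP feedback; gateways and subnet are the operator's known-good values."""
    net, findings = ipaddress.ip_network(subnet), []
    for p in filter(None, map(parse_icmp, packets)):
        if (p["type"], p["code"]) == (3, 1):
            findings.append(("host-unreachable", p["src"], p.get("orig_dst")))
        elif p["type"] == 5:
            ok = p["src"] in gateways and ipaddress.ip_address(p["gateway"]) in net
            findings.append(("redirect" if ok else "suspicious-redirect", p["src"], p["gateway"]))
    return findings

def build(src, dst, icmp_type, code, rest, orig_dst):
    """Constructed test packet; IPv4 header checksums are left zero and not checked."""
    a = socket.inet_aton
    orig = IP_HDR.pack(0x45, 0, 28, 0, 0, 64, 6, 0, a(dst), a(orig_dst)) + bytes(8)
    body = struct.pack("!BBH4s", icmp_type, code, 0, a(rest)) + orig
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return IP_HDR.pack(0x45, 0, 20 + len(body), 0, 0, 64, 1, 0, a(src), a(dst)) + body

SAMPLE = [  # constructed, using the page's addresses plus a non-gateway sender
    build("10.0.0.1", "10.0.0.5", 5, 1, "10.0.0.2", "10.0.0.10"),
    build("10.0.0.66", "10.0.0.5", 5, 1, "10.0.0.66", "10.0.0.10"),
    build("10.0.0.1", "10.0.0.5", 3, 1, "0.0.0.0", "10.0.1.20"),
]
```

Calling `audit(SAMPLE, {"10.0.0.1"}, "10.0.0.0/24")` yields one accepted redirect, one suspicious redirect, and one host-unreachable report.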
Configuring the Neighbour Subsystem
Linux exposes a rich set of tunables that control how aggressively a host detects unreachable neighbors:
| Parameter | Default | Meaning |
|---|---|---|
| /proc/sys/net/ipv4/neigh/default/gc_stale_time | 60 s | How long a REACHABLE entry stays before becoming STALE |
| /proc/sys/net/ipv4/neigh/default/reachable_time_min | 3 s | Minimum time the kernel assumes a neighbor is reachable after a successful probe |
| /proc/sys/net/ipv4/neigh/default/probe_time | 1 s | Interval between probes when a neighbor is in DELAY |
| /proc/sys/net/ipv4/neigh/default/probes | 3 | Number of probes before marking a neighbor FAILED |
| /proc/sys/net/ipv4/neigh/default/ucast_probes | 3 | Number of unicast probes before a neighbor is considered unreachable |
Tuning these values can help in high‑availability environments. For instance, reducing probe_time to 200 ms and probes to 2 makes the system react faster to a failed NIC, but increases the risk of false positives under transient link noise.
Security Implications
Both ARP and ICMP are inherently trust‑based. A malicious host can:
- ARP Poisoning – Reply to ARP requests with a forged MAC, redirecting traffic to the attacker.
- ICMP Redirect Injection – Send forged Redirects to hijack traffic or manipulate routing tables.
- ICMP Unreachables Flood – Generate a flood of Destination Unreachable messages to exhaust a host’s resources.
Mitigations include:
- Static ARP Entries for critical hosts to prevent dynamic poisoning.
- ARP Flux Protection (arp_ignore, arp_announce sysctls) to limit which interfaces will answer ARP requests.
- ICMP Rate Limiting (net.ipv4.icmp_ratelimit, net.ipv4.icmp_ratelimit_burst) to dampen malicious traffic.
- MACsec or IPsec to authenticate frames or packets at a higher layer.
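On the detection side, the ARP exchange from Step 1 and the ARP poisoning item above can be checked directly on captured frames. This added example (not from the original page) parses the RFC 826 layout and flags two indicators: an Ethernet source that disagrees with the ARP sender address, and an IP whose MAC binding changes. The MAC de:ad:be:ef:00:01 and the third sample frame are constructed.

```python
import socket
import struct

ARP = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826 body for Ethernet/IPv4

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def to_mac(text):
    return bytes.fromhex(text.replace(":", ""))

def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 14 + ARP.size or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": fmt_mac(frame[6:12]), "sha": fmt_mac(sha),
            "spa": socket.inet_ntoa(spa), "tpa": socket.inet_ntoa(tpa)}

def audit(frames):
    """Track IP-to-MAC bindings and flag the two poisoning indicators."""
    bindings, alerts = {}, []
    for pkt in filter(None, map(parse_arp, frames)):
        if pkt["eth_src"] != pkt["sha"]:       # Ethernet source disagrees with ARP sender
            alerts.append(("eth-arp-mismatch", pkt["spa"], pkt["eth_src"], pkt["sha"]))
        if pkt["spa"] == "0.0.0.0":            # ARP probe: sender claims no address yet
            continue
        old = bindings.get(pkt["spa"])
        if old and old != pkt["sha"]:          # same IP now claimed by another MAC
            alerts.append(("binding-changed", pkt["spa"], old, pkt["sha"]))
        bindings[pkt["spa"]] = pkt["sha"]
    return bindings, alerts

def make_frame(op, eth_src, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Build a constructed ARP frame for the sample capture."""
    return (to_mac(eth_dst) + to_mac(eth_src) + b"\x08\x06" +
            ARP.pack(1, 0x0800, 6, 4, op, to_mac(sha), socket.inet_aton(spa),
                     to_mac(tha), socket.inet_aton(tpa)))

HOST5, HOST10, OTHER = "11:22:33:44:55:66", "aa:bb:cc:dd:ee:ff", "de:ad:be:ef:00:01"
SAMPLE = [  # constructed: the page's request and reply, then a conflicting reply
    make_frame(1, HOST5, HOST5, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.10"),
    make_frame(2, HOST10, HOST10, "10.0.0.10", HOST5, "10.0.0.5", eth_dst=HOST5),
    make_frame(2, OTHER, OTHER, "10.0.0.10", HOST5, "10.0.0.5", eth_dst=HOST5),
]
```

A binding change is also what a NIC replacement or a failover looks like, so treat the alert as a prompt to verify the new MAC.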
Operational Best Practices
| Practice | Why It Helps |
|---|---|
| Enable Neighbor Unreachability Detection | Quickly detects failed NICs or link drops, preventing stale entries from causing traffic blackholes. |
| Monitor ICMP Echo and Redirects | Early detection of routing changes or failures that ARP alone would miss. |
| Use Gratuitous ARP | Broadcasts a host’s MAC to all neighbors, ensuring that switches and routers update their tables promptly. |
| Keep ARP Cache Size Adequate | Prevents table overflow attacks; Linux defaults are usually sufficient, but large VLANs may need tuning. |
| Audit ICMP Traffic | Regularly inspect logs for unexpected Redirects or Unreachables, which may signal misconfigurations or attacks. |
A Real‑World Example: The “Ghost Host” Problem
A multi‑tenant data center hosts a shared storage appliance (10.0.0.200). Ten virtual machines (VMs) on the same subnet need to talk to it. One day, an unrelated VM loses its NIC, but the switch’s MAC table still holds an entry for 10.0.0.200’s MAC. Packets destined for the storage appliance are forwarded to the dead VM’s MAC, never reaching the appliance. The VMs experience timeouts, but no ARP or ICMP errors appear because the switch never gets a chance to send a packet to the dead NIC.
When the storage appliance’s ARP cache eventually times out, it starts broadcasting a gratuitous ARP. The switch learns the correct MAC, and traffic resumes. If the storage appliance had been configured with a static ARP entry, the problem would have been avoided entirely.
Conclusion
Neighbor discovery in IPv4 is more than just ARP. It’s a dance between link‑layer resolution and layer‑3 reachability feedback, orchestrated by ICMP messages and the kernel’s neighbour subsystem. Understanding how ARP, ICMP Echo, Redirect, and Destination Unreachable work together allows operators to diagnose subtle connectivity problems, harden their networks against spoofing attacks, and tune the system for optimal responsiveness.
In practice, the combination of ARP for MAC lookup and ICMP for reachability feedback creates a resilient neighbor discovery mechanism. When you monitor both sides—ARP tables and ICMP traffic—you gain visibility into the health of your network that would otherwise remain hidden. By configuring the neighbour subsystem appropriately and applying the operational best practices outlined above, you can reduce silent failures, mitigate security risks, and keep data flowing where it should.