Computer NetworksTTL and Protocol

TTL and Protocol Fields in IPv4

LevelIntermediate

Duration90 mins

TopicTTL and Protocol

2 / 5

TTL Purpose

Why Every Packet Must Eventually Die

Imagine a postal system where undeliverable letters never get returned or destroyed—instead, they circulate endlessly between sorting facilities, each clerk forwarding them to the next in an infinite loop. Within days, the postal system would collapse under the weight of these immortal letters, unable to process legitimate mail.

This scenario isn't hypothetical in computer networks—it's the inevitable consequence of routing loops. When routers misconfigure or network topology changes faster than routing protocols can converge, packets can enter cycles where Router A forwards to Router B, which forwards to Router C, which forwards back to Router A, ad infinitum.

The Time to Live (TTL) field exists precisely to prevent this catastrophe. Its primary purpose is brutally simple: ensure every packet eventually dies, even in the worst-case routing failure. But this simple mechanism has evolved to serve many additional purposes, from enabling critical diagnostic tools to forming the basis of security protocols.

This page explores the multifaceted purposes of TTL, demonstrating why this seemingly simple 8-bit counter is fundamental to the Internet's operation.

What You Will Learn

By the end of this page, you will understand the five critical purposes of TTL: loop prevention, network diagnostics, multicast scoping, packet lifetime management, and security applications including GTSM.

Primary Purpose: Routing Loop Prevention

The original and most critical purpose of TTL is preventing packets from circulating forever in routing loops. Understanding why loops occur—and why TTL is the ultimate safety net—requires examining routing protocol behavior during network instability.

Why Routing Loops Occur

Routing loops arise when routers disagree about the best path to a destination. This disagreement typically happens during convergence periods—the time after a network change when routers are still propagating and processing routing updates.

Consider this scenario:

Converting Mermaid diagram...

Now, suppose the link between Router C and network 10.0.0.0/24 fails:

Timeline of Loop Formation:

T=0: Link fails. Router C detects failure and removes the route from its table.
T=1s: Router B still has old information. Its routing table says: "10.0.0.0/24 via Router C."
T=2s: Router C sends update to Router B, but before it arrives, Router C receives a query from Router A.
T=3s: Router A asks Router B for a path. Router B responds: "I can reach 10.0.0.0/24 via C."
T=4s: Router C, having lost its direct route, queries neighbors. Router B says: "I can reach it!"
Loop formed: Router C now thinks the path is via Router B. Packets to 10.0.0.0/24 bounce between B and C indefinitely.

Converting Mermaid diagram...

Without TTL: Catastrophic Amplification

Without TTL, every packet entering this loop would circulate forever. With even modest traffic, the loop would consume all available bandwidth within seconds. Multiply this by thousands of simultaneous connections, and the network collapses entirely.

How TTL Breaks the Loop

With TTL, each packet has a maximum lifespan:

Packet enters at Router A with TTL=64
Router A forwards to Router B: TTL decremented to 63
Router B forwards to Router C: TTL=62
Router C forwards back to Router B: TTL=61
This continues until TTL reaches 0
At TTL=0, the router discards the packet and sends ICMP Time Exceeded to the source

With TTL=64, a loop can execute at most 63 times before the packet is destroyed. The source receives notification via ICMP, and no single packet can consume infinite resources.

Loop Impact With and Without TTL
Metric	Without TTL	With TTL=64
Packet Lifetime	Infinite	Maximum 64 hops
Bandwidth Impact	Exponential growth to saturation	Bounded by initial packet count × 64
Recovery Time	Never (network collapse)	Seconds (packets expire, ICMP notifies)
Source Awareness	None (silent failure)	ICMP Time Exceeded messages
Router CPU Impact	Overload and crash	Minimal additional load

Enabling Network Diagnostic Tools

TTL's loop-prevention mechanism has a powerful side effect: by intentionally sending packets with low TTL values, we can probe the path between source and destination. This technique forms the basis of traceroute, one of the most essential network diagnostic tools ever created.

The Traceroute Algorithm

Traceroute exploits TTL behavior systematically:

Send a packet to the destination with TTL=1
First router decrements TTL to 0, discards packet, sends ICMP Time Exceeded
Source learns the first router's identity and round-trip time
Repeat with TTL=2, then TTL=3, and so on
Continue until destination responds (or max hops reached)

The result is a complete map of the path, showing every intermediate router.

Converting Mermaid diagram...

traceroute-examples.sh

# Basic traceroute using ICMP (macOS default) or UDP (Linux default)
traceroute www.example.com
 
# Force ICMP mode (requires root on Linux)
sudo traceroute -I www.example.com
 
# Force TCP mode (useful when ICMP is blocked)
sudo traceroute -T -p 443 www.example.com
 
# Paris-traceroute: Consistent ECMP path per TTL
paris-traceroute www.example.com
 
# Example output:
# traceroute to www.example.com (93.184.216.34), 30 hops max
#  1  192.168.1.1 (192.168.1.1)  1.234 ms  0.987 ms  0.876 ms
#  2  10.0.0.1 (10.0.0.1)  5.432 ms  4.321 ms  4.567 ms
#  3  72.14.194.226 (72.14.194.226)  12.345 ms  11.234 ms  11.567 ms
#  4  * * *   <- Router not responding to ICMP
#  5  93.184.216.34 (93.184.216.34)  15.678 ms  14.567 ms  15.123 ms
 
# MTR: Continuous traceroute with statistics
mtr --report --report-cycles 10 www.example.com

Advanced Traceroute Variations

The basic traceroute concept has spawned many specialized tools:

Traceroute Tool Variations
Tool	Technique	Use Case
traceroute (Linux)	UDP to high ports	Default, works through most NATs
traceroute -I	ICMP Echo Request	When UDP is blocked
traceroute -T	TCP SYN packets	When ICMP/UDP blocked by firewalls
paris-traceroute	Consistent 5-tuple per TTL	Accurate ECMP path discovery
dublin-traceroute	NAT-aware, multi-path	Complex enterprise networks
mtr	Continuous traceroute + ping	Real-time path monitoring
pathping (Windows)	Combined ping + traceroute	Packet loss statistics per hop

Why Hops Show Asterisks (*)

Asterisks in traceroute output indicate the router didn't respond to ICMP. This happens when: (1) router is configured to not send ICMP Time Exceeded, (2) firewall blocks ICMP, (3) router is overloaded and rate-limits ICMP, or (4) return path is broken. The packet may still have passed through that hop.

Multicast Traffic Scoping

In multicast networking, TTL serves a secondary but critical purpose: scope limitation. Unlike unicast traffic (where packets are destined for a single recipient), multicast packets are replicated to potentially thousands of receivers. Controlling how far multicast traffic propagates is essential for bandwidth management and administrative boundaries.

The Scoping Problem

Consider a video conferencing application multicasting to address 224.1.1.1. Without scope controls:

Traffic might propagate across the entire Internet
Users worldwide could (theoretically) join the session
Bandwidth consumption would be catastrophic
No administrative control over traffic boundaries

TTL-based scoping provides a simple solution: multicast routers can refuse to forward packets below a certain TTL threshold. This creates concentric circles of reach based on TTL values.

RFC 2365 Multicast TTL Scopes
TTL Value	Scope Name	Typical Boundary	Example Use
0	Same interface	Loopback	Testing multicast stack
1	Same subnet	Layer 2 broadcast domain	Service discovery (mDNS, SSDP)
15	Same site	Campus or building	Departmental video streaming
31	Same site (historic)	Legacy site boundary	Older configurations
63	Same region	Metropolitan area	Regional content distribution
127	Same continent	Continental boundary	CDN distribution
255	Unrestricted	Global Internet	Internet-wide multicast (rare)

How TTL Scoping Works

Multicast routers implement TTL thresholds on their interfaces. When a multicast packet arrives:

Router decrements TTL (standard behavior)
Router compares remaining TTL against interface's threshold
If TTL < threshold, packet is NOT forwarded out that interface
If TTL ≥ threshold, packet is forwarded

This allows administrators to define scope boundaries by configuring thresholds:

multicast-ttl-config.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Cisco IOS: Configure multicast TTL threshold
interface GigabitEthernet0/0
 ip multicast ttl-threshold 32
 ! Packets with TTL < 32 will NOT be forwarded out this interface
 ! Use this on WAN links to contain site-local multicast
 
# Example: Creating site boundary
# Internal interfaces: ttl-threshold 1 (forward almost everything)
# WAN interface: ttl-threshold 16 (block site-local traffic)
 
interface GigabitEthernet0/1
 description Internal-LAN
 ip multicast ttl-threshold 1
 
interface GigabitEthernet0/2
 description WAN-Link
 ip multicast ttl-threshold 16
 
# Verify configuration
show ip multicast interface
# Output shows threshold per interface
 
# Juniper JunOS equivalent:
# set protocols pim interface ge-0/0/0 ttl-threshold 32

TTL Scoping is Deprecated

RFC 2365 recommends using administratively scoped addresses (239.0.0.0/8) instead of TTL-based scoping. Address-based scoping is more explicit and reliable. However, TTL scoping persists in legacy systems and some applications (like mDNS using TTL=1 for link-local restriction).

Common Protocols Using TTL=1

Many service discovery and link-local protocols set TTL=1 intentionally:

Protocols with TTL=1

•mDNS (Multicast DNS) — Returns TTL=1 to keep queries and responses link-local. Used by Apple Bonjour, Avahi.
•SSDP (Simple Service Discovery Protocol) — UPnP discovery uses TTL=1 or 2 for home network devices.
•OSPF Hello Packets — Routing protocol keepalives use TTL=1 since neighbors must be directly connected.
•VRRP (Virtual Router Redundancy Protocol) — Advertisements use TTL=255, but receivers reject if TTL isn't 255 (security measure).
•IGMP (Internet Group Management Protocol) — Membership reports use TTL=1 since only the local router needs them.

Packet Lifetime and Resource Management

Beyond loop prevention, TTL provides a broader guarantee: bounded packet lifetime. This guarantee has important implications for protocol design, system resources, and network behavior.

Maximum Segment Lifetime (MSL) and TCP

TCP relies on the concept of Maximum Segment Lifetime—the longest time a packet can exist in the network. MSL is typically set to 2 minutes (120 seconds), which assumes TTL provides adequate bound.

Why MSL Matters:

When a TCP connection closes, the endpoint that sends the final ACK enters the TIME_WAIT state for 2×MSL (4 minutes by default). This ensures:

Any delayed packets from the old connection have expired (TTL depleted)
The new connection using the same 4-tuple won't receive old packets
Proper connection state cleanup across all network paths

Without TTL's lifetime guarantee, TCP would have no reliable way to know when old packets have definitively expired.

tcp-msl-relationship.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# TCP TIME_WAIT and MSL relationship
#
# TIME_WAIT duration = 2 × MSL = 2 × 120 seconds = 240 seconds (4 minutes)
#
# This design assumes:
# - TTL ensures packets die within MSL
# - No packet can live longer than MSL regardless of routing conditions
# - After 2×MSL, any duplicate packets are guaranteed to be expired
 
# Linux: View/modify TIME_WAIT duration (in seconds)
cat /proc/sys/net/ipv4/tcp_fin_timeout
# Default: 60 seconds (Linux uses shorter value than RFC)
 
# View current TIME_WAIT sockets
ss -tan state time-wait | wc -l
 
# High TIME_WAIT count is normal for busy servers
# Each represents a recently-closed connection waiting for packets to expire
 
# Example: Web server with 50,000 requests/minute
# At 60-second TIME_WAIT: expect ~50,000 sockets in TIME_WAIT state

The MSL-TTL Assumption

The 2-minute MSL assumes packets traverse at most 255 hops with some processing delay. With modern networks typically under 30 hops, packets actually expire much faster. However, MSL remains conservative to handle pathological cases like satellite links and extremely slow networks.

Fragment Reassembly Timeout

When IP fragments arrive at a destination, the receiving host must hold them until all fragments arrive. But how long should it wait?

RFC 791 recommends a reassembly timeout of 15-60 seconds, related to (but independent of) TTL. The reasoning:

Fragments with expired TTL will never arrive
Holding fragments indefinitely wastes memory
Timeout should exceed maximum expected variation in fragment arrival

In practice, most implementations use 30-60 seconds, far shorter than MSL, as fragments typically arrive within milliseconds of each other.

TTL and Related Timeouts
Concept	Typical Value	Relationship to TTL
Maximum Segment Lifetime (MSL)	120 seconds	Upper bound on packet lifetime; assumes TTL provides limit
TCP TIME_WAIT	2 × MSL = 240s	Waits for all old packets to expire via TTL
Fragment Reassembly Timeout	30-60 seconds	Maximum wait for missing fragments
DNS Record TTL	Varies (seconds-days)	Unrelated; uses 'TTL' name but for cache lifetime
BGP Hold Timer	90 seconds (default)	Unrelated; keepalive timeout, not packet lifetime

Security Applications of TTL

TTL has evolved beyond its original purposes to become a security tool. Several security mechanisms leverage TTL's hop-counting property to detect spoofing and enforce topological requirements.

Generalized TTL Security Mechanism (GTSM) - RFC 5082

GTSM is a security technique that uses TTL to verify packets came directly from a neighbor, protecting routing protocols from remote attackers.

The Security Problem:

Routing protocols like BGP, OSPF, and LDP exchange critical information with neighboring routers. An attacker spoofing a neighbor's IP address from a remote location could inject malicious routing updates, causing traffic hijacking or black holes.

The GTSM Solution:

Sender sets TTL=255 (maximum value) for all routing protocol packets
Receiver rejects packets with TTL < 254 (or stricter threshold)
Since each intermediate hop decrements TTL, a packet from a remote attacker arrives with reduced TTL
Only directly-connected peers can send packets that arrive with TTL=254 or 255

Converting Mermaid diagram...

gtsm-configuration.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# Cisco IOS: Enable GTSM for BGP neighbor
router bgp 65001
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 ttl-security hops 1
 ! Requires TTL >= 254 (255 - 1 = 254 minimum)
 ! Packets from more than 1 hop away are rejected
 
# For eBGP multihop (multiple hops allowed)
 neighbor 10.0.0.3 remote-as 65003
 neighbor 10.0.0.3 ebgp-multihop 3
 neighbor 10.0.0.3 ttl-security hops 3
 ! Allows up to 3 hops; minimum TTL = 255 - 3 = 252
 
# Juniper JunOS: BGP TTL security
set protocols bgp group external neighbor 10.0.0.2 ttl 255
set protocols bgp group external neighbor 10.0.0.2 multihop ttl-threshold 254
 
# Linux (BIRD/FRRouting): TTL security
neighbor 10.0.0.2 {
    ttl-security hops 1
}

ICMP Time Exceeded Messages

When TTL reaches zero, the discarding router doesn't silently drop the packet—it sends an ICMP Time Exceeded message back to the source. This notification mechanism is essential for network visibility and troubleshooting.

ICMP Time Exceeded Message Structure (Type 11)
Field	Size	Value	Description
Type	8 bits	11	Time Exceeded
Code	8 bits	0 or 1	0=TTL exceeded, 1=Fragment reassembly timeout
Checksum	16 bits	Computed	ICMP header checksum
Unused	32 bits	0	Reserved for future use
Original Header	≥28 bytes	Copy	IP header + first 8 bytes of original packet

Code Values:

Code 0 (TTL Exceeded in Transit): Packet was discarded because TTL reached 0 during forwarding. This is the most common case and is used by traceroute.
Code 1 (Fragment Reassembly Time Exceeded): Destination received some fragments but the reassembly timer expired waiting for remaining fragments.

What's Included in the Response:

The ICMP Time Exceeded message includes a copy of the original packet's IP header plus the first 8 bytes of the original payload. This provides:

Original source and destination addresses (identify the flow)
Original protocol field (identify TCP/UDP/etc.)
First 8 bytes of payload (typically includes source and destination ports for TCP/UDP)

These 28+ bytes of context allow the source to identify which packet triggered the error, essential for applications like traceroute that must correlate responses with probes.

icmp-time-exceeded-packet.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Wireshark decode of ICMP Time Exceeded message
 
Internet Control Message Protocol
    Type: 11 (Time-to-live exceeded)
    Code: 0 (TTL exceeded in transit)
    Checksum: 0x4d5a [correct]
    Unused: 00000000
    
    # Copy of original packet header
    Internet Protocol Version 4, Src: 192.168.1.100, Dst: 8.8.8.8
        Version: 4
        Header Length: 20 bytes
        Total Length: 84
        Identification: 0x1234
        Flags: 0x0000
        Fragment Offset: 0
        Time to Live: 1    # Original TTL when sent (was 1, router decremented to 0)
        Protocol: UDP (17)
        Header Checksum: 0x... [correct]
        Source Address: 192.168.1.100
        Destination Address: 8.8.8.8
    
    User Datagram Protocol, Src Port: 42849, Dst Port: 33434
        Source Port: 42849    # First 8 bytes of original payload
        Destination Port: 33434
        Length: 32
        Checksum: 0x...
 
# Note: Port 33434 is classic traceroute starting port
# Each probe uses incrementing ports: 33434, 33435, 33436...

ICMP Rate Limiting

Most routers rate-limit ICMP generation to prevent ICMP floods from consuming CPU resources. Common limits are 1-2 ICMP messages per second per destination. This is why traceroute probes may timeout even when the path works—the router simply didn't generate an ICMP response for that probe.

Summary: TTL Purpose

The Time to Live field serves as one of the most important safety and utility mechanisms in the IP protocol. Let's consolidate its critical purposes:

Key Takeaways

•Loop Prevention — TTL's primary purpose is ensuring packets cannot circulate forever in routing loops, protecting the network from catastrophic resource exhaustion.
•Network Diagnostics — By sending packets with incrementing TTL values, we can map network paths through traceroute, one of the most essential debugging tools.
•Multicast Scoping — TTL limits multicast propagation, allowing administrators to define boundaries for traffic distribution (though address-based scoping is now preferred).
•Packet Lifetime Bound — TTL provides guarantee that packets expire, enabling TCP's TIME_WAIT and fragment reassembly timeouts to function correctly.
•Security (GTSM) — TTL=255 requirement ensures routing protocol packets come from directly-connected peers, blocking remote spoofing attacks.
•Forensics — TTL reveals path length and can indicate spoofing when values deviate from expected patterns.

What's Next:

Now that you understand TTL's structure and purposes, the next page explores the Protocol field—the 8-bit multiplexer that identifies which upper-layer protocol (TCP, UDP, ICMP, etc.) should receive the packet's payload. This field is essential for the IP layer to correctly demultiplex incoming datagrams.

Page Complete

You now have a comprehensive understanding of why TTL exists and its five critical purposes. From loop prevention to security, this 8-bit field is fundamental to the Internet's stability and manageability. Next, we'll examine the Protocol field and upper-layer multiplexing.

2 / 5

Loading learning content...

Computer NetworksTTL and Protocol

TTL and Protocol Fields in IPv4

LevelIntermediate

Duration90 mins

TopicTTL and Protocol

2 / 5

TTL Purpose

Why Every Packet Must Eventually Die

This page explores the multifaceted purposes of TTL, demonstrating why this seemingly simple 8-bit counter is fundamental to the Internet's operation.

What You Will Learn

Primary Purpose: Routing Loop Prevention

Why Routing Loops Occur

Consider this scenario:

Converting Mermaid diagram...

Now, suppose the link between Router C and network 10.0.0.0/24 fails:

Timeline of Loop Formation:

T=0: Link fails. Router C detects failure and removes the route from its table.
T=1s: Router B still has old information. Its routing table says: "10.0.0.0/24 via Router C."
T=2s: Router C sends update to Router B, but before it arrives, Router C receives a query from Router A.
T=3s: Router A asks Router B for a path. Router B responds: "I can reach 10.0.0.0/24 via C."
T=4s: Router C, having lost its direct route, queries neighbors. Router B says: "I can reach it!"
Loop formed: Router C now thinks the path is via Router B. Packets to 10.0.0.0/24 bounce between B and C indefinitely.

Converting Mermaid diagram...

Without TTL: Catastrophic Amplification

How TTL Breaks the Loop

With TTL, each packet has a maximum lifespan:

Packet enters at Router A with TTL=64
Router A forwards to Router B: TTL decremented to 63
Router B forwards to Router C: TTL=62
Router C forwards back to Router B: TTL=61
This continues until TTL reaches 0
At TTL=0, the router discards the packet and sends ICMP Time Exceeded to the source

With TTL=64, a loop can execute at most 63 times before the packet is destroyed. The source receives notification via ICMP, and no single packet can consume infinite resources.

Loop Impact With and Without TTL
Metric	Without TTL	With TTL=64
Packet Lifetime	Infinite	Maximum 64 hops
Bandwidth Impact	Exponential growth to saturation	Bounded by initial packet count × 64
Recovery Time	Never (network collapse)	Seconds (packets expire, ICMP notifies)
Source Awareness	None (silent failure)	ICMP Time Exceeded messages
Router CPU Impact	Overload and crash	Minimal additional load

Enabling Network Diagnostic Tools

The Traceroute Algorithm

Traceroute exploits TTL behavior systematically:

Send a packet to the destination with TTL=1
First router decrements TTL to 0, discards packet, sends ICMP Time Exceeded
Source learns the first router's identity and round-trip time
Repeat with TTL=2, then TTL=3, and so on
Continue until destination responds (or max hops reached)

The result is a complete map of the path, showing every intermediate router.

Converting Mermaid diagram...

traceroute-examples.sh

# Basic traceroute using ICMP (macOS default) or UDP (Linux default)
traceroute www.example.com
 
# Force ICMP mode (requires root on Linux)
sudo traceroute -I www.example.com
 
# Force TCP mode (useful when ICMP is blocked)
sudo traceroute -T -p 443 www.example.com
 
# Paris-traceroute: Consistent ECMP path per TTL
paris-traceroute www.example.com
 
# Example output:
# traceroute to www.example.com (93.184.216.34), 30 hops max
#  1  192.168.1.1 (192.168.1.1)  1.234 ms  0.987 ms  0.876 ms
#  2  10.0.0.1 (10.0.0.1)  5.432 ms  4.321 ms  4.567 ms
#  3  72.14.194.226 (72.14.194.226)  12.345 ms  11.234 ms  11.567 ms
#  4  * * *   <- Router not responding to ICMP
#  5  93.184.216.34 (93.184.216.34)  15.678 ms  14.567 ms  15.123 ms
 
# MTR: Continuous traceroute with statistics
mtr --report --report-cycles 10 www.example.com

Advanced Traceroute Variations

The basic traceroute concept has spawned many specialized tools:

Traceroute Tool Variations
Tool	Technique	Use Case
traceroute (Linux)	UDP to high ports	Default, works through most NATs
traceroute -I	ICMP Echo Request	When UDP is blocked
traceroute -T	TCP SYN packets	When ICMP/UDP blocked by firewalls
paris-traceroute	Consistent 5-tuple per TTL	Accurate ECMP path discovery
dublin-traceroute	NAT-aware, multi-path	Complex enterprise networks
mtr	Continuous traceroute + ping	Real-time path monitoring
pathping (Windows)	Combined ping + traceroute	Packet loss statistics per hop

Why Hops Show Asterisks (*)

Multicast Traffic Scoping

The Scoping Problem

Consider a video conferencing application multicasting to address 224.1.1.1. Without scope controls:

Traffic might propagate across the entire Internet
Users worldwide could (theoretically) join the session
Bandwidth consumption would be catastrophic
No administrative control over traffic boundaries

TTL-based scoping provides a simple solution: multicast routers can refuse to forward packets below a certain TTL threshold. This creates concentric circles of reach based on TTL values.

RFC 2365 Multicast TTL Scopes
TTL Value	Scope Name	Typical Boundary	Example Use
0	Same interface	Loopback	Testing multicast stack
1	Same subnet	Layer 2 broadcast domain	Service discovery (mDNS, SSDP)
15	Same site	Campus or building	Departmental video streaming
31	Same site (historic)	Legacy site boundary	Older configurations
63	Same region	Metropolitan area	Regional content distribution
127	Same continent	Continental boundary	CDN distribution
255	Unrestricted	Global Internet	Internet-wide multicast (rare)

How TTL Scoping Works

Multicast routers implement TTL thresholds on their interfaces. When a multicast packet arrives:

Router decrements TTL (standard behavior)
Router compares remaining TTL against interface's threshold
If TTL < threshold, packet is NOT forwarded out that interface
If TTL ≥ threshold, packet is forwarded

This allows administrators to define scope boundaries by configuring thresholds:

multicast-ttl-config.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Cisco IOS: Configure multicast TTL threshold
interface GigabitEthernet0/0
 ip multicast ttl-threshold 32
 ! Packets with TTL < 32 will NOT be forwarded out this interface
 ! Use this on WAN links to contain site-local multicast
 
# Example: Creating site boundary
# Internal interfaces: ttl-threshold 1 (forward almost everything)
# WAN interface: ttl-threshold 16 (block site-local traffic)
 
interface GigabitEthernet0/1
 description Internal-LAN
 ip multicast ttl-threshold 1
 
interface GigabitEthernet0/2
 description WAN-Link
 ip multicast ttl-threshold 16
 
# Verify configuration
show ip multicast interface
# Output shows threshold per interface
 
# Juniper JunOS equivalent:
# set protocols pim interface ge-0/0/0 ttl-threshold 32

TTL Scoping is Deprecated

Common Protocols Using TTL=1

Many service discovery and link-local protocols set TTL=1 intentionally:

Protocols with TTL=1

•mDNS (Multicast DNS) — Returns TTL=1 to keep queries and responses link-local. Used by Apple Bonjour, Avahi.
•SSDP (Simple Service Discovery Protocol) — UPnP discovery uses TTL=1 or 2 for home network devices.
•OSPF Hello Packets — Routing protocol keepalives use TTL=1 since neighbors must be directly connected.
•VRRP (Virtual Router Redundancy Protocol) — Advertisements use TTL=255, but receivers reject if TTL isn't 255 (security measure).
•IGMP (Internet Group Management Protocol) — Membership reports use TTL=1 since only the local router needs them.

Packet Lifetime and Resource Management

Beyond loop prevention, TTL provides a broader guarantee: bounded packet lifetime. This guarantee has important implications for protocol design, system resources, and network behavior.

Maximum Segment Lifetime (MSL) and TCP

TCP relies on the concept of Maximum Segment Lifetime—the longest time a packet can exist in the network. MSL is typically set to 2 minutes (120 seconds), which assumes TTL provides adequate bound.

Why MSL Matters:

When a TCP connection closes, the endpoint that sends the final ACK enters the TIME_WAIT state for 2×MSL (4 minutes by default). This ensures:

Any delayed packets from the old connection have expired (TTL depleted)
The new connection using the same 4-tuple won't receive old packets
Proper connection state cleanup across all network paths

Without TTL's lifetime guarantee, TCP would have no reliable way to know when old packets have definitively expired.

tcp-msl-relationship.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# TCP TIME_WAIT and MSL relationship
#
# TIME_WAIT duration = 2 × MSL = 2 × 120 seconds = 240 seconds (4 minutes)
#
# This design assumes:
# - TTL ensures packets die within MSL
# - No packet can live longer than MSL regardless of routing conditions
# - After 2×MSL, any duplicate packets are guaranteed to be expired
 
# Linux: View/modify TIME_WAIT duration (in seconds)
cat /proc/sys/net/ipv4/tcp_fin_timeout
# Default: 60 seconds (Linux uses shorter value than RFC)
 
# View current TIME_WAIT sockets
ss -tan state time-wait | wc -l
 
# High TIME_WAIT count is normal for busy servers
# Each represents a recently-closed connection waiting for packets to expire
 
# Example: Web server with 50,000 requests/minute
# At 60-second TIME_WAIT: expect ~50,000 sockets in TIME_WAIT state

The MSL-TTL Assumption

Fragment Reassembly Timeout

When IP fragments arrive at a destination, the receiving host must hold them until all fragments arrive. But how long should it wait?

RFC 791 recommends a reassembly timeout of 15-60 seconds, related to (but independent of) TTL. The reasoning:

Fragments with expired TTL will never arrive
Holding fragments indefinitely wastes memory
Timeout should exceed maximum expected variation in fragment arrival

In practice, most implementations use 30-60 seconds, far shorter than MSL, as fragments typically arrive within milliseconds of each other.

TTL and Related Timeouts
Concept	Typical Value	Relationship to TTL
Maximum Segment Lifetime (MSL)	120 seconds	Upper bound on packet lifetime; assumes TTL provides limit
TCP TIME_WAIT	2 × MSL = 240s	Waits for all old packets to expire via TTL
Fragment Reassembly Timeout	30-60 seconds	Maximum wait for missing fragments
DNS Record TTL	Varies (seconds-days)	Unrelated; uses 'TTL' name but for cache lifetime
BGP Hold Timer	90 seconds (default)	Unrelated; keepalive timeout, not packet lifetime

Security Applications of TTL

TTL has evolved beyond its original purposes to become a security tool. Several security mechanisms leverage TTL's hop-counting property to detect spoofing and enforce topological requirements.

Generalized TTL Security Mechanism (GTSM) - RFC 5082

GTSM is a security technique that uses TTL to verify packets came directly from a neighbor, protecting routing protocols from remote attackers.

The Security Problem:

The GTSM Solution:

Sender sets TTL=255 (maximum value) for all routing protocol packets
Receiver rejects packets with TTL < 254 (or stricter threshold)
Since each intermediate hop decrements TTL, a packet from a remote attacker arrives with reduced TTL
Only directly-connected peers can send packets that arrive with TTL=254 or 255

Converting Mermaid diagram...

gtsm-configuration.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# Cisco IOS: Enable GTSM for BGP neighbor
router bgp 65001
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 ttl-security hops 1
 ! Requires TTL >= 254 (255 - 1 = 254 minimum)
 ! Packets from more than 1 hop away are rejected
 
# For eBGP multihop (multiple hops allowed)
 neighbor 10.0.0.3 remote-as 65003
 neighbor 10.0.0.3 ebgp-multihop 3
 neighbor 10.0.0.3 ttl-security hops 3
 ! Allows up to 3 hops; minimum TTL = 255 - 3 = 252
 
# Juniper JunOS: BGP TTL security
set protocols bgp group external neighbor 10.0.0.2 ttl 255
set protocols bgp group external neighbor 10.0.0.2 multihop ttl-threshold 254
 
# Linux (BIRD/FRRouting): TTL security
neighbor 10.0.0.2 {
    ttl-security hops 1
}

ICMP Time Exceeded Messages

ICMP Time Exceeded Message Structure (Type 11)
Field	Size	Value	Description
Type	8 bits	11	Time Exceeded
Code	8 bits	0 or 1	0=TTL exceeded, 1=Fragment reassembly timeout
Checksum	16 bits	Computed	ICMP header checksum
Unused	32 bits	0	Reserved for future use
Original Header	≥28 bytes	Copy	IP header + first 8 bytes of original packet

Code Values:

Code 0 (TTL Exceeded in Transit): Packet was discarded because TTL reached 0 during forwarding. This is the most common case and is used by traceroute.
Code 1 (Fragment Reassembly Time Exceeded): Destination received some fragments but the reassembly timer expired waiting for remaining fragments.

What's Included in the Response:

The ICMP Time Exceeded message includes a copy of the original packet's IP header plus the first 8 bytes of the original payload. This provides:

Original source and destination addresses (identify the flow)
Original protocol field (identify TCP/UDP/etc.)
First 8 bytes of payload (typically includes source and destination ports for TCP/UDP)

These 28+ bytes of context allow the source to identify which packet triggered the error, essential for applications like traceroute that must correlate responses with probes.

icmp-time-exceeded-packet.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# Wireshark decode of ICMP Time Exceeded message
 
Internet Control Message Protocol
    Type: 11 (Time-to-live exceeded)
    Code: 0 (TTL exceeded in transit)
    Checksum: 0x4d5a [correct]
    Unused: 00000000
    
    # Copy of original packet header
    Internet Protocol Version 4, Src: 192.168.1.100, Dst: 8.8.8.8
        Version: 4
        Header Length: 20 bytes
        Total Length: 84
        Identification: 0x1234
        Flags: 0x0000
        Fragment Offset: 0
        Time to Live: 1    # Original TTL when sent (was 1, router decremented to 0)
        Protocol: UDP (17)
        Header Checksum: 0x... [correct]
        Source Address: 192.168.1.100
        Destination Address: 8.8.8.8
    
    User Datagram Protocol, Src Port: 42849, Dst Port: 33434
        Source Port: 42849    # First 8 bytes of original payload
        Destination Port: 33434
        Length: 32
        Checksum: 0x...
 
# Note: Port 33434 is classic traceroute starting port
# Each probe uses incrementing ports: 33434, 33435, 33436...

ICMP Rate Limiting

Summary: TTL Purpose

The Time to Live field serves as one of the most important safety and utility mechanisms in the IP protocol. Let's consolidate its critical purposes:

Key Takeaways

•Loop Prevention — TTL's primary purpose is ensuring packets cannot circulate forever in routing loops, protecting the network from catastrophic resource exhaustion.
•Network Diagnostics — By sending packets with incrementing TTL values, we can map network paths through traceroute, one of the most essential debugging tools.
•Multicast Scoping — TTL limits multicast propagation, allowing administrators to define boundaries for traffic distribution (though address-based scoping is now preferred).
•Packet Lifetime Bound — TTL provides guarantee that packets expire, enabling TCP's TIME_WAIT and fragment reassembly timeouts to function correctly.
•Security (GTSM) — TTL=255 requirement ensures routing protocol packets come from directly-connected peers, blocking remote spoofing attacks.
•Forensics — TTL reveals path length and can indicate spoofing when values deviate from expected patterns.

What's Next:

Page Complete

2 / 5