Loading learning content...
When designing IPv4, the architects faced a fundamental tension: the protocol needed to be efficient for fast forwarding, yet flexible enough to accommodate future needs. Their solution was the Options field—a variable-length extension to the standard 20-byte header that could carry additional control information.
This design seemed elegant: most packets would use the minimal 20-byte header for speed, while special cases could include options for debugging, routing control, security, and features not yet imagined. The Internet Header Length (IHL) field—expressing header size in 4-byte units—enabled headers up to 60 bytes (15 × 4), leaving 40 bytes for options.
What the designers didn't anticipate was that this flexibility would become IPv4's Achilles' heel. Processing options requires routers to examine variable-length data, make complex decisions, and potentially modify header contents—operations that destroy forwarding performance. Worse, options became a vector for attacks: malformed options crashed routers, source routing enabled bypass of security controls, and options-heavy packets created denial-of-service opportunities.
Today, most networks filter IP options at their borders; many routers drop options-bearing packets entirely. Understanding options is nonetheless essential for security analysis, troubleshooting legacy systems, and appreciating why IPv6 took a radically different approach to extensibility.
By the end of this page, you will understand the options field structure, common option types, processing requirements, security vulnerabilities, filtering practices, and how IPv6 improved upon this design with extension headers.
The Options field occupies the variable-length tail of the IPv4 header, beginning at byte 20 (immediately after the Destination Address) and extending to the byte count specified by the Internet Header Length (IHL) field.
| Byte Range | Field | Notes |
|---|---|---|
| 0-19 | Fixed header fields | Always present: Version, IHL, ToS, Length, ID, Flags, Fragment Offset, TTL, Protocol, Checksum, Source/Dest addresses |
| 20-59 | Options (if present) | Variable length, 0-40 bytes |
| After options | Padding | Zeros to align to 32-bit boundary |
IHL and Options Length:
The IHL field in bytes 0 (bits 4-7) indicates the total header length in 32-bit (4-byte) words:
This encoding means:
1234567891011121314151617181920212223242526
# Calculating header length from IHL # Example 1: Standard header, no optionsIHL = 5Header length = IHL × 4 = 5 × 4 = 20 bytesOptions length = Header length - 20 = 0 bytes # Example 2: Header with Record Route optionIHL = 9Header length = IHL × 4 = 9 × 4 = 36 bytesOptions length = 36 - 20 = 16 bytes # Example 3: Maximum header sizeIHL = 15Header length = IHL × 4 = 15 × 4 = 60 bytesOptions length = 60 - 20 = 40 bytes # Binary representation in first byte:# Version (4) | IHL (5) = 0100 0101 = 0x45 (no options)# Version (4) | IHL (9) = 0100 1001 = 0x49 (with options) # Wireshark filter for packets WITH options:ip.hdr_len > 20 # Wireshark filter for packets WITHOUT options:ip.hdr_len == 20When options are present, the payload begins at byte 20 + options_length instead of byte 20. Code that assumes payload starts at offset 20 will break. Always read IHL and calculate header_length = IHL × 4.
Each option within the options field follows a Type-Length-Value (TLV) format, with some single-byte exceptions.
Single-Byte Options:
Two special options consist of only a single type byte:
Multi-Byte Options:
All other options use this format:
| Field | Size | Description |
|---|---|---|
| Type | 1 byte | Option type code (see below) |
| Length | 1 byte | Total option length including Type and Length fields |
| Data | Length-2 bytes | Option-specific data |
Type Byte Structure:
The Type byte itself encodes three pieces of information in its 8 bits:
| Bits | Name | Meaning |
|---|---|---|
| Bit 7 (MSB) | Copied flag | 1 = Copy this option to all fragments. 0 = Copy only to first fragment. |
| Bits 6-5 | Class | Option class: 0=Control, 2=Debugging/Measurement, 1 and 3=Reserved |
| Bits 4-0 | Number | Option-specific identifier within class |
12345678910111213141516171819202122232425262728293031323334353637383940
# Option Type Byte Decoding # Type = 0x00 (End of Option List)Binary: 0 00 00000Copied: 0 (don't copy to fragments)Class: 0 (control)Number: 0 # Type = 0x01 (No Operation)Binary: 0 00 00001Copied: 0Class: 0 (control)Number: 1 # Type = 0x07 (Record Route)Binary: 0 00 00111Copied: 0 (only first fragment)Class: 0 (control)Number: 7 # Type = 0x44 (Timestamp)Binary: 0 10 00100Copied: 0Class: 2 (debugging/measurement)Number: 4 # Type = 0x83 (Loose Source Route)Binary: 1 00 00011Copied: 1 (copy to all fragments!)Class: 0 (control)Number: 3 # Type = 0x89 (Strict Source Route)Binary: 1 00 01001Copied: 1 (copy to all fragments)Class: 0 (control)Number: 9 # Key insight: Security options (source routing) have Copied=1# because route must be preserved across all fragmentsRFC 791 defined several options. While rarely used today, understanding them is essential for security analysis and legacy system support.
Record Route Option (Type 7)
Records the route a packet takes by having each router append its IP address.
Structure:
How It Works:
Limitation: Maximum 9 addresses (36 bytes + 3 bytes header = 39 bytes). Internet paths often exceed 9 hops, making this option useless for diagnosing modern paths.
123456789101112131415161718192021222324
# Record Route Option Structure Byte 0: 0x07 (Type 7 = Record Route)Byte 1: 0x27 (Length 39 = max size)Byte 2: 0x04 (Pointer = 4, first slot)Bytes 3-6: [First router address slot]Bytes 7-10: [Second router address slot]...Bytes 35-38: [Ninth router address slot] # After traversing 3 routers:07 27 10 c0 a8 01 01 c0 a8 02 01 0a 00 00 01 00 00 00 00 ... ^^ Pointer now at 16 (4 + 3*4 = 16) ^^^^^^^^^^^^ Router 1: 192.168.1.1 ^^^^^^^^^^^^ Router 2: 192.168.2.1 ^^^^^^^^^^^^ Router 3: 10.0.0.1 # Ping with record route (Linux/macOS):ping -R www.example.com # Windows:ping -r 9 www.example.com # 9 = max hops to record # Note: Many routers ignore or drop packets with this optionProcessing IP options is expensive. Unlike the fixed header fields that can be processed in hardware with predictable operations, options require variable-length parsing, conditional logic, and potentially header modification.
Processing Steps for Options-Bearing Packets:
Options processing typically requires moving packets from the hardware fast path to the router's CPU (slow path). This can reduce throughput by orders of magnitude—from millions of packets per second to thousands. A single malformed options packet can consume significant CPU time.
Fragmentation and Options:
The "Copied" flag in the option type determines behavior during fragmentation:
This design ensures security-critical options like source routing cannot be circumvented by sending some fragments without the option.
IP options have been a rich source of security vulnerabilities throughout Internet history. Understanding these risks is essential for defensive network engineering.
| Vulnerability | Mechanism | Impact | Mitigation |
|---|---|---|---|
| Pointer overflow | Malformed pointer field exceeds option length | Router crash, memory corruption | Strict bounds checking |
| Ping of Death | Fragmented ICMP with overlapping options | System crash | Fragment reassembly limits |
| Source route spoofing | Control reply path to spoofed source | Bypass authentication | Block source routing |
| Option length attacks | Length > 40 or Length > remaining header | Buffer overflow | Validate length fields |
| Zero-length options | Length = 0 causing infinite parsing loop | CPU exhaustion | Minimum length checks |
| Record Route amplification | Force traffic through multiple paths | DDoS amplification | Block Record Route |
Case Study: Source Routing Attack
Consider this attack scenario:
Without source routing: Attack blocked by firewall.
With source routing (if not blocked):
123456789101112131415161718192021
# Attack packet structure: IPv4 Header: Source IP: 203.0.113.100 (attacker, spoofed as 192.168.100.5) Destination IP: 192.168.1.50 (target server) Options: Loose Source Route Route: 203.0.113.100 → 10.0.0.1 (firewall) → 192.168.1.50 # Attack flow:1. Attacker sends packet with spoofed source 192.168.100.52. Source route forces packet through specific path3. Firewall sees packet destined for internal network, may forward4. Target server receives packet appearing from trusted 192.168.100.55. Responses follow source route BACK to attacker # Why this works:- Source routing overrides normal routing decisions- Responses use recorded route in reverse- Attacker receives replies despite spoofed source address # Defense: Block ALL source-routed packets at network edgeGiven the security risks and performance impact, most modern networks aggressively filter IP options. Understanding these practices helps design secure network architectures.
123456789101112131415161718192021222324
# Linux iptables: Drop packets with IP options # Drop ALL packets with any IP optionsiptables -A INPUT -m u32 --u32 "0>>22&0x3C@0>>24&0xF!=5" -j DROP# Explanation: Extract IHL field, drop if > 5 (meaning options present) # More specific: Drop source-routed packetsiptables -A INPUT -m ipv4options --lsrr -j DROPiptables -A INPUT -m ipv4options --ssrr -j DROPiptables -A FORWARD -m ipv4options --lsrr -j DROPiptables -A FORWARD -m ipv4options --ssrr -j DROP # Drop Record Route optioniptables -A INPUT -m ipv4options --rr -j DROP # Drop Timestamp option iptables -A INPUT -m ipv4options --ts -j DROP # Log before dropping (for monitoring)iptables -A INPUT -m ipv4options --any-opt -j LOG --log-prefix "IP_OPTION: "iptables -A INPUT -m ipv4options --any-opt -j DROP # nftables equivalent (modern Linux):nft add rule ip filter input ip hdrlength > 20 dropIPv6 learned from IPv4's options mistakes. Instead of a variable-length options field within a single header, IPv6 uses extension headers—a chain of separate headers between the fixed IPv6 header and the upper-layer payload.
| Aspect | IPv4 Options | IPv6 Extension Headers |
|---|---|---|
| Location | Variable tail of main header | Separate headers after fixed header |
| Size Limit | 40 bytes maximum | No inherent limit (64KB practical) |
| Processing | All options examined by every router | Most extensions only processed by endpoints |
| Performance | Slow path required | Only Hop-by-Hop option needs router processing |
| Chaining | All options in single block | Headers chain via Next Header field |
| Flexibility | Limited by size constraint | Unlimited extension types |
Key IPv6 Extension Headers:
The Critical Improvement:
Most IPv6 extension headers are processed only by the destination, not by intermediate routers. This eliminates the performance penalty that plagued IPv4 options. Only Hop-by-Hop Options require router processing, and even those can be ignored by overloaded routers.
Despite the improved design, IPv6 extension headers have also faced filtering. Large operators drop packets with extension headers due to processing concerns and attack potential. This has caused deployment challenges for Mobile IPv6 and other extension-dependent protocols.
The IPv4 Options field represents a well-intentioned extensibility mechanism that became a liability in practice. Let's consolidate the key concepts:
Module Complete:
You have now completed the comprehensive exploration of TTL and Protocol in IPv4. This module covered:
These fields work together to enable reliable, secure packet delivery across the Internet. Understanding them deeply is essential for network engineering, security analysis, and protocol design.
Congratulations! You have mastered the TTL and Protocol module. You understand the full lifecycle of packets from lifetime management through upper-layer delivery, integrity verification, and optional extensions. This knowledge forms a critical foundation for advanced network engineering.