TTL stands for Time To Live and is an 8 bit field in the IP header of a IPv4 packet. The commonly accepted explanation of what TTL is that it is a number that is decremented by 1 every hop of it’s journey to the destination host. When this number decrements to 0, the current router drops it, and sends back an ICMP error (11-Time Exceeded) to the sender. This mitigates endless routing loops if there is errors in the network path, and, without the TTL field, routers would continue to pass the packet back and forth for all eternity.
What is interesting is that, depending on the firewall, you could see a packet with a TTL of 122 go into the firewall, and come out the other side with TTL of 120. How is this you ask? Well, let’s take a look at the RFC that defines the TTL field. (As a side note, RFC (Request for Comments) is a series of memorandums that engineers (or whoever!) publish for peer-review of their proposals for protocols. The IETF will take some of these RFC’s and make them an Internet Standard. All of the protocols of the underpinnings of the Internet, among many other things, are spelled out in RFCs. So let’s take a look at RFC 1122. (There are others that offer more detailed info as well)
RFC 1122 states that the TTL should be decremented between 60 seconds and 120 seconds–not every hop. Later RFC’s stated that the TTL had to be decremented by at least one every hop. As this was implemented in regards to routers, the manufactures of the routers found that it just could not be done very easily–whereas firewalls they could. So what we have is routers that decrement the TTL based on hops, and firewalls decrementing based on time (seconds). Not really a big deal at first glance, but make sure you take it into account when you use a utility like traceroute.
Josh
Defensive Depth 