Which fields of the IP header change from router to router?

oogleemooglee-

First off, I love the name. Secondly, I have an unhealthy fixation
with network protocols and so I thank you for the opportunity to
answer your question.

And your question is a tricky one. A router can do several different
things with a packet when it forwards it. The easy answer to your
question is that the Checksum and TTL (time-to-live) fields change. A
router is just supposed to decrement the TTL, recalculate the checksum
and send the packet on its merry way (unless the TTL equals 1 when the
router _receives_ the packet; in that case it should drop the packet
and send an ICMP TTL-Expired-In-Transit to the source address). But
now we get into the tricky area.

Many routers-- particularly packet-filter and stateful-inspection
firewalls-- want to appear invisible on the network. In these cases
they just forward to packet as-is and change neither the TTL or
Checksum.

Additionally, depending on the MTU (maximum transmission unit) of the
interface on the forward side of the router, a whole bunch of things
could change. If the network attached to the back side of a router can
deal with packets bigger than the front side is physically able to
handle, the router is responsible for chopping the packet up into
slices more easily digestible by the front side. In these cases the
Total Length (bits 16-31), the Fragment Offset (bits 39-63) and the
Checksum fields will all change. And this does not include the fields
that _could_ change (like TTL, which will very likely but is not
guaranteed to change).

Any router is also free to add or remove values from the Options
field. When trying to be a Good Internet Neighbor you should not
remove any Options, but in the name of security many sites do
(particularly the Record Route option, which can be used to discover
network topology when firewalls are configured to disable network
mapping tools such as traceroute, firewalk and Lantern). A change in
this field will require a change to the Total Length field (bits
16-31) as well as the to the Checksum.

It is also possible that the Flags field (bits 36-38) could change,
but is in
unlikley (their use is officially Reserved, but not defined, so some
routers may make undefined use of these fields and their values cannot
be relied upon). Such a change will also mean a change to the
Checksum.


So, like I said before, it is difficult to positively identify the
changes a router could make to an IP header (and we didn't even get
into the issues associated with NAT [Network Address Translation]).
From a purely generic sense, one can expect the the TTL (bits 64-71)
and Checksum (bits 80-95). However, this cannot be counted on. The
only axiom in routing with relation to the IP header is that any
change requires a change in the Checksum. Any, all and any combination
of the above scenarios can and will happen when routing.

Hopefully I've helped you, but I have a feeling that you had a
specific situation in mind. If this is the case, and I've not helped
you with that situation, please let me know so that I can clarify.

Great comprehensive answer. This totally exceeded my expectations --
provided correct answer plus more information than necessary, but
nonetheless, extremely valuable.