Note : This is the classic/original FAQ. For the very latest articles and new content for UK/Ireland users, please visit the Product Knowledgebase here

DrayTek Logo

General Router FAQ

Stateful Packet Inspection

Stateful Packet Inspection

Stateful Packet Inspection (SPI), as a term, is taken to mean different things depending on the context, and also the person or company using the term. The technique may also be known as 'keepstate' but that's not much more descriptive either.

The important concept is that the router keeps a record of outgoing connections from LAN clients to the WAN (Internet) - their state is kept by the router. These records are then used when an incoming packet is received and inspected. There we are - the three words that make up SPI actually explained in context for once!

NAT (Network Address Translation) is a system whereby one IP address is exchanged for another as it passes through a gateway (router). In the most common router scenario, this is a Many-to-One NAT system (many local IP addresses mapped to one external WAN address). A router must keep track of all outgoing connections in order to know who a reply packet is intended for. This is a type of kept-state as if a packet arrives at a router's WAN interface without a matching NAT table entry, the router doesn't know who its for, so it is dropped. This provides some inherrent security of the NAT system however NAT's primary purpose is not one of security - in fact it does everything possible to try and let data through, if it can work out who it's for. This method is obviously of no use in non-NAT scenarios where clients have direct public IP addresses.

True SPI doesn't rely on NAT tables but instead keeps track of all outgoing connections, whether the LAN client has a private NATted address or a fully routed public IP address (NAT security obvious doesn't apply if you are using public IP addresses inside your network). With SPI Any incoming packet is blocked by default unless there is an existing record of that LAN-side client soliciting information from that external location.

On the Vigor, with full SPI enabled the following is applied:

NOTICE : This document is © SEG Communications and may not be distributed without specific written consent. Information and products subject to change at any time without notice.