Stateful Packet Inspection

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765

Keywords:
Firewall
NAT
SPI

Stateful Packet Inspection (SPI), as a term, is taken to mean different things depending on the context, and also the person or company using the term. The technique may also be known as 'keepstate' but that's not much more descriptive either.

The important concept is that the router keeps a record of outgoing connections from LAN clients to the WAN (Internet) - their state is kept by the router. These records are then used when an incoming packet is received and inspected. There we are - the three words that make up SPI actually explained in context for once!

NAT (Network Address Translation) is a system whereby one IP address is exchanged for another as a packet passes through a gateway (router). In the most common router scenario, this is a Many-to-One NAT system (many local IP addresses mapped to one external WAN address). A router must keep track of all outgoing connections in order to know who a reply packet is intended for. This is a type of kept state: if a packet arrives at a router's WAN interface without a matching NAT table entry, the router doesn't know who it's for, so it is dropped. This provides some inherent security in the NAT system, however NAT's primary purpose is not one of security - in fact it does everything possible to try and let data through, if it can work out who it's for. This method is obviously of no use in non-NAT scenarios where clients have direct public IP addresses.

True SPI doesn't rely on NAT tables but instead keeps track of all outgoing connections, whether the LAN client has a private NATted address or a fully routed public IP address (NAT security obviously doesn't apply if you are using public IP addresses inside your network). With SPI, any incoming packet is blocked by default unless there is an existing record of that LAN-side client soliciting information from that external location.

On the Vigor, with full SPI enabled the following is applied:

  • All traffic (incoming, outgoing, including NAT'd and non-NAT) is checked by the IP Filters both inbound and outbound. Without full SPI enabled, only outbound NAT Traffic would be passed through the IP filters. Inbound NAT Traffic that had a corresponding entry in the NAT active sessions table would skip the IP Filters as the Vigor assumed it to be trusted since it was solicited from a NAT'd device on the LAN.
  • IP Routed traffic (LAN-side clients with public IP addresses) can be keep-stated automatically without having to set up IP Filters; unsolicited inbound IP Routed Traffic is automatically blocked.
  • The State Table is stricter than the NAT Active Sessions Table, partly because the NAT system is meant to let as much through as possible - working out the assumed correct destination, whereas SPI's primary purpose is to block incoming data which is believed to be unsolicited. For example, with full SPI enabled a traceroute out to the Internet will fail for all hops other than the final destination, since the intermediary hops replying (due to the TTL expiry) are not replying from the kept-state (final) destination.
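To make the difference between the NAT active-sessions check and the full-SPI state table concrete, here is a small Python model written for this article; it is not DrayTek code and does not reproduce the Vigor firmware. It abstracts address translation away (flows are keyed on the LAN-side tuple the reply would be mapped back to), uses constructed addresses (192.168.1.x as the NAT'd LAN, 192.0.2.x as a routed public LAN, 203.0.113.x and 198.51.100.x as the Internet side), and assumes, as a modelling choice, that the looser NAT table accepts an ICMP error for any LAN host with an active session while the SPI table only accepts it from the kept-state destination. The three demo functions walk through the three bullets above: a solicited reply skipping the IP filters in NAT-only mode but not with full SPI, unsolicited traffic to a routed client, and the traceroute case.

```python
"""Toy model (constructed for this article, not Vigor firmware) of the NAT
active-sessions table versus a full-SPI state table, plus IP filter rules."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int         # for ICMP: echo identifier, or 0 for error messages
    dst_ip: str
    dst_port: int
    icmp_type: str = ""   # "echo-reply", "time-exceeded", "port-unreachable", ...


# (proto, lan_ip, lan_port, wan_ip, wan_port) as seen from the LAN side
FlowKey = Tuple[str, str, int, str, int]
Filter = Callable[[Packet], bool]   # an IP filter rule: True means "block this packet"
ICMP_ERRORS = ("time-exceeded", "port-unreachable", "destination-unreachable")


class StateTable:
    """Records outgoing connections; inbound packets are matched against them."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict            # True: SPI state table, False: NAT sessions
        self.flows: Set[FlowKey] = set()

    def record_outgoing(self, pkt: Packet) -> None:
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def solicited(self, pkt: Packet) -> bool:
        """True if an inbound packet answers a recorded outgoing flow."""
        if pkt.proto == "icmp" and pkt.icmp_type in ICMP_ERRORS:
            if self.strict:
                # SPI: the error must come from the kept-state (final) destination.
                # A hop answering because the TTL expired is not that destination.
                return any(lan == pkt.dst_ip and wan == pkt.src_ip
                           for _, lan, _, wan, _ in self.flows)
            # NAT (modelling assumption): lets it through if the LAN host has
            # any active session, i.e. it works out an assumed destination.
            return any(lan == pkt.dst_ip for _, lan, _, _, _ in self.flows)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.flows


class Router:
    NAT_PREFIX = "192.168.1."      # constructed: private LAN behind many-to-one NAT
    ROUTED_PREFIX = "192.0.2."     # constructed: LAN clients with public, routed IPs

    def __init__(self, full_spi: bool, filters: List[Filter]) -> None:
        self.full_spi = full_spi
        self.filters = filters
        self.nat_sessions = StateTable(strict=False)   # NAT'd clients only
        self.state = StateTable(strict=True)           # every outgoing connection

    def _blocked_by_filters(self, pkt: Packet) -> bool:
        return any(rule(pkt) for rule in self.filters)

    def outbound(self, pkt: Packet) -> Tuple[bool, str]:
        is_nat = pkt.src_ip.startswith(self.NAT_PREFIX)
        if is_nat:
            self.nat_sessions.record_outgoing(pkt)
        if self.full_spi:
            self.state.record_outgoing(pkt)    # routed clients are keep-stated too
        # Without full SPI only outbound NAT traffic goes through the IP filters.
        if (self.full_spi or is_nat) and self._blocked_by_filters(pkt):
            return False, "blocked by IP filter"
        return True, "forwarded"

    def inbound(self, pkt: Packet) -> Tuple[bool, str]:
        if self.full_spi:
            if not self.state.solicited(pkt):
                return False, "no state-table entry: unsolicited, dropped"
            if self._blocked_by_filters(pkt):
                return False, "solicited but blocked by IP filter"
            return True, "solicited, passed IP filters"
        # Non-SPI mode: a NAT'd destination is decided by the NAT table alone and
        # skips the filters; a routed destination gets no automatic keep-state.
        if pkt.dst_ip.startswith(self.NAT_PREFIX):
            if self.nat_sessions.solicited(pkt):
                return True, "NAT session matched, IP filters skipped"
            return False, "no NAT session: router does not know who it is for"
        if self._blocked_by_filters(pkt):
            return False, "blocked by IP filter"
        return True, "routed without kept state"


def reply_handling(full_spi: bool, block_host: bool) -> Tuple[bool, str]:
    """A NAT'd client opens HTTPS to 203.0.113.5; does the server's reply get in
    when an IP filter rule denies traffic from that host?"""
    rules: List[Filter] = []
    if block_host:
        rules.append(lambda p: p.src_ip == "203.0.113.5")
    r = Router(full_spi, rules)
    r.outbound(Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 443))
    return r.inbound(Packet("tcp", "203.0.113.5", 443, "192.168.1.10", 40000))


def unsolicited_routed(full_spi: bool) -> Tuple[bool, str]:
    """Unsolicited SSH to a LAN client that has a public, routed address."""
    r = Router(full_spi, [])
    return r.inbound(Packet("tcp", "198.51.100.7", 51515, "192.0.2.10", 22))


def traceroute(full_spi: bool) -> List[bool]:
    """UDP traceroute from a NAT'd client: which hops' ICMP replies are accepted?"""
    r = Router(full_spi, [])
    r.outbound(Packet("udp", "192.168.1.10", 33434, "203.0.113.5", 33434))
    hops = ["198.51.100.1", "198.51.100.2", "203.0.113.5"]   # constructed path
    accepted = []
    for hop in hops:
        kind = "port-unreachable" if hop == "203.0.113.5" else "time-exceeded"
        accepted.append(r.inbound(Packet("icmp", hop, 0, "192.168.1.10", 0, kind))[0])
    return accepted


if __name__ == "__main__":
    for spi in (False, True):
        print("full SPI" if spi else "NAT only", reply_handling(spi, True),
              unsolicited_routed(spi), traceroute(spi))
```

Running it shows the three behaviours from the list: with NAT only, the HTTPS reply is accepted even though a filter rule denies the host, because the NAT session match bypasses the filters, while full SPI runs the solicited reply through the filters and drops it; unsolicited inbound traffic to the routed client is forwarded without SPI but dropped with it; and the traceroute replies from the two intermediate hops are accepted by the looser NAT table but only the final destination's reply survives the SPI state table.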
