
The Linux Kernel provides Netfilter as a mechanism for both NAT and firewall functionality. Both of those functionalities require analysis and classification of incoming packets, which is dubbed "stateful packet inspection".

For most traffic, looking at the IP packet headers is sufficient. However, protocols like FTP, IRC, H.323 (and a couple more) have specific modules in the kernel configuration in order to facilitate proper NAT-traversal for those packets. In the kernel those are called 'conntrack modules'.

Now, my understanding is that the payload of those packets is examined in order to enable netfilter to recognize when an external connection arrives and needs to be routed to the respective client. This is because the protocol expects information transmitted on OSI layer 7 which has a direct impact on the actual IP packets being sent on layer 3. In other words, the application code causes the creation of another TCP connection, which has to be routed by the NAT device.

Now to my questions:

  • Why is this nowhere (okay, I just did a quick Google search) labelled with the term Deep Packet Inspection?
  • Given the massive number of plastic router devices running on GNU/Linux, might this be a legal problem in areas where Deep Packet Inspection is considered unlawful? Possible regulations regarding net neutrality and confidentiality of traffic come to mind, which might impact network service providers, who wish to provide a better service for clients and who need to employ NAT in certain environments.
  • `conntrack` and Deep Packet Inspection (DPI) are not the same. `conntrack` for FTP, for example, needs to know which port the client specified for Active FTP, not to inspect the packet for forbidden content, for example. DPI is much, much more complex than that. – ThoriumBR Oct 23 '17 at 20:16
  • You're stating that DPI is complex just because it's DPI. My premise, however, is that DPI is DPI because it looks at a packet's payload. In contrast to Shallow Packet Inspection, which is the norm for routing devices and only looks at their envelopes. The (usual) complexity of DPI stems from the huge number of operations it's required to perform within complex protocols. – tomboy64 Oct 24 '17 at 22:04
  • No, I am stating that DPI is not conntrack. DPI inspects way more content than IPs and ports. Shallow Packet Inspection is another name for the more common Stateful Packet Inspection. SPI is concerned about the *state*, while DPI is concerned about the *content*. – ThoriumBR Oct 24 '17 at 22:11
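To make concrete what the question and ThoriumBR's comments are arguing about, here is a small added example (written for this page, not code from the kernel or from any poster) that mimics what the FTP conntrack helper actually extracts from the control channel: the `PORT` command sent by the client and the `227` passive-mode reply sent by the server, and nothing else. The Linux `nf_conntrack_ftp` helper is attached only to the port-21 control flow and uses what it finds to register an "expectation" for the upcoming data connection; `nf_nat_ftp` additionally rewrites the address inside the `PORT` argument. The addresses, ports, session lines, class names and function names below are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: fragments of an FTP control-channel session as a NAT box
# would see them. Client 192.168.1.10 sits behind NAT; 203.0.113.5 is the
# public address (RFC 5737 documentation range); 198.51.100.7 is the server.
CLIENT_STREAM = (
    b"USER anonymous\r\n"
    b"PASS guest@example.com\r\n"
    b"PORT 192,168,1,10,4,210\r\n"          # 4*256+210 = 1234
    b"RETR PORT,1,2,3,4,5,6.txt\r\n"        # looks PORT-like but is a filename
)
SERVER_STREAM = (
    b"220 Welcome\r\n"
    b"227 Entering Passive Mode (198,51,100,7,195,80)\r\n"  # 195*256+80 = 50000
)

# Only these two shapes matter to the helper; the rest of the payload is opaque.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
PASV_RE = re.compile(rb"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class Expectation:
    """The data connection the NAT device must expect and translate."""
    direction: str  # "server_to_client" (active FTP) or "client_to_server" (passive)
    ip: str
    port: int


def _hostport(groups) -> Optional[tuple[str, int]]:
    """Decode the h1,h2,h3,h4,p1,p2 form; reject out-of-range octets."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def parse_line(line: bytes, from_client: bool) -> Optional[Expectation]:
    """Return an Expectation if this single control line creates one, else None."""
    if from_client:
        m = PORT_RE.match(line)
        direction = "server_to_client"   # active FTP: server dials the client
    else:
        m = PASV_RE.match(line)
        direction = "client_to_server"   # passive FTP: client dials the server
    if m is None:
        return None
    decoded = _hostport(m.groups())
    if decoded is None:
        return None  # malformed command: register nothing
    ip, port = decoded
    return Expectation(direction, ip, port)


def parse_control_stream(payload: bytes, from_client: bool) -> list[Expectation]:
    """Scan one direction of the control channel, line by line."""
    found = []
    for raw in payload.split(b"\n"):
        exp = parse_line(raw.rstrip(b"\r"), from_client)
        if exp is not None:
            found.append(exp)
    return found


def rewrite_port_command(line: bytes, public_ip: str, public_port: int) -> bytes:
    """What the NAT side of the helper does: swap the private endpoint in a
    PORT command for the public mapping. Any other line passes untouched.
    (The kernel must also fix up TCP sequence numbers when the length changes;
    that part is omitted here.)"""
    if not PORT_RE.match(line):
        return line
    arg = ",".join(public_ip.split(".") + [str(public_port // 256), str(public_port % 256)])
    return b"PORT " + arg.encode("ascii")


if __name__ == "__main__":
    print(parse_control_stream(CLIENT_STREAM, from_client=True))
    print(parse_control_stream(SERVER_STREAM, from_client=False))
    print(rewrite_port_command(b"PORT 192,168,1,10,4,210", "203.0.113.5", 40000))
```

The point the example makes is that the helper reads a single, rigidly formatted command line to learn one address and one port, then stops; the `RETR` line and the credentials are never interpreted, which is why the kernel treats this as connection tracking rather than content inspection. Note that since kernel 4.7 helpers are no longer attached automatically (`net.netfilter.nf_conntrack_helper` defaults to 0); an administrator has to assign one explicitly, e.g. `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`, so the payload parsing only happens on flows the operator has opted in.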

0 Answers