SPI filtering for packets that are part of ongoing communications is usually simple.


Multiple Choice

SPI filtering for packets that are part of ongoing communications is usually simple.

Explanation:
SPI filtering relies on the Security Parameter Index to select the correct Security Association for processing a packet. For packets in ongoing communications, the active SPIs aren’t fixed; they can change as sessions are rekeyed or new SAs are established. Some environments may use a single, long-lived SA, which makes filtering relatively straightforward. Others may have many SAs per tunnel or per direction, with SPIs rotating frequently during rekeying, which makes filtering more complex. Because the difficulty of filtering by SPI depends entirely on how SAs are managed in a given deployment—the number of active SPIs, how often they change, and how rekeying is handled—you can’t determine the complexity from the statement alone. In practice, you’d need visibility into the SA lifecycle for that particular network to decide how hard SPI-based filtering would be.

