通过第 4 层 TCP::option 插入 IPV6 源地址解决安全追踪问题
在 CDN 的托管业务中，有些 CDN 只做四层加速转发，源地址转换后再转发给业务服务 VS。这样的场景下，为了防范攻击，需要 CDN 在四层 TCP::option 中插入客户端真实地址，然后由客户侧的 F5 读取该字段并插入 XFF。
IP规划:
2405:57c0:0:4::1 (self) 2405:57c0:0:4::2 (VS)--->2405:57c0:0:4::3 (self) 2405:57c0:0:4::4 (VS) 172.16.1.200(self)---> 172.16.1.10(SERVER)
LTM1机:
ltm profile tcp jtcp {
app-service none
tcp-options "{8 first} {29 last}"
timestamps disabled
}
root@(k8s-ve)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule rule_insert_option
ltm rule rule_insert_option {
#https://devcentral.f5.com/s/articles/tcl-procedures-to-compress-expand-a-ipv6-address-notation-988
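# Expand a compressed IPv6 address into eight zero-padded 4-hex-digit groups
# separated by ":" (e.g. "2405:57c0:0:4::1" -> "2405:57c0:0000:0004:0000:0000:0000:0001").
# Adapted from https://devcentral.f5.com/s/articles/tcl-procedures-to-compress-expand-a-ipv6-address-notation-988
# Arguments: addr - IPv6 address string; may carry a "%<zone>" / route-domain
#                   suffix (stripped, not re-appended) and a dotted IPv4 tail.
# Returns:   the expanded address, or "" if the input could not be parsed (the
#            Tcl error is logged at local0.debug). Callers must check for "".
proc expand_ipv6_addr_sp { addr } {
    if { [catch {
        # Strip an IPv6 ZoneID / Route Domain suffix such as "%1"
        if { [getfield $addr "%" 2] ne "" } then {
            set addr [getfield $addr "%" 1]
        }
        # Each expanded group is written as "xxxx " (5 chars), so the number of
        # groups already present is [string length "$blk1$blk2"] / 5 and the
        # "::" gap is filled with 8 minus that many "0000 " groups.
        set blk1 ""
        foreach val [split [getfield $addr "::" 1] ":"] {
            if { $val contains "." } then {
                # Dotted IPv4 tail: four octets become two 16-bit groups
                scan $val {%d.%d.%d.%d} oct1 oct2 oct3 oct4
                append blk1 [format "%02x%02x %02x%02x " $oct1 $oct2 $oct3 $oct4]
                unset -nocomplain oct1 oct2 oct3 oct4
            } else {
                append blk1 "[format %04x 0x$val] "
            }
        }
        set blk2 ""
        foreach val [split [getfield $addr "::" 2] ":"] {
            if { $val contains "." } then {
                # Dotted IPv4 tail: four octets become two 16-bit groups
                scan $val {%d.%d.%d.%d} oct1 oct2 oct3 oct4
                append blk2 [format "%02x%02x %02x%02x " $oct1 $oct2 $oct3 $oct4]
                unset -nocomplain oct1 oct2 oct3 oct4
            } else {
                append blk2 "[format %04x 0x$val] "
            }
        }
        set addr "[join "$blk1[string repeat "0000 " [expr {8 - [string length "$blk1$blk2"]/5}]] $blk2" ":"]"
    }] } then {
        # Parse failure: return "" rather than the error text, otherwise the
        # caller would hex-encode "errorInfo: ..." into the TCP option. The
        # original had an unreachable `return ""` after the error-text return.
        log local0.debug "errorInfo: [subst \$::errorInfo]"
        return ""
    }
    return $addr
}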
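when SERVER_CONNECTED {
    # Carry the real client address to the downstream BIG-IP as 16 raw bytes in
    # TCP option 29 (the peer rule get_option_insert_xxf_simple reads it back).
    set ip [IP::client_addr]
    set big6 [call expand_ipv6_addr_sp $ip]
    set nosep [string map {: ""} $big6]
    log local0. "ClientIP: $ip big6: $big6 nosep: $nosep"
    # Only emit the option when the expansion yielded exactly 128 bits of hex;
    # anything else (empty string, error text from a failed parse) would be
    # hex-encoded into the option and mislead the receiving side.
    if { [regexp {^[0-9a-fA-F]{32}$} $nosep] } {
        TCP::option set 29 [binary format H* $nosep] all
    } else {
        log local0. "TCP option 29 not set: could not expand client address $ip"
    }
}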
}
ltm virtual vs_cdn_web {
creation-time 2022-03-01:01:35:20
destination 2405:57c0:0:4::2.http
ip-protocol tcp
last-modified-time 2022-03-01:04:16:05
pool pool_ipv6_F5_web
profiles {
http { }
jtcp { }
}
rules {
rule_insert_option
}
serverssl-use-sni disabled
translate-address enabled
translate-port enabled
vs-index 10
}
LTM2机:
ltm profile tcp tcp_opt78 {
app-service none
tcp-options "{78 last}"
}
ltm rule get_option_insert_xxf_simple {
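when HTTP_REQUEST {
    # Recover the real client address that the upstream BIG-IP
    # (rule_insert_option) placed in TCP option 29 as 16 raw bytes, and pass
    # it to the pool members in X-Forwarded-For.
    # The option value is only trustworthy if clients cannot reach this VS
    # directly; vs_web_ipv6xff_test is enabled on vlan_internal only.
    # NOTE(review): the TCP profile attached to this VS must list option 29 in
    # tcp-options; the only LTM2 profile shown (tcp_opt78) lists 78 — confirm
    # the "options-get" profile used by vs_web_ipv6xff_test allows {29 ...}.
    set opt29 [TCP::option get 29]
    # Log the option as hex; the raw bytes garble the syslog line
    binary scan $opt29 H* opt29hex
    log local0. "opt29 is 0x$opt29hex"
    # The option is absent (or not 128 bits) on connections that did not come
    # through the upstream rule; never hand such a value to IP::addr parse.
    # (The original `info exists optaddr` test was always true after `set`.)
    if { [string length $opt29] != 16 } {
        log local0. "TCP option 29 missing or malformed, X-Forwarded-For not set"
        return
    }
    set optaddr [IP::addr parse -ipv6 $opt29]
    # Any X-Forwarded-For supplied by the client is untrusted and could spoof
    # the real address, so replace it instead of appending a second header.
    HTTP::header remove "X-Forwarded-For"
    HTTP::header insert "X-Forwarded-For" $optaddr
    log local0. "Real client ip is $optaddr"
}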
}
ltm virtual vs_web_ipv6xff_test {
creation-time 2022-07-29:14:59:05
destination 2405:57c0:0:4::4.http
ip-protocol tcp
last-modified-time 2022-07-29:18:59:19
pool pool_web_80
profiles {
http { }
options-get { }
}
rules {
get_option_insert_xxf_simple
}
serverssl-use-sni disabled
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vlans {
vlan_internal
}
vlans-enabled
vs-index 30
}
在LTM1机发起访问:
[root@k8s-ve:Active:Standalone] config # curl http://[2405:57c0:0:4::2]
Mar 1 04:22:11 k8s-ve.cgbchina.com.cn info tmm[25536]: Rule /Common/rule_insert_option <SERVER_CONNECTED>: ClientIP: 2405:57c0:0:4::1 big6: 2405:57c0:0000:0004:0000:0000:0000:0001 nosep: 240557c0000000040000000000000001
Mar 1 04:25:09 k8s-ve.cgbchina.com.cn info tmm[25536]: Rule /Common/rule_insert_option <SERVER_CONNECTED>: ClientIP: 2405:57c0:0:4::1 big6: 2405:57c0:0000:0004:0000:0000:0000:0001 nosep: 240557c0000000040000000000000001
Mar 1 04:25:10 k8s-ve.cgbchina.com.cn info tmm[25536]: Rule /Common/rule_insert_option <SERVER_CONNECTED>: ClientIP: 2405:57c0:0:4::1 big6: 2405:57c0:0000:0004:0000:0000:0000:0001 nosep: 240557c0000000040000000000000001
Mar 1 10:21:43 k8s-ve.cgbchina.com.cn info tmm[25536]: Rule /Common/rule_insert_option <SERVER_CONNECTED>: ClientIP: 2405:57c0:0:4::1 big6: 2405:57c0:0000:0004:0000:0000:0000:0001 nosep: 240557c0000000040000000000000001
Mar 1 10:21:44 k8s-ve.cgbchina.com.cn info tmm[25536]: Rule /Common/rule_insert_option <SERVER_CONNECTED>: ClientIP: 2405:57c0:0:4::1 big6: 2405:57c0:0000:0004:0000:0000:0000:0001 nosep: 240557c0000000040000000000000001
看LTM2机:
Jul 30 11:16:27 ESXI_BIGIP_SSLO.cgbchina.com.cn info tmm[17544]: Rule /Common/get_option_insert_xxf_simple <HTTP_REQUEST>: opt29 is $WÀ
Jul 30 11:16:27 ESXI_BIGIP_SSLO.cgbchina.com.cn info tmm[17544]: Rule /Common/get_option_insert_xxf_simple <HTTP_REQUEST>: Real client ip is 2405:57c0:0:4::1
抓包附件:
https://files.cnblogs.com/files/key-network/tcp_option%E6%8A%93%E5%8C%85.rar?t=1659179992
原文地址:https://www.cnblogs.com/key-network/p/16535634.html