
通过第 4 层 TCP::option 插入 IPV6 源地址解决安全追踪问题


在 CDN 的托管业务中,有些 CDN 只做四层加速转发,源地址转换后转给业务服务 VS。这样的场景下如果要防范攻击,需要 CDN 在四层 TCP::option 中插入客户端真实地址,然后由客户的 F5 读取该字段并插入 XFF。

IP规划:

2405:57c0:0:4::1 (self) 2405:57c0:0:4::2 (VS)--->2405:57c0:0:4::3 (self) 2405:57c0:0:4::4 (VS)   172.16.1.200(self)--->     172.16.1.10(SERVER)

LTM1机:

ltm profile tcp jtcp {
    app-service none
    tcp-options "{8 first} {29 last}"
    timestamps disabled
}

root@(k8s-ve)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm rule rule_insert_option
ltm rule rule_insert_option {
#https://devcentral.f5.com/s/articles/tcl-procedures-to-compress-expand-a-ipv6-address-notation-988
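#######################################
# Expand an IPv6 address into its full 8-group, 4-hex-digit notation, e.g.
#   2405:57c0:0:4::1  ->  2405:57c0:0000:0004:0000:0000:0000:0001
# Argument: addr - IPv6 address text. A trailing "%<zone|route-domain>" suffix is
#           stripped and NOT re-appended: the caller needs exactly 128 bits of hex,
#           and a suffix would otherwise end up inside the TCP option payload.
# Returns:  the expanded address (lowercase hex, ":"-separated), or "" when addr
#           cannot be parsed; the parse error is logged at local0.debug.
# NOTE:     IPv6 only. A plain IPv4 dotted address is not rejected here: it would be
#           folded into the first two groups and zero-padded, which is not a
#           meaningful address. Callers should check that addr contains ":" first.
#######################################
proc expand_ipv6_addr_sp { addr } {
    if { [catch {
        # "%id" (ZoneID / Route Domain) is not part of the 128-bit address.
        set addr [getfield $addr "%" 1]
        # Expand the groups on each side of a possible "::". Every group becomes one
        # "xxxx " token so the two halves can be counted and padded below.
        set blk1 ""
        set blk2 ""
        foreach { side var } [list [getfield $addr "::" 1] blk1 [getfield $addr "::" 2] blk2] {
            foreach grp [split $side ":"] {
                if { [string match "*.*" $grp] } {
                    # Embedded IPv4 notation (e.g. ::ffff:10.1.2.3) occupies two groups.
                    if { [scan $grp {%d.%d.%d.%d} o1 o2 o3 o4] != 4 } {
                        error "bad IPv4 group '$grp'"
                    }
                    append $var [format "%02x%02x %02x%02x " $o1 $o2 $o3 $o4]
                } else {
                    # Reject anything that is not 1-4 hex digits instead of letting
                    # format emit a 5+ digit group that would break the padding math.
                    if { ![string is xdigit -strict $grp] || [string length $grp] > 4 } {
                        error "bad IPv6 group '$grp'"
                    }
                    append $var [format "%04x " 0x$grp]
                }
            }
        }
        # "::" stands for as many zero groups as are needed to reach 8 in total;
        # without "::" the address must already have exactly 8 groups.
        set have [expr {[llength $blk1] + [llength $blk2]}]
        if { $have > 8 || (![string match "*::*" $addr] && $have != 8) } {
            error "wrong number of groups in '$addr'"
        }
        set pad [string repeat "0000 " [expr {8 - $have}]]
        set addr [join [concat $blk1 $pad $blk2] ":"]
    } err] } {
        # Return "" rather than the error text: the caller feeds the result to
        # binary format H*, which must only ever see hex digits.
        log local0.debug "expand_ipv6_addr_sp: cannot expand '$addr': $err"
        return ""
    }
    return $addr
}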


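when SERVER_CONNECTED {
    # Carry the real client address to the next hop (the customer's F5) in TCP option 29,
    # because the L4 forwarder in front of it rewrites the source address and the next
    # hop would otherwise only ever see the translated source.
    set ip [IP::client_addr]
    # expand_ipv6_addr_sp only understands IPv6 notation; an IPv4 client would be turned
    # into a bogus 128-bit value, so skip it rather than mislead the receiver.
    if { ![string match "*:*" $ip] } {
        log local0. "ClientIP: $ip is not IPv6; TCP option 29 not set"
        return
    }
    set big6 [call expand_ipv6_addr_sp $ip]
    # Drop the group separators; the option payload is the raw 16 bytes of the address.
    set nosep [string map {: ""} $big6]
    # Refuse anything that is not exactly 32 hex digits: an expansion failure must not
    # end up as a malformed option (binary format H* also throws on non-hex text).
    if { ![string is xdigit -strict $nosep] || [string length $nosep] != 32 } {
        log local0. "ClientIP: $ip could not be expanded (got '$big6'); TCP option 29 not set"
        return
    }
    log local0. "ClientIP: $ip big6: $big6 nosep: $nosep"
    # "all": put the option on every segment so the receiver can read it on the data
    # packet that carries the HTTP request, not only on the handshake.
    TCP::option set 29 [binary format H* $nosep] all
}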
}

ltm virtual vs_cdn_web {
    creation-time 2022-03-01:01:35:20
    destination 2405:57c0:0:4::2.http
    ip-protocol tcp
    last-modified-time 2022-03-01:04:16:05
    pool pool_ipv6_F5_web
    profiles {
        http { }
        jtcp { }
    }
    rules {
        rule_insert_option
    }
    serverssl-use-sni disabled
    translate-address enabled
    translate-port enabled
    vs-index 10
}

LTM2机:

ltm profile tcp tcp_opt78 {
    app-service none
    tcp-options "{78 last}"
}

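ltm rule get_option_insert_xxf_simple {
# Read the real client address that the upstream device placed in TCP option 29 and
# expose it to the pool members as X-Forwarded-For. The tcp profile attached to the
# virtual must list 29 in its tcp-options for TCP::option get to see the value (the
# options-get profile referenced by the virtual is not listed on this page).
# The option value is trusted as-is: anything that can reach this virtual can set
# option 29, so the virtual must only be reachable from the upstream device (the
# virtual is bound to vlan_internal for that reason).
when HTTP_REQUEST {
    set opt29 [TCP::option get 29]
    # Log the option as hex; the raw 16 bytes are unreadable in /var/log/ltm.
    set opt29hex ""
    binary scan $opt29 H* opt29hex
    log local0. "opt29 is $opt29hex"
    # One IPv6 address is exactly 16 bytes (32 hex digits); anything else is absent or malformed.
    if { [string length $opt29hex] != 32 } {
        log local0. "TCP option 29 missing or not 16 bytes; X-Forwarded-For not set"
        return
    }
    # IP::addr parse raises on bad input; catch it so a bad option does not abort the
    # request with a TCL error. (The old [info exists optaddr] test was always true.)
    if { [catch { IP::addr parse -ipv6 $opt29 } optaddr] } {
        log local0. "TCP option 29 is not a valid IPv6 address: $optaddr"
        return
    }
    # replace, not insert: the trusted address must not sit next to a client-supplied
    # X-Forwarded-For header that a pool member might read first. replace inserts the
    # header when none is present.
    HTTP::header replace "X-Forwarded-For" $optaddr
    log local0. "Real client ip is $optaddr"
}
}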

ltm virtual vs_web_ipv6xff_test {
    creation-time 2022-07-29:14:59:05
    destination 2405:57c0:0:4::4.http
    ip-protocol tcp
    last-modified-time 2022-07-29:18:59:19
    pool pool_web_80
    profiles {
        http { }
        options-get { }
    }
    rules {
        get_option_insert_xxf_simple
    }
    serverssl-use-sni disabled
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vlans {
        vlan_internal
    }
    vlans-enabled
    vs-index 30
}

在LTM1机发起访问:

[root@k8s-ve:Active:Standalone] config # curl http://[2405:57c0:0:4::2]

Mar  1 04:22:11 k8s-ve.cgbchina.com.cn info tmm[25536]: Rule /Common/rule_insert_option <SERVER_CONNECTED>: ClientIP: 2405:57c0:0:4::1 big6: 2405:57c0:0000:0004:0000:0000:0000:0001 nosep: 240557c0000000040000000000000001
Mar  1 04:25:09 k8s-ve.cgbchina.com.cn info tmm[25536]: Rule /Common/rule_insert_option <SERVER_CONNECTED>: ClientIP: 2405:57c0:0:4::1 big6: 2405:57c0:0000:0004:0000:0000:0000:0001 nosep: 240557c0000000040000000000000001
Mar  1 04:25:10 k8s-ve.cgbchina.com.cn info tmm[25536]: Rule /Common/rule_insert_option <SERVER_CONNECTED>: ClientIP: 2405:57c0:0:4::1 big6: 2405:57c0:0000:0004:0000:0000:0000:0001 nosep: 240557c0000000040000000000000001
Mar  1 10:21:43 k8s-ve.cgbchina.com.cn info tmm[25536]: Rule /Common/rule_insert_option <SERVER_CONNECTED>: ClientIP: 2405:57c0:0:4::1 big6: 2405:57c0:0000:0004:0000:0000:0000:0001 nosep: 240557c0000000040000000000000001
Mar  1 10:21:44 k8s-ve.cgbchina.com.cn info tmm[25536]: Rule /Common/rule_insert_option <SERVER_CONNECTED>: ClientIP: 2405:57c0:0:4::1 big6: 2405:57c0:0000:0004:0000:0000:0000:0001 nosep: 240557c0000000040000000000000001

看LTM2机:

Jul 30 11:16:27 ESXI_BIGIP_SSLO.cgbchina.com.cn info tmm[17544]: Rule /Common/get_option_insert_xxf_simple <HTTP_REQUEST>: opt29 is $WÀ
Jul 30 11:16:27 ESXI_BIGIP_SSLO.cgbchina.com.cn info tmm[17544]: Rule /Common/get_option_insert_xxf_simple <HTTP_REQUEST>: Real client ip is 2405:57c0:0:4::1

抓包附件:

https://files.cnblogs.com/files/key-network/tcp_option%E6%8A%93%E5%8C%85.rar?t=1659179992

原文地址:https://www.cnblogs.com/key-network/p/16535634.html