Issue: Missing Client IP (Source IP) / Solution: Insert IP Address into TCP Option 28

Description

The true Client IP (Source IP or SrcIP) is lost when traffic traverses the scrubbing centers in a proxy configuration. 

 

Environment

  • Proxy / Proxies

 

Cause

  • The traditional method of inserting the SrcIP via the X-Forwarded-For (XFF) header isn't possible.
  • Inserting the XFF isn't possible when the traffic is either non-HTTP traffic or HTTPS traffic that is not decrypted and re-encrypted within Silverline.

 

Resolution

If utilizing IPv4, the SrcIP can be inserted into TCP Option 28, via a combination of a specific TCP profile and iRule within the F5 Silverline Cloud Platform.  Then, the SrcIP can be extracted via a BIG-IP at a customer's location, via a TCP profile and iRule.

Step 1: Silverline Creates iRule

Within Silverline, a specific iRule is available that reads the SrcIP and inserts it into TCP Option 28.  An example of the iRule within Silverline:

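when SERVER_CONNECTED {
   # Only IPv4 client addresses are handled
   if { [IP::version] == 4} {
      # Split the dotted-quad client address into its four octets
      scan [IP::client_addr] {%d.%d.%d.%d} a b c d
      # Write the octets as an 8-character hex string into TCP option 28
      TCP::option set 28 [format %02x%02x%02x%02x $a $b $c $d] all
   }
}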

 

This iRule then needs to be applied to the proxy(ies) requiring the SrcIP insertion:

 

Step 2: TCP Rule on Customer Premises

On the CPE BIG-IP, a combination of a modified TCP Profile and iRule will enable the extraction of the SrcIP from TCP Option 28.

First, either create a new TCP profile (recommended) or modify an existing profile to enable the use of TCP option 28.  This enables the iRule to extract (and, if desired, log) the SrcIP.

Example tmsh command (replace tcp-profile-name and tcp-parent-profile with your profile names):

create ltm profile tcp tcp-profile-name defaults-from tcp-parent-profile tcp-options "{28 last}"

Example result:

This TCP profile then needs to be applied to each Virtual Server where the SrcIP needs to be extracted.

 

Step 3: iRule on Customer Premises

Whether the traffic is HTTP or other determines which iRule needs to be created and applied to the Virtual Server(s).

Example HTTP iRule:

[Image: tcp-opt-28-cpe-http-rule-v2.png]

Example Other iRule:

[Image: tcp-opt-28-cpe-non-http-rule-v2.png]

Example VS config (non-HTTP and HTTP):

 

Result: TCP OPTION 28

SrcIP is inserted into TCP Option 28 within the Silverline Proxy infrastructure and can then be extracted locally, as shown in the log messages (/var/log/ltm) below:

 

Additional Note

Cisco ASA Firewalls have a feature called "TCP Normalizer" which automatically removes TCP options such as option 28.  To allow these options through a Cisco ASA firewall, you will need to configure a new tcp-map with the specific TCP option number you wish to be preserved.

 
