Crypto iRule CPU consumption
Hi all,
I have an iRule to decrypt all HTTP request payloads and another to encrypt all HTTP response payloads. It works perfectly, but the CPU consumption of TMM is very high. Does anyone have experience with these iRules? Can it be optimized so that it does not use so much CPU? Thank you
I have an i5800 series
Thanks all
JP
- JPcaceresMorale (Nimbostratus)
    when RULE_INIT {
        set static::hexkey "xxxxxxxxxxxxxxxxx"
        # Writes the configured key to the local0 log when the rule loads
        log local0.info "====Rule_Init===="
        log local0.info "Key is $static::hexkey"
        log local0.info "================="
    }

    when HTTP_REQUEST {
        # Force an uncompressed HTTP/1.0 exchange
        HTTP::header remove "Accept-Encoding"
        if { [HTTP::version] eq "1.1" } {
            if { [HTTP::header is_keepalive] } {
                HTTP::header replace "Connection" "Keep-Alive"
            }
            HTTP::version "1.0"
        }
        if { [HTTP::method] != "OPTIONS" } {
            if { !([HTTP::uri] starts_with "/xxxx/claims/v1/xxxxxx") } {
                if { !([HTTP::uri] starts_with "/xxx/v1/xxxxxxx") } {
                    # Trigger collection for up to 1MB of data
                    if { [HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576 } {
                        set content_length [HTTP::header "Content-Length"]
                    } else {
                        set content_length 1048576
                    }
                    # Check if $content_length is not set to 0
                    if { $content_length > 0 } {
                        HTTP::collect $content_length
                    }
                }
            }
        }
    }

    when HTTP_REQUEST_DATA {
        if { [HTTP::method] != "OPTIONS" } {
            if { !([HTTP::uri] starts_with "/xxxx/claims/v1/xxxxxx") } {
                if { !([HTTP::uri] starts_with "/xxx/v1/xxxxxxx") } {
                    log local0.info [HTTP::uri]
                    set iv "xxxxxxxxxx"
                    set paiload [HTTP::payload]
                    log local0.info "payload: $paiload"
                    # Strip the JSON wrapper so only the base64 ciphertext remains
                    set payload_without_json [string map {\{ {} \} {} \[ {} \] {} \" {} set {} value {} \: {}} $paiload]
                    log local0.info "sin json: $payload_without_json"
                    set text_to_decrypt [b64decode $payload_without_json]
                    log local0.info "dato encriptado: $text_to_decrypt"
                    # AES-128-CBC decryption with the static key and the fixed IV set above
                    set dec_out_no_binary [CRYPTO::decrypt -alg aes-128-cbc -keyhex $static::hexkey -ivhex $iv $text_to_decrypt]
                    binary scan $dec_out_no_binary H* enc_hex
                    # Writes the decrypted request body to the local0 log
                    log local0.info "dato desencriptado: $dec_out_no_binary"
                    # Replace the collected payload with the plaintext and release the request
                    HTTP::payload replace 0 [HTTP::payload length] $dec_out_no_binary
                    HTTP::release
                }
            }
        }
    }
- Simon_Blakely (Employee)
JPcaceresMorales,
Crypto operations in TCL are CPU-intensive, so encrypting/decrypting requests will utilize significant CPU.
Is there a reason that the Request/Response Body is encrypted in this way, as opposed to just relying on SSL/TLS encryption (which is hardware offloaded)?