Forum Discussion
Does F5 encrypt traffic internally from a VS to another VS?
Dear community,
Context
VS_Parent with clientssl + serverssl profiles and an iRule (that is responsible for routing the traffic to the child VSs based on the FQDN for example)
VS_Child1 has clientssl + serverssl profiles
VS_Child2 has clientssl + serverssl profiles
All VSs are on the same BIGIP.
Client < Encrypted Channel 1 > VS_Parent < Encrypted Channel 2 > VS_Child1 or VS_Child2 < Encrypted Channel 3 > Pool_Member
Question
Based on the theory, the BIG-IP should have 3 encrypted channels.
To confirm that, I've done a "tcpdump" on the child VS to see if the traffic is encrypted. I can't see any SSL packet using Wireshark.
Does F5 encrypt traffic routed from a VS_Parent to a VS_Child? Or does it not encrypt it, in order to optimize resource utilization?
Thanks for your help
Jad
3 Replies
- youssef1
Cumulonimbus
Hi Jad,
I had already asked myself the question.
So yes, F5 encrypts traffic routed from a VS_Parent to a VS_Child.
I validated my supposition by removing SSL Client in VS_Child and noticed that access to my service was not functional.
Additionally, you can use my debug iRule (hosted on DevCentral), which allows you to see the cipher/protocol used in both VSs (child and parent).
I advise you to run an ssldump using this KB:
https://support.f5.com/csp/article/K10209
So in the child VS, initiate a basic capture:
tcpdump -vvv -s 0 -nni external -w /var/tmp/www-ssl-client.cap host 10.1.1.100 and port 443
Then check the SSL exchange:
ssldump -nr /var/tmp/www-ssl-client.cap
Keep me in touch.
Regards,
- Jad_Tabbara__J1
Cirrostratus
Hello Youssef,
Thanks for your answer. Using "tcpdump + ssldump" I can see the SSL handshake on the VS_CHILD...
Before posting my question, I had done the same capture using tcpdump, but I used Wireshark to see the SSL handshake.
My Wireshark was not parsing the SSL traffic correctly; indeed, using my colleague's Wireshark we can see the SSL handshake. I will re-install my Wireshark to correct this.
So the issue comes from my Wireshark :D
Thank you, you helped me to answer 2 questions in one :p
Regards
- youssef1
Cumulonimbus
Hello Jad,
Glad to have been able to help you, my dear.
Regards
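Added example, not part of the original posts: a dissector-independent way to confirm that a capture like the one above really contains TLS, by reading the pcap file directly and flagging TCP segments that begin with a TLS handshake record. It assumes a classic pcap file (not pcapng) with Ethernet link type; the function names, the 10.1.1.50 client address and the sample capture are constructed for illustration.

```python
import struct

HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}

def tls_handshakes(pcap: bytes):
    """List (src, dst, message) for TCP segments that begin with a TLS handshake record."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    found, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        ip = 18 if frame[12:14] == b"\x81\x00" else 14    # skip an 802.1Q VLAN tag
        if len(frame) < ip + 40 or frame[ip - 2:ip] != b"\x08\x00" or frame[ip + 9] != 6:
            continue                                       # keep IPv4/TCP only
        tcp = ip + (frame[ip] & 0x0F) * 4                  # honour the IP header length
        if len(frame) < tcp + 20:
            continue
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data = frame[tcp + (frame[tcp + 12] >> 4) * 4:]    # payload after TCP options
        # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length
        if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] in HANDSHAKE:
            src = ".".join(map(str, frame[ip + 12:ip + 16]))
            dst = ".".join(map(str, frame[ip + 16:ip + 20]))
            found.append((f"{src}:{sport}", f"{dst}:{dport}", HANDSHAKE[data[5]]))
    return found

def _frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample; checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_sample():
    """Constructed capture: one segment starting a ClientHello, one plaintext HTTP request."""
    hello = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
    plain = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    frames = [_frame((10, 1, 1, 50), (10, 1, 1, 100), 40000, 443, hello),
              _frame((10, 1, 1, 50), (10, 1, 1, 100), 40001, 80, plain)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for row in tls_handshakes(build_sample()):
        print(*row)
```

To check a real capture, pass the file's bytes instead of the sample, for example `tls_handshakes(open("/var/tmp/www-ssl-client.cap", "rb").read())`; an empty result on a port that should carry TLS is what warrants a closer look.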