For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

epaalx's avatar
epaalx
Icon for Cirrus rankCirrus
May 06, 2011

Requesting clarification of srcport "preserve strict"

Hello F5 users,

 

 

I'd appreciate clarification of srcport "preserve strict" functionality.

 

 

"Configuration Guide for BIG-IP® Local Traffic Manager 10.2" says "If the port is in use, the system does not process the connection." which seems to contradict the next sentence "If the port is in use by another connection, the system uses that source port anyway, and the destination server cannot distinguish the traffic of the connections sharing that source port."

 

 

So, if "system does not process the connection" [or says sol11003 says "system resets the clientside connection"] then how can it "uses that source port anyway"?

 

 

Also, bottom of sol8227, says "The preserve strict option does not currently work for TCP connections, and should only be used for UDP virtual servers." but sol11116's reference to nPath is still referring to "connection", implying TCP and SCTP.

 

 

Are these contradictions?

 

Regards, Alex
config
design

3 Replies

  • Michael_Yates's avatar
    Michael_Yates
    Icon for Nimbostratus rankNimbostratus
    May 06, 2011
    There is additional information within the BigIP Configuration Console Help Menu that describes the selectable options.

     

     

    Preserve:

     

    Specifies that the system preserves the value configured for the source port, unless the source port from a particular SNAT is already in use, in which case the system uses a different port.

     

     

    Preserve Strict:

     

    Specifies that the system preserves the value configured for the source port. If the port is in use, the system does not process the connection. If the port is in use by another connection, the system uses that source port anyway, and the destination server cannot distinguish the traffic of the connections sharing that source port. F5 Networks recommends that you restrict use of this setting to cases that meet at least one of the following conditions:

     

     

    - The port is configured for UDP traffic.

     

    - The system is configured for nPath routing or is running in transparent mode (that is, there is no translation of any other Layer 3 or Layer 4 field).

     

    - There is a one-to-one relationship between virtual IP addresses and node addresses, or clustered multi-processing (CMP) is disabled.

     

     

    Change:

     

    Specifies that the system changes the source port. This setting is useful for obfuscating internal network addresses.
  • epaalx's avatar
    epaalx
    Icon for Cirrus rankCirrus
    May 08, 2011
    Posted By Michael Yates on 05/06/2011 08:24 AM

     

    There is additional information within the BigIP Configuration Console Help Menu that describes the selectable options.

     

    :

     

    Preserve Strict:

     

    ... If the port is in use, the system does not process the connection. If the port is in use by another connection, the system uses that source port anyway ...

     

    Err, thanks, but aren't you quoting back to me the contradiction I am referring to? R's, Alex

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 09, 2011
    Hi Epaalx,

     

     

    You could try testing this with netcat -p < port > or open a case with F5 Support to find out. If the docs are wrong/contradictory, F5 Support can request to have them clarified.

     

     

    Aaron