Forum Discussion

f5gurunot's avatar
f5gurunot
Icon for Cirrus rankCirrus
Feb 02, 2023

TCP Option 28 X-Forwarded-For Header

Using Akamai for DDOS mitigation and the requests sent to us show Akamai IP instead of the Client IP.  I have enabled TCP Option 28 and trying to insert the Client IP into X-Forwarded-For header.  I ...
application delivery
  • xuwen's avatar
    xuwen
    Feb 03, 2023

    when CLIENT_DATA {
    set opt28 [TCP::option get 28]
    if { [string length $opt28] == 4 } {
    binary scan $opt28 H8 addr
    scan $addr "%2x%2x%2x%2x" ip1 ip2 ip3 ip4
    set optaddr "$ip1.$ip2.$ip3.$ip4"
    log local0. "optaddr is $optaddr"
    log local0. "ip addr parse result is [IP::addr parse -ipv4 $opt28]"
    }
    }

f5gurunot's avatar
f5gurunot
Icon for Cirrus rankCirrus

We are on version 17, will get a tcpdump.

xuwen's avatar
xuwen
Icon for Cumulonimbus rankCumulonimbus
Feb 03, 2023

Observe the clientside tcpdump file of F5 to see if there is a tcp option 28 field.

If not, check whether there is a firewall or other security cleaning equipment or The reverse proxy device in front of F5,It is better to restore iRules to a state without tcp option 28 and exec tcpdump command.

if wireshark pcap file has tcp option 28 field:

Because your iRules in CLIENT_ACCEPED event executed TCP:: collect command, I personally estimate that your tcp option 28 code should be placed in CLIENT_DATA event(personally advise, have not test in BIGIP VE environment)

when CLIENT_DATA {
 set opt28 [TCP::option get 28]
 log local0. "tcp option 28 length is [string length $opt28]"
 ........
 }

 

  • f5gurunot's avatar
    f5gurunot
    Icon for Cirrus rankCirrus
    Feb 03, 2023

    with this:
    when CLIENT_DATA {
       set opt28 [TCP::option get 28]
        log local0. “tcp option 28 length is [string length $opt28]”

    I see:
    Feb 3 09:39:55 info tmm4[12700]: Rule /Common/Akamai_Opt28 <CLIENT_DATA>: tcp option 28 length is 4

    with this:
    when CLIENT_DATA {    set opt28 [TCP::option get 28]
        if { [string length $opt28] == 4 } {
        log local0. “tcp option 28 length is [string length $opt28]”
            binary scan $opt28 c ver
            if { $ver != 1 } {
                log local0. “Unsupported Akamai version: $ver”
            } else {
                set optaddr [IP::addr parse -ipv4 $opt28 1]
            }
        }

    I see:
    Feb 3 09:47:48 info tmm[12700]: Rule /Common/Akamai_Opt28 <CLIENT_DATA>: tcp option 28 length is 4
    Feb 3 09:47:48 info tmm[12700]: Rule /Common/Akamai_Opt28 <CLIENT_DATA>: Unsupported Akamai version: 76

    • f5gurunot's avatar
      f5gurunot
      Icon for Cirrus rankCirrus
      Feb 03, 2023

      Akamai said the IP address forwarded in TCP Option28 is in HEX format and needs to be converted back to the decimal version...

      • xuwen's avatar
        xuwen
        Icon for Cumulonimbus rankCumulonimbus
        Feb 03, 2023

        when CLIENT_DATA {
        set opt28 [TCP::option get 28]
        if { [string length $opt28] == 4 } {
        binary scan $opt28 H8 addr
        scan $addr "%2x%2x%2x%2x" ip1 ip2 ip3 ip4
        set optaddr "$ip1.$ip2.$ip3.$ip4"
        log local0. "optaddr is $optaddr"
        log local0. "ip addr parse result is [IP::addr parse -ipv4 $opt28]"
        }
        }