Forum Discussion
TCP Option 28 X-Forwarded-For Header
- Feb 03, 2023
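when CLIENT_DATA {
    # Raw bytes of TCP option 28 as received from the peer
    set opt28 [TCP::option get 28]
    if { [string length $opt28] == 4 } {
        # Manual decode: 4 bytes -> 8 hex digits -> dotted decimal
        binary scan $opt28 H8 addr
        scan $addr "%2x%2x%2x%2x" ip1 ip2 ip3 ip4
        set optaddr "$ip1.$ip2.$ip3.$ip4"
        log local0. "optaddr is $optaddr"
        # Same decode using the built-in parser
        log local0. "ip addr parse result is [IP::addr parse -ipv4 $opt28]"
    }
}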
I just tested with two BIGIP V16 VEs:
F5-1(set/insert tcp option 28) ====> F5-2(read/get tcp option 28 value)
I find that:
If F5-1 sets TCP option 28 not in the SERVER_INIT event (tested in SERVER_CONNECTED), it inserts TCP option 28 in the TCP data (not in the TCP three-way handshake). On F5-2, the CLIENT_ACCEPTED event logs [string length [TCP::option get 28]] as 0, and the CLIENT_DATA or HTTP_REQUEST event logs [string length [TCP::option get 28]] as 4. This corresponds to the content of the pcap.png picture Akamai gave you: Akamai inserts TCP option 28 in the TCP data, not in the TCP three-way handshake, so when you use set opt28 [TCP::option get 28]; log local0. "tcp option 28 length is [string length $opt28]" in the CLIENT_ACCEPTED event, the value is 0.
Feb 3 23:30:49 f5 info tmm[10530]: Rule /Common/gslb_http <CLIENT_ACCEPTED>: tcp option 28 length in CLIENT_ACCEPTED is 0
Feb 3 23:30:49 f5 info tmm[10530]: Rule /Common/gslb_http <CLIENT_DATA>: tcp option 28 length in CLIENT_DATA is 4
Feb 3 23:30:49 f5 info tmm[10530]: Rule /Common/gslb_http <CLIENT_ACCEPTED>: tcp option 28 length in CLIENT_ACCEPTED is 0
Feb 3 23:30:49 f5 info tmm[10530]: Rule /Common/gslb_http <HTTP_REQUEST>: tcp option 28 length in HTTP_REQUEST is 4
Feb 3 23:30:49 f5 info tmm[10530]: Rule /Common/gslb_http <CLIENT_DATA>: tcp option 28 length in CLIENT_DATA is 4
Feb 3 23:30:49 f5 info tmm[10530]: Rule /Common/gslb_http <HTTP_REQUEST>: tcp option 28 length in HTTP_REQUEST is 4
If F5-1 sets TCP option 28 in the SERVER_INIT event, it inserts TCP option 28 in (TCP SYN, TCP ACK, TCP data), and on F5-2 the CLIENT_ACCEPTED, CLIENT_DATA and HTTP_REQUEST events log [string length [TCP::option get 28]] as 4.
Feb 3 23:32:11 f5 info tmm[10530]: Rule /Common/gslb_http <CLIENT_ACCEPTED>: tcp option 28 length in CLIENT_ACCEPTED is 4
Feb 3 23:32:11 f5 info tmm[10530]: Rule /Common/gslb_http <CLIENT_DATA>: tcp option 28 length in CLIENT_DATA is 4
Feb 3 23:32:11 f5 info tmm[10530]: Rule /Common/gslb_http <CLIENT_ACCEPTED>: tcp option 28 length in CLIENT_ACCEPTED is 4
Feb 3 23:32:11 f5 info tmm[10530]: Rule /Common/gslb_http <HTTP_REQUEST>: tcp option 28 length in HTTP_REQUEST is 4
Feb 3 23:32:11 f5 info tmm[10530]: Rule /Common/gslb_http <CLIENT_DATA>: tcp option 28 length in CLIENT_DATA is 4
Feb 3 23:32:11 f5 info tmm[10530]: Rule /Common/gslb_http <HTTP_REQUEST>: tcp option 28 length in HTTP_REQUEST is 4
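An added example, not part of the original post: an iRule that reads option 28 in HTTP_REQUEST, where the logs above show length 4 in both test cases, and writes the decoded address to X-Forwarded-For. The data group name trusted_option28_senders is hypothetical, and the example assumes the TCP profile already exposes option 28 to iRules as in the test setup above.

```tcl
# Added example, not code from the original post.
# Assumption: trusted_option28_senders is a hypothetical address-type data
# group listing the upstream proxies allowed to assert a client address
# through TCP option 28. Any peer can set a TCP option, so the value is
# only honoured when it comes from one of those senders.
when HTTP_REQUEST {
    # Discard whatever the peer sent in the header; it is rebuilt below.
    HTTP::header remove "X-Forwarded-For"

    # Default to the address of the TCP peer itself.
    set xff [IP::client_addr]

    if { [class match [IP::client_addr] equals trusted_option28_senders] } {
        set opt28 [TCP::option get 28]
        # Exactly four bytes means an IPv4 address, as in the post's check.
        if { [string length $opt28] == 4 } {
            set xff [IP::addr parse -ipv4 $opt28]
        } else {
            # Absent or malformed option: keep the peer address and record it.
            log local0. "option 28 length [string length $opt28] from [IP::client_addr], using peer address"
        }
    }

    HTTP::header insert "X-Forwarded-For" $xff
}
```

Reading the option here rather than in CLIENT_ACCEPTED covers a sender that adds option 28 only on data segments, which is the case that logged length 0 in CLIENT_ACCEPTED above.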