Posted By Joel Moses on 03/30/2011 03:37 PM
Thanks, guys!
jquimby: Well, "binary scan" and its bitwise jump functions are pretty capable of replicating most of what pcap packet slicing can do; they just do it in a different syntax. For example, a pcap "[13:2]" is pretty much equivalent to "binary scan [TCP::payload] @13S output". But I agree that it's not as easy to navigate for network folks who have had the pcap syntax firmly mashed into their brains through years of experience.
It'd be cool to have, say, a "TCP::payload match (pcap-style 'expr relop expr')" that would do the same thing as a binary scan but return just the bytes referenced -- that way you could take an existing pcap match rule and convert it.
I had to do this in CLIENT_DATA because it's pretty much the only place I can jump in before SSL/TLS negotiation. Really, though, I think it would be useful to create another iRules event: CLIENTSSL_HANDSHAKE_INIT. In the processing flow, this would happen after CLIENT_ACCEPTED and CLIENT_DATA, but just prior to CLIENTSSL_HANDSHAKE. It would essentially fire after the first ClientHello is collected but before it begins the handshake process. This would be a good place to grab and process TLS extensions, read the requested Cipherlist, and set variables to affect later script operation.
Some new commands would be needed: something like "SSL::extension" (giving access to TLS extension package data -- SNI included), "SSL::handshake cipherlist", and "SSL::handshake compressionlist". In addition to giving access to the ServerName extension early, this could also allow you to select the "strongest" ClientSSL profile _manually_ based on the client's proposed cipherlist. Other extensions would be useful to obtain early on: max_fragment_length, trusted_ca_keys, and ocsp_status_request.
There are always ways to make things easier for the administrator, but to F5's credit, I've run into very little that I can't accomplish using an iRule or two... Kudos, guys!
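The ClientHello inspection the post describes (reading the cipher list, compression list and extensions such as SNI before the handshake proceeds, and picking a stronger profile from what the client offers) can be followed step by step in plain Python. The following is an added example, not iRules code from the post or from F5: it builds a constructed TLS 1.2 ClientHello record, parses it with the same fixed-offset walk that "binary scan" does in CLIENT_DATA, and returns None on a short read so the caller knows to keep collecting bytes. The helper names (`build_client_hello`, `parse_client_hello`, `choose_profile`) and the two profile names are hypothetical; the extension type numbers and cipher suite IDs are the IANA-registered values.

```python
import struct

# TLS extension type numbers (IANA registry; the ones mentioned in the post)
EXT_SERVER_NAME = 0          # server_name (SNI)
EXT_MAX_FRAGMENT_LENGTH = 1  # max_fragment_length
EXT_TRUSTED_CA_KEYS = 3      # trusted_ca_keys
EXT_STATUS_REQUEST = 5       # status_request (OCSP stapling)

# ECDHE + AES-GCM suite IDs used to judge whether a client can take a "strong" profile
AEAD_ECDHE_SUITES = {0xC02B, 0xC02C, 0xC02F, 0xC030}


def build_client_hello(sni, cipher_suites, compression=b"\x00", extra_exts=()):
    """Constructed sample input: a TLS 1.2 ClientHello record wrapped in a TLS record header."""
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    for etype, edata in extra_exts:
        exts += struct.pack("!HH", etype, len(edata)) + edata
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (b"\x03\x03" + bytes(32)                       # client_version, random (zeroed, constructed)
            + b"\x00"                                      # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Walk the ClientHello by offset; return a dict, or None if the record is not yet complete."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                      # short read: caller should collect more bytes
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                              # skip client random
    pos += 1 + body[pos]                                   # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1
    compression = list(body[pos:pos + comp_len]); pos += comp_len
    extensions, sni = {}, None
    if pos + 2 <= len(body):                               # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            extensions[etype] = edata
            if etype == EXT_SERVER_NAME and len(edata) >= 5:
                # ServerNameList: 2-byte list length, then (name_type, 2-byte length, name)
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "ciphers": ciphers, "compression": compression,
            "extensions": extensions, "sni": sni}


def choose_profile(hello):
    """Pick the profile from the offered cipher list (profile names are hypothetical)."""
    return "clientssl-strong" if AEAD_ECDHE_SUITES & set(hello["ciphers"]) else "clientssl-legacy"


if __name__ == "__main__":
    record = build_client_hello("www.example.com", [0xC02F, 0x002F, 0x000A],
                                extra_exts=[(EXT_STATUS_REQUEST, b"\x01\x00\x00\x00\x00")])
    hello = parse_client_hello(record)
    print(hello["sni"], [hex(c) for c in hello["ciphers"]], sorted(hello["extensions"]))
    print(choose_profile(hello))
```

The None return on a short record mirrors what an iRule has to do in CLIENT_DATA: the first TCP::collect may not contain the whole ClientHello, so the script must keep collecting until the record length in bytes 3-4 is satisfied before any offset past it can be trusted.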
Some of your ideas here are already under consideration in development. The pcap idea is a good one, and has a couple of developers asking questions. Nice work.