cancel
Showing results for 
Search instead for 
Did you mean: 

How to setup internal virtual server and get TLS 1.3 keys from external virtual server via sideband?

Ram_Paranandi
Nimbostratus
Nimbostratus

Hi,

We have started evaluating LTM and as part of integration for decrypting PFS with BIG-IP VE , I have attempted to create internal virtual server to which a sideband connection from external virtual server is made via iRule, but we are seeing issue while creating sideband connection.
I have used UI to create internal virtual server and I would like to check what configuration should we need to use for internal virtual server so that we can have successful sideband connection ?
In the iRule of External virtual server we are able to get TLS 1.3 keys in CLIENT_HANDSHAKE but we are not able to connect to internal virtual server and send those keys.  Any help resolving this issue is appreciated.

Internal Virtual server config:

Type: Standard,

Destination 1.1.1.1 (non routable ip) , Port : <Port of internal node>

Profiles: tcp

Oneconnect 

Pool: Internal Server pool which has one member listening for http requests.

External Virtual server:

Default config, uses iRule to get TLS 1.3 keys and send them to Internal server.

6 REPLIES 6

Ram_Paranandi
Nimbostratus
Nimbostratus

Hi, 
I am now able to see traffic being forwarded to internal virtual server when I removed and added new internal virtual server with default config and profile as tcp. If I change profile to http it is not working.

I am also seeing that internal virtual server is sending traffic to its pool node but currently over http port as tcp data and it is receiving Unauthorized error from node as it needs authentication.

Next step is how can we set authentication parameters to internal virtual server or pool node, such that it can authenticate and send data to node via http?

Hi @Ram_Paranandi,

what are you trying to achieve actually? To log TLS13 secrets off box so that you can later decrypt the traffic recorded?

KR
Daniel

Ram_Paranandi
Nimbostratus
Nimbostratus

Hi @Daniel_Wolf ,

Yes, similar to that. Post/copy TLS 1.3 secrets to an internal device API listening on http/https.

 

I'm out. Since you did not further specify your requirements I must assume that you plan do record sensitive data from a production environment. I have a bad feeling about permanently storing such data without any filters.

We don't actually log those keys to disk, we keep them in memory (protected) and process with the traffic mirrored to the device, once done we rollout keys from device memory. Deployment would be like the one described in the article https://devcentral.f5.com/s/articles/lightboard-lesson-perfect-forward-secrecy-inspection-visibility... 
Deployment:

External Client ----> Big IP  ------> Internal Servers

                             External Virtual Server
                                       |
                                       |  TLS 1.3 keys (Sideband TCP)
                                      v
                                 BigIP  Internal Virtual Server   ---------> Pool (HTTP/HTTPS)  ---> 
Pool Device (HTTP/HTTPS  Internal Detection Device )


In this deployment from External Virtual Server to Internal Virtual Server  the TLS 1.3 keys are shared via TCP sideband, this part is OK and I am able to see that data on the wire.

Now to share keys from Internal Virtual Server to the Pool and Pool device, how do we configure HTTP/HTTPS authentication?

 

Ram_Paranandi
Nimbostratus
Nimbostratus

We don't actually log those keys to disk, we keep them in memory (protected) and process with the traffic mirrored to the device, once done we rollout keys from device memory. Deployment would be like the one described in the article https://devcentral.f5.com/s/articles/lightboard-lesson-perfect-forward-secrecy-inspection-visibility... 
Deployment:

External Client ----> Big IP  ------> Internal Servers

                             External Virtual Server
                                       |
                                       |  TLS 1.3 keys (Sideband TCP)
                                      v
                                 BigIP  Internal Virtual Server   ---------> Pool (HTTP/HTTPS)  ---> 
Pool Device (HTTP/HTTPS  Internal Detection Device )


In this deployment from External Virtual Server to Internal Virtual Server  the TLS 1.3 keys are shared via TCP sideband, this part is OK and I am able to see that data on the wire.

Now to share keys from Internal Virtual Server to the Pool and Pool device, how do we configure HTTP/HTTPS authentication?