Forum Discussion

Ram_Paranandi's avatar
Ram_Paranandi
Icon for Nimbostratus rankNimbostratus
Mar 02, 2022

How to setup internal virtual server and get TLS 1.3 keys from external virtual server via sideband?

Hi,

We have started evaluating LTM and as part of integration for decrypting PFS with BIG-IP VE , I have attempted to create internal virtual server to which a sideband connection from external virtual server is made via iRule, but we are seeing issue while creating sideband connection.
I have used UI to create internal virtual server and I would like to check what configuration should we need to use for internal virtual server so that we can have successful sideband connection ?
In the iRule of External virtual server we are able to get TLS 1.3 keys in CLIENT_HANDSHAKE but we are not able to connect to internal virtual server and send those keys.  Any help resolving this issue is appreciated.

Internal Virtual server config:

Type: Standard,

Destination 1.1.1.1 (non routable ip) , Port : <Port of internal node>

Profiles: tcp

Oneconnect 

Pool: Internal Server pool which has one member listening for http requests.

External Virtual server:

Default config, uses iRule to get TLS 1.3 keys and send them to Internal server.

application delivery
security

6 Replies

Sort By
  • Ram_Paranandi's avatar
    Ram_Paranandi
    Icon for Nimbostratus rankNimbostratus
    Mar 03, 2022

    Hi, 
    I am now able to see traffic being forwarded to internal virtual server when I removed and added new internal virtual server with default config and profile as tcp. If I change profile to http it is not working.

    I am also seeing that internal virtual server is sending traffic to its pool node but currently over http port as tcp data and it is receiving Unauthorized error from node as it needs authentication.

    Next step is how can we set authentication parameters to internal virtual server or pool node, such that it can authenticate and send data to node via http?

  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Mar 05, 2022

    Hi Ram_Paranandi,

    what are you trying to achieve actually? To log TLS13 secrets off box so that you can later decrypt the traffic recorded?

    KR
    Daniel

    • Daniel_Wolf's avatar
      Daniel_Wolf
      Icon for MVP rankMVP
      Mar 07, 2022

      I'm out. Since you did not further specify your requirements I must assume that you plan do record sensitive data from a production environment. I have a bad feeling about permanently storing such data without any filters.

      • Ram_Paranandi's avatar
        Ram_Paranandi
        Icon for Nimbostratus rankNimbostratus
        Mar 07, 2022

        We don't actually log those keys to disk, we keep them in memory (protected) and process with the traffic mirrored to the device, once done we rollout keys from device memory. Deployment would be like the one described in the article https://devcentral.f5.com/s/articles/lightboard-lesson-perfect-forward-secrecy-inspection-visibility... 
        Deployment:

        External Client ----> Big IP  ------> Internal Servers

                                     External Virtual Server
                                               |
                                               |  TLS 1.3 keys (Sideband TCP)
                                              v
                                         BigIP  Internal Virtual Server   ---------> Pool (HTTP/HTTPS)  --->         Pool Device (HTTP/HTTPS  Internal Detection Device )


        In this deployment from External Virtual Server to Internal Virtual Server  the TLS 1.3 keys are shared via TCP sideband, this part is OK and I am able to see that data on the wire.

        Now to share keys from Internal Virtual Server to the Pool and Pool device, how do we configure HTTP/HTTPS authentication?

         

  • Ram_Paranandi's avatar
    Ram_Paranandi
    Icon for Nimbostratus rankNimbostratus
    Mar 07, 2022

    We don't actually log those keys to disk, we keep them in memory (protected) and process with the traffic mirrored to the device, once done we rollout keys from device memory. Deployment would be like the one described in the article https://devcentral.f5.com/s/articles/lightboard-lesson-perfect-forward-secrecy-inspection-visibility... 
    Deployment:

    External Client ----> Big IP  ------> Internal Servers

                                 External Virtual Server
                                           |
                                           |  TLS 1.3 keys (Sideband TCP)
                                          v
                                     BigIP  Internal Virtual Server   ---------> Pool (HTTP/HTTPS)  --->     Pool Device (HTTP/HTTPS  Internal Detection Device )


    In this deployment from External Virtual Server to Internal Virtual Server  the TLS 1.3 keys are shared via TCP sideband, this part is OK and I am able to see that data on the wire.

    Now to share keys from Internal Virtual Server to the Pool and Pool device, how do we configure HTTP/HTTPS authentication?