Using TCP options for the client IP insertion

1:56 PM

Web servers sometimes need the real client IP address for security or logging purposes. A proxy placed between the client and the server hides this detail, depending on the security policy in force. NetScaler offers several methods for inserting the client IP into an HTTP header, but they only work if either the client device sends the request directly or the proxy supplies the client IP in an HTTP header itself. In secure environments, however, proxies are generally not allowed to modify HTTP headers. For example, when a proxy is deployed using NIRS (Single Routing Information Protocol), by design the proxy device does not look at or modify the application-layer headers, so it cannot insert an HTTP header containing the IP address of the actual client into the HTTP request it forwards to the NetScaler VIP.

Instead, we can configure the proxy device to place the client IP address in a TCP option field. TCP options are present whenever the data offset field (the TCP header length, counted in 32-bit words) is greater than 5, i.e. the header is longer than the 20-byte minimum. An option typically consists of

  • Option-Kind: one byte; the only mandatory field, it identifies the kind of option
  • Option-Length: one byte; optional, it gives the total length of the option (kind, length and data bytes)
  • Option-Data: the option's payload

For the list of standard option kinds, please refer to: http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xml

Take the following TCP packet as an example (the packet capture image is not reproduced here). The option bytes are 1c 07 01 cf 4f ed 79, where

1c - indicates the Option-Kind
07 - indicates the length of the option within the TCP header
01 - a version number inserted by the proxy
cf 4f ed 79 - the client IP address (207.79.237.121) in hexadecimal

Note that option kind 28 (0x1c) is registered with IANA for the TCP User Timeout Option (RFC 5482), so a kind chosen for a private scheme like this should be checked against the registry to avoid colliding with a standard option.

In this scenario NetScaler receives the client IP in a TCP option and needs to insert it as an HTTP header for the back-end server. This is a tricky job, but NetScaler's AppExpert policy infrastructure comes to the rescue and lets us work with the TCP packet headers as well as the payload. An advanced policy expression can read the client IP address from the TCP option, and a rewrite action can insert it as an HTTP header. Here are the details of the expression.

CLIENT.TCP.OPTIONS.TYPE(0x1c).GET_SIGNED32(1, BIG_ENDIAN).TYPECAST_IP_ADDRESS_AT

  • CLIENT.TCP.OPTIONS.TYPE(<kind>) returns the value of the TCP option whose kind is given as the argument, as a string of bytes in big-endian format
  • .GET_SIGNED32(n, BIG_ENDIAN) treats the string returned by the prefix as a sequence of bytes, extracts 32 bits starting at byte offset n, and converts them to a 32-bit signed integer (offset 1 here, skipping the version byte)
  • .TYPECAST_IP_ADDRESS_AT converts that number to an IP address

For error handling, the following checks can be used:

  • CLIENT.TCP.OPTIONS.TYPE(0x1c).EXISTS returns a Boolean indicating whether the option of that kind is present
  • CLIENT.TCP.OPTIONS.TYPE(0x1c).GET_UNSIGNED8(0) == 1 checks the version number set by the proxy

These checks validate the option's format, not its origin. Any client can set TCP options, so the value should only be trusted on connections that actually arrive from the proxy, for example by restricting the policy to the proxy's source addresses.
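To make the expression and the checks above concrete, here is an added example (not from the original post or from NetScaler) that walks a TCP options area, skips standard options, and applies the same existence, version and length checks before converting the option bytes to an address. The option layout (kind 0x1c, length 7, version byte, 4-byte IP) is taken from the post; the trailing NOP and MSS options in the sample are constructed.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

# Layout of the proxy-inserted option as described in the post.
CLIENT_IP_OPTION_KIND = 0x1c
CLIENT_IP_OPTION_LEN = 7
CLIENT_IP_OPTION_VERSION = 1


def parse_tcp_options(options: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TCP options area and return (kind, data) pairs.

    EOL (kind 0) ends the list and NOP (kind 1) has no length byte; every
    other option carries a length byte covering kind, length and data.
    Truncated or undersized options raise instead of being guessed at.
    """
    out = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option kind %d truncated before length" % kind)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        out.append((kind, options[i + 2:i + length]))
        i += length
    return out


def client_ip_from_options(options: bytes) -> Optional[ipaddress.IPv4Address]:
    """Same checks as the NetScaler expression: option must exist, be exactly
    7 bytes long and carry version 1; otherwise return None, never garbage."""
    for kind, data in parse_tcp_options(options):
        if kind != CLIENT_IP_OPTION_KIND:
            continue
        if len(data) + 2 != CLIENT_IP_OPTION_LEN or data[0] != CLIENT_IP_OPTION_VERSION:
            return None
        (raw,) = struct.unpack("!I", data[1:5])   # GET_SIGNED32(1, BIG_ENDIAN)
        return ipaddress.IPv4Address(raw)         # TYPECAST_IP_ADDRESS_AT
    return None


# Option bytes from the post's packet, followed by a constructed NOP and MSS option.
SAMPLE_OPTIONS = bytes.fromhex("1c0701cf4fed79" "01" "020405b4")
```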

This was one way to carry and retrieve data using the TCP option field. We can now use the client IP in various NetScaler policies. Stay tuned for part two of this blog on how to use it with NetScaler policies.
