Forum Discussion

Angelo_Iannaril
Feb 04, 2007

authenticated IPs and session tables

We have an iRule that needs to keep track of authenticated IP addresses across several event clauses within the iRule (as an extra security check). We're using the universal session table to achieve this, as shown below.

    when CLIENTSSL_CLIENTCERT {
        # record the client address once the certificate has been received;
        # $status and $timeout are set in the part of the rule elided below
        session add universal [IP::client_addr] $status $timeout
        # ....
    }

    when HTTP_REQUEST {
        # ...
        # session lookup returns the value stored above, or an empty string if
        # the address has no entry or its timeout has expired; string comparison
        if {[session lookup universal [IP::client_addr]] eq $authenticated} {
            # (body elided in the post)
        }
        # ...
    }

This seems to work, but I'm not sure that this is necessarily the best approach as the session table looks like it was intended to contain SSL session IDs. Can anyone tell me whether there are any known issues with this approach? Is there a better option for storing the IP address in a commonly accessible table for a specified time period?

 

 

3 Replies

  • You could populate an array instead of the session table, but I'm not sure which is the bigger resource hog. You'd need to put logic in to clean up the array as the clients in question drop off, whereas the session table cleans itself up. Turn timing on both versions of the rule to evaluate the performance of each.
  • Colin_Walker_12
    Historic F5 Account
    The session table is actually slightly more efficient than an array, but unless you're talking about huge amounts of data, there probably wouldn't be a large difference.

    Elah's right, too, that the array method takes a little more care in setting/cleaning up.

    Colin
  • unRuleY_95363
    Historic F5 Account
    Since you are using an IP address, you could actually use "source_addr" as the key to the session table. The session table uses the same keying system as the persist table. So, using the "source_addr" key type would actually be more efficient than "universal" because the IP address wouldn't get converted to a string and then hashed. It would just be hashed using an IP address hash algorithm instead of a string hash algorithm.

    HTH.
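The following is an added example, not the original poster's rule and not F5-supplied code. It combines the two ideas in this thread: the IP-keyed session-table check from the question, rewritten with the "source_addr" key type suggested in the reply above, and it handles the case the original fragment left open, namely a request from an address that has no entry (or whose entry has timed out). The 300 second timeout, the marker value "authenticated", the pool name authenticated_pool, the certificate-verification check and the 403 response are all assumptions made for the example.

```tcl
# Added example (not from the original post or from F5): IP-keyed
# authentication marker in the session table, keyed with source_addr.
# Assumptions: 300 s timeout, marker value "authenticated", a pool named
# authenticated_pool, and a client SSL profile that requests client certs.

when CLIENTSSL_CLIENTCERT {
    # Fires once the client certificate has been received in the TLS handshake.
    # Only record the client when a certificate was presented and chain
    # verification reported no error (verify_result 0).
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        # source_addr mode: the key is an IP address and is hashed as one,
        # rather than being converted to a string first (see the reply above).
        session add source_addr [IP::client_addr] "authenticated" 300
        log local0. "client [IP::client_addr] authenticated by certificate"
    } else {
        # Do not let an entry from an earlier, successful session survive a
        # failed or missing certificate from the same address.
        session delete source_addr [IP::client_addr]
        reject
    }
}

when HTTP_REQUEST {
    # session lookup returns an empty string when there is no entry for the
    # key, so an unknown or expired address fails the comparison and is
    # refused rather than silently passed through.
    set auth_state [session lookup source_addr [IP::client_addr]]
    if { $auth_state eq "authenticated" } {
        # Re-add with the same value to restart the 300 s timer for an active
        # client, then send the request on.
        session add source_addr [IP::client_addr] "authenticated" 300
        pool authenticated_pool
    } else {
        HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
    }
}
```

One caveat worth keeping in mind with either key type: the entry is per client IP address, so every client behind the same NAT or proxy address shares it once one of them has presented a valid certificate. If that matters for the deployment, a per-client key such as the TLS session ID (the "ssl" mode with SSL::sessionid) is the more precise choice, at the cost of losing the entry whenever the client negotiates a new TLS session.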