Tap the BIG-IP Hardware RNG from an iRule

Contributed by: dholmesf5

Description

BIG-IP physical devices, VIPRION chassis and appliances alike, include a hardware random number generator (RNG). The iRule below taps it and by default returns 1024 bytes of non-deterministic random data. Request a different length with a len=N parameter (1 to 1400 bytes) and base64-encoded output with len=N&encode=1, so the full URL is http://<virtual-ip>/?len=N&encode=1. Note: CMP processing must be disabled on the virtual server that serves this iRule.
Use this to add entropy to other systems near the BIG-IP. For example,
% curl -s http://1.1.1.1 > /dev/random
Two caveats. First, a plain write to /dev/random mixes the bytes into the kernel pool but does not credit any entropy, so /proc/sys/kernel/random/entropy_avail (which shows how much entropy the kernel currently credits) will not rise; crediting requires the RNDADDENTROPY ioctl, run as root. Second, the virtual server is unauthenticated and the bytes travel in clear text over HTTP, so restrict who can reach it, and put it behind TLS or on an isolated management network if the output will seed anything that matters.
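As an added example, not part of the original iRule or of any F5 code, the following Python client consumes the iRule's output the way the caveats above demand: it checks that the response really is len bytes, applies a cheap sanity gate against a stuck or zeroed RNG, and credits the bytes to the Linux pool with RNDADDENTROPY so entropy_avail actually rises. The base URL, the ioctl constant (the x86/arm64 value) and the sample bytes are assumptions.

```python
"""Consumer for the RNG iRule: fetch N bytes, validate them, and credit them
to the Linux kernel pool with the RNDADDENTROPY ioctl rather than a bare
write to /dev/random, which mixes bytes in without raising entropy_avail.

Added example, not part of the original iRule or of F5's code. The base URL,
the ioctl constant (x86/arm64 value) and the sample bytes are assumptions.
"""
import base64
import fcntl
import struct
import sys
import urllib.request
from collections import Counter

RNDADDENTROPY = 0x40085203  # _IOW('R', 0x03, int[2]); x86 and arm64 layout
MAX_LEN = 1400              # the iRule rejects anything larger


def request_url(base_url, length, encode):
    """Build the URL the iRule's scan pattern expects: /?len=<n>&encode=<0|1>."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError("len must be between 1 and %d" % MAX_LEN)
    return "%s/?len=%d&encode=%d" % (base_url.rstrip("/"), length, int(encode))


def decode_response(body, length, encode):
    """Turn one response body into exactly `length` raw bytes, or fail loudly.
    A short read (RNG timeout, truncated reply) must never be credited."""
    data = base64.b64decode(body.strip(), validate=True) if encode else body
    if len(data) != length:
        raise ValueError("expected %d bytes, got %d" % (length, len(data)))
    return data


def looks_random(data):
    """Cheap sanity gate before crediting: refuse degenerate output (a stuck
    RNG, a zero buffer, a two-value pattern). Not a statistical test suite."""
    if not data:
        return False
    ones = sum(bin(b).count("1") for b in data)
    balanced = 0.4 <= ones / (8 * len(data)) <= 0.6
    spread = max(Counter(data).values()) <= len(data) // 4 + 8
    return balanced and spread


def rand_pool_info(data, entropy_bits=None):
    """Lay out struct rand_pool_info {int entropy_count; int buf_size; __u32 buf[]}.
    entropy_count is in bits, buf_size in bytes; buf is padded to 32-bit words."""
    if entropy_bits is None:
        entropy_bits = 8 * len(data)   # full credit: we trust the hardware RNG
    padding = b"\0" * (-len(data) % 4)
    return struct.pack("ii", entropy_bits, len(data)) + data + padding


def fetch_random(base_url, length=1024, encode=True, timeout=5):
    """Fetch `length` bytes from the iRule and validate them."""
    url = request_url(base_url, length, encode)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read()
    return decode_response(body, length, encode)


def credit_entropy(data, entropy_bits=None, device="/dev/random"):
    """Mix `data` into the kernel pool and credit entropy (needs CAP_SYS_ADMIN).
    A mutable buffer is passed so fcntl does not hit its 1024-byte copy limit."""
    buf = bytearray(rand_pool_info(data, entropy_bits))
    with open(device, "wb", buffering=0) as dev:
        fcntl.ioctl(dev, RNDADDENTROPY, buf, True)
    return len(data)


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://1.1.1.1"  # assumed virtual
    rnd = fetch_random(url, 1024, encode=True)
    if not looks_random(rnd):
        sys.exit("RNG output failed the sanity check; nothing credited")
    print("credited %d bytes" % credit_entropy(rnd))
```

Run it as root on the host that should receive the entropy (python3 rng_client.py http://<virtual-ip>) and watch entropy_avail move; without root the ioctl fails with EPERM and nothing is credited, which is the safe failure.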

iRule Source

#
# Return 1K of data from the hardware RNG
#
# usage: curl -s http://1.1.1.1 > /dev/random
#
# optional parameters: /?len=<n>&encode=<0|1>
#
# len must be between 1 and 1400. 1400 is about the most you will get
# back in a single UDP datagram anyway (path MTU)
#
# by David Holmes + Richard Harlan + Simon Kowallik

when HTTP_REQUEST {
    # default is 1024 bytes of binary random byte output
    set encode 0
    set len 1024

    # Get the parameters from the URL: /?len=<n>&encode=<0|1>
    # scan leaves len and encode at their defaults when the URI does not match
    scan [HTTP::uri] {/?len=%d&encode=%d} len encode
    if { $len < 1 || $len > 1400 } {
        HTTP::respond 400 content "Error: len must be between 1 and 1400\n"
        return
    }
    # Encode len as a 4-byte big-endian integer; the RNG service reads this
    # length prefix and replies with that many bytes
    set elen [ binary format I $len ]

    # Internal UDP endpoint of the hardware RNG service
    set conn [connect -protocol UDP -timeout 1000 127.1.1.2:3 ]
    set send_info [send -timeout 1000 -status ss $conn $elen]
    set r [recv -timeout 1000 -status rs $len $conn]
    close $conn

    # Never hand back a short or empty buffer as if it were $len random bytes
    if { [string length $r] != $len } {
        HTTP::respond 503 content "Error: RNG returned [string length $r] of $len bytes\n"
        return
    }
    if { $encode > 0 } {
        set r "[b64encode $r]\n"
        HTTP::respond 200 content $r "Content-Type" "text/plain"
    } else {
        HTTP::respond 200 content $r "Content-Type" "application/octet-stream"
    }
}

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.