Tap the BIG-IP Hardware RNG from an iRule
Contributed by: dholmesf5
Description
BIG-IP physical devices, including VIPRIONs and appliances, include a hardware random number generator (RNG). Here is an iRule that taps it and returns 1024 bytes of non-deterministic, true random data from the RNG. You can specify the length with a len=N parameter, and you can base64-encode the output by specifying len=N&encode=1 in the URL. Note: you must disable CMP processing on the virtual server that serves this iRule.

Use this to increase the entropy of other systems near the BIG-IP. For example:

% curl -s http://1.1.1.1 > /dev/random

On some systems, you can look at /proc/sys/kernel/random/entropy_avail to see how much random data is already available.
iRule Source
#
# Return 1K of data from hardware RNG
#
# usage: curl -s http://1.1.1.1 > /dev/random
#
# optional parameters: /?len=<n>&encode=<0|1>
#
# len should be > 0 and < 1400. 1400 is about the max you are going to
# get back in a single UDP packet anyway (MTU?)
#
# by David Holmes + Richard Harlan + Simon Kowallik
when HTTP_REQUEST {
    # default is 1024 bytes of binary random byte output
    set encode 0
    set len 1024
    # Get the parameters from the URL; the defaults stay in place if they are absent
    scan [HTTP::uri] {/?len=%d&encode=%d} len encode
    if { $len < 1 || $len > 1400 } {
        HTTP::respond 400 content "Error: len must be > 0 and < 1400\n"
        return
    }
    # Encode len as a 4-byte big-endian integer: the length header the RNG service expects
    set elen [binary format I $len]
    # Sideband UDP connection to the local hardware RNG service
    set conn [connect -protocol UDP -timeout 1000 127.1.1.2:3]
    set send_info [send -timeout 1000 -status ss $conn $elen]
    # Read back exactly len bytes of random data
    set r [recv -timeout 1000 -status rs $len $conn]
    close $conn
    if { $encode > 0 } {
        set r [b64encode $r]
        set r "$r\n"
    }
    HTTP::respond 200 content $r
}
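A client-side consumer for this iRule, added here as an example and not part of the original code share: it requests N bytes with the same len=/encode= parameters, strips the optional base64 wrapping, and runs a cheap health check (byte-histogram entropy and longest repeated-byte run) before the data is used as seed material. BASE_URL, simulate_response and the check thresholds are assumptions of this example, not values from the page.

```python
import base64
import math
import struct
import urllib.request
from collections import Counter

BASE_URL = "http://1.1.1.1"  # address from the page's curl example; placeholder for your VS

def length_header(n: int) -> bytes:
    """Same 4-byte big-endian length the iRule sends with [binary format I $len]."""
    return struct.pack(">I", n)

def simulate_response(data: bytes, encoded: bool) -> bytes:
    """Constructed stand-in for the iRule's HTTP body, for offline testing."""
    return base64.b64encode(data) + b"\n" if encoded else data

def decode_response(body: bytes, length: int, encoded: bool) -> bytes:
    """Undo the optional base64 wrapping and enforce the requested length."""
    data = base64.b64decode(body.strip(), validate=True) if encoded else body
    if len(data) != length:
        raise ValueError(f"expected {length} bytes, got {len(data)}")
    return data

def shannon_entropy(data: bytes) -> float:
    """Entropy estimate in bits per byte from the byte histogram (8.0 is ideal)."""
    n = len(data)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def longest_run(data: bytes) -> int:
    """Longest run of one repeated byte value, a simple stuck-at detector."""
    best = run = 1
    for prev, cur in zip(data, data[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

def looks_random(data: bytes, min_bits: float = 7.0, max_run: int = 8) -> bool:
    """Cheap health check: reject stuck-at or heavily biased output before using it."""
    return shannon_entropy(data) >= min_bits and longest_run(data) <= max_run

def fetch_random(length: int = 1024, encoded: bool = True, timeout: int = 5) -> bytes:
    """Request `length` bytes through the iRule and health-check them."""
    if not 0 < length < 1400:  # the iRule rejects anything else with a 400
        raise ValueError("len must be > 0 and < 1400")
    url = f"{BASE_URL}/?len={length}&encode={int(encoded)}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = decode_response(resp.read(), length, encoded)
    if not looks_random(data):
        raise RuntimeError("RNG output failed health check; refusing to use it")
    return data
```

On Linux, writing the fetched bytes to /dev/random mixes them into the pool but does not raise the kernel's entropy estimate, which only the RNDADDENTROPY ioctl can credit, so entropy_avail may not move after the curl command above.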
The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.