[This post is a slight departure from my stated policy of trying not to increase the average level of inane wittering on the Internet any further by keeping my opinions to myself in this blog, but this particular insight is just too penetrating not to share it with the world. Like all of my opinions, it is - of course - entirely correct ]

I have had an epiphany. I now know what causes pretty much all network problems: GUIs. At first blush, this may sound like a slightly sweeping statement but I have come to believe in it very deeply. Stick with me here and I will explain why.

Take today for example: Myself and one of my esteemed colleagues squandered an hour of our lives dealing with a guy in a secondary school where we support the Internet router. His Internet access was broken. I’ll spare you the long and painful details of the hour…suffice it to say that by the end of it we determined that there was a server sitting between his 140 snotty, insolent teenagers and our router. It took a startlingly large fraction of that hour to glean from this barely-adequate specimen of humanity that this server even existed. We also figured out that – somehow – the server was at the core of the problem. After a conversation reminiscent of having teeth pulled, our hero volunteered that – infact – there had been a change to the server that morning: he had uninstalled Microsoft ISA server off it !! Somehow – and it completely eludes me how anyone can be quite this gormless – it never entered his head that perhaps uninstalling the proxy/firewall software off the server separating the hormonal masses from the Internet router might be somehow related to his current predicament (140 horny teenagers separated from their porn supply and becoming increasingly antsy about it).

So, how do I extrapolate from this to my theory about GUIs being the root of all evil ? Well, if that server had been a Linux server, there is no way on earth that this guy would have taken it upon himself to touch it. The slightly arcane (yes…I admit it) Linux command-line has a way of scaring off people like this who really need most of their brain power just so they remember to breathe regularly and are taking huge risks by trying to apply their limited stock of intelligence to anything else. In short, command-lines have a way of making things appear a little harder to do than they actually are and therefore act as a built-in safety-net, preventing “special” people from trying to do things they are simply not equipped to do. GUIs, have exactly the opposite effect: they allow the dimmest of knuckle-dragging troglodytes to poke and prod at things they don’t really understand until eventually they manage to break it.

I formulated a more limited form of this theory some years ago when I formed the opinion that Checkpoint Firewall-1 was the source of all security problems on the Internet. When I first started working in the field of data security I could never really understand how hackers seemed to be able to waltz past the best of access lists and firewalls as if they weren’t there. How could it be that the hackers were all so clever and the developers of firewalls were all apparently dribbling idiots ? Then, one day, I was on-site with a large multinational customer watching the guys in there trying to get an application working through a Checkpoint firewall. So, they fired up Checkpoint’s very lovely GUI and they added the rule they thought should do the trick. It didn’t, so the relaxed the rule a little further. It still didn’t, so they relaxed it a little further again, and so the cycle continued through several iterations until eventually the application did work and the “firewall” was reduced to the functional equivalent of a piece of wire. At that moment I understood for the first time that security holes were rarely caused by weaknesses in firewalls and far more often caused by mental deficiencies in those charged with configuring them. I also understood that the GUI was at fault: Checkpoint’s (lovely) GUI makes it very easy to set up rules without the bothersome inconvenience of having to have the remotest understanding of what the hell you are doing. If they had a PIX rather than a Checkpoint (these were the halcyon days before PIX Device Manager, when all was right with the world), this would not have happened. The only thing I didn’t grasp at the time was exactly how generally-applicable the GUI theory was.

I have spent the better part of the day trying to diagnose an IPSec connectivity problem between a Cisco PIX (version 6.3.5) and a WatchGuard Firebox of some kind (I have no visibility of it). The problem turns out to be rather subtle, so I thought I would share it here.

The configuration on the PIX is fairly standard (IP addresses have been changed to protect the innocent !):-

crypto ipsec transform-set Esp3DesMD5 esp-3des esp-md5-hmac
:
:
access-list VPNToFirebox permit 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
:
:
crypto map VPN 60 ipsec-isakmp
crypto map VPN 60 match address VPNToFirebox
crypto map VPN 60 set pfs
crypto map VPN 60 set peer 2.2.2.2
crypto map VPN 60 set transform-set Esp3DesMD5
crypto map VPN 60 set security-association lifetime seconds 86400 kilobytes 8192
:
:
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode


The ISAKMP (Phase 1) SA establishes just fine, but the IPSEC (Phase 2) SA never comes up. Watching the debug information on the PIX, here’s what happens:-


ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 8192
ISAKMP: group is 2
ISAKMP: encaps is 61433
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS


The key is the “encaps is 61433″ line. What this should say is “encaps is 61443″ which is the (old, pre-RFC3947) encapsulation ID for ESP via NAT Traversal. As it is, the PIX has no idea what “61433″ is supposed to be and the SA negotiation fails.

Here’s what the debug output looks like when talking to another PIX (which sends the correct ID):-


ISAKMP (0): processing SA payload. message ID = 177759204
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (basic) of 8192
ISAKMP: authenticator is HMAC-MD5
ISAKMP: group is 1
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

Here the encapsulation ID is correct and the tunnel comes up.

The problem only arises when NAT is detected on the path between the Firebox and the PIX…otherwise there is no need to encapsulate the ESP inside UDP.

References

• Negotiation of NAT-Traversal in the IKE – http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-04