![[Public Interpretations Database]](http://www.niap-ccevs.org/assets/images/precedent-db.jpg){kind=small}
PD-0018: Usage of the Term "Loopback Network" in the Application Level Firewall PP
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
| Effective Date: | 2002-03-11 |
| Last Modified | 2006-08-02 |
Issue
In the ALFWPP v1.c (and V1.0) expansion of FDP_IFF.1.6.d in both FDP_IFF.1(1) and FSP_IFF.1(2), the term, "loopback network," is used instead of the more correct term, "loopback address." Specifically both FDP_IFF.1.6d iterations say:
The TOE shall reject requests for access or services where the information arrives on either an internal or external TOE interface, and the presumed address of the source subject is an external IT entity on the loopback network;
Resolution
While some sense can be made of the term, "loopback network," it should not be used. Intead, the term, "loopback address," should be used as follows in both FDP_IFF.1.6d iterations:
The TOE shall reject requests for access or services where the information arrives on either an internal or external TOE interface, and the presumed address of the source subject is a loopback address.
Furthermore, because IPV4 and IPV6 differ in the formats of IP addresses and the values used for the loopback address, the PP author(s) should provide a definition of "loopback address" (in an Application Note or in a footnote at the term's first mention) that allows the PP to apply to either IP version. IPV4 treats any IP address with a network ID of 127 as a loopback address. For IPV6, the address 0:0:0:0:0:0:0:1 is the loopback address.
Support
Both "loopback network" and "loopback address" are referenced in several IETF RFCs. However, what those RFCs seem to have in common is the use of an address form reserved for loopback purposes. Although such addresses in some sense could be considered a network, the RFCs are explicit in saying that the data transmitted to a loopback address must not actually appear on any network. The data are typically just returned as input data by low-level-protocol software.
Since both iterations of FDP_IFF.1.6d are describing an information flow control rule, "loopback address" identifies more clearly what the TOE will be examining in these information flow checks.
Modification History:
- 2004-08-12
- Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)
References:
- ALFWPPv1.c
Related NIs:
- None
Related CCIMB-INTERPs:
- None
Source OD: 0123