NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0135:  SNMP in NDcPP MACsec EP v1.2

Publication Date
2017.01.25

Protection Profiles
PP_NDCPP_MACSEC_EP_V1.2

Other References
FMT_SNMP_EXT.1.1, FCS_SNMP_EXT.1.1

Issue Description

The end of the FMT_SNMP_EXT.1.1 SFR is confusing as currently written, causing differing interpretations. In addition, the FCS_SNMP_EXT.1.1 SFR is written like an assurance activity instead of a requirement and should be reworded.

Resolution

Replace FMT_SNMP_EXT.1.1 as follows:

FMT_SNMP_EXT.1.1 The TSF shall implement Simple Network Management Protocol (SNMP) with TLS security in conformance with RFC 6353 “Transport Layer Security (TLS) Transport Model for the Simple Network Management Protocol (SNMP)”.

Replace FCS_SNMP_EXT.1.1 and add an assurance activity as follows:

FCS_SNMP_EXT.1.1 The TSF shall support SNMP using TLS in accordance with RFC 6353 supporting the following cipher suites [
· Mandatory Cipher suites:
  o TLS_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
· [selection: Optional Cipher suites:
  o TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246
  o TLS_DHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246
  o TLS_DHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246
  o TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 4492
  o TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 4492
  o TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA as defined in RFC 4492
  o TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA as defined in RFC 4492
  o TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
  o TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
  o TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246
  o TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246
  o TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
  o TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
  o TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
  o TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
  o no other cipher suite]].
Assurance Activity

TSS

The evaluator shall check the TSS to verify that it describes the ability of the TSF to support SNMP-TLS along with the TLS versions and cipher suites supported in the SNMP-TLS implementation.

AGD

If the TLS version and/or supported cipher suites are configurable, the evaluator shall review the operational guidance to verify that it provides instructions on how these are configured.

Test

The evaluator shall set up an environment where the TOE can connect to a second MACsec device, identified as device B. The evaluator shall configure the devices in two cases: first where the TOE will be the Authenticator and device B will be the Supplicant, and second where the TOE will be the Supplicant and device B will be the Authenticator. The evaluator shall set up an Authentication Server, which may run on the TOE or be a separate device that connects to the test environment.

The evaluator shall then perform the following test:
1. Send some test SNMP commands and verify which cipher suite is used and that it matches what is configured.
2. Configure each device to use only one cipher suite, and each device must use a different cipher suite. Verify that the devices will not establish a connection.
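The two test steps above, as an added example that is not part of the TD or of any TOE: a small Python decoder that pulls the offered suites from a TLS ClientHello and the selected suite from a ServerHello, compares the result with the FCS_SNMP_EXT.1.1 list and with a hypothetical configured allow-list (step 1), and states the step-2 expectation that disjoint single-suite configurations share no suite and so must not complete a handshake. The ClientHello and ServerHello bytes are constructed inside the block (zeroed random, no extensions) to stand in for a capture of the SNMP-TLS handshake; the `configured` set is an assumed TOE setting, not something the TD specifies.

```python
# Added example for the FCS_SNMP_EXT.1.1 test; not part of the NIAP TD or any vendor's TOE.
import struct

# IANA code points of the suites named in FCS_SNMP_EXT.1.1 (RFC 5246, RFC 4492, RFC 5289).
TD0135_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
}
MANDATORY_SUITE = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2


def _handshake_body(record, expected_type):
    """Strip the TLS record header (type, version, length) and the handshake
    header (type, 24-bit length); return the handshake message body."""
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    if hs_type != expected_type:
        raise ValueError(f"expected handshake type {expected_type}, got {hs_type}")
    return hs[4:4 + hs_len]


def client_hello_suites(record):
    """Cipher suites the client offered, in the client's preference order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = 2 + 32                       # client_version + random
    pos += 1 + body[pos]               # session_id (length-prefixed)
    (n,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]


def server_hello_suite(record):
    """The single cipher suite the server selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = 2 + 32                       # server_version + random
    pos += 1 + body[pos]               # session_id (length-prefixed)
    return struct.unpack("!H", body[pos:pos + 2])[0]


def suite_name(code):
    return TD0135_SUITES.get(code, f"0x{code:04X} (not in FCS_SNMP_EXT.1.1)")


def check_negotiation(client_hello, server_hello, configured):
    """Test step 1: name the negotiated suite and list every deviation from what
    the client offered, what the SFR permits, and the configured allow-list."""
    offered = client_hello_suites(client_hello)
    chosen = server_hello_suite(server_hello)
    problems = []
    if chosen not in offered:
        problems.append("server selected a suite the client did not offer")
    if chosen not in TD0135_SUITES:
        problems.append("suite is not in the FCS_SNMP_EXT.1.1 list")
    if chosen not in configured:
        problems.append("suite does not match the configured allow-list")
    return suite_name(chosen), problems


def configuration_is_conformant(configured):
    """An allow-list must contain the mandatory suite and only SFR-listed suites."""
    return MANDATORY_SUITE in configured and set(configured) <= set(TD0135_SUITES)


def handshake_must_fail(suites_a, suites_b):
    """Test step 2: disjoint single-suite configurations leave nothing to
    negotiate, so a completed handshake between the devices is a finding."""
    return not (set(suites_a) & set(suites_b))


def _wrap(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites):
    """Constructed ClientHello: TLS 1.2, zeroed random, empty session id, no extensions."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                 # one compression method: null
    return _wrap(CLIENT_HELLO, body)


def build_server_hello(suite):
    """Constructed ServerHello selecting one suite, null compression, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _wrap(SERVER_HELLO, body)


if __name__ == "__main__":
    configured = {0x002F, 0xC02B}      # hypothetical TOE allow-list (assumption)
    ch = build_client_hello([0xC02B, 0x002F])
    print(check_negotiation(ch, build_server_hello(0xC02B), configured))
    print(check_negotiation(ch, build_server_hello(0x1301), configured))
    print("conformant config:", configuration_is_conformant(configured))
    print("disjoint configs must fail:", handshake_must_fail([0x002F], [0xC02B]))
```

In an evaluation the record bytes would come from a capture of the handshake on the SNMP-TLS port rather than from the builders; the two parsers read only the fixed-position fields that precede the extensions, so they work unchanged on captured hellos that carry a session id and extensions. A selected suite outside the list (the 0x1301 case) is reported as three separate findings so the evaluator can tell an unoffered suite from a merely misconfigured one.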
Justification

Updates made for clarity.