NIAP/CCEVS
Archived TD0198: IPS_SBD_EXT.1.1 - IPv4, IPv6, ICMP

Publication Date
2017.05.03

Protection Profiles
PP_NDCPP_IPS_EP_V2.1

Other References
IPS_SBD_EXT.1.1; PP_NDCPP_IPS_EP_V2.1

Issue Description

IPv4 & IPv6: Some header fields do not need to be inspected.

ICMP: The requirement must be explicit about which fields are to be inspected. If it is not, the requirement may be interpreted inconsistently and the wrong fields may be tested.

Resolution

IPS_SBD_EXT.1.1

The TSF shall support inspection of packet header contents and be able to inspect at least the following header fields:

· IPv4: Version; Header Length; Packet Length; ID; IP Flags; Fragment Offset; Time to Live (TTL); Protocol; Header Checksum; Source Address; Destination Address; and IP Options and [selection: Type of Service (ToS), no other field].

· IPv6: Version; payload length; next header; hop limit; source address; destination address; routing header; and [selection: traffic class, flow label, home address options, no other field].

· ICMP: Type; Code; Header Checksum; and Rest of Header (varies based on the ICMP type and code) [selection: ID, sequence number, [assignment: other field in the ICMP header]].

· ICMPv6: Type; Code; and Header Checksum.

· TCP: Source port; destination port; sequence number; acknowledgement number; offset; reserved; TCP flags; window; checksum; urgent pointer; and TCP options.

· UDP: Source port; destination port; length; and UDP checksum.

Justification

IPv6 "Traffic class and flow label fields" – There is no known real-world vulnerability or security implication associated with the IPv6 traffic class or flow label field. A theoretical attack scenario exists, but it rests on a flaw in the original RFC's specification of the field that has since been corrected by a revised RFC.

IPv6 "Home address options field" – This is not a field in the IPv6 base header (which is what this requirement is about), nor is it an Extension Header (EH) in its own right. IPS products can inspect the Next Header (NH) field via an intrusion rule that flags an invalid IPv6 protocol or Extension Header value. The Home Address option, however, is an option carried inside the Destination Options EH (Next Header value 60), and its purpose is to identify the home address of a mobile node. In general, an IPS product would not inspect this option because it has no way of knowing which home addresses are legitimate for mobile nodes. We recommend removing this field, as it does not belong in this requirement.

ICMP "Rest of Header" – As written, this is too vague. IPS products can inspect the ICMP identifier and sequence number in addition to type and code, so the resolution names those fields explicitly in the selection. ICMP has not been the subject of many security incidents other than flooding and the injection of false information.
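As an added illustration (not text from the TD, and not NIAP's or any vendor's IPS code), the following Python extracts from raw packet bytes the header fields named in the IPS_SBD_EXT.1.1 resolution above for IPv4, IPv6, ICMP/ICMPv6, TCP and UDP. It also walks the IPv6 extension-header chain to show where the Home Address option discussed in the justification actually sits (inside a Destination Options header, Next Header value 60, option type 201), and decodes the ICMP echo identifier and sequence number that the "Rest of Header" selection refers to. Both sample packets are constructed inline for the example; checksums are surfaced as parsed but not verified.

```python
"""Header-field extractor for the fields named in IPS_SBD_EXT.1.1.
Added illustration only (not NIAP's text or any vendor's IPS code).
Checksums are exposed as parsed, not verified; packets below are constructed."""
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMPV6 = 1, 6, 17, 58
IPV6_EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-options"}
HOME_ADDRESS_OPT = 201  # Mobile IPv6 Home Address option type (RFC 6275)


def parse_l4(proto, seg):
    """Return the transport-layer fields listed in the requirement."""
    if proto == IPPROTO_TCP:
        sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
        doff = (off_res >> 4) * 4
        return {"proto": "tcp", "src_port": sport, "dst_port": dport, "seq": seq,
                "ack": ack, "offset": doff, "reserved": off_res & 0x0F, "flags": flags,
                "window": win, "checksum": csum, "urgent_pointer": urg, "options": seg[20:doff]}
    if proto == IPPROTO_UDP:
        sport, dport, length, csum = struct.unpack("!HHHH", seg[:8])
        return {"proto": "udp", "src_port": sport, "dst_port": dport, "length": length, "checksum": csum}
    if proto in (IPPROTO_ICMP, IPPROTO_ICMPV6):
        typ, code, csum = struct.unpack("!BBH", seg[:4])
        d = {"proto": "icmp" if proto == IPPROTO_ICMP else "icmpv6", "type": typ,
             "code": code, "checksum": csum, "rest_of_header": seg[4:8]}
        # For ICMP echo the "rest of header" is ID + sequence; ICMPv6 only needs type/code/checksum.
        if proto == IPPROTO_ICMP and typ in (0, 8):
            d["id"], d["sequence"] = struct.unpack("!HH", seg[4:8])
        return d
    return {"proto": proto}


def parse_ipv4(pkt):
    """Return the IPv4 base-header fields (ToS included as the selectable field)."""
    ver_ihl, tos, length, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = {"version": ver_ihl >> 4, "header_length": ihl, "packet_length": length, "id": ident,
           "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl,
           "protocol": proto, "header_checksum": csum, "src": ".".join(map(str, src)),
           "dst": ".".join(map(str, dst)), "options": pkt[20:ihl], "tos": tos}
    return hdr, parse_l4(proto, pkt[ihl:])


def find_home_address(dest_opts):
    """TLV-walk a Destination Options header; return the Home Address option value if present."""
    i = 2  # skip the next-header and hdr-ext-len bytes
    while i < len(dest_opts):
        otype = dest_opts[i]
        if otype == 0:  # Pad1 has no length byte
            i += 1
            continue
        olen = dest_opts[i + 1]
        if otype == HOME_ADDRESS_OPT:
            return dest_opts[i + 2:i + 2 + olen].hex()
        i += 2 + olen
    return None


def parse_ipv6(pkt):
    """Return the IPv6 base-header fields plus the extension-header chain that follows."""
    first, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    hdr = {"version": first >> 28, "traffic_class": (first >> 20) & 0xFF, "flow_label": first & 0xFFFFF,
           "payload_length": plen, "next_header": nh, "hop_limit": hlim,
           "src": pkt[8:24].hex(), "dst": pkt[24:40].hex(), "ext_headers": [], "home_address": None}
    off = 40
    while nh in IPV6_EXT:  # walk the extension-header chain to reach the transport header
        ext_nh, ext_len = pkt[off], pkt[off + 1]
        size = 8 if nh == 44 else (ext_len + 1) * 8  # the fragment header is fixed-size
        hdr["ext_headers"].append(IPV6_EXT[nh])
        if nh == 60:
            hdr["home_address"] = find_home_address(pkt[off:off + size])
        nh, off = ext_nh, off + size
    return hdr, parse_l4(nh, pkt[off:])


def inspect(pkt):
    """Dispatch on the version nibble; returns (network-layer fields, transport-layer fields)."""
    return parse_ipv4(pkt) if pkt[0] >> 4 == 4 else parse_ipv6(pkt)


# Constructed sample 1: IPv4 / ICMP echo request (ID 1, sequence 7), DF flag set.
IPV4_ICMP_ECHO = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, 64, IPPROTO_ICMP, 0,
                              bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
                  + struct.pack("!BBHHH", 8, 0, 0, 1, 7))

# Constructed sample 2: IPv6 / Destination Options carrying a Home Address option / UDP to port 53.
HOME = bytes.fromhex("20010db8000000000000000000000099")
IPV6_HAO_UDP = (struct.pack("!IHBB16s16s", 0x60000000, 24 + 8, 60, 64,
                            bytes.fromhex("20010db8" + "0" * 22 + "01"),
                            bytes.fromhex("20010db8" + "0" * 22 + "02"))
                + bytes([IPPROTO_UDP, 2, HOME_ADDRESS_OPT, 16]) + HOME + bytes([1, 2, 0, 0])
                + struct.pack("!HHHH", 40000, 53, 8, 0))

if __name__ == "__main__":
    for p in (IPV4_ICMP_ECHO, IPV6_HAO_UDP):
        l3, l4 = inspect(p)
        print(l3, l4, sep="\n")
```

Running the block prints the extracted fields for both samples. The IPv6 sample makes the justification's point concrete: the home address never appears in the 40-byte base header that `parse_ipv6` unpacks first; it only becomes visible after the parser follows Next Header 60 into the Destination Options header and walks its option TLVs.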
