NIAP: View Technical Decision Details
TD0534:  NIT Technical Decision for Firewall IPv4 & IPv6 testing by default

Publication Date
2020.07.13

Protection Profiles
CPP_FW_V2.0E, MOD_CPP_FW_v1.3

Other References
FW SDv2.0e, FW MOD SDv1.3

Issue Description

The NIT has issued a technical decision for Firewall IPv4 & IPv6 testing by default.

Resolution

In general, both IPv4 and IPv6 must be tested for all FFW_RUL_EXT.1 evaluation activities. In particular, where handling of IPv4 and IPv6 is implemented separately in the TOE, both protocols need to be tested to ensure correct TOE behavior. There is no expectation, though, to test pure IPv4 features with IPv6 (or vice versa, if applicable). Specifically, the following changes shall be applied:

1.) Between the headlines "FFW_RUL_EXT.1 Stateful Traffic Filtering" and "TSS" the following paragraph shall be added.

The following table provides an overview of the execution of test cases regarding IPv4 and IPv6.

| SFR Element/Test Case | Test execution |
| --- | --- |
| FFW_RUL_EXT.1, Tests 1-2 | Both IPv4 and IPv6. |
| FFW_RUL_EXT.1.2/1.3/1.4, Tests 1-2 | As defined in the test description. |
| FFW_RUL_EXT.1.5, Tests 1-8 | Both IPv4 and IPv6. |
| FFW_RUL_EXT.1.6, Tests 1-2 | Both IPv4 and IPv6 shall be tested for items a), b), c), d), and e) of the SFR element FFW_RUL_EXT.1.6. Both IPv4 and IPv6 shall be tested for item i) unless the rule definition is specific to IPv4 or IPv6. Note: f), g), and h) are specific to IPv4 or IPv6 and shall be tested accordingly. |
| FFW_RUL_EXT.1.7, Tests 1-2 | Both IPv4 and IPv6. |
| FFW_RUL_EXT.1.8, Tests 1-2 | Both IPv4 and IPv6. |
| FFW_RUL_EXT.1.9, Test 1 | As defined in the test description. |
| FFW_RUL_EXT.1.10, Test 1 | Both IPv4 and IPv6. |

2.) At the beginning of the Test section for FFW_RUL_EXT.1.5 (before the test definition) the following sentence shall be added:

shall be replaced by

The following tests shall be run using IPv4 and IPv6.

Test 1: The evaluator shall configure the TOE to permit and log TCP traffic. The evaluator shall initiate a TCP session. ..."

3.) At the beginning of the Test section for FFW_RUL_EXT.1.6 (before the test definition) the following sentence shall be added:

shall be replaced by

Both IPv4 and IPv6 shall be tested for items a), b), c), d), and e) of the SFR element. Both IPv4 and IPv6 shall be tested for item i) unless the rule definition is specific to IPv4 or IPv6. Note: f), g), and h) are specific to IPv4 or IPv6 and shall be tested accordingly.

Test 1: The evaluator shall test each of the conditions for automatic packet rejection in turn. ..."

4.) At the beginning of the Test section for FFW_RUL_EXT.1.7 (before the test definition) the following sentence shall be added:

shall be replaced by

The following tests shall be run using IPv4 and IPv6.

Test 1: The evaluator shall configure the TOE to drop and log network traffic where the source address of the packet matches that of the TOE network interface upon which the traffic was received. ..."

5.) At the beginning of the Test section for FFW_RUL_EXT.1.10 (before the test definition) the following sentence shall be added:

shall be replaced by

The following tests shall be run using IPv4 and IPv6.

Test 1: The evaluator shall define a TCP half-open connection limit on the TOE. The evaluator shall generate TCP SYN requests to pass through the TOE to the target system using a randomised source IP address and common destination IP address. ..."
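The decision's core point is that a TOE which implements IPv4 and IPv6 handling separately can pass a rule's test in one family and silently fail it in the other, so every FFW_RUL_EXT.1 test case in the table above has to be executed for both. The following is an added illustration written for this page; it is not NIAP, NIT or any vendor's code. It models two of the rules quoted in items 4.) and 5.) (FFW_RUL_EXT.1.7 Test 1, drop and log traffic whose source address is the address of the receiving TOE interface, and FFW_RUL_EXT.1.10 Test 1, a TCP half-open connection limit) in a toy `StatefulFilter`, runs each test once per address family, and reports any test case that was not executed for both families. The `spoof_families` knob is a hypothetical construct that models a TOE whose separately implemented IPv6 path lacks the own-address check; `Packet`, `StatefulFilter` and all addresses (documentation ranges) are constructed for the example.

```python
# Added example (not NIAP/NIT/vendor code): toy stateful filter plus a dual-stack
# test matrix. All addresses are constructed from documentation ranges.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # TOE interface the packet arrived on
    flags: str = ""  # tcpdump-style TCP flags: "S" = SYN, "." = ACK only


class StatefulFilter:
    """Models FFW_RUL_EXT.1.7 Test 1 (own-address spoof) and FFW_RUL_EXT.1.10
    Test 1 (half-open limit). spoof_families={4} models a hypothetical TOE whose
    separately implemented IPv6 path lacks the own-address check."""

    def __init__(self, iface_addrs, half_open_limit, spoof_families=(4, 6)):
        self.iface_addrs = {n: {ipaddress.ip_address(a) for a in addrs}
                            for n, addrs in iface_addrs.items()}
        self.half_open_limit = half_open_limit
        self.spoof_families = set(spoof_families)
        self.half_open = set()  # (src, dst) with SYN seen, no ACK yet
        self.log = []           # (verdict, reason, src, dst)

    def process(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        # FFW_RUL_EXT.1.7: drop and log traffic whose source address is the
        # address of the interface it was received on.
        if (src.version in self.spoof_families
                and src in self.iface_addrs.get(pkt.iface, set())):
            return self._log("drop", "source is receiving interface address", pkt)
        # FFW_RUL_EXT.1.10: enforce the TCP half-open connection limit.
        if pkt.flags == "S":
            if len(self.half_open) >= self.half_open_limit:
                return self._log("drop", "half-open limit reached", pkt)
            self.half_open.add((pkt.src, pkt.dst))
        elif pkt.flags == ".":
            self.half_open.discard((pkt.src, pkt.dst))
        return self._log("permit", "", pkt)

    def _log(self, verdict, reason, pkt):
        self.log.append((verdict, reason, pkt.src, pkt.dst))
        return verdict


TOE_IFACES = {"eth0": ["192.0.2.1", "2001:db8::1"]}  # constructed dual-stack interface
OWN = {4: "192.0.2.1", 6: "2001:db8::1"}
PEER = {4: "198.51.100.7", 6: "2001:db8:1::7"}
TARGET = {4: "203.0.113.10", 6: "2001:db8:2::10"}
SRC_BASE = {4: "198.51.100.0", 6: "2001:db8:1::"}
REQUIRED_BOTH = {"FFW_RUL_EXT.1.7 Test 1", "FFW_RUL_EXT.1.10 Test 1"}
EXPECTED = {"FFW_RUL_EXT.1.7 Test 1": ("drop", "permit"),
            "FFW_RUL_EXT.1.10 Test 1": (5, 3)}


def run_spoof_test(version, spoof_families=(4, 6)):
    """Verdicts for a packet spoofing the TOE's own address, then a legitimate one."""
    fw = StatefulFilter(TOE_IFACES, 10, spoof_families)
    spoofed = Packet(OWN[version], PEER[version], "eth0", "S")
    legit = Packet(PEER[version], OWN[version], "eth0", "S")
    return fw.process(spoofed), fw.process(legit)


def run_half_open_test(version, limit=5, syns=8):
    """SYNs from distinct sources to one target; returns (permitted, dropped)."""
    fw = StatefulFilter(TOE_IFACES, limit)
    base = ipaddress.ip_address(SRC_BASE[version])
    verdicts = [fw.process(Packet(str(base + i), TARGET[version], "eth0", "S"))
                for i in range(1, syns + 1)]
    return verdicts.count("permit"), verdicts.count("drop")


def run_matrix(spoof_families=(4, 6)):
    """Run every required test case once per address family."""
    results = {}
    for v in (4, 6):
        results[("FFW_RUL_EXT.1.7 Test 1", v)] = run_spoof_test(v, spoof_families)
        results[("FFW_RUL_EXT.1.10 Test 1", v)] = run_half_open_test(v)
    return results


def missing_coverage(results):
    """Required test cases not executed for both IPv4 and IPv6."""
    seen = {}
    for test, v in results:
        seen.setdefault(test, set()).add(v)
    return {t for t in REQUIRED_BOTH if seen.get(t, set()) != {4, 6}}


def failed_cases(results):
    """(test, family) pairs whose outcome differs from the expected one."""
    return {k for k, r in results.items() if r != EXPECTED[k[0]]}


if __name__ == "__main__":
    print("missing coverage:", missing_coverage(run_matrix()))
    print("failures with IPv4-only spoof check:",
          failed_cases(run_matrix(spoof_families=(4,))))
```

With the default, correctly implemented filter both families pass every case and `missing_coverage` is empty. With `spoof_families=(4,)` the IPv4 row of FFW_RUL_EXT.1.7 Test 1 still passes, and only the IPv6 row exposes the missing check, which is exactly the situation the table's "Both IPv4 and IPv6" entries are meant to catch.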

For further information, please see the NIT interpretation at:

https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfi201927.pdf

Justification

See issue description
