NIAP: View Technical Decision Details
Archived TD0596:  VPN Traffic Permitted in FDP_IFC_EXT.1

Publication Date

Protection Profiles
PP_MD_V3.1, PP_MDF_V3.2

Other References

Issue Description

FDP_IFC_EXT.1 and its application note make it unclear what exceptions are allowed for establishing the VPN connection.


FDP_IFC_EXT.1.1 in MDF v3.1 and v3.2 is replaced as follows:


FDP_IFC_EXT.1.1   The TSF shall [selection:

·       provide an interface which allows a VPN client to protect all IP traffic using IPsec,

·       provide a VPN client which can protect all IP traffic using IPsec as defined in the PP-Module for VPN Client

] with the exception of IP traffic needed to manage the VPN connection, and [selection: [assignment: traffic needed for correct functioning of the TOE], no other traffic], when the VPN is enabled.


Application Note: Typically, the traffic needed to manage the VPN connection is referred to as "Control Plane" traffic, whereas the IP traffic protected by the IPsec VPN is referred to as "Data Plane" traffic. All "Data Plane" traffic must flow through the VPN connection and the VPN must not split-tunnel. "IP traffic needed for correct functioning of the TOE" comprises traffic that would prevent the TOE from proper operation if it were either blocked by or routed through the VPN. Enabling the VPN means that the VPN client has been activated by the user. If the VPN tunnel gets interrupted, then no "Data Plane" traffic should be sent until the VPN tunnel is re-established or the user disables the VPN client.

If no native IPsec client is validated, or if third-party VPN clients may also implement the required Information Flow Control, the first option must be selected. In these cases, the TOE provides an API to third-party VPN clients that allows them to configure the TOE's network stack to perform the required Information Flow Control.

The ST author must select the second option if the TSF implements a native VPN client (i.e., IPsec is selected in FTP_ITC_EXT.1). The TSF must then be validated against the PP-Module for VPN Client, and the ST author must also include FDP_IFC_EXT.1 from the PP-Module for VPN Client.

It is optional for the VPN client to be configured to be always-on per FMT_SMF_EXT.1 Function 45. Always-on means that an IPsec trusted channel must be established before the TSF allows any communication.


Evaluation Activities


The evaluator shall verify that the TSS section of the ST describes the routing of IP traffic through processes on the TSF when a VPN client is enabled. The evaluator shall ensure that the description indicates which traffic does not go through the VPN and which traffic does. The evaluator shall verify that a configuration exists for each baseband protocol in which only the traffic identified by the ST author as necessary for establishing the VPN connection (IKE traffic and perhaps HTTPS or DNS traffic) or needed for the correct functioning of the TOE is not encapsulated by the VPN protocol (IPsec). The evaluator shall verify that the TSS section describes any differences in the routing of IP traffic when using any supported baseband protocols (e.g., Wi-Fi or LTE).


The evaluator shall verify that one (or more) of the following options is addressed by the documentation:

  • The description above indicates that if a VPN client is enabled, all configurations route all Data Plane traffic through the tunnel interface established by the VPN client.
  • The AGD guidance describes how the user and/or administrator can configure the TSF to meet this requirement.
  • The API documentation includes a security function that allows a VPN client to specify this routing.


  • Test 1: If the ST author identifies any differences in the routing between Wi-Fi and cellular protocols, the evaluator shall repeat this test with a base station implementing one of the identified cellular protocols.

    Step 1: The evaluator shall enable a Wi-Fi configuration as described in the AGD guidance (as required by FTP_ITC_EXT.1). The evaluator shall use a packet sniffing tool between the wireless access point and an Internet-connected network. The evaluator shall turn on the sniffing tool and perform actions with the device such as navigating to websites, using provided applications, and accessing other Internet resources. The evaluator shall verify that the sniffing tool captures the traffic generated by these actions, turn off the sniffing tool, and save the session data.

    Step 2: The evaluator shall configure an IPsec VPN client that supports the routing specified in this requirement, and if necessary, configure the device to perform the routing specified as described in the AGD guidance. The evaluator shall ensure the test network is capable of sending any traffic identified as exceptions. The evaluator shall turn on the sniffing tool, establish the VPN connection, and perform the same actions with the device as performed in the first step, as well as ensuring that all exception traffic is generated. The evaluator shall verify that the sniffing tool captures traffic generated by these actions, turn off the sniffing tool, and save the session data.

    Step 3: The evaluator shall examine the traffic from both Step 1 and Step 2 to verify that all Data Plane traffic is encapsulated by IPsec, modulo the exceptions identified in the SFR (if applicable). For each exception listed in the SFR, the evaluator shall verify that this traffic is allowed outside of the VPN tunnel. The evaluator shall examine the Security Parameter Index (SPI) value present in the encapsulated packets captured in Step 2 from the TOE to the Gateway and shall verify that this value is the same for all actions used to generate traffic through the VPN. Note that it is expected that the SPI value for packets from the Gateway to the TOE is different from the SPI value for packets from the TOE to the Gateway. The evaluator shall be aware that IP traffic on the cellular baseband outside of the IPsec tunnel may be emanating from the baseband processor and shall verify with the manufacturer that any identified traffic is not emanating from the application processor.

    Step 4: (Conditional: If ICMP is not listed as part of the IP traffic needed for the correct functioning of the TOE) The evaluator shall perform an ICMP echo from the TOE to the IP address of another device on the local wireless network and shall verify that no packets are sent using the sniffing tool. The evaluator shall attempt to send packets to the TOE outside the VPN tunnel (i.e. not through the VPN gateway), including from the local wireless network, and shall verify that the TOE discards them.
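
The following Python sketch is an added illustration of the Step 3 and Step 4 checks (and of the traffic classes FDP_IFC_EXT.1.1 distinguishes); it is not part of the TD, the PP, or any evaluation lab's tooling. It works on decoded packet summaries rather than a raw pcap, and the TOE and gateway addresses, the packet tuples and the DNS exception are constructed assumptions.

```python
from collections import Counter

# Assumed addresses for the constructed capture (not taken from the TD).
TOE = "192.0.2.10"
GATEWAY = "198.51.100.1"
IKE_PORTS = {500, 4500}  # IKE and NAT-T: "Control Plane" traffic that may bypass the tunnel

def classify(pkt, exceptions):
    """Classify one packet sent by the TOE as esp, ike, exception, or violation."""
    _src, dst, proto, dport, _spi = pkt
    if proto == "ESP" and dst == GATEWAY:
        return "esp"            # Data Plane traffic correctly encapsulated
    if proto == "UDP" and dst == GATEWAY and dport in IKE_PORTS:
        return "ike"            # traffic needed to manage the VPN connection
    if (proto, dport) in exceptions:
        return "exception"      # ST-listed traffic needed for correct functioning of the TOE
    return "violation"          # plaintext Data Plane traffic outside the tunnel

def check_capture(packets, exceptions=frozenset()):
    """Step 3 checks: every TOE packet is ESP, IKE or a listed exception; one outbound SPI; inbound SPI differs."""
    counts, violations = Counter(), []
    out_spis, in_spis = set(), set()
    for pkt in packets:
        src, dst, proto, _dport, spi = pkt
        if src == TOE:
            kind = classify(pkt, exceptions)
            counts[kind] += 1
            if kind == "violation":
                violations.append(pkt)
            elif kind == "esp":
                out_spis.add(spi)
        elif dst == TOE and proto == "ESP":
            in_spis.add(spi)
    return {
        "counts": dict(counts),
        "violations": violations,
        "single_outbound_spi": len(out_spis) == 1,
        "spi_directions_differ": bool(out_spis) and out_spis.isdisjoint(in_spis),
    }

# Constructed packet summaries (src, dst, proto, dst_port, spi) standing in for Step 2's session data.
CAPTURE = [
    (TOE, GATEWAY, "UDP", 500, None),            # IKE_SA_INIT: Control Plane, allowed outside the tunnel
    (TOE, GATEWAY, "ESP", None, 0xC0FFEE01),     # web browsing, inside the tunnel
    (GATEWAY, TOE, "ESP", None, 0xC0FFEE02),     # reply direction, expected to use a different SPI
    (TOE, GATEWAY, "ESP", None, 0xC0FFEE01),     # application traffic, same outbound SPI
    (TOE, "192.0.2.53", "UDP", 53, None),         # DNS: acceptable only if listed as an SFR exception
    (TOE, "192.0.2.20", "ICMP", None, None),      # echo to the local network: the Step 4 failure case
]
```

Running `check_capture(CAPTURE, exceptions={("UDP", 53)})` flags only the ICMP packet, while the same capture without the DNS exception reports two violations.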

See justification.
