NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0633:  NIT Technical Decision for IPsec IKE/SA Lifetimes Tolerance

Publication Date
2022.03.21

Protection Profiles
CPP_ND_V2.2E

Other References
ND SD2.2, FCS_IPSEC_EXT.1.7, FCS_IPSEC_EXT.1.8

Issue Description

The NIT has issued a technical decision for IPsec IKE/SA Lifetimes Tolerance.

Resolution

This TD has been superseded by TD0800 and is now archived.

Guidance Documentation requirements for FCS_IPSEC_EXT.1.7 shall be modified as follows:

The evaluator shall verify that the values for SA lifetimes can be configured and that the instructions for doing so are located in the guidance documentation. If time-based limits are supported, configuring the limit may lead to a rekey no later than the specified limit. For some implementations, it may be necessary, though, to configure the TOE with a lower time value to ensure a rekey is performed before the maximum SA lifetime of 24 hours is exceeded (e.g. configure a time value of 23h 45min to ensure the actual rekey is performed no later than 24h). The evaluator shall verify that the guidance documentation allows the Administrator to configure the Phase 1 SA value of 24 hours or provides sufficient instruction about the time value to configure to ensure the rekey is performed no later than the maximum SA lifetime of 24 hours. It is not permitted to configure a value of 24 hours if that leads to an actual rekey after more than 24hours. Currently there are no values mandated for the number of bytes, the evaluator just ensures that this can be configured if selected in the requirement.

Guidance Documentation requirements for FCS_IPSEC_EXT.1.8 shall be modified as follows:

The evaluator shall verify that the values for SA lifetimes can be configured and that the instructions for doing so are located in the guidance documentation. If time-based limits are supported, configuring the limit may lead to a rekey no later than the specified limit. For some implementations, it may be necessary, though, to configure the TOE with a lower time value to ensure a rekey is performed before the maximum SA lifetime of 8 hours is exceeded (e.g. configure a time value of 7h 45min to ensure the actual rekey is performed no later than 8h). The evaluator shall verify that the guidance documentation allows the Administrator to configure the Phase 2 SA value of 8 hours or provides sufficient instruction about the time value to configure to ensure the rekey is performed no later than the maximum SA lifetime of 8 hours. It is not permitted to configure a value of 8 hours if that leads to an actual rekey after more than 8hours. Currently there are no values mandated for the number of bytes, the evaluator just ensures that this can be configured if selected in the requirement.

Test requirements for FCS_IPSEC_EXT.1.7 and FCS_IPSEC_EXT.1.8 shall be modified as follows:

Test 2 for FCS_IPSEC_EXT.1.7 shall be modified as follows:

If ‘length of time’ is selected as the SA lifetime measure, the evaluator shall configure a maximum lifetime no later than 24 hours for the Phase 1 SA following the guidance documentation. The evaluator shall configure a test peer with a Phase 1 SA lifetime that exceeds the Phase 1 SA lifetime on the TOE.

Test 2 for FCS_IPSEC_EXT.1.8 shall be modified as follows:

If ‘length of time’ is selected as the SA lifetime measure, the evaluator shall configure a maximum lifetime no later than 8 hours for the Phase 2 SA following the guidance documentation. The evaluator shall configure a test peer with a Phase 2 SA lifetime that exceeds the Phase 2 SA lifetime on the TOE.

For further information, please see NIT Interpretation at:  https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRFI202116.pdf

Justification

See issue description.

 
 
Site Map              Contact Us              Home