NIAP: View Technical Decision Details
Archived TD0657:  IPSEC_EXT.1.6 GCM support for VPN GW

Publication Date

Protection Profiles

Other References

Issue Description

FCS_IPSEC_EXT.1.6 in MOD_VPNGW_V1.2 incorrectly labeled two AES-GCM algorithms as AES-CBC.


FCS_IPSEC_EXT.1.6 in MOD_VPNGW_V1.2 is modified as follows, with strikethrough denoting deletions and underline denoting additions:

FCS_IPSEC_EXT.1.6 The TSF shall ensure the encrypted payload in the [selection: IKEv1, IKEv2] protocol uses the cryptographic algorithms [selection: AES-CBC-128, AES-CBC-192, AES-CBC-256 (specified in RFC 3602), AES-GCM-128, ~~AES-CBC-192,~~ AES-~~CBC~~<u>GCM</u>-256 (specified in RFC 5282)].


Application Note: This element is unchanged from its definition in the Base-PP to remove AES-GCM-192, which is not recommended. AES-CBC implementation for IPsec is specified in RFC 3602. AES-GCM implementation for IPsec is specified in RFC 5282.


RFC 5282 specifically calls out AES-GCM-192 as not recommended, so it should be removed as an option.
