NIAP: View Technical Decision Details
NIAP/CCEVS
TD0722:  IPS_SBD_EXT.1.1 EA Correction

Publication Date
2023.02.17

Protection Profiles
MOD_IPS_V1.0

Other References
IPS_SBD_EXT.1.1, MOD_IPS_v1.0-SD

Issue Description

IPS_SBD_EXT.1.1 requires:

·         IPv6: version; payload length; next header; hop limit; source address; destination address; routing header; and [selection: traffic class, flow label, no other field].

·         ICMP: type; code; header checksum; and [selection: ID, sequence number, [assignment: other field in the ICMP header]].

The Operational Guidance and Test 1 require:

·         IPv6: Version; traffic class; flow label; payload length; next header; hop limit; source address; destination address; routing header; home address options.

·         ICMP: type; code; header checksum; and rest of header (varies based on the ICMP type and code).

Specifically, the SFR does not specify IPv6 Home Address options, and does not require examination of the IPv6 traffic class, IPv6 flow label, or ICMP Rest of Header.

Also, the Operational Guidance and Test 1 do not account for the selection of type of service (ToS) for IPv4, even though ToS is a selectable field in IPS_SBD_EXT.1.1.

Resolution

In Supporting Document (MOD_IPS_v1.0-SD), as associated with the MOD_IPS_V1.0 Protection Profile and referenced in IPS_SBD_EXT.1.1, the following changes are made: 

IPS_SBD_EXT.1.1 Operational Guidance EA is modified as follows. The original marks deletions with red strikethrough and additions with green underline; because that highlighting does not survive in plain text, deletions are shown here as [deleted: ...] and additions as [added: ...]:

Operational Guidance

The evaluator shall verify that the operational guidance provides instructions with how to create and/or configure rules using the following protocols and header inspection fields:

• IPv4: version; header length; packet length; ID; IP flags; fragment offset; time to live (TTL); protocol; header checksum; source address; destination address; and IP options[added: ; and, if selected, type of service (ToS)].

• IPv6: Version; [deleted: traffic class; flow label;] payload length; next header; hop limit; source address; destination address; routing header; [deleted: home address options] [added: and, if selected, traffic class and/or flow label].

• ICMP: type; code; header checksum; and, [added: if selected,] [deleted: rest of] [added: other] header [added: fields] (varies based on the ICMP type and code).

• ICMPv6: type; code; and header checksum.

• TCP: Source port; destination port; sequence number; acknowledgement number; offset; reserved; TCP flags; window; checksum; urgent pointer; and TCP options.

• UDP: source port; destination port; length; and UDP checksum.

 

IPS_SBD_EXT.1.1 Test 1 is modified as follows, using the same [deleted: ...] and [added: ...] markers in place of the original red strikethrough and green underline:

Test 1: The evaluator shall use the instructions in the operational guidance to test that packet header signatures can be created and/or configured with the selected and/or configured reactions specified in IPS_SBD_EXT.1.5 for each of the attributes listed below. Each attribute shall be individually assigned to its own unique signature:

• IPv4: Version; Header Length; Packet Length; ID; IP Flags; Fragment Offset; Time to Live (TTL); Protocol; Header Checksum; Source Address; Destination Address; and IP Options[added: ; and, if selected, type of service (ToS)].

• IPv6: Version; [deleted: traffic class; flow label;] payload length; next header; hop limit; source address; destination address; routing header; [deleted: home address options] [added: and, if selected, traffic class and/or flow label].

• ICMP: Type; Code; Header Checksum; and, [added: if selected,] [deleted: Rest of] [added: other] Header [added: fields] (varies based on the ICMP type and code).

• ICMPv6: Type; Code; and Header Checksum.

• TCP: Source port; destination port; sequence number; acknowledgement number; offset; reserved; TCP flags; window; checksum; urgent pointer; and TCP options.

• UDP: source port; destination port; length; and UDP checksum.

The evaluator shall generate traffic to trigger a signature and shall then use a packet sniffer to capture traffic that ensures the reactions of each rule are performed as expected.
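As an added illustration (not part of this Technical Decision or the MOD_IPS Supporting Document), the following Python extracts, from raw packets, every header field named in the Operational Guidance and Test 1 lists above, and applies a single-field signature to each packet the way Test 1 requires one signature per attribute. It shows the two places evaluators most often get wrong when building test traffic: the IPv6 traffic class and flow label share one 32-bit word with the version, and the four ICMP bytes after the checksum (the "other header fields") only mean identifier and sequence number for echo messages. The two packets are constructed inline for the example, the checksum fields are placeholders that are extracted but not verified, and the function and field names are this example's own, not terms from the SD.

```python
import ipaddress
import struct

# Constructed sample packets (not captured traffic). Checksums are placeholders.
# 1) IPv4 (ToS 0x10, DF set) carrying an ICMP echo request, id 0x42, seq 7.
IPV4_ICMP = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 28, 0x1234, 0x4000, 64, 1, 0,
                ipaddress.IPv4Address("192.0.2.1").packed,
                ipaddress.IPv4Address("198.51.100.7").packed)
    + struct.pack("!BBHHH", 8, 0, 0, 0x0042, 7)
)
# 2) IPv6 (traffic class 0x28, flow label 0x12345) with a Routing extension
#    header (next header 43, routing type 4, 0 segments left) before a TCP SYN.
IPV6_TCP = (
    struct.pack("!IHBB16s16s", (6 << 28) | (0x28 << 20) | 0x12345, 28, 43, 64,
                ipaddress.IPv6Address("2001:db8::1").packed,
                ipaddress.IPv6Address("2001:db8::2").packed)
    + struct.pack("!BBBB4x", 6, 0, 4, 0)                       # routing header
    + struct.pack("!HHIIBBHHH", 443, 51515, 0x10000000, 0, 0x50, 0x02, 65535, 0, 0)
)


def parse_ipv4(pkt):
    """IPv4 fields from the EA list, including the selectable ToS byte."""
    vihl, tos, length, ident, ff, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    fields = {
        "version": vihl >> 4, "header_length": ihl, "packet_length": length,
        "id": ident, "ip_flags": ff >> 13, "fragment_offset": ff & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": csum,
        "source_address": str(ipaddress.IPv4Address(src)),
        "destination_address": str(ipaddress.IPv4Address(dst)),
        "ip_options": pkt[20:ihl], "tos": tos,
    }
    return fields, proto, pkt[ihl:]


def parse_ipv6(pkt):
    """IPv6 fields from the EA list. Version, traffic class and flow label are
    packed into one 32-bit word, so each is masked out rather than read as a byte."""
    word, plen, nh, hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    fields = {
        "version": word >> 28, "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF, "payload_length": plen,
        "next_header": nh, "hop_limit": hlim,
        "source_address": str(ipaddress.IPv6Address(src)),
        "destination_address": str(ipaddress.IPv6Address(dst)),
        "routing_header": None,
    }
    proto, rest = nh, pkt[40:]
    if nh == 43:  # Routing extension header: next hdr, ext len, type, segments left
        rnh, ext_len, rtype, seg_left = struct.unpack("!BBBB", rest[:4])
        fields["routing_header"] = {"routing_type": rtype, "segments_left": seg_left}
        proto, rest = rnh, rest[8 + ext_len * 8:]
    return fields, proto, rest


def parse_icmp(pkt, v6=False):
    """ICMP/ICMPv6: type, code, checksum, plus the next 4 header bytes, whose
    meaning depends on type and code (id/sequence only for echo messages)."""
    typ, code, csum, rest4 = struct.unpack("!BBH4s", pkt[:8])
    fields = {"type": typ, "code": code, "header_checksum": csum}
    if typ in ((128, 129) if v6 else (8, 0)):
        fields["id"], fields["sequence_number"] = struct.unpack("!HH", rest4)
    else:
        fields["other_header_fields"] = rest4
    return fields


def parse_tcp(pkt):
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", pkt[:20])
    off = (off_res >> 4) * 4
    return {"source_port": sport, "destination_port": dport, "sequence_number": seq,
            "acknowledgement_number": ack, "offset": off, "reserved": off_res & 0x0F,
            "tcp_flags": flags, "window": win, "checksum": csum,
            "urgent_pointer": urg, "tcp_options": pkt[20:off]}


def parse_udp(pkt):
    sport, dport, length, csum = struct.unpack("!HHHH", pkt[:8])
    return {"source_port": sport, "destination_port": dport,
            "length": length, "udp_checksum": csum}


def inspect(pkt):
    """Return {"ip": {...}, "transport": {...}} for one raw IP packet."""
    version = pkt[0] >> 4
    if version == 4:
        ip, proto, rest = parse_ipv4(pkt)
    elif version == 6:
        ip, proto, rest = parse_ipv6(pkt)
    else:
        raise ValueError("not an IPv4 or IPv6 packet")
    if proto in (1, 58):
        transport = parse_icmp(rest, v6=(proto == 58))
    elif proto == 6:
        transport = parse_tcp(rest)
    elif proto == 17:
        transport = parse_udp(rest)
    else:
        transport = {}
    return {"ip": ip, "transport": transport}


def matches(packet_fields, signature):
    """signature = {layer: {field: expected}}; all listed fields must match.
    Test 1 wants one signature per attribute, so single-field signatures are typical."""
    return all(packet_fields[layer].get(name) == value
               for layer, wanted in signature.items() for name, value in wanted.items())


if __name__ == "__main__":
    for pkt in (IPV4_ICMP, IPV6_TCP):
        print(inspect(pkt))
    print(matches(inspect(IPV4_ICMP), {"ip": {"tos": 0x10}}))
```

Each signature in a real Test 1 run would be configured on the TOE and its reaction observed with a sniffer; the parser above is only a way to confirm that the generated test packets actually carry the field value the signature is keyed on before they are sent.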

Justification

See issue description.
