NIAP: View Technical Decision Details
NIAP/CCEVS
TD0800:  Updated NIT Technical Decision for IPsec IKE/SA Lifetimes Tolerance

Publication Date
2023.11.13

Protection Profiles
CPP_ND_V2.2E

Other References
FCS_IPSEC_EXT.1.7, FCS_IPSEC_EXT.1.8, CPP_ND_V2.2-SD

Issue Description

The NIT has issued a technical decision for IPsec IKE/SA Lifetimes Tolerance.

TD0633 modifies Test 2 in Evaluation Activities for FCS_IPSEC_EXT.1.7 and FCS_IPSEC_EXT.1.8, but potentially leaves testing information out in NIT decision and TD0633.

Resolution

TD0633 is archived and replaced with the following:

Guidance Documentation requirements for FCS_IPSEC_EXT.1.7 shall be modified as follows, with red highlighted strikethroughs denoting deletion and green highlighted underlines denoting additions:

The evaluator shall verify that the values for SA lifetimes can be configured and that the instructions for doing so are located in the guidance documentation. If time-based limits are supported, the evaluator ensures that the Administrator is able to configure Phase 1 SA values for 24 hours. configuring the limit may lead to a rekey no later than the specified limit. For some implementations, it may be necessary, though, to configure the TOE with a lower time value to ensure a rekey is performed before the maximum SA lifetime of 24 hours is exceeded (e.g. configure a time value of 23h 45min to ensure the actual rekey is performed no later than 24h). The evaluator shall verify that the guidance documentation allows the Administrator to configure the Phase 1 SA value of 24 hours or provides sufficient instruction about the time value to configure to ensure the rekey is performed no later than the maximum SA lifetime of 24 hours. It is not permitted to configure a value of 24 hours if that leads to an actual rekey after more than 24 hours. Currently there are no values mandated for the number of bytes; the evaluator just ensures that this can be configured if selected in the requirement.

Guidance Documentation requirements for FCS_IPSEC_EXT.1.8 shall be modified as follows, with red highlighted strikethroughs denoting deletion and green highlighted underlines denoting addition:

The evaluator shall verify that the values for SA lifetimes can be configured and that the instructions for doing so are located in the guidance documentation. If time-based limits are supported, the evaluator ensures that the Administrator is able to configure Phase 2 SA values for 8 hours configuring the limit may lead to a rekey no later than the specified limit. For some implementations, it may be necessary, though, to configure the TOE with a lower time value to ensure a rekey is performed before the maximum SA lifetime of 8 hours is exceeded (e.g. configure a time value of 7h 45min to ensure the actual rekey is performed no later than 8h). The evaluator shall verify that the guidance documentation allows the Administrator to configure the Phase 2 SA value of 8 hours or provides sufficient instruction about the time value to configure to ensure the rekey is performed no later than the maximum SA lifetime of 8 hours. It is not permitted to configure a value of 8 hours if that leads to an actual rekey after more than 8 hours. Currently there are no values mandated for the number of bytes; the evaluator just ensures that this can be configured if selected in the requirement.

Test requirements for FCS_IPSEC_EXT.1.7 and FCS_IPSEC_EXT.1.8 shall be modified as follows, with red highlighted strikethroughs denoting deletion and green highlighted underlines denoting addition:

Test 2 for FCS_IPSEC_EXT.1.7 shall be modified as follows:

If ‘length of time’ is selected as the SA lifetime measure, the evaluator shall configure a maximum lifetime of no later than 24 hours for the Phase 1 SA following the guidance documentation. The evaluator shall configure a test peer with a Phase 1 SA lifetime that exceeds the Phase 1 SA lifetime on the TOE. The evaluator shall establish a SA between the TOE and the test peer, maintain the Phase 1 SA for 24 hours, and determine that a new Phase 1 SA is negotiated on or before 24 hours has elapsed. The evaluator shall verify that the TOE initiates a Phase 1 negotiation.

Test 2 for FCS_IPSEC_EXT.1.8 shall be modified as follows, with red highlighted strikethroughs denoting deletion and green highlighted underlines denoting addition:

If ‘length of time’ is selected as the SA lifetime measure, the evaluator shall configure a maximum lifetime of no later than 8 hours for the Phase 2 SA following the guidance documentation. The evaluator shall configure a test peer with a Phase 2 SA lifetime that exceeds the Phase 2 SA lifetime on the TOE. The evaluator shall establish a SA between the TOE and the test peer, maintain the Phase 1 SA for 8 hours, and determine that once a new Phase 2 SA is negotiated when or before 8 hours has lapsed. The evaluator shall verify that the TOE initiates a Phase 2 negotiation.

 

Justification

The NIT changes are not replacing the entire test, and just modifying the portions that did change, but it could be made more clear.

For more information, please see the NIT Decision.

 
 