NIAP: View Technical Decision Details
Archived TD0805:  MACsec Data Delay Protection

Publication Date
2024.01.17

Protection Profiles
MOD_MACSEC_V1.0

Other References
FCS_MKA_EXT.1.4, FPT_DDP_EXT.1

Issue Description

FPT_DDP_EXT.1.1 is meant to be optional but an inconsistency with FCS_MKA_EXT.1.4 currently makes it mandatory.

Resolution

This TD has been superseded by TD0817 and is now archived.

 

FCS_MKA_EXT.1.4 in MOD_MACSEC_V1.0 is modified as follows, with green highlighted underlines denoting addition:

FCS_MKA_EXT.1.4: The TSF shall enforce an MKA Lifetime Timeout limit of 6.0 seconds and [selection: MKA Hello Time limit of 2 seconds, MKA Bounded Hello Time limit of 0.5 seconds].

Application Note: The key server may also distribute a group CAK established by pairwise CAKs.

If optional requirement FPT_DDP_EXT.1 is claimed, then "MKA Bounded Hello Time limit of 0.5 seconds" must be selected.

FPT_DDP_EXT.1 Application Note in MOD_MACSEC_V1.0 is added as follows, with green highlighted underlines denoting addition:

Application Note: if FPT_DDP_EXT.1 is claimed, then the corresponding selection of "MKA Bounded Hello Time limit of 0.5 seconds" must be made in FCS_MKA_EXT.1.4.

FIA_MKA_EXT.1.4 Test 13 in the MOD_MACSEC_V1.0 SD is modified as follows, with green highlighted underlines denoting additions:

Test 13: The evaluator shall send a fresh SAK that includes both peers as active participants. The evaluator shall start an MKA session between the TOE and the two active participant peers and send MKPDUs. The evaluator shall verify from packet captures that MKPDUs are sent at least once every two seconds or every half-second in accordance with the SFR selection.
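
The interval check in Test 13, together with the selection dependency on FPT_DDP_EXT.1, can be sketched as follows. This is an added example, not part of the TD or the Supporting Document; the frame tuple layout, the selection key names, the `tolerance` parameter and the sample capture are assumptions made for illustration.

```python
# Added example: checks constructed capture records against the Hello Time limit.
EAPOL_ETHERTYPE = 0x888E  # IEEE 802.1X EAPOL frames
EAPOL_MKA_TYPE = 5        # EAPOL packet type carrying MKPDUs

# Limits in seconds, from the FCS_MKA_EXT.1.4 selection (key names are assumed).
HELLO_LIMITS = {"hello": 2.0, "bounded_hello": 0.5}

def selection_consistent(selection, ddp_claimed):
    """Claiming FPT_DDP_EXT.1 requires the 0.5 s Bounded Hello Time selection."""
    if selection not in HELLO_LIMITS:
        return False
    return selection == "bounded_hello" or not ddp_claimed

def mkpdu_gaps(frames, toe_mac):
    """Gaps in seconds between consecutive MKPDUs transmitted by the TOE."""
    times = sorted(
        ts for ts, src, ethertype, eapol_type in frames
        if src == toe_mac
        and ethertype == EAPOL_ETHERTYPE
        and eapol_type == EAPOL_MKA_TYPE
    )
    return [round(b - a, 6) for a, b in zip(times, times[1:])]

def check_test13(frames, toe_mac, selection, ddp_claimed, tolerance=0.0):
    """Return (passed, reason). tolerance allows for capture jitter (assumed)."""
    if not selection_consistent(selection, ddp_claimed):
        return False, "selection inconsistent with FPT_DDP_EXT.1 claim"
    gaps = mkpdu_gaps(frames, toe_mac)
    if not gaps:
        return False, "fewer than two MKPDUs from the TOE in the capture"
    limit, worst = HELLO_LIMITS[selection], max(gaps)
    if worst > limit + tolerance:
        return False, f"largest gap {worst} s exceeds {limit} s"
    return True, f"largest gap {worst} s within {limit} s"

# Constructed sample: (timestamp, source MAC, EtherType, EAPOL packet type).
TOE, PEER1, PEER2 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
CAPTURE = [
    (10.00, TOE, 0x888E, 5),
    (10.10, PEER1, 0x888E, 5),
    (10.20, TOE, 0x88E5, None),   # MACsec-protected data frame, not an MKPDU
    (10.48, TOE, 0x888E, 5),
    (10.97, TOE, 0x888E, 5),
    (11.00, PEER2, 0x888E, 5),
    (12.87, TOE, 0x888E, 5),      # 1.9 s after the previous TOE MKPDU
]

if __name__ == "__main__":
    for sel, ddp in [("hello", False), ("bounded_hello", True), ("hello", True)]:
        print(sel, ddp, check_test13(CAPTURE, TOE, sel, ddp))
```

Only MKPDUs transmitted by the TOE are measured; peer MKPDUs and data frames in the same capture are filtered out before the gaps are computed.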

 

Justification

See issue description.
