NIAP: View Technical Decision Details
NIAP/CCEVS
Archived TD0021:  Update to Limits on SA Lifetimes for IKE v1 and IKE v2

Publication Date
2014.11.07

Protection Profiles
PP_WLAN_AS_V1.0

Other References
PP_WLAN_AS_V1.0, requirement FCS_IPSEC_EXT.1.4

Issue Description

The WLAN PP mandates that IKEv1 SA lifetimes be limited by both the number of packets and time. Once the limit is reached, the SA must be closed or re-negotiated. However, newer PPs such as NDPPv1.1 Errata #2, VPN GW EP 1.1 and the IPsec VPN client PP stipulate that the TOE can limit IKE v1 SA lifetime based on either number of packets/number of bytes OR length of time. Can the same approach be taken for WLAN?

Resolution

FCS_IPSEC_EXT.1.4 can be updated to allow the TOE to limit both IKE v1 and IKE v2 SA lifetimes based on either number of packets/number of bytes OR length of time. The modified requirement will read as follows:

***
FCS_IPSEC_EXT.1.4: The TSF shall ensure that [selection: IKEv1 SA lifetimes are able to be limited by [selection: number of packets/number of bytes; length of time, where the time values can be limited to: 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs]; IKEv2 SA lifetimes can be configured by an administrator based on [selection: number of packets/number of bytes; length of time, where the time values can be limited to: 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs]].
***

No modifications to the Application Note or Assurance Activity for FCS_IPSEC_EXT.1.4 were necessary.
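As an added illustration, not part of the TD or of the PP text, the following Python model captures the selection in the modified FCS_IPSEC_EXT.1.4: a lifetime policy satisfies the requirement when it bounds an SA by traffic volume (packets or bytes) or by time within the stated cap, and a live SA is torn down or rekeyed as soon as whichever limit is configured is reached. The class and field names are assumptions; the 24-hour and 8-hour values are the ones in the requirement, interpreted here as upper bounds on the configured time limit.

```python
from dataclasses import dataclass
from typing import Optional

# Time caps named in FCS_IPSEC_EXT.1.4 (as modified by TD0021), in seconds.
MAX_LIFETIME_SECONDS = {1: 24 * 3600, 2: 8 * 3600}


@dataclass
class SALifetimePolicy:
    """Limits an administrator has configured for one SA phase (names are assumptions)."""
    phase: int                          # 1 = IKE (Phase 1) SA, 2 = IPsec (Phase 2) SA
    max_seconds: Optional[int] = None   # time-based limit, or None if not configured
    max_bytes: Optional[int] = None     # volume-based limit, or None
    max_packets: Optional[int] = None   # volume-based limit, or None

    def is_compliant(self) -> bool:
        """True if a volume limit is set, or a time limit no larger than the PP cap is set."""
        has_volume_limit = self.max_bytes is not None or self.max_packets is not None
        has_time_limit = (self.max_seconds is not None
                          and 0 < self.max_seconds <= MAX_LIFETIME_SECONDS[self.phase])
        return has_volume_limit or has_time_limit


@dataclass
class SecurityAssociation:
    """Counters for one live SA; the TSF consults them before each use."""
    policy: SALifetimePolicy
    established_at: float   # seconds since epoch when the SA came up
    bytes_seen: int = 0
    packets_seen: int = 0

    def record(self, nbytes: int) -> None:
        """Account for one protected packet of nbytes."""
        self.bytes_seen += nbytes
        self.packets_seen += 1

    def expiry_reason(self, now: float) -> Optional[str]:
        """Return which configured limit has been reached, or None if the SA may still be used."""
        p = self.policy
        if p.max_bytes is not None and self.bytes_seen >= p.max_bytes:
            return "bytes"
        if p.max_packets is not None and self.packets_seen >= p.max_packets:
            return "packets"
        if p.max_seconds is not None and now - self.established_at >= p.max_seconds:
            return "time"
        return None
```

A non-None result from expiry_reason is the point at which the TOE must close or re-negotiate the SA.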

Justification

The newer PPs, such as the IPsec VPN client PP, allow SA lifetime limits based on either number of packets/number of bytes or time for both IKE v1 and IKE v2. The WLAN AS PP is one of the older PPs and needs updating to reflect more current practice.
