NIAP: View Technical Decision Details
Archived TD0013:  AVA_VAN.1 in VPN GW EP

Publication Date
2014.09.15

Protection Profiles
PP_ND_TFFW_EP_V1.0, PP_ND_VPN_GW_EP_v1.1

Other References
PP_ND_VPN_GW_EP_V1.1, PP_ND_TFFW_EP_V1.0

Issue Description

AVA_VAN.1 in the NDPP Extended Package VPN Gateway (VPN GW EP) reads as follows:

The evaluator shall generate network packets that cycle through all of the values for attributes, Type, Code, and Transport Layer Protocol, that are undefined by the RFC for each of the protocols, ICMPv4, ICMPv6, IPv4, and IPv6. For example, ICMPv4 has an eight-byte field for Type and an eight-byte field for the Code. Only 21 Types are defined in the RFC (see table 4-2), but there are 256 possible value. Each Type has a Code associated with it, the number of RFC defined Codes varies based on the Type. The evaluator is required to construct packets that exercise each possible value not defined in the RFC (the defined values are already tested in FPF_RUL_EXT.1.10) of Type and Code (including all possible combinations) and target each distinct interface type to determine that the TOE handles these packets appropriately. Since none of these packets will match a rule, or belong to an allowed session the packets should be dropped. Since there are no requirements that the firewall audit a packet being dropped under these circumstances, the evaluator shall ensure the firewall does not allow these packets to flow through the TOE.

Neither Table 4-2 nor FPF_RUL_EXT.1.10 is found in the NDPP Extended Package VPN Gateway document. The quoted paragraph also appears word-for-word in the Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall (FW EP) document, with the exception that FFW_RUL_EXT.1.10 is written in place of FPF_RUL_EXT.1.10.

Resolution

Typos and copy/paste errors were made when AVA_VAN.1 was copied from the FW EP to the VPN GW EP. FPF_RUL_EXT.1.10 should be FPF_RUL_EXT.1.7, Table 4-2 should be Table 9-1 in Appendix E, and ICMPv4 and ICMPv6 should be removed, as there are no ICMP requirements in the VPN GW EP. Also, protocol numbers for IPv6 extension headers should be removed from Table 9-1, as specified in TD0007, and excluded from testing. With these corrections, AVA_VAN.1 in the VPN GW EP should read as follows:

The evaluator shall generate network packets that cycle through all of the values for the Transport Layer Protocol attribute that are undefined by the RFCs for IPv4 and IPv6. For example, IPv4 has an eight-bit field for Transport Layer Protocol. Only 100 Transport Layer Protocol values are defined in the RFC for IPv4 (see Table 9-1 in Appendix E), but there are 256 possible values. The evaluator is required to construct packets that exercise each possible value not defined in the RFC (the defined values are already tested in FPF_RUL_EXT.1.7) of Transport Layer Protocol (including all possible combinations) and target each distinct interface type to determine that the TOE handles these packets appropriately. Since none of these packets will match a rule, or belong to an allowed session the packets should be dropped. Since there are no requirements that the VPN Gateway audit a packet being dropped under these circumstances, the evaluator shall ensure the VPN Gateway does not allow these packets to flow through the TOE. Note that for IPv6, protocol numbers 0 (Hop-by-Hop options), 60 (Destination options), 44 (Fragment), 51 (AH), and 50 (ESP) are extension header numbers rather than transport layer protocol numbers and should be excluded from testing.
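As an added example (not part of the TD or of the Protection Profile), the following Python enumerates the undefined Transport Layer Protocol values the corrected text asks the evaluator to cycle through, applying the IPv6 extension header exclusion, and builds minimal well-formed IPv4/IPv6 headers carrying each value so that the undefined protocol number is the only anomaly the TOE sees. The set of RFC-defined values from Table 9-1 is an input the evaluator supplies; the table is not reproduced here, and the short list in the code is a constructed stand-in.

```python
"""Test-set enumeration and header construction for the corrected AVA_VAN.1 text."""
import struct
from typing import Iterable, List

# IPv6 extension header numbers named in the TD; they are not transport
# protocols and are removed from the IPv6 test set.
IPV6_EXTENSION_HEADERS = {0, 60, 44, 51, 50}

# Constructed stand-in for the RFC-defined values of Table 9-1 (assumption:
# the evaluator replaces this with the full table from Appendix E).
CONSTRUCTED_DEFINED_VALUES = [1, 2, 6, 17, 41, 47, 50, 51, 58, 132]


def undefined_protocol_values(defined: Iterable[int], ipv6: bool = False) -> List[int]:
    """Return every Protocol / Next Header value 0-255 that is not RFC-defined.

    For IPv6 the extension header numbers are also excluded, as the TD requires.
    """
    excluded = set(defined)
    if ipv6:
        excluded |= IPV6_EXTENSION_HEADERS
    return [v for v in range(256) if v not in excluded]


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(protocol: int, src: bytes, dst: bytes, payload_len: int = 0) -> bytes:
    """20-byte IPv4 header with a valid checksum; only the Protocol field is unusual."""
    ver_ihl, tos, ident, flags_frag, ttl = (4 << 4) | 5, 0, 0x1234, 0x4000, 64
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + payload_len, ident,
                      flags_frag, ttl, protocol, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipv6_header(next_header: int, src: bytes, dst: bytes, payload_len: int = 0) -> bytes:
    """40-byte IPv6 header; Next Header carries the value under test (no checksum)."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64, src, dst)


def build_test_headers(defined: Iterable[int], ipv6: bool, src: bytes, dst: bytes) -> List[bytes]:
    """One header per value in the test set, ready for the evaluator's sender."""
    make = ipv6_header if ipv6 else ipv4_header
    return [make(v, src, dst) for v in undefined_protocol_values(defined, ipv6)]
```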
Justification