The NIT has issued a technical decision for making CBC cipher suites optional in IPsec.

To align with NIT interpretation # 201707, FCS_IPSEC_EXT.1.4 and FCS_IPSEC_EXT.1.6 shall therefore be modified as follows:

FCS_IPSEC_EXT.1.4 shall therefore be modified as follows:

FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using the cryptographic algorithms [selection: AES-CBC-128 (specified by RFC 3602), AES-CBC-256 (specified by RFC 3602), AES-GCM-128 (specified in RFC 4106), AES-GCM-256 (specified in RFC 4106)] together with a Secure Hash Algorithm (SHA)-based HMAC."

FCS_IPSEC_EXT.1.6 shall be modified as follows:

FCS_IPSEC_EXT.1.6 The TSF shall ensure the encrypted payload in the [selection: IKEv1, IKEv2] protocol uses the cryptographic algorithms [selection: AES-CBC-128 (as specified in RFC 3602), AES-CBC-256 (as specified in RFC 3602), AES-GCM-128 (as specified in RFC 5282), AES-GCM-256 (as specified in RFC 5282)].

The TSS requirements for FCS_IPSEC_EXT.1.4 in NDSD V1.0 shall be modified as follows:

The evaluator shall examine the TSS to verify the TSS describes all cryptographic algorithms selected in FCS_IPSEC_EXT.1.4. In addition, the evaluator ensures that the SHA-based HMAC algorithm conforms to the algorithms specified in FCS_COP.1(4) Cryptographic Operations (for keyed-hash message authentication).

The TSS requirements for FCS_IPSEC_EXT.1.6 in NDSD V1.0 shall be modified as follows:

The evaluator shall ensure the TSS identifies the algorithms used for encrypting the IKEv1 and/or IKEv2 payload, and that all cryptographic algorithms selected in FCS_IPSEC_EXT.1.6 are included in the TSS discussion.

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201707.pdf

The NIT acknowledges that there are some security related concerns regarding AES-CBC mode and therefore supports making AES-128-CBC and AES-256-CBC optional for IKE and ESP.