NIAP: View Technical Decision Details
TD0417:  Updates to FDP_IFF.1 and FIA_UAU.2

Publication Date
2019.04.30

Protection Profiles
EP_ESC_V1.0

Other References
FDP_IFF.1, FIA_UAU.2.1/TC, FIA_UAU.2/VVoIP

Issue Description

FDP_IFF.1, FIA_UAU.2.1/TC and FIA_UAU.2/VVoIP have test assurance activities that indicate the tests "...shall be repeated in both IPv4 and IPv6 environment".  However, the NDcPP does not require IPv6 support.

Also, TD0137 indicates that IPsec is not required and corrects an issue in the FIA_X509_EXT.1 requirement where IPsec was being required. The FIA_UAU.2/TC Assurance Activities, however, still refer to IPsec in defining expected results.

Resolution

The FDP_IFF.1 and FIA_UAU.2 Assurance Activities in the ESC EP are modified as follows (marked with strikethroughs and underlines):

FDP_IFF.1

Assurance Activity

Test

The evaluator shall perform one or more of the following tests depending on the protocols that the TOE claims to support. For each test performed, the evaluator shall conduct the test in both an IPv4 and an IPv6 for each supported environment (IPv4 and/or IPv6).

FIA_UAU.2.1/TC

Assurance Activity

Test

The following testing shall be repeated in both an IPv4 and an IPv6 for each supported environment (IPv4 and/or IPv6):

The evaluator shall deploy the TOE in an environment with another ESC and configure both ESCs to support an encrypted IPsec trunk to one another, where the trunk is encrypted using the security protocol selected in FIA_X509_EXT.2.1. The evaluator shall also deploy a packet sniffer on the IPsec encrypted trunk channel. The evaluator shall perform the following tests:


Test 1: The evaluator shall configure the TOE to accept IPsec encrypted trunk communications from the remote ESC based on username, password, and IP address. The evaluator shall then use the remote ESC to connect to the TOE and verify that the IPsec encrypted trunk is successfully established. The evaluator shall use packet captures to verify that IPsec encrypted traffic is transmitted between the TOE and the remote ESC.

Test 2: The evaluator shall repeat test 1 but enter an invalid username/password when attempting to authenticate. The evaluator shall observe that the IPsec encrypted trunk is not successfully established due to invalid credentials.

Test 3: The evaluator shall repeat test 1 but configure the TOE to accept IPsec encrypted trunk communications from a different IP address than what is assigned to the remote ESC. The evaluator shall then attempt to connect to the TOE using the remote ESC with valid credentials and observe that the IPsec encrypted trunk is not successfully established due to invalid IP address.

FIA_UAU.2.1/VVoIP

Assurance Activity

Test

The following testing shall be repeated in both an IPv4 and an IPv6 for each supported environment (IPv4 and/or IPv6):

 

Justification

See issue description.

 
 