Compliant Product - Nokia 7x50 SR OS 20.10.R4 for 7750 SR-7, 7750 SR-12, 7750 SR-12e, 7750 SR-1e, 7750 SR-2e, 7750 SR-3e, 7750 SR-a4, and 7750 SR-a8 with maxp10-10/1Gb-msec-sfp+ and me12-10/1gb-sfp+ MDAs
Certificate Date:
2021.10.22
CC Certificate Validation Report Number: CCEVS-VR-VID11182-2021 Product Type: Network Device Conformance Claim: Protection Profile Compliant PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e Extended Package for MACsec Ethernet Encryption Version 1.2 CC Testing Lab: Acumen Security ![]() ![]() ![]() Assurance Activity ![]() Administrative Guide ![]()
Product Description
The TOE portfolio delivers high-performance, scaling and flexibility to support a full array of IP and MPLS services and functions for service provider, web scale and enterprise networks. The 7750 SR family includes a wide range of physical platforms that share a mutual architecture and feature set. This allows Nokia customers to select the platform that best addresses their unique business goals and fulfills their scale, density, space, power, and value-added service requirements without compromising on quality or features. The 7750 series are chassis-based routers. The TOE supports a full array of network functions and services, achieving scale and efficiency without compromising versatility. It provides highly available service delivery mechanisms that maximize network stability and minimize service interruptions. Every Nokia 7750 series routing appliance is a whole routing system that provides a variety of high-speed interfaces (only Ethernet is within scope of this evaluation) for various scale of networks and various network applications. The TOE utilizes a common Nokia SR OS firmware, features, and technology for compatibility across all platforms. Nokia SR OS firmware is mainly responsible for all the functionalities and services provided by the routers. The routers can be accessed either via a local console or via a network connection that is protected using the SSH protocol. Each time a user accesses the routers, either via local console terminal connection or from the network remotely using SSH, the user must successfully authenticate with the correct credentials. The TOE also supports MACsec functionality between compatible Nokia MACsec peer devices using the Media Dependent Adapter (MDA). The communication between these devices includes frames for ARP and Ethernet Control frames. In addition, it includes Destination MAC and Source MAC addresses in MACsec and MACsec Key Agreement (MKA) frames, which are not protected. The MDAs are pluggable adapter cards. They provide physical interface connectivity to the devices. MDAs can be different in terms of connectivity and density configuration settings. Additionally, the MDA modules vary by chassis. Regardless, they provide the same functionality and security for the related chassis. MDAs support Ethernet and multiservice interfaces. For this evaluation, the following is true:
MKA protocol uses the Connectivity Association Key (CAK) to derive transient session keys called Secure Association Keys (SAKs). SAKs and other MKA parameters are required to sustain communication over the secure channel and to perform encryption and other MACsec security functions. SAKs, along with other essential control information, are distributed in MKA protocol control packets, also referred to as MKPDUs. MACsec can be deployed in two modes:
In the evaluated configuration, MACsec is configured for individual point-to-point MACsec peers over an point-to-multipoint Ethernet link. A pair of MACsec devices can be connected via bridge or a direct connection. In order to establish the secured channel, the MACsec devices rely on a CAK and utilize the MKA protocol to make and receive the successful secure connection. In order to determine an authorized peer, both devices must first exchange an MKA frame, these devices must agree upon a shared key and MACsec cipher suite in order to set up transmit Security Associations (SA). Once the connections are established, the MACsec frames will be transmitted between devices.
Evaluated Configuration
In the evaluated configuration, MACsec is configured for individual point-to-point MACsec peers over an point-to-multipoint Ethernet link. A pair of MACsec devices can be connected via bridge or a direct connection. In order to establish the secured channel, the MACsec devices rely on a CAK and utilize the MKA protocol to make and receive the successful secure connection. In order to determine an authorized peer, both devices must first exchange an MKA frame, these devices must agree upon a shared key and MACsec cipher suite in order to set up transmit Security Associations (SA). Once the connections are established, the MACsec frames will be transmitted between devices. The TOE is comprised of the following models: Table 1 –TOE Physical Boundary Components
|