Assurance Continuity - Update IOS-XE Version 17.3 to Version 17.6
Date of Maintenance Completion:
2022.07.29
CC Certificate
Product Type: Virtual Private Network, Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier:
· collaborative Protection Profile for Network Devices Version 2.2e
· PP-Module for Virtual Private Network (VPN) Gateways Version 1.1
Original Evaluated TOE: 2021.12.28 - Cisco Aggregation Services Router 1000 Series (ASR1K), Cisco Cloud Services Router 1000V (CSR1000V), Cisco Integrated Services Router 1100 Series (ISR1100), Cisco Integrated Services Router 4200 Series (ISR4K) running IOS-XE 17.3
Administrative Guide: Cisco Aggregation Services Router 1000 Series (ASR1K), Cisco Integrated Services Router 1100 Series (ISR1100), Cisco Integrated Services Router 4200 Series (ISR4K) running IOS-XE Version 17.3 CC Configuration Guide
Administrative Guide: Cisco Cloud Services Router 1000V (CSR1000V) running IOS-XE Version 17.3 CC Configuration Guide
Please note:
The above files are for the Original Evaluated TOE.
Consequently, they do not refer to this maintained version, although they apply to the maintained version.
Security Target
Please note:
This serves as an addendum to the VR for the Original Evaluated TOE.
* This is the Security Target (ST) associated with this latest Maintenance Release.
Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product. Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate. Such assurance can only be gained through re-evaluation.
Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is minor and that independent evaluator analysis was not necessary. A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original Validation Report and Security Target. Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.
Product Description
Hardware Changes: No changes to hardware other than removal of the CSR1000V from the evaluated configuration.
· Evaluated TOE Hardware Models: Cisco Aggregation Services Router 1000 Series (ASR1K), Cisco Cloud Services Router 1000V (CSR1000V), Cisco Integrated Services Router 1100 Series (ISR1100), Cisco Integrated Services Router 4200 Series (ISR4K)
· Changed TOE Hardware Models: Cisco Aggregation Services Router 1000 Series (ASR1K), Cisco Integrated Services Router 1100 Series (ISR1100), Cisco Integrated Services Router 4200 Series (ISR4K)
Software Changes:
· Evaluated TOE Software Version: IOS-XE 17.3
· Changed TOE Software Version: IOS-XE 17.6
The TOE version updates include 37 new features and 219 bug fixes that have been found either to have no security relevance or to fall outside the scope of the evaluated functionality. Of these 219 bug fixes:
· Related to features/components outside the CC evaluated configuration: 114
· Related to implementation of functionality that is not claimed in the TSF: 33
· Related to ensuring that the TOE functions as expected, but below the level of visibility to assurance activities: 72
Information on the specific updates can be found in detail in Appendix B and Appendix C of the IAR.
The following is a summary of the new features introduced with the TOE software update:
· Optional features not part of the evaluated configuration, and disabled by default
  o Network-Based Application Recognition (NBAR) support
  o Distributed Anycast Gateways (DAG)
  o Performance Management (PM)
  o Micro-BFD support
  o Dynamic ARP Inspection (DAI)
  o IPv6 First Hop Security
  o Dynamic Core Allocation
· Features that add support for functionality that does not impact TOE security functions
  o Performance related enhancements including added support for L2VPN, L3VPN and service-group together on port-channel interfaces in QOS Policies
  o Support for global address within static NAT and static PAT
  o Enhancements to the BGP routing protocol
  o Added support for Stateless Static NAT
  o Enhancements to the IS-IS routing protocol
  o Enhancements to the punt policing and monitoring feature
  o Enhancements to IPv6 Mroutes
  o Enhancements to EVPN VXLAN
  o Added support for Segment Routing Flexible Algorithm with IS-IS
  o Enhancements to interface speed
  o Enhancements to SR-TE Policy
  o Added support for Tunnel Path MTU discovery on MPLS-enabled GRE tunnel
  o Enhancements to show commands
  o Added support for Asymmetric Lease for DHCPv6 Relay Prefix Delegation
  o Added support for System Reports
  o Enhancements to breakout cable support
· Features that pertain to functionality not included in the Common Criteria evaluation
  o Configuring Smart Licensing using Web UI – Web UI is not included
  o Configuring Encapsulated Remote Switching Port Analyzer (ERSPAN) – Cisco DNA is not included
  o Secure Factory Reset – not included
  o IEEE802.1ad Support on Port-channel and Subinterfaces – IEEE802.1ad is not included
  o Layer 2 Protocol Tunneling on Ports – Layer 2 Protocol Tunneling is not included
  o Consent Token Authorization Process for Dev Key Access – Consent Token Authorization Process is not included
  o L2VPN Traffic Steering Using SR-TE Preferred Path – VPWS or VPLS are not included
  o Zone-Based Firewall Reclassification – Zone-Based Firewall (ZBFW) is not included
Changes to the IT Environment: None
Changes to the Development Environment: None
Vendor Information
Cisco Systems, Inc.
Cert Team
+1 410-309-4862
certteam@cisco.com
cisco.com