Archived
TD0417: Updates to FDP_IFF.1 and FIA_UAU.2
Publication Date
2019.04.30
Protection Profiles
EP_ESC_V1.0
Other References
FDP_IFF.1, FIA_UAU.2.1/TC, FIA_UAU.2/VVoIP
Issue Description
FDP_IFF.1, FIA_UAU.2.1/TC and FIA_UAU.2/VVoIP have test assurance activities that indicate the tests "...shall be repeated in both IPv4 and IPv6 environment". However, the NDcPP does not require IPv6 support. Also, TD0137 indicates that IPsec is not required and corrects an issue in the FIA_X509_EXT.1 requirement where IPsec was being required. The FIA_UAU.2/TC assurance activities, however, still refer to IPsec in defining expected results.
Resolution
The FDP_IFF.1 and FIA_UAU.2 Assurance Activities in the ESC EP are modified as follows (marked with strikethroughs and underlines):

FDP_IFF.1
Assurance Activity
Test
The evaluator shall perform one or more of the following tests depending on the protocols that the TOE claims to support. For each test performed, the evaluator shall conduct the test in both an IPv4 and an IPv6 for each supported environment (IPv4 and/or IPv6).

FIA_UAU.2.1/TC
Assurance Activity
Test
The following testing shall be repeated in both an IPv4 and an IPv6 for each supported environment (IPv4 and/or IPv6):
The evaluator shall deploy the TOE in an environment with another ESC and configure both ESCs to support an encrypted IPsec trunk to one another, where the trunk is encrypted using the security protocol selected in FIA_X509_EXT.2.1. The evaluator shall also deploy a packet sniffer on the IPsec encrypted trunk channel. The evaluator shall perform the following tests:
Test 2: The evaluator shall repeat test 1 but enter an invalid username/password when attempting to authenticate. The evaluator shall observe that the IPsec encrypted trunk is not successfully established due to invalid credentials.
Test 3: The evaluator shall repeat test 1 but configure the TOE to accept IPsec encrypted trunk communications from a different IP address than what is assigned to the remote ESC. The evaluator shall then attempt to connect to the TOE using the remote ESC with valid credentials and observe that the IPsec encrypted trunk is not successfully established due to invalid IP address.

FIA_UAU.2.1/VVoIP
Assurance Activity
Test
The following testing shall be repeated in both an IPv4 and an IPv6 for each supported environment (IPv4 and/or IPv6):
Justification
See issue description.