TD0824: Aligning MOD_VPNGW 1.3 with NDcPP 3.0E
Publication Date
2024.04.25
Protection Profiles
MOD_VPNGW_v1.3
Other References
Section 1.1, FCS_IPSEC_EXT.1.5, FCS_IPSEC_EXT.1.13, FPT_TST_EXT.1.1, FPT_TST_EXT.1.2, FPT_TUD_EXT.1.3
Issue Description
Several SFRs were updated in the CPP_ND_V3.0E that must be updated in MOD_VPNGW_V1.3 to maintain compatibility.
Resolution
The following is added to the bulleted list of Base-PPs in Section 1.1 Overview of MOD_VPNGW_V1.3:
The following is added to the bulleted list of Base-PPs in Section 1.1 Technology Area and Scope of Supporting Document of MOD_VPNGW_V1.3-SD:
The Application Note for FCS_IPSEC_EXT.1.5 in Section 5.1.1.1 of MOD_VPNGW_V1.3 is modified as follows, with green highlighted underlines denoting additions:
Application Note: This element is unchanged from its definition in the Base-PP when CPP_ND_V2.2E is used. When CPP_ND_V3.0E is the Base-PP, the element in Section 5.1.2.1 should be used, instead.
FCS_IPSEC_EXT.1.13 in Section 5.1.1.1 of MOD_VPNGW_V1.3 is modified as follows, with green highlighted underlines denoting that the text has been bolded:
FCS_IPSEC_EXT.1.13 The TSF shall ensure that [selection: IKEv1, IKEv2] protocols perform peer authentication using [selection: RSA, ECDSA] that use X.509v3 certificates that conform to RFC 4945 and [selection: Pre-shared Keys that conform to RFC 8784, Pre-shared Keys transmitted via EAP-TTLS, EAP-TLS, no other method].
The Application Note for FPT_TST_EXT.1.1 in Section 5.1.1.4 of MOD_VPNGW_V1.3 is modified as follows, with green highlighted underlines denoting additions:
Application Note: This SFR is modified from its definition in the NDcPP by requiring noise source health tests to be performed regardless of what other testing is claimed. It is expected that the behavior of this testing will be described in the entropy documentation. Other self-tests may be defined at the ST author’s discretion; note that the Application Note in the NDcPP regarding what other self-tests are expected is still applicable here. When CPP_ND_V3.0E is the Base-PP, the element in Section 5.1.2.2 should be used, instead.
The Application Note for FPT_TUD_EXT.1.3 in Section 5.1.1.4 of MOD_VPNGW_V1.3 is modified as follows, with green highlighted underlines denoting additions:
Application Note: The NDcPP provides an option for how firmware/software updates can be verified but this PP-Module requires the digital signature method to be selected at minimum. Note that all other options specified in the NDcPP for this component are permitted so it is possible for the TSF to use code signing certificates to validate updates, in which case FPT_TUD_EXT.2 from the Base-PP is also included in the ST. When CPP_ND_V3.0E is the Base-PP, the element in Section 5.1.2.2 should be used, instead.
Section 5.1.2 Further Modified SFRs and its associated subsections are added to MOD_VPNGW_V1.3 as follows:
5.1.2 Further Modified SFRs
The SFRs listed in this section are defined in the NDcPP V3.0E and relevant to the secure operation of the TOE. SFRs in this section must be used in lieu of their counterparts in Section 5.1.1 when CPP_ND_V3.0E is used as the Base PP. When not further refined in this section, SFRs listed in section 5.1.1 should be used as-is.
5.1.2.1 Cryptographic Support (FCS)
FCS_IPSEC_EXT.1 IPsec Protocol
FCS_IPSEC_EXT.1.5
• IKEv1, using Main Mode for Phase 1 exchanges, as defined in RFCs 2407, 2408, 2409, RFC 4109, [selection: no other RFCs for extended sequence numbers, RFC 4304 for extended sequence numbers] and [selection: no other RFCs for hash functions, RFC 4868 for hash functions]
• IKEv2 as defined in RFC 7296 [selection, choose one of: with no support for NAT traversal, with mandatory support for NAT traversal as specified in RFC 7296, section 2.23] and [selection: no other RFCs for hash functions, RFC 4868 for hash functions]
5.1.2.2 Protection of the TSF (FPT)
FPT_TST_EXT.1 TSF Testing
FPT_TST_EXT.1.1
FPT_TST_EXT.1.2 The TSF shall respond to [selection: all failures, [assignment: list of failures detected by self-tests]] by [selection: entering a maintenance mode, rebooting, [assignment: other methods to enter a secure state]].
FPT_TUD_EXT.1 Trusted Update
FPT_TUD_EXT.1.3
Justification
See Issue Description.