Closed OlegAndrianov closed 8 months ago
@OlegAndrianov I don't see the problem. Test 2 for FCS_IPSEC_EXT.1.7 and FCS_IPSEC_EXT.1.8 in ND SD v3.0 here, https://github.com/ND-iTC/Documents/blob/main/ND_Supporting_Document_3_0.adoc, match the NIT RFI here, https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRFI202116.pdf.
@kr15tyk
The NIT prescribes changing part of the previous assurance activity, but now the SD contains only that updated part.
Basically it now has only "evaluator shall configure.... " and no longer contains the second part with "The evaluator shall verify that...."
Original AA was:
Test 2: If ‘length of time’ is selected as the SA lifetime measure, the evaluator shall configure a maximum lifetime of 24 hours for the Phase 1 SA following the guidance documentation. The evaluator shall configure a test peer with a lifetime that exceeds the lifetime of the TOE.
The evaluator shall establish an SA between the TOE and the test peer, maintain the Phase 1 SA for 24 hours, and determine that a new Phase 1 SA is negotiated on or before 24 hours has elapsed. The evaluator shall verify that the TOE initiates a Phase 1 negotiation.
Now only the first part remains.
Okay, got it. I'll make sure this is added back in v3.0e.
NIAP resolved it by updating their TD: https://www.niap-ccevs.org/Documents_and_Guidance/view_td.cfm?TD=0800
Provide the location of the issue
FCS_IPSEC_EXT.1.7 – Test 2 and FCS_IPSEC_EXT.1.8 – Test 2.
What is the correction request for the cPP? Please describe.
Network Device Interpretation # 202116 has not been correctly carried over to TD0633, and thus has been incorrectly applied in this draft. Thus intended
Test 2: If ‘length of time’ is selected as the SA lifetime measure, the evaluator shall configure a maximum lifetime no later than 24 hours for the Phase 1 SA following the guidance documentation. The evaluator shall configure a test peer with a Phase 1 SA lifetime that exceeds the Phase 1 SA lifetime on the TOE. The evaluator shall establish an SA between the TOE and the test peer, maintain the Phase 1 SA for 24 hours, and determine that a new Phase 1 SA is negotiated on or before 24 hours has elapsed. The evaluator shall verify that the TOE initiates a Phase 1 negotiation.
Became
Test 2: If ‘length of time’ is selected as the SA lifetime measure, the evaluator shall configure a maximum lifetime no later than 24 hours for the Phase 1 SA following the guidance documentation. The evaluator shall configure a test peer with a Phase 1 SA lifetime that exceeds the Phase 1 SA lifetime on the TOE.
Thus missing expected results and important evaluator test steps.
Describe the solution you'd like
By NIT decision assurance activities shall read
1.7 Test 2: If ‘length of time’ is selected as the SA lifetime measure, the evaluator shall configure a maximum lifetime no later than 24 hours for the Phase 1 SA following the guidance documentation. The evaluator shall configure a test peer with a Phase 1 SA lifetime that exceeds the Phase 1 SA lifetime on the TOE. The evaluator shall establish an SA between the TOE and the test peer, maintain the Phase 1 SA for 24 hours, and determine that a new Phase 1 SA is negotiated on or before 24 hours has elapsed. The evaluator shall verify that the TOE initiates a Phase 1 negotiation.
1.8 Test 2: If ‘length of time’ is selected as the SA lifetime measure, the evaluator shall configure a maximum lifetime no later than 8 hours for the Phase 2 SA following the guidance documentation. The evaluator shall configure a test peer with a Phase 2 SA lifetime that exceeds the Phase 2 SA lifetime on the TOE. The evaluator shall establish an SA between the TOE and the test peer, maintain the Phase 1 SA for 8 hours, and determine that once a new Phase 2 SA is negotiated when or before 8 hours has lapsed. The evaluator shall verify that the TOE initiates a Phase 2 negotiation.
Describe alternatives you've considered
Additional context
Refer to NIT decision https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRFI202116.pdf
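
The difference between the truncated and the full Test 2 can be shown as a pass/fail check. The following is an added example, not part of the issue, the ND SD or any NIAP tooling. The event tuple format, the event names (`established`, `rekey_start`) and the sample timelines are constructed assumptions.

```python
from datetime import datetime, timedelta

# Lifetime limits from the Test 2 text quoted in the issue (Phase 1, Phase 2).
LIMITS = {1: timedelta(hours=24), 2: timedelta(hours=8)}

def check_test2(phase, toe_lifetime, peer_lifetime, events):
    """Return a list of findings; an empty list means Test 2 passes.

    events: (timestamp, phase, event, initiator) tuples in an assumed,
    hypothetical format; event is "established" or "rekey_start",
    initiator is "TOE" or "PEER".
    """
    findings = []
    limit = LIMITS[phase]
    # Configuration half of the test (the only part left in the truncated text).
    if toe_lifetime > limit:
        findings.append("TOE lifetime exceeds limit")
    if peer_lifetime <= toe_lifetime:
        findings.append("peer lifetime does not exceed TOE lifetime")
    # Verification half (the sentences the issue asks to restore).
    mine = sorted(e for e in events if e[1] == phase)
    first = next((e for e in mine if e[2] == "established"), None)
    if first is None:
        return findings + ["no SA established"]
    later = [e for e in mine if e[0] > first[0]]
    start = next((e for e in later if e[2] == "rekey_start"), None)
    done = next((e for e in later if e[2] == "established"), None)
    if done is None or done[0] - first[0] > limit:
        findings.append("no new SA negotiated within limit")
    if start is None or start[3] != "TOE":
        findings.append("TOE did not initiate the negotiation")
    return findings

T0 = datetime(2024, 1, 1)  # constructed start time
def at(hours, minutes=0):
    return T0 + timedelta(hours=hours, minutes=minutes)

def timeline(phase, rekey_at, initiator):
    """Build a constructed three-event timeline (not real device output)."""
    return [(at(0), phase, "established", "TOE"),
            (rekey_at, phase, "rekey_start", initiator),
            (rekey_at + timedelta(minutes=1), phase, "established", initiator)]

if __name__ == "__main__":
    day, two_days = timedelta(hours=24), timedelta(hours=48)
    for name, ev in [("TOE rekeys", timeline(1, at(23, 50), "TOE")),
                     ("peer rekeys", timeline(1, at(23, 50), "PEER")),
                     ("late rekey", timeline(1, at(25), "TOE"))]:
        print(name, check_test2(1, day, two_days, ev) or "PASS")
```

The "peer rekeys" and "late rekey" timelines satisfy the configuration half on its own and fail only on the verification half.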