Specifications
Cisco Aggregation Services Router (ASR) 900 Series Security Target
FCS_IPSEC_EXT.1.3 The TSF shall have a nominal, final entry in the SPD that matches
anything that is otherwise unmatched, and discards it.
FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC
4303 using [the cryptographic algorithms AES-CBC-128 (as specified by RFC 3602) together
with a Secure Hash Algorithm (SHA)-based HMAC, AES-CBC-256 (as specified by RFC
3602)].
FCS_IPSEC_EXT.1.5 The TSF shall implement the protocol: [IKEv1 as defined in RFCs 2407,
2408, 2409, RFC 4109, [no other RFCs for extended sequence numbers], and [no other RFCs for
hash functions]].
FCS_IPSEC_EXT.1.6 The TSF shall ensure the encrypted payload in the [IKEv1] protocol uses
the cryptographic algorithms AES-CBC-128, AES-CBC-256 as specified in RFC 6379 and [no
other algorithm].
FCS_IPSEC_EXT.1.7 The TSF shall ensure that IKEv1 Phase 1 exchanges use only main
mode.
FCS_IPSEC_EXT.1.8 The TSF shall ensure that [IKEv1 SA lifetimes can be established based
on [number of packets/number of bytes and length of time, where the time values can be limited
to: 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs]].
FCS_IPSEC_EXT.1.9 The TSF shall ensure that all IKE protocols implement DH Groups 14
(2048-bit MODP), and [no other DH groups].
FCS_IPSEC_EXT.1.10 The TSF shall ensure that all IKE protocols perform Peer Authentication
using the [RSA] algorithm and [Pre-shared Keys].
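
One way to check a device configuration against the FCS_IPSEC_EXT.1 selections above, as an added example that is not part of the Security Target or of any Cisco tooling. The sample configuration is constructed, the IOS-style command syntax is an assumption, platform defaults for omitted commands are not modelled, and each finding is tagged with the FCS_IPSEC_EXT.1.x element it relates to.

```python
import re

# Constructed IOS-style sample (assumed syntax; not taken from the Security Target).
SAMPLE = """\
crypto isakmp policy 10
 encryption aes 256
 group 14
 lifetime 86400
crypto isakmp policy 20
 encryption 3des
 group 2
 lifetime 172800
crypto isakmp aggressive-mode disable
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 43200
"""

AES_OK = re.compile(r"aes( 128| 256)?$")  # AES-CBC-128 or AES-CBC-256 only

def audit(config):
    """Return (FCS_IPSEC_EXT.1 element, message) findings for an IOS-style config."""
    findings, policy = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command ends any policy block
            m = re.match(r"crypto isakmp policy (\d+)$", line)
            policy = m.group(1) if m else None
        if policy and raw.startswith(" "):
            key, _, val = line.partition(" ")
            if key == "encryption" and not AES_OK.match(val):
                findings.append(("1.6", f"policy {policy}: encryption {val}"))
            elif key == "group" and val != "14":  # only DH Group 14 is selected
                findings.append(("1.9", f"policy {policy}: DH group {val}"))
            elif key == "lifetime" and int(val) > 86400:  # 24 h Phase 1 limit
                findings.append(("1.8", f"policy {policy}: lifetime {val}s"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            name, transforms = m.groups()
            if not re.search(r"esp-aes( 128| 256)?( esp-|$)", transforms) or \
               not re.search(r"esp-sha\d*-hmac", transforms):
                findings.append(("1.4", f"transform-set {name}: {transforms}"))
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line)
        if m and int(m.group(1)) > 28800:  # 8 h Phase 2 limit
            findings.append(("1.8", f"IPsec SA lifetime {m.group(1)}s"))
    if "crypto isakmp aggressive-mode disable" not in config:
        findings.append(("1.7", "aggressive mode not disabled"))
    return findings
```
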
5.2.2.8 FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)
FCS_RBG_EXT.1.1 The TSF shall perform all random bit generation (RBG) services in
accordance with [NIST Special Publication 800-90 using [CTR_DRBG (AES)]] seeded by an
entropy source that accumulated entropy from [a TSF-hardware-based noise source].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded with a minimum of [256 bits] of
entropy at least equal to the greatest security strength of the keys and hashes that it will generate.
5.2.2.9 FCS_SSH_EXT.1 Explicit: SSH
FCS_SSH_EXT.1.1 The TSF shall implement the SSH protocol that complies with RFCs 4251,
4252, 4253, 4254, and [no other RFCs].
FCS_SSH_EXT.1.2 The TSF shall ensure that the SSH protocol implementation supports the
following authentication methods as described in RFC 4252: public key-based, password-based.