Specifications

Cisco Aggregation Services Router (ASR) 900 Series Security Target
TOE SFRs
How the SFR is Met
services using AES-CBC-128 and AES-CBC-256 together with HMAC-SHA1.
The TOE uses IPsec to secure communications with the remote syslog server, with
AAA servers (RADIUS and TACACS+) used for remote authentication if configured,
and with NTP servers if configured.
IPsec Internet Key Exchange (IKEv1, which the TOE configuration refers to as
ISAKMP) is the negotiation protocol that lets two peers agree on how to build an
IPsec Security Association (SA). The IKE implementation performs peer
authentication using the rDSA (RSA digital signature) algorithm. IKE separates
negotiation into two phases: phase 1 and phase 2. Phase 1 creates the first
tunnel, which protects later ISAKMP negotiation messages. Phase 1 establishes
the secure channel using a Diffie-Hellman (DH) key exchange in which the TOE
generates the secret value ("x" in "g^x mod p") using a random bit generator
(RBG) and ensures that the length of "x" is at least 256 bits. The key
negotiated in phase 1 enables IKE peers to communicate securely in phase 2.
During phase 2 IKE establishes the IPsec SA. IKE maintains a trusted channel,
referred to as a Security Association (SA), between IPsec peers that is also used
to manage IPsec connections, including:
- the negotiation of mutually acceptable IPsec options between peers
  (including peer authentication parameters, either signature based or
  pre-shared key based),
- the establishment of additional Security Associations to protect packet
  flows using Encapsulating Security Payload (ESP), and
- the agreement of the AES keys used for secure bulk data encryption with
  ESP.
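The phase 1 exponent generation described above, as an added worked example that is not part of the Security Target or of Cisco's implementation: each side draws its secret "x" from the operating system's CSPRNG (standing in for the TOE's RBG) and rejects any candidate shorter than 256 bits, then both sides compute "g^x mod p" and the shared secret. The group is RFC 3526 group 14 (2048-bit MODP, generator 2), chosen here as an assumption; the Security Target does not name a DH group. The check that a peer's public value lies strictly between 1 and p-1 is the standard small-subgroup guard and is also an addition.

```python
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime and generator. Assumed group for
# this example; the Security Target only requires x to be >= 256 bits.
MODP_2048_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
MODP_2048_G = 2
MIN_EXPONENT_BITS = 256   # the minimum length of "x" stated in the ST


def generate_dh_secret(min_bits=MIN_EXPONENT_BITS):
    """Draw the DH exponent x from the CSPRNG, rejecting short candidates.

    secrets.randbits() returns an integer below 2**min_bits, so a candidate
    whose top bit is clear has fewer than min_bits bits and is discarded.
    """
    while True:
        x = secrets.randbits(min_bits)
        if x.bit_length() >= min_bits:
            return x


def is_valid_peer_public(y, p=MODP_2048_P):
    """Reject 0, 1 and p-1: those force the shared secret into {0, 1, p-1}."""
    return 1 < y < p - 1


def dh_peer(p=MODP_2048_P, g=MODP_2048_G):
    """One side of phase 1: (private x, public g^x mod p)."""
    x = generate_dh_secret()
    return x, pow(g, x, p)


def dh_exchange(p=MODP_2048_P, g=MODP_2048_G):
    """Run both sides of the exchange; return (x_a, x_b, k_a, k_b)."""
    x_a, y_a = dh_peer(p, g)
    x_b, y_b = dh_peer(p, g)
    # Each side validates what it received before exponentiating with it.
    if not (is_valid_peer_public(y_b, p) and is_valid_peer_public(y_a, p)):
        raise ValueError("peer public value outside (1, p-1)")
    k_a = pow(y_b, x_a, p)   # A computes (g^x_b)^x_a
    k_b = pow(y_a, x_b, p)   # B computes (g^x_a)^x_b
    return x_a, x_b, k_a, k_b


if __name__ == "__main__":
    x_a, x_b, k_a, k_b = dh_exchange()
    print("x_a bits:", x_a.bit_length(), "x_b bits:", x_b.bit_length())
    print("shared secrets agree:", k_a == k_b)
```

The rejection loop in generate_dh_secret is what enforces the "at least 256 bits" requirement; without it roughly half of all draws would be shorter. A real IKE implementation would further feed the shared secret into the IKEv1 SKEYID derivation rather than using it directly.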
A crypto map (the security policy definition) set can contain multiple entries,
each with a different access list. The crypto map entries are searched in
sequence; for each entry the TOE attempts to match the packet to the access list
(ACL) specified in that entry. When a packet matches a permit entry in a
particular access list, the method of security in the corresponding crypto map
entry is applied. If the crypto map entry is tagged ipsec-isakmp, IPsec is
triggered. Traffic matching the permit ACLs then flows through the IPsec tunnel
and is classified as "PROTECTED". Traffic that does not match a permit ACL in
the crypto map and does not match a non-crypto permit ACL on the interface is
DISCARDED. Traffic that does not match a permit ACL in the crypto map but does
match a non-crypto permit ACL is allowed to BYPASS the tunnel. For example, a
non-crypto permit ACL for ICMP would allow ping traffic to flow unencrypted if
no crypto map permit ACL matching the ping traffic was configured.
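The PROTECTED / BYPASS / DISCARDED decision above, as an added model that is not part of the Security Target or of Cisco IOS: crypto map entries are tried in sequence-number order, a permit in an entry's ACL selects that entry, a deny only means "not this tunnel" and the search continues, and only when no entry claims the packet does the non-crypto interface ACL decide between bypass and discard. The addresses, ACL names and crypto map contents are constructed for the example (RFC 5737 documentation ranges); the one-direction ACL model and the Ace/Packet types are simplifications introduced here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One access-list entry (constructed type, not IOS syntax)."""
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str      # CIDR; "0.0.0.0/0" stands for "any"
    dst: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


def ace_matches(ace, pkt):
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(ace.src)
            and ip_address(pkt.dst) in ip_network(ace.dst))


def acl_action(acl, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    tag: str     # "ipsec-isakmp": SA parameters are negotiated by IKE
    acl: tuple   # the entry's "match address" ACL


def classify(pkt, crypto_map, interface_acl):
    """Return "PROTECTED", "BYPASS" or "DISCARDED" for one packet."""
    # Entries are searched in sequence order. A deny in one entry's ACL
    # excludes the packet from that tunnel only; later entries still apply.
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_action(entry.acl, pkt) == "permit":
            if entry.tag != "ipsec-isakmp":
                raise NotImplementedError("only ipsec-isakmp entries modelled")
            return "PROTECTED"
    # No crypto map entry claimed the packet: the non-crypto ACL applied in
    # the packet's direction decides between bypass and discard.
    if acl_action(interface_acl, pkt) == "permit":
        return "BYPASS"
    return "DISCARDED"


ANY = "0.0.0.0/0"
MGMT_NET = "192.0.2.0/24"        # constructed: the TOE's management network
SERVER_NET = "198.51.100.0/24"   # constructed: syslog / AAA / NTP servers
ADMIN_NET = "203.0.113.0/24"     # constructed: administrator workstations

CRYPTO_MAP = (
    # Entry 10: everything to the server network except ICMP is protected.
    CryptoMapEntry(10, "ipsec-isakmp", (
        Ace("deny", "icmp", ANY, ANY),
        Ace("permit", "ip", MGMT_NET, SERVER_NET),
    )),
    # Entry 20: ICMP to the servers is protected by a second tunnel entry.
    CryptoMapEntry(20, "ipsec-isakmp", (
        Ace("permit", "icmp", MGMT_NET, SERVER_NET),
    )),
)

# Non-crypto ACL on the interface: ping from anywhere, TCP from admin hosts.
INTERFACE_ACL = (
    Ace("permit", "icmp", ANY, ANY),
    Ace("permit", "tcp", ADMIN_NET, MGMT_NET),
)

if __name__ == "__main__":
    for pkt in (Packet("udp", "192.0.2.1", "198.51.100.10"),
                Packet("icmp", "192.0.2.1", "198.51.100.10"),
                Packet("icmp", "192.0.2.1", "203.0.113.5"),
                Packet("tcp", "192.0.2.1", "203.0.113.5")):
        print(pkt, "->", classify(pkt, CRYPTO_MAP, INTERFACE_ACL))
```

The second sample packet is the case worth noticing: the ping to a server is denied by entry 10's ACL, yet it is still PROTECTED because entry 20 permits it, whereas a ping to an administrator host matches no crypto entry and BYPASSes the tunnel unencrypted under the interface ACL's ICMP permit, exactly the situation the paragraph warns about.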
After the two peers agree upon a policy, the security parameters of the policy are
identified by an SA established at each peer, and these IKE SAs apply to all
subsequent IKE traffic during the negotiation.
The TOE will be configured to not support aggressive mode for IKEv1 exchanges
and to use only main mode.
The TOE will be configured to not allow "confidentiality only" ESP mode by
ensuring that the IPsec transform sets referenced by the crypto map entries
include an ESP authentication algorithm (HMAC-SHA1) together with ESP
encryption (AES-CBC), so that ESP is never negotiated with encryption alone.
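A configuration audit for the two constraints just stated (main mode only; no confidentiality-only ESP) and for the crypto map conventions described earlier, as an added example that is not part of the Security Target or of Cisco's tooling. Both configurations below are constructed samples in Cisco IOS syntax: the weak one negotiates 3DES/MD5, leaves aggressive mode enabled, has a transform set with ESP encryption but no ESP integrity algorithm, and carries a crypto map entry not tagged ipsec-isakmp; the hardened one corrects each point. The line-based parser and the finding strings are assumptions made here.

```python
import re

# Constructed sample: the settings the audit should object to.
WEAK_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication rsa-sig
 group 14
crypto ipsec transform-set TS-WEAK esp-aes
 mode tunnel
crypto map CM-MGMT 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-WEAK
 match address TO-SYSLOG
crypto map CM-MGMT 20 ipsec-manual
 set peer 198.51.100.11
 match address TO-AAA
"""

# Constructed sample: the same policy corrected.
HARDENED_CONFIG = """\
crypto isakmp aggressive-mode disable
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication rsa-sig
 group 14
crypto ipsec transform-set TS-STRONG esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map CM-MGMT 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-STRONG
 match address TO-SYSLOG
"""


def parse_blocks(config):
    """Split IOS-style config into (header, [indented body lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_ipsec_config(config):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]

    # Main mode only: IOS keeps aggressive mode enabled unless disabled.
    if "crypto isakmp aggressive-mode disable" not in headers:
        findings.append("IKEv1 aggressive mode not disabled")

    for header, body in blocks:
        if header.startswith("crypto isakmp policy "):
            # Phase 1 proposal: AES-CBC-128/256 and SHA-1 as in the ST.
            if not any(re.fullmatch(r"encr aes( 128| 256)?", l) for l in body):
                findings.append(f"{header}: encryption is not AES-128/256")
            if "hash sha" not in body:
                findings.append(f"{header}: hash is not SHA-1")
        elif header.startswith("crypto ipsec transform-set "):
            # Phase 2 proposal: confidentiality-only ESP has no *-hmac transform.
            name = header.split()[3]
            if not re.search(r"\besp-aes\b", header):
                findings.append(f"transform-set {name}: ESP encryption is not AES")
            if not re.search(r"\besp-sha-hmac\b", header):
                findings.append(f"transform-set {name}: no ESP integrity "
                                "(esp-sha-hmac), confidentiality-only ESP")
        elif header.startswith("crypto map "):
            parts = header.split()
            if len(parts) >= 4 and parts[3].isdigit():   # a map entry
                tag = parts[4] if len(parts) > 4 else ""
                if tag != "ipsec-isakmp":
                    findings.append(f"{header}: entry not tagged ipsec-isakmp")
                if not any(l.startswith("match address ") for l in body):
                    findings.append(f"{header}: no match address ACL")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ipsec_config(cfg) or ["no findings"])
```

Run against a saved "show running-config" the same way; the block deliberately reports each issue separately so that a single missing esp-sha-hmac on one transform set stands out even when the IKE policy itself is correct.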