System information
Cisco Cat3K ST 6 June 2012
5.2.3.5 FDP_IFC.1(2) Subset Information Flow Control - ACL
FDP_IFC.1.1(2) The TSF shall enforce the [ACL SFP] on: [
a) Controlled subjects: Layer 3 interfaces (i.e. any interface
configured with an IP address including physical copper
or fiber ports, or any virtual sub-interface, or Layer 3
VLAN interface);
b) Controlled information: IP packets
c) Operation: forward or drop the packets].
5.2.3.6 FDP_IFF.1(2) Simple Security Attributes - ACL
FDP_IFF.1.1(2) The TSF shall enforce the [ACL SFP] based on the following
types of subject and information security attributes: [
a) security attributes of controlled subjects:
• Interface ID (e.g. physical slot/port identifier, or
logical port-channel identifier, or VLAN interface
identifier);
• IP address assigned to the interface
b) security attributes of controlled information:
• source IP address identified within the packet;
• destination IP address identified within the
packet;
• transport layer protocol number (e.g. UDP, TCP);
• network layer protocol number (e.g. IPv4, IPv6,
ICMPv4, ICMPv6, ESP, AH, etc.);
• ICMP type].
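The following is an added illustration, not part of the Security Target and not Cisco's implementation: a small Python model of the ACL SFP as the SFRs above describe it. It represents the subject attributes (interface ID, interface address) and the information attributes (source/destination address, IP protocol number, ICMP type), evaluates an ordered ACL with first-match semantics and an implicit deny for anything no entry explicitly permits, and models the routing-table correlation of the source address as a simple prefix-membership check. The interface names, addresses, rules and routing prefixes are constructed sample data; the rule that an interface with no ACL bound passes traffic unfiltered reflects IOS behaviour and is an assumption of this model, not a statement of the ST.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# IANA IP protocol numbers used by the sample rules (fact, not an assumption)
ICMP, TCP, UDP, ESP, AH, ICMPV6 = 1, 6, 17, 50, 51, 58


@dataclass(frozen=True)
class Interface:
    """Controlled subject: a Layer 3 interface and its security attributes."""
    ifid: str       # interface ID, e.g. a physical slot/port or a VLAN interface
    address: str    # IP address assigned to the interface, with prefix length


@dataclass(frozen=True)
class Packet:
    """Controlled information: an IP packet and the attributes the ACL sees."""
    src: str
    dst: str
    proto: int                       # IP protocol number (TCP, UDP, ICMP, ESP, AH, ...)
    icmp_type: Optional[int] = None  # only meaningful when proto is ICMP/ICMPv6


@dataclass(frozen=True)
class Ace:
    """One access control entry. None for an attribute means 'any'."""
    action: str                   # "permit" or "deny"
    proto: Optional[int]
    src: str                      # source network, CIDR form
    dst: str                      # destination network, CIDR form
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        # ipaddress returns False (no exception) when v4/v6 families differ
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def evaluate_acl(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE decides. A packet that no ACE permits is denied:
    only flows unambiguously permitted by the rules are allowed."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "deny", None


def source_in_routing_table(routing_table: List[str], pkt: Packet) -> bool:
    """Model of 'source address correlates to a network in the routing table':
    the source must fall inside some prefix the table holds (simplification)."""
    src = ip_address(pkt.src)
    return any(src in ip_network(prefix) for prefix in routing_table)


def forward_or_drop(iface: Interface, acls: Dict[str, List[Ace]],
                    routing_table: List[str], pkt: Packet) -> str:
    """The controlled operation from FDP_IFC.1(2): forward or drop."""
    acl = acls.get(iface.ifid)
    if acl is not None:  # assumption: no ACL bound => not filtered (IOS behaviour)
        action, _ = evaluate_acl(acl, pkt)
        if action != "permit":
            return "drop"
    if not source_in_routing_table(routing_table, pkt):
        return "drop"
    return "forward"


# Constructed sample data (hypothetical names, addresses and rules)
VLAN10 = Interface("Vlan10", "10.1.10.1/24")
GI1 = Interface("GigabitEthernet1/0/1", "192.0.2.1/24")
SAMPLE_ACLS = {
    "Vlan10": [
        Ace("permit", ICMP, "10.1.10.0/24", "0.0.0.0/0", icmp_type=8),  # echo request
        Ace("permit", TCP, "0.0.0.0/0", "192.0.2.0/24"),
        Ace("deny", ICMP, "0.0.0.0/0", "0.0.0.0/0"),                     # other ICMP
    ],
}
SAMPLE_RIB = ["10.1.10.0/24", "10.1.20.0/24", "192.0.2.0/24"]


def run_sample() -> Dict[str, str]:
    pkts = {
        "echo_from_lan": Packet("10.1.10.5", "192.0.2.5", ICMP, icmp_type=8),
        "echo_reply_from_lan": Packet("10.1.10.5", "192.0.2.5", ICMP, icmp_type=0),
        "tcp_unknown_source": Packet("198.51.100.7", "192.0.2.5", TCP),
        "udp_from_lan": Packet("10.1.10.5", "192.0.2.5", UDP),
        "esp_no_acl_interface": Packet("192.0.2.9", "10.1.10.5", ESP),
    }
    out = {k: forward_or_drop(VLAN10, SAMPLE_ACLS, SAMPLE_RIB, p)
           for k, p in pkts.items() if k != "esp_no_acl_interface"}
    out["esp_no_acl_interface"] = forward_or_drop(
        GI1, SAMPLE_ACLS, SAMPLE_RIB, pkts["esp_no_acl_interface"])
    return out


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(f"{name:24s} -> {decision}")
```

The `tcp_unknown_source` case is the one worth noticing: the ACL permits it (second ACE), yet the packet is still dropped because 198.51.100.7 matches no prefix in the routing table, which is the second rule of the policy rather than the ACL itself.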
FDP_IFF.1.2(2) The TSF shall permit an information flow between a controlled
subject and controlled information via a controlled operation if
the following rules hold: [
• all the information security attribute values are
unambiguously permitted by the information flow
security policy rules (IP ACLs or ICMP), where
such rules may be composed from all possible
combinations of the values of the information flow
security attributes, created by the authorized
administrator;
• the source IP address in the information (packet),
correlates to network address in the routing table,