System information
Cisco Cat3K ST    6 June 2012 
50 
TOE SFRs: FCS_CKM.1(1), FCS_COP.1(1)
How the SFR is Met: The TOE generates RSA keys for key establishment schemes conformant with FIPS 186-3. RSA keys are used for encryption and decryption of keying material in SSHv2, which is used for remote administration of the TOE. (Refer to FIPS 140-2 certificate #1657)
TOE SFRs: FCS_CKM.4
How the SFR is Met: The TOE meets all requirements specified in FIPS 140-2 for destruction of keys: the module securely administers both cryptographic keys and other critical security parameters (CSPs) such as passwords. (Refer to FIPS 140-2 certificate #1657)
TOE SFRs: FCS_CKM.1(2), FCS_COP.1(2), FCS_COP.1(3)
How the SFR is Met: AES is used for RADIUS KeyWrap. The TOE provides key generation for AES 128-bit and 256-bit keys using a random number generator that meets NIST SP 800-90 DRBG as specified in FIPS 140-2 Annex C. The TOE provides symmetric encryption and decryption capabilities using AES in CBC mode (128- and 256-bit keys) as described in FIPS PUB 197, “Advanced Encryption Standard (AES)”, and NIST SP 800-38A. (Refer to FIPS 140-2 certificate #1657)
TOE SFRs: FCS_COP.1(4)
How the SFR is Met: The TOE provides MD5 hashing for authentication of neighbor routers via BGPv4, EIGRP, PIM-SMv2, and OSPFv2 with shared passwords. The hash mechanism is implemented as specified in RFC 1321 (MD5) and applied in OSPFv2 (RFC 2328), BGPv4 (RFC 2385), MSDP (RFC 3618) for PIM-SMv2 (RFC 4601), and EIGRP (Cisco proprietary).
•  OSPFv2 uses MD5 for authentication of routing updates, as defined in Appendix D of RFC 2328 (OSPF Version 2).
•  BGPv4 uses MD5 for authentication of routing updates, as defined in RFC 2385 (Protection of BGP Sessions via the TCP MD5 Signature Option).
•  MSDP uses MD5 to secure and authenticate control messages for TCP connections between two Multicast Source Discovery Protocol (MSDP) peers across Protocol-Independent Multicast sparse-mode (PIM-SM) domains, as defined in RFC 3618 (Multicast Source Discovery Protocol).
•  EIGRP (Cisco proprietary) uses MD5 for authentication of routing updates.
Routing tables for IPv4 and IPv6 can be created and maintained manually using static routes configured by the administrator. Use of routing protocols in IPv4 or IPv6 is not required to support or enforce any TOE security functionality, including filtering of IPv4 or IPv6 traffic. EIGRP supports MD5-authenticated routing updates with IPv6 or IPv4, as do BGPv4 and PIM-SMv2, while the OSPFv2 routing protocol supports MD5-authenticated routing updates for IPv4 only.
Note that, per the FIPS Security Policy, MD5 is not a validated algorithm in the FIPS mode of operation. For additional security, it is recommended that routing protocol traffic also be isolated to separate VLANs.
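The OSPFv2 cryptographic authentication the row above refers to (RFC 2328, Appendix D), shown as an added worked example that is not part of the Security Target or of Cisco's code: the sender runs MD5 over the packet followed by the 16-byte key and appends the digest, and the receiver checks the key ID, the cryptographic sequence number (replay protection) and the digest before accepting a Hello. Zero-padding of keys shorter than 16 bytes, the sample key, the router ID and the netmask are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# OSPFv2 header (RFC 2328 A.3.1): version, type, length, router ID, area ID, checksum, AuType,
# then the 8-byte auth field, which for AuType 2 holds 0, key ID, auth data length and seq (D.3).
OSPF_HDR = "!BBHIIHH"
AUTH_FIELD = "!HBBI"
AU_CRYPTO, KEY_LEN = 2, 16

def pad_key(key: bytes) -> bytes:
    # The MD5 key is 16 bytes; shorter keys are zero-padded (assumption about the router).
    if len(key) > KEY_LEN:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")

def hello_body(netmask, hello_int, options, prio, dead_int, dr, bdr, neighbors=()):
    # Hello packet body (RFC 2328 A.3.2); neighbors are router IDs heard on the link.
    fixed = struct.pack("!IHBBIII", netmask, hello_int, options, prio, dead_int, dr, bdr)
    return fixed + b"".join(struct.pack("!I", n) for n in neighbors)

def sign_packet(ptype, router_id, area_id, body, key_id, seq, key):
    # Sender side (D.4.3): checksum is 0, MD5 runs over packet||key, and the
    # 16-byte digest is appended; the length field does not count the digest.
    length = 24 + len(body)
    header = struct.pack(OSPF_HDR, 2, ptype, length, router_id, area_id, 0, AU_CRYPTO)
    packet = header + struct.pack(AUTH_FIELD, 0, key_id, KEY_LEN, seq) + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify_packet(raw, keys, last_seq):
    # Receiver side (D.4.4): the key ID must be configured, the sequence number must not
    # go backwards for this neighbour (replay check), and the digest must match.
    if len(raw) < 24 + KEY_LEN:
        return False
    _, _, length, router_id, _, _, autype = struct.unpack(OSPF_HDR, raw[:16])
    _, key_id, auth_len, seq = struct.unpack(AUTH_FIELD, raw[16:24])
    if autype != AU_CRYPTO or auth_len != KEY_LEN or length + KEY_LEN != len(raw):
        return False
    if key_id not in keys or seq < last_seq.get(router_id, 0):
        return False
    expected = hashlib.md5(raw[:length] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, raw[length:]):
        return False
    last_seq[router_id] = seq
    return True

if __name__ == "__main__":
    key, seen = b"constructed-key", {}     # constructed sample key and per-neighbour state
    pkt = sign_packet(1, 0x0A000001, 0, hello_body(0xFFFFFF00, 10, 0x02, 1, 40, 0, 0), 1, 100, key)
    print(verify_packet(pkt, {1: key}, seen), verify_packet(pkt[:28] + b"\xff" + pkt[29:], {1: key}, seen))
```

The same key must be configured under the same key ID on both neighbors; the check rejects an unknown key ID, a wrong key, a modified packet and a packet whose sequence number is older than the last one accepted from that router ID.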
TOE SFRs: FCS_SSH_EXT.1
How the SFR is Met: The TOE implements SSHv2 (telnet is disabled in the evaluated configuration). SSHv2 sessions are limited by a configurable session timeout of 120 seconds and a maximum of 3 failed authentication attempts, and are rekeyed upon request from the SSH client. SSH connections are dropped if the TOE receives a packet larger than 35,000 bytes. The TOE’s implementation of SSHv2 supports the hashing algorithms hmac-sha1, hmac-sha1-96 and hmac-md5. The TOE can also be configured to use only one of the identified DH groups for key exchange. The available groups are Diffie-Hellman group 14, group 16, and group 2.