[Swan] NDcPP 1.0: FCS_IPSEC_EXT.1.12
jonetsu
jonetsu at teksavvy.com
Mon Feb 1 17:13:34 UTC 2016
Hello,
FIPS and the NDcPP are not directly related although quite often both are required to make a complete security 'standard' package.
The Collaborative Protection Profile for Network Devices (NDcPP 1.0) states:
"FCS_IPSEC_EXT.1.12 The unit shall be able to ensure by default
that the strength of the symmetric algorithm (in terms of the
number of bits in the key) negotiated to protect either the
IKEv1 Phase 1 or the IKEv2 IKE_SA connection is greater than or
equal to the strength of the symmetric algorithm (in terms of
the number of bits in the key) negotiated to protect either the
IKEv1 Phase 2 or IKEv2 CHILD_SA connection."
Where does libreswan stands regarding, when running in FIPS mode ?
Also, another FIPS-loosely-related document, the Common Criteria states:
"The unit must implement the IPsec protocol ESP as defined by RFC 4303 AES-GCM-128, AES-GCM-256,
and optionally AES-CBC-128, AES-CBC-256 with HMAC-SHA."
Does libreswan make use of RFC 4303 ?
Thanks !
More information about the Swan
mailing list