IPSec Security Association parameters must be compliant with all requirements specified for VPN Suite B when transporting classified traffic across a non-classified network.

From IPSec VPN Gateway Security Technical Implementation Guide

Part of: The IPSec SA is not VPN Suite B compliant.

Associated with IA controls: ECSC-1

SV-40997r2_rule IPSec Security Association parameters must be compliant with all requirements specified for VPN Suite B when transporting classified traffic across a non-classified network.

Vulnerability discussion

RFC 6379 Suite B Cryptographic Suites for IPSec defines four cryptographic user interface suites for deploying IPSec. Each suite provides choices for Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE). The four suites are differentiated by the choice of IKE authentication and key exchange, cryptographic algorithm strengths, and whether ESP is to provide both confidentiality and integrity or integrity only. The suite names are based on the Advanced Encryption Standard (AES) mode and AES key length specified for ESP. Two suites are defined for transporting classified information up to SECRET level—one for both confidentiality and integrity and one for integrity only. There are also two suites defined for transporting classified information up to TOP SECRET level.

Check content

Review all transform sets defined in IPSec profiles and crypto maps used for securing classified traffic to determine if they are compliant with Suite B requirements. According to NIST, AES with 128-bit keys, SHA-256, and ECDH and ECDSA using the 256-bit prime modulus elliptic curve (FIPS PUB 186-3) provide adequate protection for classified information up to SECRET level. AES with 256-bit keys, SHA-384, and Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve (FIPS PUB 186-3) provide adequate protection for classified information up to TOP SECRET level. Note: During the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.
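The check above is a manual review of each transform set and IKE proposal against the four RFC 6379 suites. The script below is an added example, not part of the STIG or of any vendor's tooling: it transcribes the suites from RFC 6379 into a table, normalizes each Security Association into a small dictionary (the field names esp_enc, esp_integ, ike_enc, ike_prf, ike_integ, ike_dh and ike_auth are this script's own convention, and the algorithm labels such as "AES-GCM-128" and "RSA-2048" are its own spelling), and reports each SA as compliant, transitional (the 2048-bit DH/DSA/RSA allowance for SECRET in the check text, with IKE DH group 14 taken as the 2048-bit MODP group) or non-compliant for a given classification level. The sample SAs are constructed; mapping a device's actual transform-set and IKE proposal lines onto these fields is the reviewer's job and varies by vendor.

```python
"""Audit normalized IPsec SA parameter sets against RFC 6379 Suite B.

Added example (not STIG or vendor code). Suite contents are from RFC 6379;
field names and algorithm labels are this script's convention; sample SAs
at the bottom are constructed.
"""
from typing import Dict, List, Tuple

# IKE parameters shared by the two 128-bit suites and by the two 256-bit suites.
_IKE_128 = {"ike_enc": "AES-CBC-128", "ike_prf": "HMAC-SHA-256",
            "ike_integ": "HMAC-SHA-256-128", "ike_dh": 19, "ike_auth": "ECDSA-256"}
_IKE_256 = {"ike_enc": "AES-CBC-256", "ike_prf": "HMAC-SHA-384",
            "ike_integ": "HMAC-SHA-384-192", "ike_dh": 20, "ike_auth": "ECDSA-384"}

# The four RFC 6379 suites; "strength" is the AES key length the suite is named for.
SUITE_B: Dict[str, Dict] = {
    "Suite-B-GCM-128":  {"esp_enc": "AES-GCM-128", "esp_integ": "NULL", "strength": 128, **_IKE_128},
    "Suite-B-GMAC-128": {"esp_enc": "NULL", "esp_integ": "AES-GMAC-128", "strength": 128, **_IKE_128},
    "Suite-B-GCM-256":  {"esp_enc": "AES-GCM-256", "esp_integ": "NULL", "strength": 256, **_IKE_256},
    "Suite-B-GMAC-256": {"esp_enc": "NULL", "esp_integ": "AES-GMAC-256", "strength": 256, **_IKE_256},
}

# Minimum suite strength the check text associates with each classification level.
MIN_STRENGTH = {"SECRET": 128, "TOP SECRET": 256}

# Transitional substitutes the check text permits for SECRET only (2048-bit modulus).
TRANSITIONAL_DH = {14}                      # assumption: group 14 = 2048-bit MODP
TRANSITIONAL_AUTH = {"RSA-2048", "DSA-2048"}  # labels are this script's convention

SA_FIELDS = ("esp_enc", "esp_integ", "ike_enc", "ike_prf", "ike_integ", "ike_dh", "ike_auth")


def closest_suite(sa: Dict) -> Tuple[str, List[str]]:
    """Return the Suite B profile with the fewest mismatching fields, and those fields."""
    best = min(SUITE_B, key=lambda n: sum(sa.get(f) != SUITE_B[n][f] for f in SA_FIELDS))
    diffs = [f for f in SA_FIELDS if sa.get(f) != SUITE_B[best][f]]
    return best, diffs


def assess(sa: Dict, classification: str) -> Tuple[str, List[str]]:
    """Grade one SA as COMPLIANT, TRANSITIONAL or NON-COMPLIANT for a classification level.

    TRANSITIONAL means the SA matches a suite except that DH group and/or IKE
    authentication use the 2048-bit substitutes allowed for SECRET traffic only.
    """
    need = MIN_STRENGTH[classification]
    suite, diffs = closest_suite(sa)
    reasons: List[str] = []
    transitional: List[str] = []
    if SUITE_B[suite]["strength"] < need:
        reasons.append(f"closest suite {suite} is {SUITE_B[suite]['strength']}-bit; "
                       f"{classification} requires {need}-bit")
    for f in diffs:
        allowed = (sa.get(f) in TRANSITIONAL_DH if f == "ike_dh"
                   else sa.get(f) in TRANSITIONAL_AUTH if f == "ike_auth" else False)
        if classification == "SECRET" and allowed:
            transitional.append(f)
        else:
            reasons.append(f"{f}={sa.get(f)!r} does not match {suite} ({SUITE_B[suite][f]!r})")
    if reasons:
        return "NON-COMPLIANT", reasons
    if transitional:
        return "TRANSITIONAL", [f"{f}={sa.get(f)!r} relies on the 2048-bit transition allowance"
                                for f in transitional]
    return "COMPLIANT", [f"matches {suite}"]


def audit(sas: Dict[str, Dict], classification: str) -> Dict[str, str]:
    """Status per SA name for the given classification level."""
    return {name: assess(sa, classification)[0] for name, sa in sas.items()}


# Constructed sample SAs (not taken from any real device).
SAMPLE_SAS = {
    "TS-SECRET-GCM": {"esp_enc": "AES-GCM-128", "esp_integ": "NULL", **_IKE_128},
    "TS-SECRET-TRANSITION": {"esp_enc": "AES-GCM-128", "esp_integ": "NULL", **_IKE_128,
                             "ike_dh": 14, "ike_auth": "RSA-2048"},
    "TS-LEGACY-3DES": {"esp_enc": "3DES", "esp_integ": "HMAC-SHA1-96", "ike_enc": "3DES",
                       "ike_prf": "HMAC-SHA1", "ike_integ": "HMAC-SHA1-96", "ike_dh": 2,
                       "ike_auth": "PSK"},
}

if __name__ == "__main__":
    for level in ("SECRET", "TOP SECRET"):
        print(f"== {level} ==")
        for name, sa in SAMPLE_SAS.items():
            status, why = assess(sa, level)
            print(f"{name:22} {status:14} {'; '.join(why)}")
```

Run as a script it prints one line per SA and level with the reasons for the verdict; the same SA that passes for SECRET via the transition allowance fails for TOP SECRET, which is the distinction the check text draws. The 256-bit suites are accepted for SECRET as well, since the check text sets a minimum strength rather than an exact suite.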

Fix text

Configure transform sets used for transporting classified packets to be compliant with Suite B requirements.
