EasyManua.ls Logo

Zte ZXR10 M6000 Series - Fdp_Iff.1

Zte ZXR10 M6000 Series
57 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
Chapter5SECURITYREQUIREMENTS
5.1.2.8FDP_IFF.1(1)Simplesecurityattributes(unauthenticated)
FDP_IFF.1.1TheTSFshallenforcethe[UNAUTHENTICATEDSFP]basedonthe
followingtypesofsubjectandinformationsecurityattributes:
[securitysubjectattributes:
1.IPnetworkaddressandportofsourcesubject;
2.IPnetworkaddressandportofdestinationsubject;
3.transportlayerprotocolandtheiragsandattributes(UDP ,TCP);
4.networklayerprotocol(IP ,ICMP);
5.interfaceonwhichtrafcarrivesanddeparts;
6.routingprotocols(BGPv4,OSPFv2,IS-IS,RIPv2)andtheircongurationandstate;
and
7.controltrafcandtrafcthreshold].
ApplicationNote:theTOEonlyacceptsroutinginformationfromotherrouterswithtrusted
IPsconguredbytheadministrators.
FDP_IFF.1.2TheTSFshallpermitaninformationowbetweenacontrolledsubjectand
controlledinformationviaacontrolledoperationifthefollowingruleshold:
1.[a.theinformationsecurityattributesmatchtheattributesinalteringrule(contained
intheinformationowpolicyrulesetdenedbytheAdministrator)accordingtothe
followingalgorithm:
lFirstmatch.Whenmultiplepolicynamesarespecied,thepoliciesshallbe
executedintheordertheyarespecied.Therstpolicythatmatchesisapplied;
theselectedinformationowpolicyrulespeciesthattheinformationowisto
bepermitted]
2.thepresumedaddressofthesourcesubject,inthepacket,isconsistentwiththe
networkinterfaceitarriveson;
3.thepresumedaddressofthedestinationsubject,inthepacket,canbemappedtoa
nexthop;
4.thesecurityattributesofthepacketmatchestheconguredroute-mappolicy
(containedintheinformationowpolicyrulesetdenedbytheAdministrator)andit
canbemappedtothenexthop].
ApplicationNote:A“nexthop”isthenextroutertowhichapacketissentfromanygiven
routerasittraversesanetworkonitsjourneytoitsnaldestination.Intheeventthatthe
packetisatthenalrouterinitsjourney,thenexthopisthenaldestination.
FDP_IFF.1.3TheTSFshallenforcethe[followingrules:
1.whentheup-sendingowratefromthenetworkinterfaceexceedsthecongured
threshold,theexceededtrafcwillbedropped(Anti-DoS);
2.whentheoutgoinginterfaceofthesourceroutingpacketisdifferentfromtheingoing
interface,thepacketwillbedropped.(URPF)
3.whenthesemi-connectionstatisticsinformationoftheTCPSYNoodexceeds
conguredthreshold,theTOEsuppressestheseattacks.]
5-5
SJ-20110815105844-030|2011/08/19R1.6ZTECORPORATION

Table of Contents

Related product manuals