Requirement Name:
Growing (dynamic) content shall not influence system functions.
Requirement Description:
Growing or dynamic content (e.g. log files, uploads) shall not influence system functions. A file system that reaches its maximum capacity shall not stop a system from operating properly. Therefore, countermeasures shall be taken such as usage of dedicated filesystems, separated from main system functions, or quotas, or at least a file system monitoring to ensure that this scenario is avoided.
Test Case:
Test Name:
TC_HANDLING_OF_GROWING_CONTENT
Purpose:
To verify that the growing or dynamic content does not influence system functions.
Procedure and execution steps:
Pre-Conditions:
-
Growing or dynamic content sources like e.g. log files and their paths are documented.
-
Measures that are taken to protect system functions from growing or dynamic content that may exhaust file system capacity are documented.
-
All logging capabilities that are not enabled by default are enabled manually as per the documentation instructions.
Execution Steps:
-
Tester checks that the sources that are susceptible to being exhausted have been documented and measures aimed to counteract this are described.
-
Tester enables monitoring of the system operation.
-
Tester initiates traffic that causes increase of log files and monitors the system behaviour until the log file either reaches its quota or until file system is exhausted.
-
In case file uploading is allowed (e.g. via SFTP) the tester initiates file uploading and tries to exhaust the file system.
Expected Results:
-
It is verified that the taken measures are sufficient so that system operation is not influenced by growing or dynamic content at any case.
Expected format of evidence:
System monitoring data (e.g. Alarms, logs, CPU utilization, etc.).
Requirement Name:
Processing of ICMPv4 and ICMPv6 packets
Requirement Description:
Processing of ICMPv4 and ICMPv6 packets which are not required for operation shall be disabled on the network product. In particular, there are certain types of ICMP4 and ICMPv6 that are not used in most networks, but represent a risk.
ICMP message types which on receipt lead to responses or to configuration changes are not mentioned in this requirement, but they may be necessary to support relevant and specified networking features. Those must be documented.
Certain ICMP types are generally permitted and do not need to be specifically documented. Those are marked as "Permitted" in below table.
The network product shall not send certain ICMP types by default, but it may support the option to enable utilization of these types (e.g. for debugging). This is marked as "Optional" in below table.
Type (IPv4) |
Type (IPv6) |
Description |
Send |
Respond to |
0 | 128 | Echo Reply | Optional
(i.e. as automatic reply to "Echo Request") | N/A |
3 | 1 | Destination Unreachable | Permitted | N/A |
8 | 129 | Echo Request | Permitted | Optional |
11 | 3 | Time Exceeded | Optional | N/A |
12 | 4 | Parameter Problem | Permitted | N/A |
N/A | 2 | Packet Too Big | Permitted | N/A |
N/A | 135 | Neigbor Solicitation | Permitted | Permitted |
N/A | 136 | Neighbor Advertisement | Permitted | N/A |
The network product shall not respond to, or process (i.e. do changes to configuration), under any circumstances certain ICMP message types as marked in below table.
Type (IPv4) |
Type (IPv6) |
Description |
Send |
Respond to |
Process (i.e. do changes to configuration) |
5 | 137 | Redirect | N/A | N/A | Not Permitted |
13 | N/A | Timestamp | N/A | Not Permitted | N/A |
14 | N/A | Timestamp Reply | Not Permitted
(i.e. as automatic reply to "Timestamp") | N/A | N/A |
N/A | 133 | Router Solicitation | N/A | Not Permitted | Not Permitted |
N/A | 134 | Router Advertisement | N/A | N/A | Not Permitted |
Test Case:
The test for this requirement can be carried out using a suitable tool or manually by performing the steps described below. If a tool is used then the tester needs to provide evidence, e.g. by referring to the documentation of the tool, that the tool actually provides functionality equivalent to the steps described below.
Test Name:
Purpose:
To verify that the network product does not reply to certain ICMP types in accordance with the requirement. To verify that the network product does not send 'Time Exceeded'.
To verify that the network product does not process the following ICMPv4 and ICMPv6 types:
-
"Redirect (5)"
-
Router Solicitation
-
Router Advertisement
Procedure and execution steps:
Pre-Conditions:
-
The tester knows whether the network product supports IPv4 and/or IPv6:
-
If applicable, the tester has the needed system privileges for confirming that the ICMP messages with types "Not Permitted" to process are indeed not leading to configuration changes..
-
If applicable, the tester has the needed system privileges for confirming that certain ICMP message types are dropped by the network product on receipt.
-
A tester machine is available and equipped with a suitable ICMP packets generator tool.
Execution Steps:
The following needs to be done for all IP protocol versions (IPv4 and/or IPv6) supported by the network element.
For verifying that the network product does not reply to ICMP messages with types where this is not permitted: The tester sends samples of the applicable ICMP messages from the tester machine to the network product and verifies by appropriate means that
-
the messages are dropped on receipt by the network product (e.g. by means of appropriate firewall rules),
-
or no response is sent out towards the test machine,
-
or there are other means ensuring that the ICMP messages cannot trigger a response.
For verifying that the network product does not change its configuration due to receiving ICMP messages with types where this is not permitted: The tester sends samples of the applicable ICMP messages from the tester machine to the network product and verifies by appropriate means that
-
the messages are dropped on receipt by the network product (e.g. by means of appropriate firewall rules),
-
or the network product's applicable system configuration remains unchanged upon receipt of the messages,
-
or there are other means ensuring that the ICMP messages cannot lead to configuration changes.
The tester utilizes appropriate means to verify consistency between the documentation in regard to ICMP and the network product.
Expected Results:
The ICMP messages which are "Not Permitted" to generate a response from the network product do not generate a response.
The ICMP messages which are "Not Permitted" to change the configuration of the network element do not change the configuration.
ICMP message types which lead to responses or to configuration changes on receipt, if neither mentioned in the requirement nor in the documentation, are not enabled.
Expected format of evidence:
The following information needs to be retained and included into the report as appropriate:
-
Tools used and their configuration
-
Tool output
-
Test result (Passed or not)
Requirement Name:
IP packets with unnecessary options or extension headers shall not be processed.
Requirement Description:
IP packets with unnecessary options or extension headers shall not be processed. IP options and extension headers (e.g. source routing) are only required in exceptional cases. So, all packets with enabled IP options or extension headers shall be filtered.
Test Case:
The test for this requirement can be carried out using a suitable tool or manually by performing the steps described below. If a tool is used then the tester needs to provide evidence, e.g. by referring to the documentation of the tool, that the tool actually provides functionality equivalent to the steps described below.
Test Name:
TC_HANDLING-IP-OPTIONS-AND-EXTENSIONS
Purpose:
To verify that the network product provides functionality to filter out IP packets with unnecessary options or extension headers.
Procedure and execution steps:
Pre-Conditions:
-
The manufacturer declares in the documentation accompanying the network product at least the following information:
-
The support of filtering capability for IP packets with unnecessary options or extensions headers.
-
The actions performed by the network product when an IP packet with unnecessary options or extensions headers is received (e.g. the packet is dropped, the options or extensions are ignored and the packet is treated as if it has no IP options, etc.) .
-
Guidelines on how to enable and configure this filtering capability.
-
The network product has at least one physical interface named if1 supporting both IPv4 and IPv6. If the network product does not support IPv6 then IPv6 related steps and checks may be skipped.
-
A network traffic analyser on the network product (e.g. TCPDUMP) or an external traffic analyser directly connected to the network product is available .
-
The tester has administrative privileges.
-
A tester machine is available with a tool able to send IPv4 packets with the IP Options and IPv6 packets (if supported by the network product) with Extension Header set (e.g. Scapy).
Execution Steps:
-
The tester logs in the network product.
-
The tester configures on the network product a filtering rule to drop all IP packets containing an IP Option set
-
The tester establishes an O&M session on if1 interface
-
Using the tool (e.g. Scapy) the tester sends from the tester machine an IPv4 TCP SYN packet with an appropriate destination portto if1 interface without setting any IP Options
-
Using the network traffic analyser, the tester verifies that the IP packet is received by the network product and the tester verifies that the corresponding ACK message is sent back.
-
Using the tool (e.g. Scapy) the tester sends an IPv4 TCP SYN packet with an appropriate destination port and an IP Option set to the if1 interface
-
Using the network traffic analyser, the tester verifies that the IP packet is received by the network product but no ACK message is sent back. This confirms the packet is dropped as expected from the filtering rule.
-
The tester configures on the network product a filtering rule to drop all incoming packets based on specific Extension Header Types, e.g. packets with the Routing Header extension. Step 3 may be skipped if the network product does not support IPv6.
-
Using the tool (e.g. Scapy) the tester sends from the tester machine an IPv6 TCP SYN packet with an appropriate destination port to if1 interface without setting any extension header
-
Using the network traffic analyser, the tester verifies that the IP packet is received by the network product and the tester verifies that the corresponding ACK message is sent back.
-
Using the tool (e.g. Scapy) the tester sends an IPv6 TCP SYN packet with an appropriate destination port and an extension header set to the if1 interface
-
Using the network traffic analyser, the tester verifies that the IP packet is received by the network product but no ACK message is sent back. This confirms the packet is dropped as expected from the filtering rule.
Expected Results:
The network product discards IPv4 packets with unnecessary options or IPv6 packets (assuming the network product supports IPv6) with extension header.
Expected format of evidence:
A testing report provided by the testing agency which will consist of the following information:
-
Used tools and their configurations
-
Settings and configurations used
-
Pcap trace
-
Screenshot
-
Test result (Passed or not)