UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

IPSec Security Association parameters must be compliant with all requirements specified for VPN Suite B when transporting classified traffic across a non-classified network.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30955 NET-VPN-190 SV-40997r2_rule ECSC-1 High
Description
RFC 6379 Suite B Cryptographic Suites for IPSec defines four cryptographic user interface suites for deploying IPSec. Each suite provides choices for Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE). The four suites are differentiated by the choice of IKE authentication and key exchange, cryptographic algorithm strengths, and whether ESP is to provide both confidentiality and integrity or integrity only. The suite names are based on the Advanced Encryption Standard (AES) mode and AES key length specified for ESP. Two suites are defined for transporting classified information up to SECRET level—one for both confidentiality and integrity and one for integrity only. There are also two suites defined for transporting classified information up to TOP SECRET level.
STIG Date
IPSec VPN Gateway Security Technical Implementation Guide 2016-09-28

Details

Check Text ( C-39615r1_chk )
Review all transform sets defined in IPSec profiles and crypto maps used for securing classified traffic to determine if they are compliant with Suite B requirements.

According to NIST, AES with 128-bit keys, SHA-256, and ECDH and ECDSA using the 256-bit prime modulus elliptic curve (FIPS PUB 186-3) provide adequate protection for classified information up to SECRET level. AES with 356-bit keys, SHA-384, and Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve (FIPS PUB 186-3) provide adequate protection for classified information up to TOP SECRET level.

Note: During the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.
Fix Text (F-34765r1_fix)
Configure transform sets used for transporting classified packets to be compliant with Suite B requirements.