RE: I-0451: When To Use IFF/IFC And AFF/AFC
- Subject: RE: I-0451: When To Use IFF/IFC And AFF/AFC
- From: "Michelle A. Ruppel" <maruppel@saffiresys.com>
- Date: Mon, 27 Oct 2003 21:12:23 -0600
- Content-Transfer-Encoding: 8bit
- Content-Type: text/plain; charset="us-ascii"
- Importance: Normal
- In-Reply-To: <3F2971CA.18126.34F7EC@localhost>
I have the following comments on this proposal for formal guidance.
General Comment:
1. Network devices have used IFF.1 / IFC.1 to define the data flow through
the device since the beginning of the CC.
The 4 validated Firewall Protection Profiles do not comply with this
interpretation.
Since this can and probably will be confusing to many individuals, consider
addressing this discrepancy in this Guidance Interpretation.
The Guidance provided removes the ability to control/mediate data flow
through network devices. If this guidance is
released, it needs to provide an alternative for controlling/mediating data
flow through network devices.
Consider allowing IFF.1 / IFC.1 to remain interpreted as they have been
historically, and suggest that IFF.2-6 and IFC.2 apply to
the guidance, since these requirements are where lattices and illicit
information flows enter the requirements.
Statement
1. "IFF/IFC should be used when the intent is to control the flow of
information."
This statement, depending on one's background and interpretation, allows for
IFF/IFC to be used for applications such as firewalls, routers, etc.
Based on the rest of the Guidance, I do not believe this is what was
intended.
2. "Information flow control is based on some fundamental characteristic of
the information (not the container), and may not involve an active subject."
The characteristic of the information is usually stored in or with the
container, so one could interpret that the fundamental characteristic is
also on the container. If my interpretation of what is meant here is
correct, I suggest rewording this sentence so the intent is not lost.
Consider something similar to the following:
"Information flow control is based on some fundamental, static
characteristic of the information (which may be stored in or with the
container but will always
be associated with/linked to the information as it moves through the TSF),
and may not involve an active subject. Only a privileged user can modify
the characteristic associated with the information." Or is it a permanent
characteristic??
3. "Information flow policies dictate whether information with a particular
characteristic can move from one controlled entity to another."
As a standalone sentence, this would allow information flow policies to be
used for applications such as firewalls, routers, etc. For example,
an owner or originating IP address could be a particular characteristic.
However, this is not the intent, so you may want to consider rewording to
something like:
"Information flow policies dictate whether information with a static
characteristic can move from one controlled entity to another." Or is it a
permanent characteristic??
Support Section:
4. Last sentence: "The type of policy should be chosen based on the
fundamental type of control: is it subject access to an object, or is it
based on characteristics of the information."
Depending on your interpretation, neither of these choices apply to network
devices/applications such as firewalls, routers, etc. They can dictate what
information can flow through the appliance with no consideration of the
subject accessing an object. That decision is made on the originating system
or the destination system; neither subject nor object.
Michelle A. Ruppel
Saffire Systems
P.O. Box 11154
Champaign, IL 61826
217-359-7763 Fax: 217-359-8753
-----Original Message-----
From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of NIAP
Interpretations Board
Sent: Thursday, July 31, 2003 9:51 PM
To: Multiple recipients of list
Subject: Re: I-0451: When To Use IFF/IFC And AFF/AFC
The following is a proposal for formal guidance related to the Common
Criteria and ancillary documents. It is being posted in accordance with
the procedures of the IWG.
Comments on this proposal are welcomed and should be posted to this
transaction chain. If any party wishes to post a comment anonymously,
the comment should be mailed to cc-cmt@nist.gov in a form suitable for
posting. All comments should be posted no later than Tuesday, October
28, 2003.
CCITSE/CEM GUIDANCE (PROPOSED)
_________________________________________________________________
I-0451: When To Use IFF/IFC And AFF/AFC
_________________________________________________________________
TYPE: Guidance
NUMBER: I-0451
STATUS: Ready for External Repost after Interpretations Board
Rework/Review
TITLE: When To Use IFF/IFC And AFF/AFC
PREVIOUS POSTING: [cc-cmt 00357]
COMMENTS DUE BY: Tuesday, October 28, 2003 to cc-cmt@nist.gov
SOURCE REFERENCE: CC v2.1 Part 2 Subclause 6.1 FDP_ACC
CC v2.1 Part 2 Subclause 6.2 FDP_ACF
CC v2.1 Part 2 Subclause 6.5 FDP_IFC
CC v2.1 Part 2 Subclause 6.6 FDP_IFF
RELATED TO: <None>
ISSUE:
When is it appropriate to use IFF/IFC or ACC/ACF? In particular, for
an environment where there is an externally defined policy and no
attributes on objects, should IFF/IFC be used?
STATEMENT
ACC/ACF should be used when the intent is to control access to an
object; IFF/IFC should be used when the intent is to control the flow
of information.
Access to an object means that there is a set of rules that define
whether some entity (a "subject") may have a particular form of access
to a data container (an "object") for some particular type of
operation. There are no controls based on the information itself; that
is: if the subject is permitted to write the object, it may write any
data into the object; similarly, if a subject is permitted to read an
object, it can do whatever it wishes with the data it has read.
Information flow control is based on some fundamental characteristic
of the information (not the container), and may not involve an active
subject. Information flow policies dictate whether information with a
particular characteristic can move from one controlled entity to
another.
SUPPORT:
When the Common Criteria was first written, the goal on the functional
side was to capture the policies that were present in the previous
criteria that served as inspiration. In the case of the Trusted
Computer System Evaluation Criteria, this was Discretionary Access
Control (DAC) and Mandatory Access Control (MAC). However, at this
time, there was an effort not to use terms that brought with them
specific connotations--hence, many TCSEC terms were not used in the
CC.
While the TCSEC separated controls based upon who was allowed to make
changes (discretionary versus mandatory), the CC has separated
controls based upon the type of control. Since IFF/IFC type controls
were often non-discretionary and ACF/ACC were often discretionary, the
confusion arose that this was always the case.
Access controls (ACF/ACC) may be used to model what in the
TCSEC-paradigm was called Discretionary Access Control, but this is
not their sole use. They could also be used to implement Role-Based
Access Controls, as well as a variety of other controls. The key
characteristic is that the controls are based on the object containing
the information: they address the fundamental question of whether a
particular subject can access a particular object. Note that this is
independent of the actual implementation: it could be an access
control list on an object, but it could also be a permitted access
list on a subject, or some fixed rule set stored completely
independently of either subject or object.
Information flow controls (IFF/IFC) may be used to model what in the
TCSEC-paradigm was called Mandatory Access Control (more properly,
non-Discretionary Access Control, although even that is a misnomer),
but that is not their sole use. The key characteristic is that the
controls are based on a characteristic of the information, such as a
sensitivity label, the quality of the data, or the source of the data.
More importantly, the characteristic stays with the data as it moves
through the TSF, and serves to provide the basis for the controls.
Subjects need not be involved in this flow, as might happen in a
network device that serves to connect two ports.
In determining which policy to use in writing a security target or
profile, it is extremely important not to let the actual or planned
implementation affect the choice of policy. The type of policy should
be chosen based on the fundamental type of control: is it subject
access to an object, or is it based on characteristics of the
information.
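As an added illustration (not part of the posting, the CC text, or either party's work; all subject names, object names and labels are invented), the following toy model contrasts the two policy styles the STATEMENT and SUPPORT sections describe: an ACC/ACF decision looks only at subject, operation and object and never at the data, so a subject allowed to read may write what it read anywhere it is allowed to write, whereas an IFC/IFF decision is made on a label that travels with the information and needs no subject at all, as in the two-port device the support section mentions.

```python
"""Toy model of the ACC/ACF versus IFC/IFF distinction (illustration only)."""
from dataclasses import dataclass, field

# --- ACC/ACF style: rules over (subject, operation, object); the data is opaque ---
@dataclass
class Obj:
    name: str
    data: list = field(default_factory=list)

# Constructed rule set; it could equally be an ACL, a capability list or a fixed table.
ACL = {("alice", "read", "spec"), ("alice", "write", "report"), ("bob", "read", "report")}

def acc_permitted(subject, op, obj):
    """Access decision depends on subject, operation and object only, never on the data."""
    return (subject, op, obj.name) in ACL

def acc_write(subject, obj, data):
    """Once a write is permitted, any data at all may be written; nothing inspects it."""
    if not acc_permitted(subject, "write", obj):
        raise PermissionError(f"{subject} may not write {obj.name}")
    obj.data.append(data)
    return True

# --- IFC/IFF style: the decision is made on a characteristic carried by the information ---
@dataclass(frozen=True)
class Info:
    payload: str
    label: str  # the characteristic that stays with the data as it moves through the TSF

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}  # constructed lattice

def iff_permitted(info, dest_level):
    """Flow is allowed only if the destination's level dominates the information's label."""
    return LEVELS[info.label] <= LEVELS[dest_level]

def forward(info, ports):
    """A port-to-port device with no subject: deliver only to ports the label allows."""
    return [port for port, level in ports.items() if iff_permitted(info, level)]

def demo():
    """Same bytes under both policies; returns (report contents, ports that received them)."""
    spec = Obj("spec", ["design notes"])
    report = Obj("report")
    # ACC: alice may read spec and write report, so the notes end up in report unchecked.
    assert acc_permitted("alice", "read", spec)
    acc_write("alice", report, spec.data[0])
    # IFF: the label decides every hop, and no subject is involved in the decision.
    secret = Info("design notes", "secret")
    delivered = forward(secret, {"eth0": "unclassified", "eth1": "secret"})
    return report.data, delivered
```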