Commit 20622420 authored by Marvin Petzolt, committed by Aki Braun

Resolves [HAS 97] 5.2.19 This section is a bit lacking in terms of breadth of measures.

parent acf47fa1
@@ -1009,9 +1009,9 @@ The product shall protect the availability of essential functions.

#### 5.2.19.2 MI-FDRP: Fast packet drop

The product shall check network traffic from untrusted sources for validity and discard it efficiently, using reasonable efforts to minimise use of system resources on invalid packets.
The product shall check network traffic from untrusted sources for validity and discard it efficiently, using reasonable efforts to minimize use of system resources on invalid packets.

> NOTE: One method of minimising resource use on invalid packets is to do the least resource-intensive validity checks first, and to do validity checks before using system resources based on possibly invalid data. For example, verifying that the length of a packet is valid should be done before verifying that the source address is valid, and both should be done before allocating memory necessary to process a packet of that length.
> NOTE: One method of minimizing resource use on invalid packets is to do the least resource-intensive validity checks first, and to do validity checks before using system resources based on possibly invalid data. For example, verifying that the length of a packet is valid should be done before verifying that the source address is valid, and both should be done before allocating memory necessary to process a packet of that length.

* Reference: TR-AVAI
* Objective: Maintain service availability during denial-of-service attacks
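Review bot: the only change in the requirement line and in the NOTE is the spelling switch from "minimise" to "minimize"; since the page-level convention is now US English, please check that the remaining unchanged lines of 5.2.19 (and the other sections of the document) use the same variant, otherwise the section ends up mixed. The NOTE's ordering advice is sound as written: validate the length field, then the source address, and only then allocate memory sized from the packet, so no functional concern here.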
@@ -1027,7 +1027,7 @@ The product shall limit and fairly allocate memory usage triggered by untrusted
> NOTE: The product should range-check untrusted input fields that trigger memory allocations and rate-limit or drop input that would allocate enough memory to impair the functions of any part of the system.

* Reference: TR-AVAI
* Objective: Maintain service availability during denial of service attacks
* Objective: Maintain service availability during denial-of-service attacks
* Preparation: Identify input fields from untrusted input that are used to calculate the size of memory allocations, and create a set of inputs that, if processed as fast as possible, would significantly degrade the function of the product due to overallocation of memory
* Activities: For each set of inputs, send them to the product, while simultaneously measuring the availability of the product functions and the functions of the underlying platform
* Verdict: For each set of inputs, the product functions and the platform functions remain acceptably available => PASS, otherwise FAIL
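Review bot: the hyphenation of "denial-of-service" in the Objective now matches 5.2.19.2, fine as a style fix. While touching this measure, the Verdict's pass criterion "remain acceptably available" is undefined; consider having the Preparation step record the availability threshold (for example a maximum latency or minimum throughput taken from the product's intended-purpose documentation) so that PASS/FAIL is reproducible across testers.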
@@ -1039,7 +1039,7 @@ The product and supporting remote data processing services shall implement mecha

* Applicability: VPN products with multiple users sharing infrastructure
* Reference: TR-AVAI
* Objective: Maintain service availability during denial of service attacks
* Objective: Maintain service availability during denial-of-service attacks
* Preparation: Prepare several different sources of VPN traffic with varying amounts of resource usage
* Activities: While multiple sources of VPN traffic are using the VPN connection, measure the bandwidth and latency on each source of traffic
* Verdict: Each source of traffic makes steady progress without unreasonable stalls => PASS, otherwise FAIL
@@ -1047,15 +1047,42 @@ The product and supporting remote data processing services shall implement mecha

#### 5.2.19.5 MI-DOST: Document risk transfer to operational environment for denial of service

The product shall be accompanied by documentation informing the user that denial of service protection must be provided by the environment, in a form appropriate for a typical user for the intended purpose and reasonably foreseeable use and misuse of the product.
The product shall be accompanied by documentation informing the user that denial-of-service protection must be provided by the environment, in a form appropriate for a typical user for the intended purpose and reasonably foreseeable use and misuse of the product.

* Reference: TR-AVAI
* Objective: Maintain service availability during denial of service attacks
* Objective: Maintain service availability during denial-of-service attacks
* Preparation: None
* Activities: Examine documentation
* Verdict: Documentation exists and is appropriate to the typical user => PASS, otherwise FAIL
* Evidence: Documentation, analysis of documentation, documentation of intended purpose

#### 5.2.19.6 MI-DOST: Rate limit unauthenticated traffic 

The product shall rate limit traffic from unauthenticated endpoints to nodes. 

* Reference: TR-AVAI
* Objective: Maintain service availability during denial-of-service attacks
* Preparation: None
* Activities: Start capturing on all interfaces, repeatedly flood the node with unauthenticated traffic, observe any traffic rejections or package dropping
* Verdict: Rate limiting can be observed => PASS, otherwise FAIL
* Evidence: Network package capture, log messages

#### 5.2.19.7 MI-DOST: Automatic traffic handling during denial-of-service attack

Unless the product relies on a single node or dedicated IP address, the product shall support multiple nodes which act as possible alternative fallbacks if a node becomes reachable. 

> NOTE 1: A product may relay on a single node or dedicated IP address if the production function requires such setup. Such instances could be a dedicated IP address assigned to one VPN server, a dedicated IP address assigned to a cluster of VPN servers, or a mesh node which usually doesn't have a fallback.

> NOTE 2: Instances of such attack where a whole IP address becomes unavailable are Border Gateway Protocol (BGP) hijacking, (distributed) denial-of-service attacks making an IP address or a node unavailable, or IP address blocking by a network adversary. 

* Applicability: Not for mesh nodes
* Reference: TR-AVAI
* Objective: Maintain service availability during denial-of-service attacks
* Preparation: None
* Activities: Capture traffic on all interfaces, start the VPN connection, shutdown or disable traffic to the currently connected VPN server, observe automatic reconnection or traffic rerouting to the next available VPN server
* Verdict: If connection automatically restored => PASS, otherwise FAIL
* Evidence: Network package capture, log messages

### 5.2.20 TR-CDST: Confidentiality of data stored on the product

#### 5.2.20.1 Requirement
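Review bot: the requirement in 5.2.19.7 inverts its own intent: "alternative fallbacks if a node becomes reachable" should read "becomes unreachable", otherwise the fallback is never required in exactly the failure scenarios NOTE 2 lists (BGP hijacking, DDoS, address blocking). Also, both new measures 5.2.19.6 and 5.2.19.7 reuse the identifier MI-DOST that 5.2.19.5 already carries; each measure needs its own short ID so that cross-references stay unambiguous. Wording nits in the same hunk: NOTE 1 "A product may relay on" should be "rely on" and "production function" reads as "product function"; "Network package capture" and "package dropping" should be "packet". In 5.2.19.6, "Preparation: None" conflicts with Activities that need a traffic generator and a capture setup, and the Verdict "Rate limiting can be observed" gives no criterion for what counts (for instance the rate at which rejections or drops must begin); state the expected limit in the Preparation. In 5.2.19.7, "Applicability: Not for mesh nodes" duplicates the mesh exception already made in NOTE 1, so one of the two is enough. There is trailing whitespace on the 5.2.19.6 heading and on the requirement lines of both new measures.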