Commit 9cb33f95 authored by Marvin Petzolt, committed by Aki Braun

HAS 96: clarifies packet filtering responsibilities

parent 76e72c15
+4 −4
@@ -1005,14 +1005,14 @@ The product shall protect the availability of essential functions.

#### 5.2.19.2 MI-FDRP: Fast packet drop

The product shall check network traffic from untrusted sources for validity and discard it efficiently, using reasonable efforts to minimize use of system resources on invalid packets.
The product shall check network traffic from untrusted sources for validity and discard it efficiently, using reasonable efforts to minimise use of system resources on invalid packets.

> [!note]
> One method of minimizing resource use on invalid packets is to do the least resource-intensive validity checks first, and to do validity checks before using system resources based on possibly invalid data. For example, verifying that the length of a packet is valid should be done before verifying that the source address is valid, and both should be done before allocating memory necessary to process a packet of that length.
> One method of minimising resource use on invalid packets is to do the least resource-intensive validity checks first, and to do validity checks before using system resources based on possibly invalid data. For example, verifying that the length of a packet is valid should be done before verifying that the source address is valid, and both should be done before allocating memory necessary to process a packet of that length.

* Reference: TR-AVAI
* Objective: Maintain service availability during denial of service attacks
* Preparation: Create a selection of invalid packets and enable some type of instrumentation or logging in the packet validity checking code
* Objective: Maintain service availability during denial-of-service attacks
* Preparation: Using packet generation software to bypass operating system level interference, create a selection of invalid packets and enable some type of instrumentation or logging in the packet validity checking code
* Activities: For each invalid packet, send the packet to the product and record the checks it makes and its use of system resources before it drops the packet
* Verdict: For each invalid packet, if the packet used resources that were not reasonably required to reject the packet, or the packet was not rejected => FAIL, otherwise PASS
* Evidence: Invalid packets and their descriptions, logs of processing, annotations explaining why the order of operations is the most efficient reasonable way to process the packet.
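
Review bot: In the new Preparation line, "to bypass operating system level interference" does not say whose operating system is meant or what interference is being avoided, so a tester cannot tell whether the condition applies to the sending test host or to the product. If the intent is that the sender's network stack must not correct or refuse to emit the malformed packets, state that directly, for example "Using packet generation software that bypasses the test host's network stack, create a selection of invalid packets ...". The Activities line could then also require confirming that each invalid packet reached the product unmodified, since otherwise a packet that never arrived could be recorded as rejected under the Verdict line. Minor points: "operating system level" should be hyphenated to match the "denial-of-service" correction in the same hunk, and the commit title refers to packet filtering responsibilities while most of the visible changes are spelling, so the message could name the Preparation change explicitly.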