Commit f3054501 authored by Valerie Aurora

Updates from August 28 meeting

parent e9c90749
+43 −51
@@ -165,7 +165,11 @@ Virtual network interfaces are products with digital elements that directly or i

This category includes but is not limited to wired and wireless network interface cards, controllers and adapters, such as for Wi-Fi, Ethernet, IrDA, USB, Bluetooth, NearLink, Zigbee, or Fieldbus, and Infiniband. It also includes modems that are designed to connect directly to a system bus on the host and provide connection from the host to analog transmission media, as for example Power Line Communication devices.

It also includes purely virtual standalone products, such as virtual network interface cards, container network interfaces, VPN interfaces, and loopback interfaces.
This category includes purely virtual standalone products, such as virtual network interface cards, container network interfaces, VPN interfaces, and loopback interfaces.

This category includes products whose core function is a network interface and provides the feature of remote management interface for the network interface or the host system.

FIXME what to do about network interfaces with multiple adapters that have a non-default switch mode?

For the purposes of this standard, network interfaces will be split up into the following groups, due to their distinct threat models:

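Review bot: The new remote-management sentence is ungrammatical and its scope is ambiguous. In "products whose core function is a network interface and provides the feature of remote management interface", the verb "provides" does not agree with "products", and it is unclear whether remote management of "the host system" is itself in scope or only the interface that carries it. Suggest "products whose core function is a network interface and that also provide a remote management interface for the network interface or the host system", and state which of the groups listed below such products fall into, since remote management changes the threat model. The new FIXME about non-default switch mode is also written as body text; the other open questions in this document are block-quoted ("> FIXME ..."), which keeps them visibly apart from the standard's own text.
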
@@ -180,13 +184,10 @@ Products not in scope include:
* Products whose primary purpose is not that of a network interface
* Switches, routers, and standalone modems
* Cables connected to network interfaces
* Any device that supports authentication in its secure default configuration
* Software or hardware add-ons, changes, or upgrades not shipped by the manufacturer that substantially modify the product

This standard does not cover products in use in contexts other than those identified in Annex <L>.

> FIXME add remote management capabilities to in scope

# 2 References

## 2.1 Normative references
@@ -229,8 +230,6 @@ The following referenced documents may be useful in implementing an ETSI deliver

* <a name="_ref_i.4">[i.4]</a>    EN 18031-3 (2024): “Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value".

> FIXME add or delete informative references as work progresses

# 3 Definition of terms, symbols and abbreviations

## 3.1 Terms
@@ -274,8 +273,6 @@ For the purposes of the present document, the following abbreviations apply:
| VNI          | Virtual Network Interface                |


> FIXME add more abbreviations as necessary

# 4 Product context

## 4.1 General
@@ -325,19 +322,17 @@ A virtual network interface consists of a device driver only.

### 4.3.2 Types of network interface

A physical network interface connects via the local communications bus to the host. The host transmits and receives data to the network by means of the local bus interface provided by the network interface.
A physical network interface connects via the local communications bus to the host. The host transmits and receives data to the network by means of the local bus interface provided by the network interface. A physical network interface can typically directly read and write the host memory and raise interrupts. It sometimes has more advanced features that allow it to power cycle the entire system, download files using simple protocols, and act as a simple boot loader.

![~~Physical network device architecture~~](media/physical_network_interface.drawio.png)

> FIXME mermaid chart temporarily removed to generate Word doc

> FIXME change Host OS to be more generic

A wired network interface transmits data via a wired medium such as Ethernet cable, fiber optic cable, coaxial cable or power lines. A wireless network interface uses radiofrequency transmissions to transmit data over the air. A virtual network interface transmits data only within the memory of a host system.

Wireless network interfaces often have an independent real-time operating system on the network interface itself. Wireless medium access often requires real-time response to manage the radio frequency transmissions properly. The network interface must also prevent improper settings of radio frequency transmission parameters, which is often implemented by having the internal firmware set the parameters, rather than exposing them to the host. The complexity of this firmware may increase the risk of a wireless interface.

A virtual interface emulates the device driver interface of a network interface to the host operating system. Instead of a physical network interface, it may send and receive packets to a hypervisor, a container, another device driver, another part of the network stack, an application, or other software.
A virtual interface emulates the device driver interface of a network interface to a host's device driver API. Instead of a physical network interface, it may send and receive packets to a hypervisor, a container, another device driver, another part of the network stack, an application, or other software.

> FIXME add hypervisor or other software to diagram

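Review bot: The sentences added to the physical-interface paragraph in 4.3.2 name the capabilities that matter most for the threat model (direct read and write of host memory, raising interrupts, power cycling the system, downloading files, acting as a boot loader) but only as description; nothing in this hunk ties them to a risk factor. Suggest a cross-reference to the complexity factor, where COM-L-3 now names PXE boot and remote management. In the virtual-interface paragraph, "emulates the device driver interface of a network interface to a host's device driver API" is hard to parse; "presents itself to the host's device driver API as a network interface" would say the same thing. The image alt text is still struck through ("~~Physical network device architecture~~"), and the remaining "FIXME change Host OS to be more generic" should say whether it now applies only to the diagram.
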
@@ -345,9 +340,7 @@ A virtual interface emulates the device driver interface of a network interface

### 4.3.3 Device drivers for network interfaces

The device driver communicates with the host software or firmware by means of a network device driver interface. This interface abstracts the implementation details of the underlying network interface. Such network device driver interface is typically defined by the host operating system or by the network interface manufacturer and is used by the host network stack to send or receive data through the network interface.

> FIXME phsyical dveice can access host memory
The device driver communicates with the host software or firmware by means of a network device driver API. This API abstracts the implementation details of the underlying network interface. Such network device driver API is typically defined by the host operating system or other software and is used by the host network stack to send or receive data through the network interface.

Physical interfaces require device drivers to make use of the physical hardware through the local communication bus. Virtual interfaces are effectively device drivers only, since they are made of software only without underlying hardware.

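Review bot: "defined by the host operating system or other software" in the rewritten first paragraph of 4.3.3 replaces the more specific "or by the network interface manufacturer" with an open-ended phrase. If the manufacturer-defined case is still intended, keep it; otherwise say what kind of software is meant. "Such network device driver API" also needs an article ("Such a network device driver API").
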
@@ -359,8 +352,6 @@ This list of use cases describes several system scenarios for network interfaces

### 4.4.1 Wired network interface use cases

> FIXME do wired IoT, etc. versions of wireless

* UC-WD-1 Wired professional device in isolated internal infrastructure
  * E.g. Data center for internal job processing, smart meter in an isolated private network
  * Behind a firewall/gateway, no direct route to internet
@@ -390,7 +381,7 @@ This list of use cases describes several system scenarios for network interfaces
  * Professional administration by enterprise IT

* UC-WD-5 Wired stationary home device
  * E.g. stationary personal computer, IoT hub
  * E.g. stationary personal computer, IoT hub, thermostat, TV
  * Behind home gateway firewall
  * Host access limited to people within the home
  * Simple, low-feature network interface implementation
@@ -427,37 +418,37 @@ This list of use cases describes several system scenarios for network interfaces
### 4.4.2 Wireless network interface use cases

* UC-WL-1 Wireless mobile enterprise worker device
  * Company laptop, phone, tablet
  * E.g. company laptop, phone, tablet
  * Exposed to entire internet via any access point
  * Users are company employees
  * Interface implements radio control and encryption
  * Professional administration by enterprise IT

* UC-WL-2 Wireless stationary home device
  * IoT lightbulb, smart oven, stationary personal computer
  * E.g. IoT lightbulb, smart oven, stationary personal computer
  * Behind home gateway firewall, network accessible by physically nearby attackers
  * Host access limited to people within the home
  * Interface implements radio control and encryption
  * May be administered by anyone in the home

* UC-WL-3 Wireless stationary device for public use
  * Public library computer, vending machine
  * E.g. public library computer, vending machine
  * Behind some firewall, network accessible by physically nearby attackers
  * Can be used by literally anybody
  * Interface implements radio control and encryption
  * Professional administration but probably underfunded

### 4.4.3 Virtual network interface use cases

* UC-WL-4 Wireless mobile personal device
  * Laptop, phone, tablet
  * E.g. laptop, phone, tablet, watch
  * Exposed to entire internet, physically nearby attackers
  * Users limited to owner and a few people they trust
  * Interface implements radio control and encryption
  * May be administered by anyone in the home
  * Amateur administration

### 4.4.3 Virtual network interface use cases

* UC-VI-1 Virtual interface for internal use on private device
  * Loopback, containers, tunnel to local application
  * E.g. loopback, containers, tunnel to local application
  * Packets only from other applications/users on host
  * Users are administrators and approved applications in containers
  * Very simple device driver
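
Review bot: The administration bullets are only partly aligned with the ADM risk factor. UC-WL-4 now reads "Amateur administration", but UC-WL-2 still says "May be administered by anyone in the home" and UC-WL-3 says "Professional administration but probably underfunded", neither of which maps cleanly onto ADM-L-0 or ADM-L-1. Suggest using the ADM wording in every use case and moving qualifiers such as "underfunded" into a separate bullet. Placing the 4.4.3 heading below UC-WL-4 is correct, since UC-WL-4 is a wireless use case.
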
@@ -490,35 +481,31 @@ This list of use cases describes several system scenarios for network interfaces

The risk factors identified by the risk assessment in Annex C are grouped into risk categories and assigned unique identifiers below.

* Number of unprivileged users with network access on the host system
**[USR]** Number of agents with unprivileged access to the network interface on the host system

  * **[USR-L-0]** Effectively no users
  * **[USR-L-1]** Only trusted users with a formal approval system
  * **[USR-L-2]** Trusted users within the home
  * **[USR-L-3]** Untrusted users
This measures how many agents on the host can access the network interface from the host using the normal unprivileged system interfaces such as TCP or UDP sockets. It assumes that raw sockets or access to the configuration functions of the network interface are only available to privileged users.

> FIXME raw sockets vs not
  * **[USR-L-0]** Effectively no agents
  * **[USR-L-1]** Only trusted agents with a formal approval system
  * **[USR-L-2]** Trusted agents within the home
  * **[USR-L-3]** Untrusted agents

> FIXME users -> entities or something
**[ACC]** Degree of access to attached network by untrusted entities

> FIXME make it clearer this is access from inside the system

* Degree of access to attached network by untrusted users
This measures how easy it is for untrusted entities to send packets that the network interface will receive from outside the host, such as a user or program on another host attached to the same network.

  * **[ACC-L-0]** Untrusted users have no or highly filtered access to attached network
  * **[ACC-L-1]** Untrusted users have somewhat filtered access to attached network
  * **[ACC-L-2]** Untrusted users have unfiltered access to attached network

> FIXME make it clearer this is access from outside the system

* Complexity of network interface implementation
**[COM]** Complexity of network interface implementation

  * **[COM-L-0]** Minimal features to send/recv packets
  * **[COM-L-1]** Some simple performance features
  * **[COM-L-2]** Encryption features on device
  * **[COM-L-3]** Entire RTOS doing radio management or similar
  * **[COM-L-3]** Entire RTOS managing radio, PXE boot, remote management, or similar

* Skill level of administration
**[ADM]** Skill level of administration

  * **[ADM-L-0]** Professional administration
  * **[ADM-L-1]** Amateur administration
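
Review bot: The rename away from "users" is incomplete and leaves three terms for the same concept in one clause. The USR factor uses "agents", the ACC title and description use "untrusted entities", and the levels ACC-L-0 to ACC-L-2 still say "Untrusted users"; the USR description also ends with "privileged users". Pick one term, define it in 3.1, and apply it to the level descriptions as well; "Trusted agents within the home" in USR-L-2 shows the mechanical rename reading oddly. Separately, COM-L-3 now groups an RTOS managing the radio with PXE boot and remote management. Those are different kinds of function, so consider whether they belong at the same level or whether remote management deserves its own.
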
@@ -598,7 +585,7 @@ Optional:

### 4.7.3 Virtual interface essential functions

* Bridge between host OS device driver interface and other software
* Bridge between host device driver interface and other software

Other functionality is generally implemented outside of the device driver.

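Review bot: "host device driver interface" in the 4.7.3 bullet conflicts with the rename in 4.3.3, where the same thing is now called the "network device driver API". Use one term throughout, including in 4.3.2, which still says "device driver interface".
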
@@ -608,7 +595,7 @@ The technical requirements of the present document apply under the environmental

The manufacturer shall document and communicate the expected environmental profile for the product to the consumer.

The network device will operate in the context of a host system and operating system. If the device driver is not included with the product, it will be provided by the operating system or other part of the system. See Section 4.10 for more details.
The network interface will operate in the context of a host system and operating system or other software. If the device driver is not included with the product, it will be provided by the operating system or other part of the system. See Section 4.10 for more details.

## 4.9 Users

@@ -634,7 +621,7 @@ For example, most individual hardware components do not have a built-in method o

### 4.10.2 Security functions provided outside the product

The following security functionalities are handled by the operating system or other external security function:
The following security functionalities are frequently handled by the operating system or other external component:

* Secure by default configuration
* Secure configuration changes
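
Review bot: Changing "are handled" to "are frequently handled" in 4.10.2 turns the list from an assumption the requirements can rely on into a description. A reader can no longer tell who is responsible for secure default configuration or secure configuration changes when the host does not provide them. Suggest stating what applies in that case, for example that the manufacturer documents which of the listed functions the product expects from the host.
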
@@ -693,6 +680,12 @@ https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/IT-Sicherheitsk

https://portal.etsi.org/webapp/workprogram/Report_WorkItem.asp?WKI_ID=69549

### Technical requirements

* Disable all interfaces that intercept incoming packets above data link layer and do not pass them to the to the host
* Check that outgoing packets only contain the data requested to be copied from host
* Don't auto-connect to an network that is not really the same network

# Annex A (informative): Mapping between the present document and CRA requirements

> Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements.
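
Review bot: The three bullets under the new "Technical requirements" heading are not yet testable requirements and contain typos: "do not pass them to the to the host" (doubled words), "an network", and "not really the same network", which gives no criterion for deciding that two networks are the same. Suggest rewriting each in the "shall" form used elsewhere in the document, stating what the interface compares before auto-connecting, and marking the list as "> FIXME" notes until then. The first bullet also needs its scope stated, since as written it would appear to cover the remote management and boot features this commit adds to clause 1 and COM-L-3.
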
@@ -728,13 +721,18 @@ https://portal.etsi.org/webapp/workprogram/Report_WorkItem.asp?WKI_ID=69549

> What data is stored on the product?

#### C.1.1.1 Physical network interfaces

* Firmware
* All network packets going in and out (packets from host/self-generated protocol packets)
* Device configuration (transmit power/channel configuration/options)
* Statistics
* Security keys (firmware encryption/decryption, MAC level encryption/decryption)

> FIXME add assets for device driver and virtual interface
#### C.1.1.2 Virtual network interfaces or device drivers

* Device driver code
* Interface configuration that is not stored by the host

### C.1.2 Product functions

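Review bot: The asset list added as C.1.1.2 for virtual network interfaces and device drivers has only two entries and omits assets that the physical list in C.1.1.1 names and that apply equally here: network packets passing through the interface, statistics, and security keys. Clause 1 puts VPN interfaces in the virtual category, and those hold keys. Suggest mirroring the physical list and removing only the entries that do not apply.
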
@@ -829,12 +827,6 @@ For wireless - operating environment of standard applies

> FIXME random notes below, should be rewritten or deleted when no longer necessary

For each network interface placed on the market, the manufacturer shall develop a threat model and risk profile of the foreseeable use of the operating system, and shall consider the interplay between:

* Complexity of foreseeable use
* Likelihood of an incident, given the foreseeable use
* Impact of an incident, given the foreseeable use

Attack vectors that are the responsibility of the network interface:

* Arbitrary packets from outside the system