For the past couple of years the Protection Profile for Voice Over IP Applications (VOIP_PP) has been available for vendors who want to get a VoIP client Common Criteria certified. In March of 2017 this PP will reach its sunset date. Its place will be taken by the newly developed Extended Package for Voice and Video over IP (VOIP_EP). This EP, which was released in September of this year, will extend either the Application Protection Profile (APP_PP) or the collaborative Network Device Protection Profile (NDcPP).
One of the most significant differences between the old VOIP_PP and the new VOIP_EP is the types of TOEs it is meant to cover. The VOIP_PP was meant for software applications running on a host platform, typically one certified against an Operating System or Mobile Device PP. VOIP_PP TOEs were required to use SDES-SRTP for protected voice communications and SIP over TLS for call control. By extending either the APP_PP or the NDcPP the VOIP_EP can be used for both software applications or dedicated network appliances. The VOIP_EP is now also clearly meant to cover TOEs that offer video capabilities, while the old VOIP_PP only covered voice data.
One unusual limitation that was noted in the “Use Cases” section of the EP was that a Software Application TOE should be running on a general purpose computer with an operating system that is conformant to the General Purpose Operating System Protection Profile. This statement would appear to exclude mobile applications that run on Mobile Device PP certified platforms. While we believe this was an oversight in the VOIP_EP, vendors who are planning on certifying mobile applications should confirm with NIAP that that a Mobile Device PP certified platform is acceptable.
The most notable difference in requirements between the VOIP_PP and the VOIP_EP is the addition of audit requirements to the EP. Any VOIP_EP TOE that extends the NDcPP would have to meet NDcPP audit requirements, but VVOIP audit requirements have also been added in that apply to both NDcPP and APP_PP based TOEs. This is important to remember since most CC evaluations of mobile applications do not include any SFRs that cover audit. Since the EP only contains FAU_GEN.1 this also means that APP_PP based TOEs will have a requirement to generate audit records but without the usual corresponding requirements for audit data protection or storage. There is an optional Audit Event Storage SFR for TOEs that claim APP_PP conformance. Interestingly the language in that optional SFR says that it shall be included for APP_PP evaluations, which makes it sound like a selection-based SFR rather than an optional one. This is something that should be clarified by NIAP before a TOE enters evaluation under this EP.
Another significant change in the VOIP_EP is the addition of a requirement that the TOE use a constant bit rate voice vocoder. This is meant to avoid potential vulnerabilities than can result when you encrypt the output of a variable rate vocoder. There is also a new requirement that the TOE close all ports that are not in active use.
A new option that has been made available to developers in the VOIP_EP is the option to use H.323 rather than SIP for communication with an Enterprise Session Controller. H.323/H.235 is now also an acceptable alternative to SRTP for protecting communications with another VVOIP endpoint. This was presumably included because of the EP’s coverage of both voice and video clients.
The release of the VOIP_EP is another step in NIAP’s attempt to move to more modular Protection Profiles. By extending two very common PPs it should make Common Criteria certification possible for a wide variety of voice and video over IP products. Everything from a standalone phone to a desktop software application can now be evaluated, giving vendors and clients more options for CC-compliant voice and video clients.