SERTIT, Postboks 814, 1306 Sandvika, NORWAY
Phone: +47 67 86 40 00 Fax: +47 67 86 40 09 E-mail: post@sertit.no Internet: www.sertit.no
Sertifiseringsmyndigheten for IT-sikkerhet Norwegian Certification Authority for IT Security
SERTIT-087 CR Certification Report
Issue 1.0 07 April 2017
Huawei NE40E&CX600&ME60&NE20E Router V800R008C10SPC945T
CERTIFICATION REPORT - SERTIT STANDARD REPORT TEMPLATE SD 009 VERSION 2.1 11.11.2011
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 2 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
ARRANGEMENT ON THE RECOGNITION OF COMMON CRITERIA CERTIFICATES IN
THE FIELD OF INFORMATION TECHNOLOGY SECURITY
SERTIT, the Norwegian Certification Authority for IT Sec urity, is a member of the
above Arrangement and as such this confirms that the Common Criteria
certificate has been issued by or under the authority of a Party to this
Arrangement and is the Party’s claim that the certificate has been issued in
accordance with the terms of this Arrangement
The judgements contained in the certificate and Certification Report are those of
SERTIT which issued it and the Norwegian evaluation facility (EVIT) which carried
out the evaluation. There is no implication of acceptance by other Members of
the Agreement Group of liability in respect of those judgements or for loss
sustained as a result of reliance placed upon those judgements by a third party.
The Common Criteria Recognition Arrangement logo printed on the certificate
indicates that this certification is recognized under the terms of the CCRA July
2nd 2014.
The recognition under CCRA is limited to cPP related assurance packages or EAL 2
and ALC_FLR CC part 3 components.
MUTUAL RECOGNITION AGREEMENT OF INFORMATION TECHNOLOGY SECURITY
EVALUATION CERTIFICATES (SOGIS MRA)
SERTIT, the Norwegian Certification Authority for IT Security, is a member of the
above Agreement and as such this confirms that the Common Criteria certificate
has been issued by or under the authority of a Party to this Agreement and is the
Party’s claim that the certificate has been issued in accordance with the terms of
this Agreement
The judgements contained in the certificate and Certification Report are those of
SERTIT which issued it and the Norwegian evaluation facility (EVIT) which carried
out the evaluation. There is no implication of acceptance by other Members of
the Agreement Group of liability in respect of those judgements or for loss
sustained as a result of reliance placed upon those j udgements by a third party.
Mutual recognition under SOGIS MRA applies to components up to EAL 4.
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 3 of 42
Contents
1 Certification Statement 5
2 Abbreviations 6
3 References 8
4 Executive Summary 9
4.1 Introduction 9
4.2 Evaluated Product 9
4.3 TOE scope 10
4.4 Protection Profile Conformance 10
4.5 Assurance Level 10
4.6 Security Policy 10
4.7 Security Claims 10
4.8 Threats Countered 10
4.9 Threats Countered by the TOE’s environment 11
4.10 Threats and Attacks not Countered 11
4.11 Environmental Assumptions and Dependencies 11
4.12 IT Security Objectives 12
4.13 Non-IT Security Objectives 12
4.14 Security Functional Requirements 13
4.15 Security Function Policy 14
4.16 Evaluation Conduct 15
4.17 General Points 15
5 Evaluation Findings 16
5.1 Introduction 17
5.2 Delivery 17
5.3 Installation and Guidance Documentation 17
5.4 Misuse 17
5.5 Vulnerability Analysis 17
5.6 Developer’s Tests 18
5.7 Evaluators’ Tests 18
6 Evaluation Outcome 19
6.1 Certification Result 19
6.2 Recommendations 19
Annex A: Evaluated Configuration 20
TOE Identification 20
Hardware 20
Software 41
TOE Documentation 41
TOE Configuration 42
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 4 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
Environmental Configuration 42
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 6 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
2 Abbreviations
AES Advanced Encryption Standard
CC Common Criteria for Information Technology Security Evaluation
(ISO/IEC 15408)
CCRA Arrangement on the Recognition of Common Criteria Certificates in
the Field of Information Technology Security
CEM Common Methodology for Information Technology Security
Evaluation
CF Compact Flash
CLC Cluster Line-card Chassis
CLI Command Line Interface
DSA Digital Signature Algorithm
EAL Evaluation Assurance Level
EOR Evaluation Observation Report
ETH Ethernet
ETR Evaluation Technical Report
EVIT Evaluation Facility under the Norwegian Certification Scheme for IT
Security
EWP Evaluation Work Plan
GUI Graphical User Interface
IS-IS Intermediate System to Intermediate System
LMT Local Maintenance Terminal
LPU Line Process Unit
MD5 Message-Digest Algorithm 5
MPU Main Process Unit
NE NetEngine
NMS Network Management Sub-system
OFC Optical Flexible Card
POC Point of Contact
QP Qualified Participant
RMT Remote Maintenance Terminal
RSA Rivest Shamir Adleman
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 7 of 42
SERTIT Norwegian Certification Authority for IT Security
SFE Switch Fabric Extend unit
SFR Security Functional Requirement
SFU Switching Fabric Unit
SPM Security Policy Model
SPU Service Process Unit
ST Security Target
TOE Target of Evaluation
TSF TOE Security Functions
TSP TOE Security Policy
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 8 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
3 References
[1] Huawei NE40E&CX600&ME60&NE20E Router V800R008 - Security Target,
version 1.51, 22 November 2016
[2] Common Criteria Part 1, CCMB-2012-09-001, Version 3.1 R4, September
2012.
[3] Common Criteria Part 2, CCMB-2012-09-002, Version 3.1 R4, September
2012.
[4] Common Criteria Part 3, CCMB-2012-09-003, Version 3.1 R4, September
2012.
[5] The Norwegian Certification Scheme, SD001E, Version 9.0, 2 April 2013.
[6] Common Methodology for Information Technology Security Evalua tion,
Evaluation Methodology, CCMB-2012-09-004, Version 3.1 R4, September
2012.
[7] Common Criteria Security Evaluation – Certified Configuration v1.5,
2016-11-22.
[8] Evaluation Technical Report Common Criteria EAL2+ Evaluation of
Huawei NE40E&CX600&ME60&NE20E Router V800R008, V1.0, 2017-01-
03.
[9] NE40E V800R008 C10 Product Manual, V01, 2016-09-30
[10] CX600 V800R008C10 Product Manual, V01, 2016-09-30
[11] NE20E-S V800R008C10 Product Manual, V01, 2016-09-30
[12] ME60 V800R008C10 Product Manual, V01, 2016-09-30
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 9 of 42
4 Executive Summary
4.1 Introduction
This Certification Report states the outcome of the Common Criteria security
evaluation of Huawei NE40E&CX600&ME60&NE20E Router version
V800R008C10SPC945T to the Sponsor, Huawei Technology Co. Ltd., and is intended
to assist prospective consumers when judging the suitability of the IT security of
the product for their particular requirements.
Prospective consumers are advised to read this report in conjunction with the
Security Target[1] which specifies the functional, environmental and assurance
evaluation requirements.
4.2 Evaluated Product
The version of the product evaluated was Huawei NE40E&CX600&ME60&NE20E
Router and version V800R008C10SPC945T.
These products are also described in this report as the Target of Evaluation ( TOE).
The developer was Huawei Technologies.
Huawei NE40E&CX600&ME60&NE20E Router V800R008, the TOE, which has large
capacity and high performance, is developed to meet the requirement of carrier -
class reliability.
The Huawei NetEngine40E Universal Service Router (NE40E) is a high -end network
product developed by Huawei. It is deployed at the edge of IP backbone networks,
IP metropolitan area networks (MANs), and other large -scale IP networks.
The Huawei CX600 Metro Services Platform (hereinafter referred to as the CX600)
is a high-end device with 100 Gbit/s interfaces designed for core and backbone
networks. The CX600 is positioned as the edge or convergence router on the IP
backbone network.
The NE20E-S4&NE20E-S8/16(hereinafter referred to as the NE20E-S4&NE20E-
S8/16) are a high-end network product used to access, converge, and transmit
carrier-class Ethernet services on Fixed-Mobile Convergence (FMC) Metropolitan
Area Networks (MANs).
The Huawei ME60 is high-end network products used to access, aggregate, and
transmit carrier-class Ethernet services on Fixed-Mobile Convergence (FMC)
Metropolitan Area Networks (MANs). ME60 Multiservice Control Gateway
(hereinafter referred to as the ME60), as an MSCG developed to meet th e
requirement for transformation, ensures security, reliability, and QoS for various
telecommunication services.
At the core of each chassis is the Versatile Routing Platform (VRP), the software
for managing and running the router’s networking functionali ty. VRP provides
extensive security features. These features include assigning different privileges to
administration users with different privilege levels; enforcing authentications
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 10 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
prior to establishment of administrative sessions with the TOE; auditing of
security-relevant management activities; as well as the correct enforcement of
routing decisions to ensure that network traffic gets forwarded to the correct
interfaces. Details of the evaluated configuration, including the TOE’s supporting
guidance documentation, are given in Annex A.
An overview of the TOE’s security architecture can be found in Annex B.
4.3 TOE scope
The TOE scope is described in the ST Huawei NE40E&CX600&ME60&NE20E Router
V800R008 - Security Target, version 1.51, 22 November 2016, chapter 1.4.2 and
1.4.3.
4.4 Protection Profile Conformance
The Security Target[1] did not claim conformance to any protection profile.
4.5 Assurance Level
The Security Target[1] specified the assurance requirements for the evaluation.
The assurance incorporated predefined evaluation assurance level EAL 2,
augmented by ALC_FLR.2. Common Criteria Part 3[4] describes the scale of
assurance given by predefined assurance levels EAL1 to EAL7. An overview of CC is
given in CC Part 1[2].
4.6 Security Policy
There are no Organizational Security Policies or rules with which the TOE must
comply.
4.7 Security Claims
The Security Target[1] fully specifies the TOE’s security objectives, the threats
which these objectives counter and security functional requirements and security
functions to elaborate the objectives. All of the SFR’s are taken from CC Part 2[3];
use of this standard facilitates comparison with other evaluated products.
4.8 Threats Countered
T.UnwantedNetworkTraffic
Unwanted network traffic sent to the TOE will not only consume the TOE’s
processing capacity for incoming network traffic thus fails to process traffic
expected to be processed, but an internal traffic jam might happen when
those traffic are sent to MPU from LPU within the TOE. This may cause
denial of service of TOE.
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 11 of 42
This may further cause the TOE fails to respond to system control and
security management operations.
Routing information exchanged between the TOE and peer routes may also
be affected due to the traffic overload.
T.UnwantedNetworkTraffic
A user who is not a user of the TOE gains access to the TOE.
T.UnauthorizedAccess
A user of the TOE authorized to perform certain actions and access certain
information gains access to commands or information he is not authorized
for. This threat also includes data leakage to non-intended person or device
T.Eavesdrop
An eavesdropper (remote attacker) in the management network served by
the TOE is able to intercept, and potentially modify or re-use information
assets that are exchanged between TOE and LMT/RMT.
4.9 Threats Countered by the TOE’s environment
There are no threats countered by the TOE’s environment.
4.10 Threats and Attacks not Countered
No threats or attacks that are not countered are described.
4.11 Environmental Assumptions and Dependencies
It is assumed that the TOE (including any console attached, access of CF card) is
protected against unauthorized physical access.
The environment is supposed to provide supporting mechanism to the TOE:
A Radius server or TACACS+ server for external authentication/authorization
decisions;
NMS, logging server and SNMP trapserver used for administration of the
TOE
In addition, it is assumed the Radius server, and TACACS+ server, and the NMS are
all trusted and will not be used to attack the TOE.
Peer router(s) for the exchange of dynamic routing information;
A remote entities (PCs) used for administration of the TOE.
It is assumed that the ETH interface on MPU in the TOE will be accessed only
through sub-network where the TOE hosts. The sub-network is separate from the
application (or, public) networks where the interfaces on LPU in the TOE are
accessible.
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 12 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
The authorized users will be competent, and not careless or wilfully negligent or
hostile, and will follow and abide by the instructions provided by the TOE
documentation.
4.12 IT Security Objectives
The following objectives must be met by the TOE:
O. DeviceAvail
The TOE shall ensure its own availability.
O.UserAvail
The TOE shall ensure authorized users can access network resources through
the TOE.
O. DataFilter
The TOE shall ensure that only allowed traffic goes through the TOE.
O.Communication
The TOE must implement logical protection measures for network
communication between the TOE and LMT/RMT from the operational
environment.
O.Authorization
The TOE shall implement different authorization levels that can be assigned
to administrators in order to restrict the functionality that is available to
individual administrators.
O.Authentication
The TOE must authenticate users of its user access.
O.Audit
The TOE shall provide functionality to generate audit records for security-
relevant administrator actions.
4.13 Non-IT Security Objectives
OE.NetworkElements:
The operational environment shall provide securely and correctly working
network devices as resources that the TOE needs to cooperate with.
Behaviors of such network devices provided by operational environment
shall be also secure and correct. For example, other routers for the
exchange of routing information, PCs used for TOE administration, and
Radius and TACACS+ servers for obtaining authentication and authorization
decisions.
OE.Physical:
The TOE (i.e., the complete system including attached peripherals, such as a
console, and CF card inserted in the MPU) shall be protected against
unauthorized physical access.
OE.NetworkSegregation:
The operational environment shall provide segregation by deploying the
Ethernet interface on MPU in TOE into a local sub-network, compared to the
interfaces on LPU in TOE serving the application (or public) network.
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 13 of 42
OE.Person:
Personnel working as authorized administrators shall be carefully selected
for trustworthiness and trained for proper operation of the TOE.
4.14 Security Functional Requirements
FAU_GEN.1 Audit data generation
FAU_GEN.2 User identity association
FAU_SAR.1 Audit review
FAU_SAR.3 Selectable audit review
FAU_STG.1 Protected audit trail storage
FAU_STG.3 Action in case of possible audit data loss
FCS_COP.1/AES Cryptographic operation
FCS_COP.1/3DES Cryptographic operation
FCS_COP.1/RSA Cryptographic operation
FCS_COP.1/MD5 Cryptographic operation
FCS_COP.1/HMAC-MD5 Cryptographic operation
FCS_COP.1/DHKeyExchange Cryptographic operation
FCS_COP.1/DSA Cryptographic operation
FCS_CKM.1/AES Cryptographic key generation
FCS_CKM.1/3DES Cryptographic key generation
FCS_CKM.1/RSA Cryptographic key generation
FCS_CKM.1/HMAC_MD5 Cryptographic key generation
FCS_CKM.1/DHKey Cryptographic key generation
FCS_CKM.1/DSA Cryptographic key generation
FCS_CKM.4/3DES-AES Cryptographic key destruction
FCS_CKM.4/RSA Cryptographic key destruction
FCS_CKM.4/HMAC_MD5 Cryptographic key destruction
FCS_CKM.4/DHKey Cryptographic key destruction
FCS_CKM.4/DSA Cryptographic key destruction
FDP_ACC.1 Subset access control
FDP_ACF.1 Security attribute based access control
FDP_DAU.1 Basic Data Authentication
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 14 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
FDP_IFC.1(1) Subset information flow control- CPU-defend
FDP_IFC.1(2) Subset information flow control- Data plane traffic control
FDP_IFF.1(1) Simple security attributes - CPU-defend
FDP_IFF.1(2) Simple security attributes – Data plane traffic control
FIA_AFL.1 Authentication failure handling
FIA_ATD.1 User attribute definition
FIA_SOS.1 Verification of secrets
FIA_UAU.1 Timing of authentication –Administrator Authentication
FIA_UAU.5 Multiple authentication mechanisms
FIA_UID.1 Timing of identification – Administrator Identification
FMT_MOF.1 Management of security functions behaviour
FMT_MSA.1 Management of security attributes
FMT_MSA.3 Static attribute initialization
FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles
FPT_STM.1 Reliable time stamps
FTA_SSL.3 TSF-initiated termination
FTA_TSE.1 TOE session establishment
FTP_TRP.1 Trusted path
FTP_ITC.1 Trusted channel
4.15 Security Function Policy
At the core of each chassis is the Versatile Routing Platform (VRP), the sof tware
for managing and running the router’s networking functionality. VRP provides
extensive security features. These features include assigning different privileges to
administration users with different privilege levels; enforcing authentications
prior to establishment of administrative sessions with the TOE; auditing of
security-relevant management activities; as well as the correct enforcement of
routing decisions to ensure that network traffic gets forwarded to the correct
interfaces.
The Main Processing Units (MPU) integrate the main control unit and the system
maintenance unit. The MPU controls and manages the system in a centralized way
and is responsible for data exchange.
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 15 of 42
The Line Processing Units (LPU) are the actual hardware providing net work traffic
processing capacity. Network traffic is processed and forwarded according to
routing decisions downloaded from VRP.
Besides the MPUs and LPUs, there are other types of boards on TOE, such as
Switch Fabric Unit (SFU). Only MPU and LPU are security relevant.
4.16 Evaluation Conduct
The evaluation was carried out in accordance with the requirements of the
Norwegian Certification Scheme for IT Security as described in SERTIT Document
SD001[5]. The Scheme is managed by the Norwegian Certification Authority for IT
Security (SERTIT). As stated on page 2 of this Certification Report, SERTIT is a
member of the Arrangement on the Recognition of Common Criteria Certificat es in
the Field of Information Technology Security (CCRA), and the Senior Officials
Group Information Systems Security (SOGIS) and the evaluation was conducted in
accordance with the terms of these Arrangements and the evaluation was
conducted in accordance with these terms of this Arrangement.
The purpose of the evaluation was to provide assurance about the effectiveness of
the TOE in meeting its Security Target[1], which prospective consumers are
advised to read. To ensure that the Security Target [1] gave an appropriate
baseline for a CC evaluation, it was first itself evaluated. The TOE was then
evaluated against this baseline. Both parts of the evaluation were performed in
accordance with CC Part 3[4] and the Common Evaluation Methodology (CEM)[6].
SERTIT monitored the evaluation which was carried out by the Brightsight B.V IT-
Security Evaluation Facility (EVIT). The evaluation was completed when the EVIT
submitted the final Evaluation Technical Report (ETR)[8] to SERTIT in 03 January
2017. SERTIT then produced this Certification Report.
4.17 General Points
The evaluation addressed the security functionality claimed in the Security
Target[1] with reference to the assumed operating environment specified by the
Security Target[1]. The evaluated configuration was that specified in Annex A.
Prospective consumers are advised to check that this matches their identified
requirements and give due consideration to the recommendations and caveats of
this report.
Certification does not guarantee that the IT product is free from security
vulnerabilities. This Certification Report and the belonging Certificate only reflect
the view of SERTIT at the time of certification. It is furthermore the responsibility
of users (both existing and prospective) to check whether any security
vulnerabilities have been discovered since the date shown in this report. This
Certification Report is not an endorsement of the IT product by SERTIT or any
other organization that recognizes or gives effect to this Certification Repor t, and
no warranty of the IT product by SERTIT or any other organization that recognizes
or gives effect to this Certification Report is either expressed or implied.
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 16 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
5 Evaluation Findings
The evaluators examined the following assurance classes and component s taken
from CC Part 3[4]. These classes comprise the EAL 2 assurance package augmented
with ALC_FLR.2.
Assurance class Assurance components
Development ADV_ARC.1 Security architecture description
ADV_FSP.2 Functional specification with complete
summary
ADV_TDS.1 Architectural design
Guidance documents AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
Life-cycle support ALC_CMC.2 Production support, acceptance procedures
and automation
ALC_CMS.2 Problem tracking CM coverage
ALC_DEL.1 Delivery procedures
ALC_FLR.2 Flaw reporting procedures
Security Target
evaluation
ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
ASE_REQ.2 Derived security requirements
ASE_SPD.1 Security problem definition
ASE_OBJ.2 Security objectives
ASE_TSS.1 TOE summary specification
Tests ATE_COV.1 Analysis of coverage
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing - sample
Vulnerability
assessment
AVA_VAN.2 Vulnerability analysis
All assurance classes were found to be satisfactory and were awarded an overall
“pass” verdict.
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 17 of 42
5.1 Introduction
The evaluation addressed the requirements specified in the Security Target [1]. The
results of this work were reported in the ETR[8] under the CC Part 3[4] headings.
The following sections note considerations that are of particular relevance to
either consumers or those involved with subsequent assurance maintenance and
re-evaluation of the TOE.
5.2 Delivery
On receipt of the TOE, the consumer is recommended to check that the evaluated
version has been supplied, and to check that the security of the TOE has not been
compromised in delivery.
5.3 Installation and Guidance Documentation
Installation of the TOE must be performed completely in accordance with the
guidance listed in the ST[1] chapter 1.4.2 and Preparative Procedures documents
[9][10][11][12] provided by the developer. The Common Criteria Security
Evaluation – Certified Configuration [7] describes all necessary steps to configure
the TOE in the certified configuration.
These documents are a collection of all security relevant operations and settings
that must be observed to ensure that the TOE operates in a secure manner.
5.4 Misuse
There is always a risk of intentional and unintentional misconfigurations that could
possibly compromise confidential information. The user should always follow the
guidance for the TOE in order to ensure that the TOE operates in a secure manner.
The guidance documents adequately describe the mode of operation of the TOE,
all assumptions about the intended environment and all requirements for external
security. Sufficient guidance is provided for the consumer to effectively use the
TOE’s security functions.
5.5 Vulnerability Analysis
The Evaluators’ vulnerability analysis was based on both public domain sources
and the visibility of the TOE given by the evaluation process.
The TOE are substantially similar to other router/switches on the market. This
technology is well-established. The technology and possible vulnerabilities are
described in a series of public documents.
The evaluators assessed all possible vulnerabilities found during evaluation.
Potential vulnerabilities were found but only two turned out to be possibly
exploitable. The developer has updated the guidance to enhance the secure
configuration of the TOE, and as a result this issue has become moot.
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 18 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
5.6 Developer’s Tests
The developer test plan consists of 12 different categories of tests of 90 tests. The
categories are based on major groupings of security functionalities, and, in
combination with all SFRs and TSFIs.
5.7 Evaluators’ Tests
For independent testing, the evaluator has chosen to perform some additional
testing although the developer’s testing was extensive but some additional
assurance could be gained by additional testing.
For independent testing, the evaluator has made a sample of penetration tests
performed by the developer.
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 19 of 42
6 Evaluation Outcome
6.1 Certification Result
After due consideration of the ETR[8], produced by the Evaluators, and the
conduct of the evaluation, as witnessed by the Certifier, SERTIT has determined
that Huawei NE40E&CX600&ME60&NE20E Router version
V800R008C10SPC945Tmeet the Common Criteria Part 3 augmented requirements
of Evaluation Assurance Level EAL 2 augmented with ALC_FLR.2 for the specified
Common Criteria Part 2 conformant functionality in the specified environment,
when running on platforms specified in Annex A.
6.2 Recommendations
Prospective consumers of Huawei NE40E&CX600&ME60&NE20E Router version
V800R008C10SPC945T should understand the specific scope of the certification by
reading this report in conjunction with the Security Target [1]. The TOE should be
used in accordance with a number of environmental considerations as specified in
the Security Target.
Only the evaluated TOE configuration should be installed. This is specified in
Annex A with further relevant information given above under Section 4.3 “TOE
Scope” and Section 5 “Evaluation Findings”.
The TOE should be used in accordance with the supporting guidance
documentation included in the evaluated configuration.
The above “Evaluation Findings” include a number of recommendations relating to
the secure receipt, installation, configuration and operation of the TOE .
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 20 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
Annex A: Evaluated Configuration
TOE Identification
The TOE consists of:
Hardware
There are eleven types of chassis of an NE40E chassis as shown in Table 1.
The following boards will be covered during this evaluation:
Product
Name
Board Name for
Order
Description
NE40E-
X16A
CR5P16BASD76
NE40E-X16A Basic Configuration
(Including NE40E-X16A Chassis, 2
MPUs, 4 SFUs(480G),7 DC Power,4
Fan Tray, without Software Charge
and Document)
CR5P16BASA76
NE40E-X16A Basic Configuration
(Including NE40E-X16A Chassis, 2
MPUs, 4 SFUs(480G), 10 AC Power,4
Fan Tray, without Software Charge
and Document)
CR5P16BASD77
NE40E-X16A Basic Configuration
(Including NE40E-X16A Chassis, 2
MPUs, 4 SFUs(1T), 10 DC Power,6
Fan Tray,without Software Charge
and Document)
CR5P16BASA77
NE40E-X16A Basic Configuration
(Including NE40E-X16A Chassis, 2
MPUs, 4 SFUs(1T), 14 AC Power,6
Fan Tray, without Software Charge
and Document)
CR5B0BKP1673
NE40E-X16A Integrated DC Chassis
ComponentsE40E-X16A Chassis, 2
MP
CR5B0BKP1674
NE40E-X16A Integrated AC Chassis
Components Integrate 4 Fan Traya
CR5D0MPUB570 Main Processing Unit B5
CR5DSFUIM07B
480Gbps Switch Fabric Unit B(SFUI-
480-B)
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 21 of 42
CR5DSFUIU07B
1Tbps Switch Fabric Unit B(SFUI-1T-
B)
NE40E-
X8A
CR5P08BASD76
NE40E-X8A Basic Configuration
(Including NE40E-X8A Chassis,2
SRUs,2 SFUs(480G),4 DC Power,2
Fan Tray, without Software Charge
and Document)
CR5P08BASA76
NE40E-X8A Basic Configuration
(Including NE40E-X8A Chassis,2
SRUs,2 SFUs(480G),6 AC Power,2
Fan Tray,without Software Charge
and Document)
CR5P08BASD77
NE40E-X8A Basic Configuration
(Including NE40E-X8A Chassis,2
SRUs,2 SFUs(1T),6 DC Power,3 Fan
Tray,without Software Charge and
Document)
CR5P08BASA77
NE40E-X8A Basic Configuration
(Including NE40E-X8A Chassis,2
SRUs,2 SFUs(1T),8 AC Power,3 Fan
Tray,without Software Charge and
Document)
CR5B0BKP0871
NE40E-X8A Integrated Chassis DC
ComponentsE40E-X8A Chassis,2
SRUs
CR5B0BKP0872
NE40E-X8A Integrated Chassis AC
ComponentsE40E-X8A Chassis,2
SRUs
CR5D0SRUA870
Switch and Route Processing Unit
A8
CR5DSFUIM07C
480Gbps Switch Fabric Unit C(SFUI -
480-C)
CR5D0SRUA970
Switch and Route Processing Unit
A9
CR5DSFUIU07C
1Tbps Switch Fabric Unit C(SFUI -1T-
C)
NE40E-
X3A
CR5P03BASD75
NE40E-X3A Basic Configuration
(Including NE40E-X3A Chassis,2
MPUs, 2 DC Power,without
Software Charge and Document)
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 22 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
CR5P03BASA75
NE40E-X3A Basic Configuration
(Including NE40E-X3A Chassis,2
MPUs, 2 AC Power,without Software
Charge and Document)
CR5D0MPUD470 Main Processing Unit D4
CR5B0BKP0373
NE40E-X3A Integrated DC Chassis
Components, Including Dual DC
Power
CR5B0BKP0374
NE40E-X3A Integrated AC Chassis
Components, Including Dual AC
Power
NE40E-
X16
CR5P16BASD74
NE40E-X16 Basic Configuration
(Including NE40E-X16 Chassis, 2
MPUs, 4 SFUs(200G), 8 DC Power,
without Software Charge and
Document)
CR5P16BASA74
NE40E-X16 Basic Configuration
(Including NE40E-X16 Chassis, 2
MPUs, 4 SFUs(200G), 8 AC Power,
without Software Charge and
Document)
CR5P16BASD71
NE40E-X16 Basic Configuration
(Including NE40E-X16 Chassis, 2
MPUs, 4 SFUs(200G), 8 DC Power,
without Software Charge and
Document)
CR5P16BASA71
NE40E-X16 Basic Configuration
(Including NE40E-X16 Chassis, 2
MPUs, 4 SFUs(200G), 8 AC Power,
without Software Charge and
Document)
CR5B0BKP1670
NE40E-X16 Integrated Chassis
Components (Including 8 DC Power)
CR5D0MPUB460 Main Processing Unit B4
CR5D0MPUB570 Main Processing Unit B5
CR5DSFUIE07B
200Gbps Switch Fabric Unit B(SFUI-
200-B)
NE40E-
X8 CR5P08BASD71
NE40E-X8 Basic Configuration
(Including NE40E-X8 Chassis, 2+1
Redundant 200G SRU/SFU, 4 DC
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 23 of 42
Power, without Software Charge
and Document)
CR5P08BASA71
NE40E-X8 Basic Configuration
(Including NE40E-X8 Chassis, 2+1
Redundant 200G SRU/SFU,4 AC
Power, without Software Charge
and Document)
CR5B0BKP0870
NE40E-X8 Integrated Chassis
Components (Including 4 DC Power)
CR5D0SRUA570
Switch and Route Processing Unit
A5
CR5DSFUIE07C
200Gbps Switch Fabric Unit C(SFUI -
200-C)
NE40E-
X3 CR52-BKPE-4U-DC
Integrated DC Chassis
Components(NE40E-X3)-
4U,Including Dual DC Power
CR5B0BKP0370
NE40E-X3 Integrated AC Chassis
Components, (Including Dual AC
Power)
CR5D0MPUD170
Main Processing Unit D2(Including
2G Memory and 2G USB)
CR5P03BASD71
NE40E-X3 Basic Configuration
(Include NE40E-X3 Chassis,2 MPUs,
2 DC Power,without Software
Charge and Document)
CR5P03BASA72
NE40E-X3 Basic Configuration
(Include NE40E-X3 Chassis,2 MPUs,
2 AC Power(2200W),without
Software Charge and Document)
CR5D0MPUD270
Main Processing Unit D3(Including
4G Memory and 2G USB)
CR5P03BASD73
NE40E-X3 Basic Configuration
(Include NE40E-X3 Chassis,2 MPUs,
2 DC Power,without Software
Charge and Document)
CR5P03BASA73
NE40E-X3 Basic Configuration
(Include NE40E-X3 Chassis,2 MPUs,
2 AC Power(2200W),without
Software Charge and Document)
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 24 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
NE40E-
X1-M4
CR5P01BASD71
NE40E-X1-M4 Basic Configuration
(Includes NE40E-X1-M4
Chassis,2*MPUK,2*DC
Power,without Software Charge and
Document)
CR5P01BASA71
NE40E-X1-M4 Basic Configuration
(Includes NE40E-X1-M4
Chassis,2*MPUK,AC Power,without
Software Charge and Document)
CR5P01BASA72
NE40E-X1-M4 Basic Configuration
(Includes NE40E-X1-M4
Chassis,2*MPUK,2*AC
Power,without Software Charge and
Document)
CR5P01BASD73
NE40E-X1-M4 Basic Configuration
(Includes NE40E-X1-M4
Chassis,2*MPUK1,2*DC
Power,without Software Charge and
Document)
CR5P01BASA73
NE40E-X1-M4 Basic Configuration
(Includes NE40E-X1-M4
Chassis,2*MPUK1,2*AC
Power,without Software Charge and
Document)
CR5B0BKP0171
NE40E-X1-M4 Integrated Chassis
Components
CR5B0BKP0172
NE40E-X1-M4 Integrated AC Chassis
Components
CR5D00MPUK70 Main Processing Unit K
CR5D0MPUK170 Main Processing Unit K1
CR5M001FBX71 NE40E-X1-M4 Fan Box
NE40E-
X2-M8
CR5P02BASD71
NE40E-X2-M8 Basic Configuration
(Includes NE40E-X2-M8
Chassis,2*MPUK,2*DC
Power,without Software Charge and
Document)
CR5P02BASA71
NE40E-X2-M8 Basic Configuration
(Includes NE40E-X2-M8
Chassis,2*MPUK,2*AC
Power,without Software Charge and
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 25 of 42
Document)
CR5P02BASD73
NE40E-X2-M8 Basic Configuration
(Includes NE40E-X2-M8
Chassis,2*MPUK1,2*DC
Power,without Software Charge and
Document)
CR5P02BASA73
NE40E-X2-M8 Basic Configuration
(Includes NE40E-X2-M8
Chassis,2*MPUK1,2*AC
Power,without Software Charge and
Document)
CR5P02BASD75
NE40E-X2-M8 Basic Configuration
(Includes NE40E-X2-M8
Chassis,2*MPUK,2*DC
Power,without Software Charge and
Document)
CR5B0BKP0271
NE40E-X2-M8 Integrated DC Chassis
Components
CR5B0BKP0274
NE40E-X2-M8 Integrated DC Chassis
Components
CR5B0BKP0273
NE40E-X2-M8 Integrated AC Chassis
Components
CR5D00MPUK70 Main Processing Unit K
CR5D0MPUK170 Main Processing Unit K1
CR5M002FBX71 NE40E-X2-M8 DC Fan Box
CR5M002FBX73 X2-M8 AC Fan Box
CR5M002FBX74 NE40E-X2-M8 DC Fan Box
NE40E-
X2-M16
CR5P02BASD72
NE40E-X2-M16 Basic Configuration
(Includes NE40E-X2-M16
Chassis,2*MPUK,2*DC
Power,without Software Charge and
Document)
CR5P02BASA72
NE40E-X2-M16 Basic Configuration
(Includes NE40E-X2-M16
Chassis,2*MPUK,2*AC
Power,without Software Charge and
Document)
CR5P02BASD74 NE40E-X2-M16 Basic Configuration
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 26 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
(Includes NE40E-X2-M16
Chassis,2*MPUK1,2*DC
Power,without Software Charge and
Document)
CR5P02BASA74
NE40E-X2-M16 Basic Configuration
(Includes NE40E-X2-M16
Chassis,2*MPUK1,2*AC
Power,without Software Charge and
Document)
CR5B0BKP0272
NE40E-X2-M16 Integrated Chassis
Components
CR5D00MPUK70 Main Processing Unit K
CR5D0MPUK170 Main Processing Unit K1
CR5M002FBX72 X2-M16 Fan Box
NE40E-
M2E
CR5PM2EBAS70
NE40E-M2E Basic Configuration
(Includes NE40E-M2E
Chassis,2*10GE-SFP+ and 24GE-SFP
fixed interface,2*DC Power,Fan
Box,without Software Charge and
Document)
CR5PM2EBAS71
NE40E-M2E Basic Configuration
(Includes NE40E-M2E
Chassis,2*10GE-SFP+ and 24GE-SFP
fixed interface,2*AC Power,Fan
Box,without Software Charge and
Document)
CR5M0M2FBX70 Fan Box
CR5B0BKP0371
NE40E-M2E Integrated Chassis
Components
CR5B2PWRDC00 DC Power Supply Unit
CR5B2PWRAC00 AC Power Supply Unit 500W
NE40E-
M2F
CR5PM2FBAS70
NE40E-M2F Basic Configuration
(Includes NE40E-M2F
Chassis,4*10GE-SFP+ and 40GE-SFP
fixed interface,2*DC Power,Fan
Box,without Software Charge and
Document)
CR5PM2FBAS71 NE40E-M2F Basic Configuration
(Includes NE40E-M2F
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 27 of 42
Chassis,4*10GE-SFP+ and 40GE-SFP
fixed interface,2*AC Power,Fan
Box,without Software Charge and
Document)
CR5M0M2FBX70 Fan Box
CR5B0BKP0372
NE40E-M2F Integrated Chassis
Components
CR5B2PWRDC00 DC Power Supply Unit
CR5B2PWRAC00 AC Power Supply Unit 500W
Table 1 List of boards
There are eleven types of chassis of an CX600 chassis as shown in Table 2.
The following boards will be covered during this evaluation:
Product
Name
Board Name for
Order
Description
CX600-
X16A
CX6P16BASD76
CX600-X16A Basic Configuration
(Including CX600-X16A Chassis, 2
MPUs, 4 SFUs(480G),7 DC Power,4
Fan Tray, without Software Charge
and Document)
CX6P16BASA76
CX600-X16A Basic Configuration
(Including CX600-X16A Chassis, 2
MPUs, 4 SFUs(480G), 10 AC Power,4
Fan Tray, without Software Charge
and Document)
CX6P16BASD77
CX600-X16A Basic Configuration
(Including CX600-X16A Chassis, 2
MPUs, 4 SFUs(1T), 10 DC Power,6
Fan Tray,without Software Charge
and Document)
CX6P16BASA77
CX600-X16A Basic Configuration
(Including CX600-X16A Chassis, 2
MPUs, 4 SFUs(1T), 14 AC Power,6
Fan Tray, without Software Charge
and Document)
CX6B0BKP1670
CX600-X16A Integrated DC Chassis
ComponentsX600-X1ing 4 Fan Tray）
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 28 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
CX6B0BKP1671
CX600-X16A Integrated AC Chassis
ComponentsX600-X1ing 4 Fan
Tray0-
CX6D0MPUB570 Main Processing Unit B5
CX6DSFUIM07B
480Gbps Switch Fabric Unit B(SFUI-
480-B)
CX6DSFUIU07B
1Tbps Switch Fabric Unit B(SFUI-1T-
B)
CX600-
X8A
CX6P08BASD76
CX600-X8A Basic Configuration
(Including CX600-X8A Chassis,2
SRUs,2 SFUs(480G),4 DC Power,2
Fan Tray, without Software Charge
and Document)
CX6P08BASA76
CX600-X8A Basic Configuration
(Including CX600-X8A Chassis,2
SRUs,2 SFUs(480G),6 AC Power,2
Fan Tray,without Software Charge
and Document)
CX6P08BASD77
CX600-X8A Basic Configuration
(Including CX600-X8A Chassis,2
SRUs,2 SFUs(1T),6 DC Power,3 Fan
Tray,without Software Charge and
Document)
CX6P08BASA77
CX600-X8A Basic Configuration
(Including CX600-X8A Chassis,2
SRUs,2 SFUs(1T),8 AC Power,3 Fan
Tray,without Software Charge and
Document)
CX6B0BKP0870
CX600-X8A Integrated DC Chassis
ComponentsX600-X8A Chassis,2
SRUs
CX6B0BKP0871
CX600-X8A Integrated AC Chassis
ComponentsX600-X8A Chassis,2 Sy）
CX6D0SRUA870
Switch and Route Processing Unit
A8
CX6DSFUIM07C
480Gbps Switch Fabric Unit C(SFUI-
480-C)
CX6D0SRUA970
Switch and Route Processing Unit
A9
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 29 of 42
CX6DSFUIU07C
1Tbps Switch Fabric Unit C(SFUI -1T-
C)
CX600-
X3A
CX6P03BASD75
CX600-X3A Basic Configuration
(Including CX600-X3A Chassis,2
MPUs, 2 DC Power,without
Software Charge and Document)
CX6P03BASA75
CX600-X3A Basic Configuration
(Including CX600-X3A Chassis,2
MPUs, 2 AC Power,without Software
Charge and Document)
CX6D0MPUD470 Main Processing Unit D4
CX6B0BKP0373
CX600-X3A Integrated DC Chassis
Components, Including Dual DC
Power
CX6B0BKP0374
CX600-X3A Integrated AC Chassis
Components, Including Dual AC
Power
CX600-
X16
CX6P16BASD70
CX600-X16 Basic Configuration
(Including CX600-X16 Chassis, 2
MPUs, 4 SFUs(200G), 8 DC Power,
without Software Charge and
Document)
CX6P16BASA70
CX600-X16 Basic Configuration
(Including CX600-X16 Chassis, 2
MPUs, 4 SFUs(200G), 8 AC Power,
without Software Charge and
Document)
CX6P16BASD11
CX600-X16 Basic Configuration
(Including CX600-X16 Chassis, 2
MPUs, 4 SFUs(200G), 8 DC Power,
without Software Charge and
Document)
CX6P16BASA11
CX600-X16 Basic Configuration
(Including CX600-X16 Chassis, 2
MPUs, 4 SFUs(200G), 8 AC Power,
without Software Charge and
Document)
CX6B0BKP1610
CX600-X16 Integrated Chassis
Components (Including 8 DC Power)
CX6D0MPUB410 Main Processing Unit B4
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 30 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
CX6D0MPUB570 Main Processing Unit B5
CX6DSFUIE01B
200Gbps Switch Fabric Unit B(SFUI-
200-B)
CX600-
X8
CX6P08BASD11
CX600-X8 Basic Configuration
(Including CX600-X8 Chassis, 2+1
Redundant 200G SRU/SFU, 4 DC
Power, without Software Charge
and Document)
CX6P08BASA11
CX600-X8 Basic Configuration
(Including CX600-X8 Chassis, 2+1
Redundant 200G SRU/SFU,4 AC
Power, without Software Charge
and Document)
CX6B0BKP0810
CX600-X8 Integrated Chassis
Components (Including 4 DC Power)
CX6D0SRUA510
Switch and Route Processing Unit
A5
CX6DSFUIE01C
200Gbps Switch Fabric Unit C(SFUI -
200-C)
CX600-
X3 CX61-BKPE-4U-DC
Integrated DC Chassis
Components(CX600-X3)-
4U,Including Dual DC Power
CX6B0BKP0370
CX600-X3 Integrated AC Chassis
Components, (Including Dual AC
Power)
CX6D0MPUD170
Main Processing Unit D2(Including
2G Memory and 2G USB)
CX6P03BASD70
CX600-X3 Basic Configuration
(Include CX600-X3 Chassis,2 MPUs,
2 DC Power,without Software
Charge and Document)
CX6P03BASA72
CX600-X3 Basic Configuration
(Include CX600-X3 Chassis,2 MPUs,2
AC Power(2200W),without Software
Charge and Document)
CX6D0MPUD270
Main Processing Unit D3(Including
4G Memory and 2G USB)
CX6P03BASD73 CX600-X3 Basic Configuration
(Include CX600-X3 Chassis,2 MPUs,
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 31 of 42
2 DC Power,without Software
Charge and Document)
CX6P03BASA73
CX600-X3 Basic Configuration
(Include CX600-X3 Chassis,2 MPUs,2
AC Power(2200W),without Software
Charge and Document)
CX600-
X1-M4
CX6P01BASD71
CX600-X1-M4 Basic Configuration
(Includes CX600-X1-M4
Chassis,2*MPUK,2*DC
Power,without Software Charge and
Document)
CX6P01BASA71
CX600-X1-M4 Basic Configuration
(Includes CX600-X1-M4
Chassis,2*MPUK,AC Power,without
Software Charge and Document)
CX6P01BASA72
CX600-X1-M4 Basic Configuration
(Includes CX600-X1-M4
Chassis,2*MPUK,2*AC
Power,without Software Charge and
Document)
CX6P01BASD73
CX600-X1-M4 Basic Configuration
(Includes CX600-X1-M4
Chassis,2*MPUK1,2*DC
Power,without Software Charge and
Document)
CX6P01BASA73
CX600-X1-M4 Basic Configuration
(Includes CX600-X1-M4
Chassis,2*MPUK1,2*AC
Power,without Software Charge and
Document)
CX6B0BKP0171
CX600-X1-M4 Integrated Chassis
Components
CX6B0BKP0172
CX600-X1-M4 Integrated AC Chassis
Components
CX6D00MPUK70 Main Processing Unit K
CX6D0MPUK170 Main Processing Unit K1
CX6M001FBX71 CX600-X1-M4 Fan Box
CX600-
X2-M8 CX6P02BASD71
CX600-X2-M8 Basic Configuration
(Includes CX600-X2-M8
Chassis,2*MPUK,2*DC
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 32 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
Power,without Software Charge and
Document)
CX6P02BASA71
CX600-X2-M8 Basic Configuration
(Includes CX600-X2-M8
Chassis,2*MPUK,2*AC
Power,without Software Charge and
Document)
CX6P02BASD73
CX600-X2-M8 Basic Configuration
(Includes CX600-X2-M8
Chassis,2*MPUK1,2*DC
Power,without Software Charge and
Document)
CX6P02BASA73
CX600-X2-M8 Basic Configuration
(Includes CX600-X2-M8
Chassis,2*MPUK1,2*AC
Power,without Software Charge and
Document)
CX6B0BKP0271
CX600-X2-M8 Integrated DC Chassis
Components
CX6B0BKP0273
CX600-X2-M8 Integrated AC Chassis
Components
CX6D00MPUK70 Main Processing Unit K
CX6D0MPUK170 Main Processing Unit K1
CX6M002FBX71 CX600-X2-M8 DC Fan Box
CR5M002FBX73 X2-M8 AC Fan Box
CX600-
X2-M16
CX6P02BASD72
CX600-X2-M16 Basic Configuration
(Includes CX600-X2-M16
Chassis,2*MPUK,2*DC
Power,without Software Charge and
Document)
CX6P02BASA72
CX600-X2-M16 Basic Configuration
(Includes CX600-X2-M16
Chassis,2*MPUK,2*AC
Power,without Software Charge and
Document)
CX6P02BASD74
CX600-X2-M16 Basic Configuration
(Includes CX600-X2-M16
Chassis,2*MPUK1,2*DC
Power,without Software Charge and
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 33 of 42
Document)
CX6P02BASA74
CX600-X2-M16 Basic Configuration
(Includes CX600-X2-M16
Chassis,2*MPUK1,2*AC
Power,without Software Charge and
Document)
CX6B0BKP0272
CX600-X2-M16 Integrated Chassis
Components
CX6D00MPUK70 Main Processing Unit K
CX6D0MPUK170 Main Processing Unit K1
CR5M002FBX72 X2-M16 Fan Box
CX600-
M2E
CX6PM2EBAS70
CX600-M2E Basic Configuration
(Includes CX600-M2E
Chassis,2*10GE-SFP+ and 24GE-SFP
fixed interface,2*DC Power,Fan
Box,without Software Charge and
Document)
CX6PM2EBAS71
CX600-M2E Basic Configuration
(Includes CX600-M2E
Chassis,2*10GE-SFP+ and 24GE-SFP
fixed interface,2*AC Power,Fan
Box,without Software Charge and
Document)
CX6M0M2FBX70 Fan Box
CX6B0BKP0371
CX600-M2E Integrated Chassis
Components
CR5B2PWRDC00 DC Power Supply Unit
CR5B2PWRAC00 AC Power Supply Unit 500W
CX600-
M2F
CX6PM2FBAS70
CX600-M2F Basic Configuration
(Includes CX600-M2F
Chassis,4*10GE-SFP+ and 40GE-SFP
fixed interface,2*DC Power,Fan
Box,without Software Charge and
Document)
CX6PM2FBAS71
CX600-M2F Basic Configuration
(Includes CX600-M2F
Chassis,4*10GE-SFP+ and 40GE-SFP
fixed interface,2*AC Power,Fan
Box,without Software Charge and
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 34 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
Document)
CX6M0M2FBX70 Fan Box
CX6B0BKP0372
CX600-M2F Integrated Chassis
Components
CR5B2PWRDC00 DC Power Supply Unit
CR5B2PWRAC00 AC Power Supply Unit 500W
Table 2 List of boards
There are five types of chassis of an ME60 chassis as shown in Table 3.
The following boards will be covered during this evaluation:
Product
Name
Board Name for
Order
Description
ME60-
X16
ME0P16BASD70 ME60-X16 Basic Configuration
(Including ME60-X16 Chassis, 2
MPUs, 4 SFUs(200G),8 DC Power,
without Software Charge and
Document)
ME0P16BASA70 ME60-X16 Basic Configuration
(Including ME60-X16 Chassis, 2
MPUs, 4 SFUs(200G), 8 AC Power,
without Software Charge and
Document)
ME0P16BASD72 ME60-X16 Basic Configuration
(Including ME60-X16 Chassis, 2
MPUs, 4 SFUs(100G), 8 DC Power,
without Software Charge and
Document)
ME0P16BASA72 ME60-X16 Basic Configuration
(Including ME60-X16 Chassis, 2
MPUs, 4 SFUs(100G), 8 AC Power,
without Software Charge and
Document)
ME0B0BKP1630 ME60-X16 Integrated Chassis
Components (Including 8 DC Power)
ME0D0MPUB470 ME60-X16 Main Processing Unit B4
ME0DSFUIE07B 200Gbps Switch Fabric Unit B(SFUI-
200-B)
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 35 of 42
ME0DSFUIE07D 100Gbps Switch Fabric Unit E(SFUI -
100-E)
ME0P16SFUE71 ME60-X16 100G SFU Bundle
Configuration(Including 4*SFUI-
100-E)
ME0P16SFUE70 ME60-X16 200G SFU Bundle
Configuration(Including 4*SFUI-
200-B)
ME60-
X8
ME0P08BASD70 ME60-X8 Basic Configuration
(Including ME60-X8 Chassis, 2+1
Redundant 200G SRU/SFU,4 DC
Power, without Software Charge
and Document)
ME0P08BASA70 ME60-X8 Basic Configuration
(Including ME60-X8 Chassis, 2+1
Redundant 200G SRU/SFU,4 AC
Power, without Software Charge
and Document)
ME0P08BASD72 ME60-X8 Basic Configuration
(Including ME60-X8 Chassis, 2+1
Redundant 100G SRU/SFU, 4 DC
Power, without Software Charge
and Document)
ME0P08BASA72 ME60-X8 Basic Configuration
(Including ME60-X8 Chassis, 2+1
Redundant 100G SRU/SFU, 4 AC
Power, without Software Charge
and Document)
ME0B0BKP0830 ME60-X8 Integrated Chassis
Components (Including 4 DC Power)
ME0D0SRUA570 Switch and Route Processing Unit
A5
ME0DSFUIE07C 200Gbps Switch Fabric Unit C(SFUI -
200-C)
ME0P08SFUE70 ME60-X8 200G SFU Bundle
Configuration(Including 2*SRUA5
and 1*SFUI-200-C)
ME0D0SRUA770 Switch and Route Processing Unit
A7
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 36 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
ME0DSFUIA07D 100Gbps Switch Fabric Unit D(SFUI-
100-D)
ME0P08SFUF70 ME60-X8 100G SFU Bundle
Configuration(Including
2*SRUs,1*SFU)
ME60-
X3
ME0P03BASD70
ME60-X3 Basic Configuration
(Include ME60-X3 Chassis, 2 MPUs,
2 DC Power, without Software
Charge and Document)
ME0B0BKPD330 Integrated DC Chassis
Components(ME60-X3)
ME0D00MPUD71 Main Processing Unit D2
ME0B0BKPA331 ME60-X3 Integrated AC Chassis
Components, (Including Dual AC
Power)
ME0P03BASA31 ME60-X3 Basic Configuration
(Include ME60-X3 Chassis,2 MPUs, 2
AC Power(2200W),without Software
Charge and Document)
ME0D00MPUD72 Main Processing Unit D3
ME0P03BASD71
ME60-X3 Basic Configuration
(Include ME60-X3 Chassis, 2 MPUs,
2 DC Power, without Software
Charge and Document)
ME0P03BASA71
ME60-X3 Basic Configuration
(Include ME60-X3 Chassis,2 MPUs, 2
AC Power(2200W),without Software
Charge and Document)
ME60-
X2-M8
ME0P02BASD73
ME60-X2-M8 Basic Configuration
(Includes ME60-X2-M8
Chassis,2*MPUK1,2*DC
Power,without Software Charge and
Document)
ME0P02BASA73
ME60-X2-M8 Basic Configuration
(Includes ME60-X2-M8
Chassis,2*MPUK1,2*AC
Power,without Software Charge and
Document)
ME0B0BKP0271 ME60-X2-M8 Integrated DC Chassis
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 37 of 42
Components
ME0B0BKP0273
ME60-X2-M8 Integrated AC Chassis
Components
ME0D0MPUK171 Main Processing Unit K1
ME0M002FBX71 ME60-X2-M8 DC Fan Box
ME0M002FBX73 X2-M8 AC Fan Box
ME60-
X2-M16
ME0P02BASD74
ME60-X2-M16 Basic Configuration
(Includes ME60-X2-M16
Chassis,2*MPUK1,2*DC
Power,without Software Charge and
Document)
ME0P02BASA74
ME60-X2-M16 Basic Configuration
(Includes ME60-X2-M16
Chassis,2*MPUK1,2*AC
Power,without Software Charge and
Document)
ME0B0BKP0272
ME60-X2-M16 Integrated Chassis
Components
ME0D0MPUK171 Main Processing Unit K1
ME0M002FBX72 X2-M16 Fan Box
Table 3 List of boards
There are five types of chassis of an NE20E chassis as shown in Table 4.
The following boards will be covered during this evaluation:
Product
Name
Board Name for
Order
Description
NE20E-
S4
CR2M04BASD01
NE20E-S4 DC Basic Configuration
(Includes NE20E-S4
Chassis,1*MPUE,2*DC Power,Power
cord,without Software Charge and
Document)
CR2M04BASD02
NE20E-S4 DC Basic Configuration
(Includes NE20E-S4
Chassis,2*MPUE,2*DC Power,Power
cord,without Software Charge and
Document)
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 38 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
CR2M04BASA01
NE20E-S4 AC Basic Configuration
(Includes NE20E-S4
Chassis,1*MPUE,2*AC Power,Power
cord,without Software Charge and
Document)
CR2M04BASA02
NE20E-S4 AC Basic Configuration
(Includes NE20E-S4
Chassis,2*MPUE,2*AC Power,Power
cord,without Software Charge and
Document)
CR2M04BASD11
NE20E-S4 DC Basic Configuration
(Includes NE20E-S4
Chassis,1*MPUE1,2*DC
Power,Power cord,without Software
Charge and Document)
CR2M04BASD12
NE20E-S4 DC Basic Configuration
(Includes NE20E-S4
Chassis,2*MPUE1,2*DC
Power,Power cord,without Software
Charge and Document)
CR2M04BASA11
NE20E-S4 AC Basic Configuration
(Includes NE20E-S4
Chassis,1*MPUE1,2*AC
Power,Power cord,without Software
Charge and Document)
CR2M04BASA12
NE20E-S4 AC Basic Configuration
(Includes NE20E-S4
Chassis,2*MPUE1,2*AC
Power,Power cord,without Software
Charge and Document)
CR2B0BKP0410
NE20E-S4 Integrated Chassis
Components
CR2B0BKP0411
NE20E-S4 Integrated AC Chassis
Components
CR2D00MPUE10 Main Processing Unit E
CR2D0MPUE110 Main Processing Unit E1
CR2M004FBX10 NE20E-S4 Fan Box
NE20E-
S8 CR2M08BASD02
NE20E-S8 DC Basic Configuration
(Includes NE20E-S8
Chassis,2*MPUE,2*DC Power,Power
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 39 of 42
cord,without Software Charge and
Document)
CR2M08BASA02
NE20E-S8 AC Basic Configuration
(Includes NE20E-S8
Chassis,2*MPUE,2*AC Power,Power
cord,without Software Charge and
Document)
CR2M08BASD12
NE20E-S8 DC Basic Configuration
(Includes NE20E-S8
Chassis,2*MPUE1,2*DC
Power,Power cord,without Software
Charge and Document)
CR2M08BASA12
NE20E-S8 AC Basic Configuration
(Includes NE20E-S8
Chassis,2*MPUE1,2*AC
Power,Power cord,without Software
Charge and Document)
CR2B0BKP0810
NE20E-S8 Integrated DC Chassis
Components
CR2B0BKP0811
NE20E-S8 Integrated AC Chassis
Components
CR2D00MPUE10 Main Processing Unit E
CR2D0MPUE110 Main Processing Unit E1
CR2M008FBX10 NE20E-S8 DC Fan Box
CR2M008FBX11 NE20E-S8 AC Fan Box
NE20E-
S16
CR2M16BASD02
NE20E-S16 DC Basic Configuration
(Includes NE20E-S16
Chassis,2*MPUE,2*DC Power,Power
cord,without Software Charge and
Document)
CR2M16BASA02
NE20E-S16 AC Basic Configuration
(Includes NE20E-S16
Chassis,2*MPUE,2*AC Power,Power
cord,without Software Charge and
Document)
CR2M16BASD12
NE20E-S16 DC Basic Configuration
(Includes NE20E-S16
Chassis,2*MPUE1,2*DC
Power,Power cord,without Software
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 40 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
Charge and Document)
CR2M16BASA12
NE20E-S16 AC Basic Configuration
(Includes NE20E-S16
Chassis,2*MPUE1,2*AC
Power,Power cord,without Software
Charge and Document)
CR2B0BKP1610
NE20E-S16 Integrated Chassis
Components
CR2D00MPUE10 Main Processing Unit E
CR2D0MPUE110 Main Processing Unit E1
CR2M016FBX10 NE20E-S16 Fan Box
NE20E-
S2E
CR2P2EBASD10
NE20E-S2E Basic Configuration
(Includes NE20E-S2E
Chassis,2*10GE-SFP+ and 24GE-SFP
fixed interface,2*DC Power,Fan
Box,Power cord,without Software
Charge and Document)
CR2P2EBASA10
NE20E-S2E Basic Configuration
(Includes NE20E-S2E
Chassis,2*10GE-SFP+ and 24GE-SFP
fixed interface,2*AC Power,Fan
Box,Power cord,without Software
Charge and Document)
CR2M002FBX10 Fan Box
CR2B0BKP0210
NE20E-S2E Integrated Chassis
Components
CR5B2PWRDC00 DC Power Supply Unit 600W
CR5B2PWRAC00 AC Power Supply Unit 500W
NE20E-
S2F
CR2P2FBASD10
NE20E-S2F Basic Configuration
(Includes NE20E-S2F
Chassis,4*10GE-SFP+ and 40GE-SFP
fixed interface,2*DC Power,Fan
Box,Power cord,without Software
Charge and Document)
CR2P2FBASA10
NE20E-S2F Basic Configuration
(Includes NE20E-S2F
Chassis,4*10GE-SFP+ and 40GE-SFP
fixed interface,2*AC Power,Fan
Box,Power cord,without Software
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
SERTIT-087 CR Issue 1.0
07 April 2017
Page 41 of 42
Charge and Document)
CR2M002FBX10 Fan Box
CR2B0BKP0211
NE20E-S2F Integrated Chassis
Components
CR5B2PWRDC00 DC Power Supply Unit 600W
CR5B2PWRAC00 AC Power Supply Unit 500W
Table 4 List of boards
Software
Type Name Version
Software
Product
software
V800R008C10SPC945T
VRP Version 8 Release 12
Linux Version:
WRlinux4.3.0.0(CR5D0MPUB570,CR5D0SR
UA870,CR5D0SRUA970,CR5D0MPUD470,C
X6D0MPUB570,CX6D0SRUA870,CX6D0SRU
A970,CX6D0MPUD470)
/WRlinux4.1.0.0(CR5D0MPUB460,CR5D0S
RUA570,CR5D0MPUD170,CR5D0MPUD270,
CR5D00MPUK70,CR5D0MPUK170,CX6D0M
PUB410,CX6D0SRUA510,CX6D0MPUD170,
CX6D0MPUD270,CX6D00MPUK70,CX6D0M
PUK170,ME0D0MPUB470,ME0D0SRUA570,
ME0D0SRUA770,ME0D00MPUD71,ME0D00
MPUD72,ME0D0MPUK171,CR2D00MPUE1
0,CR2D0MPUE110)
Table 5 List of Software
TOE Documentation
The supporting guidance documents evaluated were:
[a] NE40E V800R008 C10 Product Manual, V01, 2016/09/30
[b] CX600 V800R008C10 Product Manual, V01, 2016/09/30
[c] NE20E V800R008C10 Product Manual, V01, 2016/09/30
[d] ME60 V800R008C10 Product Manual, V01, 2016/09/30
[e] Common Criteria Security Evaluation – Certified Configuration, V1.5
Huawei NE40E&CX600&ME60&NE20E
Router Version V800R008C10SPC945T
EAL 2+
Page 42 of 42 SERTIT-087 CR Issue 1.0
07 April 2017
[Further discussion of the supporting guidance material is given in Section 5.3
“Installation and Guidance Documentation”.]
TOE Configuration
The following configuration was used for testing:
ITEM IDENTIFIER
HARDWARE One of the hardware models from each series listed in section TOE Identification
SOFTWARE Product software version V800R008C10SPC945T, VRP Version 8 Release 12,
WRLinux 4.3.0.0 / WRLinux 4.1.0.0, configured according to [7].
MANUALS NE40E V800R008 C10 Product Manual, V01, 2016/09/30
CX600 V800R008C10 Product Manual, V01, 2016/09/30
NE20E V800R008C10 Product Manual, V01, 2016/09/30
ME60 V800R008C10 Product Manual, V01, 2016/09/30
Common Criteria Security Evaluation – Certified Configuration, V1.5
Environmental Configuration
The TOE is tested in the following test setups: