idnits 2.17.1

draft-ietf-ipsp-config-policy-model-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  == There are 2 instances of lines with non-ascii characters in the document.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 8) being 60 lines

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References. All references will be assumed normative when checking for
     downward references.

  ** The abstract seems to contain references ([PCIM], DOI], [COMP,ESP,, AH,,
     [IKE]), which it shouldn't. Please replace those with straight textual
     mentions of the documents in question.

  == There are 6 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document. If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == Line 4078 has weird spacing: '...tion of a sub...'

  == Line 4770 has weird spacing: '...dentity initi...'

  == Line 4773 has weird spacing: '... "other secur...'

  == Line 5354 has weird spacing: '... "its subcl...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error? (The document does seem to have
     the reference to RFC 2119 which the ID-Checklist requires).

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean). Found 'MUST not' in this paragraph:

     The class SARule serves as a base class for IKERule and IPsecRule. Even
     though the class is concrete, it MUST not be instantiated. It defines a
     common connection point for associations to conditions and actions for
     both types of rules. Through its derivation from PolicyRule, an SARule
     (and therefore IKERule and IPsecRule) also has the
     PolicyRuleValidityPeriod association.

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean). Found 'MUST not' in this paragraph:

     The class SAAction serves as the base class for IKE and IPsec actions.
     Although the class is concrete, it MUST not be instantiated. It is used
     for aggregating different types of actions to IKE and IPsec rules. The
     class definition for SAAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean). Found 'MUST not' in this paragraph:

     The class SAStaticAction serves as the base class for IKE and IPsec
     actions that do not require any negotiation. Although the class is
     concrete, it MUST not be instantiated. The class definition for
     SAStaticAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean). Found 'MUST not' in this paragraph:

     Although the class is concrete, it MUST not be instantiated. The class
     definition for PreconfiguredSAAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean). Found 'MUST not' in this paragraph:

     The class SANegotiationAction serves as the base class for IKE and IPsec
     actions that result in a IKE negotiation. Although the class is
     concrete, is MUST not be instantiated. The class definition for
     SANegotiationAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean). Found 'MUST not' in this paragraph:

     The class IPsecAction serves as the base class for IPsec transport and
     tunnel actions. It specifies the parameters used for an IKE phase 2
     IPsec DOI negotiation. Although the class is concrete, is MUST not be
     instantiated. The class definition for IPsecAction is as follows:

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'SAProposal' is mentioned on line 2264, but not
     defined

  == Missing Reference: 'SATransform' is mentioned on line 2277, but not
     defined

  == Missing Reference: 'IN' is mentioned on line 4228, but not defined

  == Missing Reference: 'OUT' is mentioned on line 4229, but not defined

  == Unused Reference: 'COMP' is defined on line 3652, but no explicit
     reference was found in the text

  == Unused Reference: 'ESP' is defined on line 3655, but no explicit
     reference was found in the text

  == Unused Reference: 'AH' is defined on line 3658, but no explicit
     reference was found in the text

  == Unused Reference: 'IPSO' is defined on line 3687, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2409 (ref. 'IKE') (Obsoleted by RFC
     4306)

  ** Obsolete normative reference: RFC 2393 (ref. 'COMP') (Obsoleted by RFC
     3173)

  ** Obsolete normative reference: RFC 2406 (ref. 'ESP') (Obsoleted by RFC
     4303, RFC 4305)

  ** Obsolete normative reference: RFC 2402 (ref. 'AH') (Obsoleted by RFC
     4302, RFC 4305)

  ** Obsolete normative reference: RFC 2407 (ref. 'DOI') (Obsoleted by RFC
     4306)

  ** Obsolete normative reference: RFC 2251 (ref. 'LDAP') (Obsoleted by RFC
     4510, RFC 4511, RFC 4512, RFC 4513)

  ** Downref: Normative reference to an Historic draft: draft-ietf-rap-pr
     (ref. 'COPSPR')

  == Outdated reference: A later version (-04) exists of
     draft-ietf-ipsp-spsl-00

  -- Possible downref: Normative reference to a draft: ref. 'SPSL'

  ** Downref: Normative reference to an Historic RFC: RFC 1108 (ref. 'IPSO')

  ** Obsolete normative reference: RFC 2401 (ref. 'IPSEC') (Obsoleted by RFC
     4301)

     Summary: 15 errors (**), 0 flaws (~~), 25 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Engineering Task Force                              Jamie Jason
INTERNET DRAFT                                         Intel Corporation
1-March-2001                                                 Lee Rafalow
                                                                     IBM
                                                             Eric Vyncke
                                                           Cisco Systems

                    IPsec Configuration Policy Model
               draft-ietf-ipsp-config-policy-model-02.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.
Abstract

   This document presents an object-oriented model of IPsec policy
   designed to:

   o  facilitate agreement about the content and semantics of IPsec
      policy
   o  enable derivations of task-specific representations of IPsec
      policy such as storage schema, distribution representations, and
      policy specification languages used to configure IPsec-enabled
      endpoints

   The schema described in this document models the IKE phase one
   parameters as described in [IKE] and the IKE phase two parameters
   for the IPsec Domain of Interpretation as described in [COMP, ESP,
   AH, DOI]. It is based upon the core policy classes as defined in the
   Policy Core Information Model (PCIM) [PCIM].

Table of Contents

   Status of this Memo
   Abstract
   Table of Contents
   1. Introduction
   2. UML Conventions
   3. IPsec Policy Model Inheritance Hierarchy
   4. Policy Classes
      4.1. The Class IPsecPolicyGroup
      4.2. The Class SARule
         4.2.1. The Property LimitNegotiation
      4.3. The Class IKERule
         4.3.1. The Property IdentityContexts
      4.4. The Class IPsecRule
      4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup
         4.5.1. The Reference GroupComponent
         4.5.2. The Reference PartComponent
         4.5.3. The Property GroupPriority
      4.6. The Association Class IPsecPolicyForEndpoint
         4.6.1. The Reference Antecedent
         4.6.2. The Reference Dependent
      4.7. The Association Class IPsecPolicyForSystem
         4.7.1. The Reference Antecedent
         4.7.2. The Reference Dependent
      4.8. The Aggregation Class RuleForIKENegotiation
         4.8.1. The Reference GroupComponent
         4.8.2. The Reference PartComponent
      4.9. The Aggregation Class RuleForIPsecNegotiation
         4.9.1. The Reference GroupComponent
         4.9.2. The Reference PartComponent
      4.10. The Aggregation Class SAConditionInRule
         4.10.1. The Reference GroupComponent
         4.10.2. The Reference PartComponent
      4.11. The Aggregation Class SAActionInRule
         4.11.1. The Reference GroupComponent
         4.11.2. The Reference PartComponent
         4.11.3. The Property ActionOrder
   5. Condition and Filter Classes
      5.1. The Class SACondition
      5.2. The Class FilterEntry
      5.3. The Class CredentialFilterEntry
         5.3.1. The Property MatchFieldName
         5.3.2. The Property MatchFieldValue
         5.3.3. The Property CredentialType
      5.4. The Class IPSOFilterEntry
         5.4.1. The Property MatchConditionType
         5.4.2. The Property MatchConditionValue
      5.5. The Class PeerIDPayloadFilterEntry
         5.5.1. The Property MatchIdentityType
         5.5.2. The Property MatchIdentityValue
      5.6. The Association Class FilterOfSACondition
         5.6.1. The Reference Antecedent
         5.6.2. The Reference Dependent
      5.7. The Association Class AcceptCredentialFrom
         5.7.1. The Reference Antecedent
         5.7.2. The Reference Dependent
   6. Action Classes
      6.1. The Class SAAction
         6.1.1. The Property DoActionLogging
         6.1.2. The Property DoPacketLogging
      6.2. The Class SAStaticAction
         6.2.1. The Property LifetimeSeconds
      6.3. The Class IPsecBypassAction
      6.4. The Class IPsecDiscardAction
      6.5. The Class IKERejectAction
      6.6. The Class PreconfiguredSAAction
         6.6.1. The Property LifetimeKilobytes
      6.7. The Class PreconfiguredTransportAction
      6.8. The Class PreconfiguredTunnelAction
         6.8.1. The Property PeerGatewayAddressType
         6.8.2. The Property PeerGatewayAddress
         6.8.3. The Property DFHandling
      6.9. The Class SANegotiationAction
         6.9.1. The Property MinLifetimeSeconds
         6.9.2. The Property MinLifetimeKilobytes
         6.9.3. The Property RefreshThresholdSeconds
         6.9.4. The Property RefreshThresholdKilobytes
         6.9.5. The Property IdleDurationSeconds
      6.10. The Class IPsecAction
         6.10.1. The Property UsePFS
         6.10.2. The Property UseIKEGroup
         6.10.3. The Property GroupId
         6.10.4. The Property Granularity
         6.10.5. The Property VendorID
      6.11. The Class IPsecTransportAction
      6.12. The Class IPsecTunnelAction
         6.12.1. The Property DFHandling
      6.13. The Class IKEAction
         6.13.1. The Property RefreshThresholdDerivedKeys
         6.13.2. The Property ExchangeMode
         6.13.3. The Property UseIKEIdentityType
         6.13.4. The Property VendorID
         6.13.5. The Property AggressiveModeGroupId
      6.14. The Class PeerGateway
         6.14.1. The Property Name
         6.14.2. The Property PeerIdentityType
         6.14.3. The Property PeerIdentity
      6.15. The Association Class PeerGatewayForTunnel
         6.15.1. The Reference Antecedent
         6.15.2. The Reference Dependent
         6.15.3. The Property SequenceNumber
      6.16. The Aggregation Class ContainedProposal
         6.16.1. The Reference GroupComponent
         6.16.2. The Reference PartComponent
         6.16.3. The Property SequenceNumber
      6.17. The Association Class HostedPeerGatewayInformation
         6.17.1. The Reference Antecedent
         6.17.2. The Reference Dependent
      6.18. The Association Class TransformOfPreconfiguredAction
         6.18.1. The Reference Antecedent
         6.18.2. The Reference Dependent
         6.18.3. The Property SPI
   7. Proposal and Transform Classes
      7.1. The Abstract Class SAProposal
         7.1.1. The Property Name
      7.2. The Class IKEProposal
         7.2.1. The Property LifetimeDerivedKeys
         7.2.2. The Property CipherAlgorithm
         7.2.3. The Property HashAlgorithm
         7.2.4. The Property PRFAlgorithm
         7.2.5. The Property GroupId
         7.2.6. The Property AuthenticationMethod
         7.2.7. The Property MaxLifetimeSeconds
         7.2.8. The Property MaxLifetimeKilobytes
         7.2.9. The Property VendorID
      7.3. The Class IPsecProposal
      7.4. The Abstract Class SATransform
         7.4.1. The Property TransformName
         7.4.2. The Property VendorID
         7.4.3. The Property MaxLifetimeSeconds
         7.4.4. The Property MaxLifetimeKilobytes
      7.5. The Class AHTransform
         7.5.1. The Property AHTransformId
         7.5.2. The Property UseReplayPrevention
         7.5.3. The Property ReplayPreventionWindowSize
      7.6. The Class ESPTransform
         7.6.1. The Property IntegrityTransformId
         7.6.2. The Property CipherTransformId
         7.6.3. The Property CipherKeyLength
         7.6.4. The Property CipherKeyRounds
         7.6.5. The Property UseReplayPrevention
         7.6.6. The Property ReplayPreventionWindowSize
      7.7. The Class IPCOMPTransform
         7.7.1. The Property Algorithm
         7.7.2. The Property DictionarySize
         7.7.3. The Property PrivateAlgorithm
      7.8. The Association Class SAProposalInSystem
         7.8.1. The Reference Antecedent
         7.8.2. The Reference Dependent
      7.9. The Aggregation Class ContainedTransform
         7.9.1. The Reference GroupComponent
         7.9.2. The Reference PartComponent
         7.9.3. The Property SequenceNumber
      7.10. The Association Class SATransformInSystem
         7.10.1. The Reference Antecedent
         7.10.2. The Reference Dependent
   8. IKE Service and Identity Classes
      8.1. The Class IKEService
      8.2. The Class PeerIdentityTable
         8.2.1. The Property Name
      8.3. The Class PeerIdentityEntry
         8.3.1. The Property PeerIdentity
         8.3.2. The Property PeerIdentityType
         8.3.3. The Property PeerAddress
         8.3.4. The Property PeerAddressType
      8.4. The Class AutostartIKEConfiguration
      8.5. The Class AutostartIKESetting
         8.5.1. The Property Phase1Only
         8.5.2. The Property AddressType
         8.5.3. The Property SourceAddress
         8.5.4. The Property SourcePort
         8.5.5. The Property DestinationAddress
         8.5.6. The Property DestinationPort
         8.5.7. The Property Protocol
      8.6. The Class IKEIdentity
         8.6.1. The Property IdentityType
         8.6.2. The Property IdentityValue
         8.6.3. The Property IdentityContexts
      8.7. The Association Class HostedPeerIdentityTable
         8.7.1. The Reference Antecedent
         8.7.2. The Reference Dependent
      8.8. The Aggregation Class PeerIdentityMember
         8.8.1. The Reference Collection
         8.8.2. The Reference Member
      8.9. The Association Class IKEServicePeerGateway
         8.9.1. The Reference Antecedent
         8.9.2. The Reference Dependent
      8.10. The Association Class IKEServicePeerIdentityTable
         8.10.1. The Reference Antecedent
         8.10.2. The Reference Dependent
      8.11. The Association Class IKEAutostartSetting
         8.11.1. The Reference Element
         8.11.2. The Reference Setting
      8.12. The Aggregation Class AutostartIKESettingContext
         8.12.1. The Reference Context
         8.12.2. The Reference Setting
         8.12.3. The Property SequenceNumber
      8.13. The Association Class IKEServiceForEndpoint
         8.13.1. The Reference Antecedent
         8.13.2. The Reference Dependent
      8.14. The Association Class IKEAutostartConfiguration
         8.14.1. The Reference Antecedent
         8.14.2. The Reference Dependent
         8.14.3. The Property Active
      8.15. The Association Class IKEUsesCredentialManagementService
         8.15.1. The Reference Antecedent
         8.15.2. The Reference Dependent
      8.16. The Association Class EndpointHasLocalIKEIdentity
         8.16.1. The Reference Antecedent
         8.16.2. The Reference Dependent
      8.17. The Association Class CollectionHasLocalIKEIdentity
         8.17.1. The Reference Antecedent
         8.17.2. The Reference Dependent
      8.18. The Association Class IKEIdentitysCredential
         8.18.1. The Reference Antecedent
         8.18.2. The Reference Dependent
   9. Security Considerations
   10. Intellectual Property
   11. Acknowledgments
   12. References
   13. Disclaimer
   14. Authors' Addresses
   15. Full Copyright Statement
   Appendix A (DMTF Core Model MOF)
   Appendix B (DMTF User Model MOF)
   Appendix C (DMTF Network Model MOF)

1. Introduction

   Internet Protocol security (IPsec) policy may assume a variety of
   forms as it travels from storage to distribution point to decision
   point. At each step, it needs to be represented in a way that is
   convenient for the current task.
   For example, the policy could exist as, but is not limited to:

   o  a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in a
      directory
   o  an on-the-wire representation over a transport protocol like the
      Common Object Policy Service (COPS) [COPS, COPSPR]
   o  a text-based policy specification language [SPSL] suitable for
      editing by an administrator
   o  an Extensible Markup Language (XML) document

   Each of these task-specific representations should be derived from a
   canonical representation that precisely specifies the content and
   semantics of the IPsec policy. The purpose of this document is to
   abstract IPsec policy into a task-independent representation that is
   not constrained by any particular task-dependent representation.

   This document is organized as follows:

   o  Section 2 provides a quick introduction to the Unified Modeling
      Language (UML) graphical notation conventions used in this
      document.

   o  Section 3 provides the inheritance hierarchy that describes where
      the IPsec policy classes fit into the policy class hierarchy
      already defined by the Policy Core Information Model (PCIM).

   o  The remainder of the document describes the classes that make up
      the IPsec policy model.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

   For this document, a UML static class diagram was chosen as the
   canonical representation for the IPsec policy model. The reason
   behind this decision is that UML provides a graphical,
   task-independent way to model systems. A treatise on the graphical
   notation used in UML is beyond the scope of this paper.
   However, given the use of ASCII drawing for UML static class
   diagrams, a description of the notational conventions used in this
   document is in order:

   o  Boxes represent classes, with class names in brackets ([])
      representing an abstract class.

   o  A line that terminates with an arrow (<, >, ^, v) denotes
      inheritance. The arrow always points to the parent class.
      Inheritance can also be called generalization or specialization
      (depending upon the reference point). A base class is a
      generalization of a derived class, and a derived class is a
      specialization of a base class.

   o  Associations are used to model a relationship between two
      classes. Classes that share an association are connected using a
      line. A special kind of association is also used: an aggregation.
      An aggregation models a whole-part relationship between two
      classes. Associations, and therefore aggregations, can also be
      modeled as classes.

   o  A line that begins with an "o" denotes aggregation. Aggregation
      denotes containment in which the contained class and the
      containing class have independent lifetimes.

   o  Next to a line representing an association appears a cardinality.
      Cardinalities indicate the constraints on the number of object
      instances in a set of relationships. Every association instance
      has a single set of references. The cardinality indicates the
      number of instances that may refer to a given object instance.
      The cardinality may be:

      -  a range in the form "lower bound..upper bound" indicating the
         minimum and maximum number of objects.
      -  a number that indicates the exact number of objects.
      -  an asterisk indicating any number of objects, including zero.
         Using an asterisk is shorthand for 0..n.
      -  the letter n indicating from 1 to many. Using the letter n is
         shorthand for 1..n.

   o  A class that has an association may have a "w" next to the line
      representing the association. This is called a weak association
      and is discussed in [PCIM].

   It should be noted that the UML static class diagram presented is a
   conceptual view of IPsec policy designed to aid in understanding. It
   does not necessarily get translated class for class into another
   representation. For example, an LDAP implementation may flatten out
   the representation to fewer classes (because of the inefficiency of
   following references).

3. IPsec Policy Model Inheritance Hierarchy

   Like PCIM, from which it is derived, the IPsec Configuration Policy
   Model derives from and uses classes defined in the DMTF Common
   Information Model (CIM). The following tree represents the
   inheritance hierarchy for the IPsec policy model classes and how
   they fit into PCIM and the other DMTF models (see the Appendices for
   descriptions of classes that are not being introduced as part of the
   IPsec model). CIM classes that are not used as a superclass from
   which to derive new classes but are only referenced are not included
   in this inheritance hierarchy, but are included in the appropriate
   appendix.
   ManagedElement (DMTF Core Model - Appendix A)
      |
      +--Collection (DMTF Core Model - Appendix A)
      |  |
      |  +--PeerIdentityTable
      |
      +--ManagedSystemElement (DMTF Core Model - Appendix A)
      |  |
      |  +--LogicalElement (DMTF Core Model - Appendix A)
      |     |
      |     +--FilterEntryBase (DMTF Network Model - Appendix C)
      |     |  |
      |     |  +--CredentialFilterEntry
      |     |  |
      |     |  +--IPSOFilterEntry
      |     |  |
      |     |  +--PeerIDPayloadFilterEntry
      |     |
      |     +--PeerGateway
      |     |
      |     +--PeerIdentityEntry
      |     |
      |     +--Service (DMTF Core Model - Appendix A)
      |        |
      |        +--NetworkService (DMTF Network Model - Appendix C)
      |           |
      |           +--IKEService
      |
      +--OrganizationalEntity (DMTF User Model - Appendix B)
      |  |
      |  +--UserEntity (DMTF User Model - Appendix B)
      |     |
      |     +--UsersAccess (DMTF User Model - Appendix B)
      |        |
      |        +--IKEIdentity
      |
      +--Policy (PCIM)
      |  |
      |  +--PolicyAction (PCIM)
      |  |  |
      |  |  +--SAAction
      |  |     |
      |  |     +--SANegotiationAction
      |  |     |  |
      |  |     |  +--IKEAction
      |  |     |  |
      |  |     |  +--IPsecAction
      |  |     |     |
      |  |     |     +--IPsecTransportAction
      |  |     |     |
      |  |     |     +--IPsecTunnelAction
      |  |     |
      |  |     +--SAStaticAction
      |  |        |
      |  |        +--IKERejectAction
      |  |        |
      |  |        +--IPsecBypassAction
      |  |        |
      |  |        +--IPsecDiscardAction
      |  |        |
      |  |        +--PreconfiguredSAAction
      |  |           |
      |  |           +--PreconfiguredTransportAction
      |  |           |
      |  |           +--PreconfiguredTunnelAction
      |  |
      |  +--PolicyCondition (PCIM)
      |  |  |
      |  |  +--SACondition
      |  |
      |  +--PolicyGroup (PCIM)
      |  |  |
      |  |  +--IPsecPolicyGroup
      |  |
      |  +--PolicyRule (PCIM)
      |  |  |
      |  |  +--SARule
      |  |     |
      |  |     +--IKERule
      |  |     |
      |  |     +--IPsecRule
      |  |
      |  +--SAProposal
      |  |  |
      |  |  +--IKEProposal
      |  |  |
      |  |  +--IPsecProposal
      |  |
      |  +--SATransform
      |     |
      |     +--AHTransform
      |     |
      |     +--ESPTransform
      |     |
      |     +--IPCOMPTransform
      |
      +--Setting (DMTF Core Model - Appendix A)
      |  |
      |  +--SystemSetting (DMTF Core Model - Appendix A)
      |     |
      |     +--AutostartIKESetting
      |
      +--SystemConfiguration (DMTF Core Model - Appendix A)
         |
         +--AutostartIKEConfiguration

   The following tree represents the inheritance hierarchy of the IPsec
   policy model association classes and how they fit into PCIM and the
   other DMTF models (see the Appendices for descriptions of association
   classes that are not being introduced as part of the IPsec model).

   Dependency (DMTF Core Model - Appendix A)
      |
      +--AcceptCredentialsFrom
      |
      +--ElementAsUser (DMTF User Model - Appendix B)
      |  |
      |  +--EndpointHasLocalIKEIdentity
      |  |
      |  +--CollectionHasLocalIKEIdentity
      |
      +--FilterOfSACondition
      |
      +--HostedPeerGatewayInformation
      |
      +--HostedPeerIdentityTable
      |
      +--IKEAutostartConfiguration
      |
      +--IKEServiceForEndpoint
      |
      +--IKEServicePeerGateway
      |
      +--IKEServicePeerIdentityTable
      |
      +--IKEUsesCredentialManagementService
      |
      +--IPsecPolicyForEndpoint
      |
      +--PeerGatewayForTunnel
      |
      +--PolicyInSystem (PCIM)
      |  |
      |  +--PolicyGroupInSystem (PCIM)
      |  |
      |  +--SAProposalInSystem
      |  |
      |  +--SATransformInSystem
      |
      +--IPsecPolicyForSystem
      |
      +--TransformOfPreconfiguredAction
      |
      +--UsersCredential (DMTF User Model - Appendix B)
         |
         +--IKEIdentitysCredential

   ElementSetting (DMTF Core Model - Appendix A)
      |
      +--IKEAutostartSetting

   MemberOfCollection (DMTF Core Model - Appendix A)
      |
      +--PeerIdentityMember

   PolicyComponent (PCIM)
      |
      +--ContainedProposal
      |
      +--ContainedTransform
      |
      +--PolicyActionInPolicyRule (PCIM)
      |  |
      |  +--SAActionInRule
      |
      +--PolicyConditionInPolicyRule (PCIM)
      |  |
      |  +--SAConditionInRule
      |
      +--PolicyGroupInPolicyGroup (PCIM)
      |  |
      |  +--IPsecPolicyGroupInPolicyGroup
      |
      +--PolicyRuleInPolicyGroup (PCIM)
         |
         +--RuleForIKENegotiation
         |
         +--RuleForIPsecNegotiation

   SystemSettingContext (DMTF Core Model - Appendix A)
      |
      +--AutostartIKESettingContext

4.  Policy Classes

   The IPsec policy classes represent the set of policies that are
   contained on a system.

        +--------------------+
        | IPProtocolEndpoint |
        |    (Appendix C)    |
        +--------------------+
                  | *
                  |
        (a)       | (b)
   +------+       |
   |      |*      | 0..1
   |   *+------------------+0..1     (c)      *+------------+
   +---o| IPsecPolicyGroup |-------------------|   System   |
        +------------------+                   |(Appendix A)|
        1 o              o 1                   +------------+
      (d) |              | (e)
   +------+              +-----------------------------------+
   |                                                        |
   |               +---------------------------+            |
   |               | PolicyTimePeriodCondition |            |
   |               |       (see [PCIM])        |            |
   |               +---------------------------+            |
   |                            *|                         |
   |                             | (f)                     |
   |                            *o                         |
   |  +-------------+n      *+--------+*      n+----------+  |
   |  | SACondition |------o| SARule |o-------| SAAction |  |
   |  +-------------+  (g)   +--------+  (h)   +----------+  |
   |                             ^                         |
   |                             |                         |
   |                    +--------+--------+                |
   |                    |                 |                |
   |              *+---------+       +-----------+*        |
   +---------------| IKERule |       | IPsecRule |-----------+
                   +---------+       +-----------+

   (a) IPsecPolicyGroupInPolicyGroup
   (b) IPsecPolicyForEndpoint
   (c) IPsecPolicyForSystem
   (d) RuleForIKENegotiation
   (e) RuleForIPsecNegotiation
   (f) PolicyRuleValidityPeriod (see [PCIM])
   (g) SAConditionInRule
   (h) SAActionInRule

   An IPsecPolicyGroup represents the set of policies that are used on
   an interface.  This IPsecPolicyGroup SHOULD be associated either
   directly with the IPProtocolEndpoint class instance that represents
   the interface (via the IPsecPolicyForEndpoint association) or
   indirectly (via the IPsecPolicyForSystem association) with the
   System that hosts the interface.
4.1.  The Class IPsecPolicyGroup

   The class IPsecPolicyGroup serves as a container of either other
   IPsecPolicyGroups or a set of IKERules and a set of IPsecRules.  The
   class definition for IPsecPolicyGroup is as follows:

   NAME         IPsecPolicyGroup
   DESCRIPTION  Either a set of IPsecPolicyGroups or a set of IKERules
                and a set of IPsecRules.
   DERIVED FROM PolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyGroupName (from PolicyGroup)

   NOTE: for derivations of the schema that are used for policy
   distribution to an IPsec device (for example, COPS-PR), the server
   may follow all of the IPsecPolicyGroupInPolicyGroup associations and
   create one policy group which is simply a set of all of the IKE
   rules and a set of all of the IPsec rules.  See the section on the
   IPsecPolicyGroupInPolicyGroup aggregation for information on merging
   multiple IPsecPolicyGroups.

4.2.  The Class SARule

   The class SARule serves as a base class for IKERule and IPsecRule.
   Even though the class is concrete, it MUST NOT be instantiated.  It
   defines a common connection point for associations to conditions and
   actions for both types of rules.  Through its derivation from
   PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
   the PolicyRuleValidityPeriod association.

   An SARule inherits the property Priority from PolicyRule.  Since
   there is a need for an unambiguous ordering of rules in an IPsec
   system, all SARules contained within an IPsecPolicyGroup must have
   unique priority values.

   The class definition for SARule is as follows:

   NAME         SARule
   DESCRIPTION  A base class for IKERule and IPsecRule.
   DERIVED FROM PolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyRuleName (from PolicyRule)
                Enabled (from PolicyRule)
                ConditionListType (from PolicyRule)
                LimitNegotiation

4.2.1.  The Property LimitNegotiation

   The property LimitNegotiation is used as part of processing either
   an IKE or an IPsec rule.

   Before proceeding with a phase 1 negotiation, this property is
   checked to determine if the negotiation role of the rule matches
   that defined for the negotiation being undertaken (e.g., Initiator,
   Responder, or Both).  If this check fails (e.g., the current role is
   IKE responder while the rule specifies IKE initiator), then the IKE
   negotiation is stopped.  Note that this only applies to new IKE
   phase 1 negotiations and has no effect on either renegotiation or
   refresh operations with peers for which an established SA already
   exists.

   Before proceeding with a phase 2 negotiation, the LimitNegotiation
   property of the IPsecRule is first checked to determine if the
   negotiation role indicated for the rule matches that of the current
   negotiation (Initiator, Responder, or Either).  Note that this limit
   applies only to new phase 2 negotiations.  It is ignored when an
   attempt is made to refresh an expiring SA (either side can initiate
   a refresh operation).  The IKE system can determine that the
   negotiation is a refresh operation by checking to see if the
   selector information matches that of an existing SA.  If
   LimitNegotiation does not match and the selector corresponds to a
   new SA, the negotiation is stopped.

   The property is defined as follows:

   NAME         LimitNegotiation
   DESCRIPTION  Limits the role to be undertaken during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - initiator-only
                2 - responder-only
                3 - both

4.3.  The Class IKERule

   The class IKERule associates Conditions and Actions for IKE phase 1
   negotiations.  The class definition for IKERule is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 1
                negotiations.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule, plus
                IdentityContexts

4.3.1.  The Property IdentityContexts

   The IKE service of a security endpoint may have multiple identities
   for use in different situations.  The combination of the interface
   (represented by the IPProtocolEndpoint), the identity type (as
   specified in the IKEAction) and the IdentityContexts specifies a
   unique identity.

   The IdentityContexts property specifies the context used to select
   the relevant IKE identity to be used during the subsequent
   IKEAction.  A context may be a VPN name or other identifier for
   selecting the appropriate identity for use on the protected
   IPProtocolEndpoint.

   IdentityContexts is an array of strings.  The multiple values in the
   array are ORed together in evaluating the IdentityContexts.  Each
   value in the array may be the composition of multiple context names.
   So, a single value may be a single context name (e.g.,
   "CompanyXVPN") or it may be a combination of contexts.  When an
   array value is a composition, the individual values are ANDed
   together for evaluation purposes and the syntax is:

      <ContextName>[&&<ContextName>]*

   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2).  So, for example,
   the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
   "CompanyZVPN&&Confidential" mean that, for the appropriate
   IPProtocolEndpoint and IdentityType, the contexts are matched if the
   identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
   "CompanyZVPN&&Confidential".

   The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  Specifies the context in which to select the IKE
                identity.
   SYNTAX       string array

4.4.  The Class IPsecRule

   The class IPsecRule associates Conditions and Actions for IKE phase
   2 negotiations for the IPsec DOI.  The class definition for
   IPsecRule is as follows:

   NAME         IPsecRule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 2
                negotiations for the IPsec DOI.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.5.  The Aggregation Class IPsecPolicyGroupInPolicyGroup

   The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec
   policies to be combined into one effective policy.  See [PCIM] for a
   description of how policies are merged (see also the property
   GroupPriority).  The class definition for
   IPsecPolicyGroupInPolicyGroup is as follows:

   NAME         IPsecPolicyGroupInPolicyGroup
   DESCRIPTION  Associates a nested IPsecPolicyGroup with the
                IPsecPolicyGroup that contains it.
   DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref IPsecPolicyGroup [0..n]]
                PartComponent [ref IPsecPolicyGroup [0..n]]
                GroupPriority

4.5.1.  The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyGroupInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance.  The [0..n] cardinality indicates that a
   given IPsecPolicyGroup instance may be a part of zero or more
   containing IPsecPolicyGroup instances (i.e., there may be zero or
   more GroupComponent references per PartComponent).

4.5.2.  The Reference PartComponent

   The property PartComponent is inherited from
   PolicyGroupInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance.  The [0..n] cardinality indicates that a
   given IPsecPolicyGroup instance may contain zero or more
   IPsecPolicyGroup instances (i.e., there may be zero or more
   PartComponent references per GroupComponent).

4.5.3.  The Property GroupPriority

   Since policy groups (IPsecPolicyGroup) can contain both rules and
   other policy groups, the relative priorities of the rules of the
   contained groups are established by setting the GroupPriority
   property of IPsecPolicyGroupInPolicyGroup to a unique rule priority
   in the containing group.

   The rules of the nested group are inserted in order at that position
   (i.e., the one indicated by GroupPriority) in the containing group's
   rules.

   The property is defined as follows:

   NAME         GroupPriority
   DESCRIPTION  Specifies the rule priority to be set to all nested
                rules.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between 1 and 2^16-1 inclusive.  Lower values
                have higher precedence (i.e., 1 is the highest
                precedence).  The merging order of two ContainedGroups
                with the same precedence is undefined.

4.6.  The Association Class IPsecPolicyForEndpoint

   The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
   a specific network interface.  If an IPProtocolEndpoint of a system
   does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
   then the IPsecPolicyForSystem-associated IPsecPolicyGroup is used
   for that endpoint.  The class definition for IPsecPolicyForEndpoint
   is as follows:

   NAME         IPsecPolicyForEndpoint
   DESCRIPTION  Associates a policy group to a network interface.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IPProtocolEndpoint [0..n]]
                Dependent [ref IPsecPolicyGroup [0..1]]

4.6.1.  The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an IPProtocolEndpoint instance.  The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may be
   associated with zero or more IPProtocolEndpoint instances.

4.6.2.  The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecPolicyGroup instance.  The [0..1]
   cardinality indicates that an IPProtocolEndpoint instance may have
   an association to at most one IPsecPolicyGroup instance.

4.7.  The Association Class IPsecPolicyForSystem

   The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a
   specific system.  If an IPProtocolEndpoint of a system does not have
   an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
   IPsecPolicyForSystem-associated IPsecPolicyGroup is used for that
   endpoint.  The class definition for IPsecPolicyForSystem is as
   follows:

   NAME         IPsecPolicyForSystem
   DESCRIPTION  Default policy group for a system.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref System [0..n]]
                Dependent [ref IPsecPolicyGroup [0..1]]

4.7.1.  The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [0..n] cardinality
   indicates that an IPsecPolicyGroup instance may have an association
   to zero or more System instances.

4.7.2.  The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecPolicyGroup instance.  The [0..1]
   cardinality indicates that a System instance may have an association
   to at most one IPsecPolicyGroup instance.

4.8.  The Aggregation Class RuleForIKENegotiation

   The class RuleForIKENegotiation associates an IKERule with the
   IPsecPolicyGroup that contains it.  The class definition for
   RuleForIKENegotiation is as follows:

   NAME         RuleForIKENegotiation
   DESCRIPTION  Associates an IKERule with the IPsecPolicyGroup that
                contains it.
   DERIVED FROM PolicyRuleInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref IPsecPolicyGroup [1..1]]
                PartComponent [ref IKERule [0..n]]

4.8.1.  The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyRuleInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance.  The [1..1] cardinality indicates that an
   IKERule instance may be contained in one and only one
   IPsecPolicyGroup instance (i.e., IKERules are not shared across
   IPsecPolicyGroups).

4.8.2.  The Reference PartComponent

   The property PartComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IKERule instance.  The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may contain
   zero or more IKERule instances.

4.9.  The Aggregation Class RuleForIPsecNegotiation

   The class RuleForIPsecNegotiation associates an IPsecRule with the
   IPsecPolicyGroup that contains it.  The class definition for
   RuleForIPsecNegotiation is as follows:

   NAME         RuleForIPsecNegotiation
   DESCRIPTION  Associates an IPsecRule with the IPsecPolicyGroup that
                contains it.
   DERIVED FROM PolicyRuleInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref IPsecPolicyGroup [1..1]]
                PartComponent [ref IPsecRule [0..n]]

4.9.1.  The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyRuleInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance.  The [1..1] cardinality indicates that an
   IPsecRule instance may be contained in only one IPsecPolicyGroup
   instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).

4.9.2.  The Reference PartComponent

   The property PartComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IPsecRule instance.  The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may contain
   zero or more IPsecRule instances.

4.10.  The Aggregation Class SAConditionInRule

   The class SAConditionInRule associates an SARule with the
   SACondition instance(s) that trigger(s) it.  See [PCIM] for the
   usage of the properties GroupNumber and ConditionNegated.  The
   class definition for SAConditionInRule is as follows:

   NAME         SAConditionInRule
   DESCRIPTION  Associates an SARule with the SACondition instance(s)
                that trigger(s) it.
   DERIVED FROM PolicyConditionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref SARule [0..n]]
                PartComponent [ref SACondition [1..n]]
                GroupNumber (from PolicyConditionInPolicyRule)
                ConditionNegated (from PolicyConditionInPolicyRule)

4.10.1.  The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyConditionInPolicyRule and is overridden to refer to an SARule
   instance.  The [0..n] cardinality indicates that an SACondition
   instance may be contained in zero or more SARule instances.

4.10.2.  The Reference PartComponent

   The property PartComponent is inherited from
   PolicyConditionInPolicyRule and is overridden to refer to an
   SACondition instance.  The [1..n] cardinality indicates that an
   SARule instance MUST contain at least one SACondition instance.

4.11.  The Aggregation Class SAActionInRule

   The SAActionInRule class associates an SARule with its ordered
   SAAction(s).  The class definition for SAActionInRule is as follows:

   NAME         SAActionInRule
   DESCRIPTION  Associates an SARule with its SAAction(s).
   DERIVED FROM PolicyActionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref SARule [0..n]]
                PartComponent [ref SAAction [1..n]]
                ActionOrder

4.11.1.  The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyActionInPolicyRule and is overridden to refer to an SARule
   instance.  The [0..n] cardinality indicates that an SAAction
   instance may be contained in zero or more SARule instances.

4.11.2.  The Reference PartComponent

   The property PartComponent is inherited from
   PolicyActionInPolicyRule and is overridden to refer to an SAAction
   instance.  The [1..n] cardinality indicates that an SARule instance
   MUST contain at least one SAAction instance.

4.11.3.  The Property ActionOrder

   The property ActionOrder specifies the relative position of this
   SAAction in the sequence of actions associated with a PolicyRule.
   The ActionOrder MUST be unique so as to provide a deterministic
   order.  In addition, the actions in an SARule are executed as
   follows.

   For an initiator, if there is more than one action in the rule, the
   additional actions are 'backup' actions in the event that the first
   action cannot be completed successfully.  They are tried in
   ActionOrder until the list is exhausted or one completes
   successfully.  For example, an IKE initiator may have several
   IKEActions for the same SACondition.  The initiator will try all
   IKEActions in the order defined by ActionOrder, i.e., it may attempt
   several phase 1 negotiations, possibly with different modes (main
   mode, then aggressive mode) and/or with several different IKE peers.

   For a responder, there can be more than one action in the rule; this
   provides alternative actions depending on the received proposals.
   For example, the same IKERule may be used to handle aggressive mode
   and main mode negotiations with different actions.  The first
   appropriate action in the list of actions is used by the responder.
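   The following Python is an added example and is not part of this
   draft.  It shows how an implementation could apply the rule
   processing described in sections 4.2, 4.2.1, 4.3.1, 4.5.3 and
   4.11.3: merging nested IPsecPolicyGroups at their GroupPriority slot
   while rejecting duplicate priorities, gating a new negotiation on
   LimitNegotiation but exempting a refresh of an existing SA,
   evaluating IdentityContexts as an OR of "&&"-ANDed names, and
   trying SAActions in ActionOrder.  Property names follow the draft;
   the dataclasses, the role constants, the `attempt` callback and the
   sample policy are assumptions made for illustration.

```python
# Added example; not part of the draft.  Property names follow the draft,
# while the dataclasses, role constants, callbacks and sample policy are
# assumptions made for illustration.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple, Union

# LimitNegotiation values (4.2.1); the same numbers name the current role.
INITIATOR_ONLY, RESPONDER_ONLY, BOTH = 1, 2, 3


@dataclass
class SAAction:
    name: str
    action_order: int           # SAActionInRule.ActionOrder, unique per rule


@dataclass
class SARule:
    name: str
    priority: int               # PolicyRule.Priority, unique per group (4.2)
    limit_negotiation: int      # 1, 2 or 3
    actions: List[SAAction]
    identity_contexts: List[str] = field(default_factory=list)  # IKERule only


@dataclass
class IPsecPolicyGroup:
    name: str
    rules: List[SARule] = field(default_factory=list)
    # (GroupPriority, nested group) pairs from IPsecPolicyGroupInPolicyGroup
    nested: List[Tuple[int, "IPsecPolicyGroup"]] = field(default_factory=list)


def flatten_rules(group: IPsecPolicyGroup) -> List[SARule]:
    """Merge nested groups into one ordered rule list (4.1 NOTE, 4.5.3).
    A nested group takes the slot given by its GroupPriority among the
    containing group's rule priorities and its rules expand there in
    order.  Lower value = higher precedence.  A repeated slot is an
    error because the draft leaves its merge order undefined."""
    slots: List[Tuple[int, Union[SARule, IPsecPolicyGroup]]] = (
        [(r.priority, r) for r in group.rules] + list(group.nested))
    keys = [k for k, _ in slots]
    if len(set(keys)) != len(keys):
        raise ValueError(f"duplicate priority in group {group.name}: {keys}")
    ordered: List[SARule] = []
    for _, item in sorted(slots, key=lambda s: s[0]):
        if isinstance(item, IPsecPolicyGroup):
            ordered.extend(flatten_rules(item))
        else:
            ordered.append(item)
    return ordered


def role_permitted(rule: SARule, role: int, is_refresh: bool) -> bool:
    """LimitNegotiation check (4.2.1).  Only new negotiations are gated;
    refreshing an SA whose selectors already match is allowed from
    either side."""
    if is_refresh:
        return True
    return rule.limit_negotiation in (BOTH, role)


def identity_contexts_match(rule: SARule, identity_contexts: List[str]) -> bool:
    """IdentityContexts evaluation (4.3.1): array values are ORed, the
    '&&'-joined names inside one value are ANDed.  Names are compared as
    a set, so the alphabetical order the draft requires in the stored
    string does not affect the outcome.  An empty array is treated here
    as 'no constraint' (an assumption; the draft does not say)."""
    if not rule.identity_contexts:
        return True
    have = set(identity_contexts)
    return any(set(v.split("&&")) <= have for v in rule.identity_contexts)


def select_action(rule: SARule,
                  attempt: Callable[[SAAction], bool]) -> Optional[SAAction]:
    """ActionOrder semantics (4.11.3).  `attempt` either runs an action
    and reports success (initiator: later actions are backups) or
    reports whether the action suits the received proposals (responder:
    the first suitable one is used).  ActionOrder values must be unique."""
    ordered = sorted(rule.actions, key=lambda a: a.action_order)
    orders = [a.action_order for a in ordered]
    if len(set(orders)) != len(orders):
        raise ValueError(f"ActionOrder not unique in rule {rule.name}: {orders}")
    for action in ordered:
        if attempt(action):
            return action
    return None


def sample_policy() -> IPsecPolicyGroup:
    """Constructed sample: a site group nesting a corporate group at
    GroupPriority 5, between its own rules at priorities 1 and 10."""
    corp = IPsecPolicyGroup("corp", rules=[
        SARule("ike-hq", 1, BOTH,
               [SAAction("main-mode", 1), SAAction("aggressive-mode", 2)],
               ["CompanyXVPN", "CompanyYVPN&&TopSecret"])])
    return IPsecPolicyGroup("site", rules=[
        SARule("responder-only", 1, RESPONDER_ONLY, [SAAction("reject", 1)]),
        SARule("to-hq", 10, INITIATOR_ONLY, [SAAction("tunnel", 1)])],
        nested=[(5, corp)])


if __name__ == "__main__":
    for rule in flatten_rules(sample_policy()):
        print(rule.priority, rule.name, rule.limit_negotiation)
```

   The merge keeps the nested group's own rule order intact, which is
   what a COPS-PR style server would need to emit a single flat rule
   list; the uniqueness checks turn the "undefined" cases of 4.5.3 and
   4.11.3 into configuration errors rather than silently picking an
   order.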
   The property is defined as follows:

   [Need an explanation of what the action order means as it replaces
   the fallback association]

   NAME         ActionOrder
   DESCRIPTION  Specifies the order of actions.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between 1 and 2^16-1 inclusive.  Lower values
                have higher precedence (i.e., 1 is the highest
                precedence).  The merging order of two SAActions with
                the same precedence is undefined.

5.  Condition and Filter Classes

   The IPsec condition and filter classes are used to build the "if"
   part of the IKE and IPsec rules.

                       *+-------------+
   +--------------------| SACondition |
   |                    +-------------+
   |                         * |
   |                           |(a)
   |                         1 |
   |                    +--------------+
   |                    |  FilterList  |
   |                    | (Appendix C) |
   |                    +--------------+
   |                         1 o
   |(b)                        |(c)
   |                         * |
   |                  +-----------------+
   |                  | FilterEntryBase |
   |                  |  (Appendix C)   |
   |                  +-----------------+
   |                           ^
   |                           |
   |  +--------------+         |         +-----------------------+
   |  |  FilterEntry |---------+---------| CredentialFilterEntry |
   |  | (Appendix C) |         |         +-----------------------+
   |  +--------------+         |
   |                           |
   |  +-----------------+      |      +--------------------------+
   |  | IPSOFilterEntry |------+------| PeerIDPayloadFilterEntry |
   |  +-----------------+             +--------------------------+
   |
   |           *+-----------------------------+
   +------------| CredentialManagementService |
                |        (Appendix B)         |
                +-----------------------------+

   (a) FilterOfSACondition
   (b) AcceptCredentialsFrom
   (c) EntriesInFilterList (see Appendix C)

5.1.  The Class SACondition

   The class SACondition defines the conditions of rules for IKE and
   IPsec negotiations.  Conditions are associated with policy rules via
   the SAConditionInRule aggregation.  It is used as an anchor point to
   associate various types of filters with policy rules via the
   FilterOfSACondition association.  It also defines whether Credentials
   can be accepted for a particular policy rule via the
   AcceptCredentialsFrom association.

   Associated objects represent components of the condition that may or
   may not apply at a given rule evaluation.  For example, an
   AcceptCredentialsFrom evaluation is only performed when a credential
   is available to be evaluated against the list of trusted credential
   management services.  Similarly, a PeerIDPayloadFilterEntry may only
   be evaluated when an IDPayload value is available to be compared
   with the filter.  Condition components that do not have
   corresponding values with which to evaluate are evaluated as TRUE
   unless the protocol has completed without providing the required
   information.

   The class definition for SACondition is as follows:

   NAME         SACondition
   DESCRIPTION  Defines the preconditions for IKE and IPsec
                negotiations.
   DERIVED FROM PolicyCondition (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyConditionName (from PolicyCondition)

5.2.  The Class FilterEntry

   The class FilterEntry is defined in Appendix C, with the following
   notes:

   1) since actions in the IPsec Policy Model are not part of the
      condition side of the rule, the Action property of each
      FilterEntry is ignored and should be set to "FilterOnly".

   2) to specify 5-tuple filters that are to apply symmetrically (i.e.,
      match traffic in both directions of the same flow between the
      two peers), the Direction property of the FilterList should be
      set to "Mirrored".

5.3.  The Class CredentialFilterEntry

   The class CredentialFilterEntry defines an equivalence class that
   matches credentials of IKE peers.  Each CredentialFilterEntry
   includes a MatchFieldName that is interpreted according to the
   CredentialManagementService(s) associated with the SACondition
   (AcceptCredentialsFrom).

   These credentials can be X.509 certificates, Kerberos tickets, or
   other types of credentials obtained during the Phase 1 exchange.

   The class definition for CredentialFilterEntry is as follows:

   NAME         CredentialFilterEntry
   DESCRIPTION  Specifies a match filter based on the IKE credentials.
   DERIVED FROM FilterEntryBase (see Appendix C)
   ABSTRACT     FALSE
   PROPERTIES   Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchFieldName
                MatchFieldValue
                CredentialType

5.3.1.  The Property MatchFieldName

   The property MatchFieldName specifies the sub-part of the credential
   to match against MatchFieldValue.  The property is defined as
   follows:

   NAME         MatchFieldName
   DESCRIPTION  Specifies which sub-part of the credential to match.
   SYNTAX       string
   VALUE

5.3.2.  The Property MatchFieldValue

   The property MatchFieldValue specifies the value to compare with the
   MatchFieldName in a credential to determine if the credential
   matches this filter entry.  The property is defined as follows:

   NAME         MatchFieldValue
   DESCRIPTION  Specifies the value to be matched by the
                MatchFieldName.
   SYNTAX       string
   VALUE        NB: If the CredentialFilterEntry corresponds to a
                DistinguishedName, this value in the CIM class is
                represented by an ordinary string value.  However, an
                implementation must convert this string to a DER-
                encoded string before matching against the values
                extracted from credentials at runtime.

5.3.3.  The Property CredentialType

   The property CredentialType specifies the particular type of
   credential that is being matched.  The property is defined as
   follows:

   NAME         CredentialType
   DESCRIPTION  Defines the type of IKE credentials.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - X.509 Certificate
                2 - Kerberos Ticket

5.4.  The Class IPSOFilterEntry

   The class IPSOFilterEntry is used to match traffic based on the IP
   Security Options header values (ClassificationLevel and
   ProtectionAuthority) as defined in RFC 1108.  This type of
   FilterEntry is used to adjust the IPsec encryption level according
   to the IPSO classification of the traffic (e.g., secret,
   confidential, restricted, etc.).  The class definition for
   IPSOFilterEntry is as follows:

   NAME         IPSOFilterEntry
   DESCRIPTION  Specifies a match filter based on IP Security
                Options.
   DERIVED FROM FilterEntryBase (see Appendix C)
   ABSTRACT     FALSE
   PROPERTIES   Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchConditionType
                MatchConditionValue

5.4.1.  The Property MatchConditionType

   The property MatchConditionType specifies the IPSO header field that
   will be matched (e.g., traffic classification level or protection
   authority).  The property is defined as follows:

   NAME         MatchConditionType
   DESCRIPTION  Specifies the IPSO header field to be matched.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - ClassificationLevel
                2 - ProtectionAuthority

5.4.2.  The Property MatchConditionValue

   The property MatchConditionValue specifies the value of the IPSO
   header field to be matched against.  The property is defined as
   follows:

   NAME         MatchConditionValue
   DESCRIPTION  Specifies the value of the IPSO header field to be
                matched against.
   SYNTAX       unsigned 16-bit integer
   VALUE        For ClassificationLevel, the values are:
                   61 - TopSecret
                   90 - Secret
                  150 - Confidential
                  171 - Unclassified
                For ProtectionAuthority, the values are:
                    0 - GENSER
                    1 - SIOP-ESI
                    2 - SCI
                    3 - NSA
                    4 - DOE

5.5.  The Class PeerIDPayloadFilterEntry

   The class PeerIDPayloadFilterEntry defines filters used to match ID
   payload values from the IKE protocol exchange.
   PeerIDPayloadFilterEntry permits the specification of certain ID
   payload values such as "*@company.com" or "193.190.125.0/24".

   Obviously this filter applies only to IKERules when acting as a
   responder.  Moreover, this filter can be applied immediately in the
   case of aggressive mode, but its application is to be delayed in the
   case of main mode.  The class definition for
   PeerIDPayloadFilterEntry is as follows:

   NAME         PeerIDPayloadFilterEntry
   DESCRIPTION  Specifies a match filter based on IKE identity.
   DERIVED FROM FilterEntryBase (see Appendix C)
   ABSTRACT     FALSE
   PROPERTIES   Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchIdentityType
                MatchIdentityValue

5.5.1.  The Property MatchIdentityType

   The property MatchIdentityType specifies the type of identity
   provided by the peer in the ID payload.  The property is defined
   as follows:

   NAME         MatchIdentityType
   DESCRIPTION  Specifies the ID payload type.
   SYNTAX       unsigned 16-bit integer
   VALUE         1 - IPv4 Address
                 2 - FQDN
                 3 - User FQDN
                 4 - IPv4 Subnet
                 5 - IPv6 Address
                 6 - IPv6 Subnet
                 7 - IPv4 Address Range
                 8 - IPv6 Address Range
                 9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

5.5.2.  The Property MatchIdentityValue

   The property MatchIdentityValue specifies the filter value for
   comparison with the ID payload, e.g., "*@company.com".  The property
   is defined as follows:

   NAME         MatchIdentityValue
   DESCRIPTION  Specifies the ID payload value.
   SYNTAX       string
   VALUE        NB: The syntax may need to be converted for comparison.
                If the PeerIDPayloadFilterEntry type is a
                DistinguishedName, the name in the MatchIdentityValue
                property is represented by an ordinary string value,
                but this value must be converted into a DER-encoded
                string before matching against the values extracted
                from IKE ID payloads at runtime.  The same applies to
                IPv4 & IPv6 addresses.

                Wildcards can be used as well as the prefix notation
                for IPv4 addresses:
                - a MatchIdentityValue of "*@company.com" will match an
                  ID payload of "JDOE@COMPANY.COM"
                - a MatchIdentityValue of "193.190.125.0/24" will match
                  an ID payload of 193.190.125.10.

5.6.  The Association Class FilterOfSACondition

   The class FilterOfSACondition associates an SACondition with the
   filter specifications (FilterList) that make up the condition.  The
   class definition for FilterOfSACondition is as follows:

   NAME         FilterOfSACondition
   DESCRIPTION  Associates a condition with the filter list that makes
                up the individual condition elements.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref FilterList [1..1]]
                Dependent [ref SACondition [0..n]]

5.6.1.  The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a FilterList instance.  The [1..1]
   cardinality indicates that an SACondition instance MUST be
   associated with one and only one FilterList instance.

5.6.2.  The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an SACondition instance.  The [0..n]
   cardinality indicates that a FilterList instance may be associated
   with zero or more SACondition instances.
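   The following Python is an added example and is not part of this
   draft.  It evaluates a PeerIDPayloadFilterEntry (5.5) in the way the
   examples of 5.5.2 describe (case-insensitive wildcard matching for
   FQDN and User FQDN identities, prefix notation for addresses after
   conversion to binary form, IsNegated applied last) and applies the
   rule from 5.1 that a condition component whose value is not yet
   available evaluates TRUE unless the exchange has completed without
   ever supplying it, which is what makes the main-mode delay of 5.5
   safe.  The IDPayload record, the `exchange_complete` flag, the
   wildcard convention and the ANDing of the entries of the condition's
   single FilterList (5.6) are assumptions made for illustration; the
   identities used in the sample are constructed.

```python
# Added example; not part of the draft.  Property names follow the draft;
# the IDPayload record, the exchange_complete flag, the wildcard rule and
# ANDing the FilterList entries are assumptions made for illustration.
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# MatchIdentityType values from 5.5.1 that this example handles
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_SUBNET = 1, 2, 3, 4
ID_IPV6_ADDR, ID_IPV6_SUBNET = 5, 6
_NAME_TYPES = {ID_FQDN, ID_USER_FQDN}
_ADDR_TYPES = {ID_IPV4_ADDR, ID_IPV4_SUBNET, ID_IPV6_ADDR, ID_IPV6_SUBNET}


@dataclass
class PeerIDPayloadFilterEntry:
    match_identity_type: int
    match_identity_value: str
    is_negated: bool = False      # IsNegated (from FilterEntryBase)


@dataclass
class IDPayload:
    """The identity the peer sent in its IKE ID payload (constructed)."""
    id_type: int
    value: str


def entry_matches(entry: PeerIDPayloadFilterEntry, payload: IDPayload) -> bool:
    """Compare one entry with a present ID payload, before IsNegated."""
    if entry.match_identity_type != payload.id_type:
        return False
    if entry.match_identity_type in _NAME_TYPES:
        # Host names and mail addresses compare case-insensitively;
        # '*' and '?' in MatchIdentityValue act as wildcards (assumption).
        return fnmatch.fnmatchcase(payload.value.lower(),
                                   entry.match_identity_value.lower())
    if entry.match_identity_type in _ADDR_TYPES:
        # 5.5.2: convert both strings to binary form first.  Prefix
        # notation in the filter covers any address or subnet inside it.
        allowed = ipaddress.ip_network(entry.match_identity_value, strict=False)
        offered = ipaddress.ip_network(payload.value, strict=False)
        return offered.version == allowed.version and offered.subnet_of(allowed)
    raise NotImplementedError(f"MatchIdentityType {entry.match_identity_type}")


def evaluate_entry(entry: PeerIDPayloadFilterEntry,
                   payload: Optional[IDPayload],
                   exchange_complete: bool) -> bool:
    """5.1 rule for a component whose value may not be available yet:
    with no ID payload the entry evaluates TRUE (main mode delivers the
    ID late), unless the exchange has completed without ever providing
    one, in which case the required information is missing and the
    entry fails."""
    if payload is None:
        return not exchange_complete
    result = entry_matches(entry, payload)
    return (not result) if entry.is_negated else result


def evaluate_condition(entries: Iterable[PeerIDPayloadFilterEntry],
                       payload: Optional[IDPayload],
                       exchange_complete: bool) -> bool:
    """All entries of the SACondition's single FilterList (5.6) must
    hold; ANDing them is an assumption about FilterList semantics."""
    return all(evaluate_entry(e, payload, exchange_complete) for e in entries)


def sample_results() -> Dict[str, bool]:
    """Constructed sample identities run against the draft's examples."""
    mail = PeerIDPayloadFilterEntry(ID_USER_FQDN, "*@company.com")
    net = PeerIDPayloadFilterEntry(ID_IPV4_ADDR, "193.190.125.0/24")
    return {
        "mail-wildcard": evaluate_entry(
            mail, IDPayload(ID_USER_FQDN, "JDOE@COMPANY.COM"), True),
        "prefix": evaluate_entry(
            net, IDPayload(ID_IPV4_ADDR, "193.190.125.10"), True),
        "id-not-yet-seen": evaluate_entry(mail, None, False),
        "id-never-sent": evaluate_entry(mail, None, True),
    }


if __name__ == "__main__":
    for name, outcome in sample_results().items():
        print(f"{name}: {outcome}")
```

   Note that the type check comes first: a User FQDN filter never
   matches an FQDN payload carrying the same text, which keeps a peer
   from satisfying a mail-address filter with a host-name identity.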
The Association Class AcceptCredentialFrom 1344 The class AcceptCredentialFrom specifies which credential management 1345 services (e.g., a CertificateAuthority or a Kerberos service) are to 1346 be trusted to certify peer credentials. This is used to validate 1347 that the credential being matched in the CredentialFilterEntry is a 1348 valid credential that has been supplied by an approved 1349 CredentialManagementService. If a CredentialManagementService is 1350 specified and a corresponding CredentialFilterEntry is used, but the 1351 credential supplied by the peer is not certified by that 1352 CredentialManagementService (or one of the 1353 CredentialManagementServices in its trust hierarchy), the 1354 CredentialFilterEntry is deemed not to match. If a credential is 1355 certified by a CredentialManagementService in the 1356 AcceptCredentialFrom list of services but there is no 1357 CredentialFilterEntry, this is considered equivalent to a 1358 CredentialFilterEntry that matches all credentials from those 1359 services. 1361 The class definition for AcceptCredentialFrom is as follows: 1363 NAME AcceptCredentialFrom 1364 DESCRIPTION Associates a condition with the credential management 1365 services to be trusted. 1366 DERIVED FROM Dependency (see Appendix A) 1367 ABSTRACT FALSE 1368 PROPERTIES Antecedent [ref CredentialManagementService[0..n]] 1369 Dependent [ref SACondition[0..n]] 1371 5.7.1. The Reference Antecedent 1373 The property Antecedent is inherited from Dependency and is 1374 overridden to refer to a CredentialManagementService instance. The 1375 [0..n] cardinality indicates that an SACondition instance may be 1376 associated with zero or more CredentialManagementService instances. 1378 5.7.2. The Reference Dependent 1380 The property Dependent is inherited from Dependency and is 1381 overridden to refer to an SACondition instance.
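The two evaluations described in 5.5 and 5.7 above (wildcard and prefix comparison of the ID payload with IsNegated applied, and the rule that a credential counts only if certified by a listed CredentialManagementService or one below it in its trust hierarchy, a missing CredentialFilterEntry matching every credential from those services), as an added worked example in Python. This code is not part of the draft or of any IPsec implementation. The Credential shape (issuer plus subject), the subordinate-service trust walk, the AND of all filter entries of a FilterList, and the canonical-string comparison for the DN, GeneralName and Key ID types are assumptions made for illustration.

```python
"""Evaluating an SACondition's peer identity and credential constraints.

Added example, not from the draft. Class and property names follow sections
5.5 and 5.7; the MatchIdentityType numbers follow the table in 5.5.1. The
Credential shape, the subordinate-service trust walk and the AND of all
filter entries are assumptions made for illustration.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# MatchIdentityType values (section 5.5.1)
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_SUBNET = 1, 2, 3, 4
ID_IPV6_ADDR, ID_IPV6_SUBNET = 5, 6
_ADDRESS_TYPES = {ID_IPV4_ADDR, ID_IPV4_SUBNET, ID_IPV6_ADDR, ID_IPV6_SUBNET}


@dataclass
class PeerIDPayloadFilterEntry:
    match_identity_type: int
    match_identity_value: str
    is_negated: bool = False  # inherited from FilterEntryBase

    def matches(self, id_type: int, id_value: str) -> bool:
        """Compare one IKE ID payload (type, value) with this entry."""
        if id_type in _ADDRESS_TYPES and self.match_identity_type in _ADDRESS_TYPES:
            # Prefix notation: "193.190.125.0/24" matches an ID of 193.190.125.10.
            # A bare address becomes a /32 (or /128) network for the comparison;
            # an IPv4 payload never matches an IPv6 filter value or vice versa.
            payload = ipaddress.ip_network(id_value, strict=False)
            wanted = ipaddress.ip_network(self.match_identity_value, strict=False)
            hit = payload.version == wanted.version and payload.subnet_of(wanted)
        elif id_type != self.match_identity_type:
            hit = False
        elif id_type in (ID_FQDN, ID_USER_FQDN):
            # Names compare case-insensitively and '*' is a wildcard, so
            # "*@company.com" matches "JDOE@COMPANY.COM".
            hit = fnmatch.fnmatchcase(id_value.lower(), self.match_identity_value.lower())
        else:
            # DN, GeneralName, Key ID: the draft expects the string value to be
            # converted to the payload's encoding first; here both sides are
            # assumed to already be in the same canonical string form.
            hit = id_value == self.match_identity_value
        return (not hit) if self.is_negated else hit


@dataclass
class CredentialManagementService:
    name: str
    # Services below this one in its trust hierarchy (e.g. issuing CAs under a root).
    subordinates: list = field(default_factory=list)

    def certifies(self, issuer: str) -> bool:
        """True if `issuer` is this service or one in its trust hierarchy."""
        return self.name == issuer or any(s.certifies(issuer) for s in self.subordinates)


@dataclass
class Credential:
    issuer: str   # assumed: name of the service that certified it
    subject: str  # assumed: the name the credential binds


@dataclass
class SACondition:
    peer_id_filters: list                     # via FilterOfSACondition -> FilterList
    accept_credential_from: list              # via AcceptCredentialFrom
    credential_filter: Optional[str] = None   # CredentialFilterEntry, reduced to a subject pattern

    def credential_ok(self, cred: Credential) -> bool:
        if self.accept_credential_from and not any(
                cms.certifies(cred.issuer) for cms in self.accept_credential_from):
            return False  # not certified by a trusted service: deemed not to match
        if self.credential_filter is None:
            return True   # equivalent to a filter matching all credentials from those services
        return fnmatch.fnmatchcase(cred.subject, self.credential_filter)

    def matches(self, id_type: int, id_value: str, cred: Credential) -> bool:
        """Every filter entry must match (assumed AND semantics) and the credential must pass."""
        return all(f.matches(id_type, id_value) for f in self.peer_id_filters) \
            and self.credential_ok(cred)
```

Because the ID payload of main mode is only available after the encrypted identity exchange, a responder can run `matches` on message 1 of aggressive mode but must defer it in main mode, exactly as 5.5 says.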
The [0..n] 1382 cardinality indicates that a CredentialManagementService instance 1383 may be associated with zero or more SACondition instances. 1385 6. Action Classes 1387 The action classes are used to model the different actions an IPsec 1388 device may take when the evaluation of the associated condition 1389 results in a match. 1391 +----------+ 1392 | SAAction | 1393 +----------+ 1394 ^ 1395 | 1396 +-----------+--------------+ 1397 | | 1398 *+----------------+ +---------------------+* 1399 | SAStaticAction | | SANegotiationAction |o-----+ 1400 +----------------+ +---------------------+ | 1401 ^ ^ | 1402 | | | 1403 | +-----------+-------+ | 1404 | | | | 1405 +-------------------+ | +-------------+ +-----------+ | 1406 | IPsecBypassAction |---+ | IPsecAction | | IKEAction | | 1407 +-------------------+ | +-------------+ +-----------+ | 1408 | ^ | 1409 +--------------------+ | | +----------------------+ | 1410 | IPsecDiscardAction |---+ +----| IPsecTransportAction | | 1411 +--------------------+ | | +----------------------+ | 1412 | | | 1413 +-----------------+ | | +-------------------+ | 1414 | IKERejectAction |---+ +----| IPsecTunnelAction | | 1415 +-----------------+ | +-------------------+ | 1416 | *| | 1417 | +--------------+ | 1418 | | | 1419 +-----------------------+ | | +--------------+n | 1420 | PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+ 1421 +-----------------------+ | +--------------+ (b) 1422 ^ | 1423 | | *+-------------+ 1424 +---------------------+ +-------| PeerGateway | 1425 | +-------------+ 1426 +-----------------------------+ | *w| 1427 | PreconfiguredTransportAction|--+ |(c) 1428 +-----------------------------+ | 1| 1429 | +--------------+ 1430 +-----------------------------+ | | System | 1431 | PreconfiguredTunnelAction |--+ | (Appendix A) | 1432 +-----------------------------+ +--------------+ 1433 *| 1434 | 1..3+---------------+ 1435 +-------| [SATransform] | 1436 (d) +---------------+ 1438 (a) PeerGatewayForTunnel 1439
(b) ContainedProposal 1440 (c) HostedPeerGatewayInformation 1441 (d) TransformOfPreconfiguredAction 1443 6.1. The Class SAAction 1445 The class SAAction serves as the base class for IKE and IPsec 1446 actions. Although the class is concrete, it MUST NOT be 1447 instantiated. It is used for aggregating different types of actions 1448 to IKE and IPsec rules. The class definition for SAAction is as 1449 follows: 1451 NAME SAAction 1452 DESCRIPTION The base class for IKE and IPsec actions. 1453 DERIVED FROM PolicyAction (see [PCIM]) 1454 ABSTRACT FALSE 1455 PROPERTIES PolicyActionName (from PolicyAction) 1456 DoActionLogging 1457 DoPacketLogging 1459 6.1.1. The Property DoActionLogging 1461 The property DoActionLogging specifies whether a log message is to 1462 be generated when the action is performed (even if the action 1463 fails). The property is defined as follows: 1465 NAME DoActionLogging 1466 DESCRIPTION Specifies whether to log when the action is 1467 performed. 1468 SYNTAX boolean 1469 VALUE true - a log message is to be generated when the action is 1470 performed. 1471 false - no log message is to be generated when the action 1472 is performed. 1474 6.1.2. The Property DoPacketLogging 1476 The property DoPacketLogging specifies whether a log message is to 1477 be generated when the resulting security association is used to 1478 process a packet. If the action successfully executes and results 1479 in the creation of one or several security associations, the value 1480 of DoPacketLogging SHOULD be propagated to an optional field of the 1481 SADB. This optional field should be used to decide whether a log 1482 message is to be generated when the SA is used to process a packet. 1483 The property is defined as follows: 1485 NAME DoPacketLogging 1486 DESCRIPTION Specifies whether to log when the resulting 1487 security association is used to process a packet.
1488 SYNTAX boolean 1489 VALUE true - a log message is to be generated when the 1490 resulting security association is used to process a 1491 packet. 1492 false - no log message is to be generated. 1494 6.2. The Class SAStaticAction 1496 The class SAStaticAction serves as the base class for IKE and IPsec 1497 actions that do not require any negotiation. Although the class is 1498 concrete, it MUST NOT be instantiated. The class definition for 1499 SAStaticAction is as follows: 1501 NAME SAStaticAction 1502 DESCRIPTION The base class for IKE and IPsec actions that do not 1503 require any negotiation. 1504 DERIVED FROM SAAction 1505 ABSTRACT FALSE 1506 PROPERTIES LifetimeSeconds 1508 6.2.1. The Property LifetimeSeconds 1510 The property LifetimeSeconds specifies how long the security 1511 association derived from this action should be used. The property 1512 is defined as follows: 1514 NAME LifetimeSeconds 1515 DESCRIPTION Specifies the amount of time (in seconds) that a 1516 security association derived from this action should be 1517 used. 1518 SYNTAX unsigned 32-bit integer 1519 VALUE A value of zero indicates that there is no lifetime 1520 associated with this action (i.e., infinite lifetime). 1521 A non-zero value is typically used in conjunction with 1522 alternate SAActions performed when there is a 1523 negotiation failure of some sort. 1525 6.3. The Class IPsecBypassAction 1527 The class IPsecBypassAction is used when packets are allowed to be 1528 processed without applying IPsec encapsulation to them. This is the 1529 same as stating that packets are allowed to flow in the clear. The 1530 class definition for IPsecBypassAction is as follows: 1532 NAME IPsecBypassAction 1533 DESCRIPTION Specifies that packets are to be allowed to pass in the 1534 clear. 1535 DERIVED FROM SAStaticAction 1536 ABSTRACT FALSE 1538 6.4. The Class IPsecDiscardAction 1539 The class IPsecDiscardAction is used when packets are to be 1540 discarded.
This is the same as stating that packets are to be 1541 denied. The class definition for IPsecDiscardAction is as follows: 1543 NAME IPsecDiscardAction 1544 DESCRIPTION Specifies that packets are to be discarded. 1545 DERIVED FROM SAStaticAction 1546 ABSTRACT FALSE 1548 6.5. The Class IKERejectAction 1550 The class IKERejectAction is used to prevent attempting an IKE 1551 negotiation with the peer(s). The main use of this class is to 1552 prevent some denial of service attacks when acting as IKE responder. 1553 It goes beyond a plain discard of UDP/500 IKE packets because the 1554 SACondition can be based on a specific PeerIDPayloadFilterEntry (when 1555 aggressive mode is used, since only then is the ID payload available before any Diffie-Hellman work is done). The class definition for IKERejectAction 1556 is as follows: 1558 NAME IKERejectAction 1559 DESCRIPTION Specifies that an IKE negotiation should not even be 1560 attempted or continued. 1561 DERIVED FROM SAStaticAction 1562 ABSTRACT FALSE 1564 6.6. The Class PreconfiguredSAAction 1566 The class PreconfiguredSAAction is used to create a security 1567 association using preconfigured, hard-wired algorithms and keys. 1569 Notes: 1571 - the SPI for a PreconfiguredSAAction is contained in the 1572 association, TransformOfPreconfiguredAction; 1574 - the session key (if applicable) is contained in an instance of the 1575 class SharedSecret (see appendix B). The session key is stored in 1576 the property secret, the property protocol contains either "ESP" 1577 or "AH", the property algorithm contains the algorithm used to 1578 protect the secret (can be "PLAINTEXT" if the IPsec entity has no 1579 protected secret storage), and the value of the property RemoteID is the 1580 concatenation of the remote IPsec peer IP address in dotted 1581 decimal, of the character "/", and of the hexadecimal 1582 representation of the SPI. 1584 Although the class is concrete, it MUST NOT be instantiated.
The 1585 class definition for PreconfiguredSAAction is as follows: 1587 NAME PreconfiguredSAAction 1588 DESCRIPTION Specifies preconfigured algorithm and keying 1589 information for creation of a security association. 1590 DERIVED FROM SAStaticAction 1591 ABSTRACT FALSE 1592 PROPERTIES LifetimeKilobytes 1594 6.6.1. The Property LifetimeKilobytes 1596 The property LifetimeKilobytes specifies a traffic limit in 1597 kilobytes that can be consumed before the SA is deleted. The 1598 property is defined as follows: 1600 NAME LifetimeKilobytes 1601 DESCRIPTION Specifies the SA lifetime in kilobytes. 1602 SYNTAX unsigned 32-bit integer 1603 VALUE A value of zero indicates that there is no lifetime 1604 associated with this action (i.e., infinite lifetime). 1605 A non-zero value is used to indicate that after this 1606 amount of kilobytes has been consumed the SA must be 1607 deleted from the SADB. 1609 6.7. The Class PreconfiguredTransportAction 1611 The class PreconfiguredTransportAction is used to create an IPsec 1612 transport-mode security association using preconfigured, hard-wired 1613 algorithms and keys. The class definition for 1614 PreconfiguredTransportAction is as follows: 1616 NAME PreconfiguredTransportAction 1617 DESCRIPTION Specifies preconfigured algorithm and keying 1618 information for creation of an IPsec transport-mode security 1619 association. 1620 DERIVED FROM PreconfiguredSAAction 1621 ABSTRACT FALSE 1623 6.8. The Class PreconfiguredTunnelAction 1625 The class PreconfiguredTunnelAction is used to create an IPsec 1626 tunnel-mode security association using preconfigured, hard-wired 1627 algorithms and keys. The class definition for PreconfiguredTunnelAction 1628 is as follows: 1630 NAME PreconfiguredTunnelAction 1631 DESCRIPTION Specifies preconfigured algorithm and keying 1632 information for creation of an IPsec tunnel-mode 1633 security association.
1634 DERIVED FROM PreconfiguredSAAction 1635 ABSTRACT FALSE 1636 PROPERTIES PeerGatewayAddressType 1637 PeerGatewayAddress 1638 DFHandling 1640 6.8.1. The Property PeerGatewayAddressType 1642 The property PeerGatewayAddressType specifies the format of the 1643 PeerGatewayAddress property. Addresses that can be formatted in 1644 IPv4 format must be formatted that way to ensure mixed IPv4/IPv6 1645 support. When the tunnel peer is not a security gateway, this 1646 property value is set to 0. The property is defined as follows: 1648 NAME PeerGatewayAddressType 1649 DESCRIPTION Specifies the format of PeerGatewayAddress. 1650 SYNTAX unsigned 16-bit integer 1651 VALUE 0 - unknown 1652 1 - IPv4 1653 2 - IPv6 1655 6.8.2. The Property PeerGatewayAddress 1657 The property PeerGatewayAddress specifies the IP address of the 1658 tunnel peer security gateway formatted according to the appropriate 1659 convention as defined in the PeerGatewayAddressType property of this 1660 class (e.g., 171.79.6.40). When the tunnel peer is not a security 1661 gateway, this property value is set to NULL. The property is 1662 defined as follows: 1664 NAME PeerGatewayAddress 1665 DESCRIPTION Specifies the IP address of the tunnel peer. 1666 SYNTAX string 1667 VALUE A NULL value has a special meaning: the 1668 IP address of the actual remote IKE entity is the 1669 destination IP address of the IP packet that triggered 1670 the SARule. Otherwise, the value is a string representation 1671 of an IPv4 or IPv6 address. 1673 6.8.3. The Property DFHandling 1675 The property DFHandling specifies how the Don't Fragment bit of the 1676 internal IP header is to be handled during IPsec processing. The 1677 property is defined as follows: 1679 NAME DFHandling 1680 DESCRIPTION Specifies the processing of the DF bit. 1681 SYNTAX unsigned 16-bit integer 1682 VALUE 1 - Copy the DF bit from the internal IP header to the 1683 external IP header. 1684 2 - Set the DF bit of the external IP header to 1.
1685 3 - Clear the DF bit of the external IP header to 0. 1687 6.9. The Class SANegotiationAction 1689 The class SANegotiationAction serves as the base class for IKE and 1690 IPsec actions that result in an IKE negotiation. Although the class 1691 is concrete, it MUST NOT be instantiated. The class definition for 1692 SANegotiationAction is as follows: 1694 NAME SANegotiationAction 1695 DESCRIPTION A base class for IKE and IPsec actions that specifies 1696 the parameters that are common for IKE phase 1 and IKE 1697 phase 2 IPsec DOI negotiations. 1699 DERIVED FROM SAAction 1700 ABSTRACT FALSE 1701 PROPERTIES MinLifetimeSeconds 1702 MinLifetimeKilobytes 1703 RefreshThresholdSeconds 1704 RefreshThresholdKilobytes 1705 IdleDurationSeconds 1707 6.9.1. The Property MinLifetimeSeconds 1709 The property MinLifetimeSeconds specifies the minimum seconds 1710 lifetime that will be accepted from the peer. MinLifetimeSeconds is 1711 used to prevent certain denial of service attacks where the peer 1712 requests an arbitrarily low lifetime value, causing renegotiations 1713 with correspondingly expensive Diffie-Hellman operations. The 1714 property is defined as follows: 1716 NAME MinLifetimeSeconds 1717 DESCRIPTION Specifies the minimum acceptable seconds lifetime. 1718 SYNTAX unsigned 32-bit integer 1719 VALUE A value of zero indicates that there is no minimum 1720 value. A non-zero value specifies the minimum seconds 1721 lifetime. 1723 6.9.2. The Property MinLifetimeKilobytes 1725 The property MinLifetimeKilobytes specifies the minimum kilobytes 1726 lifetime that will be accepted from the peer. MinLifetimeKilobytes 1727 is used to prevent certain denial of service attacks where the peer 1728 requests an arbitrarily low lifetime value, causing renegotiations 1729 with correspondingly expensive Diffie-Hellman operations.
Note that 1730 there has been considerable debate regarding the usefulness of 1731 applying kilobyte lifetimes to IKE phase 1 security associations, so 1732 it is likely that this property will only apply to the sub-class 1733 IPsecAction. The property is defined as follows: 1735 NAME MinLifetimeKilobytes 1736 DESCRIPTION Specifies the minimum acceptable kilobytes lifetime. 1737 SYNTAX unsigned 32-bit integer 1738 VALUE A value of zero indicates that there is no minimum 1739 value. A non-zero value specifies the minimum 1740 kilobytes lifetime. 1742 6.9.3. The Property RefreshThresholdSeconds 1744 The property RefreshThresholdSeconds specifies what percentage of 1745 the seconds lifetime can expire before IKE should attempt to 1746 renegotiate the security association. A random value may be added 1747 to the calculated threshold (percentage x seconds lifetime) to 1748 reduce the chance of both peers attempting to renegotiate at the 1749 same time. The property is defined as follows: 1751 NAME RefreshThresholdSeconds 1752 DESCRIPTION Specifies the percentage of seconds lifetime that has 1753 expired before the security association is 1754 renegotiated. 1755 SYNTAX unsigned 8-bit integer 1756 VALUE A value between 1 and 100 representing a percentage. A 1757 value of 100 indicates that the security association 1758 should not be renegotiated until the seconds lifetime 1759 has been reached. 1761 6.9.4. The Property RefreshThresholdKilobytes 1763 The property RefreshThresholdKilobytes specifies what percentage of 1764 the kilobyte lifetime can expire before IKE should attempt to 1765 renegotiate the IPsec security association. A random value may be 1766 added to the calculated threshold (percentage x kilobyte lifetime) 1767 to reduce the chance of both peers attempting to renegotiate at the 1768 same time. Note, that as with the property MinLifetimeKilobytes, 1769 this property is probably only relevant to IPsecAction sub-classes. 
1770 The property is defined as follows: 1772 NAME RefreshThresholdKilobytes 1773 DESCRIPTION Specifies the percentage of kilobyte lifetime that has 1774 expired before the IPsec security association is 1775 renegotiated. 1776 SYNTAX unsigned 8-bit integer 1777 VALUE A value between 1 and 100 representing a percentage. A 1778 value of 100 indicates that the IPsec security 1779 association should not be renegotiated until the 1780 kilobyte lifetime has been reached. 1782 6.9.5. The Property IdleDurationSeconds 1784 The property IdleDurationSeconds specifies how many seconds a 1785 security association may remain idle (i.e., no traffic protected 1786 using the security association) before it is deleted. The property 1787 is defined as follows: 1789 NAME IdleDurationSeconds 1790 DESCRIPTION Specifies how long, in seconds, a security association 1791 may remain unused before it is deleted. 1792 SYNTAX unsigned 32-bit integer 1793 VALUE A value of zero indicates that idle detection should 1794 not be used for the security association (only the 1795 seconds and kilobyte lifetimes will be used). Any non- 1796 zero value indicates the number of seconds the security 1797 association may remain unused. 1799 6.10. The Class IPsecAction 1801 The class IPsecAction serves as the base class for IPsec transport 1802 and tunnel actions. It specifies the parameters used for an IKE 1803 phase 2 IPsec DOI negotiation. Although the class is concrete, it 1804 MUST NOT be instantiated. The class definition for IPsecAction is 1805 as follows: 1807 NAME IPsecAction 1808 DESCRIPTION A base class for IPsec transport and tunnel actions 1809 that specifies the parameters for IKE phase 2 IPsec DOI 1810 negotiations. 1811 DERIVED FROM SANegotiationAction 1812 ABSTRACT FALSE 1813 PROPERTIES UsePFS 1814 UseIKEGroup 1815 GroupId 1816 Granularity 1817 VendorID 1819 6.10.1.
The Property UsePFS 1821 The property UsePFS specifies whether or not perfect forward secrecy 1822 should be used when refreshing keys. The property is defined as 1823 follows: 1825 NAME UsePFS 1826 DESCRIPTION Specifies whether or not to use PFS when refreshing 1827 keys. 1828 SYNTAX boolean 1829 VALUE A value of true indicates that PFS should be used. A 1830 value of false indicates that PFS should not be used. 1832 6.10.2. The Property UseIKEGroup 1834 The property UseIKEGroup specifies whether or not phase 2 should use 1835 the same key exchange group as was used in phase 1. UseIKEGroup is 1836 ignored if UsePFS is false. The property is defined as follows: 1838 NAME UseIKEGroup 1839 DESCRIPTION Specifies whether or not to use the same GroupId for 1840 phase 2 as was used in phase 1. If UsePFS is false, 1841 then UseIKEGroup is ignored. 1842 SYNTAX boolean 1843 VALUE A value of true indicates that the phase 2 GroupId 1844 should be the same as phase 1. A value of false 1845 indicates that the property GroupId will contain the 1846 key exchange group to use for phase 2. 1848 6.10.3. The Property GroupId 1850 The property GroupId specifies the key exchange group to use for 1851 phase 2. GroupId is ignored if (1) the property UsePFS is false, or 1852 (2) the property UsePFS is true and the property UseIKEGroup is 1853 true. If the GroupId number is from the vendor-specific range 1854 (32768-65535), the property VendorID qualifies the group number. 1855 The property is defined as follows: 1857 NAME GroupId 1858 DESCRIPTION Specifies the key exchange group to use for phase 2 1859 when the property UsePFS is true and the property 1860 UseIKEGroup is false. 1861 SYNTAX unsigned 16-bit integer 1862 VALUE Consult [IKE] for valid values. 1864 6.10.4. The Property Granularity 1866 The property Granularity specifies how the selector for the security 1867 association should be derived from the traffic that triggered the 1868 negotiation.
The property is defined as follows: 1870 NAME Granularity 1871 DESCRIPTION Specifies how the proposed selector for the 1872 security association will be created. 1873 SYNTAX unsigned 16-bit integer 1874 VALUE 1 - subnet: the source and destination subnet masks of 1875 the FilterEntry are used. 1876 2 - address: only the source and destination IP 1877 addresses of the triggering packet are used. 1878 3 - protocol: the source and destination IP addresses 1879 and the IP protocol of the triggering packet are used. 1880 4 - port: the source and destination IP addresses and 1881 the IP protocol and the source and destination layer 4 1882 ports of the triggering packet are used. 1884 6.10.5. The Property VendorID 1886 The property VendorID is used together with the property GroupId 1887 (when it is in the vendor-specific range) to identify the key 1888 exchange group. VendorID is ignored unless UsePFS is true and 1889 UseIKEGroup is false and GroupId is in the vendor-specific range 1890 (32768-65535). The property is defined as follows: 1892 NAME VendorID 1893 DESCRIPTION Specifies the IKE Vendor ID. 1894 SYNTAX string 1896 6.11. The Class IPsecTransportAction 1898 The class IPsecTransportAction is a subclass of IPsecAction that is 1899 used to specify use of an IPsec transport-mode security association. 1900 The class definition for IPsecTransportAction is as follows: 1902 NAME IPsecTransportAction 1903 DESCRIPTION Specifies that an IPsec transport-mode security 1904 association should be negotiated. 1905 DERIVED FROM IPsecAction 1906 ABSTRACT FALSE 1908 6.12. The Class IPsecTunnelAction 1909 The class IPsecTunnelAction is a subclass of IPsecAction that is 1910 used to specify use of an IPsec tunnel-mode security association. 1911 The class definition for IPsecTunnelAction is as follows: 1913 NAME IPsecTunnelAction 1914 DESCRIPTION Specifies that an IPsec tunnel-mode security 1915 association should be negotiated.
1916 DERIVED FROM IPsecAction 1917 ABSTRACT FALSE 1918 PROPERTIES DFHandling 1920 6.12.1. The Property DFHandling 1922 The property DFHandling specifies how the tunnel should manage the 1923 Don't Fragment (DF) bit. The property is defined as follows: 1925 NAME DFHandling 1926 DESCRIPTION Specifies how to process the DF bit. 1927 SYNTAX unsigned 16-bit integer 1928 VALUE 1 - Copy the DF bit from the internal IP header to the 1929 external IP header. 1930 2 - Set the DF bit of the external IP header to 1. 1931 3 - Clear the DF bit of the external IP header to 0. 1933 6.13. The Class IKEAction 1935 The class IKEAction specifies the parameters that are to be used for 1936 IKE phase 1 negotiation. The class definition for IKEAction is as 1937 follows: 1939 NAME IKEAction 1940 DESCRIPTION Specifies the IKE phase 1 negotiation parameters. 1941 DERIVED FROM SANegotiationAction 1942 ABSTRACT FALSE 1943 PROPERTIES RefreshThresholdDerivedKeys 1944 ExchangeMode 1945 UseIKEIdentityType 1946 VendorID 1947 AggressiveModeGroupId 1949 6.13.1. The Property RefreshThresholdDerivedKeys 1951 The property RefreshThresholdDerivedKeys specifies what percentage 1952 of the derived key limit (see the LifetimeDerivedKeys property of 1953 IKEProposal) can expire before IKE should attempt to renegotiate the 1954 IKE phase 1 security association. A random value may be added to 1955 the calculated threshold (percentage x derived key limit) to reduce 1956 the chance of both peers attempting to renegotiate at the same time. 1957 The property is defined as follows: 1959 NAME RefreshThresholdDerivedKeys 1960 DESCRIPTION Specifies the percentage of the derived key limit that has 1961 expired before the IKE phase 1 security association is 1962 renegotiated. 1963 SYNTAX unsigned 8-bit integer 1964 VALUE A value between 1 and 100 representing a percentage. A 1965 value of 100 indicates that the IKE phase 1 security 1966 association should not be renegotiated until the 1967 derived key limit has been reached.
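The phase 2 behaviour specified in 6.9 and 6.10 above, as an added worked example in Python: the selector derived from a triggering packet per Granularity (6.10.4), the MinLifetimeSeconds/MinLifetimeKilobytes floor that refuses a peer's arbitrarily low lifetime (6.9.1, 6.9.2), the jittered rekey point computed from RefreshThresholdSeconds/RefreshThresholdKilobytes (6.9.3, 6.9.4; the same arithmetic serves RefreshThresholdDerivedKeys in 6.13.1 with the derived key limit as the limit), and IdleDurationSeconds (6.9.5). This code is not part of the draft or of any IPsec implementation; the packet dict, the Selector shape and the size of the random jitter (at most 5 percent of the room left below the lifetime) are assumptions made for illustration.

```python
"""Phase 2 parameters of an IPsecAction: selector derivation and lifetime policy.

Added example, not from the draft. It covers Granularity (6.10.4), the
MinLifetime* floor (6.9.1, 6.9.2), the jittered RefreshThreshold* rekey point
(6.9.3, 6.9.4; the same arithmetic serves RefreshThresholdDerivedKeys in
6.13.1) and IdleDurationSeconds (6.9.5). The packet dict, the Selector shape
and the size of the random jitter are assumptions made for illustration.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional, Tuple

# Granularity values (section 6.10.4)
GRAN_SUBNET, GRAN_ADDRESS, GRAN_PROTOCOL, GRAN_PORT = 1, 2, 3, 4


@dataclass(frozen=True)
class Selector:
    src: str                     # address or prefix in CIDR form
    dst: str
    proto: Optional[int] = None  # IP protocol number
    sport: Optional[int] = None
    dport: Optional[int] = None


def derive_selector(granularity: int, pkt: dict, filter_src: str, filter_dst: str) -> Selector:
    """Proposed phase 2 selector for the packet that triggered the negotiation.

    pkt is a constructed dict with src, dst, proto, sport and dport;
    filter_src/filter_dst are the matching FilterEntry's source and
    destination subnets."""
    if granularity == GRAN_SUBNET:
        return Selector(filter_src, filter_dst)
    src = str(ipaddress.ip_network(pkt["src"]))  # host route, /32 or /128
    dst = str(ipaddress.ip_network(pkt["dst"]))
    if granularity == GRAN_ADDRESS:
        return Selector(src, dst)
    if granularity == GRAN_PROTOCOL:
        return Selector(src, dst, pkt["proto"])
    if granularity == GRAN_PORT:
        return Selector(src, dst, pkt["proto"], pkt["sport"], pkt["dport"])
    raise ValueError(f"unknown Granularity {granularity}")


def refresh_threshold(percent: int, limit: int, rng: random.Random,
                      jitter: float = 0.05) -> Optional[int]:
    """Point (in the limit's unit) at which rekeying should start.

    threshold = percent x limit, plus a random amount (here at most `jitter`
    of the remaining room) so that both peers do not rekey at the same
    instant; the result never passes the limit. None means the limit is 0
    (infinite lifetime, nothing to refresh). At 100 percent no jitter is
    added: the SA is not renegotiated before its lifetime is reached."""
    if not 1 <= percent <= 100:
        raise ValueError("RefreshThreshold* is a percentage between 1 and 100")
    if limit == 0:
        return None
    base = limit * percent // 100
    room = limit - base
    return base + rng.randrange(int(room * jitter) + 1) if room else limit


@dataclass
class SANegotiationAction:
    min_lifetime_seconds: int = 0          # 0: no minimum
    min_lifetime_kilobytes: int = 0
    refresh_threshold_seconds: int = 100   # percent
    refresh_threshold_kilobytes: int = 100
    idle_duration_seconds: int = 0         # 0: idle detection off

    def accept_peer_lifetime(self, seconds: int, kilobytes: int) -> bool:
        """Responder-side check of the lifetime a peer proposes. Below the
        floor it is refused: otherwise a peer could ask for a tiny lifetime
        and force back-to-back renegotiations, each with an expensive
        Diffie-Hellman exchange (the denial of service the draft names)."""
        if self.min_lifetime_seconds and seconds < self.min_lifetime_seconds:
            return False
        if self.min_lifetime_kilobytes and kilobytes < self.min_lifetime_kilobytes:
            return False
        return True

    def refresh_points(self, lifetime_seconds: int, lifetime_kilobytes: int,
                       rng: Optional[random.Random] = None) -> Tuple[Optional[int], Optional[int]]:
        """(seconds, kilobytes) consumed at which this side starts rekeying."""
        rng = rng or random.Random()
        return (refresh_threshold(self.refresh_threshold_seconds, lifetime_seconds, rng),
                refresh_threshold(self.refresh_threshold_kilobytes, lifetime_kilobytes, rng))

    def idle_expired(self, unused_seconds: int) -> bool:
        """True when an SA unused for unused_seconds should be deleted."""
        return bool(self.idle_duration_seconds) and unused_seconds >= self.idle_duration_seconds
```

Note that `accept_peer_lifetime` is the only one of these checks that protects against a hostile peer; the refresh jitter and idle timeout are about stability and resource use between cooperating peers.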
1969 6.13.2. The Property ExchangeMode 1971 The property ExchangeMode specifies which IKE mode should be used 1972 for IKE phase 1 negotiations. The property is defined as follows: 1974 NAME ExchangeMode 1975 DESCRIPTION Specifies the IKE negotiation mode for phase 1. 1976 SYNTAX unsigned 16-bit integer 1977 VALUE 1 - base mode 1978 2 - main mode 1979 4 - aggressive mode 1981 6.13.3. The Property UseIKEIdentityType 1983 The property UseIKEIdentityType specifies what IKE identity type 1984 should be used when negotiating with the peer. This information is 1985 used in conjunction with the IKE identities available on the system 1986 and the IdentityContexts of the matching IKERule. The property is 1987 defined as follows: 1989 NAME UseIKEIdentityType 1990 DESCRIPTION Specifies the IKE identity to use during negotiation. 1991 SYNTAX unsigned 16-bit integer 1992 VALUE 1 - IPv4 Address 1993 2 - FQDN 1994 3 - User FQDN 1995 4 - IPv4 Subnet 1996 5 - IPv6 Address 1997 6 - IPv6 Subnet 1998 7 - IPv4 Address Range 1999 8 - IPv6 Address Range 2000 9 - DER-Encoded ASN.1 X.500 Distinguished Name 2001 10 - DER-Encoded ASN.1 X.500 GeneralName 2002 11 - Key ID 2004 6.13.4. The Property VendorID 2006 The property VendorID specifies the value to be used in the Vendor 2007 ID payload. The property is defined as follows: 2009 NAME VendorID 2010 DESCRIPTION Vendor ID Payload. 2011 SYNTAX string 2012 VALUE A value of NULL means that Vendor ID payload will be 2013 neither generated nor accepted. A non-NULL value means 2014 that a Vendor ID payload will be generated (when acting 2015 as an initiator) or is expected (when acting as a 2016 responder). 2018 6.13.5. The Property AggressiveModeGroupId 2020 The property AggressiveModeGroupId specifies which group ID is to be 2021 used in the first packets of the phase 1 negotiation. This property 2022 is ignored unless the property ExchangeMode is set to 4 (aggressive 2023 mode). 
If the AggressiveModeGroupId number is from the vendor-specific 2024 range (32768-65535), the property VendorID qualifies the 2025 group number. The property is defined as follows: 2027 NAME AggressiveModeGroupId 2028 DESCRIPTION Specifies the group ID to be used for aggressive mode. 2029 SYNTAX unsigned 16-bit integer 2031 6.14. The Class PeerGateway 2033 The class PeerGateway specifies the security gateway with which the 2034 IKE service negotiates. The class definition for PeerGateway is as 2035 follows: 2037 NAME PeerGateway 2038 DESCRIPTION Specifies the security gateway with which to negotiate. 2039 DERIVED FROM LogicalElement (see Appendix A) 2040 ABSTRACT FALSE 2041 PROPERTIES Name 2042 PeerIdentityType 2043 PeerIdentity 2045 6.14.1. The Property Name 2047 The property Name specifies a user-friendly name for this security 2048 gateway. The property is defined as follows: 2050 NAME Name 2051 DESCRIPTION Specifies a user-friendly name for this security 2052 gateway. 2053 SYNTAX string 2055 6.14.2. The Property PeerIdentityType 2057 The property PeerIdentityType specifies the IKE identity type of the 2058 security gateway. The property is defined as follows: 2060 NAME PeerIdentityType 2061 DESCRIPTION Specifies the IKE identity type of the security 2062 gateway. 2063 SYNTAX unsigned 16-bit integer 2064 VALUE 1 - IPv4 Address 2065 2 - FQDN 2066 3 - User FQDN 2067 4 - IPv4 Subnet 2068 5 - IPv6 Address 2069 6 - IPv6 Subnet 2070 7 - IPv4 Address Range 2071 8 - IPv6 Address Range 2072 9 - DER-Encoded ASN.1 X.500 Distinguished Name 2073 10 - DER-Encoded ASN.1 X.500 GeneralName 2074 11 - Key ID 2076 6.14.3. The Property PeerIdentity 2078 The property PeerIdentity specifies the IKE identity value of the 2079 security gateway. A conversion may be needed between the 2080 PeerIdentity string representation and the real value used in the ID 2081 payload (e.g., an IP address is to be converted from a dotted decimal 2082 string into 4 bytes).
The property is defined as follows: 2084 NAME PeerIdentity 2085 DESCRIPTION Specifies the IKE identity value of the security 2086 gateway. 2087 SYNTAX string 2089 6.15. The Association Class PeerGatewayForTunnel 2091 The class PeerGatewayForTunnel associates IPsecTunnelActions with an 2092 ordered list of PeerGateways. The class definition for 2093 PeerGatewayForTunnel is as follows: 2095 NAME PeerGatewayForTunnel 2096 DESCRIPTION Associates IPsecTunnelActions with an ordered list of 2097 PeerGateways. 2098 DERIVED FROM Dependency (see Appendix A) 2099 ABSTRACT FALSE 2100 PROPERTIES Antecedent [ref PeerGateway[0..n]] 2101 Dependent [ref IPsecTunnelAction[0..n]] 2102 SequenceNumber 2104 6.15.1. The Reference Antecedent 2106 The property Antecedent is inherited from Dependency and is 2107 overridden to refer to a PeerGateway instance. The [0..n] 2108 cardinality indicates that an IPsecTunnelAction instance may 2109 be associated with zero or more PeerGateway instances. 2111 Note: when there is no PeerGateway associated with an 2112 IPsecTunnelAction, this means that the IKE service acts as a 2113 responder and will accept phase 1 negotiation with any other 2114 security gateway. 2116 6.15.2. The Reference Dependent 2118 The property Dependent is inherited from Dependency and is 2119 overridden to refer to an IPsecTunnelAction instance. The [0..n] 2120 cardinality indicates that a PeerGateway instance may be associated 2121 with zero or more IPsecTunnelAction instances. 2123 6.15.3. The Property SequenceNumber 2125 The property SequenceNumber specifies the ordering to be used when 2126 evaluating PeerGateway instances for a given IPsecTunnelAction. 2127 The property is defined as follows: 2129 NAME SequenceNumber 2130 DESCRIPTION Specifies the order of evaluation for PeerGateways. 2131 SYNTAX unsigned 16-bit integer 2132 VALUE Lower values are evaluated first. 2134 6.16.
The Aggregation Class ContainedProposal 2136 The class ContainedProposal associates an ordered list of 2137 SAProposals with the SANegotiationAction that aggregates it. If the 2138 referenced SANegotiationAction object is an IKEAction, then the 2139 referenced SAProposal object(s) must be IKEProposal(s). If the 2140 referenced SANegotiationAction object is an IPsecTransportAction or 2141 an IPsecTunnelAction, then the referenced SAProposal object(s) must 2142 be IPsecProposal(s). The class definition for ContainedProposal is 2143 as follows: 2145 NAME ContainedProposal 2146 DESCRIPTION Associates an ordered list of SAProposals with an 2147 SANegotiationAction. 2148 DERIVED FROM PolicyComponent (see [PCIM]) 2149 ABSTRACT FALSE 2150 PROPERTIES GroupComponent[ref SANegotiationAction[0..n]] 2151 PartComponent[ref SAProposal[1..n]] 2152 SequenceNumber 2154 6.16.1. The Reference GroupComponent 2156 The property GroupComponent is inherited from PolicyComponent and is 2157 overridden to refer to an SANegotiationAction instance. The [0..n] 2158 cardinality indicates that an SAProposal instance may be associated 2159 with zero or more SANegotiationAction instances. 2161 Note: the cardinality 0 has a specific meaning: 2163 - when the IKE service acts as a responder, this means that the 2164 IKE service will accept phase 1 negotiation with any other 2165 security gateway; 2166 - when the IKE service acts as an initiator, this means that 2167 the IKE service will use the destination IP address (of the 2168 IP packets which triggered the SARule) as the IP address of 2169 the peer IKE entity. 2171 6.16.2. The Reference PartComponent 2173 The property PartComponent is inherited from PolicyComponent and is 2174 overridden to refer to an SAProposal instance. The [1..n] 2175 cardinality indicates that an SANegotiationAction instance MUST be 2176 associated with at least one SAProposal instance. 2178 6.16.3. 
The Property SequenceNumber 2180 The property SequenceNumber specifies the order of preference for 2181 the SAProposals. The property is defined as follows: 2183 NAME SequenceNumber 2184 DESCRIPTION Specifies the preference order for the SAProposals. 2185 SYNTAX unsigned 16-bit integer 2186 VALUE Lower-valued proposals are preferred over proposals 2187 with higher values. For ContainedProposals that 2188 reference the same SANegotiationAction, SequenceNumber 2189 values must be unique. 2191 6.17. The Association Class HostedPeerGatewayInformation 2193 The class HostedPeerGatewayInformation weakly associates a 2194 PeerGateway with a System. The class definition for 2195 HostedPeerGatewayInformation is as follows: 2197 NAME HostedPeerGatewayInformation 2198 DESCRIPTION Weakly associates a PeerGateway with a System. 2199 DERIVED FROM Dependency (see Appendix A) 2200 ABSTRACT FALSE 2201 PROPERTIES Antecedent [ref System[1..1]] 2202 Dependent [ref PeerGateway[0..n] [weak]] 2204 6.17.1. The Reference Antecedent 2206 The property Antecedent is inherited from Dependency and is 2207 overridden to refer to a System instance. The [1..1] cardinality 2208 indicates that a PeerGateway instance MUST be associated with one 2209 and only one System instance. 2211 6.17.2. The Reference Dependent 2213 The property Dependent is inherited from Dependency and is 2214 overridden to refer to a PeerGateway instance. The [0..n] 2215 cardinality indicates that a System instance may be associated with 2216 zero or more PeerGateway instances. 2218 6.18. The Association Class TransformOfPreconfiguredAction 2219 The class TransformOfPreconfiguredAction associates a 2220 PreconfiguredSAAction with from one to three SATransforms that will 2221 be applied to the traffic. The order of application of the 2222 SATransforms is implicitly defined in [IPSEC]. 
The class definition for TransformOfPreconfiguredAction is as follows:

   NAME            TransformOfPreconfiguredAction
   DESCRIPTION     Associates a PreconfiguredSAAction with from one to
                   three SATransforms.
   DERIVED FROM    Dependency (see Appendix A)
   ABSTRACT        FALSE
   PROPERTIES      Antecedent [ref SATransform[1..3]]
                   Dependent [ref PreconfiguredSAAction[0..n]]
                   SPI

6.18.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to an SATransform instance. The [1..3] cardinality indicates that a PreconfiguredSAAction instance may be associated with from one to three SATransform instances.

6.18.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to a PreconfiguredSAAction instance. The [0..n] cardinality indicates that an SATransform instance may be associated with zero or more PreconfiguredSAAction instances.

6.18.3. The Property SPI

The property SPI specifies the SPI to be used by the pre-configured action for the associated transform. The property is defined as follows:

   NAME            SPI
   DESCRIPTION     Specifies the SPI to be used with the SATransform.
   SYNTAX          unsigned 32-bit integer

7. Proposal and Transform Classes

The proposal and transform classes model the proposal settings an IPsec device will use during IKE phase 1 and 2 negotiations.
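Before the individual proposal and transform classes are defined, the following added example (not code from the draft or from any implementation of it) shows how the ordering rules of the aggregation classes fit together: ContainedProposal (6.16) orders the SAProposals of an SANegotiationAction and constrains their type, PeerGatewayForTunnel (6.15) orders the peer gateways of an IPsecTunnelAction, and ContainedTransform (7.9) combines the transforms of an IPsecProposal, ORing transforms of one type and ANDing across types. Class and property names are the draft's; the dictionary layout, the helper function names and the sample gateway and transform names are constructed for this example.

```python
from itertools import product

# 6.16: an IKEAction aggregates only IKEProposals; the two IPsec actions
# aggregate only IPsecProposals.
PROPOSAL_CLASS_FOR_ACTION = {
    "IKEAction": "IKEProposal",
    "IPsecTransportAction": "IPsecProposal",
    "IPsecTunnelAction": "IPsecProposal",
}


def ordered_by_sequence(links, owner):
    """Order association instances by SequenceNumber, lower values first
    (6.15.3, 6.16.3, 7.9.3).  Values must be unique per owning instance."""
    seqs = [link["SequenceNumber"] for link in links]
    if len(seqs) != len(set(seqs)):
        raise ValueError(f"duplicate SequenceNumber values under {owner}")
    return sorted(links, key=lambda link: link["SequenceNumber"])


def peer_gateway_order(action):
    """6.15: PeerGateway identities of an IPsecTunnelAction in evaluation
    order.  An empty list means the IKE service only responds and accepts
    phase 1 negotiation from any security gateway (6.15.1 note)."""
    links = ordered_by_sequence(action.get("PeerGatewayForTunnel", []), action["Name"])
    return [link["Antecedent"]["PeerIdentity"] for link in links]


def transform_alternatives(proposal):
    """7.9: transforms of the same type are ORed in preference order and
    transforms of different types are ANDed.  Returns every acceptable
    combination as {transform class: TransformName}; the first entry pairs
    the preferred transform of each type."""
    by_type = {}
    for link in ordered_by_sequence(proposal["ContainedTransform"], proposal["Name"]):
        tr = link["PartComponent"]
        by_type.setdefault(tr["Class"], []).append(tr["TransformName"])
    if not by_type:  # PartComponent cardinality [1..n] (7.9.2)
        raise ValueError(f"{proposal['Name']}: an IPsecProposal needs at least one SATransform")
    return [dict(zip(by_type, combo)) for combo in product(*by_type.values())]


def build_proposal_list(action):
    """Resolve an SANegotiationAction into its ordered, type-checked proposals."""
    wanted = PROPOSAL_CLASS_FOR_ACTION[action["Class"]]
    links = ordered_by_sequence(action["ContainedProposal"], action["Name"])
    if not links:  # PartComponent cardinality [1..n] (6.16.2)
        raise ValueError(f"{action['Name']}: at least one SAProposal is required")
    result = []
    for link in links:
        proposal = link["PartComponent"]
        if proposal["Class"] != wanted:
            raise TypeError(f"{action['Name']}: {action['Class']} may only aggregate {wanted}")
        entry = {"Name": proposal["Name"]}
        if wanted == "IPsecProposal":
            entry["alternatives"] = transform_alternatives(proposal)
        result.append(entry)
    return result


# Constructed sample action, modelled on the draft's 7.9 example:
#   ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }   AH = { MD5, SHA-1 }
def _tr(seq, cls, name):
    return {"SequenceNumber": seq, "PartComponent": {"Class": cls, "TransformName": name}}


EXAMPLE_ACTION = {
    "Class": "IPsecTunnelAction",
    "Name": "tunnel-to-branch",
    "PeerGatewayForTunnel": [
        {"SequenceNumber": 2, "Antecedent": {"PeerIdentity": "gw2.example"}},
        {"SequenceNumber": 1, "Antecedent": {"PeerIdentity": "gw1.example"}},
    ],
    "ContainedProposal": [
        {"SequenceNumber": 1, "PartComponent": {
            "Class": "IPsecProposal", "Name": "esp+ah",
            "ContainedTransform": [
                _tr(1, "ESPTransform", "HMAC-MD5/3DES"),
                _tr(2, "ESPTransform", "HMAC-MD5/DES"),
                _tr(3, "AHTransform", "MD5"),
                _tr(4, "AHTransform", "SHA-1"),
            ]}},
    ],
}


def example():
    """Gateway order and proposal list for the constructed sample action."""
    return peer_gateway_order(EXAMPLE_ACTION), build_proposal_list(EXAMPLE_ACTION)


if __name__ == "__main__":
    gateways, proposals = example()
    print(gateways)
    for alt in proposals[0]["alternatives"]:
        print(alt)
```

With the sample data the gateway order is gw1 then gw2, and the single IPsec proposal expands to four acceptable combinations, (3DES, MD5) first; a duplicate SequenceNumber, an empty proposal list or an IKEAction carrying an IPsecProposal is rejected before anything is offered to a peer.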
      +--------------+*w      1+--------------+
      | [SAProposal] |---------|    System    |
      +--------------+   (a)   | (Appendix A) |
             ^                 +--------------+
             |                        |1
      +------+---------------+        |
      |                      |        |
+-------------+    +---------------+  |
| IKEProposal |    | IPsecProposal |  |
+-------------+    +---------------+  |
                          *o          |
                          |(b)        |(c)
                         n|           |
                  +---------------+*w |
                  | [SATransform] |---+
                  +---------------+
                          ^
                          |
       +------------------+--------------------+
       |                  |                    |
+-------------+    +--------------+    +----------------+
| AHTransform |    | ESPTransform |    |IPCOMPTransform |
+-------------+    +--------------+    +----------------+

   (a) SAProposalInSystem
   (b) ContainedTransform
   (c) SATransformInSystem

7.1. The Abstract Class SAProposal

The abstract class SAProposal serves as the base class for the IKE and IPsec proposal classes. It specifies the parameters that are common to the two proposal types. The class definition for SAProposal is as follows:

   NAME            SAProposal
   DESCRIPTION     Specifies the common proposal parameters for IKE and
                   IPsec security association negotiation.
   DERIVED FROM    Policy ([PCIM])
   ABSTRACT        TRUE
   PROPERTIES      Name

7.1.1. The Property Name

The property Name specifies a user-friendly name for the SAProposal. The property is defined as follows:

   NAME            Name
   DESCRIPTION     Specifies a user-friendly name for this proposal.
   SYNTAX          string

7.2. The Class IKEProposal

The class IKEProposal specifies the proposal parameters necessary to drive an IKE security association negotiation. The class definition for IKEProposal is as follows:

   NAME            IKEProposal
   DESCRIPTION     Specifies the proposal parameters for IKE security
                   association negotiation.
   DERIVED FROM    SAProposal
   ABSTRACT        FALSE
   PROPERTIES      LifetimeDerivedKeys
                   CipherAlgorithm
                   HashAlgorithm
                   PRFAlgorithm
                   GroupId
                   AuthenticationMethod
                   MaxLifetimeSeconds
                   MaxLifetimeKilobytes
                   VendorID

7.2.1. The Property LifetimeDerivedKeys

The property LifetimeDerivedKeys specifies the number of times that a phase 1 key will be used to derive a phase 2 key before the phase 1 security association needs to be renegotiated. Even though this is not a parameter that is sent in an IKE proposal, it is included in the proposal because the number of keys derived may be a result of the strength of the algorithms in the IKE proposal. The property is defined as follows:

   NAME            LifetimeDerivedKeys
   DESCRIPTION     Specifies the number of phase 2 keys that can be
                   derived from the phase 1 key.
   SYNTAX          unsigned 32-bit integer
   VALUE           A value of zero indicates that there is no limit to the
                   number of phase 2 keys that may be derived from the
                   phase 1 key; instead the seconds and/or kilobytes
                   lifetime will dictate the phase 1 rekeying. A non-zero
                   value specifies the number of phase 2 keys that can be
                   derived from the phase 1 key.

7.2.2. The Property CipherAlgorithm

The property CipherAlgorithm specifies the proposed phase 1 security association encryption algorithm. The property is defined as follows:

   NAME            CipherAlgorithm
   DESCRIPTION     Specifies the proposed encryption algorithm for the
                   phase 1 security association.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [IKE] for valid values.

7.2.3. The Property HashAlgorithm

The property HashAlgorithm specifies the proposed phase 1 security association hash algorithm. The property is defined as follows:

   NAME            HashAlgorithm
   DESCRIPTION     Specifies the proposed hash algorithm for the phase 1
                   security association.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [IKE] for valid values.

7.2.4. The Property PRFAlgorithm

The property PRFAlgorithm specifies the proposed phase 1 security association pseudo-random function. The property is defined as follows:

   NAME            PRFAlgorithm
   DESCRIPTION     Specifies the proposed pseudo-random function for the
                   phase 1 security association.
   SYNTAX          unsigned 16-bit integer
   VALUE           Currently none defined.

7.2.5. The Property GroupId

The property GroupId specifies the proposed phase 1 security association key exchange group. This property is ignored for all aggressive mode exchanges. If the GroupId number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows:

   NAME            GroupId
   DESCRIPTION     Specifies the proposed key exchange group for the phase
                   1 security association.
   SYNTAX          unsigned 16-bit integer
   VALUE           0 - Not applicable: used for aggressive mode. Consult
                   [IKE] for other valid values.

7.2.6. The Property AuthenticationMethod

The property AuthenticationMethod specifies the proposed phase 1 authentication method. The property is defined as follows:

   NAME            AuthenticationMethod
   DESCRIPTION     Specifies the proposed authentication method for the
                   phase 1 security association.
   SYNTAX          unsigned 16-bit integer
   VALUE           0 - a special value that indicates that this particular
                   proposal should be repeated once for each
                   authentication method that corresponds to the
                   credentials installed on the machine. For example, if
                   the system has a pre-shared key and a certificate, a
                   proposal list could be constructed which includes a
                   proposal that specifies pre-shared key and proposals
                   for any of the public-key authentication methods.
                   Consult [IKE] for valid values.

7.2.7. The Property MaxLifetimeSeconds

The property MaxLifetimeSeconds specifies the maximum amount of time, in seconds, to propose that a security association will remain valid after its creation. The property is defined as follows:

   NAME            MaxLifetimeSeconds
   DESCRIPTION     Specifies the maximum amount of time to propose a
                   security association remain valid.
   SYNTAX          unsigned 32-bit integer
   VALUE           A value of zero indicates that the default of 8 hours
                   be used. A non-zero value indicates the maximum
                   seconds lifetime.

7.2.8. The Property MaxLifetimeKilobytes

The property MaxLifetimeKilobytes specifies the maximum kilobyte lifetime to propose that a security association will remain valid after its creation. The property is defined as follows:

   NAME            MaxLifetimeKilobytes
   DESCRIPTION     Specifies the maximum kilobyte lifetime to propose a
                   security association remain valid.
   SYNTAX          unsigned 32-bit integer
   VALUE           A value of zero indicates that there should be no
                   maximum kilobyte lifetime. A non-zero value specifies
                   the desired kilobyte lifetime.

7.2.9. The Property VendorID

The property VendorID further qualifies the key exchange group. The property is ignored unless the exchange is not in aggressive mode and the property GroupId is in the vendor-specific range. The property is defined as follows:

   NAME            VendorID
   DESCRIPTION     Specifies the Vendor ID to further qualify the key
                   exchange group.
   SYNTAX          string

7.3. The Class IPsecProposal

The class IPsecProposal adds no new properties, but inherits proposal properties from SAProposal as well as aggregating the security association transforms necessary for building an IPsec proposal (see the aggregation class ContainedTransform).
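The IKEProposal properties just defined in 7.2 carry several special values (AuthenticationMethod 0, MaxLifetimeSeconds 0, MaxLifetimeKilobytes 0, a vendor-specific GroupId) that an implementation must resolve before a proposal can be offered. The following added example (not code from the draft or from any implementation of it) performs that resolution. Property names are the draft's; the credential-type names and their mapping to authentication methods are assumptions of this example, while the method and algorithm codes are the [IKE] values from RFC 2409 Appendix A.

```python
import copy

# Resolution rules demonstrated here:
#   AuthenticationMethod 0 -> repeat the proposal once per authentication
#                             method the installed credentials support (7.2.6)
#   MaxLifetimeSeconds 0   -> the default of 8 hours (7.2.7)
#   MaxLifetimeKilobytes 0 -> no kilobyte lifetime (7.2.8)
#   GroupId 32768-65535    -> must be qualified by VendorID, except in
#                             aggressive mode, where GroupId is ignored
#                             (7.2.5, 7.2.9)
DEFAULT_LIFETIME_SECONDS = 8 * 60 * 60
VENDOR_GROUP_RANGE = range(32768, 65536)

# Assumed mapping: installed credential type -> IKE authentication methods
# it can back (1 = pre-shared key, 2 = DSS signatures, 3 = RSA signatures,
# codes from RFC 2409 Appendix A).
METHODS_FOR_CREDENTIAL = {
    "pre-shared-key": [1],
    "dss-certificate": [2],
    "rsa-certificate": [3],
}


def resolve_group(proposal, aggressive_mode):
    """Apply the GroupId rules of 7.2.5 and 7.2.9."""
    if aggressive_mode:
        return 0  # 7.2.5: "0 - Not applicable: used for aggressive mode"
    group = proposal["GroupId"]
    if group in VENDOR_GROUP_RANGE and not proposal.get("VendorID"):
        raise ValueError(f"GroupId {group} is vendor-specific but VendorID is empty")
    return group


def expand_ike_proposal(proposal, installed_credentials, aggressive_mode=False):
    """Return the concrete phase 1 proposals to offer, in order.  The input
    dict is left unchanged."""
    base = copy.deepcopy(proposal)
    base["GroupId"] = resolve_group(proposal, aggressive_mode)
    if base["MaxLifetimeSeconds"] == 0:
        base["MaxLifetimeSeconds"] = DEFAULT_LIFETIME_SECONDS
    if base["MaxLifetimeKilobytes"] == 0:
        base["MaxLifetimeKilobytes"] = None  # no kilobyte lifetime at all
    if base["AuthenticationMethod"] != 0:
        return [base]
    # AuthenticationMethod 0: one proposal per usable method, in the order
    # the credentials are listed, without duplicates.
    methods = []
    for cred in installed_credentials:
        for method in METHODS_FOR_CREDENTIAL.get(cred, []):
            if method not in methods:
                methods.append(method)
    if not methods:
        raise ValueError("AuthenticationMethod 0 but no usable credential is installed")
    expanded = []
    for method in methods:
        concrete = copy.deepcopy(base)
        concrete["AuthenticationMethod"] = method
        expanded.append(concrete)
    return expanded


# Constructed sample proposal.  Algorithm numbers are [IKE] attribute values
# (CipherAlgorithm 5 = 3DES-CBC, HashAlgorithm 2 = SHA, GroupId 2 = 1024-bit
# MODP); PRFAlgorithm has no defined values (7.2.4).
EXAMPLE_IKE_PROPOSAL = {
    "Name": "phase1-default",
    "LifetimeDerivedKeys": 0,
    "CipherAlgorithm": 5,
    "HashAlgorithm": 2,
    "PRFAlgorithm": 0,
    "GroupId": 2,
    "AuthenticationMethod": 0,
    "MaxLifetimeSeconds": 0,
    "MaxLifetimeKilobytes": 0,
    "VendorID": "",
}

if __name__ == "__main__":
    for p in expand_ike_proposal(EXAMPLE_IKE_PROPOSAL, ["pre-shared-key", "rsa-certificate"]):
        print(p["AuthenticationMethod"], p["MaxLifetimeSeconds"], p["MaxLifetimeKilobytes"])
```

With a pre-shared key and an RSA certificate installed, the sample expands to two proposals (methods 1 and 3) with a 28800-second lifetime and no kilobyte limit; a vendor-range GroupId without a VendorID is rejected in main mode and ignored (reported as 0) in aggressive mode.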
The class definition for IPsecProposal is as follows:

   NAME            IPsecProposal
   DESCRIPTION     Specifies the proposal parameters for IPsec security
                   association negotiation.
   DERIVED FROM    SAProposal
   ABSTRACT        FALSE

7.4. The Abstract Class SATransform

The abstract class SATransform serves as the base class for the IPsec transforms that can be used to compose an IPsec proposal or to be used as a pre-configured action. The class definition for SATransform is as follows:

   NAME            SATransform
   DESCRIPTION     Base class for the different IPsec transforms.
   ABSTRACT        TRUE
   PROPERTIES      TransformName
                   VendorID
                   MaxLifetimeSeconds
                   MaxLifetimeKilobytes

7.4.1. The Property TransformName

The property TransformName specifies a user-friendly name for the SATransform. The property is defined as follows:

   NAME            TransformName
   DESCRIPTION     Specifies a user-friendly name for this transform.
   SYNTAX          string

7.4.2. The Property VendorID

The property VendorID specifies the vendor ID for vendor-defined transforms. The property is defined as follows:

   NAME            VendorID
   DESCRIPTION     Specifies the vendor ID for vendor-defined transforms.
   SYNTAX          string
   VALUE           An empty VendorID string indicates that the transform
                   is a standard one.

7.4.3. The Property MaxLifetimeSeconds

The property MaxLifetimeSeconds specifies the maximum amount of time, in seconds, to propose that a security association will remain valid after its creation. The property is defined as follows:

   NAME            MaxLifetimeSeconds
   DESCRIPTION     Specifies the maximum amount of time to propose a
                   security association remain valid.
   SYNTAX          unsigned 32-bit integer
   VALUE           A value of zero indicates that the default of 8 hours
                   be used. A non-zero value indicates the maximum
                   seconds lifetime.

7.4.4. The Property MaxLifetimeKilobytes

The property MaxLifetimeKilobytes specifies the maximum kilobyte lifetime to propose that a security association will remain valid after its creation. The property is defined as follows:

   NAME            MaxLifetimeKilobytes
   DESCRIPTION     Specifies the maximum kilobyte lifetime to propose a
                   security association remain valid.
   SYNTAX          unsigned 32-bit integer
   VALUE           A value of zero indicates that there should be no
                   maximum kilobyte lifetime. A non-zero value specifies
                   the desired kilobyte lifetime.

7.5. The Class AHTransform

The class AHTransform specifies the AH algorithm to propose during IPsec security association negotiation. The class definition for AHTransform is as follows:

   NAME            AHTransform
   DESCRIPTION     Specifies the AH algorithm to propose.
   ABSTRACT        FALSE
   PROPERTIES      AHTransformId
                   UseReplayPrevention
                   ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

The property AHTransformId specifies the transform ID of the AH algorithm to propose. The property is defined as follows:

   NAME            AHTransformId
   DESCRIPTION     Specifies the transform ID of the AH algorithm.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

The property UseReplayPrevention specifies whether replay prevention detection is to be used. The property is defined as follows:

   NAME            UseReplayPrevention
   DESCRIPTION     Specifies whether to enable replay prevention
                   detection.
   SYNTAX          boolean
   VALUE           true - replay prevention detection is enabled.
                   false - replay prevention detection is disabled.

7.5.3. The Property ReplayPreventionWindowSize

The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism.
The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be a power of 2. The property is defined as follows:

   NAME            ReplayPreventionWindowSize
   DESCRIPTION     Specifies the length of the window used by the replay
                   prevention detection mechanism.
   SYNTAX          unsigned 32-bit integer

7.6. The Class ESPTransform

The class ESPTransform specifies the ESP algorithms to propose during IPsec security association negotiation. The class definition for ESPTransform is as follows:

   NAME            ESPTransform
   DESCRIPTION     Specifies the ESP algorithms to propose.
   ABSTRACT        FALSE
   PROPERTIES      IntegrityTransformId
                   CipherTransformId
                   CipherKeyLength
                   CipherKeyRounds
                   UseReplayPrevention
                   ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

The property IntegrityTransformId specifies the transform ID of the ESP integrity algorithm to propose. The property is defined as follows:

   NAME            IntegrityTransformId
   DESCRIPTION     Specifies the transform ID of the ESP integrity
                   algorithm.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [DOI] for valid values.

7.6.2. The Property CipherTransformId

The property CipherTransformId specifies the transform ID of the ESP encryption algorithm to propose. The property is defined as follows:

   NAME            CipherTransformId
   DESCRIPTION     Specifies the transform ID of the ESP encryption
                   algorithm.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

The property CipherKeyLength specifies, in bits, the key length for the ESP encryption algorithm. For encryption algorithms that use fixed-length keys, this value is ignored. The property is defined as follows:

   NAME            CipherKeyLength
   DESCRIPTION     Specifies the ESP encryption key length in bits.
   SYNTAX          unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

The property CipherKeyRounds specifies the number of key rounds for the ESP encryption algorithm. For encryption algorithms that use a fixed number of key rounds, this value is ignored. The property is defined as follows:

   NAME            CipherKeyRounds
   DESCRIPTION     Specifies the number of key rounds for the ESP
                   encryption algorithm.
   SYNTAX          unsigned 16-bit integer
   VALUE           Currently, key rounds are not defined for any ESP
                   encryption algorithms.

7.6.5. The Property UseReplayPrevention

The property UseReplayPrevention specifies whether replay prevention detection is to be used. The property is defined as follows:

   NAME            UseReplayPrevention
   DESCRIPTION     Specifies whether to enable replay prevention
                   detection.
   SYNTAX          boolean
   VALUE           true - replay prevention detection is enabled.
                   false - replay prevention detection is disabled.

7.6.6. The Property ReplayPreventionWindowSize

The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be a power of 2. The property is defined as follows:

   NAME            ReplayPreventionWindowSize
   DESCRIPTION     Specifies the length of the window used by the replay
                   prevention detection mechanism.
   SYNTAX          unsigned 32-bit integer

7.7. The Class IPCOMPTransform

The class IPCOMPTransform specifies the IP compression (IPCOMP) algorithm to propose during IPsec security association negotiation. The class definition for IPCOMPTransform is as follows:

   NAME            IPCOMPTransform
   DESCRIPTION     Specifies the IPCOMP algorithm to propose.
   ABSTRACT        FALSE
   PROPERTIES      Algorithm
                   DictionarySize
                   PrivateAlgorithm

7.7.1. The Property Algorithm

The property Algorithm specifies the transform ID of the IPCOMP compression algorithm to propose. The property is defined as follows:

   NAME            Algorithm
   DESCRIPTION     Specifies the transform ID of the IPCOMP compression
                   algorithm.
   SYNTAX          unsigned 16-bit integer
   VALUE           1 - OUI: a vendor specific algorithm is used and
                   specified in the property PrivateAlgorithm. Consult
                   [DOI] for other valid values.

7.7.2. The Property DictionarySize

The property DictionarySize specifies the log2 maximum size of the dictionary for the compression algorithm. For compression algorithms that have pre-defined dictionary sizes, this value is ignored. The property is defined as follows:

   NAME            DictionarySize
   DESCRIPTION     Specifies the log2 maximum size of the dictionary.
   SYNTAX          unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

The property PrivateAlgorithm specifies a private vendor-specific compression algorithm. This value is only used when the property Algorithm is 1 (OUI). The property is defined as follows:

   NAME            PrivateAlgorithm
   DESCRIPTION     Specifies a private vendor-specific compression
                   algorithm.
   SYNTAX          unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem

The class SAProposalInSystem weakly associates SAProposals with a System. The class definition for SAProposalInSystem is as follows:

   NAME            SAProposalInSystem
   DESCRIPTION     Weakly associates SAProposals with a System.
   DERIVED FROM    PolicyInSystem (see [PCIM])
   ABSTRACT        FALSE
   PROPERTIES      Antecedent [ref System[1..1]]
                   Dependent [ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

The property Antecedent is inherited from PolicyInSystem and is overridden to refer to a System instance.
The [1..1] cardinality indicates that an SAProposal instance MUST be associated with one and only one System instance.

7.8.2. The Reference Dependent

The property Dependent is inherited from PolicyInSystem and is overridden to refer to an SAProposal instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

The class ContainedTransform associates an IPsecProposal with the set of SATransforms that make up the proposal. If multiple transforms of the same type are in a proposal, then they are to be logically ORed and the order of preference is dictated by the SequenceNumber property. Sets of transforms of different types are logically ANDed. For example, if the ordered proposal list were

   ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
   AH  = { MD5, SHA-1 }

then the one sending the proposal would want the other side to pick one from the ESP transform list (preferably (HMAC-MD5, 3DES)) AND one from the AH transform list (preferably MD5).

The class definition for ContainedTransform is as follows:

   NAME            ContainedTransform
   DESCRIPTION     Associates an IPsecProposal with the set of
                   SATransforms that make up the proposal.
   DERIVED FROM    PolicyComponent (see [PCIM])
   ABSTRACT        FALSE
   PROPERTIES      GroupComponent [ref IPsecProposal[0..n]]
                   PartComponent [ref SATransform[1..n]]
                   SequenceNumber

7.9.1. The Reference GroupComponent

The property GroupComponent is inherited from PolicyComponent and is overridden to refer to an IPsecProposal instance. The [0..n] cardinality indicates that an SATransform instance may be associated with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent

The property PartComponent is inherited from PolicyComponent and is overridden to refer to an SATransform instance.
The [1..n] cardinality indicates that an IPsecProposal instance MUST be associated with at least one SATransform instance.

7.9.3. The Property SequenceNumber

The property SequenceNumber specifies the order of preference for the SATransforms of the same type. The property is defined as follows:

   NAME            SequenceNumber
   DESCRIPTION     Specifies the preference order for the SATransforms of
                   the same type.
   SYNTAX          unsigned 16-bit integer
   VALUE           Lower-valued transforms are preferred over transforms
                   of the same type with higher values. For
                   ContainedTransforms that reference the same
                   IPsecProposal, SequenceNumber values must be unique.

7.10. The Association Class SATransformInSystem

The class SATransformInSystem weakly associates SATransforms with a System. The class definition for SATransformInSystem is as follows:

   NAME            SATransformInSystem
   DESCRIPTION     Weakly associates SATransforms with a System.
   DERIVED FROM    PolicyInSystem (see [PCIM])
   ABSTRACT        FALSE
   PROPERTIES      Antecedent [ref System[1..1]]
                   Dependent [ref SATransform[0..n] [weak]]

7.10.1. The Reference Antecedent

The property Antecedent is inherited from PolicyInSystem and is overridden to refer to a System instance. The [1..1] cardinality indicates that an SATransform instance MUST be associated with one and only one System instance.

7.10.2. The Reference Dependent

The property Dependent is inherited from PolicyInSystem and is overridden to refer to an SATransform instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more SATransform instances.

8. IKE Service and Identity Classes

   +--------------+                     +-------------------+
   |    System    |                     | PeerIdentityEntry |
   | (Appendix A) |                     +-------------------+
   +--------------+                              |*w
         1|      (a)                       (b)    |
          +-------------------+       +-----------+
                              |       |
                              |*w   1 o
   +-------------+     +-------------------+     +---------------------+
   | PeerGateway |     | PeerIdentityTable |     | AutostartIKESetting |
   +-------------+     +-------------------+     +---------------------+
         *|                     *|                     *|        *|
          +------------------+   |(d) +------------------+         |
         (c)                *|  *|  *| (e)                        |
                          *+------------+*                        |(f)
             +-------------| IKEService |------+                  |
             |     (g)     +------------+      |(h)               |
         0..1|                  *|            *|                *o
   +--------------------+        |          +---------------------------+
   | IPProtocolEndpoint |        |          | AutostartIKEConfiguration |
   |    (Appendix C)    |    (i) |          +---------------------------+
   +--------------------+        |
         0..1|                   |
             |(j)                +----------------+
            *|                                   |*
   +-------------+*  (k)  +------------+    +-----------------------------+
   | IKEIdentity |--------| Collection |    | CredentialManagementService |
   +-------------+    0..1|(Appendix A)|    |        (Appendix B)         |
            *|            +------------+    +-----------------------------+
             |(l)
            *|
   +--------------+
   |  Credential  |
   | (Appendix B) |
   +--------------+

   (a) HostedPeerIdentityTable
   (b) PeerIdentityMember
   (c) IKEServicePeerGateway
   (d) IKEServicePeerIdentityTable
   (e) IKEAutostartSetting
   (f) AutostartIKESettingContext
   (g) IKEServiceForEndpoint
   (h) IKEAutostartConfiguration
   (i) IKEUsesCredentialManagementService
   (j) EndpointHasLocalIKEIdentity
   (k) CollectionHasLocalIKEIdentity
   (l) IKEIdentitysCredential

This portion of the model contains additional information that is useful in applying the policy. The IKEService class MAY be used to represent the IKE negotiation function in a system.
The IKEService uses the various tables that contain information about IKE peers as well as the configuration for specifying security associations that are started automatically. The information in the PeerGateway, PeerIdentityTable and related classes is necessary to completely specify the policies.

An interface (represented by an IPProtocolEndpoint) has an IKEService that provides the negotiation services for that interface. That service MAY also have a list of security associations that are automatically started at the time the IKE service is initialized.

The IKEService also has a set of identities that it may use in negotiations with its peers. Those identities are associated with the interfaces (or collections of interfaces).

8.1. The Class IKEService

The class IKEService represents the IKE negotiation function. An instance of this service may provide that negotiation service for one or more interfaces (represented by the IPProtocolEndpoint class) of a System. There may be multiple instances of IKE services on a System but only one per interface. The class definition for IKEService is as follows:

   NAME            IKEService
   DESCRIPTION     IKEService is used to represent the IKE negotiation
                   function.
   DERIVED FROM    NetworkService (see Appendix C)
   ABSTRACT        FALSE

8.2. The Class PeerIdentityTable

The class PeerIdentityTable aggregates the table entries that provide mappings between identities and their addresses. The class definition for PeerIdentityTable is as follows:

   NAME            PeerIdentityTable
   DESCRIPTION     PeerIdentityTable aggregates PeerIdentityEntry
                   instances to provide a table of identity-address
                   mappings.
   DERIVED FROM    Collection (see Appendix A)
   ABSTRACT        FALSE
   PROPERTIES      Name

8.2.1. The Property Name

The property Name uniquely identifies the table.
The property is defined as follows:

   NAME            Name
   DESCRIPTION     Name uniquely identifies the table.
   SYNTAX          string

8.3. The Class PeerIdentityEntry

The class PeerIdentityEntry specifies the mapping between a peer's identity and its address. The class definition for PeerIdentityEntry is as follows:

   NAME            PeerIdentityEntry
   DESCRIPTION     PeerIdentityEntry provides a mapping between a peer's
                   identity and address.
   DERIVED FROM    LogicalElement (see Appendix A)
   ABSTRACT        FALSE
   PROPERTIES      PeerIdentity
                   PeerIdentityType
                   PeerAddress
                   PeerAddressType

8.3.1. The Property PeerIdentity

The property PeerIdentity contains a string encoding of the Identity payload for the IKE peer. The property is defined as follows:

   NAME            PeerIdentity
   DESCRIPTION     The PeerIdentity is the ID payload of a peer.
   SYNTAX          string

8.3.2. The Property PeerIdentityType

The property PeerIdentityType is an enumeration that specifies the type of the PeerIdentity. The property is defined as follows:

   NAME            PeerIdentityType
   DESCRIPTION     PeerIdentityType is the type of the ID payload of a
                   peer.
   SYNTAX          unsigned 16-bit integer
   VALUE           The enumeration values are specified in [DOI] section
                   4.6.2.1.

8.3.3. The Property PeerAddress

The property PeerAddress specifies the string representation of the IP address of the peer formatted according to the appropriate convention as defined in the PeerAddressType property (e.g., dotted decimal notation). The property is defined as follows:

   NAME            PeerAddress
   DESCRIPTION     PeerAddress is the address of the peer with the ID
                   payload.
   SYNTAX          string
   VALUE           String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType

The property PeerAddressType specifies the format of the PeerAddress property value.
The property is defined as follows:

   NAME            PeerAddressType
   DESCRIPTION     PeerAddressType is the type of address in PeerAddress.
   SYNTAX          unsigned 16-bit integer
   VALUE           0 - Unknown
                   1 - IPv4
                   2 - IPv6

8.4. The Class AutostartIKEConfiguration

The class AutostartIKEConfiguration groups AutostartIKESetting instances into configuration sets. When applied, the settings cause an IKE service to automatically start (negotiate or statically set as appropriate) the Security Associations. The class definition for AutostartIKEConfiguration is as follows:

   NAME            AutostartIKEConfiguration
   DESCRIPTION     A configuration set of AutostartIKESetting instances to
                   be automatically started by the IKE service.
   DERIVED FROM    SystemConfiguration (see Appendix A)
   ABSTRACT        FALSE

8.5. The Class AutostartIKESetting

The class AutostartIKESetting is used to automatically initiate IKE negotiations with peers (or statically create an SA) as specified in the AutostartIKESetting properties. Appropriate actions are initiated according to the policy that matches the setting parameters. The class definition for AutostartIKESetting is as follows:

   NAME            AutostartIKESetting
   DESCRIPTION     AutostartIKESetting is used to automatically initiate
                   IKE negotiations with peers or statically create an SA.
   DERIVED FROM    SystemSetting (see Appendix A)
   ABSTRACT        FALSE
   PROPERTIES      Phase1Only
                   AddressType
                   SourceAddress
                   SourcePort
                   DestinationAddress
                   DestinationPort
                   Protocol

8.5.1. The Property Phase1Only

The property Phase1Only is used to limit the IKE negotiation to just setting up a phase 1 security association. When set to False, both phase 1 and 2 negotiations are initiated.
The property is defined as follows:

   NAME            Phase1Only
   DESCRIPTION     Used to indicate which security associations to attempt
                   to establish (phase 1 only, or phase 1 and 2).
   SYNTAX          boolean
   VALUE           true - attempt to establish a phase 1 security
                   association
                   false - attempt to establish phase 1 and 2 security
                   associations

8.5.2. The Property AddressType

The property AddressType specifies the type of the addresses in the SourceAddress and DestinationAddress properties. The property is defined as follows:

   NAME            AddressType
   DESCRIPTION     AddressType is the type of address in the SourceAddress
                   and DestinationAddress properties.
   SYNTAX          unsigned 16-bit integer
   VALUE           0 - Unknown
                   1 - IPv4
                   2 - IPv6

8.5.3. The Property SourceAddress

The property SourceAddress specifies the dotted-decimal or colon-decimal formatted IP address used as the source address in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows:

   NAME            SourceAddress
   DESCRIPTION     The source address to compare with the filters to
                   determine the appropriate policy rule.
   SYNTAX          string
   VALUE           dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort

The property SourcePort specifies the port number used as the source port in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows:

   NAME            SourcePort
   DESCRIPTION     The source port to compare with the filters to
                   determine the appropriate policy rule.
   SYNTAX          unsigned 16-bit integer

8.5.5. The Property DestinationAddress

The property DestinationAddress specifies the dotted-decimal or colon-decimal formatted IP address used as the destination address in comparing with policy filter entries and used in any phase 2 negotiations.
The property is defined as follows:

      NAME             DestinationAddress
      DESCRIPTION      The destination address to compare with the filters to determine the appropriate policy rule.
      SYNTAX           string
      VALUE            dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort

The property DestinationPort specifies the port number used as the destination port in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows:

      NAME             DestinationPort
      DESCRIPTION      The destination port to compare with the filters to determine the appropriate policy rule.
      SYNTAX           unsigned 16-bit integer

8.5.7. The Property Protocol

The property Protocol specifies the protocol number used in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows:

      NAME             Protocol
      DESCRIPTION      The protocol number used in comparing with policy filter entries.
      SYNTAX           unsigned 8-bit integer

8.6. The Class IKEIdentity

The class IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 negotiations. The policy IKEAction.UseIKEIdentityType specifies which type of the available identities to use in a negotiation exchange, and IKERule.IdentityContexts specifies the match values to be used, along with the local address, in selecting the appropriate identity for a negotiation. The ElementID property value (defined in the parent class, UsersAccess) should be that of either the IPProtocolEndpoint or Collection of endpoints as appropriate.
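The selection rule just described (endpoint address, IKEAction.UseIKEIdentityType and IKERule.IdentityContexts together picking one IKEIdentity) is shown below as an added example that is not part of the draft. The context string format <ContextName>[&&<ContextName>]* with names in UCS-2 order, the ORed matching of array values, the SHOULD that exactly one identity results, and the omitted IdentityValue for address types are taken from sections 8.6.2 and 8.6.3; the IdentityType numbers are the IPsec DOI values from RFC 2407 section 4.6.2.1. The dataclass, its endpoint_address field, the treatment of a rule with no contexts, the function names and the sample identities are assumptions.

```python
"""Added example: selecting the local IKEIdentity for an IKE phase 1
exchange per sections 8.6 and 8.6.3 of the draft.  Data structures,
endpoint_address, the no-context rule behaviour and function names are
assumptions; the DOI identity type numbers are RFC 2407's."""
from dataclasses import dataclass
from typing import List, Optional

ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV6_ADDR = 1, 2, 3, 5
ADDRESS_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR}


@dataclass
class IKEIdentity:
    IdentityType: int
    IdentityValue: Optional[str]       # may be omitted for address types (8.6.2)
    IdentityContexts: List[str]
    endpoint_address: str              # address of the associated IPProtocolEndpoint (assumed field)


def canonical_context(value: str) -> str:
    """Normalize one IdentityContexts value: split the role combination on
    '&&', drop blanks and duplicates, sort by code point (the UCS-2 collating
    order the draft requires, adequate for BMP names) and rejoin."""
    names = sorted({n.strip() for n in value.split("&&") if n.strip()})
    return "&&".join(names)


def contexts_match(rule_contexts: List[str], identity_contexts: List[str]) -> bool:
    """8.6.3: the identity's context matches when any IKERule.IdentityContexts
    value equals any IKEIdentity.IdentityContexts value (array values are ORed
    alternatives; a combination such as 'Branch&&Extranet' is a single value
    and does not match plain 'Branch').  A rule carrying no contexts is
    treated here as unconstrained (assumption, the draft does not say)."""
    if not rule_contexts:
        return True
    wanted = {canonical_context(c) for c in rule_contexts}
    have = {canonical_context(c) for c in identity_contexts}
    return bool(wanted & have)


def select_identity(identities: List[IKEIdentity], local_address: str,
                    use_identity_type: int, rule_contexts: List[str]) -> IKEIdentity:
    """Apply the three selectors of 8.6: the IPProtocolEndpoint address,
    IKEAction.UseIKEIdentityType and IKERule.IdentityContexts.  The draft says
    there SHOULD be exactly one result; zero or several is reported rather
    than silently negotiating with an arbitrary identity."""
    candidates = [i for i in identities
                  if i.endpoint_address == local_address
                  and i.IdentityType == use_identity_type
                  and contexts_match(rule_contexts, i.IdentityContexts)]
    if len(candidates) != 1:
        raise LookupError(f"{len(candidates)} IKEIdentity candidates for "
                          f"{local_address}, type {use_identity_type}, "
                          f"contexts {rule_contexts}")
    return candidates[0]


def identity_payload_value(identity: IKEIdentity) -> str:
    """8.6.2: an address-type identity may leave IdentityValue empty, in
    which case the associated endpoint's address is used in the ID payload."""
    if identity.IdentityValue is None:
        if identity.IdentityType in ADDRESS_TYPES:
            return identity.endpoint_address
        raise ValueError("IdentityValue may only be omitted for address types")
    return identity.IdentityValue


# Constructed sample: one endpoint holding several identities for different contexts.
SAMPLE_IDENTITIES = [
    IKEIdentity(ID_IPV4_ADDR, None, ["Branch"], "192.0.2.10"),
    IKEIdentity(ID_FQDN, "gw.example.net", ["Branch&&Extranet"], "192.0.2.10"),
    IKEIdentity(ID_FQDN, "vpn.example.net", ["Remote"], "192.0.2.10"),
    # Same combination as gw.example.net, written unsorted: canonicalization exposes the clash.
    IKEIdentity(ID_FQDN, "gw2.example.net", ["Extranet&&Branch"], "192.0.2.10"),
    IKEIdentity(ID_USER_FQDN, "alice@example.net", ["Remote"], "198.51.100.5"),
]

if __name__ == "__main__":
    ident = select_identity(SAMPLE_IDENTITIES, "192.0.2.10", ID_FQDN, ["Remote"])
    print(identity_payload_value(ident))
```

The sorted, deduplicated canonical form is what makes the two gw entries collide even though their strings differ in order; a repository that stores contexts unsorted would otherwise hide the ambiguity the draft's SHOULD is meant to prevent.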
The class definition for IKEIdentity is as follows:

      NAME             IKEIdentity
      DESCRIPTION      IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 negotiations.
      DERIVED FROM     UsersAccess (see Appendix B)
      ABSTRACT         FALSE
      PROPERTIES       IdentityType
                       IdentityValue
                       IdentityContexts

8.6.1. The Property IdentityType

The property IdentityType is an enumeration that specifies the type of the IdentityValue. The property is defined as follows:

      NAME             IdentityType
      DESCRIPTION      IdentityType is the type of the IdentityValue.
      SYNTAX           unsigned 8-bit integer
      VALUE            The enumeration values are specified in [DOI] section 4.6.2.1.

8.6.2. The Property IdentityValue

The property IdentityValue contains a string encoding of the Identity payload. For IKEIdentity instances that are address types, the IdentityValue string value may be omitted and the associated IPProtocolEndpoint or appropriate member of the Collection of endpoints is used. The property is defined as follows:

      NAME             IdentityValue
      DESCRIPTION      IdentityValue contains a string encoding of the Identity payload.
      SYNTAX           string

8.6.3. The Property IdentityContexts

The IdentityContexts property is used to constrain the use of IKEIdentity instances to match that specified in the IKERule.IdentityContexts. The IdentityContexts are formatted as policy roles and role combinations [PCIM]. Each value represents one context or context combination. Since this is a multi-valued property, more than one context or combination of contexts can be associated with a single IKEIdentity. Each value is a string of the form:

      <ContextName>[&&<ContextName>]*

where the individual context names appear in alphabetical order (according to the collating sequence for UCS-2).
If one or more values in the IKERule.IdentityContexts array match one or more IKEIdentity.IdentityContexts values, then the identity's context matches. (That is, each value of the IdentityContexts array is an ORed condition.) In combination with the address of the IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be one and only one IKEIdentity. The property is defined as follows:

      NAME             IdentityContexts
      DESCRIPTION      The IKE service of a security endpoint may have multiple identities for use in different situations. The combination of the interface (represented by the IPProtocolEndpoint), the identity type (as specified in the IKEAction) and the IdentityContexts selects a unique identity.
      SYNTAX           string array
      VALUE            string of the form <ContextName>[&&<ContextName>]*

8.7. The Association Class HostedPeerIdentityTable

The class HostedPeerIdentityTable provides the name scoping relationship for PeerIdentityTable entries in a System. The PeerIdentityTable is weak to the System. The class definition for HostedPeerIdentityTable is as follows:

      NAME             HostedPeerIdentityTable
      DESCRIPTION      The PeerIdentityTable instances are weak to (name scoped by) the owning System.
      DERIVED FROM     Dependency (see Appendix A)
      ABSTRACT         FALSE
      PROPERTIES       Antecedent [ref System[1..1]]
                       Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerIdentityTable instance MUST be associated in a weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance.
The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

The class PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable. This is a weak aggregation. The class definition for PeerIdentityMember is as follows:

      NAME             PeerIdentityMember
      DESCRIPTION      PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable.
      DERIVED FROM     MemberOfCollection (see Appendix A)
      ABSTRACT         FALSE
      PROPERTIES       Collection [ref PeerIdentityTable[1..1]]
                       Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

The property Collection is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityTable instance. The [1..1] cardinality indicates that a PeerIdentityEntry instance MUST be associated with one and only one PeerIdentityTable instance (i.e., PeerIdentityEntry instances are not shared across PeerIdentityTables).

8.8.2. The Reference Member

The property Member is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityEntry instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

The class IKEServicePeerGateway provides the association between an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways. The class definition for IKEServicePeerGateway is as follows:

      NAME             IKEServicePeerGateway
      DESCRIPTION      Associates an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways.
      DERIVED FROM     Dependency (see Appendix A)
      ABSTRACT         FALSE
      PROPERTIES       Antecedent [ref PeerGateway[0..n]]
                       Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

The class IKEServicePeerIdentityTable provides the relationship between an IKEService and a PeerIdentityTable that it uses to map between addresses and identities as required. The class definition for IKEServicePeerIdentityTable is as follows:

      NAME             IKEServicePeerIdentityTable
      DESCRIPTION      IKEServicePeerIdentityTable provides the relationship between an IKEService and a PeerIdentityTable that it uses.
      DERIVED FROM     Dependency (see Appendix A)
      ABSTRACT         FALSE
      PROPERTIES       Antecedent [ref PeerIdentityTable[0..n]]
                       Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more IKEService instances.

8.11.
The Association Class IKEAutostartSetting

The class IKEAutostartSetting associates an AutostartIKESetting with an IKEService that may use it to automatically start an IKE negotiation or create a static SA. The class definition for IKEAutostartSetting is as follows:

      NAME             IKEAutostartSetting
      DESCRIPTION      Associates an AutostartIKESetting with an IKEService.
      DERIVED FROM     ElementSetting (see Appendix A)
      ABSTRACT         FALSE
      PROPERTIES       Element [ref IKEService[0..n]]
                       Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

The property Element is inherited from ElementSetting and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that an AutostartIKESetting instance may be associated with zero or more IKEService instances.

8.11.2. The Reference Setting

The property Setting is inherited from ElementSetting and is overridden to refer to an AutostartIKESetting instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

The class AutostartIKESettingContext aggregates the settings used to automatically start negotiations or create a static SA into a configuration set. The class definition for AutostartIKESettingContext is as follows:

      NAME             AutostartIKESettingContext
      DESCRIPTION      AutostartIKESettingContext aggregates the AutostartIKESetting instances into a configuration set.
      DERIVED FROM     SystemSettingContext (see Appendix A)
      ABSTRACT         FALSE
      PROPERTIES       Context [ref AutostartIKEConfiguration [0..n]]
                       Setting [ref AutostartIKESetting [0..n]]
                       SequenceNumber

8.12.1. The Reference Context

The property Context is inherited from SystemSettingContext and is overridden to refer to an AutostartIKEConfiguration instance.
The [0..n] cardinality indicates that an AutostartIKESetting instance may be associated with zero or more AutostartIKEConfiguration instances (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

The property Setting is inherited from SystemSettingContext and is overridden to refer to an AutostartIKESetting instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

The property SequenceNumber specifies the ordering to be used when starting negotiations or creating a static SA. A zero value indicates that order is not significant and the setting may be applied in parallel with other settings. All other settings in the configuration are executed in sequence from lower values to higher. Sequence numbers need not be unique in an AutostartIKEConfiguration, and order is not significant for settings with the same sequence number. The property is defined as follows:

      NAME             SequenceNumber
      DESCRIPTION      The sequence in which the settings are applied within a configuration set.
      SYNTAX           unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

The class IKEServiceForEndpoint provides the association showing which IKE service, if any, provides IKE negotiation services for which network interfaces. The class definition for IKEServiceForEndpoint is as follows:

      NAME             IKEServiceForEndpoint
      DESCRIPTION      Associates an IPProtocolEndpoint with an IKEService that provides negotiation services for the endpoint.
      DERIVED FROM     Dependency (see Appendix A)
      ABSTRACT         FALSE
      PROPERTIES       Antecedent [ref IKEService[0..1]]
                       Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1.
The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..1] cardinality indicates that an IPProtocolEndpoint instance MUST be associated with at most one IKEService instance.

8.13.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IPProtocolEndpoint that is associated with at most one IKEService. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more IPProtocolEndpoint instances.

8.14. The Association Class IKEAutostartConfiguration

The class IKEAutostartConfiguration provides the relationship between an IKEService and a configuration set that it uses to automatically start a set of SAs. The class definition for IKEAutostartConfiguration is as follows:

      NAME             IKEAutostartConfiguration
      DESCRIPTION      IKEAutostartConfiguration provides the relationship between an IKEService and an AutostartIKEConfiguration that it uses to automatically start a set of SAs.
      DERIVED FROM     Dependency (see Appendix A)
      ABSTRACT         FALSE
      PROPERTIES       Antecedent [ref AutostartIKEConfiguration [0..n]]
                       Dependent [ref IKEService [0..n]]
                       Active

8.14.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more IKEService instances.

8.14.3.
The Property Active

The property Active specifies whether the AutostartIKEConfiguration set is currently active for the associated IKEService. That is, at boot time, the active configuration is used to automatically start IKE negotiations and create static SAs. The property is defined as follows:

      NAME             Active
      DESCRIPTION      Active indicates whether the AutostartIKEConfiguration set is currently active for the associated IKEService.
      SYNTAX           boolean
      VALUE            true - AutostartIKEConfiguration is currently active for the associated IKEService.
                       false - AutostartIKEConfiguration is currently inactive for the associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

The class IKEUsesCredentialManagementService defines the set of CredentialManagementService(s) that are trusted sources of credentials for IKE phase 1 negotiations. The class definition for IKEUsesCredentialManagementService is as follows:

      NAME             IKEUsesCredentialManagementService
      DESCRIPTION      Associates the set of CredentialManagementService(s) that are trusted by the IKEService as sources of credentials used in IKE phase 1 negotiations.
      DERIVED FROM     Dependency (see Appendix A)
      ABSTRACT         FALSE
      PROPERTIES       Antecedent [ref CredentialManagementService [0..n]]
                       Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance.
The [0..n] cardinality indicates that a CredentialManagementService instance may be associated with zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

The class EndpointHasLocalIKEIdentity associates an IPProtocolEndpoint with a set of IKEIdentity instances that may be used in negotiating security associations on the endpoint. An IKEIdentity MUST be associated either with an IPProtocolEndpoint using this association or with a collection of IPProtocolEndpoint instances using the CollectionHasLocalIKEIdentity association. The class definition for EndpointHasLocalIKEIdentity is as follows:

      NAME             EndpointHasLocalIKEIdentity
      DESCRIPTION      EndpointHasLocalIKEIdentity associates an IPProtocolEndpoint with a set of IKEIdentity instances.
      DERIVED FROM     ElementAsUser (see Appendix B)
      ABSTRACT         FALSE
      PROPERTIES       Antecedent [ref IPProtocolEndpoint [0..1]]
                       Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

The property Antecedent is inherited from ElementAsUser and is overridden to refer to an IPProtocolEndpoint instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that an IPProtocolEndpoint instance may be associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

The class CollectionHasLocalIKEIdentity associates a Collection of IPProtocolEndpoint instances with a set of IKEIdentity instances that may be used in negotiating SAs for endpoints in the collection.
An IKEIdentity MUST be associated either with an IPProtocolEndpoint using the EndpointHasLocalIKEIdentity association or with a collection of IPProtocolEndpoint instances using this association. The class definition for CollectionHasLocalIKEIdentity is as follows:

      NAME             CollectionHasLocalIKEIdentity
      DESCRIPTION      CollectionHasLocalIKEIdentity associates a collection of IPProtocolEndpoint instances with a set of IKEIdentity instances.
      DERIVED FROM     ElementAsUser (see Appendix B)
      ABSTRACT         FALSE
      PROPERTIES       Antecedent [ref Collection [0..1]]
                       Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

The property Antecedent is inherited from ElementAsUser and is overridden to refer to a Collection instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one Collection instance.

8.17.2. The Reference Dependent

The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Collection instance may be associated with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

The class IKEIdentitysCredential is an association that relates a set of credentials to their corresponding local IKE Identities. The class definition for IKEIdentitysCredential is as follows:

      NAME             IKEIdentitysCredential
      DESCRIPTION      IKEIdentitysCredential associates a set of credentials to their corresponding local IKEIdentity.
      DERIVED FROM     UsersCredential (see Appendix A)
      ABSTRACT         FALSE
      PROPERTIES       Antecedent [ref Credential [0..n]]
                       Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

The property Antecedent is inherited from UsersCredential and is overridden to refer to a Credential instance.
The [0..n] cardinality indicates that an IKEIdentity instance may be associated with zero or more Credential instances.

8.18.2. The Reference Dependent

The property Dependent is inherited from UsersCredential and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Credential instance may be associated with zero or more IKEIdentity instances.

9. Security Considerations

This document describes a schema for IPsec policy. It does not detail security requirements for the storage or delivery of that schema. Storage and delivery security requirements should be detailed in a comprehensive security policy architecture document.

10. Intellectual Property

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11.

Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

11.
Acknowledgments

The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire, Vic Lortz, and William Dixon for their contributions to this IPsec policy model.

Additionally, this draft would not have been possible without the preceding IPsec schema drafts. For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan.

12. References

[IKE]      Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.

[COMP]     Shacham, A., R. Monsour, R. Pereira and M. Thomas, "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

[ESP]      Kent, S. and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.

[AH]       Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.

[PCIM]     Moore, B., E. Ellesson and J. Strassner, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001.

[DOI]      Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.

[LDAP]     Wahl, M., T. Howes and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.

[COPS]     Boyle, J., R. Cohen, D. Durham, S. Herzog, R. Rajan and A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000.

[COPSPR]   Chan, K., D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. Reichmeyer, J. Seligson, A. Smith and R. Yavatkar, "COPS Usage for Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000. Internet-Draft, work in progress.

[SPSL]     Condell, M., C. Lynn and J. Zao, "Security Policy Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000. Internet-Draft, work in progress.

[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[IPSO]     Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991.

[IPSEC]    Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

13. Disclaimer

The views and specification herein are those of the authors and are not necessarily those of their employer. The authors and their employer specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this specification.

14. Authors' Addresses

   Jamie Jason
   Intel Corporation
   MS JF3-206
   2111 NE 25th Ave.
   Hillsboro, OR 97124
   E-Mail: jamie.jason@intel.com

   Lee Rafalow
   IBM Corporation, BRQA/502
   4205 So. Miami Blvd.
   Research Triangle Park, NC 27709
   E-mail: rafalow@raleigh.ibm.com

   Eric Vyncke
   Cisco Systems
   Avenue Marcel Thiry, 77
   B-1200 Brussels
   Belgium
   E-mail: evyncke@cisco.com

15. Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Appendix A (DMTF Core Model MOF)

// ==================================================================
// ManagedElement
// ==================================================================
[Abstract, Description (
    "ManagedElement is an abstract class that provides a common "
    "superclass (or top of the inheritance tree) for the "
    "non-association classes in the CIM Schema.")]
class CIM_ManagedElement
{
    [MaxLen (64), Description (
        "The Caption property is a short textual description (one-"
        "line string) of the object.") ]
    string Caption;
    [Description (
        "The Description property provides a textual description of "
        "the object.") ]
    string Description;
};

// ==================================================================
// Collection
// ==================================================================
[Abstract, Description (
    "Collection is an abstract class that provides a common "
    "superclass for data elements that represent collections of "
    "ManagedElements and its subclasses.")]
class CIM_Collection : CIM_ManagedElement
{
};

// ==================================================================
// ManagedSystemElement
// ==================================================================
[Abstract, Description (
    "CIM_ManagedSystemElement is the base "
    "class for the System "
    "Element hierarchy. Membership Criteria: Any distinguishable "
    "component of a System is a candidate for inclusion in this "
    "class. Examples: software components, such as files; and "
    "devices, such as disk drives and controllers, and physical "
    "components such as chips and cards.") ]
class CIM_ManagedSystemElement : CIM_ManagedElement
{
    [Description (
        "A datetime value indicating when the object was installed. "
        "A lack of a value does not indicate that the object is not "
        "installed."),
     MappingStrings {"MIF.DMTF|ComponentID|001.5"} ]
    datetime InstallDate;
    [MaxLen (256), Description (
        "The Name property defines the label by which the object is "
        "known. When subclassed, the Name property can be overridden "
        "to be a Key property.") ]
    string Name;
    [MaxLen (10), Description (
        " A string indicating the current status of the object. "
        "Various operational and non-operational statuses are "
        "defined. Operational statuses are \"OK\", \"Degraded\", "
        "\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that "
        "the Element is functioning, but needs attention. Examples "
        "of \"Stressed\" states are overload, overheated, etc. The "
        "condition \"Pred Fail\" (failure predicted) indicates that "
        "an Element is functioning properly but predicting a failure "
        "in the near future. An example is a SMART-enabled hard "
        "drive. \n"
        " Non-operational statuses can also be specified. These "
        "are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", "
        "\"Stopped\", \"Service\", \"No Contact\" and \"Lost Comm\". "
        "\"NonRecover\" indicates that a non-recoverable error has "
        "occurred. \"Service\" describes an Element being configured, "
        "maintained, cleaned, or otherwise administered. "
        "This status could apply "
        "during mirror-resilvering of a disk, reload of a user "
        "permissions list, or other administrative task. Not all such "
        "work is on-line, yet the Element is neither \"OK\" nor in "
        "one of the other states. \"No Contact\" indicates that the "
        "current instance of the monitoring system has knowledge of "
        "this Element but has never been able to establish "
        "communications with it. \"Lost Comm\" indicates that "
        "the ManagedSystemElement is known to exist and has been "
        "contacted successfully in the past, but is currently "
        "unreachable. "
        "\"Stopped\" indicates that the ManagedSystemElement is known "
        "to exist, it is not operational (i.e. it is unable to "
        "provide service to users), but it has not failed. It has "
        "purposely been made non-operational. The Element "
        "may have never been \"OK\", the Element may have initiated "
        "its own stop, or a management system may have initiated the "
        "stop."),
     ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail",
               "Starting", "Stopping", "Service", "Stressed",
               "NonRecover", "No Contact", "Lost Comm", "Stopped"} ]
    string Status;
};

// ==================================================================
// LogicalElement
// ==================================================================
[Abstract, Description (
    "CIM_LogicalElement is a base class for all the components of "
    "a System that represent abstract system components, such "
    "as Files, Processes, or system capabilities in the form "
    "of Logical Devices.") ]
class CIM_LogicalElement : CIM_ManagedSystemElement
{
};

// ==================================================================
// CIM_SystemConfiguration
// ==================================================================
[Description (
    "CIM_SystemConfiguration represents the general concept "
    "of a CIM_Configuration which is scoped by/weak to a "
    "System. This class is a peer of CIM_Configuration since "
    "the key structure of Configuration is currently "
    "defined and cannot be modified with additional "
    "properties.")]
class CIM_SystemConfiguration : CIM_ManagedElement
{
    [Propagated ("CIM_System.CreationClassName"), Key,
     MaxLen (256), Description (
        "The scoping System's CreationClassName.") ]
    string SystemCreationClassName;
    [Propagated ("CIM_System.Name"), Key, MaxLen (256),
     Description ("The scoping System's Name.") ]
    string SystemName;
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.") ]
    string CreationClassName;
    [Key, MaxLen (256), Description (
        "The label by which the Configuration object is known.") ]
    string Name;
};

// ===================================================================
// Setting
// ===================================================================
[Abstract, Description (
    "The Setting class represents configuration-related and "
    "operational parameters for one or more ManagedSystem"
    "Element(s). A ManagedSystemElement may have multiple Setting "
    "objects associated with it. The current operational values "
    "for an Element's parameters are reflected by properties in "
    "the Element itself or by properties in its associations. "
    "These properties do not have to be the same values present "
    "in the Setting object. "
For example, a modem may have a " 3910 "Setting baud rate of 56Kb/sec but be operating " 3911 "at 19.2Kb/sec.") ] 3912 class CIM_Setting : CIM_ManagedElement 3913 { 3914 [MaxLen (256), Description ( 3915 "The identifier by which the Setting object is known.") ] 3916 string SettingID; 3917 [Description ( 3918 "The VerifyOKToApplyToMSE method is used to verify that " 3919 "this Setting can be 'applied' to the referenced Managed" 3920 "SystemElement, at the given time or time interval. This " 3921 "method takes three input parameters: MSE (the Managed" 3922 "SystemElement that is being verified), TimeToApply (which, " 3923 "being a datetime, can be either a specific time or a time " 3924 "interval), and MustBeCompletedBy (which indicates the " 3925 "required completion time for the method). The return " 3926 "value should be 0 if it is OK to apply the Setting, 1 if " 3927 "the method is not supported, 2 if the Setting can not be " 3928 "applied within the specified times, and any other number " 3929 "if an error occurred. In a subclass, the " 3930 "set of possible return codes could be specified, using a " 3931 "ValueMap qualifier on the method. The strings to which the " 3932 "ValueMap contents are 'translated' may also be specified in " 3933 "the subclass as a Values array qualifier.") ] 3934 uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE, 3935 [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); 3936 [Description ( 3937 "The ApplyToMSE method performs the actual application of " 3938 "the Setting to the referenced ManagedSystemElement. It " 3939 "takes three input parameters: MSE (the ManagedSystem" 3940 "Element to which the Setting is being applied), " 3941 "TimeToApply (which, being a datetime, can be either a " 3942 "specific time or a time interval), and MustBeCompletedBy " 3943 "(which indicates the required completion time for the " 3944 "method). 
Note that the semantics of this method are that " 3945 "individual Settings are either wholly applied or not " 3946 "applied at all to their target ManagedSystemElement. The " 3947 "return value should be 0 if the Setting is successfully " 3948 "applied to the referenced ManagedSystemElement, 1 if the " 3949 "method is not supported, 2 if the Setting was not applied " 3950 "within the specified times, and any other number if an " 3951 "error occurred. In a subclass, the set of possible return " 3952 "codes could be specified, using a ValueMap qualifier on " 3953 "the method. The strings to which the ValueMap contents are " 3954 "'translated' may also be specified in the subclass as a " 3955 "Values array qualifier.\n" 3956 "Note: If an error occurs in applying the Setting to a " 3957 "ManagedSystemElement, the Element must be configured as " 3958 "when the 'apply' attempt began. That is, the Element " 3959 "should NOT be left in an indeterminate state.") ] 3960 uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE, 3961 [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); 3962 [Description ( 3963 "The VerifyOKToApplyToCollection method is used to verify " 3964 "that this Setting can be 'applied' to the referenced " 3965 "Collection of ManagedSystemElements, at the given time " 3966 "or time interval, without causing adverse effects to " 3967 "either the Collection itself or its surrounding " 3968 "environment. The net effect is to execute the " 3969 "VerifyOKToApply method against each of the Elements " 3970 "aggregated by the Collection. This method takes three " 3971 "input parameters: Collection (the Collection of Managed" 3972 "SystemElements that is being verified), TimeToApply (which, " 3973 "being a datetime, can be either a specific time or a time " 3974 "interval), and MustBeCompletedBy (which indicates the " 3975 "required completion time for the method). 
The return " 3976 "value should be 0 if it is OK to apply the Setting, 1 if " 3977 "the method is not supported, 2 if the Setting can not be " 3978 "applied within the specified times, and any other number if " 3979 "an error occurred. One output parameter is defined - " 3980 "CanNotApply - which is a string array that lists the keys " 3981 "of " 3982 "the ManagedSystemElements to which the Setting can NOT be " 3983 "applied. This enables those Elements to be revisited and " 3984 "either fixed, or other corrective action taken.\n" 3985 "In a subclass, the set of possible return codes could be " 3986 "specified, using a ValueMap qualifier on the method. The " 3987 "strings to which the ValueMap contents are 'translated' may " 3988 "also be specified in the subclass as a Values array " 3989 "qualifier.") ] 3990 uint32 VerifyOKToApplyToCollection ( 3991 [IN] CIM_CollectionOfMSEs ref Collection, 3992 [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy, 3993 [OUT] string CanNotApply[]); 3994 [Description ( 3995 "The ApplyToCollection method performs the application of " 3996 "the Setting to the referenced Collection of ManagedSystem" 3997 "Elements. The net effect is to execute the ApplyToMSE " 3998 "method against each of the Elements aggregated by the " 3999 "Collection. If the input value ContinueOnError is FALSE, " 4000 "this method applies the Setting to all Elements in the " 4001 "Collection until it encounters an error, in which case it " 4002 "stops execution, logs the key of the Element that caused " 4003 "the error in the CanNotApply array, and issues a return " 4004 "code " 4005 "of 2. If the input value ContinueOnError is TRUE, then this " 4006 "method applies the Setting to all the ManagedSystemElements " 4007 "in the Collection, and reports the failed Elements in the " 4008 "array, CanNotApply. 
For the latter, processing will " 4009 "continue " 4010 "until the method is applied to all Elements in the " 4011 "Collection, regardless of any errors encountered. The key " 4012 "of " 4013 "each ManagedSystemElement to which the Setting could not be " 4014 "applied is logged into the CanNotApply array. This method " 4015 "takes four input parameters: Collection (the Collection of " 4016 "Elements to which the Setting is being applied), " 4017 "TimeToApply " 4018 "(which, being a datetime, can be either a specific time or " 4019 "a " 4020 "time interval), ContinueOnError (TRUE means to continue " 4021 "processing on encountering an error), and MustBeCompletedBy " 4022 "(which indicates the required completion time for the " 4023 "method). The return value should be 0 if the Setting is " 4024 "successfully applied to the referenced Collection, 1 if the " 4025 "method is not supported, 2 if the Setting was not applied " 4026 "within the specified times, 3 if the Setting can not be " 4027 "applied using the input value for ContinueOnError, and any " 4028 "other number if an error occurred. One output parameter is " 4029 "defined, CanNotApplystring, which is an array that lists " 4030 "the keys of the ManagedSystemElements to which the Setting " 4031 "was NOT able to be applied. This output parameter has " 4032 "meaning only when the ContinueOnError parameter is TRUE.\n" 4033 "In a subclass, the set of possible return codes could be " 4034 "specified, using a ValueMap qualifier on the method. The " 4035 "strings to which the ValueMap contents are 'translated' may " 4036 "also be specified in the subclass as a Values array " 4037 "qualifier.\n" 4038 "Note: if an error occurs in applying the Setting to a " 4039 "ManagedSystemElement in the Collection, the Element must be " 4040 "configured as when the 'apply' attempt began. 
That is, the " 4041 "Element should NOT be left in an indeterminate state.") ] 4042 uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection, 4043 [IN] datetime TimeToApply, [IN] boolean ContinueOnError, 4044 [IN] datetime MustBeCompletedBy, [OUT] string CanNotApply[]); 4045 [Description ( 4046 "The VerifyOKToApplyIncrementalChangeToMSE method " 4047 "is used to verify that a subset of the properties in " 4048 "this Setting can be 'applied' to the referenced Managed" 4049 "SystemElement, at the given time or time interval. This " 4050 "method takes four input parameters: MSE (the Managed" 4051 "SystemElement that is being verified), TimeToApply (which, " 4052 "being a datetime, can be either a specific time or a time " 4053 "interval), MustBeCompletedBy (which indicates the " 4054 "required completion time for the method), and a " 4055 "PropertiesToApply array (which contains a list of the " 4056 "property names whose values will be verified. " 4057 "If they array is null or empty or constains the string " 4058 "\"all\" " 4059 "as a property name then all Settings properties shall be " 4060 "verified. If it is set to \"none\" then no Settings " 4061 "properties " 4062 "will be verified). The return " 4063 "value should be 0 if it is OK to apply the Setting, 1 if " 4064 "the method is not supported, 2 if the Setting can not be " 4065 "applied within the specified times, and any other number " 4066 "if an error occurred. In a subclass, the " 4067 "set of possible return codes could be specified, using a " 4068 "ValueMap qualifier on the method. 
The strings to which the " 4069 "ValueMap contents are 'translated' may also be specified in " 4070 "the subclass as a Values array qualifier.") ] 4071 uint32 VerifyOKToApplyIncrementalChangeToMSE( 4072 [IN] CIM_ManagedSystemElement ref MSE, 4073 [IN] datetime TimeToApply, 4074 [IN] datetime MustBeCompletedBy, 4075 [IN] string PropertiesToApply[]); 4076 [Description ( 4077 "The ApplyIncrementalChangeToMSE method performs the " 4078 "actual application of a subset of the properties in " 4079 "the Setting to the referenced ManagedSystemElement. It " 4080 "takes four input parameters: MSE (the ManagedSystem" 4081 "Element to which the Setting is being applied), " 4082 "TimeToApply (which, being a datetime, can be either a " 4083 "specific time or a time interval), MustBeCompletedBy " 4084 "(which indicates the required completion time for the " 4085 "method), and a " 4086 "PropertiesToApply array (which contains a list of the " 4087 "property names whose values will be applied. If a " 4088 "property is not in this list, it will be ignored by the " 4089 "apply. " 4090 "If they array is null or empty or constains the string " 4091 "\"all\" " 4092 "as a property name then all Settings properties shall be " 4093 "applied. If it is set to \"none\" then no Settings " 4094 "properties " 4095 "will be applied. ). " 4096 "Note that the semantics of this method are that " 4097 "individual Settings are either wholly applied or not " 4098 "applied at all to their target ManagedSystemElement. The " 4099 "return value should be 0 if the Setting is successfully " 4100 "applied to the referenced ManagedSystemElement, 1 if the " 4101 "method is not supported, 2 if the Setting was not applied " 4102 "within the specified times, and any other number if an " 4103 "error occurred. In a subclass, the set of possible return " 4104 "codes could be specified, using a ValueMap qualifier on " 4105 "the method. 
The strings to which the ValueMap contents are " 4106 "'translated' may also be specified in the subclass as a " 4107 "Values array qualifier.\n" 4108 "Note: If an error occurs in applying the Setting to a " 4109 "ManagedSystemElement, the Element must be configured as " 4110 "when the 'apply' attempt began. That is, the Element " 4111 "should NOT be left in an indeterminate state.") ] 4112 uint32 ApplyIncrementalChangeToMSE( 4113 [IN] CIM_ManagedSystemElement ref MSE, 4114 [IN] datetime TimeToApply, 4115 [IN] datetime MustBeCompletedBy, 4116 [IN] string PropertiesToApply[]); 4117 [Description ( 4118 "The VerifyOKToApplyIncrementalChangeToCollection method " 4119 "is used to verify that a subset of the properties in " 4120 "this Setting can be 'applied' to the referenced " 4121 "Collection of ManagedSystemElements, at the given time " 4122 "or time interval, without causing adverse effects to " 4123 "either the Collection itself or its surrounding " 4124 "environment. The net effect is to execute the " 4125 "VerifyOKToApplyIncrementalChangeToMSE method " 4126 "against each of the Elements " 4127 "aggregated by the Collection. This method takes three " 4128 "input parameters: Collection (the Collection of Managed" 4129 "SystemElements that is being verified), TimeToApply (which, " 4130 "being a datetime, can be either a specific time or a time " 4131 "interval), MustBeCompletedBy (which indicates the " 4132 "required completion time for the method), and a " 4133 "PropertiesToApply array (which contains a list of the " 4134 "property names whose values will be verified. " 4135 "If they array is null or empty or contains the string " 4136 "\"all\" " 4137 "as a property name then all Settings properties shall be " 4138 "verified. If it is set to \"none\" then no Settings " 4139 "properties " 4140 "will be verified). 
The return " 4141 "value should be 0 if it is OK to apply the Setting, 1 if " 4142 "the method is not supported, 2 if the Setting can not be " 4143 "applied within the specified times, and any other number if " 4144 "an error occurred. One output parameter is defined - " 4145 "CanNotApply - which is a string array that lists the keys " 4146 "of " 4147 "the ManagedSystemElements to which the Setting can NOT be " 4148 "applied. This enables those Elements to be revisited and " 4149 "either fixed, or other corrective action taken.\n" 4150 "In a subclass, the set of possible return codes could be " 4151 "specified, using a ValueMap qualifier on the method. The " 4152 "strings to which the ValueMap contents are 'translated' may " 4153 "also be specified in the subclass as a Values array " 4154 "qualifier.") ] 4155 uint32 VerifyOKToApplyIncrementalChangeToCollection ( 4156 [IN] CIM_CollectionOfMSEs ref Collection, 4157 [IN] datetime TimeToApply, 4158 [IN] datetime MustBeCompletedBy, 4160 [IN] string PropertiesToApply[], 4161 [OUT] string CanNotApply[]); 4162 [Description ( 4163 "The ApplyIncrementalChangeToCollection method performs " 4164 "the application of a subset of the properties in this " 4165 "Setting to the referenced Collection of ManagedSystem" 4166 "Elements. The net effect is to execute the " 4167 "ApplyIncrementalChangeToMSE " 4168 "method against each of the Elements aggregated by the " 4169 "Collection. If the input value ContinueOnError is FALSE, " 4170 "this method applies the Setting to all Elements in the " 4171 "Collection until it encounters an error, in which case it " 4172 "stops execution, logs the key of the Element that caused " 4173 "the error in the CanNotApply array, and issues a return " 4174 "code " 4175 "of 2. If the input value ContinueOnError is TRUE, then this " 4176 "method applies the Setting to all the ManagedSystemElements " 4177 "in the Collection, and reports the failed Elements in the " 4178 "array, CanNotApply. 
For the latter, processing will " 4179 "continue " 4180 "until the method is applied to all Elements in the " 4181 "Collection, regardless of any errors encountered. The key " 4182 "of " 4183 "each ManagedSystemElement to which the Setting could not be " 4184 "applied is logged into the CanNotApply array. This method " 4185 "takes four input parameters: Collection (the Collection of " 4186 "Elements to which the Setting is being applied), " 4187 "TimeToApply " 4188 "(which, being a datetime, can be either a specific time or " 4189 "a " 4190 "time interval), ContinueOnError (TRUE means to continue " 4191 "processing on encountering an error), and MustBeCompletedBy " 4192 "(which indicates the required completion time for the " 4193 "method), and a PropertiesToApply array (which contains a " 4194 "list " 4195 "of the property names whose values will be applied. If a " 4196 "property is not in this list, it will be ignored by " 4197 "the apply. " 4198 "If they array is null or empty or constains the string " 4199 "\"all\" " 4200 "as a property name then all Settings properties shall be " 4201 "applied. If it is set to \"none\" then no Settings " 4202 "properties " 4203 "will be applied. ). " 4204 "The return value should be 0 if the Setting is " 4205 "successfully applied to the referenced Collection, 1 if the " 4206 "method is not supported, 2 if the Setting was not applied " 4207 "within the specified times, 3 if the Setting can not be " 4208 "applied using the input value for ContinueOnError, and any " 4209 "other number if an error occurred. One output parameter is " 4210 "defined, CanNotApplystring, which is an array that lists " 4211 "the keys of the ManagedSystemElements to which the Setting " 4212 "was NOT able to be applied. This output parameter has " 4213 "meaning only when the ContinueOnError parameter is TRUE.\n" 4214 "In a subclass, the set of possible return codes could be " 4215 "specified, using a ValueMap qualifier on the method. 
The " 4216 "strings to which the ValueMap contents are 'translated' may " 4217 "also be specified in the subclass as a Values array " 4218 "qualifier.\n" 4219 "Note: if an error occurs in applying the Setting to a " 4220 "ManagedSystemElement in the Collection, the Element must be " 4221 "configured as when the 'apply' attempt began. That is, the " 4222 "Element should NOT be left in an indeterminate state.") ] 4223 uint32 ApplyIncrementalChangeToCollection( 4224 [IN] CIM_CollectionOfMSEs ref Collection, 4225 [IN] datetime TimeToApply, 4226 [IN] boolean ContinueOnError, 4227 [IN] datetime MustBeCompletedBy, 4228 [IN] string PropertiesToApply[], 4229 [OUT] string CanNotApply[]); 4231 }; 4233 // ================================================================== 4234 // CIM_SystemSetting 4235 // ================================================================== 4236 [Abstract, Description ( 4237 "CIM_SystemSetting represents the general concept " 4238 "of a CIM_Setting which is scoped by/weak to a System.")] 4239 class CIM_SystemSetting : CIM_Setting { 4240 [Propagated ("CIM_System.CreationClassName"), Key, 4241 MaxLen (256), Description ( 4242 "The scoping System's CreationClassName.") ] 4243 string SystemCreationClassName; 4244 [Propagated ("CIM_System.Name"), Key, MaxLen (256), 4245 Description ("The scoping System's Name.") ] 4246 string SystemName; 4247 [Key, MaxLen (256), Description ( 4248 "CreationClassName indicates the name of the class or the " 4249 "subclass used in the creation of an instance. 
When used " 4250 "with the other key properties of this class, this property " 4251 "allows all instances of this class and its subclasses to " 4252 "be uniquely identified.") ] 4253 string CreationClassName; 4254 [Override ("SettingID"), Key, MaxLen (256)] 4255 string SettingID; 4256 }; 4258 // ================================================================== 4259 // System 4260 // ================================================================== 4261 [Abstract, Description ( 4262 "A CIM_System is a LogicalElement that aggregates an " 4263 "enumerable set of Managed System Elements. The aggregation " 4264 "operates as a functional whole. Within any particular " 4265 "subclass of System, there is a well-defined list of " 4266 "Managed System Element classes whose instances must be " 4267 "aggregated.") ] 4268 class CIM_System:CIM_LogicalElement 4269 { 4270 [Key, MaxLen (256), Description ( 4271 "CreationClassName indicates the name of the class or the " 4272 "subclass used in the creation of an instance. When used " 4273 "with the other key properties of this class, this property " 4274 "allows all instances of this class and its subclasses to " 4275 "be uniquely identified.") ] 4276 string CreationClassName; 4277 [Key, MaxLen (256), Override ("Name"), Description ( 4278 "The inherited Name serves as key of a System instance in " 4279 "an enterprise environment.") ] 4280 string Name; 4281 [MaxLen (64), Description ( 4282 "The System object and its derivatives are Top Level Objects " 4283 "of CIM. They provide the scope for numerous components. " 4284 "Having unique System keys is required. A heuristic can be " 4285 "defined in individual System subclasses to attempt to " 4286 "always " 4287 "generate the same System Name Key. 
The NameFormat property " 4288 "identifies how the System name was generated, using " 4289 "the subclass' heuristic.") ] 4290 string NameFormat; 4291 [MaxLen (256), Description ( 4292 "A string that provides information on how the primary " 4293 "system " 4294 "owner can be reached (e.g. phone number, email address, " 4295 "...)."), 4296 MappingStrings {"MIF.DMTF|General Information|001.3"} ] 4297 string PrimaryOwnerContact; 4298 [MaxLen (64), Description ( 4299 "The name of the primary system owner."), 4300 MappingStrings {"MIF.DMTF|General Information|001.4"} ] 4301 string PrimaryOwnerName; 4302 [Description ( 4303 "An array (bag) of strings that specify the roles this " 4304 "System " 4305 "plays in the IT-environment. Subclasses of System may " 4306 "override this property to define explicit Roles values. " 4307 "Alternately, a Working Group may describe the heuristics, " 4308 "conventions and guidelines for specifying Roles. For " 4309 "example, for an instance of a networking system, the Roles " 4310 "property might contain the string, 'Switch' or 'Bridge'.") ] 4311 string Roles[]; 4312 }; 4314 // ================================================================== 4315 // Service 4316 // ================================================================== 4317 [Abstract, Description ( 4318 "A CIM_Service is a Logical Element that contains the " 4319 "information necessary to represent and manage the " 4320 "functionality provided by a Device and/or SoftwareFeature. " 4321 "A Service is a general-purpose object to configure and " 4322 "manage the implementation of functionality. It is not the " 4323 "functionality itself.") ] 4324 class CIM_Service:CIM_LogicalElement 4325 { 4326 [Key, MaxLen (256), Description ( 4327 "CreationClassName indicates the name of the class or the " 4328 "subclass used in the creation of an instance. 
When used " 4329 "with the other key properties of this class, this " 4330 "property " 4331 "allows all instances of this class and its subclasses to " 4332 "be uniquely identified.") ] 4333 string CreationClassName; 4334 [Override ("Name"), Key, MaxLen (256), 4335 Description ( 4336 "The Name property uniquely identifies the Service and " 4337 "provides an indication of the functionality that is " 4338 "managed. This functionality is described in more detail in " 4339 "the object's Description property. ") ] 4340 string Name; 4341 [MaxLen (10), Description ( 4342 "StartMode is a string value indicating whether the Service " 4343 "is automatically started by a System, Operating System, " 4344 "etc. " 4345 "or only started upon request."), 4346 ValueMap {"Automatic", "Manual"} ] 4347 string StartMode; 4348 [Description ( 4349 "Started is a boolean indicating whether the Service " 4350 "has been started (TRUE), or stopped (FALSE).") ] 4351 boolean Started; 4352 [Propagated ("CIM_System.CreationClassName"), Key, 4353 MaxLen (256), Description ( 4354 "The scoping System's CreationClassName. ") ] 4355 string SystemCreationClassName; 4356 [Propagated ("CIM_System.Name"), Key, MaxLen (256), 4357 Description ("The scoping System's Name.") ] 4358 string SystemName; 4359 [Description ( 4360 "The StartService method places the Service in the started " 4361 "state. It returns an integer value of 0 if the Service was " 4362 "successfully started, 1 if the request is not supported and " 4363 "any other number to indicate an error. In a subclass, the " 4364 "set of possible return codes could be specified, using a " 4365 "ValueMap qualifier on the method. The strings to which the " 4366 "ValueMap contents are 'translated' may also be specified in " 4367 "the subclass as a Values array qualifier.") ] 4368 uint32 StartService(); 4369 [Description ( 4370 "The StopService method places the Service in the stopped " 4371 "state. 
It returns an integer value of 0 if the Service was " 4372 "successfully stopped, 1 if the request is not supported and " 4373 "any other number to indicate an error. In a subclass, the " 4374 "set of possible return codes could be specified, using a " 4375 "ValueMap qualifier on the method. The strings to which the " 4376 "ValueMap contents are 'translated' may also be specified in " 4377 "the subclass as a Values array qualifier.") ] 4378 uint32 StopService(); 4379 }; 4381 // ================================================================== 4382 // ServiceAccessPoint 4383 // ================================================================== 4384 [Abstract, Description ( 4385 "CIM_ServiceAccessPoint represents the ability to utilize or " 4386 "invoke a Service. Access points represent that a Service " 4387 "is " 4388 "made available to other entities for use.") ] 4389 class CIM_ServiceAccessPoint:CIM_LogicalElement 4390 { 4391 [Key, MaxLen (256), Description ( 4392 "CreationClassName indicates the name of the class or the " 4393 "subclass used in the creation of an instance. When used " 4394 "with the other key properties of this class, this " 4395 "property " 4396 "allows all instances of this class and its subclasses to " 4397 "be uniquely identified.") ] 4398 string CreationClassName; 4399 [Override ("Name"), Key, MaxLen (256), 4400 Description ( 4401 "The Name property uniquely identifies the " 4402 "ServiceAccessPoint " 4403 "and provides an indication of the functionality that is " 4404 "managed. 
This functionality is described in more detail in " 4405 "the object's Description property.") ] 4406 string Name; 4407 [Propagated ("CIM_System.CreationClassName"), Key, 4408 MaxLen (256), Description ( 4409 "The scoping System's CreationClassName.") ] 4410 string SystemCreationClassName; 4411 [Propagated ("CIM_System.Name"), Key, MaxLen (256), 4412 Description ("The scoping System's Name.") ] 4413 string SystemName; 4414 }; 4416 // ================================================================== 4417 // === Association class definitions === 4418 // ================================================================== 4420 // ================================================================== 4421 // Component 4422 // ================================================================== 4423 [Association, Abstract, Aggregation, Description ( 4424 "CIM_Component is a generic association used to establish " 4425 "'part of' relationships between Managed System Elements. " 4426 "For " 4427 "example, the SystemComponent association defines parts of " 4428 "a System.") ] 4429 class CIM_Component 4430 { 4431 [Aggregate, Key, Description ( 4432 "The parent element in the association.") ] 4433 CIM_ManagedSystemElement REF GroupComponent; 4434 [Key, Description ("The child element in the association.") ] 4435 CIM_ManagedSystemElement REF PartComponent; 4436 }; 4438 // ================================================================== 4439 // Dependency 4440 // ================================================================== 4441 [Association, Abstract, Description ( 4442 "CIM_Dependency is a generic association used to establish " 4443 "dependency relationships between ManagedElements.") ] 4444 class CIM_Dependency 4445 { 4446 [Key, Description ( 4447 "Antecedent represents the independent object in this " 4448 "association.") ] 4449 CIM_ManagedElement REF Antecedent; 4450 [Key, Description ( 4451 "Dependent represents the object dependent on the " 4452 "Antecedent.") ] 4453 
CIM_ManagedElement REF Dependent; 4454 }; 4456 // =================================================================== 4457 // ElementSetting 4458 // =================================================================== 4459 [Association, Description ( 4460 "ElementSetting represents the association between Managed" 4461 "SystemElements and the Setting class(es) defined for them.") 4462 ] 4463 class CIM_ElementSetting 4464 { 4465 [Key, Description ("The ManagedSystemElement.") ] 4466 CIM_ManagedSystemElement REF Element; 4467 [Key, Description ( 4468 "The Setting object associated with the ManagedSystem" 4469 "Element.") ] 4470 CIM_Setting REF Setting; 4471 }; 4472 // ================================================================== 4473 // MemberOfCollection 4474 // ================================================================== 4475 [Association, Aggregation, Description ( 4476 "CIM_MemberOfCollection is an aggregation used to establish " 4477 "membership of ManagedElements in a Collection." 
   ) ]
class CIM_MemberOfCollection
{
   [Key, Aggregate, Description (
      "The Collection that aggregates members") ]
   CIM_Collection REF Collection;
   [Key, Description ("The aggregated member of the collection.") ]
   CIM_ManagedElement REF Member;
};

// ==================================================================
// CIM_SystemSettingContext
// ==================================================================
[Association, Aggregation, Description (
   "This relationship associates System-specific Configuration "
   "objects with System-specific Setting objects, similar to "
   "the SettingContext association.")]
class CIM_SystemSettingContext {
   [Aggregate, Key, Description (
      "The Configuration object that aggregates the Setting.") ]
   CIM_SystemConfiguration REF Context;
   [Key, Description ("An aggregated Setting.")]
   CIM_SystemSetting REF Setting;
};

Appendix B (DMTF User Model MOF)

// ==================================================================
// OrganizationalEntity
// ==================================================================
[Abstract, Description (
   "OrganizationalEntity is an abstract class from which classes "
   "that fit into an organizational structure are derived.") ]
class CIM_OrganizationalEntity : CIM_ManagedElement
{
};

// ==================================================================
// UserEntity
// ==================================================================
[Abstract, Description (
   "UserEntity is an abstract class that represents users.") ]
class CIM_UserEntity : CIM_OrganizationalEntity
{
};

// ==================================================================
// UsersAccess
// ==================================================================
[Description (
   "The UsersAccess object class is used to specify a system user "
   "that is permitted access to system resources. The ManagedElement "
   "that has access to system resources (represented in the model in "
   "the ElementAsUser association) may be a person, a service, a "
   "service access point or any collection thereof. Whereas the "
   "Account class represents the user's relationship to a system "
   "from the perspective of the security services of the system, the "
   "UsersAccess class represents the relationships to the systems "
   "independent of a particular system or service.") ]
class CIM_UsersAccess: CIM_UserEntity
{
   [Key, MaxLen (256), Description (
      "CreationClassName indicates the name of the class or the "
      "subclass used in the creation of an instance. When used "
      "with the other key properties of this class, this property "
      "allows all instances of this class and its subclasses to "
      "be uniquely identified.")]
   string CreationClassName;
   [Key, MaxLen (256), Description (
      "The Name property defines the label by which the object is "
      "known.")]
   string Name;
   [Key, Description (
      "The ElementID property uniquely specifies the ManagedElement "
      "object instance that is the user represented by the "
      "UsersAccess object instance. The ElementID is formatted "
      "similarly to a model path except that the property-value "
      "pairs are ordered in alphabetical order (US ASCII lexical "
      "order).")]
   string ElementID;
   [Description (
      "Biometric information used to identify a person. The "
      "property value is left null or set to 'N/A' for a non-human "
      "user or a user not using biometric information for "
      "authentication."),
      Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger",
               "Voice", "DNA-RNA", "EEG"} ]
   uint16 Biometric[];
};

// ==================================================================
// SecurityService
// ==================================================================
[Abstract, Description (
   "CIM_SecurityService ...") ]
class CIM_SecurityService:CIM_Service
{
};

// ==================================================================
// AuthenticationService
// ==================================================================
[Description (
   "CIM_AuthenticationService verifies users' identities through "
   "some means. These services are decomposed into a subclass that "
   "provides credentials to users and a subclass that provides for "
   "the verification of the validity of a credential and, perhaps, "
   "the appropriateness of its use for access to target resources. "
   "The persistent state information used from one such verification "
   "to another is maintained in an Account for that UsersAccess on "
   "that AuthenticationService.") ]
class CIM_AuthenticationService:CIM_SecurityService
{
};

// ==================================================================
// CredentialManagementService
// ==================================================================
[Description (
   "CIM_CredentialManagementService issues credentials and manages "
   "the credential lifecycle.") ]
class CIM_CredentialManagementService:CIM_AuthenticationService
{
};

// ==================================================================
// CertificateAuthority
// ==================================================================
[Description ("A Certificate Authority (CA) is a credential "
   "management service that issues and cryptographically "
   "signs certificates, thus acting as a trusted third-party "
   "intermediary in establishing trust relationships. The CA "
   "authenticates the holder of the private key related to the "
   "certificate's public key; the authenticated entity is "
   "represented by the UsersAccess class.") ]
class CIM_CertificateAuthority:CIM_CredentialManagementService
{
   [Description (
      "The CAPolicyStatement describes what care is taken by the "
      "CertificateAuthority when signing a new certificate. "
      "The CAPolicyStatement may be a dot-delimited ASN.1 OID "
      "string which identifies the formal policy statement.") ]
   string CAPolicyStatement;
   [Description ( "A CRL, or CertificateRevocationList, is a "
      "list of certificates which the CertificateAuthority has "
      "revoked and which are not yet expired. Revocation is "
      "necessary when the private key associated with the public "
      "key of a certificate is lost or compromised, or when the "
      "person for whom the certificate is signed no longer is "
      "entitled to use the certificate."), Octetstring ]
   string CRL[];
   [Description ("Certificate Revocation Lists may be "
      "available from a number of distribution points. "
      "CRLDistributionPoint array values provide URIs for those "
      "distribution points.")]
   string CRLDistributionPoint[];
   [Description ( "Certificates refer to their issuing CA by "
      "its Distinguished Name (as defined in X.501)."), DN]
   string CADistinguishedName;
   [Description ( "The frequency, expressed in hours, at which "
      "the CA will update its Certificate Revocation List. Zero "
      "implies that the refresh frequency is unknown."),
      Units("Hours")]
   uint8 CRLRefreshFrequency;
   [Description ( "The maximum number of certificates in a "
      "certificate chain permitted for credentials issued by "
      "this certificate authority or its subordinate CAs.\n"
      "The MaxChainLength of a superior CA in the trust "
      "hierarchy should be greater than this value and the "
      "MaxChainLength of a subordinate CA in the trust hierarchy "
      "should be less than this value.")]
   uint8 MaxChainLength;
};

// ==================================================================
// KerberosKeyDistributionCenter
// ==================================================================
[Description (
   "CIM_KerberosKeyDistributionCenter ...") ]
class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService
{
   [Override ("Name"),
      Description ("The Realm served by this KDC.")]
   string Name;

   [Description ("The version of Kerberos supported by this "
      "service."),
      Values {"V4", "V5", "DCE", "MS"} ]
   uint16 Protocol[];
};

// ==================================================================
// Notary
// ==================================================================
[Description (
   "CIM_Notary is an AuthenticationService (credential "
   "management service) which compares the "
   "biometric characteristics of a person with the "
   "known characteristics of a UsersAccess, and determines "
   "whether the person is the UsersAccess. An example is "
   "a bank teller who compares a picture ID with the person "
   "trying to cash a check, or a biometric login service that "
   "uses voice recognition to identify a user.") ]
class CIM_Notary:CIM_CredentialManagementService
{
   [Description ( "The types of biometric information which "
      "this Notary can compare."),
      Values { "N/A", "Other", "Facial", "Retina", "Mark",
               "Finger", "Voice", "DNA-RNA", "EEG"} ]
   uint16 Comparitors;
   [Description (
      "The SealProtocol is how the decision of the Notary is "
      "recorded for future use by parties who will rely on its "
      "decision. For instance, a driver's licence frequently "
      "includes tamper-resistant coatings and markings to protect "
      "the recorded decision that a driver, having various "
      "biometric characteristics of height, weight, hair and eye "
      "color, using a particular name, has features represented in "
      "a photograph of their face.")]
   string SealProtocol;
   [Description (
      "CharterIssued documents when the Notary is first "
      "authorized, by whoever gave it responsibility, to perform "
      "its service.")]
   datetime CharterIssued;
   [Description (
      "CharterExpired documents when the Notary is no longer "
      "authorized, by whoever gave it responsibility, to perform "
      "its service.")]
   datetime CharterExpired;
};

// ==================================================================
// LocalCredentialManagementService
// ==================================================================
[Description (
   "CIM_LocalCredentialManagementService is a credential "
   "management service that provides local system "
   "management of credentials used by the local system.") ]
class CIM_LocalCredentialManagementService:CIM_CredentialManagementService
{
};

// ==================================================================
// SharedSecretService
// ==================================================================
[Description (
   "CIM_SharedSecretService is a service which ascertains "
   "whether messages received are from the Principal with "
   "whom a secret is shared. Examples include a login "
   "service that proves identity on the basis of knowledge of "
   "the shared secret, or a transport integrity service (like "
   "Kerberos provides) that includes a message authenticity "
   "code that proves each message in the message stream came "
   "from someone who knows the shared secret session key.")]
class CIM_SharedSecretService:CIM_LocalCredentialManagementService
{
   [MaxLen (256), Description (
      "The Algorithm used to convey the shared secret, such as "
      "HMAC-MD5, or PLAINTEXT.") ]
   string Algorithm;
   [Description (
      "The Protocol supported by the SharedSecretService.")]
   string Protocol;
};

// ==================================================================
// PublicKeyManagementService
// ==================================================================
[Description (
   "CIM_PublicKeyManagementService is a credential management "
   "service that provides local system management of public "
   "keys used by the local system.") ]
class CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService
{
};

// ==================================================================
// Credential
// ==================================================================
[Abstract, Description (
   "Subclasses of CIM_Credential define materials, "
   "information, or other data which are used to prove the "
   "identity of a CIM_UsersAccess to a particular "
   "CIM_SecurityService. Generally, there may be some shared "
   "information, or credential material which is used to "
   "identify and authenticate oneself in the process of "
   "gaining access to, or permission to use, an Account. "
   "Such credential material may be used to authenticate a "
   "UsersAccess identity initially, as done by a "
   "CIM_AuthenticationService (see later), and additionally on "
   "an ongoing basis during the course of a connection or "
   "other security association, as proof that each received "
   "message or communication came from the owning UsersAccess "
   "of that credential material.") ]
class CIM_Credential:CIM_ManagedElement
{
};

// ==================================================================
// PublicKeyCertificate
// ==================================================================
[Description ("A Public Key Certificate is a credential "
   "that is cryptographically signed by a trusted Certificate "
   "Authority (CA) and issued to an authenticated entity "
   "(e.g., human user, service, etc.) called the Subject in "
   "the certificate and represented by the UsersAccess class. "
   "The public key in the certificate is cryptographically "
   "related to a private key that is to be held and kept "
   "private by the authenticated Subject. The certificate "
   "and its related private key can then be used for "
   "establishing trust relationships and securing "
   "communications with the Subject. Refer to the ITU/CCITT "
   "X.509 standard as an example of such certificates.") ]
class CIM_PublicKeyCertificate:CIM_Credential
{
   [Propagated ("CIM_System.CreationClassName"),
      Key, MaxLen (256), Description ("Scoping System")]
   string SystemCreationClassName;
   [Propagated ("CIM_System.Name"),
      Key, MaxLen (256), Description ("Scoping System")]
   string SystemName;
   [Propagated ("CIM_CertificateAuthority.CreationClassName"),
      Key, MaxLen (256), Description ("Scoping Service")]
   string ServiceCreationClassName;
   [Propagated ("CIM_CertificateAuthority.Name"),
      Key, MaxLen (256), Description ("Scoping Service")]
   string ServiceName;
   [Key, MaxLen (256), Description (
      "Certificate subject identifier")]
   string Subject;
   [MaxLen (256), Description (
      "Alternate subject identifier for the Certificate.")]
   string AltSubject;
   [Description ("The DER-encoded raw public key."), Octetstring]
   uint8 PublicKey[];
};

// ==================================================================
// UnsignedPublicKey
// ==================================================================
[Description (
   "A CIM_UnsignedPublicKey represents an unsigned public "
   "key credential. The local UsersAccess (or subclass "
   "thereof) accepts the public key as authentic because of "
   "a direct trust relationship rather than via a third-party "
   "Certificate Authority.") ]
class CIM_UnsignedPublicKey:CIM_Credential
{
   [Propagated ("CIM_System.CreationClassName"),
      Key, MaxLen (256), Description ("Scoping System")]
   string SystemCreationClassName;
   [Propagated ("CIM_System.Name"),
      Key, MaxLen (256), Description ("Scoping System")]
   string SystemName;
   [Propagated ("CIM_PublicKeyManagementService.CreationClassName"),
      Key, MaxLen (256), Description ("Scoping Service")]
   string ServiceCreationClassName;
   [Propagated ("CIM_PublicKeyManagementService.Name"),
      Key, MaxLen (256), Description ("Scoping Service")]
   string ServiceName;
   [Key, MaxLen (256), Description (
      "The Identity of the Peer with whom a direct trust "
      "relationship exists. The public key may be used for "
      "security functions with the Peer."),
      ModelCorrespondence
      {"CIM_PublicKeyManagementService.PeerIdentityType" } ]
   string PeerIdentity;
   [Description ("PeerIdentityType is used to describe the "
      "type of the PeerIdentity. The currently defined values "
      "are used for IKE identities."),
      ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8",
                "9", "10", "11"},
      Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN",
              "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
              "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
              "DER_ASN1_GN", "KEY_ID"},
      ModelCorrespondence
      {"CIM_PublicKeyManagementService.PeerIdentity" } ]
   uint16 PeerIdentityType;
   [Description ("The DER-encoded raw public key."),
      Octetstring]
   uint8 PublicKey[];
};

// ==================================================================
// KerberosTicket
// ==================================================================
[Description (
   "A CIM_KerberosTicket represents a credential issued by a "
   "particular Kerberos Key Distribution Center (KDC) "
   "to a particular CIM_UsersAccess as the result of a "
   "successful authentication process. There are two types of "
   "tickets that a KDC may issue to a UsersAccess - a "
   "TicketGranting ticket, which is used to protect and "
   "authenticate communications between the UsersAccess and the "
   "KDC, and a Session ticket, which the KDC issues to two "
   "UsersAccess to allow them to communicate with each other. "
   ) ]
class CIM_KerberosTicket:CIM_Credential
{
   [Propagated ("CIM_System.CreationClassName"), Key,
      MaxLen (256), Description ("Scoping System")]
   string SystemCreationClassName;
   [Propagated ("CIM_System.Name"), Key,
      MaxLen (256), Description ("Scoping System")]
   string SystemName;
   [Key, MaxLen (256), Propagated
      ("CIM_KerberosKeyDistributionCenter.CreationClassName"),
      Description ("Scoping Service")]
   string ServiceCreationClassName;
   [Propagated ("CIM_KerberosKeyDistributionCenter.Name"),
      Key, MaxLen (256),
      Description ("Scoping Service. The Kerberos KDC Realm of "
      "CIM_KerberosTicket is used to record the security "
      "authority, or Realm, name so that tickets issued by "
      "different Realms can be separately managed and "
      "enumerated.")]
   string ServiceName;
   [Key, MaxLen (256), Description ("The name of the service "
      "for which this ticket is used.")]
   string AccessesService;
   [Key, MaxLen (256), Description (
      "RemoteID is the name by which the user is known at "
      "the KDC security service.")]
   string RemoteID;
   datetime Issued;
   datetime Expires;
   [Description (
      "The Type of CIM_KerberosTicket is used to indicate whether "
      "the ticket in question was issued by the Kerberos Key "
      "Distribution Center (KDC) to support ongoing communication "
      "between the UsersAccess and the KDC (\"TicketGranting\"), "
      "or was issued by the KDC to support ongoing communication "
      "between two UsersAccess entities (\"Session\")." ),
      Values {"Session", "TicketGranting"}]
   uint16 TicketType;
};

// ==================================================================
// SharedSecret
// ==================================================================
[Description (
   "CIM_SharedSecret is the secret shared between a UsersAccess "
   "and a particular SharedSecret security service. Secrets "
   "may be in the form of a password used for initial "
   "authentication, or as with a session key, used as part of "
   "a message authentication code to verify that a message "
   "originated by the principal with whom the secret is shared. "
   "It is important to note that SharedSecret is not just the "
   "password, but rather is the password used with a particular "
   "security service.")]
class CIM_SharedSecret:CIM_Credential
{
   [Propagated ("CIM_System.CreationClassName"), Key,
      MaxLen (256), Description ("Scoping System")]
   string SystemCreationClassName;
   [Propagated ("CIM_System.Name"), Key,
      MaxLen (256), Description ("Scoping System")]
   string SystemName;
   [Key, MaxLen (256), Propagated
      ("CIM_SharedSecretService.CreationClassName"),
      Description ("Scoping Service")]
   string ServiceCreationClassName;
   [Propagated ("CIM_SharedSecretService.Name"),
      Key, MaxLen (256),
      Description ("Scoping Service")]
   string ServiceName;
   [Key, MaxLen (256), Description (
      "RemoteID is the name by which the user is known at "
      "the remote secret key authentication service.")]
   string RemoteID;
   [Description (
      "secret is the secret known by the UsersAccess.")]
   string secret;
   [Description (
      "algorithm names the transformation algorithm, if any, used "
      "to protect passwords before use in the protocol. For "
      "instance, Kerberos doesn't store passwords as the shared "
      "secret, but rather, a hash of the password.")]
   string algorithm;
   [Description (
      "protocol names the protocol with which the SharedSecret is "
      "used.")]
   string protocol;
};

// ==================================================================
// NamedSharedIKESecret
// ==================================================================
[Description (
   "CIM_NamedSharedIKESecret indirectly represents a shared "
   "secret credential. The local identity, IKEIdentity, "
   "and the remote peer identity share the secret that is "
   "named by the SharedSecretName. The SharedSecretName is "
   "used by the SharedSecretService to reference the secret.") ]
class CIM_NamedSharedIKESecret:CIM_Credential
{
   [Propagated ("CIM_System.CreationClassName"),
      Key, MaxLen (256), Description ("Scoping System")]
   string SystemCreationClassName;
   [Propagated ("CIM_System.Name"),
      Key, MaxLen (256), Description ("Scoping System")]
   string SystemName;
   [Propagated ("CIM_SharedSecretService.CreationClassName"),
      Key, MaxLen (256), Description ("Scoping Service")]
   string ServiceCreationClassName;
   [Propagated ("CIM_SharedSecretService.Name"),
      Key, MaxLen (256), Description ("Scoping Service")]
   string ServiceName;
   [Key, MaxLen (256), Description (
      "The local Identity with whom the direct trust "
      "relationship exists."),
      ModelCorrespondence
      {"CIM_NamedSharedIKESecret.LocalIdentityType" } ]
   string LocalIdentity;
   [Key, Description ("LocalIdentityType is used to describe "
      "the type of the LocalIdentity."),
      ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
                "9", "10", "11"},
      Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
              "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
              "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
              "DER_ASN1_GN", "KEY_ID"},
      ModelCorrespondence
      {"CIM_NamedSharedIKESecret.LocalIdentity" } ]
   uint16 LocalIdentityType;
   [Key, MaxLen (256), Description (
      "The peer identity with whom the direct trust "
      "relationship exists."),
      ModelCorrespondence
      {"CIM_NamedSharedIKESecret.PeerIdentityType" } ]
   string PeerIdentity;
   [Key, Description ("PeerIdentityType is used to describe "
      "the type of the PeerIdentity."),
      ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
                "9", "10", "11"},
      Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
              "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
              "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
              "DER_ASN1_GN", "KEY_ID"},
      ModelCorrespondence
      {"CIM_NamedSharedIKESecret.PeerIdentity" } ]
   uint16 PeerIdentityType;
   [Description ("SharedSecretName is an indirect reference "
      "to a shared secret. The SecretService does not expose "
      "the actual secret but rather provides access to the "
      "secret via a name.")]
   string SharedSecretName;
};

// ==================================================================
// === Association class definitions ===
// ==================================================================

// ==================================================================
// ElementAsUser
// ==================================================================
[Association, Description (
   "CIM_ElementAsUser is an association used to establish the "
   "'ownership' of UsersAccess object instances. That is, the "
   "ManagedElement may have UsersAccess to systems and, therefore, "
   "be 'users' on those systems. UsersAccess instances must have an "
   "'owning' ManagedElement. Typically, the ManagedElements will be "
   "limited to Collection, Person, Service and ServiceAccessPoint. "
   "Other non-human ManagedElements that might be thought of as "
   "having UsersAccess (e.g., a device or system) have services that "
   "have the UsersAccess.")]
class CIM_ElementAsUser : CIM_Dependency
{
   [Min (1), Max (1), Override ("Antecedent"),
      Description ("The ManagedElement that has UsersAccess") ]
   CIM_ManagedElement REF Antecedent;
   [Override ("Dependent"),
      Description ("The 'owned' UsersAccess") ]
   CIM_UsersAccess REF Dependent;
};

// ==================================================================
// UsersCredential
// ==================================================================
[Association, Description (
   "CIM_UsersCredential is an association used to establish the "
   "credentials that may be used for a UsersAccess to a system or "
   "set of systems." )]
class CIM_UsersCredential : CIM_Dependency
{
   [Override ("Antecedent"),
      Description ("The issued credential that may be used.") ]
   CIM_Credential REF Antecedent;
   [Override ("Dependent"),
      Description ("The UsersAccess that has use of a credential") ]
   CIM_UsersAccess REF Dependent;
};

// ===================================================================
// PublicPrivateKeyPair
// ===================================================================
[Association, Description (
   "This relationship associates a PublicKeyCertificate with "
   "the Principal who has the PrivateKey used with the "
   "PublicKey. The PrivateKey is not modeled, since it is not "
   "a data element that ever SHOULD be accessible via "
   "management applications, other than key recovery services, "
   "which are outside our scope.") ]
class CIM_PublicPrivateKeyPair:CIM_UsersCredential
{
   [ Override ("Antecedent") ]
   CIM_PublicKeyCertificate REF Antecedent;
   [ Override ("Dependent") ]
   CIM_UsersAccess REF Dependent;
   [Description ( "The Certificate may be used for signature only "
      "or for confidentiality as well as signature"),
      Values { "SignOnly", "ConfidentialityOrSignature"} ]
   uint16 Use;
   boolean NonRepudiation;
   boolean BackedUp;
   [Description ("The repository in which the certificate is "
      "backed up.")]
   string Repository;
};

// ===================================================================
// CAHasPublicCertificate
// ===================================================================
[Association, Description (
   "A CertificateAuthority may have certificates issued by other CAs. "
   "This association is essentially an optimization of the CA having "
   "a UsersAccess instance with an association to a certificate, thus "
   "mapping more closely to LDAP-based certificate authority "
   "implementations.") ]
class CIM_CAHasPublicCertificate:CIM_Dependency
{
   [Max (1), Override ("Antecedent"),
      Description ("The Certificate used by the CA")]
   CIM_PublicKeyCertificate REF Antecedent;
   [Override ("Dependent"),
      Description ("The CA that uses a Certificate")]
   CIM_CertificateAuthority REF Dependent;
};

// ===================================================================
// ManagedCredential
// ===================================================================
[Association, Description (
   "This relationship associates a CredentialManagementService "
   "with the Credential it manages.") ]
class CIM_ManagedCredential:CIM_Dependency
{
   [Override ("Antecedent"), Min (1), Max (1),
      Description ( "The credential management service")]
   CIM_CredentialManagementService REF Antecedent;
   [Override ("Dependent"),
      Description ( "The managed credential")]
   CIM_Credential REF Dependent;
};

// ===================================================================
// CASignsPublicKeyCertificate
// ===================================================================
[Association, Description (
   "This relationship associates a CertificateAuthority with "
   "the certificates it signs.") ]
class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential
{
   [Override ("Antecedent"), Min (1), Max (1),
      Description ( "The CA which signed the certificate")]
   CIM_CertificateAuthority REF Antecedent;
   [Override ("Dependent"), Weak,
      Description ( "The certificate issued by the CA")]
   CIM_PublicKeyCertificate REF Dependent;
   string SerialNumber;
   [ Octetstring ]
   uint8 Signature[];
   datetime Expires;
   string CRLDistributionPoint[];
};

// ==================================================================
// LocallyManagedPublicKey
// ==================================================================
[Association, Description (
   "CIM_LocallyManagedPublicKey association provides the "
   "relationship between a PublicKeyManagementService and an "
   "UnsignedPublicKey.") ]
class CIM_LocallyManagedPublicKey:CIM_ManagedCredential
{
   [Override ("Antecedent"), Min (1), Max (1),
      Description ("The PublicKeyManagementService that manages "
      "an unsigned public key.") ]
   CIM_PublicKeyManagementService REF Antecedent;
   [Override ("Dependent"), Weak, Description (
      "An unsigned public key.") ]
   CIM_UnsignedPublicKey REF Dependent;
};

// ===================================================================
// SharedSecretIsShared
// ===================================================================
[Association, Description (
   "This relationship associates a SharedSecretService with the "
   "SecretKey it verifies.") ]
class CIM_SharedSecretIsShared : CIM_ManagedCredential
{
   [Override ("Antecedent"), Min (1), Max (1),
      Description ("The credential management service")]
   CIM_SharedSecretService REF Antecedent;

   [Override ("Dependent"), Weak,
      Description ( "The managed credential")]
   CIM_SharedSecret REF Dependent;
};

// ==================================================================
// IKESecretIsNamed
// ==================================================================
[Association, Description (
   "CIM_IKESecretIsNamed association provides the "
   "relationship between a SharedSecretService and a "
   "NamedSharedIKESecret.") ]
class CIM_IKESecretIsNamed:CIM_ManagedCredential
{
   [Override ("Antecedent"), Min (1), Max (1),
      Description ("The SharedSecretService that manages a "
      "NamedSharedIKESecret.")]
   CIM_SharedSecretService REF Antecedent;
   [Override ("Dependent"), Weak, Description (
      "The managed NamedSharedIKESecret.") ]
   CIM_NamedSharedIKESecret REF Dependent;
};

// ===================================================================
// KDCIssuesKerberosTicket
// ===================================================================
[Association, Description (
   "The KDC issues and owns Kerberos tickets. This association "
   "captures the relationship between the KDC and its issued tickets."
   ) ]
class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential
{
   [Override ("Antecedent"), Min (1), Max (1),
      Description ( "The issuing KDC") ]
   CIM_KerberosKeyDistributionCenter REF Antecedent;
   [Override ("Dependent"), Weak,
      Description ( "The managed credential")]
   CIM_KerberosTicket REF Dependent;
};

// ===================================================================
// NotaryVerifiesBiometric
// ===================================================================
[Association, Description (
   "This relationship associates a Notary service with the "
   "UsersAccess whose biometric information is verified.") ]
class CIM_NotaryVerifiesBiometric : CIM_Dependency
{
   [Override ("Antecedent"),
      Description ("The Notary service that verifies biometric "
      "information") ]
   CIM_Notary REF Antecedent;
   [Override ("Dependent"),
      Description ( "The UsersAccess that represents a person using "
      "biometric information for authentication.")]
   CIM_UsersAccess REF Dependent;
};

Appendix C (DMTF Network Model MOF)

// ==================================================================
// NetworkService
// ==================================================================
[Abstract, Description (
   "This is an abstract base class, derived from the Service "
   "class. It serves as the root of the network service "
   "hierarchy. Network services represent generic functions "
   "that are available from the network that configure and/or "
   "modify the traffic being sent. For example, FTP is not a "
   "network service, as it simply passes data unchanged from "
   "source to destination. On the other hand, services "
   "that provide quality of service (e.g., DiffServ) and "
   "security (e.g., IPSec) do affect the traffic stream. "
   "Quality of service, IPSec, and other services are "
   "subclasses of this class. This class hierarchy enables "
   "developers to match services to users, groups, "
   "and other objects in the network.") ]
class CIM_NetworkService : CIM_Service
{
   [Description (
      "This is a free-form array of strings that provide "
      "descriptive words and phrases that can be used in queries "
      "to help locate and identify instances of this service.") ]
   string Keywords[];
   [Description (
      "This is a URL that provides the protocol, network "
      "location, and other service-specific information required "
      "in order to access the service. This should be implemented "
      "as a LabeledURI, with syntax DirectoryString and a "
      "matching rule of CaseExactMatch, for directory "
      "implementors.") ]
   string ServiceURL;
   [Description (
      "This is a free-form array of strings that specify any "
      "specific pre-conditions that must be met in order for this "
      "service to start correctly. It is expected that subclasses "
      "will refine the inherited StartService() and StopService() "
      "methods to suit their own application-specific needs. This "
      "property is used to specify application-specific conditions "
      "needed by the refined StartService and StopService "
      "methods.") ]
   string StartupConditions[];
   [Description (
      "This is a free-form array of strings that specify any "
      "specific parameters that must be supplied to the "
      "StartService() method in order for this service to start "
      "correctly. It is expected that subclasses will refine the "
      "inherited StartService() and StopService() methods to suit "
      "their own application-specific needs. This property is used "
      "to specify application-specific parameters needed by the "
      "refined StartService and StopService methods.") ]
   string StartupParameters[];
};

// ==================================================================
// ProtocolEndpoint
// ==================================================================
[Description (
   "A communication point from which data may be sent or "
   "received. ProtocolEndpoints link router interfaces and "
   "switch ports to LogicalNetworks.") ]
class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint
{
   [Override ("Name"), MaxLen (256), Description (
      "A string which identifies this ProtocolEndpoint with either "
      "a port or an interface on a device. To ensure uniqueness, "
      "the Name property should be prepended or appended with "
      "information from the Type or OtherTypeDescription "
      "properties. The method chosen is described in the "
      "NameFormat property of this class.") ]
   string Name;
   [MaxLen (256), Description (
      "NameFormat contains the naming heuristic that is chosen to "
      "ensure that the value of the Name property is unique. 
For " 5330 "example, one might choose to prepend the name of the port " 5331 "or interface with the Type of ProtocolEndpoint that this " 5332 "instance is (e.g., IPv4)followed by an underscore.") ] 5333 string NameFormat; 5334 [MaxLen (64), Description ( 5335 "ProtocolType is an enumeration that provides additional " 5336 "information that can be used to help categorize and " 5337 "classify different instances of this class."), 5338 ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", 5339 "10", "11", "12", "13", "14", "15", "16", "17", 5340 "18", "19", "20", "21"}, 5341 Values { "Unknown", "Other", "IPv4", "IPv6", "IPX", 5342 "AppleTalk", "DECnet", "SNA", "CONP", "CLNP", 5343 "VINES", "XNS", "ATM", "Frame Relay", 5344 "Ethernet", "TokenRing", "FDDI", "Infiniband", 5345 "Fibre Channel", "ISDN BRI Endpoint", 5346 "ISDN B Channel Endpoint", "ISDN D Channel Endpoint" 5347 }, 5348 ModelCorrespondence { 5349 "CIM_ProtocolEndpoint.OtherTypeDescription"} ] 5350 string ProtocolType; 5351 [MaxLen(64), Description ( 5352 "A string describing the type of ProtocolEndpoint that this " 5353 "instance is when the Type property of this class (or any of " 5354 "its subclasses) is set to 1 (e.g., 'Other'). The format of " 5355 "the string inserted in this property should be similar in " 5356 "format to the values defined for the Type property. 
This " 5357 "property should be set to NULL when the Type property is " 5358 "any value other than 1."), 5359 ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} ] 5360 string OtherTypeDescription; 5361 }; 5363 // ================================================================== 5364 // IPProtocolEndpoint 5365 // ================================================================== 5366 [Description ( 5367 "A ProtocolEndpoint that is dedicated to running IP.") ] 5369 class CIM_IPProtocolEndpoint : CIM_ProtocolEndpoint 5370 { 5371 [Description ( 5372 "The IP address that this ProtocolEndpoint represents, " 5373 "formatted according to the appropriate convention as " 5374 "defined in the AddressType property of this class " 5375 " (e.g., 171.79.6.40).") ] 5376 string Address; 5377 [Description ( 5378 "The mask for the IP address of this ProtocolEndpoint, " 5379 "formatted according to the appropriate convention as " 5380 "defined in the AddressType property of this class " 5381 " (e.g., 255.255.252.0).") ] 5382 string SubnetMask; 5383 [Description ( 5384 "An enumeration that describes the format of the address " 5385 "property. Whenever possible, IPv4-compatible addresses " 5386 "should be used instead of native IPv6 addresses (see " 5387 "RFC 2373, section 2.5.4). In order to have a consistent " 5388 "format for IPv4 addresses in a mixed IPv4/v6 environment, " 5389 "all IPv4 addresses and both IPv4-compatible IPv6 addresses " 5390 "and IPv4-mapped IPv6 addresses, per RFC 2373, section " 5391 "2.5.4, should be formatted in standard IPv4 format. " 5392 "However, this (the 2.2) version of the Network Common " 5393 "Model will not explicitly support mixed IPv4/IPv6 " 5394 "environments. 
This will be added in a future release."), 5395 ValueMap { "0", "1", "2" }, 5396 Values { "Unknown", "IPv4", "IPv6" } ] 5397 uint16 AddressType; 5398 [Description ( 5399 "It is not possible to tell from the address alone if a " 5400 "given IPProtocolEndpoint can support IPv4 and IPv6, or " 5401 "just one of these. This property explicitly defines the " 5402 "support for different versions of IP that this " 5403 "IPProtocolEndpoint has. " 5404 "\n\n" 5405 "More implementation experience is needed in order to " 5406 "correctly model mixed IPv4/IPv6 networks; therefore, this " 5407 "version (2.2) of the Network Common Model will not support " 5408 "mixed IPv4/IPv6 environments. This will be looked at " 5409 "further in a future version."), 5410 ValueMap { "0", "1", "2" }, 5411 Values { "Unknown", "IPv4 Only", "IPv6 Only" } ] 5412 uint16 IPVersionSupport; 5413 }; 5415 // =================================================================== 5416 // CIM_FilterEntryBase 5417 // =================================================================== 5418 [Description ( 5419 " FilterEntryBase is an abstract class to define the naming " 5420 "of all filter entries, and to allow their common " 5421 "aggregation into FilterLists. The FilterEntry subclass " 5422 "represents packet filtering. Other types of Entries are " 5423 "possible - for example, to filter security credentials. \n" 5424 " FilterEntryBase is weak to the network device (e.g., the " 5425 "ComputerSystem) that contains it. Hence, the ComputerSystem " 5426 "keys are propagated to this class.") ] 5428 class CIM_FilterEntryBase : CIM_LogicalElement 5429 { 5430 [Propagated ("CIM_ComputerSystem.CreationClassName"), Key, 5431 MaxLen (256), 5432 Description ( 5433 "The scoping ComputerSystem's CreationClassName. 
") ] 5434 string SystemCreationClassName; 5435 [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256), 5436 Description ( 5437 "The scoping ComputerSystem's Name.") ] 5438 string SystemName; 5439 [Key, MaxLen (256), 5440 Description ( 5441 "CreationClassName indicates the name of the class or the " 5442 "subclass used in the creation of an instance. When used " 5443 "with the other key properties of this class, this property " 5444 "allows all instances of this class and its subclasses to " 5445 "be uniquely identified.") ] 5446 string CreationClassName; 5447 [Key, MaxLen (256), 5448 Description ( 5449 "The Name property defines the label by which the Filter" 5450 "Entry is known and uniquely identified.") ] 5451 string Name; 5452 [Description ( 5453 "Boolean indicating that the match condition described " 5454 "in the properties of the FilterEntryBase subclass " 5455 "should be negated.") ] 5456 boolean IsNegated; 5457 }; 5459 // ================================================================== 5460 // FilterEntry 5461 // ================================================================== 5462 [Description ( 5463 "A FilterEntry is used by network devices to identify " 5464 "traffic and either forward them (with possibly further " 5465 "processing) to their destination, or to deny their " 5466 "forwarding. They are the building block of FilterLists." 5467 "\n\n" 5468 "This class is oriented towards packet filtering. Other " 5469 "subclasses of FilterEntryBase can be defined to do other " 5470 "types of filtering. " 5471 "\n\n" 5472 "A FilterEntry is weak to the network device (e.g., the " 5473 "ComputerSystem) that contains it. Hence, the ComputerSystem " 5474 "keys are propagated to this class.") ] 5476 class CIM_FilterEntry : CIM_FilterEntryBase 5477 { 5478 [Description ( 5479 "This defines the type of traffic that is being filtered. 
" 5480 "This will affect the filtering rules in the MatchCondition " 5481 "property of this class."), 5482 ValueMap { "0", "1", "2", "3" }, 5483 Values { "Unknown", "IPv4", "IPX", "IPv6" } ] 5484 uint16 TrafficType; 5485 [Description ( 5486 "This specifies one of a set of ways to identify traffic. " 5487 "if the value is 1 (e.g., 'Other'), then the specific " 5488 "type of filtering is specified in the " 5489 "OtherMatchConditionType property of this class."), 5490 ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", 5491 "10", "11", "12" }, 5492 Values {"Other", "Source Address and Mask", 5493 "Destination Address and Mask", "Source Port", 5494 "Source Port Range", "Destination Port", 5495 "Destination Port Range", "Protocol Type", 5496 "Protocol Type and Option", "DSCP", "ToS Value", 5497 "802.1P Priority Value" }, 5498 ModelCorrespondence { 5499 "CIM_FilterEntry.OtherMatchConditionType" } ] 5500 uint16 MatchConditionType; 5501 [Description ( 5502 "If the value of the MatchConditionType property in this " 5503 "class is 1 (e.g., 'Other'), then the specific type of " 5504 "filtering is specified in this property."), 5505 ModelCorrespondence { 5506 "CIM_FilterEntry.MatchConditionType" } ] 5507 string OtherMatchConditionType; 5508 [Description ( 5509 "This is the value of the condition that filters the " 5510 "traffic. It corresponds to the condition specified in the " 5511 "MatchConditionType property. 
If, however, the value of the " 5512 "MatchConditionProperty is 1, then it corresponds to the " 5513 "condition specified in the OtherMatchConditionType " 5514 "property.") ] 5515 string MatchConditionValue; 5516 [Description ( 5517 "This defines whether the action should be to forward or " 5518 "deny traffic meeting the match condition specified in " 5519 "this filter."), 5520 ValueMap { "1", "2" }, 5521 Values { "Permit", "Deny" } ] 5522 uint16 Action; 5523 [Description ( 5524 "This defines whether this FilterEntry is the default " 5525 "entry to use by its FilterList.") ] 5526 boolean DefaultFilter; 5527 [Description ( 5528 "This defines the traffic class that is being matched by " 5529 "this FilterEntry. Note that FilterEntries are aggregated " 5530 "into FilterLists by the EntriesInFilterList " 5531 "relationship. If the EntrySequence property of the " 5532 "aggregation is set to 0, this means that all the Filter" 5533 "Entries should be ANDed together. Consequently, the " 5534 "TrafficClass property of each of the aggregated Entries " 5535 "should be set to the same value."), 5536 ModelCorrespondence { "CIM_NextService.TrafficClass" } ] 5537 string TrafficClass; 5538 }; 5540 // ================================================================== 5541 // FilterList 5542 // ================================================================== 5543 [Description ( 5544 "A FilterList is used by network devices to identify routes " 5545 "by aggregating a set of FilterEntries into a unit, called a " 5546 "FilterList. FilterLists can also be used to accept or deny " 5547 "routing updates." 5548 "\n\n" 5549 "A FilterList is weak to the network device (e.g., the " 5550 "ComputerSystem) that contains it. 
Hence, the ComputerSystem " 5551 "keys are propagated to this class.") ] 5553 class CIM_FilterList : CIM_LogicalElement 5554 { 5555 [Propagated ("CIM_ComputerSystem.CreationClassName"), Key, 5556 MaxLen (256), Description ( 5557 "The scoping ComputerSystem's CreationClassName. ") ] 5558 string SystemCreationClassName; 5560 [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256), 5561 Description ("The scoping ComputerSystem's Name.") ] 5562 string SystemName; 5564 [Key, Description ( 5565 "The type of class that this instance is.") ] 5566 string CreationClassName; 5567 [Key, MaxLen(256), Description ( 5568 "This is the name of the FilterList.") ] 5569 string Name; 5571 [Description ( 5572 "This defines whether the FilterList is used " 5573 "for input, output, or both input and output " 5574 "filtering. All values are used with respect to " 5575 "the interface for which the FilterList applies. " 5576 "\n\n" 5577 "\"Not Applicable\" (0) is used when there is no " 5578 "direction applicable to the FilterList.\n" 5579 "\"Input\" (1) is used when the FilterList applies " 5580 "to packets that are inbound on the related " 5581 "interface.\n" 5582 "\"Output\" (2) is used when the FilterList applies " 5583 "to packets that are outbound on the related " 5584 "interface.\n" 5585 "\"Both\" (3) is used to indicate that " 5586 "the direction is immaterial, e.g., to filter on " 5587 "a source subnet regardless of whether the flow is " 5588 "inbound or outbound.\n" 5589 "\"Mirrored\" (4) is also applicable to " 5590 "both inbound and outbound flow processing, but " 5591 "indicates that the filter criteria are applied " 5592 "asymmetrically to traffic in both directions " 5593 "and, thus, specifies the reversal of source and " 5594 "destination criteria (as opposed to the equality " 5595 "of these criteria as indicated by \"Both\"). 
" 5596 "The match conditions in the aggregated " 5597 "FilterEntryBase subclass instances are defined " 5598 "from the perspective of outbound flows and applied " 5599 "to inbound flows as well by reversing the source " 5600 "and destination criteria. So, for example, " 5601 "consider a FilterList with 3 FilterEntries " 5602 "indicating destination port = 80, and source and " 5603 "destination addresses of a and b, respectively. " 5604 "Then, for the outbound direction, the filter " 5605 "entries match as specified and the 'mirror' (for " 5606 "the inbound direction) matches on source " 5607 "port = 80 and source and destination addresses " 5608 "of b and a, respectively."), 5609 Values {"Not Applicable", "Input", "Output", 5610 "Both", "Mirrored" } ] 5611 uint16 Direction; 5612 }; 5614 // ================================================================== 5615 // === Association class definitions === 5616 // ================================================================== 5618 // ================================================================== 5619 // EntriesInFilterList 5620 // ================================================================== 5621 [Association, Aggregation, Description ( 5622 "This is a specialization of the CIM_Component aggregation " 5623 "which is used to define a set of filter entries (subclasses " 5624 "of FilterEntryBase) that are aggregated by a particular " 5625 "FilterList.") ] 5626 class CIM_EntriesInFilterList : CIM_Component 5627 { 5628 [Aggregate, Max(1), Override ("GroupComponent"), 5629 Description ( 5630 "The FilterList, which aggregates the set " 5631 "of FilterEntries.") ] 5632 CIM_FilterList REF GroupComponent; 5633 [Override ("PartComponent"), 5634 Description ( 5635 "Any subclass of FilterEntryBase which is a part of " 5636 "the FilterList.") ] 5637 CIM_FilterEntryBase REF PartComponent; 5638 [Description ( 5639 "The order of the Entry relative to all others in the " 5640 "FilterList. 
A value of zero indicates that all the Entries " 5641 "should be ANDed together. Use of the Sequence property " 5642 "should be consistent across the List. It is not valid to " 5643 "define some Entries as ANDed in the FilterList (Sequence" 5644 "=0) while other Entries have a non-zero Sequence number.") ] 5645 uint16 EntrySequence; 5646 };
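The two semantics that matter operationally in the FilterList and EntriesInFilterList definitions above are the "Mirrored" Direction (source and destination criteria are swapped when the list is applied to inbound flows) and the EntrySequence rule (all entries ANDed when every sequence is 0, ordered otherwise, mixing the two is invalid). The following is an added evaluator for both, written for this page; it is not code from the draft, from DMTF or from any CIM implementation. It assumes a MatchConditionValue format that the MOF leaves open ("addr/mask" for address entries, "lo-hi" for port ranges), models the DefaultFilter entry as a per-list default action, resolves ordered entries first-match-wins, and requires ANDed entries to agree on Action; the packets and addresses are constructed (RFC 5737 documentation ranges) and the "a", "b", port 80 scenario is the one from the Direction description.

```python
"""Evaluate CIM-style FilterLists: Mirrored direction and EntrySequence."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# CIM_FilterEntry.MatchConditionType values used here (subset of the ValueMap)
SRC_ADDR_MASK, DST_ADDR_MASK = 2, 3
SRC_PORT, SRC_PORT_RANGE, DST_PORT, DST_PORT_RANGE, PROTOCOL_TYPE = 4, 5, 6, 7, 8
# CIM_FilterEntry.Action values
PERMIT, DENY = 1, 2
# CIM_FilterList.Direction values
NOT_APPLICABLE, INPUT, OUTPUT, BOTH, MIRRORED = 0, 1, 2, 3, 4

# A Mirrored list swaps source and destination criteria for inbound flows;
# condition types without a direction (e.g. Protocol Type) are left alone.
_MIRROR = {SRC_ADDR_MASK: DST_ADDR_MASK, DST_ADDR_MASK: SRC_ADDR_MASK,
           SRC_PORT: DST_PORT, DST_PORT: SRC_PORT,
           SRC_PORT_RANGE: DST_PORT_RANGE, DST_PORT_RANGE: SRC_PORT_RANGE}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class FilterEntry:
    match_type: int        # MatchConditionType
    value: str             # MatchConditionValue; "addr/mask" for addresses (assumed format)
    action: int = PERMIT   # Action
    negated: bool = False  # IsNegated


def mirror(entry: FilterEntry) -> FilterEntry:
    """The 'mirror' of an entry: same value, source/destination criterion swapped."""
    return FilterEntry(_MIRROR.get(entry.match_type, entry.match_type),
                       entry.value, entry.action, entry.negated)


def _in_range(port: int, spec: str) -> bool:
    lo, hi = (int(x) for x in spec.split("-"))   # assumed "lo-hi" range format
    return lo <= port <= hi


def entry_matches(entry: FilterEntry, pkt: Packet) -> bool:
    t, v = entry.match_type, entry.value
    if t == SRC_ADDR_MASK:
        hit = ip_address(pkt.src) in ip_network(v, strict=False)
    elif t == DST_ADDR_MASK:
        hit = ip_address(pkt.dst) in ip_network(v, strict=False)
    elif t == SRC_PORT:
        hit = pkt.sport == int(v)
    elif t == DST_PORT:
        hit = pkt.dport == int(v)
    elif t == SRC_PORT_RANGE:
        hit = _in_range(pkt.sport, v)
    elif t == DST_PORT_RANGE:
        hit = _in_range(pkt.dport, v)
    elif t == PROTOCOL_TYPE:
        hit = pkt.proto.lower() == v.lower()
    else:
        raise ValueError(f"unsupported MatchConditionType {t}")
    return hit != entry.negated  # IsNegated inverts the condition


@dataclass
class FilterList:
    direction: int                                                        # Direction
    entries: List[Tuple[int, FilterEntry]] = field(default_factory=list)  # (EntrySequence, entry)
    default_action: Optional[int] = None   # action of the DefaultFilter entry, if any (assumed)


def evaluate(flist: FilterList, pkt: Packet, inbound: bool) -> Optional[int]:
    """Return PERMIT or DENY, or None when the list does not apply to this direction."""
    if (flist.direction == INPUT and not inbound) or (flist.direction == OUTPUT and inbound):
        return None
    swap = flist.direction == MIRRORED and inbound
    entries = [(seq, mirror(e) if swap else e) for seq, e in flist.entries]
    seqs = {seq for seq, _ in entries}
    if 0 in seqs and len(seqs) > 1:
        raise ValueError("EntrySequence 0 (ANDed) cannot be mixed with ordered entries")
    if seqs == {0}:
        # All entries ANDed: the list matches only if every entry matches.
        if all(entry_matches(e, pkt) for _, e in entries):
            actions = {e.action for _, e in entries}
            if len(actions) != 1:
                raise ValueError("ANDed entries must agree on Action")
            return actions.pop()
        return flist.default_action
    # Ordered entries: lowest EntrySequence first, first match wins (assumed).
    for _, e in sorted(entries, key=lambda p: p[0]):
        if entry_matches(e, pkt):
            return e.action
    return flist.default_action


# The scenario from the Direction description: dst port 80, src a, dst b,
# with a = 192.0.2.10 and b = 198.51.100.20 (constructed documentation addresses).
WEB_LIST = FilterList(MIRRORED, [
    (0, FilterEntry(DST_PORT, "80")),
    (0, FilterEntry(SRC_ADDR_MASK, "192.0.2.10/255.255.255.255")),
    (0, FilterEntry(DST_ADDR_MASK, "198.51.100.20/255.255.255.255")),
], default_action=DENY)

REQUEST = Packet("192.0.2.10", "198.51.100.20", 40000, 80)      # a -> b:80, outbound
REPLY = Packet("198.51.100.20", "192.0.2.10", 80, 40000)        # b:80 -> a, inbound
UNSOLICITED = Packet("198.51.100.20", "192.0.2.10", 40000, 80)  # b -> a:80, inbound

if __name__ == "__main__":
    print("outbound request:", evaluate(WEB_LIST, REQUEST, inbound=False))      # 1 (Permit)
    print("inbound reply:   ", evaluate(WEB_LIST, REPLY, inbound=True))         # 1 (Permit)
    print("inbound to :80:  ", evaluate(WEB_LIST, UNSOLICITED, inbound=True))   # 2 (Deny)
```

The contrast worth checking is Mirrored against Both with the same three entries: a Both list applies the outbound criteria unchanged to the reply (b:80 -> a), so "destination port = 80" fails and the reply is denied, while a Mirrored list permits the reply and still denies an unsolicited inbound connection to port 80 on a.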