idnits 2.17.1

draft-ietf-ipsp-config-policy-model-03.txt:

  -(758): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding
  -(782): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding
  -(1719): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding
  -(1723): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding

  Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents.

  == There are 38 instances of lines with non-ascii characters in the document.

  == No 'Intended status' indicated for this document; assuming Proposed Standard

  == The page length should not exceed 58 lines per page, but there was 8 longer pages, the longest (page 116) being 98 lines

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references.

  ** There are 6 instances of too long lines in the document, the longest one being 27 characters in excess of 72.

  ** The abstract seems to contain references ([PCIM], DOI], [COMP,ESP,, AH,, [IKE]), which it shouldn't. Please replace those with straight textual mentions of the documents in question.

  == There are 5 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year

  == Line 4457 has weird spacing: '...tion of a sub...'

  == Line 5146 has weird spacing: '...dentity initi...'

  == Line 5149 has weird spacing: '... "other secur...'

  == Line 5730 has weird spacing: '... "its subcl...'

  == Line 7438 has weird spacing: '... in the overa...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires).

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean).

     Found 'MUST not' in this paragraph:

     The class SARule serves as a base class for IKERule and IPsecRule. Even though the class is concrete, it MUST not be instantiated. It defines a common connection point for associations to conditions and actions for both types of rules. Through its derivation from PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has the PolicyRuleValidityPeriod association.

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean).

     Found 'MUST not' in this paragraph:

     The class SAAction serves as the base class for IKE and IPsec actions. Although the class is concrete, it MUST not be instantiated. It is used for aggregating different types of actions to IKE and IPsec rules. The class definition for SAAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean).

     Found 'MUST not' in this paragraph:

     The class SAStaticAction serves as the base class for IKE and IPsec actions that do not require any negotiation. Although the class is concrete, it MUST not be instantiated. The class definition for SAStaticAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean).

     Found 'MUST not' in this paragraph:

     Although the class is concrete, it MUST not be instantiated. The class definition for PreconfiguredSAAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean).

     Found 'MUST not' in this paragraph:

     The class SANegotiationAction serves as the base class for IKE and IPsec actions that result in a IKE negotiation. Although the class is concrete, is MUST not be instantiated. The class definition for SANegotiationAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean).

     Found 'MUST not' in this paragraph:

     The class IPsecAction serves as the base class for IPsec transport and tunnel actions. It specifies the parameters used for an IKE phase 2 IPsec DOI negotiation. Although the class is concrete, is MUST not be instantiated. The class definition for IPsecAction is as follows:

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check skipped.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

  (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)

  == Missing Reference: 'SAProposal' is mentioned on line 2419, but not defined

  == Missing Reference: 'SATransform' is mentioned on line 2432, but not defined

  == Missing Reference: 'IN' is mentioned on line 4606, but not defined

  == Missing Reference: 'OUT' is mentioned on line 4607, but not defined

  == Unused Reference: 'COMP' is defined on line 4034, but no explicit reference was found in the text

  == Unused Reference: 'ESP' is defined on line 4037, but no explicit reference was found in the text

  == Unused Reference: 'AH' is defined on line 4040, but no explicit reference was found in the text

  == Unused Reference: 'IPSO' is defined on line 4065, but no explicit reference was found in the text

  ** Obsolete normative reference: RFC 2409 (ref. 'IKE') (Obsoleted by RFC 4306)

  ** Obsolete normative reference: RFC 2393 (ref. 'COMP') (Obsoleted by RFC 3173)

  ** Obsolete normative reference: RFC 2406 (ref. 'ESP') (Obsoleted by RFC 4303, RFC 4305)

  ** Obsolete normative reference: RFC 2402 (ref. 'AH') (Obsoleted by RFC 4302, RFC 4305)

  ** Obsolete normative reference: RFC 2407 (ref. 'DOI') (Obsoleted by RFC 4306)

  ** Obsolete normative reference: RFC 2251 (ref. 'LDAP') (Obsoleted by RFC 4510, RFC 4511, RFC 4512, RFC 4513)

  ** Downref: Normative reference to an Historic draft: draft-ietf-rap-pr (ref. 'COPSPR')

  ** Downref: Normative reference to an Historic RFC: RFC 1108 (ref. 'IPSO')

  ** Obsolete normative reference: RFC 2401 (ref. 'IPSEC') (Obsoleted by RFC 4301)

  Summary: 16 errors (**), 0 flaws (~~), 25 warnings (==), 2 comments (--).

  Run idnits with the --verbose option for more detailed information about the items above.

--------------------------------------------------------------------------------

Internet Engineering Task Force                             Jamie Jason
INTERNET DRAFT                                        Intel Corporation
20-July-2001                                                Lee Rafalow
                                                                    IBM
                                                            Eric Vyncke
                                                          Cisco Systems

                    IPsec Configuration Policy Model
               draft-ietf-ipsp-config-policy-model-03.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.
31 Abstract 33 This document presents an object-oriented model of IPsec policy 34 designed to: 35 o facilitate agreement about the content and semantics of IPsec 36 policy 37 o enable derivations of task-specific representations of IPsec 38 policy such as storage schema, distribution representations, 39 and policy specification languages used to configure IPsec- 40 enabled endpoints 41 The schema described in this document models the IKE phase one 42 parameters as described in [IKE] and the IKE phase two parameters 43 for the IPsec Domain of Interpretation as described in [COMP, ESP, 44 AH, DOI]. It is based upon the core policy classes as defined in 45 the Policy Core Information Model (PCIM) [PCIM]. 47 Table of Contents 49 Status of this Memo................................................1 50 Abstract...........................................................1 51 Table of Contents..................................................2 52 1. Introduction....................................................7 53 2. UML Conventions.................................................7 54 3. IPsec Policy Model Inheritance Hierarchy........................8 55 4. Policy Classes.................................................13 56 4.1. The Class IPsecPolicyGroup...................................14 57 4.2. The Class SARule.............................................15 58 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, 59 RuleUsage, Mandatory, SequencedActions, PolicyRoles, and 60 PolicyDecisionStrategy............................................15 61 4.2.2 The Property ExecutionStrategy.............................15 62 4.2.3 The Property LimitNegotiation..............................17 63 4.3. The Class IKERule............................................18 64 4.3.1. The Property IdentityContexts..............................18 65 4.4. The Class IPsecRule..........................................19 66 4.6. 
The Association Class IPsecPolicyForEndpoint.................19 67 4.6.1. The Reference Antecedent...................................19 68 4.6.2. The Reference Dependent....................................19 69 4.7. The Association Class IPsecPolicyForSystem...................20 70 4.7.1. The Reference Antecedent...................................20 71 4.7.2. The Reference Dependent....................................20 72 4.8. The Aggregation Class RuleForIKENegotiation..................20 73 4.8.1. The Property Priority......................................20 74 4.8.2. The Reference GroupComponent...............................20 75 4.8.3. The Reference PartComponent................................21 76 4.9. The Aggregation Class RuleForIPsecNegotiation................21 77 4.9.1. The Property Priority......................................21 78 4.9.2. The Reference GroupComponent...............................21 79 4.9.3. The Reference PartComponent................................21 80 4.10. The Aggregation Class SAConditionInRule.....................21 81 4.10.1. The Properties GroupNumber and ConditionNegated...........22 82 4.10.2. The Reference GroupComponent..............................22 83 4.10.3. The Reference PartComponent...............................22 84 4.11. The Aggregation Class PolicyActionInSARule..................22 85 4.11.1. The Reference GroupComponent..............................22 86 4.11.2. The Reference PartComponent...............................23 87 4.11.3. The Property ActionOrder..................................23 88 5. Condition and Filter Classes...................................24 89 5.1. The Class SACondition........................................24 90 5.2. The Class IPHeaderFilter.....................................25 91 5.3. The Class CredentialFilterEntry..............................25 92 5.3.1. The Property MatchFieldName................................25 93 5.3.2. 
The Property MatchFieldValue...............................26 94 5.3.3. The Property CredentialType................................26 95 5.4. The Class IPSOFilterEntry....................................26 96 5.4.1. The Property MatchConditionType............................27 97 5.4.2. The Property MatchConditionValue...........................27 98 5.5. The Class PeerIDPayloadFilterEntry...........................27 99 5.5.1. The Property MatchIdentityType.............................28 100 5.5.2. The Property MatchIdentityValue............................28 101 5.6. The Association Class FilterOfSACondition....................29 102 5.6.1. The Reference Antecedent...................................29 103 5.6.2. The Reference Dependent....................................29 104 5.7. The Association Class AcceptCredentialFrom...................29 105 5.7.1. The Reference Antecedent...................................30 106 5.7.2. The Reference Dependent....................................30 107 6. Action Classes.................................................31 108 6.1. The Class SAAction...........................................32 109 6.1.1. The Property DoActionLogging...............................32 110 6.1.2. The Property DoPacketLogging...............................32 111 6.2. The Class SAStaticAction.....................................33 112 6.2.1. The Property LifetimeSeconds...............................33 113 6.3. The Class IPsecBypassAction..................................34 114 6.4. The Class IPsecDiscardAction.................................34 115 6.5. The Class IKERejectAction....................................34 116 6.6. The Class PreconfiguredSAAction..............................34 117 6.6.1. The Property LifetimeKilobytes.............................35 118 6.7. The Class PreconfiguredTransportAction.......................35 119 6.8. The Class PreconfiguredTunnelAction..........................36 120 6.8.1. 
The Property DFHandling....................................36 121 6.9. The Class SANegotiationAction................................36 122 6.9.1. The Property MinLifetimeSeconds............................37 123 6.9.2. The Property MinLifetimeKilobytes..........................37 124 6.9.3. The Property RefreshThresholdSeconds.......................37 125 6.9.4. The Property RefreshThresholdKilobytes.....................38 126 6.9.5. The Property IdleDurationSeconds...........................38 127 6.10. The Class IPsecAction.......................................38 128 6.10.1. The Property UsePFS.......................................39 129 6.10.2. The Property UseIKEGroup..................................39 130 6.10.3. The Property GroupId......................................39 131 6.10.4. The Property Granularity..................................40 132 6.10.5. The Property VendorID.....................................40 133 6.11. The Class IPsecTransportAction..............................40 134 6.12. The Class IPsecTunnelAction.................................40 135 6.12.1. The Property DFHandling...................................41 136 6.13. The Class IKEAction.........................................41 137 6.13.1. The Property RefreshThresholdDerivedKeys..................41 138 6.13.2. The Property ExchangeMode.................................42 139 6.13.3. The Property UseIKEIdentityType...........................42 140 6.13.4. The Property VendorID.....................................42 141 6.13.5. The Property AggressiveModeGroupId........................42 142 6.14. The Class PeerGateway.......................................43 143 6.14.1. The Property Name.........................................43 144 6.14.2. The Property PeerIdentityType.............................43 145 6.14.3. The Property PeerIdentity.................................44 146 6.15. The Association Class PeerGatewayForTunnel..................44 147 6.15.1. 
The Reference Antecedent..................................44 148 6.15.2. The Reference Dependent...................................44 149 6.15.3. The Property SequenceNumber...............................45 150 6.16. The Aggregation Class ContainedProposal.....................45 151 6.16.1. The Reference GroupComponent..............................45 152 6.16.2. The Reference PartComponent...............................45 153 6.16.3. The Property SequenceNumber...............................45 154 6.17. The Association Class HostedPeerGatewayInformation..........46 155 6.17.1. The Reference Antecedent..................................46 156 6.17.2. The Reference Dependent...................................46 157 6.18. The Association Class TransformOfPreconfiguredAction........46 158 6.18.1. The Reference Antecedent..................................47 159 6.18.2. The Reference Dependent...................................47 160 6.18.3. The Property SPI..........................................47 161 6.18.4. The Property Direction....................................47 162 6.19 The Association Class PeerGatewayForPreconfiguredTunnel......47 163 6.19.1. The Reference Antecedent..................................48 164 6.19.2. The Reference Dependent...................................48 165 7. Proposal and Transform Classes.................................49 166 7.1. The Abstract Class SAProposal................................49 167 7.1.1. The Property Name..........................................49 168 7.2. The Class IKEProposal........................................50 169 7.2.1. The Property LifetimeDerivedKeys...........................50 170 7.2.2. The Property CipherAlgorithm...............................50 171 7.2.3. The Property HashAlgorithm.................................51 172 7.2.4. The Property PRFAlgorithm..................................51 173 7.2.5. The Property GroupId.......................................51 174 7.2.6. 
The Property AuthenticationMethod..........................51 175 7.2.7. The Property MaxLifetimeSeconds............................52 176 7.2.8. The Property MaxLifetimeKilobytes..........................52 177 7.2.9. The Property VendorID......................................52 178 7.3. The Class IPsecProposal......................................52 179 7.4. The Abstract Class SATransform...............................53 180 7.4.1. The Property TransformName.................................53 181 7.4.2. The Property VendorID......................................53 182 7.4.3. The Property MaxLifetimeSeconds............................53 183 7.4.4. The Property MaxLifetimeKilobytes..........................54 184 7.5. The Class AHTransform........................................54 185 7.5.1. The Property AHTransformId.................................54 186 7.5.2. The Property UseReplayPrevention...........................54 187 7.5.3. The Property ReplayPreventionWindowSize....................55 188 7.6. The Class ESPTransform.......................................55 189 7.6.1. The Property IntegrityTransformId..........................55 190 7.6.2. The Property CipherTransformId.............................55 191 7.6.3. The Property CipherKeyLength...............................56 192 7.6.4. The Property CipherKeyRounds...............................56 193 7.6.5. The Property UseReplayPrevention...........................56 194 7.6.6. The Property ReplayPreventionWindowSize....................56 195 7.7. The Class IPCOMPTransform....................................57 196 7.7.1. The Property Algorithm.....................................57 197 7.7.2. The Property DictionarySize................................57 198 7.7.3. The Property PrivateAlgorithm..............................57 199 7.8. The Association Class SAProposalInSystem.....................57 200 7.8.1. The Reference Antecedent...................................58 201 7.8.2. 
The Reference Dependent....................................58 202 7.9. The Aggregation Class ContainedTransform.....................58 203 7.9.1. The Reference GroupComponent...............................58 204 7.9.2. The Reference PartComponent................................59 205 7.9.3. The Property SequenceNumber................................59 206 7.10. The Association Class SATransformInSystem...................59 207 7.10.1. The Reference Antecedent..................................59 208 7.10.2. The Reference Dependent...................................59 209 8. IKE Service and Identity Classes...............................61 210 8.1. The Class IKEService.........................................62 211 8.2. The Class PeerIdentityTable..................................62 212 8.3.1. The Property Name..........................................62 213 8.3. The Class PeerIdentityEntry..................................63 214 8.3.1. The Property PeerIdentity..................................63 215 8.3.2. The Property PeerIdentityType..............................63 216 8.3.3. The Property PeerAddress...................................63 217 8.3.4. The Property PeerAddressType...............................63 218 8.4. The Class AutostartIKEConfiguration..........................64 219 8.5. The Class AutostartIKESetting................................64 220 8.5.1. The Property Phase1Only....................................64 221 8.5.2. The Property AddressType...................................65 222 8.5.3. The Property SourceAddress.................................65 223 8.5.4. The Property SourcePort....................................65 224 8.5.5. The Property DestinationAddress............................65 225 8.5.6. The Property DestinationPort...............................66 226 8.5.7. The Property Protocol......................................66 227 8.6. The Class IKEIdentity........................................66 228 8.6.1. 
The Property IdentityType..................................67 229 8.6.2. The Property IdentityValue.................................67 230 8.6.3. The Property IdentityContexts..............................67 231 8.7. The Association Class HostedPeerIdentityTable................68 232 8.7.1. The Reference Antecedent...................................68 233 8.7.2. The Reference Dependent....................................68 234 8.8. The Aggregation Class PeerIdentityMember.....................68 235 8.8.1. The Reference Collection...................................68 236 8.8.2. The Reference Member.......................................69 237 8.9. The Association Class IKEServicePeerGateway..................69 238 8.9.1. The Reference Antecedent...................................69 239 8.9.2. The Reference Dependent....................................69 240 8.10. The Association Class IKEServicePeerIdentityTable...........69 241 8.10.1. The Reference Antecedent..................................70 242 8.10.2. The Reference Dependent...................................70 243 8.11. The Association Class IKEAutostartSetting...................70 244 8.11.1. The Reference Element.....................................70 245 8.11.2. The Reference Setting.....................................70 246 8.12. The Aggregation Class AutostartIKESettingContext............70 247 8.12.1. The Reference Context.....................................71 248 8.12.2. The Reference Setting.....................................71 249 8.12.3. The Property SequenceNumber...............................71 250 8.13. The Association Class IKEServiceForEndpoint.................71 251 8.13.1. The Reference Antecedent..................................72 252 8.13.2. The Reference Dependent...................................72 253 8.14. The Association Class IKEAutostartConfiguration.............72 254 8.14.1. The Reference Antecedent..................................72 255 8.14.2. 
The Reference Dependent...................................72 256 8.14.3. The Property Active.......................................72 257 8.15. The Association Class IKEUsesCredentialManagementService....73 258 8.15.1. The Reference Antecedent..................................73 259 8.15.2. The Reference Dependent...................................73 260 8.16. The Association Class EndpointHasLocalIKEIdentity...........73 261 8.16.1. The Reference Antecedent..................................74 262 8.16.2. The Reference Dependent...................................74 263 8.17. The Association Class CollectionHasLocalIKEIdentity.........74 264 8.17.1. The Reference Antecedent..................................74 265 8.17.2. The Reference Dependent...................................74 266 8.18. The Association Class IKEIdentitysCredential................75 267 8.18.1. The Reference Antecedent..................................75 268 8.18.2. The Reference Dependent...................................75 269 9. Implementation Requirements....................................75 270 10. Security Considerations.......................................79 271 11. Intellectual Property.........................................80 272 12. Acknowledgments...............................................80 273 13. References....................................................80 274 14. Disclaimer....................................................81 275 15. Authors' Addresses............................................81 276 16. Full Copyright Statement......................................82 277 Appendix A (DMTF Core Model MOF)..................................82 278 Appendix B (DMTF User Model MOF)..................................97 279 Appendix C (DMTF Network Model MOF)..............................112 280 Appendix D (DMTF Policy Model MOF)...............................121 282 1. 
Introduction 284 Internet Protocol security (IPsec) policy may assume a variety of 285 forms as it travels from storage to distribution point to decision 286 point. At each step, it needs to be represented in a way that is 287 convenient for the current task. For example, the policy could 288 exist as, but is not limited to: 290 o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in 291 a directory 292 o an on-the-wire representation over a transport protocol like the 293 Common Object Policy Service (COPS) [COPS, COPSPR] 294 o a text-based policy specification language suitable for editing 295 by an administrator 296 o an Extensible Markup Language (XML) document 298 Each of these task-specific representations should be derived from a 299 canonical representation that precisely specifies the content and 300 semantics of the IPsec policy. The purpose of this document is to 301 abstract IPsec policy into a task-independent representation that is 302 not constrained by any particular task-dependent representation. 304 This document is organized as follows: 306 o Section 2 provides a quick introduction to the Unified Modeling 307 Language (UML) graphical notation conventions used in this 308 document. 310 o Section 3 provides the inheritance hierarchy that describes 311 where the IPsec policy classes fit into the policy class 312 hierarchy already defined by the Policy Core Information Model 313 (PCIM). 315 o Sections 4 through 8 describes the class that make up the IPsec 316 policy model. 318 o Section 9 presents the implementation requirements for the 319 classes in the model (i.e., the MUST/MAY/SHOULD status). 321 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 322 "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 323 document are to be interpreted as described in [KEYWORDS]. 325 2. 
UML Conventions 327 For this document, a UML static class diagram was chosen as the 328 canonical representation for the IPsec policy model. The reason 329 behind this decision is that UML provides a graphical, task- 330 independent way to model systems. A treatise on the graphical 331 notation used in UML is beyond the scope of this paper. However, 332 given the use of ASCII drawing for UML static class diagrams, a 333 description of the notational conventions used in this document is 334 in order: 336 o Boxes represent classes, with class names in brackets ([]) 337 representing an abstract class. 338 o A line that terminates with an arrow (<, >, ^, v) denotes 339 inheritance. The arrow always points to the parent class. 340 Inheritance can also be called generalization or specialization 341 (depending upon the reference point). A base class is a 342 generalization of a derived class, and a derived class is a 343 specialization of a base class. 344 o Associations are used to model a relationship between two 345 classes. Classes that share an association are connected using 346 a line. A special kind of association is also used: an 347 aggregation. An aggregation models a whole-part relationship 348 between two classes. Associations, and therefore aggregations, 349 can also be modeled as classes. 350 o A line that begins with an "o" denotes aggregation. Aggregation 351 denotes containment in which the contained class and the 352 containing class have independent lifetimes. 353 o Next to a line representing an association appears a 354 cardinality. Cardinalities indicate the constraints on the 355 number of object instances in a set of relationships. Every 356 association instance has a single set of references. The 357 cardinality indicates the number of instances that may refer to 358 a given object instance. The cardinality may be: 359 - a range in the form "lower bound..upper bound" indicating the 360 minimum and maximum number of objects. 
361 - a number that indicates the exact number of objects. 362 - an asterisk indicating any number of objects, including zero. 363 Using an asterisk is shorthand for 0..n. 364 - the letter n indicating from 1 to many. Using the letter n is 365 shorthand for 1..n. 366 o A class that has an association may have a "w" next to the line 367 representing the association. This is called a weak association 368 and is discussed in [PCIM]. 370 It should be noted that the UML static class diagram presented is a 371 conceptual view of IPsec policy designed to aid in understanding. 372 It does not necessarily get translated class for class into another 373 representation. For example, an LDAP implementation may flatten out 374 the representation to fewer classes (because of the inefficiency of 375 following references). 377 3. IPsec Policy Model Inheritance Hierarchy 379 Like PCIM from which it is derived, the IPsec Configuration Policy 380 Model derives from and uses classes defined in the DMTF Common 381 Information Model (CIM). The following tree represents the 382 inheritance hierarchy for the IPsec policy model classes and how 383 they fit into PCIM and the other DMTF models (see Appendices for 384 descriptions of classes that are not being introduced as part of 385 IPsec model). CIM classes that are not used as a superclass from 386 which to derive new classes but are only referenced are not included 387 this inheritance hierarchy, but are included in the appropriate 388 appendix. 
   ManagedElement (DMTF Core Model - Appendix A)
      |
      +--Collection (DMTF Core Model - Appendix A)
      |  |
      |  +--PeerIdentityTable
      |
      +--ManagedSystemElement (DMTF Core Model - Appendix A)
      |  |
      |  +--LogicalElement (DMTF Core Model - Appendix A)
      |     |
      |     +--FilterEntryBase (DMTF Network Model - Appendix C)
      |     |  |
      |     |  +--CredentialFilterEntry
      |     |  |
      |     |  +--IPHeaderFilter (DMTF Network Model - Appendix C)
      |     |  |
      |     |  +--IPSOFilterEntry
      |     |  |
      |     |  +--PeerIDPayloadFilterEntry
      |     |
      |     +--PeerGateway
      |     |
      |     +--PeerIdentityEntry
      |     |
      |     +--Service (DMTF Core Model - Appendix A)
      |        |
      |        +--NetworkService (DMTF Network Model - Appendix C)
      |           |
      |           +--IKEService
      |
      +--OrganizationalEntity (DMTF User Model - Appendix B)
      |  |
      |  +--UserEntity (DMTF User Model - Appendix B)
      |     |
      |     +--UsersAccess (DMTF User Model - Appendix B)
      |        |
      |        +--IKEIdentity
      |
      +--Policy (PCIM)
      |  |
      |  +--PolicyAction (PCIM)
      |  |  |
      |  |  +--CompoundPolicyAction (DMTF Policy Model - Appendix D)
      |  |  |
      |  |  +--SAAction
      |  |     |
      |  |     +--SANegotiationAction
      |  |     |  |
      |  |     |  +--IKEAction
      |  |     |  |
      |  |     |  +--IPsecAction
      |  |     |     |
      |  |     |     +--IPsecTransportAction
      |  |     |     |
      |  |     |     +--IPsecTunnelAction
      |  |     |
      |  |     +--SAStaticAction
      |  |        |
      |  |        +--IKERejectAction
      |  |        |
      |  |        +--IPsecBypassAction
      |  |        |
      |  |        +--IPsecDiscardAction
      |  |        |
      |  |        +--PreconfiguredSAAction
      |  |           |
      |  |           +--PreconfiguredTransportAction
      |  |           |
      |  |           +--PreconfiguredTunnelAction
      |  |
      |  +--PolicyCondition (PCIM)
      |  |  |
      |  |  +--SACondition
      |  |
      |  +--PolicySet (DMTF Policy Model - Appendix D)
      |  |  |
      |  |  +--PolicyGroup (PCIM)
      |  |  |  |
      |  |  |  +--IPsecPolicyGroup
      |  |  |
      |  |  +--PolicyRule (PCIM)
      |  |     |
      |  |     +--SARule
      |  |        |
      |  |        +--IKERule
      |  |        |
      |  |        +--IPsecRule
      |  |
      |  +--SAProposal
      |  |  |
      |  |  +--IKEProposal
      |  |  |
      |  |  +--IPsecProposal
      |  |
      |  +--SATransform
      |     |
      |     +--AHTransform
      |     |
      |     +--ESPTransform
      |     |
      |     +--IPCOMPTransform
      |
      +--Setting (DMTF Core Model - Appendix A)
      |  |
      |  +--SystemSetting (DMTF Core Model - Appendix A)
      |     |
      |     +--AutostartIKESetting
      |
      +--SystemConfiguration (DMTF Core Model - Appendix A)
         |
         +--AutostartIKEConfiguration

   The following tree represents the inheritance hierarchy of the IPsec
   policy model association classes and how they fit into PCIM and the
   other DMTF models (see the Appendices for descriptions of association
   classes that are not being introduced as part of the IPsec model).

   Dependency (DMTF Core Model - Appendix A)
      |
      +--AcceptCredentialsFrom
      |
      +--ElementAsUser (DMTF User Model - Appendix B)
      |  |
      |  +--EndpointHasLocalIKEIdentity
      |  |
      |  +--CollectionHasLocalIKEIdentity
      |
      +--FilterOfSACondition
      |
      +--HostedPeerGatewayInformation
      |
      +--HostedPeerIdentityTable
      |
      +--IKEAutostartConfiguration
      |
      +--IKEServiceForEndpoint
      |
      +--IKEServicePeerGateway
      |
      +--IKEServicePeerIdentityTable
      |
      +--IKEUsesCredentialManagementService
      |
      +--IPsecPolicyForEndpoint
      |
      +--IPsecPolicyForSystem
      |
      +--PeerGatewayForPreconfiguredTunnel
      |
      +--PeerGatewayForTunnel
      |
      +--PolicyInSystem (PCIM)
      |  |
      |  +--SAProposalInSystem
      |  |
      |  +--SATransformInSystem
      |
      +--TransformOfPreconfiguredAction
      |
      +--UsersCredential (DMTF User Model - Appendix B)
         |
         +--IKEIdentitysCredential

   ElementSetting (DMTF Core Model - Appendix A)
      |
      +--IKEAutostartSetting

   MemberOfCollection (DMTF Core Model - Appendix A)
      |
      +--PeerIdentityMember

   PolicyComponent (PCIM)
      |
      +--ContainedProposal
      |
      +--ContainedTransform
      |
      +--PolicyActionInPolicyRule (PCIM)
      |  |
      |  +--PolicyActionInSARule
      |
      +--PolicyConditionInPolicyRule (PCIM)
      |  |
      |  +--SAConditionInRule
      |
      +--PolicySetComponent (DMTF Policy Model - Appendix D)
         |
         +--RuleForIKENegotiation
         |
         +--RuleForIPsecNegotiation

   SystemSettingContext (DMTF Core Model - Appendix A)
      |
      +--AutostartIKESettingContext

4. Policy Classes

   The IPsec policy classes represent the set of policies that are
   contained on a system.

                            +--------------+
                            |  PolicySet   |*
                            | (Appendix D) |o--+
                            +--------------+   |
                                   ^     *|    |(a)
                                   |      +----+
                                   |
   +--------------------+   +-------------+
   | IPProtocolEndpoint |   | PolicyGroup |
   |    (Appendix C)    |   |  ([PCIM])   |
   +--------------------+   +-------------+
        |*                         ^
        +----------------+         |
                         |(b)      |
                         |         |
                         |0..1     |
                  +------------------+0..1  (c)    *+------------+
                  | IPsecPolicyGroup |--------------|   System   |
                  +------------------+              |(Appendix A)|
                    1 o          o 1                +------------+
                  (d) |          | (e)
   +------------------+          +---------------------------------+
   |                                                               |
   |               +---------------------------+                   |
   |               | PolicyTimePeriodCondition |                   |
   |               |         ([PCIM])          |                   |
   |               +---------------------------+                   |
   |                            *|                                 |
   |                             |(f)                              |
   |                            *o                                 |
   |   +-------------+n    *+--------+*    n+--------------+       |
   |   | SACondition |-----o| SARule |o-----| PolicyAction |       |
   |   +-------------+ (g)  +--------+ (h)  |   ([PCIM])   |       |
   |                            ^           +--------------+       |
   |                            |               *|      ^          |
   |                            |                |(i)   |          |
   |                            |               *o      |          |
   |          +-----------------+        +----------------------+  |
   |          |                 |        | CompoundPolicyAction |  |
   |          |                 |        |     (Appendix D)     |  |
   |          |                 |        +----------------------+  |
   |    *+---------+      +-----------+*                           |
   +-----| IKERule |      | IPsecRule |----------------------------+
         +---------+      +-----------+

   (a) PolicySetComponent (Appendix D)
   (b) IPsecPolicyForEndpoint
   (c) IPsecPolicyForSystem
   (d) RuleForIKENegotiation
   (e) RuleForIPsecNegotiation
   (f) PolicyRuleValidityPeriod ([PCIM])
   (g) SAConditionInRule
   (h) PolicyActionInSARule
   (i) PolicyActionInPolicyAction

   An IPsecPolicyGroup represents the set of policies that are used on
   an interface. This IPsecPolicyGroup SHOULD be associated either
   directly with the IPProtocolEndpoint class instance that represents
   the interface (via the IPsecPolicyForEndpoint association) or
   indirectly (via the IPsecPolicyForSystem association) with the
   System that hosts the interface.

   The IKE and IPsec rules are used to build or to negotiate the IPsec
   SADB. The SADB itself is not modeled by this document.

   The usage of the rules can be described as follows (see also
   section 6 about actions):

   o  An egress unprotected packet will first be checked against the
      SADB. If no match is found, the IPsec rules will be checked. If
      IKE negotiation is required by an IPsec rule, the corresponding
      IKE rules will be used if no IKE SA already exists. The
      negotiated or preconfigured SA will then be installed in the
      SADB.
   o  An ingress unprotected packet will first be checked against the
      IPsec SADB. If no match is found, the IPsec rules will be
      checked for a preconfigured SA. If a preconfigured SA exists,
      this SA will be installed in the IPsec SADB.
   o  An ingress protected packet will be checked exactly as an
      ingress unprotected packet.
   o  An ingress IKE negotiation packet, which is not part of an
      existing IKE SA, will be checked against the IKE rules. The
      negotiated SA will then be installed in the SADB.

4.1. The Class IPsecPolicyGroup

   The class IPsecPolicyGroup serves as a container of either other
   IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. The
   class definition for IPsecPolicyGroup is as follows:

   NAME         IPsecPolicyGroup
   DESCRIPTION  Either a set of IPsecPolicyGroups or a set of IKERules
                and a set of IPsecRules.
   DERIVED FROM PolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyGroupName (from PolicyGroup)
                PolicyDecisionStrategy (from PolicySet)

   NOTE: for derivations of the schema that are used for policy
   distribution to an IPsec device (for example, COPS-PR), the server
   may follow all of the PolicySetComponent associations and create one
   policy group which is simply a set of all of the IKE rules and a set
   of all of the IPsec rules. See the section on the
   PolicySetComponent aggregation for information on merging multiple
   IPsecPolicyGroups.

4.2. The Class SARule

   The class SARule serves as a base class for IKERule and IPsecRule.
   Even though the class is concrete, it MUST NOT be instantiated. It
   defines a common connection point for associations to conditions and
   actions for both types of rules. Through its derivation from
   PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
   the PolicyRuleValidityPeriod association.

   Each valid IPsecPolicyGroup MUST contain SARules that each have a
   unique associated priority number in PolicySetComponent.Priority.
   The class definition for SARule is as follows:

   NAME         SARule
   DESCRIPTION  A base class for IKERule and IPsecRule.
   DERIVED FROM PolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyRuleName (from PolicyRule)
                Enabled (from PolicyRule)
                ConditionListType (from PolicyRule)
                RuleUsage (from PolicyRule)
                Mandatory (from PolicyRule)
                SequencedActions (from PolicyRule)
                ExecutionStrategy (from PolicyRule)
                PolicyRoles (from PolicyRule)
                PolicyDecisionStrategy (from PolicySet)
                LimitNegotiation

4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
       RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
       PolicyDecisionStrategy

   For a description of these properties, see Appendix D.
   In SARule subclass instances:
   -  if the property Mandatory exists, it MUST be set to "true"
   -  if the property SequencedActions exists, it MUST be set to
      "mandatory"
   -  the property PolicyRoles is not used in the device-level model
   -  if the property PolicyDecisionStrategy exists, it must be set to
      "FirstMatching"

4.2.2. The Property ExecutionStrategy

   The ExecutionStrategy properties in the PolicyRule subclasses (and in
   the CompoundPolicyAction class) determine the behavior of the
   contained actions. It defines the strategy to be used in executing
   the sequenced actions aggregated by a rule or a compound action. In
   the case of actions within a rule, the PolicyActionInSARule
   aggregation is used to collect the actions into an ordered set; in
   the case of a compound action, the PolicyActionInPolicyAction
   aggregation is used to collect the actions into an ordered subset.

   There are three execution strategies: do until success, do all and
   do until failure.

   "Do Until Success" causes the execution of actions according to the
   ActionOrder property in the aggregation instances until a successful
   execution of a single action. These actions may be evaluated to
   determine if they are appropriate to execute rather than blindly
   trying each of the actions until one succeeds. For an initiator,
   they are tried in the ActionOrder until the list is exhausted or one
   completes successfully. For example, an IKE initiator may have
   several IKEActions for the same SACondition. The initiator will try
   all IKEActions in the order defined by ActionOrder, i.e., it will
   possibly try several phase 1 negotiations, possibly with different
   modes (main mode then aggressive mode) and/or with multiple IKE
   peers. For a responder, when there is more than one action in the
   rule with a "do until success" condition clause, this provides
   alternative actions depending on the received proposals. For
   example, the same IKERule may be used to handle aggressive mode and
   main mode negotiations with different actions. The responder uses
   the first appropriate action in the list of actions.

   "Do All" causes the execution of all of the actions in the aggregated
   set according to their defined order. The execution continues
   regardless of failures.

   "Do Until Failure" causes the execution of all actions according to
   the predefined order until the first failure in execution of an
   action instance.

   For example, in a nested SAs case the actions of an initiator's rule
   might be structured as:

   IPsecRule.ExecutionStrategy="Do All"
   |
   +---1--- IPsecTunnelAction     // set up SA from host to gateway
   |
   +---2--- IPsecTransportAction  // set up SA from host thru tunnel
                                  // to remote host

   Another example, showing a rule with fallback actions, might be
   structured as:

   IPsecRule.ExecutionStrategy="Do Until Success"
   |
   +---6--- IPsecTransportAction  // negotiate SA with peer
   |
   +---9--- IPsecBypassAction     // but if you must, allow in the
                                  // clear

   The CompoundPolicyAction class (see Appendix D) may be used in
   constructing the actions of IKE and IPsec rules when those rules
   specify both multiple actions and fallback actions. The
   ExecutionStrategy property in CompoundPolicyAction is used in
   conjunction with that in the PolicyRule.
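   The three execution strategies, ActionOrder sequencing and the
   nesting of a CompoundPolicyAction inside a rule, as an added Python
   illustration that is not code from the draft. Negotiation outcomes
   are simulated by callables, and the overall result reported for a
   "Do All" container is an assumption stated in the code.

```python
# Added illustration (not code from the draft) of the three ExecutionStrategy
# values of section 4.2.2, of ActionOrder sequencing, and of nesting a
# CompoundPolicyAction inside a rule. Negotiation outcomes are simulated by
# callables; the success/failure pattern of each example is constructed here.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple, Union


class ExecutionStrategy(Enum):
    DO_UNTIL_SUCCESS = "Do Until Success"
    DO_ALL = "Do All"
    DO_UNTIL_FAILURE = "Do Until Failure"


@dataclass
class SAAction:
    """A leaf action such as IPsecTunnelAction or IPsecBypassAction."""
    name: str
    attempt: Callable[[], bool]          # simulated negotiation result


@dataclass
class CompoundPolicyAction:
    """An ordered subset of actions with its own ExecutionStrategy."""
    strategy: ExecutionStrategy
    parts: List[Tuple[int, "Action"]]    # (ActionOrder, action)


Action = Union[SAAction, CompoundPolicyAction]


@dataclass
class SARule:
    # An IKERule or IPsecRule; its actions come via PolicyActionInSARule.
    name: str
    strategy: ExecutionStrategy
    actions: List[Tuple[int, Action]]    # (ActionOrder, action)


def in_action_order(parts):
    """Sort by ActionOrder and reject duplicates (4.11.3: MUST be unique)."""
    orders = [order for order, _ in parts]
    if len(set(orders)) != len(orders):
        raise ValueError("ActionOrder values must be unique: %r" % orders)
    return [action for _, action in sorted(parts, key=lambda p: p[0])]


def run_ordered(strategy, parts, trace):
    """Execute parts under a strategy; return the container's overall result.

    Assumption made here (the draft leaves it open): a "Do All" container
    counts as successful only when every action in it succeeded."""
    all_ok = True
    for action in in_action_order(parts):
        if isinstance(action, CompoundPolicyAction):
            ok = run_ordered(action.strategy, action.parts, trace)
        else:
            ok = action.attempt()
            trace.append((action.name, ok))
        if strategy is ExecutionStrategy.DO_UNTIL_SUCCESS and ok:
            return True                  # first success ends the list
        if strategy is ExecutionStrategy.DO_UNTIL_FAILURE and not ok:
            return False                 # first failure ends the list
        all_ok = all_ok and ok
    if strategy is ExecutionStrategy.DO_UNTIL_SUCCESS:
        return False                     # list exhausted without a success
    if strategy is ExecutionStrategy.DO_UNTIL_FAILURE:
        return True                      # no failure was hit
    return all_ok                        # Do All (see assumption above)


def run_rule(rule):
    """Return (overall result, ordered trace of (action name, result))."""
    trace = []
    return run_ordered(rule.strategy, rule.actions, trace), trace


def outcome(result):
    """Build a simulated negotiation with a fixed result."""
    return lambda: result


# The draft's fallback rule: negotiate, "but if you must, allow in the clear".
# Here the peer is simulated as rejecting the transport SA.
FALLBACK_RULE = SARule("fallback", ExecutionStrategy.DO_UNTIL_SUCCESS, [
    (6, SAAction("IPsecTransportAction", outcome(False))),
    (9, SAAction("IPsecBypassAction", outcome(True))),
])

# Nested SAs with a fallback gateway: the compound action tries gateway1,
# then gateway2; the enclosing "Do All" rule runs the transport action
# afterwards regardless of how the compound action ended.
NESTED_RULE = SARule("nested", ExecutionStrategy.DO_ALL, [
    (1, CompoundPolicyAction(ExecutionStrategy.DO_UNTIL_SUCCESS, [
        (1, SAAction("IPsecTunnelAction(gateway1)", outcome(False))),
        (2, SAAction("IPsecTunnelAction(gateway2)", outcome(True))),
    ])),
    (2, SAAction("IPsecTransportAction", outcome(True))),
])
```

   Calling run_rule(NESTED_RULE) returns the trace of actions in the
   order they were attempted, which is the easiest way to see where
   each strategy stopped.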
   For example, in nesting SAs with a fallback security gateway, the
   actions of a rule might be structured as:

   IPsecRule.ExecutionStrategy="Do All"
   |
   +---1--- CompoundPolicyAction.ExecutionStrategy="Do Until Success"
   |        |
   |        +---1--- IPsecTunnelAction     // set up SA from host to
   |        |                              // gateway1
   |        |
   |        +---2--- IPsecTunnelAction     // or set up SA to gateway2
   |
   +---2--- IPsecTransportAction  // then set up SA from host
                                  // thru tunnel to remote host

4.2.3. The Property LimitNegotiation

   The property LimitNegotiation is used as part of processing either
   an IKE or an IPsec rule.

   Before proceeding with a phase 1 negotiation, this property is
   checked to determine if the negotiation role of the rule matches
   that defined for the negotiation being undertaken (e.g., Initiator,
   Responder, or Both). If this check fails (e.g., the current role is
   IKE responder while the rule specifies IKE initiator), then the IKE
   negotiation is stopped. Note that this only applies to new IKE phase
   1 negotiations and has no effect on either renegotiation or refresh
   operations with peers for which an established SA already exists.

   Before proceeding with a phase 2 negotiation, the LimitNegotiation
   property of the IPsecRule is first checked to determine if the
   negotiation role indicated for the rule matches that of the current
   negotiation (Initiator, Responder, or Either). Note that this limit
   applies only to new phase 2 negotiations. It is ignored when an
   attempt is made to refresh an expiring SA (either side can initiate
   a refresh operation). The IKE system can determine that the
   negotiation is a refresh operation by checking to see if the
   selector information matches that of an existing SA. If
   LimitNegotiation does not match and the selector corresponds to a
   new SA, the negotiation is stopped.

   The property is defined as follows:

   NAME         LimitNegotiation
   DESCRIPTION  Limits the role to be undertaken during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - initiator-only
                2 - responder-only
                3 - both

4.3. The Class IKERule

   The class IKERule associates Conditions and Actions for IKE phase 1
   negotiations. The class definition for IKERule is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 1
                negotiations.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule, plus
                IdentityContexts

4.3.1. The Property IdentityContexts

   The IKE service of a security endpoint may have multiple identities
   for use in different situations. The combination of the interface
   (represented by the IPProtocolEndpoint), the identity type (as
   specified in the IKEAction) and the IdentityContexts specifies a
   unique identity.

   The IdentityContexts property specifies the context used to select
   the relevant IKE identity to be used during the subsequent IKEAction.
   A context may be a VPN name or other identifier for selecting the
   appropriate identity for use on the protected IPProtocolEndpoint.

   IdentityContexts is an array of strings. The multiple values in the
   array are ORed together in evaluating the IdentityContexts. Each
   value in the array may be the composition of multiple context names.
   So, a single value may be a single context name (e.g.,
   "CompanyXVPN") or it may be a combination of contexts. When an array
   value is a composition, the individual values are ANDed together for
   evaluation purposes and the syntax is:

      <ContextName>[&&<ContextName>]*

   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2).
   So, for example, the values "CompanyXVPN", "CompanyYVPN&&TopSecret"
   and "CompanyZVPN&&Confidential" mean that, for the appropriate
   IPProtocolEndpoint and IdentityType, the contexts are matched if the
   identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
   "CompanyZVPN&&Confidential".

   The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  Specifies the context in which to select the IKE
                identity.
   SYNTAX       string array

4.4. The Class IPsecRule

   The class IPsecRule associates Conditions and Actions for IKE phase
   2 negotiations for the IPsec DOI. The class definition for
   IPsecRule is as follows:

   NAME         IPsecRule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 2
                negotiations for the IPsec DOI.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.6. The Association Class IPsecPolicyForEndpoint

   The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
   a specific network interface. If an IPProtocolEndpoint of a system
   does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
   then the IPsecPolicyForSystem-associated IPsecPolicyGroup is used
   for that endpoint. The class definition for IPsecPolicyForEndpoint
   is as follows:

   NAME         IPsecPolicyForEndpoint
   DESCRIPTION  Associates a policy group to a network interface.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref IPProtocolEndpoint[0..n]]
                Dependent[ref IPsecPolicyGroup[0..1]]

4.6.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an IPProtocolEndpoint instance. The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may be
   associated with zero or more IPProtocolEndpoint instances.

4.6.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecPolicyGroup instance. The [0..1]
   cardinality indicates that an IPProtocolEndpoint instance may have
   an association to at most one IPsecPolicyGroup instance.

4.7. The Association Class IPsecPolicyForSystem

   The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a
   specific system. If an IPProtocolEndpoint of a system does not have
   an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
   IPsecPolicyForSystem-associated IPsecPolicyGroup is used for that
   endpoint. The class definition for IPsecPolicyForSystem is as
   follows:

   NAME         IPsecPolicyForSystem
   DESCRIPTION  Default policy group for a system.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref System[0..n]]
                Dependent[ref IPsecPolicyGroup[0..1]]

4.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance. The [0..n] cardinality
   indicates that an IPsecPolicyGroup instance may have an association
   to zero or more System instances.

4.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecPolicyGroup instance. The [0..1]
   cardinality indicates that a System instance may have an association
   to at most one IPsecPolicyGroup instance.

4.8. The Aggregation Class RuleForIKENegotiation

   The class RuleForIKENegotiation associates an IKERule with the
   IPsecPolicyGroup that contains it. The class definition for
   RuleForIKENegotiation is as follows:

   NAME         RuleForIKENegotiation
   DESCRIPTION  Associates an IKERule with the IPsecPolicyGroup that
                contains it.
   DERIVED FROM PolicySetComponent (see Appendix D)
   ABSTRACT     FALSE
   PROPERTIES   Priority (from PolicySetComponent)
                GroupComponent [ref IPsecPolicyGroup [1..1]]
                PartComponent [ref IKERule [0..n]]

4.8.1. The Property Priority

   For a description of this property, see Appendix D.

4.8.2. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyRuleInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance. The [1..1] cardinality indicates that an
   IKERule instance may be contained in one and only one
   IPsecPolicyGroup instance (i.e., IKERules are not shared across
   IPsecPolicyGroups).

4.8.3. The Reference PartComponent

   The property PartComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IKERule instance. The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may contain
   zero or more IKERule instances.

4.9. The Aggregation Class RuleForIPsecNegotiation

   The class RuleForIPsecNegotiation associates an IPsecRule with the
   IPsecPolicyGroup that contains it. The class definition for
   RuleForIPsecNegotiation is as follows:

   NAME         RuleForIPsecNegotiation
   DESCRIPTION  Associates an IPsecRule with the IPsecPolicyGroup that
                contains it.
   DERIVED FROM PolicySetComponent (see Appendix D)
   ABSTRACT     FALSE
   PROPERTIES   Priority (from PolicySetComponent)
                GroupComponent [ref IPsecPolicyGroup [1..1]]
                PartComponent [ref IPsecRule [0..n]]

4.9.1. The Property Priority

   For a description of this property, see Appendix D.

4.9.2. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyRuleInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance. The [1..1] cardinality indicates that an
   IPsecRule instance may be contained in only one IPsecPolicyGroup
   instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).

4.9.3. The Reference PartComponent

   The property PartComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IPsecRule instance. The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may contain
   zero or more IPsecRule instances.

4.10. The Aggregation Class SAConditionInRule

   The class SAConditionInRule associates an SARule with the
   SACondition instance(s) that trigger(s) it. The class definition
   for SAConditionInRule is as follows:

   NAME         SAConditionInRule
   DESCRIPTION  Associates an SARule with the SACondition instance(s)
                that trigger(s) it.
   DERIVED FROM PolicyConditionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupNumber (from PolicyConditionInPolicyRule)
                ConditionNegated (from PolicyConditionInPolicyRule)
                GroupComponent [ref SARule [0..n]]
                PartComponent [ref SACondition [1..n]]

4.10.1. The Properties GroupNumber and ConditionNegated

   For a description of these properties, see [PCIM].

4.10.2. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyConditionInPolicyRule and is overridden to refer to an SARule
   instance. The [0..n] cardinality indicates that an SACondition
   instance may be contained in zero or more SARule instances.

4.10.3. The Reference PartComponent

   The property PartComponent is inherited from
   PolicyConditionInPolicyRule and is overridden to refer to an
   SACondition instance. The [1..n] cardinality indicates that an
   SARule instance MUST contain at least one SACondition instance.

4.11. The Aggregation Class PolicyActionInSARule

   The PolicyActionInSARule class associates an SARule with one or more
   PolicyAction instances.
   In all cases where an SARule is being used,
   the contained actions MUST be either subclasses of SAAction or
   instances of CompoundPolicyAction. For an IKERule, the contained
   actions MUST be related to phase 1 processing, i.e., IKEAction or
   IKERejectAction. Similarly, for an IPsecRule, the contained actions
   MUST be related to phase 2 or preconfigured SA processing, e.g.,
   IPsecTransportAction, IPsecBypassAction, etc. The class definition
   for PolicyActionInSARule is as follows:

   NAME         PolicyActionInSARule
   DESCRIPTION  Associates an SARule with its PolicyAction(s).
   DERIVED FROM PolicyActionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref SARule [0..n]]
                PartComponent [ref PolicyAction [1..n]]
                ActionOrder (from PolicyActionInPolicyRule)

4.11.1. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyActionInPolicyRule and is overridden to refer to an SARule
   instance. The [0..n] cardinality indicates that an SAAction
   instance may be contained in zero or more SARule instances.

4.11.2. The Reference PartComponent

   The property PartComponent is inherited from
   PolicyActionInPolicyRule and is overridden to refer to an SAAction
   or CompoundPolicyAction instance. The [1..n] cardinality indicates
   that an SARule instance MUST contain at least one SAAction or
   CompoundPolicyAction instance.

4.11.3. The Property ActionOrder

   The property ActionOrder is inherited from the superclass
   PolicyActionInPolicyRule. It specifies the relative position of
   this PolicyAction in the sequence of actions associated with a
   PolicyRule. The ActionOrder MUST be unique so as to provide a
   deterministic order. In addition, the actions in an SARule are
   executed as described in section 4.2.2, ExecutionStrategy, which
   discusses the use of the ActionOrder property.

   The property is defined as follows:

   NAME         ActionOrder
   DESCRIPTION  Specifies the order of actions.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between 1 and 2^16-1 inclusive. Lower values
                have higher precedence (i.e., 1 is the highest
                precedence). The merging order of two SAActions with
                the same precedence is undefined.

5. Condition and Filter Classes

   The IPsec condition and filter classes are used to build the "if"
   part of the IKE and IPsec rules.

                       *+-------------+
   +--------------------| SACondition |
   |                    +-------------+
   |                          *|
   |                           |(a)
   |                         1 |
   |                  +--------------+
   |                  |  FilterList  |
   |                  | (Appendix C) |
   |                  +--------------+
   |                         1 o
   |(b)                        |(c)
   |                          *|
   |                 +-----------------+
   |                 | FilterEntryBase |
   |                 |  (Appendix C)   |
   |                 +-----------------+
   |                           ^
   |                           |
   |     +----------------+    |    +-----------------------+
   |     | IPHeaderFilter |----+----| CredentialFilterEntry |
   |     |  (Appendix C)  |    |    +-----------------------+
   |     +----------------+    |
   |                           |
   |    +-----------------+    |    +--------------------------+
   |    | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
   |    +-----------------+         +--------------------------+
   |
   |           *+-----------------------------+
   +------------| CredentialManagementService |
                |        (Appendix B)         |
                +-----------------------------+

   (a) FilterOfSACondition
   (b) AcceptCredentialsFrom
   (c) EntriesInFilterList (see Appendix C)

5.1. The Class SACondition

   The class SACondition defines the conditions of rules for IKE and
   IPsec negotiations. Conditions are associated with policy rules via
   the SAConditionInRule aggregation. It is used as an anchor point to
   associate various types of filters with policy rules via the
   FilterOfSACondition association. It also defines whether Credentials
   can be accepted for a particular policy rule via the
   AcceptCredentialsFrom association.

   Associated objects represent components of the condition that may or
   may not apply at a given rule evaluation. For example, an
   AcceptCredentialsFrom evaluation is only performed when a credential
   is available to be evaluated against the list of trusted credential
   management services. Similarly, a PeerIDPayloadFilterEntry may only
   be evaluated when an IDPayload value is available to be compared
   with the filter. Condition components that do not have corresponding
   values with which to evaluate are evaluated as TRUE unless the
   protocol has completed without providing the required information.

   The class definition for SACondition is as follows:

   NAME         SACondition
   DESCRIPTION  Defines the preconditions for IKE and IPsec
                negotiations.
   DERIVED FROM PolicyCondition (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyConditionName (from PolicyCondition)

5.2. The Class IPHeaderFilter

   The class IPHeaderFilter is defined in Appendix C with the following
   note:

   1) to specify 5-tuple filters that are to apply symmetrically (i.e.,
      matches traffic in both directions of the same flow between the
      two peers), the Direction property of the FilterList should be
      set to "Mirrored".

5.3. The Class CredentialFilterEntry

   The class CredentialFilterEntry defines an equivalence class that
   matches credentials of IKE peers. Each CredentialFilterEntry includes
   a MatchFieldName that is interpreted according to the
   CredentialManagementService(s) associated with the SACondition
   (AcceptCredentialsFrom).

   These credentials can be X.509 certificates, Kerberos tickets, or
   other types of credentials obtained during the Phase 1 exchange.
1262 The class definition for CredentialFilterEntry is as follows: 1264 NAME CredentialFilterEntry 1265 DESCRIPTION Specifies a match filter based on the IKE credentials. 1266 DERIVED FROM FilterEntryBase (see Appendix C) 1267 ABSTRACT FALSE 1268 PROPERTIES Name (from FilterEntryBase) 1269 IsNegated (from FilterEntryBase) 1270 MatchFieldName 1271 MatchFieldValue 1272 CredentialType 1274 5.3.1. The Property MatchFieldName 1275 The property MatchFieldName specifies the sub-part of the credential 1276 to match against MatchFieldValue. The property is defined as 1277 follows: 1279 NAME MatchFieldName 1280 DESCRIPTION Specifies which sub-part of the credential to match. 1281 SYNTAX string 1282 VALUE 1284 5.3.2. The Property MatchFieldValue 1286 The property MatchFieldValue specifies the value to compare with the 1287 MatchFieldName in a credential to determine if the credential 1288 matches this filter entry. The property is defined as follows: 1290 NAME MatchFieldValue 1291 DESCRIPTION Specifies the value to be matched by the 1292 MatchFieldName. 1293 SYNTAX string 1294 VALUE NB: If the CredentialFilterEntry corresponds to a 1295 DistinguishedName, this value in the CIM class is 1296 represented by an ordinary string value. However, an 1297 implementation must convert this string to a DER- 1298 encoded string before matching against the values 1299 extracted from credentials at runtime. 1301 5.3.3. The Property CredentialType 1303 The property CredentialType specifies the particular type of 1304 credential that is being matched. The property is defined as 1305 follows: 1307 NAME CredentialType 1308 DESCRIPTION Defines the type of IKE credentials. 1309 SYNTAX unsigned 16-bit integer 1310 VALUE 1 � X.509 Certificate 1311 2 � Kerberos Ticket 1313 5.4. The Class IPSOFilterEntry 1315 The class IPSOFilterEntry is used to match traffic based on the IP 1316 Security Options header values (ClassificationLevel and 1317 ProtectionAuthority) as defined in RFC1108. 
This type of filter entry is used to adjust the IPsec encryption level according to the IPSO classification of the traffic (e.g., secret, confidential, restricted, etc.). The class definition for IPSOFilterEntry is as follows:

   NAME          IPSOFilterEntry
   DESCRIPTION   Specifies a match filter based on IP Security
                 Options.
   DERIVED FROM  FilterEntryBase (see Appendix C)
   ABSTRACT      FALSE
   PROPERTIES    Name (from FilterEntryBase)
                 IsNegated (from FilterEntryBase)
                 MatchConditionType
                 MatchConditionValue

5.4.1. The Property MatchConditionType

The property MatchConditionType specifies the IPSO header field that will be matched (e.g., traffic classification level or protection authority). The property is defined as follows:

   NAME          MatchConditionType
   DESCRIPTION   Specifies the IPSO header field to be matched.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - ClassificationLevel
                 2 - ProtectionAuthority

5.4.2. The Property MatchConditionValue

The property MatchConditionValue specifies the value of the IPSO header field to be matched against. The property is defined as follows:

   NAME          MatchConditionValue
   DESCRIPTION   Specifies the value of the IPSO header field to be
                 matched against.
   SYNTAX        unsigned 16-bit integer
   VALUE         For ClassificationLevel, the values are:
                 61  - TopSecret
                 90  - Secret
                 150 - Confidential
                 171 - Unclassified
                 For ProtectionAuthority, the values are:
                 0 - GENSER
                 1 - SIOP-ESI
                 2 - SCI
                 3 - NSA
                 4 - DOE

5.5. The Class PeerIDPayloadFilterEntry

The class PeerIDPayloadFilterEntry defines filters used to match ID payload values from the IKE protocol exchange. PeerIDPayloadFilterEntry permits the specification of certain ID payload values such as "*@company.com" or "193.190.125.0/24".

This filter applies only to IKERules when acting as a responder.
Moreover, this filter can be applied immediately in the case of aggressive mode, but its application is to be delayed in the case of main mode: in aggressive mode the peer's ID payload is carried in the first message, whereas in main mode it is only sent in the final, encrypted messages, after the Diffie-Hellman exchange has already been performed. The class definition for PeerIDPayloadFilterEntry is as follows:

   NAME          PeerIDPayloadFilterEntry
   DESCRIPTION   Specifies a match filter based on IKE identity.
   DERIVED FROM  FilterEntryBase (see Appendix C)
   ABSTRACT      FALSE
   PROPERTIES    Name (from FilterEntryBase)
                 IsNegated (from FilterEntryBase)
                 MatchIdentityType
                 MatchIdentityValue

5.5.1. The Property MatchIdentityType

The property MatchIdentityType specifies the type of identity provided by the peer in the ID payload. The property is defined as follows:

   NAME          MatchIdentityType
   DESCRIPTION   Specifies the ID payload type.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - IPv4 Address
                 2 - FQDN
                 3 - User FQDN
                 4 - IPv4 Subnet
                 5 - IPv6 Address
                 6 - IPv6 Subnet
                 7 - IPv4 Address Range
                 8 - IPv6 Address Range
                 9 - DER-Encoded ASN.1 X.500 Distinguished Name
                 10 - DER-Encoded ASN.1 X.500 GeneralName
                 11 - Key ID

5.5.2. The Property MatchIdentityValue

The property MatchIdentityValue specifies the filter value for comparison with the ID payload, e.g., "*@company.com". The property is defined as follows:

   NAME          MatchIdentityValue
   DESCRIPTION   Specifies the ID payload value.
   SYNTAX        string
   VALUE         NB: The syntax may need to be converted for comparison.
                 If the PeerIDPayloadFilterEntry type is a
                 DistinguishedName, the name in the MatchIdentityValue
                 property is represented by an ordinary string value,
                 but this value must be converted into a DER-encoded
                 string before matching against the values extracted
                 from IKE ID payloads at runtime. The same applies to
                 IPv4 and IPv6 addresses.
                 Wildcards can be used, as can prefix notation for
                 IPv4 addresses:
                 - a MatchIdentityValue of "*@company.com" will match
                   an ID payload of "JDOE@COMPANY.COM"
                 - a MatchIdentityValue of "193.190.125.0/24" will
                   match an ID payload of 193.190.125.10.

5.6. The Association Class FilterOfSACondition

The class FilterOfSACondition associates an SACondition with the filter specifications (FilterList) that make up the condition. The class definition for FilterOfSACondition is as follows:

   NAME          FilterOfSACondition
   DESCRIPTION   Associates a condition with the filter list that makes
                 up the individual condition elements.
   DERIVED FROM  Dependency (see Appendix A)
   ABSTRACT      FALSE
   PROPERTIES    Antecedent [ref FilterList[1..1]]
                 Dependent [ref SACondition[0..n]]

5.6.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a FilterList instance. The [1..1] cardinality indicates that an SACondition instance MUST be associated with one and only one FilterList instance.

5.6.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an SACondition instance. The [0..n] cardinality indicates that a FilterList instance may be associated with zero or more SACondition instances.

5.7. The Association Class AcceptCredentialFrom

The class AcceptCredentialFrom specifies which credential management services (e.g., a CertificateAuthority or a Kerberos service) are to be trusted to certify peer credentials. This is used to validate that the credential being matched in the CredentialFilterEntry is a valid credential that has been supplied by an approved CredentialManagementService.
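The comparison rules of Section 5.5, written out as an added example (this code is not part of the draft): the identity type carried in the peer's ID payload must equal MatchIdentityType, and MatchIdentityValue is converted to the payload's native form before comparison, with "*" wildcards for FQDN and User FQDN values and prefix notation for addresses. The dataclass, the function names and the representation of a payload as a (type, value) pair are this example's own assumptions; the type codes are those of Section 5.5.1. Wildcard patterns are anchored with a full match rather than a search, so "*@company.com" does not match "jdoe@company.com.attacker.example".

```python
"""PeerIDPayloadFilterEntry matching (added example, not draft text)."""
import ipaddress
import re
from dataclasses import dataclass

# MatchIdentityType codes from section 5.5.1.
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_SUBNET = 1, 2, 3, 4
ID_IPV6_ADDR, ID_IPV6_SUBNET, ID_IPV4_RANGE, ID_IPV6_RANGE = 5, 6, 7, 8
ID_DER_DN, ID_DER_GN, ID_KEY_ID = 9, 10, 11

NAME_TYPES = {ID_FQDN, ID_USER_FQDN}
PREFIX_TYPES = {ID_IPV4_ADDR, ID_IPV4_SUBNET, ID_IPV6_ADDR, ID_IPV6_SUBNET}
RANGE_TYPES = {ID_IPV4_RANGE, ID_IPV6_RANGE}


@dataclass(frozen=True)
class PeerIDPayloadFilterEntry:
    name: str                   # from FilterEntryBase
    match_identity_type: int
    match_identity_value: str
    is_negated: bool = False    # from FilterEntryBase


def _name_matches(pattern: str, value: str) -> bool:
    # Only "*" is a wildcard; every other character is literal.  Names
    # are compared case-insensitively and the whole value must match, so
    # a trailing domain appended by an attacker cannot slip past.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _prefix_matches(pattern: str, value: str) -> bool:
    # A bare address parses as a /32 (or /128) network, so a single
    # "is the payload inside the filter prefix" test covers address,
    # subnet and prefix-against-address comparisons.
    try:
        wanted = ipaddress.ip_network(pattern, strict=False)
        given = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return wanted.version == given.version and given.subnet_of(wanted)


def _range_matches(pattern: str, value: str) -> bool:
    # Ranges are written "low-high"; the payload range must lie entirely
    # inside the filter range.
    try:
        p_lo, p_hi = (ipaddress.ip_address(a.strip()) for a in pattern.split("-"))
        v_lo, v_hi = (ipaddress.ip_address(a.strip()) for a in value.split("-"))
    except ValueError:
        return False
    if len({p_lo.version, p_hi.version, v_lo.version, v_hi.version}) != 1:
        return False
    return p_lo <= v_lo <= v_hi <= p_hi


def entry_matches(entry: PeerIDPayloadFilterEntry, id_type: int, id_value: str) -> bool:
    """Evaluate one filter entry against the peer's (type, value) ID payload."""
    if id_type != entry.match_identity_type:
        matched = False             # a filter never matches another ID type
    elif id_type in NAME_TYPES:
        matched = _name_matches(entry.match_identity_value, id_value)
    elif id_type in PREFIX_TYPES:
        matched = _prefix_matches(entry.match_identity_value, id_value)
    elif id_type in RANGE_TYPES:
        matched = _range_matches(entry.match_identity_value, id_value)
    else:
        # DN, GeneralName and Key ID: the draft requires converting the
        # string to DER before comparing.  ASSUMPTION for this example:
        # both sides are already in the same canonical string form.
        matched = entry.match_identity_value == id_value
    return (not matched) if entry.is_negated else matched
```

Note that the type check comes first: a filter written for IPv4 addresses is never consulted for an FQDN payload, which prevents a peer from choosing the identity type that gives it the most permissive match.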
If a CredentialManagementService is specified and a corresponding CredentialFilterEntry is used, but the credential supplied by the peer is not certified by that CredentialManagementService (or one of the CredentialManagementServices in its trust hierarchy), the CredentialFilterEntry is deemed not to match. If a credential is certified by a CredentialManagementService in the AcceptCredentialFrom list of services but there is no CredentialFilterEntry, this is considered equivalent to a CredentialFilterEntry that matches all credentials from those services.

The class definition for AcceptCredentialFrom is as follows:

   NAME          AcceptCredentialFrom
   DESCRIPTION   Associates a condition with the credential management
                 services to be trusted.
   DERIVED FROM  Dependency (see Appendix A)
   ABSTRACT      FALSE
   PROPERTIES    Antecedent [ref CredentialManagementService[0..n]]
                 Dependent [ref SACondition[0..n]]

5.7.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an SACondition instance may be associated with zero or more CredentialManagementService instances.

5.7.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an SACondition instance. The [0..n] cardinality indicates that a CredentialManagementService instance may be associated with zero or more SACondition instances.

6. Action Classes

The action classes are used to model the different actions an IPsec device may take when the evaluation of the associated condition results in a match.
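The credential-related evaluation rules of Sections 5.1, 5.3 and 5.7, as an added example that is not part of the draft: a component whose input is not yet available evaluates TRUE until the protocol completes without supplying it; a credential not certified by an AcceptCredentialFrom service (or a service in its trust hierarchy) never matches; and an AcceptCredentialFrom list with no CredentialFilterEntry matches every credential from those services. The class layout, the issuer-chain representation, and the AND-combination of several entries are this example's assumptions (the draft delegates FilterList combination to Appendix C, which is not reproduced here), and the credential is assumed to have been cryptographically verified before it reaches this code.

```python
"""SACondition evaluation of credential components (added example)."""
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence

X509_CERTIFICATE, KERBEROS_TICKET = 1, 2      # CredentialType (5.3.3)


@dataclass(frozen=True)
class CredentialManagementService:
    name: str
    issuer: Optional["CredentialManagementService"] = None   # parent in trust hierarchy


@dataclass(frozen=True)
class Credential:
    credential_type: int
    fields: Mapping[str, str]                   # sub-parts addressable by MatchFieldName
    certified_by: CredentialManagementService   # ASSUMED already cryptographically verified


@dataclass(frozen=True)
class CredentialFilterEntry:
    name: str
    credential_type: int
    match_field_name: str
    match_field_value: str
    is_negated: bool = False


@dataclass(frozen=True)
class SACondition:
    accept_credential_from: Sequence[CredentialManagementService] = ()   # 5.7 association
    credential_filters: Sequence[CredentialFilterEntry] = ()             # from the FilterList (5.6)


@dataclass
class ExchangeState:
    credential: Optional[Credential] = None   # None until the peer presents one
    protocol_complete: bool = False


def certified_by_trusted_service(cred: Credential,
                                 accepted: Sequence[CredentialManagementService]) -> bool:
    """Walk the certifying service's hierarchy looking for an accepted service."""
    service = cred.certified_by
    while service is not None:
        if service in accepted:
            return True
        service = service.issuer
    return False


def filter_entry_matches(entry: CredentialFilterEntry, cred: Credential) -> bool:
    if cred.credential_type != entry.credential_type:
        matched = False
    else:
        # The draft requires DN values to be DER-encoded before comparison;
        # ASSUMPTION here: both sides already use one canonical string form.
        matched = cred.fields.get(entry.match_field_name) == entry.match_field_value
    return (not matched) if entry.is_negated else matched


def evaluate_credential_components(cond: SACondition, state: ExchangeState) -> bool:
    """Result of the credential-related components of an SACondition."""
    if not cond.accept_credential_from and not cond.credential_filters:
        return True                       # nothing credential-related to evaluate
    if state.credential is None:
        # No value to evaluate against: TRUE while the exchange is still in
        # progress, FALSE once it has completed without a credential (5.1).
        return not state.protocol_complete
    cred = state.credential
    if cond.accept_credential_from:
        if not certified_by_trusted_service(cred, cond.accept_credential_from):
            return False                  # untrusted issuer: never a match (5.7)
        if not cond.credential_filters:
            return True                   # trusted issuer, match-all filter (5.7)
    return all(filter_entry_matches(f, cred) for f in cond.credential_filters)
```

The ordering matters: the trust check runs before any field comparison, so a certificate from an unapproved CA with a perfectly matching Subject still fails, and the "no credential yet" rule cannot be turned into a permanent bypass because the result flips to FALSE once the exchange completes.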
The class hierarchy is as follows (indentation shows derivation):

   SAAction
   |
   +-- SAStaticAction
   |   +-- IPsecBypassAction
   |   +-- IPsecDiscardAction
   |   +-- IKERejectAction
   |   +-- PreconfiguredSAAction
   |       +-- PreconfiguredTransportAction
   |       +-- PreconfiguredTunnelAction
   |
   +-- SANegotiationAction
       +-- IPsecAction
       |   +-- IPsecTransportAction
       |   +-- IPsecTunnelAction
       +-- IKEAction

The associations between these classes and the PeerGateway, SAProposal, SATransform and System (Appendix A) classes, with their cardinalities, are:

   (a) PeerGatewayForTunnel:
       IPsecTunnelAction [*] -- [*] PeerGateway
   (b) ContainedProposal (aggregation):
       SANegotiationAction [*] o-- [n] SAProposal
   (c) HostedPeerGatewayInformation (PeerGateway is the weak side):
       System [1] -- [*] PeerGateway
   (d) TransformOfPreconfiguredAction:
       PreconfiguredSAAction [*] -- [2..6] SATransform
   (e) PeerGatewayForPreconfiguredTunnel:
       PreconfiguredTunnelAction [*] -- [0..1] PeerGateway

6.1. The Class SAAction

The class SAAction serves as the base class for IKE and IPsec actions.
Although the class is concrete, it MUST NOT be instantiated. It is used for aggregating different types of actions to IKE and IPsec rules. The class definition for SAAction is as follows:

   NAME          SAAction
   DESCRIPTION   The base class for IKE and IPsec actions.
   DERIVED FROM  PolicyAction (see [PCIM])
   ABSTRACT      FALSE
   PROPERTIES    PolicyActionName (from PolicyAction)
                 DoActionLogging
                 DoPacketLogging

6.1.1. The Property DoActionLogging

The property DoActionLogging specifies whether a log message is to be generated when the action is performed. For SANegotiationActions this means logging a message when the negotiation is attempted (with the success or failure result). Among SAStaticActions it applies only to PreconfiguredSAAction, where it means logging a message when the preconfigured SA is actually installed in the SADB. The property is defined as follows:

   NAME          DoActionLogging
   DESCRIPTION   Specifies whether to log when the action is
                 performed.
   SYNTAX        boolean
   VALUE         true - a log message is to be generated when the
                 action is performed.
                 false - no log message is to be generated when the
                 action is performed.

6.1.2. The Property DoPacketLogging

The property DoPacketLogging specifies whether a log message is to be generated when the resulting security association is used to process a packet. If the SANegotiationAction successfully executes and results in the creation of one or several security associations, or if the PreconfiguredSAAction executes, the value of DoPacketLogging SHOULD be propagated to an optional field of the SADB. This optional field should be used to decide whether a log message is to be generated when the SA is used to process a packet. For
For 1610 SAStaticActions, a log message is to be generated when the 1611 IPsecBypassAction, IPsecDiscardAction, IKERejectAction are executed. 1612 The property is defined as follows: 1614 NAME DoPacketLogging 1615 DESCRIPTION Specifies the whether to log when the resulting 1616 security association is used to process the packet. 1617 SYNTAX boolean 1618 VALUE true - a log message is to be generated when the 1619 resulting security association is used to process the 1620 packet. 1621 false - no log message is to be generated. 1623 6.2. The Class SAStaticAction 1625 The class SAStaticAction serves as the base class for IKE and IPsec 1626 actions that do not require any negotiation. Although the class is 1627 concrete, it MUST not be instantiated. The class definition for 1628 SAStaticAction is as follows: 1630 NAME SAStaticAction 1631 DESCRIPTION The base class for IKE and IPsec actions that do not 1632 require any negotiation. 1633 DERIVED FROM SAAction 1634 ABSTRACT FALSE 1635 PROPERTIES LifetimeSeconds 1637 6.2.1. The Property LifetimeSeconds 1639 The property LifetimeSeconds specifies how long the security 1640 association derived from this action should be used. The property 1641 is defined as follows: 1643 NAME LifetimeSeconds 1644 DESCRIPTION Specifies the amount of time (in seconds) that a 1645 security association derived from this action should be 1646 used. 1647 SYNTAX unsigned 32-bit integer 1648 VALUE A value of zero indicates that there is not a lifetime 1649 associated with this action (i.e., infinite lifetime). 1650 A non-zero value is typically used in conjunction with 1651 alternate SAActions performed when there is a 1652 negotiation failure of some sort. 
Note: if the referenced SAStaticAction object is a PreconfiguredSAAction associated with several SATransforms, then the actual lifetime of the preconfigured SA will be the smallest of the value of this LifetimeSeconds property and the values of the MaxLifetimeSeconds properties of the associated SATransforms, except if the value of this LifetimeSeconds property is zero, in which case there will be no lifetime associated with this SA.

It is expected that most SAStaticAction instances will have their LifetimeSeconds properties set to zero (meaning no expiration of the resulting SA).

6.3. The Class IPsecBypassAction

The class IPsecBypassAction is used when packets are allowed to be processed without applying IPsec encapsulation to them. This is the same as stating that packets are allowed to flow in the clear. The class definition for IPsecBypassAction is as follows:

   NAME          IPsecBypassAction
   DESCRIPTION   Specifies that packets are to be allowed to pass in the
                 clear.
   DERIVED FROM  SAStaticAction
   ABSTRACT      FALSE

6.4. The Class IPsecDiscardAction

The class IPsecDiscardAction is used when packets are to be discarded. This is the same as stating that packets are to be denied. The class definition for IPsecDiscardAction is as follows:

   NAME          IPsecDiscardAction
   DESCRIPTION   Specifies that packets are to be discarded.
   DERIVED FROM  SAStaticAction
   ABSTRACT      FALSE

6.5. The Class IKERejectAction

The class IKERejectAction is used to prevent attempting an IKE negotiation with the peer(s). The main use of this class is to prevent some denial of service attacks when acting as IKE responder. It goes beyond a plain discard of UDP/500 IKE packets because the SACondition can be based on a specific PeerIDPayloadFilterEntry (when aggressive mode is used).
The class definition for IKERejectAction is as follows:

   NAME          IKERejectAction
   DESCRIPTION   Specifies that an IKE negotiation should not even be
                 attempted or continued.
   DERIVED FROM  SAStaticAction
   ABSTRACT      FALSE

6.6. The Class PreconfiguredSAAction

The class PreconfiguredSAAction is used to create a security association using preconfigured, hard-wired algorithms and keys.

Notes:

   - the SPI for a PreconfiguredSAAction is contained in the association TransformOfPreconfiguredAction;

   - the session key (if applicable) is contained in an instance of the class SharedSecret (see Appendix B). The session key is stored in the property secret; the property protocol contains either "ESP-encrypt", "ESP-auth" or "AH"; the property algorithm contains the algorithm used to protect the secret (which can be "PLAINTEXT" if the IPsec entity has no secret storage); and the value of the property RemoteID is the concatenation of the remote IPsec peer IP address in dotted decimal, the character "/", "IN" (resp. "OUT") for an inbound (resp. outbound) SA, the character "/", and the hexadecimal representation of the SPI. A "PLAINTEXT" value exposes the session key to anyone able to read the policy repository, so it should be confined to entities that genuinely lack protected storage.

Although the class is concrete, it MUST NOT be instantiated. The class definition for PreconfiguredSAAction is as follows:

   NAME          PreconfiguredSAAction
   DESCRIPTION   Specifies preconfigured algorithm and keying
                 information for creation of a security association.
   DERIVED FROM  SAStaticAction
   ABSTRACT      FALSE
   PROPERTIES    LifetimeKilobytes

6.6.1. The Property LifetimeKilobytes

The property LifetimeKilobytes specifies a traffic limit in kilobytes that can be consumed before the SA is deleted. The property is defined as follows:

   NAME          LifetimeKilobytes
   DESCRIPTION   Specifies the SA lifetime in kilobytes.
   SYNTAX        unsigned 32-bit integer
   VALUE         A value of zero indicates that there is no lifetime
                 associated with this action (i.e., infinite lifetime).
                 A non-zero value indicates that after this amount of
                 kilobytes has been consumed the SA must be deleted
                 from the SADB.

Note: the actual lifetime of the preconfigured SA will be the smallest of the value of this LifetimeKilobytes property and the values of the MaxLifetimeKilobytes properties of the associated SATransforms, except if the value of this LifetimeKilobytes property is zero, in which case there will be no kilobyte lifetime associated with this action.

It is expected that most PreconfiguredSAAction instances will have their LifetimeKilobytes properties set to zero (meaning no expiration of the resulting SA).

6.7. The Class PreconfiguredTransportAction

The class PreconfiguredTransportAction is used to create an IPsec transport-mode security association using preconfigured, hard-wired algorithms and keys. The class definition for PreconfiguredTransportAction is as follows:

   NAME          PreconfiguredTransportAction
   DESCRIPTION   Specifies preconfigured algorithm and keying
                 information for creation of an IPsec transport security
                 association.
   DERIVED FROM  PreconfiguredSAAction
   ABSTRACT      FALSE

6.8. The Class PreconfiguredTunnelAction

The class PreconfiguredTunnelAction is used to create an IPsec tunnel-mode security association using preconfigured, hard-wired algorithms and keys. The class definition for PreconfiguredTunnelAction is as follows:

   NAME          PreconfiguredTunnelAction
   DESCRIPTION   Specifies preconfigured algorithm and keying
                 information for creation of an IPsec tunnel-mode
                 security association.
   DERIVED FROM  PreconfiguredSAAction
   ABSTRACT      FALSE
   PROPERTIES    DFHandling

6.8.1.
The Property DFHandling

The property DFHandling specifies how the Don't Fragment (DF) bit of the internal IP header is to be handled during IPsec processing. The property is defined as follows:

   NAME          DFHandling
   DESCRIPTION   Specifies the processing of the DF bit.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - Copy the DF bit from the internal IP header to the
                 external IP header.
                 2 - Set the DF bit of the external IP header to 1.
                 3 - Clear the DF bit of the external IP header to 0.

6.9. The Class SANegotiationAction

The class SANegotiationAction serves as the base class for IKE and IPsec actions that result in an IKE negotiation. Although the class is concrete, it MUST NOT be instantiated. The class definition for SANegotiationAction is as follows:

   NAME          SANegotiationAction
   DESCRIPTION   A base class for IKE and IPsec actions that specifies
                 the parameters that are common for IKE phase 1 and IKE
                 phase 2 IPsec DOI negotiations.
   DERIVED FROM  SAAction
   ABSTRACT      FALSE
   PROPERTIES    MinLifetimeSeconds
                 MinLifetimeKilobytes
                 RefreshThresholdSeconds
                 RefreshThresholdKilobytes
                 IdleDurationSeconds

6.9.1. The Property MinLifetimeSeconds

The property MinLifetimeSeconds specifies the minimum seconds lifetime that will be accepted from the peer. MinLifetimeSeconds is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. The property is defined as follows:

   NAME          MinLifetimeSeconds
   DESCRIPTION   Specifies the minimum acceptable seconds lifetime.
   SYNTAX        unsigned 32-bit integer
   VALUE         A value of zero indicates that there is no minimum
                 value. A non-zero value specifies the minimum seconds
                 lifetime.

6.9.2.
The Property MinLifetimeKilobytes

The property MinLifetimeKilobytes specifies the minimum kilobytes lifetime that will be accepted from the peer. MinLifetimeKilobytes is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. Note that there has been considerable debate regarding the usefulness of applying kilobyte lifetimes to IKE phase 1 security associations, so it is likely that this property will only apply to the sub-class IPsecAction. The property is defined as follows:

   NAME          MinLifetimeKilobytes
   DESCRIPTION   Specifies the minimum acceptable kilobytes lifetime.
   SYNTAX        unsigned 32-bit integer
   VALUE         A value of zero indicates that there is no minimum
                 value. A non-zero value specifies the minimum
                 kilobytes lifetime.

6.9.3. The Property RefreshThresholdSeconds

The property RefreshThresholdSeconds specifies what percentage of the seconds lifetime can expire before IKE should attempt to renegotiate the security association. A random value may be added to the calculated threshold (percentage x seconds lifetime) to reduce the chance of both peers attempting to renegotiate at the same time. The property is defined as follows:

   NAME          RefreshThresholdSeconds
   DESCRIPTION   Specifies the percentage of seconds lifetime that has
                 expired before the security association is
                 renegotiated.
   SYNTAX        unsigned 8-bit integer
   VALUE         A value between 1 and 100 representing a percentage. A
                 value of 100 indicates that the security association
                 should not be renegotiated until the seconds lifetime
                 has been reached.

6.9.4.
The Property RefreshThresholdKilobytes

The property RefreshThresholdKilobytes specifies what percentage of the kilobyte lifetime can expire before IKE should attempt to renegotiate the IPsec security association. A random value may be added to the calculated threshold (percentage x kilobyte lifetime) to reduce the chance of both peers attempting to renegotiate at the same time. Note that, as with the property MinLifetimeKilobytes, this property is probably only relevant to IPsecAction sub-classes. The property is defined as follows:

   NAME          RefreshThresholdKilobytes
   DESCRIPTION   Specifies the percentage of kilobyte lifetime that has
                 expired before the IPsec security association is
                 renegotiated.
   SYNTAX        unsigned 8-bit integer
   VALUE         A value between 1 and 100 representing a percentage. A
                 value of 100 indicates that the IPsec security
                 association should not be renegotiated until the
                 kilobyte lifetime has been reached.

6.9.5. The Property IdleDurationSeconds

The property IdleDurationSeconds specifies how many seconds a security association may remain idle (i.e., no traffic protected using the security association) before it is deleted. The property is defined as follows:

   NAME          IdleDurationSeconds
   DESCRIPTION   Specifies how long, in seconds, a security association
                 may remain unused before it is deleted.
   SYNTAX        unsigned 32-bit integer
   VALUE         A value of zero indicates that idle detection should
                 not be used for the security association (only the
                 seconds and kilobyte lifetimes will be used). Any non-
                 zero value indicates the number of seconds the security
                 association may remain unused.

6.10. The Class IPsecAction

The class IPsecAction serves as the base class for IPsec transport and tunnel actions. It specifies the parameters used for an IKE phase 2 IPsec DOI negotiation.
Although the class is concrete, it MUST NOT be instantiated. The class definition for IPsecAction is as follows:

   NAME          IPsecAction
   DESCRIPTION   A base class for IPsec transport and tunnel actions
                 that specifies the parameters for IKE phase 2 IPsec DOI
                 negotiations.
   DERIVED FROM  SANegotiationAction
   ABSTRACT      FALSE
   PROPERTIES    UsePFS
                 UseIKEGroup
                 GroupId
                 Granularity
                 VendorID

6.10.1. The Property UsePFS

The property UsePFS specifies whether or not perfect forward secrecy should be used when refreshing keys. The property is defined as follows:

   NAME          UsePFS
   DESCRIPTION   Specifies whether or not to use PFS when refreshing
                 keys.
   SYNTAX        boolean
   VALUE         A value of true indicates that PFS should be used. A
                 value of false indicates that PFS should not be used.

6.10.2. The Property UseIKEGroup

The property UseIKEGroup specifies whether or not phase 2 should use the same key exchange group as was used in phase 1. UseIKEGroup is ignored if UsePFS is false. The property is defined as follows:

   NAME          UseIKEGroup
   DESCRIPTION   Specifies whether or not to use the same GroupId for
                 phase 2 as was used in phase 1. If UsePFS is false,
                 then UseIKEGroup is ignored.
   SYNTAX        boolean
   VALUE         A value of true indicates that the phase 2 GroupId
                 should be the same as phase 1. A value of false
                 indicates that the property GroupId will contain the
                 key exchange group to use for phase 2.

6.10.3. The Property GroupId

The property GroupId specifies the key exchange group to use for phase 2. GroupId is ignored if (1) the property UsePFS is false, or (2) the property UsePFS is true and the property UseIKEGroup is true. If the GroupId number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number.
The property is defined as follows:

   NAME          GroupId
   DESCRIPTION   Specifies the key exchange group to use for phase 2
                 when the property UsePFS is true and the property
                 UseIKEGroup is false.
   SYNTAX        unsigned 16-bit integer
   VALUE         Consult [IKE] for valid values.

6.10.4. The Property Granularity

The property Granularity specifies how the selector for the security association should be derived from the traffic that triggered the negotiation. The property is defined as follows:

   NAME          Granularity
   DESCRIPTION   Specifies how the proposed selector for the security
                 association will be created.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - subnet: the source and destination subnet masks of
                 the filter entry are used.
                 2 - address: only the source and destination IP
                 addresses of the triggering packet are used.
                 3 - protocol: the source and destination IP addresses
                 and the IP protocol of the triggering packet are used.
                 4 - port: the source and destination IP addresses, the
                 IP protocol and the source and destination layer 4
                 ports of the triggering packet are used.

6.10.5. The Property VendorID

The property VendorID is used together with the property GroupId (when it is in the vendor-specific range) to identify the key exchange group. VendorID is ignored unless UsePFS is true, UseIKEGroup is false and GroupId is in the vendor-specific range (32768-65535). The property is defined as follows:

   NAME          VendorID
   DESCRIPTION   Specifies the IKE Vendor ID.
   SYNTAX        string

6.11. The Class IPsecTransportAction

The class IPsecTransportAction is a subclass of IPsecAction that is used to specify use of an IPsec transport-mode security association.
The class definition for IPsecTransportAction is as follows:

   NAME          IPsecTransportAction
   DESCRIPTION   Specifies that an IPsec transport-mode security
                 association should be negotiated.
   DERIVED FROM  IPsecAction
   ABSTRACT      FALSE

6.12. The Class IPsecTunnelAction

The class IPsecTunnelAction is a subclass of IPsecAction that is used to specify use of an IPsec tunnel-mode security association. The class definition for IPsecTunnelAction is as follows:

   NAME          IPsecTunnelAction
   DESCRIPTION   Specifies that an IPsec tunnel-mode security
                 association should be negotiated.
   DERIVED FROM  IPsecAction
   ABSTRACT      FALSE
   PROPERTIES    DFHandling

6.12.1. The Property DFHandling

The property DFHandling specifies how the tunnel should manage the Don't Fragment (DF) bit. The property is defined as follows:

   NAME          DFHandling
   DESCRIPTION   Specifies how to process the DF bit.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - Copy the DF bit from the internal IP header to the
                 external IP header.
                 2 - Set the DF bit of the external IP header to 1.
                 3 - Clear the DF bit of the external IP header to 0.

6.13. The Class IKEAction

The class IKEAction specifies the parameters that are to be used for IKE phase 1 negotiation. The class definition for IKEAction is as follows:

   NAME          IKEAction
   DESCRIPTION   Specifies the IKE phase 1 negotiation parameters.
   DERIVED FROM  SANegotiationAction
   ABSTRACT      FALSE
   PROPERTIES    RefreshThresholdDerivedKeys
                 ExchangeMode
                 UseIKEIdentityType
                 VendorID
                 AggressiveModeGroupId

6.13.1. The Property RefreshThresholdDerivedKeys

The property RefreshThresholdDerivedKeys specifies what percentage of the derived key limit (see the LifetimeDerivedKeys property of IKEProposal) can expire before IKE should attempt to renegotiate the IKE phase 1 security association.
A random value may be added to the calculated threshold (percentage x derived key limit) to reduce the chance of both peers attempting to renegotiate at the same time. The property is defined as follows:

   NAME          RefreshThresholdDerivedKeys
   DESCRIPTION   Specifies the percentage of the derived key limit that
                 has expired before the IKE phase 1 security
                 association is renegotiated.
   SYNTAX        unsigned 8-bit integer
   VALUE         A value between 1 and 100 representing a percentage. A
                 value of 100 indicates that the IKE phase 1 security
                 association should not be renegotiated until the
                 derived key limit has been reached.

6.13.2. The Property ExchangeMode

The property ExchangeMode specifies which IKE mode should be used for IKE phase 1 negotiations. The property is defined as follows:

   NAME          ExchangeMode
   DESCRIPTION   Specifies the IKE negotiation mode for phase 1.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - base mode
                 2 - main mode
                 4 - aggressive mode

6.13.3. The Property UseIKEIdentityType

The property UseIKEIdentityType specifies what IKE identity type should be used when negotiating with the peer. This information is used in conjunction with the IKE identities available on the system and the IdentityContexts of the matching IKERule. The property is defined as follows:

   NAME          UseIKEIdentityType
   DESCRIPTION   Specifies the IKE identity type to use during
                 negotiation.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - IPv4 Address
                 2 - FQDN
                 3 - User FQDN
                 4 - IPv4 Subnet
                 5 - IPv6 Address
                 6 - IPv6 Subnet
                 7 - IPv4 Address Range
                 8 - IPv6 Address Range
                 9 - DER-Encoded ASN.1 X.500 Distinguished Name
                 10 - DER-Encoded ASN.1 X.500 GeneralName
                 11 - Key ID

6.13.4. The Property VendorID

The property VendorID specifies the value to be used in the Vendor ID payload.
The property is defined as follows: 2128 NAME VendorID 2129 DESCRIPTION Vendor ID Payload. 2130 SYNTAX string 2131 VALUE A value of NULL means that Vendor ID payload will be 2132 neither generated nor accepted. A non-NULL value means 2133 that a Vendor ID payload will be generated (when acting 2134 as an initiator) or is expected (when acting as a 2135 responder). 2137 6.13.5. The Property AggressiveModeGroupId 2138 The property AggressiveModeGroupId specifies which group ID is to be 2139 used in the first packets of the phase 1 negotiation. This property 2140 is ignored unless the property ExchangeMode is set to 4 (aggressive 2141 mode). If the AggressiveModeGroupID number is from the vendor- 2142 specific range (32768-65535), the property VendorID qualifies the 2143 group number. The property is defined as follows: 2145 NAME AggressiveModeGroupId 2146 DESCRIPTION Specifies the group ID to be used for aggressive mode. 2147 SYNTAX unsigned 16-bit integer 2149 6.14. The Class PeerGateway 2151 The class PeerGateway specifies the security gateway with which the 2152 IKE services negotiates. The class definition for PeerGateway is as 2153 follows: 2155 NAME PeerGateway 2156 DESCRIPTION Specifies the security gateway with which to negotiate. 2157 DERIVED FROM LogicalElement (see Appendix A) 2158 ABSTRACT FALSE 2159 PROPERTIES Name 2160 PeerIdentityType 2161 PeerIdentity 2163 6.14.1. The Property Name 2165 The property Name specifies a user-friendly name for this security 2166 gateway. The property is defined as follows: 2168 NAME Name 2169 DESCRIPTION Specifies a user-friendly name for this security 2170 gateway. 2171 SYNTAX string 2173 6.14.2. The Property PeerIdentityType 2175 The property PeerIdentityType specifies the IKE identity type of the 2176 security gateway. The property is defined as follows: 2178 NAME PeerIdentityType 2179 DESCRIPTION Specifies the IKE identity type of the security 2180 gateway. 
2181 SYNTAX unsigned 16-bit integer 2182 VALUE 1 - IPv4 Address 2183 2 - FQDN 2184 3 - User FQDN 2185 4 - IPv4 Subnet 2186 5 - IPv6 Address 2187 6 - IPv6 Subnet 2188 7 - IPv4 Address Range 2189 8 - IPv6 Address Range 2190 9 - DER-Encoded ASN.1 X.500 Distinguished Name 2191 10 - DER-Encoded ASN.1 X.500 GeneralName 2192 11 - Key ID 2194 6.14.3. The Property PeerIdentity 2196 The property PeerIdentity specifies the IKE identity value of the 2197 security gateway. A conversion may be needed between the 2198 PeerIdentity string representation and the real value used in the ID 2199 payload (e.g. IP address is to be converted from a dotted decimal 2200 string into 4 bytes). The property is defined as follows: 2202 NAME PeerIdentity 2203 DESCRIPTION Specifies the IKE identity value of the security 2204 gateway. 2205 SYNTAX string 2207 6.15. The Association Class PeerGatewayForTunnel 2209 The class PeerGatewayForTunnel associates IPsecTunnelActions with an 2210 ordered list of PeerGateways. The class definition for 2211 PeerGatewayForTunnel is as follows: 2213 NAME PeerGatewayForTunnel 2214 DESCRIPTION Associates IPsecTunnelActions with an ordered list of 2215 PeerGateways. 2216 DERIVED FROM Dependency (see Appendix A) 2217 ABSTRACT FALSE 2218 PROPERTIES Antecedent [ref PeerGateway[0..n]] 2219 Dependent [ref IPsecTunnelAction[0..n]] 2220 SequenceNumber 2222 6.15.1. The Reference Antecedent 2224 The property Antecedent is inherited from Dependency and is 2225 overridden to refer to a PeerGateway instance. The [0..n] 2226 cardinality indicates that there an IPsecTunnelAction instance may 2227 be associated with zero or more PeerGateway instances. 
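   Returning to 6.14.3 for a moment: the conversion between the
   PeerIdentity string and the value carried in the ID payload depends
   entirely on PeerIdentityType, and a gateway that does not validate
   the string against the declared type will either send malformed ID
   data or match peers it did not intend to.  The following is an added
   example, not code from the draft: it encodes a (PeerIdentityType,
   PeerIdentity) pair using the type numbers of 6.14.2 and the wire
   encodings of the IPsec DOI (addresses as raw network-order bytes,
   subnets as address followed by mask, ranges as first address followed
   by last, FQDN and User FQDN as ASCII, Key ID as opaque bytes), and
   rejects strings that do not fit the type.  The hex representation
   assumed for the two DER-encoded types and the PeerGateway dict
   layout are this example's own assumptions.

```python
"""Encode PeerIdentity (6.14.3) into IKE phase 1 ID payload data, keyed on
PeerIdentityType (6.14.2).  Added example, not part of the draft."""
import binascii
import ipaddress

# PeerIdentityType values from 6.14.2 (same numbering as UseIKEIdentityType)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_ADDR_SUBNET = 4
ID_IPV6_ADDR = 5
ID_IPV6_ADDR_SUBNET = 6
ID_IPV4_ADDR_RANGE = 7
ID_IPV6_ADDR_RANGE = 8
ID_DER_ASN1_DN = 9
ID_DER_ASN1_GN = 10
ID_KEY_ID = 11

# IP version each address-bearing type must carry
_IP_VERSION = {ID_IPV4_ADDR: 4, ID_IPV4_ADDR_SUBNET: 4, ID_IPV4_ADDR_RANGE: 4,
               ID_IPV6_ADDR: 6, ID_IPV6_ADDR_SUBNET: 6, ID_IPV6_ADDR_RANGE: 6}


def encode_peer_identity(id_type: int, identity: str) -> bytes:
    """Return the identification data for the ID payload, or raise
    ValueError when the string does not match the declared type."""
    version = _IP_VERSION.get(id_type)

    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        addr = ipaddress.ip_address(identity)          # ValueError if malformed
        if addr.version != version:
            raise ValueError(f"{identity!r} is not an IPv{version} address")
        return addr.packed                              # 4 or 16 bytes, network order

    if id_type in (ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR_SUBNET):
        # strict=True rejects host bits set under the mask, e.g. 192.0.2.1/24
        net = ipaddress.ip_network(identity, strict=True)
        if net.version != version:
            raise ValueError(f"{identity!r} is not an IPv{version} subnet")
        return net.network_address.packed + net.netmask.packed

    if id_type in (ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE):
        parts = identity.split("-")
        if len(parts) != 2:
            raise ValueError(f"range {identity!r} must be written first-last")
        first = ipaddress.ip_address(parts[0].strip())
        last = ipaddress.ip_address(parts[1].strip())
        if first.version != version or last.version != version or first > last:
            raise ValueError(f"{identity!r} is not an ordered IPv{version} range")
        return first.packed + last.packed

    if id_type in (ID_FQDN, ID_USER_FQDN):
        data = identity.encode("ascii")   # UnicodeEncodeError (a ValueError) if non-ASCII
        if not data or b"\x00" in data:
            raise ValueError("empty or NUL-containing name")
        if id_type == ID_USER_FQDN and identity.count("@") != 1:
            raise ValueError(f"User FQDN {identity!r} needs exactly one '@'")
        return data

    if id_type in (ID_DER_ASN1_DN, ID_DER_ASN1_GN):
        # Assumption of this example: the model string holds the DER bytes as hex.
        return binascii.unhexlify(identity.replace(":", ""))

    if id_type == ID_KEY_ID:
        return identity.encode("utf-8")   # opaque octets, passed through

    raise ValueError(f"unknown PeerIdentityType {id_type}")


def encode_peer_gateway(gateway: dict) -> bytes:
    """Encode a PeerGateway instance represented as a dict keyed by the
    draft's property names (a constructed representation)."""
    return encode_peer_identity(gateway["PeerIdentityType"], gateway["PeerIdentity"])


def rejects(id_type: int, identity: str) -> bool:
    """True if the pair is refused; handy for policy validation at load time."""
    try:
        encode_peer_identity(id_type, identity)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed PeerGateway instance; 192.0.2.0/24 is documentation address space.
    gw = {"Name": "branch-gw", "PeerIdentityType": ID_IPV4_ADDR, "PeerIdentity": "192.0.2.1"}
    print(encode_peer_gateway(gw).hex())   # c0000201
```

   Validating at policy-load time (the rejects() helper) rather than at
   negotiation time means a mistyped PeerIdentity fails loudly instead of
   silently never matching a peer, which is the failure mode that tends to
   get "fixed" by loosening the rule to accept any gateway.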
   Note: the cardinality 0 has a specific meaning:

   - when the IKE service acts as a responder, this means that the
     IKE service will accept phase 1 negotiation with any other
     security gateway;

   - when the IKE service acts as an initiator, this means that
     the IKE service will use the destination IP address (of the
     IP packets which triggered the SARule) as the IP address of
     the peer IKE entity.

6.15.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecTunnelAction instance.  The [0..n]
   cardinality indicates that a PeerGateway instance may be associated
   with zero or more IPsecTunnelAction instances.

6.15.3. The Property SequenceNumber

   The property SequenceNumber specifies the ordering to be used when
   evaluating PeerGateway instances for a given IPsecTunnelAction.
   The property is defined as follows:

   NAME                SequenceNumber
   DESCRIPTION         Specifies the order of evaluation for
                       PeerGateways.
   SYNTAX              unsigned 16-bit integer
   VALUE               Lower values are evaluated first.

6.16. The Aggregation Class ContainedProposal

   The class ContainedProposal associates an ordered list of
   SAProposals with the SANegotiationAction that aggregates it.  If the
   referenced SANegotiationAction object is an IKEAction, then the
   referenced SAProposal object(s) must be IKEProposal(s).  If the
   referenced SANegotiationAction object is an IPsecTransportAction or
   an IPsecTunnelAction, then the referenced SAProposal object(s) must
   be IPsecProposal(s).  The class definition for ContainedProposal is
   as follows:

   NAME                ContainedProposal
   DESCRIPTION         Associates an ordered list of SAProposals with an
                       SANegotiationAction.
   DERIVED FROM        PolicyComponent (see [PCIM])
   ABSTRACT            FALSE
   PROPERTIES          GroupComponent[ref SANegotiationAction[0..n]]
                       PartComponent[ref SAProposal[1..n]]
                       SequenceNumber

6.16.1. The Reference GroupComponent

   The property GroupComponent is inherited from PolicyComponent and is
   overridden to refer to an SANegotiationAction instance.  The [0..n]
   cardinality indicates that an SAProposal instance may be associated
   with zero or more SANegotiationAction instances.

6.16.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SAProposal instance.  The [1..n]
   cardinality indicates that an SANegotiationAction instance MUST be
   associated with at least one SAProposal instance.

6.16.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for
   the SAProposals.  The property is defined as follows:

   NAME                SequenceNumber
   DESCRIPTION         Specifies the preference order for the
                       SAProposals.
   SYNTAX              unsigned 16-bit integer
   VALUE               Lower-valued proposals are preferred over
                       proposals with higher values.  For
                       ContainedProposals that reference the same
                       SANegotiationAction, SequenceNumber values must
                       be unique.

6.17. The Association Class HostedPeerGatewayInformation

   The class HostedPeerGatewayInformation weakly associates a
   PeerGateway with a System.  The class definition for
   HostedPeerGatewayInformation is as follows:

   NAME                HostedPeerGatewayInformation
   DESCRIPTION         Weakly associates a PeerGateway with a System.
   DERIVED FROM        Dependency (see Appendix A)
   ABSTRACT            FALSE
   PROPERTIES          Antecedent [ref System[1..1]]
                       Dependent [ref PeerGateway[0..n] [weak]]

6.17.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that a PeerGateway instance MUST be associated with one
   and only one System instance.

6.17.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more PeerGateway instances.

6.18. The Association Class TransformOfPreconfiguredAction

   The class TransformOfPreconfiguredAction associates a
   PreconfiguredSAAction with from two to six SATransforms that will be
   applied to the inbound and outbound traffic.  The order of
   application of the SATransforms is implicitly defined in [IPSEC].
   The class definition for TransformOfPreconfiguredAction is as
   follows:

   NAME                TransformOfPreconfiguredAction
   DESCRIPTION         Associates a PreconfiguredSAAction with from one
                       to three SATransforms.
   DERIVED FROM        Dependency (see Appendix A)
   ABSTRACT            FALSE
   PROPERTIES          Antecedent[ref SATransform[2..6]]
                       Dependent[ref PreconfiguredSAAction[0..n]]
                       SPI
                       Direction

6.18.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an SATransform instance.  The [2..6]
   cardinality indicates that an SANegotiationAction instance may be
   associated with from two to six SATransform instances.

6.18.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PreconfiguredSAAction instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more PreconfiguredSAAction instances.

6.18.3. The Property SPI

   The property SPI specifies the SPI to be used by the pre-configured
   action for the associated transform.  The property is defined as
   follows:

   NAME                SPI
   DESCRIPTION         Specifies the SPI to be used with the
                       SATransform.
   SYNTAX              unsigned 32-bit integer

6.18.4. The Property Direction

   The property Direction specifies whether the SPI property is for
   inbound or for outbound traffic.  The property is defined as follows:

   NAME                Direction
   DESCRIPTION         Specifies whether the SA is for inbound or
                       outbound traffic.
   SYNTAX              unsigned 8-bit integer
   VALUE               1 - this SA is for inbound traffic
                       2 - this SA is for outbound traffic

6.19. The Association Class PeerGatewayForPreconfiguredTunnel

   The class PeerGatewayForPreconfiguredTunnel associates zero or one
   PeerGateway with multiple PreconfiguredTunnelActions.  The class
   definition for PeerGatewayForPreconfiguredTunnel is as follows:

   NAME                PeerGatewayForPreconfiguredTunnel
   DESCRIPTION         Associates a PeerGateway with multiple
                       PreconfiguredTunnelActions.
   DERIVED FROM        Dependency (see Appendix A)
   ABSTRACT            FALSE
   PROPERTIES          Antecedent[ref PeerGateway[0..1]]
                       Dependent[ref PreconfiguredTunnelAction[0..n]]

6.19.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..1]
   cardinality indicates that a PreconfiguredTunnelAction instance may
   be associated with one PeerGateway instance.

6.19.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PreconfiguredTunnelAction instance.  The
   [0..n] cardinality indicates that a PeerGateway instance may be
   associated with zero or more PreconfiguredSAAction instances.

7. Proposal and Transform Classes

   The proposal and transform classes model the proposal settings an
   IPsec device will use during IKE phase 1 and 2 negotiations.
   +--------------+*w            1+--------------+
   | [SAProposal] |---------------| System       |
   +--------------+      (a)      | (Appendix A) |
          ^                       +--------------+
          |                                   |1
          +------------------+                |
          |                  |                |
   +-------------+   +---------------+        |
   | IKEProposal |   | IPsecProposal |        |
   +-------------+   +---------------+        |
                            *o                |
                             |(b)             |(c)
                            n|                |
                       +---------------+*w    |
                       | [SATransform] |------+
                       +---------------+
                               ^
                               |
          +--------------------+-------------------+
          |                    |                   |
   +-------------+    +--------------+    +-----------------+
   | AHTransform |    | ESPTransform |    | IPCOMPTransform |
   +-------------+    +--------------+    +-----------------+

   (a) SAProposalInSystem
   (b) ContainedTransform
   (c) SATransformInSystem

7.1. The Abstract Class SAProposal

   The abstract class SAProposal serves as the base class for the IKE
   and IPsec proposal classes.  It specifies the parameters that are
   common to the two proposal types.  The class definition for
   SAProposal is as follows:

   NAME                SAProposal
   DESCRIPTION         Specifies the common proposal parameters for IKE
                       and IPsec security association negotiation.
   DERIVED FROM        Policy ([PCIM])
   ABSTRACT            TRUE
   PROPERTIES          Name

7.1.1. The Property Name

   The property Name specifies a user-friendly name for the SAProposal.
   The property is defined as follows:

   NAME                Name
   DESCRIPTION         Specifies a user-friendly name for this proposal.
   SYNTAX              string

7.2. The Class IKEProposal

   The class IKEProposal specifies the proposal parameters necessary to
   drive an IKE security association negotiation.  The class definition
   for IKEProposal is as follows:

   NAME                IKEProposal
   DESCRIPTION         Specifies the proposal parameters for IKE
                       security association negotiation.
   DERIVED FROM        SAProposal
   ABSTRACT            FALSE
   PROPERTIES          LifetimeDerivedKeys
                       CipherAlgorithm
                       HashAlgorithm
                       PRFAlgorithm
                       GroupId
                       AuthenticationMethod
                       MaxLifetimeSeconds
                       MaxLifetimeKilobytes
                       VendorID

7.2.1. The Property LifetimeDerivedKeys

   The property LifetimeDerivedKeys specifies the number of times that
   a phase 1 key will be used to derive a phase 2 key before the phase
   1 security association needs to be renegotiated.  Even though this
   is not a parameter that is sent in an IKE proposal, it is included
   in the proposal because the number of keys that may be derived can
   depend on the strength of the algorithms in the IKE proposal.  The
   property is defined as follows:

   NAME                LifetimeDerivedKeys
   DESCRIPTION         Specifies the number of phase 2 keys that can be
                       derived from the phase 1 key.
   SYNTAX              unsigned 32-bit integer
   VALUE               A value of zero indicates that there is no limit
                       to the number of phase 2 keys that may be
                       derived from the phase 1 key; instead the
                       seconds and/or kilobytes lifetime will dictate
                       the phase 1 rekeying.  A non-zero value
                       specifies the number of phase 2 keys that can be
                       derived from the phase 1 key.

7.2.2. The Property CipherAlgorithm

   The property CipherAlgorithm specifies the proposed phase 1 security
   association encryption algorithm.  The property is defined as
   follows:

   NAME                CipherAlgorithm
   DESCRIPTION         Specifies the proposed encryption algorithm for
                       the phase 1 security association.
   SYNTAX              unsigned 16-bit integer
   VALUE               Consult [IKE] for valid values.

7.2.3. The Property HashAlgorithm

   The property HashAlgorithm specifies the proposed phase 1 security
   association hash algorithm.  The property is defined as follows:

   NAME                HashAlgorithm
   DESCRIPTION         Specifies the proposed hash algorithm for the
                       phase 1 security association.
   SYNTAX              unsigned 16-bit integer
   VALUE               Consult [IKE] for valid values.

7.2.4. The Property PRFAlgorithm

   The property PRFAlgorithm specifies the proposed phase 1 security
   association pseudo-random function.  The property is defined as
   follows:

   NAME                PRFAlgorithm
   DESCRIPTION         Specifies the proposed pseudo-random function for
                       the phase 1 security association.
   SYNTAX              unsigned 16-bit integer
   VALUE               Currently none defined.

7.2.5. The Property GroupId

   The property GroupId specifies the proposed phase 1 security
   association key exchange group.  This property is ignored for all
   aggressive mode exchanges.  If the GroupID number is from the
   vendor-specific range (32768-65535), the property VendorID qualifies
   the group number.  The property is defined as follows:

   NAME                GroupId
   DESCRIPTION         Specifies the proposed key exchange group for the
                       phase 1 security association.
   SYNTAX              unsigned 16-bit integer
   VALUE               0 - Not applicable: used for aggressive mode.
                       Consult [IKE] for other valid values.

7.2.6. The Property AuthenticationMethod

   The property AuthenticationMethod specifies the proposed phase 1
   authentication method.  The property is defined as follows:

   NAME                AuthenticationMethod
   DESCRIPTION         Specifies the proposed authentication method for
                       the phase 1 security association.
   SYNTAX              unsigned 16-bit integer
   VALUE               0 - a special value that indicates that this
                       particular proposal should be repeated once for
                       each authentication method that corresponds to
                       the credentials installed on the machine.  For
                       example, if the system has a pre-shared key and
                       a certificate, a proposal list could be
                       constructed which includes a proposal that
                       specifies pre-shared key and proposals for any
                       of the public-key authentication methods.
                       Consult [IKE] for valid values.

7.2.7. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum amount of
   time, in seconds, to propose that a security association will remain
   valid after its creation.  The property is defined as follows:

   NAME                MaxLifetimeSeconds
   DESCRIPTION         Specifies the maximum amount of time to propose
                       a security association remain valid.
   SYNTAX              unsigned 32-bit integer
   VALUE               A value of zero indicates that the default of 8
                       hours be used.  A non-zero value indicates the
                       maximum seconds lifetime.

7.2.8. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

   NAME                MaxLifetimeKilobytes
   DESCRIPTION         Specifies the maximum kilobyte lifetime to
                       propose a security association remain valid.
   SYNTAX              unsigned 32-bit integer
   VALUE               A value of zero indicates that there should be
                       no maximum kilobyte lifetime.  A non-zero value
                       specifies the desired kilobyte lifetime.

7.2.9. The Property VendorID

   The property VendorID further qualifies the key exchange group.  The
   property is ignored unless the exchange is not in aggressive mode
   and the property GroupID is in the vendor-specific range.  The
   property is defined as follows:

   NAME                VendorID
   DESCRIPTION         Specifies the Vendor ID to further qualify the
                       key exchange group.
   SYNTAX              string

7.3. The Class IPsecProposal

   The class IPsecProposal adds no new properties, but inherits
   proposal properties from SAProposal as well as aggregating the
   security association transforms necessary for building an IPsec
   proposal (see the aggregation class ContainedTransform).
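   Before the IPsecProposal definition, one point worth making concrete
   is how the phase 1 lifetime properties just defined interact: the
   zero values of LifetimeDerivedKeys (7.2.1), MaxLifetimeSeconds (7.2.7)
   and MaxLifetimeKilobytes (7.2.8) each mean something different ("no
   limit", "default of 8 hours", "no limit"), and the
   RefreshThresholdDerivedKeys percentage of 6.13.1, plus its optional
   random addition, decides when renegotiation starts relative to the
   derived-key limit.  The following is an added example, not code from
   the draft; the property names are the draft's, while the dataclasses,
   function names and the 10 % jitter range are this example's own, and
   it assumes the proposed lifetimes were the ones the peer accepted.

```python
"""Phase 1 rekey decision combining IKEProposal lifetimes (7.2.1, 7.2.7,
7.2.8) with RefreshThresholdDerivedKeys of IKEAction (6.13.1).
Added example, not part of the draft."""
from dataclasses import dataclass
import random

DEFAULT_MAX_LIFETIME_SECONDS = 8 * 3600   # 7.2.7: zero means the 8-hour default


@dataclass(frozen=True)
class IKEProposalLifetimes:
    lifetime_derived_keys: int     # 7.2.1: 0 = no limit on derived phase 2 keys
    max_lifetime_seconds: int      # 7.2.7: 0 = default of 8 hours
    max_lifetime_kilobytes: int    # 7.2.8: 0 = no kilobyte limit


@dataclass(frozen=True)
class Phase1SAState:
    """Constructed counters for an established phase 1 SA."""
    derived_keys: int    # phase 2 keys derived from this phase 1 key so far
    age_seconds: int
    kilobytes: int


def effective_max_lifetime_seconds(p: IKEProposalLifetimes) -> int:
    return DEFAULT_MAX_LIFETIME_SECONDS if p.max_lifetime_seconds == 0 else p.max_lifetime_seconds


def derived_key_threshold(p: IKEProposalLifetimes, refresh_threshold_percent: int,
                          jitter_keys: int = 0):
    """Number of derived keys at which IKE should start renegotiating, or
    None when LifetimeDerivedKeys is 0 (then only seconds/kilobytes apply).

    jitter_keys is the random addition 6.13.1 allows; it is only applied
    below 100 % and never pushes the threshold past the hard limit."""
    if not 1 <= refresh_threshold_percent <= 100:
        raise ValueError("RefreshThresholdDerivedKeys must be between 1 and 100")
    if jitter_keys < 0:
        raise ValueError("jitter must not be negative")
    limit = p.lifetime_derived_keys
    if limit == 0:
        return None
    if refresh_threshold_percent == 100:
        return limit                      # 6.13.1: wait for the limit itself
    threshold = max(1, limit * refresh_threshold_percent // 100)
    return min(limit, threshold + jitter_keys)


def random_jitter(p: IKEProposalLifetimes, refresh_threshold_percent: int, rng=random) -> int:
    """Pick a jitter in [0, 10 % of the limit].  The 10 % range is this
    example's choice; the draft only says 'a random value'."""
    if p.lifetime_derived_keys == 0 or refresh_threshold_percent == 100:
        return 0
    return rng.randint(0, p.lifetime_derived_keys // 10)


def should_renegotiate_phase1(p: IKEProposalLifetimes, state: Phase1SAState,
                              refresh_threshold_percent: int, jitter_keys: int = 0):
    """Return (True, reason) if the phase 1 SA should be renegotiated now."""
    thr = derived_key_threshold(p, refresh_threshold_percent, jitter_keys)
    if thr is not None and state.derived_keys >= thr:
        return True, "derived-key threshold reached"
    if state.age_seconds >= effective_max_lifetime_seconds(p):
        return True, "seconds lifetime reached"
    if p.max_lifetime_kilobytes != 0 and state.kilobytes >= p.max_lifetime_kilobytes:
        return True, "kilobyte lifetime reached"
    return False, "within all limits"


if __name__ == "__main__":
    proposal = IKEProposalLifetimes(lifetime_derived_keys=1000,
                                    max_lifetime_seconds=0, max_lifetime_kilobytes=0)
    jitter = random_jitter(proposal, 75, random.Random(7))
    print(derived_key_threshold(proposal, 75, jitter),
          should_renegotiate_phase1(proposal, Phase1SAState(800, 600, 40), 75, jitter))
```

   The clamp to the hard limit matters: jitter is there to de-synchronise
   the two peers, not to let a phase 1 key outlive the derived-key limit
   the proposal was sized for.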
   The class definition for IPsecProposal is as follows:

   NAME                IPsecProposal
   DESCRIPTION         Specifies the proposal parameters for IPsec
                       security association negotiation.
   DERIVED FROM        SAProposal
   ABSTRACT            FALSE

7.4. The Abstract Class SATransform

   The abstract class SATransform serves as the base class for the
   IPsec transforms that can be used to compose an IPsec proposal or to
   be used as a pre-configured action.  The class definition for
   SATransform is as follows:

   NAME                SATransform
   DESCRIPTION         Base class for the different IPsec transforms.
   ABSTRACT            TRUE
   PROPERTIES          TransformName
                       VendorID
                       MaxLifetimeSeconds
                       MaxLifetimeKilobytes

7.4.1. The Property TransformName

   The property TransformName specifies a user-friendly name for the
   SATransform.  The property is defined as follows:

   NAME                TransformName
   DESCRIPTION         Specifies a user-friendly name for this
                       transform.
   SYNTAX              string

7.4.2. The Property VendorID

   The property VendorID specifies the vendor ID for vendor-defined
   transforms.  The property is defined as follows:

   NAME                VendorID
   DESCRIPTION         Specifies the vendor ID for vendor-defined
                       transforms.
   SYNTAX              string
   VALUE               An empty VendorID string indicates that the
                       transform is a standard one.

7.4.3. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum amount of
   time, in seconds, to propose that a security association will remain
   valid after its creation.  The property is defined as follows:

   NAME                MaxLifetimeSeconds
   DESCRIPTION         Specifies the maximum amount of time to propose
                       a security association remain valid.
   SYNTAX              unsigned 32-bit integer
   VALUE               A value of zero indicates that the default of 8
                       hours be used.  A non-zero value indicates the
                       maximum seconds lifetime.

7.4.4. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

   NAME                MaxLifetimeKilobytes
   DESCRIPTION         Specifies the maximum kilobyte lifetime to
                       propose a security association remain valid.
   SYNTAX              unsigned 32-bit integer
   VALUE               A value of zero indicates that there should be
                       no maximum kilobyte lifetime.  A non-zero value
                       specifies the desired kilobyte lifetime.

7.5. The Class AHTransform

   The class AHTransform specifies the AH algorithm to propose during
   IPsec security association negotiation.  The class definition for
   AHTransform is as follows:

   NAME                AHTransform
   DESCRIPTION         Specifies the AH algorithm to propose.
   ABSTRACT            FALSE
   PROPERTIES          AHTransformId
                       UseReplayPrevention
                       ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

   The property AHTransformId specifies the transform ID of the AH
   algorithm to propose.  The property is defined as follows:

   NAME                AHTransformId
   DESCRIPTION         Specifies the transform ID of the AH algorithm.
   SYNTAX              unsigned 16-bit integer
   VALUE               Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

   NAME                UseReplayPrevention
   DESCRIPTION         Specifies whether to enable replay prevention
                       detection.
   SYNTAX              boolean
   VALUE               true - replay prevention detection is enabled.
                       false - replay prevention detection is disabled.

7.5.3. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism.
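   What the two properties UseReplayPrevention and
   ReplayPreventionWindowSize configure (for AH here, and again for ESP
   in 7.6.5 and 7.6.6) is the receiver-side sliding window over AH/ESP
   sequence numbers described in [IPSEC]: a bitmap of the most recent
   window-size sequence numbers, anchored at the highest one accepted.
   The following is an added example, not code from the draft, of that
   window with the power-of-two check the property text assumes; the
   class and function names are this example's own, and the minimum of
   32 bits is the [IPSEC] minimum, not a value from this draft.

```python
"""Anti-replay sliding window configured by UseReplayPrevention and
ReplayPreventionWindowSize (7.5.2/7.5.3 for AH, 7.6.5/7.6.6 for ESP).
Added example, not part of the draft; the bitmap algorithm is the one
[IPSEC] describes for AH and ESP receivers."""


class ReplayWindow:
    """Bit i of the bitmap is set when sequence number (highest - i) has
    been accepted; bit 0 therefore always refers to `highest` itself."""

    MIN_WINDOW_BITS = 32   # [IPSEC] minimum; window sizes are powers of two

    def __init__(self, use_replay_prevention: bool, window_size: int):
        if use_replay_prevention:
            if window_size < self.MIN_WINDOW_BITS or window_size & (window_size - 1):
                raise ValueError("ReplayPreventionWindowSize must be a power of two >= 32")
        self.enabled = use_replay_prevention
        self.size = window_size          # meaningless when disabled (7.5.3)
        self.highest = 0                 # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is fresh (and record it); False for a replay,
        a packet older than the window, or the never-valid value 0."""
        if not self.enabled:
            return True                  # no replay detection on this SA
        if seq == 0:
            return False                 # the first packet on an SA carries 1
        if seq > self.highest:
            shift = seq - self.highest   # slide the window to the right
            if shift >= self.size:
                self.bitmap = 1          # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq        # 0 <= diff, packet is at or left of highest
        if diff >= self.size:
            return False                 # too old: left of the window edge
        if self.bitmap & (1 << diff):
            return False                 # already accepted: replay
        self.bitmap |= 1 << diff         # late but fresh: record and accept
        return True


def run_window(sequence_numbers, window_size: int, use_replay_prevention: bool = True):
    """Feed a constructed stream of sequence numbers through one window and
    return the accept/reject verdict for each."""
    w = ReplayWindow(use_replay_prevention, window_size)
    return [w.check_and_update(s) for s in sequence_numbers]


if __name__ == "__main__":
    # Constructed stream: in-order, a replay, a late arrival, a jump, a stale packet.
    print(run_window([1, 2, 2, 4, 3, 100, 36, 37, 37], 64))
    # [True, True, False, True, True, True, False, True, False]
```

   Note the asymmetry: a packet far to the right simply slides the
   window, while a packet far to the left is dropped outright, so a
   window that is too small for the reordering on the path shows up as
   drops of legitimate traffic, not as accepted replays.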
   The value of this property is meaningless if UseReplayPrevention is
   false.  It is assumed that the window size will be a power of 2.
   The property is defined as follows:

   NAME                ReplayPreventionWindowSize
   DESCRIPTION         Specifies the length of the window used by the
                       replay prevention detection mechanism.
   SYNTAX              unsigned 32-bit integer

7.6. The Class ESPTransform

   The class ESPTransform specifies the ESP algorithms to propose
   during IPsec security association negotiation.  The class definition
   for ESPTransform is as follows:

   NAME                ESPTransform
   DESCRIPTION         Specifies the ESP algorithms to propose.
   ABSTRACT            FALSE
   PROPERTIES          IntegrityTransformId
                       CipherTransformId
                       CipherKeyLength
                       CipherKeyRounds
                       UseReplayPrevention
                       ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

   The property IntegrityTransformId specifies the transform ID of the
   ESP integrity algorithm to propose.  The property is defined as
   follows:

   NAME                IntegrityTransformId
   DESCRIPTION         Specifies the transform ID of the ESP integrity
                       algorithm.
   SYNTAX              unsigned 16-bit integer
   VALUE               Consult [DOI] for valid values.

7.6.2. The Property CipherTransformId

   The property CipherTransformId specifies the transform ID of the ESP
   encryption algorithm to propose.  The property is defined as
   follows:

   NAME                CipherTransformId
   DESCRIPTION         Specifies the transform ID of the ESP encryption
                       algorithm.
   SYNTAX              unsigned 16-bit integer
   VALUE               Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

   The property CipherKeyLength specifies, in bits, the key length for
   the ESP encryption algorithm.  For encryption algorithms that use
   fixed-length keys, this value is ignored.  The property is defined
   as follows:

   NAME                CipherKeyLength
   DESCRIPTION         Specifies the ESP encryption key length in bits.
   SYNTAX              unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

   The property CipherKeyRounds specifies the number of key rounds for
   the ESP encryption algorithm.  For encryption algorithms that use a
   fixed number of key rounds, this value is ignored.  The property is
   defined as follows:

   NAME                CipherKeyRounds
   DESCRIPTION         Specifies the number of key rounds for the ESP
                       encryption algorithm.
   SYNTAX              unsigned 16-bit integer
   VALUE               Currently, key rounds are not defined for any
                       ESP encryption algorithms.

7.6.5. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

   NAME                UseReplayPrevention
   DESCRIPTION         Specifies whether to enable replay prevention
                       detection.
   SYNTAX              boolean
   VALUE               true - replay prevention detection is enabled.
                       false - replay prevention detection is disabled.

7.6.6. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism.  The value of this property is meaningless if
   UseReplayPrevention is false.  It is assumed that the window size
   will be a power of 2.  The property is defined as follows:

   NAME                ReplayPreventionWindowSize
   DESCRIPTION         Specifies the length of the window used by the
                       replay prevention detection mechanism.
   SYNTAX              unsigned 32-bit integer

7.7. The Class IPCOMPTransform

   The class IPCOMPTransform specifies the IP compression (IPCOMP)
   algorithm to propose during IPsec security association negotiation.
   The class definition for IPCOMPTransform is as follows:

   NAME                IPCOMPTransform
   DESCRIPTION         Specifies the IPCOMP algorithm to propose.
   ABSTRACT            FALSE
   PROPERTIES          Algorithm
                       DictionarySize
                       PrivateAlgorithm

7.7.1. The Property Algorithm

   The property Algorithm specifies the transform ID of the IPCOMP
   compression algorithm to propose.  The property is defined as
   follows:

   NAME                Algorithm
   DESCRIPTION         Specifies the transform ID of the IPCOMP
                       compression algorithm.
   SYNTAX              unsigned 16-bit integer
   VALUE               1 - OUI: a vendor-specific algorithm is used and
                       specified in the property PrivateAlgorithm.
                       Consult [DOI] for other valid values.

7.7.2. The Property DictionarySize

   The property DictionarySize specifies the log2 maximum size of the
   dictionary for the compression algorithm.  For compression
   algorithms that have pre-defined dictionary sizes, this value is
   ignored.  The property is defined as follows:

   NAME                DictionarySize
   DESCRIPTION         Specifies the log2 maximum size of the
                       dictionary.
   SYNTAX              unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

   The property PrivateAlgorithm specifies a private vendor-specific
   compression algorithm.  This value is only used when the property
   Algorithm is 1 (OUI).  The property is defined as follows:

   NAME                PrivateAlgorithm
   DESCRIPTION         Specifies a private vendor-specific compression
                       algorithm.
   SYNTAX              unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem

   The class SAProposalInSystem weakly associates SAProposals with a
   System.  The class definition for SAProposalInSystem is as follows:

   NAME                SAProposalInSystem
   DESCRIPTION         Weakly associates SAProposals with a System.
   DERIVED FROM        PolicyInSystem (see [PCIM])
   ABSTRACT            FALSE
   PROPERTIES          Antecedent[ref System [1..1]]
                       Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SAProposal instance MUST be associated with one
   and only one System instance.

7.8.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SAProposal instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

   The class ContainedTransform associates an IPsecProposal with the
   set of SATransforms that make up the proposal.  If multiple
   transforms of the same type are in a proposal, then they are to be
   logically ORed and the order of preference is dictated by the
   SequenceNumber property.  Sets of transforms of different types are
   logically ANDed.  For example, if the ordered proposal list were

      ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
      AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to pick
   one from the ESP transform list (preferably (HMAC-MD5, 3DES)) AND
   one from the AH transform list (preferably MD5).

   The class definition for ContainedTransform is as follows:

   NAME                ContainedTransform
   DESCRIPTION         Associates an IPsecProposal with the set of
                       SATransforms that make up the proposal.
   DERIVED FROM        PolicyComponent (see [PCIM])
   ABSTRACT            FALSE
   PROPERTIES          GroupComponent[ref IPsecProposal[0..n]]
                       PartComponent[ref SATransform[1..n]]
                       SequenceNumber

7.9.1. The Reference GroupComponent

   The property GroupComponent is inherited from PolicyComponent and is
   overridden to refer to an IPsecProposal instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SATransform instance.
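   The OR-within-a-type, AND-across-types rule of 7.9, combined with the
   SequenceNumber ordering and uniqueness constraints of 6.16.3 (for
   ContainedProposal) and 7.9.3 (for ContainedTransform), is easy to get
   subtly wrong in an implementation: picking the peer's preferred
   transform instead of the local one, or accepting a proposal with one
   transform type unsatisfied.  The following is an added example, not
   code from the draft, that evaluates the 7.9 example proposal list
   against a peer's capabilities; the draft's class and property names
   are kept, while the transform-type grouping, the peer-capability
   format (a set of TransformNames) and the function names are this
   example's own.

```python
"""Preference and AND/OR evaluation for ContainedProposal (6.16) and
ContainedTransform (7.9).  Added example, not part of the draft."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SATransform:
    transform_name: str      # 7.4.1 TransformName
    transform_type: str      # concrete subclass: "AH", "ESP" or "IPCOMP"


@dataclass(frozen=True)
class ContainedTransform:    # 7.9: links an IPsecProposal to one SATransform
    sequence_number: int     # 7.9.3: lower is preferred, unique per proposal
    part: SATransform


@dataclass(frozen=True)
class IPsecProposal:
    name: str                # 7.1.1
    transforms: tuple        # this proposal's ContainedTransform links


@dataclass(frozen=True)
class ContainedProposal:     # 6.16: links an SANegotiationAction to one proposal
    sequence_number: int     # 6.16.3: lower is preferred, unique per action
    part: IPsecProposal


def sequence_numbers_unique(links) -> bool:
    """The uniqueness rule both 6.16.3 and 7.9.3 state."""
    numbers = [link.sequence_number for link in links]
    return len(numbers) == len(set(numbers))


def transform_alternatives(proposal: IPsecProposal) -> dict:
    """Group a proposal's transforms by type, each list in preference order.
    Same type = OR (peer picks one); different types = AND (one of each)."""
    if not sequence_numbers_unique(proposal.transforms):
        raise ValueError(f"duplicate ContainedTransform SequenceNumber in {proposal.name}")
    by_type = defaultdict(list)
    for link in sorted(proposal.transforms, key=lambda l: l.sequence_number):
        by_type[link.part.transform_type].append(link.part)
    return dict(by_type)


def match_proposal(proposal: IPsecProposal, peer_supported: set):
    """Return {transform type: chosen SATransform} if the peer can satisfy
    every type in the proposal, else None."""
    chosen = {}
    for ttype, alternatives in transform_alternatives(proposal).items():
        pick = next((t for t in alternatives if t.transform_name in peer_supported), None)
        if pick is None:
            return None                  # AND across types fails
        chosen[ttype] = pick             # first acceptable = our most preferred
    return chosen


def negotiate(contained_proposals, peer_supported: set):
    """Walk the proposals in SequenceNumber order (6.16.3) and return
    (proposal name, chosen transforms) for the first the peer can satisfy."""
    if not sequence_numbers_unique(contained_proposals):
        raise ValueError("duplicate ContainedProposal SequenceNumber")
    for link in sorted(contained_proposals, key=lambda l: l.sequence_number):
        chosen = match_proposal(link.part, peer_supported)
        if chosen is not None:
            return link.part.name, chosen
    return None


# Constructed data: the ordered proposal list used as the example in 7.9.
ESP_3DES = SATransform("ESP-HMAC-MD5-3DES", "ESP")
ESP_DES = SATransform("ESP-HMAC-MD5-DES", "ESP")
AH_MD5 = SATransform("AH-MD5", "AH")
AH_SHA1 = SATransform("AH-SHA-1", "AH")

PROPOSAL_7_9 = IPsecProposal("esp-and-ah", (
    ContainedTransform(1, ESP_3DES), ContainedTransform(2, ESP_DES),
    ContainedTransform(3, AH_MD5), ContainedTransform(4, AH_SHA1)))

if __name__ == "__main__":
    print(match_proposal(PROPOSAL_7_9, {"ESP-HMAC-MD5-DES", "AH-SHA-1", "AH-MD5"}))
```

   The selection is driven by the initiator's order, not the peer's: the
   peer's capability set only prunes alternatives, so a peer advertising
   a weaker transform first cannot talk the initiator down past what the
   SequenceNumber ordering already allows.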
The [1..n] cardinality indicates that an IPsecProposal instance MUST
be associated with at least one SATransform instance.

7.9.3. The Property SequenceNumber

The property SequenceNumber specifies the order of preference for
the SATransforms of the same type. The property is defined as
follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order for the SATransforms of
                the same type.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued transforms are preferred over transforms
                of the same type with higher values. For
                ContainedTransforms that reference the same
                IPsecProposal, SequenceNumber values must be unique.

7.10. The Association Class SATransformInSystem

The class SATransformInSystem weakly associates SATransforms with a
System. The class definition for SATransformInSystem is as follows:

   NAME         SATransformInSystem
   DESCRIPTION  Weakly associates SATransforms with a System.
   DERIVED FROM PolicyInSystem (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref System[1..1]]
                Dependent[ref SATransform[0..n] [weak]]

7.10.1. The Reference Antecedent

The property Antecedent is inherited from PolicyInSystem and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that an SATransform instance MUST be associated with one
and only one System instance.

7.10.2. The Reference Dependent

The property Dependent is inherited from PolicyInSystem and is
overridden to refer to an SATransform instance. The [0..n]
cardinality indicates that a System instance may be associated with
zero or more SATransform instances.

8. IKE Service and Identity Classes

   [Figure: class diagram of the IKE service and identity classes,
   showing System (Appendix A), PeerIdentityEntry, PeerGateway,
   PeerIdentityTable, AutostartIKESetting, IKEService,
   IPProtocolEndpoint (Appendix C), AutostartIKEConfiguration,
   IKEIdentity, Collection (Appendix A), CredentialManagementService
   (Appendix B) and Credential (Appendix B), connected by the
   associations (a) through (l) listed below.]

   (a) HostedPeerIdentityTable
   (b) PeerIdentityMember
   (c) IKEServicePeerGateway
   (d) IKEServicePeerIdentityTable
   (e) IKEAutostartSetting
   (f) AutostartIKESettingContext
   (g) IKEServiceForEndpoint
   (h) IKEAutostartConfiguration
   (i) IKEUsesCredentialManagementService
   (j) EndpointHasLocalIKEIdentity
   (k) CollectionHasLocalIKEIdentity
   (l) IKEIdentitysCredential

This portion of the model contains additional information that is
useful in applying the policy. The IKEService class MAY be used to
represent the IKE negotiation function in a system.
The IKEService uses the various tables that contain information
about IKE peers as well as the configuration for specifying security
associations that are started automatically. The information in the
PeerGateway, PeerIdentityTable and related classes is necessary to
completely specify the policies.

An interface (represented by an IPProtocolEndpoint) has an
IKEService that provides the negotiation services for that
interface. That service MAY also have a list of security
associations that are automatically started at the time the IKE
service is initialized.

The IKEService also has a set of identities that it may use in
negotiations with its peers. Those identities are associated with
the interfaces (or collections of interfaces).

8.1. The Class IKEService

The class IKEService represents the IKE negotiation function. An
instance of this service may provide that negotiation service for
one or more interfaces (represented by the IPProtocolEndpoint class)
of a System. There may be multiple instances of IKE services on a
System but only one per interface. The class definition for
IKEService is as follows:

   NAME         IKEService
   DESCRIPTION  IKEService is used to represent the IKE negotiation
                function.
   DERIVED FROM NetworkService (see Appendix C)
   ABSTRACT     FALSE

8.2. The Class PeerIdentityTable

The class PeerIdentityTable aggregates the table entries that
provide mappings between identities and their addresses. The class
definition for PeerIdentityTable is as follows:

   NAME         PeerIdentityTable
   DESCRIPTION  PeerIdentityTable aggregates PeerIdentityEntry
                instances to provide a table of identity-address
                mappings.
   DERIVED FROM Collection (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Name

8.2.1. The Property Name

The property Name uniquely identifies the table.
The property is defined as follows:

   NAME         Name
   DESCRIPTION  Name uniquely identifies the table.
   SYNTAX       string

8.3. The Class PeerIdentityEntry

The class PeerIdentityEntry specifies the mapping between a peer's
identity and its address. The class definition for
PeerIdentityEntry is as follows:

   NAME         PeerIdentityEntry
   DESCRIPTION  PeerIdentityEntry provides a mapping between a peer's
                identity and address.
   DERIVED FROM LogicalElement (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   PeerIdentity
                PeerIdentityType
                PeerAddress
                PeerAddressType

8.3.1. The Property PeerIdentity

The property PeerIdentity contains a string encoding of the Identity
payload for the IKE peer. The property is defined as follows:

   NAME         PeerIdentity
   DESCRIPTION  The PeerIdentity is the ID payload of a peer.
   SYNTAX       string

8.3.2. The Property PeerIdentityType

The property PeerIdentityType is an enumeration that specifies the
type of the PeerIdentity. The property is defined as follows:

   NAME         PeerIdentityType
   DESCRIPTION  PeerIdentityType is the type of the ID payload of a
                peer.
   SYNTAX       unsigned 16-bit integer
   VALUE        The enumeration values are specified in [DOI] section
                4.6.2.1.

8.3.3. The Property PeerAddress

The property PeerAddress specifies the string representation of the
IP address of the peer formatted according to the appropriate
convention as defined in the PeerAddressType property (e.g., dotted
decimal notation). The property is defined as follows:

   NAME         PeerAddress
   DESCRIPTION  PeerAddress is the address of the peer with the ID
                payload.
   SYNTAX       string
   VALUE        String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType

The property PeerAddressType specifies the format of the PeerAddress
property value.
The property is defined as follows:

   NAME         PeerAddressType
   DESCRIPTION  PeerAddressType is the type of address in PeerAddress.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6

8.4. The Class AutostartIKEConfiguration

The class AutostartIKEConfiguration groups AutostartIKESetting
instances into configuration sets. When applied, the settings cause
an IKE service to automatically start (negotiate or statically set
as appropriate) the Security Associations. The class definition for
AutostartIKEConfiguration is as follows:

   NAME         AutostartIKEConfiguration
   DESCRIPTION  A configuration set of AutostartIKESetting instances to
                be automatically started by the IKE service.
   DERIVED FROM SystemConfiguration (see Appendix A)
   ABSTRACT     FALSE

8.5. The Class AutostartIKESetting

The class AutostartIKESetting is used to automatically initiate IKE
negotiations with peers (or statically create an SA) as specified in
the AutostartIKESetting properties. Appropriate actions are
initiated according to the policy that matches the setting
parameters. The class definition for AutostartIKESetting is as
follows:

   NAME         AutostartIKESetting
   DESCRIPTION  AutostartIKESetting is used to automatically initiate
                IKE negotiations with peers or statically create an SA.
   DERIVED FROM SystemSetting (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Phase1Only
                AddressType
                SourceAddress
                SourcePort
                DestinationAddress
                DestinationPort
                Protocol

8.5.1. The Property Phase1Only

The property Phase1Only is used to limit the IKE negotiation to just
setting up a phase 1 security association. When set to False, both
phase 1 and 2 negotiations are initiated.
The property is defined as follows:

   NAME         Phase1Only
   DESCRIPTION  Used to indicate which security associations to attempt
                to establish (phase 1 only, or phase 1 and 2).
   SYNTAX       boolean
   VALUE        true - attempt to establish a phase 1 security
                association
                false - attempt to establish phase 1 and 2 security
                associations

8.5.2. The Property AddressType

The property AddressType specifies the type of the addresses in the
SourceAddress and DestinationAddress properties. The property is
defined as follows:

   NAME         AddressType
   DESCRIPTION  AddressType is the type of address in SourceAddress and
                DestinationAddress properties.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6

8.5.3. The Property SourceAddress

The property SourceAddress specifies the dotted-decimal or
colon-decimal formatted IP address used as the source address in
comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:

   NAME         SourceAddress
   DESCRIPTION  The source address to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort

The property SourcePort specifies the port number used as the source
port in comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:

   NAME         SourcePort
   DESCRIPTION  The source port to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.5. The Property DestinationAddress

The property DestinationAddress specifies the dotted-decimal or
colon-decimal formatted IP address used as the destination address
in comparing with policy filter entries and used in any phase 2
negotiations.
The property is defined as follows:

   NAME         DestinationAddress
   DESCRIPTION  The destination address to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort

The property DestinationPort specifies the port number used as the
destination port in comparing with policy filter entries and used in
any phase 2 negotiations. The property is defined as follows:

   NAME         DestinationPort
   DESCRIPTION  The destination port to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.7. The Property Protocol

The property Protocol specifies the protocol number used in
comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:

   NAME         Protocol
   DESCRIPTION  The protocol number used in comparing with policy
                filter entries.
   SYNTAX       unsigned 8-bit integer

8.6. The Class IKEIdentity

The class IKEIdentity is used to represent the identities that may
be used for an IPProtocolEndpoint (or collection of
IPProtocolEndpoints) to identify the IKE Service in IKE phase 1
negotiations. The policy IKEAction.UseIKEIdentityType specifies
which type of the available identities to use in a negotiation
exchange and the IKERule.IdentityContexts specifies the match values
to be used, along with the local address, in selecting the
appropriate identity for a negotiation. The ElementID property value
(defined in the parent class, UsersAccess) should be that of either
the IPProtocolEndpoint or Collection of endpoints as appropriate.
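The address-typed properties of 8.3 (PeerIdentityEntry.PeerAddress with PeerAddressType) and 8.5 (AutostartIKESetting.SourceAddress and DestinationAddress with AddressType) share the enumeration 0 = Unknown, 1 = IPv4, 2 = IPv6. The following added example, which is not the draft's own code, validates a literal against its declared type, builds a PeerIdentityTable keyed by parsed address, and shows the check an IKEService can make with that table: that the ID payload a peer presents is the one recorded for the peer's address. The class names mirror the model; the function names, the sample entries and the use of the documentation address ranges are this example's own, and the [DOI] type codes used as sample data are 2 (ID_FQDN) and 5 (ID_IPV6_ADDR).

```python
"""Added example, not part of the draft: validating and querying the
address-typed properties of 8.3 (PeerIdentityEntry.PeerAddress with
PeerAddressType) and 8.5 (AutostartIKESetting.SourceAddress and
DestinationAddress with AddressType).  Both enumerations are
0 = Unknown, 1 = IPv4, 2 = IPv6.  Function names and sample data are
this example's own."""
import ipaddress
from dataclasses import dataclass

ADDR_UNKNOWN, ADDR_IPV4, ADDR_IPV6 = 0, 1, 2


def parse_typed_address(address, address_type):
    """Parse a dotted-decimal or colon-hex literal and check it against
    the declared type.  Unknown (0) accepts either family; a literal
    that does not parse, or whose family contradicts the declared type,
    is a malformed policy object and is rejected."""
    addr = ipaddress.ip_address(address)   # ValueError on junk
    expected = {ADDR_IPV4: 4, ADDR_IPV6: 6}.get(address_type)
    if expected is None and address_type != ADDR_UNKNOWN:
        raise ValueError(f"unknown address type {address_type}")
    if expected is not None and addr.version != expected:
        raise ValueError(f"{address} is not an IPv{expected} address")
    return addr


@dataclass(frozen=True)
class PeerIdentityEntry:
    peer_identity: str
    peer_identity_type: int    # [DOI] 4.6.2.1 ID type code
    peer_address: str
    peer_address_type: int


@dataclass(frozen=True)
class AutostartIKESetting:
    phase1_only: bool
    address_type: int
    source_address: str
    destination_address: str
    protocol: int
    source_port: int = 0
    destination_port: int = 0

    def addresses(self):
        """Both addresses parsed against the single AddressType."""
        return (parse_typed_address(self.source_address, self.address_type),
                parse_typed_address(self.destination_address, self.address_type))


class PeerIdentityTable:
    """PeerIdentityEntry instances aggregated by PeerIdentityMember.
    Keyed by the parsed address, so textual variants of one IPv6
    address ('2001:db8::1' vs '2001:DB8:0::1') hit the same entry."""

    def __init__(self, name):
        self.name = name
        self._entries = {}

    def add(self, entry):
        key = parse_typed_address(entry.peer_address, entry.peer_address_type)
        self._entries[key] = entry
        return self

    def lookup(self, address):
        return self._entries.get(ipaddress.ip_address(address))

    def identity_matches(self, address, id_type, id_value):
        """The check an IKEService can make with this table: the ID
        payload a peer presents must be the type and value recorded for
        the peer's address; no entry or any mismatch is a failure."""
        e = self.lookup(address)
        return e is not None and (e.peer_identity_type, e.peer_identity) == (id_type, id_value)


# Constructed sample data; 2 = ID_FQDN and 5 = ID_IPV6_ADDR are [DOI] codes.
SAMPLE_TABLE = (PeerIdentityTable("branch-peers")
                .add(PeerIdentityEntry("gw1.example.com", 2, "198.51.100.1", ADDR_IPV4))
                .add(PeerIdentityEntry("2001:db8:1::1", 5, "2001:db8:1::1", ADDR_IPV6)))

SAMPLE_SETTING = AutostartIKESetting(False, ADDR_IPV4, "192.0.2.10", "198.51.100.1", 6, 0, 443)
```

Rejecting an entry whose literal contradicts its declared type at load time, rather than at negotiation time, keeps a mistyped table from silently failing to match any peer; the documentation address ranges are used so the sample never names a real host.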
The class definition for IKEIdentity is as follows:

   NAME         IKEIdentity
   DESCRIPTION  IKEIdentity is used to represent the identities that
                may be used for an IPProtocolEndpoint (or collection of
                IPProtocolEndpoints) to identify the IKE Service in IKE
                phase 1 negotiations.
   DERIVED FROM UsersAccess (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   IdentityType
                IdentityValue
                IdentityContexts

8.6.1. The Property IdentityType

The property IdentityType is an enumeration that specifies the type
of the IdentityValue. The property is defined as follows:

   NAME         IdentityType
   DESCRIPTION  IdentityType is the type of the IdentityValue.
   SYNTAX       unsigned 8-bit integer
   VALUE        The enumeration values are specified in [DOI] section
                4.6.2.1.

8.6.2. The Property IdentityValue

The property IdentityValue contains a string encoding of the
Identity payload. For IKEIdentity instances that are address
types, the IdentityValue string value may be omitted and the
associated IPProtocolEndpoint or appropriate member of the
Collection of endpoints is used. The property is defined as
follows:

   NAME         IdentityValue
   DESCRIPTION  IdentityValue contains a string encoding of the
                Identity payload.
   SYNTAX       string

8.6.3. The Property IdentityContexts

The IdentityContexts property is used to constrain the use of
IKEIdentity instances to match that specified in the
IKERule.IdentityContexts. The IdentityContexts are formatted as
policy roles and role combinations [PCIM]. Each value represents
one context or context combination. Since this is a multi-valued
property, more than one context or combination of contexts can be
associated with a single IKEIdentity. Each value is a string of the
form:

   <ContextName>[&&<ContextName>]*

where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2).
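An added example, not the draft's own code, of how an IKE service would apply the IdentityContexts rules of 8.6.3: each value is a role combination of context names joined by "&&" in UCS-2 collating order, a rule's IdentityContexts match an identity when any value on one side equals any value on the other, and the endpoint, the identity type chosen through IKEAction.UseIKEIdentityType and the contexts together are expected to select exactly one IKEIdentity. The function names and the sample identities are this example's own; the [DOI] type codes 2 (ID_FQDN) and 3 (ID_USER_FQDN) are used only as sample values.

```python
"""Added example, not part of the draft: selecting the local IKEIdentity
for a negotiation with the 8.6.3 rules.  IdentityContexts values are
role combinations "<ContextName>[&&<ContextName>]*" with names in UCS-2
collating order; a rule's contexts match an identity if any value on one
side equals any value on the other (ORed); endpoint, identity type
(IKEAction.UseIKEIdentityType) and contexts together SHOULD select one
and only one identity.  Function names and sample data are this
example's own."""
from dataclasses import dataclass


def normalize_context(value):
    """Canonical form of one context combination: split on '&&', trim,
    drop empty and duplicate names, sort by UCS-2 code units (UTF-16-BE
    byte order gives exactly that), and re-join."""
    names = {n.strip() for n in value.split("&&") if n.strip()}
    if not names:
        raise ValueError(f"empty context combination: {value!r}")
    return "&&".join(sorted(names, key=lambda s: s.encode("utf-16-be")))


@dataclass(frozen=True)
class IKEIdentity:
    element_id: str           # ElementID: the IPProtocolEndpoint or Collection
    identity_type: int        # IdentityType, [DOI] 4.6.2.1 code
    identity_value: str       # IdentityValue (ID payload encoding)
    identity_contexts: tuple  # IdentityContexts string array


def contexts_match(rule_contexts, identity_contexts):
    """True when any IKERule.IdentityContexts value equals any
    IKEIdentity.IdentityContexts value after normalisation."""
    rule = {normalize_context(c) for c in rule_contexts}
    ident = {normalize_context(c) for c in identity_contexts}
    return bool(rule & ident)


def select_identity(identities, element_id, use_identity_type, rule_contexts):
    """Return the unique matching IKEIdentity.  Zero or several matches
    is reported as a configuration error rather than resolved silently:
    negotiating under an unintended identity presents the wrong
    credential to the peer."""
    hits = [i for i in identities
            if i.element_id == element_id
            and i.identity_type == use_identity_type
            and contexts_match(rule_contexts, i.identity_contexts)]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} IKEIdentity instances match, expected exactly 1")
    return hits[0]


# Constructed identities bound to endpoint "eth0".  Type codes 2 (ID_FQDN)
# and 3 (ID_USER_FQDN) are the [DOI] 4.6.2.1 values used as sample data.
SAMPLE_IDENTITIES = (
    IKEIdentity("eth0", 2, "vpn.example.com", ("Branch&&Europe",)),
    IKEIdentity("eth0", 2, "partner-gw.example.com", ("Partner",)),
    IKEIdentity("eth0", 3, "admin@example.com", ("Europe&&Branch", "Partner")),
)
```

Normalising both sides before comparison means an operator who typed "Europe&&Branch" still matches the canonical "Branch&&Europe"; the strict one-and-only-one check turns the model's SHOULD into something a configuration linter can report before the service ever negotiates.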
If one or more
values in the IKERule.IdentityContexts array match one or more
IKEIdentity.IdentityContexts then the identity's context matches.
(That is, each value of the IdentityContexts array is an ORed
condition.) In combination with the address of the
IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
1 and only 1 IKEIdentity. The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  The IKE service of a security endpoint may have
                multiple identities for use in different situations.
                The combination of the interface (represented by
                the IPProtocolEndpoint), the identity type (as
                specified in the IKEAction) and the IdentityContexts
                selects a unique identity.
   SYNTAX       string array
   VALUE        string of the form <ContextName>[&&<ContextName>]*

8.7. The Association Class HostedPeerIdentityTable

The class HostedPeerIdentityTable provides the name scoping
relationship for PeerIdentityTable entries in a System. The
PeerIdentityTable is weak to the System. The class definition for
HostedPeerIdentityTable is as follows:

   NAME         HostedPeerIdentityTable
   DESCRIPTION  The PeerIdentityTable instances are weak (name scoped
                by) the owning System.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref System[1..1]]
                Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerIdentityTable instance MUST be associated in a
weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

The property Dependent is inherited from Dependency and is
overridden to refer to a PeerIdentityTable instance.
The [0..n]
cardinality indicates that a System instance may be associated with
zero or more PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

The class PeerIdentityMember aggregates PeerIdentityEntry instances
into a PeerIdentityTable. This is a weak aggregation. The class
definition for PeerIdentityMember is as follows:

   NAME         PeerIdentityMember
   DESCRIPTION  PeerIdentityMember aggregates PeerIdentityEntry
                instances into a PeerIdentityTable.
   DERIVED FROM MemberOfCollection (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Collection [ref PeerIdentityTable[1..1]]
                Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

The property Collection is inherited from MemberOfCollection and is
overridden to refer to a PeerIdentityTable instance. The [1..1]
cardinality indicates that a PeerIdentityEntry instance MUST be
associated with one and only one PeerIdentityTable instance (i.e.,
PeerIdentityEntry instances are not shared across
PeerIdentityTables).

8.8.2. The Reference Member

The property Member is inherited from MemberOfCollection and is
overridden to refer to a PeerIdentityEntry instance. The [0..n]
cardinality indicates that a PeerIdentityTable instance may be
associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

The class IKEServicePeerGateway provides the association between an
IKEService and the list of PeerGateway instances that it uses in
negotiating with security gateways. The class definition for
IKEServicePeerGateway is as follows:

   NAME         IKEServicePeerGateway
   DESCRIPTION  Associates an IKEService and the list of PeerGateway
                instances that it uses in negotiating with security
                gateways.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that a PeerGateway instance may be associated
with zero or more IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

The class IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it uses to map
between addresses and identities as required. The class definition
for IKEServicePeerIdentityTable is as follows:

   NAME         IKEServicePeerIdentityTable
   DESCRIPTION  IKEServicePeerIdentityTable provides the relationship
                between an IKEService and a PeerIdentityTable that it
                uses.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerIdentityTable[0..n]]
                Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerIdentityTable instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that a PeerIdentityTable instance may be
associated with zero or more IKEService instances.

8.11. The Association Class IKEAutostartSetting

The class IKEAutostartSetting associates an AutostartIKESetting with
an IKEService that may use it to automatically start an IKE
negotiation or create a static SA. The class definition for
IKEAutostartSetting is as follows:

   NAME         IKEAutostartSetting
   DESCRIPTION  Associates an AutostartIKESetting with an IKEService.
   DERIVED FROM ElementSetting (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Element [ref IKEService[0..n]]
                Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

The property Element is inherited from ElementSetting and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that an AutostartIKESetting instance may be
associated with zero or more IKEService instances.

8.11.2. The Reference Setting

The property Setting is inherited from ElementSetting and is
overridden to refer to an AutostartIKESetting instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

The class AutostartIKESettingContext aggregates the settings used to
automatically start negotiations or create a static SA into a
configuration set. The class definition for
AutostartIKESettingContext is as follows:

   NAME         AutostartIKESettingContext
   DESCRIPTION  AutostartIKESettingContext aggregates the
                AutostartIKESetting instances into a configuration set.
   DERIVED FROM SystemSettingContext (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Context [ref AutostartIKEConfiguration [0..n]]
                Setting [ref AutostartIKESetting [0..n]]
                SequenceNumber

8.12.1. The Reference Context

The property Context is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKEConfiguration instance.
The [0..n]
cardinality indicates that an AutostartIKESetting instance may be
associated with zero or more AutostartIKEConfiguration instances
(i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

The property Setting is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKESetting instance. The [0..n]
cardinality indicates that an AutostartIKEConfiguration instance may
be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

The property SequenceNumber specifies the ordering to be used when
starting negotiations or creating a static SA. A zero value
indicates that order is not significant and settings may be applied
in parallel with other settings. All other settings in the
configuration are executed in sequence from lower values to higher.
Sequence numbers need not be unique in an AutostartIKEConfiguration
and order is not significant for settings with the same sequence
number. The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  The sequence in which the settings are applied within a
                configuration set.
   SYNTAX       unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

The class IKEServiceForEndpoint provides the association showing
which IKE service, if any, provides IKE negotiation services for
which network interfaces. The class definition for
IKEServiceForEndpoint is as follows:

   NAME         IKEServiceForEndpoint
   DESCRIPTION  Associates an IPProtocolEndpoint with an IKEService
                that provides negotiation services for the endpoint.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IKEService[0..1]]
                Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..1]
cardinality indicates that an IPProtocolEndpoint instance MUST be
associated with at most one IKEService instance.

8.13.2. The Reference Dependent

The property Dependent is inherited from Dependency and is
overridden to refer to an IPProtocolEndpoint that is associated with
at most one IKEService. The [0..n] cardinality indicates that an
IKEService instance may be associated with zero or more
IPProtocolEndpoint instances.

8.14. The Association Class IKEAutostartConfiguration

The class IKEAutostartConfiguration provides the relationship
between an IKEService and a configuration set that it uses to
automatically start a set of SAs. The class definition for
IKEAutostartConfiguration is as follows:

   NAME         IKEAutostartConfiguration
   DESCRIPTION  IKEAutostartConfiguration provides the relationship
                between an IKEService and an AutostartIKEConfiguration
                that it uses to automatically start a set of SAs.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref AutostartIKEConfiguration [0..n]]
                Dependent [ref IKEService [0..n]]
                Active

8.14.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an IKEService instance may be
associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that an AutostartIKEConfiguration instance may
be associated with zero or more IKEService instances.

8.14.3. The Property Active

The property Active indicates whether the AutostartIKEConfiguration
set is currently active for the associated IKEService. That is, at
boot time, the active configuration is used to automatically start
IKE negotiations and create static SAs. The property is defined as
follows:

   NAME         Active
   DESCRIPTION  Active indicates whether the AutostartIKEConfiguration
                set is currently active for the associated IKEService.
   SYNTAX       boolean
   VALUE        true - AutostartIKEConfiguration is currently active
                for associated IKEService.
                false - AutostartIKEConfiguration is currently inactive
                for associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

The class IKEUsesCredentialManagementService defines the set of
CredentialManagementService(s) that are trusted sources of
credentials for IKE phase 1 negotiations. The class definition for
IKEUsesCredentialManagementService is as follows:

   NAME         IKEUsesCredentialManagementService
   DESCRIPTION  Associates the set of CredentialManagementService(s)
                that are trusted by the IKEService as sources of
                credentials used in IKE phase 1 negotiations.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref CredentialManagementService [0..n]]
                Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an IKEService instance may be
associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance.
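An added example, not the draft's own code, that combines the two autostart rules above: the Active flag of 8.14.3 selects which AutostartIKEConfiguration an IKEService applies at boot, and the SequenceNumber of 8.12.3 orders the settings inside it (zero means unordered and startable in parallel, other values run in ascending order, equal values are unordered among themselves). Settings are reduced to labels so the ordering logic stands out; the function names and the sample configuration sets are this example's own.

```python
"""Added example, not part of the draft: starting the SAs of an
IKEService at boot with the 8.14.3 and 8.12.3 rules.  Of the
AutostartIKEConfiguration sets related to the service, the one whose
IKEAutostartConfiguration.Active is true is used; its settings with
SequenceNumber 0 carry no ordering constraint and may run in parallel,
all others run in ascending SequenceNumber order, and equal non-zero
numbers are unordered among themselves.  Settings are represented by
labels only; function names and sample data are this example's own."""
from dataclasses import dataclass, field


@dataclass
class AutostartIKEConfiguration:
    name: str
    # AutostartIKESettingContext links: (setting label, SequenceNumber)
    settings: list = field(default_factory=list)


def active_configuration(associations):
    """associations: (AutostartIKEConfiguration, Active) pairs, one per
    IKEAutostartConfiguration instance of the service.  A service with
    no active set has nothing to start; more than one is ambiguous and
    is refused rather than merged, so a stale set cannot silently bring
    up tunnels alongside the intended one."""
    active = [cfg for cfg, flag in associations if flag]
    if len(active) > 1:
        raise ValueError(f"{len(active)} active AutostartIKEConfiguration sets: "
                         + ", ".join(c.name for c in active))
    return active[0] if active else None


def schedule(config):
    """Execution batches for one configuration set: batch 0 holds every
    SequenceNumber-0 setting (start concurrently, no ordering), then one
    batch per distinct non-zero SequenceNumber in ascending order; the
    settings inside a batch are unordered."""
    unordered, ordered = [], {}
    for label, n in config.settings:
        if not 0 <= n <= 0xFFFF:
            raise ValueError(f"SequenceNumber out of 16-bit range: {n}")
        if n == 0:
            unordered.append(label)
        else:
            ordered.setdefault(n, []).append(label)
    batches = [unordered] if unordered else []
    batches.extend(ordered[n] for n in sorted(ordered))
    return batches


def boot_plan(associations):
    """Batches to start at IKE service initialisation, or [] when no
    configuration set is active."""
    cfg = active_configuration(associations)
    return schedule(cfg) if cfg else []


# Constructed sample: two sets on one service, only "production" active.
SAMPLE_ASSOCIATIONS = [
    (AutostartIKEConfiguration("maintenance", [("mgmt-phase1", 0)]), False),
    (AutostartIKEConfiguration("production", [
        ("log-export", 0),     # no ordering constraint
        ("hq-phase1", 10),     # phase 1 to the HQ gateway first
        ("hq-data-v4", 20),    # then both phase 2 SAs, in either order
        ("hq-data-v6", 20),
    ]), True),
]
```

Emitting the zero-numbered settings as a first batch is one reading of "may be applied in parallel with other settings"; an implementation is equally free to launch them alongside any later batch, as long as it never makes an ordered setting wait on them.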
The [0..n]
cardinality indicates that a CredentialManagementService instance
may be associated with zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

The class EndpointHasLocalIKEIdentity associates an
IPProtocolEndpoint with a set of IKEIdentity instances that may be
used in negotiating security associations on the endpoint. An
IKEIdentity MUST be associated with either an IPProtocolEndpoint
using this association or with a collection of IKEIdentity instances
using the CollectionHasLocalIKEIdentity association. The class
definition for EndpointHasLocalIKEIdentity is as follows:

   NAME         EndpointHasLocalIKEIdentity
   DESCRIPTION  EndpointHasLocalIKEIdentity associates an
                IPProtocolEndpoint with a set of IKEIdentity instances.
   DERIVED FROM ElementAsUser (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IPProtocolEndpoint [0..1]]
                Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

The property Antecedent is inherited from ElementAsUser and is
overridden to refer to an IPProtocolEndpoint instance. The [0..1]
cardinality indicates that an IKEIdentity instance MUST be
associated with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that an IPProtocolEndpoint instance may be
associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

The class CollectionHasLocalIKEIdentity associates a Collection of
IPProtocolEndpoint instances with a set of IKEIdentity instances
that may be used in negotiating SAs for endpoints in the collection.
An IKEIdentity MUST be associated with either an IPProtocolEndpoint
using the EndpointHasLocalIKEIdentity association or with a
collection of IKEIdentity instances using this association. The
class definition for CollectionHasLocalIKEIdentity is as follows:

   NAME         CollectionHasLocalIKEIdentity
   DESCRIPTION  CollectionHasLocalIKEIdentity associates a collection
                of IPProtocolEndpoint instances with a set of
                IKEIdentity instances.
   DERIVED FROM ElementAsUser (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref Collection [0..1]]
                Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

The property Antecedent is inherited from ElementAsUser and is
overridden to refer to a Collection instance. The [0..1]
cardinality indicates that an IKEIdentity instance MUST be
associated with at most one Collection instance.

8.17.2. The Reference Dependent

The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that a Collection instance may be associated
with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

The class IKEIdentitysCredential is an association that relates a
set of credentials to their corresponding local IKE Identities. The
class definition for IKEIdentitysCredential is as follows:

   NAME         IKEIdentitysCredential
   DESCRIPTION  IKEIdentitysCredential associates a set of credentials
                to their corresponding local IKEIdentity.
   DERIVED FROM UsersCredential (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref Credential [0..n]]
                Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

The property Antecedent is inherited from UsersCredential and is
overridden to refer to a Credential instance.
   The [0..n] cardinality indicates that an IKEIdentity instance may
   be associated with zero or more Credential instances.

8.18.2. The Reference Dependent

   The property Dependent is inherited from UsersCredential and is
   overridden to refer to an IKEIdentity instance. The [0..n]
   cardinality indicates that a Credential instance may be associated
   with zero or more IKEIdentity instances.

9. Implementation Requirements

   The following table specifies which classes, properties,
   associations and aggregations MUST, SHOULD or MAY be implemented.
   The requirement level of a property or reference applies only when
   the class under which it is listed is implemented: the class
   IKEIdentity, for example, is optional (MAY), but an implementation
   that supports it MUST implement the IdentityType and IdentityValue
   properties.

   4. Policy Classes
   4.1. The Class IPsecPolicyGroup................................MUST
   4.2. The Class SARule..........................................MUST
   4.2.1. The Property PolicyRuleName..............................MAY
   4.2.1. The Property Enabled....................................MUST
   4.2.1. The Property ConditionListType..........................MUST
   4.2.1. The Property RuleUsage...................................MAY
   4.2.1. The Property Mandatory...................................MAY
   4.2.1. The Property SequencedActions...........................MUST
   4.2.1. The Property PolicyRoles.................................MAY
   4.2.1. The Property PolicyDecisionStrategy......................MAY
   4.2.2. The Property ExecutionStrategy..........................MUST
   4.2.3. The Property LimitNegotiation............................MAY
   4.3. The Class IKERule.........................................MUST
   4.3.1. The Property IdentityContexts............................MAY
   4.4. The Class IPsecRule.......................................MUST
   4.5.3. The Property GroupPriority..............................MUST
   4.6. The Association Class IPsecPolicyForEndpoint...............MAY
   4.6.1. The Reference Antecedent................................MUST
   4.6.2. The Reference Dependent.................................MUST
   4.7. The Association Class IPsecPolicyForSystem.................MAY
   4.7.1. The Reference Antecedent................................MUST
   4.7.2. The Reference Dependent.................................MUST
   4.8. The Aggregation Class RuleForIKENegotiation...............MUST
   4.8.1. The Property Priority.................................SHOULD
   4.8.2. The Reference GroupComponent............................MUST
   4.8.3. The Reference PartComponent.............................MUST
   4.9. The Aggregation Class RuleForIPsecNegotiation.............MUST
   4.9.1. The Property Priority.................................SHOULD
   4.9.2. The Reference GroupComponent............................MUST
   4.9.3. The Reference PartComponent.............................MUST
   4.10. The Aggregation Class SAConditionInRule..................MUST
   4.10.1. The Property GroupNumber.............................SHOULD
   4.10.1. The Property ConditionNegated........................SHOULD
   4.10.2. The Reference GroupComponent...........................MUST
   4.10.3. The Reference PartComponent............................MUST
   4.11. The Aggregation Class PolicyActionInSARule...............MUST
   4.11.1. The Reference GroupComponent...........................MUST
   4.11.2. The Reference PartComponent............................MUST
   4.11.3. The Property ActionOrder.............................SHOULD
   5. Condition and Filter Classes
   5.1. The Class SACondition.....................................MUST
   5.2. The Class IPHeaderFilter................................SHOULD
   5.3. The Class CredentialFilterEntry............................MAY
   5.3.1. The Property MatchFieldName.............................MUST
   5.3.2. The Property MatchFieldValue............................MUST
   5.3.3. The Property CredentialType.............................MUST
   5.4. The Class IPSOFilterEntry..................................MAY
   5.4.1. The Property MatchConditionType.........................MUST
   5.4.2. The Property MatchConditionValue........................MUST
   5.5. The Class PeerIDPayloadFilterEntry.........................MAY
   5.5.1. The Property MatchIdentityType..........................MUST
   5.5.2. The Property MatchIdentityValue.........................MUST
   5.6. The Association Class FilterOfSACondition...............SHOULD
   5.6.1. The Reference Antecedent................................MUST
   5.6.2. The Reference Dependent.................................MUST
   5.7. The Association Class AcceptCredentialFrom.................MAY
   5.7.1. The Reference Antecedent................................MUST
   5.7.2. The Reference Dependent.................................MUST
   6. Action Classes
   6.1. The Class SAAction........................................MUST
   6.1.1. The Property DoActionLogging.............................MAY
   6.1.2. The Property DoPacketLogging.............................MAY
   6.2. The Class SAStaticAction..................................MUST
   6.2.1. The Property LifetimeSeconds............................MUST
   6.3. The Class IPsecBypassAction.............................SHOULD
   6.4. The Class IPsecDiscardAction............................SHOULD
   6.5. The Class IKERejectAction..................................MAY
   6.6. The Class PreconfiguredSAAction...........................MUST
   6.6.1. The Property LifetimeKilobytes..........................MUST
   6.7. The Class PreconfiguredTransportAction....................MUST
   6.8. The Class PreconfiguredTunnelAction.......................MUST
   6.8.1. The Property DFHandling.................................MUST
   6.9. The Class SANegotiationAction.............................MUST
   6.9.1. The Property MinLifetimeSeconds..........................MAY
   6.9.2. The Property MinLifetimeKilobytes........................MAY
   6.9.3. The Property RefreshThresholdSeconds.....................MAY
   6.9.4. The Property RefreshThresholdKilobytes...................MAY
   6.9.5. The Property IdleDurationSeconds.........................MAY
   6.10. The Class IPsecAction....................................MUST
   6.10.1. The Property UsePFS....................................MUST
   6.10.2. The Property UseIKEGroup................................MAY
   6.10.3. The Property GroupId...................................MUST
   6.10.4. The Property Granularity.............................SHOULD
   6.10.5. The Property VendorID...................................MAY
   6.11. The Class IPsecTransportAction...........................MUST
   6.12. The Class IPsecTunnelAction..............................MUST
   6.12.1. The Property DFHandling................................MUST
   6.13. The Class IKEAction......................................MUST
   6.13.1. The Property RefreshThresholdDerivedKeys................MAY
   6.13.2. The Property ExchangeMode..............................MUST
   6.13.3. The Property UseIKEIdentityType........................MUST
   6.13.4. The Property VendorID...................................MAY
   6.13.5. The Property AggressiveModeGroupId......................MAY
   6.14. The Class PeerGateway....................................MUST
   6.14.1. The Property Name....................................SHOULD
   6.14.2. The Property PeerIdentityType..........................MUST
   6.14.3. The Property PeerIdentity..............................MUST
   6.15. The Association Class PeerGatewayForTunnel...............MUST
   6.15.1. The Reference Antecedent...............................MUST
   6.15.2. The Reference Dependent................................MUST
   6.15.3. The Property SequenceNumber..........................SHOULD
   6.16. The Aggregation Class ContainedProposal..................MUST
   6.16.1. The Reference GroupComponent...........................MUST
   6.16.2. The Reference PartComponent............................MUST
   6.16.3. The Property SequenceNumber............................MUST
   6.17. The Association Class HostedPeerGatewayInformation........MAY
   6.17.1. The Reference Antecedent...............................MUST
   6.17.2. The Reference Dependent................................MUST
   6.18. The Association Class TransformOfPreconfiguredAction.....MUST
   6.18.1. The Reference Antecedent...............................MUST
   6.18.2. The Reference Dependent................................MUST
   6.18.3. The Property SPI.......................................MUST
   6.18.4. The Property Direction.................................MUST
   6.19. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
   6.19.1. The Reference Antecedent...............................MUST
   6.19.2. The Reference Dependent................................MUST
   7. Proposal and Transform Classes
   7.1. The Abstract Class SAProposal.............................MUST
   7.1.1. The Property Name.....................................SHOULD
   7.2. The Class IKEProposal.....................................MUST
   7.2.1. The Property LifetimeDerivedKeys.........................MAY
   7.2.2. The Property CipherAlgorithm............................MUST
   7.2.3. The Property HashAlgorithm..............................MUST
   7.2.4. The Property PRFAlgorithm................................MAY
   7.2.5. The Property GroupId....................................MUST
   7.2.6. The Property AuthenticationMethod.......................MUST
   7.2.7. The Property MaxLifetimeSeconds.........................MUST
   7.2.8. The Property MaxLifetimeKilobytes.......................MUST
   7.2.9. The Property VendorID....................................MAY
   7.3. The Class IPsecProposal...................................MUST
   7.4. The Abstract Class SATransform............................MUST
   7.4.1. The Property TransformName............................SHOULD
   7.4.2. The Property VendorID....................................MAY
   7.4.3. The Property MaxLifetimeSeconds.........................MUST
   7.4.4. The Property MaxLifetimeKilobytes.......................MUST
   7.5. The Class AHTransform.....................................MUST
   7.5.1. The Property AHTransformId..............................MUST
   7.5.2. The Property UseReplayPrevention.........................MAY
   7.5.3. The Property ReplayPreventionWindowSize..................MAY
   7.6. The Class ESPTransform....................................MUST
   7.6.1. The Property IntegrityTransformId.......................MUST
   7.6.2. The Property CipherTransformId..........................MUST
   7.6.3. The Property CipherKeyLength.............................MAY
   7.6.4. The Property CipherKeyRounds.............................MAY
   7.6.5. The Property UseReplayPrevention.........................MAY
   7.6.6. The Property ReplayPreventionWindowSize..................MAY
   7.7. The Class IPCOMPTransform..................................MAY
   7.7.1. The Property Algorithm..................................MUST
   7.7.2. The Property DictionarySize..............................MAY
   7.7.3. The Property PrivateAlgorithm............................MAY
   7.8. The Association Class SAProposalInSystem...................MAY
   7.8.1. The Reference Antecedent................................MUST
   7.8.2. The Reference Dependent.................................MUST
   7.9. The Aggregation Class ContainedTransform..................MUST
   7.9.1. The Reference GroupComponent............................MUST
   7.9.2. The Reference PartComponent.............................MUST
   7.9.3. The Property SequenceNumber.............................MUST
   7.10. The Association Class SATransformInSystem.................MAY
   7.10.1. The Reference Antecedent...............................MUST
   7.10.2. The Reference Dependent................................MUST
   8. IKE Service and Identity Classes
   8.1. The Class IKEService.......................................MAY
   8.2. The Class PeerIdentityTable................................MAY
   8.2.1. The Property Name.....................................SHOULD
   8.3. The Class PeerIdentityEntry................................MAY
   8.3.1. The Property PeerIdentity.............................SHOULD
   8.3.2. The Property PeerIdentityType.........................SHOULD
   8.3.3. The Property PeerAddress..............................SHOULD
   8.3.4. The Property PeerAddressType..........................SHOULD
   8.4. The Class AutostartIKEConfiguration........................MAY
   8.5. The Class AutostartIKESetting..............................MAY
   8.5.1. The Property Phase1Only..................................MAY
   8.5.2. The Property AddressType..............................SHOULD
   8.5.3. The Property SourceAddress..............................MUST
   8.5.4. The Property SourcePort.................................MUST
   8.5.5. The Property DestinationAddress.........................MUST
   8.5.6. The Property DestinationPort............................MUST
   8.5.7. The Property Protocol...................................MUST
   8.6. The Class IKEIdentity......................................MAY
   8.6.1. The Property IdentityType...............................MUST
   8.6.2. The Property IdentityValue..............................MUST
   8.6.3. The Property IdentityContexts............................MAY
   8.7. The Association Class HostedPeerIdentityTable..............MAY
   8.7.1. The Reference Antecedent................................MUST
   8.7.2. The Reference Dependent.................................MUST
   8.8. The Aggregation Class PeerIdentityMember...................MAY
   8.8.1. The Reference Collection................................MUST
   8.8.2. The Reference Member....................................MUST
   8.9. The Association Class IKEServicePeerGateway................MAY
   8.9.1. The Reference Antecedent................................MUST
   8.9.2. The Reference Dependent.................................MUST
   8.10. The Association Class IKEServicePeerIdentityTable.........MAY
   8.10.1. The Reference Antecedent...............................MUST
   8.10.2. The Reference Dependent................................MUST
   8.11. The Association Class IKEAutostartSetting.................MAY
   8.11.1. The Reference Element..................................MUST
   8.11.2. The Reference Setting..................................MUST
   8.12. The Aggregation Class AutostartIKESettingContext..........MAY
   8.12.1. The Reference Context..................................MUST
   8.12.2. The Reference Setting..................................MUST
   8.12.3. The Property SequenceNumber..........................SHOULD
   8.13. The Association Class IKEServiceForEndpoint...............MAY
   8.13.1. The Reference Antecedent...............................MUST
   8.13.2. The Reference Dependent................................MUST
   8.14. The Association Class IKEAutostartConfiguration...........MAY
   8.14.1. The Reference Antecedent...............................MUST
   8.14.2. The Reference Dependent................................MUST
   8.14.3. The Property Active..................................SHOULD
   8.15. The Association Class IKEUsesCredentialManagementService..MAY
   8.15.1. The Reference Antecedent...............................MUST
   8.15.2. The Reference Dependent................................MUST
   8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY
   8.16.1. The Reference Antecedent...............................MUST
   8.16.2. The Reference Dependent................................MUST
   8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY
   8.17.1. The Reference Antecedent...............................MUST
   8.17.2. The Reference Dependent................................MUST
   8.18. The Association Class IKEIdentitysCredential..............MAY
   8.18.1. The Reference Antecedent...............................MUST
   8.18.2. The Reference Dependent................................MUST

10. Security Considerations

   This document describes a schema for IPsec policy. It does not
   specify security requirements for storing or delivering instances
   of that schema; those requirements should be detailed in a
   comprehensive security policy architecture document. Note, however,
   that the model carries data whose disclosure or modification
   directly affects the protection IPsec provides: the credentials
   reachable through IKEIdentitysCredential, the SPIs of preconfigured
   SAs (TransformOfPreconfiguredAction), and the rules that decide
   whether traffic is negotiated, bypassed (IPsecBypassAction) or
   discarded (IPsecDiscardAction). A policy repository, and the channel
   that delivers policy to an enforcement point, therefore need
   confidentiality, integrity and access-control protection at least
   as strong as that of the IPsec configuration they produce.

11. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.
   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

12. Acknowledgments

   The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
   Vic Lortz, and William Dixon for their contributions to this IPsec
   policy model.

   Additionally, this draft would not have been possible without the
   preceding IPsec schema drafts. For that, thanks go out to Rob
   Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
   Rajan.

13. References

   [IKE]      Harkins, D., and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, November 1998.

   [COMP]     Shacham, A., R. Monsour, R. Pereira, and M. Thomas, "IP
              Payload Compression Protocol (IPComp)", RFC 2393, August
              1998.

   [ESP]      Kent, S., and R. Atkinson, "IP Encapsulating Security
              Payload (ESP)", RFC 2406, November 1998.

   [AH]       Kent, S., and R. Atkinson, "IP Authentication Header",
              RFC 2402, November 1998.

   [PCIM]     Moore, B., E. Ellesson, and J. Strassner, "Policy Core
              Information Model -- Version 1 Specification", RFC 3060,
              February 2001.

   [DOI]      Piper, D., "The Internet IP Security Domain of
              Interpretation for ISAKMP", RFC 2407, November 1998.

   [LDAP]     Wahl, M., T. Howes, and S. Kille, "Lightweight Directory
              Access Protocol (v3)", RFC 2251, December 1997.

   [COPS]     Boyle, J., R. Cohen, D. Durham, S. Herzog, R. Rajan, and
              A. Sastry, "The COPS (Common Open Policy Service)
              Protocol", RFC 2748, January 2000.

   [COPSPR]   Chan, K., D. Durham, S. Gai, S. Herzog, K. McCloghrie,
              F. Reichmeyer, J. Seligson, A. Smith, and R. Yavatkar,
              "COPS Usage for Policy Provisioning",
              draft-ietf-rap-pr-05.txt, October 2000. Internet-Draft,
              work in progress.

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [IPSO]     Kent, S., "U.S. Department of Defense Security Options
              for the Internet Protocol", RFC 1108, November 1991.

   [IPSEC]    Kent, S., and R. Atkinson, "Security Architecture for
              the Internet Protocol", RFC 2401, November 1998.

14. Disclaimer

   The views and specification herein are those of the authors and are
   not necessarily those of their employer. The authors and their
   employer specifically disclaim responsibility for any problems
   arising from correct or incorrect implementation or use of this
   specification.

15. Authors' Addresses

   Jamie Jason
   Intel Corporation
   MS JF3-206
   2111 NE 25th Ave.
   Hillsboro, OR 97124
   E-Mail: jamie.jason@intel.com

   Lee Rafalow
   IBM Corporation, BRQA/502
   4205 So. Miami Blvd.
   Research Triangle Park, NC 27709
   E-mail: rafalow@raleigh.ibm.com

   Eric Vyncke
   Cisco Systems
   Avenue Marcel Thiry, 77
   B-1200 Brussels
   Belgium
   E-mail: evyncke@cisco.com

16. Full Copyright Statement

   Copyright (C) The Internet Society (1999). All Rights Reserved.
   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
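   The following is an added example for this page; it is not part of
   the draft. It turns the Section 9 requirements table into a
   conformance check that an implementer or reviewer can run against
   an inventory of what a product actually implements. The table rows
   embedded below are copied from Section 9; the IMPLEMENTED inventory
   is constructed for illustration. One reading of the table layout is
   assumed: a Property or Reference row belongs to the most recent
   Class row above it, so its MUST or SHOULD is binding only when that
   class is implemented (which is what makes "8.6. IKEIdentity MAY"
   and "8.6.1. IdentityType MUST" consistent).

```python
"""Conformance check against the Section 9 requirements table.

Added example for this page, not part of the draft.  Table rows are copied
from Section 9; IMPLEMENTED is a constructed inventory; the rule that a
property/reference row belongs to the most recent class row above it is
this example's reading of the table layout.
"""
import re
from collections import namedtuple

Row = namedtuple("Row", "section kind name level")

# One table row, e.g. "4.2.1. The Property Enabled....................MUST"
ROW_RE = re.compile(
    r"^\s*(?P<section>\d+(?:\.\d+)*)\.?\s+The\s+"
    r"(?P<kind>Abstract Class|Association Class|Aggregation Class|"
    r"Class|Property|Reference)\s+(?P<name>\w+)\.{2,}"
    r"(?P<level>MUST|SHOULD|MAY)\s*$")

# Constructed excerpt: a handful of rows copied from the Section 9 table
SAMPLE_TABLE = """
4. Policy Classes
4.1. The Class IPsecPolicyGroup................................MUST
4.2. The Class SARule..........................................MUST
4.2.1. The Property PolicyRuleName..............................MAY
4.2.1. The Property Enabled....................................MUST
4.2.2. The Property ExecutionStrategy..........................MUST
4.6. The Association Class IPsecPolicyForEndpoint...............MAY
4.6.1. The Reference Antecedent................................MUST
4.6.2. The Reference Dependent.................................MUST
5.2. The Class IPHeaderFilter................................SHOULD
8.6. The Class IKEIdentity......................................MAY
8.6.1. The Property IdentityType...............................MUST
8.6.2. The Property IdentityValue..............................MUST
8.6.3. The Property IdentityContexts............................MAY
"""

# Constructed inventory of a hypothetical implementation:
# {class name: set of property/reference names it implements}
IMPLEMENTED = {
    "IPsecPolicyGroup": set(),
    "SARule": {"Enabled", "ExecutionStrategy"},
    "IKEIdentity": {"IdentityType"},          # IdentityValue is missing
}


def parse_table(text):
    """Return the requirement rows; group headings such as
    '4. Policy Classes' and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(Row(**m.groupdict()))
    return rows


def check(rows, implemented):
    """Evaluate the table against an inventory.

    errors   - MUST items that are missing
    warnings - SHOULD items that are missing
    skipped  - MUST/SHOULD members of a class that is itself not
               implemented; they become binding as soon as it is added
    """
    result = {"errors": [], "warnings": [], "skipped": []}
    parent = None
    for row in rows:
        if row.kind.endswith("Class"):
            parent = row
            present = row.name in implemented
            msg = f"{row.section} class {row.name} ({row.level}) not implemented"
        else:
            if parent is None:
                raise ValueError(f"{row.section}: member row before any class row")
            if parent.name not in implemented:
                if row.level != "MAY":
                    result["skipped"].append(
                        f"{row.section} {parent.name}.{row.name} ({row.level}) "
                        f"skipped: class {parent.name} ({parent.level}) not implemented")
                continue
            present = row.name in implemented[parent.name]
            msg = f"{row.section} {parent.name}.{row.name} ({row.level}) not implemented"
        if present:
            continue
        if row.level == "MUST":
            result["errors"].append(msg)
        elif row.level == "SHOULD":
            result["warnings"].append(msg)
    return result


if __name__ == "__main__":
    report = check(parse_table(SAMPLE_TABLE), IMPLEMENTED)
    for kind in ("errors", "warnings", "skipped"):
        for line in report[kind]:
            print(kind.upper(), line)
```

   Run against the sample inventory, the check reports the missing
   IdentityValue property as an error, the absent IPHeaderFilter class
   as a warning, and lists the two references of IPsecPolicyForEndpoint
   as skipped, so that whoever later adds that optional class sees
   what becomes mandatory with it. The whole table from Section 9 can
   be fed to parse_table unchanged.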
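   Appendix A below reproduces DMTF core-model classes in MOF. The
   following is an added example, not the draft's or DMTF's code: a
   small parser for exactly the MOF constructs the appendix uses
   (bracketed qualifier lists, concatenated string literals with
   escaped quotes, ValueMap and MappingStrings arrays, method parameter
   lists with [IN]/[OUT] qualifiers), plus the sanity checks a policy
   repository would run before loading such a schema: every superclass
   is defined and the inheritance graph has no cycle. SAMPLE_MOF is a
   constructed, trimmed copy of a few Appendix A classes; the
   dictionary layout returned by parse_mof is this example's own
   choice. Note the Name property of CIM_ManagedSystemElement: its
   Description mentions a "Key property", so a parser that searches
   qualifier text without first blanking the string literals would
   wrongly mark it as a key.

```python
"""Minimal parser for the MOF class syntax used in Appendix A.  Added example,
not the draft's or DMTF's code; SAMPLE_MOF is a constructed, trimmed copy."""
import re

STR = r'"(?:[^"\\]|\\.)*"'                            # one string literal
QUAL = re.compile(r'\[((?:[^\]"]|' + STR + r')+)\]')   # one [...] qualifier list
TOK = r"\x00(\d+)\x00"                                # token for a stashed list
CLASS = re.compile(r"(?:" + TOK + r"\s*)?class\s+(\w+)\s*(?::\s*(\w+))?"
                   r"\s*\{([^}]*)\}\s*;")
MEMBER = re.compile(r"(?:" + TOK + r"\s*)?(\w+)\s+(\w+)\s*(\(([^)]*)\))?\s*;")

SAMPLE_MOF = r"""
   [Abstract, Description ("ManagedElement is an abstract class that "
     "provides a common superclass for non-association classes.")]
class CIM_ManagedElement
{
   string Caption;
};
   [Abstract]
class CIM_ManagedSystemElement : CIM_ManagedElement
{
     [MaxLen (256), Description ("When subclassed, the Name property "
       "can be overridden to be a Key property.") ]
   string Name;
     [MaxLen (10), Description ("Operational statuses are \"OK\", "
       "\"Degraded\", \"Stressed\" and \"Pred Fail\"."),
      ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail"} ]
   string Status;
};
   [Abstract]
class CIM_LogicalElement:CIM_ManagedSystemElement { };
class CIM_SystemConfiguration : CIM_ManagedElement {
     [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256) ]
   string SystemCreationClassName;
     [Key, MaxLen (256), Description ("Label of the Configuration.") ]
   string Name;
};
   [Abstract]
class CIM_Setting : CIM_ManagedElement
{
   string SettingID;
   uint32 VerifyOKToApplyToCollection ([IN] CIM_CollectionOfMSEs ref Collection,
       [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy,
       [OUT] string CanNotApply[]);
};
"""


def has_qual(quals, word):
    # blank out string literals first: "... to be a Key property" is prose
    return re.search(rf"\b{word}\b", re.sub(STR, "", quals)) is not None


def parse_params(text):
    params = []
    for piece in text.split(","):
        words = re.sub(TOK, "", piece).split()   # drop the [IN]/[OUT] tokens
        if words:
            params.append({"type": " ".join(words[:-1]),
                           "name": words[-1].rstrip("[]"),
                           "array": words[-1].endswith("[]")})
    return params


def parse_mof(text):
    """Return {class name: {super, abstract, properties, keys, methods}}."""
    text = re.sub(r"^[ \t]*//.*$", "", text, flags=re.M)   # comment lines
    stash = []

    def hide(m):              # swap every [...] list for a token so that no
        stash.append(m.group(1))   # string or brace is left in a class body
        return f"\x00{len(stash) - 1}\x00"

    clean = QUAL.sub(hide, text)
    classes = {}
    for m in CLASS.finditer(clean):
        cq = stash[int(m.group(1))] if m.group(1) else ""
        cls = {"super": m.group(3), "abstract": has_qual(cq, "Abstract"),
               "properties": {}, "keys": [], "methods": {}}
        for mm in MEMBER.finditer(m.group(4)):
            mq = stash[int(mm.group(1))] if mm.group(1) else ""
            mtype, mname, params = mm.group(2), mm.group(3), mm.group(5)
            if params is None:
                cls["properties"][mname] = mtype
                if has_qual(mq, "Key"):
                    cls["keys"].append(mname)
            else:
                cls["methods"][mname] = {"returns": mtype,
                                         "params": parse_params(params)}
        classes[m.group(2)] = cls
    return classes


def ancestors(classes, name):
    chain = []
    while classes[name]["super"]:
        name = classes[name]["super"]
        chain.append(name)
    return chain


def check_schema(classes):
    """Every superclass must be defined and inheritance must be acyclic."""
    problems = []
    for name, cls in classes.items():
        seen, cur = {name}, cls["super"]
        while cur:
            if cur not in classes:
                problems.append(f"{name}: superclass {cur} undefined")
                break
            if cur in seen:
                problems.append(f"{name}: inheritance cycle via {cur}")
                break
            seen.add(cur)
            cur = classes[cur]["super"]
    return problems
```

   The design point is the stash step: every bracketed qualifier list
   is replaced by a token before the class and member patterns run, so
   the description strings (which contain the words "class", "Key",
   braces and escaped quotes) can never be mistaken for syntax. The
   full Appendix A text can be passed to parse_mof as-is.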
Appendix A (DMTF Core Model MOF)

// ==================================================================
// ManagedElement
// ==================================================================
   [Abstract, Description (
     "ManagedElement is an abstract class that provides a common "
     "superclass (or top of the inheritance tree) for the "
     "non-association classes in the CIM Schema.")]
class CIM_ManagedElement
{
     [MaxLen (64), Description (
       "The Caption property is a short textual description (one-"
       "line string) of the object.") ]
   string Caption;

     [Description (
       "The Description property provides a textual description of "
       "the object.") ]
   string Description;
};

// ==================================================================
// Collection
// ==================================================================
   [Abstract, Description (
     "Collection is an abstract class that provides a common "
     "superclass for data elements that represent collections of "
     "ManagedElements and its subclasses.")]
class CIM_Collection : CIM_ManagedElement
{
};

// ==================================================================
// ManagedSystemElement
// ==================================================================
   [Abstract, Description (
     "CIM_ManagedSystemElement is the base class for the System "
     "Element hierarchy. Membership Criteria: Any distinguishable "
     "component of a System is a candidate for inclusion in this "
     "class. Examples: software components, such as files; and "
     "devices, such as disk drives and controllers, and physical "
     "components such as chips and cards.") ]
class CIM_ManagedSystemElement : CIM_ManagedElement
{
     [Description (
       "A datetime value indicating when the object was installed. "
       "A lack of a value does not indicate that the object is not "
       "installed."),
      MappingStrings {"MIF.DMTF|ComponentID|001.5"} ]
   datetime InstallDate;

     [MaxLen (256), Description (
       "The Name property defines the label by which the object is "
       "known. When subclassed, the Name property can be overridden "
       "to be a Key property.") ]
   string Name;

     [MaxLen (10), Description (
       "A string indicating the current status of the object. "
       "Various operational and non-operational statuses are "
       "defined. Operational statuses are \"OK\", \"Degraded\", "
       "\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that "
       "the Element is functioning, but needs attention. Examples "
       "of \"Stressed\" states are overload, overheated, etc. The "
       "condition \"Pred Fail\" (failure predicted) indicates that "
       "an Element is functioning properly but predicting a failure "
       "in the near future. An example is a SMART-enabled hard "
       "drive.\n"
       "Non-operational statuses can also be specified. These "
       "are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", "
       "\"Stopped\", \"Service\", \"No Contact\" and \"Lost Comm\". "
       "\"NonRecover\" indicates that a non-recoverable error has "
       "occurred. \"Service\" describes an Element being configured, "
       "maintained, cleaned, or otherwise administered. This status "
       "could apply during mirror-resilvering of a disk, reload of a "
       "user permissions list, or other administrative task. Not all "
       "such work is on-line, yet the Element is neither \"OK\" nor "
       "in one of the other states. \"No Contact\" indicates that "
       "the current instance of the monitoring system has knowledge "
       "of this Element but has never been able to establish "
       "communications with it. \"Lost Comm\" indicates that the "
       "ManagedSystemElement is known to exist and has been "
       "contacted successfully in the past, but is currently "
       "unreachable. \"Stopped\" indicates that the "
       "ManagedSystemElement is known to exist, it is not "
       "operational (i.e. it is unable to provide service to "
       "users), but it has not failed. It has purposely been made "
       "non-operational. The Element may have never been \"OK\", "
       "the Element may have initiated its own stop, or a "
       "management system may have initiated the stop."),
      ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail",
                "Starting", "Stopping", "Service", "Stressed",
                "NonRecover", "No Contact", "Lost Comm", "Stopped"} ]
   string Status;
};

// ==================================================================
// LogicalElement
// ==================================================================
   [Abstract, Description (
     "CIM_LogicalElement is a base class for all the components of "
     "a System that represent abstract system components, such "
     "as Files, Processes, or system capabilities in the form "
     "of Logical Devices.") ]
class CIM_LogicalElement : CIM_ManagedSystemElement
{
};

// ==================================================================
// CIM_SystemConfiguration
// ==================================================================
   [Description (
     "CIM_SystemConfiguration represents the general concept "
     "of a CIM_Configuration which is scoped by/weak to a "
     "System. This class is a peer of CIM_Configuration since "
     "the key structure of Configuration is currently "
     "defined and cannot be modified with additional "
     "properties.")]
class CIM_SystemConfiguration : CIM_ManagedElement
{
     [Propagated ("CIM_System.CreationClassName"), Key,
      MaxLen (256), Description (
       "The scoping System's CreationClassName.") ]
   string SystemCreationClassName;

     [Propagated ("CIM_System.Name"), Key, MaxLen (256),
      Description ("The scoping System's Name.") ]
   string SystemName;

     [Key, MaxLen (256), Description (
       "CreationClassName indicates the name of the class or the "
       "subclass used in the creation of an instance. When used "
       "with the other key properties of this class, this property "
       "allows all instances of this class and its subclasses to "
       "be uniquely identified.") ]
   string CreationClassName;

     [Key, MaxLen (256), Description (
       "The label by which the Configuration object is known.") ]
   string Name;
};

// ==================================================================
// Setting
// ==================================================================
   [Abstract, Description (
     "The Setting class represents configuration-related and "
     "operational parameters for one or more ManagedSystem"
     "Element(s). A ManagedSystemElement may have multiple Setting "
     "objects associated with it. The current operational values "
     "for an Element's parameters are reflected by properties in "
     "the Element itself or by properties in its associations. "
     "These properties do not have to be the same values present "
     "in the Setting object. For example, a modem may have a "
     "Setting baud rate of 56Kb/sec but be operating "
     "at 19.2Kb/sec.") ]
class CIM_Setting : CIM_ManagedElement
{
     [MaxLen (256), Description (
       "The identifier by which the Setting object is known.") ]
   string SettingID;

     [Description (
       "The VerifyOKToApplyToMSE method is used to verify that "
       "this Setting can be 'applied' to the referenced Managed"
       "SystemElement, at the given time or time interval. This "
       "method takes three input parameters: MSE (the Managed"
       "SystemElement that is being verified), TimeToApply (which, "
       "being a datetime, can be either a specific time or a time "
       "interval), and MustBeCompletedBy (which indicates the "
       "required completion time for the method). The return "
       "value should be 0 if it is OK to apply the Setting, 1 if "
       "the method is not supported, 2 if the Setting can not be "
       "applied within the specified times, and any other number "
       "if an error occurred. In a subclass, the set of possible "
       "return codes could be specified, using a ValueMap "
       "qualifier on the method. The strings to which the "
       "ValueMap contents are 'translated' may also be specified "
       "in the subclass as a Values array qualifier.") ]
   uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
       [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);

     [Description (
       "The ApplyToMSE method performs the actual application of "
       "the Setting to the referenced ManagedSystemElement. It "
       "takes three input parameters: MSE (the ManagedSystem"
       "Element to which the Setting is being applied), "
       "TimeToApply (which, being a datetime, can be either a "
       "specific time or a time interval), and MustBeCompletedBy "
       "(which indicates the required completion time for the "
       "method). Note that the semantics of this method are that "
       "individual Settings are either wholly applied or not "
       "applied at all to their target ManagedSystemElement. The "
       "return value should be 0 if the Setting is successfully "
       "applied to the referenced ManagedSystemElement, 1 if the "
       "method is not supported, 2 if the Setting was not applied "
       "within the specified times, and any other number if an "
       "error occurred. In a subclass, the set of possible return "
       "codes could be specified, using a ValueMap qualifier on "
       "the method. The strings to which the ValueMap contents are "
       "'translated' may also be specified in the subclass as a "
       "Values array qualifier.\n"
       "Note: If an error occurs in applying the Setting to a "
       "ManagedSystemElement, the Element must be configured as "
       "when the 'apply' attempt began. That is, the Element "
       "should NOT be left in an indeterminate state.") ]
   uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
       [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);

     [Description (
       "The VerifyOKToApplyToCollection method is used to verify "
       "that this Setting can be 'applied' to the referenced "
       "Collection of ManagedSystemElements, at the given time "
       "or time interval, without causing adverse effects to "
       "either the Collection itself or its surrounding "
       "environment. The net effect is to execute the "
       "VerifyOKToApply method against each of the Elements "
       "aggregated by the Collection. This method takes three "
       "input parameters: Collection (the Collection of Managed"
       "SystemElements that is being verified), TimeToApply (which, "
       "being a datetime, can be either a specific time or a time "
       "interval), and MustBeCompletedBy (which indicates the "
       "required completion time for the method). The return "
       "value should be 0 if it is OK to apply the Setting, 1 if "
       "the method is not supported, 2 if the Setting can not be "
       "applied within the specified times, and any other number if "
       "an error occurred. One output parameter is defined - "
       "CanNotApply - which is a string array that lists the keys "
       "of the ManagedSystemElements to which the Setting can NOT "
       "be applied. This enables those Elements to be revisited and "
       "either fixed, or other corrective action taken.\n"
       "In a subclass, the set of possible return codes could be "
       "specified, using a ValueMap qualifier on the method. The "
       "strings to which the ValueMap contents are 'translated' may "
       "also be specified in the subclass as a Values array "
       "qualifier.") ]
   uint32 VerifyOKToApplyToCollection (
       [IN] CIM_CollectionOfMSEs ref Collection,
       [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy,
       [OUT] string CanNotApply[]);

     [Description (
       "The ApplyToCollection method performs the application of "
       "the Setting to the referenced Collection of ManagedSystem"
       "Elements. The net effect is to execute the ApplyToMSE "
       "method against each of the Elements aggregated by the "
       "Collection. If the input value ContinueOnError is FALSE, "
       "this method applies the Setting to all Elements in the "
       "Collection until it encounters an error, in which case it "
       "stops execution, logs the key of the Element that caused "
       "the error in the CanNotApply array, and issues a return "
       "code of 2. If the input value ContinueOnError is TRUE, then "
       "this method applies the Setting to all the ManagedSystem"
       "Elements in the Collection, and reports the failed Elements "
       "in the array, CanNotApply. For the latter, processing will "
       "continue until the method is applied to all Elements in the "
       "Collection, regardless of any errors encountered. The key "
       "of each ManagedSystemElement to which the Setting could not "
       "be applied is logged into the CanNotApply array. This "
       "method takes four input parameters: Collection (the "
       "Collection of Elements to which the Setting is being "
       "applied), TimeToApply (which, being a datetime, can be "
       "either a specific time or a time interval), ContinueOnError "
       "(TRUE means to continue processing on encountering an "
       "error), and MustBeCompletedBy (which indicates the required "
       "completion time for the method). The return value should "
       "be 0 if the Setting is successfully applied to the "
       "referenced Collection, 1 if the method is not supported, 2 "
       "if the Setting was not applied within the specified times, "
       "3 if the Setting can not be applied using the input value "
       "for ContinueOnError, and any other number if an error "
       "occurred. One output parameter is defined, CanNotApply, "
       "which is a string array that lists the keys of the "
       "ManagedSystemElements to which the Setting was NOT able to "
       "be applied. This output parameter has meaning only when the "
       "ContinueOnError parameter is TRUE.\n"
       "In a subclass, the set of possible return codes could be "
       "specified, using a ValueMap qualifier on the method. The "
       "strings to which the ValueMap contents are 'translated' may "
       "also be specified in the subclass as a Values array "
       "qualifier.\n"
       "Note: if an error occurs in applying the Setting to a "
       "ManagedSystemElement in the Collection, the Element must be "
       "configured as when the 'apply' attempt began. That is, the "
       "Element should NOT be left in an indeterminate state.") ]
   uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection,
       [IN] datetime TimeToApply, [IN] boolean ContinueOnError,
       [IN] datetime MustBeCompletedBy, [OUT] string CanNotApply[]);

     [Description (
       "The VerifyOKToApplyIncrementalChangeToMSE method "
       "is used to verify that a subset of the properties in "
       "this Setting can be 'applied' to the referenced Managed"
       "SystemElement, at the given time or time interval. This "
       "method takes four input parameters: MSE (the Managed"
       "SystemElement that is being verified), TimeToApply (which, "
       "being a datetime, can be either a specific time or a time "
       "interval), MustBeCompletedBy (which indicates the "
       "required completion time for the method), and a "
       "PropertiesToApply array (which contains a list of the "
       "property names whose values will be verified. "
       "If the array is null or empty or contains the string "
       "\"all\" as a property name then all Settings properties "
       "shall be verified. If it is set to \"none\" then no "
       "Settings properties will be verified). The return "
       "value should be 0 if it is OK to apply the Setting, 1 if "
       "the method is not supported, 2 if the Setting can not be "
       "applied within the specified times, and any other number "
       "if an error occurred. In a subclass, the "
       "set of possible return codes could be specified, using a "
       "ValueMap qualifier on the method. 
The strings to which the " 4448 "ValueMap contents are 'translated' may also be specified in " 4449 "the subclass as a Values array qualifier.") ] 4450 uint32 VerifyOKToApplyIncrementalChangeToMSE( 4451 [IN] CIM_ManagedSystemElement ref MSE, 4452 [IN] datetime TimeToApply, 4453 [IN] datetime MustBeCompletedBy, 4454 [IN] string PropertiesToApply[]); 4455 [Description ( 4456 "The ApplyIncrementalChangeToMSE method performs the " 4457 "actual application of a subset of the properties in " 4458 "the Setting to the referenced ManagedSystemElement. It " 4459 "takes four input parameters: MSE (the ManagedSystem" 4460 "Element to which the Setting is being applied), " 4461 "TimeToApply (which, being a datetime, can be either a " 4462 "specific time or a time interval), MustBeCompletedBy " 4463 "(which indicates the required completion time for the " 4464 "method), and a " 4465 "PropertiesToApply array (which contains a list of the " 4466 "property names whose values will be applied. If a " 4467 "property is not in this list, it will be ignored by the " 4468 "apply. " 4469 "If they array is null or empty or constains the string " 4470 "\"all\" " 4471 "as a property name then all Settings properties shall be " 4472 "applied. If it is set to \"none\" then no Settings " 4473 "properties " 4474 "will be applied. ). " 4475 "Note that the semantics of this method are that " 4476 "individual Settings are either wholly applied or not " 4477 "applied at all to their target ManagedSystemElement. The " 4478 "return value should be 0 if the Setting is successfully " 4479 "applied to the referenced ManagedSystemElement, 1 if the " 4480 "method is not supported, 2 if the Setting was not applied " 4481 "within the specified times, and any other number if an " 4482 "error occurred. In a subclass, the set of possible return " 4483 "codes could be specified, using a ValueMap qualifier on " 4484 "the method. 
The strings to which the ValueMap contents are " 4485 "'translated' may also be specified in the subclass as a " 4486 "Values array qualifier.\n" 4487 "Note: If an error occurs in applying the Setting to a " 4488 "ManagedSystemElement, the Element must be configured as " 4489 "when the 'apply' attempt began. That is, the Element " 4490 "should NOT be left in an indeterminate state.") ] 4491 uint32 ApplyIncrementalChangeToMSE( 4492 [IN] CIM_ManagedSystemElement ref MSE, 4493 [IN] datetime TimeToApply, 4494 [IN] datetime MustBeCompletedBy, 4495 [IN] string PropertiesToApply[]); 4496 [Description ( 4497 "The VerifyOKToApplyIncrementalChangeToCollection method " 4498 "is used to verify that a subset of the properties in " 4499 "this Setting can be 'applied' to the referenced " 4500 "Collection of ManagedSystemElements, at the given time " 4501 "or time interval, without causing adverse effects to " 4502 "either the Collection itself or its surrounding " 4503 "environment. The net effect is to execute the " 4504 "VerifyOKToApplyIncrementalChangeToMSE method " 4505 "against each of the Elements " 4506 "aggregated by the Collection. This method takes three " 4507 "input parameters: Collection (the Collection of Managed" 4508 "SystemElements that is being verified), TimeToApply (which, " 4509 "being a datetime, can be either a specific time or a time " 4510 "interval), MustBeCompletedBy (which indicates the " 4511 "required completion time for the method), and a " 4512 "PropertiesToApply array (which contains a list of the " 4513 "property names whose values will be verified. " 4514 "If they array is null or empty or contains the string " 4515 "\"all\" " 4516 "as a property name then all Settings properties shall be " 4517 "verified. If it is set to \"none\" then no Settings " 4518 "properties " 4519 "will be verified). 
The return " 4520 "value should be 0 if it is OK to apply the Setting, 1 if " 4521 "the method is not supported, 2 if the Setting can not be " 4522 "applied within the specified times, and any other number if " 4523 "an error occurred. One output parameter is defined - " 4524 "CanNotApply - which is a string array that lists the keys " 4525 "of " 4526 "the ManagedSystemElements to which the Setting can NOT be " 4527 "applied. This enables those Elements to be revisited and " 4528 "either fixed, or other corrective action taken.\n" 4529 "In a subclass, the set of possible return codes could be " 4530 "specified, using a ValueMap qualifier on the method. The " 4531 "strings to which the ValueMap contents are 'translated' may " 4532 "also be specified in the subclass as a Values array " 4533 "qualifier.") ] 4534 uint32 VerifyOKToApplyIncrementalChangeToCollection ( 4535 [IN] CIM_CollectionOfMSEs ref Collection, 4536 [IN] datetime TimeToApply, 4537 [IN] datetime MustBeCompletedBy, 4538 [IN] string PropertiesToApply[], 4539 [OUT] string CanNotApply[]); 4540 [Description ( 4541 "The ApplyIncrementalChangeToCollection method performs " 4542 "the application of a subset of the properties in this " 4543 "Setting to the referenced Collection of ManagedSystem" 4544 "Elements. The net effect is to execute the " 4545 "ApplyIncrementalChangeToMSE " 4546 "method against each of the Elements aggregated by the " 4547 "Collection. If the input value ContinueOnError is FALSE, " 4548 "this method applies the Setting to all Elements in the " 4549 "Collection until it encounters an error, in which case it " 4550 "stops execution, logs the key of the Element that caused " 4551 "the error in the CanNotApply array, and issues a return " 4552 "code " 4553 "of 2. If the input value ContinueOnError is TRUE, then this " 4554 "method applies the Setting to all the ManagedSystemElements " 4555 "in the Collection, and reports the failed Elements in the " 4556 "array, CanNotApply. 
For the latter, processing will " 4557 "continue " 4558 "until the method is applied to all Elements in the " 4559 "Collection, regardless of any errors encountered. The key " 4560 "of " 4561 "each ManagedSystemElement to which the Setting could not be " 4562 "applied is logged into the CanNotApply array. This method " 4563 "takes four input parameters: Collection (the Collection of " 4564 "Elements to which the Setting is being applied), " 4565 "TimeToApply " 4566 "(which, being a datetime, can be either a specific time or " 4567 "a " 4568 "time interval), ContinueOnError (TRUE means to continue " 4569 "processing on encountering an error), and MustBeCompletedBy " 4570 "(which indicates the required completion time for the " 4571 "method), and a PropertiesToApply array (which contains a " 4572 "list " 4573 "of the property names whose values will be applied. If a " 4574 "property is not in this list, it will be ignored by " 4575 "the apply. " 4576 "If they array is null or empty or constains the string " 4577 "\"all\" " 4578 "as a property name then all Settings properties shall be " 4579 "applied. If it is set to \"none\" then no Settings " 4580 "properties " 4581 "will be applied. ). " 4582 "The return value should be 0 if the Setting is " 4583 "successfully applied to the referenced Collection, 1 if the " 4584 "method is not supported, 2 if the Setting was not applied " 4585 "within the specified times, 3 if the Setting can not be " 4586 "applied using the input value for ContinueOnError, and any " 4587 "other number if an error occurred. One output parameter is " 4588 "defined, CanNotApplystring, which is an array that lists " 4589 "the keys of the ManagedSystemElements to which the Setting " 4590 "was NOT able to be applied. This output parameter has " 4591 "meaning only when the ContinueOnError parameter is TRUE.\n" 4592 "In a subclass, the set of possible return codes could be " 4593 "specified, using a ValueMap qualifier on the method. 
The " 4594 "strings to which the ValueMap contents are 'translated' may " 4595 "also be specified in the subclass as a Values array " 4596 "qualifier.\n" 4597 "Note: if an error occurs in applying the Setting to a " 4598 "ManagedSystemElement in the Collection, the Element must be " 4599 "configured as when the 'apply' attempt began. That is, the " 4600 "Element should NOT be left in an indeterminate state.") ] 4601 uint32 ApplyIncrementalChangeToCollection( 4602 [IN] CIM_CollectionOfMSEs ref Collection, 4603 [IN] datetime TimeToApply, 4604 [IN] boolean ContinueOnError, 4605 [IN] datetime MustBeCompletedBy, 4606 [IN] string PropertiesToApply[], 4607 [OUT] string CanNotApply[]); 4609 }; 4611 // ================================================================== 4612 // CIM_SystemSetting 4613 // ================================================================== 4614 [Abstract, Description ( 4615 "CIM_SystemSetting represents the general concept " 4616 "of a CIM_Setting which is scoped by/weak to a System.")] 4617 class CIM_SystemSetting : CIM_Setting { 4618 [Propagated ("CIM_System.CreationClassName"), Key, 4619 MaxLen (256), Description ( 4620 "The scoping System's CreationClassName.") ] 4621 string SystemCreationClassName; 4622 [Propagated ("CIM_System.Name"), Key, MaxLen (256), 4623 Description ("The scoping System's Name.") ] 4624 string SystemName; 4625 [Key, MaxLen (256), Description ( 4626 "CreationClassName indicates the name of the class or the " 4627 "subclass used in the creation of an instance. 
When used " 4628 "with the other key properties of this class, this property " 4629 "allows all instances of this class and its subclasses to " 4630 "be uniquely identified.") ] 4631 string CreationClassName; 4632 [Override ("SettingID"), Key, MaxLen (256)] 4634 string SettingID; 4635 }; 4637 // ================================================================== 4638 // System 4639 // ================================================================== 4640 [Abstract, Description ( 4641 "A CIM_System is a LogicalElement that aggregates an " 4642 "enumerable set of Managed System Elements. The aggregation " 4643 "operates as a functional whole. Within any particular " 4644 "subclass of System, there is a well-defined list of " 4645 "Managed System Element classes whose instances must be " 4646 "aggregated.") ] 4647 class CIM_System:CIM_LogicalElement 4648 { 4649 [Key, MaxLen (256), Description ( 4650 "CreationClassName indicates the name of the class or the " 4651 "subclass used in the creation of an instance. When used " 4652 "with the other key properties of this class, this property " 4653 "allows all instances of this class and its subclasses to " 4654 "be uniquely identified.") ] 4655 string CreationClassName; 4656 [Key, MaxLen (256), Override ("Name"), Description ( 4657 "The inherited Name serves as key of a System instance in " 4658 "an enterprise environment.") ] 4659 string Name; 4660 [MaxLen (64), Description ( 4661 "The System object and its derivatives are Top Level Objects " 4662 "of CIM. They provide the scope for numerous components. " 4663 "Having unique System keys is required. A heuristic can be " 4664 "defined in individual System subclasses to attempt to " 4665 "always " 4666 "generate the same System Name Key. 
The NameFormat property " 4667 "identifies how the System name was generated, using " 4668 "the subclass' heuristic.") ] 4669 string NameFormat; 4670 [MaxLen (256), Description ( 4671 "A string that provides information on how the primary " 4672 "system " 4673 "owner can be reached (e.g. phone number, email address, " 4674 "...)."), 4675 MappingStrings {"MIF.DMTF|General Information|001.3"} ] 4676 string PrimaryOwnerContact; 4677 [MaxLen (64), Description ( 4678 "The name of the primary system owner."), 4679 MappingStrings {"MIF.DMTF|General Information|001.4"} ] 4680 string PrimaryOwnerName; 4681 [Description ( 4682 "An array (bag) of strings that specify the roles this " 4683 "System " 4684 "plays in the IT-environment. Subclasses of System may " 4685 "override this property to define explicit Roles values. " 4686 "Alternately, a Working Group may describe the heuristics, " 4687 "conventions and guidelines for specifying Roles. For " 4688 "example, for an instance of a networking system, the Roles " 4689 "property might contain the string, 'Switch' or 'Bridge'.") ] 4690 string Roles[]; 4691 }; 4693 // ================================================================== 4694 // Service 4695 // ================================================================== 4696 [Abstract, Description ( 4697 "A CIM_Service is a Logical Element that contains the " 4698 "information necessary to represent and manage the " 4699 "functionality provided by a Device and/or SoftwareFeature. " 4700 "A Service is a general-purpose object to configure and " 4701 "manage the implementation of functionality. It is not the " 4702 "functionality itself.") ] 4703 class CIM_Service:CIM_LogicalElement 4704 { 4705 [Key, MaxLen (256), Description ( 4706 "CreationClassName indicates the name of the class or the " 4707 "subclass used in the creation of an instance. 
When used " 4708 "with the other key properties of this class, this " 4709 "property " 4710 "allows all instances of this class and its subclasses to " 4711 "be uniquely identified.") ] 4712 string CreationClassName; 4713 [Override ("Name"), Key, MaxLen (256), 4714 Description ( 4715 "The Name property uniquely identifies the Service and " 4716 "provides an indication of the functionality that is " 4717 "managed. This functionality is described in more detail in " 4718 "the object's Description property. ") ] 4719 string Name; 4720 [MaxLen (10), Description ( 4721 "StartMode is a string value indicating whether the Service " 4722 "is automatically started by a System, Operating System, " 4723 "etc. " 4724 "or only started upon request."), 4725 ValueMap {"Automatic", "Manual"} ] 4726 string StartMode; 4727 [Description ( 4728 "Started is a boolean indicating whether the Service " 4729 "has been started (TRUE), or stopped (FALSE).") ] 4730 boolean Started; 4731 [Propagated ("CIM_System.CreationClassName"), Key, 4732 MaxLen (256), Description ( 4733 "The scoping System's CreationClassName. ") ] 4734 string SystemCreationClassName; 4735 [Propagated ("CIM_System.Name"), Key, MaxLen (256), 4736 Description ("The scoping System's Name.") ] 4737 string SystemName; 4738 [Description ( 4739 "The StartService method places the Service in the started " 4740 "state. It returns an integer value of 0 if the Service was " 4741 "successfully started, 1 if the request is not supported and " 4742 "any other number to indicate an error. In a subclass, the " 4743 "set of possible return codes could be specified, using a " 4744 "ValueMap qualifier on the method. The strings to which the " 4745 "ValueMap contents are 'translated' may also be specified in " 4746 "the subclass as a Values array qualifier.") ] 4747 uint32 StartService(); 4748 [Description ( 4749 "The StopService method places the Service in the stopped " 4750 "state. 
It returns an integer value of 0 if the Service was " 4751 "successfully stopped, 1 if the request is not supported and " 4752 "any other number to indicate an error. In a subclass, the " 4753 "set of possible return codes could be specified, using a " 4754 "ValueMap qualifier on the method. The strings to which the " 4755 "ValueMap contents are 'translated' may also be specified in " 4756 "the subclass as a Values array qualifier.") ] 4757 uint32 StopService(); 4758 }; 4760 // ================================================================== 4761 // ServiceAccessPoint 4762 // ================================================================== 4763 [Abstract, Description ( 4764 "CIM_ServiceAccessPoint represents the ability to utilize or " 4765 "invoke a Service. Access points represent that a Service " 4766 "is made available to other entities for use.") ] 4767 class CIM_ServiceAccessPoint:CIM_LogicalElement 4768 { 4769 [Key, MaxLen (256), Description ( 4770 "CreationClassName indicates the name of the class or the " 4771 "subclass used in the creation of an instance. When used " 4772 "with the other key properties of this class, this " 4773 "property " 4774 "allows all instances of this class and its subclasses to " 4775 "be uniquely identified.") ] 4776 string CreationClassName; 4777 [Override ("Name"), Key, MaxLen (256), 4778 Description ( 4779 "The Name property uniquely identifies the " 4780 "ServiceAccessPoint " 4781 "and provides an indication of the functionality that is " 4782 "managed. 
This functionality is described in more detail in " 4783 "the object's Description property.") ] 4784 string Name; 4785 [Propagated ("CIM_System.CreationClassName"), Key, 4786 MaxLen (256), Description ( 4787 "The scoping System's CreationClassName.") ] 4788 string SystemCreationClassName; 4789 [Propagated ("CIM_System.Name"), Key, MaxLen (256), 4790 Description ("The scoping System's Name.") ] 4791 string SystemName; 4792 }; 4793 // ================================================================== 4794 // === Association class definitions === 4795 // ================================================================== 4797 // ================================================================== 4798 // Component 4799 // ================================================================== 4800 [Association, Abstract, Aggregation, Description ( 4801 "CIM_Component is a generic association used to establish " 4802 "'part of' relationships between Managed System Elements. " 4803 "For " 4804 "example, the SystemComponent association defines parts of " 4805 "a System.") ] 4806 class CIM_Component 4807 { 4808 [Aggregate, Key, Description ( 4809 "The parent element in the association.") ] 4810 CIM_ManagedSystemElement REF GroupComponent; 4811 [Key, Description ("The child element in the association.") ] 4812 CIM_ManagedSystemElement REF PartComponent; 4813 }; 4815 // ================================================================== 4816 // Dependency 4817 // ================================================================== 4818 [Association, Abstract, Description ( 4819 "CIM_Dependency is a generic association used to establish " 4820 "dependency relationships between ManagedElements.") ] 4821 class CIM_Dependency 4822 { 4823 [Key, Description ( 4824 "Antecedent represents the independent object in this " 4825 "association.") ] 4826 CIM_ManagedElement REF Antecedent; 4827 [Key, Description ( 4828 "Dependent represents the object dependent on the " 4829 "Antecedent.") ] 4830 
CIM_ManagedElement REF Dependent; 4831 }; 4833 // =================================================================== 4834 // ElementSetting 4835 // =================================================================== 4836 [Association, Description ( 4837 "ElementSetting represents the association between Managed" 4838 "SystemElements and the Setting class(es) defined for them.") 4839 ] 4840 class CIM_ElementSetting 4841 { 4842 [Key, Description ("The ManagedSystemElement.") ] 4843 CIM_ManagedSystemElement REF Element; 4844 [Key, Description ( 4845 "The Setting object associated with the ManagedSystem" 4846 "Element.") ] 4847 CIM_Setting REF Setting; 4848 }; 4849 // ================================================================== 4850 // MemberOfCollection 4851 // ================================================================== 4852 [Association, Aggregation, Description ( 4853 "CIM_MemberOfCollection is an aggregation used to establish " 4854 "membership of ManagedElements in a Collection." 
) ] 4855 class CIM_MemberOfCollection 4856 { 4857 [Key, Aggregate, Description ( 4858 "The Collection that aggregates members") ] 4859 CIM_Collection REF Collection; 4860 [Key, Description ("The aggregated member of the collection.") 4861 ] 4862 CIM_ManagedElement REF Member; 4863 }; 4865 // ================================================================== 4866 // CIM_SystemSettingContext 4867 // ================================================================== 4868 [Association, Aggregation, Description ( 4869 "This relationship associates System-specific Configuration " 4870 "objects with System-specific Setting objects, similar to " 4871 "the " 4872 "SettingContext association.")] 4873 class CIM_SystemSettingContext { 4874 [Aggregate, Key, Description ( 4875 "The Configuration object that aggregates the Setting.") ] 4876 CIM_SystemConfiguration REF Context; 4877 [Key, Description ("An aggregated Setting.")] 4878 CIM_SystemSetting REF Setting; 4879 }; 4880 Appendix B (DMTF User Model MOF) 4882 // ================================================================== 4883 // OrganizationalEntity 4884 // ================================================================== 4885 [Abstract, Description ( 4886 "OrganizationalEntity is an abstract class from which classes " 4887 "that fit into an organizational structure are derived.") ] 4888 class CIM_OrganizationalEntity : CIM_ManagedElement 4889 { 4890 }; 4892 // ================================================================== 4893 // UserEntity 4894 // ================================================================== 4895 [Abstract, Description ( 4896 "UserEntity is an abstract class that represents users.") ] 4897 class CIM_UserEntity : CIM_OrganizationalEntity 4898 { 4899 }; 4901 // ================================================================== 4902 // UsersAccess 4903 // ================================================================== 4904 [Description ( 4905 "The UsersAccess object class is used to specify 
a system user " 4906 "that permitted access to system resources. The ManagedElement " 4907 "that has access to system resources (represented in the model in " 4908 "the ElementAsUser association) may be a person, a service, a " 4909 "service access point or any collection thereof. Whereas the " 4910 "Account class represents the user's relationship to a system " 4911 "from the perspective of the security services of the system, the " 4912 "UserAccess class represents the relationships to the systems " 4913 "independent of a particular system or service.") ] 4914 class CIM_UsersAccess: CIM_UserEntity 4915 { 4916 [Key, MaxLen (256), Description ( 4917 "CreationClassName indicates the name of the class or the " 4918 "subclass used in the creation of an instance. When used " 4919 "with the other key properties of this class, this property " 4920 "allows all instances of this class and its subclasses to " 4921 "be uniquely identified.")] 4922 string CreationClassName; 4923 [Key, MaxLen (256),Description ( 4924 "The Name property defines the label by which the object is " 4925 "known.")] 4926 string Name; 4927 [Key, Description ( 4928 "The ElementID property uniquely specifies the ManagedElement " 4929 "object instance that is the user represented by the " 4930 "UsersAccess object instance. The ElementID is formatted " 4931 "similarly to a model path except that the property-value " 4932 "pairs are ordered in alphabetical order (US ASCII lexical " 4933 "order).")] 4934 string ElementID; 4935 [Description ( 4936 "Biometric information used to identify a person. 
The " 4937 "property value is left null or set to 'N/A' for non-human " 4938 "user or a user not using biometric information for " 4939 "authentication."), 4940 Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger", 4941 "Voice", "DNA-RNA", "EEG"} ] 4942 uint16 Biometric[]; 4943 }; 4945 // ================================================================== 4946 // SecurityService 4947 // ================================================================== 4948 [ Abstract, Description ( 4949 "CIM_SecurityService ...") ] 4950 class CIM_SecurityService:CIM_Service 4951 { 4952 }; 4954 // ================================================================== 4955 // AuthenticationService 4956 // ================================================================== 4957 [Description ( 4958 "CIM_AuthenticationService verifies users' identities through " 4959 "some means. These services are decomposed into a subclass that " 4960 "provides credentials to users and a subclass that provides for " 4961 "the verification of the validity of a credential and, perhaps, " 4962 "the appropriateness of its use for access to target resources. 
" 4963 "The persistent state information used from one such verification " 4964 "to another is maintained in an Account for that Users Access on " 4965 "that AuthenticationService.") ] 4966 class CIM_AuthenticationService:CIM_SecurityService 4967 { 4968 }; 4970 // ================================================================== 4971 // CredentialManagementService 4972 // ================================================================== 4973 [Description ( 4974 "CIM_CredentialManagementService issues credentials and manages " 4975 "the credential lifecycle.") ] 4976 class CIM_CredentialManagementService:CIM_AuthenticationService 4977 { 4978 }; 4980 // ================================================================== 4981 // CertificateAuthority 4982 // ================================================================== 4983 [Description ("A Certificate Authority (CA) is a credential " 4984 "management service that issues and cryptographically " 4985 "signs certificates thus acting as an trusted third-party " 4986 "intermediary in establishing trust relationships. The CA " 4987 "authenicates the holder of the private key related to the " 4988 "certificate's public key; the authenicated entity is " 4989 "represented by the UsersAccess class.") ] 4990 class CIM_CertificateAuthority:CIM_CredentialManagementService 4991 { 4992 [Description ( 4993 "The CAPolicyStatement describes what care is taken by the " 4994 "CertificateAuthority when signing a new certificate. " 4995 "The CAPolicyStatment may be a dot-delimited ASN.1 OID " 4996 "string which identifies to the formal policy statement.") ] 4997 string CAPolicyStatement; 4998 [Description ( "A CRL, or CertificateRevocationList, is a " 4999 "list of certificates which the CertificateAuthority has " 5000 "revoked and which are not yet expired. 
Revocation is " 5001 "necessary when the private key associated with the public " 5002 "key of a certificate is lost or compromised, or when the " 5003 "person for whom the certificate is signed no longer is " 5004 "entitled to use the certificate."), Octetstring ] 5005 string CRL[]; 5006 [Description ("Certificate Revocation Lists may be " 5007 "available from a number of distribution points. " 5008 "CRLDistributionPoint array values provide URIs for those " 5009 "distribution points.")] 5010 string CRLDistributionPoint[]; 5011 [Description ( "Certificates refer to their issuing CA by " 5012 "its Distinguished Name (as defined in X.501)."), DN] 5013 string CADistinguishedName; 5014 [Description ( "The frequency, expressed in hours, at which " 5015 "the CA will update its Certificate Revocation List. Zero " 5016 "implies that the refresh frequency is unknown."), 5017 Units("Hours")] 5018 uint8 CRLRefreshFrequency; 5019 [Description ( "The maximum number of certificates in a " 5020 "certificate chain permitted for credentials issued by " 5021 "this certificate authority or it's subordinate CAs.\n" 5022 "The MaxChainLength of a superior CA in the trust " 5023 "hierarchy should be greater than this value and the " 5024 "MaxChainLength of a subordinate CA in the trust hierarchy " 5025 "should be less than this value.")] 5026 uint8 MaxChainLength; 5027 }; 5029 // ================================================================== 5030 // KerberosKeyDistributionCenter 5031 // ================================================================== 5032 [Description ( 5033 "CIM_KerberosKeyDistributionCenter ...") ] 5034 class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService 5035 { 5036 [Override ("Name"), 5037 Description ("The Realm served by this KDC.")] 5038 string Name; 5040 [Description ("The version of Kerberos supported by this " 5041 "service."), 5042 Values {"V4", "V5", "DCE", "MS"} ] 5043 uint16 Protocol[]; 5044 }; 5046 // 
   // ==================================================================
   // Notary
   // ==================================================================
   [Description (
       "CIM_Notary is an AuthenticationService (credential "
       "management service) which compares the "
       "biometric characteristics of a person with the "
       "known characteristics of a UsersAccess, and determines "
       "whether the person is the UsersAccess. An example is "
       "a bank teller who compares a picture ID with the person "
       "trying to cash a check, or a biometric login service that "
       "uses voice recognition to identify a user.") ]
   class CIM_Notary:CIM_CredentialManagementService
   {
       [Description ( "The types of biometric information which "
           "this Notary can compare."),
           Values { "N/A", "Other", "Facial", "Retina", "Mark",
               "Finger", "Voice", "DNA-RNA", "EEG"} ]
       uint16 Comparitors;
       [Description (
           "The SealProtocol is how the decision of the Notary is "
           "recorded for future use by parties who will rely on its "
           "decision. "
           "For instance, a driver's licence frequently "
           "includes tamper-resistant coatings and markings to protect "
           "the recorded decision that a driver, having various "
           "biometric characteristics of height, weight, hair and eye "
           "color, using a particular name, has features represented in "
           "a photograph of their face.")]
       string SealProtocol;
       [Description (
           "CharterIssued documents when the Notary is first "
           "authorized, by whoever gave it responsibility, to perform "
           "its service.")]
       datetime CharterIssued;
       [Description (
           "CharterExpired documents when the Notary is no longer "
           "authorized, by whoever gave it responsibility, to perform "
           "its service.")]
       datetime CharterExpired;
   };

   // ==================================================================
   // LocalCredentialManagementService
   // ==================================================================
   [Description (
       "CIM_LocalCredentialManagementService is a credential "
       "management service that provides local system "
       "management of credentials used by the local system.") ]
   class
   CIM_LocalCredentialManagementService:CIM_CredentialManagementService
   {
   };

   // ==================================================================
   // SharedSecretService
   // ==================================================================
   [Description (
       "CIM_SharedSecretService is a service which ascertains "
       "whether messages received are from the Principal with "
       "whom a secret is shared. "
       "Examples include a login "
       "service that proves identity on the basis of knowledge of "
       "the shared secret, or a transport integrity service (like "
       "Kerberos provides) that includes a message authenticity "
       "code that proves each message in the message stream came "
       "from someone who knows the shared secret session key.")]
   class CIM_SharedSecretService:CIM_LocalCredentialManagementService
   {
       [MaxLen (256), Description (
           "The Algorithm used to convey the shared secret, such as "
           "HMAC-MD5, or PLAINTEXT.") ]
       string Algorithm;
       [Description (
           "The Protocol supported by the SharedSecretService.")]
       string Protocol;
   };

   // ==================================================================
   // PublicKeyManagementService
   // ==================================================================
   [Description (
       "CIM_PublicKeyManagementService is a credential management "
       "service that provides local system management of public "
       "keys used by the local system.") ]
   class
   CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService
   {
   };

   // ==================================================================
   // Credential
   // ==================================================================
   [Abstract, Description (
       "Subclasses of CIM_Credential define materials, "
       "information, or other data which are used to prove the "
       "identity of a CIM_UsersAccess to a particular "
       "CIM_SecurityService. Generally, there may be some shared "
       "information, or credential material which is used to "
       "identify and authenticate oneself in the process of "
       "gaining access to, or permission to use, an Account. "
       "Such credential material may be used to authenticate a "
       "UsersAccess identity initially, as done by a "
       "CIM_AuthenticationService (see later), and additionally on "
       "an ongoing basis during the course of a connection or "
       "other security association, as proof that each received "
       "message or communication came from the owning UsersAccess "
       "of that credential material.") ]
   class CIM_Credential:CIM_ManagedElement
   {
   };

   // ==================================================================
   // PublicKeyCertificate
   // ==================================================================
   [Description ("A Public Key Certificate is a credential "
       "that is cryptographically signed by a trusted Certificate "
       "Authority (CA) and issued to an authenticated entity "
       "(e.g., human user, service, etc.) called the Subject in "
       "the certificate and represented by the UsersAccess class. "
       "The public key in the certificate is cryptographically "
       "related to a private key that is to be held and kept "
       "private by the authenticated Subject. The certificate "
       "and its related private key can then be used for "
       "establishing trust relationships and securing "
       "communications with the Subject. "
       "Refer to the ITU/CCITT "
       "X.509 standard as an example of such certificates.") ]
   class CIM_PublicKeyCertificate:CIM_Credential
   {
       [Propagated ("CIM_System.CreationClassName"),
           Key, MaxLen (256), Description ("Scoping System")]
       string SystemCreationClassName;
       [Propagated ("CIM_System.Name"),
           Key, MaxLen (256), Description ("Scoping System")]
       string SystemName;
       [Propagated ("CIM_CertificateAuthority.CreationClassName"),
           Key, MaxLen (256), Description ("Scoping Service")]
       string ServiceCreationClassName;
       [Propagated ("CIM_CertificateAuthority.Name"),
           Key, MaxLen (256), Description ("Scoping Service")]
       string ServiceName;
       [Key, MaxLen (256), Description (
           "Certificate subject identifier")]
       string Subject;
       [MaxLen (256), Description (
           "Alternate subject identifier for the Certificate.")]
       string AltSubject;
       [Description ("The DER-encoded raw public key."), Octetstring]
       uint8 PublicKey[];
   };

   // ==================================================================
   // UnsignedPublicKey
   // ==================================================================
   [Description (
       "A CIM_UnsignedPublicKey represents an unsigned public "
       "key credential. "
       "The local UsersAccess (or subclass "
       "thereof) accepts the public key as authentic because of "
       "a direct trust relationship rather than via a third-party "
       "Certificate Authority.") ]
   class CIM_UnsignedPublicKey:CIM_Credential
   {
       [Propagated ("CIM_System.CreationClassName"),
           Key, MaxLen (256), Description ("Scoping System")]
       string SystemCreationClassName;
       [Propagated ("CIM_System.Name"),
           Key, MaxLen (256), Description ("Scoping System")]
       string SystemName;
       [Propagated
           ("CIM_PublicKeyManagementService.CreationClassName"),
           Key, MaxLen (256), Description ("Scoping Service")]
       string ServiceCreationClassName;
       [Propagated ("CIM_PublicKeyManagementService.Name"),
           Key, MaxLen (256), Description ("Scoping Service")]
       string ServiceName;
       [Key, MaxLen (256), Description (
           "The Identity of the Peer with whom a direct trust "
           "relationship exists. The public key may be used for "
           "security functions with the Peer."),
           ModelCorrespondence
               {"CIM_UnsignedPublicKey.PeerIdentityType" } ]
       string PeerIdentity;
       [Description ("PeerIdentityType is used to describe the "
           "type of the PeerIdentity. "
           "The currently defined values "
           "are used for IKE identities."),
           ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8",
               "9", "10", "11"},
           Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN",
               "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
               "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
               "DER_ASN1_GN", "KEY_ID"},
           ModelCorrespondence
               {"CIM_UnsignedPublicKey.PeerIdentity" } ]
       uint16 PeerIdentityType;
       [Description ("The DER-encoded raw public key."),
           Octetstring]
       uint8 PublicKey[];
   };

   // ==================================================================
   // KerberosTicket
   // ==================================================================
   [Description (
       "A CIM_KerberosTicket represents a credential issued by a "
       "particular Kerberos Key Distribution Center (KDC) "
       "to a particular CIM_UsersAccess as the result of a "
       "successful authentication process. There are two types of "
       "tickets that a KDC may issue to a UsersAccess - a "
       "TicketGranting ticket, which is used to protect and "
       "authenticate communications between the UsersAccess and "
       "the KDC, and a Session ticket, which the KDC issues to two "
       "UsersAccess to allow them to communicate with each other. "
       ) ]
   class CIM_KerberosTicket:CIM_Credential
   {
       [Propagated ("CIM_System.CreationClassName"), Key,
           MaxLen (256), Description ("Scoping System")]
       string SystemCreationClassName;
       [Propagated ("CIM_System.Name"), Key,
           MaxLen (256), Description ("Scoping System")]
       string SystemName;
       [Key, MaxLen (256), Propagated
           ("CIM_KerberosKeyDistributionCenter.CreationClassName"),
           Description ("Scoping Service")]
       string ServiceCreationClassName;
       [Propagated ("CIM_KerberosKeyDistributionCenter.Name"),
           Key, MaxLen (256),
           Description ("Scoping Service. "
           "The Kerberos KDC Realm of "
           "CIM_KerberosTicket is used to record the security "
           "authority, or Realm, name so that tickets issued by "
           "different Realms can be separately managed and "
           "enumerated.")]
       string ServiceName;
       [Key, MaxLen (256), Description ("The name of the service "
           "for which this ticket is used.")]
       string AccessesService;
       [Key, MaxLen (256), Description (
           "RemoteID is the name by which the user is known at "
           "the KDC security service.")]
       string RemoteID;
       datetime Issued;
       datetime Expires;
       [Description (
           "The Type of CIM_KerberosTicket is used to indicate whether "
           "the ticket in question was issued by the Kerberos Key "
           "Distribution Center (KDC) to support ongoing communication "
           "between the UsersAccess and the KDC (\"TicketGranting\"), "
           "or was issued by the KDC to support ongoing communication "
           "between two UsersAccess entities (\"Session\")." ),
           Values {"Session", "TicketGranting"}]
       uint16 TicketType;
   };

   // ==================================================================
   // SharedSecret
   // ==================================================================
   [Description (
       "CIM_SharedSecret is the secret shared between a UsersAccess "
       "and a particular SharedSecret security service. Secrets "
       "may be in the form of a password used for initial "
       "authentication, or as with a session key, used as part of "
       "a message authentication code to verify that a message "
       "originated by the principal with whom the secret is shared. "
       "It is important to note that SharedSecret is not just the "
       "password, but rather is the password used with a particular "
       "security service.")]
   class CIM_SharedSecret:CIM_Credential
   {
       [Propagated ("CIM_System.CreationClassName"), Key,
           MaxLen (256), Description ("Scoping System")]
       string SystemCreationClassName;
       [Propagated ("CIM_System.Name"), Key,
           MaxLen (256), Description ("Scoping System")]
       string SystemName;
       [Key, MaxLen (256), Propagated
           ("CIM_SharedSecretService.CreationClassName"),
           Description ("Scoping Service")]
       string ServiceCreationClassName;
       [Propagated ("CIM_SharedSecretService.Name"),
           Key, MaxLen (256),
           Description ("Scoping Service")]
       string ServiceName;
       [Key, MaxLen (256), Description (
           "RemoteID is the name by which the user is known at "
           "the remote secret key authentication service.")]
       string RemoteID;
       [Description (
           "secret is the secret known by the UsersAccess.")]
       string secret;
       [Description (
           "algorithm names the transformation algorithm, if any, used "
           "to protect passwords before use in the protocol. For "
           "instance, Kerberos doesn't store passwords as the shared "
           "secret, but rather, a hash of the password.")]
       string algorithm;
       [Description (
           "protocol names the protocol with which the SharedSecret is "
           "used.")]
       string protocol;
   };

   // ==================================================================
   // NamedSharedIKESecret
   // ==================================================================
   [Description (
       "CIM_NamedSharedIKESecret indirectly represents a shared "
       "secret credential. The local identity, IKEIdentity, "
       "and the remote peer identity share the secret that is "
       "named by the SharedSecretName. "
       "The SharedSecretName is "
       "used by the SharedSecretService to reference the secret.") ]
   class CIM_NamedSharedIKESecret:CIM_Credential
   {
       [Propagated ("CIM_System.CreationClassName"),
           Key, MaxLen (256), Description ("Scoping System")]
       string SystemCreationClassName;
       [Propagated ("CIM_System.Name"),
           Key, MaxLen (256), Description ("Scoping System")]
       string SystemName;
       [Propagated ("CIM_SharedSecretService.CreationClassName"),
           Key, MaxLen (256), Description ("Scoping Service")]
       string ServiceCreationClassName;
       [Propagated ("CIM_SharedSecretService.Name"),
           Key, MaxLen (256), Description ("Scoping Service")]
       string ServiceName;
       [Key, MaxLen (256), Description (
           "The local Identity with whom the direct trust "
           "relationship exists."),
           ModelCorrespondence
               {"CIM_NamedSharedIKESecret.LocalIdentityType" } ]
       string LocalIdentity;
       [Key, Description ("LocalIdentityType is used to describe "
           "the type of the LocalIdentity."),
           ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
               "9", "10", "11"},
           Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
               "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
               "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
               "DER_ASN1_GN", "KEY_ID"},
           ModelCorrespondence
               {"CIM_NamedSharedIKESecret.LocalIdentity" } ]
       uint16 LocalIdentityType;
       [Key, MaxLen (256), Description (
           "The peer identity with whom the direct trust "
           "relationship exists."),
           ModelCorrespondence
               {"CIM_NamedSharedIKESecret.PeerIdentityType" } ]
       string PeerIdentity;
       [Key, Description ("PeerIdentityType is used to describe "
           "the type of the PeerIdentity."),
           ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
               "9", "10", "11"},
           Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
               "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
               "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
               "DER_ASN1_GN", "KEY_ID"},
           ModelCorrespondence
               {"CIM_NamedSharedIKESecret.PeerIdentity" } ]
       uint16 PeerIdentityType;
       [Description ("SharedSecretName is an indirect reference "
           "to a shared secret. The SecretService does not expose "
           "the actual secret but rather provides access to the "
           "secret via a name.")]
       string SharedSecretName;
   };

   // ==================================================================
   // === Association class definitions ===
   // ==================================================================

   // ==================================================================
   // ElementAsUser
   // ==================================================================
   [Association, Description (
       "CIM_ElementAsUser is an association used to establish the "
       "'ownership' of UsersAccess object instances. That is, the "
       "ManagedElement may have UsersAccess to systems and, therefore, "
       "be 'users' on those systems. UsersAccess instances must have an "
       "'owning' ManagedElement. Typically, the ManagedElements will be "
       "limited to Collection, Person, Service and ServiceAccessPoint. "
       "Other non-human ManagedElements that might be thought of as "
       "having UsersAccess (e.g., a device or system) have services that "
       "have the UsersAccess.")]
   class CIM_ElementAsUser : CIM_Dependency
   {
       [Min (1), Max (1), Override ("Antecedent"),
           Description ("The ManagedElement that has UsersAccess") ]
       CIM_ManagedElement REF Antecedent;
       [Override ("Dependent"),
           Description ("The 'owned' UsersAccess") ]
       CIM_UsersAccess REF Dependent;
   };

   // ==================================================================
   // UsersCredential
   // ==================================================================
   [Association, Description (
       "CIM_UsersCredential is an association used to establish the "
       "credentials that may be used for a UsersAccess to a system or "
       "set of systems. " )]
   class CIM_UsersCredential : CIM_Dependency
   {
       [Override ("Antecedent"),
           Description ("The issued credential that may be used.") ]
       CIM_Credential REF Antecedent;
       [Override ("Dependent"),
           Description ("The UsersAccess that has use of a credential") ]
       CIM_UsersAccess REF Dependent;
   };

   // ===================================================================
   // PublicPrivateKeyPair
   // ===================================================================
   [Association, Description (
       "This relationship associates a PublicKeyCertificate with "
       "the Principal who has the PrivateKey used with the "
       "PublicKey. "
       "The PrivateKey is not modeled, since it is not "
       "a data element that ever SHOULD be accessible via "
       "management applications, other than key recovery services, "
       "which are outside our scope.") ]
   class CIM_PublicPrivateKeyPair:CIM_UsersCredential
   {
       [ Override ("Antecedent") ]
       CIM_PublicKeyCertificate REF Antecedent;
       [ Override ("Dependent") ]
       CIM_UsersAccess REF Dependent;
       [Description ( "The Certificate may be used for signature "
           "only or for confidentiality as well as signature"),
           Values { "SignOnly", "ConfidentialityOrSignature"} ]
       uint16 Use;
       boolean NonRepudiation;
       boolean BackedUp;
       [Description ("The repository in which the certificate is "
           "backed up.")]
       string Repository;
   };

   // ===================================================================
   // CAHasPublicCertificate
   // ===================================================================
   [Association, Description (
       "A CertificateAuthority may have certificates issued by other CAs. "
       "This association is essentially an optimization of the CA having "
       "a UsersAccess instance with an association to a certificate thus "
       "mapping more closely to LDAP-based certificate authority "
       "implementations.") ]
   class CIM_CAHasPublicCertificate:CIM_Dependency
   {
       [Max (1), Override ("Antecedent"),
           Description ("The Certificate used by the CA")]
       CIM_PublicKeyCertificate REF Antecedent;
       [Override ("Dependent"),
           Description ("The CA that uses a Certificate")]
       CIM_CertificateAuthority REF Dependent;
   };

   // ===================================================================
   // ManagedCredential
   // ===================================================================
   [Association, Description (
       "This relationship associates a CredentialManagementService "
       "with the Credential it manages.") ]
   class CIM_ManagedCredential:CIM_Dependency
   {
       [Override ("Antecedent"), Min (1), Max (1),
           Description ( "The credential management service")]
       CIM_CredentialManagementService REF Antecedent;
       [Override ("Dependent"),
           Description ( "The managed credential")]
       CIM_Credential REF Dependent;
   };

   // ===================================================================
   // CASignsPublicKeyCertificate
   // ===================================================================
   [Association, Description (
       "This relationship associates a CertificateAuthority with "
       "the certificates it signs.") ]
   class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential
   {
       [Override ("Antecedent"), Min (1), Max (1),
           Description ( "The CA which signed the certificate")]
       CIM_CertificateAuthority REF Antecedent;
       [Override ("Dependent"), Weak,
           Description ( "The certificate issued by the CA")]
       CIM_PublicKeyCertificate REF Dependent;
       string SerialNumber;
       [ Octetstring ]
       uint8 Signature[];
       datetime Expires;
       string CRLDistributionPoint[];
   };

   // ==================================================================
   // LocallyManagedPublicKey
   // ==================================================================
   [Association, Description (
       "CIM_LocallyManagedPublicKey association provides the "
       "relationship between a PublicKeyManagementService and an "
       "UnsignedPublicKey.") ]
   class CIM_LocallyManagedPublicKey:CIM_ManagedCredential
   {
       [Override ("Antecedent"), Min (1), Max (1),
           Description ("The PublicKeyManagementService that manages "
           "an unsigned public key.") ]
       CIM_PublicKeyManagementService REF Antecedent;
       [Override ("Dependent"), Weak, Description (
           "An unsigned public key.") ]
       CIM_UnsignedPublicKey REF Dependent;
   };

   // ===================================================================
   // SharedSecretIsShared
   // ===================================================================
   [Association, Description (
       "This relationship associates a SharedSecretService with the "
       "SecretKey it verifies.") ]
   class CIM_SharedSecretIsShared : CIM_ManagedCredential
   {
       [Override ("Antecedent"), Min (1), Max (1),
           Description ("The credential management service")]
       CIM_SharedSecretService REF Antecedent;
       [Override ("Dependent"), Weak,
           Description ( "The managed credential")]
       CIM_SharedSecret REF Dependent;
   };

   // ==================================================================
   // IKESecretIsNamed
   // ==================================================================
   [Association, Description (
       "CIM_IKESecretIsNamed association provides the "
       "relationship between a SharedSecretService and a "
       "NamedSharedIKESecret.") ]
   class CIM_IKESecretIsNamed:CIM_ManagedCredential
   {
       [Override ("Antecedent"), Min (1), Max (1),
           Description ("The SharedSecretService that "
           "manages a "
           "NamedSharedIKESecret.")]
       CIM_SharedSecretService REF Antecedent;
       [Override ("Dependent"), Weak, Description (
           "The managed NamedSharedIKESecret.") ]
       CIM_NamedSharedIKESecret REF Dependent;
   };

   // ===================================================================
   // KDCIssuesKerberosTicket
   // ===================================================================
   [Association, Description (
       "The KDC issues and owns Kerberos tickets. This association "
       "captures the relationship between the KDC and its issued tickets."
       ) ]
   class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential
   {
       [Override ("Antecedent"), Min (1), Max (1),
           Description ( "The issuing KDC") ]
       CIM_KerberosKeyDistributionCenter REF Antecedent;
       [Override ("Dependent"), Weak,
           Description ( "The managed credential")]
       CIM_KerberosTicket REF Dependent;
   };

   // ===================================================================
   // NotaryVerifiesBiometric
   // ===================================================================
   [Association, Description (
       "This relationship associates a Notary service with the "
       "UsersAccess whose biometric information is verified.") ]
   class CIM_NotaryVerifiesBiometric : CIM_Dependency
   {
       [Override ("Antecedent"),
           Description ("The Notary service that verifies biometric "
           "information ") ]
       CIM_Notary REF Antecedent;
       [Override ("Dependent"),
           Description ( "The UsersAccess that represents a person using "
           "biometric information for authentication.")]
       CIM_UsersAccess REF Dependent;
   };

Appendix C (DMTF Network Model MOF)

   // ==================================================================
   // NetworkService
   // ==================================================================
   [Abstract, Description (
       "This is an abstract base class, derived from the Service "
       "class. It serves as the root of the network service "
       "hierarchy. Network services represent generic functions "
       "that are available from the network that configure and/or "
       "modify the traffic being sent. For example, FTP is not a "
       "network service, as it simply passes data unchanged from "
       "source to destination. On the other hand, services "
       "that provide quality of service (e.g., DiffServ) and "
       "security (e.g., IPSec) do affect the traffic stream. "
       "Quality of service, IPSec, and other services are "
       "subclasses of this class. This class hierarchy enables "
       "developers to match services to users, groups, "
       "and other objects in the network.") ]
   class CIM_NetworkService : CIM_Service
   {
       [Description (
           "This is a free-form array of strings that provide "
           "descriptive words and phrases that can be used in queries "
           "to help locate and identify instances of this service.") ]
       string Keywords [ ];
       [Description (
           "This is a URL that provides the protocol, network "
           "location, and other service-specific information required "
           "in order to access the service. This should be implemented "
           "as a LabeledURI, with syntax DirectoryString and a "
           "matching rule of CaseExactMatch, for directory "
           "implementors.") ]
       string ServiceURL;
       [Description (
           "This is a free-form array of strings that specify any "
           "specific pre-conditions that must be met in order for this "
           "service to start correctly. It is expected that subclasses "
           "will refine the inherited StartService() and StopService() "
           "methods to suit their own application-specific needs. "
           "This "
           "property is used to specify application-specific conditions "
           "needed by the refined StartService and StopService "
           "methods.") ]
       string StartupConditions [ ];
       [Description (
           "This is a free-form array of strings that specify any "
           "specific parameters that must be supplied to the "
           "StartService() method in order for this service to start "
           "correctly. It is expected that subclasses will refine the "
           "inherited StartService() and StopService() methods to suit "
           "their own application-specific needs. This property is used "
           "to specify application-specific parameters needed by the "
           "refined StartService and StopService methods.") ]
       string StartupParameters [ ];
   };

   // ==================================================================
   // ProtocolEndpoint
   // ==================================================================
   [Description (
       "A communication point from which data may be sent or "
       "received. ProtocolEndpoints link router interfaces and "
       "switch ports to LogicalNetworks.") ]
   class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint
   {
       [Override ("Name"), MaxLen(256), Description (
           "A string which identifies this ProtocolEndpoint with either "
           "a port or an interface on a device. To ensure uniqueness, "
           "the Name property should be prepended or appended with "
           "information from the Type or OtherTypeDescription "
           "properties. The method chosen is described in the "
           "NameFormat property of this class.") ]
       string Name;
       [MaxLen (256), Description (
           "NameFormat contains the naming heuristic that is chosen to "
           "ensure that the value of the Name property is unique. "
           "For "
           "example, one might choose to prepend the name of the port "
           "or interface with the Type of ProtocolEndpoint that this "
           "instance is (e.g., IPv4) followed by an underscore.") ]
       string NameFormat;
       [MaxLen (64), Description (
           "ProtocolType is an enumeration that provides additional "
           "information that can be used to help categorize and "
           "classify different instances of this class."),
           ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
               "10", "11", "12", "13", "14", "15", "16", "17",
               "18", "19", "20", "21"},
           Values { "Unknown", "Other", "IPv4", "IPv6", "IPX",
               "AppleTalk", "DECnet", "SNA", "CONP", "CLNP",
               "VINES", "XNS", "ATM", "Frame Relay",
               "Ethernet", "TokenRing", "FDDI", "Infiniband",
               "Fibre Channel", "ISDN BRI Endpoint",
               "ISDN B Channel Endpoint", "ISDN D Channel Endpoint"
               },
           ModelCorrespondence {
               "CIM_ProtocolEndpoint.OtherTypeDescription"} ]
       string ProtocolType;
       [MaxLen(64), Description (
           "A string describing the type of ProtocolEndpoint that this "
           "instance is when the Type property of this class (or any of "
           "its subclasses) is set to 1 (e.g., 'Other'). The format of "
           "the string inserted in this property should be similar in "
           "format to the values defined for the Type property. "
           "This "
           "property should be set to NULL when the Type property is "
           "any value other than 1."),
           ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} ]
       string OtherTypeDescription;
   };

   // ==================================================================
   // IPProtocolEndpoint
   // ==================================================================
   [Description (
       "A ProtocolEndpoint that is dedicated to running IP.") ]
   class CIM_IPProtocolEndpoint : CIM_ProtocolEndpoint
   {
       [Description (
           "The IP address that this ProtocolEndpoint represents, "
           "formatted according to the appropriate convention as "
           "defined in the AddressType property of this class "
           "(e.g., 171.79.6.40).") ]
       string Address;
       [Description (
           "The mask for the IP address of this ProtocolEndpoint, "
           "formatted according to the appropriate convention as "
           "defined in the AddressType property of this class "
           "(e.g., 255.255.252.0).") ]
       string SubnetMask;
       [Description (
           "An enumeration that describes the format of the address "
           "property. Whenever possible, IPv4-compatible addresses "
           "should be used instead of native IPv6 addresses (see "
           "RFC 2373, section 2.5.4). In order to have a consistent "
           "format for IPv4 addresses in a mixed IPv4/v6 environment, "
           "all IPv4 addresses and both IPv4-compatible IPv6 addresses "
           "and IPv4-mapped IPv6 addresses, per RFC 2373, section "
           "2.5.4, should be formatted in standard IPv4 format. "
           "However, this (the 2.2) version of the Network Common "
           "Model will not explicitly support mixed IPv4/IPv6 "
           "environments. "
           "This will be added in a future release."),
           ValueMap { "0", "1", "2" },
           Values { "Unknown", "IPv4", "IPv6" } ]
       uint16 AddressType;
       [Description (
           "It is not possible to tell from the address alone if a "
           "given IPProtocolEndpoint can support IPv4 and IPv6, or "
           "just one of these. This property explicitly defines the "
           "support for different versions of IP that this "
           "IPProtocolEndpoint has. "
           "\n\n"
           "More implementation experience is needed in order to "
           "correctly model mixed IPv4/IPv6 networks; therefore, this "
           "version (2.2) of the Network Common Model will not support "
           "mixed IPv4/IPv6 environments. This will be looked at "
           "further in a future version."),
           ValueMap { "0", "1", "2" },
           Values { "Unknown", "IPv4 Only", "IPv6 Only" } ]
       uint16 IPVersionSupport;
   };

   // ===================================================================
   // CIM_FilterEntryBase
   // ===================================================================
   [Description (
       " FilterEntryBase is an abstract class to define the naming "
       "of all filter entries, and to allow their common "
       "aggregation into FilterLists. The FilterEntry subclass "
       "represents packet filtering. Other types of Entries are "
       "possible - for example, to filter security credentials. \n"
       " FilterEntryBase is weak to the network device (e.g., the "
       "ComputerSystem) that contains it. Hence, the ComputerSystem "
       "keys are propagated to this class.") ]
   class CIM_FilterEntryBase : CIM_LogicalElement
   {
       [Propagated ("CIM_ComputerSystem.CreationClassName"), Key,
           MaxLen (256),
           Description (
           "The scoping ComputerSystem's CreationClassName.") ]
       string SystemCreationClassName;
       [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256),
           Description (
           "The scoping ComputerSystem's Name.") ]
       string SystemName;
       [Key, MaxLen (256),
           Description (
           "CreationClassName indicates the name of the class or the "
           "subclass used in the creation of an instance. When used "
           "with the other key properties of this class, this property "
           "allows all instances of this class and its subclasses to "
           "be uniquely identified.") ]
       string CreationClassName;
       [Key, MaxLen (256),
           Description (
           "The Name property defines the label by which the Filter"
           "Entry is known and uniquely identified.") ]
       string Name;
       [Description (
           "Boolean indicating that the match condition described "
           "in the properties of the FilterEntryBase subclass "
           "should be negated.") ]
       boolean IsNegated;
   };

   // ===================================================================
   // CIM_IPHeaderFilter
   // ===================================================================
   [Description ("IPHeaderFilter contains all of the "
       "properties necessary to perform filtering on an IP header "
       "or a portion thereof.")]
   class CIM_IPHeaderFilter : CIM_FilterEntryBase
   {
       [Description ("IpVersion identifies the version of the IP "
           "addresses for IP header filters. "
           "It is also used to "
           "determine the sizes of the OctetStrings in the four "
           "properties SrcAddress, SrcMask, DestAddress, and DestMask, "
           "as follows:\n"
           "ipv4(4): OctetString(SIZE (4))\n"
           "ipv6(6): OctetString(SIZE (16|20)), depending on whether\n"
           " a scope identifier is present"),
           ValueMap {"4", "6" },
           Values { "IPv4", "IPv6" },
           ModelCorrespondence {
               "CIM_IPHeaderFilter.SrcAddress",
               "CIM_IPHeaderFilter.SrcMask",
               "CIM_IPHeaderFilter.DestAddress",
               "CIM_IPHeaderFilter.DestMask" } ]
       uint8 IpVersion;
       [Description ("SrcAddress is an OctetString, of a size "
           "determined by the value of the IpVersion property, "
           "representing a source IP address. This value is compared to "
           "the source address in the IP header, subject to the mask "
           "represented in the SrcMask property."),
           OCTETSTRING,
           ModelCorrespondence {"CIM_IPHeaderFilter.IpVersion"}]
       uint8 SrcAddress[];
       [Description ("SrcMask is an OctetString, of a size determined "
           "by the value of the IpVersion property, representing a mask "
           "to be used in comparing the source address in the IP header "
           "with the value represented in the SrcAddress property."),
           OCTETSTRING,
           ModelCorrespondence {"CIM_IPHeaderFilter.IpVersion"}]
       uint8 SrcMask[];
       [Description ("DestAddress is an OctetString, of a size "
           "determined by the value of the IpVersion property, "
           "representing a destination IP address. "
This value is " 5918 "compared to the destination address in the IP header, " 5920 "subject to the mask represented in the DestMask property."), 5922 OCTETSTRING, 5924 ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}] 5926 uint8 DestAddress[]; 5928 [Description ("DestMask is an OctetString, of a size " 5930 "determined by the value of the IpVersion property, " 5932 "representing a mask to be used in comparing the destination " 5934 "address in the IP header with the value represented in the " 5936 "DestAddress property."), 5938 OCTETSTRING, 5940 ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}] 5942 uint8 DestMask[]; 5944 [Description ("ProtocolID is an 8-bit unsigned integer, " 5946 "representing an IP protocol type. This value is compared to" 5948 " the Protocol field in the IP header.")] 5950 uint8 ProtocolID; 5952 [Description ("SrcPortStart represents the lower end of a " 5954 "range of UDP or TCP source ports. The upper end of the " 5956 "range is represented by the SrcPortEnd property. The value " 5958 "of SrcPortStart MUST be no greater than the value of " 5960 "SrcPortEnd. A single port is indicated by equal values for " 5962 "SrcPortStart and SrcPortEnd.\n" 5964 "\n" 5966 "A source port filter is evaluated by testing whether the " 5968 "source port identified in the IP header falls within the " 5970 "range of values between SrcPortStart and SrcPortEnd, " 5972 "including these two end points.")] 5974 uint16 SrcPortStart; 5976 [Description ("SrcPortEnd represents the upper end of a range " 5978 "of UDP or TCP source ports. The lower end of the range is " 5980 "represented by the SrcPortStart property. The value of " 5982 "SrcPortEnd MUST be no less than the value of SrcPortStart. 
" 5984 "A single port is indicated by equal values for SrcPortStart " 5986 "and SrcPortEnd.\n" 5988 "\n" 5990 "A source port filter is evaluated by testing whether the " 5992 "source port identified in the IP header falls within the " 5994 "range of values between SrcPortStart and SrcPortEnd, " 5996 "including these two end points.")] 5998 uint16 SrcPortEnd; 6000 [Description ("DestPortStart represents the lower end of " 6002 "a range of UDP or TCP destination ports. The upper end of " 6004 "the range is represented by the DestPortEnd property. The " 6006 "value of DestPortStart MUST be no greater than the value of " 6008 "DestPortEnd. A single port is indicated by equal values for" 6009 " DestPortStart and DestPortEnd.\n" 6011 "\n" 6013 "A destination port filter is evaluated by testing whether " 6015 "the destination port identified in the IP header falls " 6017 "within the range of values between DestPortStart and " 6019 "DestPortEnd, including these two end points.")] 6021 uint16 DestPortStart; 6023 [Description ("DestPortEnd represents the upper end of a range" 6025 " of UDP or TCP destination ports. The lower end of the " 6027 "range is represented by the DestPortStart property. The " 6029 "value of DestPortEnd MUST be no less than the value of " 6031 "DestPortStart. A single port is indicated by equal values " 6033 "for DestPortStart and DestPortEnd.\n" 6035 "\n" 6037 "A destination port filter is evaluated by testing whether " 6039 "the destination port identified in the IP header falls " 6041 "within the range of values between DestPortStart and " 6043 "DestPortEnd, including these two end points.")] 6045 uint16 DestPortEnd; 6047 [Description ("DSCPs are defined as discrete code points, " 6049 "with no inherent structure, there is no semantically " 6051 "significant relationship between different DSCPs. " 6053 "Consequently, there is no provision for specifying a range " 6055 "of DSCPs in this property. 
Since, in IPv4, the DSCP field " 6057 "may contain bits to be interpreted as the TOS IP Precedence," 6059 " this property is also used to filter on IP Precedence. " 6061 "Similarly, the IPv6 Traffic Class field is also filtered " 6063 "using the value in this property."), 6065 MAXVALUE (63)] 6067 uint8 DSCP; 6069 [Description ("The 20-bit Flow Label field in the IPv6 header " 6071 "may be used by a source to label sequences of packets for " 6073 "which it requests special handling by the IPv6 devices, such" 6075 " as non-default quality of service or 'real-time' service. " 6077 "In the filter, this 20-bit string is encoded in a 24-bit " 6079 "octetstring by right-adjusting the value and padding on the " 6081 "left with b'0000'."), 6083 OCTETSTRING ] 6085 uint8 FlowLabel[]; 6087 }; 6089 // ================================================================== 6090 // FilterList 6091 // ================================================================== 6092 [Description ( 6093 "A FilterList is used by network devices to identify routes " 6094 "by aggregating a set of FilterEntries into a unit, called a " 6095 "FilterList. FilterLists can also be used to accept or deny " 6096 "routing updates." 6097 "\n\n" 6098 "A FilterList is weak to the network device (e.g., the " 6099 "ComputerSystem) that contains it. Hence, the ComputerSystem " 6100 "keys are propagated to this class.") ] 6102 class CIM_FilterList : CIM_LogicalElement 6103 { 6104 [Propagated ("CIM_ComputerSystem.CreationClassName"), Key, 6105 MaxLen (256), Description ( 6106 "The scoping ComputerSystem's CreationClassName. 
") ] 6107 string SystemCreationClassName; 6109 [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256), 6110 Description ("The scoping ComputerSystem's Name.") ] 6111 string SystemName; 6113 [Key, Description ( 6114 "The type of class that this instance is.") ] 6115 string CreationClassName; 6116 [Key, MaxLen(256), Description ( 6117 "This is the name of the FilterList.") ] 6118 string Name; 6120 [Description ( 6121 "This defines whether the FilterList is used " 6122 "for input, output, or both input and output " 6123 "filtering. All values are used with respect to " 6124 "the interface for which the FilterList applies. " 6125 "\n\n" 6126 "\"Not Applicable\" (0) is used when there is no " 6127 "direction applicable to the FilterList.\n" 6128 "\"Input\" (1) is used when the FilterList applies " 6129 "to packets that are inbound on the related " 6130 "interface.\n" 6131 "\"Output\" (2) is used when the FilterList applies " 6132 "to packets that are outbound on the related " 6133 "interface.\n" 6134 "\"Both\" (3) is used to indicate that " 6135 "the direction is immaterial, e.g., to filter on " 6136 "a source subnet regardless of whether the flow is " 6137 "inbound or outbound.\n" 6138 "\"Mirrored\" (4) is also applicable to " 6139 "both inbound and outbound flow processing, but " 6140 "indicates that the filter criteria are applied " 6141 "asymmetrically to traffic in both directions " 6142 "and, thus, specifies the reversal of source and " 6143 "destination criteria (as opposed to the equality " 6144 "of these criteria as indicated by \"Both\"). " 6145 "The match conditions in the aggregated " 6146 "FilterEntryBase subclass instances are defined " 6147 "from the perspective of outbound flows and applied " 6148 "to inbound flows as well by reversing the source " 6149 "and destination criteria. 
So, for example, " 6150 "consider a FilterList with 3 FilterEntries " 6151 "indicating destination port = 80, and source and " 6152 "destination addresses of a and b, respectively. " 6153 "Then, for the outbound direction, the filter " 6154 "entries match as specified and the 'mirror' (for " 6155 "the inbound direction) matches on source " 6156 "port = 80 and source and destination addresses " 6157 "of b and a, respectively."), 6158 Values {"Not Applicable", "Input", "Output", 6159 "Both", "Mirrored" } ] 6160 uint16 Direction; 6161 }; 6163 // ================================================================== 6164 // === Association class definitions === 6165 // ================================================================== 6167 // ================================================================== 6168 // EntriesInFilterList 6169 // ================================================================== 6170 [Association, Aggregation, Description ( 6171 "This is a specialization of the CIM_Component aggregation " 6172 "which is used to define a set of filter entries (subclasses " 6173 "of FilterEntryBase) that are aggregated by a particular " 6174 "FilterList.") ] 6175 class CIM_EntriesInFilterList : CIM_Component 6176 { 6177 [Aggregate, Max(1), Override ("GroupComponent"), 6178 Description ( 6179 "The FilterList, which aggregates the set " 6180 "of FilterEntries.") ] 6181 CIM_FilterList REF GroupComponent; 6182 [Override ("PartComponent"), 6183 Description ( 6184 "Any subclass of FilterEntryBase which is a part of " 6185 "the FilterList.") ] 6186 CIM_FilterEntryBase REF PartComponent; 6187 [Description ( 6188 "The order of the Entry relative to all others in the " 6189 "FilterList. A value of zero indicates that all the Entries " 6190 "should be ANDed together. Use of the Sequence property " 6191 "should be consistent across the List. 
         "It is not valid to define some Entries as ANDed in the "
         "FilterList (Sequence=0) while other Entries have a non-zero "
         "Sequence number.") ]
    uint16 EntrySequence;
};

Appendix D (DMTF Policy Model MOF)

// ==================================================================
// Policy
// ==================================================================
   [Abstract, Description (
     "An abstract class defining the common properties of the policy "
     "managed elements derived from CIM_Policy. The subclasses are "
     "used to create rules and groups of rules that work together to "
     "form a coherent set of policies within an administrative domain "
     "or set of domains.")
   ]
class CIM_Policy : CIM_ManagedElement
{
       [Description (
         "A user-friendly name of this policy-related object.")
       ]
    string CommonName;

       [Description (
         "An array of keywords for characterizing / categorizing "
         "policy objects. Keywords are of one of two types: \n"
         "- Keywords defined in this and other MOFs, or in DMTF "
         "white papers. These keywords provide a vendor-"
         "independent, installation-independent way of "
         "characterizing policy objects. \n"
         "- Installation-dependent keywords for characterizing "
         "policy objects. Examples include 'Engineering', "
         "'Billing', and 'Review in December 2000'. \n"
         "This MOF defines the following keywords: 'UNKNOWN', "
         "'CONFIGURATION', 'USAGE', 'SECURITY', 'SERVICE', "
         "'MOTIVATIONAL', 'INSTALLATION', and 'EVENT'. These "
         "concepts are self-explanatory and are further discussed "
         "in the SLA/Policy White Paper. One additional keyword "
         "is defined: 'POLICY'. The role of this keyword is to "
         "identify policy-related instances that may not be otherwise "
         "identifiable, in some implementations. The keyword 'POLICY' "
         "is NOT mutually exclusive of the other keywords "
         "specified above.")
       ]
    string PolicyKeywords [];
};

// ==================================================================
// PolicySet
// ==================================================================
   [Abstract, Description (
     "PolicySet is an abstract class that represents a set of "
     "policies that form a coherent set. The set of contained "
     "policies has a common decision strategy and a common set of "
     "policy roles. Subclasses include PolicyGroup and PolicyRule.")
   ]
class CIM_PolicySet : CIM_Policy
{
       [Description (
         "PolicyDecisionStrategy defines the evaluation method used "
         "for policies contained in the PolicySet. FirstMatching "
         "enforces the actions of the first rule that evaluates to "
         "TRUE. It is the only value currently defined."),
        ValueMap { "1" },
        Values { "FirstMatching" }
       ]
    uint16 PolicyDecisionStrategy;

       [Description (
         "The PolicyRoles property represents the roles and role "
         "combinations associated with a PolicySet. All contained "
         "PolicySet instances inherit the values of the PolicyRoles of "
         "the aggregating PolicySet but the values are not copied. "
         "A contained PolicySet instance may, however, add additional "
         "PolicyRoles to those it inherits from its aggregating "
         "PolicySet(s).\n"
         "\n"
         "Each value represents one role or role combination. Since "
         "this is a multi-valued property, more than one role or "
         "combination can be associated with a single PolicySet. Each "
         "value is a string of the form:\n"
         "   <RoleName>[&&<RoleName>]*\n"
         "where the individual role names appear in alphabetical order "
         "(according to the collating sequence for UCS-2).")
       ]
    string PolicyRoles [];
};

// ==================================================================
// PolicyGroup
// ==================================================================
   [Description (
     "An aggregation of PolicySet instances (PolicyGroups and/or "
     "PolicyRules) that have the same decision strategy and inherit "
     "policy roles. PolicyGroup instances are defined and named "
     "relative to the CIM_System that provides their context.")
   ]
class CIM_PolicyGroup : CIM_PolicySet
{
       [Propagated("CIM_System.CreationClassName"),
        Key, MaxLen (256),
        Description ("The scoping System's CreationClassName.")
       ]
    string SystemCreationClassName;

       [Propagated("CIM_System.Name"),
        Key, MaxLen (256),
        Description ("The scoping System's Name.")
       ]
    string SystemName;

       [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.") ]
    string CreationClassName;

       [Key, MaxLen (256), Description (
         "A user-friendly name of this PolicyGroup.")
       ]
    string PolicyGroupName;
};

// ==================================================================
// PolicyRule
// ==================================================================
   [Description (
     "The central class used for representing the 'If Condition then "
     "Action' semantics of a policy rule. A PolicyRule condition, in "
     "the most general sense, is represented as either an ORed set of "
     "ANDed conditions (Disjunctive Normal Form, or DNF) or an ANDed "
     "set of ORed conditions (Conjunctive Normal Form, or CNF). "
     "Individual conditions may either be negated (NOT C) or "
     "unnegated (C). The actions specified by a PolicyRule are to be "
     "performed if and only if the PolicyRule condition (whether it "
     "is represented in DNF or CNF) evaluates to TRUE.\n"
     "\n"
     "The conditions and actions associated with a PolicyRule are "
     "modeled, respectively, with subclasses of PolicyCondition and "
     "PolicyAction. These condition and action objects are tied to "
     "instances of PolicyRule by the PolicyConditionInPolicyRule and "
     "PolicyActionInPolicyRule aggregations.\n"
     "\n"
     "A PolicyRule may also be associated with one or more policy "
     "time periods, indicating the schedule according to which the "
     "policy rule is active and inactive. In this case it is the "
     "PolicyRuleValidityPeriod aggregation that provides this "
     "linkage.\n"
     "\n"
     "The PolicyRule class uses the property ConditionListType to "
     "indicate whether the conditions for the rule are in DNF or "
     "CNF. The PolicyConditionInPolicyRule aggregation contains "
     "two additional properties to complete the representation of "
     "the Rule's conditional expression. The first of these "
     "properties is an integer to partition the referenced "
     "PolicyConditions into one or more groups, and the second is a "
     "Boolean to indicate whether a referenced Condition is "
     "negated. An example shows how ConditionListType and these "
     "two additional properties provide a unique representation "
     "of a set of PolicyConditions in either DNF or CNF.\n"
     "\n"
     "Suppose we have a PolicyRule that aggregates five "
     "PolicyConditions C1 through C5, with the following values "
     "in the properties of the five PolicyConditionInPolicyRule "
     "associations:\n"
     "    C1: GroupNumber = 1, ConditionNegated = FALSE\n"
     "    C2: GroupNumber = 1, ConditionNegated = TRUE\n"
     "    C3: GroupNumber = 1, ConditionNegated = FALSE\n"
     "    C4: GroupNumber = 2, ConditionNegated = FALSE\n"
     "    C5: GroupNumber = 2, ConditionNegated = FALSE\n"
     "\n"
     "If ConditionListType = DNF, then the overall condition for "
     "the PolicyRule is:\n"
     "    (C1 AND (NOT C2) AND C3) OR (C4 AND C5)\n"
     "\n"
     "On the other hand, if ConditionListType = CNF, then the "
     "overall condition for the PolicyRule is:\n"
     "    (C1 OR (NOT C2) OR C3) AND (C4 OR C5)\n"
     "\n"
     "In both cases, there is an unambiguous specification of "
     "the overall condition that is tested to determine whether "
     "to perform the PolicyActions associated with the PolicyRule.\n"
     "\n"
     "PolicyRule instances may also be used to aggregate other "
     "PolicyRules and/or PolicyGroups. When used in this way to "
     "implement nested rules, the conditions of the aggregating rule "
     "apply to the subordinate rules as well. However, any side "
     "effects of condition evaluation or the execution of actions MUST "
     "NOT affect the result of the evaluation of other conditions "
     "evaluated by the rule engine in the same evaluation pass. "
     "That is, an implementation of a rule engine MAY evaluate all "
     "conditions in any order before applying the priority and "
     "determining which actions are to be executed.")
   ]
class CIM_PolicyRule : CIM_PolicySet
{
       [Propagated("CIM_System.CreationClassName"),
        Key, MaxLen (256),
        Description ("The scoping System's CreationClassName.")
       ]
    string SystemCreationClassName;

       [Propagated("CIM_System.Name"),
        Key, MaxLen (256),
        Description ("The scoping System's Name.")
       ]
    string SystemName;

       [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.") ]
    string CreationClassName;

       [Key, MaxLen (256), Description (
         "A user-friendly name of this PolicyRule.")
       ]
    string PolicyRuleName;

       [Description (
         "Indicates whether this PolicyRule is administratively "
         "enabled, administratively disabled, or enabled for "
         "debug. When the property has the value 3 (\"enabledFor"
         "Debug\"), the entity evaluating the PolicyConditions is "
         "instructed to evaluate the conditions for the Rule, but not "
         "to perform the actions if the PolicyConditions evaluate to "
         "TRUE. This serves as a debug vehicle when attempting to "
         "determine what policies would execute in a particular "
         "scenario, without taking any actions to change state "
         "during the debugging. The default value is 1 "
         "(\"enabled\")."),
        ValueMap { "1", "2", "3" },
        Values { "enabled", "disabled", "enabledForDebug" }
       ]
    uint16 Enabled;

       [Description (
         "Indicates whether the list of PolicyConditions "
         "associated with this PolicyRule is in disjunctive "
         "normal form (DNF) or conjunctive normal form (CNF). "
         "The default value is 1 (\"DNF\")."),
        ValueMap { "1", "2" },
        Values { "DNF", "CNF" }
       ]
    uint16 ConditionListType;

       [Description (
         "A free-form string that can be used to provide "
         "guidelines on how this PolicyRule should be used.")
       ]
    string RuleUsage;

       [DEPRECATED {"CIM_PolicySetComponent.Priority"},
        Description (
         "PolicyRule.Priority is deprecated and replaced by "
         "providing the priority for a rule (and a group) in the "
         "context of the aggregating PolicySet instead of the "
         "priority being used for all aggregating PolicySet "
         "instances. Thus, the assignment of priority values is much "
         "simpler.\n"
         "\n"
         "A non-negative integer for prioritizing this Policy"
         "Rule relative to other Rules. A larger value "
         "indicates a higher priority. The default value is 0.")
       ]
    uint16 Priority;

       [Description (
         "A flag indicating that the evaluation of the Policy"
         "Conditions and execution of PolicyActions (if the "
         "Conditions evaluate to TRUE) is required. The "
         "evaluation of a PolicyRule MUST be attempted if the "
         "Mandatory property value is TRUE. If the Mandatory "
         "property is FALSE, then the evaluation of the Rule "
         "is 'best effort' and MAY be ignored.")
       ]
    boolean Mandatory;

       [Description (
         "This property gives a policy administrator a way "
         "of specifying how the ordering of the PolicyActions "
         "associated with this PolicyRule is to be interpreted. "
         "Three values are supported:\n"
         "    o mandatory(1): Do the actions in the indicated "
         "      order, or don't do them at all.\n"
         "    o recommended(2): Do the actions in the indicated "
         "      order if you can, but if you can't do them in this "
         "      order, do them in another order if you can.\n"
         "    o dontCare(3): Do them -- I don't care about the "
         "      order.\n"
         "The default value is 3 (\"dontCare\")."),
        ValueMap { "1", "2", "3" },
        Values { "mandatory", "recommended", "dontCare" }
       ]
    uint16 SequencedActions;

       [Description (
         "ExecutionStrategy defines the strategy to be used in "
         "executing the sequenced actions aggregated by this "
         "PolicyRule. There are three execution strategies:\n"
         "\n"
         "Do Until Success - execute actions according to predefined\n"
         "                   order, until successful execution of a\n"
         "                   single action.\n"
         "Do All           - execute ALL actions which are part of\n"
         "                   the modeled set, according to their\n"
         "                   predefined order. Continue doing this,\n"
         "                   even if one or more of the actions "
         "                   fails.\n"
         "Do Until Failure - execute actions according to predefined\n"
         "                   order, until the first failure in\n"
         "                   execution of an action instance."),
        ValueMap {"1", "2", "3"},
        Values {"Do Until Success", "Do All", "Do Until Failure"} ]
    uint16 ExecutionStrategy;
};

// ==================================================================
// ReusablePolicyContainer
// ==================================================================
   [Description (
     "A class representing an administratively defined "
     "container for reusable policy-related information. "
     "This class does not introduce any additional "
     "properties beyond those in its superclass "
     "AdminDomain. It does, however, participate in a "
     "unique association for containing policy elements."
     "\n\n"
     "An instance of this class uses the NameFormat value "
     "\"ReusablePolicyContainer\".")
   ]
class CIM_ReusablePolicyContainer : CIM_AdminDomain
{
};

// ==================================================================
// PolicyRepository *** deprecated
// ==================================================================
   [DEPRECATED {"CIM_ReusablePolicyContainer"},
    Description (
     "The term 'PolicyRepository' has been confusing to both "
     "developers and users of the model. The replacement class "
     "name describes the model element properly and is less likely "
     "to be confused with a data repository."
     "\n\n"
     "A class representing an administratively defined "
     "container for reusable policy-related information. "
     "This class does not introduce any additional "
     "properties beyond those in its superclass "
     "AdminDomain. It does, however, participate in a "
     "number of unique associations."
     "\n\n"
     "An instance of this class uses the NameFormat value "
     "\"PolicyRepository\".")
   ]
class CIM_PolicyRepository : CIM_AdminDomain
{
};

// ==================================================================
// PolicyCondition
// ==================================================================
   [Abstract, Description (
     "A class representing a rule-specific or reusable policy "
     "condition to be evaluated in conjunction with a Policy"
     "Rule. Since all operational details of a PolicyCondition "
     "are provided in subclasses of this object, this class is "
     "abstract.")
   ]
class CIM_PolicyCondition : CIM_Policy
{
       [Key, MaxLen (256), Description (
         "The name of the class or the subclass used in the "
         "creation of the System object in whose scope this "
         "PolicyCondition is defined.\n\n"
         "This property helps to identify the System object in "
         "whose scope this instance of PolicyCondition exists. "
         "For a rule-specific PolicyCondition, this is the System "
         "in whose context the PolicyRule is defined. For a "
         "reusable PolicyCondition, this is the instance of "
         "PolicyRepository (which is a subclass of System) that "
         "holds the Condition.\n\n"
         "Note that this property, and the analogous property "
         "SystemName, do not represent propagated keys from an "
         "instance of the class System. Instead, they are "
         "properties defined in the context of this class, which "
         "repeat the values from the instance of System to which "
         "this PolicyCondition is related, either directly via the "
         "PolicyConditionInPolicyRepository association or indirectly "
         "via the PolicyConditionInPolicyRule aggregation.")
       ]
    string SystemCreationClassName;

       [Key, MaxLen (256), Description (
         "The name of the System object in whose scope this "
         "PolicyCondition is defined.\n\n"
         "This property completes the identification of the System "
         "object in whose scope this instance of PolicyCondition "
         "exists. For a rule-specific PolicyCondition, this is the "
         "System in whose context the PolicyRule is defined. For a "
         "reusable PolicyCondition, this is the instance of "
         "PolicyRepository (which is a subclass of System) that "
         "holds the Condition.")
       ]
    string SystemName;

       [Key, MaxLen (256), Description (
         "For a rule-specific PolicyCondition, the "
         "CreationClassName of the PolicyRule object with which "
         "this Condition is associated. For a reusable Policy"
         "Condition, a special value, 'NO RULE', should be used to "
         "indicate that this Condition is reusable and not "
         "associated with a single PolicyRule.")
       ]
    string PolicyRuleCreationClassName;

       [Key, MaxLen (256), Description (
         "For a rule-specific PolicyCondition, the name of "
         "the PolicyRule object with which this Condition is "
         "associated. For a reusable PolicyCondition, a "
         "special value, 'NO RULE', should be used to indicate "
         "that this Condition is reusable and not associated "
         "with a single PolicyRule.")
       ]
    string PolicyRuleName;

       [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.") ]
    string CreationClassName;

       [Key, MaxLen (256), Description (
         "A user-friendly name of this PolicyCondition.")
       ]
    string PolicyConditionName;
};

// ==================================================================
// PolicyTimePeriodCondition
// ==================================================================
   [Description (
     "This class provides a means of representing the time "
     "periods during which a PolicyRule is valid, i.e., active. "
     "At all times that fall outside these time periods, the "
     "PolicyRule has no effect. A Rule is treated as valid "
     "at ALL times, if it does not specify a "
     "PolicyTimePeriodCondition.\n\n"
     "In some cases a Policy Consumer may need to perform "
     "certain setup / cleanup actions when a PolicyRule becomes "
     "active / inactive. For example, sessions that were "
     "established while a Rule was active might need to "
     "be taken down when the Rule becomes inactive. In other "
     "cases, however, such sessions might be left up. In this "
     "case, the effect of deactivating the PolicyRule would "
     "just be to prevent the establishment of new sessions. \n\n"
     "Setup / cleanup behaviors on validity period "
     "transitions are not currently addressed by the Policy "
     "Model, and must be specified in 'guideline' documents or "
     "via subclasses of CIM_PolicyRule, CIM_PolicyTimePeriod"
     "Condition or other concrete subclasses of CIM_Policy. If "
     "such behaviors need to be under the control of the policy "
     "administrator, then a mechanism to allow this control "
     "must also be specified in the subclasses.\n\n"
     "PolicyTimePeriodCondition is defined as a subclass of "
     "PolicyCondition. This is to allow the inclusion of "
     "time-based criteria in the AND/OR condition definitions "
     "for a PolicyRule.\n\n"
     "Instances of this class may have up to five properties "
     "identifying time periods at different levels. The values "
     "of all the properties present in an instance are ANDed "
     "together to determine the validity period(s) for the "
     "instance. For example, an instance with an overall "
     "validity range of January 1, 2000 through December 31, "
     "2000; a month mask that selects March and April; a "
     "day-of-the-week mask that selects Fridays; and a time "
     "of day range of 0800 through 1600 would be represented "
     "using the following time periods:\n"
     "    Friday, March 5, 2000, from 0800 through 1600;\n"
     "    Friday, March 12, 2000, from 0800 through 1600;\n"
     "    Friday, March 19, 2000, from 0800 through 1600;\n"
     "    Friday, March 26, 2000, from 0800 through 1600;\n"
     "    Friday, April 2, 2000, from 0800 through 1600;\n"
     "    Friday, April 9, 2000, from 0800 through 1600;\n"
     "    Friday, April 16, 2000, from 0800 through 1600;\n"
     "    Friday, April 23, 2000, from 0800 through 1600;\n"
     "    Friday, April 30, 2000, from 0800 through 1600.\n\n"
     "Properties not present in an instance of "
     "PolicyTimePeriodCondition are implicitly treated as having "
     "their value 'always enabled'. Thus, in the example above, "
     "the day-of-the-month mask is not present, and so the "
     "validity period for the instance implicitly includes a "
     "day-of-the-month mask that selects all days of the month. "
     "If this 'missing property' rule is applied to its fullest, "
     "we see that there is a second way to indicate that a Policy"
     "Rule is always enabled: associate with it an instance of "
     "PolicyTimePeriodCondition whose only properties with "
     "specific values are its key properties.")
   ]
class CIM_PolicyTimePeriodCondition : CIM_PolicyCondition
{
       [Description (
         "This property identifies an overall range of calendar "
         "dates and times over which a PolicyRule is valid. It is "
         "formatted as a string representing a start date and time, "
         "in which the character 'T' indicates the beginning of the "
         "time portion, followed by the solidus character '/', "
         "followed by a similar string representing an end date and "
         "time. The first date indicates the beginning of the range, "
         "while the second date indicates the end. Thus, the second "
         "date and time must be later than the first. Date/times are "
         "expressed as substrings of the form yyyymmddThhmmss. For "
         "example: \n"
         "    20000101T080000/20000131T120000 defines \n"
         "    January 1, 2000, 0800 through January 31, 2000, noon\n\n"
         "There are also two special cases in which one of the "
         "date/time strings is replaced with a special string defined "
         "in RFC 2445.\n"
         "    o If the first date/time is replaced with the string "
         "      'THISANDPRIOR', then the property indicates that a "
         "      PolicyRule is valid [from now] until the date/time "
         "      that appears after the '/'.\n"
         "    o If the second date/time is replaced with the string "
         "      'THISANDFUTURE', then the property indicates that a "
         "      PolicyRule becomes valid on the date/time that "
         "      appears before the '/', and remains valid from that "
         "      point on. "),
        ModelCorrespondence {
         "CIM_PolicyTimePeriodCondition.MonthOfYearMask",
         "CIM_PolicyTimePeriodCondition.DayOfMonthMask",
         "CIM_PolicyTimePeriodCondition.DayOfWeekMask",
         "CIM_PolicyTimePeriodCondition.TimeOfDayMask",
         "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
       ]
    string TimePeriod;

       [Octetstring, Description (
         "The purpose of this property is to refine the valid time "
         "period that is defined by the TimePeriod property, by "
         "explicitly specifying in which months the PolicyRule is "
         "valid. 
These properties work together, with the " 6724 "TimePeriod used to specify the overall time period in " 6725 "which the PolicyRule is valid, and the MonthOfYearMask used " 6726 "to pick out the months during which the Rule is valid.\n\n" 6727 " " 6728 "This property is formatted as an octet string, structured " 6729 "as follows:\n" 6730 " o a 4-octet length field, indicating the length of the " 6731 " entire octet string; this field is always set to " 6732 " 0x00000006 for this property;\n" 6733 " o a 2-octet field consisting of 12 bits identifying the " 6734 " 12 months of the year, beginning with January and " 6735 " ending with December, followed by 4 bits that are " 6736 " always set to '0'. For each month, the value '1' " 6737 " indicates that the policy is valid for that month, " 6738 " and the value '0' indicates that it is not valid.\n\n" 6739 " " 6740 "The value 0x000000060830, for example, indicates that a " 6741 "PolicyRule is valid only in the months May, November, " 6742 "and December.\n\n" 6743 " " 6744 "If a value for this property is not provided, then the " 6745 "PolicyRule is treated as valid for all twelve months, and " 6746 "only restricted by its TimePeriod property value and the " 6747 "other Mask properties."), 6748 ModelCorrespondence { 6749 "CIM_PolicyTimePeriodCondition.TimePeriod", 6750 "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"} 6751 ] 6752 uint8 MonthOfYearMask[]; 6753 [Octetstring, Description ( 6754 " The purpose of this property is to refine the valid time " 6755 "period that is defined by the TimePeriod property, by " 6756 "explicitly specifying in which days of the month the Policy" 6757 "Rule is valid. 
These properties work together, " 6758 "with the TimePeriod used to specify the overall time period " 6759 "in which the PolicyRule is valid, and the DayOfMonthMask " 6760 "used to pick out the days of the month during which the " 6761 "Rule is valid.\n\n " 6762 " " 6763 "This property is formatted as an octet string, structured " 6764 "as follows:\n" 6765 " o a 4-octet length field, indicating the length of the " 6766 " entire octet string; this field is always set to " 6767 " 0x0000000C for this property; \n" 6768 " o an 8-octet field consisting of 31 bits identifying " 6769 " the days of the month counting from the beginning, " 6770 " followed by 31 more bits identifying the days of the " 6771 " month counting from the end, followed by 2 bits that " 6772 " are always set to '0'. For each day, the value '1' " 6773 " indicates that the policy is valid for that day, and " 6774 " the value '0' indicates that it is not valid. \n\n" 6775 " " 6776 "The value 0x0000000C8000000100000000, for example, " 6777 "indicates that a PolicyRule is valid on the first and " 6778 "last days of the month.\n\n " 6779 " " 6780 "For months with fewer than 31 days, the digits corresponding" 6781 " to days that the months do not have (counting in both " 6782 "directions) are ignored.\n\n" 6783 " " 6784 "If a value for this property is not provided, then the " 6785 "PolicyRule is treated as valid for all days of the month, " 6786 "and only restricted by its TimePeriod property value and the" 6787 " other Mask properties."), 6788 ModelCorrespondence { 6789 "CIM_PolicyTimePeriodCondition.TimePeriod", 6790 "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"} 6791 ] 6792 uint8 DayOfMonthMask[]; 6793 [Octetstring, Description ( 6794 " The purpose of this property is to refine the valid time " 6795 "period that is defined by the TimePeriod property, by " 6796 "explicitly specifying in which days of the month the Policy" 6797 "Rule is valid. 
These properties work together, " 6798 "with the TimePeriod used to specify the overall time period " 6799 "in which the PolicyRule is valid, and the DayOfWeekMask used" 6800 " to pick out the days of the week during which the Rule " 6801 "is valid.\n\n " 6802 " " 6803 "This property is formatted as an octet string, structured " 6804 "as follows:\n " 6805 " o a 4-octet length field, indicating the length of the " 6806 " entire octet string; this field is always set to " 6807 " 0x00000005 for this property;\n" 6808 " o a 1-octet field consisting of 7 bits identifying the 7 " 6809 " days of the week, beginning with Sunday and ending with " 6810 " Saturday, followed by 1 bit that is always set to '0'. " 6811 " For each day of the week, the value '1' indicates that " 6812 " the policy is valid for that day, and the value '0' " 6813 " indicates that it is not valid. \n\n" 6814 " " 6815 "The value 0x000000057C, for example, indicates that a " 6816 "PolicyRule is valid Monday through Friday.\n\n" 6817 " " 6818 "If a value for this property is not provided, then the " 6819 "PolicyRule is treated as valid for all days of the week, " 6820 "and only restricted by its TimePeriod property value and " 6821 "the other Mask properties."), 6822 ModelCorrespondence { 6823 "CIM_PolicyTimePeriodCondition.TimePeriod", 6824 "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"} 6825 ] 6826 uint8 DayOfWeekMask[]; 6827 [Description ( 6828 " The purpose of this property is to refine the valid time " 6829 "period that is defined by the TimePeriod property, by " 6830 "explicitly specifying a range of times in a day during which" 6831 " the PolicyRule is valid. These properties work " 6832 "together, with the TimePeriod used to specify the overall " 6833 "time period in which the PolicyRule is valid, and the " 6834 "TimeOfDayMask used to pick out the range of time periods " 6835 "in a given day of during which the Rule is valid. 
\n\n" 6836 " " 6837 "This property is formatted in the style of RFC 2445: a " 6838 "time string beginning with the character 'T', followed by " 6839 "the solidus character '/', followed by a second time string." 6840 " The first time indicates the beginning of the range, while " 6841 "the second time indicates the end. Times are expressed as " 6842 "substrings of the form 'Thhmmss'. \n\n" 6843 " " 6844 "The second substring always identifies a later time than " 6845 "the first substring. To allow for ranges that span " 6846 "midnight, however, the value of the second string may be " 6847 "smaller than the value of the first substring. Thus, " 6848 "'T080000/T210000' identifies the range from 0800 until 2100," 6849 " while 'T210000/T080000' identifies the range from 2100 " 6850 "until 0800 of the following day. \n\n" 6851 " " 6852 "When a range spans midnight, it by definition includes " 6853 "parts of two successive days. When one of these days is " 6854 "also selected by either the MonthOfYearMask, " 6855 "DayOfMonthMask, and/or DayOfWeekMask, but the other day is " 6856 "not, then the policy is active only during the portion of " 6857 "the range that falls on the selected day. For example, if " 6858 "the range extends from 2100 until 0800, and the day of " 6859 "week mask selects Monday and Tuesday, then the policy is " 6860 "active during the following three intervals:\n" 6861 " From midnight Sunday until 0800 Monday; \n" 6862 " From 2100 Monday until 0800 Tuesday; \n" 6863 " From 2100 Tuesday until 23:59:59 Tuesday. 
\n\n" 6864 " " 6865 "If a value for this property is not provided, then the " 6866 "PolicyRule is treated as valid for all hours of the day, " 6867 "and only restricted by its TimePeriod property value and " 6868 "the other Mask properties."), 6869 ModelCorrespondence { 6870 "CIM_PolicyTimePeriodCondition.TimePeriod", 6871 "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"} 6872 ] 6873 string TimeOfDayMask; 6874 [Description ( 6875 " This property indicates whether the times represented " 6876 "in the TimePeriod property and in the various Mask " 6877 "properties represent local times or UTC times. There is " 6878 "no provision for mixing of local times and UTC times: the " 6879 "value of this property applies to all of the other " 6880 "time-related properties."), 6881 ValueMap { "1", "2" }, 6882 Values { "localTime", "utcTime" }, 6883 ModelCorrespondence { 6884 "CIM_PolicyTimePeriodCondition.TimePeriod", 6885 "CIM_PolicyTimePeriodCondition.MonthOfYearMask", 6886 "CIM_PolicyTimePeriodCondition.DayOfMonthMask", 6887 "CIM_PolicyTimePeriodCondition.DayOfWeekMask", 6888 "CIM_PolicyTimePeriodCondition.TimeOfDayMask"} 6889 ] 6890 uint16 LocalOrUtcTime; 6891 }; 6893 // ================================================================== 6894 // VendorPolicyCondition 6895 // ================================================================== 6896 [Description ( 6897 " A class that provides a general extension mechanism for " 6898 "representing PolicyConditions that have not been modeled " 6899 "with specific properties. Instead, the two properties " 6900 "Constraint and ConstraintEncoding are used to define the " 6901 "content and format of the Condition, as explained below.\n\n" 6902 " " 6903 "As its name suggests, VendorPolicyCondition is intended for " 6904 "vendor-specific extensions to the Policy Core Information " 6905 "Model. 
Standardized extensions are not expected to use " 6906 "this class.") 6907 ] 6908 class CIM_VendorPolicyCondition : CIM_PolicyCondition 6909 { 6910 [Octetstring, Description ( 6911 "This property provides a general extension mechanism for " 6912 "representing PolicyConditions that have not been " 6913 "modeled with specific properties. The format of the " 6914 "octet strings in the array is left unspecified in " 6915 "this definition. It is determined by the OID value " 6916 "stored in the property ConstraintEncoding. Since " 6917 "ConstraintEncoding is single-valued, all the values of " 6918 "Constraint share the same format and semantics."), 6919 ModelCorrespondence { 6920 "CIM_VendorPolicyCondition.ConstraintEncoding"} 6921 ] 6922 string Constraint []; 6923 [Description ( 6924 "An OID encoded as a string, identifying the format " 6925 "and semantics for this instance's Constraint property."), 6926 ModelCorrespondence { 6927 "CIM_VendorPolicyCondition.Constraint"} 6928 ] 6929 string ConstraintEncoding; 6930 }; 6932 // ================================================================== 6933 // PolicyAction 6934 // ================================================================== 6936 [Abstract, Description ( 6937 "A class representing a rule-specific or reusable policy " 6938 "action to be performed if the PolicyConditions for a Policy" 6939 "Rule evaluate to TRUE. Since all operational details of a " 6940 "PolicyAction are provided in subclasses of this object, " 6941 "this class is abstract.") 6942 ] 6943 class CIM_PolicyAction : CIM_Policy 6944 { 6945 [Key, MaxLen (256), Description ( 6946 " The name of the class or the subclass used in the " 6947 "creation of the System object in whose scope this " 6948 "PolicyAction is defined. \n\n" 6949 " " 6950 "This property helps to identify the System object in " 6951 "whose scope this instance of PolicyAction exists. 
" 6952 "For a rule-specific PolicyAction, this is the System " 6953 "in whose context the PolicyRule is defined. For a " 6954 "reusable PolicyAction, this is the instance of " 6955 "PolicyRepository (which is a subclass of System) that " 6956 "holds the Action. \n\n" 6957 " " 6958 "Note that this property, and the analogous property " 6959 "SystemName, do not represent propagated keys from an " 6960 "instance of the class System. Instead, they are " 6961 "properties defined in the context of this class, which " 6962 "repeat the values from the instance of System to which " 6963 "this PolicyAction is related, either directly via the " 6964 "PolicyActionInPolicyRepository association or indirectly " 6965 "via the PolicyActionInPolicyRule aggregation.") 6966 ] 6967 string SystemCreationClassName; 6968 [Key, MaxLen (256), Description ( 6969 " The name of the System object in whose scope this " 6970 "PolicyAction is defined. \n\n" 6971 " " 6972 "This property completes the identification of the System " 6973 "object in whose scope this instance of PolicyAction " 6974 "exists. For a rule-specific PolicyAction, this is the " 6975 "System in whose context the PolicyRule is defined. For " 6976 "a reusable PolicyAction, this is the instance of " 6977 "PolicyRepository (which is a subclass of System) that " 6978 "holds the Action.") 6979 ] 6980 string SystemName; 6981 [Key, MaxLen (256), Description ( 6982 "For a rule-specific PolicyAction, the CreationClassName " 6983 "of the PolicyRule object with which this Action is " 6984 "associated. For a reusable PolicyAction, a " 6985 "special value, 'NO RULE', should be used to " 6986 "indicate that this Action is reusable and not " 6987 "associated with a single PolicyRule.") 6988 ] 6990 string PolicyRuleCreationClassName; 6991 [Key, MaxLen (256), Description ( 6992 "For a rule-specific PolicyAction, the name of " 6993 "the PolicyRule object with which this Action is " 6994 "associated. 
For a reusable PolicyAction, a " 6995 "special value, 'NO RULE', should be used to " 6996 "indicate that this Action is reusable and not " 6997 "associated with a single PolicyRule.") 6998 ] 6999 string PolicyRuleName; 7000 [Key, MaxLen (256), Description ( 7001 "CreationClassName indicates the name of the class or the " 7002 "subclass used in the creation of an instance. When used " 7003 "with the other key properties of this class, this property" 7004 " allows all instances of this class and its subclasses to " 7005 "be uniquely identified.") ] 7006 string CreationClassName; 7007 [Key, MaxLen (256), Description ( 7008 "A user-friendly name of this PolicyAction.") 7009 ] 7010 string PolicyActionName; 7011 }; 7013 // ================================================================== 7014 // CompoundPolicyAction 7015 // ================================================================== 7016 [Description ("CompoundPolicyAction is used to represent an " 7017 "expression consisting of an ordered sequence of action " 7018 "terms. Each action term is represented as a subclass of " 7019 "the PolicyAction class. Compound actions are constructed " 7020 "by associating dependent action terms together using the " 7021 "PolicyActionInPolicyAction aggregation.") ] 7022 class CIM_CompoundPolicyAction : CIM_PolicyAction 7023 { 7024 [Description ( 7025 "This property gives a policy administrator a way " 7026 "of specifying how the ordering of the PolicyActions " 7027 "associated with this PolicyRule is to be interpreted. 
" 7028 "Three values are supported:\n" 7029 " o mandatory(1): Do the actions in the indicated " 7030 " order, or don't do them at all.\n" 7031 " o recommended(2): Do the actions in the indicated " 7032 " order if you can, but if you can't do them in this " 7033 " order, do them in another order if you can.\n" 7034 " o dontCare(3): Do them -- I don't care about the " 7035 " order.\n" 7036 "The default value is 3 (\"dontCare\")."), 7037 ValueMap { "1", "2", "3" }, 7038 Values { "mandatory", "recommended", "dontCare" }] 7039 uint16 SequencedActions; 7041 [Description ("ExecutionStrategy defines the strategy to be " 7042 "used in executing the sequenced actions aggregated by this " 7043 "CompoundPolicyAction. There are three execution strategies:" 7044 "\n\n" 7045 "Do Until Success - execute actions according to predefined\n" 7046 " order, until successful execution of a\n" 7047 " single action.\n" 7048 "Do All - execute ALL actions which are part of\n" 7049 " the modeled set, according to their\n" 7050 " predefined order. Continue doing this,\n" 7051 " even if one or more of the actions " 7052 " fails.\n" 7053 "Do Until Failure - execute actions according to predefined\n" 7054 " order, until the first failure in\n" 7055 " execution of an action instance." 7056 "The default value is 2 (\"Do All\")."), 7057 Values {"1", "2", "3"}, 7058 ValueMap {"Do Until Success", "Do All", "Do Until Failure"}] 7059 uint16 ExecutionStrategy; 7060 }; 7062 // ================================================================== 7063 // VendorPolicyAction 7064 // ================================================================== 7065 [Description ( 7066 " A class that provides a general extension mechanism for " 7067 "representing PolicyActions that have not been modeled " 7068 "with specific properties. 
Instead, the two properties " 7069 "ActionData and ActionEncoding are used to define the " 7070 "content and format of the Action, as explained below.\n\n" 7071 " " 7072 "As its name suggests, VendorPolicyAction is intended for " 7073 "vendor-specific extensions to the Policy Core Information " 7074 "Model. Standardized extensions are not expected to use " 7075 "this class.") ] 7076 class CIM_VendorPolicyAction : CIM_PolicyAction 7077 { 7078 [Octetstring, Description ( 7079 "This property provides a general extension mechanism for " 7080 "representing PolicyActions that have not been " 7081 "modeled with specific properties. The format of the " 7082 "octet strings in the array is left unspecified in " 7083 "this definition. It is determined by the OID value " 7084 "stored in the property ActionEncoding. Since " 7085 "ActionEncoding is single-valued, all the values of " 7086 "ActionData share the same format and semantics."), 7087 ModelCorrespondence { 7088 "CIM_VendorPolicyAction.ActionEncoding"} 7089 ] 7090 string ActionData []; 7091 [Description ( 7092 "An OID encoded as a string, identifying the format " 7093 "and semantics for this instance's ActionData property."), 7094 ModelCorrespondence { 7095 "CIM_VendorPolicyAction.ActionData"} 7097 ] 7098 string ActionEncoding; 7099 }; 7100 // ================================================================== 7101 // === Association classes === 7102 // ================================================================== 7104 // ================================================================== 7105 // PolicyComponent 7106 // ================================================================== 7107 [Association, Abstract, Aggregation, Description ( 7108 "CIM_PolicyComponent is a generic association used to " 7109 "establish 'part of' relationships between the subclasses of " 7110 "CIM_Policy. 
For example, the PolicyConditionInPolicyRule " 7111 "association defines that PolicyConditions are part of a " 7112 "PolicyRule.") 7113 ] 7114 class CIM_PolicyComponent 7115 { 7116 [Aggregate, Key, Description ( 7117 "The parent Policy in the association.") 7118 ] 7119 CIM_Policy REF GroupComponent; 7120 [Key, Description ( 7121 "The child/part Policy in the association.") 7122 ] 7123 CIM_Policy REF PartComponent; 7124 }; 7126 // ================================================================== 7127 // PolicyInSystem 7128 // ================================================================== 7129 [Association, Abstract, Description ( 7130 " CIM_PolicyInSystem is a generic association used to " 7131 "establish dependency relationships between Policies and the " 7132 "Systems that host them. These Systems may be ComputerSystems" 7133 " where Policies are 'running' or they may be Policy" 7134 "Repositories where Policies are stored. This relationship " 7135 "is similar to the concept of CIM_Services being dependent " 7136 "on CIM_Systems as defined by the HostedService " 7137 "association. \n" 7138 " Cardinality is Max(1) for the Antecedent/System " 7139 "reference since Policies can only be hosted in at most one " 7140 "System context. Some subclasses of the association will " 7141 "further refine this definition to make the Policies Weak " 7142 "to Systems. Other subclasses of PolicyInSystem will " 7143 "define an optional hosting relationship. 
Examples of each " 7144 "of these are the PolicyRuleInSystem and PolicyConditionIn" 7145 "PolicyRepository associations, respectively.") 7146 ] 7147 class CIM_PolicyInSystem : CIM_Dependency 7148 { 7150 [Override ("Antecedent"), Max (1), Description ( 7151 "The hosting System.") 7152 ] 7153 CIM_System REF Antecedent; 7154 [Override ("Dependent"), Description ( 7155 "The hosted Policy.") 7156 ] 7157 CIM_Policy REF Dependent; 7158 }; 7160 // ================================================================== 7161 // PolicySetInSystem 7162 // ================================================================== 7163 [Association, Abstract, Description ( 7164 "PolicySetInSystem is an abstract association class that " 7165 "represents a relationship between a System and a PolicySet used " 7166 "in the administrative scope of that system (e.g., AdminDomain, " 7167 "ComputerSystem). The Priority property is used to assign a " 7168 "relative priority to a PolicySet within the administrative " 7169 "scope in contexts where it is not a component of another " 7170 "PolicySet.") 7171 ] 7172 class CIM_PolicySetInSystem : CIM_PolicyInSystem 7173 { 7174 [Override ("Antecedent"), Min (1), Max(1), Description ( 7175 "The System in whose scope a PolicySet is defined.") 7176 ] 7177 CIM_System REF Antecedent; 7178 [Override ("Dependent"), Description ( 7179 "A PolicySet named within the scope of a System.") 7180 ] 7181 CIM_PolicySet REF Dependent; 7182 [Description ( 7183 "The Priority property is used to specify the relative " 7184 "priority of the referenced PolicySet when there are more " 7185 "than one PolicySet instances applied to a managed resource " 7186 "that are not PolicySetComponents and, therefore, have no " 7187 "other relative priority defined. 
The priority is a " 7188 "non-negative integer; a larger value indicates a higher " 7189 "priority.")] 7190 uint16 Priority; 7191 }; 7193 // ================================================================== 7194 // PolicyGroupInSystem 7195 // ================================================================== 7196 [Association, Description ( 7197 "An association that links a PolicyGroup to the System " 7198 "in whose scope the Group is defined.") 7199 ] 7200 class CIM_PolicyGroupInSystem : CIM_PolicySetInSystem 7201 { 7202 [Override ("Antecedent"), Min(1), Max(1), Description ( 7203 "The System in whose scope a PolicyGroup is defined.") 7204 ] 7205 CIM_System REF Antecedent; 7206 [Override ("Dependent"), Weak, Description ( 7207 "A PolicyGroup named within the scope of a System.") 7208 ] 7209 CIM_PolicyGroup REF Dependent; 7210 }; 7212 // ================================================================== 7213 // PolicyRuleInSystem 7214 // ================================================================== 7215 [Association, Description ( 7216 "An association that links a PolicyRule to the System " 7217 "in whose scope the Rule is defined.") 7218 ] 7219 class CIM_PolicyRuleInSystem : CIM_PolicySetInSystem 7220 { 7221 [Override ("Antecedent"), Min(1), Max(1), Description ( 7222 "The System in whose scope a PolicyRule is defined.") 7223 ] 7224 CIM_System REF Antecedent; 7225 [Override ("Dependent"), Weak, Description ( 7226 "A PolicyRule named within the scope of a System.") 7227 ] 7228 CIM_PolicyRule REF Dependent; 7229 }; 7231 // ================================================================== 7232 // PolicySetComponent 7233 // ================================================================== 7234 [Association, Aggregation, Description ( 7235 "PolicySetComponent is a concrete aggregation class that " 7236 "collects instances of PolicySet subclasses (PolicyGroups and " 7237 "PolicyRules) into coherent sets of policies that have the same " 7238 "decision strategy 
and are prioritized within the set.") 7239 ] 7240 class CIM_PolicySetComponent : CIM_PolicyComponent 7241 { 7242 [Override ("GroupComponent"), Aggregate, Description ( 7243 "A PolicySet that aggregates other PolicySet instances.") 7244 ] 7245 CIM_PolicySet REF GroupComponent; 7246 [Override ("PartComponent"), Description ( 7247 "A PolicySet aggregated into a PolicySet.") 7248 ] 7249 CIM_PolicySet REF PartComponent; 7250 [Description ( 7251 "A non-negative integer for prioritizing this PolicySet" 7252 "component relative to components of the same PolicySet. A " 7253 "larger value indicates a higher priority.") 7254 ] 7255 uint16 Priority; 7257 }; 7259 // ================================================================== 7260 // PolicyGroupInPolicyGroup *** deprecated 7261 // ================================================================== 7262 [Association, Aggregation, DEPRECATED {"CIM_PolicySetComponent"}, 7263 Description ( 7264 "PolicySetComponent provides a more general mechanism for " 7265 "aggregating both PolicyGroups and PolicyRules and doing so with " 7266 "the priority value applying only to the aggregated set rather " 7267 "than policy wide.\n" 7268 "\n" 7269 "A relationship that aggregates one or more lower-level " 7270 "PolicyGroups into a higher-level Group. 
A Policy" 7271 "Group may aggregate PolicyRules and/or other Policy" 7272 "Groups.") 7273 ] 7274 class CIM_PolicyGroupInPolicyGroup : CIM_PolicyComponent 7275 { 7276 [Override ("GroupComponent"), Aggregate, Description ( 7277 "A PolicyGroup that aggregates other Groups.") 7278 ] 7279 CIM_PolicyGroup REF GroupComponent; 7280 [Override ("PartComponent"), Description ( 7281 "A PolicyGroup aggregated by another Group.") 7282 ] 7283 CIM_PolicyGroup REF PartComponent; 7284 }; 7286 // ================================================================== 7287 // PolicyRuleInPolicyGroup *** deprecated 7288 // ================================================================== 7289 [Association, Aggregation, DEPRECATED {"CIM_PolicySetComponent"}, 7290 Description ( 7291 "PolicySetComponent provides a more general mechanism for " 7292 "aggregating both PolicyGroups and PolicyRules and doing so with " 7293 "the priority value applying only to the aggregated set rather " 7294 "than policy wide.\n" 7295 "\n" 7296 "A relationship that aggregates one or more PolicyRules " 7297 "into a PolicyGroup. A PolicyGroup may aggregate " 7298 "PolicyRules and/or other PolicyGroups.") 7299 ] 7300 class CIM_PolicyRuleInPolicyGroup : CIM_PolicyComponent 7301 { 7302 [Override ("GroupComponent"), Aggregate, Description ( 7303 "A PolicyGroup that aggregates one or more PolicyRules.") 7304 ] 7305 CIM_PolicyGroup REF GroupComponent; 7306 [Override ("PartComponent"), Description ( 7307 "A PolicyRule aggregated by a PolicyGroup.") 7308 ] 7309 CIM_PolicyRule REF PartComponent; 7311 }; 7313 // ================================================================== 7314 // PolicyConditionInPolicyRule 7315 // ================================================================== 7316 [Association, Aggregation, Description ( 7317 " A PolicyRule aggregates zero or more instances of the " 7318 "PolicyCondition class, via the PolicyConditionInPolicyRule " 7319 "association. 
A Rule that aggregates zero Conditions is not "
         "valid -- it may, however, be in the process of being entered "
         "into a PolicyRepository or being defined for a System. Note "
         "that a PolicyRule should have no effect until it is valid.\n\n"
         " "
         "The Conditions aggregated by a PolicyRule are grouped into "
         "two levels of lists: either an ORed set of ANDed sets of "
         "conditions (DNF, the default) or an ANDed set of ORed sets "
         "of conditions (CNF). Individual PolicyConditions in these "
         "lists may be negated. The property ConditionListType "
         "specifies which of these two grouping schemes applies to a "
         "particular PolicyRule.\n\n"
         " "
         "In either case, PolicyConditions are used to determine "
         "whether to perform the PolicyActions associated with the "
         "PolicyRule.\n\n"
         " "
         "One or more PolicyTimePeriodConditions may be among the "
         "conditions associated with a PolicyRule via the Policy"
         "ConditionInPolicyRule association. In this case, the time "
         "periods are simply additional Conditions to be evaluated "
         "along with any others that are specified for the Rule. ")
      ]
   class CIM_PolicyConditionInPolicyRule : CIM_PolicyComponent
   {
      [Override ("GroupComponent"), Aggregate, Description (
         "This property represents the PolicyRule that "
         "contains one or more PolicyConditions.")
      ]
      CIM_PolicyRule REF GroupComponent;
      [Override ("PartComponent"), Description (
         "This property holds the name of a PolicyCondition "
         "contained by one or more PolicyRules.")
      ]
      CIM_PolicyCondition REF PartComponent;
      [Description (
         "Unsigned integer indicating the group to which the "
         "PolicyCondition identified by the ContainedCondition "
         "property belongs. This integer segments the Conditions "
         "into the ANDed sets (when the ConditionListType is "
         "\"DNF\") or similarly the ORed sets (when the Condition"
         "ListType is \"CNF\") that are then evaluated.")
      ]
      uint16 GroupNumber;
      [Description (
         "Indication of whether the Condition identified by "
         "the ContainedCondition property is negated. TRUE "
         "indicates that the PolicyCondition IS negated, FALSE "
         "indicates that it IS NOT negated.")
      ]
      boolean ConditionNegated;
   };

   // ==================================================================
   // PolicyRuleValidityPeriod
   // ==================================================================
   [Association, Aggregation, Description (
      "The PolicyRuleValidityPeriod aggregation represents "
      "scheduled activation and deactivation of a PolicyRule. "
      "If a PolicyRule is associated with multiple policy time "
      "periods via this association, then the Rule is active if "
      "at least one of the time periods indicates that it is "
      "active. (In other words, the PolicyTimePeriodConditions "
      "are ORed to determine whether the Rule is active.) A Time"
      "Period may be aggregated by multiple PolicyRules. A Rule "
      "that does not point to a PolicyTimePeriodCondition via this "
      "association is, from the point of view of scheduling, "
      "always active. It may, however, be inactive for other "
      "reasons. For example, the Rule's Enabled property may "
      "be set to \"disabled\" (value=2).")
   ]
   class CIM_PolicyRuleValidityPeriod : CIM_PolicyComponent
   {
      [Override ("GroupComponent"), Aggregate, Description (
         "This property contains the name of a PolicyRule that "
         "contains one or more PolicyTimePeriodConditions.")
      ]
      CIM_PolicyRule REF GroupComponent;
      [Override ("PartComponent"), Description (
         "This property contains the name of a "
         "PolicyTimePeriodCondition defining the valid time periods "
         "for one or more PolicyRules.")
      ]
      CIM_PolicyTimePeriodCondition REF PartComponent;
   };

   // ==================================================================
   // PolicyActionStructure
   // ==================================================================
   [Association, Aggregation, Abstract, Description (
      "PolicyActions may be aggregated into rules and into "
      "compound actions. PolicyActionStructure is the abstract "
      "aggregation class for the structuring of policy actions.")
   ]
   class CIM_PolicyActionStructure : CIM_PolicyComponent
   {
      [Override ("GroupComponent"), Aggregate, Description (
         "PolicyAction instances may be aggregated into either "
         "PolicyRule instances or CompoundPolicyAction instances.")]
      CIM_Policy REF GroupComponent;
      [Override ("PartComponent"), Description (
         "A PolicyAction aggregated by a PolicyRule or "
         "CompoundPolicyAction.")]
      CIM_PolicyAction REF PartComponent;
      [Description (
         "ActionOrder is an unsigned integer 'n' that indicates the "
         "relative position of a PolicyAction in the sequence of "
         "actions associated with a PolicyRule or "
         "CompoundPolicyAction. When 'n' is a positive integer, it "
         "indicates a place in the sequence of actions to be "
         "performed, with smaller integers indicating earlier "
         "positions in the sequence. The special value '0' indicates "
         "'don't care'. If two or more PolicyActions have the same "
         "non-zero sequence number, they may be performed in any "
         "order, but they must all be performed at the appropriate "
         "place in the overall action sequence.\n"
         "\n"
         "A series of examples will make ordering of PolicyActions "
         "clearer: \n"
         "   o If all actions have the same sequence number,\n"
         "     regardless of whether it is '0' or non-zero, any\n"
         "     order is acceptable.\n"
         "   o The values: \n"
         "        1:ACTION A \n"
         "        2:ACTION B \n"
         "        1:ACTION C \n"
         "        3:ACTION D \n"
         "     indicate two acceptable orders: A,C,B,D or C,A,B,D,\n"
         "     since A and C can be performed in either order, but\n"
         "     only at the '1' position. \n"
         "   o The values: \n"
         "        0:ACTION A \n"
         "        2:ACTION B \n"
         "        3:ACTION C \n"
         "        3:ACTION D \n"
         "     require that B,C, and D occur either as B,C,D or as\n"
         "     B,D,C. Action A may appear at any point relative to\n"
         "     B, C, and D. Thus the complete set of acceptable\n"
         "     orders is: A,B,C,D; B,A,C,D; B,C,A,D; B,C,D,A; \n"
         "     A,B,D,C; B,A,D,C; B,D,A,C; B,D,C,A. \n"
         "\n"
         "Note that the non-zero sequence numbers need not start with "
         "'1', and they need not be consecutive. All that matters is "
         "their relative magnitude.")]
      uint16 ActionOrder;
   };

   // ==================================================================
   // PolicyActionInPolicyRule
   // ==================================================================
   [Association, Aggregation, Description (
      " A PolicyRule aggregates zero or more instances of the "
      "PolicyAction class, via the PolicyActionInPolicyRule "
      "association. A Rule that aggregates zero Actions is not "
      "valid--it may, however, be in the process of being entered "
      "into a PolicyRepository or being defined for a System. "
      "Alternately, the actions of the policy may be explicit in "
      "the definition of the PolicyRule. Note that a PolicyRule "
      "should have no effect until it is valid.\n\n"
      " "
      "The Actions associated with a PolicyRule may be given a "
      "required order, a recommended order, or no order at all. "
      "For Actions represented as separate objects, the "
      "PolicyActionInPolicyRule aggregation can be used to express "
      "an order."
      "\n\n"
      "This aggregation does not indicate whether a specified "
      "action order is required, recommended, or of no "
      "significance; the property SequencedActions in the "
      "aggregating instance of PolicyRule provides this "
      "indication.")]
   class CIM_PolicyActionInPolicyRule : CIM_PolicyActionStructure
   {
      [Override ("GroupComponent"), Aggregate, Description (
         "This property represents the PolicyRule that "
         "contains one or more PolicyActions.")
      ]
      CIM_PolicyRule REF GroupComponent;
      [Override ("PartComponent"), Description (
         "This property holds the name of a PolicyAction "
         "contained by one or more PolicyRules.")
      ]
      CIM_PolicyAction REF PartComponent;
   };

   // ==================================================================
   // PolicyActionInPolicyAction
   // ==================================================================
   [Association, Aggregation, Description (
      "PolicyActionInPolicyAction is used to represent the "
      "compounding of policy actions into a higher-level policy "
      "action.")]
   class CIM_PolicyActionInPolicyAction : CIM_PolicyActionStructure
   {
      [Override ("GroupComponent"), Aggregate, Description (
         "This property represents the CompoundPolicyAction that "
         "contains one or more PolicyActions.")
      ]
      CIM_CompoundPolicyAction REF GroupComponent;
      [Override ("PartComponent"), Description (
         "This property holds the name of a PolicyAction "
         "contained by one or more CompoundPolicyActions.")
      ]
      CIM_PolicyAction REF PartComponent;
   };

   // ==================================================================
   // PolicyContainerInPolicyContainer
   // ==================================================================
   [Association, Aggregation, Description (
      "A relationship that aggregates one or more lower-level "
      "ReusablePolicyContainer instances into a higher-level "
      "ReusablePolicyContainer.")
   ]
   class CIM_PolicyContainerInPolicyContainer : CIM_SystemComponent
   {
      [Override ("GroupComponent"), Aggregate, Description (
         "A ReusablePolicyContainer that aggregates other "
         "ReusablePolicyContainers.")
      ]
      CIM_ReusablePolicyContainer REF GroupComponent;
      [Override ("PartComponent"), Description (
         "A ReusablePolicyContainer aggregated by another "
         "ReusablePolicyContainer.")
      ]
      CIM_ReusablePolicyContainer REF PartComponent;
   };

   // ==================================================================
   // PolicyRepositoryInPolicyRepository *** deprecated
   // ==================================================================
   [Association, Aggregation,
    DEPRECATED {"CIM_PolicyContainerInPolicyContainer"},
    Description (
      "The term 'PolicyRepository' has been confusing to both "
      "developers and users of the model. The replacement class "
      "name describes the model element properly and is less likely "
      "to be confused with a data repository. ContainedDomain is a "
      "general purpose mechanism for expressing domain hierarchy."
      "\n\n"
      "A relationship that aggregates one or more lower-level "
      "PolicyRepositories into a higher-level Repository.")
   ]
   class CIM_PolicyRepositoryInPolicyRepository : CIM_SystemComponent
   {
      [Override ("GroupComponent"), Aggregate, Description (
         "A PolicyRepository that aggregates other Repositories.")
      ]
      CIM_PolicyRepository REF GroupComponent;
      [Override ("PartComponent"), Description (
         "A PolicyRepository aggregated by another Repository.")
      ]
      CIM_PolicyRepository REF PartComponent;
   };

   // ==================================================================
   // ReusablePolicy
   // ==================================================================
   [Association, Description (
      "The ReusablePolicy association provides for the reuse of any "
      "subclass of Policy in a ReusablePolicyContainer.")
   ]
   class CIM_ReusablePolicy : CIM_PolicyInSystem
   {
      [Override ("Antecedent"), Max(1), Description (
         "This property identifies a ReusablePolicyContainer that "
         "provides the administrative scope for the reuse of the "
         "referenced policy element.")
      ]
      CIM_ReusablePolicyContainer REF Antecedent;
      [Override ("Dependent"), Description (
         "A reusable policy element.")
      ]
      CIM_Policy REF Dependent;
   };

   // ==================================================================
   // PolicyConditionInPolicyRepository *** deprecated
   // ==================================================================
   [Association, DEPRECATED {"CIM_ReusablePolicy"},
    Description (
      "The ReusablePolicy association is a more general relationship "
      "that incorporates both Conditions and Actions as well as any "
      "other policy subclass.\n"
      "\n"
      "A class representing the hosting of reusable "
      "PolicyConditions by a PolicyRepository. A reusable Policy"
      "Condition is always related to a single PolicyRepository, "
      "via this association.\n\n"
      " "
      "Note that an instance of PolicyCondition can be either "
      "reusable or rule-specific. When the Condition is rule-"
      "specific, it shall not be related to any "
      "PolicyRepository via the PolicyConditionInPolicyRepository "
      "association.")
   ]
   class CIM_PolicyConditionInPolicyRepository : CIM_PolicyInSystem
   {
      [Override ("Antecedent"), Max(1), Description (
         "This property identifies a PolicyRepository "
         "hosting one or more PolicyConditions. A reusable "
         "PolicyCondition is always related to exactly one "
         "PolicyRepository via the PolicyConditionInPolicyRepository "
         "association. The [0..1] cardinality for this property "
         "covers the two types of PolicyConditions: 0 for a "
         "rule-specific PolicyCondition, 1 for a reusable one.")
      ]
      CIM_PolicyRepository REF Antecedent;
      [Override ("Dependent"), Description (
         "This property holds the name of a PolicyCondition "
         "hosted in the PolicyRepository. ")
      ]
      CIM_PolicyCondition REF Dependent;
   };

   // ==================================================================
   // PolicyActionInPolicyRepository *** deprecated
   // ==================================================================
   [Association, DEPRECATED {"CIM_ReusablePolicy"},
    Description (
      "The ReusablePolicy association is a more general relationship "
      "that incorporates both Conditions and Actions as well as any "
      "other policy subclass.\n"
      "\n"
      "A class representing the hosting of reusable "
      "PolicyActions by a PolicyRepository. A reusable Policy"
      "Action is always related to a single PolicyRepository, "
      "via this association.\n\n"
      " "
      "Note that an instance of PolicyAction can be either "
      "reusable or rule-specific. When the Action is rule-"
      "specific, it shall not be related to any "
      "PolicyRepository via the PolicyActionInPolicyRepository "
      "association.")
   ]
   class CIM_PolicyActionInPolicyRepository : CIM_PolicyInSystem
   {
      [Override ("Antecedent"), Max(1), Description (
         "This property represents a PolicyRepository "
         "hosting one or more PolicyActions. A reusable "
         "PolicyAction is always related to exactly one "
         "PolicyRepository via the PolicyActionInPolicyRepository "
         "association. The [0..1] cardinality for this property "
         "covers the two types of PolicyActions: 0 for a "
         "rule-specific PolicyAction, 1 for a reusable one.")
      ]
      CIM_PolicyRepository REF Antecedent;
      [Override ("Dependent"), Description (
         "This property holds the name of a PolicyAction "
         "hosted in the PolicyRepository. ")
      ]
      CIM_PolicyAction REF Dependent;
   };
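   The evaluation semantics spelled out in the Description strings above
   (the DNF/CNF grouping of PolicyConditionInPolicyRule by GroupNumber
   with ConditionNegated, the ORing of PolicyTimePeriodConditions under
   PolicyRuleValidityPeriod, and the ActionOrder rules of
   PolicyActionStructure) are easy to get subtly wrong in an enforcement
   point. The following is an added worked example, not code from this
   draft or from the CIM schema; the class ConditionLink and the function
   names are hypothetical in-memory stand-ins for the association
   instances, and the sample data is constructed from the two ActionOrder
   examples given in the MOF text.

```python
"""Added example: evaluating a CIM PolicyRule's conditions, schedule and
action order as described in the MOF Description strings (hypothetical
in-memory forms; not part of the draft or the CIM schema)."""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class ConditionLink:
    """One PolicyConditionInPolicyRule association (hypothetical form):
    the condition name, its GroupNumber and its ConditionNegated flag."""
    condition: str
    group_number: int
    negated: bool = False


def rule_conditions_hold(links, results, condition_list_type="DNF"):
    """Return True when the rule's aggregated conditions are satisfied.

    `results` maps a condition name to the boolean it evaluated to.
    DNF (the default): OR across groups, AND within each group.
    CNF: AND across groups, OR within each group.
    A rule aggregating zero conditions is not valid and has no effect.
    """
    if not links:
        return False
    groups = {}
    for link in links:
        value = results[link.condition]
        if link.negated:          # ConditionNegated == TRUE flips the result
            value = not value
        groups.setdefault(link.group_number, []).append(value)
    if condition_list_type == "DNF":
        return any(all(values) for values in groups.values())
    if condition_list_type == "CNF":
        return all(any(values) for values in groups.values())
    raise ValueError("ConditionListType must be 'DNF' or 'CNF'")


def scheduled_active(time_period_results):
    """PolicyRuleValidityPeriod: the rule is active if at least one of its
    PolicyTimePeriodConditions is active (they are ORed); a rule with no
    time periods is always active from the scheduling point of view."""
    return True if not time_period_results else any(time_period_results)


def is_acceptable_order(action_order, sequence):
    """ActionOrder check: every action appears exactly once, and the
    non-zero ActionOrder values are non-decreasing along `sequence`.
    Equal non-zero values may run in any order; 0 means 'don't care'."""
    if sorted(sequence) != sorted(action_order):
        return False
    ranks = [action_order[a] for a in sequence if action_order[a] != 0]
    return all(x <= y for x, y in zip(ranks, ranks[1:]))


def acceptable_orders(action_order):
    """Enumerate every acceptable order. Fine for the handful of actions a
    single rule carries; it is factorial in the number of actions."""
    names = sorted(action_order)
    return [list(p) for p in permutations(names)
            if is_acceptable_order(action_order, list(p))]


if __name__ == "__main__":
    # Constructed sample data: the two ActionOrder examples from the MOF.
    print(acceptable_orders({"A": 1, "B": 2, "C": 1, "D": 3}))
    print(len(acceptable_orders({"A": 0, "B": 2, "C": 3, "D": 3})))
    # Constructed sample data: one DNF/CNF rule with a negated condition.
    links = [ConditionLink("src_ok", 1), ConditionLink("deny_list", 1, True),
             ConditionLink("maintenance_window", 2)]
    results = {"src_ok": True, "deny_list": False, "maintenance_window": False}
    print(rule_conditions_hold(links, results, "DNF"),
          rule_conditions_hold(links, results, "CNF"))
```

   The point to keep in mind when running this against a real rule set is
   that a PolicyRule with an empty condition or action list is treated as
   not valid and therefore inert, exactly as the Description text
   requires, rather than as a rule that matches everything.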