idnits 2.17.1

draft-ietf-ipsp-config-policy-model-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate.  This must be updated to
     follow RFC 3978/3979, as updated by RFC 4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date.  The document expiration date should appear on
     the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about
     Internet-Drafts being working documents.

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 8) being 60 lines


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References.  All references will be assumed normative when checking for
     downward references.

  ** The abstract seems to contain references ([PCIME], [PCIM], DOI], [COMP,ESP,,
     AH,, [IKE]), which it shouldn't.  Please replace those with straight
     textual mentions of the documents in question.

  == There are 3 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'MUST not' in this paragraph:

     The class SARule serves as a base class for IKERule and IPsecRule.  Even
     though the class is concrete, it MUST not be instantiated.  It defines a
     common connection point for associations to conditions and actions for
     both types of rules.  Through its derivation from PolicyRule, an SARule
     (and therefore IKERule and IPsecRule) also has the
     PolicyRuleValidityPeriod association.

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'MUST not' in this paragraph:

     Although the class is concrete, it MUST not be instantiated.  The class
     definition for PreconfiguredSAAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'MUST not' in this paragraph:

     The class IKENegotiationAction is abstract and serves as the base class
     for IKE and IPsec actions that result in a IKE negotiation.  Although the
     class is concrete, is MUST not be instantiated.  The class definition
     for IKENegotiationAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD',
     or 'RECOMMENDED' is not an accepted usage according to RFC 2119.  Please
     use uppercase 'NOT' together with RFC 2119 keywords (if that is what you
     mean).

     Found 'MUST not' in this paragraph:

     The class IPsecAction serves as the base class for IPsec transport and
     tunnel actions.  It specifies the parameters used for an IKE phase 2
     IPsec DOI negotiation.  Although the class is concrete, is MUST not be
     instantiated.  The class definition for IPsecAction is as follows:

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check
     skipped.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'PCIMe' is mentioned on line 3361, but not defined

  == Missing Reference: 'SAProposal' is mentioned on line 2438, but not
     defined

  == Missing Reference: 'SATransform' is mentioned on line 2451, but not
     defined

  == Unused Reference: 'COMP' is defined on line 4055, but no explicit
     reference was found in the text

  == Unused Reference: 'ESP' is defined on line 4058, but no explicit
     reference was found in the text

  == Unused Reference: 'AH' is defined on line 4061, but no explicit
     reference was found in the text

  == Unused Reference: 'IPSO' is defined on line 4091, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 2409 (ref. 'IKE') (Obsoleted by RFC
     4306)

  ** Obsolete normative reference: RFC 2393 (ref. 'COMP') (Obsoleted by RFC
     3173)

  ** Obsolete normative reference: RFC 2406 (ref. 'ESP') (Obsoleted by RFC
     4303, RFC 4305)

  ** Obsolete normative reference: RFC 2402 (ref. 'AH') (Obsoleted by RFC
     4302, RFC 4305)

  == Outdated reference: A later version (-08) exists of
     draft-ietf-policy-pcim-ext-05

  ** Obsolete normative reference: RFC 2407 (ref. 'DOI') (Obsoleted by RFC
     4306)

  ** Obsolete normative reference: RFC 2251 (ref. 'LDAP') (Obsoleted by RFC
     4510, RFC 4511, RFC 4512, RFC 4513)

  ** Downref: Normative reference to an Historic draft: draft-ietf-rap-pr
     (ref. 'COPSPR')

  ** Downref: Normative reference to an Historic RFC: RFC 1108 (ref. 'IPSO')

  ** Obsolete normative reference: RFC 2401 (ref. 'IPSEC') (Obsoleted by RFC
     4301)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'DMTF'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'CIMCORE'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'CIMUSER'

  -- Possible downref: Non-RFC (?) normative reference: ref.
     'CIMNETWORK'


     Summary: 15 errors (**), 0 flaws (~~), 17 warnings (==), 6 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


Internet Engineering Task Force                              Jamie Jason
INTERNET DRAFT                                         Intel Corporation
November-2001                                                Lee Rafalow
                                                                     IBM
                                                             Eric Vyncke
                                                           Cisco Systems


                    IPsec Configuration Policy Model
               draft-ietf-ipsp-config-policy-model-04.txt


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.  Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document presents an object-oriented model of IPsec policy
   designed to:

   o facilitate agreement about the content and semantics of IPsec
     policy

   o enable derivations of task-specific representations of IPsec
     policy such as storage schema, distribution representations,
     and policy specification languages used to configure IPsec-
     enabled endpoints

   The schema described in this document models the IKE phase one
   parameters as described in [IKE] and the IKE phase two parameters
   for the IPsec Domain of Interpretation as described in [COMP, ESP,
   AH, DOI].
   It is based upon the core policy classes as defined in
   the Policy Core Information Model (PCIM) [PCIM] and on the Policy
   Core Information Model Extensions (PCIMe) [PCIME].

Table of Contents

   Status of this Memo
   Abstract
   Table of Contents
   1. Introduction
   2. UML Conventions
   3. IPsec Policy Model Inheritance Hierarchy
   4. Policy Classes
   4.1. The Class IPsecPolicyGroup
   4.2. The Class SARule
   4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
          RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
          PolicyDecisionStrategy
   4.2.2 The Property ExecutionStrategy
   4.2.3 The Property LimitNegotiation
   4.3. The Class IKERule
   4.3.1. The Property IdentityContexts
   4.4. The Class IPsecRule
   4.6. The Association Class IPsecPolicyForEndpoint
   4.6.1. The Reference Antecedent
   4.6.2. The Reference Dependent
   4.7. The Association Class IPsecPolicyForSystem
   4.7.1. The Reference Antecedent
   4.7.2. The Reference Dependent
   4.8. The Aggregation Class RuleForIKENegotiation
   4.8.1. The Property Priority
   4.8.2. The Reference GroupComponent
   4.8.3. The Reference PartComponent
   4.9. The Aggregation Class RuleForIPsecNegotiation
   4.9.1. The Property Priority
   4.9.2. The Reference GroupComponent
   4.9.3. The Reference PartComponent
   4.10. The Aggregation Class SAConditionInRule
   4.10.1. The Properties GroupNumber and ConditionNegated
   4.10.2. The Reference GroupComponent
   4.10.3. The Reference PartComponent
   4.11. The Aggregation Class PolicyActionInSARule
   4.11.1. The Reference GroupComponent
   4.11.2. The Reference PartComponent
   4.11.3. The Property ActionOrder
   5. Condition and Filter Classes
   5.1. The Class SACondition
   5.2. The Class IPHeaderFilter
   5.3. The Class CredentialFilterEntry
   5.3.1. The Property MatchFieldName
   5.3.2. The Property MatchFieldValue
   5.3.3. The Property CredentialType
   5.4. The Class IPSOFilterEntry
   5.4.1. The Property MatchConditionType
   5.4.2. The Property MatchConditionValue
   5.5. The Class PeerIDPayloadFilterEntry
   5.5.1. The Property MatchIdentityType
   5.5.2. The Property MatchIdentityValue
   5.6. The Association Class FilterOfSACondition
   5.6.1. The Reference Antecedent
   5.6.2. The Reference Dependent
   5.7. The Association Class AcceptCredentialFrom
   5.7.1. The Reference Antecedent
   5.7.2. The Reference Dependent
   6. Action Classes
   6.1. The Class SAAction
   6.1.1. The Property DoActionLogging
   6.1.2. The Property DoPacketLogging
   6.2. The Class SAStaticAction
   6.2.1. The Property LifetimeSeconds
   6.3. The Class IPsecBypassAction
   6.4. The Class IPsecDiscardAction
   6.5. The Class IKERejectAction
   6.6. The Class PreconfiguredSAAction
   6.6.1. The Property LifetimeKilobytes
   6.7. The Class PreconfiguredTransportAction
   6.8. The Class PreconfiguredTunnelAction
   6.8.1. The Property DFHandling
   6.9. The Class SANegotiationAction
   6.10. The Class IKENegotiationAction
   6.10.1. The Property MinLifetimeSeconds
   6.10.2. The Property MinLifetimeKilobytes
   6.10.3. The Property RefreshThresholdSeconds
   6.10.4. The Property RefreshThresholdKilobytes
   6.10.5. The Property IdleDurationSeconds
   6.11. The Class IPsecAction
   6.11.1. The Property UsePFS
   6.11.2. The Property UseIKEGroup
   6.11.3. The Property GroupId
   6.11.4. The Property Granularity
   6.11.5. The Property VendorID
   6.12. The Class IPsecTransportAction
   6.13. The Class IPsecTunnelAction
   6.13.1. The Property DFHandling
   6.14. The Class IKEAction
   6.14.1. The Property RefreshThresholdDerivedKeys
   6.14.2. The Property ExchangeMode
   6.14.3. The Property UseIKEIdentityType
   6.14.4. The Property VendorID
   6.14.5. The Property AggressiveModeGroupId
   6.15. The Class PeerGateway
   6.15.1. The Property Name
   6.15.2. The Property PeerIdentityType
   6.15.3. The Property PeerIdentity
   6.16. The Association Class PeerGatewayForTunnel
   6.16.1. The Reference Antecedent
   6.16.2. The Reference Dependent
   6.16.3. The Property SequenceNumber
   6.17. The Aggregation Class ContainedProposal
   6.17.1. The Reference GroupComponent
   6.17.2. The Reference PartComponent
   6.17.3. The Property SequenceNumber
   6.18. The Association Class HostedPeerGatewayInformation
   6.18.1. The Reference Antecedent
   6.18.2. The Reference Dependent
   6.19. The Association Class TransformOfPreconfiguredAction
   6.19.1. The Reference Antecedent
   6.19.2. The Reference Dependent
   6.19.3. The Property SPI
   6.19.4. The Property Direction
   6.20 The Association Class PeerGatewayForPreconfiguredTunnel
   6.20.1. The Reference Antecedent
   6.20.2. The Reference Dependent
   7. Proposal and Transform Classes
   7.1. The Abstract Class SAProposal
   7.1.1. The Property Name
   7.2. The Class IKEProposal
   7.2.1. The Property LifetimeDerivedKeys
   7.2.2. The Property CipherAlgorithm
   7.2.3. The Property HashAlgorithm
   7.2.4. The Property PRFAlgorithm
   7.2.5. The Property GroupId
   7.2.6. The Property AuthenticationMethod
   7.2.7. The Property MaxLifetimeSeconds
   7.2.8. The Property MaxLifetimeKilobytes
   7.2.9. The Property VendorID
   7.3. The Class IPsecProposal
   7.4. The Abstract Class SATransform
   7.4.1. The Property TransformName
   7.4.2. The Property VendorID
   7.4.3. The Property MaxLifetimeSeconds
   7.4.4. The Property MaxLifetimeKilobytes
   7.5. The Class AHTransform
   7.5.1. The Property AHTransformId
   7.5.2. The Property UseReplayPrevention
   7.5.3. The Property ReplayPreventionWindowSize
   7.6. The Class ESPTransform
   7.6.1. The Property IntegrityTransformId
   7.6.2. The Property CipherTransformId
   7.6.3. The Property CipherKeyLength
   7.6.4. The Property CipherKeyRounds
   7.6.5. The Property UseReplayPrevention
   7.6.6. The Property ReplayPreventionWindowSize
   7.7. The Class IPCOMPTransform
   7.7.1. The Property Algorithm
   7.7.2. The Property DictionarySize
   7.7.3. The Property PrivateAlgorithm
   7.8. The Association Class SAProposalInSystem
   7.8.1. The Reference Antecedent
   7.8.2. The Reference Dependent
   7.9. The Aggregation Class ContainedTransform
   7.9.1. The Reference GroupComponent
   7.9.2. The Reference PartComponent
   7.9.3. The Property SequenceNumber
   7.10. The Association Class SATransformInSystem
   7.10.1. The Reference Antecedent
   7.10.2. The Reference Dependent
   8. IKE Service and Identity Classes
   8.1. The Class IKEService
   8.2. The Class PeerIdentityTable
   8.3.1. The Property Name
   8.3. The Class PeerIdentityEntry
   8.3.1. The Property PeerIdentity
   8.3.2. The Property PeerIdentityType
   8.3.3. The Property PeerAddress
   8.3.4. The Property PeerAddressType
   8.4. The Class AutostartIKEConfiguration
   8.5. The Class AutostartIKESetting
   8.5.1. The Property Phase1Only
   8.5.2. The Property AddressType
   8.5.3. The Property SourceAddress
   8.5.4. The Property SourcePort
   8.5.5. The Property DestinationAddress
   8.5.6. The Property DestinationPort
   8.5.7. The Property Protocol
   8.6. The Class IKEIdentity
   8.6.1. The Property IdentityType
   8.6.2. The Property IdentityValue
   8.6.3. The Property IdentityContexts
   8.7. The Association Class HostedPeerIdentityTable
   8.7.1. The Reference Antecedent
   8.7.2. The Reference Dependent
   8.8. The Aggregation Class PeerIdentityMember
   8.8.1. The Reference Collection
   8.8.2. The Reference Member
   8.9. The Association Class IKEServicePeerGateway
   8.9.1. The Reference Antecedent
   8.9.2. The Reference Dependent
   8.10. The Association Class IKEServicePeerIdentityTable
   8.10.1. The Reference Antecedent
   8.10.2. The Reference Dependent
   8.11. The Association Class IKEAutostartSetting
   8.11.1. The Reference Element
   8.11.2. The Reference Setting
   8.12. The Aggregation Class AutostartIKESettingContext
   8.12.1. The Reference Context
   8.12.2. The Reference Setting
   8.12.3. The Property SequenceNumber
   8.13. The Association Class IKEServiceForEndpoint
   8.13.1. The Reference Antecedent
   8.13.2. The Reference Dependent
   8.14. The Association Class IKEAutostartConfiguration
   8.14.1. The Reference Antecedent
   8.14.2. The Reference Dependent
   8.14.3. The Property Active
   8.15. The Association Class IKEUsesCredentialManagementService
   8.15.1. The Reference Antecedent
   8.15.2. The Reference Dependent
   8.16. The Association Class EndpointHasLocalIKEIdentity
   8.16.1. The Reference Antecedent
   8.16.2. The Reference Dependent
   8.17. The Association Class CollectionHasLocalIKEIdentity
   8.17.1. The Reference Antecedent
   8.17.2. The Reference Dependent
   8.18. The Association Class IKEIdentitysCredential
   8.18.1. The Reference Antecedent
   8.18.2. The Reference Dependent
   9. Implementation Requirements
   10. Security Considerations
   11. Intellectual Property
   12. Acknowledgments
   13. References
   14. Disclaimer
   15. Authors' Addresses
   16. Full Copyright Statement

1. Introduction

   Internet Protocol security (IPsec) policy may assume a variety of
   forms as it travels from storage to distribution point to decision
   point.  At each step, it needs to be represented in a way that is
   convenient for the current task.  For example, the policy could
   exist as, but is not limited to:

   o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
     a directory

   o an on-the-wire representation over a transport protocol like the
     Common Object Policy Service (COPS) [COPS, COPSPR]

   o a text-based policy specification language suitable for editing
     by an administrator

   o an Extensible Markup Language (XML) document

   Each of these task-specific representations should be derived from a
   canonical representation that precisely specifies the content and
   semantics of the IPsec policy.
The purpose of this document is to 299 abstract IPsec policy into a task-independent representation that is 300 not constrained by any particular task-dependent representation. 302 This document is organized as follows: 304 o Section 2 provides a quick introduction to the Unified Modeling 305 Language (UML) graphical notation conventions used in this 306 document. 308 o Section 3 provides the inheritance hierarchy that describes 309 where the IPsec policy classes fit into the policy class 310 hierarchy already defined by the Policy Core Information Model 311 (PCIM) and Policy Core Information Model Extensions (PCIMe). 313 o Sections 4 through 8 describes the class that make up the IPsec 314 policy model. 316 o Section 9 presents the implementation requirements for the 317 classes in the model (i.e., the MUST/MAY/SHOULD status). 319 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 320 "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 321 document are to be interpreted as described in [KEYWORDS]. 323 2. UML Conventions 325 For this document, a UML static class diagram was chosen as the 326 canonical representation for the IPsec policy model. The reason 327 behind this decision is that UML provides a graphical, task- 328 independent way to model systems. A treatise on the graphical 329 notation used in UML is beyond the scope of this paper. However, 330 given the use of ASCII drawing for UML static class diagrams, a 331 description of the notational conventions used in this document is 332 in order: 334 o Boxes represent classes, with class names in brackets ([]) 335 representing an abstract class. 336 o A line that terminates with an arrow (<, >, ^, v) denotes 337 inheritance. The arrow always points to the parent class. 338 Inheritance can also be called generalization or specialization 339 (depending upon the reference point). 
A base class is a 340 generalization of a derived class, and a derived class is a 341 specialization of a base class. 342 o Associations are used to model a relationship between two 343 classes. Classes that share an association are connected using 344 a line. A special kind of association is also used: an 345 aggregation. An aggregation models a whole-part relationship 346 between two classes. Associations, and therefore aggregations, 347 can also be modeled as classes. 348 o A line that begins with an "o" denotes aggregation. Aggregation 349 denotes containment in which the contained class and the 350 containing class have independent lifetimes. 351 o Next to a line representing an association appears a 352 cardinality. Cardinalities indicate the constraints on the 353 number of object instances in a set of relationships. Every 354 association instance has a single set of references. The 355 cardinality indicates the number of instances that may refer to 356 a given object instance. The cardinality may be: 357 - a range in the form "lower bound..upper bound" indicating the 358 minimum and maximum number of objects. 359 - a number that indicates the exact number of objects. 360 - an asterisk indicating any number of objects, including zero. 361 Using an asterisk is shorthand for 0..n. 362 - the letter n indicating from 1 to many. Using the letter n is 363 shorthand for 1..n. 364 o A class that has an association may have a "w" next to the line 365 representing the association. This is called a weak association 366 and is discussed in [PCIM]. 368 It should be noted that the UML static class diagram presented is a 369 conceptual view of IPsec policy designed to aid in understanding. 370 It does not necessarily get translated class for class into another 371 representation. For example, an LDAP implementation may flatten out 372 the representation to fewer classes (because of the inefficiency of 373 following references). 375 3. 
IPsec Policy Model Inheritance Hierarchy 377 Like PCIM and PCIMe from which it is derived, the IPsec 378 Configuration Policy Model derives from and uses classes defined in 379 the DMTF [DMTF] Common Information Model (CIM). The following tree 380 represents the inheritance hierarchy for the IPsec policy model 381 classes and how they fit into PCIM, PCIMe and the other DMTF models 382 (see Appendices for descriptions of classes that are not being 383 introduced as part of IPsec model). CIM classes that are not used 384 as a superclass from which to derive new classes but are only 385 referenced are not included this inheritance hierarchy, but can be 386 found in the appropriate DMTF document [CIMCORE], [CIMUSER] or 387 [CIMNETWORK]. 389 ManagedElement (DMTF Core Model - [CIMCORE]) 390 | 391 +--Collection (DMTF Core Model - [CIMCORE]) 392 | | 393 | +--PeerIdentityTable 394 | 395 +--ManagedSystemElement (DMTF Core Model - [CIMCORE]) 396 | | 397 | +--LogicalElement (DMTF Core Model - [CIMCORE]) 398 | | 399 | +--FilterEntryBase (DMTF Network Model - [CIMNETWORK]) 400 | | | 401 | | +--CredentialFilterEntry 402 | | | 403 | | +--IPHeaderFilter (PCIMe) 404 | | | 405 | | +--IPSOFilterEntry 406 | | | 407 | | +--PeerIDPayloadFilterEntry 408 | | 409 | +--PeerGateway 410 | | 411 | +--PeerIdentityEntry 412 | | 413 | +--Service (DMTF Core Model - [CIMCORE]) 414 | | 415 | +--IKEService 416 | 417 +--OrganizationalEntity (DMTF User Model - [CIMUSER]) 418 | | 419 | +--UserEntity (DMTF User Model - [CIMUSER]) 420 | | 421 | +--UsersAccess (DMTF User Model - [CIMUSER]) 422 | | 423 | +--IKEIdentity 424 | 425 +--Policy (PCIM) 426 | | 427 | +--PolicyAction (PCIM) 428 | | | 429 | | +--CompoundPolicyAction (PCIMe) 430 | | | 431 | | +--SAAction 432 | | | 433 | | +--SANegotiationAction 434 | | | | 435 | | | +--IKENegotiationAction 436 | | | | 437 | | | +--IKEAction 438 | | | | 439 | | | +--IPsecAction 440 | | | | 441 | | | +--IPsecTransportAction 442 | | | | 443 | | | +--IPsecTunnelAction 444 
   |  |     |
   |  |     +--SAStaticAction
   |  |        |
   |  |        +--IKERejectAction
   |  |        |
   |  |        +--IPsecBypassAction
   |  |        |
   |  |        +--IPsecDiscardAction
   |  |        |
   |  |        +--PreconfiguredSAAction
   |  |           |
   |  |           +--PreconfiguredTransportAction
   |  |           |
   |  |           +--PreconfiguredTunnelAction
   |  |
   |  +--PolicyCondition (PCIM)
   |  |  |
   |  |  +--SACondition
   |  |
   |  +--PolicySet (PCIMe)
   |  |  |
   |  |  +--PolicyGroup (PCIM & PCIMe)
   |  |  |  |
   |  |  |  +--IPsecPolicyGroup
   |  |  |
   |  |  +--PolicyRule (PCIM & PCIMe)
   |  |     |
   |  |     +--SARule
   |  |        |
   |  |        +--IKERule
   |  |        |
   |  |        +--IPsecRule
   |  |
   |  +--SAProposal
   |  |  |
   |  |  +--IKEProposal
   |  |  |
   |  |  +--IPsecProposal
   |  |
   |  +--SATransform
   |     |
   |     +--AHTransform
   |     |
   |     +--ESPTransform
   |     |
   |     +--IPCOMPTransform
   |
   +--Setting (DMTF Core Model - [CIMCORE])
   |  |
   |  +--SystemSetting (DMTF Core Model - [CIMCORE])
   |     |
   |     +--AutostartIKESetting
   |
   +--SystemConfiguration (DMTF Core Model - [CIMCORE])
      |
      +--AutostartIKEConfiguration

   The following tree represents the inheritance hierarchy of the IPsec
   policy model association classes and how they fit into PCIM and the
   other DMTF models (see the Appendices for descriptions of association
   classes that are not being introduced as part of the IPsec model).
   Dependency (DMTF Core Model - [CIMCORE])
   |
   +--AcceptCredentialsFrom
   |
   +--ElementAsUser (DMTF User Model - [CIMUSER])
   |  |
   |  +--EndpointHasLocalIKEIdentity
   |  |
   |  +--CollectionHasLocalIKEIdentity
   |
   +--FilterOfSACondition
   |
   +--HostedPeerGatewayInformation
   |
   +--HostedPeerIdentityTable
   |
   +--IKEAutostartConfiguration
   |
   +--IKEServiceForEndpoint
   |
   +--IKEServicePeerGateway
   |
   +--IKEServicePeerIdentityTable
   |
   +--IKEUsesCredentialManagementService
   |
   +--IPsecPolicyForEndpoint
   |
   +--IPsecPolicyForSystem
   |
   +--PeerGatewayForPreconfiguredTunnel
   |
   +--PeerGatewayForTunnel
   |
   +--PolicyInSystem (PCIM)
   |  |
   |  +--SAProposalInSystem
   |  |
   |  +--SATransformInSystem
   |
   +--TransformOfPreconfiguredAction
   |
   +--UsersCredential (DMTF User Model - [CIMUSER])
      |
      +--IKEIdentitysCredential

   ElementSetting (DMTF Core Model - [CIMCORE])
   |
   +--IKEAutostartSetting

   MemberOfCollection (DMTF Core Model - [CIMCORE])
   |
   +--PeerIdentityMember

   PolicyComponent (PCIM)
   |
   +--ContainedProposal
   |
   +--ContainedTransform
   |
   +--PolicyActionStructure (PCIMe)
   |  |
   |  +--PolicyActionInPolicyRule (PCIM & PCIMe)
   |     |
   |     +--PolicyActionInSARule
   |
   +--PolicyConditionStructure (PCIMe)
   |  |
   |  +--PolicyConditionInPolicyRule (PCIM & PCIMe)
   |     |
   |     +--SAConditionInRule
   |
   +--PolicySetComponent (PCIMe)
      |
      +--RuleForIKENegotiation
      |
      +--RuleForIPsecNegotiation

   SystemSettingContext (DMTF Core Model - [CIMCORE])
   |
   +--AutostartIKESettingContext

4.  Policy Classes

   The IPsec policy classes represent the set of policies that are
   contained on a system.
                        +--------------+
                        |  PolicySet   |*
                        |  ([PCIMe])   |o--+
                        +--------------+   |
                           ^  *|           |(a)
                           |   +-----------+
                           |
   +--------------------+  +-------------+
   | IPProtocolEndpoint |  | PolicyGroup |
   |   ([CIMNETWORK])   |  |  ([PCIM])   |
   +--------------------+  +-------------+
            |*             ^
            +--------+     |
                 (b) |     |
                     |     |
                 0..1|     |
        +------------------+0..1   (c)   *+------------+
        | IPsecPolicyGroup |--------------|   System   |
        +------------------+              | ([CIMCORE])|
            1 o     o 1                   +------------+
         (d)  |     |  (e)
   +----------+     +---------------------------------------------------+
   |                                                                    |
   |      +---------------------------+                                 |
   |      | PolicyTimePeriodCondition |                                 |
   |      |         ([PCIM])          |                                 |
   |      +---------------------------+                                 |
   |                           *|                                       |
   |                            |(f)                                    |
   |                           *o                                       |
   |   +-------------+n    *+--------+*    n+--------------+            |
   |   | SACondition |-----o| SARule |o-----| PolicyAction |            |
   |   +-------------+ (g)  +--------+ (h)  |   ([PCIM])   |            |
   |                            ^           +--------------+            |
   |                            |             *|   ^                    |
   |                            |              |(i) |                    |
   |                            |             *o   |                    |
   |        +-------------------+---------+  +----------------------+   |
   |        |                             |  | CompoundPolicyAction |   |
   |        |                             |  |       ([PCIMe])      |   |
   |        |                             |  +----------------------+   |
   |  *+---------+                +-----------+*                        |
   +---| IKERule |                | IPsecRule |------------------------+
       +---------+                +-----------+

   (a) PolicySetComponent ([PCIMe])
   (b) IPsecPolicyForEndpoint
   (c) IPsecPolicyForSystem
   (d) RuleForIKENegotiation
   (e) RuleForIPsecNegotiation
   (f) PolicyRuleValidityPeriod ([PCIM])
   (g) SAConditionInRule
   (h) PolicyActionInSARule
   (i) PolicyActionInPolicyAction ([PCIMe])

   An IPsecPolicyGroup represents the set of policies that are used on
   an interface.  This IPsecPolicyGroup SHOULD be associated either
   directly with the IPProtocolEndpoint class instance that represents
   the interface (via the IPsecPolicyForEndpoint association) or
   indirectly (via the IPsecPolicyForSystem association) with the
   System that hosts the interface.
   The IKE and IPsec rules are used to build or to negotiate the IPsec
   SADB.  The IPsec rules represent the Security Policy Database.  The
   SADB itself is not modeled by this document.

   Rule usage can be described as follows (see also section 6 about
   actions):

   o  An egress unprotected packet will first be checked against the
      IPsec rules.  If a match is found, the SADB will be checked.  If
      there is no corresponding IPsec SA in the SADB and IKE
      negotiation is required by the IPsec rule, the corresponding IKE
      rules will be used.  The negotiated or preconfigured SA will then
      be installed in the SADB.

   o  An ingress unprotected packet will first be checked against the
      IPsec rules.  If a match is found, the SADB will be checked for a
      corresponding IPsec SA.  If there is no corresponding IPsec SA
      and a preconfigured SA exists, this preconfigured SA will be
      installed in the IPsec SADB.  This behavior should only apply to
      bypass and discard actions.

   o  An ingress protected packet will first be checked against the
      IPsec rules.  If a match is found, the SADB will be checked for a
      corresponding IPsec SA.  If there is no corresponding IPsec SA
      and a preconfigured SA exists, this preconfigured SA will be
      installed in the IPsec SADB.

   o  An ingress IKE negotiation packet, which is not part of an
      existing IKE SA, will be checked against the IKE rules.  The
      negotiated SA will then be installed in the SADB.

4.1.  The Class IPsecPolicyGroup

   The class IPsecPolicyGroup serves as a container of either other
   IPsecPolicyGroups or a set of IKERules and a set of IPsecRules.  The
   class definition for IPsecPolicyGroup is as follows:

   NAME           IPsecPolicyGroup
   DESCRIPTION    Either a set of IPsecPolicyGroups or a set of
                  IKERules and a set of IPsecRules.
   DERIVED FROM   PolicyGroup (see [PCIM] & [PCIMe])
   ABSTRACT       FALSE
   PROPERTIES     PolicyGroupName (from PolicyGroup)
                  PolicyDecisionStrategy (from PolicySet)

   NOTE: for derivations of the schema that are used for policy
   distribution to an IPsec device (for example, COPS-PR), the server
   may follow all of the PolicySetComponent associations and create one
   policy group which is simply a set of all of the IKE rules and a set
   of all of the IPsec rules.  See the section on the
   PolicySetComponent aggregation for information on merging multiple
   IPsecPolicyGroups.

4.2.  The Class SARule

   The class SARule serves as a base class for IKERule and IPsecRule.
   Even though the class is concrete, it MUST NOT be instantiated.  It
   defines a common connection point for associations to conditions and
   actions for both types of rules.  Through its derivation from
   PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
   the PolicyRuleValidityPeriod association.

   Each valid IPsecPolicyGroup MUST contain SARules that each have a
   unique associated priority number in PolicySetComponent.Priority.
   The class definition for SARule is as follows:

   NAME           SARule
   DESCRIPTION    A base class for IKERule and IPsecRule.
   DERIVED FROM   PolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT       FALSE
   PROPERTIES     PolicyRuleName (from PolicyRule)
                  Enabled (from PolicyRule)
                  ConditionListType (from PolicyRule)
                  RuleUsage (from PolicyRule)
                  Mandatory (from PolicyRule)
                  SequencedActions (from PolicyRule)
                  ExecutionStrategy (from PolicyRule)
                  PolicyRoles (from PolicyRule)
                  PolicyDecisionStrategy (from PolicySet)
                  LimitNegotiation

4.2.1.  The Properties PolicyRuleName, Enabled, ConditionListType,
        RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
        PolicyDecisionStrategy

   For a description of these properties, see [PCIM] and [PCIME].
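   The rule processing described at the start of this section (the
   four packet cases) and the unique-priority requirement of section
   4.2, as an added Python example.  This is not text or code from the
   draft: Selector, Sadb, IpsecPolicyGroup and the process_* functions
   are this example's own names, the "negotiate"/"preconfigured"/
   "bypass"/"discard" action labels stand in for the action classes of
   section 6, and the sample rules and addresses are constructed.

```python
"""Added example, not text of the draft: a toy model of how the IKE and
IPsec rules of an IPsecPolicyGroup drive the SADB for the four packet cases
listed at the start of section 4, plus the unique-priority check of section
4.2.  Selector, Sadb, IpsecPolicyGroup and the process_* functions are this
example's own names, not classes of the model."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Selector:
    src: str   # a two-address stand-in for the rule's IPHeaderFilter
    dst: str

    def mirrored(self):
        return Selector(self.dst, self.src)


@dataclass
class IpsecRule:
    priority: int        # PolicySetComponent.Priority, unique within a group
    selector: Selector
    action: str          # "negotiate", "preconfigured", "bypass" or "discard"
    peer: str = ""       # IKE peer or gateway for negotiate/preconfigured


@dataclass
class IpsecPolicyGroup:
    ipsec_rules: list
    ike_peers: list      # IKE rules, reduced to the peer each one covers


@dataclass
class Sadb:
    """Stand-in SADB (the draft does not model it): selector -> SA label."""
    entries: dict = field(default_factory=dict)

    def lookup(self, sel):
        return self.entries.get(sel)

    def install(self, sel, sa):
        self.entries[sel] = sa
        return sa


def priorities_unique(rules):
    """Section 4.2: every SARule in a group MUST have a unique priority."""
    prios = [r.priority for r in rules]
    return len(prios) == len(set(prios))


def match_ipsec_rule(group, sel):
    """First matching rule in priority order; a symmetric filter matches both
    directions of the same flow."""
    for rule in sorted(group.ipsec_rules, key=lambda r: r.priority):
        if rule.selector in (sel, sel.mirrored()):
            return rule
    return None


def process_egress(sel, group, sadb):
    """Egress unprotected packet: IPsec rules, then SADB, then IKE rules."""
    rule = match_ipsec_rule(group, sel)
    if rule is None:
        return "no-rule"
    if sadb.lookup(sel) is not None:
        return "sa:" + sadb.lookup(sel)
    if rule.action == "negotiate":
        if rule.peer not in group.ike_peers:
            return "no-ike-rule"
        # The IKE exchange itself is out of scope; its result is installed.
        return "negotiated:" + sadb.install(sel, "esp-" + rule.peer)
    if rule.action == "preconfigured":
        return "installed:" + sadb.install(sel, "preconfigured-" + rule.peer)
    return rule.action                    # bypass or discard: no SA needed


def process_ingress(sel, group, sadb, protected):
    """Ingress packet: IPsec rules, then SADB.  With no SA present, a
    preconfigured entry is installed: a transport/tunnel one for protected
    packets, only bypass/discard ones for unprotected packets."""
    rule = match_ipsec_rule(group, sel)
    if rule is None:
        return "no-rule"
    if sadb.lookup(sel) is not None:
        return "sa:" + sadb.lookup(sel)
    if protected and rule.action == "preconfigured":
        return "installed:" + sadb.install(sel, "preconfigured-" + rule.peer)
    if not protected and rule.action in ("bypass", "discard"):
        return "installed:" + sadb.install(sel, rule.action)
    return "no-sa"


def process_ingress_ike(peer, sel, group, sadb):
    """Ingress IKE packet outside any existing IKE SA: IKE rules only."""
    if peer not in group.ike_peers:
        return "no-ike-rule"
    return "negotiated:" + sadb.install(sel, "esp-" + peer)


# Constructed sample policy; addresses are from documentation ranges.
GROUP = IpsecPolicyGroup(
    ipsec_rules=[
        IpsecRule(1, Selector("192.0.2.1", "198.51.100.7"), "negotiate", "gw-a"),
        IpsecRule(2, Selector("192.0.2.1", "192.0.2.2"), "bypass"),
        IpsecRule(3, Selector("192.0.2.1", "203.0.113.9"), "preconfigured", "gw-b"),
    ],
    ike_peers=["gw-a"],
)
```

   The second egress call for the same selector finds the SA installed
   by the first, which is the "check the SADB before negotiating" step
   of the first bullet; the unprotected ingress case deliberately
   refuses to install anything for a rule that requires negotiation.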
   In SARule subclass instances:

   - if the property Mandatory exists, it MUST be set to "true"
   - if the property SequencedActions exists, it MUST be set to
     "mandatory"
   - the property PolicyRoles is not used in the device-level model
   - if the property PolicyDecisionStrategy exists, it MUST be set to
     "FirstMatching"

4.2.2.  The Property ExecutionStrategy

   The ExecutionStrategy properties in the PolicyRule subclasses (and
   in the CompoundPolicyAction class) determine the behavior of the
   contained actions: they define the strategy to be used in executing
   the sequenced actions aggregated by a rule or a compound action.  In
   the case of actions within a rule, the PolicyActionInSARule
   aggregation is used to collect the actions into an ordered set; in
   the case of a compound action, the PolicyActionInPolicyAction
   aggregation is used to collect the actions into an ordered subset.

   There are three execution strategies: do until success, do all and
   do until failure.

   "Do Until Success" causes the execution of actions according to the
   ActionOrder property in the aggregation instances until a single
   action executes successfully.  These actions may be evaluated to
   determine whether they are appropriate to execute rather than
   blindly trying each of the actions until one succeeds.  For an
   initiator, they are tried in the ActionOrder until the list is
   exhausted or one completes successfully.  For example, an IKE
   initiator may have several IKEActions for the same SACondition.  The
   initiator will try all IKEActions in the order defined by
   ActionOrder; that is, it may try several phase 1 negotiations,
   possibly with different modes (main mode then aggressive mode)
   and/or with multiple IKE peers.
   For a responder, when a rule with the "do until success" strategy
   contains more than one action, the actions provide alternatives
   depending on the received proposals.  For example, the same IKERule
   may be used to handle aggressive mode and main mode negotiations
   with different actions.  The responder uses the first appropriate
   action in the list of actions.

   "Do All" causes the execution of all of the actions in the
   aggregated set according to their defined order.  The execution
   continues regardless of failures.

   "Do Until Failure" causes the execution of all actions according to
   their defined order until the first failure in the execution of an
   action instance.

   For example, in a nested SAs case the actions of an initiator's rule
   might be structured as:

   IPsecRule.ExecutionStrategy='Do All'
   |
   +---1--- IPsecTunnelAction     // set up SA from host to gateway
   |
   +---2--- IPsecTransportAction  // set up SA from host through
                                  // tunnel to remote host

   Another example, showing a rule with fallback actions, might be
   structured as:

   IPsecRule.ExecutionStrategy='Do Until Success'
   |
   +---6--- IPsecTransportAction  // negotiate SA with peer
   |
   +---9--- IPsecBypassAction     // but if you must, allow in the clear

   The CompoundPolicyAction class (see [PCIME]) may be used in
   constructing the actions of IKE and IPsec rules when those rules
   specify both multiple actions and fallback actions.  The
   ExecutionStrategy property in CompoundPolicyAction is used in
   conjunction with that in the PolicyRule.
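   The three execution strategies, ActionOrder sequencing and the
   nesting of a CompoundPolicyAction inside a rule, as an added Python
   interpreter.  This is an example written for this section, not code
   from the draft: the Action and Compound classes, the "succeeds" flag
   that stands in for the outcome of a real negotiation, and the rule
   builders (which reproduce the figures of this section, including the
   nested-SA-with-fallback-gateway arrangement) are this example's own.

```python
"""Added example, not text of the draft: an interpreter for the three
ExecutionStrategy values of section 4.2.2, applied to actions ordered by
ActionOrder, with CompoundPolicyAction nesting.  Action, Compound, the
'succeeds' flag standing in for a real negotiation result, and the
constructed rule builders are this example's own assumptions."""
from dataclasses import dataclass

DO_UNTIL_SUCCESS = "Do Until Success"
DO_ALL = "Do All"
DO_UNTIL_FAILURE = "Do Until Failure"


@dataclass
class Action:
    """A leaf SAAction; 'succeeds' is the constructed outcome of running it."""
    name: str
    succeeds: bool
    creates_sa: bool = True   # negotiation/preconfigured actions yield an SA


@dataclass
class Compound:
    """An SARule or CompoundPolicyAction: a strategy plus (ActionOrder,
    action) pairs; lower ActionOrder executes first."""
    strategy: str
    actions: list


def execute(node, created=None):
    """Run 'node' under its ExecutionStrategy.

    Returns (net_success, created_sas).  created_sas lists SAs set up by
    actions that succeeded, including those left behind when a 'Do All'
    aggregation fails as a whole; the draft lets an implementation keep or
    delete those, so the caller gets the list and decides."""
    created = [] if created is None else created
    orders = [order for order, _ in node.actions]
    if len(orders) != len(set(orders)):
        raise ValueError("ActionOrder MUST be unique within a rule")
    results = []
    for _, act in sorted(node.actions, key=lambda pair: pair[0]):
        if isinstance(act, Compound):
            ok, _ = execute(act, created)          # nested strategy
        else:
            ok = act.succeeds
            if ok and act.creates_sa:
                created.append(act.name)
        results.append(ok)
        if node.strategy == DO_UNTIL_SUCCESS and ok:
            return True, created                   # first success ends it
        if node.strategy == DO_UNTIL_FAILURE and not ok:
            return False, created                  # first failure ends it
    if node.strategy == DO_UNTIL_SUCCESS:
        return False, created                      # list exhausted
    if node.strategy == DO_ALL:
        return all(results), created               # ran on despite failures
    return True, created                           # Do Until Failure: all ok


def nested_rule():
    """The first figure of 4.2.2: tunnel SA (1) then transport SA (2)."""
    return Compound(DO_ALL, [
        (1, Action("IPsecTunnelAction host->gateway", True)),
        (2, Action("IPsecTransportAction host->remote", True)),
    ])


def fallback_rule(peer_answers):
    """The second figure: negotiate (6), else allow in the clear (9)."""
    return Compound(DO_UNTIL_SUCCESS, [
        (6, Action("IPsecTransportAction", peer_answers)),
        (9, Action("IPsecBypassAction", True, creates_sa=False)),
    ])


def nested_with_fallback_gateway(gw1_up, gw2_up):
    """Nested SAs with a fallback security gateway: 'Do All' of a
    'Do Until Success' compound (gateway1 or gateway2) and a transport SA."""
    return Compound(DO_ALL, [
        (1, Compound(DO_UNTIL_SUCCESS, [
            (1, Action("IPsecTunnelAction gateway1", gw1_up)),
            (2, Action("IPsecTunnelAction gateway2", gw2_up)),
        ])),
        (2, Action("IPsecTransportAction through tunnel", True)),
    ])
```

   When both gateways are down, the compound fails but "Do All" still
   runs the transport action, so the rule reports failure while one SA
   has been created; that is the situation in which the draft allows
   the created SAs to be either kept or deleted.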
   For example, in nesting SAs with a fallback security gateway, the
   actions of a rule might be structured as:

   IPsecRule.ExecutionStrategy='Do All'
   |
   +---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success'
   |        |
   |        +---1--- IPsecTunnelAction     // set up SA from host to
   |        |                              // gateway1
   |        |
   |        +---2--- IPsecTunnelAction     // or set up SA to gateway2
   |
   +---2--- IPsecTransportAction  // then set up SA from host
                                  // through tunnel to remote
                                  // host

   In the case of "Do All", several actions may execute successfully
   before a subsequent action fails.  In this case, some IKE or IPsec
   actions may have resulted in SA creation.  Even if the net effect of
   the aggregated actions is failure, those created SAs MAY be kept or
   MAY be deleted.

   In the case of "Do All", the IPsec selectors to be used during IPsec
   SA negotiation are:

   for the last IPsecAction of the aggregation (i.e., usually the
   innermost IPsec SA): the combination of the IPHeaderFilter class
   and of the Granularity property of the IPsecAction;

   for all other IPsecActions of the aggregation: the source IP
   address is the local IP address and the destination IP address is
   the PeerGateway IP address of the following IPsecAction of the "Do
   All" aggregation.  NB: the granularity is IP address to IP address.

   If the above behavior is not desirable, the alternative is to define
   several SARules, one for each IPsec SA to be built.  This allows the
   definition of specific IPsec selectors for all IPsecActions.

4.2.3.  The Property LimitNegotiation

   The property LimitNegotiation is used as part of processing either
   an IKE or an IPsec rule.

   Before proceeding with a phase 1 negotiation, this property is
   checked to determine if the negotiation role of the rule matches
   that defined for the negotiation being undertaken (e.g., Initiator,
   Responder, or Both).
   If this check fails (e.g., the current role is IKE responder while
   the rule specifies IKE initiator), then the IKE negotiation is
   stopped.  Note that this only applies to new IKE phase 1
   negotiations and has no effect on either renegotiation or refresh
   operations with peers for which an established SA already exists.

   Before proceeding with a phase 2 negotiation, the LimitNegotiation
   property of the IPsecRule is first checked to determine if the
   negotiation role indicated for the rule matches that of the current
   negotiation (Initiator, Responder, or Either).  Note that this limit
   applies only to new phase 2 negotiations.  It is ignored when an
   attempt is made to refresh an expiring SA (either side can initiate
   a refresh operation).  The IKE system can determine that the
   negotiation is a refresh operation by checking to see if the
   selector information matches that of an existing SA.  If
   LimitNegotiation does not match and the selector corresponds to a
   new SA, the negotiation is stopped.

   The property is defined as follows:

   NAME           LimitNegotiation
   DESCRIPTION    Limits the role to be undertaken during negotiation.
   SYNTAX         unsigned 16-bit integer
   VALUE          1 - initiator-only
                  2 - responder-only
                  3 - both

4.3.  The Class IKERule

   The class IKERule associates Conditions and Actions for IKE phase 1
   negotiations.  The class definition for IKERule is as follows:

   NAME           IKERule
   DESCRIPTION    Associates Conditions and Actions for IKE phase 1
                  negotiations.
   DERIVED FROM   SARule
   ABSTRACT       FALSE
   PROPERTIES     same as SARule, plus
                  IdentityContexts

4.3.1.  The Property IdentityContexts

   The IKE service of a security endpoint may have multiple identities
   for use in different situations.  The combination of the interface
   (represented by the IPProtocolEndpoint), the identity type (as
   specified in the IKEAction) and the IdentityContexts specifies a
   unique identity.
   The IdentityContexts property specifies the context used to select
   the relevant IKE identity to be used during the subsequent
   IKEAction.  A context may be a VPN name or other identifier for
   selecting the appropriate identity for use on the protected
   IPProtocolEndpoint.

   IdentityContexts is an array of strings.  The multiple values in the
   array are ORed together in evaluating the IdentityContexts.  Each
   value in the array may be the composition of multiple context names.
   So, a single value may be a single context name (e.g.,
   "CompanyXVPN") or it may be a combination of contexts.  When an
   array value is a composition, the individual values are ANDed
   together for evaluation purposes and the syntax is:

   <ContextName>[&&<ContextName>]*

   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2).  So, for example,
   the values "CompanyXVPN", "CompanyYVPN&&TopSecret" and
   "CompanyZVPN&&Confidential" mean that, for the appropriate
   IPProtocolEndpoint and IdentityType, the contexts are matched if the
   identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
   "CompanyZVPN&&Confidential".

   The property is defined as follows:

   NAME           IdentityContexts
   DESCRIPTION    Specifies the context in which to select the IKE
                  identity.
   SYNTAX         string array

4.4.  The Class IPsecRule

   The class IPsecRule associates Conditions and Actions for IKE phase
   2 negotiations for the IPsec DOI.  The class definition for
   IPsecRule is as follows:

   NAME           IPsecRule
   DESCRIPTION    Associates Conditions and Actions for IKE phase 2
                  negotiations for the IPsec DOI.
   DERIVED FROM   SARule
   ABSTRACT       FALSE
   PROPERTIES     same as SARule

4.6.  The Association Class IPsecPolicyForEndpoint

   The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
   a specific network interface.
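   Returning to the two IKERule checks just described, the
   LimitNegotiation role gate of section 4.2.3 (with its exemption for
   refreshing an existing SA) and the IdentityContexts match of section
   4.3.1, here they are as an added Python example.  This is not code
   from the draft: the helper names, the "existing_sas" input used to
   recognise a refresh, the dictionary layout of the sample IKEIdentity
   records, and the reading that a "&&" value matches when the identity
   carries every name in it are this example's own assumptions.

```python
"""Added example, not text of the draft: two checks an IKE implementation
can derive from an IKERule before a phase 1 negotiation: the
LimitNegotiation role check of section 4.2.3 (with its refresh exemption)
and the IdentityContexts match of section 4.3.1.  The helper names, the
'existing_sas' input and the sample identities are this example's own."""

INITIATOR_ONLY, RESPONDER_ONLY, BOTH = 1, 2, 3   # LimitNegotiation values


def role_permitted(limit, role):
    """Does the rule's LimitNegotiation allow acting in 'role'?"""
    if limit == BOTH:
        return True
    return (limit == INITIATOR_ONLY and role == "initiator") or \
           (limit == RESPONDER_ONLY and role == "responder")


def may_negotiate(limit, role, selector, existing_sas):
    """LimitNegotiation gate for a negotiation described by 'selector'.
    A refresh or renegotiation of an SA that already exists (same selector)
    ignores the limit; a new negotiation must match the role."""
    if selector in existing_sas:
        return True
    return role_permitted(limit, role)


def parse_context_value(value):
    """Split one IdentityContexts array value into its ANDed context names and
    enforce the alphabetical order the draft requires.  Python compares
    strings by code point, which matches the UCS-2 collating sequence for
    names in the Basic Multilingual Plane."""
    names = value.split("&&")
    if any(name == "" for name in names):
        raise ValueError("empty context name in %r" % value)
    if names != sorted(names):
        raise ValueError("context names not in alphabetical order: %r" % value)
    return names


def contexts_match(rule_contexts, identity_contexts):
    """Array values are ORed; the '&&'-joined names inside one value are
    ANDed.  A value matches when the identity carries every name in it
    (this subset reading is the example's assumption)."""
    have = set(identity_contexts)
    return any(set(parse_context_value(v)) <= have for v in rule_contexts)


def select_ike_identity(identities, endpoint, identity_type, rule_contexts):
    """The combination of IPProtocolEndpoint, IdentityType and IdentityContexts
    specifies a unique identity: return its name, None if nothing matches,
    and raise if the configuration is ambiguous."""
    hits = [i for i in identities
            if i["endpoint"] == endpoint and i["type"] == identity_type
            and contexts_match(rule_contexts, i["contexts"])]
    if len(hits) > 1:
        raise ValueError("IdentityContexts did not select a unique identity")
    return hits[0]["name"] if hits else None


# Constructed sample IKEIdentity records (names and contexts are made up).
IDENTITIES = [
    {"name": "id-corp", "endpoint": "eth0", "type": "FQDN",
     "contexts": ["CompanyXVPN"]},
    {"name": "id-partner", "endpoint": "eth0", "type": "FQDN",
     "contexts": ["CompanyYVPN", "TopSecret"]},
    {"name": "id-lab", "endpoint": "eth1", "type": "FQDN",
     "contexts": ["CompanyXVPN"]},
]
```

   The ordering check in parse_context_value rejects
   "TopSecret&&CompanyYVPN" even though it names the same contexts as
   the draft's "CompanyYVPN&&TopSecret"; treating the canonical form as
   mandatory keeps two configurations that mean the same thing from
   being stored as different strings.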
   If an IPProtocolEndpoint of a system does not have an
   IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
   IPsecPolicyForSystem-associated IPsecPolicyGroup is used for that
   endpoint.  The class definition for IPsecPolicyForEndpoint is as
   follows:

   NAME           IPsecPolicyForEndpoint
   DESCRIPTION    Associates a policy group to a network interface.
   DERIVED FROM   Dependency (see [CIMCORE])
   ABSTRACT       FALSE
   PROPERTIES     Antecedent [ref IPProtocolEndpoint [0..n]]
                  Dependent [ref IPsecPolicyGroup [0..1]]

4.6.1.  The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an IPProtocolEndpoint instance.  The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may be
   associated with zero or more IPProtocolEndpoint instances.

4.6.2.  The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecPolicyGroup instance.  The [0..1]
   cardinality indicates that an IPProtocolEndpoint instance may have
   an association to at most one IPsecPolicyGroup instance.

4.7.  The Association Class IPsecPolicyForSystem

   The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a
   specific system.  If an IPProtocolEndpoint of a system does not have
   an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
   IPsecPolicyForSystem-associated IPsecPolicyGroup is used for that
   endpoint.  The class definition for IPsecPolicyForSystem is as
   follows:

   NAME           IPsecPolicyForSystem
   DESCRIPTION    Default policy group for a system.
   DERIVED FROM   Dependency (see [CIMCORE])
   ABSTRACT       FALSE
   PROPERTIES     Antecedent [ref System [0..n]]
                  Dependent [ref IPsecPolicyGroup [0..1]]

4.7.1.  The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.
   The [0..n] cardinality indicates that an IPsecPolicyGroup instance
   may have an association to zero or more System instances.

4.7.2.  The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecPolicyGroup instance.  The [0..1]
   cardinality indicates that a System instance may have an association
   to at most one IPsecPolicyGroup instance.

4.8.  The Aggregation Class RuleForIKENegotiation

   The class RuleForIKENegotiation associates an IKERule with the
   IPsecPolicyGroup that contains it.  The class definition for
   RuleForIKENegotiation is as follows:

   NAME           RuleForIKENegotiation
   DESCRIPTION    Associates an IKERule with the IPsecPolicyGroup that
                  contains it.
   DERIVED FROM   PolicySetComponent (see [PCIME])
   ABSTRACT       FALSE
   PROPERTIES     Priority (from PolicySetComponent)
                  GroupComponent [ref IPsecPolicyGroup [1..1]]
                  PartComponent [ref IKERule [0..n]]

4.8.1.  The Property Priority

   For a description of this property, see [PCIME].

4.8.2.  The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyRuleInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance.  The [1..1] cardinality indicates that an
   IKERule instance may be contained in one and only one
   IPsecPolicyGroup instance (i.e., IKERules are not shared across
   IPsecPolicyGroups).

4.8.3.  The Reference PartComponent

   The property PartComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IKERule instance.  The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may contain
   zero or more IKERule instances.

4.9.  The Aggregation Class RuleForIPsecNegotiation

   The class RuleForIPsecNegotiation associates an IPsecRule with the
   IPsecPolicyGroup that contains it.
   The class definition for RuleForIPsecNegotiation is as follows:

   NAME           RuleForIPsecNegotiation
   DESCRIPTION    Associates an IPsecRule with the IPsecPolicyGroup
                  that contains it.
   DERIVED FROM   PolicySetComponent (see [PCIME])
   ABSTRACT       FALSE
   PROPERTIES     Priority (from PolicySetComponent)
                  GroupComponent [ref IPsecPolicyGroup [1..1]]
                  PartComponent [ref IPsecRule [0..n]]

4.9.1.  The Property Priority

   For a description of this property, see [PCIME].

4.9.2.  The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyRuleInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance.  The [1..1] cardinality indicates that an
   IPsecRule instance may be contained in only one IPsecPolicyGroup
   instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).

4.9.3.  The Reference PartComponent

   The property PartComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IPsecRule instance.  The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may contain
   zero or more IPsecRule instances.

4.10.  The Aggregation Class SAConditionInRule

   The class SAConditionInRule associates an SARule with the
   SACondition instance(s) that trigger(s) it.  The class definition
   for SAConditionInRule is as follows:

   NAME           SAConditionInRule
   DESCRIPTION    Associates an SARule with the SACondition instance(s)
                  that trigger(s) it.
   DERIVED FROM   PolicyConditionInPolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT       FALSE
   PROPERTIES     GroupNumber (from PolicyConditionInPolicyRule)
                  ConditionNegated (from PolicyConditionInPolicyRule)
                  GroupComponent [ref SARule [0..n]]
                  PartComponent [ref SACondition [1..n]]

4.10.1.  The Properties GroupNumber and ConditionNegated

   For a description of these properties, see [PCIM].

4.10.2.  The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyConditionInPolicyRule and is overridden to refer to an SARule
   instance.  The [0..n] cardinality indicates that an SACondition
   instance may be contained in zero or more SARule instances.

4.10.3.  The Reference PartComponent

   The property PartComponent is inherited from
   PolicyConditionInPolicyRule and is overridden to refer to an
   SACondition instance.  The [1..n] cardinality indicates that an
   SARule instance MUST contain at least one SACondition instance.

4.11.  The Aggregation Class PolicyActionInSARule

   The PolicyActionInSARule class associates an SARule with one or more
   PolicyAction instances.  In all cases where an SARule is being used,
   the contained actions MUST be either subclasses of SAAction or
   instances of CompoundPolicyAction.  For an IKERule, the contained
   actions MUST be related to phase 1 processing, i.e., IKEAction or
   IKERejectAction.  Similarly, for an IPsecRule, contained actions
   MUST be related to phase 2 or preconfigured SA processing, e.g.,
   IPsecTransportAction, IPsecBypassAction, etc.  The class definition
   for PolicyActionInSARule is as follows:

   NAME           PolicyActionInSARule
   DESCRIPTION    Associates an SARule with its PolicyAction(s).
   DERIVED FROM   PolicyActionInPolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT       FALSE
   PROPERTIES     GroupComponent [ref SARule [0..n]]
                  PartComponent [ref PolicyAction [1..n]]
                  ActionOrder (from PolicyActionInPolicyRule)

4.11.1.  The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyActionInPolicyRule and is overridden to refer to an SARule
   instance.  The [0..n] cardinality indicates that an SAAction
   instance may be contained in zero or more SARule instances.

4.11.2.  The Reference PartComponent

   The property PartComponent is inherited from
   PolicyActionInPolicyRule and is overridden to refer to an SAAction
   or CompoundPolicyAction instance.  The [1..n] cardinality indicates
   that an SARule instance MUST contain at least one SAAction or
   CompoundPolicyAction instance.

4.11.3.  The Property ActionOrder

   The property ActionOrder is inherited from the superclass
   PolicyActionInPolicyRule.  It specifies the relative position of
   this PolicyAction in the sequence of actions associated with a
   PolicyRule.  The ActionOrder MUST be unique so as to provide a
   deterministic order.  The actions in an SARule are executed as
   described in section 4.2.2, The Property ExecutionStrategy, which
   also discusses the use of the ActionOrder property.

   The property is defined as follows:

   NAME           ActionOrder
   DESCRIPTION    Specifies the order of actions.
   SYNTAX         unsigned 16-bit integer
   VALUE          Any value between 1 and 2^16-1 inclusive.  Lower
                  values have higher precedence (i.e., 1 is the highest
                  precedence).  The merging order of two SAActions with
                  the same precedence is undefined.

5.  Condition and Filter Classes

   The IPsec condition and filter classes are used to build the "if"
   part of the IKE and IPsec rules.
                         *+-------------+
   +----------------------| SACondition |
   |                      +-------------+
   |                          *  |
   |                             |(a)
   |                          1  |
   |                      +---------------+
   |                      |  FilterList   |
   |                      |([CIMNETWORK]) |
   |                      +---------------+
   |                            1 o
   |(b)                           |(c)
   |                            * |
   |                    +-----------------+
   |                    | FilterEntryBase |
   |                    |  ([CIMNETWORK]) |
   |                    +-----------------+
   |                             ^
   |                             |
   |   +----------------+        |    +-----------------------+
   |   | IPHeaderFilter |--------+----| CredentialFilterEntry |
   |   |   ([PCIME])    |        |    +-----------------------+
   |   +----------------+        |
   |                             |
   |   +-----------------+       |    +--------------------------+
   |   | IPSOFilterEntry |-------+----| PeerIDPayloadFilterEntry |
   |   +-----------------+            +--------------------------+
   |
   |  *+-----------------------------+
   +---| CredentialManagementService |
       |         ([CIMUSER])         |
       +-----------------------------+

   (a) FilterOfSACondition
   (b) AcceptCredentialsFrom
   (c) EntriesInFilterList (see [CIMNETWORK])

5.1.  The Class SACondition

   The class SACondition defines the conditions of rules for IKE and
   IPsec negotiations.  Conditions are associated with policy rules via
   the SAConditionInRule aggregation.  It is used as an anchor point to
   associate various types of filters with policy rules via the
   FilterOfSACondition association.  It also defines whether Credentials
   can be accepted for a particular policy rule via the
   AcceptCredentialsFrom association.

   Associated objects represent components of the condition that may or
   may not apply at a given rule evaluation.  For example, an
   AcceptCredentialsFrom evaluation is only performed when a credential
   is available to be evaluated against the list of trusted credential
   management services.  Similarly, a PeerIDPayloadFilterEntry may only
   be evaluated when an IDPayload value is available to be compared
   with the filter.
   Condition components that do not have corresponding values with
   which to evaluate are evaluated as TRUE unless the protocol has
   completed without providing the required information.

   The class definition for SACondition is as follows:

   NAME           SACondition
   DESCRIPTION    Defines the preconditions for IKE and IPsec
                  negotiations.
   DERIVED FROM   PolicyCondition (see [PCIM])
   ABSTRACT       FALSE
   PROPERTIES     PolicyConditionName (from PolicyCondition)

5.2.  The Class IPHeaderFilter

   The class IPHeaderFilter is defined in [PCIMe] with the following
   note:

   1) to specify 5-tuple filters that are to apply symmetrically (i.e.,
      match traffic in both directions of the same flow between the
      two peers), the Direction property of the FilterList should be
      set to "Mirrored".

5.3.  The Class CredentialFilterEntry

   The class CredentialFilterEntry defines an equivalence class that
   matches credentials of IKE peers.  Each CredentialFilterEntry
   includes a MatchFieldName that is interpreted according to the
   CredentialManagementService(s) associated with the SACondition
   (AcceptCredentialsFrom).

   These credentials can be X.509 certificates, Kerberos tickets, or
   other types of credentials obtained during the Phase 1 exchange.

   The class definition for CredentialFilterEntry is as follows:

   NAME           CredentialFilterEntry
   DESCRIPTION    Specifies a match filter based on the IKE credentials.
   DERIVED FROM   FilterEntryBase (see [CIMNETWORK])
   ABSTRACT       FALSE
   PROPERTIES     Name (from FilterEntryBase)
                  IsNegated (from FilterEntryBase)
                  MatchFieldName
                  MatchFieldValue
                  CredentialType

5.3.1.  The Property MatchFieldName

   The property MatchFieldName specifies the sub-part of the credential
   to match against MatchFieldValue.  The property is defined as
   follows:

   NAME           MatchFieldName
   DESCRIPTION    Specifies which sub-part of the credential to match.
1276 SYNTAX string 1277 VALUE 1279 5.3.2. The Property MatchFieldValue 1281 The property MatchFieldValue specifies the value to compare with the 1282 MatchFieldName in a credential to determine if the credential 1283 matches this filter entry. The property is defined as follows: 1285 NAME MatchFieldValue 1286 DESCRIPTION Specifies the value to be matched by the 1287 MatchFieldName. 1288 SYNTAX string 1289 VALUE NB: If the CredentialFilterEntry corresponds to a 1290 DistinguishedName, this value in the CIM class is 1291 represented by an ordinary string value. However, an 1292 implementation must convert this string to a DER- 1293 encoded string before matching against the values 1294 extracted from credentials at runtime. 1296 5.3.3. The Property CredentialType 1298 The property CredentialType specifies the particular type of 1299 credential that is being matched. The property is defined as 1300 follows: 1302 NAME CredentialType 1303 DESCRIPTION Defines the type of IKE credentials. 1304 SYNTAX unsigned 16-bit integer 1305 VALUE 1 - X.509 Certificate 1306 2 - Kerberos Ticket 1308 5.4. The Class IPSOFilterEntry 1310 The class IPSOFilterEntry is used to match traffic based on the IP 1311 Security Options header values (ClassificationLevel and 1312 ProtectionAuthority) as defined in RFC1108. This type of filter 1313 entry is used to adjust the IPsec encryption level according to the 1314 IPSO classification of the traffic (e.g., secret, confidential, 1315 restricted, etc. The class definition for IPSOFilterEntry is as 1316 follows: 1318 NAME IPSOFilterEntry 1319 DESCRIPTION Specifies the a match filter based on IP Security 1320 Options. 1321 DERIVED FROM FilterEntryBase (see [CIMNETWORK]) 1322 ABSTRACT FALSE 1323 PROPERTIES Name (from FilterEntryBase) 1324 IsNegated (from FilterEntryBase) 1325 MatchConditionType 1326 MatchConditionValue 1328 5.4.1. 
The Property MatchConditionType

   The property MatchConditionType specifies the IPSO header field that
   will be matched (e.g., traffic classification level or protection
   authority).  The property is defined as follows:

   NAME            MatchConditionType
   DESCRIPTION     Specifies the IPSO header field to be matched.
   SYNTAX          unsigned 16-bit integer
   VALUE           1 - ClassificationLevel
                   2 - ProtectionAuthority

5.4.2. The Property MatchConditionValue

   The property MatchConditionValue specifies the value of the IPSO
   header field to be matched against.  The property is defined as
   follows:

   NAME            MatchConditionValue
   DESCRIPTION     Specifies the value of the IPSO header field to be
                   matched against.
   SYNTAX          unsigned 16-bit integer
   VALUE           For ClassificationLevel, the values are:
                      61 - TopSecret
                      90 - Secret
                     150 - Confidential
                     171 - Unclassified
                   For ProtectionAuthority, the values are:
                     0 - GENSER
                     1 - SIOP-ESI
                     2 - SCI
                     3 - NSA
                     4 - DOE

5.5. The Class PeerIDPayloadFilterEntry

   The class PeerIDPayloadFilterEntry defines filters used to match ID
   payload values from the IKE protocol exchange.
   PeerIDPayloadFilterEntry permits the specification of certain ID
   payload values such as "*@company.com" or "193.190.125.0/24".

   Obviously this filter applies only to IKERules when acting as a
   responder.  Moreover, this filter can be applied immediately in the
   case of aggressive mode but its application is to be delayed in the
   case of main mode.  The class definition for
   PeerIDPayloadFilterEntry is as follows:

   NAME            PeerIDPayloadFilterEntry
   DESCRIPTION     Specifies a match filter based on IKE identity.
   DERIVED FROM    FilterEntryBase (see [CIMNETWORK])
   ABSTRACT        FALSE
   PROPERTIES      Name (from FilterEntryBase)
                   IsNegated (from FilterEntryBase)
                   MatchIdentityType
                   MatchIdentityValue

5.5.1.
The Property MatchIdentityType

   The property MatchIdentityType specifies the type of identity
   provided by the peer in the ID payload.  The property is defined
   as follows:

   NAME            MatchIdentityType
   DESCRIPTION     Specifies the ID payload type.
   SYNTAX          unsigned 16-bit integer
   VALUE           1 - IPv4 Address
                   2 - FQDN
                   3 - User FQDN
                   4 - IPv4 Subnet
                   5 - IPv6 Address
                   6 - IPv6 Subnet
                   7 - IPv4 Address Range
                   8 - IPv6 Address Range
                   9 - DER-Encoded ASN.1 X.500 Distinguished Name
                   10 - DER-Encoded ASN.1 X.500 GeneralName
                   11 - Key ID

5.5.2. The Property MatchIdentityValue

   The property MatchIdentityValue specifies the filter value for
   comparison with the ID payload, e.g., "*@company.com".  The property
   is defined as follows:

   NAME            MatchIdentityValue
   DESCRIPTION     Specifies the ID payload value.
   SYNTAX          string
   VALUE           NB: The syntax may need to be converted for comparison.
                   If the PeerIDPayloadFilterEntry type is a
                   DistinguishedName, the name in the MatchIdentityValue
                   property is represented by an ordinary string value,
                   but this value must be converted into a DER-encoded
                   string before matching against the values extracted
                   from IKE ID payloads at runtime.  The same applies to
                   IPv4 & IPv6 addresses.

                   Wildcards can be used as well as the prefix notation
                   for IPv4 addresses:
                   - a MatchIdentityValue of "*@company.com" will match an
                     ID payload of "JDOE@COMPANY.COM"
                   - a MatchIdentityValue of "193.190.125.0/24" will match
                     an ID payload of 193.190.125.10.

5.6. The Association Class FilterOfSACondition

   The class FilterOfSACondition associates an SACondition with the
   filter specifications (FilterList) that make up the condition.
   The class definition for FilterOfSACondition is as follows:

   NAME            FilterOfSACondition
   DESCRIPTION     Associates a condition with the filter list that
                   makes up the individual condition elements.
   DERIVED FROM    Dependency (see [CIMCORE])
   ABSTRACT        FALSE
   PROPERTIES      Antecedent [ref FilterList[1..1]]
                   Dependent [ref SACondition[0..n]]

5.6.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a FilterList instance.  The [1..1]
   cardinality indicates that an SACondition instance MUST be
   associated with one and only one FilterList instance.

5.6.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an SACondition instance.  The [0..n]
   cardinality indicates that a FilterList instance may be associated
   with zero or more SACondition instances.

5.7. The Association Class AcceptCredentialFrom

   The class AcceptCredentialFrom specifies which credential management
   services (e.g., a CertificateAuthority or a Kerberos service) are to
   be trusted to certify peer credentials.  This is used to validate
   that the credential being matched in the CredentialFilterEntry is a
   valid credential that has been supplied by an approved
   CredentialManagementService.  If a CredentialManagementService is
   specified and a corresponding CredentialFilterEntry is used, but the
   credential supplied by the peer is not certified by that
   CredentialManagementService (or one of the
   CredentialManagementServices in its trust hierarchy), the
   CredentialFilterEntry is deemed not to match.  If a credential is
   certified by a CredentialManagementService in the
   AcceptCredentialsFrom list of services but there is no
   CredentialFilterEntry, this is considered equivalent to a
   CredentialFilterEntry that matches all credentials from those
   services.
   The class definition for AcceptCredentialFrom is as follows:

   NAME            AcceptCredentialFrom
   DESCRIPTION     Associates a condition with the credential management
                   services to be trusted.
   DERIVED FROM    Dependency (see [CIMCORE])
   ABSTRACT        FALSE
   PROPERTIES      Antecedent [ref CredentialManagementService[0..n]]
                   Dependent [ref SACondition[0..n]]

5.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an SACondition instance may be
   associated with zero or more CredentialManagementService instances.

5.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an SACondition instance.  The [0..n]
   cardinality indicates that a CredentialManagementService instance
   may be associated with zero or more SACondition instances.

6. Action Classes

   The action classes are used to model the different actions an IPsec
   device may take when the evaluation of the associated condition
   results in a match.
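   The matching rules of section 5.5 (case-insensitive wildcard match
   on FQDN and User FQDN identities, prefix notation for addresses, the
   IsNegated flag inherited from FilterEntryBase) and the rule at the
   top of the condition text (a component with no value to evaluate is
   TRUE unless the exchange completed without supplying one) are shown
   below as an added Python example.  It is not code from the draft or
   from any CIM implementation; the class name, the evaluate() method,
   the "exchange_complete" flag and the tuple shape of the ID payload
   are this example's own assumptions.  It generalises the IPv4 prefix
   case in the text to IPv6 prefixes as well.

```python
"""Responder-side evaluation of PeerIDPayloadFilterEntry matches (added example)."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# MatchIdentityType values as enumerated in section 5.5.1 of the draft.
IPV4_ADDRESS, FQDN, USER_FQDN, IPV4_SUBNET = 1, 2, 3, 4
IPV6_ADDRESS, IPV6_SUBNET = 5, 6

ADDRESS_TYPES = {IPV4_ADDRESS, IPV4_SUBNET, IPV6_ADDRESS, IPV6_SUBNET}
NAME_TYPES = {FQDN, USER_FQDN}

# An ID payload as seen by the responder: (identity type code, textual value).
# Assumed representation; a real implementation would start from the raw payload.
IDPayload = Tuple[int, str]


@dataclass(frozen=True)
class PeerIDPayloadFilterEntry:
    name: str                    # Name (from FilterEntryBase)
    match_identity_type: int     # MatchIdentityType
    match_identity_value: str    # MatchIdentityValue
    is_negated: bool = False     # IsNegated (from FilterEntryBase)

    def _compare(self, payload: IDPayload) -> bool:
        ptype, pvalue = payload
        if self.match_identity_type in NAME_TYPES:
            # Wildcards are allowed and the comparison ignores case, so
            # "*@company.com" matches "JDOE@COMPANY.COM".
            return (ptype in NAME_TYPES and
                    fnmatch.fnmatchcase(pvalue.lower(),
                                        self.match_identity_value.lower()))
        if self.match_identity_type in ADDRESS_TYPES:
            # Prefix notation: the payload address (or subnet) must lie inside
            # the filter's network.  A bare address parses as a /32 or /128.
            if ptype not in ADDRESS_TYPES:
                return False
            try:
                wanted = ipaddress.ip_network(self.match_identity_value, strict=False)
                got = ipaddress.ip_network(pvalue, strict=False)
            except ValueError:
                return False          # unparsable identity never matches
            return wanted.version == got.version and got.subnet_of(wanted)
        raise ValueError(f"MatchIdentityType {self.match_identity_type} "
                         "is not handled by this example")

    def evaluate(self, payload: Optional[IDPayload],
                 exchange_complete: bool = False) -> bool:
        """Result of this condition component for one peer.

        payload is None while the responder has not yet received an ID
        payload (main mode delays this); per the draft such a component
        evaluates as TRUE unless the protocol has completed without ever
        providing the value."""
        if payload is None:
            return not exchange_complete
        result = self._compare(payload)
        return (not result) if self.is_negated else result


def evaluate_entries(entries: Iterable[PeerIDPayloadFilterEntry],
                     payload: Optional[IDPayload],
                     exchange_complete: bool = False) -> bool:
    """All entries of one filter list must hold for the condition to match."""
    return all(e.evaluate(payload, exchange_complete) for e in entries)
```

   Used as a responder-side check, the list returned TRUE before the
   peer's identity is known only so that main-mode negotiations are not
   aborted prematurely; once the exchange has completed the same list
   re-evaluated with the identity (or with none, if the peer never sent
   one) gives the authoritative result.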
                                 +----------+
                                 | SAAction |
                                 +----------+
                                       ^
                                       |
                           +-----------+-----------+
                           |                       |
                           |            +---------------------+
                           |            | SaNegotiationAction |
                           |            +---------------------+
                           |                       ^
                           |                       |
                  *+----------------+   +----------------------+*
                   | SAStaticAction |   | IKENegotiationAction |o-----------+
                   +----------------+   +----------------------+            |
                           ^                       ^                        |
                           |                       |                        |
                           |                 +-----+---------+              |
                           |                 |               |              |
+-------------------+      |          +-------------+  +-----------+        |
| IPsecBypassAction |------+          | IPsecAction |  | IKEAction |        |
+-------------------+      |          +-------------+  +-----------+        |
                           |                 ^                              |
+--------------------+     |                 |    +----------------------+  |
| IPsecDiscardAction |-----+                 +----| IPsecTransportAction |  |
+--------------------+     |                 |    +----------------------+  |
                           |                 |                              |
+-----------------+        |                 |    +-------------------+     |
| IKERejectAction |--------+                 +----| IPsecTunnelAction |     |
+-----------------+        |                      +-------------------+     |
                           |                               *|               |
                           |                            +---+               |
                           |                            | +--------------+n |
+-----------------------+  |                            | | [SAProposal] |--+
| PreconfiguredSAAction |--+                         (a)| +--------------+ (b)
+-----------------------+                               |
         *|   ^                                         |
          |   |                                         |   *+-------------+
          |   |                                         +----| PeerGateway |
          |   |                                              +-------------+
          |   |  +-----------------------------+             |0..1       *w|
          |   +--| PreconfiguredTransportAction|             |             |(c)
          |   |  +-----------------------------+             |            1|
          |   |                                              | +--------------+
          |   |  +---------------------------+ *             | | System       |
          |   +--| PreconfiguredTunnelAction |---------------+ | ([CIMCORE])  |
          |      +---------------------------+ (e)             +--------------+
          |
          |  2..6+---------------+
          +------| [SATransform] |
             (d) +---------------+

   (a) PeerGatewayForTunnel
   (b) ContainedProposal
   (c) HostedPeerGatewayInformation
   (d) TransformOfPreconfiguredAction
   (e) PeerGatewayForPreconfiguredTunnel

6.1.
The Class SAAction

   The class SAAction is abstract and serves as the base class for IKE
   and IPsec actions.  It is used for aggregating different types of
   actions to IKE and IPsec rules.  The class definition for SAAction
   is as follows:

   NAME            SAAction
   DESCRIPTION     The base class for IKE and IPsec actions.
   DERIVED FROM    PolicyAction (see [PCIM])
   ABSTRACT        TRUE
   PROPERTIES      PolicyActionName (from PolicyAction)
                   DoActionLogging
                   DoPacketLogging

6.1.1. The Property DoActionLogging

   The property DoActionLogging specifies whether a log message is to
   be generated when the action is performed.  This applies for
   SANegotiationActions with the meaning of logging a message when the
   negotiation is attempted (with the success or failure result).  This
   also applies for SAStaticAction only for PreconfiguredSAAction with
   the meaning of logging a message when the preconfigured SA is
   actually installed in the SADB.  The property is defined as follows:

   NAME            DoActionLogging
   DESCRIPTION     Specifies whether to log when the action is
                   performed.
   SYNTAX          boolean
   VALUE           true - a log message is to be generated when action is
                   performed.
                   false - no log message is to be generated when action
                   is performed.

6.1.2. The Property DoPacketLogging

   The property DoPacketLogging specifies whether a log message is to
   be generated when the resulting security association is used to
   process the packet.  If the SANegotiationAction successfully
   executes and results in the creation of one or several security
   associations or if the PreconfiguredSAAction executes, the value of
   DoPacketLogging SHOULD be propagated to an optional field of SADB.

   This optional field should be used to decide whether a log message
   is to be generated when the SA is used to process a packet.
   For SAStaticActions, a log message is to be generated when the
   IPsecBypassAction, IPsecDiscardAction, IKERejectAction are executed.
   The property is defined as follows:

   NAME            DoPacketLogging
   DESCRIPTION     Specifies whether to log when the resulting
                   security association is used to process the packet.
   SYNTAX          boolean
   VALUE           true - a log message is to be generated when the
                   resulting security association is used to process the
                   packet.
                   false - no log message is to be generated.

6.2. The Class SAStaticAction

   The class SAStaticAction is abstract and serves as the base class
   for IKE and IPsec actions that do not require any negotiation.  The
   class definition for SAStaticAction is as follows:

   NAME            SAStaticAction
   DESCRIPTION     The base class for IKE and IPsec actions that do not
                   require any negotiation.
   DERIVED FROM    SAAction
   ABSTRACT        TRUE
   PROPERTIES      LifetimeSeconds

6.2.1. The Property LifetimeSeconds

   The property LifetimeSeconds specifies how long the security
   association derived from this action should be used.  The property
   is defined as follows:

   NAME            LifetimeSeconds
   DESCRIPTION     Specifies the amount of time (in seconds) that a
                   security association derived from this action should be
                   used.
   SYNTAX          unsigned 32-bit integer
   VALUE           A value of zero indicates that there is not a lifetime
                   associated with this action (i.e., infinite lifetime).
                   A non-zero value is typically used in conjunction with
                   alternate SAActions performed when there is a
                   negotiation failure of some sort.

   Note: if the referenced SAStaticAction object is a
   PreconfiguredSAAction associated to several SATransforms, then the
   actual lifetime of the preconfigured SA will be the smallest of the
   value of this LifetimeSeconds property and of the value of the
   MaxLifetimeSeconds property of the associated SATransform.
   Except if the value of this LifetimeSeconds property is zero, then
   there will be no lifetime associated with this SA.

   It is expected that most SAStaticAction instances will have their
   LifetimeSeconds properties set to zero (meaning no expiration of the
   resulting SA).

6.3. The Class IPsecBypassAction

   The class IPsecBypassAction is used when packets are allowed to be
   processed without applying IPsec encapsulation to them.  This is the
   same as stating that packets are allowed to flow in the clear.  The
   class definition for IPsecBypassAction is as follows:

   NAME            IPsecBypassAction
   DESCRIPTION     Specifies that packets are to be allowed to pass in the
                   clear.
   DERIVED FROM    SAStaticAction
   ABSTRACT        FALSE

6.4. The Class IPsecDiscardAction

   The class IPsecDiscardAction is used when packets are to be
   discarded.  This is the same as stating that packets are to be
   denied.  The class definition for IPsecDiscardAction is as follows:

   NAME            IPsecDiscardAction
   DESCRIPTION     Specifies that packets are to be discarded.
   DERIVED FROM    SAStaticAction
   ABSTRACT        FALSE

6.5. The Class IKERejectAction

   The class IKERejectAction is used to prevent attempting an IKE
   negotiation with the peer(s).  The main use of this class is to
   prevent some denial of service attacks when acting as IKE responder.
   It goes beyond a plain discard of UDP/500 IKE packets because the
   SACondition can be based on specific PeerIDPayloadFilterEntry (when
   aggressive mode is used).  The class definition for IKERejectAction
   is as follows:

   NAME            IKERejectAction
   DESCRIPTION     Specifies that an IKE negotiation should not even be
                   attempted or continued.
   DERIVED FROM    SAStaticAction
   ABSTRACT        FALSE

6.6. The Class PreconfiguredSAAction

   The class PreconfiguredSAAction is used to create a security
   association using preconfigured, hard-wired algorithms and keys.
   Notes:

   - the SPI for a PreconfiguredSAAction is contained in the
     association, TransformOfPreconfiguredAction;

   - the session key (if applicable) is contained in an instance of
     the class SharedSecret (see [CIMUSER]).  The session key is
     stored in the property secret, the property protocol contains
     either "ESP-encrypt", "ESP-auth" or "AH", the property
     algorithm contains the algorithm used to protect the secret
     (can be "PLAINTEXT" if the IPsec entity has no secret storage),
     the value of property RemoteID is the concatenation of the
     remote IPsec peer IP address in dotted decimal, of the
     character "/", of "IN" (resp. "OUT") for inbound SA (resp.
     outbound SA), of the character "/" and of the hexadecimal
     representation of the SPI.

   Although the class is concrete, it MUST not be instantiated.  The
   class definition for PreconfiguredSAAction is as follows:

   NAME            PreconfiguredSAAction
   DESCRIPTION     Specifies preconfigured algorithm and keying
                   information for creation of a security association.
   DERIVED FROM    SAStaticAction
   ABSTRACT        FALSE
   PROPERTIES      LifetimeKilobytes

6.6.1. The Property LifetimeKilobytes

   The property LifetimeKilobytes specifies a traffic limit in
   kilobytes that can be consumed before the SA is deleted.  The
   property is defined as follows:

   NAME            LifetimeKilobytes
   DESCRIPTION     Specifies the SA lifetime in kilobytes.
   SYNTAX          unsigned 32-bit integer
   VALUE           A value of zero indicates that there is not a lifetime
                   associated with this action (i.e., infinite lifetime).
                   A non-zero value is used to indicate that after this
                   amount of kilobytes has been consumed the SA must be
                   deleted from the SADB.

   Note: the actual lifetime of the preconfigured SA will be the
   smallest of the value of this LifetimeKilobytes property and of the
   value of the MaxLifetimeSeconds property of the associated
   SATransform.
   Except if the value of this LifetimeKilobytes property is zero, then
   there will be no lifetime associated with this action.

   It is expected that most PreconfiguredSAAction instances will have
   their LifetimeKilobytes properties set to zero (meaning no expiration
   of the resulting SA).

6.7. The Class PreconfiguredTransportAction

   The class PreconfiguredTransportAction is used to create an IPsec
   transport-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for
   PreconfiguredTransportAction is as follows:

   NAME            PreconfiguredTransportAction
   DESCRIPTION     Specifies preconfigured algorithm and keying
                   information for creation of an IPsec transport security
                   association.
   DERIVED FROM    PreconfiguredSAAction
   ABSTRACT        FALSE

6.8. The Class PreconfiguredTunnelAction

   The class PreconfiguredTunnelAction is used to create an IPsec
   tunnel-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for
   PreconfiguredTunnelAction is as follows:

   NAME            PreconfiguredTunnelAction
   DESCRIPTION     Specifies preconfigured algorithm and keying
                   information for creation of an IPsec tunnel-mode
                   security association.
   DERIVED FROM    PreconfiguredSAAction
   ABSTRACT        FALSE
   PROPERTIES      DFHandling

6.8.1. The Property DFHandling

   The property DFHandling specifies how the Don't Fragment bit of the
   internal IP header is to be handled during IPsec processing.  The
   property is defined as follows:

   NAME            DFHandling
   DESCRIPTION     Specifies the processing of the DF bit.
   SYNTAX          unsigned 16-bit integer
   VALUE           1 - Copy the DF bit from the internal IP header to the
                   external IP header.
                   2 - Set the DF bit of the external IP header to 1.
                   3 - Clear the DF bit of the external IP header to 0.

6.9.
The Class SANegotiationAction

   The class SANegotiationAction specifies an action requesting
   security policy negotiation.

   This is an abstract class.  Currently, only one security policy
   negotiation protocol action is subclassed from SANegotiationAction:
   the IKENegotiationAction class.  It is nevertheless expected that
   other security policy negotiation protocols will exist and the
   negotiation actions of those new protocols would be modeled as a
   subclass of SANegotiationAction.

   NAME            SANegotiationAction
   DESCRIPTION     Specifies a negotiation action.
   DERIVED FROM    SAAction
   ABSTRACT        TRUE

6.10. The Class IKENegotiationAction

   The class IKENegotiationAction is abstract and serves as the base
   class for IKE and IPsec actions that result in an IKE negotiation.
   Although the class is concrete, it MUST not be instantiated.  The
   class definition for IKENegotiationAction is as follows:

   NAME            IKENegotiationAction
   DESCRIPTION     A base class for IKE and IPsec actions that specifies
                   the parameters that are common for IKE phase 1 and IKE
                   phase 2 IPsec DOI negotiations.
   DERIVED FROM    SANegotiationAction
   ABSTRACT        TRUE
   PROPERTIES      MinLifetimeSeconds
                   MinLifetimeKilobytes
                   RefreshThresholdSeconds
                   RefreshThresholdKilobytes
                   IdleDurationSeconds

6.10.1. The Property MinLifetimeSeconds

   The property MinLifetimeSeconds specifies the minimum seconds
   lifetime that will be accepted from the peer.  MinLifetimeSeconds is
   used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  The
   property is defined as follows:

   NAME            MinLifetimeSeconds
   DESCRIPTION     Specifies the minimum acceptable seconds lifetime.
   SYNTAX          unsigned 32-bit integer
   VALUE           A value of zero indicates that there is no minimum
                   value.
                   A non-zero value specifies the minimum seconds
                   lifetime.

6.10.2. The Property MinLifetimeKilobytes

   The property MinLifetimeKilobytes specifies the minimum kilobytes
   lifetime that will be accepted from the peer.  MinLifetimeKilobytes
   is used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  Note that
   there has been considerable debate regarding the usefulness of
   applying kilobyte lifetimes to IKE phase 1 security associations, so
   it is likely that this property will only apply to the sub-class
   IPsecAction.  The property is defined as follows:

   NAME            MinLifetimeKilobytes
   DESCRIPTION     Specifies the minimum acceptable kilobytes lifetime.
   SYNTAX          unsigned 32-bit integer
   VALUE           A value of zero indicates that there is no minimum
                   value.  A non-zero value specifies the minimum
                   kilobytes lifetime.

6.10.3. The Property RefreshThresholdSeconds

   The property RefreshThresholdSeconds specifies what percentage of
   the seconds lifetime can expire before IKE should attempt to
   renegotiate the security association.  A random value may be added
   to the calculated threshold (percentage x seconds lifetime) to
   reduce the chance of both peers attempting to renegotiate at the
   same time.  The property is defined as follows:

   NAME            RefreshThresholdSeconds
   DESCRIPTION     Specifies the percentage of seconds lifetime that has
                   expired before the security association is
                   renegotiated.
   SYNTAX          unsigned 8-bit integer
   VALUE           A value between 1 and 100 representing a percentage.  A
                   value of 100 indicates that the security association
                   should not be renegotiated until the seconds lifetime
                   has been reached.

6.10.4.
The Property RefreshThresholdKilobytes

   The property RefreshThresholdKilobytes specifies what percentage of
   the kilobyte lifetime can expire before IKE should attempt to
   renegotiate the IPsec security association.  A random value may be
   added to the calculated threshold (percentage x kilobyte lifetime)
   to reduce the chance of both peers attempting to renegotiate at the
   same time.  Note that, as with the property MinLifetimeKilobytes,
   this property is probably only relevant to IPsecAction sub-classes.
   The property is defined as follows:

   NAME            RefreshThresholdKilobytes
   DESCRIPTION     Specifies the percentage of kilobyte lifetime that has
                   expired before the IPsec security association is
                   renegotiated.
   SYNTAX          unsigned 8-bit integer
   VALUE           A value between 1 and 100 representing a percentage.  A
                   value of 100 indicates that the IPsec security
                   association should not be renegotiated until the
                   kilobyte lifetime has been reached.

6.10.5. The Property IdleDurationSeconds

   The property IdleDurationSeconds specifies how many seconds a
   security association may remain idle (i.e., no traffic protected
   using the security association) before it is deleted.  The property
   is defined as follows:

   NAME            IdleDurationSeconds
   DESCRIPTION     Specifies how long, in seconds, a security association
                   may remain unused before it is deleted.
   SYNTAX          unsigned 32-bit integer
   VALUE           A value of zero indicates that idle detection should
                   not be used for the security association (only the
                   seconds and kilobyte lifetimes will be used).  Any non-
                   zero value indicates the number of seconds the security
                   association may remain unused.

6.11. The Class IPsecAction

   The class IPsecAction serves as the base class for IPsec transport
   and tunnel actions.  It specifies the parameters used for an IKE
   phase 2 IPsec DOI negotiation.
   Although the class is concrete, it MUST not be instantiated.  The
   class definition for IPsecAction is as follows:

   NAME            IPsecAction
   DESCRIPTION     A base class for IPsec transport and tunnel actions
                   that specifies the parameters for IKE phase 2 IPsec DOI
                   negotiations.
   DERIVED FROM    IKENegotiationAction
   ABSTRACT        FALSE
   PROPERTIES      UsePFS
                   UseIKEGroup
                   GroupId
                   Granularity
                   VendorID

6.11.1. The Property UsePFS

   The property UsePFS specifies whether or not perfect forward secrecy
   should be used when refreshing keys.  The property is defined as
   follows:

   NAME            UsePFS
   DESCRIPTION     Specifies whether or not to use PFS when refreshing
                   keys.
   SYNTAX          boolean
   VALUE           A value of true indicates that PFS should be used.  A
                   value of false indicates that PFS should not be used.

6.11.2. The Property UseIKEGroup

   The property UseIKEGroup specifies whether or not phase 2 should use
   the same key exchange group as was used in phase 1.  UseIKEGroup is
   ignored if UsePFS is false.  The property is defined as follows:

   NAME            UseIKEGroup
   DESCRIPTION     Specifies whether or not to use the same GroupId for
                   phase 2 as was used in phase 1.  If UsePFS is false,
                   then UseIKEGroup is ignored.
   SYNTAX          boolean
   VALUE           A value of true indicates that the phase 2 GroupId
                   should be the same as phase 1.  A value of false
                   indicates that the property GroupId will contain the
                   key exchange group to use for phase 2.

6.11.3. The Property GroupId

   The property GroupId specifies the key exchange group to use for
   phase 2.  GroupId is ignored if (1) the property UsePFS is false, or
   (2) the property UsePFS is true and the property UseIKEGroup is
   true.  If the GroupId number is from the vendor-specific range
   (32768-65535), the property VendorID qualifies the group number.
   The property is defined as follows:

   NAME            GroupId
   DESCRIPTION     Specifies the key exchange group to use for phase 2
                   when the property UsePFS is true and the property
                   UseIKEGroup is false.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [IKE] for valid values.

6.11.4. The Property Granularity

   The property Granularity specifies how the selector for the security
   association should be derived from the traffic that triggered the
   negotiation.  The property is defined as follows:

   NAME            Granularity
   DESCRIPTION     Specifies how the proposed selector for the
                   security association will be created.
   SYNTAX          unsigned 16-bit integer
   VALUE           1 - subnet: the source and destination subnet masks of
                   the filter entry are used.
                   2 - address: only the source and destination IP
                   addresses of the triggering packet are used.
                   3 - protocol: the source and destination IP addresses
                   and the IP protocol of the triggering packet are used.
                   4 - port: the source and destination IP addresses and
                   the IP protocol and the source and destination layer 4
                   ports of the triggering packet are used.

6.11.5. The Property VendorID

   The property VendorID is used together with the property GroupId
   (when it is in the vendor-specific range) to identify the key
   exchange group.  VendorID is ignored unless UsePFS is true and
   UseIKEGroup is false and GroupId is in the vendor-specific range
   (32768-65535).  The property is defined as follows:

   NAME            VendorID
   DESCRIPTION     Specifies the IKE Vendor ID.
   SYNTAX          string

6.12. The Class IPsecTransportAction

   The class IPsecTransportAction is a subclass of IPsecAction that is
   used to specify use of an IPsec transport-mode security association.
   The class definition for IPsecTransportAction is as follows:

   NAME            IPsecTransportAction
   DESCRIPTION     Specifies that an IPsec transport-mode security
                   association should be negotiated.
   DERIVED FROM    IPsecAction
   ABSTRACT        FALSE

6.13. The Class IPsecTunnelAction

   The class IPsecTunnelAction is a subclass of IPsecAction that is
   used to specify use of an IPsec tunnel-mode security association.
   The class definition for IPsecTunnelAction is as follows:

   NAME            IPsecTunnelAction
   DESCRIPTION     Specifies that an IPsec tunnel-mode security
                   association should be negotiated.
   DERIVED FROM    IPsecAction
   ABSTRACT        FALSE
   PROPERTIES      DFHandling

6.13.1. The Property DFHandling

   The property DFHandling specifies how the tunnel should manage the
   Don't Fragment (DF) bit.  The property is defined as follows:

   NAME            DFHandling
   DESCRIPTION     Specifies how to process the DF bit.
   SYNTAX          unsigned 16-bit integer
   VALUE           1 - Copy the DF bit from the internal IP header to the
                   external IP header.
                   2 - Set the DF bit of the external IP header to 1.
                   3 - Clear the DF bit of the external IP header to 0.

6.14. The Class IKEAction

   The class IKEAction specifies the parameters that are to be used for
   IKE phase 1 negotiation.  The class definition for IKEAction is as
   follows:

   NAME            IKEAction
   DESCRIPTION     Specifies the IKE phase 1 negotiation parameters.
   DERIVED FROM    IKENegotiationAction
   ABSTRACT        FALSE
   PROPERTIES      RefreshThresholdDerivedKeys
                   ExchangeMode
                   UseIKEIdentityType
                   VendorID
                   AggressiveModeGroupId

6.14.1. The Property RefreshThresholdDerivedKeys

   The property RefreshThresholdDerivedKeys specifies what percentage
   of the derived key limit (see the LifetimeDerivedKeys property of
   IKEProposal) can expire before IKE should attempt to renegotiate the
   IKE phase 1 security association.
   A random value may be added to the calculated threshold (percentage
   x derived key limit) to reduce the chance of both peers attempting
   to renegotiate at the same time.  The property is defined as
   follows:

   NAME            RefreshThresholdDerivedKeys
   DESCRIPTION     Specifies the percentage of derived key limit that has
                   expired before the IKE phase 1 security association is
                   renegotiated.
   SYNTAX          unsigned 8-bit integer
   VALUE           A value between 1 and 100 representing a percentage.  A
                   value of 100 indicates that the IKE phase 1 security
                   association should not be renegotiated until the
                   derived key limit has been reached.

6.14.2. The Property ExchangeMode

   The property ExchangeMode specifies which IKE mode should be used
   for IKE phase 1 negotiations.  The property is defined as follows:

   NAME            ExchangeMode
   DESCRIPTION     Specifies the IKE negotiation mode for phase 1.
   SYNTAX          unsigned 16-bit integer
   VALUE           1 - base mode
                   2 - main mode
                   4 - aggressive mode

6.14.3. The Property UseIKEIdentityType

   The property UseIKEIdentityType specifies what IKE identity type
   should be used when negotiating with the peer.  This information is
   used in conjunction with the IKE identities available on the system
   and the IdentityContexts of the matching IKERule.  The property is
   defined as follows:

   NAME            UseIKEIdentityType
   DESCRIPTION     Specifies the IKE identity to use during negotiation.
   SYNTAX          unsigned 16-bit integer
   VALUE           1 - IPv4 Address
                   2 - FQDN
                   3 - User FQDN
                   4 - IPv4 Subnet
                   5 - IPv6 Address
                   6 - IPv6 Subnet
                   7 - IPv4 Address Range
                   8 - IPv6 Address Range
                   9 - DER-Encoded ASN.1 X.500 Distinguished Name
                   10 - DER-Encoded ASN.1 X.500 GeneralName
                   11 - Key ID

6.14.4. The Property VendorID

   The property VendorID specifies the value to be used in the Vendor
   ID payload.
   The property is defined as follows:

      NAME          VendorID
      DESCRIPTION   Vendor ID Payload.
      SYNTAX        string
      VALUE         A value of NULL means that a Vendor ID payload will
                    be neither generated nor accepted.  A non-NULL
                    value means that a Vendor ID payload will be
                    generated (when acting as an initiator) or is
                    expected (when acting as a responder).

6.14.5. The Property AggressiveModeGroupId

   The property AggressiveModeGroupId specifies which group ID is to be
   used in the first packets of the phase 1 negotiation.  This property
   is ignored unless the property ExchangeMode is set to 4 (aggressive
   mode).  If the AggressiveModeGroupId number is from the vendor-
   specific range (32768-65535), the property VendorID qualifies the
   group number.  The property is defined as follows:

      NAME          AggressiveModeGroupId
      DESCRIPTION   Specifies the group ID to be used for aggressive
                    mode.
      SYNTAX        unsigned 16-bit integer

6.15. The Class PeerGateway

   The class PeerGateway specifies the security gateway with which the
   IKE service negotiates.  The class definition for PeerGateway is as
   follows:

      NAME          PeerGateway
      DESCRIPTION   Specifies the security gateway with which to
                    negotiate.
      DERIVED FROM  LogicalElement (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Name
                    PeerIdentityType
                    PeerIdentity

6.15.1. The Property Name

   The property Name specifies a user-friendly name for this security
   gateway.  The property is defined as follows:

      NAME          Name
      DESCRIPTION   Specifies a user-friendly name for this security
                    gateway.
      SYNTAX        string

6.15.2. The Property PeerIdentityType

   The property PeerIdentityType specifies the IKE identity type of the
   security gateway.  The property is defined as follows:

      NAME          PeerIdentityType
      DESCRIPTION   Specifies the IKE identity type of the security
                    gateway.
      SYNTAX        unsigned 16-bit integer
      VALUE         1 - IPv4 Address
                    2 - FQDN
                    3 - User FQDN
                    4 - IPv4 Subnet
                    5 - IPv6 Address
                    6 - IPv6 Subnet
                    7 - IPv4 Address Range
                    8 - IPv6 Address Range
                    9 - DER-Encoded ASN.1 X.500 Distinguished Name
                    10 - DER-Encoded ASN.1 X.500 GeneralName
                    11 - Key ID

6.15.3. The Property PeerIdentity

   The property PeerIdentity specifies the IKE identity value of the
   security gateway.  A conversion may be needed between the
   PeerIdentity string representation and the real value used in the ID
   payload (e.g. an IP address is to be converted from a dotted decimal
   string into 4 bytes).  The property is defined as follows:

      NAME          PeerIdentity
      DESCRIPTION   Specifies the IKE identity value of the security
                    gateway.
      SYNTAX        string

6.16. The Association Class PeerGatewayForTunnel

   The class PeerGatewayForTunnel associates IPsecTunnelActions with an
   ordered list of PeerGateways.  The class definition for
   PeerGatewayForTunnel is as follows:

      NAME          PeerGatewayForTunnel
      DESCRIPTION   Associates IPsecTunnelActions with an ordered list
                    of PeerGateways.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref PeerGateway[0..n]]
                    Dependent [ref IPsecTunnelAction[0..n]]
                    SequenceNumber

6.16.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that an IPsecTunnelAction instance may be
   associated with zero or more PeerGateway instances.
   Note: the cardinality 0 has a specific meaning:

      - when the IKE service acts as a responder, this means that
        the IKE service will accept phase 1 negotiation with any
        other security gateway;
      - when the IKE service acts as an initiator, this means that
        the IKE service will use the destination IP address (of
        the IP packets which triggered the SARule) as the IP
        address of the peer IKE entity.

6.16.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecTunnelAction instance.  The [0..n]
   cardinality indicates that a PeerGateway instance may be associated
   with zero or more IPsecTunnelAction instances.

6.16.3. The Property SequenceNumber

   The property SequenceNumber specifies the ordering to be used when
   evaluating PeerGateway instances for a given IPsecTunnelAction.
   The property is defined as follows:

      NAME          SequenceNumber
      DESCRIPTION   Specifies the order of evaluation for PeerGateways.
      SYNTAX        unsigned 16-bit integer
      VALUE         Lower values are evaluated first.

6.17. The Aggregation Class ContainedProposal

   The class ContainedProposal associates an ordered list of
   SAProposals with the IKENegotiationAction that aggregates it.  If
   the referenced IKENegotiationAction object is an IKEAction, then the
   referenced SAProposal object(s) must be IKEProposal(s).  If the
   referenced IKENegotiationAction object is an IPsecTransportAction or
   an IPsecTunnelAction, then the referenced SAProposal object(s) must
   be IPsecProposal(s).  The class definition for ContainedProposal is
   as follows:

      NAME          ContainedProposal
      DESCRIPTION   Associates an ordered list of SAProposals with an
                    IKENegotiationAction.
      DERIVED FROM  PolicyComponent (see [PCIM])
      ABSTRACT      FALSE
      PROPERTIES    GroupComponent[ref IKENegotiationAction[0..n]]
                    PartComponent[ref SAProposal[1..n]]
                    SequenceNumber

6.17.1. The Reference GroupComponent

   The property GroupComponent is inherited from PolicyComponent and is
   overridden to refer to an IKENegotiationAction instance.  The [0..n]
   cardinality indicates that an SAProposal instance may be associated
   with zero or more IKENegotiationAction instances.

6.17.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SAProposal instance.  The [1..n]
   cardinality indicates that an IKENegotiationAction instance MUST be
   associated with at least one SAProposal instance.

6.17.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for
   the SAProposals.  The property is defined as follows:

      NAME          SequenceNumber
      DESCRIPTION   Specifies the preference order for the SAProposals.
      SYNTAX        unsigned 16-bit integer
      VALUE         Lower-valued proposals are preferred over proposals
                    with higher values.  For ContainedProposals that
                    reference the same IKENegotiationAction,
                    SequenceNumber values must be unique.

6.18. The Association Class HostedPeerGatewayInformation

   The class HostedPeerGatewayInformation weakly associates a
   PeerGateway with a System.  The class definition for
   HostedPeerGatewayInformation is as follows:

      NAME          HostedPeerGatewayInformation
      DESCRIPTION   Weakly associates a PeerGateway with a System.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref System[1..1]]
                    Dependent [ref PeerGateway[0..n] [weak]]

6.18.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.
   The [1..1] cardinality indicates that a PeerGateway instance MUST be
   associated with one and only one System instance.

6.18.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more PeerGateway instances.

6.19. The Association Class TransformOfPreconfiguredAction

   The class TransformOfPreconfiguredAction associates a
   PreconfiguredSAAction with from two to six SATransforms that will be
   applied to the inbound and outbound traffic.  The order of
   application of the SATransforms is implicitly defined in [IPSEC].
   The class definition for TransformOfPreconfiguredAction is as
   follows:

      NAME          TransformOfPreconfiguredAction
      DESCRIPTION   Associates a PreconfiguredSAAction with from one to
                    three SATransforms.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent[ref SATransform[2..6]]
                    Dependent[ref PreconfiguredSAAction[0..n]]
                    SPI
                    Direction

6.19.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an SATransform instance.  The [2..6]
   cardinality indicates that a PreconfiguredSAAction instance may be
   associated with from two to six SATransform instances.

6.19.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PreconfiguredSAAction instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more PreconfiguredSAAction instances.

6.19.3. The Property SPI

   The property SPI specifies the SPI to be used by the pre-configured
   action for the associated transform.
   The property is defined as follows:

      NAME          SPI
      DESCRIPTION   Specifies the SPI to be used with the SATransform.
      SYNTAX        unsigned 32-bit integer

6.19.4. The Property Direction

   The property Direction specifies whether the SPI property is for
   inbound or for outbound traffic.  The property is defined as
   follows:

      NAME          Direction
      DESCRIPTION   Specifies whether the SA is for inbound or outbound
                    traffic.
      SYNTAX        unsigned 8-bit integer
      VALUE         1 - this SA is for inbound traffic
                    2 - this SA is for outbound traffic

6.20. The Association Class PeerGatewayForPreconfiguredTunnel

   The class PeerGatewayForPreconfiguredTunnel associates zero or one
   PeerGateway with multiple PreconfiguredTunnelActions.  The class
   definition for PeerGatewayForPreconfiguredTunnel is as follows:

      NAME          PeerGatewayForPreconfiguredTunnel
      DESCRIPTION   Associates a PeerGateway with multiple
                    PreconfiguredTunnelActions.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent[ref PeerGateway[0..1]]
                    Dependent[ref PreconfiguredTunnelAction[0..n]]

6.20.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..1]
   cardinality indicates that a PreconfiguredTunnelAction instance may
   be associated with at most one PeerGateway instance.

6.20.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PreconfiguredTunnelAction instance.  The
   [0..n] cardinality indicates that a PeerGateway instance may be
   associated with zero or more PreconfiguredSAAction instances.

7. Proposal and Transform Classes

   The proposal and transform classes model the proposal settings an
   IPsec device will use during IKE phase 1 and 2 negotiations.
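   Before the proposal classes themselves are defined, the following
   shows how the ContainedProposal rules of Section 6.17 (an IKEAction
   aggregates only IKEProposals, the IPsec actions only IPsecProposals,
   PartComponent is [1..n], and SequenceNumber values are unique per
   action and order the proposals) can be checked against a set of
   policy objects.  This is an added example and not code from this
   draft or from any implementation of it; the small dataclasses are a
   constructed stand-in for a CIM repository, the function names are
   this example's own, and the sample proposal names are made up.

```python
"""ContainedProposal checks for the IKENegotiationAction / SAProposal
aggregation of Section 6.17.  Added example, not code from the draft or
from any implementation of it; the dataclasses are a constructed stand-in
for a CIM repository and follow the draft's class names."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SAProposal:
    """Abstract base of IKEProposal and IPsecProposal (Section 7.1)."""
    name: str


class IKEProposal(SAProposal):
    """Phase 1 proposal (Section 7.2)."""


class IPsecProposal(SAProposal):
    """Phase 2 proposal (Section 7.3)."""


@dataclass(frozen=True)
class ContainedProposal:
    """One aggregation link: the PartComponent proposal and the link's
    SequenceNumber (an unsigned 16-bit integer in the draft)."""
    proposal: SAProposal
    sequence_number: int


@dataclass
class IKENegotiationAction:
    """The GroupComponent end.  `kind` names one of the concrete subclasses
    the draft defines: IKEAction, IPsecTransportAction, IPsecTunnelAction."""
    kind: str
    contained: list = field(default_factory=list)


# Section 6.17: an IKEAction aggregates only IKEProposals; the two IPsec
# actions aggregate only IPsecProposals.
ALLOWED_PROPOSAL = {
    "IKEAction": IKEProposal,
    "IPsecTransportAction": IPsecProposal,
    "IPsecTunnelAction": IPsecProposal,
}


def validate_contained_proposals(action):
    """Return the list of constraint violations; an empty list means the
    action's ContainedProposal links are consistent with Section 6.17."""
    if action.kind not in ALLOWED_PROPOSAL:
        return [f"unknown IKENegotiationAction subclass {action.kind!r}"]
    expected = ALLOWED_PROPOSAL[action.kind]
    problems = []
    # 6.17.2: PartComponent is [1..n], so at least one proposal is required.
    if not action.contained:
        problems.append("PartComponent [1..n] violated: no SAProposal aggregated")
    seen = set()
    for link in action.contained:
        if not isinstance(link.proposal, expected):
            problems.append(
                f"{action.kind} may only aggregate {expected.__name__}, "
                f"found {type(link.proposal).__name__} {link.proposal.name!r}")
        if not 0 <= link.sequence_number <= 0xFFFF:
            problems.append(
                f"SequenceNumber {link.sequence_number} is not an unsigned 16-bit integer")
        # 6.17.3: SequenceNumber values are unique per IKENegotiationAction.
        if link.sequence_number in seen:
            problems.append(f"SequenceNumber {link.sequence_number} used twice")
        seen.add(link.sequence_number)
    return problems


def ordered_proposals(action):
    """Proposal names in the order they would be offered: lower
    SequenceNumber first (Section 6.17.3).  Raises ValueError when the
    action fails validation, so a broken policy is never acted upon."""
    problems = validate_contained_proposals(action)
    if problems:
        raise ValueError("; ".join(problems))
    links = sorted(action.contained, key=lambda l: l.sequence_number)
    return [link.proposal.name for link in links]


if __name__ == "__main__":
    # Constructed sample: a phase 1 action offering two IKEProposals.
    ike = IKENegotiationAction("IKEAction", [
        ContainedProposal(IKEProposal("ike-proposal-b"), 20),
        ContainedProposal(IKEProposal("ike-proposal-a"), 10),
    ])
    print(ordered_proposals(ike))            # ['ike-proposal-a', 'ike-proposal-b']
    # Constructed sample: a tunnel action wrongly given an IKEProposal.
    tunnel = IKENegotiationAction("IPsecTunnelAction", [
        ContainedProposal(IKEProposal("ike-proposal-a"), 1),
    ])
    print(validate_contained_proposals(tunnel))
```

   Validation is kept separate from ordering so that a policy store can
   report every violation at load time, while the negotiation path
   refuses to run on an action that has any.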
      +--------------+*w                           1+--------------+
      | [SAProposal] |-----------------------------| System       |
      +--------------+           (a)               | ([CIMCORE])  |
             ^                                     +--------------+
             |                                            |1
          +--+--------------+                             |
          |                 |                             |
   +-------------+  +---------------+                     |
   | IKEProposal |  | IPsecProposal |                     |
   +-------------+  +---------------+                     |
                            *o                            |
                            |(b)                          |(c)
                           n|                             |
                    +---------------+*w                   |
                    | [SATransform] |---------------------+
                    +---------------+
                            ^
                            |
          +-----------------+-----------------+
          |                 |                 |
   +-------------+  +--------------+  +----------------+
   | AHTransform |  | ESPTransform |  |IPCOMPTransform |
   +-------------+  +--------------+  +----------------+

      (a) SAProposalInSystem
      (b) ContainedTransform
      (c) SATransformInSystem

7.1. The Abstract Class SAProposal

   The abstract class SAProposal serves as the base class for the IKE
   and IPsec proposal classes.  It specifies the parameters that are
   common to the two proposal types.  The class definition for
   SAProposal is as follows:

      NAME          SAProposal
      DESCRIPTION   Specifies the common proposal parameters for IKE
                    and IPsec security association negotiation.
      DERIVED FROM  Policy ([PCIM])
      ABSTRACT      TRUE
      PROPERTIES    Name

7.1.1. The Property Name

   The property Name specifies a user-friendly name for the SAProposal.
   The property is defined as follows:

      NAME          Name
      DESCRIPTION   Specifies a user-friendly name for this proposal.
      SYNTAX        string

7.2. The Class IKEProposal

   The class IKEProposal specifies the proposal parameters necessary to
   drive an IKE security association negotiation.  The class definition
   for IKEProposal is as follows:

      NAME          IKEProposal
      DESCRIPTION   Specifies the proposal parameters for IKE security
                    association negotiation.
      DERIVED FROM  SAProposal
      ABSTRACT      FALSE
      PROPERTIES    LifetimeDerivedKeys
                    CipherAlgorithm
                    HashAlgorithm
                    PRFAlgorithm
                    GroupId
                    AuthenticationMethod
                    MaxLifetimeSeconds
                    MaxLifetimeKilobytes
                    VendorID

7.2.1. The Property LifetimeDerivedKeys

   The property LifetimeDerivedKeys specifies the number of times that
   a phase 1 key will be used to derive a phase 2 key before the phase
   1 security association needs to be renegotiated.  Even though this
   is not a parameter that is sent in an IKE proposal, it is included
   in the proposal because the number of keys that may be derived can
   depend on the strength of the algorithms in the IKE proposal.  The
   property is defined as follows:

      NAME          LifetimeDerivedKeys
      DESCRIPTION   Specifies the number of phase 2 keys that can be
                    derived from the phase 1 key.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that there is no limit to
                    the number of phase 2 keys that may be derived from
                    the phase 1 key; instead the seconds and/or
                    kilobytes lifetime will dictate the phase 1
                    rekeying.  A non-zero value specifies the number of
                    phase 2 keys that can be derived from the phase 1
                    key.

7.2.2. The Property CipherAlgorithm

   The property CipherAlgorithm specifies the proposed phase 1 security
   association encryption algorithm.  The property is defined as
   follows:

      NAME          CipherAlgorithm
      DESCRIPTION   Specifies the proposed encryption algorithm for the
                    phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [IKE] for valid values.

7.2.3. The Property HashAlgorithm

   The property HashAlgorithm specifies the proposed phase 1 security
   association hash algorithm.  The property is defined as follows:

      NAME          HashAlgorithm
      DESCRIPTION   Specifies the proposed hash algorithm for the phase
                    1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [IKE] for valid values.

7.2.4. The Property PRFAlgorithm

   The property PRFAlgorithm specifies the proposed phase 1 security
   association pseudo-random function.  The property is defined as
   follows:

      NAME          PRFAlgorithm
      DESCRIPTION   Specifies the proposed pseudo-random function for
                    the phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         Currently none defined.

7.2.5. The Property GroupId

   The property GroupId specifies the proposed phase 1 security
   association key exchange group.  This property is ignored for all
   aggressive mode exchanges.  If the GroupId number is from the
   vendor-specific range (32768-65535), the property VendorID qualifies
   the group number.  The property is defined as follows:

      NAME          GroupId
      DESCRIPTION   Specifies the proposed key exchange group for the
                    phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         0 - Not applicable: used for aggressive mode.
                    Consult [IKE] for other valid values.

7.2.6. The Property AuthenticationMethod

   The property AuthenticationMethod specifies the proposed phase 1
   authentication method.  The property is defined as follows:

      NAME          AuthenticationMethod
      DESCRIPTION   Specifies the proposed authentication method for
                    the phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         0 - a special value that indicates that this
                    particular proposal should be repeated once for
                    each authentication method that corresponds to the
                    credentials installed on the machine.  For example,
                    if the system has a pre-shared key and a
                    certificate, a proposal list could be constructed
                    which includes a proposal that specifies pre-shared
                    key and proposals for any of the public-key
                    authentication methods.  Consult [IKE] for valid
                    values.

7.2.7. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum amount of
   time, in seconds, to propose that a security association will remain
   valid after its creation.  The property is defined as follows:

      NAME          MaxLifetimeSeconds
      DESCRIPTION   Specifies the maximum amount of time to propose a
                    security association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that the default of 8
                    hours be used.  A non-zero value indicates the
                    maximum seconds lifetime.

7.2.8. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

      NAME          MaxLifetimeKilobytes
      DESCRIPTION   Specifies the maximum kilobyte lifetime to propose
                    a security association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that there should be no
                    maximum kilobyte lifetime.  A non-zero value
                    specifies the desired kilobyte lifetime.

7.2.9. The Property VendorID

   The property VendorID further qualifies the key exchange group.  The
   property is used only when the exchange is not in aggressive mode
   and the property GroupId is in the vendor-specific range; otherwise
   it is ignored.  The property is defined as follows:

      NAME          VendorID
      DESCRIPTION   Specifies the Vendor ID to further qualify the key
                    exchange group.
      SYNTAX        string

7.3. The Class IPsecProposal

   The class IPsecProposal adds no new properties, but inherits
   proposal properties from SAProposal as well as aggregating the
   security association transforms necessary for building an IPsec
   proposal (see the aggregation class ContainedTransform).
   The class definition for IPsecProposal is as follows:

      NAME          IPsecProposal
      DESCRIPTION   Specifies the proposal parameters for IPsec
                    security association negotiation.
      DERIVED FROM  SAProposal
      ABSTRACT      FALSE

7.4. The Abstract Class SATransform

   The abstract class SATransform serves as the base class for the
   IPsec transforms that can be used to compose an IPsec proposal or to
   be used as a pre-configured action.  The class definition for
   SATransform is as follows:

      NAME          SATransform
      DESCRIPTION   Base class for the different IPsec transforms.
      ABSTRACT      TRUE
      PROPERTIES    TransformName
                    VendorID
                    MaxLifetimeSeconds
                    MaxLifetimeKilobytes

7.4.1. The Property TransformName

   The property TransformName specifies a user-friendly name for the
   SATransform.  The property is defined as follows:

      NAME          TransformName
      DESCRIPTION   Specifies a user-friendly name for this transform.
      SYNTAX        string

7.4.2. The Property VendorID

   The property VendorID specifies the vendor ID for vendor-defined
   transforms.  The property is defined as follows:

      NAME          VendorID
      DESCRIPTION   Specifies the vendor ID for vendor-defined
                    transforms.
      SYNTAX        string
      VALUE         An empty VendorID string indicates that the
                    transform is a standard one.

7.4.3. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum amount of
   time, in seconds, to propose that a security association will remain
   valid after its creation.  The property is defined as follows:

      NAME          MaxLifetimeSeconds
      DESCRIPTION   Specifies the maximum amount of time to propose a
                    security association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that the default of 8
                    hours be used.  A non-zero value indicates the
                    maximum seconds lifetime.

7.4.4. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

      NAME          MaxLifetimeKilobytes
      DESCRIPTION   Specifies the maximum kilobyte lifetime to propose
                    a security association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that there should be no
                    maximum kilobyte lifetime.  A non-zero value
                    specifies the desired kilobyte lifetime.

7.5. The Class AHTransform

   The class AHTransform specifies the AH algorithm to propose during
   IPsec security association negotiation.  The class definition for
   AHTransform is as follows:

      NAME          AHTransform
      DESCRIPTION   Specifies the AH algorithm to propose.
      ABSTRACT      FALSE
      PROPERTIES    AHTransformId
                    UseReplayPrevention
                    ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

   The property AHTransformId specifies the transform ID of the AH
   algorithm to propose.  The property is defined as follows:

      NAME          AHTransformId
      DESCRIPTION   Specifies the transform ID of the AH algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

      NAME          UseReplayPrevention
      DESCRIPTION   Specifies whether to enable replay prevention
                    detection.
      SYNTAX        boolean
      VALUE         true - replay prevention detection is enabled.
                    false - replay prevention detection is disabled.

7.5.3. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism.
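   The sliding window that this property sizes (ESPTransform carries
   the same property in Section 7.6.6) is the standard IPsec anti-
   replay mechanism: a bitmap of the last ReplayPreventionWindowSize
   sequence numbers, anchored at the highest sequence number
   authenticated so far.  The code below is an added example and not
   part of this draft or of any implementation of it.  It assumes a
   window size that is a power of 2, as the draft expects (the logic
   works for any size of at least one bit), and keeps the check
   separate from the update because a receiver must only advance the
   window after the packet's integrity check has succeeded; otherwise
   unauthenticated packets could push legitimate traffic out of the
   window.

```python
"""Anti-replay sliding window sized by ReplayPreventionWindowSize.
Added example, not code from the draft or from any implementation of it."""


class ReplayWindow:
    """Bit i of `bitmap` is set when sequence number (last_seq - i) has
    been authenticated.  `size` is the window length in bits; the draft
    assumes a power of 2, which is what an implementation would choose."""

    def __init__(self, size=64):
        if size < 1:
            raise ValueError("window size must be at least 1 bit")
        self.size = size
        self.last_seq = 0       # highest authenticated sequence number
        self.bitmap = 0         # only the low `size` bits are meaningful

    def check(self, seq):
        """Pre-authentication verdict for `seq`: True if it is new and
        inside (or to the right of) the window, False if it is zero,
        too old, or already seen.  Does not modify the window."""
        if seq == 0:
            return False                         # 0 is never a valid IPsec seq
        if seq > self.last_seq:
            return True                          # right of the window: new
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                         # fell off the left edge
        return not (self.bitmap >> diff) & 1     # set bit means replay

    def mark(self, seq):
        """Record `seq` once the packet has authenticated.  Call only
        after check(seq) returned True."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            mask = (1 << self.size) - 1
            # Slide the window right; everything older than `size` drops out.
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def receive(self, seq, authentic=True):
        """Full receive path: window check, then (simulated) integrity
        check, then window update.  `authentic` stands in for the ICV
        verification result.  Returns True only for accepted packets."""
        if not self.check(seq):
            return False
        if not authentic:
            return False                         # drop; window untouched
        self.mark(seq)
        return True


if __name__ == "__main__":
    # Constructed sequence of arrivals on a 4-bit window.
    w = ReplayWindow(size=4)
    for s in (1, 1, 3, 2, 2, 10, 6, 7, 0):
        print(s, w.receive(s))
```

   With a 4-bit window the run above accepts 1, 3, 2, 10 and 7, and
   drops the repeated 1 and 2 (replays), 6 (older than the window once
   10 has been seen) and 0 (never valid); a packet that fails the
   integrity check leaves last_seq where it was.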
   The value of this property is meaningless if UseReplayPrevention is
   false.  It is assumed that the window size will be a power of 2.
   The property is defined as follows:

      NAME          ReplayPreventionWindowSize
      DESCRIPTION   Specifies the length of the window used by the
                    replay prevention detection mechanism.
      SYNTAX        unsigned 32-bit integer

7.6. The Class ESPTransform

   The class ESPTransform specifies the ESP algorithms to propose
   during IPsec security association negotiation.  The class definition
   for ESPTransform is as follows:

      NAME          ESPTransform
      DESCRIPTION   Specifies the ESP algorithms to propose.
      ABSTRACT      FALSE
      PROPERTIES    IntegrityTransformId
                    CipherTransformId
                    CipherKeyLength
                    CipherKeyRounds
                    UseReplayPrevention
                    ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

   The property IntegrityTransformId specifies the transform ID of the
   ESP integrity algorithm to propose.  The property is defined as
   follows:

      NAME          IntegrityTransformId
      DESCRIPTION   Specifies the transform ID of the ESP integrity
                    algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [DOI] for valid values.

7.6.2. The Property CipherTransformId

   The property CipherTransformId specifies the transform ID of the ESP
   encryption algorithm to propose.  The property is defined as
   follows:

      NAME          CipherTransformId
      DESCRIPTION   Specifies the transform ID of the ESP encryption
                    algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

   The property CipherKeyLength specifies, in bits, the key length for
   the ESP encryption algorithm.  For encryption algorithms that use
   fixed-length keys, this value is ignored.  The property is defined
   as follows:

      NAME          CipherKeyLength
      DESCRIPTION   Specifies the ESP encryption key length in bits.
      SYNTAX        unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

   The property CipherKeyRounds specifies the number of key rounds for
   the ESP encryption algorithm.  For encryption algorithms that use a
   fixed number of key rounds, this value is ignored.  The property is
   defined as follows:

      NAME          CipherKeyRounds
      DESCRIPTION   Specifies the number of key rounds for the ESP
                    encryption algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Currently, key rounds are not defined for any ESP
                    encryption algorithms.

7.6.5. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

      NAME          UseReplayPrevention
      DESCRIPTION   Specifies whether to enable replay prevention
                    detection.
      SYNTAX        boolean
      VALUE         true - replay prevention detection is enabled.
                    false - replay prevention detection is disabled.

7.6.6. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism.  The value of this property is meaningless if
   UseReplayPrevention is false.  It is assumed that the window size
   will be a power of 2.  The property is defined as follows:

      NAME          ReplayPreventionWindowSize
      DESCRIPTION   Specifies the length of the window used by the
                    replay prevention detection mechanism.
      SYNTAX        unsigned 32-bit integer

7.7. The Class IPCOMPTransform

   The class IPCOMPTransform specifies the IP compression (IPCOMP)
   algorithm to propose during IPsec security association negotiation.
   The class definition for IPCOMPTransform is as follows:

      NAME          IPCOMPTransform
      DESCRIPTION   Specifies the IPCOMP algorithm to propose.
      ABSTRACT      FALSE
      PROPERTIES    Algorithm
                    DictionarySize
                    PrivateAlgorithm

7.7.1. The Property Algorithm

   The property Algorithm specifies the transform ID of the IPCOMP
   compression algorithm to propose.  The property is defined as
   follows:

      NAME          Algorithm
      DESCRIPTION   Specifies the transform ID of the IPCOMP compression
                    algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         1 - OUI: a vendor specific algorithm is used and
                    specified in the property PrivateAlgorithm.
                    Consult [DOI] for other valid values.

7.7.2. The Property DictionarySize

   The property DictionarySize specifies the log2 maximum size of the
   dictionary for the compression algorithm.  For compression
   algorithms that have pre-defined dictionary sizes, this value is
   ignored.  The property is defined as follows:

      NAME          DictionarySize
      DESCRIPTION   Specifies the log2 maximum size of the dictionary.
      SYNTAX        unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

   The property PrivateAlgorithm specifies a private vendor-specific
   compression algorithm.  This value is only used when the property
   Algorithm is 1 (OUI).  The property is defined as follows:

      NAME          PrivateAlgorithm
      DESCRIPTION   Specifies a private vendor-specific compression
                    algorithm.
      SYNTAX        unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem

   The class SAProposalInSystem weakly associates SAProposals with a
   System.  The class definition for SAProposalInSystem is as follows:

      NAME          SAProposalInSystem
      DESCRIPTION   Weakly associates SAProposals with a System.
      DERIVED FROM  PolicyInSystem (see [PCIM])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent[ref System [1..1]]
                    Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.
   The [1..1] cardinality indicates that an SAProposal instance MUST be
   associated with one and only one System instance.

7.8.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SAProposal instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

   The class ContainedTransform associates an IPsecProposal with the
   set of SATransforms that make up the proposal.  If multiple
   transforms of the same type are in a proposal, then they are to be
   logically ORed and the order of preference is dictated by the
   SequenceNumber property.  Sets of transforms of different types are
   logically ANDed.  For example, if the ordered proposal list were

      ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
      AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to pick
   one from the ESP transform list (preferably (HMAC-MD5, 3DES)) AND
   one from the AH transform list (preferably MD5).

   The class definition for ContainedTransform is as follows:

      NAME          ContainedTransform
      DESCRIPTION   Associates an IPsecProposal with the set of
                    SATransforms that make up the proposal.
      DERIVED FROM  PolicyComponent (see [PCIM])
      ABSTRACT      FALSE
      PROPERTIES    GroupComponent[ref IPsecProposal[0..n]]
                    PartComponent[ref SATransform[1..n]]
                    SequenceNumber

7.9.1. The Reference GroupComponent

   The property GroupComponent is inherited from PolicyComponent and is
   overridden to refer to an IPsecProposal instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SATransform instance.
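   The OR-within-a-type, AND-across-types rule stated at the start of
   Section 7.9, worked through in code: the proposal's ContainedTransform
   links are grouped by transform type, each group is ordered by
   SequenceNumber, and a responder satisfies the proposal only by
   picking one acceptable transform from every group.  This is an added
   example and not code from this draft or from any implementation of
   it; the dataclasses are constructed stand-ins for the draft's
   SATransform subclasses and the ContainedTransform association, the
   text labels replace the transform ID properties, and the
   SequenceNumber values given to the draft's own ESP/AH example are
   chosen here, since the draft states only the order.

```python
"""Transform selection for an IPsecProposal per Section 7.9: transforms of
the same type are ORed in SequenceNumber order, the types are ANDed.
Added example, not code from the draft or from any implementation of it."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SATransform:
    kind: str    # "AH", "ESP" or "IPCOMP": the draft's three subclasses
    label: str   # readable stand-in for the transform ID properties


@dataclass(frozen=True)
class ContainedTransform:
    transform: SATransform
    sequence_number: int   # lower is preferred; unique within a proposal


def alternatives_by_type(links):
    """Group one proposal's transforms by type, each group ordered by
    SequenceNumber.  Choosing within a group is OR; every group present
    must be satisfied (AND).  Enforces the [1..n] PartComponent rule and
    SequenceNumber uniqueness of Section 7.9."""
    if not links:
        raise ValueError("PartComponent [1..n]: at least one SATransform is required")
    seen = set()
    groups = defaultdict(list)
    for link in links:
        if link.sequence_number in seen:
            raise ValueError(f"SequenceNumber {link.sequence_number} is not unique")
        seen.add(link.sequence_number)
        groups[link.transform.kind].append(link)
    return {kind: [l.transform for l in sorted(g, key=lambda l: l.sequence_number)]
            for kind, g in groups.items()}


def choose(links, supported):
    """What a responder that supports the transform labels in `supported`
    would pick: the most preferred acceptable transform of every type.
    Returns None if any type has no acceptable option, because the types
    are ANDed and the proposal then fails as a whole."""
    chosen = {}
    for kind, options in alternatives_by_type(links).items():
        pick = next((t for t in options if t.label in supported), None)
        if pick is None:
            return None
        chosen[kind] = pick.label
    return chosen


# The draft's Section 7.9 example as ContainedTransform links.  The
# SequenceNumber values are constructed; the draft gives only the order.
DRAFT_EXAMPLE = [
    ContainedTransform(SATransform("ESP", "HMAC-MD5/3DES"), 1),
    ContainedTransform(SATransform("ESP", "HMAC-MD5/DES"), 2),
    ContainedTransform(SATransform("AH", "MD5"), 3),
    ContainedTransform(SATransform("AH", "SHA-1"), 4),
]

if __name__ == "__main__":
    print(alternatives_by_type(DRAFT_EXAMPLE))
    # Responder without 3DES: picks the second ESP choice and MD5 for AH.
    print(choose(DRAFT_EXAMPLE, {"HMAC-MD5/DES", "MD5", "SHA-1"}))
    # Responder with no AH transform at all: the proposal fails (None).
    print(choose(DRAFT_EXAMPLE, {"HMAC-MD5/3DES"}))
```

   Because SequenceNumber is unique across the whole proposal rather
   than per type, the same value can never rank two transforms of
   different types, which is why a single set suffices for the
   uniqueness check.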
The [1..n] 2966 cardinality indicates that an IPsecProposal instance MUST be 2967 associated with at least one SATransform instance. 2969 7.9.3. The Property SequenceNumber 2971 The property SequenceNumber specifies the order of preference for 2972 the SATransforms of the same type. The property is defined as 2973 follows: 2975 NAME SequenceNumber 2976 DESCRIPTION Specifies the preference order for the SATransforms of 2977 the same type. 2978 SYNTAX unsigned 16-bit integer 2979 VALUE Lower-valued transforms are preferred over transforms 2980 of the same type with higher values. For 2981 ContainedTransforms that reference the same 2982 IPsecProposal, SequenceNumber values must be unique. 2984 7.10. The Association Class SATransformInSystem 2986 The class SATransformInSystem weakly associates SATransforms with a 2987 System. The class definition for SATransformInSystem System is as 2988 follows: 2990 NAME SATransformInSystem 2991 DESCRIPTION Weakly associates SATransforms with a System. 2992 DERIVED FROM PolicyInSystem (see [PCIM]) 2993 ABSTRACT FALSE 2994 PROPERTIES Antecedent[ref System[1..1]] 2995 Dependent[ref SATransform[0..n] [weak]] 2997 7.10.1. The Reference Antecedent 2999 The property Antecedent is inherited from PolicyInSystem and is 3000 overridden to refer to a System instance. The [1..1] cardinality 3001 indicates that an SATransform instance MUST be associated with one 3002 and only one System instance. 3004 7.10.2. The Reference Dependent 3006 The property Dependent is inherited from PolicyInSystem and is 3007 overridden to refer to an SATransform instance. The [0..n] 3008 cardinality indicates that a System instance may be associated with 3009 zero or more SATransform instances. 3011 8. 
8. IKE Service and Identity Classes

   [Figure: class diagram of the IKE service and identity classes.  It
   shows the classes System ([CIMCORE]), PeerIdentityEntry,
   PeerGateway, PeerIdentityTable, AutostartIKESetting, IKEService,
   IPProtocolEndpoint ([CIMNETWORK]), AutostartIKEConfiguration,
   IKEIdentity, Collection ([CIMCORE]), CredentialManagementService
   ([CIMUSER]) and Credential ([CIMUSER]), connected by the following
   associations:]

      (a) HostedPeerIdentityTable
      (b) PeerIdentityMember
      (c) IKEServicePeerGateway
      (d) IKEServicePeerIdentityTable
      (e) IKEAutostartSetting
      (f) AutostartIKESettingContext
      (g) IKEServiceForEndpoint
      (h) IKEAutostartConfiguration
      (i) IKEUsesCredentialManagementService
      (j) EndpointHasLocalIKEIdentity
      (k) CollectionHasLocalIKEIdentity
      (l) IKEIdentitysCredential

   This portion of the model contains additional information that is
   useful in applying the policy.  The IKEService class MAY be used to
   represent the IKE negotiation function in a system.
   The IKEService uses the various tables that contain information about
   IKE peers as well as the configuration for specifying security
   associations that are started automatically.  The information in the
   PeerGateway, PeerIdentityTable and related classes is necessary to
   completely specify the policies.

   An interface (represented by an IPProtocolEndpoint) has an IKEService
   that provides the negotiation services for that interface.  That
   service MAY also have a list of security associations that are
   automatically started at the time the IKE service is initialized.

   The IKEService also has a set of identities that it may use in
   negotiations with its peers.  Those identities are associated with
   the interfaces (or collections of interfaces).

8.1. The Class IKEService

   The class IKEService represents the IKE negotiation function.  An
   instance of this service may provide that negotiation service for one
   or more interfaces (represented by the IPProtocolEndpoint class) of a
   System.  There may be multiple instances of IKE services on a System
   but only one per interface.  The class definition for IKEService is
   as follows:

      NAME          IKEService
      DESCRIPTION   IKEService is used to represent the IKE negotiation
                    function.
      DERIVED FROM  Service (see [CIMCORE])
      ABSTRACT      FALSE

8.2. The Class PeerIdentityTable

   The class PeerIdentityTable aggregates the table entries that provide
   mappings between identities and their addresses.  The class
   definition for PeerIdentityTable is as follows:

      NAME          PeerIdentityTable
      DESCRIPTION   PeerIdentityTable aggregates PeerIdentityEntry
                    instances to provide a table of identity-address
                    mappings.
      DERIVED FROM  Collection (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Name

8.2.1. The Property Name

   The property Name uniquely identifies the table.  The property is
   defined as follows:

      NAME          Name
      DESCRIPTION   Name uniquely identifies the table.
      SYNTAX        string

8.3. The Class PeerIdentityEntry

   The class PeerIdentityEntry specifies the mapping between a peer's
   identity and its address.  The class definition for PeerIdentityEntry
   is as follows:

      NAME          PeerIdentityEntry
      DESCRIPTION   PeerIdentityEntry provides a mapping between a peer's
                    identity and address.
      DERIVED FROM  LogicalElement (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    PeerIdentity
                    PeerIdentityType
                    PeerAddress
                    PeerAddressType

8.3.1. The Property PeerIdentity

   The property PeerIdentity contains a string encoding of the Identity
   payload for the IKE peer.  The property is defined as follows:

      NAME          PeerIdentity
      DESCRIPTION   The PeerIdentity is the ID payload of a peer.
      SYNTAX        string

8.3.2. The Property PeerIdentityType

   The property PeerIdentityType is an enumeration that specifies the
   type of the PeerIdentity.  The property is defined as follows:

      NAME          PeerIdentityType
      DESCRIPTION   PeerIdentityType is the type of the ID payload of a
                    peer.
      SYNTAX        unsigned 16-bit integer
      VALUE         The enumeration values are specified in [DOI] section
                    4.6.2.1.

8.3.3. The Property PeerAddress

   The property PeerAddress specifies the string representation of the IP
   address of the peer formatted according to the appropriate convention
   as defined in the PeerAddressType property (e.g., dotted decimal
   notation).  The property is defined as follows:

      NAME          PeerAddress
      DESCRIPTION   PeerAddress is the address of the peer with the ID
                    payload.
      SYNTAX        string
      VALUE         String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType

   The property PeerAddressType specifies the format of the PeerAddress
   property value.  The property is defined as follows:

      NAME          PeerAddressType
      DESCRIPTION   PeerAddressType is the type of address in
                    PeerAddress.
      SYNTAX        unsigned 16-bit integer
      VALUE         0 - Unknown
                    1 - IPv4
                    2 - IPv6

8.4. The Class AutostartIKEConfiguration

   The class AutostartIKEConfiguration groups AutostartIKESetting
   instances into configuration sets.  When applied, the settings cause
   an IKE service to automatically start (negotiate or statically set as
   appropriate) the Security Associations.  The class definition for
   AutostartIKEConfiguration is as follows:

      NAME          AutostartIKEConfiguration
      DESCRIPTION   A configuration set of AutostartIKESetting instances
                    to be automatically started by the IKE service.
      DERIVED FROM  SystemConfiguration (see [CIMCORE])
      ABSTRACT      FALSE

8.5. The Class AutostartIKESetting

   The class AutostartIKESetting is used to automatically initiate IKE
   negotiations with peers (or statically create an SA) as specified in
   the AutostartIKESetting properties.  Appropriate actions are initiated
   according to the policy that matches the setting parameters.  The
   class definition for AutostartIKESetting is as follows:

      NAME          AutostartIKESetting
      DESCRIPTION   AutostartIKESetting is used to automatically initiate
                    IKE negotiations with peers or statically create an
                    SA.
      DERIVED FROM  SystemSetting (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Phase1Only
                    AddressType
                    SourceAddress
                    SourcePort
                    DestinationAddress
                    DestinationPort
                    Protocol

8.5.1. The Property Phase1Only

   The property Phase1Only is used to limit the IKE negotiation to just
   setting up a phase 1 security association.  When set to False, both
   phase 1 and 2 negotiations are initiated.
   The property is defined as follows:

      NAME          Phase1Only
      DESCRIPTION   Used to indicate which security associations to
                    attempt to establish (phase 1 only, or phase 1 and
                    2).
      SYNTAX        boolean
      VALUE         true - attempt to establish a phase 1 security
                    association
                    false - attempt to establish phase 1 and 2 security
                    associations

8.5.2. The Property AddressType

   The property AddressType specifies the type of the addresses in the
   SourceAddress and DestinationAddress properties.  The property is
   defined as follows:

      NAME          AddressType
      DESCRIPTION   AddressType is the type of address in the
                    SourceAddress and DestinationAddress properties.
      SYNTAX        unsigned 16-bit integer
      VALUE         0 - Unknown
                    1 - IPv4
                    2 - IPv6

8.5.3. The Property SourceAddress

   The property SourceAddress specifies the dotted-decimal or
   colon-decimal formatted IP address used as the source address in
   comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

      NAME          SourceAddress
      DESCRIPTION   The source address to compare with the filters to
                    determine the appropriate policy rule.
      SYNTAX        string
      VALUE         dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort

   The property SourcePort specifies the port number used as the source
   port in comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

      NAME          SourcePort
      DESCRIPTION   The source port to compare with the filters to
                    determine the appropriate policy rule.
      SYNTAX        unsigned 16-bit integer

8.5.5. The Property DestinationAddress

   The property DestinationAddress specifies the dotted-decimal or
   colon-decimal formatted IP address used as the destination address in
   comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

      NAME          DestinationAddress
      DESCRIPTION   The destination address to compare with the filters
                    to determine the appropriate policy rule.
      SYNTAX        string
      VALUE         dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort

   The property DestinationPort specifies the port number used as the
   destination port in comparing with policy filter entries and used in
   any phase 2 negotiations.  The property is defined as follows:

      NAME          DestinationPort
      DESCRIPTION   The destination port to compare with the filters to
                    determine the appropriate policy rule.
      SYNTAX        unsigned 16-bit integer

8.5.7. The Property Protocol

   The property Protocol specifies the protocol number used in comparing
   with policy filter entries and used in any phase 2 negotiations.  The
   property is defined as follows:

      NAME          Protocol
      DESCRIPTION   The protocol number used in comparing with policy
                    filter entries.
      SYNTAX        unsigned 8-bit integer

8.6. The Class IKEIdentity

   The class IKEIdentity is used to represent the identities that may be
   used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints)
   to identify the IKE Service in IKE phase 1 negotiations.  The policy
   IKEAction.UseIKEIdentityType specifies which type of the available
   identities to use in a negotiation exchange, and the
   IKERule.IdentityContexts specifies the match values to be used, along
   with the local address, in selecting the appropriate identity for a
   negotiation.  The ElementID property value (defined in the parent
   class, UsersAccess) should be that of either the IPProtocolEndpoint or
   the Collection of endpoints, as appropriate.
   The class definition for IKEIdentity is as follows:

      NAME          IKEIdentity
      DESCRIPTION   IKEIdentity is used to represent the identities that
                    may be used for an IPProtocolEndpoint (or collection
                    of IPProtocolEndpoints) to identify the IKE Service
                    in IKE phase 1 negotiations.
      DERIVED FROM  UsersAccess (see [CIMUSER])
      ABSTRACT      FALSE
      PROPERTIES    IdentityType
                    IdentityValue
                    IdentityContexts

8.6.1. The Property IdentityType

   The property IdentityType is an enumeration that specifies the type of
   the IdentityValue.  The property is defined as follows:

      NAME          IdentityType
      DESCRIPTION   IdentityType is the type of the IdentityValue.
      SYNTAX        unsigned 8-bit integer
      VALUE         The enumeration values are specified in [DOI] section
                    4.6.2.1.

8.6.2. The Property IdentityValue

   The property IdentityValue contains a string encoding of the Identity
   payload.  For IKEIdentity instances that are address types, the
   IdentityValue string value may be omitted and the associated
   IPProtocolEndpoint or appropriate member of the Collection of
   endpoints is used.  The property is defined as follows:

      NAME          IdentityValue
      DESCRIPTION   IdentityValue contains a string encoding of the
                    Identity payload.
      SYNTAX        string

8.6.3. The Property IdentityContexts

   The IdentityContexts property is used to constrain the use of
   IKEIdentity instances to match that specified in the
   IKERule.IdentityContexts.  The IdentityContexts are formatted as
   policy roles and role combinations [PCIM] & [PCIMe].  Each value
   represents one context or context combination.  Since this is a
   multi-valued property, more than one context or combination of
   contexts can be associated with a single IKEIdentity.  Each value is
   a string of the form:

      <ContextName>[&&<ContextName>]*

   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2).  If one or more
   values in the IKERule.IdentityContexts array match one or more
   IKEIdentity.IdentityContexts then the identity's context matches.
   (That is, each value of the IdentityContexts array is an ORed
   condition.)  In combination with the address of the IPProtocolEndpoint
   and IKEAction.UseIKEIdentityType, there SHOULD be 1 and only 1
   IKEIdentity.  The property is defined as follows:

      NAME          IdentityContexts
      DESCRIPTION   The IKE service of a security endpoint may have
                    multiple identities for use in different situations.
                    The combination of the interface (represented by the
                    IPProtocolEndpoint), the identity type (as specified
                    in the IKEAction) and the IdentityContexts selects a
                    unique identity.
      SYNTAX        string array
      VALUE         string of the form <ContextName>[&&<ContextName>]*

8.7. The Association Class HostedPeerIdentityTable

   The class HostedPeerIdentityTable provides the name scoping
   relationship for PeerIdentityTable entries in a System.  The
   PeerIdentityTable is weak to the System.  The class definition for
   HostedPeerIdentityTable is as follows:

      NAME          HostedPeerIdentityTable
      DESCRIPTION   The PeerIdentityTable instances are weak (name scoped
                    by) the owning System.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref System[1..1]]
                    Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is overridden
   to refer to a System instance.  The [1..1] cardinality indicates that
   a PeerIdentityTable instance MUST be associated in a weak relationship
   with one and only one System instance.
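   Before continuing with the HostedPeerIdentityTable references, here is
   an added example of the identity selection that Section 8.6 describes:
   the IKE service combines the local IPProtocolEndpoint (or a Collection
   it belongs to), the identity type named by IKEAction.UseIKEIdentityType
   and the IdentityContexts match of Section 8.6.3, and the draft says
   that SHOULD leave exactly one IKEIdentity.  This is example code
   written for this page, not code from the draft or from any IKE
   implementation.  The class and property names follow the draft; the
   numeric IdentityType codes are placeholders rather than the [DOI]
   values, the element identifiers and sample identities are constructed,
   and two readings are the example's own assumptions: a context value
   "matches" when the canonicalised strings are equal, and an IKERule with
   no IdentityContexts places no constraint.

```python
"""Added example, not part of the draft: selecting the local IKEIdentity
for an IKE phase 1 negotiation from the IdentityContexts of the matching
IKERule (Section 8.6.3), the identity type named by
IKEAction.UseIKEIdentityType and the local IPProtocolEndpoint.

Class and property names follow the draft.  The numeric IdentityType codes,
the element identifiers and the sample identities are constructed for this
example; real IdentityType values come from [DOI] section 4.6.2.1.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Constructed placeholder codes for IdentityType (not the [DOI] values).
ID_IPV4_ADDR = 1
ID_FQDN = 2


def canonical_context(value: str) -> str:
    """Canonicalise one IdentityContexts value, <ContextName>[&&<ContextName>]*.

    The draft requires the names in alphabetical order under the UCS-2
    collating sequence; sorting by code point, as done here, gives that
    order for characters in the Basic Multilingual Plane."""
    names = [n for n in value.split("&&") if n]
    if not names:
        raise ValueError("empty context combination")
    return "&&".join(sorted(set(names)))


@dataclass
class IKEIdentity:
    element_id: str                 # ElementID: the IPProtocolEndpoint or Collection
    identity_type: int              # IdentityType
    identity_value: str = ""        # IdentityValue; may be empty for address types
    identity_contexts: List[str] = field(default_factory=list)


def contexts_match(rule_contexts: List[str], identity_contexts: List[str]) -> bool:
    """An identity's context matches when any value of IKERule.IdentityContexts
    equals any value of IKEIdentity.IdentityContexts (each array element is an
    ORed condition).  Equality of canonicalised strings is this example's
    reading of "match"; an IKERule with no IdentityContexts is taken to place
    no constraint (also an assumption of this example)."""
    if not rule_contexts:
        return True
    rule = {canonical_context(c) for c in rule_contexts}
    ident = {canonical_context(c) for c in identity_contexts}
    return bool(rule & ident)


def find_candidates(identities: List[IKEIdentity], scope: FrozenSet[str],
                    use_identity_type: int, rule_contexts: List[str]) -> List[IKEIdentity]:
    """All IKEIdentity instances attached to the endpoint (or to a Collection
    it belongs to), of the requested type, whose contexts match the rule."""
    return [i for i in identities
            if i.element_id in scope
            and i.identity_type == use_identity_type
            and contexts_match(rule_contexts, i.identity_contexts)]


def select_identity(identities: List[IKEIdentity], scope: FrozenSet[str],
                    endpoint_address: str, use_identity_type: int,
                    rule_contexts: List[str]) -> IKEIdentity:
    """The draft says there SHOULD be one and only one IKEIdentity for the
    endpoint, type and contexts; zero or several is raised as an error so
    the misconfiguration is visible instead of being silently resolved."""
    candidates = find_candidates(identities, scope, use_identity_type, rule_contexts)
    if len(candidates) != 1:
        raise LookupError(f"{len(candidates)} IKEIdentity instances match type "
                          f"{use_identity_type} with contexts {rule_contexts}")
    chosen = candidates[0]
    if chosen.identity_type == ID_IPV4_ADDR and not chosen.identity_value:
        # Address-type identity with IdentityValue omitted: the address of
        # the associated IPProtocolEndpoint is the ID payload (Section 8.6.2).
        return IKEIdentity(chosen.element_id, chosen.identity_type,
                           endpoint_address, chosen.identity_contexts)
    return chosen


# Constructed sample: endpoint "eth0" is a member of collection "branch-ifaces".
SAMPLE_IDENTITIES = [
    IKEIdentity("eth0", ID_FQDN, "gw.example.com", ["Branch&&Internet"]),
    IKEIdentity("branch-ifaces", ID_FQDN, "partner.example.com", ["Partner"]),
    IKEIdentity("eth0", ID_IPV4_ADDR, "", ["Branch&&Internet", "Partner"]),
]
SAMPLE_SCOPE = frozenset({"eth0", "branch-ifaces"})

if __name__ == "__main__":
    chosen = select_identity(SAMPLE_IDENTITIES, SAMPLE_SCOPE, "192.0.2.1",
                             ID_IPV4_ADDR, ["Branch&&Internet"])
    print(chosen.identity_value)   # 192.0.2.1
```

   Raising on zero or several candidates, rather than picking the first,
   is the safer reading of the SHOULD: a phase 1 exchange that silently
   presents the wrong identity is hard to diagnose from the peer's side,
   whereas a refused negotiation with a clear local error is not.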
8.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to a PeerIdentityTable instance.  The [0..n] cardinality
   indicates that a System instance may be associated with zero or more
   PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

   The class PeerIdentityMember aggregates PeerIdentityEntry instances
   into a PeerIdentityTable.  This is a weak aggregation.  The class
   definition for PeerIdentityMember is as follows:

      NAME          PeerIdentityMember
      DESCRIPTION   PeerIdentityMember aggregates PeerIdentityEntry
                    instances into a PeerIdentityTable.
      DERIVED FROM  MemberOfCollection (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Collection [ref PeerIdentityTable[1..1]]
                    Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

   The property Collection is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityTable instance.  The [1..1]
   cardinality indicates that a PeerIdentityEntry instance MUST be
   associated with one and only one PeerIdentityTable instance (i.e.,
   PeerIdentityEntry instances are not shared across
   PeerIdentityTables).

8.8.2. The Reference Member

   The property Member is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityEntry instance.  The [0..n]
   cardinality indicates that a PeerIdentityTable instance may be
   associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

   The class IKEServicePeerGateway provides the association between an
   IKEService and the list of PeerGateway instances that it uses in
   negotiating with security gateways.  The class definition for
   IKEServicePeerGateway is as follows:

      NAME          IKEServicePeerGateway
      DESCRIPTION   Associates an IKEService and the list of PeerGateway
                    instances that it uses in negotiating with security
                    gateways.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref PeerGateway[0..n]]
                    Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is overridden
   to refer to a PeerGateway instance.  The [0..n] cardinality indicates
   that an IKEService instance may be associated with zero or more
   PeerGateway instances.

8.9.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a PeerGateway instance may be associated with zero or more
   IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

   The class IKEServicePeerIdentityTable provides the relationship
   between an IKEService and a PeerIdentityTable that it uses to map
   between addresses and identities as required.  The class definition
   for IKEServicePeerIdentityTable is as follows:

      NAME          IKEServicePeerIdentityTable
      DESCRIPTION   IKEServicePeerIdentityTable provides the relationship
                    between an IKEService and a PeerIdentityTable that it
                    uses.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref PeerIdentityTable[0..n]]
                    Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is overridden
   to refer to a PeerIdentityTable instance.  The [0..n] cardinality
   indicates that an IKEService instance may be associated with zero or
   more PeerIdentityTable instances.

8.10.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a PeerIdentityTable instance may be associated with zero or more
   IKEService instances.

8.11. The Association Class IKEAutostartSetting

   The class IKEAutostartSetting associates an AutostartIKESetting with
   an IKEService that may use it to automatically start an IKE
   negotiation or create a static SA.  The class definition for
   IKEAutostartSetting is as follows:

      NAME          IKEAutostartSetting
      DESCRIPTION   Associates an AutostartIKESetting with an IKEService.
      DERIVED FROM  ElementSetting (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Element [ref IKEService[0..n]]
                    Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

   The property Element is inherited from ElementSetting and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that an AutostartIKESetting instance may be
   associated with zero or more IKEService instances.

8.11.2. The Reference Setting

   The property Setting is inherited from ElementSetting and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

   The class AutostartIKESettingContext aggregates the settings used to
   automatically start negotiations or create a static SA into a
   configuration set.  The class definition for
   AutostartIKESettingContext is as follows:

      NAME          AutostartIKESettingContext
      DESCRIPTION   AutostartIKESettingContext aggregates the
                    AutostartIKESetting instances into a configuration
                    set.
      DERIVED FROM  SystemSettingContext (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Context [ref AutostartIKEConfiguration [0..n]]
                    Setting [ref AutostartIKESetting [0..n]]
                    SequenceNumber

8.12.1. The Reference Context

   The property Context is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an AutostartIKESetting instance may
   be associated with zero or more AutostartIKEConfiguration instances
   (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

   The property Setting is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an AutostartIKEConfiguration instance may
   be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

   The property SequenceNumber specifies the ordering to be used when
   starting negotiations or creating a static SA.  A zero value
   indicates that order is not significant and settings may be applied
   in parallel with other settings.  All other settings in the
   configuration are executed in sequence from lower values to higher.
   Sequence numbers need not be unique in an AutostartIKEConfiguration,
   and order is not significant for settings with the same sequence
   number.  The property is defined as follows:

      NAME          SequenceNumber
      DESCRIPTION   The sequence in which the settings are applied within
                    a configuration set.
      SYNTAX        unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

   The class IKEServiceForEndpoint provides the association showing
   which IKE service, if any, provides IKE negotiation services for
   which network interfaces.
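   Before the IKEServiceForEndpoint class definition, here is an added
   example that ties Sections 8.5 and 8.12.3 together: it validates a set
   of AutostartIKESetting instances against their declared AddressType and
   SYNTAX, and turns the SequenceNumber of each AutostartIKESettingContext
   into the order in which an IKE service would run the settings at
   startup (zero means unordered, equal values form one batch, otherwise
   ascending).  This is example code written for this page, not code from
   the draft or from any IKE implementation; the class and property names
   follow the draft, while the dataclass layout, the instance labels and
   the sample addresses are constructed for the example.

```python
"""Added example, not part of the draft: validating the AutostartIKESetting
instances (Section 8.5) of an AutostartIKEConfiguration and ordering them by
the SequenceNumber of their AutostartIKESettingContext (Section 8.12.3).

Class and property names follow the draft; the dataclass layout, the
instance labels and the sample addresses are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# AddressType enumeration (Section 8.5.2).
ADDR_UNKNOWN, ADDR_IPV4, ADDR_IPV6 = 0, 1, 2


@dataclass(frozen=True)
class AutostartIKESetting:
    name: str                   # constructed label for the instance
    phase1_only: bool           # Phase1Only
    address_type: int           # AddressType
    source_address: str         # SourceAddress
    source_port: int            # SourcePort (unsigned 16-bit)
    destination_address: str    # DestinationAddress
    destination_port: int       # DestinationPort (unsigned 16-bit)
    protocol: int               # Protocol (unsigned 8-bit)


def validate_setting(s: AutostartIKESetting) -> List[str]:
    """Return the problems with one setting: addresses that do not parse or
    do not agree with AddressType, and ports or protocol outside their
    SYNTAX.  AddressType Unknown leaves the address format unchecked."""
    problems: List[str] = []
    expected = {ADDR_IPV4: 4, ADDR_IPV6: 6}.get(s.address_type)
    for label, addr in (("SourceAddress", s.source_address),
                        ("DestinationAddress", s.destination_address)):
        try:
            version = ipaddress.ip_address(addr).version
        except ValueError:
            problems.append(f"{s.name}: {label} {addr!r} is not an IP address")
            continue
        if expected is not None and version != expected:
            problems.append(f"{s.name}: {label} is IPv{version} but AddressType "
                            f"says IPv{expected}")
    for label, port in (("SourcePort", s.source_port),
                        ("DestinationPort", s.destination_port)):
        if not 0 <= port <= 0xFFFF:
            problems.append(f"{s.name}: {label} {port} is not an unsigned 16-bit integer")
    if not 0 <= s.protocol <= 0xFF:
        problems.append(f"{s.name}: Protocol {s.protocol} is not an unsigned 8-bit integer")
    return problems


def execution_plan(contexts: List[Tuple[AutostartIKESetting, int]]
                   ) -> Tuple[List[str], List[List[str]]]:
    """Order (setting, SequenceNumber) pairs as Section 8.12.3 describes.

    Returns (unordered, batches): settings with SequenceNumber 0 may run in
    parallel with everything else; the remaining settings run batch by batch
    from the lowest SequenceNumber to the highest, and settings that share a
    number form one batch whose internal order is not significant."""
    unordered = sorted(s.name for s, seq in contexts if seq == 0)
    by_seq: Dict[int, List[str]] = {}
    for s, seq in contexts:
        if seq != 0:
            by_seq.setdefault(seq, []).append(s.name)
    batches = [sorted(names) for _, names in sorted(by_seq.items())]
    return unordered, batches


# Constructed sample configuration using documentation addresses.
SAMPLE_CONFIGURATION = [
    (AutostartIKESetting("to-hq", False, ADDR_IPV4, "192.0.2.10", 0,
                         "198.51.100.1", 0, 0), 1),
    (AutostartIKESetting("to-partner", False, ADDR_IPV4, "192.0.2.10", 0,
                         "203.0.113.7", 443, 6), 2),
    (AutostartIKESetting("phase1-warmup", True, ADDR_IPV6, "2001:db8::1", 0,
                         "2001:db8:1::1", 0, 0), 0),
    (AutostartIKESetting("to-dc", False, ADDR_IPV4, "192.0.2.10", 0,
                         "198.51.100.2", 0, 0), 2),
]

if __name__ == "__main__":
    for setting, _ in SAMPLE_CONFIGURATION:
        assert not validate_setting(setting), validate_setting(setting)
    print(execution_plan(SAMPLE_CONFIGURATION))
    # (['phase1-warmup'], [['to-hq'], ['to-dc', 'to-partner']])
```

   Validating before ordering matters operationally: a setting whose
   address disagrees with its AddressType never matches a policy filter,
   so the autostart would fail quietly at boot, which is exactly when
   nobody is watching the IKE service's logs.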
   The class definition for IKEServiceForEndpoint is as follows:

      NAME          IKEServiceForEndpoint
      DESCRIPTION   Associates an IPProtocolEndpoint with an IKEService
                    that provides negotiation services for the endpoint.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref IKEService[0..1]]
                    Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..1] cardinality indicates
   that an IPProtocolEndpoint instance MUST be associated with at most
   one IKEService instance.

8.13.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IPProtocolEndpoint that is associated with at most one
   IKEService.  The [0..n] cardinality indicates that an IKEService
   instance may be associated with zero or more IPProtocolEndpoint
   instances.

8.14. The Association Class IKEAutostartConfiguration

   The class IKEAutostartConfiguration provides the relationship between
   an IKEService and a configuration set that it uses to automatically
   start a set of SAs.  The class definition for
   IKEAutostartConfiguration is as follows:

      NAME          IKEAutostartConfiguration
      DESCRIPTION   IKEAutostartConfiguration provides the relationship
                    between an IKEService and an
                    AutostartIKEConfiguration that it uses to
                    automatically start a set of SAs.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref AutostartIKEConfiguration [0..n]]
                    Dependent [ref IKEService [0..n]]
                    Active

8.14.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is overridden
   to refer to an AutostartIKEConfiguration instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that an AutostartIKEConfiguration instance may be associated with zero
   or more IKEService instances.

8.14.3. The Property Active

   The property Active specifies whether the AutostartIKEConfiguration
   set is currently active for the associated IKEService.  That is, at
   boot time, the active configuration is used to automatically start
   IKE negotiations and create static SAs.  The property is defined as
   follows:

      NAME          Active
      DESCRIPTION   Active indicates whether the AutostartIKEConfiguration
                    set is currently active for the associated
                    IKEService.
      SYNTAX        boolean
      VALUE         true - AutostartIKEConfiguration is currently active
                    for the associated IKEService.
                    false - AutostartIKEConfiguration is currently
                    inactive for the associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

   The class IKEUsesCredentialManagementService defines the set of
   CredentialManagementService(s) that are trusted sources of credentials
   for IKE phase 1 negotiations.  The class definition for
   IKEUsesCredentialManagementService is as follows:

      NAME          IKEUsesCredentialManagementService
      DESCRIPTION   Associates the set of CredentialManagementService(s)
                    that are trusted by the IKEService as sources of
                    credentials used in IKE phase 1 negotiations.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref CredentialManagementService [0..n]]
                    Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is overridden
   to refer to a CredentialManagementService instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a CredentialManagementService instance may be associated with
   zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

   The class EndpointHasLocalIKEIdentity associates an IPProtocolEndpoint
   with a set of IKEIdentity instances that may be used in negotiating
   security associations on the endpoint.  An IKEIdentity MUST be
   associated with either an IPProtocolEndpoint using this association
   or with a collection of IKEIdentity instances using the
   CollectionHasLocalIKEIdentity association.  The class definition for
   EndpointHasLocalIKEIdentity is as follows:

      NAME          EndpointHasLocalIKEIdentity
      DESCRIPTION   EndpointHasLocalIKEIdentity associates an
                    IPProtocolEndpoint with a set of IKEIdentity
                    instances.
      DERIVED FROM  ElementAsUser (see [CIMUSER])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref IPProtocolEndpoint [0..1]]
                    Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to an IPProtocolEndpoint instance.  The [0..1]
   cardinality indicates that an IKEIdentity instance MUST be associated
   with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that an IPProtocolEndpoint instance may be
   associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

   The class CollectionHasLocalIKEIdentity associates a Collection of
   IPProtocolEndpoint instances with a set of IKEIdentity instances that
   may be used in negotiating SAs for endpoints in the collection.  An
   IKEIdentity MUST be associated with either an IPProtocolEndpoint using
   the EndpointHasLocalIKEIdentity association or with a collection of
   IKEIdentity instances using this association.  The class definition
   for CollectionHasLocalIKEIdentity is as follows:

      NAME          CollectionHasLocalIKEIdentity
      DESCRIPTION   CollectionHasLocalIKEIdentity associates a collection
                    of IPProtocolEndpoint instances with a set of
                    IKEIdentity instances.
      DERIVED FROM  ElementAsUser (see [CIMUSER])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref Collection [0..1]]
                    Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to a Collection instance.  The [0..1] cardinality
   indicates that an IKEIdentity instance MUST be associated with at most
   one Collection instance.

8.17.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that a Collection instance may be associated
   with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

   The class IKEIdentitysCredential is an association that relates a set
   of credentials to their corresponding local IKE Identities.
   The class definition for IKEIdentitysCredential is as follows:

      NAME          IKEIdentitysCredential
      DESCRIPTION   IKEIdentitysCredential associates a set of
                    credentials to their corresponding local IKEIdentity.
      DERIVED FROM  UsersCredential (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref Credential [0..n]]
                    Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

   The property Antecedent is inherited from UsersCredential and is
   overridden to refer to a Credential instance.  The [0..n] cardinality
   indicates that an IKEIdentity instance may be associated with zero or
   more Credential instances.

8.18.2. The Reference Dependent

   The property Dependent is inherited from UsersCredential and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that a Credential instance may be associated
   with zero or more IKEIdentity instances.

9. Implementation Requirements

   The following table specifies which classes, properties, associations
   and aggregations MUST, SHOULD or MAY be implemented.

   4. Policy Classes
   4.1. The Class IPsecPolicyGroup................................MUST
   4.2. The Class SARule..........................................MUST
   4.2.1. The Property PolicyRuleName..............................MAY
   4.2.1. The Property Enabled....................................MUST
   4.2.1. The Property ConditionListType..........................MUST
   4.2.1. The Property RuleUsage...................................MAY
   4.2.1. The Property Mandatory...................................MAY
   4.2.1. The Property SequencedActions...........................MUST
   4.2.1. The Property PolicyRoles.................................MAY
   4.2.1. The Property PolicyDecisionStrategy......................MAY
   4.2.2 The Property ExecutionStrategy..........................MUST
   4.2.3 The Property LimitNegotiation............................MAY
   4.3. The Class IKERule.........................................MUST
   4.3.1. The Property IdentityContexts............................MAY
   4.4. The Class IPsecRule.......................................MUST
   4.5.3. The Property GroupPriority..............................MUST
   4.6. The Association Class IpsecPolicyForEndpoint...............MAY
   4.6.1. The Reference Antecedent................................MUST
   4.6.2. The Reference Dependent.................................MUST
   4.7. The Association Class IPsecPolicyForSystem.................MAY
   4.7.1. The Reference Antecedent................................MUST
   4.7.2. The Reference Dependent.................................MUST
   4.8. The Aggregation Class RuleForIKENegotiation...............MUST
   4.8.1. The Property Priority.................................SHOULD
   4.8.2. The Reference GroupComponent............................MUST
   4.8.3. The Reference PartComponent.............................MUST
   4.9. The Aggregation Class RuleForIPsecNegotiation.............MUST
   4.9.1. The Property Priority.................................SHOULD
   4.9.2. The Reference GroupComponent............................MUST
   4.9.3. The Reference PartComponent.............................MUST
   4.10. The Aggregation Class SAConditionInRule..................MUST
   4.10.1. The Property GroupNumber.............................SHOULD
   4.10.1. The Property ConditionNegated........................SHOULD
   4.10.2. The Reference GroupComponent...........................MUST
   4.10.3. The Reference PartComponent............................MUST
   4.11. The Aggregation Class PolicyActionInSARule...............MUST
   4.11.1. The Reference GroupComponent...........................MUST
   4.11.2. The Reference PartComponent............................MUST
   4.11.3. The Property ActionOrder.............................SHOULD
   5. Condition and Filter Classes
   5.1. The Class SACondition.....................................MUST
   5.2. The Class IPHeaderFilter................................SHOULD
   5.3. The Class CredentialFilterEntry............................MAY
   5.3.1. The Property MatchFieldName.............................MUST
   5.3.2. The Property MatchFieldValue............................MUST
   5.3.3. The Property CredentialType.............................MUST
   5.4. The Class IPSOFilterEntry..................................MAY
   5.4.1. The Property MatchConditionType.........................MUST
   5.4.2. The Property MatchConditionValue........................MUST
   5.5. The Class PeerIDPayloadFilterEntry.........................MAY
   5.5.1. The Property MatchIdentityType..........................MUST
   5.5.2. The Property MatchIdentityValue.........................MUST
   5.6. The Association Class FilterOfSACondition...............SHOULD
   5.6.1. The Reference Antecedent................................MUST
   5.6.2. The Reference Dependent.................................MUST
   5.7. The Association Class AcceptCredentialFrom.................MAY
   5.7.1. The Reference Antecedent................................MUST
   5.7.2. The Reference Dependent.................................MUST
   6. Action Classes
   6.1. The Class SAAction........................................MUST
   6.1.1. The Property DoActionLogging.............................MAY
   6.1.2. The Property DoPacketLogging.............................MAY
   6.2. The Class SAStaticAction..................................MUST
   6.2.1. The Property LifetimeSeconds............................MUST
   6.3. The Class IPsecBypassAction.............................SHOULD
   6.4. The Class IPsecDiscardAction............................SHOULD
   6.5. The Class IKERejectAction..................................MAY
   6.6. The Class PreconfiguredSAAction...........................MUST
   6.6.1. The Property LifetimeKilobytes..........................MUST
   6.7. The Class PreconfiguredTransportAction....................MUST
   6.8. The Class PreconfiguredTunnelAction.......................MUST
   6.8.1. The Property DFHandling.................................MUST
   6.9. The Class SANegotiationAction.............................MUST
   6.10. The Class IKENegotiationAction...........................MUST
   6.10.1. The Property MinLifetimeSeconds.........................MAY
   6.10.2. The Property MinLifetimeKilobytes.......................MAY
   6.10.3. The Property RefreshThresholdSeconds....................MAY
   6.10.4. The Property RefreshThresholdKilobytes..................MAY
   6.10.5. The Property IdleDurationSeconds........................MAY
   6.11. The Class IPsecAction....................................MUST
   6.11.1. The Property UsePFS....................................MUST
   6.11.2. The Property UseIKEGroup................................MAY
   6.11.3. The Property GroupId...................................MUST
   6.11.4. The Property Granularity.............................SHOULD
   6.11.5. The Property VendorID...................................MAY
   6.12. The Class IPsecTransportAction...........................MUST
   6.13. The Class IPsecTunnelAction..............................MUST
   6.13.1. The Property DFHandling................................MUST
   6.14. The Class IKEAction......................................MUST
   6.14.1. The Property RefreshThresholdDerivedKeys................MAY
   6.14.2. The Property ExchangeMode..............................MUST
   6.14.3.
The Property UseIKEIdentityType........................MUST 3878 6.14.4. The Property VendorID...................................MAY 3879 6.14.5. The Property AggressiveModeGroupId......................MAY 3880 6.15. The Class PeerGateway....................................MUST 3881 6.15.1. The Property Name....................................SHOULD 3882 6.15.2. The Property PeerIdentityType..........................MUST 3883 6.15.3. The Property PeerIdentity..............................MUST 3884 6.16. The Association Class PeerGatewayForTunnel...............MUST 3885 6.16.1. The Reference Antecedent...............................MUST 3886 6.16.2. The Reference Dependent................................MUST 3887 6.16.3. The Property SequenceNumber..........................SHOULD 3888 6.17. The Aggregation Class ContainedProposal..................MUST 3889 6.17.1. The Reference GroupComponent...........................MUST 3890 6.17.2. The Reference PartComponent............................MUST 3891 6.17.3. The Property SequenceNumber............................MUST 3892 6.18. The Association Class HostedPeerGatewayInformation........MAY 3893 6.18.1. The Reference Antecedent...............................MUST 3894 6.18.2. The Reference Dependent................................MUST 3895 6.19. The Association Class TransformOfPreconfiguredAction.....MUST 3896 6.19.1. The Reference Antecedent...............................MUST 3897 6.19.2. The Reference Dependent................................MUST 3898 6.19.3. The Property SPI.......................................MUST 3899 6.19.4. The Property Direction.................................MUST 3900 6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST 3901 6.20.1. The Reference Antecedent...............................MUST 3902 6.20.2. The Reference Dependent................................MUST 3903 7. Proposal and Transform Classes 3904 7.1. 
The Abstract Class SAProposal.............................MUST 3905 7.1.1. The Property Name.....................................SHOULD 3906 7.2. The Class IKEProposal.....................................MUST 3907 7.2.1. The Property LifetimeDerivedKeys.........................MAY 3908 7.2.2. The Property CipherAlgorithm............................MUST 3909 7.2.3. The Property HashAlgorithm..............................MUST 3910 7.2.4. The Property PRFAlgorithm................................MAY 3911 7.2.5. The Property GroupId....................................MUST 3912 7.2.6. The Property AuthenticationMethod.......................MUST 3913 7.2.7. The Property MaxLifetimeSeconds.........................MUST 3914 7.2.8. The Property MaxLifetimeKilobytes.......................MUST 3915 7.2.9. The Property VendorID....................................MAY 3916 7.3. The Class IPsecProposal...................................MUST 3917 7.4. The Abstract Class SATransform............................MUST 3918 7.4.1. The Property TransformName............................SHOULD 3919 7.4.2. The Property VendorID....................................MAY 3920 7.4.3. The Property MaxLifetimeSeconds.........................MUST 3921 7.4.4. The Property MaxLifetimeKilobytes.......................MUST 3922 7.5. The Class AHTransform.....................................MUST 3923 7.5.1. The Property AHTransformId..............................MUST 3924 7.5.2. The Property UseReplayPrevention.........................MAY 3925 7.5.3. The Property ReplayPreventionWindowSize..................MAY 3926 7.6. The Class ESPTransform....................................MUST 3927 7.6.1. The Property IntegrityTransformId.......................MUST 3928 7.6.2. The Property CipherTransformId..........................MUST 3929 7.6.3. The Property CipherKeyLength.............................MAY 3930 7.6.4. The Property CipherKeyRounds.............................MAY 3931 7.6.5. 
The Property UseReplayPrevention.........................MAY 3932 7.6.6. The Property ReplayPreventionWindowSize..................MAY 3933 7.7. The Class IPCOMPTransform..................................MAY 3934 7.7.1. The Property Algorithm..................................MUST 3935 7.7.2. The Property DictionarySize..............................MAY 3936 7.7.3. The Property PrivateAlgorithm............................MAY 3937 7.8. The Association Class SAProposalInSystem...................MAY 3938 7.8.1. The Reference Antecedent................................MUST 3939 7.8.2. The Reference Dependent.................................MUST 3940 7.9. The Aggregation Class ContainedTransform..................MUST 3941 7.9.1. The Reference GroupComponent............................MUST 3942 7.9.2. The Reference PartComponent.............................MUST 3943 7.9.3. The Property SequenceNumber.............................MUST 3944 7.10. The Association Class SATransformInSystem.................MAY 3945 7.10.1. The Reference Antecedent...............................MUST 3946 7.10.2. The Reference Dependent................................MUST 3947 8. IKE Service and Identity Classes 3948 8.1. The Class IKEService.......................................MAY 3949 8.2. The Class PeerIdentityTable................................MAY 3950 8.3.1. The Property Name.....................................SHOULD 3951 8.3. The Class PeerIdentityEntry................................MAY 3952 8.3.1. The Property PeerIdentity.............................SHOULD 3953 8.3.2. The Property PeerIdentityType.........................SHOULD 3954 8.3.3. The Property PeerAddress..............................SHOULD 3955 8.3.4. The Property PeerAddressType..........................SHOULD 3956 8.4. The Class AutostartIKEConfiguration........................MAY 3957 8.5. The Class AutostartIKESetting..............................MAY 3958 8.5.1. 
The Property Phase1Only..................................MAY 3959 8.5.2. The Property AddressType..............................SHOULD 3960 8.5.3. The Property SourceAddress..............................MUST 3961 8.5.4. The Property SourcePort.................................MUST 3962 8.5.5. The Property DestinationAddress.........................MUST 3963 8.5.6. The Property DestinationPort............................MUST 3964 8.5.7. The Property Protocol...................................MUST 3965 8.6. The Class IKEIdentity......................................MAY 3966 8.6.1. The Property IdentityType...............................MUST 3967 8.6.2. The Property IdentityValue..............................MUST 3968 8.6.3. The Property IdentityContexts............................MAY 3969 8.7. The Association Class HostedPeerIdentityTable..............MAY 3970 8.7.1. The Reference Antecedent................................MUST 3971 8.7.2. The Reference Dependent.................................MUST 3972 8.8. The Aggregation Class PeerIdentityMember...................MAY 3973 8.8.1. The Reference Collection................................MUST 3974 8.8.2. The Reference Member....................................MUST 3975 8.9. The Association Class IKEServicePeerGateway................MAY 3976 8.9.1. The Reference Antecedent................................MUST 3977 8.9.2. The Reference Dependent.................................MUST 3978 8.10. The Association Class IKEServicePeerIdentityTable.........MAY 3979 8.10.1. The Reference Antecedent...............................MUST 3980 8.10.2. The Reference Dependent................................MUST 3981 8.11. The Association Class IKEAutostartSetting.................MAY 3982 8.11.1. The Reference Element..................................MUST 3983 8.11.2. The Reference Setting..................................MUST 3984 8.12. The Aggregation Class AutostartIKESettingContext..........MAY 3985 8.12.1. 
The Reference Context..................................MUST 3986 8.12.2. The Reference Setting..................................MUST 3987 8.12.3. The Property SequenceNumber..........................SHOULD 3988 8.13. The Association Class IKEServiceForEndpoint...............MAY 3989 8.13.1. The Reference Antecedent...............................MUST 3990 8.13.2. The Reference Dependent................................MUST 3991 8.14. The Association Class IKEAutostartConfiguration...........MAY 3992 8.14.1. The Reference Antecedent...............................MUST 3993 8.14.2. The Reference Dependent................................MUST 3994 8.14.3. The Property Active..................................SHOULD 3995 8.15. The Association Class IKEUsesCredentialManagementService..MAY 3996 8.15.1. The Reference Antecedent...............................MUST 3997 8.15.2. The Reference Dependent................................MUST 3998 8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY 3999 8.16.1. The Reference Antecedent...............................MUST 4000 8.16.2. The Reference Dependent................................MUST 4001 8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY 4002 8.17.1. The Reference Antecedent...............................MUST 4003 8.17.2. The Reference Dependent................................MUST 4004 8.18. The Association Class IKEIdentitysCredential..............MAY 4005 8.18.1. The Reference Antecedent...............................MUST 4006 8.18.2. The Reference Dependent................................MUST 4008 10. Security Considerations 4010 This document describes a schema for IPsec policy. It does not 4011 detail security requirements for storage or delivery of said schema. 4013 Storage and delivery security requirements should be detailed in a 4014 comprehensive security policy architecture document. 4016 11. 
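The conformance table in Section 9 is regular enough to be checked by a program rather than by hand. The Python below is an added example, not part of this draft: it parses a constructed excerpt of the table (the entries are copied from Section 9, the selection is ours) and reports which requirements a hypothetical implementation, declared by section number, fails to meet. It relies on one reading the draft does not spell out: a MUST or SHOULD on a property or reference only binds once the class that owns it is implemented, which is how a MAY class such as IpsecPolicyForEndpoint can carry MUST references. Section numbers are used as keys because names such as "The Reference Antecedent" recur throughout the table.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the Section 9 table (entries copied from the
# draft; the selection is ours and deliberately includes a MAY class
# whose references are MUST, and a MUST class with SHOULD/MUST parts).
SAMPLE_TABLE = """\
4. Policy Classes
4.2. The Class SARule..........................................MUST
4.2.2 The Property ExecutionStrategy..........................MUST
4.2.3 The Property LimitNegotiation............................MAY
4.6. The Association Class IpsecPolicyForEndpoint...............MAY
4.6.1. The Reference Antecedent................................MUST
4.6.2. The Reference Dependent.................................MUST
4.8. The Aggregation Class RuleForIKENegotiation...............MUST
4.8.1. The Property Priority.................................SHOULD
4.8.2. The Reference GroupComponent............................MUST
4.8.3. The Reference PartComponent.............................MUST
"""

# Hypothetical implementation: declares support by table section number.
IMPLEMENTED = {"4.2", "4.2.2", "4.8", "4.8.2"}

# "<section>[.] <name>....<LEVEL>"; group headings such as
# "4. Policy Classes" carry no requirement level and are skipped.
LINE_RE = re.compile(
    r"^\s*(\d+(?:\.\d+)+)\.?\s+(.+?)\.{2,}(MUST|SHOULD|MAY)\s*$")


@dataclass(frozen=True)
class Requirement:
    section: str
    name: str
    level: str


def parse_requirements(table_text):
    """Parse the dot-leader table into {section: Requirement}."""
    reqs = {}
    for line in table_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            section, name, level = m.groups()
            reqs[section] = Requirement(section, name.strip(), level)
    return reqs


def parent_section(section):
    """'4.6.1' -> '4.6'; a class-level entry such as '4.6' has no parent."""
    return section.rsplit(".", 1)[0] if section.count(".") > 1 else None


def _section_key(section):
    return [int(part) for part in section.split(".")]


def check_conformance(reqs, implemented):
    """Return (violations, warnings, skipped) as sorted section lists.

    Assumption (our reading of the table, not stated by the draft): a
    MUST/SHOULD on a property or reference only binds once the class
    that owns it is implemented. Unimplemented parts of an
    unimplemented class are reported as skipped, not as violations.
    """
    violations, warnings, skipped = [], [], []
    for section in sorted(reqs, key=_section_key):
        if section in implemented:
            continue
        parent = parent_section(section)
        if parent is not None and parent not in implemented:
            skipped.append(section)
            continue
        level = reqs[section].level
        if level == "MUST":
            violations.append(section)
        elif level == "SHOULD":
            warnings.append(section)
    return violations, warnings, skipped


def dangling_declarations(reqs, implemented):
    """Declared sections that are absent from the table, or parts
    declared as implemented whose owning class is not."""
    bad = []
    for section in implemented:
        parent = parent_section(section)
        if section not in reqs or (parent and parent not in implemented):
            bad.append(section)
    return sorted(bad, key=_section_key)


if __name__ == "__main__":
    table = parse_requirements(SAMPLE_TABLE)
    violations, warnings, skipped = check_conformance(table, IMPLEMENTED)
    for label, sections in (("MUST missing", violations),
                            ("SHOULD missing", warnings),
                            ("not applicable", skipped)):
        for sec in sections:
            print(f"{label:15} {sec:7} {table[sec].name}")
```

Run against the sample declaration, the checker flags 4.8.3 (a MUST reference of an implemented aggregation class) as a violation, 4.8.1 as a SHOULD warning, and treats 4.6.1 and 4.6.2 as not applicable because the MAY class IpsecPolicyForEndpoint was not implemented. The dangling check catches the opposite inconsistency, a declaration that claims a reference without its owning class. Feeding the full Section 9 table through parse_requirements works with the same regular expression, but note that the draft repeats some section numbers (for example 4.2.1 and 8.3.1), so later entries with a duplicated number overwrite earlier ones and would need distinct keys in a real checker.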
11. Intellectual Property

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.

Copies of claims of rights made available for publication and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.

12. Acknowledgments

The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
Vic Lortz, and William Dixon for their contributions to this IPsec
policy model.

Additionally, this draft would not have been possible without the
preceding IPsec schema drafts. For that, thanks go out to Rob
Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
Rajan.

13. References

   [IKE]      Harkins, D. and D. Carrel, "The Internet Key Exchange
              (IKE)", RFC 2409, November 1998.

   [COMP]     Shacham, A., Monsour, R., Pereira, R. and M. Thomas,
              "IP Payload Compression Protocol (IPComp)", RFC 2393,
              August 1998.

   [ESP]      Kent, S. and R. Atkinson, "IP Encapsulating Security
              Payload (ESP)", RFC 2406, November 1998.

   [AH]       Kent, S. and R. Atkinson, "IP Authentication Header",
              RFC 2402, November 1998.

   [PCIM]     Moore, B., Ellesson, E. and J. Strassner, "Policy Core
              Information Model -- Version 1 Specification", RFC 3060,
              February 2001.

   [PCIME]    Moore, B., Rafalow, L., Ramberg, Y., Snir, Y.,
              Westerinen, A., Chadha, R., Brunner, M., Cohen, R. and
              J. Strassner, "Policy Core Information Model
              Extensions", draft-ietf-policy-pcim-ext-05.txt,
              October 2001, Internet-Draft, work in progress.

   [DOI]      Piper, D., "The Internet IP Security Domain of
              Interpretation for ISAKMP", RFC 2407, November 1998.

   [LDAP]     Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
              Access Protocol (v3)", RFC 2251, December 1997.

   [COPS]     Boyle, J., Cohen, R., Durham, D., Herzog, S., Rajan, R.
              and A. Sastry, "The COPS (Common Open Policy Service)
              Protocol", RFC 2748, January 2000.

   [COPSPR]   Chan, K., Durham, D., Gai, S., Herzog, S., McCloghrie,
              K., Reichmeyer, F., Seligson, J., Smith, A. and
              R. Yavatkar, "COPS Usage for Policy Provisioning",
              draft-ietf-rap-pr-05.txt, October 2000, Internet-Draft,
              work in progress.

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [IPSO]     Kent, S., "U.S. Department of Defense Security Options
              for the Internet Protocol", RFC 1108, November 1991.

   [IPSEC]    Kent, S. and R. Atkinson, "Security Architecture for
              the Internet Protocol", RFC 2401, November 1998.
   [DMTF]     Distributed Management Task Force, http://www.dmtf.org/

   [CIMCORE]  DMTF Common Information Model - Core Model v2.5,
              http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25.mof
              and
              http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25_Add.mof

   [CIMUSER]  DMTF Common Information Model - User-Security Model v2.5,
              http://www.dmtf.org/var/release/CIM_Schema25/CIM_User25.mof

   [CIMNETWORK] DMTF Common Information Model - Network Model v2.5,
              http://www.dmtf.org/var/release/CIM_Schema25/CIM_Network25.mof

14. Disclaimer

The views and specification herein are those of the authors and are
not necessarily those of their employer. The authors and their
employer specifically disclaim responsibility for any problems
arising from correct or incorrect implementation or use of this
specification.

15. Authors' Addresses

   Jamie Jason
   Intel Corporation
   MS JF3-206
   2111 NE 25th Ave.
   Hillsboro, OR 97124
   E-Mail: jamie.jason@intel.com

   Lee Rafalow
   IBM Corporation, BRQA/502
   4205 So. Miami Blvd.
   Research Triangle Park, NC 27709
   E-mail: rafalow@watson.ibm.com

   Eric Vyncke
   Cisco Systems
   Avenue Marcel Thiry, 77
   B-1200 Brussels
   Belgium
   E-mail: evyncke@cisco.com

16. Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.