idnits 2.17.1

draft-ietf-ipsp-config-policy-model-05.txt:

  -(923): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding
  -(1299): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding
  -(1448): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding

  Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  ** Missing expiration date. The document expiration date should appear on the first and last page.

  ** The document seems to lack a 1id_guidelines paragraph about Internet-Drafts being working documents.

  == There are 16 instances of lines with non-ascii characters in the document.

  == No 'Intended status' indicated for this document; assuming Proposed Standard

  == The page length should not exceed 58 lines per page, but there was 72 longer pages, the longest (page 2) being 66 lines

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references.

  ** The abstract seems to contain references ([PCIME], [PCIM], [COMP,ESP,, [DOI,IKE], AH]), which it shouldn't. Please replace those with straight textual mentions of the documents in question.

  == There are 4 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year

  == Line 40 has weird spacing: '... models the...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires).

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean).

     Found 'MUST not' in this paragraph:

     The class SARule serves as a base class for IKERule and IPsecRule. Even though the class is concrete, it MUST not be instantiated. It defines a common connection point for associations to conditions and actions for both types of rules. Through its derivation from PolicyRule, a SARule (and therefore IKERule and IPsecRule) also has the PolicyRuleValidityPeriod association.

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean).

     Found 'MUST not' in this paragraph:

     Although the class is concrete, it MUST not be instantiated. The class definition for PreconfiguredSAAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean).

     Found 'MUST not' in this paragraph:

     The class IKENegotiationAction is abstract and serves as the base class for IKE and IPsec actions that result in a IKE negotiation. Although the class is concrete, is MUST not be instantiated. The class definition for IKENegotiationAction is as follows:

  == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean).

     Found 'MUST not' in this paragraph:

     The class IPsecAction serves as the base class for IPsec transport and tunnel actions. It specifies the parameters used for an IKE phase 2 IPsec DOI negotiation. Although the class is concrete, is MUST not be instantiated. The class definition for IPsecAction is as follows:

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.)

  -- Couldn't find a document date in the document -- date freshness check skipped.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)

  == Missing Reference: 'PCIMe' is mentioned on line 3300, but not defined

  == Missing Reference: 'SAProposal' is mentioned on line 2394, but not defined

  == Missing Reference: 'SATransform' is mentioned on line 2407, but not defined

  == Unused Reference: 'IPSO' is defined on line 4016, but no explicit reference was found in the text

  ** Obsolete normative reference: RFC 2409 (ref. 'IKE') (Obsoleted by RFC 4306)

  ** Obsolete normative reference: RFC 2393 (ref. 'COMP') (Obsoleted by RFC 3173)

  ** Obsolete normative reference: RFC 2406 (ref. 'ESP') (Obsoleted by RFC 4303, RFC 4305)

  ** Obsolete normative reference: RFC 2402 (ref. 'AH') (Obsoleted by RFC 4302, RFC 4305)

  == Outdated reference: A later version (-08) exists of draft-ietf-policy-pcim-ext-05

  ** Obsolete normative reference: RFC 2407 (ref. 'DOI') (Obsoleted by RFC 4306)

  ** Obsolete normative reference: RFC 2251 (ref. 'LDAP') (Obsoleted by RFC 4510, RFC 4511, RFC 4512, RFC 4513)

  ** Downref: Normative reference to an Historic draft: draft-ietf-rap-pr (ref. 'COPSPR')

  ** Downref: Normative reference to an Historic RFC: RFC 1108 (ref. 'IPSO')

  ** Obsolete normative reference: RFC 2401 (ref. 'IPSEC') (Obsoleted by RFC 4301)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'DMTF'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'CIMCORE'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'CIMUSER'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'CIMNETWORK'

  Summary: 15 errors (**), 0 flaws (~~), 16 warnings (==), 6 comments (--).

  Run idnits with the --verbose option for more detailed information about the items above.

--------------------------------------------------------------------------------

Internet Engineering Task Force                             Jamie Jason
INTERNET DRAFT                                        Intel Corporation
February-2002                                               Lee Rafalow
                                                                    IBM
                                                            Eric Vyncke
                                                          Cisco Systems

                     IPsec Configuration Policy Model
                draft-ietf-ipsp-config-policy-model-05.txt

Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

Abstract

This document presents an object-oriented information model of IPsec policy designed to:

   o facilitate agreement about the content and semantics of IPsec policy

   o enable derivations of task-specific representations of IPsec policy such as storage schema, distribution representations, and policy specification languages used to configure IPsec-enabled endpoints

The information model described in this document models the configuration parameters defined by the IP Security protocol [COMP, ESP, AH]. The information model also covers the parameters used by the Internet Key Exchange [DOI, IKE] protocol. Other key exchange protocols could be easily added to the information model by a simple extension. Other extensions can further be added easily due to the object-oriented nature of the model.

This information model is based upon the core policy classes as defined in the Policy Core Information Model (PCIM) [PCIM] and on the Policy Core Information Model Extensions (PCIMe) [PCIME].

Table of Contents

   Status of this Memo
   Abstract
   Table of Contents
   1. Introduction
   2. UML Conventions
   3. IPsec Policy Model Inheritance Hierarchy
   4. Policy Classes
   4.1. The Class IPsecPolicyGroup
   4.2. The Class SARule
   4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, RuleUsage, Mandatory, SequencedActions, PolicyRoles, and PolicyDecisionStrategy
   4.2.2. The Property ExecutionStrategy
   4.2.3. The Property LimitNegotiation
   4.3. The Class IKERule
   4.3.1. The Property IdentityContexts
   4.4. The Class IPsecRule
   4.5. The Association Class IPsecPolicyForEndpoint
   4.5.1. The Reference Antecedent
   4.5.2. The Reference Dependent
   4.6. The Association Class IPsecPolicyForSystem
   4.6.1. The Reference Antecedent
   4.6.2. The Reference Dependent
   4.7. The Aggregation Class SARuleInPolicyGroup
   4.7.1. The Property Priority
   4.7.2. The Reference GroupComponent
   4.7.3. The Reference PartComponent
   4.8. The Aggregation Class SAConditionInRule
   4.8.1. The Properties GroupNumber and ConditionNegated
   4.8.2. The Reference GroupComponent
   4.8.3. The Reference PartComponent
   4.9. The Aggregation Class PolicyActionInSARule
   4.9.1. The Reference GroupComponent
   4.9.2. The Reference PartComponent
   4.9.3. The Property ActionOrder
   5. Condition and Filter Classes
   5.1. The Class SACondition
   5.2. The Class IPHeadersFilter
   5.3. The Class CredentialFilterEntry
   5.3.1. The Property MatchFieldName
   5.3.2. The Property MatchFieldValue
   5.3.3. The Property CredentialType
   5.4. The Class IPSOFilterEntry
   5.4.1. The Property MatchConditionType
   5.4.2. The Property MatchConditionValue
   5.5. The Class PeerIDPayloadFilterEntry
   5.5.1. The Property MatchIdentityType
   5.5.2. The Property MatchIdentityValue
   5.6. The Association Class FilterOfSACondition
   5.6.1. The Reference Antecedent
   5.6.2. The Reference Dependent
   5.7. The Association Class AcceptCredentialFrom
   5.7.1. The Reference Antecedent
   5.7.2. The Reference Dependent
   6. Action Classes
   6.1. The Class SAAction
   6.1.1. The Property DoActionLogging
   6.1.2. The Property DoPacketLogging
   6.2. The Class SAStaticAction
   6.2.1. The Property LifetimeSeconds
   6.3. The Class IPsecBypassAction
   6.4. The Class IPsecDiscardAction
   6.5. The Class IKERejectAction
   6.6. The Class PreconfiguredSAAction
   6.6.1. The Property LifetimeKilobytes
   6.7. The Class PreconfiguredTransportAction
   6.8. The Class PreconfiguredTunnelAction
   6.8.1. The Property DFHandling
   6.9. The Class SANegotiationAction
   6.10. The Class IKENegotiationAction
   6.10.1. The Property MinLifetimeSeconds
   6.10.2. The Property MinLifetimeKilobytes
   6.10.3. The Property IdleDurationSeconds
   6.11. The Class IPsecAction
   6.11.1. The Property UsePFS
   6.11.2. The Property UseIKEGroup
   6.11.3. The Property GroupId
   6.11.4. The Property Granularity
   6.11.5. The Property VendorID
   6.12. The Class IPsecTransportAction
   6.13. The Class IPsecTunnelAction
   6.13.1. The Property DFHandling
   6.14. The Class IKEAction
   6.14.1. The Property ExchangeMode
   6.14.2. The Property UseIKEIdentityType
   6.14.3. The Property VendorID
   6.14.4. The Property AggressiveModeGroupId
   6.15. The Class PeerGateway
   6.15.1. The Property Name
   6.15.2. The Property PeerIdentityType
   6.15.3. The Property PeerIdentity
   6.16. The Association Class PeerGatewayForTunnel
   6.16.1. The Reference Antecedent
   6.16.2. The Reference Dependent
   6.16.3. The Property SequenceNumber
   6.17. The Aggregation Class ContainedProposal
   6.17.1. The Reference GroupComponent
   6.17.2. The Reference PartComponent
   6.17.3. The Property SequenceNumber
   6.18. The Association Class HostedPeerGatewayInformation
   6.18.1. The Reference Antecedent
   6.18.2. The Reference Dependent
   6.19. The Association Class TransformOfPreconfiguredAction
   6.19.1. The Reference Antecedent
   6.19.2. The Reference Dependent
   6.19.3. The Property SPI
   6.19.4. The Property Direction
   6.20. The Association Class PeerGatewayForPreconfiguredTunnel
   6.20.1. The Reference Antecedent
   6.20.2. The Reference Dependent
   7. Proposal and Transform Classes
   7.1. The Abstract Class SAProposal
   7.1.1. The Property Name
   7.2. The Class IKEProposal
   7.2.1. The Property CipherAlgorithm
   7.2.2. The Property HashAlgorithm
   7.2.3. The Property PRFAlgorithm
   7.2.4. The Property GroupId
   7.2.5. The Property AuthenticationMethod
   7.2.6. The Property MaxLifetimeSeconds
   7.2.7. The Property MaxLifetimeKilobytes
   7.2.8. The Property VendorID
   7.3. The Class IPsecProposal
   7.4. The Abstract Class SATransform
   7.4.1. The Property TransformName
   7.4.2. The Property VendorID
   7.4.3. The Property MaxLifetimeSeconds
   7.4.4. The Property MaxLifetimeKilobytes
   7.5. The Class AHTransform
   7.5.1. The Property AHTransformId
   7.5.2. The Property UseReplayPrevention
   7.5.3. The Property ReplayPreventionWindowSize
   7.6. The Class ESPTransform
   7.6.1. The Property IntegrityTransformId
   7.6.2. The Property CipherTransformId
   7.6.3. The Property CipherKeyLength
   7.6.4. The Property CipherKeyRounds
   7.6.5. The Property UseReplayPrevention
   7.6.6. The Property ReplayPreventionWindowSize
   7.7. The Class IPCOMPTransform
   7.7.1. The Property Algorithm
   7.7.2. The Property DictionarySize
   7.7.3. The Property PrivateAlgorithm
   7.8. The Association Class SAProposalInSystem
   7.8.1. The Reference Antecedent
   7.8.2. The Reference Dependent
   7.9. The Aggregation Class ContainedTransform
   7.9.1. The Reference GroupComponent
   7.9.2. The Reference PartComponent
   7.9.3. The Property SequenceNumber
   7.10. The Association Class SATransformInSystem
   7.10.1. The Reference Antecedent
   7.10.2. The Reference Dependent
   8. IKE Service and Identity Classes
   8.1. The Class IKEService
   8.2. The Class PeerIdentityTable
   8.2.1. The Property Name
   8.3. The Class PeerIdentityEntry
   8.3.1. The Property PeerIdentity
   8.3.2. The Property PeerIdentityType
   8.3.3. The Property PeerAddress
   8.3.4. The Property PeerAddressType
   8.4. The Class AutostartIKEConfiguration
   8.5. The Class AutostartIKESetting
   8.5.1. The Property Phase1Only
   8.5.2. The Property AddressType
   8.5.3. The Property SourceAddress
   8.5.4. The Property SourcePort
   8.5.5. The Property DestinationAddress
   8.5.6. The Property DestinationPort
   8.5.7. The Property Protocol
   8.6. The Class IKEIdentity
   8.6.1. The Property IdentityType
   8.6.2. The Property IdentityValue
   8.6.3. The Property IdentityContexts
   8.7. The Association Class HostedPeerIdentityTable
   8.7.1. The Reference Antecedent
   8.7.2. The Reference Dependent
   8.8. The Aggregation Class PeerIdentityMember
   8.8.1. The Reference Collection
   8.8.2. The Reference Member
   8.9. The Association Class IKEServicePeerGateway
   8.9.1. The Reference Antecedent
   8.9.2. The Reference Dependent
   8.10. The Association Class IKEServicePeerIdentityTable
   8.10.1. The Reference Antecedent
   8.10.2. The Reference Dependent
   8.11. The Association Class IKEAutostartSetting
   8.11.1. The Reference Element
   8.11.2. The Reference Setting
   8.12. The Aggregation Class AutostartIKESettingContext
   8.12.1. The Reference Context
   8.12.2. The Reference Setting
   8.12.3. The Property SequenceNumber
   8.13. The Association Class IKEServiceForEndpoint
   8.13.1. The Reference Antecedent
   8.13.2. The Reference Dependent
   8.14. The Association Class IKEAutostartConfiguration
   8.14.1. The Reference Antecedent
   8.14.2. The Reference Dependent
   8.14.3. The Property Active
   8.15. The Association Class IKEUsesCredentialManagementService
   8.15.1. The Reference Antecedent
   8.15.2. The Reference Dependent
   8.16. The Association Class EndpointHasLocalIKEIdentity
   8.16.1. The Reference Antecedent
   8.16.2. The Reference Dependent
   8.17. The Association Class CollectionHasLocalIKEIdentity
   8.17.1. The Reference Antecedent
   8.17.2. The Reference Dependent
   8.18. The Association Class IKEIdentitysCredential
   8.18.1. The Reference Antecedent
   8.18.2. The Reference Dependent
   9. Implementation Requirements
   10. Security Considerations
   11. Intellectual Property
   12. Acknowledgments
   13. References
   14. Disclaimer
   15. Authors' Addresses
   16. Full Copyright Statement

1. Introduction

IP security (IPsec) policy may assume a variety of forms as it travels from storage to distribution point to decision point. At each step, it needs to be represented in a way that is convenient for the current task. For example, the policy could exist as, but is not limited to:

   o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in a directory

   o an on-the-wire representation over a transport protocol like the Common Object Policy Service (COPS) [COPS, COPSPR]

   o a text-based policy specification language suitable for editing by an administrator

   o an Extensible Markup Language (XML) document

Each of these task-specific representations should be derived from a canonical representation that precisely specifies the content and semantics of the IPsec policy. This document captures this concept and introduces a task-independent canonical representation for IPsec policies.

In order to have a simple information model, this document focuses mainly on the existing protocols [COMP, ESP, AH, DOI, IKE]. The model can easily be extended if needed due to its object-oriented nature.

This document is organized as follows:

   o Section 2 provides a quick introduction to the Unified Modeling Language (UML) graphical notation conventions used in this document.

   o Section 3 provides the inheritance hierarchy that describes where the IPsec policy classes fit into the policy class hierarchy already defined by the Policy Core Information Model (PCIM) and Policy Core Information Model Extensions (PCIMe).

   o Sections 4 through 8 describe the classes that make up the IPsec policy model.

   o Section 9 presents the implementation requirements for the classes in the model (i.e., the MUST/MAY/SHOULD status).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

For this document, a UML static class diagram was chosen as the canonical representation for the IPsec policy model. The reason behind this decision is that UML provides a graphical, task-independent way to model systems. A treatise on the graphical notation used in UML is beyond the scope of this paper. However, given the use of ASCII drawing for UML static class diagrams, a description of the notational conventions used in this document is in order:

   o Boxes represent classes, with class names in brackets ([]) representing an abstract class.

   o A line that terminates with an arrow (<, >, ^, v) denotes inheritance. The arrow always points to the parent class. Inheritance can also be called generalization or specialization (depending upon the reference point). A base class is a generalization of a derived class, and a derived class is a specialization of a base class.

   o Associations are used to model a relationship between two classes. Classes that share an association are connected using a line. A special kind of association is also used: an aggregation. An aggregation models a whole-part relationship between two classes. Associations, and therefore aggregations, can also be modeled as classes.

   o A line that begins with an "o" denotes aggregation. Aggregation denotes containment in which the contained class and the containing class have independent lifetimes.

   o Next to a line representing an association appears a cardinality. Cardinalities indicate the constraints on the number of object instances in a set of relationships. Every association instance has a single set of references. The cardinality indicates the number of instances that may refer to a given object instance. The cardinality may be:

      - a range in the form "lower bound..upper bound" indicating the minimum and maximum number of objects.

      - a number that indicates the exact number of objects.

      - an asterisk indicating any number of objects, including zero. Using an asterisk is shorthand for 0..n.

      - the letter n indicating from 1 to many. Using the letter n is shorthand for 1..n.

   o A class that has an association may have a "w" next to the line representing the association. This is called a weak association and is discussed in [PCIM].

It should be noted that the UML static class diagram presented is a conceptual view of IPsec policy designed to aid in understanding. It does not necessarily get translated class for class into another representation. For example, an LDAP implementation may flatten out the representation to fewer classes (because of the inefficiency of following references).

3. IPsec Policy Model Inheritance Hierarchy

Like PCIM and PCIMe from which it is derived, the IPsec Configuration Policy Model derives from and uses classes defined in the DMTF [DMTF] Common Information Model (CIM). The following tree represents the inheritance hierarchy for the IPsec policy model classes and how they fit into PCIM, PCIMe and the other DMTF models (see Appendices for descriptions of classes that are not being introduced as part of the IPsec model). CIM classes that are not used as a superclass from which to derive new classes but are only referenced are not included in this inheritance hierarchy, but can be found in the appropriate DMTF document [CIMCORE], [CIMUSER] or [CIMNETWORK].
   ManagedElement (DMTF Core Model - [CIMCORE])
   |
   +--Collection (DMTF Core Model - [CIMCORE])
   |  |
   |  +--PeerIdentityTable
   |
   +--ManagedSystemElement (DMTF Core Model - [CIMCORE])
   |  |
   |  +--LogicalElement (DMTF Core Model - [CIMCORE])
   |     |
   |     +--FilterEntryBase (DMTF Network Model - [CIMNETWORK])
   |     |  |
   |     |  +--CredentialFilterEntry
   |     |  |
   |     |  +--IPHeadersFilter (PCIMe)
   |     |  |
   |     |  +--IPSOFilterEntry
   |     |  |
   |     |  +--PeerIDPayloadFilterEntry
   |     |
   |     +--PeerGateway
   |     |
   |     +--PeerIdentityEntry
   |     |
   |     +--Service (DMTF Core Model - [CIMCORE])
   |        |
   |        +--IKEService
   |
   +--OrganizationalEntity (DMTF User Model - [CIMUSER])
   |  |
   |  +--UserEntity (DMTF User Model - [CIMUSER])
   |     |
   |     +--UsersAccess (DMTF User Model - [CIMUSER])
   |        |
   |        +--IKEIdentity
   |
   +--Policy (PCIM)
   |  |
   |  +--PolicyAction (PCIM)
   |  |  |
   |  |  +--CompoundPolicyAction (PCIMe)
   |  |  |
   |  |  +--SAAction
   |  |     |
   |  |     +--SANegotiationAction
   |  |     |  |
   |  |     |  +--IKENegotiationAction
   |  |     |     |
   |  |     |     +--IKEAction
   |  |     |     |
   |  |     |     +--IPsecAction
   |  |     |        |
   |  |     |        +--IPsecTransportAction
   |  |     |        |
   |  |     |        +--IPsecTunnelAction
   |  |     |
   |  |     +--SAStaticAction
   |  |        |
   |  |        +--IKERejectAction
   |  |        |
   |  |        +--IPsecBypassAction
   |  |        |
   |  |        +--IPsecDiscardAction
   |  |        |
   |  |        +--PreconfiguredSAAction
   |  |           |
   |  |           +--PreconfiguredTransportAction
   |  |           |
   |  |           +--PreconfiguredTunnelAction
   |  |
   |  +--PolicyCondition (PCIM)
   |  |  |
   |  |  +--SACondition
   |  |
   |  +--PolicySet (PCIMe)
   |  |  |
   |  |  +--PolicyGroup (PCIM & PCIMe)
   |  |  |  |
   |  |  |  +--IPsecPolicyGroup
   |  |  |
   |  |  +--PolicyRule (PCIM & PCIMe)
   |  |     |
   |  |     +--SARule
   |  |        |
   |  |        +--IKERule
   |  |        |
   |  |        +--IPsecRule
   |  |
   |  +--SAProposal
   |  |  |
   |  |  +--IKEProposal
   |  |  |
   |  |  +--IPsecProposal
   |  |
   |  +--SATransform
   |     |
   |     +--AHTransform
   |     |
   |     +--ESPTransform
   |     |
   |     +--IPCOMPTransform
   |
   +--Setting (DMTF Core Model - [CIMCORE])
   |  |
   |  +--SystemSetting (DMTF Core Model - [CIMCORE])
   |     |
   |     +--AutostartIKESetting
   |
   +--SystemConfiguration (DMTF Core Model - [CIMCORE])
      |
      +--AutostartIKEConfiguration

The following tree represents the inheritance hierarchy of the IPsec policy model association classes and how they fit into PCIM and the other DMTF models (see Appendices for descriptions of association classes that are not being introduced as part of the IPsec model).

   Dependency (DMTF Core Model - [CIMCORE])
   |
   +--AcceptCredentialsFrom
   |
   +--ElementAsUser (DMTF User Model - [CIMUSER])
   |  |
   |  +--EndpointHasLocalIKEIdentity
   |  |
   |  +--CollectionHasLocalIKEIdentity
   |
   +--FilterOfSACondition
   |
   +--HostedPeerGatewayInformation
   |
   +--HostedPeerIdentityTable
   |
   +--IKEAutostartConfiguration
   |
   +--IKEServiceForEndpoint
   |
   +--IKEServicePeerGateway
   |
   +--IKEServicePeerIdentityTable
   |
   +--IKEUsesCredentialManagementService
   |
   +--IPsecPolicyForEndpoint
   |
   +--IPsecPolicyForSystem
   |
   +--PeerGatewayForPreconfiguredTunnel
   |
   +--PeerGatewayForTunnel
   |
   +--PolicyInSystem (PCIM)
   |  |
   |  +--SAProposalInSystem
   |  |
   |  +--SATransformInSystem
   |
   +--TransformOfPreconfiguredAction
   |
   +--UsersCredential (DMTF User Model - [CIMUSER])
      |
      +--IKEIdentitysCredential

   ElementSetting (DMTF Core Model - [CIMCORE])
   |
   +--IKEAutostartSetting

   MemberOfCollection (DMTF Core Model - [CIMCORE])
   |
   +--PeerIdentityMember

   PolicyComponent (PCIM)
   |
   +--ContainedProposal
   |
   +--ContainedTransform
   |
   +--PolicyActionStructure (PCIMe)
   |  |
   |  +--PolicyActionInPolicyRule (PCIM & PCIMe)
   |     |
   |     +--PolicyActionInSARule
   |
   +--PolicyConditionStructure (PCIMe)
   |  |
   |  +--PolicyConditionInPolicyRule (PCIM & PCIMe)
   |     |
   |     +--SAConditionInRule
   |
   +--PolicySetComponent (PCIMe)
      |
      +--SARuleInPolicyGroup

   SystemSettingContext (DMTF Core Model - [CIMCORE])
   |
   +--AutostartIKESettingContext

4. Policy Classes

The IPsec policy classes represent the set of policies that are contained on a system.

                              +--------------+
                              |  PolicySet   |*
                              |  ([PCIMe])   |o--+
                              +--------------+   |
                                     ^      *|   |(a)
                                     |       +---+
                                     |
   +--------------------+     +-------------+
   | IPProtocolEndpoint |     | PolicyGroup |
   |   ([CIMNETWORK])   |     |  ([PCIM])   |
   +--------------------+     +-------------+
       |*                            ^
       +-----------------+           |
                         |(b)        |
                         |           |
                         |0..1       |
                   +------------------+0..1  (c) *+------------+
                   | IPsecPolicyGroup |-----------|   System   |
                   +------------------+           | ([CIMCORE])|
                          1 o                     +------------+
                        (d) |
          +-----------------+
          |
          |   +---------------------------+
          |   | PolicyTimePeriodCondition |
          |   |         ([PCIM])          |
          |   +---------------------------+
          |                   *|
          +-------------+      |(e)
                       *|      o*
  +-------------+n   *+----------+*      n+--------------+
  | SACondition |----o|  SARule  |o-------| PolicyAction |
  +-------------+ (f) +----------+ (g)    |   ([PCIM])   |
                           ^              +--------------+
                           |                 *|    ^
                           |                  |(h) |
                           |                 *o    |
                  +-----------------+   +----------------------+
                  |                 |   | CompoundPolicyAction |
                  |                 |   |      ([PCIMe])       |
                  |                 |   +----------------------+
             +---------+      +-----------+
             | IKERule |      | IPsecRule |
             +---------+      +-----------+

   (a) PolicySetComponent ([PCIMe])
   (b) IPsecPolicyForEndpoint
   (c) IPsecPolicyForSystem
   (d) SARuleInPolicyGroup
   (e) PolicyRuleValidityPeriod ([PCIM])
   (f) SAConditionInRule
   (g) PolicyActionInSARule
   (h) PolicyActionInPolicyAction ([PCIMe])

An IPsecPolicyGroup represents the set of policies that are used on an interface.
This IPsecPolicyGroup SHOULD be associated either directly with the IPProtocolEndpoint class instance that represents the interface (via the IPsecPolicyForEndpoint association) or indirectly (via the IPsecPolicyForSystem association) with the System that hosts the interface.

The IKE and IPsec rules are used to build or to negotiate the IPsec SADB. The IPsec rules represent the Security Policy Database. The SADB itself is not modeled by this document.

The usage of the IKE and IPsec rules can be described as follows (see also section 6 about actions):

o An egress unprotected packet will first be checked against the IPsec rules. If a match is found, the SADB will be checked. If there is no corresponding IPsec SA in the SADB and IKE negotiation is required by the IPsec rule, the corresponding IKE rules will be used. The negotiated or preconfigured SA will then be installed in the SADB.

o An ingress unprotected packet will first be checked against the IPsec rules. If a match is found, the SADB will be checked for a corresponding IPsec SA. If there is no corresponding IPsec SA and a preconfigured SA exists, this preconfigured SA will be installed in the IPsec SADB. This behavior should only apply to bypass and discard actions.

o An ingress protected packet will first be checked against the IPsec rules. If a match is found, the SADB will be checked for a corresponding IPsec SA. If there is no corresponding IPsec SA and a preconfigured SA exists, this preconfigured SA will be installed in the IPsec SADB.

o An ingress IKE negotiation packet, which is not part of an existing IKE SA, will be checked against the IKE rules. The SACondition for the IKERule will usually be composed of a PeerIDPayloadFilterEntry (typically for an aggressive mode IKE negotiation) or an IPHeadersFilter. The negotiated SA will then be installed in the SADB.
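The rule usage above, traced in code. This is an added example, not code from the draft or from any implementation it describes: an IPsecPolicyGroup is an ordered list of IPsecRules whose SACondition is reduced to a mirrored address/protocol filter, the SADB (which the draft does not model) is a dict keyed by selector, and the initiator-side IKE rule lookup on HdrDstAddress that the following paragraph describes is included. Class, action and property names are the draft's; the selector encoding, the SADB layout, the sample rules and the treatment of packets that match no rule are assumptions of this example.

```python
"""Added example: first-match evaluation of IPsec rules against the SADB.
Not code from the draft; class, action and property names follow section 4,
the selector encoding, SADB layout, sample rules and the fate of packets that
match no rule are assumptions of this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Selector:
    """IPHeadersFilter part of an SACondition (addresses + protocol).
    mirrored=True is FilterList.Direction = "Mirrored" (section 5.2)."""
    src: str                        # CIDR
    dst: str                        # CIDR
    proto: Optional[int] = None     # None = any protocol
    mirrored: bool = True

    def _one_way(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto))

    def matches(self, p: Packet) -> bool:
        reverse = Packet(p.dst, p.src, p.proto)
        return self._one_way(p) or (self.mirrored and self._one_way(reverse))


@dataclass(frozen=True)
class IPsecRule:
    priority: int                   # PolicySetComponent.Priority, unique in the group
    selector: Selector
    action: str                     # IPsecTunnelAction | PreconfiguredTunnelAction |
                                    # IPsecBypassAction | IPsecDiscardAction
    peer_gateway: Optional[str] = None


@dataclass(frozen=True)
class IKERule:
    priority: int
    hdr_dst_address: str            # IPHeadersFilter.HdrDstAddress, as CIDR
    name: str


def first_match(rules, pkt: Packet):
    """PolicyDecisionStrategy = FirstMatching: lowest Priority number wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.selector.matches(pkt):
            return rule
    return None


def select_ike_rule(ike_rules, peer_gateway: str):
    """Initiator side: IKE rules are matched on the outgoing IKE packet (HdrDstAddress)."""
    for rule in sorted(ike_rules, key=lambda r: r.priority):
        if ip_address(peer_gateway) in ip_network(rule.hdr_dst_address):
            return rule
    return None


def process_egress(pkt: Packet, ipsec_rules, ike_rules, sadb: dict):
    """Unprotected outbound packet -> (decision, SA or None); sadb maps Selector -> SA."""
    rule = first_match(ipsec_rules, pkt)
    if rule is None or rule.action == "IPsecDiscardAction":
        return ("discard", None)    # assumption: no SPD match is treated as discard
    if rule.action == "IPsecBypassAction":
        return ("bypass", None)
    if rule.selector in sadb:
        return ("protect", sadb[rule.selector])
    if rule.action == "PreconfiguredTunnelAction":   # SAStaticAction: nothing to negotiate
        sadb[rule.selector] = {"origin": "preconfigured", "peer": rule.peer_gateway}
        return ("protect", sadb[rule.selector])
    ike_rule = select_ike_rule(ike_rules, rule.peer_gateway)
    if ike_rule is None:
        return ("discard", None)    # assumption: no IKE rule for this peer, nothing to negotiate with
    # The IKE exchange itself is out of scope; on success the negotiated SA is installed.
    sadb[rule.selector] = {"origin": "IKE", "peer": rule.peer_gateway, "ike_rule": ike_rule.name}
    return ("negotiate", sadb[rule.selector])


def process_ingress(pkt: Packet, protected: bool, ipsec_rules, sadb: dict):
    """Inbound packet (protected = arrived under IPsec) -> (decision, SA or None)."""
    rule = first_match(ipsec_rules, pkt)
    if rule is None or rule.action == "IPsecDiscardAction":
        return ("discard", None)
    if rule.action == "IPsecBypassAction":
        return ("bypass", None)
    if not protected:
        # assumption: cleartext traffic on a selector that requires protection is dropped;
        # the text above expects only bypass and discard actions to apply to such packets
        return ("discard", None)
    if rule.selector not in sadb and rule.action == "PreconfiguredTunnelAction":
        sadb[rule.selector] = {"origin": "preconfigured", "peer": rule.peer_gateway}
    if rule.selector not in sadb:
        return ("discard", None)    # protected packet for which no SA exists
    return ("protect", sadb[rule.selector])


# Constructed sample IPsecPolicyGroup (in Priority order) and IKE rule.
IPSEC_RULES = [
    IPsecRule(10, Selector("10.1.0.0/16", "10.2.0.0/16"), "IPsecTunnelAction", "192.0.2.1"),
    IPsecRule(20, Selector("10.1.0.0/16", "10.3.0.0/16"), "PreconfiguredTunnelAction", "192.0.2.2"),
    IPsecRule(30, Selector("10.1.0.0/16", "0.0.0.0/0", proto=1), "IPsecBypassAction"),
    IPsecRule(40, Selector("0.0.0.0/0", "0.0.0.0/0"), "IPsecDiscardAction"),
]
IKE_RULES = [IKERule(10, "192.0.2.0/24", "ike-to-corp-gateways")]
```

The SADB is keyed by the rule's selector, not by the packet, so the second packet of a flow (and the mirrored reply) hits the SA installed by the first one without touching the IKE rules again; a mirrored selector is what lets the ingress check of the reply find the SA that the egress negotiation created.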
It is expected that when an IKE negotiation has to be initiated because an IPsec rule requires it, the set of IKE rules will be checked. The IKE rules check will be based on the outgoing IKE packet using IPHeadersFilter entries (typically using the HdrDstAddress property).

4.1. The Class IPsecPolicyGroup

The class IPsecPolicyGroup serves as a container of either other IPsecPolicyGroups or a set of SARules. The class definition for IPsecPolicyGroup is as follows:

   NAME           IPsecPolicyGroup
   DESCRIPTION    Either a set of IPsecPolicyGroups or a set of SARules.
   DERIVED FROM   PolicyGroup (see [PCIM] & [PCIMe])
   ABSTRACT       FALSE
   PROPERTIES     PolicyGroupName (from PolicyGroup)
                  PolicyDecisionStrategy (from PolicySet)

NOTE: for derivations of the schema that are used for policy distribution to an IPsec device (for example, COPS-PR), the server may follow all of the PolicySetComponent associations and create one policy group which is simply a set of all of the IKE rules and a set of all of the IPsec rules. See the section on the PolicySetComponent aggregation for information on merging multiple IPsecPolicyGroups.

4.2. The Class SARule

The class SARule serves as a base class for IKERule and IPsecRule. Even though the class is concrete, it MUST NOT be instantiated. It defines a common connection point for associations to conditions and actions for both types of rules. Through its derivation from PolicyRule, a SARule (and therefore IKERule and IPsecRule) also has the PolicyRuleValidityPeriod association.

Each valid IPsecPolicyGroup MUST contain SARules that each have a unique associated priority number in PolicySetComponent.Priority. The class definition for SARule is as follows:

   NAME           SARule
   DESCRIPTION    A base class for IKERule and IPsecRule.
   DERIVED FROM   PolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT       FALSE
   PROPERTIES     PolicyRuleName (from PolicyRule)
                  Enabled (from PolicyRule)
                  ConditionListType (from PolicyRule)
                  RuleUsage (from PolicyRule)
                  Mandatory (from PolicyRule)
                  SequencedActions (from PolicyRule)
                  ExecutionStrategy (from PolicyRule)
                  PolicyRoles (from PolicyRule)
                  PolicyDecisionStrategy (from PolicySet)
                  LimitNegotiation

4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, RuleUsage, Mandatory, SequencedActions, PolicyRoles, and PolicyDecisionStrategy

For a description of these properties, see [PCIM] and [PCIME].

In SARule subclass instances:

   - if the property Mandatory exists, it MUST be set to "true"
   - if the property SequencedActions exists, it MUST be set to "mandatory"
   - the property PolicyRoles is not used in the device-level model
   - if the property PolicyDecisionStrategy exists, it must be set to "FirstMatching"

4.2.2. The Property ExecutionStrategy

The ExecutionStrategy properties in the PolicyRule subclasses (and in the CompoundPolicyAction class) determine the behavior of the contained actions. It defines the strategy to be used in executing the sequenced actions aggregated by a rule or a compound action. In the case of actions within a rule, the PolicyActionInSARule aggregation is used to collect the actions into an ordered set; in the case of a compound action, the PolicyActionInPolicyAction aggregation is used to collect the actions into an ordered subset.

There are three execution strategies: do until success, do all and do until failure.

"Do Until Success" causes the execution of actions according to the ActionOrder property in the aggregation instances until a single action executes successfully. These actions may be evaluated to determine if they are appropriate to execute rather than blindly trying each of the actions until one succeeds. For an initiator, they are tried in ActionOrder until the list is exhausted or one completes successfully. For example, an IKE initiator may have several IKEActions for the same SACondition. The initiator will try all IKEActions in the order defined by ActionOrder, i.e., it will possibly try several phase 1 negotiations, possibly with different modes (main mode then aggressive mode) and/or with multiple IKE peers. For a responder, when there is more than one action in a rule with a "do until success" strategy, this provides alternative actions depending on the received proposals. For example, the same IKERule may be used to handle aggressive mode and main mode negotiations with different actions. The responder uses the first appropriate action in the list of actions.

"Do All" causes the execution of all of the actions in the aggregated set according to their defined order. The execution continues regardless of failures.

"Do Until Failure" causes the execution of all actions according to the predefined order until the first failure in the execution of an action instance. Please note that if all actions are successful then the aggregated result is a failure. This execution strategy is inherited from [PCIME] and is not expected to be of any use for IPsec configuration.
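The three strategies above, applied to the kind of nested action tree this section goes on to describe (a "Do All" rule whose first action is a "Do Until Success" CompoundPolicyAction choosing between two gateways, and a rule that falls back to bypass). This is an added example, not code from the draft: whether each SA set-up succeeds is a constructed input, and for "Do Until Failure" the draft only states that all actions succeeding yields an aggregate failure; treating a reached failure as the aggregate success is this example's assumption. The Outcome records which SAs came into existence, since on a "Do All" failure the text leaves it to the implementation whether to keep or delete them.

```python
"""Added example: evaluating ExecutionStrategy over the ordered actions of an
SARule, including nested CompoundPolicyActions.  Not code from the draft;
the strategy names, ActionOrder and the action trees follow section 4.2.2,
while the outcome of each SA set-up is a constructed input."""
from dataclasses import dataclass, field
from typing import List

DO_UNTIL_SUCCESS = "Do Until Success"
DO_ALL = "Do All"
DO_UNTIL_FAILURE = "Do Until Failure"


@dataclass
class SAAction:
    name: str
    succeeds: bool                  # constructed outcome of executing this action
    creates_sa: bool = True         # bypass, discard and reject actions create no SA


@dataclass
class CompoundPolicyAction:
    execution_strategy: str
    components: list                # [(ActionOrder, action), ...] (PolicyActionInPolicyAction)


@dataclass
class Outcome:
    success: bool
    attempted: List[str] = field(default_factory=list)
    created: List[str] = field(default_factory=list)    # SAs that now exist


def action_orders_are_unique(components) -> bool:
    """ActionOrder MUST be unique within one aggregation (section 4.9.3)."""
    orders = [order for order, _ in components]
    return len(orders) == len(set(orders))


def ordered(components):
    if not action_orders_are_unique(components):
        raise ValueError("ActionOrder values must be unique")
    # lower ActionOrder = higher precedence; values need not be contiguous (6, 9, ...)
    return [action for _, action in sorted(components, key=lambda c: c[0])]


def execute(strategy: str, components) -> Outcome:
    out = Outcome(success=False)
    results = []
    for action in ordered(components):
        if isinstance(action, CompoundPolicyAction):
            sub = execute(action.execution_strategy, action.components)
            ok = sub.success
            out.attempted += sub.attempted
            out.created += sub.created
        else:
            out.attempted.append(action.name)
            ok = action.succeeds
            if ok and action.creates_sa:
                out.created.append(action.name)
        results.append(ok)
        if strategy == DO_UNTIL_SUCCESS and ok:
            out.success = True          # first success ends the list
            return out
        if strategy == DO_UNTIL_FAILURE and not ok:
            # the draft only states the all-succeed case (see below); treating the
            # first failure as the sought outcome is this example's assumption
            out.success = True
            return out
    if strategy == DO_ALL:
        out.success = all(results)      # every action ran; one failure fails the set
    else:
        # Do Until Success exhausted the list, or Do Until Failure saw only
        # successes, which the draft defines as an aggregate failure
        out.success = False
    return out


def nested_with_fallback(gateway1_ok: bool, gateway2_ok: bool, transport_ok: bool) -> Outcome:
    """The 'nesting SAs with a fallback security gateway' rule of section 4.2.2."""
    return execute(DO_ALL, [
        (1, CompoundPolicyAction(DO_UNTIL_SUCCESS, [
            (1, SAAction("IPsecTunnelAction(gateway1)", gateway1_ok)),
            (2, SAAction("IPsecTunnelAction(gateway2)", gateway2_ok)),
        ])),
        (2, SAAction("IPsecTransportAction(remote host)", transport_ok)),
    ])


def fallback_to_clear(transport_ok: bool) -> Outcome:
    """The 'negotiate, but if you must, allow in the clear' rule of section 4.2.2."""
    return execute(DO_UNTIL_SUCCESS, [
        (6, SAAction("IPsecTransportAction(peer)", transport_ok)),
        (9, SAAction("IPsecBypassAction", True, creates_sa=False)),
    ])
```

When both gateways fail, "Do All" still runs the transport action and its SA is created even though the rule as a whole failed; an implementation that chooses to delete such SAs has them listed in `created`.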
For example, in a nested SAs case the actions of an initiator's rule might be structured as:

   IPsecRule.ExecutionStrategy='Do All'
    |
    +---1--- IPsecTunnelAction     // set up SA from host to gateway
    |
    +---2--- IPsecTransportAction  // set up SA from host through
                                   // tunnel to remote host

Another example, showing a rule with fallback actions, might be structured as:

   IPsecRule.ExecutionStrategy='Do Until Success'
    |
    +---6--- IPsecTransportAction  // negotiate SA with peer
    |
    +---9--- IPsecBypassAction     // but if you must, allow in the clear

The CompoundPolicyAction class (see [PCIME]) may be used in constructing the actions of IKE and IPsec rules when those rules specify both multiple actions and fallback actions. The ExecutionStrategy property in CompoundPolicyAction is used in conjunction with that in the PolicyRule.

For example, in nesting SAs with a fallback security gateway, the actions of a rule might be structured as:

   IPsecRule.ExecutionStrategy='Do All'
    |
    +---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success'
    |         |
    |         +---1--- IPsecTunnelAction     // set up SA from host to
    |         |                              // gateway1
    |         |
    |         +---2--- IPsecTunnelAction     // or set up SA to gateway2
    |
    +---2--- IPsecTransportAction            // then set up SA from host
                                             // through tunnel to remote
                                             // host

In the case of "Do All", several actions may execute successfully before a subsequent action fails. Some of those IKE or IPsec actions may have resulted in the creation of SAs. Even if the net effect of the aggregated actions is failure, those created SAs MAY be kept or MAY be deleted.

In the case of "Do All", the IPsec selectors to be used during IPsec SA negotiation are:

   - for the last IPsecAction of the aggregation (i.e., usually the innermost IPsec SA): the combination of the IPHeadersFilter class and of the Granularity property of the IPsecAction;

   - for all other IPsecActions of the aggregation: a selector whose source IP address is the local IP address and whose destination IP address is the PeerGateway IP address of the following IPsecAction in the "Do All" aggregation. NB: the granularity is IP address to IP address.

If the above behavior is not desirable, the alternative is to define several SARules, one for each IPsec SA to be built. This allows the definition of specific IPsec selectors for all IPsecActions.

4.2.3. The Property LimitNegotiation

The property LimitNegotiation is used as part of processing either an IKE or an IPsec rule.

Before proceeding with a phase 1 negotiation, this property is checked to determine if the negotiation role of the rule matches that defined for the negotiation being undertaken (Initiator, Responder, or Both). If this check fails (e.g., the current role is IKE responder while the rule specifies IKE initiator), then the IKE negotiation is stopped. Note that this only applies to new IKE phase 1 negotiations and has no effect on either renegotiation or refresh operations with peers for which an established SA already exists.

Before proceeding with a phase 2 negotiation, the LimitNegotiation property of the IPsecRule is first checked to determine if the negotiation role indicated for the rule matches that of the current negotiation (Initiator, Responder, or Both). Note that this limit applies only to new phase 2 negotiations. It is ignored when an attempt is made to refresh an expiring SA (either side can initiate a refresh operation). The IKE system can determine that the negotiation is a refresh operation by checking whether the selector information matches that of an existing SA. If LimitNegotiation does not match and the selector corresponds to a new SA, the negotiation is stopped.

The property is defined as follows:

   NAME           LimitNegotiation
   DESCRIPTION    Limits the role to be undertaken during negotiation.
   SYNTAX         unsigned 16-bit integer
   VALUE          1 - initiator-only
                  2 - responder-only
                  3 - both

4.3. The Class IKERule

The class IKERule associates Conditions and Actions for IKE phase 1 negotiations. The class definition for IKERule is as follows:

   NAME           IKERule
   DESCRIPTION    Associates Conditions and Actions for IKE phase 1 negotiations.
   DERIVED FROM   SARule
   ABSTRACT       FALSE
   PROPERTIES     same as SARule, plus
                  IdentityContexts

4.3.1. The Property IdentityContexts

The IKE service of a security endpoint may have multiple identities for use in different situations. The combination of the interface (represented by the IPProtocolEndpoint or by a collection of IPProtocolEndpoints), the identity type (as specified in the IKEAction) and the IdentityContexts specifies a unique identity.

The IdentityContexts property specifies the context used to select the relevant IKE identity to be used during the subsequent IKEAction. A context may be a VPN name or other identifier for selecting the appropriate identity for use on the protected IPProtocolEndpoint (or collection of IPProtocolEndpoints).

IdentityContexts is an array of strings. The multiple values in the array are logically OR'd together in evaluating the IdentityContexts. Each value in the array may be the composition of multiple context names. So, a single value may be a single context name (e.g., "CompanyXVPN") or it may be a combination of contexts.
When an array value is a composition, the individual values are logically AND'd together for evaluation purposes and the syntax is:

   <ContextName>[&&<ContextName>]*

where the individual context names appear in alphabetical order (according to the collating sequence for UCS-2). So, for example, the values "CompanyXVPN", "CompanyYVPN&&TopSecret", "CompanyZVPN&&Confidential" mean that, for the appropriate IPProtocolEndpoint and IdentityType, the contexts are matched if the identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or "CompanyZVPN&&Confidential".

The property is defined as follows:

   NAME           IdentityContexts
   DESCRIPTION    Specifies the context in which to select the IKE identity.
   SYNTAX         string array

4.4. The Class IPsecRule

The class IPsecRule associates Conditions and Actions for IKE phase 2 negotiations for the IPsec DOI. The class definition for IPsecRule is as follows:

   NAME           IPsecRule
   DESCRIPTION    Associates Conditions and Actions for IKE phase 2 negotiations for the IPsec DOI.
   DERIVED FROM   SARule
   ABSTRACT       FALSE
   PROPERTIES     same as SARule

4.5. The Association Class IPsecPolicyForEndpoint

The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with a specific network interface. If an IPProtocolEndpoint of a system does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the IPsecPolicyForSystem-associated IPsecPolicyGroup is used for that endpoint. The class definition for IPsecPolicyForEndpoint is as follows:

   NAME           IPsecPolicyForEndpoint
   DESCRIPTION    Associates a policy group to a network interface.
   DERIVED FROM   Dependency (see [CIMCORE])
   ABSTRACT       FALSE
   PROPERTIES     Antecedent [ref IPProtocolEndpoint [0..n]]
                  Dependent [ref IPsecPolicyGroup [0..1]]

4.5.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to an IPProtocolEndpoint instance. The [0..n] cardinality indicates that an IPsecPolicyGroup instance may be associated with zero or more IPProtocolEndpoint instances.

4.5.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IPsecPolicyGroup instance. The [0..1] cardinality indicates that an IPProtocolEndpoint instance may have an association to at most one IPsecPolicyGroup instance.

4.6. The Association Class IPsecPolicyForSystem

The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a specific system. If an IPProtocolEndpoint of a system does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the IPsecPolicyForSystem-associated IPsecPolicyGroup is used for that endpoint. The class definition for IPsecPolicyForSystem is as follows:

   NAME           IPsecPolicyForSystem
   DESCRIPTION    Default policy group for a system.
   DERIVED FROM   Dependency (see [CIMCORE])
   ABSTRACT       FALSE
   PROPERTIES     Antecedent [ref System [0..n]]
                  Dependent [ref IPsecPolicyGroup [0..1]]

4.6.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [0..n] cardinality indicates that an IPsecPolicyGroup instance may have an association to zero or more System instances.

4.6.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IPsecPolicyGroup instance. The [0..1] cardinality indicates that a System instance may have an association to at most one IPsecPolicyGroup instance.

4.7. The Aggregation Class SARuleInPolicyGroup

The class SARuleInPolicyGroup associates a SARule with the IPsecPolicyGroup that contains it. The class definition for SARuleInPolicyGroup is as follows:

   NAME           SARuleInPolicyGroup
   DESCRIPTION    Associates a SARule with the IPsecPolicyGroup that contains it.
   DERIVED FROM   PolicySetComponent (see [PCIME])
   ABSTRACT       FALSE
   PROPERTIES     Priority (from PolicySetComponent)
                  GroupComponent [ref IPsecPolicyGroup [1..1]]
                  PartComponent [ref SARule [0..n]]

Note: an implementation can easily partition the set of SARules aggregated by a SARuleInPolicyGroup instance into a subset of IKERule instances and a subset of IPsecRule instances based on the class type of the component instances (being either IKERule or IPsecRule instances).

4.7.1. The Property Priority

For a description of this property, see [PCIME].

4.7.2. The Reference GroupComponent

The property GroupComponent is inherited from PolicySetComponent and is overridden to refer to an IPsecPolicyGroup instance. The [1..1] cardinality indicates that a SARule instance may be contained in one and only one IPsecPolicyGroup instance (i.e., SARules are not shared across IPsecPolicyGroups).

4.7.3. The Reference PartComponent

The property PartComponent is inherited from PolicySetComponent and is overridden to refer to a SARule instance. The [0..n] cardinality indicates that an IPsecPolicyGroup instance may contain zero or more SARule instances.

4.8. The Aggregation Class SAConditionInRule

The class SAConditionInRule associates an SARule with the SACondition instance(s) that trigger(s) it. The class definition for SAConditionInRule is as follows:

   NAME           SAConditionInRule
   DESCRIPTION    Associates an SARule with the SACondition instance(s) that trigger(s) it.
   DERIVED FROM   PolicyConditionInPolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT       FALSE
   PROPERTIES     GroupNumber (from PolicyConditionInPolicyRule)
                  ConditionNegated (from PolicyConditionInPolicyRule)
                  GroupComponent [ref SARule [0..n]]
                  PartComponent [ref SACondition [1..n]]

4.8.1. The Properties GroupNumber and ConditionNegated

For a description of these properties, see [PCIM].

4.8.2. The Reference GroupComponent

The property GroupComponent is inherited from PolicyConditionInPolicyRule and is overridden to refer to an SARule instance. The [0..n] cardinality indicates that an SACondition instance may be contained in zero or more SARule instances.

Note: the 0 cardinality allows SACondition instances to exist without being contained in a SARule.

4.8.3. The Reference PartComponent

The property PartComponent is inherited from PolicyConditionInPolicyRule and is overridden to refer to an SACondition instance. The [1..n] cardinality indicates that an SARule instance MUST contain at least one SACondition instance.

4.9. The Aggregation Class PolicyActionInSARule

The PolicyActionInSARule class associates an SARule with one or more PolicyAction instances. In all cases where an SARule is being used, the contained actions MUST be either subclasses of SAAction or instances of CompoundPolicyAction. For an IKERule, the contained actions MUST be related to phase 1 processing, i.e., IKEAction or IKERejectAction. Similarly, for an IPsecRule, the contained actions MUST be related to phase 2 or preconfigured SA processing, e.g., IPsecTransportAction, IPsecBypassAction, etc. The class definition for PolicyActionInSARule is as follows:

   NAME           PolicyActionInSARule
   DESCRIPTION    Associates an SARule with its PolicyAction(s).
   DERIVED FROM   PolicyActionInPolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT       FALSE
   PROPERTIES     GroupComponent [ref SARule [0..n]]
                  PartComponent [ref PolicyAction [1..n]]
                  ActionOrder (from PolicyActionInPolicyRule)

4.9.1. The Reference GroupComponent

The property GroupComponent is inherited from PolicyActionInPolicyRule and is overridden to refer to an SARule instance. The [0..n] cardinality indicates that an SAAction instance may be contained in zero or more SARule instances.

4.9.2. The Reference PartComponent

The property PartComponent is inherited from PolicyActionInPolicyRule and is overridden to refer to an SAAction or CompoundPolicyAction instance. The [1..n] cardinality indicates that an SARule instance MUST contain at least one SAAction or CompoundPolicyAction instance.

4.9.3. The Property ActionOrder

The property ActionOrder is inherited from the superclass PolicyActionInPolicyRule. It specifies the relative position of this PolicyAction in the sequence of actions associated with a PolicyRule. The ActionOrder MUST be unique so as to provide a deterministic order. The actions in an SARule are then executed according to the rule's ExecutionStrategy; see section 4.2.2 for a discussion of the use of the ActionOrder property.

The property is defined as follows:

   NAME           ActionOrder
   DESCRIPTION    Specifies the order of actions.
   SYNTAX         unsigned 16-bit integer
   VALUE          Any value between 1 and 2^16-1 inclusive. Lower values have higher precedence (i.e., 1 is the highest precedence). The merging order of two SAActions with the same precedence is undefined.

5. Condition and Filter Classes

The IPsec condition and filter classes are used to build the "if" part of the IKE and IPsec rules.
                                    *+-------------+
      +------------------------------| SACondition |
      |                              +-------------+
      |                                   * |
      |                                     |(a)
      |                                   1 |
      |                             +---------------+
      |                             |  FilterList   |
      |                             |([CIMNETWORK]) |
      |                             +---------------+
      |                                   1 o
      |(b)                                  |(c)
      |                                   * |
      |                            +-----------------+
      |                            | FilterEntryBase |
      |                            |  ([CIMNETWORK]) |
      |                            +-----------------+
      |                                     ^
      |                                     |
      |      +-----------------+            |    +-----------------------+
      |      | IPHeadersFilter |------------+----| CredentialFilterEntry |
      |      |    ([PCIME])    |            |    +-----------------------+
      |      +-----------------+            |
      |                                     |
      |      +-----------------+            |    +--------------------------+
      |      | IPSOFilterEntry |------------+----| PeerIDPayloadFilterEntry |
      |      +-----------------+                 +--------------------------+
      |
      |   *+-----------------------------+
      +----| CredentialManagementService |
           |         ([CIMUSER])         |
           +-----------------------------+

   (a) FilterOfSACondition
   (b) AcceptCredentialsFrom
   (c) EntriesInFilterList (see [CIMNETWORK])

5.1. The Class SACondition

The class SACondition defines the conditions of rules for IKE and IPsec negotiations. Conditions are associated with policy rules via the SAConditionInRule aggregation. It is used as an anchor point to associate various types of filters with policy rules via the FilterOfSACondition association. It also defines whether Credentials can be accepted for a particular policy rule via the AcceptCredentialsFrom association.

Associated objects represent components of the condition that may or may not apply at a given rule evaluation. For example, an AcceptCredentialsFrom evaluation is only performed when a credential is available to be evaluated against the list of trusted credential management services. Similarly, a PeerIDPayloadFilterEntry may only be evaluated when an IDPayload value is available to be compared with the filter. Condition components that do not have corresponding values with which to evaluate are evaluated as TRUE unless the protocol has completed without providing the required information.

The class definition for SACondition is as follows:

   NAME           SACondition
   DESCRIPTION    Defines the preconditions for IKE and IPsec negotiations.
   DERIVED FROM   PolicyCondition (see [PCIM])
   ABSTRACT       FALSE
   PROPERTIES     PolicyConditionName (from PolicyCondition)

5.2. The Class IPHeadersFilter

The class IPHeadersFilter is defined in [PCIMe] with the following note:

   1) to specify 5-tuple filters that are to apply symmetrically (i.e., matching traffic in both directions of the same flows, which is quite typical for SPD entries for ingress and egress traffic), the Direction property of the FilterList SHOULD be set to "Mirrored".

5.3. The Class CredentialFilterEntry

The class CredentialFilterEntry defines an equivalence class that matches credentials of IKE peers. Each CredentialFilterEntry includes a MatchFieldName that is interpreted according to the CredentialManagementService(s) associated with the SACondition (AcceptCredentialsFrom).

These credentials can be X.509 certificates, Kerberos tickets, or other types of credentials obtained during the Phase 1 exchange.

Note: this filter entry will probably be checked while the IKE negotiation takes place. If the check is a failure, then the IKE negotiation MUST be stopped, and the result of the IKEAction which triggered this negotiation is a failure.

The class definition for CredentialFilterEntry is as follows:

   NAME           CredentialFilterEntry
   DESCRIPTION    Specifies a match filter based on the IKE credentials.
1253 DERIVED FROM FilterEntryBase (see [CIMNETWORK]) 1254 ABSTRACT FALSE 1255 PROPERTIES Name (from FilterEntryBase) 1256 IsNegated (from FilterEntryBase) 1257 MatchFieldName 1258 MatchFieldValue 1259 CredentialType 1261 5.3.1. The Property MatchFieldName 1263 The property MatchFieldName specifies the sub-part of the credential 1264 to match against MatchFieldValue. The property is defined as 1265 follows: 1267 NAME MatchFieldName 1268 DESCRIPTION Specifies which sub-part of the credential to match. 1269 SYNTAX string 1270 VALUE This is the string representation of a X.509 certificate 1271 attribute, e.g.: 1272 - �serialNumber� 1273 - �signatureAlgorithm� 1274 - �issuerName� 1275 - �subjectName� 1276 - �subjectAltName� 1277 - � 1279 5.3.2. The Property MatchFieldValue 1281 The property MatchFieldValue specifies the value to compare with the 1282 MatchFieldName in a credential to determine if the credential matches 1283 this filter entry. The property is defined as follows: 1285 NAME MatchFieldValue 1286 DESCRIPTION Specifies the value to be matched by the MatchFieldName. 1287 SYNTAX string 1288 VALUE NB: If the CredentialFilterEntry corresponds to a 1289 DistinguishedName, this value in the CIM class is 1290 represented by an ordinary string value. However, an 1291 implementation must convert this string to a DER-encoded 1292 string before matching against the values extracted from 1293 credentials at runtime. 1295 A wildcard mechanism can be used in the MatchFieldValue string. E.g., 1296 if the MatchFieldName is �subjectName� then a MatchFieldValue of 1297 �cn=*,ou=engineering,o=foo,c=be� will match successfully a 1298 certificate whose subject attribute is �cn=Jane 1299 Doe,ou=engineering,o=foo,c=be�. The wildcard character �*� can be 1300 used to represent 0 or several characters. 1302 5.3.3. The Property CredentialType 1304 The property CredentialType specifies the particular type of 1305 credential that is being matched. 
The property is defined as 1306 follows: 1308 NAME CredentialType 1309 DESCRIPTION Defines the type of IKE credentials. 1310 SYNTAX unsigned 16-bit integer 1311 VALUE 1 - X.509 Certificate 1312 2 - Kerberos Ticket 1314 5.4. The Class IPSOFilterEntry 1316 The class IPSOFilterEntry is used to match traffic based on the IP 1317 Security Options header values (ClassificationLevel and 1318 ProtectionAuthority) as defined in RFC1108. This type of filter entry 1319 is used to adjust the IPsec encryption level according to the IPSO 1320 classification of the traffic (e.g., secret, confidential, 1321 restricted, etc. The class definition for IPSOFilterEntry is as 1322 follows: 1324 NAME IPSOFilterEntry 1325 DESCRIPTION Specifies the a match filter based on IP Security 1326 Options. 1327 DERIVED FROM FilterEntryBase (see [CIMNETWORK]) 1328 ABSTRACT FALSE 1329 PROPERTIES Name (from FilterEntryBase) 1330 IsNegated (from FilterEntryBase) 1331 MatchConditionType 1332 MatchConditionValue 1334 5.4.1. The Property MatchConditionType 1336 The property MatchConditionType specifies the IPSO header field that 1337 will be matched (e.g., traffic classification level or protection 1338 authority). The property is defined as follows: 1340 NAME MatchConditionType 1341 DESCRIPTION Specifies the IPSO header field to be matched. 1342 SYNTAX unsigned 16-bit integer 1343 VALUE 1 - ClassificationLevel 1344 2 - ProtectionAuthority 1346 5.4.2. The Property MatchConditionValue 1348 The property MatchConditionValue specifies the value of the IPSO 1349 header field to be matched against. The property is defined as 1350 follows: 1352 NAME MatchConditionValue 1353 DESCRIPTION Specifies the value of the IPSO header field to be 1354 matched against. 
               SYNTAX        unsigned 16-bit integer
               VALUE         For ClassificationLevel, the values are:
                             61  - TopSecret
                             90  - Secret
                             150 - Confidential
                             171 - Unclassified
                             For ProtectionAuthority, the values are:
                             0 - GENSER
                             1 - SIOP-ESI
                             2 - SCI
                             3 - NSA
                             4 - DOE

5.5. The Class PeerIDPayloadFilterEntry

   The class PeerIDPayloadFilterEntry defines filters used to match ID
   payload values from the IKE protocol exchange.
   PeerIDPayloadFilterEntry permits the specification of certain ID
   payload values such as "*@company.com" or "193.190.125.0/24".

   Obviously this filter applies only to IKERules when acting as a
   responder. Moreover, this filter can be applied immediately in the
   case of aggressive mode but its application is to be delayed in the
   case of main mode. The class definition for PeerIDPayloadFilterEntry
   is as follows:

               NAME          PeerIDPayloadFilterEntry
               DESCRIPTION   Specifies a match filter based on IKE identity.
               DERIVED FROM  FilterEntryBase (see [CIMNETWORK])
               ABSTRACT      FALSE
               PROPERTIES    Name (from FilterEntryBase)
                             IsNegated (from FilterEntryBase)
                             MatchIdentityType
                             MatchIdentityValue

5.5.1. The Property MatchIdentityType

   The property MatchIdentityType specifies the type of identity
   provided by the peer in the ID payload. The property is defined as
   follows:

               NAME          MatchIdentityType
               DESCRIPTION   Specifies the ID payload type.
               SYNTAX        unsigned 16-bit integer
               VALUE         1 - IPv4 Address
                             2 - FQDN
                             3 - User FQDN
                             4 - IPv4 Subnet
                             5 - IPv6 Address
                             6 - IPv6 Subnet
                             7 - IPv4 Address Range
                             8 - IPv6 Address Range
                             9 - DER-Encoded ASN.1 X.500 Distinguished Name
                             10 - DER-Encoded ASN.1 X.500 GeneralName
                             11 - Key ID

5.5.2. The Property MatchIdentityValue

   The property MatchIdentityValue specifies the filter value for
   comparison with the ID payload, e.g., *@company.com.
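   As an added example that is not part of the draft, the following
   Python implements the wildcard comparisons the draft specifies for
   MatchIdentityValue (this section, using the sample values listed
   after the property definition) and for the subjectName case of
   MatchFieldValue (5.3.2). It compares canonicalised text rather than
   the DER or binary forms the draft requires of a real implementation;
   the class, function and constant names are this example's own.

```python
"""Added example (not code from the draft): wildcard matching for
PeerIDPayloadFilterEntry.MatchIdentityValue (5.5.2) and for the
DN-valued fields of CredentialFilterEntry.MatchFieldValue (5.3.2).
Text forms are canonicalised instead of DER-encoded, which is enough to
show the matching semantics.  All names are this example's own."""
import ipaddress
import re
from dataclasses import dataclass

# MatchIdentityType values as listed in section 5.5.1.
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_SUBNET = 1, 2, 3, 4
ID_IPV6_ADDR, ID_IPV6_SUBNET, ID_DER_DN = 5, 6, 9


def wildcard_regex(pattern: str, ignore_case: bool = False) -> "re.Pattern":
    """'*' stands for zero or more characters; everything else is literal."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE if ignore_case else 0)


def canonical_dn(dn: str) -> str:
    """'CN = Jane Doe , OU=eng' -> 'cn=Jane Doe,ou=eng'.  Attribute types
    are case-insensitive in X.500; values are kept as given.  Escaped
    commas inside values are not handled (a real implementation compares
    the DER encoding, as the draft requires)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(rdns)


def match_dn(pattern: str, dn: str) -> bool:
    return wildcard_regex(canonical_dn(pattern)).fullmatch(canonical_dn(dn)) is not None


def match_ip(pattern: str, value: str, value_is_prefix: bool) -> bool:
    """Filter values may be an address, a prefix (a.b.c.0/24) or a wildcard
    string (a.b.c.*).  The ID payload is an address or, for the subnet ID
    types, a prefix that must lie inside the filter prefix."""
    if "*" in pattern:
        return wildcard_regex(pattern).fullmatch(value) is not None
    try:
        net = ipaddress.ip_network(pattern, strict=False)
        if value_is_prefix:
            return ipaddress.ip_network(value, strict=False).subnet_of(net)
        return ipaddress.ip_address(value) in net
    except (ValueError, TypeError):  # malformed text, or an IPv4/IPv6 mix
        return False


@dataclass
class PeerIDPayloadFilterEntry:
    match_identity_type: int
    match_identity_value: str
    is_negated: bool = False  # inherited from FilterEntryBase

    def matches(self, payload_type: int, payload_value: str) -> bool:
        # Assumption: a payload of a different ID type never matches the
        # entry; IsNegated is then applied to that outcome.
        hit = payload_type == self.match_identity_type and self._compare(payload_value)
        return hit != self.is_negated

    def _compare(self, value: str) -> bool:
        pattern, kind = self.match_identity_value, self.match_identity_type
        if kind in (ID_FQDN, ID_USER_FQDN):
            # DNS names and mailbox domains compare case-insensitively.
            return wildcard_regex(pattern, ignore_case=True).fullmatch(value) is not None
        if kind in (ID_IPV4_ADDR, ID_IPV6_ADDR):
            return match_ip(pattern, value, value_is_prefix=False)
        if kind in (ID_IPV4_SUBNET, ID_IPV6_SUBNET):
            return match_ip(pattern, value, value_is_prefix=True)
        if kind == ID_DER_DN:
            return match_dn(pattern, value)
        # GeneralName, Key ID, address ranges: plain case-sensitive wildcard.
        return wildcard_regex(pattern).fullmatch(value) is not None


def credential_field_matches(match_field_name: str, match_field_value: str,
                             field_value: str, is_negated: bool = False) -> bool:
    """CredentialFilterEntry (5.3): DN-valued fields use the DN comparison,
    any other MatchFieldName a plain wildcard comparison."""
    if match_field_name in ("subjectName", "issuerName"):
        hit = match_dn(match_field_value, field_value)
    else:
        hit = wildcard_regex(match_field_value).fullmatch(field_value) is not None
    return hit != is_negated


if __name__ == "__main__":
    # The five cases listed in 5.5.2 and the subjectName case of 5.3.2.
    cases = [
        (ID_USER_FQDN, "*@company.com", "JDOE@COMPANY.COM"),
        (ID_FQDN, "*.company.com", "WWW.COMPANY.COM"),
        (ID_DER_DN, "cn=*,ou=engineering,o=company,c=us",
         "cn=John Doe,ou=engineering,o=company,c=us"),
        (ID_IPV4_ADDR, "193.190.125.0/24", "193.190.125.10"),
        (ID_IPV4_ADDR, "193.190.125.*", "193.190.125.10"),
    ]
    for kind, pattern, payload in cases:
        entry = PeerIDPayloadFilterEntry(kind, pattern)
        print(f"{pattern!r:40} vs {payload!r}: {entry.matches(kind, payload)}")
    print(credential_field_matches("subjectName", "cn=*,ou=engineering,o=foo,c=be",
                                   "cn=Jane Doe,ou=engineering,o=foo,c=be"))
```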
   The property is defined as follows:

               NAME          MatchIdentityValue
               DESCRIPTION   Specifies the ID payload value.
               SYNTAX        string
               VALUE         NB: The syntax may need to be converted for comparison.
                             If the PeerIDPayloadFilterEntry type is a
                             DistinguishedName, the name in the MatchIdentityValue
                             property is represented by an ordinary string value,
                             but this value must be converted into a DER-encoded
                             string before matching against the values extracted
                             from IKE ID payloads at runtime. The same applies to
                             IPv4 & IPv6 addresses.

   Different wildcard mechanisms can be used depending on the ID
   payload:

   - a MatchIdentityValue of "*@company.com" will match a user FQDN ID
     payload of "JDOE@COMPANY.COM"

   - a MatchIdentityValue of "*.company.com" will match a FQDN ID
     payload of "WWW.COMPANY.COM"

   - a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will
     match a DER DN ID payload of "cn=John
     Doe,ou=engineering,o=company,c=us"

   - a MatchIdentityValue of "193.190.125.0/24" will match an IPv4
     address ID payload of 193.190.125.10

   - a MatchIdentityValue of "193.190.125.*" will also match an IPv4
     address ID payload of 193.190.125.10.

   The above wildcard mechanisms MUST be supported for all ID payloads
   supported by the local IKE entity. The character "*" replaces 0 or
   multiple instances of any character.

5.6. The Association Class FilterOfSACondition

   The class FilterOfSACondition associates an SACondition with the
   filter specifications (FilterList) that make up the condition. The
   class definition for FilterOfSACondition is as follows:

               NAME          FilterOfSACondition
               DESCRIPTION   Associates a condition with the filter list that makes
                             up the individual condition elements.
               DERIVED FROM  Dependency (see [CIMCORE])
               ABSTRACT      FALSE
               PROPERTIES    Antecedent [ref FilterList[1..1]]
                             Dependent [ref SACondition[0..n]]

5.6.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a FilterList instance. The [1..1] cardinality
   indicates that an SACondition instance MUST be associated with one
   and only one FilterList instance.

5.6.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an SACondition instance. The [0..n] cardinality
   indicates that a FilterList instance may be associated with zero or
   more SACondition instances.

5.7. The Association Class AcceptCredentialFrom

   The class AcceptCredentialFrom specifies which credential management
   services (e.g., a CertificateAuthority or a Kerberos service) are to
   be trusted to certify peer credentials. This is used to assure that
   the credential being matched in the CredentialFilterEntry is a valid
   credential that has been supplied by an approved
   CredentialManagementService. If a CredentialManagementService is
   specified and a corresponding CredentialFilterEntry is used, but the
   credential supplied by the peer is not certified by that
   CredentialManagementService (or one of the
   CredentialManagementServices in its trust hierarchy), the
   CredentialFilterEntry is deemed not to match. If a credential is
   certified by a CredentialManagementService in the
   AcceptCredentialFrom list of services but there is no
   CredentialFilterEntry, this is considered equivalent to a
   CredentialFilterEntry that matches all credentials from those
   services.

   The class definition for AcceptCredentialFrom is as follows:

               NAME          AcceptCredentialFrom
               DESCRIPTION   Associates a condition with the credential management
                             services to be trusted.
               DERIVED FROM  Dependency (see [CIMCORE])
               ABSTRACT      FALSE
               PROPERTIES    Antecedent [ref CredentialManagementService[0..n]]
                             Dependent [ref SACondition[0..n]]

5.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance. The
   [0..n] cardinality indicates that an SACondition instance may be
   associated with zero or more CredentialManagementService instances.

5.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an SACondition instance. The [0..n] cardinality
   indicates that a CredentialManagementService instance may be
   associated with zero or more SACondition instances.

6. Action Classes

   The action classes are used to model the different actions an IPsec
   device may take when the evaluation of the associated condition
   results in a match.

   [Figure: class hierarchy of the action classes. SAAction has the
   subclasses SAStaticAction and SANegotiationAction. SAStaticAction
   has the subclasses IPsecBypassAction, IPsecDiscardAction,
   IKERejectAction and PreconfiguredSAAction, the last of which has the
   subclasses PreconfiguredTransportAction and PreconfiguredTunnelAction.
   SANegotiationAction has the subclass IKENegotiationAction, which has
   the subclasses IPsecAction (with subclasses IPsecTransportAction and
   IPsecTunnelAction) and IKEAction. The figure also relates
   IKENegotiationAction to SAProposal, IPsecTunnelAction and
   PreconfiguredTunnelAction to PeerGateway, PeerGateway to System
   ([CIMCORE]), and PreconfiguredSAAction to 2..6 SATransforms, through
   the following associations:]

   (a) PeerGatewayForTunnel
   (b) ContainedProposal
   (c) HostedPeerGatewayInformation
   (d) TransformOfPreconfiguredAction
   (e) PeerGatewayForPreconfiguredTunnel

6.1. The Class SAAction

   The class SAAction is abstract and serves as the base class for IKE
   and IPsec actions. It is used for aggregating different types of
   actions to IKE and IPsec rules. The class definition for SAAction is
   as follows:

               NAME          SAAction
               DESCRIPTION   The base class for IKE and IPsec actions.
               DERIVED FROM  PolicyAction (see [PCIM])
               ABSTRACT      TRUE
               PROPERTIES    PolicyActionName (from PolicyAction)
                             DoActionLogging
                             DoPacketLogging

6.1.1. The Property DoActionLogging

   The property DoActionLogging specifies whether a log message is to be
   generated when the action is performed. This applies for
   SANegotiationActions with the meaning of logging a message when the
   negotiation is attempted (with the success or failure result). This
   also applies for SAStaticAction, only for PreconfiguredSAAction, with
   the meaning of logging a message when the preconfigured SA is
   actually installed in the SADB. The property is defined as follows:

               NAME          DoActionLogging
               DESCRIPTION   Specifies whether to log when the action is
                             performed.
               SYNTAX        boolean
               VALUE         true - a log message is to be generated when action is
                             performed.
                             false - no log message is to be generated when action is
                             performed.

6.1.2. The Property DoPacketLogging

   The property DoPacketLogging specifies whether a log message is to be
   generated when the resulting security association is used to process
   the packet. If the SANegotiationAction successfully executes and
   results in the creation of one or several security associations, or if
   the PreconfiguredSAAction executes, the value of DoPacketLogging
   SHOULD be propagated to an optional field of the SADB. This optional
   field should be used to decide whether a log message is to be
   generated when the SA is used to process a packet. For
   SAStaticActions, a log message is to be generated when the
   IPsecBypassAction, IPsecDiscardAction or IKERejectAction is executed.
   The property is defined as follows:

               NAME          DoPacketLogging
               DESCRIPTION   Specifies whether to log when the resulting security
                             association is used to process the packet.
               SYNTAX        boolean
               VALUE         true - a log message is to be generated when the
                             resulting security association is used to process the
                             packet.
                             false - no log message is to be generated.

6.2. The Class SAStaticAction

   The class SAStaticAction is abstract and serves as the base class for
   IKE and IPsec actions that do not require any negotiation. The class
   definition for SAStaticAction is as follows:

               NAME          SAStaticAction
               DESCRIPTION   The base class for IKE and IPsec actions that do not
                             require any negotiation.
               DERIVED FROM  SAAction
               ABSTRACT      TRUE
               PROPERTIES    LifetimeSeconds

6.2.1. The Property LifetimeSeconds

   The property LifetimeSeconds specifies how long the security
   association derived from this action should be used.
   The property is defined as follows:

               NAME          LifetimeSeconds
               DESCRIPTION   Specifies the amount of time (in seconds) that a
                             security association derived from this action should be
                             used.
               SYNTAX        unsigned 32-bit integer
               VALUE         A value of zero indicates that there is not a lifetime
                             associated with this action (i.e., infinite lifetime).
                             A non-zero value is typically used in conjunction with
                             alternate SAActions performed when there is a
                             negotiation failure of some sort.

   Note: if the referenced SAStaticAction object is a
   PreconfiguredSAAction associated to several SATransforms, then the
   actual lifetime of the preconfigured SA will be the lesser of the
   value of this LifetimeSeconds property and of the value of the
   MaxLifetimeSeconds property of the associated SATransform. If the
   value of this LifetimeSeconds property is zero, then there will be
   no lifetime associated to this SA.

   It is expected that most SAStaticAction instances will have their
   LifetimeSeconds properties set to zero (meaning no expiration of the
   resulting SA).

6.3. The Class IPsecBypassAction

   The class IPsecBypassAction is used when packets are allowed to be
   processed without applying IPsec encapsulation to them. This is the
   same as stating that packets are allowed to flow in the clear. The
   class definition for IPsecBypassAction is as follows:

               NAME          IPsecBypassAction
               DESCRIPTION   Specifies that packets are to be allowed to pass in the
                             clear.
               DERIVED FROM  SAStaticAction
               ABSTRACT      FALSE

6.4. The Class IPsecDiscardAction

   The class IPsecDiscardAction is used when packets are to be
   discarded. This is the same as stating that packets are to be
   denied. The class definition for IPsecDiscardAction is as follows:

               NAME          IPsecDiscardAction
               DESCRIPTION   Specifies that packets are to be discarded.
               DERIVED FROM  SAStaticAction
               ABSTRACT      FALSE

6.5. The Class IKERejectAction

   The class IKERejectAction is used to prevent attempting an IKE
   negotiation with the peer(s). The main use of this class is to
   prevent some denial of service attacks when acting as IKE responder.
   It goes beyond a plain discard of UDP/500 IKE packets because the
   SACondition can be based on a specific PeerIDPayloadFilterEntry (when
   aggressive mode is used). The class definition for IKERejectAction
   is as follows:

               NAME          IKERejectAction
               DESCRIPTION   Specifies that an IKE negotiation should not even be
                             attempted or continued.
               DERIVED FROM  SAStaticAction
               ABSTRACT      FALSE

6.6. The Class PreconfiguredSAAction

   The class PreconfiguredSAAction is used to create a security
   association using preconfigured, hard-wired algorithms and keys.

   Notes:

   - the SPI for a PreconfiguredSAAction is contained in the
     association, TransformOfPreconfiguredAction;

   - the session key (if applicable) is contained in an instance of
     the class SharedSecret (see [CIMUSER]). The session key is
     stored in the property Secret; the property protocol contains
     either "ESP-encrypt", "ESP-auth" or "AH"; the property
     algorithm contains the algorithm used to protect the secret
     (can be "PLAINTEXT" if the IPsec entity has no secret storage);
     the value of the property RemoteID is the concatenation of the
     remote IPsec peer IP address in dotted decimal, the
     character "/", "IN" (respectively "OUT") for an inbound SA
     (respectively outbound SA), the character "/" and the
     hexadecimal representation of the SPI.

   Although the class is concrete, it MUST not be instantiated. The
   class definition for PreconfiguredSAAction is as follows:

               NAME          PreconfiguredSAAction
               DESCRIPTION   Specifies preconfigured algorithm and keying information
                             for creation of a security association.
               DERIVED FROM  SAStaticAction
               ABSTRACT      FALSE
               PROPERTIES    LifetimeKilobytes

6.6.1. The Property LifetimeKilobytes

   The property LifetimeKilobytes specifies a traffic limit in kilobytes
   that can be consumed before the SA is deleted. The property is
   defined as follows:

               NAME          LifetimeKilobytes
               DESCRIPTION   Specifies the SA lifetime in kilobytes.
               SYNTAX        unsigned 32-bit integer
               VALUE         A value of zero indicates that there is not a lifetime
                             associated with this action (i.e., infinite lifetime).
                             A non-zero value is used to indicate that after this
                             number of kilobytes has been consumed the SA must be
                             deleted from the SADB.

   Note: the actual lifetime of the preconfigured SA will be the lesser
   of the value of this LifetimeKilobytes property and of the value of
   the MaxLifetimeSeconds property of the associated SATransform. If the
   value of this LifetimeKilobytes property is zero, then there will be
   no lifetime associated with this action.

   It is expected that most PreconfiguredSAAction instances will have
   their LifetimeKilobytes properties set to zero (meaning no expiration
   of the resulting SA).

6.7. The Class PreconfiguredTransportAction

   The class PreconfiguredTransportAction is used to create an IPsec
   transport-mode security association using preconfigured, hard-wired
   algorithms and keys. The class definition for
   PreconfiguredTransportAction is as follows:

               NAME          PreconfiguredTransportAction
               DESCRIPTION   Specifies preconfigured algorithm and keying information
                             for creation of an IPsec transport security association.
               DERIVED FROM  PreconfiguredSAAction
               ABSTRACT      FALSE

6.8. The Class PreconfiguredTunnelAction

   The class PreconfiguredTunnelAction is used to create an IPsec
   tunnel-mode security association using preconfigured, hard-wired
   algorithms and keys.
   The class definition for PreconfiguredTunnelAction
   is as follows:

               NAME          PreconfiguredTunnelAction
               DESCRIPTION   Specifies preconfigured algorithm and keying information
                             for creation of an IPsec tunnel-mode security
                             association.
               DERIVED FROM  PreconfiguredSAAction
               ABSTRACT      FALSE
               PROPERTIES    DFHandling

6.8.1. The Property DFHandling

   The property DFHandling specifies how the Don't Fragment bit of the
   internal IP header is to be handled during IPsec processing. The
   property is defined as follows:

               NAME          DFHandling
               DESCRIPTION   Specifies the processing of the DF bit.
               SYNTAX        unsigned 16-bit integer
               VALUE         1 - Copy the DF bit from the internal IP header to the
                             external IP header.
                             2 - Set the DF bit of the external IP header to 1.
                             3 - Clear the DF bit of the external IP header to 0.

6.9. The Class SANegotiationAction

   The class SANegotiationAction specifies an action requesting security
   policy negotiation.

   This is an abstract class. Currently, only one security policy
   negotiation protocol action is subclassed from SANegotiationAction:
   the IKENegotiationAction class. It is nevertheless expected that
   other security policy negotiation protocols will exist and the
   negotiation actions of those new protocols would be modeled as a
   subclass of SANegotiationAction.

               NAME          SANegotiationAction
               DESCRIPTION   Specifies a negotiation action.
               DERIVED FROM  SAAction
               ABSTRACT      TRUE

6.10. The Class IKENegotiationAction

   The class IKENegotiationAction is abstract and serves as the base
   class for IKE and IPsec actions that result in an IKE negotiation.
   Although the class is concrete, it MUST not be instantiated.
   The class definition for IKENegotiationAction is as follows:

               NAME          IKENegotiationAction
               DESCRIPTION   A base class for IKE and IPsec actions that specifies
                             the parameters that are common for IKE phase 1 and IKE
                             phase 2 IPsec DOI negotiations.
               DERIVED FROM  SANegotiationAction
               ABSTRACT      TRUE
               PROPERTIES    MinLifetimeSeconds
                             MinLifetimeKilobytes
                             IdleDurationSeconds

6.10.1. The Property MinLifetimeSeconds

   The property MinLifetimeSeconds specifies the minimum seconds
   lifetime that will be accepted from the peer. MinLifetimeSeconds is
   used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with expensive Diffie-Hellman operations. The property is defined as
   follows:

               NAME          MinLifetimeSeconds
               DESCRIPTION   Specifies the minimum acceptable seconds lifetime.
               SYNTAX        unsigned 32-bit integer
               VALUE         A value of zero indicates that there is no minimum
                             value. A non-zero value specifies the minimum seconds
                             lifetime.

6.10.2. The Property MinLifetimeKilobytes

   The property MinLifetimeKilobytes specifies the minimum kilobytes
   lifetime that will be accepted from the peer. MinLifetimeKilobytes
   is used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations. Note that
   there has been considerable debate regarding the usefulness of
   applying kilobyte lifetimes to IKE phase 1 security associations, so
   it is likely that this property will only apply to the sub-class
   IPsecAction. The property is defined as follows:

               NAME          MinLifetimeKilobytes
               DESCRIPTION   Specifies the minimum acceptable kilobytes lifetime.
               SYNTAX        unsigned 32-bit integer
               VALUE         A value of zero indicates that there is no minimum
                             value.
                             A non-zero value specifies the minimum kilobytes
                             lifetime.

6.10.3. The Property IdleDurationSeconds

   The property IdleDurationSeconds specifies how many seconds a
   security association may remain idle (i.e., no traffic protected
   using the security association) before it is deleted. The property
   is defined as follows:

               NAME          IdleDurationSeconds
               DESCRIPTION   Specifies how long, in seconds, a security association
                             may remain unused before it is deleted.
               SYNTAX        unsigned 32-bit integer
               VALUE         A value of zero indicates that idle detection should not
                             be used for the security association (only the seconds
                             and kilobyte lifetimes will be used). Any non-zero
                             value indicates the number of seconds the security
                             association may remain unused.

6.11. The Class IPsecAction

   The class IPsecAction serves as the base class for IPsec transport
   and tunnel actions. It specifies the parameters used for an IKE
   phase 2 IPsec DOI negotiation. Although the class is concrete, it
   MUST not be instantiated. The class definition for IPsecAction is as
   follows:

               NAME          IPsecAction
               DESCRIPTION   A base class for IPsec transport and tunnel actions that
                             specifies the parameters for IKE phase 2 IPsec DOI
                             negotiations.
               DERIVED FROM  IKENegotiationAction
               ABSTRACT      FALSE
               PROPERTIES    UsePFS
                             UseIKEGroup
                             GroupId
                             Granularity
                             VendorID

6.11.1. The Property UsePFS

   The property UsePFS specifies whether or not perfect forward secrecy
   should be used when refreshing keys. The property is defined as
   follows:

               NAME          UsePFS
               DESCRIPTION   Specifies whether or not to use PFS when refreshing
                             keys.
               SYNTAX        boolean
               VALUE         A value of true indicates that PFS should be used. A
                             value of false indicates that PFS should not be used.

6.11.2. The Property UseIKEGroup

   The property UseIKEGroup specifies whether or not phase 2 should use
   the same key exchange group as was used in phase 1. UseIKEGroup is
   ignored if UsePFS is false. The property is defined as follows:

               NAME          UseIKEGroup
               DESCRIPTION   Specifies whether or not to use the same GroupId for
                             phase 2 as was used in phase 1. If UsePFS is false,
                             then UseIKEGroup is ignored.
               SYNTAX        boolean
               VALUE         A value of true indicates that the phase 2 GroupId
                             should be the same as phase 1. A value of false
                             indicates that the property GroupId will contain the key
                             exchange group to use for phase 2.

6.11.3. The Property GroupId

   The property GroupId specifies the key exchange group to use for
   phase 2. GroupId is ignored if (1) the property UsePFS is false, or
   (2) the property UsePFS is true and the property UseIKEGroup is true.
   If the GroupId number is from the vendor-specific range (32768-
   65535), the property VendorID qualifies the group number. The
   property is defined as follows:

               NAME          GroupId
               DESCRIPTION   Specifies the key exchange group to use for phase 2 when
                             the property UsePFS is true and the property UseIKEGroup
                             is false.
               SYNTAX        unsigned 16-bit integer
               VALUE         Consult [IKE] for valid values.

6.11.4. The Property Granularity

   The property Granularity specifies how the selector for the security
   association should be derived from the traffic that triggered the
   negotiation. The property is defined as follows:

               NAME          Granularity
               DESCRIPTION   Specifies how the proposed selector for the security
                             association will be created.
               SYNTAX        unsigned 16-bit integer
               VALUE         1 - subnet: the source and destination subnet masks of
                             the filter entry are used.
                             2 - address: only the source and destination IP
                             addresses of the triggering packet are used.
                             3 - protocol: the source and destination IP addresses
                             and the IP protocol of the triggering packet are used.
                             4 - port: the source and destination IP addresses and
                             the IP protocol and the source and destination layer 4
                             ports of the triggering packet are used.

6.11.5. The Property VendorID

   The property VendorID is used together with the property GroupId
   (when it is in the vendor-specific range) to identify the key
   exchange group. VendorID is ignored unless UsePFS is true and
   UseIKEGroup is false and GroupId is in the vendor-specific range
   (32768-65535). The property is defined as follows:

               NAME          VendorID
               DESCRIPTION   Specifies the IKE Vendor ID.
               SYNTAX        string

6.12. The Class IPsecTransportAction

   The class IPsecTransportAction is a subclass of IPsecAction that is
   used to specify use of an IPsec transport-mode security association.
   The class definition for IPsecTransportAction is as follows:

               NAME          IPsecTransportAction
               DESCRIPTION   Specifies that an IPsec transport-mode security
                             association should be negotiated.
               DERIVED FROM  IPsecAction
               ABSTRACT      FALSE

6.13. The Class IPsecTunnelAction

   The class IPsecTunnelAction is a subclass of IPsecAction that is used
   to specify use of an IPsec tunnel-mode security association. The
   class definition for IPsecTunnelAction is as follows:

               NAME          IPsecTunnelAction
               DESCRIPTION   Specifies that an IPsec tunnel-mode security association
                             should be negotiated.
               DERIVED FROM  IPsecAction
               ABSTRACT      FALSE
               PROPERTIES    DFHandling

6.13.1. The Property DFHandling

   The property DFHandling specifies how the tunnel should manage the
   Don't Fragment (DF) bit. The property is defined as follows:

               NAME          DFHandling
               DESCRIPTION   Specifies how to process the DF bit.
               SYNTAX        unsigned 16-bit integer
               VALUE         1 - Copy the DF bit from the internal IP header to the
                             external IP header.
                             2 - Set the DF bit of the external IP header to 1.
                             3 - Clear the DF bit of the external IP header to 0.

6.14. The Class IKEAction

   The class IKEAction specifies the parameters that are to be used for
   IKE phase 1 negotiation. The class definition for IKEAction is as
   follows:

               NAME          IKEAction
               DESCRIPTION   Specifies the IKE phase 1 negotiation parameters.
               DERIVED FROM  IKENegotiationAction
               ABSTRACT      FALSE
               PROPERTIES    ExchangeMode
                             UseIKEIdentityType
                             VendorID
                             AggressiveModeGroupId

6.14.1. The Property ExchangeMode

   The property ExchangeMode specifies which IKE mode should be used for
   IKE phase 1 negotiations. The property is defined as follows:

               NAME          ExchangeMode
               DESCRIPTION   Specifies the IKE negotiation mode for phase 1.
               SYNTAX        unsigned 16-bit integer
               VALUE         1 - base mode
                             2 - main mode
                             4 - aggressive mode

6.14.2. The Property UseIKEIdentityType

   The property UseIKEIdentityType specifies what IKE identity type
   should be used when negotiating with the peer. This information is
   used in conjunction with the IKE identities available on the system
   and the IdentityContexts of the matching IKERule. The property is
   defined as follows:

               NAME          UseIKEIdentityType
               DESCRIPTION   Specifies the IKE identity to use during negotiation.
               SYNTAX        unsigned 16-bit integer
               VALUE         1 - IPv4 Address
                             2 - FQDN
                             3 - User FQDN
                             4 - IPv4 Subnet
                             5 - IPv6 Address
                             6 - IPv6 Subnet
                             7 - IPv4 Address Range
                             8 - IPv6 Address Range
                             9 - DER-Encoded ASN.1 X.500 Distinguished Name
                             10 - DER-Encoded ASN.1 X.500 GeneralName
                             11 - Key ID

6.14.3. The Property VendorID

   The property VendorID specifies the value to be used in the Vendor ID
   payload. The property is defined as follows:

               NAME          VendorID
               DESCRIPTION   Vendor ID Payload.
               SYNTAX        string
               VALUE         A value of NULL means that the Vendor ID payload will be
                             neither generated nor accepted. A non-NULL value means
                             that a Vendor ID payload will be generated (when acting
                             as an initiator) or is expected (when acting as a
                             responder).

6.14.4. The Property AggressiveModeGroupId

   The property AggressiveModeGroupId specifies which group ID is to be
   used in the first packets of the phase 1 negotiation. This property
   is ignored unless the property ExchangeMode is set to 4 (aggressive
   mode). If the AggressiveModeGroupId number is from the vendor-
   specific range (32768-65535), the property VendorID qualifies the
   group number. The property is defined as follows:

               NAME          AggressiveModeGroupId
               DESCRIPTION   Specifies the group ID to be used for aggressive mode.
               SYNTAX        unsigned 16-bit integer

6.15. The Class PeerGateway

   The class PeerGateway specifies the security gateway with which the
   IKE service negotiates. The class definition for PeerGateway is as
   follows:

               NAME          PeerGateway
               DESCRIPTION   Specifies the security gateway with which to negotiate.
               DERIVED FROM  LogicalElement (see [CIMCORE])
               ABSTRACT      FALSE
               PROPERTIES    Name
                             PeerIdentityType
                             PeerIdentity

   Note: the class PeerIdentityEntry contains more information about the
   peer (namely its IP address).

6.15.1. The Property Name

   The property Name specifies a user-friendly name for this security
   gateway. The property is defined as follows:

               NAME          Name
               DESCRIPTION   Specifies a user-friendly name for this security
                             gateway.
               SYNTAX        string

6.15.2. The Property PeerIdentityType

   The property PeerIdentityType specifies the IKE identity type of the
   security gateway. The property is defined as follows:

               NAME          PeerIdentityType
               DESCRIPTION   Specifies the IKE identity type of the security gateway.
               SYNTAX        unsigned 16-bit integer
               VALUE         1 - IPv4 Address
                             2 - FQDN
                             3 - User FQDN
                             4 - IPv4 Subnet
                             5 - IPv6 Address
                             6 - IPv6 Subnet
                             7 - IPv4 Address Range
                             8 - IPv6 Address Range
                             9 - DER-Encoded ASN.1 X.500 Distinguished Name
                             10 - DER-Encoded ASN.1 X.500 GeneralName
                             11 - Key ID

6.15.3. The Property PeerIdentity

   The property PeerIdentity specifies the IKE identity value of the
   security gateway. A conversion may be needed between the
   PeerIdentity string representation and the real value used in the ID
   payload (e.g., an IP address is to be converted from a dotted decimal
   string into 4 bytes). The property is defined as follows:

               NAME          PeerIdentity
               DESCRIPTION   Specifies the IKE identity value of the security
                             gateway.
               SYNTAX        string

6.16. The Association Class PeerGatewayForTunnel

   The class PeerGatewayForTunnel associates IPsecTunnelActions with an
   ordered list of PeerGateways. The class definition for
   PeerGatewayForTunnel is as follows:

               NAME          PeerGatewayForTunnel
               DESCRIPTION   Associates IPsecTunnelActions with an ordered list of
                             PeerGateways.
               DERIVED FROM  Dependency (see [CIMCORE])
               ABSTRACT      FALSE
               PROPERTIES    Antecedent [ref PeerGateway[0..n]]
                             Dependent [ref IPsecTunnelAction[0..n]]
                             SequenceNumber

6.16.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance. The [0..n]
   cardinality indicates that an IPsecTunnelAction instance may be
   associated with zero or more PeerGateway instances.
2203 Note: the cardinality 0 has a specific meaning: 2205 - when the IKE service acts as a responder, this means that 2206 the IKE service will accept phase 1 negotiation with any 2207 other security gateway; 2208 - when the IKE service acts as an initiator, this means that 2209 the IKE service will use the destination IP address (of 2210 the IP packets which triggered the SARule) as the IP 2211 address of the peer IKE entity. 2213 6.16.2. The Reference Dependent 2215 The property Dependent is inherited from Dependency and is overridden 2216 to refer to an IPsecTunnelAction instance. The [0..n] cardinality 2217 indicates that a PeerGateway instance may be associated with zero or 2218 more IPsecTunnelAction instances. 2220 6.16.3. The Property SequenceNumber 2222 The property SequenceNumber specifies the ordering to be used when 2223 evaluating PeerGateway instances for a given IPsecTunnelAction. The 2224 property is defined as follows: 2226 NAME SequenceNumber 2227 DESCRIPTION Specifies the order of evaluation for PeerGateways. 2228 SYNTAX unsigned 16-bit integer 2229 VALUE Lower values are evaluated first. 2231 6.17. The Aggregation Class ContainedProposal 2233 The class ContainedProposal associates an ordered list of SAProposals 2234 with the IKENegotiationAction that aggregates it. If the referenced 2235 IKENegotiationAction object is an IKEAction, then the referenced 2236 SAProposal object(s) must be IKEProposal(s). If the referenced 2237 IKENegotiationAction object is an IPsecTransportAction or an 2238 IPsecTunnelAction, then the referenced SAProposal object(s) must be 2239 IPsecProposal(s). The class definition for ContainedProposal is as 2240 follows: 2242 NAME ContainedProposal 2243 DESCRIPTION Associates an ordered list of SAProposals with an 2244 IKENegotiationAction. 
2245 DERIVED FROM PolicyComponent (see [PCIM]) 2246 ABSTRACT FALSE 2247 PROPERTIES GroupComponent[ref IKENegotiationAction[0..n]] 2248 PartComponent[ref SAProposal[1..n]] 2249 SequenceNumber 2251 6.17.1. The Reference GroupComponent 2253 - The property GroupComponent is inherited from 2254 PolicyComponent and is overridden to refer to an 2255 IKENegotiationAction instance. The [0..n] cardinality 2256 indicates that an SAProposal instance may be associated with 2257 zero or more IKENegotiationAction instances. 2259 6.17.2. The Reference PartComponent 2261 The property PartComponent is inherited from PolicyComponent and is 2262 overridden to refer to an SAProposal instance. The [1..n] 2263 cardinality indicates that an IKENegotiationAction instance MUST be 2264 associated with at least one SAProposal instance. 2266 6.17.3. The Property SequenceNumber 2268 The property SequenceNumber specifies the order of preference for the 2269 SAProposals. The property is defined as follows: 2271 NAME SequenceNumber 2272 DESCRIPTION Specifies the preference order for the SAProposals. 2273 SYNTAX unsigned 16-bit integer 2274 VALUE Lower-valued proposals are preferred over proposals with 2275 higher values. For ContainedProposals that reference 2276 the same IKENegotiationAction, SequenceNumber values 2277 must be unique. 2279 6.18. The Association Class HostedPeerGatewayInformation 2281 The class HostedPeerGatewayInformation weakly associates a 2282 PeerGateway with a System. The class definition for 2283 HostedPeerGatewayInformation is as follows: 2285 NAME HostedPeerGatewayInformation 2286 DESCRIPTION Weakly associates a PeerGateway with a System. 2287 DERIVED FROM Dependency (see [CIMCORE]) 2288 ABSTRACT FALSE 2289 PROPERTIES Antecedent [ref System[1..1]] 2290 Dependent [ref PeerGateway[0..n] [weak]] 2292 6.18.1. The Reference Antecedent 2294 The property Antecedent is inherited from Dependency and is 2295 overridden to refer to a System instance. 
The [1..1] cardinality 2296 indicates that a PeerGateway instance MUST be associated with one and 2297 only one System instance. 2299 6.18.2. The Reference Dependent 2301 The property Dependent is inherited from Dependency and is overridden 2302 to refer to a PeerGateway instance. The [0..n] cardinality indicates 2303 that a System instance may be associated with zero or more 2304 PeerGateway instances. 2306 6.19. The Association Class TransformOfPreconfiguredAction 2307 The class TransformOfPreconfiguredAction associates a 2308 PreconfiguredSAAction with from two to six SATransforms that will be 2309 applied to the inbound and outbound traffic. The order of 2310 application of the SATransforms is implicitly defined in [IPSEC]. 2311 The class definition for TransformOfPreconfiguredAction is as 2312 follows: 2314 NAME TransformOfPreconfiguredAction 2315 DESCRIPTION Associates a PreconfiguredSAAction with from one to 2316 three SATransforms. 2317 DERIVED FROM Dependency (see [CIMCORE]) 2318 ABSTRACT FALSE 2319 PROPERTIES Antecedent[ref SATransform[2..6]] 2320 Dependent[ref PreconfiguredSAAction[0..n]] 2321 SPI 2322 Direction 2324 6.19.1. The Reference Antecedent 2326 The property Antecedent is inherited from Dependency and is 2327 overridden to refer to an SATransform instance. The [2..6] 2328 cardinality indicates that an PreconfiguredSAAction instance may be 2329 associated with from two to six SATransform instances. 2331 6.19.2. The Reference Dependent 2333 The property Dependent is inherited from Dependency and is overridden 2334 to refer to a PreconfiguredSAAction instance. The [0..n] cardinality 2335 indicates that an SATransform instance may be associated with zero or 2336 more PreconfiguredSAAction instances. 2338 6.19.3. The Property SPI 2340 The property SPI specifies the SPI to be used by the pre-configured 2341 action for the associated transform. 
The property is defined as 2342 follows: 2344 NAME SPI 2345 DESCRIPTION Specifies the SPI to be used with the SATransform. 2346 SYNTAX unsigned 32-bit integer 2348 6.19.4. The Property Direction 2350 The property Direction specifies whether the SPI property is for 2351 inbound or for outbound traffic. The property is defined as follows: 2353 NAME Direction 2354 DESCRIPTION Specifies whether the SA is for inbound or outbound 2355 traffic. 2356 SYNTAX unsigned 8-bit integer 2357 VALUE 1 - this SA is for inbound traffic 2358 2 - this SA is for outbound traffic 2360 6.20 The Association Class PeerGatewayForPreconfiguredTunnel 2362 The class PeerGatewayForPreconfiguredTunnel associates one or one 2363 PeerGateway with multiple PreconfiguredTunnelActions. The class 2364 definition for PeerGatewayForPreconfiguredTunnel is as follows: 2366 NAME PeerGatewayForPreconfiguredTunnel 2367 DESCRIPTION Associates a PeerGateway with multiple 2368 PreconfiguredTunnelAction. 2369 DERIVED FROM Dependency (see [CIMCORE]) 2370 ABSTRACT FALSE 2371 PROPERTIES Antecedent[ref PeerGateway[0..1]] 2372 Dependent[ref PreconfiguredTunnelAction[0..n]] 2374 6.20.1. The Reference Antecedent 2376 The property Antecedent is inherited from Dependency and is 2377 overridden to refer to an PeerGateway instance. The [0..1] 2378 cardinality indicates that an PreconfiguredTunnelAction instance may 2379 be associated with one PeerGteway instance. 2381 6.20.2. The Reference Dependent 2383 The property Dependent is inherited from Dependency and is overridden 2384 to refer to a PreconfiguredTunnelAction instance. The [0..n] 2385 cardinality indicates that an PeerGateway instance may be associated 2386 with zero or more PreconfiguredSAAction instances. 2388 7. Proposal and Transform Classes 2390 The proposal and transform classes model the proposal settings an 2391 IPsec device will use during IKE phase 1 and 2 negotiations. 
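   Looking back at section 6.15.3, the conversion it leaves open between
   the PeerIdentity string and the value carried in the ID payload is
   worked through here for every PeerIdentityType value of section
   6.15.2, as an added example in Python; it is not code from the draft
   or from any implementation of it.  Its assumptions: subnets are
   written "network/prefix" and ranges "first-last"; subnets and ranges
   are encoded as address followed by mask and first address followed
   by last, as [DOI] lays them out; a User FQDN contains "@"; and
   DER-encoded names and Key IDs, for which the draft gives no string
   form, are carried as hex strings.

```python
import ipaddress
from enum import IntEnum


class PeerIdentityType(IntEnum):
    """Values of the PeerIdentityType property (section 6.15.2)."""
    IPV4_ADDR = 1
    FQDN = 2
    USER_FQDN = 3
    IPV4_SUBNET = 4
    IPV6_ADDR = 5
    IPV6_SUBNET = 6
    IPV4_RANGE = 7
    IPV6_RANGE = 8
    DER_ASN1_DN = 9
    DER_ASN1_GN = 10
    KEY_ID = 11


# IP version that each address-based identity type must carry.
_VERSION = {
    PeerIdentityType.IPV4_ADDR: 4, PeerIdentityType.IPV4_SUBNET: 4,
    PeerIdentityType.IPV4_RANGE: 4, PeerIdentityType.IPV6_ADDR: 6,
    PeerIdentityType.IPV6_SUBNET: 6, PeerIdentityType.IPV6_RANGE: 6,
}
_ADDR_TYPES = (PeerIdentityType.IPV4_ADDR, PeerIdentityType.IPV6_ADDR)
_SUBNET_TYPES = (PeerIdentityType.IPV4_SUBNET, PeerIdentityType.IPV6_SUBNET)
_RANGE_TYPES = (PeerIdentityType.IPV4_RANGE, PeerIdentityType.IPV6_RANGE)
_NAME_TYPES = (PeerIdentityType.FQDN, PeerIdentityType.USER_FQDN)


def _packed(text: str, version: int) -> bytes:
    """Parse one address literal, rejecting a version that contradicts the type."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version != version:
        raise ValueError(f"{text!r} is not an IPv{version} address")
    return addr.packed


def _prefix_from_mask(mask: bytes) -> int:
    """Prefix length of a contiguous netmask; a mask with gaps is rejected."""
    bits = len(mask) * 8
    value = int.from_bytes(mask, "big")
    ones = bin(value).count("1")
    if value != ((1 << bits) - 1) ^ ((1 << (bits - ones)) - 1):
        raise ValueError("netmask is not contiguous")
    return ones


def encode_peer_identity(id_type: int, peer_identity: str) -> bytes:
    """Identification data bytes for a PeerIdentity string of the given type."""
    kind = PeerIdentityType(id_type)  # ValueError for anything outside 1..11
    if kind in _ADDR_TYPES:
        return _packed(peer_identity, _VERSION[kind])
    if kind in _SUBNET_TYPES:
        # Assumed string form "network/prefix"; host bits set is an error.
        net = ipaddress.ip_network(peer_identity.strip())
        if net.version != _VERSION[kind]:
            raise ValueError(f"{peer_identity!r} is not an IPv{_VERSION[kind]} subnet")
        return net.network_address.packed + net.netmask.packed  # address, then mask
    if kind in _RANGE_TYPES:
        # Assumed string form "first-last"; encoded as first address, then last.
        first, sep, last = peer_identity.partition("-")
        if not sep:
            raise ValueError("address range must be written as first-last")
        lo, hi = _packed(first, _VERSION[kind]), _packed(last, _VERSION[kind])
        if lo > hi:
            raise ValueError("address range starts above its end")
        return lo + hi
    if kind in _NAME_TYPES:
        data = peer_identity.strip().encode("ascii")  # non-ASCII names are rejected
        # A User FQDN is user@host (assumption of this example).
        if not data or (kind is PeerIdentityType.USER_FQDN and b"@" not in data):
            raise ValueError(f"malformed name identity {peer_identity!r}")
        return data
    # DER-encoded names and Key IDs have no textual form in the draft; this
    # example carries them as hex strings (an assumption of the example).
    return bytes.fromhex(peer_identity)


def decode_peer_identity(id_type: int, data: bytes) -> str:
    """Inverse of encode_peer_identity: bytes back to the PeerIdentity string."""
    kind = PeerIdentityType(id_type)
    if kind in _NAME_TYPES:
        return data.decode("ascii")
    if kind not in _VERSION:
        return data.hex()
    size = 4 if _VERSION[kind] == 4 else 16
    expected = size if kind in _ADDR_TYPES else 2 * size
    if len(data) != expected:
        raise ValueError(f"expected {expected} bytes, got {len(data)}")
    first = ipaddress.ip_address(data[:size])
    if kind in _ADDR_TYPES:
        return str(first)
    if kind in _SUBNET_TYPES:
        return str(ipaddress.ip_network((first, _prefix_from_mask(data[size:]))))
    return f"{first}-{ipaddress.ip_address(data[size:])}"
```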
   +--------------+*w                  1+--------------+
   | [SAProposal] |---------------------|    System    |
   +--------------+        (a)          | ([CIMCORE])  |
          ^                             +--------------+
          |                                    |1
          +--------------------+               |
          |                    |               |
   +-------------+     +---------------+       |
   | IKEProposal |     | IPsecProposal |       |
   +-------------+     +---------------+       |
                              *o               |
                               |(b)            |(c)
                              n|               |
                       +---------------+*w     |
                       | [SATransform] |-------+
                       +---------------+
                               ^
                               |
          +--------------------+--------+-------------------+
          |                             |                   |
   +-------------+               +--------------+   +----------------+
   | AHTransform |               | ESPTransform |   |IPCOMPTransform |
   +-------------+               +--------------+   +----------------+

   (a) SAProposalInSystem
   (b) ContainedTransform
   (c) SATransformInSystem

7.1. The Abstract Class SAProposal

   The abstract class SAProposal serves as the base class for the IKE
   and IPsec proposal classes.  It specifies the parameters that are
   common to the two proposal types.  The class definition for
   SAProposal is as follows:

      NAME          SAProposal
      DESCRIPTION   Specifies the common proposal parameters for IKE and
                    IPsec security association negotiation.
      DERIVED FROM  Policy ([PCIM])
      ABSTRACT      TRUE
      PROPERTIES    Name

7.1.1. The Property Name

   The property Name specifies a user-friendly name for the SAProposal.
   The property is defined as follows:

      NAME          Name
      DESCRIPTION   Specifies a user-friendly name for this proposal.
      SYNTAX        string

7.2. The Class IKEProposal

   The class IKEProposal specifies the proposal parameters necessary to
   drive an IKE security association negotiation.  The class definition
   for IKEProposal is as follows:

      NAME          IKEProposal
      DESCRIPTION   Specifies the proposal parameters for IKE security
                    association negotiation.
      DERIVED FROM  SAProposal
      ABSTRACT      FALSE
      PROPERTIES    CipherAlgorithm
                    HashAlgorithm
                    PRFAlgorithm
                    GroupId
                    AuthenticationMethod
                    MaxLifetimeSeconds
                    MaxLifetimeKilobytes
                    VendorID

7.2.1. The Property CipherAlgorithm

   The property CipherAlgorithm specifies the proposed phase 1 security
   association encryption algorithm.  The property is defined as
   follows:

      NAME          CipherAlgorithm
      DESCRIPTION   Specifies the proposed encryption algorithm for the
                    phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [IKE] for valid values.

7.2.2. The Property HashAlgorithm

   The property HashAlgorithm specifies the proposed phase 1 security
   association hash algorithm.  The property is defined as follows:

      NAME          HashAlgorithm
      DESCRIPTION   Specifies the proposed hash algorithm for the phase 1
                    security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [IKE] for valid values.

7.2.3. The Property PRFAlgorithm

   The property PRFAlgorithm specifies the proposed phase 1 security
   association pseudo-random function.  The property is defined as
   follows:

      NAME          PRFAlgorithm
      DESCRIPTION   Specifies the proposed pseudo-random function for the
                    phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         Currently none are defined in [IKE].  If [IKE] and
                    [DOI] are extended, then the values of [IKE, DOI]
                    are to be used for values of PRFAlgorithm.

7.2.4. The Property GroupId

   The property GroupId specifies the proposed phase 1 security
   association key exchange group.  This property is ignored for all
   aggressive mode exchanges.  If the GroupId number is from the
   vendor-specific range (32768-65535), the property VendorID qualifies
   the group number.  The property is defined as follows:

      NAME          GroupId
      DESCRIPTION   Specifies the proposed key exchange group for the
                    phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [IKE] for valid values.

   Note: the value of this property is to be ignored when doing
   aggressive mode.

7.2.5. The Property AuthenticationMethod

   The property AuthenticationMethod specifies the proposed phase 1
   authentication method.  The property is defined as follows:

      NAME          AuthenticationMethod
      DESCRIPTION   Specifies the proposed authentication method for the
                    phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         0 - a special value that indicates that this
                    particular proposal should be repeated once for each
                    authentication method that corresponds to the
                    credentials installed on the machine.  For example,
                    if the system has a pre-shared key and a
                    certificate, a proposal list could be constructed
                    which includes a proposal that specifies pre-shared
                    key and proposals for any of the public-key
                    authentication methods.
                    Consult [IKE] for valid values.

7.2.6. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum time, in
   seconds, to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

      NAME          MaxLifetimeSeconds
      DESCRIPTION   Specifies the maximum time to propose a security
                    association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that the default of 8
                    hours be used.  A non-zero value indicates the
                    maximum seconds lifetime.

7.2.7. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

      NAME          MaxLifetimeKilobytes
      DESCRIPTION   Specifies the maximum kilobyte lifetime to propose a
                    security association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that there should be no
                    maximum kilobyte lifetime.  A non-zero value
                    specifies the desired kilobyte lifetime.

7.2.8. The Property VendorID

   The property VendorID further qualifies the key exchange group.  The
   property is used only when the exchange is not in aggressive mode
   and the property GroupId is in the vendor-specific range; otherwise
   it is ignored.  The property is defined as follows:

      NAME          VendorID
      DESCRIPTION   Specifies the Vendor ID to further qualify the key
                    exchange group.
      SYNTAX        string

7.3. The Class IPsecProposal

   The class IPsecProposal adds no new properties, but inherits proposal
   properties from SAProposal as well as aggregating the security
   association transforms necessary for building an IPsec proposal (see
   the aggregation class ContainedTransform).  The class definition for
   IPsecProposal is as follows:

      NAME          IPsecProposal
      DESCRIPTION   Specifies the proposal parameters for IPsec security
                    association negotiation.
      DERIVED FROM  SAProposal
      ABSTRACT      FALSE

7.4. The Abstract Class SATransform

   The abstract class SATransform serves as the base class for the IPsec
   transforms that can be used to compose an IPsec proposal or to be
   used as a pre-configured action.  The class definition for
   SATransform is as follows:

      NAME          SATransform
      DESCRIPTION   Base class for the different IPsec transforms.
      ABSTRACT      TRUE
      PROPERTIES    TransformName
                    VendorID
                    MaxLifetimeSeconds
                    MaxLifetimeKilobytes

7.4.1. The Property TransformName

   The property TransformName specifies a user-friendly name for the
   SATransform.  The property is defined as follows:

      NAME          TransformName
      DESCRIPTION   Specifies a user-friendly name for this transform.
      SYNTAX        string

7.4.2. The Property VendorID

   The property VendorID specifies the vendor ID for vendor-defined
   transforms.  The property is defined as follows:

      NAME          VendorID
      DESCRIPTION   Specifies the vendor ID for vendor-defined
                    transforms.
      SYNTAX        string
      VALUE         An empty VendorID string indicates that the
                    transform is a standard one.

7.4.3. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum time, in
   seconds, to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

      NAME          MaxLifetimeSeconds
      DESCRIPTION   Specifies the maximum time to propose a security
                    association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that the default of 8
                    hours be used.  A non-zero value indicates the
                    maximum seconds lifetime.

7.4.4. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

      NAME          MaxLifetimeKilobytes
      DESCRIPTION   Specifies the maximum kilobyte lifetime to propose a
                    security association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that there should be no
                    maximum kilobyte lifetime.  A non-zero value
                    specifies the desired kilobyte lifetime.

7.5. The Class AHTransform

   The class AHTransform specifies the AH algorithm to propose during
   IPsec security association negotiation.  The class definition for
   AHTransform is as follows:

      NAME          AHTransform
      DESCRIPTION   Specifies the AH algorithm to propose.
      ABSTRACT      FALSE
      PROPERTIES    AHTransformId
                    UseReplayPrevention
                    ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

   The property AHTransformId specifies the transform ID of the AH
   algorithm to propose.  The property is defined as follows:

      NAME          AHTransformId
      DESCRIPTION   Specifies the transform ID of the AH algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

      NAME          UseReplayPrevention
      DESCRIPTION   Specifies whether to enable replay prevention
                    detection.
      SYNTAX        boolean
      VALUE         true - replay prevention detection is enabled.
                    false - replay prevention detection is disabled.

7.5.3. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism.  The value of this property is meaningless if
   UseReplayPrevention is false.  It is assumed that the window size
   will be a power of 2.  The property is defined as follows:

      NAME          ReplayPreventionWindowSize
      DESCRIPTION   Specifies the length of the window used by the
                    replay prevention detection mechanism.
      SYNTAX        unsigned 32-bit integer

7.6. The Class ESPTransform

   The class ESPTransform specifies the ESP algorithms to propose during
   IPsec security association negotiation.  The class definition for
   ESPTransform is as follows:

      NAME          ESPTransform
      DESCRIPTION   Specifies the ESP algorithms to propose.
      ABSTRACT      FALSE
      PROPERTIES    IntegrityTransformId
                    CipherTransformId
                    CipherKeyLength
                    CipherKeyRounds
                    UseReplayPrevention
                    ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

   The property IntegrityTransformId specifies the transform ID of the
   ESP integrity algorithm to propose.  The property is defined as
   follows:

      NAME          IntegrityTransformId
      DESCRIPTION   Specifies the transform ID of the ESP integrity
                    algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [DOI] for valid values.

7.6.2. The Property CipherTransformId

   The property CipherTransformId specifies the transform ID of the ESP
   encryption algorithm to propose.  The property is defined as follows:

      NAME          CipherTransformId
      DESCRIPTION   Specifies the transform ID of the ESP encryption
                    algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

   The property CipherKeyLength specifies, in bits, the key length for
   the ESP encryption algorithm.  For encryption algorithms that use
   fixed-length keys, this value is ignored.  The property is defined as
   follows:

      NAME          CipherKeyLength
      DESCRIPTION   Specifies the ESP encryption key length in bits.
      SYNTAX        unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

   The property CipherKeyRounds specifies the number of key rounds for
   the ESP encryption algorithm.  For encryption algorithms that use a
   fixed number of key rounds, this value is ignored.  The property is
   defined as follows:

      NAME          CipherKeyRounds
      DESCRIPTION   Specifies the number of key rounds for the ESP
                    encryption algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Currently, key rounds are not defined for any ESP
                    encryption algorithms.

7.6.5. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

      NAME          UseReplayPrevention
      DESCRIPTION   Specifies whether to enable replay prevention
                    detection.
      SYNTAX        boolean
      VALUE         true - replay prevention detection is enabled.
                    false - replay prevention detection is disabled.

7.6.6. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism.  The value of this property is meaningless if
   UseReplayPrevention is false.  It is assumed that the window size
   will be a power of 2.  The property is defined as follows:

      NAME          ReplayPreventionWindowSize
      DESCRIPTION   Specifies the length of the window used by the
                    replay prevention detection mechanism.
      SYNTAX        unsigned 32-bit integer

7.7. The Class IPCOMPTransform

   The class IPCOMPTransform specifies the IP compression (IPCOMP)
   algorithm to propose during IPsec security association negotiation.
   The class definition for IPCOMPTransform is as follows:

      NAME          IPCOMPTransform
      DESCRIPTION   Specifies the IPCOMP algorithm to propose.
      ABSTRACT      FALSE
      PROPERTIES    Algorithm
                    DictionarySize
                    PrivateAlgorithm

7.7.1. The Property Algorithm

   The property Algorithm specifies the transform ID of the IPCOMP
   compression algorithm to propose.  The property is defined as
   follows:

      NAME          Algorithm
      DESCRIPTION   Specifies the transform ID of the IPCOMP compression
                    algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         1 - OUI: a vendor-specific algorithm is used and
                    specified in the property PrivateAlgorithm.
                    Consult [DOI] for other valid values.

7.7.2. The Property DictionarySize

   The property DictionarySize specifies the log2 maximum size of the
   dictionary for the compression algorithm.  For compression algorithms
   that have pre-defined dictionary sizes, this value is ignored.  The
   property is defined as follows:

      NAME          DictionarySize
      DESCRIPTION   Specifies the log2 maximum size of the dictionary.
      SYNTAX        unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

   The property PrivateAlgorithm specifies a private vendor-specific
   compression algorithm.  This value is only used when the property
   Algorithm is 1 (OUI).  The property is defined as follows:

      NAME          PrivateAlgorithm
      DESCRIPTION   Specifies a private vendor-specific compression
                    algorithm.
      SYNTAX        unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem

   The class SAProposalInSystem weakly associates SAProposals with a
   System.  The class definition for SAProposalInSystem is as follows:

      NAME          SAProposalInSystem
      DESCRIPTION   Weakly associates SAProposals with a System.
      DERIVED FROM  PolicyInSystem (see [PCIM])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent[ref System [1..1]]
                    Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SAProposal instance MUST be associated with one and
   only one System instance.

7.8.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SAProposal instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

   The class ContainedTransform associates an IPsecProposal with the set
   of SATransforms that make up the proposal.  If multiple transforms of
   the same type are in a proposal, then they are to be logically ORed
   and the order of preference is dictated by the SequenceNumber
   property.  Sets of transforms of different types are logically ANDed.
   For example, if the ordered proposal list were

      ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
      AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to pick
   one from the ESP transform list (preferably (HMAC-MD5, 3DES)) AND one
   from the AH transform list (preferably MD5).

   The class definition for ContainedTransform is as follows:

      NAME          ContainedTransform
      DESCRIPTION   Associates an IPsecProposal with the set of
                    SATransforms that make up the proposal.
      DERIVED FROM  PolicyComponent (see [PCIM])
      ABSTRACT      FALSE
      PROPERTIES    GroupComponent[ref IPsecProposal[0..n]]
                    PartComponent[ref SATransform[1..n]]
                    SequenceNumber

7.9.1. The Reference GroupComponent

   The property GroupComponent is inherited from PolicyComponent and is
   overridden to refer to an IPsecProposal instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SATransform instance.  The [1..n]
   cardinality indicates that an IPsecProposal instance MUST be
   associated with at least one SATransform instance.

7.9.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for the
   SATransforms of the same type.  The property is defined as follows:

      NAME          SequenceNumber
      DESCRIPTION   Specifies the preference order for the SATransforms
                    of the same type.
      SYNTAX        unsigned 16-bit integer
      VALUE         Lower-valued transforms are preferred over
                    transforms of the same type with higher values.  For
                    ContainedTransforms that reference the same
                    IPsecProposal, SequenceNumber values must be unique.

7.10. The Association Class SATransformInSystem

   The class SATransformInSystem weakly associates SATransforms with a
   System.  The class definition for SATransformInSystem is as follows:

      NAME          SATransformInSystem
      DESCRIPTION   Weakly associates SATransforms with a System.
      DERIVED FROM  PolicyInSystem (see [PCIM])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent[ref System[1..1]]
                    Dependent[ref SATransform[0..n] [weak]]

7.10.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SATransform instance MUST be associated with one
   and only one System instance.

7.10.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SATransform instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SATransform instances.

8. IKE Service and Identity Classes

   +--------------+                     +-------------------+
   |    System    |                     | PeerIdentityEntry |
   | ([CIMCORE])  |                     +-------------------+
   +--------------+                               |*w
         1| (a)                               (b) |
          +---------------+       +---------------+
                          |       |
                          |*w   1 o
   +-------------+  +-------------------+   +---------------------+
   | PeerGateway |  | PeerIdentityTable |   | AutostartIKESetting |
   +-------------+  +-------------------+   +---------------------+
         *|                   *|                   *|    *|
          +----------------+   |(d)  +--------------+     |
                     (c)  *|  *|    *| (e)                |
                         *+------------+*                 |(f)
       +------------------| IKEService |-----+            |
       |   (g)            +------------+     |(h)         |
   0..1|                       *|           *o           *|
   +--------------------+       |          +---------------------------+
   | IPProtocolEndpoint |       |          | AutostartIKEConfiguration |
   |   ([CIMNETWORK])   |    (i)|          +---------------------------+
   +--------------------+       |
      0..1|                     |
          |(j)                  +-----------------------+
         *|                                             |*
   +-------------+* (k) +------------+   +-----------------------------+
   | IKEIdentity |------| Collection |   | CredentialManagementService |
   +-------------+  0..1| ([CIMCORE])|   |         ([CIMUSER])         |
         *|             +------------+   +-----------------------------+
          |(l)
         *|
   +--------------+
   |  Credential  |
   | ([CIMUSER])  |
   +--------------+

   (a) HostedPeerIdentityTable
   (b) PeerIdentityMember
   (c) IKEServicePeerGateway
   (d) IKEServicePeerIdentityTable
   (e) IKEAutostartSetting
   (f) AutostartIKESettingContext
   (g) IKEServiceForEndpoint
   (h) IKEAutostartConfiguration
   (i) IKEUsesCredentialManagementService
   (j) EndpointHasLocalIKEIdentity
   (k) CollectionHasLocalIKEIdentity
   (l) IKEIdentitysCredential

   This portion of the model contains additional information that is
   useful in applying the policy.  The IKEService class MAY be used to
   represent the IKE negotiation function in a system.  The IKEService
   uses the various tables that contain information about IKE peers as
   well as the configuration for specifying security associations that
   are started automatically.  The information in the PeerGateway,
   PeerIdentityTable and related classes is necessary to completely
   specify the policies.

   An interface (represented by an IPProtocolEndpoint) has an IKEService
   that provides the negotiation services for that interface.  That
   service MAY also have a list of security associations automatically
   started at the time the IKE service is initialized.

   The IKEService also has a set of identities that it may use in
   negotiations with its peers.  Those identities are associated with
   the interfaces (or collections of interfaces).

8.1. The Class IKEService

   The class IKEService represents the IKE negotiation function.  An
   instance of this service may provide that negotiation service for one
   or more interfaces (represented by the IPProtocolEndpoint class) of a
   System.  There may be multiple instances of IKE services on a System
   but only one per interface.  The class definition for IKEService is
   as follows:

      NAME          IKEService
      DESCRIPTION   IKEService is used to represent the IKE negotiation
                    function.
      DERIVED FROM  Service (see [CIMCORE])
      ABSTRACT      FALSE

8.2. The Class PeerIdentityTable

   The class PeerIdentityTable aggregates the table entries that provide
   mappings between identities and their addresses.  The class
   definition for PeerIdentityTable is as follows:

      NAME          PeerIdentityTable
      DESCRIPTION   PeerIdentityTable aggregates PeerIdentityEntry
                    instances to provide a table of identity-address
                    mappings.
      DERIVED FROM  Collection (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Name

8.2.1. The Property Name

   The property Name uniquely identifies the table.
   The property is defined as follows:

      NAME          Name
      DESCRIPTION   Name uniquely identifies the table.
      SYNTAX        string

8.3. The Class PeerIdentityEntry

   The class PeerIdentityEntry specifies the mapping between a peer's
   identity and its IP address.  The class definition for
   PeerIdentityEntry is as follows:

      NAME          PeerIdentityEntry
      DESCRIPTION   PeerIdentityEntry provides a mapping between a
                    peer's identity and address.
      DERIVED FROM  LogicalElement (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    PeerIdentity
                    PeerIdentityType
                    PeerAddress
                    PeerAddressType

   The pre-shared key to be used with this peer (if applicable) is
   contained in an instance of the class SharedSecret (see [CIMUSER]).
   The pre-shared key is stored in the property Secret; the property
   protocol contains "IKE"; the property algorithm contains the
   algorithm used to protect the secret (it can be "PLAINTEXT" if the
   IPsec entity has no secret storage); and the value of the property
   RemoteID must match the PeerIdentity property of the
   PeerIdentityEntry instance describing the IKE peer.

8.3.1. The Property PeerIdentity

   The property PeerIdentity contains a string encoding of the Identity
   payload for the IKE peer.  The property is defined as follows:

      NAME          PeerIdentity
      DESCRIPTION   The PeerIdentity is the ID payload of a peer.
      SYNTAX        string

8.3.2. The Property PeerIdentityType

   The property PeerIdentityType is an enumeration that specifies the
   type of the PeerIdentity.  The property is defined as follows:

      NAME          PeerIdentityType
      DESCRIPTION   PeerIdentityType is the type of the ID payload of a
                    peer.
      SYNTAX        unsigned 16-bit integer
      VALUE         The enumeration values are specified in [DOI]
                    section 4.6.2.1.

8.3.3. The Property PeerAddress

   The property PeerAddress specifies the string representation of the
   IP address of the peer, formatted according to the appropriate
   convention as defined in the PeerAddressType property (e.g., dotted
   decimal notation).  The property is defined as follows:

      NAME          PeerAddress
      DESCRIPTION   PeerAddress is the address of the peer with the ID
                    payload.
      SYNTAX        string
      VALUE         String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType

   The property PeerAddressType specifies the format of the PeerAddress
   property value.  The property is defined as follows:

      NAME          PeerAddressType
      DESCRIPTION   PeerAddressType is the type of address in
                    PeerAddress.
      SYNTAX        unsigned 16-bit integer
      VALUE         0 - Unknown
                    1 - IPv4
                    2 - IPv6

8.4. The Class AutostartIKEConfiguration

   The class AutostartIKEConfiguration groups AutostartIKESetting
   instances into configuration sets.  When applied, the settings cause
   an IKE service to automatically start (negotiate or statically set,
   as appropriate) the Security Associations.  The class definition for
   AutostartIKEConfiguration is as follows:

      NAME          AutostartIKEConfiguration
      DESCRIPTION   A configuration set of AutostartIKESetting instances
                    to be automatically started by the IKE service.
      DERIVED FROM  SystemConfiguration (see [CIMCORE])
      ABSTRACT      FALSE

8.5. The Class AutostartIKESetting

   The class AutostartIKESetting is used to automatically initiate IKE
   negotiations with peers (or statically create an SA) as specified in
   the AutostartIKESetting properties.  Appropriate actions are
   initiated according to the policy that matches the setting
   parameters.  The class definition for AutostartIKESetting is as
   follows:

      NAME          AutostartIKESetting
      DESCRIPTION   AutostartIKESetting is used to automatically
                    initiate IKE negotiations with peers or statically
                    create an SA.
      DERIVED FROM  SystemSetting (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Phase1Only
                    AddressType
                    SourceAddress
                    SourcePort
                    DestinationAddress
                    DestinationPort
                    Protocol

8.5.1. The Property Phase1Only

   The property Phase1Only is used to limit the IKE negotiation to a
   phase 1 SA establishment only.  When set to False, both phase 1 and
   phase 2 SAs are negotiated.  The property is defined as follows:

      NAME          Phase1Only
      DESCRIPTION   Used to indicate which security associations to
                    attempt to establish (phase 1 only, or phase 1 and
                    2).
      SYNTAX        boolean
      VALUE         true - attempt to establish a phase 1 security
                    association
                    false - attempt to establish phase 1 and phase 2
                    security associations

8.5.2. The Property AddressType

   The property AddressType specifies the type of the addresses in the
   SourceAddress and DestinationAddress properties.  The property is
   defined as follows:

      NAME          AddressType
      DESCRIPTION   AddressType is the type of address in the
                    SourceAddress and DestinationAddress properties.
      SYNTAX        unsigned 16-bit integer
      VALUE         0 - Unknown
                    1 - IPv4
                    2 - IPv6

8.5.3. The Property SourceAddress

   The property SourceAddress specifies the dotted-decimal or
   colon-decimal formatted IP address used as the source address in
   comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

      NAME          SourceAddress
      DESCRIPTION   The source address to compare with the filters to
                    determine the appropriate policy rule.
      SYNTAX        string
      VALUE         dotted-decimal or colon-decimal formatted IP address

8.5.4.
The Property SourcePort 3202 The property SourcePort specifies the port number used as the source 3203 port in comparing with policy filter entries and used in any phase 2 3204 negotiations. The property is defined as follows: 3206 NAME SourcePort 3207 DESCRIPTION The source port to compare with the filters to determine 3208 the appropriate policy rule. 3209 SYNTAX unsigned 16-bit integer 3211 8.5.5. The Property DestinationAddress 3213 The property DestinationAddress specifies the dotted-decimal or 3214 colon-decimal formatted IP address used as the destination address in 3215 comparing with policy filter entries and used in any phase 2 3216 negotiations. The property is defined as follows: 3218 NAME DestinationAddress 3219 DESCRIPTION The destination address to compare with the filters to 3220 determine the appropriate policy rule. 3221 SYNTAX string 3222 VALUE dotted-decimal or colon-decimal formatted IP address 3224 8.5.6. The Property DestinationPort 3226 The property DestinationPort specifies the port number used as the 3227 destination port in comparing with policy filter entries and used in 3228 any phase 2 negotiations. The property is defined as follows: 3230 NAME DestinationPort 3231 DESCRIPTION The destination port to compare with the filters to 3232 determine the appropriate policy rule. 3233 SYNTAX unsigned 16-bit integer 3235 8.5.7. The Property Protocol 3237 The property Protocol specifies the protocol number used in comparing 3238 with policy filter entries and used in any phase 2 negotiations. The 3239 property is defined as follows: 3241 NAME Protocol 3242 DESCRIPTION The protocol number used in comparing with policy filter 3243 entries. 3244 SYNTAX unsigned 8-bit integer 3246 8.6. The Class IKEIdentity 3247 The class IKEIdentity is used to represent the identities that may be 3248 used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) 3249 to identify the IKE Service in IKE phase 1 negotiations. 
   The policy IKEAction.UseIKEIdentityType specifies which type of the
   available identities to use in a negotiation exchange, and
   IKERule.IdentityContexts specifies the match values to be used,
   along with the local address, in selecting the appropriate identity
   for a negotiation.  The ElementID property value (defined in the
   parent class, UsersAccess) should be that of either the
   IPProtocolEndpoint or the Collection of endpoints, as appropriate.
   The class definition for IKEIdentity is as follows:

      NAME          IKEIdentity
      DESCRIPTION   IKEIdentity is used to represent the identities that
                    may be used for an IPProtocolEndpoint (or collection
                    of IPProtocolEndpoints) to identify the IKE Service
                    in IKE phase 1 negotiations.
      DERIVED FROM  UsersAccess (see [CIMUSER])
      ABSTRACT      FALSE
      PROPERTIES    IdentityType
                    IdentityValue
                    IdentityContexts

8.6.1. The Property IdentityType

   The property IdentityType is an enumeration that specifies the type
   of the IdentityValue.  The property is defined as follows:

      NAME          IdentityType
      DESCRIPTION   IdentityType is the type of the IdentityValue.
      SYNTAX        unsigned 8-bit integer
      VALUE         The enumeration values are specified in [DOI]
                    section 4.6.2.1.

8.6.2. The Property IdentityValue

   The property IdentityValue contains a string encoding of the Identity
   payload.  For IKEIdentity instances that are address types (i.e.,
   IPv4 or IPv6 addresses), the IdentityValue string value MAY be
   omitted; the associated IPProtocolEndpoint (or the appropriate member
   of the Collection of endpoints) is then used as the identity value.
   The property is defined as follows:

      NAME          IdentityValue
      DESCRIPTION   IdentityValue contains a string encoding of the
                    Identity payload.
      SYNTAX        string

8.6.3. The Property IdentityContexts

   The IdentityContexts property is used to constrain the use of
   IKEIdentity instances to those matching the contexts specified in
   IKERule.IdentityContexts.  The IdentityContexts are formatted as
   policy roles and role combinations [PCIM] & [PCIMe].  Each value
   represents one context or context combination.  Since this is a
   multi-valued property, more than one context or combination of
   contexts can be associated with a single IKEIdentity.  Each value is
   a string of the form:

      <ContextName>[&&<ContextName>]*

   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2).  If one or more
   values in the IKERule.IdentityContexts array match one or more
   values in IKEIdentity.IdentityContexts, then the identity's context
   matches.  (That is, each value of the IdentityContexts array is an
   ORed condition.)  In combination with the address of the
   IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
   exactly one matching IKEIdentity.  The property is defined as
   follows:

      NAME          IdentityContexts
      DESCRIPTION   The IKE service of a security endpoint may have
                    multiple identities for use in different situations.
                    The combination of the interface (represented by the
                    IPProtocolEndpoint), the identity type (as specified
                    in the IKEAction) and the IdentityContexts selects a
                    unique identity.
      SYNTAX        string array
      VALUE         string of the form <ContextName>[&&<ContextName>]*

8.7. The Association Class HostedPeerIdentityTable

   The class HostedPeerIdentityTable provides the name scoping
   relationship for PeerIdentityTable entries in a System.  The
   PeerIdentityTable is weak to the System.  The class definition for
   HostedPeerIdentityTable is as follows:

      NAME          HostedPeerIdentityTable
      DESCRIPTION   The PeerIdentityTable instances are weak to (name
                    scoped by) the owning System.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref System[1..1]]
                    Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that a PeerIdentityTable instance MUST be associated in a
   weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to a PeerIdentityTable instance.  The [0..n] cardinality
   indicates that a System instance may be associated with zero or more
   PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

   The class PeerIdentityMember aggregates PeerIdentityEntry instances
   into a PeerIdentityTable.  This is a weak aggregation.  The class
   definition for PeerIdentityMember is as follows:

      NAME          PeerIdentityMember
      DESCRIPTION   PeerIdentityMember aggregates PeerIdentityEntry
                    instances into a PeerIdentityTable.
      DERIVED FROM  MemberOfCollection (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Collection [ref PeerIdentityTable[1..1]]
                    Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

   The property Collection is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityTable instance.  The [1..1]
   cardinality indicates that a PeerIdentityEntry instance MUST be
   associated with one and only one PeerIdentityTable instance (i.e.,
   PeerIdentityEntry instances are not shared across
   PeerIdentityTables).

8.8.2. The Reference Member

   The property Member is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityEntry instance.  The [0..n]
   cardinality indicates that a PeerIdentityTable instance may be
   associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

   The class IKEServicePeerGateway provides the association between an
   IKEService and the list of PeerGateway instances that it uses in
   negotiating with security gateways.  The class definition for
   IKEServicePeerGateway is as follows:

      NAME          IKEServicePeerGateway
      DESCRIPTION   Associates an IKEService and the list of PeerGateway
                    instances that it uses in negotiating with security
                    gateways.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref PeerGateway[0..n]]
                    Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a PeerGateway instance may be associated with zero or more
   IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

   The class IKEServicePeerIdentityTable provides the relationship
   between an IKEService and a PeerIdentityTable that it uses to map
   between addresses and identities as required.  The class definition
   for IKEServicePeerIdentityTable is as follows:

      NAME          IKEServicePeerIdentityTable
      DESCRIPTION   IKEServicePeerIdentityTable provides the
                    relationship between an IKEService and a
                    PeerIdentityTable that it uses.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref PeerIdentityTable[0..n]]
                    Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerIdentityTable instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a PeerIdentityTable instance may be associated with zero or more
   IKEService instances.

8.11. The Association Class IKEAutostartSetting

   The class IKEAutostartSetting associates an AutostartIKESetting with
   an IKEService that may use it to automatically start an IKE
   negotiation or create a static SA.  The class definition for
   IKEAutostartSetting is as follows:

      NAME          IKEAutostartSetting
      DESCRIPTION   Associates an AutostartIKESetting with an
                    IKEService.
      DERIVED FROM  ElementSetting (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Element [ref IKEService[0..n]]
                    Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

   The property Element is inherited from ElementSetting and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that an AutostartIKESetting instance may be
   associated with zero or more IKEService instances.

8.11.2. The Reference Setting

   The property Setting is inherited from ElementSetting and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

   The class AutostartIKESettingContext aggregates the settings used to
   automatically start negotiations or create a static SA into a
   configuration set.  The class definition for
   AutostartIKESettingContext is as follows:

      NAME          AutostartIKESettingContext
      DESCRIPTION   AutostartIKESettingContext aggregates the
                    AutostartIKESetting instances into a configuration
                    set.
      DERIVED FROM  SystemSettingContext (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Context [ref AutostartIKEConfiguration [0..n]]
                    Setting [ref AutostartIKESetting [0..n]]
                    SequenceNumber

8.12.1. The Reference Context

   The property Context is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an AutostartIKESetting instance may
   be associated with zero or more AutostartIKEConfiguration instances
   (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

   The property Setting is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an AutostartIKEConfiguration instance may
   be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

   The property SequenceNumber specifies the ordering to be used when
   starting negotiations or creating a static SA.  A zero value
   indicates that order is not significant and the setting may be
   applied in parallel with other settings.  All other settings in the
   configuration are executed in sequence from lower values to higher.
   Sequence numbers need not be unique in an AutostartIKEConfiguration,
   and order is not significant for settings with the same sequence
   number.
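   To make the SequenceNumber ordering rule just described, and the
   IKEIdentity selection rule of section 8.6.3, concrete, here is an
   added Python model of the two rules.  It is not part of the draft and
   not code from any implementation of it; class and property names
   follow the draft, the identification type constants are the values
   cited from [DOI] section 4.6.2.1, and the addresses, context names and
   setting labels are constructed sample data.

```python
from dataclasses import dataclass
from itertools import groupby
from typing import Iterable, List, Optional, Set, Tuple

# Identification type values from [DOI] section 4.6.2.1, as cited by 8.3.2 and 8.6.1.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_IPV6_ADDR = 5
ADDRESS_TYPES = (ID_IPV4_ADDR, ID_IPV6_ADDR)


@dataclass(frozen=True)
class IKEIdentity:
    identity_type: int                  # IdentityType (8.6.1)
    identity_value: Optional[str]       # IdentityValue; may be omitted for address types (8.6.2)
    identity_contexts: Tuple[str, ...]  # IdentityContexts values, "<ContextName>[&&<ContextName>]*"
    endpoint_address: str               # address of the IPProtocolEndpoint the identity is bound to


def canonical_context(value: str) -> str:
    """8.6.3 requires the names of a context combination to be in alphabetical
    order; normalising both sides lets a mis-ordered stored value still compare."""
    return "&&".join(sorted(value.split("&&")))


def contexts_match(rule_contexts: Iterable[str], identity_contexts: Iterable[str]) -> bool:
    """Each IdentityContexts value is an ORed condition, so one value in common
    is enough.  "Admin&&Partner" is one value and does not match bare "Admin"."""
    rule = {canonical_context(c) for c in rule_contexts}
    ident = {canonical_context(c) for c in identity_contexts}
    return not rule.isdisjoint(ident)


def select_identity(identities: Iterable[IKEIdentity], local_address: str,
                    use_ike_identity_type: int, rule_contexts: Iterable[str]) -> IKEIdentity:
    """Pick the local IKEIdentity for a phase 1 negotiation: the endpoint
    address, IKEAction.UseIKEIdentityType and IKERule.IdentityContexts must all
    match.  8.6.3 says there SHOULD be exactly one, so zero or several matches
    are reported as a configuration error instead of silently taking the first."""
    rule_contexts = list(rule_contexts)
    matches = [
        ident for ident in identities
        if ident.endpoint_address == local_address
        and ident.identity_type == use_ike_identity_type
        and contexts_match(rule_contexts, ident.identity_contexts)
    ]
    if len(matches) != 1:
        raise LookupError("expected exactly one IKEIdentity, found %d" % len(matches))
    return matches[0]


def identity_payload_value(identity: IKEIdentity) -> str:
    """8.6.2: IdentityValue may be omitted only for address types, in which
    case the endpoint's own address is the identity value."""
    if identity.identity_value is not None:
        return identity.identity_value
    if identity.identity_type not in ADDRESS_TYPES:
        raise ValueError("IdentityValue may only be omitted for address identity types")
    return identity.endpoint_address


@dataclass(frozen=True)
class AutostartIKESettingContext:
    setting: str          # label standing in for the referenced AutostartIKESetting
    sequence_number: int  # SequenceNumber (8.12.3)


def autostart_order(contexts: Iterable[AutostartIKESettingContext]) -> Tuple[Set[str], List[Set[str]]]:
    """8.12.3: SequenceNumber 0 means the setting may run in parallel with any
    other; the rest run in ascending order, and settings sharing a number are
    unordered among themselves.  Returns (parallel_settings, ordered_batches)."""
    contexts = list(contexts)
    parallel = {c.setting for c in contexts if c.sequence_number == 0}
    ordered = sorted((c for c in contexts if c.sequence_number != 0),
                     key=lambda c: c.sequence_number)
    batches = [{c.setting for c in group}
               for _, group in groupby(ordered, key=lambda c: c.sequence_number)]
    return parallel, batches


# Constructed sample data: one endpoint with three local identities and an
# AutostartIKEConfiguration holding four settings.
IDENTITIES = (
    IKEIdentity(ID_IPV4_ADDR, None, ("Admin",), "192.0.2.1"),
    IKEIdentity(ID_FQDN, "gw1.example.com", ("Admin&&Partner",), "192.0.2.1"),
    IKEIdentity(ID_FQDN, "gw1-int.example.com", ("Internal", "Lab&&Test"), "192.0.2.1"),
)
AUTOSTART = (
    AutostartIKESettingContext("sa-to-partner", 2),
    AutostartIKESettingContext("sa-monitoring", 0),
    AutostartIKESettingContext("sa-to-hub", 1),
    AutostartIKESettingContext("sa-to-backup", 2),
)

if __name__ == "__main__":
    chosen = select_identity(IDENTITIES, "192.0.2.1", ID_FQDN, ["Partner&&Admin"])
    print("identity:", identity_payload_value(chosen))  # gw1.example.com
    print("autostart order:", autostart_order(AUTOSTART))
```

   Note that a rule asking for the bare context "Admin" with an FQDN
   identity type selects nothing here, because "Admin&&Partner" is a
   single combined value rather than a superset of "Admin".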
   The property is defined as follows:

      NAME          SequenceNumber
      DESCRIPTION   The sequence in which the settings are applied
                    within a configuration set.
      SYNTAX        unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

   The class IKEServiceForEndpoint provides the association showing
   which IKE service, if any, provides IKE negotiation services for
   which network interfaces.  The class definition for
   IKEServiceForEndpoint is as follows:

      NAME          IKEServiceForEndpoint
      DESCRIPTION   Associates an IPProtocolEndpoint with an IKEService
                    that provides negotiation services for the endpoint.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref IKEService[0..1]]
                    Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..1]
   cardinality indicates that an IPProtocolEndpoint instance MUST be
   associated with at most one IKEService instance.

8.13.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IPProtocolEndpoint instance (which is associated with
   at most one IKEService).  The [0..n] cardinality indicates that an
   IKEService instance may be associated with zero or more
   IPProtocolEndpoint instances.

8.14. The Association Class IKEAutostartConfiguration

   The class IKEAutostartConfiguration provides the relationship between
   an IKEService and a configuration set that it uses to automatically
   start a set of SAs.  The class definition for
   IKEAutostartConfiguration is as follows:

      NAME          IKEAutostartConfiguration
      DESCRIPTION   IKEAutostartConfiguration provides the relationship
                    between an IKEService and an
                    AutostartIKEConfiguration that it uses to
                    automatically start a set of SAs.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref AutostartIKEConfiguration [0..n]]
                    Dependent [ref IKEService [0..n]]
                    Active

8.14.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that an AutostartIKEConfiguration instance may be associated with
   zero or more IKEService instances.

8.14.3. The Property Active

   The property Active indicates whether the AutostartIKEConfiguration
   set is currently active for the associated IKEService.  That is, at
   boot time, the active configuration is used to automatically start
   IKE negotiations and create static SAs.  The property is defined as
   follows:

      NAME          Active
      DESCRIPTION   Active indicates whether the
                    AutostartIKEConfiguration set is currently active
                    for the associated IKEService.
      SYNTAX        boolean
      VALUE         true - AutostartIKEConfiguration is currently active
                    for the associated IKEService.
                    false - AutostartIKEConfiguration is currently
                    inactive for the associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

   The class IKEUsesCredentialManagementService defines the set of
   CredentialManagementService(s) that are trusted sources of
   credentials for IKE phase 1 negotiations.  The class definition for
   IKEUsesCredentialManagementService is as follows:

      NAME          IKEUsesCredentialManagementService
      DESCRIPTION   Associates the set of CredentialManagementService(s)
                    that are trusted by the IKEService as sources of
                    credentials used in IKE phase 1 negotiations.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref CredentialManagementService [0..n]]
                    Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a CredentialManagementService instance may be associated with
   zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

   The class EndpointHasLocalIKEIdentity associates an
   IPProtocolEndpoint with a set of IKEIdentity instances that may be
   used in negotiating security associations on the endpoint.  An
   IKEIdentity MUST be associated either with an IPProtocolEndpoint,
   using this association, or with a Collection of IPProtocolEndpoint
   instances, using the CollectionHasLocalIKEIdentity association.  The
   class definition for EndpointHasLocalIKEIdentity is as follows:

      NAME          EndpointHasLocalIKEIdentity
      DESCRIPTION   EndpointHasLocalIKEIdentity associates an
                    IPProtocolEndpoint with a set of IKEIdentity
                    instances.
      DERIVED FROM  ElementAsUser (see [CIMUSER])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref IPProtocolEndpoint [0..1]]
                    Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to an IPProtocolEndpoint instance.  The [0..1]
   cardinality indicates that an IKEIdentity instance MUST be associated
   with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that an IPProtocolEndpoint instance may be
   associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

   The class CollectionHasLocalIKEIdentity associates a Collection of
   IPProtocolEndpoint instances with a set of IKEIdentity instances that
   may be used in negotiating SAs for endpoints in the collection.  An
   IKEIdentity MUST be associated either with an IPProtocolEndpoint,
   using the EndpointHasLocalIKEIdentity association, or with a
   Collection of IPProtocolEndpoint instances, using this association.
   The class definition for CollectionHasLocalIKEIdentity is as follows:

      NAME          CollectionHasLocalIKEIdentity
      DESCRIPTION   CollectionHasLocalIKEIdentity associates a
                    collection of IPProtocolEndpoint instances with a
                    set of IKEIdentity instances.
      DERIVED FROM  ElementAsUser (see [CIMUSER])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref Collection [0..1]]
                    Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to a Collection instance.  The [0..1] cardinality
   indicates that an IKEIdentity instance MUST be associated with at
   most one Collection instance.

8.17.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.
   The [0..n] cardinality indicates that a Collection instance may be
   associated with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

   The class IKEIdentitysCredential is an association that relates a set
   of credentials to their corresponding local IKE Identities.  The
   class definition for IKEIdentitysCredential is as follows:

      NAME          IKEIdentitysCredential
      DESCRIPTION   IKEIdentitysCredential associates a set of
                    credentials to their corresponding local
                    IKEIdentity.
      DERIVED FROM  UsersCredential (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref Credential [0..n]]
                    Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

   The property Antecedent is inherited from UsersCredential and is
   overridden to refer to a Credential instance.  The [0..n] cardinality
   indicates that an IKEIdentity instance may be associated with zero or
   more Credential instances.

8.18.2. The Reference Dependent

   The property Dependent is inherited from UsersCredential and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that a Credential instance may be associated
   with zero or more IKEIdentity instances.

9. Implementation Requirements

   The following table specifies which classes, properties, associations
   and aggregations MUST, SHOULD or MAY be implemented.

   4. Policy Classes
   4.1. The Class IPsecPolicyGroup................................MUST
   4.2. The Class SARule..........................................MUST
   4.2.1. The Property PolicyRuleName..............................MAY
   4.2.1. The Property Enabled....................................MUST
   4.2.1. The Property ConditionListType..........................MUST
   4.2.1. The Property RuleUsage...................................MAY
   4.2.1. The Property Mandatory...................................MAY
   4.2.1. The Property SequencedActions...........................MUST
   4.2.1. The Property PolicyRoles.................................MAY
   4.2.1. The Property PolicyDecisionStrategy......................MAY
   4.2.2. The Property ExecutionStrategy..........................MUST
   4.2.3. The Property LimitNegotiation............................MAY
   4.3. The Class IKERule.........................................MUST
   4.3.1. The Property IdentityContexts............................MAY
   4.4. The Class IPsecRule.......................................MUST
   4.5. The Association Class IPsecPolicyForEndpoint...............MAY
   4.5.1. The Reference Antecedent................................MUST
   4.5.2. The Reference Dependent.................................MUST
   4.6. The Association Class IPsecPolicyForSystem.................MAY
   4.6.1. The Reference Antecedent................................MUST
   4.6.2. The Reference Dependent.................................MUST
   4.7. The Aggregation Class SARuleInPolicyGroup.................MUST
   4.7.1. The Property Priority.................................SHOULD
   4.7.2. The Reference GroupComponent............................MUST
   4.7.3. The Reference PartComponent.............................MUST
   4.8. The Aggregation Class SAConditionInRule...................MUST
   4.8.1. The Property GroupNumber..............................SHOULD
   4.8.1. The Property ConditionNegated.........................SHOULD
   4.8.2. The Reference GroupComponent............................MUST
   4.8.3. The Reference PartComponent.............................MUST
   4.9. The Aggregation Class PolicyActionInSARule................MUST
   4.9.1. The Reference GroupComponent............................MUST
   4.9.2. The Reference PartComponent.............................MUST
   4.9.3. The Property ActionOrder..............................SHOULD
   5. Condition and Filter Classes
   5.1. The Class SACondition.....................................MUST
   5.2. The Class IPHeadersFilter...............................SHOULD
   5.3. The Class CredentialFilterEntry............................MAY
   5.3.1. The Property MatchFieldName.............................MUST
   5.3.2. The Property MatchFieldValue............................MUST
   5.3.3. The Property CredentialType.............................MUST
   5.4. The Class IPSOFilterEntry..................................MAY
   5.4.1. The Property MatchConditionType.........................MUST
   5.4.2. The Property MatchConditionValue........................MUST
   5.5. The Class PeerIDPayloadFilterEntry.........................MAY
   5.5.1. The Property MatchIdentityType..........................MUST
   5.5.2. The Property MatchIdentityValue.........................MUST
   5.6. The Association Class FilterOfSACondition...............SHOULD
   5.6.1. The Reference Antecedent................................MUST
   5.6.2. The Reference Dependent.................................MUST
   5.7. The Association Class AcceptCredentialFrom.................MAY
   5.7.1. The Reference Antecedent................................MUST
   5.7.2. The Reference Dependent.................................MUST
   6. Action Classes
   6.1. The Class SAAction........................................MUST
   6.1.1. The Property DoActionLogging.............................MAY
   6.1.2. The Property DoPacketLogging.............................MAY
   6.2. The Class SAStaticAction..................................MUST
   6.2.1. The Property LifetimeSeconds............................MUST
   6.3. The Class IPsecBypassAction.............................SHOULD
   6.4. The Class IPsecDiscardAction............................SHOULD
   6.5. The Class IKERejectAction..................................MAY
   6.6. The Class PreconfiguredSAAction...........................MUST
   6.6.1. The Property LifetimeKilobytes..........................MUST
   6.7. The Class PreconfiguredTransportAction....................MUST
   6.8. The Class PreconfiguredTunnelAction.......................MUST
   6.8.1. The Property DFHandling.................................MUST
   6.9. The Class SANegotiationAction.............................MUST
   6.10. The Class IKENegotiationAction...........................MUST
   6.10.1. The Property MinLifetimeSeconds.........................MAY
   6.10.2. The Property MinLifetimeKilobytes.......................MAY
   6.10.3. The Property IdleDurationSeconds........................MAY
   6.11. The Class IPsecAction....................................MUST
   6.11.1. The Property UsePFS....................................MUST
   6.11.2. The Property UseIKEGroup................................MAY
   6.11.3. The Property GroupId...................................MUST
   6.11.4. The Property Granularity.............................SHOULD
   6.11.5. The Property VendorID...................................MAY
   6.12. The Class IPsecTransportAction...........................MUST
   6.13. The Class IPsecTunnelAction..............................MUST
   6.13.1. The Property DFHandling................................MUST
   6.14. The Class IKEAction......................................MUST
   6.14.1. The Property ExchangeMode.............................MUST
   6.14.2. The Property UseIKEIdentityType........................MUST
   6.14.3. The Property VendorID...................................MAY
   6.14.4. The Property AggressiveModeGroupId......................MAY
   6.15. The Class PeerGateway....................................MUST
   6.15.1. The Property Name....................................SHOULD
   6.15.2. The Property PeerIdentityType..........................MUST
   6.15.3. The Property PeerIdentity..............................MUST
   6.16. The Association Class PeerGatewayForTunnel...............MUST
   6.16.1. The Reference Antecedent...............................MUST
   6.16.2. The Reference Dependent................................MUST
   6.16.3. The Property SequenceNumber..........................SHOULD
   6.17. The Aggregation Class ContainedProposal..................MUST
   6.17.1. The Reference GroupComponent...........................MUST
   6.17.2. The Reference PartComponent............................MUST
   6.17.3. The Property SequenceNumber............................MUST
   6.18. The Association Class HostedPeerGatewayInformation........MAY
   6.18.1. The Reference Antecedent...............................MUST
   6.18.2. The Reference Dependent................................MUST
   6.19. The Association Class TransformOfPreconfiguredAction.....MUST
   6.19.1. The Reference Antecedent...............................MUST
   6.19.2. The Reference Dependent................................MUST
   6.19.3. The Property SPI.......................................MUST
   6.19.4. The Property Direction.................................MUST
   6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
   6.20.1. The Reference Antecedent...............................MUST
   6.20.2. The Reference Dependent................................MUST
   7. Proposal and Transform Classes
   7.1. The Abstract Class SAProposal.............................MUST
   7.1.1. The Property Name.....................................SHOULD
   7.2. The Class IKEProposal.....................................MUST
   7.2.1. The Property CipherAlgorithm............................MUST
   7.2.2. The Property HashAlgorithm..............................MUST
   7.2.3. The Property PRFAlgorithm................................MAY
   7.2.4. The Property GroupId....................................MUST
   7.2.5. The Property AuthenticationMethod.......................MUST
   7.2.6. The Property MaxLifetimeSeconds.........................MUST
   7.2.7. The Property MaxLifetimeKilobytes.......................MUST
   7.2.8. The Property VendorID....................................MAY
   7.3. The Class IPsecProposal...................................MUST
   7.4. The Abstract Class SATransform............................MUST
   7.4.1. The Property TransformName............................SHOULD
   7.4.2. The Property VendorID....................................MAY
   7.4.3. The Property MaxLifetimeSeconds.........................MUST
   7.4.4. The Property MaxLifetimeKilobytes.......................MUST
   7.5. The Class AHTransform.....................................MUST
   7.5.1. The Property AHTransformId..............................MUST
   7.5.2. The Property UseReplayPrevention.........................MAY
   7.5.3. The Property ReplayPreventionWindowSize..................MAY
   7.6. The Class ESPTransform....................................MUST
   7.6.1. The Property IntegrityTransformId.......................MUST
   7.6.2. The Property CipherTransformId..........................MUST
   7.6.3. The Property CipherKeyLength.............................MAY
   7.6.4. The Property CipherKeyRounds.............................MAY
   7.6.5. The Property UseReplayPrevention.........................MAY
   7.6.6. The Property ReplayPreventionWindowSize..................MAY
   7.7. The Class IPCOMPTransform..................................MAY
   7.7.1. The Property Algorithm..................................MUST
   7.7.2. The Property DictionarySize..............................MAY
   7.7.3. The Property PrivateAlgorithm............................MAY
   7.8. The Association Class SAProposalInSystem...................MAY
   7.8.1.
The Reference Antecedent................................MUST 3866 7.8.2. The Reference Dependent.................................MUST 3867 7.9. The Aggregation Class ContainedTransform..................MUST 3868 7.9.1. The Reference GroupComponent............................MUST 3869 7.9.2. The Reference PartComponent.............................MUST 3870 7.9.3. The Property SequenceNumber.............................MUST 3871 7.10. The Association Class SATransformInSystem.................MAY 3872 7.10.1. The Reference Antecedent...............................MUST 3873 7.10.2. The Reference Dependent................................MUST 3874 8. IKE Service and Identity Classes 3875 8.1. The Class IKEService.......................................MAY 3876 8.2. The Class PeerIdentityTable................................MAY 3877 8.3.1. The Property Name.....................................SHOULD 3878 8.3. The Class PeerIdentityEntry................................MAY 3879 8.3.1. The Property PeerIdentity.............................SHOULD 3880 8.3.2. The Property PeerIdentityType.........................SHOULD 3881 8.3.3. The Property PeerAddress..............................SHOULD 3882 8.3.4. The Property PeerAddressType..........................SHOULD 3883 8.4. The Class AutostartIKEConfiguration........................MAY 3884 8.5. The Class AutostartIKESetting..............................MAY 3885 8.5.1. The Property Phase1Only..................................MAY 3886 8.5.2. The Property AddressType..............................SHOULD 3887 8.5.3. The Property SourceAddress..............................MUST 3888 8.5.4. The Property SourcePort.................................MUST 3889 8.5.5. The Property DestinationAddress.........................MUST 3890 8.5.6. The Property DestinationPort............................MUST 3891 8.5.7. The Property Protocol...................................MUST 3892 8.6. 
The Class IKEIdentity......................................MAY 3893 8.6.1. The Property IdentityType...............................MUST 3894 8.6.2. The Property IdentityValue..............................MUST 3895 8.6.3. The Property IdentityContexts............................MAY 3896 8.7. The Association Class HostedPeerIdentityTable..............MAY 3897 8.7.1. The Reference Antecedent................................MUST 3898 8.7.2. The Reference Dependent.................................MUST 3899 8.8. The Aggregation Class PeerIdentityMember...................MAY 3900 8.8.1. The Reference Collection................................MUST 3901 8.8.2. The Reference Member....................................MUST 3902 8.9. The Association Class IKEServicePeerGateway................MAY 3903 8.9.1. The Reference Antecedent................................MUST 3904 8.9.2. The Reference Dependent.................................MUST 3905 8.10. The Association Class IKEServicePeerIdentityTable.........MAY 3906 8.10.1. The Reference Antecedent...............................MUST 3907 8.10.2. The Reference Dependent................................MUST 3908 8.11. The Association Class IKEAutostartSetting.................MAY 3909 8.11.1. The Reference Element..................................MUST 3910 8.11.2. The Reference Setting..................................MUST 3911 8.12. The Aggregation Class AutostartIKESettingContext..........MAY 3912 8.12.1. The Reference Context..................................MUST 3913 8.12.2. The Reference Setting..................................MUST 3914 8.12.3. The Property SequenceNumber..........................SHOULD 3915 8.13. The Association Class IKEServiceForEndpoint...............MAY 3916 8.13.1. The Reference Antecedent...............................MUST 3917 8.13.2. The Reference Dependent................................MUST 3918 8.14. The Association Class IKEAutostartConfiguration...........MAY 3919 8.14.1. 
The Reference Antecedent...............................MUST 3920 8.14.2. The Reference Dependent................................MUST 3921 8.14.3. The Property Active..................................SHOULD 3922 8.15. The Association Class IKEUsesCredentialManagementService..MAY 3923 8.15.1. The Reference Antecedent...............................MUST 3924 8.15.2. The Reference Dependent................................MUST 3925 8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY 3926 8.16.1. The Reference Antecedent...............................MUST 3927 8.16.2. The Reference Dependent................................MUST 3928 8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY 3929 8.17.1. The Reference Antecedent...............................MUST 3930 8.17.2. The Reference Dependent................................MUST 3931 8.18. The Association Class IKEIdentitysCredential..............MAY 3932 8.18.1. The Reference Antecedent...............................MUST 3933 8.18.2. The Reference Dependent................................MUST 3935 10. Security Considerations 3937 This document describes a schema for IPsec policy. It does not 3938 detail security requirements for storage or delivery of said schema. 3939 Storage and delivery security requirements should be detailed in a 3940 comprehensive security policy architecture document. 3942 11. Intellectual Property 3944 The IETF takes no position regarding the validity or scope of any 3945 intellectual property or other rights that might be claimed to 3946 pertain to the implementation or use of the technology described in 3947 this document or the extent to which any license under such rights 3948 might or might not be available; neither does it represent that it 3949 has made any effort to identify any such rights. Information on the 3950 IETF's procedures with respect to rights in standards-track and 3951 standards-related documentation can be found in BCP-11. 
Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

12. Acknowledgments

The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire, Vic Lortz, William Dixon, Man Li and Ricky Charlet for their contributions to this IPsec policy model.

Additionally, this draft would not have been possible without the preceding IPsec schema drafts. For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan.

13. References

[IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.

[COMP] Shacham, A., R. Monsour, R. Pereira, and M. Thomas, "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

[ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.

[AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.

[PCIM] Moore, B., E. Ellesson, and J. Strassner, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001.

[PCIME] Moore, B., L. Rafalow, Y. Ramberg, Y. Snir, A. Westerinen, R. Chadha, M. Brunner, R. Cohen, and J. Strassner, "Policy Core Information Model Extensions", draft-ietf-policy-pcim-ext-05.txt, October 2001. Internet-Draft, work in progress.

[DOI] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.

[LDAP] Wahl, M., T. Howes, and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.

[COPS] Boyle, J., R. Cohen, D. Durham, S. Herzog, R. Rajan, and A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000.

[COPSPR] Chan, K., D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. Reichmeyer, J. Seligson, A. Smith, and R. Yavatkar, "COPS Usage for Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000. Internet-Draft, work in progress.

[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[IPSO] Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991.

[IPSEC] Kent, S., and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[DMTF] Distributed Management Task Force, http://www.dmtf.org/

[CIMCORE] DMTF Common Information Model - Core Model v2.5, http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25.mof and http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25_Add.mof

[CIMUSER] DMTF Common Information Model - User-Security Model v2.5, http://www.dmtf.org/var/release/CIM_Schema25/CIM_User25.mof

[CIMNETWORK] DMTF Common Information Model - Network Model v2.5, http://www.dmtf.org/var/release/CIM_Schema25/CIM_Network25.mof

14. Disclaimer

The views and specification herein are those of the authors and are not necessarily those of their employer.
The authors and their employer specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this specification.

15. Authors' Addresses

Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
E-Mail: jamie.jason@intel.com

Lee Rafalow
IBM Corporation, BRQA/502
4205 So. Miami Blvd.
Research Triangle Park, NC 27709
E-mail: rafalow@watson.ibm.com

Eric Vyncke
Cisco Systems
Avenue Marcel Thiry, 77
B-1200 Brussels
Belgium
E-mail: evyncke@cisco.com

16. Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.