Internet Engineering Task Force                              Jamie Jason
INTERNET DRAFT                                         Intel Corporation
August 2002                                                  Lee Rafalow
                                                                     IBM
                                                             Eric Vyncke
                                                           Cisco Systems

                     IPsec Configuration Policy Model
                 draft-ietf-ipsp-config-policy-model-06.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document presents an object-oriented information model of IPsec
   policy designed to:

   o  facilitate agreement about the content and semantics of IPsec
      policy

   o  enable derivations of task-specific representations of IPsec
      policy such as storage schema, distribution representations,
      and policy specification languages used to configure IPsec-
      enabled endpoints

   The information model described in this document models the
   configuration parameters defined by the IP Security protocol [COMP,
   ESP, AH]. The information model also covers the parameters found in
   the Internet Key Exchange [DOI, IKE] protocol. Other key exchange
   protocols could be easily added to the information model by a simple
   extension.
   Other extensions can further be added easily due to the
   object-oriented nature of the model.

   This information model is based upon the core policy classes as
   defined in the Policy Core Information Model (PCIM) [PCIM] and on
   the Policy Core Information Model Extensions (PCIMe) [PCIME].

Table of Contents

   Status of this Memo
   Abstract
   Table of Contents
   1. Introduction
   2. UML Conventions
   3. IPsec Policy Model Inheritance Hierarchy
   4. Policy Classes
   4.1. The Class IPsecPolicyGroup
   4.2. The Class SARule
   4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
          RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
          PolicyDecisionStrategy
   4.2.2. The Property ExecutionStrategy
   4.2.3. The Property LimitNegotiation
   4.3. The Class IKERule
   4.3.1. The Property IdentityContexts
   4.4. The Class IPsecRule
   4.5. The Association Class IPsecPolicyForEndpoint
   4.5.1. The Reference Antecedent
   4.5.2. The Reference Dependent
   4.6. The Association Class IPsecPolicyForSystem
   4.6.1. The Reference Antecedent
   4.6.2. The Reference Dependent
   4.7. The Aggregation Class SARuleInPolicyGroup
   4.7.1. The Property Priority
   4.7.2. The Reference GroupComponent
   4.7.3. The Reference PartComponent
   4.8. The Aggregation Class SAConditionInRule
   4.8.1. The Properties GroupNumber and ConditionNegated
   4.8.2. The Reference GroupComponent
   4.8.3. The Reference PartComponent
   4.9. The Aggregation Class PolicyActionInSARule
   4.9.1. The Reference GroupComponent
   4.9.2. The Reference PartComponent
   4.9.3. The Property ActionOrder
   5. Condition and Filter Classes
   5.1. The Class SACondition
   5.2. The Class IPHeadersFilter
   5.3. The Class CredentialFilterEntry
   5.3.1. The Property MatchFieldName
   5.3.2. The Property MatchFieldValue
   5.3.3. The Property CredentialType
   5.4. The Class IPSOFilterEntry
   5.4.1. The Property MatchConditionType
   5.4.2. The Property MatchConditionValue
   5.5. The Class PeerIDPayloadFilterEntry
   5.5.1. The Property MatchIdentityType
   5.5.2. The Property MatchIdentityValue
   5.6. The Association Class FilterOfSACondition
   5.6.1. The Reference Antecedent
   5.6.2. The Reference Dependent
   5.7. The Association Class AcceptCredentialFrom
   5.7.1. The Reference Antecedent
   5.7.2. The Reference Dependent
   6. Action Classes
   6.1. The Class SAAction
   6.1.1. The Property DoActionLogging
   6.1.2. The Property DoPacketLogging
   6.2. The Class SAStaticAction
   6.2.1. The Property LifetimeSeconds
   6.3. The Class IPsecBypassAction
   6.4. The Class IPsecDiscardAction
   6.5. The Class IKERejectAction
   6.6. The Class PreconfiguredSAAction
   6.6.1. The Property LifetimeKilobytes
   6.7. The Class PreconfiguredTransportAction
   6.8. The Class PreconfiguredTunnelAction
   6.8.1. The Property DFHandling
   6.9. The Class SANegotiationAction
   6.10. The Class IKENegotiationAction
   6.10.1. The Property MinLifetimeSeconds
   6.10.2. The Property MinLifetimeKilobytes
   6.10.3. The Property IdleDurationSeconds
   6.11. The Class IPsecAction
   6.11.1. The Property UsePFS
   6.11.2. The Property UseIKEGroup
   6.11.3. The Property GroupId
   6.11.4. The Property Granularity
   6.11.5. The Property VendorID
   6.12. The Class IPsecTransportAction
   6.13. The Class IPsecTunnelAction
   6.13.1. The Property DFHandling
   6.14. The Class IKEAction
   6.14.1. The Property ExchangeMode
   6.14.2. The Property UseIKEIdentityType
   6.14.3. The Property VendorID
   6.14.4. The Property AggressiveModeGroupId
   6.15. The Class PeerGateway
   6.15.1. The Property Name
   6.15.2. The Property PeerIdentityType
   6.15.3. The Property PeerIdentity
   6.16. The Association Class PeerGatewayForTunnel
   6.16.1. The Reference Antecedent
   6.16.2. The Reference Dependent
   6.16.3. The Property SequenceNumber
   6.17. The Aggregation Class ContainedProposal
   6.17.1. The Reference GroupComponent
   6.17.2. The Reference PartComponent
   6.17.3. The Property SequenceNumber
   6.18. The Association Class HostedPeerGatewayInformation
   6.18.1. The Reference Antecedent
   6.18.2. The Reference Dependent
   6.19. The Association Class TransformOfPreconfiguredAction
   6.19.1. The Reference Antecedent
   6.19.2. The Reference Dependent
   6.19.3. The Property SPI
   6.19.4. The Property Direction
   6.20. The Association Class PeerGatewayForPreconfiguredTunnel
   6.20.1. The Reference Antecedent
   6.20.2. The Reference Dependent
   7. Proposal and Transform Classes
   7.1. The Abstract Class SAProposal
   7.1.1. The Property Name
   7.2. The Class IKEProposal
   7.2.1. The Property CipherAlgorithm
   7.2.2. The Property HashAlgorithm
   7.2.3. The Property PRFAlgorithm
   7.2.4. The Property GroupId
   7.2.5. The Property AuthenticationMethod
   7.2.6. The Property MaxLifetimeSeconds
   7.2.7. The Property MaxLifetimeKilobytes
   7.2.8. The Property VendorID
   7.3. The Class IPsecProposal
   7.4. The Abstract Class SATransform
   7.4.1. The Property CommonName
   7.4.2. The Property VendorID
   7.4.3. The Property MaxLifetimeSeconds
   7.4.4. The Property MaxLifetimeKilobytes
   7.5. The Class AHTransform
   7.5.1. The Property AHTransformId
   7.5.2. The Property UseReplayPrevention
   7.5.3. The Property ReplayPreventionWindowSize
   7.6. The Class ESPTransform
   7.6.1. The Property IntegrityTransformId
   7.6.2. The Property CipherTransformId
   7.6.3. The Property CipherKeyLength
   7.6.4. The Property CipherKeyRounds
   7.6.5. The Property UseReplayPrevention
   7.6.6. The Property ReplayPreventionWindowSize
   7.7. The Class IPCOMPTransform
   7.7.1. The Property Algorithm
   7.7.2. The Property DictionarySize
   7.7.3. The Property PrivateAlgorithm
   7.8. The Association Class SAProposalInSystem
   7.8.1. The Reference Antecedent
   7.8.2. The Reference Dependent
   7.9. The Aggregation Class ContainedTransform
   7.9.1. The Reference GroupComponent
   7.9.2. The Reference PartComponent
   7.9.3. The Property SequenceNumber
   7.10. The Association Class SATransformInSystem
   7.10.1. The Reference Antecedent
   7.10.2. The Reference Dependent
   8. IKE Service and Identity Classes
   8.1. The Class IKEService
   8.2. The Class PeerIdentityTable
   8.2.1. The Property Name
   8.3. The Class PeerIdentityEntry
   8.3.1. The Property PeerIdentity
   8.3.2. The Property PeerIdentityType
   8.3.3. The Property PeerAddress
   8.3.4. The Property PeerAddressType
   8.4. The Class AutostartIKEConfiguration
   8.5. The Class AutostartIKESetting
   8.5.1. The Property Phase1Only
   8.5.2. The Property AddressType
   8.5.3. The Property SourceAddress
   8.5.4. The Property SourcePort
   8.5.5. The Property DestinationAddress
   8.5.6. The Property DestinationPort
   8.5.7. The Property Protocol
   8.6. The Class IKEIdentity
   8.6.1. The Property IdentityType
   8.6.2. The Property IdentityValue
   8.6.3. The Property IdentityContexts
   8.7. The Association Class HostedPeerIdentityTable
   8.7.1. The Reference Antecedent
   8.7.2. The Reference Dependent
   8.8. The Aggregation Class PeerIdentityMember
   8.8.1. The Reference Collection
   8.8.2. The Reference Member
   8.9. The Association Class IKEServicePeerGateway
   8.9.1. The Reference Antecedent
   8.9.2. The Reference Dependent
   8.10. The Association Class IKEServicePeerIdentityTable
   8.10.1. The Reference Antecedent
   8.10.2. The Reference Dependent
   8.11. The Association Class IKEAutostartSetting
   8.11.1. The Reference Element
   8.11.2. The Reference Setting
   8.12. The Aggregation Class AutostartIKESettingContext
   8.12.1. The Reference Context
   8.12.2. The Reference Setting
   8.12.3. The Property SequenceNumber
   8.13. The Association Class IKEServiceForEndpoint
   8.13.1. The Reference Antecedent
   8.13.2. The Reference Dependent
   8.14. The Association Class IKEAutostartConfiguration
   8.14.1. The Reference Antecedent
   8.14.2. The Reference Dependent
   8.14.3. The Property Active
   8.15. The Association Class IKEUsesCredentialManagementService
   8.15.1. The Reference Antecedent
   8.15.2. The Reference Dependent
   8.16. The Association Class EndpointHasLocalIKEIdentity
   8.16.1. The Reference Antecedent
   8.16.2. The Reference Dependent
   8.17. The Association Class CollectionHasLocalIKEIdentity
   8.17.1. The Reference Antecedent
   8.17.2. The Reference Dependent
   8.18. The Association Class IKEIdentitysCredential
   8.18.1. The Reference Antecedent
   8.18.2. The Reference Dependent
   9. Implementation Requirements
   10. Security Considerations
   11. Intellectual Property
   12. Acknowledgments
   13. References
   14. Disclaimer
   15. Authors' Addresses
   16. Full Copyright Statement

1. Introduction

   IP security (IPsec) policy may assume a variety of forms as it
   travels from storage to distribution point to decision point. At
   each step, it needs to be represented in a way that is convenient for
   the current task. For example, the policy could exist as, but is not
   limited to:

   o  a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
      a directory

   o  an on-the-wire representation over a transport protocol like the
      Common Object Policy Service (COPS) [COPS, COPSPR]

   o  a text-based policy specification language suitable for editing
      by an administrator

   o  an Extensible Markup Language (XML) document

   Each of these task-specific representations should be derived from a
   canonical representation that precisely specifies the content and
   semantics of the IPsec policy. This document captures this concept
   and introduces a task-independent canonical representation for IPsec
   policies.

   In order to have a simple information model, this document focuses
   mainly on the existing protocols [COMP, ESP, AH, DOI, IKE]. The
   model can easily be extended if needed due to its object-oriented
   nature.
   This document is organized as follows:

   o  Section 2 provides a quick introduction to the Unified Modeling
      Language (UML) graphical notation conventions used in this
      document.

   o  Section 3 provides the inheritance hierarchy that describes
      where the IPsec policy classes fit into the policy class
      hierarchy already defined by the Policy Core Information Model
      (PCIM) and Policy Core Information Model Extensions (PCIMe).

   o  Sections 4 through 8 describe the classes that make up the IPsec
      policy model.

   o  Section 9 presents the implementation requirements for the
      classes in the model (i.e., the MUST/MAY/SHOULD status).

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

   For this document, a UML static class diagram was chosen as the
   canonical representation for the IPsec policy model. The reason
   behind this decision is that UML provides a graphical, task-
   independent way to model systems. A treatise on the graphical
   notation used in UML is beyond the scope of this document. However,
   given the use of ASCII drawing for UML static class diagrams, a
   description of the notational conventions used in this document is in
   order:

   o  Boxes represent classes, with class names in brackets ([])
      representing an abstract class.

   o  A line that terminates with an arrow (<, >, ^, v) denotes
      inheritance. The arrow always points to the parent class.
      Inheritance can also be called generalization or specialization
      (depending upon the reference point). A base class is a
      generalization of a derived class, and a derived class is a
      specialization of a base class.

   o  Associations are used to model a relationship between two
      classes. Classes that share an association are connected using
      a line. A special kind of association is also used: an
      aggregation. An aggregation models a whole-part relationship
      between two classes. Associations, and therefore aggregations,
      can also be modeled as classes.

   o  A line that begins with an "o" denotes aggregation. Aggregation
      denotes containment in which the contained class and the
      containing class have independent lifetimes.

   o  Next to a line representing an association appears a
      cardinality. Cardinalities indicate the constraints on the
      number of object instances in a set of relationships. Every
      association instance has a single set of references. The
      cardinality indicates the number of instances that may refer to
      a given object instance. The cardinality may be:

      -  a range in the form "lower bound..upper bound" indicating the
         minimum and maximum number of objects.

      -  a number that indicates the exact number of objects.

      -  an asterisk indicating any number of objects, including zero.
         Using an asterisk is shorthand for 0..n.

      -  the letter n indicating from 1 to many. Using the letter n is
         shorthand for 1..n.

   o  A class that has an association may have a "w" next to the line
      representing the association. This is called a weak association
      and is discussed in [PCIM].

   It should be noted that the UML static class diagram presented is a
   conceptual view of IPsec policy designed to aid in understanding.
   It does not necessarily get translated class for class into another
   representation. For example, an LDAP implementation may flatten out
   the representation to fewer classes (because of the inefficiency of
   following references).

3. IPsec Policy Model Inheritance Hierarchy

   Like PCIM and PCIMe from which it is derived, the IPsec Configuration
   Policy Model derives from and uses classes defined in the DMTF [DMTF]
   Common Information Model (CIM).
   The following tree represents the
   inheritance hierarchy for the IPsec policy model classes and how they
   fit into PCIM, PCIMe and the other DMTF models (see Appendices for
   descriptions of classes that are not being introduced as part of the
   IPsec model). CIM classes that are not used as a superclass from
   which to derive new classes but are only referenced are not included
   in this inheritance hierarchy, but can be found in the appropriate
   DMTF document [CIMCORE], [CIMUSER] or [CIMNETWORK].

   ManagedElement (DMTF Core Model - [CIMCORE])
    |
    +--Collection (DMTF Core Model - [CIMCORE])
    |  |
    |  +--PeerIdentityTable
    |
    +--ManagedSystemElement (DMTF Core Model - [CIMCORE])
    |  |
    |  +--LogicalElement (DMTF Core Model - [CIMCORE])
    |     |
    |     +--FilterEntryBase (DMTF Network Model - [CIMNETWORK])
    |     |  |
    |     |  +--CredentialFilterEntry
    |     |  |
    |     |  +--IPHeadersFilter (PCIMe)
    |     |  |
    |     |  +--IPSOFilterEntry
    |     |  |
    |     |  +--PeerIDPayloadFilterEntry
    |     |
    |     +--PeerGateway
    |     |
    |     +--PeerIdentityEntry
    |     |
    |     +--Service (DMTF Core Model - [CIMCORE])
    |        |
    |        +--IKEService
    |
    +--OrganizationalEntity (DMTF User Model - [CIMUSER])
    |  |
    |  +--UserEntity (DMTF User Model - [CIMUSER])
    |     |
    |     +--UsersAccess (DMTF User Model - [CIMUSER])
    |        |
    |        +--IKEIdentity
    |
    +--Policy (PCIM)
    |  |
    |  +--PolicyAction (PCIM)
    |  |  |
    |  |  +--CompoundPolicyAction (PCIMe)
    |  |  |
    |  |  +--SAAction
    |  |     |
    |  |     +--SANegotiationAction
    |  |     |  |
    |  |     |  +--IKENegotiationAction
    |  |     |     |
    |  |     |     +--IKEAction
    |  |     |     |
    |  |     |     +--IPsecAction
    |  |     |        |
    |  |     |        +--IPsecTransportAction
    |  |     |        |
    |  |     |        +--IPsecTunnelAction
    |  |     |
    |  |     +--SAStaticAction
    |  |        |
    |  |        +--IKERejectAction
    |  |        |
    |  |        +--IPsecBypassAction
    |  |        |
    |  |        +--IPsecDiscardAction
    |  |        |
    |  |        +--PreconfiguredSAAction
    |  |           |
    |  |           +--PreconfiguredTransportAction
    |  |           |
    |  |           +--PreconfiguredTunnelAction
    |  |
    |  +--PolicyCondition (PCIM)
    |  |  |
    |  |  +--SACondition
    |  |
    |  +--PolicySet (PCIMe)
    |  |  |
    |  |  +--PolicyGroup (PCIM & PCIMe)
    |  |  |  |
    |  |  |  +--IPsecPolicyGroup
    |  |  |
    |  |  +--PolicyRule (PCIM & PCIMe)
    |  |     |
    |  |     +--SARule
    |  |        |
    |  |        +--IKERule
    |  |        |
    |  |        +--IPsecRule
    |  |
    |  +--SAProposal
    |  |  |
    |  |  +--IKEProposal
    |  |  |
    |  |  +--IPsecProposal
    |  |
    |  +--SATransform
    |     |
    |     +--AHTransform
    |     |
    |     +--ESPTransform
    |     |
    |     +--IPCOMPTransform
    |
    +--Setting (DMTF Core Model - [CIMCORE])
    |  |
    |  +--SystemSetting (DMTF Core Model - [CIMCORE])
    |     |
    |     +--AutostartIKESetting
    |
    +--SystemConfiguration (DMTF Core Model - [CIMCORE])
       |
       +--AutostartIKEConfiguration

   The following tree represents the inheritance hierarchy of the IPsec
   policy model association classes and how they fit into PCIM and the
   other DMTF models (see Appendices for descriptions of association
   classes that are not being introduced as part of the IPsec model).
509 Dependency (DMTF Core Model - [CIMCORE]) 510 | 511 +--AcceptCredentialsFrom 512 | 513 +--ElementAsUser (DMTF User Model - [CIMUSER]) 514 | | 515 | +--EndpointHasLocalIKEIdentity 516 | | 517 | +--CollectionHasLocalIKEIdentity 518 | 519 +--FilterOfSACondition 520 | 521 +--HostedPeerGatewayInformation 522 | 523 +--HostedPeerIdentityTable 524 | 525 +--IKEAutostartConfiguration 526 | 527 +--IKEServiceForEndpoint 528 | 529 +--IKEServicePeerGateway 530 | 531 +--IKEServicePeerIdentityTable 532 | 533 +--IKEUsesCredentialManagementService 534 | 535 +--IPsecPolicyForEndpoint 536 | 537 +--IPsecPolicyForSystem 538 | 539 +--PeerGatewayForPreconfiguredTunnel 540 | 541 +--PeerGatewayForTunnel 542 | 543 +--PolicyInSystem (PCIM) 544 | | 545 | +--SAProposalInSystem 546 | | 547 | +--SATransformInSystem 548 | 549 +--TransformOfPreconfiguredAction 550 | 551 +--UsersCredential (DMTF User Model - [CIMUSER]) 552 | 553 +--IKEIdentitysCredential 555 ElementSetting (DMTF Core Model - [CIMCORE]) 556 | 557 +--IKEAutostartSetting 559 MemberOfCollection (DMTF Core Model - [CIMCORE]) 560 | 561 +--PeerIdentityMember 563 PolicyComponent (PCIM) 564 | 565 +--ContainedProposal 566 | 567 +--ContainedTransform 568 | 569 +--PolicyActionStructure (PCIMe) 570 | | 571 | +--PolicyActionInPolicyRule (PCIM & PCIMe) 572 | | 573 | +--PolicyActionInSARule 574 | 575 +--PolicyConditionStructure (PCIMe) 576 | | 577 | +--PolicyConditionInPolicyRule (PCIM & PCIMe) 578 | | 579 | +--SAConditionInRule 580 | 581 +--PolicySetComponent (PCIMe) 582 | 583 +--SARuleInPolicyGroup 585 SystemSettingContext (DMTF Core Model - [CIMCORE]) 586 | 587 +--AutostartIKESettingContext 589 4. Policy Classes 591 The IPsec policy classes represent the set of policies that are 592 contained on a system. 
   [Figure: class diagram of the policy classes. PolicySet ([PCIMe]) is
   the superclass of PolicyGroup ([PCIM]), which is the superclass of
   IPsecPolicyGroup; SARule is the superclass of IKERule and IPsecRule
   and is linked to SACondition, PolicyAction ([PCIM]) and
   PolicyTimePeriodCondition ([PCIM]); CompoundPolicyAction ([PCIMe])
   is a PolicyAction; IPsecPolicyGroup is linked to IPProtocolEndpoint
   ([CIMNETWORK]) and System ([CIMCORE]). The associations shown are:]

   (a) PolicySetComponent ([PCIMe])
   (b) IPsecPolicyForEndpoint
   (c) IPsecPolicyForSystem
   (d) SARuleInPolicyGroup
   (e) PolicyRuleValidityPeriod ([PCIM])
   (f) SAConditionInRule
   (g) PolicyActionInSARule
   (h) PolicyActionInPolicyAction ([PCIMe])

An IPsecPolicyGroup represents the set of policies that are used on
an interface. This IPsecPolicyGroup SHOULD be associated either
directly with the IPProtocolEndpoint class instance that represents
the interface (via the IPsecPolicyForEndpoint association) or
indirectly (via the IPsecPolicyForSystem association) with the System
that hosts the interface.

The IKE and IPsec rules are used to build or to negotiate the IPsec
SADB. The IPsec rules represent the Security Policy Database. The
SADB itself is not modeled by this document.

The usage of the IKE and IPsec rules can be described as follows (see
also section 6 about actions):

   o  An egress unprotected packet will first be checked against the
      IPsec rules. If a match is found, the SADB will be checked. If
      there is no corresponding IPsec SA in the SADB and IKE
      negotiation is required by the IPsec rule, the corresponding
      IKE rules will be used. The negotiated or preconfigured SA will
      then be installed in the SADB.

   o  An ingress unprotected packet will first be checked against the
      IPsec rules. If a match is found, the SADB will be checked for
      a corresponding IPsec SA. If there is no corresponding IPsec SA
      and a preconfigured SA exists, this preconfigured SA will be
      installed in the IPsec SADB. This behavior should only apply to
      bypass and discard actions.

   o  An ingress protected packet will first be checked against the
      IPsec rules. If a match is found, the SADB will be checked for
      a corresponding IPsec SA. If there is no corresponding IPsec SA
      and a preconfigured SA exists, this preconfigured SA will be
      installed in the IPsec SADB.

   o  An ingress IKE negotiation packet, which is not part of an
      existing IKE SA, will be checked against the IKE rules. The
      SACondition for the IKERule will usually be composed of a
      PeerIDPayloadFilterEntry (typically for an aggressive mode IKE
      negotiation) or an IPHeadersFilter. The negotiated SA will then
      be installed in the SADB.

It is expected that when an IKE negotiation has to be initiated
because an IPsec rule requires it, the set of IKE rules will be
checked. The IKE rules check will be based on the outgoing IKE packet
using IPHeadersFilter entries (typically using the HdrDstAddress
property).

4.1. The Class IPsecPolicyGroup

The class IPsecPolicyGroup serves as a container of either other
IPsecPolicyGroups or a set of SARules.
The class definition for IPsecPolicyGroup is as follows:

   NAME            IPsecPolicyGroup
   DESCRIPTION     Either a set of IPsecPolicyGroups or a set of
                   SARules.
   DERIVED FROM    PolicyGroup (see [PCIM] & [PCIMe])
   ABSTRACT        FALSE
   PROPERTIES      PolicyGroupName (from PolicyGroup)
                   PolicyDecisionStrategy (from PolicySet)
                   PolicyRoles (from PolicySet)

NOTE: for derivations of the schema that are used for policy
distribution to an IPsec device (for example, COPS-PR), the server
may follow all of the PolicySetComponent associations and create one
policy group which is simply a set of all of the IKE rules and a set
of all of the IPsec rules. See the section on the PolicySetComponent
aggregation for information on merging multiple IPsecPolicyGroups.

4.2. The Class SARule

The class SARule serves as a base class for IKERule and IPsecRule.
Even though the class is concrete, it MUST NOT be instantiated. It
defines a common connection point for associations to conditions and
actions for both types of rules. Through its derivation from
PolicyRule, a SARule (and therefore IKERule and IPsecRule) also has
the PolicyRuleValidityPeriod association.

Each valid IPsecPolicyGroup MUST contain SARules that each have a
unique associated priority number in PolicySetComponent.Priority.
The class definition for SARule is as follows:

   NAME            SARule
   DESCRIPTION     A base class for IKERule and IPsecRule.
   DERIVED FROM    PolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT        FALSE
   PROPERTIES      PolicyRuleName (from PolicyRule)
                   Enabled (from PolicyRule)
                   ConditionListType (from PolicyRule)
                   RuleUsage (from PolicyRule)
                   Mandatory (from PolicyRule)
                   SequencedActions (from PolicyRule)
                   ExecutionStrategy (from PolicyRule)
                   PolicyRoles (from PolicySet)
                   PolicyDecisionStrategy (from PolicySet)
                   LimitNegotiation

4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
       RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
       PolicyDecisionStrategy

For a description of these properties, see [PCIM] and [PCIMe].

In SARule subclass instances:

   - if the property Mandatory exists, it MUST be set to "true"
   - if the property SequencedActions exists, it MUST be set to
     "mandatory"
   - the property PolicyRoles is not used in the device-level model
   - if the property PolicyDecisionStrategy exists, it must be set to
     "FirstMatching"

4.2.2. The Property ExecutionStrategy

The ExecutionStrategy properties in the PolicyRule subclasses (and in
the CompoundPolicyAction class) determine the behavior of the
contained actions. It defines the strategy to be used in executing
the sequenced actions aggregated by a rule or a compound action. In
the case of actions within a rule, the PolicyActionInSARule
aggregation is used to collect the actions into an ordered set; in
the case of a compound action, the PolicyActionInPolicyAction
aggregation is used to collect the actions into an ordered subset.

There are three execution strategies: do until success, do all and
do until failure.

"Do Until Success" causes the execution of actions according to the
ActionOrder property in the aggregation instances until a single
action executes successfully. These actions may be evaluated to
determine if they are appropriate to execute rather than blindly
trying each of the actions until one succeeds. For an initiator,
they are tried in the ActionOrder until the list is exhausted or one
completes successfully. For example, an IKE initiator may have
several IKEActions for the same SACondition. The initiator will try
all IKEActions in the order defined by ActionOrder. That is, it may
try several phase 1 negotiations, possibly with different modes (main
mode then aggressive mode) and/or with multiple IKE peers. For a
responder, when there is more than one action in a rule with the "do
until success" execution strategy, this provides alternative actions
depending on the received proposals. For example, the same IKERule
may be used to handle aggressive mode and main mode negotiations with
different actions. The responder uses the first appropriate action in
the list of actions.

"Do All" causes the execution of all of the actions in the aggregated
set according to their defined order. The execution continues
regardless of failures.

"Do Until Failure" causes the execution of all actions according to
the predefined order until the first failure in the execution of an
action instance. Please note that if all actions are successful then
the aggregated result is a failure. This execution strategy is
inherited from [PCIMe] and is not expected to be of any use for IPsec
configuration.

For example, in a nested SAs case the actions of an initiator's rule
might be structured as:

   IPsecRule.ExecutionStrategy='Do All'
   |
   +---1--- IPsecTunnelAction     // set up SA from host to gateway
   |
   +---2--- IPsecTransportAction  // set up SA from host through
                                  // tunnel to remote host

Another example, showing a rule with fallback actions, might be
structured as:

   IPsecRule.ExecutionStrategy='Do Until Success'
   |
   +---6--- IPsecTransportAction  // negotiate SA with peer
   |
   +---9--- IPsecBypassAction     // but if you must, allow in the clear

The CompoundPolicyAction class (see [PCIMe]) may be used in
constructing the actions of IKE and IPsec rules when those rules
specify both multiple actions and fallback actions. The
ExecutionStrategy property in CompoundPolicyAction is used in
conjunction with that in the PolicyRule.
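As an added example (not code from the draft), the following Python evaluates the three execution strategies above over a rule's ordered actions, including a CompoundPolicyAction nested inside a rule, and also derives the IPsec selectors for a "Do All" chain of IPsecActions as described later in this section; the action outcomes, the peer_address attribute and all addresses are constructed for the example.

```python
"""Added example, not part of the IPsec policy model draft: an evaluator for
the ExecutionStrategy semantics of section 4.2.2 (rule and nested
CompoundPolicyAction) and the "Do All" selector derivation. The action
outcomes and all addresses below are constructed test data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

DO_UNTIL_SUCCESS = "Do Until Success"
DO_ALL = "Do All"
DO_UNTIL_FAILURE = "Do Until Failure"


@dataclass
class SAAction:
    """Leaf action (IPsecTunnelAction, IPsecTransportAction, ...). 'outcome'
    stands in for the result the action produces when executed. 'peer_address'
    is the PeerGateway address of a tunnel action; giving a transport action
    the remote host address is an assumption of this example, since the model
    only attaches a PeerGateway to tunnel actions."""
    kind: str
    outcome: bool
    peer_address: Optional[str] = None
    granularity: str = "as-filter"     # stands in for IPsecAction.Granularity


@dataclass
class CompoundPolicyAction:
    """Nested aggregation (PolicyActionInPolicyAction) with its own strategy."""
    strategy: str
    actions: List[Tuple[int, "Action"]]   # (ActionOrder, action) pairs


Action = Union[SAAction, CompoundPolicyAction]


def execute(strategy: str, ordered: List[Tuple[int, Action]], log: List[str]) -> bool:
    """Run the (ActionOrder, action) pairs under 'strategy' and return the
    aggregated result. ActionOrder values must be unique (section 4.9.3);
    lower values run first. Every leaf that actually runs is appended to log."""
    orders = [order for order, _ in ordered]
    if len(set(orders)) != len(orders):
        raise ValueError("ActionOrder values must be unique within an aggregation")
    results: List[bool] = []
    for _, action in sorted(ordered, key=lambda pair: pair[0]):
        ok = run_one(action, log)
        results.append(ok)
        if strategy == DO_UNTIL_SUCCESS and ok:
            return True          # first success ends the sequence
        if strategy == DO_UNTIL_FAILURE and not ok:
            return True          # assumption: the first failure is the stop
                                 # condition and counts as the aggregated
                                 # success, mirroring Do Until Success
    if strategy == DO_UNTIL_SUCCESS:
        return False             # list exhausted without a success
    if strategy == DO_UNTIL_FAILURE:
        return False             # draft: all successful => aggregated failure
    if strategy == DO_ALL:
        return all(results)      # everything ran; any failure is a net failure
    raise ValueError(f"unknown ExecutionStrategy {strategy!r}")


def run_one(action: Action, log: List[str]) -> bool:
    """Execute one leaf (recording it) or recurse into a compound action."""
    if isinstance(action, CompoundPolicyAction):
        return execute(action.strategy, action.actions, log)
    log.append(f"{action.kind}:{action.peer_address}={'ok' if action.outcome else 'fail'}")
    return action.outcome


def do_all_selectors(actions: List[SAAction], local_ip: str,
                     ip_headers_filter: str) -> List[dict]:
    """Selectors for a "Do All" chain of IPsecActions: the last (innermost) SA
    uses the rule's IPHeadersFilter plus the action's Granularity; each earlier
    SA is address-to-address from the local IP to the peer address of the
    following action in the aggregation."""
    selectors = []
    for index, action in enumerate(actions):
        if index == len(actions) - 1:
            selectors.append({"filter": ip_headers_filter,
                              "granularity": action.granularity})
        else:
            selectors.append({"src": local_ip,
                              "dst": actions[index + 1].peer_address,
                              "granularity": "address-to-address"})
    return selectors


def nested_with_fallback_gateway(gateway1_ok: bool) -> Tuple[bool, List[str]]:
    """The draft's "nested SAs with a fallback security gateway" structure:
    Do All over [Do Until Success over (tunnel to gateway1, tunnel to gateway2),
    transport SA through the tunnel to the remote host]."""
    tunnel1 = SAAction("IPsecTunnelAction", gateway1_ok, "192.0.2.1")
    tunnel2 = SAAction("IPsecTunnelAction", True, "192.0.2.2")
    transport = SAAction("IPsecTransportAction", True, "198.51.100.7")
    rule = [(1, CompoundPolicyAction(DO_UNTIL_SUCCESS, [(1, tunnel1), (2, tunnel2)])),
            (2, transport)]
    log: List[str] = []
    return execute(DO_ALL, rule, log), log


if __name__ == "__main__":
    print(nested_with_fallback_gateway(False))
    print(do_all_selectors([SAAction("IPsecTunnelAction", True, "192.0.2.1"),
                            SAAction("IPsecTransportAction", True, "198.51.100.7")],
                           "203.0.113.10", "host-to-remote 5-tuple"))
```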
For example, in nesting SAs with a fallback security gateway, the
actions of a rule might be structured as:

   IPsecRule.ExecutionStrategy='Do All'
   |
   +---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success'
   |        |
   |        +---1--- IPsecTunnelAction     // set up SA from host to
   |        |                              // gateway1
   |        |
   |        +---2--- IPsecTunnelAction     // or set up SA to gateway2
   |
   +---2--- IPsecTransportAction           // then set up SA from host
                                           // through tunnel to remote
                                           // host

In the case of "Do All", a couple of actions can be executed
successfully before a subsequent action fails. In this case, some IKE
or IPsec actions may have resulted in the creation of SAs. Even if
the net effect of the aggregated actions is failure, those created
SAs MAY be kept or MAY be deleted.

In the case of "Do All", the IPsec selectors to be used during IPsec
SA negotiation are:

   - for the last IPsecAction of the aggregation (i.e., usually the
     innermost IPsec SA): the combination of the IPH eadersFilter class
     and of the Granularity property of the IPsecAction;

   - for all other IPsecActions of the aggregation: the selector has
     the local IP address as source IP address and the PeerGateway IP
     address of the following IPsecAction of the "Do All" aggregation
     as destination IP address. NB: the granularity is IP address to
     IP address.

If the above behavior is not desirable, the alternative is to define
several SARules, one for each IPsec SA to be built. This will allow
the definition of specific IPsec selectors for all IPsecActions.

4.2.3. The Property LimitNegotiation

The property LimitNegotiation is used as part of processing either an
IKE or an IPsec rule.
Before proceeding with a phase 1 negotiation, this property is
checked to determine if the negotiation role of the rule matches that
defined for the negotiation being undertaken (e.g., Initiator,
Responder, or Both). If this check fails (e.g., the current role is
IKE responder while the rule specifies IKE initiator), then the IKE
negotiation is stopped. Note that this only applies to new IKE phase
1 negotiations and has no effect on either renegotiation or refresh
operations with peers for which an established SA already exists.

Before proceeding with a phase 2 negotiation, the LimitNegotiation
property of the IPsecRule is first checked to determine if the
negotiation role indicated for the rule matches that of the current
negotiation (Initiator, Responder, or Either). Note that this limit
applies only to new phase 2 negotiations. It is ignored when an
attempt is made to refresh an expiring SA (either side can initiate a
refresh operation). The IKE system can determine that the
negotiation is a refresh operation by checking to see if the selector
information matches that of an existing SA. If LimitNegotiation does
not match and the selector corresponds to a new SA, the negotiation
is stopped.

The property is defined as follows:

   NAME            LimitNegotiation
   DESCRIPTION     Limits the role to be undertaken during
                   negotiation.
   SYNTAX          unsigned 16-bit integer
   VALUE           1 - initiator-only
                   2 - responder-only
                   3 - both

4.3. The Class IKERule

The class IKERule associates Conditions and Actions for IKE phase 1
negotiations. The class definition for IKERule is as follows:

   NAME            IKERule
   DESCRIPTION     Associates Conditions and Actions for IKE phase 1
                   negotiations.
   DERIVED FROM    SARule
   ABSTRACT        FALSE
   PROPERTIES      same as SARule, plus
                   IdentityContexts

4.3.1. The Property IdentityContexts

The IKE service of a security endpoint may have multiple identities
for use in different situations. The combination of the interface
(represented by the IPProtocolEndpoint or by a collection of
IPProtocolEndpoints), the identity type (as specified in the
IKEAction) and the IdentityContexts specifies a unique identity.

The IdentityContexts property specifies the context used to select
the relevant IKE identity for the subsequent IKEAction. A context may
be a VPN name or other identifier for selecting the appropriate
identity for use on the protected IPProtocolEndpoint (or collection
of IPProtocolEndpoints).

IdentityContexts is an array of strings. The multiple values in the
array are logically OR'd together in evaluating the IdentityContexts.
Each value in the array may be the composition of multiple context
names. So, a single value may be a single context name (e.g.,
"CompanyXVPN") or it may be a combination of contexts. When an array
value is a composition, the individual values are logically AND'd
together for evaluation purposes and the syntax is:

   <ContextName>[&&<ContextName>]*

where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). So, for example,
the values "CompanyXVPN", "CompanyYVPN&&TopSecret" and
"CompanyZVPN&&Confidential" mean that, for the appropriate
IPProtocolEndpoint and IdentityType, the contexts are matched if the
identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
"CompanyZVPN&&Confidential".

The property is defined as follows:

   NAME            IdentityContexts
   DESCRIPTION     Specifies the context in which to select the IKE
                   identity.
   SYNTAX          string array

4.4. The Class IPsecRule

The class IPsecRule associates Conditions and Actions for IKE phase 2
negotiations for the IPsec DOI.
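As an added example for the IdentityContexts evaluation of section 4.3.1 (not code from the draft), the following Python builds and parses composed array values, applies the OR-across-values / AND-within-a-value rule, and selects a matching identity; the context names, identity type labels and candidate identities are constructed.

```python
"""Added example, not part of the draft: evaluating an IKERule's
IdentityContexts array (section 4.3.1). Values are OR'd together; a value
composed with "&&" is the AND of its context names, which must appear in
alphabetical (UCS-2 collating) order. Context names, identity type labels
and the candidate identities below are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

SEPARATOR = "&&"


def ucs2_key(name: str) -> List[int]:
    """Sort key for the UCS-2 collating sequence: code point order (Python's
    default str ordering is code point order, which equals UCS-2 order for
    the Basic Multilingual Plane; the explicit key documents the intent)."""
    return [ord(ch) for ch in name]


def compose_value(contexts: Iterable[str]) -> str:
    """Build one well-formed array value from a set of context names."""
    names = sorted(set(contexts), key=ucs2_key)
    if not names or any(not n or SEPARATOR in n for n in names):
        raise ValueError("context names must be non-empty and must not contain '&&'")
    return SEPARATOR.join(names)


def parse_value(value: str) -> FrozenSet[str]:
    """Split one array value into the context names that are AND'd together,
    rejecting empty names and names that are out of the required order."""
    names = value.split(SEPARATOR)
    if any(not n for n in names):
        raise ValueError(f"empty context name in {value!r}")
    if names != sorted(names, key=ucs2_key):
        raise ValueError(f"context names not in alphabetical order: {value!r}")
    return frozenset(names)


def contexts_match(identity_contexts: List[str], identity_has: Iterable[str]) -> bool:
    """True if the identity's contexts satisfy at least one array value (OR
    across values); a composed value needs all of its names (AND within it).
    Assumption of this example: an identity carrying extra contexts still
    satisfies a value whose names it covers."""
    have = frozenset(identity_has)
    return any(parse_value(v) <= have for v in identity_contexts)


@dataclass(frozen=True)
class IKEIdentityCandidate:
    """Constructed stand-in for an IKEIdentity: the identity type the
    IKEAction asks for and the contexts the identity is valid in."""
    name: str
    identity_type: str
    contexts: FrozenSet[str]


def select_identity(identity_contexts: List[str], identity_type: str,
                    candidates: Iterable[IKEIdentityCandidate]) -> Optional[IKEIdentityCandidate]:
    """Pick the first candidate of the required type whose contexts satisfy
    the rule's IdentityContexts, or None when nothing qualifies."""
    for cand in candidates:
        if cand.identity_type == identity_type and contexts_match(identity_contexts, cand.contexts):
            return cand
    return None


# The draft's own example array and some constructed candidate identities.
RULE_CONTEXTS = ["CompanyXVPN", "CompanyYVPN&&TopSecret", "CompanyZVPN&&Confidential"]

CANDIDATES = [
    IKEIdentityCandidate("cert-y-secret", "DER_ASN1_DN", frozenset({"CompanyYVPN", "Secret"})),
    IKEIdentityCandidate("cert-y-topsecret", "DER_ASN1_DN", frozenset({"CompanyYVPN", "TopSecret"})),
    IKEIdentityCandidate("fqdn-x", "FQDN", frozenset({"CompanyXVPN"})),
]

if __name__ == "__main__":
    print(compose_value(["TopSecret", "CompanyYVPN"]))
    print(select_identity(RULE_CONTEXTS, "DER_ASN1_DN", CANDIDATES))
```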
The class definition for IPsecRule is as follows:

   NAME            IPsecRule
   DESCRIPTION     Associates Conditions and Actions for IKE phase 2
                   negotiations for the IPsec DOI.
   DERIVED FROM    SARule
   ABSTRACT        FALSE
   PROPERTIES      same as SARule

4.5. The Association Class IPsecPolicyForEndpoint

The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
a specific network interface. If an IPProtocolEndpoint of a system
does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
then the IPsecPolicyForSystem-associated IPsecPolicyGroup is used for
that endpoint. The class definition for IPsecPolicyForEndpoint is as
follows:

   NAME            IPsecPolicyForEndpoint
   DESCRIPTION     Associates a policy group to a network interface.
   DERIVED FROM    Dependency (see [CIMCORE])
   ABSTRACT        FALSE
   PROPERTIES      Antecedent[ref IPProtocolEndpoint[0..n]]
                   Dependent[ref IPsecPolicyGroup[0..1]]

4.5.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an IPProtocolEndpoint instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may be
associated with zero or more IPProtocolEndpoint instances.

4.5.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IPsecPolicyGroup instance. The [0..1] cardinality
indicates that an IPProtocolEndpoint instance may have an association
to at most one IPsecPolicyGroup instance.

4.6. The Association Class IPsecPolicyForSystem

The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a
specific system. If an IPProtocolEndpoint of a system does not have
an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
IPsecPolicyForSystem-associated IPsecPolicyGroup is used for that
endpoint. The class definition for IPsecPolicyForSystem is as
follows:

   NAME            IPsecPolicyForSystem
   DESCRIPTION     Default policy group for a system.
   DERIVED FROM    Dependency (see [CIMCORE])
   ABSTRACT        FALSE
   PROPERTIES      Antecedent[ref System[0..n]]
                   Dependent[ref IPsecPolicyGroup[0..1]]

4.6.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [0..n] cardinality
indicates that an IPsecPolicyGroup instance may have an association
to zero or more System instances.

4.6.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IPsecPolicyGroup instance. The [0..1] cardinality
indicates that a System instance may have an association to at most
one IPsecPolicyGroup instance.

4.7. The Aggregation Class SARuleInPolicyGroup

The class SARuleInPolicyGroup associates a SARule with the
IPsecPolicyGroup that contains it. The class definition for
SARuleInPolicyGroup is as follows:

   NAME            SARuleInPolicyGroup
   DESCRIPTION     Associates a SARule with the IPsecPolicyGroup that
                   contains it.
   DERIVED FROM    PolicySetComponent (see [PCIMe])
   ABSTRACT        FALSE
   PROPERTIES      Priority (from PolicySetComponent)
                   GroupComponent [ref IPsecPolicyGroup [0..n]]
                   PartComponent [ref SARule [0..n]]

Note: an implementation can easily partition the set of SARules
aggregated by a SARuleInPolicyGroup instance into one subset of
IKERule instances and one subset of IPsecRule instances based on the
class type of the component instances (being either IKERule or
IPsecRule instances).

4.7.1. The Property Priority

For a description of this property, see [PCIMe].

4.7.2. The Reference GroupComponent

The property GroupComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IPsecPolicyGroup instance.
The [0..n] cardinality indicates that a SARule instance may be shared
across multiple IPsecPolicyGroups.

4.7.3. The Reference PartComponent

The property PartComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to a SARule instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may contain
zero or more SARule instances.

4.8. The Aggregation Class SAConditionInRule

The class SAConditionInRule associates an SARule with the SACondition
instance(s) that trigger(s) it. The class definition for
SAConditionInRule is as follows:

   NAME            SAConditionInRule
   DESCRIPTION     Associates an SARule with the SACondition
                   instance(s) that trigger(s) it.
   DERIVED FROM    PolicyConditionInPolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT        FALSE
   PROPERTIES      GroupNumber (from PolicyConditionInPolicyRule)
                   ConditionNegated (from PolicyConditionInPolicyRule)
                   GroupComponent [ref SARule [0..n]]
                   PartComponent [ref SACondition [1..n]]

4.8.1. The Properties GroupNumber and ConditionNegated

For a description of these properties, see [PCIM].

4.8.2. The Reference GroupComponent

The property GroupComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SACondition
instance may be contained in zero or more SARule instances.

Note: the 0 cardinality allows SACondition instances to exist
without being contained in a SARule.

4.8.3. The Reference PartComponent

The property PartComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an
SACondition instance. The [1..n] cardinality indicates that an
SARule instance MUST contain at least one SACondition instance.

4.9. The Aggregation Class PolicyActionInSARule

The PolicyActionInSARule class associates an SARule with one or more
PolicyAction instances. In all cases where an SARule is being used,
the contained actions MUST be either subclasses of SAAction or
instances of CompoundPolicyAction. For an IKERule, the contained
actions MUST be related to phase 1 processing, i.e., IKEAction or
IKERejectAction. Similarly, for an IPsecRule, the contained actions
MUST be related to phase 2 or preconfigured SA processing, e.g.,
IPsecTransportAction, IPsecBypassAction, etc. The class definition
for PolicyActionInSARule is as follows:

   NAME            PolicyActionInSARule
   DESCRIPTION     Associates an SARule with its PolicyAction(s).
   DERIVED FROM    PolicyActionInPolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT        FALSE
   PROPERTIES      GroupComponent [ref SARule [0..n]]
                   PartComponent [ref PolicyAction [1..n]]
                   ActionOrder (from PolicyActionInPolicyRule)

4.9.1. The Reference GroupComponent

The property GroupComponent is inherited from
PolicyActionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SAAction instance
may be contained in zero or more SARule instances.

4.9.2. The Reference PartComponent

The property PartComponent is inherited from PolicyActionInPolicyRule
and is overridden to refer to an SAAction or CompoundPolicyAction
instance. The [1..n] cardinality indicates that an SARule instance
MUST contain at least one SAAction or CompoundPolicyAction instance.

4.9.3. The Property ActionOrder

The property ActionOrder is inherited from the superclass
PolicyActionInPolicyRule. It specifies the relative position of this
PolicyAction in the sequence of actions associated with a PolicyRule.
The ActionOrder MUST be unique so as to provide a deterministic
order.
See section 4.2.2 ExecutionStrategy for a discussion of how the
actions in an SARule are executed and of the use of the ActionOrder
property.

The property is defined as follows:

   NAME            ActionOrder
   DESCRIPTION     Specifies the order of actions.
   SYNTAX          unsigned 16-bit integer
   VALUE           Any value between 1 and 2^16-1 inclusive. Lower
                   values have higher precedence (i.e., 1 is the
                   highest precedence). The merging order of two
                   SAActions with the same precedence is undefined.

5. Condition and Filter Classes

The IPsec condition and filter classes are used to build the "if"
part of the IKE and IPsec rules.

   [Figure: class diagram of the condition and filter classes. An
   SACondition is associated with a FilterList ([CIMNETWORK]) whose
   entries are FilterEntryBase ([CIMNETWORK]) subclasses
   (IPHeadersFilter ([PCIMe]), CredentialFilterEntry, IPSOFilterEntry
   and PeerIDPayloadFilterEntry) and with a CredentialManagementService
   ([CIMUSER]). The associations shown are:]

   (a) FilterOfSACondition
   (b) AcceptCredentialsFrom
   (c) EntriesInFilterList (see [CIMNETWORK])

5.1. The Class SACondition

The class SACondition defines the conditions of rules for IKE and
IPsec negotiations. Conditions are associated with policy rules via
the SAConditionInRule aggregation. The SACondition is used as an
anchor point to associate various types of filters with policy rules
via the FilterOfSACondition association. It also defines whether
Credentials can be accepted for a particular policy rule via the
AcceptCredentialsFrom association.

Associated objects represent components of the condition that may or
may not apply at a given rule evaluation. For example, an
AcceptCredentialsFrom evaluation is only performed when a credential
is available to be evaluated against the list of trusted credential
management services. Similarly, a PeerIDPayloadFilterEntry may only
be evaluated when an IDPayload value is available to compare with the
filter. Condition components that do not have corresponding values
with which to evaluate are evaluated as TRUE unless the protocol has
completed without providing the required information.

The class definition for SACondition is as follows:

   NAME            SACondition
   DESCRIPTION     Defines the preconditions for IKE and IPsec
                   negotiations.
   DERIVED FROM    PolicyCondition (see [PCIM])
   ABSTRACT        FALSE
   PROPERTIES      PolicyConditionName (from PolicyCondition)

5.2. The Class IPHeadersFilter

The class IPHeadersFilter is defined in [PCIMe] with the following
note:

   1) to specify 5-tuple filters that are to apply symmetrically
      (i.e., match traffic in both directions of the same flows, which
      is quite typical for SPD entries for ingress and egress
      traffic), the Direction property of the FilterList SHOULD be set
      to "Mirrored".

5.3. The Class CredentialFilterEntry

The class CredentialFilterEntry defines an equivalence class that
matches credentials of IKE peers. Each CredentialFilterEntry includes
a MatchFieldName that is interpreted according to the
CredentialManagementService(s) associated with the SACondition
(AcceptCredentialsFrom).
These credentials can be X.509 certificates, Kerberos tickets, or
other types of credentials obtained during the Phase 1 exchange.

Note: this filter entry will probably be checked while the IKE
negotiation takes place. If the check fails, then the IKE negotiation
MUST be stopped, and the result of the IKEAction which triggered this
negotiation is a failure.

The class definition for CredentialFilterEntry is as follows:

   NAME            CredentialFilterEntry
   DESCRIPTION     Specifies a match filter based on the IKE
                   credentials.
   DERIVED FROM    FilterEntryBase (see [CIMNETWORK])
   ABSTRACT        FALSE
   PROPERTIES      Name (from FilterEntryBase)
                   IsNegated (from FilterEntryBase)
                   MatchFieldName
                   MatchFieldValue
                   CredentialType

5.3.1. The Property MatchFieldName

The property MatchFieldName specifies the sub-part of the credential
to match against MatchFieldValue. The property is defined as
follows:

   NAME            MatchFieldName
   DESCRIPTION     Specifies which sub-part of the credential to
                   match.
   SYNTAX          string
   VALUE           This is the string representation of an X.509
                   certificate attribute, e.g.:
                   - "serialNumber"
                   - "signatureAlgorithm"
                   - "issuerName"
                   - "subjectName"
                   - "subjectAltName"
                   - ...

5.3.2. The Property MatchFieldValue

The property MatchFieldValue specifies the value to compare with the
MatchFieldName in a credential to determine if the credential matches
this filter entry. The property is defined as follows:

   NAME            MatchFieldValue
   DESCRIPTION     Specifies the value to be matched by the
                   MatchFieldName.
   SYNTAX          string
   VALUE           NB: If the CredentialFilterEntry corresponds to a
                   DistinguishedName, this value in the CIM class is
                   represented by an ordinary string value. However,
                   an implementation must convert this string to a
                   DER-encoded string before matching against the
                   values extracted from credentials at runtime.

A wildcard mechanism can be used in the MatchFieldValue string. E.g.,
if the MatchFieldName is "subjectName" then a MatchFieldValue of
"cn=*,ou=engineering,o=foo,c=be" will successfully match a
certificate whose subject attribute is
"cn=Jane Doe,ou=engineering,o=foo,c=be". The wildcard character '*'
can be used to represent zero or more characters.

5.3.3. The Property CredentialType

The property CredentialType specifies the particular type of
credential that is being matched. The property is defined as
follows:

   NAME            CredentialType
   DESCRIPTION     Defines the type of IKE credentials.
   SYNTAX          unsigned 16-bit integer
   VALUE           1 - X.509 Certificate
                   2 - Kerberos Ticket

5.4. The Class IPSOFilterEntry

The class IPSOFilterEntry is used to match traffic based on the IP
Security Options header values (ClassificationLevel and
ProtectionAuthority) as defined in RFC 1108. This type of filter
entry is used to adjust the IPsec encryption level according to the
IPSO classification of the traffic (e.g., secret, confidential,
restricted, etc.). The class definition for IPSOFilterEntry is as
follows:

   NAME            IPSOFilterEntry
   DESCRIPTION     Specifies a match filter based on IP Security
                   Options.
   DERIVED FROM    FilterEntryBase (see [CIMNETWORK])
   ABSTRACT        FALSE
   PROPERTIES      Name (from FilterEntryBase)
                   IsNegated (from FilterEntryBase)
                   MatchConditionType
                   MatchConditionValue

5.4.1. The Property MatchConditionType

The property MatchConditionType specifies the IPSO header field that
will be matched (e.g., traffic classification level or protection
authority).
   The property is defined as follows:

   NAME              MatchConditionType
   DESCRIPTION       Specifies the IPSO header field to be matched.
   SYNTAX            unsigned 16-bit integer
   VALUE             1 - ClassificationLevel
                     2 - ProtectionAuthority

5.4.2. The Property MatchConditionValue

   The property MatchConditionValue specifies the value of the IPSO
   header field to be matched against.  The property is defined as
   follows:

   NAME              MatchConditionValue
   DESCRIPTION       Specifies the value of the IPSO header field to be
                     matched against.
   SYNTAX            unsigned 16-bit integer
   VALUE             The values MUST be one of the values listed in
                     RFC 1108 (or any further IANA Assigned Numbers
                     document).  Some examples for ClassificationLevel
                     are:
                     61 - TopSecret
                     90 - Secret
                     150 - Confidential
                     171 - Unclassified
                     For ProtectionAuthority, some examples are:
                     0 - GENSER
                     1 - SIOP-ESI
                     2 - SCI
                     3 - NSA
                     4 - DOE

5.5. The Class PeerIDPayloadFilterEntry

   The class PeerIDPayloadFilterEntry defines filters used to match ID
   payload values from the IKE protocol exchange.
   PeerIDPayloadFilterEntry permits the specification of certain ID
   payload values such as "*@company.com" or "193.190.125.0/24".

   Obviously this filter applies only to IKERules when acting as a
   responder.  Moreover, this filter can be applied immediately in the
   case of aggressive mode but its application is to be delayed in the
   case of main mode.  The class definition for PeerIDPayloadFilterEntry
   is as follows:

   NAME              PeerIDPayloadFilterEntry
   DESCRIPTION       Specifies a match filter based on IKE identity.
   DERIVED FROM      FilterEntryBase (see [CIMNETWORK])
   ABSTRACT          FALSE
   PROPERTIES        Name (from FilterEntryBase)
                     IsNegated (from FilterEntryBase)
                     MatchIdentityType
                     MatchIdentityValue

5.5.1. The Property MatchIdentityType

   The property MatchIdentityType specifies the type of identity
   provided by the peer in the ID payload.  The property is defined as
   follows:

   NAME              MatchIdentityType
   DESCRIPTION       Specifies the ID payload type.
   SYNTAX            unsigned 16-bit integer
   VALUE             Consult [DOI] for valid values.

5.5.2. The Property MatchIdentityValue

   The property MatchIdentityValue specifies the filter value for
   comparison with the ID payload, e.g., "*@company.com".  The property
   is defined as follows:

   NAME              MatchIdentityValue
   DESCRIPTION       Specifies the ID payload value.
   SYNTAX            string
   VALUE             NB: The syntax may need to be converted for
                     comparison.  If the PeerIDPayloadFilterEntry type
                     is a DistinguishedName, the name in the
                     MatchIdentityValue property is represented by an
                     ordinary string value, but this value must be
                     converted into a DER-encoded string before matching
                     against the values extracted from IKE ID payloads
                     at runtime.  The same applies to IPv4 & IPv6
                     addresses.

   Different wildcard mechanisms can be used depending on the ID
   payload:

   - a MatchIdentityValue of "*@company.com" will match a user FQDN ID
     payload of "JDOE@COMPANY.COM"

   - a MatchIdentityValue of "*.company.com" will match a FQDN ID
     payload of "WWW.COMPANY.COM"

   - a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will
     match a DER DN ID payload of
     "cn=John Doe,ou=engineering,o=company,c=us"

   - a MatchIdentityValue of "193.190.125.0/24" will match an IPv4
     address ID payload of 193.190.125.10

   - a MatchIdentityValue of "193.190.125.*" will also match an IPv4
     address ID payload of 193.190.125.10.

   The above wildcard mechanisms MUST be supported for all ID payloads
   supported by the local IKE entity.  The character '*' replaces 0 or
   multiple instances of any character.

5.6. The Association Class FilterOfSACondition

   The class FilterOfSACondition associates an SACondition with the
   filter specifications (FilterList) that make up the condition.  The
   class definition for FilterOfSACondition is as follows:

   NAME              FilterOfSACondition
   DESCRIPTION       Associates a condition with the filter list that
                     makes up the individual condition elements.
   DERIVED FROM      Dependency (see [CIMCORE])
   ABSTRACT          FALSE
   PROPERTIES        Antecedent [ref FilterList[1..1]]
                     Dependent [ref SACondition[0..n]]

5.6.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a FilterList instance.  The [1..1]
   cardinality indicates that an SACondition instance MUST be
   associated with one and only one FilterList instance.

5.6.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an SACondition instance.  The [0..n]
   cardinality indicates that a FilterList instance may be associated
   with zero or more SACondition instances.

5.7. The Association Class AcceptCredentialFrom

   The class AcceptCredentialFrom specifies which credential management
   services (e.g., a CertificateAuthority or a Kerberos service) are to
   be trusted to certify peer credentials.  This is used to assure that
   the credential being matched in the CredentialFilterEntry is a valid
   credential that has been supplied by an approved
   CredentialManagementService.  If a CredentialManagementService is
   specified and a corresponding CredentialFilterEntry is used, but the
   credential supplied by the peer is not certified by that
   CredentialManagementService (or one of the
   CredentialManagementServices in its trust hierarchy), the
   CredentialFilterEntry is deemed not to match.
   If a credential is certified by a CredentialManagementService in the
   AcceptCredentialFrom list of services but there is no
   CredentialFilterEntry, this is considered equivalent to a
   CredentialFilterEntry that matches all credentials from those
   services.

   The class definition for AcceptCredentialFrom is as follows:

   NAME              AcceptCredentialFrom
   DESCRIPTION       Associates a condition with the credential
                     management services to be trusted.
   DERIVED FROM      Dependency (see [CIMCORE])
   ABSTRACT          FALSE
   PROPERTIES        Antecedent [ref CredentialManagementService[0..n]]
                     Dependent [ref SACondition[0..n]]

5.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an SACondition instance may be
   associated with zero or more CredentialManagementService instances.

5.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an SACondition instance.  The [0..n]
   cardinality indicates that a CredentialManagementService instance
   may be associated with zero or more SACondition instances.

6. Action Classes

   The action classes are used to model the different actions an IPsec
   device may take when the evaluation of the associated condition
   results in a match.
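   Before the action classes are introduced, the condition-side
   matching rules of sections 5.3.2, 5.5.2 and 5.7 above can be
   restated as code.  The block below is an added example, not part of
   the draft and not taken from any CIM provider: it implements the
   '*' wildcard (zero or more characters, case-insensitive), the
   RDN-by-RDN comparison of a DistinguishedName pattern, the CIDR and
   wildcard forms of an IPv4 address ID payload, and the
   AcceptCredentialFrom gate in front of CredentialFilterEntry.  The
   dataclasses and helper names are this example's own; the numeric ID
   payload types are the IPsec DOI values from RFC 2407; DNs are
   compared as strings here, whereas the draft requires a DER-encoded
   comparison at runtime, and the naive split on ',' does not handle
   escaped commas.

```python
"""Condition-side matching for CredentialFilterEntry (5.3),
PeerIDPayloadFilterEntry (5.5) and AcceptCredentialFrom (5.7).
Added example code; not from the draft or any CIM implementation."""

import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Sequence, Tuple

# ID payload types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV6_ADDR, ID_DER_ASN1_DN = 1, 2, 3, 5, 9

# CredentialType values from 5.3.3.
CRED_X509, CRED_KERBEROS = 1, 2

# MatchFieldName values that hold a DistinguishedName (compared RDN by RDN).
DN_FIELDS = {"subjectName", "issuerName"}


def _wildcard(pattern: str) -> "re.Pattern[str]":
    """'*' stands for zero or more characters; everything else is literal.
    Case-insensitive, so "*@company.com" accepts "JDOE@COMPANY.COM"."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def _match_dn(pattern: str, dn: str) -> bool:
    """Compare a string-form DN against a wildcard pattern one RDN at a time.
    Simplified: splits on ',' (escaped commas are not handled); a real
    implementation compares DER-encoded names as 5.3.2 and 5.5.2 require."""
    want = [rdn.strip() for rdn in pattern.split(",")]
    have = [rdn.strip() for rdn in dn.split(",")]
    return len(want) == len(have) and all(
        _wildcard(w).match(h) is not None for w, h in zip(want, have))


def match_peer_id(id_type: int, pattern: str, payload: str) -> bool:
    """PeerIDPayloadFilterEntry: MatchIdentityType/MatchIdentityValue vs. a
    received ID payload (5.5.2)."""
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        if "/" in pattern:                       # "193.190.125.0/24"
            return ipaddress.ip_address(payload) in ipaddress.ip_network(pattern, strict=False)
        return _wildcard(pattern).match(payload) is not None   # "193.190.125.*"
    if id_type == ID_DER_ASN1_DN:
        return _match_dn(pattern, payload)
    return _wildcard(pattern).match(payload) is not None       # FQDN / user FQDN


@dataclass
class Credential:
    cred_type: int                    # CRED_X509 or CRED_KERBEROS
    fields: Dict[str, str]            # e.g. {"subjectName": "cn=...", "serialNumber": "..."}
    certified_by: Tuple[str, ...]     # CredentialManagementServices in its trust chain


@dataclass
class CredentialFilterEntry:
    match_field_name: str             # 5.3.1
    match_field_value: str            # 5.3.2
    credential_type: int              # 5.3.3
    is_negated: bool = False          # from FilterEntryBase


def credential_entry_matches(entry: CredentialFilterEntry, cred: Credential) -> bool:
    """One CredentialFilterEntry against one credential; IsNegated inverts the result."""
    if cred.cred_type != entry.credential_type:
        matched = False
    else:
        value = cred.fields.get(entry.match_field_name)
        if value is None:
            matched = False
        elif entry.match_field_name in DN_FIELDS:
            matched = _match_dn(entry.match_field_value, value)
        else:
            matched = _wildcard(entry.match_field_value).match(value) is not None
    return matched != entry.is_negated


def condition_accepts_credential(entries: Sequence[CredentialFilterEntry],
                                 cred: Credential,
                                 trusted: Optional[FrozenSet[str]]) -> bool:
    """AcceptCredentialFrom (5.7) combined with the condition's
    CredentialFilterEntries.  `trusted` is None when the SACondition has no
    AcceptCredentialFrom association.  Entries are assumed to be ANDed, as
    the entries of a FilterList are."""
    if trusted is not None and not (set(cred.certified_by) & trusted):
        return False    # not certified by a trusted service: deemed not to match
    if trusted is not None and not entries:
        return True     # trusted issuer and no filter entry: matches all such credentials
    return all(credential_entry_matches(e, cred) for e in entries)
```

   The trust check is treated as a precondition rather than as part of
   the negatable field comparison, so an IsNegated entry never turns an
   untrusted credential into a match; that reading of 5.7 is this
   example's interpretation.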
   The inheritance hierarchy of the action classes, and the
   associations (a) to (e) that connect them to SAProposal, SATransform,
   PeerGateway and System, are as follows:

   SAAction
     SAStaticAction
       IPsecBypassAction
       IPsecDiscardAction
       IKERejectAction
       PreconfiguredSAAction         --(d)-- [SATransform] (2..6)
         PreconfiguredTransportAction
         PreconfiguredTunnelAction   --(e)-- PeerGateway
     SANegotiationAction
       IKENegotiationAction          --(b)-- [SAProposal] (n)
         IPsecAction
           IPsecTransportAction
           IPsecTunnelAction         --(a)-- PeerGateway
         IKEAction

   PeerGateway                       --(c)-- System (see [CIMCORE])

   (a) PeerGatewayForTunnel
   (b) ContainedProposal
   (c) HostedPeerGatewayInformation
   (d) TransformOfPreconfiguredAction
   (e) PeerGatewayForPreconfiguredTunnel

6.1. The Class SAAction

   The class SAAction is abstract and serves as the base class for IKE
   and IPsec actions.  It is used for aggregating different types of
   actions to IKE and IPsec rules.  The class definition for SAAction
   is as follows:

   NAME              SAAction
   DESCRIPTION       The base class for IKE and IPsec actions.
   DERIVED FROM      PolicyAction (see [PCIM])
   ABSTRACT          TRUE
   PROPERTIES        PolicyActionName (from PolicyAction)
                     DoActionLogging
                     DoPacketLogging

6.1.1. The Property DoActionLogging

   The property DoActionLogging specifies whether a log message is to
   be generated when the action is performed.  This applies for
   SANegotiationActions with the meaning of logging a message when the
   negotiation is attempted (with the success or failure result).  This
   also applies for SAStaticAction only for PreconfiguredSAAction with
   the meaning of logging a message when the preconfigured SA is
   actually installed in the SADB.  The property is defined as follows:

   NAME              DoActionLogging
   DESCRIPTION       Specifies whether to log when the action is
                     performed.
   SYNTAX            boolean
   VALUE             true - a log message is to be generated when the
                     action is performed.
                     false - no log message is to be generated when the
                     action is performed.

6.1.2. The Property DoPacketLogging

   The property DoPacketLogging specifies whether a log message is to
   be generated when the resulting security association is used to
   process the packet.  If the SANegotiationAction successfully
   executes and results in the creation of one or several security
   associations, or if the PreconfiguredSAAction executes, the value of
   DoPacketLogging SHOULD be propagated to an optional field of the
   SADB.  This optional field should be used to decide whether a log
   message is to be generated when the SA is used to process a packet.
   For SAStaticActions, a log message is to be generated when the
   IPsecBypassAction, IPsecDiscardAction or IKERejectAction is
   executed.  The property is defined as follows:

   NAME              DoPacketLogging
   DESCRIPTION       Specifies whether to log when the resulting
                     security association is used to process the
                     packet.
   SYNTAX            boolean
   VALUE             true - a log message is to be generated when the
                     resulting security association is used to process
                     the packet.
                     false - no log message is to be generated.

6.2. The Class SAStaticAction

   The class SAStaticAction is abstract and serves as the base class
   for IKE and IPsec actions that do not require any negotiation.  The
   class definition for SAStaticAction is as follows:

   NAME              SAStaticAction
   DESCRIPTION       The base class for IKE and IPsec actions that do
                     not require any negotiation.
   DERIVED FROM      SAAction
   ABSTRACT          TRUE
   PROPERTIES        LifetimeSeconds

6.2.1. The Property LifetimeSeconds

   The property LifetimeSeconds specifies how long the security
   association derived from this action should be used.  The property
   is defined as follows:

   NAME              LifetimeSeconds
   DESCRIPTION       Specifies the amount of time (in seconds) that a
                     security association derived from this action
                     should be used.
   SYNTAX            unsigned 32-bit integer
   VALUE             A value of zero indicates that there is not a
                     lifetime associated with this action (i.e.,
                     infinite lifetime).  A non-zero value is typically
                     used in conjunction with alternate SAActions
                     performed when there is a negotiation failure of
                     some sort.

   Note: if the referenced SAStaticAction object is a
   PreconfiguredSAAction associated with several SATransforms, then the
   actual lifetime of the preconfigured SA will be the lesser of the
   value of this LifetimeSeconds property and of the value of the
   MaxLifetimeSeconds property of the associated SATransform.  If the
   value of this LifetimeSeconds property is zero, then there will be
   no lifetime associated with this SA.

   It is expected that most SAStaticAction instances will have their
   LifetimeSeconds properties set to zero (meaning no expiration of the
   resulting SA).

6.3. The Class IPsecBypassAction

   The class IPsecBypassAction is used when packets are allowed to be
   processed without applying IPsec encapsulation to them.  This is the
   same as stating that packets are allowed to flow in the clear.  The
   class definition for IPsecBypassAction is as follows:

   NAME              IPsecBypassAction
   DESCRIPTION       Specifies that packets are to be allowed to pass
                     in the clear.
   DERIVED FROM      SAStaticAction
   ABSTRACT          FALSE

6.4. The Class IPsecDiscardAction

   The class IPsecDiscardAction is used when packets are to be
   discarded.  This is the same as stating that packets are to be
   denied.  The class definition for IPsecDiscardAction is as follows:

   NAME              IPsecDiscardAction
   DESCRIPTION       Specifies that packets are to be discarded.
   DERIVED FROM      SAStaticAction
   ABSTRACT          FALSE

6.5. The Class IKERejectAction

   The class IKERejectAction is used to prevent attempting an IKE
   negotiation with the peer(s).  The main use of this class is to
   prevent some denial of service attacks when acting as IKE responder.
   It goes beyond a plain discard of UDP/500 IKE packets because the
   SACondition can be based on a specific PeerIDPayloadFilterEntry
   (when aggressive mode is used).  The class definition for
   IKERejectAction is as follows:

   NAME              IKERejectAction
   DESCRIPTION       Specifies that an IKE negotiation should not even
                     be attempted or continued.
   DERIVED FROM      SAStaticAction
   ABSTRACT          FALSE

6.6. The Class PreconfiguredSAAction

   The class PreconfiguredSAAction is used to create a security
   association using preconfigured, hard-wired algorithms and keys.
   Notes:

   - the SPI for a PreconfiguredSAAction is contained in the
     association, TransformOfPreconfiguredAction;

   - the session key (if applicable) is contained in an instance of
     the class SharedSecret (see [CIMUSER]).  The session key is
     stored in the property Secret, the property protocol contains
     either "ESP-encrypt", "ESP-auth" or "AH", the property
     algorithm contains the algorithm used to protect the secret
     (can be "PLAINTEXT" if the IPsec entity has no secret storage),
     the value of property RemoteID is the concatenation of the
     remote IPsec peer IP address in dotted decimal, of the
     character "/", of "IN" (respectively "OUT") for inbound SA
     (respectively outbound SA), of the character "/" and of the
     hexadecimal representation of the SPI.

   Although the class is concrete, it MUST NOT be instantiated.  The
   class definition for PreconfiguredSAAction is as follows:

   NAME              PreconfiguredSAAction
   DESCRIPTION       Specifies preconfigured algorithm and keying
                     information for creation of a security
                     association.
   DERIVED FROM      SAStaticAction
   ABSTRACT          TRUE
   PROPERTIES        LifetimeKilobytes

6.6.1. The Property LifetimeKilobytes

   The property LifetimeKilobytes specifies a traffic limit in
   kilobytes that can be consumed before the SA is deleted.  The
   property is defined as follows:

   NAME              LifetimeKilobytes
   DESCRIPTION       Specifies the SA lifetime in kilobytes.
   SYNTAX            unsigned 32-bit integer
   VALUE             A value of zero indicates that there is not a
                     lifetime associated with this action (i.e.,
                     infinite lifetime).  A non-zero value is used to
                     indicate that after this number of kilobytes has
                     been consumed the SA must be deleted from the
                     SADB.
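   How the static-action properties come together when a preconfigured
   SA is installed, as an added example that is not part of the draft
   and not the code of any CIM provider: the lifetime rule of the 6.2.1
   note (lesser of LifetimeSeconds and the transform's
   MaxLifetimeSeconds, with zero meaning no lifetime), the
   LifetimeKilobytes limit of 6.6.1, the DoActionLogging and
   DoPacketLogging behaviour of 6.1, and the RemoteID string of the
   SharedSecret from the notes in 6.6.  Two things are this example's
   assumptions: that SATransform carries a corresponding kilobyte cap,
   called MaxLifetimeKilobytes here, and that the SPI is written as
   eight lower-case hex digits.

```python
"""Installing a preconfigured SA: effective lifetimes (6.2.1 note, 6.6.1),
DoActionLogging / DoPacketLogging (6.1) and the SharedSecret RemoteID
string (6.6 notes).  Added example code, not from the draft."""

from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class SATransform:
    max_lifetime_seconds: int = 0      # 0 is taken to mean "no cap" (assumption)
    max_lifetime_kilobytes: int = 0    # assumed property name; 0 = no cap


@dataclass
class PreconfiguredSAAction:
    lifetime_seconds: int = 0          # SAStaticAction.LifetimeSeconds, 0 = infinite
    lifetime_kilobytes: int = 0        # LifetimeKilobytes (6.6.1), 0 = infinite
    do_action_logging: bool = False    # SAAction.DoActionLogging (6.1.1)
    do_packet_logging: bool = False    # SAAction.DoPacketLogging (6.1.2)


def capped_lifetime(action_value: int, caps: Sequence[int]) -> int:
    """Lesser of the action's value and the transforms' caps.  A zero action
    value means no lifetime at all and is returned unchanged (6.2.1 note);
    zero caps are skipped."""
    if action_value == 0:
        return 0
    return min([action_value] + [c for c in caps if c])


def effective_lifetime(action: PreconfiguredSAAction,
                       transforms: Sequence[SATransform]) -> Tuple[int, int]:
    """(seconds, kilobytes) the installed SA will actually live; 0 = never expires."""
    secs = capped_lifetime(action.lifetime_seconds,
                           [t.max_lifetime_seconds for t in transforms])
    kbs = capped_lifetime(action.lifetime_kilobytes,
                          [t.max_lifetime_kilobytes for t in transforms])
    return secs, kbs


def shared_secret_remote_id(peer_ip: str, inbound: bool, spi: int) -> str:
    """<peer IP>/<IN|OUT>/<hex SPI>, per the 6.6 notes (8 hex digits assumed)."""
    return f"{peer_ip}/{'IN' if inbound else 'OUT'}/{spi:08x}"


@dataclass
class SADBEntry:
    spi: int
    peer_ip: str
    inbound: bool
    lifetime_seconds: int
    lifetime_kilobytes: int
    log_packets: bool               # optional SADB field fed by DoPacketLogging (6.1.2)
    secret_remote_id: str           # RemoteID of the SharedSecret holding the key


def install_preconfigured_sa(action: PreconfiguredSAAction,
                             transforms: Sequence[SATransform],
                             peer_ip: str, inbound: bool, spi: int,
                             log: List[str]) -> SADBEntry:
    """Build the SADB entry for a preconfigured SA and emit the action log line."""
    secs, kbs = effective_lifetime(action, transforms)
    entry = SADBEntry(spi, peer_ip, inbound, secs, kbs, action.do_packet_logging,
                      shared_secret_remote_id(peer_ip, inbound, spi))
    if action.do_action_logging:    # 6.1.1: log when the preconfigured SA is installed
        log.append(f"installed preconfigured SA spi=0x{spi:08x} peer={peer_ip} "
                   f"dir={'in' if inbound else 'out'} life={secs}s/{kbs}KB")
    return entry
```

   The per-packet log decision is deliberately not made here: the entry
   only carries the propagated flag, and the datapath consults it when
   the SA processes a packet, which is the split 6.1.2 describes.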
   Note: the actual lifetime of the preconfigured SA will be the lesser
   of the value of this LifetimeKilobytes property and of the value of
   the MaxLifetimeSeconds property of the associated SATransform.  If
   the value of this LifetimeKilobytes property is zero, then there
   will be no lifetime associated with this action.

   It is expected that most PreconfiguredSAAction instances will have
   their LifetimeKilobytes properties set to zero (meaning no
   expiration of the resulting SA).

6.7. The Class PreconfiguredTransportAction

   The class PreconfiguredTransportAction is used to create an IPsec
   transport-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for
   PreconfiguredTransportAction is as follows:

   NAME              PreconfiguredTransportAction
   DESCRIPTION       Specifies preconfigured algorithm and keying
                     information for creation of an IPsec transport
                     security association.
   DERIVED FROM      PreconfiguredSAAction
   ABSTRACT          FALSE

6.8. The Class PreconfiguredTunnelAction

   The class PreconfiguredTunnelAction is used to create an IPsec
   tunnel-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for
   PreconfiguredTunnelAction is as follows:

   NAME              PreconfiguredTunnelAction
   DESCRIPTION       Specifies preconfigured algorithm and keying
                     information for creation of an IPsec tunnel-mode
                     security association.
   DERIVED FROM      PreconfiguredSAAction
   ABSTRACT          FALSE
   PROPERTIES        DFHandling

6.8.1. The Property DFHandling

   The property DFHandling specifies how the Don't Fragment bit of the
   internal IP header is to be handled during IPsec processing.  The
   property is defined as follows:

   NAME              DFHandling
   DESCRIPTION       Specifies the processing of the DF bit.
   SYNTAX            unsigned 16-bit integer
   VALUE             1 - Copy the DF bit from the internal IP header to
                     the external IP header.
                     2 - Set the DF bit of the external IP header to 1.
                     3 - Clear the DF bit of the external IP header to
                     0.

6.9. The Class SANegotiationAction

   The class SANegotiationAction specifies an action requesting
   security policy negotiation.

   This is an abstract class.  Currently, only one security policy
   negotiation protocol action is subclassed from SANegotiationAction:
   the IKENegotiationAction class.  It is nevertheless expected that
   other security policy negotiation protocols will exist and the
   negotiation actions of those new protocols would be modeled as a
   subclass of SANegotiationAction.

   NAME              SANegotiationAction
   DESCRIPTION       Specifies a negotiation action.
   DERIVED FROM      SAAction
   ABSTRACT          TRUE

6.10. The Class IKENegotiationAction

   The class IKENegotiationAction is abstract and serves as the base
   class for IKE and IPsec actions that result in an IKE negotiation.
   The class definition for IKENegotiationAction is as follows:

   NAME              IKENegotiationAction
   DESCRIPTION       A base class for IKE and IPsec actions that
                     specifies the parameters that are common for IKE
                     phase 1 and IKE phase 2 IPsec DOI negotiations.
   DERIVED FROM      SANegotiationAction
   ABSTRACT          TRUE
   PROPERTIES        MinLifetimeSeconds
                     MinLifetimeKilobytes
                     IdleDurationSeconds

6.10.1. The Property MinLifetimeSeconds

   The property MinLifetimeSeconds specifies the minimum seconds
   lifetime that will be accepted from the peer.  MinLifetimeSeconds
   is used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with expensive Diffie-Hellman operations.  The property is defined
   as follows:

   NAME              MinLifetimeSeconds
   DESCRIPTION       Specifies the minimum acceptable seconds lifetime.
   SYNTAX            unsigned 32-bit integer
   VALUE             A value of zero indicates that there is no minimum
                     value.  A non-zero value specifies the minimum
                     seconds lifetime.

6.10.2. The Property MinLifetimeKilobytes

   The property MinLifetimeKilobytes specifies the minimum kilobytes
   lifetime that will be accepted from the peer.  MinLifetimeKilobytes
   is used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  Note that
   there has been considerable debate regarding the usefulness of
   applying kilobyte lifetimes to IKE phase 1 security associations, so
   it is likely that this property will only apply to the sub-class
   IPsecAction.  The property is defined as follows:

   NAME              MinLifetimeKilobytes
   DESCRIPTION       Specifies the minimum acceptable kilobytes
                     lifetime.
   SYNTAX            unsigned 32-bit integer
   VALUE             A value of zero indicates that there is no minimum
                     value.  A non-zero value specifies the minimum
                     kilobytes lifetime.

6.10.3. The Property IdleDurationSeconds

   The property IdleDurationSeconds specifies how many seconds a
   security association may remain idle (i.e., no traffic protected
   using the security association) before it is deleted.  The property
   is defined as follows:

   NAME              IdleDurationSeconds
   DESCRIPTION       Specifies how long, in seconds, a security
                     association may remain unused before it is
                     deleted.
   SYNTAX            unsigned 32-bit integer
   VALUE             A value of zero indicates that idle detection
                     should not be used for the security association
                     (only the seconds and kilobyte lifetimes will be
                     used).  Any non-zero value indicates the number of
                     seconds the security association may remain
                     unused.

6.11. The Class IPsecAction

   The class IPsecAction serves as the base class for IPsec transport
   and tunnel actions.
   It specifies the parameters used for an IKE phase 2 IPsec DOI
   negotiation.  The class definition for IPsecAction is as follows:

   NAME              IPsecAction
   DESCRIPTION       A base class for IPsec transport and tunnel
                     actions that specifies the parameters for IKE
                     phase 2 IPsec DOI negotiations.
   DERIVED FROM      IKENegotiationAction
   ABSTRACT          TRUE
   PROPERTIES        UsePFS
                     UseIKEGroup
                     GroupId
                     Granularity
                     VendorID

6.11.1. The Property UsePFS

   The property UsePFS specifies whether or not perfect forward secrecy
   should be used when refreshing keys.  The property is defined as
   follows:

   NAME              UsePFS
   DESCRIPTION       Specifies whether or not to use PFS when
                     refreshing keys.
   SYNTAX            boolean
   VALUE             A value of true indicates that PFS should be used.
                     A value of false indicates that PFS should not be
                     used.

6.11.2. The Property UseIKEGroup

   The property UseIKEGroup specifies whether or not phase 2 should use
   the same key exchange group as was used in phase 1.  UseIKEGroup is
   ignored if UsePFS is false.  The property is defined as follows:

   NAME              UseIKEGroup
   DESCRIPTION       Specifies whether or not to use the same GroupId
                     for phase 2 as was used in phase 1.  If UsePFS is
                     false, then UseIKEGroup is ignored.
   SYNTAX            boolean
   VALUE             A value of true indicates that the phase 2 GroupId
                     should be the same as phase 1.  A value of false
                     indicates that the property GroupId will contain
                     the key exchange group to use for phase 2.

6.11.3. The Property GroupId

   The property GroupId specifies the key exchange group to use for
   phase 2.  GroupId is ignored if (1) the property UsePFS is false, or
   (2) the property UsePFS is true and the property UseIKEGroup is
   true.  If the GroupId number is from the vendor-specific range
   (32768-65535), the property VendorID qualifies the group number.
   The property is defined as follows:

   NAME              GroupId
   DESCRIPTION       Specifies the key exchange group to use for phase
                     2 when the property UsePFS is true and the
                     property UseIKEGroup is false.
   SYNTAX            unsigned 16-bit integer
   VALUE             Consult [IKE] for valid values.

6.11.4. The Property Granularity

   The property Granularity specifies how the selector for the security
   association should be derived from the traffic that triggered the
   negotiation.  The property is defined as follows:

   NAME              Granularity
   DESCRIPTION       Specifies how the proposed selector for the
                     security association will be created.
   SYNTAX            unsigned 16-bit integer
   VALUE             1 - subnet: the source and destination subnet
                     masks of the filter entry are used.
                     2 - address: only the source and destination IP
                     addresses of the triggering packet are used.
                     3 - protocol: the source and destination IP
                     addresses and the IP protocol of the triggering
                     packet are used.
                     4 - port: the source and destination IP addresses
                     and the IP protocol and the source and destination
                     layer 4 ports of the triggering packet are used.

6.11.5. The Property VendorID

   The property VendorID is used together with the property GroupId
   (when it is in the vendor-specific range) to identify the key
   exchange group.  VendorID is ignored unless UsePFS is true and
   UseIKEGroup is false and GroupId is in the vendor-specific range
   (32768-65535).  The property is defined as follows:

   NAME              VendorID
   DESCRIPTION       Specifies the IKE Vendor ID.
   SYNTAX            string

6.12. The Class IPsecTransportAction

   The class IPsecTransportAction is a subclass of IPsecAction that is
   used to specify use of an IPsec transport-mode security association.
   The class definition for IPsecTransportAction is as follows:

   NAME              IPsecTransportAction
   DESCRIPTION       Specifies that an IPsec transport-mode security
                     association should be negotiated.
   DERIVED FROM      IPsecAction
   ABSTRACT          FALSE

6.13. The Class IPsecTunnelAction

   The class IPsecTunnelAction is a subclass of IPsecAction that is
   used to specify use of an IPsec tunnel-mode security association.
   The class definition for IPsecTunnelAction is as follows:

   NAME              IPsecTunnelAction
   DESCRIPTION       Specifies that an IPsec tunnel-mode security
                     association should be negotiated.
   DERIVED FROM      IPsecAction
   ABSTRACT          FALSE
   PROPERTIES        DFHandling

6.13.1. The Property DFHandling

   The property DFHandling specifies how the tunnel should manage the
   Don't Fragment (DF) bit.  The property is defined as follows:

   NAME              DFHandling
   DESCRIPTION       Specifies how to process the DF bit.
   SYNTAX            unsigned 16-bit integer
   VALUE             1 - Copy the DF bit from the internal IP header to
                     the external IP header.
                     2 - Set the DF bit of the external IP header to 1.
                     3 - Clear the DF bit of the external IP header to
                     0.

6.14. The Class IKEAction

   The class IKEAction specifies the parameters that are to be used for
   IKE phase 1 negotiation.  The class definition for IKEAction is as
   follows:

   NAME              IKEAction
   DESCRIPTION       Specifies the IKE phase 1 negotiation parameters.
   DERIVED FROM      IKENegotiationAction
   ABSTRACT          FALSE
   PROPERTIES        ExchangeMode
                     UseIKEIdentityType
                     VendorID
                     AggressiveModeGroupId

6.14.1. The Property ExchangeMode

   The property ExchangeMode specifies which IKE mode should be used
   for IKE phase 1 negotiations.  The property is defined as follows:

   NAME              ExchangeMode
   DESCRIPTION       Specifies the IKE negotiation mode for phase 1.
   SYNTAX            unsigned 16-bit integer
   VALUE             1 - base mode
                     2 - main mode
                     4 - aggressive mode

6.14.2. The Property UseIKEIdentityType

   The property UseIKEIdentityType specifies what IKE identity type
   should be used when negotiating with the peer.  This information is
   used in conjunction with the IKE identities available on the system
   and the IdentityContexts of the matching IKERule.  The property is
   defined as follows:

   NAME              UseIKEIdentityType
   DESCRIPTION       Specifies the IKE identity to use during
                     negotiation.
   SYNTAX            unsigned 16-bit integer
   VALUE             Consult [DOI] for valid values.

6.14.3. The Property VendorID

   The property VendorID specifies the value to be used in the Vendor
   ID payload.  The property is defined as follows:

   NAME              VendorID
   DESCRIPTION       Vendor ID Payload.
   SYNTAX            string
   VALUE             A value of NULL means that the Vendor ID payload
                     will be neither generated nor accepted.  A
                     non-NULL value means that a Vendor ID payload will
                     be generated (when acting as an initiator) or is
                     expected (when acting as a responder).

6.14.4. The Property AggressiveModeGroupId

   The property AggressiveModeGroupId specifies which group ID is to be
   used in the first packets of the phase 1 negotiation.  This property
   is ignored unless the property ExchangeMode is set to 4 (aggressive
   mode).  If the AggressiveModeGroupId number is from the
   vendor-specific range (32768-65535), the property VendorID qualifies
   the group number.  The property is defined as follows:

   NAME              AggressiveModeGroupId
   DESCRIPTION       Specifies the group ID to be used for aggressive
                     mode.
   SYNTAX            unsigned 16-bit integer

6.15. The Class PeerGateway

   The class PeerGateway specifies the security gateway with which the
   IKE service negotiates.
The class definition for PeerGateway is as 2103 follows: 2105 NAME PeerGateway 2106 DESCRIPTION Specifies the security gateway with which to negotiate. 2107 DERIVED FROM LogicalElement (see [CIMCORE]) 2108 ABSTRACT FALSE 2109 PROPERTIES Name 2110 PeerIdentityType 2111 PeerIdentity 2113 Note: the class PeerIdentityEntry contains more information about the 2114 peer (namely its IP address). 2116 6.15.1. The Property Name 2118 The property Name specifies a user-friendly name for this security 2119 gateway. The property is defined as follows: 2121 NAME Name 2122 DESCRIPTION Specifies a user-friendly name for this security 2123 gateway. 2124 SYNTAX string 2126 6.15.2. The Property PeerIdentityType 2128 The property PeerIdentityType specifies the IKE identity type of the 2129 security gateway. The property is defined as follows: 2131 NAME PeerIdentityType 2132 DESCRIPTION Specifies the IKE identity type of the security gateway. 2133 SYNTAX unsigned 16-bit integer 2134 VALUE Consult [DOI] for valid values. 2136 6.15.3. The Property PeerIdentity 2138 The property PeerIdentity specifies the IKE identity value of the 2139 security gateway. A conversion may be needed between the 2140 PeerIdentity string representation and the real value used in the ID 2141 payload (e.g. IP address is to be converted from a dotted decimal 2142 string into 4 bytes). The property is defined as follows: 2144 NAME PeerIdentity 2145 DESCRIPTION Specifies the IKE identity value of the security 2146 gateway. 2147 SYNTAX string 2149 6.16. The Association Class PeerGatewayForTunnel 2151 The class PeerGatewayForTunnel associates IPsecTunnelActions with an 2152 ordered list of PeerGateways. The class definition for 2153 PeerGatewayForTunnel is as follows: 2155 NAME PeerGatewayForTunnel 2156 DESCRIPTION Associates IPsecTunnelActions with an ordered list of 2157 PeerGateways. 
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref PeerGateway[0..n]]
                    Dependent [ref IPsecTunnelAction[0..n]]
                    SequenceNumber

6.16.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that an IPsecTunnelAction instance may be
   associated with zero or more PeerGateway instances.

   Note: the cardinality 0 has a specific meaning:

      - when the IKE service acts as a responder, this means that
        the IKE service will accept phase 1 negotiation with any
        other security gateway;
      - when the IKE service acts as an initiator, this means that
        the IKE service will use the destination IP address (of
        the IP packets which triggered the SARule) as the IP
        address of the peer IKE entity.

6.16.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IPsecTunnelAction instance.  The [0..n] cardinality
   indicates that a PeerGateway instance may be associated with zero or
   more IPsecTunnelAction instances.

6.16.3. The Property SequenceNumber

   The property SequenceNumber specifies the ordering to be used when
   evaluating PeerGateway instances for a given IPsecTunnelAction.  The
   property is defined as follows:

      NAME          SequenceNumber
      DESCRIPTION   Specifies the order of evaluation for PeerGateways.
      SYNTAX        unsigned 16-bit integer
      VALUE         Lower values are evaluated first.

6.17. The Aggregation Class ContainedProposal

   The class ContainedProposal associates an ordered list of SAProposals
   with the IKENegotiationAction that aggregates it.  If the referenced
   IKENegotiationAction object is an IKEAction, then the referenced
   SAProposal object(s) must be IKEProposal(s).
   If the referenced IKENegotiationAction object is an
   IPsecTransportAction or an IPsecTunnelAction, then the referenced
   SAProposal object(s) must be IPsecProposal(s).  The class definition
   for ContainedProposal is as follows:

      NAME          ContainedProposal
      DESCRIPTION   Associates an ordered list of SAProposals with an
                    IKENegotiationAction.
      DERIVED FROM  PolicyComponent (see [PCIM])
      ABSTRACT      FALSE
      PROPERTIES    GroupComponent[ref IKENegotiationAction[0..n]]
                    PartComponent[ref SAProposal[1..n]]
                    SequenceNumber

6.17.1. The Reference GroupComponent

   The property GroupComponent is inherited from PolicyComponent and is
   overridden to refer to an IKENegotiationAction instance.  The [0..n]
   cardinality indicates that an SAProposal instance may be associated
   with zero or more IKENegotiationAction instances.

6.17.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SAProposal instance.  The [1..n]
   cardinality indicates that an IKENegotiationAction instance MUST be
   associated with at least one SAProposal instance.

6.17.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for the
   SAProposals.  The property is defined as follows:

      NAME          SequenceNumber
      DESCRIPTION   Specifies the preference order for the SAProposals.
      SYNTAX        unsigned 16-bit integer
      VALUE         Lower-valued proposals are preferred over proposals
                    with higher values.  For ContainedProposals that
                    reference the same IKENegotiationAction,
                    SequenceNumber values must be unique.

6.18. The Association Class HostedPeerGatewayInformation

   The class HostedPeerGatewayInformation weakly associates a
   PeerGateway with a System.
   The class definition for HostedPeerGatewayInformation is as follows:

      NAME          HostedPeerGatewayInformation
      DESCRIPTION   Weakly associates a PeerGateway with a System.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent [ref System[1..1]]
                    Dependent [ref PeerGateway[0..n] [weak]]

6.18.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that a PeerGateway instance MUST be associated with one and
   only one System instance.

6.18.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to a PeerGateway instance.  The [0..n] cardinality indicates
   that a System instance may be associated with zero or more
   PeerGateway instances.

6.19. The Association Class TransformOfPreconfiguredAction

   The class TransformOfPreconfiguredAction associates a
   PreconfiguredSAAction with two, four or six SATransforms that will be
   applied to the inbound and outbound traffic.  The order of
   application of the SATransforms is implicitly defined in [IPSEC].
   The class definition for TransformOfPreconfiguredAction is as
   follows:

      NAME          TransformOfPreconfiguredAction
      DESCRIPTION   Associates a PreconfiguredSAAction with from one to
                    three SATransforms.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent[ref SATransform[2..6]]
                    Dependent[ref PreconfiguredSAAction[0..n]]
                    SPI
                    Direction

6.19.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an SATransform instance.  The [2..6]
   cardinality indicates that a PreconfiguredSAAction instance may be
   associated with from two to six SATransform instances.

6.19.2.
The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to a PreconfiguredSAAction instance.  The [0..n] cardinality
   indicates that an SATransform instance may be associated with zero or
   more PreconfiguredSAAction instances.

6.19.3. The Property SPI

   The property SPI specifies the SPI to be used by the pre-configured
   action for the associated transform.  The property is defined as
   follows:

      NAME          SPI
      DESCRIPTION   Specifies the SPI to be used with the SATransform.
      SYNTAX        unsigned 32-bit integer

6.19.4. The Property Direction

   The property Direction specifies whether the SPI property is for
   inbound or for outbound traffic.  The property is defined as follows:

      NAME          Direction
      DESCRIPTION   Specifies whether the SA is for inbound or outbound
                    traffic.
      SYNTAX        unsigned 8-bit integer
      VALUE         1 - this SA is for inbound traffic
                    2 - this SA is for outbound traffic

6.20. The Association Class PeerGatewayForPreconfiguredTunnel

   The class PeerGatewayForPreconfiguredTunnel associates zero or one
   PeerGateway with multiple PreconfiguredTunnelActions.  The class
   definition for PeerGatewayForPreconfiguredTunnel is as follows:

      NAME          PeerGatewayForPreconfiguredTunnel
      DESCRIPTION   Associates a PeerGateway with multiple
                    PreconfiguredTunnelAction.
      DERIVED FROM  Dependency (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent[ref PeerGateway[0..1]]
                    Dependent[ref PreconfiguredTunnelAction[0..n]]

6.20.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..1]
   cardinality indicates that a PreconfiguredTunnelAction instance may
   be associated with at most one PeerGateway instance.

6.20.2.
The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to a PreconfiguredTunnelAction instance.  The [0..n]
   cardinality indicates that a PeerGateway instance may be associated
   with zero or more PreconfiguredSAAction instances.

7. Proposal and Transform Classes

   The proposal and transform classes model the proposal settings an
   IPsec device will use during IKE phase 1 and 2 negotiations.

   +--------------+*w                       1+--------------+
   | [SAProposal] |--------------------------|    System    |
   +--------------+           (a)            | ([CIMCORE])  |
          ^                                  +--------------+
          |                                         |1
          +----------------------+                  |
          |                      |                  |
   +-------------+       +---------------+          |
   | IKEProposal |       | IPsecProposal |          |
   +-------------+       +---------------+          |
                                *o                  |
                                 |(b)               |(c)
                                n|                  |
                         +---------------+*w        |
                         | [SATransform] |----------+
                         +---------------+
                                 ^
                                 |
            +--------------------+-----------+-----------------+
            |                                |                 |
     +-------------+                 +--------------+ +----------------+
     | AHTransform |                 | ESPTransform | |IPCOMPTransform |
     +-------------+                 +--------------+ +----------------+

      (a) SAProposalInSystem
      (b) ContainedTransform
      (c) SATransformInSystem

7.1. The Abstract Class SAProposal

   The abstract class SAProposal serves as the base class for the IKE
   and IPsec proposal classes.  It specifies the parameters that are
   common to the two proposal types.  The class definition for
   SAProposal is as follows:

      NAME          SAProposal
      DESCRIPTION   Specifies the common proposal parameters for IKE and
                    IPsec security association negotiation.
      DERIVED FROM  Policy ([PCIM])
      ABSTRACT      TRUE
      PROPERTIES    Name

7.1.1. The Property Name

   The property Name specifies a user-friendly name for the SAProposal.
   The property is defined as follows:

      NAME          Name
      DESCRIPTION   Specifies a user-friendly name for this proposal.
      SYNTAX        string

7.2.
The Class IKEProposal

   The class IKEProposal specifies the proposal parameters necessary to
   drive an IKE security association negotiation.  The class definition
   for IKEProposal is as follows:

      NAME          IKEProposal
      DESCRIPTION   Specifies the proposal parameters for IKE security
                    association negotiation.
      DERIVED FROM  SAProposal
      ABSTRACT      FALSE
      PROPERTIES    CipherAlgorithm
                    HashAlgorithm
                    PRFAlgorithm
                    GroupId
                    AuthenticationMethod
                    MaxLifetimeSeconds
                    MaxLifetimeKilobytes
                    VendorID

7.2.1. The Property CipherAlgorithm

   The property CipherAlgorithm specifies the proposed phase 1 security
   association encryption algorithm.  The property is defined as
   follows:

      NAME          CipherAlgorithm
      DESCRIPTION   Specifies the proposed encryption algorithm for the
                    phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [IKE] for valid values.

7.2.2. The Property HashAlgorithm

   The property HashAlgorithm specifies the proposed phase 1 security
   association hash algorithm.  The property is defined as follows:

      NAME          HashAlgorithm
      DESCRIPTION   Specifies the proposed hash algorithm for the phase 1
                    security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [IKE] for valid values.

7.2.3. The Property PRFAlgorithm

   The property PRFAlgorithm specifies the proposed phase 1 security
   association pseudo-random function.  The property is defined as
   follows:

      NAME          PRFAlgorithm
      DESCRIPTION   Specifies the proposed pseudo-random function for the
                    phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         Currently none defined in [IKE]; if [IKE, DOI] are
                    extended, then the values of [IKE, DOI] are to be
                    used for values of PRFAlgorithm.

7.2.4. The Property GroupId

   The property GroupId specifies the proposed phase 1 security
   association key exchange group.
   This property is ignored for all aggressive mode exchanges.  If the
   GroupID number is from the vendor-specific range (32768-65535), the
   property VendorID qualifies the group number.  The property is
   defined as follows:

      NAME          GroupId
      DESCRIPTION   Specifies the proposed key exchange group for the
                    phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [IKE] for valid values.

   Note: the value of this property is to be ignored when doing
   aggressive mode.

7.2.5. The Property AuthenticationMethod

   The property AuthenticationMethod specifies the proposed phase 1
   authentication method.  The property is defined as follows:

      NAME          AuthenticationMethod
      DESCRIPTION   Specifies the proposed authentication method for the
                    phase 1 security association.
      SYNTAX        unsigned 16-bit integer
      VALUE         0 - a special value that indicates that this
                    particular proposal should be repeated once for each
                    authentication method that corresponds to the
                    credentials installed on the machine.  For example,
                    if the system has a pre-shared key and a
                    certificate, a proposal list could be constructed
                    which includes a proposal that specifies pre-shared
                    key and proposals for any of the public-key
                    authentication methods.
                    Consult [IKE] for valid values.

7.2.6. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum time, in
   seconds, to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

      NAME          MaxLifetimeSeconds
      DESCRIPTION   Specifies the maximum time to propose a security
                    association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that the default of 8
                    hours be used.  A non-zero value indicates the
                    maximum seconds lifetime.

7.2.7.
The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

      NAME          MaxLifetimeKilobytes
      DESCRIPTION   Specifies the maximum kilobyte lifetime to propose a
                    security association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that there should be no
                    maximum kilobyte lifetime.  A non-zero value
                    specifies the desired kilobyte lifetime.

7.2.8. The Property VendorID

   The property VendorID further qualifies the key exchange group.  The
   property is ignored if the exchange is in aggressive mode or if the
   property GroupID is not in the vendor-specific range.  The property
   is defined as follows:

      NAME          VendorID
      DESCRIPTION   Specifies the Vendor ID to further qualify the key
                    exchange group.
      SYNTAX        string

7.3. The Class IPsecProposal

   The class IPsecProposal adds no new properties, but inherits proposal
   properties from SAProposal as well as aggregating the security
   association transforms necessary for building an IPsec proposal (see
   the aggregation class ContainedTransform).  The class definition for
   IPsecProposal is as follows:

      NAME          IPsecProposal
      DESCRIPTION   Specifies the proposal parameters for IPsec security
                    association negotiation.
      DERIVED FROM  SAProposal
      ABSTRACT      FALSE

7.4. The Abstract Class SATransform

   The abstract class SATransform serves as the base class for the IPsec
   transforms that can be used to compose an IPsec proposal or to be
   used as a pre-configured action.  The class definition for
   SATransform is as follows:

      NAME          SATransform
      DESCRIPTION   Base class for the different IPsec transforms.
      ABSTRACT      TRUE
      PROPERTIES    CommonName (from Policy)
                    VendorID
                    MaxLifetimeSeconds
                    MaxLifetimeKilobytes

7.4.1. The Property CommonName

   The property CommonName is inherited from Policy [PCIM] and specifies
   a user-friendly name for the SATransform.  The property is defined as
   follows:

      NAME          CommonName
      DESCRIPTION   Specifies a user-friendly name for this Policy-related
                    object.
      SYNTAX        string

7.4.2. The Property VendorID

   The property VendorID specifies the vendor ID for vendor-defined
   transforms.  The property is defined as follows:

      NAME          VendorID
      DESCRIPTION   Specifies the vendor ID for vendor-defined transforms.
      SYNTAX        string
      VALUE         An empty VendorID string indicates that the transform
                    is a standard one.

7.4.3. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum time, in
   seconds, to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

      NAME          MaxLifetimeSeconds
      DESCRIPTION   Specifies the maximum time to propose a security
                    association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that the default of 8
                    hours be used.  A non-zero value indicates the
                    maximum seconds lifetime.

7.4.4. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

      NAME          MaxLifetimeKilobytes
      DESCRIPTION   Specifies the maximum kilobyte lifetime to propose a
                    security association remain valid.
      SYNTAX        unsigned 32-bit integer
      VALUE         A value of zero indicates that there should be no
                    maximum kilobyte lifetime.  A non-zero value
                    specifies the desired kilobyte lifetime.

7.5.
The Class AHTransform

   The class AHTransform specifies the AH algorithm to propose during
   IPsec security association negotiation.  The class definition for
   AHTransform is as follows:

      NAME          AHTransform
      DESCRIPTION   Specifies the AH algorithm to propose.
      ABSTRACT      FALSE
      PROPERTIES    AHTransformId
                    UseReplayPrevention
                    ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

   The property AHTransformId specifies the transform ID of the AH
   algorithm to propose.  The property is defined as follows:

      NAME          AHTransformId
      DESCRIPTION   Specifies the transform ID of the AH algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

      NAME          UseReplayPrevention
      DESCRIPTION   Specifies whether to enable replay prevention detection.
      SYNTAX        boolean
      VALUE         true - replay prevention detection is enabled.
                    false - replay prevention detection is disabled.

7.5.3. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism.  The value of this property is meaningless if
   UseReplayPrevention is false.  It is assumed that the window size
   will be a power of 2.  The property is defined as follows:

      NAME          ReplayPreventionWindowSize
      DESCRIPTION   Specifies the length of the window used by the replay
                    prevention detection mechanism.
      SYNTAX        unsigned 32-bit integer

7.6. The Class ESPTransform

   The class ESPTransform specifies the ESP algorithms to propose during
   IPsec security association negotiation.  The class definition for
   ESPTransform is as follows:

      NAME          ESPTransform
      DESCRIPTION   Specifies the ESP algorithms to propose.
      ABSTRACT      FALSE
      PROPERTIES    IntegrityTransformId
                    CipherTransformId
                    CipherKeyLength
                    CipherKeyRounds
                    UseReplayPrevention
                    ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

   The property IntegrityTransformId specifies the transform ID of the
   ESP integrity algorithm to propose.  The property is defined as
   follows:

      NAME          IntegrityTransformId
      DESCRIPTION   Specifies the transform ID of the ESP integrity
                    algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [DOI] for valid values.

7.6.2. The Property CipherTransformId

   The property CipherTransformId specifies the transform ID of the ESP
   encryption algorithm to propose.  The property is defined as follows:

      NAME          CipherTransformId
      DESCRIPTION   Specifies the transform ID of the ESP encryption
                    algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

   The property CipherKeyLength specifies, in bits, the key length for
   the ESP encryption algorithm.  For encryption algorithms that use
   fixed-length keys, this value is ignored.  The property is defined as
   follows:

      NAME          CipherKeyLength
      DESCRIPTION   Specifies the ESP encryption key length in bits.
      SYNTAX        unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

   The property CipherKeyRounds specifies the number of key rounds for
   the ESP encryption algorithm.  For encryption algorithms that use a
   fixed number of key rounds, this value is ignored.  The property is
   defined as follows:

      NAME          CipherKeyRounds
      DESCRIPTION   Specifies the number of key rounds for the ESP
                    encryption algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         Currently, key rounds are not defined for any ESP
                    encryption algorithms.

7.6.5.
The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

      NAME          UseReplayPrevention
      DESCRIPTION   Specifies whether to enable replay prevention detection.
      SYNTAX        boolean
      VALUE         true - replay prevention detection is enabled.
                    false - replay prevention detection is disabled.

7.6.6. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism.  The value of this property is meaningless if
   UseReplayPrevention is false.  It is assumed that the window size
   will be a power of 2.  The property is defined as follows:

      NAME          ReplayPreventionWindowSize
      DESCRIPTION   Specifies the length of the window used by the replay
                    prevention detection mechanism.
      SYNTAX        unsigned 32-bit integer

7.7. The Class IPCOMPTransform

   The class IPCOMPTransform specifies the IP compression (IPCOMP)
   algorithm to propose during IPsec security association negotiation.
   The class definition for IPCOMPTransform is as follows:

      NAME          IPCOMPTransform
      DESCRIPTION   Specifies the IPCOMP algorithm to propose.
      ABSTRACT      FALSE
      PROPERTIES    Algorithm
                    DictionarySize
                    PrivateAlgorithm

7.7.1. The Property Algorithm

   The property Algorithm specifies the transform ID of the IPCOMP
   compression algorithm to propose.  The property is defined as
   follows:

      NAME          Algorithm
      DESCRIPTION   Specifies the transform ID of the IPCOMP compression
                    algorithm.
      SYNTAX        unsigned 16-bit integer
      VALUE         1 - OUI: a vendor-specific algorithm is used and
                    specified in the property PrivateAlgorithm.  Consult
                    [DOI] for other valid values.

7.7.2.
The Property DictionarySize

   The property DictionarySize specifies the log2 maximum size of the
   dictionary for the compression algorithm.  For compression algorithms
   that have pre-defined dictionary sizes, this value is ignored.  The
   property is defined as follows:

      NAME          DictionarySize
      DESCRIPTION   Specifies the log2 maximum size of the dictionary.
      SYNTAX        unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

   The property PrivateAlgorithm specifies a private vendor-specific
   compression algorithm.  This value is only used when the property
   Algorithm is 1 (OUI).  The property is defined as follows:

      NAME          PrivateAlgorithm
      DESCRIPTION   Specifies a private vendor-specific compression
                    algorithm.
      SYNTAX        unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem

   The class SAProposalInSystem weakly associates SAProposals with a
   System.  The class definition for SAProposalInSystem is as follows:

      NAME          SAProposalInSystem
      DESCRIPTION   Weakly associates SAProposals with a System.
      DERIVED FROM  PolicyInSystem (see [PCIM])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent[ref System [1..1]]
                    Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SAProposal instance MUST be associated with one and
   only one System instance.

7.8.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SAProposal instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

   The class ContainedTransform associates an IPsecProposal with the set
   of SATransforms that make up the proposal.
   If multiple transforms of the same type are in a proposal, then they
   are to be logically ORed and the order of preference is dictated by
   the SequenceNumber property.  Sets of transforms of different types
   are logically ANDed.  For example, if the ordered proposal list were

      ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
      AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to pick
   one from the ESP transform list (preferably (HMAC-MD5, 3DES)) AND one
   from the AH transform list (preferably MD5).

   The class definition for ContainedTransform is as follows:

      NAME          ContainedTransform
      DESCRIPTION   Associates an IPsecProposal with the set of
                    SATransforms that make up the proposal.
      DERIVED FROM  PolicyComponent (see [PCIM])
      ABSTRACT      FALSE
      PROPERTIES    GroupComponent[ref IPsecProposal[0..n]]
                    PartComponent[ref SATransform[1..n]]
                    SequenceNumber

7.9.1. The Reference GroupComponent

   The property GroupComponent is inherited from PolicyComponent and is
   overridden to refer to an IPsecProposal instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SATransform instance.  The [1..n]
   cardinality indicates that an IPsecProposal instance MUST be
   associated with at least one SATransform instance.

7.9.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for the
   SATransforms of the same type.  The property is defined as follows:

      NAME          SequenceNumber
      DESCRIPTION   Specifies the preference order for the SATransforms
                    of the same type.
      SYNTAX        unsigned 16-bit integer
      VALUE         Lower-valued transforms are preferred over transforms
                    of the same type with higher values.
                    For ContainedTransforms that reference the same
                    IPsecProposal, SequenceNumber values must be unique.

7.10. The Association Class SATransformInSystem

   The class SATransformInSystem weakly associates SATransforms with a
   System.  The class definition for SATransformInSystem is as follows:

      NAME          SATransformInSystem
      DESCRIPTION   Weakly associates SATransforms with a System.
      DERIVED FROM  PolicyInSystem (see [PCIM])
      ABSTRACT      FALSE
      PROPERTIES    Antecedent[ref System[1..1]]
                    Dependent[ref SATransform[0..n] [weak]]

7.10.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SATransform instance MUST be associated with one
   and only one System instance.

7.10.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SATransform instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SATransform instances.

8.
IKE Service and Identity Classes

   +--------------+                                +-------------------+
   |    System    |                                | PeerIdentityEntry |
   | ([CIMCORE])  |                                +-------------------+
   +--------------+                                          |*w
         1|   (a)                                       (b)  |
          +---------------+             +--------------------+
                          |             |
                          |*w         1 o
   +-------------+     +-------------------+     +---------------------+
   | PeerGateway |     | PeerIdentityTable |     | AutostartIKESetting |
   +-------------+     +-------------------+     +---------------------+
         *|                     *|                      *|        *|
          +------------------+   |(d) +------------------+         |
            (c)             *|  *|   *|              (e)           |
                          *+------------+*                         |(f)
          +----------------| IKEService |-----+                    |
          |      (g)       +------------+     |(h)                 |
      0..1|                     *|           *|                   *o
   +--------------------+        |         +---------------------------+
   | IPProtocolEndpoint |        |         | AutostartIKEConfiguration |
   | ([CIMNETWORK])     |     (i)|         +---------------------------+
   +--------------------+        |
      0..1|                      |
          |(j)                   +----------------------+
         *|                                             |*
   +-------------+* (k)  +------------+  +-----------------------------+
   | IKEIdentity |-------| Collection |  | CredentialManagementService |
   +-------------+   0..1| ([CIMCORE])|  | ([CIMUSER])                 |
         *|              +------------+  +-----------------------------+
          |(l)
         *|
   +--------------+
   |  Credential  |
   | ([CIMUSER])  |
   +--------------+

      (a) HostedPeerIdentityTable
      (b) PeerIdentityMember
      (c) IKEServicePeerGateway
      (d) IKEServicePeerIdentityTable
      (e) IKEAutostartSetting
      (f) AutostartIKESettingContext
      (g) IKEServiceForEndpoint
      (h) IKEAutostartConfiguration
      (i) IKEUsesCredentialManagementService
      (j) EndpointHasLocalIKEIdentity
      (k) CollectionHasLocalIKEIdentity
      (l) IKEIdentitysCredential

   This portion of the model contains additional information that is
   useful in applying the policy.  The IKEService class MAY be used to
   represent the IKE negotiation function in a system.
   The IKEService uses the various tables that contain information about
   IKE peers as well as the configuration for specifying security
   associations that are started automatically.  The information in the
   PeerGateway, PeerIdentityTable and related classes is necessary to
   completely specify the policies.

   An interface (represented by an IPProtocolEndpoint) has an IKEService
   that provides the negotiation services for that interface.  That
   service MAY also have a list of security associations automatically
   started at the time the IKE service is initialized.

   The IKEService also has a set of identities that it may use in
   negotiations with its peers.  Those identities are associated with
   the interfaces (or collections of interfaces).

8.1. The Class IKEService

   The class IKEService represents the IKE negotiation function.  An
   instance of this service may provide that negotiation service for one
   or more interfaces (represented by the IPProtocolEndpoint class) of a
   System.  There may be multiple instances of IKE services on a System
   but only one per interface.  The class definition for IKEService is
   as follows:

      NAME          IKEService
      DESCRIPTION   IKEService is used to represent the IKE negotiation
                    function.
      DERIVED FROM  Service (see [CIMCORE])
      ABSTRACT      FALSE

8.2. The Class PeerIdentityTable

   The class PeerIdentityTable aggregates the table entries that provide
   mappings between identities and their addresses.  The class
   definition for PeerIdentityTable is as follows:

      NAME          PeerIdentityTable
      DESCRIPTION   PeerIdentityTable aggregates PeerIdentityEntry
                    instances to provide a table of identity-address
                    mappings.
      DERIVED FROM  Collection (see [CIMCORE])
      ABSTRACT      FALSE
      PROPERTIES    Name

8.2.1. The Property Name

   The property Name uniquely identifies the table.
   The property is defined as follows:

      NAME         Name
      DESCRIPTION  Name uniquely identifies the table.
      SYNTAX       string

8.3. The Class PeerIdentityEntry

   The class PeerIdentityEntry specifies the mapping between a peer's
   identity and its IP address.  The class definition for
   PeerIdentityEntry is as follows:

      NAME         PeerIdentityEntry
      DESCRIPTION  PeerIdentityEntry provides a mapping between a peer's
                   identity and address.
      DERIVED FROM LogicalElement (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   PeerIdentity
                   PeerIdentityType
                   PeerAddress
                   PeerAddressType

   The pre-shared key to be used with this peer (if applicable) is
   contained in an instance of the class SharedSecret (see [CIMUSER]).
   The pre-shared key is stored in the property Secret; the property
   Protocol contains "IKE"; the property Algorithm contains the
   algorithm used to protect the secret (it can be "PLAINTEXT" if the
   IPsec entity has no protected secret storage); and the value of the
   property RemoteID must match the PeerIdentity property of the
   PeerIdentityEntry instance describing the IKE peer.

8.3.1. The Property PeerIdentity

   The property PeerIdentity contains a string encoding of the Identity
   payload for the IKE peer.  The property is defined as follows:

      NAME         PeerIdentity
      DESCRIPTION  The PeerIdentity is the ID payload of a peer.
      SYNTAX       string

8.3.2. The Property PeerIdentityType

   The property PeerIdentityType is an enumeration that specifies the
   type of the PeerIdentity.  The property is defined as follows:

      NAME         PeerIdentityType
      DESCRIPTION  PeerIdentityType is the type of the ID payload of a
                   peer.
      SYNTAX       unsigned 16-bit integer
      VALUE        The enumeration values are specified in [DOI] section
                   4.6.2.1.

8.3.3. The Property PeerAddress

   The property PeerAddress specifies the string representation of the
   IP address of the peer, formatted according to the convention
   appropriate to the PeerAddressType property (e.g., dotted-decimal
   notation for IPv4).  The property is defined as follows:

      NAME         PeerAddress
      DESCRIPTION  PeerAddress is the address of the peer with the ID
                   payload.
      SYNTAX       string
      VALUE        String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType

   The property PeerAddressType specifies the format of the PeerAddress
   property value.  The property is defined as follows:

      NAME         PeerAddressType
      DESCRIPTION  PeerAddressType is the type of address in
                   PeerAddress.
      SYNTAX       unsigned 16-bit integer
      VALUE        0 - Unknown
                   1 - IPv4
                   2 - IPv6

8.4. The Class AutostartIKEConfiguration

   The class AutostartIKEConfiguration groups AutostartIKESetting
   instances into configuration sets.  When applied, the settings cause
   an IKE service to automatically start (negotiate or statically set,
   as appropriate) the Security Associations.  The class definition for
   AutostartIKEConfiguration is as follows:

      NAME         AutostartIKEConfiguration
      DESCRIPTION  A configuration set of AutostartIKESetting instances
                   to be automatically started by the IKE service.
      DERIVED FROM SystemConfiguration (see [CIMCORE])
      ABSTRACT     FALSE

8.5. The Class AutostartIKESetting

   The class AutostartIKESetting is used to automatically initiate IKE
   negotiations with peers (or statically create an SA) as specified in
   the AutostartIKESetting properties.  Appropriate actions are
   initiated according to the policy that matches the setting
   parameters.
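   The following is an added example, not code from this draft, showing
   how an IKE responder would use the PeerIdentityTable of Section 8.2
   and the PeerIdentityEntry/SharedSecret mapping of Section 8.3: the
   peer's source address selects a table entry, the ID payload it sent
   must agree with that entry, and only then is the SharedSecret whose
   RemoteID equals the entry's PeerIdentity released.  The property
   names are the draft's; the identification-type numbers are the IPsec
   DOI values that PeerIdentityType refers to ([DOI] section 4.6.2.1);
   the function names and all sample data are constructed for the
   example.

```python
"""Peer identity lookup and pre-shared key selection for an IKE responder.

Added example for Sections 8.2 and 8.3 of the draft; not the draft's code.
Property names follow the draft; function names and sample data are mine.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional

# IPsec DOI identification types ([DOI] 4.6.2.1); only the ones used here.
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV6_ADDR = 1, 2, 3, 5

# PeerAddressType enumeration (Section 8.3.4).
ADDR_UNKNOWN, ADDR_IPV4, ADDR_IPV6 = 0, 1, 2


@dataclass(frozen=True)
class PeerIdentityEntry:                       # Section 8.3
    PeerIdentity: str
    PeerIdentityType: int
    PeerAddress: str
    PeerAddressType: int


@dataclass(frozen=True)
class SharedSecret:                            # CIM SharedSecret, fields used by 8.3
    Secret: bytes
    Protocol: str
    Algorithm: str
    RemoteID: str


def address_family(address: str) -> int:
    """PeerAddressType value that the textual address actually belongs to."""
    return ADDR_IPV4 if ip_address(address).version == 4 else ADDR_IPV6


@dataclass
class PeerIdentityTable:                       # Section 8.2
    Name: str
    entries: List[PeerIdentityEntry] = field(default_factory=list)

    def add(self, entry: PeerIdentityEntry) -> None:
        # Refuse entries whose PeerAddressType contradicts the address text.
        if entry.PeerAddressType != address_family(entry.PeerAddress):
            raise ValueError(f"PeerAddressType {entry.PeerAddressType} does not fit {entry.PeerAddress!r}")
        self.entries.append(entry)

    def lookup(self, peer_address: str) -> Optional[PeerIdentityEntry]:
        # Compare parsed addresses so that "2001:DB8:0::1" matches "2001:db8::1".
        wanted = ip_address(peer_address)
        return next((e for e in self.entries if ip_address(e.PeerAddress) == wanted), None)


def select_psk(table: PeerIdentityTable, secrets: List[SharedSecret],
               peer_address: str, id_type: int, id_value: str) -> Optional[SharedSecret]:
    """Return the SharedSecret to use for a peer, or None if the peer must be refused.

    The peer is accepted only when (1) its source address is in the table,
    (2) the ID payload it sent equals that entry, type and value, and
    (3) a SharedSecret with Protocol "IKE" and RemoteID equal to the entry's
    PeerIdentity exists.  Step (2) enforces the address-to-identity binding:
    a peer at a known address that presents a different ID gets no key.
    """
    entry = table.lookup(peer_address)
    if entry is None or (entry.PeerIdentityType, entry.PeerIdentity) != (id_type, id_value):
        return None
    return next((s for s in secrets
                 if s.Protocol == "IKE" and s.RemoteID == entry.PeerIdentity), None)


def plaintext_ike_secrets(secrets: List[SharedSecret]) -> List[str]:
    """RemoteIDs whose IKE key is stored unprotected (Algorithm "PLAINTEXT")."""
    return [s.RemoteID for s in secrets if s.Protocol == "IKE" and s.Algorithm == "PLAINTEXT"]


def build_sample():
    """Constructed data on RFC 5737 / RFC 3849 documentation addresses."""
    table = PeerIdentityTable(Name="peers")
    table.add(PeerIdentityEntry("gw1.example.com", ID_FQDN, "192.0.2.1", ADDR_IPV4))
    table.add(PeerIdentityEntry("alice@example.com", ID_USER_FQDN, "2001:db8::1", ADDR_IPV6))
    secrets = [
        SharedSecret(b"gw1-psk-constructed", "IKE", "PLAINTEXT", "gw1.example.com"),
        SharedSecret(b"alice-psk-constructed", "IKE", "AES-256-wrapped", "alice@example.com"),
        SharedSecret(b"not-for-ike", "RADIUS", "PLAINTEXT", "gw1.example.com"),
    ]
    return table, secrets
```

   The list returned by plaintext_ike_secrets is the audit item a
   practitioner wants from this part of the model: an Algorithm of
   "PLAINTEXT" means anyone who can read the model store can read the
   key, so it should be empty on any entity that has protected storage.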
   The class definition for AutostartIKESetting is as follows:

      NAME         AutostartIKESetting
      DESCRIPTION  AutostartIKESetting is used to automatically initiate
                   IKE negotiations with peers or statically create an
                   SA.
      DERIVED FROM SystemSetting (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Phase1Only
                   AddressType
                   SourceAddress
                   SourcePort
                   DestinationAddress
                   DestinationPort
                   Protocol

8.5.1. The Property Phase1Only

   The property Phase1Only is used to limit the IKE negotiation to a
   phase 1 SA establishment only.  When set to False, both phase 1 and
   phase 2 SAs are negotiated.  The property is defined as follows:

      NAME         Phase1Only
      DESCRIPTION  Used to indicate which security associations to
                   attempt to establish (phase 1 only, or phase 1 and
                   2).
      SYNTAX       boolean
      VALUE        true - attempt to establish a phase 1 security
                   association
                   false - attempt to establish phase 1 and phase 2
                   security associations

8.5.2. The Property AddressType

   The property AddressType specifies the type of the addresses in the
   SourceAddress and DestinationAddress properties.  The property is
   defined as follows:

      NAME         AddressType
      DESCRIPTION  AddressType is the type of address in the
                   SourceAddress and DestinationAddress properties.
      SYNTAX       unsigned 16-bit integer
      VALUE        0 - Unknown
                   1 - IPv4
                   2 - IPv6

8.5.3. The Property SourceAddress

   The property SourceAddress specifies the dotted-decimal (IPv4) or
   colon-hexadecimal (IPv6) formatted IP address used as the source
   address in comparing with policy filter entries and used in any
   phase 2 negotiations.  The property is defined as follows:

      NAME         SourceAddress
      DESCRIPTION  The source address to compare with the filters to
                   determine the appropriate policy rule.
      SYNTAX       string
      VALUE        dotted-decimal or colon-hexadecimal formatted IP
                   address

8.5.4. The Property SourcePort

   The property SourcePort specifies the port number used as the source
   port in comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

      NAME         SourcePort
      DESCRIPTION  The source port to compare with the filters to
                   determine the appropriate policy rule.
      SYNTAX       unsigned 16-bit integer

8.5.5. The Property DestinationAddress

   The property DestinationAddress specifies the dotted-decimal (IPv4)
   or colon-hexadecimal (IPv6) formatted IP address used as the
   destination address in comparing with policy filter entries and used
   in any phase 2 negotiations.  The property is defined as follows:

      NAME         DestinationAddress
      DESCRIPTION  The destination address to compare with the filters
                   to determine the appropriate policy rule.
      SYNTAX       string
      VALUE        dotted-decimal or colon-hexadecimal formatted IP
                   address

8.5.6. The Property DestinationPort

   The property DestinationPort specifies the port number used as the
   destination port in comparing with policy filter entries and used in
   any phase 2 negotiations.  The property is defined as follows:

      NAME         DestinationPort
      DESCRIPTION  The destination port to compare with the filters to
                   determine the appropriate policy rule.
      SYNTAX       unsigned 16-bit integer

8.5.7. The Property Protocol

   The property Protocol specifies the protocol number used in comparing
   with policy filter entries and used in any phase 2 negotiations.  The
   property is defined as follows:

      NAME         Protocol
      DESCRIPTION  The protocol number used in comparing with policy
                   filter entries.
      SYNTAX       unsigned 8-bit integer

8.6. The Class IKEIdentity

   The class IKEIdentity is used to represent the identities that may be
   used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints)
   to identify the IKE Service in IKE phase 1 negotiations.
   The policy property IKEAction.UseIKEIdentityType specifies which type
   of the available identities to use in a negotiation exchange, and
   IKERule.IdentityContexts specifies the match values to be used, along
   with the local address, in selecting the appropriate identity for a
   negotiation.  The ElementID property value (defined in the parent
   class, UsersAccess) should be that of either the IPProtocolEndpoint
   or the Collection of endpoints, as appropriate.  The class definition
   for IKEIdentity is as follows:

      NAME         IKEIdentity
      DESCRIPTION  IKEIdentity is used to represent the identities that
                   may be used for an IPProtocolEndpoint (or collection
                   of IPProtocolEndpoints) to identify the IKE Service
                   in IKE phase 1 negotiations.
      DERIVED FROM UsersAccess (see [CIMUSER])
      ABSTRACT     FALSE
      PROPERTIES   IdentityType
                   IdentityValue
                   IdentityContexts

8.6.1. The Property IdentityType

   The property IdentityType is an enumeration that specifies the type
   of the IdentityValue.  The property is defined as follows:

      NAME         IdentityType
      DESCRIPTION  IdentityType is the type of the IdentityValue.
      SYNTAX       unsigned 16-bit integer
      VALUE        The enumeration values are specified in [DOI] section
                   4.6.2.1.

8.6.2. The Property IdentityValue

   The property IdentityValue contains a string encoding of the Identity
   payload.  For IKEIdentity instances that are address types (i.e.,
   IPv4 or IPv6 addresses), the IdentityValue string value MAY be
   omitted; then the address of the associated IPProtocolEndpoint (or
   of the appropriate member of the Collection of endpoints) is used as
   the identity value.  The property is defined as follows:

      NAME         IdentityValue
      DESCRIPTION  IdentityValue contains a string encoding of the
                   Identity payload.
      SYNTAX       string

8.6.3. The Property IdentityContexts

   The IdentityContexts property is used to constrain the use of
   IKEIdentity instances to those matching the values specified in
   IKERule.IdentityContexts.  The IdentityContexts are formatted as
   policy roles and role combinations ([PCIM] and [PCIMe]).  Each value
   represents one context or context combination.  Since this is a
   multi-valued property, more than one context or combination of
   contexts can be associated with a single IKEIdentity.  Each value is
   a string of the form:

      <ContextName>[&&<ContextName>]*

   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2).  If one or more
   values in the IKERule.IdentityContexts array match one or more values
   in IKEIdentity.IdentityContexts, then the identity's context matches.
   (That is, the values of the IdentityContexts array are ORed
   conditions.)  In combination with the address of the
   IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
   exactly one matching IKEIdentity.  The property is defined as
   follows:

      NAME         IdentityContexts
      DESCRIPTION  The IKE service of a security endpoint may have
                   multiple identities for use in different situations.
                   The combination of the interface (represented by the
                   IPProtocolEndpoint), the identity type (as specified
                   in the IKEAction) and the IdentityContexts selects a
                   unique identity.
      SYNTAX       string array
      VALUE        string of the form <ContextName>[&&<ContextName>]*

8.7. The Association Class HostedPeerIdentityTable

   The class HostedPeerIdentityTable provides the name scoping
   relationship for PeerIdentityTable entries in a System.  The
   PeerIdentityTable is weak to the System.  The class definition for
   HostedPeerIdentityTable is as follows:

      NAME         HostedPeerIdentityTable
      DESCRIPTION  The PeerIdentityTable instances are weak to (name
                   scoped by) the owning System.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref System[1..1]]
                   Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that a PeerIdentityTable instance MUST be associated in a
   weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to a PeerIdentityTable instance.  The [0..n] cardinality
   indicates that a System instance may be associated with zero or more
   PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

   The class PeerIdentityMember aggregates PeerIdentityEntry instances
   into a PeerIdentityTable.  This is a weak aggregation.  The class
   definition for PeerIdentityMember is as follows:

      NAME         PeerIdentityMember
      DESCRIPTION  PeerIdentityMember aggregates PeerIdentityEntry
                   instances into a PeerIdentityTable.
      DERIVED FROM MemberOfCollection (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Collection [ref PeerIdentityTable[1..1]]
                   Member [ref PeerIdentityEntry[0..n] [weak]]

8.8.1. The Reference Collection

   The property Collection is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityTable instance.  The [1..1]
   cardinality indicates that a PeerIdentityEntry instance MUST be
   associated with one and only one PeerIdentityTable instance (i.e.,
   PeerIdentityEntry instances are not shared across
   PeerIdentityTables).

8.8.2. The Reference Member

   The property Member is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityEntry instance.  The [0..n]
   cardinality indicates that a PeerIdentityTable instance may be
   associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

   The class IKEServicePeerGateway provides the association between an
   IKEService and the list of PeerGateway instances that it uses in
   negotiating with security gateways.  The class definition for
   IKEServicePeerGateway is as follows:

      NAME         IKEServicePeerGateway
      DESCRIPTION  Associates an IKEService and the list of PeerGateway
                   instances that it uses in negotiating with security
                   gateways.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                   Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a PeerGateway instance may be associated with zero or more
   IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

   The class IKEServicePeerIdentityTable provides the relationship
   between an IKEService and a PeerIdentityTable that it uses to map
   between addresses and identities as required.  The class definition
   for IKEServicePeerIdentityTable is as follows:

      NAME         IKEServicePeerIdentityTable
      DESCRIPTION  IKEServicePeerIdentityTable provides the relationship
                   between an IKEService and a PeerIdentityTable that it
                   uses.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref PeerIdentityTable[0..n]]
                   Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerIdentityTable instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a PeerIdentityTable instance may be associated with zero or more
   IKEService instances.

8.11. The Association Class IKEAutostartSetting

   The class IKEAutostartSetting associates an AutostartIKESetting with
   an IKEService that may use it to automatically start an IKE
   negotiation or create a static SA.  The class definition for
   IKEAutostartSetting is as follows:

      NAME         IKEAutostartSetting
      DESCRIPTION  Associates an AutostartIKESetting with an IKEService.
      DERIVED FROM ElementSetting (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Element [ref IKEService[0..n]]
                   Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

   The property Element is inherited from ElementSetting and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that an AutostartIKESetting instance may be
   associated with zero or more IKEService instances.

8.11.2. The Reference Setting

   The property Setting is inherited from ElementSetting and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

   The class AutostartIKESettingContext aggregates the settings used to
   automatically start negotiations or create a static SA into a
   configuration set.  The class definition for
   AutostartIKESettingContext is as follows:

      NAME         AutostartIKESettingContext
      DESCRIPTION  AutostartIKESettingContext aggregates the
                   AutostartIKESetting instances into a configuration
                   set.
      DERIVED FROM SystemSettingContext (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Context [ref AutostartIKEConfiguration[0..n]]
                   Setting [ref AutostartIKESetting[0..n]]
                   SequenceNumber

8.12.1. The Reference Context

   The property Context is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an AutostartIKESetting instance may
   be associated with zero or more AutostartIKEConfiguration instances
   (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

   The property Setting is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an AutostartIKEConfiguration instance may
   be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

   The property SequenceNumber specifies the ordering to be used when
   starting negotiations or creating a static SA.  A zero value
   indicates that order is not significant and that the setting may be
   applied in parallel with other settings.  All other settings in the
   configuration are executed in sequence from lower values to higher.
   Sequence numbers need not be unique in an AutostartIKEConfiguration,
   and order is not significant for settings with the same sequence
   number.
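   As an added example, not code from this draft, the following turns
   the active AutostartIKEConfiguration of an IKEService into a start-up
   plan: it groups the AutostartIKESetting instances (Section 8.5) by
   AutostartIKESettingContext.SequenceNumber exactly as described above
   (0 unordered, otherwise ascending, ties unordered) and, for each
   setting, finds the policy rule whose filter matches the setting's
   address/port/protocol tuple, since that rule is what the service will
   act on.  The Active flag it consults is the one defined in Section
   8.14.3.  RuleFilter is a stand-in for an IPsecRule's packet-filter
   condition and is an assumption of the example, as are the function
   names and the sample data.

```python
"""Ordered start-up plan from an Active AutostartIKEConfiguration.

Added example for Sections 8.5, 8.12.3 and 8.14.3 of the draft; not the
draft's code.  RuleFilter stands in for an IPsecRule's filter (assumption).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import groupby
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AutostartIKESetting:                 # Section 8.5
    Phase1Only: bool
    AddressType: int                       # 0 Unknown, 1 IPv4, 2 IPv6
    SourceAddress: str
    SourcePort: int
    DestinationAddress: str
    DestinationPort: int
    Protocol: int                          # IP protocol number


@dataclass(frozen=True)
class AutostartIKESettingContext:          # Section 8.12 (aggregation)
    Setting: AutostartIKESetting
    SequenceNumber: int


@dataclass(frozen=True)
class AutostartIKEConfiguration:           # Section 8.4
    Name: str
    contexts: Tuple[AutostartIKESettingContext, ...]


@dataclass(frozen=True)
class IKEAutostartConfiguration:           # Section 8.14 (association)
    Antecedent: AutostartIKEConfiguration
    Active: bool


@dataclass(frozen=True)
class RuleFilter:
    """Stand-in for an IPsecRule's packet filter (assumption): CIDRs, 0 = any."""
    RuleName: str
    Source: str
    Destination: str
    Protocol: int = 0
    DestinationPort: int = 0

    def matches(self, s: AutostartIKESetting) -> bool:
        return (ip_address(s.SourceAddress) in ip_network(self.Source)
                and ip_address(s.DestinationAddress) in ip_network(self.Destination)
                and self.Protocol in (0, s.Protocol)
                and self.DestinationPort in (0, s.DestinationPort))


def active_configuration(assocs: List[IKEAutostartConfiguration]) -> Optional[AutostartIKEConfiguration]:
    """The configuration used at boot (8.14.3); more than one Active set is a modelling error."""
    active = [a.Antecedent for a in assocs if a.Active]
    if len(active) > 1:
        raise ValueError("several AutostartIKEConfiguration sets are Active for one IKEService")
    return active[0] if active else None


def execution_batches(config: AutostartIKEConfiguration) -> List[Tuple[int, List[AutostartIKESetting]]]:
    """Settings grouped by SequenceNumber in start order (8.12.3).

    Batch 0, when present, is listed first but may run in parallel with the
    rest; every other batch waits for the previous one.  Settings sharing a
    number are unordered within their batch (sorted() keeps their list order).
    """
    ordered = sorted(config.contexts, key=lambda c: c.SequenceNumber)
    return [(seq, [c.Setting for c in grp])
            for seq, grp in groupby(ordered, key=lambda c: c.SequenceNumber)]


def startup_plan(assocs, rules):
    """[(SequenceNumber, [(setting, matching RuleName or None)])] for the Active set."""
    config = active_configuration(assocs)
    if config is None:
        return []
    return [(seq, [(s, next((r.RuleName for r in rules if r.matches(s)), None))
                   for s in settings])
            for seq, settings in execution_batches(config)]


def build_sample():
    """Constructed data on RFC 5737 addresses: three sequenced settings, one unordered."""
    ike_only = AutostartIKESetting(True, 1, "192.0.2.10", 0, "192.0.2.1", 0, 0)
    https = AutostartIKESetting(False, 1, "192.0.2.10", 0, "198.51.100.5", 443, 6)
    dns = AutostartIKESetting(False, 1, "192.0.2.10", 0, "198.51.100.53", 53, 17)
    syslog = AutostartIKESetting(False, 1, "192.0.2.10", 0, "203.0.113.9", 514, 17)
    boot = AutostartIKEConfiguration("boot", (
        AutostartIKESettingContext(https, 20),
        AutostartIKESettingContext(ike_only, 10),
        AutostartIKESettingContext(dns, 20),
        AutostartIKESettingContext(syslog, 0)))
    maintenance = AutostartIKEConfiguration("maintenance", ())
    assocs = [IKEAutostartConfiguration(maintenance, False),
              IKEAutostartConfiguration(boot, True)]
    rules = [RuleFilter("to-gw1", "192.0.2.0/24", "192.0.2.1/32"),
             RuleFilter("to-partner-tcp", "192.0.2.0/24", "198.51.100.0/24", Protocol=6)]
    return assocs, rules
```

   A setting that matches no rule (None in the plan) is worth reporting
   at boot: it will start nothing, and the operator who wrote it almost
   certainly expected a tunnel.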
   The property is defined as follows:

      NAME         SequenceNumber
      DESCRIPTION  The sequence in which the settings are applied within
                   a configuration set.
      SYNTAX       unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

   The class IKEServiceForEndpoint provides the association showing
   which IKE service, if any, provides IKE negotiation services for
   which network interfaces.  The class definition for
   IKEServiceForEndpoint is as follows:

      NAME         IKEServiceForEndpoint
      DESCRIPTION  Associates an IPProtocolEndpoint with an IKEService
                   that provides negotiation services for the endpoint.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref IKEService[0..1]]
                   Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..1]
   cardinality indicates that an IPProtocolEndpoint instance MUST be
   associated with at most one IKEService instance.

8.13.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IPProtocolEndpoint that is associated with at most one
   IKEService.  The [0..n] cardinality indicates that an IKEService
   instance may be associated with zero or more IPProtocolEndpoint
   instances.

8.14. The Association Class IKEAutostartConfiguration

   The class IKEAutostartConfiguration provides the relationship between
   an IKEService and a configuration set that it uses to automatically
   start a set of SAs.  The class definition for
   IKEAutostartConfiguration is as follows:

      NAME         IKEAutostartConfiguration
      DESCRIPTION  IKEAutostartConfiguration provides the relationship
                   between an IKEService and an
                   AutostartIKEConfiguration that it uses to
                   automatically start a set of SAs.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref AutostartIKEConfiguration[0..n]]
                   Dependent [ref IKEService[0..n]]
                   Active

8.14.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that an AutostartIKEConfiguration instance may be associated with
   zero or more IKEService instances.

8.14.3. The Property Active

   The property Active indicates whether the AutostartIKEConfiguration
   set is currently active for the associated IKEService.  That is, at
   boot time, the active configuration is used to automatically start
   IKE negotiations and create static SAs.  The property is defined as
   follows:

      NAME         Active
      DESCRIPTION  Active indicates whether the AutostartIKEConfiguration
                   set is currently active for the associated
                   IKEService.
      SYNTAX       boolean
      VALUE        true - AutostartIKEConfiguration is currently active
                   for the associated IKEService.
                   false - AutostartIKEConfiguration is currently
                   inactive for the associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

   The class IKEUsesCredentialManagementService defines the set of
   CredentialManagementService(s) that are trusted sources of
   credentials for IKE phase 1 negotiations.
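   The identities that those credentials back are chosen by the rule of
   Section 8.6.3.  The following is an added example, not code from this
   draft, of that selection: an IKEIdentity belongs either to one
   IPProtocolEndpoint (EndpointHasLocalIKEIdentity, Section 8.16) or to
   one Collection of endpoints (CollectionHasLocalIKEIdentity, Section
   8.17), named by its ElementID; the endpoint, the
   IKEAction.UseIKEIdentityType value and the IKERule.IdentityContexts
   array then SHOULD leave exactly one candidate, and an address-type
   identity with no IdentityValue takes the endpoint's address (Section
   8.6.2).  Context values are canonicalised to the
   <ContextName>[&&<ContextName>]* form with names in UCS-2 code-unit
   order.  Treating an empty IdentityContexts array (on the rule or on
   the identity) as unconstrained, the identification-type numbers
   ([DOI] section 4.6.2.1), and all names and sample data are
   assumptions of the example.

```python
"""Choosing the local IKEIdentity for a phase 1 exchange.

Added example for Sections 8.6, 8.16 and 8.17 of the draft; not the draft's
code.  Empty context arrays are treated as unconstrained (assumption).
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple

# IPsec DOI identification types ([DOI] 4.6.2.1); only the ones used here.
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV6_ADDR = 1, 2, 3, 5
ADDRESS_ID_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR}


def context_key(names: Sequence[str]) -> str:
    """Canonical IdentityContexts value (8.6.3): unique names in UCS-2 order, '&&'-joined."""
    # UTF-16BE byte order equals UTF-16 code-unit order, which is what "the
    # collating sequence for UCS-2" asks for; Python's default str order is
    # by code point and differs once characters above U+FFFF are involved.
    ordered = sorted(set(names), key=lambda n: n.encode("utf-16-be"))
    return "&&".join(ordered)


@dataclass(frozen=True)
class IPProtocolEndpoint:
    Address: str
    Collections: FrozenSet[str] = frozenset()     # Collections containing this endpoint


@dataclass(frozen=True)
class IKEIdentity:                                # Section 8.6
    IdentityType: int
    IdentityValue: Optional[str]                  # None: use the endpoint address (8.6.2)
    IdentityContexts: Tuple[str, ...]             # canonical values
    ElementID: str                                # endpoint Address or Collection name


def contexts_match(rule_contexts: Sequence[str], identity_contexts: Sequence[str]) -> bool:
    """8.6.3: any value in common makes the identity's context match (ORed arrays)."""
    if not rule_contexts or not identity_contexts:
        return True                               # unconstrained (assumption)
    return not set(rule_contexts).isdisjoint(identity_contexts)


def select_identity(endpoint: IPProtocolEndpoint, identities: Sequence[IKEIdentity],
                    use_type: int, rule_contexts: Sequence[str]) -> Tuple[int, str]:
    """Return (IdentityType, IdentityValue) to send, or raise LookupError.

    Zero candidates means nothing usable is configured; more than one means
    the policy is ambiguous, which 8.6.3 says SHOULD not happen, so neither
    case is resolved by guessing.
    """
    owners = {endpoint.Address, *endpoint.Collections}
    matches = [i for i in identities
               if i.IdentityType == use_type and i.ElementID in owners
               and contexts_match(rule_contexts, i.IdentityContexts)]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} IKEIdentity candidates for {endpoint.Address}, type {use_type}")
    ident = matches[0]
    if ident.IdentityValue is not None:
        return ident.IdentityType, ident.IdentityValue
    if use_type not in ADDRESS_ID_TYPES:
        raise ValueError("IdentityValue may be omitted only for address identity types (8.6.2)")
    return ident.IdentityType, endpoint.Address


def build_sample():
    """Constructed data: one endpoint in Collection "dmz" and three identities."""
    ep = IPProtocolEndpoint("192.0.2.10", frozenset({"dmz"}))
    ids = [
        IKEIdentity(ID_FQDN, "gw1.example.com", (context_key(["VPN", "Partner"]),), "192.0.2.10"),
        IKEIdentity(ID_FQDN, "dmz.example.com", (context_key(["Corp"]),), "dmz"),
        IKEIdentity(ID_IPV4_ADDR, None, (), "dmz"),
    ]
    return ep, ids
```

   Note that a rule with no IdentityContexts matches both FQDN
   identities in the sample and therefore fails with two candidates;
   that is the ambiguity the SHOULD in Section 8.6.3 is there to
   prevent, and refusing to negotiate is safer than sending whichever
   identity happens to come first.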
   The class definition for IKEUsesCredentialManagementService is as
   follows:

      NAME         IKEUsesCredentialManagementService
      DESCRIPTION  Associates the set of CredentialManagementService(s)
                   that are trusted by the IKEService as sources of
                   credentials used in IKE phase 1 negotiations.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref CredentialManagementService[0..n]]
                   Dependent [ref IKEService[0..n]]

8.15.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a CredentialManagementService instance may be associated with
   zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

   The class EndpointHasLocalIKEIdentity associates an
   IPProtocolEndpoint with a set of IKEIdentity instances that may be
   used in negotiating security associations on the endpoint.  An
   IKEIdentity MUST be associated with either an IPProtocolEndpoint
   using this association or with a Collection of IPProtocolEndpoint
   instances using the CollectionHasLocalIKEIdentity association.  The
   class definition for EndpointHasLocalIKEIdentity is as follows:

      NAME         EndpointHasLocalIKEIdentity
      DESCRIPTION  EndpointHasLocalIKEIdentity associates an
                   IPProtocolEndpoint with a set of IKEIdentity
                   instances.
      DERIVED FROM ElementAsUser (see [CIMUSER])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref IPProtocolEndpoint[0..1]]
                   Dependent [ref IKEIdentity[0..n]]

8.16.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to an IPProtocolEndpoint instance.  The [0..1]
   cardinality indicates that an IKEIdentity instance MUST be associated
   with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that an IPProtocolEndpoint instance may be
   associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

   The class CollectionHasLocalIKEIdentity associates a Collection of
   IPProtocolEndpoint instances with a set of IKEIdentity instances that
   may be used in negotiating SAs for endpoints in the collection.  An
   IKEIdentity MUST be associated with either an IPProtocolEndpoint
   using the EndpointHasLocalIKEIdentity association or with a
   Collection of IPProtocolEndpoint instances using this association.
   The class definition for CollectionHasLocalIKEIdentity is as
   follows:

      NAME         CollectionHasLocalIKEIdentity
      DESCRIPTION  CollectionHasLocalIKEIdentity associates a collection
                   of IPProtocolEndpoint instances with a set of
                   IKEIdentity instances.
      DERIVED FROM ElementAsUser (see [CIMUSER])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref Collection[0..1]]
                   Dependent [ref IKEIdentity[0..n]]

8.17.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to a Collection instance.  The [0..1] cardinality
   indicates that an IKEIdentity instance MUST be associated with at
   most one Collection instance.

8.17.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.
   The [0..n] cardinality indicates that a Collection instance may be
   associated with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

   The class IKEIdentitysCredential is an association that relates a set
   of credentials to their corresponding local IKE Identities.  The
   class definition for IKEIdentitysCredential is as follows:

      NAME         IKEIdentitysCredential
      DESCRIPTION  IKEIdentitysCredential associates a set of
                   credentials to their corresponding local IKEIdentity.
      DERIVED FROM UsersCredential (see [CIMUSER])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref Credential[0..n]]
                   Dependent [ref IKEIdentity[0..n]]

8.18.1. The Reference Antecedent

   The property Antecedent is inherited from UsersCredential and is
   overridden to refer to a Credential instance.  The [0..n] cardinality
   indicates that an IKEIdentity instance may be associated with zero or
   more Credential instances.

8.18.2. The Reference Dependent

   The property Dependent is inherited from UsersCredential and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that a Credential instance may be associated
   with zero or more IKEIdentity instances.

9. Implementation Requirements

   The following table specifies which classes, properties, associations
   and aggregations MUST, SHOULD or MAY be implemented.

   4.      Policy Classes
   4.1.    The Class IPsecPolicyGroup ............................. MUST
   4.2.    The Class SARule ....................................... MUST
   4.2.1.  The Property PolicyRuleName ............................. MAY
   4.2.1.  The Property Enabled ................................... MUST
   4.2.1.  The Property ConditionListType ......................... MUST
   4.2.1.  The Property RuleUsage .................................. MAY
   4.2.1.  The Property Mandatory .................................. MAY
   4.2.1.  The Property SequencedActions .......................... MUST
   4.2.1.  The Property PolicyRoles ................................ MAY
   4.2.1.  The Property PolicyDecisionStrategy ..................... MAY
   4.2.2.  The Property ExecutionStrategy ......................... MUST
   4.2.3.  The Property LimitNegotiation ........................... MAY
   4.3.    The Class IKERule ...................................... MUST
   4.3.1.  The Property IdentityContexts ........................... MAY
   4.4.    The Class IPsecRule .................................... MUST
   4.5.    The Association Class IPsecPolicyForEndpoint ............ MAY
   4.5.1.  The Reference Antecedent ............................... MUST
   4.5.2.  The Reference Dependent ................................ MUST
   4.6.    The Association Class IPsecPolicyForSystem .............. MAY
   4.6.1.  The Reference Antecedent ............................... MUST
   4.6.2.  The Reference Dependent ................................ MUST
   4.7.    The Aggregation Class SARuleInPolicyGroup .............. MUST
   4.7.1.  The Property Priority ................................ SHOULD
   4.7.2.  The Reference GroupComponent ........................... MUST
   4.7.3.  The Reference PartComponent ............................ MUST
   4.8.    The Aggregation Class SAConditionInRule ................ MUST
   4.8.1.  The Property GroupNumber ............................. SHOULD
   4.8.1.  The Property ConditionNegated ........................ SHOULD
   4.8.2.  The Reference GroupComponent ........................... MUST
   4.8.3.  The Reference PartComponent ............................ MUST
   4.9.    The Aggregation Class PolicyActionInSARule ............. MUST
   4.9.1.  The Reference GroupComponent ........................... MUST
   4.9.2.  The Reference PartComponent ............................ MUST
   4.9.3.  The Property ActionOrder ............................. SHOULD
   5.      Condition and Filter Classes
   5.1.    The Class SACondition .................................. MUST
   5.2.    The Class IPHeadersFilter ............................ SHOULD
   5.3.    The Class CredentialFilterEntry ......................... MAY
   5.3.1.  The Property MatchFieldName ............................ MUST
   5.3.2.  The Property MatchFieldValue ........................... MUST
   5.3.3.  The Property CredentialType ............................ MUST
   5.4.    The Class IPSOFilterEntry ............................... MAY
   5.4.1.  The Property MatchConditionType ........................ MUST
   5.4.2.  The Property MatchConditionValue ....................... MUST
   5.5.    The Class PeerIDPayloadFilterEntry ...................... MAY
   5.5.1.  The Property MatchIdentityType ......................... MUST
   5.5.2.  The Property MatchIdentityValue ........................ MUST
   5.6.    The Association Class FilterOfSACondition ............ SHOULD
   5.6.1.  The Reference Antecedent ............................... MUST
   5.6.2.  The Reference Dependent ................................ MUST
   5.7.    The Association Class AcceptCredentialFrom .............. MAY
   5.7.1.  The Reference Antecedent ............................... MUST
   5.7.2.  The Reference Dependent ................................ MUST
   6.      Action Classes
   6.1.    The Class SAAction ..................................... MUST
   6.1.1.  The Property DoActionLogging ............................ MAY
   6.1.2.  The Property DoPacketLogging ............................ MAY
   6.2.    The Class SAStaticAction ............................... MUST
   6.2.1.  The Property LifetimeSeconds ........................... MUST
   6.3.    The Class IPsecBypassAction .......................... SHOULD
   6.4.    The Class IPsecDiscardAction ......................... SHOULD
   6.5.    The Class IKERejectAction ............................... MAY
   6.6.    The Class PreconfiguredSAAction ........................ MUST
   6.6.1.  The Property LifetimeKilobytes ......................... MUST
   6.7.    The Class PreconfiguredTransportAction ................. MUST
   6.8.    The Class PreconfiguredTunnelAction .................... MUST
   6.8.1.  The Property DFHandling ................................ MUST
   6.9.    The Class SANegotiationAction .......................... MUST
   6.10.   The Class IKENegotiationAction ......................... MUST
   6.10.1. The Property MinLifetimeSeconds ......................... MAY
   6.10.2. The Property MinLifetimeKilobytes ....................... MAY
   6.10.3. The Property IdleDurationSeconds ........................ MAY
   6.11.   The Class IPsecAction .................................. MUST
   6.11.1. The Property UsePFS .................................... MUST
   6.11.2. The Property UseIKEGroup ................................ MAY
   6.11.3. The Property GroupId ................................... MUST
   6.11.4. The Property Granularity ............................. SHOULD
   6.11.5. The Property VendorID ................................... MAY
   6.12.   The Class IPsecTransportAction ......................... MUST
   6.13.   The Class IPsecTunnelAction ............................ MUST
   6.13.1. The Property DFHandling ................................ MUST
   6.14.   The Class IKEAction .................................... MUST
   6.14.1. The Property ExchangeMode .............................. MUST
   6.14.2. The Property UseIKEIdentityType ........................ MUST
   6.14.3. The Property VendorID ................................... MAY
   6.14.4. The Property AggressiveModeGroupId ...................... MAY
   6.15.   The Class PeerGateway .................................. MUST
   6.15.1. The Property Name .................................... SHOULD
   6.15.2. The Property PeerIdentityType .......................... MUST
   6.15.3. The Property PeerIdentity .............................. MUST
   6.16.   The Association Class PeerGatewayForTunnel ............. MUST
   6.16.1. The Reference Antecedent ............................... MUST
   6.16.2. The Reference Dependent ................................ MUST
   6.16.3. The Property SequenceNumber .......................... SHOULD
   6.17.   The Aggregation Class ContainedProposal ................ MUST
   6.17.1. The Reference GroupComponent ........................... MUST
   6.17.2. The Reference PartComponent ............................ MUST
   6.17.3. The Property SequenceNumber ............................ MUST
   6.18.   The Association Class HostedPeerGatewayInformation ...... MAY
   6.18.1. The Reference Antecedent ............................... MUST
   6.18.2. The Reference Dependent ................................ MUST
   6.19.   The Association Class TransformOfPreconfiguredAction ... MUST
   6.19.1. The Reference Antecedent ............................... MUST
   6.19.2. The Reference Dependent ................................ MUST
   6.19.3. The Property SPI ....................................... MUST
   6.19.4. The Property Direction ................................. MUST
   6.20.   The Association Class PeerGatewayForPreconfiguredTunnel  MUST
   6.20.1. The Reference Antecedent ............................... MUST
   6.20.2. The Reference Dependent ................................ MUST
   7.      Proposal and Transform Classes
   7.1.    The Abstract Class SAProposal .......................... MUST
   7.1.1.  The Property Name .................................... SHOULD
   7.2.    The Class IKEProposal .................................. MUST
   7.2.1.  The Property CipherAlgorithm ........................... MUST
   7.2.2.  The Property HashAlgorithm ............................. MUST
   7.2.3.  The Property PRFAlgorithm ............................... MAY
   7.2.4.  The Property GroupId ................................... MUST
   7.2.5.  The Property AuthenticationMethod ...................... MUST
   7.2.6.
The Property MaxLifetimeSeconds........................MUST 3815 7.2.7. The Property MaxLifetimeKilobytes......................MUST 3816 7.2.8. The Property VendorID...................................MAY 3817 7.3. The Class IPsecProposal..................................MUST 3818 7.4. The Abstract Class SATransform...........................MUST 3819 7.4.1. The Property TransformName...........................SHOULD 3820 7.4.2. The Property VendorID...................................MAY 3821 7.4.3. The Property MaxLifetimeSeconds........................MUST 3822 7.4.4. The Property MaxLifetimeKilobytes......................MUST 3823 7.5. The Class AHTransform...................................MUST 3824 7.5.1. The Property AHTransformId.............................MUST 3825 7.5.2. The Property UseReplayPrevention........................MAY 3826 7.5.3. The Property ReplayPreventionWindowSize.................MAY 3827 7.6. The Class ESPTransform..................................MUST 3828 7.6.1. The Property IntegrityTransformId......................MUST 3829 7.6.2. The Property CipherTransformId.........................MUST 3830 7.6.3. The Property CipherKeyLength............................MAY 3831 7.6.4. The Property CipherKeyRounds............................MAY 3832 7.6.5. The Property UseReplayPrevention........................MAY 3833 7.6.6. The Property ReplayPreventionWindowSize.................MAY 3834 7.7. The Class IPCOMPTransform.................................MAY 3835 7.7.1. The Property Algorithm.................................MUST 3836 7.7.2. The Property DictionarySize.............................MAY 3837 7.7.3. The Property PrivateAlgorithm...........................MAY 3838 7.8. The Association Class SAProposalInSystem..................MAY 3839 7.8.1. The Reference Antecedent...............................MUST 3840 7.8.2. The Reference Dependent................................MUST 3841 7.9. 
The Aggregation Class ContainedTransform.................MUST 3842 7.9.1. The Reference GroupComponent...........................MUST 3843 7.9.2. The Reference PartComponent............................MUST 3844 7.9.3. The Property SequenceNumber............................MUST 3845 7.10. The Association Class SATransformInSystem................MAY 3846 7.10.1. The Reference Antecedent..............................MUST 3847 7.10.2. The Reference Dependent...............................MUST 3848 8. IKE Service and Identity Classes 3849 8.1. The Class IKEService.....................................MAY 3850 8.2. The Class PeerIdentityTable...............................MAY 3851 8.3.1. The Property Name...................................SHOULD 3852 8.3. The Class PeerIdentityEntry...............................MAY 3853 8.3.1. The Property PeerIdentity............................SHOULD 3854 8.3.2. The Property PeerIdentityType........................SHOULD 3855 8.3.3. The Property PeerAddress.............................SHOULD 3856 8.3.4. The Property PeerAddressType.........................SHOULD 3857 8.4. The Class AutostartIKEConfiguration.......................MAY 3858 8.5. The Class AutostartIKESetting.............................MAY 3859 8.5.1. The Property Phase1Only.................................MAY 3860 8.5.2. The Property AddressType.............................SHOULD 3861 8.5.3. The Property SourceAddress.............................MUST 3862 8.5.4. The Property SourcePort................................MUST 3863 8.5.5. The Property DestinationAddress........................MUST 3864 8.5.6. The Property DestinationPort...........................MUST 3865 8.5.7. The Property Protocol..................................MUST 3866 8.6. The Class IKEIdentity....................................MAY 3867 8.6.1. The Property IdentityType..............................MUST 3868 8.6.2. The Property IdentityValue.............................MUST 3869 8.6.3. 
The Property IdentityContexts...........................MAY 3870 8.7. The Association Class HostedPeerIdentityTable.............MAY 3871 8.7.1. The Reference Antecedent...............................MUST 3872 8.7.2. The Reference Dependent................................MUST 3873 8.8. The Aggregation Class PeerIdentityMember..................MAY 3874 8.8.1. The Reference Collection...............................MUST 3875 8.8.2. The Reference Member..................................MUST 3876 8.9. The Association Class IKEServicePeerGateway...............MAY 3877 8.9.1. The Reference Antecedent...............................MUST 3878 8.9.2. The Reference Dependent................................MUST 3879 8.10. The Association Class IKEServicePeerIdentityTable........MAY 3880 8.10.1. The Reference Antecedent..............................MUST 3881 8.10.2. The Reference Dependent...............................MUST 3882 8.11. The Association Class IKEAutostartSetting................MAY 3883 8.11.1. The Reference Element.................................MUST 3884 8.11.2. The Reference Setting.................................MUST 3885 8.12. The Aggregation Class AutostartIKESettingContext.........MAY 3886 8.12.1. The Reference Context.................................MUST 3887 8.12.2. The Reference Setting.................................MUST 3888 8.12.3. The Property SequenceNumber.........................SHOULD 3889 8.13. The Association Class IKEServiceForEndpoint..............MAY 3890 8.13.1. The Reference Antecedent..............................MUST 3891 8.13.2. The Reference Dependent...............................MUST 3892 8.14. The Association Class IKEAutostartConfiguration..........MAY 3893 8.14.1. The Reference Antecedent..............................MUST 3894 8.14.2. The Reference Dependent...............................MUST 3895 8.14.3. The Property Active................................SHOULD 3896 8.15. 
The Association Class IKEUsesCredentialManagementService..MAY 3897 8.15.1. The Reference Antecedent..............................MUST 3898 8.15.2. The Reference Dependent...............................MUST 3899 8.16. The Association Class EndpointHasLocalIKEIdentity........MAY 3900 8.16.1. The Reference Antecedent..............................MUST 3901 8.16.2. The Reference Dependent...............................MUST 3902 8.17. The Association Class CollectionHasLocalIKEIdentity......MAY 3903 8.17.1. The Reference Antecedent..............................MUST 3904 8.17.2. The Reference Dependent...............................MUST 3905 8.18. The Association Class IKEIdentitysCredential.............MAY 3906 8.18.1. The Reference Antecedent..............................MUST 3907 8.18.2. The Reference Dependent...............................MUST 3909 10. Security Considerations 3911 This document describes a schema for IPsec policy. It does not 3912 detail security requirements for storage or delivery of said schema. 3913 Storage and delivery security requirements should be detailed in a 3914 comprehensive security policy architecture document. 3916 11. Intellectual Property 3918 The IETF takes no position regarding the validity or scope of any 3919 intellectual property or other rights that might be claimed to 3920 pertain to the implementation or use of the technology described in 3921 this document or the extent to which any license under such rights 3922 might or might not be available; neither does it represent that it 3923 has made any effort to identify any such rights. Information on the 3924 IETF's procedures with respect to rights in standards-track and 3925 standards-related documentation can be found in BCP-11. 
Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification, can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

12. Acknowledgments

The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire, Vic Lortz, William Dixon, Man Li, Wes Hardaker and Ricky Charlet for their contributions to this IPsec policy model.

Additionally, this draft would not have been possible without the preceding IPsec schema drafts. For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan.

13. References

[IKE] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.

[COMP] Shacham, A., Monsour, R., Pereira, R., and M. Thomas, "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

[ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.

[AH] Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.

[PCIM] Moore, B., Ellesson, E., Strassner, J., and A. Westerinen, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001.

[PCIME] Moore, B., Rafalow, L., Ramberg, Y., Snir, Y., Westerinen, A., Chadha, R., Brunner, M., Cohen, R., and J. Strassner, "Policy Core Information Model Extensions", draft-ietf-policy-pcim-ext-05.txt, October 2001, Internet-Draft, work in progress.

[DOI] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.

[LDAP] Wahl, M., Howes, T., and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.

[COPS] Boyle, J., Cohen, R., Durham, D., Herzog, S., Rajan, R., and A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000.

[COPSPR] Chan, K., Durham, D., Gai, S., Herzog, S., McCloghrie, K., Reichmeyer, F., Seligson, J., Smith, A., and R. Yavatkar, "COPS Usage for Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000, Internet-Draft, work in progress.

[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[IPSO] Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991.

[IPSEC] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

[DMTF] Distributed Management Task Force, http://www.dmtf.org/

[CIMCORE] DMTF Common Information Model - Core Model v2.6, http://www.dmtf.org/standards/cim_schema_v26.php

[CIMUSER] DMTF Common Information Model - User-Security Model v2.6, http://www.dmtf.org/standards/cim_schema_v26.php

[CIMNETWORK] DMTF Common Information Model - Network Model v2.6, http://www.dmtf.org/standards/cim_schema_v26.php

14. Disclaimer

The views and specification herein are those of the authors and are not necessarily those of their employers.
The authors and their employers specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this specification.

15. Authors' Addresses

Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
E-Mail: jamie.jason@intel.com

Lee Rafalow
IBM Corporation, BRQA/502
4205 So. Miami Blvd.
Research Triangle Park, NC 27709
E-mail: rafalow@watson.ibm.com

Eric Vyncke
Cisco Systems
Avenue Marcel Thiry, 77
B-1200 Brussels
Belgium
E-mail: evyncke@cisco.com

16. Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.