Internet Engineering Task Force Jamie Jason
INTERNET DRAFT Intel Corporation
1-March-2001 Lee Rafalow
IBM
Eric Vyncke
Cisco Systems
IPsec Configuration Policy Model
draft-ietf-ipsp-config-policy-model-02.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document presents an object-oriented model of IPsec policy
designed to:
o facilitate agreement about the content and semantics of IPsec
policy
o enable derivations of task-specific representations of IPsec
policy such as storage schema, distribution representations,
and policy specification languages used to configure IPsec-
enabled endpoints
The schema described in this document models the IKE phase one
parameters as described in [IKE] and the IKE phase two parameters
for the IPsec Domain of Interpretation as described in [COMP, ESP,
AH, DOI]. It is based upon the core policy classes as defined in
the Policy Core Information Model (PCIM) [PCIM].
Jason, et al [Page 1]
Internet Draft IPsec Configuration Policy Model March 2001
Table of Contents
Status of this Memo................................................1
Abstract...........................................................1
Table of Contents..................................................2
1. Introduction....................................................7
2. UML Conventions.................................................7
3. IPsec Policy Model Inheritance Hierarchy........................8
4. Policy Classes.................................................13
4.1. The Class IPsecPolicyGroup...................................14
4.2. The Class SARule.............................................14
4.2.1. The Property LimitNegotiation..............................14
4.3. The Class IKERule............................................15
4.3.1. The Property IdentityContexts..............................15
4.4. The Class IPsecRule..........................................16
4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup..........16
4.5.1. The Reference GroupComponent...............................17
4.5.2. The Reference PartComponent................................17
4.5.3. The Property GroupPriority.................................17
4.6. The Association Class IPsecPolicyForEndpoint.................17
4.6.1. The Reference Antecedent...................................18
4.6.2. The Reference Dependent....................................18
4.7. The Association Class IPsecPolicyForSystem...................18
4.7.1. The Reference Antecedent...................................18
4.7.2. The Reference Dependent....................................18
4.8. The Aggregation Class RuleForIKENegotiation..................19
4.8.1. The Reference GroupComponent...............................19
4.8.2. The Reference PartComponent................................19
4.9. The Aggregation Class RuleForIPsecNegotiation................19
4.9.1. The Reference GroupComponent...............................19
4.9.2. The Reference PartComponent................................20
4.10. The Aggregation Class SAConditionInRule.....................20
4.10.1. The Reference GroupComponent..............................20
4.10.2. The Reference PartComponent...............................20
4.11. The Aggregation Class SAActionInRule........................20
4.11.1. The Reference GroupComponent..............................21
4.11.2. The Reference PartComponent...............................21
4.11.3. The Property ActionOrder..................................21
5. Condition and Filter Classes...................................22
5.1. The Class SACondition........................................22
5.2. The Class FilterEntry........................................23
5.3. The Class CredentialFilterEntry..............................23
5.3.1. The Property MatchFieldName................................24
5.3.2. The Property MatchFieldValue...............................24
5.3.3. The Property CredentialType................................24
5.4. The Class IPSOFilterEntry....................................24
5.4.1. The Property MatchConditionType............................25
5.4.2. The Property MatchConditionValue...........................25
5.5. The Class PeerIDPayloadFilterEntry...........................25
5.5.1. The Property MatchIdentityType.............................26
5.5.2. The Property MatchIdentityValue............................26
5.6. The Association Class FilterOfSACondition....................27
5.6.1. The Reference Antecedent...................................27
Jason, et al Expires September 2001 [Page 2]
Internet Draft IPsec Configuration Policy Model March 2001
5.6.2. The Reference Dependent....................................27
5.7. The Association Class AcceptCredentialFrom...................27
5.7.1. The Reference Antecedent...................................28
5.7.2. The Reference Dependent....................................28
6. Action Classes.................................................29
6.1. The Class SAAction...........................................30
6.1.1. The Property DoActionLogging...............................30
6.1.2. The Property DoPacketLogging...............................30
6.2. The Class SAStaticAction.....................................31
6.2.1. The Property LifetimeSeconds...............................31
6.3. The Class IPsecBypassAction..................................31
6.4. The Class IPsecDiscardAction.................................31
6.5. The Class IKERejectAction....................................32
6.6. The Class PreconfiguredSAAction..............................32
6.6.1. The Property LifetimeKilobytes.............................33
6.7. The Class PreconfiguredTransportAction.......................33
6.8. The Class PreconfiguredTunnelAction..........................33
6.8.1. The Property PeerGatewayAddressType........................33
6.8.2. The Property PeerGatewayAddress............................34
6.8.3. The Property DFHandling....................................34
6.9. The Class SANegotiationAction................................34
6.9.1. The Property MinLifetimeSeconds............................35
6.9.2. The Property MinLifetimeKilobytes..........................35
6.9.3. The Property RefreshThresholdSeconds.......................35
6.9.4. The Property RefreshThresholdKilobytes.....................36
6.9.5. The Property IdleDurationSeconds...........................36
6.10. The Class IPsecAction.......................................36
6.10.1. The Property UsePFS.......................................37
6.10.2. The Property UseIKEGroup..................................37
6.10.3. The Property GroupId......................................37
6.10.4. The Property Granularity..................................38
6.10.5. The Property VendorID.....................................38
6.11. The Class IPsecTransportAction..............................38
6.12. The Class IPsecTunnelAction.................................38
6.12.1. The Property DFHandling...................................39
6.13. The Class IKEAction.........................................39
6.13.1. The Property RefreshThresholdDerivedKeys..................39
6.13.2. The Property ExchangeMode.................................40
6.13.3. The Property UseIKEIdentityType...........................40
6.13.4. The Property VendorID.....................................40
6.13.5. The Property AggressiveModeGroupId........................41
6.14. The Class PeerGateway.......................................41
6.14.1. The Property Name.........................................41
6.14.2. The Property PeerIdentityType.............................41
6.14.3. The Property PeerIdentity.................................42
6.15. The Association Class PeerGatewayForTunnel..................42
6.15.1. The Reference Antecedent..................................42
6.15.2. The Reference Dependent...................................43
6.15.3. The Property SequenceNumber...............................43
6.16. The Aggregation Class ContainedProposal.....................43
6.16.1. The Reference GroupComponent..............................43
6.16.2. The Reference PartComponent...............................44
6.16.3. The Property SequenceNumber...............................44
Jason, et al Expires September 2001 [Page 3]
Internet Draft IPsec Configuration Policy Model March 2001
6.17. The Association Class HostedPeerGatewayInformation..........44
6.17.1. The Reference Antecedent..................................44
6.17.2. The Reference Dependent...................................44
6.18. The Association Class TransformOfPreconfiguredAction........44
6.18.1. The Reference Antecedent..................................45
6.18.2. The Reference Dependent...................................45
6.18.3. The Property SPI..........................................45
7. Proposal and Transform Classes.................................46
7.1. The Abstract Class SAProposal................................46
7.1.1. The Property Name..........................................46
7.2. The Class IKEProposal........................................47
7.2.1. The Property LifetimeDerivedKeys...........................47
7.2.2. The Property CipherAlgorithm...............................47
7.2.3. The Property HashAlgorithm.................................48
7.2.4. The Property PRFAlgorithm..................................48
7.2.5. The Property GroupId.......................................48
7.2.6. The Property AuthenticationMethod..........................48
7.2.7. The Property MaxLifetimeSeconds............................49
7.2.8. The Property MaxLifetimeKilobytes..........................49
7.2.9. The Property VendorID......................................49
7.3. The Class IPsecProposal......................................49
7.4. The Abstract Class SATransform...............................50
7.4.1. The Property TransformName.................................50
7.4.2. The Property VendorID......................................50
7.4.3. The Property MaxLifetimeSeconds............................50
7.4.4. The Property MaxLifetimeKilobytes..........................51
7.5. The Class AHTransform........................................51
7.5.1. The Property AHTransformId.................................51
7.5.2. The Property UseReplayPrevention...........................51
7.5.3. The Property ReplayPreventionWindowSize....................52
7.6. The Class ESPTransform.......................................52
7.6.1. The Property IntegrityTransformId..........................52
7.6.2. The Property CipherTransformId.............................52
7.6.3. The Property CipherKeyLength...............................53
7.6.4. The Property CipherKeyRounds...............................53
7.6.5. The Property UseReplayPrevention...........................53
7.6.6. The Property ReplayPreventionWindowSize....................53
7.7. The Class IPCOMPTransform....................................54
7.7.1. The Property Algorithm.....................................54
7.7.2. The Property DictionarySize................................54
7.7.3. The Property PrivateAlgorithm..............................54
7.8. The Association Class SAProposalInSystem.....................54
7.8.1. The Reference Antecedent...................................55
7.8.2. The Reference Dependent....................................55
7.9. The Aggregation Class ContainedTransform.....................55
7.9.1. The Reference GroupComponent...............................55
7.9.2. The Reference PartComponent................................56
7.9.3. The Property SequenceNumber................................56
7.10. The Association Class SATransformInSystem...................56
7.10.1. The Reference Antecedent..................................56
7.10.2. The Reference Dependent...................................56
8. IKE Service and Identity Classes...............................58
8.1. The Class IKEService.........................................59
Jason, et al Expires September 2001 [Page 4]
Internet Draft IPsec Configuration Policy Model March 2001
8.2. The Class PeerIdentityTable..................................59
8.3.1. The Property Name..........................................59
8.3. The Class PeerIdentityEntry..................................60
8.3.1. The Property PeerIdentity..................................60
8.3.2. The Property PeerIdentityType..............................60
8.3.3. The Property PeerAddress...................................60
8.3.4. The Property PeerAddressType...............................60
8.4. The Class AutostartIKEConfiguration..........................61
8.5. The Class AutostartIKESetting................................61
8.5.1. The Property Phase1Only....................................61
8.5.2. The Property AddressType...................................62
8.5.3. The Property SourceAddress.................................62
8.5.4. The Property SourcePort....................................62
8.5.5. The Property DestinationAddress............................62
8.5.6. The Property DestinationPort...............................63
8.5.7. The Property Protocol......................................63
8.6. The Class IKEIdentity........................................63
8.6.1. The Property IdentityType..................................64
8.6.2. The Property IdentityValue.................................64
8.6.3. The Property IdentityContexts..............................64
8.7. The Association Class HostedPeerIdentityTable................65
8.7.1. The Reference Antecedent...................................65
8.7.2. The Reference Dependent....................................65
8.8. The Aggregation Class PeerIdentityMember.....................65
8.8.1. The Reference Collection...................................65
8.8.2. The Reference Member.......................................66
8.9. The Association Class IKEServicePeerGateway..................66
8.9.1. The Reference Antecedent...................................66
8.9.2. The Reference Dependent....................................66
8.10. The Association Class IKEServicePeerIdentityTable...........66
8.10.1. The Reference Antecedent..................................67
8.10.2. The Reference Dependent...................................67
8.11. The Association Class IKEAutostartSetting...................67
8.11.1. The Reference Element.....................................67
8.11.2. The Reference Setting.....................................67
8.12. The Aggregation Class AutostartIKESettingContext............67
8.12.1. The Reference Context.....................................68
8.12.2. The Reference Setting.....................................68
8.12.3. The Property SequenceNumber...............................68
8.13. The Association Class IKEServiceForEndpoint.................68
8.13.1. The Reference Antecedent..................................69
8.13.2. The Reference Dependent...................................69
8.14. The Association Class IKEAutostartConfiguration.............69
8.14.1. The Reference Antecedent..................................69
8.14.2. The Reference Dependent...................................69
8.14.3. The Property Active.......................................69
8.15. The Association Class IKEUsesCredentialManagementService....70
8.15.1. The Reference Antecedent..................................70
8.15.2. The Reference Dependent...................................70
8.16. The Association Class EndpointHasLocalIKEIdentity...........70
8.16.1. The Reference Antecedent..................................71
8.16.2. The Reference Dependent...................................71
8.17. The Association Class CollectionHasLocalIKEIdentity.........71
Jason, et al Expires September 2001 [Page 5]
Internet Draft IPsec Configuration Policy Model March 2001
8.17.1. The Reference Antecedent..................................71
8.17.2. The Reference Dependent...................................71
8.18. The Association Class IKEIdentitysCredential................72
8.18.1. The Reference Antecedent..................................72
8.18.2. The Reference Dependent...................................72
9. Security Considerations........................................72
10. Intellectual Property.........................................72
11. Acknowledgments...............................................73
12. References....................................................73
13. Disclaimer....................................................74
14. Authors' Addresses............................................74
15. Full Copyright Statement......................................74
Appendix A (DMTF Core Model MOF)..................................75
Appendix B (DMTF User Model MOF)..................................90
Appendix C (DMTF Network Model MOF)..............................105
Jason, et al Expires September 2001 [Page 6]
Internet Draft IPsec Configuration Policy Model March 2001
1. Introduction
Internet Protocol security (IPsec) policy may assume a variety of
forms as it travels from storage to distribution point to decision
point. At each step, it needs to be represented in a way that is
convenient for the current task. For example, the policy could
exist as, but is not limited to:
o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
a directory
o an on-the-wire representation over a transport protocol like the
Common Object Policy Service (COPS) [COPS, COPSPR]
o a text-based policy specification language [SPSL] suitable for
editing by an administrator
o an Extensible Markup Language (XML) document
Each of these task-specific representations should be derived from a
canonical representation that precisely specifies the content and
semantics of the IPsec policy. The purpose of this document is to
abstract IPsec policy into a task-independent representation that is
not constrained by any particular task-dependent representation.
This document is organized as follows:
o Section 2 provides a quick introduction to the Unified Modeling
Language (UML) graphical notation conventions used in this
document.
o Section 3 provides the inheritance hierarchy that describes
where the IPsec policy classes fit into the policy class
hierarchy already defined by the Policy Core Information Model
(PCIM).
o The remainder of the document describes the classes that make up
the IPsec policy model.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS].
2. UML Conventions
For this document, a UML static class diagram was chosen as the
canonical representation for the IPsec policy model. The reason
behind this decision is that UML provides a graphical, task-
independent way to model systems. A treatise on the graphical
notation used in UML is beyond the scope of this paper. However,
given the use of ASCII drawing for UML static class diagrams, a
description of the notational conventions used in this document is
in order:
o Boxes represent classes, with class names in brackets ([])
representing an abstract class.
Jason, et al Expires September 2001 [Page 7]
Internet Draft IPsec Configuration Policy Model March 2001
o A line that terminates with an arrow (<, >, ^, v) denotes
inheritance. The arrow always points to the parent class.
Inheritance can also be called generalization or specialization
(depending upon the reference point). A base class is a
generalization of a derived class, and a derived class is a
specialization of a base class.
o Associations are used to model a relationship between two
classes. Classes that share an association are connected using
a line. A special kind of association is also used: an
aggregation. An aggregation models a whole-part relationship
between two classes. Associations, and therefore aggregations,
can also be modeled as classes.
o A line that begins with an "o" denotes aggregation. Aggregation
denotes containment in which the contained class and the
containing class have independent lifetimes.
o Next to a line representing an association appears a
cardinality. Cardinalities indicate the constraints on the
number of object instances in a set of relationships. Every
association instance has a single set of references. The
cardinality indicates the number of instances that may refer to
a given object instance. The cardinality may be:
- a range in the form "lower bound..upper bound" indicating the
minimum and maximum number of objects.
- a number that indicates the exact number of objects.
- an asterisk indicating any number of objects, including zero.
Using an asterisk is shorthand for 0..n.
- the letter n indicating from 1 to many. Using the letter n is
shorthand for 1..n.
o A class that has an association may have a "w" next to the line
representing the association. This is called a weak association
and is discussed in [PCIM].
It should be noted that the UML static class diagram presented is a
conceptual view of IPsec policy designed to aid in understanding.
It does not necessarily get translated class for class into another
representation. For example, an LDAP implementation may flatten out
the representation to fewer classes (because of the inefficiency of
following references).
3. IPsec Policy Model Inheritance Hierarchy
Like PCIM from which it is derived, the IPsec Configuration Policy
Model derives from and uses classes defined in the DMTF Common
Information Model (CIM). The following tree represents the
inheritance hierarchy for the IPsec policy model classes and how
they fit into PCIM and the other DMTF models (see Appendices for
descriptions of classes that are not being introduced as part of
IPsec model). CIM classes that are not used as a superclass from
which to derive new classes but are only referenced are not included
this inheritance hierarchy, but are included in the appropriate
appendix.
ManagedElement (DMTF Core Model - Appendix A)
Jason, et al Expires September 2001 [Page 8]
Internet Draft IPsec Configuration Policy Model March 2001
|
+--Collection (DMTF Core Model - Appendix A)
| |
| +--PeerIdentityTable
|
+--ManagedSystemElement (DMTF Core Model - Appendix A)
| |
| +--LogicalElement (DMTF Core Model - Appendix A)
| |
| +--FilterEntryBase (DMTF Network Model - Appendix C)
| | |
| | +--CredentialFilterEntry
| | |
| | +--IPSOFilterEntry
| | |
| | +--PeerIDPayloadFilterEntry
| |
| +--PeerGateway
| |
| +--PeerIdentityEntry
| |
| +--Service (DMTF Core Model - Appendix A)
| |
| +--NetworkService (DMTF Network Model - Appendix C)
| |
| +--IKEService
|
+--OrganizationalEntity (DMTF User Model - Appendix B)
| |
| +--UserEntity (DMTF User Model - Appendix B)
| |
| +--UsersAccess (DMTF User Model - Appendix B)
| |
| +--IKEIdentity
|
+--Policy (PCIM)
| |
| +--PolicyAction (PCIM)
| | |
| | +--SAAction
| | |
| | +--SANegotiationAction
| | | |
| | | +--IKEAction
| | | |
| | | +--IPsecAction
| | | |
| | | +--IPsecTransportAction
| | | |
| | | +--IPsecTunnelAction
| | |
| | +--SAStaticAction
| | |
Jason, et al Expires September 2001 [Page 9]
Internet Draft IPsec Configuration Policy Model March 2001
| | +--IKERejectAction
| | |
| | +--IPsecBypassAction
| | |
| | +--IPsecDiscardAction
| | |
| | +--PreconfiguredSAAction
| | |
| | +--PreconfiguredTransportAction
| | |
| | +--PreconfiguredTunnelAction
| |
| +--PolicyCondition (PCIM)
| | |
| | +--SACondition
| |
| +--PolicyGroup (PCIM)
| | |
| | +--IPsecPolicyGroup
| |
| +--PolicyRule (PCIM)
| | |
| | +--SARule
| | |
| | +--IKERule
| | |
| | +--IPsecRule
| |
| +--SAProposal
| | |
| | +--IKEProposal
| | |
| | +--IPsecProposal
| |
| +--SATransform
| |
| +--AHTransform
| |
| +--ESPTransform
| |
| +--IPCOMPTransform
|
+--Setting (DMTF Core Model - Appendix A)
| |
| +--SystemSetting (DMTF Core Model - Appendix A)
| |
| +--AutostartIKESetting
|
+--SystemConfiguration (DMTF Core Model - Appendix A)
|
+--AutostartIKEConfiguration
Jason, et al Expires September 2001 [Page 10]
Internet Draft IPsec Configuration Policy Model March 2001
The following tree represents the inheritance hierarchy of the IPsec
policy model association classes and how they fit into PCIM and the
other DMTF models (see Appendices for description of associations
classes that are not being introduced as part of IPsec model).
Dependency (DMTF Core Model - Appendix A)
|
+--AcceptCredentialsFrom
|
+--ElementAsUser (DMTF User Model - Appendix B)
| |
| +--EndpointHasLocalIKEIdentity
| |
| +--CollectionHasLocalIKEIdentity
|
+--FilterOfSACondition
|
+--HostedPeerGatewayInformation
|
+--HostedPeerIdentityTable
|
+--IKEAutostartConfiguration
|
+--IKEServiceForEndpoint
|
+--IKEServicePeerGateway
|
+--IKEServicePeerIdentityTable
|
+--IKEUsesCredentialManagementService
|
+--IPsecPolicyForEndpoint
|
+--PeerGatewayForTunnel
|
+--PolicyInSystem (PCIM)
| |
| +--PolicyGroupInSystem (PCIM)
| |
| +--SAProposalInSystem
| |
| +--SATransformInSystem
|
+--IPsecPolicyForSystem
|
+--TransformOfPreconfiguredAction
|
+--UsersCredential (DMTF User Model - Appendix B)
|
+--IKEIdentitysCredential
ElementSetting (DMTF Core Model - Appendix A)
|
Jason, et al Expires September 2001 [Page 11]
Internet Draft IPsec Configuration Policy Model March 2001
+--IKEAutostartSetting
MemberOfCollection (DMTF Core Model - Appendix A)
|
+--PeerIdentityMember
PolicyComponent (PCIM)
|
+--ContainedProposal
|
+--ContainedTransform
|
+--PolicyActionInPolicyRule (PCIM)
| |
| +--SAActionInRule
|
+--PolicyConditionInPolicyRule (PCIM)
| |
| +--SAConditionInRule
|
+--PolicyGroupInPolicyGroup (PCIM)
| |
| +--IPsecPolicyGroupInPolicyGroup
|
+--PolicyRuleInPolicyGroup
|
+--RuleForIKENegotiation
|
+--RuleForIPsecNegotiation
SystemSettingContext (DMTF Core Model - Appendix A)
|
+--AutostartIKESettingContext
Jason, et al Expires September 2001 [Page 12]
Internet Draft IPsec Configuration Policy Model March 2001
4. Policy Classes
The IPsec policy classes represent the set of policies that are
contained on a system.
+--------------------+
| IPProtocolEndpoint |
| (Appendix C) |
+--------------------+
| *
|
(a) | (b)
+------+ |
| |* | 0..1
| *+------------------+0..1 (c) *+------------+
+---o| IPsecPolicyGroup |-----------| System |
+------------------+ |(Appendix A)|
1 o o 1 +------------+
(d) | | (e)
+-----------------------+ +---------------------+
| |
| +---------------------------+ |
| | PolicyTimePeriodCondition | |
| | (see [PCIM]) | |
| +---------------------------+ |
| *| |
| | (f) |
| *o |
| +-------------+n *+--------+* n+----------+ |
| | SACondition |------o| SARule |o-------| SAAction | |
| +-------------+ (g) +--------+ (h) +----------+ |
| ^ |
| | |
| +--------+--------+ |
| | | |
| *+---------+ +-----------+* |
+---------------| IKERule | | IPsecRule |------------+
+---------+ +-----------+
(a) IPsecPolicyGroupInPolicyGroup
(b) IPsecPolicyForEndpoint
(c) IPsecPolicyForSystem
(d) RuleForIKENegotiation
(e) RuleForIPsecNegotiation
(f) PolicyRuleValidityPeriod (see [PCIM])
(g) SAConditionInRule
(h) SAActionInRule
An IPsecPolicyGroup represents the set of policies that are used on
an interface. This IPsecPolicyGroup SHOULD be associated either
directly with the IPProtocolEndpoint class instance that represents
the interface (via the IPsecPolicyForEndpoint association) or
Jason, et al Expires September 2001 [Page 13]
Internet Draft IPsec Configuration Policy Model March 2001
indirectly (via the IPsecPolicyForSystem association) associated
with the System that hosts the interface.
4.1. The Class IPsecPolicyGroup
The class IPsecPolicyGroup serves as a container of either other
IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. The
class definition for IPsecPolicyGroup is as follows:
NAME IPsecPolicyGroup
DESCRIPTION Either a set of IPsecPolicyGroups or a set of IKERules
and a set of IPsecRules.
DERIVED FROM PolicyGroup (see [PCIM])
ABSTRACT FALSE
PROPERTIES PolicyGroupName (from PolicyGroup)
NOTE: for derivations of the schema that are used for policy
distribution to an IPsec device (for example, COPS-PR), the server
may follow all of IPsecPolicyGroupInPolicyGroup associations and
create one policy group which is simply a set of all of the IKE
rules and a set of all of the IPsec rules. See the section on the
IPsecPolicyGroupInPolicyGroup aggregation for information on merging
multiple IPsecPolicyGroups.
4.2. The Class SARule
The class SARule serves as a base class for IKERule and IPsecRule.
Even though the class is concrete, it MUST not be instantiated. It
defines a common connection point for associations to conditions and
actions for both types of rules. Through its derivation from
PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
the PolicyRuleValidityPeriod association.
An SARule inherits the property Priority from PolicyRule. Since
there is a need for an unambiguous ordering of rules in an IPsec
system, all SARules contained within an IPsecPolicyGroup must have
unique priority values.
The class definition for SARule is as follows:
NAME SARule
DESCRIPTION A base class for IKERule and IPsecRule.
DERIVED FROM PolicyRule (see [PCIM])
ABSTRACT FALSE
PROPERTIES PolicyRuleName (from PolicyRule)
Enabled (from PolicyRule)
ConditionListType (from PolicyRule)
LimitNegotiation
4.2.1. The Property LimitNegotiation
Jason, et al Expires September 2001 [Page 14]
Internet Draft IPsec Configuration Policy Model March 2001
The property LimitNegotiation is used as part of processing either
an IKE or an IPsec rule.
Before proceeding with a phase 1 negotiation, this property is
checked to determine if the negotiation role of the rule matches
that defined for the negotiation being undertaken (e.g., Initiator,
Responder, or Both). If this check fails (e.g. the current role is
IKE responder while the rule specifies IKE initiator), then the IKE
negotiation is stopped. Note that this only applies to new IKE phase
1 negotiations and has no effect on either renegotiation or refresh
operations with peers for which an established SA already exists.
Before proceeding with a phase 2 negotiation, the LimitNegotiation
property of the IPsecRule is first checked to determine if the
negotiation role indicated for the rule matches that of the current
negotiation (Initiator, Responder, or Either). Note that this limit
applies only to new phase 2 negotiations. It is ignored when an
attempt is made to refresh an expiring SA (either side can initiate
a refresh operation). The IKE system can determine that the
negotiation is a refresh operation by checking to see if the
selector information matches that of an existing SA. If
LimitNegotiation does not match and the selector corresponds to a
new SA, the negotiation is stopped.
The property is defined as follows:
NAME LimitNegotiation
DESCRIPTION Limits the role to be undertaken during negotiation.
SYNTAX unsigned 16-bit integer
VALUE 1 “ initiator-only
2 “ responder-only
3 - both
4.3. The Class IKERule
The class IKERule associates Conditions and Actions for IKE phase 1
negotiations. The class definition for IKERule is as follows:
NAME IKERule
DESCRIPTION Associates Conditions and Actions for IKE phase 1
negotiations.
DERIVED FROM SARule
ABSTRACT FALSE
PROPERTIES same as SARule, plus
IdentityContexts
4.3.1. The Property IdentityContexts
The IKE service of a security endpoint may have multiple identities
for use in different situations. The combination of the interface
(represented by the IPProtocolEndpoint), the identity type (as
specified in the IKEAction) and the IdentityContexts specifies a
unique identity.
Jason, et al Expires September 2001 [Page 15]
Internet Draft IPsec Configuration Policy Model March 2001
The IdentityContexts property specifies the context to select the
relevant IKE identity to be used during the further IKEAction. A
context may be a VPN name or other identifier for selecting the
appropriate identity for use on the protected IPProtocolEndpoint.
IdentityContexts is an array of strings. The multiple values in the
array are ORed together in evaluating the IdentityContexts. Each
value in the array may be the composition of multiple context names.
So, a single value may be a single context name (e.g.,
"CompanyXVPN") or it may be combination of contexts. When an array
value is a composition, the individual values are ANDed together for
evaluation purposes and the syntax is:
<ContextName>[&&<ContextName>]*
where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). So, for example,
the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
"CompanyZVPN&&Confidential" means that, for the appropriate
IPProtocolEndpoint and IdentityType, the contexts are matched if the
identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
"CompanyZVPN&&Confidential".
The property is defined as follows:
NAME IdentityContexts
DESCRIPTION Specifies the context in which to select the IKE
identity.
SYNTAX string array
4.4. The Class IPsecRule
The class IPsecRule associates Conditions and Actions for IKE phase
2 negotiations for the IPsec DOI. The class definition for
IPsecRule is as follows:
NAME IKERule
DESCRIPTION Associates Conditions and Actions for IKE phase 2
negotiations for the IPsec DOI.
DERIVED FROM SARule
ABSTRACT FALSE
PROPERTIES same as SARule
4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup
The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec
policies to be combined into one effective policy. See [PCIM] for a
description of the how policies are merged (see also the property
GroupPriority). The class definition for
IPsecPolicyGroupInPolicyGroup is as follows:
NAME IPsecPolicyGroupInPolicyGroup
Jason, et al Expires September 2001 [Page 16]
Internet Draft IPsec Configuration Policy Model March 2001
DESCRIPTION Associates a nested IPsecPolicyGroup with the
IPsecPolicyGroup that contains it.
DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM])
ABSTRACT FALSE
PROPERTIES GroupComponent[ref IPsecPolicyGroup[0..n]]
PartComponent[ref IPsecPolicyGroup[0..n]]
GroupPriority
4.5.1. The Reference GroupComponent
The property GroupComponent is inherited from
PolicyGroupInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [0..n] cardinality indicates that a
given IPsecPolicyGroup instance may be a part of zero or more
containing IPsecPolicyGroup instances (i.e., there may be zero or
more GroupComponent references per PartComponent).
4.5.2. The Reference PartComponent
The property PartComponent is inherited from
PolicyGroupInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [0..n] cardinality indicates that a
given IPsecPolicyGroup instance may contain zero or more
IPsecPolicyGroup instances (i.e., there may be zero or more
PartComponent references per GroupComponent).
4.5.3. The Property GroupPriority
Since policy groups, IPsecPolicyGroup, can contain both rules and
other policy groups, the relative priorities of the rules of the
contained groups are established by setting the GroupPriority
property of IPsecPolicyGroupInPolicyGroup as a unique rule priority
in the containing group.
The rules of the nested group are inserted in order at that position
(i.e. indicated by GroupPriority) in the containing group's rules
The property is defined as follows:
NAME GroupPriority
DESCRIPTION Specifies the rule priority to be set to all nested
rules.
SYNTAX unsigned 16-bit integer
VALUE Any value between 1 and 2^16-1 inclusive. Lower values
have higher precedence (i.e., 1 is the highest
precedence). The merging order of two ContainedGroups
with the same precedence is undefined.
4.6. The Association Class IPsecPolicyForEndpoint
The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
a specific network interface. If an IPProtocolEndpoint of a system
does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
Jason, et al Expires September 2001 [Page 17]
Internet Draft IPsec Configuration Policy Model March 2001
then the IPsecPolicyForSystem associated IPsecPolicyGroup is used
for that endpoint. The class definition for IPsecPolicyForEndpoint
is as follows:
NAME IPsecPolicyForEndpoint
DESCRIPTION Associates a policy group to a network interface.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]]
Dependent[ref IPsecPolicyGroup[0..1]]
4.6.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to an IPProtocolEndpoint instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may be
associated with zero or more IPProtocolEndpoint instances.
4.6.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IPsecPolicyGroup instance. The [0..1]
cardinality indicates that an IPProtocolEndpoint instance may have
an association to at most one IPsecPolicyGroup instance.
4.7. The Association Class IPsecPolicyForSystem
The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a
specific system. If an IPProtocolEndpoint of a system does not have
an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
IPsecPolicyForSystem associated IPsecPolicyGroup is used for that
endpoint. The class definition for IPsecPolicyForSystem is as
follows:
NAME IPsecPolicyForSystem
DESCRIPTION Default policy group for a system.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent[ref System[0..n]]
Dependent[ref IPsecPolicyGroup[0..1]]
4.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [0..n] cardinality
indicates that an IPsecPolicyGroup instance may have an association
to zero or more System instances.
4.7.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IPsecPolicyGroup instance. The [0..1]
Jason, et al Expires September 2001 [Page 18]
Internet Draft IPsec Configuration Policy Model March 2001
cardinality indicates that a System instance may have an association
to at most one IPsecPolicyGroup instance.
4.8. The Aggregation Class RuleForIKENegotiation
The class RuleForIKENegotiation associates an IKERule with the
IPsecPolicyGroup that contains it. The class definition for
RuleForIKENegotiation is as follows:
NAME RuleForIKENegotiation
DESCRIPTION Associates an IKERule with the IPsecPolicyGroup that
contains it.
DERIVED FROM PolicyRuleInPolicyGroup (see [PCIM])
ABSTRACT FALSE
PROPERTIES GroupComponent [ref IPsecPolicyGroup [1..1]]
PartComponent [ref IKERule [0..n]]
4.8.1. The Reference GroupComponent
The property GroupComponent is inherited from
PolicyRuleInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [1..1] cardinality indicates that an
IKERule instance may be contained in one and only one
IPsecPolicyGroup instance (i.e., IKERules are not shared across
IPsecPolicyGroups).
4.8.2. The Reference PartComponent
The property PartComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IKERule instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may contain
zero or more IKERule instances.
4.9. The Aggregation Class RuleForIPsecNegotiation
The class RuleForIPsecNegotiation associates an IPsecRule with the
IPsecPolicyGroup that contains it. The class definition for
RuleForIPsecNegotiation is as follows:
NAME RuleForIPsecNegotiation
DESCRIPTION Associates an IPsecRule with the IPsecPolicyGroup that
contains it.
DERIVED FROM PolicyRuleInPolicyGroup (see [PCIM])
ABSTRACT FALSE
PROPERTIES GroupComponent [ref IPsecPolicyGroup [1..1]]
PartComponent [ref IPsecRule [0..n]]
4.9.1. The Reference GroupComponent
The property GroupComponent is inherited from
PolicyRuleInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [1..1] cardinality indicates that an
Jason, et al Expires September 2001 [Page 19]
Internet Draft IPsec Configuration Policy Model March 2001
IPsecRule instance may be contained in only one IPsecPolicyGroup
instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).
4.9.2. The Reference PartComponent
The property PartComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IPsecRule instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may contain
zero or more IPsecRules instance.
4.10. The Aggregation Class SAConditionInRule
The class SAConditionInRule associates an SARule with the
SACondition instance(s) that trigger(s) it. See [PCIM] for the
usage for the properties GroupNumber and ConditionNegated. The
class definition for SAConditionInRule is as follows:
NAME SAConditionInRule
DESCRIPTION Associates an SARule with the SACondition instance(s)
that trigger(s) it.
DERIVED FROM PolicyConditionInPolicyRule (see [PCIM])
ABSTRACT FALSE
PROPERTIES GroupComponent [ref SARule [0..n]]
PartComponent [ref SACondition [1..n]]
GroupNumber (from PolicyConditionInPolicyRule)
ConditionNegated (from PolicyConditionInPolicyRule)
4.10.1. The Reference GroupComponent
The property GroupComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SACondition
instance may be contained in zero or more SARule instances.
4.10.2. The Reference PartComponent
The property PartComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an
SACondition instance. The [1..n] cardinality indicates that an
SARule instance MUST contain at least one SACondition instance.
4.11. The Aggregation Class SAActionInRule
The SAActionInRule class associates an SARule with its primary
SAAction. The class definition for SAActionInRule is as follows:
NAME SAActionInRule
DESCRIPTION Associates an SARule with its SAAction(s).
DERIVED FROM PolicyActionInPolicyRule (see [PCIM])
ABSTRACT FALSE
PROPERTIES GroupComponent [ref SARule [0..n]]
PartComponent [ref SAAction [1..n]]
ActionOrder
Jason, et al Expires September 2001 [Page 20]
Internet Draft IPsec Configuration Policy Model March 2001
4.11.1. The Reference GroupComponent
The property GroupComponent is inherited from
PolicyActionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SAAction
instance may be contained in zero or more SARule instances.
4.11.2. The Reference PartComponent
The property PartComponent is inherited from
PolicyActionInPolicyRule and is overridden to refer to an SAAction
instance. The [1..n] cardinality indicates that an SARule instance
MUST contain at least one SAAction instance.
4.11.3. The Property ActionOrder
The property ActionOrder specifies the relative position of this
SAAction in the sequence of actions associated with a PolicyRule.
The ActionOrder MUST be unique so as to provide a deterministic
order. In addition, the actions in an SARule are executed as
follows.
For an initiator, if there is more than one action in the rule, the
additional actions are 'backup' actions in the event that the first
action is not able to be completed successfully. They are tried in
the ActionOrder until the list is exhausted or one completes
successfully. For example, an IKE initiator may have several
IKEActions for the same SACondition. The initiator will try all
IKEActions in the order defined by ActionOrder. I.e. it will
possibly try several phases 1 possibly with different modes (main
mode then aggressive mode) and/or with possibly multiple IKE peers.
For a responder, there can be more than one action in the rule, this
provides alternative actions depending on the received proposals.
For example, the same IKERule may be used to handle aggressive mode
and main mode negotiations with different actions. The first
appropriate action in the list of actions is used by the responder.
The property is defined as follows:
[Need an explanation of what the action order means as it replaces
the fallback association]
NAME ActionOrder
DESCRIPTION Specifies the order of actions.
SYNTAX unsigned 16-bit integer
VALUE Any value between 1 and 2^16-1 inclusive. Lower values
have higher precedence (i.e., 1 is the highest
precedence). The merging order of two SAActions with
the same precedence is undefined.
Jason, et al Expires September 2001 [Page 21]
Internet Draft IPsec Configuration Policy Model March 2001
5. Condition and Filter Classes
The IPsec condition and filter classes are used to build the "if"
part of the IKE and IPsec rules.
*+-------------+
+--------------------| SACondition |
| +-------------+
| * |
| |(a)
| 1 |
| +--------------+
| | FilterList |
| | (Appendix C) |
| +--------------+
| 1 o
|(b) |(c)
| * |
| +-----------------+
| | FilterEntryBase |
| | (Appendix C) |
| +-----------------+
| ^
| |
| +--------------+ | +-----------------------+
| | FilterEntry |----+----| CredentialFilterEntry |
| | (Appendix C) | | +-----------------------+
| +--------------+ |
| |
| +-----------------+ | +--------------------------+
| | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
| +-----------------+ +--------------------------+
|
| *+-----------------------------+
+------------| CredentialManagementService |
| (Appendix B) |
+-----------------------------+
(a) FilterOfSACondition
(b) AcceptCredentialsFrom
(c) EntriesInFilterList (see Appendix C)
5.1. The Class SACondition
The class SACondition defines the conditions of rules for IKE and
IPsec negotiations. Conditions are associated with policy rules via
the SAConditionInRule aggregation. It is used as an anchor point to
associate various types of filters with policy rules via the
FilterOfSACondition association. It also defines whether Credentials
can be accepted for a particular policy rule via the
AcceptCredentialsFrom association.
Jason, et al Expires September 2001 [Page 22]
Internet Draft IPsec Configuration Policy Model March 2001
Associated objects represent components of the condition that may or
may not apply at a given rule evaluation. For example, an
AcceptCredentialsFrom evaluation is only performed when a credential
is available to be evaluated against the list of trusted credential
management services. Similarly, a PeerIDPayloadFilterEntry may only
be evaluated when an IDPayload value is available to compared with
the filter. Condition components that do not have corresponding
values with which to evaluate are evaluated as TRUE unless the
protocol has completed without providing the required information.
The class definition for SACondition is as follows:
NAME SACondition
DESCRIPTION Defines the preconditions for IKE and IPsec
negotiations.
DERIVED FROM PolicyCondition (see [PCIM])
ABSTRACT FALSE
PROPERTIES PolicyConditionName (from PolicyCondition)
5.2. The Class FilterEntry
The class FilterEntry is defined in appendix C with the following
notes:
1) since actions in the IPsec Policy Model are not part of the
condition side of the rule, the Action property of each
FilterEntry is ignored and should be set to "FilterOnly".
2) to specify 5-tuple filters that are to apply symmetrically (i.e.,
matches traffic in both directions of the same flow between the
two peers), the Direction property of the FilterList should be
set to "Mirrored".
5.3. The Class CredentialFilterEntry
The class CredentialFilterEntry defines an equivalence class that
match credentials of IKE peers. Each CredentialFilterEntry includes
a MatchFieldName that is interpreted according to the
CredentialManagementService(s) associated with the SACondition
(AcceptCredentialsFrom).
These credentials can be X.509 certificates, Kerberos tickets, or
other types of credentials obtained during the Phase 1 exchange.
The class definition for CredentialFilterEntry is as follows:
NAME CredentialFilterEntry
DESCRIPTION Specifies a match filter based on the IKE credentials.
DERIVED FROM FilterEntryBase (see Appendix C)
ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase)
MatchFieldName
Jason, et al Expires September 2001 [Page 23]
Internet Draft IPsec Configuration Policy Model March 2001
MatchFieldValue
CredentialType
5.3.1. The Property MatchFieldName
The property MatchFieldName specifies the sub-part of the credential
to match against MatchFieldValue. The property is defined as
follows:
NAME MatchFieldName
DESCRIPTION Specifies which sub-part of the credential to match.
SYNTAX string
VALUE
5.3.2. The Property MatchFieldValue
The property MatchFieldValue specifies the value to compare with the
MatchFieldName in a credential to determine if the credential
matches this filter entry. The property is defined as follows:
NAME MatchFieldValue
DESCRIPTION Specifies the value to be matched by the
MatchFieldName.
SYNTAX string
VALUE NB: If the CredentialFilterEntry corresponds to a
DistinguishedName, this value in the CIM class is
represented by an ordinary string value. However, an
implementation must convert this string to a DER-
encoded string before matching against the values
extracted from credentials at runtime.
5.3.3. The Property CredentialType
The property CredentialType specifies the particular type of
credential that is being matched. The property is defined as
follows:
NAME CredentialType
DESCRIPTION Defines the type of IKE credentials.
SYNTAX unsigned 16-bit integer
VALUE 1 - X.509 Certificate
2 - Kerberos Ticket
5.4. The Class IPSOFilterEntry
The class IPSOFilterEntry is used to match traffic based on the IP
Security Options header values (ClassificationLevel and
ProtectionAuthority) as defined in RFC1108. This type of FilterEntry
is used to adjust the IPsec encryption level according to the IPSO
classification of the traffic (e.g., secret, confidential,
restricted, etc. The class definition for IPSOFilterEntry is as
follows:
Jason, et al Expires September 2001 [Page 24]
Internet Draft IPsec Configuration Policy Model March 2001
NAME IPSOFilterEntry
DESCRIPTION Specifies the a match filter based on IP Security
Options.
DERIVED FROM FilterEntryBase (see Appendix C)
ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase)
MatchConditionType
MatchConditionValue
5.4.1. The Property MatchConditionType
The property MatchConditionType specifies the IPSO header field that
will be matched (e.g., traffic classification level or protection
authority). The property is defined as follows:
NAME MatchConditionType
DESCRIPTION Specifies the IPSO header field to be matched.
SYNTAX unsigned 16-bit integer
VALUE 1 - ClassificationLevel
2 - ProtectionAuthority
5.4.2. The Property MatchConditionValue
The property MatchConditionValue specifies the value of the IPSO
header field to be matched against. The property is defined as
follows:
NAME MatchConditionValue
DESCRIPTION Specifies the value of the IPSO header field to be
matched against.
SYNTAX unsigned 16-bit integer
VALUE For ClassificationLevel, the values are:
61 - TopSecret
90 - Secret
150 - Confidential
171 - Unclassified
For ProtectionAuthority, the values are:
0 - GENSER
1 - SIOP-ESI
2 - SCI
3 - NSA
4 - DOE
5.5. The Class PeerIDPayloadFilterEntry
The class PeerIDPayloadFilterEntry defines filters used to match ID
payload values from the IKE protocol exchange.
PeerIDPayloadFilterEntry permits the specification of certain ID
payload values such as "*@company.com" or "193.190.125.0/24".
Obviously this filter applies only to IKERules when acting as a
responder. Moreover, this filter can be applied immediately in the
Jason, et al Expires September 2001 [Page 25]
Internet Draft IPsec Configuration Policy Model March 2001
case of aggressive mode but its application is to be delayed in the
case of main mode. The class definition for
PeerIDPayloadFilterEntry is as follows:
NAME PeerIDPayloadFilterEntry
DESCRIPTION Specifies a match filter based on IKE identity.
DERIVED FROM FilterEntryBase (see Appendix C)
ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase)
MatchIdentityType
MatchIdentityValue
5.5.1. The Property MatchIdentityType
The property MatchIdentityType specifies the type of identity
provided by the peer in the ID payload." The property is defined
as follows:
NAME MatchIdentityType
DESCRIPTION Specifies the ID payload type.
SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address
2 - FQDN
3 - User FQDN
4 - IPv4 Subnet
5 - IPv6 Address
6 - IPv6 Subnet
7 - IPv4 Address Range
8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID
5.5.2. The Property MatchIdentityValue
The property MatchIdentityValue specifies the filter value for
comparison with the ID payload, e.g., "*@company.com" The property
is defined as follows:
NAME MatchIdentityValue
DESCRIPTION Specifies the ID payload value.
SYNTAX string
VALUE NB: The syntax may need to be converted for comparison.
If the PeerIDPayloadFilterEntry type is a
DistinguishedName, the name in the MatchIdentityValue
property is represented by an ordinary string value,
but this value must be converted into a DER-encoded
string before matching against the values extracted
from IKE ID payloads at runtime. The same applies to
IPv4 & IPv6 addresses.
Wildcards can be used as well as the prefix notation
Jason, et al Expires September 2001 [Page 26]
Internet Draft IPsec Configuration Policy Model March 2001
for IPv4 addresses:
- a MatchIdentityValue of "*@company.com" will match an
ID payload of "JDOE@COMPANY.COM"
- a MatchIdentityValue of "193.190.125.0/24" will match
an ID payload of 193.190.125.10.
5.6. The Association Class FilterOfSACondition
The class FilterOfSACondition associates an SACondition with the
filter specifications (FilterList) that make up the condition. The
class definition for FilterOfSACondition is as follows:
NAME FilterOfSACondition
DESCRIPTION Associates a condition with the filter list that make
up the individual condition elements.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref FilterList[1..1]]
Dependent [ref SACondition[0..n]]
5.6.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a FilterList instance. The [1..1]
cardinality indicates that an SACondition instance MUST be
associated with one and only one FilterList instance.
5.6.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an SACondition instance. The [0..n]
cardinality indicates that a FilterList instance may be associated
with zero or more SAConditions instance.
5.7. The Association Class AcceptCredentialFrom
The class AcceptCredentialFrom specifies which credential management
services (e.g., a CertificateAuthority or a Kerberos service) are to
be trusted to certify peer credentials. This is used to validate
that the credential being matched in the CredentialFilterEntry is a
valid credential that has been supplied by an approved
CredentialManagementService. If a CredentialManagementService is
specified and a corresponding CredentialFilterEntry is used, but the
credential supplied by the peer is not certified by that
CredentialManagementService (or one of the
CredentialManagementServices in its trust hierarchy), the
CredentialFilterEntry is deemed not to match. If a credential is
certified by a CredentialManagementService in the
AcceptCredentialsFrom list of services but there is no
CredentialFilterEntry, this is considered equivalent to a
CredentialFilterEntry that matches all credentials from those
services.
Jason, et al Expires September 2001 [Page 27]
Internet Draft IPsec Configuration Policy Model March 2001
The class definition for AcceptCredentialFrom is as follows:
NAME AcceptCredentialFrom
DESCRIPTION Associates a condition with the credential management
services to be trusted.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref CredentialManagementService[0..n]]
Dependent [ref SACondition[0..n]]
5.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an SACondition instance may be
associated with zero or more CredentialManagementServices instance.
5.7.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an SACondition instance. The [0..n]
cardinality indicates that a CredentialManagementService instance
may be associated with zero or more SAConditions instance.
Jason, et al Expires September 2001 [Page 28]
Internet Draft IPsec Configuration Policy Model March 2001
6. Action Classes
The action classes are used to model the different actions an IPsec
device may take when the evaluation of the associated condition
results in a match.
+----------+
| SAAction |
+----------+
^
|
+-----------+--------------+
| |
*+----------------+ +---------------------+*
| SAStaticAction | | SANegotiationAction |o-----+
+----------------+ +---------------------+ |
^ ^ |
| | |
| +-----------+-------+ |
| | | |
+-------------------+ | +-------------+ +-----------+ |
| IPsecBypassAction |---+ | IPsecAction | | IKEAction | |
+-------------------+ | +-------------+ +-----------+ |
| ^ |
+--------------------+ | | +----------------------+ |
| IPsecDiscardAction |---+ +----| IPsecTransportAction | |
+--------------------+ | | +----------------------+ |
| | |
+-----------------+ | | +-------------------+ |
| IKERejectAction |---+ +----| IPsecTunnelAction | |
+-----------------+ | +-------------------+ |
| *| |
| +--------------+ |
| | |
+-----------------------+ | | +--------------+n |
| PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+
+-----------------------+ | +--------------+ (b)
^ |
| | *+-------------+
+---------------------+ +-------| PeerGateway |
| +-------------+
+-----------------------------+ | *w|
| PreconfiguredTransportAction|--+ |(c)
+-----------------------------+ | 1|
| +--------------+
+-----------------------------+ | | System |
| PreconfiguredTransportAction|--+ | (Appendix A) |
+-----------------------------+ +--------------+
*|
| 1..3+---------------+
+-------| [SATransform] |
(d) +---------------+
Jason, et al Expires September 2001 [Page 29]
Internet Draft IPsec Configuration Policy Model March 2001
(a) PeerGatewayForTunnel
(b) ContainedProposal
(c) HostedPeerGatewayInformation
(d) TransformOfPreconfiguredAction
6.1. The Class SAAction
The class SAAction serves as the base class for IKE and IPsec
actions. Although the class is concrete, it MUST not be
instantiated. It is used for aggregating different types of actions
to IKE and IPsec rules. The class definition for SAAction is as
follows:
NAME SAAction
DESCRIPTION The base class for IKE and IPsec actions.
DERIVED FROM PolicyAction (see [PCIM])
ABSTRACT FALSE
PROPERTIES PolicyActionName (from PolicyAction)
DoActionLogging
DoPacketLogging
6.1.1. The Property DoActionLogging
The property DoActionLogging specifies whether a log message is to
be generated when the action is performed (even if the action
fails). The property is defined as follows:
NAME DoActionLogging
DESCRIPTION Specifies the whether to log when the action is
performed.
SYNTAX boolean
VALUE true - a log message is to be generated when action is
performed.
false - no log message is to be generated when action
is performed.
6.1.2. The Property DoPacketLogging
The property DoPacketLogging specifies whether a log message is to
be generated when the resulting security association is used to
process the packet. If the action successfully executes and results
in the creation of one or several security associations, the value
of DoPacketLogging SHOULD be propagated to an optional field of
SADB. This optional field should be used to decide whether a log
message is to be generated when the SA is used to process a packet.
The property is defined as follows:
NAME DoPacketLogging
DESCRIPTION Specifies the whether to log when the resulting
security association is used to process the packet.
SYNTAX boolean
Jason, et al Expires September 2001 [Page 30]
Internet Draft IPsec Configuration Policy Model March 2001
VALUE true - a log message is to be generated when the
resulting security association is used to process the
packet.
false - no log message is to be generated.
6.2. The Class SAStaticAction
The class SAStaticAction serves as the base class for IKE and IPsec
actions that do not require any negotiation. Although the class is
concrete, it MUST not be instantiated. The class definition for
SAStaticAction is as follows:
NAME SAStaticAction
DESCRIPTION The base class for IKE and IPsec actions that do not
require any negotiation.
DERIVED FROM SAAction
ABSTRACT FALSE
PROPERTIES LifetimeSeconds
6.2.1. The Property LifetimeSeconds
The property LifetimeSeconds specifies how long the security
association derived from this action should be used. The property
is defined as follows:
NAME LifetimeSeconds
DESCRIPTION Specifies the amount of time (in seconds) that a
security association derived from this action should be
used.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is not a lifetime
associated with this action (i.e., infinite lifetime).
A non-zero value is typically used in conjunction with
alternate SAActions performed when there is a
negotiation failure of some sort.
6.3. The Class IPsecBypassAction
The class IPsecBypassAction is used when packets are allowed to be
processed without applying IPsec encapsulation to them. This is the
same as stating that packets are allowed to flow in the clear. The
class definition for IPsecBypassAction is as follows:
NAME IPsecBypassAction
DESCRIPTION Specifies that packets are to be allowed to pass in the
clear.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
6.4. The Class IPsecDiscardAction
Jason, et al Expires September 2001 [Page 31]
Internet Draft IPsec Configuration Policy Model March 2001
The class IPsecDiscardAction is used when packets are to be
discarded. This is the same as stating that packets are to be
denied. The class definition for IPsecDiscardAction is as follows:
NAME IPsecDiscardAction
DESCRIPTION Specifies that packets are to be discarded.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
6.5. The Class IKERejectAction
The class IKERejectAction is used to prevent attempting an IKE
negotiation with the peer(s). The main use of this class is to
prevent some denial of service attacks when acting as IKE responder.
It goes beyond a plain discard of UDP/500 IKE packets because the
SACondition can be based on specific PeerIDPayloadFilterEntry (when
aggressive mode is used). The class definition for IKERejectAction
is as follows:
NAME IKERejectAction
DESCRIPTION Specifies that an IKE negotiation should not even be
attempted or continued.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
6.6. The Class PreconfiguredSAAction
The class PreconfiguredSAAction is used to create a security
association using preconfigured, hard-wired algorithms and keys.
Notes:
- the SPI for a PreconfiguredSAAction is contained in the
association, TransformOfPreconfiguredAction;
- the session key (if applicable) is contained in an instance of the
class SharedSecret (see appendix B). The session key is stored in
the property secret, the property protocol contains either "ESP"
or "AH", the property algorithm contains the algorithm used to
protect the secret (can be "PLAINTEXT" if the IPsec entity has no
secret storage), the value of property RemoteID is the
concatenation of the remote IPsec peer IP address in dotted
decimal, of the character "/", and of the hexadecimal
representation of the SPI.
Although the class is concrete, it MUST not be instantiated. The
class definition for PreconfiguredSAAction is as follows:
NAME PreconfiguredSAAction
DESCRIPTION Specifies preconfigured algorithm and keying
information for creation of a security association.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
Jason, et al Expires September 2001 [Page 32]
Internet Draft IPsec Configuration Policy Model March 2001
PROPERTIES LifetimeKilobytes
6.6.1. The Property LifetimeKilobytes
The property LifetimeKilobytes specifies a traffic limit in
kilobytes that can be consumed before the SA is deleted.. The
property is defined as follows:
NAME LifetimeKilobytes
DESCRIPTION Specifies the SA lifetime in kilobytes.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is not a lifetime
associated with this action (i.e., infinite lifetime).
A non-zero value is used to indicate that after this
amount of kilobytes has been consumed the SA must be
deleted from the SADB.
6.7. The Class PreconfiguredTransportAction
The class PreconfiguredTransportAction is used to create an IPsec
transport-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for
PreconfiguredTransportAction is as follows:
NAME PreconfiguredTransportAction
DESCRIPTION Specifies preconfigured algorithm and keying
information for creation of an IPsec transport security
association.
DERIVED FROM PreconfiguredSAAction
ABSTRACT FALSE
6.8. The Class PreconfiguredTunnelAction
The class PreconfiguredTunnelAction is used to create an IPsec
tunnel-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for PreconfiguredSAAction
is as follows:
NAME PreconfiguredTunnelAction
DESCRIPTION Specifies preconfigured algorithm and keying
information for creation of an IPsec tunnel-mode
security association.
DERIVED FROM PreconfiguredSAAction
ABSTRACT FALSE
PROPERTIES PeerGatewayAddressType
PeerGatewayAddress
DFHandling
6.8.1. The Property PeerGatewayAddressType
The property PeerGatewayAddressType specifies the format of the
PeerGatewayAddress property. Addresses that can be formatted in
IPv4 format, must be formatted that way to ensure mixed IPv4/IPv6
Jason, et al Expires September 2001 [Page 33]
Internet Draft IPsec Configuration Policy Model March 2001
support. When the tunnel peer is not a security gateway, this
property value is set to 0. The property is defined as follows:
NAME PeerGatewayAddressType
DESCRIPTION Specifies the format of PeerGatewayAddress.
SYNTAX unsigned 16-bit integer
VALUE 0 - unknown
1 - IPv4
2 - IPv6
6.8.2. The Property PeerGatewayAddress
The property PeerGatewayAddress specifies the IP address of the
tunnel peer security gateway formatted according to the appropriate
convention as defined in the PeerGatewayAddressType property of this
class (e.g., 171.79.6.40). When the tunnel peer is not a security
gateway, this property value is set to NULL. The property is
defined as follows:
NAME PeerGatewayAddress
DESCRIPTION Specifies the IP address of the tunnel peer.
SYNTAX string
VALUE When the value is NULL, this is a special meaning: the
IP address of the actual remote IKE entity is the
destination IP address of the IP packet that triggered
the SARule. Else, the value is a string representation
of an IPv4 or IPv6 address.
6.8.3. The Property DFHandling
The property DFHandling specifies how the Don't Fragment bit of the
internal IP header is to be handled during IPsec processing. The
property is defined as follows:
NAME DFHandling
DESCRIPTION Specifies the processing of the DF bit.
SYNTAX unsigned 16-bit integer
VALUE 1 - Copy the DF bit from the internal IP header to the
external IP header.
2 - Set the DF bit of the external IP header to 1.
3 - Clear the DF bit of the external IP header to 0.
6.9. The Class SANegotiationAction
The class SANegotiationAction serves as the base class for IKE and
IPsec actions that result in a IKE negotiation. Although the class
is concrete, is MUST not be instantiated. The class definition for
SANegotiationAction is as follows:
NAME SANegotiationAction
DESCRIPTION A base class for IKE and IPsec actions that specifies
the parameters that are common for IKE phase 1 and IKE
phase 2 IPsec DOI negotiations.
Jason, et al Expires September 2001 [Page 34]
Internet Draft IPsec Configuration Policy Model March 2001
DERIVED FROM SAAction
ABSTRACT FALSE
PROPERTIES MinLifetimeSeconds
MinLifetimeKilobytes
RefreshThresholdSeconds
RefreshThresholdKilobytes
IdleDurationSeconds
6.9.1. The Property MinLifetimeSeconds
The property MinLifetimeSeconds specifies the minimum seconds
lifetime that will be accepted from the peer. MinLifetimeSeconds is
used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations
with correspondingly expensive Diffie-Hellman operations. The
property is defined as follows:
NAME MinLifetimeSeconds
DESCRIPTION Specifies the minimum acceptable seconds lifetime.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no minimum
value. A non-zero value specifies the minimum seconds
lifetime.
6.9.2. The Property MinLifetimeKilobytes
The property MinLifetimeKilobytes specifies the minimum kilobytes
lifetime that will be accepted from the peer. MinLifetimeKilobytes
is used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations
with correspondingly expensive Diffie-Hellman operations. Note that
there has been considerable debate regarding the usefulness of
applying kilobyte lifetimes to IKE phase 1 security associations, so
it is likely that this property will only apply to the sub-class
IPsecAction. The property is defined as follows:
NAME MinLifetimeKilobytes
DESCRIPTION Specifies the minimum acceptable kilobytes lifetime.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no minimum
value. A non-zero value specifies the minimum
kilobytes lifetime.
6.9.3. The Property RefreshThresholdSeconds
The property RefreshThresholdSeconds specifies what percentage of
the seconds lifetime can expire before IKE should attempt to
renegotiate the security association. A random value may be added
to the calculated threshold (percentage x seconds lifetime) to
reduce the chance of both peers attempting to renegotiate at the
same time. The property is defined as follows:
Jason, et al Expires September 2001 [Page 35]
Internet Draft IPsec Configuration Policy Model March 2001
NAME RefreshThresholdSeconds
DESCRIPTION Specifies the percentage of seconds lifetime that has
expired before the security association is
renegotiated.
SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the security association
should not be renegotiated until the seconds lifetime
has been reached.
6.9.4. The Property RefreshThresholdKilobytes
The property RefreshThresholdKilobytes specifies what percentage of
the kilobyte lifetime can expire before IKE should attempt to
renegotiate the IPsec security association. A random value may be
added to the calculated threshold (percentage x kilobyte lifetime)
to reduce the chance of both peers attempting to renegotiate at the
same time. Note, that as with the property MinLifetimeKilobytes,
this property is probably only relevant to IPsecAction sub-classes.
The property is defined as follows:
NAME RefreshThresholdKilobytes
DESCRIPTION Specifies the percentage of kilobyte lifetime that has
expired before the IPsec security association is
renegotiated.
SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IPsec security
association should not be renegotiated until the
kilobyte lifetime has been reached.
6.9.5. The Property IdleDurationSeconds
The property IdleDurationSeconds specifies how many seconds a
security association may remain idle (i.e., no traffic protected
using the security association) before it is deleted. The property
is defined as follows:
NAME IdleDurationSeconds
DESCRIPTION Specifies how long, in seconds, a security association
may remain unused before it is deleted.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that idle detection should
not be used for the security association (only the
seconds and kilobyte lifetimes will be used). Any non-
zero value indicates the number of seconds the security
association may remain unused.
6.10. The Class IPsecAction
The class IPsecAction serves as the base class for IPsec transport
and tunnel actions. It specifies the parameters used for an IKE
phase 2 IPsec DOI negotiation. Although the class is concrete, is
Jason, et al Expires September 2001 [Page 36]
Internet Draft IPsec Configuration Policy Model March 2001
MUST not be instantiated. The class definition for IPsecAction is
as follows:
NAME IPsecAction
DESCRIPTION A base class for IPsec transport and tunnel actions
that specifies the parameters for IKE phase 2 IPsec DOI
negotiations.
DERIVED FROM SANegotiationAction
ABSTRACT FALSE
PROPERTIES UsePFS
UseIKEGroup
GroupId
Granularity
VendorID
6.10.1. The Property UsePFS
The property UsePFS specifies whether or not perfect forward secrecy
should be used when refreshing keys. The property is defined as
follows:
NAME UsePFS
DESCRIPTION Specifies the whether or not to use PFS when refreshing
keys.
SYNTAX boolean
VALUE A value of true indicates that PFS should be used. A
value of false indicates that PFS should not be used.
6.10.2. The Property UseIKEGroup
The property UseIKEGroup specifies whether or not phase 2 should use
the same key exchange group as was used in phase 1. UseIKEGroup is
ignored if UsePFS is false. The property is defined as follows:
NAME UseIKEGroup
DESCRIPTION Specifies whether or not to use the same GroupId for
phase 2 as was used in phase 1. If UsePFS is false,
then UseIKEGroup is ignored.
SYNTAX boolean
VALUE A value of true indicates that the phase 2 GroupId
should be the same as phase 1. A value of false
indicates that the property GroupId will contain the
key exchange group to use for phase 2.
6.10.3. The Property GroupId
The property GroupId specifies the key exchange group to use for
phase 2. GroupId is ignored if (1) the property UsePFS is false, or
(2) the property UsePFS is true and the property UseIKEGroup is
true. If the GroupID number is from the vendor-specific range
(32768-65535), the property VendorID qualifies the group number.
The property is defined as follows:
Jason, et al Expires September 2001 [Page 37]
Internet Draft IPsec Configuration Policy Model March 2001
NAME GroupId
DESCRIPTION Specifies the key exchange group to use for phase 2
when the property UsePFS is true and the property
UseIKEGroup is false.
SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values.
6.10.4. The Property Granularity
The property Granularity specifies how the selector for the security
association should be derived from the traffic that triggered the
negotiation. The property is defined as follows:
NAME Granularity
DESCRIPTION Specifies the how the proposed selector for the
security association will be created.
SYNTAX unsigned 16-bit integer
VALUE 1 - subnet: the source and destination subnet masks of
the FilterEntry are used.
2 - address: only the source and destination IP
addresses of the triggering packet are used.
3 - protocol: the source and destination IP addresses
and the IP protocol of the triggering packet are used.
4 - port: the source and destination IP addresses and
the IP protocol and the source and destination layer 4
ports of the triggering packet are used.
6.10.5. The Property VendorID
The property VendorID is used together with the property GroupID
(when it is in the vendor-specific range) to identify the key
exchange group. VendorID is ignored unless UsePFS is true and
UseIKEGroup is false and GroupID is in the vendor-specific range
(32768-65535). The property is defined as follows:
NAME VendorID
DESCRIPTION Specifies the IKE Vendor ID.
SYNTAX string
6.11. The Class IPsecTransportAction
The class IPsecTransportAction is a subclass of IPsecAction that is
used to specify use of an IPsec transport-mode security association.
The class definition for IPsecTransportAction is as follows:
NAME IPsecTransportAction
DESCRIPTION Specifies that an IPsec transport-mode security
association should be negotiated.
DERIVED FROM IPsecAction
ABSTRACT FALSE
6.12. The Class IPsecTunnelAction
Jason, et al Expires September 2001 [Page 38]
Internet Draft IPsec Configuration Policy Model March 2001
The class IPsecTunnelAction is a subclass of IPsecAction that is
used to specify use of an IPsec tunnel-mode security association.
The class definition for IPsecTunnelAction is as follows:
NAME IPsecTunnelAction
DESCRIPTION Specifies that an IPsec tunnel-mode security
association should be negotiated.
DERIVED FROM IPsecAction
ABSTRACT FALSE
PROPERTIES DFHandling
6.12.1. The Property DFHandling
The property DFHandling specifies how the tunnel should manage the
Don't Fragment (DF) bit. The property is defined as follows:
NAME DFHandling
DESCRIPTION Specifies how to process the DF bit.
SYNTAX unsigned 16-bit integer
VALUE 1 - Copy the DF bit from the internal IP header to the
external IP header.
2 - Set the DF bit of the external IP header to 1.
3 - Clear the DF bit of the external IP header to 0.
6.13. The Class IKEAction
The class IKEAction specifies the parameters that are to be used for
IKE phase 1 negotiation. The class definition for IKEAction is as
follows:
NAME IKEAction
DESCRIPTION Specifies the IKE phase 1 negotiation parameters.
DERIVED FROM SANegotiationAction
ABSTRACT FALSE
PROPERTIES RefreshThresholdDerivedKeys
ExchangeMode
UseIKEIdentityType
VendorID
AggressiveModeGroupId
6.13.1. The Property RefreshThresholdDerivedKeys
The property RefreshThresholdDerivedKeys specifies what percentage
of the derived key limit (see the LifetimeDerivedKeys property of
IKEProposal) can expire before IKE should attempt to renegotiate the
IKE phase 1 security association. A random value may be added to
the calculated threshold (percentage x derived key limit) to reduce
the chance of both peers attempting to renegotiate at the same time.
The property is defined as follows:
NAME RefreshThresholdKilobytes
Jason, et al Expires September 2001 [Page 39]
Internet Draft IPsec Configuration Policy Model March 2001
DESCRIPTION Specifies the percentage of derived key limit that has
expired before the IKE phase 1 security association is
renegotiated.
SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IKE phase 1 security
association should not be renegotiated until the
derived key limit has been reached.
6.13.2. The Property ExchangeMode
The property ExchangeMode specifies which IKE mode should be used
for IKE phase 1 negotiations. The property is defined as follows:
NAME ExchangeMode
DESCRIPTION Specifies the IKE negotiation mode for phase 1.
SYNTAX unsigned 16-bit integer
VALUE 1 - base mode
2 - main mode
4 - aggressive mode
6.13.3. The Property UseIKEIdentityType
The property UseIKEIdentityType specifies what IKE identity type
should be used when negotiating with the peer. This information is
used in conjunction with the IKE identities available on the system
and the IdentityContexts of the matching IKERule. The property is
defined as follows:
NAME UseIKEIdentityType
DESCRIPTION Specifies the IKE identity to use during negotiation.
SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address
2 - FQDN
3 - User FQDN
4 - IPv4 Subnet
5 - IPv6 Address
6 - IPv6 Subnet
7 - IPv4 Address Range
8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID
6.13.4. The Property VendorID
The property VendorID specifies the value to be used in the Vendor
ID payload. The property is defined as follows:
NAME VendorID
DESCRIPTION Vendor ID Payload.
SYNTAX string
Jason, et al Expires September 2001 [Page 40]
Internet Draft IPsec Configuration Policy Model March 2001
VALUE A value of NULL means that Vendor ID payload will be
neither generated nor accepted. A non-NULL value means
that a Vendor ID payload will be generated (when acting
as an initiator) or is expected (when acting as a
responder).
6.13.5. The Property AggressiveModeGroupId
The property AggressiveModeGroupId specifies which group ID is to be
used in the first packets of the phase 1 negotiation. This property
is ignored unless the property ExchangeMode is set to 4 (aggressive
mode). If the AggressiveModeGroupID number is from the vendor-
specific range (32768-65535), the property VendorID qualifies the
group number. The property is defined as follows:
NAME AggressiveModeGroupId
DESCRIPTION Specifies the group ID to be used for aggressive mode.
SYNTAX unsigned 16-bit integer
6.14. The Class PeerGateway
The class PeerGateway specifies the security gateway with which the
IKE services negotiates. The class definition for PeerGateway is as
follows:
NAME PeerGateway
DESCRIPTION Specifies the security gateway with which to negotiate.
DERIVED FROM LogicalElement (see Appendix A)
ABSTRACT FALSE
PROPERTIES Name
PeerIdentityType
PeerIdentity
6.14.1. The Property Name
The property Name specifies a user-friendly name for this security
gateway. The property is defined as follows:
NAME Name
DESCRIPTION Specifies a user-friendly name for this security
gateway.
SYNTAX string
6.14.2. The Property PeerIdentityType
The property PeerIdentityType specifies the IKE identity type of the
security gateway. The property is defined as follows:
NAME PeerIdentityType
DESCRIPTION Specifies the IKE identity type of the security
gateway.
SYNTAX unsigned 16-bit integer
Jason, et al Expires September 2001 [Page 41]
Internet Draft IPsec Configuration Policy Model March 2001
VALUE 1 - IPv4 Address
2 - FQDN
3 - User FQDN
4 - IPv4 Subnet
5 - IPv6 Address
6 - IPv6 Subnet
7 - IPv4 Address Range
8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID
6.14.3. The Property PeerIdentity
The property PeerIdentity specifies the IKE identity value of the
security gateway. A conversion may be needed between the
PeerIdentity string representation and the real value used in the ID
payload (e.g. IP address is to be converted from a dotted decimal
string into 4 bytes). The property is defined as follows:
NAME PeerIdentity
DESCRIPTION Specifies the IKE identity value of the security
gateway.
SYNTAX string
6.15. The Association Class PeerGatewayForTunnel
The class PeerGatewayForTunnel associates IPsecTunnelActions with an
ordered list of PeerGateways. The class definition for
PeerGatewayForTunnel is as follows:
NAME PeerGatewayForTunnel
DESCRIPTION Associates IPsecTunnelActions with an ordered list of
PeerGateways.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerGateway[0..n]]
Dependent [ref IPsecTunnelAction[0..n]]
SequenceNumber
6.15.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that there an IPsecTunnelAction instance may
be associated with zero or more PeerGateway instances.
Note: when there is no PeerGateway associated to an
IPsecTunnelAction, this means that the IKE service acts as a
responder and will accept phase 1 negotiation with any other
security gateway.
Jason, et al Expires September 2001 [Page 42]
Internet Draft IPsec Configuration Policy Model March 2001
6.15.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IPsecTunnelAction instance. The [0..n]
cardinality indicates that a PeerGateway instance may be associated
with zero or more IPsecTunnelAction instances.
6.15.3. The Property SequenceNumber
The property SequenceNumber specifies the ordering to be used when
evaluating PeerGateway instances for a given IPsecTunnelAction. .
The property is defined as follows:
NAME SequenceNumber
DESCRIPTION Specifies the order of evaluation for PeerGateways.
SYNTAX unsigned 16-bit integer
VALUE Lower values are evaluated first.
6.16. The Aggregation Class ContainedProposal
The class ContainedProposal associates an ordered list of
SAProposals with the SANegotiationAction that aggregates it. If the
referenced SANegotiationAction object is an IKEAction, then the
referenced SAProposal object(s) must be IKEProposal(s). If the
referenced SANegotiationAction object is an IPsecTransportAction or
an IPsecTunnelAction, then the referenced SAProposal object(s) must
be IPsecProposal(s). The class definition for ContainedProposal is
as follows:
NAME ContainedProposal
DESCRIPTION Associates an ordered list of SAProposals with an
SANegotiationAction.
DERIVED FROM PolicyComponent (see [PCIM])
ABSTRACT FALSE
PROPERTIES GroupComponent[ref SANegotiationAction[0..n]]
PartComponent[ref SAProposal[1..n]]
SequenceNumber
6.16.1. The Reference GroupComponent
The property GroupComponent is inherited from PolicyComponent and is
overridden to refer to an SANegotiationAction instance. The [0..n]
cardinality indicates that an SAProposal instance may be associated
with zero or more SANegotiationAction instances.
Note: the cardinality 0 has a specific meaning:
- when the IKE service acts as a responder, this means that the
IKE service will accept phase 1 negotiation with any other
security gateway;
- when the IKE service acts as an initiator, this means that
the IKE service will use the destination IP address (of the
Jason, et al Expires September 2001 [Page 43]
Internet Draft IPsec Configuration Policy Model March 2001
IP packets which triggered the SARule) as the IP address of
the peer IKE entity.
6.16.2. The Reference PartComponent
The property PartComponent is inherited from PolicyComponent and is
overridden to refer to an SAProposal instance. The [1..n]
cardinality indicates that an SANegotiationAction instance MUST be
associated with at least one SAProposal instance.
6.16.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for
the SAProposals. The property is defined as follows:
NAME SequenceNumber
DESCRIPTION Specifies the preference order for the SAProposals.
SYNTAX unsigned 16-bit integer
VALUE Lower-valued proposals are preferred over proposals
with higher values. For ContainedProposals that
reference the same SANegotiationAction, SequenceNumber
values must be unique.
6.17. The Association Class HostedPeerGatewayInformation
The class HostedPeerGatewayInformation weakly associates a
PeerGateway with a System. The class definition for
HostedPeerGatewayInformation is as follows:
NAME HostedPeerGatewayInformation
DESCRIPTION Weakly associates a PeerGateway with a System.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref System[1..1]]
Dependent [ref PeerGateway[0..n] [weak]]
6.17.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerGateway instance MUST be associated with one
and only one System instance.
6.17.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that a System instance may be associated with
zero or more PeerGateway instances.
6.18. The Association Class TransformOfPreconfiguredAction
Jason, et al Expires September 2001 [Page 44]
Internet Draft IPsec Configuration Policy Model March 2001
The class TransformOfPreconfiguredAction associates a
PreconfiguredSAAction with from one to three SATransforms that will
be applied to the traffic. The order of application of the
SATransforms is implicitly defined in [IPSEC]. The class definition
for TransformOfPreconfiguredAction is as follows:
NAME TransformOfPreconfiguredAction
DESCRIPTION Associates a PreconfiguredSAAction with from one to
three SATransforms.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent[ref SATransform[1..3]]
Dependent[ref PreconfiguredSAAction[0..n]]
SPI
6.18.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to an SATransform instance. The [1..3]
cardinality indicates that an SANegotiationAction instance may be
associated with from one to three SATransform instances.
6.18.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to a PreconfiguredSAAction instance. The [0..n]
cardinality indicates that an SATransform instance may be associated
with zero or more PreconfiguredSAAction instances.
6.18.3. The Property SPI
The property SPI specifies the SPI to be used by the pre-configured
action for the associated transform. The property is defined as
follows:
NAME SPI
DESCRIPTION Specifies the SPI to be used with the SATransform.
SYNTAX unsigned 32-bit integer
Jason, et al Expires September 2001 [Page 45]
Internet Draft IPsec Configuration Policy Model March 2001
7. Proposal and Transform Classes
The proposal and transform classes model the proposal settings an
IPsec device will use during IKE phase 1 and 2 negotiations.
+--------------+*w 1+--------------+
| [SAProposal] |--------| System |
+--------------+ (a) | (Appendix A) |
^ +--------------+
| |1
+----------------------+ |
| | |
+-------------+ +---------------+ |
| IKEProposal | | IPsecProposal | |
+-------------+ +---------------+ |
*o |
|(b) |(c)
n| |
+---------------+*w |
| [SATransform] |----+
+---------------+
^
|
+--------------------+-----------+---------+
| | |
+-------------+ +--------------+ +----------------+
| AHTransform | | ESPTransform | |IPCOMPTransform |
+-------------+ +--------------+ +----------------+
(a) SAProposalInSystem
(b) ContainedTransform
(c) SATransformInSystem
7.1. The Abstract Class SAProposal
The abstract class SAProposal serves as the base class for the IKE
and IPsec proposal classes. It specifies the parameters that are
common to the two proposal types. The class definition for
SAProposal is as follows:
NAME SAProposal
DESCRIPTION Specifies the common proposal parameters for IKE and
IPsec security association negotiation.
DERIVED FROM Policy ([PCIM])
ABSTRACT TRUE
PROPERTIES Name
7.1.1. The Property Name
The property Name specifies a user-friendly name for the SAProposal.
The property is defined as follows:
NAME Name
Jason, et al Expires September 2001 [Page 46]
Internet Draft IPsec Configuration Policy Model March 2001
DESCRIPTION Specifies a user-friendly name for this proposal.
SYNTAX string
7.2. The Class IKEProposal
The class IKEProposal specifies the proposal parameters necessary to
drive an IKE security association negotiation. The class definition
for IKEProposal is as follows:
NAME IKEProposal
DESCRIPTION Specifies the proposal parameters for IKE security
association negotiation.
DERIVED FROM SAProposal
ABSTRACT FALSE
PROPERTIES LifetimeDerivedKeys
CipherAlgorithm
HashAlgorithm
PRFAlgorithm
GroupId
AuthenticationMethod
MaxLifetimeSeconds
MaxLifetimeKilobytes
VendorID
7.2.1. The Property LifetimeDerivedKeys
The property LifetimeDerivedKeys specifies the number of times that
a phase 1 key will be used to derive a phase 2 key before the phase
1 security association needs renegotiated. Even though this is not
a parameter that is sent in an IKE proposal, it is included in the
proposal as the number of keys derived may be a result of the
strength of the algorithms in the IKE proposal. The property is
defined as follows:
NAME LifetimeDerivedKeys
DESCRIPTION Specifies the number of phase 2 keys that can be
derived from the phase 1 key.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no limit to the
number of phase 2 keys that may be derived from the
phase 1 key; instead the seconds and/or kilobytes
lifetime will dictate the phase 1 rekeying. A non-zero
value specifies the number of phase 2 keys that can be
derived from the phase 1 key.
7.2.2. The Property CipherAlgorithm
The property CipherAlgorithm specifies the proposed phase 1 security
association encryption algorithm. The property is defined as
follows:
NAME CipherAlgorithm
Jason, et al Expires September 2001 [Page 47]
Internet Draft IPsec Configuration Policy Model March 2001
DESCRIPTION Specifies the proposed encryption algorithm for the
phase 1 security association.
SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values.
7.2.3. The Property HashAlgorithm
The property HashAlgorithm specifies the proposed phase 1 security
association hash algorithm. The property is defined as follows:
NAME HashAlgorithm
DESCRIPTION Specifies the proposed hash algorithm for the phase 1
security association.
SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values.
7.2.4. The Property PRFAlgorithm
The property PRFAlgorithm specifies the proposed phase 1 security
association pseudo-random function. The property is defined as
follows:
NAME PRFAlgorithm
DESCRIPTION Specifies the proposed pseudo-random function for the
phase 1 security association.
SYNTAX unsigned 16-bit integer
VALUE Currently none defined.
7.2.5. The Property GroupId
The property GroupId specifies the proposed phase 1 security
association key exchange group. This property is ignored for all
aggressive mode exchanges. If the GroupID number is from the
vendor-specific range (32768-65535), the property VendorID qualifies
the group number. The property is defined as follows:
NAME GroupId
DESCRIPTION Specifies the proposed key exchange group for the phase
1 security association.
SYNTAX unsigned 16-bit integer
VALUE 0 - Not applicable: used for aggressive mode. Consult
[IKE] for other valid values.
7.2.6. The Property AuthenticationMethod
The property AuthenticationMethod specifies the proposed phase 1
authentication method. The property is defined as follows:
NAME AuthenticationMethod
DESCRIPTION Specifies the proposed authentication method for the
phase 1 security association.
SYNTAX unsigned 16-bit integer
Jason, et al Expires September 2001 [Page 48]
Internet Draft IPsec Configuration Policy Model March 2001
VALUE 0 - a special value that indicates that this particular
proposal should be repeated once for each
authentication method that corresponds to the
credentials installed on the machine. For example, if
the system has a pre-shared key and a certificate, a
proposal list could be constructed which includes a
proposal that specifies pre-shared key and proposals
for any of the public-key authentication methods.
Consult [IKE] for valid values.
7.2.7. The Property MaxLifetimeSeconds
The property MaxLifetimeSeconds specifies the maximum amount of
time, in seconds, to propose that a security association will remain
valid after its creation. The property is defined as follows:
NAME MaxLifetimeSeconds
DESCRIPTION Specifies the maximum amount of time to propose a
security association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that the default of 8 hours
be used. A non-zero value indicates the maximum
seconds lifetime.
7.2.8. The Property MaxLifetimeKilobytes
The property MaxLifetimeKilobytes specifies the maximum kilobyte
lifetime to propose that a security association will remain valid
after its creation. The property is defined as follows:
NAME MaxLifetimeKilobytes
DESCRIPTION Specifies the maximum kilobyte lifetime to propose a
security association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there should be no
maximum kilobyte lifetime. A non-zero value specifies
the desired kilobyte lifetime.
7.2.9. The Property VendorID
The property VendorID further qualifies the key exchange group. The
property is ignored unless the exchange is not in aggressive mode
and the property GroupID is in the vendor-specific range. The
property is defined as follows:
NAME VendorID
DESCRIPTION Specifies the Vendor ID to further qualify the key
exchange group.
SYNTAX string
7.3. The Class IPsecProposal
Jason, et al Expires September 2001 [Page 49]
Internet Draft IPsec Configuration Policy Model March 2001
The class IPsecProposal adds no new properties, but inherits
proposal properties from SAProposal as well as aggregating the
security association transforms necessary for building an IPsec
proposal (see the aggregation class ContainedTransform). The class
definition for IPsecProposal is as follows:
NAME IPsecProposal
DESCRIPTION Specifies the proposal parameters for IPsec security
association negotiation.
DERIVED FROM SAProposal
ABSTRACT FALSE
7.4. The Abstract Class SATransform
The abstract class SATransform serves as the base class for the
IPsec transforms that can be used to compose an IPsec proposal or to
be used as a pre-configured action. The class definition for
SATransform is as follows:
NAME SATransform
DESCRIPTION Base class for the different IPsec transforms.
ABSTRACT TRUE
PROPERTIES TransformName
VendorID
MaxLifetimeSeconds
MaxLifetimeKilobytes
7.4.1. The Property TransformName
The property TransformName specifies a user-friendly name for the
SATransform. The property is defined as follows:
NAME TransformName
DESCRIPTION Specifies a user-friendly name for this transform.
SYNTAX string
7.4.2. The Property VendorID
The property VendorID specifies the vendor ID for vendor-defined
transforms. The property is defined as follows:
NAME VendorID
DESCRIPTION Specifies the vendor ID for vendor-defined transforms.
SYNTAX string
VALUE An empty VendorID string indicates that the transform
is a standard one.
7.4.3. The Property MaxLifetimeSeconds
The property MaxLifetimeSeconds specifies the maximum amount of
time, in seconds, to propose that a security association will remain
valid after its creation. The property is defined as follows:
Jason, et al Expires September 2001 [Page 50]
Internet Draft IPsec Configuration Policy Model March 2001
NAME MaxLifetimeSeconds
DESCRIPTION Specifies the maximum amount of time to propose a
security association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that the default of 8 hours
be used. A non-zero value indicates the maximum
seconds lifetime.
7.4.4. The Property MaxLifetimeKilobytes
The property MaxLifetimeKilobytes specifies the maximum kilobyte
lifetime to propose that a security association will remain valid
after its creation. The property is defined as follows:
NAME MaxLifetimeKilobytes
DESCRIPTION Specifies the maximum kilobyte lifetime to propose a
security association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there should be no
maximum kilobyte lifetime. A non-zero value specifies
the desired kilobyte lifetime.
7.5. The Class AHTransform
The class AHTransform specifies the AH algorithm to propose during
IPsec security association negotiation. The class definition for
AHTransform is as follows:
NAME AHTransform
DESCRIPTION Specifies the AH algorithm to propose.
ABSTRACT FALSE
PROPERTIES AHTransformId
UseReplayPrevention
ReplayPreventionWindowSize
7.5.1. The Property AHTransformId
The property AHTransformId specifies the transform ID of the AH
algorithm to propose. The property is defined as follows:
NAME AHTransformId
DESCRIPTION Specifies the transform ID of the AH algorithm.
SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values.
7.5.2. The Property UseReplayPrevention
The property UseReplayPrevention specifies whether replay prevention
detection is to be used. The property is defined as follows:
NAME UseReplayPrevention
DESCRIPTION Specifies whether to enable replay prevention
detection.
Jason, et al Expires September 2001 [Page 51]
Internet Draft IPsec Configuration Policy Model March 2001
SYNTAX boolean
VALUE true - replay prevention detection is enabled.
false - replay prevention detection is disabled.
7.5.3. The Property ReplayPreventionWindowSize
The property ReplayPreventionWindowSize specifies, in bits, the
length of the sliding window used by the replay prevention detection
mechanism. The value of this property is meaningless if
UseReplayPrevention is false. It is assumed that the window size
will be power of 2. The property is defined as follows:
NAME ReplayPreventionWindowSize
DESCRIPTION Specifies the length of the window used by replay
prevention detection mechanism.
SYNTAX unsigned 32-bit integer
7.6. The Class ESPTransform
The class ESPTransform specifies the ESP algorithms to propose
during IPsec security association negotiation. The class definition
for ESPTransform is as follows:
NAME ESPTransform
DESCRIPTION Specifies the ESP algorithms to propose.
ABSTRACT FALSE
PROPERTIES IntegrityTransformId
CipherTransformId
CipherKeyLength
CipherKeyRounds
UseReplayPrevention
ReplayPreventionWindowSize
7.6.1. The Property IntegrityTransformId
The property IntegrityTransformId specifies the transform ID of the
ESP integrity algorithm to propose. The property is defined as
follows:
NAME IntegrityTransformId
DESCRIPTION Specifies the transform ID of the ESP integrity
algorithm.
SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values.
7.6.2. The Property CipherTransformId
The property CipherTransformId specifies the transform ID of the ESP
encryption algorithm to propose. The property is defined as
follows:
NAME CipherTransformId
Jason, et al Expires September 2001 [Page 52]
Internet Draft IPsec Configuration Policy Model March 2001
DESCRIPTION Specifies the transform ID of the ESP encryption
algorithm.
SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values.
7.6.3. The Property CipherKeyLength
The property CipherKeyLength specifies, in bits, the key length for
the ESP encryption algorithm. For encryption algorithms that use
fixed-length keys, this value is ignored. The property is defined
as follows:
NAME CipherKeyLength
DESCRIPTION Specifies the ESP encryption key length in bits.
SYNTAX unsigned 16-bit integer
7.6.4. The Property CipherKeyRounds
The property CipherKeyRounds specifies the number of key rounds for
the ESP encryption algorithm. For encryption algorithms that use
fixed number of key rounds, this value is ignored. The property is
defined as follows:
NAME CipherKeyRounds
DESCRIPTION Specifies the number of key rounds for the ESP
encryption algorithm.
SYNTAX unsigned 16-bit integer
VALUE Currently, key rounds are not defined for any ESP
encryption algorithms.
7.6.5. The Property UseReplayPrevention
The property UseReplayPrevention specifies whether replay prevention
detection is to be used. The property is defined as follows:
NAME UseReplayPrevention
DESCRIPTION Specifies whether to enable replay prevention
detection.
SYNTAX boolean
VALUE true - replay prevention detection is enabled.
false - replay prevention detection is disabled.
7.6.6. The Property ReplayPreventionWindowSize
The property ReplayPreventionWindowSize specifies, in bits, the
length of the sliding window used by the replay prevention detection
mechanism. The value of this property is meaningless if
UseReplayPrevention is false. It is assumed that the window size
will be power of 2. The property is defined as follows:
NAME ReplayPreventionWindowSize
DESCRIPTION Specifies the length of the window used by replay
prevention detection mechanism.
Jason, et al Expires September 2001 [Page 53]
Internet Draft IPsec Configuration Policy Model March 2001
SYNTAX unsigned 32-bit integer
7.7. The Class IPCOMPTransform
The class IPCOMPTransform specifies the IP compression (IPCOMP)
algorithm to propose during IPsec security association negotiation.
The class definition for IPCOMPTransform is as follows:
NAME IPCOMPTransform
DESCRIPTION Specifies the IPCOMP algorithm to propose.
ABSTRACT FALSE
PROPERTIES Algorithm
DictionarySize
PrivateAlgorithm
7.7.1. The Property Algorithm
The property Algorithm specifies the transform ID of the IPCOMP
compression algorithm to propose. The property is defined as
follows:
NAME Algorithm
DESCRIPTION Specifies the transform ID of the IPCOMP compression
algorithm.
SYNTAX unsigned 16-bit integer
VALUE 1 - OUI: a vendor specific algorithm is used and
specified in the property PrivateAlgorithm. Consult
[DOI] for other valid values.
7.7.2. The Property DictionarySize
The property DictionarySize specifies the log2 maximum size of the
dictionary for the compression algorithm. For compression
algorithms that have pre-defined dictionary sizes, this value is
ignored. The property is defined as follows:
NAME DictionarySize
DESCRIPTION Specifies the log2 maximum size of the dictionary.
SYNTAX unsigned 16-bit integer
7.7.3. The Property PrivateAlgorithm
The property PrivateAlgorithm specifies a private vendor-specific
compression algorithm. This value is only used when the property
Algorithm is 1 (OUI). The property is defined as follows:
NAME PrivateAlgorithm
DESCRIPTION Specifies a private vendor-specific compression
algorithm.
SYNTAX unsigned 32-bit integer
7.8. The Association Class SAProposalInSystem
Jason, et al Expires September 2001 [Page 54]
Internet Draft IPsec Configuration Policy Model March 2001
The class SAProposalInSystem weakly associates SAProposals with a
System. The class definition for SAProposalInSystem is as follows:
NAME SAProposalInSystem
DESCRIPTION Weakly associates SAProposals with a System.
DERIVED FROM PolicyInSystem (see [PCIM])
ABSTRACT FALSE
PROPERTIES Antecedent[ref System [1..1]]
Dependent[ref SAProposal[0..n] [weak]]
7.8.1. The Reference Antecedent
The property Antecedent is inherited from PolicyInSystem and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that an SAProposal instance MUST be associated with one
and only one System instance.
7.8.2. The Reference Dependent
The property Dependent is inherited from PolicyInSystem and is
overridden to refer to an SAProposal instance. The [0..n]
cardinality indicates that a System instance may be associated with
zero or more SAProposal instances.
7.9. The Aggregation Class ContainedTransform
The class ContainedTransform associates an IPsecProposal with the
set of SATransforms that make up the proposal. If multiple
transforms of the same type are in a proposal, then they are to be
logically ORed and the order of preference is dictated by the
SequenceNumber property. Sets of transforms of different types are
logically ANDed. For example, if the ordered proposal list were
ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
AH = { MD5, SHA-1 }
then the one sending the proposal would want the other side to pick
one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND
one from the AH transform list (preferably MD5).
The class definition for ContainedProposal is as follows:
NAME ContainedTransform
DESCRIPTION Associates an IPsecProposal with the set of
SATransforms that make up the proposal.
DERIVED FROM PolicyComponent (see [PCIM])
ABSTRACT FALSE
PROPERTIES GroupComponent[ref IPsecProposal[0..n]]
PartComponent[ref SATransform[1..n]]
SequenceNumber
7.9.1. The Reference GroupComponent
Jason, et al Expires September 2001 [Page 55]
Internet Draft IPsec Configuration Policy Model March 2001
The property GroupComponent is inherited from PolicyComponent and is
overridden to refer to an IPsecProposal instance. The [0..n]
cardinality indicates that an SATransform instance may be associated
with zero or more IPsecProposal instances.
7.9.2. The Reference PartComponent
The property PartComponent is inherited from PolicyComponent and is
overridden to refer to an SATransform instance. The [1..n]
cardinality indicates that an IPsecProposal instance MUST be
associated with at least one SATransform instance.
7.9.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for
the SATransforms of the same type. The property is defined as
follows:
NAME SequenceNumber
DESCRIPTION Specifies the preference order for the SATransforms of
the same type.
SYNTAX unsigned 16-bit integer
VALUE Lower-valued transforms are preferred over transforms
of the same type with higher values. For
ContainedTransforms that reference the same
IPsecProposal, SequenceNumber values must be unique.
7.10. The Association Class SATransformInSystem
The class SATransformInSystem weakly associates SATransforms with a
System. The class definition for SATransformInSystem System is as
follows:
NAME SATransformInSystem
DESCRIPTION Weakly associates SATransforms with a System.
DERIVED FROM PolicyInSystem (see [PCIM])
ABSTRACT FALSE
PROPERTIES Antecedent[ref System[1..1]]
Dependent[ref SATransform[0..n] [weak]]
7.10.1. The Reference Antecedent
The property Antecedent is inherited from PolicyInSystem and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that an SATransform instance MUST be associated with one
and only one System instance.
7.10.2. The Reference Dependent
The property Dependent is inherited from PolicyInSystem and is
overridden to refer to an SATransform instance. The [0..n]
Jason, et al Expires September 2001 [Page 56]
Internet Draft IPsec Configuration Policy Model March 2001
cardinality indicates that a System instance may be associated with
zero or more SATransform instances.
Jason, et al Expires September 2001 [Page 57]
Internet Draft IPsec Configuration Policy Model March 2001
8. IKE Service and Identity Classes
+--------------+ +-------------------+
| System | | PeerIdentityEntry |
| (Appendix A) | +-------------------+
+--------------+ |*w
1| (a) (b) |
+---+ +------------+
| |
|*w 1 o
+-------------+ +-------------------+ +---------------------+
| PeerGateway | | PeerIdentityTable | | AutostartIKESetting |
+-------------+ +-------------------+ +---------------------+
*| *| *| *|
+----------------------+ |(d) +----------+ |
(c) *| *| *| (e) |
*+------------+* |(f)
+-----------------| IKEService |-----+ |
| (g) +------------+ |(h) |
0..1| *| *| *o
+--------------------+ | +---------------------------+
| IPProtocolEndpoint | | | AutostartIKEConfiguration |
| (Appendix C) | (i)| +---------------------------+
+--------------------+ |
0..1| |
|(j) +----------------+
*| |*
+-------------+* (k) +------------+ +-----------------------------+
| IKEIdentity |-------| Collection | | CredentialManagementService |
+-------------+ 0..1|(Appendix A)| | (Appendix B) |
*| +------------+ +-----------------------------+
|(l)
*|
+--------------+
| Credential |
| (Appendix B) |
+--------------+
(a) HostedPeerIdentityTable
(b) PeerIdentityMember
(c) IKEServicePeerGateway
(d) IKEServicePeerIdentityTable
(e) IKEAutostartSetting
(f) AutostartIKESettingContext
(g) IKEServiceForEndpoint
(h) IKEAutostartConfiguration
(i) IKEUsesCredentialManagementService
(j) EndpointHasLocalIKEIdentity
(k) CollectionHasLocalIKEIdentity
(l) IKEIdentitysCredential
This portion of the model contains additional information that is
useful in applying the policy. The IKEService class MAY be used to
Jason, et al Expires September 2001 [Page 58]
Internet Draft IPsec Configuration Policy Model March 2001
represent the IKE negotiation function in a system. The IKEService
uses the various tables that contain information about IKE peers as
well as the configuration for specifying security associations that
are started automatically. The information in the PeerGateway,
PeerIdentityTable and related classes is necessary to completely
specify the policies.
An interface (represented by an IPProtocolEndpoint) has an
IKEService that provides the negotiation services for that
interface. That service MAY also have a list of security
associations for that are automatically started at the time the IKE
service is initialized.
The IKEService also has a set of identities that it may use in
negotiations with its peers. Those identities are associated with
the interfaces (or collections of interfaces).
8.1. The Class IKEService
The class IKEService represents the IKE negotiation function. An
instance of this service may provide that negotiation service for
one or more interfaces (represented by the IPProtocolEndpoint class)
of a System. There may be multiple instances of IKE services on a
System but only one per interface. The class definition for
IKEService is as follows:
NAME IKEService
DESCRIPTION IKEService is used to represent the IKE negotiation
function.
DERIVED FROM NetworkService (see Appendix C)
ABSTRACT FALSE
8.2. The Class PeerIdentityTable
The class PeerIdentityTable aggregates the table entries that
provide mappings between identities and their addresses. The class
definition for PeerIdentityTable is as follows:
NAME PeerIdentityTable
DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry
instances to provide a table of identity-address
mappings.
DERIVED FROM Collection (see Appendix A)
ABSTRACT FALSE
PROPERTIES Name
8.3.1. The Property Name
The property Name uniquely identifies the table. The property is
defined as follows:
NAME Name
DESCRIPTION Name uniquely identifies the table.
Jason, et al Expires September 2001 [Page 59]
Internet Draft IPsec Configuration Policy Model March 2001
SYNTAX string
8.3. The Class PeerIdentityEntry
The class PeerIdentityEntry specifies the mapping between peer
identity and their address. The class definition for
PeerIdentityEntry is as follows:
NAME PeerIdentityEntry
DESCRIPTION PeerIdentityEntry provides a mapping between a peer's
identity and address.
DERIVED FROM LogicalElement (see Appendix A)
ABSTRACT FALSE
PROPERTIES PeerIdentity
PeerIdentityType
PeerAddress
PeerAddressType
8.3.1. The Property PeerIdentity
The property PeerIdentity contains a string encoding of the Identity
payload for the IKE peer. The property is defined as follows:
NAME PeerIdentity
DESCRIPTION The PeerIdentity is the ID payload of a peer.
SYNTAX string
8.3.2. The Property PeerIdentityType
The property PeerIdentityType is an enumeration that specifies the
type of the PeerIdentity. The property is defined as follows:
NAME PeerIdentityType
DESCRIPTION PeerIdentityType is the type of the ID payload of a
peer.
SYNTAX unsigned 16-bit integer
VALUE The enumeration values are specified in [DOI] section
4.6.2.1.
8.3.3. The Property PeerAddress
The property PeerAddress specifies the string representation of the
IP address of the peer formatted according to the appropriate
convention as defined in the PeerAddressType property (e.g., dotted
decimal notation). The property is defined as follows:
NAME PeerAddress
DESCRIPTION PeerAddress is the address of the peer with the ID
payload.
SYNTAX string
VALUE String representation of an IPv4 or IPv6 address.
8.3.4. The Property PeerAddressType
Jason, et al Expires September 2001 [Page 60]
Internet Draft IPsec Configuration Policy Model March 2001
The property PeerAddressType specifies the format of the PeerAddress
property value. The property is defined as follows:
NAME PeerAddressType
DESCRIPTION PeerAddressType is the type of address in PeerAddress.
SYNTAX unsigned 16-bit integer
VALUE 0 - Unknown
1 - IPv4
2 - IPv6
8.4. The Class AutostartIKEConfiguration
The class AutostartIKEConfiguration groups AutostartIKESetting
instances into configuration sets. When applied, the settings cause
an IKE service to automatically start (negotiate or statically set
as appropriate) the Security Associations. The class definition for
AutostartIKEConfiguration is as follows:
NAME AutostartIKEConfiguration
DESCRIPTION A configuration set of AutostartIKESetting instances to
be automatically started by the IKE service.
DERIVED FROM SystemConfiguration (see Appendix A)
ABSTRACT FALSE
8.5. The Class AutostartIKESetting
The class AutostartIKESetting is used to automatically initiate IKE
negotiations with peers (or statically create an SA) as specified in
the AutostartIKESetting properties. Appropriate actions are
initiated according to the policy that matches the setting
parameters. The class definition for AutostartIKESetting is as
follows:
NAME AutostartIKESetting
DESCRIPTION AutostartIKESetting is used to automatically initiate
IKE negotiations with peers or statically create an SA.
DERIVED FROM SystemSetting (see Appendix A)
ABSTRACT FALSE
PROPERTIES Phase1Only
AddressType
SourceAddress
SourcePort
DestinationAddress
DestinationPort
Protocol
8.5.1. The Property Phase1Only
The property Phase1Only is used to limit the IKE negotiation to just
setting up a phase 1 security association. When set to False, both
phase 1 and 2 negotiations are initiated.
The property is defined as follows:
Jason, et al Expires September 2001 [Page 61]
Internet Draft IPsec Configuration Policy Model March 2001
NAME Phase1Only
DESCRIPTION Used to indicate which security associations to attempt
to establish (phase 1 only, or phase 1 and 2).
SYNTAX boolean
VALUE true - attempt to establish a phase 1 security
association
false - attempt to establish phase 1 and 2 security
associations
8.5.2. The Property AddressType
The property AddressType specifies type of the addresses in the
SourceAddress and DestinationAddress properties. The property is
defined as follows:
NAME AddressType
DESCRIPTION AddressType is the type of address in SourceAddress and
DestinationAddress properties.
SYNTAX unsigned 16-bit integer
VALUE 0 - Unknown
1 - IPv4
2 - IPv6
8.5.3. The Property SourceAddress
The property SourceAddress specifies the dotted-decimal or colon-
decimal formatted IP address used as the source address in comparing
with policy filter entries and used in any phase 2 negotiations.
The property is defined as follows:
NAME SourceAddress
DESCRIPTION The source address to compare with the filters to
determine the appropriate policy rule.
SYNTAX string
VALUE dotted-decimal or colon-decimal formatted IP address
8.5.4. The Property SourcePort
The property SourcePort specifies the port number used as the source
port in comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:
NAME SourcePort
DESCRIPTION The source port to compare with the filters to
determine the appropriate policy rule.
SYNTAX unsigned 16-bit integer
8.5.5. The Property DestinationAddress
The property DestinationAddress specifies the dotted-decimal or
colon-decimal formatted IP address used as the destination address
Jason, et al Expires September 2001 [Page 62]
Internet Draft IPsec Configuration Policy Model March 2001
in comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:
NAME DestinationAddress
DESCRIPTION The destination address to compare with the filters to
determine the appropriate policy rule.
SYNTAX string
VALUE dotted-decimal or colon-decimal formatted IP address
8.5.6. The Property DestinationPort
The property DestinationPort specifies the port number used as the
destination port in comparing with policy filter entries and used in
any phase 2 negotiations. The property is defined as follows:
NAME DestinationPort
DESCRIPTION The destination port to compare with the filters to
determine the appropriate policy rule.
SYNTAX unsigned 16-bit integer
8.5.7. The Property Protocol
The property Protocol specifies the protocol number used in
comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:
NAME Protocol
DESCRIPTION The protocol number used in comparing with policy
filter entries.
SYNTAX unsigned 8-bit integer
8.6. The Class IKEIdentity
The class IKEIdentity is used to represent the identities that may
be used for an IPProtocolEndpoint (or collection of
IPProtocolEndpoints) to identify the IKE Service in IKE phase 1
negotiations. The policy IKEAction.UseIKEIdentityType specifies
which type of the available identities to use in a negotiation
exchange and the IKERule.IdentityContexts specifies the match values
to be used, along with the local address, in selecting the
appropriate identity for a negotiation. The ElementID property value
(defined in the parent class, UsersAccess) should be that of either
the IPProtocolEndpoint or Collection of endpoints as appropriate.
The class definition for IKEIdentity is as follows:
NAME IKEIdentity
DESCRIPTION IKEIdentity is used to represent the identities that
may be used for an IPProtocolEndpoint (or collection of
IPProtocolEndpoints) to identify the IKE Service in IKE
phase 1 negotiations.
DERIVED FROM UsersAccess (see Appendix B)
ABSTRACT FALSE
Jason, et al Expires September 2001 [Page 63]
Internet Draft IPsec Configuration Policy Model March 2001
PROPERTIES IdentityType
IdentityValue
IdentityContexts
8.6.1. The Property IdentityType
The property IdentityType is an enumeration that specifies the type
of the IdentityValue. The property is defined as follows:
NAME IdentityType
DESCRIPTION IdentityType is the type of the IdentityValue.
SYNTAX unsigned 8-bit integer
VALUE The enumeration values are specified in [DOI] section
4.6.2.1.
8.6.2. The Property IdentityValue
The property Identity specifies Value contains a string encoding of
the Identity payload. For IKEIdentity instances that are address
types, the IdentityValue string value may be omitted and the
associated IPProtocolEndpoint or appropriate member of the
Collection of endpoints is used. The property is defined as
follows:
NAME IdentityValue
DESCRIPTION IdentityValue contains a string encoding of the
Identity payload.
SYNTAX string
8.6.3. The Property IdentityContexts
The IdentityContexts property is used to constrain the use of
IKEIdentity instances to match that specified in the
IKERule.IdentityContexts. The IdentityContexts are formatted as
policy roles and role combinations [PCIM]. Each value represents
one context or context combination. Since this is a multi-valued
property, more than one context or combination of contexts can be
associated with a single IKEIdentity. Each value is a string of the
form: <ContextName>[&&<ContextName>]*
where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). If one or more
values in the IKERule.IdentityContexts array match one or more
IKEIdentity.IdentityContexts then the identity's context matches.
(That is, each value of the IdentityContext array is an ORed
condition.) In combination with the address of the
IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
1 and only 1 IKEIdentity. The property is defined as follows:
NAME IdentityContexts
DESCRIPTION The IKE service of a security endpoint may have
multiple identities for use in different situations.
The combination of the interface (represented by
the IPProtocolEndpoint), the identity type (as
Jason, et al Expires September 2001 [Page 64]
Internet Draft IPsec Configuration Policy Model March 2001
specified in the IKEAction) and the IdentityContexts
selects a unique identity.
SYNTAX string array
VALUE string of the form <ContextName>[&&<ContextName>]*
8.7. The Association Class HostedPeerIdentityTable
The class HostedPeerIdentityTable provides the name scoping
relationship for PeerIdentityTable entries in a System. The
PeerIdentityTable is weak to the System. The class definition for
HostedPeerIdentityTable is as follows:
NAME HostedPeerIdentityTable
DESCRIPTION The PeerIdentityTable instances are weak (name scoped
by) the owning System.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref System[1..1]]
Dependent [ref PeerIdentityTable[0..n] [weak]]
8.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerIdentityTable instance MUST be associated in a
weak relationship with one and only one System instance.
8.7.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to a PeerIdentityTable instance. The [0..n]
cardinality indicates that a System instance may be associated with
zero or more PeerIdentityTable instances.
8.8. The Aggregation Class PeerIdentityMember
The class PeerIdentityMember aggregates PeerIdentityEntry instances
into a PeerIdentityTable. This is a weak aggregation. The class
definition for PeerIdentityMember is as follows:
NAME PeerIdentityMember
DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry
instances into a PeerIdentityTable.
DERIVED FROM MemberOfCollection (see Appendix A)
ABSTRACT FALSE
PROPERTIES Collection [ref PeerIdentityTable[1..1]]
Member [ref PeerIdentityEntry [0..n] [weak]]
8.8.1. The Reference Collection
The property Collection is inherited from MemberOfCollection and is
overridden to refer to a PeerIdentityTable instance. The [1..1]
cardinality indicates that a PeerIdentityEntry instance MUST be
Jason, et al Expires September 2001 [Page 65]
Internet Draft IPsec Configuration Policy Model March 2001
associated with one and only one PeerIdentityTable instance (i.e.,
PeerIdentityEntry instances are not shared across
PeerIdentityTables).
8.8.2. The Reference Member
The property Member is inherited from MemberOfCollection and is
overridden to refer to a PeerIdentityEntry instance. The [0..n]
cardinality indicates that a PeerIdentityTable instance may be
associated with zero or more PeerIdentityEntry instances.
8.9. The Association Class IKEServicePeerGateway
The class IKEServicePeerGateway provides the association between an
IKEService and the list of PeerGateway instances that it uses in
negotiating with security gateways. The class definition for
IKEServicePeerGateway is as follows:
NAME IKEServicePeerGateway
DESCRIPTION Associates an IKEService and the list of PeerGateway
instances that it uses in negotiating with security
gateways.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerGateway[0..n]]
Dependent [ref IKEService[0..n]]
8.9.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more PeerGateway instances.
8.9.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that a PeerGateway instance may be associated
with zero or more IKEService instances.
8.10. The Association Class IKEServicePeerIdentityTable
The class IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it uses to map
between addresses and identities as required. The class definition
for IKEServicePeerIdentityTable is as follows:
NAME IKEServicePeerIdentityTable
DESCRIPTION IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it
uses.
DERIVED FROM Dependency (see Appendix A)
Jason, et al Expires September 2001 [Page 66]
Internet Draft IPsec Configuration Policy Model March 2001
ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerIdentityTable[0..n]]
Dependent [ref IKEService[0..n]]
8.10.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerIdentityTable instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more PeerIdentityTable instances.
8.10.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that a PeerIdentityTable instance may be
associated with zero or more IKEService instances.
8.11. The Association Class IKEAutostartSetting
The class IKEAutostartSetting associates an AutostartIKESetting with
an IKEService that may use it to automatically start an IKE
negotiation or create a static SA. The class definition for
IKEAutostartSetting is as follows:
NAME IKEAutostartSetting
DESCRIPTION Associates a AutostartIKESetting with an IKEService.
DERIVED FROM ElementSetting (see Appendix A)
ABSTRACT FALSE
PROPERTIES Element [ref IKEService[0..n]]
Setting [ref AutostartIKESetting[0..n]]
8.11.1. The Reference Element
The property Element is inherited from ElementSetting and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates an AutostartIKESetting instance may be
associated with zero or more IKEService instances.
8.11.2. The Reference Setting
The property Setting is inherited from ElementSetting and is
overridden to refer to an AutostartIKESetting instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more AutostartIKESetting instances.
8.12. The Aggregation Class AutostartIKESettingContext
The class AutostartIKESettingContext aggregates the settings used to
automatically start negotiations or create a static SA into a
configuration set. The class definition for
AutostartIKESettingContext is as follows:
Jason, et al Expires September 2001 [Page 67]
Internet Draft IPsec Configuration Policy Model March 2001
NAME AutostartIKESettingContext
DESCRIPTION AutostartIKESettingContext aggregates the
AutostartIKESetting instances into a configuration set.
DERIVED FROM SystemSettingContext (see Appendix A)
ABSTRACT FALSE
PROPERTIES Context [ref AutostartIKEConfiguration [0..n]]
Setting [ref AutostartIKESetting [0..n]]
SequenceNumber
8.12.1. The Reference Context
The property Context is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an AutostartIKESetting instance
may be associated with zero or more AutostartIKEConfiguration
instances (i.e., a setting may be in multiple configuration sets).
8.12.2. The Reference Setting
The property Setting is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKESetting instance. The [0..n]
cardinality indicates that an AutostartIKEConfiguration instance may
be associated with zero or more AutostartIKESetting instances.
8.12.3. The Property SequenceNumber
The property SequenceNumber specifies indicates the ordering to be
used when starting negotiations or creating a static SA. A zero
value indicates that order is not significant and settings may be
applied in parallel with other settings. All other settings in the
configuration are executed in sequence from lower values to high.
Sequence numbers need not be unique in an AutostartIKEConfiguration
and order is not significant for settings with the same sequence
number. The property is defined as follows:
NAME SequenceNumber
DESCRIPTION The sequence in which the settings are applied within a
configuration set.
SYNTAX unsigned 16-bit integer
8.13. The Association Class IKEServiceForEndpoint
The class IKEServiceForEndpoint provides the association showing
which IKE service, if any, provides IKE negotiation services for
which network interfaces. The class definition for
IKEServiceForEndpoint is as follows:
NAME IKEServiceForEndpoint
DESCRIPTION Associates an IPProtocolEndpoint with an IKEService
that provides negotiation services for the endpoint.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
Jason, et al Expires September 2001 [Page 68]
Internet Draft IPsec Configuration Policy Model March 2001
PROPERTIES Antecedent [ref IKEService[0..1]]
Dependent [ref IPProtocolEndpoint[0..n]]
8.13.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..1]
cardinality indicates that an IPProtocolEndpoint instance MUST by
associated with at most one IKEService instance.
8.13.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IPProtocolEndpoint that is associated with
at most one IKEService. The [0..n] cardinality indicates an
IKEService instance may be associated with zero or more
IPProtocolEndpoint instances.
8.14. The Association Class IKEAutostartConfiguration
The class IKEAutostartConfiguration provides the relationship
between an IKEService and a configuration set that it uses to
automatically start a set of SAs. The class definition for
IKEAutostartConfiguration is as follows:
NAME IKEAutostartConfiguration
DESCRIPTION IKEAutostartConfiguration provides the relationship
between an IKEService and an AutostartIKEConfiguration
that it uses to automatically start a set of SAs.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]]
Dependent [ref IKEService [0..n]]
Active
8.14.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an IKEService instance may be
associated with zero or more AutostartIKEConfiguration instances.
8.14.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that an AutostartIKEConfiguration instance may
be associated with zero or more IKEService instances.
8.14.3. The Property Active
The property Active specifies indicates whether the
AutostartIKEConfiguration set is currently active for the associated
Jason, et al Expires September 2001 [Page 69]
Internet Draft IPsec Configuration Policy Model March 2001
IKEService. That is, at boot time, the active configuration is used
to automatically start IKE negotiations and create static SAs. The
property is defined as follows:
NAME Active
DESCRIPTION Active indicates whether the AutostartIKEConfiguration
set is currently active for the associated IKEService.
SYNTAX boolean
VALUE true - AutostartIKEConfiguration is currently active
for associated IKEService.
false - AutostartIKEConfiguration is currently inactive
for associated IKEService.
8.15. The Association Class IKEUsesCredentialManagementService
The class IKEUsesCredentialManagementService defines the set of
CredentialManagementService(s) that are trusted sources of
credentials for IKE phase 1 negotiations. The class definition for
IKEUsesCredentialManagementService is as follows:
NAME IKEUsesCredentialManagementService
DESCRIPTION Associates the set of CredentialManagementService(s)
that are trusted by the IKEService as sources of
credentials used in IKE phase 1 negotiations.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref CredentialManagementService [0..n]]
Dependent [ref IKEService [0..n]]
8.15.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an IKEService instance may be
associated with zero or more CredentialManagementService instances.
8.15.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that a CredentialManagementService instance
may be associated with zero or more IKEService instances.
8.16. The Association Class EndpointHasLocalIKEIdentity
The class EndpointHasLocalIKEIdentity associates an
IPProtocolEndpoint with a set of IKEIdentity instances that may be
used in negotiating security associations on the endpoint. An
IKEIdentity MUST be associated with either an IPProtocolEndpoint
using this association or with a collection of IKEIdentity instances
using the CollectionHasLocalIKEIdentity association. The class
definition for EndpointHasLocalIKEIdentity is as follows:
Jason, et al Expires September 2001 [Page 70]
Internet Draft IPsec Configuration Policy Model March 2001
NAME EndpointHasLocalIKEIdentity
DESCRIPTION EndpointHasLocalIKEIdentity associates an
IPProtocolEndpoint with a set of IKEIdentity instances.
DERIVED FROM ElementAsUser (see Appendix B)
ABSTRACT FALSE
PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]]
Dependent [ref IKEIdentity [0..n]]
8.16.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is
overridden to refer to an IPProtocolEndpoint instance. The [0..1]
cardinality indicates that an IKEIdentity instance MUST be
associated with at most one IPProtocolEndpoint instance.
8.16.2. The Reference Dependent
The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that an IPProtocolEndpoint instance may be
associated with zero or more IKEIdentity instances.
8.17. The Association Class CollectionHasLocalIKEIdentity
The class CollectionHasLocalIKEIdentity associates a Collection of
IPProtocolEndpoint instances with a set of IKEIdentity instances
that may be used in negotiating SAs for endpoints in the collection.
An IKEIdentity MUST be associated with either an IPProtocolEndpoint
using the EndpointHasLocalIKEIdentity association or with a
collection of IKEIdentity instances using this association. The
class definition for CollectionHasLocalIKEIdentity is as follows:
NAME CollectionHasLocalIKEIdentity
DESCRIPTION CollectionHasLocalIKEIdentity associates a collection
of IPProtocolEndpoint instances with a set of
IKEIdentity instances.
DERIVED FROM ElementAsUser (see Appendix B)
ABSTRACT FALSE
PROPERTIES Antecedent [ref Collection [0..1]]
Dependent [ref IKEIdentity [0..n]]
8.17.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is
overridden to refer to a Collection instance. The [0..1]
cardinality indicates that an IKEIdentity instance MUST be
associated with at most one Collection instance.
8.17.2. The Reference Dependent
The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n]
Jason, et al Expires September 2001 [Page 71]
Internet Draft IPsec Configuration Policy Model March 2001
cardinality indicates that a Collection instance may be associated
with zero or more IKEIdentity instances.
8.18. The Association Class IKEIdentitysCredential
The class IKEIdentitysCredential is an association that relates a
set of credentials to their corresponding local IKE Identities. The
class definition for IKEIdentitysCredential is as follows:
NAME IKEIdentitysCredential
DESCRIPTION IKEIdentitysCredential associates a set of credentials
to their corresponding local IKEIdentity.
DERIVED FROM UsersCredential (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref Credential [0..n]]
Dependent [ref IKEIdentity [0..n]]
8.18.1. The Reference Antecedent
The property Antecedent is inherited from UsersCredential and is
overridden to refer to a Credential instance. The [0..n]
cardinality indicates that IKEIdentity instance may be associated
with zero or more Credential instances.
8.18.2. The Reference Dependent
The property Dependent is inherited from UsersCredential and is
overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that a Credential instance may be associated
with zero or more IKEIdentity instances.
9. Security Considerations
This document describes a schema for IPsec policy. It does not
detail security requirements for storage or delivery of said schema.
Storage and delivery security requirements should be detailed in a
comprehensive security policy architecture document.
10. Intellectual Property
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.
Copies of claims of rights made available for publication and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use
Jason, et al Expires September 2001 [Page 72]
Internet Draft IPsec Configuration Policy Model March 2001
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
11. Acknowledgments
The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
Vic Lortz, and William Dixon for their contributions to this IPsec
policy model.
Additionally, this draft would not have been possible without the
preceding IPsec schema drafts. For that, thanks go out to Rob
Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
Rajan.
12. References
[IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)",
RFC 2409, November 1998.
[COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP
Payload Compression Protocol (IPComp)", RFC 2393, August 1998.
[ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload
(ESP)", RFC 2406, November 1998.
[AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC
2402, November 1998.
[PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core
Information Model -- Version 1 Specification", RFC 3060, February
2001.
[DOI] Piper, D., "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC 2407, November 1998.
[LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997.
[COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
January 2000. Internet-Draft work in progress.
[COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie,
F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000.
Internet-Draft work in progress.
Jason, et al Expires September 2001 [Page 73]
Internet Draft IPsec Configuration Policy Model March 2001
[SPSL] Condell, M., and C. Lynn, J. Zao, "Security Policy
Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000.
Internet-Draft work in progress.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[IPSO] Kent, S., "U.S. Department of Defense Security Options for
the Internet Protocol", RFC 1108, November 1991.
[IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
13. Disclaimer
The views and specification herein are those of the authors and are
not necessarily those of their employer. The authors and their
employer specifically disclaim responsibility for any problems
arising from correct or incorrect implementation or use of this
specification.
14. Authors' Addresses
Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
E-Mail: jamie.jason@intel.com
Lee Rafalow
IBM Corporation, BRQA/502
4205 So. Miami Blvd.
Research Triangle Park, NC 27709
E-mail: rafalow@raleigh.ibm.com
Eric Vyncke
Cisco Systems
Avenue Marcel Thiry, 77
B-1200 Brussels
Belgium
E-mail: evyncke@cisco.com
15. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it maybe copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
Jason, et al Expires September 2001 [Page 74]
Internet Draft IPsec Configuration Policy Model March 2001
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other then
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING
TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Appendix A (DMTF Core Model MOF)
// ==================================================================
// ManagedElement
// ==================================================================
[Abstract, Description (
"ManagedElement is an abstract class that provides a common "
"superclass (or top of the inheritance tree) for the "
"non-association classes in the CIM Schema.")]
class CIM_ManagedElement
{
[MaxLen (64), Description (
"The Caption property is a short textual description (one-"
"line string) of the object.") ]
string Caption;
[Description (
"The Description property provides a textual description of "
"the object.") ]
string Description;
};
// ==================================================================
// Collection
// ==================================================================
[Abstract, Description (
"Collection is an abstract class that provides a common"
"superclass for data elements that represent collections of "
"ManagedElements and its subclasses.")]
class CIM_Collection : CIM_ManagedElement
{
};
// ==================================================================
// ManagedSystemElement
// ==================================================================
Jason, et al Expires September 2001 [Page 75]
Internet Draft IPsec Configuration Policy Model March 2001
[Abstract, Description (
"CIM_ManagedSystemElement is the base class for the System "
"Element hierarchy. Membership Criteria: Any distinguishable "
"component of a System is a candidate for inclusion in this "
"class. Examples: software components, such as files; and "
"devices, such as disk drives and controllers, and physical "
"components such as chips and cards.") ]
class CIM_ManagedSystemElement : CIM_ManagedElement
{
[Description (
"A datetime value indicating when the object was installed. "
"A lack of a value does not indicate that the object is not "
"installed."),
MappingStrings {"MIF.DMTF|ComponentID|001.5"} ]
datetime InstallDate;
[MaxLen (256), Description (
"The Name property defines the label by which the object is "
"known. When subclassed, the Name property can be overridden "
"to be a Key property.") ]
string Name;
[MaxLen (10), Description (
" A string indicating the current status of the object. "
"Various operational and non-operational statuses are "
"defined. Operational statuses are \"OK\", \"Degraded\", "
"\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that "
"the Element is functioning, but needs attention. Examples "
"of \"Stressed\" states are overload, overheated, etc. The "
"condition \"Pred Fail\" (failure predicted) indicates that "
"an Element is functioning properly but predicting a failure "
"in the near future. An example is a SMART-enabled hard "
"drive. \n"
" Non-operational statuses can also be specified. These "
"are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", "
"\"Stopped\", "
"\"Service\",\"No Contact\" and \"Lost Comm\". \"NonRecover\""
"indicates that a non-recoverable error has occurred. "
"\"Service\" describes an Element being configured, "
"maintained,"
"cleaned, or otherwise administered. This status could apply "
"during mirror-resilvering of a disk, reload of a user "
"permissions list, or other administrative task. Not all "
"such "
"work is on-line, yet the Element is neither \"OK\" nor in "
"one of the other states. \"No Contact\" indicates that the "
"current instance of the monitoring system has knowledge of "
"this Element but has never been able to establish "
"communications with it. \"Lost Comm\" indicates that "
"the ManagedSystemElement is known to exist and has been "
"contacted successfully in the past, but is currently "
"unreachable."
"\"Stopped\" indicates that the ManagedSystemElement is "
"known "
"to exist, it is not operational (i.e. it is unable to "
Jason, et al Expires September 2001 [Page 76]
Internet Draft IPsec Configuration Policy Model March 2001
"provide service to users), but it has not failed. It "
"has purposely "
"been made non-operational. The Element "
"may have never been \"OK\", the Element may have initiated "
"its "
"own stop, or a management system may have initiated the "
"stop."),
ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail",
"Starting", "Stopping", "Service", "Stressed",
"NonRecover", "No Contact", "Lost Comm", "Stopped"} ]
string Status;
};
// ==================================================================
// LogicalElement
// ==================================================================
[Abstract, Description (
"CIM_LogicalElement is a base class for all the components "
"of "
"a System that represent abstract system components, such "
"as Files, Processes, or system capabilities in the form "
"of Logical Devices.") ]
class CIM_LogicalElement:CIM_ManagedSystemElement
{
};
// ==================================================================
// CIM_SystemConfiguration
// ==================================================================
[Description (
"CIM_SystemConfiguration represents the general concept "
"of a CIM_Configuration which is scoped by/weak to a "
"System. This class is a peer of CIM_Configuration since "
"the key structure of Configuration is currently "
"defined and cannot be modified with additional "
"properties.")]
class CIM_SystemConfiguration : CIM_ManagedElement {
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description (
"The scoping System's CreationClassName.") ]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key, MaxLen (256),
Description ("The scoping System's Name.") ]
string SystemName;
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Key, MaxLen (256), Description (
"The label by which the Configuration object is known.") ]
Jason, et al Expires September 2001 [Page 77]
Internet Draft IPsec Configuration Policy Model March 2001
string Name;
};
// ===================================================================
// Setting
// ===================================================================
[Abstract, Description (
"The Setting class represents configuration-related and "
"operational parameters for one or more ManagedSystem"
"Element(s). A ManagedSystemElement may have multiple "
"Setting "
"objects associated with it. The current operational values "
"for an Element's parameters are reflected by properties in "
"the Element itself or by properties in its associations. "
"These properties do not have to be the same values present "
"in the Setting object. For example, a modem may have a "
"Setting baud rate of 56Kb/sec but be operating "
"at 19.2Kb/sec.") ]
class CIM_Setting : CIM_ManagedElement
{
[MaxLen (256), Description (
"The identifier by which the Setting object is known.") ]
string SettingID;
[Description (
"The VerifyOKToApplyToMSE method is used to verify that "
"this Setting can be 'applied' to the referenced Managed"
"SystemElement, at the given time or time interval. This "
"method takes three input parameters: MSE (the Managed"
"SystemElement that is being verified), TimeToApply (which, "
"being a datetime, can be either a specific time or a time "
"interval), and MustBeCompletedBy (which indicates the "
"required completion time for the method). The return "
"value should be 0 if it is OK to apply the Setting, 1 if "
"the method is not supported, 2 if the Setting can not be "
"applied within the specified times, and any other number "
"if an error occurred. In a subclass, the "
"set of possible return codes could be specified, using a "
"ValueMap qualifier on the method. The strings to which the "
"ValueMap contents are 'translated' may also be specified in "
"the subclass as a Values array qualifier.") ]
uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
[IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);
[Description (
"The ApplyToMSE method performs the actual application of "
"the Setting to the referenced ManagedSystemElement. It "
"takes three input parameters: MSE (the ManagedSystem"
"Element to which the Setting is being applied), "
"TimeToApply (which, being a datetime, can be either a "
"specific time or a time interval), and MustBeCompletedBy "
"(which indicates the required completion time for the "
"method). Note that the semantics of this method are that "
"individual Settings are either wholly applied or not "
"applied at all to their target ManagedSystemElement. The "
Jason, et al Expires September 2001 [Page 78]
Internet Draft IPsec Configuration Policy Model March 2001
"return value should be 0 if the Setting is successfully "
"applied to the referenced ManagedSystemElement, 1 if the "
"method is not supported, 2 if the Setting was not applied "
"within the specified times, and any other number if an "
"error occurred. In a subclass, the set of possible return "
"codes could be specified, using a ValueMap qualifier on "
"the method. The strings to which the ValueMap contents are "
"'translated' may also be specified in the subclass as a "
"Values array qualifier.\n"
"Note: If an error occurs in applying the Setting to a "
"ManagedSystemElement, the Element must be configured as "
"when the 'apply' attempt began. That is, the Element "
"should NOT be left in an indeterminate state.") ]
uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
[IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);
[Description (
"The VerifyOKToApplyToCollection method is used to verify "
"that this Setting can be 'applied' to the referenced "
"Collection of ManagedSystemElements, at the given time "
"or time interval, without causing adverse effects to "
"either the Collection itself or its surrounding "
"environment. The net effect is to execute the "
"VerifyOKToApply method against each of the Elements "
"aggregated by the Collection. This method takes three "
"input parameters: Collection (the Collection of Managed"
"SystemElements that is being verified), TimeToApply (which, "
"being a datetime, can be either a specific time or a time "
"interval), and MustBeCompletedBy (which indicates the "
"required completion time for the method). The return "
"value should be 0 if it is OK to apply the Setting, 1 if "
"the method is not supported, 2 if the Setting can not be "
"applied within the specified times, and any other number if "
"an error occurred. One output parameter is defined - "
"CanNotApply - which is a string array that lists the keys "
"of "
"the ManagedSystemElements to which the Setting can NOT be "
"applied. This enables those Elements to be revisited and "
"either fixed, or other corrective action taken.\n"
"In a subclass, the set of possible return codes could be "
"specified, using a ValueMap qualifier on the method. The "
"strings to which the ValueMap contents are 'translated' may "
"also be specified in the subclass as a Values array "
"qualifier.") ]
uint32 VerifyOKToApplyToCollection (
[IN] CIM_CollectionOfMSEs ref Collection,
[IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy,
[OUT] string CanNotApply[]);
[Description (
"The ApplyToCollection method performs the application of "
"the Setting to the referenced Collection of ManagedSystem"
"Elements. The net effect is to execute the ApplyToMSE "
"method against each of the Elements aggregated by the "
"Collection. If the input value ContinueOnError is FALSE, "
Jason, et al Expires September 2001 [Page 79]
Internet Draft IPsec Configuration Policy Model March 2001
"this method applies the Setting to all Elements in the "
"Collection until it encounters an error, in which case it "
"stops execution, logs the key of the Element that caused "
"the error in the CanNotApply array, and issues a return "
"code "
"of 2. If the input value ContinueOnError is TRUE, then this "
"method applies the Setting to all the ManagedSystemElements "
"in the Collection, and reports the failed Elements in the "
"array, CanNotApply. For the latter, processing will "
"continue "
"until the method is applied to all Elements in the "
"Collection, regardless of any errors encountered. The key "
"of "
"each ManagedSystemElement to which the Setting could not be "
"applied is logged into the CanNotApply array. This method "
"takes four input parameters: Collection (the Collection of "
"Elements to which the Setting is being applied), "
"TimeToApply "
"(which, being a datetime, can be either a specific time or "
"a "
"time interval), ContinueOnError (TRUE means to continue "
"processing on encountering an error), and MustBeCompletedBy "
"(which indicates the required completion time for the "
"method). The return value should be 0 if the Setting is "
"successfully applied to the referenced Collection, 1 if the "
"method is not supported, 2 if the Setting was not applied "
"within the specified times, 3 if the Setting can not be "
"applied using the input value for ContinueOnError, and any "
"other number if an error occurred. One output parameter is "
"defined, CanNotApplystring, which is an array that lists "
"the keys of the ManagedSystemElements to which the Setting "
"was NOT able to be applied. This output parameter has "
"meaning only when the ContinueOnError parameter is TRUE.\n"
"In a subclass, the set of possible return codes could be "
"specified, using a ValueMap qualifier on the method. The "
"strings to which the ValueMap contents are 'translated' may "
"also be specified in the subclass as a Values array "
"qualifier.\n"
"Note: if an error occurs in applying the Setting to a "
"ManagedSystemElement in the Collection, the Element must be "
"configured as when the 'apply' attempt began. That is, the "
"Element should NOT be left in an indeterminate state.") ]
uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection,
[IN] datetime TimeToApply, [IN] boolean ContinueOnError,
[IN] datetime MustBeCompletedBy, [OUT] string CanNotApply[]);
[Description (
"The VerifyOKToApplyIncrementalChangeToMSE method "
"is used to verify that a subset of the properties in "
"this Setting can be 'applied' to the referenced Managed"
"SystemElement, at the given time or time interval. This "
"method takes four input parameters: MSE (the Managed"
"SystemElement that is being verified), TimeToApply (which, "
"being a datetime, can be either a specific time or a time "
Jason, et al Expires September 2001 [Page 80]
Internet Draft IPsec Configuration Policy Model March 2001
"interval), MustBeCompletedBy (which indicates the "
"required completion time for the method), and a "
"PropertiesToApply array (which contains a list of the "
"property names whose values will be verified. "
"If they array is null or empty or constains the string "
"\"all\" "
"as a property name then all Settings properties shall be "
"verified. If it is set to \"none\" then no Settings "
"properties "
"will be verified). The return "
"value should be 0 if it is OK to apply the Setting, 1 if "
"the method is not supported, 2 if the Setting can not be "
"applied within the specified times, and any other number "
"if an error occurred. In a subclass, the "
"set of possible return codes could be specified, using a "
"ValueMap qualifier on the method. The strings to which the "
"ValueMap contents are 'translated' may also be specified in "
"the subclass as a Values array qualifier.") ]
uint32 VerifyOKToApplyIncrementalChangeToMSE(
[IN] CIM_ManagedSystemElement ref MSE,
[IN] datetime TimeToApply,
[IN] datetime MustBeCompletedBy,
[IN] string PropertiesToApply[]);
[Description (
"The ApplyIncrementalChangeToMSE method performs the "
"actual application of a subset of the properties in "
"the Setting to the referenced ManagedSystemElement. It "
"takes four input parameters: MSE (the ManagedSystem"
"Element to which the Setting is being applied), "
"TimeToApply (which, being a datetime, can be either a "
"specific time or a time interval), MustBeCompletedBy "
"(which indicates the required completion time for the "
"method), and a "
"PropertiesToApply array (which contains a list of the "
"property names whose values will be applied. If a "
"property is not in this list, it will be ignored by the "
"apply. "
"If they array is null or empty or constains the string "
"\"all\" "
"as a property name then all Settings properties shall be "
"applied. If it is set to \"none\" then no Settings "
"properties "
"will be applied. ). "
"Note that the semantics of this method are that "
"individual Settings are either wholly applied or not "
"applied at all to their target ManagedSystemElement. The "
"return value should be 0 if the Setting is successfully "
"applied to the referenced ManagedSystemElement, 1 if the "
"method is not supported, 2 if the Setting was not applied "
"within the specified times, and any other number if an "
"error occurred. In a subclass, the set of possible return "
"codes could be specified, using a ValueMap qualifier on "
"the method. The strings to which the ValueMap contents are "
Jason, et al Expires September 2001 [Page 81]
Internet Draft IPsec Configuration Policy Model March 2001
"'translated' may also be specified in the subclass as a "
"Values array qualifier.\n"
"Note: If an error occurs in applying the Setting to a "
"ManagedSystemElement, the Element must be configured as "
"when the 'apply' attempt began. That is, the Element "
"should NOT be left in an indeterminate state.") ]
uint32 ApplyIncrementalChangeToMSE(
[IN] CIM_ManagedSystemElement ref MSE,
[IN] datetime TimeToApply,
[IN] datetime MustBeCompletedBy,
[IN] string PropertiesToApply[]);
[Description (
"The VerifyOKToApplyIncrementalChangeToCollection method "
"is used to verify that a subset of the properties in "
"this Setting can be 'applied' to the referenced "
"Collection of ManagedSystemElements, at the given time "
"or time interval, without causing adverse effects to "
"either the Collection itself or its surrounding "
"environment. The net effect is to execute the "
"VerifyOKToApplyIncrementalChangeToMSE method "
"against each of the Elements "
"aggregated by the Collection. This method takes three "
"input parameters: Collection (the Collection of Managed"
"SystemElements that is being verified), TimeToApply (which, "
"being a datetime, can be either a specific time or a time "
"interval), MustBeCompletedBy (which indicates the "
"required completion time for the method), and a "
"PropertiesToApply array (which contains a list of the "
"property names whose values will be verified. "
"If they array is null or empty or contains the string "
"\"all\" "
"as a property name then all Settings properties shall be "
"verified. If it is set to \"none\" then no Settings "
"properties "
"will be verified). The return "
"value should be 0 if it is OK to apply the Setting, 1 if "
"the method is not supported, 2 if the Setting can not be "
"applied within the specified times, and any other number if "
"an error occurred. One output parameter is defined - "
"CanNotApply - which is a string array that lists the keys "
"of "
"the ManagedSystemElements to which the Setting can NOT be "
"applied. This enables those Elements to be revisited and "
"either fixed, or other corrective action taken.\n"
"In a subclass, the set of possible return codes could be "
"specified, using a ValueMap qualifier on the method. The "
"strings to which the ValueMap contents are 'translated' may "
"also be specified in the subclass as a Values array "
"qualifier.") ]
uint32 VerifyOKToApplyIncrementalChangeToCollection (
[IN] CIM_CollectionOfMSEs ref Collection,
[IN] datetime TimeToApply,
[IN] datetime MustBeCompletedBy,
Jason, et al Expires September 2001 [Page 82]
Internet Draft IPsec Configuration Policy Model March 2001
[IN] string PropertiesToApply[],
[OUT] string CanNotApply[]);
[Description (
"The ApplyIncrementalChangeToCollection method performs "
"the application of a subset of the properties in this "
"Setting to the referenced Collection of ManagedSystem"
"Elements. The net effect is to execute the "
"ApplyIncrementalChangeToMSE "
"method against each of the Elements aggregated by the "
"Collection. If the input value ContinueOnError is FALSE, "
"this method applies the Setting to all Elements in the "
"Collection until it encounters an error, in which case it "
"stops execution, logs the key of the Element that caused "
"the error in the CanNotApply array, and issues a return "
"code "
"of 2. If the input value ContinueOnError is TRUE, then this "
"method applies the Setting to all the ManagedSystemElements "
"in the Collection, and reports the failed Elements in the "
"array, CanNotApply. For the latter, processing will "
"continue "
"until the method is applied to all Elements in the "
"Collection, regardless of any errors encountered. The key "
"of "
"each ManagedSystemElement to which the Setting could not be "
"applied is logged into the CanNotApply array. This method "
"takes four input parameters: Collection (the Collection of "
"Elements to which the Setting is being applied), "
"TimeToApply "
"(which, being a datetime, can be either a specific time or "
"a "
"time interval), ContinueOnError (TRUE means to continue "
"processing on encountering an error), and MustBeCompletedBy "
"(which indicates the required completion time for the "
"method), and a PropertiesToApply array (which contains a "
"list "
"of the property names whose values will be applied. If a "
"property is not in this list, it will be ignored by "
"the apply. "
"If they array is null or empty or constains the string "
"\"all\" "
"as a property name then all Settings properties shall be "
"applied. If it is set to \"none\" then no Settings "
"properties "
"will be applied. ). "
"The return value should be 0 if the Setting is "
"successfully applied to the referenced Collection, 1 if the "
"method is not supported, 2 if the Setting was not applied "
"within the specified times, 3 if the Setting can not be "
"applied using the input value for ContinueOnError, and any "
"other number if an error occurred. One output parameter is "
"defined, CanNotApplystring, which is an array that lists "
"the keys of the ManagedSystemElements to which the Setting "
"was NOT able to be applied. This output parameter has "
Jason, et al Expires September 2001 [Page 83]
Internet Draft IPsec Configuration Policy Model March 2001
"meaning only when the ContinueOnError parameter is TRUE.\n"
"In a subclass, the set of possible return codes could be "
"specified, using a ValueMap qualifier on the method. The "
"strings to which the ValueMap contents are 'translated' may "
"also be specified in the subclass as a Values array "
"qualifier.\n"
"Note: if an error occurs in applying the Setting to a "
"ManagedSystemElement in the Collection, the Element must be "
"configured as when the 'apply' attempt began. That is, the "
"Element should NOT be left in an indeterminate state.") ]
uint32 ApplyIncrementalChangeToCollection(
[IN] CIM_CollectionOfMSEs ref Collection,
[IN] datetime TimeToApply,
[IN] boolean ContinueOnError,
[IN] datetime MustBeCompletedBy,
[IN] string PropertiesToApply[],
[OUT] string CanNotApply[]);
};
// ==================================================================
// CIM_SystemSetting
// ==================================================================
[Abstract, Description (
"CIM_SystemSetting represents the general concept "
"of a CIM_Setting which is scoped by/weak to a System.")]
class CIM_SystemSetting : CIM_Setting {
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description (
"The scoping System's CreationClassName.") ]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key, MaxLen (256),
Description ("The scoping System's Name.") ]
string SystemName;
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Override ("SettingID"), Key, MaxLen (256)]
string SettingID;
};
// ==================================================================
// System
// ==================================================================
[Abstract, Description (
"A CIM_System is a LogicalElement that aggregates an "
"enumerable set of Managed System Elements. The aggregation "
"operates as a functional whole. Within any particular "
"subclass of System, there is a well-defined list of "
Jason, et al Expires September 2001 [Page 84]
Internet Draft IPsec Configuration Policy Model March 2001
"Managed System Element classes whose instances must be "
"aggregated.") ]
class CIM_System:CIM_LogicalElement
{
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Key, MaxLen (256), Override ("Name"), Description (
"The inherited Name serves as key of a System instance in "
"an enterprise environment.") ]
string Name;
[MaxLen (64), Description (
"The System object and its derivatives are Top Level Objects "
"of CIM. They provide the scope for numerous components. "
"Having unique System keys is required. A heuristic can be "
"defined in individual System subclasses to attempt to "
"always "
"generate the same System Name Key. The NameFormat property "
"identifies how the System name was generated, using "
"the subclass' heuristic.") ]
string NameFormat;
[MaxLen (256), Description (
"A string that provides information on how the primary "
"system "
"owner can be reached (e.g. phone number, email address, "
"...)."),
MappingStrings {"MIF.DMTF|General Information|001.3"} ]
string PrimaryOwnerContact;
[MaxLen (64), Description (
"The name of the primary system owner."),
MappingStrings {"MIF.DMTF|General Information|001.4"} ]
string PrimaryOwnerName;
[Description (
"An array (bag) of strings that specify the roles this "
"System "
"plays in the IT-environment. Subclasses of System may "
"override this property to define explicit Roles values. "
"Alternately, a Working Group may describe the heuristics, "
"conventions and guidelines for specifying Roles. For "
"example, for an instance of a networking system, the Roles "
"property might contain the string, 'Switch' or 'Bridge'.") ]
string Roles[];
};
// ==================================================================
// Service
// ==================================================================
[Abstract, Description (
"A CIM_Service is a Logical Element that contains the "
Jason, et al Expires September 2001 [Page 85]
Internet Draft IPsec Configuration Policy Model March 2001
"information necessary to represent and manage the "
"functionality provided by a Device and/or SoftwareFeature. "
"A Service is a general-purpose object to configure and "
"manage the implementation of functionality. It is not the "
"functionality itself.") ]
class CIM_Service:CIM_LogicalElement
{
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this "
"property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Override ("Name"), Key, MaxLen (256),
Description (
"The Name property uniquely identifies the Service and "
"provides an indication of the functionality that is "
"managed. This functionality is described in more detail in "
"the object's Description property. ") ]
string Name;
[MaxLen (10), Description (
"StartMode is a string value indicating whether the Service "
"is automatically started by a System, Operating System, "
"etc. "
"or only started upon request."),
ValueMap {"Automatic", "Manual"} ]
string StartMode;
[Description (
"Started is a boolean indicating whether the Service "
"has been started (TRUE), or stopped (FALSE).") ]
boolean Started;
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description (
"The scoping System's CreationClassName. ") ]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key, MaxLen (256),
Description ("The scoping System's Name.") ]
string SystemName;
[Description (
"The StartService method places the Service in the started "
"state. It returns an integer value of 0 if the Service was "
"successfully started, 1 if the request is not supported and "
"any other number to indicate an error. In a subclass, the "
"set of possible return codes could be specified, using a "
"ValueMap qualifier on the method. The strings to which the "
"ValueMap contents are 'translated' may also be specified in "
"the subclass as a Values array qualifier.") ]
uint32 StartService();
[Description (
"The StopService method places the Service in the stopped "
"state. It returns an integer value of 0 if the Service was "
Jason, et al Expires September 2001 [Page 86]
Internet Draft IPsec Configuration Policy Model March 2001
"successfully stopped, 1 if the request is not supported and "
"any other number to indicate an error. In a subclass, the "
"set of possible return codes could be specified, using a "
"ValueMap qualifier on the method. The strings to which the "
"ValueMap contents are 'translated' may also be specified in "
"the subclass as a Values array qualifier.") ]
uint32 StopService();
};
// ==================================================================
// ServiceAccessPoint
// ==================================================================
[Abstract, Description (
"CIM_ServiceAccessPoint represents the ability to utilize or "
"invoke a Service. Access points represent that a Service "
"is "
"made available to other entities for use.") ]
class CIM_ServiceAccessPoint:CIM_LogicalElement
{
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this "
"property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Override ("Name"), Key, MaxLen (256),
Description (
"The Name property uniquely identifies the "
"ServiceAccessPoint "
"and provides an indication of the functionality that is "
"managed. This functionality is described in more detail in "
"the object's Description property.") ]
string Name;
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description (
"The scoping System's CreationClassName.") ]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key, MaxLen (256),
Description ("The scoping System's Name.") ]
string SystemName;
};
// ==================================================================
// === Association class definitions ===
// ==================================================================
// ==================================================================
// Component
// ==================================================================
[Association, Abstract, Aggregation, Description (
"CIM_Component is a generic association used to establish "
Jason, et al Expires September 2001 [Page 87]
Internet Draft IPsec Configuration Policy Model March 2001
"'part of' relationships between Managed System Elements. "
"For "
"example, the SystemComponent association defines parts of "
"a System.") ]
class CIM_Component
{
[Aggregate, Key, Description (
"The parent element in the association.") ]
CIM_ManagedSystemElement REF GroupComponent;
[Key, Description ("The child element in the association.") ]
CIM_ManagedSystemElement REF PartComponent;
};
// ==================================================================
// Dependency
// ==================================================================
[Association, Abstract, Description (
"CIM_Dependency is a generic association used to establish "
"dependency relationships between ManagedElements.") ]
class CIM_Dependency
{
[Key, Description (
"Antecedent represents the independent object in this "
"association.") ]
CIM_ManagedElement REF Antecedent;
[Key, Description (
"Dependent represents the object dependent on the "
"Antecedent.") ]
CIM_ManagedElement REF Dependent;
};
// ===================================================================
// ElementSetting
// ===================================================================
[Association, Description (
"ElementSetting represents the association between Managed"
"SystemElements and the Setting class(es) defined for them.")
]
class CIM_ElementSetting
{
[Key, Description ("The ManagedSystemElement.") ]
CIM_ManagedSystemElement REF Element;
[Key, Description (
"The Setting object associated with the ManagedSystem"
"Element.") ]
CIM_Setting REF Setting;
};
// ==================================================================
// MemberOfCollection
// ==================================================================
[Association, Aggregation, Description (
"CIM_MemberOfCollection is an aggregation used to establish "
"membership of ManagedElements in a Collection." ) ]
Jason, et al Expires September 2001 [Page 88]
Internet Draft IPsec Configuration Policy Model March 2001
class CIM_MemberOfCollection
{
[Key, Aggregate, Description ("The Collection that aggregates
members") ]
CIM_Collection REF Collection;
[Key, Description ("The aggregated member of the collection.")
]
CIM_ManagedElement REF Member;
};
// ==================================================================
// CIM_SystemSettingContext
// ==================================================================
[Association, Aggregation, Description (
"This relationship associates System-specific Configuration "
"objects with System-specific Setting objects, similar to "
"the "
"SettingContext association.")]
class CIM_SystemSettingContext {
[Aggregate, Key, Description (
"The Configuration object that aggregates the Setting.") ]
CIM_SystemConfiguration REF Context;
[Key, Description ("An aggregated Setting.")]
CIM_SystemSetting REF Setting;
};
Jason, et al Expires September 2001 [Page 89]
Internet Draft IPsec Configuration Policy Model March 2001
Appendix B (DMTF User Model MOF)
// ==================================================================
// OrganizationalEntity
// ==================================================================
[Abstract, Description (
"OrganizationalEntity is an abstract class from which classes "
"that fit into an organizational structure are derived.") ]
class CIM_OrganizationalEntity : CIM_ManagedElement
{
};
// ==================================================================
// UserEntity
// ==================================================================
[Abstract, Description (
"UserEntity is an abstract class that represents users.") ]
class CIM_UserEntity : CIM_OrganizationalEntity
{
};
// ==================================================================
// UsersAccess
// ==================================================================
[Description (
"The UsersAccess object class is used to specify a system user "
"that permitted access to system resources. The ManagedElement "
"that has access to system resources (represented in the model in "
"the ElementAsUser association) may be a person, a service, a "
"service access point or any collection thereof. Whereas the "
"Account class represents the user's relationship to a system "
"from the perspective of the security services of the system, the "
"UserAccess class represents the relationships to the systems "
"independent of a particular system or service.") ]
class CIM_UsersAccess: CIM_UserEntity
{
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.")]
string CreationClassName;
[Key, MaxLen (256),Description (
"The Name property defines the label by which the object is "
"known.")]
string Name;
[Key, Description (
"The ElementID property uniquely specifies the ManagedElement "
"object instance that is the user represented by the "
"UsersAccess object instance. The ElementID is formatted "
"similarly to a model path except that the property-value "
"pairs are ordered in alphabetical order (US ASCII lexical "
Jason, et al Expires September 2001 [Page 90]
Internet Draft IPsec Configuration Policy Model March 2001
"order).")]
string ElementID;
[Description (
"Biometric information used to identify a person. The "
"property value is left null or set to 'N/A' for non-human "
"user or a user not using biometric information for "
"authentication."),
Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger",
"Voice", "DNA-RNA", "EEG"} ]
uint16 Biometric[];
};
// ==================================================================
// SecurityService
// ==================================================================
[ Abstract, Description (
"CIM_SecurityService ...") ]
class CIM_SecurityService:CIM_Service
{
};
// ==================================================================
// AuthenticationService
// ==================================================================
[Description (
"CIM_AuthenticationService verifies users' identities through "
"some means. These services are decomposed into a subclass that "
"provides credentials to users and a subclass that provides for "
"the verification of the validity of a credential and, perhaps, "
"the appropriateness of its use for access to target resources. "
"The persistent state information used from one such verification "
"to another is maintained in an Account for that Users Access on "
"that AuthenticationService.") ]
class CIM_AuthenticationService:CIM_SecurityService
{
};
// ==================================================================
// CredentialManagementService
// ==================================================================
[Description (
"CIM_CredentialManagementService issues credentials and manages "
"the credential lifecycle.") ]
class CIM_CredentialManagementService:CIM_AuthenticationService
{
};
// ==================================================================
// CertificateAuthority
// ==================================================================
[Description ("A Certificate Authority (CA) is a credential "
"management service that issues and cryptographically "
"signs certificates thus acting as an trusted third-party "
Jason, et al Expires September 2001 [Page 91]
Internet Draft IPsec Configuration Policy Model March 2001
"intermediary in establishing trust relationships. The CA "
"authenicates the holder of the private key related to the "
"certificate's public key; the authenicated entity is "
"represented by the UsersAccess class.") ]
class CIM_CertificateAuthority:CIM_CredentialManagementService
{
[Description (
"The CAPolicyStatement describes what care is taken by the "
"CertificateAuthority when signing a new certificate. "
"The CAPolicyStatment may be a dot-delimited ASN.1 OID "
"string which identifies to the formal policy statement.") ]
string CAPolicyStatement;
[Description ( "A CRL, or CertificateRevocationList, is a "
"list of certificates which the CertificateAuthority has "
"revoked and which are not yet expired. Revocation is "
"necessary when the private key associated with the public "
"key of a certificate is lost or compromised, or when the "
"person for whom the certificate is signed no longer is "
"entitled to use the certificate."), Octetstring ]
string CRL[];
[Description ("Certificate Revocation Lists may be "
"available from a number of distribution points. "
"CRLDistributionPoint array values provide URIs for those "
"distribution points.")]
string CRLDistributionPoint[];
[Description ( "Certificates refer to their issuing CA by "
"its Distinguished Name (as defined in X.501)."), DN]
string CADistinguishedName;
[Description ( "The frequency, expressed in hours, at which "
"the CA will update its Certificate Revocation List. Zero "
"implies that the refresh frequency is unknown."),
Units("Hours")]
uint8 CRLRefreshFrequency;
[Description ( "The maximum number of certificates in a "
"certificate chain permitted for credentials issued by "
"this certificate authority or it's subordinate CAs.\n"
"The MaxChainLength of a superior CA in the trust "
"hierarchy should be greater than this value and the "
"MaxChainLength of a subordinate CA in the trust hierarchy "
"should be less than this value.")]
uint8 MaxChainLength;
};
// ==================================================================
// KerberosKeyDistributionCenter
// ==================================================================
[Description (
"CIM_KerberosKeyDistributionCenter ...") ]
class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService
{
[Override ("Name"),
Description ("The Realm served by this KDC.")]
string Name;
Jason, et al Expires September 2001 [Page 92]
Internet Draft IPsec Configuration Policy Model March 2001
[Description ("The version of Kerberos supported by this "
"service."),
Values {"V4", "V5", "DCE", "MS"} ]
uint16 Protocol[];
};
// ==================================================================
// Notary
// ==================================================================
[Description (
"CIM_Notary is an AuthenticationService (credential "
"management service) which compares the "
"biometric characteristics of a person with the "
"known characteristics of an Users Access, and determines "
"whether the person is the UsersAccess. An example is "
"a bank teller who compares a picture ID with the person "
"trying to cash a check, or a biometric login service that "
"uses voice recognition to identify a user.") ]
class CIM_Notary:CIM_CredentialManagementService
{
[Description ( "The types of biometric information which "
"this Notary can compare."),
Values { "N/A", "Other", "Facial", "Retina", "Mark",
"Finger", "Voice", "DNA-RNA", "EEG"} ]
uint16 Comparitors;
[Description (
"The SealProtocol is how the decision of the Notary is "
"recorded for future use by parties who will rely on its "
"decision. For instance, a drivers licence frequently "
"includes tamper-resistent coatings and markings to protect "
"the recorded decision that a driver, having various "
"biometric characteristics of height, weight, hair and eye "
"color, using a particular name, has features represented in "
"a photograph of their face.")]
string SealProtocol;
[Description (
"CharterIssued documents when the Notary is first "
"authorized, by whoever gave it responsibility, to perform "
"its service.")]
datetime CharterIssued;
[Description (
"CharterExpired documents when the Notary is no longer "
"authorized, by whoever gave it responsibility, to perform "
"its service.")]
datetime CharterExpired;
};
// ==================================================================
// LocalCredentialManagementService
// ==================================================================
[Description (
"CIM_LocalCredentialManagementService is a credential "
"management service that provides local system "
Jason, et al Expires September 2001 [Page 93]
Internet Draft IPsec Configuration Policy Model March 2001
"management of credentials used by the local system.") ]
class
CIM_LocalCredentialManagementService:CIM_CredentialManagementService
{
};
// ==================================================================
// SharedSecretService
// ==================================================================
[Description (
"CIM_SharedSecretService is a service which ascertains "
"whether messages received are from the Principal with "
"whom a secret is shared. Examples include a login "
"service that proves identity on the basis of knowledge of "
"the shared secret, or a transport integrity service (like "
"Kerberos provides) that includes a message authenticity "
"code that proves each message in the messsage stream came "
"from someone who knows the shared secret session key.")]
class CIM_SharedSecretService:CIM_LocalCredentialManagementService
{
[MaxLen (256), Description (
"The Algorithm used to convey the shared secret, such as "
"HMAC-MD5,or PLAINTEXT.") ]
string Algorithm;
[Description (
"The Protocol supported by the SharedSecretService.")]
string Protocol;
};
// ==================================================================
// PublicKeyManagementService
// ==================================================================
[Description (
"CIM_PublicKeyManagementService is a credential management "
"service that provides local system management of public "
"keys used by the local system.") ]
class
CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService
{
};
// ==================================================================
// Credential
// ==================================================================
[Abstract, Description (
"Subclasses of CIM_Credential define materials, "
"information, or other data which are used to prove the "
"identity of a CIM_UsersAccess to a particular "
"CIM_SecurityService. Generally, there may be some shared "
"information, or credential material which is used to "
"identify and authenticate ones self in the process of "
"gaining access to, or permission to use, an Account. "
"Such credential material may be used to authenticate a "
Jason, et al Expires September 2001 [Page 94]
Internet Draft IPsec Configuration Policy Model March 2001
"users access identity initially, as done by a "
"CIM_AuthenticationService (see later), and additionally on "
"an ongoing basis during the course of a connection or "
"other security association, as proof that each received "
"message or communication came from the owning user access "
"of "
"that credential material.") ]
class CIM_Credential:CIM_ManagedElement
{
};
// ==================================================================
// PublicKeyCertificate
// ==================================================================
[Description ("A Public Key Certificate is a credential "
"that is cryptographically signed by a trusted Certificate "
"Authority (CA) and issued to an authenticated entity "
"(e.g., human user, service,etc.) called the Subject in "
"the certificate and represented by the UsersAccess class. "
"The public key in the certificate is cryptographically "
"related to a private key that is to be held and kept "
"private by the authenticated Subject. The certificate "
"and its related private key can then be used for "
"establishing trust relationships and securing "
"communications with the Subject. Refer to the ITU/CCITT "
"X.509 standard as an example of such certificates.") ]
class CIM_PublicKeyCertificate:CIM_Credential
{
[Propagated ("CIM_System.CreationClassName"),
Key, MaxLen (256), Description ("Scoping System")]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"),
Key, MaxLen (256),Description ("Scoping System")]
string SystemName;
[Propagated ("CIM_CertificateAuthority.CreationClassName"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceCreationClassName;
[Propagated ("CIM_CertificateAuthority.Name"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceName;
[Key, MaxLen (256), Description (
"Certificate subject identifier")]
string Subject;
[MaxLen (256), Description (
"Alternate subject identifier for the Certificate.")]
string AltSubject;
[Description ("The DER-encoded raw public key."), Octetstring]
uint8 PublicKey[];
};
// ==================================================================
// UnsignedPublicKey
// ==================================================================
Jason, et al Expires September 2001 [Page 95]
Internet Draft IPsec Configuration Policy Model March 2001
[Description (
"A CIM_UnsignedPublicKey represents an unsigned public "
"key credential. The local UsersAccess (or subclass "
"thereof) accepts the public key as authentic because of "
"a direct trust relationship rather than via a third-party "
"Certificate Authority.") ]
class CIM_UnsignedPublicKey:CIM_Credential
{
[Propagated ("CIM_System.CreationClassName"),
Key, MaxLen (256), Description ("Scoping System")]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"),
Key, MaxLen (256),Description ("Scoping System")]
string SystemName;
[Propagated
("CIM_PublicKeyManagementService.CreationClassName"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceCreationClassName;
[Propagated ("CIM_PublicKeyManagementService.Name"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceName;
[Key, MaxLen (256), Description (
"The Identity of the Peer with whom a direct trust "
"relationship exists. The public key may be used for "
"security functions with the Peer."),
ModelCorrespondence
{"CIM_PublicKeyManagementService.PeerIdentityType" } ]
string PeerIdentity;
[Description ("PeerIdentityType is used to describe the "
"type of the PeerIdentity. The currently defined values "
"are used for IKE identities."),
ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8",
"9", "10", "11"},
Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN",
"IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
"IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
"DER_ASN1_GN", "KEY_ID"},
ModelCorrespondence
{"CIM_PublicKeyManagementService.PeerIdentity" } ]
uint16 PeerIdentityType;
[Description ("The DER-encoded raw public key."),
Octetstring]
uint8 PublicKey[];
};
// ==================================================================
// KerberosTicket
// ==================================================================
[Description (
"A CIM_KerberosTicket represents a credential issued by a "
"particular Kerberos Key Distribution Center (KDC) "
"to a particular CIM_UsersAccess as the result of a "
"successful authentication process. There are two types of "
Jason, et al Expires September 2001 [Page 96]
Internet Draft IPsec Configuration Policy Model March 2001
"tickets that a KDC may issue to a Users Access - a "
"TicketGranting ticket, which is used to protect and "
"authenticate communications between the Users Access and "
"the "
"KDC, and a Session ticket, which the KDC issues to two "
"Users Access to allow them to communicate with each other. "
) ]
class CIM_KerberosTicket:CIM_Credential
{
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description ("Scoping System")]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key,
MaxLen (256),Description ("Scoping System")]
string SystemName;
[Key, MaxLen (256), Propagated
("CIM_KerberosKeyDistributionCenter.CreationClassName"),
Description ("Scoping Service")]
string ServiceCreationClassName;
[Propagated ("CIM_KerberosKeyDistributionCenter.Name"),
Key, MaxLen (256),
Description ("Scoping Service. The Kerberos KDC Realm of "
"CIM_KerberosTicket is used to record the security "
"authority, or Realm, name so that tickets issued by "
"different Realms can be separately managed and "
"enumerated.")]
string ServiceName;
[Key, MaxLen (256), Description ("The name of the service "
"for which this ticket is used.")]
string AccessesService;
[Key, MaxLen (256), Description (
"RemoteID is the name by which the user is known at "
"the KDC security service.")]
string RemoteID;
datetime Issued;
datetime Expires;
[Description (
"The Type of CIM_KerberosTicket is used to indicate whether "
"the ticket in question was issued by the Kerberos Key "
"Distribution Center (KDC) to support ongoing communication "
"between the Users Access and the KDC (\"TicketGranting\"), "
"or was issued by the KDC to support ongoing communication "
"between two Users Access entities (\"Session\")." ),
Values {"Session", "TicketGranting"}]
uint16 TicketType;
};
// ==================================================================
// SharedSecret
// ==================================================================
[Description (
"CIM_SharedSecret is the secret shared between a Users "
"Access "
Jason, et al Expires September 2001 [Page 97]
Internet Draft IPsec Configuration Policy Model March 2001
"and a particular SharedSecret security service. Secrets "
"may be in the form of a password used for initial "
"authentication, or as with a session key, used as part of "
"a message authentication code to verify that a message "
"originated by the pricinpal with whom the secret is shared. "
"It is important to note that SharedSecret is not just the "
"password, but rather is the password used with a particular "
"security service.")]
class CIM_SharedSecret:CIM_Credential
{
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description ("Scoping System")]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key,
MaxLen (256),Description ("Scoping System")]
string SystemName;
[Key, MaxLen (256), Propagated
("CIM_SharedSecretService.CreationClassName"),
Description ("Scoping Service")]
string ServiceCreationClassName;
[Propagated ("CIM_SharedSecretService.Name"),
Key, MaxLen (256),
Description ("Scoping Service")]
string ServiceName;
[Key, MaxLen (256), Description (
"RemoteID is the name by which the user is known at "
"the remote secret key authentication service.")]
string RemoteID;
[Description (
"secret is the secret known by the Users Access.")]
string secret;
[Description (
"algorithm names the transformation algorithm, if any, used "
"to protect passwords before use in the protocol. For "
"instance, Kerberos doesn't store passwords as the shared "
"secret, but rather, a hash of the password.")]
string algorithm;
[Description (
"protocol names the protocol with which the SharedSecret is "
"used.")]
string protocol;
};
// ==================================================================
// NamedSharedIKESecret
// ==================================================================
[Description (
"CIM_NamedSharedIKESecret indirectly represents a shared "
"secret credential. The local identity, IKEIdentity, "
"and the remote peer identity share the secret that is "
"named by the SharedSecretName. The SharedSecretName is "
"used SharedSecretService to reference the secret.") ]
class CIM_NamedSharedIKESecret:CIM_Credential
Jason, et al Expires September 2001 [Page 98]
Internet Draft IPsec Configuration Policy Model March 2001
{
[Propagated ("CIM_System.CreationClassName"),
Key, MaxLen (256), Description ("Scoping System")]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"),
Key, MaxLen (256),Description ("Scoping System")]
string SystemName;
[Propagated ("CIM_SharedSecretService.CreationClassName"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceCreationClassName;
[Propagated ("CIM_SharedSecretService.Name"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceName;
[Key, MaxLen (256), Description (
"The local Identity with whom the direct trust "
"relationship exists."),
ModelCorrespondence
{"CIM_NamedSharedIKESecret.LocalIdentityType" } ]
string LocalIdentity;
[Key, Description ("LocalIdentityType is used to describe "
"the type of the LocalIdentity."),
ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
"9", "10", "11"},
Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
"IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
"IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
"DER_ASN1_GN", "KEY_ID"},
ModelCorrespondence
{"CIM_NamedSharedIKESecret.LocalIdentity" } ]
uint16 LocalIdentityType;
[Key, MaxLen (256), Description (
"The peer identity with whom the direct trust "
"relationship exists."),
ModelCorrespondence
{"CIM_NamedSharedIKESecret.PeerIdentityType" } ]
string PeerIdentity;
[Key, Description ("PeerIdentityType is used to describe "
"the type of the PeerIdentity."),
ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
"9", "10", "11"},
Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
"IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
"IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
"DER_ASN1_GN", "KEY_ID"},
ModelCorrespondence
{"CIM_NamedSharedIKESecret.PeerIdentity" } ]
uint16 PeerIdentityType;
[Description ("SharedSecretName is an indirect reference "
"to a shared secret. The SecretService does not expose "
"the actual secret but rather provides access to the "
"secret via a name.")]
string SharedSecretName;
};
Jason, et al Expires September 2001 [Page 99]
Internet Draft IPsec Configuration Policy Model March 2001
// ==================================================================
// === Association class definitions ===
// ==================================================================
// ==================================================================
// ElementAsUser
// ==================================================================
[Association, Description (
"CIM_ElementAsUser is an association used to establish the "
"'ownership' of UsersAccess object instances. That is, the "
"ManagedElement may have UsersAccess to systems and, therefore, "
"be 'users' on those systems. UsersAccess instances must have an "
"'owning' ManagedElement. Typically, the ManagedElements will be "
"limited to Collection, Person, Service and ServiceAccessPoint. "
"Other non-human ManagedElements that might be thought of as "
"having UsersAccess (e.g., a device or system) have services that "
"have the UsersAccess.")]
class CIM_ElementAsUser : CIM_Dependency
{
[Min (1), Max (1), Override ("Antecedent"),
Description ("The ManagedElement that has UsersAccess") ]
CIM_ManagedElement REF Antecedent;
[Override ("Dependent"),
Description ("The 'owned' UsersAccess") ]
CIM_UsersAccess REF Dependent;
};
// ==================================================================
// UsersCredential
// ==================================================================
[Association, Description (
"CIM_UsersCredential is an association used to establish the "
"credentials that may be used for a UsersAccess to a system or "
"set of systems. " )]
class CIM_UsersCredential : CIM_Dependency
{
[Override ("Antecedent"),
Description ("The issued credential that may be used.") ]
CIM_Credential REF Antecedent;
[Override ("Dependent"),
Description ("The UsersAccess that has use of a credential") ]
CIM_UsersAccess REF Dependent;
};
// ===================================================================
// PublicPrivateKeyPair
// ===================================================================
[Association, Description (
"This relationship associates a PublicKeyCertificate with "
"the Principal who has the PrivateKey used with the "
"PublicKey. The PrivateKey is not modeled, since it is not "
"a data element that ever SHOULD be accessible via "
Jason, et al Expires September 2001 [Page 100]
Internet Draft IPsec Configuration Policy Model March 2001
"management applications, other than key recovery services, "
"which are outside our scope.") ]
class CIM_PublicPrivateKeyPair:CIM_UsersCredential
{
[ Override ("Antecedent") ]
CIM_PublicKeyCertificate REF Antecedent;
[ Override ("Dependent") ]
CIM_UsersAccess REF Dependent;
[Description ( "The Certificate may be used for signature "
"only "
"or for confidentiality as well as signature"),
Values { "SignOnly", "ConfidentialityOrSignature"} ]
uint16 Use;
boolean NonRepudiation;
boolean BackedUp;
[Description ("The repository in which the certificate is "
"backed up.")]
string Repository;
};
// ===================================================================
// CAHasPublicCertificate
// ===================================================================
[Association, Description (
"A CertificateAuthority may have certificates issued by other CAs. "
"This association is essentially an optimization of the CA having "
"a UsersAccess instance with an association to a certificate thus "
"mapping more closely to LDAP-based certificate authority "
"implementations.") ]
class CIM_CAHasPublicCertificate:CIM_Dependency
{
[Max (1), Override ("Antecedent"),
Description ("The Certificate used by the CA")]
CIM_PublicKeyCertificate REF Antecedent;
[Override ("Dependent"),
Description ("The CA that uses a Certificate")]
CIM_CertificateAuthority REF Dependent;
};
// ===================================================================
// ManagedCredential
// ===================================================================
[Association, Description (
"This relationship associates a CredentialManagementService "
"with the Credential it manages.") ]
class CIM_ManagedCredential:CIM_Dependency
{
[Override ("Antecedent"), Min (1), Max (1),
Description ( "The credential management service")]
CIM_CredentialManagementService REF Antecedent;
[Override ("Dependent"),
Description ( "The managed credential")]
Jason, et al Expires September 2001 [Page 101]
Internet Draft IPsec Configuration Policy Model March 2001
CIM_Credential REF Dependent;
};
// ===================================================================
// CASignsPublicKeyCertificate
// ===================================================================
[Association, Description (
"This relationship associates a CertificateAuthority with "
"the certificates it signs.") ]
class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential
{
[Override ("Antecedent"), Min (1), Max (1),
Description ( "The CA which signed the certificate")]
CIM_CertificateAuthority REF Antecedent;
[Override ("Dependent"), Weak,
Description ( "The certificate issued by the CA")]
CIM_PublicKeyCertificate REF Dependent;
string SerialNumber;
[ Octetstring ]
uint8 Signature[];
datetime Expires;
string CRLDistributionPoint[];
};
// ==================================================================
// LocallyManagedPublicKey
// ==================================================================
[Association, Description (
"CIM_LocallyManagedPublicKey association provides the "
"relationship between a PublicKeyManagementService and an "
"UnsignedPublicKey.") ]
class CIM_LocallyManagedPublicKey:CIM_ManagedCredential
{
[Override ("Antecedent"), Min (1), Max (1),
Description ("The PublicKeyManagementService that manages "
"an unsigned public key.") ]
CIM_PublicKeyManagementService REF Antecedent;
[Override ("Dependent"), Weak, Description (
"An unsigned public key.") ]
CIM_UnsignedPublicKey REF Dependent;
};
// ===================================================================
// SharedSecretIsShared
// ===================================================================
[Association, Description (
"This relationship associates a SharedSecretService with the "
"SecretKey it verifies.") ]
class CIM_SharedSecretIsShared : CIM_ManagedCredential
{
[Override ("Antecedent"), Min (1), Max (1),
Description ("The credential management service")]
CIM_SharedSecretService REF Antecedent;
Jason, et al Expires September 2001 [Page 102]
Internet Draft IPsec Configuration Policy Model March 2001
[Override ("Dependent"), Weak,
Description ( "The managed credential")]
CIM_SharedSecret REF Dependent;
};
// ==================================================================
// IKESecretIsNamed
// ==================================================================
[Association, Description (
"CIM_IKESecretIsNamed association provides the "
"relationship between a SharedSecretService and a "
"NamedSharedIKESecret.") ]
class CIM_IKESecretIsNamed:CIM_ManagedCredential
{
[Override ("Antecedent"), Min (1), Max (1),
Description ("The SharedSecretService that manages a "
"NamedSharedIKESecret.")]
CIM_SharedSecretService REF Antecedent;
[Override ("Dependent"), Weak, Description (
"The managed NamedSharedIKESecret.") ]
CIM_NamedSharedIKESecret REF Dependent;
};
// ===================================================================
// KDCIssuesKerberosTicket
// ===================================================================
[Association, Description (
"The KDC issues and owns Kerberos tickets. This association "
"captures the relationship between the KDC and its issued tickets."
) ]
class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential
{
[Override ("Antecedent"), Min (1), Max (1),
Description ( "The issuing KDC") ]
CIM_KerberosKeyDistributionCenter REF Antecedent;
[Override ("Dependent"), Weak,
Description ( "The managed credential")]
CIM_KerberosTicket REF Dependent;
};
// ===================================================================
// NotaryVerifiesBiometric
// ===================================================================
[Association, Description (
"This relationship associates a Notary service with the "
"Users Access whose biometric information is verified.") ]
class CIM_NotaryVerifiesBiometric : CIM_Dependency
{
[Override ("Antecedent"),
Description ("The Notary service that verifies biometric "
"information ") ]
CIM_Notary REF Antecedent;
[Override ("Dependent"),
Jason, et al Expires September 2001 [Page 103]
Internet Draft IPsec Configuration Policy Model March 2001
Description ( "The UsersAccess that represents a person using "
"biometric information for authentication.")]
CIM_UsersAccess REF Dependent;
};
Jason, et al Expires September 2001 [Page 104]
Internet Draft IPsec Configuration Policy Model March 2001
Appendix C (DMTF Network Model MOF)
// ==================================================================
// NetworkService
// ==================================================================
[Abstract, Description (
"This is an abstract base class, derived from the Service "
"class. It serves as the root of the network service "
"hierarchy. Network services represent generic functions "
"that are available from the network that configure and/or "
"modify the traffic being sent. For example, FTP is not a "
"network service, as it simply passes data unchanged from "
"source to destination. On the other hand, services "
"that provide quality of service (e.g., DiffServ) and "
"security (e.g., IPSec) do affect the traffic stream. "
"Quality of service, IPSec, and other services are "
"subclasses of this class. This class hierarchy enables "
"developers to match services to users, groups, "
"and other objects in the network.") ]
class CIM_NetworkService : CIM_Service
{
[Description (
"This is a free-form array of strings that provide "
"descriptive words and phrases that can be used in queries "
"to help locate and identify instances of this service.") ]
string Keywords [ ];
[Description (
"This is a URL that provides the protocol, network "
"location, and other service-specific information required "
"in order to access the service. This should be implemented "
"as a LabeledURI, with syntax DirectoryString and a "
"matching rule of CaseExactMatch, for directory "
"implementors.") ]
string ServiceURL;
[Description (
"This is a free-form array of strings that specify any "
"specific pre-conditions that must be met in order for this "
"service to start correctly. It is expected that subclasses "
"will refine the inherited StartService() and StopService()"
"methods to suit their own application-specific needs. This "
"property is used to specify application-specific conditions "
"needed by the refined StartService and StopService"
"methods.") ]
string StartupConditions [ ];
[Description (
"This is a free-form array of strings that specify any "
"specific parameters that must be supplied to the "
"StartService() method in order for this service to start "
"correctly. It is expected that subclasses will refine the "
"inherited StartService() and StopService() methods to suit "
"their own application-specific needs. This property is used "
"to specify application-specific parameters needed by the "
Jason, et al Expires September 2001 [Page 105]
Internet Draft IPsec Configuration Policy Model March 2001
"refined StartService and StopService methods.") ]
string StartupParameters [ ];
};
// ==================================================================
// ProtocolEndpoint
// ==================================================================
[Description (
"A communication point from which data may be sent or "
"received. ProtocolEndpoints link router interfaces and "
"switch ports to LogicalNetworks.") ]
class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint
{
[Override ("Name"), MaxLen(256), Description (
"A string which identifies this ProtocolEndpoint with either "
"a port or an interface on a device. To ensure uniqueness, "
"the Name property should be prepended or appended with "
"information from the Type or OtherTypeDescription "
"properties. The method chosen is described in the "
"NameFormat property of this class.") ]
string Name;
[MaxLen (256), Description (
"NameFormat contains the naming heuristic that is chosen to "
"ensure that the value of the Name property is unique. For "
"example, one might choose to prepend the name of the port "
"or interface with the Type of ProtocolEndpoint that this "
"instance is (e.g., IPv4)followed by an underscore.") ]
string NameFormat;
[MaxLen (64), Description (
"ProtocolType is an enumeration that provides additional "
"information that can be used to help categorize and "
"classify different instances of this class."),
ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
"10", "11", "12", "13", "14", "15", "16", "17",
"18", "19", "20", "21"},
Values { "Unknown", "Other", "IPv4", "IPv6", "IPX",
"AppleTalk", "DECnet", "SNA", "CONP", "CLNP",
"VINES", "XNS", "ATM", "Frame Relay",
"Ethernet", "TokenRing", "FDDI", "Infiniband",
"Fibre Channel", "ISDN BRI Endpoint",
"ISDN B Channel Endpoint", "ISDN D Channel Endpoint"
},
ModelCorrespondence {
"CIM_ProtocolEndpoint.OtherTypeDescription"} ]
string ProtocolType;
[MaxLen(64), Description (
"A string describing the type of ProtocolEndpoint that this "
"instance is when the Type property of this class (or any of "
"its subclasses) is set to 1 (e.g., 'Other'). The format of "
"the string inserted in this property should be similar in "
"format to the values defined for the Type property. This "
"property should be set to NULL when the Type property is "
Jason, et al Expires September 2001 [Page 106]
Internet Draft IPsec Configuration Policy Model March 2001
"any value other than 1."),
ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} ]
string OtherTypeDescription;
};
// ==================================================================
// IPProtocolEndpoint
// ==================================================================
[Description (
"A ProtocolEndpoint that is dedicated to running IP.") ]
class CIM_IPProtocolEndpoint : CIM_ProtocolEndpoint
{
[Description (
"The IP address that this ProtocolEndpoint represents, "
"formatted according to the appropriate convention as "
"defined in the AddressType property of this class "
" (e.g., 171.79.6.40).") ]
string Address;
[Description (
"The mask for the IP address of this ProtocolEndpoint, "
"formatted according to the appropriate convention as "
"defined in the AddressType property of this class "
" (e.g., 255.255.252.0).") ]
string SubnetMask;
[Description (
"An enumeration that describes the format of the address "
"property. Whenever possible, IPv4-compatible addresses "
"should be used instead of native IPv6 addresses (see "
"RFC 2373, section 2.5.4). In order to have a consistent "
"format for IPv4 addresses in a mixed IPv4/v6 environment, "
"all IPv4 addresses and both IPv4-compatible IPv6 addresses "
"and IPv4-mapped IPv6 addresses, per RFC 2373, section "
"2.5.4, should be formatted in standard IPv4 format. "
"However, this (the 2.2) version of the Network Common "
"Model will not explicitly support mixed IPv4/IPv6 "
"environments. This will be added in a future release."),
ValueMap { "0", "1", "2" },
Values { "Unknown", "IPv4", "IPv6" } ]
uint16 AddressType;
[Description (
"It is not possible to tell from the address alone if a "
"given IPProtocolEndpoint can support IPv4 and IPv6, or "
"just one of these. This property explicitly defines the "
"support for different versions of IP that this "
"IPProtocolEndpoint has. "
"\n\n"
"More implementation experience is needed in order to "
"correctly model mixed IPv4/IPv6 networks; therefore, this "
"version (2.2) of the Network Common Model will not support "
"mixed IPv4/IPv6 environments. This will be looked at "
"further in a future version."),
ValueMap { "0", "1", "2" },
Jason, et al Expires September 2001 [Page 107]
Internet Draft IPsec Configuration Policy Model March 2001
Values { "Unknown", "IPv4 Only", "IPv6 Only" } ]
uint16 IPVersionSupport;
};
// ===================================================================
// CIM_FilterEntryBase
// ===================================================================
[Description (
" FilterEntryBase is an abstract class to define the naming "
"of all filter entries, and to allow their common "
"aggregation into FilterLists. The FilterEntry subclass "
"represents packet filtering. Other types of Entries are "
"possible - for example, to filter security credentials. \n"
" FilterEntryBase is weak to the network device (e.g., the "
"ComputerSystem) that contains it. Hence, the ComputerSystem "
"keys are propagated to this class.") ]
class CIM_FilterEntryBase : CIM_LogicalElement
{
[Propagated ("CIM_ComputerSystem.CreationClassName"), Key,
MaxLen (256),
Description (
"The scoping ComputerSystem's CreationClassName. ") ]
string SystemCreationClassName;
[Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256),
Description (
"The scoping ComputerSystem's Name.") ]
string SystemName;
[Key, MaxLen (256),
Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Key, MaxLen (256),
Description (
"The Name property defines the label by which the Filter"
"Entry is known and uniquely identified.") ]
string Name;
[Description (
"Boolean indicating that the match condition described "
"in the properties of the FilterEntryBase subclass "
"should be negated.") ]
boolean IsNegated;
};
// ==================================================================
// FilterEntry
// ==================================================================
[Description (
"A FilterEntry is used by network devices to identify "
Jason, et al Expires September 2001 [Page 108]
Internet Draft IPsec Configuration Policy Model March 2001
"traffic and either forward them (with possibly further "
"processing) to their destination, or to deny their "
"forwarding. They are the building block of FilterLists."
"\n\n"
"This class is oriented towards packet filtering. Other "
"subclasses of FilterEntryBase can be defined to do other "
"types of filtering. "
"\n\n"
"A FilterEntry is weak to the network device (e.g., the "
"ComputerSystem) that contains it. Hence, the ComputerSystem "
"keys are propagated to this class.") ]
class CIM_FilterEntry : CIM_FilterEntryBase
{
[Description (
"This defines the type of traffic that is being filtered. "
"This will affect the filtering rules in the MatchCondition "
"property of this class."),
ValueMap { "0", "1", "2", "3" },
Values { "Unknown", "IPv4", "IPX", "IPv6" } ]
uint16 TrafficType;
[Description (
"This specifies one of a set of ways to identify traffic. "
"if the value is 1 (e.g., 'Other'), then the specific "
"type of filtering is specified in the "
"OtherMatchConditionType property of this class."),
ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9",
"10", "11", "12" },
Values {"Other", "Source Address and Mask",
"Destination Address and Mask", "Source Port",
"Source Port Range", "Destination Port",
"Destination Port Range", "Protocol Type",
"Protocol Type and Option", "DSCP", "ToS Value",
"802.1P Priority Value" },
ModelCorrespondence {
"CIM_FilterEntry.OtherMatchConditionType" } ]
uint16 MatchConditionType;
[Description (
"If the value of the MatchConditionType property in this "
"class is 1 (e.g., 'Other'), then the specific type of "
"filtering is specified in this property."),
ModelCorrespondence {
"CIM_FilterEntry.MatchConditionType" } ]
string OtherMatchConditionType;
[Description (
"This is the value of the condition that filters the "
"traffic. It corresponds to the condition specified in the "
"MatchConditionType property. If, however, the value of the "
"MatchConditionProperty is 1, then it corresponds to the "
"condition specified in the OtherMatchConditionType "
"property.") ]
string MatchConditionValue;
[Description (
Jason, et al Expires September 2001 [Page 109]
Internet Draft IPsec Configuration Policy Model March 2001
"This defines whether the action should be to forward or "
"deny traffic meeting the match condition specified in "
"this filter."),
ValueMap { "1", "2" },
Values { "Permit", "Deny" } ]
uint16 Action;
[Description (
"This defines whether this FilterEntry is the default "
"entry to use by its FilterList.") ]
boolean DefaultFilter;
[Description (
"This defines the traffic class that is being matched by "
"this FilterEntry. Note that FilterEntries are aggregated "
"into FilterLists by the EntriesInFilterList "
"relationship. If the EntrySequence property of the "
"aggregation is set to 0, this means that all the Filter"
"Entries should be ANDed together. Consequently, the "
"TrafficClass property of each of the aggregated Entries "
"should be set to the same value."),
ModelCorrespondence { "CIM_NextService.TrafficClass" } ]
string TrafficClass;
};
// ==================================================================
// FilterList
// ==================================================================
[Description (
"A FilterList is used by network devices to identify routes "
"by aggregating a set of FilterEntries into a unit, called a "
"FilterList. FilterLists can also be used to accept or deny "
"routing updates."
"\n\n"
"A FilterList is weak to the network device (e.g., the "
"ComputerSystem) that contains it. Hence, the ComputerSystem "
"keys are propagated to this class.") ]
class CIM_FilterList : CIM_LogicalElement
{
[Propagated ("CIM_ComputerSystem.CreationClassName"), Key,
MaxLen (256), Description (
"The scoping ComputerSystem's CreationClassName. ") ]
string SystemCreationClassName;
[Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256),
Description ("The scoping ComputerSystem's Name.") ]
string SystemName;
[Key, Description (
"The type of class that this instance is.") ]
string CreationClassName;
[Key, MaxLen(256), Description (
"This is the name of the FilterList.") ]
string Name;
Jason, et al Expires September 2001 [Page 110]
Internet Draft IPsec Configuration Policy Model March 2001
[Description (
"This defines whether the FilterList is used "
"for input, output, or both input and output "
"filtering. All values are used with respect to "
"the interface for which the FilterList applies. "
"\n\n"
"\"Not Applicable\" (0) is used when there is no "
"direction applicable to the FilterList.\n"
"\"Input\" (1) is used when the FilterList applies "
"to packets that are inbound on the related "
"interface.\n"
"\"Output\" (2) is used when the FilterList applies "
"to packets that are outbound on the related "
"interface.\n"
"\"Both\" (3) is used to indicate that "
"the direction is immaterial, e.g., to filter on "
"a source subnet regardless of whether the flow is "
"inbound or outbound.\n"
"\"Mirrored\" (4) is also applicable to "
"both inbound and outbound flow processing, but "
"indicates that the filter criteria are applied "
"asymmetrically to traffic in both directions "
"and, thus, specifies the reversal of source and "
"destination criteria (as opposed to the equality "
"of these criteria as indicated by \"Both\"). "
"The match conditions in the aggregated "
"FilterEntryBase subclass instances are defined "
"from the perspective of outbound flows and applied "
"to inbound flows as well by reversing the source "
"and destination criteria. So, for example, "
"consider a FilterList with 3 FilterEntries "
"indicating destination port = 80, and source and "
"destination addresses of a and b, respectively. "
"Then, for the outbound direction, the filter "
"entries match as specified and the 'mirror' (for "
"the inbound direction) matches on source "
"port = 80 and source and destination addresses "
"of b and a, respectively."),
Values {"Not Applicable", "Input", "Output",
"Both", "Mirrored" } ]
uint16 Direction;
};
// ==================================================================
// === Association class definitions ===
// ==================================================================
// ==================================================================
// EntriesInFilterList
// ==================================================================
[Association, Aggregation, Description (
"This is a specialization of the CIM_Component aggregation "
Jason, et al Expires September 2001 [Page 111]
Internet Draft IPsec Configuration Policy Model March 2001
"which is used to define a set of filter entries (subclasses "
"of FilterEntryBase) that are aggregated by a particular "
"FilterList.") ]
class CIM_EntriesInFilterList : CIM_Component
{
[Aggregate, Max(1), Override ("GroupComponent"),
Description (
"The FilterList, which aggregates the set "
"of FilterEntries.") ]
CIM_FilterList REF GroupComponent;
[Override ("PartComponent"),
Description (
"Any subclass of FilterEntryBase which is a part of "
"the FilterList.") ]
CIM_FilterEntryBase REF PartComponent;
[Description (
"The order of the Entry relative to all others in the "
"FilterList. A value of zero indicates that all the Entries "
"should be ANDed together. Use of the Sequence property "
"should be consistent across the List. It is not valid to "
"define some Entries as ANDed in the FilterList (Sequence"
"=0) while other Entries have a non-zero Sequence number.") ]
uint16 EntrySequence;
};
Jason, et al Expires September 2001 [Page 112]