Internet Engineering Task Force                          Jamie Jason
   INTERNET DRAFT                                     Intel Corporation
   November-2001                                            Lee Rafalow
                                                                    IBM
                                                            Eric Vyncke
                                                          Cisco Systems


                     IPsec Configuration Policy Model
                draft-ietf-ipsp-config-policy-model-04.txt


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
         http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
         http://www.ietf.org/shadow.html.

Abstract

   This document presents an object-oriented model of IPsec policy
   designed to:
   o    facilitate agreement about the content and semantics of IPsec
        policy
   o    enable derivations of task-specific representations of IPsec
        policy such as storage schema, distribution representations,
        and policy specification languages used to configure IPsec-
        enabled endpoints
   The schema described in this document models the IKE phase one
   parameters as described in [IKE] and the IKE phase two parameters
   for the IPsec Domain of Interpretation as described in [COMP, ESP,
   AH, DOI].  It is based upon the core policy classes as defined in
   the Policy Core Information Model (PCIM) [PCIM] and on the Policy
   Core Information Model Extensions (PCIMe) [PCIME].









Jason, et al                                                  [Page 1]


Internet Draft     IPsec Configuration Policy Model      November 2001


Table of Contents

   Status of this Memo................................................1
   Abstract...........................................................1
   Table of Contents..................................................2
   1. Introduction....................................................7
   2. UML Conventions.................................................7
   3. IPsec Policy Model Inheritance Hierarchy........................8
   4. Policy Classes.................................................13
   4.1. The Class IPsecPolicyGroup...................................14
   4.2. The Class SARule.............................................15
   4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
   RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
   PolicyDecisionStrategy............................................15
   4.2.2 The Property ExecutionStrategy.............................16
   4.2.3  The Property LimitNegotiation..............................17
   4.3. The Class IKERule............................................18
   4.3.1. The Property IdentityContexts..............................18
   4.4. The Class IPsecRule..........................................19
   4.6. The Association Class IPsecPolicyForEndpoint.................19
   4.6.1. The Reference Antecedent...................................20
   4.6.2. The Reference Dependent....................................20
   4.7. The Association Class IPsecPolicyForSystem...................20
   4.7.1. The Reference Antecedent...................................20
   4.7.2. The Reference Dependent....................................20
   4.8. The Aggregation Class RuleForIKENegotiation..................21
   4.8.1. The Property Priority......................................21
   4.8.2. The Reference GroupComponent...............................21
   4.8.3. The Reference PartComponent................................21
   4.9. The Aggregation Class RuleForIPsecNegotiation................21
   4.9.1. The Property Priority......................................21
   4.9.2. The Reference GroupComponent...............................22
   4.9.3. The Reference PartComponent................................22
   4.10. The Aggregation Class SAConditionInRule.....................22
   4.10.1. The Properties GroupNumber and ConditionNegated...........22
   4.10.2. The Reference GroupComponent..............................22
   4.10.3. The Reference PartComponent...............................22
   4.11. The Aggregation Class PolicyActionInSARule..................22
   4.11.1. The Reference GroupComponent..............................23
   4.11.2. The Reference PartComponent...............................23
   4.11.3. The Property ActionOrder..................................23
   5. Condition and Filter Classes...................................24
   5.1. The Class SACondition........................................24
   5.2. The Class IPHeaderFilter.....................................25
   5.3. The Class CredentialFilterEntry..............................25
   5.3.1. The Property MatchFieldName................................25
   5.3.2. The Property MatchFieldValue...............................26
   5.3.3. The Property CredentialType................................26
   5.4. The Class IPSOFilterEntry....................................26
   5.4.1. The Property MatchConditionType............................27
   5.4.2. The Property MatchConditionValue...........................27
   5.5. The Class PeerIDPayloadFilterEntry...........................27
   5.5.1. The Property MatchIdentityType.............................28

Jason, et al               Expires May-2002                   [Page 2]


Internet Draft     IPsec Configuration Policy Model      November 2001


   5.5.2. The Property MatchIdentityValue............................28
   5.6. The Association Class FilterOfSACondition....................29
   5.6.1. The Reference Antecedent...................................29
   5.6.2. The Reference Dependent....................................29
   5.7. The Association Class AcceptCredentialFrom...................29
   5.7.1. The Reference Antecedent...................................30
   5.7.2. The Reference Dependent....................................30
   6. Action Classes.................................................31
   6.1. The Class SAAction...........................................32
   6.1.1. The Property DoActionLogging...............................32
   6.1.2. The Property DoPacketLogging...............................32
   6.2. The Class SAStaticAction.....................................33
   6.2.1. The Property LifetimeSeconds...............................33
   6.3. The Class IPsecBypassAction..................................34
   6.4. The Class IPsecDiscardAction.................................34
   6.5. The Class IKERejectAction....................................34
   6.6. The Class PreconfiguredSAAction..............................34
   6.6.1. The Property LifetimeKilobytes.............................35
   6.7. The Class PreconfiguredTransportAction.......................35
   6.8. The Class PreconfiguredTunnelAction..........................36
   6.8.1. The Property DFHandling....................................36
   6.9. The Class SANegotiationAction................................36
   6.10. The Class IKENegotiationAction..............................37
   6.10.1. The Property MinLifetimeSeconds...........................37
   6.10.2. The Property MinLifetimeKilobytes.........................37
   6.10.3. The Property RefreshThresholdSeconds......................38
   6.10.4. The Property RefreshThresholdKilobytes....................38
   6.10.5. The Property IdleDurationSeconds..........................38
   6.11. The Class IPsecAction.......................................39
   6.11.1. The Property UsePFS.......................................39
   6.11.2. The Property UseIKEGroup..................................39
   6.11.3. The Property GroupId......................................40
   6.11.4. The Property Granularity..................................40
   6.11.5. The Property VendorID.....................................40
   6.12. The Class IPsecTransportAction..............................41
   6.13. The Class IPsecTunnelAction.................................41
   6.13.1. The Property DFHandling...................................41
   6.14. The Class IKEAction.........................................41
   6.14.1. The Property RefreshThresholdDerivedKeys..................42
   6.14.2. The Property ExchangeMode.................................42
   6.14.3. The Property UseIKEIdentityType...........................42
   6.14.4. The Property VendorID.....................................43
   6.14.5. The Property AggressiveModeGroupId........................43
   6.15. The Class PeerGateway.......................................43
   6.15.1. The Property Name.........................................43
   6.15.2. The Property PeerIdentityType.............................44
   6.15.3. The Property PeerIdentity.................................44
   6.16. The Association Class PeerGatewayForTunnel..................44
   6.16.1. The Reference Antecedent..................................45
   6.16.2. The Reference Dependent...................................45
   6.16.3. The Property SequenceNumber...............................45
   6.17. The Aggregation Class ContainedProposal.....................45
   6.17.1. The Reference GroupComponent..............................46

Jason, et al               Expires May-2002                   [Page 3]


Internet Draft     IPsec Configuration Policy Model      November 2001


   6.17.2. The Reference PartComponent...............................46
   6.17.3. The Property SequenceNumber...............................46
   6.18. The Association Class HostedPeerGatewayInformation..........46
   6.18.1. The Reference Antecedent..................................46
   6.18.2. The Reference Dependent...................................47
   6.19. The Association Class TransformOfPreconfiguredAction........47
   6.19.1. The Reference Antecedent..................................47
   6.19.2. The Reference Dependent...................................47
   6.19.3. The Property SPI..........................................47
   6.19.4. The Property Direction....................................48
   6.20 The Association Class PeerGatewayForPreconfiguredTunnel......48
   6.20.1. The Reference Antecedent..................................48
   6.20.2. The Reference Dependent...................................48
   7. Proposal and Transform Classes.................................49
   7.1. The Abstract Class SAProposal................................49
   7.1.1. The Property Name..........................................49
   7.2. The Class IKEProposal........................................50
   7.2.1. The Property LifetimeDerivedKeys...........................50
   7.2.2. The Property CipherAlgorithm...............................50
   7.2.3. The Property HashAlgorithm.................................51
   7.2.4. The Property PRFAlgorithm..................................51
   7.2.5. The Property GroupId.......................................51
   7.2.6. The Property AuthenticationMethod..........................51
   7.2.7. The Property MaxLifetimeSeconds............................52
   7.2.8. The Property MaxLifetimeKilobytes..........................52
   7.2.9. The Property VendorID......................................52
   7.3. The Class IPsecProposal......................................52
   7.4. The Abstract Class SATransform...............................53
   7.4.1. The Property TransformName.................................53
   7.4.2. The Property VendorID......................................53
   7.4.3. The Property MaxLifetimeSeconds............................53
   7.4.4. The Property MaxLifetimeKilobytes..........................54
   7.5. The Class AHTransform........................................54
   7.5.1. The Property AHTransformId.................................54
   7.5.2. The Property UseReplayPrevention...........................54
   7.5.3. The Property ReplayPreventionWindowSize....................55
   7.6. The Class ESPTransform.......................................55
   7.6.1. The Property IntegrityTransformId..........................55
   7.6.2. The Property CipherTransformId.............................55
   7.6.3. The Property CipherKeyLength...............................56
   7.6.4. The Property CipherKeyRounds...............................56
   7.6.5. The Property UseReplayPrevention...........................56
   7.6.6. The Property ReplayPreventionWindowSize....................56
   7.7. The Class IPCOMPTransform....................................57
   7.7.1. The Property Algorithm.....................................57
   7.7.2. The Property DictionarySize................................57
   7.7.3. The Property PrivateAlgorithm..............................57
   7.8. The Association Class SAProposalInSystem.....................57
   7.8.1. The Reference Antecedent...................................58
   7.8.2. The Reference Dependent....................................58
   7.9. The Aggregation Class ContainedTransform.....................58
   7.9.1. The Reference GroupComponent...............................58
   7.9.2. The Reference PartComponent................................59

Jason, et al               Expires May-2002                   [Page 4]


Internet Draft     IPsec Configuration Policy Model      November 2001


   7.9.3. The Property SequenceNumber................................59
   7.10. The Association Class SATransformInSystem...................59
   7.10.1. The Reference Antecedent..................................59
   7.10.2. The Reference Dependent...................................59
   8. IKE Service and Identity Classes...............................61
   8.1. The Class IKEService.........................................62
   8.2. The Class PeerIdentityTable..................................62
   8.3.1. The Property Name..........................................62
   8.3. The Class PeerIdentityEntry..................................63
   8.3.1. The Property PeerIdentity..................................63
   8.3.2. The Property PeerIdentityType..............................63
   8.3.3. The Property PeerAddress...................................63
   8.3.4. The Property PeerAddressType...............................63
   8.4. The Class AutostartIKEConfiguration..........................64
   8.5. The Class AutostartIKESetting................................64
   8.5.1. The Property Phase1Only....................................64
   8.5.2. The Property AddressType...................................65
   8.5.3. The Property SourceAddress.................................65
   8.5.4. The Property SourcePort....................................65
   8.5.5. The Property DestinationAddress............................65
   8.5.6. The Property DestinationPort...............................66
   8.5.7. The Property Protocol......................................66
   8.6. The Class IKEIdentity........................................66
   8.6.1. The Property IdentityType..................................67
   8.6.2. The Property IdentityValue.................................67
   8.6.3. The Property IdentityContexts..............................67
   8.7. The Association Class HostedPeerIdentityTable................68
   8.7.1. The Reference Antecedent...................................68
   8.7.2. The Reference Dependent....................................68
   8.8. The Aggregation Class PeerIdentityMember.....................68
   8.8.1. The Reference Collection...................................68
   8.8.2. The Reference Member.......................................69
   8.9. The Association Class IKEServicePeerGateway..................69
   8.9.1. The Reference Antecedent...................................69
   8.9.2. The Reference Dependent....................................69
   8.10. The Association Class IKEServicePeerIdentityTable...........69
   8.10.1. The Reference Antecedent..................................70
   8.10.2. The Reference Dependent...................................70
   8.11. The Association Class IKEAutostartSetting...................70
   8.11.1. The Reference Element.....................................70
   8.11.2. The Reference Setting.....................................70
   8.12. The Aggregation Class AutostartIKESettingContext............70
   8.12.1. The Reference Context.....................................71
   8.12.2. The Reference Setting.....................................71
   8.12.3. The Property SequenceNumber...............................71
   8.13. The Association Class IKEServiceForEndpoint.................71
   8.13.1. The Reference Antecedent..................................72
   8.13.2. The Reference Dependent...................................72
   8.14. The Association Class IKEAutostartConfiguration.............72
   8.14.1. The Reference Antecedent..................................72
   8.14.2. The Reference Dependent...................................72
   8.14.3. The Property Active.......................................72
   8.15. The Association Class IKEUsesCredentialManagementService....73

Jason, et al               Expires May-2002                   [Page 5]


Internet Draft     IPsec Configuration Policy Model      November 2001


   8.15.1. The Reference Antecedent..................................73
   8.15.2. The Reference Dependent...................................73
   8.16. The Association Class EndpointHasLocalIKEIdentity...........73
   8.16.1. The Reference Antecedent..................................74
   8.16.2. The Reference Dependent...................................74
   8.17. The Association Class CollectionHasLocalIKEIdentity.........74
   8.17.1. The Reference Antecedent..................................74
   8.17.2. The Reference Dependent...................................74
   8.18. The Association Class IKEIdentitysCredential................75
   8.18.1. The Reference Antecedent..................................75
   8.18.2. The Reference Dependent...................................75
   9. Implementation Requirements....................................75
   10. Security Considerations.......................................79
   11. Intellectual Property.........................................80
   12. Acknowledgments...............................................80
   13. References....................................................80
   14. Disclaimer....................................................81
   15. Authors' Addresses............................................82
   16. Full Copyright Statement......................................82



































Jason, et al               Expires May-2002                   [Page 6]


Internet Draft     IPsec Configuration Policy Model      November 2001


1. Introduction

   Internet Protocol security (IPsec) policy may assume a variety of
   forms as it travels from storage to distribution point to decision
   point.  At each step, it needs to be represented in a way that is
   convenient for the current task.  For example, the policy could
   exist as, but is not limited to:

   o   a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
       a directory
   o   an on-the-wire representation over a transport protocol like the
       Common Object Policy Service (COPS) [COPS, COPSPR]
   o   a text-based policy specification language suitable for editing
       by an administrator
   o   an Extensible Markup Language (XML) document

   Each of these task-specific representations should be derived from a
   canonical representation that precisely specifies the content and
   semantics of the IPsec policy.  The purpose of this document is to
   abstract IPsec policy into a task-independent representation that is
   not constrained by any particular task-dependent representation.

   This document is organized as follows:

   o   Section 2 provides a quick introduction to the Unified Modeling
       Language (UML) graphical notation conventions used in this
       document.

   o   Section 3 provides the inheritance hierarchy that describes
       where the IPsec policy classes fit into the policy class
       hierarchy already defined by the Policy Core Information Model
       (PCIM) and Policy Core Information Model Extensions (PCIMe).

   o   Sections 4 through 8 describes the class that make up the IPsec
       policy model.

   o   Section 9 presents the implementation requirements for the
       classes in the model (i.e., the MUST/MAY/SHOULD status).

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

   For this document, a UML static class diagram was chosen as the
   canonical representation for the IPsec policy model.  The reason
   behind this decision is that UML provides a graphical, task-
   independent way to model systems.  A treatise on the graphical
   notation used in UML is beyond the scope of this paper.  However,
   given the use of ASCII drawing for UML static class diagrams, a
   description of the notational conventions used in this document is
   in order:

Jason, et al               Expires May-2002                   [Page 7]


Internet Draft     IPsec Configuration Policy Model      November 2001



   o   Boxes represent classes, with class names in brackets ([])
       representing an abstract class.
   o   A line that terminates with an arrow (<, >, ^, v) denotes
       inheritance.  The arrow always points to the parent class.
       Inheritance can also be called generalization or specialization
       (depending upon the reference point).  A base class is a
       generalization of a derived class, and a derived class is a
       specialization of a base class.
   o   Associations are used to model a relationship between two
       classes.  Classes that share an association are connected using
       a line.  A special kind of association is also used:  an
       aggregation.  An aggregation models a whole-part relationship
       between two classes.  Associations, and therefore aggregations,
       can also be modeled as classes.
   o   A line that begins with an "o" denotes aggregation.  Aggregation
       denotes containment in which the contained class and the
       containing class have independent lifetimes.
   o   Next to a line representing an association appears a
       cardinality.  Cardinalities indicate the constraints on the
       number of object instances in a set of relationships.  Every
       association instance has a single set of references.  The
       cardinality indicates the number of instances that may refer to
       a given object instance.  The cardinality may be:
       - a range in the form "lower bound..upper bound" indicating the
       minimum and maximum number of objects.
       - a number that indicates the exact number of objects.
       - an asterisk indicating any number of objects, including zero.
       Using an asterisk is shorthand for 0..n.
       - the letter n indicating from 1 to many.  Using the letter n is
       shorthand for 1..n.
   o   A class that has an association may have a "w" next to the line
       representing the association.  This is called a weak association
       and is discussed in [PCIM].


   It should be noted that the UML static class diagram presented is a
   conceptual view of IPsec policy designed to aid in understanding.
   It does not necessarily get translated class for class into another
   representation.  For example, an LDAP implementation may flatten out
   the representation to fewer classes (because of the inefficiency of
   following references).

3. IPsec Policy Model Inheritance Hierarchy

   Like PCIM and PCIMe from which it is derived, the IPsec
   Configuration Policy Model derives from and uses classes defined in
   the DMTF [DMTF] Common Information Model (CIM).  The following tree
   represents the inheritance hierarchy for the IPsec policy model
   classes and how they fit into PCIM, PCIMe and the other DMTF models
   (see Appendices for descriptions of classes that are not being
   introduced as part of IPsec model).  CIM classes that are not used
   as a superclass from which to derive new classes but are only
   referenced are not included this inheritance hierarchy, but can be


Jason, et al               Expires May-2002                   [Page 8]


Internet Draft     IPsec Configuration Policy Model      November 2001


   found in the appropriate DMTF document [CIMCORE], [CIMUSER] or
   [CIMNETWORK].

   ManagedElement (DMTF Core Model - [CIMCORE])
   |
   +--Collection (DMTF Core Model - [CIMCORE])
   |  |
   |  +--PeerIdentityTable
   |
   +--ManagedSystemElement (DMTF Core Model - [CIMCORE])
   |  |
   |  +--LogicalElement (DMTF Core Model - [CIMCORE])
   |     |
   |     +--FilterEntryBase (DMTF Network Model - [CIMNETWORK])
   |     |  |
   |     |  +--CredentialFilterEntry
   |     |  |
   |     |  +--IPHeaderFilter (PCIMe)
   |     |  |
   |     |  +--IPSOFilterEntry
   |     |  |
   |     |  +--PeerIDPayloadFilterEntry
   |     |
   |     +--PeerGateway
   |     |
   |     +--PeerIdentityEntry
   |     |
   |     +--Service (DMTF Core Model - [CIMCORE])
   |        |
   |        +--IKEService
   |
   +--OrganizationalEntity (DMTF User Model - [CIMUSER])
   |  |
   |  +--UserEntity (DMTF User Model - [CIMUSER])
   |     |
   |     +--UsersAccess (DMTF User Model - [CIMUSER])
   |        |
   |        +--IKEIdentity
   |
   +--Policy (PCIM)
   |  |
   |  +--PolicyAction (PCIM)
   |  |  |
   |  |  +--CompoundPolicyAction (PCIMe)
   |  |  |
   |  |  +--SAAction
   |  |     |
   |  |     +--SANegotiationAction
   |  |     |  |
   |  |     |  +--IKENegotiationAction
   |  |     |     |
   |  |     |     +--IKEAction
   |  |     |     |

Jason, et al               Expires May-2002                   [Page 9]


Internet Draft     IPsec Configuration Policy Model      November 2001


   |  |     |     +--IPsecAction
   |  |     |        |
   |  |     |        +--IPsecTransportAction
   |  |     |        |
   |  |     |        +--IPsecTunnelAction
   |  |     |
   |  |     +--SAStaticAction
   |  |        |
   |  |        +--IKERejectAction
   |  |        |
   |  |        +--IPsecBypassAction
   |  |        |
   |  |        +--IPsecDiscardAction
   |  |        |
   |  |        +--PreconfiguredSAAction
   |  |           |
   |  |           +--PreconfiguredTransportAction
   |  |           |
   |  |           +--PreconfiguredTunnelAction
   |  |
   |  +--PolicyCondition (PCIM)
   |  |  |
   |  |  +--SACondition
   |  |
   |  +--PolicySet (PCIMe)
   |  |  |
   |  |  +--PolicyGroup (PCIM & PCIMe)
   |  |  |  |
   |  |  |  +--IPsecPolicyGroup
   |  |  |
   |  |  +--PolicyRule (PCIM & PCIMe)
   |  |     |
   |  |     +--SARule
   |  |        |
   |  |        +--IKERule
   |  |        |
   |  |        +--IPsecRule
   |  |
   |  +--SAProposal
   |  |  |
   |  |  +--IKEProposal
   |  |  |
   |  |  +--IPsecProposal
   |  |
   |  +--SATransform
   |     |
   |     +--AHTransform
   |     |
   |     +--ESPTransform
   |     |
   |     +--IPCOMPTransform
   |
   +--Setting (DMTF Core Model - [CIMCORE])

Jason, et al               Expires May-2002                  [Page 10]


Internet Draft     IPsec Configuration Policy Model      November 2001


   |  |
   |  +--SystemSetting (DMTF Core Model - [CIMCORE])
   |     |
   |     +--AutostartIKESetting
   |
   +--SystemConfiguration (DMTF Core Model - [CIMCORE])
      |
      +--AutostartIKEConfiguration

   The following tree represents the inheritance hierarchy of the IPsec
   policy model association classes and how they fit into PCIM and the
   other DMTF models (see Appendices for description of associations
   classes that are not being introduced as part of IPsec model).

   Dependency (DMTF Core Model - [CIMCORE])
   |
   +--AcceptCredentialsFrom
   |
   +--ElementAsUser (DMTF User Model - [CIMUSER])
   |  |
   |  +--EndpointHasLocalIKEIdentity
   |  |
   |  +--CollectionHasLocalIKEIdentity
   |
   +--FilterOfSACondition
   |
   +--HostedPeerGatewayInformation
   |
   +--HostedPeerIdentityTable
   |
   +--IKEAutostartConfiguration
   |
   +--IKEServiceForEndpoint
   |
   +--IKEServicePeerGateway
   |
   +--IKEServicePeerIdentityTable
   |
   +--IKEUsesCredentialManagementService
   |
   +--IPsecPolicyForEndpoint
   |
   +--IPsecPolicyForSystem
   |
   +--PeerGatewayForPreconfiguredTunnel
   |
   +--PeerGatewayForTunnel
   |
   +--PolicyInSystem (PCIM)
   |  |
   |  +--SAProposalInSystem
   |  |
   |  +--SATransformInSystem

Jason, et al               Expires May-2002                  [Page 11]


Internet Draft     IPsec Configuration Policy Model      November 2001


   |
   +--TransformOfPreconfiguredAction
   |
   +--UsersCredential (DMTF User Model - [CIMUSER])
      |
      +--IKEIdentitysCredential

   ElementSetting (DMTF Core Model - [CIMCORE])
   |
   +--IKEAutostartSetting

   MemberOfCollection (DMTF Core Model - [CIMCORE])
   |
   +--PeerIdentityMember

   PolicyComponent (PCIM)
   |
   +--ContainedProposal
   |
   +--ContainedTransform
   |
   +--PolicyActionStructure (PCIMe)
   |  |
   |  +--PolicyActionInPolicyRule (PCIM & PCIMe)
   |     |
   |     +--PolicyActionInSARule
   |
   +--PolicyConditionStructure (PCIMe)
   |  |
   |  +--PolicyConditionInPolicyRule (PCIM & PCIMe)
   |     |
   |     +--SAConditionInRule
   |
   +--PolicySetComponent (PCIMe)
      |
      +--RuleForIKENegotiation
      |
      +--RuleForIPsecNegotiation

   SystemSettingContext (DMTF Core Model - [CIMCORE])
   |
   +--AutostartIKESettingContext












Jason, et al               Expires May-2002                  [Page 12]


Internet Draft     IPsec Configuration Policy Model      November 2001


4. Policy Classes

   The IPsec policy classes represent the set of policies that are
   contained on a system.

                                  +--------------+
                                  |  PolicySet   |*
                                  |  ([PCIMe])   |o--+
                                  +--------------+   |
                                        ^    *|      |(a)
                                        |     +------+
                                        |
     +--------------------+       +-------------+
     | IPProtocolEndpoint |       | PolicyGroup |
     |   ([CIMNETWORK])   |       |  ([PCIM])   |
     +--------------------+       +-------------+
              |*                        ^
              +-----------------+       |
                                |(b)    |
                                |       |
                                |0..1   |
                          +------------------+0..1 (c)  *+------------+
                          | IPsecPolicyGroup |-----------|   System   |
                          +------------------+           | ([CIMCORE])|
                            1 o          o 1             +------------+
                (d)           |          |         (e)
      +-----------------------+          +--------------------------+
      |                                                             |
      |               +---------------------------+                 |
      |               | PolicyTimePeriodCondition |                 |
      |               |         ([PCIM])          |                 |
      |               +---------------------------+                 |
      |                           *|                                |
      |                            |(f)                             |
      |                           *o                                |
      |  +-------------+n     *+--------+*      n+--------------+   |
      |  | SACondition |------o| SARule |o-------| PolicyAction |   |
      |  +-------------+ (g)   +--------+    (h) |   ([PCIM])   |   |
      |                            ^             +--------------+   |
      |                            |               *|        ^      |
      |                            |                |(i)     |      |
      |                            |               *o        |      |
      |          +-----------------+       +----------------------+ |
      |          |                 |       | CompoundPolicyAction | |
      |          |                 |       |       ([PCIMe])      | |
      |          |                 |       +----------------------+ |
      |    *+---------+     +-----------+*                          |
      +-----| IKERule |     | IPsecRule |---------------------------+
            +---------+     +-----------+

   (a)  PolicySetComponent ([PCIMe])
   (b)  IPsecPolicyForEndpoint
   (c)  IPsecPolicyForSystem

Jason, et al               Expires May-2002                  [Page 13]


Internet Draft     IPsec Configuration Policy Model      November 2001


   (d)  RuleForIKENegotiation
   (e)  RuleForIPsecNegotiation
   (f)  PolicyRuleValidityPeriod ([PCIM])
   (g)  SAConditionInRule
   (h)  PolicyActionInSARule
   (i)  PolicyActionInPolicyAction ([PCIMe])

   An IPsecPolicyGroup represents the set of policies that are used on
   an interface.   This IPsecPolicyGroup SHOULD be associated either
   directly with the IPProtocolEndpoint class instance that represents
   the interface (via the IPsecPolicyForEndpoint association) or
   indirectly (via the IPsecPolicyForSystem association) associated
   with the System that hosts the interface.

   The IKE and IPsec rules are used to build or to negotiate the IPsec
   SADB. The IPsec rules represent the Security Policy Database. The
   SADB itself is not modeled by this document.

   The rules usage can be described as (see also section 6 about
   actions):

   o   an egress unprotected packet will first be checked against the
       IPsec rules. If a match is found, the SADB will be checked. If
       there is no corresponding IPsec SA in the SADB and if IKE
       negotiation is required by the IPsec rule, the corresponding IKE
       rules will be used. The negotiated or preconfigured SA will then
       be installed in the SADB.
   o   An ingress unprotected packet will first be checked against the
       IPsec rules. If a match is found, the SADB will be checked for a
       corresponding IPsec SA. If there is no corresponding IPsec SA
       and a preconfigured SA exists, this preconfigured SA will be
       installed in the IPsec SADB. This behavior should only apply to
       bypass and discard actions.
   o   An ingress protected packet will first be checked against the
       IPsec rules. If a match is found, the SADB will be checked for a
       corresponding IPsec SA. If there is no corresponding IPsec SA
       and a preconfigured SA exists, this preconfigured SA will be
       installed in the IPsec SADB.
   o   An ingress IKE negotiation packet, which is not part of an
       existing IKE SA, will be checked against the IKE rules. The
       negotiated SA will then be installed in the SADB.

4.1. The Class IPsecPolicyGroup

   The class IPsecPolicyGroup serves as a container of either other
   IPsecPolicyGroups or a set of IKERules and a set of IPsecRules.  The
   class definition for IPsecPolicyGroup is as follows:

   NAME         IPsecPolicyGroup
   DESCRIPTION  Either a set of IPsecPolicyGroups or a set of IKERules
                and a set of IPsecRules.
   DERIVED FROM PolicyGroup (see [PCIM] & [PCIMe])
   ABSTRACT     FALSE

Jason, et al               Expires May-2002                  [Page 14]


Internet Draft     IPsec Configuration Policy Model      November 2001


   PROPERTIES   PolicyGroupName (from PolicyGroup)
                PolicyDescisionStrategy (from PolicySet)


   NOTE:  for derivations of the schema that are used for policy
   distribution to an IPsec device (for example, COPS-PR), the server
   may follow all of PolicySetComponent associations and create one
   policy group which is simply a set of all of the IKE rules and a set
   of all of the IPsec rules.  See the section on the
   PolicySetComponent aggregation for information on merging multiple
   IPsecPolicyGroups.

4.2. The Class SARule

   The class SARule serves as a base class for IKERule and IPsecRule.
   Even though the class is concrete, it MUST not be instantiated.  It
   defines a common connection point for associations to conditions and
   actions for both types of rules.  Through its derivation from
   PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
   the PolicyRuleValidityPeriod association.

   Each valid IpsecPolicyGroup MUST contain SARules that each have a
   unique associated priority number in PolicySetComponent.Priority.
   The class definition for SARule is as follows:

   NAME         SARule
   DESCRIPTION  A base class for IKERule and IPsecRule.
   DERIVED FROM PolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT     FALSE
   PROPERTIES   PolicyRuleName (from PolicyRule)
                Enabled (from PolicyRule)
                ConditionListType (from PolicyRule)
                RuleUsage (from PolicyRule)
                Mandatory (from PolicyRule)
                SequencedActions (from PolicyRule)
                ExecutionStrategy (from PolicyRule)
                PolicyRoles (from PolicyRule)
                PolicyDecisionStrategy (from PolicySet)
                LimitNegotiation

4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
PolicyDecisionStrategy

   For a description of these properties, see [PCIM] and [PCIME].

   In SARule subclass instances:
   - if the property Mandatory exists, it MUST be set to "true"
   - if the property SequencedActions exists, it MUST be set to
   "mandatory"
   - the property PolicyRoles is not used in the device-level model
   - if the property PolicyDecisionStrategy exists, it must be set to
   "FirstMatching"

Jason, et al               Expires May-2002                  [Page 15]


Internet Draft     IPsec Configuration Policy Model      November 2001



4.2.2  The Property ExecutionStrategy

   The ExecutionStrategy properties in the PolicyRule subclasses (and
   in the CompoundPolicyAction class) determine the behavior of the
   contained actions.  It defines the strategy to be used in executing
   the sequenced actions aggregated by a rule or a compound action. In
   the case of actions within a rule, the PolicyActionInSARule
   aggregation is used to collect the actions into an ordered set; in
   the case of a compound action, the PolicyActionInPolicyAction
   aggregation is used to collect the actions into an ordered subset.

   There are three execution strategies: do until success, do all and
   do until failure.

   "Do Until Success" causes the execution of actions according to the
   ActionOrder property in the aggregation instances until a successful
   execution of a single action.  These actions may be evaluated to
   determine if they are appropriate to execute rather than blindly
   trying each of the actions until one succeeds.  For an initiator,
   they are tried in the ActionOrder until the list is exhausted or one
   completes successfully.  For example, an IKE initiator may have
   several IKEActions for the same SACondition. The initiator will try
   all IKEActions in the order defined by ActionOrder.  I.e. it will
   possibly try several phase 1 negotiations possibly with different
   modes (main mode then aggressive mode) and/or with possibly multiple
   IKE peers.  For a responder, when there is more than one action in
   the rule with "do until success" condition clause this provides
   alternative actions depending on the received proposals.  For
   example, the same IKERule may be used to handle aggressive mode and
   main mode negotiations with different actions.  The responder uses
   the first appropriate action in the list of actions.

   "Do All" causes the execution all of the actions in aggregated set
   according to their defined order. The execution continues regardless
   of failures.

   "Do Until Failure" causes the execution of all actions according to
   predefined order until the first failure in execution of an action
   instance.

   For example, in a nested SAs case the actions of an initiator's rule
   might be structured as:

   IPsecRule.ExecutionStrategy='Do All'
   |
   +---1--- IPsecTunnelAction    // set up SA from host to gateway
   |
   +---2--- IPsecTransportAction // set up SA from host through
                                 // tunnel to remote host

   Another example, showing a rule with fallback actions might be
   structured as:

Jason, et al               Expires May-2002                  [Page 16]


Internet Draft     IPsec Configuration Policy Model      November 2001



   IPsecRule.ExecutionStrategy='Do Until Success'
   |
   +---6--- IPsecTransportAction // negotiate SA with peer
   |
   +---9--- IPsecBypassAction    // but if you must, allow in the clear

   The CompoundPolicyAction class (See [PCIME]) may be used in
   constructing the actions of IKE and IPsec rules when those rules
   specify both multiple actions and fallback actions.  The
   ExecutionStrategy property in CompoundPolicyAction is used in
   conjunction with that in the PolicyRule.

   For example, in nesting SAs with a fallback security gateway, the
   actions of a rule might be structured as:

   IPsecRule.ExecutionStrategy='Do All'
   |
   +---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success'
   |        |
   |        +---1--- IPsecTunnelAction  // set up SA from host to
   |        |                           // gateway1
   |        |
   |        +---2--- IPsecTunnelAction  // or set up SA to gateway2
   |
   +---2--- IPsecTransportAction        // then set up SA from host
                                        // through tunnel to remote
                                        // host

   In the case of "Do All", a couple of actions can be executed
   successfully before a subsequent action fails. In this case, some
   IKE or IPsec actions may have resulted in SA creation. Even if the
   net effect of the aggregated actions is failure, those created SA
   MAY be kept or MAY be deleted.

   In the case of "Do All", the IPsec selectors to be used during IPsec
   SA negotiation are:

   for the last IPsecAction of the aggregation (i.e. usually the
   innermost IPsec SA): this is the combination of the IPHeadersFilter
   class and of the Granularity property of the IpsecAction;

   for all other IPsecActions of the aggregation: the selector is the
   source IP address being the local IP address and the destination IP
   address being the PeerGateway IP address of the following
   IPsecAction of the "Do All" aggregation. NB: the granularity is IP
   address to IP address.

   If the above behavior is not desirable, the alternative is to define
   several SARules one for each IPsec SA to be built. This will allow
   the definition of specific IPsec selectors for all IpsecActions.

4.2.3  The Property LimitNegotiation

Jason, et al               Expires May-2002                  [Page 17]


Internet Draft     IPsec Configuration Policy Model      November 2001



   The property LimitNegotiation is used as part of processing either
   an IKE or an IPsec rule.

   Before proceeding with a phase 1 negotiation, this property is
   checked to determine if the negotiation role of the rule matches
   that defined for the negotiation being undertaken (e.g., Initiator,
   Responder, or Both). If this check fails (e.g. the current role is
   IKE responder while the rule specifies IKE initiator), then the IKE
   negotiation is stopped. Note that this only applies to new IKE phase
   1 negotiations and has no effect on either renegotiation or refresh
   operations with peers for which an established SA already exists.

   Before proceeding with a phase 2 negotiation, the LimitNegotiation
   property of the IPsecRule is first checked to determine if the
   negotiation role indicated for the rule matches that of the current
   negotiation (Initiator, Responder, or Either).  Note that this limit
   applies only to new phase 2 negotiations.  It is ignored when an
   attempt is made to refresh an expiring SA (either side can initiate
   a refresh operation).  The IKE system can determine that the
   negotiation is a refresh operation by checking to see if the
   selector information matches that of an existing SA. If
   LimitNegotiation does not match and the selector corresponds to a
   new SA, the negotiation is stopped.

   The property is defined as follows:

   NAME         LimitNegotiation
   DESCRIPTION  Limits the role to be undertaken during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - initiator-only
                2 - responder-only
                3 - both

4.3. The Class IKERule

   The class IKERule associates Conditions and Actions for IKE phase 1
   negotiations.  The class definition for IKERule is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 1
                negotiations.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule, plus
                IdentityContexts

4.3.1. The Property IdentityContexts

   The IKE service of a security endpoint may have multiple identities
   for use in different situations.  The combination of the interface
   (represented by the IPProtocolEndpoint), the identity type (as


Jason, et al               Expires May-2002                  [Page 18]


Internet Draft     IPsec Configuration Policy Model      November 2001


   specified in the IKEAction) and the IdentityContexts specifies a
   unique identity.

   The IdentityContexts property specifies the context to select the
   relevant IKE identity to be used during the further IKEAction.  A
   context may be a VPN name or other identifier for selecting the
   appropriate identity for use on the protected IPProtocolEndpoint.

   IdentityContexts is an array of strings.  The multiple values in the
   array are ORed together in evaluating the IdentityContexts.  Each
   value in the array may be the composition of multiple context names.
   So, a single value may be a single context name (e.g.,
   "CompanyXVPN") or it may be combination of contexts.  When an array
   value is a composition, the individual values are ANDed together for
   evaluation purposes and the syntax is:

        <ContextName>[&&<ContextName>]*

   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2).  So, for example,
   the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
   "CompanyZVPN&&Confidential" means that, for the appropriate
   IPProtocolEndpoint and IdentityType, the contexts are matched if the
   identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
   "CompanyZVPN&&Confidential".

   The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  Specifies the context in which to select the IKE
                identity.
   SYNTAX       string array

4.4. The Class IPsecRule

   The class IPsecRule associates Conditions and Actions for IKE phase
   2 negotiations for the IPsec DOI.  The class definition for
   IPsecRule is as follows:

   NAME         IPsecRule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 2
                negotiations for the IPsec DOI.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.6. The Association Class IPsecPolicyForEndpoint

   The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
   a specific network interface.  If an IPProtocolEndpoint of a system
   does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
   then the IPsecPolicyForSystem associated IPsecPolicyGroup is used


Jason, et al               Expires May-2002                  [Page 19]


Internet Draft     IPsec Configuration Policy Model      November 2001


   for that endpoint.  The class definition for IPsecPolicyForEndpoint
   is as follows:

   NAME         IPsecPolicyForEndpoint
   DESCRIPTION  Associates a policy group to a network interface.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref IPProtocolEndpoint[0..n]]
                Dependent[ref IPsecPolicyGroup[0..1]]

4.6.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an IPProtocolEndpoint instance.  The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may be
   associated with zero or more IPProtocolEndpoint instances.

4.6.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecPolicyGroup instance.  The [0..1]
   cardinality indicates that an IPProtocolEndpoint instance may have
   an association to at most one IPsecPolicyGroup instance.

4.7. The Association Class IPsecPolicyForSystem

   The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a
   specific system.  If an IPProtocolEndpoint of a system does not have
   an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
   IPsecPolicyForSystem associated IPsecPolicyGroup is used for that
   endpoint.  The class definition for IPsecPolicyForSystem is as
   follows:

   NAME         IPsecPolicyForSystem
   DESCRIPTION  Default policy group for a system.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref System[0..n]]
                Dependent[ref IPsecPolicyGroup[0..1]]

4.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [0..n] cardinality
   indicates that an IPsecPolicyGroup instance may have an association
   to zero or more System instances.

4.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecPolicyGroup instance.  The [0..1]
   cardinality indicates that a System instance may have an association
   to at most one IPsecPolicyGroup instance.

Jason, et al               Expires May-2002                  [Page 20]


Internet Draft     IPsec Configuration Policy Model      November 2001



4.8. The Aggregation Class RuleForIKENegotiation

   The class RuleForIKENegotiation associates an IKERule with the
   IPsecPolicyGroup that contains it.  The class definition for
   RuleForIKENegotiation is as follows:

   NAME         RuleForIKENegotiation
   DESCRIPTION  Associates an IKERule with the IPsecPolicyGroup that
                contains it.
   DERIVED FROM PolicySetComponent (see [PCIME])
   ABSTRACT     FALSE
   PROPERTIES   Priority (from PolicySetComponent)
                GroupComponent [ref IPsecPolicyGroup [1..1]]
                PartComponent [ref IKERule [0..n]]

4.8.1. The Property Priority

   For a description of this property, see [PCIME].

4.8.2. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyRuleInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance.  The [1..1] cardinality indicates that an
   IKERule instance may be contained in one and only one
   IPsecPolicyGroup instance (i.e., IKERules are not shared across
   IPsecPolicyGroups).

4.8.3. The Reference PartComponent

   The property PartComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IKERule instance.  The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may contain
   zero or more IKERule instances.

4.9. The Aggregation Class RuleForIPsecNegotiation

   The class RuleForIPsecNegotiation associates an IPsecRule with the
   IPsecPolicyGroup that contains it.  The class definition for
   RuleForIPsecNegotiation is as follows:

   NAME         RuleForIPsecNegotiation
   DESCRIPTION  Associates an IPsecRule with the IPsecPolicyGroup that
                contains it.
   DERIVED FROM PolicySetComponent (see [PCIME])
   ABSTRACT     FALSE
   PROPERTIES   Priority (from PolicySetComponent)
                GroupComponent [ref IPsecPolicyGroup [1..1]]
                PartComponent [ref IPsecRule [0..n]]

4.9.1. The Property Priority


Jason, et al               Expires May-2002                  [Page 21]


Internet Draft     IPsec Configuration Policy Model      November 2001


   For a description of this property, see [PCIME].

4.9.2. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyRuleInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance.  The [1..1] cardinality indicates that an
   IPsecRule instance may be contained in only one IPsecPolicyGroup
   instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).

4.9.3. The Reference PartComponent

   The property PartComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IPsecRule instance.  The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may contain
   zero or more IPsecRules instance.

4.10. The Aggregation Class SAConditionInRule

   The class SAConditionInRule associates an SARule with the
   SACondition instance(s) that trigger(s) it.  The class definition
   for SAConditionInRule is as follows:

   NAME         SAConditionInRule
   DESCRIPTION  Associates an SARule with the SACondition instance(s)
                that trigger(s) it.
   DERIVED FROM PolicyConditionInPolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT     FALSE
   PROPERTIES   GroupNumber (from PolicyConditionInPolicyRule)
                ConditionNegated (from PolicyConditionInPolicyRule)
                GroupComponent [ref SARule [0..n]]
                PartComponent [ref SACondition [1..n]]

4.10.1. The Properties GroupNumber and ConditionNegated

   For a description of these properties, see [PCIM].

4.10.2. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyConditionInPolicyRule and is overridden to refer to an SARule
   instance.  The [0..n] cardinality indicates that an SACondition
   instance may be contained in zero or more SARule instances.

4.10.3. The Reference PartComponent

   The property PartComponent is inherited from
   PolicyConditionInPolicyRule and is overridden to refer to an
   SACondition instance.  The [1..n] cardinality indicates that an
   SARule instance MUST contain at least one SACondition instance.

4.11. The Aggregation Class PolicyActionInSARule


Jason, et al               Expires May-2002                  [Page 22]


Internet Draft     IPsec Configuration Policy Model      November 2001


   The PolicyActionInSARule class associates an SARule with one or more
   PolicyAction instances.  In all cases where an SARule is being used,
   the contained actions MUST be either subclasses of SAAction or
   instances of CompoundPolicyAction.  For an IKERule, the contained
   actions MUST be related to phase 1 processing, i.e., IKEAction or
   IKERejectAction.  Similarly, for an IPsecRule, contained actions
   MUST be related to phase 2 or preconfigured SA processing, e.g.,
   IPsecTransportAction, IPsecBypassAction, etc.  The class definition
   for PolicyActionInSARule is as follows:

   NAME         PolicyActionInSARule
   DESCRIPTION  Associates an SARule with its PolicyAction(s).
   DERIVED FROM PolicyActionInPolicyRule (see [PCIM] & [PCIMe])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref SARule [0..n]]
                PartComponent [ref PolicyAction [1..n]]
                ActionOrder (from PolicyActionInPolicyRule)

4.11.1. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyActionInPolicyRule and is overridden to refer to an SARule
   instance.  The [0..n] cardinality indicates that an SAAction
   instance may be contained in zero or more SARule instances.

4.11.2. The Reference PartComponent

   The property PartComponent is inherited from
   PolicyActionInPolicyRule and is overridden to refer to an SAAction
   or CompoundPolicyAction instance.  The [1..n] cardinality indicates
   that an SARule instance MUST contain at least one SAAction or
   CompoundPolicyAction instance.

4.11.3. The Property ActionOrder

   The property ActionOrder is inherited from the superclass
   PolicyActionInPolicyRule.  It specifies the relative position of
   this PolicyAction in the sequence of actions associated with a
   PolicyRule.  The ActionOrder MUST be unique so as to provide a
   deterministic order.  In addition, the actions in an SARule are
   executed as follows.  See section 4.2.2 ExecutionStrategy for a
   discussion on the use of the ActionOrder property.

   The property is defined as follows:

   NAME         ActionOrder
   DESCRIPTION  Specifies the order of actions.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between 1 and 2^16-1 inclusive.  Lower values
                have higher precedence (i.e., 1 is the highest
                precedence).  The merging order of two SAActions with
                the same precedence is undefined.


Jason, et al               Expires May-2002                  [Page 23]


Internet Draft     IPsec Configuration Policy Model      November 2001


5. Condition and Filter Classes

   The IPsec condition and filter classes are used to build the "if"
   part of the IKE and IPsec rules.

                             *+-------------+
         +--------------------| SACondition |
         |                    +-------------+
         |                         * |
         |                           |(a)
         |                         1 |
         |                   +---------------+
         |                   |  FilterList   |
         |                   |([CIMNETWORK]) |
         |                   +---------------+
         |                         1 o
         |(b)                        |(c)
         |                         * |
         |                   +-----------------+
         |                   | FilterEntryBase |
         |                   | ([CIMNETWORK])  |
         |                   +-----------------+
         |                           ^
         |                           |
         |     +----------------+    |    +-----------------------+
         |     | IPHeaderFilter |----+----| CredentialFilterEntry |
         |     |   ([PCIME])    |    |    +-----------------------+
         |     +----------------+    |
         |                           |
         |    +-----------------+    |    +--------------------------+
         |    | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
         |    +-----------------+         +--------------------------+
         |
         |           *+-----------------------------+
         +------------| CredentialManagementService |
                      |         ([CIMUSER])         |
                      +-----------------------------+


   (a)  FilterOfSACondition
   (b)  AcceptCredentialsFrom
   (c)  EntriesInFilterList (see [CIMNETWORK])

5.1. The Class SACondition

   The class SACondition defines the conditions of rules for IKE and
   IPsec negotiations.  Conditions are associated with policy rules via
   the SAConditionInRule aggregation. It is used as an anchor point to
   associate various types of filters with policy rules via the
   FilterOfSACondition association. It also defines whether Credentials
   can be accepted for a particular policy rule via the
   AcceptCredentialsFrom association.


Jason, et al               Expires May-2002                  [Page 24]


Internet Draft     IPsec Configuration Policy Model      November 2001


   Associated objects represent components of the condition that may or
   may not apply at a given rule evaluation.  For example, an
   AcceptCredentialsFrom evaluation is only performed when a credential
   is available to be evaluated against the list of trusted credential
   management services.  Similarly, a PeerIDPayloadFilterEntry may only
   be evaluated when an IDPayload value is available to compared with
   the filter.  Condition components that do not have corresponding
   values with which to evaluate are evaluated as TRUE unless the
   protocol has completed without providing the required information.

   The class definition for SACondition is as follows:

   NAME         SACondition
   DESCRIPTION  Defines the preconditions for IKE and IPsec
                negotiations.
   DERIVED FROM PolicyCondition (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyConditionName (from PolicyCondition)

5.2. The Class IPHeaderFilter

   The class IPHeaderFilter is defined in [PCIMe] with the following
   note:

   1) to specify 5-tuple filters that are to apply symmetrically (i.e.,
      matches traffic in both directions of the same flow between the
      two peers), the Direction property of the FilterList should be
      set to "Mirrored".

5.3. The Class CredentialFilterEntry

   The class CredentialFilterEntry defines an equivalence class that
   match credentials of IKE peers. Each CredentialFilterEntry includes
   a MatchFieldName that is interpreted according to the
   CredentialManagementService(s) associated with the SACondition
   (AcceptCredentialsFrom).

   These credentials can be X.509 certificates, Kerberos tickets, or
   other types of credentials obtained during the Phase 1 exchange.

   The class definition for CredentialFilterEntry is as follows:

   NAME         CredentialFilterEntry
   DESCRIPTION  Specifies a match filter based on the IKE credentials.
   DERIVED FROM FilterEntryBase (see [CIMNETWORK])
   ABSTRACT     FALSE
   PROPERTIES   Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchFieldName
                MatchFieldValue
                CredentialType

5.3.1. The Property MatchFieldName

Jason, et al               Expires May-2002                  [Page 25]


Internet Draft     IPsec Configuration Policy Model      November 2001



   The property MatchFieldName specifies the sub-part of the credential
   to match against MatchFieldValue.  The property is defined as
   follows:

   NAME         MatchFieldName
   DESCRIPTION  Specifies which sub-part of the credential to match.
   SYNTAX       string
   VALUE

5.3.2. The Property MatchFieldValue

   The property MatchFieldValue specifies the value to compare with the
   MatchFieldName in a credential to determine if the credential
   matches this filter entry.  The property is defined as follows:

   NAME         MatchFieldValue
   DESCRIPTION  Specifies the value to be matched by the
                MatchFieldName.
   SYNTAX       string
   VALUE        NB: If the CredentialFilterEntry corresponds to a
                DistinguishedName, this value in the CIM class is
                represented by an ordinary string value.  However, an
                implementation must convert this string to a DER-
                encoded string before matching against the values
                extracted from credentials at runtime.

5.3.3. The Property CredentialType

   The property CredentialType specifies the particular type of
   credential that is being matched.  The property is defined as
   follows:

   NAME         CredentialType
   DESCRIPTION  Defines the type of IKE credentials.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - X.509 Certificate
                2 - Kerberos Ticket

5.4. The Class IPSOFilterEntry

   The class IPSOFilterEntry is used to match traffic based on the IP
   Security Options header values (ClassificationLevel and
   ProtectionAuthority) as defined in RFC1108. This type of filter
   entry is used to adjust the IPsec encryption level according to the
   IPSO classification of the traffic (e.g., secret, confidential,
   restricted, etc.  The class definition for IPSOFilterEntry is as
   follows:

   NAME         IPSOFilterEntry
   DESCRIPTION  Specifies the a match filter based on IP Security
                Options.
   DERIVED FROM FilterEntryBase (see [CIMNETWORK])

Jason, et al               Expires May-2002                  [Page 26]


Internet Draft     IPsec Configuration Policy Model      November 2001


   ABSTRACT     FALSE
   PROPERTIES   Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchConditionType
                MatchConditionValue

5.4.1. The Property MatchConditionType

   The property MatchConditionType specifies the IPSO header field that
   will be matched (e.g., traffic classification level or protection
   authority).  The property is defined as follows:

   NAME         MatchConditionType
   DESCRIPTION  Specifies the IPSO header field to be matched.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - ClassificationLevel
                2 - ProtectionAuthority

5.4.2. The Property MatchConditionValue

   The property MatchConditionValue specifies the value of the IPSO
   header field to be matched against.  The property is defined as
   follows:

   NAME         MatchConditionValue
   DESCRIPTION  Specifies the value of the IPSO header field to be
                matched against.
   SYNTAX       unsigned 16-bit integer
   VALUE        For ClassificationLevel, the values are:
                61 - TopSecret
                90 - Secret
                150 - Confidential
                171 - Unclassified
                For ProtectionAuthority, the values are:
                0 - GENSER
                1 - SIOP-ESI
                2 - SCI
                3 - NSA
                4 - DOE

5.5. The Class PeerIDPayloadFilterEntry

   The class PeerIDPayloadFilterEntry defines filters used to match ID
   payload values from the IKE protocol exchange.
   PeerIDPayloadFilterEntry permits the specification of certain ID
   payload values such as "*@company.com" or "193.190.125.0/24".

   Obviously this filter applies only to IKERules when acting as a
   responder.  Moreover, this filter can be applied immediately in the
   case of aggressive mode but its application is to be delayed in the
   case of main mode.  The class definition for
   PeerIDPayloadFilterEntry is as follows:


Jason, et al               Expires May-2002                  [Page 27]


Internet Draft     IPsec Configuration Policy Model      November 2001


   NAME         PeerIDPayloadFilterEntry
   DESCRIPTION  Specifies a match filter based on IKE identity.
   DERIVED FROM FilterEntryBase (see [CIMNETWORK])
   ABSTRACT     FALSE
   PROPERTIES   Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchIdentityType
                MatchIdentityValue

5.5.1. The Property MatchIdentityType

   The property MatchIdentityType specifies the type of identity
   provided by the peer in the ID payload."   The property is defined
   as follows:

   NAME         MatchIdentityType
   DESCRIPTION  Specifies the ID payload type.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

5.5.2. The Property MatchIdentityValue

   The property MatchIdentityValue specifies the filter value for
   comparison with the ID payload, e.g., "*@company.com"  The property
   is defined as follows:

   NAME         MatchIdentityValue
   DESCRIPTION  Specifies the ID payload value.
   SYNTAX       string
   VALUE        NB: The syntax may need to be converted for comparison.
                If the PeerIDPayloadFilterEntry type is a
                DistinguishedName, the name in the MatchIdentityValue
                property is represented by an ordinary string value,
                but this value must be converted into a DER-encoded
                string before matching against the values extracted
                from IKE ID payloads at runtime.  The same applies to
                IPv4 & IPv6 addresses.

                Wildcards can be used as well as the prefix notation
                for IPv4 addresses:
                - a MatchIdentityValue of "*@company.com" will match an
                ID payload of "JDOE@COMPANY.COM"


Jason, et al               Expires May-2002                  [Page 28]


Internet Draft     IPsec Configuration Policy Model      November 2001


                - a MatchIdentityValue of "193.190.125.0/24" will match
                an ID payload of 193.190.125.10.

5.6. The Association Class FilterOfSACondition

   The class FilterOfSACondition associates an SACondition with the
   filter specifications (FilterList) that make up the condition.  The
   class definition for FilterOfSACondition is as follows:

   NAME         FilterOfSACondition
   DESCRIPTION  Associates a condition with the filter list that make
                up the individual condition elements.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref FilterList[1..1]]
                Dependent [ref SACondition[0..n]]

5.6.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a FilterList instance.  The [1..1]
   cardinality indicates that an SACondition instance MUST be
   associated with one and only one FilterList instance.

5.6.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an SACondition instance.  The [0..n]
   cardinality indicates that a FilterList instance may be associated
   with zero or more SAConditions instance.

5.7. The Association Class AcceptCredentialFrom

   The class AcceptCredentialFrom specifies which credential management
   services (e.g., a CertificateAuthority or a Kerberos service) are to
   be trusted to certify peer credentials.  This is used to validate
   that the credential being matched in the CredentialFilterEntry is a
   valid credential that has been supplied by an approved
   CredentialManagementService.  If a CredentialManagementService is
   specified and a corresponding CredentialFilterEntry is used, but the
   credential supplied by the peer is not certified by that
   CredentialManagementService (or one of the
   CredentialManagementServices in its trust hierarchy), the
   CredentialFilterEntry is deemed not to match.  If a credential is
   certified by a CredentialManagementService in the
   AcceptCredentialsFrom list of services but there is no
   CredentialFilterEntry, this is considered equivalent to a
   CredentialFilterEntry that matches all credentials from those
   services.

   The class definition for AcceptCredentialFrom is as follows:

   NAME         AcceptCredentialFrom

Jason, et al               Expires May-2002                  [Page 29]


Internet Draft     IPsec Configuration Policy Model      November 2001


   DESCRIPTION  Associates a condition with the credential management
                services to be trusted.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref CredentialManagementService[0..n]]
                Dependent [ref SACondition[0..n]]

5.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an SACondition instance may be
   associated with zero or more CredentialManagementServices instance.

5.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an SACondition instance.  The [0..n]
   cardinality indicates that a CredentialManagementService instance
   may be associated with zero or more SAConditions instance.


































Jason, et al               Expires May-2002                  [Page 30]


Internet Draft     IPsec Configuration Policy Model      November 2001


6. Action Classes

   The action classes are used to model the different actions an IPsec
   device may take when the evaluation of the associated condition
   results in a match.

                                +----------+
                                | SAAction |
                                +----------+
                                     ^
                                     |
                         +-----------+--------------+
                         |                          |
                         |               +---------------------+
                         |               | SaNegotiationAction |
                         |               +---------------------+
                         |                          ^
                         |                          |
                *+----------------+      +----------------------+*
                 | SAStaticAction |      | IKENegotiationAction |o----+
                 +----------------+      +----------------------+     |
                               ^                     ^                |
                               |                     |                |
                               |         +-----------+-------+        |
                               |         |                   |        |
       +-------------------+   |   +-------------+     +-----------+  |
       | IPsecBypassAction |---+   | IPsecAction |     | IKEAction |  |
       +-------------------+   |   +-------------+     +-----------+  |
                               |       ^                              |
      +--------------------+   |       |    +----------------------+  |
      | IPsecDiscardAction |---+       +----| IPsecTransportAction |  |
      +--------------------+   |       |    +----------------------+  |
                               |       |                              |
         +-----------------+   |       |    +-------------------+     |
         | IKERejectAction |---+       +----| IPsecTunnelAction |     |
         +-----------------+   |            +-------------------+     |
                               |                     *|               |
                               |       +--------------+               |
                               |       |                              |
   +-----------------------+   |       |       +--------------+n      |
   | PreconfiguredSAAction |---+       |(a)    | [SAProposal] |-------+
   +-----------------------+           |       +--------------+   (b)
      *|    ^                          |
       |    |                          |      *+-------------+
       |    |                          +-------| PeerGateway |
       |    |                                  +-------------+
       |    |  +-----------------------------+   |0..1  *w|
       |    +--| PreconfiguredTransportAction|   |        |(c)
       |    |  +-----------------------------+   |       1|
       |    |                                    |  +--------------+
       |    |  +---------------------------+ *   |  |    System    |
       |    +--| PreconfiguredTunnelAction |-----+  |  ([CIMCORE]) |
       |       +---------------------------+  (e)   +--------------+

Jason, et al               Expires May-2002                  [Page 31]


Internet Draft     IPsec Configuration Policy Model      November 2001


       |
       |   2..6+---------------+
       +-------| [SATransform] |
         (d)   +---------------+

   (a)  PeerGatewayForTunnel
   (b)  ContainedProposal
   (c)  HostedPeerGatewayInformation
   (d)  TransformOfPreconfiguredAction
   (e)  PeerGatewayForPreconfiguredTunnel

6.1. The Class SAAction

   The class SAAction is abstract and serves as the base class for IKE
   and IPsec actions.  It is used for aggregating different types of
   actions to IKE and IPsec rules.  The class definition for SAAction
   is as follows:

   NAME         SAAction
   DESCRIPTION  The base class for IKE and IPsec actions.
   DERIVED FROM PolicyAction (see [PCIM])
   ABSTRACT     TRUE
   PROPERTIES   PolicyActionName (from PolicyAction)
                DoActionLogging
                DoPacketLogging

6.1.1. The Property DoActionLogging

   The property DoActionLogging specifies whether a log message is to
   be generated when the action is performed.  This applies for
   SANegotiationActions with the meaning of logging a message when the
   negotiation is attempted (with the success or failure result). This
   also applies for SAStaticAction only for PreconfiguredSAAction with
   the meaning of logging a message when the preconfigured SA is
   actually installed in the SADB. The property is defined as follows:

   NAME         DoActionLogging
   DESCRIPTION  Specifies the whether to log when the action is
                performed.
   SYNTAX       boolean
   VALUE        true - a log message is to be generated when action is
                performed.
                false - no log message is to be generated when action
                is performed.

6.1.2. The Property DoPacketLogging

   The property DoPacketLogging specifies whether a log message is to
   be generated when the resulting security association is used to
   process the packet.  If the SANegotiationAction successfully
   executes and results in the creation of one or several security
   associations or if the PreconfiguredSAAction executes, the value of
   DoPacketLogging SHOULD be propagated to an optional field of SADB.

Jason, et al               Expires May-2002                  [Page 32]


Internet Draft     IPsec Configuration Policy Model      November 2001


   This optional field should be used to decide whether a log message
   is to be generated when the SA is used to process a packet.  For
   SAStaticActions, a log message is to be generated when the
   IPsecBypassAction, IPsecDiscardAction, IKERejectAction are executed.
   The property is defined as follows:


   NAME         DoPacketLogging
   DESCRIPTION  Specifies the whether to log when the resulting
                security association is used to process the packet.
   SYNTAX       boolean
   VALUE        true - a log message is to be generated when the
                resulting security association is used to process the
                packet.
                false - no log message is to be generated.

6.2. The Class SAStaticAction

   The class SAStaticAction is abstract and serves as the base class
   for IKE and IPsec actions that do not require any negotiation.  The
   class definition for SAStaticAction is as follows:

   NAME         SAStaticAction
   DESCRIPTION  The base class for IKE and IPsec actions that do not
                require any negotiation.
   DERIVED FROM SAAction
   ABSTRACT     TRUE
   PROPERTIES   LifetimeSeconds

6.2.1. The Property LifetimeSeconds

   The property LifetimeSeconds specifies how long the security
   association derived from this action should be used.  The property
   is defined as follows:

   NAME         LifetimeSeconds
   DESCRIPTION  Specifies the amount of time (in seconds) that a
                security association derived from this action should be
                used.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is not a lifetime
                associated with this action (i.e., infinite lifetime).
                A non-zero value is typically used in conjunction with
                alternate SAActions performed when there is a
                negotiation failure of some sort.

   Note: if the referenced SAStaticAction object is a
   PreconfiguredSAAction associated to several SATransforms, then the
   actual lifetime of the preconfigured SA will be the smallest of the
   value of this LifetimeSeconds property and of the value of the
   MaxLifetimeSeconds property of the associated SATransform. Except if
   the value of this LifetimeSeconds property is zero, then there will
   be no lifetime associated to this SA.

Jason, et al               Expires May-2002                  [Page 33]


Internet Draft     IPsec Configuration Policy Model      November 2001



   It is expected that most SAStaticAction instances will have their
   LifetimeSeconds properties set to zero (meaning no expiration of the
   resulting SA).

6.3. The Class IPsecBypassAction

   The class IPsecBypassAction is used when packets are allowed to be
   processed without applying IPsec encapsulation to them.  This is the
   same as stating that packets are allowed to flow in the clear.  The
   class definition for IPsecBypassAction is as follows:

   NAME         IPsecBypassAction
   DESCRIPTION  Specifies that packets are to be allowed to pass in the
                clear.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE

6.4. The Class IPsecDiscardAction

   The class IPsecDiscardAction is used when packets are to be
   discarded.  This is the same as stating that packets are to be
   denied.  The class definition for IPsecDiscardAction is as follows:

   NAME         IPsecDiscardAction
   DESCRIPTION  Specifies that packets are to be discarded.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE

6.5. The Class IKERejectAction

   The class IKERejectAction is used to prevent attempting an IKE
   negotiation with the peer(s).  The main use of this class is to
   prevent some denial of service attacks when acting as IKE responder.
   It goes beyond a plain discard of UDP/500 IKE packets because the
   SACondition can be based on specific PeerIDPayloadFilterEntry (when
   aggressive mode is used).  The class definition for IKERejectAction
   is as follows:

   NAME         IKERejectAction
   DESCRIPTION  Specifies that an IKE negotiation should not even be
                attempted or continued.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE

6.6. The Class PreconfiguredSAAction

   The class PreconfiguredSAAction is used to create a security
   association using preconfigured, hard-wired algorithms and keys.

   Notes:



Jason, et al               Expires May-2002                  [Page 34]


Internet Draft     IPsec Configuration Policy Model      November 2001


   -    the SPI for a PreconfiguredSAAction is contained in the
        association, TransformOfPreconfiguredAction;

   -    the session key (if applicable) is contained in an instance of
        the class SharedSecret (see [CIMUSER]). The session key is
        stored in the property secret, the property protocol contains
        either "ESP-encrypt", "ESP-auth" or "AH", the property
        algorithm contains the algorithm used to protect the secret
        (can be "PLAINTEXT" if the IPsec entity has no secret storage),
        the value of property RemoteID is the concatenation of the
        remote IPsec peer IP address in dotted decimal, of the
        character "/", of "IN" (resp. "OUT") for inbound SA (resp.
        outbound SA), of the character "/" and of the hexadecimal
        representation of the SPI.

   Although the class is concrete, it MUST not be instantiated.  The
   class definition for PreconfiguredSAAction is as follows:

   NAME         PreconfiguredSAAction
   DESCRIPTION  Specifies preconfigured algorithm and keying
                information for creation of a security association.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   LifetimeKilobytes

6.6.1. The Property LifetimeKilobytes

   The property LifetimeKilobytes specifies a traffic limit in
   kilobytes that can be consumed before the SA is deleted..  The
   property is defined as follows:

   NAME         LifetimeKilobytes
   DESCRIPTION  Specifies the SA lifetime in kilobytes.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is not a lifetime
                associated with this action (i.e., infinite lifetime).
                A non-zero value is used to indicate that after this
                amount of kilobytes has been consumed the SA must be
                deleted from the SADB.

   Note: the actual lifetime of the preconfigured SA will be the
   smallest of the value of this LifetimeKilobytes property and of the
   value of the MaxLifetimeSeconds property of the associated
   SATransform. Except if the value of this LifetimeKilobytes property
   is zero, then there will be no lifetime associated with this action.

   It is expected that most PreconfiguredSAAction instances will have
   their LifetimeKilobyte properties set to zero (meaning no expiration
   of the resulting SA).

6.7. The Class PreconfiguredTransportAction



Jason, et al               Expires May-2002                  [Page 35]


Internet Draft     IPsec Configuration Policy Model      November 2001


   The class PreconfiguredTransportAction is used to create an IPsec
   transport-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for
   PreconfiguredTransportAction is as follows:

   NAME         PreconfiguredTransportAction
   DESCRIPTION  Specifies preconfigured algorithm and keying
                information for creation of an IPsec transport security
                association.
   DERIVED FROM PreconfiguredSAAction
   ABSTRACT     FALSE

6.8. The Class PreconfiguredTunnelAction

   The class PreconfiguredTunnelAction is used to create an IPsec
   tunnel-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for PreconfiguredSAAction
   is as follows:

   NAME         PreconfiguredTunnelAction
   DESCRIPTION  Specifies preconfigured algorithm and keying
                information for creation of an IPsec tunnel-mode
                security association.
   DERIVED FROM PreconfiguredSAAction
   ABSTRACT     FALSE
   PROPERTIES   DFHandling

6.8.1. The Property DFHandling

   The property DFHandling specifies how the Don't Fragment bit of the
   internal IP header is to be handled during IPsec processing.  The
   property is defined as follows:

   NAME         DFHandling
   DESCRIPTION  Specifies the processing of the DF bit.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - Copy the DF bit from the internal IP header to the
                external IP header.
                2 - Set the DF bit of the external IP header to 1.
                3 - Clear the DF bit of the external IP header to 0.

6.9. The Class SANegotiationAction

   The class SANegotiationAction specifies an action requesting
   security policy negotiation.

   This is an abstract class. Currently, only one security policy
   negotiation protocol action is subclassed from SANegotiationAction:
   the IKENegotiationAction class. It is nevertheless expected that
   other security policy negotiation protocols will exist and the
   negotiation actions of those new protocols would be modeled as a
   subclass of SANegotiationAction.


Jason, et al               Expires May-2002                  [Page 36]


Internet Draft     IPsec Configuration Policy Model      November 2001


   NAME         SANegotiationAction
   DESCRIPTION  Specifies a negotiation action .
   DERIVED FROM SAAction
   ABSTRACT     TRUE

6.10. The Class IKENegotiationAction

   The class IKENegotiationAction is abstract and serves as the base
   class for IKE and IPsec actions that result in a IKE negotiation.
   Although the class is concrete, is MUST not be instantiated.  The
   class definition for IKENegotiationAction is as follows:

   NAME         IKENegotiationAction
   DESCRIPTION  A base class for IKE and IPsec actions that specifies
                the parameters that are common for IKE phase 1 and IKE
                phase 2 IPsec DOI negotiations.
   DERIVED FROM SANegotiationAction
   ABSTRACT     TRUE
   PROPERTIES   MinLifetimeSeconds
                MinLifetimeKilobytes
                RefreshThresholdSeconds
                RefreshThresholdKilobytes
                IdleDurationSeconds

6.10.1. The Property MinLifetimeSeconds

   The property MinLifetimeSeconds specifies the minimum seconds
   lifetime that will be accepted from the peer.  MinLifetimeSeconds is
   used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  The
   property is defined as follows:

   NAME         MinLifetimeSeconds
   DESCRIPTION  Specifies the minimum acceptable seconds lifetime.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no minimum
                value.  A non-zero value specifies the minimum seconds
                lifetime.

6.10.2. The Property MinLifetimeKilobytes

   The property MinLifetimeKilobytes specifies the minimum kilobytes
   lifetime that will be accepted from the peer.  MinLifetimeKilobytes
   is used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  Note that
   there has been considerable debate regarding the usefulness of
   applying kilobyte lifetimes to IKE phase 1 security associations, so
   it is likely that this property will only apply to the sub-class
   IPsecAction.  The property is defined as follows:

   NAME         MinLifetimeKilobytes

Jason, et al               Expires May-2002                  [Page 37]


Internet Draft     IPsec Configuration Policy Model      November 2001


   DESCRIPTION  Specifies the minimum acceptable kilobytes lifetime.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no minimum
                value.  A non-zero value specifies the minimum
                kilobytes lifetime.


6.10.3. The Property RefreshThresholdSeconds

   The property RefreshThresholdSeconds specifies what percentage of
   the seconds lifetime can expire before IKE should attempt to
   renegotiate the security association.  A random value may be added
   to the calculated threshold (percentage x seconds lifetime) to
   reduce the chance of both peers attempting to renegotiate at the
   same time.  The property is defined as follows:

   NAME         RefreshThresholdSeconds
   DESCRIPTION  Specifies the percentage of seconds lifetime that has
                expired before the security association is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the security association
                should not be renegotiated until the seconds lifetime
                has been reached.

6.10.4. The Property RefreshThresholdKilobytes

   The property RefreshThresholdKilobytes specifies what percentage of
   the kilobyte lifetime can expire before IKE should attempt to
   renegotiate the IPsec security association.  A random value may be
   added to the calculated threshold (percentage x kilobyte lifetime)
   to reduce the chance of both peers attempting to renegotiate at the
   same time.  Note, that as with the property MinLifetimeKilobytes,
   this property is probably only relevant to IPsecAction sub-classes.
   The property is defined as follows:

   NAME         RefreshThresholdKilobytes
   DESCRIPTION  Specifies the percentage of kilobyte lifetime that has
                expired before the IPsec security association is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IPsec security
                association should not be renegotiated until the
                kilobyte lifetime has been reached.

6.10.5. The Property IdleDurationSeconds

   The property IdleDurationSeconds specifies how many seconds a
   security association may remain idle (i.e., no traffic protected
   using the security association) before it is deleted.  The property
   is defined as follows:

Jason, et al               Expires May-2002                  [Page 38]


Internet Draft     IPsec Configuration Policy Model      November 2001



   NAME         IdleDurationSeconds
   DESCRIPTION  Specifies how long, in seconds, a security association
                may remain unused before it is deleted.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that idle detection should
                not be used for the security association (only the
                seconds and kilobyte lifetimes will be used).  Any non-
                zero value indicates the number of seconds the security
                association may remain unused.

6.11. The Class IPsecAction

   The class IPsecAction serves as the base class for IPsec transport
   and tunnel actions.  It specifies the parameters used for an IKE
   phase 2 IPsec DOI negotiation.  Although the class is concrete, is
   MUST not be instantiated.  The class definition for IPsecAction is
   as follows:

   NAME         IPsecAction
   DESCRIPTION  A base class for IPsec transport and tunnel actions
                that specifies the parameters for IKE phase 2 IPsec DOI
                negotiations.
   DERIVED FROM IKENegotiationAction
   ABSTRACT     FALSE
   PROPERTIES   UsePFS
                UseIKEGroup
                GroupId
                Granularity
                VendorID

6.11.1. The Property UsePFS

   The property UsePFS specifies whether or not perfect forward secrecy
   should be used when refreshing keys.  The property is defined as
   follows:

   NAME         UsePFS
   DESCRIPTION  Specifies the whether or not to use PFS when refreshing
                keys.
   SYNTAX       boolean
   VALUE        A value of true indicates that PFS should be used.  A
                value of false indicates that PFS should not be used.

6.11.2. The Property UseIKEGroup

   The property UseIKEGroup specifies whether or not phase 2 should use
   the same key exchange group as was used in phase 1.  UseIKEGroup is
   ignored if UsePFS is false.  The property is defined as follows:

   NAME         UseIKEGroup



Jason, et al               Expires May-2002                  [Page 39]


Internet Draft     IPsec Configuration Policy Model      November 2001


   DESCRIPTION  Specifies whether or not to use the same GroupId for
                phase 2 as was used in phase 1.  If UsePFS is false,
                then UseIKEGroup is ignored.
   SYNTAX       boolean
   VALUE        A value of true indicates that the phase 2 GroupId
                should be the same as phase 1.  A value of false
                indicates that the property GroupId will contain the
                key exchange group to use for phase 2.

6.11.3. The Property GroupId

   The property GroupId specifies the key exchange group to use for
   phase 2.  GroupId is ignored if (1) the property UsePFS is false, or
   (2) the property UsePFS is true and the property UseIKEGroup is
   true.  If the GroupID number is from the vendor-specific range
   (32768-65535), the property VendorID qualifies the group number.
   The property is defined as follows:

   NAME         GroupId
   DESCRIPTION  Specifies the key exchange group to use for phase 2
                when the property UsePFS is true and the property
                UseIKEGroup is false.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [IKE] for valid values.

6.11.4. The Property Granularity

   The property Granularity specifies how the selector for the security
   association should be derived from the traffic that triggered the
   negotiation.  The property is defined as follows:

   NAME         Granularity
   DESCRIPTION  Specifies the how the proposed selector for the
                security association will be created.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - subnet: the source and destination subnet masks of
                the filter entry are used.
                2 - address: only the source and destination IP
                addresses of the triggering packet are used.
                3 - protocol: the source and destination IP addresses
                and the IP protocol of the triggering packet are used.
                4 - port: the source and destination IP addresses and
                the IP protocol and the source and destination layer 4
                ports of the triggering packet are used.

6.11.5. The Property VendorID

   The property VendorID is used together with the property GroupID
   (when it is in the vendor-specific range) to identify the key
   exchange group.  VendorID is ignored unless UsePFS is true and
   UseIKEGroup is false and GroupID is in the vendor-specific range
   (32768-65535).  The property is defined as follows:


Jason, et al               Expires May-2002                  [Page 40]


Internet Draft     IPsec Configuration Policy Model      November 2001


   NAME         VendorID
   DESCRIPTION  Specifies the IKE Vendor ID.
   SYNTAX       string

6.12. The Class IPsecTransportAction

   The class IPsecTransportAction is a subclass of IPsecAction that is
   used to specify use of an IPsec transport-mode security association.
   The class definition for IPsecTransportAction is as follows:

   NAME         IPsecTransportAction
   DESCRIPTION  Specifies that an IPsec transport-mode security
                association should be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE

6.13. The Class IPsecTunnelAction

   The class IPsecTunnelAction is a subclass of IPsecAction that is
   used to specify use of an IPsec tunnel-mode security association.
   The class definition for IPsecTunnelAction is as follows:

   NAME         IPsecTunnelAction
   DESCRIPTION  Specifies that an IPsec tunnel-mode security
                association should be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE
   PROPERTIES   DFHandling

6.13.1. The Property DFHandling

   The property DFHandling specifies how the tunnel should manage the
   Don't Fragment (DF) bit.  The property is defined as follows:

   NAME         DFHandling
   DESCRIPTION  Specifies how to process the DF bit.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - Copy the DF bit from the internal IP header to the
                external IP header.
                2 - Set the DF bit of the external IP header to 1.
                3 - Clear the DF bit of the external IP header to 0.

6.14. The Class IKEAction

   The class IKEAction specifies the parameters that are to be used for
   IKE phase 1 negotiation.  The class definition for IKEAction is as
   follows:

   NAME         IKEAction
   DESCRIPTION  Specifies the IKE phase 1 negotiation parameters.
   DERIVED FROM IKENegotiationAction
   ABSTRACT     FALSE


Jason, et al               Expires May-2002                  [Page 41]


Internet Draft     IPsec Configuration Policy Model      November 2001


   PROPERTIES   RefreshThresholdDerivedKeys
                ExchangeMode
                UseIKEIdentityType
                VendorID
                AggressiveModeGroupId

6.14.1. The Property RefreshThresholdDerivedKeys

   The property RefreshThresholdDerivedKeys specifies what percentage
   of the derived key limit (see the LifetimeDerivedKeys property of
   IKEProposal) can expire before IKE should attempt to renegotiate the
   IKE phase 1 security association.  A random value may be added to
   the calculated threshold (percentage x derived key limit) to reduce
   the chance of both peers attempting to renegotiate at the same time.
   The property is defined as follows:

   NAME         RefreshThresholdKilobytes
   DESCRIPTION  Specifies the percentage of derived key limit that has
                expired before the IKE phase 1 security association is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IKE phase 1 security
                association should not be renegotiated until the
                derived key limit has been reached.

6.14.2. The Property ExchangeMode

   The property ExchangeMode specifies which IKE mode should be used
   for IKE phase 1 negotiations.  The property is defined as follows:

   NAME         ExchangeMode
   DESCRIPTION  Specifies the IKE negotiation mode for phase 1.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - base mode
                2 - main mode
                4 - aggressive mode

6.14.3. The Property UseIKEIdentityType

   The property UseIKEIdentityType specifies what IKE identity type
   should be used when negotiating with the peer.  This information is
   used in conjunction with the IKE identities available on the system
   and the IdentityContexts of the matching IKERule.  The property is
   defined as follows:

   NAME         UseIKEIdentityType
   DESCRIPTION  Specifies the IKE identity to use during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet

Jason, et al               Expires May-2002                  [Page 42]


Internet Draft     IPsec Configuration Policy Model      November 2001


                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

6.14.4. The Property VendorID

   The property VendorID specifies the value to be used in the Vendor
   ID payload.  The property is defined as follows:

   NAME         VendorID
   DESCRIPTION  Vendor ID Payload.
   SYNTAX       string
   VALUE        A value of NULL means that Vendor ID payload will be
                neither generated nor accepted. A non-NULL value means
                that a Vendor ID payload will be generated (when acting
                as an initiator) or is expected (when acting as a
                responder).

6.14.5. The Property AggressiveModeGroupId

   The property AggressiveModeGroupId specifies which group ID is to be
   used in the first packets of the phase 1 negotiation.  This property
   is ignored unless the property ExchangeMode is set to 4 (aggressive
   mode). If the AggressiveModeGroupID number is from the vendor-
   specific range (32768-65535), the property VendorID qualifies the
   group number.  The property is defined as follows:

   NAME         AggressiveModeGroupId
   DESCRIPTION  Specifies the group ID to be used for aggressive mode.
   SYNTAX       unsigned 16-bit integer

6.15. The Class PeerGateway

   The class PeerGateway specifies the security gateway with which the
   IKE services negotiates.  The class definition for PeerGateway is as
   follows:

   NAME         PeerGateway
   DESCRIPTION  Specifies the security gateway with which to negotiate.
   DERIVED FROM LogicalElement (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Name
                PeerIdentityType
                PeerIdentity

6.15.1. The Property Name

   The property Name specifies a user-friendly name for this security
   gateway.  The property is defined as follows:

Jason, et al               Expires May-2002                  [Page 43]


Internet Draft     IPsec Configuration Policy Model      November 2001



   NAME         Name
   DESCRIPTION  Specifies a user-friendly name for this security
                gateway.
   SYNTAX       string

6.15.2. The Property PeerIdentityType

   The property PeerIdentityType specifies the IKE identity type of the
   security gateway.  The property is defined as follows:

   NAME         PeerIdentityType
   DESCRIPTION  Specifies the IKE identity type of the security
                gateway.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

6.15.3. The Property PeerIdentity

   The property PeerIdentity specifies the IKE identity value of the
   security gateway.  A conversion may be needed between the
   PeerIdentity string representation and the real value used in the ID
   payload (e.g. IP address is to be converted from a dotted decimal
   string into 4 bytes).  The property is defined as follows:

   NAME         PeerIdentity
   DESCRIPTION  Specifies the IKE identity value of the security
                gateway.
   SYNTAX       string

6.16. The Association Class PeerGatewayForTunnel

   The class PeerGatewayForTunnel associates IPsecTunnelActions with an
   ordered list of PeerGateways.  The class definition for
   PeerGatewayForTunnel is as follows:


   NAME         PeerGatewayForTunnel
   DESCRIPTION  Associates IPsecTunnelActions with an ordered list of
                PeerGateways.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE


Jason, et al               Expires May-2002                  [Page 44]


Internet Draft     IPsec Configuration Policy Model      November 2001


   PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                Dependent [ref IPsecTunnelAction[0..n]]
                SequenceNumber

6.16.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that there an IPsecTunnelAction instance may
   be associated with zero or more PeerGateway instances.

   Note: the cardinality 0 has a specific meaning:

        -    when the IKE service acts as a responder, this means that
             the IKE service will accept phase 1 negotiation with any
             other security gateway;
        -    when the IKE service acts as an initiator, this means that
             the IKE service will use the destination IP address (of
             the IP packets which triggered the SARule) as the IP
             address of the peer IKE entity.

6.16.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecTunnelAction instance.  The [0..n]
   cardinality indicates that a PeerGateway instance may be associated
   with zero or more IPsecTunnelAction instances.

6.16.3. The Property SequenceNumber

   The property SequenceNumber specifies the ordering to be used when
   evaluating PeerGateway instances for a given IPsecTunnelAction.  .
   The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the order of evaluation for PeerGateways.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower values are evaluated first.

6.17. The Aggregation Class ContainedProposal

   The class ContainedProposal associates an ordered list of
   SAProposals with the IKENegotiationAction that aggregates it.  If
   the referenced IKENegotiationAction object is an IKEAction, then the
   referenced SAProposal object(s) must be IKEProposal(s).  If the
   referenced IKENegotiationAction object is an IPsecTransportAction or
   an IPsecTunnelAction, then the referenced SAProposal object(s) must
   be IPsecProposal(s).  The class definition for ContainedProposal is
   as follows:

   NAME         ContainedProposal
   DESCRIPTION  Associates an ordered list of SAProposals with an
                IKENegotiationAction.

Jason, et al               Expires May-2002                  [Page 45]


Internet Draft     IPsec Configuration Policy Model      November 2001


   DERIVED FROM PolicyComponent (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref IKENegotiationAction[0..n]]
                PartComponent[ref SAProposal[1..n]]
                SequenceNumber

6.17.1. The Reference GroupComponent

        -  The property GroupComponent is inherited from
           PolicyComponent and is overridden to refer to an
           IKENegotiationAction instance.  The [0..n] cardinality
           indicates that an SAProposal instance may be associated with
           zero or more IKENegotiationAction instances.

6.17.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SAProposal instance.  The [1..n]
   cardinality indicates that an IKENegotiationAction instance MUST be
   associated with at least one SAProposal instance.

6.17.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for
   the SAProposals.  The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order for the SAProposals.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued proposals are preferred over proposals
                with higher values.  For ContainedProposals that
                reference the same IKENegotiationAction, SequenceNumber
                values must be unique.

6.18. The Association Class HostedPeerGatewayInformation

   The class HostedPeerGatewayInformation weakly associates a
   PeerGateway with a System.  The class definition for
   HostedPeerGatewayInformation is as follows:


   NAME         HostedPeerGatewayInformation
   DESCRIPTION  Weakly associates a PeerGateway with a System.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref System[1..1]]
                Dependent [ref PeerGateway[0..n] [weak]]

6.18.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] cardinality


Jason, et al               Expires May-2002                  [Page 46]


Internet Draft     IPsec Configuration Policy Model      November 2001


   indicates that a PeerGateway instance MUST be associated with one
   and only one System instance.

6.18.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more PeerGateway instances.

6.19. The Association Class TransformOfPreconfiguredAction

   The class TransformOfPreconfiguredAction associates a
   PreconfiguredSAAction with from two to six SATransforms that will be
   applied to the inbound and outbound traffic.  The order of
   application of the SATransforms is implicitly defined in [IPSEC].
   The class definition for TransformOfPreconfiguredAction is as
   follows:

   NAME         TransformOfPreconfiguredAction
   DESCRIPTION  Associates a PreconfiguredSAAction with from one to
                three SATransforms.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref SATransform[2..6]]
                Dependent[ref PreconfiguredSAAction[0..n]]
                SPI
                Direction

6.19.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an SATransform instance.  The [2..6]
   cardinality indicates that an PreconfiguredSAAction instance may be
   associated with from two to six SATransform instances.

6.19.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PreconfiguredSAAction instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more PreconfiguredSAAction instances.

6.19.3. The Property SPI

   The property SPI specifies the SPI to be used by the pre-configured
   action for the associated transform.  The property is defined as
   follows:

   NAME         SPI
   DESCRIPTION  Specifies the SPI to be used with the SATransform.
   SYNTAX       unsigned 32-bit integer


Jason, et al               Expires May-2002                  [Page 47]


Internet Draft     IPsec Configuration Policy Model      November 2001


6.19.4. The Property Direction

   The property Direction specifies whether the SPI property is for
   inbound or for outbound traffic. The property is defined as follows:

   NAME         Direction
   DESCRIPTION Specifies whether the SA is for inbound or outbound
               traffic.
   SYNTAX      unsigned 8-bit integer
   VALUE       1 - this SA is for inbound traffic
               2 - this SA is for outbound traffic

6.20 The Association Class PeerGatewayForPreconfiguredTunnel

   The class PeerGatewayForPreconfiguredTunnel associates one or one
   PeerGateway with multiple PreconfiguredTunnelActions. The class
   definition for PeerGatewayForPreconfiguredTunnel is as follows:

   NAME         PeerGatewayForPreconfiguredTunnel
   DESCRIPTION  Associates a PeerGateway with multiple
                PreconfiguredTunnelAction.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref PeerGateway[0..1]]
                Dependent[ref PreconfiguredTunnelAction[0..n]]

6.20.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an PeerGateway instance.  The [0..1]
   cardinality indicates that an PreconfiguredTunnelAction instance may
   be associated with one PeerGteway instance.

6.20.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PreconfiguredTunnelAction instance.  The
   [0..n] cardinality indicates that an PeerGateway instance may be
   associated with zero or more PreconfiguredSAAction instances.















Jason, et al               Expires May-2002                  [Page 48]


Internet Draft     IPsec Configuration Policy Model      November 2001


7. Proposal and Transform Classes

   The proposal and transform classes model the proposal settings an
   IPsec device will use during IKE phase 1 and 2 negotiations.

                             +--------------+*w     1+--------------+
                             | [SAProposal] |--------|   System     |
                             +--------------+  (a)   | ([CIMCORE])  |
                                    ^                +--------------+
                                    |                        |1
                         +----------------------+            |
                         |                      |            |
                  +-------------+       +---------------+    |
                  | IKEProposal |       | IPsecProposal |    |
                  +-------------+       +---------------+    |
                                               *o            |
                                                |(b)         |(c)
                                               n|            |
                                        +---------------+*w  |
                                        | [SATransform] |----+
                                        +---------------+
                                                ^
                                                |
               +--------------------+-----------+---------+
               |                    |                     |
        +-------------+     +--------------+     +----------------+
        | AHTransform |     | ESPTransform |     |IPCOMPTransform |
        +-------------+     +--------------+     +----------------+

   (a)  SAProposalInSystem
   (b)  ContainedTransform
   (c)  SATransformInSystem

7.1. The Abstract Class SAProposal

   The abstract class SAProposal serves as the base class for the IKE
   and IPsec proposal classes.  It specifies the parameters that are
   common to the two proposal types.  The class definition for
   SAProposal is as follows:

   NAME         SAProposal
   DESCRIPTION  Specifies the common proposal parameters for IKE and
                IPsec security association negotiation.
   DERIVED FROM Policy ([PCIM])
   ABSTRACT     TRUE
   PROPERTIES   Name

7.1.1. The Property Name

   The property Name specifies a user-friendly name for the SAProposal.
   The property is defined as follows:

   NAME         Name

Jason, et al               Expires May-2002                  [Page 49]


Internet Draft     IPsec Configuration Policy Model      November 2001


   DESCRIPTION  Specifies a user-friendly name for this proposal.
   SYNTAX       string

7.2. The Class IKEProposal

   The class IKEProposal specifies the proposal parameters necessary to
   drive an IKE security association negotiation.  The class definition
   for IKEProposal is as follows:

   NAME         IKEProposal
   DESCRIPTION  Specifies the proposal parameters for IKE security
                association negotiation.
   DERIVED FROM SAProposal
   ABSTRACT     FALSE
   PROPERTIES   LifetimeDerivedKeys
                CipherAlgorithm
                HashAlgorithm
                PRFAlgorithm
                GroupId
                AuthenticationMethod
                MaxLifetimeSeconds
                MaxLifetimeKilobytes
                VendorID

7.2.1. The Property LifetimeDerivedKeys

   The property LifetimeDerivedKeys specifies the number of times that
   a phase 1 key will be used to derive a phase 2 key before the phase
   1 security association needs renegotiated.  Even though this is not
   a parameter that is sent in an IKE proposal, it is included in the
   proposal as the number of keys derived may be a result of the
   strength of the algorithms in the IKE proposal.  The property is
   defined as follows:

   NAME         LifetimeDerivedKeys
   DESCRIPTION  Specifies the number of phase 2 keys that can be
                derived from the phase 1 key.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no limit to the
                number of phase 2 keys that may be derived from the
                phase 1 key; instead the seconds and/or kilobytes
                lifetime will dictate the phase 1 rekeying.  A non-zero
                value specifies the number of phase 2 keys that can be
                derived from the phase 1 key.

7.2.2. The Property CipherAlgorithm

   The property CipherAlgorithm specifies the proposed phase 1 security
   association encryption algorithm.  The property is defined as
   follows:

   NAME         CipherAlgorithm


Jason, et al               Expires May-2002                  [Page 50]


Internet Draft     IPsec Configuration Policy Model      November 2001


   DESCRIPTION  Specifies the proposed encryption algorithm for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [IKE] for valid values.

7.2.3. The Property HashAlgorithm

   The property HashAlgorithm specifies the proposed phase 1 security
   association hash algorithm.  The property is defined as follows:

   NAME         HashAlgorithm
   DESCRIPTION  Specifies the proposed hash algorithm for the phase 1
                security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [IKE] for valid values.

7.2.4. The Property PRFAlgorithm

   The property PRFAlgorithm specifies the proposed phase 1 security
   association pseudo-random function.  The property is defined as
   follows:

   NAME         PRFAlgorithm
   DESCRIPTION  Specifies the proposed pseudo-random function for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        Currently none defined.

7.2.5. The Property GroupId

   The property GroupId specifies the proposed phase 1 security
   association key exchange group.  This property is ignored for all
   aggressive mode exchanges.  If the GroupID number is from the
   vendor-specific range (32768-65535), the property VendorID qualifies
   the group number.  The property is defined as follows:

   NAME         GroupId
   DESCRIPTION  Specifies the proposed key exchange group for the phase
                1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Not applicable: used for aggressive mode.  Consult
                [IKE] for other valid values.

7.2.6. The Property AuthenticationMethod

   The property AuthenticationMethod specifies the proposed phase 1
   authentication method.  The property is defined as follows:

   NAME         AuthenticationMethod
   DESCRIPTION  Specifies the proposed authentication method for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer


Jason, et al               Expires May-2002                  [Page 51]


Internet Draft     IPsec Configuration Policy Model      November 2001


   VALUE        0 - a special value that indicates that this particular
                proposal should be repeated once for each
                authentication method that corresponds to the
                credentials installed on the machine.  For example, if
                the system has a pre-shared key and a certificate, a
                proposal list could be constructed which includes a
                proposal that specifies pre-shared key and proposals
                for any of the public-key authentication methods.
                Consult [IKE] for valid values.

7.2.7. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum amount of
   time, in seconds, to propose that a security association will remain
   valid after its creation.  The property is defined as follows:

   NAME         MaxLifetimeSeconds
   DESCRIPTION  Specifies the maximum amount of time to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that the default of 8 hours
                be used.  A non-zero value indicates the maximum
                seconds lifetime.

7.2.8. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

   NAME         MaxLifetimeKilobytes
   DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there should be no
                maximum kilobyte lifetime.  A non-zero value specifies
                the desired kilobyte lifetime.

7.2.9. The Property VendorID

   The property VendorID further qualifies the key exchange group.  The
   property is ignored unless the exchange is not in aggressive mode
   and the property GroupID is in the vendor-specific range.  The
   property is defined as follows:

   NAME         VendorID
   DESCRIPTION  Specifies the Vendor ID to further qualify the key
                exchange group.
   SYNTAX       string

7.3. The Class IPsecProposal



Jason, et al               Expires May-2002                  [Page 52]


Internet Draft     IPsec Configuration Policy Model      November 2001


   The class IPsecProposal adds no new properties, but inherits
   proposal properties from SAProposal as well as aggregating the
   security association transforms necessary for building an IPsec
   proposal (see the aggregation class ContainedTransform).  The class
   definition for IPsecProposal is as follows:

   NAME         IPsecProposal
   DESCRIPTION  Specifies the proposal parameters for IPsec security
                association negotiation.
   DERIVED FROM SAProposal
   ABSTRACT     FALSE

7.4. The Abstract Class SATransform

   The abstract class SATransform serves as the base class for the
   IPsec transforms that can be used to compose an IPsec proposal or to
   be used as a pre-configured action.  The class definition for
   SATransform is as follows:

   NAME         SATransform
   DESCRIPTION  Base class for the different IPsec transforms.
   ABSTRACT     TRUE
   PROPERTIES   TransformName
                VendorID
                MaxLifetimeSeconds
                MaxLifetimeKilobytes

7.4.1. The Property TransformName

   The property TransformName specifies a user-friendly name for the
   SATransform.  The property is defined as follows:

   NAME         TransformName
   DESCRIPTION  Specifies a user-friendly name for this transform.
   SYNTAX       string

7.4.2. The Property VendorID

   The property VendorID specifies the vendor ID for vendor-defined
   transforms.  The property is defined as follows:

   NAME         VendorID
   DESCRIPTION  Specifies the vendor ID for vendor-defined transforms.
   SYNTAX       string
   VALUE        An empty VendorID string indicates that the transform
                is a standard one.

7.4.3. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum amount of
   time, in seconds, to propose that a security association will remain
   valid after its creation.  The property is defined as follows:


Jason, et al               Expires May-2002                  [Page 53]


Internet Draft     IPsec Configuration Policy Model      November 2001


   NAME         MaxLifetimeSeconds
   DESCRIPTION  Specifies the maximum amount of time to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that the default of 8 hours
                be used.  A non-zero value indicates the maximum
                seconds lifetime.

7.4.4. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

   NAME         MaxLifetimeKilobytes
   DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there should be no
                maximum kilobyte lifetime.  A non-zero value specifies
                the desired kilobyte lifetime.

7.5. The Class AHTransform

   The class AHTransform specifies the AH algorithm to propose during
   IPsec security association negotiation.  The class definition for
   AHTransform is as follows:

   NAME         AHTransform
   DESCRIPTION  Specifies the AH algorithm to propose.
   ABSTRACT     FALSE
   PROPERTIES   AHTransformId
                UseReplayPrevention
                ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

   The property AHTransformId specifies the transform ID of the AH
   algorithm to propose.  The property is defined as follows:

   NAME         AHTransformId
   DESCRIPTION  Specifies the transform ID of the AH algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

   NAME         UseReplayPrevention
   DESCRIPTION  Specifies whether to enable replay prevention
                detection.

Jason, et al               Expires May-2002                  [Page 54]


Internet Draft     IPsec Configuration Policy Model      November 2001


   SYNTAX       boolean
   VALUE        true - replay prevention detection is enabled.
                false - replay prevention detection is disabled.

7.5.3. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism. The value of this property is meaningless if
   UseReplayPrevention is false. It is assumed that the window size
   will be power of 2.  The property is defined as follows:

   NAME         ReplayPreventionWindowSize
   DESCRIPTION  Specifies the length of the window used by replay
                prevention detection mechanism.
   SYNTAX       unsigned 32-bit integer

7.6. The Class ESPTransform

   The class ESPTransform specifies the ESP algorithms to propose
   during IPsec security association negotiation.  The class definition
   for ESPTransform is as follows:

   NAME         ESPTransform
   DESCRIPTION  Specifies the ESP algorithms to propose.
   ABSTRACT     FALSE
   PROPERTIES   IntegrityTransformId
                CipherTransformId
                CipherKeyLength
                CipherKeyRounds
                UseReplayPrevention
                ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

   The property IntegrityTransformId specifies the transform ID of the
   ESP integrity algorithm to propose.  The property is defined as
   follows:

   NAME         IntegrityTransformId
   DESCRIPTION  Specifies the transform ID of the ESP integrity
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [DOI] for valid values.

7.6.2. The Property CipherTransformId

   The property CipherTransformId specifies the transform ID of the ESP
   encryption algorithm to propose.  The property is defined as
   follows:

   NAME         CipherTransformId


Jason, et al               Expires May-2002                  [Page 55]


Internet Draft     IPsec Configuration Policy Model      November 2001


   DESCRIPTION  Specifies the transform ID of the ESP encryption
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

   The property CipherKeyLength specifies, in bits, the key length for
   the ESP encryption algorithm.  For encryption algorithms that use
   fixed-length keys, this value is ignored.  The property is defined
   as follows:

   NAME         CipherKeyLength
   DESCRIPTION  Specifies the ESP encryption key length in bits.
   SYNTAX       unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

   The property CipherKeyRounds specifies the number of key rounds for
   the ESP encryption algorithm.  For encryption algorithms that use
   fixed number of key rounds, this value is ignored.  The property is
   defined as follows:

   NAME         CipherKeyRounds
   DESCRIPTION  Specifies the number of key rounds for the ESP
                encryption algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        Currently, key rounds are not defined for any ESP
                encryption algorithms.

7.6.5. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

   NAME         UseReplayPrevention
   DESCRIPTION  Specifies whether to enable replay prevention
                detection.
   SYNTAX       boolean
   VALUE        true - replay prevention detection is enabled.
                false - replay prevention detection is disabled.

7.6.6. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism. The value of this property is meaningless if
   UseReplayPrevention is false. It is assumed that the window size
   will be power of 2.  The property is defined as follows:

   NAME         ReplayPreventionWindowSize
   DESCRIPTION  Specifies the length of the window used by replay
                prevention detection mechanism.

Jason, et al               Expires May-2002                  [Page 56]


Internet Draft     IPsec Configuration Policy Model      November 2001


   SYNTAX       unsigned 32-bit integer

7.7. The Class IPCOMPTransform

   The class IPCOMPTransform specifies the IP compression (IPCOMP)
   algorithm to propose during IPsec security association negotiation.
   The class definition for IPCOMPTransform is as follows:

   NAME         IPCOMPTransform
   DESCRIPTION  Specifies the IPCOMP algorithm to propose.
   ABSTRACT     FALSE
   PROPERTIES   Algorithm
                DictionarySize
                PrivateAlgorithm

7.7.1. The Property Algorithm

   The property Algorithm specifies the transform ID of the IPCOMP
   compression algorithm to propose.  The property is defined as
   follows:

   NAME         Algorithm
   DESCRIPTION  Specifies the transform ID of the IPCOMP compression
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - OUI: a vendor specific algorithm is used and
                specified in the property PrivateAlgorithm.  Consult
                [DOI] for other valid values.

7.7.2. The Property DictionarySize

   The property DictionarySize specifies the log2 maximum size of the
   dictionary for the compression algorithm.  For compression
   algorithms that have pre-defined dictionary sizes, this value is
   ignored.  The property is defined as follows:

   NAME         DictionarySize
   DESCRIPTION  Specifies the log2 maximum size of the dictionary.
   SYNTAX       unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

   The property PrivateAlgorithm specifies a private vendor-specific
   compression algorithm.  This value is only used when the property
   Algorithm is 1 (OUI).  The property is defined as follows:

   NAME         PrivateAlgorithm
   DESCRIPTION  Specifies a private vendor-specific compression
                algorithm.
   SYNTAX       unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem


Jason, et al               Expires May-2002                  [Page 57]


Internet Draft     IPsec Configuration Policy Model      November 2001


   The class SAProposalInSystem weakly associates SAProposals with a
   System.  The class definition for SAProposalInSystem is as follows:


   NAME         SAProposalInSystem
   DESCRIPTION  Weakly associates SAProposals with a System.
   DERIVED FROM PolicyInSystem (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref System [1..1]]
                Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SAProposal instance MUST be associated with one
   and only one System instance.

7.8.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SAProposal instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

   The class ContainedTransform associates an IPsecProposal with the
   set of SATransforms that make up the proposal.  If multiple
   transforms of the same type are in a proposal, then they are to be
   logically ORed and the order of preference is dictated by the
   SequenceNumber property.  Sets of transforms of different types are
   logically ANDed.  For example, if the ordered proposal list were

   ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
   AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to pick
   one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND
   one from the AH transform list (preferably MD5).

   The class definition for ContainedTransform is as follows:

   NAME         ContainedTransform
   DESCRIPTION  Associates an IPsecProposal with the set of
                SATransforms that make up the proposal.
   DERIVED FROM PolicyComponent (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref IPsecProposal[0..n]]
                PartComponent[ref SATransform[1..n]]
                SequenceNumber

7.9.1. The Reference GroupComponent

Jason, et al               Expires May-2002                  [Page 58]


Internet Draft     IPsec Configuration Policy Model      November 2001



   The property GroupComponent is inherited from PolicyComponent and is
   overridden to refer to an IPsecProposal instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SATransform instance.  The [1..n]
   cardinality indicates that an IPsecProposal instance MUST be
   associated with at least one SATransform instance.

7.9.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for
   the SATransforms of the same type.  The property is defined as
   follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order for the SATransforms of
                the same type.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued transforms are preferred over transforms
                of the same type with higher values.  For
                ContainedTransforms that reference the same
                IPsecProposal, SequenceNumber values must be unique.

7.10. The Association Class SATransformInSystem

   The class SATransformInSystem weakly associates SATransforms with a
   System.  The class definition for SATransformInSystem System is as
   follows:


   NAME         SATransformInSystem
   DESCRIPTION  Weakly associates SATransforms with a System.
   DERIVED FROM PolicyInSystem (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref System[1..1]]
                Dependent[ref SATransform[0..n] [weak]]

7.10.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SATransform instance MUST be associated with one
   and only one System instance.

7.10.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SATransform instance.  The [0..n]

Jason, et al               Expires May-2002                  [Page 59]


Internet Draft     IPsec Configuration Policy Model      November 2001


   cardinality indicates that a System instance may be associated with
   zero or more SATransform instances.




















































Jason, et al               Expires May-2002                  [Page 60]


Internet Draft     IPsec Configuration Policy Model      November 2001


8. IKE Service and Identity Classes

                +--------------+           +-------------------+
                |    System    |           | PeerIdentityEntry |
                |  ([CIMCORE]) |           +-------------------+
                +--------------+                     |*w
                      1| (a)                 (b)     |
                       +---+            +------------+
                           |            |
                           |*w        1 o
   +-------------+     +-------------------+    +---------------------+
   | PeerGateway |     | PeerIdentityTable |    | AutostartIKESetting |
   +-------------+     +-------------------+    +---------------------+
        *|                          *|               *|    *|
         +----------------------+    |(d)  +----------+     |
                  (c)          *|   *|    *|     (e)        |
                              *+------------+*              |(f)
             +-----------------| IKEService |-----+         |
             |      (g)        +------------+     |(h)      |
         0..1|                      *|           *|        *o
   +--------------------+            |    +---------------------------+
   | IPProtocolEndpoint |            |    | AutostartIKEConfiguration |
   |  ([CIMNETWORK])    |         (i)|    +---------------------------+
   +--------------------+            |
      0..1|                          |
          |(j)                       +----------------+
         *|                                           |*
   +-------------+* (k)  +------------+ +-----------------------------+
   | IKEIdentity |-------| Collection | | CredentialManagementService |
   +-------------+   0..1| ([CIMCORE])| |         ([CIMUSER])         |
         *|              +------------+ +-----------------------------+
          |(l)
         *|
   +--------------+
   |  Credential  |
   |  ([CIMUSER]) |
   +--------------+

   (a)  HostedPeerIdentityTable
   (b)  PeerIdentityMember
   (c)  IKEServicePeerGateway
   (d)  IKEServicePeerIdentityTable
   (e)  IKEAutostartSetting
   (f)  AutostartIKESettingContext
   (g)  IKEServiceForEndpoint
   (h)  IKEAutostartConfiguration
   (i)  IKEUsesCredentialManagementService
   (j)  EndpointHasLocalIKEIdentity
   (k)  CollectionHasLocalIKEIdentity
   (l)  IKEIdentitysCredential

   This portion of the model contains additional information that is
   useful in applying the policy.  The IKEService class MAY be used to

Jason, et al               Expires May-2002                  [Page 61]


Internet Draft     IPsec Configuration Policy Model      November 2001


   represent the IKE negotiation function in a system. The IKEService
   uses the various tables that contain information about IKE peers as
   well as the configuration for specifying security associations that
   are started automatically.  The information in the PeerGateway,
   PeerIdentityTable and related classes is necessary to completely
   specify the policies.

   An interface (represented by an IPProtocolEndpoint) has an
   IKEService that provides the negotiation services for that
   interface.  That service MAY also have a list of security
   associations for that are automatically started at the time the IKE
   service is initialized.

   The IKEService also has a set of identities that it may use in
   negotiations with its peers.  Those identities are associated with
   the interfaces (or collections of interfaces).

8.1. The Class IKEService

   The class IKEService represents the IKE negotiation function.  An
   instance of this service may provide that negotiation service for
   one or more interfaces (represented by the IPProtocolEndpoint class)
   of a System.  There may be multiple instances of IKE services on a
   System but only one per interface.  The class definition for
   IKEService is as follows:

   NAME         IKEService
   DESCRIPTION  IKEService is used to represent the IKE negotiation
                function.
   DERIVED FROM Service (see [CIMCORE])
   ABSTRACT     FALSE

8.2. The Class PeerIdentityTable

   The class PeerIdentityTable aggregates the table entries that
   provide mappings between identities and their addresses.  The class
   definition for PeerIdentityTable is as follows:

   NAME         PeerIdentityTable
   DESCRIPTION  PeerIdentityTable aggregates PeerIdentityEntry
                instances to provide a table of identity-address
                mappings.
   DERIVED FROM Collection (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Name

8.3.1. The Property Name

   The property Name uniquely identifies the table.  The property is
   defined as follows:

   NAME         Name
   DESCRIPTION  Name uniquely identifies the table.

Jason, et al               Expires May-2002                  [Page 62]


Internet Draft     IPsec Configuration Policy Model      November 2001


   SYNTAX       string

8.3. The Class PeerIdentityEntry

   The class PeerIdentityEntry specifies the mapping between peer
   identity and their address. The class definition for
   PeerIdentityEntry is as follows:

   NAME         PeerIdentityEntry
   DESCRIPTION  PeerIdentityEntry provides a mapping between a peer's
                identity and address.
   DERIVED FROM LogicalElement (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   PeerIdentity
                PeerIdentityType
                PeerAddress
                PeerAddressType

8.3.1. The Property PeerIdentity

   The property PeerIdentity contains a string encoding of the Identity
   payload for the IKE peer.  The property is defined as follows:

   NAME         PeerIdentity
   DESCRIPTION  The PeerIdentity is the ID payload of a peer.
   SYNTAX       string

8.3.2. The Property PeerIdentityType

   The property PeerIdentityType is an enumeration that specifies the
   type of the PeerIdentity.  The property is defined as follows:

   NAME         PeerIdentityType
   DESCRIPTION  PeerIdentityType is the type of the ID payload of a
                peer.
   SYNTAX       unsigned 16-bit integer
   VALUE        The enumeration values are specified in [DOI] section
                4.6.2.1.

8.3.3. The Property PeerAddress

   The property PeerAddress specifies the string representation of the
   IP address of the peer formatted according to the appropriate
   convention as defined in the PeerAddressType property (e.g., dotted
   decimal notation).  The property is defined as follows:

   NAME         PeerAddress
   DESCRIPTION  PeerAddress is the address of the peer with the ID
                payload.
   SYNTAX       string
   VALUE        String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType

Jason, et al               Expires May-2002                  [Page 63]


Internet Draft     IPsec Configuration Policy Model      November 2001



   The property PeerAddressType specifies the format of the PeerAddress
   property value.  The property is defined as follows:

   NAME         PeerAddressType
   DESCRIPTION  PeerAddressType is the type of address in PeerAddress.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6

8.4. The Class AutostartIKEConfiguration

   The class AutostartIKEConfiguration groups AutostartIKESetting
   instances into configuration sets.  When applied, the settings cause
   an IKE service to automatically start (negotiate or statically set
   as appropriate) the Security Associations.  The class definition for
   AutostartIKEConfiguration is as follows:

   NAME         AutostartIKEConfiguration
   DESCRIPTION  A configuration set of AutostartIKESetting instances to
                be automatically started by the IKE service.
   DERIVED FROM SystemConfiguration (see [CIMCORE])
   ABSTRACT     FALSE

8.5. The Class AutostartIKESetting

   The class AutostartIKESetting is used to automatically initiate IKE
   negotiations with peers (or statically create an SA) as specified in
   the AutostartIKESetting properties.  Appropriate actions are
   initiated according to the policy that matches the setting
   parameters. The class definition for AutostartIKESetting is as
   follows:

   NAME         AutostartIKESetting
   DESCRIPTION  AutostartIKESetting is used to automatically initiate
                IKE negotiations with peers or statically create an SA.
   DERIVED FROM SystemSetting (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Phase1Only
                AddressType
                SourceAddress
                SourcePort
                DestinationAddress
                DestinationPort
                Protocol

8.5.1. The Property Phase1Only

   The property Phase1Only is used to limit the IKE negotiation to just
   setting up a phase 1 security association.  When set to False, both
   phase 1 and 2 negotiations are initiated.
   The property is defined as follows:

Jason, et al               Expires May-2002                  [Page 64]


Internet Draft     IPsec Configuration Policy Model      November 2001



   NAME         Phase1Only
   DESCRIPTION  Used to indicate which security associations to attempt
                to establish (phase 1 only, or phase 1 and 2).
   SYNTAX       boolean
   VALUE        true - attempt to establish a phase 1 security
                association
                false - attempt to establish phase 1 and 2 security
                associations

8.5.2. The Property AddressType

   The property AddressType specifies type of the addresses in the
   SourceAddress and DestinationAddress properties.  The property is
   defined as follows:

   NAME         AddressType
   DESCRIPTION  AddressType is the type of address in SourceAddress and
                DestinationAddress properties.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6

8.5.3. The Property SourceAddress

   The property SourceAddress specifies the dotted-decimal or colon-
   decimal formatted IP address used as the source address in comparing
   with policy filter entries and used in any phase 2 negotiations.
   The property is defined as follows:

   NAME         SourceAddress
   DESCRIPTION  The source address to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort

   The property SourcePort specifies the port number used as the source
   port in comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

   NAME         SourcePort
   DESCRIPTION  The source port to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.5. The Property DestinationAddress

   The property DestinationAddress specifies the dotted-decimal or
   colon-decimal formatted IP address used as the destination address


Jason, et al               Expires May-2002                  [Page 65]


Internet Draft     IPsec Configuration Policy Model      November 2001


   in comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

   NAME         DestinationAddress
   DESCRIPTION  The destination address to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort

   The property DestinationPort specifies the port number used as the
   destination port in comparing with policy filter entries and used in
   any phase 2 negotiations.  The property is defined as follows:

   NAME         DestinationPort
   DESCRIPTION  The destination port to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.7. The Property Protocol

   The property Protocol specifies the protocol number used in
   comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

   NAME         Protocol
   DESCRIPTION  The protocol number used in comparing with policy
                filter entries.
   SYNTAX       unsigned 8-bit integer

8.6. The Class IKEIdentity

   The class IKEIdentity is used to represent the identities that may
   be used for an IPProtocolEndpoint (or collection of
   IPProtocolEndpoints) to identify the IKE Service in IKE phase 1
   negotiations.  The policy IKEAction.UseIKEIdentityType specifies
   which type of the available identities to use in a negotiation
   exchange and the IKERule.IdentityContexts specifies the match values
   to be used, along with the local address, in selecting the
   appropriate identity for a negotiation. The ElementID property value
   (defined in the parent class, UsersAccess) should be that of either
   the IPProtocolEndpoint or Collection of endpoints as appropriate.
   The class definition for IKEIdentity is as follows:

   NAME         IKEIdentity
   DESCRIPTION  IKEIdentity is used to represent the identities that
                may be used for an IPProtocolEndpoint (or collection of
                IPProtocolEndpoints) to identify the IKE Service in IKE
                phase 1 negotiations.
   DERIVED FROM UsersAccess (see [CIMUSER])
   ABSTRACT     FALSE


Jason, et al               Expires May-2002                  [Page 66]


Internet Draft     IPsec Configuration Policy Model      November 2001


   PROPERTIES   IdentityType
                IdentityValue
                IdentityContexts

8.6.1. The Property IdentityType

   The property IdentityType is an enumeration that specifies the type
   of the IdentityValue.  The property is defined as follows:

   NAME         IdentityType
   DESCRIPTION  IdentityType is the type of the IdentityValue.
   SYNTAX       unsigned 8-bit integer
   VALUE        The enumeration values are specified in [DOI] section
                4.6.2.1.

8.6.2. The Property IdentityValue

   The property Identity specifies Value contains a string encoding of
   the Identity payload.  For IKEIdentity instances that are address
   types, the IdentityValue string value may be omitted and the
   associated IPProtocolEndpoint or appropriate member of the
   Collection of endpoints is used.  The property is defined as
   follows:

   NAME         IdentityValue
   DESCRIPTION  IdentityValue contains a string encoding of the
                Identity payload.
   SYNTAX       string

8.6.3. The Property IdentityContexts

   The IdentityContexts property is used to constrain the use of
   IKEIdentity instances to match that specified in the
   IKERule.IdentityContexts.  The IdentityContexts are formatted as
   policy roles and role combinations [PCIM] & [PCIMe].  Each value
   represents one context or context combination.  Since this is a
   multi-valued property, more than one context or combination of
   contexts can be associated with a single IKEIdentity.  Each value is
   a string of the form:        <ContextName>[&&<ContextName>]*
   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2). If one or more
   values in the IKERule.IdentityContexts array match one or more
   IKEIdentity.IdentityContexts then the identity's context matches.
   (That is, each value of the IdentityContext array is an ORed
   condition.)  In combination with the address of the
   IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
   1 and only 1 IKEIdentity.  The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  The IKE service of a security endpoint may have
                multiple identities for use in different situations.
                The combination of the interface (represented by
                the IPProtocolEndpoint), the identity type (as

Jason, et al               Expires May-2002                  [Page 67]


Internet Draft     IPsec Configuration Policy Model      November 2001


                specified in the IKEAction) and the IdentityContexts
                selects a unique identity.
   SYNTAX       string array
   VALUE        string of the form <ContextName>[&&<ContextName>]*

8.7. The Association Class HostedPeerIdentityTable

   The class HostedPeerIdentityTable provides the name scoping
   relationship for PeerIdentityTable entries in a System.  The
   PeerIdentityTable is weak to the System.  The class definition for
   HostedPeerIdentityTable is as follows:

   NAME         HostedPeerIdentityTable
   DESCRIPTION  The PeerIdentityTable instances are weak (name scoped
                by) the owning System.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref System[1..1]]
                Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that a PeerIdentityTable instance MUST be associated in a
   weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PeerIdentityTable instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

   The class PeerIdentityMember aggregates PeerIdentityEntry instances
   into a PeerIdentityTable.  This is a weak aggregation.  The class
   definition for PeerIdentityMember is as follows:

   NAME         PeerIdentityMember
   DESCRIPTION  PeerIdentityMember aggregates PeerIdentityEntry
                instances into a PeerIdentityTable.
   DERIVED FROM MemberOfCollection (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Collection [ref PeerIdentityTable[1..1]]
                Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

   The property Collection is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityTable instance.  The [1..1]
   cardinality indicates that a PeerIdentityEntry instance MUST be

Jason, et al               Expires May-2002                  [Page 68]


Internet Draft     IPsec Configuration Policy Model      November 2001


   associated with one and only one PeerIdentityTable instance (i.e.,
   PeerIdentityEntry instances are not shared across
   PeerIdentityTables).

8.8.2. The Reference Member

   The property Member is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityEntry instance.  The [0..n]
   cardinality indicates that a PeerIdentityTable instance may be
   associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

   The class IKEServicePeerGateway provides the association between an
   IKEService and the list of PeerGateway instances that it uses in
   negotiating with security gateways.  The class definition for
   IKEServicePeerGateway is as follows:

   NAME         IKEServicePeerGateway
   DESCRIPTION  Associates an IKEService and the list of PeerGateway
                instances that it uses in negotiating with security
                gateways.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that a PeerGateway instance may be associated
   with zero or more IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

   The class IKEServicePeerIdentityTable provides the relationship
   between an IKEService and a PeerIdentityTable that it uses to map
   between addresses and identities as required.  The class definition
   for IKEServicePeerIdentityTable is as follows:

   NAME         IKEServicePeerIdentityTable
   DESCRIPTION  IKEServicePeerIdentityTable provides the relationship
                between an IKEService and a PeerIdentityTable that it
                uses.
   DERIVED FROM Dependency (see [CIMCORE])

Jason, et al               Expires May-2002                  [Page 69]


Internet Draft     IPsec Configuration Policy Model      November 2001


   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerIdentityTable[0..n]]
                Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerIdentityTable instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that a PeerIdentityTable instance may be
   associated with zero or more IKEService instances.

8.11. The Association Class IKEAutostartSetting

   The class IKEAutostartSetting associates an AutostartIKESetting with
   an IKEService that may use it to automatically start an IKE
   negotiation or create a static SA.  The class definition for
   IKEAutostartSetting is as follows:

   NAME         IKEAutostartSetting
   DESCRIPTION  Associates a AutostartIKESetting with an IKEService.
   DERIVED FROM ElementSetting (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Element [ref IKEService[0..n]]
                Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

   The property Element is inherited from ElementSetting and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates an AutostartIKESetting instance may be
   associated with zero or more IKEService instances.

8.11.2. The Reference Setting

   The property Setting is inherited from ElementSetting and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

   The class AutostartIKESettingContext aggregates the settings used to
   automatically start negotiations or create a static SA into a
   configuration set.  The class definition for
   AutostartIKESettingContext is as follows:


Jason, et al               Expires May-2002                  [Page 70]


Internet Draft     IPsec Configuration Policy Model      November 2001


   NAME         AutostartIKESettingContext
   DESCRIPTION  AutostartIKESettingContext aggregates the
                AutostartIKESetting instances into a configuration set.
   DERIVED FROM SystemSettingContext (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Context [ref AutostartIKEConfiguration [0..n]]
                Setting [ref AutostartIKESetting [0..n]]
                SequenceNumber

8.12.1. The Reference Context

   The property Context is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an AutostartIKESetting instance
   may be associated with zero or more AutostartIKEConfiguration
   instances (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

   The property Setting is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an AutostartIKEConfiguration instance may
   be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

   The property SequenceNumber specifies indicates the ordering to be
   used when starting negotiations or creating a static SA.  A zero
   value indicates that order is not significant and settings may be
   applied in parallel with other settings.  All other settings in the
   configuration are executed in sequence from lower values to high.
   Sequence numbers need not be unique in an AutostartIKEConfiguration
   and order is not significant for settings with the same sequence
   number.  The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  The sequence in which the settings are applied within a
                configuration set.
   SYNTAX       unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

   The class IKEServiceForEndpoint provides the association showing
   which IKE service, if any, provides IKE negotiation services for
   which network interfaces.  The class definition for
   IKEServiceForEndpoint is as follows:

   NAME         IKEServiceForEndpoint
   DESCRIPTION  Associates an IPProtocolEndpoint with an IKEService
                that provides negotiation services for the endpoint.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE


Jason, et al               Expires May-2002                  [Page 71]


Internet Draft     IPsec Configuration Policy Model      November 2001


   PROPERTIES   Antecedent [ref IKEService[0..1]]
                Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..1]
   cardinality indicates that an IPProtocolEndpoint instance MUST by
   associated with at most one IKEService instance.

8.13.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPProtocolEndpoint that is associated with
   at most one IKEService.  The [0..n] cardinality indicates an
   IKEService instance may be associated with zero or more
   IPProtocolEndpoint instances.

8.14. The Association Class IKEAutostartConfiguration

   The class IKEAutostartConfiguration provides the relationship
   between an IKEService and a configuration set that it uses to
   automatically start a set of SAs.  The class definition for
   IKEAutostartConfiguration is as follows:

   NAME         IKEAutostartConfiguration
   DESCRIPTION  IKEAutostartConfiguration provides the relationship
                between an IKEService and an AutostartIKEConfiguration
                that it uses to automatically start a set of SAs.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref AutostartIKEConfiguration [0..n]]
                Dependent [ref IKEService [0..n]]
                Active

8.14.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that an AutostartIKEConfiguration instance may
   be associated with zero or more IKEService instances.

8.14.3. The Property Active

   The property Active specifies indicates whether the
   AutostartIKEConfiguration set is currently active for the associated

Jason, et al               Expires May-2002                  [Page 72]


Internet Draft     IPsec Configuration Policy Model      November 2001


   IKEService.  That is, at boot time, the active configuration is used
   to automatically start IKE negotiations and create static SAs.  The
   property is defined as follows:

   NAME         Active
   DESCRIPTION  Active indicates whether the AutostartIKEConfiguration
                set is currently active for the associated IKEService.
   SYNTAX       boolean
   VALUE        true - AutostartIKEConfiguration is currently active
                for associated IKEService.
                false - AutostartIKEConfiguration is currently inactive
                for associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

   The class IKEUsesCredentialManagementService defines the set of
   CredentialManagementService(s) that are trusted sources of
   credentials for IKE phase 1 negotiations.  The class definition for
   IKEUsesCredentialManagementService is as follows:

   NAME         IKEUsesCredentialManagementService
   DESCRIPTION  Associates the set of CredentialManagementService(s)
                that are trusted by the IKEService as sources of
                credentials used in IKE phase 1 negotiations.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref CredentialManagementService [0..n]]
                Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that a CredentialManagementService instance
   may be associated with zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

   The class EndpointHasLocalIKEIdentity associates an
   IPProtocolEndpoint with a set of IKEIdentity instances that may be
   used in negotiating security associations on the endpoint.  An
   IKEIdentity MUST be associated with either an IPProtocolEndpoint
   using this association or with a collection of IKEIdentity instances
   using the CollectionHasLocalIKEIdentity association.  The class
   definition for EndpointHasLocalIKEIdentity is as follows:


Jason, et al               Expires May-2002                  [Page 73]


Internet Draft     IPsec Configuration Policy Model      November 2001


   NAME         EndpointHasLocalIKEIdentity
   DESCRIPTION  EndpointHasLocalIKEIdentity associates an
                IPProtocolEndpoint with a set of IKEIdentity instances.
   DERIVED FROM ElementAsUser (see [CIMUSER])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IPProtocolEndpoint [0..1]]
                Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to an IPProtocolEndpoint instance.  The [0..1]
   cardinality indicates that an IKEIdentity instance MUST be
   associated with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that an IPProtocolEndpoint instance may be
   associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

   The class CollectionHasLocalIKEIdentity associates a Collection of
   IPProtocolEndpoint instances with a set of IKEIdentity instances
   that may be used in negotiating SAs for endpoints in the collection.
   An IKEIdentity MUST be associated with either an IPProtocolEndpoint
   using the EndpointHasLocalIKEIdentity association or with a
   collection of IKEIdentity instances using this association.  The
   class definition for CollectionHasLocalIKEIdentity is as follows:

   NAME         CollectionHasLocalIKEIdentity
   DESCRIPTION  CollectionHasLocalIKEIdentity associates a collection
                of IPProtocolEndpoint instances with a set of
                IKEIdentity instances.
   DERIVED FROM ElementAsUser (see [CIMUSER])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref Collection [0..1]]
                Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to a Collection instance.  The [0..1]
   cardinality indicates that an IKEIdentity instance MUST be
   associated with at most one Collection instance.

8.17.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]


Jason, et al               Expires May-2002                  [Page 74]


Internet Draft     IPsec Configuration Policy Model      November 2001


   cardinality indicates that a Collection instance may be associated
   with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

   The class IKEIdentitysCredential is an association that relates a
   set of credentials to their corresponding local IKE Identities.  The
   class definition for IKEIdentitysCredential is as follows:

   NAME         IKEIdentitysCredential
   DESCRIPTION  IKEIdentitysCredential associates a set of credentials
                to their corresponding local IKEIdentity.
   DERIVED FROM UsersCredential (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref Credential [0..n]]
                Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

   The property Antecedent is inherited from UsersCredential and is
   overridden to refer to a Credential instance.  The [0..n]
   cardinality indicates that IKEIdentity instance may be associated
   with zero or more Credential instances.

8.18.2. The Reference Dependent

   The property Dependent is inherited from UsersCredential and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that a Credential instance may be associated
   with zero or more IKEIdentity instances.

9. Implementation Requirements

   The following tables specifies which classes, properties,
   associations and aggregations MUST or SHOULD or MAY be implemented.

   4. Policy Classes
   4.1. The Class IPsecPolicyGroup................................MUST
   4.2. The Class SARule..........................................MUST
   4.2.1. The Property PolicyRuleName..............................MAY
   4.2.1. The Property Enabled....................................MUST
   4.2.1. The Property ConditionListType..........................MUST
   4.2.1. The Property RuleUsage...................................MAY
   4.2.1. The Property Mandatory...................................MAY
   4.2.1. The Property SequencedActions...........................MUST
   4.2.1. The Property PolicyRoles.................................MAY
   4.2.1. The Property PolicyDecisionStrategy......................MAY
   4.2.2  The Property ExecutionStrategy..........................MUST
   4.2.3  The Property LimitNegotiation............................MAY
   4.3. The Class IKERule.........................................MUST
   4.3.1. The Property IdentityContexts............................MAY
   4.4. The Class IPsecRule.......................................MUST
   4.5.3. The Property GroupPriority..............................MUST

Jason, et al               Expires May-2002                  [Page 75]


Internet Draft     IPsec Configuration Policy Model      November 2001


   4.6. The Association Class IpsecPolicyForEndpoint...............MAY
   4.6.1. The Reference Antecedent................................MUST
   4.6.2. The Reference Dependent.................................MUST
   4.7. The Association Class IPsecPolicyForSystem.................MAY
   4.7.1. The Reference Antecedent................................MUST
   4.7.2. The Reference Dependent.................................MUST
   4.8. The Aggregation Class RuleForIKENegotiation...............MUST
   4.8.1. The Property Priority.................................SHOULD
   4.8.2. The Reference GroupComponent............................MUST
   4.8.3. The Reference PartComponent.............................MUST
   4.9. The Aggregation Class RuleForIPsecNegotiation.............MUST
   4.9.1. The Property Priority.................................SHOULD
   4.9.2. The Reference GroupComponent............................MUST
   4.9.3. The Reference PartComponent.............................MUST
   4.10. The Aggregation Class SAConditionInRule..................MUST
   4.10.1. The Property GroupNumber.............................SHOULD
   4.10.1. The Property ConditionNegated........................SHOULD
   4.10.2. The Reference GroupComponent...........................MUST
   4.10.3. The Reference PartComponent............................MUST
   4.11. The Aggregation Class PolicyActionInSARule...............MUST
   4.11.1. The Reference GroupComponent...........................MUST
   4.11.2. The Reference PartComponent............................MUST
   4.11.3. The Property ActionOrder.............................SHOULD
   5. Condition and Filter Classes
   5.1. The Class SACondition.....................................MUST
   5.2. The Class IPHeaderFilter................................SHOULD
   5.3. The Class CredentialFilterEntry............................MAY
   5.3.1. The Property MatchFieldName.............................MUST
   5.3.2. The Property MatchFieldValue............................MUST
   5.3.3. The Property CredentialType.............................MUST
   5.4. The Class IPSOFilterEntry..................................MAY
   5.4.1. The Property MatchConditionType.........................MUST
   5.4.2. The Property MatchConditionValue........................MUST
   5.5. The Class PeerIDPayloadFilterEntry.........................MAY
   5.5.1. The Property MatchIdentityType..........................MUST
   5.5.2. The Property MatchIdentityValue.........................MUST
   5.6. The Association Class FilterOfSACondition...............SHOULD
   5.6.1. The Reference Antecedent................................MUST
   5.6.2. The Reference Dependent.................................MUST
   5.7. The Association Class AcceptCredentialFrom.................MAY
   5.7.1. The Reference Antecedent................................MUST
   5.7.2. The Reference Dependent.................................MUST
   6. Action Classes
   6.1. The Class SAAction........................................MUST
   6.1.1. The Property DoActionLogging.............................MAY
   6.1.2. The Property DoPacketLogging.............................MAY
   6.2. The Class SAStaticAction..................................MUST
   6.2.1. The Property LifetimeSeconds............................MUST
   6.3. The Class IPsecBypassAction.............................SHOULD
   6.4. The Class IPsecDiscardAction............................SHOULD
   6.5. The Class IKERejectAction..................................MAY
   6.6. The Class PreconfiguredSAAction...........................MUST
   6.6.1. The Property LifetimeKilobytes..........................MUST

Jason, et al               Expires May-2002                  [Page 76]


Internet Draft     IPsec Configuration Policy Model      November 2001


   6.7. The Class PreconfiguredTransportAction....................MUST
   6.8. The Class PreconfiguredTunnelAction.......................MUST
   6.8.1. The Property DFHandling.................................MUST
   6.9. The Class SANegotiationAction.............................MUST
   6.10. The Class IKENegotiationAction...........................MUST
   6.10.1. The Property MinLifetimeSeconds.........................MAY
   6.10.2. The Property MinLifetimeKilobytes.......................MAY
   6.10.3. The Property RefreshThresholdSeconds....................MAY
   6.10.4. The Property RefreshThresholdKilobytes..................MAY
   6.10.5. The Property IdleDurationSeconds........................MAY
   6.11. The Class IPsecAction....................................MUST
   6.11.1. The Property UsePFS....................................MUST
   6.11.2. The Property UseIKEGroup................................MAY
   6.11.3. The Property GroupId...................................MUST
   6.11.4. The Property Granularity.............................SHOULD
   6.11.5. The Property VendorID...................................MAY
   6.12. The Class IPsecTransportAction...........................MUST
   6.13. The Class IPsecTunnelAction..............................MUST
   6.13.1. The Property DFHandling................................MUST
   6.14. The Class IKEAction......................................MUST
   6.14.1. The Property RefreshThresholdDerivedKeys................MAY
   6.14.2. The Property ExchangeMode..............................MUST
   6.14.3. The Property UseIKEIdentityType........................MUST
   6.14.4. The Property VendorID...................................MAY
   6.14.5. The Property AggressiveModeGroupId......................MAY
   6.15. The Class PeerGateway....................................MUST
   6.15.1. The Property Name....................................SHOULD
   6.15.2. The Property PeerIdentityType..........................MUST
   6.15.3. The Property PeerIdentity..............................MUST
   6.16. The Association Class PeerGatewayForTunnel...............MUST
   6.16.1. The Reference Antecedent...............................MUST
   6.16.2. The Reference Dependent................................MUST
   6.16.3. The Property SequenceNumber..........................SHOULD
   6.17. The Aggregation Class ContainedProposal..................MUST
   6.17.1. The Reference GroupComponent...........................MUST
   6.17.2. The Reference PartComponent............................MUST
   6.17.3. The Property SequenceNumber............................MUST
   6.18. The Association Class HostedPeerGatewayInformation........MAY
   6.18.1. The Reference Antecedent...............................MUST
   6.18.2. The Reference Dependent................................MUST
   6.19. The Association Class TransformOfPreconfiguredAction.....MUST
   6.19.1. The Reference Antecedent...............................MUST
   6.19.2. The Reference Dependent................................MUST
   6.19.3. The Property SPI.......................................MUST
   6.19.4. The Property Direction.................................MUST
   6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
   6.20.1. The Reference Antecedent...............................MUST
   6.20.2. The Reference Dependent................................MUST
   7. Proposal and Transform Classes
   7.1. The Abstract Class SAProposal.............................MUST
   7.1.1. The Property Name.....................................SHOULD
   7.2. The Class IKEProposal.....................................MUST
   7.2.1. The Property LifetimeDerivedKeys.........................MAY

Jason, et al               Expires May-2002                  [Page 77]


Internet Draft     IPsec Configuration Policy Model      November 2001


   7.2.2. The Property CipherAlgorithm............................MUST
   7.2.3. The Property HashAlgorithm..............................MUST
   7.2.4. The Property PRFAlgorithm................................MAY
   7.2.5. The Property GroupId....................................MUST
   7.2.6. The Property AuthenticationMethod.......................MUST
   7.2.7. The Property MaxLifetimeSeconds.........................MUST
   7.2.8. The Property MaxLifetimeKilobytes.......................MUST
   7.2.9. The Property VendorID....................................MAY
   7.3. The Class IPsecProposal...................................MUST
   7.4. The Abstract Class SATransform............................MUST
   7.4.1. The Property TransformName............................SHOULD
   7.4.2. The Property VendorID....................................MAY
   7.4.3. The Property MaxLifetimeSeconds.........................MUST
   7.4.4. The Property MaxLifetimeKilobytes.......................MUST
   7.5. The Class AHTransform.....................................MUST
   7.5.1. The Property AHTransformId..............................MUST
   7.5.2. The Property UseReplayPrevention.........................MAY
   7.5.3. The Property ReplayPreventionWindowSize..................MAY
   7.6. The Class ESPTransform....................................MUST
   7.6.1. The Property IntegrityTransformId.......................MUST
   7.6.2. The Property CipherTransformId..........................MUST
   7.6.3. The Property CipherKeyLength.............................MAY
   7.6.4. The Property CipherKeyRounds.............................MAY
   7.6.5. The Property UseReplayPrevention.........................MAY
   7.6.6. The Property ReplayPreventionWindowSize..................MAY
   7.7. The Class IPCOMPTransform..................................MAY
   7.7.1. The Property Algorithm..................................MUST
   7.7.2. The Property DictionarySize..............................MAY
   7.7.3. The Property PrivateAlgorithm............................MAY
   7.8. The Association Class SAProposalInSystem...................MAY
   7.8.1. The Reference Antecedent................................MUST
   7.8.2. The Reference Dependent.................................MUST
   7.9. The Aggregation Class ContainedTransform..................MUST
   7.9.1. The Reference GroupComponent............................MUST
   7.9.2. The Reference PartComponent.............................MUST
   7.9.3. The Property SequenceNumber.............................MUST
   7.10. The Association Class SATransformInSystem.................MAY
   7.10.1. The Reference Antecedent...............................MUST
   7.10.2. The Reference Dependent................................MUST
   8. IKE Service and Identity Classes
   8.1. The Class IKEService.......................................MAY
   8.2. The Class PeerIdentityTable................................MAY
   8.3.1. The Property Name.....................................SHOULD
   8.3. The Class PeerIdentityEntry................................MAY
   8.3.1. The Property PeerIdentity.............................SHOULD
   8.3.2. The Property PeerIdentityType.........................SHOULD
   8.3.3. The Property PeerAddress..............................SHOULD
   8.3.4. The Property PeerAddressType..........................SHOULD
   8.4. The Class AutostartIKEConfiguration........................MAY
   8.5. The Class AutostartIKESetting..............................MAY
   8.5.1. The Property Phase1Only..................................MAY
   8.5.2. The Property AddressType..............................SHOULD
   8.5.3. The Property SourceAddress..............................MUST

Jason, et al               Expires May-2002                  [Page 78]


Internet Draft     IPsec Configuration Policy Model      November 2001


   8.5.4. The Property SourcePort.................................MUST
   8.5.5. The Property DestinationAddress.........................MUST
   8.5.6. The Property DestinationPort............................MUST
   8.5.7. The Property Protocol...................................MUST
   8.6. The Class IKEIdentity......................................MAY
   8.6.1. The Property IdentityType...............................MUST
   8.6.2. The Property IdentityValue..............................MUST
   8.6.3. The Property IdentityContexts............................MAY
   8.7. The Association Class HostedPeerIdentityTable..............MAY
   8.7.1. The Reference Antecedent................................MUST
   8.7.2. The Reference Dependent.................................MUST
   8.8. The Aggregation Class PeerIdentityMember...................MAY
   8.8.1. The Reference Collection................................MUST
   8.8.2. The Reference Member....................................MUST
   8.9. The Association Class IKEServicePeerGateway................MAY
   8.9.1. The Reference Antecedent................................MUST
   8.9.2. The Reference Dependent.................................MUST
   8.10. The Association Class IKEServicePeerIdentityTable.........MAY
   8.10.1. The Reference Antecedent...............................MUST
   8.10.2. The Reference Dependent................................MUST
   8.11. The Association Class IKEAutostartSetting.................MAY
   8.11.1. The Reference Element..................................MUST
   8.11.2. The Reference Setting..................................MUST
   8.12. The Aggregation Class AutostartIKESettingContext..........MAY
   8.12.1. The Reference Context..................................MUST
   8.12.2. The Reference Setting..................................MUST
   8.12.3. The Property SequenceNumber..........................SHOULD
   8.13. The Association Class IKEServiceForEndpoint...............MAY
   8.13.1. The Reference Antecedent...............................MUST
   8.13.2. The Reference Dependent................................MUST
   8.14. The Association Class IKEAutostartConfiguration...........MAY
   8.14.1. The Reference Antecedent...............................MUST
   8.14.2. The Reference Dependent................................MUST
   8.14.3. The Property Active..................................SHOULD
   8.15. The Association Class IKEUsesCredentialManagementService..MAY
   8.15.1. The Reference Antecedent...............................MUST
   8.15.2. The Reference Dependent................................MUST
   8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY
   8.16.1. The Reference Antecedent...............................MUST
   8.16.2. The Reference Dependent................................MUST
   8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY
   8.17.1. The Reference Antecedent...............................MUST
   8.17.2. The Reference Dependent................................MUST
   8.18. The Association Class IKEIdentitysCredential..............MAY
   8.18.1. The Reference Antecedent...............................MUST
   8.18.2. The Reference Dependent................................MUST


10. Security Considerations

   This document describes a schema for IPsec policy.  It does not
   detail security requirements for storage or delivery of said schema.


Jason, et al               Expires May-2002                  [Page 79]


Internet Draft     IPsec Configuration Policy Model      November 2001


   Storage and delivery security requirements should be detailed in a
   comprehensive security policy architecture document.

11. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.

   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

12. Acknowledgments

   The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
   Vic Lortz, and William Dixon for their contributions to this IPsec
   policy model.

   Additionally, this draft would not have been possible without the
   preceding IPsec schema drafts.  For that, thanks go out to Rob
   Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
   Rajan.

13. References

   [IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)",
   RFC 2409, November 1998.

   [COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP
   Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

   [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload
   (ESP)", RFC 2406, November 1998.

   [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC
   2402, November 1998.




Jason, et al               Expires May-2002                  [Page 80]


Internet Draft     IPsec Configuration Policy Model      November 2001


   [PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core
   Information Model -- Version 1 Specification", RFC 3060, February
   2001.

   [PCIME] Moore, B., Rafalow, L., Ramberg, Y., Snir, Y., Westerinen,
   A., Chadha, R., Brunner, M., Cohen, R. and Strassner, J., "Policy
   Core Information Model Extensions", draft-ietf-policy-pcim-ext-
   05.txt, October 2001  Internet Draft work in progress

   [DOI] Piper, D., "The Internet IP Security Domain of Interpretation
   for ISAKMP", RFC 2407, November 1998.

   [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory
   Access Protocol (v3)", RFC 2251, December 1997.

   [COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
   Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
   January 2000.  Internet-Draft work in progress.

   [COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie,
   F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
   Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000.
   Internet-Draft work in progress.

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
   Requirement Levels", BCP 14, RFC 2119, March 1997.

   [IPSO] Kent, S., "U.S. Department of Defense Security Options for
   the Internet Protocol", RFC 1108, November 1991.

   [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the
   Internet Protocol", RFC 2401, November 1998.

   [DMTF] Distributed Management Task Force, http://www.dmtf.org/

   [CIMCORE] DMTF Common Information Model - Core Model v2.5,
   http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25.mof and
   http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25_Add.mof

   [CIMUSER] DMTF Common Information Model - User-Security Model v2.5,
   http://www.dmtf.org/var/release/CIM_Schema25/CIM_User25.mof

   [CIMNETWORK] DMTF Common Information Model - Network Model v2.5,
   http://www.dmtf.org/var/release/CIM_Schema25/CIM_Network25.mof

14. Disclaimer

   The views and specification herein are those of the authors and are
   not necessarily those of their employer.  The authors and their
   employer specifically disclaim responsibility for any problems
   arising from correct or incorrect implementation or use of this
   specification.


Jason, et al               Expires May-2002                  [Page 81]


Internet Draft     IPsec Configuration Policy Model      November 2001


15. Authors' Addresses

      Jamie Jason
      Intel Corporation
      MS JF3-206
      2111 NE 25th Ave.
      Hillsboro, OR 97124
      E-Mail: jamie.jason@intel.com

      Lee Rafalow
      IBM Corporation, BRQA/502
      4205 So. Miami Blvd.
      Research Triangle Park, NC 27709
      E-mail:  rafalow@watson.ibm.com

      Eric Vyncke
      Cisco Systems
      Avenue Marcel Thiry, 77
      B-1200 Brussels
      Belgium
      E-mail: evyncke@cisco.com

16. Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it maybe copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other then
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING
   TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.





Jason, et al               Expires May-2002                  [Page 82]