IPsec Configuration Policy Information Model
RFC 3585

Document Type RFC - Proposed Standard (August 2003; No errata)
Last updated 2015-10-14
Stream IETF
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3585 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Steven Bellovin
Send notices to (None)
Network Working Group                                           J. Jason
Request for Comments: 3585                             Intel Corporation
Category: Standards Track                                     L. Rafalow
                                                                     IBM
                                                               E. Vyncke
                                                           Cisco Systems
                                                             August 2003

             IPsec Configuration Policy Information Model

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document presents an object-oriented information model of IP
   Security (IPsec) policy designed to facilitate agreement about the
   content and semantics of IPsec policy, and enable derivations of
   task-specific representations of IPsec policy such as storage schema,
   distribution representations, and policy specification languages used
   to configure IPsec-enabled endpoints.  The information model
   described in this document models the configuration parameters
   defined by IPsec.  The information model also covers the parameters
   used by the Internet Key Exchange protocol (IKE).  Other key
   exchange protocols could easily be added to the information model by
   a simple extension.  Further extensions can be added easily due to
   the object-oriented nature of the model.

   This information model is based upon the core policy classes as
   defined in the Policy Core Information Model (PCIM) and in the Policy
   Core Information Model Extensions (PCIMe).

Jason, et al.               Standards Track                     [Page 1]
RFC 3585            IPsec Configuration Policy Model         August 2003

Table of Contents

   1.  Introduction..................................................  3
   2.  UML Conventions...............................................  4
   3.  IPsec Policy Model Inheritance Hierarchy......................  6
   4.  Policy Classes................................................ 11
       4.1.  The Class SARule........................................ 13
       4.2.  The Class IKERule....................................... 17
       4.3.  The Class IPsecRule..................................... 18
       4.4.  The Association Class IPsecPolicyForEndpoint............ 18
       4.5.  The Association Class IPsecPolicyForSystem.............. 19
       4.6.  The Aggregation Class SAConditionInRule................. 19
       4.7.  The Aggregation Class PolicyActionInSARule.............. 20
   5.  Condition and Filter Classes.................................. 22
       5.1.  The Class SACondition................................... 23
       5.2.  The Class IPHeadersFilter............................... 23
       5.3.  The Class CredentialFilterEntry......................... 23
       5.4.  The Class IPSOFilterEntry............................... 25
       5.5.  The Class PeerIDPayloadFilterEntry...................... 26
       5.6.  The Association Class FilterOfSACondition............... 28
       5.7.  The Association Class AcceptCredentialFrom.............. 29
   6.  Action Classes................................................ 30
       6.1.  The Class SAAction...................................... 32
       6.2.  The Class SAStaticAction................................ 33
       6.3.  The Class IPsecBypassAction............................. 34
       6.4.  The Class IPsecDiscardAction............................ 34
       6.5.  The Class IKERejectAction............................... 35
       6.6.  The Class PreconfiguredSAAction......................... 35
       6.7.  The Class PreconfiguredTransportAction.................. 36
       6.8.  The Class PreconfiguredTunnelAction..................... 37
       6.9.  The Class SANegotiationAction........................... 37
       6.10. The Class IKENegotiationAction.......................... 38
       6.11. The Class IPsecAction................................... 39
       6.12. The Class IPsecTransportAction.......................... 41
       6.13. The Class IPsecTunnelAction............................. 42
       6.14. The Class IKEAction..................................... 42
       6.15. The Class PeerGateway................................... 44
       6.16. The Association Class PeerGatewayForTunnel.............. 45
       6.17. The Aggregation Class ContainedProposal................. 46
       6.18. The Association Class HostedPeerGatewayInformation...... 47