draft-ietf-ipsp-config-policy-model-01.txt
(revision diff against draft-ietf-ipsp-config-policy-model-00.txt of
9-March-2000; the text below follows the -01 revision, with the -00
text that -01 replaced marked as such)

Internet Engineering Task Force                          Jamie Jason
INTERNET DRAFT                                     Intel Corporation
11-July-2000

                   IPsec Configuration Policy Model
              draft-ietf-ipsp-config-policy-model-01.txt

Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six
[...]
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract

This document presents an object-oriented model of IPsec policy
designed to:

o facilitate agreement about the content and semantics of IPsec
  policy

o enable derivations of task-specific representations of IPsec
  policy such as storage schema, distribution representations,
  and policy specification languages used to configure IPsec-
  enabled endpoints

The schema described in this document models the IKE phase one
parameters as described in [IKE] and the IKE phase two parameters
for the IPsec Domain of Interpretation as described in [COMP, ESP,
AH, DOI]. It is based upon the core policy classes as defined in
the Policy Core Information Model (PCIM) [PCIM].
Table of Contents

Status of this Memo
Abstract
Table of Contents
1. Introduction
2. UML Conventions
3. IPsec Policy Model Inheritance Hierarchy
4. Policy Classes
4.1. The Class IPsecPolicyGroup
4.1.1. The Property IKERuleOverridePoint
4.1.2. The Property IPsecRuleOverridePoint
4.2. The Class SARule
4.3. The Class IKERule
4.4. The Class IPsecRule
4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup
4.5.1. The Reference ContainingGroup
4.5.2. The Reference ContainedGroup
4.5.3. The Property Precedence
4.6. The Composition Class RuleForIKENegotiation
4.6.1. The Reference ContainingGroup
4.6.2. The Reference ContainedRule
4.7. The Composition Class RuleForIPsecNegotiation
4.7.1. The Reference ContainingGroup
4.7.2. The Reference ContainedRule
4.8. The Aggregation Class SAConditionInRule
4.8.1. The Reference ContainingRule
4.8.2. The Reference ContainedCondition
4.8.3. The Property SequenceNumber
4.9. The Aggregation Class SAActionInRule
4.9.1. The Reference ContainingRule
4.9.2. The Reference ContainedAction
4.10. The Aggregation Class FallbackSAActionInRule
4.10.1. The Reference ContainingRule
4.10.2. The Reference ContainedAction
4.10.3. The Property SequenceNumber
5. Condition and Filter Classes
5.1. The Class SACondition
5.1.1. The Property StartupCondition
5.2. The Class FilterList
5.2.1. The Property Name
5.2.2. The Property Direction
5.3. The Abstract Class FilterEntryBase
5.3.1. The Property Name
5.3.2. The Property IsNegated
5.4. The Abstract Class IPFilterEntry
5.5. The Abstract Class EndpointFilterEntry
5.5.1. The Property ApplyToDestination
5.6. The Class IPv4AddressFilterEntry
5.6.1. The Property Address
5.7. The Class IPv4RangeFilterEntry
5.7.1. The Property StartAddress
5.7.2. The Property EndAddress
5.8. The Class IPv4SubnetFilterEntry
5.8.1. The Property Address
5.8.2. The Property Mask
5.9. The Class IPv6AddressFilterEntry
5.9.1. The Property Address
5.10. The Class IPv6RangeFilterEntry
5.10.1. The Property StartAddress
5.10.2. The Property EndAddress
5.11. The Class IPv6SubnetFilterEntry
5.11.1. The Property Address
5.11.2. The Property Mask
5.12. The Class FQDNFilterEntry
5.12.1. The Property Name
5.13. The Class ProtocolFilterEntry
5.13.1. The Property Protocol
5.14. The Class UDPFilterEntry
5.14.1. The Property StartPort
5.14.2. The Property EndPort
5.15. The Class TCPFilterEntry
5.15.1. The Property StartPort
5.15.2. The Property EndPort
5.16. The Abstract Class IPSOFilterEntry
5.17. The Class ClassificationLevelFilterEntry
5.17.1. The Property Level
5.18. The Class ProtectionAuthorityFilterEntry
5.18.1. The Property Authority
5.19. The Class CredentialFilterEntry
5.20. The Aggregation Class FilterOfSACondition
5.20.1. The Reference Antecedent
5.20.2. The Reference Dependent
5.21. The Composition Class EntriesInFilterList
5.21.1. The Reference Antecedent
5.21.2. The Reference Dependent
5.21.3. The Property EntrySequence
6. Action Classes
6.1. The Class SAAction
6.2. The Class SAStaticAction
6.2.1. The Property LifetimeSeconds
6.3. The Class IPsecBypassAction
6.4. The Class IPsecDiscardAction
6.4.1. The Property DoLogging
6.5. The Class IKERejectAction
6.5.1. The Property DoLogging
6.6. The Class SAPreconfiguredAction
6.7. The Class SANegotiationAction
6.7.1. The Property MinLifetimeSeconds
6.7.2. The Property MinLifetimeKilobytes
6.7.3. The Property RefreshThresholdSeconds
6.7.4. The Property RefreshThresholdKilobytes
6.7.5. The Property IdleDurationSeconds
6.8. The Class IPsecAction
6.8.1. The Property UsePFS
6.8.2. The Property UseIKEGroup
6.8.3. The Property GroupId
6.8.4. The Property Granularity
6.9. The Class IPsecTransportAction
6.10. The Class IPsecTunnelAction
6.10.1. The Property PeerGateway
6.10.2. The Property DFHandling
6.11. The Class IKEAction
6.11.1. The Property RefreshThresholdDerivedKeys
6.11.2. The Property ExchangeMode
6.11.3. The Property UseIKEIdentityType
6.12. The Aggregation Class ContainedProposal
6.12.1. The Reference GroupComponent
6.12.2. The Reference PartComponent
6.12.3. The Property SequenceNumber
7. Proposal and Transform Classes
7.1. The Abstract Class SAProposal
7.1.1. The Property Name
7.1.2. The Property MaxLifetimeSeconds
7.1.3. The Property MaxLifetimeKilobytes
7.2. The Class IKEProposal
7.2.1. The Property LifetimeDerivedKeys
7.2.2. The Property CipherAlgorithm
7.2.3. The Property HashAlgorithm
7.2.4. The Property PRFAlgorithm
7.2.5. The Property GroupId
7.2.6. The Property AuthenticationMethod
7.3. The Class IPsecProposal
7.4. The Abstract Class SATransform
7.4.1. The Property Name
7.4.2. The Property VendorID
7.5. The Class AHTransform
7.5.1. The Property AHTransformId
7.6. The Class ESPTransform
7.6.1. The Property IntegrityTransformId
7.6.2. The Property CipherTransformId
7.6.3. The Property CipherKeyLength
7.6.4. The Property CipherKeyRounds
7.7. The Class IPCOMPTransform
7.7.1. The Property Algorithm
7.7.2. The Property DictionarySize
7.7.3. The Property PrivateAlgorithm
7.8. The Aggregation Class ContainedTransform
7.8.1. The Reference GroupComponent
7.8.2. The Reference PartComponent
7.8.3. The Property SequenceNumber
8. Security Considerations
9. Intellectual Property
10. Acknowledgments
11. References
12. Disclaimer
13. Author's Address
14. Full Copyright Statement
1. Introduction

Internet Protocol security (IPsec) policy may assume a variety of
forms as it travels from storage to distribution point to decision
point. At each step, it needs to be represented in a way that is
convenient for the current task. For example, the policy could
exist as, but is not limited to:

o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
  a directory

o an on-the-wire representation over a transport protocol like the
  Common Object Policy Service (COPS) [COPS, COPSPR]

o a text-based policy specification language [SPSL] suitable for
  editing by an administrator

o an Extensible Markup Language (XML) document

Each of these task-specific representations should be derived from a
canonical representation that precisely specifies the content and
semantics of the IPsec policy. The purpose of this document is to
abstract IPsec policy into a task-independent representation that is
not constrained by any particular task-dependent representation.

This document is organized as follows:

o Section 2 provides a quick introduction to the Unified Modeling
  Language (UML) graphical notation conventions used in this
  document.

o Section 3 provides the inheritance hierarchy which describes
  where the IPsec policy classes fit into the policy class
  hierarchy already defined by PCIM.

o The remainder of the document describes the classes which make
  up the IPsec policy model.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS].
2. UML Conventions

For this document, a UML static class diagram was chosen as the
canonical representation for the IPsec policy model. The reason
behind this decision is that UML provides a graphical, task-
independent way to model systems. A treatise on the graphical
notation used in UML is beyond the scope of this paper. However,
given the use of ASCII drawing for UML static class diagrams, a
description of the notational conventions used in this document is
in order:

o Boxes represent classes, with class names in brackets ([])
  representing a virtual class.

o A line that terminates with an arrow (<, >, ^, v) denotes
  inheritance. The arrow always points to the parent class.
  Inheritance can also be called generalization or specialization
  (depending upon the reference point). A base class is a
  generalization of a derived class, and a derived class is a
  specialization of a base class.

o Associations are used to model a relationship between two
  classes. Classes that share an association are connected using a
  line. There are two special kinds of associations - aggregations
  and compositions. Both model a whole-part relationship between
  two classes. Associations, and therefore aggregations and
  compositions, can also be modeled as classes.

o A line that begins with a "o" denotes aggregation. Aggregation
  denotes containment in which the contained class and the
  containing class have independent lifetimes.

o A line that begins with an "x" denotes composition. Composition
  denotes containment in which the contained class and the
  containing class have coincident lifetimes.

o Next to a line representing an association appears a
  multiplicity. Multiplicities indicate the number of objects in
  the relationship. The multiplicity may be:

  - a range in the form "lower bound..upper bound" indicating the
    minimum and maximum number of objects.

  - a number that indicates the exact number of objects.

  - an asterisk indicating any number of objects, including zero.
    Using an asterisk is shorthand for 0..n.

  - the letter n indicating from 1 to many. Using the letter n is
    shorthand for 1..n.

It should be noted that the UML static class diagram presented is a
conceptual view of IPsec policy designed to aid in understanding.
It does not necessarily get translated class for class into another
representation. For example, an LDAP implementation may flatten out
the representation to fewer classes (because of the inefficiency of
following references).
3. Endpoint Classes 3. IPsec Policy Model Inheritance Heirarchy
An endpoint is an abstraction used to represent an IP address or The following diagram represents the inheritance hierarchy and how
hostname. This class is used as a building block in further the IPsec policy model classes fit into PCIM.
classes.
+----------+ [unrooted]
|
+--Policy (PCIM)
| | | |
|[Endpoint]| | +--PolicyGroup (PCIM)
| | |
| | +--IPsecPolicyGroup (new class)
| | | |
+----------+ | +--PolicyRule (PCIM)
^ | | |
| | +--SARule (new abstract class)
| | |
| | +--IKERule (new class)
| | |
| | +--IPsecRule (new class)
| |
| +--PolicyCondition (PCIM)
| | |
| | +--SACondition (new class)
| |
| +--PolicyAction (PCIM)
| |
| +--SAAction (new abstract class)
| |
| +--SAStaticAction (new abstract class)
| | |
| | +--IPsecBypassAction (new class)
| | |
| | +--IPsecDiscardAction (new class)
| | |
| | +--IKERejectAction (new class)
| | |
| | +--SAPreconfiguredAction (new class)
| |
| +--SANegotiationAction (new abstract class)
| |
| +--IPsecAction (new abstract class)
| | |
| | +--IPsecTransportAction (new class)
| | |
| | +--IPsecTunnelAction (new class)
| |
| +--IKEAction (new abstract class)
| |
+---------------------------+--------------------------+ +--FilterList
|
+--FilterEntryBase
| |
| +--IPFilterEntry (new abstract class)
| | | | | |
+------------+ +------------+ +------------+ | | +--EndpointFilterEntry (new abstract class)
| | | | | | | | | |
|FQDNEndpoint| |IPv4Endpoint| |IPv6Endpoint| | | | +--IPv4AddressFilterEntry (new class)
| | | | | | | | | |
+------------+ +------------+ +------------+ | | | +--IPv4RangeFilterEntry (new class)
| | | |
| | | +--IPv4SubnetFilterEntry (new class)
| | | |
| | | +--IPv6AddressFilterEntry (new class)
| | | |
| | | +--IPv6RangeFilterEntry (new class)
| | | |
| | | +--IPv6SubnetFilterEntry (new class)
| | | |
| | | +--FQDNFilterEntry (new class)
| | |
| | +--PortFilterEntry (new class)
| | |
| | +--ProtocolFilterEntry (new class)
| |
| +--IPSOFilterEntry (new class)
| |
| +--CredentialFilterEntry (new class)
|
+--SAProposal (new abstract class)
| |
| +--IKEProposal (new class)
| |
| +--IPsecProposal (new class)
|
+--SATransform (new abstract class)
|
+--AHTransform (new class)
|
+--ESPTransform (new class)
|
+--IPCOMPTransform (new class)
3.1. The Class Endpoint The following diagram represents the inheritance hierarchy and how
the IPsec policy model association classes fit into PCIM.
The Endpoint class is used as an abstract base class from which [unrooted]
concrete endpoint classes are expected to derive from. |
+--PolicyGroupInPolicyGroup (PCIM)
| |
| +--IPsecPolicyGroupInPolicyGroup (new class)
|
+--PolicyConditionInPolicyRule (PCIM)
| |
| +--SAConditionInRule (new class)
|
+--FallbackSAActionInRule (new class)
|
+--EntriesInFilterList (new class)
|
+--ContainedProposal (new class)
|
+--IPsecContainedTransform (new class)
[draft-ietf-ipsp-config-policy-model-00.txt, old text]

3.2. The Class FQDNEndpoint

   The FQDNEndpoint class is used to represent endpoints that can be
   expressed using a DNS name. It contains the following attribute:

   NAME         name
   DESCRIPTION  Either a fully-qualified or wild-carded (partially or
                fully) domain name.
   TYPE         string
   VALUE        MAY either be fully-qualified (for example,
                runner.jf.intel.com) or wild-carded (for example,
                *.intel.com).

3.3. The Class IPv4Endpoint

   The IPv4Endpoint class is used to represent endpoints that can be
   expressed using an IPv4 address. It contains the following
   attribute:

   NAME         address
   DESCRIPTION  The IPv4 address.
   TYPE         unsigned 32-bit integer
   VALUE        0x00000000 (i.e., 0.0.0.0) - used to specify any IP
                address (i.e., a totally wild-carded address or "*").
                Any other value specifies an IPv4 address.

3.4. The Class IPv6Endpoint

   The IPv6Endpoint class is used to represent endpoints that can be
   expressed using an IPv6 address. It contains the following
   attribute:

   NAME         address
   DESCRIPTION  The IPv6 address.
   TYPE         octet[16]
   VALUE        all zeros (i.e., 0:0:0:0:0:0:0:0) - used to specify
                any IP address (i.e., a totally wild-carded address or
                "*"). Any other value specifies an IPv6 address.

4. IPsec Policy Classes

   The IPsec policy classes represent the set of policies that are
   contained on a system. In addition, they indicate the active
   policies as well as associate a policy with a particular interface
   on a system.

[draft-ietf-ipsp-config-policy-model-01.txt, new text]

4. Policy Classes

   The IPsec policy classes represent the set of policies that are
   contained on a system.

                               +------+
                               |      |*
                               | (a) *+------------------+
                               +-----o| IPsecPolicyGroup |
                                      +------------------+
                                    1 x                x 1
                            (b)       |                |       (c)
               +----------------------+                +----------------------+
               |                                                              |
               |           +---------------------------+                      |
               |           | PolicyTimePeriodCondition |                      |
               |           |    (defined in [PCIM])    |                      |
               |           +---------------------------+                      |
               |                        *|                                    |
               |                         | (d)                                |
               |                        *o                                    |
               |   +-------------+*    *+--------+*         1+----------+     |
               |   | SACondition |------o| SARule |o-----------| SAAction |    |
               |   +-------------+ (e)   +--------+ (f)        +----------+    |
               |                           ^   o*                 *|          |
               |                           |   +--------(g)--------+          |
               |                  +--------+--------+                         |
               |                  |                 |                         |
               |                 *+---------+       +-----------+*            |
               +------------------| IKERule |       | IPsecRule |-------------+
                                  +---------+       +-----------+

   (a) IPsecPolicyGroupInPolicyGroup
   (b) RuleForIKENegotiation
   (c) RuleForIPsecNegotiation
   (d) PolicyRuleValidityPeriod (defined in [PCIM])
   (e) SAConditionInRule
   (f) SAActionInRule
   (g) FallbackSAActionInRule

4.1. The Class IPsecPolicyGroup

   The class IPsecPolicyGroup serves as a container of either other
   IPsecPolicyGroups or a set of IKERules and a set of IPsecRules.
   Rules contained within an IPsecPolicyGroup MUST have a unique
   Priority value. The class definition for IPsecPolicyGroup is as
   follows:

   NAME         IPsecPolicyGroup
   DESCRIPTION  Either a set of IPsecPolicyGroups or a set of IKERules
                and a set of IPsecRules.
   DERIVED FROM PolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyGroupName (from PolicyGroup)
                IKERuleOverridePoint
                IPsecRuleOverridePoint

   NOTE: for derivations of the schema that are used for policy
   distribution to an IPsec device (for example, COPS-PR), the server
   may follow all of the IPsecPolicyGroupInPolicyGroup associations and
   create one policy group which is simply a set of all of the IKE
   rules and a set of all of the IPsec rules. See the section on the
   IPsecPolicyGroupInPolicyGroup aggregation for information on merging
   multiple IPsecPolicyGroups.
[draft-ietf-ipsp-config-policy-model-00.txt, old text]

                       +---------------+
                       |               |
                       |IPsecPolicyList|
                       |               |
                       +---------------+
                             * o
                               |
                            (a)|
                               |
                             * |
                       +-----------+                 +-----------+
                       |           |*      (b)      *|           |
                       |IPsecPolicy|o----------------|IPInterface|
                       |           |      {1}        |           |
                       +-----------+                 +-----------+
                        1 x     x 1                   1 x
                          |     |                       |
                       (c)|{2}  |(d){3}                 |(e){4}
                          |     |                       |
                        * |     | *                   1 |
                       +-----------------------+     +----------+
                       |                       |     |          |
                       |SecurityAssociationRule|     |[Endpoint]|
                       |                       |     |          |
                       +-----------------------+     +----------+

   (a) Policies
   (b) TargetedInterface
   (c) IKERules
   (d) IPsecRules
   (e) Identity

   {1} 1. If the policy is marked as enabled, then the IPsecPolicy
          object MUST reference an IPInterface object.
       2. For each interface, there is only one IPsec policy marked
          as enabled.
   {2} IKE rules are ordered and are considered logically ORed. Rule
       search will stop once a rule that matches the input criteria is
       found.
   {3} IPsec rules are ordered and are considered logically ORed.
       Rule search will stop once a rule that matches the input
       criteria is found.
   {4} If the endpoint type is an FQDN, then the DNS name MUST be
       fully-qualified (i.e., no wild-card values allowed).
       If the endpoint type is an IPv4 or IPv6 address, then the
       address value MUST NOT be the wild-card address.

4.1. The Class IPsecPolicyList

   The IPsecPolicyList class is a container for all of the policies on
   a particular system. It contains the following reference:

   NAME         Policies
   DESCRIPTION  The policies installed on a particular system. Note
                that there is a distinction between a policy being
                installed on a system and actually being actively
                enforced (see the IPsecPolicy class).

   Note: an IPsecPolicyList MAY contain no policies. Additionally, a
   policy MAY be defined which is not in any policy list. The latter
   case is only relevant for a management station - in other words, an
   IPsec policy has been created but it has not yet been targeted to a
   system.

[draft-ietf-ipsp-config-policy-model-01.txt, new text]

4.1.1. The Property IKERuleOverridePoint

   This property specifies the rule priority at which the policy author
   is willing to allow IKERule insertions by a local administrator.
   For example, the IT department may define the policy on a company-
   wide basis, but allow groups or individuals to insert rules into the
   policy to override defaults. Rules are ordered in decreasing order
   of their priority (i.e., higher priorities come first). The
   override point specifies that if rules are inserted, they are to be
   inserted before all rules equal to or less than the override
   priority value.

   For example, assume that there is a group G1 with IKE rules as
   follows:

      G1 = { Rule A (priority 50),
             Rule B (priority 25),
             Rule C (priority 15) }

   The IKE override value for G1 is 20. Now assume that a local
   administrator wants to insert a set of IKE rules {Rule D, Rule E}
   where Rule D has a higher priority than Rule E. The new rules will
   be added before rules in G1 with priority equal to or less than 20.
   So, when evaluating rules, the order of evaluation would be A, B, D,
   E, C. Note that the priorities of the rules in the override set are
   relative only to that set.

   The property is defined as follows:

   NAME         IKERuleOverridePoint
   DESCRIPTION  Specifies the rule priority at which the policy author
                is willing to allow IKERule insertions by a local
                administrator.
   SYNTAX       unsigned 16-bit integer
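The insertion rule of 4.1.1 and the priority renumbering that 4.5 mentions, as an added example that is not part of either draft. The rule names, the priority values and the helper names are constructed; the only inputs are the group, its override point and the locally inserted set.

```python
# Added example (not from the draft): inserting a local rule set into a
# policy group at its IKERuleOverridePoint, as described in section 4.1.1.
# Rule names, priorities and helper names are constructed for illustration.
from dataclasses import dataclass
from typing import List

MAX_PRIORITY = 0xFFFF          # Priority is an unsigned 16-bit integer


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int               # higher priority is evaluated first


def evaluation_order(rules: List[Rule]) -> List[str]:
    """Rules are evaluated in decreasing priority order (4.1.1)."""
    return [r.name for r in sorted(rules, key=lambda r: r.priority, reverse=True)]


def insert_at_override_point(group: List[Rule], override_point: int,
                             local_rules: List[Rule]) -> List[Rule]:
    """Insert local_rules before every group rule whose priority is <= override_point.

    The local rules' priorities are meaningful only relative to each other
    (4.1.1), so they are ordered among themselves and then renumbered into
    the gap below the last 'above' rule.  Group rules below the override
    point keep their own priority unless that would collide with an
    inserted rule, in which case they are renumbered too, so that every
    priority in the merged group stays unique (4.1, 4.5).
    """
    above = sorted((r for r in group if r.priority > override_point),
                   key=lambda r: r.priority, reverse=True)
    below = sorted((r for r in group if r.priority <= override_point),
                   key=lambda r: r.priority, reverse=True)
    local = sorted(local_rules, key=lambda r: r.priority, reverse=True)

    result = list(above)
    next_free = (above[-1].priority - 1) if above else MAX_PRIORITY
    for rule, is_local in [(r, True) for r in local] + [(r, False) for r in below]:
        if not is_local and rule.priority <= next_free:
            prio = rule.priority        # no collision: keep the group's own value
        else:
            prio = next_free            # inserted rule, or a group rule pushed down
        if prio < 0:
            raise ValueError("ran out of priority values while renumbering")
        result.append(Rule(rule.name, prio))
        next_free = prio - 1
    return result
```

With the draft's G1 and an override point of 20, the merged order is A, B, D, E, C and D and E receive priorities 24 and 23.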
[draft-ietf-ipsp-config-policy-model-00.txt, old text]

4.2. The Class IPsecPolicy

   The IPsecPolicy class is a container for all of the rules used to
   enforce the policy. It contains the following attribute/references:

   NAME         enabled
   DESCRIPTION  Indicates whether or not the policy is enabled (i.e.,
                is actively being enforced). As stated in the
                constraint {1}, if the policy is enabled, it MUST be
                associated with a particular interface on the system.
                This allows for different policies to be enforced on
                different interfaces.
   TYPE         boolean
   VALUE        true - policy is currently enabled
                false - policy is currently disabled

   NAME         TargetedInterface
   DESCRIPTION  The interface on the system for which this policy is to
                be enforced. As stated in the constraint {1}, for each
                interface there is only one policy enabled at any one
                given time.

   NAME         IKERules
   DESCRIPTION  The rules which govern when and how to perform IKE
                phase 1 negotiation. These rules are an ordered list
                and are logically ORed. When processing the rules, the
                first rule matched is the one used.

   NAME         IPsecRules
   DESCRIPTION  The rules which govern when and how to perform IKE
                phase 2 negotiation. These rules are an ordered list
                and are logically ORed. When processing the rules, the
                first rule matched is the one used.

4.3. The Class IPInterface

   The IPInterface class is used to represent an interface on the
   system. It contains the following reference:

   NAME         Identity
   DESCRIPTION  Indicates the IP address or DNS name assigned to the
                interface. No wild-card values are allowed for the
                endpoint object.

5. IPsec Rule Classes

   The IPsec rule class is used to associate a condition with the
   action which is to be performed when the condition evaluates to
   true.

                 +-----------------------+
                 |                       |
                 |SecurityAssociationRule|
                 |                       |
                 +-----------------------+
                  * o                 o *
                    |                 |
         +----------+                 +-----------+
         |   (a)                          (b)     |
       1 |                                        | 1
   +----------------------------+      +---------------------------+
   |                            |      |                           |
   |SecurityAssociationCondition|      |[SecurityAssociationAction]|
   |                            |      |                           |
   +----------------------------+      +---------------------------+

   (a) Condition
   (b) Action

5.1. The Class SecurityAssociationRule

   The SecurityAssociationRule class is used to associate a condition
   with the IKE/IPsec action information that is to be used during the
   negotiation. It contains the following attribute/references:

   NAME         enabled
   DESCRIPTION  Indicates whether or not the rule is enabled.
   TYPE         boolean
   VALUE        true - rule is currently enabled
                false - rule is currently disabled

   NAME         Condition
   DESCRIPTION  The condition, when evaluated against the given input,
                that MUST evaluate to true in order for the associated
                action to be performed.

   NAME         Action
   DESCRIPTION  The security association negotiation parameters to use
                when the associated condition evaluates to true.

6. IPSec Condition Classes

   The condition class is used to determine when the associated IKE or
   IPsec action is to be performed.

[draft-ietf-ipsp-config-policy-model-01.txt, new text]

4.1.2. The Property IPsecRuleOverridePoint

   This property specifies the rule priority at which the policy author
   is willing to allow IPsecRule insertions by a local administrator.
   This property is the same as IKERuleOverridePoint except it is used
   for the IPsec rules in the IPsecPolicyGroup. The property is
   defined as follows:

   NAME         IPsecRuleOverridePoint
   DESCRIPTION  Specifies the rule priority at which the policy author
                is willing to allow IPsecRule insertions by a local
                administrator.
   SYNTAX       unsigned 16-bit integer

4.2. The Class SARule

   The class SARule serves as a base class for IKERule and IPsecRule.
   Even though the class is concrete, it MUST NOT be instantiated. It
   defines a common connection point for associations to conditions and
   actions for both types of rules. Each SARule within a given
   IPsecPolicyGroup must contain a unique priority. Through its
   derivation from PolicyRule, an SARule (and therefore IKERule and
   IPsecRule) also has the PolicyRuleValidityPeriod association. The
   class definition for SARule is as follows:

   NAME         SARule
   DESCRIPTION  A base class for IKERule and IPsecRule.
   DERIVED FROM PolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyRuleName (from PolicyRule)
                Enabled (from PolicyRule)
                ConditionListType (from PolicyRule)
                Priority (from PolicyRule)
                PolicyRoles (from PolicyRule)

4.3. The Class IKERule

   The class IKERule associates Conditions and Actions for IKE phase 1
   negotiations. The class definition for IKERule is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 1
                negotiations.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.4. The Class IPsecRule

   The class IPsecRule associates Conditions and Actions for IKE phase
   2 negotiations for the IPsec DOI. The class definition for
   IPsecRule is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 2
                negotiations for the IPsec DOI.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup

   The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec
   policies to be combined into one effective policy. When merging
   policies, rule priorities are used in conjunction with the rule
   override point values to determine insertion points and for rule
   priority renumbering (if necessary to maintain uniqueness). The
   class definition for IPsecPolicyGroupInPolicyGroup is as follows:

   NAME         IPsecPolicyGroupInPolicyGroup
   DESCRIPTION  Associates a nested IPsecPolicyGroup with the
                IPsecPolicyGroup that contains it.
   DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   ContainingGroup[ref IPsecPolicyGroup[0..n]]
                ContainedGroup[ref IPsecPolicyGroup[0..n]]
                Precedence

4.5.1. The Reference ContainingGroup

   The property ContainingGroup is inherited from
   PolicyGroupInPolicyGroup and is overridden to contain an object
   reference to an IPsecPolicyGroup that contains one or more
   IPsecPolicyGroups. The [0..n] cardinality indicates that there may
   be zero or more IPsecPolicyGroups that contain any given
   IPsecPolicyGroup.

4.5.2. The Reference ContainedGroup

   The property ContainedGroup is inherited from
   PolicyGroupInPolicyGroup and is overridden to contain an object
   reference to an IPsecPolicyGroup contained by one or more
   IPsecPolicyGroups. The [0..n] cardinality indicates that an
   IPsecPolicyGroup may contain zero or more IPsecPolicyGroups.
4.5.3. The Property Precedence
The property Precedence specifies the merge ordering of the nested
IPsecPolicyGroups. The property is defined as follows:
NAME Precedence
DESCRIPTION Specifies the merge ordering of the nested
IPsecPolicyGroups.
SYNTAX unsigned 16-bit integer
VALUE Any value between 1 and 2^16-1 inclusive. Lower values
have higher precedence (i.e., 1 is the highest
precedence). The merging order of two ContainedGroups
with the same precedence is undefined.
4.6. The Composition Class RuleForIKENegotiation
The class RuleForIKENegotiation associates an IKERule with the
IPsecPolicyGroup that contains it. The class definition for
RuleForIKENegotiation is as follows:
NAME RuleForIKENegotiation
DESCRIPTION Associates an IKERule with the IPsecPolicyGroup that
contains it.
ABSTRACT FALSE
PROPERTIES ContainingGroup [ref IPsecPolicyGroup [1..1]]
ContainedRule [ref IKERule [0..n]]
4.6.1. The Reference ContainingGroup
The property ContainingGroup contains an object reference to an
IPsecPolicyGroup that contains one or more IKERules. The [1..1]
cardinality indicates that an IKERule may be contained in only one
IPsecPolicyGroup (i.e., IKERules are not shared across
IPsecPolicyGroups).
4.6.2. The Reference ContainedRule
The property ContainedRule contains an object reference to an
IKERule contained by an IPsecPolicyGroup. The [0..n] cardinality
indicates that an IPsecPolicyGroup may contain zero or more
IKERules.
4.7. The Composition Class RuleForIPsecNegotiation
The class RuleForIPsecNegotiation associates an IPsecRule with the
IPsecPolicyGroup that contains it. The class definition for
RuleForIPsecNegotiation is as follows:
NAME RuleForIPsecNegotiation
DESCRIPTION Associates an IPsecRule with the IPsecPolicyGroup that
contains it.
ABSTRACT FALSE
PROPERTIES ContainingGroup [ref IPsecPolicyGroup [1..1]]
ContainedRule [ref IPsecRule [0..n]]
4.7.1. The Reference ContainingGroup
The property ContainingGroup contains an object reference to an
IPsecPolicyGroup that contains one or more IPsecRules. The [1..1]
cardinality indicates that an IPsecRule may be contained in only one
IPsecPolicyGroup (i.e., IPsecRules are not shared across
IPsecPolicyGroups).
4.7.2. The Reference ContainedRule
The property ContainedRule contains an object reference to an
IPsecRule contained by an IPsecPolicyGroup. The [0..n] cardinality
indicates that an IPsecPolicyGroup may contain zero or more
IPsecRules.
4.8. The Aggregation Class SAConditionInRule
The class SAConditionInRule associates an SARule with the
SACondition instances that trigger it. See [PCIM] for the usage for
the properties GroupNumber and ConditionNegated. The class
definition for SAConditionInRule is as follows:
NAME SAConditionInRule
DESCRIPTION Associates an SARule with the SACondition instances
that trigger it.
DERIVED FROM PolicyConditionInPolicyRule (see [PCIM])
ABSTRACT FALSE
PROPERTIES ContainingRule [ref SARule [0..n]]
ContainedCondition [ref SACondition [0..n]]
GroupNumber (from PolicyConditionInPolicyRule)
ConditionNegated (from PolicyConditionInPolicyRule)
SequenceNumber
4.8.1. The Reference ContainingRule
The property ContainingRule is inherited from
PolicyConditionInPolicyRule and is overridden to contain an object
reference to an SARule that contains one or more SAConditions. The
[0..n] cardinality indicates that an SACondition may be contained in
zero or more SARules.
4.8.2. The Reference ContainedCondition
The property ContainedCondition is inherited from
PolicyConditionInPolicyRule and is overridden to contain an object
reference to an SACondition that is contained by an SARule. The
[0..n] cardinality indicates that an SARule may contain zero or more
SAConditions.
4.8.3. The Property SequenceNumber
The property SequenceNumber specifies, for a given rule, the order
in which the SACondition instances will be evaluated. The property
is defined as follows:
NAME SequenceNumber
DESCRIPTION Specifies the evaluation order of the SAConditions.
SYNTAX unsigned 16-bit integer
VALUE Lower valued SAConditions are evaluated first. The
order of evaluation of ContainedConditions with the
same SequenceNumber value is undefined.
4.9. The Aggregation Class SAActionInRule
The SAActionInRule class associates an SARule with its primary
SAAction. The class definition for SAActionInRule is as follows:
NAME SAActionInRule
DESCRIPTION Associates an SARule with its primary SAAction.
DERIVED FROM PolicyActionInPolicyRule (see [PCIM])
ABSTRACT FALSE
PROPERTIES ContainingRule [ref SARule [0..n]]
ContainedAction [ref SAAction [1..1]]
4.9.1. The Reference ContainingRule
The property ContainingRule is inherited from
PolicyActionInPolicyRule and is overridden to contain an object
reference to an SARule that contains an SAAction. The [0..n]
cardinality indicates that an SAAction may be contained in zero or
more SARules.
4.9.2. The Reference ContainedAction
The property ContainedAction is inherited from
PolicyActionInPolicyRule and is overridden to contain an object
reference to an SAAction that is contained by an SARule. The [1..1]
cardinality indicates that an SARule may contain only one SAAction.
4.10. The Aggregation Class FallbackSAActionInRule
The class FallbackSAActionInRule associates an SARule with its
ordered set of fallback actions. Fallback actions allow an
administrator to define what action is to be taken if the SAAction
referenced by SAActionInRule fails for any reason. The class
definition for FallbackSAActionInRule is as follows:
NAME FallbackSAActionInRule
DESCRIPTION Associates an SARule with the ordered set of fallback
actions that should be attempted/applied in the case of
failure of the primary SAAction.
ABSTRACT FALSE
PROPERTIES ContainingRule [ref SARule [0..n]]
ContainedAction [ref SAAction [0..n]]
SequenceNumber
4.10.1. The Reference ContainingRule
The property ContainingRule contains an object reference to an
SARule that contains one or more fallback SAActions. The [0..n]
cardinality indicates that a fallback SAAction may be contained in
zero or more SARules.
4.10.2. The Reference ContainedAction
The property ContainedAction contains an object reference to a
fallback SAAction that is contained by one or more SARules. The
[0..n] cardinality indicates that an SARule may contain zero or more
fallback SAActions.
4.10.3. The Property SequenceNumber
The property SequenceNumber specifies, for a given rule, the order
in which the fallback SAActions should be attempted. Once a
fallback SAAction is successfully applied, then subsequent fallback
SAActions should be ignored. The property is defined as follows:
NAME SequenceNumber
DESCRIPTION Specifies the order of attempted application for the
fallback SAAction.
SYNTAX unsigned 16-bit integer
VALUE Lower valued fallback SAActions are attempted first.
The order of attempt of ContainedActions with the same
SequenceNumber value is undefined.
[draft-ietf-ipsp-config-policy-model-00.txt, old text]

       +----------------------------+
       |                            |
       |SecurityAssociationCondition|
       |                            |
       +----------------------------+
                   1 x
                     |
                  {1}|(a)
                     |
                     *
       +--------------------------------------+
       |                                      |
       |SecurityAssociationConditionExpression|
       |                                      |
       +--------------------------------------+
                   1 x
                     |
                  {2}|(b)
                     |
                     *
       +---------------------------+
       |                           |
       |[SecurityAssociationFilter]|
       |                           |
       +---------------------------+

   (a) Expressions
   (b) Filters

   {1} If using disjunctive normal form (DNF), each expression is
       logically ORed. If using conjunctive normal form (CNF), each
       expression is logically ANDed.
   {2} If using DNF, each filter is logically ANDed. If using CNF,
       each filter is logically ORed.

6.1. The Class SecurityAssociationCondition

   The SecurityAssociationCondition class specifies the criteria that
   are applied to the input information to determine if a particular
   condition is met. It contains the following attributes/references:

   NAME         negated
   DESCRIPTION  Indicates whether or not the result of the rule
                evaluation is to be negated.
   TYPE         boolean
   VALUE        true - condition evaluation result is to be negated
                false - condition evaluation result is not to be
                negated

   NAME         useDNF
   DESCRIPTION  Indicates whether or not the rule is specified in DNF
                or CNF form.
   TYPE         boolean
   VALUE        true - condition is expressed as DNF. The expressions
                within the condition are logically ORed. The filters
                within an expression are logically ANDed.
                false - condition is expressed as CNF. The expressions
                within the condition are logically ANDed. The filters
                within an expression are logically ORed.

6.2. The Class SecurityAssociationConditionExpression

   The SecurityAssociationConditionExpression class is used to combine
   several filters, which together constitute one logical expression.
   It contains the following reference:

   NAME         Filters
   DESCRIPTION  The set of filters, which combined, are used to
                represent the expression. When using DNF, these
                filters are logically ANDed. When using CNF, these
                filters are logically ORed.

[draft-ietf-ipsp-config-policy-model-01.txt, new text]

5. Condition and Filter Classes

   The IPsec condition and filter classes are used to build the "if"
   part of the IKE and IPsec rules.

   +-------------+*   0..1+------------+1       *+-------------------+
   | SACondition |o--------| FilterList |x--------| [FilterEntryBase] |
   +-------------+   (a)   +------------+   (b)   +-------------------+
                                                            ^
                                                            |
          +-------------------------------------------------+-----------------+
          |                                    |                              |
  +-----------------+                +-------------------+    +-----------------------+
  | [IPFilterEntry] |                | [IPSOFilterEntry] |    | CredentialFilterEntry |
  +-----------------+                +-------------------+    +-----------------------+
          ^                                    ^
          |                                    |   +--------------------------------+
          |                                    +---| ClassificationLevelFilterEntry |
          |                                    |   +--------------------------------+
          |                                    |   +--------------------------------+
          |                                    +---| ProtectionAuthorityFilterEntry |
          |                                        +--------------------------------+
          |
          +---------------------------+
          |                           |
  +-----------------------+    +---------------------+
  | [EndpointFilterEntry] |    | 
ProtocolFilterEntry |
  +-----------------------+    +---------------------+
          ^                              ^
          |   +------------------------+ |   +----------------+
          +---| FQDNFilterEntry        | +---| UDPFilterEntry |
          |   +------------------------+ |   +----------------+
          |   +------------------------+ |   +----------------+
          +---| IPv4AddressFilterEntry | +---| TCPFilterEntry |
          |   +------------------------+     +----------------+
          |   +------------------------+
          +---| IPv6AddressFilterEntry |
          |   +------------------------+
          |   +------------------------+
          +---| IPv4RangeFilterEntry   |
          |   +------------------------+
          |   +------------------------+
          +---| IPv6RangeFilterEntry   |
          |   +------------------------+
          |   +------------------------+
          +---| IPv4SubnetFilterEntry  |
          |   +------------------------+
          |   +------------------------+
          +---| IPv6SubnetFilterEntry  |
              +------------------------+

   (a) FilterOfSACondition
   (b) EntriesInFilterList

5.1. The Class SACondition

   The class SACondition defines the preconditions for IKE and IPsec
   negotiations. The class definition for SACondition is as follows:

   NAME         SACondition
   DESCRIPTION  Defines the preconditions for IKE and IPsec
                negotiations.
   DERIVED FROM PolicyCondition (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyConditionName (from PolicyCondition)
                StartupCondition

5.1.1. The Property StartupCondition

   This property specifies the triggering event that caused the rule
   evaluation. The property is defined as follows:

   NAME         StartupCondition
   DESCRIPTION  Specifies the triggering event that causes the rule to
                be evaluated.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 (OnBoot) - the rule is triggered after system boot.
                The FilterList associated with the SACondition contains
                the information that will be used to build the
                selectors.
                2 (OnManual) - the rule is triggered manually in
                response to user input. The FilterList associated with
                the SACondition contains the information that will be
                used to build the selectors.
                3 (OnDataTraffic) - the rule is triggered when packets
                without associated security associations are sent or
                received (traffic directionality is indicated by the
                Direction field of the associated FilterList).
                4 (OnIKEMessage) - the rule is triggered when an
                incoming request for IKE negotiation is received.

5.2. The Class FilterList

   The class FilterList aggregates an ANDed set of filters that are
   used for determining when an SACondition evaluates to true and
   therefore its associated SAAction should be performed. The class
   definition for FilterList is as follows:

   NAME         FilterList
   DESCRIPTION  Aggregates a set of filters for condition matching.
   ABSTRACT     FALSE
   PROPERTIES   Name
                Direction
[draft-ietf-ipsp-config-policy-model-00.txt, old text]

7. IPSec Filter Classes

   The filter classes are used to specify individual criteria which
   MUST be met before a condition will evaluate to true.

                 +---------------------------+
                 |                           |
                 |[SecurityAssociationFilter]|
                 |                           |
                 +---------------------------+
                               ^
                               |
            +------------------+--------+--------+-----------------+
         {1}|                  |        |                          |
   +-------------+      +----------+  +---------------+    +--------------+
   |             |      |          |  |               |    |              |
   |AddressFilter|      |PortFilter|  |PortRangeFilter|    |ProtocolFilter|
   |             |      |          |  |               |    |              |
   +-------------+      +----------+  +---------------+    +--------------+
         ^
         |
         +----------------------+---------------------+
         |                      |                     |
   +--------------+     +---------------+     +---------------+
   |              |     |               |     |               |
   |EndpointFilter|     |IPv4RangeFilter|     |IPv6RangeFilter|
   |              |     |               |     |               |
   +--------------+     +---------------+     +---------------+
        1 x
          |
       (a)|
          |
        1 |
   +----------+
   |          |
   |[Endpoint]|
   |          |
   +----------+

   (a) Identity

   {1} When the rule is for an IKE phase one negotiation, the
       AddressFilter is the only type of filter allowed.

7.1. The Class SecurityAssociationFilter

   The SecurityAssociationFilter class is used as an abstract base
   class from which all concrete filter classes are expected to derive.
   It contains the following attribute:

   NAME         negated
   DESCRIPTION  Indicates whether or not the result of the filter
                evaluation is to be negated.
   TYPE         boolean
   VALUE        true - filter evaluation is to be negated
                false - filter evaluation is not to be negated

7.2. The Class PortFilter

   The PortFilter class specifies a filter that is based upon a single
   port value. It contains the following attributes:

   NAME         applyToSource
   DESCRIPTION  Indicates whether or not the port specified is to be
                interpreted as a source port or a destination port.
   TYPE         boolean
   VALUE        true - the port specified is to be interpreted as a
                source port
                false - the port specified is to be interpreted as a
                destination port

   NAME         port
   DESCRIPTION  Specifies the port value.
   TYPE         unsigned 16-bit integer
   VALUE        0 - wild-card port (i.e., any port matches). Any other
                value specifies a specific port.

7.3. The Class PortRangeFilter

   The PortRangeFilter class specifies a filter that is based upon a
   range of port values. The port range is to be interpreted as
   inclusive. It contains the following attributes:

   NAME         applyToSource
   DESCRIPTION  Indicates whether or not the port specified is to be
                interpreted as a source port range or a destination
                port range.
   TYPE         boolean
   VALUE        true - the port range specified is to be interpreted as
                a source port range
                false - the port range specified is to be interpreted
                as a destination port range

   NAME         firstPort
   DESCRIPTION  Specifies the first port in the range.
   TYPE         unsigned 16-bit integer

   NAME         lastPort
   DESCRIPTION  Specifies the last port in the range.
   TYPE         unsigned 16-bit integer
   VALUE        The lastPort attribute value MUST be greater than or
                equal to the firstPort attribute value.

[draft-ietf-ipsp-config-policy-model-01.txt, new text]

5.2.1. The Property Name

   This property specifies a user-friendly name for the FilterList.
   The property is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies the user-friendly name for the FilterList.
   SYNTAX       string

5.2.2. The Property Direction

   This property specifies whether or not the FilterList will be used on
   incoming, outgoing, or bi-directional traffic. Direction is only
   useful for filter types that inspect traffic parameters and when the
   StartupCondition property in the SACondition is set to OnDataTraffic
   (3). The property is defined as follows:

   NAME         Direction
   DESCRIPTION  Specifies what kind of traffic will be checked -
                incoming, outgoing, or bi-directional.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - Incoming
                2 - Outgoing
                3 - Bi-directional

5.3. The Abstract Class FilterEntryBase

   The abstract class FilterEntryBase serves as the base class for the
   specific filter classes. The class definition for FilterEntryBase is
   as follows:

   NAME         FilterEntryBase
   DESCRIPTION  Serves as the base class for specific filter classes.
   ABSTRACT     TRUE
   PROPERTIES   Name
                IsNegated

5.3.1. The Property Name

   This property specifies a user-friendly name for the filter. The
   property is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies the user-friendly name for the filter.
   SYNTAX       string

5.3.2. The Property IsNegated

   This property specifies whether or not the boolean result of the
   filter evaluation should be negated. The property is defined as
   follows:

   NAME         IsNegated
   DESCRIPTION  Specifies whether or not to negate the result of the
                evaluation of the filter.
   SYNTAX       boolean
   VALUE        A value of true means that the boolean result of the
                filter evaluation will be negated. A value of false
                means that the boolean result of the evaluation of the
                filter will not be altered.

5.4. The Abstract Class IPFilterEntry

   The abstract class IPFilterEntry serves as a base class for filter
   entries which are used to match against the 5-tuple (i.e., source
   and destination address, protocol, and source and destination port)
   information in the IP packet. The class definition for
   IPFilterEntry is as follows:

   NAME         IPFilterEntry
   DESCRIPTION  Serves as the base class for IP 5-tuple filters.
   DERIVED FROM FilterEntryBase
   ABSTRACT     TRUE
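The -00 condition semantics of sections 6.1 and 6.2 (DNF versus CNF, with negation at both the filter and the condition level) applied to the -00 port and protocol filters of 7.1 to 7.4, as an added example that is not part of either draft. The Packet record, the helper names and the protocol numbers are constructed; the class and attribute names mirror the draft.

```python
# Added example, not from the draft: a -00 SecurityAssociationCondition
# (sections 6.1 and 6.2) built from the -00 port and protocol filters
# (7.1 to 7.4) and evaluated against a constructed 5-tuple. Class and
# field names mirror the draft; Packet and the helper functions are mine.
from dataclasses import dataclass
from typing import List

TCP, UDP = 6, 17                # IP protocol numbers used in the checks below


@dataclass
class Packet:                   # constructed input: the fields these filters inspect
    protocol: int
    src_port: int
    dst_port: int


@dataclass
class Filter:                   # SecurityAssociationFilter (7.1): 'negated' flips the result
    negated: bool = False

    def match(self, pkt: Packet) -> bool:
        return self._test(pkt) != self.negated

    def _test(self, pkt: Packet) -> bool:
        raise NotImplementedError


@dataclass
class PortFilter(Filter):       # 7.2: one port, 0 is the wild-card port
    applyToSource: bool = False
    port: int = 0

    def _test(self, pkt):
        p = pkt.src_port if self.applyToSource else pkt.dst_port
        return self.port == 0 or p == self.port


@dataclass
class PortRangeFilter(Filter):  # 7.3: inclusive range, lastPort >= firstPort
    applyToSource: bool = False
    firstPort: int = 0
    lastPort: int = 0

    def __post_init__(self):
        if self.lastPort < self.firstPort:
            raise ValueError("lastPort MUST be >= firstPort")

    def _test(self, pkt):
        p = pkt.src_port if self.applyToSource else pkt.dst_port
        return self.firstPort <= p <= self.lastPort


@dataclass
class ProtocolFilter(Filter):   # 7.4: 0 is the wild-card protocol
    protocol: int = 0

    def _test(self, pkt):
        return self.protocol == 0 or pkt.protocol == self.protocol


@dataclass
class Expression:               # SecurityAssociationConditionExpression (6.2)
    filters: List[Filter]


@dataclass
class Condition:                # SecurityAssociationCondition (6.1)
    expressions: List[Expression]
    useDNF: bool = True
    negated: bool = False

    def evaluate(self, pkt: Packet) -> bool:
        if self.useDNF:         # DNF: expressions ORed, filters within one ANDed
            result = any(all(f.match(pkt) for f in e.filters) for e in self.expressions)
        else:                   # CNF: expressions ANDed, filters within one ORed
            result = all(any(f.match(pkt) for f in e.filters) for e in self.expressions)
        return result != self.negated


def useless_port_filters(cond: Condition) -> List[int]:
    """Indices of DNF expressions that AND a port filter with a non-TCP/UDP
    protocol filter; the note after 7.4 says such an expression makes no sense."""
    if not cond.useDNF:
        return []
    bad = []
    for i, e in enumerate(cond.expressions):
        has_port = any(isinstance(f, (PortFilter, PortRangeFilter)) for f in e.filters)
        odd_proto = any(isinstance(f, ProtocolFilter) and not f.negated
                        and f.protocol not in (0, TCP, UDP) for f in e.filters)
        if has_port and odd_proto:
            bad.append(i)
    return bad
```

The same two expressions ({protocol TCP} and {port 80}) match a TCP/443 packet under DNF but not under CNF, which is the difference the useDNF attribute encodes.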
7.4. The Class ProtocolFilter 5.5. The Abstract Class EndpointFilterEntry
The ProtocolFilter class specifies a filter that is based upon the
IP protocol. It contains the following attribute:
NAME protocol The abstract class EndpointFilterEntry serves as a base class for
DESCRIPTION Specifies the IP protocol value. filters which match against IP addresses (source or destination).
TYPE unsigned 8-bit integer The class definition for EndpointFilterEntry is as follows:
VALUE 0 - wild-card protocol (i.e., any protocol). Any other
value specifies a specific protocol.
Note: if using DNF, it does not make sense to use a PortFilter or NAME EndpointFilterEntry
PortRangeFilter when using a ProtocolFilter that is not either UDP DESCRIPTION Serves as the base class for filters which match
or TCP. against IP addresses.
DERIVED FROM IPFilterEntry
ABSTRACT TRUE
PROPERTIES ApplyToDestination
7.5. The Class AddressFilter 5.5.1. The Property ApplyToDestination
The AddressFilter class is used to represent filters which use a This property specifies whether or not the address to test against
system's address or DNS name as a filter. It is used as an abstract is the source or the destination IP address. The property is
base class from which specific address-based filters will be defined as follows:
derived. The address filters are always used to specify the
address/hostname of the destination machine. The reason is that the
association of a policy with a particular interface implies the
source address/hostname - one could look at the policy to interface
mapping as another type of filter.
Note: for IKE rules, these are the only filter type allowed. NAME ApplyToDestination
DESCRIPTION Specifies which IP address to test, source or
destination.
SYNTAX boolean
VALUE A value of true means that the destination IP address
should be tested against. A value of false means that
the source IP address should be tested against.
5.6. The Class IPv4AddressFilterEntry
The class IPv4AddressFilterEntry specifies a filter that will match
against a single IPv4 address. The class definition for
IPv4AddressFilterEntry is as follows:
NAME IPv4AddressFilterEntry
DESCRIPTION Defines the match filter for an IPv4 address.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES Address
5.6.1. The Property Address
This property specifies the IPv4 address that will be used in the
equality test. The property is defined as follows:
NAME Address
DESCRIPTION Specifies the IPv4 address to match against.
SYNTAX unsigned 32-bit integer
5.7. The Class IPv4RangeFilterEntry
The class IPv4RangeFilterEntry specifies a filter for testing if an
IPv4 address is between the start address and end address
inclusively. The class definition for IPv4RangeFilterEntry is as
follows:
NAME IPv4RangeFilterEntry
DESCRIPTION Defines the match filter for an IPv4 address range.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES StartAddress
EndAddress
5.7.1. The Property StartAddress
This property specifies the first IPv4 address in the address range.
The property is defined as follows:
NAME StartAddress
DESCRIPTION Specifies the start of the IPv4 address range.
SYNTAX unsigned 32-bit integer
5.7.2. The Property EndAddress
This property specifies the last IPv4 address in the address range.
The property is defined as follows:
NAME EndAddress
DESCRIPTION Specifies the end of the IPv4 address range.
SYNTAX unsigned 32-bit integer
VALUE EndAddress must be greater than or equal to
StartAddress.
5.8. The Class IPv4SubnetFilterEntry
The class IPv4SubnetFilterEntry specifies a filter for testing if an
IPv4 address is in the specified subnet. The class definition for
IPv4SubnetFilterEntry is as follows:
NAME IPv4SubnetFilterEntry
DESCRIPTION Defines the match filter for an IPv4 subnet.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES Address
Mask
5.8.1. The Property Address
This property specifies the IPv4 subnet. The property is defined as
follows:
NAME Address
DESCRIPTION Specifies the IPv4 subnet.
SYNTAX unsigned 32-bit integer
5.8.2. The Property Mask
This property specifies the IPv4 mask. The property is defined as
follows:
NAME Mask
DESCRIPTION Specifies the IPv4 mask.
SYNTAX unsigned 32-bit integer
VALUE A special value of 0.0.0.0, coupled with an Address
value of 0.0.0.0 can be used to specify all addresses.
5.9. The Class IPv6AddressFilterEntry
The class IPv6AddressFilterEntry specifies a filter that will match
against a single IPv6 address. The class definition for
IPv6AddressFilterEntry is as follows:
NAME IPv6AddressFilterEntry
DESCRIPTION Defines the match filter for an IPv6 address.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES Address
5.9.1. The Property Address
This property specifies the IPv6 address that will be used in the
equality test. The property is defined as follows:
NAME Address
DESCRIPTION Specifies the IPv6 address to match against.
SYNTAX byte[16]
5.10. The Class IPv6RangeFilterEntry
The class IPv6RangeFilterEntry specifies a filter for testing if an
IPv6 address is between the start address and end address
inclusively. The class definition for IPv6RangeFilterEntry is as
follows:
NAME IPv6RangeFilterEntry
DESCRIPTION Defines the match filter for an IPv6 address range.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES StartAddress
EndAddress
5.10.1. The Property StartAddress
This property specifies the first IPv6 address in the address range.
The property is defined as follows:
NAME StartAddress
DESCRIPTION Specifies the start of the IPv6 address range.
SYNTAX byte[16]
5.10.2. The Property EndAddress
This property specifies the last IPv6 address in the address range.
The property is defined as follows:
NAME EndAddress
DESCRIPTION Specifies the end of the IPv6 address.
SYNTAX byte[16]
VALUE EndAddress must be greater than or equal to
StartAddress.
5.11. The Class IPv6SubnetFilterEntry
The class IPv6SubnetFilterEntry specifies a filter for testing if an
IPv6 address is in the specified subnet. The class definition for
IPv6SubnetFilterEntry is as follows:
NAME IPv6SubnetFilterEntry
DESCRIPTION Defines the match filter for an IPv6 subnet.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES Address
Mask
5.11.1. The Property Address
This property specifies the IPv6 subnet. The property is defined as
follows:
NAME Address
DESCRIPTION Specifies the IPv6 subnet.
SYNTAX byte[16]
5.11.2. The Property Mask
This property specifies the IPv6 mask. The property is defined as
follows:
NAME Mask
DESCRIPTION Specifies the IPv6 mask.
SYNTAX byte[16]
VALUE A special value of 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0,
coupled with an Address value of
0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 can be used to specify
all addresses.
5.12. The Class FQDNFilterEntry
The class FQDNFilterEntry specifies a filter for matching against a
single or wild-carded DNS name. The class definition for
FQDNFilterEntry is as follows:
NAME FQDNFilterEntry
DESCRIPTION Defines the match filter for a DNS name.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES Name
5.12.1. The Property Name
This property specifies the DNS name to match against. The property
is defined as follows:
NAME Name
DESCRIPTION Specifies the DNS name.
SYNTAX string
VALUE The DNS name can be fully qualified (for example,
foo.intel.com) or partially qualified (*.intel.com).
5.13. The Class ProtocolFilterEntry
The class ProtocolFilterEntry specifies a filter for testing against
an IP protocol. The class definition for ProtocolFilterEntry is as
follows:
NAME ProtocolFilterEntry
DESCRIPTION Defines a match filter for IP protocol.
DERIVED FROM IPFilterEntry
ABSTRACT FALSE
PROPERTIES Protocol
5.13.1. The Property Protocol
This property specifies the IP protocol to match against. The
property is defined as follows:
NAME Protocol
DESCRIPTION Specifies the IP protocol.
SYNTAX unsigned 8-bit integer
VALUE A value of zero matches against any protocol. Any
other value is the IP protocol number.
5.14. The Class UDPFilterEntry
The class UDPFilterEntry specifies a filter for testing if a UDP
port is between the start port and end port inclusively. It is
assumed that the Protocol property from the ProtocolFilterEntry
class will contain the value 17 (i.e., UDP). The class definition
for UDPFilterEntry is as follows:
NAME UDPFilterEntry
DESCRIPTION Defines the match filter for a UDP port range.
DERIVED FROM ProtocolFilterEntry
ABSTRACT FALSE
PROPERTIES StartPort
EndPort
5.14.1. The Property StartPort
This property specifies the first port in the UDP port range. The
property is defined as follows:
NAME StartPort
DESCRIPTION Specifies the start of the UDP port range.
SYNTAX unsigned 16-bit integer
5.14.2. The Property EndPort
This property specifies the last port in the UDP port range. The
property is defined as follows:
NAME EndPort
DESCRIPTION Specifies the end of the UDP port range.
SYNTAX unsigned 16-bit integer
VALUE EndPort must be greater than or equal to StartPort.
5.15. The Class TCPFilterEntry
The class TCPFilterEntry specifies a filter for testing if a TCP
port is between the start port and end port inclusively. It is
assumed that the Protocol property from the ProtocolFilterEntry
class will contain the value 6 (i.e., TCP). The class definition
for TCPFilterEntry is as follows:
NAME TCPFilterEntry
DESCRIPTION Defines the match filter for a TCP port range.
DERIVED FROM ProtocolFilterEntry
ABSTRACT FALSE
PROPERTIES StartPort
EndPort
5.15.1. The Property StartPort
This property specifies the first port in the TCP port range. The
property is defined as follows:
NAME StartPort
DESCRIPTION Specifies the start of the TCP port range.
SYNTAX unsigned 16-bit integer
5.15.2. The Property EndPort
This property specifies the last port in the TCP port range. The
property is defined as follows:
NAME EndPort
DESCRIPTION Specifies the end of the TCP port range.
SYNTAX unsigned 16-bit integer
VALUE EndPort must be greater than or equal to StartPort.
5.16. The Abstract Class IPSOFilterEntry
The abstract class IPSOFilterEntry serves as a base class for the IP
Security Option (IPSO) filters. The class definition for
IPSOFilterEntry is as follows:
NAME IPSOFilterEntry
DESCRIPTION Serves as the base class for the IPSO filters.
DERIVED FROM FilterEntryBase
ABSTRACT TRUE
5.17. The Class ClassificationLevelFilterEntry
The class ClassificationLevelFilterEntry specifies a filter for
matching against the classification level IPSO field type. The
class definition for ClassificationLevelFilterEntry is as follows:
NAME ClassificationLevelFilterEntry
DESCRIPTION Defines the filter for the IPSO classification level.
DERIVED FROM IPSOFilterEntry
ABSTRACT FALSE
PROPERTIES Level
5.17.1. The Property Level
This property specifies the classification level to match against.
The property is defined as follows:
NAME Level
DESCRIPTION Specifies the classification level.
SYNTAX unsigned 16-bit integer
VALUE 61 - Top Secret
90 - Secret
150 - Confidential
171 - Unclassified
5.18. The Class ProtectionAuthorityFilterEntry
The class ProtectionAuthorityFilterEntry specifies a filter for
matching against the protection authority IPSO field type. The class
definition for ProtectionAuthorityFilterEntry is as follows:
NAME ProtectionAuthorityFilterEntry
DESCRIPTION Defines the filter for the IPSO protection authority.
DERIVED FROM IPSOFilterEntry
ABSTRACT FALSE
PROPERTIES Authority
5.18.1. The Property Authority
This property specifies the protection authority to match against.
The property is defined as follows:
NAME Authority
DESCRIPTION Specifies the protection authority.
SYNTAX unsigned 16-bit integer
VALUE 0 - GENSER
1 - SIOP-ESI
2 - SCI
3 - NSA
4 - DOE
5.19. The Class CredentialFilterEntry
The class CredentialFilterEntry defines a filter for matching
against credential information that was obtained during the IKE
phase 1 negotiation. This information can be identity information
(such as User FQDN) or information retrieved from credential
information (for example, fields from a certificate). This
information can be used as a form of access control. The class
definition for CredentialFilterEntry is as follows:
NAME CredentialFilterEntry
DESCRIPTION Defines the filter for matching against IKE phase 1
credential/identity information.
DERIVED FROM FilterEntryBase
ABSTRACT FALSE
PROPERTIES To Be Determined...
5.20. The Aggregation Class FilterOfSACondition
The class FilterOfSACondition associates an SACondition with the
filter specifications (FilterList) that make up the condition. The
class definition for FilterOfSACondition is as follows:
NAME FilterOfSACondition
DESCRIPTION Associates a condition with the filter list that makes
up the individual condition elements.
ABSTRACT FALSE
PROPERTIES Antecedent [ref FilterList[0..1]]
Dependent [ref SACondition [0..n]]
5.20.1. The Reference Antecedent
The property Antecedent contains an object reference to a FilterList
that is contained in one or more SAConditions. The [0..1]
cardinality indicates that an SACondition may have zero or one
FilterList.
5.20.2. The Reference Dependent
The property Dependent contains an object reference to an
SACondition that contains a FilterList. The [0..n] cardinality
indicates that a FilterList may be contained in zero or more
SAConditions.
5.21. The Composition Class EntriesInFilterList
The class EntriesInFilterList associates the individual
FilterEntryBases with a FilterList. Together these individual
FilterEntryBases can create complex conditions. The class
definition for EntriesInFilterList is as follows:
NAME EntriesInFilterList
DESCRIPTION Associates a FilterList with the set of individual
filters.
ABSTRACT FALSE
PROPERTIES Antecedent [ref FilterEntryBase[0..n]]
Dependent [ref FilterList [1..1]]
EntrySequence
5.21.1. The Reference Antecedent
The property Antecedent contains an object reference to a
FilterEntryBase that is contained in a FilterList. The [0..n]
cardinality indicates that a FilterList may have zero or more
FilterEntryBases.
5.21.2. The Reference Dependent
The property Dependent contains an object reference to a FilterList
that contains zero or more FilterEntryBases. The [1..1] cardinality
indicates that a FilterEntryBase may be contained in one and only
one FilterList (i.e., FilterEntryBases cannot be shared between
FilterLists).
5.21.3. The Property EntrySequence
The property EntrySequence specifies, for a given FilterList, the
order in which the filters should be checked. The property is
defined as follows:
NAME EntrySequence
DESCRIPTION Specifies the order to check the filters in a
FilterList.
SYNTAX unsigned 16-bit integer
VALUE Lower valued filters are checked first. The order of
checking of FilterEntryBases with the same
EntrySequence value is undefined.
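The filter entry classes above (5.6 to 5.21) evaluated over constructed traffic, as an added example that is not part of the draft. Assumed here: the names Packet, match_destination (the property whose VALUE clause opens this section) and PortRangeFilterEntry (the shared body of TCPFilterEntry and UDPFilterEntry); that a FilterList ANDs its entries; and that a port entry tests the destination port unless told otherwise, since the draft states neither.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Packet:
    # Constructed traffic description; FQDNs are assumed already resolved by
    # the caller (the draft does not say how the evaluator obtains them).
    src: str
    dst: str
    protocol: int          # IP protocol number: 6 = TCP, 17 = UDP
    src_port: int = 0
    dst_port: int = 0
    src_fqdn: str = ""
    dst_fqdn: str = ""

def ip2int(dotted):
    """Dotted quad -> the unsigned 32-bit integer of the SYNTAX clauses."""
    return int(ipaddress.IPv4Address(dotted))

@dataclass
class EndpointFilterEntry:
    # match_destination (assumed name) is the property whose VALUE clause
    # opens this section: true tests the destination address, false the source.
    match_destination: bool = True
    def endpoint(self, pkt):
        return pkt.dst if self.match_destination else pkt.src
    def fqdn(self, pkt):
        return pkt.dst_fqdn if self.match_destination else pkt.src_fqdn

@dataclass
class IPv4RangeFilterEntry(EndpointFilterEntry):            # 5.7: inclusive range
    start_address: str = "0.0.0.0"
    end_address: str = "0.0.0.0"
    def __post_init__(self):
        if ip2int(self.end_address) < ip2int(self.start_address):   # 5.7.2 rule
            raise ValueError("EndAddress must be >= StartAddress")
    def matches(self, pkt):
        return ip2int(self.start_address) <= ip2int(self.endpoint(pkt)) <= ip2int(self.end_address)

@dataclass
class IPv4SubnetFilterEntry(EndpointFilterEntry):           # 5.8: masked compare
    address: str = "0.0.0.0"
    mask: str = "0.0.0.0"
    def matches(self, pkt):
        # Address 0.0.0.0 with Mask 0.0.0.0 matches every address (5.8.2).
        m = ip2int(self.mask)
        return ip2int(self.endpoint(pkt)) & m == ip2int(self.address) & m

@dataclass
class FQDNFilterEntry(EndpointFilterEntry):                 # 5.12: DNS name
    name: str = "*"
    def matches(self, pkt):
        # Fully qualified (foo.intel.com) or wild-carded (*.intel.com); DNS
        # names are compared case-insensitively.
        return fnmatchcase(self.fqdn(pkt).lower(), self.name.lower())

@dataclass
class ProtocolFilterEntry:                                  # 5.13
    protocol: int = 0                                       # 0 = any protocol
    def matches(self, pkt):
        return self.protocol == 0 or self.protocol == pkt.protocol

@dataclass
class PortRangeFilterEntry(ProtocolFilterEntry):
    # Common body of TCPFilterEntry (Protocol 6) and UDPFilterEntry (17).
    # The draft does not say which port is tested; match_destination is assumed.
    start_port: int = 0
    end_port: int = 65535
    match_destination: bool = True
    def __post_init__(self):
        if self.end_port < self.start_port:                 # 5.14.2 / 5.15.2 rule
            raise ValueError("EndPort must be >= StartPort")
    def matches(self, pkt):
        port = pkt.dst_port if self.match_destination else pkt.src_port
        return super().matches(pkt) and self.start_port <= port <= self.end_port

@dataclass
class FilterList:
    # (EntrySequence, FilterEntryBase) pairs, as EntriesInFilterList (5.21).
    entries: list = field(default_factory=list)
    def matches(self, pkt):
        # Assumption: the entries of one FilterList are ANDed, so checking them
        # in EntrySequence order (lower first) stops at the first non-match.
        for _, entry in sorted(self.entries, key=lambda e: e[0]):
            if not entry.matches(pkt):
                return False
        return True

def ssh_to_hosts_from_site():
    """Constructed condition: TCP/22 to 192.0.2.10-20 from any host in 10.1.0.0/16."""
    return FilterList([
        (20, IPv4RangeFilterEntry(start_address="192.0.2.10", end_address="192.0.2.20")),
        (10, IPv4SubnetFilterEntry(match_destination=False,
                                   address="10.1.0.0", mask="255.255.0.0")),
        (30, PortRangeFilterEntry(protocol=6, start_port=22, end_port=22)),
    ])
```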
6. Action Classes
The action classes are used to model the different actions an IPsec
device may take when the evaluation of the associated condition
results in a match.
                              +----------+
                              | SAAction |
                              +----------+
                                 ^    ^
                                 |    |
                           +-----+    +--------------+
                           |                         |
            +----------------+            +---------------------+*
            | SAStaticAction |            | SANegotiationAction |o--------+
            +----------------+            +---------------------+         |
                           ^                  ^             ^             |
                           |                  |             |             |
+-------------------+      |            +-------------+ +-----------+     |
| IPsecBypassAction |------+            | IPsecAction | | IKEAction |     |
+-------------------+      |            +-------------+ +-----------+     |
                           |                  ^                           |
+--------------------+     |                  |  +----------------------+ |
| IPsecDiscardAction |-----+                  +--| IPsecTransportAction | |
+--------------------+     |                  |  +----------------------+ |
                           |                  |                           |
+-----------------+        |                  |  +-------------------+    |
| IKERejectAction |--------+                  +--| IPsecTunnelAction |    |
+-----------------+        |                     +-------------------+    |
                           |                                              |
+-----------------------+  |                     +--------------+n        |
| SAPreconfiguredAction |--+                     | [SAProposal] |---------+
+-----------------------+                        +--------------+ (a)
(a) ContainedProposal
6.1. The Class SAAction
The class SAAction serves as the base class for IKE and IPsec
actions. Although the class is concrete, it MUST NOT be
instantiated. The class definition for SAAction is as follows:
NAME SAAction
DESCRIPTION The base class for IKE and IPsec actions.
DERIVED FROM PolicyAction (see [PCIM])
ABSTRACT FALSE
PROPERTIES PolicyActionName (from PolicyAction)
6.2. The Class SAStaticAction
The class SAStaticAction serves as the base class for IKE and IPsec
actions that do not require any negotiation. Although the class is
concrete, it MUST NOT be instantiated. The class definition for
SAStaticAction is as follows:
NAME SAStaticAction
DESCRIPTION The base class for IKE and IPsec actions that do not
require any negotiation.
DERIVED FROM SAAction
ABSTRACT FALSE
PROPERTIES LifetimeSeconds
6.2.1. The Property LifetimeSeconds
The property LifetimeSeconds specifies how long the security
association derived from this action should be used. The property
is defined as follows:
NAME LifetimeSeconds
DESCRIPTION Specifies the amount of time (in seconds) that a
security association derived from this action should be
used.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no lifetime
associated with this action (i.e., infinite lifetime).
A non-zero value is typically used in conjunction with
fallback actions performed when there is a negotiation
failure of some sort.
6.3. The Class IPsecBypassAction
The class IPsecBypassAction is used when packets are allowed to be
processed without applying IPsec to them. This is the same as
stating that packets are allowed to flow in the clear. The class
definition for IPsecBypassAction is as follows:
NAME IPsecBypassAction
DESCRIPTION Specifies that packets are to be allowed to pass in the
clear.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
6.4. The Class IPsecDiscardAction
The class IPsecDiscardAction is used when packets are to be
discarded. This is the same as stating that packets are to be
denied. The class definition for IPsecDiscardAction is as follows:
NAME IPsecDiscardAction
DESCRIPTION Specifies that packets are to be discarded.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
PROPERTIES DoLogging
6.4.1. The Property DoLogging
The property DoLogging specifies whether or not an audit message
should be logged when a packet is discarded. The property is
defined as follows:
NAME DoLogging
DESCRIPTION Specifies if an audit message should be logged when a
packet is discarded.
SYNTAX boolean
VALUE A value of true indicates that logging should be done
for this action. A value of false indicates logging
should not be done for this action.
6.5. The Class IKERejectAction
The class IKERejectAction is used to prevent attempting an IKE
negotiation with the peer(s). The class definition for
IKERejectAction is as follows:
NAME IKERejectAction
DESCRIPTION Specifies that an IKE negotiation should not even be
attempted.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
PROPERTIES DoLogging
6.5.1. The Property DoLogging
The property DoLogging specifies whether or not an audit message
should be logged when a determination is made to prevent an IKE
negotiation. The property is defined as follows:
NAME DoLogging
DESCRIPTION Specifies if an audit message should be logged when IKE
negotiation is prohibited.
SYNTAX boolean
VALUE A value of true indicates that logging should be done
for this action. A value of false indicates logging
should not be done for this action.
6.6. The Class SAPreconfiguredAction
The class SAPreconfiguredAction is used to create a security
association using preconfigured, hard-wired algorithms and keys.
The class definition for SAPreconfiguredAction is as follows:
NAME SAPreconfiguredAction
DESCRIPTION Specifies preconfigured algorithm and keying
information for creation of a security association.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
PROPERTIES To Be Determined...
6.7. The Class SANegotiationAction
The class SANegotiationAction serves as the base class for IKE and
IPsec actions which result in an IKE negotiation. Although the class
is concrete, it MUST NOT be instantiated. The class definition for
SANegotiationAction is as follows:
NAME SANegotiationAction
DESCRIPTION A base class for IKE and IPsec actions that specifies
the parameters that are common for IKE phase 1 and IKE
phase 2 IPsec DOI negotiations.
DERIVED FROM SAAction
ABSTRACT FALSE
PROPERTIES MinLifetimeSeconds
MinLifetimeKilobytes
RefreshThresholdSeconds
RefreshThresholdKilobytes
IdleDurationSeconds
6.7.1. The Property MinLifetimeSeconds
The property MinLifetimeSeconds specifies the minimum seconds
lifetime that will be accepted from the peer. MinLifetimeSeconds is
used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations
with correspondingly expensive Diffie-Hellman operations. The
property is defined as follows:
NAME MinLifetimeSeconds
DESCRIPTION Specifies the minimum acceptable seconds lifetime.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no minimum
value. A non-zero value specifies the minimum seconds
lifetime.
6.7.2. The Property MinLifetimeKilobytes
The property MinLifetimeKilobytes specifies the minimum kilobyte
lifetime that will be accepted from the peer. MinLifetimeKilobytes
is used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations
with correspondingly expensive Diffie-Hellman operations. The
property is defined as follows:
NAME MinLifetimeKilobytes
DESCRIPTION Specifies the minimum acceptable kilobyte lifetime.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no minimum
value. A non-zero value specifies the minimum kilobyte
lifetime.
6.7.3. The Property RefreshThresholdSeconds
The property RefreshThresholdSeconds specifies what percentage of
the seconds lifetime can expire before IKE should attempt to
renegotiate the IPsec security association. A random value may be
added to the calculated threshold (percentage x seconds lifetime) to
reduce the chance of both peers attempting to renegotiate at the
same time. The property is defined as follows:
NAME RefreshThresholdSeconds
DESCRIPTION Specifies the percentage of seconds lifetime that has
expired before the IPsec security association is
renegotiated.
SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IPsec security
association should not be renegotiated until the
seconds lifetime has been reached.
6.7.4. The Property RefreshThresholdKilobytes
The property RefreshThresholdKilobytes specifies what percentage of
the kilobyte lifetime can expire before IKE should attempt to
renegotiate the IPsec security association. A random value may be
added to the calculated threshold (percentage x kilobyte lifetime)
to reduce the chance of both peers attempting to renegotiate at the
same time. The property is defined as follows:
NAME RefreshThresholdKilobytes
DESCRIPTION Specifies the percentage of kilobyte lifetime that has
expired before the IPsec security association is
renegotiated.
SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IPsec security
association should not be renegotiated until the
kilobyte lifetime has been reached.
6.7.5. The Property IdleDurationSeconds
The property IdleDurationSeconds specifies how many seconds a
security association may remain idle (i.e., no traffic protected
using the security association) before it is deleted. The property
is defined as follows:
NAME IdleDurationSeconds
DESCRIPTION Specifies how long, in seconds, a security association
may remain unused before it is deleted.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that idle detection should
not be used for the security association. Any non-zero
value indicates the number of seconds the security
association may remain unused.
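The five SANegotiationAction properties of section 6.7 applied to a negotiation, as an added example that is not part of the draft: the minimum-lifetime check that blocks the denial-of-service case described in 6.7.1 and 6.7.2, the refresh points of 6.7.3 and 6.7.4, and the idle rule of 6.7.5. The size of the random value added to a threshold is not given by the draft; the 5% bound and the jitter_seed parameter used here are assumptions.

```python
import random
from dataclasses import dataclass

@dataclass
class SANegotiationAction:
    # The five properties of section 6.7 (values are constructed).
    min_lifetime_seconds: int = 0           # 0 = no minimum enforced (6.7.1)
    min_lifetime_kilobytes: int = 0         # 0 = no minimum enforced (6.7.2)
    refresh_threshold_seconds: int = 100    # percent, 1..100 (6.7.3)
    refresh_threshold_kilobytes: int = 100  # percent, 1..100 (6.7.4)
    idle_duration_seconds: int = 0          # 0 = no idle detection (6.7.5)
    def __post_init__(self):
        for pct in (self.refresh_threshold_seconds, self.refresh_threshold_kilobytes):
            if not 1 <= pct <= 100:
                raise ValueError("refresh thresholds are percentages between 1 and 100")

def accept_peer_lifetimes(action, peer_seconds, peer_kilobytes):
    """Accept the peer's proposed lifetimes only if neither falls below the
    configured minimum (a minimum of 0 enforces nothing). This is the
    denial-of-service guard of 6.7.1/6.7.2: an arbitrarily low lifetime
    would force a fresh Diffie-Hellman exchange on every refresh."""
    if action.min_lifetime_seconds and peer_seconds < action.min_lifetime_seconds:
        return False
    if action.min_lifetime_kilobytes and peer_kilobytes < action.min_lifetime_kilobytes:
        return False
    return True

def refresh_thresholds(action, lifetime_seconds, lifetime_kilobytes, jitter_seed=None):
    """Return (seconds, kilobytes) at which renegotiation should start.
    Threshold = percentage x negotiated lifetime (6.7.3/6.7.4). The random
    value the draft allows is modelled here (assumption) as up to 5% of the
    lifetime, never past the lifetime itself, and never when the percentage
    is 100, which means wait for expiry."""
    rng = random.Random(jitter_seed) if jitter_seed is not None else None
    def point(pct, lifetime):
        base = lifetime * pct // 100
        if rng is not None and pct < 100:
            base = min(lifetime, base + rng.randint(0, lifetime // 20))
        return base
    return (point(action.refresh_threshold_seconds, lifetime_seconds),
            point(action.refresh_threshold_kilobytes, lifetime_kilobytes))

def idle_expired(action, seconds_unused):
    """IdleDurationSeconds (6.7.5): a value of 0 disables idle detection;
    otherwise the SA is deleted once it has been unused for that long."""
    return action.idle_duration_seconds != 0 and seconds_unused >= action.idle_duration_seconds

if __name__ == "__main__":
    site = SANegotiationAction(600, 1024, 80, 75, 300)    # constructed policy
    print(accept_peer_lifetimes(site, 300, 4096))         # False: 300 s below the 600 s minimum
    print(refresh_thresholds(site, 3600, 100000))         # (2880, 75000)
```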
6.8. The Class IPsecAction
The class IPsecAction serves as the base class for IPsec transport
and tunnel actions. It specifies the parameters used for an IKE
phase 2 IPsec DOI negotiation. Although the class is concrete, it
MUST NOT be instantiated. The class definition for IPsecAction is
as follows:
NAME IPsecAction
DESCRIPTION A base class for IPsec transport and tunnel actions
that specifies the parameters for IKE phase 2 IPsec DOI
negotiations.
DERIVED FROM SANegotiationAction
ABSTRACT FALSE
PROPERTIES UsePFS
UseIKEGroup
GroupId
Granularity
6.8.1. The Property UsePFS
The property UsePFS specifies whether or not perfect forward secrecy
should be used when refreshing keys. The property is defined as
follows:
NAME UsePFS
DESCRIPTION Specifies whether or not to use PFS.
SYNTAX boolean
VALUE A value of true indicates that PFS should be used. A
value of false indicates that PFS should not be used.
6.8.2. The Property UseIKEGroup
The property UseIKEGroup specifies whether or not phase 2 should use
the same Diffie-Hellman group as was used in phase 1. UseIKEGroup is
ignored if UsePFS is false. The property is defined as follows:
NAME UseIKEGroup
DESCRIPTION Specifies whether or not to use the same GroupId for
phase 2 as was used in phase 1. If UsePFS is false,
then UseIKEGroup is ignored.
SYNTAX boolean
VALUE A value of true indicates that the phase 2 GroupId
should be the same as phase 1. A value of false
indicates that the property GroupId will contain the
Diffie-Hellman group to use for phase 2.
6.8.3. The Property GroupId
The property GroupId specifies the Diffie-Hellman group to use for
phase 2. GroupId is ignored if (1) the property UsePFS is false, or
(2) the property UsePFS is true and the property UseIKEGroup is
true. The property is defined as follows:
NAME GroupId
DESCRIPTION Specifies the Diffie-Hellman group to use for phase 2
when the property UsePFS is true and the property
UseIKEGroup is false.
SYNTAX unsigned 16-bit integer
VALUE 1 - 768-bit MODP group
2 - 1024-bit MODP group
3 - EC2N group on GP[2^155]
4 - EC2N group on GP[2^185]
5 - 1536-bit MODP group
6.8.4. The Property Granularity
The property Granularity specifies whether the proposed selector for
the security association should be derived from the traffic that
triggered the negotiation (Narrow) or from the FilterList of the
Condition(s) that matched the rule (Wide). The property is defined
as follows:
NAME Granularity
DESCRIPTION Specifies how the proposed selector for the
security association will be created.
SYNTAX unsigned 8-bit integer
VALUE 1 - The selector is created by using the FilterList
information from the condition that matched the traffic
parameters. This is called a Wide selector as it could
for instance contain an IP subnet or range.
2 - The selector is created by using the traffic
parameters (i.e., the 5-tuple of the traffic). This is
called a Narrow selector.
6.9. The Class IPsecTransportAction
The class IPsecTransportAction is a subclass of IPsecAction that is
used to specify use of an IPsec transport mode security association.
The class definition for IPsecTransportAction is as follows:
NAME IPsecTransportAction
DESCRIPTION Specifies that an IPsec transport mode security
association should be negotiated.
DERIVED FROM IPsecAction
ABSTRACT FALSE
6.10. The Class IPsecTunnelAction
The class IPsecTunnelAction is a subclass of IPsecAction that is
used to specify use of an IPsec tunnel mode security association.
The class definition for IPsecTunnelAction is as follows:
NAME IPsecTunnelAction
DESCRIPTION Specifies that an IPsec tunnel mode security
association should be negotiated.
DERIVED FROM IPsecAction
ABSTRACT FALSE
PROPERTIES PeerGateway
DFHandling
6.10.1. The Property PeerGateway
The property PeerGateway specifies the IP address or DNS name of the
peer gateway. The property is defined as follows:
NAME PeerGateway
DESCRIPTION Specifies peer gateway's IP address or DNS name.
SYNTAX string
VALUE Either (1) IPv4 address in dotted quad format, (2) IPv6
address in ... format, or (3) a DNS name.
6.10.2. The Property DFHandling
The property DFHandling specifies how the Don't Fragment (DF) bit
should be managed by the tunnel. The property is defined as
follows:
NAME DFHandling
DESCRIPTION Specifies the DF bit is managed by the tunnel.
SYNTAX unsigned 8-bit integer
VALUE 1 - DF bit is copied.
2 - DF bit is set.
3 - DF bit is cleared.
6.11. The Class IKEAction
The class IKEAction specifies the parameters that are to be used for
IKE phase 1 negotiation. The class definition for IKEAction is as
follows:
NAME IKEAction
DESCRIPTION Specifies the IKE phase 1 negotiation parameters.
DERIVED FROM SANegotiationAction
ABSTRACT FALSE
PROPERTIES RefreshThresholdDerivedKeys
ExchangeMode
UseIKEIdentityType
6.11.1. The Property RefreshThresholdDerivedKeys
The property RefreshThresholdDerivedKeys specifies what percentage
of the derived key limit (see the LifetimeDerivedKeys property of
IKEProposal) can expire before IKE should attempt to renegotiate the
IKE phase 1 security association. A random value may be added to
the calculated threshold (percentage x derived key limit) to reduce
the chance of both peers attempting to renegotiate at the same time.
The property is defined as follows:
NAME RefreshThresholdKilobytes
DESCRIPTION Specifies the percentage of derived key limit that has
expired before the IKE phase 1 security association is
renegotiated.
SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IKE phase 1 security
association should not be renegotiated until the
derived key limit has been reached.
6.11.2. The Property ExchangeMode
The property ExchangeMode specifies which IKE mode should be used
for IKE phase 1 key negotiations. The property is defined as
follows:
NAME ExchangeMode
DESCRIPTION Specifies the IKE negotiation mode for phase 1.
SYNTAX unsigned 16-bit integer
VALUE 1 - base mode
2 - main mode
4 - aggressive mode
6.11.3. The Property UseIKEIdentityType
The property UseIKEIdentityType specifies what IKE identity type
should be used when negotiating with the peer. This information is
used in conjunction the IKE identities available on the system. The
property is defined as follows:
NAME UseIKEIdentityType
DESCRIPTION Specifies the IKE identity to use during negotiation.
SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address
2 - FQDN
3 - User FQDN
4 - IPv4 Subnet
5 - IPv6 Address
6 - IPv6 Subnet
7 - IPv4 Address Range
8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID
6.12. The Aggregation Class ContainedProposal
The class ContainedProposal associates an ordered list of
SAProposals with the SANegotiationAction that contains it. If the
referenced SANegotiationAction object is an IKEAction, then the
referenced SAProposal object must be an IKEProposal. If the
referenced SANegotiationAction object is an IPsecTransportAction or
an IPsecTunnelAction, then the referenced SAProposal object must be
an IPsecProposal. The class definition for ContainedProposal is as
follows:
NAME ContainedProposal
DESCRIPTION Associates an ordered list of SAProposals with an
SANegotiationAction.
ABSTRACT FALSE
PROPERTIES GroupComponent[ref SANegotiationAction[0..n]]
PartComponent[ref SAProposal[1..n]]
SequenceNumber
6.12.1. The Reference GroupComponent
The property GroupComponent contains an object reference to an
SANegotiationAction that contains one or more SAProposals. The
[0..n] cardinality indicates that there may be zero or more
SANegotiationActions that contain any given SAProposal.
6.12.2. The Reference PartComponent
The property PartComponent contains an object reference to an
SAProposal contained by one or more SANegotiationActions. The
[1..n] cardinality indicates that an SANegotiationAction MUST
contain at least one SAProposal.
6.12.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for
the SAProposals. The property is defined as follows:
NAME SequenceNumber
DESCRIPTION Specifies the preference order for the SAProposals.
SYNTAX unsigned 16-bit integer
VALUE Lower-valued proposals are preferred over proposals
with higher values. If two proposals have the same
SequenceNumber value, then the order of preference is
undefined.
7. Proposal and Transform Classes
The proposal and transform classes model the proposal settings an
IPsec device will use during IKE phase 1 and 2 negotiations.
+--------------+
| [SAProposal] |
+--------------+
^ ^
| |
+---------------------------+ +----------------------+
| | | |
+-------------+ +-----------+ +-------------+ +---------------+
| | | | | IKEProposal | | IPsecProposal |
|IPsecProposal| |IKEProposal| +-------------+ +---------------+
| | | | *o
+-------------+ +-----------+ | (a)
* o * o n|
|(a) |(b) +---------------+
n | 1 | | [SATransform] |
+----------------+ +------------------+ +---------------+
| | | |
|[IPsecTransform]| |DiffieHellmanGroup|
| | | |
+----------------+ +------------------+
^ ^
| |
+-------------+------------------+ +--------------------+-----------+---------+
| | | | | |
+------------+ +-----------+ +---------------+ +-------------+ +--------------+ +----------------+
| | | | | | | AHTransform | | ESPTransform | |IPCOMPTransform |
|ESPTransform| |AHTransform| |IPCompTransform| +-------------+ +--------------+ +----------------+
| | | | | |
+------------+ +-----------+ +---------------+
(a) Transforms (a) ContainedTransform
(b) IkeDhGroup
[draft-ietf-ipsp-config-policy-model-00.txt]
9.1. The Class SecurityAssociationProposal

The SecurityAssociationProposal class contains the parameters that
are common between the IKE and IPsec proposal classes. It contains
the following attributes:

    NAME         lifetimeSeconds
    DESCRIPTION  Specifies the seconds lifetime for this particular
                 proposal. This value is used when sending this
                 proposal to the negotiating peer. Additionally, it may
                 be used, possibly in conjunction with the minimum
                 seconds lifetime value, when selecting a proposal from
                 the negotiating peer.
    TYPE         unsigned 32-bit integer
    VALUE        0 - indicates that the lifetime value defaults to 8
                 hours (28,800 seconds).

    NAME         lifetimeKilobytes
    DESCRIPTION  Specifies the kilobyte lifetime for this particular
                 proposal. This value is used when sending this
                 proposal to the negotiating peer. Additionally, it may
                 be used, possibly in conjunction with the minimum
                 kilobyte lifetime value, when selecting a proposal from
                 the negotiating peer.
    TYPE         unsigned 32-bit integer
    VALUE        0 - indicates that there is no kilobyte lifetime.

[draft-ietf-ipsp-config-policy-model-01.txt]
7.1. The Abstract Class SAProposal

The abstract class SAProposal serves as the base class for the IKE
and IPsec proposal classes. It specifies the parameters that are
common to the two proposal types. The class definition for
SAProposal is as follows:

    NAME         SAProposal
    DESCRIPTION  Specifies the common proposal parameters for IKE and
                 IPsec security association negotiation.
    ABSTRACT     TRUE
    PROPERTIES   Name
                 MaxLifetimeSeconds
                 MaxLifetimeKilobytes

7.1.1. The Property Name

The property Name specifies a user-friendly name for the SAProposal.
The property is defined as follows:

    NAME         Name
    DESCRIPTION  Specifies a user-friendly name for this proposal.
    SYNTAX       string

7.1.2. The Property MaxLifetimeSeconds

The property MaxLifetimeSeconds specifies the maximum amount of
time, in seconds, to propose that a security association will remain
valid after its creation. The property is defined as follows:

    NAME         MaxLifetimeSeconds
    DESCRIPTION  Specifies the maximum amount of time to propose a
                 security association remain valid.
    SYNTAX       unsigned 32-bit integer
    VALUE        A value of zero indicates that the default of 8 hours
                 be used. A non-zero value indicates the maximum
                 seconds lifetime.

7.1.3. The Property MaxLifetimeKilobytes

The property MaxLifetimeKilobytes specifies the maximum kilobyte
lifetime to propose that a security association will remain valid
after its creation. The property is defined as follows:

    NAME         MaxLifetimeKilobytes
    DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a
                 security association remain valid.
    SYNTAX       unsigned 32-bit integer
    VALUE        A value of zero indicates that there should be no
                 maximum kilobyte lifetime. A non-zero value specifies
                 the desired kilobyte lifetime.

[draft-ietf-ipsp-config-policy-model-00.txt]
9.2. The Class IKEProposal

IKEProposal is a specialization of the SecurityAssociationProposal
class and specifies the parameters unique to the IKE proposal. It
contains the following attributes/references:

    NAME         cipherAlgorithm
    DESCRIPTION  Specifies the encryption algorithm the IKE server will
                 propose.
    TYPE         unsigned 16-bit integer
    VALUE        1 - DES-CBC
                 2 - IDEA-CBC
                 3 - Blowfish-CBC
                 4 - RC5-R16-B64-CBC
                 5 - 3DES-CBC
                 6 - CAST-CBC

    NAME         hashAlgorithm
    DESCRIPTION  Specifies the hash algorithm the IKE server will
                 propose.
    TYPE         unsigned 16-bit integer
    VALUE        1 - MD5
                 2 - SHA-1
                 3 - Tiger

    NAME         authenticationMethod
    DESCRIPTION  Specifies the authentication method the IKE server will
                 propose.
    TYPE         unsigned 16-bit integer
    VALUE        1 - Preshared Key
                 2 - DSS Signatures
                 3 - RSA Signatures
                 4 - RSA Encryption
                 5 - Revised RSA Encryption
                 6 - El-Gamal Encryption
                 7 - Revised El-Gamal Encryption
                 65001 - Kerberos

    NAME         lifetimeDerivedKeys
    DESCRIPTION  Specifies the number of times the IKE phase one key may
                 be used to derive an IKE phase two key.
    TYPE         unsigned 32-bit integer
    VALUE        0 - indicates that the number of times an IKE phase one
                 key may be used to derive an IKE phase two key is
                 limited by the seconds and/or kilobyte lifetimes.

lifetimeDerivedKeys is not a negotiated parameter. Although this
value is not negotiated, it is included with the proposal
information as the value is dependent upon the strength of the
security parameters in the proposal.

    NAME         prfAlgorithm
    DESCRIPTION  Specifies the Pseudo-Random Function (PRF) the IKE
                 server will propose.
    TYPE         unsigned 16-bit integer
    VALUE        At this time, there are no negotiable PRFs defined.

    NAME         IkeDhGroup
    DESCRIPTION  Specifies the Diffie-Hellman group that the IKE server
                 will propose. The DiffieHellmanGroup class is defined
                 in section 10.

[draft-ietf-ipsp-config-policy-model-01.txt]
7.2. The Class IKEProposal

The class IKEProposal specifies the proposal parameters necessary to
drive an IKE security association negotiation. The class definition
for IKEProposal is as follows:

    NAME         IKEProposal
    DESCRIPTION  Specifies the proposal parameters for IKE security
                 association negotiation.
    DERIVED FROM SAProposal
    ABSTRACT     FALSE
    PROPERTIES   LifetimeDerivedKeys
                 CipherAlgorithm
                 HashAlgorithm
                 PRFAlgorithm
                 GroupId
                 AuthenticationMethod

7.2.1. The Property LifetimeDerivedKeys

The property LifetimeDerivedKeys specifies the number of times that
a phase 1 key will be used to derive a phase 2 key before the phase
1 security association needs to be renegotiated. Even though this is
not a parameter that is sent in an IKE proposal, it is included in
the proposal as the number of keys derived may be a result of the
strength of the algorithms in the IKE proposal. The property is
defined as follows:

    NAME         LifetimeDerivedKeys
    DESCRIPTION  Specifies the number of phase 2 keys that can be
                 derived from the phase 1 key.
    SYNTAX       unsigned 32-bit integer
    VALUE        A value of zero indicates that there is no limit to the
                 number of phase 2 keys which may be derived from the
                 phase 1 key; instead the seconds and/or kilobytes
                 lifetime will dictate the phase 1 rekeying. A non-zero
                 value specifies the number of phase 2 keys that can be
                 derived from the phase 1 key.

7.2.2. The Property CipherAlgorithm

The property CipherAlgorithm specifies the proposed phase 1 security
association encryption algorithm. The property is defined as
follows:

    NAME         CipherAlgorithm
    DESCRIPTION  Specifies the proposed encryption algorithm for the
                 phase 1 security association.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - DES-CBC
                 2 - IDEA-CBC
                 3 - Blowfish-CBC
                 4 - RC5-R16-B64-CBC
                 5 - 3DES-CBC
                 6 - CAST-CBC

7.2.3. The Property HashAlgorithm

The property HashAlgorithm specifies the proposed phase 1 security
association hash algorithm. The property is defined as follows:

    NAME         HashAlgorithm
    DESCRIPTION  Specifies the proposed hash algorithm for the phase 1
                 security association.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - MD5
                 2 - SHA-1
                 3 - Tiger

7.2.4. The Property PRFAlgorithm

The property PRFAlgorithm specifies the proposed phase 1 security
association pseudo-random function. The property is defined as
follows:

    NAME         PRFAlgorithm
    DESCRIPTION  Specifies the proposed pseudo-random function for the
                 phase 1 security association.
    SYNTAX       unsigned 16-bit integer
    VALUE        Currently none defined.

7.2.5. The Property GroupId

The property GroupId specifies the proposed phase 1 security
association Diffie-Hellman group. The property is defined as
follows:

    NAME         GroupId
    DESCRIPTION  Specifies the proposed Diffie-Hellman group for the
                 phase 1 security association.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - 768-bit MODP group
                 2 - 1024-bit MODP group
                 3 - EC2N group on GP[2^155]
                 4 - EC2N group on GP[2^185]
                 5 - 1536-bit MODP group

7.2.6. The Property AuthenticationMethod

The property AuthenticationMethod specifies the proposed phase 1
authentication method. The property is defined as follows:

    NAME         AuthenticationMethod
    DESCRIPTION  Specifies the proposed authentication method for the
                 phase 1 security association.
    SYNTAX       unsigned 16-bit integer
    VALUE        0 - a special value which indicates that this
                 particular proposal should be repeated once for each
                 authentication method that corresponds to the
                 credentials installed on the machine. For example, if
                 the system has a pre-shared key and a certificate, a
                 proposal list could be constructed which includes a
                 proposal that specifies pre-shared key and proposals
                 for any of the public-key authentication methods.
                 1 - Pre-shared key
                 2 - DSS signatures
                 3 - RSA signatures
                 4 - Encryption with RSA
                 5 - Revised encryption with RSA
                 6 - Kerberos (has this number been assigned???)

[draft-ietf-ipsp-config-policy-model-00.txt]
9.3. The Class IPsecProposal

IPsecProposal is a specialization of the SecurityAssociationProposal
class and specifies the parameters unique to the IPsec proposal. It
contains the following reference:

    NAME         Transforms
    DESCRIPTION  Specifies a set of IPsecTransform objects that
                 represent the Encapsulating Security Payload (ESP),
                 Authentication Header (AH), and IP Payload Compression
                 Protocol (IPComp) parameters that are to be used to
                 create an IPsec proposal. Transforms of the same type
                 are to be grouped together and logically ORed, and the
                 order of the transforms of the same type MUST be
                 preserved. The transform groups are to be logically
                 ANDed. For example, if the proposal had the following
                 set of transforms
                 {ESP=DES,AH=MD5,ESP=3-DES,ESP=RC5,AH=SHA-1}, the
                 proposal would be ((ESP = DES or 3-DES or RC5) and
                 (AH = MD5 or SHA-1)). An IPsecProposal object MAY
                 reference one to many IPsecTransform objects. An
                 IPsecTransform object MAY be referenced by zero to many
                 IPsecProposal objects.

9.4. The Class IPsecTransform

The IPsecTransform class contains no properties and exists only for
the purpose of modeling the is-a-kind-of relationship for IPsec
transforms. For example, an ESPTransform is a kind of
IPsecTransform.

[draft-ietf-ipsp-config-policy-model-01.txt]
7.3. The Class IPsecProposal

The class IPsecProposal adds no new properties, but inherits
proposal properties from SAProposal as well as aggregating the
security association transforms necessary for building an IPsec
proposal (see the aggregation class ContainedTransform). The class
definition for IPsecProposal is as follows:

    NAME         IPsecProposal
    DESCRIPTION  Specifies the proposal parameters for IPsec security
                 association negotiation.
    DERIVED FROM SAProposal
    ABSTRACT     FALSE

7.4. The Abstract Class SATransform

The abstract class SATransform serves as the base class for the
IPsec transforms that can be used to compose an IPsec proposal. The
class definition for SATransform is as follows:

    NAME         SATransform
    DESCRIPTION  Base class for the different IPsec transforms.
    ABSTRACT     TRUE
    PROPERTIES   Name
                 VendorID

7.4.1. The Property Name

The property Name specifies a user-friendly name for the
SATransform. The property is defined as follows:

    NAME         Name
    DESCRIPTION  Specifies a user-friendly name for this transform.
    SYNTAX       string

7.4.2. The Property VendorID

The property VendorID specifies the vendor ID for vendor-defined
transforms. The property is defined as follows:

    NAME         VendorID
    DESCRIPTION  Specifies the vendor ID for vendor-defined transforms.
    SYNTAX       string
    VALUE        An empty VendorID string indicates that the transform
                 is one of the previously-defined ones.

[draft-ietf-ipsp-config-policy-model-00.txt]
9.5. The Class ESPTransform

ESPTransform is a specialization of an IPsecTransform. It specifies
the parameters for one IPsec ESP transform within an IPsec proposal.
It contains the following attributes:

    NAME         integrityTransformId
    DESCRIPTION  Specifies the ESP integrity algorithm to propose.
    TYPE         unsigned 16-bit integer
    VALUE        1 - HMAC MD5
                 2 - HMAC SHA-1
                 3 - HMAC DES
                 4 - KPDK

    NAME         cipherTransformId
    DESCRIPTION  Specifies the ESP cipher/encryption algorithm to
                 propose.
    TYPE         unsigned 16-bit integer
    VALUE        1 - DES IV64
                 2 - DES
                 3 - 3-DES
                 4 - RC5
                 5 - IDEA
                 6 - CAST
                 7 - Blowfish
                 8 - 3-IDEA
                 9 - DES IV32
                 10 - RC4
                 11 - NULL

    NAME         cipherKeyRounds
    DESCRIPTION  Specifies the number of key rounds for the ESP cipher
                 algorithm specified by the attribute cipherTransformId.
    TYPE         unsigned 16-bit integer
    VALUE        At this time, there are no cipher key rounds defined
                 for any IPsec ESP algorithms.

    NAME         cipherKeyLength
    DESCRIPTION  Specifies the length of the ESP cipher key, in bits.
                 If cipherTransformId specifies a cipher with a fixed-
                 length key, cipherKeyLength is ignored.
    TYPE         unsigned 16-bit integer
    VALUE        0 - the cipher algorithm specified by the
                 cipherTransformId attribute implies the key length.
                 Any other value specifies a key length, in bits.

9.6. The Class AHTransform

AHTransform is a specialization of an IPsecTransform. It specifies
the parameters for one AH transform within an IPsec proposal. It
contains the following property:

    NAME         transformId
    DESCRIPTION  Specifies the AH hash algorithm to propose.
    TYPE         unsigned 16-bit integer
    VALUE        2 - MD5
                 3 - SHA-1
                 4 - DES

9.7. The Class IPCompTransform

IPCompTransform is a specialization of an IPsecTransform. It
specifies the parameters for one IPComp transform within an IPsec
proposal. It contains the following properties:

    NAME         algorithm
    DESCRIPTION  Specifies the IPComp compression algorithm to propose.
    TYPE         unsigned 16-bit integer
    VALUE        1 - OUI (privateAlgorithm MUST contain a valid value)
                 2 - Deflate
                 3 - LZS

    NAME         dictionarySize
    DESCRIPTION  Specifies the dictionary size for the compression
                 algorithm.
    TYPE         unsigned 16-bit integer
    VALUE        0 - the compression algorithm specified by the
                 algorithm attribute dictates the dictionary size.
                 Any other value is to be interpreted in the context of
                 the compression algorithm.

    NAME         privateAlgorithm
    DESCRIPTION  If the algorithm attribute specifies the use of a
                 proprietary compression transform (OUI = 1), then this
                 specifies the specific vendor algorithm that will be
                 used. Otherwise, this value is ignored.
    TYPE         unsigned 32-bit integer

[draft-ietf-ipsp-config-policy-model-01.txt]
7.5. The Class AHTransform

The class AHTransform specifies the AH algorithm to propose during
IPsec security association negotiation. The class definition for
AHTransform is as follows:

    NAME         AHTransform
    DESCRIPTION  Specifies the AH algorithm to propose.
    ABSTRACT     FALSE
    PROPERTIES   AHTransformId

7.5.1. The Property AHTransformId

The property AHTransformId specifies the transform ID of the AH
algorithm to propose. The property is defined as follows:

    NAME         AHTransformId
    DESCRIPTION  Specifies the transform ID of the AH algorithm.
    SYNTAX       unsigned 16-bit integer
    VALUE        2 - MD5
                 3 - SHA-1
                 4 - DES

7.6. The Class ESPTransform

The class ESPTransform specifies the ESP algorithms to propose
during IPsec security association negotiation. The class definition
for ESPTransform is as follows:

    NAME         ESPTransform
    DESCRIPTION  Specifies the ESP algorithms to propose.
    ABSTRACT     FALSE
    PROPERTIES   IntegrityTransformId
                 CipherTransformId
                 CipherKeyLength
                 CipherKeyRounds

7.6.1. The Property IntegrityTransformId

The property IntegrityTransformId specifies the transform ID of the
ESP integrity algorithm to propose. The property is defined as
follows:

    NAME         IntegrityTransformId
    DESCRIPTION  Specifies the transform ID of the ESP integrity
                 algorithm.
    SYNTAX       unsigned 16-bit integer
    VALUE        0 - None
                 1 - HMAC-MD5
                 2 - HMAC-SHA
                 3 - DES-MAC
                 4 - KPDK

7.6.2. The Property CipherTransformId

The property CipherTransformId specifies the transform ID of the ESP
encryption algorithm to propose. The property is defined as
follows:

    NAME         CipherTransformId
    DESCRIPTION  Specifies the transform ID of the ESP encryption
                 algorithm.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - DES IV64
                 2 - DES
                 3 - 3DES
                 4 - RC5
                 5 - IDEA
                 6 - CAST
                 7 - Blowfish
                 8 - 3IDEA
                 9 - DES IV32
                 10 - RC4
                 11 - NULL

7.6.3. The Property CipherKeyLength

The property CipherKeyLength specifies, in bits, the key length for
the ESP encryption algorithm. For encryption algorithms which use
fixed-length keys, this value is ignored. The property is defined
as follows:

    NAME         CipherKeyLength
    DESCRIPTION  Specifies the ESP encryption key length in bits.
    SYNTAX       unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

The property CipherKeyRounds specifies the number of key rounds for
the ESP encryption algorithm. The property is defined as follows:

    NAME         CipherKeyRounds
    DESCRIPTION  Specifies the number of key rounds for the ESP
                 encryption algorithm.
    SYNTAX       unsigned 16-bit integer
    VALUE        Currently, key rounds are not defined for any ESP
                 encryption algorithms.

7.7. The Class IPCOMPTransform

The class IPCOMPTransform specifies the IP compression (IPCOMP)
algorithm to propose during IPsec security association negotiation.
The class definition for IPCOMPTransform is as follows:

    NAME         IPCOMPTransform
    DESCRIPTION  Specifies the IPCOMP algorithm to propose.
    ABSTRACT     FALSE
    PROPERTIES   Algorithm
                 DictionarySize
                 PrivateAlgorithm

7.7.1. The Property Algorithm

The property Algorithm specifies the transform ID of the IPCOMP
compression algorithm to propose. The property is defined as
follows:

    NAME         Algorithm
    DESCRIPTION  Specifies the transform ID of the IPCOMP compression
                 algorithm.
    SYNTAX       unsigned 16-bit integer
    VALUE        1 - OUI (the property PrivateAlgorithm will contain the
                 vendor-specific algorithm to use)
                 2 - DEFLATE
                 3 - LZS
                 4 - V42BIS (has this number been assigned ???)

7.7.2. The Property DictionarySize

The property DictionarySize specifies the log2 maximum size of the
dictionary for the compression algorithm. For compression
algorithms that have pre-defined dictionary sizes, this value is
ignored. The property is defined as follows:

    NAME         DictionarySize
    DESCRIPTION  Specifies the log2 maximum size of the dictionary.
    SYNTAX       unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

The property PrivateAlgorithm specifies a private vendor-specific
compression algorithm. This value is only used when the property
Algorithm is 1 (OUI). The property is defined as follows:

    NAME         PrivateAlgorithm
    DESCRIPTION  Specifies a private vendor-specific compression
                 algorithm.
    SYNTAX       unsigned 32-bit integer

[draft-ietf-ipsp-config-policy-model-00.txt]
10. Diffie-Hellman Classes

The Diffie-Hellman classes are used to define the Diffie-Hellman
attributes that are used during phase one (and possibly phase two)
of the IKE negotiation.

                 +------------------+
                 |                  |
                 |DiffieHellmanGroup|
                 |                  |
                 +------------------+
                         * o
                     (a) |  {1}
                    0..1 |
                   +--------------+
                   |              |
                   |[NewGroupInfo]|
                   |              |
                   +--------------+
                          ^
                          |
         +----------------+----------------+
         |                                 |
+----------------+                 +----------------+
|                |                 |                |
|NewMODPGroupInfo|                 |[NewECGroupInfo]|
|                |                 |                |
+----------------+                 +----------------+
                                           ^
                                           |
                                +-----------+----------+
                                |                      |
                        +----------------+      +---------------+
                        |                |      |               |
                        |NewEC2NGroupInfo|      |NewECPGroupInfo|
                        |                |      |               |
                        +----------------+      +---------------+

(a) ExplicitGroupInfo

{1} If the Diffie-Hellman Group is a well-known group (or previously
agreed upon private group), then the NewGroupInfo object doesn't
exist (or is ignored).

10.1. The Class DiffieHellmanGroup

DiffieHellmanGroup describes the specific Diffie-Hellman Group that
will be proposed. It contains the following properties:

    NAME         groupDescription
    DESCRIPTION  Specifies the Diffie-Hellman Group to propose.
    TYPE         unsigned 16-bit integer
    VALUE        1 - 768-bit MODP group
                 2 - 1024-bit MODP group
                 3 - EC2N group on GP[2^155]
                 4 - EC2N group on GP[2^185]
                 5 - 1536-bit MODP group

    NAME         ExplicitGroupInfo
    DESCRIPTION  Specifies Diffie-Hellman Group information if
                 groupDescription is not one of the well-known values or
                 a previously agreed upon private group. If
                 groupDescription is one of the well-known values or a
                 previously agreed upon private group, the NewGroupInfo
                 object will not exist or it is ignored.

10.2. The Class NewGroupInfo

NewGroupInfo is the abstract base class for the concrete new group
information classes. The specific derived class implies the group
type value.

10.3. The Class NewMODPGroupInfo

NewMODPGroupInfo specifies the Diffie-Hellman group information for
a MODP group that is proposed during new group mode. It contains
the following properties:

    NAME         prime
    DESCRIPTION  Specifies the prime for the MODP group.
    TYPE         byte string

    NAME         generator
    DESCRIPTION  Specifies the generator for the MODP group.
    TYPE         byte string

10.4. The Class NewECGroupInfo

NewECGroupInfo is an abstract class that specifies the Diffie-
Hellman group information for an elliptic curve group that is
proposed during new group mode. It contains the following
properties:

    NAME         polynomial
    DESCRIPTION  Specifies the polynomial for the elliptic curve group.
    TYPE         byte string

    NAME         fieldSize
    DESCRIPTION  Specifies the field size for the elliptic curve group.
    TYPE         unsigned 32-bit integer

    NAME         order
    DESCRIPTION  Specifies the order for the elliptic curve group.
    TYPE         unsigned 32-bit integer

    NAME         generatorOne
    DESCRIPTION  Specifies generator one for the elliptic curve group.
    TYPE         byte string

    NAME         generatorTwo
    DESCRIPTION  Specifies generator two for the elliptic curve group.
    TYPE         byte string

    NAME         curveA
    DESCRIPTION  Specifies curve A for the elliptic curve group.
    TYPE         byte string

    NAME         curveB
    DESCRIPTION  Specifies curve B for the elliptic curve group.
    TYPE         byte string

10.5. The Class NewEC2NGroupInfo

NewEC2NGroupInfo is a class that represents a new EC2N group. It
contains no properties and exists only to imply the group type.

10.6. The Class NewECPGroupInfo

NewECPGroupInfo is a class that represents a new ECP group. It
contains no properties and exists only to imply the group type.

11. Security Considerations

[draft-ietf-ipsp-config-policy-model-01.txt]
7.8. The Aggregation Class ContainedTransform

The class ContainedTransform associates an IPsecProposal with the
set of SATransforms that make up the proposal. If multiple
transforms of the same type are in a proposal, then they are to be
logically ORed and the order of preference is dictated by the
SequenceNumber property. Sets of transforms of different types are
logically ANDed. For example, if the proposal list were

    ESP = { (HMAC-MD5, DES), (HMAC-MD5, 3DES) }
    AH  = { MD5, SHA-1 }

then the one sending the proposal wants the other side to pick one
from the ESP transform list AND one from the AH transform list. The
class definition for ContainedTransform is as follows:

    NAME         ContainedTransform
    DESCRIPTION  Associates an IPsecProposal with the set of
                 SATransforms that make up the proposal.
    ABSTRACT     FALSE
    PROPERTIES   GroupComponent[ref IPsecProposal[0..n]]
                 PartComponent[ref SATransform[1..n]]
                 SequenceNumber

7.8.1. The Reference GroupComponent

The property GroupComponent contains an object reference to an
IPsecProposal that contains one or more SATransforms. The [0..n]
cardinality indicates that there may be zero or more IPsecProposals
that contain any given SATransform.

7.8.2. The Reference PartComponent

The property PartComponent contains an object reference to an
SATransform contained by one or more IPsecProposals. The [1..n]
cardinality indicates that an IPsecProposal MUST contain at least one
SATransform.

7.8.3. The Property SequenceNumber

The property SequenceNumber specifies the order of preference for
the SATransforms of the same type. The property is defined as
follows:

    NAME         SequenceNumber
    DESCRIPTION  Specifies the preference order for the SATransforms of
                 the same type.
    SYNTAX       unsigned 16-bit integer
    VALUE        Lower-valued transforms are preferred over transforms
                 of the same type with higher values. If two transforms
                 of the same type have the same SequenceNumber value,
                 then the order of preference is undefined.
[draft-ietf-ipsp-config-policy-model-01.txt]
8. Security Considerations

[both drafts]
This document describes a schema for IPsec policy. It does not
detail security requirements for storage or delivery of said schema.
Storage and delivery security requirements should be detailed in a
comprehensive security policy architecture document.

[draft-ietf-ipsp-config-policy-model-00.txt]
12. Intellectual Property

[draft-ietf-ipsp-config-policy-model-01.txt]
9. Intellectual Property

[both drafts]
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.

[skipping to change at page 29, line 17 (draft-00) / page 49, line 11 (draft-01)]

attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.

[draft-ietf-ipsp-config-policy-model-00.txt]
13. Acknowledgments

[draft-ietf-ipsp-config-policy-model-01.txt]
10. Acknowledgments

[both drafts]
The author would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
Vic Lortz, and William Dixon for their contributions to this IPsec
policy model.

Additionally, this draft would not have been possible without the
preceding IPsec schema drafts. For that, thanks go out to Rob
Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
Rajan.
12. Disclaimer
The views and specification herein are those of the authors and are The views and specification herein are those of the authors and are
not necessarily those of their employer. The authors and their not necessarily those of their employer. The authors and their
employer specifically disclaim responsibility for any problems employer specifically disclaim responsibility for any problems
arising from correct or incorrect implementation or use of this arising from correct or incorrect implementation or use of this
specification. specification.
16. Author's Address 13. Author's Address
Jamie Jason Jamie Jason
Intel Corporation Intel Corporation
MS JF3-206 MS JF3-206
2111 NE 25th Ave. 2111 NE 25th Ave.
Hillsboro, OR 97124 Hillsboro, OR 97124
Phone: +1-503-264-9531 Phone: +1-503-264-9531
Fax: +1-503-264-9428 Fax: +1-503-264-9428
E-Mail: jamie.jason@intel.com E-Mail: jamie.jason@intel.com
17. Full Copyright Statement 14. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved. Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing document itself may not be modified in any way, such as by removing
This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/