Internet Engineering Task Force Jamie Jason INTERNET DRAFT IntelCoroporation 9-March-2000Corporation 11-July-2000 IPsec Configuration Policy Modeldraft-ietf-ipsp-config-policy-model-00.txtdraft-ietf-ipsp-config-policy-model-01.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document presents an object-oriented model oflow-levelIPsec policy designed to: o facilitate agreement about the content and semantics of IPsec policy o enable derivations of task-specific representations of IPsec policy such as storage schema, distribution representations, and policy specification languages used to configure IPsec- enabled endpoints The schema described in this document models the IKE phase one parameters as described in[1][IKE] and the IKE phase two parameters for the IPsec Domain of Interpretation as described in[2, 3, 4, 5].[COMP, ESP, AH, DOI]. It is based upon the core policy classes as defined in the Policy Core Information Model (PCIM) [PCIM]. Table of Contents Status of this Memo................................................1 Abstract...........................................................1 Table of Contents..................................................2 1.Introduction....................................................4Introduction....................................................5 2. UMLConventions.................................................4Conventions.................................................5 3.Endpoint Classes................................................6 3.1.IPsec Policy Model Inheritance Heirarchy........................6 4. Policy Classes..................................................9 4.1. The ClassEndpoint............................................6 3.2.IPsecPolicyGroup....................................9 4.1.1. The Property IKERuleOverridePoint..........................10 4.1.2. The Property IPsecRuleOverridePoint........................10 4.2. The ClassFQDNEndpoint........................................6 3.3.SARule.............................................11 4.3. The ClassIPv4Endpoint........................................6 3.4.IKERule............................................11 4.4. The ClassIPv6Endpoint........................................7 4. IPsec Policy Classes............................................8 4.1.IPsecRule..........................................11 4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup..........12 4.5.1. The Reference ContainingGroup..............................12 4.5.2. The Reference ContainedGroup...............................12 4.5.3. The Property Precedence....................................12 4.6. The Composition ClassIPsecPolicyList.....................................9 4.2.RuleForIKENegotiation..................12 4.6.1. The Reference ContainingGroup..............................13 4.6.2. The Reference ContainedRule................................13 4.7. The Composition ClassIPsecPolicy.........................................9 4.3.RuleForIPsecNegotiation................13 4.7.1. The Reference ContainingGroup..............................13 4.7.2. The Reference ContainedRule................................13 4.8. The Aggregation Class SAConditionInRule......................14 4.8.1. The Reference ContainingRule...............................14 4.8.2. The Reference ContainedCondition...........................14 4.8.3. The Property SequenceNumber................................14 4.9. The Aggregation Class SAActionInRule.........................14 4.9.1. The Reference ContainingRule...............................15 4.9.2. The Reference ContainedAction..............................15 4.10. The Aggregation ClassIPInterface.........................................9FallbackSAActionInRule................15 4.10.1. The Reference ContainingRule..............................15 4.10.2. The Reference ContainedAction.............................15 4.10.3. The Property SequenceNumber...............................16 5.IPsec Rule Classes.............................................10Condition and Filter Classes...................................17 5.1. The ClassSecurityAssociationRule............................10 6. IPSec Condition Classes........................................11 6.1.SACondition........................................18 5.1.1. The Property StartupCondition..............................18 5.2. The ClassSecurityAssociationCondition.......................11 6.2.FilterList.........................................18 5.2.1. The Property Name..........................................19 5.2.2. The Property Direction.....................................19 5.3. The Abstract ClassSecurityAssociationConditionExpression.............12 7. IPSec Filter Classes...........................................13 7.1.FilterEntryBase...........................19 5.3.1. The Property Name..........................................19 5.3.2. The Property IsNegated.....................................19 5.4. The Abstract ClassSecurityAssociationFilter..........................13 7.2.IPFilterEntry.............................20 5.5. The Abstract ClassPortFilter.........................................14 7.3.EndpointFilterEntry.......................20 5.5.1. The Property ApplyToDestination............................20 5.6. The ClassPortRangeFilter....................................14 7.4.IPv4AddressFilterEntry.............................20 5.6.1. The Property Address.......................................21 5.7. The ClassProtocolFilter.....................................14 7.5.IPv4RangeFilterEntry...............................21 5.7.1. The Property StartAddress..................................21 5.7.2. The Property EndAddress....................................21 5.8. The ClassAddressFilter......................................15 7.6.IPv4SubnetFilterEntry..............................21 5.8.1. The Property Address.......................................22 5.8.2. The Property Mask..........................................22 5.9. The ClassEndpointFilter.....................................15 7.7.IPv6AddressFilterEntry.............................22 5.9.1. The Property Address.......................................22 5.10. The ClassIPv4RangeFilter....................................15 7.8.IPv6RangeFilterEntry..............................22 5.10.1. The Property StartAddress.................................23 5.10.2. The Property EndAddress...................................23 5.11. The ClassIPv6RangeFilter....................................16 8. IKE and IPsec Action Classes...................................17 8.1.IPv6SubnetFilterEntry.............................23 5.11.1. The Property Address......................................23 5.11.2. The Property Mask.........................................24 5.12. The ClassSecurityAssociationAction..........................18 8.2.FQDNFilterEntry...................................24 5.12.1. The Property Name.........................................24 5.13. The ClassIKEAction..........................................19 8.3.ProtocolFilterEntry...............................24 5.13.1. The Property Protocol.....................................24 5.14. The ClassIPsecAction........................................20 8.4.UDPFilterEntry....................................25 5.14.1. The Property StartPort....................................25 5.14.2. The Property EndPort......................................25 5.15. The ClassIPsecTransportAction...............................20 8.5.TCPFilterEntry....................................25 5.15.1. The Property StartPort....................................26 5.15.2. The Property EndPort......................................26 5.16. The Abstract ClassIPsecTunnelAction..................................21 8.6.IPSOFilterEntry..........................26 5.17. The ClassIPsecBypassAction..................................21 8.6.ClassificationLevelFilterEntry....................26 5.17.1. The Property Level........................................26 5.18. The ClassIPsecDiscardAction.................................21 9. IKE and IPsec Proposal Classes.................................21 9.1.ProtectionAuthorityFilterEntry....................27 5.18.1. The Property Authority....................................27 5.19. The ClassSecurityAssociationProposal........................22 9.2.CredentialFilterEntry.............................27 5.20. The Aggregation ClassIKEProposal........................................22 9.3.FilterOfSACondition...................27 5.20.1. The Reference Antecedent..................................28 5.20.2. The Reference Dependent...................................28 5.21. The Composition ClassIPsecProposal......................................23 9.4.EntriesInFilterList...................28 5.21.1. The Reference Antecedent..................................28 5.21.2. The Reference Dependent...................................28 5.21.3. The Property EntrySequence................................29 6. Action Classes.................................................30 6.1. The ClassIPsecTransform.....................................24 9.5.SAAction...........................................30 6.2. The ClassESPTransform.......................................24 9.6.SAStaticAction.....................................30 6.2.1. The Property LifetimeSeconds...............................31 6.3. The ClassAHTransform........................................25 9.7.IPsecBypassAction..................................31 6.4. The ClassIPCompTransform....................................25 10. Diffie-Hellman Classes........................................26 10.1.IPsecDiscardAction.................................31 6.4.1. The Property DoLogging.....................................32 6.5. The ClassDiffieHellmanGroup................................27 10.2.IKERejectAction....................................32 6.5.1. The Property DoLogging.....................................32 6.6. The ClassNewGroupInfo......................................27 10.3.SAPreconfiguredAction..............................32 6.7. The ClassNewMODPGroupInfo..................................27 10.4.SANegotiationAction................................33 6.7.1. The Property MinLifetimeSeconds............................33 6.7.2. The Property MinLifetimeKilobytes..........................33 6.7.3. The Property RefreshThresholdSeconds.......................34 6.7.4. The Property RefreshThresholdKilobytes.....................34 6.7.5. The Property IdleDurationSeconds...........................34 6.8. The ClassNewECGroupInfo....................................27 10.5.IPsecAction........................................35 6.8.1. The Property UsePFS........................................35 6.8.2. The Property UseIKEGroup...................................35 6.8.3. The Property GroupId.......................................35 6.8.4. The Property Granularity...................................36 6.9. The ClassNewEC2NGroupInfo..................................28 10.6.IPsecTransportAction...............................36 6.10. The ClassNewECPGroupInfo...................................28 11. Security Considerations.......................................28 12. Intellectual Property.........................................28 13. Acknowledgments...............................................29 14. References....................................................29 15. Disclaimer....................................................30 16. Author's Address..............................................30 17. Full Copyright Statement......................................30 1. Introduction Internet Protocol security (IPsec) policy may assume a variety of forms as it travels from storage to distribution point to decision point. At each step, it needs to be represented in a way that is convenient for the current task. For example, the policy could exist as, but is not limited to: o a Lightweight Directory Access Protocol (LDAP) [6] schema in a directory o an on-the-wire representation over aIPsecTunnelAction.................................36 6.10.1. The Property PeerGateway..................................37 6.10.2. The Property DFHandling...................................37 6.11. The Class IKEAction.........................................37 6.11.1. The Property RefreshThresholdDerivedKeys..................37 6.11.2. The Property ExchangeMode.................................38 6.11.3. The Property UseIKEIdentityType...........................38 6.12. The Aggregation Class ContainedProposal.....................38 6.12.1. The Reference GroupComponent..............................39 6.12.2. The Reference PartComponent...............................39 6.12.3. The Property SequenceNumber...............................39 7. Proposal and Transform Classes.................................40 7.1. The Abstract Class SAProposal................................40 7.1.1. The Property Name..........................................40 7.1.2. The Property MaxLifetimeSeconds............................41 7.1.3. The Property MaxLifetimeKilobytes..........................41 7.2. The Class IKEProposal........................................41 7.2.1. The Property LifetimeDerivedKeys...........................41 7.2.2. The Property CipherAlgorithm...............................42 7.2.3. The Property HashAlgorithm.................................42 7.2.4. The Property PRFAlgorithm..................................42 7.2.5. The Property GroupId.......................................43 7.2.6. The Property AuthenticationMethod..........................43 7.3. The Class IPsecProposal......................................43 7.4. The Abstract Class SATransform...............................44 7.4.1. The Property Name..........................................44 7.4.1. The Property VendorID......................................44 7.5. The Class AHTransform........................................44 7.5.1. The Property AHTransformId.................................44 7.6. The Class ESPTransform.......................................45 7.6.1. The Property IntegrityTransformId..........................45 7.6.2. The Property CipherTransformId.............................45 7.6.3. The Property CipherKeyLength...............................46 7.6.4. The Property CipherKeyRounds...............................46 7.7. The Class IPCOMPTransform....................................46 7.7.1. The Property Algorithm.....................................46 7.7.2. The Property DictionarySize................................47 7.7.3. The Property PrivateAlgorithm..............................47 7.8. The Aggregation Class ContainedTransform.....................47 7.8.1. The Reference GroupComponent...............................48 7.8.2. The Reference PartComponent................................48 7.8.3. The Property SequenceNumber................................48 8. Security Considerations........................................48 9. Intellectual Property..........................................48 10. Acknowledgments...............................................49 11. References....................................................49 12. Disclaimer....................................................50 13. Author's Address..............................................50 14. Full Copyright Statement......................................50 1. Introduction Internet Protocol security (IPsec) policy may assume a variety of forms as it travels from storage to distribution point to decision point. At each step, it needs to be represented in a way that is convenient for the current task. For example, the policy could exist as, but is not limited to: o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in a directory o an on-the-wire representation over a transport protocol like the Common Object Policy Service (COPS)[7][COPS, COPSPR] o a text-based policy specification language[8][SPSL] suitable for editing by an administrator o an Extensible Markup Language (XML) document Each of these task-specific representations should be derived from a canonical representation that precisely specifies the content and semantics of the IPsec policy. The purpose of this document is to abstract IPsec policy into a task-independent representation that is not constrained by any particular task-dependent representation. This document is organized as follows: o Section 2 provides a quick introduction to the Unified Modeling Language (UML) graphical notation conventions used in this document. o Section 3definesprovides theendpoint class, a utility class that is used as a building block for other classes. o Section 4 definesinheritance hierarchy which describes where the IPsec policyand associated classes. o Section 5 defines the rule class. o Section 6 definesclasses fit into thecondition and condition expression classes.policy class hierarchy already defined by PCIM. oSection 7 definesThe remainder of thefilter classes. o Section 8 definesdocument describes theIKE and IPsec action classes. o Section 9 definesclasses which make up theIKE andIPsecproposal classes. o Section 10 defines the Diffie-Hellman group class.policy model. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in[9].[KEYWORDS]. 2. UML Conventions For this document, a UML static class diagram was chosen as the canonical representation for the IPsec policy model. The reason behind this decision is that UML provides atask-independentgraphical, task- independent way to model systems. A treatise on the graphical notation used in UML is beyond the scope of this paper. However, given the use of ASCII drawing for UML static class diagrams, a description of the notational conventions used in this document is in order: o Boxes represent classes, with class names in brackets ([]) representing a virtual class.For example, ino A line that terminates with an arrow (<, >, ^, v) denotes inheritance. The arrow always points to theaction classes diagram, IKEActionparent class. Inheritance can also be called generalization or specialization (depending upon the reference point). A base class is aconcretegeneralization of a derived class, and a derived classwhile SecurityAssociationActionis avirtualspecialization of a base class. o Associations are used model a relationship between two classes. Classes that share an association are connected using a line. There are two special kinds of associations - aggregations and compositions. Both model a whole-part relationship between two classes. Associations, and therefore aggregations and compositions, can also be modeled as classes. o A line thatterminatesbegins with a "o" denotes aggregation. Aggregation denotesclasses with independent lifetimes. An aggregated object exists independently of the object that references it. For example,containment in which theaction classes diagram a SecurityAssocationProposal object exists independently ofcontained class and theSecurityAssociationAction object which references it.containing class have independent lifetimes. o A line thatterminatesbegins with an "x" denotes composition. Composition denotesclasses with coincident lifetimes. This implies that the lifetime ofcontainment in which the containedobject is the same asclass and theobject that contains it.contianing class have coincident lifetimes. o Next to a line representing an association appears a multiplicity. Multiplicities indicate the number of objectscontained (or referenced) as well asin thenumber of object that can contain (or reference) a particular object.relationship. The multiplicity may be: - a range in the form "lower bound..upper bound" indicating the minimum and maximum number of objects.For example, in the action classes diagram, an IPsecAction may contain either 0 or 1 DiffieHellmanGroup objects(essentially noting that the DiffieHellmanGroup is optional).- a number that indicates the exact number of objects.For example, in the proposal classes diagram, an IKEProposal has 1 and only 1 DiffieHellmanGroup. Using a number is equivalent to number..number.- an asterisk indicating any number of objects, including zero.For example, in the action classes diagram, a SecurityAssociationProposal object may be referenced by 0 to n SecurityAssociationAction objects.Using an asterisk isequivalent toshorthand for 0..n. - the letter n indicating from 1 to many.For example, in the action classes diagram, a SecurityAssociationAction references 1 to many SecurityAssociationProposals.Using the letter n isequivalent toshorthand for 1..n.o A line that terminates with an arrow (<, , ^, v) denotes generalization (inheritance) with the arrow pointing to the parent class. For example, in the action classes diagram the SecurityAssociationAction class is a generalization of the IKEAction class (or said another way, the IKEAction class derives from the SecurityAssociationAction class). o Occasionally there may be some text, or a reference to some text, enclosed by braces ({}). This indicates a constraint. Constraints are used to constrain the meaning of diagram so that a diagram does not provide the ability to define something that does not make sense. For example, in the action classes diagram there is a constraint placed upon the DiffieHellmanGroup class such that it is only used if the IPsecAction specifies the user of Perfect Forward Secrecy. It should be notedIt should be noted that the UML static class diagram presented is a conceptual view of IPsec policy designed to aid in understanding. It does not necessarily get translated class for class into another representation. For example, an LDAP implementation may flatten out the representation to fewer classes (because of the inefficiency of following references). 3.Endpoint Classes An endpoint is an abstraction used to represent an IP address or hostname. This class is used as a building block in further classes. +----------+IPsec Policy Model Inheritance Heirarchy The following diagram represents the inheritance hierarchy and how the IPsec policy model classes fit into PCIM. [unrooted] | +--Policy (PCIM) ||[Endpoint]|| |+----------+ ^+--PolicyGroup (PCIM) |+---------------------------+--------------------------+| | |+------------+ +------------+ +------------+| +--IPsecPolicyGroup (new class) | | | +--PolicyRule (PCIM) | ||FQDNEndpoint| |IPv4Endpoint| |IPv6Endpoint|| | | +--SARule (new abstract class) | | |+------------+ +------------+ +------------+ 3.1. The Class Endpoint The Endpoint class is used as an| | +--IKERule (new class) | | | | | +--IPsecRule (new class) | | | +--PolicyCondition (PCIM) | | | | | +--SACondition (new class) | | | +--PolicyAction (PCIM) | | | +--SAAction (new abstractbase class from which concrete endpoint classes are expected to derive from. 3.2. The Class FQDNEndpoint The FQDNEndpoint class is used to represent endpoints that can be expressed using a DNS name. It contains the following attribute: NAME name DESCRIPTION Either a fully-qualified or wild-carded (partially or fully) domain name. TYPE string VALUE MAY either be fully-qualified (for example, runner.jf.intel.com) or wild-carded (for example, *.intel.com). 3.3. The Class IPv4Endpoint The IPv4Endpoint class is used to represent endpoints that can be expressed using an IPv4 address. It contains the following attribute: NAME address DESCRIPTION The IPv4 address. TYPE unsigned 32-bit integer VALUE 0x00000000 (i.e., 0.0.0.0) - used to specify any IP address (i.e., a totally wild-carded address or "*"). Any other value specifies an IPv4 address. 3.4. The Class IPv6Endpointclass) | | | +--SAStaticAction (new abstract class) | | | | | +--IPsecBypassAction (new class) | | | | | +--IPsecDiscardAction (new class) | | | | | +--IKERejectAction (new class) | | | | | +--SAPreconfiguredAction (new class) | | | +--SANegotiationAction (new abstract class) | | | +--IPsecAction (new abstract class) | | | | | +--IPsecTransportAction (new class) | | | | | +--IPsecTunnelAction (new class) | | | +--IKEAction (new abstract class) | +--FilterList | +--FilterEntryBase | | | +--IPFilterEntry (new abstract class) | | | | | +--EndpointFilterEntry (new abstract class) | | | | | | | +--IPv4AddressFilterEntry (new class) | | | | | | | +--IPv4RangeFilterEntry (new class) | | | | | | | +--IPv4SubnetFilterEntry (new class) | | | | | | | +--IPv6AddressFilterEntry (new class) | | | | | | | +--IPv6RangeFilterEntry (new class) | | | | | | | +--IPv6SubnetFilterEntry (new class) | | | | | | | +--FQDNFilterEntry (new class) | | | | | +--PortFilterEntry (new class) | | | | | +--ProtocolFilterEntry (new class) | | | +--IPSOFilterEntry (new class) | | | +--CredentialFilterEntry (new class) | +--SAProposal (new abstract class) | | | +--IKEProposal (new class) | | | +--IPsecProposal (new class) | +--SATransform (new abstract class) | +--AHTransform (new class) | +--ESPTransform (new class) | +--IPCOMPTransform (new class) TheIPv6Endpoint class is used to represent endpoints that can be expressed using an IPv6 address. It contains thefollowingattribute: NAME address DESCRIPTION The IPv6 address. TYPE octet[16] VALUE all zero's (i.e., 0:0:0:0:0:0:0:0) - used to specify any IP address (i.e., a totally wild-carded address or "*"). Any other value specifies an IPv6 address. 4.diagram represents the inheritance hierarchy and how the IPsec policy model association classes fit into PCIM. [unrooted] | +--PolicyGroupInPolicyGroup (PCIM) | | | +--IPsecPolicyGroupInPolicyGroup (new class) | +--PolicyConditionInPolicyRule (PCIM) | | | +--SAConditionInRule (new class) | +--FallbackSAActionInRule (new class) | +--EntriesInFilterList (new class) | +--ContainedProposal (new class) | +--IPsecContainedTransform (new class) 4. Policy Classes The IPsec policy classes represent the set of policies that are contained on a system.In addition, they indicate the active policies as well as associate a policy with a particular interface on a system +---------------+(a) +------+ | |* ||IPsecPolicyList|*+------------------+ +---o| IPsecPolicyGroup | +------------------+ 1 x x 1 (b) |+---------------+ * o|(a)|(c) +-----------------------+ +---------------------+ |*|+-----------+ +-----------+||* (b) *|+---------------------------+ ||IPsecPolicy|o-----------|IPInterface|| |{1}PolicyTimePeriodCondition | |+-----------+ +-----------+ 1 x x 1 1 x| | (defined in [PCIM]) |(c)|{2} {3}|(d) (e)|{4}| | +---------------------------+ |*| *| |* 1|+----------------------+ +----------+| (d) | | *o ||SecurityAssocationRule| |[Endpoint]|| +-------------+* *+--------+* 1+----------+ | | |+----------------------+ +----------+ (a) Policies (b) TargetedInterfaceSACondition |------o| SARule |o-------| SAAction | | | +-------------+ (e) +--------+ (f) +----------+ | | ^ |* | | | +------+ | | +--------+--------+ | (g) | | | | *o | | *+---------+ +-----------+* | +---------------| IKERule | | IPsecRule |------------+ +---------+ +-----------+ (a) IPsecPolicyGroupInPolicyGroup (b) RuleForIKENegotiation (c)IKERulesRuleForIPsecNegotiation (d)IPsecRulesPolicyRuleValidityPeriod (defined in [PCIM]) (e)Identity {1} 1. If the policy is marked as enabled, then the IPsecPolicy object MUST reference an IPInterface object. 2. For each interface, there is only one IPsec policy marked as enabled. {2} IKE rules are ordered and are considered logically ORed. Rule search will stop once a rule that matches the input criteria is found. {3} IPsec rules are ordered and are considered logically ORed. Rule search will stop once a rule that matches the input criteria is found. {4} If the endpoint type is an FQDN, then the DNS name MUST be fully-qualifed (i.e., no wild-card values allowed). If the endpoint type is an IPv4 or IPv6 address, then the address value MUST NOT be the wild-card address.SAConditionInRule (f) SAActionInRule (g) FallbackSAActionInRule 4.1. The ClassIPsecPolicyListIPsecPolicyGroup TheIPsecPolicyListclassisIPsecPolicyGroup serves as a containerfor allofthe policies oneither other IPsecPolicyGroups or aparticular system. It contains the following reference: NAME Policies DESCRIPTION The policies installed onset of IKERules and aparticular system. Note that there isset of IPsecRules. Rules contained within an IPsecPolicyGroup MUST have adistinction betweenunique Priority value. The class definition for IPsecPolicyGroup is as follows: NAME IPsecPolicyGroup DESCRIPTION Either apolicy being installed onset of IPsecPolicyGroups or asystemset of IKERules andactually being actively enforceda set of IPsecRules. DERIVED FROM PolicyGroup (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyGroupName (from PolicyGroup) IKERuleOverridePoint IPsecRuleOverridePoint NOTE: for derivations of theIPsecPolicy class). Note: an IPsecPolicyList MAY contain no policies. Additionally, a policy MAY be defined which is not in any policy list. The latter case is only relevantschema that are used fora management station - in other words,policy distribution to an IPsec device (for example, COPS-PR), the server may follow all of IPsecPolicyGroupInPolicyGroup associations and create one policyhas been created but it has not yet been targeted to a system. 4.2. The Class IPsecPolicy The IPsecPolicy classgroup which is simply acontainer forset of all of the IKE rulesused to enforce the policy. It contains the following attribute/references: NAME enabled DESCRIPTION Indicates whether or not the policy is enabled (i.e., is actively being enforced). As stated inand a set of all of theconstraint {1}, ifIPsec rules. See thepolicy is enabled, it MUST be associated with a particular interfacesection on thesystem. This allowsIPsecPolicyGroupInPolicyGroup aggregation fordifferent policies to be enforcedinformation ondifferent interfaces. TYPE boolean VALUE true - policy is currently enabled false - policy is currently disabled NAME TargetedInterface DESCRIPTIONmerging multiple IPsecPolicyGroups. 4.1.1. Theinterface onProperty IKERuleOverridePoint This property specifies thesystem forrule priority at whichthisthe policy author is willing tobe enforced. As stated inallow IKERule insertions by a local administrator. For example, the IT department may define theconstraint {1}, for each interface there is only onepolicyenabled at any one given time. NAME IKERules DESCRIPTION The rules which govern when and howon a company- wide basis, but allow groups or individuals toperform IKE phase 1 negotiation. Theseinsert rules into the policy to override defaults. Rules areanorderedlist and are logically ORed. When processing the rules, the first rule matched is the one used. NAME IPsecRules DESCRIPTIONin decreasing order of their priority (i.e., higher priorities come first). Therules which govern when and how to perform IKE phase 2 negotiation. Theseoverride point specifies that if rules arean ordered list andinserted, they arelogically ORed. When processing the rules, the first rule matched is the one used. 4.3. The Class IPInterface The IPInterface class is usedtorepresent an interface on the system. It contains the following reference: NAME Identity DESCRIPTION Indicates the IP address or DNS name assignedbe inserted before all rules equal to or less than theinterface. No wild-card values are allowed for the endpoint object. 5. IPsec Rule Classes The IPsec rule classoverride priority value. For example, assume that there isused to associateaconditiongroup G1 withthe action whichIKE rules as follows: G1 = { Rule A (priority 50), Rule B (priority 25), Rule C (priority 15) } The IKE override value for G1 is 20. Now assume that a local administrator wants tobe performed when the condition evaluates to true. +-----------------------+ | | |SecurityAssociationRule| | | +-----------------------+ * o o * | | +----------+ +-----------+ | (a) (b) | 1 | | 1 +----------------------------+ +---------------------------+ | | | | |SecurityAssociationCondition| |[SecurityAssociationAction]| | | | | +----------------------------+ +---------------------------+ (a) Condition (b) Action 5.1. The Class SecurityAssociationRule The SecurityAssociationRule class is used to associateinsert aconditionset of IKE rules {Rule D, Rule E} where Rule D has a higher priority than Rule E. The new rules will be added before rules in G1 withthe IKE/IPsec action information that ispriority equal to or less than 20. So, when evaluating rules, the order of evaluation would beused duringA, B, D, E, C. Note that thenegotiation. It containspriority of thefollowing attribute/references:rules in override set are relative only to the set. The property is defined as follows: NAMEenabledIKERuleOverridePoint DESCRIPTIONIndicates whether or notSpecifies the rule priority at which the policy author isenabled. TYPE boolean VALUE true -willing to allow IKERule insertions by a local administrator. SYNTAX unsigned 16-bit integer 4.1.2. The Property IPsecRuleOverridePoint This property specifies the rule priority at which the policy author iscurrently enabled false - rulewilling to allow IPsecRule insertions by a local administrator. This property iscurrently disabled NAME Condition DESCRIPTION The condition, when evaluated againstthegiven input, that MUST evaluate to true in ordersame as IKERuleOverridePoint except it is used for theassociated action to be performed.IPsec rules in the IPsecPolicyGroup. The property is defined as follows: NAMEActionIPsecRuleOverridePoint DESCRIPTIONThe security association negotiation parameters to use whenSpecifies theassociated condition evaluatesrule priority at which the policy author is willing totrue. 6. IPSec Condition Classesallow IPsecRule insertions by a local administrator. SYNTAX unsigned 16-bit integer 4.2. TheconditionClass SARule The class SARule serves as a base class for IKERule and IPsecRule. Even though the class isusedconcrete, it MUST not be instantiated. It defines a common connection point for associations todetermine whenconditions and actions for both types of rules. Each SARule within a given IPsecPolicyGroup must contain a unique priority. Through its derivation from PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has theassociated IKE or IPsec actionPolicyRuleValidityPeriod association. The class definition for SARule isto be performed. +----------------------------+ | | |SecurityAssociationCondition| | | +----------------------------+ 1 x | {1}|(a) | * | +--------------------------------------+ | | |SecurityAssociationConditionExpression| | | +--------------------------------------+as follows: NAME SARule DESCRIPTION A base class for IKERule and IPsecRule. DERIVED FROM PolicyRule (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyRuleName (from PolicyRule) Enabled (from PolicyRule) ConditionListType (from PolicyRule) Priority (from PolicyRule) PolicyRoles (from PolicyRule) 4.3. The Class IKERule The class IKERule associates Conditions and Actions for IKE phase 1| | {2}|(b) | * | +---------------------------+ | | |[SecurityAssociationFilter]| | | +---------------------------+ (a) Expressions (b) Filters {1} If using disjunctive normal form (DNF), each expression is logically ORed. If using conjunctive normal form (CNF), each expression is logically ANDed. {2} If using DNF, each filter is logically ANDed. If using CNF, each filternegotiations. The class definition for IKERule islogically ORed. 6.1.as follows: NAME IKERule DESCRIPTION Associates Conditions and Actions for IKE phase 1 negotiations. DERIVED FROM SARule ABSTRACT FALSE PROPERTIES same as SARule 4.4. The ClassSecurityAssociationConditionIPsecRule TheSecurityAssociationConditionclassspecifies the criteria that is applied toIPsecRule associates Conditions and Actions for IKE phase 2 negotiations for theinput information to determine if a particular conditionIPsec DOI. The class definition for IPsecRule ismet. It contains the following attributes/references:as follows: NAMEnegatedIKERule DESCRIPTIONIndicates whether or not the result ofAssociates Conditions and Actions for IKE phase 2 negotiations for therule evaluation is to be negated. TYPE boolean VALUE true - condition evaluation result isIPsec DOI. DERIVED FROM SARule ABSTRACT FALSE PROPERTIES same as SARule 4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec policies to benegated false - condition evaluation result is notcombined tobe negated NAME useDNF DESCRIPTION Indicates whether or not theinto one effective policy. When merging policies, ruleis specifiedpriorities are used inDNF or CNF form. TYPE boolean VALUE true - condition is expressed as DNF. The expressions withinconjunction with thecondition are logically ORed.rule override point values to determine insertion points and for rule priority renumbering (if necessary to maintain uniqueness). Thefilters within an expression are logically ANDed. false - conditionclass definition for IPsecPolicyGroupInPolicyGroup isexpressedasCNF. The expressions withinfollows: NAME IPsecPolicyGroupInPolicyGroup DESCRIPTION Associates a nested IPsecPolicyGroup with thecondition are logically ANDed. The filters within an expression are logically ORed. 6.2.IPsecPolicyGroup that contains it. DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM]) ABSTRACT FALSE PROPERTIES ContainingGroup[ref IPsecPolicyGroup[0..n]] ContainedGroup[ref IPsecPolicyGroup[0..n]] Precedence 4.5.1. TheClass SecurityAssociationConditionExpressionReference ContainingGroup TheSecurityAssociationConditionExpression classproperty ContainingGroup isusedinherited from PolicyGroupInPolicyGroup and is overridden tocombine several filters, which together constitute one logical expression. Itcontain object reference to an IPsecPolicyGroup that containsthe following reference: NAME Filters DESCRIPTIONone or more IPsecPolicyGroups. Theset of filters, which combined, are used to represent the expression. When using DNF, these filters are logically ANDed. When using CNF, these filters are logically ORed. 7. IPSec Filter Classes[0..n] cardinality indicates that there may be zero or more IPsecPolicyGroups that contain any given IPsecPolicyGroup. 4.5.2. Thefilter classes are usedReference ContainedGroup The property ContainedGroup is inherited from PolicyGroupInPolicyGroup and is overridden tospecify individual criteria which MUST be met before a condition will evaluatecontain an object reference totrue. +---------------------------+ | | |[SecurityAssociationFilter]| | | +---------------------------+ ^ | +----------------+---------+-------+-----------------+ {1}| | | | +-------------+ +----------+ +---------------+ +--------------+ | | | | | | | | |AddressFilter| |PortFilter| |PortRangeFilter| |ProtocolFilter| | | | | | | | | +-------------+ +----------+ +---------------+ +--------------+ ^ | +----------------------+---------------------+ | | | +--------------+ +---------------+ +---------------+ | | | | | | |EndpointFilter| |IPv4RangeFilter| |IPv6RangeFilter| | | | | | | +--------------+ +---------------+ +---------------+ 1 x | (a)| | 1 | +----------+ | | |[Endpoint]| | | +----------+ (a) Identity {1} When the rule is foranIKE phaseIPsecPolicyGroup contained by onenegotiation, the AddressFilter isor more IPsecPolicyGroups. The [0..n] cardinality indicates that an IPsecPolicyGroup may contain zero or more IPsecPolicyGroups. 4.5.3. The Property Precedence The property Precedence specifies theonly typemerge ordering offilter allowed. 7.1. The Class SecurityAssociationFilterthe nested IPsecPolicyGroups. TheSecurityAssociationFilter classproperty isuseddefined asan abstract base class from which all concrete filter class are expected to derive from. It contains the following attribute:follows: NAMEnegatedPrecedence DESCRIPTIONIndicates whether or notSpecifies theresultmerge ordering of thefilter evaluation is to be negated. TYPE booleannested IPsecPolicyGroups. SYNTAX unsigned 16-bit integer VALUEtrue - filter evaluationAny value between 1 and 2^16-1 inclusive. Lower values have higher precedence (i.e., 1 isto be negated false - filter evaluationthe highest precedence). The merging order of two ContainedGroups with the same precedence isnot to be negated 7.2.undefined. 4.6. The Composition ClassPortFilterRuleForIKENegotiation ThePortFilterclassspecifies a filterRuleForIKENegotiation associates an IKERule with the IPsecPolicyGroup thatis based upon a single port value. Itcontainsthe following attributes:it. The class definition for RuleForIKENegotiation is as follows: NAMEapplyToSourceRuleForIKENegotiation DESCRIPTIONIndicates whether or notAssociates an IKERule with theport specified isIPsecPolicyGroup that contains it. ABSTRACT FALSE PROPERTIES ContainingGroup [ref IPsecPolicyGroup [1..1]] ContainedRule [ref IKERule [0..n]] 4.6.1. The Reference ContainingGroup The property ContainingGroup contains an object reference tobe interpreted as a source portan IPsecPolicyGroup that contains one ora destination port. TYPE boolean VALUE true - the port specified is to be interpreted as a source port false - the port specified is tomore IKERules. The [1..1] cardinality indicates that an IKERule may beinterpreted as a destination port NAME port DESCRIPTION Specifies the port value. TYPE unsigned 16-bit integer VALUE 0 - wild-card portcontained in only one IPsecPolicyGroup (i.e.,any port matches). Any other value specifies a specific port. 7.3.IKERules are not shared across IPsecPolicyGroups). 4.6.2. The Reference ContainedRule The property ContainedRule contains an object reference to an IKERule contained by an IPsecPolicyGroup. The [0..n] cardinality indicates that an IPsecPolicyGroup may contain zero or more IKERules. 4.7. The Composition ClassPortRangeFilterRuleForIPsecNegotiation ThePortRangeFilterclassspecifies a filterRuleForIPsecNegotiation associates an IPsecRule with the IPsecPolicyGroup thatis based upon a range of port values.contains it. Theport rangeclass definition for RuleForIPsecNegotiation isto be interpretedasinclusive. It contains the following attributes:follows: NAMEapplyToSourceRuleForIPsecNegotiation DESCRIPTIONIndicates whether or notAssociates an IPsecRule with theport specified isIPsecPolicyGroup that contains it. ABSTRACT FALSE PROPERTIES ContainingGroup [ref IPsecPolicyGroup [1..1]] ContainedRule [ref IPsecRule [0..n]] 4.7.1. The Reference ContainingGroup The property ContainingGroup contains an object reference to an IPsecPolicyGroup that contains one or more IPsecRules. The [1..1] cardinality indicates that an IPsecRule may beinterpreted as a source port rangecontained in only one IPsecPolicyGroup (i.e., IPsecRules are not shared across IPsecPolicyGroups). 4.7.2. The Reference ContainedRule The property ContainedRule contains an object reference to an IPsecRule contained by an IPsecPolicyGroup. The [0..n] cardinality indicates that an IPsecPolicyGroup may contain zero ora destination port range. TYPE boolean VALUE true -more IPsecRules. 4.8. The Aggregation Class SAConditionInRule The class SAConditionInRule associates an SARule with theport range specified is to be interpreted as a source port range false -SACondition instances that trigger it. See [PCIM] for theport range specifiedusage for the properties GroupNumber and ConditionNegated. The class definition for SAConditionInRule isto be interpretedasa destination port rangefollows: NAMEfirstPortSAConditionInRule DESCRIPTIONSpecifiesAssociates an SARule with thefirst port in the range. TYPE unsigned 16-bit integer NAME lastPort DESCRIPTION Specifies the last port in the range. TYPE unsigned 16-bit integer VALUE The lastPort attribute value MUST be greater than or equal to the firstPort attribute value. 7.4.SACondition instances that trigger it. DERIVED FROM PolicyConditionInPolicyRule (see [PCIM]) ABSTRACT FALSE PROPERTIES ContainingRule [ref SARule [0..n]] ContainedCondition [ref SACondition [0..n]] GroupNumber (from PolicyConditionInPolicyRule) ConditionNegated (from PolicyConditionInPolicyRule) SequenceNumber 4.8.1. TheClass ProtocolFilterReference ContainingRule TheProtocolFilter class specifies a filter thatproperty ContainingRule isbased upon the IP protocol. It contains the following attribute: NAME protocol DESCRIPTION Specifies the IP protocol value. TYPE unsigned 8-bit integer VALUE 0 - wild-card protocol (i.e., any protocol). Any other value specifies a specific protocol. Note: if using DNF, it does not make senseinherited from PolicyConditionInPolicyRule and is overridden touse a PortFiltercontain an object reference to an SARule that contains one orPortRangeFilter when using a ProtocolFiltermore SAConditions. The [0..n] cardinality indicates thatis not either UDPan SACondition may be contained in zero orTCP. 7.5.more SARules. 4.8.2. TheClass AddressFilterReference ContainedCondition TheAddressFilter classproperty ContainedCondition isusedinherited from PolicyConditionInPolicyRule and is overridden torepresent filters which use a system's address or DNS name as a filter. Itcontain an object reference to an SACondition that isused ascontained by anabstract base class fromSARule. The [0..n] cardinality indicates that an SARule may contain zero or more SAConditions. 4.8.3. The Property SequenceNumber The property SequenceNumber specifies, for a given rule, the order in whichspecific address-based filtersthe SACondition instances will bederived.evaluated. Theaddress filters are always used to specifyproperty is defined as follows: NAME SequenceNumber DESCRIPTION Specifies theaddress/hostnameevaluation order of thedestination machine.SAConditions. SYNTAX unsigned 16-bit integer VALUE Lower valued SAConditions are evaluated first. Thereason is that the associationorder ofa policy with a particular interface implies the source address/hostname - one could look at the policy to interface mapping as another typeevaluation offilter. Note: for IKE rules, these areContainedConditions with theonly filter type allowed. 7.6.same SequenceNumber value is undefined. 4.9. The Aggregation ClassEndpointFilterSAActionInRule TheEndpointFilterSAActionInRule classis used to represent a filter that specifiesassociates anindividual interface on one system. ItSARule with its primary SAAction. The class definition for SAActionInRule isused to specifyas follows: NAME SAActionInRule DESCRIPTION Associates anFQDN,SARule with its primary SAAction. DERIVED FROM PolicyActionInPolicyRule (see [PCIM]) ABSTRACT FALSE PROPERTIES ContainingRule [ref SARule [0..n]] ContainedAction [ref SAAction [1..1]] 4.9.1. The Reference ContainingRule The property ContainingRule is inherited from PolicyActionInPolicyRule and is overridden to contain anIPv4 address, orobject reference to anIPv6 address. ItSARule that containsthe following reference: NAME Identity DESCRIPTION Specifies the FQDN or IP address to use for the filter.an SAAction. Thevalue MAY[0..n] cardinality indicates that an SAAction may bewild-carded (see the Endpoint class description). 7.7.contained in zero or more SARules. 4.9.2. TheClass IPv4RangeFilterReference ContainedAction TheIPv4RangeFilterproperty ContainedAction isusedinherited from PolicyActionInPolicyRule and is overridden torepresent a filtercontain an object reference to an SAAction thatspecifies a range of IPv4 address.is contained by an SARule. Therange[1..1] cardinality indicates that an SARule may contain only one SAAction. 4.10. The Aggregation Class FallbackSAActionInRule The class FallbackSAActionInRule associates an SARule with its ordered set of fallback actions. Fallback actions allow an administrator to define what action is to beinterpreted as inclusive. It containstake if thefollowing attributes:SAAction referenced by SAActionInRule fails for any reason. The class definition for FallbackSAActionInRule is as follows: NAMEfirstAddressFallbackSAActionInRule DESCRIPTIONSpecifiesAssociates an SARule with thefirst addressordered set of fallback actions that should be attempted/applied in therange. TYPE unsigned 32-bit value NAME lastAddress DESCRIPTION Specifies the last address incase of failure of therange. TYPE unsigned 32-bit value VALUEprimary SAAction. ABSTRACT FALSE PROPERTIES ContainingRule [ref SARule [0..n]] ContaintedAction [ref SAAction [0..n]] SequenceNumber 4.10.1. ThelastAddress attribute value MUSTReference ContainingRule The property ContainingRule contains an object reference to an SARule that contains one or more fallback SAActions. The [0..n] cardinality indicates that an fallback SAAction may begreater thancontained in zero orequal to the firstAddress attribute value. 7.8.more SARules. 4.10.2. TheClass IPv6RangeFilterReference ContainedAction TheIPv6RangeFilter is usedproperty ContainedAction contains an object reference torepresentafilterfallback SAAction thatspecifies a range of IPv6 address. The rangeisto be interpreted as inclusive. It contains the following attributes: NAME firstAddress DESCRIPTION Specifiescontained by one or more SARules. The [0..n] cardinality indicates that an SARule may contain zero or more fallback SAActions. 4.10.3. The Property SequenceNumber The property SequenceNumber specifies, for a given rule, thefirst addressorder in which therange. TYPE octet[16]fallback SAActions should be attempted. Once a fallback SAAction is successfully applied, then subsequent fallback SAActions should be ignored. The property is defined as follows: NAMElastAddressSequenceNumber DESCRIPTION Specifies thelast address inorder of attempted application for therange. TYPE octet[16]fallback SAAction. SYNTAX unsigned 16-bit integer VALUE Lower valued fallback SAActions are attempted first. ThelastAddress attribute value MUST be greater than or equal to the firstAddress attribute value. 8. IKE and IPsec Action Classes An action is a setorder ofproposals combinedattempt of ContainedActions with thesecurity association level information thatsame SequenceNumber value is undefined. 5. Condition and Filter Classes The IPsec condition and filter classes are used toprotect a particular flow. +---------------------------+ | | |[SecurityAssociationAction]| | |o---+ +---------------------------+*build the "if" part of the IKE and IPsec rules. +-------------+* 0..1+------------+1 *+-------------------+ | SACondition |o--------| FilterList |x--------| [FilterEntryBase] | +-------------+ (a) +------------+ (b) +-------------------+ ^(a)|{1}|n|+---------------------+------------------------+ |+-----------------------------+| | +-----------------+ +-------------------+ +-----------------------+ | [IPFilterEntry] ||[SecurityAssociationProposal]|| [IPSOFilterEntry] | | CredentialFilterEntry |+-----------------------------++-----------------+ +-------------------+ +-----------------------+ ^ ^ |+---------+| | +-------------------+ | ||IKEAction|---+| | +--------------------------------+ |+---------++-| ClassificationLevelFilterEntry | |+-----------+|+------------------++--------------------------------+ ||---+| ||IPsecAction| (b) 0..1|DiffieHellmanGroup|||o--------------|+--------------------------------+ |+-----------+* {2} +------------------+ ^+-| ProtectionAuthorityFilterEntry |+--------+------------+-----------+------------+| +--------------------------------+ | +-----------------------------------------------+ | | +-----------------------+ +--------------------++-----------------+ | +-----------------+ || [EndpointFilterEntry] | |ProtocolFilterEntry | +-----------------------+ +--------------------+ ^ ^ | +----------------+ | +----------------------+ ||IPsecTransportAction| |IPsecTunnelAction|UDPFilterEntry |--+ ||IPsecBypassAction|+----------------+ | | | +-----------------+ | +----------------+ | | FQDNFilterEntry |----+ |+--------------------+TCPFilterEntry |--+ +-----------------+ |+-----------------+ 1 x+----------------+ | +------------------------+ | +------------------------+ |(c)|{3} +------------+IPv4AddressFilterEntry |----+----| IPv6AddressFilterEntry | +------------------------+ |+----------+ +------------------++------------------------+ | +----------------------+ | +----------------------+ | IPv4RangeFilterEntry |----+----| IPv6RangeFilterEntry | +----------------------+ ||[Endpoint]| |IPsecDiscardAction|+----------------------+ | +-----------------------+ | +-----------------------+ | IPv4SubnetFilterEntry |----+----| IPv6SubnetFilterEntry |+----------+ +------------------++-----------------------+ +-----------------------+ (a)ProposalsFilterOfSACondition (b)IPsecGroup (c) RemoteGateway {1} 1. For an IKEAction object, these MUST be IKEPropsal objects. For an IPsecAction object, these MUST be IPsec Action objects. 2. SecurityAssociationProposal objects are ordered from most preferable to least preferableEntriesInFilterList 5.1. The Class SACondition The class SACondition defines the preconditions for IKE andare logically ORed.IPsec negotiations. Themechanism by which ordering is accomplishedclass definition for SACondition isdependent upon the specific derivation ofas follows: NAME SACondition DESCRIPTION Defines the preconditions for IKE and IPsecschema. {2} If not using Perfect Forward Secrecy (PFS), thennegotiations. DERIVED FROM PolicyCondition (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyConditionName (from PolicyCondition) StartupCondition 5.1.1. The Property StartupCondition This property specifies theDiffieHellmanGroup object either does not exist or is ignored. Otherwise (PFS is used) iftriggering event that caused theDiffieHellmanGroup objectrule evaluation. The property isnot present, thendefined as follows: NAME StartupCondition DESCRIPTION Specifies theDiffie-Hellman Group from Phasetriggering event that cause the rule to be evaluated. SYNTAX unsigned 16-bit integer VALUE 1 (OnBoot) - the rule is triggered after system boot. The FilterList associated with the SACondition contains the information that will be usedfor Phase 2. Otherwise, useto build theDiffieHellmanGroup object. {3} Ifselectors. 2 (OnManual) - theendpoint typerule isan FQDN, thentriggered manually in response to user input. The FilterList associated with theDNS name MUSTSACondition contains the information that will befully-qualifed (i.e., no wild-card values allowed). Ifused to build theendpoint typeselectors. 3 (OnDataTraffic) - the rule isan IPv4triggered when packets without associated security associations are sent orIPv6 address, thenreceived (traffic directionality is indicated by theaddress MUST NOT beDirection field of thewild-card value. 8.1.associated FilterList). 4 (OnIKEMessage) - the rule is triggered when an incoming request for IKE negotiation is received. 5.2. The ClassSecurityAssociationActionFilterList TheSecurityAssociationActionclasscontains the parametersFilterList aggregates an ANDed set of filters that arecommon between the IKEused for determining when an SACondition evaluates to true andIPsec action classes. It containstherefore its associated SAAction should be performed. The class definition for FilterList is as follows: NAME FilterList DESCRIPTION Aggregates a set of filters for condition matching. ABSTRACT FALSE PROPERTIES Name Direction 5.2.1. The Property Name This property specifies a user-friendly name for thefollowing attributes/references:FilterList. The property is defined as follows: NAMErefreshThresholdSecondsName DESCRIPTION Specifies thepercentage of expiration (in other words,user-friendly name for therefresh threshold) of an established SA's seconds lifetime at which to begin renegotiation ofFilterList. SYNTAX string 5.2.2. The Property Direction This property specifies whether or theSA. TYPE integer VALUE Valid values areFilterList will be used on incoming, outgoing, or bi-directional traffic. Direction is only useful for filter types that inspect traffic parameters and when the StartupCondition property in therange 1SACondition is set to100 inclusive. A value of 100 means that renegotiation does not occur until the seconds lifetime value has expired. refreshThresholdSecondsOnDataTraffic (3). The property isnot a negotiated parameter.defined as follows: NAMErefreshThresholdKilobytesDirection DESCRIPTION Specifiesthe percentage of expiration of an established SA's kilobyte lifetime at which to begin renegotiationwhat kind ofthe SA. TYPEtraffic will be checked - incoming, outgoing, or bi-directional. SYNTAX unsigned 16-bit integer VALUEValid values are in the range1to 100 inclusive. A value of 100 means that renegotiation does not occur until- Incoming 2 - Outgoing 3 - Bi-directional 5.3. The Abstract Class FilterEntryBase The abstract class FilterEntryBase serves as thekilobyte lifetime value has expired. refreshThresholdKilobytesbase class for the specific filter class. The class definition for FilterEntryBase isnotas follows: NAME FilterEntryBase DESCRIPTION Serves as the base class for specific filter classes. ABSTRACT TRUE PROPERTIES Name IsNegated 5.3.1. The Property Name This property specifies anegotiated parameter.user-friendly name for the filter. The property is defined as follows: NAMEminLifetimeSecondsName DESCRIPTION Specifies theminimum SA seconds lifetime that will be accepted from a peer while negotiating an SA based upon this action.user-friendly name for the filter. SYNTAX string 5.3.2. ThepurposeProperty IsNegated This property specifies whether or not the result ofthis valuethe boolean result of the filter evaluation should be negated. The property is defined as follows: NAME IsNegated DESCRIPTION Specifies whether or not toprevent denial-of-service attacks in which a peer can select an arbitrarily low seconds lifetime, causingnegate theIKE server to perform renegotiations with correspondingly expensive Diffie-Hellman calculations. TYPE unsigned 32-bit integerresult of the evaluation of the filter. SYNTAX boolean VALUE0 - indicatesA value of true means thatthere is no minimum lifetime enforced. Any otherthe boolean result of the filter evaluation of the filter will be negated. A valuespecifies a required minimum seconds lifetime. minLifetimeSeconds isof false means that the boolean result of the evaluation of the filter will not be altered. 5.4. The Abstract Class IPFilterEntry The abstract class IPFilterEntry serves as anegotiated parameter.base class for filter entries which are used to match against the 5-tuple (i.e., source and destination address, protocol, and source and destination port) information in the IP packet. The class definition for IPFilterEntry is as follows: NAMEminLifetimeKilobytesIPFilterEntry DESCRIPTIONSpecifiesServes as theminimum kilobyte lifetime that will be accepted frombase class for IP 5-tuple filters. DERIVED FROM FilterEntryBase ABSTRACT TRUE 5.5. The Abstract Class EndpointFilterEntry The abstract class EndpointFilterEntry serves as anegotiating peer while negotiating an SA based upon this action.base class for filters which match against IP addresses (source or destination). Thepurpose of this valueclass definition for EndpointFilterEntry is as follows: NAME EndpointFilterEntry DESCRIPTION Serves as the base class for filters which match against IP addresses. DERIVED FROM IPFilterEntry ABSTRACT TRUE PROPERTIES ApplyToDestination 5.5.1. The Property ApplyToDestination This property specifies whether or not the address toprevent denial-of-service attacks intest against is the source or the destination IP address. The property is defined as follows: NAME ApplyToDestination DESCRIPTION Specifies whicha peer can selectIP address to test, source or destination. SYNTAX boolean VALUE A value of true means that the destination IP address should be tested against. A value of false means that the source IP address should be tested against. 5.6. The Class IPv4AddressFilterEntry The class IPv4AddressFilterEntry specifies a filter that will match against a single IPv4 address. The class definition for IPv4AddressFilterEntry is as follows: NAME IPv4AddressFilterEntry DESCRIPTION Defines the match filter for anarbitrarily low kilobyte lifetime, causingIPv4 address. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Address 5.6.1. The Property Address This property specifies the IPv4 address that will be used in the equality test. The property is defined as follows: NAME Address DESCRIPTION Specifies the IPv4 address to match against. SYNTAX unsigned 32-bit integer 5.7. The Class IPv4RangeFilterEntry The class IPv4RangeFilterEntry specifies a filter for testing if an IPv4 address is between the start address and end address inclusively. The class definition for IPv4RangeFilterEntry is as follows: NAME IPv4RangeFilterEntry DESCRIPTION Defines the match filter for an IPv4 address range. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES StartAddress EndAddress 5.7.1. The Property StartAddress This property specifies the first IPv4 address in the address range. The property is defined as follows: NAME StartAddress DESCRIPTION Specifies the start of the IPv4 address range. SYNTAX unsigned 32-bit integer 5.7.2. The Property EndAddress This property specifies the last IPv4 address in the address range. The property is defined as follows: NAME EndAddress DESCRIPTION Specifies the end of the IPv4 address. SYNTAX unsigned 32-bit integer VALUE EndAddress must be greater than or equal to StartAddress. 5.8. The Class IPv4SubnetFilterEntry The class IPv4SubnetFilterEntry specifies a filter for testing if an IPv4 address is in the specified subnet. The class definition for IPv4SubnetFilterEntry is as follows: NAME IPv4SubnetFilterEntry DESCRIPTION Defines the match filter for an IPv4 subnet. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Address Mask 5.8.1. The Property Address This property specifies the IPv4 subnet. The property is defined as follows: NAME Address DESCRIPTION Specifies the IPv4 subnet. SYNTAX unsigned 32-bit integer 5.8.2. The Property Mask This property specifies the IPv4 mask. The property is defined as follows: NAME Mask DESCRIPTION Specifies the IPv4 mask. SYNTAX unsigned 32-bit integer VALUE A special value of 0.0.0.0, coupled with an Address value of 0.0.0.0 can be used to specify all addresses. 5.9. The Class IPv6AddressFilterEntry The class IPv6AddressFilterEntry specifies a filter that will match against a single IPv6 address. The class definition for IPv6AddressFilterEntry is as follows: NAME IPv6AddressFilterEntry DESCRIPTION Defines the match filter for an IPv4 address. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Address 5.9.1. The Property Address This property specifies the IPv6 address that will be used in the equality test. The property is defined as follows: NAME Address DESCRIPTION Specifies the IPv6 address to match against. SYNTAX byte[16] 5.10. The Class IPv6RangeFilterEntry The class IPv6RangeFilterEntry specifies a filter for testing if an IPv6 address is between the start address and end address inclusively. The class definition for IPv6RangeFilterEntry is as follows: NAME IPv6RangeFilterEntry DESCRIPTION Defines the match filter for an IPv6 address range. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES StartAddress EndAddress 5.10.1. The Property StartAddress This property specifies the first IPv6 address in the address range. The property is defined as follows: NAME StartAddress DESCRIPTION Specifies the start of the IPv6 address range. SYNTAX byte[16] 5.10.2. The Property EndAddress This property specifies the last IPv6 address in the address range. The property is defined as follows: NAME EndAddress DESCRIPTION Specifies the end of the IPv6 address. SYNTAX byte[16] VALUE EndAddress must be greater than or equal to StartAddress. 5.11. The Class IPv6SubnetFilterEntry The class IPv6SubnetFilterEntry specifies a filter for testing if an IPv6 address is in the specified subnet. The class definition for IPv4SubnetFilterEntry is as follows: NAME IPv6SubnetFilterEntry DESCRIPTION Defines the match filter for an IPv6 subnet. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Address Mask 5.11.1. The Property Address This property specifies the IPv6 subnet. The property is defined as follows: NAME Address DESCRIPTION Specifies the IPv6 subnet. SYNTAX byte[16] 5.11.2. The Property Mask This property specifies the IPv6 mask. The property is defined as follows: NAME Mask DESCRIPTION Specifies the IPv6 mask. SYNTAX byte[16] VALUE A special value of 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0, coupled with an Address value of 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 can be used to specify all addresses. 5.12. The Class FQDNFilterEntry The class FQDNFilterEntry specifies a filter for mathcing against a single or wild-carded DNS name. The class definition for FQDNFilterEntry is as follows: NAME FQDNFilterEntry DESCRIPTION Defines the match filter for a DNS name. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Name 5.12.1. The Property Name This property specifies the DNS name to match against. The property is defined as follows: NAME Address DESCRIPTION Specifies the DNS name. SYNTAX string VALUE The DNS name can be fully qualified (for example, foo.intel.com) or partially qualified (*.intel.com). 5.13. The Class ProtocolFilterEntry The class ProtocolFilterEntry specifies a filter for testing against an IP protocol. The class definition for ProtocolFilterEntry is as follows: NAME ProtocolFilterEntry DESCRIPTION Defines a match filter for IP protocol. DERIVED FROM IPFilterEntry ABSTRACT FALSE PROPERTIES Protocol 5.13.1. The Property Protocol This property specifies the IP protocol to match against. The property is defined as follows: NAME Protocol DESCRIPTION Specifies the IP protocol. SYNTAX unsigned 8-bit integer VALUE A value of zero matches against any protocol. Any other value is the IP protocol number. 5.14. The Class UDPFilterEntry The class UDPFilterEntry specifies a filter for testing if a UDP port is between the start port and end port inclusively. It is assumed that the Protocol property from the ProtocolFilterEntry class will contain the value 17 (i.e., UDP). The class definition for UDPFilterEntry is as follows: NAME UDPFilterEntry DESCRIPTION Defines the match filter for a UDP port range. DERIVED FROM ProtocolFilterEntry ABSTRACT FALSE PROPERTIES StartPort EndPort 5.14.1. The Property StartPort This property specifies the first port in the UDP port range. The property is defined as follows: NAME StartPort DESCRIPTION Specifies the start of the UDP port range. SYNTAX unsigned 16-bit integer 5.14.2. The Property EndPort This property specifies the last port in the UDP port range. The property is defined as follows: NAME EndPort DESCRIPTION Specifies the end of the UDP port range. SYNTAX unsigned 16-bit integer VALUE EndPort must be greater than or equal to StartPort. 5.15. The Class TCPFilterEntry The class TCPFilterEntry specifies a filter for testing if a TCP port is between the start port and end port inclusively. It is assumed that the Protocol property from the ProtocolFilterEntry class will contain the value 6 (i.e., TCP). The class definition for TCPFilterEntry is as follows: NAME TCPFilterEntry DESCRIPTION Defines the match filter for a TCP port range. DERIVED FROM ProtocolFilterEntry ABSTRACT FALSE PROPERTIES StartPort EndPort 5.15.1. The Property StartPort This property specifies the first port in the TCP port range. The property is defined as follows: NAME StartPort DESCRIPTION Specifies the start of the TCP port range. SYNTAX unsigned 16-bit integer 5.15.2. The Property EndPort This property specifies the last port in the TCP port range. The property is defined as follows: NAME EndPort DESCRIPTION Specifies the end of the TCP port range. SYNTAX unsigned 16-bit integer VALUE EndPort must be greater than or equal to StartPort. 5.16. The Abstract Class IPSOFilterEntry The abstract class IPSOFilterEntry serves as a base class for the IP Security Option (IPSO) filters. The class definition for IPSOFilterEntry is as follows: NAME IPSOFilterEntry DESCRIPTION Serves as the base class for the IPSO filters. DERIVED FROM FilterEntryBase ABSTRACT TRUE 5.17. The Class ClassificationLevelFilterEntry The class ClassificationLevelFilterEntry specifies a filter for matching against the classification level IPSO field type. The class definition for ClassificationLevelFilterEntry is as follows: NAME ClassificationLevelFilterEntry DESCRIPTION Defines the filter for the IPSO classification level. DERIVED FROM IPSOFilterEntry ABSTRACT FALSE PROPERTIES Level 5.17.1. The Property Level This property specifies the classification level to match against. The property is defined as follows: NAME Level DESCRIPTION Specifies the classification level. SYNTAX unsigned 16-bit integer VALUE 61 - Top Secret 90 - Secret 150 - Confidential 171 - Unclassified 5.18. The Class ProtectionAuthorityFilterEntry The class ProtectionAuthorityFilterEntry specifies a filter for matching against the protection authority IPSO field type. The class definition for ProtectionAuthorityFilterEntry is as follows: NAME ProtectionAuthorityFilterEntry DESCRIPTION Defines the filter for the IPSO protection authority. DERIVED FROM IPSOFilterEntry ABSTRACT FALSE PROPERTIES Authority 5.18.1. The Property Authority This property specifies the protection authority to match against. The property is defined as follows: NAME Authority DESCRIPTION Specifies the protection authority. SYNTAX unsigned 16-bit integer VALUE 0 - GENSER 1 - SIOP-ESI 2 - SCI 3 - NSA 4 - DOE 5.19. The Class CredentialFilterEntry The class CredentialFilterEntry defines a filter for matching against credential information that was obtained during the IKE phase 1 negotiation. This information can be identity information (such as User FQDN) or information retrieved from credential information (for example, fields from a certificate). This information can be used as a form of access control. The class definition for CredentialFilterEntry is as follows: NAME CredentialFilterEntry DESCRIPTION Defines the filter for matching against IKE phase 1 credential/identity information. DERIVED FROM FilterBaseEntry ABSTRACT FALSE PROPERTIES To Be Determined... 5.20. The Aggregation Class FilterOfSACondition The class FilterOfSACondition associates an SACondition with the filter specifications (FilterList) that make up the condition. The class definition for FilterOfSACondition is as follows: NAME FilterOfSACondition DESCRIPTION Associates a condition with the filter list that make up the individual condition elements. ABSTRACT FALSE PROPERTIES Antecedent [ref FilterList[0..1]] Dependent [ref SACondition [0..n]] 5.20.1. The Reference Antecedent The property Antecedent contains an object reference to a FilterList that is contained in one or more SAConditions. The [0..1] cardinality indicates that an SACondition may have zero or one FilterList. 5.20.2. The Reference Dependent The property Dependent contains an object reference to an SACondition that contains an FilterList. The [0..n] cardinality indicates that a FilterList may be contained in zero or more SAConditions. 5.21. The Composition Class EntriesInFilterList The class EntriesInFilterList associates the individual FilterEntryBases with a FilterList. Together these individual FilterEntryBases can create complex conditions. The class definition for EntriesInFilterList is as follows: NAME EntriesInFilterList DESCRIPTION Associates a FilterList with the set of individual filters. ABSTRACT FALSE PROPERTIES Antecedent [ref FilterEntryBase[0..n]] Dependent [ref FilterList [1..1]] EntrySequence 5.21.1. The Reference Antecedent The property Antecedent contains an object reference to a FilterEntryBase that is contained in a FilterList. The [0..n] cardinality indicates that a FilterList may have zero or more FilterEntryBases. 5.21.2. The Reference Dependent The property Dependent contains an object reference to a FilterList that contains zero or more FilterEntryBases. The [1..1] cardinality indicates that a FilterEntryBase may be contained in one and only one FilterLists (i.e., FilterEntryBases cannot be shared between FilterLists). 5.21.3. The Property EntrySequence The property EntrySequence specifies, for a given FilterList, the order in which the filters should be checked. The property is defined as follows: NAME EntrySequence DESCRIPTION Specifies the order to check the filters in a FilterList. SYNTAX unsigned 16-bit integer VALUE Lower valued filters are checked first. The order of checking of FilterEntryBases with the same EntrySequence value is undefined. 6. Action Classes The action classes are used to model the different actions an IPsec device may take when the evaluation of the associated condition results in a match. +----------+ | SAAction | +----------+ ^ | +-----------+--------------+ | | +----------------+ +---------------------+* | SAStaticAction | | SANegotiationAction |o-----+ +----------------+ +---------------------+ | ^ ^ | | | | | +-----------+-------+ | | | | | +-------------------+ | +-------------+ +-----------+ | | IPsecBypassAction |---+ | IPsecAction | | IKEAction | | +-------------------+ | +-------------+ +-----------+ | | ^ | +--------------------+ | | +----------------------+ | | IPsecDiscardAction |---+ +----| IPsecTransportAction | | +--------------------+ | | +----------------------+ | | | | +-----------------+ | | +-------------------+ | | IKERejectAction |---+ +----| IPsecTunnelAction | | +-----------------+ | +-------------------+ | | | +-----------------------+ | +--------------+n | | SAPreconfiguredAction |---+ | [SAProposal] |-------+ +-----------------------+ +--------------+ (a) (a) ContainedProposal 6.1. The Class SAAction The class SAAction serves as the base class for IKE and IPsec actions. Although the class is concrete, it MUST not be instantiated. The class definition for SAAction is as follows: NAME SAAction DESCRIPTION The base class for IKE and IPsec actions. DERIVED FROM PolicyAction (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyActionName (from PolicyAction) 6.2. The Class SAStaticAction The class SAStaticAction serves as the base class for IKE and IPsec actions that do not require any negotation. Although the class is concrete, it MUST not be instantiated. The class definition for SAStaticAction is as follows: NAME SAStaticAction DESCRIPTION The base class for IKE and IPsec actions that do not require any negotiation. DERIVED FROM SAAction ABSTRACT FALSE PROPERTIES LifetimeSeconds 6.2.1. The Property LifetimeSeconds The property LifetimeSeconds specifies how long the security association derived from this action should be used. The property is defined as follows: NAME LifetimeSeconds DESCRIPTION Specifies the amount of time (in seconds) that a security association derived from this action should be used. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there is not a lifetime associated with this action (i.e., infinite lifetime). A nono-zero value is typically used in conjunction with fallback actions performed when there is a negotiation failure of some sort. 6.3. The Class IPsecBypassAction The class IPsecBypassAction is used when packets are allowed to be processed without applying IPsec to them. This is the same as stating that packets are allowed to flow in the clear. The class definition for IPsecBypassAction is as follows: NAME IPsecBypassAction DESCRIPTION Specifies that packets are to be allowed to pass in the clear. DERIVED FROM SAStaticAction ABSTRACT FALSE 6.4. The Class IPsecDiscardAction The class IPsecDiscardAction is used when packets are to be discarded. This is the same as stating that packets are to be denied. The class definition for IPsecDiscardAction is as follows: NAME IPsecDiscardAction DESCRIPTION Specifies that packets are to be discarded. DERIVED FROM SAStaticAction ABSTRACT FALSE PROPERTIES DoLogging 6.4.1. The Property DoLogging The property DoLogging specifies whether or not an audit message should be logged when a packet is discarded. The property is defined as follows: NAME DoLogging DESCRIPTION Specifies if an audit message should be logged when a packet is discarded. SYNTAX boolean VALUE A value of true indicates that logging should be done for this action. A value of false indicates logging should not be done for this action. 6.5. The Class IKERejectAction The class IKERejectAction is used to prevent attempting an IKE negotiation with the peer(s). The class definition for IKERejectAction is as follows: NAME IKERejectAction DESCRIPTION Specifies that an IKE negotiation should not even be attempted. DERIVED FROM SAStaticAction ABSTRACT FALSE PROPERTIES DoLogging 6.5.1. The Property DoLogging The property DoLogging specifies whether or not an audit message should be logged when a determination is made to prevent an IKE negotiation. The property is defined as follows: NAME DoLogging DESCRIPTION Specifies if an audit message should be logged when IKE negotiation is prohibited. SYNTAX boolean VALUE A value of true indicates that logging should be done for this action. A value of false indicates logging should not be done for this action. 6.6. The Class SAPreconfiguredAction The class SAPreconfiguredAction is used to create a security association using preconfigured, hard-wired algorithms and keys. The class definition for SAPreconfiguredAction is as follows: NAME SAPreconfiguredAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of a security association. DERIVED FROM SAStaticAction ABSTRACT FALSE PROPERTIES To Be Determined... 6.7. The Class SANegotiationAction The class SANegotiationAction serves as the base class for IKE and IPsec actions which result in a IKE negotiation. Although the class is concrete, is MUST not be instantiated. The class definition for SANegotiationAction is as follows: NAME SANegotiationAction DESCRIPTION A base class for IKE and IPsec actions that specifies the parameters that are common for IKE phase 1 and IKE phase 2 IPsec DOI negotiations. DERIVED FROM SAAction ABSTRACT FALSE PROPERTIES MinLifetimeSeconds MinLifetimeKilobytes RefreshThresholdSeconds RefreshThresholdKilobytes IdleDurationSeconds 6.7.1. The Property MinLifetimeSeconds The property MinLifetimeSeconds specifies the minimum seconds lifetime that will be accepted from the peer. MinLifetimeSeconds is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. The property is defined as follows: NAME MinLifetimeSeconds DESCRIPTION Specifies the minimum acceptable seconds lifetime. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum seconds lifetime. 6.7.2. The Property MinLifetimeKilobytes The property MinLifetimeKilobytes specifies the minimum kilobyte lifetime that will be accepted from the peer. MinLifetimeKilobytes is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. The property is defined as follows: NAME MinLifetimeKilobytes DESCRIPTION Specifies the minimum acceptable kilobyte lifetime. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum kilobyte lifetime. 6.7.3. The Property RefreshThresholdSeconds The property RefreshThresholdSeconds specifies what percentage of the seconds lifetime can expire before IKE should attempt to renegotiate the IPsec security association. A random value may be added to the calculated threshold (percentage x seconds lifetime) to reduce the chance of both peers attempting to renegotiate at the same time. The property is defined as follows: NAME RefreshThresholdSeconds DESCRIPTION Specifies the percentage of seconds lifetime that has expired before the IPsec security association is renegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representing a percentage. A value of 100 indicates that the IPsec security association should not be renegotiated until the seconds lifetime has been reached. 6.7.4. The Property RefreshThresholdKilobytes The property RefreshThresholdKilobytes specifies what percentage of the kilobyte lifetime can expire before IKE should attempt to renegotiate the IPsec security association. A random value may be added to the calculated threshold (percentage x kilobyte lifetime) to reduce the chance of both peers attempting to renegotiate at the same time. The property is defined as follows: NAME RefreshThresholdKilobytes DESCRIPTION Specifies the percentage of kilobyte lifetime that has expired before the IPsec security association is renegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representing a percentage. A value of 100 indicates that the IPsec security association should not be renegotiated until the kilobyte lifetime has been reached. 6.7.5. The Property IdleDurationSeconds The property IdleDurationSeconds specifies how many seconds a security association may remain idle (i.e., no traffic protected using the security association) before it is deleted. The property is defined as follows: NAME IdleDurationSeconds DESCRIPTION Specifies how long, in seconds, a security association may remain unused before it is deleted. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that idle detection should not be used for the security association. Any non-zero value indicates the number of seconds the security association may remain unused. 6.8. The Class IPsecAction The class IPsecAction serves as the base class for IPsec transport and tunnel actions. It specifies the parameters used for an IKE phase 2 IPsec DOI negotiation. Although the class is concrete, is MUST not be instantiated. The class definition for IPsecAction is as follows: NAME IPsecAction DESCRIPTION A base class for IPsec transport and tunnel actions that specifies the parameters for IKE phase 2 IPsec DOI negotiations. DERIVED FROM SANegotiationAction ABSTRACT FALSE PROPERTIES UsePFS UseIKEGroup GroupId Granularity 6.8.1. The Property UsePFS The property UsePFS specifies whether or not perfect forward secrecy should be used when refreshing keys. The property is defined as follows: NAME UsePFS DESCRIPTION Specifies the whether or not to use PFS. SYNTAX boolean VALUE A value of true indicates that PFS should be used. A value of false indicates that PFS should not be used. 6.8.2. The Property UseIKEGroup The property UseIKEGroup specifies whether or not phase 2 should use the same Diffie-Hellman as was used in phase 1. UseIKEGroup is ignored if UsePFS is false. The property is defined as follows: NAME UseIKEGroup DESCRIPTION Specifies whether or not to use the same GroupId for phase 2 as was used in phase 1. If UsePFS is false, then UseIKEGroup is ignored. SYNTAX boolean VALUE A value of true indicates that the phase 2 GroupId should be the same as phase 1. A value of false indicates that the property GroupId will contain the Diffie-Hellman group to use for phase 2. 6.8.3. The Property GroupId The property GroupId specifies the Diffie-Hellman group to use for phase 2. GroupId is ignored if (1) the property UsePFS is false, or (2) the property UsePFS is true and the property UseIKEGroup is true. The property is defined as follows: NAME GroupId DESCRIPTION Specifies the Diffie-Hellman group to use for phase 2 when the property UsePFS is true and the property UseIKEGroup is false. SYNTAX unsigned 16-bit integer VALUE 1 - 768-bit MODP group 2 - 1024-bit MODP group 3 - EC2N group on GP[2^155] 4 - EC2N group on GP[2^185] 5 - 1536-bit MODP group 6.8.4. The Property Granularity The property Granularity specifies whether the proposed selector for the security association should be derived from theIKE server to perform renegotiations with correspondingly expensive Diffie-Hellman calculations. TYPE unsigned 32-bit integer VALUE 0 - indicatestraffic thatthere is no minimum lifetime enforced. Any other value specifies a required minimum kilobyte lifetime. minLifetimeKilobytestriggered the negotiation (Narrow) or from the FilterList of the Condition(s) that matched the rule (Wide). The property isnot a negotiated parameter.defined as follows: NAMEtrafficIdleTimeGranularity DESCRIPTION Specifies theamount of time in seconds an SA, negotiated usinghow thecontaining action object, may remain idle (in other words, no traffic protected byproposed selector for theSA) before it is deleted. TYPEsecurity association will be created. SYNTAX unsigned32-bit8-bit integer VALUE01 -thereThe selector isno idle time detection. In other words,created by using theexpiration ofFilterList information from theSA is solely dependent uponcondition that matched theexpiration of one oftraffic parameters. This is called a Wide selector as it could for instance contain a IP subnet or range. 2 - The selector is created by using thelifetime values. Any other value specifiestraffic parameters (i.e., thenumber5-tuple ofsecondstheSA may remain idle before it can be forcibly expired. trafficIdleTimetraffic). This isnotcalled anegotiated parameter.Narrow selector. 6.9. The Class IPsecTransportAction The class IPsecTransportAction is a subclass of IPsecAction that is used to specify use of an IPsec transport mode security association. The class definition for IPsecTransportAction is as follows: NAMEProposalsIPsecTransportAction DESCRIPTION Specifies that an IPsec transport mode security association should be negotiated. DERIVED FROM IPsecAction ABSTRACT FALSE 6.10. The Class IPsecTunnelAction The class IPsecTunnelAction is alogically ORed setsubclass ofproposals, ORDERED from most preferable to least prefereable, which areIPsecAction that is usedduring negotiationto specify use ofthe SA. If the action isanIKEAction, then the set will contain IKEProposal objects. If the actionIPsec tunnel mode security association. The class definition for IPsecTunnelAction is as follows: NAME IPsecTunnelAction DESCRIPTION Specifies that anIPsecAction, then the set will contain IPsecProposal objects. A SecurityAssociationAction object will reference one to many SecurityAssociationProposal objects. A SecurityAssociationProposal object MAYIPsec tunnel mode security association should bereferenced by zero to many SecurityAssociationAction objects. See section 9 for a descriptionnegotiated. DERIVED FROM IPsecAction ABSTRACT FALSE PROPERTIES PeerGateway DFHandling 6.10.1. The Property PeerGateway The property PeerGateway specifies the IP address or DNS name of theSecurityAssociationProposal and derived classes. 8.2.peer gateway. TheClass IKEAction IKEActionproperty is defined as follows: NAME PeerGateway DESCRIPTION Specifies peer gateway's IP address or DNS name. SYNTAX string VALUE Either (1) IPv4 address in dotted quad format, (2) IPv6 address in ... format, or (3) aspecialization of the SecurityAssociationAction class andDNS name. 6.10.2. The Property DFHandling The property DFHandling specifies how theparameters unique to an IKE action. It containsDon't Fragment (DF) bit should be managed by thefollowing attributes:tunnel. The property is defined as follows: NAMEexchangeModeDFHandling DESCRIPTION Specifies thenegotiation mode thatDF bit is managed by theIKE server will use for phase one. TYPEtunnel. SYNTAX unsigned16-bit8-bit integer VALUE 1 -base modeDF bit is copied. 2 -main mode 4DF bit is set. 3 -aggressive modeDF bit is cleared. 6.11. The Class IKEAction The class IKEAction specifies the parameters that are to be used for IKE phase 1 negotiation. The class definition for IKEAction is as follows: NAMErefreshThresholdDerivedKeysIKEAction DESCRIPTION Specifies the IKE phase 1 negotiation parameters. DERIVED FROM SANegotiationAction ABSTRACT FALSE PROPERTIES RefreshThresholdDerivedKeys ExchangeMode UseIKEIdentityType 6.11.1. The Property RefreshThresholdDerivedKeys The property RefreshThresholdDerivedKeys specifies what percentage ofexpirationthe derived key limit (see the LifetimeDerivedKeys property ofan establishedIKEProposal) can expire before IKESA's derived keys lifetime at whichshould attempt tobegin renegotiation of the SA. TYPE integer VALUE Valid values are inrenegotiate therangeIKE phase 1to 100 inclusive.security association. A random valueof 100 means that renegotiation does not occur untilmay be added to the calculated threshold (percentage x derived keylifetime value has expired. refreshThresholdDerivedKeys is not a negotiated parameter. 8.3. The Class IPsecAction IPsecAction is a specialization of the SecurityAssociationAction class and specifieslimit) to reduce theparameters uniquechance of both peers attempting toan IPsec action. It containsrenegotiate at thefollowing attributes/references:same time. The property is defined as follows: NAMEusePfsRefreshThresholdKilobytes DESCRIPTION Specifieswhether or not PFS should be used when negotiatingthephase two IPsec SA. TYPE boolean VALUE true false NAME IPsecGroup DESCRIPTION If PFS should be used duringpercentage of derived key limit that has expired before the IKE phasetwo, this specifies the Diffie-Hellman group to use. The DiffieHellmanGroup class1 security association isdescribed in section 10. DEFAULT Since an IPsecAction object MAY optionally containrenegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representing aIPsecGroup object, absencepercentage. A value ofone when using PFS100 indicates that the IKE phasetwo negotiation1 security association shoulduse the same Diffie-Hellman group that was agreed upon duringnot be renegotiated until the derived key limit has been reached. 6.11.2. The Property ExchangeMode The property ExchangeMode specifies which IKE mode should be used for IKE phaseone negotiation. 8.4.1 key negotiations. TheClass IPsecTransportAction IPsecTransportAction is a specialization of IPsecAction, but does not add any attributes. Itproperty isused to signify that the phase two action will be fordefined as follows: NAME ExchangeMode DESCRIPTION Specifies the IKE negotiationof an IPsec transportmodeSA. 8.5.for phase 1. SYNTAX unsigned 16-bit integer VALUE 1 - base mode 2 - main mode 4 - aggressive mode 6.11.3. TheClass IPsecTunnelAction IPsecTunnelAction is a specialization of IPsecAction that isProperty UseIKEIdentityType The property UseIKEIdentityType specifies what IKE identity type should be usedto signify thatwhen negotiating with thephase two action will be forpeer. This information is used in conjunction thenegotiation of an IPsec tunnel mode SA. It containsIKE identities available on thefollowing reference:system. The property is defined as follows: NAMERemoteGatewayUseIKEIdentityType DESCRIPTIONTheSpecifies the IKE identity to use during negotiation. SYNTAX unsigned 16-bit integer VALUE 1 - IPv4 Address 2 - FQDN 3 - User FQDN 4 - IPv4 Subnet 5 - IPv6 Address 6 - IPv6 Subnet 7 - IPv4 Address Range 8 - IPv6 Address Range 9 - DER-Encoded ASN.1 X.500 Distinguished Name 10 - DER-Encoded ASN.1 X.500 GeneralName 11 - Key ID 6.12. The Aggregation Class ContainedProposal The class ContainedProposal associates an ordered list of SAProposals with thepoint whereSANegotiationAction that contains it. If the referenced SANegotiationAction object is an IKEAction, then thetunnel terminates onreferenced SAProposal object must be an IKEProposal. If theremote gateway. Note: since a particular IPsec policyreferenced SANegotiationAction object isdirectly associated with a particular interface in the system,an IPsecTransportAction or an IPsecTunnelAction, then thelocal gateway identity canreferenced SAProposal object must beimplicitly determined from this information. 8.6.an IPsecProposal. TheClass IPsecBypassAction IPsecBypassActionclass definition for ContainedProposal isa specializationas follows: NAME ContainedProposal DESCRIPTION Associates an ordered list ofIPsecAction, but does not add any attributes. It is usedSAProposals with an SANegotiationAction. ABSTRACT FALSE PROPERTIES GroupComponent[ref SANegotiationAction[0..n]] PartComponent[ref SAProposal[1..n]] SequenceNumber 6.12.1. The Reference GroupComponent The property GroupComponent contains an object reference tosignifyan SANegotiationAction thatthe traffic is tocontains one or more SAProposals. The [0..n] cardinality indicates that there may beallowedzero or more SANegotiationActions that contain any given SAProposal. 6.12.2. The Reference PartComponent The property PartComponent contains an object reference topass inan SAProposal contained by one or more SANegotiationActions. The [1..n] cardinality indicates that an SANegotiationAction MUST contain at least one SAProposal. 6.12.3. The Property SequenceNumber The property SequenceNumber specifies theclear. 8.6.order of preference for the SAProposals. TheClass IPsecDiscardAction IPsecDiscardActionproperty isa specializationdefined as follows: NAME SequenceNumber DESCRIPTION Specifies the preference order for the SAProposals. SYNTAX unsigned 16-bit integer VALUE Lower-valued proposals are preferred over proposals with higher values. If two proposals have the same SequenceNumber value, then the order ofIPsecAction, but does not add any attributes. Itpreference isused to signify that the traffic should be denied. 9. IKE and IPsecundefined. 7. Proposal and Transform ClassesAThe proposalcontainsand transform classes model thesecurity parameters thatproposal settings an IPsec device willbe useduse duringtheIKE phaseone1 andtwo2 negotiations.+-----------------------------+ | | |[SecurityAssociationProposal]|+--------------+ | [SAProposal] |+-----------------------------++--------------+ ^ |+---------------------------++----------------------+ | | +-------------++-----------+ | | | | |IPsecProposal| |IKEProposal|+---------------+ | IKEProposal | | IPsecProposal | +-------------++-----------+ * o * o |(a) |(b) n | 1 | +----------------+ +------------------+ | | | | |[IPsecTransform]| |DiffieHellmanGroup| | | | | +----------------+ +------------------+ ^ | +-------------+------------------+ | | | +------------+ +-----------++---------------+ *o | (a) n| +---------------+ | [SATransform] | +---------------+ ^ | +--------------------+-----------+---------+ | ||ESPTransform| |AHTransform| |IPCompTransform|| +-------------+ +--------------+ +----------------+ | AHTransform | | ESPTransform | |IPCOMPTransform |+------------+ +-----------+ +---------------++-------------+ +--------------+ +----------------+ (a)Transforms (b) IkeDhGroup 9.1.ContainedTransform 7.1. The Abstract ClassSecurityAssociationProposalSAProposal TheSecurityAssociationProposalabstract classcontainsSAProposal serves as theparameters that are common betweenbase class for the IKE and IPsec proposal classes. Itcontainsspecifies thefollowing attributes:parameters that are common to the two proposal types. The class definition for SAProposal is as follows: NAMElifetimeSecondsSAProposal DESCRIPTION Specifies theseconds lifetimecommon proposal parameters for IKE and IPsec security association negotiation. ABSTRACT TRUE PROPERTIES Name MaxLifetimeSeconds MaxLifetimeKilobytes 7.1.1. The Property Name The property Name specifies a user-friendly name for the SAProposal. The property is defined as follows: NAME Name DESCRIPTION Specifies a user-friendly name for thisparticularproposal.This valueSYNTAX string 7.1.2. The Property MaxLifetimeSeconds The property MaxLifetimeSeconds specifies the maximum amount of time, in seconds, to propose that a security association will remain valid after its creation. The property isused when sending this proposaldefined as follows: NAME MaxLifetimeSeconds DESCRIPTION Specifies the maximum amount of time to propose a security association remain valid. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that thenegotiating peer. Additionally, it maydefault of 8 hours beused, possibly in conjunction withused. A non-zero value indicates theminimummaximum seconds lifetime. 7.1.3. The Property MaxLifetimeKilobytes The property MaxLifetimeKilobytes specifies the maximum kilobyte lifetimevalue, when selectingto propose that aproposal fromsecurity association will remain valid after its creation. The property is defined as follows: NAME MaxLifetimeKilobytes DESCRIPTION Specifies thenegotiating peer. TYPEmaximum kilobyte lifetime to propose a security association remain valid. SYNTAX unsigned 32-bit integer VALUE0 -A value of zero indicates thatthe lifetimethere should be no maximum kilobyte lifetime. A non-zero valuedefaultsspecifies the desired kilobyte lifetime. 7.2. The Class IKEProposal The class IKEProposal specifies the proposal parameters necessary to8 hours (28,800 seconds).drive an IKE security association negotiation. The class definition for IKEProposal is as follows: NAMElifetimeKilobytesIKEProposal DESCRIPTION Specifies thekilobyte lifetimeproposal parameters for IKE security association negotiation. DERIVED FROM SAProposal ABSTRACT FALSE PROPERTIES LifetimeDerivedKeys CipherAlgorithm HashAlgorithm PRFAlgorithm GroupId AuthenticationMethod 7.2.1. The Property LifetimeDerivedKeys The property LifetimeDerivedKeys specifies the number of times that a phase 1 key will be used to derive a phase 2 key before the phase 1 security association needs renegotiated. Even though thisparticular proposal. This valueisused when sending thisnot a parameter that is sent in an IKE proposal, it is included in the proposaltoas thenegotiating peer. Additionally, itnumber of keys derived may beused, possiblya result of the strength of the algorithms inconjunction withtheminimum kilobyte lifetime value, when selecting a proposalIKE propsoal. The property is defined as follows: NAME LifetimeDerivedKeys DESCRIPTION Specifies the number of phase 2 keys that can be derived from thenegotiating peer. TYPEphase 1 key. SYNTAX unsigned 32-bit integer VALUE0 -A value of zero indicates that there is nokilobyte lifetime. 9.2. The Class IKEProposal IKEProposal is a specializationlimit to the number of phase 2 keys which may be derived from theSecurityAssociationProposal class andphase 1 key; instead the seconds and/or kilobytes lifetime will dictate the phase 1 rekeying. A non-zero value specifies theparameters unique tonumber of phase 2 keys that can be derived from theIKE proposal. It containsphase 1 key. 7.2.2. The Property CipherAlgorithm The property CipherAlgorithm specifies thefollowing attributes/references:proposed phase 1 security association encryption algorithm. The property is defined as follows: NAMEcipherAlgorithmCipherAlgorithm DESCRIPTION Specifies the proposed encryption algorithm for theIKE server will propose. TYPEphase 1 security association. SYNTAX unsigned 16-bit integer VALUE 1 - DES-CBC 2 - IDEA-CBC 3 - Blowfish-CBC 4 - RC5-R16-B64-CBC 5 - 3DES-CBC 6 - CAST-CBC 7.2.3. The Property HashAlgorithm The property HashAlgorithm specifies the proposed phase 1 security assocation hash algorithm. The property is defined as follows: NAMEhashAlgorithmHashAlgorithm DESCRIPTION Specifies the proposed hash algorithm for theIKE server will propose. TYPEphase 1 security association. SYNTAX unsigned 16-bit integer VALUE 1 - MD5 2 - SHA-1 3 - Tiger 7.2.4. The Property PRFAlgorithm The property PRFAlgorithm specifies the proposed phase 1 security association psuedo-random function. The property is defined as follows: NAME PRFAlgorithm DESCRIPTION Specifies the proposed psuedo-random function for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE Currently none defined. 7.2.5. The Property GroupId The property GroupId specifies the proposed phase 1 security assocation Diffie-Hellman group. The property is defined as follows: NAME GroupId DESCRIPTION Specifies the proposed Diffie-Hellman group for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE 1 -MD5768-bit MODP group 2 -SHA-11024-bit MODP group 3 -TigerEC2N group on GP[2^155] 4 - EC2N group on GP[2^185] 5 - 1536-bit MODP group 7.2.6. The Property AuthenticationMethod The property AuthenticationMethod specifies the proposed phase 1 authentication method. The property is defined as follows: NAMEauthenticationMethodAuthenticationMethod DESCRIPTION Specifies the proposed authentication method for theIKE server will propose. TYPEphase 1 security association. SYNTAX unsigned 16-bit integer VALUE 0 - a special value which indicates that this particular proposal should be repeated once for each authentication method that corresponds to the credentials installed on the machine. For example, if the system has a pre-shared key and a certificate, a proposal list could be constructed which includes a proposal that specifies pre-shared key and proposals for any of the public-key authentication methods. 1 -Preshared KeyPre-shared key 2 - DSSSignaturessignatures 3 - RSASignaturessignatures 4 -RSAEncryption with RSA 5 - Revised encryption with RSAEncryption6 -El-Gamal Encryption 7 - Revised El-Gamal Encyrption 65001 -KerberosNAME lifetimeDerivedKeys DESCRIPTION Specifies the number of times the IKE phase one key may be used to derive an IKE phase two key. TYPE unsigned 32-bit integer VALUE 0 - indicates that the number of times a IKE phase one key may be used to derive an IKE phase two key is limited by the seconds and/or kilobyte lifetimes. lifetimeDerivedKeys is not a negotiated parameter. Although(has thisvalue is not negotiated, it is included with thenumber been assigned???) 7.3. The Class IPsecProposal The class IPsecProposal adds no new properties, but inherits proposalinformationpropoerties from SAProposal asthe value is dependent upon the strength ofwell as aggregating the securityparameters in the proposal. NAME prfAlgorithm DESCRIPTION Specifies the Psuedo-Random Function (PRF) the IKE server will propose. TYPE unsigned 16-bit integer VALUE At this time, there are no negotiable PRFs defined. NAME IkeDhGroup DESCRIPTION Specifies the Diffie-Hellman group thatassociation transforms necessary for building an IPsec proposal (see theIKE server will propose. The DiffieHellmanGroupaggregation classis defined in section 10. 9.3.ContainedTransform). TheClass IPsecProposalclass definition for IPsecProposal isa specialization of the SecurityAssociationProposal class and specifies the parameters unique to the IPsec proposal. It contains the following reference:as follows: NAMETransformsIPsecProposal DESCRIPTION Specifiesa set of IPsecTransform objects that representtheEncapsulating Security Payload (ESP), Authentication Header (AH), and IP Payload Compression Protocol (IPComp)proposal parametersthat are to used to create anfor IPsecproposal. Transforms of the same type are to be grouped together and logically ORed and the order of the transforms of the same type MUST be preserved.security association negotiation. DERIVED FROM SAProposal ABSTRACT FALSE 7.4. Thetransform groups are to be logically ANDed. For example, ifAbstract Class SATransform The abstract class SATransform serves as theproposal hadbase class for thefollowing set ofIPsec transforms{ESP=DES,AH=MD5,ESP=3-DES,ESP=RC5,AH=SHA-1}, the proposal would be ((ESP = DES or 3-DES or RC5) and (AH = MD5 or SHA-1)). An IPsecProposal object MAY reference one to many IPsecTransform objects. An IPsecTransform object MAYthat can bereferenced by zeroused tomany IPsecProposal objects. 9.4. The Class IPsecTransformcompose an IPsec proposal. TheIPsecTransformclasscontains no properties and exists onlydefinition forthe purpose of modeling the is-a-kind-of relationshipSATransform is as follows: NAME SATransform DESCRIPTION Base class for the different IPsec transforms.For example, an ESPTransform isABSTRACT TRUE PROPERTIES Name VendorID 7.4.1. The Property Name The property Name specifies akind of IPsecTransform. 9.5.user-friendly name for the SATransform. TheClass ESPTransform ESPTransformproperty is defined as follows: NAME Name DESCRIPTION Specifies aspecialization of an IPsecTransform. Ituser-friendly name for this transform. SYNTAX string 7.4.1. The Property VendorID The property VendorID specifies theparametersvendor ID forone IPSec ESPvendor-defined transforms. The property is defined as follows: NAME VendorID DESCRIPTION Specifies the vendor ID for vendor-defined transforms. SYNTAX string VALUE An empty VendorID string indicates that the transformwithin an IPsec proposal. It containsis one of thefollowing attributes:previously-defined ones. 7.5. The Class AHTransform The class AHTransform specifies the AH algorithm to propose during IPsec security association negotiation. The class definition for AHTransform is as follows: NAMEintegrityTransformIdAHTransform DESCRIPTION Specifies theESP integrityAH algorithm to propose.TYPE unsigned 16-bit integer VALUE 1 - HMAC MD5 2 - HMAC SHA-1 3 - HMAC DES 4 - KPDK NAME cipherTransformId DESCRIPTION SpecifiesABSTRACT FALSE PROPERTIES AHTransformId 7.5.1. The Property AHTransformId The property AHTransformId specifies theESP cipher/encryptiontransform ID of the AH algorithm to propose.TYPEThe property is defined as follows: NAME AHTransformId DESCRIPTION Specifies the transform ID of the AH algorithm. SYNTAX unsigned 16-bit integer VALUE1 - DES IV642 -DESMD5 3 -3-DESSHA-1 4 -RC5 5 - IDEA 6 - CAST 7 - Blowfish 8 - 3-IDEA 9 -DESIV32 10 - RC4 11 - NULL7.6. The Class ESPTransform The class ESPTransform specifies the ESP algorithms to propose during IPsec security association negotiation. The class definition for ESPTransform is as follows: NAMEcipherKeyRoundsESPTransform DESCRIPTION Specifies thenumberESP algorithms to propose. ABSTRACT FALSE PROPERTIES IntegrityTransformId CipherTransformId CipherKeyLength CipherKeyRounds 7.6.1. The Property IntegrityTransformId The property IntegrityTransformId specifies the transform ID ofkey rounds forthe ESPcipherintegrity algorithmspecified by the attribute cipherTransformId. TYPE unsigned 16-bit integer VALUE At this time, there are no cipher key roundsto propose. The property is definedfor any IPsec ESP algorithms.as follows: NAMEcipherKeyLengthIntegrityTransformId DESCRIPTION Specifies thelengthtransform ID of the ESPcipher key, in bits. If cipherTansformId specifies a cipher with a fixed- length key, cipherKeyLength is ignored. TYPEintegrity algorithm. SYNTAX unsigned 16-bit integer VALUE 0 -the cipher algorithm specified by the cipherTransformId attribute implies the key length. Any other value specifies a key length, in bits. 9.6. The Class AHTransform AHTransform is a specialization of an IPsecTransform. It specifies the parameters for one AH transform within an IPsec proposal. It contains the following property: NAME transformId DESCRIPTION Specifies the AH hash algorithm to propose. TYPE unsigned 16-bit integer VALUENone 1 - HMAC-MD5 2 -MD5HMAC-SHA 3 -SHA-1DES-MAC 4 -DES 9.7.KPDK 7.6.2. TheClass IPCompTransform IPCompTransform is a specialization of an IPsecTransform. ItProperty CipherTransformId The property CipherTransformId specifies theparameters for one IPComptransformwithin an IPsec proposal. It containsID of thefollowing properties: NAMEESP encryption algorithm to propose. The property is defined as follows: NAME CipherTransformId DESCRIPTION Specifies theIPComp compression algorithm to propose. TYPEtransform ID of the ESP encryption algorithm. SYNTAX unsigned 16-bit integer VALUE 1 -OUI (privateAlgorithm MUST contain a valid value)DES IV64 2 -DeflateDES 3 -LZS NAME dictionarySize DESCRIPTION Specifies3DES 4 - RC5 5 - IDEA 6 - CAST 7 - Blowfish 8 - 3IDEA 9 - DES IV32 10 - RC4 11 - NULL 7.6.3. The Property CipherKeyLength The property CipherKeyLength specifies, in bits, thedictionary sizekey length for thecompressionESP encryption algorithm.TYPE unsigned 16-bit integer VALUE 0 - the compression algorithm specified by the algorithm attribute dictates the dictionary size. Any otherFor encryption algorithms which use fixed-length keys, this value isto be interpretedignored. The property is defined as follows: NAME CipherKeyLength DESCRIPTION Specifies the ESP encryption key length in bits. SYNTAX unsigned 16-bit integer 7.6.4. The Property CipherKeyRounds The property CipherKeyRounds specifies thecontextnumber of key rounds for thecompressionESP encryption algorithm. The property is defined as follows: NAMEprivateAlgorithmCipherKeyRounds DESCRIPTIONIf the algorithm attribute specifiesSpecifies theusenumber ofa proprietary compression transform (OUI = 1), then this specifieskey rounds for thespecific vendor algorithm that will be used. Otherwise, this value is ignored. TYPEESP encryption algorithm. SYNTAX unsigned32-bit16-bit integer10. Diffie-Hellman Classes The Diffie-Hellman classesVALUE Currently, key rounds areused to definenot defined for any ESP encryption algorithms. 7.7. The Class IPCOMPTransform The class IPCOMPTransform specifies theDiffie-Hellman attributes that are usedIP compression (IPCOMP) algorithm to propose duringphase one (and possibly phase two) of the IKEIPsec security association negotiation.+------------------+ | | |DiffieHellmanGroup| | | +------------------+ * o (a) | {1} 0..1 | +--------------+ | | |[NewGroupInfo]| | | +--------------+ ^ | +----------------+----------------+ | | +----------------+ +----------------+ | | | | |NewMODPGroupInfo| |[NewECGroupInfo]| | | | | +----------------+ +----------------+ ^ | +-----------+----------+ | | +----------------+ +---------------+ | | | | |NewEC2NGroupInfo| |NewECPGroupInfo| | | | | +----------------+ +---------------+ (a) ExplicitGroupInfo {1} If the Diffie-Hellman GroupThe class definition for IPCOMPTransform isa well-known group (or previously agreed upon private group), thenas follows: NAME IPCOMPTransform DESCRIPTION Specifies theNewGroupInfo object doesn't exist (or is ignored). 10.1.IPCOMP algorithm to propose. ABSTRACT FALSE PROPERTIES Algorithm DictionarySize PrivateAlgorithm 7.7.1. TheClass DiffieHellmanGroup DiffieHellmanGroup describesProperty Algorithm The property Algorithm specifies thespecific Diffie-Hellman Group that will be proposed. It containstransform ID of thefollowing properties:IPCOMP compression algorithm to propose. The property is defined as follows: NAMEgroupDescriptionAlgorithm DESCRIPTION Specifies theDiffie-Hellman Group to propose. TYPEtransform ID of the IPCOMP compression algorithm. SYNTAX unsigned 16-bit integer VALUE 1 -768-bit MODP groupOUI (the property PrivateAlgorithm will contain the vendor-specific algorithm to use) 2 -1024-bit MODP groupDEFLATE 3 -EC2N group on GP[2^155]LZS 4 -EC2N group on GP[2^185] 5 - 1536-bit MODP groupV42BIS (has this number been assigned ???) 7.7.2. The Property DictionarySize The property DictionarySize specifies the log2 maximum size of the diction for the compression algorithm. For compression algorithms that have pre-defined dictionary sizes, this value is ignores. The property is defined as follows: NAMEExplicitGroupInfoDictionarySize DESCRIPTION SpecifiesDiffie-Hellman Group information if groupDescription is not onethe log2 maximum size of thewell-known values ordictionary. SYNTAX unsigned 16-bit integer 7.7.3. The Property PrivateAlgorithm The property PrivateAlgorithm specifies apreviously agreed uponprivategroup. If groupDescriptionvendor-specific compression algorithm. This value isone ofonly used when thewell-known values orproperty Algorithm is 1 (OUI). The property is defined as follows: NAME PrivateAlgorithm DESCRIPTION Specifies apreviously agreed uponprivategroup, the NewGroupInfo object will not exist or it is ignored. 10.2.vendor-specific compression algorithm. SYNTAX unsigned 32-bit integer 7.8. The Aggregation ClassNewGroupInfo NewGroupInfo is the abstract base class for the concrete new group information classes.ContainedTransform Thespecific derivedclassimpliesContainedTransform associates an IPsecProposal with thegroup type value. 10.3. The Class NewMODPGroupInfo NewMODPGroupInfo specifiesset of SATransforms that make up theDiffie-Hellman group information forproposal. If multiple tranforms of the same type are in aMODP group thatproposal, then they are to be logically ORed and the order of preference isproposed during new group mode. It containsdictated by thefollowing properties: NAME prime DESCRIPTION SpecifiesSequenceNumber property. Sets of transforms of different types are logically ANDed. For example, if the proposal list were ESP = { (HMAC-MD5, DES), (HMAC-MD5, 3DES) } AH = { MD5, SHA-1 } then the one sending the proposal wants the other side to pick one from the ESP transform list AND one from theprimeAH transform list. The class definition forthe MODP group. TYPE byte stringContainedProposal is as follows: NAMEgeneratorContainedTransform DESCRIPTIONSpecifiesAssociates an IPsecProposal with thegenerator forset of SATransforms that make up theMODP group. TYPE byte string 10.4.proposal. ABSTRACT FALSE PROPERTIES GroupComponent[ref IPsecProposal[0..n]] PartComponent[ref SATransform[1..n]] SequenceNumber 7.8.1. TheClass NewECGroupInfo NewECGroupInfo isReference GroupComponent The property GroupComponent contains anabstract class that specifies the Diffie- Hellman group information forobject reference to anelliptic curve groupIPsecProposal thatis proposed during new group mode. Itcontains one or more SATransforms. The [0..n] cardinality indicates that there may be zero or more IPsecProposals that contain any given SATransform. 7.8.2. The Reference PartComponent The property PartComponent contains an object reference to an SATransform contained by one or more IPsecProposals. The [1..n] cardinality indicates that an IPsecPropsal MUST contain at least one SATransform. 7.8.3. The Property SequenceNumber The property SequenceNumber specifies thefollowing properties: NAME polynomial DESCRIPTION Specifies the polynomialorder of preference for theelliptic curve group. TYPE byte string NAME fieldSize DESCRIPTION Specifies the field size forSATransforms of theelliptic curve group. TYPE unsigned 32-bit integersame type. The property is defined as follows: NAMEorderSequenceNumber DESCRIPTION Specifies the preference order for theelliptic curve group. TYPESATransforms of the same type. SYNTAX unsigned32-bit16-bit integerNAME generatorOne DESCRIPTION Specifies generator one forVALUE Lower-valued transforms are preferred over transforms of theelliptic curve group. TYPE byte string NAME generatorTwo DESCRIPTION Specifies generatorsame type with higher values. If twofor the elliptic curve group. TYPE byte string NAME curveA DESCRIPTION Specifies curve A fortransforms of theelliptic curve group. TYPE byte string NAME curveB DESCRIPTION Specifies curve B forsame type have theelliptic curve group. TYPE byte string 10.5. The Class NewEC2NGroupInfo NewEC2NGroupInfo is a class that represents a new EC2N group. It contains no properties and exists only to implysame SequenceNumber value, then thegroup type. 10.6. The Class NewECPGroupInfo NewECPGroupInfoorder of preference isa class that represents a new ECP group. It contains no properties and exists only to imply the group type. 11.undefined. 8. Security Considerations This document describes a schema for IPsec policy. It does not detail security requirements for storage or delivery of said schema. Storage and delivery security requirements should be detailed in a comprehensive security policy architecture document.12.9. Intellectual Property The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.13.10. Acknowledgments The author would like to thank Mike Jeronimo, Ylian Saint-Hilaire, Vic Lortz, and William Dixon for their contributions to this IPsec policy model. Additionally, this draft would not have been possible without the preceding IPsec schema drafts. For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan.14.11. References[1][IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.[2][COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998.[3][ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.[4][AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.[5][PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core Information Model -- Version 1 Specification", draft-ietf-policy- core-infor-model-06.txt, May 2000. Internet-Draft work in progress. [DOI] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.[6][LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.[7][COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000. Internet-Draft work in progress.[8][COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for Policy Provisioning", draft-ietf-rap-pr-02.txt, March 2000. Internet-Draft work in progress. [SPSL] Condell, M., and C. Lynn, J. Zao, "Security Policy Specification Language",draft-ietf-ipsec-spsl-01.txt, July 1999.draft-ietf-ipsp-spsl-00.txt, March 2000. Internet-Draft work in progress.[9][KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.15.12. Disclaimer The views and specification herein are those of the authors and are not necessarily those of their employer. The authors and their employer specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this specification.16.13. Author's Address Jamie Jason Intel Corporation MS JF3-206 2111 NE 25th Ave. Hillsboro, OR 97124 Phone: +1-503-264-9531 Fax: +1-503-264-9428 E-Mail: jamie.jason@intel.com17.14. Full Copyright Statement Copyright (C) The Internet Society (1999). All Rights Reserved. This document and translations of it maybe copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other then English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.