Internet Engineering Task Force                          Jamie Jason
INTERNET DRAFT                                     Intel Corporation
11-July-2000

                     IPsec Configuration Policy Model
                 draft-ietf-ipsp-config-policy-model-01.txt
Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
         http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
         http://www.ietf.org/shadow.html.

Abstract

   This document presents an object-oriented model of low-level IPsec policy
   designed to:
   o    facilitate agreement about the content and semantics of IPsec
        policy
   o    enable derivations of task-specific representations of IPsec
        policy such as storage schema, distribution representations,
        and policy specification languages used to configure IPsec-
        enabled endpoints
   The schema described in this document models the IKE phase one
   parameters as described in [IKE] and the IKE phase two parameters
   for the IPsec Domain of Interpretation as described in [COMP, ESP,
   AH, DOI].  It is based upon the core policy classes as defined in
   the Policy Core Information Model (PCIM) [PCIM].

Table of Contents

   Status of this Memo................................................1
   Abstract...........................................................1
   Table of Contents..................................................2
   1. Introduction....................................................5
   2. UML Conventions.................................................5
   3. IPsec Policy Model Inheritance Hierarchy........................6
   4. Policy Classes..................................................9
   4.1. The Class IPsecPolicyGroup....................................9
   4.1.1. The Property IKERuleOverridePoint..........................10
   4.1.2. The Property IPsecRuleOverridePoint........................10
   4.2. The Class SARule.............................................11
   4.3. The Class IKERule............................................11
   4.4. The Class IPsecRule..........................................11
   4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup..........12
   4.5.1. The Reference ContainingGroup..............................12
   4.5.2. The Reference ContainedGroup...............................12
   4.5.3. The Property Precedence....................................12
   4.6. The Composition Class RuleForIKENegotiation..................12
   4.6.1. The Reference ContainingGroup..............................13
   4.6.2. The Reference ContainedRule................................13
   4.7. The Composition Class RuleForIPsecNegotiation................13
   4.7.1. The Reference ContainingGroup..............................13
   4.7.2. The Reference ContainedRule................................13
   4.8. The Aggregation Class SAConditionInRule......................14
   4.8.1. The Reference ContainingRule...............................14
   4.8.2. The Reference ContainedCondition...........................14
   4.8.3. The Property SequenceNumber................................14
   4.9. The Aggregation Class SAActionInRule.........................14
   4.9.1. The Reference ContainingRule...............................15
   4.9.2. The Reference ContainedAction..............................15
   4.10. The Aggregation Class FallbackSAActionInRule................15
   4.10.1. The Reference ContainingRule..............................15
   4.10.2. The Reference ContainedAction.............................15
   4.10.3. The Property SequenceNumber...............................16
   5. Condition and Filter Classes...................................17
   5.1. The Class SACondition........................................18
   5.1.1. The Property StartupCondition..............................18
   5.2. The Class FilterList.........................................18
   5.2.1. The Property Name..........................................19
   5.2.2. The Property Direction.....................................19
   5.3. The Abstract Class FilterEntryBase...........................19
   5.3.1. The Property Name..........................................19
   5.3.2. The Property IsNegated.....................................19
   5.4. The Abstract Class IPFilterEntry.............................20
   5.5. The Abstract Class EndpointFilterEntry.......................20
   5.5.1. The Property ApplyToDestination............................20
   5.6. The Class IPv4AddressFilterEntry.............................20
   5.6.1. The Property Address.......................................21
   5.7. The Class IPv4RangeFilterEntry...............................21
   5.7.1. The Property StartAddress..................................21
   5.7.2. The Property EndAddress....................................21
   5.8. The Class IPv4SubnetFilterEntry..............................21
   5.8.1. The Property Address.......................................22
   5.8.2. The Property Mask..........................................22
   5.9. The Class IPv6AddressFilterEntry.............................22
   5.9.1. The Property Address.......................................22
   5.10. The Class IPv6RangeFilterEntry..............................22
   5.10.1. The Property StartAddress.................................23
   5.10.2. The Property EndAddress...................................23
   5.11. The Class IPv6SubnetFilterEntry.............................23
   5.11.1. The Property Address......................................23
   5.11.2. The Property Mask.........................................24
   5.12. The Class FQDNFilterEntry...................................24
   5.12.1. The Property Name.........................................24
   5.13. The Class ProtocolFilterEntry...............................24
   5.13.1. The Property Protocol.....................................24
   5.14. The Class UDPFilterEntry....................................25
   5.14.1. The Property StartPort....................................25
   5.14.2. The Property EndPort......................................25
   5.15. The Class TCPFilterEntry....................................25
   5.15.1. The Property StartPort....................................26
   5.15.2. The Property EndPort......................................26
   5.16. The Abstract Class IPSOFilterEntry..........................26
   5.17. The Class ClassificationLevelFilterEntry....................26
   5.17.1. The Property Level........................................26
   5.18. The Class ProtectionAuthorityFilterEntry....................27
   5.18.1. The Property Authority....................................27
   5.19. The Class CredentialFilterEntry.............................27
   5.20. The Aggregation Class FilterOfSACondition...................27
   5.20.1. The Reference Antecedent..................................28
   5.20.2. The Reference Dependent...................................28
   5.21. The Composition Class EntriesInFilterList...................28
   5.21.1. The Reference Antecedent..................................28
   5.21.2. The Reference Dependent...................................28
   5.21.3. The Property EntrySequence................................29
   6. Action Classes.................................................30
   6.1. The Class SAAction...........................................30
   6.2. The Class SAStaticAction.....................................30
   6.2.1. The Property LifetimeSeconds...............................31
   6.3. The Class IPsecBypassAction..................................31
   6.4. The Class IPsecDiscardAction.................................31
   6.4.1. The Property DoLogging.....................................32
   6.5. The Class IKERejectAction....................................32
   6.5.1. The Property DoLogging.....................................32
   6.6. The Class SAPreconfiguredAction..............................32
   6.7. The Class SANegotiationAction................................33
   6.7.1. The Property MinLifetimeSeconds............................33
   6.7.2. The Property MinLifetimeKilobytes..........................33
   6.7.3. The Property RefreshThresholdSeconds.......................34
   6.7.4. The Property RefreshThresholdKilobytes.....................34
   6.7.5. The Property IdleDurationSeconds...........................34
   6.8. The Class IPsecAction........................................35
   6.8.1. The Property UsePFS........................................35
   6.8.2. The Property UseIKEGroup...................................35
   6.8.3. The Property GroupId.......................................35
   6.8.4. The Property Granularity...................................36
   6.9. The Class IPsecTransportAction...............................36
   6.10. The Class IPsecTunnelAction.................................36
   6.10.1. The Property PeerGateway..................................37
   6.10.2. The Property DFHandling...................................37
   6.11. The Class IKEAction.........................................37
   6.11.1. The Property RefreshThresholdDerivedKeys..................37
   6.11.2. The Property ExchangeMode.................................38
   6.11.3. The Property UseIKEIdentityType...........................38
   6.12. The Aggregation Class ContainedProposal.....................38
   6.12.1. The Reference GroupComponent..............................39
   6.12.2. The Reference PartComponent...............................39
   6.12.3. The Property SequenceNumber...............................39
   7. Proposal and Transform Classes.................................40
   7.1. The Abstract Class SAProposal................................40
   7.1.1. The Property Name..........................................40
   7.1.2. The Property MaxLifetimeSeconds............................41
   7.1.3. The Property MaxLifetimeKilobytes..........................41
   7.2. The Class IKEProposal........................................41
   7.2.1. The Property LifetimeDerivedKeys...........................41
   7.2.2. The Property CipherAlgorithm...............................42
   7.2.3. The Property HashAlgorithm.................................42
   7.2.4. The Property PRFAlgorithm..................................42
   7.2.5. The Property GroupId.......................................43
   7.2.6. The Property AuthenticationMethod..........................43
   7.3. The Class IPsecProposal......................................43
   7.4. The Abstract Class SATransform...............................44
   7.4.1. The Property Name..........................................44
   7.4.2. The Property VendorID......................................44
   7.5. The Class AHTransform........................................44
   7.5.1. The Property AHTransformId.................................44
   7.6. The Class ESPTransform.......................................45
   7.6.1. The Property IntegrityTransformId..........................45
   7.6.2. The Property CipherTransformId.............................45
   7.6.3. The Property CipherKeyLength...............................46
   7.6.4. The Property CipherKeyRounds...............................46
   7.7. The Class IPCOMPTransform....................................46
   7.7.1. The Property Algorithm.....................................46
   7.7.2. The Property DictionarySize................................47
   7.7.3. The Property PrivateAlgorithm..............................47
   7.8. The Aggregation Class ContainedTransform.....................47
   7.8.1. The Reference GroupComponent...............................48
   7.8.2. The Reference PartComponent................................48
   7.8.3. The Property SequenceNumber................................48
   8. Security Considerations........................................48
   9. Intellectual Property..........................................48
   10. Acknowledgments...............................................49
   11. References....................................................49
   12. Disclaimer....................................................50
   13. Author's Address..............................................50
   14. Full Copyright Statement......................................50

1. Introduction

   Internet Protocol security (IPsec) policy may assume a variety of
   forms as it travels from storage to distribution point to decision
   point.  At each step, it needs to be represented in a way that is
   convenient for the current task.  For example, the policy could
   exist as, but is not limited to:

   o   a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
       a directory
   o   an on-the-wire representation over a transport protocol like the
       Common Object Policy Service (COPS) [COPS, COPSPR]
   o   a text-based policy specification language [SPSL] suitable for
       editing by an administrator
   o   an Extensible Markup Language (XML) document

   Each of these task-specific representations should be derived from a
   canonical representation that precisely specifies the content and
   semantics of the IPsec policy.  The purpose of this document is to
   abstract IPsec policy into a task-independent representation that is
   not constrained by any particular task-dependent representation.

   This document is organized as follows:

   o   Section 2 provides a quick introduction to the Unified Modeling
       Language (UML) graphical notation conventions used in this
       document.

   o   Section 3 provides the inheritance hierarchy which describes
       where the IPsec policy and associated classes fit into the
       policy class hierarchy already defined by PCIM.

   o   The remainder of the document describes the classes which make
       up the IPsec policy model.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

   For this document, a UML static class diagram was chosen as the
   canonical representation for the IPsec policy model.  The reason
   behind this decision is that UML provides a graphical, task-
   independent way to model systems.  A treatise on the graphical
   notation used in UML is beyond the scope of this paper.  However,
   given the use of ASCII drawing for UML static class diagrams, a
   description of the notational conventions used in this document is
   in order:

   o   Boxes represent classes, with class names in brackets ([])
       representing a virtual class.

   o   A line that terminates with an arrow (<, >, ^, v) denotes
       inheritance.  The arrow always points to the parent class.
       Inheritance can also be called generalization or specialization
       (depending upon the reference point).  A base class is a
       generalization of a derived class, and a derived class is a
       specialization of a base class.

   o   Associations are used to model a relationship between two
       classes.  Classes that share an association are connected using
       a line.  There are two special kinds of associations -
       aggregations and compositions.  Both model a whole-part
       relationship between two classes.  Associations, and therefore
       aggregations and compositions, can also be modeled as classes.

   o   A line that begins with a "o" denotes aggregation.  Aggregation
       denotes containment in which the contained class and the
       containing class have independent lifetimes.

   o   A line that begins with an "x" denotes composition.  Composition
       denotes containment in which the contained class and the
       containing class have coincident lifetimes.

   o   Next to a line representing an association appears a
       multiplicity.  Multiplicities indicate the number of objects in
       the relationship.  The multiplicity may be:
       - a range in the form "lower bound..upper bound" indicating the
         minimum and maximum number of objects.
       - a number that indicates the exact number of objects.  Using a
         number is equivalent to number..number.
       - an asterisk indicating any number of objects, including zero.
         Using an asterisk is shorthand for 0..n.
       - the letter n indicating from 1 to many.  Using the letter n is
         shorthand for 1..n.

   o   Occasionally there may be some text, or a reference to some
       text, enclosed by braces ({}).  This indicates a constraint.
       Constraints are used to constrain the meaning of a diagram so
       that the diagram does not provide the ability to define
       something that does not make sense.
   It should be noted that the UML static class diagram presented is a
   conceptual view of IPsec policy designed to aid in understanding.
   It does not necessarily get translated class for class into another
   representation.  For example, an LDAP implementation may flatten out
   the representation to fewer classes (because of the inefficiency of
   following references).

3. IPsec Policy Model Inheritance Hierarchy

   The following diagram represents the inheritance hierarchy and how
   the IPsec policy model classes fit into PCIM.

   [unrooted]
   |
   +--Policy (PCIM)
   |  |
   |  +--PolicyGroup (PCIM)
   |  |  |
   |  |  +--IPsecPolicyGroup (new class)
   |  |
   |  +--PolicyRule (PCIM)
   |  |  |
   |  |  +--SARule (new abstract class)
   |  |     |
   |  |     +--IKERule (new class)
   |  |     |
   |  |     +--IPsecRule (new class)
   |  |
   |  +--PolicyCondition (PCIM)
   |  |  |
   |  |  +--SACondition (new class)
   |  |
   |  +--PolicyAction (PCIM)
   |     |
   |     +--SAAction (new abstract class)
   |        |
   |        +--SAStaticAction (new abstract class)
   |        |  |
   |        |  +--IPsecBypassAction (new class)
   |        |  |
   |        |  +--IPsecDiscardAction (new class)
   |        |  |
   |        |  +--IKERejectAction (new class)
   |        |  |
   |        |  +--SAPreconfiguredAction (new class)
   |        |
   |        +--SANegotiationAction (new abstract class)
   |           |
   |           +--IPsecAction (new abstract class)
   |           |  |
   |           |  +--IPsecTransportAction (new class)
   |           |  |
   |           |  +--IPsecTunnelAction (new class)
   |           |
   |           +--IKEAction (new abstract class)
   |
   +--FilterList
   |
   +--FilterEntryBase
   |  |
   |  +--IPFilterEntry (new abstract class)
   |  |  |
   |  |  +--EndpointFilterEntry (new abstract class)
   |  |  |  |
   |  |  |  +--IPv4AddressFilterEntry (new class)
   |  |  |  |
   |  |  |  +--IPv4RangeFilterEntry (new class)
   |  |  |  |
   |  |  |  +--IPv4SubnetFilterEntry (new class)
   |  |  |  |
   |  |  |  +--IPv6AddressFilterEntry (new class)
   |  |  |  |
   |  |  |  +--IPv6RangeFilterEntry (new class)
   |  |  |  |
   |  |  |  +--IPv6SubnetFilterEntry (new class)
   |  |  |  |
   |  |  |  +--FQDNFilterEntry (new class)
   |  |  |
   |  |  +--PortFilterEntry (new class)
   |  |  |
   |  |  +--ProtocolFilterEntry (new class)
   |  |
   |  +--IPSOFilterEntry (new class)
   |  |
   |  +--CredentialFilterEntry (new class)
   |
   +--SAProposal (new abstract class)
   |  |
   |  +--IKEProposal (new class)
   |  |
   |  +--IPsecProposal (new class)
   |
   +--SATransform (new abstract class)
      |
      +--AHTransform (new class)
      |
      +--ESPTransform (new class)
      |
      +--IPCOMPTransform (new class)

   The following diagram represents the inheritance hierarchy and how
   the IPsec policy model association classes fit into PCIM.

   [unrooted]
   |
   +--PolicyGroupInPolicyGroup (PCIM)
   |  |
   |  +--IPsecPolicyGroupInPolicyGroup (new class)
   |
   +--PolicyConditionInPolicyRule (PCIM)
   |  |
   |  +--SAConditionInRule (new class)
   |
   +--FallbackSAActionInRule (new class)
   |
   +--EntriesInFilterList (new class)
   |
   +--ContainedProposal (new class)
   |
   +--IPsecContainedTransform (new class)

4. Policy Classes

   The IPsec policy classes represent the set of policies that are
   contained on a system.

                        (a)
                      +------+
                      |      |*
                      |   +--+---------------+
                      +--o| IPsecPolicyGroup |
                          +------------------+
                            1 x          x 1
                (b)           |          |  (c)
      +-----------------------+          +---------------------+
      |                                                        |
      |               +---------------------------+            |
      |               | PolicyTimePeriodCondition |            |
      |               |    (defined in [PCIM])    |            |
      |               +---------------------------+            |
      |                           *|                           |
      |                           | (d)                        |
      |                           *o                           |
      |  +-------------+*     *+--------+*      1+----------+  |
      |  | SACondition |------o| SARule |o-------| SAAction |  |
      |  +-------------+ (e)   +--------+    (f) +----------+  |
      |                            ^                   |*      |
      |                            |            +------+       |
      |                   +--------+--------+   |  (g)         |
      |                   |                 |  *o              |
      |              *+---------+     +-----------+*           |
      +---------------| IKERule |     | IPsecRule |------------+
                      +---------+     +-----------+

   (a)  IPsecPolicyGroupInPolicyGroup
   (b)  RuleForIKENegotiation
   (c)  RuleForIPsecNegotiation
   (d)  PolicyRuleValidityPeriod (defined in [PCIM])
   (e)  SAConditionInRule
   (f)  SAActionInRule
   (g)  FallbackSAActionInRule

4.1. The Class IPsecPolicyGroup

   The class IPsecPolicyGroup serves as a container for either other
   IPsecPolicyGroups or a set of IKERules and a set of IPsecRules.
   Rules contained within an IPsecPolicyGroup MUST have a unique
   Priority value.  The class definition for IPsecPolicyGroup is as
   follows:

   NAME         IPsecPolicyGroup
   DESCRIPTION  Either a set of IPsecPolicyGroups or a set of IKERules
                and a set of IPsecRules.
   DERIVED FROM PolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyGroupName (from PolicyGroup)
                IKERuleOverridePoint
                IPsecRuleOverridePoint

   NOTE:  for derivations of this schema that are used for policy
   distribution to an IPsec device (for example, COPS-PR), the server
   may follow all of the IPsecPolicyGroupInPolicyGroup associations and
   create one policy group which is simply a set of all of the IKE
   rules and a set of all of the IPsec rules.  See the section on the
   IPsecPolicyGroupInPolicyGroup aggregation for information on merging
   multiple IPsecPolicyGroups.

4.1.1. The Property IKERuleOverridePoint

   This property specifies the rule priority at which the policy author
   is willing to allow IKERule insertions by a local administrator.
   For example, the IT department may define the policy on a company-
   wide basis, but allow groups or individuals to insert rules into the
   policy to override defaults.  Rules are evaluated in decreasing order
   of their priority (i.e., higher priorities come first).  The
   override point specifies that if rules are inserted, they are to be
   inserted before all rules with priority equal to or less than the
   override priority value.  Rules with priority above the override
   point are therefore always evaluated before any locally inserted
   rule; only rules at or below the override point can be superseded
   by a local insertion.

   For example, assume that there is a group G1 with the IKE rules as
   follows:

   G1 = { Rule A (priority 50),
          Rule B (priority 25),
          Rule C (priority 15) }

   The IKE override value for G1 is 20.  Now assume that a local
   administrator wants to insert a set of IKE rules {Rule D, Rule E}
   where Rule D has a higher priority than Rule E.  The new rules will
   be added before the rules in G1 with priority equal to or less than
   20.  So, when evaluating rules, the order of evaluation would be A,
   B, D, E, C.  Note that the priorities of the rules in the override
   set are relative only to that set; they are not compared with the
   priorities of the rules in G1.

   The property is defined as follows:

   NAME         IKERuleOverridePoint
   DESCRIPTION  Specifies the rule priority at which the policy author
                is willing to allow IKERule insertions by a local
                administrator.
   SYNTAX       unsigned 16-bit integer

4.1.2. The Property IPsecRuleOverridePoint

   This property specifies the rule priority at which the policy author
   is willing to allow IPsecRule insertions by a local administrator.
   It is the same as IKERuleOverridePoint except that it applies to the
   IPsec rules in the IPsecPolicyGroup.  The property is defined as
   follows:

   NAME         IPsecRuleOverridePoint
   DESCRIPTION  Specifies the rule priority at which the policy author
                is willing to allow IPsecRule insertions by a local
                administrator.
   SYNTAX       unsigned 16-bit integer

4.2. The Class SARule

   The class SARule serves as a base class for IKERule and IPsecRule.
   Even though the class is concrete, it MUST NOT be instantiated.  It
   defines a common connection point for associations to conditions and
   actions for both types of rules.  Each SARule within a given
   IPsecPolicyGroup MUST have a unique Priority.  Through its
   derivation from PolicyRule, an SARule (and therefore an IKERule or
   IPsecRule) also has the PolicyRuleValidityPeriod association.  The
   class definition for SARule is as follows:

   NAME         SARule
   DESCRIPTION  A base class for IKERule and IPsecRule.
   DERIVED FROM PolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyRuleName (from PolicyRule)
                Enabled (from PolicyRule)
                ConditionListType (from PolicyRule)
                Priority (from PolicyRule)
                PolicyRoles (from PolicyRule)

4.3. The Class IKERule

   The class IKERule associates Conditions and Actions for IKE phase 1
   negotiations.  The class definition for IKERule is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 1
                negotiations.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.4. The Class IPsecRule

   The class IPsecRule associates Conditions and Actions for IKE phase
   2 negotiations for the IPsec DOI.  The class definition for
   IPsecRule is as follows:

   NAME         IPsecRule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 2
                negotiations for the IPsec DOI.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup

   The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec
   policies to be combined into one effective policy.  When merging
   policies, rule priorities are used in conjunction with the rule
   override point values to determine insertion points and for rule
   priority renumbering (if necessary to maintain uniqueness).  The
   class definition for IPsecPolicyGroupInPolicyGroup is as follows:

   NAME         IPsecPolicyGroupInPolicyGroup
   DESCRIPTION  Associates a nested IPsecPolicyGroup with the
                IPsecPolicyGroup that contains it.
   DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   ContainingGroup[ref IPsecPolicyGroup[0..n]]
                ContainedGroup[ref IPsecPolicyGroup[0..n]]
                Precedence

4.5.1. The Reference ContainingGroup

   The property ContainingGroup is inherited from
   PolicyGroupInPolicyGroup and is overridden to contain an object
   reference to an IPsecPolicyGroup that contains one or more
   IPsecPolicyGroups.  The [0..n] cardinality indicates that there may
   be zero or more IPsecPolicyGroups that contain any given
   IPsecPolicyGroup.

4.5.2. The Reference ContainedGroup

   The property ContainedGroup is inherited from
   PolicyGroupInPolicyGroup and is overridden to contain an object
   reference to an IPsecPolicyGroup contained by one or more
   IPsecPolicyGroups.  The [0..n] cardinality indicates that an
   IPsecPolicyGroup may contain zero or more IPsecPolicyGroups.

4.5.3. The Property Precedence

   The property Precedence specifies the merge ordering of the nested
   IPsecPolicyGroups.  The property is defined as follows:

   NAME         Precedence
   DESCRIPTION  Specifies the merge ordering of the nested
                IPsecPolicyGroups.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between 1 and 2^16-1 inclusive.  Lower values
                have higher precedence (i.e., 1 is the highest
                precedence).  The merging order of two ContainedGroups
                with the same precedence is undefined.
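   The override-point insertion described in 4.1.1 and the Precedence-
   ordered merge with priority renumbering described in 4.5 and 4.5.3,
   carried through in code.  This is an added example written for this
   page, not code from the draft or from any IPsec implementation.  The
   class and property names follow the draft; the renumbering scheme
   (n down to 1), the treatment of Precedence (a lower value merges
   first and so evaluates first) and the sample groups are assumptions
   made here.

```python
"""Added example (not part of the draft): merging IPsecPolicyGroups.

Implements, on a minimal in-memory model, the rule-ordering behaviour the
draft describes for the override points (4.1.1, 4.1.2), the
IPsecPolicyGroupInPolicyGroup aggregation (4.5) and Precedence (4.5.3).
Class and property names mirror the draft; the merge algorithm, the
renumbering scheme and the sample groups are constructed here.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    priority: int        # PolicyRule.Priority; higher values are evaluated first


@dataclass
class PolicyGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)
    override_point: int = 0    # IKERuleOverridePoint or IPsecRuleOverridePoint
    # (ContainedGroup, Precedence) pairs from IPsecPolicyGroupInPolicyGroup
    nested: List[Tuple["PolicyGroup", int]] = field(default_factory=list)


def check_unique_priorities(group: PolicyGroup) -> None:
    """4.1: rules within one IPsecPolicyGroup MUST have unique Priority values."""
    seen = set()
    for r in group.rules:
        if r.priority in seen:
            raise ValueError(f"{group.name}: duplicate priority {r.priority}")
        seen.add(r.priority)


def ordered(rules: List[Rule]) -> List[Rule]:
    """Evaluation order: decreasing Priority (higher priorities come first)."""
    return sorted(rules, key=lambda r: r.priority, reverse=True)


def insert_override(group_rules: List[Rule], override_point: int,
                    inserted: List[Rule]) -> List[Rule]:
    """4.1.1: the inserted set goes before every group rule whose Priority is
    less than or equal to the override point, and after every rule above it.
    `inserted` is already in its own evaluation order: its priorities are
    relative only to that set and are never compared with the group's."""
    above = [r for r in ordered(group_rules) if r.priority > override_point]
    below = [r for r in ordered(group_rules) if r.priority <= override_point]
    return above + list(inserted) + below


def renumber(rules: List[Rule]) -> List[Rule]:
    """4.5: restore unique Priority values after a merge without changing the
    evaluation order (constructed scheme: n, n-1, ..., 1)."""
    n = len(rules)
    return [Rule(r.name, n - i) for i, r in enumerate(rules)]


def flatten(group: PolicyGroup) -> List[Rule]:
    """4.1 NOTE / 4.5: follow the IPsecPolicyGroupInPolicyGroup associations
    and return one flat, ordered rule list for distribution to a device.
    Nested groups are inserted at the containing group's override point in
    Precedence order (assumption: lower Precedence value merges first and is
    therefore evaluated first)."""
    check_unique_priorities(group)
    inserted: List[Rule] = []
    for sub, _precedence in sorted(group.nested, key=lambda t: t[1]):
        inserted.extend(flatten(sub))
    return renumber(insert_override(group.rules, group.override_point, inserted))


def names(rules: List[Rule]) -> List[str]:
    return [r.name for r in rules]


if __name__ == "__main__":
    # The G1 example from 4.1.1: override point 20, local set {D, E}.
    g1 = PolicyGroup("G1", [Rule("A", 50), Rule("B", 25), Rule("C", 15)],
                     override_point=20,
                     nested=[(PolicyGroup("local", [Rule("D", 2), Rule("E", 1)]), 1)])
    print(names(flatten(g1)))
```

   The check_unique_priorities step is the one a management station
   should run before distribution: the draft requires unique Priority
   values per group, and a duplicate would make the evaluation order
   undefined on the device.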

4.6. The Composition Class RuleForIKENegotiation

   The class RuleForIKENegotiation associates an IKERule with the
   IPsecPolicyGroup that contains it.  The class definition for
   RuleForIKENegotiation is as follows:

   NAME         RuleForIKENegotiation
   DESCRIPTION  Associates an IKERule with the IPsecPolicyGroup that
                contains it.
   ABSTRACT     FALSE
   PROPERTIES   ContainingGroup [ref IPsecPolicyGroup [1..1]]
                ContainedRule [ref IKERule [0..n]]

4.6.1. The Reference ContainingGroup

   The property ContainingGroup contains an object reference to an
   IPsecPolicyGroup that contains one or more IKERules.  The [1..1]
   cardinality indicates that an IKERule may be contained in only one
   IPsecPolicyGroup (i.e., IKERules are not shared across
   IPsecPolicyGroups).

4.6.2. The Reference ContainedRule

   The property ContainedRule contains an object reference to an
   IKERule contained by an IPsecPolicyGroup.  The [0..n] cardinality
   indicates that an IPsecPolicyGroup may contain zero or more
   IKERules.

4.7. The Composition Class RuleForIPsecNegotiation

   The class RuleForIPsecNegotiation associates an IPsecRule with the
   IPsecPolicyGroup that contains it.  The class definition for
   RuleForIPsecNegotiation is as follows:

   NAME         RuleForIPsecNegotiation
   DESCRIPTION  Associates an IPsecRule with the IPsecPolicyGroup that
                contains it.
   ABSTRACT     FALSE
   PROPERTIES   ContainingGroup [ref IPsecPolicyGroup [1..1]]
                ContainedRule [ref IPsecRule [0..n]]

4.7.1. The Reference ContainingGroup

   The property ContainingGroup contains an object reference to an
   IPsecPolicyGroup that contains one or more IPsecRules.  The [1..1]
   cardinality indicates that an IPsecRule may be contained in only one
   IPsecPolicyGroup (i.e., IPsecRules are not shared across
   IPsecPolicyGroups).

4.7.2. The Reference ContainedRule

   The property ContainedRule contains an object reference to an
   IPsecRule contained by an IPsecPolicyGroup.  The [0..n] cardinality
   indicates that an IPsecPolicyGroup may contain zero or more
   IPsecRules.

4.8. The Aggregation Class SAConditionInRule

   The class SAConditionInRule associates an SARule with the
   SACondition instances that trigger it.  See [PCIM] for the usage of
   the properties GroupNumber and ConditionNegated.  The class
   definition for SAConditionInRule is as follows:

   NAME         SAConditionInRule
   DESCRIPTION  Associates an SARule with the SACondition instances
                that trigger it.
   DERIVED FROM PolicyConditionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   ContainingRule [ref SARule [0..n]]
                ContainedCondition [ref SACondition [0..n]]
                GroupNumber (from PolicyConditionInPolicyRule)
                ConditionNegated (from PolicyConditionInPolicyRule)
                SequenceNumber

4.8.1. The Reference ContainingRule

   The property ContainingRule is inherited from
   PolicyConditionInPolicyRule and is overridden to contain an object
   reference to an SARule that contains one or more SAConditions.  The
   [0..n] cardinality indicates that an SACondition may be contained in
   zero or more SARules.

4.8.2. The Reference ContainedCondition

   The property ContainedCondition is inherited from
   PolicyConditionInPolicyRule and is overridden to contain an object
   reference to an SACondition that is contained by an SARule.  The
   [0..n] cardinality indicates that an SARule may contain zero or more
   SAConditions.

4.8.3. The Property SequenceNumber

   The property SequenceNumber specifies, for a given rule, the order
   in which the SACondition instances will be evaluated.  The property
   is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the evaluation order of the SAConditions.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower valued SAConditions are evaluated first.  The
                order of evaluation of ContainedConditions with the
                same SequenceNumber value is undefined.

4.9. The Aggregation Class SAActionInRule

   The class SAActionInRule associates an SARule with its primary
   SAAction.  The class definition for SAActionInRule is as follows:

   NAME         SAActionInRule
   DESCRIPTION  Associates an SARule with its primary SAAction.
   DERIVED FROM PolicyActionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   ContainingRule [ref SARule [0..n]]
                ContainedAction [ref SAAction [1..1]]

4.9.1. The Reference ContainingRule

   The property ContainingRule is inherited from
   PolicyActionInPolicyRule and is overridden to contain an object
   reference to an SARule that contains an SAAction.  The [0..n]
   cardinality indicates that an SAAction may be contained in zero or
   more SARules.

4.9.2. The Reference ContainedAction

   The property ContainedAction is inherited from
   PolicyActionInPolicyRule and is overridden to contain an object
   reference to an SAAction that is contained by an SARule.  The [1..1]
   cardinality indicates that an SARule may contain only one primary
   SAAction.

4.10. The Aggregation Class FallbackSAActionInRule

   The class FallbackSAActionInRule associates an SARule with its
   ordered set of fallback actions.  Fallback actions allow an
   administrator to define what action is to be taken if the SAAction
   referenced by SAActionInRule fails for any reason.  The class
   definition for FallbackSAActionInRule is as follows:

   NAME         FallbackSAActionInRule
   DESCRIPTION  Associates an SARule with the ordered set of fallback
                actions that should be attempted/applied in the case of
                failure of the primary SAAction.
   ABSTRACT     FALSE
   PROPERTIES   ContainingRule [ref SARule [0..n]]
                ContainedAction [ref SAAction [0..n]]
                SequenceNumber

4.10.1. The Reference ContainingRule

   The property ContainingRule contains an object reference to an
   SARule that contains one or more fallback SAActions.  The [0..n]
   cardinality indicates that a fallback SAAction may be contained in
   zero or more SARules.

4.10.2. The Reference ContainedAction

   The property ContainedAction contains an object reference to a
   fallback SAAction that is contained by one or more SARules.  The
   [0..n] cardinality indicates that an SARule may contain zero or more
   fallback SAActions.

4.10.3. The Property SequenceNumber

   The property SequenceNumber specifies, for a given rule, the order
   in which the fallback SAActions should be attempted.  Once a
   fallback SAAction is successfully applied, subsequent fallback
   SAActions should be ignored.  The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the order of attempted application for the
                fallback SAAction.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower valued fallback SAActions are attempted first.
                The order of attempt of ContainedActions with the same
                SequenceNumber value is undefined.
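   Rule evaluation as specified by the three aggregations above
   (SAConditionInRule in 4.8, SAActionInRule in 4.9 and
   FallbackSAActionInRule in 4.10), carried through in code.  This is an
   added example written for this page, not code from the draft or from
   any IPsec implementation.  The GroupNumber/ConditionNegated
   combination rules are those of [PCIM] (DNF: conditions sharing a
   GroupNumber are ANDed and the groups ORed; CNF: the reverse); the
   sample rule, the constructed packet, the treatment of a rule with no
   conditions and the simulated success or failure of each action are
   assumptions made here.

```python
"""Added example (not part of the draft): evaluating one SARule.

Models the SAConditionInRule (4.8), SAActionInRule (4.9) and
FallbackSAActionInRule (4.10) aggregations on a minimal in-memory rule.
The grouping semantics for GroupNumber/ConditionNegated follow PCIM
(DNF: conditions sharing a GroupNumber are ANDed and the groups ORed;
CNF: the reverse); the rule, the sample traffic and the pass/fail
behaviour of the actions are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ConditionInRule:
    sequence: int                   # SequenceNumber: lower is evaluated first
    group: int                      # GroupNumber (from PCIM)
    negated: bool                   # ConditionNegated (from PCIM)
    test: Callable[[dict], bool]    # the SACondition's match against the input


@dataclass
class Action:
    name: str
    apply: Callable[[dict], bool]   # True if the SA was established, False on failure


@dataclass
class SARule:
    name: str
    dnf: bool = True                # ConditionListType (DNF or CNF)
    conditions: List[ConditionInRule] = field(default_factory=list)
    primary: Optional[Action] = None                    # SAActionInRule [1..1]
    fallbacks: List[Tuple[int, Action]] = field(default_factory=list)  # (SequenceNumber, SAAction)


def conditions_match(rule: SARule, info: dict, trace: Optional[list] = None) -> bool:
    """Evaluate the rule's SAConditions in SequenceNumber order and combine
    them per ConditionListType.  `trace` (optional) receives the sequence
    numbers in the order they were evaluated."""
    by_group: Dict[int, List[bool]] = {}
    for c in sorted(rule.conditions, key=lambda c: c.sequence):
        result = c.test(info) != c.negated      # apply ConditionNegated
        by_group.setdefault(c.group, []).append(result)
        if trace is not None:
            trace.append(c.sequence)
    if not by_group:
        return True     # assumption: a rule with no conditions always applies
    if rule.dnf:
        return any(all(v) for v in by_group.values())
    return all(any(v) for v in by_group.values())


def apply_rule(rule: SARule, info: dict) -> Optional[str]:
    """Apply the primary SAAction; if it fails, try the fallback SAActions in
    SequenceNumber order and stop at the first one that succeeds.  Returns
    the name of the action that succeeded, or None if every action failed."""
    if rule.primary is not None and rule.primary.apply(info):
        return rule.primary.name
    for _seq, action in sorted(rule.fallbacks, key=lambda t: t[0]):
        if action.apply(info):
            return action.name
    return None


def demo() -> dict:
    """Constructed sample: an IPsec rule for TCP/80 whose primary action fails."""
    rule = SARule(
        name="web-traffic",
        conditions=[
            ConditionInRule(3, 2, True, lambda i: i["dport"] == 22),   # NOT ssh
            ConditionInRule(1, 1, False, lambda i: i["dport"] == 80),
            ConditionInRule(2, 1, False, lambda i: i["proto"] == 6),   # TCP
        ],
        primary=Action("esp-primary", lambda i: False),                # simulated failure
        fallbacks=[
            (2, Action("esp-fallback-2", lambda i: True)),
            (1, Action("esp-fallback-1", lambda i: False)),            # tried first, fails
        ],
    )
    packet = {"proto": 6, "dport": 80}          # constructed input
    trace: list = []
    matched = conditions_match(rule, packet, trace)
    return {"matched": matched, "order": trace,
            "action": apply_rule(rule, packet) if matched else None}


if __name__ == "__main__":
    print(demo())
```

   The fallback list is deliberately given out of order in demo() to
   show that SequenceNumber, not list position, decides which fallback
   is attempted first.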

5. Condition and Filter Classes

   The IPsec condition and filter classes are used to build the "if"
   part of the IKE and IPsec rules.

   +-------------+*    0..1+------------+1       *+-------------------+
   | SACondition |o--------| FilterList |x--------| [FilterEntryBase] |
   +-------------+   (a)   +------------+   (b)   +-------------------+
                                                           ^
                                                           |
            +---------------------+------------------------+
            |                     |                        |
   +-----------------+  +-------------------+ +-----------------------+
   | [IPFilterEntry] |  | [IPSOFilterEntry] | | CredentialFilterEntry |
   +-----------------+  +-------------------+ +-----------------------+
            ^                     ^
            |                     |
            |                     | +--------------------------------+
            |                     +-| ClassificationLevelFilterEntry |
            |                     | +--------------------------------+
            |                     |
            |                     | +--------------------------------+
            |                     +-| ProtectionAuthorityFilterEntry |
            |                       +--------------------------------+
            |
            +-----------------------------------------------+
            |                                               |
   +-----------------------+                     +--------------------+
   | [EndpointFilterEntry] |                     |ProtocolFilterEntry |
   +-----------------------+                     +--------------------+
              ^                                                   ^
              |                               +----------------+  |
              +----------------------+        | UDPFilterEntry |--+
                                     |        +----------------+  |
                                     |                            |
              +-----------------+    |        +----------------+  |
              | FQDNFilterEntry |----+        | TCPFilterEntry |--+
              +-----------------+    |        +----------------+
                                     |
       +------------------------+    |    +------------------------+
       | IPv4AddressFilterEntry |----+----| IPv6AddressFilterEntry |
       +------------------------+    |    +------------------------+
                                     |
         +----------------------+    |    +----------------------+
         | IPv4RangeFilterEntry |----+----| IPv6RangeFilterEntry |
         +----------------------+    |    +----------------------+
                                     |
        +-----------------------+    |    +-----------------------+
        | IPv4SubnetFilterEntry |----+----| IPv6SubnetFilterEntry |
        +-----------------------+         +-----------------------+

   (a)  FilterOfSACondition
         preferable to least preferable  EntriesInFilterList

5.1. The Class SACondition

   The class SACondition defines the preconditions for IKE and are logically ORed. IPsec
   negotiations.  The
         mechanism by which ordering is accomplished class definition for SACondition is dependent upon
         the specific derivation of as follows:

   NAME         SACondition
   DESCRIPTION  Defines the preconditions for IKE and IPsec schema.
    {2}  If not using Perfect Forward Secrecy (PFS), then
                negotiations.
   DERIVED FROM PolicyCondition (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyConditionName (from PolicyCondition)
                StartupCondition

5.1.1. The Property StartupCondition

   This property specifies the
         DiffieHellmanGroup object either does not exist or is ignored.
         Otherwise (PFS is used) if triggering event that caused the DiffieHellmanGroup object rule
   evaluation.  The property is not
         present, then defined as follows:

   NAME         StartupCondition
   DESCRIPTION  Specifies the Diffie-Hellman Group from Phase triggering event that cause the rule to
                be evaluated.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 (OnBoot) - the rule is triggered after system boot.
                The FilterList associated with the SACondition contains
                the information that will be used for Phase 2.  Otherwise, use to build the DiffieHellmanGroup
         object.
    {3}  If
                selectors.
                2 (OnManual) - the endpoint type rule is an FQDN, then triggered manually in
                response to user input.  The FilterList associated with
                the DNS name MUST SACondition contains the information that will be
         fully-qualifed (i.e., no wild-card values allowed).
         If
                used to build the endpoint type selectors.
                3 (OnDataTraffic) - the rule is an IPv4 triggered when packets
                without associated security associations are sent or IPv6 address, then
                received (traffic directionality is indicated by the
         address MUST NOT be
                Direction field of the wild-card value.

 8.1. associated FilterList).
                4 (OnIKEMessage) - the rule is triggered when an
                incoming request for IKE negotiation is received.

5.2. The Class SecurityAssociationAction FilterList

   The SecurityAssociationAction class contains the parameters FilterList aggregates an ANDed set of filters that are
    common between the IKE
   used for determining when an SACondition evaluates to true and IPsec action classes.  It contains
   therefore its associated SAAction should be performed.  The class
   definition for FilterList is as follows:

   NAME         FilterList
   DESCRIPTION  Aggregates a set of filters for condition matching.
   ABSTRACT     FALSE
   PROPERTIES   Name
                Direction

5.2.1. The Property Name

   This property specifies a user-friendly name for the
    following attributes/references: FilterList.
   The property is defined as follows:

   NAME         refreshThresholdSeconds         Name
   DESCRIPTION  Specifies the percentage of expiration (in other words, user-friendly name for the refresh threshold) of an established SA's seconds
                 lifetime at which to begin renegotiation of FilterList.
   SYNTAX       string

5.2.2. The Property Direction

   This property specifies whether or the SA.
    TYPE         integer
    VALUE        Valid values are FilterList will be used on
   incoming, outgoing, or bi-directional traffic.  Direction is only
   useful for filter types that inspect traffic parameters and when the
   StartupCondition property in the range 1 SACondition is set to 100 inclusive.  A
                 value of 100 means that renegotiation does not occur
                 until the seconds lifetime value has expired.

    refreshThresholdSeconds OnDataTraffic
   (3).  The property is not a negotiated parameter. defined as follows:

   NAME         refreshThresholdKilobytes         Direction
   DESCRIPTION  Specifies the percentage of expiration of an
                 established SA's kilobyte lifetime at which to begin
                 renegotiation what kind of the SA.
    TYPE traffic will be checked -
                incoming, outgoing, or bi-directional.
   SYNTAX       unsigned 16-bit integer
   VALUE        Valid values are in the range        1 to 100 inclusive.  A
                 value of 100 means that renegotiation does not occur
                 until - Incoming
                2 - Outgoing
                3 - Bi-directional

5.3. The Abstract Class FilterEntryBase

   The abstract class FilterEntryBase serves as the kilobyte lifetime value has expired.

    refreshThresholdKilobytes base class for the
   specific filter class.  The class definition for FilterEntryBase is not
   as follows:

   NAME         FilterEntryBase
   DESCRIPTION  Serves as the base class for specific filter classes.
   ABSTRACT     TRUE
   PROPERTIES   Name
                IsNegated

5.3.1. The Property Name

   This property specifies a negotiated parameter. user-friendly name for the filter.  The
   property is defined as follows:

   NAME         minLifetimeSeconds         Name
   DESCRIPTION  Specifies the minimum SA seconds lifetime that will be
                 accepted from a peer while negotiating an SA based upon
                 this action. user-friendly name for the filter.
   SYNTAX       string

5.3.2. The purpose Property IsNegated

   This property specifies whether or not the result of this value the boolean
   result of the filter evaluation should be negated.  The property is
   defined as follows:

   NAME         IsNegated
   DESCRIPTION  Specifies whether or not to prevent
                 denial-of-service attacks in which a peer can select an
                 arbitrarily low seconds lifetime, causing negate the IKE
                 server to perform renegotiations with correspondingly
                 expensive Diffie-Hellman calculations.

    TYPE         unsigned 32-bit integer result of the
                evaluation of the filter.
   SYNTAX       boolean
   VALUE        0 - indicates        A value of true means that there is no minimum lifetime
                 enforced.
                 Any other the boolean result of the
                filter evaluation of the filter will be negated.  A
                value specifies a required minimum seconds
                 lifetime.

    minLifetimeSeconds is of false means that the boolean result of the
                evaluation of the filter will not be altered.

5.4. The Abstract Class IPFilterEntry

   The abstract class IPFilterEntry serves as a base class for filter
   entries which are used to match against the 5-tuple (i.e., source
   and destination address, protocol, and source and destination port)
   information in the IP packet.  The class definition for
   IPFilterEntry is as follows:

   NAME         IPFilterEntry
   DESCRIPTION  Serves as the base class for IP 5-tuple filters.
   DERIVED FROM FilterEntryBase
   ABSTRACT     TRUE

5.5. The Abstract Class EndpointFilterEntry

   The abstract class EndpointFilterEntry serves as a base class for
   filters which match against IP addresses (source or destination).
   The class definition for EndpointFilterEntry is as follows:

   NAME         EndpointFilterEntry
   DESCRIPTION  Serves as the base class for filters which match
                against IP addresses.
   DERIVED FROM IPFilterEntry
   ABSTRACT     TRUE
   PROPERTIES   ApplyToDestination

5.5.1. The Property ApplyToDestination

   This property specifies whether the address to test against is the
   source or the destination IP address.  The property is defined as
   follows:

   NAME         ApplyToDestination
   DESCRIPTION  Specifies which IP address to test, source or
                destination.
   SYNTAX       boolean
   VALUE        A value of true means that the destination IP address
                should be tested against.  A value of false means that
                the source IP address should be tested against.

5.6. The Class IPv4AddressFilterEntry

   The class IPv4AddressFilterEntry specifies a filter that will match
   against a single IPv4 address.  The class definition for
   IPv4AddressFilterEntry is as follows:

   NAME         IPv4AddressFilterEntry
   DESCRIPTION  Defines the match filter for an IPv4 address.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Address

5.6.1. The Property Address

   This property specifies the IPv4 address that will be used in the
   equality test.  The property is defined as follows:

   NAME         Address
   DESCRIPTION  Specifies the IPv4 address to match against.
   SYNTAX       unsigned 32-bit integer

5.7. The Class IPv4RangeFilterEntry

   The class IPv4RangeFilterEntry specifies a filter for testing if an
   IPv4 address is between the start address and end address
   inclusively.  The class definition for IPv4RangeFilterEntry is as
   follows:

   NAME         IPv4RangeFilterEntry
   DESCRIPTION  Defines the match filter for an IPv4 address range.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   StartAddress
                EndAddress

5.7.1. The Property StartAddress

   This property specifies the first IPv4 address in the address range.
   The property is defined as follows:

   NAME         StartAddress
   DESCRIPTION  Specifies the start of the IPv4 address range.
   SYNTAX       unsigned 32-bit integer

5.7.2. The Property EndAddress

   This property specifies the last IPv4 address in the address range.
   The property is defined as follows:

   NAME         EndAddress
   DESCRIPTION  Specifies the end of the IPv4 address range.
   SYNTAX       unsigned 32-bit integer
   VALUE        EndAddress must be greater than or equal to
                StartAddress.

5.8. The Class IPv4SubnetFilterEntry

   The class IPv4SubnetFilterEntry specifies a filter for testing if an
   IPv4 address is in the specified subnet.  The class definition for
   IPv4SubnetFilterEntry is as follows:

   NAME         IPv4SubnetFilterEntry
   DESCRIPTION  Defines the match filter for an IPv4 subnet.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Address
                Mask

5.8.1. The Property Address

   This property specifies the IPv4 subnet.  The property is defined as
   follows:

   NAME         Address
   DESCRIPTION  Specifies the IPv4 subnet.
   SYNTAX       unsigned 32-bit integer

5.8.2. The Property Mask

   This property specifies the IPv4 mask.  The property is defined as
   follows:

   NAME         Mask
   DESCRIPTION  Specifies the IPv4 mask.
   SYNTAX       unsigned 32-bit integer
   VALUE        A special value of 0.0.0.0, coupled with an Address
                value of 0.0.0.0 can be used to specify all addresses.

5.9. The Class IPv6AddressFilterEntry

   The class IPv6AddressFilterEntry specifies a filter that will match
   against a single IPv6 address.  The class definition for
   IPv6AddressFilterEntry is as follows:

   NAME         IPv6AddressFilterEntry
   DESCRIPTION  Defines the match filter for an IPv6 address.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Address

5.9.1. The Property Address

   This property specifies the IPv6 address that will be used in the
   equality test.  The property is defined as follows:

   NAME         Address
   DESCRIPTION  Specifies the IPv6 address to match against.
   SYNTAX       byte[16]

5.10. The Class IPv6RangeFilterEntry

   The class IPv6RangeFilterEntry specifies a filter for testing if an
   IPv6 address is between the start address and end address
   inclusively.  The class definition for IPv6RangeFilterEntry is as
   follows:

   NAME         IPv6RangeFilterEntry
   DESCRIPTION  Defines the match filter for an IPv6 address range.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   StartAddress
                EndAddress

5.10.1. The Property StartAddress

   This property specifies the first IPv6 address in the address range.
   The property is defined as follows:

   NAME         StartAddress
   DESCRIPTION  Specifies the start of the IPv6 address range.
   SYNTAX       byte[16]

5.10.2. The Property EndAddress

   This property specifies the last IPv6 address in the address range.
   The property is defined as follows:

   NAME         EndAddress
   DESCRIPTION  Specifies the end of the IPv6 address range.
   SYNTAX       byte[16]
   VALUE        EndAddress must be greater than or equal to
                StartAddress.

5.11. The Class IPv6SubnetFilterEntry

   The class IPv6SubnetFilterEntry specifies a filter for testing if an
   IPv6 address is in the specified subnet.  The class definition for
   IPv6SubnetFilterEntry is as follows:

   NAME         IPv6SubnetFilterEntry
   DESCRIPTION  Defines the match filter for an IPv6 subnet.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Address
                Mask

5.11.1. The Property Address

   This property specifies the IPv6 subnet.  The property is defined as
   follows:

   NAME         Address
   DESCRIPTION  Specifies the IPv6 subnet.
   SYNTAX       byte[16]

5.11.2. The Property Mask

   This property specifies the IPv6 mask.  The property is defined as
   follows:

   NAME         Mask
   DESCRIPTION  Specifies the IPv6 mask.
   SYNTAX       byte[16]
   VALUE        A special value of 0:0:0:0:0:0:0:0, coupled with an
                Address value of 0:0:0:0:0:0:0:0, can be used to
                specify all addresses.

5.12. The Class FQDNFilterEntry

   The class FQDNFilterEntry specifies a filter for matching against a
   single or wild-carded DNS name.  The class definition for
   FQDNFilterEntry is as follows:

   NAME         FQDNFilterEntry
   DESCRIPTION  Defines the match filter for a DNS name.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Name

5.12.1. The Property Name

   This property specifies the DNS name to match against.  The property
   is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies the DNS name.
   SYNTAX       string
   VALUE        The DNS name can be fully qualified (for example,
                foo.intel.com) or partially qualified (*.intel.com).

5.13. The Class ProtocolFilterEntry

   The class ProtocolFilterEntry specifies a filter for testing against
   an IP protocol.  The class definition for ProtocolFilterEntry is as
   follows:

   NAME         ProtocolFilterEntry
   DESCRIPTION  Defines a match filter for IP protocol.
   DERIVED FROM IPFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Protocol

5.13.1. The Property Protocol

   This property specifies the IP protocol to match against.  The
   property is defined as follows:

   NAME         Protocol
   DESCRIPTION  Specifies the IP protocol.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value of zero matches against any protocol.  Any
                other value is the IP protocol number.

5.14. The Class UDPFilterEntry

   The class UDPFilterEntry specifies a filter for testing if a UDP
   port is between the start port and end port inclusively.  It is
   assumed that the Protocol property from the ProtocolFilterEntry
   class will contain the value 17 (i.e., UDP).  The class definition
   for UDPFilterEntry is as follows:

   NAME         UDPFilterEntry
   DESCRIPTION  Defines the match filter for a UDP port range.
   DERIVED FROM ProtocolFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   StartPort
                EndPort

5.14.1. The Property StartPort

   This property specifies the first port in the UDP port range.  The
   property is defined as follows:

   NAME         StartPort
   DESCRIPTION  Specifies the start of the UDP port range.
   SYNTAX       unsigned 16-bit integer

5.14.2. The Property EndPort

   This property specifies the last port in the UDP port range.  The
   property is defined as follows:

   NAME         EndPort
   DESCRIPTION  Specifies the end of the UDP port range.
   SYNTAX       unsigned 16-bit integer
   VALUE        EndPort must be greater than or equal to StartPort.

5.15. The Class TCPFilterEntry

   The class TCPFilterEntry specifies a filter for testing if a TCP
   port is between the start port and end port inclusively.  It is
   assumed that the Protocol property from the ProtocolFilterEntry
   class will contain the value 6 (i.e., TCP).  The class definition
   for TCPFilterEntry is as follows:

   NAME         TCPFilterEntry
   DESCRIPTION  Defines the match filter for a TCP port range.
   DERIVED FROM ProtocolFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   StartPort
                EndPort

5.15.1. The Property StartPort

   This property specifies the first port in the TCP port range.  The
   property is defined as follows:

   NAME         StartPort
   DESCRIPTION  Specifies the start of the TCP port range.
   SYNTAX       unsigned 16-bit integer

5.15.2. The Property EndPort

   This property specifies the last port in the TCP port range.  The
   property is defined as follows:

   NAME         EndPort
   DESCRIPTION  Specifies the end of the TCP port range.
   SYNTAX       unsigned 16-bit integer
   VALUE        EndPort must be greater than or equal to StartPort.

5.16. The Abstract Class IPSOFilterEntry

   The abstract class IPSOFilterEntry serves as a base class for the IP
   Security Option (IPSO) filters.  The class definition for
   IPSOFilterEntry is as follows:

   NAME         IPSOFilterEntry
   DESCRIPTION  Serves as the base class for the IPSO filters.
   DERIVED FROM FilterEntryBase
   ABSTRACT     TRUE

5.17. The Class ClassificationLevelFilterEntry

   The class ClassificationLevelFilterEntry specifies a filter for
   matching against the classification level IPSO field type.  The
   class definition for ClassificationLevelFilterEntry is as follows:

   NAME         ClassificationLevelFilterEntry
   DESCRIPTION  Defines the filter for the IPSO classification level.
   DERIVED FROM IPSOFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Level

5.17.1. The Property Level

   This property specifies the classification level to match against.
   The property is defined as follows:

   NAME         Level
   DESCRIPTION  Specifies the classification level.
   SYNTAX       unsigned 16-bit integer
   VALUE        61 - Top Secret
                90 - Secret
                150 - Confidential
                171 - Unclassified

5.18. The Class ProtectionAuthorityFilterEntry

   The class ProtectionAuthorityFilterEntry specifies a filter for
   matching against the protection authority IPSO field type. The class
   definition for ProtectionAuthorityFilterEntry is as follows:

   NAME         ProtectionAuthorityFilterEntry
   DESCRIPTION  Defines the filter for the IPSO protection authority.
   DERIVED FROM IPSOFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Authority

5.18.1. The Property Authority

   This property specifies the protection authority to match against.
   The property is defined as follows:

   NAME         Authority
   DESCRIPTION  Specifies the protection authority.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - GENSER
                1 - SIOP-ESI
                2 - SCI
                3 - NSA
                4 - DOE

5.19. The Class CredentialFilterEntry

   The class CredentialFilterEntry defines a filter for matching
   against credential information that was obtained during the IKE
   phase 1 negotiation.  This information can be identity information
   (such as User FQDN) or information retrieved from credential
   information (for example, fields from a certificate).  This
   information can be used as a form of access control.  The class
   definition for CredentialFilterEntry is as follows:

   NAME         CredentialFilterEntry
   DESCRIPTION  Defines the filter for matching against IKE phase 1
                credential/identity information.
   DERIVED FROM FilterEntryBase
   ABSTRACT     FALSE
   PROPERTIES   To Be Determined...

5.20. The Aggregation Class FilterOfSACondition

   The class FilterOfSACondition associates an SACondition with the
   filter specifications (FilterList) that make up the condition.  The
   class definition for FilterOfSACondition is as follows:

   NAME         FilterOfSACondition
   DESCRIPTION  Associates a condition with the filter list that makes
                up the individual condition elements.
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref FilterList[0..1]]
                Dependent [ref SACondition [0..n]]

5.20.1. The Reference Antecedent

   The property Antecedent contains an object reference to a FilterList
   that is contained in one or more SAConditions.  The [0..1]
   cardinality indicates that an SACondition may have zero or one
   FilterList.

5.20.2. The Reference Dependent

   The property Dependent contains an object reference to an
   SACondition that contains a FilterList.  The [0..n] cardinality
   indicates that a FilterList may be contained in zero or more
   SAConditions.

5.21. The Composition Class EntriesInFilterList

   The class EntriesInFilterList associates the individual
   FilterEntryBases with a FilterList.  Together these individual
   FilterEntryBases can create complex conditions.  The class
   definition for EntriesInFilterList is as follows:

   NAME         EntriesInFilterList
   DESCRIPTION  Associates a FilterList with the set of individual
                filters.
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref FilterEntryBase[0..n]]
                Dependent [ref FilterList [1..1]]
                EntrySequence

5.21.1. The Reference Antecedent

   The property Antecedent contains an object reference to a
   FilterEntryBase that is contained in a FilterList.  The [0..n]
   cardinality indicates that a FilterList may have zero or more
   FilterEntryBases.

5.21.2. The Reference Dependent

   The property Dependent contains an object reference to a FilterList
   that contains zero or more FilterEntryBases.  The [1..1] cardinality
   indicates that a FilterEntryBase may be contained in one and only
   one FilterList (i.e., FilterEntryBases cannot be shared between
   FilterLists).

5.21.3. The Property EntrySequence

   The property EntrySequence specifies, for a given FilterList, the
   order in which the filters should be checked.  The property is
   defined as follows:

   NAME         EntrySequence
   DESCRIPTION  Specifies the order to check the filters in a
                FilterList.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower valued filters are checked first.  The order of
                checking of FilterEntryBases with the same
                EntrySequence value is undefined.

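   As an added illustration (not part of this draft), the Python below
   models the condition classes of sections 5.1 to 5.21 and evaluates an
   SACondition against a packet 5-tuple.  Class and property names come
   from the draft; the Packet type, the behaviour of a condition that has
   no FilterList, and the choice to test either port for a UDP/TCP port
   range are assumptions of this example.

```python
"""Added example, not part of the draft: an evaluator for the condition classes of
sections 5.1 to 5.21.  Names follow the draft; the packet semantics are assumptions."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# StartupCondition values (5.1.1) and Direction values (5.2.2) as in the draft.
ON_BOOT, ON_MANUAL, ON_DATA_TRAFFIC, ON_IKE_MESSAGE = 1, 2, 3, 4
INCOMING, OUTGOING, BIDIRECTIONAL = 1, 2, 3

# Constructed 5-tuple plus the direction the packet is travelling (INCOMING/OUTGOING).
Packet = namedtuple("Packet", "src dst protocol sport dport direction")

@dataclass
class FilterEntryBase:  # 5.3: Name, IsNegated; EntrySequence comes from 5.21.3
    name: str
    is_negated: bool = False
    entry_sequence: int = 0  # lower values are checked first
    def evaluate(self, pkt):
        return self.match(pkt) != self.is_negated  # IsNegated flips the result

@dataclass
class EndpointFilterEntry(FilterEntryBase):  # 5.5
    apply_to_destination: bool = False  # which address of the 5-tuple is tested
    def _tested(self, pkt):
        return ipaddress.ip_address(pkt.dst if self.apply_to_destination else pkt.src)

@dataclass
class AddressFilterEntry(EndpointFilterEntry):  # 5.6 / 5.9: one IPv4 or IPv6 address
    address: str = ""
    def match(self, pkt):
        return self._tested(pkt) == ipaddress.ip_address(self.address)

@dataclass
class RangeFilterEntry(EndpointFilterEntry):  # 5.7 / 5.10: inclusive [Start, End]
    start_address: str = ""
    end_address: str = ""
    def match(self, pkt):
        a = self._tested(pkt)
        lo, hi = ipaddress.ip_address(self.start_address), ipaddress.ip_address(self.end_address)
        return a.version == lo.version and lo <= a <= hi

@dataclass
class SubnetFilterEntry(EndpointFilterEntry):  # 5.8 / 5.11: Address and Mask
    address: str = ""
    mask: str = ""
    def match(self, pkt):  # all-zero Address with all-zero Mask matches every address
        a = self._tested(pkt)
        n, m = ipaddress.ip_address(self.address), ipaddress.ip_address(self.mask)
        return a.version == n.version and (int(a) & int(m)) == (int(n) & int(m))

@dataclass
class ProtocolFilterEntry(FilterEntryBase):  # 5.13: Protocol 0 matches any protocol
    protocol: int = 0
    def match(self, pkt):
        return self.protocol == 0 or pkt.protocol == self.protocol

@dataclass
class PortRangeFilterEntry(ProtocolFilterEntry):  # 5.14 / 5.15: UDP (17) or TCP (6) ports
    start_port: int = 0
    end_port: int = 65535
    def match(self, pkt):  # assumption: the draft names no port, so either port may match
        in_range = any(self.start_port <= p <= self.end_port for p in (pkt.sport, pkt.dport))
        return super().match(pkt) and in_range

@dataclass
class FilterList:  # 5.2: an ANDed set of entries, checked in EntrySequence order
    name: str
    direction: int = BIDIRECTIONAL
    entries: list = field(default_factory=list)
    def evaluate(self, pkt):  # all() stops at the first entry that fails
        return all(e.evaluate(pkt) for e in sorted(self.entries, key=lambda e: e.entry_sequence))

@dataclass
class SACondition:  # 5.1: a trigger event plus zero or one FilterList (5.20)
    name: str
    startup_condition: int
    filter_list: "FilterList | None" = None
    def evaluate(self, event, pkt=None):
        if event != self.startup_condition:
            return False
        if self.filter_list is None or pkt is None:
            return True  # assumption: without a FilterList the trigger alone decides
        d = self.filter_list.direction  # 5.2.2: Direction matters only for OnDataTraffic
        if event == ON_DATA_TRAFFIC and d not in (BIDIRECTIONAL, pkt.direction):
            return False
        return self.filter_list.evaluate(pkt)

def sample_condition():
    """Constructed policy: outbound TCP/443 from 10.1.0.0/16, except to host 192.0.2.1."""
    entries = [
        AddressFilterEntry("not-bastion", is_negated=True, entry_sequence=0,
                           apply_to_destination=True, address="192.0.2.1"),
        SubnetFilterEntry("from-lan", entry_sequence=1, address="10.1.0.0", mask="255.255.0.0"),
        ProtocolFilterEntry("tcp", entry_sequence=2, protocol=6),
        PortRangeFilterEntry("https", entry_sequence=3, protocol=6, start_port=443, end_port=443),
    ]
    return SACondition("web-out", ON_DATA_TRAFFIC, FilterList("to-web", OUTGOING, entries))
```

   The negated entry is given the lowest EntrySequence so that the
   exclusion is tested before the more expensive matches, which is the
   ordering lever section 5.21.3 provides.
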
6. Action Classes

   The action classes are used to model the different actions an IPsec
   device may take when the evaluation of the associated condition
   results in a match.

                                +----------+
                                | SAAction |
                                +----------+
                                     ^
                                     |
                         +-----------+--------------+
                         |                          |
                 +----------------+      +---------------------+*
                 | SAStaticAction |      | SANegotiationAction |o-----+
                 +----------------+      +---------------------+      |
                               ^                     ^                |
                               |                     |                |
                               |         +-----------+-------+        |
                               |         |                   |        |
       +-------------------+   |   +-------------+     +-----------+  |
       | IPsecBypassAction |---+   | IPsecAction |     | IKEAction |  |
       +-------------------+   |   +-------------+     +-----------+  |
                               |       ^                              |
      +--------------------+   |       |    +----------------------+  |
      | IPsecDiscardAction |---+       +----| IPsecTransportAction |  |
      +--------------------+   |       |    +----------------------+  |
                               |       |                              |
         +-----------------+   |       |    +-------------------+     |
         | IKERejectAction |---+       +----| IPsecTunnelAction |     |
         +-----------------+   |            +-------------------+     |
                               |                                      |
   +-----------------------+   |               +--------------+n      |
   | SAPreconfiguredAction |---+               | [SAProposal] |-------+
   +-----------------------+                   +--------------+   (a)

   (a)  ContainedProposal

6.1. The Class SAAction

   The class SAAction serves as the base class for IKE and IPsec
   actions.  Although the class is concrete, it MUST not be
   instantiated.  The class definition for SAAction is as follows:

   NAME         SAAction
   DESCRIPTION  The base class for IKE and IPsec actions.
   DERIVED FROM PolicyAction (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyActionName (from PolicyAction)

6.2. The Class SAStaticAction

   The class SAStaticAction serves as the base class for IKE and IPsec
   actions that do not require any negotiation.  Although the class is
   concrete, it MUST not be instantiated.  The class definition for
   SAStaticAction is as follows:

   NAME         SAStaticAction
   DESCRIPTION  The base class for IKE and IPsec actions that do not
                require any negotiation.
   DERIVED FROM SAAction
   ABSTRACT     FALSE
   PROPERTIES   LifetimeSeconds

6.2.1. The Property LifetimeSeconds

   The property LifetimeSeconds specifies how long the security
   association derived from this action should be used.  The property
   is defined as follows:

   NAME         LifetimeSeconds
   DESCRIPTION  Specifies the amount of time (in seconds) that a
                security association derived from this action should be
                used.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is not a lifetime
                associated with this action (i.e., infinite lifetime).
                A non-zero value is typically used in conjunction with
                fallback actions performed when there is a negotiation
                failure of some sort.

6.3. The Class IPsecBypassAction

   The class IPsecBypassAction is used when packets are allowed to be
   processed without applying IPsec to them.  This is the same as
   stating that packets are allowed to flow in the clear.  The class
   definition for IPsecBypassAction is as follows:

   NAME         IPsecBypassAction
   DESCRIPTION  Specifies that packets are to be allowed to pass in the
                clear.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE

6.4. The Class IPsecDiscardAction

   The class IPsecDiscardAction is used when packets are to be
   discarded.  This is the same as stating that packets are to be
   denied.  The class definition for IPsecDiscardAction is as follows:

   NAME         IPsecDiscardAction
   DESCRIPTION  Specifies that packets are to be discarded.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   DoLogging

6.4.1. The Property DoLogging

   The property DoLogging specifies whether or not an audit message
   should be logged when a packet is discarded.  The property is
   defined as follows:

   NAME         DoLogging
   DESCRIPTION  Specifies if an audit message should be logged when a
                packet is discarded.
   SYNTAX       boolean
   VALUE        A value of true indicates that logging should be done
                for this action.  A value of false indicates logging
                should not be done for this action.

6.5. The Class IKERejectAction

   The class IKERejectAction is used to prevent attempting an IKE
   negotiation with the peer(s).  The class definition for
   IKERejectAction is as follows:

   NAME         IKERejectAction
   DESCRIPTION  Specifies that an IKE negotiation should not even be
                attempted.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   DoLogging

6.5.1. The Property DoLogging

   The property DoLogging specifies whether or not an audit message
   should be logged when a determination is made to prevent an IKE
   negotiation.  The property is defined as follows:

   NAME         DoLogging
   DESCRIPTION  Specifies if an audit message should be logged when IKE
                negotiation is prohibited.
   SYNTAX       boolean
   VALUE        A value of true indicates that logging should be done
                for this action.  A value of false indicates logging
                should not be done for this action.

6.6. The Class SAPreconfiguredAction

   The class SAPreconfiguredAction is used to create a security
   association using preconfigured, hard-wired algorithms and keys.
   The class definition for SAPreconfiguredAction is as follows:

   NAME         SAPreconfiguredAction
   DESCRIPTION  Specifies preconfigured algorithm and keying
                information for creation of a security association.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   To Be Determined...

6.7. The Class SANegotiationAction

   The class SANegotiationAction serves as the base class for IKE and
   IPsec actions which result in an IKE negotiation.  Although the class
   is concrete, it MUST NOT be instantiated.  The class definition for
   SANegotiationAction is as follows:

   NAME         SANegotiationAction
   DESCRIPTION  A base class for IKE and IPsec actions that specifies
                the parameters that are common for IKE phase 1 and IKE
                phase 2 IPsec DOI negotiations.
   DERIVED FROM SAAction
   ABSTRACT     FALSE
   PROPERTIES   MinLifetimeSeconds
                MinLifetimeKilobytes
                RefreshThresholdSeconds
                RefreshThresholdKilobytes
                IdleDurationSeconds

6.7.1. The Property MinLifetimeSeconds

   The property MinLifetimeSeconds specifies the minimum seconds
   lifetime that will be accepted from the peer.  MinLifetimeSeconds is
   used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  The
   property is defined as follows:

   NAME         MinLifetimeSeconds
   DESCRIPTION  Specifies the minimum acceptable seconds lifetime.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no minimum
                value.  A non-zero value specifies the minimum seconds
                lifetime.

6.7.2. The Property MinLifetimeKilobytes

   The property MinLifetimeKilobytes specifies the minimum kilobyte
   lifetime that will be accepted from the peer.  MinLifetimeKilobytes
   is used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  The
   property is defined as follows:

   NAME         MinLifetimeKilobytes
   DESCRIPTION  Specifies the minimum acceptable kilobyte lifetime.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no minimum
                value.  A non-zero value specifies the minimum kilobyte
                lifetime.

6.7.3. The Property RefreshThresholdSeconds

   The property RefreshThresholdSeconds specifies what percentage of
   the seconds lifetime can expire before IKE should attempt to
   renegotiate the IPsec security association.  A random value may be
   added to the calculated threshold (percentage x seconds lifetime) to
   reduce the chance of both peers attempting to renegotiate at the
   same time.  The property is defined as follows:

   NAME         RefreshThresholdSeconds
   DESCRIPTION  Specifies the percentage of seconds lifetime that has
                expired before the IPsec security association is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IPsec security
                association should not be renegotiated until the
                seconds lifetime has been reached.

6.7.4. The Property RefreshThresholdKilobytes

   The property RefreshThresholdKilobytes specifies what percentage of
   the kilobyte lifetime can expire before IKE should attempt to
   renegotiate the IPsec security association.  A random value may be
   added to the calculated threshold (percentage x kilobyte lifetime)
   to reduce the chance of both peers attempting to renegotiate at the
   same time.  The property is defined as follows:

   NAME         RefreshThresholdKilobytes
   DESCRIPTION  Specifies the percentage of kilobyte lifetime that has
                expired before the IPsec security association is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IPsec security
                association should not be renegotiated until the
                kilobyte lifetime has been reached.

6.7.5. The Property IdleDurationSeconds

   The property IdleDurationSeconds specifies how many seconds a
   security association may remain idle (i.e., no traffic protected
   using the security association) before it is deleted.  The property
   is defined as follows:

   NAME         IdleDurationSeconds
   DESCRIPTION  Specifies how long, in seconds, a security association
                may remain unused before it is deleted.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that idle detection should
                not be used for the security association.  Any non-zero
                value indicates the number of seconds the security
                association may remain unused.
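   The following Python is an added illustration of how an IPsec
   implementation could apply the five SANegotiationAction properties
   above; it is not code from this draft.  The class and function names
   are assumptions.  The jitter added to the refresh threshold is capped
   so the refresh point never lands after the hard lifetime, and the
   same computation applies to any lifetime limit, whether it is counted
   in seconds, kilobytes, or derived keys.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SANegotiationParams:
    """The SANegotiationAction lifetime properties (sections 6.7.1 - 6.7.5).
    Class and field names are assumptions made for this example."""
    min_lifetime_seconds: int         # 0 = no minimum enforced
    min_lifetime_kilobytes: int       # 0 = no minimum enforced
    refresh_threshold_seconds: int    # 1..100, percent of the seconds lifetime
    refresh_threshold_kilobytes: int  # 1..100, percent of the kilobyte lifetime
    idle_duration_seconds: int        # 0 = no idle detection

    def __post_init__(self):
        for pct in (self.refresh_threshold_seconds,
                    self.refresh_threshold_kilobytes):
            if not 1 <= pct <= 100:
                raise ValueError("refresh thresholds must be 1..100 percent")


def lifetime_acceptable(params, offered_seconds, offered_kilobytes):
    """Accept a peer's offered lifetimes only if neither is below the
    configured minimum; a minimum of zero disables that check.  Refusing
    very short lifetimes bounds the rekey rate a peer can force on us,
    and each rekey costs a Diffie-Hellman exchange."""
    if params.min_lifetime_seconds and offered_seconds < params.min_lifetime_seconds:
        return False
    if params.min_lifetime_kilobytes and offered_kilobytes < params.min_lifetime_kilobytes:
        return False
    return True


def refresh_point(limit, threshold_percent, jitter_fraction=0.0, rng=random):
    """Point, in the limit's own unit (seconds, kilobytes, derived keys),
    at which renegotiation is started.  The base threshold is
    limit * percent / 100.  A random amount may be added on top, but it
    is drawn from at most jitter_fraction of the remaining slack so the
    refresh never lands after the hard limit.  A threshold of 100 means
    'rekey only at expiry', so no jitter is applied there."""
    if not 1 <= threshold_percent <= 100:
        raise ValueError("threshold must be 1..100 percent")
    base = limit * threshold_percent // 100
    if threshold_percent == 100 or jitter_fraction <= 0:
        return base
    slack = int((limit - base) * jitter_fraction)
    return base + rng.randrange(slack + 1)


def refresh_point_seeded(limit, threshold_percent, jitter_fraction, seed):
    """refresh_point with a seeded generator, for reproducible runs."""
    return refresh_point(limit, threshold_percent, jitter_fraction,
                         random.Random(seed))


def should_delete_idle(params, now, last_used):
    """Idle detection: delete the SA once it has carried no traffic for
    IdleDurationSeconds; a value of zero disables the check entirely."""
    if params.idle_duration_seconds == 0:
        return False
    return now - last_used >= params.idle_duration_seconds
```

   With a 28,800 second lifetime and an 80 percent threshold the base
   refresh point is 23,040 seconds; allowing jitter over half of the
   remaining slack keeps the refresh somewhere between 23,040 and 25,920
   seconds, always before the SA expires.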

6.8. The Class IPsecAction

   The class IPsecAction serves as the base class for IPsec transport
   and tunnel actions.  It specifies the parameters used for an IKE
   phase 2 IPsec DOI negotiation.  Although the class is concrete, it
   MUST NOT be instantiated.  The class definition for IPsecAction is
   as follows:

   NAME         IPsecAction
   DESCRIPTION  A base class for IPsec transport and tunnel actions
                that specifies the parameters for IKE phase 2 IPsec DOI
                negotiations.
   DERIVED FROM SANegotiationAction
   ABSTRACT     FALSE
   PROPERTIES   UsePFS
                UseIKEGroup
                GroupId
                Granularity

6.8.1. The Property UsePFS

   The property UsePFS specifies whether or not perfect forward secrecy
   should be used when refreshing keys.  The property is defined as
   follows:

   NAME         UsePFS
   DESCRIPTION  Specifies whether or not to use PFS.
   SYNTAX       boolean
   VALUE        A value of true indicates that PFS should be used.  A
                value of false indicates that PFS should not be used.

6.8.2. The Property UseIKEGroup

   The property UseIKEGroup specifies whether or not phase 2 should use
   the same Diffie-Hellman group as was used in phase 1.  UseIKEGroup is
   ignored if UsePFS is false.  The property is defined as follows:

   NAME         UseIKEGroup
   DESCRIPTION  Specifies whether or not to use the same GroupId for
                phase 2 as was used in phase 1.  If UsePFS is false,
                then UseIKEGroup is ignored.
   SYNTAX       boolean
   VALUE        A value of true indicates that the phase 2 GroupId
                should be the same as phase 1.  A value of false
                indicates that the property GroupId will contain the
                Diffie-Hellman group to use for phase 2.

6.8.3. The Property GroupId

   The property GroupId specifies the Diffie-Hellman group to use for
   phase 2.  GroupId is ignored if (1) the property UsePFS is false, or
   (2) the property UsePFS is true and the property UseIKEGroup is
   true.  The property is defined as follows:

   NAME         GroupId
   DESCRIPTION  Specifies the Diffie-Hellman group to use for phase 2
                when the property UsePFS is true and the property
                UseIKEGroup is false.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - 768-bit MODP group
                2 - 1024-bit MODP group
                3 - EC2N group on GP[2^155]
                4 - EC2N group on GP[2^185]
                5 - 1536-bit MODP group

6.8.4. The Property Granularity

   The property Granularity specifies whether the proposed selector for
   the security association should be derived from the traffic that
   triggered the negotiation (Narrow) or from the FilterList of the
   Condition(s) that matched the rule (Wide).  The property is defined
   as follows:

   NAME         Granularity
   DESCRIPTION  Specifies how the proposed selector for the security
                association will be created.
   SYNTAX       unsigned 8-bit integer
   VALUE        1 - The selector is created by using the FilterList
                information from the condition that matched the traffic
                parameters.  This is called a Wide selector as it could
                for instance contain an IP subnet or range.
                2 - The selector is created by using the traffic
                parameters (i.e., the 5-tuple of the traffic).  This is
                called a Narrow selector.
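   The following Python is an added example, not code from this draft,
   showing how the four IPsecAction properties (sections 6.8.1 to 6.8.4)
   are resolved into phase 2 parameters: the PFS/UseIKEGroup/GroupId
   rule selects the Diffie-Hellman group, and Granularity decides whether
   the proposed selector is copied from the matching FilterList entry
   (Wide) or pinned to the triggering packet's 5-tuple (Narrow).  The
   class names, the FilterEntry and Packet stand-ins, and the sample
   addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Granularity values from section 6.8.4
WIDE = 1     # selector built from the matching FilterList entry
NARROW = 2   # selector built from the triggering packet's 5-tuple


@dataclass(frozen=True)
class IPsecActionParams:
    """The IPsecAction properties from sections 6.8.1 - 6.8.4
    (class and field names are assumptions for this example)."""
    use_pfs: bool
    use_ike_group: bool
    group_id: int        # Diffie-Hellman group, only meaningful with PFS
    granularity: int     # WIDE or NARROW


def phase2_dh_group(params, phase1_group_id):
    """Resolve the group for the phase 2 exchange.  Returns None when PFS
    is off (no phase 2 Diffie-Hellman at all); otherwise either the phase
    1 group (UseIKEGroup true) or the explicitly configured GroupId."""
    if not params.use_pfs:
        return None              # UseIKEGroup and GroupId are ignored
    if params.use_ike_group:
        return phase1_group_id   # GroupId is ignored
    return params.group_id


@dataclass(frozen=True)
class FilterEntry:
    """Constructed stand-in for the FilterList entry that matched the rule.
    Addresses are prefixes; a None protocol or port means 'any'."""
    src: str
    dst: str
    protocol: Optional[int]
    dst_port: Optional[int]


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for the packet that triggered negotiation."""
    src: str
    dst: str
    protocol: int
    src_port: int
    dst_port: int


def proposed_selector(params, matched_filter, packet):
    """Build the selector to propose for the SA.  WIDE copies the filter
    (so a whole subnet or a port-less rule is proposed); NARROW pins the
    selector to exactly the flow that triggered the negotiation."""
    if params.granularity == WIDE:
        return {
            "src": ipaddress.ip_network(matched_filter.src),
            "dst": ipaddress.ip_network(matched_filter.dst),
            "protocol": matched_filter.protocol,
            "src_port": None,
            "dst_port": matched_filter.dst_port,
        }
    if params.granularity == NARROW:
        # ip_network() on a bare host address yields a /32 (or /128 for IPv6)
        return {
            "src": ipaddress.ip_network(packet.src),
            "dst": ipaddress.ip_network(packet.dst),
            "protocol": packet.protocol,
            "src_port": packet.src_port,
            "dst_port": packet.dst_port,
        }
    raise ValueError("Granularity must be 1 (Wide) or 2 (Narrow)")


def sample_selectors():
    """Constructed example: a subnet-to-subnet TCP rule hit by one flow."""
    rule = FilterEntry("10.1.0.0/16", "192.168.5.0/24", 6, None)
    pkt = Packet("10.1.2.3", "192.168.5.9", 6, 40000, 443)
    wide = proposed_selector(IPsecActionParams(True, True, 2, WIDE), rule, pkt)
    narrow = proposed_selector(IPsecActionParams(True, True, 2, NARROW), rule, pkt)
    return wide, narrow
```

   The same code works unchanged for IPv6 addresses because the
   ipaddress module infers the address family and host prefix length.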

6.9. The Class IPsecTransportAction

   The class IPsecTransportAction is a subclass of IPsecAction that is
   used to specify use of an IPsec transport mode security association.
   The class definition for IPsecTransportAction is as follows:

   NAME         IPsecTransportAction
   DESCRIPTION  Specifies that an IPsec transport mode security
                association should be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE

6.10. The Class IPsecTunnelAction

   The class IPsecTunnelAction is a subclass of IPsecAction that is
   used to specify use of an IPsec tunnel mode security association.
   The class definition for IPsecTunnelAction is as follows:

   NAME         IPsecTunnelAction
   DESCRIPTION  Specifies that an IPsec tunnel mode security
                association should be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE
   PROPERTIES   PeerGateway
                DFHandling

6.10.1. The Property PeerGateway

   The property PeerGateway specifies the IP address or DNS name of the
   peer gateway.  The property is defined as follows:

   NAME         PeerGateway
   DESCRIPTION  Specifies peer gateway's IP address or DNS name.
   SYNTAX       string
   VALUE        Either (1) IPv4 address in dotted quad format, (2) IPv6
                address in ... format, or (3) a DNS name.

6.10.2. The Property DFHandling

   The property DFHandling specifies how the Don't Fragment (DF) bit
   should be managed by the tunnel.  The property is defined as
   follows:

   NAME         DFHandling
   DESCRIPTION  Specifies how the DF bit is managed by the tunnel.
   SYNTAX       unsigned 8-bit integer
   VALUE        1 - DF bit is copied.
                2 - DF bit is set.
                3 - DF bit is cleared.

6.11. The Class IKEAction

   The class IKEAction specifies the parameters that are to be used for
   IKE phase 1 negotiation.  The class definition for IKEAction is as
   follows:

   NAME         IKEAction
   DESCRIPTION  Specifies the IKE phase 1 negotiation parameters.
   DERIVED FROM SANegotiationAction
   ABSTRACT     FALSE
   PROPERTIES   RefreshThresholdDerivedKeys
                ExchangeMode
                UseIKEIdentityType

6.11.1. The Property RefreshThresholdDerivedKeys

   The property RefreshThresholdDerivedKeys specifies what percentage
   of the derived key limit (see the LifetimeDerivedKeys property of an
   IKEProposal) can expire before IKE should attempt to renegotiate the
   IKE phase 1 security association.  A random value may be added to
   the calculated threshold (percentage x derived key limit) to reduce
   the chance of both peers attempting to renegotiate at the same time.
   The property is defined as follows:

   NAME         RefreshThresholdDerivedKeys
   DESCRIPTION  Specifies the percentage of derived key limit that has
                expired before the IKE phase 1 security association is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IKE phase 1 security
                association should not be renegotiated until the
                derived key limit has been reached.

6.11.2. The Property ExchangeMode

   The property ExchangeMode specifies which IKE mode should be used
   for IKE phase one negotiation.  The property is defined as
   follows:

   NAME         ExchangeMode
   DESCRIPTION  Specifies the IKE negotiation mode for phase 1.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - base mode
                2 - main mode
                4 - aggressive mode

6.11.3. The Property UseIKEIdentityType

   The property UseIKEIdentityType specifies what IKE identity type
   should be used when negotiating with the peer.  This information is
   used in conjunction with the IKE identities available on the system.
   The property is defined as follows:

   NAME         UseIKEIdentityType
   DESCRIPTION  Specifies the IKE identity to use during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

6.12. The Aggregation Class ContainedProposal

   The class ContainedProposal associates an ordered list of
   SAProposals with the SANegotiationAction that contains it.  If the
   referenced SANegotiationAction object is an IKEAction, then the
   referenced SAProposal object must be an IKEProposal.  If the
   referenced SANegotiationAction object is an IPsecTransportAction or
   an IPsecTunnelAction, then the referenced SAProposal object must be
   an IPsecProposal.  The class definition for ContainedProposal is as
   follows:

   NAME         ContainedProposal
   DESCRIPTION  Associates an ordered list of SAProposals with an
                SANegotiationAction.
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref SANegotiationAction[0..n]]
                PartComponent[ref SAProposal[1..n]]
                SequenceNumber

6.12.1. The Reference GroupComponent

   The property GroupComponent contains an object reference to an
   SANegotiationAction that contains one or more SAProposals.  The
   [0..n] cardinality indicates that there may be zero or more
   SANegotiationActions that contain any given SAProposal.

6.12.2. The Reference PartComponent

   The property PartComponent contains an object reference to an
   SAProposal contained by one or more SANegotiationActions.  The
   [1..n] cardinality indicates that an SANegotiationAction MUST
   contain at least one SAProposal.

6.12.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for
   the SAProposals.  The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order for the SAProposals.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued proposals are preferred over proposals
                with higher values.  If two proposals have the same
                SequenceNumber value, then the order of preference is
                undefined.

7. Proposal and Transform Classes

   The proposal and transform classes model the security parameters an
   IPsec device will use during the IKE phase 1 and 2 negotiations.

                             +--------------+
                             | [SAProposal] |
                             +--------------+
                                    ^
                                    |
                         +----------------------+
                         |                      |
                  +-------------+       +---------------+
                  | IKEProposal |       | IPsecProposal |
                  +-------------+       +---------------+
                                               *o
                                                | (a)
                                               n|
                                        +---------------+
                                        | [SATransform] |
                                        +---------------+
                                                ^
                                                |
               +--------------------+-----------+---------+
               |                    |                     |
        +-------------+     +--------------+     +----------------+
        | AHTransform |     | ESPTransform |     |IPCOMPTransform |
        +-------------+     +--------------+     +----------------+

   (a) ContainedTransform

7.1. The Abstract Class SAProposal

   The abstract class SAProposal serves as the base class for the IKE
   and IPsec proposal classes.  It specifies the parameters that are
   common to the two proposal types.  The class definition for
   SAProposal is as follows:

   NAME         SAProposal
   DESCRIPTION  Specifies the common proposal parameters for IKE and
                IPsec security association negotiation.
   ABSTRACT     TRUE
   PROPERTIES   Name
                MaxLifetimeSeconds
                MaxLifetimeKilobytes

7.1.1. The Property Name

   The property Name specifies a user-friendly name for the SAProposal.
   The property is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies a user-friendly name for this proposal.
   SYNTAX       string

7.1.2. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum amount of
   time, in seconds, to propose that a security association will remain
   valid after its creation.  The property is defined as follows:

   NAME         MaxLifetimeSeconds
   DESCRIPTION  Specifies the maximum amount of time to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that the default of 8 hours
                be used.  A non-zero value indicates the maximum
                seconds lifetime.

7.1.3. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

   NAME         MaxLifetimeKilobytes
   DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there should be no
                maximum kilobyte lifetime.  A non-zero value specifies
                the desired kilobyte lifetime.

7.2. The Class IKEProposal

   The class IKEProposal specifies the proposal parameters necessary to
   drive an IKE security association negotiation.  The class definition
   for IKEProposal is as follows:

   NAME         IKEProposal
   DESCRIPTION  Specifies the proposal parameters for IKE security
                association negotiation.
   DERIVED FROM SAProposal
   ABSTRACT     FALSE
   PROPERTIES   LifetimeDerivedKeys
                CipherAlgorithm
                HashAlgorithm
                PRFAlgorithm
                GroupId
                AuthenticationMethod

7.2.1. The Property LifetimeDerivedKeys

   The property LifetimeDerivedKeys specifies the number of times that
   a phase 1 key will be used to derive a phase 2 key before the phase
   1 security association needs to be renegotiated.  Even though this
   is not a parameter that is sent in an IKE proposal, it is included
   in the proposal as the number of keys derived may be a result of the
   strength of the algorithms in the IKE proposal.  The property is
   defined as follows:

   NAME         LifetimeDerivedKeys
   DESCRIPTION  Specifies the number of phase 2 keys that can be
                derived from the phase 1 key.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no limit to the
                number of phase 2 keys which may be derived from the
                phase 1 key; instead the seconds and/or kilobytes
                lifetime will dictate the phase 1 rekeying.  A non-zero
                value specifies the number of phase 2 keys that can be
                derived from the phase 1 key.

7.2.2. The Property CipherAlgorithm

   The property CipherAlgorithm specifies the proposed phase 1 security
   association encryption algorithm.  The property is defined as
   follows:

   NAME         CipherAlgorithm
   DESCRIPTION  Specifies the proposed encryption algorithm for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - DES-CBC
                2 - IDEA-CBC
                3 - Blowfish-CBC
                4 - RC5-R16-B64-CBC
                5 - 3DES-CBC
                6 - CAST-CBC

7.2.3. The Property HashAlgorithm

   The property HashAlgorithm specifies the proposed phase 1 security
   association hash algorithm.  The property is defined as follows:

   NAME         HashAlgorithm
   DESCRIPTION  Specifies the proposed hash algorithm for the phase 1
                security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - MD5
                2 - SHA-1
                3 - Tiger

7.2.4. The Property PRFAlgorithm

   The property PRFAlgorithm specifies the proposed phase 1 security
   association pseudo-random function.  The property is defined as
   follows:

   NAME         PRFAlgorithm
   DESCRIPTION  Specifies the proposed pseudo-random function for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        Currently none defined.

7.2.5. The Property GroupId

   The property GroupId specifies the proposed phase 1 security
   association Diffie-Hellman group.  The property is defined as
   follows:

   NAME         GroupId
   DESCRIPTION  Specifies the proposed Diffie-Hellman group for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - 768-bit MODP group
                2 - 1024-bit MODP group
                3 - EC2N group on GP[2^155]
                4 - EC2N group on GP[2^185]
                5 - 1536-bit MODP group

7.2.6. The Property AuthenticationMethod

   The property AuthenticationMethod specifies the proposed phase 1
   authentication method.  The property is defined as follows:

   NAME         AuthenticationMethod
   DESCRIPTION  Specifies the proposed authentication method for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - a special value which indicates that this
                particular proposal should be repeated once for each
                authentication method that corresponds to the
                credentials installed on the machine.  For example, if
                the system has a pre-shared key and a certificate, a
                proposal list could be constructed which includes a
                proposal that specifies pre-shared key and proposals
                for any of the public-key authentication methods.
                1 - Pre-shared key
                2 - DSS signatures
                3 - RSA signatures
                4 - Encryption with RSA
                5 - Revised encryption with RSA
                6 - El-Gamal Encryption (has this number been
                assigned???)
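   The following Python is an added example, not code from this draft,
   that turns a set of ContainedProposal associations into the proposal
   list an IKE implementation would send.  It covers two rules from the
   text: proposals are ordered by SequenceNumber with lower values
   preferred (section 6.12.3), and an AuthenticationMethod of 0 is
   expanded into one copy of the proposal per authentication method
   backed by a credential installed on the system (section 7.2.6).  The
   class names, the credential labels in CREDENTIAL_METHODS, and the
   sample proposals are constructed for this example; the numeric
   cipher, hash, group and authentication values are those listed
   above.

```python
from dataclasses import dataclass, replace

# AuthenticationMethod values from section 7.2.6
ANY_INSTALLED = 0    # repeat the proposal once per installed credential
PRESHARED_KEY = 1
DSS_SIGNATURES = 2
RSA_SIGNATURES = 3

# Constructed mapping from credential kinds present on the system to the
# authentication method each one can back.  The labels are assumptions.
CREDENTIAL_METHODS = {
    "psk": PRESHARED_KEY,
    "dss-certificate": DSS_SIGNATURES,
    "rsa-certificate": RSA_SIGNATURES,
}


@dataclass(frozen=True)
class IKEProposal:
    """Subset of the IKEProposal properties from section 7.2."""
    name: str
    cipher_algorithm: int
    hash_algorithm: int
    group_id: int
    authentication_method: int


@dataclass(frozen=True)
class ContainedProposal:
    """One ContainedProposal association (section 6.12)."""
    sequence_number: int
    proposal: IKEProposal


def expand_authentication(proposal, installed_credentials):
    """Apply the value-0 rule: emit one copy of the proposal per
    authentication method backed by an installed credential, in the
    order the credentials are listed.  A credential that maps to no
    method, or that repeats a method already emitted, adds nothing, so
    a value-0 proposal on a system with no usable credential vanishes."""
    if proposal.authentication_method != ANY_INSTALLED:
        return [proposal]
    expanded, seen = [], set()
    for cred in installed_credentials:
        method = CREDENTIAL_METHODS.get(cred)
        if method is None or method in seen:
            continue
        seen.add(method)
        expanded.append(replace(proposal, authentication_method=method))
    return expanded


def build_ike_proposal_list(contained, installed_credentials):
    """Order by SequenceNumber (lower is preferred) and expand the
    placeholders.  Python's sort is stable, so proposals sharing a
    SequenceNumber keep their input order; the model leaves that order
    undefined, so nothing should depend on it."""
    ordered = sorted(contained, key=lambda c: c.sequence_number)
    result = []
    for c in ordered:
        result.extend(expand_authentication(c.proposal, installed_credentials))
    return result


def sample_proposal_list():
    """Constructed example: a 3DES-CBC/SHA-1/1024-bit MODP proposal open
    to any installed credential, preferred (SequenceNumber 10) over a
    DES-CBC/MD5/768-bit MODP proposal fixed to pre-shared key (20)."""
    strong = IKEProposal("3des-sha1", 5, 2, 2, ANY_INSTALLED)
    legacy = IKEProposal("des-md5-psk", 1, 1, 1, PRESHARED_KEY)
    contained = [ContainedProposal(20, legacy), ContainedProposal(10, strong)]
    return build_ike_proposal_list(contained, ["rsa-certificate", "psk", "psk"])
```

   With an RSA certificate and a pre-shared key installed, the sample
   yields three proposals: the 3DES/SHA-1 proposal with RSA signatures,
   the same proposal with pre-shared key, and finally the fixed legacy
   proposal.  The duplicate "psk" entry is ignored rather than producing
   a second identical proposal.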

7.3. The Class IPsecProposal

   The class IPsecProposal adds no new properties, but inherits
   properties from SAProposal as well as aggregating the security
   association transforms necessary for building an IPsec proposal (see
   the aggregation class ContainedTransform).  The class definition for
   IPsecProposal is as follows:

   NAME         IPsecProposal
   DESCRIPTION  Specifies the proposal parameters for IPsec security
                association negotiation.
   DERIVED FROM SAProposal
   ABSTRACT     FALSE

7.4. The Abstract Class SATransform

   The abstract class SATransform serves as the base class for the
   IPsec transforms that can be used to compose an IPsec proposal.  The
   class definition for SATransform is as follows:

   NAME         SATransform
   DESCRIPTION  Base class for the different IPsec transforms.
   ABSTRACT     TRUE
   PROPERTIES   Name
                VendorID

7.4.1. The Property Name

   The property Name specifies a user-friendly name for the
   SATransform.  The property is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies a user-friendly name for this transform.
   SYNTAX       string

7.4.2. The Property VendorID

   The property VendorID specifies the vendor ID for vendor-defined
   transforms.  The property is defined as follows:

   NAME         VendorID
   DESCRIPTION  Specifies the vendor ID for vendor-defined transforms.
   SYNTAX       string
   VALUE        An empty VendorID string indicates that the transform
                is one of the previously-defined ones.

7.5. The Class AHTransform

   The class AHTransform specifies the AH algorithm to propose during
   IPsec security association negotiation.  The class definition for
   AHTransform is as follows:

   NAME         AHTransform
   DESCRIPTION  Specifies the AH algorithm to propose.
   ABSTRACT     FALSE
   PROPERTIES   AHTransformId

7.5.1. The Property AHTransformId

   The property AHTransformId specifies the transform ID of the AH
   algorithm to propose.  The property is defined as follows:

   NAME         AHTransformId
   DESCRIPTION  Specifies the transform ID of the AH algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        2 - MD5
                3 - SHA-1
                4 - DES

7.6. The Class ESPTransform

   The class ESPTransform specifies the ESP algorithms to propose
   during IPsec security association negotiation.  The class definition
   for ESPTransform is as follows:

   NAME         ESPTransform
   DESCRIPTION  Specifies the ESP algorithms to propose.
   ABSTRACT     FALSE
   PROPERTIES   IntegrityTransformId
                CipherTransformId
                CipherKeyLength
                CipherKeyRounds

7.6.1. The Property IntegrityTransformId

   The property IntegrityTransformId specifies the transform ID of the
   ESP integrity algorithm to propose.  The property is defined as
   follows:

   NAME         IntegrityTransformId
   DESCRIPTION  Specifies the transform ID of the ESP integrity
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        None
                1 - HMAC-MD5
                2 - HMAC-SHA
                3 - DES-MAC
                4 - KPDK

7.6.2. The Property CipherTransformId

   The property CipherTransformId specifies the transform ID of the ESP
   encryption algorithm to propose.  The property is defined as
   follows:

   NAME         CipherTransformId
   DESCRIPTION  Specifies the transform ID of the ESP encryption
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - DES IV64
                2 - DES
                3 - 3DES
                4 - RC5
                5 - IDEA
                6 - CAST
                7 - Blowfish
                8 - 3IDEA
                9 - DES IV32
                10 - RC4
                11 - NULL

7.6.3. The Property CipherKeyLength

   The property CipherKeyLength specifies, in bits, the key length for
   the ESP encryption algorithm.  For encryption algorithms which use
   fixed-length keys, this value is ignored.  The property is defined
   as follows:

   NAME         CipherKeyLength
   DESCRIPTION  Specifies the ESP encryption key length in bits.
   SYNTAX       unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

   The property CipherKeyRounds specifies the number of key rounds for
   the ESP encryption algorithm.  The property is defined as follows:

   NAME         CipherKeyRounds
   DESCRIPTION  Specifies the number of key rounds for the ESP
                encryption algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        Currently, key rounds are not defined for any ESP
                encryption algorithms.

7.7. The Class IPCOMPTransform

   The class IPCOMPTransform specifies the IP compression (IPCOMP)
   algorithm to propose during IPsec security association negotiation.
   The class definition for IPCOMPTransform is as follows:

   NAME         IPCOMPTransform
   DESCRIPTION  Specifies the IPCOMP algorithm to propose.
   ABSTRACT     FALSE
   PROPERTIES   Algorithm
                DictionarySize
                PrivateAlgorithm

7.7.1. The Property Algorithm

   The property Algorithm specifies the transform ID of the IPCOMP
   compression algorithm to propose.  The property is defined as
   follows:

   NAME         Algorithm
   DESCRIPTION  Specifies the transform ID of the IPCOMP compression
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - OUI (the property PrivateAlgorithm will contain the
                vendor-specific algorithm to use)
                2 - DEFLATE
                3 - LZS
                4 - V42BIS (has this number been assigned ???)

7.7.2. The Property DictionarySize

   The property DictionarySize specifies the log2 maximum size of the
   dictionary for the compression algorithm.  For compression algorithms
   that have pre-defined dictionary sizes, this value is ignored.  The
   property is defined as follows:

   NAME         DictionarySize
   DESCRIPTION  Specifies the log2 maximum size of the dictionary.
   SYNTAX       unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

   The property PrivateAlgorithm specifies a vendor-specific
   compression algorithm.  This value is only used when the property
   Algorithm is 1 (OUI).  The property is defined as follows:

   NAME         PrivateAlgorithm
   DESCRIPTION  Specifies a vendor-specific compression algorithm.
   SYNTAX       unsigned 32-bit integer

7.8. The Aggregation Class ContainedTransform

   The ContainedTransform associates an IPsecProposal with the set of
   SATransforms that make up the proposal.  If multiple transforms of
   the same type are in a proposal, then they are to be logically ORed
   and the order of preference is dictated by the SequenceNumber
   property.  Sets of transforms of different types are logically
   ANDed.  For example, if the proposal list were

   ESP = { (HMAC-MD5, DES), (HMAC-MD5, 3DES) }
   AH  = { MD5, SHA-1 }

   then the one sending the proposal wants the other side to pick one
   from the ESP transform list AND one from the AH transform list.  The
   class definition for ContainedTransform is as follows:

   NAME         ContainedTransform
   DESCRIPTION  Associates an IPsecProposal with the set of
                SATransforms that make up the proposal.
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref IPsecProposal[0..n]]
                PartComponent[ref SATransform[1..n]]
                SequenceNumber

7.8.1. The Reference GroupComponent

   The property GroupComponent contains an object reference to an
   IPsecProposal that contains one or more SATransforms.  The [0..n]
   cardinality indicates that there may be zero or more IPsecProposals
   that contain any given SATransform.

7.8.2. The Reference PartComponent

   The property PartComponent contains an object reference to an
   SATransform contained by one or more IPsecProposals.  The [1..n]
   cardinality indicates that an IPsecProposal MUST contain at least one
   SATransform.

7.8.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for
   the SATransforms of the same type.  The property is defined as
   follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order for the SATransforms of
                the same type.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued transforms are preferred over transforms
                of the same type with higher values.  If two transforms
                of the same type have the same SequenceNumber value,
                then the order of preference is undefined.
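
   The following is an added example, not part of the draft: it models
   the ContainedTransform aggregation (7.8) and the SequenceNumber rule
   (7.8.3), expanding the draft's own ESP/AH proposal list into the
   alternatives a responder may choose and flagging transforms whose
   relative preference the draft leaves undefined.  Class, property and
   transform ID names follow sections 7.5 to 7.8; the Python structures,
   function names and sample proposal are constructed for this example.

```python
"""Added example (not the draft's own code): the ContainedTransform
aggregation of section 7.8.  Transforms of one type are ORed in
SequenceNumber order; the per-type sets are ANDed.  Names follow sections
7.5-7.8; the Python structures and sample proposal are constructed here."""
from collections import defaultdict
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Tuple

AH_TRANSFORM_ID = {2: "MD5", 3: "SHA-1", 4: "DES"}            # 7.5.1
ESP_INTEGRITY_ID = {1: "HMAC-MD5", 2: "HMAC-SHA", 3: "DES-MAC", 4: "KPDK"}
ESP_CIPHER_ID = {1: "DES IV64", 2: "DES", 3: "3DES", 4: "RC5", 5: "IDEA",
                 6: "CAST", 7: "Blowfish", 8: "3IDEA", 9: "DES IV32",
                 10: "RC4", 11: "NULL"}                         # 7.6.2

@dataclass(frozen=True)
class AHTransform:                          # 7.5: one AH algorithm
    ah_transform_id: int
    def label(self) -> str:
        return AH_TRANSFORM_ID[self.ah_transform_id]

@dataclass(frozen=True)
class ESPTransform:                         # 7.6: cipher + optional integrity
    cipher_transform_id: int
    integrity_transform_id: Optional[int] = None   # None: no integrity

    def label(self) -> str:
        integ = ("None" if self.integrity_transform_id is None
                 else ESP_INTEGRITY_ID[self.integrity_transform_id])
        return f"({integ}, {ESP_CIPHER_ID[self.cipher_transform_id]})"

@dataclass
class IPsecProposal:
    """Proposal plus its ContainedTransform links (SequenceNumber, PartComponent)."""
    name: str
    contained: List[Tuple[int, object]] = field(default_factory=list)
    def add(self, sequence_number: int, transform) -> None:
        self.contained.append((sequence_number, transform))

def ordered_by_type(proposal: IPsecProposal) -> Dict[str, List[str]]:
    """OR-set per transform type, lowest SequenceNumber first (7.8.3).
    An empty proposal violates the [1..n] cardinality and is rejected."""
    if not proposal.contained:
        raise ValueError(f"{proposal.name}: needs at least one SATransform")
    groups: Dict[str, List[Tuple[int, object]]] = defaultdict(list)
    for seq, transform in proposal.contained:
        groups[type(transform).__name__].append((seq, transform))
    return {kind: [t.label() for _, t in sorted(items, key=lambda x: x[0])]
            for kind, items in groups.items()}

def undefined_order(proposal: IPsecProposal) -> List[Tuple[str, int]]:
    """(type, SequenceNumber) pairs shared by two transforms of one type:
    the draft leaves their relative preference undefined, so flag them."""
    seen: Dict[Tuple[str, int], int] = defaultdict(int)
    for seq, transform in proposal.contained:
        seen[(type(transform).__name__, seq)] += 1
    return sorted(key for key, count in seen.items() if count > 1)

def alternatives(proposal: IPsecProposal) -> List[Tuple[str, ...]]:
    """Each combination the responder may pick: one transform from every
    type's OR-set (the sets are ANDed), listed in preference order."""
    per_type = ordered_by_type(proposal)
    return list(product(*(per_type[k] for k in sorted(per_type))))

def draft_example_proposal() -> IPsecProposal:
    """The proposal list from section 7.8 as constructed sample data:
    ESP = {(HMAC-MD5, DES), (HMAC-MD5, 3DES)}, AH = {MD5, SHA-1}."""
    p = IPsecProposal("draft-7.8-example")
    p.add(1, ESPTransform(cipher_transform_id=2, integrity_transform_id=1))
    p.add(2, ESPTransform(cipher_transform_id=3, integrity_transform_id=1))
    p.add(1, AHTransform(ah_transform_id=2))
    p.add(2, AHTransform(ah_transform_id=3))
    return p
```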

8. Security Considerations

   This document describes a schema for IPsec policy.  It does not
   detail security requirements for storage or delivery of said schema.
   Storage and delivery security requirements should be detailed in a
   comprehensive security policy architecture document.

9. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.

   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

10. Acknowledgments

   The author would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
   Vic Lortz, and William Dixon for their contributions to this IPsec
   policy model.

   Additionally, this draft would not have been possible without the
   preceding IPsec schema drafts.  For that, thanks go out to Rob
   Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
   Rajan.

11. References

   [IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)",
   RFC 2409, November 1998.

   [COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP
   Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

   [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload
   (ESP)", RFC 2406, November 1998.

   [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC
   2402, November 1998.

   [PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core
   Information Model -- Version 1 Specification", draft-ietf-policy-
   core-infor-model-06.txt, May 2000.  Internet-Draft work in progress.

   [DOI] Piper, D., "The Internet IP Security Domain of Interpretation
   for ISAKMP", RFC 2407, November 1998.

   [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory
   Access Protocol (v3)", RFC 2251, December 1997.

   [COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
   Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
   January 2000.  Internet-Draft work in progress.

   [COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie,
   F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
   Policy Provisioning", draft-ietf-rap-pr-02.txt, March 2000.
   Internet-Draft work in progress.

   [SPSL] Condell, M., and C. Lynn, J. Zao, "Security Policy
   Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000.
   Internet-Draft work in progress.

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
   Requirement Levels", BCP 14, RFC 2119, March 1997.

12. Disclaimer

   The views and specification herein are those of the authors and are
   not necessarily those of their employer.  The authors and their
   employer specifically disclaim responsibility for any problems
   arising from correct or incorrect implementation or use of this
   specification.

13. Author's Address

      Jamie Jason
      Intel Corporation
      MS JF3-206
      2111 NE 25th Ave.
      Hillsboro, OR 97124
      Phone: +1-503-264-9531
      Fax: +1-503-264-9428
      E-Mail: jamie.jason@intel.com

14. Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.