Comparison of draft-ietf-ipsp-config-policy-model-01.txt (11-July-2000)
with draft-ietf-ipsp-config-policy-model-02.txt (1-March-2001)

Internet Engineering Task Force                              Jamie Jason
INTERNET DRAFT                                         Intel Corporation
11-July-2000 (-01) / 1-March-2001 (-02)                      Lee Rafalow
                                                                     IBM
                                                             Eric Vyncke
                                                           Cisco Systems

(Lee Rafalow and Eric Vyncke are listed as authors of -02 only; -01
names Jamie Jason alone.)

                     IPsec Configuration Policy Model
               draft-ietf-ipsp-config-policy-model-01.txt /
               draft-ietf-ipsp-config-policy-model-02.txt
Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six
[... skipping to change at page 2, line 10 (identical in -01 and -02) ...]

parameters as described in [IKE] and the IKE phase two parameters
for the IPsec Domain of Interpretation as described in [COMP, ESP,
AH, DOI]. It is based upon the core policy classes as defined in
the Policy Core Information Model (PCIM) [PCIM].
Table of Contents

Table of contents of draft-ietf-ipsp-config-policy-model-01.txt:

Status of this Memo................................................1
Abstract...........................................................1
Table of Contents..................................................2
1. Introduction....................................................5
2. UML Conventions.................................................5
3. IPsec Policy Model Inheritance Hierarchy........................6
4. Policy Classes..................................................9
4.1. The Class IPsecPolicyGroup....................................9
4.1.1. The Property IKERuleOverridePoint..........................10
4.1.2. The Property IPsecRuleOverridePoint........................10
4.2. The Class SARule.............................................11
4.3. The Class IKERule............................................11
4.4. The Class IPsecRule..........................................11
4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup..........12
4.5.1. The Reference ContainingGroup..............................12
4.5.2. The Reference ContainedGroup...............................12
4.5.3. The Property Precedence....................................12
4.6. The Composition Class RuleForIKENegotiation..................12
4.6.1. The Reference ContainingGroup..............................13
4.6.2. The Reference ContainedRule................................13
4.7. The Composition Class RuleForIPsecNegotiation................13
4.7.1. The Reference ContainingGroup..............................13
4.7.2. The Reference ContainedRule................................13
4.8. The Aggregation Class SAConditionInRule......................14
4.8.1. The Reference ContainingRule...............................14
4.8.2. The Reference ContainedCondition...........................14
4.8.3. The Property SequenceNumber................................14
4.9. The Aggregation Class SAActionInRule.........................14
4.9.1. The Reference ContainingRule...............................15
4.9.2. The Reference ContainedAction..............................15
4.10. The Aggregation Class FallbackSAActionInRule................15
4.10.1. The Reference ContainingRule..............................15
4.10.2. The Reference ContainedAction.............................15
4.10.3. The Property SequenceNumber...............................16
5. Condition and Filter Classes...................................17
5.1. The Class SACondition........................................18
5.1.1. The Property StartupCondition..............................18
5.2. The Class FilterList.........................................18
5.2.1. The Property Name..........................................19
5.2.2. The Property Direction.....................................19
5.3. The Abstract Class FilterEntryBase...........................19
5.3.1. The Property Name..........................................19
5.3.2. The Property IsNegated.....................................19
5.4. The Abstract Class IPFilterEntry.............................20
5.5. The Abstract Class EndpointFilterEntry.......................20
5.5.1. The Property ApplyToDestination............................20
5.6. The Class IPv4AddressFilterEntry.............................20
5.6.1. The Property Address.......................................21
5.7. The Class IPv4RangeFilterEntry...............................21
5.7.1. The Property StartAddress..................................21
5.7.2. The Property EndAddress....................................21
5.8. The Class IPv4SubnetFilterEntry..............................21
5.8.1. The Property Address.......................................22
5.8.2. The Property Mask..........................................22
5.9. The Class IPv6AddressFilterEntry.............................22
5.9.1. The Property Address.......................................22
5.10. The Class IPv6RangeFilterEntry..............................22
5.10.1. The Property StartAddress.................................23
5.10.2. The Property EndAddress...................................23
5.11. The Class IPv6SubnetFilterEntry.............................23
5.11.1. The Property Address......................................23
5.11.2. The Property Mask.........................................24
5.12. The Class FQDNFilterEntry...................................24
5.12.1. The Property Name.........................................24
5.13. The Class ProtocolFilterEntry...............................24
5.13.1. The Property Protocol.....................................24
5.14. The Class UDPFilterEntry....................................25
5.14.1. The Property StartPort....................................25
5.14.2. The Property EndPort......................................25
5.15. The Class TCPFilterEntry....................................25
5.15.1. The Property StartPort....................................26
5.15.2. The Property EndPort......................................26
5.16. The Abstract Class IPSOFilterEntry..........................26
5.17. The Class ClassificationLevelFilterEntry....................26
5.17.1. The Property Level........................................26
5.18. The Class ProtectionAuthorityFilterEntry....................27
5.18.1. The Property Authority....................................27
5.19. The Class CredentialFilterEntry.............................27
5.20. The Aggregation Class FilterOfSACondition...................27
5.20.1. The Reference Antecedent..................................28
5.20.2. The Reference Dependent...................................28
5.21. The Composition Class EntriesInFilterList...................28
5.21.1. The Reference Antecedent..................................28
5.21.2. The Reference Dependent...................................28
5.21.3. The Property EntrySequence................................29
6. Action Classes.................................................30
6.1. The Class SAAction...........................................30
6.2. The Class SAStaticAction.....................................30
6.2.1. The Property LifetimeSeconds...............................31
6.3. The Class IPsecBypassAction..................................31
6.4. The Class IPsecDiscardAction.................................31
6.4.1. The Property DoLogging.....................................32
6.5. The Class IKERejectAction....................................32
6.5.1. The Property DoLogging.....................................32
6.6. The Class SAPreconfiguredAction..............................32
6.7. The Class SANegotiationAction................................33
6.7.1. The Property MinLifetimeSeconds............................33
6.7.2. The Property MinLifetimeKilobytes..........................33
6.7.3. The Property RefreshThresholdSeconds.......................34
6.7.4. The Property RefreshThresholdKilobytes.....................34
6.7.5. The Property IdleDurationSeconds...........................34
6.8. The Class IPsecAction........................................35
6.8.1. The Property UsePFS........................................35
6.8.2. The Property UseIKEGroup...................................35
6.8.3. The Property GroupId.......................................35
6.8.4. The Property Granularity...................................36
6.9. The Class IPsecTransportAction...............................36
6.10. The Class IPsecTunnelAction.................................36
6.10.1. The Property PeerGateway..................................37
6.10.2. The Property DFHandling...................................37
6.11. The Class IKEAction.........................................37
6.11.1. The Property RefreshThresholdDerivedKeys..................37
6.11.2. The Property ExchangeMode.................................38
6.11.3. The Property UseIKEIdentityType...........................38
6.12. The Aggregation Class ContainedProposal.....................38
6.12.1. The Reference GroupComponent..............................39
6.12.2. The Reference PartComponent...............................39
6.12.3. The Property SequenceNumber...............................39
7. Proposal and Transform Classes.................................40
7.1. The Abstract Class SAProposal................................40
7.1.1. The Property Name..........................................40
7.1.2. The Property MaxLifetimeSeconds............................41
7.1.3. The Property MaxLifetimeKilobytes..........................41
7.2. The Class IKEProposal........................................41
7.2.1. The Property LifetimeDerivedKeys...........................41
7.2.2. The Property CipherAlgorithm...............................42
7.2.3. The Property HashAlgorithm.................................42
7.2.4. The Property PRFAlgorithm..................................42
7.2.5. The Property GroupId.......................................43
7.2.6. The Property AuthenticationMethod..........................43
7.3. The Class IPsecProposal......................................43
7.4. The Abstract Class SATransform...............................44
7.4.1. The Property Name..........................................44
7.4.2. The Property VendorID......................................44
7.5. The Class AHTransform........................................44
7.5.1. The Property AHTransformId.................................44
7.6. The Class ESPTransform.......................................45
7.6.1. The Property IntegrityTransformId..........................45
7.6.2. The Property CipherTransformId.............................45
7.6.3. The Property CipherKeyLength...............................46
7.6.4. The Property CipherKeyRounds...............................46
7.7. The Class IPCOMPTransform....................................46
7.7.1. The Property Algorithm.....................................46
7.7.2. The Property DictionarySize................................47
7.7.3. The Property PrivateAlgorithm..............................47
7.8. The Aggregation Class ContainedTransform.....................47
7.8.1. The Reference GroupComponent...............................48
7.8.2. The Reference PartComponent................................48
7.8.3. The Property SequenceNumber................................48
8. Security Considerations........................................48
9. Intellectual Property..........................................48
10. Acknowledgments...............................................49
11. References....................................................49
12. Disclaimer....................................................50
13. Author's Address..............................................50
14. Full Copyright Statement......................................50

Table of contents of draft-ietf-ipsp-config-policy-model-02.txt:

Status of this Memo................................................1
Abstract...........................................................1
Table of Contents..................................................2
1. Introduction....................................................7
2. UML Conventions.................................................7
3. IPsec Policy Model Inheritance Hierarchy........................8
4. Policy Classes.................................................13
4.1. The Class IPsecPolicyGroup...................................14
4.2. The Class SARule.............................................14
4.2.1. The Property LimitNegotiation..............................14
4.3. The Class IKERule............................................15
4.3.1. The Property IdentityContexts..............................15
4.4. The Class IPsecRule..........................................16
4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup..........16
4.5.1. The Reference GroupComponent...............................17
4.5.2. The Reference PartComponent................................17
4.5.3. The Property GroupPriority.................................17
4.6. The Association Class IPsecPolicyForEndpoint.................17
4.6.1. The Reference Antecedent...................................18
4.6.2. The Reference Dependent....................................18
4.7. The Association Class IPsecPolicyForSystem...................18
4.7.1. The Reference Antecedent...................................18
4.7.2. The Reference Dependent....................................18
4.8. The Aggregation Class RuleForIKENegotiation..................19
4.8.1. The Reference GroupComponent...............................19
4.8.2. The Reference PartComponent................................19
4.9. The Aggregation Class RuleForIPsecNegotiation................19
4.9.1. The Reference GroupComponent...............................19
4.9.2. The Reference PartComponent................................20
4.10. The Aggregation Class SAConditionInRule.....................20
4.10.1. The Reference GroupComponent..............................20
4.10.2. The Reference PartComponent...............................20
4.11. The Aggregation Class SAActionInRule........................20
4.11.1. The Reference GroupComponent..............................21
4.11.2. The Reference PartComponent...............................21
4.11.3. The Property ActionOrder..................................21
5. Condition and Filter Classes...................................22
5.1. The Class SACondition........................................22
5.2. The Class FilterEntry........................................23
5.3. The Class CredentialFilterEntry..............................23
5.3.1. The Property MatchFieldName................................24
5.3.2. The Property MatchFieldValue...............................24
5.3.3. The Property CredentialType................................24
5.4. The Class IPSOFilterEntry....................................24
5.4.1. The Property MatchConditionType............................25
5.4.2. The Property MatchConditionValue...........................25
5.5. The Class PeerIDPayloadFilterEntry...........................25
5.5.1. The Property MatchIdentityType.............................26
5.5.2. The Property MatchIdentityValue............................26
5.6. The Association Class FilterOfSACondition....................27
5.6.1. The Reference Antecedent...................................27
5.6.2. The Reference Dependent....................................27
5.7. The Association Class AcceptCredentialFrom...................27
5.7.1. The Reference Antecedent...................................28
5.7.2. The Reference Dependent....................................28
6. Action Classes.................................................29
6.1. The Class SAAction...........................................30
6.1.1. The Property DoActionLogging...............................30
6.1.2. The Property DoPacketLogging...............................30
6.2. The Class SAStaticAction.....................................31
6.2.1. The Property LifetimeSeconds...............................31
6.3. The Class IPsecBypassAction..................................31
6.4. The Class IPsecDiscardAction.................................31
6.5. The Class IKERejectAction....................................32
6.6. The Class PreconfiguredSAAction..............................32
6.6.1. The Property LifetimeKilobytes.............................33
6.7. The Class PreconfiguredTransportAction.......................33
6.8. The Class PreconfiguredTunnelAction..........................33
6.8.1. The Property PeerGatewayAddressType........................33
6.8.2. The Property PeerGatewayAddress............................34
6.8.3. The Property DFHandling....................................34
6.9. The Class SANegotiationAction................................34
6.9.1. The Property MinLifetimeSeconds............................35
6.9.2. The Property MinLifetimeKilobytes..........................35
6.9.3. The Property RefreshThresholdSeconds.......................35
6.9.4. The Property RefreshThresholdKilobytes.....................36
6.9.5. The Property IdleDurationSeconds...........................36
6.10. The Class IPsecAction.......................................36
6.10.1. The Property UsePFS.......................................37
6.10.2. The Property UseIKEGroup..................................37
6.10.3. The Property GroupId......................................37
6.10.4. The Property Granularity..................................38
6.10.5. The Property VendorID.....................................38
6.11. The Class IPsecTransportAction..............................38
6.12. The Class IPsecTunnelAction.................................38
6.12.1. The Property DFHandling...................................39
6.13. The Class IKEAction.........................................39
6.13.1. The Property RefreshThresholdDerivedKeys..................39
6.13.2. The Property ExchangeMode.................................40
6.13.3. The Property UseIKEIdentityType...........................40
6.13.4. The Property VendorID.....................................40
6.13.5. The Property AggressiveModeGroupId........................41
6.14. The Class PeerGateway.......................................41
6.14.1. The Property Name.........................................41
6.14.2. The Property PeerIdentityType.............................41
6.14.3. The Property PeerIdentity.................................42
6.15. The Association Class PeerGatewayForTunnel..................42
6.15.1. The Reference Antecedent..................................42
6.15.2. The Reference Dependent...................................43
6.15.3. The Property SequenceNumber...............................43
6.16. The Aggregation Class ContainedProposal.....................43
6.16.1. The Reference GroupComponent..............................43
6.16.2. The Reference PartComponent...............................44
6.16.3. The Property SequenceNumber...............................44
6.17. The Association Class HostedPeerGatewayInformation..........44
6.17.1. The Reference Antecedent..................................44
6.17.2. The Reference Dependent...................................44
6.18. The Association Class TransformOfPreconfiguredAction........44
6.18.1. The Reference Antecedent..................................45
6.18.2. The Reference Dependent...................................45
6.18.3. The Property SPI..........................................45
7. Proposal and Transform Classes.................................46
7.1. The Abstract Class SAProposal................................46
7.1.1. The Property Name..........................................46
7.2. The Class IKEProposal........................................47
7.2.1. The Property LifetimeDerivedKeys...........................47
7.2.2. The Property CipherAlgorithm...............................47
7.2.3. The Property HashAlgorithm.................................48
7.2.4. The Property PRFAlgorithm..................................48
7.2.5. The Property GroupId.......................................48
7.2.6. The Property AuthenticationMethod..........................48
7.2.7. The Property MaxLifetimeSeconds............................49
7.2.8. The Property MaxLifetimeKilobytes..........................49
7.2.9. The Property VendorID......................................49
7.3. The Class IPsecProposal......................................49
7.4. The Abstract Class SATransform...............................50
7.4.1. The Property TransformName.................................50
7.4.2. The Property VendorID......................................50
7.4.3. The Property MaxLifetimeSeconds............................50
7.4.4. The Property MaxLifetimeKilobytes..........................51
7.5. The Class AHTransform........................................51
7.5.1. The Property AHTransformId.................................51
7.5.2. The Property UseReplayPrevention...........................51
7.5.3. The Property ReplayPreventionWindowSize....................52
7.6. The Class ESPTransform.......................................52
7.6.1. The Property IntegrityTransformId..........................52
7.6.2. The Property CipherTransformId.............................52
7.6.3. The Property CipherKeyLength...............................53
7.6.4. The Property CipherKeyRounds...............................53
7.6.5. The Property UseReplayPrevention...........................53
7.6.6. The Property ReplayPreventionWindowSize....................53
7.7. The Class IPCOMPTransform....................................54
7.7.1. The Property Algorithm.....................................54
7.7.2. The Property DictionarySize................................54
7.7.3. The Property PrivateAlgorithm..............................54
7.8. The Association Class SAProposalInSystem.....................54
7.8.1. The Reference Antecedent...................................55
7.8.2. The Reference Dependent....................................55
7.9. The Aggregation Class ContainedTransform.....................55
7.9.1. The Reference GroupComponent...............................55
7.9.2. The Reference PartComponent................................56
7.9.3. The Property SequenceNumber................................56
7.10. The Association Class SATransformInSystem...................56
7.10.1. The Reference Antecedent..................................56
7.10.2. The Reference Dependent...................................56
8. IKE Service and Identity Classes...............................58
8.1. The Class IKEService.........................................59
8.2. The Class PeerIdentityTable..................................59
8.2.1. The Property Name..........................................59
8.3. The Class PeerIdentityEntry..................................60
8.3.1. The Property PeerIdentity..................................60
8.3.2. The Property PeerIdentityType..............................60
8.3.3. The Property PeerAddress...................................60
8.3.4. The Property PeerAddressType...............................60
8.4. The Class AutostartIKEConfiguration..........................61
8.5. The Class AutostartIKESetting................................61
8.5.1. The Property Phase1Only....................................61
8.5.2. The Property AddressType...................................62
8.5.3. The Property SourceAddress.................................62
8.5.4. The Property SourcePort....................................62
8.5.5. The Property DestinationAddress............................62
8.5.6. The Property DestinationPort...............................63
8.5.7. The Property Protocol......................................63
8.6. The Class IKEIdentity........................................63
8.6.1. The Property IdentityType..................................64
8.6.2. The Property IdentityValue.................................64
8.6.3. The Property IdentityContexts..............................64
8.7. The Association Class HostedPeerIdentityTable................65
8.7.1. The Reference Antecedent...................................65
8.7.2. The Reference Dependent....................................65
8.8. The Aggregation Class PeerIdentityMember.....................65
8.8.1. The Reference Collection...................................65
8.8.2. The Reference Member.......................................66
8.9. The Association Class IKEServicePeerGateway..................66
8.9.1. The Reference Antecedent...................................66
8.9.2. The Reference Dependent....................................66
8.10. The Association Class IKEServicePeerIdentityTable...........66
8.10.1. The Reference Antecedent..................................67
8.10.2. The Reference Dependent...................................67
8.11. The Association Class IKEAutostartSetting...................67
8.11.1. The Reference Element.....................................67
8.11.2. The Reference Setting.....................................67
8.12. The Aggregation Class AutostartIKESettingContext............67
8.12.1. The Reference Context.....................................68
8.12.2. The Reference Setting.....................................68
8.12.3. The Property SequenceNumber...............................68
8.13. The Association Class IKEServiceForEndpoint.................68
8.13.1. The Reference Antecedent..................................69
8.13.2. The Reference Dependent...................................69
8.14. The Association Class IKEAutostartConfiguration.............69
8.14.1. The Reference Antecedent..................................69
8.14.2. The Reference Dependent...................................69
8.14.3. The Property Active.......................................69
8.15. The Association Class IKEUsesCredentialManagementService....70
8.15.1. The Reference Antecedent..................................70
8.15.2. The Reference Dependent...................................70
8.16. The Association Class EndpointHasLocalIKEIdentity...........70
8.16.1. The Reference Antecedent..................................71
8.16.2. The Reference Dependent...................................71
8.17. The Association Class CollectionHasLocalIKEIdentity.........71
8.17.1. The Reference Antecedent..................................71
8.17.2. The Reference Dependent...................................71
8.18. The Association Class IKEIdentitysCredential................72
8.18.1. The Reference Antecedent..................................72
8.18.2. The Reference Dependent...................................72
9. Security Considerations........................................72
10. Intellectual Property.........................................72
11. Acknowledgments...............................................73
12. References....................................................73
13. Disclaimer....................................................74
14. Authors' Addresses............................................74
15. Full Copyright Statement......................................74
Appendix A (DMTF Core Model MOF)..................................75
Appendix B (DMTF User Model MOF)..................................90
Appendix C (DMTF Network Model MOF)..............................105
1. Introduction

Internet Protocol security (IPsec) policy may assume a variety of
forms as it travels from storage to distribution point to decision
point. At each step, it needs to be represented in a way that is
convenient for the current task. For example, the policy could
exist as, but is not limited to:

o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
[... skipping to change at page 5, line 33 of -01 / page 7, line 33 of -02 ...]

semantics of the IPsec policy. The purpose of this document is to
abstract IPsec policy into a task-independent representation that is
not constrained by any particular task-dependent representation.

This document is organized as follows:

o Section 2 provides a quick introduction to the Unified Modeling
  Language (UML) graphical notation conventions used in this
  document.

o Section 3 provides the inheritance hierarchy that describes
  where the IPsec policy classes fit into the policy class
  hierarchy already defined by the Policy Core Information Model
  (PCIM).

o The remainder of the document describes the classes that make up
  the IPsec policy model.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS].
2. UML Conventions

   For this document, a UML static class diagram was chosen as the
   canonical representation for the IPsec policy model. The reason
   behind this decision is that UML provides a graphical, task-
   independent way to model systems. A treatise on the graphical
   notation used in UML is beyond the scope of this paper. However,
   given the use of ASCII drawing for UML static class diagrams, a
   description of the notational conventions used in this document is
   in order:

   o  Boxes represent classes, with class names in brackets ([])
      representing an abstract class.

   o  A line that terminates with an arrow (<, >, ^, v) denotes
      inheritance. The arrow always points to the parent class.
      Inheritance can also be called generalization or specialization
      (depending upon the reference point). A base class is a
      generalization of a derived class, and a derived class is a
      specialization of a base class.

   o  Associations are used to model a relationship between two
      classes. Classes that share an association are connected using
      a line. Two special kinds of association are also used:
      aggregations and compositions. Both model a whole-part
      relationship between two classes. Associations, and therefore
      aggregations and compositions, can also be modeled as classes.

   o  A line that begins with an "o" denotes aggregation. Aggregation
      denotes containment in which the contained class and the
      containing class have independent lifetimes.

   o  A line that begins with an "x" denotes composition. Composition
      denotes containment in which the contained class and the
      containing class have coincident lifetimes.

   o  Next to a line representing an association appears a
      cardinality. Cardinalities indicate the constraints on the
      number of object instances in a set of relationships. Every
      association instance has a single set of references. The
      cardinality indicates the number of instances that may refer to
      a given object instance. The cardinality may be:

      -  a range in the form "lower bound..upper bound" indicating the
         minimum and maximum number of objects.

      -  a number that indicates the exact number of objects.

      -  an asterisk indicating any number of objects, including zero.
         Using an asterisk is shorthand for 0..n.

      -  the letter n indicating from 1 to many. Using the letter n is
         shorthand for 1..n.

   o  A class that has an association may have a "w" next to the line
      representing the association. This is called a weak association
      and is discussed in [PCIM].

   It should be noted that the UML static class diagram presented is a
   conceptual view of IPsec policy designed to aid in understanding.
   It does not necessarily get translated class for class into another
   representation. For example, an LDAP implementation may flatten out
   the representation to fewer classes (because of the inefficiency of
   following references).
3. IPsec Policy Model Inheritance Hierarchy

   Like PCIM from which it is derived, the IPsec Configuration Policy
   Model derives from and uses classes defined in the DMTF Common
   Information Model (CIM). The following tree represents the
   inheritance hierarchy for the IPsec policy model classes and how
   they fit into PCIM and the other DMTF models (see Appendices for
   descriptions of classes that are not being introduced as part of
   the IPsec model). CIM classes that are not used as a superclass
   from which to derive new classes but are only referenced are not
   included in this inheritance hierarchy, but are included in the
   appropriate appendix.

   ManagedElement (DMTF Core Model - Appendix A)
    |
    +--Collection (DMTF Core Model - Appendix A)
    |   |
    |   +--PeerIdentityTable
    |
    +--ManagedSystemElement (DMTF Core Model - Appendix A)
    |   |
    |   +--LogicalElement (DMTF Core Model - Appendix A)
    |       |
    |       +--FilterEntryBase (DMTF Network Model - Appendix C)
    |       |   |
    |       |   +--CredentialFilterEntry
    |       |   |
    |       |   +--IPSOFilterEntry
    |       |   |
    |       |   +--PeerIDPayloadFilterEntry
    |       |
    |       +--PeerGateway
    |       |
    |       +--PeerIdentityEntry
    |       |
    |       +--Service (DMTF Core Model - Appendix A)
    |           |
    |           +--NetworkService (DMTF Network Model - Appendix C)
    |               |
    |               +--IKEService
    |
    +--OrganizationalEntity (DMTF User Model - Appendix B)
    |   |
    |   +--UserEntity (DMTF User Model - Appendix B)
    |       |
    |       +--UsersAccess (DMTF User Model - Appendix B)
    |           |
    |           +--IKEIdentity
    |
    +--Policy (PCIM)
    |   |
    |   +--PolicyAction (PCIM)
    |   |   |
    |   |   +--SAAction
    |   |       |
    |   |       +--SANegotiationAction
    |   |       |   |
    |   |       |   +--IKEAction
    |   |       |   |
    |   |       |   +--IPsecAction
    |   |       |       |
    |   |       |       +--IPsecTransportAction
    |   |       |       |
    |   |       |       +--IPsecTunnelAction
    |   |       |
    |   |       +--SAStaticAction
    |   |           |
    |   |           +--IKERejectAction
    |   |           |
    |   |           +--IPsecBypassAction
    |   |           |
    |   |           +--IPsecDiscardAction
    |   |           |
    |   |           +--PreconfiguredSAAction
    |   |               |
    |   |               +--PreconfiguredTransportAction
    |   |               |
    |   |               +--PreconfiguredTunnelAction
    |   |
    |   +--PolicyCondition (PCIM)
    |   |   |
    |   |   +--SACondition
    |   |
    |   +--PolicyGroup (PCIM)
    |   |   |
    |   |   +--IPsecPolicyGroup
    |   |
    |   +--PolicyRule (PCIM)
    |   |   |
    |   |   +--SARule
    |   |       |
    |   |       +--IKERule
    |   |       |
    |   |       +--IPsecRule
    |   |
    |   +--SAProposal
    |   |   |
    |   |   +--IKEProposal
    |   |   |
    |   |   +--IPsecProposal
    |   |
    |   +--SATransform
    |       |
    |       +--AHTransform
    |       |
    |       +--ESPTransform
    |       |
    |       +--IPCOMPTransform
    |
    +--Setting (DMTF Core Model - Appendix A)
    |   |
    |   +--SystemSetting (DMTF Core Model - Appendix A)
    |       |
    |       +--AutostartIKESetting
    |
    +--SystemConfiguration (DMTF Core Model - Appendix A)
        |
        +--AutostartIKEConfiguration

   The following tree represents the inheritance hierarchy of the IPsec
   policy model association classes and how they fit into PCIM and the
   other DMTF models (see Appendices for descriptions of association
   classes that are not being introduced as part of the IPsec model).

   Dependency (DMTF Core Model - Appendix A)
    |
    +--AcceptCredentialsFrom
    |
    +--ElementAsUser (DMTF User Model - Appendix B)
    |   |
    |   +--EndpointHasLocalIKEIdentity
    |   |
    |   +--CollectionHasLocalIKEIdentity
    |
    +--FilterOfSACondition
    |
    +--HostedPeerGatewayInformation
    |
    +--HostedPeerIdentityTable
    |
    +--IKEAutostartConfiguration
    |
    +--IKEServiceForEndpoint
    |
    +--IKEServicePeerGateway
    |
    +--IKEServicePeerIdentityTable
    |
    +--IKEUsesCredentialManagementService
    |
    +--IPsecPolicyForEndpoint
    |
    +--PeerGatewayForTunnel
    |
    +--PolicyInSystem (PCIM)
    |   |
    |   +--PolicyGroupInSystem (PCIM)
    |   |
    |   +--SAProposalInSystem
    |   |
    |   +--SATransformInSystem
    |
    +--IPsecPolicyForSystem
    |
    +--TransformOfPreconfiguredAction
    |
    +--UsersCredential (DMTF User Model - Appendix B)
        |
        +--IKEIdentitysCredential

   ElementSetting (DMTF Core Model - Appendix A)
    |
    +--IKEAutostartSetting

   MemberOfCollection (DMTF Core Model - Appendix A)
    |
    +--PeerIdentityMember

   PolicyComponent (PCIM)
    |
    +--ContainedProposal
    |
    +--ContainedTransform
    |
    +--PolicyActionInPolicyRule (PCIM)
    |   |
    |   +--SAActionInRule
    |
    +--PolicyConditionInPolicyRule (PCIM)
    |   |
    |   +--SAConditionInRule
    |
    +--PolicyGroupInPolicyGroup (PCIM)
    |   |
    |   +--IPsecPolicyGroupInPolicyGroup
    |
    +--PolicyRuleInPolicyGroup (PCIM)
        |
        +--RuleForIKENegotiation
        |
        +--RuleForIPsecNegotiation

   SystemSettingContext (DMTF Core Model - Appendix A)
    |
    +--AutostartIKESettingContext
4. Policy Classes

   The IPsec policy classes represent the set of policies that are
   contained on a system.

                  +--------------------+
                  | IPProtocolEndpoint |
                  |    (Appendix C)    |
                  +--------------------+
                             | *
   +------+              (b) |
   |  (a) |*                 | 0..1
   |     *+------------------+0..1   (c)      *+------------+
   +-----o| IPsecPolicyGroup |-----------------|   System   |
          +------------------+                 |(Appendix A)|
          1 o              o 1                 +------------+
        (d) |              | (e)
   +--------+              +----------------------------------------+
   |                                                                |
   |                  +---------------------------+                 |
   |                  | PolicyTimePeriodCondition |                 |
   |                  |       (see [PCIM])        |                 |
   |                  +---------------------------+                 |
   |                                *|                              |
   |                                 | (f)                          |
   |                                *o                              |
   | +-------------+ n        * +--------+ *        n +----------+  |
   | | SACondition |-----------o| SARule |o-----------| SAAction |  |
   | +-------------+    (g)     +--------+    (h)     +----------+  |
   |                                 ^                              |
   |                                 |                              |
   |                        +--------+--------+                     |
   |                        |                 |                     |
   |                       *+---------+       +-----------+*        |
   +------------------------| IKERule |       | IPsecRule |---------+
                            +---------+       +-----------+

   (a) IPsecPolicyGroupInPolicyGroup
   (b) IPsecPolicyForEndpoint
   (c) IPsecPolicyForSystem
   (d) RuleForIKENegotiation
   (e) RuleForIPsecNegotiation
   (f) PolicyRuleValidityPeriod (see [PCIM])
   (g) SAConditionInRule
   (h) SAActionInRule

   An IPsecPolicyGroup represents the set of policies that are used on
   an interface. This IPsecPolicyGroup SHOULD be associated either
   directly with the IPProtocolEndpoint class instance that represents
   the interface (via the IPsecPolicyForEndpoint association) or
   indirectly (via the IPsecPolicyForSystem association) with the
   System that hosts the interface.
4.1. The Class IPsecPolicyGroup

   The class IPsecPolicyGroup serves as a container of either other
   IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. The
   class definition for IPsecPolicyGroup is as follows:

   NAME          IPsecPolicyGroup
   DESCRIPTION   Either a set of IPsecPolicyGroups or a set of IKERules
                 and a set of IPsecRules.
   DERIVED FROM  PolicyGroup (see [PCIM])
   ABSTRACT      FALSE
   PROPERTIES    PolicyGroupName (from PolicyGroup)
                 IKERuleOverridePoint
                 IPsecRuleOverridePoint

   NOTE: for derivations of the schema that are used for policy
   distribution to an IPsec device (for example, COPS-PR), the server
   may follow all of the IPsecPolicyGroupInPolicyGroup associations and
   create one policy group which is simply a set of all of the IKE
   rules and a set of all of the IPsec rules. See the section on the
   IPsecPolicyGroupInPolicyGroup aggregation for information on merging
   multiple IPsecPolicyGroups.
4.1.1. The Property IKERuleOverridePoint
This property specifies the rule priority at which the policy author
is willing to allow IKERule insertions by a local administrator.
For example, the IT department may define the policy on a company-
wide basis, but allow groups or individuals to insert rules into the
policy to override defaults. Rules are ordered in decreasing order
of their priority (i.e., higher priorities come first). The
override point specifies that if rules are inserted, they are to be
inserted before all rules equal to or less than the override
priority value.
For example, assume that there is a group G1 with IKE rules as
follows:
G1 = { Rule A (priority 50),
Rule B (priority 25),
Rule C (priority 15) }
The IKE override value for G1 is 20. Now assume that a local
administrator wants to insert a set of IKE rules {Rule D, Rule E}
where Rule D has a higher priority than Rule E. The new rules will
be added before rules in G1 with priority equal to or less than 20.
So, when evaluating rules, the order of evaluation would be A, B, D,
E, C. Note that the priority of the rules in override set are
relative only to the set.
The property is defined as follows:
NAME IKERuleOverridePoint
DESCRIPTION Specifies the rule priority at which the policy author
is willing to allow IKERule insertions by a local
administrator.
SYNTAX unsigned 16-bit integer
4.1.2. The Property IPsecRuleOverridePoint
This property specifies the rule priority at which the policy author
is willing to allow IPsecRule insertions by a local administrator.
This property is the same as IKERuleOverridePoint except it is used
for the IPsec rules in the IPsecPolicyGroup. The property is
defined as follows:
NAME IPsecRuleOverridePoint
DESCRIPTION Specifies the rule priority at which the policy author
is willing to allow IPsecRule insertions by a local
administrator.
SYNTAX unsigned 16-bit integer
4.2. The Class SARule

   The class SARule serves as a base class for IKERule and IPsecRule.
   Even though the class is concrete, it MUST NOT be instantiated. It
   defines a common connection point for associations to conditions and
   actions for both types of rules. Through its derivation from
   PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
   the PolicyRuleValidityPeriod association.

   An SARule inherits the property Priority from PolicyRule. Since
   there is a need for an unambiguous ordering of rules in an IPsec
   system, all SARules contained within an IPsecPolicyGroup MUST have
   unique priority values.

   The class definition for SARule is as follows:

   NAME          SARule
   DESCRIPTION   A base class for IKERule and IPsecRule.
   DERIVED FROM  PolicyRule (see [PCIM])
   ABSTRACT      FALSE
   PROPERTIES    PolicyRuleName (from PolicyRule)
                 Enabled (from PolicyRule)
                 ConditionListType (from PolicyRule)
                 LimitNegotiation
4.2.1. The Property LimitNegotiation
The property LimitNegotiation is used as part of processing either
an IKE or an IPsec rule.
Before proceeding with a phase 1 negotiation, this property is
checked to determine if the negotiation role of the rule matches
that defined for the negotiation being undertaken (e.g., Initiator,
Responder, or Both). If this check fails (e.g. the current role is
IKE responder while the rule specifies IKE initiator), then the IKE
negotiation is stopped. Note that this only applies to new IKE phase
1 negotiations and has no effect on either renegotiation or refresh
operations with peers for which an established SA already exists.
Before proceeding with a phase 2 negotiation, the LimitNegotiation
property of the IPsecRule is first checked to determine if the
negotiation role indicated for the rule matches that of the current
negotiation (Initiator, Responder, or Either). Note that this limit
applies only to new phase 2 negotiations. It is ignored when an
attempt is made to refresh an expiring SA (either side can initiate
a refresh operation). The IKE system can determine that the
negotiation is a refresh operation by checking to see if the
selector information matches that of an existing SA. If
LimitNegotiation does not match and the selector corresponds to a
new SA, the negotiation is stopped.
The property is defined as follows:
NAME LimitNegotiation
DESCRIPTION Limits the role to be undertaken during negotiation.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 initiator-only
                 2 responder-only
                 3 both
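   The check described above, written out as an added example (it is not
   code from the draft): a phase 1 request is tested against the rule's
   LimitNegotiation value only when no IKE SA with that peer exists, and a
   phase 2 request only when its selector does not match an existing SA.
   The role names, the tuple layout of a selector and the shape of the
   established-SA table are assumptions made for the example.

```python
"""Added example: applying the LimitNegotiation check of an SARule."""
from dataclasses import dataclass, field
from typing import Set, Tuple

# Encoded values from the LimitNegotiation property definition.
INITIATOR_ONLY = 1
RESPONDER_ONLY = 2
BOTH = 3

# A phase 2 selector: (source, destination, protocol, port). The layout is
# an assumption of this example; the draft only says "selector information".
Selector = Tuple[str, str, int, int]


@dataclass
class EstablishedSAs:
    """Constructed stand-in for the IKE system's table of established SAs."""
    phase1_peers: Set[str] = field(default_factory=set)           # peers with an IKE SA
    phase2_selectors: Set[Selector] = field(default_factory=set)  # selectors with an IPsec SA


def role_permitted(limit: int, role: str) -> bool:
    """Does the rule's LimitNegotiation value allow this role?"""
    if role not in ("initiator", "responder"):
        raise ValueError(f"unknown negotiation role {role!r}")
    if limit == BOTH:
        return True
    if limit == INITIATOR_ONLY:
        return role == "initiator"
    if limit == RESPONDER_ONLY:
        return role == "responder"
    raise ValueError(f"unknown LimitNegotiation value {limit}")


def allow_phase1(limit: int, role: str, peer: str, sas: EstablishedSAs) -> bool:
    """Phase 1: the limit applies only to new negotiations. A renegotiation
    or refresh with a peer that already has an IKE SA proceeds regardless."""
    if peer in sas.phase1_peers:
        return True
    return role_permitted(limit, role)


def allow_phase2(limit: int, role: str, selector: Selector, sas: EstablishedSAs) -> bool:
    """Phase 2: a negotiation whose selector matches an existing SA is a
    refresh and is exempt from the limit; otherwise the role limit decides."""
    if selector in sas.phase2_selectors:
        return True
    return role_permitted(limit, role)


# Constructed sample state: one IKE SA with 192.0.2.1 and one IPsec SA for
# TCP/443 between two documentation prefixes.
SAMPLE_SAS = EstablishedSAs(
    phase1_peers={"192.0.2.1"},
    phase2_selectors={("10.0.0.0/24", "10.1.0.0/24", 6, 443)},
)
```

   The refresh exemption is the part worth noticing: a responder-only rule
   still lets the local side initiate a rekey for an SA it already holds,
   so the selector table, not the rule, decides whether the limit is
   consulted at all.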
4.3. The Class IKERule

   The class IKERule associates Conditions and Actions for IKE phase 1
   negotiations. The class definition for IKERule is as follows:

   NAME          IKERule
   DESCRIPTION   Associates Conditions and Actions for IKE phase 1
                 negotiations.
   DERIVED FROM  SARule
   ABSTRACT      FALSE
   PROPERTIES    same as SARule, plus
                 IdentityContexts
4.3.1. The Property IdentityContexts
The IKE service of a security endpoint may have multiple identities
for use in different situations. The combination of the interface
(represented by the IPProtocolEndpoint), the identity type (as
specified in the IKEAction) and the IdentityContexts specifies a
unique identity.
The IdentityContexts property specifies the context to select the
relevant IKE identity to be used during the further IKEAction. A
context may be a VPN name or other identifier for selecting the
appropriate identity for use on the protected IPProtocolEndpoint.
IdentityContexts is an array of strings. The multiple values in the
array are ORed together in evaluating the IdentityContexts. Each
value in the array may be the composition of multiple context names.
   So, a single value may be a single context name (e.g.,
   "CompanyXVPN") or it may be a combination of contexts. When an array
   value is a composition, the individual values are ANDed together for
   evaluation purposes and the syntax is:
<ContextName>[&&<ContextName>]*
where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). So, for example,
the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
"CompanyZVPN&&Confidential" means that, for the appropriate
IPProtocolEndpoint and IdentityType, the contexts are matched if the
identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
"CompanyZVPN&&Confidential".
The property is defined as follows:
NAME IdentityContexts
DESCRIPTION Specifies the context in which to select the IKE
identity.
SYNTAX string array
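   The evaluation rules above (OR across array values, AND within a
   value, names in collating order), implemented as an added example that
   is not part of the draft. The identity table layout (dictionaries with
   endpoint, type and contexts keys) is an assumption made here; the
   draft only defines the string-array syntax.

```python
"""Added example: evaluating the IdentityContexts property of an IKERule."""
from typing import FrozenSet, Iterable, List


def parse_identity_contexts(values: Iterable[str]) -> List[FrozenSet[str]]:
    """Parse an IdentityContexts string array.

    Each array value is <ContextName>[&&<ContextName>]*; names inside a value
    are ANDed, so a value becomes a frozenset of required names. The draft
    requires the names of a value to appear in collating order; Python's
    code-point order equals the UCS-2 collating sequence for BMP characters,
    so sorted() is used to check it.
    """
    parsed = []
    for value in values:
        names = value.split("&&")
        if any(not name for name in names):
            raise ValueError(f"empty context name in {value!r}")
        if names != sorted(names):
            raise ValueError(f"context names not in collating order: {value!r}")
        parsed.append(frozenset(names))
    return parsed


def identity_contexts_match(rule_values: Iterable[str], identity_contexts: Iterable[str]) -> bool:
    """True if the identity's contexts satisfy at least one array value."""
    have = set(identity_contexts)
    return any(required <= have for required in parse_identity_contexts(rule_values))


def select_ike_identity(identities, endpoint: str, identity_type: str, rule_values):
    """Return the single identity matching (interface, identity type, contexts),
    the triple the draft says identifies an IKE identity uniquely. Raises if
    the policy is ambiguous or yields nothing."""
    matches = [
        ident for ident in identities
        if ident["endpoint"] == endpoint
        and ident["type"] == identity_type
        and identity_contexts_match(rule_values, ident["contexts"])
    ]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} identities match on {endpoint}/{identity_type}")
    return matches[0]


# Constructed sample data: the three array values used in the text and an
# assumed identity table (FQDN identities on two interfaces).
RULE_CONTEXTS = ["CompanyXVPN", "CompanyYVPN&&TopSecret", "CompanyZVPN&&Confidential"]
IDENTITIES = [
    {"endpoint": "eth0", "type": "FQDN", "contexts": {"CompanyYVPN", "TopSecret"}, "id": "gw1.example.com"},
    {"endpoint": "eth0", "type": "FQDN", "contexts": {"CompanyYVPN"}, "id": "gw1-low.example.com"},
    {"endpoint": "eth1", "type": "FQDN", "contexts": {"CompanyXVPN"}, "id": "gw1-ext.example.com"},
]
```

   Rejecting a value whose names are out of order is deliberate: two
   policy sources that spell the same composition differently would
   otherwise look like different contexts, and the draft's ordering rule
   exists to make the string comparison canonical.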
4.4. The Class IPsecRule

   The class IPsecRule associates Conditions and Actions for IKE phase
   2 negotiations for the IPsec DOI. The class definition for
   IPsecRule is as follows:

   NAME          IPsecRule
   DESCRIPTION   Associates Conditions and Actions for IKE phase 2
                 negotiations for the IPsec DOI.
   DERIVED FROM  SARule
   ABSTRACT      FALSE
   PROPERTIES    same as SARule
4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup

   The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec
   policies to be combined into one effective policy. See [PCIM] for a
   description of how policies are merged (see also the property
   GroupPriority). The class definition for
   IPsecPolicyGroupInPolicyGroup is as follows:

   NAME          IPsecPolicyGroupInPolicyGroup
   DESCRIPTION   Associates a nested IPsecPolicyGroup with the
                 IPsecPolicyGroup that contains it.
   DERIVED FROM  PolicyGroupInPolicyGroup (see [PCIM])
   ABSTRACT      FALSE
   PROPERTIES    GroupComponent[ref IPsecPolicyGroup[0..n]]
                 PartComponent[ref IPsecPolicyGroup[0..n]]
                 GroupPriority

4.5.1. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyGroupInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance. The [0..n] cardinality indicates that a
   given IPsecPolicyGroup instance may be a part of zero or more
   containing IPsecPolicyGroup instances (i.e., there may be zero or
   more GroupComponent references per PartComponent).

4.5.2. The Reference PartComponent

   The property PartComponent is inherited from
   PolicyGroupInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance. The [0..n] cardinality indicates that a
   given IPsecPolicyGroup instance may contain zero or more
   IPsecPolicyGroup instances (i.e., there may be zero or more
   PartComponent references per GroupComponent).

4.5.3. The Property GroupPriority

   Since policy groups (IPsecPolicyGroup) can contain both rules and
   other policy groups, the relative priorities of the rules of the
   contained groups are established by setting the GroupPriority
   property of IPsecPolicyGroupInPolicyGroup as a unique rule priority
   in the containing group.

   The rules of the nested group are inserted, in their own order, at
   the position indicated by GroupPriority in the containing group's
   rule list.

   The property is defined as follows:

   NAME          GroupPriority
   DESCRIPTION   Specifies the rule priority to be set to all nested
                 rules.
   SYNTAX        unsigned 16-bit integer
   VALUE         Any value between 1 and 2^16-1 inclusive. Lower values
                 have higher precedence (i.e., 1 is the highest
                 precedence). The merging order of two contained groups
                 with the same precedence is undefined.
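   Two ordering operations from this document, written out as one added
   example (not code from the draft): flattening nested IPsecPolicyGroups
   at their GroupPriority into a single evaluation list, which is the
   merge the note in 4.1 says a policy server may perform, and the local-
   administrator insertion at an IKERuleOverridePoint from 4.1.1. The
   class shapes are assumptions made here. One caveat: the VALUE clause
   of GroupPriority says lower values take precedence, while 4.1.1 and
   4.2 order rules with higher priority first and 4.5.3 says GroupPriority
   is "a unique rule priority in the containing group"; this example
   follows 4.5.3 and treats GroupPriority exactly like a rule priority
   (higher first).

```python
"""Added example: ordering the rules of an IPsecPolicyGroup."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Rule:
    """An SARule; Priority is inherited from PolicyRule, higher evaluates first."""
    name: str
    priority: int


@dataclass
class Group:
    """An IPsecPolicyGroup with its own rules and its nested groups, each nested
    group carrying the GroupPriority of its IPsecPolicyGroupInPolicyGroup."""
    name: str
    rules: List[Rule] = field(default_factory=list)
    nested: List[Tuple[int, "Group"]] = field(default_factory=list)


def check_unique_priorities(group: Group) -> None:
    """4.2: rule priorities within a group must be unique; 4.5.3: a nested
    group's GroupPriority occupies a slot in the same space, so it must be
    unique among them as well."""
    seen = {}
    slots = [(r.priority, r.name) for r in group.rules]
    slots += [(gp, g.name) for gp, g in group.nested]
    for prio, owner in slots:
        if prio in seen:
            raise ValueError(f"{group.name}: priority {prio} used by both {seen[prio]} and {owner}")
        seen[prio] = owner


def flatten(group: Group) -> List[Rule]:
    """Evaluation order of a group: own rules and nested groups sorted by
    priority (higher first), each nested group expanded in place, recursively."""
    check_unique_priorities(group)
    slots = [(r.priority, [r]) for r in group.rules]
    slots += [(gp, flatten(g)) for gp, g in group.nested]
    slots.sort(key=lambda slot: slot[0], reverse=True)
    return [rule for _, rules in slots for rule in rules]


def insert_local_rules(ordered: List[Rule], override_point: int, local: List[Rule]) -> List[Rule]:
    """4.1.1: local rules go immediately before the first rule whose priority is
    less than or equal to the override point; their own priorities order them
    only relative to each other."""
    local_sorted = sorted(local, key=lambda r: r.priority, reverse=True)
    cut = next((i for i, r in enumerate(ordered) if r.priority <= override_point), len(ordered))
    return ordered[:cut] + local_sorted + ordered[cut:]


def names(rules: List[Rule]) -> List[str]:
    return [r.name for r in rules]


# Constructed sample: G1 from the text (A 50, B 25, C 15, override point 20),
# nested in a company-wide group G0 at GroupPriority 40, between G0's own
# rules X (100) and Y (10).
G1 = Group("G1", rules=[Rule("A", 50), Rule("B", 25), Rule("C", 15)])
G0 = Group("G0", rules=[Rule("X", 100), Rule("Y", 10)], nested=[(40, G1)])
LOCAL = [Rule("D", 2), Rule("E", 1)]
```

   With this input, flatten(G0) yields X, A, B, C, Y, and inserting the
   local rules into G1 at override point 20 yields A, B, D, E, C, the
   order given in 4.1.1. Rejecting a GroupPriority that collides with an
   existing rule priority is what keeps the merged list unambiguous, which
   is the property 4.2 asks for.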
4.6. The Association Class IPsecPolicyForEndpoint
The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
a specific network interface. If an IPProtocolEndpoint of a system
does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
then the IPsecPolicyForSystem associated IPsecPolicyGroup is used
for that endpoint. The class definition for IPsecPolicyForEndpoint
is as follows:
NAME IPsecPolicyForEndpoint
DESCRIPTION Associates a policy group to a network interface.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]]
Dependent[ref IPsecPolicyGroup[0..1]]
4.6.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to an IPProtocolEndpoint instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may be
associated with zero or more IPProtocolEndpoint instances.
4.6.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IPsecPolicyGroup instance. The [0..1]
cardinality indicates that an IPProtocolEndpoint instance may have
an association to at most one IPsecPolicyGroup instance.
4.7. The Association Class IPsecPolicyForSystem
The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a
specific system. If an IPProtocolEndpoint of a system does not have
an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
IPsecPolicyForSystem associated IPsecPolicyGroup is used for that
endpoint. The class definition for IPsecPolicyForSystem is as
follows:
NAME IPsecPolicyForSystem
DESCRIPTION Default policy group for a system.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent[ref System[0..n]]
Dependent[ref IPsecPolicyGroup[0..1]]
4.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [0..n] cardinality
indicates that an IPsecPolicyGroup instance may have an association
to zero or more System instances.
4.7.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IPsecPolicyGroup instance. The [0..1]
cardinality indicates that a System instance may have an association
to at most one IPsecPolicyGroup instance.
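   The resolution rule stated in section 4 and repeated in 4.6 and 4.7
   (an interface's own IPsecPolicyGroup if one is bound through
   IPsecPolicyForEndpoint, otherwise the hosting System's group through
   IPsecPolicyForSystem), written as an added example that is not part of
   the draft. The store enforces the Dependent [0..1] cardinality of both
   associations. Which System hosts an IPProtocolEndpoint comes from a
   lookup table assumed here; the draft models that elsewhere.

```python
"""Added example: resolving the effective IPsecPolicyGroup for an interface."""
from typing import Dict, List, Optional


class PolicyBindings:
    """Holds the two Dependency associations and enforces their cardinalities:
    an IPProtocolEndpoint or a System depends on at most one IPsecPolicyGroup
    (Dependent [0..1]); a group may be the policy of many of them
    (Antecedent [0..n])."""

    def __init__(self) -> None:
        self._endpoint_group: Dict[str, str] = {}   # IPsecPolicyForEndpoint
        self._system_group: Dict[str, str] = {}     # IPsecPolicyForSystem
        self._endpoint_system: Dict[str, str] = {}  # assumed: endpoint -> hosting System

    def host_endpoint(self, endpoint: str, system: str) -> None:
        self._endpoint_system[endpoint] = system

    def bind_endpoint(self, endpoint: str, group: str) -> None:
        if endpoint in self._endpoint_group:
            raise ValueError(f"IPsecPolicyForEndpoint: {endpoint} already has a policy group")
        self._endpoint_group[endpoint] = group

    def bind_system(self, system: str, group: str) -> None:
        if system in self._system_group:
            raise ValueError(f"IPsecPolicyForSystem: {system} already has a policy group")
        self._system_group[system] = group

    def effective_group(self, endpoint: str) -> Optional[str]:
        """Endpoint-specific group first; otherwise the hosting System's default;
        None if neither is bound (no IPsec policy applies to that interface)."""
        group = self._endpoint_group.get(endpoint)
        if group is not None:
            return group
        system = self._endpoint_system.get(endpoint)
        if system is None:
            raise LookupError(f"unknown endpoint {endpoint}")
        return self._system_group.get(system)

    def endpoints_of_group(self, group: str) -> List[str]:
        """Antecedent [0..n]: every endpoint using a group, directly or via its System."""
        return sorted(ep for ep in self._endpoint_system if self.effective_group(ep) == group)


def sample_bindings() -> PolicyBindings:
    """Constructed topology: gw1 has eth0 (explicit 'edge' group) and eth1
    (falls back to the system default); gw2 has eth0 with neither binding."""
    b = PolicyBindings()
    b.host_endpoint("gw1:eth0", "gw1")
    b.host_endpoint("gw1:eth1", "gw1")
    b.host_endpoint("gw2:eth0", "gw2")
    b.bind_system("gw1", "corp-default")
    b.bind_endpoint("gw1:eth0", "edge")
    return b
```

   The None result for gw2:eth0 is the case worth checking in a
   deployment: an interface with neither binding has no IPsec policy at
   all, which is different from an interface whose group contains a
   bypass rule.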
4.8. The Aggregation Class RuleForIKENegotiation

   The class RuleForIKENegotiation associates an IKERule with the
   IPsecPolicyGroup that contains it. The class definition for
   RuleForIKENegotiation is as follows:

   NAME          RuleForIKENegotiation
   DESCRIPTION   Associates an IKERule with the IPsecPolicyGroup that
                 contains it.
   DERIVED FROM  PolicyRuleInPolicyGroup (see [PCIM])
   ABSTRACT      FALSE
   PROPERTIES    GroupComponent [ref IPsecPolicyGroup [1..1]]
                 PartComponent [ref IKERule [0..n]]

4.8.1. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyRuleInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance. The [1..1] cardinality indicates that an
   IKERule instance may be contained in one and only one
   IPsecPolicyGroup instance (i.e., IKERules are not shared across
   IPsecPolicyGroups).

4.8.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IKERule instance. The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may contain
   zero or more IKERule instances.

4.9. The Aggregation Class RuleForIPsecNegotiation

   The class RuleForIPsecNegotiation associates an IPsecRule with the
   IPsecPolicyGroup that contains it. The class definition for
   RuleForIPsecNegotiation is as follows:

   NAME          RuleForIPsecNegotiation
   DESCRIPTION   Associates an IPsecRule with the IPsecPolicyGroup that
                 contains it.
   DERIVED FROM  PolicyRuleInPolicyGroup (see [PCIM])
   ABSTRACT      FALSE
   PROPERTIES    GroupComponent [ref IPsecPolicyGroup [1..1]]
                 PartComponent [ref IPsecRule [0..n]]

4.9.1. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyRuleInPolicyGroup and is overridden to refer to an
   IPsecPolicyGroup instance. The [1..1] cardinality indicates that an
   IPsecRule instance may be contained in only one IPsecPolicyGroup
   instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).

4.9.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyRuleInPolicyGroup
   and is overridden to refer to an IPsecRule instance. The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may contain
   zero or more IPsecRule instances.

4.10. The Aggregation Class SAConditionInRule

   The class SAConditionInRule associates an SARule with the
   SACondition instance(s) that trigger it. See [PCIM] for the usage
   of the properties GroupNumber and ConditionNegated. The class
   definition for SAConditionInRule is as follows:

   NAME          SAConditionInRule
   DESCRIPTION   Associates an SARule with the SACondition instance(s)
                 that trigger it.
   DERIVED FROM  PolicyConditionInPolicyRule (see [PCIM])
   ABSTRACT      FALSE
   PROPERTIES    GroupComponent [ref SARule [0..n]]
                 PartComponent [ref SACondition [1..n]]
                 GroupNumber (from PolicyConditionInPolicyRule)
ConditionNegated (from PolicyConditionInPolicyRule) ConditionNegated (from PolicyConditionInPolicyRule)
SequenceNumber
4.8.1. The Reference ContainingRule
The property ContainingRule is inherited from 4.10.1. The Reference GroupComponent
PolicyConditionInPolicyRule and is overridden to contain an object
reference to an SARule that contains one or more SAConditions. The
[0..n] cardinality indicates that an SACondition may be contained in
zero or more SARules.
4.8.2. The Reference ContainedCondition
The property ContainedCondition is inherited from The property GroupComponent is inherited from
PolicyConditionInPolicyRule and is overridden to contain an object PolicyConditionInPolicyRule and is overridden to refer to an SARule
reference to an SACondition that is contained by an SARule. The instance. The [0..n] cardinality indicates that an SACondition
[0..n] cardinality indicates that an SARule may contain zero or more instance may be contained in zero or more SARule instances.
SAConditions.
4.8.3. The Property SequenceNumber 4.10.2. The Reference PartComponent
The property SequenceNumber specifies, for a given rule, the order The property PartComponent is inherited from
in which the SACondition instances will be evaluated. The property PolicyConditionInPolicyRule and is overridden to refer to an
is defined as follows: SACondition instance. The [1..n] cardinality indicates that an
SARule instance MUST contain at least one SACondition instance.
NAME SequenceNumber 4.11. The Aggregation Class SAActionInRule
DESCRIPTION Specifies the evaluation order of the SAConditions.
SYNTAX unsigned 16-bit integer
VALUE Lower valued SAConditions are evaluated first. The
order of evaluation of ContainedConditions with the
same SequenceNumber value is undefined.
4.9. The Aggregation Class SAActionInRule
The SAActionInRule class associates an SARule with its primary The SAActionInRule class associates an SARule with its primary
SAAction. The class definition for SAActionInRule is as follows: SAAction. The class definition for SAActionInRule is as follows:
NAME SAActionInRule NAME SAActionInRule
DESCRIPTION Associates an SARule with its primary SAAction. DESCRIPTION Associates an SARule with its SAAction(s).
DERIVED FROM PolicyActionInPolicyRule (see [PCIM]) DERIVED FROM PolicyActionInPolicyRule (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES ContainingRule [ref SARule [0..n]] PROPERTIES GroupComponent [ref SARule [0..n]]
ContainedAction [ref SAAction [1..1]] PartComponent [ref SAAction [1..n]]
ActionOrder
4.9.1. The Reference ContainingRule
The property ContainingRule is inherited from
PolicyActionInPolicyRule and is overridden to contain an object
reference to an SARule that contains an SAAction. The [0..n]
cardinality indicates that an SAAction may be contained in zero or
more SARules.
4.9.2. The Reference ContainedAction
The property ContainedAction is inherited from 4.11.1. The Reference GroupComponent
PolicyActionInPolicyRule and is overridden to contain an object
reference to an SAAction that is contained by an SARule. The [1..1]
cardinality indicates that an SARule may contain only one SAAction.
4.10. The Aggregation Class FallbackSAActionInRule The property GroupComponent is inherited from
PolicyActionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SAAction
instance may be contained in zero or more SARule instances.
The class FallbackSAActionInRule associates an SARule with its 4.11.2. The Reference PartComponent
ordered set of fallback actions. Fallback actions allow an
administrator to define what action is to be take if the SAAction
referenced by SAActionInRule fails for any reason. The class
definition for FallbackSAActionInRule is as follows:
NAME FallbackSAActionInRule The property PartComponent is inherited from
DESCRIPTION Associates an SARule with the ordered set of fallback PolicyActionInPolicyRule and is overridden to refer to an SAAction
actions that should be attempted/applied in the case of instance. The [1..n] cardinality indicates that an SARule instance
failure of the primary SAAction. MUST contain at least one SAAction instance.
ABSTRACT FALSE
PROPERTIES ContainingRule [ref SARule [0..n]]
ContaintedAction [ref SAAction [0..n]]
SequenceNumber
4.10.1. The Reference ContainingRule 4.11.3. The Property ActionOrder
The property ContainingRule contains an object reference to an The property ActionOrder specifies the relative position of this
SARule that contains one or more fallback SAActions. The [0..n] SAAction in the sequence of actions associated with a PolicyRule.
cardinality indicates that an fallback SAAction may be contained in The ActionOrder MUST be unique so as to provide a deterministic
zero or more SARules. order. In addition, the actions in an SARule are executed as
follows.
4.10.2. The Reference ContainedAction For an initiator, if there is more than one action in the rule, the
additional actions are 'backup' actions in the event that the first
action is not able to be completed successfully. They are tried in
the ActionOrder until the list is exhausted or one completes
successfully. For example, an IKE initiator may have several
IKEActions for the same SACondition. The initiator will try all
IKEActions in the order defined by ActionOrder. I.e. it will
possibly try several phases 1 possibly with different modes (main
mode then aggressive mode) and/or with possibly multiple IKE peers.
The property ContainedAction contains an object reference to a For a responder, there can be more than one action in the rule, this
fallback SAAction that is contained by one or more SARules. The provides alternative actions depending on the received proposals.
[0..n] cardinality indicates that an SARule may contain zero or more For example, the same IKERule may be used to handle aggressive mode
fallback SAActions. and main mode negotiations with different actions. The first
appropriate action in the list of actions is used by the responder.
4.10.3. The Property SequenceNumber The property is defined as follows:
The property SequenceNumber specifies, for a given rule, the order [Need an explanation of what the action order means as it replaces
in which the fallback SAActions should be attempted. Once a the fallback association]
fallback SAAction is successfully applied, then subsequent fallback
SAActions should be ignored. The property is defined as follows:
NAME SequenceNumber NAME ActionOrder
DESCRIPTION Specifies the order of attempted application for the DESCRIPTION Specifies the order of actions.
fallback SAAction.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Lower valued fallback SAActions are attempted first. VALUE Any value between 1 and 2^16-1 inclusive. Lower values
The order of attempt of ContainedActions with the same have higher precedence (i.e., 1 is the highest
SequenceNumber value is undefined. precedence). The merging order of two SAActions with
the same precedence is undefined.
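The evaluation semantics described above (SAConditionInRule with the PCIM GroupNumber/ConditionNegated combination, and SAActionInRule with ActionOrder driving the initiator's backup sequence and the responder's choice of the first appropriate action) are modelled in the following Python example. It is illustrative code written for this page, not part of the draft or of any IPsec implementation; the predicate callables, the `modes` set and the `succeeds` flag on each action are constructed stand-ins for real negotiation state, and the sample rule and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class SACondition:
    name: str
    predicate: Callable[[dict], bool]   # constructed stand-in for the real condition test


@dataclass
class SAConditionInRule:
    condition: SACondition
    group_number: int                   # PCIM GroupNumber
    condition_negated: bool = False     # PCIM ConditionNegated


@dataclass
class SAAction:
    name: str
    modes: frozenset                    # constructed: IKE modes this action can serve as responder
    succeeds: bool = True               # constructed: simulated outcome when tried as initiator


@dataclass
class SAActionInRule:
    action: SAAction
    action_order: int                   # 1..2^16-1, unique within the rule, 1 = highest precedence


@dataclass
class SARule:
    name: str
    conditions: List[SAConditionInRule]  # cardinality [1..n]
    actions: List[SAActionInRule]        # cardinality [1..n]
    dnf: bool = True                     # PCIM ConditionListType: DNF (default) or CNF


def conditions_match(rule: SARule, ctx: dict) -> bool:
    """PCIM combination: in DNF, conditions sharing a GroupNumber are ANDed and
    the groups ORed; CNF is the dual.  ConditionNegated flips a single term."""
    if not rule.conditions:
        raise ValueError("an SARule MUST contain at least one SACondition")
    groups: Dict[int, List[bool]] = {}
    for cir in rule.conditions:
        term = cir.condition.predicate(ctx)
        groups.setdefault(cir.group_number, []).append(not term if cir.condition_negated else term)
    if rule.dnf:
        return any(all(terms) for terms in groups.values())
    return all(any(terms) for terms in groups.values())


def actions_in_order(rule: SARule) -> List[SAAction]:
    """Sort by ActionOrder; a duplicate order would make the sequence
    non-deterministic, which the draft rules out (ActionOrder MUST be unique)."""
    orders = [air.action_order for air in rule.actions]
    if not orders:
        raise ValueError("an SARule MUST contain at least one SAAction")
    if len(set(orders)) != len(orders) or min(orders) < 1 or max(orders) > 0xFFFF:
        raise ValueError(f"ActionOrder values in {rule.name} must be unique and within 1..65535")
    return [air.action for air in sorted(rule.actions, key=lambda a: a.action_order)]


def initiate(rule: SARule, ctx: dict) -> Tuple[Optional[str], List[str]]:
    """Initiator: actions after the first are backups, tried in ActionOrder until
    one completes or the list is exhausted.  Returns (completed action or None,
    names of the actions attempted)."""
    attempted: List[str] = []
    if not conditions_match(rule, ctx):
        return None, attempted
    for action in actions_in_order(rule):
        attempted.append(action.name)
        if action.succeeds:
            return action.name, attempted
    return None, attempted


def respond(rule: SARule, ctx: dict, received_mode: str) -> Optional[str]:
    """Responder: the first action in ActionOrder that is appropriate for the
    received proposal (modelled here as 'can serve the proposed IKE mode')."""
    if not conditions_match(rule, ctx):
        return None
    for action in actions_in_order(rule):
        if received_mode in action.modes:
            return action.name
    return None


def build_sample_rule() -> SARule:
    """Constructed rule: peers in 10.1.0.0/16 that are not in the 10.1.99.0/24 lab
    range, OR any manually triggered negotiation; three IKE phase 1 actions."""
    corp = SACondition("corp-peer", lambda c: c.get("peer", "").startswith("10.1."))
    lab = SACondition("lab-peer", lambda c: c.get("peer", "").startswith("10.1.99."))
    manual = SACondition("manual", lambda c: c.get("trigger") == "manual")
    return SARule("ike-to-branch",
        conditions=[SAConditionInRule(corp, 1),
                    SAConditionInRule(lab, 1, condition_negated=True),
                    SAConditionInRule(manual, 2)],
        actions=[SAActionInRule(SAAction("main-mode-gw1", frozenset({"main"}), succeeds=False), 1),
                 SAActionInRule(SAAction("aggressive-mode-gw1", frozenset({"aggressive"})), 2),
                 SAActionInRule(SAAction("main-mode-gw2", frozenset({"main"})), 3)])


if __name__ == "__main__":
    rule = build_sample_rule()
    print(initiate(rule, {"peer": "10.1.5.7"}))          # gw1 main mode fails, backup succeeds
    print(respond(rule, {"peer": "10.1.5.7"}, "main"))   # first action that can serve main mode
```

The uniqueness check in `actions_in_order` is the practical consequence of the "MUST be unique" requirement: without it two actions with the same ActionOrder would be tried in dictionary order, and the backup behaviour an administrator configured would depend on the repository rather than on the policy.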
5. Condition and Filter Classes

The IPsec condition and filter classes are used to build the "if"
part of the IKE and IPsec rules.
[Figure: condition and filter class hierarchy. The box diagrams of
both revisions did not survive extraction and are redrawn here as
indented trees with their association legends; cardinalities are
those shown in the original figures.]

=== draft-ietf-ipsp-config-policy-model-01.txt (left column) ===

   SACondition  *  o----(a)----  0..1  FilterList
   FilterList   1  x----(b)----  *     [FilterEntryBase]

   [FilterEntryBase]
     [IPFilterEntry]
       [EndpointFilterEntry]
         FQDNFilterEntry
         IPv4AddressFilterEntry    IPv6AddressFilterEntry
         IPv4RangeFilterEntry      IPv6RangeFilterEntry
         IPv4SubnetFilterEntry     IPv6SubnetFilterEntry
       ProtocolFilterEntry
         UDPFilterEntry
         TCPFilterEntry
     [IPSOFilterEntry]
       ClassificationLevelFilterEntry
       ProtectionAuthorityFilterEntry
     CredentialFilterEntry

   (a) FilterOfSACondition
   (b) EntriesInFilterList

=== draft-ietf-ipsp-config-policy-model-02.txt (right column) ===

   SACondition  *  -----(a)----  1  FilterList (Appendix C)
   FilterList   1  o----(c)----  *  FilterEntryBase (Appendix C)
   SACondition  *  -----(b)----  *  CredentialManagementService (Appendix B)

   FilterEntryBase (Appendix C)
     FilterEntry (Appendix C)
     CredentialFilterEntry
     IPSOFilterEntry
     PeerIDPayloadFilterEntry

   (a) FilterOfSACondition
   (b) AcceptCredentialsFrom
   (c) EntriesInFilterList (see Appendix C)
=== draft-ietf-ipsp-config-policy-model-02.txt (right column) ===

5.1. The Class SACondition

The class SACondition defines the conditions of rules for IKE and
IPsec negotiations. Conditions are associated with policy rules via
the SAConditionInRule aggregation. It is used as an anchor point to
associate various types of filters with policy rules via the
FilterOfSACondition association. It also defines whether Credentials
can be accepted for a particular policy rule via the
AcceptCredentialsFrom association.

Associated objects represent components of the condition that may or
may not apply at a given rule evaluation. For example, an
AcceptCredentialsFrom evaluation is only performed when a credential
is available to be evaluated against the list of trusted credential
management services. Similarly, a PeerIDPayloadFilterEntry may only
be evaluated when an IDPayload value is available to be compared
with the filter. Condition components that do not have corresponding
values with which to evaluate are evaluated as TRUE unless the
protocol has completed without providing the required information.

The class definition for SACondition is as follows:

   NAME          SACondition
   DESCRIPTION   Defines the preconditions for IKE and IPsec
                 negotiations.
   DERIVED FROM  PolicyCondition (see [PCIM])
   ABSTRACT      FALSE
   PROPERTIES    PolicyConditionName (from PolicyCondition)

=== draft-ietf-ipsp-config-policy-model-01.txt (left column) ===

5.1. The Class SACondition

The class SACondition defines the preconditions for IKE and IPsec
negotiations. The class definition for SACondition is as follows:

   NAME          SACondition
   DESCRIPTION   Defines the preconditions for IKE and IPsec
                 negotiations.
   DERIVED FROM  PolicyCondition (see [PCIM])
   ABSTRACT      FALSE
   PROPERTIES    PolicyConditionName (from PolicyCondition)
                 StartupCondition

5.1.1. The Property StartupCondition
This property specifies the triggering event that caused the rule
evaluation. The property is defined as follows:
NAME StartupCondition
DESCRIPTION Specifies the triggering event that causes the rule to
be evaluated.
SYNTAX unsigned 16-bit integer
VALUE 1 (OnBoot) - the rule is triggered after system boot.
The FilterList associated with the SACondition contains
the information that will be used to build the
selectors.
2 (OnManual) - the rule is triggered manually in
response to user input. The FilterList associated with
the SACondition contains the information that will be
used to build the selectors.
3 (OnDataTraffic) - the rule is triggered when packets
without associated security associations are sent or
received (traffic directionality is indicated by the
Direction field of the associated FilterList).
4 (OnIKEMessage) - the rule is triggered when an
incoming request for IKE negotiation is received.
5.2. The Class FilterList
The class FilterList aggregates an ANDed set of filters that are
used for determining when an SACondition evaluates to true and
therefore its associated SAAction should be performed. The class
definition for FilterList is as follows:
NAME FilterList
DESCRIPTION Aggregates a set of filters for condition matching.
ABSTRACT FALSE
PROPERTIES Name
Direction
5.2.1. The Property Name
This property specifies a user-friendly name for the FilterList.
The property is defined as follows:
NAME Name
DESCRIPTION Specifies the user-friendly name for the FilterList.
SYNTAX string
5.2.2. The Property Direction
This property specifies whether the FilterList will be used on
incoming, outgoing, or bi-directional traffic. Direction is only
useful for filter types that inspect traffic parameters and when the
StartupCondition property in the SACondition is set to OnDataTraffic
(3). The property is defined as follows:
NAME Direction
DESCRIPTION Specifies what kind of traffic will be checked -
incoming, outgoing, or bi-directional.
SYNTAX unsigned 16-bit integer
VALUE 1 - Incoming
2 - Outgoing
3 - Bi-directional
5.3. The Abstract Class FilterEntryBase
The abstract class FilterEntryBase serves as the base class for the
specific filter class. The class definition for FilterEntryBase is
as follows:
NAME FilterEntryBase
DESCRIPTION Serves as the base class for specific filter classes.
ABSTRACT TRUE
PROPERTIES Name
IsNegated
5.3.1. The Property Name
This property specifies a user-friendly name for the filter. The
property is defined as follows:
NAME Name
DESCRIPTION Specifies the user-friendly name for the filter.
SYNTAX string
5.3.2. The Property IsNegated
This property specifies whether or not the boolean result of the
filter evaluation should be negated. The property is defined as
follows:
NAME IsNegated
DESCRIPTION Specifies whether or not to negate the result of the
evaluation of the filter.
SYNTAX boolean
VALUE A value of true means that the boolean result of the
filter evaluation will be negated. A value of false means
that the boolean result of the evaluation of the filter
will not be altered.
5.4. The Abstract Class IPFilterEntry
The abstract class IPFilterEntry serves as a base class for filter
entries which are used to match against the 5-tuple (i.e., source
and destination address, protocol, and source and destination port)
information in the IP packet. The class definition for
IPFilterEntry is as follows:
NAME IPFilterEntry
DESCRIPTION Serves as the base class for IP 5-tuple filters.
DERIVED FROM FilterEntryBase
ABSTRACT TRUE
5.5. The Abstract Class EndpointFilterEntry
The abstract class EndpointFilterEntry serves as a base class for
filters which match against IP addresses (source or destination).
The class definition for EndpointFilterEntry is as follows:
NAME EndpointFilterEntry
DESCRIPTION Serves as the base class for filters which match
against IP addresses.
DERIVED FROM IPFilterEntry
ABSTRACT TRUE
PROPERTIES ApplyToDestination
5.5.1. The Property ApplyToDestination
This property specifies whether the address to test against is the
source or the destination IP address. The property is defined as
follows:
NAME ApplyToDestination
DESCRIPTION Specifies which IP address to test, source or
destination.
SYNTAX boolean
VALUE A value of true means that the destination IP address
should be tested against. A value of false means that
the source IP address should be tested against.
5.6. The Class IPv4AddressFilterEntry
The class IPv4AddressFilterEntry specifies a filter that will match
against a single IPv4 address. The class definition for
IPv4AddressFilterEntry is as follows:
NAME IPv4AddressFilterEntry
DESCRIPTION Defines the match filter for an IPv4 address.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES Address
5.6.1. The Property Address
This property specifies the IPv4 address that will be used in the
equality test. The property is defined as follows:
NAME Address
DESCRIPTION Specifies the IPv4 address to match against.
SYNTAX unsigned 32-bit integer
5.7. The Class IPv4RangeFilterEntry
The class IPv4RangeFilterEntry specifies a filter for testing if an
IPv4 address is between the start address and end address
inclusively. The class definition for IPv4RangeFilterEntry is as
follows:
NAME IPv4RangeFilterEntry
DESCRIPTION Defines the match filter for an IPv4 address range.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES StartAddress
EndAddress
5.7.1. The Property StartAddress
This property specifies the first IPv4 address in the address range.
The property is defined as follows:
NAME StartAddress
DESCRIPTION Specifies the start of the IPv4 address range.
SYNTAX unsigned 32-bit integer
5.7.2. The Property EndAddress
This property specifies the last IPv4 address in the address range.
The property is defined as follows:
NAME EndAddress
DESCRIPTION Specifies the end of the IPv4 address range.
SYNTAX unsigned 32-bit integer
VALUE EndAddress must be greater than or equal to
StartAddress.
5.8. The Class IPv4SubnetFilterEntry
The class IPv4SubnetFilterEntry specifies a filter for testing if an
IPv4 address is in the specified subnet. The class definition for
IPv4SubnetFilterEntry is as follows:
NAME IPv4SubnetFilterEntry
DESCRIPTION Defines the match filter for an IPv4 subnet.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES Address
Mask
5.8.1. The Property Address
This property specifies the IPv4 subnet. The property is defined as
follows:
NAME Address
DESCRIPTION Specifies the IPv4 subnet.
SYNTAX unsigned 32-bit integer
5.8.2. The Property Mask
This property specifies the IPv4 mask. The property is defined as
follows:
NAME Mask
DESCRIPTION Specifies the IPv4 mask.
SYNTAX unsigned 32-bit integer
VALUE A special value of 0.0.0.0, coupled with an Address
value of 0.0.0.0 can be used to specify all addresses.
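The -01 filter classes above (FilterList with its Direction and ANDed entries, the IsNegated flag of FilterEntryBase, ApplyToDestination on EndpointFilterEntry, and the IPv4 range and subnet entries including the 0.0.0.0/0.0.0.0 "all addresses" convention) can be put together into a small 5-tuple matcher. The Python below is an added example written for this page, not the draft's or any implementation's code. It goes slightly beyond this point in the text by also covering ProtocolFilterEntry and the UDP/TCP port-range entries that -01 defines further on (sections 5.13 to 5.15); the `Packet` record, the sample addresses, and the choice to test a port range against the destination port are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

INCOMING, OUTGOING, BIDIRECTIONAL = 1, 2, 3      # FilterList.Direction values


def ip2int(dotted: str) -> int:
    """Addresses and masks are unsigned 32-bit integers in the model."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass
class Packet:                  # constructed 5-tuple summary, not part of the model
    src: str
    dst: str
    protocol: int
    src_port: int
    dst_port: int
    direction: int             # INCOMING or OUTGOING as seen by this host


class FilterEntryBase:
    def __init__(self, name: str, is_negated: bool = False):
        self.name, self.is_negated = name, is_negated

    def _test(self, pkt: Packet) -> bool:
        raise NotImplementedError

    def matches(self, pkt: Packet) -> bool:
        result = self._test(pkt)
        return (not result) if self.is_negated else result     # IsNegated


class EndpointFilterEntry(FilterEntryBase):
    def __init__(self, name, apply_to_destination: bool, is_negated=False):
        super().__init__(name, is_negated)
        self.apply_to_destination = apply_to_destination        # ApplyToDestination

    def tested_address(self, pkt: Packet) -> int:
        return ip2int(pkt.dst if self.apply_to_destination else pkt.src)


class IPv4RangeFilterEntry(EndpointFilterEntry):
    def __init__(self, name, apply_to_destination, start: str, end: str, is_negated=False):
        super().__init__(name, apply_to_destination, is_negated)
        self.start, self.end = ip2int(start), ip2int(end)
        if self.end < self.start:
            raise ValueError("EndAddress must be greater than or equal to StartAddress")

    def _test(self, pkt):
        return self.start <= self.tested_address(pkt) <= self.end   # inclusive range


class IPv4SubnetFilterEntry(EndpointFilterEntry):
    def __init__(self, name, apply_to_destination, address: str, mask: str, is_negated=False):
        super().__init__(name, apply_to_destination, is_negated)
        self.address, self.mask = ip2int(address), ip2int(mask)

    def _test(self, pkt):   # Address 0.0.0.0 with Mask 0.0.0.0 therefore matches everything
        return (self.tested_address(pkt) & self.mask) == (self.address & self.mask)


class ProtocolFilterEntry(FilterEntryBase):
    def __init__(self, name, protocol: int, is_negated=False):
        super().__init__(name, is_negated)
        self.protocol = protocol          # 0 matches any protocol

    def _test(self, pkt):
        return self.protocol == 0 or pkt.protocol == self.protocol


class PortRangeFilterEntry(ProtocolFilterEntry):
    """Body shared by UDPFilterEntry (Protocol 17) and TCPFilterEntry (Protocol 6).
    Assumption of this example: the range is tested against the destination port."""
    def __init__(self, name, protocol, start_port: int, end_port: int, is_negated=False):
        super().__init__(name, protocol, is_negated)
        if end_port < start_port:
            raise ValueError("EndPort must be greater than or equal to StartPort")
        self.start_port, self.end_port = start_port, end_port

    def _test(self, pkt):
        return super()._test(pkt) and self.start_port <= pkt.dst_port <= self.end_port


class FilterList:
    """ANDed set of filter entries, consulted only for traffic in Direction."""
    def __init__(self, name: str, direction: int, entries: List[FilterEntryBase]):
        self.name, self.direction, self.entries = name, direction, entries

    def matches(self, pkt: Packet) -> bool:
        if self.direction != BIDIRECTIONAL and pkt.direction != self.direction:
            return False
        return all(entry.matches(pkt) for entry in self.entries)


# Constructed sample: outbound HTTPS to the 10.1.0.0/16 hub, except from the
# 192.168.1.100-200 guest range (expressed as a negated range entry).
HUB_HTTPS = FilterList("hub-https", OUTGOING, [
    IPv4SubnetFilterEntry("to-hub", True, "10.1.0.0", "255.255.0.0"),
    IPv4RangeFilterEntry("not-guest", False, "192.168.1.100", "192.168.1.200", is_negated=True),
    PortRangeFilterEntry("https", 6, 443, 443),            # i.e. a TCPFilterEntry
])
ANY_TRAFFIC = FilterList("catch-all", BIDIRECTIONAL, [
    IPv4SubnetFilterEntry("any-addr", True, "0.0.0.0", "0.0.0.0"),
    ProtocolFilterEntry("any-proto", 0),
])
```

The constructor checks enforce the VALUE constraints the draft states in prose (EndAddress >= StartAddress, EndPort >= StartPort) at the point where a policy object is built, which is where a mis-ordered range should be rejected rather than silently matching nothing.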
5.9. The Class IPv6AddressFilterEntry
The class IPv6AddressFilterEntry specifies a filter that will match
against a single IPv6 address. The class definition for
IPv6AddressFilterEntry is as follows:
NAME IPv6AddressFilterEntry
DESCRIPTION Defines the match filter for an IPv6 address.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES Address
5.9.1. The Property Address
This property specifies the IPv6 address that will be used in the
equality test. The property is defined as follows:
NAME Address
DESCRIPTION Specifies the IPv6 address to match against.
SYNTAX byte[16]
5.10. The Class IPv6RangeFilterEntry
The class IPv6RangeFilterEntry specifies a filter for testing if an
IPv6 address is between the start address and end address
inclusively. The class definition for IPv6RangeFilterEntry is as
follows:
NAME IPv6RangeFilterEntry
DESCRIPTION Defines the match filter for an IPv6 address range.
DERIVED FROM EndpointFilterEntry
ABSTRACT FALSE
PROPERTIES StartAddress
EndAddress
5.10.1. The Property StartAddress
=== draft-ietf-ipsp-config-policy-model-01.txt (left column) ===

This property specifies the first IPv6 address in the address range.
The property is defined as follows:

   NAME          StartAddress
   DESCRIPTION   Specifies the start of the IPv6 address range.
   SYNTAX        byte[16]

5.10.2. The Property EndAddress

This property specifies the last IPv6 address in the address range.
The property is defined as follows:

   NAME          EndAddress
   DESCRIPTION   Specifies the end of the IPv6 address range.
   SYNTAX        byte[16]
   VALUE         EndAddress must be greater than or equal to
                 StartAddress.

5.11. The Class IPv6SubnetFilterEntry

The class IPv6SubnetFilterEntry specifies a filter for testing if an
IPv6 address is in the specified subnet. The class definition for
IPv6SubnetFilterEntry is as follows:

   NAME          IPv6SubnetFilterEntry
   DESCRIPTION   Defines the match filter for an IPv6 subnet.
   DERIVED FROM  EndpointFilterEntry
   ABSTRACT      FALSE
   PROPERTIES    Address
                 Mask

5.11.1. The Property Address

This property specifies the IPv6 subnet. The property is defined as
follows:

   NAME          Address
   DESCRIPTION   Specifies the IPv6 subnet.
   SYNTAX        byte[16]

5.11.2. The Property Mask

This property specifies the IPv6 mask. The property is defined as
follows:

   NAME          Mask
   DESCRIPTION   Specifies the IPv6 mask.
   SYNTAX        byte[16]
   VALUE         A special value of 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0,
                 coupled with an Address value of
                 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 can be used to
                 specify all addresses.

5.12. The Class FQDNFilterEntry

The class FQDNFilterEntry specifies a filter for matching against a
single or wild-carded DNS name. The class definition for
FQDNFilterEntry is as follows:

   NAME          FQDNFilterEntry
   DESCRIPTION   Defines the match filter for a DNS name.
   DERIVED FROM  EndpointFilterEntry
   ABSTRACT      FALSE
   PROPERTIES    Name

5.12.1. The Property Name

This property specifies the DNS name to match against. The property
is defined as follows:

   NAME          Name
   DESCRIPTION   Specifies the DNS name.
   SYNTAX        string
   VALUE         The DNS name can be fully qualified (for example,
                 foo.intel.com) or partially qualified (*.intel.com).

5.13. The Class ProtocolFilterEntry

The class ProtocolFilterEntry specifies a filter for testing against
an IP protocol. The class definition for ProtocolFilterEntry is as
follows:

   NAME          ProtocolFilterEntry
   DESCRIPTION   Defines a match filter for IP protocol.
   DERIVED FROM  IPFilterEntry
   ABSTRACT      FALSE
   PROPERTIES    Protocol

5.13.1. The Property Protocol

This property specifies the IP protocol to match against. The
property is defined as follows:

   NAME          Protocol
   DESCRIPTION   Specifies the IP protocol.
   SYNTAX        unsigned 8-bit integer
   VALUE         A value of zero matches against any protocol. Any
                 other value is the IP protocol number.

5.14. The Class UDPFilterEntry

The class UDPFilterEntry specifies a filter for testing if a UDP
port is between the start port and end port inclusively. It is
assumed that the Protocol property from the ProtocolFilterEntry
class will contain the value 17 (i.e., UDP). The class definition
for UDPFilterEntry is as follows:

   NAME          UDPFilterEntry
   DESCRIPTION   Defines the match filter for a UDP port range.
   DERIVED FROM  ProtocolFilterEntry
   ABSTRACT      FALSE
   PROPERTIES    StartPort
                 EndPort

5.14.1. The Property StartPort

This property specifies the first port in the UDP port range. The
property is defined as follows:

   NAME          StartPort
   DESCRIPTION   Specifies the start of the UDP port range.
   SYNTAX        unsigned 16-bit integer

5.14.2. The Property EndPort

This property specifies the last port in the UDP port range. The
property is defined as follows:

   NAME          EndPort
   DESCRIPTION   Specifies the end of the UDP port range.
   SYNTAX        unsigned 16-bit integer
   VALUE         EndPort must be greater than or equal to StartPort.

5.15. The Class TCPFilterEntry

The class TCPFilterEntry specifies a filter for testing if a TCP
port is between the start port and end port inclusively. It is
assumed that the Protocol property from the ProtocolFilterEntry
class will contain the value 6 (i.e., TCP). The class definition
for TCPFilterEntry is as follows:

   NAME          TCPFilterEntry
   DESCRIPTION   Defines the match filter for a TCP port range.
   DERIVED FROM  ProtocolFilterEntry
   ABSTRACT      FALSE
   PROPERTIES    StartPort
                 EndPort

5.15.1. The Property StartPort

This property specifies the first port in the TCP port range. The
property is defined as follows:

   NAME          StartPort
   DESCRIPTION   Specifies the start of the TCP port range.
   SYNTAX        unsigned 16-bit integer

5.15.2. The Property EndPort

This property specifies the last port in the TCP port range. The
property is defined as follows:

   NAME          EndPort
   DESCRIPTION   Specifies the end of the TCP port range.
   SYNTAX        unsigned 16-bit integer
   VALUE         EndPort must be greater than or equal to StartPort.

5.16. The Abstract Class IPSOFilterEntry

The abstract class IPSOFilterEntry serves as a base class for the IP
Security Option (IPSO) filters. The class definition for
IPSOFilterEntry is as follows:

   NAME          IPSOFilterEntry
   DESCRIPTION   Serves as the base class for the IPSO filters.
   DERIVED FROM  FilterEntryBase
   ABSTRACT      TRUE

5.17. The Class ClassificationLevelFilterEntry

The class ClassificationLevelFilterEntry specifies a filter for
matching against the classification level IPSO field type. The
class definition for ClassificationLevelFilterEntry is as follows:

   NAME          ClassificationLevelFilterEntry
   DESCRIPTION   Defines the filter for the IPSO classification level.
   DERIVED FROM  IPSOFilterEntry
   ABSTRACT      FALSE
   PROPERTIES    Level

5.17.1. The Property Level

This property specifies the classification level to match against.
The property is defined as follows:

   NAME          Level
   DESCRIPTION   Specifies the classification level.
   SYNTAX        unsigned 16-bit integer
   VALUE         61 - Top Secret
                 90 - Secret
                 150 - Confidential
                 171 - Unclassified

5.18. The Class ProtectionAuthorityFilterEntry

The class ProtectionAuthorityFilterEntry specifies a filter for
matching against the protection authority IPSO field type. The class
definition for ProtectionAuthorityFilterEntry is as follows:

   NAME          ProtectionAuthorityFilterEntry
   DESCRIPTION   Defines the filter for the IPSO protection authority.
   DERIVED FROM  IPSOFilterEntry
   ABSTRACT      FALSE
   PROPERTIES    Authority

5.18.1. The Property Authority

This property specifies the protection authority to match against.
The property is defined as follows:

   NAME          Authority
   DESCRIPTION   Specifies the protection authority.
   SYNTAX        unsigned 16-bit integer
   VALUE         0 - GENSER
                 1 - SIOP-ESI
                 2 - SCI
                 3 - NSA
                 4 - DOE

5.19. The Class CredentialFilterEntry

The class CredentialFilterEntry defines a filter for matching
against credential information that was obtained during the IKE
phase 1 negotiation. This information can be identity information
(such as User FQDN) or information retrieved from credential
information (for example, fields from a certificate). This
information can be used as a form of access control. The class
definition for CredentialFilterEntry is as follows:

   NAME          CredentialFilterEntry
   DESCRIPTION   Defines the filter for matching against IKE phase 1
                 credential/identity information.
   DERIVED FROM  FilterEntryBase

=== draft-ietf-ipsp-config-policy-model-02.txt (right column) ===

5.2. The Class FilterEntry

The class FilterEntry is defined in appendix C with the following
notes:

1) since actions in the IPsec Policy Model are not part of the
   condition side of the rule, the Action property of each
   FilterEntry is ignored and should be set to "FilterOnly".

2) to specify 5-tuple filters that are to apply symmetrically (i.e.,
   matching traffic in both directions of the same flow between the
   two peers), the Direction property of the FilterList should be
   set to "Mirrored".

5.3. The Class CredentialFilterEntry

The class CredentialFilterEntry defines an equivalence class that
matches credentials of IKE peers. Each CredentialFilterEntry
includes a MatchFieldName that is interpreted according to the
CredentialManagementService(s) associated with the SACondition
(AcceptCredentialsFrom).

These credentials can be X.509 certificates, Kerberos tickets, or
other types of credentials obtained during the Phase 1 exchange.

The class definition for CredentialFilterEntry is as follows:

   NAME          CredentialFilterEntry
   DESCRIPTION   Specifies a match filter based on the IKE credentials.
   DERIVED FROM  FilterEntryBase (see Appendix C)
   ABSTRACT      FALSE
   PROPERTIES    Name (from FilterEntryBase)
                 IsNegated (from FilterEntryBase)
                 MatchFieldName
                 MatchFieldValue
                 CredentialType

5.3.1. The Property MatchFieldName

The property MatchFieldName specifies the sub-part of the credential
to match against MatchFieldValue. The property is defined as
follows:

   NAME          MatchFieldName
   DESCRIPTION   Specifies which sub-part of the credential to match.
   SYNTAX        string
   VALUE

5.3.2. The Property MatchFieldValue

The property MatchFieldValue specifies the value to compare with the
MatchFieldName in a credential to determine if the credential
matches this filter entry. The property is defined as follows:

   NAME          MatchFieldValue
   DESCRIPTION   Specifies the value to be matched by the
                 MatchFieldName.
   SYNTAX        string
   VALUE         NB: If the CredentialFilterEntry corresponds to a
                 DistinguishedName, this value in the CIM class is
                 represented by an ordinary string value. However, an
                 implementation must convert this string to a DER-
                 encoded string before matching against the values
                 extracted from credentials at runtime.

5.3.3. The Property CredentialType

The property CredentialType specifies the particular type of
credential that is being matched. The property is defined as
follows:

   NAME          CredentialType
   DESCRIPTION   Defines the type of IKE credentials.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - X.509 Certificate
                 2 - Kerberos Ticket

5.4. The Class IPSOFilterEntry

The class IPSOFilterEntry is used to match traffic based on the IP
Security Options header values (ClassificationLevel and
ProtectionAuthority) as defined in RFC1108. This type of FilterEntry
is used to adjust the IPsec encryption level according to the IPSO
classification of the traffic (e.g., secret, confidential,
restricted, etc.). The class definition for IPSOFilterEntry is as
follows:

   NAME          IPSOFilterEntry
   DESCRIPTION   Specifies a match filter based on IP Security
                 Options.
   DERIVED FROM  FilterEntryBase (see Appendix C)
   ABSTRACT      FALSE
   PROPERTIES    Name (from FilterEntryBase)
                 IsNegated (from FilterEntryBase)
                 MatchConditionType
                 MatchConditionValue

5.4.1. The Property MatchConditionType

The property MatchConditionType specifies the IPSO header field that
will be matched (e.g., traffic classification level or protection
authority). The property is defined as follows:

   NAME          MatchConditionType
   DESCRIPTION   Specifies the IPSO header field to be matched.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - ClassificationLevel
                 2 - ProtectionAuthority

5.4.2. The Property MatchConditionValue

The property MatchConditionValue specifies the value of the IPSO
header field to be matched against. The property is defined as
follows:

   NAME          MatchConditionValue
   DESCRIPTION   Specifies the value of the IPSO header field to be
                 matched against.
   SYNTAX        unsigned 16-bit integer
   VALUE         For ClassificationLevel, the values are:
                 61 - TopSecret
                 90 - Secret
                 150 - Confidential
                 171 - Unclassified
                 For ProtectionAuthority, the values are:
                 0 - GENSER
                 1 - SIOP-ESI
                 2 - SCI
                 3 - NSA
                 4 - DOE

5.5. The Class PeerIDPayloadFilterEntry

The class PeerIDPayloadFilterEntry defines filters used to match ID
payload values from the IKE protocol exchange.
PeerIDPayloadFilterEntry permits the specification of certain ID
payload values such as "*@company.com" or "193.190.125.0/24".
Obviously this filter applies only to IKERules when acting as a
responder. Moreover, this filter can be applied immediately in the
case of aggressive mode but its application is to be delayed in the
case of main mode. The class definition for
PeerIDPayloadFilterEntry is as follows:

   NAME          PeerIDPayloadFilterEntry
   DESCRIPTION   Specifies a match filter based on IKE identity.
   DERIVED FROM  FilterEntryBase (see Appendix C)
   ABSTRACT      FALSE
   PROPERTIES    Name (from FilterEntryBase)
                 IsNegated (from FilterEntryBase)
                 MatchIdentityType
                 MatchIdentityValue

5.5.1. The Property MatchIdentityType

The property MatchIdentityType specifies the type of identity
provided by the peer in the ID payload. The property is defined as
follows:

   NAME          MatchIdentityType
   DESCRIPTION   Specifies the ID payload type.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - IPv4 Address
                 2 - FQDN
                 3 - User FQDN
                 4 - IPv4 Subnet
                 5 - IPv6 Address
                 6 - IPv6 Subnet
                 7 - IPv4 Address Range
                 8 - IPv6 Address Range
                 9 - DER-Encoded ASN.1 X.500 Distinguished Name
                 10 - DER-Encoded ASN.1 X.500 GeneralName
                 11 - Key ID

5.5.2. The Property MatchIdentityValue

The property MatchIdentityValue specifies the filter value for
comparison with the ID payload, e.g., "*@company.com". The property
is defined as follows:

   NAME          MatchIdentityValue
   DESCRIPTION   Specifies the ID payload value.
   SYNTAX        string
   VALUE         NB: The syntax may need to be converted for comparison.
ABSTRACT FALSE If the PeerIDPayloadFilterEntry type is a
PROPERTIES To Be Determined... DistinguishedName, the name in the MatchIdentityValue
property is represented by an ordinary string value,
but this value must be converted into a DER-encoded
string before matching against the values extracted
from IKE ID payloads at runtime. The same applies to
IPv4 & IPv6 addresses.
Wildcards can be used as well as the prefix notation
for IPv4 addresses:
- a MatchIdentityValue of "*@company.com" will match an
ID payload of "JDOE@COMPANY.COM"
- a MatchIdentityValue of "193.190.125.0/24" will match
an ID payload of 193.190.125.10.
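Review bot: the MatchIdentityValue example in 5.5.2 matches "*@company.com" against "JDOE@COMPANY.COM", which implies a case-insensitive comparison, but the VALUE text never states it; suggest saying explicitly which identity types are compared case-insensitively (FQDN and User FQDN, going by the example) and that the comparison is done after the conversion to the runtime form the note describes (DER for distinguished names, binary form for IPv4 and IPv6 addresses). Two smaller points: the sentence in 5.5.1 ends with a stray double quote after "ID payload", and the prefix-notation sentence says "for IPv4 addresses" although MatchIdentityType also lists IPv6 Address and IPv6 Subnet (types 5 and 6), so either allow the prefix form for IPv6 as well or say it is IPv4-only.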
5.6. The Association Class FilterOfSACondition
5.20. The Aggregation Class FilterOfSACondition
The class FilterOfSACondition associates an SACondition with the The class FilterOfSACondition associates an SACondition with the
filter specifications (FilterList) that make up the condition. The filter specifications (FilterList) that make up the condition. The
class definition for FilterOfSACondition is as follows: class definition for FilterOfSACondition is as follows:
NAME FilterOfSACondition NAME FilterOfSACondition
DESCRIPTION Associates a condition with the filter list that make DESCRIPTION Associates a condition with the filter list that make
up the individual condition elements. up the individual condition elements.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref FilterList[0..1]] PROPERTIES Antecedent [ref FilterList[1..1]]
Dependent [ref SACondition [0..n]] Dependent [ref SACondition [0..n]]
5.20.1. The Reference Antecedent 5.6.1. The Reference Antecedent
The property Antecedent contains an object reference to a FilterList
that is contained in one or more SAConditions. The [0..1]
cardinality indicates that an SACondition may have zero or one
FilterList.
5.20.2. The Reference Dependent
The property Dependent contains an object reference to an The property Antecedent is inherited from Dependency and is
SACondition that contains an FilterList. The [0..n] cardinality overridden to refer to a FilterList instance. The [1..1]
indicates that a FilterList may be contained in zero or more cardinality indicates that an SACondition instance MUST be
SAConditions. associated with one and only one FilterList instance.
5.21. The Composition Class EntriesInFilterList 5.6.2. The Reference Dependent
The class EntriesInFilterList associates the individual The property Dependent is inherited from Dependency and is
FilterEntryBases with a FilterList. Together these individual overridden to refer to an SACondition instance. The [0..n]
FilterEntryBases can create complex conditions. The class cardinality indicates that a FilterList instance may be associated
definition for EntriesInFilterList is as follows: with zero or more SAConditions instance.
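Review bot: the Antecedent cardinality in 5.6 changes from [0..1] to [1..1], so every SACondition must now have exactly one FilterList; 5.7 then says that a credential certified by a listed CredentialManagementService with no CredentialFilterEntry counts as matching all credentials from that service, which reads as a condition expressible through the AcceptCredentialFrom association alone. Suggest stating whether such a condition still needs a (possibly empty) FilterList, and what an empty FilterList matches. Also "zero or more SAConditions instance" in 5.6.2 should read "zero or more SACondition instances".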
NAME EntriesInFilterList 5.7. The Association Class AcceptCredentialFrom
DESCRIPTION Associates a FilterList with the set of individual
filters.
ABSTRACT FALSE
PROPERTIES Antecedent [ref FilterEntryBase[0..n]]
Dependent [ref FilterList [1..1]]
EntrySequence
5.21.1. The Reference Antecedent The class AcceptCredentialFrom specifies which credential management
services (e.g., a CertificateAuthority or a Kerberos service) are to
be trusted to certify peer credentials. This is used to validate
that the credential being matched in the CredentialFilterEntry is a
valid credential that has been supplied by an approved
CredentialManagementService. If a CredentialManagementService is
specified and a corresponding CredentialFilterEntry is used, but the
credential supplied by the peer is not certified by that
CredentialManagementService (or one of the
CredentialManagementServices in its trust hierarchy), the
CredentialFilterEntry is deemed not to match. If a credential is
certified by a CredentialManagementService in the
AcceptCredentialsFrom list of services but there is no
CredentialFilterEntry, this is considered equivalent to a
CredentialFilterEntry that matches all credentials from those
services.
The property Antecedent contains an object reference to a The class definition for AcceptCredentialFrom is as follows:
FilterEntryBase that is contained in a FilterList. The [0..n]
cardinality indicates that a FilterList may have zero or more
FilterEntryBases.
5.21.2. The Reference Dependent NAME AcceptCredentialFrom
DESCRIPTION Associates a condition with the credential management
services to be trusted.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref CredentialManagementService[0..n]]
Dependent [ref SACondition[0..n]]
The property Dependent contains an object reference to a FilterList 5.7.1. The Reference Antecedent
that contains zero or more FilterEntryBases. The [1..1] cardinality
indicates that a FilterEntryBase may be contained in one and only
one FilterLists (i.e., FilterEntryBases cannot be shared between
FilterLists).
5.21.3. The Property EntrySequence The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an SACondition instance may be
associated with zero or more CredentialManagementServices instance.
The property EntrySequence specifies, for a given FilterList, the 5.7.2. The Reference Dependent
order in which the filters should be checked. The property is
defined as follows:
NAME EntrySequence The property Dependent is inherited from Dependency and is
DESCRIPTION Specifies the order to check the filters in a overridden to refer to an SACondition instance. The [0..n]
FilterList. cardinality indicates that a CredentialManagementService instance
SYNTAX unsigned 16-bit integer may be associated with zero or more SAConditions instance.
VALUE Lower valued filters are checked first. The order of
checking of FilterEntryBases with the same
EntrySequence value is undefined.
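Review bot: 5.7 refers to CredentialFilterEntry four times, but the new column drops the old 5.19 definition of that class (which was still marked "To Be Determined") without a replacement in the sections shown; either point to where it is now defined or reword 5.7 in terms of PeerIDPayloadFilterEntry, the only identity filter defined here. The prose also calls the list "AcceptCredentialsFrom" once while the class is AcceptCredentialFrom. Since EntriesInFilterList and its EntrySequence rule ("lower valued filters are checked first", same value gives undefined order) leave this section together with the move of FilterEntryBase to Appendix C, confirm that the ordering rule is carried over there, because filter order decides which condition matches first. Finally, "CredentialManagementServices instance" and "SAConditions instance" in 5.7.1 and 5.7.2 should be "... instances".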
6. Action Classes 6. Action Classes
The action classes are used to model the different actions an IPsec The action classes are used to model the different actions an IPsec
device may take when the evaluation of the associated condition device may take when the evaluation of the associated condition
results in a match. results in a match.
+----------+ +----------+
| SAAction | | SAAction |
+----------+ +----------+
^ ^
| |
+-----------+--------------+ +-----------+--------------+
| | | |
+----------------+ +---------------------+* *+----------------+ +---------------------+*
| SAStaticAction | | SANegotiationAction |o-----+ | SAStaticAction | | SANegotiationAction |o-----+
+----------------+ +---------------------+ | +----------------+ +---------------------+ |
^ ^ | ^ ^ |
| | | | | |
| +-----------+-------+ | | +-----------+-------+ |
| | | | | | | |
+-------------------+ | +-------------+ +-----------+ | +-------------------+ | +-------------+ +-----------+ |
| IPsecBypassAction |---+ | IPsecAction | | IKEAction | | | IPsecBypassAction |---+ | IPsecAction | | IKEAction | |
+-------------------+ | +-------------+ +-----------+ | +-------------------+ | +-------------+ +-----------+ |
| ^ | | ^ |
+--------------------+ | | +----------------------+ | +--------------------+ | | +----------------------+ |
| IPsecDiscardAction |---+ +----| IPsecTransportAction | | | IPsecDiscardAction |---+ +----| IPsecTransportAction | |
+--------------------+ | | +----------------------+ | +--------------------+ | | +----------------------+ |
| | | | | |
+-----------------+ | | +-------------------+ | +-----------------+ | | +-------------------+ |
| IKERejectAction |---+ +----| IPsecTunnelAction | | | IKERejectAction |---+ +----| IPsecTunnelAction | |
+-----------------+ | +-------------------+ | +-----------------+ | +-------------------+ |
| | | *| |
+-----------------------+ | +--------------+n | | +--------------+ |
| SAPreconfiguredAction |---+ | [SAProposal] |-------+ | | |
+-----------------------+ +--------------+ (a) +-----------------------+ | | +--------------+n |
| PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+
(a) ContainedProposal +-----------------------+ | +--------------+ (b)
^ |
| | *+-------------+
+---------------------+ +-------| PeerGateway |
| +-------------+
+-----------------------------+ | *w|
| PreconfiguredTransportAction|--+ |(c)
+-----------------------------+ | 1|
| +--------------+
+-----------------------------+ | | System |
| PreconfiguredTransportAction|--+ | (Appendix A) |
+-----------------------------+ +--------------+
*|
| 1..3+---------------+
+-------| [SATransform] |
(d) +---------------+
(a) PeerGatewayForTunnel
(b) ContainedProposal
(c) HostedPeerGatewayInformation
(d) TransformOfPreconfiguredAction
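Review bot: the new class diagram shows "PreconfiguredTransportAction" twice (the two boxes at the bottom left); the second box should be PreconfiguredTunnelAction, which is the class 6.8 defines and the one the PeerGatewayForTunnel association (a) attaches to. The legend letters also change meaning against the old diagram, where (a) was ContainedProposal; make sure the prose of the 6.x sections uses the new letters.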
6.1. The Class SAAction 6.1. The Class SAAction
The class SAAction serves as the base class for IKE and IPsec The class SAAction serves as the base class for IKE and IPsec
actions. Although the class is concrete, it MUST not be actions. Although the class is concrete, it MUST not be
instantiated. The class definition for SAAction is as follows: instantiated. It is used for aggregating different types of actions
to IKE and IPsec rules. The class definition for SAAction is as
follows:
NAME SAAction NAME SAAction
DESCRIPTION The base class for IKE and IPsec actions. DESCRIPTION The base class for IKE and IPsec actions.
DERIVED FROM PolicyAction (see [PCIM]) DERIVED FROM PolicyAction (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyActionName (from PolicyAction) PROPERTIES PolicyActionName (from PolicyAction)
DoActionLogging
DoPacketLogging
6.1.1. The Property DoActionLogging
The property DoActionLogging specifies whether a log message is to
be generated when the action is performed (even if the action
fails). The property is defined as follows:
NAME DoActionLogging
DESCRIPTION Specifies the whether to log when the action is
performed.
SYNTAX boolean
VALUE true - a log message is to be generated when action is
performed.
false - no log message is to be generated when action
is performed.
6.1.2. The Property DoPacketLogging
The property DoPacketLogging specifies whether a log message is to
be generated when the resulting security association is used to
process the packet. If the action successfully executes and results
in the creation of one or several security associations, the value
of DoPacketLogging SHOULD be propagated to an optional field of
SADB. This optional field should be used to decide whether a log
message is to be generated when the SA is used to process a packet.
The property is defined as follows:
NAME DoPacketLogging
DESCRIPTION Specifies the whether to log when the resulting
security association is used to process the packet.
SYNTAX boolean
VALUE true - a log message is to be generated when the
resulting security association is used to process the
packet.
false - no log message is to be generated.
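Review bot: DoPacketLogging (6.1.2) says the value SHOULD be propagated "to an optional field of SADB" without naming the field or saying what happens for actions that create no SA; because the property now sits on SAAction, IPsecDiscardAction and IKERejectAction inherit it although neither produces a security association, so suggest stating that DoPacketLogging is ignored for those classes and that DoActionLogging is the property a discard or reject should set. The DESCRIPTION lines of both 6.1.1 and 6.1.2 read "Specifies the whether to log"; drop "the".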
6.2. The Class SAStaticAction 6.2. The Class SAStaticAction
The class SAStaticAction serves as the base class for IKE and IPsec The class SAStaticAction serves as the base class for IKE and IPsec
actions that do not require any negotation. Although the class is actions that do not require any negotiation. Although the class is
concrete, it MUST not be instantiated. The class definition for concrete, it MUST not be instantiated. The class definition for
SAStaticAction is as follows: SAStaticAction is as follows:
NAME SAStaticAction NAME SAStaticAction
DESCRIPTION The base class for IKE and IPsec actions that do not DESCRIPTION The base class for IKE and IPsec actions that do not
require any negotiation. require any negotiation.
DERIVED FROM SAAction DERIVED FROM SAAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES LifetimeSeconds PROPERTIES LifetimeSeconds
skipping to change at page 31, line 29 skipping to change at page 31, line 36
association derived from this action should be used. The property association derived from this action should be used. The property
is defined as follows: is defined as follows:
NAME LifetimeSeconds NAME LifetimeSeconds
DESCRIPTION Specifies the amount of time (in seconds) that a DESCRIPTION Specifies the amount of time (in seconds) that a
security association derived from this action should be security association derived from this action should be
used. used.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is not a lifetime VALUE A value of zero indicates that there is not a lifetime
associated with this action (i.e., infinite lifetime). associated with this action (i.e., infinite lifetime).
A nono-zero value is typically used in conjunction with A non-zero value is typically used in conjunction with
fallback actions performed when there is a negotiation alternate SAActions performed when there is a
failure of some sort. negotiation failure of some sort.
6.3. The Class IPsecBypassAction 6.3. The Class IPsecBypassAction
The class IPsecBypassAction is used when packets are allowed to be The class IPsecBypassAction is used when packets are allowed to be
processed without applying IPsec to them. This is the same as processed without applying IPsec encapsulation to them. This is the
stating that packets are allowed to flow in the clear. The class same as stating that packets are allowed to flow in the clear. The
definition for IPsecBypassAction is as follows: class definition for IPsecBypassAction is as follows:
NAME IPsecBypassAction NAME IPsecBypassAction
DESCRIPTION Specifies that packets are to be allowed to pass in the DESCRIPTION Specifies that packets are to be allowed to pass in the
clear. clear.
DERIVED FROM SAStaticAction DERIVED FROM SAStaticAction
ABSTRACT FALSE ABSTRACT FALSE
6.4. The Class IPsecDiscardAction 6.4. The Class IPsecDiscardAction
The class IPsecDiscardAction is used when packets are to be The class IPsecDiscardAction is used when packets are to be
discarded. This is the same as stating that packets are to be discarded. This is the same as stating that packets are to be
denied. The class definition for IPsecDiscardAction is as follows: denied. The class definition for IPsecDiscardAction is as follows:
NAME IPsecDiscardAction NAME IPsecDiscardAction
DESCRIPTION Specifies that packets are to be discarded. DESCRIPTION Specifies that packets are to be discarded.
DERIVED FROM SAStaticAction DERIVED FROM SAStaticAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES DoLogging
6.4.1. The Property DoLogging
The property DoLogging specifies whether or not an audit message
should be logged when a packet is discarded. The property is
defined as follows:
NAME DoLogging
DESCRIPTION Specifies if an audit message should be logged when a
packet is discarded.
SYNTAX boolean
VALUE A value of true indicates that logging should be done
for this action. A value of false indicates logging
should not be done for this action.
6.5. The Class IKERejectAction 6.5. The Class IKERejectAction
The class IKERejectAction is used to prevent attempting an IKE The class IKERejectAction is used to prevent attempting an IKE
negotiation with the peer(s). The class definition for negotiation with the peer(s). The main use of this class is to
IKERejectAction is as follows: prevent some denial of service attacks when acting as IKE responder.
It goes beyond a plain discard of UDP/500 IKE packets because the
SACondition can be based on specific PeerIDPayloadFilterEntry (when
aggressive mode is used). The class definition for IKERejectAction
is as follows:
NAME IKERejectAction NAME IKERejectAction
DESCRIPTION Specifies that an IKE negotiation should not even be DESCRIPTION Specifies that an IKE negotiation should not even be
attempted. attempted or continued.
DERIVED FROM SAStaticAction DERIVED FROM SAStaticAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES DoLogging
6.5.1. The Property DoLogging 6.6. The Class PreconfiguredSAAction
The property DoLogging specifies whether or not an audit message The class PreconfiguredSAAction is used to create a security
should be logged when a determination is made to prevent an IKE association using preconfigured, hard-wired algorithms and keys.
negotiation. The property is defined as follows:
NAME DoLogging Notes:
DESCRIPTION Specifies if an audit message should be logged when IKE
negotiation is prohibited.
SYNTAX boolean
VALUE A value of true indicates that logging should be done
for this action. A value of false indicates logging
should not be done for this action.
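Review bot: the IKERejectAction rationale in 6.5 says the reject can be keyed on a PeerIDPayloadFilterEntry "when aggressive mode is used", and 5.5 says that the same filter is delayed in main mode; the DESCRIPTION change to "not even be attempted or continued" covers both cases, but the denial-of-service claim should be qualified: in main mode the identity is only available once the exchange is under way, so a reject based on it stops the negotiation rather than avoiding its cost. Suggest one sentence saying that a responder-side reject before any work is done is only possible for filters that do not depend on the ID payload, or in aggressive mode. The per-class DoLogging removed here and in 6.4 is replaced by DoActionLogging inherited from 6.1.1; a pointer would help, since a reader of 6.4 or 6.5 alone no longer sees any logging control.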
6.6. The Class SAPreconfiguredAction - the SPI for a PreconfiguredSAAction is contained in the
association, TransformOfPreconfiguredAction;
The class SAPreconfiguredAction is used to create a security - the session key (if applicable) is contained in an instance of the
association using preconfigured, hard-wired algorithms and keys. class SharedSecret (see appendix B). The session key is stored in
The class definition for SAPreconfiguredAction is as follows: the property secret, the property protocol contains either "ESP"
or "AH", the property algorithm contains the algorithm used to
protect the secret (can be "PLAINTEXT" if the IPsec entity has no
secret storage), the value of property RemoteID is the
concatenation of the remote IPsec peer IP address in dotted
decimal, of the character "/", and of the hexadecimal
representation of the SPI.
NAME SAPreconfiguredAction Although the class is concrete, it MUST not be instantiated. The
class definition for PreconfiguredSAAction is as follows:
NAME PreconfiguredSAAction
DESCRIPTION Specifies preconfigured algorithm and keying DESCRIPTION Specifies preconfigured algorithm and keying
information for creation of a security association. information for creation of a security association.
DERIVED FROM SAStaticAction DERIVED FROM SAStaticAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES To Be Determined... PROPERTIES LifetimeKilobytes
6.7. The Class SANegotiationAction 6.6.1. The Property LifetimeKilobytes
The property LifetimeKilobytes specifies a traffic limit in
kilobytes that can be consumed before the SA is deleted.. The
property is defined as follows:
NAME LifetimeKilobytes
DESCRIPTION Specifies the SA lifetime in kilobytes.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is not a lifetime
associated with this action (i.e., infinite lifetime).
A non-zero value is used to indicate that after this
amount of kilobytes has been consumed the SA must be
deleted from the SADB.
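Review bot: the SharedSecret note in 6.6 builds RemoteID from "the remote IPsec peer IP address in dotted decimal", which has no IPv6 form although the rest of the model (PeerGatewayAddressType value 2 in 6.8.1) allows IPv6 peers; suggest defining the IPv6 representation too, otherwise the key lookup is ambiguous for IPv6 SAs. The same note allows algorithm "PLAINTEXT" when the entity has no secret storage; since this is a long-lived IPsec session key, suggest a sentence that PLAINTEXT is a last resort and that the secret must then be confined to the entity's protected configuration store. Also "before the SA is deleted.." in 6.6.1 has a doubled full stop, and the class is declared ABSTRACT FALSE while the text says it MUST not be instantiated, the same pattern as SAAction and SAStaticAction; if that is deliberate, say so once rather than in each class.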
6.7. The Class PreconfiguredTransportAction
The class PreconfiguredTransportAction is used to create an IPsec
transport-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for
PreconfiguredTransportAction is as follows:
NAME PreconfiguredTransportAction
DESCRIPTION Specifies preconfigured algorithm and keying
information for creation of an IPsec transport security
association.
DERIVED FROM PreconfiguredSAAction
ABSTRACT FALSE
6.8. The Class PreconfiguredTunnelAction
The class PreconfiguredTunnelAction is used to create an IPsec
tunnel-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for PreconfiguredSAAction
is as follows:
NAME PreconfiguredTunnelAction
DESCRIPTION Specifies preconfigured algorithm and keying
information for creation of an IPsec tunnel-mode
security association.
DERIVED FROM PreconfiguredSAAction
ABSTRACT FALSE
PROPERTIES PeerGatewayAddressType
PeerGatewayAddress
DFHandling
6.8.1. The Property PeerGatewayAddressType
The property PeerGatewayAddressType specifies the format of the
PeerGatewayAddress property. Addresses that can be formatted in
IPv4 format, must be formatted that way to ensure mixed IPv4/IPv6
support. When the tunnel peer is not a security gateway, this
property value is set to 0. The property is defined as follows:
NAME PeerGatewayAddressType
DESCRIPTION Specifies the format of PeerGatewayAddress.
SYNTAX unsigned 16-bit integer
VALUE 0 - unknown
1 - IPv4
2 - IPv6
6.8.2. The Property PeerGatewayAddress
The property PeerGatewayAddress specifies the IP address of the
tunnel peer security gateway formatted according to the appropriate
convention as defined in the PeerGatewayAddressType property of this
class (e.g., 171.79.6.40). When the tunnel peer is not a security
gateway, this property value is set to NULL. The property is
defined as follows:
NAME PeerGatewayAddress
DESCRIPTION Specifies the IP address of the tunnel peer.
SYNTAX string
VALUE When the value is NULL, this is a special meaning: the
IP address of the actual remote IKE entity is the
destination IP address of the IP packet that triggered
the SARule. Else, the value is a string representation
of an IPv4 or IPv6 address.
6.8.3. The Property DFHandling
The property DFHandling specifies how the Don't Fragment bit of the
internal IP header is to be handled during IPsec processing. The
property is defined as follows:
NAME DFHandling
DESCRIPTION Specifies the processing of the DF bit.
SYNTAX unsigned 16-bit integer
VALUE 1 - Copy the DF bit from the internal IP header to the
external IP header.
2 - Set the DF bit of the external IP header to 1.
3 - Clear the DF bit of the external IP header to 0.
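Review bot: 6.8 says "The class definition for PreconfiguredSAAction is as follows" but the definition that follows is PreconfiguredTunnelAction; fix the name. In 6.8.2 the NULL case refers to "the actual remote IKE entity", yet preconfigured actions are SAStaticActions that involve no IKE exchange, so this should be the remote IPsec peer (the packet's destination address, as the sentence goes on to say). 6.8.1 and 6.8.2 express the same "not a security gateway" case twice (type 0 and address NULL); state that both must be set together, or derive one from the other. DFHandling (6.8.3) starts its enumeration at 1 while every other enumeration in the draft starts at 0; not wrong, but 0 should then be listed (as unused or unknown) so that a zero value is not left undefined.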
6.9. The Class SANegotiationAction
The class SANegotiationAction serves as the base class for IKE and The class SANegotiationAction serves as the base class for IKE and
IPsec actions which result in a IKE negotiation. Although the class IPsec actions that result in a IKE negotiation. Although the class
is concrete, is MUST not be instantiated. The class definition for is concrete, is MUST not be instantiated. The class definition for
SANegotiationAction is as follows: SANegotiationAction is as follows:
NAME SANegotiationAction NAME SANegotiationAction
DESCRIPTION A base class for IKE and IPsec actions that specifies DESCRIPTION A base class for IKE and IPsec actions that specifies
the parameters that are common for IKE phase 1 and IKE the parameters that are common for IKE phase 1 and IKE
phase 2 IPsec DOI negotiations. phase 2 IPsec DOI negotiations.
DERIVED FROM SAAction DERIVED FROM SAAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES MinLifetimeSeconds PROPERTIES MinLifetimeSeconds
MinLifetimeKilobytes MinLifetimeKilobytes
RefreshThresholdSeconds RefreshThresholdSeconds
RefreshThresholdKilobytes RefreshThresholdKilobytes
IdleDurationSeconds IdleDurationSeconds
6.7.1. The Property MinLifetimeSeconds 6.9.1. The Property MinLifetimeSeconds
The property MinLifetimeSeconds specifies the minimum seconds The property MinLifetimeSeconds specifies the minimum seconds
lifetime that will be accepted from the peer. MinLifetimeSeconds is lifetime that will be accepted from the peer. MinLifetimeSeconds is
used to prevent certain denial of service attacks where the peer used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations requests an arbitrarily low lifetime value, causing renegotiations
with correspondingly expensive Diffie-Hellman operations. The with correspondingly expensive Diffie-Hellman operations. The
property is defined as follows: property is defined as follows:
NAME MinLifetimeSeconds NAME MinLifetimeSeconds
DESCRIPTION Specifies the minimum acceptable seconds lifetime. DESCRIPTION Specifies the minimum acceptable seconds lifetime.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no minimum VALUE A value of zero indicates that there is no minimum
value. A non-zero value specifies the minimum seconds value. A non-zero value specifies the minimum seconds
lifetime. lifetime.
6.7.2. The Property MinLifetimeKilobytes 6.9.2. The Property MinLifetimeKilobytes
The property MinLifetimeKilobytes specifies the minimum kilobyte The property MinLifetimeKilobytes specifies the minimum kilobytes
lifetime that will be accepted from the peer. MinLifetimeKilobytes lifetime that will be accepted from the peer. MinLifetimeKilobytes
is used to prevent certain denial of service attacks where the peer is used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations requests an arbitrarily low lifetime value, causing renegotiations
with correspondingly expensive Diffie-Hellman operations. The with correspondingly expensive Diffie-Hellman operations. Note that
property is defined as follows: there has been considerable debate regarding the usefulness of
applying kilobyte lifetimes to IKE phase 1 security associations, so
it is likely that this property will only apply to the sub-class
IPsecAction. The property is defined as follows:
NAME MinLifetimeKilobytes NAME MinLifetimeKilobytes
DESCRIPTION Specifies the minimum acceptable kilobyte lifetime. DESCRIPTION Specifies the minimum acceptable kilobytes lifetime.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no minimum VALUE A value of zero indicates that there is no minimum
value. A non-zero value specifies the minimum kilobyte value. A non-zero value specifies the minimum
lifetime. kilobytes lifetime.
6.7.3. The Property RefreshThresholdSeconds 6.9.3. The Property RefreshThresholdSeconds
The property RefreshThresholdSeconds specifies what percentage of The property RefreshThresholdSeconds specifies what percentage of
the seconds lifetime can expire before IKE should attempt to the seconds lifetime can expire before IKE should attempt to
renegotiate the IPsec security association. A random value may be renegotiate the security association. A random value may be added
added to the calculated threshold (percentage x seconds lifetime) to to the calculated threshold (percentage x seconds lifetime) to
reduce the chance of both peers attempting to renegotiate at the reduce the chance of both peers attempting to renegotiate at the
same time. The property is defined as follows: same time. The property is defined as follows:
NAME RefreshThresholdSeconds NAME RefreshThresholdSeconds
DESCRIPTION Specifies the percentage of seconds lifetime that has DESCRIPTION Specifies the percentage of seconds lifetime that has
expired before the IPsec security association is expired before the security association is
renegotiated. renegotiated.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IPsec security value of 100 indicates that the security association
association should not be renegotiated until the should not be renegotiated until the seconds lifetime
seconds lifetime has been reached. has been reached.
6.7.4. The Property RefreshThresholdKilobytes 6.9.4. The Property RefreshThresholdKilobytes
The property RefreshThresholdKilobytes specifies what percentage of The property RefreshThresholdKilobytes specifies what percentage of
the kilobyte lifetime can expire before IKE should attempt to the kilobyte lifetime can expire before IKE should attempt to
renegotiate the IPsec security association. A random value may be renegotiate the IPsec security association. A random value may be
added to the calculated threshold (percentage x kilobyte lifetime) added to the calculated threshold (percentage x kilobyte lifetime)
to reduce the chance of both peers attempting to renegotiate at the to reduce the chance of both peers attempting to renegotiate at the
same time. The property is defined as follows: same time. Note, that as with the property MinLifetimeKilobytes,
this property is probably only relevant to IPsecAction sub-classes.
The property is defined as follows:
NAME RefreshThresholdKilobytes NAME RefreshThresholdKilobytes
DESCRIPTION Specifies the percentage of kilobyte lifetime that has DESCRIPTION Specifies the percentage of kilobyte lifetime that has
expired before the IPsec security association is expired before the IPsec security association is
renegotiated. renegotiated.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IPsec security value of 100 indicates that the IPsec security
association should not be renegotiated until the association should not be renegotiated until the
kilobyte lifetime has been reached. kilobyte lifetime has been reached.
6.7.5. The Property IdleDurationSeconds 6.9.5. The Property IdleDurationSeconds
The property IdleDurationSeconds specifies how many seconds a The property IdleDurationSeconds specifies how many seconds a
security association may remain idle (i.e., no traffic protected security association may remain idle (i.e., no traffic protected
using the security association) before it is deleted. The property using the security association) before it is deleted. The property
is defined as follows: is defined as follows:
NAME IdleDurationSeconds NAME IdleDurationSeconds
DESCRIPTION Specifies how long, in seconds, a security association DESCRIPTION Specifies how long, in seconds, a security association
may remain unused before it is deleted. may remain unused before it is deleted.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that idle detection should VALUE A value of zero indicates that idle detection should
not be used for the security association. Any non-zero not be used for the security association (only the
value indicates the number of seconds the security seconds and kilobyte lifetimes will be used). Any non-
zero value indicates the number of seconds the security
association may remain unused. association may remain unused.
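Review bot: RefreshThresholdSeconds and RefreshThresholdKilobytes (6.9.3, 6.9.4) say a random value "may be added to the calculated threshold (percentage x lifetime)"; with a threshold of 100 that pushes the refresh past the lifetime, so the jitter should be subtracted, or the sum capped at the lifetime, and the text should say which. 6.9 still reads "is MUST not be instantiated" in both columns ("it MUST not"). The caveat in 6.9.2 and 6.9.4 that kilobyte lifetimes probably apply only to IPsecAction would be cleaner as a move of MinLifetimeKilobytes and RefreshThresholdKilobytes to IPsecAction (6.10), since as base-class properties IKEAction inherits them as well.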
6.8. The Class IPsecAction 6.10. The Class IPsecAction
The class IPsecAction serves as the base class for IPsec transport The class IPsecAction serves as the base class for IPsec transport
and tunnel actions. It specifies the parameters used for an IKE and tunnel actions. It specifies the parameters used for an IKE
phase 2 IPsec DOI negotiation. Although the class is concrete, is phase 2 IPsec DOI negotiation. Although the class is concrete, is
MUST not be instantiated. The class definition for IPsecAction is MUST not be instantiated. The class definition for IPsecAction is
as follows: as follows:
NAME IPsecAction NAME IPsecAction
DESCRIPTION A base class for IPsec transport and tunnel actions DESCRIPTION A base class for IPsec transport and tunnel actions
that specifies the parameters for IKE phase 2 IPsec DOI that specifies the parameters for IKE phase 2 IPsec DOI
negotiations. negotiations.
DERIVED FROM SANegotiationAction DERIVED FROM SANegotiationAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES UsePFS PROPERTIES UsePFS
UseIKEGroup UseIKEGroup
GroupId GroupId
Granularity Granularity
VendorID
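Review bot: "Although the class is concrete, is MUST not be instantiated" (first paragraph of 6.10, unchanged from -01) should read "it MUST NOT be instantiated", in the RFC 2119 form used elsewhere in the section (6.16.2 uses "MUST"); as written the sentence is ungrammatical and the lowercase "not" reads as non-normative. Since 7.1 takes the other route and declares SAProposal ABSTRACT TRUE, a sentence saying why IPsecAction is concrete but not instantiable would also help implementers decide how to map the class.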
6.8.1. The Property UsePFS 6.10.1. The Property UsePFS
The property UsePFS specifies whether or not perfect forward secrecy The property UsePFS specifies whether or not perfect forward secrecy
should be used when refreshing keys. The property is defined as should be used when refreshing keys. The property is defined as
follows: follows:
NAME UsePFS NAME UsePFS
DESCRIPTION Specifies the whether or not to use PFS. DESCRIPTION Specifies the whether or not to use PFS when refreshing
keys.
SYNTAX boolean SYNTAX boolean
VALUE A value of true indicates that PFS should be used. A VALUE A value of true indicates that PFS should be used. A
value of false indicates that PFS should not be used. value of false indicates that PFS should not be used.
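Review bot: the DESCRIPTION of UsePFS reads "Specifies the whether or not to use PFS when refreshing keys"; drop the stray "the".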
6.8.2. The Property UseIKEGroup 6.10.2. The Property UseIKEGroup
The property UseIKEGroup specifies whether or not phase 2 should use The property UseIKEGroup specifies whether or not phase 2 should use
the same Diffie-Hellman as was used in phase 1. UseIKEGroup is the same key exchange group as was used in phase 1. UseIKEGroup is
ignored if UsePFS is false. The property is defined as follows: ignored if UsePFS is false. The property is defined as follows:
NAME UseIKEGroup NAME UseIKEGroup
DESCRIPTION Specifies whether or not to use the same GroupId for DESCRIPTION Specifies whether or not to use the same GroupId for
phase 2 as was used in phase 1. If UsePFS is false, phase 2 as was used in phase 1. If UsePFS is false,
then UseIKEGroup is ignored. then UseIKEGroup is ignored.
SYNTAX boolean SYNTAX boolean
VALUE A value of true indicates that the phase 2 GroupId VALUE A value of true indicates that the phase 2 GroupId
should be the same as phase 1. A value of false should be the same as phase 1. A value of false
indicates that the property GroupId will contain the indicates that the property GroupId will contain the
Diffie-Hellman group to use for phase 2. key exchange group to use for phase 2.
6.8.3. The Property GroupId 6.10.3. The Property GroupId
The property GroupId specifies the Diffie-Hellman group to use for
The property GroupId specifies the key exchange group to use for
phase 2. GroupId is ignored if (1) the property UsePFS is false, or phase 2. GroupId is ignored if (1) the property UsePFS is false, or
(2) the property UsePFS is true and the property UseIKEGroup is (2) the property UsePFS is true and the property UseIKEGroup is
true. The property is defined as follows: true. If the GroupID number is from the vendor-specific range
(32768-65535), the property VendorID qualifies the group number.
The property is defined as follows:
NAME GroupId NAME GroupId
DESCRIPTION Specifies the Diffie-Hellman group to use for phase 2 DESCRIPTION Specifies the key exchange group to use for phase 2
when the property UsePFS is true and the property when the property UsePFS is true and the property
UseIKEGroup is false. UseIKEGroup is false.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - 768-bit MODP group VALUE Consult [IKE] for valid values.
2 - 1024-bit MODP group
3 - EC2N group on GP[2^155]
4 - EC2N group on GP[2^185]
5 - 1536-bit MODP group
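Review bot: the new sentence on the vendor-specific range writes the property as "GroupID" while the NAME line is "GroupId"; one spelling should be used throughout (the same mismatch appears in 6.10.5 and 7.2.5). Replacing the enumerated group list with "Consult [IKE] for valid values" also moves the only numeric statement, the 32768-65535 range that requires VendorID, out of the VALUE clause into the prose; repeating that range in VALUE would let a reader of the property table alone know which numbers are incomplete without VendorID.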
6.8.4. The Property Granularity 6.10.4. The Property Granularity
The property Granularity specifies whether the proposed selector for The property Granularity specifies how the selector for the security
the security association should be derived from the traffic that association should be derived from the traffic that triggered the
triggered the negotiation (Narrow) or from the FilterList of the negotiation. The property is defined as follows:
Condition(s) that matched the rule (Wide). The property is defined
as follows:
NAME Granularity NAME Granularity
DESCRIPTION Specifies the how the proposed selector for the DESCRIPTION Specifies the how the proposed selector for the
security association will be created. security association will be created.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - The selector is created by using the FilterList VALUE 1 - subnet: the source and destination subnet masks of
information from the condition that matched the traffic the FilterEntry are used.
parameters. This is called a Wide selector as it could 2 - address: only the source and destination IP
for instance contain a IP subnet or range. addresses of the triggering packet are used.
2 - The selector is created by using the traffic 3 - protocol: the source and destination IP addresses
parameters (i.e., the 5-tuple of the traffic). This is and the IP protocol of the triggering packet are used.
called a Narrow selector. 4 - port: the source and destination IP addresses and
the IP protocol and the source and destination layer 4
ports of the triggering packet are used.
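Review bot: the DESCRIPTION still says "Specifies the how the proposed selector"; drop "the". In the new VALUE clause, value 1 ("the source and destination subnet masks of the FilterEntry are used") does not say which addresses the masks are applied to: the triggering packet's addresses, masked, or the FilterEntry's own address fields. Values 2 to 4 name the triggering packet explicitly, so value 1 should too. The selector chosen here becomes the traffic scope of the negotiated SA, so the wider reading lets one SA's keys protect more traffic than the narrower one; the text should resolve the ambiguity rather than leave it to implementations.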
6.9. The Class IPsecTransportAction 6.10.5. The Property VendorID
The property VendorID is used together with the property GroupID
(when it is in the vendor-specific range) to identify the key
exchange group. VendorID is ignored unless UsePFS is true and
UseIKEGroup is false and GroupID is in the vendor-specific range
(32768-65535). The property is defined as follows:
NAME VendorID
DESCRIPTION Specifies the IKE Vendor ID.
SYNTAX string
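Review bot: VendorID on IPsecAction has no VALUE clause, while the VendorID of IKEAction (6.13.4) defines NULL versus non-NULL; either reference that definition or repeat it here, and say whether the string is the raw Vendor ID payload value or an encoding of it. "GroupID" in this subsection should also match the NAME "GroupId" given in 6.10.3.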
6.11. The Class IPsecTransportAction
The class IPsecTransportAction is a subclass of IPsecAction that is The class IPsecTransportAction is a subclass of IPsecAction that is
used to specify use of an IPsec transport mode security association. used to specify use of an IPsec transport-mode security association.
The class definition for IPsecTransportAction is as follows: The class definition for IPsecTransportAction is as follows:
NAME IPsecTransportAction NAME IPsecTransportAction
DESCRIPTION Specifies that an IPsec transport mode security DESCRIPTION Specifies that an IPsec transport-mode security
association should be negotiated. association should be negotiated.
DERIVED FROM IPsecAction DERIVED FROM IPsecAction
ABSTRACT FALSE ABSTRACT FALSE
6.10. The Class IPsecTunnelAction 6.12. The Class IPsecTunnelAction
The class IPsecTunnelAction is a subclass of IPsecAction that is The class IPsecTunnelAction is a subclass of IPsecAction that is
used to specify use of an IPsec tunnel mode security association. used to specify use of an IPsec tunnel-mode security association.
The class definition for IPsecTunnelAction is as follows: The class definition for IPsecTunnelAction is as follows:
NAME IPsecTunnelAction NAME IPsecTunnelAction
DESCRIPTION Specifies that an IPsec tunnel mode security DESCRIPTION Specifies that an IPsec tunnel-mode security
association should be negotiated. association should be negotiated.
DERIVED FROM IPsecAction DERIVED FROM IPsecAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PeerGateway PROPERTIES DFHandling
DFHandling
6.10.1. The Property PeerGateway
The property PeerGateway specifies the IP address or DNS name of the
peer gateway. The property is defined as follows:
NAME PeerGateway
DESCRIPTION Specifies peer gateway's IP address or DNS name.
SYNTAX string
VALUE Either (1) IPv4 address in dotted quad format, (2) IPv6
address in ... format, or (3) a DNS name.
6.10.2. The Property DFHandling 6.12.1. The Property DFHandling
The property DFHandling specifies how the Don't Fragment (DF) bit The property DFHandling specifies how the tunnel should manage the
should be managed by the tunnel. The property is defined as Don't Fragment (DF) bit. The property is defined as follows:
follows:
NAME DFHandling NAME DFHandling
DESCRIPTION Specifies the DF bit is managed by the tunnel. DESCRIPTION Specifies how to process the DF bit.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - DF bit is copied. VALUE 1 - Copy the DF bit from the internal IP header to the
2 - DF bit is set. external IP header.
3 - DF bit is cleared. 2 - Set the DF bit of the external IP header to 1.
3 - Clear the DF bit of the external IP header to 0.
6.11. The Class IKEAction 6.13. The Class IKEAction
The class IKEAction specifies the parameters that are to be used for The class IKEAction specifies the parameters that are to be used for
IKE phase 1 negotiation. The class definition for IKEAction is as IKE phase 1 negotiation. The class definition for IKEAction is as
follows: follows:
NAME IKEAction NAME IKEAction
DESCRIPTION Specifies the IKE phase 1 negotiation parameters. DESCRIPTION Specifies the IKE phase 1 negotiation parameters.
DERIVED FROM SANegotiationAction DERIVED FROM SANegotiationAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES RefreshThresholdDerivedKeys PROPERTIES RefreshThresholdDerivedKeys
ExchangeMode ExchangeMode
UseIKEIdentityType UseIKEIdentityType
VendorID
AggressiveModeGroupId
6.11.1. The Property RefreshThresholdDerivedKeys 6.13.1. The Property RefreshThresholdDerivedKeys
The property RefreshThresholdDerivedKeys specifies what percentage The property RefreshThresholdDerivedKeys specifies what percentage
of the derived key limit (see the LifetimeDerivedKeys property of of the derived key limit (see the LifetimeDerivedKeys property of
IKEProposal) can expire before IKE should attempt to renegotiate the IKEProposal) can expire before IKE should attempt to renegotiate the
IKE phase 1 security association. A random value may be added to IKE phase 1 security association. A random value may be added to
the calculated threshold (percentage x derived key limit) to reduce the calculated threshold (percentage x derived key limit) to reduce
the chance of both peers attempting to renegotiate at the same time. the chance of both peers attempting to renegotiate at the same time.
The property is defined as follows: The property is defined as follows:
NAME RefreshThresholdKilobytes NAME RefreshThresholdKilobytes
DESCRIPTION Specifies the percentage of derived key limit that has DESCRIPTION Specifies the percentage of derived key limit that has
expired before the IKE phase 1 security association is expired before the IKE phase 1 security association is
renegotiated. renegotiated.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IKE phase 1 security value of 100 indicates that the IKE phase 1 security
association should not be renegotiated until the association should not be renegotiated until the
derived key limit has been reached. derived key limit has been reached.
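Review bot: the NAME line in 6.13.1 reads "RefreshThresholdKilobytes", but the heading and the IKEAction PROPERTIES list both say "RefreshThresholdDerivedKeys"; the mismatch was already in -01 and survives in -02, so the property table is internally inconsistent. The "calculated threshold (percentage x derived key limit)" is also only meaningful when LifetimeDerivedKeys is non-zero; 7.2.1 defines zero as "no limit", so this subsection should state that RefreshThresholdDerivedKeys is ignored in that case and phase 1 rekeying falls back to the seconds and kilobyte lifetimes.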
6.11.2. The Property ExchangeMode 6.13.2. The Property ExchangeMode
The property ExchangeMode specifies which IKE mode should be used The property ExchangeMode specifies which IKE mode should be used
for IKE phase 1 key negotiations. The property is defined as for IKE phase 1 negotiations. The property is defined as follows:
follows:
NAME ExchangeMode NAME ExchangeMode
DESCRIPTION Specifies the IKE negotiation mode for phase 1. DESCRIPTION Specifies the IKE negotiation mode for phase 1.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - base mode VALUE 1 - base mode
2 - main mode 2 - main mode
4 - aggressive mode 4 - aggressive mode
6.11.3. The Property UseIKEIdentityType 6.13.3. The Property UseIKEIdentityType
The property UseIKEIdentityType specifies what IKE identity type The property UseIKEIdentityType specifies what IKE identity type
should be used when negotiating with the peer. This information is should be used when negotiating with the peer. This information is
used in conjunction the IKE identities available on the system. The used in conjunction with the IKE identities available on the system
property is defined as follows: and the IdentityContexts of the matching IKERule. The property is
defined as follows:
NAME UseIKEIdentityType NAME UseIKEIdentityType
DESCRIPTION Specifies the IKE identity to use during negotiation. DESCRIPTION Specifies the IKE identity to use during negotiation.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address VALUE 1 - IPv4 Address
2 - FQDN 2 - FQDN
3 - User FQDN 3 - User FQDN
4 - IPv4 Subnet 4 - IPv4 Subnet
5 - IPv6 Address 5 - IPv6 Address
6 - IPv6 Subnet 6 - IPv6 Subnet
7 - IPv4 Address Range 7 - IPv4 Address Range
8 - IPv6 Address Range 8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name 9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName 10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID 11 - Key ID
6.12. The Aggregation Class ContainedProposal 6.13.4. The Property VendorID
The property VendorID specifies the value to be used in the Vendor
ID payload. The property is defined as follows:
NAME VendorID
DESCRIPTION Vendor ID Payload.
SYNTAX string
VALUE A value of NULL means that Vendor ID payload will be
neither generated nor accepted. A non-NULL value means
that a Vendor ID payload will be generated (when acting
as an initiator) or is expected (when acting as a
responder).
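Review bot: "is expected (when acting as a responder)" does not say what the responder does when the Vendor ID payload is absent or carries a different value: reject the exchange, or continue without vendor-specific behaviour. Because this value qualifies the private group range in 6.13.5 and 6.10.5, the failure behaviour determines whether a peer can silently fall back to a different group, so it should be stated explicitly.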
6.13.5. The Property AggressiveModeGroupId
The property AggressiveModeGroupId specifies which group ID is to be
used in the first packets of the phase 1 negotiation. This property
is ignored unless the property ExchangeMode is set to 4 (aggressive
mode). If the AggressiveModeGroupID number is from the vendor-
specific range (32768-65535), the property VendorID qualifies the
group number. The property is defined as follows:
NAME AggressiveModeGroupId
DESCRIPTION Specifies the group ID to be used for aggressive mode.
SYNTAX unsigned 16-bit integer
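Review bot: AggressiveModeGroupId has no VALUE clause, unlike GroupId in 6.10.3 and 7.2.5, which point to [IKE] and define 0; add the same reference and say whether 0 is permitted here. The prose spells the property "AggressiveModeGroupID" while the NAME is "AggressiveModeGroupId". It would also help to state that in aggressive mode this property, not IKEProposal.GroupId, is the group actually proposed, since 7.2.5 says IKEProposal.GroupId is ignored for aggressive exchanges.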
6.14. The Class PeerGateway
The class PeerGateway specifies the security gateway with which the
IKE services negotiates. The class definition for PeerGateway is as
follows:
NAME PeerGateway
DESCRIPTION Specifies the security gateway with which to negotiate.
DERIVED FROM LogicalElement (see Appendix A)
ABSTRACT FALSE
PROPERTIES Name
PeerIdentityType
PeerIdentity
6.14.1. The Property Name
The property Name specifies a user-friendly name for this security
gateway. The property is defined as follows:
NAME Name
DESCRIPTION Specifies a user-friendly name for this security
gateway.
SYNTAX string
6.14.2. The Property PeerIdentityType
The property PeerIdentityType specifies the IKE identity type of the
security gateway. The property is defined as follows:
NAME PeerIdentityType
DESCRIPTION Specifies the IKE identity type of the security
gateway.
SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address
2 - FQDN
3 - User FQDN
4 - IPv4 Subnet
5 - IPv6 Address
6 - IPv6 Subnet
7 - IPv4 Address Range
8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID
6.14.3. The Property PeerIdentity
The property PeerIdentity specifies the IKE identity value of the
security gateway. A conversion may be needed between the
PeerIdentity string representation and the real value used in the ID
payload (e.g. IP address is to be converted from a dotted decimal
string into 4 bytes). The property is defined as follows:
NAME PeerIdentity
DESCRIPTION Specifies the IKE identity value of the security
gateway.
SYNTAX string
6.15. The Association Class PeerGatewayForTunnel
The class PeerGatewayForTunnel associates IPsecTunnelActions with an
ordered list of PeerGateways. The class definition for
PeerGatewayForTunnel is as follows:
NAME PeerGatewayForTunnel
DESCRIPTION Associates IPsecTunnelActions with an ordered list of
PeerGateways.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerGateway[0..n]]
Dependent [ref IPsecTunnelAction[0..n]]
SequenceNumber
6.15.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that there an IPsecTunnelAction instance may
be associated with zero or more PeerGateway instances.
Note: when there is no PeerGateway associated to an
IPsecTunnelAction, this means that the IKE service acts as a
responder and will accept phase 1 negotiation with any other
security gateway.
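Review bot: "there an IPsecTunnelAction instance may be associated" has a stray "there". More importantly, the Note gives an empty association a permissive meaning (the IKE service "will accept phase 1 negotiation with any other security gateway") but covers only the responder case; the initiator semantics of zero PeerGateways currently sit under ContainedProposal.GroupComponent in 6.16.1, where they do not belong. Move that text here so the full meaning of the 0 cardinality is in one place, and make explicit that "any other security gateway" is still subject to the phase 1 authentication method of the matching IKEAction, so that the empty association is not read as disabling peer authentication.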
6.15.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IPsecTunnelAction instance. The [0..n]
cardinality indicates that a PeerGateway instance may be associated
with zero or more IPsecTunnelAction instances.
6.15.3. The Property SequenceNumber
The property SequenceNumber specifies the ordering to be used when
evaluating PeerGateway instances for a given IPsecTunnelAction. .
The property is defined as follows:
NAME SequenceNumber
DESCRIPTION Specifies the order of evaluation for PeerGateways.
SYNTAX unsigned 16-bit integer
VALUE Lower values are evaluated first.
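Review bot: ". ." at the end of the first sentence is a stray period. The VALUE clause says "Lower values are evaluated first" but, unlike ContainedProposal.SequenceNumber in 6.16.3, does not require values to be unique among PeerGatewayForTunnel instances that reference the same IPsecTunnelAction; either require uniqueness or state that the order among equal values is implementation-defined.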
6.16. The Aggregation Class ContainedProposal
The class ContainedProposal associates an ordered list of The class ContainedProposal associates an ordered list of
SAProposals with the SANegotiationAction that contains it. If the SAProposals with the SANegotiationAction that aggregates it. If the
referenced SANegotiationAction object is an IKEAction, then the referenced SANegotiationAction object is an IKEAction, then the
referenced SAProposal object must be an IKEProposal. If the referenced SAProposal object(s) must be IKEProposal(s). If the
referenced SANegotiationAction object is an IPsecTransportAction or referenced SANegotiationAction object is an IPsecTransportAction or
an IPsecTunnelAction, then the referenced SAProposal object must be an IPsecTunnelAction, then the referenced SAProposal object(s) must
an IPsecProposal. The class definition for ContainedProposal is as be IPsecProposal(s). The class definition for ContainedProposal is
follows: as follows:
NAME ContainedProposal NAME ContainedProposal
DESCRIPTION Associates an ordered list of SAProposals with an DESCRIPTION Associates an ordered list of SAProposals with an
SANegotiationAction. SANegotiationAction.
DERIVED FROM PolicyComponent (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent[ref SANegotiationAction[0..n]] PROPERTIES GroupComponent[ref SANegotiationAction[0..n]]
PartComponent[ref SAProposal[1..n]] PartComponent[ref SAProposal[1..n]]
SequenceNumber SequenceNumber
6.12.1. The Reference GroupComponent 6.16.1. The Reference GroupComponent
The property GroupComponent contains an object reference to an The property GroupComponent is inherited from PolicyComponent and is
SANegotiationAction that contains one or more SAProposals. The overridden to refer to an SANegotiationAction instance. The [0..n]
[0..n] cardinality indicates that there may be zero or more cardinality indicates that an SAProposal instance may be associated
SANegotiationActions that contain any given SAProposal. with zero or more SANegotiationAction instances.
6.12.2. The Reference PartComponent Note: the cardinality 0 has a specific meaning:
The property PartComponent contains an object reference to an - when the IKE service acts as a responder, this means that the
SAProposal contained by one or more SANegotiationActions. The IKE service will accept phase 1 negotiation with any other
[1..n] cardinality indicates that an SANegotiationAction MUST security gateway;
contain at least one SAProposal. - when the IKE service acts as an initiator, this means that
the IKE service will use the destination IP address (of the
IP packets which triggered the SARule) as the IP address of
the peer IKE entity.
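Review bot: the Note on "cardinality 0" is attached to the wrong class. GroupComponent's [0..n] cardinality describes how many SANegotiationActions reference an SAProposal, yet the note talks about the IKE service accepting phase 1 negotiation with any gateway and using the triggering packet's destination address as the peer address; that is the semantics of a missing PeerGateway in 6.15 (PeerGatewayForTunnel), not of a proposal with no containing action. Move it to 6.15.1 and, for the initiator case, add that a peer chosen from the packet destination must still satisfy the configured phase 1 authentication method, since such a policy has no PeerIdentity to compare against.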
6.12.3. The Property SequenceNumber 6.16.2. The Reference PartComponent
The property PartComponent is inherited from PolicyComponent and is
overridden to refer to an SAProposal instance. The [1..n]
cardinality indicates that an SANegotiationAction instance MUST be
associated with at least one SAProposal instance.
6.16.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for The property SequenceNumber specifies the order of preference for
the SAProposals. The property is defined as follows: the SAProposals. The property is defined as follows:
NAME SequenceNumber NAME SequenceNumber
DESCRIPTION Specifies the preference order for the SAProposals. DESCRIPTION Specifies the preference order for the SAProposals.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Lower-valued proposals are preferred over proposals VALUE Lower-valued proposals are preferred over proposals
with higher values. If two proposals have the same with higher values. For ContainedProposals that
SequenceNumber value, then the order of preference is reference the same SANegotiationAction, SequenceNumber
undefined. values must be unique.
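Review bot: "SequenceNumber values must be unique" is a normative constraint; write it as "MUST" per RFC 2119, as 6.16.2 does, and say what an implementation does with a policy that violates it (reject the policy, or treat duplicates as an error), since the previous text ("the order of preference is undefined") has been removed.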
6.17. The Association Class HostedPeerGatewayInformation
The class HostedPeerGatewayInformation weakly associates a
PeerGateway with a System. The class definition for
HostedPeerGatewayInformation is as follows:
NAME HostedPeerGatewayInformation
DESCRIPTION Weakly associates a PeerGateway with a System.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref System[1..1]]
Dependent [ref PeerGateway[0..n] [weak]]
6.17.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerGateway instance MUST be associated with one
and only one System instance.
6.17.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that a System instance may be associated with
zero or more PeerGateway instances.
6.18. The Association Class TransformOfPreconfiguredAction
The class TransformOfPreconfiguredAction associates a
PreconfiguredSAAction with from one to three SATransforms that will
be applied to the traffic. The order of application of the
SATransforms is implicitly defined in [IPSEC]. The class definition
for TransformOfPreconfiguredAction is as follows:
NAME TransformOfPreconfiguredAction
DESCRIPTION Associates a PreconfiguredSAAction with from one to
three SATransforms.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent[ref SATransform[1..3]]
Dependent[ref PreconfiguredSAAction[0..n]]
SPI
6.18.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to an SATransform instance. The [1..3]
cardinality indicates that an SANegotiationAction instance may be
associated with from one to three SATransform instances.
6.18.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to a PreconfiguredSAAction instance. The [0..n]
cardinality indicates that an SATransform instance may be associated
with zero or more PreconfiguredSAAction instances.
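Review bot: 6.18.1 explains the [1..3] cardinality as "an SANegotiationAction instance may be associated with from one to three SATransform instances", but the Dependent of this association is PreconfiguredSAAction, not SANegotiationAction; the sentence should name PreconfiguredSAAction. The class text also says the order of application "is implicitly defined in [IPSEC]" without saying what happens when a policy supplies two transforms of the same type (for example two ESPTransforms), which the [1..3] cardinality alone does not prevent.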
6.18.3. The Property SPI
The property SPI specifies the SPI to be used by the pre-configured
action for the associated transform. The property is defined as
follows:
NAME SPI
DESCRIPTION Specifies the SPI to be used with the SATransform.
SYNTAX unsigned 32-bit integer
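Review bot: SPI has no VALUE clause, while the other integer properties in this section state their permitted range or special values. Say whether 0 and other reserved SPI values are permitted, and whether the same SPI may be reused by different TransformOfPreconfiguredAction instances for the same SATransform, since that decides whether a pre-configured SA is uniquely identified.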
7. Proposal and Transform Classes 7. Proposal and Transform Classes
The proposal and transform classes model the proposal settings an The proposal and transform classes model the proposal settings an
IPsec device will use during IKE phase 1 and 2 negotiations. IPsec device will use during IKE phase 1 and 2 negotiations.
+--------------+ +--------------+*w 1+--------------+
| [SAProposal] | | [SAProposal] |--------| System |
+--------------+ +--------------+ (a) | (Appendix A) |
^ ^ +--------------+
| | |1
+----------------------+ +----------------------+ |
| | | | |
+-------------+ +---------------+ +-------------+ +---------------+ |
| IKEProposal | | IPsecProposal | | IKEProposal | | IPsecProposal | |
+-------------+ +---------------+ +-------------+ +---------------+ |
*o *o |
| (a) |(b) |(c)
n| n| |
+---------------+ +---------------+*w |
| [SATransform] | | [SATransform] |----+
+---------------+ +---------------+
^ ^
| |
+--------------------+-----------+---------+ +--------------------+-----------+---------+
| | | | | |
+-------------+ +--------------+ +----------------+ +-------------+ +--------------+ +----------------+
| AHTransform | | ESPTransform | |IPCOMPTransform | | AHTransform | | ESPTransform | |IPCOMPTransform |
+-------------+ +--------------+ +----------------+ +-------------+ +--------------+ +----------------+
(a) ContainedTransform (a) SAProposalInSystem
(b) ContainedTransform
(c) SATransformInSystem
7.1. The Abstract Class SAProposal 7.1. The Abstract Class SAProposal
The abstract class SAProposal serves as the base class for the IKE The abstract class SAProposal serves as the base class for the IKE
and IPsec proposal classes. It specifies the parameters that are and IPsec proposal classes. It specifies the parameters that are
common to the two proposal types. The class definition for common to the two proposal types. The class definition for
SAProposal is as follows: SAProposal is as follows:
NAME SAProposal NAME SAProposal
DESCRIPTION Specifies the common proposal parameters for IKE and DESCRIPTION Specifies the common proposal parameters for IKE and
IPsec security association negotiation. IPsec security association negotiation.
DERIVED FROM Policy ([PCIM])
ABSTRACT TRUE ABSTRACT TRUE
PROPERTIES Name PROPERTIES Name
MaxLifetimeSeconds
MaxLifetimeKilobytes
7.1.1. The Property Name 7.1.1. The Property Name
The property Name specifies a user-friendly name for the SAProposal. The property Name specifies a user-friendly name for the SAProposal.
The property is defined as follows: The property is defined as follows:
NAME Name NAME Name
DESCRIPTION Specifies a user-friendly name for this proposal. DESCRIPTION Specifies a user-friendly name for this proposal.
SYNTAX string SYNTAX string
7.1.2. The Property MaxLifetimeSeconds
The property MaxLifetimeSeconds specifies the maximum amount of
time, in seconds, to propose that a security association will remain
valid after its creation. The property is defined as follows:
NAME MaxLifetimeSeconds
DESCRIPTION Specifies the maximum amount of time to propose a
security association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that the default of 8 hours
be used. A non-zero value indicates the maximum
seconds lifetime.
7.1.3. The Property MaxLifetimeKilobytes
The property MaxLifetimeKilobytes specifies the maximum kilobyte
lifetime to propose that a security association will remain valid
after its creation. The property is defined as follows:
NAME MaxLifetimeKilobytes
DESCRIPTION Specifies the maximum kilobyte lifetime to propose a
security association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there should be no
maximum kilobyte lifetime. A non-zero value specifies
the desired kilobyte lifetime.
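Review bot: in 7.1.2 "indicates that the default of 8 hours be used" should read "should be used". Both 7.1.2 and 7.1.3 describe the lifetime "to propose", but neither says whether a responder also uses these values to bound the lifetimes it accepts from the initiator; without that, the model only constrains one side of the negotiation. Since 7.1.3 allows zero to mean "no maximum kilobyte lifetime", the text should also state how these maxima relate to the refresh thresholds of the actions (6.9.x, 6.13.1), which are expressed as percentages of a limit.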
7.2. The Class IKEProposal 7.2. The Class IKEProposal
The class IKEProposal specifies the proposal parameters necessary to The class IKEProposal specifies the proposal parameters necessary to
drive an IKE security association negotiation. The class definition drive an IKE security association negotiation. The class definition
for IKEProposal is as follows: for IKEProposal is as follows:
NAME IKEProposal NAME IKEProposal
DESCRIPTION Specifies the proposal parameters for IKE security DESCRIPTION Specifies the proposal parameters for IKE security
association negotiation. association negotiation.
DERIVED FROM SAProposal DERIVED FROM SAProposal
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES LifetimeDerivedKeys PROPERTIES LifetimeDerivedKeys
CipherAlgorithm CipherAlgorithm
HashAlgorithm HashAlgorithm
PRFAlgorithm PRFAlgorithm
GroupId GroupId
AuthenticationMethod AuthenticationMethod
MaxLifetimeSeconds
MaxLifetimeKilobytes
VendorID
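Review bot: the new PROPERTIES list adds MaxLifetimeSeconds and MaxLifetimeKilobytes to IKEProposal, but -02 also adds both to the SAProposal base class (7.1.2, 7.1.3); listing them again on the subclass is redundant and invites divergent definitions, so drop them here. The VendorID property added to IKEProposal should either reference the definition in 6.13.4 or get its own subsection so that the NULL semantics are the same across the three classes that now carry it.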
7.2.1. The Property LifetimeDerivedKeys 7.2.1. The Property LifetimeDerivedKeys
The property LifetimeDerivedKeys specifies the number of times that The property LifetimeDerivedKeys specifies the number of times that
a phase 1 key will be used to derive a phase 2 key before the phase a phase 1 key will be used to derive a phase 2 key before the phase
1 security association needs renegotiated. Even though this is not 1 security association needs renegotiated. Even though this is not
a parameter that is sent in an IKE proposal, it is included in the a parameter that is sent in an IKE proposal, it is included in the
proposal as the number of keys derived may be a result of the proposal as the number of keys derived may be a result of the
strength of the algorithms in the IKE propsoal. The property is strength of the algorithms in the IKE proposal. The property is
defined as follows: defined as follows:
NAME LifetimeDerivedKeys NAME LifetimeDerivedKeys
DESCRIPTION Specifies the number of phase 2 keys that can be DESCRIPTION Specifies the number of phase 2 keys that can be
derived from the phase 1 key. derived from the phase 1 key.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no limit to the VALUE A value of zero indicates that there is no limit to the
number of phase 2 keys which may be derived from the number of phase 2 keys that may be derived from the
phase 1 key; instead the seconds and/or kilobytes phase 1 key; instead the seconds and/or kilobytes
lifetime will dictate the phase 1 rekeying. A non-zero lifetime will dictate the phase 1 rekeying. A non-zero
value specifies the number of phase 2 keys that can be value specifies the number of phase 2 keys that can be
derived from the phase 1 key. derived from the phase 1 key.
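Review bot: "before the phase 1 security association needs renegotiated" (unchanged from -01) should read "needs to be renegotiated". The VALUE text for zero ("no limit ... the seconds and/or kilobytes lifetime will dictate the phase 1 rekeying") should be cross-referenced from 6.13.1, whose threshold is computed from this value.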
7.2.2. The Property CipherAlgorithm 7.2.2. The Property CipherAlgorithm
The property CipherAlgorithm specifies the proposed phase 1 security The property CipherAlgorithm specifies the proposed phase 1 security
association encryption algorithm. The property is defined as association encryption algorithm. The property is defined as
follows: follows:
NAME CipherAlgorithm NAME CipherAlgorithm
DESCRIPTION Specifies the proposed encryption algorithm for the DESCRIPTION Specifies the proposed encryption algorithm for the
phase 1 security association. phase 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - DES-CBC VALUE Consult [IKE] for valid values.
2 - IDEA-CBC
3 - Blowfish-CBC
4 - RC5-R16-B64-CBC
5 - 3DES-CBC
6 - CAST-CBC
7.2.3. The Property HashAlgorithm 7.2.3. The Property HashAlgorithm
The property HashAlgorithm specifies the proposed phase 1 security The property HashAlgorithm specifies the proposed phase 1 security
assocation hash algorithm. The property is defined as follows: association hash algorithm. The property is defined as follows:
NAME HashAlgorithm NAME HashAlgorithm
DESCRIPTION Specifies the proposed hash algorithm for the phase 1 DESCRIPTION Specifies the proposed hash algorithm for the phase 1
security association. security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - MD5 VALUE Consult [IKE] for valid values.
2 - SHA-1
3 - Tiger
7.2.4. The Property PRFAlgorithm 7.2.4. The Property PRFAlgorithm
The property PRFAlgorithm specifies the proposed phase 1 security The property PRFAlgorithm specifies the proposed phase 1 security
association psuedo-random function. The property is defined as association pseudo-random function. The property is defined as
follows: follows:
NAME PRFAlgorithm NAME PRFAlgorithm
DESCRIPTION Specifies the proposed psuedo-random function for the DESCRIPTION Specifies the proposed pseudo-random function for the
phase 1 security association. phase 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Currently none defined. VALUE Currently none defined.
7.2.5. The Property GroupId 7.2.5. The Property GroupId
The property GroupId specifies the proposed phase 1 security The property GroupId specifies the proposed phase 1 security
assocation Diffie-Hellman group. The property is defined as association key exchange group. This property is ignored for all
follows: aggressive mode exchanges. If the GroupID number is from the
vendor-specific range (32768-65535), the property VendorID qualifies
the group number. The property is defined as follows:
NAME GroupId NAME GroupId
DESCRIPTION Specifies the proposed Diffie-Hellman group for the DESCRIPTION Specifies the proposed key exchange group for the phase
phase 1 security association. 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - 768-bit MODP group VALUE 0 - Not applicable: used for aggressive mode. Consult
2 - 1024-bit MODP group [IKE] for other valid values.
3 - EC2N group on GP[2^155]
4 - EC2N group on GP[2^185]
5 - 1536-bit MODP group
7.2.6. The Property AuthenticationMethod 7.2.6. The Property AuthenticationMethod
The property AuthenticationMethod specifies the proposed phase 1 The property AuthenticationMethod specifies the proposed phase 1
authentication method. The property is defined as follows: authentication method. The property is defined as follows:
NAME AuthenticationMethod NAME AuthenticationMethod
DESCRIPTION Specifies the proposed authentication method for the DESCRIPTION Specifies the proposed authentication method for the
phase 1 security association. phase 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 0 - a special value which indicates that this VALUE 0 - a special value that indicates that this particular
particular proposal should be repeated once for each proposal should be repeated once for each
authentication method that corresponds to the authentication method that corresponds to the
credentials installed on the machine. For example, if credentials installed on the machine. For example, if
the system has a pre-shared key and a certificate, a the system has a pre-shared key and a certificate, a
proposal list could be constructed which includes a proposal list could be constructed which includes a
proposal that specifies pre-shared key and proposals proposal that specifies pre-shared key and proposals
for any of the public-key authentication methods. for any of the public-key authentication methods.
1 - Pre-shared key Consult [IKE] for valid values.
2 - DSS signatures
3 - RSA signatures
4 - Encryption with RSA
5 - Revised encryption with RSA
6 - Kerberos (has this number been assigned???)
7.3. The Class IPsecProposal 7.2.7. The Property MaxLifetimeSeconds
The property MaxLifetimeSeconds specifies the maximum amount of
time, in seconds, to propose that a security association will remain
valid after its creation. The property is defined as follows:
NAME MaxLifetimeSeconds
DESCRIPTION Specifies the maximum amount of time to propose a
security association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that the default of 8 hours
be used. A non-zero value indicates the maximum
seconds lifetime.
7.2.8. The Property MaxLifetimeKilobytes
The property MaxLifetimeKilobytes specifies the maximum kilobyte
lifetime to propose that a security association will remain valid
after its creation. The property is defined as follows:
NAME MaxLifetimeKilobytes
DESCRIPTION Specifies the maximum kilobyte lifetime to propose a
security association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there should be no
maximum kilobyte lifetime. A non-zero value specifies
the desired kilobyte lifetime.
7.2.9. The Property VendorID
The property VendorID further qualifies the key exchange group. The
property is ignored unless the exchange is not in aggressive mode
and the property GroupID is in the vendor-specific range. The
property is defined as follows:
NAME VendorID
DESCRIPTION Specifies the Vendor ID to further qualify the key
exchange group.
SYNTAX string
7.3. The Class IPsecProposal
The class IPsecProposal adds no new properties, but inherits The class IPsecProposal adds no new properties, but inherits
proposal propoerties from SAProposal as well as aggregating the proposal properties from SAProposal as well as aggregating the
security association transforms necessary for building an IPsec security association transforms necessary for building an IPsec
proposal (see the aggregation class ContainedTransform). The class proposal (see the aggregation class ContainedTransform). The class
definition for IPsecProposal is as follows: definition for IPsecProposal is as follows:
NAME IPsecProposal NAME IPsecProposal
DESCRIPTION Specifies the proposal parameters for IPsec security DESCRIPTION Specifies the proposal parameters for IPsec security
association negotiation. association negotiation.
DERIVED FROM SAProposal DERIVED FROM SAProposal
ABSTRACT FALSE ABSTRACT FALSE
7.4. The Abstract Class SATransform 7.4. The Abstract Class SATransform
The abstract class SATransform serves as the base class for the The abstract class SATransform serves as the base class for the
IPsec transforms that can be used to compose an IPsec proposal. The IPsec transforms that can be used to compose an IPsec proposal or to
class definition for SATransform is as follows: be used as a pre-configured action. The class definition for
SATransform is as follows:
NAME SATransform NAME SATransform
DESCRIPTION Base class for the different IPsec transforms. DESCRIPTION Base class for the different IPsec transforms.
ABSTRACT TRUE ABSTRACT TRUE
PROPERTIES Name PROPERTIES TransformName
VendorID VendorID
MaxLifetimeSeconds
MaxLifetimeKilobytes
7.4.1. The Property Name 7.4.1. The Property TransformName
The property Name specifies a user-friendly name for the The property TransformName specifies a user-friendly name for the
SATransform. The property is defined as follows: SATransform. The property is defined as follows:
NAME Name NAME TransformName
DESCRIPTION Specifies a user-friendly name for this transform. DESCRIPTION Specifies a user-friendly name for this transform.
SYNTAX string SYNTAX string
7.4.1. The Property VendorID 7.4.2. The Property VendorID
The property VendorID specifies the vendor ID for vendor-defined The property VendorID specifies the vendor ID for vendor-defined
transforms. The property is defined as follows: transforms. The property is defined as follows:
NAME VendorID NAME VendorID
DESCRIPTION Specifies the vendor ID for vendor-defined transforms. DESCRIPTION Specifies the vendor ID for vendor-defined transforms.
SYNTAX string SYNTAX string
VALUE An empty VendorID string indicates that the transform VALUE An empty VendorID string indicates that the transform
is one of the previously-defined ones. is a standard one.
7.4.3. The Property MaxLifetimeSeconds
The property MaxLifetimeSeconds specifies the maximum amount of
time, in seconds, to propose that a security association will remain
valid after its creation. The property is defined as follows:
NAME MaxLifetimeSeconds
DESCRIPTION Specifies the maximum amount of time to propose a
security association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that the default of 8 hours
be used. A non-zero value indicates the maximum
seconds lifetime.
7.4.4. The Property MaxLifetimeKilobytes
The property MaxLifetimeKilobytes specifies the maximum kilobyte
lifetime to propose that a security association will remain valid
after its creation. The property is defined as follows:
NAME MaxLifetimeKilobytes
DESCRIPTION Specifies the maximum kilobyte lifetime to propose a
security association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there should be no
maximum kilobyte lifetime. A non-zero value specifies
the desired kilobyte lifetime.
7.5. The Class AHTransform 7.5. The Class AHTransform
The class AHTransform specifies the AH algorithm to propose during The class AHTransform specifies the AH algorithm to propose during
IPsec security association negotiation. The class definition for IPsec security association negotiation. The class definition for
AHTransform is as follows: AHTransform is as follows:
NAME AHTransform NAME AHTransform
DESCRIPTION Specifies the AH algorithm to propose. DESCRIPTION Specifies the AH algorithm to propose.
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES AHTransformId PROPERTIES AHTransformId
UseReplayPrevention
ReplayPreventionWindowSize
7.5.1. The Property AHTransformId 7.5.1. The Property AHTransformId
The property AHTransformId specifies the transform ID of the AH The property AHTransformId specifies the transform ID of the AH
algorithm to propose. The property is defined as follows: algorithm to propose. The property is defined as follows:
NAME AHTransformId NAME AHTransformId
DESCRIPTION Specifies the transform ID of the AH algorithm. DESCRIPTION Specifies the transform ID of the AH algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 2 - MD5 VALUE Consult [DOI] for valid values.
3 - SHA-1
4 - DES 7.5.2. The Property UseReplayPrevention
The property UseReplayPrevention specifies whether replay prevention
detection is to be used. The property is defined as follows:
NAME UseReplayPrevention
DESCRIPTION Specifies whether to enable replay prevention
detection.
SYNTAX boolean
VALUE true - replay prevention detection is enabled.
false - replay prevention detection is disabled.
7.5.3. The Property ReplayPreventionWindowSize
The property ReplayPreventionWindowSize specifies, in bits, the
length of the sliding window used by the replay prevention detection
mechanism. The value of this property is meaningless if
UseReplayPrevention is false. It is assumed that the window size
will be power of 2. The property is defined as follows:
NAME ReplayPreventionWindowSize
DESCRIPTION Specifies the length of the window used by replay
prevention detection mechanism.
SYNTAX unsigned 32-bit integer
7.6. The Class ESPTransform 7.6. The Class ESPTransform
The class ESPTransform specifies the ESP algorithms to propose The class ESPTransform specifies the ESP algorithms to propose
during IPsec security association negotiation. The class definition during IPsec security association negotiation. The class definition
for ESPTransform is as follows: for ESPTransform is as follows:
NAME ESPTransform NAME ESPTransform
DESCRIPTION Specifies the ESP algorithms to propose. DESCRIPTION Specifies the ESP algorithms to propose.
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES IntegrityTransformId PROPERTIES IntegrityTransformId
CipherTransformId CipherTransformId
CipherKeyLength CipherKeyLength
CipherKeyRounds CipherKeyRounds
UseReplayPrevention
ReplayPreventionWindowSize
7.6.1. The Property IntegrityTransformId 7.6.1. The Property IntegrityTransformId
The property IntegrityTransformId specifies the transform ID of the The property IntegrityTransformId specifies the transform ID of the
ESP integrity algorithm to propose. The property is defined as ESP integrity algorithm to propose. The property is defined as
follows: follows:
NAME IntegrityTransformId NAME IntegrityTransformId
DESCRIPTION Specifies the transform ID of the ESP integrity DESCRIPTION Specifies the transform ID of the ESP integrity
algorithm. algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 0 - None VALUE Consult [DOI] for valid values.
1 - HMAC-MD5
2 - HMAC-SHA
3 - DES-MAC
4 - KPDK
7.6.2. The Property CipherTransformId 7.6.2. The Property CipherTransformId
The property CipherTransformId specifies the transform ID of the ESP The property CipherTransformId specifies the transform ID of the ESP
encryption algorithm to propose. The property is defined as encryption algorithm to propose. The property is defined as
follows: follows:
NAME CipherTransformId NAME CipherTransformId
DESCRIPTION Specifies the transform ID of the ESP encryption DESCRIPTION Specifies the transform ID of the ESP encryption
algorithm. algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - DES IV64 VALUE Consult [DOI] for valid values.
2 - DES
3 - 3DES
4 - RC5
5 - IDEA
6 - CAST
7 - Blowfish
8 - 3IDEA
9 - DES IV32
10 - RC4
11 - NULL
7.6.3. The Property CipherKeyLength 7.6.3. The Property CipherKeyLength
The property CipherKeyLength specifies, in bits, the key length for The property CipherKeyLength specifies, in bits, the key length for
the ESP encryption algorithm. For encryption algorithms which use the ESP encryption algorithm. For encryption algorithms that use
fixed-length keys, this value is ignored. The property is defined fixed-length keys, this value is ignored. The property is defined
as follows: as follows:
NAME CipherKeyLength NAME CipherKeyLength
DESCRIPTION Specifies the ESP encryption key length in bits. DESCRIPTION Specifies the ESP encryption key length in bits.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
7.6.4. The Property CipherKeyRounds 7.6.4. The Property CipherKeyRounds
The property CipherKeyRounds specifies the number of key rounds for The property CipherKeyRounds specifies the number of key rounds for
the ESP encryption algorithm. The property is defined as follows: the ESP encryption algorithm. For encryption algorithms that use
fixed number of key rounds, this value is ignored. The property is
defined as follows:
NAME CipherKeyRounds NAME CipherKeyRounds
DESCRIPTION Specifies the number of key rounds for the ESP DESCRIPTION Specifies the number of key rounds for the ESP
encryption algorithm. encryption algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Currently, key rounds are not defined for any ESP VALUE Currently, key rounds are not defined for any ESP
encryption algorithms. encryption algorithms.
7.6.5. The Property UseReplayPrevention
The property UseReplayPrevention specifies whether replay prevention
detection is to be used. The property is defined as follows:
NAME UseReplayPrevention
DESCRIPTION Specifies whether to enable replay prevention
detection.
SYNTAX boolean
VALUE true - replay prevention detection is enabled.
false - replay prevention detection is disabled.
7.6.6. The Property ReplayPreventionWindowSize
The property ReplayPreventionWindowSize specifies, in bits, the
length of the sliding window used by the replay prevention detection
mechanism. The value of this property is meaningless if
UseReplayPrevention is false. It is assumed that the window size
will be power of 2. The property is defined as follows:
NAME ReplayPreventionWindowSize
DESCRIPTION Specifies the length of the window used by replay
prevention detection mechanism.
SYNTAX unsigned 32-bit integer
7.7. The Class IPCOMPTransform 7.7. The Class IPCOMPTransform
The class IPCOMPTransform specifies the IP compression (IPCOMP) The class IPCOMPTransform specifies the IP compression (IPCOMP)
algorithm to propose during IPsec security association negotiation. algorithm to propose during IPsec security association negotiation.
The class definition for IPCOMPTransform is as follows: The class definition for IPCOMPTransform is as follows:
NAME IPCOMPTransform NAME IPCOMPTransform
DESCRIPTION Specifies the IPCOMP algorithm to propose. DESCRIPTION Specifies the IPCOMP algorithm to propose.
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Algorithm PROPERTIES Algorithm
skipping to change at page 47, line 4 skipping to change at page 54, line 30
7.7.1. The Property Algorithm 7.7.1. The Property Algorithm
The property Algorithm specifies the transform ID of the IPCOMP The property Algorithm specifies the transform ID of the IPCOMP
compression algorithm to propose. The property is defined as compression algorithm to propose. The property is defined as
follows: follows:
NAME Algorithm NAME Algorithm
DESCRIPTION Specifies the transform ID of the IPCOMP compression DESCRIPTION Specifies the transform ID of the IPCOMP compression
algorithm. algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - OUI (the property PrivateAlgorithm will contain the VALUE 1 - OUI: a vendor specific algorithm is used and
vendor-specific algorithm to use) specified in the property PrivateAlgorithm. Consult
2 - DEFLATE [DOI] for other valid values.
3 - LZS
4 - V42BIS (has this number been assigned ???)
7.7.2. The Property DictionarySize 7.7.2. The Property DictionarySize
The property DictionarySize specifies the log2 maximum size of the The property DictionarySize specifies the log2 maximum size of the
diction for the compression algorithm. For compression algorithms dictionary for the compression algorithm. For compression
that have pre-defined dictionary sizes, this value is ignores. The algorithms that have pre-defined dictionary sizes, this value is
property is defined as follows: ignored. The property is defined as follows:
NAME DictionarySize NAME DictionarySize
DESCRIPTION Specifies the log2 maximum size of the dictionary. DESCRIPTION Specifies the log2 maximum size of the dictionary.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
7.7.3. The Property PrivateAlgorithm 7.7.3. The Property PrivateAlgorithm
The property PrivateAlgorithm specifies a private vendor-specific The property PrivateAlgorithm specifies a private vendor-specific
compression algorithm. This value is only used when the property compression algorithm. This value is only used when the property
Algorithm is 1 (OUI). The property is defined as follows: Algorithm is 1 (OUI). The property is defined as follows:
NAME PrivateAlgorithm NAME PrivateAlgorithm
DESCRIPTION Specifies a private vendor-specific compression DESCRIPTION Specifies a private vendor-specific compression
algorithm. algorithm.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
7.8. The Aggregation Class ContainedTransform 7.8. The Association Class SAProposalInSystem
The class SAProposalInSystem weakly associates SAProposals with a
System. The class definition for SAProposalInSystem is as follows:
NAME SAProposalInSystem
DESCRIPTION Weakly associates SAProposals with a System.
DERIVED FROM PolicyInSystem (see [PCIM])
ABSTRACT FALSE
PROPERTIES Antecedent[ref System [1..1]]
Dependent[ref SAProposal[0..n] [weak]]
7.8.1. The Reference Antecedent
The property Antecedent is inherited from PolicyInSystem and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that an SAProposal instance MUST be associated with one
and only one System instance.
7.8.2. The Reference Dependent
The property Dependent is inherited from PolicyInSystem and is
overridden to refer to an SAProposal instance. The [0..n]
cardinality indicates that a System instance may be associated with
zero or more SAProposal instances.
7.9. The Aggregation Class ContainedTransform
The class ContainedTransform associates an IPsecProposal with the The class ContainedTransform associates an IPsecProposal with the
set of SATransforms that make up the proposal. If multiple set of SATransforms that make up the proposal. If multiple
tranforms of the same type are in a proposal, then they are to be transforms of the same type are in a proposal, then they are to be
logically ORed and the order of preference is dictated by the logically ORed and the order of preference is dictated by the
SequenceNumber property. Sets of transforms of different types are SequenceNumber property. Sets of transforms of different types are
logically ANDed. For example, if the proposal list were logically ANDed. For example, if the ordered proposal list were
ESP = { (HMAC-MD5, DES), (HMAC-MD5, 3DES) } ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
AH = { MD5, SHA-1 } AH = { MD5, SHA-1 }
then the one sending the proposal wants the other side to pick one then the one sending the proposal would want the other side to pick
from the ESP transform list AND one from the AH transform list. The one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND
class definition for ContainedProposal is as follows: one from the AH transform list (preferably MD5).
The class definition for ContainedProposal is as follows:
NAME ContainedTransform NAME ContainedTransform
DESCRIPTION Associates an IPsecProposal with the set of DESCRIPTION Associates an IPsecProposal with the set of
SATransforms that make up the proposal. SATransforms that make up the proposal.
DERIVED FROM PolicyComponent (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent[ref IPsecProposal[0..n]] PROPERTIES GroupComponent[ref IPsecProposal[0..n]]
PartComponent[ref SATransform[1..n]] PartComponent[ref SATransform[1..n]]
SequenceNumber SequenceNumber
7.8.1. The Reference GroupComponent 7.9.1. The Reference GroupComponent
The property GroupComponent is inherited from PolicyComponent and is
The property GroupComponent contains an object reference to an overridden to refer to an IPsecProposal instance. The [0..n]
IPsecProposal that contains one or more SATransforms. The [0..n] cardinality indicates that an SATransform instance may be associated
cardinality indicates that there may be zero or more IPsecProposals with zero or more IPsecProposal instances.
that contain any given SATransform.
7.8.2. The Reference PartComponent 7.9.2. The Reference PartComponent
The property PartComponent contains an object reference to an The property PartComponent is inherited from PolicyComponent and is
SATransform contained by one or more IPsecProposals. The [1..n] overridden to refer to an SATransform instance. The [1..n]
cardinality indicates that an IPsecPropsal MUST contain at least one cardinality indicates that an IPsecProposal instance MUST be
SATransform. associated with at least one SATransform instance.
7.8.3. The Property SequenceNumber 7.9.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for The property SequenceNumber specifies the order of preference for
the SATransforms of the same type. The property is defined as the SATransforms of the same type. The property is defined as
follows: follows:
NAME SequenceNumber NAME SequenceNumber
DESCRIPTION Specifies the preference order for the SATransforms of DESCRIPTION Specifies the preference order for the SATransforms of
the same type. the same type.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Lower-valued transforms are preferred over transforms VALUE Lower-valued transforms are preferred over transforms
of the same type with higher values. If two transforms of the same type with higher values. For
of the same type have the same SequenceNumber value, ContainedTransforms that reference the same
then the order of preference is undefined. IPsecProposal, SequenceNumber values must be unique.
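The OR-within-a-type, AND-across-types reading of ContainedTransform above, together with the lifetime and replay-window conventions of the SATransform subclasses, as an added example (not code from the draft or its authors). Class and property names follow the draft; the helper functions, the proposal name and the sample associations are this example's own constructions.

```python
# Added example (not code from the draft or its authors): ContainedTransform
# semantics of section 7.9, plus the lifetime and replay-window conventions of
# sections 7.4 to 7.6.  Class and property names follow the draft; the helper
# functions and the sample data below are this example's own constructions.
from dataclasses import dataclass

DEFAULT_LIFETIME_SECONDS = 8 * 60 * 60   # MaxLifetimeSeconds == 0 means "default of 8 hours"


@dataclass(frozen=True)
class SATransform:
    transform_name: str
    vendor_id: str = ""                  # empty VendorID => a standard transform
    max_lifetime_seconds: int = 0
    max_lifetime_kilobytes: int = 0

    def effective_lifetime_seconds(self) -> int:
        return self.max_lifetime_seconds or DEFAULT_LIFETIME_SECONDS

    def effective_lifetime_kilobytes(self):
        return self.max_lifetime_kilobytes or None   # zero => no kilobyte limit


@dataclass(frozen=True)
class AHTransform(SATransform):
    ah_transform_id: int = 0                     # [DOI] AH transform ID
    use_replay_prevention: bool = True
    replay_prevention_window_size: int = 64      # bits; expected to be a power of 2


@dataclass(frozen=True)
class ESPTransform(SATransform):
    integrity_transform_id: int = 0              # [DOI] ESP authentication algorithm
    cipher_transform_id: int = 0                 # [DOI] ESP transform ID
    cipher_key_length: int = 0                   # bits; ignored for fixed-length keys
    cipher_key_rounds: int = 0                   # ignored; none defined for ESP
    use_replay_prevention: bool = True
    replay_prevention_window_size: int = 64      # bits; expected to be a power of 2


@dataclass(frozen=True)
class ContainedTransform:
    group_component: str          # the IPsecProposal this transform belongs to
    part_component: SATransform
    sequence_number: int          # lower value => preferred among the same type


def validate_contained_transforms(assocs):
    """Return a list of constraint violations (empty when the model is consistent)."""
    problems = []
    seen = set()
    for a in assocs:
        key = (a.group_component, a.sequence_number)
        if key in seen:       # SequenceNumber values must be unique within a proposal
            problems.append(f"{a.group_component}: SequenceNumber {a.sequence_number} is reused")
        seen.add(key)
        t = a.part_component
        w = t.replay_prevention_window_size
        if t.use_replay_prevention and (w <= 0 or w & (w - 1)):
            problems.append(f"{t.transform_name}: window size {w} is not a power of 2")
    return problems


def assemble_proposal(proposal_name, assocs):
    """Group the proposal's transforms by type, each list in preference order.

    Entries of one type are alternatives (logically ORed); every type present
    in the result must be satisfied (logically ANDed)."""
    by_type = {}
    ordered = sorted((a for a in assocs if a.group_component == proposal_name),
                     key=lambda a: a.sequence_number)
    for a in ordered:
        by_type.setdefault(type(a.part_component).__name__, []).append(a.part_component)
    return by_type


# Constructed sample mirroring the draft's example:
#   ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }   AH = { MD5, SHA-1 }
# Transform IDs are the [DOI] numbers (ESP: DES=2, 3DES=3; HMAC-MD5=1; AH: MD5=2, SHA=3).
SAMPLE_ASSOCIATIONS = [
    ContainedTransform("proposal-1", ESPTransform("esp-hmacmd5-3des", integrity_transform_id=1,
                                                  cipher_transform_id=3), 1),
    ContainedTransform("proposal-1", ESPTransform("esp-hmacmd5-des", integrity_transform_id=1,
                                                  cipher_transform_id=2,
                                                  max_lifetime_kilobytes=4096), 2),
    ContainedTransform("proposal-1", AHTransform("ah-md5", ah_transform_id=2), 3),
    ContainedTransform("proposal-1", AHTransform("ah-sha1", ah_transform_id=3), 4),
]

if __name__ == "__main__":
    for kind, alternatives in assemble_proposal("proposal-1", SAMPLE_ASSOCIATIONS).items():
        print(kind, "= {", ", ".join(t.transform_name for t in alternatives), "}")
    print("problems:", validate_contained_transforms(SAMPLE_ASSOCIATIONS))
```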
7.10. The Association Class SATransformInSystem

The class SATransformInSystem weakly associates SATransforms with a
System. The class definition for SATransformInSystem is as follows:
NAME SATransformInSystem
DESCRIPTION Weakly associates SATransforms with a System.
DERIVED FROM PolicyInSystem (see [PCIM])
ABSTRACT FALSE
PROPERTIES Antecedent[ref System[1..1]]
Dependent[ref SATransform[0..n] [weak]]
7.10.1. The Reference Antecedent
The property Antecedent is inherited from PolicyInSystem and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that an SATransform instance MUST be associated with one
and only one System instance.
7.10.2. The Reference Dependent
The property Dependent is inherited from PolicyInSystem and is
overridden to refer to an SATransform instance. The [0..n]
cardinality indicates that a System instance may be associated with
zero or more SATransform instances.
8. IKE Service and Identity Classes
  +--------------+                                   +-------------------+
  |    System    |                                   | PeerIdentityEntry |
  | (Appendix A) |                                   +-------------------+
  +--------------+                                             |*w
        1| (a)                                 (b)             |
         +------------+                        +---------------+
                      |                        |
                     *|w                      1o
  +-------------+   +-------------------+   +---------------------+
  | PeerGateway |   | PeerIdentityTable |   | AutostartIKESetting |
  +-------------+   +-------------------+   +---------------------+
        *|                *|      *|                  *|
         +--------------+  |(d)    +----------+        |
           (c)        *|  *|     *|     (e)            |
                     *+------------+*                  |(f)
   +-----------------| IKEService |-----+              |
   |     (g)         +------------+     |(h)           |
 0..1|                   *|             *|            *o
  +--------------------+  |       +---------------------------+
  | IPProtocolEndpoint |  |       | AutostartIKEConfiguration |
  |    (Appendix C)    |  |(i)    +---------------------------+
  +--------------------+  |
   0..1|                  |
       |(j)               +-------------------+
      *|                                      |*
  +-------------+* (k)  +------------+   +-----------------------------+
  | IKEIdentity |-------| Collection |   | CredentialManagementService |
  +-------------+   0..1|(Appendix A)|   |        (Appendix B)         |
       *|               +------------+   +-----------------------------+
        |(l)
       *|
  +--------------+
  |  Credential  |
  | (Appendix B) |
  +--------------+
(a) HostedPeerIdentityTable
(b) PeerIdentityMember
(c) IKEServicePeerGateway
(d) IKEServicePeerIdentityTable
(e) IKEAutostartSetting
(f) AutostartIKESettingContext
(g) IKEServiceForEndpoint
(h) IKEAutostartConfiguration
(i) IKEUsesCredentialManagementService
(j) EndpointHasLocalIKEIdentity
(k) CollectionHasLocalIKEIdentity
(l) IKEIdentitysCredential
This portion of the model contains additional information that is
useful in applying the policy. The IKEService class MAY be used to
represent the IKE negotiation function in a system. The IKEService
uses the various tables that contain information about IKE peers as
well as the configuration for specifying security associations that
are started automatically. The information in the PeerGateway,
PeerIdentityTable and related classes is necessary to completely
specify the policies.
An interface (represented by an IPProtocolEndpoint) has an IKEService
that provides the negotiation services for that interface. That service
MAY also have a list of security associations that are automatically
started at the time the IKE service is initialized.
The IKEService also has a set of identities that it may use in
negotiations with its peers. Those identities are associated with
the interfaces (or collections of interfaces).
8.1. The Class IKEService
The class IKEService represents the IKE negotiation function. An
instance of this service may provide that negotiation service for
one or more interfaces (represented by the IPProtocolEndpoint class)
of a System. There may be multiple instances of IKE services on a
System but only one per interface. The class definition for
IKEService is as follows:
NAME IKEService
DESCRIPTION IKEService is used to represent the IKE negotiation
function.
DERIVED FROM NetworkService (see Appendix C)
ABSTRACT FALSE
8.2. The Class PeerIdentityTable
The class PeerIdentityTable aggregates the table entries that
provide mappings between identities and their addresses. The class
definition for PeerIdentityTable is as follows:
NAME PeerIdentityTable
DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry
instances to provide a table of identity-address
mappings.
DERIVED FROM Collection (see Appendix A)
ABSTRACT FALSE
PROPERTIES Name
8.2.1. The Property Name
The property Name uniquely identifies the table. The property is
defined as follows:
NAME Name
DESCRIPTION Name uniquely identifies the table.
SYNTAX string
8.3. The Class PeerIdentityEntry
The class PeerIdentityEntry specifies the mapping between a peer's
identity and its address. The class definition for PeerIdentityEntry is
as follows:
NAME PeerIdentityEntry
DESCRIPTION PeerIdentityEntry provides a mapping between a peer's
identity and address.
DERIVED FROM LogicalElement (see Appendix A)
ABSTRACT FALSE
PROPERTIES PeerIdentity
PeerIdentityType
PeerAddress
PeerAddressType
8.3.1. The Property PeerIdentity
The property PeerIdentity contains a string encoding of the Identity
payload for the IKE peer. The property is defined as follows:
NAME PeerIdentity
DESCRIPTION The PeerIdentity is the ID payload of a peer.
SYNTAX string
8.3.2. The Property PeerIdentityType
The property PeerIdentityType is an enumeration that specifies the
type of the PeerIdentity. The property is defined as follows:
NAME PeerIdentityType
DESCRIPTION PeerIdentityType is the type of the ID payload of a
peer.
SYNTAX unsigned 16-bit integer
VALUE The enumeration values are specified in [DOI] section
4.6.2.1.
8.3.3. The Property PeerAddress
The property PeerAddress specifies the string representation of the
IP address of the peer formatted according to the appropriate
convention as defined in the PeerAddressType property (e.g., dotted
decimal notation). The property is defined as follows:
NAME PeerAddress
DESCRIPTION PeerAddress is the address of the peer with the ID
payload.
SYNTAX string
VALUE String representation of an IPv4 or IPv6 address.
8.3.4. The Property PeerAddressType
The property PeerAddressType specifies the format of the PeerAddress
property value. The property is defined as follows:
NAME PeerAddressType
DESCRIPTION PeerAddressType is the type of address in PeerAddress.
SYNTAX unsigned 16-bit integer
VALUE 0 - Unknown
1 - IPv4
2 - IPv6
8.4. The Class AutostartIKEConfiguration
The class AutostartIKEConfiguration groups AutostartIKESetting
instances into configuration sets. When applied, the settings cause
an IKE service to automatically start (negotiate or statically set
as appropriate) the Security Associations. The class definition for
AutostartIKEConfiguration is as follows:
NAME AutostartIKEConfiguration
DESCRIPTION A configuration set of AutostartIKESetting instances to
be automatically started by the IKE service.
DERIVED FROM SystemConfiguration (see Appendix A)
ABSTRACT FALSE
8.5. The Class AutostartIKESetting
The class AutostartIKESetting is used to automatically initiate IKE
negotiations with peers (or statically create an SA) as specified in
the AutostartIKESetting properties. Appropriate actions are
initiated according to the policy that matches the setting
parameters. The class definition for AutostartIKESetting is as
follows:
NAME AutostartIKESetting
DESCRIPTION AutostartIKESetting is used to automatically initiate
IKE negotiations with peers or statically create an SA.
DERIVED FROM SystemSetting (see Appendix A)
ABSTRACT FALSE
PROPERTIES Phase1Only
AddressType
SourceAddress
SourcePort
DestinationAddress
DestinationPort
Protocol
8.5.1. The Property Phase1Only
The property Phase1Only is used to limit the IKE negotiation to just
setting up a phase 1 security association. When set to False, both
phase 1 and 2 negotiations are initiated.
The property is defined as follows:
NAME Phase1Only
DESCRIPTION Used to indicate which security associations to attempt
to establish (phase 1 only, or phase 1 and 2).
SYNTAX boolean
VALUE true - attempt to establish a phase 1 security
association
false - attempt to establish phase 1 and 2 security
associations
8.5.2. The Property AddressType
The property AddressType specifies the type of the addresses in the
SourceAddress and DestinationAddress properties. The property is defined
as follows:
NAME AddressType
DESCRIPTION AddressType is the type of address in SourceAddress and
DestinationAddress properties.
SYNTAX unsigned 16-bit integer
VALUE 0 - Unknown
1 - IPv4
2 - IPv6
8.5.3. The Property SourceAddress
The property SourceAddress specifies the dotted-decimal or colon-
decimal formatted IP address used as the source address in comparing
with policy filter entries and used in any phase 2 negotiations.
The property is defined as follows:
NAME SourceAddress
DESCRIPTION The source address to compare with the filters to
determine the appropriate policy rule.
SYNTAX string
VALUE dotted-decimal or colon-decimal formatted IP address
8.5.4. The Property SourcePort
The property SourcePort specifies the port number used as the source
port in comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:
NAME SourcePort
DESCRIPTION The source port to compare with the filters to
determine the appropriate policy rule.
SYNTAX unsigned 16-bit integer
8.5.5. The Property DestinationAddress
The property DestinationAddress specifies the dotted-decimal (IPv4)
or colon-hexadecimal (IPv6) formatted IP address used as the
destination address in comparing with policy filter entries and used
in any phase 2 negotiations. The property is defined as follows:
NAME DestinationAddress
DESCRIPTION The destination address to compare with the filters to
determine the appropriate policy rule.
SYNTAX string
VALUE dotted-decimal or colon-hexadecimal formatted IP address
8.5.6. The Property DestinationPort
The property DestinationPort specifies the port number used as the
destination port in comparing with policy filter entries and used in
any phase 2 negotiations. The property is defined as follows:
NAME DestinationPort
DESCRIPTION The destination port to compare with the filters to
determine the appropriate policy rule.
SYNTAX unsigned 16-bit integer
8.5.7. The Property Protocol
The property Protocol specifies the protocol number used in
comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:
NAME Protocol
DESCRIPTION The protocol number used in comparing with policy
filter entries.
SYNTAX unsigned 8-bit integer
8.6. The Class IKEIdentity
The class IKEIdentity is used to represent the identities that may
be used for an IPProtocolEndpoint (or collection of
IPProtocolEndpoints) to identify the IKE Service in IKE phase 1
negotiations. The IKEAction.UseIKEIdentityType property specifies
which type of the available identities to use in a negotiation
exchange, and the IKERule.IdentityContexts property specifies the
match values to be used, along with the local address, in selecting
the appropriate identity for a negotiation. The ElementID property
value (defined in the parent class, UsersAccess) should be that of
either the IPProtocolEndpoint or the Collection of endpoints, as
appropriate.
The class definition for IKEIdentity is as follows:
NAME IKEIdentity
DESCRIPTION IKEIdentity is used to represent the identities that
may be used for an IPProtocolEndpoint (or collection of
IPProtocolEndpoints) to identify the IKE Service in IKE
phase 1 negotiations.
DERIVED FROM UsersAccess (see Appendix B)
ABSTRACT FALSE
PROPERTIES IdentityType
IdentityValue
IdentityContexts
8.6.1. The Property IdentityType
The property IdentityType is an enumeration that specifies the type
of the IdentityValue. The property is defined as follows:
NAME IdentityType
DESCRIPTION IdentityType is the type of the IdentityValue.
SYNTAX unsigned 8-bit integer
VALUE The enumeration values are specified in [DOI] section
4.6.2.1.
8.6.2. The Property IdentityValue
The property IdentityValue contains a string encoding of the
Identity payload. For IKEIdentity instances that are address
types, the IdentityValue string value may be omitted, in which case
the address of the associated IPProtocolEndpoint (or of the
appropriate member of the Collection of endpoints) is used. The
property is defined as follows:
NAME IdentityValue
DESCRIPTION IdentityValue contains a string encoding of the
Identity payload.
SYNTAX string
8.6.3. The Property IdentityContexts
The IdentityContexts property is used to constrain the use of
IKEIdentity instances to match that specified in the
IKERule.IdentityContexts. The IdentityContexts are formatted as
policy roles and role combinations [PCIM]. Each value represents
one context or context combination. Since this is a multi-valued
property, more than one context or combination of contexts can be
associated with a single IKEIdentity. Each value is a string of the
form: <ContextName>[&&<ContextName>]*
where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). If one or more
values in the IKERule.IdentityContexts array match one or more
IKEIdentity.IdentityContexts then the identity's context matches.
(That is, each value of the IdentityContext array is an ORed
condition.) In combination with the address of the
IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
1 and only 1 IKEIdentity. The property is defined as follows:
NAME IdentityContexts
DESCRIPTION The IKE service of a security endpoint may have
multiple identities for use in different situations.
The combination of the interface (represented by
the IPProtocolEndpoint), the identity type (as
specified in the IKEAction) and the IdentityContexts
selects a unique identity.
SYNTAX string array
VALUE string of the form <ContextName>[&&<ContextName>]*
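The following Python example is added here as an illustration of the selection rule in 8.6.3; it is not code from the draft or from any implementation. It canonicalises context combinations into the <ContextName>[&&<ContextName>]* form, treats each array value as an ORed condition, and refuses to continue unless exactly one IKEIdentity remains for the given endpoint, IdentityType and rule contexts. The class, function and sample names (eth0, the example FQDNs, the constructed identity list) are assumptions of the example; the IdentityType constants follow [DOI] section 4.6.2.1.

```python
"""Selecting the local IKEIdentity for a phase 1 negotiation.

Added example illustrating the selection rule of section 8.6.3; it is
not code from the draft. The dataclass fields mirror the model's
property names, but the class and function names, and the constructed
sample data at the bottom, are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Optional

ID_IPV4_ADDR = 1     # IdentityType values from [DOI] section 4.6.2.1
ID_FQDN = 2
ID_IPV6_ADDR = 5
ADDRESS_ID_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR}   # single-address types only


@dataclass
class IKEIdentity:
    element_id: str                    # ElementID: the IPProtocolEndpoint or Collection
    identity_type: int                 # [DOI] 4.6.2.1 enumeration value
    identity_value: Optional[str]      # may be omitted for address types (8.6.2)
    identity_contexts: list = field(default_factory=list)


def canonical_context(value: str) -> str:
    """Normalise '<ContextName>[&&<ContextName>]*' so the names appear in
    UCS-2 collating order as 8.6.3 requires. Python compares str by code
    point, which is the UCS-2 order for characters in the BMP."""
    names = {n.strip() for n in value.split("&&") if n.strip()}
    if not names:
        raise ValueError("empty context combination")
    return "&&".join(sorted(names))


def contexts_match(rule_contexts, identity_contexts) -> bool:
    """Each array value is an ORed condition: the identity's context
    matches when any IKERule value equals any IKEIdentity value. A
    combination such as 'A&&B' is one value and does not match 'A'."""
    rule = {canonical_context(c) for c in rule_contexts}
    ident = {canonical_context(c) for c in identity_contexts}
    return not rule.isdisjoint(ident)


def select_identity(identities, element_id, use_identity_type, rule_contexts):
    """Apply the three selectors of 8.6.3: the local endpoint (ElementID),
    IKEAction.UseIKEIdentityType and IKERule.IdentityContexts. Exactly one
    identity SHOULD remain; anything else is treated as a policy
    configuration error rather than silently picking one."""
    candidates = [
        i for i in identities
        if i.element_id == element_id
        and i.identity_type == use_identity_type
        and contexts_match(rule_contexts, i.identity_contexts)
    ]
    if len(candidates) != 1:
        raise LookupError(
            f"expected exactly one IKEIdentity for {element_id}, type "
            f"{use_identity_type}, contexts {list(rule_contexts)}; "
            f"found {len(candidates)}")
    return candidates[0]


def effective_identity_value(identity, endpoint_address):
    """8.6.2: for address-type identities an omitted IdentityValue means
    'use the address of the associated IPProtocolEndpoint'."""
    if identity.identity_value is None:
        if identity.identity_type not in ADDRESS_ID_TYPES:
            raise ValueError("IdentityValue may only be omitted for address types")
        return endpoint_address
    return identity.identity_value


# Constructed sample data: one endpoint holding three identities for
# different contexts, as a gateway with partner and internal peers might.
SAMPLE_IDENTITIES = [
    IKEIdentity("eth0", ID_FQDN, "gw.example.net", ["Internal"]),
    IKEIdentity("eth0", ID_FQDN, "gw-partner.example.net", ["VPN&&Partner"]),
    IKEIdentity("eth0", ID_IPV4_ADDR, None, ["Internal", "Partner&&VPN"]),
]


def demo():
    """Pick the FQDN identity for a rule carrying the Partner&&VPN context."""
    chosen = select_identity(SAMPLE_IDENTITIES, "eth0", ID_FQDN, ["Partner&&VPN"])
    return chosen.identity_value


if __name__ == "__main__":
    print(demo())
```

A rule listing both "Internal" and "Partner&&VPN" would match two FQDN identities on eth0, and select_identity raises rather than guessing; that is the case the SHOULD in 8.6.3 is warning about.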
8.7. The Association Class HostedPeerIdentityTable
The class HostedPeerIdentityTable provides the name scoping
relationship for PeerIdentityTable entries in a System. The
PeerIdentityTable is weak to the System. The class definition for
HostedPeerIdentityTable is as follows:
NAME HostedPeerIdentityTable
DESCRIPTION The PeerIdentityTable instances are weak (name scoped
by) the owning System.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref System[1..1]]
Dependent [ref PeerIdentityTable[0..n] [weak]]
8.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerIdentityTable instance MUST be associated in a
weak relationship with one and only one System instance.
8.7.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to a PeerIdentityTable instance. The [0..n]
cardinality indicates that a System instance may be associated with
zero or more PeerIdentityTable instances.
8.8. The Aggregation Class PeerIdentityMember
The class PeerIdentityMember aggregates PeerIdentityEntry instances
into a PeerIdentityTable. This is a weak aggregation. The class
definition for PeerIdentityMember is as follows:
NAME PeerIdentityMember
DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry
instances into a PeerIdentityTable.
DERIVED FROM MemberOfCollection (see Appendix A)
ABSTRACT FALSE
PROPERTIES Collection [ref PeerIdentityTable[1..1]]
Member [ref PeerIdentityEntry [0..n] [weak]]
8.8.1. The Reference Collection
The property Collection is inherited from MemberOfCollection and is
overridden to refer to a PeerIdentityTable instance. The [1..1]
cardinality indicates that a PeerIdentityEntry instance MUST be
associated with one and only one PeerIdentityTable instance (i.e.,
PeerIdentityEntry instances are not shared across
PeerIdentityTables).
8.8.2. The Reference Member
The property Member is inherited from MemberOfCollection and is
overridden to refer to a PeerIdentityEntry instance. The [0..n]
cardinality indicates that a PeerIdentityTable instance may be
associated with zero or more PeerIdentityEntry instances.
8.9. The Association Class IKEServicePeerGateway
The class IKEServicePeerGateway provides the association between an
IKEService and the list of PeerGateway instances that it uses in
negotiating with security gateways. The class definition for
IKEServicePeerGateway is as follows:
NAME IKEServicePeerGateway
DESCRIPTION Associates an IKEService and the list of PeerGateway
instances that it uses in negotiating with security
gateways.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerGateway[0..n]]
Dependent [ref IKEService[0..n]]
8.9.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more PeerGateway instances.
8.9.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that a PeerGateway instance may be associated
with zero or more IKEService instances.
8.10. The Association Class IKEServicePeerIdentityTable
The class IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it uses to map
between addresses and identities as required. The class definition
for IKEServicePeerIdentityTable is as follows:
NAME IKEServicePeerIdentityTable
DESCRIPTION IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it
uses.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerIdentityTable[0..n]]
Dependent [ref IKEService[0..n]]
8.10.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerIdentityTable instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more PeerIdentityTable instances.
8.10.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that a PeerIdentityTable instance may be
associated with zero or more IKEService instances.
8.11. The Association Class IKEAutostartSetting
The class IKEAutostartSetting associates an AutostartIKESetting with
an IKEService that may use it to automatically start an IKE
negotiation or create a static SA. The class definition for
IKEAutostartSetting is as follows:
NAME IKEAutostartSetting
DESCRIPTION Associates a AutostartIKESetting with an IKEService.
DERIVED FROM ElementSetting (see Appendix A)
ABSTRACT FALSE
PROPERTIES Element [ref IKEService[0..n]]
Setting [ref AutostartIKESetting[0..n]]
8.11.1. The Reference Element
The property Element is inherited from ElementSetting and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates an AutostartIKESetting instance may be
associated with zero or more IKEService instances.
8.11.2. The Reference Setting
The property Setting is inherited from ElementSetting and is
overridden to refer to an AutostartIKESetting instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more AutostartIKESetting instances.
8.12. The Aggregation Class AutostartIKESettingContext
The class AutostartIKESettingContext aggregates the settings used to
automatically start negotiations or create a static SA into a
configuration set. The class definition for
AutostartIKESettingContext is as follows:
NAME AutostartIKESettingContext
DESCRIPTION AutostartIKESettingContext aggregates the
AutostartIKESetting instances into a configuration set.
DERIVED FROM SystemSettingContext (see Appendix A)
ABSTRACT FALSE
PROPERTIES Context [ref AutostartIKEConfiguration [0..n]]
Setting [ref AutostartIKESetting [0..n]]
SequenceNumber
8.12.1. The Reference Context
The property Context is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an AutostartIKESetting instance
may be associated with zero or more AutostartIKEConfiguration
instances (i.e., a setting may be in multiple configuration sets).
8.12.2. The Reference Setting
The property Setting is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKESetting instance. The [0..n]
cardinality indicates that an AutostartIKEConfiguration instance may
be associated with zero or more AutostartIKESetting instances.
8.12.3. The Property SequenceNumber
The property SequenceNumber indicates the ordering to be used when
starting negotiations or creating a static SA. A zero value
indicates that order is not significant and the setting may be
applied in parallel with other settings. All other settings in the
configuration are executed in sequence from lower values to higher.
Sequence numbers need not be unique in an AutostartIKEConfiguration,
and order is not significant for settings with the same sequence
number. The property is defined as follows:
NAME SequenceNumber
DESCRIPTION The sequence in which the settings are applied within a
configuration set.
SYNTAX unsigned 16-bit integer
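The following Python example is added here as an illustration of sections 8.5 and 8.12.3; it is not code from the draft or from any implementation. It first checks each AutostartIKESetting for internal consistency (AddressType against the address literal, ports and protocol against their unsigned widths) and then orders the settings of one AutostartIKEConfiguration by SequenceNumber as described above, separating the zero-numbered settings that may run in parallel from the batches that must run in sequence. The class and function names, the representation of AutostartIKESettingContext as (SequenceNumber, setting) pairs, and the sample configuration are assumptions of the example.

```python
"""Validating AutostartIKESetting instances and ordering them by
SequenceNumber within an AutostartIKEConfiguration.

Added example for sections 8.5 and 8.12.3; it is not code from the
draft. Field names follow the model's properties; the pair
representation of AutostartIKESettingContext, the batch structure
returned by plan_autostart and the sample configuration are
assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from itertools import groupby

ADDRESS_TYPE_IPV4 = 1      # AddressType enumeration, section 8.5.2
ADDRESS_TYPE_IPV6 = 2


@dataclass(frozen=True)
class AutostartIKESetting:
    name: str
    phase1_only: bool
    address_type: int
    source_address: str
    source_port: int
    destination_address: str
    destination_port: int
    protocol: int


def validate_setting(s: AutostartIKESetting) -> None:
    """Reject a setting whose AddressType disagrees with its address
    literals or whose ports/protocol do not fit their unsigned widths.
    Left unchecked, such a setting would simply never match a policy
    filter and the SA would silently never be started."""
    for addr in (s.source_address, s.destination_address):
        ip = ipaddress.ip_address(addr)          # ValueError on malformed text
        expected = ADDRESS_TYPE_IPV4 if ip.version == 4 else ADDRESS_TYPE_IPV6
        if s.address_type != expected:
            raise ValueError(f"{s.name}: AddressType {s.address_type} "
                             f"does not match address {addr}")
    for port in (s.source_port, s.destination_port):
        if not 0 <= port <= 0xFFFF:
            raise ValueError(f"{s.name}: port {port} out of range")
    if not 0 <= s.protocol <= 0xFF:
        raise ValueError(f"{s.name}: protocol {s.protocol} out of range")


def plan_autostart(context_entries):
    """context_entries: (SequenceNumber, AutostartIKESetting) pairs of one
    AutostartIKEConfiguration. Returns (unordered, batches): settings with
    SequenceNumber 0 may start in parallel with anything; the rest run
    batch by batch in ascending order, and settings sharing a number form
    one batch with no order among them."""
    entries = list(context_entries)
    for seq, s in entries:
        if not 0 <= seq <= 0xFFFF:
            raise ValueError(f"{s.name}: SequenceNumber {seq} out of range")
        validate_setting(s)
    unordered = [s for seq, s in entries if seq == 0]
    ordered = sorted((e for e in entries if e[0] != 0), key=lambda e: e[0])
    batches = [[s for _, s in grp] for _, grp in groupby(ordered, key=lambda e: e[0])]
    return unordered, batches


# Constructed sample configuration: bring up the phase 1 SA to a hub
# gateway first, then two phase 2 SAs that depend on it, plus one
# IPv6 setting whose timing does not matter.
SAMPLE_CONFIGURATION = [
    (20, AutostartIKESetting("mail-to-hub", False, ADDRESS_TYPE_IPV4,
                             "192.0.2.10", 0, "198.51.100.5", 25, 6)),
    (10, AutostartIKESetting("hub-phase1", True, ADDRESS_TYPE_IPV4,
                             "192.0.2.1", 0, "198.51.100.1", 0, 0)),
    (20, AutostartIKESetting("dns-to-hub", False, ADDRESS_TYPE_IPV4,
                             "192.0.2.10", 0, "198.51.100.53", 53, 17)),
    (0, AutostartIKESetting("v6-monitor", False, ADDRESS_TYPE_IPV6,
                            "2001:db8::10", 0, "2001:db8:1::1", 0, 58)),
]


def sample_plan():
    """Return the plan for the sample configuration as names only."""
    unordered, batches = plan_autostart(SAMPLE_CONFIGURATION)
    return [s.name for s in unordered], [[s.name for s in b] for b in batches]


if __name__ == "__main__":
    print(sample_plan())
```

Running the module prints the plan for the constructed configuration; a setting whose AddressType claims IPv4 while its address is an IPv6 literal is rejected before any negotiation is started.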
8.13. The Association Class IKEServiceForEndpoint
The class IKEServiceForEndpoint provides the association showing
which IKE service, if any, provides IKE negotiation services for
which network interfaces. The class definition for
IKEServiceForEndpoint is as follows:
NAME IKEServiceForEndpoint
DESCRIPTION Associates an IPProtocolEndpoint with an IKEService
that provides negotiation services for the endpoint.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref IKEService[0..1]]
Dependent [ref IPProtocolEndpoint[0..n]]
8.13.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..1]
cardinality indicates that an IPProtocolEndpoint instance MUST be
associated with at most one IKEService instance.
8.13.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IPProtocolEndpoint that is associated with
at most one IKEService. The [0..n] cardinality indicates an
IKEService instance may be associated with zero or more
IPProtocolEndpoint instances.
8.14. The Association Class IKEAutostartConfiguration
The class IKEAutostartConfiguration provides the relationship
between an IKEService and a configuration set that it uses to
automatically start a set of SAs. The class definition for
IKEAutostartConfiguration is as follows:
NAME IKEAutostartConfiguration
DESCRIPTION IKEAutostartConfiguration provides the relationship
between an IKEService and an AutostartIKEConfiguration
that it uses to automatically start a set of SAs.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]]
Dependent [ref IKEService [0..n]]
Active
8.14.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an IKEService instance may be
associated with zero or more AutostartIKEConfiguration instances.
8.14.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that an AutostartIKEConfiguration instance may
be associated with zero or more IKEService instances.
8.14.3. The Property Active
The property Active indicates whether the AutostartIKEConfiguration
set is currently active for the associated IKEService. That is, at
boot time, the active configuration is used to automatically start
IKE negotiations and create static SAs. The property is defined as
follows:
NAME Active
DESCRIPTION Active indicates whether the AutostartIKEConfiguration
set is currently active for the associated IKEService.
SYNTAX boolean
VALUE true - AutostartIKEConfiguration is currently active
for associated IKEService.
false - AutostartIKEConfiguration is currently inactive
for associated IKEService.
8.15. The Association Class IKEUsesCredentialManagementService
The class IKEUsesCredentialManagementService defines the set of
CredentialManagementService(s) that are trusted sources of
credentials for IKE phase 1 negotiations. The class definition for
IKEUsesCredentialManagementService is as follows:
NAME IKEUsesCredentialManagementService
DESCRIPTION Associates the set of CredentialManagementService(s)
that are trusted by the IKEService as sources of
credentials used in IKE phase 1 negotiations.
DERIVED FROM Dependency (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref CredentialManagementService [0..n]]
Dependent [ref IKEService [0..n]]
8.15.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an IKEService instance may be
associated with zero or more CredentialManagementService instances.
8.15.2. The Reference Dependent
The property Dependent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates that a CredentialManagementService instance
may be associated with zero or more IKEService instances.
8.16. The Association Class EndpointHasLocalIKEIdentity
The class EndpointHasLocalIKEIdentity associates an
IPProtocolEndpoint with a set of IKEIdentity instances that may be
used in negotiating security associations on the endpoint. An
IKEIdentity MUST be associated either with an IPProtocolEndpoint
using this association or with a Collection of IPProtocolEndpoint
instances using the CollectionHasLocalIKEIdentity association. The
class definition for EndpointHasLocalIKEIdentity is as follows:
NAME EndpointHasLocalIKEIdentity
DESCRIPTION EndpointHasLocalIKEIdentity associates an
IPProtocolEndpoint with a set of IKEIdentity instances.
DERIVED FROM ElementAsUser (see Appendix B)
ABSTRACT FALSE
PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]]
Dependent [ref IKEIdentity [0..n]]
8.16.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is
overridden to refer to an IPProtocolEndpoint instance. The [0..1]
cardinality indicates that an IKEIdentity instance MUST be
associated with at most one IPProtocolEndpoint instance.
8.16.2. The Reference Dependent
The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that an IPProtocolEndpoint instance may be
associated with zero or more IKEIdentity instances.
8.17. The Association Class CollectionHasLocalIKEIdentity
The class CollectionHasLocalIKEIdentity associates a Collection of
IPProtocolEndpoint instances with a set of IKEIdentity instances
that may be used in negotiating SAs for endpoints in the collection.
An IKEIdentity MUST be associated either with an IPProtocolEndpoint
using the EndpointHasLocalIKEIdentity association or with a
Collection of IPProtocolEndpoint instances using this association.
The class definition for CollectionHasLocalIKEIdentity is as follows:
NAME CollectionHasLocalIKEIdentity
DESCRIPTION CollectionHasLocalIKEIdentity associates a collection
of IPProtocolEndpoint instances with a set of
IKEIdentity instances.
DERIVED FROM ElementAsUser (see Appendix B)
ABSTRACT FALSE
PROPERTIES Antecedent [ref Collection [0..1]]
Dependent [ref IKEIdentity [0..n]]
8.17.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is
overridden to refer to a Collection instance. The [0..1]
cardinality indicates that an IKEIdentity instance MUST be
associated with at most one Collection instance.
8.17.2. The Reference Dependent
The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that a Collection instance may be associated
with zero or more IKEIdentity instances.
8.18. The Association Class IKEIdentitysCredential
The class IKEIdentitysCredential is an association that relates a
set of credentials to their corresponding local IKE Identities. The
class definition for IKEIdentitysCredential is as follows:
NAME IKEIdentitysCredential
DESCRIPTION IKEIdentitysCredential associates a set of credentials
to their corresponding local IKEIdentity.
DERIVED FROM UsersCredential (see Appendix A)
ABSTRACT FALSE
PROPERTIES Antecedent [ref Credential [0..n]]
Dependent [ref IKEIdentity [0..n]]
8.18.1. The Reference Antecedent
The property Antecedent is inherited from UsersCredential and is
overridden to refer to a Credential instance. The [0..n]
cardinality indicates that an IKEIdentity instance may be associated
with zero or more Credential instances.
8.18.2. The Reference Dependent
The property Dependent is inherited from UsersCredential and is
overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that a Credential instance may be associated
with zero or more IKEIdentity instances.
9. Security Considerations
This document describes a schema for IPsec policy. It does not
detail security requirements for storage or delivery of said schema.
Storage and delivery security requirements should be detailed in a
comprehensive security policy architecture document.
10. Intellectual Property
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.
[...]
attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
11. Acknowledgments
The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
Vic Lortz, and William Dixon for their contributions to this IPsec
policy model.
Additionally, this draft would not have been possible without the
preceding IPsec schema drafts. For that, thanks go out to Rob
Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
Rajan.
12. References
[IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)",
RFC 2409, November 1998.
[COMP] Shacham, A., R. Monsour, R. Pereira, and M. Thomas, "IP
Payload Compression Protocol (IPComp)", RFC 2393, August 1998.
[ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload
(ESP)", RFC 2406, November 1998.
[AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC
2402, November 1998.
[PCIM] Moore, B., E. Ellesson, and J. Strassner, "Policy Core
Information Model -- Version 1 Specification", RFC 3060, February
2001.
[DOI] Piper, D., "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC 2407, November 1998.
[LDAP] Wahl, M., T. Howes, and S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997.
[COPS] Boyle, J., R. Cohen, D. Durham, S. Herzog, R. Rajan, and A.
Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
January 2000.
[COPSPR] Chan, K., D. Durham, S. Gai, S. Herzog, K. McCloghrie,
F. Reichmeyer, J. Seligson, A. Smith, and R. Yavatkar, "COPS Usage
for Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000.
Internet-Draft work in progress.
[SPSL] Condell, M., C. Lynn, and J. Zao, "Security Policy
Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000.
Internet-Draft work in progress.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[IPSO] Kent, S., "U.S. Department of Defense Security Options for
the Internet Protocol", RFC 1108, November 1991.
[IPSEC] Kent, S., and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
13. Disclaimer
The views and specification herein are those of the authors and are
not necessarily those of their employer. The authors and their
employer specifically disclaim responsibility for any problems
arising from correct or incorrect implementation or use of this
specification.
14. Authors' Addresses
Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
E-Mail: jamie.jason@intel.com
Lee Rafalow
IBM Corporation, BRQA/502
4205 So. Miami Blvd.
Research Triangle Park, NC 27709
E-mail: rafalow@raleigh.ibm.com
Eric Vyncke
Cisco Systems
Avenue Marcel Thiry, 77
B-1200 Brussels
Belgium
E-mail: evyncke@cisco.com
15. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
[...]
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Appendix A (DMTF Core Model MOF)
// ==================================================================
// ManagedElement
// ==================================================================
[Abstract, Description (
"ManagedElement is an abstract class that provides a common "
"superclass (or top of the inheritance tree) for the "
"non-association classes in the CIM Schema.")]
class CIM_ManagedElement
{
[MaxLen (64), Description (
"The Caption property is a short textual description (one-"
"line string) of the object.") ]
string Caption;
[Description (
"The Description property provides a textual description of "
"the object.") ]
string Description;
};
// ==================================================================
// Collection
// ==================================================================
[Abstract, Description (
"Collection is an abstract class that provides a common "
"superclass for data elements that represent collections of "
"ManagedElements and its subclasses.")]
class CIM_Collection : CIM_ManagedElement
{
};
// ==================================================================
// ManagedSystemElement
// ==================================================================
[Abstract, Description (
"CIM_ManagedSystemElement is the base class for the System "
"Element hierarchy. Membership Criteria: Any distinguishable "
"component of a System is a candidate for inclusion in this "
"class. Examples: software components, such as files; and "
"devices, such as disk drives and controllers, and physical "
"components such as chips and cards.") ]
class CIM_ManagedSystemElement : CIM_ManagedElement
{
[Description (
"A datetime value indicating when the object was installed. "
"A lack of a value does not indicate that the object is not "
"installed."),
MappingStrings {"MIF.DMTF|ComponentID|001.5"} ]
datetime InstallDate;
[MaxLen (256), Description (
"The Name property defines the label by which the object is "
"known. When subclassed, the Name property can be overridden "
"to be a Key property.") ]
string Name;
[MaxLen (10), Description (
" A string indicating the current status of the object. "
"Various operational and non-operational statuses are "
"defined. Operational statuses are \"OK\", \"Degraded\", "
"\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that "
"the Element is functioning, but needs attention. Examples "
"of \"Stressed\" states are overload, overheated, etc. The "
"condition \"Pred Fail\" (failure predicted) indicates that "
"an Element is functioning properly but predicting a failure "
"in the near future. An example is a SMART-enabled hard "
"drive. \n"
" Non-operational statuses can also be specified. These "
"are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", "
"\"Stopped\", "
"\"Service\", \"No Contact\" and \"Lost Comm\". \"NonRecover\" "
"indicates that a non-recoverable error has occurred. "
"\"Service\" describes an Element being configured, "
"maintained, "
"cleaned, or otherwise administered. This status could apply "
"during