Internet Engineering Task Force Jamie Jason INTERNET DRAFT Intel Corporation11-July-20001-March-2001 Lee Rafalow IBM Eric Vyncke Cisco Systems IPsec Configuration Policy Modeldraft-ietf-ipsp-config-policy-model-01.txtdraft-ietf-ipsp-config-policy-model-02.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document presents an object-oriented model of IPsec policy designed to: o facilitate agreement about the content and semantics of IPsec policy o enable derivations of task-specific representations of IPsec policy such as storage schema, distribution representations, and policy specification languages used to configure IPsec- enabled endpoints The schema described in this document models the IKE phase one parameters as described in [IKE] and the IKE phase two parameters for the IPsec Domain of Interpretation as described in [COMP, ESP, AH, DOI]. It is based upon the core policy classes as defined in the Policy Core Information Model (PCIM) [PCIM]. Table of Contents Status of this Memo................................................1 Abstract...........................................................1 Table of Contents..................................................2 1.Introduction....................................................5Introduction....................................................7 2. UMLConventions.................................................5Conventions.................................................7 3. IPsec Policy Model InheritanceHeirarchy........................6Hierarchy........................8 4. PolicyClasses..................................................9Classes.................................................13 4.1. The ClassIPsecPolicyGroup....................................9 4.1.1. The Property IKERuleOverridePoint..........................10 4.1.2. The Property IPsecRuleOverridePoint........................10IPsecPolicyGroup...................................14 4.2. The ClassSARule.............................................11SARule.............................................14 4.2.1. The Property LimitNegotiation..............................14 4.3. The ClassIKERule............................................11IKERule............................................15 4.3.1. The Property IdentityContexts..............................15 4.4. The ClassIPsecRule..........................................11IPsecRule..........................................16 4.5. The Aggregation ClassIPsecPolicyGroupInPolicyGroup..........12IPsecPolicyGroupInPolicyGroup..........16 4.5.1. The ReferenceContainingGroup..............................12GroupComponent...............................17 4.5.2. The ReferenceContainedGroup...............................12PartComponent................................17 4.5.3. The PropertyPrecedence....................................12GroupPriority.................................17 4.6. TheCompositionAssociation ClassRuleForIKENegotiation..................12IPsecPolicyForEndpoint.................17 4.6.1. The ReferenceContainingGroup..............................13Antecedent...................................18 4.6.2. The ReferenceContainedRule................................13Dependent....................................18 4.7. TheCompositionAssociation ClassRuleForIPsecNegotiation................13IPsecPolicyForSystem...................18 4.7.1. The ReferenceContainingGroup..............................13Antecedent...................................18 4.7.2. The ReferenceContainedRule................................13Dependent....................................18 4.8. The Aggregation ClassSAConditionInRule......................14RuleForIKENegotiation..................19 4.8.1. The ReferenceContainingRule...............................14GroupComponent...............................19 4.8.2. The ReferenceContainedCondition...........................14 4.8.3. The Property SequenceNumber................................14PartComponent................................19 4.9. The Aggregation ClassSAActionInRule.........................14RuleForIPsecNegotiation................19 4.9.1. The ReferenceContainingRule...............................15GroupComponent...............................19 4.9.2. The ReferenceContainedAction..............................15PartComponent................................20 4.10. The Aggregation ClassFallbackSAActionInRule................15SAConditionInRule.....................20 4.10.1. The ReferenceContainingRule..............................15GroupComponent..............................20 4.10.2. The ReferenceContainedAction.............................15 4.10.3.PartComponent...............................20 4.11. The Aggregation Class SAActionInRule........................20 4.11.1. The Reference GroupComponent..............................21 4.11.2. The Reference PartComponent...............................21 4.11.3. The PropertySequenceNumber...............................16ActionOrder..................................21 5. Condition and FilterClasses...................................17Classes...................................22 5.1. The ClassSACondition........................................18 5.1.1. The Property StartupCondition..............................18SACondition........................................22 5.2. The ClassFilterList.........................................18 5.2.1. The Property Name..........................................19 5.2.2. The Property Direction.....................................19FilterEntry........................................23 5.3. TheAbstractClassFilterEntryBase...........................19CredentialFilterEntry..............................23 5.3.1. The PropertyName..........................................19MatchFieldName................................24 5.3.2. The PropertyIsNegated.....................................19MatchFieldValue...............................24 5.3.3. The Property CredentialType................................24 5.4. TheAbstractClassIPFilterEntry.............................20IPSOFilterEntry....................................24 5.4.1. The Property MatchConditionType............................25 5.4.2. The Property MatchConditionValue...........................25 5.5. TheAbstractClassEndpointFilterEntry.......................20PeerIDPayloadFilterEntry...........................25 5.5.1. The PropertyApplyToDestination............................20MatchIdentityType.............................26 5.5.2. The Property MatchIdentityValue............................26 5.6. The Association ClassIPv4AddressFilterEntry.............................20FilterOfSACondition....................27 5.6.1. TheProperty Address.......................................21Reference Antecedent...................................27 5.6.2. The Reference Dependent....................................27 5.7. The Association ClassIPv4RangeFilterEntry...............................21AcceptCredentialFrom...................27 5.7.1. TheProperty StartAddress..................................21Reference Antecedent...................................28 5.7.2. TheProperty EndAddress....................................21 5.8.Reference Dependent....................................28 6. Action Classes.................................................29 6.1. The ClassIPv4SubnetFilterEntry..............................21 5.8.1.SAAction...........................................30 6.1.1. The PropertyAddress.......................................22 5.8.2.DoActionLogging...............................30 6.1.2. The PropertyMask..........................................22 5.9.DoPacketLogging...............................30 6.2. The ClassIPv6AddressFilterEntry.............................22 5.9.1.SAStaticAction.....................................31 6.2.1. The PropertyAddress.......................................22 5.10.LifetimeSeconds...............................31 6.3. The ClassIPv6RangeFilterEntry..............................22 5.10.1. The Property StartAddress.................................23 5.10.2.IPsecBypassAction..................................31 6.4. TheProperty EndAddress...................................23 5.11.Class IPsecDiscardAction.................................31 6.5. The ClassIPv6SubnetFilterEntry.............................23 5.11.1.IKERejectAction....................................32 6.6. TheProperty Address......................................23 5.11.2.Class PreconfiguredSAAction..............................32 6.6.1. The PropertyMask.........................................24 5.12.LifetimeKilobytes.............................33 6.7. The ClassFQDNFilterEntry...................................24 5.12.1. The Property Name.........................................24 5.13.PreconfiguredTransportAction.......................33 6.8. The ClassProtocolFilterEntry...............................24 5.13.1.PreconfiguredTunnelAction..........................33 6.8.1. The PropertyProtocol.....................................24 5.14. The Class UDPFilterEntry....................................25 5.14.1.PeerGatewayAddressType........................33 6.8.2. The PropertyStartPort....................................25 5.14.2.PeerGatewayAddress............................34 6.8.3. The PropertyEndPort......................................25 5.15.DFHandling....................................34 6.9. The ClassTCPFilterEntry....................................25 5.15.1.SANegotiationAction................................34 6.9.1. The PropertyStartPort....................................26 5.15.2.MinLifetimeSeconds............................35 6.9.2. The PropertyEndPort......................................26 5.16. The Abstract Class IPSOFilterEntry..........................26 5.17. The Class ClassificationLevelFilterEntry....................26 5.17.1.MinLifetimeKilobytes..........................35 6.9.3. The PropertyLevel........................................26 5.18. The Class ProtectionAuthorityFilterEntry....................27 5.18.1.RefreshThresholdSeconds.......................35 6.9.4. The PropertyAuthority....................................27 5.19. The Class CredentialFilterEntry.............................27 5.20. The Aggregation Class FilterOfSACondition...................27 5.20.1.RefreshThresholdKilobytes.....................36 6.9.5. TheReference Antecedent..................................28 5.20.2. The Reference Dependent...................................28 5.21.Property IdleDurationSeconds...........................36 6.10. TheCompositionClassEntriesInFilterList...................28 5.21.1. The Reference Antecedent..................................28 5.21.2. The Reference Dependent...................................28 5.21.3.IPsecAction.......................................36 6.10.1. The PropertyEntrySequence................................29 6. Action Classes.................................................30 6.1.UsePFS.......................................37 6.10.2. TheClass SAAction...........................................30 6.2.Property UseIKEGroup..................................37 6.10.3. TheClass SAStaticAction.....................................30 6.2.1.Property GroupId......................................37 6.10.4. The PropertyLifetimeSeconds...............................31 6.3.Granularity..................................38 6.10.5. TheClass IPsecBypassAction..................................31 6.4.Property VendorID.....................................38 6.11. The ClassIPsecDiscardAction.................................31 6.4.1. The Property DoLogging.....................................32 6.5.IPsecTransportAction..............................38 6.12. The ClassIKERejectAction....................................32 6.5.1.IPsecTunnelAction.................................38 6.12.1. The PropertyDoLogging.....................................32 6.6.DFHandling...................................39 6.13. The ClassSAPreconfiguredAction..............................32 6.7. The Class SANegotiationAction................................33 6.7.1.IKEAction.........................................39 6.13.1. The PropertyMinLifetimeSeconds............................33 6.7.2.RefreshThresholdDerivedKeys..................39 6.13.2. The PropertyMinLifetimeKilobytes..........................33 6.7.3.ExchangeMode.................................40 6.13.3. The PropertyRefreshThresholdSeconds.......................34 6.7.4.UseIKEIdentityType...........................40 6.13.4. The PropertyRefreshThresholdKilobytes.....................34 6.7.5.VendorID.....................................40 6.13.5. The PropertyIdleDurationSeconds...........................34 6.8.AggressiveModeGroupId........................41 6.14. The ClassIPsecAction........................................35 6.8.1. The Property UsePFS........................................35 6.8.2.PeerGateway.......................................41 6.14.1. The PropertyUseIKEGroup...................................35 6.8.3.Name.........................................41 6.14.2. The PropertyGroupId.......................................35 6.8.4.PeerIdentityType.............................41 6.14.3. The PropertyGranularity...................................36 6.9.PeerIdentity.................................42 6.15. The Association ClassIPsecTransportAction...............................36 6.10.PeerGatewayForTunnel..................42 6.15.1. TheClass IPsecTunnelAction.................................36 6.10.1.Reference Antecedent..................................42 6.15.2. TheProperty PeerGateway..................................37 6.10.2.Reference Dependent...................................43 6.15.3. The PropertyDFHandling...................................37 6.11.SequenceNumber...............................43 6.16. The Aggregation ClassIKEAction.........................................37 6.11.1.ContainedProposal.....................43 6.16.1. TheProperty RefreshThresholdDerivedKeys..................37 6.11.2.Reference GroupComponent..............................43 6.16.2. TheProperty ExchangeMode.................................38 6.11.3.Reference PartComponent...............................44 6.16.3. The PropertyUseIKEIdentityType...........................38 6.12.SequenceNumber...............................44 6.17. TheAggregationAssociation ClassContainedProposal.....................38 6.12.1.HostedPeerGatewayInformation..........44 6.17.1. The Reference Antecedent..................................44 6.17.2. The Reference Dependent...................................44 6.18. The Association Class TransformOfPreconfiguredAction........44 6.18.1. The ReferenceGroupComponent..............................39 6.12.2.Antecedent..................................45 6.18.2. The ReferencePartComponent...............................39 6.12.3.Dependent...................................45 6.18.3. The PropertySequenceNumber...............................39SPI..........................................45 7. Proposal and TransformClasses.................................40Classes.................................46 7.1. The Abstract ClassSAProposal................................40SAProposal................................46 7.1.1. The PropertyName..........................................40 7.1.2. The Property MaxLifetimeSeconds............................41 7.1.3. The Property MaxLifetimeKilobytes..........................41Name..........................................46 7.2. The ClassIKEProposal........................................41IKEProposal........................................47 7.2.1. The PropertyLifetimeDerivedKeys...........................41LifetimeDerivedKeys...........................47 7.2.2. The PropertyCipherAlgorithm...............................42CipherAlgorithm...............................47 7.2.3. The PropertyHashAlgorithm.................................42HashAlgorithm.................................48 7.2.4. The PropertyPRFAlgorithm..................................42PRFAlgorithm..................................48 7.2.5. The PropertyGroupId.......................................43GroupId.......................................48 7.2.6. The PropertyAuthenticationMethod..........................43AuthenticationMethod..........................48 7.2.7. The Property MaxLifetimeSeconds............................49 7.2.8. The Property MaxLifetimeKilobytes..........................49 7.2.9. The Property VendorID......................................49 7.3. The ClassIPsecProposal......................................43IPsecProposal......................................49 7.4. The Abstract ClassSATransform...............................44SATransform...............................50 7.4.1. The PropertyName..........................................44 7.4.1.TransformName.................................50 7.4.2. The Property VendorID......................................50 7.4.3. The Property MaxLifetimeSeconds............................50 7.4.4. The PropertyVendorID......................................44MaxLifetimeKilobytes..........................51 7.5. The ClassAHTransform........................................44AHTransform........................................51 7.5.1. The PropertyAHTransformId.................................44AHTransformId.................................51 7.5.2. The Property UseReplayPrevention...........................51 7.5.3. The Property ReplayPreventionWindowSize....................52 7.6. The ClassESPTransform.......................................45ESPTransform.......................................52 7.6.1. The PropertyIntegrityTransformId..........................45IntegrityTransformId..........................52 7.6.2. The PropertyCipherTransformId.............................45CipherTransformId.............................52 7.6.3. The PropertyCipherKeyLength...............................46CipherKeyLength...............................53 7.6.4. The PropertyCipherKeyRounds...............................46CipherKeyRounds...............................53 7.6.5. The Property UseReplayPrevention...........................53 7.6.6. The Property ReplayPreventionWindowSize....................53 7.7. The ClassIPCOMPTransform....................................46IPCOMPTransform....................................54 7.7.1. The PropertyAlgorithm.....................................46Algorithm.....................................54 7.7.2. The PropertyDictionarySize................................47DictionarySize................................54 7.7.3. The PropertyPrivateAlgorithm..............................47PrivateAlgorithm..............................54 7.8. TheAggregationAssociation ClassContainedTransform.....................47SAProposalInSystem.....................54 7.8.1. The ReferenceGroupComponent...............................48Antecedent...................................55 7.8.2. The ReferencePartComponent................................48 7.8.3.Dependent....................................55 7.9. The Aggregation Class ContainedTransform.....................55 7.9.1. The Reference GroupComponent...............................55 7.9.2. The Reference PartComponent................................56 7.9.3. The PropertySequenceNumber................................48SequenceNumber................................56 7.10. The Association Class SATransformInSystem...................56 7.10.1. The Reference Antecedent..................................56 7.10.2. The Reference Dependent...................................56 8.Security Considerations........................................48 9. Intellectual Property..........................................48 10. Acknowledgments...............................................49 11. References....................................................49 12. Disclaimer....................................................50 13. Author's Address..............................................50 14. Full Copyright Statement......................................50 1. Introduction Internet Protocol security (IPsec) policy may assume a variety of forms as it travels from storage to distribution point to decision point. At each step, it needs to be represented in a way that is convenient for the current task. For example, the policy could exist as, but is not limited to: o a LightweightIKE Service and Identity Classes...............................58 8.1. The Class IKEService.........................................59 8.2. The Class PeerIdentityTable..................................59 8.3.1. The Property Name..........................................59 8.3. The Class PeerIdentityEntry..................................60 8.3.1. The Property PeerIdentity..................................60 8.3.2. The Property PeerIdentityType..............................60 8.3.3. The Property PeerAddress...................................60 8.3.4. The Property PeerAddressType...............................60 8.4. The Class AutostartIKEConfiguration..........................61 8.5. The Class AutostartIKESetting................................61 8.5.1. The Property Phase1Only....................................61 8.5.2. The Property AddressType...................................62 8.5.3. The Property SourceAddress.................................62 8.5.4. The Property SourcePort....................................62 8.5.5. The Property DestinationAddress............................62 8.5.6. The Property DestinationPort...............................63 8.5.7. The Property Protocol......................................63 8.6. The Class IKEIdentity........................................63 8.6.1. The Property IdentityType..................................64 8.6.2. The Property IdentityValue.................................64 8.6.3. The Property IdentityContexts..............................64 8.7. The Association Class HostedPeerIdentityTable................65 8.7.1. The Reference Antecedent...................................65 8.7.2. The Reference Dependent....................................65 8.8. The Aggregation Class PeerIdentityMember.....................65 8.8.1. The Reference Collection...................................65 8.8.2. The Reference Member.......................................66 8.9. The Association Class IKEServicePeerGateway..................66 8.9.1. The Reference Antecedent...................................66 8.9.2. The Reference Dependent....................................66 8.10. The Association Class IKEServicePeerIdentityTable...........66 8.10.1. The Reference Antecedent..................................67 8.10.2. The Reference Dependent...................................67 8.11. The Association Class IKEAutostartSetting...................67 8.11.1. The Reference Element.....................................67 8.11.2. The Reference Setting.....................................67 8.12. The Aggregation Class AutostartIKESettingContext............67 8.12.1. The Reference Context.....................................68 8.12.2. The Reference Setting.....................................68 8.12.3. The Property SequenceNumber...............................68 8.13. The Association Class IKEServiceForEndpoint.................68 8.13.1. The Reference Antecedent..................................69 8.13.2. The Reference Dependent...................................69 8.14. The Association Class IKEAutostartConfiguration.............69 8.14.1. The Reference Antecedent..................................69 8.14.2. The Reference Dependent...................................69 8.14.3. The Property Active.......................................69 8.15. The Association Class IKEUsesCredentialManagementService....70 8.15.1. The Reference Antecedent..................................70 8.15.2. The Reference Dependent...................................70 8.16. The Association Class EndpointHasLocalIKEIdentity...........70 8.16.1. The Reference Antecedent..................................71 8.16.2. The Reference Dependent...................................71 8.17. The Association Class CollectionHasLocalIKEIdentity.........71 8.17.1. The Reference Antecedent..................................71 8.17.2. The Reference Dependent...................................71 8.18. The Association Class IKEIdentitysCredential................72 8.18.1. The Reference Antecedent..................................72 8.18.2. The Reference Dependent...................................72 9. Security Considerations........................................72 10. Intellectual Property.........................................72 11. Acknowledgments...............................................73 12. References....................................................73 13. Disclaimer....................................................74 14. Authors' Addresses............................................74 15. Full Copyright Statement......................................74 Appendix A (DMTF Core Model MOF)..................................75 Appendix B (DMTF User Model MOF)..................................90 Appendix C (DMTF Network Model MOF)..............................105 1. Introduction Internet Protocol security (IPsec) policy may assume a variety of forms as it travels from storage to distribution point to decision point. At each step, it needs to be represented in a way that is convenient for the current task. For example, the policy could exist as, but is not limited to: o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in a directory o an on-the-wire representation over a transport protocol like the Common Object Policy Service (COPS) [COPS, COPSPR] o a text-based policy specification language [SPSL] suitable for editing by an administrator o an Extensible Markup Language (XML) document Each of these task-specific representations should be derived from a canonical representation that precisely specifies the content and semantics of the IPsec policy. The purpose of this document is to abstract IPsec policy into a task-independent representation that is not constrained by any particular task-dependent representation. This document is organized as follows: o Section 2 provides a quick introduction to the Unified Modeling Language (UML) graphical notation conventions used in this document. o Section 3 provides the inheritance hierarchywhichthat describes where the IPsec policy classes fit into the policy class hierarchy already defined byPCIM.the Policy Core Information Model (PCIM). o The remainder of the document describes the classeswhichthat make up the IPsec policy model. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS]. 2. UML Conventions For this document, a UML static class diagram was chosen as the canonical representation for the IPsec policy model. The reason behind this decision is that UML provides a graphical, task- independent way to model systems. A treatise on the graphical notation used in UML is beyond the scope of this paper. However, given the use of ASCII drawing for UML static class diagrams, a description of the notational conventions used in this document is in order: o Boxes represent classes, with class names in brackets ([]) representinga virtualan abstract class. o A line that terminates with an arrow (<, >, ^, v) denotes inheritance. The arrow always points to the parent class. Inheritance can also be called generalization or specialization (depending upon the reference point). A base class is a generalization of a derived class, and a derived class is a specialization of a base class. o Associations are used to model a relationship between two classes. Classes that share an association are connected using a line.There are twoA specialkindskind ofassociations - aggregations and compositions. Both modelassociation is also used: an aggregation. An aggregation models a whole-part relationship between two classes. Associations, and thereforeaggregations and compositions,aggregations, can also be modeled as classes. o A line that begins withaan "o" denotes aggregation. Aggregation denotes containment in which the contained class and the containing class have independent lifetimes. oA line that begins with an "x" denotes composition. Composition denotes containment in which the contained class and the contianing class have coincident lifetimes. oNext to a line representing an association appears amultiplicity. Multiplicitiescardinality. Cardinalities indicate the constraints on the number ofobjectsobject instances in a set of relationships. Every association instance has a single set of references. The cardinality indicates therelationship.number of instances that may refer to a given object instance. Themultiplicitycardinality may be: - a range in the form "lower bound..upper bound" indicating the minimum and maximum number of objects. - a number that indicates the exact number of objects. - an asterisk indicating any number of objects, including zero. Using an asterisk is shorthand for 0..n. - the letter n indicating from 1 to many. Using the letter n is shorthand for 1..n. o A class that has an association may have a "w" next to the line representing the association. This is called a weak association and is discussed in [PCIM]. It should be noted that the UML static class diagram presented is a conceptual view of IPsec policy designed to aid in understanding. It does not necessarily get translated class for class into another representation. For example, an LDAP implementation may flatten out the representation to fewer classes (because of the inefficiency of following references). 3. IPsec Policy Model InheritanceHeirarchyHierarchy Like PCIM from which it is derived, the IPsec Configuration Policy Model derives from and uses classes defined in the DMTF Common Information Model (CIM). The followingdiagramtree represents the inheritance hierarchyand howfor the IPsec policy model classes and how they fit intoPCIM. [unrooted]PCIM and the other DMTF models (see Appendices for descriptions of classes that are not being introduced as part of IPsec model). CIM classes that are not used as a superclass from which to derive new classes but are only referenced are not included this inheritance hierarchy, but are included in the appropriate appendix. ManagedElement (DMTF Core Model - Appendix A) |+--Policy (PCIM)+--Collection (DMTF Core Model - Appendix A) | | |+--PolicyGroup (PCIM)+--PeerIdentityTable | +--ManagedSystemElement (DMTF Core Model - Appendix A) | | | +--LogicalElement (DMTF Core Model - Appendix A) | |+--IPsecPolicyGroup (new class)| +--FilterEntryBase (DMTF Network Model - Appendix C) | |+--PolicyRule (PCIM)| | | +--CredentialFilterEntry | |+--SARule (new abstract class)| | | +--IPSOFilterEntry | |+--IKERule (new class)| | | +--PeerIDPayloadFilterEntry | |+--IPsecRule (new class)| +--PeerGateway | |+--PolicyCondition (PCIM)| +--PeerIdentityEntry | | | +--Service (DMTF Core Model - Appendix A) |+--SACondition (new class)| | +--NetworkService (DMTF Network Model - Appendix C) |+--PolicyAction (PCIM)| | +--IKEService |+--SAAction (new abstract class)+--OrganizationalEntity (DMTF User Model - Appendix B) | | |+--SAStaticAction (new abstract class)+--UserEntity (DMTF User Model - Appendix B) | | | +--UsersAccess (DMTF User Model - Appendix B) | |+--IPsecBypassAction (new class)| +--IKEIdentity | +--Policy (PCIM) | | |+--IPsecDiscardAction (new class)+--PolicyAction (PCIM) | | | | |+--IKERejectAction (new class)+--SAAction | | | | |+--SAPreconfiguredAction (new class)+--SANegotiationAction | | |+--SANegotiationAction (new abstract class)| | |+--IPsecAction (new abstract class)| +--IKEAction | | | |+--IPsecTransportAction (new class)| | | +--IPsecAction | |+--IPsecTunnelAction (new class)| | |+--IKEAction (new abstract class)|+--FilterList|+--FilterEntryBase+--IPsecTransportAction | | |+--IPFilterEntry (new abstract class)| | | | +--IPsecTunnelAction |+--EndpointFilterEntry (new abstract class)| | | | +--SAStaticAction | | |+--IPv4AddressFilterEntry (new class)| | +--IKERejectAction | | | | |+--IPv4RangeFilterEntry (new class)+--IPsecBypassAction | | | | | +--IPsecDiscardAction | |+--IPv4SubnetFilterEntry (new class)| | | +--PreconfiguredSAAction | | | |+--IPv6AddressFilterEntry (new class)| +--PreconfiguredTransportAction | | | | | +--PreconfiguredTunnelAction |+--IPv6RangeFilterEntry (new class)| | +--PolicyCondition (PCIM) | | | | | +--SACondition | |+--IPv6SubnetFilterEntry (new class)| +--PolicyGroup (PCIM) | | | | | +--IPsecPolicyGroup |+--FQDNFilterEntry (new class)| | +--PolicyRule (PCIM) | | | |+--PortFilterEntry (new class)| +--SARule | | | |+--ProtocolFilterEntry (new class)| +--IKERule | |+--IPSOFilterEntry (new class)| | |+--CredentialFilterEntry (new class)+--IPsecRule | | | +--SAProposal(new abstract class)| | | | | +--IKEProposal(new class)| | | | | +--IPsecProposal(new class)| | | +--SATransform(new abstract class)|+--AHTransform (new class)| | +--AHTransform | | | +--ESPTransform(new class)| | | +--IPCOMPTransform(new class)| +--Setting (DMTF Core Model - Appendix A) | | | +--SystemSetting (DMTF Core Model - Appendix A) | | | +--AutostartIKESetting | +--SystemConfiguration (DMTF Core Model - Appendix A) | +--AutostartIKEConfiguration The followingdiagramtree represents the inheritance hierarchyand howof the IPsec policy model association classes and how they fit intoPCIM. [unrooted]PCIM and the other DMTF models (see Appendices for description of associations classes that are not being introduced as part of IPsec model). Dependency (DMTF Core Model - Appendix A) |+--PolicyGroupInPolicyGroup+--AcceptCredentialsFrom | +--ElementAsUser (DMTF User Model - Appendix B) | | | +--EndpointHasLocalIKEIdentity | | | +--CollectionHasLocalIKEIdentity | +--FilterOfSACondition | +--HostedPeerGatewayInformation | +--HostedPeerIdentityTable | +--IKEAutostartConfiguration | +--IKEServiceForEndpoint | +--IKEServicePeerGateway | +--IKEServicePeerIdentityTable | +--IKEUsesCredentialManagementService | +--IPsecPolicyForEndpoint | +--PeerGatewayForTunnel | +--PolicyInSystem (PCIM) | | |+--IPsecPolicyGroupInPolicyGroup (new class)+--PolicyGroupInSystem (PCIM) | | | +--SAProposalInSystem | | | +--SATransformInSystem | +--IPsecPolicyForSystem | +--TransformOfPreconfiguredAction | +--UsersCredential (DMTF User Model - Appendix B) | +--IKEIdentitysCredential ElementSetting (DMTF Core Model - Appendix A) | +--IKEAutostartSetting MemberOfCollection (DMTF Core Model - Appendix A) | +--PeerIdentityMember PolicyComponent (PCIM) | +--ContainedProposal | +--ContainedTransform | +--PolicyActionInPolicyRule (PCIM) | | | +--SAActionInRule | +--PolicyConditionInPolicyRule (PCIM) | | | +--SAConditionInRule(new class)|+--FallbackSAActionInRule (new class)+--PolicyGroupInPolicyGroup (PCIM) |+--EntriesInFilterList (new class)|+--ContainedProposal (new class)|+--IPsecContainedTransform (new class)+--IPsecPolicyGroupInPolicyGroup | +--PolicyRuleInPolicyGroup | +--RuleForIKENegotiation | +--RuleForIPsecNegotiation SystemSettingContext (DMTF Core Model - Appendix A) | +--AutostartIKESettingContext 4. Policy Classes The IPsec policy classes represent the set of policies that are contained on a system. +--------------------+ | IPProtocolEndpoint | | (Appendix C) | +--------------------+ | * | (a) | (b) +------+ | | |* |*+------------------+0..1 | *+------------------+0..1 (c) *+------------+ +---o| IPsecPolicyGroup |-----------| System | +------------------+ |(Appendix A)| 1x xo o 1(b)+------------+ (d) | |(c)(e) +-----------------------+ +---------------------+ | | | +---------------------------+ | | | PolicyTimePeriodCondition | | | |(defined in(see [PCIM]) | | | +---------------------------+ | | *| | | |(d)(f) | | *o | |+-------------+*+-------------+n *+--------+*1+----------+n+----------+ | | | SACondition |------o| SARule |o-------| SAAction | | | +-------------+(e)(g) +--------+(f)(h) +----------+ | | ^|*| | |+------+| | +--------+--------+ |(g) || | |*o| | *+---------+ +-----------+* | +---------------| IKERule | | IPsecRule |------------+ +---------+ +-----------+ (a) IPsecPolicyGroupInPolicyGroup (b)RuleForIKENegotiationIPsecPolicyForEndpoint (c)RuleForIPsecNegotiationIPsecPolicyForSystem (d) RuleForIKENegotiation (e) RuleForIPsecNegotiation (f) PolicyRuleValidityPeriod(defined in(see [PCIM])(e)(g) SAConditionInRule(f)(h) SAActionInRule(g) FallbackSAActionInRuleAn IPsecPolicyGroup represents the set of policies that are used on an interface. This IPsecPolicyGroup SHOULD be associated either directly with the IPProtocolEndpoint class instance that represents the interface (via the IPsecPolicyForEndpoint association) or indirectly (via the IPsecPolicyForSystem association) associated with the System that hosts the interface. 4.1. The Class IPsecPolicyGroup The class IPsecPolicyGroup serves as a container of either other IPsecPolicyGroups or a set of IKERules and a set of IPsecRules.Rules contained within an IPsecPolicyGroup MUST have a unique Priority value.The class definition for IPsecPolicyGroup is as follows: NAME IPsecPolicyGroup DESCRIPTION Either a set of IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. DERIVED FROM PolicyGroup (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyGroupName (from PolicyGroup)IKERuleOverridePoint IPsecRuleOverridePointNOTE: for derivations of the schema that are used for policy distribution to an IPsec device (for example, COPS-PR), the server may follow all of IPsecPolicyGroupInPolicyGroup associations and create one policy group which is simply a set of all of the IKE rules and a set of all of the IPsec rules. See the section on the IPsecPolicyGroupInPolicyGroup aggregation for information on merging multiple IPsecPolicyGroups.4.1.1.4.2. TheProperty IKERuleOverridePoint This property specifies the rule priority at which the policy author is willing to allow IKERule insertions byClass SARule The class SARule serves as alocal administrator. For example, the IT department may define the policy on a company- wide basis, but allow groups or individuals to insert rules into the policy to override defaults. Rules are ordered in decreasing order of their priority (i.e., higher priorities come first). The override point specifies that if rules are inserted, they are to be inserted before all rules equal to or less than the override priority value. For example, assume that there is a group G1 with IKE rules as follows: G1 = { Rule A (priority 50), Rule B (priority 25), Rule C (priority 15) } The IKE override value for G1 is 20. Now assume that a local administrator wants to insert a set of IKE rules {Rule D, Rule E} where Rule D has a higher priority than Rule E. The new rules will be added before rules in G1 with priority equal to or less than 20. So, when evaluating rules, the order of evaluation would be A, B, D, E, C. Note that the priority of the rules in override set are relative only to the set. The property is defined as follows: NAME IKERuleOverridePoint DESCRIPTION Specifies the rule priority at which the policy author is willing to allow IKERule insertions by a local administrator. SYNTAX unsigned 16-bit integer 4.1.2. The Property IPsecRuleOverridePoint This property specifies the rule priority at which the policy author is willing to allow IPsecRule insertions by a local administrator. This property is the same as IKERuleOverridePoint except it is used for the IPsec rules in the IPsecPolicyGroup. The property is defined as follows: NAME IPsecRuleOverridePoint DESCRIPTION Specifies the rule priority at which the policy author is willing to allow IPsecRule insertions by a local administrator. SYNTAX unsigned 16-bit integer 4.2. The Class SARule The class SARule serves as a base class for IKERule and IPsecRule. Even thoughbase class for IKERule and IPsecRule. Even though the class is concrete, it MUST not be instantiated. It defines a common connection point for associations to conditions and actions for both types of rules.Each SARule within a given IPsecPolicyGroup must contain a unique priority.Through its derivation from PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has the PolicyRuleValidityPeriod association.The class definition forAn SARuleis as follows: NAMEinherits the property Priority from PolicyRule. Since there is a need for an unambiguous ordering of rules in an IPsec system, all SARules contained within an IPsecPolicyGroup must have unique priority values. The class definition for SARule is as follows: NAME SARule DESCRIPTION A base class for IKERule and IPsecRule. DERIVED FROM PolicyRule (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyRuleName (from PolicyRule) Enabled (from PolicyRule) ConditionListType (from PolicyRule)Priority (from PolicyRule) PolicyRoles (from PolicyRule)LimitNegotiation 4.2.1. The Property LimitNegotiation The property LimitNegotiation is used as part of processing either an IKE or an IPsec rule. Before proceeding with a phase 1 negotiation, this property is checked to determine if the negotiation role of the rule matches that defined for the negotiation being undertaken (e.g., Initiator, Responder, or Both). If this check fails (e.g. the current role is IKE responder while the rule specifies IKE initiator), then the IKE negotiation is stopped. Note that this only applies to new IKE phase 1 negotiations and has no effect on either renegotiation or refresh operations with peers for which an established SA already exists. Before proceeding with a phase 2 negotiation, the LimitNegotiation property of the IPsecRule is first checked to determine if the negotiation role indicated for the rule matches that of the current negotiation (Initiator, Responder, or Either). Note that this limit applies only to new phase 2 negotiations. It is ignored when an attempt is made to refresh an expiring SA (either side can initiate a refresh operation). The IKE system can determine that the negotiation is a refresh operation by checking to see if the selector information matches that of an existing SA. If LimitNegotiation does not match and the selector corresponds to a new SA, the negotiation is stopped. The property is defined as follows: NAME LimitNegotiation DESCRIPTION Limits the role to be undertaken during negotiation. SYNTAX unsigned 16-bit integer VALUE 1 “ initiator-only 2 “ responder-only 3 - both 4.3. The Class IKERule The class IKERule associates Conditions and Actions for IKE phase 1 negotiations. The class definition for IKERule is as follows: NAME IKERule DESCRIPTION Associates Conditions and Actions for IKE phase 1 negotiations. DERIVED FROM SARule ABSTRACT FALSE PROPERTIES same asSARule 4.4.SARule, plus IdentityContexts 4.3.1. TheClass IPsecRuleProperty IdentityContexts Theclass IPsecRule associates Conditions and Actions forIKEphase 2 negotiationsservice of a security endpoint may have multiple identities forthe IPsec DOI.use in different situations. Theclasscombination of the interface (represented by the IPProtocolEndpoint), the identity type (as specified in the IKEAction) and the IdentityContexts specifies a unique identity. The IdentityContexts property specifies the context to select the relevant IKE identity to be used during the further IKEAction. A context may be a VPN name or other identifier for selecting the appropriate identity for use on the protected IPProtocolEndpoint. IdentityContexts is an array of strings. The multiple values in the array are ORed together in evaluating the IdentityContexts. Each value in the array may be the composition of multiple context names. So, a single value may be a single context name (e.g., "CompanyXVPN") or it may be combination of contexts. When an array value is a composition, the individual values are ANDed together for evaluation purposes and the syntax is: <ContextName>[&&<ContextName>]* where the individual context names appear in alphabetical order (according to the collating sequence for UCS-2). So, for example, the values "CompanyXVPN", "CompanyYVPN&&TopSecret", "CompanyZVPN&&Confidential" means that, for the appropriate IPProtocolEndpoint and IdentityType, the contexts are matched if the identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or "CompanyZVPN&&Confidential". The property is defined as follows: NAME IdentityContexts DESCRIPTION Specifies the context in which to select the IKE identity. SYNTAX string array 4.4. The Class IPsecRule The class IPsecRule associates Conditions and Actions for IKE phase 2 negotiations for the IPsec DOI. The class definition for IPsecRule is as follows: NAME IKERule DESCRIPTION Associates Conditions and Actions for IKE phase 2 negotiations for the IPsec DOI. DERIVED FROM SARule ABSTRACT FALSE PROPERTIES same as SARule 4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec policies to be combinedtointo one effective policy.When merging policies, rule prioritiesSee [PCIM] for a description of the how policies areused in conjunction withmerged (see also therule override point values to determine insertion points and for rule priority renumbering (if necessary to maintain uniqueness).property GroupPriority). The class definition for IPsecPolicyGroupInPolicyGroup is as follows: NAME IPsecPolicyGroupInPolicyGroup DESCRIPTION Associates a nested IPsecPolicyGroup with the IPsecPolicyGroup that contains it. DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM]) ABSTRACT FALSE PROPERTIESContainingGroup[refGroupComponent[ref IPsecPolicyGroup[0..n]]ContainedGroup[refPartComponent[ref IPsecPolicyGroup[0..n]]PrecedenceGroupPriority 4.5.1. The ReferenceContainingGroupGroupComponent The propertyContainingGroupGroupComponent is inherited from PolicyGroupInPolicyGroup and is overridden tocontain object referencerefer to an IPsecPolicyGroupthat contains one or more IPsecPolicyGroups.instance. The [0..n] cardinality indicates that a given IPsecPolicyGroup instance may be a part of zero or more containing IPsecPolicyGroup instances (i.e., there may be zero or moreIPsecPolicyGroups that contain any given IPsecPolicyGroup.GroupComponent references per PartComponent). 4.5.2. The ReferenceContainedGroupPartComponent The propertyContainedGroupPartComponent is inherited from PolicyGroupInPolicyGroup and is overridden tocontain an object referencerefer to an IPsecPolicyGroupcontained by one or more IPsecPolicyGroups.instance. The [0..n] cardinality indicates thatana given IPsecPolicyGroup instance may contain zero or moreIPsecPolicyGroups. 4.5.3. The Property Precedence The property Precedence specifies the merge ordering ofIPsecPolicyGroup instances (i.e., there may be zero or more PartComponent references per GroupComponent). 4.5.3. The Property GroupPriority Since policy groups, IPsecPolicyGroup, can contain both rules and other policy groups, the relative priorities of the rules of the contained groups are established by setting the GroupPriority property of IPsecPolicyGroupInPolicyGroup as a unique rule priority in the containing group. The rules of the nestedIPsecPolicyGroups.group are inserted in order at that position (i.e. indicated by GroupPriority) in the containing group's rules The property is defined as follows: NAMEPrecedenceGroupPriority DESCRIPTION Specifies themerge ordering of therule priority to be set to all nestedIPsecPolicyGroups.rules. SYNTAX unsigned 16-bit integer VALUE Any value between 1 and 2^16-1 inclusive. Lower values have higher precedence (i.e., 1 is the highest precedence). The merging order of two ContainedGroups with the same precedence is undefined. 4.6. TheCompositionAssociation ClassRuleForIKENegotiationIPsecPolicyForEndpoint The classRuleForIKENegotiationIPsecPolicyForEndpoint associates anIKERuleIPsecPolicyGroup with a specific network interface. If an IPProtocolEndpoint of a system does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the IPsecPolicyForSystem associated IPsecPolicyGroup is used for thatcontains it.endpoint. The class definition forRuleForIKENegotiationIPsecPolicyForEndpoint is as follows: NAMERuleForIKENegotiationIPsecPolicyForEndpoint DESCRIPTION Associatesan IKERule with the IPsecPolicyGroup that contains it.a policy group to a network interface. DERIVED FROM Dependency (see Appendix A) ABSTRACT FALSE PROPERTIESContainingGroup [ref IPsecPolicyGroup [1..1]] ContainedRule [ref IKERule [0..n]]Antecedent[ref IPProtocolEndpoint[0..n]] Dependent[ref IPsecPolicyGroup[0..1]] 4.6.1. The ReferenceContainingGroupAntecedent The propertyContainingGroup contains an object referenceAntecedent is inherited from Dependency and is overridden to refer to anIPsecPolicyGroup that contains one or more IKERules.IPProtocolEndpoint instance. The[1..1][0..n] cardinality indicates that anIKERuleIPsecPolicyGroup instance may becontained in only one IPsecPolicyGroup (i.e., IKERules are not shared across IPsecPolicyGroups).associated with zero or more IPProtocolEndpoint instances. 4.6.2. The ReferenceContainedRuleDependent The propertyContainedRule contains an object referenceDependent is inherited from Dependency and is overridden to refer to anIKERule contained by an IPsecPolicyGroup.IPsecPolicyGroup instance. The[0..n][0..1] cardinality indicates that anIPsecPolicyGroupIPProtocolEndpoint instance maycontain zero or more IKERules.have an association to at most one IPsecPolicyGroup instance. 4.7. TheCompositionAssociation ClassRuleForIPsecNegotiationIPsecPolicyForSystem The classRuleForIPsecNegotiationIPsecPolicyForSystem associates anIPsecRuleIPsecPolicyGroup with a specific system. If an IPProtocolEndpoint of a system does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the IPsecPolicyForSystem associated IPsecPolicyGroup is used for thatcontains it.endpoint. The class definition forRuleForIPsecNegotiationIPsecPolicyForSystem is as follows: NAMERuleForIPsecNegotiationIPsecPolicyForSystem DESCRIPTIONAssociates an IPsecRule with the IPsecPolicyGroup that contains it.Default policy group for a system. DERIVED FROM Dependency (see Appendix A) ABSTRACT FALSE PROPERTIESContainingGroup [ref IPsecPolicyGroup [1..1]] ContainedRule [ref IPsecRule [0..n]]Antecedent[ref System[0..n]] Dependent[ref IPsecPolicyGroup[0..1]] 4.7.1. The ReferenceContainingGroupAntecedent The propertyContainingGroup contains an object reference to an IPsecPolicyGroup that contains one or more IPsecRules.Antecedent is inherited from Dependency and is overridden to refer to a System instance. The[1..1][0..n] cardinality indicates that anIPsecRule may be contained in only oneIPsecPolicyGroup(i.e., IPsecRules are not shared across IPsecPolicyGroups).instance may have an association to zero or more System instances. 4.7.2. The ReferenceContainedRuleDependent The propertyContainedRule contains an object referenceDependent is inherited from Dependency and is overridden to refer to anIPsecRule contained by an IPsecPolicyGroup.IPsecPolicyGroup instance. The[0..n][0..1] cardinality indicates that a System instance may have an association to at most one IPsecPolicyGroupmay contain zero or more IPsecRules.instance. 4.8. The Aggregation ClassSAConditionInRuleRuleForIKENegotiation The classSAConditionInRuleRuleForIKENegotiation associates anSARuleIKERule with theSACondition instancesIPsecPolicyGroup thattriggercontains it.See [PCIM] for the usage for the properties GroupNumber and ConditionNegated.The class definition forSAConditionInRuleRuleForIKENegotiation is as follows: NAMESAConditionInRuleRuleForIKENegotiation DESCRIPTION Associates anSARuleIKERule with theSACondition instancesIPsecPolicyGroup thattriggercontains it. DERIVED FROMPolicyConditionInPolicyRulePolicyRuleInPolicyGroup (see [PCIM]) ABSTRACT FALSE PROPERTIESContainingRuleGroupComponent [refSARule [0..n]] ContainedConditionIPsecPolicyGroup [1..1]] PartComponent [refSAConditionIKERule [0..n]]GroupNumber (from PolicyConditionInPolicyRule) ConditionNegated (from PolicyConditionInPolicyRule) SequenceNumber4.8.1. The ReferenceContainingRuleGroupComponent The propertyContainingRuleGroupComponent is inherited fromPolicyConditionInPolicyRulePolicyRuleInPolicyGroup and is overridden tocontain an object referencerefer to anSARule that contains one or more SAConditions.IPsecPolicyGroup instance. The[0..n][1..1] cardinality indicates that anSAConditionIKERule instance may be contained inzero or more SARules.one and only one IPsecPolicyGroup instance (i.e., IKERules are not shared across IPsecPolicyGroups). 4.8.2. The ReferenceContainedConditionPartComponent The propertyContainedConditionPartComponent is inherited fromPolicyConditionInPolicyRulePolicyRuleInPolicyGroup and is overridden tocontain an object referencerefer to anSACondition that is contained by an SARule.IKERule instance. The [0..n] cardinality indicates that anSARuleIPsecPolicyGroup instance may contain zero or moreSAConditions. 4.8.3. The Property SequenceNumber The property SequenceNumber specifies, for a given rule, the order in which the SACondition instances will be evaluated. The property is defined as follows: NAME SequenceNumber DESCRIPTION Specifies the evaluation order of the SAConditions. SYNTAX unsigned 16-bit integer VALUE Lower valued SAConditions are evaluated first. The order of evaluation of ContainedConditions with the same SequenceNumber value is undefined.IKERule instances. 4.9. The Aggregation ClassSAActionInRuleRuleForIPsecNegotiation TheSAActionInRuleclass RuleForIPsecNegotiation associates anSARuleIPsecRule withits primary SAAction.the IPsecPolicyGroup that contains it. The class definition forSAActionInRuleRuleForIPsecNegotiation is as follows: NAMESAActionInRuleRuleForIPsecNegotiation DESCRIPTION Associates anSARuleIPsecRule withits primary SAAction. DERIVED FROM PolicyActionInPolicyRulethe IPsecPolicyGroup that contains it. DERIVED FROM PolicyRuleInPolicyGroup (see [PCIM]) ABSTRACT FALSE PROPERTIESContainingRule [ref SARule [0..n]] ContainedActionGroupComponent [refSAActionIPsecPolicyGroup [1..1]] PartComponent [ref IPsecRule [0..n]] 4.9.1. The ReferenceContainingRuleGroupComponent The propertyContainingRuleGroupComponent is inherited fromPolicyActionInPolicyRulePolicyRuleInPolicyGroup and is overridden tocontain an object referencerefer to anSARule that contains an SAAction.IPsecPolicyGroup instance. The[0..n][1..1] cardinality indicates that anSAActionIPsecRule instance may be contained inzero or more SARules.only one IPsecPolicyGroup instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). 4.9.2. The ReferenceContainedActionPartComponent The propertyContainedActionPartComponent is inherited fromPolicyActionInPolicyRulePolicyRuleInPolicyGroup and is overridden tocontain an object referencerefer to anSAAction that is contained by an SARule.IPsecRule instance. The[1..1][0..n] cardinality indicates that anSARuleIPsecPolicyGroup instance may containonly one SAAction.zero or more IPsecRules instance. 4.10. The Aggregation ClassFallbackSAActionInRuleSAConditionInRule The classFallbackSAActionInRuleSAConditionInRule associates an SARule withits ordered set of fallback actions. Fallback actions allow an administrator to define what action is to be take iftheSAAction referenced by SAActionInRule failsSACondition instance(s) that trigger(s) it. See [PCIM] forany reason.the usage for the properties GroupNumber and ConditionNegated. The class definition forFallbackSAActionInRuleSAConditionInRule is as follows: NAMEFallbackSAActionInRuleSAConditionInRule DESCRIPTION Associates an SARule with theordered set of fallback actionsSACondition instance(s) thatshould be attempted/applied in the case of failure of the primary SAAction.trigger(s) it. DERIVED FROM PolicyConditionInPolicyRule (see [PCIM]) ABSTRACT FALSE PROPERTIESContainingRuleGroupComponent [ref SARule [0..n]]ContaintedActionPartComponent [refSAAction [0..n]] SequenceNumberSACondition [1..n]] GroupNumber (from PolicyConditionInPolicyRule) ConditionNegated (from PolicyConditionInPolicyRule) 4.10.1. The ReferenceContainingRuleGroupComponent The propertyContainingRule contains an object referenceGroupComponent is inherited from PolicyConditionInPolicyRule and is overridden to refer to an SARulethat contains one or more fallback SAActions.instance. The [0..n] cardinality indicates that anfallback SAActionSACondition instance may be contained in zero or moreSARules.SARule instances. 4.10.2. The ReferenceContainedActionPartComponent The propertyContainedAction contains an object reference to a fallback SAAction thatPartComponent iscontained by one or more SARules.inherited from PolicyConditionInPolicyRule and is overridden to refer to an SACondition instance. The[0..n][1..n] cardinality indicates that an SARulemayinstance MUST containzero or more fallback SAActions. 4.10.3.at least one SACondition instance. 4.11. TheProperty SequenceNumberAggregation Class SAActionInRule Theproperty SequenceNumber specifies,SAActionInRule class associates an SARule with its primary SAAction. The class definition fora given rule, the order in which the fallback SAActions should be attempted. Once a fallback SAActionSAActionInRule issuccessfully applied, then subsequent fallback SAActions shouldas follows: NAME SAActionInRule DESCRIPTION Associates an SARule with its SAAction(s). DERIVED FROM PolicyActionInPolicyRule (see [PCIM]) ABSTRACT FALSE PROPERTIES GroupComponent [ref SARule [0..n]] PartComponent [ref SAAction [1..n]] ActionOrder 4.11.1. The Reference GroupComponent The property GroupComponent is inherited from PolicyActionInPolicyRule and is overridden to refer to an SARule instance. The [0..n] cardinality indicates that an SAAction instance may beignored.contained in zero or more SARule instances. 4.11.2. The Reference PartComponent The property PartComponent is inherited from PolicyActionInPolicyRule and is overridden to refer to an SAAction instance. The [1..n] cardinality indicates that an SARule instance MUST contain at least one SAAction instance. 4.11.3. The Property ActionOrder The property ActionOrder specifies the relative position of this SAAction in the sequence of actions associated with a PolicyRule. The ActionOrder MUST be unique so as to provide a deterministic order. In addition, the actions in an SARule are executed as follows. For an initiator, if there is more than one action in the rule, the additional actions are 'backup' actions in the event that the first action is not able to be completed successfully. They are tried in the ActionOrder until the list is exhausted or one completes successfully. For example, an IKE initiator may have several IKEActions for the same SACondition. The initiator will try all IKEActions in the order defined by ActionOrder. I.e. it will possibly try several phases 1 possibly with different modes (main mode then aggressive mode) and/or with possibly multiple IKE peers. For a responder, there can be more than one action in the rule, this provides alternative actions depending on the received proposals. For example, the same IKERule may be used to handle aggressive mode and main mode negotiations with different actions. The first appropriate action in the list of actions is used by the responder. The property is defined as follows: [Need an explanation of what the action order means as it replaces the fallback association] NAMESequenceNumberActionOrder DESCRIPTION Specifies the order ofattempted application for the fallback SAAction.actions. SYNTAX unsigned 16-bit integer VALUE Any value between 1 and 2^16-1 inclusive. Lowervalued fallback SAActions are attempted first.values have higher precedence (i.e., 1 is the highest precedence). The merging order ofattempt of ContainedActionstwo SAActions with the sameSequenceNumber valueprecedence is undefined. 5. Condition and Filter Classes The IPsec condition and filter classes are used to build the "if" part of the IKE and IPsec rules.+-------------+* 0..1+------------+1 *+-------------------+ |*+-------------+ +--------------------| SACondition|o--------| FilterList |x--------| [FilterEntryBase] | +-------------+ (a) +------------+ (b) +-------------------+ ^|+---------------------+------------------------+| +-------------+ | * |+-----------------+ +-------------------+ +-----------------------+|[IPFilterEntry]|(a) | 1 |[IPSOFilterEntry]| +--------------+ |CredentialFilterEntry|+-----------------+ +-------------------+ +-----------------------+ ^ ^FilterList | | |+-------------------+(Appendix C) | | +--------------+ | 1 o |(b) |(c) |+--------------------------------+* |+-| ClassificationLevelFilterEntry| +-----------------+ | |+--------------------------------+FilterEntryBase | | | (Appendix C) |+--------------------------------+|+-| ProtectionAuthorityFilterEntry+-----------------+ | ^ |+--------------------------------+|+-----------------------------------------------+| +--------------+ | +-----------------------++--------------------+ | [EndpointFilterEntry]||ProtocolFilterEntry|+-----------------------+ +--------------------+ ^ ^ | +----------------+FilterEntry |----+----| CredentialFilterEntry |+----------------------+|UDPFilterEntry |--+|+----------------+(Appendix C) | | +-----------------------+ |+-----------------++--------------+ |+----------------+| |FQDNFilterEntry |----+|TCPFilterEntry |--++-----------------+ |+----------------+ | +------------------------++--------------------------+ |+------------------------+|IPv4AddressFilterEntryIPSOFilterEntry |----+----|IPv6AddressFilterEntry | +------------------------+ | +------------------------+ | +----------------------+ | +----------------------+PeerIDPayloadFilterEntry |IPv4RangeFilterEntry |----+----| IPv6RangeFilterEntry|+----------------------++-----------------+ +--------------------------+ |+----------------------+|+-----------------------+*+-----------------------------+ +------------| CredentialManagementService |+-----------------------+|IPv4SubnetFilterEntry |----+----| IPv6SubnetFilterEntry(Appendix B) |+-----------------------+ +-----------------------++-----------------------------+ (a) FilterOfSACondition (b) AcceptCredentialsFrom (c) EntriesInFilterList (see Appendix C) 5.1. The Class SACondition The class SACondition defines thepreconditionsconditions of rules for IKE and IPsec negotiations. Conditions are associated with policy rules via the SAConditionInRule aggregation. It is used as an anchor point to associate various types of filters with policy rules via the FilterOfSACondition association. It also defines whether Credentials can be accepted for a particular policy rule via the AcceptCredentialsFrom association. Associated objects represent components of the condition that may or may not apply at a given rule evaluation. For example, an AcceptCredentialsFrom evaluation is only performed when a credential is available to be evaluated against the list of trusted credential management services. Similarly, a PeerIDPayloadFilterEntry may only be evaluated when an IDPayload value is available to compared with the filter. Condition components that do not have corresponding values with which to evaluate are evaluated as TRUE unless the protocol has completed without providing the required information. The class definition for SACondition is as follows: NAME SACondition DESCRIPTION Defines the preconditions for IKE and IPsec negotiations. DERIVED FROM PolicyCondition (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyConditionName (from PolicyCondition)StartupCondition 5.1.1.5.2. TheProperty StartupCondition This property specifies the triggering event that caused the rule evaluation.Class FilterEntry Thepropertyclass FilterEntry is definedas follows: NAME StartupCondition DESCRIPTION Specifies the triggering event that causein appendix C with therule to be evaluated. SYNTAX unsigned 16-bit integer VALUE 1 (OnBoot) -following notes: 1) since actions in therule is triggered after system boot. The FilterList associated with the SACondition containsIPsec Policy Model are not part of theinformation that will be used to buildcondition side of theselectors. 2 (OnManual) -rule, theruleAction property of each FilterEntry istriggered manually in responseignored and should be set touser input. The FilterList associated with the SACondition contains the information"FilterOnly". 2) to specify 5-tuple filters thatwill be usedare tobuildapply symmetrically (i.e., matches traffic in both directions of theselectors. 3 (OnDataTraffic) -same flow between therule is triggered when packets without associated security associations are sent or received (traffic directionality is indicated bytwo peers), the Directionfieldproperty of theassociated FilterList). 4 (OnIKEMessage) - the rule is triggered when an incoming request for IKE negotiation is received. 5.2.FilterList should be set to "Mirrored". 5.3. The ClassFilterListCredentialFilterEntry The classFilterList aggregatesCredentialFilterEntry defines anANDed setequivalence class that match credentials offiltersIKE peers. Each CredentialFilterEntry includes a MatchFieldName thatare used for determining when an SACondition evaluatesis interpreted according totrue and therefore itsthe CredentialManagementService(s) associatedSAAction shouldwith the SACondition (AcceptCredentialsFrom). These credentials can beperformed.X.509 certificates, Kerberos tickets, or other types of credentials obtained during the Phase 1 exchange. The class definition forFilterListCredentialFilterEntry is as follows: NAMEFilterListCredentialFilterEntry DESCRIPTIONAggregatesSpecifies aset of filters for condition matching.match filter based on the IKE credentials. DERIVED FROM FilterEntryBase (see Appendix C) ABSTRACT FALSE PROPERTIES NameDirection 5.2.1.(from FilterEntryBase) IsNegated (from FilterEntryBase) MatchFieldName MatchFieldValue CredentialType 5.3.1. The PropertyName ThisMatchFieldName The property MatchFieldName specifiesa user-friendly name fortheFilterList.sub-part of the credential to match against MatchFieldValue. The property is defined as follows: NAMENameMatchFieldName DESCRIPTION Specifies which sub-part of theuser-friendly name for the FilterList.credential to match. SYNTAX string5.2.2.VALUE 5.3.2. The PropertyDirection ThisMatchFieldValue The property MatchFieldValue specifieswhether ortheFilterList will be used on incoming, outgoing, or bi-directional traffic. Direction is only useful for filter types that inspect traffic parameters and whenvalue to compare with theStartupCondition propertyMatchFieldName inthe SACondition is seta credential toOnDataTraffic (3).determine if the credential matches this filter entry. The property is defined as follows: NAMEDirectionMatchFieldValue DESCRIPTION Specifieswhat kind of traffic willthe value to bechecked - incoming, outgoing, or bi-directional.matched by the MatchFieldName. SYNTAX string VALUE NB: If the CredentialFilterEntry corresponds to a DistinguishedName, this value in the CIM class is represented by an ordinary string value. However, an implementation must convert this string to a DER- encoded string before matching against the values extracted from credentials at runtime. 5.3.3. The Property CredentialType The property CredentialType specifies the particular type of credential that is being matched. The property is defined as follows: NAME CredentialType DESCRIPTION Defines the type of IKE credentials. SYNTAX unsigned 16-bit integer VALUE 1 -IncomingX.509 Certificate 2 -Outgoing 3 - Bi-directional 5.3.Kerberos Ticket 5.4. TheAbstractClassFilterEntryBaseIPSOFilterEntry TheabstractclassFilterEntryBase servesIPSOFilterEntry is used to match traffic based on the IP Security Options header values (ClassificationLevel and ProtectionAuthority) as defined in RFC1108. This type of FilterEntry is used to adjust thebase class forIPsec encryption level according to thespecific filter class.IPSO classification of the traffic (e.g., secret, confidential, restricted, etc. The class definition forFilterEntryBaseIPSOFilterEntry is as follows: NAMEFilterEntryBaseIPSOFilterEntry DESCRIPTIONServes asSpecifies thebase class for specifica match filterclasses.based on IP Security Options. DERIVED FROM FilterEntryBase (see Appendix C) ABSTRACTTRUEFALSE PROPERTIES Name (from FilterEntryBase) IsNegated5.3.1.(from FilterEntryBase) MatchConditionType MatchConditionValue 5.4.1. The PropertyName ThisMatchConditionType The property MatchConditionType specifiesa user-friendly name forthefilter.IPSO header field that will be matched (e.g., traffic classification level or protection authority). The property is defined as follows: NAMENameMatchConditionType DESCRIPTION Specifies theuser-friendly name for the filter.IPSO header field to be matched. SYNTAXstring 5.3.2.unsigned 16-bit integer VALUE 1 - ClassificationLevel 2 - ProtectionAuthority 5.4.2. The PropertyIsNegated ThisMatchConditionValue The property MatchConditionValue specifieswhether or not the result oftheboolean resultvalue of thefilter evaluation shouldIPSO header field to benegated.matched against. The property is defined as follows: NAMEIsNegatedMatchConditionValue DESCRIPTION Specifieswhether or not to negate the result oftheevaluationvalue of thefilter.IPSO header field to be matched against. SYNTAXbooleanunsigned 16-bit integer VALUEA value of true means that the boolean result ofFor ClassificationLevel, thefilter evaluation ofvalues are: 61 - TopSecret 90 - Secret 150 - Confidential 171 - Unclassified For ProtectionAuthority, thefilter will be negated. A value of false means that the boolean result of the evaluation of the filter will not be altered. 5.4.values are: 0 - GENSER 1 - SIOP-ESI 2 - SCI 3 - NSA 4 - DOE 5.5. TheAbstractClassIPFilterEntryPeerIDPayloadFilterEntry Theabstract class IPFilterEntry serves as a baseclassfor filter entries which arePeerIDPayloadFilterEntry defines filters used to matchagainstID payload values from the5-tuple (i.e., source and destination address, protocol, and source and destination port) information inIKE protocol exchange. PeerIDPayloadFilterEntry permits theIP packet. The class definition for IPFilterEntry is as follows: NAME IPFilterEntry DESCRIPTION Servesspecification of certain ID payload values such asthe base class for IP 5-tuple filters. DERIVED FROM FilterEntryBase ABSTRACT TRUE 5.5. The Abstract Class EndpointFilterEntry The abstract class EndpointFilterEntry serves"*@company.com" or "193.190.125.0/24". Obviously this filter applies only to IKERules when acting as abase class for filters which match against IP addresses (source or destination).responder. Moreover, this filter can be applied immediately in the case of aggressive mode but its application is to be delayed in the case of main mode. The class definition forEndpointFilterEntryPeerIDPayloadFilterEntry is as follows: NAMEEndpointFilterEntryPeerIDPayloadFilterEntry DESCRIPTIONServes as the base class for filters whichSpecifies a matchagainst IP addresses.filter based on IKE identity. DERIVED FROMIPFilterEntryFilterEntryBase (see Appendix C) ABSTRACTTRUEFALSE PROPERTIESApplyToDestinationName (from FilterEntryBase) IsNegated (from FilterEntryBase) MatchIdentityType MatchIdentityValue 5.5.1. The PropertyApplyToDestination ThisMatchIdentityType The property MatchIdentityType specifieswhether or nottheaddress to test against istype of identity provided by thesource orpeer in thedestination IP address.ID payload." The property is defined as follows: NAMEApplyToDestinationMatchIdentityType DESCRIPTION Specifieswhich IP address to test, source or destination.the ID payload type. SYNTAXbooleanunsigned 16-bit integer VALUEA value of true means that the destination IP address should be tested against. A value of false means that the source IP address should be tested against. 5.6. The Class IPv4AddressFilterEntry The class IPv4AddressFilterEntry specifies a filter that will match against a single1 - IPv4address. The class definition for IPv4AddressFilterEntry is as follows: NAME IPv4AddressFilterEntry DESCRIPTION Defines the match filter for anAddress 2 - FQDN 3 - User FQDN 4 - IPv4address. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIESSubnet 5 - IPv6 Address5.6.1.6 - IPv6 Subnet 7 - IPv4 Address Range 8 - IPv6 Address Range 9 - DER-Encoded ASN.1 X.500 Distinguished Name 10 - DER-Encoded ASN.1 X.500 GeneralName 11 - Key ID 5.5.2. The PropertyAddress ThisMatchIdentityValue The property MatchIdentityValue specifies theIPv4 address that will be used infilter value for comparison with theequality test.ID payload, e.g., "*@company.com" The property is defined as follows: NAMEAddressMatchIdentityValue DESCRIPTION Specifies theIPv4 addressID payload value. SYNTAX string VALUE NB: The syntax may need to be converted for comparison. If the PeerIDPayloadFilterEntry type is a DistinguishedName, the name in the MatchIdentityValue property is represented by an ordinary string value, but this value must be converted into a DER-encoded string before matching against the values extracted from IKE ID payloads at runtime. The same applies to IPv4 & IPv6 addresses. Wildcards can be used as well as the prefix notation for IPv4 addresses: - a MatchIdentityValue of "*@company.com" will matchagainst. SYNTAX unsigned 32-bit integer 5.7.an ID payload of "JDOE@COMPANY.COM" - a MatchIdentityValue of "193.190.125.0/24" will match an ID payload of 193.190.125.10. 5.6. The Association ClassIPv4RangeFilterEntryFilterOfSACondition The classIPv4RangeFilterEntry specifies a filter for testing ifFilterOfSACondition associates anIPv4 address is betweenSACondition with thestart address and end address inclusively.filter specifications (FilterList) that make up the condition. The class definition forIPv4RangeFilterEntryFilterOfSACondition is as follows: NAMEIPv4RangeFilterEntryFilterOfSACondition DESCRIPTIONDefinesAssociates a condition with thematchfilterfor an IPv4 address range.list that make up the individual condition elements. DERIVED FROMEndpointFilterEntryDependency (see Appendix A) ABSTRACT FALSE PROPERTIESStartAddress EndAddress 5.7.1.Antecedent [ref FilterList[1..1]] Dependent [ref SACondition[0..n]] 5.6.1. TheProperty StartAddress This property specifies the first IPv4 address in the address range.Reference Antecedent The property Antecedent isdefined as follows: NAME StartAddress DESCRIPTION Specifies the start of the IPv4 address range. SYNTAX unsigned 32-bit integer 5.7.2.inherited from Dependency and is overridden to refer to a FilterList instance. TheProperty EndAddress This property specifies the last IPv4 address in the address range.[1..1] cardinality indicates that an SACondition instance MUST be associated with one and only one FilterList instance. 5.6.2. The Reference Dependent The property Dependent isdefined as follows: NAME EndAddress DESCRIPTION Specifies the end of the IPv4 address. SYNTAX unsigned 32-bit integer VALUE EndAddress mustinherited from Dependency and is overridden to refer to an SACondition instance. The [0..n] cardinality indicates that a FilterList instance may begreater thanassociated with zero orequal to StartAddress. 5.8.more SAConditions instance. 5.7. The Association ClassIPv4SubnetFilterEntryAcceptCredentialFrom The classIPv4SubnetFilterEntryAcceptCredentialFrom specifies which credential management services (e.g., afilter for testing if an IPv4 addressCertificateAuthority or a Kerberos service) are to be trusted to certify peer credentials. This is used to validate that the credential being matched in the CredentialFilterEntry is a valid credential that has been supplied by an approved CredentialManagementService. If a CredentialManagementService is specifiedsubnet. The class definition for IPv4SubnetFilterEntryand a corresponding CredentialFilterEntry isas follows: NAME IPv4SubnetFilterEntry DESCRIPTION Definesused, but thematch filter for an IPv4 subnet. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Address Mask 5.8.1. The Property Address This property specifiescredential supplied by theIPv4 subnet. The propertypeer isdefined as follows: NAME Address DESCRIPTION Specifiesnot certified by that CredentialManagementService (or one of theIPv4 subnet. SYNTAX unsigned 32-bit integer 5.8.2. The Property Mask This property specifiesCredentialManagementServices in its trust hierarchy), theIPv4 mask. The propertyCredentialFilterEntry isdefined as follows: NAME Mask DESCRIPTION Specifiesdeemed not to match. If a credential is certified by a CredentialManagementService in theIPv4 mask. SYNTAX unsigned 32-bit integer VALUE A special value of 0.0.0.0, coupled with an Address valueAcceptCredentialsFrom list of0.0.0.0 can be usedservices but there is no CredentialFilterEntry, this is considered equivalent tospecify all addresses. 5.9. The Class IPv6AddressFilterEntry The class IPv6AddressFilterEntry specifiesafilterCredentialFilterEntry thatwill match against a single IPv6 address.matches all credentials from those services. The class definition forIPv6AddressFilterEntryAcceptCredentialFrom is as follows: NAMEIPv6AddressFilterEntryAcceptCredentialFrom DESCRIPTIONDefinesAssociates a condition with thematch filter for an IPv4 address.credential management services to be trusted. DERIVED FROMEndpointFilterEntryDependency (see Appendix A) ABSTRACT FALSE PROPERTIESAddress 5.9.1.Antecedent [ref CredentialManagementService[0..n]] Dependent [ref SACondition[0..n]] 5.7.1. TheProperty Address This property specifies the IPv6 address that will be used in the equality test.Reference Antecedent The property Antecedent isdefined as follows: NAME Address DESCRIPTION Specifies the IPv6 addressinherited from Dependency and is overridden to refer tomatch against. SYNTAX byte[16] 5.10. The Class IPv6RangeFilterEntry The class IPv6RangeFilterEntry specifiesafilter for testing if an IPv6 address is between the start address and end address inclusively.CredentialManagementService instance. Theclass definition for IPv6RangeFilterEntry is as follows: NAME IPv6RangeFilterEntry DESCRIPTION Defines the match filter for[0..n] cardinality indicates that anIPv6 address range. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES StartAddress EndAddress 5.10.1.SACondition instance may be associated with zero or more CredentialManagementServices instance. 5.7.2. TheProperty StartAddress This property specifies the first IPv6 address in the address range.Reference Dependent The property Dependent isdefined as follows: NAME StartAddress DESCRIPTION Specifies the start of the IPv6 address range. SYNTAX byte[16] 5.10.2. The Property EndAddress This property specifies the last IPv6 address in the address range. The propertyinherited from Dependency and isdefined as follows: NAME EndAddress DESCRIPTION Specifies the end of the IPv6 address. SYNTAX byte[16] VALUE EndAddress must be greater than or equaloverridden toStartAddress. 5.11. The Class IPv6SubnetFilterEntryrefer to an SACondition instance. Theclass IPv6SubnetFilterEntry specifies[0..n] cardinality indicates that afilter for testing if an IPv6 address is in the specified subnet.CredentialManagementService instance may be associated with zero or more SAConditions instance. 6. Action Classes Theclass definition for IPv4SubnetFilterEntry is as follows: NAME IPv6SubnetFilterEntry DESCRIPTION Definesaction classes are used to model thematch filter fordifferent actions anIPv6 subnet. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Address Mask 5.11.1. The Property Address This property specifies the IPv6 subnet. The property is defined as follows: NAME Address DESCRIPTION Specifies the IPv6 subnet. SYNTAX byte[16] 5.11.2. The Property Mask This property specifiesIPsec device may take when theIPv6 mask. The property is defined as follows: NAME Mask DESCRIPTION Specifiesevaluation of theIPv6 mask. SYNTAX byte[16] VALUE A special value of 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0, coupled with an Address value of 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 can be used to specify all addresses. 5.12.associated condition results in a match. +----------+ | SAAction | +----------+ ^ | +-----------+--------------+ | | *+----------------+ +---------------------+* | SAStaticAction | | SANegotiationAction |o-----+ +----------------+ +---------------------+ | ^ ^ | | | | | +-----------+-------+ | | | | | +-------------------+ | +-------------+ +-----------+ | | IPsecBypassAction |---+ | IPsecAction | | IKEAction | | +-------------------+ | +-------------+ +-----------+ | | ^ | +--------------------+ | | +----------------------+ | | IPsecDiscardAction |---+ +----| IPsecTransportAction | | +--------------------+ | | +----------------------+ | | | | +-----------------+ | | +-------------------+ | | IKERejectAction |---+ +----| IPsecTunnelAction | | +-----------------+ | +-------------------+ | | *| | | +--------------+ | | | | +-----------------------+ | | +--------------+n | | PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+ +-----------------------+ | +--------------+ (b) ^ | | | *+-------------+ +---------------------+ +-------| PeerGateway | | +-------------+ +-----------------------------+ | *w| | PreconfiguredTransportAction|--+ |(c) +-----------------------------+ | 1| | +--------------+ +-----------------------------+ | | System | | PreconfiguredTransportAction|--+ | (Appendix A) | +-----------------------------+ +--------------+ *| | 1..3+---------------+ +-------| [SATransform] | (d) +---------------+ (a) PeerGatewayForTunnel (b) ContainedProposal (c) HostedPeerGatewayInformation (d) TransformOfPreconfiguredAction 6.1. The ClassFQDNFilterEntrySAAction The classFQDNFilterEntry specifies a filterSAAction serves as the base class formathcing against a single or wild-carded DNS name.IKE and IPsec actions. Although the class is concrete, it MUST not be instantiated. It is used for aggregating different types of actions to IKE and IPsec rules. The class definition forFQDNFilterEntrySAAction is as follows: NAMEFQDNFilterEntrySAAction DESCRIPTIONDefines the match filterThe base class fora DNS name.IKE and IPsec actions. DERIVED FROMEndpointFilterEntryPolicyAction (see [PCIM]) ABSTRACT FALSE PROPERTIESName 5.12.1.PolicyActionName (from PolicyAction) DoActionLogging DoPacketLogging 6.1.1. The PropertyName ThisDoActionLogging The property DoActionLogging specifiesthe DNS namewhether a log message is tomatch against.be generated when the action is performed (even if the action fails). The property is defined as follows: NAMEAddressDoActionLogging DESCRIPTION Specifies theDNS name.whether to log when the action is performed. SYNTAXstringboolean VALUEThe DNS name cantrue - a log message is to befully qualified (for example, foo.intel.com) or partially qualified (*.intel.com). 5.13.generated when action is performed. false - no log message is to be generated when action is performed. 6.1.2. TheClass ProtocolFilterEntryProperty DoPacketLogging Theclass ProtocolFilterEntryproperty DoPacketLogging specifies whether afilter for testing against an IP protocol. The class definition for ProtocolFilterEntrylog message isas follows: NAME ProtocolFilterEntry DESCRIPTION Defines a match filter for IP protocol. DERIVED FROM IPFilterEntry ABSTRACT FALSE PROPERTIES Protocol 5.13.1. The Property Protocolto be generated when the resulting security association is used to process the packet. If the action successfully executes and results in the creation of one or several security associations, the value of DoPacketLogging SHOULD be propagated to an optional field of SADB. Thisproperty specifiesoptional field should be used to decide whether a log message is to be generated when theIP protocolSA is used tomatch against.process a packet. The property is defined as follows: NAMEProtocolDoPacketLogging DESCRIPTION Specifies theIP protocol.whether to log when the resulting security association is used to process the packet. SYNTAXunsigned 8-bit integerboolean VALUEA value of zero matches against any protocol. Any other valuetrue - a log message is to be generated when theIP protocol number. 5.14.resulting security association is used to process the packet. false - no log message is to be generated. 6.2. The ClassUDPFilterEntrySAStaticAction The classUDPFilterEntry specifies a filter for testing if a UDP port is betweenSAStaticAction serves as thestart portbase class for IKE andend port inclusively. It is assumedIPsec actions that do not require any negotiation. Although theProtocol property from the ProtocolFilterEntryclasswill contain the value 17 (i.e., UDP).is concrete, it MUST not be instantiated. The class definition forUDPFilterEntrySAStaticAction is as follows: NAMEUDPFilterEntrySAStaticAction DESCRIPTIONDefines the match filterThe base class fora UDP port range.IKE and IPsec actions that do not require any negotiation. DERIVED FROMProtocolFilterEntrySAAction ABSTRACT FALSE PROPERTIESStartPort EndPort 5.14.1. TheLifetimeSeconds 6.2.1. The PropertyStartPort ThisLifetimeSeconds The property LifetimeSeconds specifies how long thefirst port in the UDP port range.security association derived from this action should be used. The property is defined as follows: NAMEStartPortLifetimeSeconds DESCRIPTION Specifies thestartamount ofthe UDP port range.time (in seconds) that a security association derived from this action should be used. SYNTAX unsigned16-bit32-bit integer5.14.2.VALUE A value of zero indicates that there is not a lifetime associated with this action (i.e., infinite lifetime). A non-zero value is typically used in conjunction with alternate SAActions performed when there is a negotiation failure of some sort. 6.3. TheProperty EndPortClass IPsecBypassAction The class IPsecBypassAction is used when packets are allowed to be processed without applying IPsec encapsulation to them. Thisproperty specifiesis thelast portsame as stating that packets are allowed to flow in theUDP port range.clear. Thepropertyclass definition for IPsecBypassAction isdefinedas follows: NAMEEndPortIPsecBypassAction DESCRIPTION Specifiesthe end of the UDP port range. SYNTAX unsigned 16-bit integer VALUE EndPort mustthat packets are to begreater than or equalallowed toStartPort. 5.15.pass in the clear. DERIVED FROM SAStaticAction ABSTRACT FALSE 6.4. The ClassTCPFilterEntryIPsecDiscardAction The classTCPFilterEntry specifies a filter for testing if a TCP portIPsecDiscardAction isbetween the start port and end port inclusively. Itused when packets are to be discarded. This isassumed that the Protocol property from the ProtocolFilterEntry class will containthevalue 6 (i.e., TCP).same as stating that packets are to be denied. The class definition forTCPFilterEntryIPsecDiscardAction is as follows: NAMETCPFilterEntryIPsecDiscardAction DESCRIPTIONDefines the match filter for a TCP port range.Specifies that packets are to be discarded. DERIVED FROMProtocolFilterEntrySAStaticAction ABSTRACT FALSEPROPERTIES StartPort EndPort 5.15.1.6.5. TheProperty StartPort This property specifies the first port in the TCP port range.Class IKERejectAction Thepropertyclass IKERejectAction isdefined as follows: NAME StartPort DESCRIPTION Specifiesused to prevent attempting an IKE negotiation with thestart of the TCP port range. SYNTAX unsigned 16-bit integer 5.15.2. The Property EndPort This property specifies the last port in the TCP port range.peer(s). Theproperty is defined as follows: NAME EndPort DESCRIPTION Specifies the endmain use ofthe TCP port range. SYNTAX unsigned 16-bit integer VALUE EndPort must be greater than or equal to StartPort. 5.16. The Abstract Class IPSOFilterEntry The abstractthis classIPSOFilterEntry servesis to prevent some denial of service attacks when acting as IKE responder. It goes beyond abase class forplain discard of UDP/500 IKE packets because theIP Security Option (IPSO) filters.SACondition can be based on specific PeerIDPayloadFilterEntry (when aggressive mode is used). The class definition forIPSOFilterEntryIKERejectAction is as follows: NAMEIPSOFilterEntryIKERejectAction DESCRIPTIONServes as the base class for the IPSO filters.Specifies that an IKE negotiation should not even be attempted or continued. DERIVED FROMFilterEntryBaseSAStaticAction ABSTRACTTRUE 5.17.FALSE 6.6. The ClassClassificationLevelFilterEntryPreconfiguredSAAction The classClassificationLevelFilterEntry specifiesPreconfiguredSAAction is used to create afiltersecurity association using preconfigured, hard-wired algorithms and keys. Notes: - the SPI formatching againsta PreconfiguredSAAction is contained in theclassification level IPSO field type.association, TransformOfPreconfiguredAction; - the session key (if applicable) is contained in an instance of the class SharedSecret (see appendix B). The session key is stored in the property secret, the property protocol contains either "ESP" or "AH", the property algorithm contains the algorithm used to protect the secret (can be "PLAINTEXT" if the IPsec entity has no secret storage), the value of property RemoteID is the concatenation of the remote IPsec peer IP address in dotted decimal, of the character "/", and of the hexadecimal representation of the SPI. Although the class is concrete, it MUST not be instantiated. The class definition forClassificationLevelFilterEntryPreconfiguredSAAction is as follows: NAMEClassificationLevelFilterEntryPreconfiguredSAAction DESCRIPTIONDefines the filterSpecifies preconfigured algorithm and keying information forthe IPSO classification level.creation of a security association. DERIVED FROMIPSOFilterEntrySAStaticAction ABSTRACT FALSE PROPERTIESLevel 5.17.1.LifetimeKilobytes 6.6.1. The PropertyLevel ThisLifetimeKilobytes The property LifetimeKilobytes specifies a traffic limit in kilobytes that can be consumed before theclassification level to match against.SA is deleted.. The property is defined as follows: NAMELevelLifetimeKilobytes DESCRIPTION Specifies theclassification level.SA lifetime in kilobytes. SYNTAX unsigned16-bit32-bit integer VALUE61 - Top Secret 90 - Secret 150 - Confidential 171 - Unclassified 5.18.A value of zero indicates that there is not a lifetime associated with this action (i.e., infinite lifetime). A non-zero value is used to indicate that after this amount of kilobytes has been consumed the SA must be deleted from the SADB. 6.7. The ClassProtectionAuthorityFilterEntryPreconfiguredTransportAction The classProtectionAuthorityFilterEntry specifies a filterPreconfiguredTransportAction is used to create an IPsec transport-mode security association using preconfigured, hard-wired algorithms and keys. The class definition formatching against the protection authority IPSO field type.PreconfiguredTransportAction is as follows: NAME PreconfiguredTransportAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of an IPsec transport security association. DERIVED FROM PreconfiguredSAAction ABSTRACT FALSE 6.8. The Class PreconfiguredTunnelAction The class PreconfiguredTunnelAction is used to create an IPsec tunnel-mode security association using preconfigured, hard-wired algorithms and keys. The class definition forProtectionAuthorityFilterEntryPreconfiguredSAAction is as follows: NAMEProtectionAuthorityFilterEntryPreconfiguredTunnelAction DESCRIPTIONDefines the filterSpecifies preconfigured algorithm and keying information forthe IPSO protection authority.creation of an IPsec tunnel-mode security association. DERIVED FROMIPSOFilterEntryPreconfiguredSAAction ABSTRACT FALSE PROPERTIESAuthority 5.18.1.PeerGatewayAddressType PeerGatewayAddress DFHandling 6.8.1. The PropertyAuthority ThisPeerGatewayAddressType The property PeerGatewayAddressType specifies theprotection authorityformat of the PeerGatewayAddress property. Addresses that can be formatted in IPv4 format, must be formatted that way tomatch against.ensure mixed IPv4/IPv6 support. When the tunnel peer is not a security gateway, this property value is set to 0. The property is defined as follows: NAMEAuthorityPeerGatewayAddressType DESCRIPTION Specifies theprotection authority.format of PeerGatewayAddress. SYNTAX unsigned 16-bit integer VALUE 0 -GENSERunknown 1 -SIOP-ESIIPv4 2 -SCI 3 - NSA 4 - DOE 5.19.IPv6 6.8.2. TheClass CredentialFilterEntryProperty PeerGatewayAddress Theclass CredentialFilterEntry defines a filter for matching against credential information that was obtained duringproperty PeerGatewayAddress specifies theIKE phase 1 negotiation. This information can be identity information (such as User FQDN) or information retrieved from credential information (for example, fields from a certificate). This information can be usedIP address of the tunnel peer security gateway formatted according to the appropriate convention asa formdefined in the PeerGatewayAddressType property ofaccess control. Thethis classdefinition for CredentialFilterEntry is(e.g., 171.79.6.40). When the tunnel peer is not a security gateway, this property value is set to NULL. The property is defined as follows: NAMECredentialFilterEntryPeerGatewayAddress DESCRIPTIONDefinesSpecifies thefilter for matching againstIP address of the tunnel peer. SYNTAX string VALUE When the value is NULL, this is a special meaning: the IP address of the actual remote IKEphaseentity is the destination IP address of the IP packet that triggered the SARule. Else, the value is a string representation of an IPv4 or IPv6 address. 6.8.3. The Property DFHandling The property DFHandling specifies how the Don't Fragment bit of the internal IP header is to be handled during IPsec processing. The property is defined as follows: NAME DFHandling DESCRIPTION Specifies the processing of the DF bit. SYNTAX unsigned 16-bit integer VALUE 1credential/identity information. DERIVED FROM FilterBaseEntry ABSTRACT FALSE PROPERTIES To Be Determined... 5.20.- Copy the DF bit from the internal IP header to the external IP header. 2 - Set the DF bit of the external IP header to 1. 3 - Clear the DF bit of the external IP header to 0. 6.9. TheAggregationClassFilterOfSAConditionSANegotiationAction The classFilterOfSACondition associates an SACondition withSANegotiationAction serves as thefilter specifications (FilterList)base class for IKE and IPsec actions thatmake upresult in a IKE negotiation. Although thecondition.class is concrete, is MUST not be instantiated. The class definition forFilterOfSAConditionSANegotiationAction is as follows: NAMEFilterOfSAConditionSANegotiationAction DESCRIPTIONAssociates a condition with the filter listA base class for IKE and IPsec actions thatmake upspecifies theindividual condition elements.parameters that are common for IKE phase 1 and IKE phase 2 IPsec DOI negotiations. DERIVED FROM SAAction ABSTRACT FALSE PROPERTIESAntecedent [ref FilterList[0..1]] Dependent [ref SACondition [0..n]] 5.20.1.MinLifetimeSeconds MinLifetimeKilobytes RefreshThresholdSeconds RefreshThresholdKilobytes IdleDurationSeconds 6.9.1. TheReference AntecedentProperty MinLifetimeSeconds The propertyAntecedent contains an object reference to a FilterList that is contained in one or more SAConditions. The [0..1] cardinality indicates that an SACondition may have zero or one FilterList. 5.20.2. The Reference Dependent The property Dependent contains an object reference to an SACondition that contains an FilterList. The [0..n] cardinality indicatesMinLifetimeSeconds specifies the minimum seconds lifetime thata FilterList maywill becontained in zero or more SAConditions. 5.21. The Composition Class EntriesInFilterList The class EntriesInFilterList associatesaccepted from theindividual FilterEntryBasespeer. MinLifetimeSeconds is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations witha FilterList. Together these individual FilterEntryBases can create complex conditions.correspondingly expensive Diffie-Hellman operations. Theclass definition for EntriesInFilterListproperty is defined as follows: NAMEEntriesInFilterListMinLifetimeSeconds DESCRIPTIONAssociates a FilterList withSpecifies thesetminimum acceptable seconds lifetime. SYNTAX unsigned 32-bit integer VALUE A value ofindividual filters. ABSTRACT FALSE PROPERTIES Antecedent [ref FilterEntryBase[0..n]] Dependent [ref FilterList [1..1]] EntrySequence 5.21.1. The Reference Antecedent The property Antecedent contains an object reference to a FilterEntryBase that is contained in a FilterList. The [0..n] cardinality indicates that a FilterList may have zero or more FilterEntryBases. 5.21.2. The Reference Dependent The property Dependent contains an object reference to a FilterList that containszeroor more FilterEntryBases. The [1..1] cardinalityindicates thata FilterEntryBase may be contained in one and only one FilterLists (i.e., FilterEntryBases cannot be shared between FilterLists). 5.21.3.there is no minimum value. A non-zero value specifies the minimum seconds lifetime. 6.9.2. The PropertyEntrySequenceMinLifetimeKilobytes The propertyEntrySequence specifies, for a given FilterList, the order in whichMinLifetimeKilobytes specifies thefilters shouldminimum kilobytes lifetime that will bechecked. The property is defined as follows: NAME EntrySequence DESCRIPTION Specifiesaccepted from theorderpeer. MinLifetimeKilobytes is used tocheckprevent certain denial of service attacks where thefilters in a FilterList.peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. Note that there has been considerable debate regarding the usefulness of applying kilobyte lifetimes to IKE phase 1 security associations, so it is likely that this property will only apply to the sub-class IPsecAction. The property is defined as follows: NAME MinLifetimeKilobytes DESCRIPTION Specifies the minimum acceptable kilobytes lifetime. SYNTAX unsigned16-bit32-bit integer VALUELower valued filters are checked first.A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum kilobytes lifetime. 6.9.3. TheorderProperty RefreshThresholdSeconds The property RefreshThresholdSeconds specifies what percentage ofcheckingthe seconds lifetime can expire before IKE should attempt to renegotiate the security association. A random value may be added to the calculated threshold (percentage x seconds lifetime) to reduce the chance ofFilterEntryBases withboth peers attempting to renegotiate at the sameEntrySequence valuetime. The property isundefined. 6. Action Classesdefined as follows: NAME RefreshThresholdSeconds DESCRIPTION Specifies the percentage of seconds lifetime that has expired before the security association is renegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representing a percentage. A value of 100 indicates that the security association should not be renegotiated until the seconds lifetime has been reached. 6.9.4. Theaction classes are usedProperty RefreshThresholdKilobytes The property RefreshThresholdKilobytes specifies what percentage of the kilobyte lifetime can expire before IKE should attempt tomodelrenegotiate thedifferent actions anIPsecdevicesecurity association. A random value maytake whenbe added to theevaluationcalculated threshold (percentage x kilobyte lifetime) to reduce the chance of both peers attempting to renegotiate at theassociated condition results in a match. +----------+ | SAAction | +----------+ ^ | +-----------+--------------+ | | +----------------+ +---------------------+* | SAStaticAction | | SANegotiationAction |o-----+ +----------------+ +---------------------+ | ^ ^ | | | | | +-----------+-------+ | | | | | +-------------------+ | +-------------+ +-----------+ | | IPsecBypassAction |---+ | IPsecAction | | IKEAction | | +-------------------+ | +-------------+ +-----------+ | | ^ | +--------------------+ | | +----------------------+ | | IPsecDiscardAction |---+ +----| IPsecTransportAction | | +--------------------+ | | +----------------------+ | | | | +-----------------+ | | +-------------------+ | | IKERejectAction |---+ +----| IPsecTunnelAction | | +-----------------+ | +-------------------+ | | | +-----------------------+ | +--------------+n | | SAPreconfiguredAction |---+ | [SAProposal] |-------+ +-----------------------+ +--------------+ (a) (a) ContainedProposal 6.1. The Class SAAction The class SAAction servessame time. Note, that as with thebase class for IKE and IPsec actions. Although the classproperty MinLifetimeKilobytes, this property isconcrete, it MUST not be instantiated.probably only relevant to IPsecAction sub-classes. Theclass definition for SAActionproperty is defined as follows: NAMESAActionRefreshThresholdKilobytes DESCRIPTIONThe base class for IKE and IPsec actions. DERIVED FROM PolicyAction (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyActionName (from PolicyAction) 6.2. The Class SAStaticAction The class SAStaticAction serves asSpecifies thebase class for IKE and IPsec actionspercentage of kilobyte lifetime thatdo not require any negotation. Althoughhas expired before theclassIPsec security association isconcrete, it MUSTrenegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representing a percentage. A value of 100 indicates that the IPsec security association should not beinstantiated.renegotiated until the kilobyte lifetime has been reached. 6.9.5. Theclass definition for SAStaticAction is as follows: NAME SAStaticAction DESCRIPTION The base class for IKE and IPsec actions that do not require any negotiation. DERIVED FROM SAAction ABSTRACT FALSE PROPERTIES LifetimeSeconds 6.2.1. The Property LifetimeSecondsProperty IdleDurationSeconds The propertyLifetimeSecondsIdleDurationSeconds specifies howlong themany seconds a security associationderived from this action should be used.may remain idle (i.e., no traffic protected using the security association) before it is deleted. The property is defined as follows: NAMELifetimeSecondsIdleDurationSeconds DESCRIPTION Specifiesthe amount of time (in seconds) thathow long, in seconds, a security associationderived from this action should be used.may remain unused before it is deleted. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates thatthere isidle detection should nota lifetime associated with this action (i.e., infinite lifetime). A nono-zero value is typicallybe usedin conjunction with fallback actions performed when there is a negotiation failurefor the security association (only the seconds and kilobyte lifetimes will be used). Any non- zero value indicates the number ofsome sort. 6.3.seconds the security association may remain unused. 6.10. The ClassIPsecBypassActionIPsecAction The classIPsecBypassAction is used when packets are allowed to be processed without applyingIPsecAction serves as the base class for IPsecto them. This istransport and tunnel actions. It specifies thesame as stating that packets are allowed to flow inparameters used for an IKE phase 2 IPsec DOI negotiation. Although theclear.class is concrete, is MUST not be instantiated. The class definition forIPsecBypassActionIPsecAction is as follows: NAMEIPsecBypassActionIPsecAction DESCRIPTIONSpecifiesA base class for IPsec transport and tunnel actions thatpackets are to be allowed to pass inspecifies theclear.parameters for IKE phase 2 IPsec DOI negotiations. DERIVED FROMSAStaticActionSANegotiationAction ABSTRACT FALSE6.4.PROPERTIES UsePFS UseIKEGroup GroupId Granularity VendorID 6.10.1. TheClass IPsecDiscardActionProperty UsePFS Theclass IPsecDiscardAction isproperty UsePFS specifies whether or not perfect forward secrecy should be used whenpackets are to be discarded. This is the same as stating that packets are to be denied.refreshing keys. Theclass definition for IPsecDiscardActionproperty is defined as follows: NAMEIPsecDiscardActionUsePFS DESCRIPTION Specifiesthat packets are to be discarded. DERIVED FROM SAStaticAction ABSTRACT FALSE PROPERTIES DoLogging 6.4.1. The Property DoLogging The property DoLogging specifiesthe whether or notan audit message should be logged when a packet is discarded. The property is defined as follows: NAME DoLogging DESCRIPTION Specifies if an audit message should be loggedto use PFS whena packet is discarded.refreshing keys. SYNTAX boolean VALUE A value of true indicates thatloggingPFS should bedone for this action.used. A value of false indicateslogging should not be done for this action. 6.5. The Class IKERejectAction The class IKERejectAction is used to prevent attempting an IKE negotiation with the peer(s). The class definition for IKERejectAction is as follows: NAME IKERejectAction DESCRIPTION Specifiesthatan IKE negotiationPFS should notevenbeattempted. DERIVED FROM SAStaticAction ABSTRACT FALSE PROPERTIES DoLogging 6.5.1.used. 6.10.2. The PropertyDoLoggingUseIKEGroup The propertyDoLoggingUseIKEGroup specifies whether or notan audit messagephase 2 shouldbe logged when a determinationuse the same key exchange group as was used in phase 1. UseIKEGroup ismade to prevent an IKE negotiation.ignored if UsePFS is false. The property is defined as follows: NAMEDoLoggingUseIKEGroup DESCRIPTION Specifiesif an audit message should be logged when IKE negotiationwhether or not to use the same GroupId for phase 2 as was used in phase 1. If UsePFS is false, then UseIKEGroup isprohibited.ignored. SYNTAX boolean VALUE A value of true indicates thatloggingthe phase 2 GroupId should bedone for this action.the same as phase 1. A value of false indicateslogging should not be donethat the property GroupId will contain the key exchange group to use forthis action. 6.6.phase 2. 6.10.3. TheClass SAPreconfiguredActionProperty GroupId Theclass SAPreconfiguredAction is usedproperty GroupId specifies the key exchange group tocreate a security association using preconfigured, hard-wired algorithms and keys. The class definitionuse forSAPreconfiguredActionphase 2. GroupId isas follows: NAME SAPreconfiguredAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of a security association. DERIVED FROM SAStaticAction ABSTRACT FALSE PROPERTIES To Be Determined... 6.7. The Class SANegotiationAction The class SANegotiationAction serves asignored if (1) thebase class for IKEproperty UsePFS is false, or (2) the property UsePFS is true andIPsec actions which result in a IKE negotiation. Althoughtheclassproperty UseIKEGroup isconcrete,true. If the GroupID number isMUST not be instantiated.from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. Theclass definition for SANegotiationActionproperty is defined as follows: NAMESANegotiationActionGroupId DESCRIPTIONA base class for IKE and IPsec actions that specifiesSpecifies theparameters that are commonkey exchange group to use forIKE phase 1 and IKEphase 2IPsec DOI negotiations. DERIVED FROM SAAction ABSTRACT FALSE PROPERTIES MinLifetimeSeconds MinLifetimeKilobytes RefreshThresholdSeconds RefreshThresholdKilobytes IdleDurationSeconds 6.7.1.when the property UsePFS is true and the property UseIKEGroup is false. SYNTAX unsigned 16-bit integer VALUE Consult [IKE] for valid values. 6.10.4. The PropertyMinLifetimeSecondsGranularity The propertyMinLifetimeSecondsGranularity specifies how theminimum seconds lifetime that willselector for the security association should beacceptedderived from thepeer. MinLifetimeSeconds is used to prevent certain denial of service attacks wheretraffic that triggered thepeer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations.negotiation. The property is defined as follows: NAMEMinLifetimeSecondsGranularity DESCRIPTION Specifies theminimum acceptable seconds lifetime.how the proposed selector for the security association will be created. SYNTAX unsigned32-bit16-bit integer VALUEA value of zero indicates that there is no minimum value. A non-zero value specifies1 - subnet: theminimum seconds lifetime. 6.7.2. The Property MinLifetimeKilobytes The property MinLifetimeKilobytes specifiessource and destination subnet masks of theminimum kilobyte lifetime that will be accepted fromFilterEntry are used. 2 - address: only thepeer. MinLifetimeKilobytessource and destination IP addresses of the triggering packet are used. 3 - protocol: the source and destination IP addresses and the IP protocol of the triggering packet are used. 4 - port: the source and destination IP addresses and the IP protocol and the source and destination layer 4 ports of the triggering packet are used. 6.10.5. The Property VendorID The property VendorID is used together with the property GroupID (when it is in the vendor-specific range) toprevent certain denial of service attacks whereidentify thepeer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations.key exchange group. VendorID is ignored unless UsePFS is true and UseIKEGroup is false and GroupID is in the vendor-specific range (32768-65535). The property is defined as follows: NAMEMinLifetimeKilobytesVendorID DESCRIPTION Specifies theminimum acceptable kilobyte lifetime.IKE Vendor ID. SYNTAXunsigned 32-bit integer VALUE A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum kilobyte lifetime. 6.7.3.string 6.11. TheProperty RefreshThresholdSecondsClass IPsecTransportAction Theproperty RefreshThresholdSeconds specifies what percentageclass IPsecTransportAction is a subclass ofthe seconds lifetime can expire before IKE should attemptIPsecAction that is used torenegotiate thespecify use of an IPsec transport-mode security association.A random value may be added to the calculated threshold (percentage x seconds lifetime) to reduce the chance of both peers attempting to renegotiate at the same time.Thepropertyclass definition for IPsecTransportAction isdefinedas follows: NAMERefreshThresholdSecondsIPsecTransportAction DESCRIPTION Specifiesthe percentage of seconds lifetimethathas expired before thean IPsec transport-mode security association should be negotiated. DERIVED FROM IPsecAction ABSTRACT FALSE 6.12. The Class IPsecTunnelAction The class IPsecTunnelAction isrenegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representingapercentage. A valuesubclass of100 indicatesIPsecAction thattheis used to specify use of an IPsec tunnel-mode security association. The class definition for IPsecTunnelAction is as follows: NAME IPsecTunnelAction DESCRIPTION Specifies that an IPsec tunnel-mode security association shouldnotberenegotiated untilnegotiated. DERIVED FROM IPsecAction ABSTRACT FALSE PROPERTIES DFHandling 6.12.1. The Property DFHandling The property DFHandling specifies how theseconds lifetime has been reached. 6.7.4.tunnel should manage the Don't Fragment (DF) bit. The property is defined as follows: NAME DFHandling DESCRIPTION Specifies how to process the DF bit. SYNTAX unsigned 16-bit integer VALUE 1 - Copy the DF bit from the internal IP header to the external IP header. 2 - Set the DF bit of the external IP header to 1. 3 - Clear the DF bit of the external IP header to 0. 6.13. The Class IKEAction The class IKEAction specifies the parameters that are to be used for IKE phase 1 negotiation. The class definition for IKEAction is as follows: NAME IKEAction DESCRIPTION Specifies the IKE phase 1 negotiation parameters. DERIVED FROM SANegotiationAction ABSTRACT FALSE PROPERTIES RefreshThresholdDerivedKeys ExchangeMode UseIKEIdentityType VendorID AggressiveModeGroupId 6.13.1. The PropertyRefreshThresholdKilobytesRefreshThresholdDerivedKeys The propertyRefreshThresholdKilobytesRefreshThresholdDerivedKeys specifies what percentage of thekilobyte lifetimederived key limit (see the LifetimeDerivedKeys property of IKEProposal) can expire before IKE should attempt to renegotiate theIPsecIKE phase 1 security association. A random value may be added to the calculated threshold (percentage xkilobyte lifetime)derived key limit) to reduce the chance of both peers attempting to renegotiate at the same time. The property is defined as follows: NAME RefreshThresholdKilobytes DESCRIPTION Specifies the percentage ofkilobyte lifetimederived key limit that has expired before theIPsecIKE phase 1 security association is renegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representing a percentage. A value of 100 indicates that theIPsecIKE phase 1 security association should not be renegotiated until thekilobyte lifetimederived key limit has been reached.6.7.5.6.13.2. The PropertyIdleDurationSecondsExchangeMode The propertyIdleDurationSecondsExchangeMode specifieshow many seconds a security association may remain idle (i.e., no traffic protected using the security association) before it is deleted.which IKE mode should be used for IKE phase 1 negotiations. The property is defined as follows: NAMEIdleDurationSecondsExchangeMode DESCRIPTION Specifieshow long, in seconds, a security association may remain unused before it is deleted.the IKE negotiation mode for phase 1. SYNTAX unsigned32-bit16-bit integer VALUEA value of zero indicates that idle detection1 - base mode 2 - main mode 4 - aggressive mode 6.13.3. The Property UseIKEIdentityType The property UseIKEIdentityType specifies what IKE identity type shouldnotbe usedfor the security association. Any non-zero value indicateswhen negotiating with thenumber of secondspeer. This information is used in conjunction with thesecurity association may remain unused. 6.8. The Class IPsecAction The class IPsecAction serves asIKE identities available on thebase class for IPsec transportsystem andtunnel actions. It specifiestheparameters used for an IKE phase 2 IPsec DOI negotiation. AlthoughIdentityContexts of theclass is concrete, is MUST not be instantiated.matching IKERule. Theclass definition for IPsecActionproperty is defined as follows: NAMEIPsecActionUseIKEIdentityType DESCRIPTIONA base class for IPsec transport and tunnel actions that specifiesSpecifies theparameters forIKEphaseidentity to use during negotiation. SYNTAX unsigned 16-bit integer VALUE 1 - IPv4 Address 2IPsec DOI negotiations. DERIVED FROM SANegotiationAction ABSTRACT FALSE PROPERTIES UsePFS UseIKEGroup GroupId Granularity 6.8.1.- FQDN 3 - User FQDN 4 - IPv4 Subnet 5 - IPv6 Address 6 - IPv6 Subnet 7 - IPv4 Address Range 8 - IPv6 Address Range 9 - DER-Encoded ASN.1 X.500 Distinguished Name 10 - DER-Encoded ASN.1 X.500 GeneralName 11 - Key ID 6.13.4. The PropertyUsePFSVendorID The propertyUsePFSVendorID specifieswhether or not perfect forward secrecy shouldthe value to be usedwhen refreshing keys.in the Vendor ID payload. The property is defined as follows: NAMEUsePFSVendorID DESCRIPTIONSpecifies the whether or not to use PFS.Vendor ID Payload. SYNTAXbooleanstring VALUE A value oftrue indicatesNULL means thatPFS shouldVendor ID payload will beused.neither generated nor accepted. A non-NULL valueof false indicatesmeans thatPFS should nota Vendor ID payload will beused. 6.8.2.generated (when acting as an initiator) or is expected (when acting as a responder). 6.13.5. The PropertyUseIKEGroupAggressiveModeGroupId The propertyUseIKEGroupAggressiveModeGroupId specifieswhether or not phase 2 should use the same Diffie-Hellman as waswhich group ID is to be used in the first packets of the phase1. UseIKEGroup1 negotiation. This property is ignoredif UsePFSunless the property ExchangeMode isfalse.set to 4 (aggressive mode). If the AggressiveModeGroupID number is from the vendor- specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows: NAMEUseIKEGroupAggressiveModeGroupId DESCRIPTION Specifieswhether or not to usethesame GroupId for phase 2 as wasgroup ID to be usedin phase 1. If UsePFS is false, then UseIKEGroup is ignored.for aggressive mode. SYNTAXboolean VALUE A value of true indicates thatunsigned 16-bit integer 6.14. The Class PeerGateway The class PeerGateway specifies thephase 2 GroupId should besecurity gateway with which thesameIKE services negotiates. The class definition for PeerGateway is asphase 1. A value of false indicates that the property GroupId will containfollows: NAME PeerGateway DESCRIPTION Specifies theDiffie-Hellman groupsecurity gateway with which touse for phase 2. 6.8.3.negotiate. DERIVED FROM LogicalElement (see Appendix A) ABSTRACT FALSE PROPERTIES Name PeerIdentityType PeerIdentity 6.14.1. The PropertyGroupIdName The propertyGroupIdName specifiesthe Diffie-Hellman group to usea user-friendly name forphase 2. GroupId is ignored if (1) thethis security gateway. The propertyUsePFSisfalse, or (2) thedefined as follows: NAME Name DESCRIPTION Specifies a user-friendly name for this security gateway. SYNTAX string 6.14.2. The Property PeerIdentityType The propertyUsePFS is true andPeerIdentityType specifies theproperty UseIKEGroup is true.IKE identity type of the security gateway. The property is defined as follows: NAMEGroupIdPeerIdentityType DESCRIPTION Specifies theDiffie-Hellman group to use for phase 2 when the property UsePFS is true andIKE identity type of theproperty UseIKEGroup is false.security gateway. SYNTAX unsigned 16-bit integer VALUE 1 -768-bit MODP groupIPv4 Address 2 -1024-bit MODP groupFQDN 3 -EC2N group on GP[2^155]User FQDN 4 -EC2N group on GP[2^185]IPv4 Subnet 5 -1536-bit MODP group 6.8.4.IPv6 Address 6 - IPv6 Subnet 7 - IPv4 Address Range 8 - IPv6 Address Range 9 - DER-Encoded ASN.1 X.500 Distinguished Name 10 - DER-Encoded ASN.1 X.500 GeneralName 11 - Key ID 6.14.3. The PropertyGranularityPeerIdentity The propertyGranularityPeerIdentity specifieswhethertheproposed selector forIKE identity value of the securityassociation shouldgateway. A conversion may bederived from the traffic that triggered the negotiation (Narrow) or fromneeded between theFilterList ofPeerIdentity string representation and theCondition(s) that matchedreal value used in therule (Wide).ID payload (e.g. IP address is to be converted from a dotted decimal string into 4 bytes). The property is defined as follows: NAMEGranularityPeerIdentity DESCRIPTION Specifies thehow the proposed selector forIKE identity value of the securityassociation will be created.gateway. SYNTAXunsigned 8-bit integer VALUE 1 - The selector is created by using the FilterList information from the condition that matched the traffic parameters. This is called a Wide selector as it could for instance contain a IP subnet or range. 2 - The selector is created by using the traffic parameters (i.e., the 5-tuple of the traffic). This is called a Narrow selector. 6.9.string 6.15. The Association ClassIPsecTransportActionPeerGatewayForTunnel The classIPsecTransportAction is a subclass of IPsecAction that is used to specify use ofPeerGatewayForTunnel associates IPsecTunnelActions with anIPsec transport mode security association.ordered list of PeerGateways. The class definition forIPsecTransportActionPeerGatewayForTunnel is as follows: NAMEIPsecTransportActionPeerGatewayForTunnel DESCRIPTIONSpecifies thatAssociates IPsecTunnelActions with anIPsec transport mode security association should be negotiated.ordered list of PeerGateways. DERIVED FROMIPsecActionDependency (see Appendix A) ABSTRACT FALSE6.10.PROPERTIES Antecedent [ref PeerGateway[0..n]] Dependent [ref IPsecTunnelAction[0..n]] SequenceNumber 6.15.1. TheClass IPsecTunnelActionReference Antecedent Theclass IPsecTunnelActionproperty Antecedent isa subclass of IPsecAction thatinherited from Dependency and isusedoverridden tospecify use of an IPsec tunnel mode security association.refer to a PeerGateway instance. Theclass definition for IPsecTunnelAction is as follows: NAME IPsecTunnelAction DESCRIPTION Specifies[0..n] cardinality indicates that there anIPsec tunnel mode security association shouldIPsecTunnelAction instance may benegotiated. DERIVED FROM IPsecAction ABSTRACT FALSE PROPERTIES PeerGateway DFHandling 6.10.1. The Propertyassociated with zero or more PeerGatewayThe propertyinstances. Note: when there is no PeerGatewayspecifies the IP address or DNS name ofassociated to an IPsecTunnelAction, this means that thepeerIKE service acts as a responder and will accept phase 1 negotiation with any other security gateway. 6.15.2. The Reference Dependent The property Dependent isdefined as follows: NAMEinherited from Dependency and is overridden to refer to an IPsecTunnelAction instance. The [0..n] cardinality indicates that a PeerGatewayDESCRIPTION Specifies peer gateway's IP address or DNS name. SYNTAX string VALUE Either (1) IPv4 address in dotted quad format, (2) IPv6 address in ... format,instance may be associated with zero or(3) a DNS name. 6.10.2.more IPsecTunnelAction instances. 6.15.3. The PropertyDFHandlingSequenceNumber The propertyDFHandlingSequenceNumber specifieshowtheDon't Fragment (DF) bit shouldordering to bemanaged by the tunnel.used when evaluating PeerGateway instances for a given IPsecTunnelAction. . The property is defined as follows: NAMEDFHandlingSequenceNumber DESCRIPTION Specifies theDF bit is managed by the tunnel.order of evaluation for PeerGateways. SYNTAX unsigned8-bit16-bit integer VALUE1 - DF bit is copied. 2 - DF bit is set. 3 - DF bit is cleared. 6.11.Lower values are evaluated first. 6.16. The Aggregation ClassIKEActionContainedProposal The classIKEAction specifiesContainedProposal associates an ordered list of SAProposals with theparametersSANegotiationAction thatare toaggregates it. If the referenced SANegotiationAction object is an IKEAction, then the referenced SAProposal object(s) must beused for IKE phase 1 negotiation.IKEProposal(s). If the referenced SANegotiationAction object is an IPsecTransportAction or an IPsecTunnelAction, then the referenced SAProposal object(s) must be IPsecProposal(s). The class definition forIKEActionContainedProposal is as follows: NAMEIKEActionContainedProposal DESCRIPTIONSpecifies the IKE phase 1 negotiation parameters. DERIVED FROM SANegotiationAction ABSTRACT FALSE PROPERTIES RefreshThresholdDerivedKeys ExchangeMode UseIKEIdentityType 6.11.1.Associates an ordered list of SAProposals with an SANegotiationAction. DERIVED FROM PolicyComponent (see [PCIM]) ABSTRACT FALSE PROPERTIES GroupComponent[ref SANegotiationAction[0..n]] PartComponent[ref SAProposal[1..n]] SequenceNumber 6.16.1. TheProperty RefreshThresholdDerivedKeysReference GroupComponent The propertyRefreshThresholdDerivedKeys specifies what percentage ofGroupComponent is inherited from PolicyComponent and is overridden to refer to an SANegotiationAction instance. The [0..n] cardinality indicates that an SAProposal instance may be associated with zero or more SANegotiationAction instances. Note: thederived key limit (seecardinality 0 has a specific meaning: - when theLifetimeDerivedKeys property of IKEProposal) can expire beforeIKEshould attempt to renegotiateservice acts as a responder, this means that the IKE service will accept phase 1 negotiation with any other securityassociation. A random value may be added togateway; - when thecalculated threshold (percentage x derived key limit) to reduceIKE service acts as an initiator, this means that thechance of both peers attempting to renegotiate atIKE service will use thesame time. The property is defineddestination IP address (of the IP packets which triggered the SARule) asfollows: NAME RefreshThresholdKilobytes DESCRIPTION SpecifiesthepercentageIP address ofderived key limit that has expired beforethe peer IKEphase 1 security associationentity. 6.16.2. The Reference PartComponent The property PartComponent isrenegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1inherited from PolicyComponent and100 representing a percentage. A value of 100is overridden to refer to an SAProposal instance. The [1..n] cardinality indicates thatthe IKE phase 1 security association should notan SANegotiationAction instance MUST berenegotiated until the derived key limit has been reached. 6.11.2.associated with at least one SAProposal instance. 6.16.3. The PropertyExchangeModeSequenceNumber The propertyExchangeModeSequenceNumber specifieswhich IKE mode should be usedthe order of preference forIKE phase 1 key negotiations.the SAProposals. The property is defined as follows: NAMEExchangeModeSequenceNumber DESCRIPTION Specifies theIKE negotiation modepreference order forphase 1.the SAProposals. SYNTAX unsigned 16-bit integer VALUE1 - base mode 2 - main mode 4 - aggressive mode 6.11.3. The Property UseIKEIdentityType The property UseIKEIdentityType specifies what IKE identity type should be used when negotiatingLower-valued proposals are preferred over proposals with higher values. For ContainedProposals that reference thepeer. This information is used in conjunction the IKE identities available on the system. The property is defined as follows: NAME UseIKEIdentityType DESCRIPTION Specifies the IKE identity to use during negotiation. SYNTAX unsigned 16-bit integer VALUE 1 - IPv4 Address 2 - FQDN 3 - User FQDN 4 - IPv4 Subnet 5 - IPv6 Address 6 - IPv6 Subnet 7 - IPv4 Address Range 8 - IPv6 Address Range 9 - DER-Encoded ASN.1 X.500 Distinguished Name 10 - DER-Encoded ASN.1 X.500 GeneralName 11 - Key ID 6.12.same SANegotiationAction, SequenceNumber values must be unique. 6.17. TheAggregationAssociation ClassContainedProposalHostedPeerGatewayInformation The classContainedProposalHostedPeerGatewayInformation weakly associatesan ordered list of SAProposalsa PeerGateway withthe SANegotiationAction that contains it. If the referenced SANegotiationAction object is an IKEAction, then the referenced SAProposal object must be an IKEProposal. If the referenced SANegotiationAction object is an IPsecTransportAction or an IPsecTunnelAction, then the referenced SAProposal object must be an IPsecProposal.a System. The class definition forContainedProposalHostedPeerGatewayInformation is as follows: NAMEContainedProposalHostedPeerGatewayInformation DESCRIPTIONAssociates an ordered list of SAProposalsWeakly associates a PeerGateway withan SANegotiationAction.a System. DERIVED FROM Dependency (see Appendix A) ABSTRACT FALSE PROPERTIESGroupComponent[ref SANegotiationAction[0..n]] PartComponent[ref SAProposal[1..n]] SequenceNumber 6.12.1.Antecedent [ref System[1..1]] Dependent [ref PeerGateway[0..n] [weak]] 6.17.1. The ReferenceGroupComponentAntecedent The propertyGroupComponent contains an object referenceAntecedent is inherited from Dependency and is overridden toan SANegotiationAction that contains one or more SAProposals.refer to a System instance. The[0..n][1..1] cardinality indicates thatthere maya PeerGateway instance MUST bezero or more SANegotiationActions that contain any given SAProposal. 6.12.2. The Reference PartComponentassociated with one and only one System instance. 6.17.2. The Reference Dependent The propertyPartComponent contains an object referenceDependent is inherited from Dependency and is overridden toan SAProposal contained by onerefer to a PeerGateway instance. The [0..n] cardinality indicates that a System instance may be associated with zero or moreSANegotiationActions.PeerGateway instances. 6.18. The[1..n]Association Class TransformOfPreconfiguredAction The class TransformOfPreconfiguredAction associates a PreconfiguredSAAction with from one to three SATransforms that will be applied to the traffic. The order of application of the SATransforms is implicitly defined in [IPSEC]. The class definition for TransformOfPreconfiguredAction is as follows: NAME TransformOfPreconfiguredAction DESCRIPTION Associates a PreconfiguredSAAction with from one to three SATransforms. DERIVED FROM Dependency (see Appendix A) ABSTRACT FALSE PROPERTIES Antecedent[ref SATransform[1..3]] Dependent[ref PreconfiguredSAAction[0..n]] SPI 6.18.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to an SATransform instance. The [1..3] cardinality indicates that an SANegotiationActionMUST contain at leastinstance may be associated with from oneSAProposal. 6.12.3.to three SATransform instances. 6.18.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to a PreconfiguredSAAction instance. The [0..n] cardinality indicates that an SATransform instance may be associated with zero or more PreconfiguredSAAction instances. 6.18.3. The PropertySequenceNumberSPI The propertySequenceNumberSPI specifies theorder of preferenceSPI to be used by the pre-configured action for theSAProposals.associated transform. The property is defined as follows: NAMESequenceNumberSPI DESCRIPTION Specifies thepreference order forSPI to be used with theSAProposals.SATransform. SYNTAX unsigned16-bit32-bit integerVALUE Lower-valued proposals are preferred over proposals with higher values. If two proposals have the same SequenceNumber value, then the order of preference is undefined.7. Proposal and Transform Classes The proposal and transform classes model the proposal settings an IPsec device will use during IKE phase 1 and 2 negotiations.+--------------++--------------+*w 1+--------------+ | [SAProposal] |--------| System | +--------------+ (a) | (Appendix A) | ^ +--------------+ | |1 +----------------------+ | | | | +-------------+ +---------------+ | | IKEProposal | | IPsecProposal | | +-------------+ +---------------+ | *o |(a)|(b) |(c) n|+---------------+|[SATransform]+---------------+*w | | [SATransform] |----+ +---------------+ ^ | +--------------------+-----------+---------+ | | | +-------------+ +--------------+ +----------------+ | AHTransform | | ESPTransform | |IPCOMPTransform | +-------------+ +--------------+ +----------------+ (a) SAProposalInSystem (b) ContainedTransform (c) SATransformInSystem 7.1. The Abstract Class SAProposal The abstract class SAProposal serves as the base class for the IKE and IPsec proposal classes. It specifies the parameters that are common to the two proposal types. The class definition for SAProposal is as follows: NAME SAProposal DESCRIPTION Specifies the common proposal parameters for IKE and IPsec security association negotiation. DERIVED FROM Policy ([PCIM]) ABSTRACT TRUE PROPERTIES NameMaxLifetimeSeconds MaxLifetimeKilobytes7.1.1. The Property Name The property Name specifies a user-friendly name for the SAProposal. The property is defined as follows: NAME Name DESCRIPTION Specifies a user-friendly name for this proposal. SYNTAX string7.1.2.7.2. TheProperty MaxLifetimeSecondsClass IKEProposal Theproperty MaxLifetimeSecondsclass IKEProposal specifies themaximum amount of time, in seconds,proposal parameters necessary topropose that adrive an IKE security associationwill remain valid after its creation. The property is defined as follows: NAME MaxLifetimeSeconds DESCRIPTION Specifies the maximum amount of time to propose a security association remain valid. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that the default of 8 hours be used. A non-zero value indicates the maximum seconds lifetime. 7.1.3. The Property MaxLifetimeKilobytes The property MaxLifetimeKilobytes specifies the maximum kilobyte lifetime to propose that a security association will remain valid after its creation. The property is defined as follows: NAME MaxLifetimeKilobytes DESCRIPTION Specifies the maximum kilobyte lifetime to propose a security association remain valid. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there should be no maximum kilobyte lifetime. A non-zero value specifies the desired kilobyte lifetime. 7.2. The Class IKEProposal The class IKEProposal specifies the proposal parameters necessary to drive an IKE security association negotiation.negotiation. The class definition for IKEProposal is as follows: NAME IKEProposal DESCRIPTION Specifies the proposal parameters for IKE security association negotiation. DERIVED FROM SAProposal ABSTRACT FALSE PROPERTIES LifetimeDerivedKeys CipherAlgorithm HashAlgorithm PRFAlgorithm GroupId AuthenticationMethod MaxLifetimeSeconds MaxLifetimeKilobytes VendorID 7.2.1. The Property LifetimeDerivedKeys The property LifetimeDerivedKeys specifies the number of times that a phase 1 key will be used to derive a phase 2 key before the phase 1 security association needs renegotiated. Even though this is not a parameter that is sent in an IKE proposal, it is included in the proposal as the number of keys derived may be a result of the strength of the algorithms in the IKEpropsoal.proposal. The property is defined as follows: NAME LifetimeDerivedKeys DESCRIPTION Specifies the number of phase 2 keys that can be derived from the phase 1 key. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there is no limit to the number of phase 2 keyswhichthat may be derived from the phase 1 key; instead the seconds and/or kilobytes lifetime will dictate the phase 1 rekeying. A non-zero value specifies the number of phase 2 keys that can be derived from the phase 1 key. 7.2.2. The Property CipherAlgorithm The property CipherAlgorithm specifies the proposed phase 1 security association encryption algorithm. The property is defined as follows: NAME CipherAlgorithm DESCRIPTION Specifies the proposed encryption algorithm for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE1 - DES-CBC 2 - IDEA-CBC 3 - Blowfish-CBC 4 - RC5-R16-B64-CBC 5 - 3DES-CBC 6 - CAST-CBCConsult [IKE] for valid values. 7.2.3. The Property HashAlgorithm The property HashAlgorithm specifies the proposed phase 1 securityassocationassociation hash algorithm. The property is defined as follows: NAME HashAlgorithm DESCRIPTION Specifies the proposed hash algorithm for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE1 - MD5 2 - SHA-1 3 - TigerConsult [IKE] for valid values. 7.2.4. The Property PRFAlgorithm The property PRFAlgorithm specifies the proposed phase 1 security associationpsuedo-randompseudo-random function. The property is defined as follows: NAME PRFAlgorithm DESCRIPTION Specifies the proposedpsuedo-randompseudo-random function for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE Currently none defined. 7.2.5. The Property GroupId The property GroupId specifies the proposed phase 1 securityassocation Diffie-Hellmanassociation key exchange group. This property is ignored for all aggressive mode exchanges. If the GroupID number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows: NAME GroupId DESCRIPTION Specifies the proposedDiffie-Hellmankey exchange group for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE1 - 768-bit MODP group 2 - 1024-bit MODP group 3 - EC2N group on GP[2^155] 4 - EC2N group on GP[2^185] 50 -1536-bit MODP groupNot applicable: used for aggressive mode. Consult [IKE] for other valid values. 7.2.6. The Property AuthenticationMethod The property AuthenticationMethod specifies the proposed phase 1 authentication method. The property is defined as follows: NAME AuthenticationMethod DESCRIPTION Specifies the proposed authentication method for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE 0 - a special valuewhichthat indicates that this particular proposal should be repeated once for each authentication method that corresponds to the credentials installed on the machine. For example, if the system has a pre-shared key and a certificate, a proposal list could be constructed which includes a proposal that specifies pre-shared key and proposals for any of the public-key authentication methods.1 - Pre-shared key 2 - DSS signatures 3 - RSA signatures 4 - Encryption with RSA 5 - Revised encryption with RSA 6 - Kerberos (has this number been assigned???) 7.3.Consult [IKE] for valid values. 7.2.7. TheClass IPsecProposalProperty MaxLifetimeSeconds Theclass IPsecProposalproperty MaxLifetimeSeconds specifies the maximum amount of time, in seconds, to propose that a security association will remain valid after its creation. The property is defined as follows: NAME MaxLifetimeSeconds DESCRIPTION Specifies the maximum amount of time to propose a security association remain valid. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that the default of 8 hours be used. A non-zero value indicates the maximum seconds lifetime. 7.2.8. The Property MaxLifetimeKilobytes The property MaxLifetimeKilobytes specifies the maximum kilobyte lifetime to propose that a security association will remain valid after its creation. The property is defined as follows: NAME MaxLifetimeKilobytes DESCRIPTION Specifies the maximum kilobyte lifetime to propose a security association remain valid. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there should be no maximum kilobyte lifetime. A non-zero value specifies the desired kilobyte lifetime. 7.2.9. The Property VendorID The property VendorID further qualifies the key exchange group. The property is ignored unless the exchange is not in aggressive mode and the property GroupID is in the vendor-specific range. The property is defined as follows: NAME VendorID DESCRIPTION Specifies the Vendor ID to further qualify the key exchange group. SYNTAX string 7.3. The Class IPsecProposal The class IPsecProposal adds no new properties, but inherits proposalpropoertiesproperties from SAProposal as well as aggregating the security association transforms necessary for building an IPsec proposal (see the aggregation class ContainedTransform). The class definition for IPsecProposal is as follows: NAME IPsecProposal DESCRIPTION Specifies the proposal parameters for IPsec security association negotiation. DERIVED FROM SAProposal ABSTRACT FALSE 7.4. The Abstract Class SATransform The abstract class SATransform serves as the base class for the IPsec transforms that can be used to compose an IPsecproposal.proposal or to be used as a pre-configured action. The class definition for SATransform is as follows: NAME SATransform DESCRIPTION Base class for the different IPsec transforms. ABSTRACT TRUE PROPERTIESNameTransformName VendorID MaxLifetimeSeconds MaxLifetimeKilobytes 7.4.1. The PropertyNameTransformName The propertyNameTransformName specifies a user-friendly name for the SATransform. The property is defined as follows: NAMENameTransformName DESCRIPTION Specifies a user-friendly name for this transform. SYNTAX string7.4.1.7.4.2. The Property VendorID The property VendorID specifies the vendor ID for vendor-defined transforms. The property is defined as follows: NAME VendorID DESCRIPTION Specifies the vendor ID for vendor-defined transforms. SYNTAX string VALUE An empty VendorID string indicates that the transform isone of the previously-defined ones. 7.5.a standard one. 7.4.3. TheClass AHTransformProperty MaxLifetimeSeconds Theclass AHTransformproperty MaxLifetimeSeconds specifies theAH algorithmmaximum amount of time, in seconds, to proposeduring IPsecthat a security associationnegotiation.will remain valid after its creation. Theclass definition for AHTransformproperty is defined as follows: NAMEAHTransformMaxLifetimeSeconds DESCRIPTION Specifies theAH algorithmmaximum amount of time topropose.propose a security association remain valid. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that the default of 8 hours be used. A non-zero value indicates the maximum seconds lifetime. 7.4.4. The Property MaxLifetimeKilobytes The property MaxLifetimeKilobytes specifies the maximum kilobyte lifetime to propose that a security association will remain valid after its creation. The property is defined as follows: NAME MaxLifetimeKilobytes DESCRIPTION Specifies the maximum kilobyte lifetime to propose a security association remain valid. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there should be no maximum kilobyte lifetime. A non-zero value specifies the desired kilobyte lifetime. 7.5. The Class AHTransform The class AHTransform specifies the AH algorithm to propose during IPsec security association negotiation. The class definition for AHTransform is as follows: NAME AHTransform DESCRIPTION Specifies the AH algorithm to propose. ABSTRACT FALSE PROPERTIES AHTransformId UseReplayPrevention ReplayPreventionWindowSize 7.5.1. The Property AHTransformId The property AHTransformId specifies the transform ID of the AH algorithm to propose. The property is defined as follows: NAME AHTransformId DESCRIPTION Specifies the transform ID of the AH algorithm. SYNTAX unsigned 16-bit integer VALUE2 - MD5 3Consult [DOI] for valid values. 7.5.2. The Property UseReplayPrevention The property UseReplayPrevention specifies whether replay prevention detection is to be used. The property is defined as follows: NAME UseReplayPrevention DESCRIPTION Specifies whether to enable replay prevention detection. SYNTAX boolean VALUE true -SHA-1 4replay prevention detection is enabled. false -DESreplay prevention detection is disabled. 7.5.3. The Property ReplayPreventionWindowSize The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be power of 2. The property is defined as follows: NAME ReplayPreventionWindowSize DESCRIPTION Specifies the length of the window used by replay prevention detection mechanism. SYNTAX unsigned 32-bit integer 7.6. The Class ESPTransform The class ESPTransform specifies the ESP algorithms to propose during IPsec security association negotiation. The class definition for ESPTransform is as follows: NAME ESPTransform DESCRIPTION Specifies the ESP algorithms to propose. ABSTRACT FALSE PROPERTIES IntegrityTransformId CipherTransformId CipherKeyLength CipherKeyRounds UseReplayPrevention ReplayPreventionWindowSize 7.6.1. The Property IntegrityTransformId The property IntegrityTransformId specifies the transform ID of the ESP integrity algorithm to propose. The property is defined as follows: NAME IntegrityTransformId DESCRIPTION Specifies the transform ID of the ESP integrity algorithm. SYNTAX unsigned 16-bit integer VALUE0 - None 1 - HMAC-MD5 2 - HMAC-SHA 3 - DES-MAC 4 - KPDKConsult [DOI] for valid values. 7.6.2. The Property CipherTransformId The property CipherTransformId specifies the transform ID of the ESP encryption algorithm to propose. The property is defined as follows: NAME CipherTransformId DESCRIPTION Specifies the transform ID of the ESP encryption algorithm. SYNTAX unsigned 16-bit integer VALUE1 - DES IV64 2 - DES 3 - 3DES 4 - RC5 5 - IDEA 6 - CAST 7 - Blowfish 8 - 3IDEA 9 - DES IV32 10 - RC4 11 - NULLConsult [DOI] for valid values. 7.6.3. The Property CipherKeyLength The property CipherKeyLength specifies, in bits, the key length for the ESP encryption algorithm. For encryption algorithmswhichthat use fixed-length keys, this value is ignored. The property is defined as follows: NAME CipherKeyLength DESCRIPTION Specifies the ESP encryption key length in bits. SYNTAX unsigned 16-bit integer 7.6.4. The Property CipherKeyRounds The property CipherKeyRounds specifies the number of key rounds for the ESP encryption algorithm. For encryption algorithms that use fixed number of key rounds, this value is ignored. The property is defined as follows: NAME CipherKeyRounds DESCRIPTION Specifies the number of key rounds for the ESP encryption algorithm. SYNTAX unsigned 16-bit integer VALUE Currently, key rounds are not defined for any ESP encryption algorithms. 7.6.5. The Property UseReplayPrevention The property UseReplayPrevention specifies whether replay prevention detection is to be used. The property is defined as follows: NAME UseReplayPrevention DESCRIPTION Specifies whether to enable replay prevention detection. SYNTAX boolean VALUE true - replay prevention detection is enabled. false - replay prevention detection is disabled. 7.6.6. The Property ReplayPreventionWindowSize The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be power of 2. The property is defined as follows: NAME ReplayPreventionWindowSize DESCRIPTION Specifies the length of the window used by replay prevention detection mechanism. SYNTAX unsigned 32-bit integer 7.7. The Class IPCOMPTransform The class IPCOMPTransform specifies the IP compression (IPCOMP) algorithm to propose during IPsec security association negotiation. The class definition for IPCOMPTransform is as follows: NAME IPCOMPTransform DESCRIPTION Specifies the IPCOMP algorithm to propose. ABSTRACT FALSE PROPERTIES Algorithm DictionarySize PrivateAlgorithm 7.7.1. The Property Algorithm The property Algorithm specifies the transform ID of the IPCOMP compression algorithm to propose. The property is defined as follows: NAME Algorithm DESCRIPTION Specifies the transform ID of the IPCOMP compression algorithm. SYNTAX unsigned 16-bit integer VALUE 1 -OUI (the property PrivateAlgorithm will contain the vendor-specificOUI: a vendor specific algorithmto use) 2 - DEFLATE 3 - LZS 4 - V42BIS (has this number been assigned ???)is used and specified in the property PrivateAlgorithm. Consult [DOI] for other valid values. 7.7.2. The Property DictionarySize The property DictionarySize specifies the log2 maximum size of thedictiondictionary for the compression algorithm. For compression algorithms that have pre-defined dictionary sizes, this value isignores.ignored. The property is defined as follows: NAME DictionarySize DESCRIPTION Specifies the log2 maximum size of the dictionary. SYNTAX unsigned 16-bit integer 7.7.3. The Property PrivateAlgorithm The property PrivateAlgorithm specifies a private vendor-specific compression algorithm. This value is only used when the property Algorithm is 1 (OUI). The property is defined as follows: NAME PrivateAlgorithm DESCRIPTION Specifies a private vendor-specific compression algorithm. SYNTAX unsigned 32-bit integer 7.8. The Association Class SAProposalInSystem The class SAProposalInSystem weakly associates SAProposals with a System. The class definition for SAProposalInSystem is as follows: NAME SAProposalInSystem DESCRIPTION Weakly associates SAProposals with a System. DERIVED FROM PolicyInSystem (see [PCIM]) ABSTRACT FALSE PROPERTIES Antecedent[ref System [1..1]] Dependent[ref SAProposal[0..n] [weak]] 7.8.1. The Reference Antecedent The property Antecedent is inherited from PolicyInSystem and is overridden to refer to a System instance. The [1..1] cardinality indicates that an SAProposal instance MUST be associated with one and only one System instance. 7.8.2. The Reference Dependent The property Dependent is inherited from PolicyInSystem and is overridden to refer to an SAProposal instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more SAProposal instances. 7.9. The Aggregation Class ContainedTransform The class ContainedTransform associates an IPsecProposal with the set of SATransforms that make up the proposal. If multipletranformstransforms of the same type are in a proposal, then they are to be logically ORed and the order of preference is dictated by the SequenceNumber property. Sets of transforms of different types are logically ANDed. For example, if the ordered proposal list were ESP = { (HMAC-MD5,DES),3DES), (HMAC-MD5,3DES)DES) } AH = { MD5, SHA-1 } then the one sending the proposalwantswould want the other side to pick one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND one from the AH transformlist.list (preferably MD5). The class definition for ContainedProposal is as follows: NAME ContainedTransform DESCRIPTION Associates an IPsecProposal with the set of SATransforms that make up the proposal. DERIVED FROM PolicyComponent (see [PCIM]) ABSTRACT FALSE PROPERTIES GroupComponent[ref IPsecProposal[0..n]] PartComponent[ref SATransform[1..n]] SequenceNumber7.8.1.7.9.1. The Reference GroupComponent The property GroupComponentcontains an object referenceis inherited from PolicyComponent and is overridden to refer to an IPsecProposalthat contains one or more SATransforms.instance. The [0..n] cardinality indicates thattherean SATransform instance may be associated with zero or moreIPsecProposals that contain any given SATransform. 7.8.2.IPsecProposal instances. 7.9.2. The Reference PartComponent The property PartComponentcontains an object referenceis inherited from PolicyComponent and is overridden to refer to an SATransformcontained by one or more IPsecProposals.instance. The [1..n] cardinality indicates that anIPsecPropsalIPsecProposal instance MUSTcontainbe associated with at least oneSATransform. 7.8.3.SATransform instance. 7.9.3. The Property SequenceNumber The property SequenceNumber specifies the order of preference for the SATransforms of the same type. The property is defined as follows: NAME SequenceNumber DESCRIPTION Specifies the preference order for the SATransforms of the same type. SYNTAX unsigned 16-bit integer VALUE Lower-valued transforms are preferred over transforms of the same type with higher values.If two transforms of the same type haveFor ContainedTransforms that reference the same IPsecProposal, SequenceNumbervalue, then the order of preference is undefined. 8. Security Considerations This document describesvalues must be unique. 7.10. The Association Class SATransformInSystem The class SATransformInSystem weakly associates SATransforms with aschema for IPsec policy. It does not detail security requirementsSystem. The class definition forstorage or delivery of said schema. Storage and delivery security requirements should be detailed inSATransformInSystem System is as follows: NAME SATransformInSystem DESCRIPTION Weakly associates SATransforms with acomprehensive security policy architecture document. 9. Intellectual PropertySystem. DERIVED FROM PolicyInSystem (see [PCIM]) ABSTRACT FALSE PROPERTIES Antecedent[ref System[1..1]] Dependent[ref SATransform[0..n] [weak]] 7.10.1. The Reference Antecedent TheIETF takes no position regarding the validity or scope of any intellectualpropertyor other rightsAntecedent is inherited from PolicyInSystem and is overridden to refer to a System instance. The [1..1] cardinality indicates thatmightan SATransform instance MUST beclaimed to pertainassociated with one and only one System instance. 7.10.2. The Reference Dependent The property Dependent is inherited from PolicyInSystem and is overridden tothe implementation or use of the technology described in this document or the extentrefer towhich any license under such rights might or might not be available; neither does it representan SATransform instance. The [0..n] cardinality indicates thatit has made any effort to identify any such rights. Information on the IETF's proceduresa System instance may be associated withrespect to rights in standards-trackzero or more SATransform instances. 8. IKE Service andstandards-related documentation canIdentity Classes +--------------+ +-------------------+ | System | | PeerIdentityEntry | | (Appendix A) | +-------------------+ +--------------+ |*w 1| (a) (b) | +---+ +------------+ | | |*w 1 o +-------------+ +-------------------+ +---------------------+ | PeerGateway | | PeerIdentityTable | | AutostartIKESetting | +-------------+ +-------------------+ +---------------------+ *| *| *| *| +----------------------+ |(d) +----------+ | (c) *| *| *| (e) | *+------------+* |(f) +-----------------| IKEService |-----+ | | (g) +------------+ |(h) | 0..1| *| *| *o +--------------------+ | +---------------------------+ | IPProtocolEndpoint | | | AutostartIKEConfiguration | | (Appendix C) | (i)| +---------------------------+ +--------------------+ | 0..1| | |(j) +----------------+ *| |* +-------------+* (k) +------------+ +-----------------------------+ | IKEIdentity |-------| Collection | | CredentialManagementService | +-------------+ 0..1|(Appendix A)| | (Appendix B) | *| +------------+ +-----------------------------+ |(l) *| +--------------+ | Credential | | (Appendix B) | +--------------+ (a) HostedPeerIdentityTable (b) PeerIdentityMember (c) IKEServicePeerGateway (d) IKEServicePeerIdentityTable (e) IKEAutostartSetting (f) AutostartIKESettingContext (g) IKEServiceForEndpoint (h) IKEAutostartConfiguration (i) IKEUsesCredentialManagementService (j) EndpointHasLocalIKEIdentity (k) CollectionHasLocalIKEIdentity (l) IKEIdentitysCredential This portion of the model contains additional information that is useful in applying the policy. The IKEService class MAY befoundused to represent the IKE negotiation function inBCP-11. Copies of claims of rights made availablea system. The IKEService uses the various tables that contain information about IKE peers as well as the configuration forpublicationspecifying security associations that are started automatically. The information in the PeerGateway, PeerIdentityTable andany assurances of licensesrelated classes is necessary tobe made available, orcompletely specify theresult ofpolicies. An interface (represented by anattempt made to obtainIPProtocolEndpoint) has an IKEService that provides the negotiation services for that interface. That service MAY also have ageneral license or permissionlist of security associations for that are automatically started at the time the IKE service is initialized. The IKEService also has a set of identities that it may use in negotiations with its peers. Those identities are associated with the interfaces (or collections ofsuch proprietary rights by implementers or usersinterfaces). 8.1. The Class IKEService The class IKEService represents the IKE negotiation function. An instance of thisspecification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights whichservice maycover technologyprovide that negotiation service for one or more interfaces (represented by the IPProtocolEndpoint class) of a System. There may berequired to practice this standard. Please address the informationmultiple instances of IKE services on a System but only one per interface. The class definition for IKEService is as follows: NAME IKEService DESCRIPTION IKEService is used to represent theIETF Executive Director. 10. AcknowledgmentsIKE negotiation function. DERIVED FROM NetworkService (see Appendix C) ABSTRACT FALSE 8.2. Theauthor would like to thank Mike Jeronimo, Ylian Saint-Hilaire, Vic Lortz,Class PeerIdentityTable The class PeerIdentityTable aggregates the table entries that provide mappings between identities andWilliam Dixon fortheircontributionsaddresses. The class definition for PeerIdentityTable is as follows: NAME PeerIdentityTable DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry instances tothis IPsec policy model. Additionally, this draft would not have been possible withoutprovide a table of identity-address mappings. DERIVED FROM Collection (see Appendix A) ABSTRACT FALSE PROPERTIES Name 8.3.1. The Property Name The property Name uniquely identifies thepreceding IPsec schema drafts. For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan. 11. References [IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. [COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998. [ESP] Kent, S.,table. The property is defined as follows: NAME Name DESCRIPTION Name uniquely identifies the table. SYNTAX string 8.3. The Class PeerIdentityEntry The class PeerIdentityEntry specifies the mapping between peer identity andR. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998. [AH] Kent, S.,their address. The class definition for PeerIdentityEntry is as follows: NAME PeerIdentityEntry DESCRIPTION PeerIdentityEntry provides a mapping between a peer's identity andR. Atkinson, "IPaddress. DERIVED FROM LogicalElement (see Appendix A) ABSTRACT FALSE PROPERTIES PeerIdentity PeerIdentityType PeerAddress PeerAddressType 8.3.1. The Property PeerIdentity The property PeerIdentity contains a string encoding of the Identity payload for the IKE peer. The property is defined as follows: NAME PeerIdentity DESCRIPTION The PeerIdentity is the ID payload of a peer. SYNTAX string 8.3.2. The Property PeerIdentityType The property PeerIdentityType is an enumeration that specifies the type of the PeerIdentity. The property is defined as follows: NAME PeerIdentityType DESCRIPTION PeerIdentityType is the type of the ID payload of a peer. SYNTAX unsigned 16-bit integer VALUE The enumeration values are specified in [DOI] section 4.6.2.1. 8.3.3. The Property PeerAddress The property PeerAddress specifies the string representation of the IP address of the peer formatted according to the appropriate convention as defined in the PeerAddressType property (e.g., dotted decimal notation). The property is defined as follows: NAME PeerAddress DESCRIPTION PeerAddress is the address of the peer with the ID payload. SYNTAX string VALUE String representation of an IPv4 or IPv6 address. 8.3.4. The Property PeerAddressType The property PeerAddressType specifies the format of the PeerAddress property value. The property is defined as follows: NAME PeerAddressType DESCRIPTION PeerAddressType is the type of address in PeerAddress. SYNTAX unsigned 16-bit integer VALUE 0 - Unknown 1 - IPv4 2 - IPv6 8.4. The Class AutostartIKEConfiguration The class AutostartIKEConfiguration groups AutostartIKESetting instances into configuration sets. When applied, the settings cause an IKE service to automatically start (negotiate or statically set as appropriate) the Security Associations. The class definition for AutostartIKEConfiguration is as follows: NAME AutostartIKEConfiguration DESCRIPTION A configuration set of AutostartIKESetting instances to be automatically started by the IKE service. DERIVED FROM SystemConfiguration (see Appendix A) ABSTRACT FALSE 8.5. The Class AutostartIKESetting The class AutostartIKESetting is used to automatically initiate IKE negotiations with peers (or statically create an SA) as specified in the AutostartIKESetting properties. Appropriate actions are initiated according to the policy that matches the setting parameters. The class definition for AutostartIKESetting is as follows: NAME AutostartIKESetting DESCRIPTION AutostartIKESetting is used to automatically initiate IKE negotiations with peers or statically create an SA. DERIVED FROM SystemSetting (see Appendix A) ABSTRACT FALSE PROPERTIES Phase1Only AddressType SourceAddress SourcePort DestinationAddress DestinationPort Protocol 8.5.1. The Property Phase1Only The property Phase1Only is used to limit the IKE negotiation to just setting up a phase 1 security association. When set to False, both phase 1 and 2 negotiations are initiated. The property is defined as follows: NAME Phase1Only DESCRIPTION Used to indicate which security associations to attempt to establish (phase 1 only, or phase 1 and 2). SYNTAX boolean VALUE true - attempt to establish a phase 1 security association false - attempt to establish phase 1 and 2 security associations 8.5.2. The Property AddressType The property AddressType specifies type of the addresses in the SourceAddress and DestinationAddress properties. The property is defined as follows: NAME AddressType DESCRIPTION AddressType is the type of address in SourceAddress and DestinationAddress properties. SYNTAX unsigned 16-bit integer VALUE 0 - Unknown 1 - IPv4 2 - IPv6 8.5.3. The Property SourceAddress The property SourceAddress specifies the dotted-decimal or colon- decimal formatted IP address used as the source address in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows: NAME SourceAddress DESCRIPTION The source address to compare with the filters to determine the appropriate policy rule. SYNTAX string VALUE dotted-decimal or colon-decimal formatted IP address 8.5.4. The Property SourcePort The property SourcePort specifies the port number used as the source port in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows: NAME SourcePort DESCRIPTION The source port to compare with the filters to determine the appropriate policy rule. SYNTAX unsigned 16-bit integer 8.5.5. The Property DestinationAddress The property DestinationAddress specifies the dotted-decimal or colon-decimal formatted IP address used as the destination address in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows: NAME DestinationAddress DESCRIPTION The destination address to compare with the filters to determine the appropriate policy rule. SYNTAX string VALUE dotted-decimal or colon-decimal formatted IP address 8.5.6. The Property DestinationPort The property DestinationPort specifies the port number used as the destination port in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows: NAME DestinationPort DESCRIPTION The destination port to compare with the filters to determine the appropriate policy rule. SYNTAX unsigned 16-bit integer 8.5.7. The Property Protocol The property Protocol specifies the protocol number used in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows: NAME Protocol DESCRIPTION The protocol number used in comparing with policy filter entries. SYNTAX unsigned 8-bit integer 8.6. The Class IKEIdentity The class IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 negotiations. The policy IKEAction.UseIKEIdentityType specifies which type of the available identities to use in a negotiation exchange and the IKERule.IdentityContexts specifies the match values to be used, along with the local address, in selecting the appropriate identity for a negotiation. The ElementID property value (defined in the parent class, UsersAccess) should be that of either the IPProtocolEndpoint or Collection of endpoints as appropriate. The class definition for IKEIdentity is as follows: NAME IKEIdentity DESCRIPTION IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 negotiations. DERIVED FROM UsersAccess (see Appendix B) ABSTRACT FALSE PROPERTIES IdentityType IdentityValue IdentityContexts 8.6.1. The Property IdentityType The property IdentityType is an enumeration that specifies the type of the IdentityValue. The property is defined as follows: NAME IdentityType DESCRIPTION IdentityType is the type of the IdentityValue. SYNTAX unsigned 8-bit integer VALUE The enumeration values are specified in [DOI] section 4.6.2.1. 8.6.2. The Property IdentityValue The property Identity specifies Value contains a string encoding of the Identity payload. For IKEIdentity instances that are address types, the IdentityValue string value may be omitted and the associated IPProtocolEndpoint or appropriate member of the Collection of endpoints is used. The property is defined as follows: NAME IdentityValue DESCRIPTION IdentityValue contains a string encoding of the Identity payload. SYNTAX string 8.6.3. The Property IdentityContexts The IdentityContexts property is used to constrain the use of IKEIdentity instances to match that specified in the IKERule.IdentityContexts. The IdentityContexts are formatted as policy roles and role combinations [PCIM]. Each value represents one context or context combination. Since this is a multi-valued property, more than one context or combination of contexts can be associated with a single IKEIdentity. Each value is a string of the form: <ContextName>[&&<ContextName>]* where the individual context names appear in alphabetical order (according to the collating sequence for UCS-2). If one or more values in the IKERule.IdentityContexts array match one or more IKEIdentity.IdentityContexts then the identity's context matches. (That is, each value of the IdentityContext array is an ORed condition.) In combination with the address of the IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be 1 and only 1 IKEIdentity. The property is defined as follows: NAME IdentityContexts DESCRIPTION The IKE service of a security endpoint may have multiple identities for use in different situations. The combination of the interface (represented by the IPProtocolEndpoint), the identity type (as specified in the IKEAction) and the IdentityContexts selects a unique identity. SYNTAX string array VALUE string of the form <ContextName>[&&<ContextName>]* 8.7. The Association Class HostedPeerIdentityTable The class HostedPeerIdentityTable provides the name scoping relationship for PeerIdentityTable entries in a System. The PeerIdentityTable is weak to the System. The class definition for HostedPeerIdentityTable is as follows: NAME HostedPeerIdentityTable DESCRIPTION The PeerIdentityTable instances are weak (name scoped by) the owning System. DERIVED FROM Dependency (see Appendix A) ABSTRACT FALSE PROPERTIES Antecedent [ref System[1..1]] Dependent [ref PeerIdentityTable[0..n] [weak]] 8.7.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerIdentityTable instance MUST be associated in a weak relationship with one and only one System instance. 8.7.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerIdentityTable instances. 8.8. The Aggregation Class PeerIdentityMember The class PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable. This is a weak aggregation. The class definition for PeerIdentityMember is as follows: NAME PeerIdentityMember DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable. DERIVED FROM MemberOfCollection (see Appendix A) ABSTRACT FALSE PROPERTIES Collection [ref PeerIdentityTable[1..1]] Member [ref PeerIdentityEntry [0..n] [weak]] 8.8.1. The Reference Collection The property Collection is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityTable instance. The [1..1] cardinality indicates that a PeerIdentityEntry instance MUST be associated with one and only one PeerIdentityTable instance (i.e., PeerIdentityEntry instances are not shared across PeerIdentityTables). 8.8.2. The Reference Member The property Member is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityEntry instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more PeerIdentityEntry instances. 8.9. The Association Class IKEServicePeerGateway The class IKEServicePeerGateway provides the association between an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways. The class definition for IKEServicePeerGateway is as follows: NAME IKEServicePeerGateway DESCRIPTION Associates an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways. DERIVED FROM Dependency (see Appendix A) ABSTRACT FALSE PROPERTIES Antecedent [ref PeerGateway[0..n]] Dependent [ref IKEService[0..n]] 8.9.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerGateway instances. 8.9.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more IKEService instances. 8.10. The Association Class IKEServicePeerIdentityTable The class IKEServicePeerIdentityTable provides the relationship between an IKEService and a PeerIdentityTable that it uses to map between addresses and identities as required. The class definition for IKEServicePeerIdentityTable is as follows: NAME IKEServicePeerIdentityTable DESCRIPTION IKEServicePeerIdentityTable provides the relationship between an IKEService and a PeerIdentityTable that it uses. DERIVED FROM Dependency (see Appendix A) ABSTRACT FALSE PROPERTIES Antecedent [ref PeerIdentityTable[0..n]] Dependent [ref IKEService[0..n]] 8.10.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerIdentityTable instances. 8.10.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more IKEService instances. 8.11. The Association Class IKEAutostartSetting The class IKEAutostartSetting associates an AutostartIKESetting with an IKEService that may use it to automatically start an IKE negotiation or create a static SA. The class definition for IKEAutostartSetting is as follows: NAME IKEAutostartSetting DESCRIPTION Associates a AutostartIKESetting with an IKEService. DERIVED FROM ElementSetting (see Appendix A) ABSTRACT FALSE PROPERTIES Element [ref IKEService[0..n]] Setting [ref AutostartIKESetting[0..n]] 8.11.1. The Reference Element The property Element is inherited from ElementSetting and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates an AutostartIKESetting instance may be associated with zero or more IKEService instances. 8.11.2. The Reference Setting The property Setting is inherited from ElementSetting and is overridden to refer to an AutostartIKESetting instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKESetting instances. 8.12. The Aggregation Class AutostartIKESettingContext The class AutostartIKESettingContext aggregates the settings used to automatically start negotiations or create a static SA into a configuration set. The class definition for AutostartIKESettingContext is as follows: NAME AutostartIKESettingContext DESCRIPTION AutostartIKESettingContext aggregates the AutostartIKESetting instances into a configuration set. DERIVED FROM SystemSettingContext (see Appendix A) ABSTRACT FALSE PROPERTIES Context [ref AutostartIKEConfiguration [0..n]] Setting [ref AutostartIKESetting [0..n]] SequenceNumber 8.12.1. The Reference Context The property Context is inherited from SystemSettingContext and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an AutostartIKESetting instance may be associated with zero or more AutostartIKEConfiguration instances (i.e., a setting may be in multiple configuration sets). 8.12.2. The Reference Setting The property Setting is inherited from SystemSettingContext and is overridden to refer to an AutostartIKESetting instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more AutostartIKESetting instances. 8.12.3. The Property SequenceNumber The property SequenceNumber specifies indicates the ordering to be used when starting negotiations or creating a static SA. A zero value indicates that order is not significant and settings may be applied in parallel with other settings. All other settings in the configuration are executed in sequence from lower values to high. Sequence numbers need not be unique in an AutostartIKEConfiguration and order is not significant for settings with the same sequence number. The property is defined as follows: NAME SequenceNumber DESCRIPTION The sequence in which the settings are applied within a configuration set. SYNTAX unsigned 16-bit integer 8.13. The Association Class IKEServiceForEndpoint The class IKEServiceForEndpoint provides the association showing which IKE service, if any, provides IKE negotiation services for which network interfaces. The class definition for IKEServiceForEndpoint is as follows: NAME IKEServiceForEndpoint DESCRIPTION Associates an IPProtocolEndpoint with an IKEService that provides negotiation services for the endpoint. DERIVED FROM Dependency (see Appendix A) ABSTRACT FALSE PROPERTIES Antecedent [ref IKEService[0..1]] Dependent [ref IPProtocolEndpoint[0..n]] 8.13.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..1] cardinality indicates that an IPProtocolEndpoint instance MUST by associated with at most one IKEService instance. 8.13.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to an IPProtocolEndpoint that is associated with at most one IKEService. The [0..n] cardinality indicates an IKEService instance may be associated with zero or more IPProtocolEndpoint instances. 8.14. The Association Class IKEAutostartConfiguration The class IKEAutostartConfiguration provides the relationship between an IKEService and a configuration set that it uses to automatically start a set of SAs. The class definition for IKEAutostartConfiguration is as follows: NAME IKEAutostartConfiguration DESCRIPTION IKEAutostartConfiguration provides the relationship between an IKEService and an AutostartIKEConfiguration that it uses to automatically start a set of SAs. DERIVED FROM Dependency (see Appendix A) ABSTRACT FALSE PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]] Dependent [ref IKEService [0..n]] Active 8.14.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKEConfiguration instances. 8.14.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more IKEService instances. 8.14.3. The Property Active The property Active specifies indicates whether the AutostartIKEConfiguration set is currently active for the associated IKEService. That is, at boot time, the active configuration is used to automatically start IKE negotiations and create static SAs. The property is defined as follows: NAME Active DESCRIPTION Active indicates whether the AutostartIKEConfiguration set is currently active for the associated IKEService. SYNTAX boolean VALUE true - AutostartIKEConfiguration is currently active for associated IKEService. false - AutostartIKEConfiguration is currently inactive for associated IKEService. 8.15. The Association Class IKEUsesCredentialManagementService The class IKEUsesCredentialManagementService defines the set of CredentialManagementService(s) that are trusted sources of credentials for IKE phase 1 negotiations. The class definition for IKEUsesCredentialManagementService is as follows: NAME IKEUsesCredentialManagementService DESCRIPTION Associates the set of CredentialManagementService(s) that are trusted by the IKEService as sources of credentials used in IKE phase 1 negotiations. DERIVED FROM Dependency (see Appendix A) ABSTRACT FALSE PROPERTIES Antecedent [ref CredentialManagementService [0..n]] Dependent [ref IKEService [0..n]] 8.15.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more CredentialManagementService instances. 8.15.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a CredentialManagementService instance may be associated with zero or more IKEService instances. 8.16. The Association Class EndpointHasLocalIKEIdentity The class EndpointHasLocalIKEIdentity associates an IPProtocolEndpoint with a set of IKEIdentity instances that may be used in negotiating security associations on the endpoint. An IKEIdentity MUST be associated with either an IPProtocolEndpoint using this association or with a collection of IKEIdentity instances using the CollectionHasLocalIKEIdentity association. The class definition for EndpointHasLocalIKEIdentity is as follows: NAME EndpointHasLocalIKEIdentity DESCRIPTION EndpointHasLocalIKEIdentity associates an IPProtocolEndpoint with a set of IKEIdentity instances. DERIVED FROM ElementAsUser (see Appendix B) ABSTRACT FALSE PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]] Dependent [ref IKEIdentity [0..n]] 8.16.1. The Reference Antecedent The property Antecedent is inherited from ElementAsUser and is overridden to refer to an IPProtocolEndpoint instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one IPProtocolEndpoint instance. 8.16.2. The Reference Dependent The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that an IPProtocolEndpoint instance may be associated with zero or more IKEIdentity instances. 8.17. The Association Class CollectionHasLocalIKEIdentity The class CollectionHasLocalIKEIdentity associates a Collection of IPProtocolEndpoint instances with a set of IKEIdentity instances that may be used in negotiating SAs for endpoints in the collection. An IKEIdentity MUST be associated with either an IPProtocolEndpoint using the EndpointHasLocalIKEIdentity association or with a collection of IKEIdentity instances using this association. The class definition for CollectionHasLocalIKEIdentity is as follows: NAME CollectionHasLocalIKEIdentity DESCRIPTION CollectionHasLocalIKEIdentity associates a collection of IPProtocolEndpoint instances with a set of IKEIdentity instances. DERIVED FROM ElementAsUser (see Appendix B) ABSTRACT FALSE PROPERTIES Antecedent [ref Collection [0..1]] Dependent [ref IKEIdentity [0..n]] 8.17.1. The Reference Antecedent The property Antecedent is inherited from ElementAsUser and is overridden to refer to a Collection instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one Collection instance. 8.17.2. The Reference Dependent The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Collection instance may be associated with zero or more IKEIdentity instances. 8.18. The Association Class IKEIdentitysCredential The class IKEIdentitysCredential is an association that relates a set of credentials to their corresponding local IKE Identities. The class definition for IKEIdentitysCredential is as follows: NAME IKEIdentitysCredential DESCRIPTION IKEIdentitysCredential associates a set of credentials to their corresponding local IKEIdentity. DERIVED FROM UsersCredential (see Appendix A) ABSTRACT FALSE PROPERTIES Antecedent [ref Credential [0..n]] Dependent [ref IKEIdentity [0..n]] 8.18.1. The Reference Antecedent The property Antecedent is inherited from UsersCredential and is overridden to refer to a Credential instance. The [0..n] cardinality indicates that IKEIdentity instance may be associated with zero or more Credential instances. 8.18.2. The Reference Dependent The property Dependent is inherited from UsersCredential and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Credential instance may be associated with zero or more IKEIdentity instances. 9. Security Considerations This document describes a schema for IPsec policy. It does not detail security requirements for storage or delivery of said schema. Storage and delivery security requirements should be detailed in a comprehensive security policy architecture document. 10. Intellectual Property The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. 11. Acknowledgments The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire, Vic Lortz, and William Dixon for their contributions to this IPsec policy model. Additionally, this draft would not have been possible without the preceding IPsec schema drafts. For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan. 12. References [IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. [COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998. [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998. [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC2402,2402, November 1998. [PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001. [DOI] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998. [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997. [COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000. Internet-Draft work in progress. [COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000. Internet-Draft work in progress. [SPSL] Condell, M., and C. Lynn, J. Zao, "Security Policy Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000. Internet-Draft work in progress. [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [IPSO] Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991. [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the Internet Protocol", RFC 2401, November 1998.[PCIM] Moore, B.,13. Disclaimer The views and specification herein are those of the authors and are not necessarily those of their employer. The authors and their employer specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this specification. 14. Authors' Addresses Jamie Jason Intel Corporation MS JF3-206 2111 NE 25th Ave. Hillsboro, OR 97124 E-Mail: jamie.jason@intel.com Lee Rafalow IBM Corporation, BRQA/502 4205 So. Miami Blvd. Research Triangle Park, NC 27709 E-mail: rafalow@raleigh.ibm.com Eric Vyncke Cisco Systems Avenue Marcel Thiry, 77 B-1200 Brussels Belgium E-mail: evyncke@cisco.com 15. Full Copyright Statement Copyright (C) The Internet Society (1999). All Rights Reserved. This document and translations of it maybe copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other then English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Appendix A (DMTF Core Model MOF) // ================================================================== // ManagedElement // ================================================================== [Abstract, Description ( "ManagedElement is an abstract class that provides a common " "superclass (or top of the inheritance tree) for the " "non-association classes in the CIM Schema.")] class CIM_ManagedElement { [MaxLen (64), Description ( "The Caption property is a short textual description (one-" "line string) of the object.") ] string Caption; [Description ( "The Description property provides a textual description of " "the object.") ] string Description; }; // ================================================================== // Collection // ================================================================== [Abstract, Description ( "Collection is an abstract class that provides a common" "superclass for data elements that represent collections of " "ManagedElements and its subclasses.")] class CIM_Collection : CIM_ManagedElement { }; // ================================================================== // ManagedSystemElement // ================================================================== [Abstract, Description ( "CIM_ManagedSystemElement is the base class for the System " "Element hierarchy. Membership Criteria: Any distinguishable " "component of a System is a candidate for inclusion in this " "class. Examples: software components, such as files; and " "devices, such as disk drives and controllers, and physical " "components such as chips and cards.") ] class CIM_ManagedSystemElement : CIM_ManagedElement { [Description ( "A datetime value indicating when the object was installed. " "A lack of a value does not indicate that the object is not " "installed."), MappingStrings {"MIF.DMTF|ComponentID|001.5"} ] datetime InstallDate; [MaxLen (256), Description ( "The Name property defines the label by which the object is " "known. When subclassed, the Name property can be overridden " "to be a Key property.") ] string Name; [MaxLen (10), Description ( " A string indicating the current status of the object. " "Various operational and non-operational statuses are " "defined. Operational statuses are \"OK\", \"Degraded\", " "\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that " "the Element is functioning, but needs attention. Examples " "of \"Stressed\" states are overload, overheated, etc. The " "condition \"Pred Fail\" (failure predicted) indicates that " "an Element is functioning properly but predicting a failure " "in the near future. An example is a SMART-enabled hard " "drive. \n" " Non-operational statuses can also be specified. These " "are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", " "\"Stopped\", " "\"Service\",\"No Contact\" and \"Lost Comm\". \"NonRecover\"" "indicates that a non-recoverable error has occurred. " "\"Service\" describes an Element being configured, " "maintained," "cleaned, or otherwise administered. This status could apply " "during mirror-resilvering of a disk, reload of a user " "permissions list, or other administrative task. Not all " "such " "work is on-line, yet the Element is neither \"OK\" nor in " "one of the other states. \"No Contact\" indicates that the " "current instance of the monitoring system has knowledge of " "this Element but has never been able to establish " "communications with it. \"Lost Comm\" indicates that " "the ManagedSystemElement is known to exist and has been " "contacted successfully in the past, but is currently " "unreachable." "\"Stopped\" indicates that the ManagedSystemElement is " "known " "to exist, it is not operational (i.e. it is unable to " "provide service to users), but it has not failed. It " "has purposely " "been made non-operational. The Element " "may have never been \"OK\", the Element may have initiated " "its " "own stop, or a management system may have initiated the " "stop."), ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail", "Starting", "Stopping", "Service", "Stressed", "NonRecover", "No Contact", "Lost Comm", "Stopped"} ] string Status; }; // ================================================================== // LogicalElement // ================================================================== [Abstract, Description ( "CIM_LogicalElement is a base class for all the components " "of " "a System that represent abstract system components, such " "as Files, Processes, or system capabilities in the form " "of Logical Devices.") ] class CIM_LogicalElement:CIM_ManagedSystemElement { }; // ================================================================== // CIM_SystemConfiguration // ================================================================== [Description ( "CIM_SystemConfiguration represents the general concept " "of a CIM_Configuration which is scoped by/weak to a " "System. This class is a peer of CIM_Configuration since " "the key structure of Configuration is currently " "defined and cannot be modified with additional " "properties.")] class CIM_SystemConfiguration : CIM_ManagedElement { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ( "The scoping System's CreationClassName.") ] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256), Description ("The scoping System's Name.") ] string SystemName; [Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to " "be uniquely identified.") ] string CreationClassName; [Key, MaxLen (256), Description ( "The label by which the Configuration object is known.") ] string Name; }; // =================================================================== // Setting // =================================================================== [Abstract, Description ( "The Setting class represents configuration-related and " "operational parameters for one or more ManagedSystem" "Element(s). A ManagedSystemElement may have multiple " "Setting " "objects associated with it. The current operational values " "for an Element's parameters are reflected by properties in " "the Element itself or by properties in its associations. " "These properties do not have to be the same values present " "in the Setting object. For example, a modem may have a " "Setting baud rate of 56Kb/sec but be operating " "at 19.2Kb/sec.") ] class CIM_Setting : CIM_ManagedElement { [MaxLen (256), Description ( "The identifier by which the Setting object is known.") ] string SettingID; [Description ( "The VerifyOKToApplyToMSE method is used to verify that " "this Setting can be 'applied' to the referenced Managed" "SystemElement, at the given time or time interval. This " "method takes three input parameters: MSE (the Managed" "SystemElement that is being verified), TimeToApply (which, " "being a datetime, can be either a specific time or a time " "interval), and MustBeCompletedBy (which indicates the " "required completion time for the method). The return " "value should be 0 if it is OK to apply the Setting, 1 if " "the method is not supported, 2 if the Setting can not be " "applied within the specified times, and any other number " "if an error occurred. In a subclass, the " "set of possible return codes could be specified, using a " "ValueMap qualifier on the method. The strings to which the " "ValueMap contents are 'translated' may also be specified in " "the subclass as a Values array qualifier.") ] uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE, [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); [Description ( "The ApplyToMSE method performs the actual application of " "the Setting to the referenced ManagedSystemElement. It " "takes three input parameters: MSE (the ManagedSystem" "Element to which the Setting is being applied), " "TimeToApply (which, being a datetime, can be either a " "specific time or a time interval), and MustBeCompletedBy " "(which indicates the required completion time for the " "method). Note that the semantics of this method are that " "individual Settings are either wholly applied or not " "applied at all to their target ManagedSystemElement. The " "return value should be 0 if the Setting is successfully " "applied to the referenced ManagedSystemElement, 1 if the " "method is not supported, 2 if the Setting was not applied " "within the specified times, and any other number if an " "error occurred. In a subclass, the set of possible return " "codes could be specified, using a ValueMap qualifier on " "the method. The strings to which the ValueMap contents are " "'translated' may also be specified in the subclass as a " "Values array qualifier.\n" "Note: If an error occurs in applying the Setting to a " "ManagedSystemElement, the Element must be configured as " "when the 'apply' attempt began. That is, the Element " "should NOT be left in an indeterminate state.") ] uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE, [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); [Description ( "The VerifyOKToApplyToCollection method is used to verify " "that this Setting can be 'applied' to the referenced " "Collection of ManagedSystemElements, at the given time " "or time interval, without causing adverse effects to " "either the Collection itself or its surrounding " "environment. The net effect is to execute the " "VerifyOKToApply method against each of the Elements " "aggregated by the Collection. This method takes three " "input parameters: Collection (the Collection of Managed" "SystemElements that is being verified), TimeToApply (which, " "being a datetime, can be either a specific time or a time " "interval), and MustBeCompletedBy (which indicates the " "required completion time for the method). The return " "value should be 0 if it is OK to apply the Setting, 1 if " "the method is not supported, 2 if the Setting can not be " "applied within the specified times, and any other number if " "an error occurred. One output parameter is defined - " "CanNotApply - which is a string array that lists the keys " "of " "the ManagedSystemElements to which the Setting can NOT be " "applied. This enables those Elements to be revisited and " "either fixed, or other corrective action taken.\n" "In a subclass, the set of possible return codes could be " "specified, using a ValueMap qualifier on the method. The " "strings to which the ValueMap contents are 'translated' may " "also be specified in the subclass as a Values array " "qualifier.") ] uint32 VerifyOKToApplyToCollection ( [IN] CIM_CollectionOfMSEs ref Collection, [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy, [OUT] string CanNotApply[]); [Description ( "The ApplyToCollection method performs the application of " "the Setting to the referenced Collection of ManagedSystem" "Elements. The net effect is to execute the ApplyToMSE " "method against each of the Elements aggregated by the " "Collection. If the input value ContinueOnError is FALSE, " "this method applies the Setting to all Elements in the " "Collection until it encounters an error, in which case it " "stops execution, logs the key of the Element that caused " "the error in the CanNotApply array, and issues a return " "code " "of 2. If the input value ContinueOnError is TRUE, then this " "method applies the Setting to all the ManagedSystemElements " "in the Collection, and reports the failed Elements in the " "array, CanNotApply. For the latter, processing will " "continue " "until the method is applied to all Elements in the " "Collection, regardless of any errors encountered. The key " "of " "each ManagedSystemElement to which the Setting could not be " "applied is logged into the CanNotApply array. This method " "takes four input parameters: Collection (the Collection of " "Elements to which the Setting is being applied), " "TimeToApply " "(which, being a datetime, can be either a specific time or " "a " "time interval), ContinueOnError (TRUE means to continue " "processing on encountering an error), and MustBeCompletedBy " "(which indicates the required completion time for the " "method). The return value should be 0 if the Setting is " "successfully applied to the referenced Collection, 1 if the " "method is not supported, 2 if the Setting was not applied " "within the specified times, 3 if the Setting can not be " "applied using the input value for ContinueOnError, and any " "other number if an error occurred. One output parameter is " "defined, CanNotApplystring, which is an array that lists " "the keys of the ManagedSystemElements to which the Setting " "was NOT able to be applied. This output parameter has " "meaning only when the ContinueOnError parameter is TRUE.\n" "In a subclass, the set of possible return codes could be " "specified, using a ValueMap qualifier on the method. The " "strings to which the ValueMap contents are 'translated' may " "also be specified in the subclass as a Values array " "qualifier.\n" "Note: if an error occurs in applying the Setting to a " "ManagedSystemElement in the Collection, the Element must be " "configured as when the 'apply' attempt began. That is, the " "Element should NOT be left in an indeterminate state.") ] uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection, [IN] datetime TimeToApply, [IN] boolean ContinueOnError, [IN] datetime MustBeCompletedBy, [OUT] string CanNotApply[]); [Description ( "The VerifyOKToApplyIncrementalChangeToMSE method " "is used to verify that a subset of the properties in " "this Setting can be 'applied' to the referenced Managed" "SystemElement, at the given time or time interval. This " "method takes four input parameters: MSE (the Managed" "SystemElement that is being verified), TimeToApply (which, " "being a datetime, can be either a specific time or a time " "interval), MustBeCompletedBy (which indicates the " "required completion time for the method), and a " "PropertiesToApply array (which contains a list of the " "property names whose values will be verified. " "If they array is null or empty or constains the string " "\"all\" " "as a property name then all Settings properties shall be " "verified. If it is set to \"none\" then no Settings " "properties " "will be verified). The return " "value should be 0 if it is OK to apply the Setting, 1 if " "the method is not supported, 2 if the Setting can not be " "applied within the specified times, and any other number " "if an error occurred. In a subclass, the " "set of possible return codes could be specified, using a " "ValueMap qualifier on the method. The strings to which the " "ValueMap contents are 'translated' may also be specified in " "the subclass as a Values array qualifier.") ] uint32 VerifyOKToApplyIncrementalChangeToMSE( [IN] CIM_ManagedSystemElement ref MSE, [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy, [IN] string PropertiesToApply[]); [Description ( "The ApplyIncrementalChangeToMSE method performs the " "actual application of a subset of the properties in " "the Setting to the referenced ManagedSystemElement. It " "takes four input parameters: MSE (the ManagedSystem" "Element to which the Setting is being applied), " "TimeToApply (which, being a datetime, can be either a " "specific time or a time interval), MustBeCompletedBy " "(which indicates the required completion time for the " "method), and a " "PropertiesToApply array (which contains a list of the " "property names whose values will be applied. If a " "property is not in this list, it will be ignored by the " "apply. " "If they array is null or empty or constains the string " "\"all\" " "as a property name then all Settings properties shall be " "applied. If it is set to \"none\" then no Settings " "properties " "will be applied. ). " "Note that the semantics of this method are that " "individual Settings are either wholly applied or not " "applied at all to their target ManagedSystemElement. The " "return value should be 0 if the Setting is successfully " "applied to the referenced ManagedSystemElement, 1 if the " "method is not supported, 2 if the Setting was not applied " "within the specified times, and any other number if an " "error occurred. In a subclass, the set of possible return " "codes could be specified, using a ValueMap qualifier on " "the method. The strings to which the ValueMap contents are " "'translated' may also be specified in the subclass as a " "Values array qualifier.\n" "Note: If an error occurs in applying the Setting to a " "ManagedSystemElement, the Element must be configured as " "when the 'apply' attempt began. That is, the Element " "should NOT be left in an indeterminate state.") ] uint32 ApplyIncrementalChangeToMSE( [IN] CIM_ManagedSystemElement ref MSE, [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy, [IN] string PropertiesToApply[]); [Description ( "The VerifyOKToApplyIncrementalChangeToCollection method " "is used to verify that a subset of the properties in " "this Setting can be 'applied' to the referenced " "Collection of ManagedSystemElements, at the given time " "or time interval, without causing adverse effects to " "either the Collection itself or its surrounding " "environment. The net effect is to execute the " "VerifyOKToApplyIncrementalChangeToMSE method " "against each of the Elements " "aggregated by the Collection. This method takes three " "input parameters: Collection (the Collection of Managed" "SystemElements that is being verified), TimeToApply (which, " "being a datetime, can be either a specific time or a time " "interval), MustBeCompletedBy (which indicates the " "required completion time for the method), and a " "PropertiesToApply array (which contains a list of the " "property names whose values will be verified. " "If they array is null or empty or contains the string " "\"all\" " "as a property name then all Settings properties shall be " "verified. If it is set to \"none\" then no Settings " "properties " "will be verified). The return " "value should be 0 if it is OK to apply the Setting, 1 if " "the method is not supported, 2 if the Setting can not be " "applied within the specified times, and any other number if " "an error occurred. One output parameter is defined - " "CanNotApply - which is a string array that lists the keys " "of " "the ManagedSystemElements to which the Setting can NOT be " "applied. This enables those Elements to be revisited and " "either fixed, or other corrective action taken.\n" "In a subclass, the set of possible return codes could be " "specified, using a ValueMap qualifier on the method. The " "strings to which the ValueMap contents are 'translated' may " "also be specified in the subclass as a Values array " "qualifier.") ] uint32 VerifyOKToApplyIncrementalChangeToCollection ( [IN] CIM_CollectionOfMSEs ref Collection, [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy, [IN] string PropertiesToApply[], [OUT] string CanNotApply[]); [Description ( "The ApplyIncrementalChangeToCollection method performs " "the application of a subset of the properties in this " "Setting to the referenced Collection of ManagedSystem" "Elements. The net effect is to execute the " "ApplyIncrementalChangeToMSE " "method against each of the Elements aggregated by the " "Collection. If the input value ContinueOnError is FALSE, " "this method applies the Setting to all Elements in the " "Collection until it encounters an error, in which case it " "stops execution, logs the key of the Element that caused " "the error in the CanNotApply array, and issues a return " "code " "of 2. If the input value ContinueOnError is TRUE, then this " "method applies the Setting to all the ManagedSystemElements " "in the Collection, and reports the failed Elements in the " "array, CanNotApply. For the latter, processing will " "continue " "until the method is applied to all Elements in the " "Collection, regardless of any errors encountered. The key " "of " "each ManagedSystemElement to which the Setting could not be " "applied is logged into the CanNotApply array. This method " "takes four input parameters: Collection (the Collection of " "Elements to which the Setting is being applied), " "TimeToApply " "(which, being a datetime, can be either a specific time or " "a " "time interval), ContinueOnError (TRUE means to continue " "processing on encountering an error), and MustBeCompletedBy " "(which indicates the required completion time for the " "method), and a PropertiesToApply array (which contains a " "list " "of the property names whose values will be applied. If a " "property is not in this list, it will be ignored by " "the apply. " "If they array is null or empty or constains the string " "\"all\" " "as a property name then all Settings properties shall be " "applied. If it is set to \"none\" then no Settings " "properties " "will be applied. ). " "The return value should be 0 if the Setting is " "successfully applied to the referenced Collection, 1 if the " "method is not supported, 2 if the Setting was not applied " "within the specified times, 3 if the Setting can not be " "applied using the input value for ContinueOnError, and any " "other number if an error occurred. One output parameter is " "defined, CanNotApplystring, which is an array that lists " "the keys of the ManagedSystemElements to which the Setting " "was NOT able to be applied. This output parameter has " "meaning only when the ContinueOnError parameter is TRUE.\n" "In a subclass, the set of possible return codes could be " "specified, using a ValueMap qualifier on the method. The " "strings to which the ValueMap contents are 'translated' may " "also be specified in the subclass as a Values array " "qualifier.\n" "Note: if an error occurs in applying the Setting to a " "ManagedSystemElement in the Collection, the Element must be " "configured as when the 'apply' attempt began. That is, the " "Element should NOT be left in an indeterminate state.") ] uint32 ApplyIncrementalChangeToCollection( [IN] CIM_CollectionOfMSEs ref Collection, [IN] datetime TimeToApply, [IN] boolean ContinueOnError, [IN] datetime MustBeCompletedBy, [IN] string PropertiesToApply[], [OUT] string CanNotApply[]); }; // ================================================================== // CIM_SystemSetting // ================================================================== [Abstract, Description ( "CIM_SystemSetting represents the general concept " "of a CIM_Setting which is scoped by/weak to a System.")] class CIM_SystemSetting : CIM_Setting { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ( "The scoping System's CreationClassName.") ] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256), Description ("The scoping System's Name.") ] string SystemName; [Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to " "be uniquely identified.") ] string CreationClassName; [Override ("SettingID"), Key, MaxLen (256)] string SettingID; }; // ================================================================== // System // ================================================================== [Abstract, Description ( "A CIM_System is a LogicalElement that aggregates an " "enumerable set of Managed System Elements. The aggregation " "operates as a functional whole. Within any particular " "subclass of System, there is a well-defined list of " "Managed System Element classes whose instances must be " "aggregated.") ] class CIM_System:CIM_LogicalElement { [Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to " "be uniquely identified.") ] string CreationClassName; [Key, MaxLen (256), Override ("Name"), Description ( "The inherited Name serves as key of a System instance in " "an enterprise environment.") ] string Name; [MaxLen (64), Description ( "The System object and its derivatives are Top Level Objects " "of CIM. They provide the scope for numerous components. " "Having unique System keys is required. A heuristic can be " "defined in individual System subclasses to attempt to " "always " "generate the same System Name Key. The NameFormat property " "identifies how the System name was generated, using " "the subclass' heuristic.") ] string NameFormat; [MaxLen (256), Description ( "A string that provides information on how the primary " "system " "owner can be reached (e.g. phone number, email address, " "...)."), MappingStrings {"MIF.DMTF|General Information|001.3"} ] string PrimaryOwnerContact; [MaxLen (64), Description ( "The name of the primary system owner."), MappingStrings {"MIF.DMTF|General Information|001.4"} ] string PrimaryOwnerName; [Description ( "An array (bag) of strings that specify the roles this " "System " "plays in the IT-environment. Subclasses of System may " "override this property to define explicit Roles values. " "Alternately, a Working Group may describe the heuristics, " "conventions and guidelines for specifying Roles. For " "example, for an instance of a networking system, the Roles " "property might contain the string, 'Switch' or 'Bridge'.") ] string Roles[]; }; // ================================================================== // Service // ================================================================== [Abstract, Description ( "A CIM_Service is a Logical Element that contains the " "information necessary to represent and manage the " "functionality provided by a Device and/or SoftwareFeature. " "A Service is a general-purpose object to configure and " "manage the implementation of functionality. It is not the " "functionality itself.") ] class CIM_Service:CIM_LogicalElement { [Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this " "property " "allows all instances of this class and its subclasses to " "be uniquely identified.") ] string CreationClassName; [Override ("Name"), Key, MaxLen (256), Description ( "The Name property uniquely identifies the Service and " "provides an indication of the functionality that is " "managed. This functionality is described in more detail in " "the object's Description property. ") ] string Name; [MaxLen (10), Description ( "StartMode is a string value indicating whether the Service " "is automatically started by a System, Operating System, " "etc. " "or only started upon request."), ValueMap {"Automatic", "Manual"} ] string StartMode; [Description ( "Started is a boolean indicating whether the Service " "has been started (TRUE), or stopped (FALSE).") ] boolean Started; [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ( "The scoping System's CreationClassName. ") ] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256), Description ("The scoping System's Name.") ] string SystemName; [Description ( "The StartService method places the Service in the started " "state. It returns an integer value of 0 if the Service was " "successfully started, 1 if the request is not supported and " "any other number to indicate an error. In a subclass, the " "set of possible return codes could be specified, using a " "ValueMap qualifier on the method. The strings to which the " "ValueMap contents are 'translated' may also be specified in " "the subclass as a Values array qualifier.") ] uint32 StartService(); [Description ( "The StopService method places the Service in the stopped " "state. It returns an integer value of 0 if the Service was " "successfully stopped, 1 if the request is not supported and " "any other number to indicate an error. In a subclass, the " "set of possible return codes could be specified, using a " "ValueMap qualifier on the method. The strings to which the " "ValueMap contents are 'translated' may also be specified in " "the subclass as a Values array qualifier.") ] uint32 StopService(); }; // ================================================================== // ServiceAccessPoint // ================================================================== [Abstract, Description ( "CIM_ServiceAccessPoint represents the ability to utilize or " "invoke a Service. Access points represent that a Service " "is " "made available to other entities for use.") ] class CIM_ServiceAccessPoint:CIM_LogicalElement { [Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this " "property " "allows all instances of this class and its subclasses to " "be uniquely identified.") ] string CreationClassName; [Override ("Name"), Key, MaxLen (256), Description ( "The Name property uniquely identifies the " "ServiceAccessPoint " "and provides an indication of the functionality that is " "managed. This functionality is described in more detail in " "the object's Description property.") ] string Name; [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ( "The scoping System's CreationClassName.") ] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256), Description ("The scoping System's Name.") ] string SystemName; }; // ================================================================== // === Association class definitions === // ================================================================== // ================================================================== // Component // ================================================================== [Association, Abstract, Aggregation, Description ( "CIM_Component is a generic association used to establish " "'part of' relationships between Managed System Elements. " "For " "example, the SystemComponent association defines parts of " "a System.") ] class CIM_Component { [Aggregate, Key, Description ( "The parent element in the association.") ] CIM_ManagedSystemElement REF GroupComponent; [Key, Description ("The child element in the association.") ] CIM_ManagedSystemElement REF PartComponent; }; // ================================================================== // Dependency // ================================================================== [Association, Abstract, Description ( "CIM_Dependency is a generic association used to establish " "dependency relationships between ManagedElements.") ] class CIM_Dependency { [Key, Description ( "Antecedent represents the independent object in this " "association.") ] CIM_ManagedElement REF Antecedent; [Key, Description ( "Dependent represents the object dependent on the " "Antecedent.") ] CIM_ManagedElement REF Dependent; }; // =================================================================== // ElementSetting // =================================================================== [Association, Description ( "ElementSetting represents the association between Managed" "SystemElements and the Setting class(es) defined for them.") ] class CIM_ElementSetting { [Key, Description ("The ManagedSystemElement.") ] CIM_ManagedSystemElement REF Element; [Key, Description ( "The Setting object associated with the ManagedSystem" "Element.") ] CIM_Setting REF Setting; }; // ================================================================== // MemberOfCollection // ================================================================== [Association, Aggregation, Description ( "CIM_MemberOfCollection is an aggregation used to establish " "membership of ManagedElements in a Collection." ) ] class CIM_MemberOfCollection { [Key, Aggregate, Description ("The Collection that aggregates members") ] CIM_Collection REF Collection; [Key, Description ("The aggregated member of the collection.") ] CIM_ManagedElement REF Member; }; // ================================================================== // CIM_SystemSettingContext // ================================================================== [Association, Aggregation, Description ( "This relationship associates System-specific Configuration " "objects with System-specific Setting objects, similar to " "the " "SettingContext association.")] class CIM_SystemSettingContext { [Aggregate, Key, Description ( "The Configuration object that aggregates the Setting.") ] CIM_SystemConfiguration REF Context; [Key, Description ("An aggregated Setting.")] CIM_SystemSetting REF Setting; }; Appendix B (DMTF User Model MOF) // ================================================================== // OrganizationalEntity // ================================================================== [Abstract, Description ( "OrganizationalEntity is an abstract class from which classes " "that fit into an organizational structure are derived.") ] class CIM_OrganizationalEntity : CIM_ManagedElement { }; // ================================================================== // UserEntity // ================================================================== [Abstract, Description ( "UserEntity is an abstract class that represents users.") ] class CIM_UserEntity : CIM_OrganizationalEntity { }; // ================================================================== // UsersAccess // ================================================================== [Description ( "The UsersAccess object class is used to specify a system user " "that permitted access to system resources. The ManagedElement " "that has access to system resources (represented in the model in " "the ElementAsUser association) may be a person, a service, a " "service access point or any collection thereof. Whereas the " "Account class represents the user's relationship to a system " "from the perspective of the security services of the system, the " "UserAccess class represents the relationships to the systems " "independent of a particular system or service.") ] class CIM_UsersAccess: CIM_UserEntity { [Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to " "be uniquely identified.")] string CreationClassName; [Key, MaxLen (256),Description ( "The Name property defines the label by which the object is " "known.")] string Name; [Key, Description ( "The ElementID property uniquely specifies the ManagedElement " "object instance that is the user represented by the " "UsersAccess object instance. The ElementID is formatted " "similarly to a model path except that the property-value " "pairs are ordered in alphabetical order (US ASCII lexical " "order).")] string ElementID; [Description ( "Biometric information used to identify a person. The " "property value is left null or set to 'N/A' for non-human " "user or a user not using biometric information for " "authentication."), Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger", "Voice", "DNA-RNA", "EEG"} ] uint16 Biometric[]; }; // ================================================================== // SecurityService // ================================================================== [ Abstract, Description ( "CIM_SecurityService ...") ] class CIM_SecurityService:CIM_Service { }; // ================================================================== // AuthenticationService // ================================================================== [Description ( "CIM_AuthenticationService verifies users' identities through " "some means. These services are decomposed into a subclass that " "provides credentials to users and a subclass that provides for " "the verification of the validity of a credential and, perhaps, " "the appropriateness of its use for access to target resources. " "The persistent state information used from one such verification " "to another is maintained in an Account for that Users Access on " "that AuthenticationService.") ] class CIM_AuthenticationService:CIM_SecurityService { }; // ================================================================== // CredentialManagementService // ================================================================== [Description ( "CIM_CredentialManagementService issues credentials and manages " "the credential lifecycle.") ] class CIM_CredentialManagementService:CIM_AuthenticationService { }; // ================================================================== // CertificateAuthority // ================================================================== [Description ("A Certificate Authority (CA) is a credential " "management service that issues and cryptographically " "signs certificates thus acting as an trusted third-party " "intermediary in establishing trust relationships. The CA " "authenicates the holder of the private key related to the " "certificate's public key; the authenicated entity is " "represented by the UsersAccess class.") ] class CIM_CertificateAuthority:CIM_CredentialManagementService { [Description ( "The CAPolicyStatement describes what care is taken by the " "CertificateAuthority when signing a new certificate. " "The CAPolicyStatment may be a dot-delimited ASN.1 OID " "string which identifies to the formal policy statement.") ] string CAPolicyStatement; [Description ( "A CRL, or CertificateRevocationList, is a " "list of certificates which the CertificateAuthority has " "revoked and which are not yet expired. Revocation is " "necessary when the private key associated with the public " "key of a certificate is lost or compromised, or when the " "person for whom the certificate is signed no longer is " "entitled to use the certificate."), Octetstring ] string CRL[]; [Description ("Certificate Revocation Lists may be " "available from a number of distribution points. " "CRLDistributionPoint array values provide URIs for those " "distribution points.")] string CRLDistributionPoint[]; [Description ( "Certificates refer to their issuing CA by " "its Distinguished Name (as defined in X.501)."), DN] string CADistinguishedName; [Description ( "The frequency, expressed in hours, at which " "the CA will update its Certificate Revocation List. Zero " "implies that the refresh frequency is unknown."), Units("Hours")] uint8 CRLRefreshFrequency; [Description ( "The maximum number of certificates in a " "certificate chain permitted for credentials issued by " "this certificate authority or it's subordinate CAs.\n" "The MaxChainLength of a superior CA in the trust " "hierarchy should be greater than this value and the " "MaxChainLength of a subordinate CA in the trust hierarchy " "should be less than this value.")] uint8 MaxChainLength; }; // ================================================================== // KerberosKeyDistributionCenter // ================================================================== [Description ( "CIM_KerberosKeyDistributionCenter ...") ] class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService { [Override ("Name"), Description ("The Realm served by this KDC.")] string Name; [Description ("The version of Kerberos supported by this " "service."), Values {"V4", "V5", "DCE", "MS"} ] uint16 Protocol[]; }; // ================================================================== // Notary // ================================================================== [Description ( "CIM_Notary is an AuthenticationService (credential " "management service) which compares the " "biometric characteristics of a person with the " "known characteristics of an Users Access, and determines " "whether the person is the UsersAccess. An example is " "a bank teller who compares a picture ID with the person " "trying to cash a check, or a biometric login service that " "uses voice recognition to identify a user.") ] class CIM_Notary:CIM_CredentialManagementService { [Description ( "The types of biometric information which " "this Notary can compare."), Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger", "Voice", "DNA-RNA", "EEG"} ] uint16 Comparitors; [Description ( "The SealProtocol is how the decision of the Notary is " "recorded for future use by parties who will rely on its " "decision. For instance, a drivers licence frequently " "includes tamper-resistent coatings and markings to protect " "the recorded decision that a driver, having various " "biometric characteristics of height, weight, hair and eye " "color, using a particular name, has features represented in " "a photograph of their face.")] string SealProtocol; [Description ( "CharterIssued documents when the Notary is first " "authorized, by whoever gave it responsibility, to perform " "its service.")] datetime CharterIssued; [Description ( "CharterExpired documents when the Notary is no longer " "authorized, by whoever gave it responsibility, to perform " "its service.")] datetime CharterExpired; }; // ================================================================== // LocalCredentialManagementService // ================================================================== [Description ( "CIM_LocalCredentialManagementService is a credential " "management service that provides local system " "management of credentials used by the local system.") ] class CIM_LocalCredentialManagementService:CIM_CredentialManagementService { }; // ================================================================== // SharedSecretService // ================================================================== [Description ( "CIM_SharedSecretService is a service which ascertains " "whether messages received are from the Principal with " "whom a secret is shared. Examples include a login " "service that proves identity on the basis of knowledge of " "the shared secret, or a transport integrity service (like " "Kerberos provides) that includes a message authenticity " "code that proves each message in the messsage stream came " "from someone who knows the shared secret session key.")] class CIM_SharedSecretService:CIM_LocalCredentialManagementService { [MaxLen (256), Description ( "The Algorithm used to convey the shared secret, such as " "HMAC-MD5,or PLAINTEXT.") ] string Algorithm; [Description ( "The Protocol supported by the SharedSecretService.")] string Protocol; }; // ================================================================== // PublicKeyManagementService // ================================================================== [Description ( "CIM_PublicKeyManagementService is a credential management " "service that provides local system management of public " "keys used by the local system.") ] class CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService { }; // ================================================================== // Credential // ================================================================== [Abstract, Description ( "Subclasses of CIM_Credential define materials, " "information, or other data which are used to prove the " "identity of a CIM_UsersAccess to a particular " "CIM_SecurityService. Generally, there may be some shared " "information, or credential material which is used to " "identify and authenticate ones self in the process of " "gaining access to, or permission to use, an Account. " "Such credential material may be used to authenticate a " "users access identity initially, as done by a " "CIM_AuthenticationService (see later), and additionally on " "an ongoing basis during the course of a connection or " "other security association, as proof that each received " "message or communication came from the owning user access " "of " "that credential material.") ] class CIM_Credential:CIM_ManagedElement { }; // ================================================================== // PublicKeyCertificate // ================================================================== [Description ("A Public Key Certificate is a credential " "that is cryptographically signed by a trusted Certificate " "Authority (CA) and issued to an authenticated entity " "(e.g., human user, service,etc.) called the Subject in " "the certificate and represented by the UsersAccess class. " "The public key in the certificate is cryptographically " "related to a private key that is to be held and kept " "private by the authenticated Subject. The certificate " "and its related private key can then be used for " "establishing trust relationships and securing " "communications with the Subject. Refer to the ITU/CCITT " "X.509 standard as an example of such certificates.") ] class CIM_PublicKeyCertificate:CIM_Credential { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Propagated ("CIM_CertificateAuthority.CreationClassName"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_CertificateAuthority.Name"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceName; [Key, MaxLen (256), Description ( "Certificate subject identifier")] string Subject; [MaxLen (256), Description ( "Alternate subject identifier for the Certificate.")] string AltSubject; [Description ("The DER-encoded raw public key."), Octetstring] uint8 PublicKey[]; }; // ================================================================== // UnsignedPublicKey // ================================================================== [Description ( "A CIM_UnsignedPublicKey represents an unsigned public " "key credential. The local UsersAccess (or subclass " "thereof) accepts the public key as authentic because of " "a direct trust relationship rather than via a third-party " "Certificate Authority.") ] class CIM_UnsignedPublicKey:CIM_Credential { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Propagated ("CIM_PublicKeyManagementService.CreationClassName"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_PublicKeyManagementService.Name"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceName; [Key, MaxLen (256), Description ( "The Identity of the Peer with whom a direct trust " "relationship exists. The public key may be used for " "security functions with the Peer."), ModelCorrespondence {"CIM_PublicKeyManagementService.PeerIdentityType" } ] string PeerIdentity; [Description ("PeerIdentityType is used to describe the " "type of the PeerIdentity. The currently defined values " "are used for IKE identities."), ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"}, Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"}, ModelCorrespondence {"CIM_PublicKeyManagementService.PeerIdentity" } ] uint16 PeerIdentityType; [Description ("The DER-encoded raw public key."), Octetstring] uint8 PublicKey[]; }; // ================================================================== // KerberosTicket // ================================================================== [Description ( "A CIM_KerberosTicket represents a credential issued by a " "particular Kerberos Key Distribution Center (KDC) " "to a particular CIM_UsersAccess as the result of a " "successful authentication process. There are two types of " "tickets that a KDC may issue to a Users Access - a " "TicketGranting ticket, which is used to protect and " "authenticate communications between the Users Access and " "the " "KDC, and a Session ticket, which the KDC issues to two " "Users Access to allow them to communicate with each other. " ) ] class CIM_KerberosTicket:CIM_Credential { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Key, MaxLen (256), Propagated ("CIM_KerberosKeyDistributionCenter.CreationClassName"), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_KerberosKeyDistributionCenter.Name"), Key, MaxLen (256), Description ("Scoping Service. The Kerberos KDC Realm of " "CIM_KerberosTicket is used to record the security " "authority, or Realm, name so that tickets issued by " "different Realms can be separately managed and " "enumerated.")] string ServiceName; [Key, MaxLen (256), Description ("The name of the service " "for which this ticket is used.")] string AccessesService; [Key, MaxLen (256), Description ( "RemoteID is the name by which the user is known at " "the KDC security service.")] string RemoteID; datetime Issued; datetime Expires; [Description ( "The Type of CIM_KerberosTicket is used to indicate whether " "the ticket in question was issued by the Kerberos Key " "Distribution Center (KDC) to support ongoing communication " "between the Users Access and the KDC (\"TicketGranting\"), " "or was issued by the KDC to support ongoing communication " "between two Users Access entities (\"Session\")." ), Values {"Session", "TicketGranting"}] uint16 TicketType; }; // ================================================================== // SharedSecret // ================================================================== [Description ( "CIM_SharedSecret is the secret shared between a Users " "Access " "and a particular SharedSecret security service. Secrets " "may be in the form of a password used for initial " "authentication, or as with a session key, used as part of " "a message authentication code to verify that a message " "originated by the pricinpal with whom the secret is shared. " "It is important to note that SharedSecret is not just the " "password, but rather is the password used with a particular " "security service.")] class CIM_SharedSecret:CIM_Credential { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Key, MaxLen (256), Propagated ("CIM_SharedSecretService.CreationClassName"), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_SharedSecretService.Name"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceName; [Key, MaxLen (256), Description ( "RemoteID is the name by which the user is known at " "the remote secret key authentication service.")] string RemoteID; [Description ( "secret is the secret known by the Users Access.")] string secret; [Description ( "algorithm names the transformation algorithm, if any, used " "to protect passwords before use in the protocol. For " "instance, Kerberos doesn't store passwords as the shared " "secret, but rather, a hash of the password.")] string algorithm; [Description ( "protocol names the protocol with which the SharedSecret is " "used.")] string protocol; }; // ================================================================== // NamedSharedIKESecret // ================================================================== [Description ( "CIM_NamedSharedIKESecret indirectly represents a shared " "secret credential. The local identity, IKEIdentity, " "and the remote peer identity share the secret that is " "named by the SharedSecretName. The SharedSecretName is " "used SharedSecretService to reference the secret.") ] class CIM_NamedSharedIKESecret:CIM_Credential { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Propagated ("CIM_SharedSecretService.CreationClassName"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_SharedSecretService.Name"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceName; [Key, MaxLen (256), Description ( "The local Identity with whom the direct trust " "relationship exists."), ModelCorrespondence {"CIM_NamedSharedIKESecret.LocalIdentityType" } ] string LocalIdentity; [Key, Description ("LocalIdentityType is used to describe " "the type of the LocalIdentity."), ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"}, Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"}, ModelCorrespondence {"CIM_NamedSharedIKESecret.LocalIdentity" } ] uint16 LocalIdentityType; [Key, MaxLen (256), Description ( "The peer identity with whom the direct trust " "relationship exists."), ModelCorrespondence {"CIM_NamedSharedIKESecret.PeerIdentityType" } ] string PeerIdentity; [Key, Description ("PeerIdentityType is used to describe " "the type of the PeerIdentity."), ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"}, Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"}, ModelCorrespondence {"CIM_NamedSharedIKESecret.PeerIdentity" } ] uint16 PeerIdentityType; [Description ("SharedSecretName is an indirect reference " "to a shared secret. The SecretService does not expose " "the actual secret but rather provides access to the " "secret via a name.")] string SharedSecretName; }; // ================================================================== // === Association class definitions === // ================================================================== // ================================================================== // ElementAsUser // ================================================================== [Association, Description ( "CIM_ElementAsUser is an association used to establish the " "'ownership' of UsersAccess object instances. That is, the " "ManagedElement may have UsersAccess to systems and, therefore, " "be 'users' on those systems. UsersAccess instances must have an " "'owning' ManagedElement. Typically, the ManagedElements will be " "limited to Collection, Person, Service and ServiceAccessPoint. " "Other non-human ManagedElements that might be thought of as " "having UsersAccess (e.g., a device or system) have services that " "have the UsersAccess.")] class CIM_ElementAsUser : CIM_Dependency { [Min (1), Max (1), Override ("Antecedent"), Description ("The ManagedElement that has UsersAccess") ] CIM_ManagedElement REF Antecedent; [Override ("Dependent"), Description ("The 'owned' UsersAccess") ] CIM_UsersAccess REF Dependent; }; // ================================================================== // UsersCredential // ================================================================== [Association, Description ( "CIM_UsersCredential is an association used to establish the " "credentials that may be used for a UsersAccess to a system or " "set of systems. " )] class CIM_UsersCredential : CIM_Dependency { [Override ("Antecedent"), Description ("The issued credential that may be used.") ] CIM_Credential REF Antecedent; [Override ("Dependent"), Description ("The UsersAccess that has use of a credential") ] CIM_UsersAccess REF Dependent; }; // =================================================================== // PublicPrivateKeyPair // =================================================================== [Association, Description ( "This relationship associates a PublicKeyCertificate with " "the Principal who has the PrivateKey used with the " "PublicKey. The PrivateKey is not modeled, since it is not " "a data element that ever SHOULD be accessible via " "management applications, other than key recovery services, " "which are outside our scope.") ] class CIM_PublicPrivateKeyPair:CIM_UsersCredential { [ Override ("Antecedent") ] CIM_PublicKeyCertificate REF Antecedent; [ Override ("Dependent") ] CIM_UsersAccess REF Dependent; [Description ( "The Certificate may be used for signature " "only " "or for confidentiality as well as signature"), Values { "SignOnly", "ConfidentialityOrSignature"} ] uint16 Use; boolean NonRepudiation; boolean BackedUp; [Description ("The repository in which the certificate is " "backed up.")] string Repository; }; // =================================================================== // CAHasPublicCertificate // =================================================================== [Association, Description ( "A CertificateAuthority may have certificates issued by other CAs. " "This association is essentially an optimization of the CA having " "a UsersAccess instance with an association to a certificate thus " "mapping more closely to LDAP-based certificate authority " "implementations.") ] class CIM_CAHasPublicCertificate:CIM_Dependency { [Max (1), Override ("Antecedent"), Description ("The Certificate used by the CA")] CIM_PublicKeyCertificate REF Antecedent; [Override ("Dependent"), Description ("The CA that uses a Certificate")] CIM_CertificateAuthority REF Dependent; }; // =================================================================== // ManagedCredential // =================================================================== [Association, Description ( "This relationship associates a CredentialManagementService " "with the Credential it manages.") ] class CIM_ManagedCredential:CIM_Dependency { [Override ("Antecedent"), Min (1), Max (1), Description ( "The credential management service")] CIM_CredentialManagementService REF Antecedent; [Override ("Dependent"), Description ( "The managed credential")] CIM_Credential REF Dependent; }; // =================================================================== // CASignsPublicKeyCertificate // =================================================================== [Association, Description ( "This relationship associates a CertificateAuthority with " "the certificates it signs.") ] class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ( "The CA which signed the certificate")] CIM_CertificateAuthority REF Antecedent; [Override ("Dependent"), Weak, Description ( "The certificate issued by the CA")] CIM_PublicKeyCertificate REF Dependent; string SerialNumber; [ Octetstring ] uint8 Signature[]; datetime Expires; string CRLDistributionPoint[]; }; // ================================================================== // LocallyManagedPublicKey // ================================================================== [Association, Description ( "CIM_LocallyManagedPublicKey association provides the " "relationship between a PublicKeyManagementService and an " "UnsignedPublicKey.") ] class CIM_LocallyManagedPublicKey:CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ("The PublicKeyManagementService that manages " "an unsigned public key.") ] CIM_PublicKeyManagementService REF Antecedent; [Override ("Dependent"), Weak, Description ( "An unsigned public key.") ] CIM_UnsignedPublicKey REF Dependent; }; // =================================================================== // SharedSecretIsShared // =================================================================== [Association, Description ( "This relationship associates a SharedSecretService with the " "SecretKey it verifies.") ] class CIM_SharedSecretIsShared : CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ("The credential management service")] CIM_SharedSecretService REF Antecedent; [Override ("Dependent"), Weak, Description ( "The managed credential")] CIM_SharedSecret REF Dependent; }; // ================================================================== // IKESecretIsNamed // ================================================================== [Association, Description ( "CIM_IKESecretIsNamed association provides the " "relationship between a SharedSecretService and a " "NamedSharedIKESecret.") ] class CIM_IKESecretIsNamed:CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ("The SharedSecretService that manages a " "NamedSharedIKESecret.")] CIM_SharedSecretService REF Antecedent; [Override ("Dependent"), Weak, Description ( "The managed NamedSharedIKESecret.") ] CIM_NamedSharedIKESecret REF Dependent; }; // =================================================================== // KDCIssuesKerberosTicket // =================================================================== [Association, Description ( "The KDC issues and owns Kerberos tickets. This association " "captures the relationship between the KDC and its issued tickets." ) ] class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ( "The issuing KDC") ] CIM_KerberosKeyDistributionCenter REF Antecedent; [Override ("Dependent"), Weak, Description ( "The managed credential")] CIM_KerberosTicket REF Dependent; }; // =================================================================== // NotaryVerifiesBiometric // =================================================================== [Association, Description ( "This relationship associates a Notary service with the " "Users Access whose biometric information is verified.") ] class CIM_NotaryVerifiesBiometric : CIM_Dependency { [Override ("Antecedent"), Description ("The Notary service that verifies biometric " "information ") ] CIM_Notary REF Antecedent; [Override ("Dependent"), Description ( "The UsersAccess that represents a person using " "biometric information for authentication.")] CIM_UsersAccess REF Dependent; }; Appendix C (DMTF Network Model MOF) // ================================================================== // NetworkService // ================================================================== [Abstract, Description ( "This is an abstract base class, derived from the Service " "class. It serves as the root of the network service " "hierarchy. Network services represent generic functions " "that are available from the network that configure and/or " "modify the traffic being sent. For example, FTP is not a " "network service, as it simply passes data unchanged from " "source to destination. On the other hand, services " "that provide quality of service (e.g., DiffServ) and " "security (e.g., IPSec) do affect the traffic stream. " "Quality of service, IPSec, and other services are " "subclasses of this class. This class hierarchy enables " "developers to match services to users, groups, " "and other objects in the network.") ] class CIM_NetworkService : CIM_Service { [Description ( "This is a free-form array of strings that provide " "descriptive words and phrases that can be used in queries " "to help locate and identify instances of this service.") ] string Keywords [ ]; [Description ( "This is a URL that provides the protocol, network " "location, andE. Ellesson, J. Strassner, "Policy Core Information Model -- Versionother service-specific information required " "in order to access the service. This should be implemented " "as a LabeledURI, with syntax DirectoryString and a " "matching rule of CaseExactMatch, for directory " "implementors.") ] string ServiceURL; [Description ( "This is a free-form array of strings that specify any " "specific pre-conditions that must be met in order for this " "service to start correctly. It is expected that subclasses " "will refine the inherited StartService() and StopService()" "methods to suit their own application-specific needs. This " "property is used to specify application-specific conditions " "needed by the refined StartService and StopService" "methods.") ] string StartupConditions [ ]; [Description ( "This is a free-form array of strings that specify any " "specific parameters that must be supplied to the " "StartService() method in order for this service to start " "correctly. It is expected that subclasses will refine the " "inherited StartService() and StopService() methods to suit " "their own application-specific needs. This property is used " "to specify application-specific parameters needed by the " "refined StartService and StopService methods.") ] string StartupParameters [ ]; }; // ================================================================== // ProtocolEndpoint // ================================================================== [Description ( "A communication point from which data may be sent or " "received. ProtocolEndpoints link router interfaces and " "switch ports to LogicalNetworks.") ] class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint { [Override ("Name"), MaxLen(256), Description ( "A string which identifies this ProtocolEndpoint with either " "a port or an interface on a device. To ensure uniqueness, " "the Name property should be prepended or appended with " "information from the Type or OtherTypeDescription " "properties. The method chosen is described in the " "NameFormat property of this class.") ] string Name; [MaxLen (256), Description ( "NameFormat contains the naming heuristic that is chosen to " "ensure that the value of the Name property is unique. For " "example, one might choose to prepend the name of the port " "or interface with the Type of ProtocolEndpoint that this " "instance is (e.g., IPv4)followed by an underscore.") ] string NameFormat; [MaxLen (64), Description ( "ProtocolType is an enumeration that provides additional " "information that can be used to help categorize and " "classify different instances of this class."), ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21"}, Values { "Unknown", "Other", "IPv4", "IPv6", "IPX", "AppleTalk", "DECnet", "SNA", "CONP", "CLNP", "VINES", "XNS", "ATM", "Frame Relay", "Ethernet", "TokenRing", "FDDI", "Infiniband", "Fibre Channel", "ISDN BRI Endpoint", "ISDN B Channel Endpoint", "ISDN D Channel Endpoint" }, ModelCorrespondence { "CIM_ProtocolEndpoint.OtherTypeDescription"} ] string ProtocolType; [MaxLen(64), Description ( "A string describing the type of ProtocolEndpoint that this " "instance is when the Type property of this class (or any of " "its subclasses) is set to 1Specification", draft-ietf-policy- core-infor-model-06.txt, May 2000. Internet-Draft work(e.g., 'Other'). The format of " "the string inserted inprogress. [DOI] Piper, D.,this property should be similar in " "format to the values defined for the Type property. This " "property should be set to NULL when the Type property is " "any value other than 1."), ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} ] string OtherTypeDescription; }; // ================================================================== // IPProtocolEndpoint // ================================================================== [Description ( "A ProtocolEndpoint that is dedicated to running IP.") ] class CIM_IPProtocolEndpoint : CIM_ProtocolEndpoint { [Description ( "The IP address that this ProtocolEndpoint represents, " "formatted according to the appropriate convention as " "defined in the AddressType property of this class " " (e.g., 171.79.6.40).") ] string Address; [Description ( "TheInternetmask for the IPSecurity Domainaddress ofInterpretationthis ProtocolEndpoint, " "formatted according to the appropriate convention as " "defined in the AddressType property of this class " " (e.g., 255.255.252.0).") ] string SubnetMask; [Description ( "An enumeration that describes the format of the address " "property. Whenever possible, IPv4-compatible addresses " "should be used instead of native IPv6 addresses (see " "RFC 2373, section 2.5.4). In order to have a consistent " "format forISAKMP", RFC 2407, November 1998. [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997. [COPS] Boyle, J.,IPv4 addresses in a mixed IPv4/v6 environment, " "all IPv4 addresses andR. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry, "The COPS (Common Open Policy Service) Protocol",both IPv4-compatible IPv6 addresses " "and IPv4-mapped IPv6 addresses, per RFC2748, January 2000. Internet-Draft work2373, section " "2.5.4, should be formatted inprogress. [COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for Policy Provisioning", draft-ietf-rap-pr-02.txt, March 2000. Internet-Draft workstandard IPv4 format. " "However, this (the 2.2) version of the Network Common " "Model will not explicitly support mixed IPv4/IPv6 " "environments. This will be added inprogress. [SPSL] Condell, M.,a future release."), ValueMap { "0", "1", "2" }, Values { "Unknown", "IPv4", "IPv6" } ] uint16 AddressType; [Description ( "It is not possible to tell from the address alone if a " "given IPProtocolEndpoint can support IPv4 andC. Lynn, J. Zao, "Security Policy Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000. Internet-Draft work in progress. [KEYWORDS] Bradner, S., "Key wordsIPv6, or " "just one of these. This property explicitly defines the " "support forusedifferent versions of IP that this " "IPProtocolEndpoint has. " "\n\n" "More implementation experience is needed inRFCsorder toIndicate Requirement Levels", BCP 14, RFC 2119, March 1997. 12. Disclaimer The views" "correctly model mixed IPv4/IPv6 networks; therefore, this " "version (2.2) of the Network Common Model will not support " "mixed IPv4/IPv6 environments. This will be looked at " "further in a future version."), ValueMap { "0", "1", "2" }, Values { "Unknown", "IPv4 Only", "IPv6 Only" } ] uint16 IPVersionSupport; }; // =================================================================== // CIM_FilterEntryBase // =================================================================== [Description ( " FilterEntryBase is an abstract class to define the naming " "of all filter entries, andspecification hereinto allow their common " "aggregation into FilterLists. The FilterEntry subclass " "represents packet filtering. Other types of Entries are " "possible - for example, to filter security credentials. \n" " FilterEntryBase is weak to the network device (e.g., the " "ComputerSystem) that contains it. Hence, the ComputerSystem " "keys arethosepropagated to this class.") ] class CIM_FilterEntryBase : CIM_LogicalElement { [Propagated ("CIM_ComputerSystem.CreationClassName"), Key, MaxLen (256), Description ( "The scoping ComputerSystem's CreationClassName. ") ] string SystemCreationClassName; [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256), Description ( "The scoping ComputerSystem's Name.") ] string SystemName; [Key, MaxLen (256), Description ( "CreationClassName indicates the name of theauthorsclass or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class andare not necessarily thoseits subclasses to " "be uniquely identified.") ] string CreationClassName; [Key, MaxLen (256), Description ( "The Name property defines the label by which the Filter" "Entry is known and uniquely identified.") ] string Name; [Description ( "Boolean indicating that the match condition described " "in the properties oftheir employer. The authorsthe FilterEntryBase subclass " "should be negated.") ] boolean IsNegated; }; // ================================================================== // FilterEntry // ================================================================== [Description ( "A FilterEntry is used by network devices to identify " "traffic and either forward them (with possibly further " "processing) to theiremployer specifically disclaim responsibility for any problems arising from correct or incorrect implementationdestination, oruseto deny their " "forwarding. They are the building block of FilterLists." "\n\n" "This class is oriented towards packet filtering. Other " "subclasses of FilterEntryBase can be defined to do other " "types of filtering. " "\n\n" "A FilterEntry is weak to the network device (e.g., the " "ComputerSystem) that contains it. Hence, the ComputerSystem " "keys are propagated to thisspecification. 13. Author'sclass.") ] class CIM_FilterEntry : CIM_FilterEntryBase { [Description ( "This defines the type of traffic that is being filtered. " "This will affect the filtering rules in the MatchCondition " "property of this class."), ValueMap { "0", "1", "2", "3" }, Values { "Unknown", "IPv4", "IPX", "IPv6" } ] uint16 TrafficType; [Description ( "This specifies one of a set of ways to identify traffic. " "if the value is 1 (e.g., 'Other'), then the specific " "type of filtering is specified in the " "OtherMatchConditionType property of this class."), ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12" }, Values {"Other", "Source AddressJamie Jason Intel Corporation MS JF3-206 2111 NE 25th Ave. Hillsboro, OR 97124 Phone: +1-503-264-9531 Fax: +1-503-264-9428 E-Mail: jamie.jason@intel.com 14. Full Copyright Statement Copyright (C) The Internet Society (1999). All Rights Reserved. This documentandtranslationsMask", "Destination Address and Mask", "Source Port", "Source Port Range", "Destination Port", "Destination Port Range", "Protocol Type", "Protocol Type and Option", "DSCP", "ToS Value", "802.1P Priority Value" }, ModelCorrespondence { "CIM_FilterEntry.OtherMatchConditionType" } ] uint16 MatchConditionType; [Description ( "If the value of the MatchConditionType property in this " "class is 1 (e.g., 'Other'), then the specific type of " "filtering is specified in this property."), ModelCorrespondence { "CIM_FilterEntry.MatchConditionType" } ] string OtherMatchConditionType; [Description ( "This is the value of the condition that filters the " "traffic. It corresponds to the condition specified in the " "MatchConditionType property. If, however, the value of the " "MatchConditionProperty is 1, then itmaybe copied and furnishedcorresponds toothers, and derivative works that comment on or otherwise explain itthe " "condition specified in the OtherMatchConditionType " "property.") ] string MatchConditionValue; [Description ( "This defines whether the action should be to forward orassist" "deny traffic meeting the match condition specified in " "this filter."), ValueMap { "1", "2" }, Values { "Permit", "Deny" } ] uint16 Action; [Description ( "This defines whether this FilterEntry is the default " "entry to use by itsimplementation mayFilterList.") ] boolean DefaultFilter; [Description ( "This defines the traffic class that is being matched by " "this FilterEntry. Note that FilterEntries are aggregated " "into FilterLists by the EntriesInFilterList " "relationship. If the EntrySequence property of the " "aggregation is set to 0, this means that all the Filter" "Entries should beprepared, copied, published and distributed, in wholeANDed together. Consequently, the " "TrafficClass property of each of the aggregated Entries " "should be set to the same value."), ModelCorrespondence { "CIM_NextService.TrafficClass" } ] string TrafficClass; }; // ================================================================== // FilterList // ================================================================== [Description ( "A FilterList is used by network devices to identify routes " "by aggregating a set of FilterEntries into a unit, called a " "FilterList. FilterLists can also be used to accept orin part, without restrictiondeny " "routing updates." "\n\n" "A FilterList is weak to the network device (e.g., the " "ComputerSystem) that contains it. Hence, the ComputerSystem " "keys are propagated to this class.") ] class CIM_FilterList : CIM_LogicalElement { [Propagated ("CIM_ComputerSystem.CreationClassName"), Key, MaxLen (256), Description ( "The scoping ComputerSystem's CreationClassName. ") ] string SystemCreationClassName; [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256), Description ("The scoping ComputerSystem's Name.") ] string SystemName; [Key, Description ( "The type ofany kind, providedclass that this instance is.") ] string CreationClassName; [Key, MaxLen(256), Description ( "This is theabove copyright noticename of the FilterList.") ] string Name; [Description ( "This defines whether the FilterList is used " "for input, output, or both input andthis paragraphoutput " "filtering. All values areincludedused with respect to " "the interface for which the FilterList applies. " "\n\n" "\"Not Applicable\" (0) is used when there is no " "direction applicable to the FilterList.\n" "\"Input\" (1) is used when the FilterList applies " "to packets that are inbound onall such copies and derivative works. However, this document itself may not be modified in any way, such as by removingthecopyright noticerelated " "interface.\n" "\"Output\" (2) is used when the FilterList applies " "to packets that are outbound on the related " "interface.\n" "\"Both\" (3) is used to indicate that " "the direction is immaterial, e.g., to filter on " "a source subnet regardless of whether the flow is " "inbound orreferencesoutbound.\n" "\"Mirrored\" (4) is also applicable to " "both inbound and outbound flow processing, but " "indicates that theInternet Society or other Internet organizations, except as needed forfilter criteria are applied " "asymmetrically to traffic in both directions " "and, thus, specifies thepurposereversal ofdeveloping Internet standards in which casesource and " "destination criteria (as opposed to theprocedures for copyrights definedequality " "of these criteria as indicated by \"Both\"). " "The match conditions in theInternet Standards process must be followed, or as required to translate it into languages other then English. The limited permissions granted aboveaggregated " "FilterEntryBase subclass instances areperpetualdefined " "from the perspective of outbound flows andwill not be revokedapplied " "to inbound flows as well by reversing theInternet Society or its successors or assigns. This documentsource " "and destination criteria. So, for example, " "consider a FilterList with 3 FilterEntries " "indicating destination port = 80, and source and " "destination addresses of a and b, respectively. " "Then, for the outbound direction, the filter " "entries match as specified and theinformation contained herein is provided'mirror' (for " "the inbound direction) matches onan "AS IS" basissource " "port = 80 andTHE INTERNET SOCIETY AND THEINTERNET ENGINEERING TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF MERCHANTABILITY OR FITNESS FORsource and destination addresses " "of b and a, respectively."), Values {"Not Applicable", "Input", "Output", "Both", "Mirrored" } ] uint16 Direction; }; // ================================================================== // === Association class definitions === // ================================================================== // ================================================================== // EntriesInFilterList // ================================================================== [Association, Aggregation, Description ( "This is a specialization of the CIM_Component aggregation " "which is used to define a set of filter entries (subclasses " "of FilterEntryBase) that are aggregated by a particular " "FilterList.") ] class CIM_EntriesInFilterList : CIM_Component { [Aggregate, Max(1), Override ("GroupComponent"), Description ( "The FilterList, which aggregates the set " "of FilterEntries.") ] CIM_FilterList REF GroupComponent; [Override ("PartComponent"), Description ( "Any subclass of FilterEntryBase which is a part of " "the FilterList.") ] CIM_FilterEntryBase REF PartComponent; [Description ( "The order of the Entry relative to all others in the " "FilterList. APARTICULAR PURPOSE.value of zero indicates that all the Entries " "should be ANDed together. Use of the Sequence property " "should be consistent across the List. It is not valid to " "define some Entries as ANDed in the FilterList (Sequence" "=0) while other Entries have a non-zero Sequence number.") ] uint16 EntrySequence; };