Internet Engineering Task Force                          Jamie Jason
   INTERNET DRAFT                                     Intel Corporation
   11-July-2000
   1-March-2001                                             Lee Rafalow
                                                                    IBM
                                                            Eric Vyncke
                                                          Cisco Systems

                     IPsec Configuration Policy Model
                draft-ietf-ipsp-config-policy-model-01.txt
                draft-ietf-ipsp-config-policy-model-02.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
         http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
         http://www.ietf.org/shadow.html.

Abstract

   This document presents an object-oriented model of IPsec policy
   designed to:
   o    facilitate agreement about the content and semantics of IPsec
        policy
   o    enable derivations of task-specific representations of IPsec
        policy such as storage schema, distribution representations,
        and policy specification languages used to configure IPsec-
        enabled endpoints
   The schema described in this document models the IKE phase one
   parameters as described in [IKE] and the IKE phase two parameters
   for the IPsec Domain of Interpretation as described in [COMP, ESP,
   AH, DOI].  It is based upon the core policy classes as defined in
   the Policy Core Information Model (PCIM) [PCIM].

Table of Contents

   Status of this Memo................................................1
   Abstract...........................................................1
   Table of Contents..................................................2
   1. Introduction....................................................5 Introduction....................................................7
   2. UML Conventions.................................................5 Conventions.................................................7
   3. IPsec Policy Model Inheritance Heirarchy........................6 Hierarchy........................8
   4. Policy Classes..................................................9 Classes.................................................13
   4.1. The Class IPsecPolicyGroup....................................9
   4.1.1. The Property IKERuleOverridePoint..........................10
   4.1.2. The Property IPsecRuleOverridePoint........................10 IPsecPolicyGroup...................................14
   4.2. The Class SARule.............................................11 SARule.............................................14
   4.2.1. The Property LimitNegotiation..............................14
   4.3. The Class IKERule............................................11 IKERule............................................15
   4.3.1. The Property IdentityContexts..............................15
   4.4. The Class IPsecRule..........................................11 IPsecRule..........................................16
   4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup..........12 IPsecPolicyGroupInPolicyGroup..........16
   4.5.1. The Reference ContainingGroup..............................12 GroupComponent...............................17
   4.5.2. The Reference ContainedGroup...............................12 PartComponent................................17
   4.5.3. The Property Precedence....................................12 GroupPriority.................................17
   4.6. The Composition Association Class RuleForIKENegotiation..................12 IPsecPolicyForEndpoint.................17
   4.6.1. The Reference ContainingGroup..............................13 Antecedent...................................18
   4.6.2. The Reference ContainedRule................................13 Dependent....................................18
   4.7. The Composition Association Class RuleForIPsecNegotiation................13 IPsecPolicyForSystem...................18
   4.7.1. The Reference ContainingGroup..............................13 Antecedent...................................18
   4.7.2. The Reference ContainedRule................................13 Dependent....................................18
   4.8. The Aggregation Class SAConditionInRule......................14 RuleForIKENegotiation..................19
   4.8.1. The Reference ContainingRule...............................14 GroupComponent...............................19
   4.8.2. The Reference ContainedCondition...........................14
   4.8.3. The Property SequenceNumber................................14 PartComponent................................19
   4.9. The Aggregation Class SAActionInRule.........................14 RuleForIPsecNegotiation................19
   4.9.1. The Reference ContainingRule...............................15 GroupComponent...............................19
   4.9.2. The Reference ContainedAction..............................15 PartComponent................................20
   4.10. The Aggregation Class FallbackSAActionInRule................15 SAConditionInRule.....................20
   4.10.1. The Reference ContainingRule..............................15 GroupComponent..............................20
   4.10.2. The Reference ContainedAction.............................15
   4.10.3. PartComponent...............................20
   4.11. The Aggregation Class SAActionInRule........................20
   4.11.1. The Reference GroupComponent..............................21
   4.11.2. The Reference PartComponent...............................21
   4.11.3. The Property SequenceNumber...............................16 ActionOrder..................................21
   5. Condition and Filter Classes...................................17 Classes...................................22
   5.1. The Class SACondition........................................18
   5.1.1. The Property StartupCondition..............................18 SACondition........................................22
   5.2. The Class FilterList.........................................18
   5.2.1. The Property Name..........................................19
   5.2.2. The Property Direction.....................................19 FilterEntry........................................23
   5.3. The Abstract Class FilterEntryBase...........................19 CredentialFilterEntry..............................23
   5.3.1. The Property Name..........................................19 MatchFieldName................................24
   5.3.2. The Property IsNegated.....................................19 MatchFieldValue...............................24
   5.3.3. The Property CredentialType................................24
   5.4. The Abstract Class IPFilterEntry.............................20 IPSOFilterEntry....................................24
   5.4.1. The Property MatchConditionType............................25
   5.4.2. The Property MatchConditionValue...........................25
   5.5. The Abstract Class EndpointFilterEntry.......................20 PeerIDPayloadFilterEntry...........................25
   5.5.1. The Property ApplyToDestination............................20 MatchIdentityType.............................26
   5.5.2. The Property MatchIdentityValue............................26
   5.6. The Association Class IPv4AddressFilterEntry.............................20 FilterOfSACondition....................27
   5.6.1. The Property Address.......................................21 Reference Antecedent...................................27
   5.6.2. The Reference Dependent....................................27
   5.7. The Association Class IPv4RangeFilterEntry...............................21 AcceptCredentialFrom...................27
   5.7.1. The Property StartAddress..................................21 Reference Antecedent...................................28
   5.7.2. The Property EndAddress....................................21
   5.8. Reference Dependent....................................28
   6. Action Classes.................................................29
   6.1. The Class IPv4SubnetFilterEntry..............................21
   5.8.1. SAAction...........................................30
   6.1.1. The Property Address.......................................22
   5.8.2. DoActionLogging...............................30
   6.1.2. The Property Mask..........................................22
   5.9. DoPacketLogging...............................30
   6.2. The Class IPv6AddressFilterEntry.............................22
   5.9.1. SAStaticAction.....................................31
   6.2.1. The Property Address.......................................22
   5.10. LifetimeSeconds...............................31
   6.3. The Class IPv6RangeFilterEntry..............................22
   5.10.1. The Property StartAddress.................................23
   5.10.2. IPsecBypassAction..................................31
   6.4. The Property EndAddress...................................23
   5.11. Class IPsecDiscardAction.................................31
   6.5. The Class IPv6SubnetFilterEntry.............................23
   5.11.1. IKERejectAction....................................32
   6.6. The Property Address......................................23
   5.11.2. Class PreconfiguredSAAction..............................32
   6.6.1. The Property Mask.........................................24
   5.12. LifetimeKilobytes.............................33
   6.7. The Class FQDNFilterEntry...................................24
   5.12.1. The Property Name.........................................24
   5.13. PreconfiguredTransportAction.......................33
   6.8. The Class ProtocolFilterEntry...............................24
   5.13.1. PreconfiguredTunnelAction..........................33
   6.8.1. The Property Protocol.....................................24
   5.14. The Class UDPFilterEntry....................................25
   5.14.1. PeerGatewayAddressType........................33
   6.8.2. The Property StartPort....................................25
   5.14.2. PeerGatewayAddress............................34
   6.8.3. The Property EndPort......................................25
   5.15. DFHandling....................................34
   6.9. The Class TCPFilterEntry....................................25
   5.15.1. SANegotiationAction................................34
   6.9.1. The Property StartPort....................................26
   5.15.2. MinLifetimeSeconds............................35
   6.9.2. The Property EndPort......................................26
   5.16. The Abstract Class IPSOFilterEntry..........................26
   5.17. The Class ClassificationLevelFilterEntry....................26
   5.17.1. MinLifetimeKilobytes..........................35
   6.9.3. The Property Level........................................26
   5.18. The Class ProtectionAuthorityFilterEntry....................27
   5.18.1. RefreshThresholdSeconds.......................35
   6.9.4. The Property Authority....................................27
   5.19. The Class CredentialFilterEntry.............................27
   5.20. The Aggregation Class FilterOfSACondition...................27
   5.20.1. RefreshThresholdKilobytes.....................36
   6.9.5. The Reference Antecedent..................................28
   5.20.2. The Reference Dependent...................................28
   5.21. Property IdleDurationSeconds...........................36
   6.10. The Composition Class EntriesInFilterList...................28
   5.21.1. The Reference Antecedent..................................28
   5.21.2. The Reference Dependent...................................28
   5.21.3. IPsecAction.......................................36
   6.10.1. The Property EntrySequence................................29
   6. Action Classes.................................................30
   6.1. UsePFS.......................................37
   6.10.2. The Class SAAction...........................................30
   6.2. Property UseIKEGroup..................................37
   6.10.3. The Class SAStaticAction.....................................30
   6.2.1. Property GroupId......................................37
   6.10.4. The Property LifetimeSeconds...............................31
   6.3. Granularity..................................38
   6.10.5. The Class IPsecBypassAction..................................31
   6.4. Property VendorID.....................................38
   6.11. The Class IPsecDiscardAction.................................31
   6.4.1. The Property DoLogging.....................................32
   6.5. IPsecTransportAction..............................38
   6.12. The Class IKERejectAction....................................32
   6.5.1. IPsecTunnelAction.................................38
   6.12.1. The Property DoLogging.....................................32
   6.6. DFHandling...................................39
   6.13. The Class SAPreconfiguredAction..............................32
   6.7. The Class SANegotiationAction................................33
   6.7.1. IKEAction.........................................39
   6.13.1. The Property MinLifetimeSeconds............................33
   6.7.2. RefreshThresholdDerivedKeys..................39
   6.13.2. The Property MinLifetimeKilobytes..........................33
   6.7.3. ExchangeMode.................................40
   6.13.3. The Property RefreshThresholdSeconds.......................34
   6.7.4. UseIKEIdentityType...........................40
   6.13.4. The Property RefreshThresholdKilobytes.....................34
   6.7.5. VendorID.....................................40
   6.13.5. The Property IdleDurationSeconds...........................34
   6.8. AggressiveModeGroupId........................41
   6.14. The Class IPsecAction........................................35
   6.8.1. The Property UsePFS........................................35
   6.8.2. PeerGateway.......................................41
   6.14.1. The Property UseIKEGroup...................................35
   6.8.3. Name.........................................41
   6.14.2. The Property GroupId.......................................35
   6.8.4. PeerIdentityType.............................41
   6.14.3. The Property Granularity...................................36
   6.9. PeerIdentity.................................42
   6.15. The Association Class IPsecTransportAction...............................36
   6.10. PeerGatewayForTunnel..................42
   6.15.1. The Class IPsecTunnelAction.................................36
   6.10.1. Reference Antecedent..................................42
   6.15.2. The Property PeerGateway..................................37
   6.10.2. Reference Dependent...................................43
   6.15.3. The Property DFHandling...................................37
   6.11. SequenceNumber...............................43
   6.16. The Aggregation Class IKEAction.........................................37
   6.11.1. ContainedProposal.....................43
   6.16.1. The Property RefreshThresholdDerivedKeys..................37
   6.11.2. Reference GroupComponent..............................43
   6.16.2. The Property ExchangeMode.................................38
   6.11.3. Reference PartComponent...............................44
   6.16.3. The Property UseIKEIdentityType...........................38
   6.12. SequenceNumber...............................44
   6.17. The Aggregation Association Class ContainedProposal.....................38
   6.12.1. HostedPeerGatewayInformation..........44
   6.17.1. The Reference Antecedent..................................44
   6.17.2. The Reference Dependent...................................44
   6.18. The Association Class TransformOfPreconfiguredAction........44
   6.18.1. The Reference GroupComponent..............................39
   6.12.2. Antecedent..................................45
   6.18.2. The Reference PartComponent...............................39
   6.12.3. Dependent...................................45
   6.18.3. The Property SequenceNumber...............................39 SPI..........................................45
   7. Proposal and Transform Classes.................................40 Classes.................................46
   7.1. The Abstract Class SAProposal................................40 SAProposal................................46
   7.1.1. The Property Name..........................................40
   7.1.2. The Property MaxLifetimeSeconds............................41
   7.1.3. The Property MaxLifetimeKilobytes..........................41 Name..........................................46
   7.2. The Class IKEProposal........................................41 IKEProposal........................................47
   7.2.1. The Property LifetimeDerivedKeys...........................41 LifetimeDerivedKeys...........................47
   7.2.2. The Property CipherAlgorithm...............................42 CipherAlgorithm...............................47
   7.2.3. The Property HashAlgorithm.................................42 HashAlgorithm.................................48
   7.2.4. The Property PRFAlgorithm..................................42 PRFAlgorithm..................................48
   7.2.5. The Property GroupId.......................................43 GroupId.......................................48
   7.2.6. The Property AuthenticationMethod..........................43 AuthenticationMethod..........................48
   7.2.7. The Property MaxLifetimeSeconds............................49
   7.2.8. The Property MaxLifetimeKilobytes..........................49
   7.2.9. The Property VendorID......................................49
   7.3. The Class IPsecProposal......................................43 IPsecProposal......................................49
   7.4. The Abstract Class SATransform...............................44 SATransform...............................50
   7.4.1. The Property Name..........................................44
   7.4.1. TransformName.................................50
   7.4.2. The Property VendorID......................................50
   7.4.3. The Property MaxLifetimeSeconds............................50
   7.4.4. The Property VendorID......................................44 MaxLifetimeKilobytes..........................51
   7.5. The Class AHTransform........................................44 AHTransform........................................51
   7.5.1. The Property AHTransformId.................................44 AHTransformId.................................51
   7.5.2. The Property UseReplayPrevention...........................51
   7.5.3. The Property ReplayPreventionWindowSize....................52
   7.6. The Class ESPTransform.......................................45 ESPTransform.......................................52
   7.6.1. The Property IntegrityTransformId..........................45 IntegrityTransformId..........................52
   7.6.2. The Property CipherTransformId.............................45 CipherTransformId.............................52
   7.6.3. The Property CipherKeyLength...............................46 CipherKeyLength...............................53
   7.6.4. The Property CipherKeyRounds...............................46 CipherKeyRounds...............................53
   7.6.5. The Property UseReplayPrevention...........................53
   7.6.6. The Property ReplayPreventionWindowSize....................53
   7.7. The Class IPCOMPTransform....................................46 IPCOMPTransform....................................54
   7.7.1. The Property Algorithm.....................................46 Algorithm.....................................54
   7.7.2. The Property DictionarySize................................47 DictionarySize................................54
   7.7.3. The Property PrivateAlgorithm..............................47 PrivateAlgorithm..............................54
   7.8. The Aggregation Association Class ContainedTransform.....................47 SAProposalInSystem.....................54
   7.8.1. The Reference GroupComponent...............................48 Antecedent...................................55
   7.8.2. The Reference PartComponent................................48
   7.8.3. Dependent....................................55
   7.9. The Aggregation Class ContainedTransform.....................55
   7.9.1. The Reference GroupComponent...............................55
   7.9.2. The Reference PartComponent................................56
   7.9.3. The Property SequenceNumber................................48 SequenceNumber................................56
   7.10. The Association Class SATransformInSystem...................56
   7.10.1. The Reference Antecedent..................................56
   7.10.2. The Reference Dependent...................................56
   8. Security Considerations........................................48
   9. Intellectual Property..........................................48
   10. Acknowledgments...............................................49
   11. References....................................................49
   12. Disclaimer....................................................50
   13. Author's Address..............................................50
   14. Full Copyright Statement......................................50

1. Introduction

   Internet Protocol security (IPsec) policy may assume a variety of
   forms as it travels from storage to distribution point to decision
   point.  At each step, it needs to be represented in a way that is
   convenient for the current task.  For example, the policy could
   exist as, but is not limited to:

   o   a Lightweight IKE Service and Identity Classes...............................58
   8.1. The Class IKEService.........................................59
   8.2. The Class PeerIdentityTable..................................59
   8.3.1. The Property Name..........................................59
   8.3. The Class PeerIdentityEntry..................................60
   8.3.1. The Property PeerIdentity..................................60
   8.3.2. The Property PeerIdentityType..............................60
   8.3.3. The Property PeerAddress...................................60
   8.3.4. The Property PeerAddressType...............................60
   8.4. The Class AutostartIKEConfiguration..........................61
   8.5. The Class AutostartIKESetting................................61
   8.5.1. The Property Phase1Only....................................61
   8.5.2. The Property AddressType...................................62
   8.5.3. The Property SourceAddress.................................62
   8.5.4. The Property SourcePort....................................62
   8.5.5. The Property DestinationAddress............................62
   8.5.6. The Property DestinationPort...............................63
   8.5.7. The Property Protocol......................................63
   8.6. The Class IKEIdentity........................................63
   8.6.1. The Property IdentityType..................................64
   8.6.2. The Property IdentityValue.................................64
   8.6.3. The Property IdentityContexts..............................64
   8.7. The Association Class HostedPeerIdentityTable................65
   8.7.1. The Reference Antecedent...................................65
   8.7.2. The Reference Dependent....................................65
   8.8. The Aggregation Class PeerIdentityMember.....................65
   8.8.1. The Reference Collection...................................65
   8.8.2. The Reference Member.......................................66
   8.9. The Association Class IKEServicePeerGateway..................66
   8.9.1. The Reference Antecedent...................................66
   8.9.2. The Reference Dependent....................................66
   8.10. The Association Class IKEServicePeerIdentityTable...........66
   8.10.1. The Reference Antecedent..................................67
   8.10.2. The Reference Dependent...................................67
   8.11. The Association Class IKEAutostartSetting...................67
   8.11.1. The Reference Element.....................................67
   8.11.2. The Reference Setting.....................................67
   8.12. The Aggregation Class AutostartIKESettingContext............67
   8.12.1. The Reference Context.....................................68
   8.12.2. The Reference Setting.....................................68
   8.12.3. The Property SequenceNumber...............................68
   8.13. The Association Class IKEServiceForEndpoint.................68
   8.13.1. The Reference Antecedent..................................69
   8.13.2. The Reference Dependent...................................69
   8.14. The Association Class IKEAutostartConfiguration.............69
   8.14.1. The Reference Antecedent..................................69
   8.14.2. The Reference Dependent...................................69
   8.14.3. The Property Active.......................................69
   8.15. The Association Class IKEUsesCredentialManagementService....70
   8.15.1. The Reference Antecedent..................................70
   8.15.2. The Reference Dependent...................................70
   8.16. The Association Class EndpointHasLocalIKEIdentity...........70
   8.16.1. The Reference Antecedent..................................71
   8.16.2. The Reference Dependent...................................71
   8.17. The Association Class CollectionHasLocalIKEIdentity.........71
   8.17.1. The Reference Antecedent..................................71
   8.17.2. The Reference Dependent...................................71
   8.18. The Association Class IKEIdentitysCredential................72
   8.18.1. The Reference Antecedent..................................72
   8.18.2. The Reference Dependent...................................72
   9. Security Considerations........................................72
   10. Intellectual Property.........................................72
   11. Acknowledgments...............................................73
   12. References....................................................73
   13. Disclaimer....................................................74
   14. Authors' Addresses............................................74
   15. Full Copyright Statement......................................74
   Appendix A (DMTF Core Model MOF)..................................75
   Appendix B (DMTF User Model MOF)..................................90
   Appendix C (DMTF Network Model MOF)..............................105

1. Introduction

   Internet Protocol security (IPsec) policy may assume a variety of
   forms as it travels from storage to distribution point to decision
   point.  At each step, it needs to be represented in a way that is
   convenient for the current task.  For example, the policy could
   exist as, but is not limited to:

   o   a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
       a directory
   o   an on-the-wire representation over a transport protocol like the
       Common Object Policy Service (COPS) [COPS, COPSPR]
   o   a text-based policy specification language [SPSL] suitable for
       editing by an administrator
   o   an Extensible Markup Language (XML) document

   Each of these task-specific representations should be derived from a
   canonical representation that precisely specifies the content and
   semantics of the IPsec policy.  The purpose of this document is to
   abstract IPsec policy into a task-independent representation that is
   not constrained by any particular task-dependent representation.

   This document is organized as follows:

   o   Section 2 provides a quick introduction to the Unified Modeling
       Language (UML) graphical notation conventions used in this
       document.

   o   Section 3 provides the inheritance hierarchy which that describes
       where the IPsec policy classes fit into the policy class
       hierarchy already defined by PCIM. the Policy Core Information Model
       (PCIM).

   o   The remainder of the document describes the classes which that make up
       the IPsec policy model.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

   For this document, a UML static class diagram was chosen as the
   canonical representation for the IPsec policy model.  The reason
   behind this decision is that UML provides a graphical, task-
   independent way to model systems.  A treatise on the graphical
   notation used in UML is beyond the scope of this paper.  However,
   given the use of ASCII drawing for UML static class diagrams, a
   description of the notational conventions used in this document is
   in order:

   o   Boxes represent classes, with class names in brackets ([])
       representing a virtual an abstract class.

   o   A line that terminates with an arrow (<, >, ^, v) denotes
       inheritance.  The arrow always points to the parent class.
       Inheritance can also be called generalization or specialization
       (depending upon the reference point).  A base class is a
       generalization of a derived class, and a derived class is a
       specialization of a base class.
   o   Associations are used to model a relationship between two
       classes.  Classes that share an association are connected using
       a line.
       There are two  A special kinds kind of associations - aggregations and
       compositions.  Both model association is also used:  an
       aggregation.  An aggregation models a whole-part relationship
       between two classes.  Associations, and therefore aggregations and
       compositions, aggregations,
       can also be modeled as classes.
   o   A line that begins with a an "o" denotes aggregation.  Aggregation
       denotes containment in which the contained class and the
       containing class have independent lifetimes.
   o   A line that begins with an "x" denotes composition.  Composition
       denotes containment in which the contained class and the
       contianing class have coincident lifetimes.
   o   Next to a line representing an association appears a
       multiplicity.  Multiplicities
       cardinality.  Cardinalities indicate the constraints on the
       number of objects object instances in a set of relationships.  Every
       association instance has a single set of references.  The
       cardinality indicates the relationship. number of instances that may refer to
       a given object instance.  The multiplicity cardinality may be:
       - a range in the form "lower bound..upper bound" indicating the
       minimum and maximum number of objects.
       - a number that indicates the exact number of objects.
       - an asterisk indicating any number of objects, including zero.
       Using an asterisk is shorthand for 0..n.
       - the letter n indicating from 1 to many.  Using the letter n is
       shorthand for 1..n.
   o   A class that has an association may have a "w" next to the line
       representing the association.  This is called a weak association
       and is discussed in [PCIM].

   It should be noted that the UML static class diagram presented is a
   conceptual view of IPsec policy designed to aid in understanding.
   It does not necessarily get translated class for class into another
   representation.  For example, an LDAP implementation may flatten out
   the representation to fewer classes (because of the inefficiency of
   following references).

3. IPsec Policy Model Inheritance Heirarchy Hierarchy

   Like PCIM from which it is derived, the IPsec Configuration Policy
   Model derives from and uses classes defined in the DMTF Common
   Information Model (CIM).  The following diagram tree represents the
   inheritance hierarchy and how for the IPsec policy model classes and how
   they fit into PCIM.

   [unrooted] PCIM and the other DMTF models (see Appendices for
   descriptions of classes that are not being introduced as part of
   IPsec model).  CIM classes that are not used as a superclass from
   which to derive new classes but are only referenced are not included
   this inheritance hierarchy, but are included in the appropriate
   appendix.

   ManagedElement (DMTF Core Model - Appendix A)
   |
   +--Policy (PCIM)
   +--Collection (DMTF Core Model - Appendix A)
   |  |
   |  +--PolicyGroup (PCIM)  +--PeerIdentityTable
   |
   +--ManagedSystemElement (DMTF Core Model - Appendix A)
   |  |
   |  +--LogicalElement (DMTF Core Model - Appendix A)
   |     |  +--IPsecPolicyGroup (new class)
   |     +--FilterEntryBase (DMTF Network Model - Appendix C)
   |     |  +--PolicyRule (PCIM)  |
   |     |  +--CredentialFilterEntry
   |     |  +--SARule (new abstract class)  |
   |     |  +--IPSOFilterEntry
   |     |     +--IKERule (new class)  |
   |     |  +--PeerIDPayloadFilterEntry
   |     |     +--IPsecRule (new class)
   |     +--PeerGateway
   |     |  +--PolicyCondition (PCIM)
   |     +--PeerIdentityEntry
   |     |
   |     +--Service (DMTF Core Model - Appendix A)
   |  +--SACondition (new class)        |
   |        +--NetworkService (DMTF Network Model - Appendix C)
   |  +--PolicyAction (PCIM)           |
   |           +--IKEService
   |     +--SAAction (new abstract class)
   +--OrganizationalEntity (DMTF User Model - Appendix B)
   |  |
   |        +--SAStaticAction (new abstract class)  +--UserEntity (DMTF User Model - Appendix B)
   |     |
   |     +--UsersAccess (DMTF User Model - Appendix B)
   |        |  +--IPsecBypassAction (new class)
   |        +--IKEIdentity
   |
   +--Policy (PCIM)
   |  |
   |  +--IPsecDiscardAction (new class)  +--PolicyAction (PCIM)
   |  |  |
   |  |  +--IKERejectAction (new class)  +--SAAction
   |  |     |
   |  |  +--SAPreconfiguredAction (new class)     +--SANegotiationAction
   |  |     |        +--SANegotiationAction (new abstract class)  |
   |  |           +--IPsecAction (new abstract class)     |  +--IKEAction
   |  |     |  |  +--IPsecTransportAction (new class)
   |  |     |  +--IPsecAction
   |  |  +--IPsecTunnelAction (new class)     |     |
   |           +--IKEAction (new abstract class)  |
   +--FilterList     |
   +--FilterEntryBase     +--IPsecTransportAction
   |  |     |  +--IPFilterEntry (new abstract class)     |
   |  |     |     +--IPsecTunnelAction
   |  +--EndpointFilterEntry (new abstract class)  |     |
   |  |     +--SAStaticAction
   |  |        |  +--IPv4AddressFilterEntry (new class)
   |  |        +--IKERejectAction
   |  |        |
   |  |  +--IPv4RangeFilterEntry (new class)        +--IPsecBypassAction
   |  |        |
   |  |        +--IPsecDiscardAction
   |  |  +--IPv4SubnetFilterEntry (new class)        |
   |  |        +--PreconfiguredSAAction
   |  |           |
   |  +--IPv6AddressFilterEntry (new class)  |           +--PreconfiguredTransportAction
   |  |           |
   |  |           +--PreconfiguredTunnelAction
   |  +--IPv6RangeFilterEntry (new class)  |
   |  +--PolicyCondition (PCIM)
   |  |  |
   |  |  +--SACondition
   |  |  +--IPv6SubnetFilterEntry (new class)
   |  +--PolicyGroup (PCIM)
   |  |  |
   |  |  +--IPsecPolicyGroup
   |  +--FQDNFilterEntry (new class)  |
   |  +--PolicyRule (PCIM)
   |  |  |
   |  +--PortFilterEntry (new class)  |  +--SARule
   |  |     |
   |  +--ProtocolFilterEntry (new class)  |     +--IKERule
   |  |  +--IPSOFilterEntry (new class)     |
   |  |  +--CredentialFilterEntry (new class)     +--IPsecRule
   |  |
   |  +--SAProposal (new abstract class)
   |  |  |
   |  |  +--IKEProposal (new class)
   |  |  |
   |  |  +--IPsecProposal (new class)
   |  |
   |  +--SATransform (new abstract class)
   |
      +--AHTransform (new class)     |
   |     +--AHTransform
   |     |
   |     +--ESPTransform (new class)
   |     |
   |     +--IPCOMPTransform (new class)
   |
   +--Setting (DMTF Core Model - Appendix A)
   |  |
   |  +--SystemSetting (DMTF Core Model - Appendix A)
   |     |
   |     +--AutostartIKESetting
   |
   +--SystemConfiguration (DMTF Core Model - Appendix A)
      |
      +--AutostartIKEConfiguration
   The following diagram tree represents the inheritance hierarchy and how of the IPsec
   policy model association classes and how they fit into PCIM.

   [unrooted] PCIM and the
   other DMTF models (see Appendices for description of associations
   classes that are not being introduced as part of IPsec model).

   Dependency (DMTF Core Model - Appendix A)
   |
   +--PolicyGroupInPolicyGroup
   +--AcceptCredentialsFrom
   |
   +--ElementAsUser (DMTF User Model - Appendix B)
   |  |
   |  +--EndpointHasLocalIKEIdentity
   |  |
   |  +--CollectionHasLocalIKEIdentity
   |
   +--FilterOfSACondition
   |
   +--HostedPeerGatewayInformation
   |
   +--HostedPeerIdentityTable
   |
   +--IKEAutostartConfiguration
   |
   +--IKEServiceForEndpoint
   |
   +--IKEServicePeerGateway
   |
   +--IKEServicePeerIdentityTable
   |
   +--IKEUsesCredentialManagementService
   |
   +--IPsecPolicyForEndpoint
   |
   +--PeerGatewayForTunnel
   |
   +--PolicyInSystem (PCIM)
   |  |
   |  +--IPsecPolicyGroupInPolicyGroup (new class)  +--PolicyGroupInSystem (PCIM)
   |  |
   |  +--SAProposalInSystem
   |  |
   |  +--SATransformInSystem
   |
   +--IPsecPolicyForSystem
   |
   +--TransformOfPreconfiguredAction
   |
   +--UsersCredential (DMTF User Model - Appendix B)
      |
      +--IKEIdentitysCredential

   ElementSetting (DMTF Core Model - Appendix A)
   |
   +--IKEAutostartSetting

   MemberOfCollection (DMTF Core Model - Appendix A)
   |
   +--PeerIdentityMember

   PolicyComponent (PCIM)
   |
   +--ContainedProposal
   |
   +--ContainedTransform
   |
   +--PolicyActionInPolicyRule (PCIM)
   |  |
   |  +--SAActionInRule
   |
   +--PolicyConditionInPolicyRule (PCIM)
   |  |
   |  +--SAConditionInRule (new class)
   |
   +--FallbackSAActionInRule (new class)
   +--PolicyGroupInPolicyGroup (PCIM)
   |
   +--EntriesInFilterList (new class)  |
   +--ContainedProposal (new class)
   |
   +--IPsecContainedTransform (new class)  +--IPsecPolicyGroupInPolicyGroup
   |
   +--PolicyRuleInPolicyGroup
     |
     +--RuleForIKENegotiation
     |
     +--RuleForIPsecNegotiation

   SystemSettingContext (DMTF Core Model - Appendix A)
   |
   +--AutostartIKESettingContext

4. Policy Classes

   The IPsec policy classes represent the set of policies that are
   contained on a system.

                         +--------------------+
                         | IPProtocolEndpoint |
                         |    (Appendix C)    |
                         +--------------------+
                                   | *
                                   |
                        (a)        | (b)
                     +------+      |
                     |      |*     |   *+------------------+ 0..1
                     |   *+------------------+0..1 (c)  *+------------+
                     +---o| IPsecPolicyGroup |-----------|   System   |
                          +------------------+           |(Appendix A)|
                            1 x          x o          o 1
                (b)             +------------+
                (d)           |          |         (c)         (e)
      +-----------------------+          +---------------------+
      |                                                        |
      |               +---------------------------+            |
      |               | PolicyTimePeriodCondition |            |
      |               |    (defined in       (see [PCIM])        |            |
      |               +---------------------------+            |
      |                           *|                           |
      |                            | (d) (f)                       |
      |                           *o                           |
      |  +-------------+*  +-------------+n     *+--------+*      1+----------+      n+----------+  |
      |  | SACondition |------o| SARule |o-------| SAAction |  |
      |  +-------------+ (e) (g)   +--------+    (f)    (h) +----------+  |
      |                            ^                   |*                           |
      |                            |            +------+                           |
      |                   +--------+--------+                  |  (g)         |
      |                   |                 |  *o                  |
      |              *+---------+     +-----------+*           |
      +---------------| IKERule |     | IPsecRule |------------+
                      +---------+     +-----------+

   (a)  IPsecPolicyGroupInPolicyGroup
   (b)  RuleForIKENegotiation  IPsecPolicyForEndpoint
   (c)  RuleForIPsecNegotiation  IPsecPolicyForSystem
   (d)  RuleForIKENegotiation
   (e)  RuleForIPsecNegotiation
   (f)  PolicyRuleValidityPeriod (defined in (see [PCIM])
   (e)
   (g)  SAConditionInRule
   (f)
   (h)  SAActionInRule
   (g)  FallbackSAActionInRule

   An IPsecPolicyGroup represents the set of policies that are used on
   an interface.   This IPsecPolicyGroup SHOULD be associated either
   directly with the IPProtocolEndpoint class instance that represents
   the interface (via the IPsecPolicyForEndpoint association) or
   indirectly (via the IPsecPolicyForSystem association) associated
   with the System that hosts the interface.

4.1. The Class IPsecPolicyGroup

   The class IPsecPolicyGroup serves as a container of either other
   IPsecPolicyGroups or a set of IKERules and a set of IPsecRules.
   Rules contained within an IPsecPolicyGroup MUST have a unique
   Priority value.  The
   class definition for IPsecPolicyGroup is as follows:

   NAME         IPsecPolicyGroup
   DESCRIPTION  Either a set of IPsecPolicyGroups or a set of IKERules
                and a set of IPsecRules.
   DERIVED FROM PolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyGroupName (from PolicyGroup)
                IKERuleOverridePoint
                IPsecRuleOverridePoint

   NOTE:  for derivations of the schema that are used for policy
   distribution to an IPsec device (for example, COPS-PR), the server
   may follow all of IPsecPolicyGroupInPolicyGroup associations and
   create one policy group which is simply a set of all of the IKE
   rules and a set of all of the IPsec rules.  See the section on the
   IPsecPolicyGroupInPolicyGroup aggregation for information on merging
   multiple IPsecPolicyGroups.

4.1.1.

4.2. The Property IKERuleOverridePoint

   This property specifies the rule priority at which the policy author
   is willing to allow IKERule insertions by Class SARule

   The class SARule serves as a local administrator.
   For example, the IT department may define the policy on a company-
   wide basis, but allow groups or individuals to insert rules into the
   policy to override defaults.  Rules are ordered in decreasing order
   of their priority (i.e., higher priorities come first).  The
   override point specifies that if rules are inserted, they are to be
   inserted before all rules equal to or less than the override
   priority value.

   For example, assume that there is a group G1 with IKE rules as
   follows:

   G1 = { Rule A (priority 50),
          Rule B (priority 25),
          Rule C (priority 15) }

   The IKE override value for G1 is 20.  Now assume that a local
   administrator wants to insert a set of IKE rules {Rule D, Rule E}
   where Rule D has a higher priority than Rule E.  The new rules will
   be added before rules in G1 with priority equal to or less than 20.
   So, when evaluating rules, the order of evaluation would be A, B, D,
   E, C.  Note that the priority of the rules in override set are
   relative only to the set.

   The property is defined as follows:

   NAME         IKERuleOverridePoint
   DESCRIPTION  Specifies the rule priority at which the policy author
                is willing to allow IKERule insertions by a local
                administrator.
   SYNTAX       unsigned 16-bit integer

4.1.2. The Property IPsecRuleOverridePoint

   This property specifies the rule priority at which the policy author
   is willing to allow IPsecRule insertions by a local administrator.

   This property is the same as IKERuleOverridePoint except it is used
   for the IPsec rules in the IPsecPolicyGroup.  The property is
   defined as follows:

   NAME         IPsecRuleOverridePoint
   DESCRIPTION  Specifies the rule priority at which the policy author
                is willing to allow IPsecRule insertions by a local
                administrator.
   SYNTAX       unsigned 16-bit integer

4.2. The Class SARule

   The class SARule serves as a base class for IKERule and IPsecRule.
   Even though base class for IKERule and IPsecRule.
   Even though the class is concrete, it MUST not be instantiated.  It
   defines a common connection point for associations to conditions and
   actions for both types of rules.  Each SARule within a given
   IPsecPolicyGroup must contain a unique priority.  Through its derivation from
   PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
   the PolicyRuleValidityPeriod association.  The
   class definition for

   An SARule is as follows:

   NAME inherits the property Priority from PolicyRule.  Since
   there is a need for an unambiguous ordering of rules in an IPsec
   system, all SARules contained within an IPsecPolicyGroup must have
   unique priority values.

   The class definition for SARule is as follows:

   NAME         SARule
   DESCRIPTION  A base class for IKERule and IPsecRule.
   DERIVED FROM PolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyRuleName (from PolicyRule)
                Enabled (from PolicyRule)
                ConditionListType (from PolicyRule)
                Priority (from PolicyRule)
                PolicyRoles (from PolicyRule)
                LimitNegotiation

4.2.1. The Property LimitNegotiation
   The property LimitNegotiation is used as part of processing either
   an IKE or an IPsec rule.

   Before proceeding with a phase 1 negotiation, this property is
   checked to determine if the negotiation role of the rule matches
   that defined for the negotiation being undertaken (e.g., Initiator,
   Responder, or Both). If this check fails (e.g. the current role is
   IKE responder while the rule specifies IKE initiator), then the IKE
   negotiation is stopped. Note that this only applies to new IKE phase
   1 negotiations and has no effect on either renegotiation or refresh
   operations with peers for which an established SA already exists.

   Before proceeding with a phase 2 negotiation, the LimitNegotiation
   property of the IPsecRule is first checked to determine if the
   negotiation role indicated for the rule matches that of the current
   negotiation (Initiator, Responder, or Either).  Note that this limit
   applies only to new phase 2 negotiations.  It is ignored when an
   attempt is made to refresh an expiring SA (either side can initiate
   a refresh operation).  The IKE system can determine that the
   negotiation is a refresh operation by checking to see if the
   selector information matches that of an existing SA. If
   LimitNegotiation does not match and the selector corresponds to a
   new SA, the negotiation is stopped.

   The property is defined as follows:

   NAME         LimitNegotiation
   DESCRIPTION  Limits the role to be undertaken during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1  initiator-only
                2  responder-only
                3 - both

4.3. The Class IKERule

   The class IKERule associates Conditions and Actions for IKE phase 1
   negotiations.  The class definition for IKERule is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 1
                negotiations.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.4. SARule, plus
                IdentityContexts

4.3.1. The Class IPsecRule Property IdentityContexts

   The class IPsecRule associates Conditions and Actions for IKE phase
   2 negotiations service of a security endpoint may have multiple identities
   for the IPsec DOI. use in different situations.  The class combination of the interface
   (represented by the IPProtocolEndpoint), the identity type (as
   specified in the IKEAction) and the IdentityContexts specifies a
   unique identity.

   The IdentityContexts property specifies the context to select the
   relevant IKE identity to be used during the further IKEAction.  A
   context may be a VPN name or other identifier for selecting the
   appropriate identity for use on the protected IPProtocolEndpoint.

   IdentityContexts is an array of strings.  The multiple values in the
   array are ORed together in evaluating the IdentityContexts.  Each
   value in the array may be the composition of multiple context names.
   So, a single value may be a single context name (e.g.,
   "CompanyXVPN") or it may be combination of contexts.  When an array
   value is a composition, the individual values are ANDed together for
   evaluation purposes and the syntax is:

        <ContextName>[&&<ContextName>]*

   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2).  So, for example,
   the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
   "CompanyZVPN&&Confidential" means that, for the appropriate
   IPProtocolEndpoint and IdentityType, the contexts are matched if the
   identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
   "CompanyZVPN&&Confidential".

   The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  Specifies the context in which to select the IKE
                identity.
   SYNTAX       string array

4.4. The Class IPsecRule

   The class IPsecRule associates Conditions and Actions for IKE phase
   2 negotiations for the IPsec DOI.  The class definition for
   IPsecRule is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 2
                negotiations for the IPsec DOI.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup

   The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec
   policies to be combined to into one effective policy.  When merging
   policies, rule priorities  See [PCIM] for a
   description of the how policies are used in conjunction with merged (see also the rule
   override point values to determine insertion points and for rule
   priority renumbering (if necessary to maintain uniqueness). property
   GroupPriority).  The class definition for
   IPsecPolicyGroupInPolicyGroup is as follows:

   NAME         IPsecPolicyGroupInPolicyGroup
   DESCRIPTION  Associates a nested IPsecPolicyGroup with the
                IPsecPolicyGroup that contains it.
   DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   ContainingGroup[ref   GroupComponent[ref IPsecPolicyGroup[0..n]]
                ContainedGroup[ref
                PartComponent[ref IPsecPolicyGroup[0..n]]
                Precedence
                GroupPriority

4.5.1. The Reference ContainingGroup GroupComponent

   The property ContainingGroup GroupComponent is inherited from
   PolicyGroupInPolicyGroup and is overridden to contain object
   reference refer to an
   IPsecPolicyGroup that contains one or more
   IPsecPolicyGroups. instance.  The [0..n] cardinality indicates that a
   given IPsecPolicyGroup instance may be a part of zero or more
   containing IPsecPolicyGroup instances (i.e., there may be zero or
   more IPsecPolicyGroups that contain any given
   IPsecPolicyGroup. GroupComponent references per PartComponent).

4.5.2. The Reference ContainedGroup PartComponent

   The property ContainedGroup PartComponent is inherited from
   PolicyGroupInPolicyGroup and is overridden to contain an object
   reference refer to an
   IPsecPolicyGroup contained by one or more
   IPsecPolicyGroups. instance.  The [0..n] cardinality indicates that an a
   given IPsecPolicyGroup instance may contain zero or more IPsecPolicyGroups.

4.5.3. The Property Precedence

   The property Precedence specifies the merge ordering of
   IPsecPolicyGroup instances (i.e., there may be zero or more
   PartComponent references per GroupComponent).

4.5.3. The Property GroupPriority

   Since policy groups, IPsecPolicyGroup, can contain both rules and
   other policy groups, the relative priorities of the rules of the
   contained groups are established by setting the GroupPriority
   property of IPsecPolicyGroupInPolicyGroup as a unique rule priority
   in the containing group.

   The rules of the nested
   IPsecPolicyGroups. group are inserted in order at that position
   (i.e. indicated by GroupPriority) in the containing group's rules

   The property is defined as follows:

   NAME         Precedence         GroupPriority
   DESCRIPTION  Specifies the merge ordering of the rule priority to be set to all nested
                IPsecPolicyGroups.
                rules.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between 1 and 2^16-1 inclusive.  Lower values
                have higher precedence (i.e., 1 is the highest
                precedence).  The merging order of two ContainedGroups
                with the same precedence is undefined.

4.6. The Composition Association Class RuleForIKENegotiation IPsecPolicyForEndpoint

   The class RuleForIKENegotiation IPsecPolicyForEndpoint associates an IKERule IPsecPolicyGroup with
   a specific network interface.  If an IPProtocolEndpoint of a system
   does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
   then the IPsecPolicyForSystem associated IPsecPolicyGroup is used
   for that contains it. endpoint.  The class definition for
   RuleForIKENegotiation IPsecPolicyForEndpoint
   is as follows:

   NAME         RuleForIKENegotiation         IPsecPolicyForEndpoint
   DESCRIPTION  Associates an IKERule with the IPsecPolicyGroup that
                contains it. a policy group to a network interface.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   ContainingGroup [ref IPsecPolicyGroup [1..1]]
                ContainedRule [ref IKERule [0..n]]   Antecedent[ref IPProtocolEndpoint[0..n]]
                Dependent[ref IPsecPolicyGroup[0..1]]

4.6.1. The Reference ContainingGroup Antecedent

   The property ContainingGroup contains an object reference Antecedent is inherited from Dependency and is
   overridden to refer to an
   IPsecPolicyGroup that contains one or more IKERules. IPProtocolEndpoint instance.  The [1..1] [0..n]
   cardinality indicates that an IKERule IPsecPolicyGroup instance may be contained in only one
   IPsecPolicyGroup (i.e., IKERules are not shared across
   IPsecPolicyGroups).
   associated with zero or more IPProtocolEndpoint instances.

4.6.2. The Reference ContainedRule Dependent

   The property ContainedRule contains an object reference Dependent is inherited from Dependency and is
   overridden to refer to an
   IKERule contained by an IPsecPolicyGroup. IPsecPolicyGroup instance.  The [0..n] [0..1]
   cardinality indicates that an IPsecPolicyGroup IPProtocolEndpoint instance may contain zero or more
   IKERules. have
   an association to at most one IPsecPolicyGroup instance.

4.7. The Composition Association Class RuleForIPsecNegotiation IPsecPolicyForSystem

   The class RuleForIPsecNegotiation IPsecPolicyForSystem associates an IPsecRule IPsecPolicyGroup with a
   specific system.  If an IPProtocolEndpoint of a system does not have
   an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
   IPsecPolicyForSystem associated IPsecPolicyGroup is used for that contains it.
   endpoint.  The class definition for
   RuleForIPsecNegotiation IPsecPolicyForSystem is as
   follows:

   NAME         RuleForIPsecNegotiation         IPsecPolicyForSystem
   DESCRIPTION  Associates an IPsecRule with the IPsecPolicyGroup that
                contains it.  Default policy group for a system.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   ContainingGroup [ref IPsecPolicyGroup [1..1]]
                ContainedRule [ref IPsecRule [0..n]]   Antecedent[ref System[0..n]]
                Dependent[ref IPsecPolicyGroup[0..1]]

4.7.1. The Reference ContainingGroup Antecedent

   The property ContainingGroup contains an object reference to an
   IPsecPolicyGroup that contains one or more IPsecRules. Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] [0..n] cardinality
   indicates that an IPsecRule may be contained in only one IPsecPolicyGroup (i.e., IPsecRules are not shared across
   IPsecPolicyGroups). instance may have an association
   to zero or more System instances.

4.7.2. The Reference ContainedRule Dependent

   The property ContainedRule contains an object reference Dependent is inherited from Dependency and is
   overridden to refer to an
   IPsecRule contained by an IPsecPolicyGroup. IPsecPolicyGroup instance.  The [0..n] [0..1]
   cardinality indicates that a System instance may have an association
   to at most one IPsecPolicyGroup may contain zero or more
   IPsecRules. instance.

4.8. The Aggregation Class SAConditionInRule RuleForIKENegotiation

   The class SAConditionInRule RuleForIKENegotiation associates an SARule IKERule with the
   SACondition instances
   IPsecPolicyGroup that trigger contains it.  See [PCIM] for the usage for
   the properties GroupNumber and ConditionNegated.  The class definition for SAConditionInRule
   RuleForIKENegotiation is as follows:

   NAME         SAConditionInRule         RuleForIKENegotiation
   DESCRIPTION  Associates an SARule IKERule with the SACondition instances IPsecPolicyGroup that trigger
                contains it.
   DERIVED FROM PolicyConditionInPolicyRule PolicyRuleInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   ContainingRule   GroupComponent [ref SARule [0..n]]
                ContainedCondition IPsecPolicyGroup [1..1]]
                PartComponent [ref SACondition IKERule [0..n]]
                GroupNumber (from PolicyConditionInPolicyRule)
                ConditionNegated (from PolicyConditionInPolicyRule)
                SequenceNumber

4.8.1. The Reference ContainingRule GroupComponent

   The property ContainingRule GroupComponent is inherited from
   PolicyConditionInPolicyRule
   PolicyRuleInPolicyGroup and is overridden to contain an object
   reference refer to an SARule that contains one or more SAConditions.
   IPsecPolicyGroup instance.  The
   [0..n] [1..1] cardinality indicates that an SACondition
   IKERule instance may be contained in
   zero or more SARules. one and only one
   IPsecPolicyGroup instance (i.e., IKERules are not shared across
   IPsecPolicyGroups).

4.8.2. The Reference ContainedCondition PartComponent

   The property ContainedCondition PartComponent is inherited from
   PolicyConditionInPolicyRule PolicyRuleInPolicyGroup
   and is overridden to contain an object
   reference refer to an SACondition that is contained by an SARule. IKERule instance.  The [0..n]
   cardinality indicates that an SARule IPsecPolicyGroup instance may contain
   zero or more
   SAConditions.

4.8.3. The Property SequenceNumber

   The property SequenceNumber specifies, for a given rule, the order
   in which the SACondition instances will be evaluated.  The property
   is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the evaluation order of the SAConditions.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower valued SAConditions are evaluated first.  The
                order of evaluation of ContainedConditions with the
                same SequenceNumber value is undefined. IKERule instances.

4.9. The Aggregation Class SAActionInRule RuleForIPsecNegotiation

   The SAActionInRule class RuleForIPsecNegotiation associates an SARule IPsecRule with its primary
   SAAction. the
   IPsecPolicyGroup that contains it.  The class definition for SAActionInRule
   RuleForIPsecNegotiation is as follows:

   NAME         SAActionInRule         RuleForIPsecNegotiation
   DESCRIPTION  Associates an SARule IPsecRule with its primary SAAction.
   DERIVED FROM PolicyActionInPolicyRule the IPsecPolicyGroup that
                contains it.
   DERIVED FROM PolicyRuleInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   ContainingRule [ref SARule [0..n]]
                ContainedAction   GroupComponent [ref SAAction IPsecPolicyGroup [1..1]]
                PartComponent [ref IPsecRule [0..n]]

4.9.1. The Reference ContainingRule GroupComponent

   The property ContainingRule GroupComponent is inherited from
   PolicyActionInPolicyRule
   PolicyRuleInPolicyGroup and is overridden to contain an object
   reference refer to an SARule that contains an SAAction.
   IPsecPolicyGroup instance.  The [0..n] [1..1] cardinality indicates that an SAAction
   IPsecRule instance may be contained in zero or
   more SARules. only one IPsecPolicyGroup
   instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).

4.9.2. The Reference ContainedAction PartComponent

   The property ContainedAction PartComponent is inherited from
   PolicyActionInPolicyRule PolicyRuleInPolicyGroup
   and is overridden to contain an object
   reference refer to an SAAction that is contained by an SARule. IPsecRule instance.  The [1..1] [0..n]
   cardinality indicates that an SARule IPsecPolicyGroup instance may contain only one SAAction.
   zero or more IPsecRules instance.

4.10. The Aggregation Class FallbackSAActionInRule SAConditionInRule

   The class FallbackSAActionInRule SAConditionInRule associates an SARule with its
   ordered set of fallback actions.  Fallback actions allow an
   administrator to define what action is to be take if the SAAction
   referenced by SAActionInRule fails
   SACondition instance(s) that trigger(s) it.  See [PCIM] for any reason. the
   usage for the properties GroupNumber and ConditionNegated.  The
   class definition for FallbackSAActionInRule SAConditionInRule is as follows:

   NAME         FallbackSAActionInRule         SAConditionInRule
   DESCRIPTION  Associates an SARule with the ordered set of fallback
                actions SACondition instance(s)
                that should be attempted/applied in the case of
                failure of the primary SAAction. trigger(s) it.
   DERIVED FROM PolicyConditionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   ContainingRule   GroupComponent [ref SARule [0..n]]
                ContaintedAction
                PartComponent [ref SAAction [0..n]]
                SequenceNumber SACondition [1..n]]
                GroupNumber (from PolicyConditionInPolicyRule)
                ConditionNegated (from PolicyConditionInPolicyRule)

4.10.1. The Reference ContainingRule GroupComponent

   The property ContainingRule contains an object reference GroupComponent is inherited from
   PolicyConditionInPolicyRule and is overridden to refer to an SARule that contains one or more fallback SAActions.
   instance.  The [0..n] cardinality indicates that an fallback SAAction SACondition
   instance may be contained in zero or more SARules. SARule instances.

4.10.2. The Reference ContainedAction PartComponent

   The property ContainedAction contains an object reference to a
   fallback SAAction that PartComponent is contained by one or more SARules. inherited from
   PolicyConditionInPolicyRule and is overridden to refer to an
   SACondition instance.  The
   [0..n] [1..n] cardinality indicates that an
   SARule may instance MUST contain zero or more
   fallback SAActions.

4.10.3. at least one SACondition instance.

4.11. The Property SequenceNumber Aggregation Class SAActionInRule

   The property SequenceNumber specifies, SAActionInRule class associates an SARule with its primary
   SAAction.  The class definition for a given rule, the order
   in which the fallback SAActions should be attempted.  Once a
   fallback SAAction SAActionInRule is successfully applied, then subsequent fallback
   SAActions should as follows:

   NAME         SAActionInRule
   DESCRIPTION  Associates an SARule with its SAAction(s).
   DERIVED FROM PolicyActionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref SARule [0..n]]
                PartComponent [ref SAAction [1..n]]
                ActionOrder

4.11.1. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyActionInPolicyRule and is overridden to refer to an SARule
   instance.  The [0..n] cardinality indicates that an SAAction
   instance may be ignored. contained in zero or more SARule instances.

4.11.2. The Reference PartComponent

   The property PartComponent is inherited from
   PolicyActionInPolicyRule and is overridden to refer to an SAAction
   instance.  The [1..n] cardinality indicates that an SARule instance
   MUST contain at least one SAAction instance.

4.11.3. The Property ActionOrder

   The property ActionOrder specifies the relative position of this
   SAAction in the sequence of actions associated with a PolicyRule.
   The ActionOrder MUST be unique so as to provide a deterministic
   order.  In addition, the actions in an SARule are executed as
   follows.

   For an initiator, if there is more than one action in the rule, the
   additional actions are 'backup' actions in the event that the first
   action is not able to be completed successfully.  They are tried in
   the ActionOrder until the list is exhausted or one completes
   successfully.  For example, an IKE initiator may have several
   IKEActions for the same SACondition. The initiator will try all
   IKEActions in the order defined by ActionOrder.  I.e. it will
   possibly try several phases 1 possibly with different modes (main
   mode then aggressive mode) and/or with possibly multiple IKE peers.

   For a responder, there can be more than one action in the rule, this
   provides alternative actions depending on the received proposals.
   For example, the same IKERule may be used to handle aggressive mode
   and main mode negotiations with different actions.  The first
   appropriate action in the list of actions is used by the responder.

   The property is defined as follows:

   [Need an explanation of what the action order means as it replaces
   the fallback association]

   NAME         SequenceNumber         ActionOrder
   DESCRIPTION  Specifies the order of attempted application for the
                fallback SAAction. actions.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between 1 and 2^16-1 inclusive.  Lower valued fallback SAActions are attempted first. values
                have higher precedence (i.e., 1 is the highest
                precedence).  The merging order of attempt of ContainedActions two SAActions with
                the same
                SequenceNumber value precedence is undefined.

5. Condition and Filter Classes

   The IPsec condition and filter classes are used to build the "if"
   part of the IKE and IPsec rules.

   +-------------+*    0..1+------------+1       *+-------------------+
   |

                             *+-------------+
         +--------------------| SACondition |o--------| FilterList |x--------| [FilterEntryBase] |
   +-------------+   (a)   +------------+   (b)   +-------------------+
                                                           ^ |
            +---------------------+------------------------+
         |                    +-------------+
         |                         * |
   +-----------------+  +-------------------+ +-----------------------+
         | [IPFilterEntry]                           |(a)
         |                         1 | [IPSOFilterEntry]
         |                    +--------------+
         | CredentialFilterEntry                    |
   +-----------------+  +-------------------+ +-----------------------+
            ^                     ^  FilterList  |
         |                    | +-------------------+ (Appendix C) |
         |                    +--------------+
         |                         1 o
         |(b)                        |(c)
         | +--------------------------------+                         * | +-| ClassificationLevelFilterEntry
         |                   +-----------------+
         |                   | +--------------------------------+ FilterEntryBase |
         |                   |  (Appendix C)   | +--------------------------------+
         | +-| ProtectionAuthorityFilterEntry                   +-----------------+
         |                           ^
         |   +--------------------------------+                           |
            +-----------------------------------------------+
         |       +--------------+    |    +-----------------------+                     +--------------------+
   | [EndpointFilterEntry]
         |                     |ProtocolFilterEntry       |
   +-----------------------+                     +--------------------+
              ^                                                   ^
              |                               +----------------+ FilterEntry  |----+----| CredentialFilterEntry |
              +----------------------+
         | UDPFilterEntry |--+       |        +----------------+ (Appendix C) |    |    +-----------------------+
         |
              +-----------------+       +--------------+    |        +----------------+
         |                           | FQDNFilterEntry |----+
         | TCPFilterEntry |--+    +-----------------+    |        +----------------+
                                     |
       +------------------------+    +--------------------------+
         |    +------------------------+    | IPv4AddressFilterEntry IPSOFilterEntry |----+----| IPv6AddressFilterEntry |
       +------------------------+    |    +------------------------+
                                     |
         +----------------------+    |    +----------------------+ PeerIDPayloadFilterEntry | IPv4RangeFilterEntry |----+----| IPv6RangeFilterEntry
         |
         +----------------------+    +-----------------+         +--------------------------+
         |    +----------------------+
         |
        +-----------------------+           *+-----------------------------+
         +------------| CredentialManagementService |    +-----------------------+
                      | IPv4SubnetFilterEntry |----+----| IPv6SubnetFilterEntry         (Appendix B)        |
        +-----------------------+         +-----------------------+
                      +-----------------------------+

   (a)  FilterOfSACondition
   (b)  AcceptCredentialsFrom
   (c)  EntriesInFilterList (see Appendix C)

5.1. The Class SACondition

   The class SACondition defines the preconditions conditions of rules for IKE and
   IPsec negotiations.  Conditions are associated with policy rules via
   the SAConditionInRule aggregation. It is used as an anchor point to
   associate various types of filters with policy rules via the
   FilterOfSACondition association. It also defines whether Credentials
   can be accepted for a particular policy rule via the
   AcceptCredentialsFrom association.

   Associated objects represent components of the condition that may or
   may not apply at a given rule evaluation.  For example, an
   AcceptCredentialsFrom evaluation is only performed when a credential
   is available to be evaluated against the list of trusted credential
   management services.  Similarly, a PeerIDPayloadFilterEntry may only
   be evaluated when an IDPayload value is available to compared with
   the filter.  Condition components that do not have corresponding
   values with which to evaluate are evaluated as TRUE unless the
   protocol has completed without providing the required information.

   The class definition for SACondition is as follows:

   NAME         SACondition
   DESCRIPTION  Defines the preconditions for IKE and IPsec
                negotiations.
   DERIVED FROM PolicyCondition (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyConditionName (from PolicyCondition)
                StartupCondition

5.1.1.

5.2. The Property StartupCondition

   This property specifies the triggering event that caused the rule
   evaluation. Class FilterEntry

   The property class FilterEntry is defined as follows:

   NAME         StartupCondition
   DESCRIPTION  Specifies the triggering event that cause in appendix C with the rule to
                be evaluated.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 (OnBoot) - following
   notes:

   1) since actions in the rule is triggered after system boot.
                The FilterList associated with the SACondition contains IPsec Policy Model are not part of the information that will be used to build
      condition side of the
                selectors.
                2 (OnManual) - rule, the rule Action property of each
      FilterEntry is triggered manually in
                response ignored and should be set to user input.  The FilterList associated with
                the SACondition contains the information "FilterOnly".

   2) to specify 5-tuple filters that will be
                used are to build apply symmetrically (i.e.,
      matches traffic in both directions of the selectors.
                3 (OnDataTraffic) - same flow between the rule is triggered when packets
                without associated security associations are sent or
                received (traffic directionality is indicated by
      two peers), the Direction field property of the associated FilterList).
                4 (OnIKEMessage) - the rule is triggered when an
                incoming request for IKE negotiation is received.

5.2. FilterList should be
      set to "Mirrored".

5.3. The Class FilterList CredentialFilterEntry

   The class FilterList aggregates CredentialFilterEntry defines an ANDed set equivalence class that
   match credentials of filters IKE peers. Each CredentialFilterEntry includes
   a MatchFieldName that are
   used for determining when an SACondition evaluates is interpreted according to true and
   therefore its the
   CredentialManagementService(s) associated SAAction should with the SACondition
   (AcceptCredentialsFrom).

   These credentials can be performed. X.509 certificates, Kerberos tickets, or
   other types of credentials obtained during the Phase 1 exchange.

   The class definition for FilterList CredentialFilterEntry is as follows:

   NAME         FilterList         CredentialFilterEntry
   DESCRIPTION  Aggregates  Specifies a set of filters for condition matching. match filter based on the IKE credentials.
   DERIVED FROM FilterEntryBase (see Appendix C)
   ABSTRACT     FALSE
   PROPERTIES   Name
                Direction

5.2.1. (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchFieldName
                MatchFieldValue
                CredentialType

5.3.1. The Property Name

   This MatchFieldName

   The property MatchFieldName specifies a user-friendly name for the FilterList. sub-part of the credential
   to match against MatchFieldValue.  The property is defined as
   follows:

   NAME         Name         MatchFieldName
   DESCRIPTION  Specifies which sub-part of the user-friendly name for the FilterList. credential to match.
   SYNTAX       string

5.2.2.
   VALUE

5.3.2. The Property Direction

   This MatchFieldValue

   The property MatchFieldValue specifies whether or the FilterList will be used on
   incoming, outgoing, or bi-directional traffic.  Direction is only
   useful for filter types that inspect traffic parameters and when value to compare with the
   StartupCondition property
   MatchFieldName in the SACondition is set a credential to OnDataTraffic
   (3). determine if the credential
   matches this filter entry.  The property is defined as follows:

   NAME         Direction         MatchFieldValue
   DESCRIPTION  Specifies what kind of traffic will the value to be checked -
                incoming, outgoing, or bi-directional. matched by the
                MatchFieldName.
   SYNTAX       string
   VALUE        NB: If the CredentialFilterEntry corresponds to a
                DistinguishedName, this value in the CIM class is
                represented by an ordinary string value.  However, an
                implementation must convert this string to a DER-
                encoded string before matching against the values
                extracted from credentials at runtime.

5.3.3. The Property CredentialType

   The property CredentialType specifies the particular type of
   credential that is being matched.  The property is defined as
   follows:

   NAME         CredentialType
   DESCRIPTION  Defines the type of IKE credentials.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - Incoming X.509 Certificate
                2 - Outgoing
                3 - Bi-directional

5.3. Kerberos Ticket

5.4. The Abstract Class FilterEntryBase IPSOFilterEntry

   The abstract class FilterEntryBase serves IPSOFilterEntry is used to match traffic based on the IP
   Security Options header values (ClassificationLevel and
   ProtectionAuthority) as defined in RFC1108. This type of FilterEntry
   is used to adjust the base class for IPsec encryption level according to the
   specific filter class. IPSO
   classification of the traffic (e.g., secret, confidential,
   restricted, etc.  The class definition for FilterEntryBase IPSOFilterEntry is as
   follows:

   NAME         FilterEntryBase         IPSOFilterEntry
   DESCRIPTION  Serves as  Specifies the base class for specific a match filter classes. based on IP Security
                Options.
   DERIVED FROM FilterEntryBase (see Appendix C)
   ABSTRACT     TRUE     FALSE
   PROPERTIES   Name (from FilterEntryBase)
                IsNegated

5.3.1. (from FilterEntryBase)
                MatchConditionType
                MatchConditionValue

5.4.1. The Property Name

   This MatchConditionType

   The property MatchConditionType specifies a user-friendly name for the filter. IPSO header field that
   will be matched (e.g., traffic classification level or protection
   authority).  The property is defined as follows:

   NAME         Name         MatchConditionType
   DESCRIPTION  Specifies the user-friendly name for the filter. IPSO header field to be matched.
   SYNTAX       string

5.3.2.       unsigned 16-bit integer
   VALUE        1 - ClassificationLevel
                2 - ProtectionAuthority

5.4.2. The Property IsNegated

   This MatchConditionValue

   The property MatchConditionValue specifies whether or not the result of the boolean
   result value of the filter evaluation should IPSO
   header field to be negated. matched against.  The property is defined as
   follows:

   NAME         IsNegated         MatchConditionValue
   DESCRIPTION  Specifies whether or not to negate the result of the
                evaluation value of the filter. IPSO header field to be
                matched against.
   SYNTAX       boolean       unsigned 16-bit integer
   VALUE        A value of true means that the boolean result of        For ClassificationLevel, the
                filter evaluation of values are:
                61 - TopSecret
                90 - Secret
                150 - Confidential
                171 - Unclassified
                For ProtectionAuthority, the filter will be negated.  A
                value of false means that the boolean result of the
                evaluation of the filter will not be altered.

5.4. values are:
                0 - GENSER
                1 - SIOP-ESI
                2 - SCI
                3 - NSA
                4 - DOE

5.5. The Abstract Class IPFilterEntry PeerIDPayloadFilterEntry

   The abstract class IPFilterEntry serves as a base class for filter
   entries which are PeerIDPayloadFilterEntry defines filters used to match against ID
   payload values from the 5-tuple (i.e., source
   and destination address, protocol, and source and destination port)
   information in IKE protocol exchange.
   PeerIDPayloadFilterEntry permits the IP packet.  The class definition for
   IPFilterEntry is as follows:

   NAME         IPFilterEntry
   DESCRIPTION  Serves specification of certain ID
   payload values such as the base class for IP 5-tuple filters.
   DERIVED FROM FilterEntryBase
   ABSTRACT     TRUE

5.5. The Abstract Class EndpointFilterEntry

   The abstract class EndpointFilterEntry serves "*@company.com" or "193.190.125.0/24".

   Obviously this filter applies only to IKERules when acting as a base class for
   filters which match against IP addresses (source or destination).
   responder.  Moreover, this filter can be applied immediately in the
   case of aggressive mode but its application is to be delayed in the
   case of main mode.  The class definition for EndpointFilterEntry
   PeerIDPayloadFilterEntry is as follows:

   NAME         EndpointFilterEntry         PeerIDPayloadFilterEntry
   DESCRIPTION  Serves as the base class for filters which  Specifies a match
                against IP addresses. filter based on IKE identity.
   DERIVED FROM IPFilterEntry FilterEntryBase (see Appendix C)
   ABSTRACT     TRUE     FALSE
   PROPERTIES   ApplyToDestination   Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchIdentityType
                MatchIdentityValue

5.5.1. The Property ApplyToDestination

   This MatchIdentityType

   The property MatchIdentityType specifies whether or not the address to test against
   is type of identity
   provided by the source or peer in the destination IP address. ID payload."   The property is defined
   as follows:

   NAME         ApplyToDestination         MatchIdentityType
   DESCRIPTION  Specifies which IP address to test, source or
                destination. the ID payload type.
   SYNTAX       boolean       unsigned 16-bit integer
   VALUE        A value of true means that the destination IP address
                should be tested against.  A value of false means that
                the source IP address should be tested against.

5.6. The Class IPv4AddressFilterEntry

   The class IPv4AddressFilterEntry specifies a filter that will match
   against a single        1 - IPv4 address.  The class definition for
   IPv4AddressFilterEntry is as follows:

   NAME         IPv4AddressFilterEntry
   DESCRIPTION  Defines the match filter for an Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 address.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES Subnet
                5 - IPv6 Address

5.6.1.
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

5.5.2. The Property Address

   This MatchIdentityValue

   The property MatchIdentityValue specifies the IPv4 address that will be used in filter value for
   comparison with the
   equality test. ID payload, e.g., "*@company.com"  The property
   is defined as follows:

   NAME         Address         MatchIdentityValue
   DESCRIPTION  Specifies the IPv4 address ID payload value.
   SYNTAX       string
   VALUE        NB: The syntax may need to be converted for comparison.
                If the PeerIDPayloadFilterEntry type is a
                DistinguishedName, the name in the MatchIdentityValue
                property is represented by an ordinary string value,
                but this value must be converted into a DER-encoded
                string before matching against the values extracted
                from IKE ID payloads at runtime.  The same applies to
                IPv4 & IPv6 addresses.

                Wildcards can be used as well as the prefix notation
                for IPv4 addresses:
                - a MatchIdentityValue of "*@company.com" will match against.
   SYNTAX       unsigned 32-bit integer

5.7. an
                ID payload of "JDOE@COMPANY.COM"
                - a MatchIdentityValue of "193.190.125.0/24" will match
                an ID payload of 193.190.125.10.

5.6. The Association Class IPv4RangeFilterEntry FilterOfSACondition

   The class IPv4RangeFilterEntry specifies a filter for testing if FilterOfSACondition associates an
   IPv4 address is between SACondition with the start address and end address
   inclusively.
   filter specifications (FilterList) that make up the condition.  The
   class definition for IPv4RangeFilterEntry FilterOfSACondition is as follows:

   NAME         IPv4RangeFilterEntry         FilterOfSACondition
   DESCRIPTION  Defines  Associates a condition with the match filter for an IPv4 address range. list that make
                up the individual condition elements.
   DERIVED FROM EndpointFilterEntry Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   StartAddress
                EndAddress

5.7.1.   Antecedent [ref FilterList[1..1]]
                Dependent [ref SACondition[0..n]]

5.6.1. The Property StartAddress

   This property specifies the first IPv4 address in the address range. Reference Antecedent

   The property Antecedent is defined as follows:

   NAME         StartAddress
   DESCRIPTION  Specifies the start of the IPv4 address range.
   SYNTAX       unsigned 32-bit integer

5.7.2. inherited from Dependency and is
   overridden to refer to a FilterList instance.  The Property EndAddress

   This property specifies the last IPv4 address in the address range. [1..1]
   cardinality indicates that an SACondition instance MUST be
   associated with one and only one FilterList instance.

5.6.2. The Reference Dependent

   The property Dependent is defined as follows:

   NAME         EndAddress
   DESCRIPTION  Specifies the end of the IPv4 address.
   SYNTAX       unsigned 32-bit integer
   VALUE        EndAddress must inherited from Dependency and is
   overridden to refer to an SACondition instance.  The [0..n]
   cardinality indicates that a FilterList instance may be greater than associated
   with zero or equal to
                StartAddress.

5.8. more SAConditions instance.

5.7. The Association Class IPv4SubnetFilterEntry AcceptCredentialFrom

   The class IPv4SubnetFilterEntry AcceptCredentialFrom specifies which credential management
   services (e.g., a filter for testing if an
   IPv4 address CertificateAuthority or a Kerberos service) are to
   be trusted to certify peer credentials.  This is used to validate
   that the credential being matched in the CredentialFilterEntry is a
   valid credential that has been supplied by an approved
   CredentialManagementService.  If a CredentialManagementService is
   specified subnet.  The class definition for
   IPv4SubnetFilterEntry and a corresponding CredentialFilterEntry is as follows:

   NAME         IPv4SubnetFilterEntry
   DESCRIPTION  Defines used, but the match filter for an IPv4 subnet.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Address
                Mask

5.8.1. The Property Address

   This property specifies
   credential supplied by the IPv4 subnet.  The property peer is defined as
   follows:

   NAME         Address
   DESCRIPTION  Specifies not certified by that
   CredentialManagementService (or one of the IPv4 subnet.
   SYNTAX       unsigned 32-bit integer

5.8.2. The Property Mask

   This property specifies
   CredentialManagementServices in its trust hierarchy), the IPv4 mask.  The property
   CredentialFilterEntry is defined as
   follows:

   NAME         Mask
   DESCRIPTION  Specifies deemed not to match.  If a credential is
   certified by a CredentialManagementService in the IPv4 mask.
   SYNTAX       unsigned 32-bit integer
   VALUE        A special value of 0.0.0.0, coupled with an Address
                value
   AcceptCredentialsFrom list of 0.0.0.0 can be used services but there is no
   CredentialFilterEntry, this is considered equivalent to specify all addresses.

5.9. The Class IPv6AddressFilterEntry

   The class IPv6AddressFilterEntry specifies a filter
   CredentialFilterEntry that will match
   against a single IPv6 address. matches all credentials from those
   services.

   The class definition for
   IPv6AddressFilterEntry AcceptCredentialFrom is as follows:

   NAME         IPv6AddressFilterEntry         AcceptCredentialFrom
   DESCRIPTION  Defines  Associates a condition with the match filter for an IPv4 address. credential management
                services to be trusted.
   DERIVED FROM EndpointFilterEntry Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Address

5.9.1.   Antecedent [ref CredentialManagementService[0..n]]
                Dependent [ref SACondition[0..n]]

5.7.1. The Property Address

   This property specifies the IPv6 address that will be used in the
   equality test. Reference Antecedent

   The property Antecedent is defined as follows:

   NAME         Address
   DESCRIPTION  Specifies the IPv6 address inherited from Dependency and is
   overridden to refer to match against.
   SYNTAX       byte[16]

5.10. The Class IPv6RangeFilterEntry
   The class IPv6RangeFilterEntry specifies a filter for testing if an
   IPv6 address is between the start address and end address
   inclusively. CredentialManagementService instance.  The class definition for IPv6RangeFilterEntry is as
   follows:

   NAME         IPv6RangeFilterEntry
   DESCRIPTION  Defines the match filter for
   [0..n] cardinality indicates that an IPv6 address range.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   StartAddress
                EndAddress

5.10.1. SACondition instance may be
   associated with zero or more CredentialManagementServices instance.

5.7.2. The Property StartAddress

   This property specifies the first IPv6 address in the address range. Reference Dependent

   The property Dependent is defined as follows:

   NAME         StartAddress
   DESCRIPTION  Specifies the start of the IPv6 address range.
   SYNTAX       byte[16]

5.10.2. The Property EndAddress

   This property specifies the last IPv6 address in the address range.
   The property inherited from Dependency and is defined as follows:

   NAME         EndAddress
   DESCRIPTION  Specifies the end of the IPv6 address.
   SYNTAX       byte[16]
   VALUE        EndAddress must be greater than or equal
   overridden to
                StartAddress.

5.11. The Class IPv6SubnetFilterEntry refer to an SACondition instance.  The class IPv6SubnetFilterEntry specifies [0..n]
   cardinality indicates that a filter for testing if an
   IPv6 address is in the specified subnet. CredentialManagementService instance
   may be associated with zero or more SAConditions instance.

6. Action Classes

   The class definition for
   IPv4SubnetFilterEntry is as follows:

   NAME         IPv6SubnetFilterEntry
   DESCRIPTION  Defines action classes are used to model the match filter for different actions an IPv6 subnet.
   DERIVED FROM EndpointFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Address
                Mask

5.11.1. The Property Address

   This property specifies the IPv6 subnet.  The property is defined as
   follows:

   NAME         Address
   DESCRIPTION  Specifies the IPv6 subnet.

   SYNTAX       byte[16]

5.11.2. The Property Mask

   This property specifies IPsec
   device may take when the IPv6 mask.  The property is defined as
   follows:

   NAME         Mask
   DESCRIPTION  Specifies evaluation of the IPv6 mask.
   SYNTAX       byte[16]
   VALUE        A special value of 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0,
                coupled with an Address value of
                0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 can be used to specify
                all addresses.

5.12. associated condition
   results in a match.

                                +----------+
                                | SAAction |
                                +----------+
                                     ^
                                     |
                         +-----------+--------------+
                         |                          |
                *+----------------+      +---------------------+*
                 | SAStaticAction |      | SANegotiationAction |o-----+
                 +----------------+      +---------------------+      |
                               ^                     ^                |
                               |                     |                |
                               |         +-----------+-------+        |
                               |         |                   |        |
       +-------------------+   |   +-------------+     +-----------+  |
       | IPsecBypassAction |---+   | IPsecAction |     | IKEAction |  |
       +-------------------+   |   +-------------+     +-----------+  |
                               |       ^                              |
      +--------------------+   |       |    +----------------------+  |
      | IPsecDiscardAction |---+       +----| IPsecTransportAction |  |
      +--------------------+   |       |    +----------------------+  |
                               |       |                              |
         +-----------------+   |       |    +-------------------+     |
         | IKERejectAction |---+       +----| IPsecTunnelAction |     |
         +-----------------+   |            +-------------------+     |
                               |                     *|               |
                               |       +--------------+               |
                               |       |                              |
   +-----------------------+   |       |       +--------------+n      |
   | PreconfiguredSAAction |---+       |(a)    | [SAProposal] |-------+
   +-----------------------+           |       +--------------+   (b)
              ^                        |
              |                        |      *+-------------+
              +---------------------+  +-------| PeerGateway |
                                    |          +-------------+
   +-----------------------------+  |               *w|
   | PreconfiguredTransportAction|--+                 |(c)
   +-----------------------------+  |                1|
                                    |          +--------------+
   +-----------------------------+  |          |    System    |
   | PreconfiguredTransportAction|--+          | (Appendix A) |
   +-----------------------------+             +--------------+
               *|
                |   1..3+---------------+
                +-------| [SATransform] |
                  (d)   +---------------+
   (a)  PeerGatewayForTunnel
   (b)  ContainedProposal
   (c)  HostedPeerGatewayInformation
   (d)  TransformOfPreconfiguredAction

6.1. The Class FQDNFilterEntry SAAction

   The class FQDNFilterEntry specifies a filter SAAction serves as the base class for mathcing against a
   single or wild-carded DNS name. IKE and IPsec
   actions.  Although the class is concrete, it MUST not be
   instantiated.  It is used for aggregating different types of actions
   to IKE and IPsec rules.  The class definition for
   FQDNFilterEntry SAAction is as
   follows:

   NAME         FQDNFilterEntry         SAAction
   DESCRIPTION  Defines the match filter  The base class for a DNS name. IKE and IPsec actions.
   DERIVED FROM EndpointFilterEntry PolicyAction (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   Name

5.12.1.   PolicyActionName (from PolicyAction)
                DoActionLogging
                DoPacketLogging

6.1.1. The Property Name

   This DoActionLogging

   The property DoActionLogging specifies the DNS name whether a log message is to match against.
   be generated when the action is performed (even if the action
   fails).  The property is defined as follows:

   NAME         Address         DoActionLogging
   DESCRIPTION  Specifies the DNS name. whether to log when the action is
                performed.
   SYNTAX       string       boolean
   VALUE        The DNS name can        true - a log message is to be fully qualified (for example,
                foo.intel.com) or partially qualified (*.intel.com).

5.13. generated when action is
                performed.
                false - no log message is to be generated when action
                is performed.

6.1.2. The Class ProtocolFilterEntry Property DoPacketLogging

   The class ProtocolFilterEntry property DoPacketLogging specifies whether a filter for testing against
   an IP protocol.  The class definition for ProtocolFilterEntry log message is as
   follows:

   NAME         ProtocolFilterEntry
   DESCRIPTION  Defines a match filter for IP protocol.
   DERIVED FROM IPFilterEntry
   ABSTRACT     FALSE
   PROPERTIES   Protocol

5.13.1. The Property Protocol to
   be generated when the resulting security association is used to
   process the packet.  If the action successfully executes and results
   in the creation of one or several security associations, the value
   of DoPacketLogging SHOULD be propagated to an optional field of
   SADB.  This property specifies optional field should be used to decide whether a log
   message is to be generated when the IP protocol SA is used to match against. process a packet.
   The property is defined as follows:

   NAME         Protocol         DoPacketLogging
   DESCRIPTION  Specifies the IP protocol. whether to log when the resulting
                security association is used to process the packet.
   SYNTAX       unsigned 8-bit integer       boolean
   VALUE        A value of zero matches against any protocol.  Any
                other value        true - a log message is to be generated when the IP protocol number.

5.14.
                resulting security association is used to process the
                packet.
                false - no log message is to be generated.

6.2. The Class UDPFilterEntry SAStaticAction

   The class UDPFilterEntry specifies a filter for testing if a UDP
   port is between SAStaticAction serves as the start port base class for IKE and end port inclusively.  It is
   assumed IPsec
   actions that do not require any negotiation.  Although the Protocol property from the ProtocolFilterEntry class will contain the value 17 (i.e., UDP). is
   concrete, it MUST not be instantiated.  The class definition for UDPFilterEntry
   SAStaticAction is as follows:

   NAME         UDPFilterEntry         SAStaticAction
   DESCRIPTION  Defines the match filter  The base class for a UDP port range. IKE and IPsec actions that do not
                require any negotiation.
   DERIVED FROM ProtocolFilterEntry SAAction
   ABSTRACT     FALSE
   PROPERTIES   StartPort
                EndPort

5.14.1. The   LifetimeSeconds

6.2.1. The Property StartPort

   This LifetimeSeconds

   The property LifetimeSeconds specifies how long the first port in the UDP port range. security
   association derived from this action should be used.  The property
   is defined as follows:

   NAME         StartPort         LifetimeSeconds
   DESCRIPTION  Specifies the start amount of the UDP port range. time (in seconds) that a
                security association derived from this action should be
                used.
   SYNTAX       unsigned 16-bit 32-bit integer

5.14.2.
   VALUE        A value of zero indicates that there is not a lifetime
                associated with this action (i.e., infinite lifetime).
                A non-zero value is typically used in conjunction with
                alternate SAActions performed when there is a
                negotiation failure of some sort.

6.3. The Property EndPort Class IPsecBypassAction

   The class IPsecBypassAction is used when packets are allowed to be
   processed without applying IPsec encapsulation to them.  This property specifies is the last port
   same as stating that packets are allowed to flow in the UDP port range. clear.  The
   property
   class definition for IPsecBypassAction is defined as follows:

   NAME         EndPort         IPsecBypassAction
   DESCRIPTION  Specifies the end of the UDP port range.
   SYNTAX       unsigned 16-bit integer
   VALUE        EndPort must that packets are to be greater than or equal allowed to StartPort.

5.15. pass in the
                clear.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE

6.4. The Class TCPFilterEntry IPsecDiscardAction
   The class TCPFilterEntry specifies a filter for testing if a TCP
   port IPsecDiscardAction is between the start port and end port inclusively.  It used when packets are to be
   discarded.  This is
   assumed that the Protocol property from the ProtocolFilterEntry
   class will contain the value 6 (i.e., TCP). same as stating that packets are to be
   denied.  The class definition for TCPFilterEntry IPsecDiscardAction is as follows:

   NAME         TCPFilterEntry         IPsecDiscardAction
   DESCRIPTION  Defines the match filter for a TCP port range.  Specifies that packets are to be discarded.
   DERIVED FROM ProtocolFilterEntry SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   StartPort
                EndPort

5.15.1.

6.5. The Property StartPort

   This property specifies the first port in the TCP port range. Class IKERejectAction

   The
   property class IKERejectAction is defined as follows:

   NAME         StartPort
   DESCRIPTION  Specifies used to prevent attempting an IKE
   negotiation with the start of the TCP port range.
   SYNTAX       unsigned 16-bit integer

5.15.2. The Property EndPort

   This property specifies the last port in the TCP port range. peer(s).  The
   property is defined as follows:

   NAME         EndPort
   DESCRIPTION  Specifies the end main use of the TCP port range.
   SYNTAX       unsigned 16-bit integer
   VALUE        EndPort must be greater than or equal to StartPort.

5.16. The Abstract Class IPSOFilterEntry

   The abstract this class IPSOFilterEntry serves is to
   prevent some denial of service attacks when acting as IKE responder.
   It goes beyond a base class for plain discard of UDP/500 IKE packets because the IP
   Security Option (IPSO) filters.
   SACondition can be based on specific PeerIDPayloadFilterEntry (when
   aggressive mode is used).  The class definition for
   IPSOFilterEntry IKERejectAction
   is as follows:

   NAME         IPSOFilterEntry         IKERejectAction
   DESCRIPTION  Serves as the base class for the IPSO filters.  Specifies that an IKE negotiation should not even be
                attempted or continued.
   DERIVED FROM FilterEntryBase SAStaticAction
   ABSTRACT     TRUE

5.17.     FALSE

6.6. The Class ClassificationLevelFilterEntry PreconfiguredSAAction

   The class ClassificationLevelFilterEntry specifies PreconfiguredSAAction is used to create a filter security
   association using preconfigured, hard-wired algorithms and keys.

   Notes:

   - the SPI for
   matching against a PreconfiguredSAAction is contained in the classification level IPSO field type.
     association, TransformOfPreconfiguredAction;

   - the session key (if applicable) is contained in an instance of the
     class SharedSecret (see appendix B). The session key is stored in
     the property secret, the property protocol contains either "ESP"
     or "AH", the property algorithm contains the algorithm used to
     protect the secret (can be "PLAINTEXT" if the IPsec entity has no
     secret storage), the value of property RemoteID is the
     concatenation of the remote IPsec peer IP address in dotted
     decimal, of the character "/", and of the hexadecimal
     representation of the SPI.

   Although the class is concrete, it MUST not be instantiated.  The
   class definition for ClassificationLevelFilterEntry PreconfiguredSAAction is as follows:

   NAME         ClassificationLevelFilterEntry         PreconfiguredSAAction
   DESCRIPTION  Defines the filter  Specifies preconfigured algorithm and keying
                information for the IPSO classification level. creation of a security association.
   DERIVED FROM IPSOFilterEntry SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   Level

5.17.1.   LifetimeKilobytes

6.6.1. The Property Level

   This LifetimeKilobytes

   The property LifetimeKilobytes specifies a traffic limit in
   kilobytes that can be consumed before the classification level to match against. SA is deleted..  The
   property is defined as follows:

   NAME         Level         LifetimeKilobytes
   DESCRIPTION  Specifies the classification level. SA lifetime in kilobytes.
   SYNTAX       unsigned 16-bit 32-bit integer
   VALUE        61 - Top Secret
                90 - Secret
                150 - Confidential
                171 - Unclassified

5.18.        A value of zero indicates that there is not a lifetime
                associated with this action (i.e., infinite lifetime).
                A non-zero value is used to indicate that after this
                amount of kilobytes has been consumed the SA must be
                deleted from the SADB.

6.7. The Class ProtectionAuthorityFilterEntry PreconfiguredTransportAction

   The class ProtectionAuthorityFilterEntry specifies a filter PreconfiguredTransportAction is used to create an IPsec
   transport-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for
   matching against the protection authority IPSO field type.
   PreconfiguredTransportAction is as follows:

   NAME         PreconfiguredTransportAction
   DESCRIPTION  Specifies preconfigured algorithm and keying
                information for creation of an IPsec transport security
                association.
   DERIVED FROM PreconfiguredSAAction
   ABSTRACT     FALSE

6.8. The Class PreconfiguredTunnelAction

   The class PreconfiguredTunnelAction is used to create an IPsec
   tunnel-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for ProtectionAuthorityFilterEntry PreconfiguredSAAction
   is as follows:

   NAME         ProtectionAuthorityFilterEntry         PreconfiguredTunnelAction
   DESCRIPTION  Defines the filter  Specifies preconfigured algorithm and keying
                information for the IPSO protection authority. creation of an IPsec tunnel-mode
                security association.
   DERIVED FROM IPSOFilterEntry PreconfiguredSAAction
   ABSTRACT     FALSE
   PROPERTIES   Authority

5.18.1.   PeerGatewayAddressType
                PeerGatewayAddress
                DFHandling

6.8.1. The Property Authority

   This PeerGatewayAddressType

   The property PeerGatewayAddressType specifies the protection authority format of the
   PeerGatewayAddress property.  Addresses that can be formatted in
   IPv4 format, must be formatted that way to match against. ensure mixed IPv4/IPv6
   support.  When the tunnel peer is not a security gateway, this
   property value is set to 0.  The property is defined as follows:

   NAME         Authority         PeerGatewayAddressType
   DESCRIPTION  Specifies the protection authority. format of PeerGatewayAddress.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - GENSER unknown
                1 - SIOP-ESI IPv4
                2 - SCI
                3 - NSA
                4 - DOE

5.19. IPv6

6.8.2. The Class CredentialFilterEntry Property PeerGatewayAddress

   The class CredentialFilterEntry defines a filter for matching
   against credential information that was obtained during property PeerGatewayAddress specifies the IKE
   phase 1 negotiation.  This information can be identity information
   (such as User FQDN) or information retrieved from credential
   information (for example, fields from a certificate).  This
   information can be used IP address of the
   tunnel peer security gateway formatted according to the appropriate
   convention as a form defined in the PeerGatewayAddressType property of access control.  The this
   class
   definition for CredentialFilterEntry is (e.g., 171.79.6.40).  When the tunnel peer is not a security
   gateway, this property value is set to NULL.  The property is
   defined as follows:

   NAME         CredentialFilterEntry         PeerGatewayAddress
   DESCRIPTION  Defines  Specifies the filter for matching against IP address of the tunnel peer.
   SYNTAX       string
   VALUE        When the value is NULL, this is a special meaning: the
                IP address of the actual remote IKE phase entity is the
                destination IP address of the IP packet that triggered
                the SARule.  Else, the value is a string representation
                of an IPv4 or IPv6 address.

6.8.3. The Property DFHandling

   The property DFHandling specifies how the Don't Fragment bit of the
   internal IP header is to be handled during IPsec processing.  The
   property is defined as follows:

   NAME         DFHandling
   DESCRIPTION  Specifies the processing of the DF bit.
   SYNTAX       unsigned 16-bit integer
   VALUE        1
                credential/identity information.
   DERIVED FROM FilterBaseEntry
   ABSTRACT     FALSE
   PROPERTIES   To Be Determined...

5.20. - Copy the DF bit from the internal IP header to the
                external IP header.
                2 - Set the DF bit of the external IP header to 1.
                3 - Clear the DF bit of the external IP header to 0.

6.9. The Aggregation Class FilterOfSACondition SANegotiationAction

   The class FilterOfSACondition associates an SACondition with SANegotiationAction serves as the
   filter specifications (FilterList) base class for IKE and
   IPsec actions that make up result in a IKE negotiation.  Although the condition. class
   is concrete, is MUST not be instantiated.  The class definition for FilterOfSACondition
   SANegotiationAction is as follows:

   NAME         FilterOfSACondition         SANegotiationAction
   DESCRIPTION  Associates a condition with the filter list  A base class for IKE and IPsec actions that make
                up specifies
                the individual condition elements. parameters that are common for IKE phase 1 and IKE
                phase 2 IPsec DOI negotiations.

   DERIVED FROM SAAction
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref FilterList[0..1]]
                Dependent [ref SACondition [0..n]]

5.20.1.   MinLifetimeSeconds
                MinLifetimeKilobytes
                RefreshThresholdSeconds
                RefreshThresholdKilobytes
                IdleDurationSeconds

6.9.1. The Reference Antecedent Property MinLifetimeSeconds

   The property Antecedent contains an object reference to a FilterList
   that is contained in one or more SAConditions.  The [0..1]
   cardinality indicates that an SACondition may have zero or one
   FilterList.

5.20.2. The Reference Dependent

   The property Dependent contains an object reference to an
   SACondition that contains an FilterList.  The [0..n] cardinality
   indicates MinLifetimeSeconds specifies the minimum seconds
   lifetime that a FilterList may will be contained in zero or more
   SAConditions.

5.21. The Composition Class EntriesInFilterList

   The class EntriesInFilterList associates accepted from the individual
   FilterEntryBases peer.  MinLifetimeSeconds is
   used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with a FilterList.  Together these individual
   FilterEntryBases can create complex conditions. correspondingly expensive Diffie-Hellman operations.  The class
   definition for EntriesInFilterList
   property is defined as follows:

   NAME         EntriesInFilterList         MinLifetimeSeconds
   DESCRIPTION  Associates a FilterList with  Specifies the set minimum acceptable seconds lifetime.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of individual
                filters.
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref FilterEntryBase[0..n]]
                Dependent [ref FilterList [1..1]]
                EntrySequence

5.21.1. The Reference Antecedent

   The property Antecedent contains an object reference to a
   FilterEntryBase that is contained in a FilterList.  The [0..n]
   cardinality indicates that a FilterList may have zero or more
   FilterEntryBases.

5.21.2. The Reference Dependent

   The property Dependent contains an object reference to a FilterList
   that contains zero or more FilterEntryBases.  The [1..1] cardinality indicates that a FilterEntryBase may be contained in one and only
   one FilterLists (i.e., FilterEntryBases cannot be shared between
   FilterLists).

5.21.3. there is no minimum
                value.  A non-zero value specifies the minimum seconds
                lifetime.

6.9.2. The Property EntrySequence MinLifetimeKilobytes

   The property EntrySequence specifies, for a given FilterList, the
   order in which MinLifetimeKilobytes specifies the filters should minimum kilobytes
   lifetime that will be checked.  The property is
   defined as follows:

   NAME         EntrySequence
   DESCRIPTION  Specifies accepted from the order peer.  MinLifetimeKilobytes
   is used to check prevent certain denial of service attacks where the filters in a
                FilterList. peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  Note that
   there has been considerable debate regarding the usefulness of
   applying kilobyte lifetimes to IKE phase 1 security associations, so
   it is likely that this property will only apply to the sub-class
   IPsecAction.  The property is defined as follows:

   NAME         MinLifetimeKilobytes
   DESCRIPTION  Specifies the minimum acceptable kilobytes lifetime.
   SYNTAX       unsigned 16-bit 32-bit integer
   VALUE        Lower valued filters are checked first.        A value of zero indicates that there is no minimum
                value.  A non-zero value specifies the minimum
                kilobytes lifetime.

6.9.3. The order Property RefreshThresholdSeconds

   The property RefreshThresholdSeconds specifies what percentage of
                checking
   the seconds lifetime can expire before IKE should attempt to
   renegotiate the security association.  A random value may be added
   to the calculated threshold (percentage x seconds lifetime) to
   reduce the chance of FilterEntryBases with both peers attempting to renegotiate at the
   same
                EntrySequence value time.  The property is undefined.

6. Action Classes defined as follows:

   NAME         RefreshThresholdSeconds
   DESCRIPTION  Specifies the percentage of seconds lifetime that has
                expired before the security association is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the security association
                should not be renegotiated until the seconds lifetime
                has been reached.

6.9.4. The action classes are used Property RefreshThresholdKilobytes

   The property RefreshThresholdKilobytes specifies what percentage of
   the kilobyte lifetime can expire before IKE should attempt to model
   renegotiate the different actions an IPsec
   device security association.  A random value may take when be
   added to the evaluation calculated threshold (percentage x kilobyte lifetime)
   to reduce the chance of both peers attempting to renegotiate at the associated condition
   results in a match.

                                +----------+
                                | SAAction |
                                +----------+
                                     ^
                                     |
                         +-----------+--------------+
                         |                          |
                 +----------------+      +---------------------+*
                 | SAStaticAction |      | SANegotiationAction |o-----+
                 +----------------+      +---------------------+      |
                               ^                     ^                |
                               |                     |                |
                               |         +-----------+-------+        |
                               |         |                   |        |
       +-------------------+   |   +-------------+     +-----------+  |
       | IPsecBypassAction |---+   | IPsecAction |     | IKEAction |  |
       +-------------------+   |   +-------------+     +-----------+  |
                               |       ^                              |
      +--------------------+   |       |    +----------------------+  |
      | IPsecDiscardAction |---+       +----| IPsecTransportAction |  |
      +--------------------+   |       |    +----------------------+  |
                               |       |                              |
         +-----------------+   |       |    +-------------------+     |
         | IKERejectAction |---+       +----| IPsecTunnelAction |     |
         +-----------------+   |            +-------------------+     |
                               |                                      |
   +-----------------------+   |               +--------------+n      |
   | SAPreconfiguredAction |---+               | [SAProposal] |-------+
   +-----------------------+                   +--------------+   (a)

   (a)  ContainedProposal

6.1. The Class SAAction

   The class SAAction serves
   same time.  Note, that as with the base class for IKE and IPsec
   actions.  Although the class property MinLifetimeKilobytes,
   this property is concrete, it MUST not be
   instantiated. probably only relevant to IPsecAction sub-classes.
   The class definition for SAAction property is defined as follows:

   NAME         SAAction         RefreshThresholdKilobytes
   DESCRIPTION  The base class for IKE and IPsec actions.
   DERIVED FROM PolicyAction (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyActionName (from PolicyAction)

6.2. The Class SAStaticAction
   The class SAStaticAction serves as  Specifies the base class for IKE and IPsec
   actions percentage of kilobyte lifetime that do not require any negotation.  Although has
                expired before the class IPsec security association is
   concrete, it MUST
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IPsec security
                association should not be instantiated. renegotiated until the
                kilobyte lifetime has been reached.

6.9.5. The class definition for
   SAStaticAction is as follows:

   NAME         SAStaticAction
   DESCRIPTION  The base class for IKE and IPsec actions that do not
                require any negotiation.
   DERIVED FROM SAAction
   ABSTRACT     FALSE
   PROPERTIES   LifetimeSeconds

6.2.1. The Property LifetimeSeconds Property IdleDurationSeconds

   The property LifetimeSeconds IdleDurationSeconds specifies how long the many seconds a
   security association derived from this action should be used. may remain idle (i.e., no traffic protected
   using the security association) before it is deleted.  The property
   is defined as follows:

   NAME         LifetimeSeconds         IdleDurationSeconds
   DESCRIPTION  Specifies the amount of time (in seconds) that how long, in seconds, a security association derived from this action should be
                used.
                may remain unused before it is deleted.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is idle detection should
                not a lifetime
                associated with this action (i.e., infinite lifetime).
                A nono-zero value is typically be used in conjunction with
                fallback actions performed when there is a negotiation
                failure for the security association (only the
                seconds and kilobyte lifetimes will be used).  Any non-
                zero value indicates the number of some sort.

6.3. seconds the security
                association may remain unused.

6.10. The Class IPsecBypassAction IPsecAction

   The class IPsecBypassAction is used when packets are allowed to be
   processed without applying IPsecAction serves as the base class for IPsec to them.  This is transport
   and tunnel actions.  It specifies the same as
   stating that packets are allowed to flow in parameters used for an IKE
   phase 2 IPsec DOI negotiation.  Although the clear. class is concrete, is
   MUST not be instantiated.  The class definition for IPsecBypassAction IPsecAction is
   as follows:

   NAME         IPsecBypassAction         IPsecAction
   DESCRIPTION  Specifies  A base class for IPsec transport and tunnel actions
                that packets are to be allowed to pass in specifies the
                clear. parameters for IKE phase 2 IPsec DOI
                negotiations.
   DERIVED FROM SAStaticAction SANegotiationAction
   ABSTRACT     FALSE

6.4.
   PROPERTIES   UsePFS
                UseIKEGroup
                GroupId
                Granularity
                VendorID

6.10.1. The Class IPsecDiscardAction Property UsePFS

   The class IPsecDiscardAction is property UsePFS specifies whether or not perfect forward secrecy
   should be used when packets are to be
   discarded.  This is the same as stating that packets are to be
   denied. refreshing keys.  The class definition for IPsecDiscardAction property is defined as
   follows:

   NAME         IPsecDiscardAction         UsePFS
   DESCRIPTION  Specifies that packets are to be discarded.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   DoLogging

6.4.1. The Property DoLogging

   The property DoLogging specifies the whether or not an audit message
   should be logged when a packet is discarded.  The property is
   defined as follows:

   NAME         DoLogging
   DESCRIPTION  Specifies if an audit message should be logged to use PFS when a
                packet is discarded. refreshing
                keys.
   SYNTAX       boolean
   VALUE        A value of true indicates that logging PFS should be done
                for this action. used.  A
                value of false indicates logging
                should not be done for this action.

6.5. The Class IKERejectAction

   The class IKERejectAction is used to prevent attempting an IKE
   negotiation with the peer(s).  The class definition for
   IKERejectAction is as follows:

   NAME         IKERejectAction
   DESCRIPTION  Specifies that an IKE negotiation PFS should not even be
                attempted.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   DoLogging

6.5.1. used.

6.10.2. The Property DoLogging UseIKEGroup

   The property DoLogging UseIKEGroup specifies whether or not an audit message phase 2 should be logged when a determination use
   the same key exchange group as was used in phase 1.  UseIKEGroup is made to prevent an IKE
   negotiation.
   ignored if UsePFS is false.  The property is defined as follows:

   NAME         DoLogging         UseIKEGroup
   DESCRIPTION  Specifies if an audit message should be logged when IKE
                negotiation whether or not to use the same GroupId for
                phase 2 as was used in phase 1.  If UsePFS is false,
                then UseIKEGroup is prohibited. ignored.
   SYNTAX       boolean
   VALUE        A value of true indicates that logging the phase 2 GroupId
                should be done
                for this action. the same as phase 1.  A value of false
                indicates logging
                should not be done that the property GroupId will contain the
                key exchange group to use for this action.

6.6. phase 2.

6.10.3. The Class SAPreconfiguredAction Property GroupId

   The class SAPreconfiguredAction is used property GroupId specifies the key exchange group to create a security
   association using preconfigured, hard-wired algorithms and keys.
   The class definition use for SAPreconfiguredAction
   phase 2.  GroupId is as follows:

   NAME         SAPreconfiguredAction
   DESCRIPTION  Specifies preconfigured algorithm and keying
                information for creation of a security association.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   To Be Determined...

6.7. The Class SANegotiationAction

   The class SANegotiationAction serves as ignored if (1) the base class for IKE property UsePFS is false, or
   (2) the property UsePFS is true and
   IPsec actions which result in a IKE negotiation.  Although the class property UseIKEGroup is concrete,
   true.  If the GroupID number is MUST not be instantiated. from the vendor-specific range
   (32768-65535), the property VendorID qualifies the group number.
   The class definition for
   SANegotiationAction property is defined as follows:

   NAME         SANegotiationAction         GroupId
   DESCRIPTION  A base class for IKE and IPsec actions that specifies  Specifies the parameters that are common key exchange group to use for IKE phase 1 and IKE phase 2 IPsec DOI negotiations.
   DERIVED FROM SAAction
   ABSTRACT     FALSE
   PROPERTIES   MinLifetimeSeconds
                MinLifetimeKilobytes
                RefreshThresholdSeconds
                RefreshThresholdKilobytes
                IdleDurationSeconds

6.7.1.
                when the property UsePFS is true and the property
                UseIKEGroup is false.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [IKE] for valid values.

6.10.4. The Property MinLifetimeSeconds Granularity

   The property MinLifetimeSeconds Granularity specifies how the minimum seconds
   lifetime that will selector for the security
   association should be accepted derived from the peer.  MinLifetimeSeconds is
   used to prevent certain denial of service attacks where traffic that triggered the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.
   negotiation.  The property is defined as follows:

   NAME         MinLifetimeSeconds         Granularity
   DESCRIPTION  Specifies the minimum acceptable seconds lifetime. how the proposed selector for the
                security association will be created.
   SYNTAX       unsigned 32-bit 16-bit integer
   VALUE        A value of zero indicates that there is no minimum
                value.  A non-zero value specifies        1 - subnet: the minimum seconds
                lifetime.

6.7.2. The Property MinLifetimeKilobytes

   The property MinLifetimeKilobytes specifies source and destination subnet masks of
                the minimum kilobyte
   lifetime that will be accepted from FilterEntry are used.
                2 - address: only the peer.  MinLifetimeKilobytes source and destination IP
                addresses of the triggering packet are used.
                3 - protocol: the source and destination IP addresses
                and the IP protocol of the triggering packet are used.
                4 - port: the source and destination IP addresses and
                the IP protocol and the source and destination layer 4
                ports of the triggering packet are used.

6.10.5. The Property VendorID

   The property VendorID is used together with the property GroupID
   (when it is in the vendor-specific range) to prevent certain denial of service attacks where identify the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations. key
   exchange group.  VendorID is ignored unless UsePFS is true and
   UseIKEGroup is false and GroupID is in the vendor-specific range
   (32768-65535).  The property is defined as follows:

   NAME         MinLifetimeKilobytes         VendorID
   DESCRIPTION  Specifies the minimum acceptable kilobyte lifetime. IKE Vendor ID.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no minimum
                value.  A non-zero value specifies the minimum kilobyte
                lifetime.

6.7.3.       string

6.11. The Property RefreshThresholdSeconds Class IPsecTransportAction

   The property RefreshThresholdSeconds specifies what percentage class IPsecTransportAction is a subclass of
   the seconds lifetime can expire before IKE should attempt IPsecAction that is
   used to
   renegotiate the specify use of an IPsec transport-mode security association.  A random value may be
   added to the calculated threshold (percentage x seconds lifetime) to
   reduce the chance of both peers attempting to renegotiate at the
   same time.
   The property class definition for IPsecTransportAction is defined as follows:

   NAME         RefreshThresholdSeconds         IPsecTransportAction
   DESCRIPTION  Specifies the percentage of seconds lifetime that has
                expired before the an IPsec transport-mode security
                association should be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE

6.12. The Class IPsecTunnelAction
   The class IPsecTunnelAction is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value subclass of 100 indicates IPsecAction that the is
   used to specify use of an IPsec tunnel-mode security association.
   The class definition for IPsecTunnelAction is as follows:

   NAME         IPsecTunnelAction
   DESCRIPTION  Specifies that an IPsec tunnel-mode security
                association should not be renegotiated until negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE
   PROPERTIES   DFHandling

6.12.1. The Property DFHandling

   The property DFHandling specifies how the
                seconds lifetime has been reached.

6.7.4. tunnel should manage the
   Don't Fragment (DF) bit.  The property is defined as follows:

   NAME         DFHandling
   DESCRIPTION  Specifies how to process the DF bit.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - Copy the DF bit from the internal IP header to the
                external IP header.
                2 - Set the DF bit of the external IP header to 1.
                3 - Clear the DF bit of the external IP header to 0.

6.13. The Class IKEAction

   The class IKEAction specifies the parameters that are to be used for
   IKE phase 1 negotiation.  The class definition for IKEAction is as
   follows:

   NAME         IKEAction
   DESCRIPTION  Specifies the IKE phase 1 negotiation parameters.
   DERIVED FROM SANegotiationAction
   ABSTRACT     FALSE
   PROPERTIES   RefreshThresholdDerivedKeys
                ExchangeMode
                UseIKEIdentityType
                VendorID
                AggressiveModeGroupId

6.13.1. The Property RefreshThresholdKilobytes RefreshThresholdDerivedKeys

   The property RefreshThresholdKilobytes RefreshThresholdDerivedKeys specifies what percentage
   of the kilobyte lifetime derived key limit (see the LifetimeDerivedKeys property of
   IKEProposal) can expire before IKE should attempt to renegotiate the IPsec
   IKE phase 1 security association.  A random value may be added to
   the calculated threshold (percentage x kilobyte lifetime) derived key limit) to reduce
   the chance of both peers attempting to renegotiate at the same time.
   The property is defined as follows:

   NAME         RefreshThresholdKilobytes
   DESCRIPTION  Specifies the percentage of kilobyte lifetime derived key limit that has
                expired before the IPsec IKE phase 1 security association is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IPsec IKE phase 1 security
                association should not be renegotiated until the
                kilobyte lifetime
                derived key limit has been reached.

6.7.5.

6.13.2. The Property IdleDurationSeconds ExchangeMode

   The property IdleDurationSeconds ExchangeMode specifies how many seconds a
   security association may remain idle (i.e., no traffic protected
   using the security association) before it is deleted. which IKE mode should be used
   for IKE phase 1 negotiations.  The property is defined as follows:

   NAME         IdleDurationSeconds         ExchangeMode
   DESCRIPTION  Specifies how long, in seconds, a security association
                may remain unused before it is deleted. the IKE negotiation mode for phase 1.
   SYNTAX       unsigned 32-bit 16-bit integer
   VALUE        A value of zero indicates that idle detection        1 - base mode
                2 - main mode
                4 - aggressive mode

6.13.3. The Property UseIKEIdentityType

   The property UseIKEIdentityType specifies what IKE identity type
   should
                not be used for the security association.  Any non-zero
                value indicates when negotiating with the number of seconds peer.  This information is
   used in conjunction with the security
                association may remain unused.

6.8. The Class IPsecAction

   The class IPsecAction serves as IKE identities available on the base class for IPsec transport system
   and tunnel actions.  It specifies the parameters used for an IKE
   phase 2 IPsec DOI negotiation.  Although IdentityContexts of the class is concrete, is
   MUST not be instantiated. matching IKERule.  The class definition for IPsecAction property is
   defined as follows:

   NAME         IPsecAction         UseIKEIdentityType
   DESCRIPTION  A base class for IPsec transport and tunnel actions
                that specifies  Specifies the parameters for IKE phase identity to use during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 IPsec DOI
                negotiations.
   DERIVED FROM SANegotiationAction
   ABSTRACT     FALSE
   PROPERTIES   UsePFS
                UseIKEGroup
                GroupId
                Granularity

6.8.1. - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

6.13.4. The Property UsePFS VendorID

   The property UsePFS VendorID specifies whether or not perfect forward secrecy
   should the value to be used when refreshing keys. in the Vendor
   ID payload.  The property is defined as follows:

   NAME         UsePFS         VendorID
   DESCRIPTION  Specifies the whether or not to use PFS.  Vendor ID Payload.
   SYNTAX       boolean       string
   VALUE        A value of true indicates NULL means that PFS should Vendor ID payload will be used.
                neither generated nor accepted. A non-NULL value of false indicates means
                that PFS should not a Vendor ID payload will be used.

6.8.2. generated (when acting
                as an initiator) or is expected (when acting as a
                responder).

6.13.5. The Property UseIKEGroup AggressiveModeGroupId

   The property UseIKEGroup AggressiveModeGroupId specifies whether or not phase 2 should use
   the same Diffie-Hellman as was which group ID is to be
   used in the first packets of the phase 1.  UseIKEGroup 1 negotiation.  This property
   is ignored if UsePFS unless the property ExchangeMode is false. set to 4 (aggressive
   mode). If the AggressiveModeGroupID number is from the vendor-
   specific range (32768-65535), the property VendorID qualifies the
   group number.  The property is defined as follows:

   NAME         UseIKEGroup         AggressiveModeGroupId
   DESCRIPTION  Specifies whether or not to use the same GroupId for
                phase 2 as was group ID to be used in phase 1.  If UsePFS is false,
                then UseIKEGroup is ignored. for aggressive mode.
   SYNTAX       boolean
   VALUE        A value of true indicates that       unsigned 16-bit integer

6.14. The Class PeerGateway

   The class PeerGateway specifies the phase 2 GroupId
                should be security gateway with which the same
   IKE services negotiates.  The class definition for PeerGateway is as phase 1.  A value of false
                indicates that the property GroupId will contain
   follows:

   NAME         PeerGateway
   DESCRIPTION  Specifies the
                Diffie-Hellman group security gateway with which to use for phase 2.

6.8.3. negotiate.
   DERIVED FROM LogicalElement (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Name
                PeerIdentityType
                PeerIdentity

6.14.1. The Property GroupId Name

   The property GroupId Name specifies the Diffie-Hellman group to use a user-friendly name for
   phase 2.  GroupId is ignored if (1) the this security
   gateway.  The property UsePFS is false, or
   (2) the defined as follows:

   NAME         Name
   DESCRIPTION  Specifies a user-friendly name for this security
                gateway.
   SYNTAX       string

6.14.2. The Property PeerIdentityType

   The property UsePFS is true and PeerIdentityType specifies the property UseIKEGroup is
   true. IKE identity type of the
   security gateway.  The property is defined as follows:

   NAME         GroupId         PeerIdentityType
   DESCRIPTION  Specifies the Diffie-Hellman group to use for phase 2
                when the property UsePFS is true and IKE identity type of the property
                UseIKEGroup is false. security
                gateway.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - 768-bit MODP group IPv4 Address
                2 - 1024-bit MODP group FQDN
                3 - EC2N group on GP[2^155] User FQDN
                4 - EC2N group on GP[2^185] IPv4 Subnet
                5 - 1536-bit MODP group

6.8.4. IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

6.14.3. The Property Granularity PeerIdentity

   The property Granularity PeerIdentity specifies whether the proposed selector for IKE identity value of the
   security association should gateway.  A conversion may be derived from the traffic that
   triggered the negotiation (Narrow) or from needed between the FilterList of
   PeerIdentity string representation and the
   Condition(s) that matched real value used in the rule (Wide). ID
   payload (e.g. IP address is to be converted from a dotted decimal
   string into 4 bytes).  The property is defined as follows:

   NAME         Granularity         PeerIdentity
   DESCRIPTION  Specifies the how the proposed selector for IKE identity value of the security association will be created.
                gateway.
   SYNTAX       unsigned 8-bit integer
   VALUE        1 - The selector is created by using the FilterList
                information from the condition that matched the traffic
                parameters.  This is called a Wide selector as it could
                for instance contain a IP subnet or range.
                2 - The selector is created by using the traffic
                parameters (i.e., the 5-tuple of the traffic).  This is
                called a Narrow selector.

6.9.       string

6.15. The Association Class IPsecTransportAction PeerGatewayForTunnel

   The class IPsecTransportAction is a subclass of IPsecAction that is
   used to specify use of PeerGatewayForTunnel associates IPsecTunnelActions with an IPsec transport mode security association.
   ordered list of PeerGateways.  The class definition for IPsecTransportAction
   PeerGatewayForTunnel is as follows:

   NAME         IPsecTransportAction         PeerGatewayForTunnel
   DESCRIPTION  Specifies that  Associates IPsecTunnelActions with an IPsec transport mode security
                association should be negotiated. ordered list of
                PeerGateways.
   DERIVED FROM IPsecAction Dependency (see Appendix A)
   ABSTRACT     FALSE

6.10.
   PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                Dependent [ref IPsecTunnelAction[0..n]]
                SequenceNumber

6.15.1. The Class IPsecTunnelAction Reference Antecedent

   The class IPsecTunnelAction property Antecedent is a subclass of IPsecAction that inherited from Dependency and is
   used
   overridden to specify use of an IPsec tunnel mode security association. refer to a PeerGateway instance.  The class definition for IPsecTunnelAction is as follows:

   NAME         IPsecTunnelAction
   DESCRIPTION  Specifies [0..n]
   cardinality indicates that there an IPsec tunnel mode security
                association should IPsecTunnelAction instance may
   be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE
   PROPERTIES   PeerGateway
                DFHandling

6.10.1. The Property associated with zero or more PeerGateway

   The property instances.

   Note: when there is no PeerGateway specifies the IP address or DNS name of associated to an
   IPsecTunnelAction, this means that the
   peer IKE service acts as a
   responder and will accept phase 1 negotiation with any other
   security gateway.

6.15.2. The Reference Dependent

   The property Dependent is defined as follows:

   NAME inherited from Dependency and is
   overridden to refer to an IPsecTunnelAction instance.  The [0..n]
   cardinality indicates that a PeerGateway
   DESCRIPTION  Specifies peer gateway's IP address or DNS name.
   SYNTAX       string
   VALUE        Either (1) IPv4 address in dotted quad format, (2) IPv6
                address in ... format, instance may be associated
   with zero or (3) a DNS name.

6.10.2. more IPsecTunnelAction instances.

6.15.3. The Property DFHandling SequenceNumber

   The property DFHandling SequenceNumber specifies how the Don't Fragment (DF) bit
   should ordering to be managed by the tunnel. used when
   evaluating PeerGateway instances for a given IPsecTunnelAction.  .
   The property is defined as follows:

   NAME         DFHandling         SequenceNumber
   DESCRIPTION  Specifies the DF bit is managed by the tunnel. order of evaluation for PeerGateways.
   SYNTAX       unsigned 8-bit 16-bit integer
   VALUE        1 - DF bit is copied.
                2 - DF bit is set.
                3 - DF bit is cleared.

6.11.        Lower values are evaluated first.

6.16. The Aggregation Class IKEAction ContainedProposal

   The class IKEAction specifies ContainedProposal associates an ordered list of
   SAProposals with the parameters SANegotiationAction that are to aggregates it.  If the
   referenced SANegotiationAction object is an IKEAction, then the
   referenced SAProposal object(s) must be used for
   IKE phase 1 negotiation. IKEProposal(s).  If the
   referenced SANegotiationAction object is an IPsecTransportAction or
   an IPsecTunnelAction, then the referenced SAProposal object(s) must
   be IPsecProposal(s).  The class definition for IKEAction ContainedProposal is
   as follows:

   NAME         IKEAction         ContainedProposal
   DESCRIPTION  Specifies the IKE phase 1 negotiation parameters.
   DERIVED FROM SANegotiationAction
   ABSTRACT     FALSE
   PROPERTIES   RefreshThresholdDerivedKeys
                ExchangeMode
                UseIKEIdentityType

6.11.1.  Associates an ordered list of SAProposals with an
                SANegotiationAction.
   DERIVED FROM PolicyComponent (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref SANegotiationAction[0..n]]
                PartComponent[ref SAProposal[1..n]]
                SequenceNumber

6.16.1. The Property RefreshThresholdDerivedKeys Reference GroupComponent

   The property RefreshThresholdDerivedKeys specifies what percentage
   of GroupComponent is inherited from PolicyComponent and is
   overridden to refer to an SANegotiationAction instance.  The [0..n]
   cardinality indicates that an SAProposal instance may be associated
   with zero or more SANegotiationAction instances.

   Note: the derived key limit (see cardinality 0 has a specific meaning:

        - when the LifetimeDerivedKeys property of
   IKEProposal) can expire before IKE should attempt to renegotiate service acts as a responder, this means that the
          IKE service will accept phase 1 negotiation with any other
          security association.  A random value may be added to gateway;
        - when the calculated threshold (percentage x derived key limit) to reduce IKE service acts as an initiator, this means that
          the chance of both peers attempting to renegotiate at IKE service will use the same time.
   The property is defined destination IP address (of the
          IP packets which triggered the SARule) as follows:

   NAME         RefreshThresholdKilobytes
   DESCRIPTION  Specifies the percentage IP address of derived key limit that has
                expired before
          the peer IKE phase 1 security association entity.

6.16.2. The Reference PartComponent

   The property PartComponent is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 inherited from PolicyComponent and 100 representing a percentage.  A
                value of 100 is
   overridden to refer to an SAProposal instance.  The [1..n]
   cardinality indicates that the IKE phase 1 security
                association should not an SANegotiationAction instance MUST be renegotiated until the
                derived key limit has been reached.

6.11.2.
   associated with at least one SAProposal instance.

6.16.3. The Property ExchangeMode SequenceNumber

   The property ExchangeMode SequenceNumber specifies which IKE mode should be used the order of preference for IKE phase 1 key negotiations.
   the SAProposals.  The property is defined as follows:

   NAME         ExchangeMode         SequenceNumber
   DESCRIPTION  Specifies the IKE negotiation mode preference order for phase 1. the SAProposals.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - base mode
                2 - main mode
                4 - aggressive mode

6.11.3. The Property UseIKEIdentityType

   The property UseIKEIdentityType specifies what IKE identity type
   should be used when negotiating        Lower-valued proposals are preferred over proposals
                with higher values.  For ContainedProposals that
                reference the peer.  This information is
   used in conjunction the IKE identities available on the system.  The
   property is defined as follows:

   NAME         UseIKEIdentityType
   DESCRIPTION  Specifies the IKE identity to use during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

6.12. same SANegotiationAction, SequenceNumber
                values must be unique.

6.17. The Aggregation Association Class ContainedProposal HostedPeerGatewayInformation

   The class ContainedProposal HostedPeerGatewayInformation weakly associates an ordered list of
   SAProposals a
   PeerGateway with the SANegotiationAction that contains it.  If the
   referenced SANegotiationAction object is an IKEAction, then the
   referenced SAProposal object must be an IKEProposal.  If the
   referenced SANegotiationAction object is an IPsecTransportAction or
   an IPsecTunnelAction, then the referenced SAProposal object must be
   an IPsecProposal. a System.  The class definition for ContainedProposal
   HostedPeerGatewayInformation is as follows:

   NAME         ContainedProposal         HostedPeerGatewayInformation
   DESCRIPTION  Associates an ordered list of SAProposals  Weakly associates a PeerGateway with an
                SANegotiationAction. a System.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref SANegotiationAction[0..n]]
                PartComponent[ref SAProposal[1..n]]
                SequenceNumber

6.12.1.   Antecedent [ref System[1..1]]
                Dependent [ref PeerGateway[0..n] [weak]]

6.17.1. The Reference GroupComponent Antecedent

   The property GroupComponent contains an object reference Antecedent is inherited from Dependency and is
   overridden to an
   SANegotiationAction that contains one or more SAProposals. refer to a System instance.  The
   [0..n] [1..1] cardinality
   indicates that there may a PeerGateway instance MUST be zero or more
   SANegotiationActions that contain any given SAProposal.

6.12.2. The Reference PartComponent associated with one
   and only one System instance.

6.17.2. The Reference Dependent

   The property PartComponent contains an object reference Dependent is inherited from Dependency and is
   overridden to an
   SAProposal contained by one refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SANegotiationActions. PeerGateway instances.

6.18. The
   [1..n] Association Class TransformOfPreconfiguredAction
   The class TransformOfPreconfiguredAction associates a
   PreconfiguredSAAction with from one to three SATransforms that will
   be applied to the traffic.  The order of application of the
   SATransforms is implicitly defined in [IPSEC].  The class definition
   for TransformOfPreconfiguredAction is as follows:

   NAME         TransformOfPreconfiguredAction
   DESCRIPTION  Associates a PreconfiguredSAAction with from one to
                three SATransforms.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref SATransform[1..3]]
                Dependent[ref PreconfiguredSAAction[0..n]]
                SPI

6.18.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an SATransform instance.  The [1..3]
   cardinality indicates that an SANegotiationAction MUST
   contain at least instance may be
   associated with from one SAProposal.

6.12.3. to three SATransform instances.

6.18.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PreconfiguredSAAction instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more PreconfiguredSAAction instances.

6.18.3. The Property SequenceNumber SPI

   The property SequenceNumber SPI specifies the order of preference SPI to be used by the pre-configured
   action for the SAProposals. associated transform.  The property is defined as
   follows:

   NAME         SequenceNumber         SPI
   DESCRIPTION  Specifies the preference order for SPI to be used with the SAProposals. SATransform.
   SYNTAX       unsigned 16-bit 32-bit integer
   VALUE        Lower-valued proposals are preferred over proposals
                with higher values.  If two proposals have the same
                SequenceNumber value, then the order of preference is
                undefined.

7. Proposal and Transform Classes

   The proposal and transform classes model the proposal settings an
   IPsec device will use during IKE phase 1 and 2 negotiations.

                             +--------------+

                             +--------------+*w     1+--------------+
                             | [SAProposal] |--------|   System     |
                             +--------------+  (a)   | (Appendix A) |
                                    ^                +--------------+
                                    |                        |1
                         +----------------------+            |
                         |                      |            |
                  +-------------+       +---------------+    |
                  | IKEProposal |       | IPsecProposal |    |
                  +-------------+       +---------------+    |
                                               *o            | (a)
                                                |(b)         |(c)
                                               n|
                                        +---------------+            | [SATransform]
                                        +---------------+*w  |
                                        | [SATransform] |----+
                                        +---------------+
                                                ^
                                                |
               +--------------------+-----------+---------+
               |                    |                     |
        +-------------+     +--------------+     +----------------+
        | AHTransform |     | ESPTransform |     |IPCOMPTransform |
        +-------------+     +--------------+     +----------------+

   (a)  SAProposalInSystem
   (b)  ContainedTransform
   (c)  SATransformInSystem

7.1. The Abstract Class SAProposal

   The abstract class SAProposal serves as the base class for the IKE
   and IPsec proposal classes.  It specifies the parameters that are
   common to the two proposal types.  The class definition for
   SAProposal is as follows:

   NAME         SAProposal
   DESCRIPTION  Specifies the common proposal parameters for IKE and
                IPsec security association negotiation.
   DERIVED FROM Policy ([PCIM])
   ABSTRACT     TRUE
   PROPERTIES   Name
                MaxLifetimeSeconds
                MaxLifetimeKilobytes

7.1.1. The Property Name

   The property Name specifies a user-friendly name for the SAProposal.
   The property is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies a user-friendly name for this proposal.
   SYNTAX       string

7.1.2.

7.2. The Property MaxLifetimeSeconds Class IKEProposal

   The property MaxLifetimeSeconds class IKEProposal specifies the maximum amount of
   time, in seconds, proposal parameters necessary to propose that a
   drive an IKE security association will remain
   valid after its creation.  The property is defined as follows:

   NAME         MaxLifetimeSeconds
   DESCRIPTION  Specifies the maximum amount of time to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that the default of 8 hours
                be used.  A non-zero value indicates the maximum
                seconds lifetime.

7.1.3. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

   NAME         MaxLifetimeKilobytes
   DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there should be no
                maximum kilobyte lifetime.  A non-zero value specifies
                the desired kilobyte lifetime.

7.2. The Class IKEProposal

   The class IKEProposal specifies the proposal parameters necessary to
   drive an IKE security association negotiation. negotiation.  The class definition
   for IKEProposal is as follows:

   NAME         IKEProposal
   DESCRIPTION  Specifies the proposal parameters for IKE security
                association negotiation.
   DERIVED FROM SAProposal
   ABSTRACT     FALSE
   PROPERTIES   LifetimeDerivedKeys
                CipherAlgorithm
                HashAlgorithm
                PRFAlgorithm
                GroupId
                AuthenticationMethod
                MaxLifetimeSeconds
                MaxLifetimeKilobytes
                VendorID

7.2.1. The Property LifetimeDerivedKeys

   The property LifetimeDerivedKeys specifies the number of times that
   a phase 1 key will be used to derive a phase 2 key before the phase
   1 security association needs renegotiated.  Even though this is not
   a parameter that is sent in an IKE proposal, it is included in the
   proposal as the number of keys derived may be a result of the
   strength of the algorithms in the IKE propsoal. proposal.  The property is
   defined as follows:

   NAME         LifetimeDerivedKeys
   DESCRIPTION  Specifies the number of phase 2 keys that can be
                derived from the phase 1 key.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no limit to the
                number of phase 2 keys which that may be derived from the
                phase 1 key; instead the seconds and/or kilobytes
                lifetime will dictate the phase 1 rekeying.  A non-zero
                value specifies the number of phase 2 keys that can be
                derived from the phase 1 key.

7.2.2. The Property CipherAlgorithm

   The property CipherAlgorithm specifies the proposed phase 1 security
   association encryption algorithm.  The property is defined as
   follows:

   NAME         CipherAlgorithm
   DESCRIPTION  Specifies the proposed encryption algorithm for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - DES-CBC
                2 - IDEA-CBC
                3 - Blowfish-CBC
                4 - RC5-R16-B64-CBC
                5 - 3DES-CBC
                6 - CAST-CBC        Consult [IKE] for valid values.

7.2.3. The Property HashAlgorithm

   The property HashAlgorithm specifies the proposed phase 1 security
   assocation
   association hash algorithm.  The property is defined as follows:

   NAME         HashAlgorithm
   DESCRIPTION  Specifies the proposed hash algorithm for the phase 1
                security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - MD5
                2 - SHA-1
                3 - Tiger        Consult [IKE] for valid values.

7.2.4. The Property PRFAlgorithm

   The property PRFAlgorithm specifies the proposed phase 1 security
   association psuedo-random pseudo-random function.  The property is defined as
   follows:

   NAME         PRFAlgorithm
   DESCRIPTION  Specifies the proposed psuedo-random pseudo-random function for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        Currently none defined.

7.2.5. The Property GroupId

   The property GroupId specifies the proposed phase 1 security
   assocation Diffie-Hellman
   association key exchange group.  This property is ignored for all
   aggressive mode exchanges.  If the GroupID number is from the
   vendor-specific range (32768-65535), the property VendorID qualifies
   the group number.  The property is defined as follows:

   NAME         GroupId
   DESCRIPTION  Specifies the proposed Diffie-Hellman key exchange group for the phase
                1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - 768-bit MODP group
                2 - 1024-bit MODP group
                3 - EC2N group on GP[2^155]
                4 - EC2N group on GP[2^185]
                5        0 - 1536-bit MODP group Not applicable: used for aggressive mode.  Consult
                [IKE] for other valid values.

7.2.6. The Property AuthenticationMethod

   The property AuthenticationMethod specifies the proposed phase 1
   authentication method.  The property is defined as follows:

   NAME         AuthenticationMethod
   DESCRIPTION  Specifies the proposed authentication method for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - a special value which that indicates that this particular
                proposal should be repeated once for each
                authentication method that corresponds to the
                credentials installed on the machine.  For example, if
                the system has a pre-shared key and a certificate, a
                proposal list could be constructed which includes a
                proposal that specifies pre-shared key and proposals
                for any of the public-key authentication methods.
                1 - Pre-shared key
                2 - DSS signatures
                3 - RSA signatures
                4 - Encryption with RSA
                5 - Revised encryption with RSA
                6 - Kerberos (has this number been assigned???)

7.3.
                Consult [IKE] for valid values.

7.2.7. The Class IPsecProposal Property MaxLifetimeSeconds

   The class IPsecProposal property MaxLifetimeSeconds specifies the maximum amount of
   time, in seconds, to propose that a security association will remain
   valid after its creation.  The property is defined as follows:

   NAME         MaxLifetimeSeconds
   DESCRIPTION  Specifies the maximum amount of time to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that the default of 8 hours
                be used.  A non-zero value indicates the maximum
                seconds lifetime.

7.2.8. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

   NAME         MaxLifetimeKilobytes
   DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there should be no
                maximum kilobyte lifetime.  A non-zero value specifies
                the desired kilobyte lifetime.

7.2.9. The Property VendorID

   The property VendorID further qualifies the key exchange group.  The
   property is ignored unless the exchange is not in aggressive mode
   and the property GroupID is in the vendor-specific range.  The
   property is defined as follows:

   NAME         VendorID
   DESCRIPTION  Specifies the Vendor ID to further qualify the key
                exchange group.
   SYNTAX       string

7.3. The Class IPsecProposal
   The class IPsecProposal adds no new properties, but inherits
   proposal propoerties properties from SAProposal as well as aggregating the
   security association transforms necessary for building an IPsec
   proposal (see the aggregation class ContainedTransform).  The class
   definition for IPsecProposal is as follows:

   NAME         IPsecProposal
   DESCRIPTION  Specifies the proposal parameters for IPsec security
                association negotiation.
   DERIVED FROM SAProposal
   ABSTRACT     FALSE

7.4. The Abstract Class SATransform

   The abstract class SATransform serves as the base class for the
   IPsec transforms that can be used to compose an IPsec proposal. proposal or to
   be used as a pre-configured action.  The class definition for
   SATransform is as follows:

   NAME         SATransform
   DESCRIPTION  Base class for the different IPsec transforms.
   ABSTRACT     TRUE
   PROPERTIES   Name   TransformName
                VendorID
                MaxLifetimeSeconds
                MaxLifetimeKilobytes

7.4.1. The Property Name TransformName

   The property Name TransformName specifies a user-friendly name for the
   SATransform.  The property is defined as follows:

   NAME         Name         TransformName
   DESCRIPTION  Specifies a user-friendly name for this transform.
   SYNTAX       string

7.4.1.

7.4.2. The Property VendorID

   The property VendorID specifies the vendor ID for vendor-defined
   transforms.  The property is defined as follows:

   NAME         VendorID
   DESCRIPTION  Specifies the vendor ID for vendor-defined transforms.
   SYNTAX       string
   VALUE        An empty VendorID string indicates that the transform
                is one of the previously-defined ones.

7.5. a standard one.

7.4.3. The Class AHTransform Property MaxLifetimeSeconds

   The class AHTransform property MaxLifetimeSeconds specifies the AH algorithm maximum amount of
   time, in seconds, to propose during
   IPsec that a security association negotiation. will remain
   valid after its creation.  The class definition for
   AHTransform property is defined as follows:

   NAME         AHTransform         MaxLifetimeSeconds
   DESCRIPTION  Specifies the AH algorithm maximum amount of time to propose. propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that the default of 8 hours
                be used.  A non-zero value indicates the maximum
                seconds lifetime.

7.4.4. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

   NAME         MaxLifetimeKilobytes
   DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there should be no
                maximum kilobyte lifetime.  A non-zero value specifies
                the desired kilobyte lifetime.

7.5. The Class AHTransform

   The class AHTransform specifies the AH algorithm to propose during
   IPsec security association negotiation.  The class definition for
   AHTransform is as follows:

   NAME         AHTransform
   DESCRIPTION  Specifies the AH algorithm to propose.
   ABSTRACT     FALSE
   PROPERTIES   AHTransformId
                UseReplayPrevention
                ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

   The property AHTransformId specifies the transform ID of the AH
   algorithm to propose.  The property is defined as follows:

   NAME         AHTransformId
   DESCRIPTION  Specifies the transform ID of the AH algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        2 - MD5
                3        Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

   NAME         UseReplayPrevention
   DESCRIPTION  Specifies whether to enable replay prevention
                detection.

   SYNTAX       boolean
   VALUE        true - SHA-1
                4 replay prevention detection is enabled.
                false - DES replay prevention detection is disabled.

7.5.3. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism. The value of this property is meaningless if
   UseReplayPrevention is false. It is assumed that the window size
   will be power of 2.  The property is defined as follows:

   NAME         ReplayPreventionWindowSize
   DESCRIPTION  Specifies the length of the window used by replay
                prevention detection mechanism.
   SYNTAX       unsigned 32-bit integer

7.6. The Class ESPTransform

   The class ESPTransform specifies the ESP algorithms to propose
   during IPsec security association negotiation.  The class definition
   for ESPTransform is as follows:

   NAME         ESPTransform
   DESCRIPTION  Specifies the ESP algorithms to propose.
   ABSTRACT     FALSE
   PROPERTIES   IntegrityTransformId
                CipherTransformId
                CipherKeyLength
                CipherKeyRounds
                UseReplayPrevention
                ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

   The property IntegrityTransformId specifies the transform ID of the
   ESP integrity algorithm to propose.  The property is defined as
   follows:

   NAME         IntegrityTransformId
   DESCRIPTION  Specifies the transform ID of the ESP integrity
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - None
                1 - HMAC-MD5
                2 - HMAC-SHA
                3 - DES-MAC
                4 - KPDK        Consult [DOI] for valid values.

7.6.2. The Property CipherTransformId

   The property CipherTransformId specifies the transform ID of the ESP
   encryption algorithm to propose.  The property is defined as
   follows:

   NAME         CipherTransformId
   DESCRIPTION  Specifies the transform ID of the ESP encryption
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - DES IV64
                2 - DES
                3 - 3DES
                4 - RC5
                5 - IDEA
                6 - CAST
                7 - Blowfish
                8 - 3IDEA
                9 - DES IV32
                10 - RC4
                11 - NULL        Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

   The property CipherKeyLength specifies, in bits, the key length for
   the ESP encryption algorithm.  For encryption algorithms which that use
   fixed-length keys, this value is ignored.  The property is defined
   as follows:

   NAME         CipherKeyLength
   DESCRIPTION  Specifies the ESP encryption key length in bits.
   SYNTAX       unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

   The property CipherKeyRounds specifies the number of key rounds for
   the ESP encryption algorithm.  For encryption algorithms that use
   fixed number of key rounds, this value is ignored.  The property is
   defined as follows:

   NAME         CipherKeyRounds
   DESCRIPTION  Specifies the number of key rounds for the ESP
                encryption algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        Currently, key rounds are not defined for any ESP
                encryption algorithms.

7.6.5. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

   NAME         UseReplayPrevention
   DESCRIPTION  Specifies whether to enable replay prevention
                detection.
   SYNTAX       boolean
   VALUE        true - replay prevention detection is enabled.
                false - replay prevention detection is disabled.

7.6.6. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism. The value of this property is meaningless if
   UseReplayPrevention is false. It is assumed that the window size
   will be power of 2.  The property is defined as follows:

   NAME         ReplayPreventionWindowSize
   DESCRIPTION  Specifies the length of the window used by replay
                prevention detection mechanism.

   SYNTAX       unsigned 32-bit integer

7.7. The Class IPCOMPTransform

   The class IPCOMPTransform specifies the IP compression (IPCOMP)
   algorithm to propose during IPsec security association negotiation.
   The class definition for IPCOMPTransform is as follows:

   NAME         IPCOMPTransform
   DESCRIPTION  Specifies the IPCOMP algorithm to propose.
   ABSTRACT     FALSE
   PROPERTIES   Algorithm
                DictionarySize
                PrivateAlgorithm

7.7.1. The Property Algorithm

   The property Algorithm specifies the transform ID of the IPCOMP
   compression algorithm to propose.  The property is defined as
   follows:

   NAME         Algorithm
   DESCRIPTION  Specifies the transform ID of the IPCOMP compression
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - OUI (the property PrivateAlgorithm will contain the
                vendor-specific OUI: a vendor specific algorithm to use)
                2 - DEFLATE
                3 - LZS
                4 - V42BIS (has this number been assigned ???) is used and
                specified in the property PrivateAlgorithm.  Consult
                [DOI] for other valid values.

7.7.2. The Property DictionarySize

   The property DictionarySize specifies the log2 maximum size of the
   diction
   dictionary for the compression algorithm.  For compression
   algorithms that have pre-defined dictionary sizes, this value is ignores.
   ignored.  The property is defined as follows:

   NAME         DictionarySize
   DESCRIPTION  Specifies the log2 maximum size of the dictionary.
   SYNTAX       unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

   The property PrivateAlgorithm specifies a private vendor-specific
   compression algorithm.  This value is only used when the property
   Algorithm is 1 (OUI).  The property is defined as follows:

   NAME         PrivateAlgorithm
   DESCRIPTION  Specifies a private vendor-specific compression
                algorithm.
   SYNTAX       unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem
   The class SAProposalInSystem weakly associates SAProposals with a
   System.  The class definition for SAProposalInSystem is as follows:

   NAME         SAProposalInSystem
   DESCRIPTION  Weakly associates SAProposals with a System.
   DERIVED FROM PolicyInSystem (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref System [1..1]]
                Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SAProposal instance MUST be associated with one
   and only one System instance.

7.8.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SAProposal instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

   The class ContainedTransform associates an IPsecProposal with the
   set of SATransforms that make up the proposal.  If multiple
   tranforms
   transforms of the same type are in a proposal, then they are to be
   logically ORed and the order of preference is dictated by the
   SequenceNumber property.  Sets of transforms of different types are
   logically ANDed.  For example, if the ordered proposal list were

   ESP = { (HMAC-MD5, DES), 3DES), (HMAC-MD5, 3DES) DES) }
   AH  = { MD5, SHA-1 }

   then the one sending the proposal wants would want the other side to pick
   one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND
   one from the AH transform list. list (preferably MD5).

   The class definition for ContainedProposal is as follows:

   NAME         ContainedTransform
   DESCRIPTION  Associates an IPsecProposal with the set of
                SATransforms that make up the proposal.
   DERIVED FROM PolicyComponent (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref IPsecProposal[0..n]]
                PartComponent[ref SATransform[1..n]]
                SequenceNumber

7.8.1.

7.9.1. The Reference GroupComponent
   The property GroupComponent contains an object reference is inherited from PolicyComponent and is
   overridden to refer to an IPsecProposal that contains one or more SATransforms. instance.  The [0..n]
   cardinality indicates that there an SATransform instance may be associated
   with zero or more IPsecProposals
   that contain any given SATransform.

7.8.2. IPsecProposal instances.

7.9.2. The Reference PartComponent

   The property PartComponent contains an object reference is inherited from PolicyComponent and is
   overridden to refer to an SATransform contained by one or more IPsecProposals. instance.  The [1..n]
   cardinality indicates that an IPsecPropsal IPsecProposal instance MUST contain be
   associated with at least one
   SATransform.

7.8.3. SATransform instance.

7.9.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for
   the SATransforms of the same type.  The property is defined as
   follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order for the SATransforms of
                the same type.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued transforms are preferred over transforms
                of the same type with higher values.  If two transforms
                of the same type have  For
                ContainedTransforms that reference the same
                IPsecProposal, SequenceNumber value,
                then the order of preference is undefined.

8. Security Considerations

   This document describes values must be unique.

7.10. The Association Class SATransformInSystem

   The class SATransformInSystem weakly associates SATransforms with a schema for IPsec policy.  It does not
   detail security requirements
   System.  The class definition for storage or delivery of said schema.
   Storage and delivery security requirements should be detailed in SATransformInSystem System is as
   follows:

   NAME         SATransformInSystem
   DESCRIPTION  Weakly associates SATransforms with a
   comprehensive security policy architecture document.

9. Intellectual Property System.
   DERIVED FROM PolicyInSystem (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref System[1..1]]
                Dependent[ref SATransform[0..n] [weak]]

7.10.1. The Reference Antecedent

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that might an SATransform instance MUST be claimed to
   pertain associated with one
   and only one System instance.

7.10.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to the implementation or use of the technology described in
   this document or the extent refer to which any license under such rights
   might or might not be available; neither does it represent an SATransform instance.  The [0..n]
   cardinality indicates that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures a System instance may be associated with respect to rights in standards-track
   zero or more SATransform instances.

8. IKE Service and
   standards-related documentation can Identity Classes

                +--------------+           +-------------------+
                |    System    |           | PeerIdentityEntry |
                | (Appendix A) |           +-------------------+
                +--------------+                     |*w
                      1| (a)                 (b)     |
                       +---+            +------------+
                           |            |
                           |*w        1 o
   +-------------+     +-------------------+    +---------------------+
   | PeerGateway |     | PeerIdentityTable |    | AutostartIKESetting |
   +-------------+     +-------------------+    +---------------------+
        *|                          *|               *|    *|
         +----------------------+    |(d)  +----------+     |
                  (c)          *|   *|    *|     (e)        |
                              *+------------+*              |(f)
             +-----------------| IKEService |-----+         |
             |      (g)        +------------+     |(h)      |
         0..1|                      *|           *|        *o
   +--------------------+            |    +---------------------------+
   | IPProtocolEndpoint |            |    | AutostartIKEConfiguration |
   |    (Appendix C)    |         (i)|    +---------------------------+
   +--------------------+            |
      0..1|                          |
          |(j)                       +----------------+
         *|                                           |*
   +-------------+* (k)  +------------+ +-----------------------------+
   | IKEIdentity |-------| Collection | | CredentialManagementService |
   +-------------+   0..1|(Appendix A)| |        (Appendix B)         |
         *|              +------------+ +-----------------------------+
          |(l)
         *|
   +--------------+
   |  Credential  |
   | (Appendix B) |
   +--------------+

   (a)  HostedPeerIdentityTable
   (b)  PeerIdentityMember
   (c)  IKEServicePeerGateway
   (d)  IKEServicePeerIdentityTable
   (e)  IKEAutostartSetting
   (f)  AutostartIKESettingContext
   (g)  IKEServiceForEndpoint
   (h)  IKEAutostartConfiguration
   (i)  IKEUsesCredentialManagementService
   (j)  EndpointHasLocalIKEIdentity
   (k)  CollectionHasLocalIKEIdentity
   (l)  IKEIdentitysCredential

   This portion of the model contains additional information that is
   useful in applying the policy.  The IKEService class MAY be found used to
   represent the IKE negotiation function in BCP-11.

   Copies of claims of rights made available a system. The IKEService
   uses the various tables that contain information about IKE peers as
   well as the configuration for publication specifying security associations that
   are started automatically.  The information in the PeerGateway,
   PeerIdentityTable and any
   assurances of licenses related classes is necessary to be made available, or completely
   specify the result of policies.

   An interface (represented by an
   attempt made to obtain IPProtocolEndpoint) has an
   IKEService that provides the negotiation services for that
   interface.  That service MAY also have a general license or permission list of security
   associations for that are automatically started at the time the IKE
   service is initialized.

   The IKEService also has a set of identities that it may use in
   negotiations with its peers.  Those identities are associated with
   the interfaces (or collections of such proprietary rights by implementers or users interfaces).

8.1. The Class IKEService

   The class IKEService represents the IKE negotiation function.  An
   instance of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which service may cover technology provide that negotiation service for
   one or more interfaces (represented by the IPProtocolEndpoint class)
   of a System.  There may be required to practice
   this standard. Please address the information multiple instances of IKE services on a
   System but only one per interface.  The class definition for
   IKEService is as follows:

   NAME         IKEService
   DESCRIPTION  IKEService is used to represent the IETF Executive
   Director.

10. Acknowledgments IKE negotiation
                function.
   DERIVED FROM NetworkService (see Appendix C)
   ABSTRACT     FALSE

8.2. The author would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
   Vic Lortz, Class PeerIdentityTable

   The class PeerIdentityTable aggregates the table entries that
   provide mappings between identities and William Dixon for their contributions addresses.  The class
   definition for PeerIdentityTable is as follows:

   NAME         PeerIdentityTable
   DESCRIPTION  PeerIdentityTable aggregates PeerIdentityEntry
                instances to this IPsec
   policy model.

   Additionally, this draft would not have been possible without provide a table of identity-address
                mappings.
   DERIVED FROM Collection (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Name

8.3.1. The Property Name

   The property Name uniquely identifies the
   preceding IPsec schema drafts.  For that, thanks go out to Rob
   Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
   Rajan.

11. References

   [IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)",
   RFC 2409, November 1998.

   [COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP
   Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

   [ESP] Kent, S., table.  The property is
   defined as follows:

   NAME         Name
   DESCRIPTION  Name uniquely identifies the table.

   SYNTAX       string

8.3. The Class PeerIdentityEntry

   The class PeerIdentityEntry specifies the mapping between peer
   identity and R. Atkinson, "IP Encapsulating Security Payload
   (ESP)", RFC 2406, November 1998.

   [AH] Kent, S., their address. The class definition for
   PeerIdentityEntry is as follows:

   NAME         PeerIdentityEntry
   DESCRIPTION  PeerIdentityEntry provides a mapping between a peer's
                identity and R. Atkinson, "IP address.
   DERIVED FROM LogicalElement (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   PeerIdentity
                PeerIdentityType
                PeerAddress
                PeerAddressType

8.3.1. The Property PeerIdentity

   The property PeerIdentity contains a string encoding of the Identity
   payload for the IKE peer.  The property is defined as follows:

   NAME         PeerIdentity
   DESCRIPTION  The PeerIdentity is the ID payload of a peer.
   SYNTAX       string

8.3.2. The Property PeerIdentityType

   The property PeerIdentityType is an enumeration that specifies the
   type of the PeerIdentity.  The property is defined as follows:

   NAME         PeerIdentityType
   DESCRIPTION  PeerIdentityType is the type of the ID payload of a
                peer.
   SYNTAX       unsigned 16-bit integer
   VALUE        The enumeration values are specified in [DOI] section
                4.6.2.1.

8.3.3. The Property PeerAddress

   The property PeerAddress specifies the string representation of the
   IP address of the peer formatted according to the appropriate
   convention as defined in the PeerAddressType property (e.g., dotted
   decimal notation).  The property is defined as follows:

   NAME         PeerAddress
   DESCRIPTION  PeerAddress is the address of the peer with the ID
                payload.
   SYNTAX       string
   VALUE        String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType
   The property PeerAddressType specifies the format of the PeerAddress
   property value.  The property is defined as follows:

   NAME         PeerAddressType
   DESCRIPTION  PeerAddressType is the type of address in PeerAddress.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6

8.4. The Class AutostartIKEConfiguration

   The class AutostartIKEConfiguration groups AutostartIKESetting
   instances into configuration sets.  When applied, the settings cause
   an IKE service to automatically start (negotiate or statically set
   as appropriate) the Security Associations.  The class definition for
   AutostartIKEConfiguration is as follows:

   NAME         AutostartIKEConfiguration
   DESCRIPTION  A configuration set of AutostartIKESetting instances to
                be automatically started by the IKE service.
   DERIVED FROM SystemConfiguration (see Appendix A)
   ABSTRACT     FALSE

8.5. The Class AutostartIKESetting

   The class AutostartIKESetting is used to automatically initiate IKE
   negotiations with peers (or statically create an SA) as specified in
   the AutostartIKESetting properties.  Appropriate actions are
   initiated according to the policy that matches the setting
   parameters. The class definition for AutostartIKESetting is as
   follows:

   NAME         AutostartIKESetting
   DESCRIPTION  AutostartIKESetting is used to automatically initiate
                IKE negotiations with peers or statically create an SA.
   DERIVED FROM SystemSetting (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Phase1Only
                AddressType
                SourceAddress
                SourcePort
                DestinationAddress
                DestinationPort
                Protocol

8.5.1. The Property Phase1Only

   The property Phase1Only is used to limit the IKE negotiation to just
   setting up a phase 1 security association.  When set to False, both
   phase 1 and 2 negotiations are initiated.
   The property is defined as follows:

   NAME         Phase1Only
   DESCRIPTION  Used to indicate which security associations to attempt
                to establish (phase 1 only, or phase 1 and 2).
   SYNTAX       boolean
   VALUE        true - attempt to establish a phase 1 security
                association
                false - attempt to establish phase 1 and 2 security
                associations

8.5.2. The Property AddressType

   The property AddressType specifies type of the addresses in the
   SourceAddress and DestinationAddress properties.  The property is
   defined as follows:

   NAME         AddressType
   DESCRIPTION  AddressType is the type of address in SourceAddress and
                DestinationAddress properties.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6

8.5.3. The Property SourceAddress

   The property SourceAddress specifies the dotted-decimal or colon-
   decimal formatted IP address used as the source address in comparing
   with policy filter entries and used in any phase 2 negotiations.
   The property is defined as follows:

   NAME         SourceAddress
   DESCRIPTION  The source address to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort

   The property SourcePort specifies the port number used as the source
   port in comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

   NAME         SourcePort
   DESCRIPTION  The source port to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.5. The Property DestinationAddress

   The property DestinationAddress specifies the dotted-decimal or
   colon-decimal formatted IP address used as the destination address
   in comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

   NAME         DestinationAddress
   DESCRIPTION  The destination address to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort

   The property DestinationPort specifies the port number used as the
   destination port in comparing with policy filter entries and used in
   any phase 2 negotiations.  The property is defined as follows:

   NAME         DestinationPort
   DESCRIPTION  The destination port to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.7. The Property Protocol

   The property Protocol specifies the protocol number used in
   comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

   NAME         Protocol
   DESCRIPTION  The protocol number used in comparing with policy
                filter entries.
   SYNTAX       unsigned 8-bit integer

8.6. The Class IKEIdentity

   The class IKEIdentity is used to represent the identities that may
   be used for an IPProtocolEndpoint (or collection of
   IPProtocolEndpoints) to identify the IKE Service in IKE phase 1
   negotiations.  The policy IKEAction.UseIKEIdentityType specifies
   which type of the available identities to use in a negotiation
   exchange and the IKERule.IdentityContexts specifies the match values
   to be used, along with the local address, in selecting the
   appropriate identity for a negotiation. The ElementID property value
   (defined in the parent class, UsersAccess) should be that of either
   the IPProtocolEndpoint or Collection of endpoints as appropriate.
   The class definition for IKEIdentity is as follows:

   NAME         IKEIdentity
   DESCRIPTION  IKEIdentity is used to represent the identities that
                may be used for an IPProtocolEndpoint (or collection of
                IPProtocolEndpoints) to identify the IKE Service in IKE
                phase 1 negotiations.
   DERIVED FROM UsersAccess (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   IdentityType
                IdentityValue
                IdentityContexts

8.6.1. The Property IdentityType

   The property IdentityType is an enumeration that specifies the type
   of the IdentityValue.  The property is defined as follows:

   NAME         IdentityType
   DESCRIPTION  IdentityType is the type of the IdentityValue.
   SYNTAX       unsigned 8-bit integer
   VALUE        The enumeration values are specified in [DOI] section
                4.6.2.1.

8.6.2. The Property IdentityValue

   The property Identity specifies Value contains a string encoding of
   the Identity payload.  For IKEIdentity instances that are address
   types, the IdentityValue string value may be omitted and the
   associated IPProtocolEndpoint or appropriate member of the
   Collection of endpoints is used.  The property is defined as
   follows:

   NAME         IdentityValue
   DESCRIPTION  IdentityValue contains a string encoding of the
                Identity payload.
   SYNTAX       string

8.6.3. The Property IdentityContexts

   The IdentityContexts property is used to constrain the use of
   IKEIdentity instances to match that specified in the
   IKERule.IdentityContexts.  The IdentityContexts are formatted as
   policy roles and role combinations [PCIM].  Each value represents
   one context or context combination.  Since this is a multi-valued
   property, more than one context or combination of contexts can be
   associated with a single IKEIdentity.  Each value is a string of the
   form:        <ContextName>[&&<ContextName>]*
   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2). If one or more
   values in the IKERule.IdentityContexts array match one or more
   IKEIdentity.IdentityContexts then the identity's context matches.
   (That is, each value of the IdentityContext array is an ORed
   condition.)  In combination with the address of the
   IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
   1 and only 1 IKEIdentity.  The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  The IKE service of a security endpoint may have
                multiple identities for use in different situations.
                The combination of the interface (represented by
                the IPProtocolEndpoint), the identity type (as
                specified in the IKEAction) and the IdentityContexts
                selects a unique identity.
   SYNTAX       string array
   VALUE        string of the form <ContextName>[&&<ContextName>]*

8.7. The Association Class HostedPeerIdentityTable

   The class HostedPeerIdentityTable provides the name scoping
   relationship for PeerIdentityTable entries in a System.  The
   PeerIdentityTable is weak to the System.  The class definition for
   HostedPeerIdentityTable is as follows:

   NAME         HostedPeerIdentityTable
   DESCRIPTION  The PeerIdentityTable instances are weak (name scoped
                by) the owning System.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref System[1..1]]
                Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that a PeerIdentityTable instance MUST be associated in a
   weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PeerIdentityTable instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

   The class PeerIdentityMember aggregates PeerIdentityEntry instances
   into a PeerIdentityTable.  This is a weak aggregation.  The class
   definition for PeerIdentityMember is as follows:

   NAME         PeerIdentityMember
   DESCRIPTION  PeerIdentityMember aggregates PeerIdentityEntry
                instances into a PeerIdentityTable.
   DERIVED FROM MemberOfCollection (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Collection [ref PeerIdentityTable[1..1]]
                Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

   The property Collection is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityTable instance.  The [1..1]
   cardinality indicates that a PeerIdentityEntry instance MUST be
   associated with one and only one PeerIdentityTable instance (i.e.,
   PeerIdentityEntry instances are not shared across
   PeerIdentityTables).

8.8.2. The Reference Member

   The property Member is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityEntry instance.  The [0..n]
   cardinality indicates that a PeerIdentityTable instance may be
   associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

   The class IKEServicePeerGateway provides the association between an
   IKEService and the list of PeerGateway instances that it uses in
   negotiating with security gateways.  The class definition for
   IKEServicePeerGateway is as follows:

   NAME         IKEServicePeerGateway
   DESCRIPTION  Associates an IKEService and the list of PeerGateway
                instances that it uses in negotiating with security
                gateways.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that a PeerGateway instance may be associated
   with zero or more IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

   The class IKEServicePeerIdentityTable provides the relationship
   between an IKEService and a PeerIdentityTable that it uses to map
   between addresses and identities as required.  The class definition
   for IKEServicePeerIdentityTable is as follows:

   NAME         IKEServicePeerIdentityTable
   DESCRIPTION  IKEServicePeerIdentityTable provides the relationship
                between an IKEService and a PeerIdentityTable that it
                uses.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerIdentityTable[0..n]]
                Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerIdentityTable instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that a PeerIdentityTable instance may be
   associated with zero or more IKEService instances.

8.11. The Association Class IKEAutostartSetting

   The class IKEAutostartSetting associates an AutostartIKESetting with
   an IKEService that may use it to automatically start an IKE
   negotiation or create a static SA.  The class definition for
   IKEAutostartSetting is as follows:

   NAME         IKEAutostartSetting
   DESCRIPTION  Associates a AutostartIKESetting with an IKEService.
   DERIVED FROM ElementSetting (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Element [ref IKEService[0..n]]
                Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

   The property Element is inherited from ElementSetting and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates an AutostartIKESetting instance may be
   associated with zero or more IKEService instances.

8.11.2. The Reference Setting

   The property Setting is inherited from ElementSetting and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

   The class AutostartIKESettingContext aggregates the settings used to
   automatically start negotiations or create a static SA into a
   configuration set.  The class definition for
   AutostartIKESettingContext is as follows:

   NAME         AutostartIKESettingContext
   DESCRIPTION  AutostartIKESettingContext aggregates the
                AutostartIKESetting instances into a configuration set.
   DERIVED FROM SystemSettingContext (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Context [ref AutostartIKEConfiguration [0..n]]
                Setting [ref AutostartIKESetting [0..n]]
                SequenceNumber

8.12.1. The Reference Context

   The property Context is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an AutostartIKESetting instance
   may be associated with zero or more AutostartIKEConfiguration
   instances (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

   The property Setting is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an AutostartIKEConfiguration instance may
   be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

   The property SequenceNumber specifies indicates the ordering to be
   used when starting negotiations or creating a static SA.  A zero
   value indicates that order is not significant and settings may be
   applied in parallel with other settings.  All other settings in the
   configuration are executed in sequence from lower values to high.
   Sequence numbers need not be unique in an AutostartIKEConfiguration
   and order is not significant for settings with the same sequence
   number.  The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  The sequence in which the settings are applied within a
                configuration set.
   SYNTAX       unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

   The class IKEServiceForEndpoint provides the association showing
   which IKE service, if any, provides IKE negotiation services for
   which network interfaces.  The class definition for
   IKEServiceForEndpoint is as follows:

   NAME         IKEServiceForEndpoint
   DESCRIPTION  Associates an IPProtocolEndpoint with an IKEService
                that provides negotiation services for the endpoint.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IKEService[0..1]]
                Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..1]
   cardinality indicates that an IPProtocolEndpoint instance MUST by
   associated with at most one IKEService instance.

8.13.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPProtocolEndpoint that is associated with
   at most one IKEService.  The [0..n] cardinality indicates an
   IKEService instance may be associated with zero or more
   IPProtocolEndpoint instances.

8.14. The Association Class IKEAutostartConfiguration

   The class IKEAutostartConfiguration provides the relationship
   between an IKEService and a configuration set that it uses to
   automatically start a set of SAs.  The class definition for
   IKEAutostartConfiguration is as follows:

   NAME         IKEAutostartConfiguration
   DESCRIPTION  IKEAutostartConfiguration provides the relationship
                between an IKEService and an AutostartIKEConfiguration
                that it uses to automatically start a set of SAs.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref AutostartIKEConfiguration [0..n]]
                Dependent [ref IKEService [0..n]]
                Active

8.14.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that an AutostartIKEConfiguration instance may
   be associated with zero or more IKEService instances.

8.14.3. The Property Active

   The property Active specifies indicates whether the
   AutostartIKEConfiguration set is currently active for the associated
   IKEService.  That is, at boot time, the active configuration is used
   to automatically start IKE negotiations and create static SAs.  The
   property is defined as follows:

   NAME         Active
   DESCRIPTION  Active indicates whether the AutostartIKEConfiguration
                set is currently active for the associated IKEService.
   SYNTAX       boolean
   VALUE        true - AutostartIKEConfiguration is currently active
                for associated IKEService.
                false - AutostartIKEConfiguration is currently inactive
                for associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

   The class IKEUsesCredentialManagementService defines the set of
   CredentialManagementService(s) that are trusted sources of
   credentials for IKE phase 1 negotiations.  The class definition for
   IKEUsesCredentialManagementService is as follows:

   NAME         IKEUsesCredentialManagementService
   DESCRIPTION  Associates the set of CredentialManagementService(s)
                that are trusted by the IKEService as sources of
                credentials used in IKE phase 1 negotiations.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref CredentialManagementService [0..n]]
                Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that a CredentialManagementService instance
   may be associated with zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

   The class EndpointHasLocalIKEIdentity associates an
   IPProtocolEndpoint with a set of IKEIdentity instances that may be
   used in negotiating security associations on the endpoint.  An
   IKEIdentity MUST be associated with either an IPProtocolEndpoint
   using this association or with a collection of IKEIdentity instances
   using the CollectionHasLocalIKEIdentity association.  The class
   definition for EndpointHasLocalIKEIdentity is as follows:

   NAME         EndpointHasLocalIKEIdentity
   DESCRIPTION  EndpointHasLocalIKEIdentity associates an
                IPProtocolEndpoint with a set of IKEIdentity instances.
   DERIVED FROM ElementAsUser (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IPProtocolEndpoint [0..1]]
                Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to an IPProtocolEndpoint instance.  The [0..1]
   cardinality indicates that an IKEIdentity instance MUST be
   associated with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that an IPProtocolEndpoint instance may be
   associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

   The class CollectionHasLocalIKEIdentity associates a Collection of
   IPProtocolEndpoint instances with a set of IKEIdentity instances
   that may be used in negotiating SAs for endpoints in the collection.
   An IKEIdentity MUST be associated with either an IPProtocolEndpoint
   using the EndpointHasLocalIKEIdentity association or with a
   collection of IKEIdentity instances using this association.  The
   class definition for CollectionHasLocalIKEIdentity is as follows:

   NAME         CollectionHasLocalIKEIdentity
   DESCRIPTION  CollectionHasLocalIKEIdentity associates a collection
                of IPProtocolEndpoint instances with a set of
                IKEIdentity instances.
   DERIVED FROM ElementAsUser (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref Collection [0..1]]
                Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to a Collection instance.  The [0..1]
   cardinality indicates that an IKEIdentity instance MUST be
   associated with at most one Collection instance.

8.17.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that a Collection instance may be associated
   with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

   The class IKEIdentitysCredential is an association that relates a
   set of credentials to their corresponding local IKE Identities.  The
   class definition for IKEIdentitysCredential is as follows:

   NAME         IKEIdentitysCredential
   DESCRIPTION  IKEIdentitysCredential associates a set of credentials
                to their corresponding local IKEIdentity.
   DERIVED FROM UsersCredential (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref Credential [0..n]]
                Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

   The property Antecedent is inherited from UsersCredential and is
   overridden to refer to a Credential instance.  The [0..n]
   cardinality indicates that IKEIdentity instance may be associated
   with zero or more Credential instances.

8.18.2. The Reference Dependent

   The property Dependent is inherited from UsersCredential and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that a Credential instance may be associated
   with zero or more IKEIdentity instances.

9. Security Considerations

   This document describes a schema for IPsec policy.  It does not
   detail security requirements for storage or delivery of said schema.
   Storage and delivery security requirements should be detailed in a
   comprehensive security policy architecture document.

10. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.

   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

11. Acknowledgments

   The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
   Vic Lortz, and William Dixon for their contributions to this IPsec
   policy model.

   Additionally, this draft would not have been possible without the
   preceding IPsec schema drafts.  For that, thanks go out to Rob
   Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
   Rajan.

12. References

   [IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)",
   RFC 2409, November 1998.

   [COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP
   Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

   [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload
   (ESP)", RFC 2406, November 1998.

   [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC
   2402,
   2402, November 1998.

   [PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core
   Information Model -- Version 1 Specification", RFC 3060, February
   2001.

   [DOI] Piper, D., "The Internet IP Security Domain of Interpretation
   for ISAKMP", RFC 2407, November 1998.

   [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory
   Access Protocol (v3)", RFC 2251, December 1997.

   [COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
   Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
   January 2000.  Internet-Draft work in progress.

   [COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie,
   F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
   Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000.
   Internet-Draft work in progress.

   [SPSL] Condell, M., and C. Lynn, J. Zao, "Security Policy
   Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000.
   Internet-Draft work in progress.

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
   Requirement Levels", BCP 14, RFC 2119, March 1997.

   [IPSO] Kent, S., "U.S. Department of Defense Security Options for
   the Internet Protocol", RFC 1108, November 1991.

   [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the
   Internet Protocol", RFC 2401, November 1998.

   [PCIM] Moore, B.,

13. Disclaimer

   The views and specification herein are those of the authors and are
   not necessarily those of their employer.  The authors and their
   employer specifically disclaim responsibility for any problems
   arising from correct or incorrect implementation or use of this
   specification.

14. Authors' Addresses

      Jamie Jason
      Intel Corporation
      MS JF3-206
      2111 NE 25th Ave.
      Hillsboro, OR 97124
      E-Mail: jamie.jason@intel.com

      Lee Rafalow
      IBM Corporation, BRQA/502
      4205 So. Miami Blvd.
      Research Triangle Park, NC 27709
      E-mail:  rafalow@raleigh.ibm.com

      Eric Vyncke
      Cisco Systems
      Avenue Marcel Thiry, 77
      B-1200 Brussels
      Belgium
      E-mail: evyncke@cisco.com

15. Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it maybe copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other then
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING
   TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Appendix A (DMTF Core Model MOF)

// ==================================================================
// ManagedElement
// ==================================================================
   [Abstract, Description (
   "ManagedElement is an abstract class that provides a common "
        "superclass (or top of the inheritance tree) for the "
        "non-association classes in the CIM Schema.")]
   class CIM_ManagedElement
   {
     [MaxLen (64), Description (
      "The Caption property is a short textual description (one-"
      "line string) of the object.") ]
     string Caption;
     [Description (
      "The Description property provides a textual description of "
      "the object.") ]
     string Description;
   };

// ==================================================================
// Collection
// ==================================================================
  [Abstract, Description (
   "Collection is an abstract class that provides a common"
   "superclass for data elements that represent collections of "
   "ManagedElements and its subclasses.")]
  class CIM_Collection : CIM_ManagedElement
  {
  };

// ==================================================================
//    ManagedSystemElement
// ==================================================================
        [Abstract, Description (
         "CIM_ManagedSystemElement is the base class for the System "
         "Element hierarchy. Membership Criteria: Any distinguishable "
         "component of a System is a candidate for inclusion in this "
         "class. Examples: software components, such as files; and "
         "devices, such as disk drives and controllers, and physical "
           "components such as chips and cards.") ]
class CIM_ManagedSystemElement : CIM_ManagedElement
{
        [Description (
         "A datetime value indicating when the object was installed. "
         "A lack of a value does not indicate that the object is not "
         "installed."),
         MappingStrings {"MIF.DMTF|ComponentID|001.5"} ]
    datetime InstallDate;
        [MaxLen (256), Description (
         "The Name property defines the label by which the object is "
         "known. When subclassed, the Name property can be overridden "
         "to be a Key property.") ]
    string Name;
         [MaxLen (10), Description (
         "  A string indicating the current status of the object. "
         "Various operational and non-operational statuses are "
         "defined. Operational statuses are \"OK\", \"Degraded\", "
         "\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that "
         "the Element is functioning, but needs attention. Examples "
         "of \"Stressed\" states are overload, overheated, etc. The "
         "condition \"Pred Fail\" (failure predicted) indicates that "
         "an Element is functioning properly but predicting a failure "
         "in the near future. An example is a SMART-enabled hard "
         "drive. \n"
         "  Non-operational statuses can also be specified. These "
         "are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", "
         "\"Stopped\", "
         "\"Service\",\"No Contact\" and \"Lost Comm\". \"NonRecover\""
         "indicates that a non-recoverable error has occurred. "
         "\"Service\" describes an Element being configured, "
         "maintained,"
         "cleaned, or otherwise administered. This status could apply "
         "during mirror-resilvering of a disk, reload of a user "
         "permissions list, or other administrative task. Not all "
         "such "
         "work is on-line, yet the Element is neither \"OK\" nor in "
         "one of the other states. \"No Contact\" indicates that the "
         "current instance of the monitoring system has knowledge of "
         "this Element but has never been able to establish "
         "communications with it. \"Lost Comm\" indicates that "
         "the ManagedSystemElement is known to exist and has been "
         "contacted successfully in the past, but is currently "
         "unreachable."
         "\"Stopped\" indicates that the ManagedSystemElement is "
         "known "
         "to exist, it is not operational (i.e. it is unable to "
         "provide service to users), but it has not failed. It "
         "has purposely "
         "been made non-operational. The Element "
         "may have never been \"OK\", the Element may have initiated "
         "its "
         "own stop, or a management system may have initiated the "
         "stop."),
         ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail",
             "Starting", "Stopping", "Service", "Stressed",
             "NonRecover", "No Contact", "Lost Comm", "Stopped"} ]
    string Status;
};

// ==================================================================
//    LogicalElement
// ==================================================================
        [Abstract, Description (
         "CIM_LogicalElement is a base class for all the components "
         "of "
         "a System that represent abstract system components, such "
         "as Files, Processes, or system capabilities in the form "
         "of Logical Devices.") ]
class CIM_LogicalElement:CIM_ManagedSystemElement
{
};

// ==================================================================
//     CIM_SystemConfiguration
// ==================================================================
        [Description (
         "CIM_SystemConfiguration represents the general concept "
         "of a CIM_Configuration which is scoped by/weak to a "
         "System. This class is a peer of CIM_Configuration since "
         "the key structure of Configuration is currently "
         "defined and cannot be modified with additional "
         "properties.")]
class CIM_SystemConfiguration : CIM_ManagedElement {
       [Propagated ("CIM_System.CreationClassName"), Key,
        MaxLen (256), Description (
        "The scoping System's CreationClassName.") ]
    string SystemCreationClassName;
       [Propagated ("CIM_System.Name"), Key, MaxLen (256),
        Description ("The scoping System's Name.") ]
    string SystemName;
       [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.") ]
    string CreationClassName;
        [Key, MaxLen (256), Description (
         "The label by which the Configuration object is known.") ]
   string Name;
};

// ===================================================================
//    Setting
// ===================================================================
        [Abstract, Description (
         "The Setting class represents configuration-related and "
         "operational parameters for one or more ManagedSystem"
         "Element(s). A ManagedSystemElement may have multiple "
         "Setting "
         "objects associated with it. The current operational values "
         "for an Element's parameters are reflected by properties in "
         "the Element itself or by properties in its associations. "
         "These properties do not have to be the same values present "
         "in the Setting object. For example, a modem may have a "
         "Setting baud rate of 56Kb/sec but be operating "
         "at 19.2Kb/sec.") ]
class CIM_Setting : CIM_ManagedElement
{
        [MaxLen (256), Description (
         "The identifier by which the Setting object is known.") ]
   string SettingID;
         [Description (
         "The VerifyOKToApplyToMSE method is used to verify that "
         "this Setting can be 'applied' to the referenced Managed"
         "SystemElement, at the given time or time interval. This "
         "method takes three input parameters: MSE (the Managed"
         "SystemElement that is being verified), TimeToApply (which, "
         "being a datetime, can be either a specific time or a time "
         "interval), and MustBeCompletedBy (which indicates the "
         "required completion time for the method). The return "
         "value should be 0 if it is OK to apply the Setting, 1 if "
         "the method is not supported, 2 if the Setting can not be "
         "applied within the specified times, and any other number "
         "if an error occurred. In a subclass, the "
         "set of possible return codes could be specified, using a "
         "ValueMap qualifier on the method. The strings to which the "
         "ValueMap contents are 'translated' may also be specified in "
         "the subclass as a Values array qualifier.") ]
   uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);
        [Description (
         "The ApplyToMSE method performs the actual application of "
         "the Setting to the referenced ManagedSystemElement. It "
         "takes three input parameters: MSE (the ManagedSystem"
         "Element to which the Setting is being applied), "
         "TimeToApply (which, being a datetime, can be either a "
         "specific time or a time interval), and MustBeCompletedBy "
         "(which indicates the required completion time for the "
         "method). Note that the semantics of this method are that "
         "individual Settings are either wholly applied or not "
         "applied at all to their target ManagedSystemElement. The "
         "return value should be 0 if the Setting is successfully "
         "applied to the referenced ManagedSystemElement, 1 if the "
         "method is not supported, 2 if the Setting was not applied "
         "within the specified times, and any other number if an "
         "error occurred. In a subclass, the set of possible return "
         "codes could be specified, using a ValueMap qualifier on "
         "the method. The strings to which the ValueMap contents are "
         "'translated' may also be specified in the subclass as a "
         "Values array qualifier.\n"
         "Note: If an error occurs in applying the Setting to a "
         "ManagedSystemElement, the Element must be configured as "
         "when the 'apply' attempt began. That is, the Element "
         "should NOT be left in an indeterminate state.") ]
   uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);
        [Description (
         "The VerifyOKToApplyToCollection method is used to verify "
         "that this Setting can be 'applied' to the referenced "
         "Collection of ManagedSystemElements, at the given time "
         "or time interval, without causing adverse effects to "
         "either the Collection itself or its surrounding "
         "environment. The net effect is to execute the "
         "VerifyOKToApply method against each of the Elements "
         "aggregated by the Collection. This method takes three "
         "input parameters: Collection (the Collection of Managed"
         "SystemElements that is being verified), TimeToApply (which, "
         "being a datetime, can be either a specific time or a time "
         "interval), and MustBeCompletedBy (which indicates the "
         "required completion time for the method). The return "
         "value should be 0 if it is OK to apply the Setting, 1 if "
         "the method is not supported, 2 if the Setting can not be "
         "applied within the specified times, and any other number if "
         "an error occurred. One output parameter is defined - "
         "CanNotApply - which is a string array that lists the keys "
         "of "
         "the ManagedSystemElements to which the Setting can NOT be "
         "applied. This enables those Elements to be revisited and "
         "either fixed, or other corrective action taken.\n"
         "In a subclass, the set of possible return codes could be "
         "specified, using a ValueMap qualifier on the method. The "
         "strings to which the ValueMap contents are 'translated' may "
         "also be specified in the subclass as a Values array "
         "qualifier.") ]
   uint32 VerifyOKToApplyToCollection (
    [IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy,
    [OUT] string CanNotApply[]);
        [Description (
         "The ApplyToCollection method performs the application of "
         "the Setting to the referenced Collection of ManagedSystem"
         "Elements. The net effect is to execute the ApplyToMSE "
         "method against each of the Elements aggregated by the "
         "Collection. If the input value ContinueOnError is FALSE, "
         "this method applies the Setting to all Elements in the "
         "Collection until it encounters an error, in which case it "
         "stops execution, logs the key of the Element that caused "
         "the error in the CanNotApply array, and issues a return "
         "code "
         "of 2. If the input value ContinueOnError is TRUE, then this "
         "method applies the Setting to all the ManagedSystemElements "
         "in the Collection, and reports the failed Elements in the "
         "array, CanNotApply. For the latter, processing will "
         "continue "
         "until the method is applied to all Elements in the "
         "Collection, regardless of any errors encountered. The key "
         "of "
         "each ManagedSystemElement to which the Setting could not be "
         "applied is logged into the CanNotApply array. This method "
         "takes four input parameters: Collection (the Collection of "
         "Elements to which the Setting is being applied), "
         "TimeToApply "
         "(which, being a datetime, can be either a specific time or "
         "a "
         "time interval), ContinueOnError (TRUE means to continue "
         "processing on encountering an error), and MustBeCompletedBy "
         "(which indicates the required completion time for the "
         "method). The return value should be 0 if the Setting is "
         "successfully applied to the referenced Collection, 1 if the "
         "method is not supported, 2 if the Setting was not applied "
         "within the specified times, 3 if the Setting can not be "
         "applied using the input value for ContinueOnError, and any "
         "other number if an error occurred. One output parameter is "
         "defined, CanNotApplystring, which is an array that lists "
         "the keys of the ManagedSystemElements to which the Setting "
         "was NOT able to be applied. This output parameter has "
         "meaning only when the ContinueOnError parameter is TRUE.\n"
         "In a subclass, the set of possible return codes could be "
         "specified, using a ValueMap qualifier on the method. The "
         "strings to which the ValueMap contents are 'translated' may "
         "also be specified in the subclass as a Values array "
         "qualifier.\n"
         "Note: if an error occurs in applying the Setting to a "
         "ManagedSystemElement in the Collection, the Element must be "
         "configured as when the 'apply' attempt began. That is, the "
         "Element should NOT be left in an indeterminate state.") ]
   uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply, [IN] boolean ContinueOnError,
    [IN] datetime MustBeCompletedBy, [OUT] string CanNotApply[]);
                 [Description (
         "The VerifyOKToApplyIncrementalChangeToMSE method "
         "is used to verify that a subset of the properties in "
         "this Setting can be 'applied' to the referenced Managed"
         "SystemElement, at the given time or time interval. This "
         "method takes four input parameters: MSE (the Managed"
         "SystemElement that is being verified), TimeToApply (which, "
         "being a datetime, can be either a specific time or a time "
         "interval), MustBeCompletedBy (which indicates the "
         "required completion time for the method), and a "
         "PropertiesToApply array (which contains a list of the "
         "property names whose values will be verified. "
         "If they array is null or empty or constains the string "
         "\"all\" "
         "as a property name then all Settings properties shall be "
         "verified.  If it is set to \"none\" then no Settings "
         "properties "
         "will be verified). The return "
         "value should be 0 if it is OK to apply the Setting, 1 if "
         "the method is not supported, 2 if the Setting can not be "
         "applied within the specified times, and any other number "
         "if an error occurred. In a subclass, the "
         "set of possible return codes could be specified, using a "
         "ValueMap qualifier on the method. The strings to which the "
         "ValueMap contents are 'translated' may also be specified in "
         "the subclass as a Values array qualifier.") ]
   uint32 VerifyOKToApplyIncrementalChangeToMSE(
    [IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply,
    [IN] datetime MustBeCompletedBy,
    [IN] string PropertiesToApply[]);
        [Description (
         "The ApplyIncrementalChangeToMSE method performs the "
         "actual application of  a subset of the properties in "
         "the Setting to the referenced ManagedSystemElement. It "
         "takes four input parameters: MSE (the ManagedSystem"
         "Element to which the Setting is being applied), "
         "TimeToApply (which, being a datetime, can be either a "
         "specific time or a time interval), MustBeCompletedBy "
         "(which indicates the required completion time for the "
         "method), and a "
         "PropertiesToApply array (which contains a list of the "
         "property names whose values will be applied. If a "
         "property is not in this list, it will be ignored by the "
         "apply. "
         "If they array is null or empty or constains the string "
         "\"all\" "
         "as a property name then all Settings properties shall be "
         "applied.  If it is set to \"none\" then no Settings "
         "properties "
         "will be applied. ). "
         "Note that the semantics of this method are that "
         "individual Settings are either wholly applied or not "
         "applied at all to their target ManagedSystemElement. The "
         "return value should be 0 if the Setting is successfully "
         "applied to the referenced ManagedSystemElement, 1 if the "
         "method is not supported, 2 if the Setting was not applied "
         "within the specified times, and any other number if an "
         "error occurred. In a subclass, the set of possible return "
         "codes could be specified, using a ValueMap qualifier on "
         "the method. The strings to which the ValueMap contents are "
         "'translated' may also be specified in the subclass as a "
         "Values array qualifier.\n"
         "Note: If an error occurs in applying the Setting to a "
         "ManagedSystemElement, the Element must be configured as "
         "when the 'apply' attempt began. That is, the Element "
         "should NOT be left in an indeterminate state.") ]
   uint32 ApplyIncrementalChangeToMSE(
    [IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply,
    [IN] datetime MustBeCompletedBy,
    [IN] string PropertiesToApply[]);
        [Description (
         "The VerifyOKToApplyIncrementalChangeToCollection method "
         "is used to verify that a subset of the properties in "
         "this Setting can be 'applied' to the referenced "
         "Collection of ManagedSystemElements, at the given time "
         "or time interval, without causing adverse effects to "
         "either the Collection itself or its surrounding "
         "environment. The net effect is to execute the "
         "VerifyOKToApplyIncrementalChangeToMSE method "
         "against each of the Elements "
         "aggregated by the Collection. This method takes three "
         "input parameters: Collection (the Collection of Managed"
         "SystemElements that is being verified), TimeToApply (which, "
         "being a datetime, can be either a specific time or a time "
         "interval), MustBeCompletedBy (which indicates the "
         "required completion time for the method), and a "
         "PropertiesToApply array (which contains a list of the "
         "property names whose values will be verified. "
         "If they array is null or empty or contains the string "
         "\"all\" "
         "as a property name then all Settings properties shall be "
         "verified.  If it is set to \"none\" then no Settings "
         "properties "
         "will be verified). The return "
         "value should be 0 if it is OK to apply the Setting, 1 if "
         "the method is not supported, 2 if the Setting can not be "
         "applied within the specified times, and any other number if "
         "an error occurred. One output parameter is defined - "
         "CanNotApply - which is a string array that lists the keys "
         "of "
         "the ManagedSystemElements to which the Setting can NOT be "
         "applied. This enables those Elements to be revisited and "
         "either fixed, or other corrective action taken.\n"
         "In a subclass, the set of possible return codes could be "
         "specified, using a ValueMap qualifier on the method. The "
         "strings to which the ValueMap contents are 'translated' may "
         "also be specified in the subclass as a Values array "
         "qualifier.") ]
   uint32 VerifyOKToApplyIncrementalChangeToCollection (
    [IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply,
    [IN] datetime MustBeCompletedBy,
    [IN] string PropertiesToApply[],
    [OUT] string CanNotApply[]);
        [Description (
         "The ApplyIncrementalChangeToCollection method performs "
         "the application of a subset of the properties in this "
         "Setting to the referenced Collection of ManagedSystem"
         "Elements. The net effect is to execute the "
         "ApplyIncrementalChangeToMSE "
         "method against each of the Elements aggregated by the "
         "Collection. If the input value ContinueOnError is FALSE, "
         "this method applies the Setting to all Elements in the "
         "Collection until it encounters an error, in which case it "
         "stops execution, logs the key of the Element that caused "
         "the error in the CanNotApply array, and issues a return "
         "code "
         "of 2. If the input value ContinueOnError is TRUE, then this "
         "method applies the Setting to all the ManagedSystemElements "
         "in the Collection, and reports the failed Elements in the "
         "array, CanNotApply. For the latter, processing will "
         "continue "
         "until the method is applied to all Elements in the "
         "Collection, regardless of any errors encountered. The key "
         "of "
         "each ManagedSystemElement to which the Setting could not be "
         "applied is logged into the CanNotApply array. This method "
         "takes four input parameters: Collection (the Collection of "
         "Elements to which the Setting is being applied), "
         "TimeToApply "
         "(which, being a datetime, can be either a specific time or "
         "a "
         "time interval), ContinueOnError (TRUE means to continue "
         "processing on encountering an error), and MustBeCompletedBy "
         "(which indicates the required completion time for the "
         "method), and a PropertiesToApply array (which contains a "
         "list "
         "of the property names whose values will be applied. If a "
         "property is not in this list, it will be ignored by "
         "the apply. "
         "If they array is null or empty or constains the string "
         "\"all\" "
         "as a property name then all Settings properties shall be "
         "applied.  If it is set to \"none\" then no Settings "
         "properties "
         "will be applied. ). "
         "The return value should be 0 if the Setting is "
         "successfully applied to the referenced Collection, 1 if the "
         "method is not supported, 2 if the Setting was not applied "
         "within the specified times, 3 if the Setting can not be "
         "applied using the input value for ContinueOnError, and any "
         "other number if an error occurred. One output parameter is "
         "defined, CanNotApplystring, which is an array that lists "
         "the keys of the ManagedSystemElements to which the Setting "
         "was NOT able to be applied. This output parameter has "
         "meaning only when the ContinueOnError parameter is TRUE.\n"
         "In a subclass, the set of possible return codes could be "
         "specified, using a ValueMap qualifier on the method. The "
         "strings to which the ValueMap contents are 'translated' may "
         "also be specified in the subclass as a Values array "
         "qualifier.\n"
         "Note: if an error occurs in applying the Setting to a "
         "ManagedSystemElement in the Collection, the Element must be "
         "configured as when the 'apply' attempt began. That is, the "
         "Element should NOT be left in an indeterminate state.") ]
   uint32 ApplyIncrementalChangeToCollection(
    [IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply,
    [IN] boolean ContinueOnError,
    [IN] datetime MustBeCompletedBy,
    [IN] string PropertiesToApply[],
    [OUT] string CanNotApply[]);

};

// ==================================================================
//     CIM_SystemSetting
// ==================================================================
        [Abstract, Description (
         "CIM_SystemSetting represents the general concept "
         "of a CIM_Setting which is scoped by/weak to a System.")]
class CIM_SystemSetting : CIM_Setting {
       [Propagated ("CIM_System.CreationClassName"), Key,
        MaxLen (256), Description (
        "The scoping System's CreationClassName.") ]
    string SystemCreationClassName;
       [Propagated ("CIM_System.Name"), Key, MaxLen (256),
        Description ("The scoping System's Name.") ]
    string SystemName;
       [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.") ]
    string CreationClassName;
       [Override ("SettingID"), Key, MaxLen (256)]
    string SettingID;
};

// ==================================================================
//    System
// ==================================================================
        [Abstract, Description (
         "A CIM_System is a LogicalElement that aggregates an "
         "enumerable set of Managed System Elements. The aggregation "
         "operates as a functional whole. Within any particular "
         "subclass of System, there is a well-defined list of "
         "Managed System Element classes whose instances must be "
         "aggregated.") ]
class CIM_System:CIM_LogicalElement
{
        [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.") ]
    string CreationClassName;
        [Key, MaxLen (256), Override ("Name"), Description (
         "The inherited Name serves as key of a System instance in "
         "an enterprise environment.") ]
    string Name;
        [MaxLen (64), Description (
         "The System object and its derivatives are Top Level Objects "
         "of CIM. They provide the scope for numerous components. "
         "Having unique System keys is required. A heuristic can be "
         "defined in individual System subclasses to attempt to "
         "always "
         "generate the same System Name Key. The NameFormat property "
         "identifies how the System name was generated, using "
         "the subclass' heuristic.") ]
    string NameFormat;
        [MaxLen (256), Description (
         "A string that provides information on how the primary "
         "system "
         "owner can be reached (e.g. phone number, email address, "
           "...)."),
         MappingStrings {"MIF.DMTF|General Information|001.3"} ]
    string PrimaryOwnerContact;
        [MaxLen (64), Description (
           "The name of the primary system owner."),
         MappingStrings {"MIF.DMTF|General Information|001.4"} ]
    string PrimaryOwnerName;
        [Description (
         "An array (bag) of strings that specify the roles this "
         "System "
         "plays in the IT-environment. Subclasses of System may "
         "override this property to define explicit Roles values. "
         "Alternately, a Working Group may describe the heuristics, "
         "conventions and guidelines for specifying Roles. For "
         "example, for an instance of a networking system, the Roles "
         "property might contain the string, 'Switch' or 'Bridge'.") ]
    string Roles[];
};

// ==================================================================
//    Service
// ==================================================================
        [Abstract, Description (
         "A CIM_Service is a Logical Element that contains the "
         "information necessary to represent and manage the "
         "functionality provided by a Device and/or SoftwareFeature. "
         "A Service is a general-purpose object to configure and "
         "manage the implementation of functionality.  It is not the "
         "functionality itself.") ]
class CIM_Service:CIM_LogicalElement
{
        [Key, MaxLen (256), Description (
           "CreationClassName indicates the name of the class or the "
           "subclass used in the creation of an instance. When used "
           "with the other key properties of this class, this "
           "property "
           "allows all instances of this class and its subclasses to "
           "be uniquely identified.") ]
    string CreationClassName;
        [Override ("Name"), Key, MaxLen (256),
         Description (
         "The Name property uniquely identifies the Service and "
         "provides an indication of the functionality that is "
         "managed. This functionality is described in more detail in "
         "the object's Description property. ") ]
    string Name;
        [MaxLen (10), Description (
         "StartMode is a string value indicating whether the Service "
         "is automatically started by a System, Operating System, "
         "etc. "
         "or only started upon request."),
           ValueMap {"Automatic", "Manual"} ]
    string StartMode;
        [Description (
         "Started is a boolean indicating whether the Service "
         "has been started (TRUE), or stopped (FALSE).") ]
    boolean Started;
        [Propagated ("CIM_System.CreationClassName"), Key,
           MaxLen (256), Description (
         "The scoping System's CreationClassName. ") ]
    string SystemCreationClassName;
        [Propagated ("CIM_System.Name"), Key, MaxLen (256),
         Description ("The scoping System's Name.") ]
    string SystemName;
        [Description (
         "The StartService method places the Service in the started "
         "state. It returns an integer value of 0 if the Service was "
         "successfully started, 1 if the request is not supported and "
         "any other number to indicate an error. In a subclass, the "
         "set of possible return codes could be specified, using a "
         "ValueMap qualifier on the method. The strings to which the "
         "ValueMap contents are 'translated' may also be specified in "
         "the subclass as a Values array qualifier.") ]
    uint32 StartService();
        [Description (
         "The StopService method places the Service in the stopped "
         "state. It returns an integer value of 0 if the Service was "
         "successfully stopped, 1 if the request is not supported and "
         "any other number to indicate an error. In a subclass, the "
         "set of possible return codes could be specified, using a "
         "ValueMap qualifier on the method. The strings to which the "
         "ValueMap contents are 'translated' may also be specified in "
         "the subclass as a Values array qualifier.") ]
    uint32 StopService();
};

// ==================================================================
//    ServiceAccessPoint
// ==================================================================
        [Abstract, Description (
         "CIM_ServiceAccessPoint represents the ability to utilize or "
         "invoke a Service.  Access points represent that a Service "
         "is "
         "made available to other entities for use.") ]
class CIM_ServiceAccessPoint:CIM_LogicalElement
{
        [Key, MaxLen (256), Description (
           "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
           "with the other key properties of this class, this "
           "property "
           "allows all instances of this class and its subclasses to "
           "be uniquely identified.") ]
    string CreationClassName;
        [Override ("Name"), Key, MaxLen (256),
         Description (
         "The Name property uniquely identifies the "
         "ServiceAccessPoint "
         "and provides an indication of the functionality that is "
         "managed.  This functionality is described in more detail in "
         "the object's Description property.") ]
    string Name;
        [Propagated ("CIM_System.CreationClassName"), Key,
           MaxLen (256), Description (
         "The scoping System's CreationClassName.") ]
    string SystemCreationClassName;
        [Propagated ("CIM_System.Name"), Key, MaxLen (256),
           Description ("The scoping System's Name.") ]
    string SystemName;
};

// ==================================================================
// ===              Association class definitions                 ===
// ==================================================================

// ==================================================================
//    Component
// ==================================================================
        [Association, Abstract, Aggregation, Description (
         "CIM_Component is a generic association used to establish "
         "'part of' relationships between Managed System Elements. "
         "For "
         "example, the SystemComponent association defines parts of "
         "a System.") ]
class CIM_Component
{
        [Aggregate, Key, Description (
         "The parent element in the association.") ]
    CIM_ManagedSystemElement REF GroupComponent;
        [Key, Description ("The child element in the association.") ]
    CIM_ManagedSystemElement REF PartComponent;
};

// ==================================================================
// Dependency
// ==================================================================
        [Association, Abstract, Description (
        "CIM_Dependency is a generic association used to establish "
        "dependency relationships between ManagedElements.") ]
class CIM_Dependency
{
        [Key, Description (
        "Antecedent represents the independent object in this "
        "association.") ]
  CIM_ManagedElement REF Antecedent;
        [Key, Description (
    "Dependent represents the object dependent on the "
    "Antecedent.") ]
  CIM_ManagedElement REF Dependent;
};

// ===================================================================
//    ElementSetting
// ===================================================================
        [Association, Description (
         "ElementSetting represents the association between Managed"
         "SystemElements and the Setting class(es) defined for them.")
]
class CIM_ElementSetting
{
        [Key, Description ("The ManagedSystemElement.") ]
   CIM_ManagedSystemElement REF Element;
        [Key, Description (
         "The Setting object associated with the ManagedSystem"
         "Element.") ]
   CIM_Setting REF Setting;
};
// ==================================================================
// MemberOfCollection
// ==================================================================
        [Association, Aggregation, Description (
        "CIM_MemberOfCollection is an aggregation used to establish "
        "membership of ManagedElements in a Collection." ) ]

class CIM_MemberOfCollection
{
        [Key, Aggregate, Description ("The Collection that aggregates
members") ]
  CIM_Collection REF Collection;
        [Key, Description ("The aggregated member of the collection.")
]
  CIM_ManagedElement REF Member;
};

// ==================================================================
//     CIM_SystemSettingContext
// ==================================================================
        [Association, Aggregation, Description (
         "This relationship associates System-specific Configuration "
         "objects with System-specific Setting objects, similar to "
         "the "
         "SettingContext association.")]
class CIM_SystemSettingContext {
        [Aggregate, Key, Description (
         "The Configuration object that aggregates the Setting.") ]
   CIM_SystemConfiguration REF Context;
        [Key, Description ("An aggregated Setting.")]
   CIM_SystemSetting REF Setting;
};

Appendix B (DMTF User Model MOF)

// ==================================================================
// OrganizationalEntity
// ==================================================================
   [Abstract, Description (
   "OrganizationalEntity is an abstract class from which classes "
   "that fit into an organizational structure are derived.") ]
class CIM_OrganizationalEntity : CIM_ManagedElement
   {
   };

// ==================================================================
// UserEntity
// ==================================================================
   [Abstract, Description (
   "UserEntity is an abstract class that represents users.") ]
class CIM_UserEntity : CIM_OrganizationalEntity
   {
   };

// ==================================================================
// UsersAccess
// ==================================================================
   [Description (
   "The UsersAccess object class is used to specify a system user "
   "that permitted access to system resources.  The ManagedElement "
   "that has access to system resources (represented in the model in "
   "the ElementAsUser association) may be a person, a service, a "
   "service access point or any collection thereof. Whereas the "
   "Account class represents the user's relationship to a system "
   "from the perspective of the security services of the system, the "
   "UserAccess class represents the relationships to the systems "
   "independent of a particular system or service.") ]
class CIM_UsersAccess: CIM_UserEntity
   {
      [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (256),Description (
      "The Name property defines the label by which the object is "
        "known.")]
   string Name;
      [Key, Description (
        "The ElementID property uniquely specifies the ManagedElement "
        "object instance that is the user represented by the "
        "UsersAccess object instance.  The ElementID is formatted "
        "similarly to a model path except that the property-value "
        "pairs are ordered in alphabetical order (US ASCII lexical "
        "order).")]
   string ElementID;
      [Description (
        "Biometric information used to identify a person.  The "
        "property value is left null or set to 'N/A' for non-human "
        "user or a user not using biometric information for "
        "authentication."),
        Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger",
                 "Voice", "DNA-RNA", "EEG"} ]
   uint16 Biometric[];
   };

// ==================================================================
//    SecurityService
// ==================================================================
        [ Abstract, Description (
         "CIM_SecurityService ...") ]
class CIM_SecurityService:CIM_Service
{
};

// ==================================================================
//    AuthenticationService
// ==================================================================
   [Description (
   "CIM_AuthenticationService verifies users' identities through "
   "some means.  These services are decomposed into a subclass that "
   "provides credentials to users and a subclass that provides for "
   "the verification of the validity of a credential and, perhaps, "
   "the appropriateness of its use for access to target resources. "
   "The persistent state information used from one such verification "
   "to another is maintained in an Account for that Users Access on "
   "that AuthenticationService.") ]
class CIM_AuthenticationService:CIM_SecurityService
   {
   };

// ==================================================================
//    CredentialManagementService
// ==================================================================
   [Description (
   "CIM_CredentialManagementService issues credentials and manages "
   "the credential lifecycle.") ]
class CIM_CredentialManagementService:CIM_AuthenticationService
   {
   };

// ==================================================================
//    CertificateAuthority
// ==================================================================
        [Description ("A Certificate Authority (CA) is a credential "
         "management service that issues and cryptographically "
         "signs certificates thus acting as an trusted third-party "
         "intermediary in establishing trust relationships. The CA "
         "authenicates the holder of the private key related to the "
         "certificate's public key; the authenicated entity is "
         "represented by the UsersAccess class.") ]
class CIM_CertificateAuthority:CIM_CredentialManagementService
{
        [Description (
         "The CAPolicyStatement describes what care is taken by the "
         "CertificateAuthority when signing a new certificate.  "
         "The CAPolicyStatment may be a dot-delimited ASN.1 OID "
         "string which identifies to the formal policy statement.") ]
    string CAPolicyStatement;
        [Description ( "A CRL, or CertificateRevocationList, is a "
         "list of certificates which the CertificateAuthority has "
         "revoked and which are not yet expired.  Revocation is "
         "necessary when the private key associated with the public "
         "key of a certificate is lost or compromised, or when the "
         "person for whom the certificate is signed no longer is "
         "entitled to use the certificate."), Octetstring ]
    string CRL[];
        [Description ("Certificate Revocation Lists may be "
         "available from a number of distribution points.  "
         "CRLDistributionPoint array values provide URIs for those "
         "distribution points.")]
    string CRLDistributionPoint[];
        [Description ( "Certificates refer to their issuing CA by "
         "its Distinguished Name (as defined in X.501)."), DN]
    string CADistinguishedName;
        [Description ( "The frequency, expressed in hours, at which "
           "the CA will update its Certificate Revocation List.  Zero "
           "implies that the refresh frequency is unknown."),
           Units("Hours")]
    uint8 CRLRefreshFrequency;
        [Description ( "The maximum number of certificates in a "
         "certificate chain permitted for credentials issued by "
         "this certificate authority or it's subordinate CAs.\n"
         "The MaxChainLength of a superior CA in the trust "
         "hierarchy should be greater than this value and the "
         "MaxChainLength of a subordinate CA in the trust hierarchy "
         "should be less than this value.")]
    uint8 MaxChainLength;
};

// ==================================================================
//    KerberosKeyDistributionCenter
// ==================================================================
        [Description (
         "CIM_KerberosKeyDistributionCenter ...") ]
class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService
{
        [Override ("Name"),
         Description ("The Realm served by this KDC.")]
    string Name;
        [Description ("The version of Kerberos supported by this "
         "service."),
         Values {"V4", "V5", "DCE", "MS"} ]
    uint16 Protocol[];
};

// ==================================================================
//    Notary
// ==================================================================
        [Description (
         "CIM_Notary is an AuthenticationService (credential "
         "management service) which compares the "
         "biometric characteristics of a person with the "
         "known characteristics of an Users Access, and determines "
         "whether the person is the UsersAccess.  An example is "
         "a bank teller who compares a picture ID with the person "
         "trying to cash a check, or a biometric login service that "
         "uses voice recognition to identify a user.") ]
class CIM_Notary:CIM_CredentialManagementService
{
        [Description ( "The types of biometric information which "
           "this Notary can compare."),
         Values { "N/A", "Other", "Facial", "Retina", "Mark",
                  "Finger", "Voice", "DNA-RNA", "EEG"} ]
    uint16 Comparitors;
        [Description (
         "The SealProtocol is how the decision of the Notary is "
         "recorded for future use by parties who will rely on its "
         "decision.  For instance, a drivers licence frequently "
         "includes tamper-resistent coatings and markings to protect "
         "the recorded decision that a driver, having various "
         "biometric characteristics of height, weight, hair and eye "
         "color, using a particular name, has features represented in "
         "a photograph of their face.")]
    string SealProtocol;
        [Description (
         "CharterIssued documents when the Notary is first "
         "authorized, by whoever gave it responsibility, to perform "
         "its service.")]
    datetime CharterIssued;
        [Description (
         "CharterExpired documents when the Notary is no longer "
         "authorized, by whoever gave it responsibility, to perform "
         "its service.")]
    datetime CharterExpired;
};

// ==================================================================
//    LocalCredentialManagementService
// ==================================================================
        [Description (
         "CIM_LocalCredentialManagementService is a credential "
         "management service that provides local system "
         "management of credentials used by the local system.") ]
class
CIM_LocalCredentialManagementService:CIM_CredentialManagementService
{
};

// ==================================================================
//    SharedSecretService
// ==================================================================
        [Description (
         "CIM_SharedSecretService is a service which ascertains "
         "whether messages received are from the Principal with "
         "whom a secret is shared.  Examples include a login "
         "service that proves identity on the basis of knowledge of "
         "the shared secret, or a transport integrity service (like "
         "Kerberos provides) that includes a message authenticity "
         "code that proves each message in the messsage stream came "
         "from someone who knows the shared secret session key.")]
class CIM_SharedSecretService:CIM_LocalCredentialManagementService
{
        [MaxLen (256), Description (
         "The Algorithm used to convey the shared secret, such as "
         "HMAC-MD5,or PLAINTEXT.") ]
    string Algorithm;
        [Description (
         "The Protocol supported by the SharedSecretService.")]
    string Protocol;
};

// ==================================================================
//    PublicKeyManagementService
// ==================================================================
        [Description (
         "CIM_PublicKeyManagementService is a credential management "
         "service that provides local system management of public "
         "keys used by the local system.") ]
class
CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService
{
};

// ==================================================================
//    Credential
// ==================================================================
        [Abstract, Description (
         "Subclasses of CIM_Credential define materials, "
         "information, or other data which are used to prove the "
         "identity of a CIM_UsersAccess to a particular "
         "CIM_SecurityService.  Generally, there may be some shared "
         "information, or credential material which is used to "
         "identify and authenticate ones self in the process of "
         "gaining access to, or permission to use, an Account. "
         "Such credential material may be used to authenticate a "
         "users access identity  initially, as done by a "
         "CIM_AuthenticationService (see later), and additionally on "
         "an ongoing basis during the course of a connection or "
         "other  security association, as proof that each received "
         "message or communication came from the owning user access "
         "of "
         "that credential material.") ]
class CIM_Credential:CIM_ManagedElement
{
};

// ==================================================================
//    PublicKeyCertificate
// ==================================================================
        [Description ("A Public Key Certificate is a credential "
         "that is cryptographically signed by a trusted Certificate "
         "Authority (CA) and issued to an authenticated entity "
         "(e.g., human user, service,etc.) called the Subject in "
         "the certificate and represented by the UsersAccess class. "
         "The public key in the certificate is cryptographically "
         "related to a private key that is to be held and kept "
         "private by the authenticated Subject.  The certificate "
         "and its related private key can then be used for "
         "establishing trust relationships and securing "
         "communications with the Subject.  Refer to the ITU/CCITT "
         "X.509 standard as an example of such certificates.") ]
class CIM_PublicKeyCertificate:CIM_Credential
{
         [Propagated ("CIM_System.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"),
          Key, MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Propagated ("CIM_CertificateAuthority.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_CertificateAuthority.Name"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceName;
         [Key, MaxLen (256), Description (
          "Certificate subject identifier")]
     string Subject;
         [MaxLen (256), Description (
          "Alternate subject identifier for the Certificate.")]
     string AltSubject;
         [Description ("The DER-encoded raw public key."), Octetstring]
     uint8 PublicKey[];
};

// ==================================================================
//    UnsignedPublicKey
// ==================================================================
        [Description (
         "A CIM_UnsignedPublicKey represents an unsigned public "
         "key credential.  The local UsersAccess (or subclass "
         "thereof) accepts the public key as authentic because of "
         "a direct trust relationship rather than via a third-party "
         "Certificate Authority.") ]
class CIM_UnsignedPublicKey:CIM_Credential
{
         [Propagated ("CIM_System.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"),
          Key, MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Propagated
("CIM_PublicKeyManagementService.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_PublicKeyManagementService.Name"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceName;
         [Key, MaxLen (256), Description (
          "The Identity of the Peer with whom a direct trust "
          "relationship exists.  The public key may be used for "
          "security functions with the Peer."),
         ModelCorrespondence
           {"CIM_PublicKeyManagementService.PeerIdentityType" } ]
     string PeerIdentity;
           [Description ("PeerIdentityType is used to describe the "
          "type of the PeerIdentity.  The currently defined values "
          "are used for IKE identities."),
           ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8",
          "9", "10", "11"},
           Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN",
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
          "DER_ASN1_GN", "KEY_ID"},
         ModelCorrespondence
           {"CIM_PublicKeyManagementService.PeerIdentity" } ]
     uint16 PeerIdentityType;
         [Description ("The DER-encoded raw public key."),
          Octetstring]
     uint8 PublicKey[];
};

// ==================================================================
//    KerberosTicket
// ==================================================================
        [Description (
         "A CIM_KerberosTicket represents a credential issued by a "
         "particular Kerberos Key Distribution Center (KDC) "
         "to a particular CIM_UsersAccess as the result of a "
         "successful authentication process.  There are two types of "
         "tickets that a KDC may issue to a Users Access - a "
         "TicketGranting ticket, which is used to protect and "
         "authenticate communications between the Users Access and "
         "the "
         "KDC, and a Session ticket, which the KDC issues to two "
         "Users Access to allow them to communicate with each other. "
          ) ]
class CIM_KerberosTicket:CIM_Credential
{
         [Propagated ("CIM_System.CreationClassName"), Key,
         MaxLen (256), Description ("Scoping System")]
        string SystemCreationClassName;
         [Propagated ("CIM_System.Name"), Key,
         MaxLen (256),Description ("Scoping System")]
        string SystemName;
         [Key, MaxLen (256), Propagated
         ("CIM_KerberosKeyDistributionCenter.CreationClassName"),
         Description ("Scoping Service")]
        string ServiceCreationClassName;
         [Propagated ("CIM_KerberosKeyDistributionCenter.Name"),
         Key, MaxLen (256),
         Description ("Scoping Service.  The Kerberos KDC Realm of "
        "CIM_KerberosTicket is used to record the security "
        "authority, or Realm, name so that tickets issued by "
        "different Realms can be separately managed and "
          "enumerated.")]
        string ServiceName;
        [Key, MaxLen (256), Description ("The name of the service "
           "for which this ticket is used.")]
        string AccessesService;
        [Key, MaxLen (256), Description (
         "RemoteID is the name by which the user is known at "
         "the KDC security service.")]
        string RemoteID;
        datetime Issued;
        datetime Expires;
          [Description (
          "The Type of CIM_KerberosTicket is used to indicate whether "
          "the ticket in question was issued by the Kerberos Key "
          "Distribution Center (KDC) to support ongoing communication "
          "between the Users Access and the KDC (\"TicketGranting\"), "
          "or was issued by the KDC to support ongoing communication "
          "between two Users Access entities (\"Session\")." ),
          Values {"Session", "TicketGranting"}]
        uint16 TicketType;
};

// ==================================================================
//    SharedSecret
// ==================================================================
        [Description (
         "CIM_SharedSecret is the secret shared between a Users "
         "Access "
         "and a particular SharedSecret security service.  Secrets "
         "may be in the form of a password used for initial "
         "authentication, or as with a session key, used as part of "
         "a message authentication code to verify that a message "
         "originated by the pricinpal with whom the secret is shared. "
         "It is important to note that SharedSecret is not just the "
         "password, but rather is the password used with a particular "
         "security service.")]
class CIM_SharedSecret:CIM_Credential
{
         [Propagated ("CIM_System.CreationClassName"), Key,
          MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"), Key,
          MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Key, MaxLen (256), Propagated
          ("CIM_SharedSecretService.CreationClassName"),
          Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_SharedSecretService.Name"),
          Key, MaxLen (256),
          Description ("Scoping Service")]
     string ServiceName;
        [Key, MaxLen (256), Description (
         "RemoteID is the name by which the user is known at "
         "the remote secret key authentication service.")]
     string RemoteID;
        [Description (
         "secret is the secret known by the Users Access.")]
     string secret;
        [Description (
         "algorithm names the transformation algorithm, if any, used "
         "to protect passwords before use in the protocol.  For "
         "instance, Kerberos doesn't store passwords as the shared "
         "secret, but rather, a hash of the password.")]
     string algorithm;
        [Description (
         "protocol names the protocol with which the SharedSecret is "
         "used.")]
     string protocol;
};

// ==================================================================
//    NamedSharedIKESecret
// ==================================================================
        [Description (
         "CIM_NamedSharedIKESecret indirectly represents a shared "
         "secret credential.  The local identity, IKEIdentity, "
         "and the remote peer identity share the secret that is "
         "named by the SharedSecretName.  The SharedSecretName is "
         "used SharedSecretService to reference the secret.") ]
class CIM_NamedSharedIKESecret:CIM_Credential

{
         [Propagated ("CIM_System.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"),
          Key, MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Propagated ("CIM_SharedSecretService.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_SharedSecretService.Name"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceName;
         [Key, MaxLen (256), Description (
          "The local Identity with whom the direct trust "
          "relationship exists."),
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.LocalIdentityType" } ]
     string LocalIdentity;
           [Key, Description ("LocalIdentityType is used to describe "
          "the type of the LocalIdentity."),
           ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
          "9", "10", "11"},
           Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
          "DER_ASN1_GN", "KEY_ID"},
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.LocalIdentity" } ]
    uint16 LocalIdentityType;
         [Key, MaxLen (256), Description (
          "The peer identity with whom the direct trust "
          "relationship exists."),
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.PeerIdentityType" } ]
     string PeerIdentity;
           [Key, Description ("PeerIdentityType is used to describe "
          "the type of the PeerIdentity."),
           ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
          "9", "10", "11"},
           Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
          "DER_ASN1_GN", "KEY_ID"},
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.PeerIdentity" } ]
     uint16 PeerIdentityType;
         [Description ("SharedSecretName is an indirect reference "
          "to a shared secret.  The SecretService does not expose "
          "the actual secret but rather provides access to the "
          "secret via a name.")]
     string SharedSecretName;
};

// ==================================================================
// ===              Association class definitions                 ===
// ==================================================================

// ==================================================================
// ElementAsUser
// ==================================================================
   [Association, Description (
   "CIM_ElementAsUser is an association used to establish the "
   "'ownership' of UsersAccess object instances.  That is, the "
   "ManagedElement may have UsersAccess to systems and, therefore, "
   "be 'users' on those systems.  UsersAccess instances must have an "
   "'owning' ManagedElement.  Typically, the ManagedElements will be "
   "limited to Collection, Person, Service and ServiceAccessPoint. "
   "Other non-human ManagedElements that might be thought of as "
   "having UsersAccess (e.g., a device or system) have services that "
   "have the UsersAccess.")]
class CIM_ElementAsUser : CIM_Dependency
   {
        [Min (1), Max (1), Override ("Antecedent"),
        Description ("The ManagedElement that has UsersAccess") ]
   CIM_ManagedElement REF Antecedent;
        [Override ("Dependent"),
        Description ("The 'owned' UsersAccess") ]
   CIM_UsersAccess REF Dependent;
   };

// ==================================================================
// UsersCredential
// ==================================================================
   [Association, Description (
   "CIM_UsersCredential is an association used to establish the "
   "credentials that may be used for a UsersAccess to a system or "
   "set of systems. "    )]
class CIM_UsersCredential : CIM_Dependency
   {
        [Override ("Antecedent"),
        Description ("The issued credential that may be used.") ]
   CIM_Credential REF Antecedent;
        [Override ("Dependent"),
        Description ("The UsersAccess that has use of a credential") ]
   CIM_UsersAccess REF Dependent;
   };

// ===================================================================
//    PublicPrivateKeyPair
// ===================================================================
        [Association, Description (
         "This relationship associates a PublicKeyCertificate with "
         "the Principal who has the PrivateKey used with the "
         "PublicKey.  The PrivateKey is not modeled, since it is not "
         "a data element that ever SHOULD be accessible via "
         "management applications, other than key recovery services, "
         "which are outside our scope.") ]
class CIM_PublicPrivateKeyPair:CIM_UsersCredential
{
      [ Override ("Antecedent") ]
   CIM_PublicKeyCertificate REF Antecedent;
      [ Override ("Dependent") ]
   CIM_UsersAccess REF Dependent;
        [Description ( "The Certificate may be used for signature "
        "only "
        "or for confidentiality as well as signature"),
        Values { "SignOnly", "ConfidentialityOrSignature"} ]
   uint16 Use;
   boolean NonRepudiation;
   boolean BackedUp;
        [Description ("The repository in which the certificate is "
        "backed up.")]
   string Repository;
};

// ===================================================================
//    CAHasPublicCertificate
// ===================================================================
   [Association, Description (
   "A CertificateAuthority may have certificates issued by other CAs. "
   "This association is essentially an optimization of the CA having "
   "a UsersAccess instance with an association to a certificate thus "
   "mapping more closely to LDAP-based certificate authority "
   "implementations.") ]
class CIM_CAHasPublicCertificate:CIM_Dependency
{
        [Max (1), Override ("Antecedent"),
        Description ("The Certificate used by the CA")]
   CIM_PublicKeyCertificate REF Antecedent;
        [Override ("Dependent"),
        Description ("The CA that uses a Certificate")]
   CIM_CertificateAuthority REF Dependent;
};

// ===================================================================
//    ManagedCredential
// ===================================================================
        [Association, Description (
         "This relationship associates a CredentialManagementService "
         "with the Credential it manages.") ]
class CIM_ManagedCredential:CIM_Dependency
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ( "The credential management service")]
   CIM_CredentialManagementService REF Antecedent;
        [Override ("Dependent"),
        Description ( "The managed credential")]
   CIM_Credential REF Dependent;
};

// ===================================================================
//    CASignsPublicKeyCertificate
// ===================================================================
        [Association, Description (
         "This relationship associates a CertificateAuthority with "
         "the certificates it signs.") ]
class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ( "The CA which signed the certificate")]
   CIM_CertificateAuthority REF Antecedent;
        [Override ("Dependent"), Weak,
        Description ( "The certificate issued by the CA")]
   CIM_PublicKeyCertificate REF Dependent;
   string SerialNumber;
      [ Octetstring ]
   uint8 Signature[];
   datetime Expires;
   string CRLDistributionPoint[];
};

// ==================================================================
//    LocallyManagedPublicKey
// ==================================================================
        [Association, Description (
         "CIM_LocallyManagedPublicKey association provides the "
         "relationship between a PublicKeyManagementService and an "
         "UnsignedPublicKey.") ]
class CIM_LocallyManagedPublicKey:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
         Description ("The PublicKeyManagementService that manages "
         "an unsigned public key.") ]
    CIM_PublicKeyManagementService REF Antecedent;
        [Override ("Dependent"), Weak, Description (
         "An unsigned public key.") ]
    CIM_UnsignedPublicKey REF Dependent;
};

// ===================================================================
//    SharedSecretIsShared
// ===================================================================
        [Association, Description (
         "This relationship associates a SharedSecretService with the "
         "SecretKey it verifies.") ]
class CIM_SharedSecretIsShared : CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ("The credential management service")]
   CIM_SharedSecretService REF Antecedent;
        [Override ("Dependent"), Weak,
        Description ( "The managed credential")]
   CIM_SharedSecret REF Dependent;
};

// ==================================================================
//    IKESecretIsNamed
// ==================================================================
        [Association, Description (
         "CIM_IKESecretIsNamed association provides the "
         "relationship between a SharedSecretService and a "
         "NamedSharedIKESecret.") ]
class CIM_IKESecretIsNamed:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
         Description ("The SharedSecretService that manages a "
         "NamedSharedIKESecret.")]
    CIM_SharedSecretService REF Antecedent;
        [Override ("Dependent"), Weak, Description (
         "The managed NamedSharedIKESecret.") ]
    CIM_NamedSharedIKESecret  REF Dependent;
};

// ===================================================================
//    KDCIssuesKerberosTicket
// ===================================================================
   [Association, Description (
   "The KDC issues and owns Kerberos tickets.  This association "
   "captures the relationship between the KDC and its issued tickets."
   ) ]
class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ( "The issuing KDC") ]
   CIM_KerberosKeyDistributionCenter REF Antecedent;
        [Override ("Dependent"), Weak,
        Description ( "The managed credential")]
   CIM_KerberosTicket REF Dependent;
};

// ===================================================================
//    NotaryVerifiesBiometric
// ===================================================================
        [Association, Description (
         "This relationship associates a Notary service with the "
         "Users Access whose biometric information is verified.") ]
class CIM_NotaryVerifiesBiometric : CIM_Dependency
{
        [Override ("Antecedent"),
        Description ("The Notary service that verifies biometric "
        "information ") ]
   CIM_Notary REF Antecedent;
        [Override ("Dependent"),
        Description ( "The UsersAccess that represents a person using "
        "biometric information for authentication.")]
   CIM_UsersAccess REF Dependent;
};

Appendix C (DMTF Network Model MOF)

// ==================================================================
//     NetworkService
// ==================================================================
        [Abstract, Description (
         "This is an abstract base class, derived from the Service "
         "class. It serves as the root of the network service "
         "hierarchy. Network services represent generic functions "
         "that are available from the network that configure and/or "
         "modify the traffic being sent. For example, FTP is not a "
         "network service, as it simply passes data unchanged from "
         "source to destination. On the other hand, services "
         "that provide quality of service (e.g., DiffServ) and "
         "security (e.g., IPSec) do affect the traffic stream. "
         "Quality of service, IPSec, and other services are "
         "subclasses of this class. This class hierarchy enables "
         "developers to match services to users, groups, "
         "and other objects in the network.") ]

class CIM_NetworkService : CIM_Service
{
        [Description (
         "This is a free-form array of strings that provide "
         "descriptive words and phrases that can be used in queries "
         "to help locate and identify instances of this service.") ]
    string Keywords [ ];
        [Description (
         "This is a URL that provides the protocol, network "
         "location, and E. Ellesson, J. Strassner, "Policy Core
   Information Model -- Version other service-specific information required "
         "in order to access the service. This should be implemented "
         "as a LabeledURI, with syntax DirectoryString and a "
         "matching rule of CaseExactMatch, for directory "
         "implementors.") ]
    string ServiceURL;
        [Description (
         "This is a free-form array of strings that specify any "
         "specific pre-conditions that must be met in order for this "
         "service to start correctly. It is expected that subclasses "
         "will refine the inherited StartService() and StopService()"
         "methods to suit their own application-specific needs. This "
         "property is used to specify application-specific conditions "
         "needed by the refined StartService and StopService"
         "methods.") ]
    string StartupConditions [ ];
         [Description (
         "This is a free-form array of strings that specify any "
         "specific parameters that must be supplied to the "
         "StartService() method in order for this service to start "
         "correctly. It is expected that subclasses will refine the "
         "inherited StartService() and StopService() methods to suit "
         "their own application-specific needs. This property is used "
         "to specify application-specific parameters needed by the "
         "refined StartService and StopService methods.") ]
    string StartupParameters [ ];
};

// ==================================================================
//     ProtocolEndpoint
// ==================================================================
        [Description (
         "A communication point from which data may be sent or "
         "received. ProtocolEndpoints link router interfaces and "
         "switch ports to LogicalNetworks.") ]

class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint
{
        [Override ("Name"), MaxLen(256), Description (
         "A string which identifies this ProtocolEndpoint with either "
         "a port or an interface on a device. To ensure uniqueness, "
         "the Name property should be prepended or appended with "
         "information from the Type or OtherTypeDescription "
         "properties. The method chosen is described in the "
         "NameFormat property of this class.") ]
    string Name;
        [MaxLen (256), Description (
         "NameFormat contains the naming heuristic that is chosen to "
         "ensure that the value of the Name property is unique. For "
         "example, one might choose to prepend the name of the port "
         "or interface with the Type of ProtocolEndpoint that this "
         "instance is (e.g., IPv4)followed by an underscore.") ]
    string NameFormat;
        [MaxLen (64), Description (
         "ProtocolType is an enumeration that provides additional "
         "information that can be used to help categorize and "
         "classify different instances of this class."),
          ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
                   "10", "11", "12", "13", "14", "15", "16", "17",
                   "18", "19", "20", "21"},
         Values { "Unknown", "Other", "IPv4", "IPv6", "IPX",
                 "AppleTalk", "DECnet", "SNA", "CONP", "CLNP",
                 "VINES", "XNS", "ATM", "Frame Relay",
                 "Ethernet", "TokenRing", "FDDI", "Infiniband",
                 "Fibre Channel", "ISDN BRI Endpoint",
                 "ISDN B Channel Endpoint", "ISDN D Channel Endpoint"
},
          ModelCorrespondence {
                 "CIM_ProtocolEndpoint.OtherTypeDescription"} ]
    string ProtocolType;
        [MaxLen(64), Description (
         "A string describing the type of ProtocolEndpoint that this "
         "instance is when the Type property of this class (or any of "
         "its  subclasses) is set to 1 Specification", draft-ietf-policy-
   core-infor-model-06.txt, May 2000.  Internet-Draft work (e.g., 'Other'). The format of "
         "the string inserted in progress.

   [DOI] Piper, D., this property should be similar in "
         "format to the values defined for the Type property. This "
         "property should be set to NULL when the Type property is "
         "any value other than 1."),
           ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} ]
   string OtherTypeDescription;
};

// ==================================================================
//     IPProtocolEndpoint
// ==================================================================
        [Description (
         "A ProtocolEndpoint that is dedicated to running IP.") ]

class CIM_IPProtocolEndpoint : CIM_ProtocolEndpoint
{
        [Description (
         "The IP address that this ProtocolEndpoint represents, "
         "formatted according to the appropriate convention as "
         "defined in the AddressType property of this class "
         " (e.g., 171.79.6.40).") ]
    string Address;
        [Description (
         "The Internet mask for the IP Security Domain address of Interpretation this ProtocolEndpoint, "
         "formatted according to the appropriate convention as "
         "defined in the AddressType property of this class "
         " (e.g., 255.255.252.0).") ]
    string SubnetMask;
        [Description (
         "An enumeration that describes the format of the address "
         "property. Whenever possible, IPv4-compatible addresses "
         "should be used instead of native IPv6 addresses (see "
         "RFC 2373, section 2.5.4). In order to have a consistent "
         "format for ISAKMP", RFC 2407, November 1998.

   [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory
   Access Protocol (v3)", RFC 2251, December 1997.

   [COPS] Boyle, J., IPv4 addresses in a mixed IPv4/v6 environment, "
         "all IPv4 addresses and R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
   Sastry, "The COPS (Common Open Policy Service) Protocol", both IPv4-compatible IPv6 addresses "
         "and IPv4-mapped IPv6 addresses, per RFC 2748,
   January 2000.  Internet-Draft work 2373, section "
         "2.5.4, should be formatted in progress.

   [COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie,
   F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
   Policy Provisioning", draft-ietf-rap-pr-02.txt, March 2000.
   Internet-Draft work standard IPv4 format. "
         "However, this (the 2.2) version of the Network Common "
         "Model will not explicitly support mixed IPv4/IPv6 "
         "environments. This will be added in progress.

   [SPSL] Condell, M., a future release."),
        ValueMap { "0", "1", "2" },
        Values { "Unknown", "IPv4", "IPv6" } ]
    uint16 AddressType;
        [Description (
         "It is not possible to tell from the address alone if a "
         "given IPProtocolEndpoint can support IPv4 and C. Lynn, J. Zao, "Security Policy
   Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000.
   Internet-Draft work in progress.

   [KEYWORDS] Bradner, S., "Key words IPv6, or "
         "just one of these. This property explicitly defines the "
         "support for use different versions of IP that this "
         "IPProtocolEndpoint has. "
         "\n\n"
         "More implementation experience is needed in RFCs order to Indicate
   Requirement Levels", BCP 14, RFC 2119, March 1997.

12. Disclaimer

   The views "
         "correctly model mixed IPv4/IPv6 networks; therefore, this "
         "version (2.2) of the Network Common Model will not support "
         "mixed IPv4/IPv6 environments. This will be looked at "
         "further in a future version."),
        ValueMap { "0", "1", "2" },
        Values { "Unknown", "IPv4 Only", "IPv6 Only" } ]
    uint16 IPVersionSupport;
};

// ===================================================================
//     CIM_FilterEntryBase
// ===================================================================
        [Description (
         "  FilterEntryBase is an abstract class to define the naming "
         "of all filter entries, and specification herein to allow their common "
         "aggregation into FilterLists. The FilterEntry subclass "
         "represents packet filtering. Other types of Entries are "
         "possible - for example, to filter security credentials. \n"
         "  FilterEntryBase is weak to the network device (e.g., the "
         "ComputerSystem) that contains it. Hence, the ComputerSystem "
         "keys are those propagated to this class.") ]

class CIM_FilterEntryBase : CIM_LogicalElement
{
        [Propagated ("CIM_ComputerSystem.CreationClassName"), Key,
           MaxLen (256),
         Description (
          "The scoping ComputerSystem's CreationClassName. ") ]
    string SystemCreationClassName;
        [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256),
         Description (
          "The scoping ComputerSystem's Name.") ]
    string SystemName;
        [Key, MaxLen (256),
         Description (
          "CreationClassName indicates the name of the authors class or the "
          "subclass used in the creation of an instance. When used "
          "with the other key properties of this class, this property "
          "allows all instances of this class and are
   not necessarily those its subclasses to "
          "be uniquely identified.") ]
    string CreationClassName;
        [Key, MaxLen (256),
         Description (
          "The Name property defines the label by which the Filter"
            "Entry is known and uniquely identified.") ]
    string Name;
        [Description (
          "Boolean indicating that the match condition described "
          "in the properties of their employer.  The authors the FilterEntryBase subclass "
          "should be negated.") ]
    boolean IsNegated;
};

// ==================================================================
//     FilterEntry
// ==================================================================
        [Description (
         "A FilterEntry is used by network devices to identify "
         "traffic and either forward them (with possibly further "
         "processing) to their
   employer specifically disclaim responsibility for any problems
   arising from correct or incorrect implementation destination, or use to deny their "
         "forwarding. They are the building block of FilterLists."
         "\n\n"
         "This class is oriented towards packet filtering. Other "
         "subclasses of FilterEntryBase can be defined to do other "
         "types of filtering. "
         "\n\n"
         "A FilterEntry is weak to the network device (e.g., the "
         "ComputerSystem) that contains it. Hence, the ComputerSystem "
         "keys are propagated to this
   specification.

13. Author's class.") ]

class CIM_FilterEntry : CIM_FilterEntryBase
{
        [Description (
         "This defines the type of traffic that is being filtered. "
         "This will affect the filtering rules in the MatchCondition "
         "property of this class."),
        ValueMap { "0", "1", "2", "3" },
        Values { "Unknown", "IPv4", "IPX", "IPv6" } ]
    uint16 TrafficType;
        [Description (
         "This specifies one of a set of ways to identify traffic. "
         "if the value is 1 (e.g., 'Other'), then the specific "
         "type of filtering is specified in the "
         "OtherMatchConditionType property of this class."),
         ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9",
                   "10", "11", "12" },
         Values {"Other", "Source Address

      Jamie Jason
      Intel Corporation
      MS JF3-206
      2111 NE 25th Ave.
      Hillsboro, OR 97124
      Phone: +1-503-264-9531
      Fax: +1-503-264-9428
      E-Mail: jamie.jason@intel.com

14. Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations Mask",
           "Destination Address and Mask", "Source Port",
           "Source Port Range", "Destination Port",
           "Destination Port Range", "Protocol Type",
           "Protocol Type and Option", "DSCP", "ToS Value",
           "802.1P Priority Value" },
         ModelCorrespondence {
           "CIM_FilterEntry.OtherMatchConditionType" } ]
    uint16 MatchConditionType;
        [Description (
         "If the value of the MatchConditionType property in this "
         "class is 1 (e.g., 'Other'), then the specific type of "
         "filtering is specified in this property."),
         ModelCorrespondence {
          "CIM_FilterEntry.MatchConditionType" } ]
    string OtherMatchConditionType;
        [Description (
         "This is the value of the condition that filters the "
         "traffic. It corresponds to the condition specified in the "
         "MatchConditionType property. If, however, the value of the "
         "MatchConditionProperty is 1, then it maybe copied and furnished corresponds to
   others, and derivative works that comment on or otherwise explain it the "
         "condition specified in the OtherMatchConditionType "
         "property.") ]
    string MatchConditionValue;
        [Description (
         "This defines whether the action should be to forward or assist "
         "deny traffic meeting the match condition specified in "
         "this filter."),
         ValueMap { "1", "2" },
         Values { "Permit", "Deny" } ]
    uint16 Action;
        [Description (
         "This defines whether this FilterEntry is the default "
         "entry to use by its implementation may FilterList.") ]
    boolean DefaultFilter;
        [Description (
         "This defines the traffic class that is being matched by "
         "this FilterEntry. Note that FilterEntries are aggregated "
         "into FilterLists by the EntriesInFilterList "
         "relationship. If the EntrySequence property of the "
         "aggregation is set to 0, this means that all the Filter"
         "Entries should be prepared, copied, published
   and distributed, in whole ANDed together. Consequently, the "
         "TrafficClass property of each of the aggregated Entries "
         "should be set to the same value."),
         ModelCorrespondence { "CIM_NextService.TrafficClass" } ]
    string TrafficClass;
};

// ==================================================================
//     FilterList
// ==================================================================
        [Description (
         "A FilterList is used by network devices to identify routes "
         "by aggregating a set of FilterEntries into a unit, called a "
         "FilterList. FilterLists can also be used to accept or in part, without restriction deny "
         "routing updates."
         "\n\n"
         "A FilterList is weak to the network device (e.g., the "
         "ComputerSystem) that contains it. Hence, the ComputerSystem "
         "keys are propagated to this class.") ]

class CIM_FilterList : CIM_LogicalElement
{
        [Propagated ("CIM_ComputerSystem.CreationClassName"), Key,
           MaxLen (256), Description (
         "The scoping ComputerSystem's CreationClassName. ") ]
    string SystemCreationClassName;

        [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256),
         Description ("The scoping ComputerSystem's Name.") ]
    string SystemName;

        [Key, Description (
         "The type of any
   kind, provided class that this instance is.") ]
    string CreationClassName;
        [Key, MaxLen(256), Description (
         "This is the above copyright notice name of the FilterList.") ]
    string Name;
        [Description (
         "This defines whether the FilterList is used "
         "for input, output, or both input and this paragraph output "
         "filtering. All values are included used with respect to "
         "the interface for which the FilterList applies. "
         "\n\n"
         "\"Not Applicable\" (0) is used when there is no "
         "direction applicable to the FilterList.\n"
         "\"Input\" (1) is used when the FilterList applies "
         "to packets that are inbound on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing the copyright notice related "
         "interface.\n"
         "\"Output\" (2) is used when the FilterList applies "
         "to packets that are outbound on the related "
         "interface.\n"
         "\"Both\" (3) is used to indicate that "
         "the direction is immaterial, e.g., to filter on "
         "a source subnet regardless of whether the flow is "
         "inbound or references outbound.\n"
         "\"Mirrored\" (4) is also applicable to "
         "both inbound and outbound flow processing, but "
         "indicates that the Internet Society or other
   Internet organizations, except as needed for filter criteria are applied "
         "asymmetrically to traffic in both directions "
         "and, thus, specifies the purpose reversal of
   developing Internet standards in which case source and "
         "destination criteria (as opposed to the procedures for
   copyrights defined equality "
         "of these criteria as indicated by \"Both\"). "
         "The match conditions in the Internet Standards process must be
   followed, or as required to translate it into languages other then
   English.

   The limited permissions granted above aggregated "
         "FilterEntryBase subclass instances are perpetual defined "
         "from the perspective of outbound flows and will not be
   revoked applied "
         "to inbound flows as well by reversing the Internet Society or its successors or assigns.

   This document source "
         "and destination criteria. So, for example, "
         "consider a FilterList with 3 FilterEntries "
         "indicating destination port = 80, and source and "
         "destination addresses of a and b, respectively. "
         "Then, for the outbound direction, the filter "
         "entries match as specified and the information contained herein is provided 'mirror' (for "
         "the inbound direction) matches on an
   "AS IS" basis source "
         "port = 80 and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING
   TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF
   MERCHANTABILITY OR FITNESS FOR source and destination addresses "
         "of b and a, respectively."),
         Values {"Not Applicable", "Input", "Output",
               "Both", "Mirrored" } ]
    uint16 Direction;
};

// ==================================================================
// ===              Association class definitions                 ===
// ==================================================================

// ==================================================================
//    EntriesInFilterList
// ==================================================================
        [Association, Aggregation, Description (
         "This is a specialization of the CIM_Component aggregation "
         "which is used to define a set of filter entries (subclasses "
         "of FilterEntryBase) that are aggregated by a particular "
         "FilterList.") ]
class CIM_EntriesInFilterList : CIM_Component
{
        [Aggregate, Max(1), Override ("GroupComponent"),
         Description (
          "The FilterList, which aggregates the set "
          "of FilterEntries.") ]
    CIM_FilterList REF GroupComponent;
        [Override ("PartComponent"),
         Description (
          "Any subclass of FilterEntryBase which is a part of "
          "the FilterList.") ]
    CIM_FilterEntryBase REF PartComponent;
        [Description (
          "The order of the Entry relative to all others in the "
          "FilterList. A PARTICULAR PURPOSE. value of zero indicates that all the Entries "
          "should be ANDed together. Use of the Sequence property "
          "should be consistent across the List. It is not valid to "
          "define some Entries as ANDed in the FilterList (Sequence"
          "=0) while other Entries have a non-zero Sequence number.") ]
    uint16 EntrySequence;
};