draft-ietf-ipsp-config-policy-model-02.txt (1-March-2001) compared with draft-ietf-ipsp-config-policy-model-03.txt (20-July-2001)

Internet Engineering Task Force                            Jamie Jason
INTERNET DRAFT                                       Intel Corporation
1-March-2001 (-02) / 20-July-2001 (-03)                    Lee Rafalow
                                                                   IBM
                                                           Eric Vyncke
                                                         Cisco Systems

                   IPsec Configuration Policy Model
              draft-ietf-ipsp-config-policy-model-02.txt
              draft-ietf-ipsp-config-policy-model-03.txt

Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six

skipping to change at page 2, line 15
Table of Contents (draft-ietf-ipsp-config-policy-model-02.txt)

Status of this Memo................................................1
Abstract...........................................................1
Table of Contents..................................................2
1. Introduction....................................................7
2. UML Conventions.................................................7
3. IPsec Policy Model Inheritance Hierarchy........................8
4. Policy Classes.................................................13
4.1. The Class IPsecPolicyGroup...................................14
4.2. The Class SARule.............................................14
4.2.1. The Property LimitNegotiation..............................14
4.3. The Class IKERule............................................15
4.3.1. The Property IdentityContexts..............................15
4.4. The Class IPsecRule..........................................16
4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup..........16
4.5.1. The Reference GroupComponent...............................17
4.5.2. The Reference PartComponent................................17
4.5.3. The Property GroupPriority.................................17
4.6. The Association Class IPsecPolicyForEndpoint.................17
4.6.1. The Reference Antecedent...................................18
4.6.2. The Reference Dependent....................................18
4.7. The Association Class IPsecPolicyForSystem...................18
4.7.1. The Reference Antecedent...................................18
4.7.2. The Reference Dependent....................................18
4.8. The Aggregation Class RuleForIKENegotiation..................19
4.8.1. The Reference GroupComponent...............................19
4.8.2. The Reference PartComponent................................19
4.9. The Aggregation Class RuleForIPsecNegotiation................19
4.9.1. The Reference GroupComponent...............................19
4.9.2. The Reference PartComponent................................20
4.10. The Aggregation Class SAConditionInRule.....................20
4.10.1. The Reference GroupComponent..............................20
4.10.2. The Reference PartComponent...............................20
4.11. The Aggregation Class SAActionInRule........................20
4.11.1. The Reference GroupComponent..............................21
4.11.2. The Reference PartComponent...............................21
4.11.3. The Property ActionOrder..................................21
5. Condition and Filter Classes...................................22
5.1. The Class SACondition........................................22
5.2. The Class FilterEntry........................................23
5.3. The Class CredentialFilterEntry..............................23
5.3.1. The Property MatchFieldName................................24
5.3.2. The Property MatchFieldValue...............................24
5.3.3. The Property CredentialType................................24
5.4. The Class IPSOFilterEntry....................................24
5.4.1. The Property MatchConditionType............................25
5.4.2. The Property MatchConditionValue...........................25
5.5. The Class PeerIDPayloadFilterEntry...........................25
5.5.1. The Property MatchIdentityType.............................26
5.5.2. The Property MatchIdentityValue............................26
5.6. The Association Class FilterOfSACondition....................27
5.6.1. The Reference Antecedent...................................27
5.6.2. The Reference Dependent....................................27
5.7. The Association Class AcceptCredentialFrom...................27
5.7.1. The Reference Antecedent...................................28
5.7.2. The Reference Dependent....................................28
6. Action Classes.................................................29
6.1. The Class SAAction...........................................30
6.1.1. The Property DoActionLogging...............................30
6.1.2. The Property DoPacketLogging...............................30
6.2. The Class SAStaticAction.....................................31
6.2.1. The Property LifetimeSeconds...............................31
6.3. The Class IPsecBypassAction..................................31
6.4. The Class IPsecDiscardAction.................................31
6.5. The Class IKERejectAction....................................32
6.6. The Class PreconfiguredSAAction..............................32
6.6.1. The Property LifetimeKilobytes.............................33
6.7. The Class PreconfiguredTransportAction.......................33
6.8. The Class PreconfiguredTunnelAction..........................33
6.8.1. The Property PeerGatewayAddressType........................33
6.8.2. The Property PeerGatewayAddress............................34
6.8.3. The Property DFHandling....................................34
6.9. The Class SANegotiationAction................................34
6.9.1. The Property MinLifetimeSeconds............................35
6.9.2. The Property MinLifetimeKilobytes..........................35
6.9.3. The Property RefreshThresholdSeconds.......................35
6.9.4. The Property RefreshThresholdKilobytes.....................36
6.9.5. The Property IdleDurationSeconds...........................36
6.10. The Class IPsecAction.......................................36
6.10.1. The Property UsePFS.......................................37
6.10.2. The Property UseIKEGroup..................................37
6.10.3. The Property GroupId......................................37
6.10.4. The Property Granularity..................................38
6.10.5. The Property VendorID.....................................38
6.11. The Class IPsecTransportAction..............................38
6.12. The Class IPsecTunnelAction.................................38
6.12.1. The Property DFHandling...................................39
6.13. The Class IKEAction.........................................39
6.13.1. The Property RefreshThresholdDerivedKeys..................39
6.13.2. The Property ExchangeMode.................................40
6.13.3. The Property UseIKEIdentityType...........................40
6.13.4. The Property VendorID.....................................40
6.13.5. The Property AggressiveModeGroupId........................41
6.14. The Class PeerGateway.......................................41
6.14.1. The Property Name.........................................41
6.14.2. The Property PeerIdentityType.............................41
6.14.3. The Property PeerIdentity.................................42
6.15. The Association Class PeerGatewayForTunnel..................42
6.15.1. The Reference Antecedent..................................42
6.15.2. The Reference Dependent...................................43
6.15.3. The Property SequenceNumber...............................43
6.16. The Aggregation Class ContainedProposal.....................43
6.16.1. The Reference GroupComponent..............................43
6.16.2. The Reference PartComponent...............................44
6.16.3. The Property SequenceNumber...............................44
6.17. The Association Class HostedPeerGatewayInformation..........44
6.17.1. The Reference Antecedent..................................44
6.17.2. The Reference Dependent...................................44
6.18. The Association Class TransformOfPreconfiguredAction........44
6.18.1. The Reference Antecedent..................................45
6.18.2. The Reference Dependent...................................45
6.18.3. The Property SPI..........................................45
7. Proposal and Transform Classes.................................46
7.1. The Abstract Class SAProposal................................46
7.1.1. The Property Name..........................................46
7.2. The Class IKEProposal........................................47
7.2.1. The Property LifetimeDerivedKeys...........................47
7.2.2. The Property CipherAlgorithm...............................47
7.2.3. The Property HashAlgorithm.................................48
7.2.4. The Property PRFAlgorithm..................................48
7.2.5. The Property GroupId.......................................48
7.2.6. The Property AuthenticationMethod..........................48
7.2.7. The Property MaxLifetimeSeconds............................49
7.2.8. The Property MaxLifetimeKilobytes..........................49
7.2.9. The Property VendorID......................................49
7.3. The Class IPsecProposal......................................49
7.4. The Abstract Class SATransform...............................50
7.4.1. The Property TransformName.................................50
7.4.2. The Property VendorID......................................50
7.4.3. The Property MaxLifetimeSeconds............................50
7.4.4. The Property MaxLifetimeKilobytes..........................51
7.5. The Class AHTransform........................................51
7.5.1. The Property AHTransformId.................................51
7.5.2. The Property UseReplayPrevention...........................51
7.5.3. The Property ReplayPreventionWindowSize....................52
7.6. The Class ESPTransform.......................................52
7.6.1. The Property IntegrityTransformId..........................52
7.6.2. The Property CipherTransformId.............................52
7.6.3. The Property CipherKeyLength...............................53
7.6.4. The Property CipherKeyRounds...............................53
7.6.5. The Property UseReplayPrevention...........................53
7.6.6. The Property ReplayPreventionWindowSize....................53
7.7. The Class IPCOMPTransform....................................54
7.7.1. The Property Algorithm.....................................54
7.7.2. The Property DictionarySize................................54
7.7.3. The Property PrivateAlgorithm..............................54
7.8. The Association Class SAProposalInSystem.....................54
7.8.1. The Reference Antecedent...................................55
7.8.2. The Reference Dependent....................................55
7.9. The Aggregation Class ContainedTransform.....................55
7.9.1. The Reference GroupComponent...............................55
7.9.2. The Reference PartComponent................................56
7.9.3. The Property SequenceNumber................................56
7.10. The Association Class SATransformInSystem...................56
7.10.1. The Reference Antecedent..................................56
7.10.2. The Reference Dependent...................................56
8. IKE Service and Identity Classes...............................58
8.1. The Class IKEService.........................................59
8.2. The Class PeerIdentityTable..................................59
8.3.1. The Property Name..........................................59
8.3. The Class PeerIdentityEntry..................................60
8.3.1. The Property PeerIdentity..................................60
8.3.2. The Property PeerIdentityType..............................60
8.3.3. The Property PeerAddress...................................60
8.3.4. The Property PeerAddressType...............................60
8.4. The Class AutostartIKEConfiguration..........................61
8.5. The Class AutostartIKESetting................................61
8.5.1. The Property Phase1Only....................................61
8.5.2. The Property AddressType...................................62
8.5.3. The Property SourceAddress.................................62
8.5.4. The Property SourcePort....................................62
8.5.5. The Property DestinationAddress............................62
8.5.6. The Property DestinationPort...............................63
8.5.7. The Property Protocol......................................63
8.6. The Class IKEIdentity........................................63
8.6.1. The Property IdentityType..................................64
8.6.2. The Property IdentityValue.................................64
8.6.3. The Property IdentityContexts..............................64
8.7. The Association Class HostedPeerIdentityTable................65
8.7.1. The Reference Antecedent...................................65
8.7.2. The Reference Dependent....................................65
8.8. The Aggregation Class PeerIdentityMember.....................65
8.8.1. The Reference Collection...................................65
8.8.2. The Reference Member.......................................66
8.9. The Association Class IKEServicePeerGateway..................66
8.9.1. The Reference Antecedent...................................66
8.9.2. The Reference Dependent....................................66
8.10. The Association Class IKEServicePeerIdentityTable...........66
8.10.1. The Reference Antecedent..................................67
8.10.2. The Reference Dependent...................................67
8.11. The Association Class IKEAutostartSetting...................67
8.11.1. The Reference Element.....................................67
8.11.2. The Reference Setting.....................................67
8.12. The Aggregation Class AutostartIKESettingContext............67
8.12.1. The Reference Context.....................................68
8.12.2. The Reference Setting.....................................68
8.12.3. The Property SequenceNumber...............................68
8.13. The Association Class IKEServiceForEndpoint.................68
8.13.1. The Reference Antecedent..................................69
8.13.2. The Reference Dependent...................................69
8.14. The Association Class IKEAutostartConfiguration.............69
8.14.1. The Reference Antecedent..................................69
8.14.2. The Reference Dependent...................................69
8.14.3. The Property Active.......................................69
8.15. The Association Class IKEUsesCredentialManagementService....70
8.15.1. The Reference Antecedent..................................70
8.15.2. The Reference Dependent...................................70
8.16. The Association Class EndpointHasLocalIKEIdentity...........70
8.16.1. The Reference Antecedent..................................71
8.16.2. The Reference Dependent...................................71
8.17. The Association Class CollectionHasLocalIKEIdentity.........71
8.17.1. The Reference Antecedent..................................71
8.17.2. The Reference Dependent...................................71
8.18. The Association Class IKEIdentitysCredential................72
8.18.1. The Reference Antecedent..................................72
8.18.2. The Reference Dependent...................................72
9. Security Considerations........................................72
10. Intellectual Property.........................................72
11. Acknowledgments...............................................73
12. References....................................................73
13. Disclaimer....................................................74
14. Authors' Addresses............................................74
15. Full Copyright Statement......................................74
Appendix A (DMTF Core Model MOF)..................................75
Appendix B (DMTF User Model MOF)..................................90
Appendix C (DMTF Network Model MOF)..............................105

Table of Contents (draft-ietf-ipsp-config-policy-model-03.txt)

Status of this Memo................................................1
Abstract...........................................................1
Table of Contents..................................................2
1. Introduction....................................................7
2. UML Conventions.................................................7
3. IPsec Policy Model Inheritance Hierarchy........................8
4. Policy Classes.................................................13
4.1. The Class IPsecPolicyGroup...................................14
4.2. The Class SARule.............................................15
4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
       RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
       PolicyDecisionStrategy......................................15
4.2.2 The Property ExecutionStrategy.............................15
4.2.3 The Property LimitNegotiation..............................17
4.3. The Class IKERule............................................18
4.3.1. The Property IdentityContexts..............................18
4.4. The Class IPsecRule..........................................19
4.6. The Association Class IPsecPolicyForEndpoint.................19
4.6.1. The Reference Antecedent...................................19
4.6.2. The Reference Dependent....................................19
4.7. The Association Class IPsecPolicyForSystem...................20
4.7.1. The Reference Antecedent...................................20
4.7.2. The Reference Dependent....................................20
4.8. The Aggregation Class RuleForIKENegotiation..................20
4.8.1. The Property Priority......................................20
4.8.2. The Reference GroupComponent...............................20
4.8.3. The Reference PartComponent................................21
4.9. The Aggregation Class RuleForIPsecNegotiation................21
4.9.1. The Property Priority......................................21
4.9.2. The Reference GroupComponent...............................21
4.9.3. The Reference PartComponent................................21
4.10. The Aggregation Class SAConditionInRule.....................21
4.10.1. The Properties GroupNumber and ConditionNegated...........22
4.10.2. The Reference GroupComponent..............................22
4.10.3. The Reference PartComponent...............................22
4.11. The Aggregation Class PolicyActionInSARule..................22
4.11.1. The Reference GroupComponent..............................22
4.11.2. The Reference PartComponent...............................23
4.11.3. The Property ActionOrder..................................23
5. Condition and Filter Classes...................................24
5.1. The Class SACondition........................................24
5.2. The Class IPHeaderFilter.....................................25
5.3. The Class CredentialFilterEntry..............................25
5.3.1. The Property MatchFieldName................................25
5.3.2. The Property MatchFieldValue...............................26
5.3.3. The Property CredentialType................................26
5.4. The Class IPSOFilterEntry....................................26
5.4.1. The Property MatchConditionType............................27
5.4.2. The Property MatchConditionValue...........................27
5.5. The Class PeerIDPayloadFilterEntry...........................27
5.5.1. The Property MatchIdentityType.............................28
5.5.2. The Property MatchIdentityValue............................28
5.6. The Association Class FilterOfSACondition....................29
5.6.1. The Reference Antecedent...................................29
5.6.2. The Reference Dependent....................................29
5.7. The Association Class AcceptCredentialFrom...................29
5.7.1. The Reference Antecedent...................................30
5.7.2. The Reference Dependent....................................30
6. Action Classes.................................................31
6.1. The Class SAAction...........................................32
6.1.1. The Property DoActionLogging...............................32
6.1.2. The Property DoPacketLogging...............................32
6.2. The Class SAStaticAction.....................................33
6.2.1. The Property LifetimeSeconds...............................33
6.3. The Class IPsecBypassAction..................................34
6.4. The Class IPsecDiscardAction.................................34
6.5. The Class IKERejectAction....................................34
6.6. The Class PreconfiguredSAAction..............................34
6.6.1. The Property LifetimeKilobytes.............................35
6.7. The Class PreconfiguredTransportAction.......................35
6.8. The Class PreconfiguredTunnelAction..........................36
6.8.1. The Property DFHandling....................................36
6.9. The Class SANegotiationAction................................36
6.9.1. The Property MinLifetimeSeconds............................37
6.9.2. The Property MinLifetimeKilobytes..........................37
6.9.3. The Property RefreshThresholdSeconds.......................37
6.9.4. The Property RefreshThresholdKilobytes.....................38
6.9.5. The Property IdleDurationSeconds...........................38
6.10. The Class IPsecAction.......................................38
6.10.1. The Property UsePFS.......................................39
6.10.2. The Property UseIKEGroup..................................39
6.10.3. The Property GroupId......................................39
6.10.4. The Property Granularity..................................40
6.10.5. The Property VendorID.....................................40
6.11. The Class IPsecTransportAction..............................40
6.12. The Class IPsecTunnelAction.................................40
6.12.1. The Property DFHandling...................................41
6.13. The Class IKEAction.........................................41
6.13.1. The Property RefreshThresholdDerivedKeys..................41
6.13.2. The Property ExchangeMode.................................42
6.13.3. The Property UseIKEIdentityType...........................42
6.13.4. The Property VendorID.....................................42
6.13.5. The Property AggressiveModeGroupId........................42
6.14. The Class PeerGateway.......................................43
6.14.1. The Property Name.........................................43
6.14.2. The Property PeerIdentityType.............................43
6.14.3. The Property PeerIdentity.................................44
6.15. The Association Class PeerGatewayForTunnel..................44
6.15.1. The Reference Antecedent..................................44
6.15.2. The Reference Dependent...................................44
6.15.3. The Property SequenceNumber...............................45
6.16. The Aggregation Class ContainedProposal.....................45
6.16.1. The Reference GroupComponent..............................45
6.16.2. The Reference PartComponent...............................45
6.16.3. The Property SequenceNumber...............................45
6.17. The Association Class HostedPeerGatewayInformation..........46
6.17.1. The Reference Antecedent..................................46
6.17.2. The Reference Dependent...................................46
6.18. The Association Class TransformOfPreconfiguredAction........46
6.18.1. The Reference Antecedent..................................47
6.18.2. The Reference Dependent...................................47
6.18.3. The Property SPI..........................................47
6.18.4. The Property Direction....................................47
6.19 The Association Class PeerGatewayForPreconfiguredTunnel......47
6.19.1. The Reference Antecedent..................................48
6.19.2. The Reference Dependent...................................48
7. Proposal and Transform Classes.................................49
7.1. The Abstract Class SAProposal................................49
7.1.1. The Property Name..........................................49
7.2. The Class IKEProposal........................................50
7.2.1. The Property LifetimeDerivedKeys...........................50
7.2.2. The Property CipherAlgorithm...............................50
7.2.3. The Property HashAlgorithm.................................51
7.2.4. The Property PRFAlgorithm..................................51
7.2.5. The Property GroupId.......................................51
7.2.6. The Property AuthenticationMethod..........................51
7.2.7. The Property MaxLifetimeSeconds............................52
7.2.8. The Property MaxLifetimeKilobytes..........................52
7.2.9. The Property VendorID......................................52
7.3. The Class IPsecProposal......................................52
7.4. The Abstract Class SATransform...............................53
7.4.1. The Property TransformName.................................53
7.4.2. The Property VendorID......................................53
7.4.3. The Property MaxLifetimeSeconds............................53
7.4.4. The Property MaxLifetimeKilobytes..........................54
7.5. The Class AHTransform........................................54
7.5.1. The Property AHTransformId.................................54
7.5.2. The Property UseReplayPrevention...........................54
7.5.3. The Property ReplayPreventionWindowSize....................55
7.6. The Class ESPTransform.......................................55
7.6.1. The Property IntegrityTransformId..........................55
7.6.2. The Property CipherTransformId.............................55
7.6.3. The Property CipherKeyLength...............................56
7.6.4. The Property CipherKeyRounds...............................56
7.6.5. The Property UseReplayPrevention...........................56
7.6.6. The Property ReplayPreventionWindowSize....................56
7.7. The Class IPCOMPTransform....................................57
7.7.1. The Property Algorithm.....................................57
7.7.2. The Property DictionarySize................................57
7.7.3. The Property PrivateAlgorithm..............................57
7.8. The Association Class SAProposalInSystem.....................57
7.8.1. The Reference Antecedent...................................58
7.8.2. The Reference Dependent....................................58
7.9. The Aggregation Class ContainedTransform.....................58
7.9.1. The Reference GroupComponent...............................58
7.9.2. The Reference PartComponent................................59
7.9.3. The Property SequenceNumber................................59
7.10. The Association Class SATransformInSystem...................59
7.10.1. The Reference Antecedent..................................59
7.10.2. The Reference Dependent...................................59
8. IKE Service and Identity Classes...............................61
8.1. The Class IKEService.........................................62
8.2. The Class PeerIdentityTable..................................62
8.3.1. The Property Name..........................................62
8.3. The Class PeerIdentityEntry..................................63
8.3.1. The Property PeerIdentity..................................63
8.3.2. The Property PeerIdentityType..............................63
8.3.3. The Property PeerAddress...................................63
8.3.4. The Property PeerAddressType...............................63
8.4. The Class AutostartIKEConfiguration..........................64
8.5. The Class AutostartIKESetting................................64
8.5.1. The Property Phase1Only....................................64
8.5.2. The Property AddressType...................................65
8.5.3. The Property SourceAddress.................................65
8.5.4. The Property SourcePort....................................65
8.5.5. The Property DestinationAddress............................65
8.5.6. The Property DestinationPort...............................66
8.5.7. The Property Protocol......................................66
8.6. The Class IKEIdentity........................................66
8.6.1. The Property IdentityType..................................67
8.6.2. The Property IdentityValue.................................67
8.6.3. The Property IdentityContexts..............................67
8.7. The Association Class HostedPeerIdentityTable................68
8.7.1. The Reference Antecedent...................................68
8.7.2. The Reference Dependent....................................68
8.8. The Aggregation Class PeerIdentityMember.....................68
8.8.1. The Reference Collection...................................68
8.8.2. The Reference Member.......................................69
8.9. The Association Class IKEServicePeerGateway..................69
8.9.1. The Reference Antecedent...................................69
8.9.2. The Reference Dependent....................................69
8.10. The Association Class IKEServicePeerIdentityTable...........69
8.10.1. The Reference Antecedent..................................70
8.10.2. The Reference Dependent...................................70
8.11. The Association Class IKEAutostartSetting...................70
8.11.1. The Reference Element.....................................70
8.11.2. The Reference Setting.....................................70
8.12. The Aggregation Class AutostartIKESettingContext............70
8.12.1. The Reference Context.....................................71
8.12.2. The Reference Setting.....................................71
8.12.3. The Property SequenceNumber...............................71
8.13. The Association Class IKEServiceForEndpoint.................71
8.13.1. The Reference Antecedent..................................72
8.13.2. The Reference Dependent...................................72
8.14. The Association Class IKEAutostartConfiguration.............72
8.14.1. The Reference Antecedent..................................72
8.14.2. The Reference Dependent...................................72
8.14.3. The Property Active.......................................72
8.15. The Association Class IKEUsesCredentialManagementService....73
8.15.1. The Reference Antecedent..................................73
8.15.2. The Reference Dependent...................................73
8.16. The Association Class EndpointHasLocalIKEIdentity...........73
8.16.1. The Reference Antecedent..................................74
8.16.2. The Reference Dependent...................................74
8.17. The Association Class CollectionHasLocalIKEIdentity.........74
8.17.1. The Reference Antecedent..................................74
8.17.2. The Reference Dependent...................................74
8.18. The Association Class IKEIdentitysCredential................75
8.18.1. The Reference Antecedent..................................75
8.18.2. The Reference Dependent...................................75
9. Implementation Requirements....................................75
10. Security Considerations.......................................79
11. Intellectual Property.........................................80
12. Acknowledgments...............................................80
13. References....................................................80
14. Disclaimer....................................................81
15. Authors' Addresses............................................81
16. Full Copyright Statement......................................82
Appendix A (DMTF Core Model MOF)..................................82
Appendix B (DMTF User Model MOF)..................................97
Appendix C (DMTF Network Model MOF)..............................112
Appendix D (DMTF Policy Model MOF)...............................121
1. Introduction 1. Introduction
Internet Protocol security (IPsec) policy may assume a variety of Internet Protocol security (IPsec) policy may assume a variety of
forms as it travels from storage to distribution point to decision forms as it travels from storage to distribution point to decision
point. At each step, it needs to be represented in a way that is point. At each step, it needs to be represented in a way that is
convenient for the current task. For example, the policy could convenient for the current task. For example, the policy could
exist as, but is not limited to: exist as, but is not limited to:
o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
a directory a directory
o an on-the-wire representation over a transport protocol like the o an on-the-wire representation over a transport protocol like the
Common Object Policy Service (COPS) [COPS, COPSPR] Common Object Policy Service (COPS) [COPS, COPSPR]
o a text-based policy specification language [SPSL] suitable for o a text-based policy specification language suitable for editing
editing by an administrator by an administrator
o an Extensible Markup Language (XML) document o an Extensible Markup Language (XML) document
Each of these task-specific representations should be derived from a Each of these task-specific representations should be derived from a
canonical representation that precisely specifies the content and canonical representation that precisely specifies the content and
semantics of the IPsec policy. The purpose of this document is to semantics of the IPsec policy. The purpose of this document is to
abstract IPsec policy into a task-independent representation that is abstract IPsec policy into a task-independent representation that is
not constrained by any particular task-dependent representation. not constrained by any particular task-dependent representation.
This document is organized as follows: This document is organized as follows:
o Section 2 provides a quick introduction to the Unified Modeling o Section 2 provides a quick introduction to the Unified Modeling
Language (UML) graphical notation conventions used in this Language (UML) graphical notation conventions used in this
document. document.
o Section 3 provides the inheritance hierarchy that describes o Section 3 provides the inheritance hierarchy that describes
where the IPsec policy classes fit into the policy class where the IPsec policy classes fit into the policy class
hierarchy already defined by the Policy Core Information Model hierarchy already defined by the Policy Core Information Model
(PCIM). (PCIM).
o The remainder of the document describes the classes that make up o Sections 4 through 8 describe the classes that make up the IPsec
the IPsec policy model. policy model.
o Section 9 presents the implementation requirements for the
classes in the model (i.e., the MUST/MAY/SHOULD status).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS]. document are to be interpreted as described in [KEYWORDS].
2. UML Conventions 2. UML Conventions
For this document, a UML static class diagram was chosen as the For this document, a UML static class diagram was chosen as the
canonical representation for the IPsec policy model. The reason canonical representation for the IPsec policy model. The reason
behind this decision is that UML provides a graphical, task- behind this decision is that UML provides a graphical, task-
| +--PeerIdentityTable | +--PeerIdentityTable
| |
+--ManagedSystemElement (DMTF Core Model - Appendix A) +--ManagedSystemElement (DMTF Core Model - Appendix A)
| | | |
| +--LogicalElement (DMTF Core Model - Appendix A) | +--LogicalElement (DMTF Core Model - Appendix A)
| | | |
| +--FilterEntryBase (DMTF Network Model - Appendix C) | +--FilterEntryBase (DMTF Network Model - Appendix C)
| | | | | |
| | +--CredentialFilterEntry | | +--CredentialFilterEntry
| | | | | |
| | +--IPHeaderFilter (DMTF Network Model - Appendix C)
| | |
| | +--IPSOFilterEntry | | +--IPSOFilterEntry
| | | | | |
| | +--PeerIDPayloadFilterEntry | | +--PeerIDPayloadFilterEntry
| | | |
| +--PeerGateway | +--PeerGateway
| | | |
| +--PeerIdentityEntry | +--PeerIdentityEntry
| | | |
| +--Service (DMTF Core Model - Appendix A) | +--Service (DMTF Core Model - Appendix A)
| | | |
| +--UserEntity (DMTF User Model - Appendix B) | +--UserEntity (DMTF User Model - Appendix B)
| | | |
| +--UsersAccess (DMTF User Model - Appendix B) | +--UsersAccess (DMTF User Model - Appendix B)
| | | |
| +--IKEIdentity | +--IKEIdentity
| |
+--Policy (PCIM) +--Policy (PCIM)
| | | |
| +--PolicyAction (PCIM) | +--PolicyAction (PCIM)
| | | | | |
| | +--CompoundPolicyAction (DMTF Policy Model - Appendix D)
| | |
| | +--SAAction | | +--SAAction
| | | | | |
| | +--SANegotiationAction | | +--SANegotiationAction
| | | | | | | |
| | | +--IKEAction | | | +--IKEAction
| | | | | | | |
| | | +--IPsecAction | | | +--IPsecAction
| | | | | | | |
| | | +--IPsecTransportAction | | | +--IPsecTransportAction
| | | | | | | |
| | +--PreconfiguredSAAction | | +--PreconfiguredSAAction
| | | | | |
| | +--PreconfiguredTransportAction | | +--PreconfiguredTransportAction
| | | | | |
| | +--PreconfiguredTunnelAction | | +--PreconfiguredTunnelAction
| | | |
| +--PolicyCondition (PCIM) | +--PolicyCondition (PCIM)
| | | | | |
| | +--SACondition | | +--SACondition
| | | |
| +--PolicyGroup (PCIM) | +--PolicySet (DMTF Policy Model - Appendix D)
| | | | | |
| | +--IPsecPolicyGroup | | +--PolicyGroup (PCIM)
| | | | | |
| +--PolicyRule (PCIM) | | | +--IPsecPolicyGroup
| | |
| | +--PolicyRule (PCIM)
| | | | | |
| | +--SARule | | +--SARule
| | | | | |
| | +--IKERule | | +--IKERule
| | | | | |
| | +--IPsecRule | | +--IPsecRule
| | | |
| +--SAProposal | +--SAProposal
| | | | | |
| | +--IKEProposal | | +--IKEProposal
+--IKEServiceForEndpoint +--IKEServiceForEndpoint
| |
+--IKEServicePeerGateway +--IKEServicePeerGateway
| |
+--IKEServicePeerIdentityTable +--IKEServicePeerIdentityTable
| |
+--IKEUsesCredentialManagementService +--IKEUsesCredentialManagementService
| |
+--IPsecPolicyForEndpoint +--IPsecPolicyForEndpoint
| |
+--IPsecPolicyForSystem
|
+--PeerGatewayForPreconfiguredTunnel
|
+--PeerGatewayForTunnel +--PeerGatewayForTunnel
| |
+--PolicyInSystem (PCIM) +--PolicyInSystem (PCIM)
| | | |
| +--PolicyGroupInSystem (PCIM)
| |
| +--SAProposalInSystem | +--SAProposalInSystem
| | | |
| +--SATransformInSystem | +--SATransformInSystem
| |
+--IPsecPolicyForSystem
|
+--TransformOfPreconfiguredAction +--TransformOfPreconfiguredAction
| |
+--UsersCredential (DMTF User Model - Appendix B) +--UsersCredential (DMTF User Model - Appendix B)
| |
+--IKEIdentitysCredential +--IKEIdentitysCredential
ElementSetting (DMTF Core Model - Appendix A) ElementSetting (DMTF Core Model - Appendix A)
| |
+--IKEAutostartSetting +--IKEAutostartSetting
+--PeerIdentityMember +--PeerIdentityMember
PolicyComponent (PCIM) PolicyComponent (PCIM)
| |
+--ContainedProposal +--ContainedProposal
| |
+--ContainedTransform +--ContainedTransform
| |
+--PolicyActionInPolicyRule (PCIM) +--PolicyActionInPolicyRule (PCIM)
| | | |
| +--SAActionInRule | +--PolicyActionInSARule
| |
+--PolicyConditionInPolicyRule (PCIM) +--PolicyConditionInPolicyRule (PCIM)
| | | |
| +--SAConditionInRule | +--SAConditionInRule
| |
+--PolicyGroupInPolicyGroup (PCIM) +--PolicySetComponent (DMTF Policy Model - Appendix D)
| |
| +--IPsecPolicyGroupInPolicyGroup
|
+--PolicyRuleInPolicyGroup
| |
+--RuleForIKENegotiation +--RuleForIKENegotiation
| |
+--RuleForIPsecNegotiation +--RuleForIPsecNegotiation
SystemSettingContext (DMTF Core Model - Appendix A) SystemSettingContext (DMTF Core Model - Appendix A)
| |
+--AutostartIKESettingContext +--AutostartIKESettingContext
4. Policy Classes 4. Policy Classes
The IPsec policy classes represent the set of policies that are The IPsec policy classes represent the set of policies that are
contained on a system. contained on a system.
+--------------------+ +--------------+
| IPProtocolEndpoint | | PolicySet |*
| (Appendix C) | | (Appendix D) |o--+
+--------------------+ +--------------+ |
| * ^ *| |(a)
| +------+
| |
(a) | (b) +--------------------+ +-------------+
+------+ | | IPProtocolEndpoint | | PolicyGroup |
| |* | 0..1 | (Appendix C) | | ([PCIM]) |
| *+------------------+0..1 (c) *+------------+ +--------------------+ +-------------+
+---o| IPsecPolicyGroup |-----------| System | |* ^
+-----------------+ |
|(b) |
| |
|0..1 |
+------------------+0..1 (c) *+------------+
| IPsecPolicyGroup |-----------| System |
+------------------+ |(Appendix A)| +------------------+ |(Appendix A)|
1 o o 1 +------------+ 1 o o 1 +------------+
(d) | | (e) (d) | | (e)
+-----------------------+ +---------------------+ +-----------------------+ +--------------------------+
| | | |
| +---------------------------+ | | +---------------------------+ |
| | PolicyTimePeriodCondition | | | | PolicyTimePeriodCondition | |
| | (see [PCIM]) | | | | ([PCIM]) | |
| +---------------------------+ | | +---------------------------+ |
| *| | | *| |
| | (f) | | | (f) |
| *o | | *o |
| +-------------+n *+--------+* n+----------+ | | +-------------+n *+--------+* n+--------------+ |
| | SACondition |------o| SARule |o-------| SAAction | | | | SACondition |------o| SARule |o-------| PolicyAction | |
| +-------------+ (g) +--------+ (h) +----------+ | | +-------------+ (g) +--------+ (h) | ([PCIM]) | |
| ^ | | ^ +--------------+ |
| | | | | *| ^ |
| +--------+--------+ | | | |(i) | |
| | | | | | *o | |
| +-----------------+ +----------------------+ |
| | | | CompoundPolicyAction | |
| | | | (Appendix D) | |
| | | +----------------------+ |
| *+---------+ +-----------+* | | *+---------+ +-----------+* |
+---------------| IKERule | | IPsecRule |------------+ +-----| IKERule | | IPsecRule |---------------------------+
+---------+ +-----------+ +---------+ +-----------+
(a) IPsecPolicyGroupInPolicyGroup (a) PolicySetComponent (Appendix D)
(b) IPsecPolicyForEndpoint (b) IPsecPolicyForEndpoint
(c) IPsecPolicyForSystem (c) IPsecPolicyForSystem
(d) RuleForIKENegotiation (d) RuleForIKENegotiation
(e) RuleForIPsecNegotiation (e) RuleForIPsecNegotiation
(f) PolicyRuleValidityPeriod (see [PCIM]) (f) PolicyRuleValidityPeriod ([PCIM])
(g) SAConditionInRule (g) SAConditionInRule
(h) SAActionInRule (h) PolicyActionInSARule
(i) PolicyActionInPolicyAction
An IPsecPolicyGroup represents the set of policies that are used on An IPsecPolicyGroup represents the set of policies that are used on
an interface. This IPsecPolicyGroup SHOULD be associated either an interface. This IPsecPolicyGroup SHOULD be associated either
directly with the IPProtocolEndpoint class instance that represents directly with the IPProtocolEndpoint class instance that represents
the interface (via the IPsecPolicyForEndpoint association) or the interface (via the IPsecPolicyForEndpoint association) or
indirectly (via the IPsecPolicyForSystem association) associated indirectly (via the IPsecPolicyForSystem association) associated
with the System that hosts the interface. with the System that hosts the interface.
The IKE and IPsec rules are used to build or to negotiate the IPsec
SADB. The SADB itself is not modeled by this document.
The rules usage can be described as (see also section 6 about
actions):
o an egress unprotected packet will first be checked against the
SADB. If no match is found, the IPsec rules will be checked. If
IKE negotiation is required by an IPsec rule, the corresponding
IKE rules will be used if no IKE SA already exists. The
negotiated or preconfigured SA will then be installed in the
SADB.
o An ingress unprotected packet will first be checked against the
IPsec SADB. If no match is found, the IPsec rules will be
checked for a preconfigured SA. If a preconfigured SA exists,
this SA will be installed in the IPsec SADB.
o An ingress protected packet will be checked exactly as an
ingress unprotected packet.
o An ingress IKE negotiation packet, which is not part of an
existing IKE SA, will be checked against the IKE rules. The
negotiated SA will then be installed in the SADB.
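The four bullets above give the lookup order (SADB first, then IPsec rules, then IKE rules only when negotiation is required and no IKE SA exists). The following is an added example, not code from the draft: it simulates that order for egress, ingress and IKE packets against a constructed rule set, using assumed class names (Selector, SAEntry, IPsecRule, IKERule, Packet, Engine) and a sketched SADB.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed walk through the "rules usage" of section 4: the SADB is
# consulted first, then the IPsec rules, and the IKE rules only when an IPsec
# rule requires negotiation and no IKE SA exists for the peer.  Selector,
# SAEntry, IPsecRule, IKERule, Packet and Engine are names assumed for this
# example; they are not classes of the draft, and the SADB is only sketched.

@dataclass(frozen=True)
class Selector:
    src: str
    dst: str
    proto: str

@dataclass
class SAEntry:
    selector: Selector
    spi: int
    preconfigured: bool

@dataclass
class IPsecRule:
    selector: Selector
    action: str      # "negotiate", "preconfigured", "bypass" or "discard"
    peer: str = ""   # IKE peer when action == "negotiate"
    spi: int = 0     # SPI of the SA when action == "preconfigured"

@dataclass
class IKERule:
    peer: str
    action: str      # "negotiate" or "discard"

@dataclass
class Packet:
    selector: Selector
    direction: str       # "egress" or "ingress"
    protected: bool = False
    ike: bool = False    # an IKE negotiation packet (ingress only here)
    peer: str = ""       # sender of an IKE packet

class Engine:
    def __init__(self, ipsec_rules: List[IPsecRule], ike_rules: List[IKERule]):
        self.ipsec_rules, self.ike_rules = ipsec_rules, ike_rules
        self.sadb: List[SAEntry] = []
        self.ike_sas: Set[str] = set()   # peers with an established IKE SA
        self._next_spi = 0x1000

    def _install(self, sel: Selector, spi: int, pre: bool) -> SAEntry:
        entry = SAEntry(sel, spi, pre)
        self.sadb.append(entry)
        return entry

    def _ike_allows(self, peer: str) -> bool:
        # IKE rules are consulted only when no IKE SA already exists.
        if peer in self.ike_sas:
            return True
        rule = next((r for r in self.ike_rules if r.peer == peer), None)
        if rule is None or rule.action != "negotiate":
            return False
        self.ike_sas.add(peer)           # phase 1 "negotiated" (simulated)
        return True

    def process(self, pkt: Packet) -> Tuple[str, Optional[SAEntry]]:
        if pkt.ike:
            if pkt.peer in self.ike_sas:
                return "existing-ike-sa", None
            return ("ike-negotiated" if self._ike_allows(pkt.peer) else "discard"), None
        # Every other packet, protected or not, is checked against the SADB first.
        sa = next((e for e in self.sadb if e.selector == pkt.selector), None)
        if sa is not None:
            return "sadb-match", sa
        rule = next((r for r in self.ipsec_rules if r.selector == pkt.selector), None)
        if rule is None:
            return "no-rule", None
        if rule.action == "preconfigured":     # both directions install it
            return "preconfigured", self._install(pkt.selector, rule.spi, True)
        if rule.action == "negotiate" and pkt.direction == "egress":
            if not self._ike_allows(rule.peer):
                return "ike-refused", None
            self._next_spi += 1
            return "negotiated", self._install(pkt.selector, self._next_spi, False)
        if rule.action == "negotiate":
            return "awaiting-negotiation", None   # ingress: wait for the IKE peer
        return rule.action, None                   # "bypass" or "discard"

def demo() -> Tuple[str, str, str, int]:
    # Constructed sample policy: one negotiated flow, one preconfigured flow.
    s1 = Selector("10.0.0.1", "10.0.1.1", "tcp")
    s2 = Selector("10.0.0.1", "10.0.2.1", "udp")
    eng = Engine([IPsecRule(s1, "negotiate", peer="192.0.2.10"),
                  IPsecRule(s2, "preconfigured", spi=0x200)],
                 [IKERule("192.0.2.10", "negotiate")])
    first = eng.process(Packet(s1, "egress"))[0]       # IKE then new SA
    second = eng.process(Packet(s1, "egress"))[0]      # now found in the SADB
    third = eng.process(Packet(s2, "ingress", protected=True))[0]
    return first, second, third, len(eng.sadb)
```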
4.1. The Class IPsecPolicyGroup 4.1. The Class IPsecPolicyGroup
The class IPsecPolicyGroup serves as a container of either other The class IPsecPolicyGroup serves as a container of either other
IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. The IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. The
class definition for IPsecPolicyGroup is as follows: class definition for IPsecPolicyGroup is as follows:
NAME IPsecPolicyGroup NAME IPsecPolicyGroup
DESCRIPTION Either a set of IPsecPolicyGroups or a set of IKERules DESCRIPTION Either a set of IPsecPolicyGroups or a set of IKERules
and a set of IPsecRules. and a set of IPsecRules.
DERIVED FROM PolicyGroup (see [PCIM]) DERIVED FROM PolicyGroup (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyGroupName (from PolicyGroup) PROPERTIES PolicyGroupName (from PolicyGroup)
PolicyDecisionStrategy (from PolicySet)
NOTE: for derivations of the schema that are used for policy NOTE: for derivations of the schema that are used for policy
distribution to an IPsec device (for example, COPS-PR), the server distribution to an IPsec device (for example, COPS-PR), the server
may follow all of IPsecPolicyGroupInPolicyGroup associations and may follow all of PolicySetComponent associations and create one
create one policy group which is simply a set of all of the IKE policy group which is simply a set of all of the IKE rules and a set
rules and a set of all of the IPsec rules. See the section on the of all of the IPsec rules. See the section on the
IPsecPolicyGroupInPolicyGroup aggregation for information on merging PolicySetComponent aggregation for information on merging multiple
multiple IPsecPolicyGroups. IPsecPolicyGroups.
4.2. The Class SARule 4.2. The Class SARule
The class SARule serves as a base class for IKERule and IPsecRule. The class SARule serves as a base class for IKERule and IPsecRule.
Even though the class is concrete, it MUST NOT be instantiated. It Even though the class is concrete, it MUST NOT be instantiated. It
defines a common connection point for associations to conditions and defines a common connection point for associations to conditions and
actions for both types of rules. Through its derivation from actions for both types of rules. Through its derivation from
PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
the PolicyRuleValidityPeriod association. the PolicyRuleValidityPeriod association.
An SARule inherits the property Priority from PolicyRule. Since Each valid IPsecPolicyGroup MUST contain SARules that each have a
there is a need for an unambiguous ordering of rules in an IPsec unique associated priority number in PolicySetComponent.Priority.
system, all SARules contained within an IPsecPolicyGroup must have
unique priority values.
The class definition for SARule is as follows: The class definition for SARule is as follows:
NAME SARule NAME SARule
DESCRIPTION A base class for IKERule and IPsecRule. DESCRIPTION A base class for IKERule and IPsecRule.
DERIVED FROM PolicyRule (see [PCIM]) DERIVED FROM PolicyRule (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyRuleName (from PolicyRule) PROPERTIES PolicyRuleName (from PolicyRule)
Enabled (from PolicyRule) Enabled (from PolicyRule)
ConditionListType (from PolicyRule) ConditionListType (from PolicyRule)
RuleUsage (from PolicyRule)
Mandatory (from PolicyRule)
SequencedActions (from PolicyRule)
ExecutionStrategy (from PolicyRule)
PolicyRoles (from PolicyRule)
PolicyDecisionStrategy (from PolicySet)
LimitNegotiation LimitNegotiation
4.2.1. The Property LimitNegotiation 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
PolicyDecisionStrategy
For a description of these properties, see Appendix D.
In SARule subclass instances:
- if the property Mandatory exists, it MUST be set to "true"
- if the property SequencedActions exists, it MUST be set to
"mandatory"
- the property PolicyRoles is not used in the device-level model
- if the property PolicyDecisionStrategy exists, it must be set to
"FirstMatching"
4.2.2 The Property ExecutionStrategy
The ExecutionStrategy properties in the PolicyRule subclasses (and in
the CompoundPolicyAction class) determine the behavior of the
contained actions. It defines the strategy to be used in executing
the sequenced actions aggregated by a rule or a compound action. In
the case of actions within a rule, the PolicyActionInSARule
aggregation is used to collect the actions into an ordered set; in
the case of a compound action, the PolicyActionInPolicyAction
aggregation is used to collect the actions into an ordered subset.
There are three execution strategies: do until success, do all and
do until failure.
Do Until Success causes the execution of actions according to the
ActionOrder property in the aggregation instances until a single
action executes successfully. These actions may be evaluated to
determine if they are appropriate to execute rather than blindly
trying each of the actions until one succeeds. For an initiator,
they are tried in the ActionOrder until the list is exhausted or one
completes successfully. For example, an IKE initiator may have
several IKEActions for the same SACondition. The initiator will try
all IKEActions in the order defined by ActionOrder, i.e., it may try
several phase 1 negotiations, possibly with different modes (main
mode then aggressive mode) and/or with multiple IKE peers. For a
responder, when there is more than one action in a rule with the "do
until success" strategy, this provides alternative actions depending
on the received proposals. For example, the same IKERule may be used
to handle aggressive mode and main mode negotiations with different
actions. The responder uses the first appropriate action in the list
of actions.
Do All causes the execution of all of the actions in the aggregated
set according to their defined order. The execution continues
regardless of failures.
Do Until Failure causes the execution of all actions according to
their defined order until the first failure in execution of an action
instance.
For example, in a nested SAs case the actions of an initiator's rule
might be structured as:
IPsecRule.ExecutionStrategy=Do All
|
+---1--- IPsecTunnelAction // set up SA from host to gateway
|
+---2--- IPsecTransportAction // set up SA from host thru tunnel
// to remote host
Another example, showing a rule with fallback actions might be
structured as:
IPsecRule.ExecutionStrategy=Do Until Success
|
+---6--- IPsecTransportAction // negotiate SA with peer
|
+---9--- IPsecBypassAction // but if you must, allow in the
// clear
The CompoundPolicyAction class (See Appendix D) may be used in
constructing the actions of IKE and IPsec rules when those rules
specify both multiple actions and fallback actions. The
ExecutionStrategy property in CompoundPolicyAction is used in
conjunction with that in the PolicyRule.
For example, in nesting SAs with a fallback security gateway, the
actions of a rule might be structured as:
IPsecRule.ExecutionStrategy=Do All
|
+---1--- CompoundPolicyAction.ExecutionStrategy=Do Until Success
| |
| +---1--- IPsecTunnelAction // set up SA from host to
| | // gateway1
| |
| +---2--- IPsecTunnelAction // or set up SA to gateway2
|
+---2--- IPsecTransportAction // then set up SA from host
// thru tunnel to remote host
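The three structures above (Do All, Do Until Success, and a Do Until Success CompoundPolicyAction nested inside a Do All rule) follow from one evaluation loop over actions sorted by ActionOrder. The following is an added example, not code from the draft: Action, Compound, execute and the two scenario functions are assumed names, each action is simulated by a callable that reports success or failure, and the return value for Do All (every action succeeded) is an assumption the draft does not state.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple, Union

# Constructed illustration of the ExecutionStrategy values of section 4.2.2
# applied to the ordered actions of a rule and of a nested CompoundPolicyAction.
# Each action is simulated by a callable returning True on success; Action,
# Compound, execute and the scenario functions are assumed names, not names
# from the draft.

DO_UNTIL_SUCCESS = "Do Until Success"
DO_ALL = "Do All"
DO_UNTIL_FAILURE = "Do Until Failure"

@dataclass
class Action:
    name: str                      # e.g. an IPsecTunnelAction to one gateway
    attempt: Callable[[], bool]    # the simulated negotiation outcome

@dataclass
class Compound:
    strategy: str                  # CompoundPolicyAction.ExecutionStrategy
    members: List[Tuple[int, Union[Action, "Compound"]]]   # (ActionOrder, action)

def execute(strategy: str, members, trace: List[Tuple[str, bool]]) -> bool:
    """Execute members in ActionOrder under the given strategy.

    Returns True when the strategy is satisfied: the first success for
    Do Until Success, no failure before the end for Do Until Failure, and
    (an assumption of this example) every action succeeding for Do All.
    Every attempted leaf action is appended to trace with its outcome.
    """
    all_ok = True
    for _, member in sorted(members, key=lambda m: m[0]):
        if isinstance(member, Compound):
            ok = execute(member.strategy, member.members, trace)
        else:
            ok = member.attempt()
            trace.append((member.name, ok))
        if strategy == DO_UNTIL_SUCCESS and ok:
            return True                    # stop at the first success
        if strategy == DO_UNTIL_FAILURE and not ok:
            return False                   # stop at the first failure
        all_ok = all_ok and ok             # Do All keeps going regardless
    return all_ok if strategy != DO_UNTIL_SUCCESS else False

def nested_sa_with_fallback_gateway():
    """The last figure above: Do All over a Do Until Success compound
    (tunnel to gateway1, else gateway2), then the transport SA."""
    trace = []
    rule_actions = [
        (1, Compound(DO_UNTIL_SUCCESS, [
            (1, Action("IPsecTunnelAction gateway1", lambda: False)),  # constructed: gateway1 unreachable
            (2, Action("IPsecTunnelAction gateway2", lambda: True)),
        ])),
        (2, Action("IPsecTransportAction remote host", lambda: True)),
    ]
    ok = execute(DO_ALL, rule_actions, trace)
    return ok, [name for name, _ in trace]

def transport_with_bypass_fallback():
    """The fallback figure: ActionOrder 6 negotiates, ActionOrder 9 bypasses."""
    trace = []
    rule_actions = [
        (9, Action("IPsecBypassAction", lambda: True)),
        (6, Action("IPsecTransportAction peer", lambda: False)),   # constructed: peer refuses
    ]
    ok = execute(DO_UNTIL_SUCCESS, rule_actions, trace)
    return ok, [name for name, _ in trace]
```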
4.2.3 The Property LimitNegotiation
The property LimitNegotiation is used as part of processing either The property LimitNegotiation is used as part of processing either
an IKE or an IPsec rule. an IKE or an IPsec rule.
Before proceeding with a phase 1 negotiation, this property is Before proceeding with a phase 1 negotiation, this property is
checked to determine if the negotiation role of the rule matches checked to determine if the negotiation role of the rule matches
that defined for the negotiation being undertaken (e.g., Initiator, that defined for the negotiation being undertaken (e.g., Initiator,
Responder, or Both). If this check fails (e.g. the current role is Responder, or Both). If this check fails (e.g. the current role is
IKE responder while the rule specifies IKE initiator), then the IKE IKE responder while the rule specifies IKE initiator), then the IKE
negotiation is stopped. Note that this only applies to new IKE phase negotiation is stopped. Note that this only applies to new IKE phase
1 negotiations and has no effect on either renegotiation or refresh 1 negotiations and has no effect on either renegotiation or refresh
negotiation is a refresh operation by checking to see if the negotiation is a refresh operation by checking to see if the
selector information matches that of an existing SA. If selector information matches that of an existing SA. If
LimitNegotiation does not match and the selector corresponds to a LimitNegotiation does not match and the selector corresponds to a
new SA, the negotiation is stopped. new SA, the negotiation is stopped.
The property is defined as follows: The property is defined as follows:
NAME LimitNegotiation NAME LimitNegotiation
DESCRIPTION Limits the role to be undertaken during negotiation. DESCRIPTION Limits the role to be undertaken during negotiation.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 initiator-only VALUE 1 initiator-only
2 responder-only 2 responder-only
3 both 3 both
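The LimitNegotiation check has one exception in each phase: an existing IKE SA (renegotiation or refresh) in phase 1, and a selector that matches an existing SA (refresh) in phase 2. The following is an added example, not code from the draft: the value encoding 1, 2, 3 is the draft's, while the function name, the role strings and the selector tuples are assumptions.

```python
from typing import Iterable, Optional, Tuple

# Constructed illustration of the LimitNegotiation check of section 4.2.3.
# The values 1, 2 and 3 are the draft's; limit_allows, the role strings and
# the Selector tuple shape are assumptions of this example.

INITIATOR_ONLY, RESPONDER_ONLY, BOTH = 1, 2, 3
Selector = Tuple[str, str, str]   # (source, destination, protocol)

def limit_allows(limit: int, role: str, phase: int, peer: str = "",
                 selector: Optional[Selector] = None,
                 ike_sa_peers: Iterable[str] = (),
                 sa_selectors: Iterable[Selector] = ()) -> bool:
    """Return True when the rule may proceed with this negotiation.

    role is "initiator" or "responder".  For phase 1 the check applies only
    to a new IKE SA: a peer that already has one is renegotiating or
    refreshing.  For phase 2 a selector that matches an existing SA is a
    refresh and is likewise never blocked by LimitNegotiation.
    """
    if phase == 1 and peer in set(ike_sa_peers):
        return True
    if phase == 2 and selector is not None and selector in set(sa_selectors):
        return True
    if limit == BOTH:
        return True
    if limit == INITIATOR_ONLY:
        return role == "initiator"
    if limit == RESPONDER_ONLY:
        return role == "responder"
    return False   # unknown value: refuse rather than guess
```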
4.3. The Class IKERule 4.3. The Class IKERule
The class IKERule associates Conditions and Actions for IKE phase 1 The class IKERule associates Conditions and Actions for IKE phase 1
negotiations. The class definition for IKERule is as follows: negotiations. The class definition for IKERule is as follows:
NAME IKERule NAME IKERule
DESCRIPTION Associates Conditions and Actions for IKE phase 1 DESCRIPTION Associates Conditions and Actions for IKE phase 1
negotiations. negotiations.
DESCRIPTION Specifies the context in which to select the IKE DESCRIPTION Specifies the context in which to select the IKE
identity. identity.
SYNTAX string array SYNTAX string array
4.4. The Class IPsecRule 4.4. The Class IPsecRule
The class IPsecRule associates Conditions and Actions for IKE phase The class IPsecRule associates Conditions and Actions for IKE phase
2 negotiations for the IPsec DOI. The class definition for 2 negotiations for the IPsec DOI. The class definition for
IPsecRule is as follows: IPsecRule is as follows:
NAME IKERule NAME IPsecRule
DESCRIPTION Associates Conditions and Actions for IKE phase 2 DESCRIPTION Associates Conditions and Actions for IKE phase 2
negotiations for the IPsec DOI. negotiations for the IPsec DOI.
DERIVED FROM SARule DERIVED FROM SARule
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES same as SARule PROPERTIES same as SARule
4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup
The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec
policies to be combined into one effective policy. See [PCIM] for a
description of how policies are merged (see also the property
GroupPriority). The class definition for
IPsecPolicyGroupInPolicyGroup is as follows:
NAME IPsecPolicyGroupInPolicyGroup
DESCRIPTION Associates a nested IPsecPolicyGroup with the
IPsecPolicyGroup that contains it.
DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM])
ABSTRACT FALSE
PROPERTIES GroupComponent[ref IPsecPolicyGroup[0..n]]
PartComponent[ref IPsecPolicyGroup[0..n]]
GroupPriority
4.5.1. The Reference GroupComponent
The property GroupComponent is inherited from
PolicyGroupInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [0..n] cardinality indicates that a
given IPsecPolicyGroup instance may be a part of zero or more
containing IPsecPolicyGroup instances (i.e., there may be zero or
more GroupComponent references per PartComponent).
4.5.2. The Reference PartComponent
The property PartComponent is inherited from
PolicyGroupInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [0..n] cardinality indicates that a
given IPsecPolicyGroup instance may contain zero or more
IPsecPolicyGroup instances (i.e., there may be zero or more
PartComponent references per GroupComponent).
4.5.3. The Property GroupPriority
Since policy groups, IPsecPolicyGroup, can contain both rules and
other policy groups, the relative priorities of the rules of the
contained groups are established by setting the GroupPriority
property of IPsecPolicyGroupInPolicyGroup to a unique rule priority
in the containing group.
The rules of the nested group are inserted in order at that position
(i.e., the one indicated by GroupPriority) in the containing group's
rules.
The property is defined as follows:
NAME GroupPriority
DESCRIPTION Specifies the rule priority to be set to all nested
rules.
SYNTAX unsigned 16-bit integer
VALUE Any value between 1 and 2^16-1 inclusive. Lower values
have higher precedence (i.e., 1 is the highest
precedence). The merging order of two ContainedGroups
with the same precedence is undefined.
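Merging by GroupPriority, together with the unique-priority requirement of section 4.2, produces the single flattened group that the NOTE in section 4.1 describes. The following is an added example, not code from the draft: Rule, Group, validate, is_valid and flatten are assumed names, and a GroupPriority that collides with a rule priority (whose merge order the text calls undefined) is rejected rather than guessed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed illustration of section 4.5.3 (GroupPriority) and of the
# unique-priority requirement of section 4.2: a nested IPsecPolicyGroup's
# rules are spliced into the containing group's rule list at the slot named
# by its GroupPriority.  Rule, Group, validate, is_valid and flatten are
# names assumed for this example, not names from the draft.

@dataclass
class Rule:
    name: str
    priority: int          # lower value = higher precedence

@dataclass
class Group:
    name: str
    rules: List[Rule] = field(default_factory=list)
    # (GroupPriority, nested group) pairs, i.e. IPsecPolicyGroupInPolicyGroup
    nested: List[Tuple[int, "Group"]] = field(default_factory=list)

def validate(group: Group) -> None:
    """Reject a group whose rule priorities and GroupPriority slots collide
    or fall outside 1..2^16-1 (the VALUE range given above)."""
    slots = [r.priority for r in group.rules] + [gp for gp, _ in group.nested]
    dupes = {p for p in slots if slots.count(p) > 1}
    if dupes:
        raise ValueError(f"{group.name}: priority values not unique: {sorted(dupes)}")
    bad = [p for p in slots if not 1 <= p <= 2**16 - 1]
    if bad:
        raise ValueError(f"{group.name}: priority out of range: {bad}")

def is_valid(group: Group) -> bool:
    try:
        validate(group)
        return True
    except ValueError:
        return False

def flatten(group: Group) -> List[str]:
    """Effective rule order: own rules by priority, with each nested group's
    (already ordered) rules inserted at its GroupPriority slot."""
    validate(group)
    slots = [(r.priority, [r.name]) for r in group.rules]
    slots += [(gp, flatten(sub)) for gp, sub in group.nested]   # recurses/validates
    ordered: List[str] = []
    for _, names in sorted(slots, key=lambda s: s[0]):
        ordered.extend(names)
    return ordered

def demo() -> List[str]:
    # Constructed sample: a site group that nests a per-department group at
    # GroupPriority 20, between the site's own rules 10 and 30.
    dept = Group("dept", rules=[Rule("dept-allow-dns", 5), Rule("dept-ike-main", 1)])
    site = Group("site",
                 rules=[Rule("site-bypass-icmp", 10), Rule("site-discard-all", 30)],
                 nested=[(20, dept)])
    return flatten(site)
```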
4.6. The Association Class IPsecPolicyForEndpoint 4.6. The Association Class IPsecPolicyForEndpoint
The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
a specific network interface. If an IPProtocolEndpoint of a system a specific network interface. If an IPProtocolEndpoint of a system
does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
then the IPsecPolicyForSystem associated IPsecPolicyGroup is used then the IPsecPolicyForSystem associated IPsecPolicyGroup is used
for that endpoint. The class definition for IPsecPolicyForEndpoint for that endpoint. The class definition for IPsecPolicyForEndpoint
is as follows: is as follows:
NAME IPsecPolicyForEndpoint NAME IPsecPolicyForEndpoint
4.8. The Aggregation Class RuleForIKENegotiation 4.8. The Aggregation Class RuleForIKENegotiation
The class RuleForIKENegotiation associates an IKERule with the The class RuleForIKENegotiation associates an IKERule with the
IPsecPolicyGroup that contains it. The class definition for IPsecPolicyGroup that contains it. The class definition for
RuleForIKENegotiation is as follows: RuleForIKENegotiation is as follows:
NAME RuleForIKENegotiation NAME RuleForIKENegotiation
DESCRIPTION Associates an IKERule with the IPsecPolicyGroup that DESCRIPTION Associates an IKERule with the IPsecPolicyGroup that
contains it. contains it.
DERIVED FROM PolicyRuleInPolicyGroup (see [PCIM]) DERIVED FROM PolicySetComponent (see Appendix D)
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent [ref IPsecPolicyGroup [1..1]] PROPERTIES Priority (from PolicySetComponent)
GroupComponent [ref IPsecPolicyGroup [1..1]]
PartComponent [ref IKERule [0..n]] PartComponent [ref IKERule [0..n]]
4.8.1. The Reference GroupComponent 4.8.1. The Property Priority
For a description of this property, see Appendix D.
4.8.2. The Reference GroupComponent
The property GroupComponent is inherited from The property GroupComponent is inherited from
PolicyRuleInPolicyGroup and is overridden to refer to an PolicyRuleInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [1..1] cardinality indicates that an IPsecPolicyGroup instance. The [1..1] cardinality indicates that an
IKERule instance may be contained in one and only one IKERule instance may be contained in one and only one
IPsecPolicyGroup instance (i.e., IKERules are not shared across IPsecPolicyGroup instance (i.e., IKERules are not shared across
IPsecPolicyGroups). IPsecPolicyGroups).
4.8.2. The Reference PartComponent 4.8.3. The Reference PartComponent
The property PartComponent is inherited from PolicyRuleInPolicyGroup The property PartComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IKERule instance. The [0..n] and is overridden to refer to an IKERule instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may contain cardinality indicates that an IPsecPolicyGroup instance may contain
zero or more IKERule instances. zero or more IKERule instances.
4.9. The Aggregation Class RuleForIPsecNegotiation 4.9. The Aggregation Class RuleForIPsecNegotiation
The class RuleForIPsecNegotiation associates an IPsecRule with the The class RuleForIPsecNegotiation associates an IPsecRule with the
IPsecPolicyGroup that contains it. The class definition for IPsecPolicyGroup that contains it. The class definition for
RuleForIPsecNegotiation is as follows: RuleForIPsecNegotiation is as follows:
NAME RuleForIPsecNegotiation NAME RuleForIPsecNegotiation
DESCRIPTION Associates an IPsecRule with the IPsecPolicyGroup that DESCRIPTION Associates an IPsecRule with the IPsecPolicyGroup that
contains it. contains it.
DERIVED FROM PolicyRuleInPolicyGroup (see [PCIM]) DERIVED FROM PolicySetComponent (see Appendix D)
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent [ref IPsecPolicyGroup [1..1]] PROPERTIES Priority (from PolicySetComponent)
GroupComponent [ref IPsecPolicyGroup [1..1]]
PartComponent [ref IPsecRule [0..n]] PartComponent [ref IPsecRule [0..n]]
4.9.1. The Reference GroupComponent 4.9.1. The Property Priority
For a description of this property, see Appendix D.
4.9.2. The Reference GroupComponent
The property GroupComponent is inherited from The property GroupComponent is inherited from
PolicyRuleInPolicyGroup and is overridden to refer to an PolicyRuleInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [1..1] cardinality indicates that an IPsecPolicyGroup instance. The [1..1] cardinality indicates that an
IPsecRule instance may be contained in only one IPsecPolicyGroup IPsecRule instance may be contained in only one IPsecPolicyGroup
instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).
4.9.2. The Reference PartComponent 4.9.3. The Reference PartComponent
The property PartComponent is inherited from PolicyRuleInPolicyGroup The property PartComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IPsecRule instance. The [0..n] and is overridden to refer to an IPsecRule instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may contain cardinality indicates that an IPsecPolicyGroup instance may contain
zero or more IPsecRules instance. zero or more IPsecRules instance.
4.10. The Aggregation Class SAConditionInRule 4.10. The Aggregation Class SAConditionInRule
The class SAConditionInRule associates an SARule with the The class SAConditionInRule associates an SARule with the
SACondition instance(s) that trigger(s) it. See [PCIM] for the SACondition instance(s) that trigger(s) it. The class definition
usage for the properties GroupNumber and ConditionNegated. The for SAConditionInRule is as follows:
class definition for SAConditionInRule is as follows:
NAME SAConditionInRule NAME SAConditionInRule
DESCRIPTION Associates an SARule with the SACondition instance(s) DESCRIPTION Associates an SARule with the SACondition instance(s)
that trigger(s) it. that trigger(s) it.
DERIVED FROM PolicyConditionInPolicyRule (see [PCIM]) DERIVED FROM PolicyConditionInPolicyRule (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent [ref SARule [0..n]] PROPERTIES GroupNumber (from PolicyConditionInPolicyRule)
PartComponent [ref SACondition [1..n]]
GroupNumber (from PolicyConditionInPolicyRule)
ConditionNegated (from PolicyConditionInPolicyRule) ConditionNegated (from PolicyConditionInPolicyRule)
GroupComponent [ref SARule [0..n]]
PartComponent [ref SACondition [1..n]]
4.10.1. The Reference GroupComponent 4.10.1. The Properties GroupNumber and ConditionNegated
For a description of these properties, see [PCIM].
4.10.2. The Reference GroupComponent
The property GroupComponent is inherited from The property GroupComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an SARule PolicyConditionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SACondition instance. The [0..n] cardinality indicates that an SACondition
instance may be contained in zero or more SARule instances. instance may be contained in zero or more SARule instances.
4.10.2. The Reference PartComponent 4.10.3. The Reference PartComponent
The property PartComponent is inherited from The property PartComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an PolicyConditionInPolicyRule and is overridden to refer to an
SACondition instance. The [1..n] cardinality indicates that an SACondition instance. The [1..n] cardinality indicates that an
SARule instance MUST contain at least one SACondition instance. SARule instance MUST contain at least one SACondition instance.
4.11. The Aggregation Class SAActionInRule 4.11. The Aggregation Class PolicyActionInSARule
The SAActionInRule class associates an SARule with its primary The PolicyActionInSARule class associates an SARule with one or more
SAAction. The class definition for SAActionInRule is as follows: PolicyAction instances. In all cases where an SARule is being used,
the contained actions MUST be either subclasses of SAAction or
instances of CompoundPolicyAction. For an IKERule, the contained
actions MUST be related to phase 1 processing, i.e., IKEAction or
IKERejectAction. Similarly, for an IPsecRule, contained actions
MUST be related to phase 2 or preconfigured SA processing, e.g.,
IPsecTransportAction, IPsecBypassAction, etc. The class definition
for PolicyActionInSARule is as follows:
NAME SAActionInRule NAME PolicyActionInSARule
DESCRIPTION Associates an SARule with its SAAction(s). DESCRIPTION Associates an SARule with its PolicyAction(s).
DERIVED FROM PolicyActionInPolicyRule (see [PCIM]) DERIVED FROM PolicyActionInPolicyRule (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent [ref SARule [0..n]] PROPERTIES GroupComponent [ref SARule [0..n]]
PartComponent [ref SAAction [1..n]] PartComponent [ref PolicyAction [1..n]]
ActionOrder ActionOrder (from PolicyActionInPolicyRule)
4.11.1. The Reference GroupComponent 4.11.1. The Reference GroupComponent
The property GroupComponent is inherited from The property GroupComponent is inherited from
PolicyActionInPolicyRule and is overridden to refer to an SARule PolicyActionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SAAction instance. The [0..n] cardinality indicates that an SAAction
instance may be contained in zero or more SARule instances. instance may be contained in zero or more SARule instances.
4.11.2. The Reference PartComponent 4.11.2. The Reference PartComponent
The property PartComponent is inherited from The property PartComponent is inherited from
PolicyActionInPolicyRule and is overridden to refer to an SAAction PolicyActionInPolicyRule and is overridden to refer to an SAAction
instance. The [1..n] cardinality indicates that an SARule instance or CompoundPolicyAction instance. The [1..n] cardinality indicates
MUST contain at least one SAAction instance. that an SARule instance MUST contain at least one SAAction or
CompoundPolicyAction instance.
4.11.3. The Property ActionOrder 4.11.3. The Property ActionOrder
The property ActionOrder specifies the relative position of this The property ActionOrder is inherited from the superclass
SAAction in the sequence of actions associated with a PolicyRule. PolicyActionInPolicyRule. It specifies the relative position of
The ActionOrder MUST be unique so as to provide a deterministic this PolicyAction in the sequence of actions associated with a
order. In addition, the actions in an SARule are executed as PolicyRule. The ActionOrder MUST be unique so as to provide a
follows. deterministic order. In addition, the actions in an SARule are
executed as follows. See section 4.2.2 ExecutionStrategy for a
For an initiator, if there is more than one action in the rule, the discussion on the use of the ActionOrder property.
additional actions are 'backup' actions in the event that the first
action is not able to be completed successfully. They are tried in
the ActionOrder until the list is exhausted or one completes
successfully. For example, an IKE initiator may have several
IKEActions for the same SACondition. The initiator will try all
IKEActions in the order defined by ActionOrder. I.e. it will
possibly try several phases 1 possibly with different modes (main
mode then aggressive mode) and/or with possibly multiple IKE peers.
For a responder, there can be more than one action in the rule, this
provides alternative actions depending on the received proposals.
For example, the same IKERule may be used to handle aggressive mode
and main mode negotiations with different actions. The first
appropriate action in the list of actions is used by the responder.
The property is defined as follows: The property is defined as follows:
[Need an explanation of what the action order means as it replaces
the fallback association]
NAME ActionOrder NAME ActionOrder
DESCRIPTION Specifies the order of actions. DESCRIPTION Specifies the order of actions.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Any value between 1 and 2^16-1 inclusive. Lower values VALUE Any value between 1 and 2^16-1 inclusive. Lower values
have higher precedence (i.e., 1 is the highest have higher precedence (i.e., 1 is the highest
precedence). The merging order of two SAActions with precedence). The merging order of two SAActions with
the same precedence is undefined. the same precedence is undefined.
5. Condition and Filter Classes 5. Condition and Filter Classes
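Review bot: The new right-hand text is internally inconsistent about the superclass of RuleForIPsecNegotiation: the DERIVED FROM line now says PolicySetComponent (see Appendix D), but sections 4.9.2 and 4.9.3 still state that GroupComponent and PartComponent are "inherited from PolicyRuleInPolicyGroup"; those two sentences should be updated to PolicySetComponent, and the matching sentence in 4.11.1 still says "an SAAction instance" although PartComponent now admits PolicyAction/CompoundPolicyAction. Two further points in 4.11: the constraint that actions contained in an IKERule "MUST be related to phase 1 processing" is stated for directly contained actions only, so it should say explicitly that it also applies to the actions nested inside a CompoundPolicyAction, otherwise a compound action could smuggle a phase 2 action into a phase 1 rule; and 4.11.3 still says "The ActionOrder MUST be unique" while the VALUE clause says "The merging order of two SAActions with the same precedence is undefined", which cannot both hold, so one of the two should go.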
skipping to change at page 22, line 29 skipping to change at page 24, line 29
| +--------------+ | +--------------+
| 1 o | 1 o
|(b) |(c) |(b) |(c)
| * | | * |
| +-----------------+ | +-----------------+
| | FilterEntryBase | | | FilterEntryBase |
| | (Appendix C) | | | (Appendix C) |
| +-----------------+ | +-----------------+
| ^ | ^
| | | |
| +--------------+ | +-----------------------+ | +----------------+ | +-----------------------+
| | FilterEntry |----+----| CredentialFilterEntry | | | IPHeaderFilter |----+----| CredentialFilterEntry |
| | (Appendix C) | | +-----------------------+ | | (Appendix C) | | +-----------------------+
| +--------------+ | | +----------------+ |
| | | |
| +-----------------+ | +--------------------------+ | +-----------------+ | +--------------------------+
| | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry | | | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
| +-----------------+ +--------------------------+ | +-----------------+ +--------------------------+
| |
| *+-----------------------------+ | *+-----------------------------+
+------------| CredentialManagementService | +------------| CredentialManagementService |
| (Appendix B) | | (Appendix B) |
+-----------------------------+ +-----------------------------+
skipping to change at page 23, line 24 skipping to change at page 25, line 24
The class definition for SACondition is as follows: The class definition for SACondition is as follows:
NAME SACondition NAME SACondition
DESCRIPTION Defines the preconditions for IKE and IPsec DESCRIPTION Defines the preconditions for IKE and IPsec
negotiations. negotiations.
DERIVED FROM PolicyCondition (see [PCIM]) DERIVED FROM PolicyCondition (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyConditionName (from PolicyCondition) PROPERTIES PolicyConditionName (from PolicyCondition)
5.2. The Class FilterEntry 5.2. The Class IPHeaderFilter
The class FilterEntry is defined in appendix C with the following
notes:
1) since actions in the IPsec Policy Model are not part of the The class IPHeaderFilter is defined in appendix C with the following
condition side of the rule, the Action property of each note:
FilterEntry is ignored and should be set to "FilterOnly".
2) to specify 5-tuple filters that are to apply symmetrically (i.e., 1) to specify 5-tuple filters that are to apply symmetrically (i.e.,
matches traffic in both directions of the same flow between the matches traffic in both directions of the same flow between the
two peers), the Direction property of the FilterList should be two peers), the Direction property of the FilterList should be
set to "Mirrored". set to "Mirrored".
5.3. The Class CredentialFilterEntry 5.3. The Class CredentialFilterEntry
The class CredentialFilterEntry defines an equivalence class that The class CredentialFilterEntry defines an equivalence class that
match credentials of IKE peers. Each CredentialFilterEntry includes match credentials of IKE peers. Each CredentialFilterEntry includes
a MatchFieldName that is interpreted according to the a MatchFieldName that is interpreted according to the
CredentialManagementService(s) associated with the SACondition CredentialManagementService(s) associated with the SACondition
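Review bot: Removing the old note 1) (that the Action property of each filter entry is ignored and set to "FilterOnly") is only safe if IPHeaderFilter as defined in Appendix C no longer carries that property; if it does, the guidance should be kept, since an implementation that honours a filter-side Action would apply an action outside the rule's action list. Style: with only one note left, the "following note:" list should not be numbered "1)", and the sentence "defines an equivalence class that match credentials" in 5.3 should read "that matches credentials".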
skipping to change at page 24, line 44 skipping to change at page 26, line 39
5.3.3. The Property CredentialType 5.3.3. The Property CredentialType
The property CredentialType specifies the particular type of The property CredentialType specifies the particular type of
credential that is being matched. The property is defined as credential that is being matched. The property is defined as
follows: follows:
NAME CredentialType NAME CredentialType
DESCRIPTION Defines the type of IKE credentials. DESCRIPTION Defines the type of IKE credentials.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - X.509 Certificate VALUE 1 X.509 Certificate
2 - Kerberos Ticket 2 Kerberos Ticket
5.4. The Class IPSOFilterEntry 5.4. The Class IPSOFilterEntry
The class IPSOFilterEntry is used to match traffic based on the IP The class IPSOFilterEntry is used to match traffic based on the IP
Security Options header values (ClassificationLevel and Security Options header values (ClassificationLevel and
ProtectionAuthority) as defined in RFC1108. This type of FilterEntry ProtectionAuthority) as defined in RFC1108. This type of filter
is used to adjust the IPsec encryption level according to the IPSO entry is used to adjust the IPsec encryption level according to the
classification of the traffic (e.g., secret, confidential, IPSO classification of the traffic (e.g., secret, confidential,
restricted, etc. The class definition for IPSOFilterEntry is as restricted, etc. The class definition for IPSOFilterEntry is as
follows: follows:
NAME IPSOFilterEntry NAME IPSOFilterEntry
DESCRIPTION Specifies the a match filter based on IP Security DESCRIPTION Specifies the a match filter based on IP Security
Options. Options.
DERIVED FROM FilterEntryBase (see Appendix C) DERIVED FROM FilterEntryBase (see Appendix C)
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
skipping to change at page 25, line 24 skipping to change at page 27, line 19
5.4.1. The Property MatchConditionType 5.4.1. The Property MatchConditionType
The property MatchConditionType specifies the IPSO header field that The property MatchConditionType specifies the IPSO header field that
will be matched (e.g., traffic classification level or protection will be matched (e.g., traffic classification level or protection
authority). The property is defined as follows: authority). The property is defined as follows:
NAME MatchConditionType NAME MatchConditionType
DESCRIPTION Specifies the IPSO header field to be matched. DESCRIPTION Specifies the IPSO header field to be matched.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - ClassificationLevel VALUE 1 ClassificationLevel
2 - ProtectionAuthority 2 ProtectionAuthority
5.4.2. The Property MatchConditionValue 5.4.2. The Property MatchConditionValue
The property MatchConditionValue specifies the value of the IPSO The property MatchConditionValue specifies the value of the IPSO
header field to be matched against. The property is defined as header field to be matched against. The property is defined as
follows: follows:
NAME MatchConditionValue NAME MatchConditionValue
DESCRIPTION Specifies the value of the IPSO header field to be DESCRIPTION Specifies the value of the IPSO header field to be
matched against. matched against.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE For ClassificationLevel, the values are: VALUE For ClassificationLevel, the values are:
61 - TopSecret 61 TopSecret
90 - Secret 90 Secret
150 - Confidential 150 Confidential
171 - Unclassified 171 Unclassified
For ProtectionAuthority, the values are: For ProtectionAuthority, the values are:
0 - GENSER 0 GENSER
1 - SIOP-ESI 1 - SIOP-ESI
2 - SCI 2 SCI
3 - NSA 3 NSA
4 - DOE 4 - DOE
5.5. The Class PeerIDPayloadFilterEntry 5.5. The Class PeerIDPayloadFilterEntry
The class PeerIDPayloadFilterEntry defines filters used to match ID The class PeerIDPayloadFilterEntry defines filters used to match ID
payload values from the IKE protocol exchange. payload values from the IKE protocol exchange.
PeerIDPayloadFilterEntry permits the specification of certain ID PeerIDPayloadFilterEntry permits the specification of certain ID
payload values such as "*@company.com" or "193.190.125.0/24". payload values such as "*@company.com" or "193.190.125.0/24".
Obviously this filter applies only to IKERules when acting as a Obviously this filter applies only to IKERules when acting as a
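Review bot: The enumerated VALUE lists in this region are formatted inconsistently in the new text: CredentialType, MatchConditionType and most of MatchConditionValue drop the " - " separator between number and name, while "1 - SIOP-ESI" and "4 - DOE" keep it; pick one form for all value lists. Two pre-existing wording defects in 5.4 survive the revision and should be fixed while the section is being touched: "Specifies the a match filter" and the unclosed parenthesis in "(e.g., secret, confidential, restricted, etc."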
skipping to change at page 29, line 42 skipping to change at page 31, line 42
| | | | | |
+-----------------+ | | +-------------------+ | +-----------------+ | | +-------------------+ |
| IKERejectAction |---+ +----| IPsecTunnelAction | | | IKERejectAction |---+ +----| IPsecTunnelAction | |
+-----------------+ | +-------------------+ | +-----------------+ | +-------------------+ |
| *| | | *| |
| +--------------+ | | +--------------+ |
| | | | | |
+-----------------------+ | | +--------------+n | +-----------------------+ | | +--------------+n |
| PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+ | PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+
+-----------------------+ | +--------------+ (b) +-----------------------+ | +--------------+ (b)
^ | *| ^ |
| | *+-------------+ | | | *+-------------+
+---------------------+ +-------| PeerGateway | | | +-------| PeerGateway |
| +-------------+ | | +-------------+
+-----------------------------+ | *w| | | +-----------------------------+ |0..1 *w|
| PreconfiguredTransportAction|--+ |(c) | +--| PreconfiguredTransportAction| | |(c)
+-----------------------------+ | 1| | | +-----------------------------+ | 1|
| +--------------+ | | | +--------------+
+-----------------------------+ | | System | | | +---------------------------+ * | | System |
| PreconfiguredTransportAction|--+ | (Appendix A) | | +--| PreconfiguredTunnelAction |-----+ | (Appendix A) |
+-----------------------------+ +--------------+ | +---------------------------+ (e) +--------------+
*| |
| 1..3+---------------+ | 2..6+---------------+
+-------| [SATransform] | +-------| [SATransform] |
(d) +---------------+ (d) +---------------+
(a) PeerGatewayForTunnel (a) PeerGatewayForTunnel
(b) ContainedProposal (b) ContainedProposal
(c) HostedPeerGatewayInformation (c) HostedPeerGatewayInformation
(d) TransformOfPreconfiguredAction (d) TransformOfPreconfiguredAction
(e) PeerGatewayForPreconfiguredTunnel
6.1. The Class SAAction 6.1. The Class SAAction
The class SAAction serves as the base class for IKE and IPsec The class SAAction serves as the base class for IKE and IPsec
actions. Although the class is concrete, it MUST not be actions. Although the class is concrete, it MUST not be
instantiated. It is used for aggregating different types of actions instantiated. It is used for aggregating different types of actions
to IKE and IPsec rules. The class definition for SAAction is as to IKE and IPsec rules. The class definition for SAAction is as
follows: follows:
NAME SAAction NAME SAAction
DESCRIPTION The base class for IKE and IPsec actions. DESCRIPTION The base class for IKE and IPsec actions.
DERIVED FROM PolicyAction (see [PCIM]) DERIVED FROM PolicyAction (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyActionName (from PolicyAction) PROPERTIES PolicyActionName (from PolicyAction)
DoActionLogging DoActionLogging
DoPacketLogging DoPacketLogging
6.1.1. The Property DoActionLogging 6.1.1. The Property DoActionLogging
The property DoActionLogging specifies whether a log message is to The property DoActionLogging specifies whether a log message is to
be generated when the action is performed (even if the action be generated when the action is performed. This applies for
fails). The property is defined as follows: SANegotiationActions with the meaning of logging a message when the
negotiation is attempted (with the success or failure result). This
also applies for SAStaticAction only for PreconfiguredSAAction with
the meaning of logging a message when the preconfigured SA is
actually installed in the SADB. The property is defined as follows:
NAME DoActionLogging NAME DoActionLogging
DESCRIPTION Specifies the whether to log when the action is DESCRIPTION Specifies the whether to log when the action is
performed. performed.
SYNTAX boolean SYNTAX boolean
VALUE true - a log message is to be generated when action is VALUE true - a log message is to be generated when action is
performed. performed.
false - no log message is to be generated when action false - no log message is to be generated when action
is performed. is performed.
6.1.2. The Property DoPacketLogging 6.1.2. The Property DoPacketLogging
The property DoPacketLogging specifies whether a log message is to The property DoPacketLogging specifies whether a log message is to
be generated when the resulting security association is used to be generated when the resulting security association is used to
process the packet. If the action successfully executes and results process the packet. If the SANegotiationAction successfully
in the creation of one or several security associations, the value executes and results in the creation of one or several security
of DoPacketLogging SHOULD be propagated to an optional field of associations or if the PreconfiguredSAAction executes, the value of
SADB. This optional field should be used to decide whether a log DoPacketLogging SHOULD be propagated to an optional field of SADB.
message is to be generated when the SA is used to process a packet. This optional field should be used to decide whether a log message
is to be generated when the SA is used to process a packet. For
SAStaticActions, a log message is to be generated when the
IPsecBypassAction, IPsecDiscardAction, IKERejectAction are executed.
The property is defined as follows: The property is defined as follows:
NAME DoPacketLogging NAME DoPacketLogging
DESCRIPTION Specifies the whether to log when the resulting DESCRIPTION Specifies the whether to log when the resulting
security association is used to process the packet. security association is used to process the packet.
SYNTAX boolean SYNTAX boolean
VALUE true - a log message is to be generated when the VALUE true - a log message is to be generated when the
resulting security association is used to process the resulting security association is used to process the
packet. packet.
false - no log message is to be generated. false - no log message is to be generated.
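Review bot: The logging semantics added to 6.1.1 and 6.1.2 leave a gap: 6.1.1 says DoActionLogging applies to SAStaticActions "only for PreconfiguredSAAction", and 6.1.2 then says that "For SAStaticActions, a log message is to be generated when the IPsecBypassAction, IPsecDiscardAction, IKERejectAction are executed", without saying whether that message depends on DoPacketLogging, DoActionLogging or neither; state explicitly that it is emitted when DoPacketLogging is true and that DoActionLogging is ignored for those three classes, otherwise bypass and discard decisions, which are exactly what an auditor wants logged, may go unlogged on some implementations. Also, the figure changes the SATransform cardinality on TransformOfPreconfiguredAction from 1..3 to 2..6 and adds association (e) PeerGatewayForPreconfiguredTunnel, but nothing in the visible text explains the new cardinality; a sentence in 6.6 giving the reason (presumably separate inbound and outbound transforms) would help.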
skipping to change at page 31, line 40 skipping to change at page 33, line 47
DESCRIPTION Specifies the amount of time (in seconds) that a DESCRIPTION Specifies the amount of time (in seconds) that a
security association derived from this action should be security association derived from this action should be
used. used.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is not a lifetime VALUE A value of zero indicates that there is not a lifetime
associated with this action (i.e., infinite lifetime). associated with this action (i.e., infinite lifetime).
A non-zero value is typically used in conjunction with A non-zero value is typically used in conjunction with
alternate SAActions performed when there is a alternate SAActions performed when there is a
negotiation failure of some sort. negotiation failure of some sort.
Note: if the referenced SAStaticAction object is a
PreconfiguredSAAction associated to several SATransforms, then the
actual lifetime of the preconfigured SA will be the smallest of the
value of this LifetimeSeconds property and of the value of the
MaxLifetimeSeconds property of the associated SATransform. Except if
the value of this LifetimeSeconds property is zero, then there will
be no lifetime associated to this SA.
It is expected that most SAStaticAction instances will have their
LifetimeSeconds properties set to zero (meaning no expiration of the
resulting SA).
6.3. The Class IPsecBypassAction 6.3. The Class IPsecBypassAction
The class IPsecBypassAction is used when packets are allowed to be The class IPsecBypassAction is used when packets are allowed to be
processed without applying IPsec encapsulation to them. This is the processed without applying IPsec encapsulation to them. This is the
same as stating that packets are allowed to flow in the clear. The same as stating that packets are allowed to flow in the clear. The
class definition for IPsecBypassAction is as follows: class definition for IPsecBypassAction is as follows:
NAME IPsecBypassAction NAME IPsecBypassAction
DESCRIPTION Specifies that packets are to be allowed to pass in the DESCRIPTION Specifies that packets are to be allowed to pass in the
clear. clear.
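Review bot: The new note under LifetimeSeconds has a precedence problem: it first says the effective lifetime is the smaller of LifetimeSeconds and the SATransform's MaxLifetimeSeconds, then says that if LifetimeSeconds is zero "there will be no lifetime associated to this SA". As written, a zero (infinite) action lifetime overrides the transform's maximum, so a preconfigured SA with hard-wired keys could live forever even though the transform imposes a cap. If the intent is that zero simply means "no contribution from this property", say that the transform's MaxLifetimeSeconds still applies; if the intent really is to disable the cap, say so explicitly, since the default expectation stated two sentences later is that most instances will be zero. Minor: "associated to" should be "associated with" in both new paragraphs.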
skipping to change at page 32, line 38 skipping to change at page 35, line 4
6.6. The Class PreconfiguredSAAction 6.6. The Class PreconfiguredSAAction
The class PreconfiguredSAAction is used to create a security The class PreconfiguredSAAction is used to create a security
association using preconfigured, hard-wired algorithms and keys. association using preconfigured, hard-wired algorithms and keys.
Notes: Notes:
- the SPI for a PreconfiguredSAAction is contained in the - the SPI for a PreconfiguredSAAction is contained in the
association, TransformOfPreconfiguredAction; association, TransformOfPreconfiguredAction;
- the session key (if applicable) is contained in an instance of the - the session key (if applicable) is contained in an instance of the
class SharedSecret (see appendix B). The session key is stored in class SharedSecret (see appendix B). The session key is stored in
the property secret, the property protocol contains either "ESP" the property secret, the property protocol contains either "ESP-
or "AH", the property algorithm contains the algorithm used to encrypt, ESP-auth" or "AH", the property algorithm contains the
protect the secret (can be "PLAINTEXT" if the IPsec entity has no algorithm used to protect the secret (can be "PLAINTEXT" if the
secret storage), the value of property RemoteID is the IPsec entity has no secret storage), the value of property
concatenation of the remote IPsec peer IP address in dotted RemoteID is the concatenation of the remote IPsec peer IP address
decimal, of the character "/", and of the hexadecimal in dotted decimal, of the character "/", of IN (resp. OUT) for
representation of the SPI. inbound SA (resp. outbound SA), of the character / and of the
hexadecimal representation of the SPI.
Although the class is concrete, it MUST not be instantiated. The Although the class is concrete, it MUST not be instantiated. The
class definition for PreconfiguredSAAction is as follows: class definition for PreconfiguredSAAction is as follows:
NAME PreconfiguredSAAction NAME PreconfiguredSAAction
DESCRIPTION Specifies preconfigured algorithm and keying DESCRIPTION Specifies preconfigured algorithm and keying
information for creation of a security association. information for creation of a security association.
DERIVED FROM SAStaticAction DERIVED FROM SAStaticAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES LifetimeKilobytes PROPERTIES LifetimeKilobytes
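Review bot: The revised RemoteID format ("remote IPsec peer IP address in dotted decimal" / IN or OUT / SPI in hex) only accommodates IPv4 peers; the rest of the model (including the PeerGatewayAddressType text removed later in this diff) claims mixed IPv4/IPv6 support, so the format should allow an IPv6 textual address as well, or state that preconfigured SAs are IPv4-only. Two smaller points in the same paragraph: the second separator is written as unquoted / while the first is "/", and the new protocol value "ESP-encrypt, ESP-auth" should say whether one SharedSecret instance holds both the encryption and the authentication key or whether two instances are expected.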
skipping to change at page 33, line 21 skipping to change at page 35, line 40
NAME LifetimeKilobytes NAME LifetimeKilobytes
DESCRIPTION Specifies the SA lifetime in kilobytes. DESCRIPTION Specifies the SA lifetime in kilobytes.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is not a lifetime VALUE A value of zero indicates that there is not a lifetime
associated with this action (i.e., infinite lifetime). associated with this action (i.e., infinite lifetime).
A non-zero value is used to indicate that after this A non-zero value is used to indicate that after this
amount of kilobytes has been consumed the SA must be amount of kilobytes has been consumed the SA must be
deleted from the SADB. deleted from the SADB.
Note: the actual lifetime of the preconfigured SA will be the
smallest of the value of this LifetimeKilobytes property and of the
value of the MaxLifetimeSeconds property of the associated
SATransform. Except if the value of this LifetimeKilobytes property
is zero, then there will be no lifetime associated with this action.
It is expected that most PreconfiguredSAAction instances will have
their LifetimeKilobyte properties set to zero (meaning no expiration
of the resulting SA).
6.7. The Class PreconfiguredTransportAction 6.7. The Class PreconfiguredTransportAction
The class PreconfiguredTransportAction is used to create an IPsec The class PreconfiguredTransportAction is used to create an IPsec
transport-mode security association using preconfigured, hard-wired transport-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for algorithms and keys. The class definition for
PreconfiguredTransportAction is as follows: PreconfiguredTransportAction is as follows:
NAME PreconfiguredTransportAction NAME PreconfiguredTransportAction
DESCRIPTION Specifies preconfigured algorithm and keying DESCRIPTION Specifies preconfigured algorithm and keying
information for creation of an IPsec transport security information for creation of an IPsec transport security
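Review bot: The new note under LifetimeKilobytes compares quantities of different units: it takes "the smallest of the value of this LifetimeKilobytes property and of the value of the MaxLifetimeSeconds property of the associated SATransform". A byte count cannot be compared with a time; this presumably should reference the transform's kilobyte limit (a MaxLifetimeKilobytes property, if SATransform has one). The same zero-overrides-the-cap issue raised for LifetimeSeconds applies here, and "their LifetimeKilobyte properties" should be "LifetimeKilobytes".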
skipping to change at page 33, line 48 skipping to change at page 36, line 25
tunnel-mode security association using preconfigured, hard-wired tunnel-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for PreconfiguredSAAction algorithms and keys. The class definition for PreconfiguredSAAction
is as follows: is as follows:
NAME PreconfiguredTunnelAction NAME PreconfiguredTunnelAction
DESCRIPTION Specifies preconfigured algorithm and keying DESCRIPTION Specifies preconfigured algorithm and keying
information for creation of an IPsec tunnel-mode information for creation of an IPsec tunnel-mode
security association. security association.
DERIVED FROM PreconfiguredSAAction DERIVED FROM PreconfiguredSAAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PeerGatewayAddressType PROPERTIES DFHandling
PeerGatewayAddress
DFHandling
6.8.1. The Property PeerGatewayAddressType
The property PeerGatewayAddressType specifies the format of the
PeerGatewayAddress property. Addresses that can be formatted in
IPv4 format, must be formatted that way to ensure mixed IPv4/IPv6
support. When the tunnel peer is not a security gateway, this
property value is set to 0. The property is defined as follows:
NAME PeerGatewayAddressType
DESCRIPTION Specifies the format of PeerGatewayAddress.
SYNTAX unsigned 16-bit integer
VALUE 0 - unknown
1 - IPv4
2 - IPv6
6.8.2. The Property PeerGatewayAddress
The property PeerGatewayAddress specifies the IP address of the
tunnel peer security gateway formatted according to the appropriate
convention as defined in the PeerGatewayAddressType property of this
class (e.g., 171.79.6.40). When the tunnel peer is not a security
gateway, this property value is set to NULL. The property is
defined as follows:
NAME PeerGatewayAddress
DESCRIPTION Specifies the IP address of the tunnel peer.
SYNTAX string
VALUE When the value is NULL, this is a special meaning: the
IP address of the actual remote IKE entity is the
destination IP address of the IP packet that triggered
the SARule. Else, the value is a string representation
of an IPv4 or IPv6 address.
6.8.3. The Property DFHandling 6.8.1. The Property DFHandling
The property DFHandling specifies how the Don't Fragment bit of the The property DFHandling specifies how the Don't Fragment bit of the
internal IP header is to be handled during IPsec processing. The internal IP header is to be handled during IPsec processing. The
property is defined as follows: property is defined as follows:
NAME DFHandling NAME DFHandling
DESCRIPTION Specifies the processing of the DF bit. DESCRIPTION Specifies the processing of the DF bit.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - Copy the DF bit from the internal IP header to the VALUE 1 Copy the DF bit from the internal IP header to the
external IP header. external IP header.
2 - Set the DF bit of the external IP header to 1. 2 Set the DF bit of the external IP header to 1.
3 - Clear the DF bit of the external IP header to 0. 3 Clear the DF bit of the external IP header to 0.
6.9. The Class SANegotiationAction 6.9. The Class SANegotiationAction
The class SANegotiationAction serves as the base class for IKE and The class SANegotiationAction serves as the base class for IKE and
IPsec actions that result in a IKE negotiation. Although the class IPsec actions that result in a IKE negotiation. Although the class
is concrete, is MUST not be instantiated. The class definition for is concrete, is MUST not be instantiated. The class definition for
SANegotiationAction is as follows: SANegotiationAction is as follows:
NAME SANegotiationAction NAME SANegotiationAction
DESCRIPTION A base class for IKE and IPsec actions that specifies DESCRIPTION A base class for IKE and IPsec actions that specifies
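Review bot: Removing PeerGatewayAddressType and PeerGatewayAddress from PreconfiguredTunnelAction in favour of the PeerGatewayForPreconfiguredTunnel association (e) drops the special-case semantics the old text carried: a NULL address meant "the tunnel peer is the destination address of the packet that triggered the SARule". The figure gives the new association a 0..1 cardinality, so presumably an absent PeerGateway now has that meaning, but 6.8 should say so explicitly. Two leftover defects in this region: 6.8 still says "The class definition for PreconfiguredSAAction is as follows:" where it should name PreconfiguredTunnelAction, and 6.9 still reads "is MUST not be instantiated".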
skipping to change at page 38, line 22 skipping to change at page 40, line 18
6.10.4. The Property Granularity

The property Granularity specifies how the selector for the security
association should be derived from the traffic that triggered the
negotiation. The property is defined as follows:

NAME          Granularity
DESCRIPTION   Specifies how the proposed selector for the security
              association will be created.
SYNTAX        unsigned 16-bit integer
VALUE         1 - subnet: the source and destination subnet masks of
                  the filter entry are used.
              2 - address: only the source and destination IP
                  addresses of the triggering packet are used.
              3 - protocol: the source and destination IP addresses
                  and the IP protocol of the triggering packet are
                  used.
              4 - port: the source and destination IP addresses and
                  the IP protocol and the source and destination
                  layer 4 ports of the triggering packet are used.
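The four Granularity values decide how wide the selector of the negotiated SA will be, and therefore how many SAs a site ends up with. The following Python is an added illustration, not code from the draft: it derives the selector from a constructed triggering packet and the filter entry that matched it, then shows which later packets the resulting SA would carry. The Packet, FilterEntry and Selector classes are assumed stand-ins for the model's objects.

```python
"""Deriving the proposed SA selector from the Granularity property.

Added example; Packet, FilterEntry and Selector are assumed stand-ins for
the model's objects, not classes defined by the draft.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Granularity values as defined for the IPsecAction property.
SUBNET, ADDRESS, PROTOCOL, PORT = 1, 2, 3, 4


@dataclass(frozen=True)
class Packet:
    """The packet that triggered the SARule (constructed input)."""
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class FilterEntry:
    """Source/destination prefixes of the IP header filter entry that matched."""
    src_net: str
    dst_net: str


@dataclass(frozen=True)
class Selector:
    """Proposed SA selector; None means 'any' for that field."""
    src: str
    dst: str
    protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def derive_selector(granularity: int, pkt: Packet, fe: FilterEntry) -> Selector:
    """Build the selector to propose for the SA triggered by pkt."""
    if granularity == SUBNET:
        # 1 - subnet: the masks of the filter entry are used, so one SA
        # covers every host pair inside the two prefixes.
        src_net = ipaddress.ip_network(fe.src_net)
        dst_net = ipaddress.ip_network(fe.dst_net)
        if (ipaddress.ip_address(pkt.src) not in src_net
                or ipaddress.ip_address(pkt.dst) not in dst_net):
            raise ValueError("triggering packet is outside the filter entry")
        return Selector(str(src_net), str(dst_net))

    # 2, 3 and 4 all narrow the selector to the triggering hosts (/32 or /128).
    host_src = str(ipaddress.ip_network(pkt.src))
    host_dst = str(ipaddress.ip_network(pkt.dst))
    if granularity == ADDRESS:
        return Selector(host_src, host_dst)
    if granularity == PROTOCOL:
        return Selector(host_src, host_dst, pkt.protocol)
    if granularity == PORT:
        if pkt.src_port is None or pkt.dst_port is None:
            raise ValueError("port granularity needs layer 4 ports")
        return Selector(host_src, host_dst, pkt.protocol,
                        pkt.src_port, pkt.dst_port)
    raise ValueError(f"unknown Granularity value {granularity}")


def selector_matches(sel: Selector, pkt: Packet) -> bool:
    """Would a later packet be carried by an SA with this selector?"""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(sel.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(sel.dst):
        return False
    if sel.protocol is not None and sel.protocol != pkt.protocol:
        return False
    if sel.src_port is not None and sel.src_port != pkt.src_port:
        return False
    if sel.dst_port is not None and sel.dst_port != pkt.dst_port:
        return False
    return True


# Constructed sample: a TCP/443 flow from 10.1.2.3 matched by a /16 -> /24 filter.
TRIGGER = Packet("10.1.2.3", "192.0.2.10", 6, 40000, 443)
FILTER = FilterEntry("10.1.0.0/16", "192.0.2.0/24")
# Another flow from the same subnet; only the subnet-granularity SA carries it.
OTHER = Packet("10.1.9.9", "192.0.2.10", 17, 5000, 53)

if __name__ == "__main__":
    for g in (SUBNET, ADDRESS, PROTOCOL, PORT):
        sel = derive_selector(g, TRIGGER, FILTER)
        print(g, sel, "carries OTHER:", selector_matches(sel, OTHER))
```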
6.10.5. The Property VendorID

The property VendorID is used together with the property GroupID
(when it is in the vendor-specific range) to identify the key
exchange group. VendorID is ignored unless UsePFS is true and
UseIKEGroup is false and GroupID is in the vendor-specific range
(32768-65535). The property is defined as follows:
skipping to change at page 41, line 20
PROPERTIES    DFHandling

6.12.1. The Property DFHandling

The property DFHandling specifies how the tunnel should manage the
Don't Fragment (DF) bit. The property is defined as follows:

NAME          DFHandling
DESCRIPTION   Specifies how to process the DF bit.
SYNTAX        unsigned 16-bit integer
VALUE         1 - Copy the DF bit from the internal IP header to the
                  external IP header.
              2 - Set the DF bit of the external IP header to 1.
              3 - Clear the DF bit of the external IP header to 0.

6.13. The Class IKEAction

The class IKEAction specifies the parameters that are to be used for
IKE phase 1 negotiation. The class definition for IKEAction is as
follows:

NAME          IKEAction
DESCRIPTION   Specifies the IKE phase 1 negotiation parameters.
DERIVED FROM  SANegotiationAction
skipping to change at page 44, line 43
              Dependent [ref IPsecTunnelAction[0..n]]
              SequenceNumber

6.15.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that an IPsecTunnelAction instance may be
associated with zero or more PeerGateway instances.

Note: the cardinality 0 has a specific meaning:

- when the IKE service acts as a responder, this means that the IKE
  service will accept phase 1 negotiation with any other security
  gateway;
- when the IKE service acts as an initiator, this means that the IKE
  service will use the destination IP address (of the IP packets
  which triggered the SARule) as the IP address of the peer IKE
  entity.

6.15.2. The Reference Dependent

The property Dependent is inherited from Dependency and is
overridden to refer to an IPsecTunnelAction instance. The [0..n]
cardinality indicates that a PeerGateway instance may be associated
with zero or more IPsecTunnelAction instances.

6.15.3. The Property SequenceNumber

The property SequenceNumber specifies the ordering to be used when
evaluating PeerGateway instances for a given IPsecTunnelAction.
The property is defined as follows:
skipping to change at page 45, line 42
DESCRIPTION   Associates an ordered list of SAProposals with an
              SANegotiationAction.
DERIVED FROM  PolicyComponent (see [PCIM])
ABSTRACT      FALSE
PROPERTIES    GroupComponent[ref SANegotiationAction[0..n]]
              PartComponent[ref SAProposal[1..n]]
              SequenceNumber
6.16.1. The Reference GroupComponent

The property GroupComponent is inherited from PolicyComponent and is
overridden to refer to an SANegotiationAction instance. The [0..n]
cardinality indicates that an SAProposal instance may be associated
with zero or more SANegotiationAction instances.
6.16.2. The Reference PartComponent

The property PartComponent is inherited from PolicyComponent and is
overridden to refer to an SAProposal instance. The [1..n]
cardinality indicates that an SANegotiationAction instance MUST be
associated with at least one SAProposal instance.

6.16.3. The Property SequenceNumber

The property SequenceNumber specifies the order of preference for
the SAProposals. The property is defined as follows:

NAME          SequenceNumber
DESCRIPTION   Specifies the preference order for the SAProposals.
SYNTAX        unsigned 16-bit integer
VALUE         Lower-valued proposals are preferred over proposals
              with higher values. For ContainedProposals that
              reference the same SANegotiationAction, SequenceNumber
              values must be unique.
skipping to change at page 46, line 43
and only one System instance.

6.17.2. The Reference Dependent

The property Dependent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that a System instance may be associated with
zero or more PeerGateway instances.
6.18. The Association Class TransformOfPreconfiguredAction

The class TransformOfPreconfiguredAction associates a
PreconfiguredSAAction with from two to six SATransforms that will be
applied to the inbound and outbound traffic. The order of
application of the SATransforms is implicitly defined in [IPSEC].
The class definition for TransformOfPreconfiguredAction is as
follows:

NAME          TransformOfPreconfiguredAction
DESCRIPTION   Associates a PreconfiguredSAAction with from two to
              six SATransforms.
DERIVED FROM  Dependency (see Appendix A)
ABSTRACT      FALSE
PROPERTIES    Antecedent[ref SATransform[2..6]]
              Dependent[ref PreconfiguredSAAction[0..n]]
              SPI
              Direction

6.18.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an SATransform instance. The [2..6]
cardinality indicates that a PreconfiguredSAAction instance may be
associated with from two to six SATransform instances.

6.18.2. The Reference Dependent

The property Dependent is inherited from Dependency and is
overridden to refer to a PreconfiguredSAAction instance. The [0..n]
cardinality indicates that an SATransform instance may be associated
with zero or more PreconfiguredSAAction instances.

6.18.3. The Property SPI

The property SPI specifies the SPI to be used by the pre-configured
action for the associated transform. The property is defined as
follows:

NAME          SPI
DESCRIPTION   Specifies the SPI to be used with the SATransform.
SYNTAX        unsigned 32-bit integer
6.18.4. The Property Direction
The property Direction specifies whether the SPI property is for
inbound or for outbound traffic. The property is defined as follows:
NAME Direction
DESCRIPTION Specifies whether the SA is for inbound or outbound
traffic.
SYNTAX unsigned 8-bit integer
VALUE 1 this SA is for inbound traffic
2 this SA is for outbound traffic
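As an added illustration (not the draft's own code), the following Python checks the TransformOfPreconfiguredAction associations of one PreconfiguredSAAction against the [2..6] cardinality, the Direction values and the 32-bit SPI syntax. It further assumes, following the "inbound and outbound traffic" wording of 6.18, that every transform carries one inbound and one outbound association and that inbound SPIs of one transform type are distinct; both assumptions are marked in the code.

```python
"""Consistency checks for the TransformOfPreconfiguredAction associations
of one PreconfiguredSAAction.

Added example, not the draft's code.  Checks taken from the text: Antecedent
cardinality [2..6], Direction in {1, 2}, SPI is a 32-bit value.  Assumption
(labelled below): a manually keyed SA is one-way, so every transform must
carry one inbound and one outbound association, and the inbound SPIs of one
transform type must be distinct.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

INBOUND, OUTBOUND = 1, 2  # Direction property values


@dataclass(frozen=True)
class SATransform:
    kind: str  # "AH", "ESP" or "IPCOMP"
    name: str


@dataclass(frozen=True)
class TransformOfPreconfiguredAction:
    transform: SATransform
    spi: int
    direction: int


def check_preconfigured(assocs: List[TransformOfPreconfiguredAction]) -> List[str]:
    """Return the list of violations; an empty list means the action is consistent."""
    problems: List[str] = []
    if not 2 <= len(assocs) <= 6:
        problems.append(f"Antecedent cardinality is [2..6], got {len(assocs)}")

    dirs_of: Dict[SATransform, Set[int]] = {}
    inbound_seen: Set[Tuple[str, int]] = set()
    for a in assocs:
        if a.direction not in (INBOUND, OUTBOUND):
            problems.append(f"{a.transform.name}: invalid Direction {a.direction}")
            continue
        if not 0 <= a.spi <= 0xFFFFFFFF:
            problems.append(f"{a.transform.name}: SPI {a.spi} is not a 32-bit value")
        if a.direction == INBOUND:
            # Assumption: the inbound SPI selects the local SA, so (kind, SPI)
            # must be unique among the inbound associations of this action.
            key = (a.transform.kind, a.spi)
            if key in inbound_seen:
                problems.append(f"{a.transform.name}: duplicate inbound SPI {a.spi:#x}")
            inbound_seen.add(key)
        dirs_of.setdefault(a.transform, set()).add(a.direction)

    for t, dirs in dirs_of.items():
        # Assumption: each transform needs an SA in both directions.
        if INBOUND not in dirs:
            problems.append(f"{t.name}: no inbound SPI")
        if OUTBOUND not in dirs:
            problems.append(f"{t.name}: no outbound SPI")
    return problems


def spi_for(assocs: List[TransformOfPreconfiguredAction], kind: str, direction: int) -> int:
    """Look up the SPI of a transform type in one direction (KeyError if absent)."""
    for a in assocs:
        if a.transform.kind == kind and a.direction == direction:
            return a.spi
    raise KeyError((kind, direction))


# Constructed sample: ESP + AH, each keyed in both directions (4 associations).
ESP_T = SATransform("ESP", "esp-3des-hmac-md5")
AH_T = SATransform("AH", "ah-hmac-sha1")
GOOD = [
    TransformOfPreconfiguredAction(ESP_T, 0x1000, INBOUND),
    TransformOfPreconfiguredAction(ESP_T, 0x2000, OUTBOUND),
    TransformOfPreconfiguredAction(AH_T, 0x1001, INBOUND),
    TransformOfPreconfiguredAction(AH_T, 0x2001, OUTBOUND),
]
# Constructed bad sample: a single association, so both the [2..6]
# cardinality and the outbound SA are missing.
HALF = [TransformOfPreconfiguredAction(ESP_T, 0x1000, INBOUND)]

if __name__ == "__main__":
    print("GOOD:", check_preconfigured(GOOD) or "consistent")
    print("HALF:", check_preconfigured(HALF))
```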
6.19. The Association Class PeerGatewayForPreconfiguredTunnel

The class PeerGatewayForPreconfiguredTunnel associates zero or one
PeerGateway with multiple PreconfiguredTunnelActions. The class
definition for PeerGatewayForPreconfiguredTunnel is as follows:

NAME          PeerGatewayForPreconfiguredTunnel
DESCRIPTION   Associates a PeerGateway with multiple
              PreconfiguredTunnelActions.
DERIVED FROM  Dependency (see Appendix A)
ABSTRACT      FALSE
PROPERTIES    Antecedent[ref PeerGateway[0..1]]
              Dependent[ref PreconfiguredTunnelAction[0..n]]

6.19.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..1]
cardinality indicates that a PreconfiguredTunnelAction instance may
be associated with at most one PeerGateway instance.

6.19.2. The Reference Dependent

The property Dependent is inherited from Dependency and is
overridden to refer to a PreconfiguredTunnelAction instance. The
[0..n] cardinality indicates that a PeerGateway instance may be
associated with zero or more PreconfiguredTunnelAction instances.
7. Proposal and Transform Classes

The proposal and transform classes model the proposal settings an
IPsec device will use during IKE phase 1 and 2 negotiations.

   +--------------+*w      1+--------------+
   | [SAProposal] |---------|    System    |
   +--------------+   (a)   | (Appendix A) |
          ^                 +--------------+
          |                        |1
skipping to change at page 51, line 44
The property GroupId specifies the proposed phase 1 security
association key exchange group. This property is ignored for all
aggressive mode exchanges. If the GroupID number is from the
vendor-specific range (32768-65535), the property VendorID qualifies
the group number. The property is defined as follows:

NAME          GroupId
DESCRIPTION   Specifies the proposed key exchange group for the phase
              1 security association.
SYNTAX        unsigned 16-bit integer
VALUE         0 - Not applicable: used for aggressive mode. Consult
              [IKE] for other valid values.

7.2.6. The Property AuthenticationMethod

The property AuthenticationMethod specifies the proposed phase 1
authentication method. The property is defined as follows:

NAME          AuthenticationMethod
DESCRIPTION   Specifies the proposed authentication method for the
              phase 1 security association.
skipping to change at page 57, line 30
7.7.1. The Property Algorithm

The property Algorithm specifies the transform ID of the IPCOMP
compression algorithm to propose. The property is defined as
follows:

NAME          Algorithm
DESCRIPTION   Specifies the transform ID of the IPCOMP compression
              algorithm.
SYNTAX        unsigned 16-bit integer
VALUE         1 - OUI: a vendor specific algorithm is used and
              specified in the property PrivateAlgorithm. Consult
              [DOI] for other valid values.

7.7.2. The Property DictionarySize

The property DictionarySize specifies the log2 maximum size of the
dictionary for the compression algorithm. For compression
algorithms that have pre-defined dictionary sizes, this value is
ignored. The property is defined as follows:
skipping to change at page 58, line 44
SequenceNumber property. Sets of transforms of different types are
logically ANDed. For example, if the ordered proposal list were

   ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
   AH  = { MD5, SHA-1 }

then the one sending the proposal would want the other side to pick
one from the ESP transform list (preferably (HMAC-MD5, 3DES)) AND
one from the AH transform list (preferably MD5).

The class definition for ContainedTransform is as follows:

NAME          ContainedTransform
DESCRIPTION   Associates an IPsecProposal with the set of
              SATransforms that make up the proposal.
DERIVED FROM  PolicyComponent (see [PCIM])
ABSTRACT      FALSE
PROPERTIES    GroupComponent[ref IPsecProposal[0..n]]
              PartComponent[ref SATransform[1..n]]
              SequenceNumber
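The following Python is an added example rather than code from the draft. It represents ContainedProposal (6.16) and ContainedTransform associations as (SequenceNumber, part) pairs and shows both ordering rules together: proposals are tried in SequenceNumber order, and within a proposal the responder must satisfy every transform-type list, as in the ESP/AH example above. The dataclasses and the responder's `supported` set are assumptions for illustration.

```python
"""Preference ordering and AND semantics of ContainedProposal and
ContainedTransform.

Added example, not the draft's code.  The dataclasses and the responder's
`supported` set are illustration-only assumptions; each association is
represented as a (SequenceNumber, part) pair.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SATransform:
    kind: str  # "ESP", "AH" or "IPCOMP"
    name: str


@dataclass(frozen=True)
class IPsecProposal:
    name: str
    contained: Tuple[Tuple[int, SATransform], ...]  # ContainedTransform


@dataclass(frozen=True)
class SANegotiationAction:
    name: str
    contained: Tuple[Tuple[int, IPsecProposal], ...]  # ContainedProposal


def sequence_numbers_unique(action: SANegotiationAction) -> bool:
    """ContainedProposal SequenceNumbers MUST be unique per action (6.16.3)."""
    seqs = [seq for seq, _ in action.contained]
    return len(seqs) == len(set(seqs))


def ordered_proposals(action: SANegotiationAction) -> List[IPsecProposal]:
    """Proposals in preference order: lower SequenceNumber first."""
    if not action.contained:
        raise ValueError("PartComponent [1..n]: at least one SAProposal required")
    if not sequence_numbers_unique(action):
        raise ValueError("duplicate ContainedProposal SequenceNumber")
    return [p for _, p in sorted(action.contained, key=lambda sp: sp[0])]


def transform_lists(proposal: IPsecProposal) -> Dict[str, List[str]]:
    """Per transform type, the names in preference order (ESP = {...}, AH = {...})."""
    by_kind: Dict[str, List[str]] = defaultdict(list)
    for _, t in sorted(proposal.contained, key=lambda st: st[0]):
        by_kind[t.kind].append(t.name)
    return dict(by_kind)


def responder_choice(proposal: IPsecProposal,
                     supported: Set[str]) -> Optional[Dict[str, str]]:
    """Pick one transform from EVERY type list (the types are ANDed), taking
    the initiator's most preferred one we support; None if any list fails."""
    choice: Dict[str, str] = {}
    for kind, names in transform_lists(proposal).items():
        pick = next((n for n in names if n in supported), None)
        if pick is None:
            return None
        choice[kind] = pick
    return choice


def negotiate(action: SANegotiationAction, supported: Set[str]):
    """First proposal, in SequenceNumber order, that the responder can satisfy."""
    for p in ordered_proposals(action):
        choice = responder_choice(p, supported)
        if choice is not None:
            return p.name, choice
    return None


# Constructed sample reproducing the draft's ESP/AH example, plus a weaker
# fallback proposal with a higher (less preferred) SequenceNumber.
ESP_3DES = SATransform("ESP", "(HMAC-MD5, 3DES)")
ESP_DES = SATransform("ESP", "(HMAC-MD5, DES)")
AH_MD5 = SATransform("AH", "MD5")
AH_SHA1 = SATransform("AH", "SHA-1")
STRONG = IPsecProposal("esp-and-ah",
                       ((1, ESP_3DES), (2, ESP_DES), (3, AH_MD5), (4, AH_SHA1)))
FALLBACK = IPsecProposal("esp-only", ((1, ESP_DES),))
ACTION = SANegotiationAction("vpn", ((20, FALLBACK), (10, STRONG)))

if __name__ == "__main__":
    print(transform_lists(STRONG))
    print(negotiate(ACTION, {"(HMAC-MD5, DES)", "SHA-1"}))
```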
skipping to change at page 75, line 35
cardinality indicates that an IKEIdentity instance may be associated
with zero or more Credential instances.

8.18.2. The Reference Dependent

The property Dependent is inherited from UsersCredential and is
overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that a Credential instance may be associated
with zero or more IKEIdentity instances.
9. Implementation Requirements

The following table specifies which classes, properties,
associations and aggregations MUST, SHOULD or MAY be implemented.
4. Policy Classes
4.1. The Class IPsecPolicyGroup................................MUST
4.2. The Class SARule..........................................MUST
4.2.1. The Property PolicyRuleName..............................MAY
4.2.1. The Property Enabled....................................MUST
4.2.1. The Property ConditionListType..........................MUST
4.2.1. The Property RuleUsage...................................MAY
4.2.1. The Property Mandatory...................................MAY
4.2.1. The Property SequencedActions...........................MUST
4.2.1. The Property PolicyRoles.................................MAY
4.2.1. The Property PolicyDecisionStrategy......................MAY
4.2.2 The Property ExecutionStrategy..........................MUST
4.2.3 The Property LimitNegotiation............................MAY
4.3. The Class IKERule.........................................MUST
4.3.1. The Property IdentityContexts............................MAY
4.4. The Class IPsecRule.......................................MUST
4.5.3. The Property GroupPriority..............................MUST
4.6. The Association Class IpsecPolicyForEndpoint...............MAY
4.6.1. The Reference Antecedent................................MUST
4.6.2. The Reference Dependent.................................MUST
4.7. The Association Class IPsecPolicyForSystem.................MAY
4.7.1. The Reference Antecedent................................MUST
4.7.2. The Reference Dependent.................................MUST
4.8. The Aggregation Class RuleForIKENegotiation...............MUST
4.8.1. The Property Priority.................................SHOULD
4.8.2. The Reference GroupComponent............................MUST
4.8.3. The Reference PartComponent.............................MUST
4.9. The Aggregation Class RuleForIPsecNegotiation.............MUST
4.9.1. The Property Priority.................................SHOULD
4.9.2. The Reference GroupComponent............................MUST
4.9.3. The Reference PartComponent.............................MUST
4.10. The Aggregation Class SAConditionInRule..................MUST
4.10.1. The Property GroupNumber.............................SHOULD
4.10.1. The Property ConditionNegated........................SHOULD
4.10.2. The Reference GroupComponent...........................MUST
4.10.3. The Reference PartComponent............................MUST
4.11. The Aggregation Class PolicyActionInSARule...............MUST
4.11.1. The Reference GroupComponent...........................MUST
4.11.2. The Reference PartComponent............................MUST
4.11.3. The Property ActionOrder.............................SHOULD
5. Condition and Filter Classes
5.1. The Class SACondition.....................................MUST
5.2. The Class IPHeaderFilter................................SHOULD
5.3. The Class CredentialFilterEntry............................MAY
5.3.1. The Property MatchFieldName.............................MUST
5.3.2. The Property MatchFieldValue............................MUST
5.3.3. The Property CredentialType.............................MUST
5.4. The Class IPSOFilterEntry..................................MAY
5.4.1. The Property MatchConditionType.........................MUST
5.4.2. The Property MatchConditionValue........................MUST
5.5. The Class PeerIDPayloadFilterEntry.........................MAY
5.5.1. The Property MatchIdentityType..........................MUST
5.5.2. The Property MatchIdentityValue.........................MUST
5.6. The Association Class FilterOfSACondition...............SHOULD
5.6.1. The Reference Antecedent................................MUST
5.6.2. The Reference Dependent.................................MUST
5.7. The Association Class AcceptCredentialFrom.................MAY
5.7.1. The Reference Antecedent................................MUST
5.7.2. The Reference Dependent.................................MUST
6. Action Classes
6.1. The Class SAAction........................................MUST
6.1.1. The Property DoActionLogging.............................MAY
6.1.2. The Property DoPacketLogging.............................MAY
6.2. The Class SAStaticAction..................................MUST
6.2.1. The Property LifetimeSeconds............................MUST
6.3. The Class IPsecBypassAction.............................SHOULD
6.4. The Class IPsecDiscardAction............................SHOULD
6.5. The Class IKERejectAction..................................MAY
6.6. The Class PreconfiguredSAAction...........................MUST
6.6.1. The Property LifetimeKilobytes..........................MUST
6.7. The Class PreconfiguredTransportAction....................MUST
6.8. The Class PreconfiguredTunnelAction.......................MUST
6.8.1. The Property DFHandling.................................MUST
6.9. The Class SANegotiationAction.............................MUST
6.9.1. The Property MinLifetimeSeconds..........................MAY
6.9.2. The Property MinLifetimeKilobytes........................MAY
6.9.3. The Property RefreshThresholdSeconds.....................MAY
6.9.4. The Property RefreshThresholdKilobytes...................MAY
6.9.5. The Property IdleDurationSeconds.........................MAY
6.10. The Class IPsecAction....................................MUST
6.10.1. The Property UsePFS....................................MUST
6.10.2. The Property UseIKEGroup................................MAY
6.10.3. The Property GroupId...................................MUST
6.10.4. The Property Granularity.............................SHOULD
6.10.5. The Property VendorID...................................MAY
6.11. The Class IPsecTransportAction...........................MUST
6.12. The Class IPsecTunnelAction..............................MUST
6.12.1. The Property DFHandling................................MUST
6.13. The Class IKEAction......................................MUST
6.13.1. The Property RefreshThresholdDerivedKeys................MAY
6.13.2. The Property ExchangeMode..............................MUST
6.13.3. The Property UseIKEIdentityType........................MUST
6.13.4. The Property VendorID...................................MAY
6.13.5. The Property AggressiveModeGroupId......................MAY
6.14. The Class PeerGateway....................................MUST
6.14.1. The Property Name....................................SHOULD
6.14.2. The Property PeerIdentityType..........................MUST
6.14.3. The Property PeerIdentity..............................MUST
6.15. The Association Class PeerGatewayForTunnel...............MUST
6.15.1. The Reference Antecedent...............................MUST
6.15.2. The Reference Dependent................................MUST
6.15.3. The Property SequenceNumber..........................SHOULD
6.16. The Aggregation Class ContainedProposal..................MUST
6.16.1. The Reference GroupComponent...........................MUST
6.16.2. The Reference PartComponent............................MUST
6.16.3. The Property SequenceNumber............................MUST
6.17. The Association Class HostedPeerGatewayInformation........MAY
6.17.1. The Reference Antecedent...............................MUST
6.17.2. The Reference Dependent................................MUST
6.18. The Association Class TransformOfPreconfiguredAction.....MUST
6.18.1. The Reference Antecedent...............................MUST
6.18.2. The Reference Dependent................................MUST
6.18.3. The Property SPI.......................................MUST
6.18.4. The Property Direction.................................MUST
6.19. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
6.19.1. The Reference Antecedent...............................MUST
6.19.2. The Reference Dependent................................MUST
7. Proposal and Transform Classes
7.1. The Abstract Class SAProposal.............................MUST
7.1.1. The Property Name.....................................SHOULD
7.2. The Class IKEProposal.....................................MUST
7.2.1. The Property LifetimeDerivedKeys.........................MAY
7.2.2. The Property CipherAlgorithm............................MUST
7.2.3. The Property HashAlgorithm..............................MUST
7.2.4. The Property PRFAlgorithm................................MAY
7.2.5. The Property GroupId....................................MUST
7.2.6. The Property AuthenticationMethod.......................MUST
7.2.7. The Property MaxLifetimeSeconds.........................MUST
7.2.8. The Property MaxLifetimeKilobytes.......................MUST
7.2.9. The Property VendorID....................................MAY
7.3. The Class IPsecProposal...................................MUST
7.4. The Abstract Class SATransform............................MUST
7.4.1. The Property TransformName............................SHOULD
7.4.2. The Property VendorID....................................MAY
7.4.3. The Property MaxLifetimeSeconds.........................MUST
7.4.4. The Property MaxLifetimeKilobytes.......................MUST
7.5. The Class AHTransform.....................................MUST
7.5.1. The Property AHTransformId..............................MUST
7.5.2. The Property UseReplayPrevention.........................MAY
7.5.3. The Property ReplayPreventionWindowSize..................MAY
7.6. The Class ESPTransform....................................MUST
7.6.1. The Property IntegrityTransformId.......................MUST
7.6.2. The Property CipherTransformId..........................MUST
7.6.3. The Property CipherKeyLength.............................MAY
7.6.4. The Property CipherKeyRounds.............................MAY
7.6.5. The Property UseReplayPrevention.........................MAY
7.6.6. The Property ReplayPreventionWindowSize..................MAY
7.7. The Class IPCOMPTransform..................................MAY
7.7.1. The Property Algorithm..................................MUST
7.7.2. The Property DictionarySize..............................MAY
7.7.3. The Property PrivateAlgorithm............................MAY
7.8. The Association Class SAProposalInSystem...................MAY
7.8.1. The Reference Antecedent................................MUST
7.8.2. The Reference Dependent.................................MUST
7.9. The Aggregation Class ContainedTransform..................MUST
7.9.1. The Reference GroupComponent............................MUST
7.9.2. The Reference PartComponent.............................MUST
7.9.3. The Property SequenceNumber.............................MUST
7.10. The Association Class SATransformInSystem.................MAY
7.10.1. The Reference Antecedent...............................MUST
7.10.2. The Reference Dependent................................MUST
8. IKE Service and Identity Classes
8.1. The Class IKEService.......................................MAY
8.2. The Class PeerIdentityTable................................MAY
8.3.1. The Property Name.....................................SHOULD
8.3. The Class PeerIdentityEntry................................MAY
8.3.1. The Property PeerIdentity.............................SHOULD
8.3.2. The Property PeerIdentityType.........................SHOULD
8.3.3. The Property PeerAddress..............................SHOULD
8.3.4. The Property PeerAddressType..........................SHOULD
8.4. The Class AutostartIKEConfiguration........................MAY
8.5. The Class AutostartIKESetting..............................MAY
8.5.1. The Property Phase1Only..................................MAY
8.5.2. The Property AddressType..............................SHOULD
8.5.3. The Property SourceAddress..............................MUST
8.5.4. The Property SourcePort.................................MUST
8.5.5. The Property DestinationAddress.........................MUST
8.5.6. The Property DestinationPort............................MUST
8.5.7. The Property Protocol...................................MUST
8.6. The Class IKEIdentity......................................MAY
8.6.1. The Property IdentityType...............................MUST
8.6.2. The Property IdentityValue..............................MUST
8.6.3. The Property IdentityContexts............................MAY
8.7. The Association Class HostedPeerIdentityTable..............MAY
8.7.1. The Reference Antecedent................................MUST
8.7.2. The Reference Dependent.................................MUST
8.8. The Aggregation Class PeerIdentityMember...................MAY
8.8.1. The Reference Collection................................MUST
8.8.2. The Reference Member....................................MUST
8.9. The Association Class IKEServicePeerGateway................MAY
8.9.1. The Reference Antecedent................................MUST
8.9.2. The Reference Dependent.................................MUST
8.10. The Association Class IKEServicePeerIdentityTable.........MAY
8.10.1. The Reference Antecedent...............................MUST
8.10.2. The Reference Dependent................................MUST
8.11. The Association Class IKEAutostartSetting.................MAY
8.11.1. The Reference Element..................................MUST
8.11.2. The Reference Setting..................................MUST
8.12. The Aggregation Class AutostartIKESettingContext..........MAY
8.12.1. The Reference Context..................................MUST
8.12.2. The Reference Setting..................................MUST
8.12.3. The Property SequenceNumber..........................SHOULD
8.13. The Association Class IKEServiceForEndpoint...............MAY
8.13.1. The Reference Antecedent...............................MUST
8.13.2. The Reference Dependent................................MUST
8.14. The Association Class IKEAutostartConfiguration...........MAY
8.14.1. The Reference Antecedent...............................MUST
8.14.2. The Reference Dependent................................MUST
8.14.3. The Property Active..................................SHOULD
8.15. The Association Class IKEUsesCredentialManagementService..MAY
8.15.1. The Reference Antecedent...............................MUST
8.15.2. The Reference Dependent................................MUST
8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY
8.16.1. The Reference Antecedent...............................MUST
8.16.2. The Reference Dependent................................MUST
8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY
8.17.1. The Reference Antecedent...............................MUST
8.17.2. The Reference Dependent................................MUST
8.18. The Association Class IKEIdentitysCredential..............MAY
8.18.1. The Reference Antecedent...............................MUST
8.18.2. The Reference Dependent................................MUST
10. Security Considerations
This document describes a schema for IPsec policy. It does not
detail security requirements for storage or delivery of said schema.
Storage and delivery security requirements should be detailed in a
comprehensive security policy architecture document.
11. Intellectual Property
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.
attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
12. Acknowledgments
The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
Vic Lortz, and William Dixon for their contributions to this IPsec
policy model.
Additionally, this draft would not have been possible without the
preceding IPsec schema drafts. For that, thanks go out to Rob
Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
Rajan.
14. Disclaimer
The views and specification herein are those of the authors and are
not necessarily those of their employer. The authors and their
employer specifically disclaim responsibility for any problems
arising from correct or incorrect implementation or use of this
specification.
15. Authors' Addresses
Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
E-Mail: jamie.jason@intel.com
Lee Rafalow
IBM Corporation, BRQA/502
Research Triangle Park, NC 27709
E-mail: rafalow@raleigh.ibm.com
Eric Vyncke
Cisco Systems
Avenue Marcel Thiry, 77
B-1200 Brussels
Belgium
E-mail: evyncke@cisco.com
16. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
"the subclass as a Values array qualifier.") ]
uint32 StopService();
};
// ==================================================================
// ServiceAccessPoint
// ==================================================================
[Abstract, Description (
"CIM_ServiceAccessPoint represents the ability to utilize or "
"invoke a Service. Access points represent that a Service "
"is made available to other entities for use.") ]
class CIM_ServiceAccessPoint:CIM_LogicalElement
{
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
"The Setting object associated with the ManagedSystem"
"Element.") ]
CIM_Setting REF Setting;
};
// ==================================================================
// MemberOfCollection
// ==================================================================
[Association, Aggregation, Description (
"CIM_MemberOfCollection is an aggregation used to establish "
"membership of ManagedElements in a Collection." ) ]
class CIM_MemberOfCollection
{
[Key, Aggregate, Description (
"The Collection that aggregates members") ]
CIM_Collection REF Collection;
[Key, Description ("The aggregated member of the collection.") ]
CIM_ManagedElement REF Member;
};
// ==================================================================
// CIM_SystemSettingContext
// ==================================================================
[Association, Aggregation, Description (
"The Name property defines the label by which the Filter"
"Entry is known and uniquely identified.") ]
string Name;
[Description (
"Boolean indicating that the match condition described "
"in the properties of the FilterEntryBase subclass "
"should be negated.") ]
boolean IsNegated;
};
// ==================================================================
// FilterEntry (draft -02 only; replaced in -03 by CIM_IPHeaderFilter below)
// ==================================================================
[Description (
"A FilterEntry is used by network devices to identify "
"traffic and either forward them (with possibly further "
"processing) to their destination, or to deny their "
"forwarding. They are the building block of FilterLists."
"\n\n"
"This class is oriented towards packet filtering. Other "
"subclasses of FilterEntryBase can be defined to do other "
"types of filtering. "
"\n\n"
"A FilterEntry is weak to the network device (e.g., the "
"ComputerSystem) that contains it. Hence, the ComputerSystem "
"keys are propagated to this class.") ]
class CIM_FilterEntry : CIM_FilterEntryBase
{
[Description (
"This defines the type of traffic that is being filtered. "
"This will affect the filtering rules in the MatchCondition "
"property of this class."),
ValueMap { "0", "1", "2", "3" },
Values { "Unknown", "IPv4", "IPX", "IPv6" } ]
uint16 TrafficType;
[Description (
"This specifies one of a set of ways to identify traffic. "
"If the value is 1 (e.g., 'Other'), then the specific "
"type of filtering is specified in the "
"OtherMatchConditionType property of this class."),
ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9",
"10", "11", "12" },
Values {"Other", "Source Address and Mask",
"Destination Address and Mask", "Source Port",
"Source Port Range", "Destination Port",
"Destination Port Range", "Protocol Type",
"Protocol Type and Option", "DSCP", "ToS Value",
"802.1P Priority Value" },
ModelCorrespondence {
"CIM_FilterEntry.OtherMatchConditionType" } ]
uint16 MatchConditionType;
[Description (
"If the value of the MatchConditionType property in this "
"class is 1 (e.g., 'Other'), then the specific type of "
"filtering is specified in this property."),
ModelCorrespondence {
"CIM_FilterEntry.MatchConditionType" } ]
string OtherMatchConditionType;
[Description (
"This is the value of the condition that filters the "
"traffic. It corresponds to the condition specified in the "
"MatchConditionType property. If, however, the value of the "
"MatchConditionProperty is 1, then it corresponds to the "
"condition specified in the OtherMatchConditionType "
"property.") ]
string MatchConditionValue;
[Description (
"This defines whether the action should be to forward or "
"deny traffic meeting the match condition specified in "
"this filter."),
ValueMap { "1", "2" },
Values { "Permit", "Deny" } ]
uint16 Action;
[Description (
"This defines whether this FilterEntry is the default "
"entry to use by its FilterList.") ]
boolean DefaultFilter;
[Description (
"This defines the traffic class that is being matched by "
"this FilterEntry. Note that FilterEntries are aggregated "
"into FilterLists by the EntriesInFilterList "
"relationship. If the EntrySequence property of the "
"aggregation is set to 0, this means that all the Filter"
"Entries should be ANDed together. Consequently, the "
"TrafficClass property of each of the aggregated Entries "
"should be set to the same value."),
ModelCorrespondence { "CIM_NextService.TrafficClass" } ]
string TrafficClass;
};
// ===================================================================
// CIM_IPHeaderFilter (draft -03)
// ===================================================================
[Description ("IPHeaderFilter contains all of the "
"properties necessary to perform filtering on an IP header "
"or a portion thereof.")]
class CIM_IPHeaderFilter : CIM_FilterEntryBase
{
[Description ("IpVersion identifies the version of the IP "
"addresses for IP header filters. It is also used to "
"determine the sizes of the OctetStrings in the four "
"properties SrcAddress, SrcMask, DestAddress, and DestMask, "
"as follows:\n"
"ipv4(4): OctetString(SIZE (4))\n"
"ipv6(6): OctetString(SIZE (16|20)), depending on whether\n"
" a scope identifier is present"),
ValueMap {"4", "6" },
Values { "IPv4", "IPv6" },
ModelCorrespondence {
"CIM_IPHeaderFilter.SrcAddress",
"CIM_IPHeaderFilter.SrcMask",
"CIM_IPHeaderFilter.DestAddress",
"CIM_IPHeaderFilter.DestMask" } ]
uint8 IpVersion;
[Description ("SrcAddress is an OctetString, of a size "
"determined by the value of the IpVersion property, "
"representing a source IP address. This value is compared to"
" the source address in the IP header, subject to the mask "
"represented in the SrcMask property."),
OCTETSTRING,
ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]
uint8 SrcAddress[];
[Description ("SrcMask is an OctetString, of a size determined"
" by the value of the IpVersion property, representing a mask"
" to be used in comparing the source address in the IP header"
" with the value represented in the SrcAddress property."),
OCTETSTRING,
ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]
uint8 SrcMask[];
[Description ("DestAddress is an OctetString, of a size "
"determined by the value of the IpVersion property, "
"representing a destination IP address. This value is "
"compared to the destination address in the IP header, "
"subject to the mask represented in the DestMask property."),
OCTETSTRING,
ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]
uint8 DestAddress[];
[Description ("DestMask is an OctetString, of a size "
"determined by the value of the IpVersion property, "
"representing a mask to be used in comparing the destination "
"address in the IP header with the value represented in the "
"DestAddress property."),
OCTETSTRING,
ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]
uint8 DestMask[];
[Description ("ProtocolID is an 8-bit unsigned integer, "
"representing an IP protocol type. This value is compared to"
" the Protocol field in the IP header.")]
uint8 ProtocolID;
[Description ("SrcPortStart represents the lower end of a "
"range of UDP or TCP source ports. The upper end of the "
"range is represented by the SrcPortEnd property. The value "
"of SrcPortStart MUST be no greater than the value of "
"SrcPortEnd. A single port is indicated by equal values for "
"SrcPortStart and SrcPortEnd.\n"
"\n"
"A source port filter is evaluated by testing whether the "
"source port identified in the IP header falls within the "
"range of values between SrcPortStart and SrcPortEnd, "
"including these two end points.")]
uint16 SrcPortStart;
[Description ("SrcPortEnd represents the upper end of a range "
"of UDP or TCP source ports. The lower end of the range is "
"represented by the SrcPortStart property. The value of "
"SrcPortEnd MUST be no less than the value of SrcPortStart. "
"A single port is indicated by equal values for SrcPortStart "
"and SrcPortEnd.\n"
"\n"
"A source port filter is evaluated by testing whether the "
"source port identified in the IP header falls within the "
"range of values between SrcPortStart and SrcPortEnd, "
"including these two end points.")]
uint16 SrcPortEnd;
[Description ("DestPortStart represents the lower end of "
"a range of UDP or TCP destination ports. The upper end of "
"the range is represented by the DestPortEnd property. The "
"value of DestPortStart MUST be no greater than the value of "
"DestPortEnd. A single port is indicated by equal values for"
" DestPortStart and DestPortEnd.\n"
"\n"
"A destination port filter is evaluated by testing whether "
"the destination port identified in the IP header falls "
"within the range of values between DestPortStart and "
"DestPortEnd, including these two end points.")]
uint16 DestPortStart;
[Description ("DestPortEnd represents the upper end of a range"
" of UDP or TCP destination ports. The lower end of the "
"range is represented by the DestPortStart property. The "
"value of DestPortEnd MUST be no less than the value of "
"DestPortStart. A single port is indicated by equal values "
"for DestPortStart and DestPortEnd.\n"
"\n"
"A destination port filter is evaluated by testing whether "
"the destination port identified in the IP header falls "
"within the range of values between DestPortStart and "
"DestPortEnd, including these two end points.")]
uint16 DestPortEnd;
[Description ("DSCPs are defined as discrete code points, "
"with no inherent structure, there is no semantically "
"significant relationship between different DSCPs. "
"Consequently, there is no provision for specifying a range "
"of DSCPs in this property. Since, in IPv4, the DSCP field "
"may contain bits to be interpreted as the TOS IP Precedence,"
" this property is also used to filter on IP Precedence. "
"Similarly, the IPv6 Traffic Class field is also filtered "
"using the value in this property."),
MAXVALUE (63)]
uint8 DSCP;
[Description ("The 20-bit Flow Label field in the IPv6 header "
"may be used by a source to label sequences of packets for "
"which it requests special handling by the IPv6 devices, such"
" as non-default quality of service or 'real-time' service. "
"In the filter, this 20-bit string is encoded in a 24-bit "
"octetstring by right-adjusting the value and padding on the "
"left with b'0000'."),
OCTETSTRING ]
uint8 FlowLabel[];
};
// ==================================================================
// FilterList
// ==================================================================
[Description (
"A FilterList is used by network devices to identify routes "
"by aggregating a set of FilterEntries into a unit, called a "
"FilterList. FilterLists can also be used to accept or deny "
"routing updates."
"\n\n"
"A FilterList is weak to the network device (e.g., the "
"ComputerSystem) that contains it. Hence, the ComputerSystem "
"keys are propagated to this class.") ]
"the FilterList.") ]
CIM_FilterEntryBase REF PartComponent;
[Description (
"The order of the Entry relative to all others in the "
"FilterList. A value of zero indicates that all the Entries "
"should be ANDed together. Use of the Sequence property "
"should be consistent across the List. It is not valid to "
"define some Entries as ANDed in the FilterList (Sequence"
"=0) while other Entries have a non-zero Sequence number.") ]
uint16 EntrySequence;
};
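The CIM_IPHeaderFilter class and the EntrySequence rule of CIM_EntriesInFilterList above state matching semantics (OctetString sizes per IpVersion, inclusive port ranges with start no greater than end, DSCP MAXVALUE, the 20-bit FlowLabel right-adjusted in three octets, IsNegated, all entries ANDed when EntrySequence is 0) without showing them applied. The Python below is an added example, not code from the draft or the DMTF, that validates a filter instance against those constraints and evaluates entries against a constructed header. The IPHeader type, the None-means-unconstrained convention and the requirement that both ends of a port range be set are its own assumptions.

```python
"""Added example (not from the draft or the DMTF MOF): validate and evaluate CIM_IPHeaderFilter entries."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ADDR_SIZES = {4: (4,), 6: (16, 20)}  # OctetString sizes per IpVersion, from the MOF

@dataclass
class IPHeader:
    """Header fields a filter is compared against (constructed input, not a parser)."""
    version: int
    src: bytes
    dst: bytes
    protocol: int
    src_port: Optional[int] = None  # None when the payload is not TCP or UDP
    dst_port: Optional[int] = None
    dscp: int = 0
    flow_label: int = 0             # 20-bit IPv6 Flow Label; 0 for IPv4

def masked_equal(field: bytes, address: Optional[bytes], mask: Optional[bytes]) -> bool:
    """No address: unconstrained. No mask: exact match. Otherwise compare under the mask."""
    if address is None:
        return True
    mask = mask if mask is not None else b"\xff" * len(address)
    if not len(field) == len(address) == len(mask):  # also rejects 16- vs 20-octet mixes
        return False
    return all((f & m) == (a & m) for f, a, m in zip(field, address, mask))

@dataclass
class IPHeaderFilter:
    """CIM_IPHeaderFilter plus IsNegated from CIM_FilterEntryBase; None = unconstrained."""
    ip_version: int
    src_address: Optional[bytes] = None
    src_mask: Optional[bytes] = None
    dest_address: Optional[bytes] = None
    dest_mask: Optional[bytes] = None
    protocol_id: Optional[int] = None
    src_port_start: Optional[int] = None
    src_port_end: Optional[int] = None
    dest_port_start: Optional[int] = None
    dest_port_end: Optional[int] = None
    dscp: Optional[int] = None
    flow_label: Optional[bytes] = None  # 3 octets, 20-bit value right-adjusted
    is_negated: bool = False

    def validate(self) -> List[str]:
        """Return the MOF constraints this instance violates (empty list when valid)."""
        problems: List[str] = []
        sizes = ADDR_SIZES.get(self.ip_version, ())
        if not sizes:
            problems.append("IpVersion must be 4 or 6")
        for name in ("src_address", "src_mask", "dest_address", "dest_mask"):
            value = getattr(self, name)
            if value is not None and len(value) not in sizes:
                problems.append(f"{name}: {len(value)} octets, allowed {sizes}")
        for lo, hi in (("src_port_start", "src_port_end"), ("dest_port_start", "dest_port_end")):
            start, end = getattr(self, lo), getattr(self, hi)
            if (start is None) != (end is None):  # assumption: a range needs both ends
                problems.append(f"{lo} and {hi} must be set together")
            elif start is not None and start > end:
                problems.append(f"{lo} must be no greater than {hi}")
        if self.dscp is not None and not 0 <= self.dscp <= 63:
            problems.append("DSCP exceeds MAXVALUE (63)")
        if self.flow_label is not None and (len(self.flow_label) != 3 or self.flow_label[0] & 0xF0):
            problems.append("FlowLabel must be 3 octets, left-padded with b'0000'")
        return problems

    def matches(self, h: IPHeader) -> bool:
        """Evaluate the entry against a header; IsNegated inverts the outcome."""
        hit = self._raw_match(h)
        return (not hit) if self.is_negated else hit

    def _raw_match(self, h: IPHeader) -> bool:
        if h.version != self.ip_version or not masked_equal(h.src, self.src_address, self.src_mask):
            return False
        if not masked_equal(h.dst, self.dest_address, self.dest_mask):
            return False
        if self.protocol_id is not None and h.protocol != self.protocol_id:
            return False
        # Port ranges include both end points; a header without ports fails any port filter.
        for port, start, end in ((h.src_port, self.src_port_start, self.src_port_end),
                                 (h.dst_port, self.dest_port_start, self.dest_port_end)):
            if start is not None and (port is None or not start <= port <= end):
                return False
        if self.dscp is not None and h.dscp != self.dscp:
            return False
        return self.flow_label is None or int.from_bytes(self.flow_label, "big") == h.flow_label

def anded_list_matches(entries: Sequence[Tuple[int, IPHeaderFilter]], h: IPHeader) -> bool:
    """Evaluate a FilterList whose EntriesInFilterList all carry EntrySequence=0 (ANDed).
    Mixing 0 with non-zero is invalid per the MOF; ordered lists need an action model, so both are refused."""
    if {seq for seq, _ in entries} - {0}:
        raise ValueError("only ANDed lists (every EntrySequence == 0) are handled here")
    return all(entry.matches(h) for _, entry in entries)

# Constructed sample: TCP towards 10.0.0.0/8 with destination port 22 only.
SSH_TO_10_NET = IPHeaderFilter(ip_version=4, dest_address=bytes([10, 0, 0, 0]), dest_mask=bytes([255, 0, 0, 0]),
                               protocol_id=6, dest_port_start=22, dest_port_end=22)
SAMPLE_SSH = IPHeader(4, bytes([192, 168, 1, 5]), bytes([10, 1, 2, 3]), 6, 51000, 22)
SAMPLE_HTTP = IPHeader(4, bytes([192, 168, 1, 5]), bytes([10, 1, 2, 3]), 6, 51001, 80)
```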
Appendix D (DMTF Policy Model MOF)
// ==================================================================
// Policy
// ==================================================================
[Abstract, Description (
"An abstract class defining the common properties of the policy "
"managed elements derived from CIM_Policy. The subclasses are "
"used to create rules and groups of rules that work together to "
"form a coherent set of policies within an administrative domain "
"or set of domains.")
]
class CIM_Policy : CIM_ManagedElement
{
[Description (
"A user-friendly name of this policy-related object.")
]
string CommonName;
[Description (
"An array of keywords for characterizing / categorizing "
"policy objects. Keywords are of one of two types: \n"
"- Keywords defined in this and other MOFs, or in DMTF "
"white papers. These keywords provide a vendor-"
"independent, installation-independent way of "
"characterizing policy objects. \n"
"- Installation-dependent keywords for characterizing "
"policy objects. Examples include 'Engineering', "
"'Billing', and 'Review in December 2000'. \n"
"This MOF defines the following keywords: 'UNKNOWN', "
"'CONFIGURATION', 'USAGE', 'SECURITY', 'SERVICE', "
"'MOTIVATIONAL', 'INSTALLATION', and 'EVENT'. These "
"concepts are self-explanatory and are further discussed "
"in the SLA/Policy White Paper. One additional keyword "
"is defined: 'POLICY'. The role of this keyword is to "
"identify policy-related instances that may not be otherwise "
"identifiable, in some implementations. The keyword 'POLICY' "
"is NOT mutually exclusive of the other keywords "
"specified above.")
]
string PolicyKeywords [];
};
// ==================================================================
// PolicySet
// ==================================================================
[Abstract, Description ("PolicySet is an abstract class that "
"represents a set of policies that form a coherent set. The "
"set of contained policies has a common decision strategy and "
"a common set of policy roles. Subclasses include "
"PolicyGroup and PolicyRule.")]
class CIM_PolicySet : CIM_Policy
{
[Description ("PolicyDecisionStrategy defines the evaluation "
"method used for policies contained in the PolicySet. "
"FirstMatching enforces the actions of the first rule that "
"evaluates to TRUE. It is the only value currently defined."),
ValueMap { "1" },
Values { "FirstMatching" }
]
uint16 PolicyDecisionStrategy;
[Description (
"The PolicyRoles property represents the roles and role "
"combinations associated with a PolicySet. All contained "
"PolicySet instances inherit the values of the PolicyRoles of "
"the aggregating PolicySet but the values are not copied. "
"A contained PolicySet instance may, however, add additional "
"PolicyRoles to those it inherits from its aggregating "
"PolicySet(s).\n"
"\n"
"Each value represents one role or role combination. Since "
"this is a multi-valued property, more than one role or "
"combination can be associated with a single PolicySet. Each "
"value is a string of the form:\n"
" <RoleName>[&&<RoleName>]*\n"
"where the individual role names appear in alphabetical order "
"(according to the collating sequence for UCS-2).") ]
string PolicyRoles [];
};
// ==================================================================
// PolicyGroup
// ==================================================================
[Description (
"An aggregation of PolicySet instances (PolicyGroups and/or "
"PolicyRules) that have the same decision strategy and inherit "
"policy roles. PolicyGroup instances are defined and named "
"relative to the CIM_System that provides their context.")
]
class CIM_PolicyGroup : CIM_PolicySet
{
[Propagated("CIM_System.CreationClassName"),
Key, MaxLen (256),
Description ("The scoping System's CreationClassName.")
]
string SystemCreationClassName;
[Propagated("CIM_System.Name"),
Key, MaxLen (256),
Description ("The scoping System's Name.")
]
string SystemName;
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Key, MaxLen (256), Description (
"A user-friendly name of this PolicyGroup.")
]
string PolicyGroupName;
};
// ==================================================================
// PolicyRule
// ==================================================================
[Description (
"The central class used for representing the 'If Condition then "
"Action' semantics of a policy rule. A PolicyRule condition, in "
"the most general sense, is represented as either an ORed set of "
"ANDed conditions (Disjunctive Normal Form, or DNF) or an ANDed "
"set of ORed conditions (Conjunctive Normal Form, or CNF). "
"Individual conditions may either be negated (NOT C) or "
"unnegated (C). The actions specified by a PolicyRule are to be "
"performed if and only if the PolicyRule condition (whether it "
"is represented in DNF or CNF) evaluates to TRUE.\n"
"\n"
"The conditions and actions associated with a PolicyRule are "
"modeled, respectively, with subclasses of PolicyCondition and "
"PolicyAction. These condition and action objects are tied to "
"instances of PolicyRule by the PolicyConditionInPolicyRule and "
"PolicyActionInPolicyRule aggregations.\n"
"\n"
"A PolicyRule may also be associated with one or more policy "
"time periods, indicating the schedule according to which the "
"policy rule is active and inactive. In this case it is the "
"PolicyRuleValidityPeriod aggregation that provides this "
"linkage.\n"
"\n"
"The PolicyRule class uses the property ConditionListType, to "
"indicate whether the conditions for the rule are in DNF or "
"CNF. The PolicyConditionInPolicyRule aggregation contains "
"two additional properties to complete the representation of "
"the Rule's conditional expression. The first of these "
"properties is an integer to partition the referenced "
"PolicyConditions into one or more groups, and the second is a "
"Boolean to indicate whether a referenced Condition is "
"negated. An example shows how ConditionListType and these "
"two additional properties provide a unique representation "
"of a set of PolicyConditions in either DNF or CNF.\n"
"\n"
"Suppose we have a PolicyRule that aggregates five "
"PolicyConditions C1 through C5, with the following values "
"in the properties of the five PolicyConditionInPolicyRule "
"associations:\n"
" C1: GroupNumber = 1, ConditionNegated = FALSE\n"
" C2: GroupNumber = 1, ConditionNegated = TRUE\n"
" C3: GroupNumber = 1, ConditionNegated = FALSE\n"
" C4: GroupNumber = 2, ConditionNegated = FALSE\n"
" C5: GroupNumber = 2, ConditionNegated = FALSE\n"
"\n"
"If ConditionListType = DNF, then the overall condition for "
"the PolicyRule is:\n"
" (C1 AND (NOT C2) AND C3) OR (C4 AND C5)\n"
"\n"
"On the other hand, if ConditionListType = CNF, then the "
"overall condition for the PolicyRule is:\n"
" (C1 OR (NOT C2) OR C3) AND (C4 OR C5)\n"
"\n"
"In both cases, there is an unambiguous specification of "
"the overall condition that is tested to determine whether "
"to perform the PolicyActions associated with the PolicyRule.\n"
"\n"
"PolicyRule instances may also be used to aggregate other "
"PolicyRules and/or PolicyGroups. When used in this way to "
"implement nested rules, the conditions of the aggregating rule "
"apply to the subordinate rules as well. However, any side "
"effects of condition evaluation or the execution of actions MUST "
"NOT affect the result of the evaluation of other conditions "
"evaluated by the rule engine in the same evaluation pass. That "
"is, an implementation of a rule engine MAY evaluate all "
"conditions in any order before applying the priority and "
"determining which actions are to be executed.")
]
class CIM_PolicyRule : CIM_PolicySet
{
[Propagated("CIM_System.CreationClassName"),
Key, MaxLen (256),
Description ("The scoping System's CreationClassName.")
]
string SystemCreationClassName;
[Propagated("CIM_System.Name"),
Key, MaxLen (256),
Description ("The scoping System's Name.")
]
string SystemName;
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Key, MaxLen (256), Description (
"A user-friendly name of this PolicyRule.")
]
string PolicyRuleName;
[Description (
"Indicates whether this PolicyRule is administratively "
"enabled, administratively disabled, or enabled for "
"debug. When the property has the value 3 (\"enabledFor"
"Debug\"), the entity evaluating the PolicyConditions is "
"instructed to evaluate the conditions for the Rule, but not "
"to perform the actions if the PolicyConditions evaluate to "
"TRUE. This serves as a debug vehicle when attempting to "
"determine what policies would execute in a particular "
"scenario, without taking any actions to change state "
"during the debugging. The default value is 1 "
"(\"enabled\")."),
ValueMap { "1", "2", "3" },
Values { "enabled", "disabled", "enabledForDebug" }
]
uint16 Enabled;
[Description (
"Indicates whether the list of PolicyConditions "
"associated with this PolicyRule is in disjunctive "
"normal form (DNF) or conjunctive normal form (CNF). "
"The default value is 1 (\"DNF\")."),
ValueMap { "1", "2" },
Values { "DNF", "CNF" }
]
uint16 ConditionListType;
[Description (
"A free-form string that can be used to provide "
"guidelines on how this PolicyRule should be used.")
]
string RuleUsage;
[DEPRECATED {"CIM_PolicySetComponent.Priority"},
Description (
"PolicyRule.Priority is deprecated and replaced by "
"providing the priority for a rule (and a group) in the "
"context of the aggregating PolicySet instead of the "
"priority being used for all aggregating PolicySet "
"instances. Thus, the assignment of priority values is much "
"simpler.\n"
"\n"
"A non-negative integer for prioritizing this Policy"
"Rule relative to other Rules. A larger value "
"indicates a higher priority. The default value is 0.")
]
uint16 Priority;
[Description (
"A flag indicating that the evaluation of the Policy"
"Conditions and execution of PolicyActions (if the "
"Conditions evaluate to TRUE) is required. The "
"evaluation of a PolicyRule MUST be attempted if the "
"Mandatory property value is TRUE. If the Mandatory "
"property is FALSE, then the evaluation of the Rule "
"is 'best effort' and MAY be ignored.")
]
boolean Mandatory;
[Description (
"This property gives a policy administrator a way "
"of specifying how the ordering of the PolicyActions "
"associated with this PolicyRule is to be interpreted. "
"Three values are supported:\n"
" o mandatory(1): Do the actions in the indicated "
" order, or don't do them at all.\n"
" o recommended(2): Do the actions in the indicated "
" order if you can, but if you can't do them in this "
" order, do them in another order if you can.\n"
" o dontCare(3): Do them -- I don't care about the "
" order.\n"
"The default value is 3 (\"dontCare\")."),
ValueMap { "1", "2", "3" },
Values { "mandatory", "recommended", "dontCare" }
]
uint16 SequencedActions;
[Description (
"ExecutionStrategy defines the strategy to be used in "
"executing the sequenced actions aggregated by this "
"PolicyRule. There are three execution strategies:\n"
"\n"
"Do Until Success - execute actions according to predefined\n"
" order, until successful execution of a\n"
" single action.\n"
"Do All - execute ALL actions which are part of\n"
" the modeled set, according to their\n"
" predefined order. Continue doing this,\n"
" even if one or more of the actions "
" fails.\n"
"Do Until Failure - execute actions according to predefined\n"
" order, until the first failure in\n"
" execution of an action instance."),
ValueMap {"1", "2", "3"},
Values {"Do Until Success", "Do All", "Do Until Failure"}]
uint16 ExecutionStrategy;
};
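Added example, not part of the draft's MOF: a small Python model of the PolicyRule evaluation described above, covering the GroupNumber/ConditionNegated grouping under DNF and CNF, the Enabled states (including enabledForDebug), and the three ExecutionStrategy values, which CompoundPolicyAction reuses with the same semantics. The class and function names (Condition, Action, PolicyRule, evaluate_rule, sample_rule) are assumptions of this example, and the C1..C5 sample mirrors the grouping given in the description text.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Enumerations copied from the ValueMap/Values qualifiers in the MOF above.
ENABLED, DISABLED, ENABLED_FOR_DEBUG = 1, 2, 3          # PolicyRule.Enabled
DNF, CNF = 1, 2                                         # ConditionListType
DO_UNTIL_SUCCESS, DO_ALL, DO_UNTIL_FAILURE = 1, 2, 3    # ExecutionStrategy


@dataclass
class Condition:
    """One PolicyConditionInPolicyRule link: the condition's predicate plus
    the aggregation's GroupNumber and ConditionNegated properties."""
    name: str
    predicate: Callable[[dict], bool]
    group_number: int
    negated: bool = False

    def evaluate(self, ctx: dict) -> bool:
        result = self.predicate(ctx)
        return (not result) if self.negated else result


@dataclass
class Action:
    """One ordered PolicyAction; run() returns True on success."""
    name: str
    run: Callable[[dict], bool]


@dataclass
class PolicyRule:
    name: str
    conditions: List[Condition]
    actions: List[Action]
    enabled: int = ENABLED
    condition_list_type: int = DNF
    execution_strategy: int = DO_ALL


def evaluate_conditions(rule: PolicyRule, ctx: dict) -> bool:
    """DNF: conditions sharing a GroupNumber are ANDed, groups are ORed.
    CNF: conditions sharing a GroupNumber are ORed, groups are ANDed.
    Every condition is evaluated (no short-circuit), so evaluation order
    cannot change the result, as the MOF text requires."""
    groups: Dict[int, List[bool]] = {}
    for c in rule.conditions:
        groups.setdefault(c.group_number, []).append(c.evaluate(ctx))
    if not groups:
        return True  # a rule with no conditions is unconditionally TRUE
    if rule.condition_list_type == DNF:
        return any(all(g) for g in groups.values())
    return all(any(g) for g in groups.values())


def execute_actions(rule: PolicyRule, ctx: dict) -> List[str]:
    """Run the actions in their predefined order under ExecutionStrategy
    and return the names of the actions that were attempted."""
    attempted: List[str] = []
    for a in rule.actions:
        attempted.append(a.name)
        ok = a.run(ctx)
        if rule.execution_strategy == DO_UNTIL_SUCCESS and ok:
            break
        if rule.execution_strategy == DO_UNTIL_FAILURE and not ok:
            break
    return attempted


def evaluate_rule(rule: PolicyRule, ctx: dict) -> dict:
    """One evaluation pass. Disabled rules are skipped; a rule that is
    enabledForDebug has its conditions evaluated but performs no actions."""
    if rule.enabled == DISABLED:
        return {"evaluated": False, "matched": False, "actions": []}
    matched = evaluate_conditions(rule, ctx)
    if not matched or rule.enabled == ENABLED_FOR_DEBUG:
        return {"evaluated": True, "matched": matched, "actions": []}
    return {"evaluated": True, "matched": True,
            "actions": execute_actions(rule, ctx)}


def sample_rule(list_type: int, strategy: int = DO_ALL,
                enabled: int = ENABLED) -> PolicyRule:
    """Constructed sample mirroring the C1..C5 grouping in the MOF text:
    group 1 = {C1, NOT C2, C3}, group 2 = {C4, C5}. Predicates read booleans
    from the evaluation context; action A1 is constructed to always fail."""
    conds = [
        Condition("C1", lambda ctx: ctx["c1"], 1),
        Condition("C2", lambda ctx: ctx["c2"], 1, negated=True),
        Condition("C3", lambda ctx: ctx["c3"], 1),
        Condition("C4", lambda ctx: ctx["c4"], 2),
        Condition("C5", lambda ctx: ctx["c5"], 2),
    ]
    acts = [
        Action("A1", lambda ctx: False),
        Action("A2", lambda ctx: True),
        Action("A3", lambda ctx: True),
    ]
    return PolicyRule("sample", conds, acts, enabled=enabled,
                      condition_list_type=list_type, execution_strategy=strategy)
```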
// ==================================================================
// ReusablePolicyContainer
// ==================================================================
[Description (
"A class representing an administratively defined "
"container for reusable policy-related information. "
"This class does not introduce any additional "
"properties beyond those in its superclass "
"AdminDomain. It does, however, participate in a "
"unique association for containing policy elements."
"\n\n"
"An instance of this class uses the NameFormat value "
"\"ReusablePolicyContainer\".")
]
class CIM_ReusablePolicyContainer : CIM_AdminDomain
{
};
// ==================================================================
// PolicyRepository *** deprecated
// ==================================================================
[DEPRECATED{"CIM_ReusablePolicyContainer"},
Description (
"The term 'PolicyRepository' has been confusing to both "
"developers and users of the model. The replacement class "
"name describes the model element properly and is less likely "
"to be confused with a data repository."
"\n\n"
"A class representing an administratively defined "
"container for reusable policy-related information. "
"This class does not introduce any additional "
"properties beyond those in its superclass "
"AdminDomain. It does, however, participate in a "
"number of unique associations."
"\n\n"
"An instance of this class uses the NameFormat value "
"\"PolicyRepository\".")
]
class CIM_PolicyRepository : CIM_AdminDomain
{
};
// ==================================================================
// PolicyCondition
// ==================================================================
[Abstract, Description (
"A class representing a rule-specific or reusable policy "
"condition to be evaluated in conjunction with a Policy"
"Rule. Since all operational details of a PolicyCondition "
"are provided in subclasses of this object, this class is "
"abstract.")
]
class CIM_PolicyCondition : CIM_Policy
{
[Key, MaxLen (256), Description (
" The name of the class or the subclass used in the "
"creation of the System object in whose scope this "
"PolicyCondition is defined.\n\n"
" "
"This property helps to identify the System object in "
"whose scope this instance of PolicyCondition exists. "
"For a rule-specific PolicyCondition, this is the System "
"in whose context the PolicyRule is defined. For a "
"reusable PolicyCondition, this is the instance of "
"PolicyRepository (which is a subclass of System) that "
"holds the Condition.\n\n"
" "
"Note that this property, and the analogous property "
"SystemName, do not represent propagated keys from an "
"instance of the class System. Instead, they are "
"properties defined in the context of this class, which "
"repeat the values from the instance of System to which "
"this PolicyCondition is related, either directly via the "
"PolicyConditionInPolicyRepository association or indirectly"
" via the PolicyConditionInPolicyRule aggregation.")
]
string SystemCreationClassName;
[Key, MaxLen (256), Description (
" The name of the System object in whose scope this "
"PolicyCondition is defined.\n\n"
" "
"This property completes the identification of the System "
"object in whose scope this instance of PolicyCondition "
"exists. For a rule-specific PolicyCondition, this is the "
"System in whose context the PolicyRule is defined. For a "
"reusable PolicyCondition, this is the instance of "
"PolicyRepository (which is a subclass of System) that "
"holds the Condition.")
]
string SystemName;
[Key, MaxLen (256), Description (
"For a rule-specific PolicyCondition, the "
"CreationClassName of the PolicyRule object with which "
"this Condition is associated. For a reusable Policy"
"Condition, a special value, 'NO RULE', should be used to "
"indicate that this Condition is reusable and not "
"associated with a single PolicyRule.")
]
string PolicyRuleCreationClassName;
[Key, MaxLen (256), Description (
"For a rule-specific PolicyCondition, the name of "
"the PolicyRule object with which this Condition is "
"associated. For a reusable PolicyCondition, a "
"special value, 'NO RULE', should be used to indicate "
"that this Condition is reusable and not associated "
"with a single PolicyRule.")
]
string PolicyRuleName;
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property"
" allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Key, MaxLen (256), Description (
"A user-friendly name of this PolicyCondition.")
]
string PolicyConditionName;
};
// ==================================================================
// PolicyTimePeriodCondition
// ==================================================================
[Description (
" This class provides a means of representing the time "
"periods during which a PolicyRule is valid, i.e., active. "
"At all times that fall outside these time periods, the "
"PolicyRule has no effect. A Rule is treated as valid "
"at ALL times, if it does not specify a "
"PolicyTimePeriodCondition.\n\n"
" "
"In some cases a Policy Consumer may need to perform "
"certain setup / cleanup actions when a PolicyRule becomes "
"active / inactive. For example, sessions that were "
"established while a Rule was active might need to "
"be taken down when the Rule becomes inactive. In other "
"cases, however, such sessions might be left up. In this "
"case, the effect of deactivating the PolicyRule would "
"just be to prevent the establishment of new sessions. \n\n"
" "
"Setup / cleanup behaviors on validity period "
"transitions are not currently addressed by the Policy "
"Model, and must be specified in 'guideline' documents or "
"via subclasses of CIM_PolicyRule, CIM_PolicyTimePeriod"
"Condition or other concrete subclasses of CIM_Policy. If "
"such behaviors need to be under the control of the policy "
"administrator, then a mechanism to allow this control "
"must also be specified in the subclasses.\n\n"
" "
"PolicyTimePeriodCondition is defined as a subclass of "
"PolicyCondition. This is to allow the inclusion of "
"time-based criteria in the AND/OR condition definitions "
"for a PolicyRule.\n\n"
" "
"Instances of this class may have up to five properties "
"identifying time periods at different levels. The values "
"of all the properties present in an instance are ANDed "
"together to determine the validity period(s) for the "
"instance. For example, an instance with an overall "
"validity range of January 1, 2000 through December 31, "
"2000; a month mask that selects March and April; a "
"day-of-the-week mask that selects Fridays; and a time "
"of day range of 0800 through 1600 would be represented "
"using the following time periods:\n"
" Friday, March 5, 2000, from 0800 through 1600;\n "
" Friday, March 12, 2000, from 0800 through 1600;\n "
" Friday, March 19, 2000, from 0800 through 1600;\n "
" Friday, March 26, 2000, from 0800 through 1600;\n "
" Friday, April 2, 2000, from 0800 through 1600;\n "
" Friday, April 9, 2000, from 0800 through 1600;\n "
" Friday, April 16, 2000, from 0800 through 1600;\n "
" Friday, April 23, 2000, from 0800 through 1600;\n "
" Friday, April 30, 2000, from 0800 through 1600.\n\n"
" "
"Properties not present in an instance of "
"PolicyTimePeriodCondition are implicitly treated as having "
"their value 'always enabled'. Thus, in the example above, "
"the day-of-the-month mask is not present, and so the "
"validity period for the instance implicitly includes a "
"day-of-the-month mask that selects all days of the month. "
"If this 'missing property' rule is applied to its fullest, "
"we see that there is a second way to indicate that a Policy"
"Rule is always enabled: associate with it an instance of "
"PolicyTimePeriodCondition whose only properties with "
"specific values are its key properties.")
]
class CIM_PolicyTimePeriodCondition : CIM_PolicyCondition
{
[Description (
" This property identifies an overall range of calendar "
"dates and times over which a PolicyRule is valid. It is "
"formatted as a string representing a start date and time, "
"in which the character 'T' indicates the beginning of the "
"time portion, followed by the solidus character '/', "
"followed by a similar string representing an end date and "
"time. The first date indicates the beginning of the range, "
"while the second date indicates the end. Thus, the second "
"date and time must be later than the first. Date/times are "
"expressed as substrings of the form yyyymmddThhmmss. For "
"example: \n"
" 20000101T080000/20000131T120000 defines \n"
" January 1, 2000, 0800 through January 31, 2000, noon\n\n"
" "
"There are also two special cases in which one of the "
"date/time strings is replaced with a special string defined "
"in RFC 2445.\n "
" o If the first date/time is replaced with the string "
" 'THISANDPRIOR', then the property indicates that a "
" PolicyRule is valid [from now] until the date/time "
" that appears after the '/'.\n"
" o If the second date/time is replaced with the string "
" 'THISANDFUTURE', then the property indicates that a "
" PolicyRule becomes valid on the date/time that "
" appears before the '/', and remains valid from that "
" point on. "),
ModelCorrespondence {
"CIM_PolicyTimePeriodCondition.MonthOfYearMask",
"CIM_PolicyTimePeriodCondition.DayOfMonthMask",
"CIM_PolicyTimePeriodCondition.DayOfWeekMask",
"CIM_PolicyTimePeriodCondition.TimeOfDayMask",
"CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
]
string TimePeriod;
[Octetstring, Description (
" The purpose of this property is to refine the valid time "
"period that is defined by the TimePeriod property, by "
"explicitly specifying in which months the PolicyRule is "
"valid. These properties work together, with the "
"TimePeriod used to specify the overall time period in "
"which the PolicyRule is valid, and the MonthOfYearMask used "
"to pick out the months during which the Rule is valid.\n\n"
" "
"This property is formatted as an octet string, structured "
"as follows:\n"
" o a 4-octet length field, indicating the length of the "
" entire octet string; this field is always set to "
" 0x00000006 for this property;\n"
" o a 2-octet field consisting of 12 bits identifying the "
" 12 months of the year, beginning with January and "
" ending with December, followed by 4 bits that are "
" always set to '0'. For each month, the value '1' "
" indicates that the policy is valid for that month, "
" and the value '0' indicates that it is not valid.\n\n"
" "
"The value 0x000000060830, for example, indicates that a "
"PolicyRule is valid only in the months May, November, "
"and December.\n\n"
" "
"If a value for this property is not provided, then the "
"PolicyRule is treated as valid for all twelve months, and "
"only restricted by its TimePeriod property value and the "
"other Mask properties."),
ModelCorrespondence {
"CIM_PolicyTimePeriodCondition.TimePeriod",
"CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
]
uint8 MonthOfYearMask[];
[Octetstring, Description (
" The purpose of this property is to refine the valid time "
"period that is defined by the TimePeriod property, by "
"explicitly specifying in which days of the month the Policy"
"Rule is valid. These properties work together, "
"with the TimePeriod used to specify the overall time period "
"in which the PolicyRule is valid, and the DayOfMonthMask "
"used to pick out the days of the month during which the "
"Rule is valid.\n\n "
" "
"This property is formatted as an octet string, structured "
"as follows:\n"
" o a 4-octet length field, indicating the length of the "
" entire octet string; this field is always set to "
" 0x0000000C for this property; \n"
" o an 8-octet field consisting of 31 bits identifying "
" the days of the month counting from the beginning, "
" followed by 31 more bits identifying the days of the "
" month counting from the end, followed by 2 bits that "
" are always set to '0'. For each day, the value '1' "
" indicates that the policy is valid for that day, and "
" the value '0' indicates that it is not valid. \n\n"
" "
"The value 0x0000000C8000000100000000, for example, "
"indicates that a PolicyRule is valid on the first and "
"last days of the month.\n\n "
" "
"For months with fewer than 31 days, the digits corresponding"
" to days that the months do not have (counting in both "
"directions) are ignored.\n\n"
" "
"If a value for this property is not provided, then the "
"PolicyRule is treated as valid for all days of the month, "
"and only restricted by its TimePeriod property value and the"
" other Mask properties."),
ModelCorrespondence {
"CIM_PolicyTimePeriodCondition.TimePeriod",
"CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
]
uint8 DayOfMonthMask[];
[Octetstring, Description (
" The purpose of this property is to refine the valid time "
"period that is defined by the TimePeriod property, by "
"explicitly specifying in which days of the week the Policy"
"Rule is valid. These properties work together, "
"with the TimePeriod used to specify the overall time period "
"in which the PolicyRule is valid, and the DayOfWeekMask used"
" to pick out the days of the week during which the Rule "
"is valid.\n\n "
" "
"This property is formatted as an octet string, structured "
"as follows:\n "
" o a 4-octet length field, indicating the length of the "
" entire octet string; this field is always set to "
" 0x00000005 for this property;\n"
" o a 1-octet field consisting of 7 bits identifying the 7 "
" days of the week, beginning with Sunday and ending with "
" Saturday, followed by 1 bit that is always set to '0'. "
" For each day of the week, the value '1' indicates that "
" the policy is valid for that day, and the value '0' "
" indicates that it is not valid. \n\n"
" "
"The value 0x000000057C, for example, indicates that a "
"PolicyRule is valid Monday through Friday.\n\n"
" "
"If a value for this property is not provided, then the "
"PolicyRule is treated as valid for all days of the week, "
"and only restricted by its TimePeriod property value and "
"the other Mask properties."),
ModelCorrespondence {
"CIM_PolicyTimePeriodCondition.TimePeriod",
"CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
]
uint8 DayOfWeekMask[];
[Description (
" The purpose of this property is to refine the valid time "
"period that is defined by the TimePeriod property, by "
"explicitly specifying a range of times in a day during which"
" the PolicyRule is valid. These properties work "
"together, with the TimePeriod used to specify the overall "
"time period in which the PolicyRule is valid, and the "
"TimeOfDayMask used to pick out the range of time periods "
"in a given day during which the Rule is valid. \n\n"
" "
"This property is formatted in the style of RFC 2445: a "
"time string beginning with the character 'T', followed by "
"the solidus character '/', followed by a second time string."
" The first time indicates the beginning of the range, while "
"the second time indicates the end. Times are expressed as "
"substrings of the form 'Thhmmss'. \n\n"
" "
"The second substring always identifies a later time than "
"the first substring. To allow for ranges that span "
"midnight, however, the value of the second string may be "
"smaller than the value of the first substring. Thus, "
"'T080000/T210000' identifies the range from 0800 until 2100,"
" while 'T210000/T080000' identifies the range from 2100 "
"until 0800 of the following day. \n\n"
" "
"When a range spans midnight, it by definition includes "
"parts of two successive days. When one of these days is "
"also selected by either the MonthOfYearMask, "
"DayOfMonthMask, and/or DayOfWeekMask, but the other day is "
"not, then the policy is active only during the portion of "
"the range that falls on the selected day. For example, if "
"the range extends from 2100 until 0800, and the day of "
"week mask selects Monday and Tuesday, then the policy is "
"active during the following three intervals:\n"
" From midnight Sunday until 0800 Monday; \n"
" From 2100 Monday until 0800 Tuesday; \n"
" From 2100 Tuesday until 23:59:59 Tuesday. \n\n"
" "
"If a value for this property is not provided, then the "
"PolicyRule is treated as valid for all hours of the day, "
"and only restricted by its TimePeriod property value and "
"the other Mask properties."),
ModelCorrespondence {
"CIM_PolicyTimePeriodCondition.TimePeriod",
"CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
]
string TimeOfDayMask;
[Description (
" This property indicates whether the times represented "
"in the TimePeriod property and in the various Mask "
"properties represent local times or UTC times. There is "
"no provision for mixing of local times and UTC times: the "
"value of this property applies to all of the other "
"time-related properties."),
ValueMap { "1", "2" },
Values { "localTime", "utcTime" },
ModelCorrespondence {
"CIM_PolicyTimePeriodCondition.TimePeriod",
"CIM_PolicyTimePeriodCondition.MonthOfYearMask",
"CIM_PolicyTimePeriodCondition.DayOfMonthMask",
"CIM_PolicyTimePeriodCondition.DayOfWeekMask",
"CIM_PolicyTimePeriodCondition.TimeOfDayMask"}
]
uint16 LocalOrUtcTime;
};
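Added example, not part of the draft: a Python evaluator for CIM_PolicyTimePeriodCondition that decodes the length-prefixed octet-string masks and the RFC 2445 style TimePeriod and TimeOfDayMask strings described above, ANDs the properties that are present, and reports whether a PolicyRule is valid at a given instant. The names TimePeriodCondition, parse_stamp, is_valid_at and the per-property helpers are assumptions of this example; it assumes the supplied datetime is already in the local or UTC reference selected by LocalOrUtcTime, and that a day of the month is selected when either its forward or its backward bit is set.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


def _mask_bits(octets: bytes, expected_len: int) -> list:
    """Check the 4-octet length field against the actual length, then expand
    the payload into bits; bit 0 is the MSB of the first payload octet."""
    if len(octets) != expected_len or int.from_bytes(octets[:4], "big") != expected_len:
        raise ValueError("mask length field does not match %d octets" % expected_len)
    return [(b >> (7 - i)) & 1 for b in octets[4:] for i in range(8)]


def parse_stamp(s: str) -> datetime:
    """Parse a yyyymmddThhmmss substring of the TimePeriod property."""
    return datetime.strptime(s, "%Y%m%dT%H%M%S")


def _parse_time(s: str) -> time:
    """Parse a Thhmmss substring of the TimeOfDayMask property."""
    return datetime.strptime(s, "T%H%M%S").time()


@dataclass
class TimePeriodCondition:
    """Absent (None) properties mean 'always enabled', as in the MOF text."""
    time_period: Optional[str] = None            # "yyyymmddThhmmss/yyyymmddThhmmss"
    month_of_year_mask: Optional[bytes] = None   # 6 octets
    day_of_month_mask: Optional[bytes] = None    # 12 octets
    day_of_week_mask: Optional[bytes] = None     # 5 octets
    time_of_day_mask: Optional[str] = None       # "Thhmmss/Thhmmss"


def in_time_period(period: str, dt: datetime) -> bool:
    """THISANDPRIOR / THISANDFUTURE (RFC 2445) leave one end open."""
    start_s, end_s = period.split("/")
    if start_s != "THISANDPRIOR" and dt < parse_stamp(start_s):
        return False
    if end_s != "THISANDFUTURE" and dt > parse_stamp(end_s):
        return False
    return True


def month_selected(mask: bytes, dt: datetime) -> bool:
    # 12 month bits (January first) followed by 4 padding bits
    return _mask_bits(mask, 6)[dt.month - 1] == 1


def day_of_month_selected(mask: bytes, dt: datetime) -> bool:
    # 31 bits counted from the start, 31 counted from the end, 2 padding bits;
    # bits for days a month does not have are never consulted.
    bits = _mask_bits(mask, 12)
    days_in_month = calendar.monthrange(dt.year, dt.month)[1]
    from_start = bits[dt.day - 1]
    from_end = bits[31 + (days_in_month - dt.day)]   # bit 31 = last day
    return from_start == 1 or from_end == 1          # assumption: either bit selects


def day_of_week_selected(mask: bytes, dt: datetime) -> bool:
    sunday_first = (dt.weekday() + 1) % 7    # Python: Monday=0; MOF: Sunday=bit 0
    return _mask_bits(mask, 5)[sunday_first] == 1


def in_time_of_day(mask: str, dt: datetime) -> bool:
    """An end earlier than the start means the range spans midnight; each
    portion is then judged against the date masks of its own day."""
    start, end = (_parse_time(p) for p in mask.split("/"))
    t = dt.time().replace(microsecond=0)
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def is_valid_at(cond: TimePeriodCondition, dt: datetime) -> bool:
    """AND together every property that is present."""
    checks = [
        (cond.time_period, in_time_period),
        (cond.month_of_year_mask, month_selected),
        (cond.day_of_month_mask, day_of_month_selected),
        (cond.day_of_week_mask, day_of_week_selected),
        (cond.time_of_day_mask, in_time_of_day),
    ]
    return all(fn(value, dt) for value, fn in checks if value is not None)
```

The mask values quoted in the MOF (0x000000060830, 0x0000000C8000000100000000, 0x000000057C) decode to May/November/December, first and last day of the month, and Monday through Friday respectively, and a Monday/Tuesday day-of-week mask with 'T210000/T080000' reproduces the three intervals listed in the TimeOfDayMask description.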
// ==================================================================
// VendorPolicyCondition
// ==================================================================
[Description (
" A class that provides a general extension mechanism for "
"representing PolicyConditions that have not been modeled "
"with specific properties. Instead, the two properties "
"Constraint and ConstraintEncoding are used to define the "
"content and format of the Condition, as explained below.\n\n"
" "
"As its name suggests, VendorPolicyCondition is intended for "
"vendor-specific extensions to the Policy Core Information "
"Model. Standardized extensions are not expected to use "
"this class.")
]
class CIM_VendorPolicyCondition : CIM_PolicyCondition
{
[Octetstring, Description (
"This property provides a general extension mechanism for "
"representing PolicyConditions that have not been "
"modeled with specific properties. The format of the "
"octet strings in the array is left unspecified in "
"this definition. It is determined by the OID value "
"stored in the property ConstraintEncoding. Since "
"ConstraintEncoding is single-valued, all the values of "
"Constraint share the same format and semantics."),
ModelCorrespondence {
"CIM_VendorPolicyCondition.ConstraintEncoding"}
]
string Constraint [];
[Description (
"An OID encoded as a string, identifying the format "
"and semantics for this instance's Constraint property."),
ModelCorrespondence {
"CIM_VendorPolicyCondition.Constraint"}
]
string ConstraintEncoding;
};
// ==================================================================
// PolicyAction
// ==================================================================
[Abstract, Description (
"A class representing a rule-specific or reusable policy "
"action to be performed if the PolicyConditions for a Policy"
"Rule evaluate to TRUE. Since all operational details of a "
"PolicyAction are provided in subclasses of this object, "
"this class is abstract.")
]
class CIM_PolicyAction : CIM_Policy
{
[Key, MaxLen (256), Description (
" The name of the class or the subclass used in the "
"creation of the System object in whose scope this "
"PolicyAction is defined. \n\n"
" "
"This property helps to identify the System object in "
"whose scope this instance of PolicyAction exists. "
"For a rule-specific PolicyAction, this is the System "
"in whose context the PolicyRule is defined. For a "
"reusable PolicyAction, this is the instance of "
"PolicyRepository (which is a subclass of System) that "
"holds the Action. \n\n"
" "
"Note that this property, and the analogous property "
"SystemName, do not represent propagated keys from an "
"instance of the class System. Instead, they are "
"properties defined in the context of this class, which "
"repeat the values from the instance of System to which "
"this PolicyAction is related, either directly via the "
"PolicyActionInPolicyRepository association or indirectly "
"via the PolicyActionInPolicyRule aggregation.")
]
string SystemCreationClassName;
[Key, MaxLen (256), Description (
" The name of the System object in whose scope this "
"PolicyAction is defined. \n\n"
" "
"This property completes the identification of the System "
"object in whose scope this instance of PolicyAction "
"exists. For a rule-specific PolicyAction, this is the "
"System in whose context the PolicyRule is defined. For "
"a reusable PolicyAction, this is the instance of "
"PolicyRepository (which is a subclass of System) that "
"holds the Action.")
]
string SystemName;
[Key, MaxLen (256), Description (
"For a rule-specific PolicyAction, the CreationClassName "
"of the PolicyRule object with which this Action is "
"associated. For a reusable PolicyAction, a "
"special value, 'NO RULE', should be used to "
"indicate that this Action is reusable and not "
"associated with a single PolicyRule.")
]
string PolicyRuleCreationClassName;
[Key, MaxLen (256), Description (
"For a rule-specific PolicyAction, the name of "
"the PolicyRule object with which this Action is "
"associated. For a reusable PolicyAction, a "
"special value, 'NO RULE', should be used to "
"indicate that this Action is reusable and not "
"associated with a single PolicyRule.")
]
string PolicyRuleName;
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property"
" allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Key, MaxLen (256), Description (
"A user-friendly name of this PolicyAction.")
]
string PolicyActionName;
};
// ==================================================================
// CompoundPolicyAction
// ==================================================================
[Description ("CompoundPolicyAction is used to represent an "
"expression consisting of an ordered sequence of action "
"terms. Each action term is represented as a subclass of "
"the PolicyAction class. Compound actions are constructed "
"by associating dependent action terms together using the "
"PolicyActionInPolicyAction aggregation.") ]
class CIM_CompoundPolicyAction : CIM_PolicyAction
{
[Description (
"This property gives a policy administrator a way "
"of specifying how the ordering of the PolicyActions "
"associated with this CompoundPolicyAction is to be interpreted. "
"Three values are supported:\n"
" o mandatory(1): Do the actions in the indicated "
" order, or don't do them at all.\n"
" o recommended(2): Do the actions in the indicated "
" order if you can, but if you can't do them in this "
" order, do them in another order if you can.\n"
" o dontCare(3): Do them -- I don't care about the "
" order.\n"
"The default value is 3 (\"dontCare\")."),
ValueMap { "1", "2", "3" },
Values { "mandatory", "recommended", "dontCare" }]
uint16 SequencedActions;
[Description ("ExecutionStrategy defines the strategy to be "
"used in executing the sequenced actions aggregated by this "
"CompoundPolicyAction. There are three execution strategies:"
"\n\n"
"Do Until Success - execute actions according to predefined\n"
" order, until successful execution of a\n"
" single action.\n"
"Do All - execute ALL actions which are part of\n"
" the modeled set, according to their\n"
" predefined order. Continue doing this,\n"
" even if one or more of the actions "
" fails.\n"
"Do Until Failure - execute actions according to predefined\n"
" order, until the first failure in\n"
" execution of an action instance.\n\n"
"The default value is 2 (\"Do All\")."),
ValueMap {"1", "2", "3"},
Values {"Do Until Success", "Do All", "Do Until Failure"}]
uint16 ExecutionStrategy;
};
// ==================================================================
// VendorPolicyAction
// ==================================================================
[Description (
" A class that provides a general extension mechanism for "
"representing PolicyActions that have not been modeled "
"with specific properties. Instead, the two properties "
"ActionData and ActionEncoding are used to define the "
"content and format of the Action, as explained below.\n\n"
" "
"As its name suggests, VendorPolicyAction is intended for "
"vendor-specific extensions to the Policy Core Information "
"Model. Standardized extensions are not expected to use "
"this class.") ]
class CIM_VendorPolicyAction : CIM_PolicyAction
{
[Octetstring, Description (
"This property provides a general extension mechanism for "
"representing PolicyActions that have not been "
"modeled with specific properties. The format of the "
"octet strings in the array is left unspecified in "
"this definition. It is determined by the OID value "
"stored in the property ActionEncoding. Since "
"ActionEncoding is single-valued, all the values of "
"ActionData share the same format and semantics."),
ModelCorrespondence {
"CIM_VendorPolicyAction.ActionEncoding"}
]
string ActionData [];
[Description (
"An OID encoded as a string, identifying the format "
"and semantics for this instance's ActionData property."),
ModelCorrespondence {
"CIM_VendorPolicyAction.ActionData"}
]
string ActionEncoding;
};
// ==================================================================
// === Association classes ===
// ==================================================================
// ==================================================================
// PolicyComponent
// ==================================================================
[Association, Abstract, Aggregation, Description (
"CIM_PolicyComponent is a generic association used to "
"establish 'part of' relationships between the subclasses of "
"CIM_Policy. For example, the PolicyConditionInPolicyRule "
"association defines that PolicyConditions are part of a "
"PolicyRule.")
]
class CIM_PolicyComponent
{
[Aggregate, Key, Description (
"The parent Policy in the association.")
]
CIM_Policy REF GroupComponent;
[Key, Description (
"The child/part Policy in the association.")
]
CIM_Policy REF PartComponent;
};
// ==================================================================
// PolicyInSystem
// ==================================================================
[Association, Abstract, Description (
" CIM_PolicyInSystem is a generic association used to "
"establish dependency relationships between Policies and the "
"Systems that host them. These Systems may be ComputerSystems"
" where Policies are 'running' or they may be Policy"
"Repositories where Policies are stored. This relationship "
"is similar to the concept of CIM_Services being dependent "
"on CIM_Systems as defined by the HostedService "
"association. \n"
" Cardinality is Max(1) for the Antecedent/System "
"reference since Policies can only be hosted in at most one "
"System context. Some subclasses of the association will "
"further refine this definition to make the Policies Weak "
"to Systems. Other subclasses of PolicyInSystem will "
"define an optional hosting relationship. Examples of each "
"of these are the PolicyRuleInSystem and PolicyConditionIn"
"PolicyRepository associations, respectively.")
]
class CIM_PolicyInSystem : CIM_Dependency
{
[Override ("Antecedent"), Max (1), Description (
"The hosting System.")
]
CIM_System REF Antecedent;
[Override ("Dependent"), Description (
"The hosted Policy.")
]
CIM_Policy REF Dependent;
};
// ==================================================================
// PolicySetInSystem
// ==================================================================
[Association, Abstract, Description (
"PolicySetInSystem is an abstract association class that "
"represents a relationship between a System and a PolicySet used "
"in the administrative scope of that system (e.g., AdminDomain, "
"ComputerSystem). The Priority property is used to assign a "
"relative priority to a PolicySet within the administrative "
"scope in contexts where it is not a component of another "
"PolicySet.")
]
class CIM_PolicySetInSystem : CIM_PolicyInSystem
{
[Override ("Antecedent"), Min (1), Max(1), Description (
"The System in whose scope a PolicySet is defined.")
]
CIM_System REF Antecedent;
[Override ("Dependent"), Description (
"A PolicySet named within the scope of a System.")
]
CIM_PolicySet REF Dependent;
[Description (
"The Priority property is used to specify the relative "
"priority of the referenced PolicySet when there are more "
"than one PolicySet instances applied to a managed resource "
"that are not PolicySetComponents and, therefore, have no "
"other relative priority defined. The priority is a "
"non-negative integer; a larger value indicates a higher "
"priority.")]
uint16 Priority;
};
// ==================================================================
// PolicyGroupInSystem
// ==================================================================
[Association, Description (
"An association that links a PolicyGroup to the System "
"in whose scope the Group is defined.")
]
class CIM_PolicyGroupInSystem : CIM_PolicySetInSystem
{
[Override ("Antecedent"), Min(1), Max(1), Description (
"The System in whose scope a PolicyGroup is defined.")
]
CIM_System REF Antecedent;
[Override ("Dependent"), Weak, Description (
"A PolicyGroup named within the scope of a System.")
]
CIM_PolicyGroup REF Dependent;
};
// ==================================================================
// PolicyRuleInSystem
// ==================================================================
[Association, Description (
"An association that links a PolicyRule to the System "
"in whose scope the Rule is defined.")
]
class CIM_PolicyRuleInSystem : CIM_PolicySetInSystem
{
[Override ("Antecedent"), Min(1), Max(1), Description (
"The System in whose scope a PolicyRule is defined.")
]
CIM_System REF Antecedent;
[Override ("Dependent"), Weak, Description (
"A PolicyRule named within the scope of a System.")
]
CIM_PolicyRule REF Dependent;
};
// ==================================================================
// PolicySetComponent
// ==================================================================
[Association, Aggregation, Description (
"PolicySetComponent is a concrete aggregation class that "
"collects instances of PolicySet subclasses (PolicyGroups and "
"PolicyRules) into coherent sets of policies that have the same "
"decision strategy and are prioritized within the set.")
]
class CIM_PolicySetComponent : CIM_PolicyComponent
{
[Override ("GroupComponent"), Aggregate, Description (
"A PolicySet that aggregates other PolicySet instances.")
]
CIM_PolicySet REF GroupComponent;
[Override ("PartComponent"), Description (
"A PolicySet aggregated into a PolicySet.")
]
CIM_PolicySet REF PartComponent;
[Description (
"A non-negative integer for prioritizing this PolicySet "
"component relative to components of the same PolicySet. A "
"larger value indicates a higher priority.")
]
uint16 Priority;
};
// ==================================================================
// PolicyGroupInPolicyGroup *** deprecated
// ==================================================================
[Association, Aggregation, DEPRECATED {"CIM_PolicySetComponent"},
Description (
"PolicySetComponent provides a more general mechanism for "
"aggregating both PolicyGroups and PolicyRules and doing so with "
"the priority value applying only to the aggregated set rather "
"than policy wide.\n"
"\n"
"A relationship that aggregates one or more lower-level "
"PolicyGroups into a higher-level Group. A Policy"
"Group may aggregate PolicyRules and/or other Policy"
"Groups.")
]
class CIM_PolicyGroupInPolicyGroup : CIM_PolicyComponent
{
[Override ("GroupComponent"), Aggregate, Description (
"A PolicyGroup that aggregates other Groups.")
]
CIM_PolicyGroup REF GroupComponent;
[Override ("PartComponent"), Description (
"A PolicyGroup aggregated by another Group.")
]
CIM_PolicyGroup REF PartComponent;
};
// ==================================================================
// PolicyRuleInPolicyGroup *** deprecated
// ==================================================================
[Association, Aggregation, DEPRECATED {"CIM_PolicySetComponent"},
Description (
"PolicySetComponent provides a more general mechanism for "
"aggregating both PolicyGroups and PolicyRules and doing so with "
"the priority value applying only to the aggregated set rather "
"than policy wide.\n"
"\n"
"A relationship that aggregates one or more PolicyRules "
"into a PolicyGroup. A PolicyGroup may aggregate "
"PolicyRules and/or other PolicyGroups.")
]
class CIM_PolicyRuleInPolicyGroup : CIM_PolicyComponent
{
[Override ("GroupComponent"), Aggregate, Description (
"A PolicyGroup that aggregates one or more PolicyRules.")
]
CIM_PolicyGroup REF GroupComponent;
[Override ("PartComponent"), Description (
"A PolicyRule aggregated by a PolicyGroup.")
]
CIM_PolicyRule REF PartComponent;
};
// ==================================================================
// PolicyConditionInPolicyRule
// ==================================================================
[Association, Aggregation, Description (
" A PolicyRule aggregates zero or more instances of the "
"PolicyCondition class, via the PolicyConditionInPolicyRule "
"association. A Rule that aggregates zero Conditions is not "
"valid -- it may, however, be in the process of being entered "
"into a PolicyRepository or being defined for a System. Note "
"that a PolicyRule should have no effect until it is valid.\n\n"
" "
"The Conditions aggregated by a PolicyRule are grouped into "
"two levels of lists: either an ORed set of ANDed sets of "
"conditions (DNF, the default) or an ANDed set of ORed sets "
"of conditions (CNF). Individual PolicyConditions in these "
"lists may be negated. The property ConditionListType "
"specifies which of these two grouping schemes applies to a "
"particular PolicyRule.\n\n"
" "
"In either case, PolicyConditions are used to determine "
"whether to perform the PolicyActions associated with the "
"PolicyRule.\n\n"
" "
"One or more PolicyTimePeriodConditions may be among the "
"conditions associated with a PolicyRule via the Policy"
"ConditionInPolicyRule association. In this case, the time "
"periods are simply additional Conditions to be evaluated "
"along with any others that are specified for the Rule. ")
]
class CIM_PolicyConditionInPolicyRule : CIM_PolicyComponent
{
[Override ("GroupComponent"), Aggregate, Description (
"This property represents the PolicyRule that "
"contains one or more PolicyConditions.")
]
CIM_PolicyRule REF GroupComponent;
[Override ("PartComponent"), Description (
"This property holds the name of a PolicyCondition "
"contained by one or more PolicyRules.")
]
CIM_PolicyCondition REF PartComponent;
[Description (
"Unsigned integer indicating the group to which the "
"PolicyCondition identified by the ContainedCondition "
"property belongs. This integer segments the Conditions "
"into the ANDed sets (when the ConditionListType is "
"\"DNF\") or similarly the ORed sets (when the Condition"
"ListType is \"CNF\") that are then evaluated.")
]
uint16 GroupNumber;
[Description (
"Indication of whether the Condition identified by "
"the ContainedCondition property is negated. TRUE "
"indicates that the PolicyCondition IS negated, FALSE "
"indicates that it IS NOT negated.")
]
boolean ConditionNegated;
};
// ==================================================================
// PolicyRuleValidityPeriod
// ==================================================================
[Association, Aggregation, Description (
"The PolicyRuleValidityPeriod aggregation represents "
"scheduled activation and deactivation of a PolicyRule. "
"If a PolicyRule is associated with multiple policy time "
"periods via this association, then the Rule is active if "
"at least one of the time periods indicates that it is "
"active. (In other words, the PolicyTimePeriodConditions "
"are ORed to determine whether the Rule is active.) A Time"
"Period may be aggregated by multiple PolicyRules. A Rule "
"that does not point to a PolicyTimePeriodCondition via this "
"association is, from the point of view of scheduling, "
"always active. It may, however, be inactive for other "
"reasons. For example, the Rule's Enabled property may "
"be set to \"disabled\" (value=2).")
]
class CIM_PolicyRuleValidityPeriod : CIM_PolicyComponent
{
[Override ("GroupComponent"), Aggregate, Description (
"This property contains the name of a PolicyRule that "
"contains one or more PolicyTimePeriodConditions.")
]
CIM_PolicyRule REF GroupComponent;
[Override ("PartComponent"), Description (
"This property contains the name of a "
"PolicyTimePeriodCondition defining the valid time periods "
"for one or more PolicyRules.")
]
CIM_PolicyTimePeriodCondition REF PartComponent;
};
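The grouping semantics of PolicyConditionInPolicyRule (GroupNumber, ConditionNegated and the rule's ConditionListType) and the ORed scheduling semantics of PolicyRuleValidityPeriod are both evaluation rules, so the following added example implements them in Python. It is not part of the draft: ConditionListType is represented here by the strings "DNF" and "CNF" that the descriptions use, the Enabled property is reduced to a flag, and the condition outcomes, time periods and "now" are constructed sample data.

```python
"""Evaluating a PolicyRule's conditions and schedule (added example, not from the draft)."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Sequence, Tuple


class ContainedCondition(NamedTuple):
    group_number: int   # PolicyConditionInPolicyRule.GroupNumber
    negated: bool       # PolicyConditionInPolicyRule.ConditionNegated
    result: bool        # what evaluating the PolicyCondition itself produced


def evaluate_conditions(list_type: str, conditions: Iterable[ContainedCondition]) -> bool:
    """Combine per-condition results according to the rule's ConditionListType."""
    groups: Dict[int, List[bool]] = defaultdict(list)
    for cond in conditions:
        # ConditionNegated = TRUE inverts that one condition's result.
        groups[cond.group_number].append(cond.result != cond.negated)
    if not groups:
        # A Rule aggregating zero Conditions is not valid and has no effect.
        return False
    if list_type == "DNF":
        # ORed set of ANDed sets: some group has every member true.
        return any(all(members) for members in groups.values())
    if list_type == "CNF":
        # ANDed set of ORed sets: every group has some member true.
        return all(any(members) for members in groups.values())
    raise ValueError("unknown ConditionListType: %r" % list_type)


Period = Tuple[datetime, datetime]   # [start, end) of one PolicyTimePeriodCondition


def rule_is_active(periods: Sequence[Period], now: datetime) -> bool:
    """PolicyRuleValidityPeriod: no periods means always active from the
    scheduling point of view; otherwise the aggregated periods are ORed."""
    if not periods:
        return True
    return any(start <= now < end for start, end in periods)


def rule_fires(list_type: str, conditions: Iterable[ContainedCondition],
               periods: Sequence[Period], now: datetime, enabled: bool = True) -> bool:
    """Actions are performed only when the rule is enabled (the Enabled
    property reduced to a flag here), in a valid period, and its conditions hold."""
    return enabled and rule_is_active(periods, now) and evaluate_conditions(list_type, conditions)


# Constructed sample data (not from the draft).
SAMPLE_NOW = datetime(2001, 7, 20, 12, 0)
SAMPLE_PERIODS = [
    (datetime(2001, 7, 20, 0, 0), datetime(2001, 7, 20, 6, 0)),   # night window
    (datetime(2001, 7, 20, 9, 0), datetime(2001, 7, 20, 17, 0)),  # office hours
]
# Group 1: a true condition and a negated false one (both evaluate true);
# group 2: a single false condition.
SAMPLE_CONDITIONS = [
    ContainedCondition(1, False, True),
    ContainedCondition(1, True, False),
    ContainedCondition(2, False, False),
]

if __name__ == "__main__":
    print("DNF:", evaluate_conditions("DNF", SAMPLE_CONDITIONS))   # group 1 is all true
    print("CNF:", evaluate_conditions("CNF", SAMPLE_CONDITIONS))   # group 2 has no true member
    print("active:", rule_is_active(SAMPLE_PERIODS, SAMPLE_NOW))
```

The same three conditions give opposite answers under DNF and CNF, which is why GroupNumber is only meaningful together with the rule's ConditionListType; a rule whose condition list is empty is treated as invalid and never fires, as the association text requires.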
// ==================================================================
// PolicyActionStructure
// ==================================================================
[Association, Aggregation, Abstract, Description (
"PolicyActions may be aggregated into rules and into "
"compound actions. PolicyActionStructure is the abstract "
"aggregation class for the structuring of policy actions.")
]
class CIM_PolicyActionStructure : CIM_PolicyComponent
{
[Override ("GroupComponent"), Aggregate, Description (
"PolicyAction instances may be aggregated into either "
"PolicyRule instances or CompoundPolicyAction instances.")]
CIM_Policy REF GroupComponent;
[Override ("PartComponent"), Description (
"A PolicyAction aggregated by a PolicyRule or "
"CompoundPolicyAction.")]
CIM_PolicyAction REF PartComponent;
[Description (
"ActionOrder is an unsigned integer 'n' that indicates the "
"relative position of a PolicyAction in the sequence of "
"actions associated with a PolicyRule or "
"CompoundPolicyAction. When 'n' is a positive integer, it "
"indicates a place in the sequence of actions to be "
"performed, with smaller integers indicating earlier "
"positions in the sequence. The special value '0' indicates "
"'don't care'. If two or more PolicyActions have the same "
"non-zero sequence number, they may be performed in any "
"order, but they must all be performed at the appropriate "
"place in the overall action sequence.\n"
"\n"
"A series of examples will make ordering of PolicyActions "
"clearer: \n"
" o If all actions have the same sequence number,\n"
" regardless of whether it is '0' or non-zero, any\n"
" order is acceptable.\n"
" o The values: \n"
" 1:ACTION A \n"
" 2:ACTION B \n"
" 1:ACTION C \n"
" 3:ACTION D \n"
" indicate two acceptable orders: A,C,B,D or C,A,B,D,\n"
" since A and C can be performed in either order, but\n"
" only at the '1' position. \n"
" o The values: \n"
" 0:ACTION A \n"
" 2:ACTION B \n"
" 3:ACTION C \n"
" 3:ACTION D \n"
" require that B,C, and D occur either as B,C,D or as\n"
" B,D,C. Action A may appear at any point relative to\n"
" B, C, and D. Thus the complete set of acceptable\n"
" orders is: A,B,C,D; B,A,C,D; B,C,A,D; B,C,D,A; \n"
" A,B,D,C; B,A,D,C; B,D,A,C; B,D,C,A. \n"
"\n"
"Note that the non-zero sequence numbers need not start with "
"'1', and they need not be consecutive. All that matters is "
"their relative magnitude.")]
uint16 ActionOrder;
};
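The ActionOrder rules above (0 is "don't care", equal non-zero values may run in any order but only at that position) and the three ExecutionStrategy values of CompoundPolicyAction defined earlier in this appendix together determine how a compound action runs. The following added Python example, which is not part of the draft, checks candidate orders against those rules, reproduces the draft's two worked orderings, and runs a sequence under each strategy. Action names and their success or failure outcomes are constructed; the "overall result" returned per strategy is this example's own convention, since the MOF only defines when execution stops.

```python
"""Ordering and executing PolicyActions (added example, not from the draft)."""
from itertools import permutations
from typing import Callable, List, Sequence, Tuple

# CompoundPolicyAction.ExecutionStrategy values from the MOF.
DO_UNTIL_SUCCESS, DO_ALL, DO_UNTIL_FAILURE = 1, 2, 3

# (ActionOrder, action name): the ordering rules depend on nothing else.
Action = Tuple[int, str]


def order_is_acceptable(actions: Sequence[Action], candidate: Sequence[str]) -> bool:
    """True if `candidate` is a permutation of `actions` that respects ActionOrder."""
    names = [name for _, name in actions]
    if sorted(candidate) != sorted(names):
        return False
    rank = dict((name, n) for n, name in actions)
    # Drop the "don't care" actions (ActionOrder 0): they may appear anywhere.
    # The remaining sequence numbers must never decrease along the candidate.
    positioned = [rank[name] for name in candidate if rank[name] != 0]
    return all(a <= b for a, b in zip(positioned, positioned[1:]))


def acceptable_orders(actions: Sequence[Action]) -> List[Tuple[str, ...]]:
    """Every acceptable order; brute force is fine for the few actions in a rule."""
    names = [name for _, name in actions]
    return [p for p in permutations(names) if order_is_acceptable(actions, p)]


def sequence_actions(actions: Sequence[Action]) -> List[str]:
    """Pick one acceptable order: a stable sort on ActionOrder, so ties keep
    their given order and "don't care" actions (0) run first."""
    return [name for _, name in sorted(actions, key=lambda a: a[0])]


def execute_compound(actions: Sequence[Action], strategy: int,
                     run: Callable[[str], bool]) -> Tuple[List[str], bool]:
    """Run `actions` in an acceptable order under `strategy`.

    `run(name)` performs one action and returns True on success.  Returns the
    names actually executed and an overall result: for Do Until Success,
    whether some action succeeded; for Do All and Do Until Failure, whether
    every executed action succeeded.
    """
    if strategy not in (DO_UNTIL_SUCCESS, DO_ALL, DO_UNTIL_FAILURE):
        raise ValueError("unknown ExecutionStrategy: %r" % strategy)
    executed: List[str] = []
    outcomes: List[bool] = []
    for name in sequence_actions(actions):
        ok = run(name)
        executed.append(name)
        outcomes.append(ok)
        if strategy == DO_UNTIL_SUCCESS and ok:
            break          # first success ends the compound action
        if strategy == DO_UNTIL_FAILURE and not ok:
            break          # first failure ends the compound action
        # DO_ALL keeps going regardless of individual failures
    if strategy == DO_UNTIL_SUCCESS:
        return executed, any(outcomes)
    return executed, all(outcomes)


if __name__ == "__main__":
    # The draft's second worked example: A is "don't care", B precedes C and D.
    sample = [(0, "A"), (2, "B"), (3, "C"), (3, "D")]
    for order in acceptable_orders(sample):
        print(",".join(order))
    # Constructed outcome: every action succeeds except C.
    print(execute_compound(sample, DO_UNTIL_FAILURE, lambda name: name != "C"))
```

Running the block prints the eight orders the draft lists for its second example and shows that, under Do Until Failure, execution stops at C and D is never attempted.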
// ==================================================================
// PolicyActionInPolicyRule
// ==================================================================
[Association, Aggregation, Description (
" A PolicyRule aggregates zero or more instances of the "
"PolicyAction class, via the PolicyActionInPolicyRule "
"association. A Rule that aggregates zero Actions is not "
"valid--it may, however, be in the process of being entered "
"into a PolicyRepository or being defined for a System. "
"Alternately, the actions of the policy may be explicit in "
"the definition of the PolicyRule. Note that a PolicyRule "
"should have no effect until it is valid.\n\n"
" "
"The Actions associated with a PolicyRule may be given a "
"required order, a recommended order, or no order at all. "
"For Actions represented as separate objects, the "
"PolicyActionInPolicyRule aggregation can be used to express "
"an order."
"\n\n"
"This aggregation does not indicate whether a specified "
"action order is required, recommended, or of no "
"significance; the property SequencedActions in the "
"aggregating instance of PolicyRule provides this "
"indication.")]
class CIM_PolicyActionInPolicyRule : CIM_PolicyActionStructure
{
[Override ("GroupComponent"), Aggregate, Description (
"This property represents the PolicyRule that "
"contains one or more PolicyActions.")
]
CIM_PolicyRule REF GroupComponent;
[Override ("PartComponent"), Description (
"This property holds the name of a PolicyAction "
"contained by one or more PolicyRules.")
]
CIM_PolicyAction REF PartComponent;
};
// ==================================================================
// PolicyActionInPolicyAction
// ==================================================================
[Association, Aggregation, Description (
"PolicyActionInPolicyAction is used to represent the "
"compounding of policy actions into a higher-level policy "
"action.")]
class CIM_PolicyActionInPolicyAction : CIM_PolicyActionStructure
{
[Override ("GroupComponent"), Aggregate, Description (
"This property represents the CompoundPolicyAction that "
"contains one or more PolicyActions.")
]
CIM_CompoundPolicyAction REF GroupComponent;
[Override ("PartComponent"), Description (
"This property holds the name of a PolicyAction "
"contained by one or more CompoundPolicyActions.")
]
CIM_PolicyAction REF PartComponent;
};
// ==================================================================
// PolicyContainerInPolicyContainer
// ==================================================================
[Association, Aggregation, Description (
"A relationship that aggregates one or more lower-level "
"ReusablePolicyContainer instances into a higher-level "
"ReusablePolicyContainer.")
]
class CIM_PolicyContainerInPolicyContainer: CIM_SystemComponent
{
[Override ("GroupComponent"), Aggregate, Description (
"A ReusablePolicyContainer that aggregates other "
"ReusablePolicyContainers.")
]
CIM_ReusablePolicyContainer REF GroupComponent;
[Override ("PartComponent"), Description (
"A ReusablePolicyContainer aggregated by another "
"ReusablePolicyContainer.")
]
CIM_ReusablePolicyContainer REF PartComponent;
};
// ==================================================================
// PolicyRepositoryInPolicyRepository *** deprecated
// ==================================================================
[Association, Aggregation,
DEPRECATED {"CIM_PolicyContainerInPolicyContainer"},
Description (
"The term 'PolicyRepository' has been confusing to both "
"developers and users of the model. The replacement class "
"name describes the model element properly and is less likely "
"to be confused with a data repository. ContainedDomain is a "
"general purpose mechanism for expressing domain hierarchy."
"\n\n"
"A relationship that aggregates one or more lower-level "
"PolicyRepositories into a higher-level Repository.")
]
class CIM_PolicyRepositoryInPolicyRepository : CIM_SystemComponent
{
[Override ("GroupComponent"), Aggregate, Description (
"A PolicyRepository that aggregates other Repositories.")
]
CIM_PolicyRepository REF GroupComponent;
[Override ("PartComponent"), Description (
"A PolicyRepository aggregated by another Repository.")
]
CIM_PolicyRepository REF PartComponent;
};
// ==================================================================
// ReusablePolicy
// ==================================================================
[Association, Description (
"The ReusablePolicy association provides for the reuse of any "
"subclass of Policy in a ReusablePolicyContainer.")
]
class CIM_ReusablePolicy : CIM_PolicyInSystem
{
[Override ("Antecedent"), Max(1), Description (
"This property identifies a ReusablePolicyContainer that "
"provides the administrative scope for the reuse of the "
"referenced policy element.")
]
CIM_ReusablePolicyContainer REF Antecedent;
[Override ("Dependent"), Description (
"A reusable policy element.")
]
CIM_Policy REF Dependent;
};
// ==================================================================
// PolicyConditionInPolicyRepository *** deprecated
// ==================================================================
[Association, DEPRECATED {"CIM_ReusablePolicy"},
Description (
"The ReusablePolicy association is a more general relationship "
"that incorporates both Conditions and Actions as well as any "
"other policy subclass.\n"
"\n"
"A class representing the hosting of reusable "
"PolicyConditions by a PolicyRepository. A reusable Policy"
"Condition is always related to a single PolicyRepository, "
"via this association.\n\n"
" "
"Note that an instance of PolicyCondition can be either "
"reusable or rule-specific. When the Condition is rule-"
"specific, it shall not be related to any "
"PolicyRepository via the PolicyConditionInPolicyRepository "
"association.")
]
class CIM_PolicyConditionInPolicyRepository : CIM_PolicyInSystem
{
[Override ("Antecedent"), Max(1), Description (
"This property identifies a PolicyRepository "
"hosting one or more PolicyConditions. A reusable "
"PolicyCondition is always related to exactly one "
"PolicyRepository via the PolicyConditionInPolicyRepository "
"association. The [0..1] cardinality for this property "
"covers the two types of PolicyConditions: 0 for a "
"rule-specific PolicyCondition, 1 for a reusable one.")
]
CIM_PolicyRepository REF Antecedent;
[Override ("Dependent"), Description (
"This property holds the name of a PolicyCondition "
"hosted in the PolicyRepository. ")
]
CIM_PolicyCondition REF Dependent;
};
// ==================================================================
// PolicyActionInPolicyRepository *** deprecated
// ==================================================================
[Association, DEPRECATED {"CIM_ReusablePolicy"},
Description (
"The ReusablePolicy association is a more general relationship "
"that incorporates both Conditions and Actions as well as any "
"other policy subclass.\n"
"\n"
"A class representing the hosting of reusable "
"PolicyActions by a PolicyRepository. A reusable Policy"
"Action is always related to a single PolicyRepository, "
"via this association.\n\n"
" "
"Note that an instance of PolicyAction can be either "
"reusable or rule-specific. When the Action is rule-"
"specific, it shall not be related to any "
"PolicyRepository via the PolicyActionInPolicyRepository "
"association.")
]
class CIM_PolicyActionInPolicyRepository : CIM_PolicyInSystem
{
[Override ("Antecedent"), Max(1), Description (
"This property represents a PolicyRepository "
"hosting one or more PolicyActions. A reusable "
"PolicyAction is always related to exactly one "
"PolicyRepository via the PolicyActionInPolicyRepository "
"association. The [0..1] cardinality for this property "
"covers the two types of PolicyActions: 0 for a "
"rule-specific PolicyAction, 1 for a reusable one.")
]
CIM_PolicyRepository REF Antecedent;
[Override ("Dependent"), Description (
"This property holds the name of a PolicyAction "
"hosted in the PolicyRepository. ")
]
CIM_PolicyAction REF Dependent;
};