Internet Engineering Task Force                          Jamie Jason
   INTERNET DRAFT                                     Intel Corporation
   1-March-2001
   20-July-2001                                             Lee Rafalow
                                                                    IBM
                                                            Eric Vyncke
                                                          Cisco Systems

                     IPsec Configuration Policy Model
                draft-ietf-ipsp-config-policy-model-02.txt
                draft-ietf-ipsp-config-policy-model-03.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
         http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
         http://www.ietf.org/shadow.html.

Abstract

   This document presents an object-oriented model of IPsec policy
   designed to:
   o    facilitate agreement about the content and semantics of IPsec
        policy
   o    enable derivations of task-specific representations of IPsec
        policy such as storage schema, distribution representations,
        and policy specification languages used to configure IPsec-
        enabled endpoints
   The schema described in this document models the IKE phase one
   parameters as described in [IKE] and the IKE phase two parameters
   for the IPsec Domain of Interpretation as described in [COMP, ESP,
   AH, DOI].  It is based upon the core policy classes as defined in
   the Policy Core Information Model (PCIM) [PCIM].

Table of Contents

   Status of this Memo................................................1
   Abstract...........................................................1
   Table of Contents..................................................2
   1. Introduction....................................................7
   2. UML Conventions.................................................7
   3. IPsec Policy Model Inheritance Hierarchy........................8
   4. Policy Classes.................................................13
   4.1. The Class IPsecPolicyGroup...................................14
   4.2. The Class SARule.............................................14 SARule.............................................15
   4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
   RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
   PolicyDecisionStrategy............................................15
   4.2.2 The Property ExecutionStrategy.............................15
   4.2.3  The Property LimitNegotiation..............................14 LimitNegotiation..............................17
   4.3. The Class IKERule............................................15 IKERule............................................18
   4.3.1. The Property IdentityContexts..............................15 IdentityContexts..............................18
   4.4. The Class IPsecRule..........................................16
   4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup..........16
   4.5.1. The Reference GroupComponent...............................17
   4.5.2. The Reference PartComponent................................17
   4.5.3. The Property GroupPriority.................................17 IPsecRule..........................................19
   4.6. The Association Class IPsecPolicyForEndpoint.................17 IPsecPolicyForEndpoint.................19
   4.6.1. The Reference Antecedent...................................18 Antecedent...................................19
   4.6.2. The Reference Dependent....................................18 Dependent....................................19
   4.7. The Association Class IPsecPolicyForSystem...................18 IPsecPolicyForSystem...................20
   4.7.1. The Reference Antecedent...................................18 Antecedent...................................20
   4.7.2. The Reference Dependent....................................18 Dependent....................................20
   4.8. The Aggregation Class RuleForIKENegotiation..................19 RuleForIKENegotiation..................20
   4.8.1. The Reference GroupComponent...............................19 Property Priority......................................20
   4.8.2. The Reference PartComponent................................19 GroupComponent...............................20
   4.8.3. The Reference PartComponent................................21
   4.9. The Aggregation Class RuleForIPsecNegotiation................19 RuleForIPsecNegotiation................21
   4.9.1. The Reference GroupComponent...............................19 Property Priority......................................21
   4.9.2. The Reference PartComponent................................20 GroupComponent...............................21
   4.9.3. The Reference PartComponent................................21
   4.10. The Aggregation Class SAConditionInRule.....................20 SAConditionInRule.....................21
   4.10.1. The Reference GroupComponent..............................20 Properties GroupNumber and ConditionNegated...........22
   4.10.2. The Reference PartComponent...............................20 GroupComponent..............................22
   4.10.3. The Reference PartComponent...............................22
   4.11. The Aggregation Class SAActionInRule........................20 PolicyActionInSARule..................22
   4.11.1. The Reference GroupComponent..............................21 GroupComponent..............................22
   4.11.2. The Reference PartComponent...............................21 PartComponent...............................23
   4.11.3. The Property ActionOrder..................................21 ActionOrder..................................23
   5. Condition and Filter Classes...................................22 Classes...................................24
   5.1. The Class SACondition........................................22 SACondition........................................24
   5.2. The Class FilterEntry........................................23 IPHeaderFilter.....................................25
   5.3. The Class CredentialFilterEntry..............................23 CredentialFilterEntry..............................25
   5.3.1. The Property MatchFieldName................................24 MatchFieldName................................25
   5.3.2. The Property MatchFieldValue...............................24 MatchFieldValue...............................26
   5.3.3. The Property CredentialType................................24 CredentialType................................26
   5.4. The Class IPSOFilterEntry....................................24 IPSOFilterEntry....................................26
   5.4.1. The Property MatchConditionType............................25 MatchConditionType............................27
   5.4.2. The Property MatchConditionValue...........................25 MatchConditionValue...........................27
   5.5. The Class PeerIDPayloadFilterEntry...........................25 PeerIDPayloadFilterEntry...........................27
   5.5.1. The Property MatchIdentityType.............................26 MatchIdentityType.............................28
   5.5.2. The Property MatchIdentityValue............................26 MatchIdentityValue............................28
   5.6. The Association Class FilterOfSACondition....................27 FilterOfSACondition....................29
   5.6.1. The Reference Antecedent...................................27 Antecedent...................................29
   5.6.2. The Reference Dependent....................................27 Dependent....................................29
   5.7. The Association Class AcceptCredentialFrom...................27 AcceptCredentialFrom...................29
   5.7.1. The Reference Antecedent...................................28 Antecedent...................................30
   5.7.2. The Reference Dependent....................................28 Dependent....................................30
   6. Action Classes.................................................29 Classes.................................................31
   6.1. The Class SAAction...........................................30 SAAction...........................................32
   6.1.1. The Property DoActionLogging...............................30 DoActionLogging...............................32
   6.1.2. The Property DoPacketLogging...............................30 DoPacketLogging...............................32
   6.2. The Class SAStaticAction.....................................31 SAStaticAction.....................................33
   6.2.1. The Property LifetimeSeconds...............................31 LifetimeSeconds...............................33
   6.3. The Class IPsecBypassAction..................................31 IPsecBypassAction..................................34
   6.4. The Class IPsecDiscardAction.................................31 IPsecDiscardAction.................................34
   6.5. The Class IKERejectAction....................................32 IKERejectAction....................................34
   6.6. The Class PreconfiguredSAAction..............................32 PreconfiguredSAAction..............................34
   6.6.1. The Property LifetimeKilobytes.............................33 LifetimeKilobytes.............................35
   6.7. The Class PreconfiguredTransportAction.......................33 PreconfiguredTransportAction.......................35
   6.8. The Class PreconfiguredTunnelAction..........................33 PreconfiguredTunnelAction..........................36
   6.8.1. The Property PeerGatewayAddressType........................33
   6.8.2. The Property PeerGatewayAddress............................34
   6.8.3. The Property DFHandling....................................34 DFHandling....................................36
   6.9. The Class SANegotiationAction................................34 SANegotiationAction................................36
   6.9.1. The Property MinLifetimeSeconds............................35 MinLifetimeSeconds............................37
   6.9.2. The Property MinLifetimeKilobytes..........................35 MinLifetimeKilobytes..........................37
   6.9.3. The Property RefreshThresholdSeconds.......................35 RefreshThresholdSeconds.......................37
   6.9.4. The Property RefreshThresholdKilobytes.....................36 RefreshThresholdKilobytes.....................38
   6.9.5. The Property IdleDurationSeconds...........................36 IdleDurationSeconds...........................38
   6.10. The Class IPsecAction.......................................36 IPsecAction.......................................38
   6.10.1. The Property UsePFS.......................................37 UsePFS.......................................39
   6.10.2. The Property UseIKEGroup..................................37 UseIKEGroup..................................39
   6.10.3. The Property GroupId......................................37 GroupId......................................39
   6.10.4. The Property Granularity..................................38 Granularity..................................40
   6.10.5. The Property VendorID.....................................38 VendorID.....................................40
   6.11. The Class IPsecTransportAction..............................38 IPsecTransportAction..............................40
   6.12. The Class IPsecTunnelAction.................................38 IPsecTunnelAction.................................40
   6.12.1. The Property DFHandling...................................39 DFHandling...................................41
   6.13. The Class IKEAction.........................................39 IKEAction.........................................41
   6.13.1. The Property RefreshThresholdDerivedKeys..................39 RefreshThresholdDerivedKeys..................41
   6.13.2. The Property ExchangeMode.................................40 ExchangeMode.................................42
   6.13.3. The Property UseIKEIdentityType...........................40 UseIKEIdentityType...........................42
   6.13.4. The Property VendorID.....................................40 VendorID.....................................42
   6.13.5. The Property AggressiveModeGroupId........................41 AggressiveModeGroupId........................42
   6.14. The Class PeerGateway.......................................41 PeerGateway.......................................43
   6.14.1. The Property Name.........................................41 Name.........................................43
   6.14.2. The Property PeerIdentityType.............................41 PeerIdentityType.............................43
   6.14.3. The Property PeerIdentity.................................42 PeerIdentity.................................44
   6.15. The Association Class PeerGatewayForTunnel..................42 PeerGatewayForTunnel..................44
   6.15.1. The Reference Antecedent..................................42 Antecedent..................................44
   6.15.2. The Reference Dependent...................................43 Dependent...................................44
   6.15.3. The Property SequenceNumber...............................43 SequenceNumber...............................45
   6.16. The Aggregation Class ContainedProposal.....................43 ContainedProposal.....................45
   6.16.1. The Reference GroupComponent..............................43 GroupComponent..............................45
   6.16.2. The Reference PartComponent...............................44 PartComponent...............................45
   6.16.3. The Property SequenceNumber...............................44 SequenceNumber...............................45
   6.17. The Association Class HostedPeerGatewayInformation..........44 HostedPeerGatewayInformation..........46
   6.17.1. The Reference Antecedent..................................44 Antecedent..................................46
   6.17.2. The Reference Dependent...................................44 Dependent...................................46
   6.18. The Association Class TransformOfPreconfiguredAction........44 TransformOfPreconfiguredAction........46
   6.18.1. The Reference Antecedent..................................45 Antecedent..................................47
   6.18.2. The Reference Dependent...................................45 Dependent...................................47
   6.18.3. The Property SPI..........................................45 SPI..........................................47
   6.18.4. The Property Direction....................................47
   6.19 The Association Class PeerGatewayForPreconfiguredTunnel......47
   6.19.1. The Reference Antecedent..................................48
   6.19.2. The Reference Dependent...................................48
   7. Proposal and Transform Classes.................................46 Classes.................................49
   7.1. The Abstract Class SAProposal................................46 SAProposal................................49
   7.1.1. The Property Name..........................................46 Name..........................................49
   7.2. The Class IKEProposal........................................47 IKEProposal........................................50
   7.2.1. The Property LifetimeDerivedKeys...........................47 LifetimeDerivedKeys...........................50
   7.2.2. The Property CipherAlgorithm...............................47 CipherAlgorithm...............................50
   7.2.3. The Property HashAlgorithm.................................48 HashAlgorithm.................................51
   7.2.4. The Property PRFAlgorithm..................................48 PRFAlgorithm..................................51
   7.2.5. The Property GroupId.......................................48 GroupId.......................................51
   7.2.6. The Property AuthenticationMethod..........................48 AuthenticationMethod..........................51
   7.2.7. The Property MaxLifetimeSeconds............................49 MaxLifetimeSeconds............................52
   7.2.8. The Property MaxLifetimeKilobytes..........................49 MaxLifetimeKilobytes..........................52
   7.2.9. The Property VendorID......................................49 VendorID......................................52
   7.3. The Class IPsecProposal......................................49 IPsecProposal......................................52
   7.4. The Abstract Class SATransform...............................50 SATransform...............................53
   7.4.1. The Property TransformName.................................50 TransformName.................................53
   7.4.2. The Property VendorID......................................50 VendorID......................................53
   7.4.3. The Property MaxLifetimeSeconds............................50 MaxLifetimeSeconds............................53
   7.4.4. The Property MaxLifetimeKilobytes..........................51 MaxLifetimeKilobytes..........................54
   7.5. The Class AHTransform........................................51 AHTransform........................................54
   7.5.1. The Property AHTransformId.................................51 AHTransformId.................................54
   7.5.2. The Property UseReplayPrevention...........................51 UseReplayPrevention...........................54
   7.5.3. The Property ReplayPreventionWindowSize....................52 ReplayPreventionWindowSize....................55
   7.6. The Class ESPTransform.......................................52 ESPTransform.......................................55
   7.6.1. The Property IntegrityTransformId..........................52 IntegrityTransformId..........................55
   7.6.2. The Property CipherTransformId.............................52 CipherTransformId.............................55
   7.6.3. The Property CipherKeyLength...............................53 CipherKeyLength...............................56
   7.6.4. The Property CipherKeyRounds...............................53 CipherKeyRounds...............................56
   7.6.5. The Property UseReplayPrevention...........................53 UseReplayPrevention...........................56
   7.6.6. The Property ReplayPreventionWindowSize....................53 ReplayPreventionWindowSize....................56
   7.7. The Class IPCOMPTransform....................................54 IPCOMPTransform....................................57
   7.7.1. The Property Algorithm.....................................54 Algorithm.....................................57
   7.7.2. The Property DictionarySize................................54 DictionarySize................................57
   7.7.3. The Property PrivateAlgorithm..............................54 PrivateAlgorithm..............................57
   7.8. The Association Class SAProposalInSystem.....................54 SAProposalInSystem.....................57
   7.8.1. The Reference Antecedent...................................55 Antecedent...................................58
   7.8.2. The Reference Dependent....................................55 Dependent....................................58
   7.9. The Aggregation Class ContainedTransform.....................55 ContainedTransform.....................58
   7.9.1. The Reference GroupComponent...............................55 GroupComponent...............................58
   7.9.2. The Reference PartComponent................................56 PartComponent................................59
   7.9.3. The Property SequenceNumber................................56 SequenceNumber................................59
   7.10. The Association Class SATransformInSystem...................56 SATransformInSystem...................59
   7.10.1. The Reference Antecedent..................................56 Antecedent..................................59
   7.10.2. The Reference Dependent...................................56 Dependent...................................59
   8. IKE Service and Identity Classes...............................58 Classes...............................61
   8.1. The Class IKEService.........................................59 IKEService.........................................62
   8.2. The Class PeerIdentityTable..................................59 PeerIdentityTable..................................62
   8.3.1. The Property Name..........................................59 Name..........................................62
   8.3. The Class PeerIdentityEntry..................................60 PeerIdentityEntry..................................63
   8.3.1. The Property PeerIdentity..................................60 PeerIdentity..................................63
   8.3.2. The Property PeerIdentityType..............................60 PeerIdentityType..............................63
   8.3.3. The Property PeerAddress...................................60 PeerAddress...................................63
   8.3.4. The Property PeerAddressType...............................60 PeerAddressType...............................63
   8.4. The Class AutostartIKEConfiguration..........................61 AutostartIKEConfiguration..........................64
   8.5. The Class AutostartIKESetting................................61 AutostartIKESetting................................64
   8.5.1. The Property Phase1Only....................................61 Phase1Only....................................64
   8.5.2. The Property AddressType...................................62 AddressType...................................65
   8.5.3. The Property SourceAddress.................................62 SourceAddress.................................65
   8.5.4. The Property SourcePort....................................62 SourcePort....................................65
   8.5.5. The Property DestinationAddress............................62 DestinationAddress............................65
   8.5.6. The Property DestinationPort...............................63 DestinationPort...............................66
   8.5.7. The Property Protocol......................................63 Protocol......................................66
   8.6. The Class IKEIdentity........................................63 IKEIdentity........................................66
   8.6.1. The Property IdentityType..................................64 IdentityType..................................67
   8.6.2. The Property IdentityValue.................................64 IdentityValue.................................67
   8.6.3. The Property IdentityContexts..............................64 IdentityContexts..............................67
   8.7. The Association Class HostedPeerIdentityTable................65 HostedPeerIdentityTable................68
   8.7.1. The Reference Antecedent...................................65 Antecedent...................................68
   8.7.2. The Reference Dependent....................................65 Dependent....................................68
   8.8. The Aggregation Class PeerIdentityMember.....................65 PeerIdentityMember.....................68
   8.8.1. The Reference Collection...................................65 Collection...................................68
   8.8.2. The Reference Member.......................................66 Member.......................................69
   8.9. The Association Class IKEServicePeerGateway..................66 IKEServicePeerGateway..................69
   8.9.1. The Reference Antecedent...................................66 Antecedent...................................69
   8.9.2. The Reference Dependent....................................66 Dependent....................................69
   8.10. The Association Class IKEServicePeerIdentityTable...........66 IKEServicePeerIdentityTable...........69
   8.10.1. The Reference Antecedent..................................67 Antecedent..................................70
   8.10.2. The Reference Dependent...................................67 Dependent...................................70
   8.11. The Association Class IKEAutostartSetting...................67 IKEAutostartSetting...................70
   8.11.1. The Reference Element.....................................67 Element.....................................70
   8.11.2. The Reference Setting.....................................67 Setting.....................................70
   8.12. The Aggregation Class AutostartIKESettingContext............67 AutostartIKESettingContext............70
   8.12.1. The Reference Context.....................................68 Context.....................................71
   8.12.2. The Reference Setting.....................................68 Setting.....................................71
   8.12.3. The Property SequenceNumber...............................68 SequenceNumber...............................71
   8.13. The Association Class IKEServiceForEndpoint.................68 IKEServiceForEndpoint.................71
   8.13.1. The Reference Antecedent..................................69 Antecedent..................................72
   8.13.2. The Reference Dependent...................................69 Dependent...................................72
   8.14. The Association Class IKEAutostartConfiguration.............69 IKEAutostartConfiguration.............72
   8.14.1. The Reference Antecedent..................................69 Antecedent..................................72
   8.14.2. The Reference Dependent...................................69 Dependent...................................72
   8.14.3. The Property Active.......................................69 Active.......................................72
   8.15. The Association Class IKEUsesCredentialManagementService....70 IKEUsesCredentialManagementService....73
   8.15.1. The Reference Antecedent..................................70 Antecedent..................................73
   8.15.2. The Reference Dependent...................................70 Dependent...................................73
   8.16. The Association Class EndpointHasLocalIKEIdentity...........70 EndpointHasLocalIKEIdentity...........73
   8.16.1. The Reference Antecedent..................................71 Antecedent..................................74
   8.16.2. The Reference Dependent...................................71 Dependent...................................74
   8.17. The Association Class CollectionHasLocalIKEIdentity.........71 CollectionHasLocalIKEIdentity.........74
   8.17.1. The Reference Antecedent..................................71 Antecedent..................................74
   8.17.2. The Reference Dependent...................................71 Dependent...................................74
   8.18. The Association Class IKEIdentitysCredential................72 IKEIdentitysCredential................75
   8.18.1. The Reference Antecedent..................................72 Antecedent..................................75
   8.18.2. The Reference Dependent...................................72 Dependent...................................75
   9. Security Considerations........................................72 Implementation Requirements....................................75
   10. Intellectual Property.........................................72 Security Considerations.......................................79
   11. Acknowledgments...............................................73 Intellectual Property.........................................80
   12. References....................................................73 Acknowledgments...............................................80
   13. Disclaimer....................................................74 References....................................................80
   14. Authors' Addresses............................................74 Disclaimer....................................................81
   15. Authors' Addresses............................................81
   16. Full Copyright Statement......................................74 Statement......................................82
   Appendix A (DMTF Core Model MOF)..................................75 MOF)..................................82
   Appendix B (DMTF User Model MOF)..................................90 MOF)..................................97
   Appendix C (DMTF Network Model MOF)..............................105 MOF)..............................112
   Appendix D (DMTF Policy Model MOF)...............................121

1. Introduction

   Internet Protocol security (IPsec) policy may assume a variety of
   forms as it travels from storage to distribution point to decision
   point.  At each step, it needs to be represented in a way that is
   convenient for the current task.  For example, the policy could
   exist as, but is not limited to:

   o   a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
       a directory
   o   an on-the-wire representation over a transport protocol like the
       Common Object Policy Service (COPS) [COPS, COPSPR]
   o   a text-based policy specification language [SPSL] suitable for editing
       by an administrator
   o   an Extensible Markup Language (XML) document

   Each of these task-specific representations should be derived from a
   canonical representation that precisely specifies the content and
   semantics of the IPsec policy.  The purpose of this document is to
   abstract IPsec policy into a task-independent representation that is
   not constrained by any particular task-dependent representation.

   This document is organized as follows:

   o   Section 2 provides a quick introduction to the Unified Modeling
       Language (UML) graphical notation conventions used in this
       document.

   o   Section 3 provides the inheritance hierarchy that describes
       where the IPsec policy classes fit into the policy class
       hierarchy already defined by the Policy Core Information Model
       (PCIM).

   o   The remainder of the document   Sections 4 through 8 describes the classes class that make up the IPsec
       policy model.

   o   Section 9 presents the implementation requirements for the
       classes in the model (i.e., the MUST/MAY/SHOULD status).

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

   For this document, a UML static class diagram was chosen as the
   canonical representation for the IPsec policy model.  The reason
   behind this decision is that UML provides a graphical, task-
   independent way to model systems.  A treatise on the graphical
   notation used in UML is beyond the scope of this paper.  However,
   given the use of ASCII drawing for UML static class diagrams, a
   description of the notational conventions used in this document is
   in order:

   o   Boxes represent classes, with class names in brackets ([])
       representing an abstract class.
   o   A line that terminates with an arrow (<, >, ^, v) denotes
       inheritance.  The arrow always points to the parent class.
       Inheritance can also be called generalization or specialization
       (depending upon the reference point).  A base class is a
       generalization of a derived class, and a derived class is a
       specialization of a base class.
   o   Associations are used to model a relationship between two
       classes.  Classes that share an association are connected using
       a line.  A special kind of association is also used:  an
       aggregation.  An aggregation models a whole-part relationship
       between two classes.  Associations, and therefore aggregations,
       can also be modeled as classes.
   o   A line that begins with an "o" denotes aggregation.  Aggregation
       denotes containment in which the contained class and the
       containing class have independent lifetimes.
   o   Next to a line representing an association appears a
       cardinality.  Cardinalities indicate the constraints on the
       number of object instances in a set of relationships.  Every
       association instance has a single set of references.  The
       cardinality indicates the number of instances that may refer to
       a given object instance.  The cardinality may be:
       - a range in the form "lower bound..upper bound" indicating the
       minimum and maximum number of objects.
       - a number that indicates the exact number of objects.
       - an asterisk indicating any number of objects, including zero.
       Using an asterisk is shorthand for 0..n.
       - the letter n indicating from 1 to many.  Using the letter n is
       shorthand for 1..n.
   o   A class that has an association may have a "w" next to the line
       representing the association.  This is called a weak association
       and is discussed in [PCIM].

   It should be noted that the UML static class diagram presented is a
   conceptual view of IPsec policy designed to aid in understanding.
   It does not necessarily get translated class for class into another
   representation.  For example, an LDAP implementation may flatten out
   the representation to fewer classes (because of the inefficiency of
   following references).

3. IPsec Policy Model Inheritance Hierarchy

   Like PCIM from which it is derived, the IPsec Configuration Policy
   Model derives from and uses classes defined in the DMTF Common
   Information Model (CIM).  The following tree represents the
   inheritance hierarchy for the IPsec policy model classes and how
   they fit into PCIM and the other DMTF models (see Appendices for
   descriptions of classes that are not being introduced as part of
   IPsec model).  CIM classes that are not used as a superclass from
   which to derive new classes but are only referenced are not included
   this inheritance hierarchy, but are included in the appropriate
   appendix.

   ManagedElement (DMTF Core Model - Appendix A)
   |
   +--Collection (DMTF Core Model - Appendix A)
   |  |
   |  +--PeerIdentityTable
   |
   +--ManagedSystemElement (DMTF Core Model - Appendix A)
   |  |
   |  +--LogicalElement (DMTF Core Model - Appendix A)
   |     |
   |     +--FilterEntryBase (DMTF Network Model - Appendix C)
   |     |  |
   |     |  +--CredentialFilterEntry
   |     |  |
   |     |  +--IPHeaderFilter (DMTF Network Model - Appendix C)
   |     |  |
   |     |  +--IPSOFilterEntry
   |     |  |
   |     |  +--PeerIDPayloadFilterEntry
   |     |
   |     +--PeerGateway
   |     |
   |     +--PeerIdentityEntry
   |     |
   |     +--Service (DMTF Core Model - Appendix A)
   |        |
   |        +--NetworkService (DMTF Network Model - Appendix C)
   |           |
   |           +--IKEService
   |
   +--OrganizationalEntity (DMTF User Model - Appendix B)
   |  |
   |  +--UserEntity (DMTF User Model - Appendix B)
   |     |
   |     +--UsersAccess (DMTF User Model - Appendix B)
   |        |
   |        +--IKEIdentity
   |
   +--Policy (PCIM)
   |  |
   |  +--PolicyAction (PCIM)
   |  |  |
   |  |  +--CompoundPolicyAction (DMTF Policy Model - Appendix D)
   |  |  |
   |  |  +--SAAction
   |  |     |
   |  |     +--SANegotiationAction
   |  |     |  |
   |  |     |  +--IKEAction
   |  |     |  |
   |  |     |  +--IPsecAction
   |  |     |     |
   |  |     |     +--IPsecTransportAction
   |  |     |     |
   |  |     |     +--IPsecTunnelAction
   |  |     |
   |  |     +--SAStaticAction
   |  |        |
   |  |        +--IKERejectAction
   |  |        |
   |  |        +--IPsecBypassAction
   |  |        |
   |  |        +--IPsecDiscardAction
   |  |        |
   |  |        +--PreconfiguredSAAction
   |  |           |
   |  |           +--PreconfiguredTransportAction
   |  |           |
   |  |           +--PreconfiguredTunnelAction
   |  |
   |  +--PolicyCondition (PCIM)
   |  |  |
   |  |  +--SACondition
   |  |
   |  +--PolicySet (DMTF Policy Model - Appendix D)
   |  |  |
   |  |  +--PolicyGroup (PCIM)
   |  |  |  |
   |  |  |  +--IPsecPolicyGroup
   |  |  |
   |  |  +--PolicyRule (PCIM)
   |  |     |
   |  |     +--SARule
   |  |        |
   |  |        +--IKERule
   |  |        |
   |  |        +--IPsecRule
   |  |
   |  +--SAProposal
   |  |  |
   |  |  +--IKEProposal
   |  |  |
   |  |  +--IPsecProposal
   |  |
   |  +--SATransform
   |     |
   |     +--AHTransform
   |     |
   |     +--ESPTransform
   |     |
   |     +--IPCOMPTransform
   |
   +--Setting (DMTF Core Model - Appendix A)
   |  |
   |  +--SystemSetting (DMTF Core Model - Appendix A)
   |     |
   |     +--AutostartIKESetting
   |
   +--SystemConfiguration (DMTF Core Model - Appendix A)
      |
      +--AutostartIKEConfiguration

   The following tree represents the inheritance hierarchy of the IPsec
   policy model association classes and how they fit into PCIM and the
   other DMTF models (see Appendices for description of associations
   classes that are not being introduced as part of IPsec model).

   Dependency (DMTF Core Model - Appendix A)
   |
   +--AcceptCredentialsFrom
   |
   +--ElementAsUser (DMTF User Model - Appendix B)
   |  |
   |  +--EndpointHasLocalIKEIdentity
   |  |
   |  +--CollectionHasLocalIKEIdentity
   |
   +--FilterOfSACondition
   |
   +--HostedPeerGatewayInformation
   |
   +--HostedPeerIdentityTable
   |
   +--IKEAutostartConfiguration
   |
   +--IKEServiceForEndpoint
   |
   +--IKEServicePeerGateway
   |
   +--IKEServicePeerIdentityTable
   |
   +--IKEUsesCredentialManagementService
   |
   +--IPsecPolicyForEndpoint
   |
   +--PeerGatewayForTunnel
   |
   +--PolicyInSystem (PCIM)
   +--IPsecPolicyForSystem
   |
   +--PeerGatewayForPreconfiguredTunnel
   |
   +--PeerGatewayForTunnel
   |  +--PolicyGroupInSystem
   +--PolicyInSystem (PCIM)
   |  |
   |  +--SAProposalInSystem
   |  |
   |  +--SATransformInSystem
   |
   +--IPsecPolicyForSystem
   |
   +--TransformOfPreconfiguredAction
   |
   +--UsersCredential (DMTF User Model - Appendix B)
      |
      +--IKEIdentitysCredential

   ElementSetting (DMTF Core Model - Appendix A)
   |
   +--IKEAutostartSetting

   MemberOfCollection (DMTF Core Model - Appendix A)
   |
   +--PeerIdentityMember

   PolicyComponent (PCIM)
   |
   +--ContainedProposal
   |
   +--ContainedTransform
   |
   +--PolicyActionInPolicyRule (PCIM)
   |  |
   |  +--SAActionInRule  +--PolicyActionInSARule
   |
   +--PolicyConditionInPolicyRule (PCIM)
   |  |
   |  +--SAConditionInRule
   |
   +--PolicyGroupInPolicyGroup (PCIM)
   |  |
   |  +--IPsecPolicyGroupInPolicyGroup
   |
   +--PolicyRuleInPolicyGroup
   +--PolicySetComponent (DMTF Policy Model - Appendix D)
      |
      +--RuleForIKENegotiation
      |
      +--RuleForIPsecNegotiation

   SystemSettingContext (DMTF Core Model - Appendix A)
   |
   +--AutostartIKESettingContext

4. Policy Classes

   The IPsec policy classes represent the set of policies that are
   contained on a system.

                                  +--------------+
                                  |  PolicySet   |*
                                  | (Appendix D) |o--+
                                  +--------------+   |
                                        ^    *|      |(a)
                                        |     +------+
                                        |
     +--------------------+       +-------------+
     | IPProtocolEndpoint |       | PolicyGroup |
     |    (Appendix C)    |
                         +--------------------+       | *  ([PCIM])   |
                        (a)
     +--------------------+       +-------------+
              |*                        ^
              +-----------------+       | (b)
                     +------+
                                |(b)    |
                                |      |*       | 0..1
                                |0..1   |   *+------------------+0..1
                          +------------------+0..1 (c)  *+------------+
                     +---o|
                          | IPsecPolicyGroup |-----------|   System   |
                          +------------------+           |(Appendix A)|
                            1 o          o 1             +------------+
                (d)           |          |         (e)
      +-----------------------+          +---------------------+          +--------------------------+
      |                                                             |
      |               +---------------------------+                 |
      |               | PolicyTimePeriodCondition |                 |
      |               |       (see [PCIM])         ([PCIM])          |                 |
      |               +---------------------------+                 |
      |                           *|                                |
      |                            | (f)                            |(f)                             |
      |                           *o                                |
      |  +-------------+n     *+--------+*      n+----------+      n+--------------+   |
      |  | SACondition |------o| SARule |o-------| SAAction PolicyAction |   |
      |  +-------------+ (g)   +--------+    (h) +----------+ |   ([PCIM])   |   |
      |                            ^             +--------------+   |
      |                            |               *|        ^      |
      |                            |                |(i)     |      |
      |                            |               *o        |      |
      |          +-----------------+       +----------------------+ |
      |          |                 |       | CompoundPolicyAction | |
      |          |                 |       |     (Appendix D)     |                   +--------+--------+ |
      |          |                 |       +----------------------+ |
      |    *+---------+     +-----------+*                          |
      +---------------|
      +-----| IKERule |     | IPsecRule |------------+ |---------------------------+
            +---------+     +-----------+

   (a)  IPsecPolicyGroupInPolicyGroup  PolicySetComponent (Appendix D)
   (b)  IPsecPolicyForEndpoint
   (c)  IPsecPolicyForSystem
   (d)  RuleForIKENegotiation
   (e)  RuleForIPsecNegotiation
   (f)  PolicyRuleValidityPeriod (see [PCIM]) ([PCIM])
   (g)  SAConditionInRule
   (h)  SAActionInRule  PolicyActionInSARule
   (i)  PolicyActionInPolicyAction

   An IPsecPolicyGroup represents the set of policies that are used on
   an interface.   This IPsecPolicyGroup SHOULD be associated either
   directly with the IPProtocolEndpoint class instance that represents
   the interface (via the IPsecPolicyForEndpoint association) or
   indirectly (via the IPsecPolicyForSystem association) associated
   with the System that hosts the interface.

4.1.

   The Class IPsecPolicyGroup IKE and IPsec rules are used to build or to negotiate the IPsec
   SADB. The class IPsecPolicyGroup serves SADB itself is not modeled by this document.

   The rules usage can be described as a (see also section 6 about
   actions):

   o   an egress unprotected packet will first be checked against the
       SADB. If no match is found, the IPsec rules will be checked. If
       IKE negotiation is required by an IPsec rule, the corresponding
       IKE rules will be used if no IKE SA already exists. The
       negotiated or preconfigured SA will then be installed in the
       SADB.
   o   An ingress unprotected packet will first be checked against the
       IPsec SADB. If no match is found, the IPsec rules will be
       checked for a preconfigured SA. If a preconfigured SA exists,
       this SA will be installed in the IPsec SADB.
   o   An ingress protected packet will be checked exactly as an
       ingress unprotected packet.
   o   An ingress IKE negotiation packet, which is not part of an
       existing IKE SA, will be checked against the IKE rules. The
       negotiated SA will then be installed in the SADB.

4.1. The Class IPsecPolicyGroup

   The class IPsecPolicyGroup serves as a container of either other
   IPsecPolicyGroups or a set of IKERules and a set of IPsecRules.  The
   class definition for IPsecPolicyGroup is as follows:

   NAME         IPsecPolicyGroup
   DESCRIPTION  Either a set of IPsecPolicyGroups or a set of IKERules
                and a set of IPsecRules.
   DERIVED FROM PolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyGroupName (from PolicyGroup)
                PolicyDescisionStrategy (from PolicySet)

   NOTE:  for derivations of the schema that are used for policy
   distribution to an IPsec device (for example, COPS-PR), the server
   may follow all of IPsecPolicyGroupInPolicyGroup PolicySetComponent associations and create one
   policy group which is simply a set of all of the IKE rules and a set
   of all of the IPsec rules.  See the section on the
   IPsecPolicyGroupInPolicyGroup
   PolicySetComponent aggregation for information on merging multiple
   IPsecPolicyGroups.

4.2. The Class SARule

   The class SARule serves as a base class for IKERule and IPsecRule.
   Even though the class is concrete, it MUST not be instantiated.  It
   defines a common connection point for associations to conditions and
   actions for both types of rules.  Through its derivation from
   PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
   the PolicyRuleValidityPeriod association.

   An SARule inherits the property Priority from PolicyRule.  Since
   there is a need for an unambiguous ordering of rules in an IPsec
   system, all

   Each valid IpsecPolicyGroup MUST contain SARules contained within an IPsecPolicyGroup must that each have a
   unique associated priority values. number in PolicySetComponent.Priority.
   The class definition for SARule is as follows:

   NAME         SARule
   DESCRIPTION  A base class for IKERule and IPsecRule.
   DERIVED FROM PolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyRuleName (from PolicyRule)
                Enabled (from PolicyRule)
                ConditionListType (from PolicyRule)
                RuleUsage (from PolicyRule)
                Mandatory (from PolicyRule)
                SequencedActions (from PolicyRule)
                ExecutionStrategy (from PolicyRule)
                PolicyRoles (from PolicyRule)
                PolicyDecisionStrategy (from PolicySet)
                LimitNegotiation

4.2.1. The Property LimitNegotiation
   The property LimitNegotiation is used as part of processing either
   an IKE or an IPsec rule.

   Before proceeding with Properties PolicyRuleName, Enabled, ConditionListType,
RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
PolicyDecisionStrategy

   For a phase 1 negotiation, this description of these properties, see Appendix D.

   In SARule subclass instances:
   - if the property is
   checked Mandatory exists, it MUST be set to determine "true"
   - if the negotiation role of property SequencedActions exists, it MUST be set to
   "mandatory"
   - the rule matches
   that defined for the negotiation being undertaken (e.g., Initiator,
   Responder, or Both). If this check fails (e.g. the current role property PolicyRoles is
   IKE responder while not used in the rule specifies IKE initiator), then device-level model
   - if the IKE
   negotiation is stopped. Note that this only applies property PolicyDecisionStrategy exists, it must be set to new IKE phase
   1 negotiations and has no effect on either renegotiation or refresh
   operations with peers for which an established SA already exists.

   Before proceeding with a phase 2 negotiation,
   "FirstMatching"

4.2.2  The Property ExecutionStrategy

  The ExecutionStrategy properties in the LimitNegotiation
   property of PolicyRule subclasses (and in

  the IPsecRule is first checked to CompoundPolicyAction class) determine if the
   negotiation role indicated for behavior of the
  contained actions.  It defines the strategy to be used in executing

  the sequenced actions aggregated by a rule matches that or a compound action. In

  the case of actions within a rule, the current
   negotiation (Initiator, Responder, or Either).  Note that this limit
   applies only to new phase 2 negotiations.  It is ignored when an
   attempt PolicyActionInSARule

  aggregation is made used to refresh collect the actions into an expiring SA (either side can initiate ordered set; in

  the case of a refresh operation).  The IKE system can determine that compound action, the
   negotiation PolicyActionInPolicyAction

  aggregation is a refresh operation by checking used to see if collect the
   selector information matches that of actions into an existing SA. If
   LimitNegotiation does not match ordered subset.

   There are three execution strategies: do until success, do all and
   do until failure.

   Do Until Success causes the selector corresponds execution of actions according to a
   new SA, the negotiation is stopped.

   The
   ActionOrder property is defined as follows:

   NAME         LimitNegotiation
   DESCRIPTION  Limits in the role to aggregation instances until a successful
   execution of a single action.  These actions may be undertaken during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1  initiator-only
                2  responder-only
                3 - both

4.3. The Class IKERule

   The class IKERule associates Conditions and Actions for IKE phase 1
   negotiations.  The class definition for IKERule evaluated to
   determine if they are appropriate to execute rather than blindly
   trying each of the actions until one succeeds.  For an initiator,
   they are tried in the ActionOrder until the list is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 1
                negotiations.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule, plus
                IdentityContexts

4.3.1. The Property IdentityContexts

   The exhausted or one
   completes successfully.  For example, an IKE service of a security endpoint initiator may have multiple identities
   several IKEActions for use in different situations.  The combination of the interface
   (represented by the IPProtocolEndpoint), the identity type (as
   specified same SACondition. The initiator will try
   all IKEActions in the IKEAction) and the IdentityContexts specifies order defined by ActionOrder.  I.e. it will
   possibly try several phase 1 negotiations possibly with different
   modes (main mode then aggressive mode) and/or with possibly multiple
   IKE peers.  For a
   unique identity.

   The IdentityContexts property specifies responder, when there is more than one action in
   the context to select rule with "do until success" condition clause this provides
   alternative actions depending on the
   relevant IKE identity to be used during received proposals.  For
   example, the further IKEAction.  A
   context same IKERule may be a VPN name or other identifier for selecting used to handle aggressive mode and
   main mode negotiations with different actions.  The responder uses
   the first appropriate identity for use on action in the protected IPProtocolEndpoint.

   IdentityContexts is an array list of strings.  The multiple values in actions.

  Do All causes the
   array are ORed together in evaluating execution all of the IdentityContexts.  Each
   value actions in aggregated set

  according to their defined order. The execution continues regardless

  of failures.

  Do Until Failure causes the array may be the composition execution of multiple context names.
   So, a single value may be a single context name (e.g.,
   "CompanyXVPN") or it may be combination all actions according to

  predefined order until the first failure in execution of contexts.  When an array
   value is action

  instance.

  For example, in a composition, the individual values are ANDed together for
   evaluation purposes and the syntax is:

        <ContextName>[&&<ContextName>]*

   where nested SAs case the individual context names appear in alphabetical order
   (according actions of an initiators rule

  might be structured as:

  IPsecRule.ExecutionStrategy=Do All

  |

  +---1--- IPsecTunnelAction   // set up SA from host to the collating sequence for UCS-2).  So, for gateway

  |

  +---2--- IPsecTransportAction                                 // set up SA from host thru tunnel

                                // to remote host

  Another example,
   the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
   "CompanyZVPN&&Confidential" means that, for the appropriate
   IPProtocolEndpoint and IdentityType, the contexts are matched showing a rule with fallback actions might be

  structured as:

  IPsecRule.ExecutionStrategy=Do Until Success

  |

  +---6--- IPsecTransportAction // negotiate SA with peer

  |

  +---9--- IPsecBypassAction   // but if you must, allow in the
   identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
   "CompanyZVPN&&Confidential".

                                // clear

  The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  Specifies the context CompoundPolicyAction class (See Appendix D) may be used in which to select

  constructing the actions of IKE
                identity.
   SYNTAX       string array

4.4. The Class IPsecRule

   The class IPsecRule associates Conditions and Actions for IKE phase
   2 negotiations for the IPsec DOI. rules when those rules

  specify both multiple actions and fallback actions.  The class definition for
   IPsecRule

  ExecutionStrategy property in CompoundPolicyAction is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 2
                negotiations for used in

  conjunction with that in the IPsec DOI.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup

   The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec
   policies to be combined into one effective policy.  See [PCIM] for PolicyRule.

  For example, in nesting SAs with a
   description of the how policies are merged (see also fallback security gateway, the property
   GroupPriority).  The class definition for
   IPsecPolicyGroupInPolicyGroup is as follows:

   NAME         IPsecPolicyGroupInPolicyGroup
   DESCRIPTION  Associates

  actions of a nested IPsecPolicyGroup with the
                IPsecPolicyGroup that contains it.
   DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref IPsecPolicyGroup[0..n]]
                PartComponent[ref IPsecPolicyGroup[0..n]]
                GroupPriority

4.5.1. The Reference GroupComponent

   The property GroupComponent is inherited rule might be structured as:

  IPsecRule.ExecutionStrategy=Do All

  |

  +---1--- CompoundPolicyAction.ExecutionStrategy=Do Until Success

  |        |

  |        +---1--- IPsecTunnelAction  // set up SA from
   PolicyGroupInPolicyGroup and is overridden host to refer

  |        |                           // gateway1

  |        |

  |        +---2--- IPsecTunnelAction  // or set up SA to an
   IPsecPolicyGroup instance. gateway2

  |

  +---2--- IPsecTransportAction                                         // then set up SA from host

                                        // thru tunnel to remote host

4.2.3  The [0..n] cardinality indicates that a
   given IPsecPolicyGroup instance may be a Property LimitNegotiation

   The property LimitNegotiation is used as part of zero or more
   containing IPsecPolicyGroup instances (i.e., there may be zero processing either
   an IKE or
   more GroupComponent references per PartComponent).

4.5.2. The Reference PartComponent

   The an IPsec rule.

   Before proceeding with a phase 1 negotiation, this property PartComponent is inherited from
   PolicyGroupInPolicyGroup and is overridden to refer
   checked to an
   IPsecPolicyGroup instance.  The [0..n] cardinality indicates that a
   given IPsecPolicyGroup instance may contain zero or more
   IPsecPolicyGroup instances (i.e., there may be zero or more
   PartComponent references per GroupComponent).

4.5.3. The Property GroupPriority

   Since policy groups, IPsecPolicyGroup, can contain both rules and
   other policy groups, the relative priorities of determine if the rules negotiation role of the
   contained groups are established by setting the GroupPriority
   property of IPsecPolicyGroupInPolicyGroup as a unique rule priority
   in matches
   that defined for the containing group.

   The rules of the nested group are inserted in order at that position
   (i.e. indicated by GroupPriority) in negotiation being undertaken (e.g., Initiator,
   Responder, or Both). If this check fails (e.g. the containing group's rules

   The property current role is defined as follows:

   NAME         GroupPriority
   DESCRIPTION  Specifies
   IKE responder while the rule priority to be set specifies IKE initiator), then the IKE
   negotiation is stopped. Note that this only applies to all nested
                rules.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between new IKE phase
   1 negotiations and 2^16-1 inclusive.  Lower values
                have higher precedence (i.e., 1 has no effect on either renegotiation or refresh
   operations with peers for which an established SA already exists.

   Before proceeding with a phase 2 negotiation, the LimitNegotiation
   property of the IPsecRule is first checked to determine if the highest
                precedence).  The merging order
   negotiation role indicated for the rule matches that of two ContainedGroups
                with the same precedence current
   negotiation (Initiator, Responder, or Either).  Note that this limit
   applies only to new phase 2 negotiations.  It is undefined.

4.6. The Association Class IPsecPolicyForEndpoint

   The class IPsecPolicyForEndpoint associates ignored when an IPsecPolicyGroup with
   a specific network interface.  If
   attempt is made to refresh an IPProtocolEndpoint of expiring SA (either side can initiate
   a refresh operation).  The IKE system can determine that the
   negotiation is a refresh operation by checking to see if the
   selector information matches that of an existing SA. If
   LimitNegotiation does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
   then match and the IPsecPolicyForSystem associated IPsecPolicyGroup selector corresponds to a
   new SA, the negotiation is used
   for that endpoint. stopped.

   The class definition for IPsecPolicyForEndpoint property is defined as follows:

   NAME         IPsecPolicyForEndpoint         LimitNegotiation
   DESCRIPTION  Associates a policy group  Limits the role to a network interface.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref IPProtocolEndpoint[0..n]]
                Dependent[ref IPsecPolicyGroup[0..1]]

4.6.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an IPProtocolEndpoint instance.  The [0..n]
   cardinality indicates that an IPsecPolicyGroup instance may be
   associated with zero or more IPProtocolEndpoint instances.

4.6.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecPolicyGroup instance.  The [0..1]
   cardinality indicates that an IPProtocolEndpoint instance may have
   an association to at most one IPsecPolicyGroup instance.

4.7. undertaken during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1  initiator-only
                2  responder-only
                3 - both

4.3. The Association Class IPsecPolicyForSystem IKERule

   The class IPsecPolicyForSystem IKERule associates an IPsecPolicyGroup with a
   specific system.  If an IPProtocolEndpoint of a system does not have
   an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
   IPsecPolicyForSystem associated IPsecPolicyGroup is used Conditions and Actions for that
   endpoint. IKE phase 1
   negotiations.  The class definition for IPsecPolicyForSystem IKERule is as follows:

   NAME         IPsecPolicyForSystem         IKERule
   DESCRIPTION  Default policy group  Associates Conditions and Actions for a system. IKE phase 1
                negotiations.
   DERIVED FROM Dependency (see Appendix A) SARule
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref System[0..n]]
                Dependent[ref IPsecPolicyGroup[0..1]]

4.7.1.   same as SARule, plus
                IdentityContexts

4.3.1. The Reference Antecedent Property IdentityContexts

   The property Antecedent is inherited from Dependency and is
   overridden to refer to IKE service of a System instance.  The [0..n] cardinality
   indicates that an IPsecPolicyGroup instance security endpoint may have an association
   to zero or more System instances.

4.7.2. multiple identities
   for use in different situations.  The Reference Dependent combination of the interface
   (represented by the IPProtocolEndpoint), the identity type (as
   specified in the IKEAction) and the IdentityContexts specifies a
   unique identity.

   The IdentityContexts property Dependent is inherited from Dependency and is
   overridden specifies the context to refer select the
   relevant IKE identity to be used during the further IKEAction.  A
   context may be a VPN name or other identifier for selecting the
   appropriate identity for use on the protected IPProtocolEndpoint.

   IdentityContexts is an IPsecPolicyGroup instance. array of strings.  The [0..1]
   cardinality indicates that multiple values in the
   array are ORed together in evaluating the IdentityContexts.  Each
   value in the array may be the composition of multiple context names.
   So, a System instance single value may have be a single context name (e.g.,
   "CompanyXVPN") or it may be combination of contexts.  When an association array
   value is a composition, the individual values are ANDed together for
   evaluation purposes and the syntax is:

        <ContextName>[&&<ContextName>]*

   where the individual context names appear in alphabetical order
   (according to at most one IPsecPolicyGroup instance.

4.8. the collating sequence for UCS-2).  So, for example,
   the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
   "CompanyZVPN&&Confidential" means that, for the appropriate
   IPProtocolEndpoint and IdentityType, the contexts are matched if the
   identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
   "CompanyZVPN&&Confidential".

   The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  Specifies the context in which to select the IKE
                identity.
   SYNTAX       string array

4.4. The Aggregation Class RuleForIKENegotiation IPsecRule

   The class RuleForIKENegotiation IPsecRule associates an IKERule with Conditions and Actions for IKE phase
   2 negotiations for the
   IPsecPolicyGroup that contains it. IPsec DOI.  The class definition for
   RuleForIKENegotiation
   IPsecRule is as follows:

   NAME         RuleForIKENegotiation         IPsecRule
   DESCRIPTION  Associates an IKERule with Conditions and Actions for IKE phase 2
                negotiations for the IPsecPolicyGroup that
                contains it. IPsec DOI.
   DERIVED FROM PolicyRuleInPolicyGroup (see [PCIM]) SARule
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref IPsecPolicyGroup [1..1]]
                PartComponent [ref IKERule [0..n]]

4.8.1. The Reference GroupComponent   same as SARule

4.6. The property GroupComponent Association Class IPsecPolicyForEndpoint

   The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
   a specific network interface.  If an IPProtocolEndpoint of a system
   does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
   then the IPsecPolicyForSystem associated IPsecPolicyGroup is used
   for that endpoint.  The class definition for IPsecPolicyForEndpoint
   is as follows:

   NAME         IPsecPolicyForEndpoint
   DESCRIPTION  Associates a policy group to a network interface.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref IPProtocolEndpoint[0..n]]
                Dependent[ref IPsecPolicyGroup[0..1]]

4.6.1. The Reference Antecedent

   The property Antecedent is inherited from
   PolicyRuleInPolicyGroup Dependency and is
   overridden to refer to an
   IPsecPolicyGroup IPProtocolEndpoint instance.  The [1..1] [0..n]
   cardinality indicates that an
   IKERule IPsecPolicyGroup instance may be contained in one and only one
   IPsecPolicyGroup instance (i.e., IKERules are not shared across
   IPsecPolicyGroups).

4.8.2.
   associated with zero or more IPProtocolEndpoint instances.

4.6.2. The Reference PartComponent Dependent

   The property PartComponent Dependent is inherited from PolicyRuleInPolicyGroup Dependency and is
   overridden to refer to an IKERule IPsecPolicyGroup instance.  The [0..n] [0..1]
   cardinality indicates that an IPsecPolicyGroup IPProtocolEndpoint instance may contain
   zero or more IKERule instances.

4.9. have
   an association to at most one IPsecPolicyGroup instance.

4.7. The Aggregation Association Class RuleForIPsecNegotiation IPsecPolicyForSystem

   The class RuleForIPsecNegotiation IPsecPolicyForSystem associates an IPsecRule IPsecPolicyGroup with a
   specific system.  If an IPProtocolEndpoint of a system does not have
   an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
   IPsecPolicyForSystem associated IPsecPolicyGroup is used for that contains it.
   endpoint.  The class definition for
   RuleForIPsecNegotiation IPsecPolicyForSystem is as
   follows:

   NAME         RuleForIPsecNegotiation         IPsecPolicyForSystem
   DESCRIPTION  Associates an IPsecRule with the IPsecPolicyGroup that
                contains it.  Default policy group for a system.
   DERIVED FROM PolicyRuleInPolicyGroup Dependency (see [PCIM]) Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref IPsecPolicyGroup [1..1]]
                PartComponent [ref IPsecRule [0..n]]

4.9.1.   Antecedent[ref System[0..n]]
                Dependent[ref IPsecPolicyGroup[0..1]]

4.7.1. The Reference GroupComponent Antecedent

   The property GroupComponent Antecedent is inherited from
   PolicyRuleInPolicyGroup Dependency and is
   overridden to refer to an
   IPsecPolicyGroup a System instance.  The [1..1] [0..n] cardinality
   indicates that an
   IPsecRule instance may be contained in only one IPsecPolicyGroup instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).

4.9.2. may have an association
   to zero or more System instances.

4.7.2. The Reference PartComponent Dependent

   The property PartComponent Dependent is inherited from PolicyRuleInPolicyGroup Dependency and is
   overridden to refer to an IPsecRule IPsecPolicyGroup instance.  The [0..n] [0..1]
   cardinality indicates that an IPsecPolicyGroup a System instance may contain
   zero or more IPsecRules have an association
   to at most one IPsecPolicyGroup instance.

4.10.

4.8. The Aggregation Class SAConditionInRule RuleForIKENegotiation

   The class SAConditionInRule RuleForIKENegotiation associates an SARule IKERule with the
   SACondition instance(s)
   IPsecPolicyGroup that trigger(s) contains it.  See [PCIM] for the
   usage for the properties GroupNumber and ConditionNegated.  The class definition for SAConditionInRule
   RuleForIKENegotiation is as follows:

   NAME         SAConditionInRule         RuleForIKENegotiation
   DESCRIPTION  Associates an SARule IKERule with the SACondition instance(s) IPsecPolicyGroup that trigger(s)
                contains it.
   DERIVED FROM PolicyConditionInPolicyRule PolicySetComponent (see [PCIM]) Appendix D)
   ABSTRACT     FALSE
   PROPERTIES   Priority (from PolicySetComponent)
                GroupComponent [ref SARule [0..n]] IPsecPolicyGroup [1..1]]
                PartComponent [ref SACondition [1..n]]
                GroupNumber (from PolicyConditionInPolicyRule)
                ConditionNegated (from PolicyConditionInPolicyRule)

4.10.1. IKERule [0..n]]

4.8.1. The Property Priority

   For a description of this property, see Appendix D.

4.8.2. The Reference GroupComponent
   The property GroupComponent is inherited from
   PolicyConditionInPolicyRule
   PolicyRuleInPolicyGroup and is overridden to refer to an SARule
   IPsecPolicyGroup instance.  The [0..n] [1..1] cardinality indicates that an SACondition
   IKERule instance may be contained in zero or more SARule instances.

4.10.2. one and only one
   IPsecPolicyGroup instance (i.e., IKERules are not shared across
   IPsecPolicyGroups).

4.8.3. The Reference PartComponent

   The property PartComponent is inherited from
   PolicyConditionInPolicyRule PolicyRuleInPolicyGroup
   and is overridden to refer to an
   SACondition IKERule instance.  The [1..n] [0..n]
   cardinality indicates that an
   SARule IPsecPolicyGroup instance MUST may contain at least one SACondition instance.

4.11.
   zero or more IKERule instances.

4.9. The Aggregation Class SAActionInRule RuleForIPsecNegotiation

   The SAActionInRule class RuleForIPsecNegotiation associates an SARule IPsecRule with its primary
   SAAction. the
   IPsecPolicyGroup that contains it.  The class definition for SAActionInRule
   RuleForIPsecNegotiation is as follows:

   NAME         SAActionInRule         RuleForIPsecNegotiation
   DESCRIPTION  Associates an SARule IPsecRule with its SAAction(s). the IPsecPolicyGroup that
                contains it.
   DERIVED FROM PolicyActionInPolicyRule PolicySetComponent (see [PCIM]) Appendix D)
   ABSTRACT     FALSE
   PROPERTIES   Priority (from PolicySetComponent)
                GroupComponent [ref SARule [0..n]] IPsecPolicyGroup [1..1]]
                PartComponent [ref SAAction [1..n]]
                ActionOrder

4.11.1. IPsecRule [0..n]]

4.9.1. The Property Priority

   For a description of this property, see Appendix D.

4.9.2. The Reference GroupComponent

   The property GroupComponent is inherited from
   PolicyActionInPolicyRule
   PolicyRuleInPolicyGroup and is overridden to refer to an SARule
   IPsecPolicyGroup instance.  The [0..n] [1..1] cardinality indicates that an SAAction
   IPsecRule instance may be contained in zero or more SARule instances.

4.11.2. only one IPsecPolicyGroup
   instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).

4.9.3. The Reference PartComponent

   The property PartComponent is inherited from
   PolicyActionInPolicyRule PolicyRuleInPolicyGroup
   and is overridden to refer to an SAAction IPsecRule instance.  The [1..n] [0..n]
   cardinality indicates that an SARule IPsecPolicyGroup instance
   MUST may contain at least one SAAction
   zero or more IPsecRules instance.

4.11.3.

4.10. The Property ActionOrder Aggregation Class SAConditionInRule
   The property ActionOrder specifies the relative position of this
   SAAction in the sequence of actions associated class SAConditionInRule associates an SARule with a PolicyRule. the
   SACondition instance(s) that trigger(s) it.  The ActionOrder MUST be unique so class definition
   for SAConditionInRule is as to provide a deterministic
   order.  In addition, the actions in follows:

   NAME         SAConditionInRule
   DESCRIPTION  Associates an SARule are executed as
   follows.

   For an initiator, if there is more than one action in the rule, the
   additional actions are 'backup' actions in with the event SACondition instance(s)
                that the first
   action trigger(s) it.
   DERIVED FROM PolicyConditionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupNumber (from PolicyConditionInPolicyRule)
                ConditionNegated (from PolicyConditionInPolicyRule)
                GroupComponent [ref SARule [0..n]]
                PartComponent [ref SACondition [1..n]]

4.10.1. The Properties GroupNumber and ConditionNegated

   For a description of these properties, see [PCIM].

4.10.2. The Reference GroupComponent

   The property GroupComponent is not able to be completed successfully.  They are tried in
   the ActionOrder until the list inherited from
   PolicyConditionInPolicyRule and is exhausted or one completes
   successfully.  For example, overridden to refer to an IKE initiator may have several
   IKEActions for the same SACondition. SARule
   instance.  The initiator will try all
   IKEActions in the order defined by ActionOrder.  I.e. it will
   possibly try several phases 1 possibly with different modes (main
   mode then aggressive mode) and/or with possibly multiple IKE peers.

   For a responder, there can be more than one action in the rule, this
   provides alternative actions depending on the received proposals.
   For example, the same IKERule [0..n] cardinality indicates that an SACondition
   instance may be used to handle aggressive mode
   and main mode negotiations with different actions.  The first
   appropriate action contained in the list of actions is used by the responder. zero or more SARule instances.

4.10.3. The Reference PartComponent

   The property PartComponent is defined as follows:

   [Need an explanation of what the action order means as it replaces
   the fallback association]

   NAME         ActionOrder
   DESCRIPTION  Specifies the order of actions.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between 1 inherited from
   PolicyConditionInPolicyRule and 2^16-1 inclusive.  Lower values
                have higher precedence (i.e., 1 is the highest
                precedence).  The merging order of two SAActions with
                the same precedence is undefined.

5. Condition and Filter Classes

   The IPsec condition and filter classes are used overridden to build the "if"
   part of the IKE and IPsec rules.

                             *+-------------+
         +--------------------| refer to an
   SACondition |
         |                    +-------------+
         |                         * |
         |                           |(a)
         |                         1 |
         |                    +--------------+
         |                    |  FilterList  |
         |                    | (Appendix C) |
         |                    +--------------+
         |                         1 o
         |(b)                        |(c)
         |                         * |
         |                   +-----------------+
         |                   | FilterEntryBase |
         |                   |  (Appendix C)   |
         |                   +-----------------+
         |                           ^
         |                           |
         |       +--------------+    |    +-----------------------+
         |       | FilterEntry  |----+----| CredentialFilterEntry |
         |       | (Appendix C) |    |    +-----------------------+
         |       +--------------+    |
         |                           |
         |    +-----------------+    |    +--------------------------+
         |    | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
         |    +-----------------+         +--------------------------+
         |
         |           *+-----------------------------+
         +------------| CredentialManagementService |
                      |         (Appendix B)        |
                      +-----------------------------+

   (a)  FilterOfSACondition
   (b)  AcceptCredentialsFrom
   (c)  EntriesInFilterList (see Appendix C)

5.1. instance.  The Class [1..n] cardinality indicates that an
   SARule instance MUST contain at least one SACondition instance.

4.11. The Aggregation Class PolicyActionInSARule

   The PolicyActionInSARule class SACondition defines the conditions of rules for IKE and
   IPsec negotiations.  Conditions are associated with policy rules via
   the SAConditionInRule aggregation. It is used as associates an anchor point to
   associate various types of filters SARule with policy rules via one or more
   PolicyAction instances.  In all cases where an SARule is being used,
   the
   FilterOfSACondition association. It also defines whether Credentials
   can contained actions MUST be accepted for a particular policy rule via the
   AcceptCredentialsFrom association.

   Associated objects represent components either subclasses of the condition that may SAAction or
   may not apply at a given rule evaluation.
   instances of CompoundPolicyAction.  For example, an
   AcceptCredentialsFrom evaluation is only performed when a credential
   is available to be evaluated against IKERule, the list of trusted credential
   management services.  Similarly, a PeerIDPayloadFilterEntry may only contained
   actions MUST be evaluated when an IDPayload value is available related to compared with
   the filter.  Condition components that do not have corresponding
   values with which phase 1 processing, i.e., IKEAction or
   IKERejectAction.  Similarly, for an IPsecRule, contained actions
   MUST be related to evaluate are evaluated as TRUE unless the
   protocol has completed without providing the required information. phase 2 or preconfigured SA processing, e.g.,
   IPsecTransportAction, IPsecBypassAction, etc.  The class definition
   for SACondition PolicyActionInSARule is as follows:

   NAME         SACondition         PolicyActionInSARule
   DESCRIPTION  Defines the preconditions for IKE and IPsec
                negotiations.  Associates an SARule with its PolicyAction(s).
   DERIVED FROM PolicyCondition PolicyActionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyConditionName   GroupComponent [ref SARule [0..n]]
                PartComponent [ref PolicyAction [1..n]]
                ActionOrder (from PolicyCondition)

5.2. PolicyActionInPolicyRule)

4.11.1. The Class FilterEntry Reference GroupComponent
   The class FilterEntry is defined in appendix C with the following
   notes:

   1) since actions in the IPsec Policy Model are not part of the
      condition side of the rule, the Action property of each
      FilterEntry GroupComponent is ignored inherited from
   PolicyActionInPolicyRule and should be set is overridden to "FilterOnly".

   2) refer to specify 5-tuple filters an SARule
   instance.  The [0..n] cardinality indicates that are to apply symmetrically (i.e.,
      matches traffic in both directions of the same flow between the
      two peers), the Direction property of the FilterList should an SAAction
   instance may be
      set to "Mirrored".

5.3. contained in zero or more SARule instances.

4.11.2. The Class CredentialFilterEntry Reference PartComponent

   The class CredentialFilterEntry defines an equivalence class that
   match credentials of IKE peers. Each CredentialFilterEntry includes
   a MatchFieldName that property PartComponent is interpreted according inherited from
   PolicyActionInPolicyRule and is overridden to the
   CredentialManagementService(s) associated with the SACondition
   (AcceptCredentialsFrom).

   These credentials can be X.509 certificates, Kerberos tickets, refer to an SAAction
   or
   other types of credentials obtained during the Phase 1 exchange. CompoundPolicyAction instance.  The class definition for CredentialFilterEntry is as follows:

   NAME         CredentialFilterEntry
   DESCRIPTION  Specifies a match filter based on the IKE credentials.
   DERIVED FROM FilterEntryBase (see Appendix C)
   ABSTRACT     FALSE
   PROPERTIES   Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchFieldName
                MatchFieldValue
                CredentialType

5.3.1. [1..n] cardinality indicates
   that an SARule instance MUST contain at least one SAAction or
   CompoundPolicyAction instance.

4.11.3. The Property MatchFieldName ActionOrder

   The property MatchFieldName ActionOrder is inherited from the superclass
   PolicyActionInPolicyRule.  It specifies the sub-part relative position of
   this PolicyAction in the credential
   to match against MatchFieldValue.  The property is defined as
   follows:

   NAME         MatchFieldName
   DESCRIPTION  Specifies which sub-part sequence of the credential to match.
   SYNTAX       string
   VALUE

5.3.2. The Property MatchFieldValue actions associated with a
   PolicyRule.  The property MatchFieldValue specifies the value ActionOrder MUST be unique so as to compare with provide a
   deterministic order.  In addition, the
   MatchFieldName actions in an SARule are
   executed as follows.  See section 4.2.2 ExecutionStrategy for a credential to determine if
   discussion on the credential
   matches this filter entry. use of the ActionOrder property.

   The property is defined as follows:

   NAME         MatchFieldValue         ActionOrder
   DESCRIPTION  Specifies the value to be matched by the
                MatchFieldName. order of actions.
   SYNTAX       string       unsigned 16-bit integer
   VALUE        NB: If the CredentialFilterEntry corresponds to a
                DistinguishedName, this        Any value in the CIM class between 1 and 2^16-1 inclusive.  Lower values
                have higher precedence (i.e., 1 is
                represented by an ordinary string value.  However, an
                implementation must convert this string to a DER-
                encoded string before matching against the values
                extracted from credentials at runtime.

5.3.3. The Property CredentialType highest
                precedence).  The property CredentialType specifies the particular type merging order of
   credential that two SAActions with
                the same precedence is being matched. undefined.

5. Condition and Filter Classes

   The property is defined as
   follows:

   NAME         CredentialType
   DESCRIPTION  Defines IPsec condition and filter classes are used to build the type "if"
   part of the IKE credentials.
   SYNTAX       unsigned 16-bit integer
   VALUE and IPsec rules.

                             *+-------------+
         +--------------------| SACondition |
         |                    +-------------+
         |                         * |
         |                           |(a)
         |                         1 - X.509 Certificate
                2 - Kerberos Ticket

5.4. |
         |                    +--------------+
         |                    |  FilterList  |
         |                    | (Appendix C) |
         |                    +--------------+
         |                         1 o
         |(b)                        |(c)
         |                         * |
         |                   +-----------------+
         |                   | FilterEntryBase |
         |                   |  (Appendix C)   |
         |                   +-----------------+
         |                           ^
         |                           |
         |     +----------------+    |    +-----------------------+
         |     | IPHeaderFilter |----+----| CredentialFilterEntry |
         |     |  (Appendix C)  |    |    +-----------------------+
         |     +----------------+    |
         |                           |
         |    +-----------------+    |    +--------------------------+
         |    | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
         |    +-----------------+         +--------------------------+
         |
         |           *+-----------------------------+
         +------------| CredentialManagementService |
                      |         (Appendix B)        |
                      +-----------------------------+

   (a)  FilterOfSACondition
   (b)  AcceptCredentialsFrom
   (c)  EntriesInFilterList (see Appendix C)

5.1. The Class IPSOFilterEntry SACondition

   The class IPSOFilterEntry is used to match traffic based on SACondition defines the IP
   Security Options header values (ClassificationLevel and
   ProtectionAuthority) as defined in RFC1108. This type conditions of FilterEntry rules for IKE and
   IPsec negotiations.  Conditions are associated with policy rules via
   the SAConditionInRule aggregation. It is used as an anchor point to adjust the IPsec encryption level according to the IPSO
   classification
   associate various types of filters with policy rules via the traffic (e.g., secret, confidential,
   restricted, etc.
   FilterOfSACondition association. It also defines whether Credentials
   can be accepted for a particular policy rule via the
   AcceptCredentialsFrom association.

   Associated objects represent components of the condition that may or
   may not apply at a given rule evaluation.  For example, an
   AcceptCredentialsFrom evaluation is only performed when a credential
   is available to be evaluated against the list of trusted credential
   management services.  Similarly, a PeerIDPayloadFilterEntry may only
   be evaluated when an IDPayload value is available to compared with
   the filter.  Condition components that do not have corresponding
   values with which to evaluate are evaluated as TRUE unless the
   protocol has completed without providing the required information.

   The class definition for IPSOFilterEntry SACondition is as follows:

   NAME         IPSOFilterEntry         SACondition
   DESCRIPTION  Specifies  Defines the a match filter based on IP Security
                Options. preconditions for IKE and IPsec
                negotiations.
   DERIVED FROM FilterEntryBase PolicyCondition (see Appendix C) [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   Name (from FilterEntryBase)
                IsNegated   PolicyConditionName (from FilterEntryBase)
                MatchConditionType
                MatchConditionValue

5.4.1. The Property MatchConditionType PolicyCondition)

5.2. The property MatchConditionType specifies the IPSO header field that
   will be matched (e.g., traffic classification level or protection
   authority). Class IPHeaderFilter

   The property class IPHeaderFilter is defined as follows:

   NAME         MatchConditionType
   DESCRIPTION  Specifies in appendix C with the IPSO header field following
   note:

   1) to be matched.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - ClassificationLevel
                2 - ProtectionAuthority

5.4.2. The Property MatchConditionValue

   The property MatchConditionValue specifies specify 5-tuple filters that are to apply symmetrically (i.e.,
      matches traffic in both directions of the value same flow between the
      two peers), the Direction property of the IPSO
   header field to FilterList should be matched against.  The property is defined as
   follows:

   NAME         MatchConditionValue
   DESCRIPTION  Specifies the value of the IPSO header field to be
                matched against.
   SYNTAX       unsigned 16-bit integer
   VALUE        For ClassificationLevel, the values are:
                61 - TopSecret
                90 - Secret
                150 - Confidential
                171 - Unclassified
                For ProtectionAuthority, the values are:
                0 - GENSER
                1 - SIOP-ESI
                2 - SCI
                3 - NSA
                4 - DOE

5.5.
      set to "Mirrored".

5.3. The Class PeerIDPayloadFilterEntry CredentialFilterEntry

   The class PeerIDPayloadFilterEntry CredentialFilterEntry defines filters used to an equivalence class that
   match ID
   payload values from the IKE protocol exchange.
   PeerIDPayloadFilterEntry permits the specification credentials of certain ID
   payload values such as "*@company.com" or "193.190.125.0/24".

   Obviously this filter applies only to IKERules when acting as IKE peers. Each CredentialFilterEntry includes
   a
   responder.  Moreover, this filter can be applied immediately in the
   case of aggressive mode but its application MatchFieldName that is interpreted according to be delayed in the
   case
   CredentialManagementService(s) associated with the SACondition
   (AcceptCredentialsFrom).

   These credentials can be X.509 certificates, Kerberos tickets, or
   other types of main mode. credentials obtained during the Phase 1 exchange.

   The class definition for
   PeerIDPayloadFilterEntry CredentialFilterEntry is as follows:

   NAME         PeerIDPayloadFilterEntry         CredentialFilterEntry
   DESCRIPTION  Specifies a match filter based on the IKE identity. credentials.
   DERIVED FROM FilterEntryBase (see Appendix C)
   ABSTRACT     FALSE
   PROPERTIES   Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchIdentityType
                MatchIdentityValue

5.5.1.
                MatchFieldName
                MatchFieldValue
                CredentialType

5.3.1. The Property MatchIdentityType MatchFieldName
   The property MatchIdentityType MatchFieldName specifies the type sub-part of identity
   provided by the peer credential
   to match against MatchFieldValue.  The property is defined as
   follows:

   NAME         MatchFieldName
   DESCRIPTION  Specifies which sub-part of the credential to match.
   SYNTAX       string
   VALUE

5.3.2. The Property MatchFieldValue

   The property MatchFieldValue specifies the value to compare with the
   MatchFieldName in a credential to determine if the ID payload." credential
   matches this filter entry.  The property is defined as follows:

   NAME         MatchIdentityType         MatchFieldValue
   DESCRIPTION  Specifies the ID payload type. value to be matched by the
                MatchFieldName.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

5.5.2. The Property MatchIdentityValue

   The property MatchIdentityValue specifies the filter value for
   comparison with the ID payload, e.g., "*@company.com"  The property
   is defined as follows:

   NAME         MatchIdentityValue
   DESCRIPTION  Specifies the ID payload value.
   SYNTAX       string       string
   VALUE        NB: The syntax may need to be converted for comparison. If the PeerIDPayloadFilterEntry type is CredentialFilterEntry corresponds to a
                DistinguishedName, the name this value in the MatchIdentityValue
                property CIM class is
                represented by an ordinary string value,
                but this value value.  However, an
                implementation must be converted into convert this string to a DER-encoded DER-
                encoded string before matching against the values
                extracted from IKE ID payloads credentials at runtime.

5.3.3. The same applies to
                IPv4 & IPv6 addresses.

                Wildcards can be used as well as the prefix notation
                for IPv4 addresses:
                - a MatchIdentityValue of "*@company.com" will match an
                ID payload of "JDOE@COMPANY.COM"
                - a MatchIdentityValue of "193.190.125.0/24" will match
                an ID payload of 193.190.125.10.

5.6. The Association Class FilterOfSACondition Property CredentialType

   The class FilterOfSACondition associates an SACondition with property CredentialType specifies the
   filter specifications (FilterList) particular type of
   credential that make up the condition. is being matched.  The
   class definition for FilterOfSACondition property is defined as
   follows:

   NAME         FilterOfSACondition         CredentialType
   DESCRIPTION  Associates a condition with  Defines the filter list that make
                up type of IKE credentials.
   SYNTAX       unsigned 16-bit integer
   VALUE        1  X.509 Certificate
                2  Kerberos Ticket

5.4. The Class IPSOFilterEntry

   The class IPSOFilterEntry is used to match traffic based on the individual condition elements.
   DERIVED FROM Dependency IP
   Security Options header values (ClassificationLevel and
   ProtectionAuthority) as defined in RFC1108. This type of filter
   entry is used to adjust the IPsec encryption level according to the
   IPSO classification of the traffic (e.g., secret, confidential,
   restricted, etc.  The class definition for IPSOFilterEntry is as
   follows:

   NAME         IPSOFilterEntry
   DESCRIPTION  Specifies the a match filter based on IP Security
                Options.
   DERIVED FROM FilterEntryBase (see Appendix A) C)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref FilterList[1..1]]
                Dependent [ref SACondition[0..n]]

5.6.1.   Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchConditionType
                MatchConditionValue

5.4.1. The Reference Antecedent Property MatchConditionType

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a FilterList instance.  The [1..1]
   cardinality indicates MatchConditionType specifies the IPSO header field that an SACondition instance MUST
   will be
   associated with one and only one FilterList instance.

5.6.2. The Reference Dependent matched (e.g., traffic classification level or protection
   authority).  The property Dependent is inherited from Dependency and is
   overridden to refer defined as follows:

   NAME         MatchConditionType
   DESCRIPTION  Specifies the IPSO header field to an SACondition instance.  The [0..n]
   cardinality indicates that a FilterList instance may be associated
   with zero or more SAConditions instance.

5.7. matched.
   SYNTAX       unsigned 16-bit integer
   VALUE        1  ClassificationLevel
                2  ProtectionAuthority

5.4.2. The Association Class AcceptCredentialFrom Property MatchConditionValue

   The class AcceptCredentialFrom property MatchConditionValue specifies which credential management
   services (e.g., a CertificateAuthority or a Kerberos service) are the value of the IPSO
   header field to be trusted to certify peer credentials.  This matched against.  The property is used to validate
   that defined as
   follows:

   NAME         MatchConditionValue
   DESCRIPTION  Specifies the credential being value of the IPSO header field to be
                matched in against.
   SYNTAX       unsigned 16-bit integer
   VALUE        For ClassificationLevel, the CredentialFilterEntry is a
   valid credential that has been supplied by an approved
   CredentialManagementService.  If a CredentialManagementService is
   specified and a corresponding CredentialFilterEntry is used, but the
   credential supplied by values are:
                61  TopSecret
                90  Secret
                150  Confidential
                171  Unclassified
                For ProtectionAuthority, the peer is not certified by that
   CredentialManagementService (or one of values are:
                0  GENSER
                1 - SIOP-ESI
                2  SCI
                3  NSA
                4 - DOE

5.5. The Class PeerIDPayloadFilterEntry

   The class PeerIDPayloadFilterEntry defines filters used to match ID
   payload values from the
   CredentialManagementServices in its trust hierarchy), IKE protocol exchange.
   PeerIDPayloadFilterEntry permits the
   CredentialFilterEntry is deemed not specification of certain ID
   payload values such as "*@company.com" or "193.190.125.0/24".

   Obviously this filter applies only to match.  If a credential is
   certified by IKERules when acting as a CredentialManagementService
   responder.  Moreover, this filter can be applied immediately in the
   AcceptCredentialsFrom list
   case of services aggressive mode but there is no
   CredentialFilterEntry, this its application is considered equivalent to a
   CredentialFilterEntry that matches all credentials from those
   services. be delayed in the
   case of main mode.  The class definition for AcceptCredentialFrom
   PeerIDPayloadFilterEntry is as follows:

   NAME         AcceptCredentialFrom         PeerIDPayloadFilterEntry
   DESCRIPTION  Associates  Specifies a condition with the credential management
                services to be trusted. match filter based on IKE identity.
   DERIVED FROM Dependency FilterEntryBase (see Appendix A) C)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref CredentialManagementService[0..n]]
                Dependent [ref SACondition[0..n]]

5.7.1.   Name (from FilterEntryBase)
                IsNegated (from FilterEntryBase)
                MatchIdentityType
                MatchIdentityValue

5.5.1. The Reference Antecedent Property MatchIdentityType

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an SACondition instance may be
   associated with zero or more CredentialManagementServices instance.

5.7.2. The Reference Dependent MatchIdentityType specifies the type of identity
   provided by the peer in the ID payload."   The property Dependent is inherited from Dependency and defined
   as follows:

   NAME         MatchIdentityType
   DESCRIPTION  Specifies the ID payload type.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

5.5.2. The Property MatchIdentityValue

   The property MatchIdentityValue specifies the filter value for
   comparison with the ID payload, e.g., "*@company.com"  The property
   is
   overridden to refer to an SACondition instance. defined as follows:

   NAME         MatchIdentityValue
   DESCRIPTION  Specifies the ID payload value.
   SYNTAX       string
   VALUE        NB: The [0..n]
   cardinality indicates that a CredentialManagementService instance syntax may need to be associated with zero or more SAConditions instance.

6. Action Classes converted for comparison.
                If the PeerIDPayloadFilterEntry type is a
                DistinguishedName, the name in the MatchIdentityValue
                property is represented by an ordinary string value,
                but this value must be converted into a DER-encoded
                string before matching against the values extracted
                from IKE ID payloads at runtime.  The action classes are used same applies to model
                IPv4 & IPv6 addresses.

                Wildcards can be used as well as the different actions prefix notation
                for IPv4 addresses:
                - a MatchIdentityValue of "*@company.com" will match an IPsec
   device may take when the evaluation
                ID payload of the associated condition
   results in "JDOE@COMPANY.COM"
                - a match.

                                +----------+
                                | SAAction |
                                +----------+
                                     ^
                                     |
                         +-----------+--------------+
                         |                          |
                *+----------------+      +---------------------+*
                 | SAStaticAction |      | SANegotiationAction |o-----+
                 +----------------+      +---------------------+      |
                               ^                     ^                |
                               |                     |                |
                               |         +-----------+-------+        |
                               |         |                   |        |
       +-------------------+   |   +-------------+     +-----------+  |
       | IPsecBypassAction |---+   | IPsecAction |     | IKEAction |  |
       +-------------------+   |   +-------------+     +-----------+  |
                               |       ^                              |
      +--------------------+   |       |    +----------------------+  |
      | IPsecDiscardAction |---+       +----| IPsecTransportAction |  |
      +--------------------+   |       |    +----------------------+  |
                               |       |                              |
         +-----------------+   |       |    +-------------------+     |
         | IKERejectAction |---+       +----| IPsecTunnelAction |     |
         +-----------------+   |            +-------------------+     |
                               |                     *|               |
                               |       +--------------+               |
                               |       |                              |
   +-----------------------+   |       |       +--------------+n      |
   | PreconfiguredSAAction |---+       |(a)    | [SAProposal] |-------+
   +-----------------------+           |       +--------------+   (b)
              ^                        |
              |                        |      *+-------------+
              +---------------------+  +-------| PeerGateway |
                                    |          +-------------+
   +-----------------------------+  |               *w|
   | PreconfiguredTransportAction|--+                 |(c)
   +-----------------------------+  |                1|
                                    |          +--------------+
   +-----------------------------+  |          |    System    |
   | PreconfiguredTransportAction|--+          | (Appendix A) |
   +-----------------------------+             +--------------+
               *|
                |   1..3+---------------+
                +-------| [SATransform] |
                  (d)   +---------------+
   (a)  PeerGatewayForTunnel
   (b)  ContainedProposal
   (c)  HostedPeerGatewayInformation
   (d)  TransformOfPreconfiguredAction

6.1. MatchIdentityValue of "193.190.125.0/24" will match
                an ID payload of 193.190.125.10.

5.6. The Association Class SAAction FilterOfSACondition

   The class SAAction serves as FilterOfSACondition associates an SACondition with the base class for IKE and IPsec
   actions.  Although
   filter specifications (FilterList) that make up the class is concrete, it MUST not be
   instantiated.  It is used for aggregating different types of actions
   to IKE and IPsec rules. condition.  The
   class definition for SAAction FilterOfSACondition is as follows:

   NAME         SAAction         FilterOfSACondition
   DESCRIPTION  The base class for IKE and IPsec actions.  Associates a condition with the filter list that make
                up the individual condition elements.
   DERIVED FROM PolicyAction Dependency (see [PCIM]) Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   PolicyActionName (from PolicyAction)
                DoActionLogging
                DoPacketLogging

6.1.1.   Antecedent [ref FilterList[1..1]]
                Dependent [ref SACondition[0..n]]

5.6.1. The Property DoActionLogging Reference Antecedent

   The property DoActionLogging specifies whether a log message Antecedent is inherited from Dependency and is
   overridden to
   be generated when the action is performed (even if the action
   fails).  The property is defined as follows:

   NAME         DoActionLogging
   DESCRIPTION  Specifies the whether refer to log when the action is
                performed.
   SYNTAX       boolean
   VALUE        true - a log message is to FilterList instance.  The [1..1]
   cardinality indicates that an SACondition instance MUST be generated when action
   associated with one and only one FilterList instance.

5.6.2. The Reference Dependent

   The property Dependent is
                performed.
                false - no log message inherited from Dependency and is
   overridden to refer to an SACondition instance.  The [0..n]
   cardinality indicates that a FilterList instance may be generated when action
                is performed.

6.1.2. associated
   with zero or more SAConditions instance.

5.7. The Property DoPacketLogging Association Class AcceptCredentialFrom

   The property DoPacketLogging class AcceptCredentialFrom specifies whether which credential management
   services (e.g., a log message is CertificateAuthority or a Kerberos service) are to
   be generated when the resulting security association trusted to certify peer credentials.  This is used to
   process the packet.  If validate
   that the action successfully executes and results credential being matched in the creation of one or several security associations, the value
   of DoPacketLogging SHOULD be propagated to CredentialFilterEntry is a
   valid credential that has been supplied by an optional field of
   SADB.  This optional field should be used to decide whether approved
   CredentialManagementService.  If a log
   message is to be generated when the SA CredentialManagementService is used to process
   specified and a packet.
   The property corresponding CredentialFilterEntry is defined as follows:

   NAME         DoPacketLogging
   DESCRIPTION  Specifies used, but the whether to log when
   credential supplied by the resulting
                security association peer is used to process not certified by that
   CredentialManagementService (or one of the packet.
   SYNTAX       boolean
   VALUE        true - a log message is to be generated when
   CredentialManagementServices in its trust hierarchy), the
                resulting security association
   CredentialFilterEntry is used deemed not to process match.  If a credential is
   certified by a CredentialManagementService in the
                packet.
                false -
   AcceptCredentialsFrom list of services but there is no log message
   CredentialFilterEntry, this is considered equivalent to be generated.

6.2. The Class SAStaticAction

   The class SAStaticAction serves as the base class for IKE and IPsec
   actions a
   CredentialFilterEntry that do not require any negotiation.  Although the class is
   concrete, it MUST not be instantiated. matches all credentials from those
   services.

   The class definition for
   SAStaticAction AcceptCredentialFrom is as follows:

   NAME         SAStaticAction         AcceptCredentialFrom
   DESCRIPTION  The base class for IKE and IPsec actions that do not
                require any negotiation.  Associates a condition with the credential management
                services to be trusted.
   DERIVED FROM SAAction Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   LifetimeSeconds

6.2.1.   Antecedent [ref CredentialManagementService[0..n]]
                Dependent [ref SACondition[0..n]]

5.7.1. The Property LifetimeSeconds Reference Antecedent

   The property LifetimeSeconds specifies how long the security
   association derived Antecedent is inherited from this action should Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an SACondition instance may be used.
   associated with zero or more CredentialManagementServices instance.

5.7.2. The Reference Dependent

   The property Dependent is defined as follows:

   NAME         LifetimeSeconds
   DESCRIPTION  Specifies the amount of time (in seconds) that a
                security association derived inherited from this action should be
                used.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero Dependency and is
   overridden to refer to an SACondition instance.  The [0..n]
   cardinality indicates that there is not a lifetime CredentialManagementService instance
   may be associated with this zero or more SAConditions instance.

6. Action Classes

   The action (i.e., infinite lifetime).
                A non-zero value is typically classes are used in conjunction with
                alternate SAActions performed to model the different actions an IPsec
   device may take when there is a
                negotiation failure the evaluation of some sort.

6.3. the associated condition
   results in a match.

                                +----------+
                                | SAAction |
                                +----------+
                                     ^
                                     |
                         +-----------+--------------+
                         |                          |
                *+----------------+      +---------------------+*
                 | SAStaticAction |      | SANegotiationAction |o-----+
                 +----------------+      +---------------------+      |
                               ^                     ^                |
                               |                     |                |
                               |         +-----------+-------+        |
                               |         |                   |        |
       +-------------------+   |   +-------------+     +-----------+  |
       | IPsecBypassAction |---+   | IPsecAction |     | IKEAction |  |
       +-------------------+   |   +-------------+     +-----------+  |
                               |       ^                              |
      +--------------------+   |       |    +----------------------+  |
      | IPsecDiscardAction |---+       +----| IPsecTransportAction |  |
      +--------------------+   |       |    +----------------------+  |
                               |       |                              |
         +-----------------+   |       |    +-------------------+     |
         | IKERejectAction |---+       +----| IPsecTunnelAction |     |
         +-----------------+   |            +-------------------+     |
                               |                     *|               |
                               |       +--------------+               |
                               |       |                              |
   +-----------------------+   |       |       +--------------+n      |
   | PreconfiguredSAAction |---+       |(a)    | [SAProposal] |-------+
   +-----------------------+           |       +--------------+   (b)
      *|    ^                          |
       |    |                          |      *+-------------+
       |    |                          +-------| PeerGateway |
       |    |                                  +-------------+
       |    |  +-----------------------------+   |0..1  *w|
       |    +--| PreconfiguredTransportAction|   |        |(c)
       |    |  +-----------------------------+   |       1|
       |    |                                    |  +--------------+
       |    |  +---------------------------+ *   |  |    System    |
       |    +--| PreconfiguredTunnelAction |-----+  | (Appendix A) |
       |       +---------------------------+  (e)   +--------------+
       |
       |   2..6+---------------+
       +-------| [SATransform] |
         (d)   +---------------+
   (a)  PeerGatewayForTunnel
   (b)  ContainedProposal
   (c)  HostedPeerGatewayInformation
   (d)  TransformOfPreconfiguredAction
   (e)  PeerGatewayForPreconfiguredTunnel

6.1. The Class IPsecBypassAction SAAction

   The class IPsecBypassAction is used when packets are allowed to be
   processed without applying IPsec encapsulation to them.  This is the
   same SAAction serves as stating that packets are allowed to flow in the clear.  The base class definition for IPsecBypassAction is as follows:

   NAME         IPsecBypassAction
   DESCRIPTION  Specifies that packets are to be allowed to pass in IKE and IPsec
   actions.  Although the
                clear.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE

6.4. The Class IPsecDiscardAction
   The class IPsecDiscardAction is used when packets are to concrete, it MUST not be
   discarded.  This
   instantiated.  It is the same as stating that packets are used for aggregating different types of actions
   to be
   denied. IKE and IPsec rules.  The class definition for IPsecDiscardAction SAAction is as
   follows:

   NAME         IPsecDiscardAction         SAAction
   DESCRIPTION  Specifies that packets are to be discarded.  The base class for IKE and IPsec actions.
   DERIVED FROM SAStaticAction PolicyAction (see [PCIM])
   ABSTRACT     FALSE

6.5.
   PROPERTIES   PolicyActionName (from PolicyAction)
                DoActionLogging
                DoPacketLogging

6.1.1. The Class IKERejectAction Property DoActionLogging

   The class IKERejectAction property DoActionLogging specifies whether a log message is used to prevent attempting an IKE
   negotiation
   be generated when the action is performed.  This applies for
   SANegotiationActions with the peer(s).  The main use meaning of this class logging a message when the
   negotiation is to
   prevent some denial attempted (with the success or failure result). This
   also applies for SAStaticAction only for PreconfiguredSAAction with
   the meaning of service attacks when acting as IKE responder.
   It goes beyond logging a plain discard of UDP/500 IKE packets because message when the
   SACondition can be based on specific PeerIDPayloadFilterEntry (when
   aggressive mode preconfigured SA is used).
   actually installed in the SADB. The class definition for IKERejectAction property is defined as follows:

   NAME         IKERejectAction         DoActionLogging
   DESCRIPTION  Specifies that an IKE negotiation should not even be
                attempted or continued.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE

6.6. The Class PreconfiguredSAAction

   The class PreconfiguredSAAction is used the whether to create a security
   association using preconfigured, hard-wired algorithms and keys.

   Notes:

   - log when the SPI for a PreconfiguredSAAction action is contained in the
     association, TransformOfPreconfiguredAction;
                performed.
   SYNTAX       boolean
   VALUE        true - the session key (if applicable) a log message is contained in an instance of the
     class SharedSecret (see appendix B). to be generated when action is
                performed.
                false - no log message is to be generated when action
                is performed.

6.1.2. The session key Property DoPacketLogging

   The property DoPacketLogging specifies whether a log message is stored in to
   be generated when the property secret, resulting security association is used to
   process the property protocol contains either "ESP" packet.  If the SANegotiationAction successfully
   executes and results in the creation of one or "AH", several security
   associations or if the property algorithm contains PreconfiguredSAAction executes, the algorithm value of
   DoPacketLogging SHOULD be propagated to an optional field of SADB.
   This optional field should be used to
     protect the secret (can decide whether a log message
   is to be "PLAINTEXT" if generated when the IPsec entity has no
     secret storage), SA is used to process a packet.  For
   SAStaticActions, a log message is to be generated when the value of
   IPsecBypassAction, IPsecDiscardAction, IKERejectAction are executed.
   The property RemoteID is defined as follows:

   NAME         DoPacketLogging
   DESCRIPTION  Specifies the
     concatenation of whether to log when the remote IPsec peer IP address in dotted
     decimal, of resulting
                security association is used to process the character "/", and of packet.
   SYNTAX       boolean
   VALUE        true - a log message is to be generated when the hexadecimal
     representation of
                resulting security association is used to process the SPI.
                packet.
                false - no log message is to be generated.

6.2. The Class SAStaticAction

   The class SAStaticAction serves as the base class for IKE and IPsec
   actions that do not require any negotiation.  Although the class is
   concrete, it MUST not be instantiated.  The class definition for PreconfiguredSAAction
   SAStaticAction is as follows:

   NAME         PreconfiguredSAAction         SAStaticAction
   DESCRIPTION  Specifies preconfigured algorithm and keying
                information  The base class for creation of a security association. IKE and IPsec actions that do not
                require any negotiation.
   DERIVED FROM SAStaticAction SAAction
   ABSTRACT     FALSE
   PROPERTIES   LifetimeKilobytes

6.6.1.   LifetimeSeconds

6.2.1. The Property LifetimeKilobytes LifetimeSeconds

   The property LifetimeKilobytes LifetimeSeconds specifies a traffic limit in
   kilobytes that can be consumed before how long the SA is deleted.. security
   association derived from this action should be used.  The property
   is defined as follows:

   NAME         LifetimeKilobytes         LifetimeSeconds
   DESCRIPTION  Specifies the SA lifetime in kilobytes. amount of time (in seconds) that a
                security association derived from this action should be
                used.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is not a lifetime
                associated with this action (i.e., infinite lifetime).
                A non-zero value is typically used in conjunction with
                alternate SAActions performed when there is a
                negotiation failure of some sort.

   Note: if the referenced SAStaticAction object is a
   PreconfiguredSAAction associated to indicate that after this
                amount several SATransforms, then the
   actual lifetime of kilobytes has been consumed the preconfigured SA must will be
                deleted from the SADB.

6.7. smallest of the
   value of this LifetimeSeconds property and of the value of the
   MaxLifetimeSeconds property of the associated SATransform. Except if
   the value of this LifetimeSeconds property is zero, then there will
   be no lifetime associated to this SA.

   It is expected that most SAStaticAction instances will have their
   LifetimeSeconds properties set to zero (meaning no expiration of the
   resulting SA).

6.3. The Class PreconfiguredTransportAction IPsecBypassAction

   The class PreconfiguredTransportAction IPsecBypassAction is used when packets are allowed to create an be
   processed without applying IPsec
   transport-mode security association using preconfigured, hard-wired
   algorithms and keys. encapsulation to them.  This is the
   same as stating that packets are allowed to flow in the clear.  The
   class definition for
   PreconfiguredTransportAction IPsecBypassAction is as follows:

   NAME         PreconfiguredTransportAction         IPsecBypassAction
   DESCRIPTION  Specifies preconfigured algorithm and keying
                information for creation of an IPsec transport security
                association. that packets are to be allowed to pass in the
                clear.
   DERIVED FROM PreconfiguredSAAction SAStaticAction
   ABSTRACT     FALSE

6.8.

6.4. The Class PreconfiguredTunnelAction IPsecDiscardAction

   The class PreconfiguredTunnelAction IPsecDiscardAction is used when packets are to create an IPsec
   tunnel-mode security association using preconfigured, hard-wired
   algorithms and keys. be
   discarded.  This is the same as stating that packets are to be
   denied.  The class definition for PreconfiguredSAAction IPsecDiscardAction is as follows:

   NAME         PreconfiguredTunnelAction         IPsecDiscardAction
   DESCRIPTION  Specifies preconfigured algorithm and keying
                information for creation of an IPsec tunnel-mode
                security association. that packets are to be discarded.
   DERIVED FROM PreconfiguredSAAction SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   PeerGatewayAddressType
                PeerGatewayAddress
                DFHandling

6.8.1.

6.5. The Property PeerGatewayAddressType Class IKERejectAction

   The property PeerGatewayAddressType specifies class IKERejectAction is used to prevent attempting an IKE
   negotiation with the format peer(s).  The main use of this class is to
   prevent some denial of service attacks when acting as IKE responder.
   It goes beyond a plain discard of UDP/500 IKE packets because the
   PeerGatewayAddress property.  Addresses that
   SACondition can be formatted in
   IPv4 format, must be formatted that way to ensure mixed IPv4/IPv6
   support.  When the tunnel peer is not a security gateway, this
   property value based on specific PeerIDPayloadFilterEntry (when
   aggressive mode is set to 0. used).  The property class definition for IKERejectAction
   is defined as follows:

   NAME         PeerGatewayAddressType         IKERejectAction
   DESCRIPTION  Specifies the format of PeerGatewayAddress.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - unknown
                1 - IPv4
                2 - IPv6

6.8.2. that an IKE negotiation should not even be
                attempted or continued.
   DERIVED FROM SAStaticAction
   ABSTRACT     FALSE

6.6. The Property PeerGatewayAddress Class PreconfiguredSAAction

   The property PeerGatewayAddress specifies the IP address of the
   tunnel peer security gateway formatted according to the appropriate
   convention as defined in the PeerGatewayAddressType property of this class (e.g., 171.79.6.40).  When the tunnel peer PreconfiguredSAAction is not used to create a security
   gateway, this property value is set to NULL.  The property
   association using preconfigured, hard-wired algorithms and keys.

   Notes:

   -    the SPI for a PreconfiguredSAAction is
   defined as follows:

   NAME         PeerGatewayAddress
   DESCRIPTION  Specifies contained in the IP address of
     association, TransformOfPreconfiguredAction;
   -    the tunnel peer.
   SYNTAX       string
   VALUE        When the value is NULL, this session key (if applicable) is a special meaning: the
                IP address contained in an instance of the actual remote IKE entity
     class SharedSecret (see appendix B). The session key is stored in
     the
                destination IP address of the IP packet that triggered
                the SARule.  Else, property secret, the value is a string representation
                of an IPv4 or IPv6 address.

6.8.3. The Property DFHandling

   The property DFHandling specifies how protocol contains either "ESP-
     encrypt, ESP-auth" or "AH", the Don't Fragment bit of property algorithm contains the
   internal IP header is
     algorithm used to protect the secret (can be handled during "PLAINTEXT" if the
     IPsec processing.  The entity has no secret storage), the value of property
     RemoteID is defined as follows:

   NAME         DFHandling
   DESCRIPTION  Specifies the processing concatenation of the DF bit.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - Copy the DF bit from the internal IP header to the
                external remote IPsec peer IP header.
                2 - Set the DF bit address
     in dotted decimal, of the external IP header to 1.
                3 - Clear character "/", of IN (resp. OUT) for
     inbound SA (resp. outbound SA), of the DF bit character / and of the external IP header to 0.

6.9. The Class SANegotiationAction

   The class SANegotiationAction serves as
     hexadecimal representation of the base class for IKE and
   IPsec actions that result in a IKE negotiation. SPI.

   Although the class is concrete, is it MUST not be instantiated.  The
   class definition for
   SANegotiationAction PreconfiguredSAAction is as follows:

   NAME         SANegotiationAction         PreconfiguredSAAction
   DESCRIPTION  A base class for IKE  Specifies preconfigured algorithm and IPsec actions that specifies
                the parameters that are common keying
                information for IKE phase 1 and IKE
                phase 2 IPsec DOI negotiations. creation of a security association.
   DERIVED FROM SAAction SAStaticAction
   ABSTRACT     FALSE
   PROPERTIES   MinLifetimeSeconds
                MinLifetimeKilobytes
                RefreshThresholdSeconds
                RefreshThresholdKilobytes
                IdleDurationSeconds

6.9.1.   LifetimeKilobytes

6.6.1. The Property MinLifetimeSeconds LifetimeKilobytes

   The property MinLifetimeSeconds LifetimeKilobytes specifies the minimum seconds
   lifetime a traffic limit in
   kilobytes that will can be accepted from consumed before the peer.  MinLifetimeSeconds SA is
   used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations. deleted..  The
   property is defined as follows:

   NAME         MinLifetimeSeconds         LifetimeKilobytes
   DESCRIPTION  Specifies the minimum acceptable seconds lifetime. SA lifetime in kilobytes.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no minimum
                value. not a lifetime
                associated with this action (i.e., infinite lifetime).
                A non-zero value specifies the minimum seconds
                lifetime.

6.9.2. The Property MinLifetimeKilobytes

   The property MinLifetimeKilobytes specifies the minimum kilobytes
   lifetime that will be accepted from the peer.  MinLifetimeKilobytes is used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  Note indicate that
   there after this
                amount of kilobytes has been considerable debate regarding consumed the usefulness SA must be
                deleted from the SADB.

   Note: the actual lifetime of
   applying kilobyte lifetimes to IKE phase 1 security associations, so
   it is likely that this property the preconfigured SA will only apply to be the sub-class
   IPsecAction.  The property is defined as follows:

   NAME         MinLifetimeKilobytes
   DESCRIPTION  Specifies
   smallest of the minimum acceptable kilobytes lifetime.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no minimum
                value.  A non-zero this LifetimeKilobytes property and of the
   value specifies of the minimum
                kilobytes lifetime.

6.9.3. The Property RefreshThresholdSeconds

   The MaxLifetimeSeconds property RefreshThresholdSeconds specifies what percentage of the seconds lifetime can expire before IKE should attempt to
   renegotiate associated
   SATransform. Except if the security association.  A random value may be added
   to the calculated threshold (percentage x seconds lifetime) to
   reduce the chance of both peers attempting to renegotiate at the
   same time.  The this LifetimeKilobytes property
   is defined as zero, then there will be no lifetime associated with this action.

   It is expected that most PreconfiguredSAAction instances will have
   their LifetimeKilobyte properties set to zero (meaning no expiration
   of the resulting SA).

6.7. The Class PreconfiguredTransportAction

   The class PreconfiguredTransportAction is used to create an IPsec
   transport-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for
   PreconfiguredTransportAction is as follows:

   NAME         RefreshThresholdSeconds         PreconfiguredTransportAction
   DESCRIPTION  Specifies the percentage preconfigured algorithm and keying
                information for creation of seconds lifetime that has
                expired before the an IPsec transport security
                association.
   DERIVED FROM PreconfiguredSAAction
   ABSTRACT     FALSE

6.8. The Class PreconfiguredTunnelAction

   The class PreconfiguredTunnelAction is used to create an IPsec
   tunnel-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for PreconfiguredSAAction
   is
                renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 as follows:

   NAME         PreconfiguredTunnelAction
   DESCRIPTION  Specifies preconfigured algorithm and 100 representing a percentage.  A
                value keying
                information for creation of 100 indicates that the an IPsec tunnel-mode
                security association
                should not be renegotiated until the seconds lifetime
                has been reached.

6.9.4. association.
   DERIVED FROM PreconfiguredSAAction
   ABSTRACT     FALSE
   PROPERTIES   DFHandling

6.8.1. The Property RefreshThresholdKilobytes DFHandling

   The property RefreshThresholdKilobytes DFHandling specifies what percentage of
   the kilobyte lifetime can expire before IKE should attempt to
   renegotiate the IPsec security association.  A random value may be
   added to the calculated threshold (percentage x kilobyte lifetime)
   to reduce how the chance Don't Fragment bit of both peers attempting to renegotiate at the
   same time.  Note, that as with the property MinLifetimeKilobytes,
   this property
   internal IP header is probably only relevant to IPsecAction sub-classes. be handled during IPsec processing.  The
   property is defined as follows:

   NAME         RefreshThresholdKilobytes         DFHandling
   DESCRIPTION  Specifies the percentage processing of kilobyte lifetime that has
                expired before the IPsec security association is
                renegotiated.
   SYNTAX DF bit.
   SYNTAX       unsigned 8-bit 16-bit integer
   VALUE        A value between        1 and 100 representing a percentage.  A
                value of 100 indicates that  Copy the IPsec security
                association should not be renegotiated until DF bit from the
                kilobyte lifetime has been reached.

6.9.5. The Property IdleDurationSeconds

   The property IdleDurationSeconds specifies how many seconds a
   security association may remain idle (i.e., no traffic protected
   using internal IP header to the security association) before it is deleted.  The property
   is defined as follows:

   NAME         IdleDurationSeconds
   DESCRIPTION  Specifies how long, in seconds, a security association
                may remain unused before it is deleted.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that idle detection should
                not be used for
                external IP header.
                2  Set the security association (only DF bit of the
                seconds and kilobyte lifetimes will be used).  Any non-
                zero value indicates external IP header to 1.
                3  Clear the number DF bit of seconds the security
                association may remain unused.

6.10. external IP header to 0.

6.9. The Class IPsecAction SANegotiationAction

   The class IPsecAction SANegotiationAction serves as the base class for IPsec transport
   and tunnel actions.  It specifies the parameters used for an IKE
   phase 2 and
   IPsec DOI actions that result in a IKE negotiation.  Although the class
   is concrete, is MUST not be instantiated.  The class definition for IPsecAction
   SANegotiationAction is as follows:

   NAME         IPsecAction         SANegotiationAction
   DESCRIPTION  A base class for IPsec transport IKE and tunnel IPsec actions that specifies
                the parameters that are common for IKE phase 1 and IKE
                phase 2 IPsec DOI negotiations.
   DERIVED FROM SANegotiationAction SAAction
   ABSTRACT     FALSE
   PROPERTIES   UsePFS
                UseIKEGroup
                GroupId
                Granularity
                VendorID

6.10.1.   MinLifetimeSeconds
                MinLifetimeKilobytes
                RefreshThresholdSeconds
                RefreshThresholdKilobytes
                IdleDurationSeconds

6.9.1. The Property UsePFS MinLifetimeSeconds

   The property UsePFS MinLifetimeSeconds specifies whether or not perfect forward secrecy
   should the minimum seconds
   lifetime that will be used when refreshing keys.  The property is defined as
   follows:

   NAME         UsePFS
   DESCRIPTION  Specifies accepted from the whether or not peer.  MinLifetimeSeconds is
   used to use PFS when refreshing
                keys. prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  The
   property is defined as follows:

   NAME         MinLifetimeSeconds
   DESCRIPTION  Specifies the minimum acceptable seconds lifetime.
   SYNTAX       boolean       unsigned 32-bit integer
   VALUE        A value of true zero indicates that PFS should be used. there is no minimum
                value.  A non-zero value of false indicates that PFS should not be used.

6.10.2. specifies the minimum seconds
                lifetime.

6.9.2. The Property UseIKEGroup MinLifetimeKilobytes

   The property UseIKEGroup MinLifetimeKilobytes specifies whether or not phase 2 should use the same key exchange group as was minimum kilobytes
   lifetime that will be accepted from the peer.  MinLifetimeKilobytes
   is used in to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  Note that
   there has been considerable debate regarding the usefulness of
   applying kilobyte lifetimes to IKE phase 1.  UseIKEGroup is
   ignored if UsePFS 1 security associations, so
   it is false. likely that this property will only apply to the sub-class
   IPsecAction.  The property is defined as follows:

   NAME         UseIKEGroup         MinLifetimeKilobytes
   DESCRIPTION  Specifies whether or not to use the same GroupId for
                phase 2 as was used in phase 1.  If UsePFS is false,
                then UseIKEGroup is ignored. minimum acceptable kilobytes lifetime.
   SYNTAX       boolean       unsigned 32-bit integer
   VALUE        A value of true zero indicates that the phase 2 GroupId
                should be the same as phase 1. there is no minimum
                value.  A non-zero value of false
                indicates that the property GroupId will contain specifies the
                key exchange group to use for phase 2.

6.10.3. minimum
                kilobytes lifetime.

6.9.3. The Property GroupId RefreshThresholdSeconds

   The property GroupId RefreshThresholdSeconds specifies what percentage of
   the key exchange group seconds lifetime can expire before IKE should attempt to use for
   phase 2.  GroupId is ignored if (1) the property UsePFS is false, or
   (2) the property UsePFS is true and the property UseIKEGroup is
   true.  If
   renegotiate the GroupID number is from security association.  A random value may be added
   to the vendor-specific range
   (32768-65535), calculated threshold (percentage x seconds lifetime) to
   reduce the property VendorID qualifies chance of both peers attempting to renegotiate at the group number.
   same time.  The property is defined as follows:

   NAME         GroupId         RefreshThresholdSeconds
   DESCRIPTION  Specifies the key exchange group to use for phase 2
                when the property UsePFS is true and percentage of seconds lifetime that has
                expired before the property
                UseIKEGroup security association is false.
                renegotiated.
   SYNTAX       unsigned 16-bit 8-bit integer
   VALUE        Consult [IKE] for valid values.

6.10.4.        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the security association
                should not be renegotiated until the seconds lifetime
                has been reached.

6.9.4. The Property Granularity RefreshThresholdKilobytes

   The property Granularity RefreshThresholdKilobytes specifies how what percentage of
   the selector for kilobyte lifetime can expire before IKE should attempt to
   renegotiate the IPsec security
   association should association.  A random value may be derived from
   added to the traffic calculated threshold (percentage x kilobyte lifetime)
   to reduce the chance of both peers attempting to renegotiate at the
   same time.  Note, that triggered as with the
   negotiation. property MinLifetimeKilobytes,
   this property is probably only relevant to IPsecAction sub-classes.
   The property is defined as follows:

   NAME         Granularity         RefreshThresholdKilobytes
   DESCRIPTION  Specifies the how the proposed selector for percentage of kilobyte lifetime that has
                expired before the IPsec security association will be created. is
                renegotiated.
   SYNTAX       unsigned 16-bit 8-bit integer
   VALUE        A value between 1 - subnet: the source and destination subnet masks 100 representing a percentage.  A
                value of 100 indicates that the FilterEntry are used.
                2 - address: only the source and destination IP
                addresses of the triggering packet are used.
                3 - protocol: the source and destination IP addresses
                and the IP protocol of the triggering packet are used.
                4 - port: the source and destination IP addresses and
                the IP protocol and the source and destination layer 4
                ports of IPsec security
                association should not be renegotiated until the triggering packet are used.

6.10.5.
                kilobyte lifetime has been reached.

6.9.5. The Property VendorID IdleDurationSeconds

   The property VendorID is used together with IdleDurationSeconds specifies how many seconds a
   security association may remain idle (i.e., no traffic protected
   using the property GroupID
   (when security association) before it is in the vendor-specific range) to identify the key
   exchange group.  VendorID is ignored unless UsePFS is true and
   UseIKEGroup is false and GroupID is in the vendor-specific range
   (32768-65535). deleted.  The property
   is defined as follows:

   NAME         VendorID         IdleDurationSeconds
   DESCRIPTION  Specifies the IKE Vendor ID. how long, in seconds, a security association
                may remain unused before it is deleted.
   SYNTAX       string

6.11.       unsigned 32-bit integer
   VALUE        A value of zero indicates that idle detection should
                not be used for the security association (only the
                seconds and kilobyte lifetimes will be used).  Any non-
                zero value indicates the number of seconds the security
                association may remain unused.

6.10. The Class IPsecTransportAction IPsecAction

   The class IPsecTransportAction is a subclass of IPsecAction that is serves as the base class for IPsec transport
   and tunnel actions.  It specifies the parameters used to specify use of for an IKE
   phase 2 IPsec transport-mode security association. DOI negotiation.  Although the class is concrete, is
   MUST not be instantiated.  The class definition for IPsecTransportAction IPsecAction is
   as follows:

   NAME         IPsecTransportAction         IPsecAction
   DESCRIPTION  Specifies that an  A base class for IPsec transport-mode security
                association should be negotiated. transport and tunnel actions
                that specifies the parameters for IKE phase 2 IPsec DOI
                negotiations.
   DERIVED FROM IPsecAction SANegotiationAction
   ABSTRACT     FALSE

6.12.
   PROPERTIES   UsePFS
                UseIKEGroup
                GroupId
                Granularity
                VendorID

6.10.1. The Class IPsecTunnelAction Property UsePFS

   The class IPsecTunnelAction is a subclass of IPsecAction that is property UsePFS specifies whether or not perfect forward secrecy
   should be used to specify use of an IPsec tunnel-mode security association. when refreshing keys.  The class definition for IPsecTunnelAction property is defined as
   follows:

   NAME         IPsecTunnelAction         UsePFS
   DESCRIPTION  Specifies the whether or not to use PFS when refreshing
                keys.
   SYNTAX       boolean
   VALUE        A value of true indicates that an IPsec tunnel-mode security
                association PFS should be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE
   PROPERTIES   DFHandling

6.12.1. used.  A
                value of false indicates that PFS should not be used.

6.10.2. The Property DFHandling UseIKEGroup

   The property DFHandling UseIKEGroup specifies how the tunnel whether or not phase 2 should manage use
   the
   Don't Fragment (DF) bit. same key exchange group as was used in phase 1.  UseIKEGroup is
   ignored if UsePFS is false.  The property is defined as follows:

   NAME         DFHandling         UseIKEGroup
   DESCRIPTION  Specifies how whether or not to process use the DF bit. same GroupId for
                phase 2 as was used in phase 1.  If UsePFS is false,
                then UseIKEGroup is ignored.
   SYNTAX       unsigned 16-bit integer       boolean
   VALUE        1 - Copy the DF bit from the internal IP header to        A value of true indicates that the
                external IP header. phase 2 - Set the DF bit of GroupId
                should be the external IP header to same as phase 1.
                3 - Clear the DF bit  A value of false
                indicates that the external IP header property GroupId will contain the
                key exchange group to 0.

6.13. use for phase 2.

6.10.3. The Class IKEAction Property GroupId

   The class IKEAction property GroupId specifies the parameters that are key exchange group to be used use for
   IKE
   phase 1 negotiation.  The class definition for IKEAction 2.  GroupId is as
   follows:

   NAME         IKEAction
   DESCRIPTION  Specifies ignored if (1) the IKE phase 1 negotiation parameters.
   DERIVED FROM SANegotiationAction
   ABSTRACT     FALSE
   PROPERTIES   RefreshThresholdDerivedKeys
                ExchangeMode
                UseIKEIdentityType
                VendorID
                AggressiveModeGroupId

6.13.1. The Property RefreshThresholdDerivedKeys

   The property RefreshThresholdDerivedKeys specifies what percentage
   of UsePFS is false, or
   (2) the derived key limit (see property UsePFS is true and the LifetimeDerivedKeys property of
   IKEProposal) can expire before IKE should attempt to renegotiate UseIKEGroup is
   true.  If the
   IKE phase 1 security association.  A random value may be added to GroupID number is from the calculated threshold (percentage x derived key limit) to reduce vendor-specific range
   (32768-65535), the chance of both peers attempting to renegotiate at property VendorID qualifies the same time. group number.
   The property is defined as follows:

   NAME         RefreshThresholdKilobytes         GroupId
   DESCRIPTION  Specifies the percentage of derived key limit that has
                expired before the IKE exchange group to use for phase 1 security association 2
                when the property UsePFS is
                renegotiated. true and the property
                UseIKEGroup is false.

   SYNTAX       unsigned 8-bit 16-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IKE phase 1 security
                association should not be renegotiated until the
                derived key limit has been reached.

6.13.2.        Consult [IKE] for valid values.

6.10.4. The Property ExchangeMode Granularity

   The property ExchangeMode Granularity specifies which IKE mode how the selector for the security
   association should be used
   for IKE phase 1 negotiations. derived from the traffic that triggered the
   negotiation.  The property is defined as follows:

   NAME         ExchangeMode         Granularity
   DESCRIPTION  Specifies the IKE negotiation mode how the proposed selector for phase 1. the
                security association will be created.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - base mode  subnet: the source and destination subnet masks of
                the filter entry are used.
                2 - main mode  address: only the source and destination IP
                addresses of the triggering packet are used.
                3  protocol: the source and destination IP addresses
                and the IP protocol of the triggering packet are used.
                4 - aggressive mode

6.13.3.  port: the source and destination IP addresses and
                the IP protocol and the source and destination layer 4
                ports of the triggering packet are used.

6.10.5. The Property UseIKEIdentityType VendorID

   The property UseIKEIdentityType specifies what IKE identity type
   should be VendorID is used when negotiating together with the peer.  This information property GroupID
   (when it is
   used in conjunction with the IKE identities available on vendor-specific range) to identify the system key
   exchange group.  VendorID is ignored unless UsePFS is true and
   UseIKEGroup is false and GroupID is in the IdentityContexts of the matching IKERule. vendor-specific range
   (32768-65535).  The property is defined as follows:

   NAME         UseIKEIdentityType         VendorID
   DESCRIPTION  Specifies the IKE identity to use during negotiation. Vendor ID.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

6.13.4.       string

6.11. The Property VendorID Class IPsecTransportAction

   The property VendorID specifies the value to be class IPsecTransportAction is a subclass of IPsecAction that is
   used in the Vendor
   ID payload. to specify use of an IPsec transport-mode security association.
   The property class definition for IPsecTransportAction is defined as follows:

   NAME         VendorID         IPsecTransportAction
   DESCRIPTION  Vendor ID Payload.
   SYNTAX       string
   VALUE        A value of NULL means  Specifies that Vendor ID payload will an IPsec transport-mode security
                association should be
                neither generated nor accepted. A non-NULL value means
                that negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE

6.12. The Class IPsecTunnelAction

   The class IPsecTunnelAction is a Vendor ID payload will be generated (when acting
                as subclass of IPsecAction that is
   used to specify use of an initiator) or IPsec tunnel-mode security association.
   The class definition for IPsecTunnelAction is expected (when acting as a
                responder).

6.13.5. follows:

   NAME         IPsecTunnelAction
   DESCRIPTION  Specifies that an IPsec tunnel-mode security
                association should be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE
   PROPERTIES   DFHandling

6.12.1. The Property AggressiveModeGroupId DFHandling

   The property AggressiveModeGroupId DFHandling specifies which group ID is to be
   used in the first packets of the phase 1 negotiation.  This property
   is ignored unless the property ExchangeMode is set to 4 (aggressive
   mode). If the AggressiveModeGroupID number is from the vendor-
   specific range (32768-65535), how the property VendorID qualifies tunnel should manage the
   group number.
   Don't Fragment (DF) bit.  The property is defined as follows:

   NAME         AggressiveModeGroupId         DFHandling
   DESCRIPTION  Specifies the group ID how to be used for aggressive mode. process the DF bit.
   SYNTAX       unsigned 16-bit integer

6.14.
   VALUE        1  Copy the DF bit from the internal IP header to the
                external IP header.
                2  Set the DF bit of the external IP header to 1.
                3  Clear the DF bit of the external IP header to 0.

6.13. The Class PeerGateway IKEAction

   The class PeerGateway IKEAction specifies the security gateway with which the parameters that are to be used for
   IKE services negotiates. phase 1 negotiation.  The class definition for PeerGateway IKEAction is as
   follows:

   NAME         PeerGateway         IKEAction
   DESCRIPTION  Specifies the security gateway with which to negotiate. IKE phase 1 negotiation parameters.
   DERIVED FROM LogicalElement (see Appendix A) SANegotiationAction
   ABSTRACT     FALSE
   PROPERTIES   Name
                PeerIdentityType
                PeerIdentity

6.14.1. The Property Name

   The property Name   RefreshThresholdDerivedKeys
                ExchangeMode
                UseIKEIdentityType
                VendorID
                AggressiveModeGroupId

6.13.1. The Property RefreshThresholdDerivedKeys

   The property RefreshThresholdDerivedKeys specifies a user-friendly name for this what percentage
   of the derived key limit (see the LifetimeDerivedKeys property of
   IKEProposal) can expire before IKE should attempt to renegotiate the
   IKE phase 1 security
   gateway. association.  A random value may be added to
   the calculated threshold (percentage x derived key limit) to reduce
   the chance of both peers attempting to renegotiate at the same time.
   The property is defined as follows:

   NAME         Name         RefreshThresholdKilobytes
   DESCRIPTION  Specifies a user-friendly name for this the percentage of derived key limit that has
                expired before the IKE phase 1 security
                gateway. association is
                renegotiated.
   SYNTAX       string

6.14.2.       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage.  A
                value of 100 indicates that the IKE phase 1 security
                association should not be renegotiated until the
                derived key limit has been reached.

6.13.2. The Property PeerIdentityType ExchangeMode

   The property PeerIdentityType ExchangeMode specifies which IKE mode should be used
   for IKE phase 1 negotiations.  The property is defined as follows:

   NAME         ExchangeMode
   DESCRIPTION  Specifies the IKE negotiation mode for phase 1.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - base mode
                2 - main mode
                4 - aggressive mode

6.13.3. The Property UseIKEIdentityType

   The property UseIKEIdentityType specifies what IKE identity type
   should be used when negotiating with the peer.  This information is
   used in conjunction with the IKE identities available on the system
   and the IdentityContexts of the
   security gateway. matching IKERule.  The property is
   defined as follows:

   NAME         PeerIdentityType         UseIKEIdentityType
   DESCRIPTION  Specifies the IKE identity type of the security
                gateway. to use during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

6.14.3.

6.13.4. The Property PeerIdentity VendorID

   The property PeerIdentity VendorID specifies the IKE identity value of the
   security gateway.  A conversion may to be needed between used in the
   PeerIdentity Vendor
   ID payload.  The property is defined as follows:

   NAME         VendorID
   DESCRIPTION  Vendor ID Payload.
   SYNTAX       string representation and the real
   VALUE        A value used in the of NULL means that Vendor ID payload (e.g. IP address will be
                neither generated nor accepted. A non-NULL value means
                that a Vendor ID payload will be generated (when acting
                as an initiator) or is expected (when acting as a
                responder).

6.13.5. The Property AggressiveModeGroupId
   The property AggressiveModeGroupId specifies which group ID is to be converted from a dotted decimal
   string into
   used in the first packets of the phase 1 negotiation.  This property
   is ignored unless the property ExchangeMode is set to 4 bytes). (aggressive
   mode). If the AggressiveModeGroupID number is from the vendor-
   specific range (32768-65535), the property VendorID qualifies the
   group number.  The property is defined as follows:

   NAME         PeerIdentity         AggressiveModeGroupId
   DESCRIPTION  Specifies the IKE identity value of the security
                gateway. group ID to be used for aggressive mode.
   SYNTAX       string

6.15.       unsigned 16-bit integer

6.14. The Association Class PeerGatewayForTunnel PeerGateway

   The class PeerGatewayForTunnel associates IPsecTunnelActions PeerGateway specifies the security gateway with an
   ordered list of PeerGateways. which the
   IKE services negotiates.  The class definition for
   PeerGatewayForTunnel PeerGateway is as
   follows:

   NAME         PeerGatewayForTunnel         PeerGateway
   DESCRIPTION  Associates IPsecTunnelActions  Specifies the security gateway with an ordered list of
                PeerGateways. which to negotiate.
   DERIVED FROM Dependency LogicalElement (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                Dependent [ref IPsecTunnelAction[0..n]]
                SequenceNumber

6.15.1.   Name
                PeerIdentityType
                PeerIdentity

6.14.1. The Reference Antecedent Property Name

   The property Antecedent is inherited from Dependency and is
   overridden to refer to Name specifies a PeerGateway instance. user-friendly name for this security
   gateway.  The [0..n]
   cardinality indicates that there an IPsecTunnelAction instance may
   be associated with zero or more PeerGateway instances.

   Note: when there property is no PeerGateway associated to an
   IPsecTunnelAction, this means that the IKE service acts defined as follows:

   NAME         Name
   DESCRIPTION  Specifies a
   responder and will accept phase 1 negotiation with any other user-friendly name for this security
                gateway.

6.15.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPsecTunnelAction instance.  The [0..n]
   cardinality indicates that a PeerGateway instance may be associated
   with zero or more IPsecTunnelAction instances.

6.15.3.
   SYNTAX       string

6.14.2. The Property SequenceNumber PeerIdentityType

   The property SequenceNumber PeerIdentityType specifies the ordering to be used when
   evaluating PeerGateway instances for a given IPsecTunnelAction.  . IKE identity type of the
   security gateway.  The property is defined as follows:

   NAME         SequenceNumber         PeerIdentityType
   DESCRIPTION  Specifies the order IKE identity type of evaluation for PeerGateways. the security
                gateway.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower values are evaluated first.

6.16.        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

6.14.3. The Aggregation Class ContainedProposal Property PeerIdentity

   The class ContainedProposal associates an ordered list property PeerIdentity specifies the IKE identity value of
   SAProposals with the SANegotiationAction that aggregates it.  If
   security gateway.  A conversion may be needed between the
   referenced SANegotiationAction object is an IKEAction, then
   PeerIdentity string representation and the
   referenced SAProposal object(s) must be IKEProposal(s).  If real value used in the
   referenced SANegotiationAction object ID
   payload (e.g. IP address is an IPsecTransportAction or
   an IPsecTunnelAction, then the referenced SAProposal object(s) must to be IPsecProposal(s). converted from a dotted decimal
   string into 4 bytes).  The class definition for ContainedProposal property is defined as follows:

   NAME         ContainedProposal         PeerIdentity
   DESCRIPTION  Associates an ordered list of SAProposals  Specifies the IKE identity value of the security
                gateway.
   SYNTAX       string

6.15. The Association Class PeerGatewayForTunnel

   The class PeerGatewayForTunnel associates IPsecTunnelActions with an
                SANegotiationAction.
   ordered list of PeerGateways.  The class definition for
   PeerGatewayForTunnel is as follows:

   NAME         PeerGatewayForTunnel
   DESCRIPTION  Associates IPsecTunnelActions with an ordered list of
                PeerGateways.
   DERIVED FROM PolicyComponent Dependency (see [PCIM]) Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref SANegotiationAction[0..n]]
                PartComponent[ref SAProposal[1..n]]   Antecedent [ref PeerGateway[0..n]]
                Dependent [ref IPsecTunnelAction[0..n]]
                SequenceNumber

6.16.1.

6.15.1. The Reference GroupComponent Antecedent

   The property GroupComponent Antecedent is inherited from PolicyComponent Dependency and is
   overridden to refer to an SANegotiationAction a PeerGateway instance.  The [0..n]
   cardinality indicates that there an SAProposal IPsecTunnelAction instance may
   be associated with zero or more SANegotiationAction PeerGateway instances.

   Note: the cardinality 0 has a specific meaning:

        -         when the IKE service acts as a responder, this means that the
          IKE service will accept phase 1 negotiation with any other
          security gateway;
        -         when the IKE service acts as an initiator, this means that
          the IKE service will use the destination IP address (of the
          IP packets which triggered the SARule) as the IP address of
          the peer IKE entity.

6.16.2.

6.15.2. The Reference PartComponent Dependent
   The property PartComponent Dependent is inherited from PolicyComponent Dependency and is
   overridden to refer to an SAProposal IPsecTunnelAction instance.  The [1..n] [0..n]
   cardinality indicates that an SANegotiationAction a PeerGateway instance MUST may be associated
   with at least one SAProposal instance.

6.16.3. zero or more IPsecTunnelAction instances.

6.15.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference ordering to be used when
   evaluating PeerGateway instances for
   the SAProposals. a given IPsecTunnelAction.  .
   The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order of evaluation for the SAProposals. PeerGateways.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued proposals are preferred over proposals
                with higher values.  For ContainedProposals that
                reference the same SANegotiationAction, SequenceNumber        Lower values must be unique.

6.17. are evaluated first.

6.16. The Association Aggregation Class HostedPeerGatewayInformation ContainedProposal

   The class HostedPeerGatewayInformation weakly ContainedProposal associates a
   PeerGateway an ordered list of
   SAProposals with a System. the SANegotiationAction that aggregates it.  If the
   referenced SANegotiationAction object is an IKEAction, then the
   referenced SAProposal object(s) must be IKEProposal(s).  If the
   referenced SANegotiationAction object is an IPsecTransportAction or
   an IPsecTunnelAction, then the referenced SAProposal object(s) must
   be IPsecProposal(s).  The class definition for
   HostedPeerGatewayInformation ContainedProposal is
   as follows:

   NAME         HostedPeerGatewayInformation         ContainedProposal
   DESCRIPTION  Weakly associates a PeerGateway  Associates an ordered list of SAProposals with a System. an
                SANegotiationAction.
   DERIVED FROM Dependency PolicyComponent (see Appendix A) [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref System[1..1]]
                Dependent [ref PeerGateway[0..n] [weak]]

6.17.1.   GroupComponent[ref SANegotiationAction[0..n]]
                PartComponent[ref SAProposal[1..n]]
                SequenceNumber

6.16.1. The Reference Antecedent GroupComponent

        -         The property Antecedent GroupComponent is inherited from Dependency PolicyComponent
          and is overridden to refer to an SANegotiationAction
          instance.  The [0..n] cardinality indicates that an
          SAProposal instance may be associated with zero or more
          SANegotiationAction instances.

6.16.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SAProposal instance.  The [1..n]
   cardinality indicates that an SANegotiationAction instance MUST be
   associated with at least one SAProposal instance.

6.16.3. The Property SequenceNumber
   The property SequenceNumber specifies the order of preference for
   the SAProposals.  The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order for the SAProposals.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued proposals are preferred over proposals
                with higher values.  For ContainedProposals that
                reference the same SANegotiationAction, SequenceNumber
                values must be unique.

6.17. The Association Class HostedPeerGatewayInformation

   The class HostedPeerGatewayInformation weakly associates a
   PeerGateway with a System.  The class definition for
   HostedPeerGatewayInformation is as follows:

   NAME         HostedPeerGatewayInformation
   DESCRIPTION  Weakly associates a PeerGateway with a System.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref System[1..1]]
                Dependent [ref PeerGateway[0..n] [weak]]

6.17.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that a PeerGateway instance MUST be associated with one
   and only one System instance.

6.17.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more PeerGateway instances.

6.18. The Association Class TransformOfPreconfiguredAction

   The class TransformOfPreconfiguredAction associates a
   PreconfiguredSAAction with from one two to three six SATransforms that will be
   applied to the inbound and outbound traffic.  The order of
   application of the SATransforms is implicitly defined in [IPSEC].
   The class definition for TransformOfPreconfiguredAction is as
   follows:

   NAME         TransformOfPreconfiguredAction
   DESCRIPTION  Associates a PreconfiguredSAAction with from one to
                three SATransforms.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref SATransform[1..3]] SATransform[2..6]]
                Dependent[ref PreconfiguredSAAction[0..n]]
                SPI
                Direction

6.18.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an SATransform instance.  The [1..3] [2..6]
   cardinality indicates that an SANegotiationAction instance may be
   associated with from one two to three six SATransform instances.

6.18.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PreconfiguredSAAction instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more PreconfiguredSAAction instances.

6.18.3. The Property SPI

   The property SPI specifies the SPI to be used by the pre-configured
   action for the associated transform.  The property is defined as
   follows:

   NAME         SPI
   DESCRIPTION  Specifies the SPI to be used with the SATransform.
   SYNTAX       unsigned 32-bit integer

7. Proposal and Transform Classes

6.18.4. The proposal and transform classes model Property Direction

   The property Direction specifies whether the proposal settings an
   IPsec device will use during IKE phase SPI property is for
   inbound or for outbound traffic. The property is defined as follows:

   NAME                         Direction
   DESCRIPTION Specifies whether the SA is for inbound or outbound
               traffic.
   SYNTAX      unsigned 8-bit integer
   VALUE       1 and 2 negotiations.  this SA is for inbound traffic
                2  this SA is for outbound traffic

6.19 The Association Class PeerGatewayForPreconfiguredTunnel

   The class PeerGatewayForPreconfiguredTunnel associates one or one
   PeerGateway with multiple PreconfiguredTunnelActions. The class
   definition for PeerGatewayForPreconfiguredTunnel is as follows:

   NAME         PeerGatewayForPreconfiguredTunnel
   DESCRIPTION  Associates a PeerGateway with multiple
                PreconfiguredTunnelAction.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref PeerGateway[0..1]]
                Dependent[ref PreconfiguredTunnelAction[0..n]]

6.19.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an PeerGateway instance.  The [0..1]
   cardinality indicates that an PreconfiguredTunnelAction instance may
   be associated with one PeerGteway instance.

6.19.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PreconfiguredTunnelAction instance.  The
   [0..n] cardinality indicates that an PeerGateway instance may be
   associated with zero or more PreconfiguredSAAction instances.

7. Proposal and Transform Classes

   The proposal and transform classes model the proposal settings an
   IPsec device will use during IKE phase 1 and 2 negotiations.

                             +--------------+*w     1+--------------+
                             | [SAProposal] |--------|   System     |
                             +--------------+  (a)   | (Appendix A) |
                                    ^                +--------------+
                                    |                        |1
                         +----------------------+            |
                         |                      |            |
                  +-------------+       +---------------+    |
                  | IKEProposal |       | IPsecProposal |    |
                  +-------------+       +---------------+    |
                                               *o            |
                                                |(b)         |(c)
                                               n|            |
                                        +---------------+*w  |
                                        | [SATransform] |----+
                                        +---------------+
                                                ^
                                                |
               +--------------------+-----------+---------+
               |                    |                     |
        +-------------+     +--------------+     +----------------+
        | AHTransform |     | ESPTransform |     |IPCOMPTransform |
        +-------------+     +--------------+     +----------------+

   (a)  SAProposalInSystem
   (b)  ContainedTransform
   (c)  SATransformInSystem

7.1. The Abstract Class SAProposal

   The abstract class SAProposal serves as the base class for the IKE
   and IPsec proposal classes.  It specifies the parameters that are
   common to the two proposal types.  The class definition for
   SAProposal is as follows:

   NAME         SAProposal
   DESCRIPTION  Specifies the common proposal parameters for IKE and
                IPsec security association negotiation.
   DERIVED FROM Policy ([PCIM])
   ABSTRACT     TRUE
   PROPERTIES   Name

7.1.1. The Property Name

   The property Name specifies a user-friendly name for the SAProposal.
   The property is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies a user-friendly name for this proposal.
   SYNTAX       string

7.2. The Class IKEProposal

   The class IKEProposal specifies the proposal parameters necessary to
   drive an IKE security association negotiation.  The class definition
   for IKEProposal is as follows:

   NAME         IKEProposal
   DESCRIPTION  Specifies the proposal parameters for IKE security
                association negotiation.
   DERIVED FROM SAProposal
   ABSTRACT     FALSE
   PROPERTIES   LifetimeDerivedKeys
                CipherAlgorithm
                HashAlgorithm
                PRFAlgorithm
                GroupId
                AuthenticationMethod
                MaxLifetimeSeconds
                MaxLifetimeKilobytes
                VendorID

7.2.1. The Property LifetimeDerivedKeys

   The property LifetimeDerivedKeys specifies the number of times that
   a phase 1 key will be used to derive a phase 2 key before the phase
   1 security association needs renegotiated.  Even though this is not
   a parameter that is sent in an IKE proposal, it is included in the
   proposal as the number of keys derived may be a result of the
   strength of the algorithms in the IKE proposal.  The property is
   defined as follows:

   NAME         LifetimeDerivedKeys
   DESCRIPTION  Specifies the number of phase 2 keys that can be
                derived from the phase 1 key.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there is no limit to the
                number of phase 2 keys that may be derived from the
                phase 1 key; instead the seconds and/or kilobytes
                lifetime will dictate the phase 1 rekeying.  A non-zero
                value specifies the number of phase 2 keys that can be
                derived from the phase 1 key.

7.2.2. The Property CipherAlgorithm

   The property CipherAlgorithm specifies the proposed phase 1 security
   association encryption algorithm.  The property is defined as
   follows:

   NAME         CipherAlgorithm
   DESCRIPTION  Specifies the proposed encryption algorithm for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [IKE] for valid values.

7.2.3. The Property HashAlgorithm

   The property HashAlgorithm specifies the proposed phase 1 security
   association hash algorithm.  The property is defined as follows:

   NAME         HashAlgorithm
   DESCRIPTION  Specifies the proposed hash algorithm for the phase 1
                security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [IKE] for valid values.

7.2.4. The Property PRFAlgorithm

   The property PRFAlgorithm specifies the proposed phase 1 security
   association pseudo-random function.  The property is defined as
   follows:

   NAME         PRFAlgorithm
   DESCRIPTION  Specifies the proposed pseudo-random function for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        Currently none defined.

7.2.5. The Property GroupId

   The property GroupId specifies the proposed phase 1 security
   association key exchange group.  This property is ignored for all
   aggressive mode exchanges.  If the GroupID number is from the
   vendor-specific range (32768-65535), the property VendorID qualifies
   the group number.  The property is defined as follows:

   NAME         GroupId
   DESCRIPTION  Specifies the proposed key exchange group for the phase
                1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 -  Not applicable: used for aggressive mode.  Consult
                [IKE] for other valid values.

7.2.6. The Property AuthenticationMethod

   The property AuthenticationMethod specifies the proposed phase 1
   authentication method.  The property is defined as follows:

   NAME         AuthenticationMethod
   DESCRIPTION  Specifies the proposed authentication method for the
                phase 1 security association.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - a special value that indicates that this particular
                proposal should be repeated once for each
                authentication method that corresponds to the
                credentials installed on the machine.  For example, if
                the system has a pre-shared key and a certificate, a
                proposal list could be constructed which includes a
                proposal that specifies pre-shared key and proposals
                for any of the public-key authentication methods.
                Consult [IKE] for valid values.

7.2.7. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum amount of
   time, in seconds, to propose that a security association will remain
   valid after its creation.  The property is defined as follows:

   NAME         MaxLifetimeSeconds
   DESCRIPTION  Specifies the maximum amount of time to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that the default of 8 hours
                be used.  A non-zero value indicates the maximum
                seconds lifetime.

7.2.8. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

   NAME         MaxLifetimeKilobytes
   DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there should be no
                maximum kilobyte lifetime.  A non-zero value specifies
                the desired kilobyte lifetime.

7.2.9. The Property VendorID

   The property VendorID further qualifies the key exchange group.  The
   property is ignored unless the exchange is not in aggressive mode
   and the property GroupID is in the vendor-specific range.  The
   property is defined as follows:

   NAME         VendorID
   DESCRIPTION  Specifies the Vendor ID to further qualify the key
                exchange group.
   SYNTAX       string

7.3. The Class IPsecProposal
   The class IPsecProposal adds no new properties, but inherits
   proposal properties from SAProposal as well as aggregating the
   security association transforms necessary for building an IPsec
   proposal (see the aggregation class ContainedTransform).  The class
   definition for IPsecProposal is as follows:

   NAME         IPsecProposal
   DESCRIPTION  Specifies the proposal parameters for IPsec security
                association negotiation.
   DERIVED FROM SAProposal
   ABSTRACT     FALSE

7.4. The Abstract Class SATransform

   The abstract class SATransform serves as the base class for the
   IPsec transforms that can be used to compose an IPsec proposal or to
   be used as a pre-configured action.  The class definition for
   SATransform is as follows:

   NAME         SATransform
   DESCRIPTION  Base class for the different IPsec transforms.
   ABSTRACT     TRUE
   PROPERTIES   TransformName
                VendorID
                MaxLifetimeSeconds
                MaxLifetimeKilobytes

7.4.1. The Property TransformName

   The property TransformName specifies a user-friendly name for the
   SATransform.  The property is defined as follows:

   NAME         TransformName
   DESCRIPTION  Specifies a user-friendly name for this transform.
   SYNTAX       string

7.4.2. The Property VendorID

   The property VendorID specifies the vendor ID for vendor-defined
   transforms.  The property is defined as follows:

   NAME         VendorID
   DESCRIPTION  Specifies the vendor ID for vendor-defined transforms.
   SYNTAX       string
   VALUE        An empty VendorID string indicates that the transform
                is a standard one.

7.4.3. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the maximum amount of
   time, in seconds, to propose that a security association will remain
   valid after its creation.  The property is defined as follows:

   NAME         MaxLifetimeSeconds
   DESCRIPTION  Specifies the maximum amount of time to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that the default of 8 hours
                be used.  A non-zero value indicates the maximum
                seconds lifetime.

7.4.4. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the maximum kilobyte
   lifetime to propose that a security association will remain valid
   after its creation.  The property is defined as follows:

   NAME         MaxLifetimeKilobytes
   DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a
                security association remain valid.
   SYNTAX       unsigned 32-bit integer
   VALUE        A value of zero indicates that there should be no
                maximum kilobyte lifetime.  A non-zero value specifies
                the desired kilobyte lifetime.

7.5. The Class AHTransform

   The class AHTransform specifies the AH algorithm to propose during
   IPsec security association negotiation.  The class definition for
   AHTransform is as follows:

   NAME         AHTransform
   DESCRIPTION  Specifies the AH algorithm to propose.
   ABSTRACT     FALSE
   PROPERTIES   AHTransformId
                UseReplayPrevention
                ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

   The property AHTransformId specifies the transform ID of the AH
   algorithm to propose.  The property is defined as follows:

   NAME         AHTransformId
   DESCRIPTION  Specifies the transform ID of the AH algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

   NAME         UseReplayPrevention
   DESCRIPTION  Specifies whether to enable replay prevention
                detection.

   SYNTAX       boolean
   VALUE        true - replay prevention detection is enabled.
                false - replay prevention detection is disabled.

7.5.3. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism. The value of this property is meaningless if
   UseReplayPrevention is false. It is assumed that the window size
   will be power of 2.  The property is defined as follows:

   NAME         ReplayPreventionWindowSize
   DESCRIPTION  Specifies the length of the window used by replay
                prevention detection mechanism.
   SYNTAX       unsigned 32-bit integer

7.6. The Class ESPTransform

   The class ESPTransform specifies the ESP algorithms to propose
   during IPsec security association negotiation.  The class definition
   for ESPTransform is as follows:

   NAME         ESPTransform
   DESCRIPTION  Specifies the ESP algorithms to propose.
   ABSTRACT     FALSE
   PROPERTIES   IntegrityTransformId
                CipherTransformId
                CipherKeyLength
                CipherKeyRounds
                UseReplayPrevention
                ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

   The property IntegrityTransformId specifies the transform ID of the
   ESP integrity algorithm to propose.  The property is defined as
   follows:

   NAME         IntegrityTransformId
   DESCRIPTION  Specifies the transform ID of the ESP integrity
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [DOI] for valid values.

7.6.2. The Property CipherTransformId

   The property CipherTransformId specifies the transform ID of the ESP
   encryption algorithm to propose.  The property is defined as
   follows:

   NAME         CipherTransformId
   DESCRIPTION  Specifies the transform ID of the ESP encryption
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

   The property CipherKeyLength specifies, in bits, the key length for
   the ESP encryption algorithm.  For encryption algorithms that use
   fixed-length keys, this value is ignored.  The property is defined
   as follows:

   NAME         CipherKeyLength
   DESCRIPTION  Specifies the ESP encryption key length in bits.
   SYNTAX       unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

   The property CipherKeyRounds specifies the number of key rounds for
   the ESP encryption algorithm.  For encryption algorithms that use
   fixed number of key rounds, this value is ignored.  The property is
   defined as follows:

   NAME         CipherKeyRounds
   DESCRIPTION  Specifies the number of key rounds for the ESP
                encryption algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        Currently, key rounds are not defined for any ESP
                encryption algorithms.

7.6.5. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

   NAME         UseReplayPrevention
   DESCRIPTION  Specifies whether to enable replay prevention
                detection.
   SYNTAX       boolean
   VALUE        true - replay prevention detection is enabled.
                false - replay prevention detection is disabled.

7.6.6. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism. The value of this property is meaningless if
   UseReplayPrevention is false. It is assumed that the window size
   will be power of 2.  The property is defined as follows:

   NAME         ReplayPreventionWindowSize
   DESCRIPTION  Specifies the length of the window used by replay
                prevention detection mechanism.

   SYNTAX       unsigned 32-bit integer

7.7. The Class IPCOMPTransform

   The class IPCOMPTransform specifies the IP compression (IPCOMP)
   algorithm to propose during IPsec security association negotiation.
   The class definition for IPCOMPTransform is as follows:

   NAME         IPCOMPTransform
   DESCRIPTION  Specifies the IPCOMP algorithm to propose.
   ABSTRACT     FALSE
   PROPERTIES   Algorithm
                DictionarySize
                PrivateAlgorithm

7.7.1. The Property Algorithm

   The property Algorithm specifies the transform ID of the IPCOMP
   compression algorithm to propose.  The property is defined as
   follows:

   NAME         Algorithm
   DESCRIPTION  Specifies the transform ID of the IPCOMP compression
                algorithm.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 -  OUI: a vendor specific algorithm is used and
                specified in the property PrivateAlgorithm.  Consult
                [DOI] for other valid values.

7.7.2. The Property DictionarySize

   The property DictionarySize specifies the log2 maximum size of the
   dictionary for the compression algorithm.  For compression
   algorithms that have pre-defined dictionary sizes, this value is
   ignored.  The property is defined as follows:

   NAME         DictionarySize
   DESCRIPTION  Specifies the log2 maximum size of the dictionary.
   SYNTAX       unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

   The property PrivateAlgorithm specifies a private vendor-specific
   compression algorithm.  This value is only used when the property
   Algorithm is 1 (OUI).  The property is defined as follows:

   NAME         PrivateAlgorithm
   DESCRIPTION  Specifies a private vendor-specific compression
                algorithm.
   SYNTAX       unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem
   The class SAProposalInSystem weakly associates SAProposals with a
   System.  The class definition for SAProposalInSystem is as follows:

   NAME         SAProposalInSystem
   DESCRIPTION  Weakly associates SAProposals with a System.
   DERIVED FROM PolicyInSystem (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref System [1..1]]
                Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SAProposal instance MUST be associated with one
   and only one System instance.

7.8.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SAProposal instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

   The class ContainedTransform associates an IPsecProposal with the
   set of SATransforms that make up the proposal.  If multiple
   transforms of the same type are in a proposal, then they are to be
   logically ORed and the order of preference is dictated by the
   SequenceNumber property.  Sets of transforms of different types are
   logically ANDed.  For example, if the ordered proposal list were

   ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
   AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to pick
   one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND
   one from the AH transform list (preferably MD5).

   The class definition for ContainedProposal ContainedTransform is as follows:

   NAME         ContainedTransform
   DESCRIPTION  Associates an IPsecProposal with the set of
                SATransforms that make up the proposal.
   DERIVED FROM PolicyComponent (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref IPsecProposal[0..n]]
                PartComponent[ref SATransform[1..n]]
                SequenceNumber

7.9.1. The Reference GroupComponent
   The property GroupComponent is inherited from PolicyComponent and is
   overridden to refer to an IPsecProposal instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SATransform instance.  The [1..n]
   cardinality indicates that an IPsecProposal instance MUST be
   associated with at least one SATransform instance.

7.9.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for
   the SATransforms of the same type.  The property is defined as
   follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order for the SATransforms of
                the same type.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued transforms are preferred over transforms
                of the same type with higher values.  For
                ContainedTransforms that reference the same
                IPsecProposal, SequenceNumber values must be unique.

7.10. The Association Class SATransformInSystem

   The class SATransformInSystem weakly associates SATransforms with a
   System.  The class definition for SATransformInSystem System is as
   follows:

   NAME         SATransformInSystem
   DESCRIPTION  Weakly associates SATransforms with a System.
   DERIVED FROM PolicyInSystem (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent[ref System[1..1]]
                Dependent[ref SATransform[0..n] [weak]]

7.10.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SATransform instance MUST be associated with one
   and only one System instance.

7.10.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SATransform instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SATransform instances.

8. IKE Service and Identity Classes

                +--------------+           +-------------------+
                |    System    |           | PeerIdentityEntry |
                | (Appendix A) |           +-------------------+
                +--------------+                     |*w
                      1| (a)                 (b)     |
                       +---+            +------------+
                           |            |
                           |*w        1 o
   +-------------+     +-------------------+    +---------------------+
   | PeerGateway |     | PeerIdentityTable |    | AutostartIKESetting |
   +-------------+     +-------------------+    +---------------------+
        *|                          *|               *|    *|
         +----------------------+    |(d)  +----------+     |
                  (c)          *|   *|    *|     (e)        |
                              *+------------+*              |(f)
             +-----------------| IKEService |-----+         |
             |      (g)        +------------+     |(h)      |
         0..1|                      *|           *|        *o
   +--------------------+            |    +---------------------------+
   | IPProtocolEndpoint |            |    | AutostartIKEConfiguration |
   |    (Appendix C)    |         (i)|    +---------------------------+
   +--------------------+            |
      0..1|                          |
          |(j)                       +----------------+
         *|                                           |*
   +-------------+* (k)  +------------+ +-----------------------------+
   | IKEIdentity |-------| Collection | | CredentialManagementService |
   +-------------+   0..1|(Appendix A)| |        (Appendix B)         |
         *|              +------------+ +-----------------------------+
          |(l)
         *|
   +--------------+
   |  Credential  |
   | (Appendix B) |
   +--------------+

   (a)  HostedPeerIdentityTable
   (b)  PeerIdentityMember
   (c)  IKEServicePeerGateway
   (d)  IKEServicePeerIdentityTable
   (e)  IKEAutostartSetting
   (f)  AutostartIKESettingContext
   (g)  IKEServiceForEndpoint
   (h)  IKEAutostartConfiguration
   (i)  IKEUsesCredentialManagementService
   (j)  EndpointHasLocalIKEIdentity
   (k)  CollectionHasLocalIKEIdentity
   (l)  IKEIdentitysCredential

   This portion of the model contains additional information that is
   useful in applying the policy.  The IKEService class MAY be used to
   represent the IKE negotiation function in a system. The IKEService
   uses the various tables that contain information about IKE peers as
   well as the configuration for specifying security associations that
   are started automatically.  The information in the PeerGateway,
   PeerIdentityTable and related classes is necessary to completely
   specify the policies.

   An interface (represented by an IPProtocolEndpoint) has an
   IKEService that provides the negotiation services for that
   interface.  That service MAY also have a list of security
   associations for that are automatically started at the time the IKE
   service is initialized.

   The IKEService also has a set of identities that it may use in
   negotiations with its peers.  Those identities are associated with
   the interfaces (or collections of interfaces).

8.1. The Class IKEService

   The class IKEService represents the IKE negotiation function.  An
   instance of this service may provide that negotiation service for
   one or more interfaces (represented by the IPProtocolEndpoint class)
   of a System.  There may be multiple instances of IKE services on a
   System but only one per interface.  The class definition for
   IKEService is as follows:

   NAME         IKEService
   DESCRIPTION  IKEService is used to represent the IKE negotiation
                function.
   DERIVED FROM NetworkService (see Appendix C)
   ABSTRACT     FALSE

8.2. The Class PeerIdentityTable

   The class PeerIdentityTable aggregates the table entries that
   provide mappings between identities and their addresses.  The class
   definition for PeerIdentityTable is as follows:

   NAME         PeerIdentityTable
   DESCRIPTION  PeerIdentityTable aggregates PeerIdentityEntry
                instances to provide a table of identity-address
                mappings.
   DERIVED FROM Collection (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Name

8.3.1. The Property Name

   The property Name uniquely identifies the table.  The property is
   defined as follows:

   NAME         Name
   DESCRIPTION  Name uniquely identifies the table.

   SYNTAX       string

8.3. The Class PeerIdentityEntry

   The class PeerIdentityEntry specifies the mapping between peer
   identity and their address. The class definition for
   PeerIdentityEntry is as follows:

   NAME         PeerIdentityEntry
   DESCRIPTION  PeerIdentityEntry provides a mapping between a peer's
                identity and address.
   DERIVED FROM LogicalElement (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   PeerIdentity
                PeerIdentityType
                PeerAddress
                PeerAddressType

8.3.1. The Property PeerIdentity

   The property PeerIdentity contains a string encoding of the Identity
   payload for the IKE peer.  The property is defined as follows:

   NAME         PeerIdentity
   DESCRIPTION  The PeerIdentity is the ID payload of a peer.
   SYNTAX       string

8.3.2. The Property PeerIdentityType

   The property PeerIdentityType is an enumeration that specifies the
   type of the PeerIdentity.  The property is defined as follows:

   NAME         PeerIdentityType
   DESCRIPTION  PeerIdentityType is the type of the ID payload of a
                peer.
   SYNTAX       unsigned 16-bit integer
   VALUE        The enumeration values are specified in [DOI] section
                4.6.2.1.

8.3.3. The Property PeerAddress

   The property PeerAddress specifies the string representation of the
   IP address of the peer formatted according to the appropriate
   convention as defined in the PeerAddressType property (e.g., dotted
   decimal notation).  The property is defined as follows:

   NAME         PeerAddress
   DESCRIPTION  PeerAddress is the address of the peer with the ID
                payload.
   SYNTAX       string
   VALUE        String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType
   The property PeerAddressType specifies the format of the PeerAddress
   property value.  The property is defined as follows:

   NAME         PeerAddressType
   DESCRIPTION  PeerAddressType is the type of address in PeerAddress.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6

8.4. The Class AutostartIKEConfiguration

   The class AutostartIKEConfiguration groups AutostartIKESetting
   instances into configuration sets.  When applied, the settings cause
   an IKE service to automatically start (negotiate or statically set
   as appropriate) the Security Associations.  The class definition for
   AutostartIKEConfiguration is as follows:

   NAME         AutostartIKEConfiguration
   DESCRIPTION  A configuration set of AutostartIKESetting instances to
                be automatically started by the IKE service.
   DERIVED FROM SystemConfiguration (see Appendix A)
   ABSTRACT     FALSE

8.5. The Class AutostartIKESetting

   The class AutostartIKESetting is used to automatically initiate IKE
   negotiations with peers (or statically create an SA) as specified in
   the AutostartIKESetting properties.  Appropriate actions are
   initiated according to the policy that matches the setting
   parameters. The class definition for AutostartIKESetting is as
   follows:

   NAME         AutostartIKESetting
   DESCRIPTION  AutostartIKESetting is used to automatically initiate
                IKE negotiations with peers or statically create an SA.
   DERIVED FROM SystemSetting (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Phase1Only
                AddressType
                SourceAddress
                SourcePort
                DestinationAddress
                DestinationPort
                Protocol

8.5.1. The Property Phase1Only

   The property Phase1Only is used to limit the IKE negotiation to just
   setting up a phase 1 security association.  When set to False, both
   phase 1 and 2 negotiations are initiated.
   The property is defined as follows:

   NAME         Phase1Only
   DESCRIPTION  Used to indicate which security associations to attempt
                to establish (phase 1 only, or phase 1 and 2).
   SYNTAX       boolean
   VALUE        true - attempt to establish a phase 1 security
                association
                false - attempt to establish phase 1 and 2 security
                associations

8.5.2. The Property AddressType

   The property AddressType specifies type of the addresses in the
   SourceAddress and DestinationAddress properties.  The property is
   defined as follows:

   NAME         AddressType
   DESCRIPTION  AddressType is the type of address in SourceAddress and
                DestinationAddress properties.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6

8.5.3. The Property SourceAddress

   The property SourceAddress specifies the dotted-decimal or colon-
   decimal formatted IP address used as the source address in comparing
   with policy filter entries and used in any phase 2 negotiations.
   The property is defined as follows:

   NAME         SourceAddress
   DESCRIPTION  The source address to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort

   The property SourcePort specifies the port number used as the source
   port in comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

   NAME         SourcePort
   DESCRIPTION  The source port to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.5. The Property DestinationAddress

   The property DestinationAddress specifies the dotted-decimal or
   colon-decimal formatted IP address used as the destination address
   in comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

   NAME         DestinationAddress
   DESCRIPTION  The destination address to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort

   The property DestinationPort specifies the port number used as the
   destination port in comparing with policy filter entries and used in
   any phase 2 negotiations.  The property is defined as follows:

   NAME         DestinationPort
   DESCRIPTION  The destination port to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.7. The Property Protocol

   The property Protocol specifies the protocol number used in
   comparing with policy filter entries and used in any phase 2
   negotiations.  The property is defined as follows:

   NAME         Protocol
   DESCRIPTION  The protocol number used in comparing with policy
                filter entries.
   SYNTAX       unsigned 8-bit integer

8.6. The Class IKEIdentity

   The class IKEIdentity is used to represent the identities that may
   be used for an IPProtocolEndpoint (or collection of
   IPProtocolEndpoints) to identify the IKE Service in IKE phase 1
   negotiations.  The policy IKEAction.UseIKEIdentityType specifies
   which type of the available identities to use in a negotiation
   exchange and the IKERule.IdentityContexts specifies the match values
   to be used, along with the local address, in selecting the
   appropriate identity for a negotiation. The ElementID property value
   (defined in the parent class, UsersAccess) should be that of either
   the IPProtocolEndpoint or Collection of endpoints as appropriate.
   The class definition for IKEIdentity is as follows:

   NAME         IKEIdentity
   DESCRIPTION  IKEIdentity is used to represent the identities that
                may be used for an IPProtocolEndpoint (or collection of
                IPProtocolEndpoints) to identify the IKE Service in IKE
                phase 1 negotiations.
   DERIVED FROM UsersAccess (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   IdentityType
                IdentityValue
                IdentityContexts

8.6.1. The Property IdentityType

   The property IdentityType is an enumeration that specifies the type
   of the IdentityValue.  The property is defined as follows:

   NAME         IdentityType
   DESCRIPTION  IdentityType is the type of the IdentityValue.
   SYNTAX       unsigned 8-bit integer
   VALUE        The enumeration values are specified in [DOI] section
                4.6.2.1.

8.6.2. The Property IdentityValue

   The property Identity specifies Value contains a string encoding of
   the Identity payload.  For IKEIdentity instances that are address
   types, the IdentityValue string value may be omitted and the
   associated IPProtocolEndpoint or appropriate member of the
   Collection of endpoints is used.  The property is defined as
   follows:

   NAME         IdentityValue
   DESCRIPTION  IdentityValue contains a string encoding of the
                Identity payload.
   SYNTAX       string

8.6.3. The Property IdentityContexts

   The IdentityContexts property is used to constrain the use of
   IKEIdentity instances to match that specified in the
   IKERule.IdentityContexts.  The IdentityContexts are formatted as
   policy roles and role combinations [PCIM].  Each value represents
   one context or context combination.  Since this is a multi-valued
   property, more than one context or combination of contexts can be
   associated with a single IKEIdentity.  Each value is a string of the
   form:        <ContextName>[&&<ContextName>]*
   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2). If one or more
   values in the IKERule.IdentityContexts array match one or more
   IKEIdentity.IdentityContexts then the identity's context matches.
   (That is, each value of the IdentityContext array is an ORed
   condition.)  In combination with the address of the
   IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
   1 and only 1 IKEIdentity.  The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  The IKE service of a security endpoint may have
                multiple identities for use in different situations.
                The combination of the interface (represented by
                the IPProtocolEndpoint), the identity type (as
                specified in the IKEAction) and the IdentityContexts
                selects a unique identity.
   SYNTAX       string array
   VALUE        string of the form <ContextName>[&&<ContextName>]*

8.7. The Association Class HostedPeerIdentityTable

   The class HostedPeerIdentityTable provides the name scoping
   relationship for PeerIdentityTable entries in a System.  The
   PeerIdentityTable is weak to the System.  The class definition for
   HostedPeerIdentityTable is as follows:

   NAME         HostedPeerIdentityTable
   DESCRIPTION  The PeerIdentityTable instances are weak (name scoped
                by) the owning System.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref System[1..1]]
                Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that a PeerIdentityTable instance MUST be associated in a
   weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to a PeerIdentityTable instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

   The class PeerIdentityMember aggregates PeerIdentityEntry instances
   into a PeerIdentityTable.  This is a weak aggregation.  The class
   definition for PeerIdentityMember is as follows:

   NAME         PeerIdentityMember
   DESCRIPTION  PeerIdentityMember aggregates PeerIdentityEntry
                instances into a PeerIdentityTable.
   DERIVED FROM MemberOfCollection (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Collection [ref PeerIdentityTable[1..1]]
                Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

   The property Collection is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityTable instance.  The [1..1]
   cardinality indicates that a PeerIdentityEntry instance MUST be
   associated with one and only one PeerIdentityTable instance (i.e.,
   PeerIdentityEntry instances are not shared across
   PeerIdentityTables).

8.8.2. The Reference Member

   The property Member is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityEntry instance.  The [0..n]
   cardinality indicates that a PeerIdentityTable instance may be
   associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

   The class IKEServicePeerGateway provides the association between an
   IKEService and the list of PeerGateway instances that it uses in
   negotiating with security gateways.  The class definition for
   IKEServicePeerGateway is as follows:

   NAME         IKEServicePeerGateway
   DESCRIPTION  Associates an IKEService and the list of PeerGateway
                instances that it uses in negotiating with security
                gateways.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that a PeerGateway instance may be associated
   with zero or more IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

   The class IKEServicePeerIdentityTable provides the relationship
   between an IKEService and a PeerIdentityTable that it uses to map
   between addresses and identities as required.  The class definition
   for IKEServicePeerIdentityTable is as follows:

   NAME         IKEServicePeerIdentityTable
   DESCRIPTION  IKEServicePeerIdentityTable provides the relationship
                between an IKEService and a PeerIdentityTable that it
                uses.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerIdentityTable[0..n]]
                Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerIdentityTable instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that a PeerIdentityTable instance may be
   associated with zero or more IKEService instances.

8.11. The Association Class IKEAutostartSetting

   The class IKEAutostartSetting associates an AutostartIKESetting with
   an IKEService that may use it to automatically start an IKE
   negotiation or create a static SA.  The class definition for
   IKEAutostartSetting is as follows:

   NAME         IKEAutostartSetting
   DESCRIPTION  Associates a AutostartIKESetting with an IKEService.
   DERIVED FROM ElementSetting (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Element [ref IKEService[0..n]]
                Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

   The property Element is inherited from ElementSetting and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates an AutostartIKESetting instance may be
   associated with zero or more IKEService instances.

8.11.2. The Reference Setting

   The property Setting is inherited from ElementSetting and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

   The class AutostartIKESettingContext aggregates the settings used to
   automatically start negotiations or create a static SA into a
   configuration set.  The class definition for
   AutostartIKESettingContext is as follows:

   NAME         AutostartIKESettingContext
   DESCRIPTION  AutostartIKESettingContext aggregates the
                AutostartIKESetting instances into a configuration set.
   DERIVED FROM SystemSettingContext (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Context [ref AutostartIKEConfiguration [0..n]]
                Setting [ref AutostartIKESetting [0..n]]
                SequenceNumber

8.12.1. The Reference Context

   The property Context is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an AutostartIKESetting instance
   may be associated with zero or more AutostartIKEConfiguration
   instances (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

   The property Setting is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an AutostartIKEConfiguration instance may
   be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

   The property SequenceNumber specifies indicates the ordering to be
   used when starting negotiations or creating a static SA.  A zero
   value indicates that order is not significant and settings may be
   applied in parallel with other settings.  All other settings in the
   configuration are executed in sequence from lower values to high.
   Sequence numbers need not be unique in an AutostartIKEConfiguration
   and order is not significant for settings with the same sequence
   number.  The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  The sequence in which the settings are applied within a
                configuration set.
   SYNTAX       unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

   The class IKEServiceForEndpoint provides the association showing
   which IKE service, if any, provides IKE negotiation services for
   which network interfaces.  The class definition for
   IKEServiceForEndpoint is as follows:

   NAME         IKEServiceForEndpoint
   DESCRIPTION  Associates an IPProtocolEndpoint with an IKEService
                that provides negotiation services for the endpoint.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IKEService[0..1]]
                Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..1]
   cardinality indicates that an IPProtocolEndpoint instance MUST by
   associated with at most one IKEService instance.

8.13.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IPProtocolEndpoint that is associated with
   at most one IKEService.  The [0..n] cardinality indicates an
   IKEService instance may be associated with zero or more
   IPProtocolEndpoint instances.

8.14. The Association Class IKEAutostartConfiguration

   The class IKEAutostartConfiguration provides the relationship
   between an IKEService and a configuration set that it uses to
   automatically start a set of SAs.  The class definition for
   IKEAutostartConfiguration is as follows:

   NAME         IKEAutostartConfiguration
   DESCRIPTION  IKEAutostartConfiguration provides the relationship
                between an IKEService and an AutostartIKEConfiguration
                that it uses to automatically start a set of SAs.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref AutostartIKEConfiguration [0..n]]
                Dependent [ref IKEService [0..n]]
                Active

8.14.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that an AutostartIKEConfiguration instance may
   be associated with zero or more IKEService instances.

8.14.3. The Property Active

   The property Active specifies indicates whether the
   AutostartIKEConfiguration set is currently active for the associated
   IKEService.  That is, at boot time, the active configuration is used
   to automatically start IKE negotiations and create static SAs.  The
   property is defined as follows:

   NAME         Active
   DESCRIPTION  Active indicates whether the AutostartIKEConfiguration
                set is currently active for the associated IKEService.
   SYNTAX       boolean
   VALUE        true - AutostartIKEConfiguration is currently active
                for associated IKEService.
                false - AutostartIKEConfiguration is currently inactive
                for associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

   The class IKEUsesCredentialManagementService defines the set of
   CredentialManagementService(s) that are trusted sources of
   credentials for IKE phase 1 negotiations.  The class definition for
   IKEUsesCredentialManagementService is as follows:

   NAME         IKEUsesCredentialManagementService
   DESCRIPTION  Associates the set of CredentialManagementService(s)
                that are trusted by the IKEService as sources of
                credentials used in IKE phase 1 negotiations.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref CredentialManagementService [0..n]]
                Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates that a CredentialManagementService instance
   may be associated with zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

   The class EndpointHasLocalIKEIdentity associates an
   IPProtocolEndpoint with a set of IKEIdentity instances that may be
   used in negotiating security associations on the endpoint.  An
   IKEIdentity MUST be associated with either an IPProtocolEndpoint
   using this association or with a collection of IKEIdentity instances
   using the CollectionHasLocalIKEIdentity association.  The class
   definition for EndpointHasLocalIKEIdentity is as follows:

   NAME         EndpointHasLocalIKEIdentity
   DESCRIPTION  EndpointHasLocalIKEIdentity associates an
                IPProtocolEndpoint with a set of IKEIdentity instances.
   DERIVED FROM ElementAsUser (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IPProtocolEndpoint [0..1]]
                Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to an IPProtocolEndpoint instance.  The [0..1]
   cardinality indicates that an IKEIdentity instance MUST be
   associated with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that an IPProtocolEndpoint instance may be
   associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

   The class CollectionHasLocalIKEIdentity associates a Collection of
   IPProtocolEndpoint instances with a set of IKEIdentity instances
   that may be used in negotiating SAs for endpoints in the collection.
   An IKEIdentity MUST be associated with either an IPProtocolEndpoint
   using the EndpointHasLocalIKEIdentity association or with a
   collection of IKEIdentity instances using this association.  The
   class definition for CollectionHasLocalIKEIdentity is as follows:

   NAME         CollectionHasLocalIKEIdentity
   DESCRIPTION  CollectionHasLocalIKEIdentity associates a collection
                of IPProtocolEndpoint instances with a set of
                IKEIdentity instances.
   DERIVED FROM ElementAsUser (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref Collection [0..1]]
                Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to a Collection instance.  The [0..1]
   cardinality indicates that an IKEIdentity instance MUST be
   associated with at most one Collection instance.

8.17.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that a Collection instance may be associated
   with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

   The class IKEIdentitysCredential is an association that relates a
   set of credentials to their corresponding local IKE Identities.  The
   class definition for IKEIdentitysCredential is as follows:

   NAME         IKEIdentitysCredential
   DESCRIPTION  IKEIdentitysCredential associates a set of credentials
                to their corresponding local IKEIdentity.
   DERIVED FROM UsersCredential (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref Credential [0..n]]
                Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

   The property Antecedent is inherited from UsersCredential and is
   overridden to refer to a Credential instance.  The [0..n]
   cardinality indicates that IKEIdentity instance may be associated
   with zero or more Credential instances.

8.18.2. The Reference Dependent

   The property Dependent is inherited from UsersCredential and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that a Credential instance may be associated
   with zero or more IKEIdentity instances.

9. Security Considerations

   This document describes a schema for IPsec policy.  It does not
   detail security requirements for storage or delivery of said schema.
   Storage and delivery security requirements should be detailed in a
   comprehensive security policy architecture document.

10. Intellectual Property Implementation Requirements

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to following tables specifies which any license under such rights
   might classes, properties,
   associations and aggregations MUST or might not SHOULD or MAY be available; neither does it represent that it
   has made implemented.

   4. Policy Classes
   4.1. The Class IPsecPolicyGroup................................MUST
   4.2. The Class SARule..........................................MUST
   4.2.1. The Property PolicyRuleName..............................MAY
   4.2.1. The Property Enabled....................................MUST
   4.2.1. The Property ConditionListType..........................MUST
   4.2.1. The Property RuleUsage...................................MAY
   4.2.1. The Property Mandatory...................................MAY
   4.2.1. The Property SequencedActions...........................MUST
   4.2.1. The Property PolicyRoles.................................MAY
   4.2.1. The Property PolicyDecisionStrategy......................MAY
   4.2.2  The Property ExecutionStrategy..........................MUST
   4.2.3  The Property LimitNegotiation............................MAY
   4.3. The Class IKERule.........................................MUST
   4.3.1. The Property IdentityContexts............................MAY
   4.4. The Class IPsecRule.......................................MUST
   4.5.3. The Property GroupPriority..............................MUST
   4.6. The Association Class IpsecPolicyForEndpoint...............MAY
   4.6.1. The Reference Antecedent................................MUST
   4.6.2. The Reference Dependent.................................MUST
   4.7. The Association Class IPsecPolicyForSystem.................MAY
   4.7.1. The Reference Antecedent................................MUST
   4.7.2. The Reference Dependent.................................MUST
   4.8. The Aggregation Class RuleForIKENegotiation...............MUST
   4.8.1. The Property Priority.................................SHOULD
   4.8.2. The Reference GroupComponent............................MUST
   4.8.3. The Reference PartComponent.............................MUST
   4.9. The Aggregation Class RuleForIPsecNegotiation.............MUST
   4.9.1. The Property Priority.................................SHOULD
   4.9.2. The Reference GroupComponent............................MUST
   4.9.3. The Reference PartComponent.............................MUST
   4.10. The Aggregation Class SAConditionInRule..................MUST
   4.10.1. The Property GroupNumber.............................SHOULD
   4.10.1. The Property ConditionNegated........................SHOULD
   4.10.2. The Reference GroupComponent...........................MUST
   4.10.3. The Reference PartComponent............................MUST
   4.11. The Aggregation Class PolicyActionInSARule...............MUST
   4.11.1. The Reference GroupComponent...........................MUST
   4.11.2. The Reference PartComponent............................MUST
   4.11.3. The Property ActionOrder.............................SHOULD
   5. Condition and Filter Classes
   5.1. The Class SACondition.....................................MUST
   5.2. The Class IPHeaderFilter................................SHOULD
   5.3. The Class CredentialFilterEntry............................MAY
   5.3.1. The Property MatchFieldName.............................MUST
   5.3.2. The Property MatchFieldValue............................MUST
   5.3.3. The Property CredentialType.............................MUST
   5.4. The Class IPSOFilterEntry..................................MAY
   5.4.1. The Property MatchConditionType.........................MUST
   5.4.2. The Property MatchConditionValue........................MUST
   5.5. The Class PeerIDPayloadFilterEntry.........................MAY
   5.5.1. The Property MatchIdentityType..........................MUST
   5.5.2. The Property MatchIdentityValue.........................MUST
   5.6. The Association Class FilterOfSACondition...............SHOULD
   5.6.1. The Reference Antecedent................................MUST
   5.6.2. The Reference Dependent.................................MUST
   5.7. The Association Class AcceptCredentialFrom.................MAY
   5.7.1. The Reference Antecedent................................MUST
   5.7.2. The Reference Dependent.................................MUST
   6. Action Classes
   6.1. The Class SAAction........................................MUST
   6.1.1. The Property DoActionLogging.............................MAY
   6.1.2. The Property DoPacketLogging.............................MAY
   6.2. The Class SAStaticAction..................................MUST
   6.2.1. The Property LifetimeSeconds............................MUST
   6.3. The Class IPsecBypassAction.............................SHOULD
   6.4. The Class IPsecDiscardAction............................SHOULD
   6.5. The Class IKERejectAction..................................MAY
   6.6. The Class PreconfiguredSAAction...........................MUST
   6.6.1. The Property LifetimeKilobytes..........................MUST
   6.7. The Class PreconfiguredTransportAction....................MUST
   6.8. The Class PreconfiguredTunnelAction.......................MUST
   6.8.1. The Property DFHandling.................................MUST
   6.9. The Class SANegotiationAction.............................MUST
   6.9.1. The Property MinLifetimeSeconds..........................MAY
   6.9.2. The Property MinLifetimeKilobytes........................MAY
   6.9.3. The Property RefreshThresholdSeconds.....................MAY
   6.9.4. The Property RefreshThresholdKilobytes...................MAY
   6.9.5. The Property IdleDurationSeconds.........................MAY
   6.10. The Class IPsecAction....................................MUST
   6.10.1. The Property UsePFS....................................MUST
   6.10.2. The Property UseIKEGroup................................MAY
   6.10.3. The Property GroupId...................................MUST
   6.10.4. The Property Granularity.............................SHOULD
   6.10.5. The Property VendorID...................................MAY
   6.11. The Class IPsecTransportAction...........................MUST
   6.12. The Class IPsecTunnelAction..............................MUST
   6.12.1. The Property DFHandling................................MUST
   6.13. The Class IKEAction......................................MUST
   6.13.1. The Property RefreshThresholdDerivedKeys................MAY
   6.13.2. The Property ExchangeMode..............................MUST
   6.13.3. The Property UseIKEIdentityType........................MUST
   6.13.4. The Property VendorID...................................MAY
   6.13.5. The Property AggressiveModeGroupId......................MAY
   6.14. The Class PeerGateway....................................MUST
   6.14.1. The Property Name....................................SHOULD
   6.14.2. The Property PeerIdentityType..........................MUST
   6.14.3. The Property PeerIdentity..............................MUST
   6.15. The Association Class PeerGatewayForTunnel...............MUST
   6.15.1. The Reference Antecedent...............................MUST
   6.15.2. The Reference Dependent................................MUST
   6.15.3. The Property SequenceNumber..........................SHOULD
   6.16. The Aggregation Class ContainedProposal..................MUST
   6.16.1. The Reference GroupComponent...........................MUST
   6.16.2. The Reference PartComponent............................MUST
   6.16.3. The Property SequenceNumber............................MUST
   6.17. The Association Class HostedPeerGatewayInformation........MAY
   6.17.1. The Reference Antecedent...............................MUST
   6.17.2. The Reference Dependent................................MUST
   6.18. The Association Class TransformOfPreconfiguredAction.....MUST
   6.18.1. The Reference Antecedent...............................MUST
   6.18.2. The Reference Dependent................................MUST
   6.18.3. The Property SPI.......................................MUST
   6.18.4. The Property Direction.................................MUST
   6.19. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
   6.19.1. The Reference Antecedent...............................MUST
   6.19.2. The Reference Dependent................................MUST
   7. Proposal and Transform Classes
   7.1. The Abstract Class SAProposal.............................MUST
   7.1.1. The Property Name.....................................SHOULD
   7.2. The Class IKEProposal.....................................MUST
   7.2.1. The Property LifetimeDerivedKeys.........................MAY
   7.2.2. The Property CipherAlgorithm............................MUST
   7.2.3. The Property HashAlgorithm..............................MUST
   7.2.4. The Property PRFAlgorithm................................MAY
   7.2.5. The Property GroupId....................................MUST
   7.2.6. The Property AuthenticationMethod.......................MUST
   7.2.7. The Property MaxLifetimeSeconds.........................MUST
   7.2.8. The Property MaxLifetimeKilobytes.......................MUST
   7.2.9. The Property VendorID....................................MAY
   7.3. The Class IPsecProposal...................................MUST
   7.4. The Abstract Class SATransform............................MUST
   7.4.1. The Property TransformName............................SHOULD
   7.4.2. The Property VendorID....................................MAY
   7.4.3. The Property MaxLifetimeSeconds.........................MUST
   7.4.4. The Property MaxLifetimeKilobytes.......................MUST
   7.5. The Class AHTransform.....................................MUST
   7.5.1. The Property AHTransformId..............................MUST
   7.5.2. The Property UseReplayPrevention.........................MAY
   7.5.3. The Property ReplayPreventionWindowSize..................MAY
   7.6. The Class ESPTransform....................................MUST
   7.6.1. The Property IntegrityTransformId.......................MUST
   7.6.2. The Property CipherTransformId..........................MUST
   7.6.3. The Property CipherKeyLength.............................MAY
   7.6.4. The Property CipherKeyRounds.............................MAY
   7.6.5. The Property UseReplayPrevention.........................MAY
   7.6.6. The Property ReplayPreventionWindowSize..................MAY
   7.7. The Class IPCOMPTransform..................................MAY
   7.7.1. The Property Algorithm..................................MUST
   7.7.2. The Property DictionarySize..............................MAY
   7.7.3. The Property PrivateAlgorithm............................MAY
   7.8. The Association Class SAProposalInSystem...................MAY
   7.8.1. The Reference Antecedent................................MUST
   7.8.2. The Reference Dependent.................................MUST
   7.9. The Aggregation Class ContainedTransform..................MUST
   7.9.1. The Reference GroupComponent............................MUST
   7.9.2. The Reference PartComponent.............................MUST
   7.9.3. The Property SequenceNumber.............................MUST
   7.10. The Association Class SATransformInSystem.................MAY
   7.10.1. The Reference Antecedent...............................MUST
   7.10.2. The Reference Dependent................................MUST
   8. IKE Service and Identity Classes
   8.1. The Class IKEService.......................................MAY
   8.2. The Class PeerIdentityTable................................MAY
   8.3.1. The Property Name.....................................SHOULD
   8.3. The Class PeerIdentityEntry................................MAY
   8.3.1. The Property PeerIdentity.............................SHOULD
   8.3.2. The Property PeerIdentityType.........................SHOULD
   8.3.3. The Property PeerAddress..............................SHOULD
   8.3.4. The Property PeerAddressType..........................SHOULD
   8.4. The Class AutostartIKEConfiguration........................MAY
   8.5. The Class AutostartIKESetting..............................MAY
   8.5.1. The Property Phase1Only..................................MAY
   8.5.2. The Property AddressType..............................SHOULD
   8.5.3. The Property SourceAddress..............................MUST
   8.5.4. The Property SourcePort.................................MUST
   8.5.5. The Property DestinationAddress.........................MUST
   8.5.6. The Property DestinationPort............................MUST
   8.5.7. The Property Protocol...................................MUST
   8.6. The Class IKEIdentity......................................MAY
   8.6.1. The Property IdentityType...............................MUST
   8.6.2. The Property IdentityValue..............................MUST
   8.6.3. The Property IdentityContexts............................MAY
   8.7. The Association Class HostedPeerIdentityTable..............MAY
   8.7.1. The Reference Antecedent................................MUST
   8.7.2. The Reference Dependent.................................MUST
   8.8. The Aggregation Class PeerIdentityMember...................MAY
   8.8.1. The Reference Collection................................MUST
   8.8.2. The Reference Member....................................MUST
   8.9. The Association Class IKEServicePeerGateway................MAY
   8.9.1. The Reference Antecedent................................MUST
   8.9.2. The Reference Dependent.................................MUST
   8.10. The Association Class IKEServicePeerIdentityTable.........MAY
   8.10.1. The Reference Antecedent...............................MUST
   8.10.2. The Reference Dependent................................MUST
   8.11. The Association Class IKEAutostartSetting.................MAY
   8.11.1. The Reference Element..................................MUST
   8.11.2. The Reference Setting..................................MUST
   8.12. The Aggregation Class AutostartIKESettingContext..........MAY
   8.12.1. The Reference Context..................................MUST
   8.12.2. The Reference Setting..................................MUST
   8.12.3. The Property SequenceNumber..........................SHOULD
   8.13. The Association Class IKEServiceForEndpoint...............MAY
   8.13.1. The Reference Antecedent...............................MUST
   8.13.2. The Reference Dependent................................MUST
   8.14. The Association Class IKEAutostartConfiguration...........MAY
   8.14.1. The Reference Antecedent...............................MUST
   8.14.2. The Reference Dependent................................MUST
   8.14.3. The Property Active..................................SHOULD
   8.15. The Association Class IKEUsesCredentialManagementService..MAY
   8.15.1. The Reference Antecedent...............................MUST
   8.15.2. The Reference Dependent................................MUST
   8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY
   8.16.1. The Reference Antecedent...............................MUST
   8.16.2. The Reference Dependent................................MUST
   8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY
   8.17.1. The Reference Antecedent...............................MUST
   8.17.2. The Reference Dependent................................MUST
   8.18. The Association Class IKEIdentitysCredential..............MAY
   8.18.1. The Reference Antecedent...............................MUST
   8.18.2. The Reference Dependent................................MUST

10. Security Considerations

   This document describes a schema for IPsec policy.  It does not
   detail security requirements for storage or delivery of said schema.
   Storage and delivery security requirements should be detailed in a
   comprehensive security policy architecture document.

11. Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.

   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

12. Acknowledgments

   The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
   Vic Lortz, and William Dixon for their contributions to this IPsec
   policy model.

   Additionally, this draft would not have been possible without the
   preceding IPsec schema drafts.  For that, thanks go out to Rob
   Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
   Rajan.

13. References

   [IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)",
   RFC 2409, November 1998.

   [COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP
   Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

   [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload
   (ESP)", RFC 2406, November 1998.

   [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC
   2402, November 1998.

   [PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core
   Information Model -- Version 1 Specification", RFC 3060, February
   2001.

   [DOI] Piper, D., "The Internet IP Security Domain of Interpretation
   for ISAKMP", RFC 2407, November 1998.

   [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory
   Access Protocol (v3)", RFC 2251, December 1997.

   [COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
   Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
   January 2000.  Internet-Draft work in progress.

   [COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie,
   F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
   Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000.
   Internet-Draft work in progress.

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
   Requirement Levels", BCP 14, RFC 2119, March 1997.

   [IPSO] Kent, S., "U.S. Department of Defense Security Options for
   the Internet Protocol", RFC 1108, November 1991.

   [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the
   Internet Protocol", RFC 2401, November 1998.

14. Disclaimer

   The views and specification herein are those of the authors and are
   not necessarily those of their employer.  The authors and their
   employer specifically disclaim responsibility for any problems
   arising from correct or incorrect implementation or use of this
   specification.

15. Authors' Addresses

      Jamie Jason
      Intel Corporation
      MS JF3-206
      2111 NE 25th Ave.
      Hillsboro, OR 97124
      E-Mail: jamie.jason@intel.com

      Lee Rafalow
      IBM Corporation, BRQA/502
      4205 So. Miami Blvd.
      Research Triangle Park, NC 27709
      E-mail:  rafalow@raleigh.ibm.com

      Eric Vyncke
      Cisco Systems
      Avenue Marcel Thiry, 77
      B-1200 Brussels
      Belgium
      E-mail: evyncke@cisco.com

16. Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it maybe copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other then
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING
   TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Appendix A (DMTF Core Model MOF)

// ==================================================================
// ManagedElement
// ==================================================================
   [Abstract, Description (
   "ManagedElement is an abstract class that provides a common "
        "superclass (or top of the inheritance tree) for the "
        "non-association classes in the CIM Schema.")]
   class CIM_ManagedElement
   {
     [MaxLen (64), Description (
      "The Caption property is a short textual description (one-"
      "line string) of the object.") ]
     string Caption;
     [Description (
      "The Description property provides a textual description of "
      "the object.") ]
     string Description;
   };

// ==================================================================
// Collection
// ==================================================================
  [Abstract, Description (
   "Collection is an abstract class that provides a common"
   "superclass for data elements that represent collections of "
   "ManagedElements and its subclasses.")]
  class CIM_Collection : CIM_ManagedElement
  {
  };

// ==================================================================
//    ManagedSystemElement
// ==================================================================
        [Abstract, Description (
         "CIM_ManagedSystemElement is the base class for the System "
         "Element hierarchy. Membership Criteria: Any distinguishable "
         "component of a System is a candidate for inclusion in this "
         "class. Examples: software components, such as files; and "
         "devices, such as disk drives and controllers, and physical "
         "components such as chips and cards.") ]
class CIM_ManagedSystemElement : CIM_ManagedElement
{
        [Description (
         "A datetime value indicating when the object was installed. "
         "A lack of a value does not indicate that the object is not "
         "installed."),
         MappingStrings {"MIF.DMTF|ComponentID|001.5"} ]
    datetime InstallDate;
        [MaxLen (256), Description (
         "The Name property defines the label by which the object is "
         "known. When subclassed, the Name property can be overridden "
         "to be a Key property.") ]
    string Name;
         [MaxLen (10), Description (
         "  A string indicating the current status of the object. "
         "Various operational and non-operational statuses are "
         "defined. Operational statuses are \"OK\", \"Degraded\", "
         "\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that "
         "the Element is functioning, but needs attention. Examples "
         "of \"Stressed\" states are overload, overheated, etc. The "
         "condition \"Pred Fail\" (failure predicted) indicates that "
         "an Element is functioning properly but predicting a failure "
         "in the near future. An example is a SMART-enabled hard "
         "drive. \n"
         "  Non-operational statuses can also be specified. These "
         "are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", "
         "\"Stopped\", "
         "\"Service\",\"No Contact\" and \"Lost Comm\". \"NonRecover\""
         "indicates that a non-recoverable error has occurred. "
         "\"Service\" describes an Element being configured, "
         "maintained,"
         "cleaned, or otherwise administered. This status could apply "
         "during mirror-resilvering of a disk, reload of a user "
         "permissions list, or other administrative task. Not all "
         "such "
         "work is on-line, yet the Element is neither \"OK\" nor in "
         "one of the other states. \"No Contact\" indicates that the "
         "current instance of the monitoring system has knowledge of "
         "this Element but has never been able to establish "
         "communications with it. \"Lost Comm\" indicates that "
         "the ManagedSystemElement is known to exist and has been "
         "contacted successfully in the past, but is currently "
         "unreachable."
         "\"Stopped\" indicates that the ManagedSystemElement is "
         "known "
         "to exist, it is not operational (i.e. it is unable to "
         "provide service to users), but it has not failed. It "
         "has purposely "
         "been made non-operational. The Element "
         "may have never been \"OK\", the Element may have initiated "
         "its "
         "own stop, or a management system may have initiated the "
         "stop."),
         ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail",
             "Starting", "Stopping", "Service", "Stressed",
             "NonRecover", "No Contact", "Lost Comm", "Stopped"} ]
    string Status;
};

// ==================================================================
//    LogicalElement
// ==================================================================
        [Abstract, Description (
         "CIM_LogicalElement is a base class for all the components "
         "of "
         "a System that represent abstract system components, such "
         "as Files, Processes, or system capabilities in the form "
         "of Logical Devices.") ]
class CIM_LogicalElement:CIM_ManagedSystemElement
{
};

// ==================================================================
//     CIM_SystemConfiguration
// ==================================================================
        [Description (
         "CIM_SystemConfiguration represents the general concept "
         "of a CIM_Configuration which is scoped by/weak to a "
         "System. This class is a peer of CIM_Configuration since "
         "the key structure of Configuration is currently "
         "defined and cannot be modified with additional "
         "properties.")]
class CIM_SystemConfiguration : CIM_ManagedElement {
       [Propagated ("CIM_System.CreationClassName"), Key,
        MaxLen (256), Description (
        "The scoping System's CreationClassName.") ]
    string SystemCreationClassName;
       [Propagated ("CIM_System.Name"), Key, MaxLen (256),
        Description ("The scoping System's Name.") ]
    string SystemName;
       [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.") ]
    string CreationClassName;
        [Key, MaxLen (256), Description (
         "The label by which the Configuration object is known.") ]
   string Name;
};

// ===================================================================
//    Setting
// ===================================================================
        [Abstract, Description (
         "The Setting class represents configuration-related and "
         "operational parameters for one or more ManagedSystem"
         "Element(s). A ManagedSystemElement may have multiple "
         "Setting "
         "objects associated with it. The current operational values "
         "for an Element's parameters are reflected by properties in "
         "the Element itself or by properties in its associations. "
         "These properties do not have to be the same values present "
         "in the Setting object. For example, a modem may have a "
         "Setting baud rate of 56Kb/sec but be operating "
         "at 19.2Kb/sec.") ]
class CIM_Setting : CIM_ManagedElement
{
        [MaxLen (256), Description (
         "The identifier by which the Setting object is known.") ]
   string SettingID;
         [Description (
         "The VerifyOKToApplyToMSE method is used to verify that "
         "this Setting can be 'applied' to the referenced Managed"
         "SystemElement, at the given time or time interval. This "
         "method takes three input parameters: MSE (the Managed"
         "SystemElement that is being verified), TimeToApply (which, "
         "being a datetime, can be either a specific time or a time "
         "interval), and MustBeCompletedBy (which indicates the "
         "required completion time for the method). The return "
         "value should be 0 if it is OK to apply the Setting, 1 if "
         "the method is not supported, 2 if the Setting can not be "
         "applied within the specified times, and any other number "
         "if an error occurred. In a subclass, the "
         "set of possible return codes could be specified, using a "
         "ValueMap qualifier on the method. The strings to which the "
         "ValueMap contents are 'translated' may also be specified in "
         "the subclass as a Values array qualifier.") ]
   uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);
        [Description (
         "The ApplyToMSE method performs the actual application of "
         "the Setting to the referenced ManagedSystemElement. It "
         "takes three input parameters: MSE (the ManagedSystem"
         "Element to which the Setting is being applied), "
         "TimeToApply (which, being a datetime, can be either a "
         "specific time or a time interval), and MustBeCompletedBy "
         "(which indicates the required completion time for the "
         "method). Note that the semantics of this method are that "
         "individual Settings are either wholly applied or not "
         "applied at all to their target ManagedSystemElement. The "
         "return value should be 0 if the Setting is successfully "
         "applied to the referenced ManagedSystemElement, 1 if the "
         "method is not supported, 2 if the Setting was not applied "
         "within the specified times, and any other number if an "
         "error occurred. In a subclass, the set of possible return "
         "codes could be specified, using a ValueMap qualifier on "
         "the method. The strings to which the ValueMap contents are "
         "'translated' may also be specified in the subclass as a "
         "Values array qualifier.\n"
         "Note: If an error occurs in applying the Setting to a "
         "ManagedSystemElement, the Element must be configured as "
         "when the 'apply' attempt began. That is, the Element "
         "should NOT be left in an indeterminate state.") ]
   uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);
        [Description (
         "The VerifyOKToApplyToCollection method is used to verify "
         "that this Setting can be 'applied' to the referenced "
         "Collection of ManagedSystemElements, at the given time "
         "or time interval, without causing adverse effects to "
         "either the Collection itself or its surrounding "
         "environment. The net effect is to execute the "
         "VerifyOKToApply method against each of the Elements "
         "aggregated by the Collection. This method takes three "
         "input parameters: Collection (the Collection of Managed"
         "SystemElements that is being verified), TimeToApply (which, "
         "being a datetime, can be either a specific time or a time "
         "interval), and MustBeCompletedBy (which indicates the "
         "required completion time for the method). The return "
         "value should be 0 if it is OK to apply the Setting, 1 if "
         "the method is not supported, 2 if the Setting can not be "
         "applied within the specified times, and any other number if "
         "an error occurred. One output parameter is defined - "
         "CanNotApply - which is a string array that lists the keys "
         "of "
         "the ManagedSystemElements to which the Setting can NOT be "
         "applied. This enables those Elements to be revisited and "
         "either fixed, or other corrective action taken.\n"
         "In a subclass, the set of possible return codes could be "
         "specified, using a ValueMap qualifier on the method. The "
         "strings to which the ValueMap contents are 'translated' may "
         "also be specified in the subclass as a Values array "
         "qualifier.") ]
   uint32 VerifyOKToApplyToCollection (
    [IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy,
    [OUT] string CanNotApply[]);
        [Description (
         "The ApplyToCollection method performs the application of "
         "the Setting to the referenced Collection of ManagedSystem"
         "Elements. The net effect is to execute the ApplyToMSE "
         "method against each of the Elements aggregated by the "
         "Collection. If the input value ContinueOnError is FALSE, "
         "this method applies the Setting to all Elements in the "
         "Collection until it encounters an error, in which case it "
         "stops execution, logs the key of the Element that caused "
         "the error in the CanNotApply array, and issues a return "
         "code "
         "of 2. If the input value ContinueOnError is TRUE, then this "
         "method applies the Setting to all the ManagedSystemElements "
         "in the Collection, and reports the failed Elements in the "
         "array, CanNotApply. For the latter, processing will "
         "continue "
         "until the method is applied to all Elements in the "
         "Collection, regardless of any errors encountered. The key "
         "of "
         "each ManagedSystemElement to which the Setting could not be "
         "applied is logged into the CanNotApply array. This method "
         "takes four input parameters: Collection (the Collection of "
         "Elements to which the Setting is being applied), "
         "TimeToApply "
         "(which, being a datetime, can be either a specific time or "
         "a "
         "time interval), ContinueOnError (TRUE means to continue "
         "processing on encountering an error), and MustBeCompletedBy "
         "(which indicates the required completion time for the "
         "method). The return value should be 0 if the Setting is "
         "successfully applied to the referenced Collection, 1 if the "
         "method is not supported, 2 if the Setting was not applied "
         "within the specified times, 3 if the Setting can not be "
         "applied using the input value for ContinueOnError, and any "
         "other number if an error occurred. One output parameter is "
         "defined, CanNotApplystring, which is an array that lists "
         "the keys of the ManagedSystemElements to which the Setting "
         "was NOT able to be applied. This output parameter has "
         "meaning only when the ContinueOnError parameter is TRUE.\n"
         "In a subclass, the set of possible return codes could be "
         "specified, using a ValueMap qualifier on the method. The "
         "strings to which the ValueMap contents are 'translated' may "
         "also be specified in the subclass as a Values array "
         "qualifier.\n"
         "Note: if an error occurs in applying the Setting to a "
         "ManagedSystemElement in the Collection, the Element must be "
         "configured as when the 'apply' attempt began. That is, the "
         "Element should NOT be left in an indeterminate state.") ]
   uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply, [IN] boolean ContinueOnError,
    [IN] datetime MustBeCompletedBy, [OUT] string CanNotApply[]);
                 [Description (
         "The VerifyOKToApplyIncrementalChangeToMSE method "
         "is used to verify that a subset of the properties in "
         "this Setting can be 'applied' to the referenced Managed"
         "SystemElement, at the given time or time interval. This "
         "method takes four input parameters: MSE (the Managed"
         "SystemElement that is being verified), TimeToApply (which, "
         "being a datetime, can be either a specific time or a time "
         "interval), MustBeCompletedBy (which indicates the "
         "required completion time for the method), and a "
         "PropertiesToApply array (which contains a list of the "
         "property names whose values will be verified. "
         "If they array is null or empty or constains the string "
         "\"all\" "
         "as a property name then all Settings properties shall be "
         "verified.  If it is set to \"none\" then no Settings "
         "properties "
         "will be verified). The return "
         "value should be 0 if it is OK to apply the Setting, 1 if "
         "the method is not supported, 2 if the Setting can not be "
         "applied within the specified times, and any other number "
         "if an error occurred. In a subclass, the "
         "set of possible return codes could be specified, using a "
         "ValueMap qualifier on the method. The strings to which the "
         "ValueMap contents are 'translated' may also be specified in "
         "the subclass as a Values array qualifier.") ]
   uint32 VerifyOKToApplyIncrementalChangeToMSE(
    [IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply,
    [IN] datetime MustBeCompletedBy,
    [IN] string PropertiesToApply[]);
        [Description (
         "The ApplyIncrementalChangeToMSE method performs the "
         "actual application of  a subset of the properties in "
         "the Setting to the referenced ManagedSystemElement. It "
         "takes four input parameters: MSE (the ManagedSystem"
         "Element to which the Setting is being applied), "
         "TimeToApply (which, being a datetime, can be either a "
         "specific time or a time interval), MustBeCompletedBy "
         "(which indicates the required completion time for the "
         "method), and a "
         "PropertiesToApply array (which contains a list of the "
         "property names whose values will be applied. If a "
         "property is not in this list, it will be ignored by the "
         "apply. "
         "If they array is null or empty or constains the string "
         "\"all\" "
         "as a property name then all Settings properties shall be "
         "applied.  If it is set to \"none\" then no Settings "
         "properties "
         "will be applied. ). "
         "Note that the semantics of this method are that "
         "individual Settings are either wholly applied or not "
         "applied at all to their target ManagedSystemElement. The "
         "return value should be 0 if the Setting is successfully "
         "applied to the referenced ManagedSystemElement, 1 if the "
         "method is not supported, 2 if the Setting was not applied "
         "within the specified times, and any other number if an "
         "error occurred. In a subclass, the set of possible return "
         "codes could be specified, using a ValueMap qualifier on "
         "the method. The strings to which the ValueMap contents are "
         "'translated' may also be specified in the subclass as a "
         "Values array qualifier.\n"
         "Note: If an error occurs in applying the Setting to a "
         "ManagedSystemElement, the Element must be configured as "
         "when the 'apply' attempt began. That is, the Element "
         "should NOT be left in an indeterminate state.") ]
   uint32 ApplyIncrementalChangeToMSE(
    [IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply,
    [IN] datetime MustBeCompletedBy,
    [IN] string PropertiesToApply[]);
        [Description (
         "The VerifyOKToApplyIncrementalChangeToCollection method "
         "is used to verify that a subset of the properties in "
         "this Setting can be 'applied' to the referenced "
         "Collection of ManagedSystemElements, at the given time "
         "or time interval, without causing adverse effects to "
         "either the Collection itself or its surrounding "
         "environment. The net effect is to execute the "
         "VerifyOKToApplyIncrementalChangeToMSE method "
         "against each of the Elements "
         "aggregated by the Collection. This method takes three "
         "input parameters: Collection (the Collection of Managed"
         "SystemElements that is being verified), TimeToApply (which, "
         "being a datetime, can be either a specific time or a time "
         "interval), MustBeCompletedBy (which indicates the "
         "required completion time for the method), and a "
         "PropertiesToApply array (which contains a list of the "
         "property names whose values will be verified. "
         "If they array is null or empty or contains the string "
         "\"all\" "
         "as a property name then all Settings properties shall be "
         "verified.  If it is set to \"none\" then no Settings "
         "properties "
         "will be verified). The return "
         "value should be 0 if it is OK to apply the Setting, 1 if "
         "the method is not supported, 2 if the Setting can not be "
         "applied within the specified times, and any other number if "
         "an error occurred. One output parameter is defined - "
         "CanNotApply - which is a string array that lists the keys "
         "of "
         "the ManagedSystemElements to which the Setting can NOT be "
         "applied. This enables those Elements to be revisited and "
         "either fixed, or other corrective action taken.\n"
         "In a subclass, the set of possible return codes could be "
         "specified, using a ValueMap qualifier on the method. The "
         "strings to which the ValueMap contents are 'translated' may "
         "also be specified in the subclass as a Values array "
         "qualifier.") ]
   uint32 VerifyOKToApplyIncrementalChangeToCollection (
    [IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply,
    [IN] datetime MustBeCompletedBy,
    [IN] string PropertiesToApply[],
    [OUT] string CanNotApply[]);
        [Description (
         "The ApplyIncrementalChangeToCollection method performs "
         "the application of a subset of the properties in this "
         "Setting to the referenced Collection of ManagedSystem"
         "Elements. The net effect is to execute the "
         "ApplyIncrementalChangeToMSE "
         "method against each of the Elements aggregated by the "
         "Collection. If the input value ContinueOnError is FALSE, "
         "this method applies the Setting to all Elements in the "
         "Collection until it encounters an error, in which case it "
         "stops execution, logs the key of the Element that caused "
         "the error in the CanNotApply array, and issues a return "
         "code "
         "of 2. If the input value ContinueOnError is TRUE, then this "
         "method applies the Setting to all the ManagedSystemElements "
         "in the Collection, and reports the failed Elements in the "
         "array, CanNotApply. For the latter, processing will "
         "continue "
         "until the method is applied to all Elements in the "
         "Collection, regardless of any errors encountered. The key "
         "of "
         "each ManagedSystemElement to which the Setting could not be "
         "applied is logged into the CanNotApply array. This method "
         "takes four input parameters: Collection (the Collection of "
         "Elements to which the Setting is being applied), "
         "TimeToApply "
         "(which, being a datetime, can be either a specific time or "
         "a "
         "time interval), ContinueOnError (TRUE means to continue "
         "processing on encountering an error), and MustBeCompletedBy "
         "(which indicates the required completion time for the "
         "method), and a PropertiesToApply array (which contains a "
         "list "
         "of the property names whose values will be applied. If a "
         "property is not in this list, it will be ignored by "
         "the apply. "
         "If they array is null or empty or constains the string "
         "\"all\" "
         "as a property name then all Settings properties shall be "
         "applied.  If it is set to \"none\" then no Settings "
         "properties "
         "will be applied. ). "
         "The return value should be 0 if the Setting is "
         "successfully applied to the referenced Collection, 1 if the "
         "method is not supported, 2 if the Setting was not applied "
         "within the specified times, 3 if the Setting can not be "
         "applied using the input value for ContinueOnError, and any "
         "other number if an error occurred. One output parameter is "
         "defined, CanNotApplystring, which is an array that lists "
         "the keys of the ManagedSystemElements to which the Setting "
         "was NOT able to be applied. This output parameter has "
         "meaning only when the ContinueOnError parameter is TRUE.\n"
         "In a subclass, the set of possible return codes could be "
         "specified, using a ValueMap qualifier on the method. The "
         "strings to which the ValueMap contents are 'translated' may "
         "also be specified in the subclass as a Values array "
         "qualifier.\n"
         "Note: if an error occurs in applying the Setting to a "
         "ManagedSystemElement in the Collection, the Element must be "
         "configured as when the 'apply' attempt began. That is, the "
         "Element should NOT be left in an indeterminate state.") ]
   uint32 ApplyIncrementalChangeToCollection(
    [IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply,
    [IN] boolean ContinueOnError,
    [IN] datetime MustBeCompletedBy,
    [IN] string PropertiesToApply[],
    [OUT] string CanNotApply[]);

};

// ==================================================================
//     CIM_SystemSetting
// ==================================================================
        [Abstract, Description (
         "CIM_SystemSetting represents the general concept "
         "of a CIM_Setting which is scoped by/weak to a System.")]
class CIM_SystemSetting : CIM_Setting {
       [Propagated ("CIM_System.CreationClassName"), Key,
        MaxLen (256), Description (
        "The scoping System's CreationClassName.") ]
    string SystemCreationClassName;
       [Propagated ("CIM_System.Name"), Key, MaxLen (256),
        Description ("The scoping System's Name.") ]
    string SystemName;
       [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.") ]
    string CreationClassName;
       [Override ("SettingID"), Key, MaxLen (256)]
    string SettingID;
};

// ==================================================================
//    System
// ==================================================================
        [Abstract, Description (
         "A CIM_System is a LogicalElement that aggregates an "
         "enumerable set of Managed System Elements. The aggregation "
         "operates as a functional whole. Within any effort particular "
         "subclass of System, there is a well-defined list of "
         "Managed System Element classes whose instances must be "
         "aggregated.") ]
class CIM_System:CIM_LogicalElement
{
        [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this property "
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.") ]
    string CreationClassName;
        [Key, MaxLen (256), Override ("Name"), Description (
         "The inherited Name serves as key of a System instance in "
         "an enterprise environment.") ]
    string Name;
        [MaxLen (64), Description (
         "The System object and its derivatives are Top Level Objects "
         "of CIM. They provide the scope for numerous components. "
         "Having unique System keys is required. A heuristic can be "
         "defined in individual System subclasses to attempt to "
         "always "
         "generate the same System Name Key. The NameFormat property "
         "identifies how the System name was generated, using "
         "the subclass' heuristic.") ]
    string NameFormat;
        [MaxLen (256), Description (
         "A string that provides information on how the primary "
         "system "
         "owner can be reached (e.g. phone number, email address, "
           "...)."),
         MappingStrings {"MIF.DMTF|General Information|001.3"} ]
    string PrimaryOwnerContact;
        [MaxLen (64), Description (
           "The name of the primary system owner."),
         MappingStrings {"MIF.DMTF|General Information|001.4"} ]
    string PrimaryOwnerName;
        [Description (
         "An array (bag) of strings that specify the roles this "
         "System "
         "plays in the IT-environment. Subclasses of System may "
         "override this property to define explicit Roles values. "
         "Alternately, a Working Group may describe the heuristics, "
         "conventions and guidelines for specifying Roles. For "
         "example, for an instance of a networking system, the Roles "
         "property might contain the string, 'Switch' or 'Bridge'.") ]
    string Roles[];
};

// ==================================================================
//    Service
// ==================================================================
        [Abstract, Description (
         "A CIM_Service is a Logical Element that contains the "
         "information necessary to represent and manage the "
         "functionality provided by a Device and/or SoftwareFeature. "
         "A Service is a general-purpose object to configure and "
         "manage the implementation of functionality.  It is not the "
         "functionality itself.") ]
class CIM_Service:CIM_LogicalElement
{
        [Key, MaxLen (256), Description (
           "CreationClassName indicates the name of the class or the "
           "subclass used in the creation of an instance. When used "
           "with the other key properties of this class, this "
           "property "
           "allows all instances of this class and its subclasses to "
           "be uniquely identified.") ]
    string CreationClassName;
        [Override ("Name"), Key, MaxLen (256),
         Description (
         "The Name property uniquely identifies the Service and "
         "provides an indication of the functionality that is "
         "managed. This functionality is described in more detail in "
         "the object's Description property. ") ]
    string Name;
        [MaxLen (10), Description (
         "StartMode is a string value indicating whether the Service "
         "is automatically started by a System, Operating System, "
         "etc. "
         "or only started upon request."),
           ValueMap {"Automatic", "Manual"} ]
    string StartMode;
        [Description (
         "Started is a boolean indicating whether the Service "
         "has been started (TRUE), or stopped (FALSE).") ]
    boolean Started;
        [Propagated ("CIM_System.CreationClassName"), Key,
           MaxLen (256), Description (
         "The scoping System's CreationClassName. ") ]
    string SystemCreationClassName;
        [Propagated ("CIM_System.Name"), Key, MaxLen (256),
         Description ("The scoping System's Name.") ]
    string SystemName;
        [Description (
         "The StartService method places the Service in the started "
         "state. It returns an integer value of 0 if the Service was "
         "successfully started, 1 if the request is not supported and "
         "any other number to identify any such rights. Information indicate an error. In a subclass, the "
         "set of possible return codes could be specified, using a "
         "ValueMap qualifier on the method. The strings to which the "
         "ValueMap contents are 'translated' may also be specified in "
         "the subclass as a Values array qualifier.") ]
    uint32 StartService();
        [Description (
         "The StopService method places the Service in the stopped "
         "state. It returns an integer value of 0 if the Service was "
         "successfully stopped, 1 if the request is not supported and "
         "any other number to indicate an error. In a subclass, the "
         "set of possible return codes could be specified, using a "
         "ValueMap qualifier on the
   IETF's procedures with respect method. The strings to rights in standards-track and
   standards-related documentation can which the "
         "ValueMap contents are 'translated' may also be found specified in BCP-11.

   Copies of claims of rights "
         "the subclass as a Values array qualifier.") ]
    uint32 StopService();
};

// ==================================================================
//    ServiceAccessPoint
// ==================================================================
        [Abstract, Description (
         "CIM_ServiceAccessPoint represents the ability to utilize or "
         "invoke a Service.  Access points represent that a Service "
         "is made available to other entities for publication use.") ]
class CIM_ServiceAccessPoint:CIM_LogicalElement
{
        [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this "
         "property "
         "allows all instances of this class and any
   assurances its subclasses to "
         "be uniquely identified.") ]
    string CreationClassName;
        [Override ("Name"), Key, MaxLen (256),
         Description (
         "The Name property uniquely identifies the "
         "ServiceAccessPoint "
         "and provides an indication of licenses the functionality that is "
         "managed.  This functionality is described in more detail in "
         "the object's Description property.") ]
    string Name;
        [Propagated ("CIM_System.CreationClassName"), Key,
           MaxLen (256), Description (
         "The scoping System's CreationClassName.") ]
    string SystemCreationClassName;
        [Propagated ("CIM_System.Name"), Key, MaxLen (256),
           Description ("The scoping System's Name.") ]
    string SystemName;
};

// ==================================================================
// ===              Association class definitions                 ===
// ==================================================================

// ==================================================================
//    Component
// ==================================================================
        [Association, Abstract, Aggregation, Description (
         "CIM_Component is a generic association used to be made available, or establish "
         "'part of' relationships between Managed System Elements. "
         "For "
         "example, the result SystemComponent association defines parts of an
   attempt made to obtain a general license or permission for "
         "a System.") ]
class CIM_Component
{
        [Aggregate, Key, Description (
         "The parent element in the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from association.") ]
    CIM_ManagedSystemElement REF GroupComponent;
        [Key, Description ("The child element in the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required association.") ]
    CIM_ManagedSystemElement REF PartComponent;
};

// ==================================================================
// Dependency
// ==================================================================
        [Association, Abstract, Description (
        "CIM_Dependency is a generic association used to practice establish "
        "dependency relationships between ManagedElements.") ]
class CIM_Dependency
{
        [Key, Description (
        "Antecedent represents the independent object in this standard. Please address "
        "association.") ]
  CIM_ManagedElement REF Antecedent;
        [Key, Description (
    "Dependent represents the information to object dependent on the IETF Executive
   Director.

11. Acknowledgments

   The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
   Vic Lortz, "
    "Antecedent.") ]
  CIM_ManagedElement REF Dependent;
};

// ===================================================================
//    ElementSetting
// ===================================================================
        [Association, Description (
         "ElementSetting represents the association between Managed"
         "SystemElements and William Dixon the Setting class(es) defined for their contributions to this IPsec
   policy model.

   Additionally, this draft would not have been possible without them.")
]
class CIM_ElementSetting
{
        [Key, Description ("The ManagedSystemElement.") ]
   CIM_ManagedSystemElement REF Element;
        [Key, Description (
         "The Setting object associated with the ManagedSystem"
         "Element.") ]
   CIM_Setting REF Setting;
};
// ==================================================================
// MemberOfCollection
// ==================================================================
        [Association, Aggregation, Description (
        "CIM_MemberOfCollection is an aggregation used to establish "
        "membership of ManagedElements in a Collection." ) ]
class CIM_MemberOfCollection
{
        [Key, Aggregate, Description (
         "The Collection that aggregates members") ]
  CIM_Collection REF Collection;
        [Key, Description ("The aggregated member of the
   preceding IPsec schema drafts.  For that, thanks go out collection.")
]
  CIM_ManagedElement REF Member;
};

// ==================================================================
//     CIM_SystemSettingContext
// ==================================================================
        [Association, Aggregation, Description (
         "This relationship associates System-specific Configuration "
         "objects with System-specific Setting objects, similar to Rob
   Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
   Rajan.

12. References

   [IKE] Harkins, D., and D. Carrel, "
         "the "
         "SettingContext association.")]
class CIM_SystemSettingContext {
        [Aggregate, Key, Description (
         "The Internet Key Exchange (IKE)",
   RFC 2409, November 1998.

   [COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP
   Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

   [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload
   (ESP)", RFC 2406, November 1998.

   [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC
   2402, November 1998.

   [PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core
   Information Configuration object that aggregates the Setting.") ]
   CIM_SystemConfiguration REF Context;
        [Key, Description ("An aggregated Setting.")]
   CIM_SystemSetting REF Setting;
};

Appendix B (DMTF User Model -- Version 1 Specification", RFC 3060, February
   2001.

   [DOI] Piper, D., "The Internet IP Security Domain of Interpretation
   for ISAKMP", RFC 2407, November 1998.

   [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory
   Access Protocol (v3)", RFC 2251, December 1997.

   [COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
   Sastry, MOF)

// ==================================================================
// OrganizationalEntity
// ==================================================================
   [Abstract, Description (
   "OrganizationalEntity is an abstract class from which classes "
   "that fit into an organizational structure are derived.") ]
class CIM_OrganizationalEntity : CIM_ManagedElement
   {
   };

// ==================================================================
// UserEntity
// ==================================================================
   [Abstract, Description (
   "UserEntity is an abstract class that represents users.") ]
class CIM_UserEntity : CIM_OrganizationalEntity
   {
   };

// ==================================================================
// UsersAccess
// ==================================================================
   [Description (
   "The COPS (Common Open Policy Service) Protocol", RFC 2748,
   January 2000.  Internet-Draft work in progress.

   [COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie,
   F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
   Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000.
   Internet-Draft work in progress.

   [SPSL] Condell, M., and C. Lynn, J. Zao, "Security Policy
   Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000.
   Internet-Draft work UsersAccess object class is used to specify a system user "
   "that permitted access to system resources.  The ManagedElement "
   "that has access to system resources (represented in progress.

   [KEYWORDS] Bradner, S., "Key words for use the model in RFCs "
   "the ElementAsUser association) may be a person, a service, a "
   "service access point or any collection thereof. Whereas the "
   "Account class represents the user's relationship to Indicate
   Requirement Levels", BCP 14, RFC 2119, March 1997.

   [IPSO] Kent, S., "U.S. Department a system "
   "from the perspective of Defense Security Options for the Internet Protocol", RFC 1108, November 1991.

   [IPSEC] Kent, S., security services of the system, the "
   "UserAccess class represents the relationships to the systems "
   "independent of a particular system or service.") ]
class CIM_UsersAccess: CIM_UserEntity
   {
      [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and Atkinson, R., "Security Architecture for its subclasses to "
        "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (256),Description (
      "The Name property defines the
   Internet Protocol", RFC 2401, November 1998.

13. Disclaimer label by which the object is "
        "known.")]
   string Name;
      [Key, Description (
        "The ElementID property uniquely specifies the ManagedElement "
        "object instance that is the user represented by the "
        "UsersAccess object instance.  The views and specification herein are those of ElementID is formatted "
        "similarly to a model path except that the authors and property-value "
        "pairs are
   not necessarily those of their employer. ordered in alphabetical order (US ASCII lexical "
        "order).")]
   string ElementID;
      [Description (
        "Biometric information used to identify a person.  The authors and their
   employer specifically disclaim responsibility for any problems
   arising from correct "
        "property value is left null or incorrect implementation set to 'N/A' for non-human "
        "user or use of this
   specification.

14. Authors' Addresses

      Jamie Jason
      Intel Corporation
      MS JF3-206
      2111 NE 25th Ave.
      Hillsboro, OR 97124
      E-Mail: jamie.jason@intel.com

      Lee Rafalow
      IBM Corporation, BRQA/502
      4205 So. Miami Blvd.
      Research Triangle Park, NC 27709
      E-mail:  rafalow@raleigh.ibm.com

      Eric Vyncke
      Cisco Systems
      Avenue Marcel Thiry, 77
      B-1200 Brussels
      Belgium
      E-mail: evyncke@cisco.com

15. Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document a user not using biometric information for "
        "authentication."),
        Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger",
                 "Voice", "DNA-RNA", "EEG"} ]
   uint16 Biometric[];
   };

// ==================================================================
//    SecurityService
// ==================================================================
        [ Abstract, Description (
         "CIM_SecurityService ...") ]
class CIM_SecurityService:CIM_Service
{
};

// ==================================================================
//    AuthenticationService
// ==================================================================
   [Description (
   "CIM_AuthenticationService verifies users' identities through "
   "some means.  These services are decomposed into a subclass that "
   "provides credentials to users and translations a subclass that provides for "
   "the verification of it maybe copied and furnished the validity of a credential and, perhaps, "
   "the appropriateness of its use for access to
   others, and derivative works target resources. "
   "The persistent state information used from one such verification "
   "to another is maintained in an Account for that comment Users Access on or otherwise explain it
   or assist "
   "that AuthenticationService.") ]
class CIM_AuthenticationService:CIM_SecurityService
   {
   };

// ==================================================================
//    CredentialManagementService
// ==================================================================
   [Description (
   "CIM_CredentialManagementService issues credentials and manages "
   "the credential lifecycle.") ]
class CIM_CredentialManagementService:CIM_AuthenticationService
   {
   };

// ==================================================================
//    CertificateAuthority
// ==================================================================
        [Description ("A Certificate Authority (CA) is a credential "
         "management service that issues and cryptographically "
         "signs certificates thus acting as an trusted third-party "
         "intermediary in its implementation establishing trust relationships. The CA "
         "authenicates the holder of the private key related to the "
         "certificate's public key; the authenicated entity is "
         "represented by the UsersAccess class.") ]
class CIM_CertificateAuthority:CIM_CredentialManagementService
{
        [Description (
         "The CAPolicyStatement describes what care is taken by the "
         "CertificateAuthority when signing a new certificate.  "
         "The CAPolicyStatment may be prepared, copied, published
   and distributed, in whole a dot-delimited ASN.1 OID "
         "string which identifies to the formal policy statement.") ]
    string CAPolicyStatement;
        [Description ( "A CRL, or in part, without restriction CertificateRevocationList, is a "
         "list of any
   kind, provided that certificates which the above copyright notice CertificateAuthority has "
         "revoked and this paragraph which are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing yet expired.  Revocation is "
         "necessary when the copyright notice or references to private key associated with the Internet Society public "
         "key of a certificate is lost or other
   Internet organizations, except as needed compromised, or when the "
         "person for whom the purpose of
   developing Internet standards in which case certificate is signed no longer is "
         "entitled to use the procedures certificate."), Octetstring ]
    string CRL[];
        [Description ("Certificate Revocation Lists may be "
         "available from a number of distribution points.  "
         "CRLDistributionPoint array values provide URIs for
   copyrights those "
         "distribution points.")]
    string CRLDistributionPoint[];
        [Description ( "Certificates refer to their issuing CA by "
         "its Distinguished Name (as defined in the Internet Standards process must be
   followed, or as required to translate it into languages other then
   English.

   The limited permissions granted above are perpetual and X.501)."), DN]
    string CADistinguishedName;
        [Description ( "The frequency, expressed in hours, at which "
           "the CA will not be
   revoked by the Internet Society or update its successors Certificate Revocation List.  Zero "
           "implies that the refresh frequency is unknown."),
           Units("Hours")]
    uint8 CRLRefreshFrequency;
        [Description ( "The maximum number of certificates in a "
         "certificate chain permitted for credentials issued by "
         "this certificate authority or assigns.

   This document it's subordinate CAs.\n"
         "The MaxChainLength of a superior CA in the trust "
         "hierarchy should be greater than this value and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING
   TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Appendix A (DMTF Core Model MOF) "
         "MaxChainLength of a subordinate CA in the trust hierarchy "
         "should be less than this value.")]
    uint8 MaxChainLength;
};

// ==================================================================
// ManagedElement    KerberosKeyDistributionCenter
// ==================================================================
   [Abstract,
        [Description (
         "CIM_KerberosKeyDistributionCenter ...") ]
class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService
{
        [Override ("Name"),
         Description ("The Realm served by this KDC.")]
    string Name;
        [Description ("The version of Kerberos supported by this "
         "service."),
         Values {"V4", "V5", "DCE", "MS"} ]
    uint16 Protocol[];
};

// ==================================================================
//    Notary
// ==================================================================
        [Description (
   "ManagedElement
         "CIM_Notary is an abstract AuthenticationService (credential "
         "management service) which compares the "
         "biometric characteristics of a person with the "
         "known characteristics of an Users Access, and determines "
         "whether the person is the UsersAccess.  An example is "
         "a bank teller who compares a picture ID with the person "
         "trying to cash a check, or a biometric login service that "
         "uses voice recognition to identify a user.") ]
class CIM_Notary:CIM_CredentialManagementService
{
        [Description ( "The types of biometric information which "
           "this Notary can compare."),
         Values { "N/A", "Other", "Facial", "Retina", "Mark",
                  "Finger", "Voice", "DNA-RNA", "EEG"} ]
    uint16 Comparitors;
        [Description (
         "The SealProtocol is how the decision of the Notary is "
         "recorded for future use by parties who will rely on its "
         "decision.  For instance, a drivers licence frequently "
         "includes tamper-resistent coatings and markings to protect "
         "the recorded decision that provides a common driver, having various "
        "superclass (or top
         "biometric characteristics of the inheritance tree) for the height, weight, hair and eye "
        "non-association classes in the CIM Schema.")]
   class CIM_ManagedElement
   {
     [MaxLen (64), Description (
      "The Caption property is
         "color, using a short textual description (one-"
      "line string) particular name, has features represented in "
         "a photograph of the object.") ] their face.")]
    string Caption; SealProtocol;
        [Description (
      "The Description property provides a textual description of
         "CharterIssued documents when the Notary is first "
      "the object.") ]
     string Description;
         "authorized, by whoever gave it responsibility, to perform "
         "its service.")]
    datetime CharterIssued;
        [Description (
         "CharterExpired documents when the Notary is no longer "
         "authorized, by whoever gave it responsibility, to perform "
         "its service.")]
    datetime CharterExpired;
};

// ==================================================================
// Collection    LocalCredentialManagementService
// ==================================================================
  [Abstract, Description
        [Description (
   "Collection
         "CIM_LocalCredentialManagementService is an abstract class that provides a common"
   "superclass for data elements credential "
         "management service that represent collections of provides local system "
   "ManagedElements and its subclasses.")]
         "management of credentials used by the local system.") ]
class CIM_Collection : CIM_ManagedElement
CIM_LocalCredentialManagementService:CIM_CredentialManagementService
{
};

// ==================================================================
//    ManagedSystemElement    SharedSecretService
// ==================================================================
        [Abstract, Description (
         "CIM_ManagedSystemElement is the base class for the System "
         "Element hierarchy. Membership Criteria: Any distinguishable "
         "component of a System is a candidate for inclusion in this "
         "class. Examples: software components, such as files; and "
         "devices, such as disk drives and controllers, and physical "
           "components such as chips and cards.") ]
class CIM_ManagedSystemElement : CIM_ManagedElement
{
        [Description (
         "A datetime value indicating when
         "CIM_SharedSecretService is a service which ascertains "
         "whether messages received are from the object was installed. Principal with "
         "A lack
         "whom a secret is shared.  Examples include a login "
         "service that proves identity on the basis of knowledge of "
         "the shared secret, or a value does not indicate transport integrity service (like "
         "Kerberos provides) that includes a message authenticity "
         "code that proves each message in the object is not messsage stream came "
         "installed."),
         MappingStrings {"MIF.DMTF|ComponentID|001.5"} ]
    datetime InstallDate;
         "from someone who knows the shared secret session key.")]
class CIM_SharedSecretService:CIM_LocalCredentialManagementService
{
        [MaxLen (256), Description (
         "The Name property defines Algorithm used to convey the label shared secret, such as "
         "HMAC-MD5,or PLAINTEXT.") ]
    string Algorithm;
        [Description (
         "The Protocol supported by which the object SharedSecretService.")]
    string Protocol;
};

// ==================================================================
//    PublicKeyManagementService
// ==================================================================
        [Description (
         "CIM_PublicKeyManagementService is a credential management "
         "known. When subclassed, the Name property can be overridden
         "service that provides local system management of public "
         "to be a Key property.")
         "keys used by the local system.") ]
    string Name;
         [MaxLen (10),
class
CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService
{
};

// ==================================================================
//    Credential
// ==================================================================
        [Abstract, Description (
         "  A string indicating the current status
         "Subclasses of the object. "
         "Various operational and non-operational statuses are "
         "defined. Operational statuses are \"OK\", \"Degraded\", "
         "\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that "
         "the Element is functioning, but needs attention. Examples CIM_Credential define materials, "
         "of \"Stressed\" states
         "information, or other data which are overload, overheated, etc. The "
         "condition \"Pred Fail\" (failure predicted) indicates that "
         "an Element is functioning properly but predicting a failure "
         "in the near future. An example is a SMART-enabled hard used to prove the "
         "drive. \n"
         "identity of a CIM_UsersAccess to a particular "  Non-operational statuses can also
         "CIM_SecurityService.  Generally, there may be specified. These "
         "are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", some shared "
         "\"Stopped\",
         "information, or credential material which is used to "
         "\"Service\",\"No Contact\"
         "identify and \"Lost Comm\". \"NonRecover\""
         "indicates that a non-recoverable error has occurred. authenticate ones self in the process of "
         "\"Service\" describes
         "gaining access to, or permission to use, an Element being configured, Account. "
         "maintained,"
         "cleaned, or otherwise administered. This status could apply
         "Such credential material may be used to authenticate a "
         "during mirror-resilvering of
         "users access identity  initially, as done by a disk, reload "
         "CIM_AuthenticationService (see later), and additionally on "
         "an ongoing basis during the course of a user "
         "permissions list, connection or other administrative task. Not all "
         "such
         "other  security association, as proof that each received "
         "work is on-line, yet
         "message or communication came from the Element is neither \"OK\" nor in owning user access "
         "one of the other states. \"No Contact\" indicates that the
         "of "
         "current instance of the monitoring system has knowledge of
         "that credential material.") ]
class CIM_Credential:CIM_ManagedElement
{
};

// ==================================================================
//    PublicKeyCertificate
// ==================================================================
        [Description ("A Public Key Certificate is a credential "
         "this Element but has never been able
         "that is cryptographically signed by a trusted Certificate "
         "Authority (CA) and issued to establish an authenticated entity "
         "communications with it. \"Lost Comm\" indicates that
         "(e.g., human user, service,etc.) called the Subject in "
         "the ManagedSystemElement is known to exist certificate and has been represented by the UsersAccess class. "
         "contacted successfully
         "The public key in the past, but the certificate is currently cryptographically "
         "unreachable."
         "\"Stopped\" indicates
         "related to a private key that the ManagedSystemElement is to be held and kept "
         "known
         "private by the authenticated Subject.  The certificate "
         "to exist, it is not operational (i.e. it is unable to
         "and its related private key can then be used for "
         "provide service
         "establishing trust relationships and securing "
         "communications with the Subject.  Refer to users), but it has not failed. It the ITU/CCITT "
         "has purposely
         "X.509 standard as an example of such certificates.") ]
class CIM_PublicKeyCertificate:CIM_Credential
{
         [Propagated ("CIM_System.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"),
          Key, MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Propagated ("CIM_CertificateAuthority.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_CertificateAuthority.Name"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceName;
         [Key, MaxLen (256), Description (
          "Certificate subject identifier")]
     string Subject;
         [MaxLen (256), Description (
          "Alternate subject identifier for the Certificate.")]
     string AltSubject;
         [Description ("The DER-encoded raw public key."), Octetstring]
     uint8 PublicKey[];
};

// ==================================================================
//    UnsignedPublicKey
// ==================================================================
        [Description (
         "A CIM_UnsignedPublicKey represents an unsigned public "
         "been made non-operational.
         "key credential.  The Element local UsersAccess (or subclass "
         "may have never been \"OK\",
         "thereof) accepts the Element may have initiated public key as authentic because of "
         "its
         "a direct trust relationship rather than via a third-party "
         "own stop, or
         "Certificate Authority.") ]
class CIM_UnsignedPublicKey:CIM_Credential
{
         [Propagated ("CIM_System.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"),
          Key, MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Propagated
("CIM_PublicKeyManagementService.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_PublicKeyManagementService.Name"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceName;
         [Key, MaxLen (256), Description (
          "The Identity of the Peer with whom a management system direct trust "
          "relationship exists.  The public key may have initiated the be used for "
         "stop."),
         ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail",
             "Starting", "Stopping", "Service", "Stressed",
             "NonRecover", "No Contact", "Lost Comm", "Stopped"}
          "security functions with the Peer."),
         ModelCorrespondence
           {"CIM_PublicKeyManagementService.PeerIdentityType" } ]
     string Status;
};

// ==================================================================
//    LogicalElement
// ==================================================================
        [Abstract, Description (
         "CIM_LogicalElement PeerIdentity;
           [Description ("PeerIdentityType is a base class for all used to describe the components "
         "of "
         "a System that represent abstract system components, such "
         "as Files, Processes, or system capabilities in
          "type of the form PeerIdentity.  The currently defined values "
         "of Logical Devices.")
          "are used for IKE identities."),
           ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8",
          "9", "10", "11"},
           Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN",
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
          "DER_ASN1_GN", "KEY_ID"},
         ModelCorrespondence
           {"CIM_PublicKeyManagementService.PeerIdentity" } ]
class CIM_LogicalElement:CIM_ManagedSystemElement
{
     uint16 PeerIdentityType;
         [Description ("The DER-encoded raw public key."),
          Octetstring]
     uint8 PublicKey[];
};

// ==================================================================
//     CIM_SystemConfiguration    KerberosTicket
// ==================================================================
        [Description (
         "CIM_SystemConfiguration
         "A CIM_KerberosTicket represents a credential issued by a "
         "particular Kerberos Key Distribution Center (KDC) "
         "to a particular CIM_UsersAccess as the general concept result of a "
         "of
         "successful authentication process.  There are two types of "
         "tickets that a CIM_Configuration which is scoped by/weak KDC may issue to a Users Access - a "
         "System. This class
         "TicketGranting ticket, which is a peer of CIM_Configuration since used to protect and "
         "authenticate communications between the Users Access and "
         "the key structure of Configuration is currently "
         "defined
         "KDC, and cannot be modified a Session ticket, which the KDC issues to two "
         "Users Access to allow them to communicate with additional each other. "
         "properties.")]
          ) ]
class CIM_SystemConfiguration : CIM_ManagedElement CIM_KerberosTicket:CIM_Credential
{
         [Propagated ("CIM_System.CreationClassName"), Key,
         MaxLen (256), Description (
        "The scoping System's CreationClassName.") ] ("Scoping System")]
        string SystemCreationClassName;
         [Propagated ("CIM_System.Name"), Key,
         MaxLen (256),
        Description ("The scoping System's Name.") ] (256),Description ("Scoping System")]
        string SystemName;
         [Key, MaxLen (256), Propagated
         ("CIM_KerberosKeyDistributionCenter.CreationClassName"),
         Description (
        "CreationClassName indicates the name ("Scoping Service")]
        string ServiceCreationClassName;
         [Propagated ("CIM_KerberosKeyDistributionCenter.Name"),
         Key, MaxLen (256),
         Description ("Scoping Service.  The Kerberos KDC Realm of the class or the "
        "subclass
        "CIM_KerberosTicket is used in to record the creation of an instance. When used security "
        "with the other key properties of this class, this property
        "authority, or Realm, name so that tickets issued by "
        "allows all instances of this class
        "different Realms can be separately managed and its subclasses to "
        "be uniquely identified.") ]
          "enumerated.")]
        string CreationClassName; ServiceName;
        [Key, MaxLen (256), Description (
         "The label by which ("The name of the Configuration object is known.") ]
   string Name;
};

// ===================================================================
//    Setting
// ===================================================================
        [Abstract, Description (
         "The Setting class represents configuration-related and "
         "operational parameters for one or more ManagedSystem"
         "Element(s). A ManagedSystemElement may have multiple "
         "Setting "
         "objects associated with it. The current operational values service "
           "for an Element's parameters are reflected by properties in "
         "the Element itself or by properties in its associations. "
         "These properties do not have to be the same values present "
         "in the Setting object. For example, a modem may have a "
         "Setting baud rate of 56Kb/sec but be operating "
         "at 19.2Kb/sec.") ]
class CIM_Setting : CIM_ManagedElement
{
        [MaxLen which this ticket is used.")]
        string AccessesService;
        [Key, MaxLen (256), Description (
         "The identifier
         "RemoteID is the name by which the Setting object user is known.") ] known at "
         "the KDC security service.")]
        string SettingID; RemoteID;
        datetime Issued;
        datetime Expires;
          [Description (
          "The VerifyOKToApplyToMSE method Type of CIM_KerberosTicket is used to verify that indicate whether "
         "this Setting can be 'applied'
          "the ticket in question was issued by the Kerberos Key "
          "Distribution Center (KDC) to support ongoing communication "
          "between the referenced Managed"
         "SystemElement, at Users Access and the given time or time interval. This KDC (\"TicketGranting\"), "
         "method takes three input parameters: MSE (the Managed"
         "SystemElement that
          "or was issued by the KDC to support ongoing communication "
          "between two Users Access entities (\"Session\")." ),
          Values {"Session", "TicketGranting"}]
        uint16 TicketType;
};

// ==================================================================
//    SharedSecret
// ==================================================================
        [Description (
         "CIM_SharedSecret is being verified), TimeToApply (which, the secret shared between a Users "
         "being
         "Access "
         "and a datetime, can particular SharedSecret security service.  Secrets "
         "may be either in the form of a specific time password used for initial "
         "authentication, or as with a time session key, used as part of "
         "interval), and MustBeCompletedBy (which indicates the
         "a message authentication code to verify that a message "
         "required completion time for
         "originated by the method). The return pricinpal with whom the secret is shared. "
         "value should be 0 if it
         "It is OK important to apply note that SharedSecret is not just the Setting, 1 if "
         "password, but rather is the password used with a particular "
         "security service.")]
class CIM_SharedSecret:CIM_Credential
{
         [Propagated ("CIM_System.CreationClassName"), Key,
          MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"), Key,
          MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Key, MaxLen (256), Propagated
          ("CIM_SharedSecretService.CreationClassName"),
          Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_SharedSecretService.Name"),
          Key, MaxLen (256),
          Description ("Scoping Service")]
     string ServiceName;
        [Key, MaxLen (256), Description (
         "RemoteID is the name by which the user is known at "
         "the method remote secret key authentication service.")]
     string RemoteID;
        [Description (
         "secret is not supported, 2 the secret known by the Users Access.")]
     string secret;
        [Description (
         "algorithm names the transformation algorithm, if any, used "
         "to protect passwords before use in the Setting can not be protocol.  For "
         "applied within
         "instance, Kerberos doesn't store passwords as the specified times, and any other number shared "
         "if an error occurred. In
         "secret, but rather, a subclass, hash of the password.")]
     string algorithm;
        [Description (
         "protocol names the protocol with which the SharedSecret is "
         "set of possible return codes could be specified, using
         "used.")]
     string protocol;
};

// ==================================================================
//    NamedSharedIKESecret
// ==================================================================
        [Description (
         "CIM_NamedSharedIKESecret indirectly represents a shared "
         "ValueMap qualifier on
         "secret credential.  The local identity, IKEIdentity, "
         "and the method. remote peer identity share the secret that is "
         "named by the SharedSecretName.  The strings SharedSecretName is "
         "used SharedSecretService to which reference the secret.") ]
class CIM_NamedSharedIKESecret:CIM_Credential

{
         [Propagated ("CIM_System.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"),
          Key, MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Propagated ("CIM_SharedSecretService.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_SharedSecretService.Name"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceName;
         [Key, MaxLen (256), Description (
          "The local Identity with whom the direct trust "
         "ValueMap contents are 'translated' may also be specified in
          "relationship exists."),
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.LocalIdentityType" } ]
     string LocalIdentity;
           [Key, Description ("LocalIdentityType is used to describe "
          "the subclass as a type of the LocalIdentity."),
           ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
          "9", "10", "11"},
           Values array qualifier.") {"IPV4_ADDR", "FQDN", "USER_FQDN",
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
          "DER_ASN1_GN", "KEY_ID"},
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.LocalIdentity" } ]
   uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);
        [Description
    uint16 LocalIdentityType;
         [Key, MaxLen (256), Description (
          "The ApplyToMSE method performs peer identity with whom the actual application of direct trust "
         "the Setting
          "relationship exists."),
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.PeerIdentityType" } ]
     string PeerIdentity;
           [Key, Description ("PeerIdentityType is used to the referenced ManagedSystemElement. It describe "
         "takes three input parameters: MSE (the ManagedSystem"
         "Element to which
          "the type of the Setting PeerIdentity."),
           ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
          "9", "10", "11"},
           Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
          "DER_ASN1_GN", "KEY_ID"},
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.PeerIdentity" } ]
     uint16 PeerIdentityType;
         [Description ("SharedSecretName is being applied), "
         "TimeToApply (which, being a datetime, can be either a an indirect reference "
         "specific time or
          "to a time interval), and MustBeCompletedBy "
         "(which indicates the required completion time for the "
         "method). Note that the semantics of this method are that "
         "individual Settings are either wholly applied or shared secret.  The SecretService does not expose "
         "applied at all
          "the actual secret but rather provides access to their target ManagedSystemElement. The "
         "return value should be 0 if the Setting is successfully "
         "applied
          "secret via a name.")]
     string SharedSecretName;
};

// ==================================================================
// ===              Association class definitions                 ===
// ==================================================================

// ==================================================================
// ElementAsUser
// ==================================================================
   [Association, Description (
   "CIM_ElementAsUser is an association used to the referenced ManagedSystemElement, 1 if establish the "
         "method is not supported, 2 if
   "'ownership' of UsersAccess object instances.  That is, the Setting was not applied "
         "within
   "ManagedElement may have UsersAccess to systems and, therefore, "
   "be 'users' on those systems.  UsersAccess instances must have an "
   "'owning' ManagedElement.  Typically, the specified times, ManagedElements will be "
   "limited to Collection, Person, Service and any other number if an ServiceAccessPoint. "
         "error occurred. In a subclass, the set
   "Other non-human ManagedElements that might be thought of possible return as "
         "codes could be specified, using
   "having UsersAccess (e.g., a ValueMap qualifier on device or system) have services that "
         "the method. The strings
   "have the UsersAccess.")]
class CIM_ElementAsUser : CIM_Dependency
   {
        [Min (1), Max (1), Override ("Antecedent"),
        Description ("The ManagedElement that has UsersAccess") ]
   CIM_ManagedElement REF Antecedent;
        [Override ("Dependent"),
        Description ("The 'owned' UsersAccess") ]
   CIM_UsersAccess REF Dependent;
   };

// ==================================================================
// UsersCredential
// ==================================================================
   [Association, Description (
   "CIM_UsersCredential is an association used to which establish the ValueMap contents are "
         "'translated'
   "credentials that may also be specified in the subclass as used for a "
         "Values array qualifier.\n"
         "Note: If an error occurs in applying the Setting UsersAccess to a system or "
         "ManagedSystemElement, the Element must
   "set of systems. "    )]
class CIM_UsersCredential : CIM_Dependency
   {
        [Override ("Antecedent"),
        Description ("The issued credential that may be configured as used.") ]
   CIM_Credential REF Antecedent;
        [Override ("Dependent"),
        Description ("The UsersAccess that has use of a credential") ]
   CIM_UsersAccess REF Dependent;
   };

// ===================================================================
//    PublicPrivateKeyPair
// ===================================================================
        [Association, Description (
         "This relationship associates a PublicKeyCertificate with "
         "when
         "the Principal who has the 'apply' attempt began. That is, PrivateKey used with the Element "
         "should NOT
         "PublicKey.  The PrivateKey is not modeled, since it is not "
         "a data element that ever SHOULD be left in an indeterminate state.") accessible via "
         "management applications, other than key recovery services, "
         "which are outside our scope.") ]
   uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);
class CIM_PublicPrivateKeyPair:CIM_UsersCredential
{
      [ Override ("Antecedent") ]
   CIM_PublicKeyCertificate REF Antecedent;
      [ Override ("Dependent") ]
   CIM_UsersAccess REF Dependent;
        [Description ( "The VerifyOKToApplyToCollection method is Certificate may be used to verify for signature "
         "that this Setting can be 'applied' to the referenced
        "only "
         "Collection of ManagedSystemElements, at
        "or for confidentiality as well as signature"),
        Values { "SignOnly", "ConfidentialityOrSignature"} ]
   uint16 Use;
   boolean NonRepudiation;
   boolean BackedUp;
        [Description ("The repository in which the given time certificate is "
         "or time interval, without causing adverse effects to
        "backed up.")]
   string Repository;
};

// ===================================================================
//    CAHasPublicCertificate
// ===================================================================
   [Association, Description (
   "A CertificateAuthority may have certificates issued by other CAs. "
         "either
   "This association is essentially an optimization of the Collection itself or its surrounding CA having "
         "environment. The net effect is
   "a UsersAccess instance with an association to execute the a certificate thus "
         "VerifyOKToApply method against each of the Elements
   "mapping more closely to LDAP-based certificate authority "
         "aggregated
   "implementations.") ]
class CIM_CAHasPublicCertificate:CIM_Dependency
{
        [Max (1), Override ("Antecedent"),
        Description ("The Certificate used by the Collection. This method takes three "
         "input parameters: Collection (the Collection of Managed"
         "SystemElements CA")]
   CIM_PublicKeyCertificate REF Antecedent;
        [Override ("Dependent"),
        Description ("The CA that is being verified), TimeToApply (which, "
         "being uses a datetime, can be either Certificate")]
   CIM_CertificateAuthority REF Dependent;
};

// ===================================================================
//    ManagedCredential
// ===================================================================
        [Association, Description (
         "This relationship associates a specific time or CredentialManagementService "
         "with the Credential it manages.") ]
class CIM_ManagedCredential:CIM_Dependency
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ( "The credential management service")]
   CIM_CredentialManagementService REF Antecedent;
        [Override ("Dependent"),
        Description ( "The managed credential")]
   CIM_Credential REF Dependent;
};

// ===================================================================
//    CASignsPublicKeyCertificate
// ===================================================================
        [Association, Description (
         "This relationship associates a time "
         "interval), and MustBeCompletedBy (which indicates the "
         "required completion time for the method). The return CertificateAuthority with "
         "value should be 0 if
         "the certificates it is OK to apply signs.") ]
class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ( "The CA which signed the Setting, 1 if "
         "the method is not supported, 2 if certificate")]
   CIM_CertificateAuthority REF Antecedent;
        [Override ("Dependent"), Weak,
        Description ( "The certificate issued by the Setting can not be "
         "applied within CA")]
   CIM_PublicKeyCertificate REF Dependent;
   string SerialNumber;
      [ Octetstring ]
   uint8 Signature[];
   datetime Expires;
   string CRLDistributionPoint[];
};

// ==================================================================
//    LocallyManagedPublicKey
// ==================================================================
        [Association, Description (
         "CIM_LocallyManagedPublicKey association provides the specified times, "
         "relationship between a PublicKeyManagementService and any other number if an "
         "an error occurred. One output parameter is defined -
         "UnsignedPublicKey.") ]
class CIM_LocallyManagedPublicKey:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
         Description ("The PublicKeyManagementService that manages "
         "CanNotApply - which is
         "an unsigned public key.") ]
    CIM_PublicKeyManagementService REF Antecedent;
        [Override ("Dependent"), Weak, Description (
         "An unsigned public key.") ]
    CIM_UnsignedPublicKey REF Dependent;
};

// ===================================================================
//    SharedSecretIsShared
// ===================================================================
        [Association, Description (
         "This relationship associates a string array that lists SharedSecretService with the keys "
         "of "
         "the ManagedSystemElements to which
         "SecretKey it verifies.") ]
class CIM_SharedSecretIsShared : CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ("The credential management service")]
   CIM_SharedSecretService REF Antecedent;
        [Override ("Dependent"), Weak,
        Description ( "The managed credential")]
   CIM_SharedSecret REF Dependent;
};

// ==================================================================
//    IKESecretIsNamed
// ==================================================================
        [Association, Description (
         "CIM_IKESecretIsNamed association provides the Setting can NOT be "
         "applied. This enables those Elements to be revisited and "
         "either fixed, or other corrective action taken.\n"
         "In
         "relationship between a subclass, the set of possible return codes could be "
         "specified, using SharedSecretService and a ValueMap qualifier on the method. The "
         "strings to which the ValueMap contents are 'translated' may "
         "also be specified in the subclass as
         "NamedSharedIKESecret.") ]
class CIM_IKESecretIsNamed:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
         Description ("The SharedSecretService that manages a Values array "
         "qualifier.") ]
   uint32 VerifyOKToApplyToCollection
         "NamedSharedIKESecret.")]
    CIM_SharedSecretService REF Antecedent;
        [Override ("Dependent"), Weak, Description (
    [IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy,
    [OUT] string CanNotApply[]);
        [Description
         "The managed NamedSharedIKESecret.") ]
    CIM_NamedSharedIKESecret  REF Dependent;
};

// ===================================================================
//    KDCIssuesKerberosTicket
// ===================================================================
   [Association, Description (
   "The ApplyToCollection method performs the application of "
         "the Setting to the referenced Collection of ManagedSystem"
         "Elements. The net effect is to execute the ApplyToMSE "
         "method against each of the Elements aggregated by the "
         "Collection. If the input value ContinueOnError is FALSE, KDC issues and owns Kerberos tickets.  This association "
         "this method applies the Setting to all Elements in
   "captures the "
         "Collection until it encounters an error, in which case it "
         "stops execution, logs relationship between the key of KDC and its issued tickets."
   ) ]
class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ( "The issuing KDC") ]
   CIM_KerberosKeyDistributionCenter REF Antecedent;
        [Override ("Dependent"), Weak,
        Description ( "The managed credential")]
   CIM_KerberosTicket REF Dependent;
};

// ===================================================================
//    NotaryVerifiesBiometric
// ===================================================================
        [Association, Description (
         "This relationship associates a Notary service with the Element "
         "Users Access whose biometric information is verified.") ]
class CIM_NotaryVerifiesBiometric : CIM_Dependency
{
        [Override ("Antecedent"),
        Description ("The Notary service that caused verifies biometric "
         "the error in the CanNotApply array, and issues
        "information ") ]
   CIM_Notary REF Antecedent;
        [Override ("Dependent"),
        Description ( "The UsersAccess that represents a return "
         "code person using "
         "of 2. If the input value ContinueOnError
        "biometric information for authentication.")]
   CIM_UsersAccess REF Dependent;
};

Appendix C (DMTF Network Model MOF)

// ==================================================================
//     NetworkService
// ==================================================================
        [Abstract, Description (
         "This is TRUE, then this "
         "method applies the Setting to all an abstract base class, derived from the ManagedSystemElements Service "
         "in the Collection, and reports
         "class. It serves as the failed Elements in root of the network service "
         "array, CanNotApply. For the latter, processing will
         "hierarchy. Network services represent generic functions "
         "continue
         "that are available from the network that configure and/or "
         "until
         "modify the method traffic being sent. For example, FTP is applied not a "
         "network service, as it simply passes data unchanged from "
         "source to all Elements in destination. On the other hand, services "
         "Collection, regardless
         "that provide quality of any errors encountered. The key "
         "of service (e.g., DiffServ) and "
         "each ManagedSystemElement to which
         "security (e.g., IPSec) do affect the Setting could not be traffic stream. "
         "applied is logged into the CanNotApply array. This method
         "Quality of service, IPSec, and other services are "
         "takes four input parameters: Collection (the Collection
         "subclasses of this class. This class hierarchy enables "
         "Elements
         "developers to which match services to users, groups, "
         "and other objects in the Setting network.") ]

class CIM_NetworkService : CIM_Service
{
        [Description (
         "This is being applied), "
         "TimeToApply "
         "(which, being a datetime, free-form array of strings that provide "
         "descriptive words and phrases that can be either used in queries "
         "to help locate and identify instances of this service.") ]
    string Keywords [ ];
        [Description (
         "This is a specific time or URL that provides the protocol, network "
         "a
         "location, and other service-specific information required "
         "time interval), ContinueOnError (TRUE means
         "in order to continue access the service. This should be implemented "
         "processing on encountering an error),
         "as a LabeledURI, with syntax DirectoryString and MustBeCompletedBy a "
         "(which indicates the required completion time
         "matching rule of CaseExactMatch, for the directory "
         "method). The return value should be 0 if the Setting
         "implementors.") ]
    string ServiceURL;
        [Description (
         "This is a free-form array of strings that specify any "
         "successfully applied to the referenced Collection, 1 if the
         "specific pre-conditions that must be met in order for this "
         "method
         "service to start correctly. It is not supported, 2 if the Setting was not applied "
         "within the specified times, 3 if the Setting can not be expected that subclasses "
         "applied using
         "will refine the input value for ContinueOnError, inherited StartService() and any StopService()"
         "methods to suit their own application-specific needs. This "
         "other number if an error occurred. One output parameter
         "property is used to specify application-specific conditions "
         "defined, CanNotApplystring, which
         "needed by the refined StartService and StopService"
         "methods.") ]
    string StartupConditions [ ];
         [Description (
         "This is an a free-form array of strings that lists specify any "
         "the keys of
         "specific parameters that must be supplied to the ManagedSystemElements "
         "StartService() method in order for this service to which start "
         "correctly. It is expected that subclasses will refine the Setting "
         "was NOT able
         "inherited StartService() and StopService() methods to be applied. This output parameter has suit "
         "meaning only when the ContinueOnError parameter
         "their own application-specific needs. This property is TRUE.\n"
         "In a subclass, the set of possible return codes could be used "
         "specified, using a ValueMap qualifier on
         "to specify application-specific parameters needed by the method. The "
         "strings to
         "refined StartService and StopService methods.") ]
    string StartupParameters [ ];
};

// ==================================================================
//     ProtocolEndpoint
// ==================================================================
        [Description (
         "A communication point from which the ValueMap contents are 'translated' data may "
         "also be specified in the subclass as a Values array sent or "
         "qualifier.\n"
         "Note: if an error occurs in applying the Setting
         "received. ProtocolEndpoints link router interfaces and "
         "switch ports to LogicalNetworks.") ]

class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint
{
        [Override ("Name"), MaxLen(256), Description (
         "A string which identifies this ProtocolEndpoint with either "
         "a port or an interface on a device. To ensure uniqueness, "
         "ManagedSystemElement in the Collection, the Element must
         "the Name property should be prepended or appended with "
         "configured as when the 'apply' attempt began. That is,
         "information from the Type or OtherTypeDescription "
         "Element should NOT be left
         "properties. The method chosen is described in an indeterminate state.") the "
         "NameFormat property of this class.") ]
   uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply, [IN] boolean ContinueOnError,
    [IN] datetime MustBeCompletedBy, [OUT]
    string CanNotApply[]);
                 [Description Name;
        [MaxLen (256), Description (
         "The VerifyOKToApplyIncrementalChangeToMSE method "
         "is used
         "NameFormat contains the naming heuristic that is chosen to verify "
         "ensure that a subset the value of the properties in Name property is unique. For "
         "this Setting can be 'applied'
         "example, one might choose to prepend the referenced Managed"
         "SystemElement, at name of the given time or time interval. This port "
         "method takes four input parameters: MSE (the Managed"
         "SystemElement
         "or interface with the Type of ProtocolEndpoint that this "
         "instance is being verified), TimeToApply (which, (e.g., IPv4)followed by an underscore.") ]
    string NameFormat;
        [MaxLen (64), Description (
         "ProtocolType is an enumeration that provides additional "
         "being a datetime,
         "information that can be either a specific time or a time "
         "interval), MustBeCompletedBy (which indicates the "
         "required completion time for the method), used to help categorize and a "
         "PropertiesToApply array (which contains a list
         "classify different instances of this class."),
          ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
                   "10", "11", "12", "13", "14", "15", "16", "17",
                   "18", "19", "20", "21"},
         Values { "Unknown", "Other", "IPv4", "IPv6", "IPX",
                 "AppleTalk", "DECnet", "SNA", "CONP", "CLNP",
                 "VINES", "XNS", "ATM", "Frame Relay",
                 "Ethernet", "TokenRing", "FDDI", "Infiniband",
                 "Fibre Channel", "ISDN BRI Endpoint",
                 "ISDN B Channel Endpoint", "ISDN D Channel Endpoint"
},
          ModelCorrespondence {
                 "CIM_ProtocolEndpoint.OtherTypeDescription"} ]
    string ProtocolType;
        [MaxLen(64), Description (
         "A string describing the type of ProtocolEndpoint that this "
         "property names whose values will be verified. "
         "If they array
         "instance is null or empty or constains when the string "
         "\"all\" "
         "as a Type property name then all Settings properties shall be of this class (or any of "
         "verified.  If it
         "its  subclasses) is set to \"none\" then no Settings "
         "properties 1 (e.g., 'Other'). The format of "
         "will
         "the string inserted in this property should be verified). The return similar in "
         "format to the values defined for the Type property. This "
         "value
         "property should be 0 if it is OK set to apply NULL when the Setting, 1 if "
         "the method Type property is not supported, 2 if the Setting can not be "
         "applied within the specified times, and any
         "any value other number than 1."),
           ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} ]
   string OtherTypeDescription;
};

// ==================================================================
//     IPProtocolEndpoint
// ==================================================================
        [Description (
         "A ProtocolEndpoint that is dedicated to running IP.") ]

class CIM_IPProtocolEndpoint : CIM_ProtocolEndpoint
{
        [Description (
         "The IP address that this ProtocolEndpoint represents, "
         "if an error occurred. In a subclass,
         "formatted according to the appropriate convention as "
         "set
         "defined in the AddressType property of possible return codes could be specified, using a this class "
         "ValueMap qualifier on
         " (e.g., 171.79.6.40).") ]
    string Address;
        [Description (
         "The mask for the method. The strings IP address of this ProtocolEndpoint, "
         "formatted according to which the appropriate convention as "
         "ValueMap contents are 'translated' may also be specified
         "defined in the AddressType property of this class "
         "the subclass as a Values array qualifier.")
         " (e.g., 255.255.252.0).") ]
   uint32 VerifyOKToApplyIncrementalChangeToMSE(
    [IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply,
    [IN] datetime MustBeCompletedBy,
    [IN]
    string PropertiesToApply[]); SubnetMask;
        [Description (
         "The ApplyIncrementalChangeToMSE method performs
         "An enumeration that describes the "
         "actual application of  a subset format of the properties in "
         "the Setting to the referenced ManagedSystemElement. It address "
         "takes four input parameters: MSE (the ManagedSystem"
         "Element to which the Setting is being applied),
         "property. Whenever possible, IPv4-compatible addresses "
         "TimeToApply (which, being a datetime, can
         "should be either a used instead of native IPv6 addresses (see "
         "specific time or
         "RFC 2373, section 2.5.4). In order to have a time interval), MustBeCompletedBy consistent "
         "(which indicates the required completion time
         "format for the IPv4 addresses in a mixed IPv4/v6 environment, "
         "method),
         "all IPv4 addresses and a both IPv4-compatible IPv6 addresses "
         "PropertiesToApply array (which contains a list
         "and IPv4-mapped IPv6 addresses, per RFC 2373, section "
         "2.5.4, should be formatted in standard IPv4 format. "
         "However, this (the 2.2) version of the Network Common "
         "property names whose values
         "Model will not explicitly support mixed IPv4/IPv6 "
         "environments. This will be applied. If added in a "
         "property future release."),
        ValueMap { "0", "1", "2" },
        Values { "Unknown", "IPv4", "IPv6" } ]
    uint16 AddressType;
        [Description (
         "It is not in this list, it will be ignored by possible to tell from the address alone if a "
         "apply. "
         "If they array is null or empty
         "given IPProtocolEndpoint can support IPv4 and IPv6, or constains "
         "just one of these. This property explicitly defines the string "
         "\"all\"
         "support for different versions of IP that this "
         "as a property name then all Settings properties shall be
         "IPProtocolEndpoint has. "
         "applied.  If it
         "\n\n"
         "More implementation experience is set needed in order to \"none\" then no Settings "
         "properties "
         "will be applied. ). "
         "Note that the semantics of
         "correctly model mixed IPv4/IPv6 networks; therefore, this method are that "
         "individual Settings are either wholly applied or
         "version (2.2) of the Network Common Model will not support "
         "mixed IPv4/IPv6 environments. This will be looked at "
         "further in a future version."),
        ValueMap { "0", "1", "2" },
        Values { "Unknown", "IPv4 Only", "IPv6 Only" } ]
    uint16 IPVersionSupport;
};

// ===================================================================
//     CIM_FilterEntryBase
// ===================================================================
        [Description (
         "
         "applied at  FilterEntryBase is an abstract class to define the naming "
         "of all filter entries, and to allow their target ManagedSystemElement. common "
         "aggregation into FilterLists. The FilterEntry subclass "
         "return value should be 0 if the Setting is successfully
         "represents packet filtering. Other types of Entries are "
         "applied
         "possible - for example, to the referenced ManagedSystemElement, 1 if the filter security credentials. \n"
         "
         "method  FilterEntryBase is not supported, 2 if weak to the Setting was not applied "
         "within network device (e.g., the specified times, and any other number if an "
         "error occurred. In a subclass,
         "ComputerSystem) that contains it. Hence, the set of possible return "
         "codes could be specified, using a ValueMap qualifier on ComputerSystem "
         "the method. The strings
         "keys are propagated to which this class.") ]

class CIM_FilterEntryBase : CIM_LogicalElement
{
        [Propagated ("CIM_ComputerSystem.CreationClassName"), Key,
           MaxLen (256),
         Description (
          "The scoping ComputerSystem's CreationClassName. ") ]
    string SystemCreationClassName;
        [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256),
         Description (
          "The scoping ComputerSystem's Name.") ]
    string SystemName;
        [Key, MaxLen (256),
         Description (
          "CreationClassName indicates the ValueMap contents are "
         "'translated' may also be specified in name of the class or the subclass as a "
         "Values array qualifier.\n"
         "Note: If an error occurs
          "subclass used in applying the Setting to a creation of an instance. When used "
         "ManagedSystemElement,
          "with the Element must be configured as other key properties of this class, this property "
         "when the 'apply' attempt began. That is, the Element
          "allows all instances of this class and its subclasses to "
         "should NOT be left in an indeterminate state.")
          "be uniquely identified.") ]
    string CreationClassName;
        [Key, MaxLen (256),
         Description (
          "The Name property defines the label by which the Filter"
            "Entry is known and uniquely identified.") ]
   uint32 ApplyIncrementalChangeToMSE(
    [IN] CIM_ManagedSystemElement ref MSE,
    [IN] datetime TimeToApply,
    [IN] datetime MustBeCompletedBy,
    [IN]
    string PropertiesToApply[]); Name;
        [Description (
         "The VerifyOKToApplyIncrementalChangeToCollection method "
         "is used to verify
          "Boolean indicating that a subset of the match condition described "
          "in the properties in of the FilterEntryBase subclass "
         "this Setting can
          "should be 'applied' to negated.") ]
    boolean IsNegated;
};

// ===================================================================

//     CIM_IPHeaderFilter

// ===================================================================

        [Description ("IPHeaderFilter contains the referenced "
         "Collection all of ManagedSystemElements, at the given time "
         "or time interval, without causing adverse effects
         "properties necessary to perform filtering on an IP header "
         "either the Collection itself or its surrounding "
         "environment. The net effect is to execute

         "or a portion thereof.")]

class CIM_IPHeaderFilter : CIM_FilterEntryBase

{

        [Description ("IpVersion identifies the "
         "VerifyOKToApplyIncrementalChangeToMSE method "
         "against each version of the Elements "
         "aggregated by the Collection. This method takes three IP "
         "input parameters: Collection (the Collection of Managed"
         "SystemElements that

         "addresses for IP header filters.  It is being verified), TimeToApply (which, "
         "being a datetime, can be either a specific time or a time "
         "interval), MustBeCompletedBy (which indicates the also used to "
         "required completion time for

         "determine the method), and a "
         "PropertiesToApply array (which contains a list sizes of the "
         "property names whose values will be verified. "
         "If they array is null or empty or contains OctetStrings in the string four "
         "\"all\"

         "properties SrcAddress, SrcMask, DestAddress, and DestMask, "

         "as a property name then all Settings properties shall be follows:\n"

         "ipv4(4):  OctetString(SIZE (4))\n"

         "ipv6(6):  OctetString(SIZE (16|20)), depending on whether\n"

         "
         "verified.  If it          a scope identifier is set to \"none\" then no Settings "
         "properties present"),

        ValueMap {"4", "6" },

        Values { "IPv4", "IPv6" },

        ModelCorrespondence {

         "CIM_IPHeaderFilter.SrcAddress",

         "CIM_IPHeaderFilter.SrcMask",

         "CIM_IPHeaderFilter.DestAddress",

         "CIM_IPHeaderFilter.DestMask" } ]

   uint8 IpVersion;

        [Description ("SrcAddress is an OctetString, of a size "
         "will be verified). The return

         "determined by the value of the IpVersion property, "
         "value should be 0 if it

         "representing a source IP address.  This value is OK compared to"

         " the source address in the IP header, subject to apply the Setting, 1 if mask "
         "the method is not supported, 2 if

         "represented in the Setting can not be SrcMask property."),

        OCTETSTRING,

        ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]

   uint8 SrcAddress[];

        [Description ("SrcMask is an OctetString, of a size determined"

         "
         "applied within by the specified times, and any other number if value of the IpVersion property, representing a mask"

         "
         "an error occurred. One output parameter is defined - to be used in comparing the source address in the IP header"

         "
         "CanNotApply - which with the value represented in the SrcAddress property."),

        OCTETSTRING,

        ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]

   uint8 SrcMask[];

        [Description ("DestAddress is an OctetString, of a string array that lists size "

         "determined by the keys value of the IpVersion property, "
         "of

         "representing a destination IP address.  This value is "
         "the ManagedSystemElements

         "compared to which the Setting can NOT be destination address in the IP header, "
         "applied. This enables those Elements

         "subject to be revisited and "
         "either fixed, or other corrective action taken.\n"
         "In a subclass, the set mask represented in the DestMask property."),

        OCTETSTRING,

        ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]

   uint8 DestAddress[];
        [Description ("DestMask is an OctetString, of possible return codes could be "
         "specified, using a ValueMap qualifier on size "

         "determined by the method. The value of the IpVersion property, "
         "strings

         "representing a mask to which be used in comparing the ValueMap contents are 'translated' may destination "
         "also be specified

         "address in the IP header with the value represented in the subclass as a Values array "
         "qualifier.") ]
   uint32 VerifyOKToApplyIncrementalChangeToCollection (
    [IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply,
    [IN] datetime MustBeCompletedBy,
    [IN] string PropertiesToApply[],
    [OUT] string CanNotApply[]);

         "DestAddress property."),

        OCTETSTRING,

        ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]

   uint8 DestMask[];

        [Description (
         "The ApplyIncrementalChangeToCollection method performs ("ProtocolID is an 8-bit unsigned integer, "
         "the application

         "representing an IP protocol type.  This value is compared to"

         " the Protocol field in the IP header.")]

   uint8 ProtocolID;

        [Description ("SrcPortStart represents the lower end of a subset "

         "range of UDP or TCP source ports.  The upper end of the properties in this "
         "Setting to

         "range is represented by the referenced Collection of ManagedSystem"
         "Elements. SrcPortEnd property.  The net effect value "

         "of SrcPortStart MUST be no greater than the value of "

         "SrcPortEnd.  A single port is to execute indicated by equal values for "

         "SrcPortStart and SrcPortEnd.\n"

         "\n"

         "A source port filter is evaluated by testing whether the "
         "ApplyIncrementalChangeToMSE

         "source port identified in the IP header falls within the "
         "method against each

         "range of values between SrcPortStart and SrcPortEnd, "

         "including these two end points.")]

   uint16 SrcPortStart;

        [Description ("SrcPortEnd represents the upper end of a range "

         "of UDP or TCP source ports.  The lower end of the Elements aggregated range is "

         "represented by the SrcPortStart property.  The value of "
         "Collection. If

         "SrcPortEnd MUST be no less than the input value ContinueOnError of SrcPortStart.  "

         "A single port is FALSE, indicated by equal values for SrcPortStart "
         "this method applies

         "and SrcPortEnd.\n"

         "\n"

         "A source port filter is evaluated by testing whether the Setting to all Elements "

         "source port identified in the IP header falls within the "
         "Collection until it encounters an error, in which case it

         "range of values between SrcPortStart and SrcPortEnd, "
         "stops execution, logs

         "including these two end points.")]

   uint16 SrcPortEnd;

        [Description ("DestPortStart represents the key lower end of "

         "a range of UDP or TCP destination ports.  The upper end of the Element that caused "

         "the error in range is represented by the CanNotApply array, and issues a return "
         "code DestPortEnd property.  The "
         "of 2. If

         "value of DestPortStart MUST be no greater than the input value ContinueOnError of "

         "DestPortEnd.  A single port is TRUE, then this indicated by equal values for"
         "
         "method applies the Setting to all DestPortStart and DestPortEnd.\n"

         "\n"

         "A destination port filter is evaluated by testing whether "

         "the destination port identified in the ManagedSystemElements IP header falls "
         "in

         "within the Collection, range of values between DestPortStart and reports the failed Elements in the "
         "array, CanNotApply. For

         "DestPortEnd, including these two end points.")]

   uint16 DestPortStart;

        [Description ("DestPortEnd represents the latter, processing will "
         "continue upper end of a range"

         "
         "until of UDP or TCP destination ports.  The lower end of the method "

         "range is applied to all Elements in represented by the "
         "Collection, regardless of any errors encountered. DestPortStart property.  The key "
         "of "
         "each ManagedSystemElement to which the Setting could not

         "value of DestPortEnd MUST be no less than the value of "
         "applied

         "DestPortStart. A single port is logged into indicated by equal values "

         "for DestPortStart and DestPortEnd.\n"

         "\n"

         "A destination port filter is evaluated by testing whether "

         "the destination port identified in the CanNotApply array. This method IP header falls "
         "takes four input parameters: Collection (the Collection

         "within the range of values between DestPortStart and "
         "Elements to which the Setting

         "DestPortEnd, including these two end points.")]

   uint16 DestPortEnd;

        [Description ("DSCPs are defined as discrete code points, "

         "with no inherent structure, there is being applied), no semantically "
         "TimeToApply

         "significant relationship between different DSCPs.  "
         "(which, being a datetime, can be either

         "Consequently, there is no provision for specifying a specific time or range "
         "a

         "of DSCPs in this property.  Since, in IPv4, the DSCP field "
         "time interval), ContinueOnError (TRUE means

         "may contain bits to continue be interpreted as the TOS IP Precedence,"

         "
         "processing this property is also used to filter on encountering an error), and MustBeCompletedBy IP Precedence. "
         "(which indicates

         "Similarly, the required completion time for the "
         "method), and a PropertiesToApply array (which contains a "
         "list IPv6 Traffic Class field is also filtered "
         "of

         "using the property names whose values will be applied. If a "
         "property is not value in this list, property."),

        MAXVALUE (63)]

   uint8 DSCP;

        [Description ("The 20-bit Flow Label field in the IPv6 header "

         "may be used by a source to label sequences of packets for "

         "which it will be ignored requests special handling by the IPv6 devices, such"

         "
         "the apply. "
         "If they array is null or empty as non-default quality of service or constains 'real-time' service.  "

         "In the filter, this 20-bit string is encoded in a 24-bit "
         "\"all\"

         "octetstring by right-adjusting the value and padding on the "
         "as

         "left with b'0000'."),

        OCTETSTRING ]

   uint8 FlowLabel[];

};

// ==================================================================
//     FilterList

// ==================================================================
        [Description (
         "A FilterList is used by network devices to identify routes "
         "by aggregating a property name then all Settings properties shall set of FilterEntries into a unit, called a "
         "FilterList. FilterLists can also be used to accept or deny "
         "applied.  If it
         "routing updates."
         "\n\n"
         "A FilterList is set weak to \"none\" then no Settings "
         "properties the network device (e.g., the "
         "will be applied. ).
         "ComputerSystem) that contains it. Hence, the ComputerSystem "
         "keys are propagated to this class.") ]

class CIM_FilterList : CIM_LogicalElement
{
        [Propagated ("CIM_ComputerSystem.CreationClassName"), Key,
           MaxLen (256), Description (
         "The return value should be 0 if scoping ComputerSystem's CreationClassName. ") ]
    string SystemCreationClassName;

        [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256),
         Description ("The scoping ComputerSystem's Name.") ]
    string SystemName;

        [Key, Description (
         "The type of class that this instance is.") ]
    string CreationClassName;
        [Key, MaxLen(256), Description (
         "This is the Setting name of the FilterList.") ]
    string Name;

        [Description (
         "This defines whether the FilterList is used "
         "successfully applied
         "for input, output, or both input and output "
         "filtering. All values are used with respect to "
         "the interface for which the referenced Collection, 1 if the FilterList applies. "
         "method
         "\n\n"
         "\"Not Applicable\" (0) is not supported, 2 if the Setting was not applied used when there is no "
         "within
         "direction applicable to the specified times, 3 if FilterList.\n"
         "\"Input\" (1) is used when the Setting can not be FilterList applies "
         "applied using
         "to packets that are inbound on the input value for ContinueOnError, and any related "
         "other number if an error occurred. One output parameter
         "interface.\n"
         "\"Output\" (2) is used when the FilterList applies "
         "defined, CanNotApplystring, which
         "to packets that are outbound on the related "
         "interface.\n"
         "\"Both\" (3) is an array used to indicate that lists "
         "the keys direction is immaterial, e.g., to filter on "
         "a source subnet regardless of whether the ManagedSystemElements flow is "
         "inbound or outbound.\n"
         "\"Mirrored\" (4) is also applicable to which "
         "both inbound and outbound flow processing, but "
         "indicates that the Setting filter criteria are applied "
         "was NOT able
         "asymmetrically to be applied. This output parameter has traffic in both directions "
         "meaning only when the ContinueOnError parameter is TRUE.\n"
         "In a subclass,
         "and, thus, specifies the set reversal of possible return codes could be "
         "specified, using a ValueMap qualifier on the method. The source and "
         "strings
         "destination criteria (as opposed to which the ValueMap contents are 'translated' may equality "
         "also be specified
         "of these criteria as indicated by \"Both\"). "
         "The match conditions in the aggregated "
         "FilterEntryBase subclass instances are defined "
         "from the perspective of outbound flows and applied "
         "to inbound flows as well by reversing the source "
         "and destination criteria. So, for example, "
         "consider a Values array FilterList with 3 FilterEntries "
         "qualifier.\n"
         "Note: if an error occurs in applying the Setting to
         "indicating destination port = 80, and source and "
         "destination addresses of a and b, respectively. "
         "ManagedSystemElement in
         "Then, for the Collection, outbound direction, the Element must be filter "
         "configured
         "entries match as when the 'apply' attempt began. That is, specified and the 'mirror' (for "
         "Element should NOT be left in an indeterminate state.")
         "the inbound direction) matches on source "
         "port = 80 and source and destination addresses "
         "of b and a, respectively."),
         Values {"Not Applicable", "Input", "Output",
               "Both", "Mirrored" } ]
   uint32 ApplyIncrementalChangeToCollection(
    [IN] CIM_CollectionOfMSEs ref Collection,
    [IN] datetime TimeToApply,
    [IN] boolean ContinueOnError,
    [IN] datetime MustBeCompletedBy,
    [IN] string PropertiesToApply[],
    [OUT] string CanNotApply[]);
    uint16 Direction;
};

// ==================================================================
//     CIM_SystemSetting ===              Association class definitions                 ===
// ==================================================================
        [Abstract,

// ==================================================================
//    EntriesInFilterList
// ==================================================================
        [Association, Aggregation, Description (
         "CIM_SystemSetting represents
         "This is a specialization of the general concept CIM_Component aggregation "
         "of a CIM_Setting which
         "which is scoped by/weak used to define a System.")] set of filter entries (subclasses "
         "of FilterEntryBase) that are aggregated by a particular "
         "FilterList.") ]
class CIM_SystemSetting CIM_EntriesInFilterList : CIM_Setting CIM_Component
{
       [Propagated ("CIM_System.CreationClassName"), Key,
        MaxLen (256),
        [Aggregate, Max(1), Override ("GroupComponent"),
         Description (
          "The scoping System's CreationClassName.") FilterList, which aggregates the set "
          "of FilterEntries.") ]
    string SystemCreationClassName;
       [Propagated ("CIM_System.Name"), Key, MaxLen (256),
    CIM_FilterList REF GroupComponent;
        [Override ("PartComponent"),
         Description ("The scoping System's Name.") (
          "Any subclass of FilterEntryBase which is a part of "
          "the FilterList.") ]
    string SystemName;
       [Key, MaxLen (256), Description
    CIM_FilterEntryBase REF PartComponent;
        [Description (
        "CreationClassName indicates the name
          "The order of the class or the "
        "subclass used Entry relative to all others in the creation of an instance. When used "
        "with
          "FilterList. A value of zero indicates that all the other key properties Entries "
          "should be ANDed together. Use of this class, this the Sequence property "
        "allows all instances of this class and its subclasses
          "should be consistent across the List. It is not valid to "
        "be uniquely identified.")
          "define some Entries as ANDed in the FilterList (Sequence"
          "=0) while other Entries have a non-zero Sequence number.") ]
    string CreationClassName;
       [Override ("SettingID"), Key, MaxLen (256)]
    string SettingID;
    uint16 EntrySequence;
};

Appendix D (DMTF Policy Model MOF)

// ==================================================================
//    System Policy
// ==================================================================
   [Abstract, Description (
         "A CIM_System is a LogicalElement that aggregates an "
         "enumerable set
   "An abstract class defining the common properties of Managed System Elements. The aggregation the policy "
         "operates as a functional whole. Within any particular
   "managed elements derived from CIM_Policy.  The subclasses are "
         "subclass
   "used to create rules and groups of System, there is rules that work together to "
   "form a well-defined list coherent set of policies within an administrative domain "
         "Managed System Element classes whose instances must be "
         "aggregated.")
   "or set of domains.")
   ]
class CIM_System:CIM_LogicalElement CIM_Policy : CIM_ManagedElement
{
        [Key, MaxLen (256), Description
        [Description (
         "CreationClassName indicates the
      "A user-friendly name of the class or the "
         "subclass used in the creation this policy-related object.")
      ]
   string CommonName;
      [Description (
      "An array of an instance. When used keywords for characterizing / categorizing "
         "with the other key properties
      "policy objects. Keywords are of this class, this property "
         "allows all instances one of two types: \n"
      "- Keywords defined in this class and its subclasses to "
         "be uniquely identified.") ]
    string CreationClassName;
        [Key, MaxLen (256), Override ("Name"), Description (
         "The inherited Name serves as key of other MOFs, or in DMTF"
      "white papers. These keywords provide a System instance vendor-"
      "independent, installation-independent way of "
      "characterizing policy objects. \n"
      "- Installation-dependent keywords for characterizing "
      "policy objects. Examples include 'Engineering', "
      "'Billing', and 'Review in December 2000'. \n"
      "This MOF defines the following keywords:  'UNKNOWN', "
         "an enterprise environment.") ]
    string Name;
        [MaxLen (64), Description (
         "The System object
      "'CONFIGURATION', 'USAGE', 'SECURITY', 'SERVICE', "
      "'MOTIVATIONAL', 'INSTALLATION', and its derivatives 'EVENT'. These "
      "concepts are Top Level Objects self-explanatory and are further discussed "
         "of CIM. They provide
      "in the scope for numerous components. SLA/Policy White Paper. One additional keyword "
         "Having unique System keys
      "is defined: 'POLICY'. The role of this keyword is required. A heuristic can be "
         "defined in individual System subclasses to attempt to "
         "always
      "identify policy-related instances that may not be otherwise "
         "generate the same System Name Key.
      "identifiable, in some implementations. The NameFormat property keyword 'POLICY' "
         "identifies how
      "is NOT mutually exclusive of the System name was generated, using other keywords "
         "the subclass' heuristic.")
      "specified above.")
      ]
   string NameFormat;
        [MaxLen (256), PolicyKeywords [];
};

// ==================================================================
// PolicySet
// ==================================================================
   [Abstract, Description (
         "A string ("PolicySet is an abstract class that provides information on how the primary "
         "system
        "represents a set of policies that form a coherent set.  The "
         "owner can be reached (e.g. phone number, email address,
        "set of contained policies has a common decision strategy and "
           "...)."),
         MappingStrings {"MIF.DMTF|General Information|001.3"} ]
    string PrimaryOwnerContact;
        [MaxLen (64), Description (
           "The name
        "a common set of policy roles.  Subclasses include "
        "PolicyGroup and PolicyRule.")]
class CIM_PolicySet : CIM_Policy
{
        [Description ("PolicyDecisionStrategy defines the primary system owner."),
         MappingStrings {"MIF.DMTF|General Information|001.4"} evaluation "
        "method used for policies contained in the PolicySet.  "
        "FirstMatching enforces the actions of the first rule that "
        "evaluates to TRUE.  It is the only value currently defined."),
        ValueMap { "1" },
        Values { "FirstMatching" }
      ]
    string PrimaryOwnerName;
   uint16 PolicyDecisionStrategy;
        [Description (
         "An array (bag) of strings that specify
        "The PolicyRoles property represents the roles this and role "
         "System
        "combinations associated with a PolicySet.  All contained "
         "plays in
        "PolicySet instances inherit the IT-environment. Subclasses values of the PolicyRoles of System may "
         "override this property
        "the aggregating PolicySet but the values are not copied. "
        "A contained PolicySet instance may, however, add additional "
        "PolicyRoles to define explicit Roles values. those it inherits from its aggregating "
        "PolicySet(s)\n"
        "\n"
        "Each value represents one role or role combination.  Since "
        "this is a multi-valued property, more than one role or "
         "Alternately,
        "combination can be associated with a Working Group may describe the heuristics, "
         "conventions and guidelines for specifying Roles. For single PolicySet.  Each "
         "example, for an instance of
        "value is a networking system, string of the Roles form:\n"
        "
         "property might contain  <RoleName>[&&<RoleName>]*\n"
        "where the string, 'Switch' or 'Bridge'.") individual role names appear in alphabetical order "
        "(according to the collating sequence for UCS-2).") ]
    string Roles[]; PolicyRoles [];

};

// ==================================================================
//    Service PolicyGroup
// ==================================================================
        [Abstract, Description
   [Description (
         "A CIM_Service is a Logical Element
   "An aggregation of PolicySet instances (PolicyGroups and/or "
   "PolicyRules) that contains have the "
         "information necessary to represent same decision strategy and manage the "
         "functionality provided by a Device and/or SoftwareFeature. inherit "
         "A Service is a general-purpose object to configure
   "policy roles.   PolicyGroup instances are defined and named "
         "manage the implementation of functionality.  It is not
   "relative to the "
         "functionality itself.") CIM_System that provides their context.")
   ]
class CIM_Service:CIM_LogicalElement CIM_PolicyGroup : CIM_PolicySet
{
      [Propagated("CIM_System.CreationClassName"),
         Key, MaxLen (256),
         Description ("The scoping System's CreationClassName.")
      ]
   string SystemCreationClassName;
      [Propagated("CIM_System.Name"),
         Key, MaxLen (256),
         Description ("The scoping System's Name.")
      ]
   string SystemName;
      [Key, MaxLen (256), Description (
         "CreationClassName indicates the name of the class or the "
         "subclass used in the creation of an instance. When used "
         "with the other key properties of this class, this "
           "property "
           "allows all instances of this class and its subclasses to "
           "be uniquely identified.") ]
    string CreationClassName;
        [Override ("Name"), Key, MaxLen (256),
         Description (
         "The Name property uniquely identifies the Service and "
         "provides an indication of the functionality that is "
         "managed. This functionality is described in more detail in "
         "the object's Description property. ") ]
    string Name;
        [MaxLen (10), Description (
         "StartMode is a string value indicating whether the Service "
         "is automatically started by a System, Operating System, "
         "etc. "
         "or only started upon request."),
           ValueMap {"Automatic", "Manual"} ]
    string StartMode;
        [Description (
         "Started is a boolean indicating whether the Service class, this property "
         "has been started (TRUE), or stopped (FALSE).") ]
    boolean Started;
        [Propagated ("CIM_System.CreationClassName"), Key,
           MaxLen (256), Description (
         "The scoping System's CreationClassName. ")
         "allows all instances of this class and its subclasses to "
         "be uniquely identified.") ]
   string SystemCreationClassName;
        [Propagated ("CIM_System.Name"), Key, CreationClassName;
      [Key, MaxLen (256), Description ("The scoping System's Name.") (
         "A user-friendly name of this PolicyGroup.")
      ]
   string SystemName; PolicyGroupName;
};

// ==================================================================
// PolicyRule
// ==================================================================
   [Description (
   "The StartService method places the Service in central class used for representing the started 'If Condition then "
         "state. It returns an integer value
   "Action' semantics of 0 if the Service was a policy rule. A PolicyRule condition, in "
         "successfully started, 1 if the request
   "the most general sense, is not supported and represented as either an ORed set of "
         "any other number to indicate
   "ANDed conditions (Disjunctive Normal Form, or DNF) or an error. In a subclass, the ANDed "
   "set of possible return codes could be specified, using a "
         "ValueMap qualifier on the method. The strings to which the ORed conditions (Conjunctive Normal Form, or CNF).  "
         "ValueMap contents are 'translated'
   "Individual conditions may also either be specified in negated (NOT C) or "
         "the subclass as
   "unnegated (C).  The actions specified by a Values array qualifier.") ]
    uint32 StartService();
        [Description (
         "The StopService method places the Service in the stopped PolicyRule are to be "
         "state. It returns an integer value of 0
   "performed if the Service was "
         "successfully stopped, 1 and only if the request is not supported and PolicyRule condition (whether it "
         "any other number
   "is represented in DNF or CNF) evaluates to indicate an error. In TRUE.\n"
   "\n"
   "The conditions and actions associated with a subclass, the PolicyRule are "
         "set
   "modeled, respectively, with subclasses of possible return codes could be specified, using a "
         "ValueMap qualifier on the method. The strings PolicyCondition and "
   "PolicyAction.  These condition and action objects are tied to which "
   "instances of PolicyRule by the PolicyConditionInPolicyRule and "
         "ValueMap contents are 'translated'
   "PolicyActionInPolicyRule aggregations.\n"
   "\n"
   "A PolicyRule may also be specified in associated with one or more policy "
         "the subclass as a Values array qualifier.") ]
    uint32 StopService();
};

// ==================================================================
//    ServiceAccessPoint
// ==================================================================
        [Abstract, Description (
         "CIM_ServiceAccessPoint represents
   "time periods, indicating the ability schedule according to utilize or which the "
         "invoke a Service.  Access points represent that a Service
   "policy rule is active and inactive.  In this case it is the "
         "is
   "PolicyRuleValidityPeriod aggregation that provides this "
         "made available to other entities for use.") ]
class CIM_ServiceAccessPoint:CIM_LogicalElement
{
        [Key, MaxLen (256), Description (
           "CreationClassName indicates the name of the
   "linkage.\n"
   "\n"
   "The PolicyRule class or uses the property ConditionListType, to "
         "subclass used in
   "indicate whether the creation of an instance. When used "
           "with conditions for the other key properties of this class, this rule are in DNF or "
           "property
   "CNF.  The PolicyConditionInPolicyRule aggregation contains "
           "allows all instances of this class and its subclasses
   "two additional properties to "
           "be uniquely identified.") ]
    string CreationClassName;
        [Override ("Name"), Key, MaxLen (256),
         Description (
         "The Name property uniquely identifies complete the representation of "
         "ServiceAccessPoint "
         "and provides an indication
   "the Rule's conditional expression.  The first of the functionality that is these "
         "managed.  This functionality
   "properties is described in more detail in "
         "the object's Description property.") ]
    string Name;
        [Propagated ("CIM_System.CreationClassName"), Key,
           MaxLen (256), Description (
         "The scoping System's CreationClassName.") ]
    string SystemCreationClassName;
        [Propagated ("CIM_System.Name"), Key, MaxLen (256),
           Description ("The scoping System's Name.") ]
    string SystemName;
};

// ==================================================================
// ===              Association class definitions                 ===
// ==================================================================

// ==================================================================
//    Component
// ==================================================================
        [Association, Abstract, Aggregation, Description (
         "CIM_Component an integer to partition the referenced "
   "PolicyConditions into one or more groups, and the second is a generic association used "
   "Boolean to establish indicate whether a referenced Condition is "
         "'part of' relationships between Managed System Elements.
   "negated.  An example shows how ConditionListType and these "
         "For
   "two additional properties provide a unique representation "
         "example, the SystemComponent association defines parts
   "of a set of "
         "a System.") ]
class CIM_Component
{
        [Aggregate, Key, Description (
         "The parent element PolicyConditions in the association.") ]
    CIM_ManagedSystemElement REF GroupComponent;
        [Key, Description ("The child element in the association.") ]
    CIM_ManagedSystemElement REF PartComponent;
};

// ==================================================================
// Dependency
// ==================================================================
        [Association, Abstract, Description (
        "CIM_Dependency is either DNF or CNF.\n"
   "\n"
   "Suppose we have a generic association used to establish PolicyRule that aggregates five "
        "dependency relationships between ManagedElements.") ]
class CIM_Dependency
{
        [Key, Description (
        "Antecedent represents
   "PolicyConditions C1  through C5, with the independent object in this following values "
        "association.") ]
  CIM_ManagedElement REF Antecedent;
        [Key, Description (
    "Dependent represents
   "in the object dependent on properties of the five PolicyConditionInPolicyRule "
    "Antecedent.") ]
  CIM_ManagedElement REF Dependent;
};

// ===================================================================
//    ElementSetting
// ===================================================================
        [Association, Description (
         "ElementSetting represents
   "associations:\n"
   "    C1:  GroupNumber = 1, ConditionNegated = FALSE\n"
   "    C2:  GroupNumber = 1, ConditionNegated = TRUE\n"
   "    C3:  GroupNumber = 1, ConditionNegated = FALSE\n"
   "    C4:  GroupNumber = 2, ConditionNegated = FALSE\n"
   "    C5:  GroupNumber = 2, ConditionNegated = FALSE\n"
   "\n"
   "If ConditionListType = DNF, then the association between Managed"
         "SystemElements and overall condition for "
   "the PolicyRule is:\n"
   "        (C1 AND (NOT C2) AND C3) OR (C4 AND C5)\n"
   "\n"
   "On the Setting class(es) defined other hand, if ConditionListType = CNF, then the "
   "overall condition for them.")
]
class CIM_ElementSetting
{
        [Key, Description ("The ManagedSystemElement.") ]
   CIM_ManagedSystemElement REF Element;
        [Key, Description (
         "The Setting object the PolicyRule is:\n"
   "        (C1 OR (NOT C2) OR C3) AND (C4 OR C5)\n"
   "\n"
   "In both cases, there is an unambiguous specification of "
   "the overall condition that is tested to determine whether "
   "to perform the PolicyActions associated with the ManagedSystem"
         "Element.") ]
   CIM_Setting REF Setting;
};
// ==================================================================
// MemberOfCollection
// ==================================================================
        [Association, Aggregation, Description (
        "CIM_MemberOfCollection is an aggregation PolicyRule.\n"
   "\n"
   "PolicyRule instances may also be used to establish aggregate other "
        "membership
   "PolicyRules and/or PolicyGroups.  When used in this way to "
   "implement nested rules, the conditions of ManagedElements the aggregating rule "
   "apply to the subordinate rules as well.  However, any side "
   "effects of condition evaluation or the execution of actions MUST "
   "NOT affect the result of the evaluation of other conditions "
   "evaluated by the rule engine in the same evaluation pass.  That "
   "is, an implementation of a Collection." ) rule engine MAY evaluate all "
   "conditions in any order before applying the priority and "
   "determining which actions are to be executed.")
   ]
class CIM_MemberOfCollection CIM_PolicyRule : CIM_PolicySet
{
        [Key, Aggregate,
        [Propagated("CIM_System.CreationClassName"),
         Key, MaxLen (256),
         Description ("The Collection that aggregates
members") scoping System's CreationClassName.")
        ]
  CIM_Collection REF Collection;
        [Key,
    string SystemCreationClassName;
        [Propagated("CIM_System.Name"),
         Key, MaxLen (256),
         Description ("The aggregated member of the collection.") scoping System's Name.")
        ]
  CIM_ManagedElement REF Member;
};

// ==================================================================
//     CIM_SystemSettingContext
// ==================================================================
        [Association, Aggregation,
    string SystemName;
        [Key, MaxLen (256), Description (
         "This relationship associates System-specific Configuration "
         "objects with System-specific Setting objects, similar to "
         "the "
         "SettingContext association.")]
        "CreationClassName indicates the name of the class CIM_SystemSettingContext {
        [Aggregate, Key, Description (
         "The Configuration object that aggregates or the Setting.") ]
   CIM_SystemConfiguration REF Context;
        [Key, Description ("An aggregated Setting.")]
   CIM_SystemSetting REF Setting;
};

Appendix B (DMTF User Model MOF)

// ==================================================================
// OrganizationalEntity
// ==================================================================
   [Abstract, Description (
   "OrganizationalEntity is "
        "subclass used in the creation of an abstract instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class from which classes and its subclasses to "
   "that fit into an organizational structure are derived.")
        "be uniquely identified.") ]
class CIM_OrganizationalEntity : CIM_ManagedElement
   {
   };

// ==================================================================
// UserEntity
// ==================================================================
   [Abstract,
    string CreationClassName;
        [Key, MaxLen (256), Description (
   "UserEntity is an abstract class that represents users.")
        "A user-friendly name of this PolicyRule.")
        ]
class CIM_UserEntity : CIM_OrganizationalEntity
   {
   };

// ==================================================================
// UsersAccess
// ==================================================================
    string PolicyRuleName;
        [Description (
   "The UsersAccess object class
        "Indicates whether this PolicyRule is used administratively "
        "enabled, administratively disabled, or enabled for "
        "debug. When the property has the value 3 (\"enabledFor"
        "Debug\"), the entity evaluating the PolicyConditions is "
        "instructed to specify a system user evaluate the conditions for the Rule, but not "
   "that permitted access
        "to perform the actions if the PolicyConditions evaluate to system resources.  The ManagedElement "
   "that has access
        "TRUE. This serves as a debug vehicle when attempting to system resources (represented "
        "determine what policies would execute in a particular "
        "scenario, without taking any actions to change state "
        "during the model debugging. The default value is 1 "
        "(\"enabled\")."),
        ValueMap { "1", "2", "3" },
        Values { "enabled", "disabled", "enabledForDebug" }
        ]
    uint16 Enabled;
        [Description (
        "Indicates whether the list of PolicyConditions "
        "associated with this PolicyRule is in disjunctive "
   "the ElementAsUser association) may
        "normal form (DNF) or conjunctive normal form (CNF)."
        "The default value is 1 (\"DNF\")."),
        ValueMap { "1", "2" },
        Values { "DNF", "CNF" }
        ]
    uint16 ConditionListType;
        [Description (
        "A free-form string that can be used to provide "
        "guidelines on how this PolicyRule should be used.")
        ]
    string RuleUsage;
        [DEPRECATED {"CIM_PolicySetComponent.Priority"},
        Description (
        "PolicyRule.Priority is deprecated and replaced by "
        "providing the priority for a person, a service, rule (and a group) in the "
   "service access point or any collection thereof. Whereas
        "context of the aggregating PolicySet instead of the "
   "Account class represents
        "priority being used for all aggregating PolicySet "
        "instances.  Thus, the user's relationship assignment of priority values is much "
        "simpler.\n"
        "\n"
        "A non-negative integer for prioritizing this Policy"
        "Rule relative to a system other Rules. A larger value "
   "from
        "indicates a higher priority. The default value is 0.")
        ]
    uint16 Priority;
        [Description (
        "A flag indicating that the perspective evaluation of the security services Policy"
        "Conditions and execution of the system, PolicyActions (if the "
   "UserAccess class represents the relationships
        "Conditions evaluate to the systems TRUE) is required. The "
   "independent
        "evaluation of a particular system or service.") ]
class CIM_UsersAccess: CIM_UserEntity
   {
      [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or PolicyRule MUST be attempted if the "
        "subclass used in
        "Mandatory property value is TRUE.  If the creation of an instance. When used Mandatory "
        "with
        "property is FALSE, then the other key properties evaluation of this class, this property the Rule "
        "allows all instances of this class
        "is 'best effort' and its subclasses to "
        "be uniquely identified.")]
   string CreationClassName;
      [Key, MaxLen (256),Description MAY be ignored.")
        ]
    boolean Mandatory;
        [Description (
      "The Name
        "This property defines gives a policy administrator a way "
        "of specifying how the label by which ordering of the object PolicyActions "
        "associated with this PolicyRule is to be interpreted. "
        "known.")]
   string Name;
      [Key, Description (
        "The ElementID property uniquely specifies
        "Three values are supported:\n"
        "  o mandatory(1): Do the ManagedElement actions in the indicated "
        "object instance that is
        "    order, or don't do them at all.\n"
        "  o recommended(2): Do the user represented by actions in the indicated "
        "UsersAccess object instance.  The ElementID is formatted
        "
        "similarly    order if you can, but if you can't do them in this "
        "    order, do them in another order if you can.\n"
        "  o dontCare(3): Do them -- I don't care about the "
        "    order.\n"
        "The default value is 3 (\"dontCare\")."),
        ValueMap { "1", "2", "3" },
        Values { "mandatory", "recommended", "dontCare" }
        ]
    uint16 SequencedActions;
        [Description (
        "ExecutionStrategy defines the strategy to a model path except that be used in "
        "executing the property-value sequenced actions aggregated by this "
        "PolicyRule. There are three execution strategies:\n"
        "\n"
        "Do Until Success - execute actions according to predefined\n"
        "
        "pairs                   order, until successful execution of a\n"
        "                   single action.\n"
        "Do All -           execute ALL actions which are ordered in alphabetical order (US ASCII lexical part of\n"
        "
        "order).")]
   string ElementID;
      [Description (
        "Biometric information used                   the modeled set, according to identify a person.  The their\n"
        "
        "property value is left null                   predefined order. Continue doing this,\n"
        "                   even if one or set more of the actions "
        "                   fails.\n"
        "Do Until Failure - execute actions according to 'N/A' for non-human predefined\n"
        "
        "user or a user not using biometric information for                   order, until the first failure in\n"
        "
        "authentication."),                   execution of an action instance."),
        Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger",
                 "Voice", "DNA-RNA", "EEG"} ] {"1", "2", "3"},
        ValueMap {"Do Until Success", "Do All", "Do Until Failure"}]
    uint16 Biometric[]; ExecutionStrategy;
};

// ==================================================================
//    SecurityService ReusablePolicyContainer
// ==================================================================
        [ Abstract, Description
   [Description (
         "CIM_SecurityService ...")
         "A class representing an administratively defined "
         "container for reusable policy-related information. "
         "This class does not introduce any additional "
         "properties beyond those in its superclass "
         "AdminDomain.  It does, however, participate in a "
         "unique association for containing policy elements."
         "\n\n"
         "An instance of this class uses the NameFormat value"
         "\"ReusablePolicyContainer\".")
   ]
class CIM_SecurityService:CIM_Service CIM_ReusablePolicyContainer : CIM_AdminDomain
{
};

// ==================================================================
//    AuthenticationService PolicyRepository  *** deprecated
// ==================================================================
   [Description
   [DEPRECATED{"CIM_ReusablePolicyContainer"},
           Description (
   "CIM_AuthenticationService verifies users' identities through "
   "some means.  These services are decomposed into a subclass that "
   "provides credentials
         "The term 'PolicyRepository' has been confusing to users and a subclass that provides for both "
   "the verification
           "developers and users of the validity of model.  The replacement class "
           "name describes model element properly and is less likely "
           "to be confused with a credential and, perhaps, data repository."
           "\n\n"
         "A class representing an administratively defined "
   "the appropriateness of its use
         "container for access to target resources. reusable policy-related information. "
   "The persistent state information used from one such verification
         "This class does not introduce any additional "
   "to another is maintained
         "properties beyond those in an Account for that Users Access on its superclass "
         "AdminDomain.  It does, however, participate in a "
   "that AuthenticationService.")
         "number of unique associations."
         "\n\n"
         "An instance of this class uses the NameFormat value"
         "\"PolicyRepository\".")
   ]
class CIM_AuthenticationService:CIM_SecurityService CIM_PolicyRepository : CIM_AdminDomain
{
};

// ==================================================================
//    CredentialManagementService PolicyCondition
// ==================================================================
   [Description
   [Abstract, Description (
   "CIM_CredentialManagementService issues credentials and manages
         "A class representing a rule-specific or reusable policy "
   "the credential lifecycle.") ]
         "condition to be evaluated in conjunction with a Policy"
         "Rule. Since all operational details of a PolicyCondition "
         "are provided in subclasses of this object, this class CIM_CredentialManagementService:CIM_AuthenticationService
   {
   };

// ==================================================================
//    CertificateAuthority
// ==================================================================
        [Description ("A Certificate Authority (CA) is a credential "
         "management service that issues and cryptographically
         "abstract.")
   ]
class CIM_PolicyCondition : CIM_Policy
{
        [Key, MaxLen (256), Description (
          "
         "signs certificates thus acting as an trusted third-party  The name of the class or the subclass used in the "
         "intermediary
          "creation of the System object in establishing trust relationships. The CA whose scope this "
         "authenicates
          "PolicyCondition is defined.\n\n"
          "  "
          "This property helps to identify the holder System object in "
          "whose scope this instance of PolicyCondition exists. "
          "For a rule-specific PolicyCondition, this is the private key related to System "
          "in whose context the PolicyRule is defined. For a "
         "certificate's public key;
          "reusable PolicyCondition, this is the authenicated entity instance of "
          "PolicyRepository (which is a subclass of System) that "
         "represented by
          "holds the Condition.\n\n"
          "  "
          "Note that this property, and the analogous property "
          "SystemName, do not represent propagated keys from an "
          "instance of the UsersAccess class.") ] class CIM_CertificateAuthority:CIM_CredentialManagementService
{
        [Description (
         "The CAPolicyStatement describes what care is taken by System. Instead, they are "
          "properties defined in the context of this class, which "
          "repeat the values from the instance of System to which "
         "CertificateAuthority when signing a new certificate.
          "this PolicyCondition is related, either directly via the "
         "The CAPolicyStatment may be a dot-delimited ASN.1 OID
          "PolicyConditionInPolicyRepository association or indirectly"
          "
         "string which identifies to via the formal policy statement.") PolicyConditionInPolicyRule aggregation.")
        ]
    string CAPolicyStatement;
        [Description SystemCreationClassName;
        [Key, MaxLen (256), Description ( "A CRL, or CertificateRevocationList, is a
         "
         "list  The name of certificates which the CertificateAuthority has System object in whose scope this "
         "revoked and which are not yet expired.  Revocation
         "PolicyCondition is defined.\n\n"
         "
         "necessary when  "
         "This property completes the private key associated with identification of the public System "
         "key
         "object in whose scope this instance of PolicyCondition "
         "exists.  For a certificate rule-specific PolicyCondition, this is lost or compromised, or when the "
         "person for whom
         "System in whose context the certificate is signed no longer PolicyRule is defined.  For a "
         "entitled to use
         "reusable PolicyCondition, this is the certificate."), Octetstring ]
    string CRL[];
        [Description ("Certificate Revocation Lists may be instance of "
         "available from
         "PolicyRepository (which is a number subclass of distribution points.  "
         "CRLDistributionPoint array values provide URIs for those System) that "
         "distribution points.")]
         "holds the Condition.")
        ]
    string CRLDistributionPoint[];
        [Description SystemName;
        [Key, MaxLen (256), Description ( "Certificates refer to their issuing CA by
         "For a rule-specific PolicyCondition, the "
         "its Distinguished Name (as defined in X.501)."), DN]
    string CADistinguishedName;
        [Description ( "The frequency, expressed in hours, at
         "CreationClassName of the PolicyRule object with which "
           "the CA will update its Certificate Revocation List.  Zero "
           "implies that the refresh frequency
         "this Condition is unknown."),
           Units("Hours")]
    uint8 CRLRefreshFrequency;
        [Description ( "The maximum number of certificates in associated.  For a reusable Policy"
         "Condition, a special value, 'NO RULE', should be used to "
         "certificate chain permitted for credentials issued by
         "indicate that this Condition is reusable and not "
         "this certificate authority or it's subordinate CAs.\n"
         "The MaxChainLength of
         "associated with a superior CA in single PolicyRule.")
        ]
    string PolicyRuleCreationClassName;
        [Key, MaxLen (256), Description (
         "For a rule-specific PolicyCondition, the trust name of "
         "the PolicyRule object with which this Condition is "
         "hierarchy
         "associated.  For a reusable PolicyCondition, a "
         "special value, 'NO RULE', should be greater than used to indicate "
         "that this value Condition is reusable and the not associated "
         "MaxChainLength of
         "with a subordinate CA single PolicyRule.")
        ]
    string PolicyRuleName;
        [Key, MaxLen (256), Description (
           "CreationClassName indicates the name of the class or the "
           "subclass used in the trust hierarchy creation of an instance. When used "
         "should be less than
           "with the other key properties of this value.")]
    uint8 MaxChainLength;
};

// ==================================================================
//    KerberosKeyDistributionCenter
// ==================================================================
        [Description (
         "CIM_KerberosKeyDistributionCenter ...") ]
class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService
{
        [Override ("Name"),
         Description ("The Realm served by class, this KDC.")]
    string Name;
        [Description ("The version property"
           " allows all instances of Kerberos supported by this class and its subclasses to "
         "service."),
         Values {"V4", "V5", "DCE", "MS"}
           "be uniquely identified.") ]
    uint16 Protocol[];
    string CreationClassName;
        [Key, MaxLen (256), Description (
           "A user-friendly name of this PolicyCondition.")
        ]
    string PolicyConditionName;
};

// ==================================================================

//    Notary PolicyTimePeriodCondition
// ==================================================================
   [Description (
         "CIM_Notary is an AuthenticationService (credential
         "
         "management service)  This class provides a means of representing the time "
         "periods during which compares a PolicyRule is valid, i.e., active. "
         "At all times that fall outside these time periods, the "
         "biometric characteristics of
         "PolicyRule has no effect.  A Rule is treated as valid "
         "at ALL times, if it does not specify a person with "
         "PolicyTimePeriodCondition.\n\n"
         "  "
         "In some cases a Policy Consumer may need to perform "
         "certain setup / cleanup actions when a PolicyRule becomes "
         "active / inactive.  For example, sessions that were "
         "established while a Rule was active might need to "
         "be taken down when the Rule becomes inactive.  In other "
         "cases, however, such sessions might be left up.  In this "
         "case, the effect of deactivating the PolicyRule would "
         "just be to prevent the establishment of new sessions. \n\n"
         "  "
         "Setup / cleanup behaviors on validity period "
         "transitions are not currently addressed by the Policy "
         "Model, and must be specified in 'guideline' documents or "
         "known characteristics
         "via subclasses of an Users Access, and determines CIM_PolicyRule, CIM_PolicyTimePeriod"
         "Condition or other concrete subclasses of CIM_Policy. If "
         "whether
         "such behaviors need to be under the person is control of the UsersAccess.  An example is policy "
         "a bank teller who compares
         "administrator, then a picture ID with mechanism to allow this control "
         "must also be specified in the person subclasses.\n\n"
         "
         "trying to cash a check, or a biometric login service that  "
         "uses voice recognition to identify
         "PolicyTimePeriodCondition is defined as a user.") ]
class CIM_Notary:CIM_CredentialManagementService
{
        [Description ( "The types subclass of biometric information which "
           "this Notary can compare."),
         Values { "N/A", "Other", "Facial", "Retina", "Mark",
                  "Finger", "Voice", "DNA-RNA", "EEG"} ]
    uint16 Comparitors;
        [Description (
         "The SealProtocol
         "PolicyCondition. This is how to allow the decision inclusion of "
         "time-based criteria in the Notary is AND/OR condition definitions "
         "recorded
         "for a PolicyRule.\n\n"
         "  "
         "Instances of this class may have up to five properties "
         "identifying time periods at different levels. The values "
         "of all the properties present in an instance are ANDed "
         "together to determine the validity period(s) for future use by parties who will rely on its the "
         "decision.
         "instance. For instance, a drivers licence frequently example, an instance with an overall "
         "includes tamper-resistent coatings
         "validity range of January 1, 2000 through December 31, "
         "2000; a month mask that selects March and markings to protect April; a "
         "the recorded decision
         "day-of-the-week mask that selects Fridays; and a driver, time "
         "of day range of 0800 through 1600 would be represented "
         "using the following time periods:\n"
         "   Friday, March  5, 2000, from 0800 through 1600;\n "
         "   Friday, March 12, 2000, from 0800 through 1600;\n "
         "   Friday, March 19, 2000, from 0800 through 1600;\n "
         "   Friday, March 26, 2000, from 0800 through 1600;\n "
         "   Friday, April  2, 2000, from 0800 through 1600;\n "
         "   Friday, April  9, 2000, from 0800 through 1600;\n "
         "   Friday, April 16, 2000, from 0800 through 1600;\n "
         "   Friday, April 23, 2000, from 0800 through 1600;\n "
         "   Friday, April 30, 2000, from 0800 through 1600.\n\n"
         "  "
         "Properties not present in an instance of "
         "PolicyTimePeriodCondition are implicitly treated as having various "
         "biometric characteristics of height, weight, hair
         "their value 'always enabled'. Thus, in the example above, "
         "the day-of-the-month mask is not present, and eye so the "
         "color, using
         "validity period for the instance implicitly includes a particular name, has features represented in "
         "a photograph
         "day-of-the-month mask that selects all days of their face.")]
    string SealProtocol;
        [Description (
         "CharterIssued documents when the Notary is first "
         "authorized, by whoever gave it responsibility, to perform month. "
         "its service.")]
    datetime CharterIssued;
        [Description (
         "CharterExpired documents when the Notary
         "If this 'missing property' rule is no longer "
         "authorized, by whoever gave it responsibility, applied to perform its fullest, "
         "its service.")]
    datetime CharterExpired;
};

// ==================================================================
//    LocalCredentialManagementService
// ==================================================================
        [Description (
         "CIM_LocalCredentialManagementService
         "we see that there is a credential "
         "management service second way to indicate that provides local system "
         "management a Policy"
         "Rule is always enabled: associate with it an instance of credentials used by the local system.") "
         "PolicyTimePeriodCondition whose only properties with "
         "specific values are its key properties.")
   ]
class
CIM_LocalCredentialManagementService:CIM_CredentialManagementService CIM_PolicyTimePeriodCondition : CIM_PolicyCondition
{
};

// ==================================================================
//    SharedSecretService
// ==================================================================
        [Description (
         "CIM_SharedSecretService is a service which ascertains
         "
         "whether messages received are from the Principal with  This property identifies an overall range of calendar "
         "whom
         "dates and times over which a secret PolicyRule is valid.  It is shared.  Examples include a login "
         "service that proves identity on the basis of knowledge of "
         "the shared secret, or
         "formatted as a transport integrity service (like "
         "Kerberos provides) that includes string representing a message authenticity start date and time, "
         "code that proves each message in
         "in which the messsage stream came "
         "from someone who knows character 'T' indicates the shared secret session key.")]
class CIM_SharedSecretService:CIM_LocalCredentialManagementService
{
        [MaxLen (256), Description (
         "The Algorithm used to convey beginning of the shared secret, such as "
         "HMAC-MD5,or PLAINTEXT.") ]
    string Algorithm;
        [Description (
         "The Protocol supported
         "time portion, followed by the SharedSecretService.")]
    string Protocol;
};

// ==================================================================
//    PublicKeyManagementService
// ==================================================================
        [Description (
         "CIM_PublicKeyManagementService is solidus character '/', "
         "followed by a credential management similar string representing an end date and "
         "service that provides local system management
         "time.  The first date indicates the beginning of public the range, "
         "keys used by
         "while the local system.") ]
class
CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService
{
};

// ==================================================================
//    Credential
// ==================================================================
        [Abstract, Description (
         "Subclasses of CIM_Credential define materials, second date indicates the end.  Thus, the second "
         "information, or other data which are used to prove
         "date and time must be later than the first.  Date/times are "
         "identity
         "expressed as substrings of a CIM_UsersAccess to a particular the form yyyymmddThhmmss.  For "
         "CIM_SecurityService.  Generally, there may be some shared
         "example: \n"
         "
         "information, or credential material   20000101T080000/20000131T120000 defines \n"
         "   January 1, 2000, 0800 through January 31, 2000, noon\n\n"
         "  "
         "There are also two special cases in which one of the "
         "date/time strings is used to replaced with a special string defined "
         "identify and authenticate ones self in
         "in RFC 2445.\n "
         "   o If the process of first date/time is replaced with the string "
         "gaining access to, or permission to use, an Account.
         "
         "Such credential material may be used to authenticate     'THISANDPRIOR', then the property indicates that a "
         "users access identity  initially, as done by a
         "
         "CIM_AuthenticationService (see later), and additionally on     PolicyRule is valid [from now] until the date/time "
         "an ongoing basis during
         "     that appears after the course of '/'.\n"
         "   o If the second date/time is replaced with the string "
         "     'THISANDFUTURE', then the property indicates that a connection or "
         "other  security association, as proof
         "     PolicyRule becomes valid on the date/time that each received "
         "message or communication came from
         "     appears before the owning user access '/', and remains valid from that "
         "of
         "
         "that credential material.") ]
class CIM_Credential:CIM_ManagedElement     point on. "),
         ModelCorrespondence {
};

// ==================================================================
//    PublicKeyCertificate
// ==================================================================
        [Description ("A Public Key Certificate
        "CIM_PolicyTimePeriodCondition.MonthOfYearMask",
        "CIM_PolicyTimePeriodCondition.DayOfMonthMask",
        "CIM_PolicyTimePeriodCondition.DayOfWeekMask",
        "CIM_PolicyTimePeriodCondition.TimeOfDayMask",
        "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
        ]
    string TimePeriod;
        [Octetstring, Description (
         "  The purpose of this property is a credential to refine the valid time "
         "that
         "period that is cryptographically signed defined by the TimePeriod property, by a trusted Certificate "
         "Authority (CA) and issued to an authenticated entity
         "explicitly specifying in which months the PolicyRule is "
         "(e.g., human user, service,etc.) called
         "valid. These properties work together, with the Subject "
         "TimePeriod used to specify the overall time period in "
         "the certificate
         "which the PolicyRule is valid, and represented by the UsersAccess class. MonthOfYearMask used "
         "The public key in
         "to pick out the certificate months during which the Rule is cryptographically valid.\n\n"
         "
         "related to  "
         "This property is formatted as an octet string, structured "
         "as follows:\n"
         "   o a private key that 4-octet length field, indicating the length of the "
         "    entire octet string; this field is always set to be held and kept "
         "private by the authenticated Subject.  The certificate
         "
         "and its related private key can then be used    0x00000006 for this property;\n"
         "
         "establishing trust relationships   o a 2-octet field consisting of 12 bits identifying the "
         "     12 months of the year, beginning with January and securing "
         "communications
         "     ending with the Subject.  Refer to the ITU/CCITT December, followed by 4 bits that are "
         "X.509 standard as an example of such certificates.") ]
class CIM_PublicKeyCertificate:CIM_Credential
{
         [Propagated ("CIM_System.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"),
          Key, MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Propagated ("CIM_CertificateAuthority.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_CertificateAuthority.Name"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceName;
         [Key, MaxLen (256), Description (
          "Certificate subject identifier")]
     string Subject;
         [MaxLen (256), Description (
          "Alternate subject identifier
         "     always set to '0'.  For each month, the value '1' "
         "     indicates that the policy is valid for that month, "
         "     and the Certificate.")]
     string AltSubject;
         [Description ("The DER-encoded raw public key."), Octetstring]
     uint8 PublicKey[];
};

// ==================================================================
//    UnsignedPublicKey
// ==================================================================
        [Description (
         "A CIM_UnsignedPublicKey represents an unsigned public value '0' indicates that it is not valid.\n\n"
         "
         "key credential.  The local UsersAccess (or subclass  "
         "thereof) accepts
         "The value 0x000000060830, for example, indicates that a "
         "PolicyRule is valid only in the public key as authentic because of months May, November, "
         "a direct trust relationship rather than via
         "and December.\n\n"
         "  "
         "If a third-party value for this property is not provided, then the "
         "Certificate Authority.") ]
class CIM_UnsignedPublicKey:CIM_Credential
         "PolicyRule is treated as valid for all twelve months, and "
         "only restricted by its TimePeriod property value and the "
         "other Mask properties."),
        ModelCorrespondence {
         [Propagated ("CIM_System.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"),
          Key, MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Propagated
("CIM_PublicKeyManagementService.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_PublicKeyManagementService.Name"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceName;
         [Key, MaxLen (256),
        "CIM_PolicyTimePeriodCondition.TimePeriod",
        "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
        ]
    uint8 MonthOfYearMask[];
        [Octetstring, Description (
          "The Identity
         "  The purpose of this property is to refine the Peer with whom a direct trust valid time "
          "relationship exists.  The public key may be
         "period that is defined by the TimePeriod property, by "
         "explicitly specifying in which days of the month the Policy"
         "Rule is valid. These properties work together, "
         "with the TimePeriod used for to specify the overall time period "
          "security functions with
         "in which the PolicyRule is valid, and the DayOfMonthMask "
         "used to pick out the days of the month during which the "
         "Rule is valid.\n\n "
         "  "
         "This property is formatted as an octet string, structured "
         "as follows:\n"
         "   o a 4-octet length field, indicating the length of the Peer."),
         ModelCorrespondence
           {"CIM_PublicKeyManagementService.PeerIdentityType" } ]
     string PeerIdentity;
           [Description ("PeerIdentityType "
         "     entire octet string; this field is used always set to describe the "
          "type of the PeerIdentity.  The currently defined values
         "
          "are used     0x0000000C for IKE identities."),
           ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8",
          "9", "10", "11"},
           Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN",
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
          "DER_ASN1_GN", "KEY_ID"},
         ModelCorrespondence
           {"CIM_PublicKeyManagementService.PeerIdentity" } ]
     uint16 PeerIdentityType;
         [Description ("The DER-encoded raw public key."),
          Octetstring]
     uint8 PublicKey[];
};

// ==================================================================
//    KerberosTicket
// ==================================================================
        [Description (
         "A CIM_KerberosTicket represents a credential issued by a this property; \n"
         "   o an 8-octet field consisting of 31 bits identifying "
         "particular Kerberos Key Distribution Center (KDC)
         "
         "to a particular CIM_UsersAccess as     the result days of a the month counting from the beginning, "
         "successful authentication process.  There are two types
         "     followed by 31 more bits identifying the days of the "
         "tickets
         "     month counting from the end, followed by 2 bits that a KDC may issue to a Users Access - a "
         "TicketGranting ticket, which is used
         "     are always set to protect and '0'.  For each day, the value '1' "
         "authenticate communications between
         "     indicates that the Users Access policy is valid for that day, and "
         "the
         "
         "KDC, and a Session ticket, which     the KDC issues to two value '0' indicates that it is not valid. \n\n"
         "
         "Users Access to allow them to communicate with each other.  "
          ) ]
class CIM_KerberosTicket:CIM_Credential
{
         [Propagated ("CIM_System.CreationClassName"), Key,
         MaxLen (256), Description ("Scoping System")]
        string SystemCreationClassName;
         [Propagated ("CIM_System.Name"), Key,
         MaxLen (256),Description ("Scoping System")]
        string SystemName;
         [Key, MaxLen (256), Propagated
         ("CIM_KerberosKeyDistributionCenter.CreationClassName"),
         Description ("Scoping Service")]
        string ServiceCreationClassName;
         [Propagated ("CIM_KerberosKeyDistributionCenter.Name"),
         Key, MaxLen (256),
         Description ("Scoping Service.  The Kerberos KDC Realm
         "The value 0x0000000C8000000100000000, for example, "
         "indicates that a PolicyRule is valid on the first and "
         "last days of the month.\n\n "
        "CIM_KerberosTicket is used to record
         "  "
         "For months with fewer than 31 days, the security digits corresponding"
         "
        "authority, or Realm, name so to days that tickets issued by the months do not have (counting in both "
        "different Realms can be separately managed and
         "directions) are ignored.\n\n"
         "
          "enumerated.")]
        string ServiceName;
        [Key, MaxLen (256), Description ("The name of the service  "
           "for which
         "If a value for this ticket property is used.")]
        string AccessesService;
        [Key, MaxLen (256), Description (
         "RemoteID not provided, then the "
         "PolicyRule is treated as valid for all days of the name month, "
         "and only restricted by which the user is known at its TimePeriod property value and the"
         "
         "the KDC security service.")]
        string RemoteID;
        datetime Issued;
        datetime Expires;
          [Description other Mask properties."),
        ModelCorrespondence {
        "CIM_PolicyTimePeriodCondition.TimePeriod",
        "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
        ]
    uint8 DayOfMonthMask[];
        [Octetstring, Description (
          "The Type
         "  The purpose of CIM_KerberosTicket this property is used to indicate whether refine the valid time "
          "the ticket in question was issued
         "period that is defined by the Kerberos Key TimePeriod property, by "
          "Distribution Center (KDC)
         "explicitly specifying in which days of the month the Policy"
         "Rule is valid. These properties work together, "
         "with the TimePeriod used to support ongoing communication specify the overall time period "
          "between
         "in which the Users Access PolicyRule is valid, and the KDC (\"TicketGranting\"), DayOfWeekMask used"
         "
          "or was issued by the KDC to support ongoing communication pick out the days of the week during which the Rule "
          "between two Users Access entities (\"Session\")." ),
          Values {"Session", "TicketGranting"}]
        uint16 TicketType;
};

// ==================================================================
//    SharedSecret
// ==================================================================
        [Description (
         "CIM_SharedSecret
         "is valid.\n\n "
         "  "
         "This property is the secret shared between a Users formatted as an octet string, structured "
         "Access
         "as follows:\n "
         "and a particular SharedSecret security service.  Secrets
         "
         "may be in  o a 4-octet length field, indicating the form length of a password used the "
         "    entire octet string; this field is always set to "
         "    0x00000005 for initial this property;\n"
         "
         "authentication, or as with  o a session key, used as part 1-octet field consisting of 7 bits identifying the 7 "
         "a message authentication code to verify that a message
         "
         "originated by    days of the pricinpal week, beginning with Sunday and ending with whom the secret is shared. "
         "It
         "    Saturday, followed by 1 bit that is important always set to note '0'. "
         "    For each day of the week, the value '1' indicates that SharedSecret "
         "    the policy is not just valid for that day, and the value '0' "
         "password, but rather
         "    indicates that it is the password used with not valid. \n\n"
         "  "
         "The value 0x000000057C, for example, indicates that a particular "
         "security service.")]
class CIM_SharedSecret:CIM_Credential
{
         [Propagated ("CIM_System.CreationClassName"), Key,
          MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"), Key,
          MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Key, MaxLen (256), Propagated
          ("CIM_SharedSecretService.CreationClassName"),
          Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_SharedSecretService.Name"),
          Key, MaxLen (256),
          Description ("Scoping Service")]
     string ServiceName;
        [Key, MaxLen (256), Description (
         "RemoteID
         "PolicyRule is valid Monday through Friday.\n\n"
         "  "
         "If a value for this property is not provided, then the name by which the user "
         "PolicyRule is known at treated as valid for all days of the week, "
         "and only restricted by its TimePeriod property value and "
         "the remote secret key authentication service.")]
     string RemoteID; other Mask properties."),
        ModelCorrespondence {
        "CIM_PolicyTimePeriodCondition.TimePeriod",
        "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
        ]
    uint8 DayOfWeekMask[];
        [Description (
         "secret
         "  The purpose of this property is to refine the secret known valid time "
         "period that is defined by the Users Access.")]
     string secret;
        [Description (
         "algorithm names TimePeriod property, by "
         "explicitly specifying a range of times in a day during which"
         " the transformation algorithm, if any, PolicyRule is valid. These properties work "
         "together, with the TimePeriod used to specify the overall "
         "to protect passwords before use
         "time period in which the protocol.  For "
         "instance, Kerberos doesn't store passwords as PolicyRule is valid, and the shared "
         "secret, but rather,
         "TimeOfDayMask used to pick out the range of time periods "
         "in a hash given day of the password.")]
     string algorithm;
        [Description (
         "protocol names the protocol with during which the SharedSecret Rule is valid. \n\n"
         "
         "used.")]  "
         "This property is formatted in the style of RFC 2445:  a "
         "time string protocol;
};

// ==================================================================
//    NamedSharedIKESecret
// ==================================================================
        [Description (
         "CIM_NamedSharedIKESecret indirectly represents beginning with the character 'T', followed by "
         "the solidus character '/', followed by a shared second time string."
         "
         "secret credential. The local identity, IKEIdentity, "
         "and first time indicates the remote peer identity share beginning of the secret that is range, while "
         "named by
         "the second time indicates the SharedSecretName.  The SharedSecretName is end.  Times are expressed as "
         "used SharedSecretService to reference
         "substrings of the secret.") ]
class CIM_NamedSharedIKESecret:CIM_Credential

{
         [Propagated ("CIM_System.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping System")]
     string SystemCreationClassName;
         [Propagated ("CIM_System.Name"),
          Key, MaxLen (256),Description ("Scoping System")]
     string SystemName;
         [Propagated ("CIM_SharedSecretService.CreationClassName"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceCreationClassName;
         [Propagated ("CIM_SharedSecretService.Name"),
          Key, MaxLen (256), Description ("Scoping Service")]
     string ServiceName;
         [Key, MaxLen (256), Description ( form 'Thhmmss'. \n\n"
         "  "
         "The local Identity with whom the direct trust second substring always identifies a later time than "
          "relationship exists."),
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.LocalIdentityType" } ]
         "the first substring.  To allow for ranges that span "
         "midnight, however, the value of the second string LocalIdentity;
           [Key, Description ("LocalIdentityType is used to describe may be "
          "the type
         "smaller than the value of the LocalIdentity."),
           ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
          "9", "10", "11"},
           Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
          "DER_ASN1_GN", "KEY_ID"},
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.LocalIdentity" } ]
    uint16 LocalIdentityType;
         [Key, MaxLen (256), Description (
          "The peer identity with whom first substring.  Thus, "
         "'T080000/T210000' identifies the range from 0800 until 2100,"
         " while 'T210000/T080000' identifies the range from 2100 "
         "until 0800 of the direct trust following day. \n\n"
         "
          "relationship exists."),
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.PeerIdentityType" } ]
     string PeerIdentity;
           [Key, Description ("PeerIdentityType  "
         "When a range spans midnight, it by definition includes "
         "parts of two successive days.  When one of these days is used to describe "
         "also selected by either the MonthOfYearMask, "
         "DayOfMonthMask, and/or DayOfWeekMask, but the other day is "
         "not, then the policy is active only during the portion of "
         "the type range that falls on the selected day.  For example, if "
         "the range extends from 2100 until 0800, and the day of "
         "week mask selects Monday and Tuesday, then the PeerIdentity."),
           ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
          "9", "10", "11"},
           Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
          "DER_ASN1_GN", "KEY_ID"},
         ModelCorrespondence
           {"CIM_NamedSharedIKESecret.PeerIdentity" } ]
     uint16 PeerIdentityType;
         [Description ("SharedSecretName policy is an indirect reference "
          "to
         "active during the following three intervals:\n"
         "    From midnight Sunday until 0800 Monday; \n"
         "    From 2100 Monday until 0800 Tuesday; \n"
         "    From 2100 Tuesday until 23:59:59 Tuesday. \n\n"
         "  "
         "If a shared secret.  The SecretService does value for this property is not expose provided, then the "
          "the actual secret but rather provides access to
         "PolicyRule is treated as valid for all hours of the day, "
          "secret via a name.")]
         "and only restricted by its TimePeriod property value and "
         "the other Mask properties."),
        ModelCorrespondence {
        "CIM_PolicyTimePeriodCondition.TimePeriod",
        "CIM_PolicyTimePeriodCondition.LocalOrUtcTime"}
        ]
    string SharedSecretName;
};

// ==================================================================
// ===              Association class definitions                 ===
// ==================================================================

// ==================================================================
// ElementAsUser
// ==================================================================
   [Association, Description TimeOfDayMask;
        [Description (
   "CIM_ElementAsUser is an association used to establish the
         "
   "'ownership' of UsersAccess object instances.  That is,  This property indicates whether the times represented "
   "ManagedElement may have UsersAccess to systems and, therefore,
         "in the TimePeriod property and in the various Mask "
   "be 'users' on those systems.  UsersAccess instances must have an
         "properties represent local times or UTC times.  There is "
   "'owning' ManagedElement.  Typically,
         "no provision for mixing of local times and UTC times:  the ManagedElements will be "
   "limited
         "value of this property applies to Collection, Person, Service and ServiceAccessPoint. "
   "Other non-human ManagedElements that might be thought all of as "
   "having UsersAccess (e.g., a device or system) have services that "
   "have the UsersAccess.")]
class CIM_ElementAsUser : CIM_Dependency other "
         "time-related properties."),
         ValueMap {
        [Min (1), Max (1), Override ("Antecedent"),
        Description ("The ManagedElement that has UsersAccess") ]
   CIM_ManagedElement REF Antecedent;
        [Override ("Dependent"),
        Description ("The 'owned' UsersAccess") "1", "2" },
         Values { "localTime", "utcTime" },
         ModelCorrespondence {
         "CIM_PolicyTimePeriodCondition.TimePeriod",
         "CIM_PolicyTimePeriodCondition.MonthOfYearMask",
         "CIM_PolicyTimePeriodCondition.DayOfMonthMask",
         "CIM_PolicyTimePeriodCondition.DayOfWeekMask",
         "CIM_PolicyTimePeriodCondition.TimeOfDayMask"}
        ]
   CIM_UsersAccess REF Dependent;
    uint16 LocalOrUtcTime;
};

// ==================================================================
// UsersCredential VendorPolicyCondition
// ==================================================================
   [Association, Description
   [Description (
   "CIM_UsersCredential is an association
         "  A class that provides a general extension mechanism for "
         "representing PolicyConditions that have not been modeled "
         "with specific properties. Instead, the two properties "
         "Constraint and ConstraintEncoding are used to establish define the "
   "credentials that may be used
         "content and format of the Condition, as explained below.\n\n"
         "  "
         "As its name suggests, VendorPolicyCondition is intended for a UsersAccess "
         "vendor-specific extensions to a system or the Policy Core Information "
   "set of systems.
         "Model.  Standardized extensions are not expected to use "    )]
         "this class.")
   ]
class CIM_UsersCredential CIM_VendorPolicyCondition : CIM_Dependency CIM_PolicyCondition
{
        [Override ("Antecedent"),
        Description ("The issued credential that may be used.") ]
   CIM_Credential REF Antecedent;
        [Override ("Dependent"),
        Description ("The UsersAccess that has use of a credential") ]
   CIM_UsersAccess REF Dependent;
   };

// ===================================================================
//    PublicPrivateKeyPair
// ===================================================================
        [Association,
        [Octetstring, Description (
         "This relationship associates property provides a PublicKeyCertificate with general extension mechanism for "
         "the Principal who has the PrivateKey used
         "representing PolicyConditions that have not been "
         "modeled with specific properties. The format of the "
         "PublicKey.  The PrivateKey is not modeled, since it
         "octet strings in the array is not left unspecified in "
         "a data element that ever SHOULD be accessible via
         "this definition.  It is determined by the OID value "
         "management applications, other than key recovery services,
         "stored in the property ConstraintEncoding.  Since "
         "which are outside our scope.") ]
class CIM_PublicPrivateKeyPair:CIM_UsersCredential
         "ConstraintEncoding is single-valued, all the values of "
         "Constraint share the same format and semantics."),
         ModelCorrespondence {
      [ Override ("Antecedent") ]
   CIM_PublicKeyCertificate REF Antecedent;
      [ Override ("Dependent")
            "CIM_VendorPolicyCondition.ConstraintEncoding"}
        ]
   CIM_UsersAccess REF Dependent;
    string Constraint [];
        [Description ( "The Certificate may be used for signature "
        "only
         "An OID encoded as a string, identifying the format "
        "or
         "and semantics for confidentiality as well as signature"),
        Values this instance's Constraint property."),
         ModelCorrespondence { "SignOnly", "ConfidentialityOrSignature"}
            "CIM_VendorPolicyCondition.Constraint"}
        ]
   uint16 Use;
   boolean NonRepudiation;
   boolean BackedUp;
        [Description ("The repository in which the certificate is "
        "backed up.")]
    string Repository; ConstraintEncoding;
};

// =================================================================== ==================================================================
//    CAHasPublicCertificate PolicyAction
// ===================================================================
   [Association, ==================================================================
   [Abstract, Description (
         "A CertificateAuthority may have certificates issued by other CAs. class representing a rule-specific or reusable policy "
   "This association is essentially an optimization of
         "action to be performed if the CA having "
   "a UsersAccess instance with an association PolicyConditions for a Policy"
         "Rule evaluate to TRUE. Since all operational details of a certificate thus "
   "mapping more closely to LDAP-based certificate authority
         "PolicyAction are provided in subclasses of this object, "
   "implementations.")
         "this class is abstract.")
   ]
class CIM_CAHasPublicCertificate:CIM_Dependency CIM_PolicyAction : CIM_Policy
{
        [Max (1), Override ("Antecedent"),
        Description ("The Certificate used by the CA")]
   CIM_PublicKeyCertificate REF Antecedent;
        [Override ("Dependent"),
        Description ("The CA that uses a Certificate")]
   CIM_CertificateAuthority REF Dependent;
};

// ===================================================================
//    ManagedCredential
// ===================================================================
        [Association,
        [Key, MaxLen (256), Description (
         "This relationship associates a CredentialManagementService
         "
         "with  The name of the Credential it manages.") ] class CIM_ManagedCredential:CIM_Dependency
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ( "The credential management service")]
   CIM_CredentialManagementService REF Antecedent;
        [Override ("Dependent"),
        Description ( "The managed credential")]
   CIM_Credential REF Dependent;
};

// ===================================================================
//    CASignsPublicKeyCertificate
// ===================================================================
        [Association, Description ( or the subclass used in the "
         "creation of the System object in whose scope this "
         "PolicyAction is defined. \n\n"
         "  "
         "This relationship associates property helps to identify the System object in "
         "whose scope this instance of PolicyAction exists. "
         "For a CertificateAuthority with rule-specific PolicyAction, this is the System "
         "the certificates it signs.") ]
         "in whose context the PolicyRule is defined. For a "
         "reusable PolicyAction, this is the instance of "
         "PolicyRepository (which is a subclass of System) that "
         "holds the Action. \n\n"
         "  "
         "Note that this property, and the analogous property "
         "SystemName, do not represent propagated keys from an "
         "instance of the class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ( "The CA System. Instead, they are "
         "properties defined in the context of this class, which signed "
         "repeat the certificate")]
   CIM_CertificateAuthority REF Antecedent;
        [Override ("Dependent"), Weak,
        Description ( "The certificate issued by values from the CA")]
   CIM_PublicKeyCertificate REF Dependent;
   string SerialNumber;
      [ Octetstring instance of System to which "
         "this PolicyAction is related, either directly via the "
         "PolicyActionInPolicyRepository association or indirectly "
         "via the PolicyActionInPolicyRule aggregation.")
        ]
   uint8 Signature[];
   datetime Expires;
    string CRLDistributionPoint[];
};

// ==================================================================
//    LocallyManagedPublicKey
// ==================================================================
        [Association, SystemCreationClassName;
        [Key, MaxLen (256), Description (
         "CIM_LocallyManagedPublicKey association provides
         "  The name of the System object in whose scope this "
         "PolicyAction is defined. \n\n"
         "  "
         "This property completes the identification of the System "
         "relationship between
         "object in whose scope this instance of PolicyAction "
         "exists.  For a PublicKeyManagementService and an rule-specific PolicyAction, this is the "
         "UnsignedPublicKey.") ]
class CIM_LocallyManagedPublicKey:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
         Description ("The PublicKeyManagementService that manages
         "System in whose context the PolicyRule is defined.  For "
         "an unsigned public key.") ]
    CIM_PublicKeyManagementService REF Antecedent;
        [Override ("Dependent"), Weak, Description (
         "An unsigned public key.")
         "a reusable PolicyAction, this is the instance of "
         "PolicyRepository (which is a subclass of System) that "
         "holds the Action.")
        ]
    CIM_UnsignedPublicKey REF Dependent;
};

// ===================================================================
//    SharedSecretIsShared
// ===================================================================
        [Association,
    string SystemName;
        [Key, MaxLen (256), Description (
         "This relationship associates
         "For a SharedSecretService with rule-specific PolicyAction, the CreationClassName "
         "SecretKey it verifies.")
         "of the PolicyRule object with which this Action is "
         "associated.  For a reusable PolicyAction, a "
         "special value, 'NO RULE', should be used to "
         "indicate that this Action is reusable and not "
         "associated with a single PolicyRule.")
        ]
class CIM_SharedSecretIsShared : CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ("The credential management service")]
   CIM_SharedSecretService REF Antecedent;
        [Override ("Dependent"), Weak,
        Description ( "The managed credential")]
   CIM_SharedSecret REF Dependent;
};

// ==================================================================
//    IKESecretIsNamed
// ==================================================================
        [Association,
    string PolicyRuleCreationClassName;
        [Key, MaxLen (256), Description (
         "CIM_IKESecretIsNamed association provides
         "For a rule-specific PolicyAction, the name of "
         "relationship between
         "the PolicyRule object with which this Action is "
         "associated.  For a SharedSecretService and reusable PolicyAction, a "
         "NamedSharedIKESecret.") ]
class CIM_IKESecretIsNamed:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
         Description ("The SharedSecretService
         "special value, 'NO RULE', should be used to "
         "indicate that manages a this Action is reusable and not "
         "NamedSharedIKESecret.")]
    CIM_SharedSecretService REF Antecedent;
        [Override ("Dependent"), Weak, Description (
         "The managed NamedSharedIKESecret.")
         "associated with a single PolicyRule.")
        ]
    CIM_NamedSharedIKESecret  REF Dependent;
};

// ===================================================================
//    KDCIssuesKerberosTicket
// ===================================================================
   [Association,
    string PolicyRuleName;
        [Key, MaxLen (256), Description (
   "The KDC issues and owns Kerberos tickets.  This association "
   "captures
           "CreationClassName indicates the relationship between name of the KDC and its issued tickets."
   ) ] class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential
{
        [Override ("Antecedent"), Min (1), Max (1),
        Description ( "The issuing KDC") ]
   CIM_KerberosKeyDistributionCenter REF Antecedent;
        [Override ("Dependent"), Weak,
        Description ( "The managed credential")]
   CIM_KerberosTicket REF Dependent;
};

// ===================================================================
//    NotaryVerifiesBiometric
// ===================================================================
        [Association, Description (
         "This relationship associates a Notary service with or the "
           "subclass used in the creation of an instance. When used "
         "Users Access whose biometric information is verified.") ]
           "with the other key properties of this class, this property"
           " allows all instances of this class CIM_NotaryVerifiesBiometric : CIM_Dependency
{
        [Override ("Antecedent"),
        Description ("The Notary service that verifies biometric and its subclasses to "
        "information ")
           "be uniquely identified.") ]
   CIM_Notary REF Antecedent;
        [Override ("Dependent"),
    string CreationClassName;
        [Key, MaxLen (256), Description ( "The UsersAccess that represents a person using "
        "biometric information for authentication.")]
   CIM_UsersAccess REF Dependent;
         "A user-friendly name of this PolicyAction.")
        ]
    string PolicyActionName;
};

Appendix C (DMTF Network Model MOF)

// ==================================================================
//     NetworkService CompoundPolicyAction
// ==================================================================
        [Abstract, Description (
         "This
        [Description ("CompoundPolicyAction is used to represent an abstract base class, derived from the Service "
         "class. It serves
         "expression consisting of an ordered sequence of action "
         "terms.  Each action term is represented as a subclass of "
         "the PolicyAction class.  Compound actions are constructed "
         "by associating dependent action terms together using the root "
         "PolicyActionInPolicyAction aggregation.")  ]
class CIM_CompoundPolicyAction : CIM_PolicyAction
{
        [Description (
         "This property gives a policy administrator a way "
         "of specifying how the ordering of the network service PolicyActions "
         "hierarchy. Network services represent generic functions
         "associated with this PolicyRule is to be interpreted. "
         "that
         "Three values are available from supported:\n"
         "  o mandatory(1): Do the network that configure and/or actions in the indicated "
         "modify
         "    order, or don't do them at all.\n"
         "  o recommended(2): Do the traffic being sent. For example, FTP is not a actions in the indicated "
         "network service, as it simply passes data unchanged from
         "
         "source to destination. On    order if you can, but if you can't do them in this "
         "    order, do them in another order if you can.\n"
         "  o dontCare(3): Do them -- I don't care about the "
         "    order.\n"
         "The default value is 3 (\"dontCare\")."),
        ValueMap { "1", "2", "3" },
        Values { "mandatory", "recommended", "dontCare" }]
   uint16 SequencedActions;

        [Description ("ExecutionStrategy defines the other hand, services "
         "that provide quality of service (e.g., DiffServ) and strategy to be "
         "security (e.g., IPSec) do affect
         "used in executing the traffic stream. sequenced actions aggregated by this "
         "Quality of service, IPSec, and other services
         "CompoundPolicyAction. There are three execution strategies:"
         "\n\n"
         "Do Until Success - execute actions according to predefined\n"
         "
         "subclasses                   order, until successful execution of this class. This class hierarchy enables a\n"
         "
         "developers to match services to users, groups,                   single action.\n"
         "Do All -           execute ALL actions which are part of\n"
         "
         "and other objects in                   the network.") ]

class CIM_NetworkService : CIM_Service
{
        [Description (
         "This is a free-form array of strings that provide modeled set, according to their\n"
         "
         "descriptive words and phrases that can be used in queries                   predefined order. Continue doing this,\n"
         "
         "to help locate and identify instances                   even if one or more of this service.") ]
    string Keywords [ ];
        [Description (
         "This is a URL that provides the protocol, network actions "
         "location, and other service-specific information required
         "
         "in order                   fails.\n"
         "Do Until Failure - execute actions according to access the service. This should be implemented predefined\n"
         "
         "as a LabeledURI, with syntax DirectoryString and a                   order, until the first failure in\n"
         "
         "matching rule                   execution of CaseExactMatch, for directory "
         "implementors.") ]
    string ServiceURL; an action instance."
         "The default value is 2 (\"Do All\")."),
        Values {"1", "2", "3"},
        ValueMap {"Do Until Success", "Do All", "Do Until Failure"}]
   uint16 ExecutionStrategy;
};

// ==================================================================
// VendorPolicyAction
// ==================================================================
   [Description (
         "This is a free-form array of strings that specify any
         "
         "specific pre-conditions  A class that must be met in order provides a general extension mechanism for this "
         "service to start correctly. It is expected
         "representing PolicyActions that subclasses have not been modeled "
         "will refine
         "with specific properties. Instead, the inherited StartService() two properties "
         "ActionData and StopService()"
         "methods ActionEncoding are used to suit their own application-specific needs. This define the "
         "content and format of the Action, as explained below.\n\n"
         "
         "property  "
         "As its name suggests, VendorPolicyAction is used to specify application-specific conditions intended for "
         "needed by
         "vendor-specific extensions to the refined StartService and StopService"
         "methods.") Policy Core Information "
         "Model.  Standardized extensions are not expected to use "
         "this class.")  ]
    string StartupConditions [ ];
         [Description
class CIM_VendorPolicyAction : CIM_PolicyAction
{
        [Octetstring, Description (
         "This is property provides a free-form array of strings that specify any general extension mechanism for "
         "specific parameters
         "representing PolicyActions that must be supplied to have not been "
         "modeled with specific properties. The format of the "
         "StartService() method
         "octet strings in the array is left unspecified in order for this service to start "
         "correctly.
         "this definition.  It is expected that subclasses will refine determined by the OID value "
         "inherited StartService() and StopService() methods to suit "
         "their own application-specific needs. This
         "stored in the property is used ActionEncoding.  Since "
         "to specify application-specific parameters needed by
         "ActionEncoding is single-valued, all the values of "
         "refined StartService
         "ActionData share the same format and StopService methods.") semantics."),
         ModelCorrespondence {
            "CIM_VendorPolicyAction.ActionEncoding"}
        ]
    string StartupParameters [ ]; ActionData [];
        [Description (
         "An OID encoded as a string, identifying the format "
         "and semantics for this instance's ActionData property."),
         ModelCorrespondence {
            "CIM_VendorPolicyAction.ActionData"}
        ]
    string ActionEncoding;
};
// ==================================================================
//     ProtocolEndpoint ===                   Association classes                      ===
// ==================================================================
        [Description (
         "A communication point from which data may be sent or "
         "received. ProtocolEndpoints link router interfaces and "
         "switch ports to LogicalNetworks.") ]

class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint
{
        [Override ("Name"), MaxLen(256),

// ==================================================================
//    PolicyComponent
// ==================================================================
   [Association, Abstract, Aggregation, Description (
         "A string which identifies this ProtocolEndpoint with either "
         "a port or an interface on
   "CIM_PolicyComponent is a device. To ensure uniqueness, generic association used to "
         "the Name property should be prepended or appended with
   "establish 'part of' relationships between the subclasses of "
         "information from
   "CIM_Policy. For example, the Type or OtherTypeDescription PolicyConditionInPolicyRule "
         "properties. The method chosen is described
   "association defines that PolicyConditions are part of a "
   "PolicyRule.")
   ]
class CIM_PolicyComponent
{
       [Aggregate, Key, Description (
         "The parent Policy in the "
         "NameFormat property of this class.") association.")
       ]
    string Name;
        [MaxLen (256),
    CIM_Policy REF GroupComponent;
       [Key, Description (
         "NameFormat contains
         "The child/part Policy in the naming heuristic that association.")
       ]
    CIM_Policy REF PartComponent;
};

// ==================================================================
//    PolicyInSystem
// ==================================================================
   [Association, Abstract, Description (
         "  CIM_PolicyInSystem is chosen a generic association used to "
         "ensure
         "establish dependency relationships between Policies and the "
         "Systems that host them. These Systems may be ComputerSystems"
         " where Policies are 'running' or they may be Policy"
         "Repositories where Policies are stored. This relationship "
         "is similar to the value concept of CIM_Services being dependent "
         "on CIM_Systems as defined by the Name property HostedService "
         "association. \n"
         "  Cardinality is unique. For Max(1) for the Antecedent/System "
         "example,
         "reference since Policies can only be hosted in at most one might choose to prepend the name "
         "System context. Some subclasses of the port association will "
         "or interface with
         "further refine this definition to make the Type Policies Weak "
         "to Systems. Other subclasses of ProtocolEndpoint that this PolicyInSystem will "
         "instance is (e.g., IPv4)followed by an underscore.") ]
    string NameFormat;
        [MaxLen (64), Description (
         "ProtocolType is
         "define an enumeration that provides additional optional hosting relationship. Examples of each "
         "information that can be used to help categorize
         "of these are the PolicyRuleInSystem and "
         "classify different instances of this class."),
          ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
                   "10", "11", "12", "13", "14", "15", "16", "17",
                   "18", "19", "20", "21"},
         Values { "Unknown", "Other", "IPv4", "IPv6", "IPX",
                 "AppleTalk", "DECnet", "SNA", "CONP", "CLNP",
                 "VINES", "XNS", "ATM", "Frame Relay",
                 "Ethernet", "TokenRing", "FDDI", "Infiniband",
                 "Fibre Channel", "ISDN BRI Endpoint",
                 "ISDN B Channel Endpoint", "ISDN D Channel Endpoint"
},
          ModelCorrespondence PolicyConditionIn"
         "PolicyRepository associations, respectively.")
   ]
class CIM_PolicyInSystem : CIM_Dependency
{
                 "CIM_ProtocolEndpoint.OtherTypeDescription"}
       [Override ("Antecedent"), Max (1), Description (
         "The hosting System.")
       ]
    string ProtocolType;
        [MaxLen(64),
    CIM_System REF Antecedent;
       [Override ("Dependent"), Description (
         "A string describing
         "The hosted Policy.")
       ]
    CIM_Policy REF Dependent;
};

// ==================================================================
//    PolicySetInSystem
// ==================================================================
   [Association, Abstract, Description (
   "PolicySetInSystem is an abstract association class that "
   "represents a relationship between a System and a PolicySet used "
   "in the type administrative scope of ProtocolEndpoint that this system (e.g., AdminDomain, "
         "instance
   "ComputerSystem).  The Priority property is when used to assign a "
   "relative priority to a PolicySet within the Type property of this class (or any of administrative "
         "its  subclasses)
   "scope in contexts where it is set to 1 (e.g., 'Other'). The format not a component of another "
         "the string inserted
   "PolicySet.")
   ]
class CIM_PolicySetInSystem : CIM_PolicyInSystem
{
        [Override ("Antecedent"), Min (1), Max(1), Description (
      "The System in this whose scope a PolicySet is defined.")
      ]
    CIM_System REF Antecedent;
      [Override ("Dependent"), Description (
      "A PolicySet named within the scope of a System.")
      ]
    CIM_PolicySet REF Dependent;
        [Description (
        "The Priority property should be similar in "
         "format is used to specify the values defined for relative "
        "priority of the Type property. This referenced PolicySet when there are more "
         "property should be set
        "than one PolicySet instances applied to NULL when the Type property a managed resource "
        "that are not PolicySetComponents and, therefore, have no "
        "other relative priority defined.  The priority is a "
         "any
        "non-negative integer; a larger value other than 1."),
           ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} indicates a higher "
        "priority.")]
    uint16 Priority;
};

// ==================================================================
//    PolicyGroupInSystem
// ==================================================================
   [Association, Description (
         "An association that links a PolicyGroup to the System "
         "in whose scope the Group is defined.")
   ]
   string OtherTypeDescription;
class CIM_PolicyGroupInSystem : CIM_PolicySetInSystem
{
        [Override ("Antecedent"), Min(1), Max(1), Description (
         "The System in whose scope a PolicyGroup is defined.")
        ]
    CIM_System REF Antecedent;
        [Override ("Dependent"), Weak, Description (
         "A PolicyGroup named within the scope of a System.")
        ]
    CIM_PolicyGroup REF Dependent;
};

// ==================================================================
//     IPProtocolEndpoint    PolicyRuleInSystem
// ==================================================================
        [Description
   [Association, Description (
         "A ProtocolEndpoint
         "An association that is dedicated links a PolicyRule to running IP.") the System "
         "in whose scope the Rule is defined.")
   ]
class CIM_IPProtocolEndpoint CIM_PolicyRuleInSystem : CIM_ProtocolEndpoint CIM_PolicySetInSystem
{
        [Description
        [Override ("Antecedent"), Min(1), Max(1), Description (
         "The IP address that this ProtocolEndpoint represents, "
         "formatted according to the appropriate convention as "
         "defined System in whose scope a PolicyRule is defined.")
        ]
    CIM_System REF Antecedent;
        [Override ("Dependent"), Weak, Description (
         "A PolicyRule named within the AddressType property scope of this class "
         " (e.g., 171.79.6.40).") a System.")
        ]
    string Address;
        [Description
    CIM_PolicyRule REF Dependent;
};

// ==================================================================
//    PolicySetComponent
// ==================================================================
   [Association, Aggregation, Description (
         "The mask for the IP address
   "PolicySetComponent is a concrete aggregation class that "
   "collects instances of this ProtocolEndpoint, PolicySet subclasses (PolicyGroups and "
         "formatted according to
   "PolicyRules) into coherent sets of policies that have the appropriate convention as same "
         "defined in
   "decision strategy and are prioritized within the AddressType property of this set.")
   ]
class "
         " (e.g., 255.255.252.0).") CIM_PolicySetComponent : CIM_PolicyComponent
{
        [Override ("GroupComponent"), Aggregate, Description (
      "A PolicySet that aggregates other PolicySet instances.")
      ]
    string SubnetMask;
    CIM_PolicySet REF GroupComponent;
      [Override ("PartComponent"), Description (
      "A PolicySet aggregated into a PolicySet.")
      ]
    CIM_PolicySet REF PartComponent;
        [Description (
         "An enumeration that describes the format
      "A non-negative integer for prioritizing this PolicySet"
      "component relative to components of the address "
         "property. Whenever possible, IPv4-compatible addresses "
         "should be used instead of native IPv6 addresses (see same PolicySet. A "
         "RFC 2373, section 2.5.4). In order to have
      "larger value indicates a consistent "
         "format for IPv4 addresses in higher priority.")
      ]
    uint16 Priority;

};

// ==================================================================
//    PolicyGroupInPolicyGroup *** deprecated
// ==================================================================
   [Association, Aggregation, DEPRECATED {"CIM_PolicySetComponent"},
   Description (
   "PolicySetComponent provides a mixed IPv4/v6 environment, more general mechanism for "
         "all IPv4 addresses and
   "aggregating both IPv4-compatible IPv6 addresses "
         "and IPv4-mapped IPv6 addresses, per RFC 2373, section "
         "2.5.4, should be formatted in standard IPv4 format. PolicyGroups and PolicyRules and doing so with "
         "However, this (the 2.2) version of
   "the priority value applying only to the Network Common aggregated set rather "
         "Model will not explicitly support mixed IPv4/IPv6
   "than policy wide.\n"
   "\n"
   "A relationship that aggregates one or more lower-level "
         "environments. This will be added in
   "PolicyGroups into a future release."),
        ValueMap { "0", "1", "2" },
        Values higher-level Group.  A Policy"
   "Group may aggregate PolicyRules and/or other Policy"
   "Groups.")
   ]
class CIM_PolicyGroupInPolicyGroup : CIM_PolicyComponent
{ "Unknown", "IPv4", "IPv6" }
        [Override ("GroupComponent"), Aggregate, Description (
         "A PolicyGroup that aggregates other Groups.")
        ]
    uint16 AddressType;
        [Description
    CIM_PolicyGroup REF GroupComponent;
        [Override ("PartComponent"), Description (
         "It is not possible to tell from the address alone if
         "A PolicyGroup aggregated by another Group.")
        ]
    CIM_PolicyGroup REF PartComponent;
};

// ==================================================================
//    PolicyRuleInPolicyGroup *** deprecated
// ==================================================================
   [Association, Aggregation, DEPRECATED {"CIM_PolicySetComponent"},
   Description (
   "PolicySetComponent provides a more general mechanism for "
         "given IPProtocolEndpoint can support IPv4
   "aggregating both PolicyGroups and IPv6, or PolicyRules and doing so with "
         "just one of these. This property explicitly defines
   "the priority value applying only to the aggregated set rather "
         "support for different versions of IP
   "than policy wide.\n"
   "\n"
   "A relationship that this "
         "IPProtocolEndpoint has. aggregates one or more PolicyRules "
         "\n\n"
         "More implementation experience is needed in order to
   "into a PolicyGroup.  A PolicyGroup may aggregate "
         "correctly model mixed IPv4/IPv6 networks; therefore, this
   "PolicyRules and/or other PolicyGroups.")
   ]
class CIM_PolicyRuleInPolicyGroup : CIM_PolicyComponent
{
        [Override ("GroupComponent"), Aggregate, Description (
         "A PolicyGroup that aggregates one or more PolicyRules.")
        ]
    CIM_PolicyGroup REF GroupComponent;
        [Override ("PartComponent"), Description (
         "A PolicyRule aggregated by a PolicyGroup.")
        ]
    CIM_PolicyRule REF PartComponent;

};

// ==================================================================
//    PolicyConditionInPolicyRule
// ==================================================================
   [Association, Aggregation, Description (
        "
         "version (2.2)  A PolicyRule aggregates zero or more instances of the Network Common Model will not support "
         "mixed IPv4/IPv6 environments. This will be looked at
        "PolicyCondition class, via the PolicyConditionInPolicyRule "
        "association.  A Rule that aggregates zero Conditions is not "
         "further
        "valid -- it may, however, be in the process of being entered "
        "into a future version."),
        ValueMap { "0", "1", "2" },
        Values { "Unknown", "IPv4 Only", "IPv6 Only" } ]
    uint16 IPVersionSupport;
};

// ===================================================================
//     CIM_FilterEntryBase
// ===================================================================
        [Description ( PolicyRepository or being defined for a System. Note "  FilterEntryBase
        "that a PolicyRule should have no effect until it is
valid.\n\n"
        "  "
        "The Conditions aggregated by a PolicyRule are grouped into "
        "two levels of lists: either an abstract class to define ORed set of ANDed sets of "
        "conditions (DNF, the naming default) or an ANDed set of ORed sets "
        "of all filter entries, and to allow their common conditions (CNF).  Individual PolicyConditions in these "
         "aggregation into FilterLists.
        "lists may be negated.  The FilterEntry subclass property ConditionListType "
         "represents packet filtering. Other types
        "specifies which of Entries are these two grouping schemes applies to a "
         "possible - for example,
        "particular PolicyRule.\n\n"
        "  "
        "In either case, PolicyConditions are used to filter security credentials. \n" determine "  FilterEntryBase is weak
        "whether to perform the network device (e.g., PolicyActions associated with the "
         "ComputerSystem) that contains it. Hence,
        "PolicyRule.\n\n"
        "  "
        "One or more PolicyTimePeriodConditions may be among the ComputerSystem "
         "keys
        "conditions associated with a PolicyRule via the Policy"
        "ConditionInPolicyRule association.  In this case, the time "
        "periods are propagated simply additional Conditions to this class.") be evaluated "
        "along with any others that are specified for the Rule. ")
   ]
class CIM_FilterEntryBase CIM_PolicyConditionInPolicyRule : CIM_LogicalElement CIM_PolicyComponent
{
        [Propagated ("CIM_ComputerSystem.CreationClassName"), Key,
           MaxLen (256),
         Description (
          "The scoping ComputerSystem's CreationClassName. ") ]
    string SystemCreationClassName;
        [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256),
        [Override ("GroupComponent"), Aggregate, Description (
          "The scoping ComputerSystem's Name.")
         "This property represents the PolicyRule that "
         "contains one or more PolicyConditions.")
        ]
    string SystemName;
        [Key, MaxLen (256),
    CIM_PolicyRule REF GroupComponent;
        [Override ("PartComponent"), Description (
          "CreationClassName indicates
         "This property holds the name of a PolicyCondition "
         "contained by one or more PolicyRules.")
        ]
    CIM_PolicyCondition REF PartComponent;
        [Description (
         "Unsigned integer indicating the class or group to which the "
          "subclass used in
         "PolicyCondition identified by the creation of an instance. When used ContainedCondition "
          "with
         "property belongs. This integer segments the other key properties of this class, this property Conditions "
          "allows all instances of this class and its subclasses to
         "into the ANDed sets (when the ConditionListType is "
          "be uniquely identified.") ]
    string CreationClassName;
        [Key, MaxLen (256),
         Description (
          "The Name property defines
         "\"DNF\") or similarly the label by which ORed sets (when the Filter"
            "Entry Condition"
         "ListType is known and uniquely identified.") \"CNF\") that are then evaluated.")
        ]
    string Name;
    uint16 GroupNumber;
        [Description (
          "Boolean indicating that
         "Indication of whether the match condition described Condition identified by "
          "in the properties of
         "the ContainedCondition property is negated.  TRUE "
         "indicates that the FilterEntryBase subclass PolicyCondition IS negated, FALSE "
          "should be
         "indicates that it IS NOT negated.")
        ]
    boolean IsNegated; ConditionNegated;
};

// ==================================================================
//     FilterEntry    PolicyRuleValidityPeriod
// ==================================================================
        [Description
   [Association, Aggregation, Description (
         "A FilterEntry is used by network devices to identify
         "The PolicyRuleValidityPeriod aggregation represents "
         "traffic
         "scheduled activation and either forward them (with possibly further deactivation of a PolicyRule. "
         "processing) to their destination, or to deny their
         "If a PolicyRule is associated with multiple policy time "
         "forwarding. They are
         "periods via this association, then the building block of FilterLists."
         "\n\n"
         "This class Rule is oriented towards packet filtering. Other active if "
         "subclasses
         "at least one of FilterEntryBase can be defined to do other the time periods indicates that it is "
         "types of filtering.
         "active.  (In other words, the PolicyTimePeriodConditions "
         "\n\n"
         "A FilterEntry is weak
         "are ORed to determine whether the network device (e.g., Rule is active.)  A Time"
         "Period may be aggregated by multiple PolicyRules.  A Rule "
         "that does not point to a PolicyTimePeriodCondition via this "
         "association is, from the point of view of scheduling, "
         "ComputerSystem) that contains it. Hence,
         "always active.  It may, however, be inactive for other "
         "reasons.  For example, the ComputerSystem Rule's Enabled property may "
         "keys are propagated
         "be set to this class.") \"disabled\" (value=2).")
   ]
class CIM_FilterEntry CIM_PolicyRuleValidityPeriod : CIM_FilterEntryBase CIM_PolicyComponent
{
        [Description
        [Override ("GroupComponent"), Aggregate, Description (
         "This defines property contains the type name of traffic a PolicyRule that is being filtered. "
         "This will affect the filtering rules in the MatchCondition "
         "property of this class."),
        ValueMap { "0", "1", "2", "3" },
        Values { "Unknown", "IPv4", "IPX", "IPv6" }
         "contains one or more PolicyTimePeriodConditions.")
        ]
    uint16 TrafficType;
        [Description
    CIM_PolicyRule REF GroupComponent;
        [Override ("PartComponent"), Description (
         "This specifies one property contains the name of a set of ways to identify traffic. "
         "if
         "PolicyTimePeriodCondition defining the value is 1 (e.g., 'Other'), then the specific valid time periods "
         "type of filtering
         "for one or more PolicyRules.")
        ]
    CIM_PolicyTimePeriodCondition REF PartComponent;
};

// ==================================================================
//    PolicyActionStructure
// ==================================================================

        [Association, Aggregation, Abstract, Description (
         "PolicyActions may be aggregated into rules and into "
         "compound actions.  PolicyActionStructure is specified in the abstract "
         "OtherMatchConditionType property
         "aggregation class for the structuring of this class."),
         ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9",
                   "10", "11", "12" },
         Values {"Other", "Source Address and Mask",
           "Destination Address and Mask", "Source Port",
           "Source Port Range", "Destination Port",
           "Destination Port Range", "Protocol Type",
           "Protocol Type and Option", "DSCP", "ToS Value",
           "802.1P Priority Value" },
         ModelCorrespondence {
           "CIM_FilterEntry.OtherMatchConditionType" } policy actions.")
   ]
    uint16 MatchConditionType;

class CIM_PolicyActionStructure : CIM_PolicyComponent
{
        [Override ("GroupComponent"), Aggregate, Description (
         "PolicyAction instances may be aggregated into either "
         "PolicyRule instances or CompoundPolicyAction instances.")]
    CIM_Policy REF GroupComponent;
        [Override ("PartComponent"), Description (
         "A PolicyAction aggregated by a PolicyRule or "
         "CompoundPolicyAction.")]
    CIM_PolicyAction REF PartComponent;
        [Description (
         "If
         "ActionOrder is an unsigned integer 'n' that indicates the value "
         "relative position of the MatchConditionType property a PolicyAction in this the sequence of"
         "actions associated with a PolicyRule or "
         "class
         "CompoundPolicyAction.  When 'n' is 1 (e.g., 'Other'), then a positive integer, it "
         "indicates a place in the specific type sequence of actions to be "
         "filtering is specified
         "performed, with smaller integers indicating earlier "
         "positions in this property."),
         ModelCorrespondence {
          "CIM_FilterEntry.MatchConditionType" } ]
    string OtherMatchConditionType;
        [Description (
         "This is the sequence. The special value of '0' indicates "
         "'don't care'.  If two or more PolicyActions have the condition that filters same "
         "non-zero sequence number, they may be performed in any "
         "order, but they must all be performed at the appropriate "
         "traffic. It corresponds to the condition specified
         "place in the  overall action sequence.\n"
         "\n"
         "A series of examples will make ordering of PolicyActions "
         "MatchConditionType property. If, however,
         "clearer: \n"
         "    o If all actions have the value same sequence number,\n"
         "      regardless of the whether it is '0' or non-zero, any\n"
         "
         "MatchConditionProperty      order is 1, then it corresponds to the acceptable.\n"
         "
         "condition specified    o The values: \n"
         "          1:ACTION A \n"
         "          2:ACTION B \n"
         "          1:ACTION C \n"
         "          3:ACTION D \n"
         "      indicate two acceptable orders: A,C,B,D or C,A,B,D,\n"
         "      since A and C can be performed in the OtherMatchConditionType either order, but\n"
         "
         "property.") ]
    string MatchConditionValue;
        [Description (
         "This defines whether      only at the action should be to forward '1' position. \n"
         "    o The values: \n"
         "          0:ACTION A \n"
         "          2:ACTION B \n"
         "          3:ACTION C \n"
         "          3:ACTION D \n"
         "      require that B,C, and D occur either as B,C,D or as\n"
         "
         "deny traffic meeting the match condition specified in      B,D,C.  Action A may appear at any point relative to\n"
         "
         "this filter."),
         ValueMap { "1", "2" },
         Values { "Permit", "Deny" } ]
    uint16 Action;
        [Description (
         "This defines whether this FilterEntry is      B, C, and D. Thus the default complete set of acceptable\n"
         "
         "entry to use by its FilterList.") ]
    boolean DefaultFilter;
        [Description (
         "This defines      orders is:  A,B,C,D; B,A,C,D; B,C,A,D; B,C,D,A; \n"
         "      A,B,D,C; B,A,D,C; B,D,A,C; B,D,C,A. \n"
         "\n"
         "Note that the traffic class non-zero sequence numbers need not start with "
         "'1', and they need not be consecutive.  All that matters is being matched by "
         "this FilterEntry. Note that FilterEntries are aggregated
         "their relative magnitude.")]
    uint16 ActionOrder;
};

// ==================================================================
//    PolicyActionInPolicyRule
// ==================================================================
   [Association, Aggregation, Description (
       "
         "into FilterLists by  A PolicyRule aggregates zero or more instances of the EntriesInFilterList "
         "relationship. If the EntrySequence property of
       "PolicyAction class, via the PolicyActionInPolicyRule "
         "aggregation is set to 0, this means
       "association.  A Rule that all aggregates zero Actions is not "
       "valid--it may, however, be in the process of being entered "
       "into a PolicyRepository or being defined for a System. "
       "Alternately, the Filter"
         "Entries should be ANDed together. Consequently, actions of the policy may be explicit in "
         "TrafficClass property of each
       "the definition of the aggregated Entries PolicyRule. Note that a PolicyRule "
       "should be set to the same value."),
         ModelCorrespondence { "CIM_NextService.TrafficClass" } ]
    string TrafficClass;
};

// ==================================================================
//     FilterList
// ==================================================================
        [Description (
         "A FilterList have no effect until it is used by network devices to identify routes valid.\n\n"
       "
         "by aggregating  "
       "The Actions associated with a set of FilterEntries into PolicyRule may be given a unit, called "
       "required order, a recommended order, or no order at all.  "
         "FilterList. FilterLists
       "For Actions represented as separate objects, the "
       "PolicyActionInPolicyRule aggregation can also be used to accept or deny express "
         "routing updates."
       "an order."
       "\n\n"
         "A FilterList
       "This aggregation does not indicate whether a specified "
       "action order is weak to the network device (e.g., the required, recommended, or of no "
         "ComputerSystem) that contains it. Hence,
       "significance; the property SequencedActions in the ComputerSystem "
         "keys are propagated to
       "aggregating instance of PolicyRule provides this class.") ] "
       "indication.")]
class CIM_FilterList CIM_PolicyActionInPolicyRule : CIM_LogicalElement CIM_PolicyActionStructure
{
        [Propagated ("CIM_ComputerSystem.CreationClassName"), Key,
           MaxLen (256), Description (
         "The scoping ComputerSystem's CreationClassName. ") ]
    string SystemCreationClassName;

        [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256),
         Description ("The scoping ComputerSystem's Name.") ]
    string SystemName;

        [Key,
        [Override ("GroupComponent"), Aggregate, Description (
         "The type of class
         "This property represents the PolicyRule that this instance is.") "
         "contains one or more PolicyActions.")
        ]
    string CreationClassName;
        [Key, MaxLen(256),
    CIM_PolicyRule REF GroupComponent;
        [Override ("PartComponent"), Description (
         "This is property holds the name of the FilterList.") ]
    string Name;
        [Description (
         "This defines whether the FilterList is used "
         "for input, output, or both input and output "
         "filtering. All values are used with respect to "
         "the interface for which the FilterList applies. "
         "\n\n"
         "\"Not Applicable\" (0) is used when there is no a PolicyAction "
         "direction applicable to the FilterList.\n"
         "\"Input\" (1)
         "contained by one or more PolicyRules.")
        ]
    CIM_PolicyAction REF PartComponent;
};

// ==================================================================
//    PolicyActionInPolicyAction
// ==================================================================
        [Association, Aggregation, Description (
         "PolicyActionInPolicyAction is used when to represent the FilterList applies "
         "to packets that are inbound on
         "compounding of policy actions into a higher-level policy "
         "action.")]
class CIM_PolicyActionInPolicyAction : CIM_PolicyActionStructure
{
        [Override ("GroupComponent"), Aggregate, Description (
         "This property represents the related CompoundPolicyAction that "
         "interface.\n"
         "\"Output\" (2) is used when
         "contains one or more PolicyActions.")
        ]
    CIM_CompoundPolicyAction REF GroupComponent;
        [Override ("PartComponent"), Description (
         "This property holds the FilterList applies name of a PolicyAction "
         "to packets
         "contained by one or more CompoundPolicyActions.")
        ]
    CIM_PolicyAction REF PartComponent;
};

// ==================================================================
//    PolicyContainerInPolicyContainer
// ==================================================================
   [Association, Aggregation, Description (
   "A relationship that are outbound on the related aggregates one or more lower-level "
         "interface.\n"
         "\"Both\" (3) is used to indicate
   "ReusablePolicyContainer instances into a higher-level "
   "ReusablePolicyContainer.")
   ]
class CIM_PolicyContainerInPolicyContainer: CIM_SystemComponent
{
        [Override ("GroupComponent"), Aggregate, Description (
      "A ReusablePolicyContainer that aggregates other "
         "the direction is immaterial, e.g.,
        "ReusablePolicyContainers.")
      ]
    CIM_ReusablePolicyContainer REF GroupComponent;
      [Override ("PartComponent"), Description (
      "A ReusablePolicyContainer aggregated by another "
        "ReusablePolicyContainer.")
      ]
    CIM_ReusablePolicyContainer REF PartComponent;
};

// ==================================================================
//    PolicyRepositoryInPolicyRepository *** deprecated
// ==================================================================
   [Association, Aggregation,
   DEPRECATED {"CIM_PolicyContainerInPolicyContainer"},
   Description (
   "The term 'PolicyRepository' has been confusing to filter on both "
         "a source subnet regardless
   "developers and users of whether the flow model.  The replacement class "
   "name describes model element properly and is less likely "
         "inbound or outbound.\n"
         "\"Mirrored\" (4)
   "to be confused with a data repository.  ContainedDomain is also applicable to a "
         "both inbound and outbound flow processing, but
   "general purpose mechanism for expressing domain hierarchy."
   "\n\n"
   "A relationship that aggregates one or more lower-level "
         "indicates
   "PolicyRepositories into a higher-level Repository.")
   ]
class CIM_PolicyRepositoryInPolicyRepository : CIM_SystemComponent
{
        [Override ("GroupComponent"), Aggregate, Description (
         "A PolicyRepository that aggregates other Repositories.")
        ]
    CIM_PolicyRepository REF GroupComponent;
        [Override ("PartComponent"), Description (
         "A PolicyRepository aggregated by another Repository.")
        ]
    CIM_PolicyRepository REF PartComponent;
};

// ==================================================================
//    ReusablePolicy
// ==================================================================
   [Association, Description (
   "The ReusablePolicy association provides for the filter criteria are applied reuse of any "
         "asymmetrically to traffic
   "subclass of Policy in both directions a ReusablePolicyContainer.")
   ]
class CIM_ReusablePolicy : CIM_PolicyInSystem
{
        [Override ("Antecedent"), Max(1), Description (
      "This property identifies a ReusablePolicyContainer that "
         "and, thus, specifies
        "provides the reversal administrative scope for the reuse of source and "
         "destination criteria (as opposed to the equality "
         "of these criteria as indicated by \"Both\"). "
        "referenced policy element.")
      ]
    CIM_ReusablePolicyContainer REF Antecedent;
      [Override ("Dependent"), Description (
        "A reusable policy element.")
        ]
    CIM_Policy REF Dependent;
};

// ==================================================================
//    PolicyConditionInPolicyRepository *** deprecated
// ==================================================================
   [Association, DEPRECATED {"CIM_ReusablePolicy"},
   Description (
   "The match conditions in the aggregated "
         "FilterEntryBase subclass instances are defined ReusablePolicy association is a more general relationship "
         "from the perspective of outbound flows
   "that incorporates both Conditions and applied "
         "to inbound flows Actions as well by reversing the source as any "
         "and destination criteria. So, for example,
   "other policy subclass.\n"
   "\n"
   "A class representing the hosting of reusable "
         "consider
   "PolicyConditions by a FilterList with 3 FilterEntries PolicyRepository. A reusable Policy"
   "Condition is always related to a single PolicyRepository, "
         "indicating destination port = 80, and source and
   "via this association.\n\n"
   "
         "destination addresses  "
   "Note, that an instance of a and b, respectively. PolicyCondition can be either "
         "Then, for the outbound direction,
   "reusable or rule-specific.  When the filter Condition is rule-"
   "specific, it shall not be related to any "
         "entries match as specified and
   "PolicyRepository via the 'mirror' (for PolicyConditionInPolicyRepository "
         "the inbound direction) matches on source
   "association.")
   ]
class CIM_PolicyConditionInPolicyRepository : CIM_PolicyInSystem
{
        [Override ("Antecedent"), Max(1), Description (
         "This property identifies a PolicyRepository "
         "port = 80 and source and destination addresses
         "hosting one or more PolicyConditions.  A reusable "
         "of b and a, respectively."),
         Values {"Not Applicable", "Input", "Output",
               "Both", "Mirrored" }
         "PolicyCondition is always related to exactly one "
         "PolicyRepository via the PolicyConditionInPolicyRepository "
         "association.  The [0..1] cardinality for this property "
         "covers the two types of PolicyConditions:  0 for a "
         "rule-specific PolicyCondition, 1 for a reusable one.")
        ]
    uint16 Direction;
    CIM_PolicyRepository REF Antecedent;
        [Override ("Dependent"), Description (
         "This property holds the name of a PolicyCondition"
         "hosted in the PolicyRepository. ")
        ]
    CIM_PolicyCondition REF Dependent;
};

// ==================================================================
// ===              Association class definitions                 ===
// ==================================================================

// ==================================================================
//    EntriesInFilterList    PolicyActionInPolicyRepository *** deprecated
// ==================================================================
   [Association, Aggregation, DEPRECATED {"CIM_ReusablePolicy"},
   Description (
         "This
   "The ReusablePolicy association is a specialization of more general relationship "
   "that incorporates both Conditions and Actions as well as any "
   "other policy subclass.\n"
   "\n"
   "A class representing the CIM_Component aggregation hosting of reusable "
         "which
   "PolicyActions by a PolicyRepository. A reusable Policy"
   "Action is used always related to define a set of filter entries (subclasses single PolicyRepository, "
         "of FilterEntryBase)
   "via this association.\n\n"
   "  "
   "Note, that are aggregated by a particular an instance of PolicyAction can be either "
         "FilterList.")
   "reusable or rule-specific.  When the Action is rule-"
   "specific, it shall not be related to any "
   "PolicyRepository via the PolicyActionInPolicyRepository "
   "association.")
   ]
class CIM_EntriesInFilterList CIM_PolicyActionInPolicyRepository : CIM_Component CIM_PolicyInSystem
{
        [Aggregate, Max(1), Override ("GroupComponent"),
         Description (
          "The FilterList, which aggregates the set "
          "of FilterEntries.") ]
    CIM_FilterList REF GroupComponent;
        [Override ("PartComponent"), ("Antecedent"), Max(1), Description (
          "Any subclass of FilterEntryBase which is
         "This property represents a part of PolicyRepository "
          "the FilterList.") ]
    CIM_FilterEntryBase REF PartComponent;
        [Description (
          "The order of the Entry relative
         "hosting one or more PolicyActions.  A reusable "
         "PolicyAction is always related to all others in the exactly one "
          "FilterList. A value of zero indicates that all
         "PolicyRepository via the Entries PolicyActionInPolicyRepository "
          "should be ANDed together. Use of the Sequence
         "association.  The [0..1] cardinality for this property "
          "should be consistent across
         "covers the List. It is not valid to "
          "define some Entries as ANDed in two types of PolicyActions:  0 for a
      "rule-specific PolicyAction, 1 for a reusable one.")
        ]
    CIM_PolicyRepository REF Antecedent;
        [Override ("Dependent"), Description (
         "This property holds the FilterList (Sequence"
          "=0) while other Entries have name of a non-zero Sequence number.") PolicyAction"
         "hosted in the PolicyRepository. ")
        ]
    uint16 EntrySequence;
    CIM_PolicyAction REF Dependent;
};