draft-ietf-ipsp-config-policy-model-03.txt   draft-ietf-ipsp-config-policy-model-04.txt 
Internet Engineering Task Force Jamie Jason Internet Engineering Task Force Jamie Jason
INTERNET DRAFT Intel Corporation INTERNET DRAFT Intel Corporation
20-July-2001 Lee Rafalow November-2001 Lee Rafalow
IBM IBM
Eric Vyncke Eric Vyncke
Cisco Systems Cisco Systems
IPsec Configuration Policy Model IPsec Configuration Policy Model
draft-ietf-ipsp-config-policy-model-03.txt draft-ietf-ipsp-config-policy-model-04.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
skipping to change at page 1, line 46 skipping to change at page 1, line 46
o facilitate agreement about the content and semantics of IPsec o facilitate agreement about the content and semantics of IPsec
policy policy
o enable derivations of task-specific representations of IPsec o enable derivations of task-specific representations of IPsec
policy such as storage schema, distribution representations, policy such as storage schema, distribution representations,
and policy specification languages used to configure IPsec- and policy specification languages used to configure IPsec-
enabled endpoints enabled endpoints
The schema described in this document models the IKE phase one The schema described in this document models the IKE phase one
parameters as described in [IKE] and the IKE phase two parameters parameters as described in [IKE] and the IKE phase two parameters
for the IPsec Domain of Interpretation as described in [COMP, ESP, for the IPsec Domain of Interpretation as described in [COMP, ESP,
AH, DOI]. It is based upon the core policy classes as defined in AH, DOI]. It is based upon the core policy classes as defined in
the Policy Core Information Model (PCIM) [PCIM]. the Policy Core Information Model (PCIM) [PCIM] and on the Policy
Core Information Model Extensions (PCIMe) [PCIME].
Table of Contents Table of Contents
Status of this Memo................................................1 Status of this Memo................................................1
Abstract...........................................................1 Abstract...........................................................1
Table of Contents..................................................2 Table of Contents..................................................2
1. Introduction....................................................7 1. Introduction....................................................7
2. UML Conventions.................................................7 2. UML Conventions.................................................7
3. IPsec Policy Model Inheritance Hierarchy........................8 3. IPsec Policy Model Inheritance Hierarchy........................8
4. Policy Classes.................................................13 4. Policy Classes.................................................13
4.1. The Class IPsecPolicyGroup...................................14 4.1. The Class IPsecPolicyGroup...................................14
4.2. The Class SARule.............................................15 4.2. The Class SARule.............................................15
4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
RuleUsage, Mandatory, SequencedActions, PolicyRoles, and RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
PolicyDecisionStrategy............................................15 PolicyDecisionStrategy............................................15
4.2.2 The Property ExecutionStrategy.............................15 4.2.2 The Property ExecutionStrategy.............................16
4.2.3 The Property LimitNegotiation..............................17 4.2.3 The Property LimitNegotiation..............................17
4.3. The Class IKERule............................................18 4.3. The Class IKERule............................................18
4.3.1. The Property IdentityContexts..............................18 4.3.1. The Property IdentityContexts..............................18
4.4. The Class IPsecRule..........................................19 4.4. The Class IPsecRule..........................................19
4.6. The Association Class IPsecPolicyForEndpoint.................19 4.6. The Association Class IPsecPolicyForEndpoint.................19
4.6.1. The Reference Antecedent...................................19 4.6.1. The Reference Antecedent...................................20
4.6.2. The Reference Dependent....................................19 4.6.2. The Reference Dependent....................................20
4.7. The Association Class IPsecPolicyForSystem...................20 4.7. The Association Class IPsecPolicyForSystem...................20
4.7.1. The Reference Antecedent...................................20 4.7.1. The Reference Antecedent...................................20
4.7.2. The Reference Dependent....................................20 4.7.2. The Reference Dependent....................................20
4.8. The Aggregation Class RuleForIKENegotiation..................20 4.8. The Aggregation Class RuleForIKENegotiation..................21
4.8.1. The Property Priority......................................20 4.8.1. The Property Priority......................................21
4.8.2. The Reference GroupComponent...............................20 4.8.2. The Reference GroupComponent...............................21
4.8.3. The Reference PartComponent................................21 4.8.3. The Reference PartComponent................................21
4.9. The Aggregation Class RuleForIPsecNegotiation................21 4.9. The Aggregation Class RuleForIPsecNegotiation................21
4.9.1. The Property Priority......................................21 4.9.1. The Property Priority......................................21
4.9.2. The Reference GroupComponent...............................21 4.9.2. The Reference GroupComponent...............................22
4.9.3. The Reference PartComponent................................21 4.9.3. The Reference PartComponent................................22
4.10. The Aggregation Class SAConditionInRule.....................21 4.10. The Aggregation Class SAConditionInRule.....................22
4.10.1. The Properties GroupNumber and ConditionNegated...........22 4.10.1. The Properties GroupNumber and ConditionNegated...........22
4.10.2. The Reference GroupComponent..............................22 4.10.2. The Reference GroupComponent..............................22
4.10.3. The Reference PartComponent...............................22 4.10.3. The Reference PartComponent...............................22
4.11. The Aggregation Class PolicyActionInSARule..................22 4.11. The Aggregation Class PolicyActionInSARule..................22
4.11.1. The Reference GroupComponent..............................22 4.11.1. The Reference GroupComponent..............................23
4.11.2. The Reference PartComponent...............................23 4.11.2. The Reference PartComponent...............................23
4.11.3. The Property ActionOrder..................................23 4.11.3. The Property ActionOrder..................................23
5. Condition and Filter Classes...................................24 5. Condition and Filter Classes...................................24
5.1. The Class SACondition........................................24 5.1. The Class SACondition........................................24
5.2. The Class IPHeaderFilter.....................................25 5.2. The Class IPHeaderFilter.....................................25
5.3. The Class CredentialFilterEntry..............................25 5.3. The Class CredentialFilterEntry..............................25
5.3.1. The Property MatchFieldName................................25 5.3.1. The Property MatchFieldName................................25
5.3.2. The Property MatchFieldValue...............................26 5.3.2. The Property MatchFieldValue...............................26
5.3.3. The Property CredentialType................................26 5.3.3. The Property CredentialType................................26
5.4. The Class IPSOFilterEntry....................................26 5.4. The Class IPSOFilterEntry....................................26
skipping to change at page 3, line 26 skipping to change at page 3, line 26
6.2.1. The Property LifetimeSeconds...............................33 6.2.1. The Property LifetimeSeconds...............................33
6.3. The Class IPsecBypassAction..................................34 6.3. The Class IPsecBypassAction..................................34
6.4. The Class IPsecDiscardAction.................................34 6.4. The Class IPsecDiscardAction.................................34
6.5. The Class IKERejectAction....................................34 6.5. The Class IKERejectAction....................................34
6.6. The Class PreconfiguredSAAction..............................34 6.6. The Class PreconfiguredSAAction..............................34
6.6.1. The Property LifetimeKilobytes.............................35 6.6.1. The Property LifetimeKilobytes.............................35
6.7. The Class PreconfiguredTransportAction.......................35 6.7. The Class PreconfiguredTransportAction.......................35
6.8. The Class PreconfiguredTunnelAction..........................36 6.8. The Class PreconfiguredTunnelAction..........................36
6.8.1. The Property DFHandling....................................36 6.8.1. The Property DFHandling....................................36
6.9. The Class SANegotiationAction................................36 6.9. The Class SANegotiationAction................................36
6.9.1. The Property MinLifetimeSeconds............................37 6.10. The Class IKENegotiationAction..............................37
6.9.2. The Property MinLifetimeKilobytes..........................37 6.10.1. The Property MinLifetimeSeconds...........................37
6.9.3. The Property RefreshThresholdSeconds.......................37 6.10.2. The Property MinLifetimeKilobytes.........................37
6.9.4. The Property RefreshThresholdKilobytes.....................38 6.10.3. The Property RefreshThresholdSeconds......................38
6.9.5. The Property IdleDurationSeconds...........................38 6.10.4. The Property RefreshThresholdKilobytes....................38
6.10. The Class IPsecAction.......................................38 6.10.5. The Property IdleDurationSeconds..........................38
6.10.1. The Property UsePFS.......................................39 6.11. The Class IPsecAction.......................................39
6.10.2. The Property UseIKEGroup..................................39 6.11.1. The Property UsePFS.......................................39
6.10.3. The Property GroupId......................................39 6.11.2. The Property UseIKEGroup..................................39
6.10.4. The Property Granularity..................................40 6.11.3. The Property GroupId......................................40
6.10.5. The Property VendorID.....................................40 6.11.4. The Property Granularity..................................40
6.11. The Class IPsecTransportAction..............................40 6.11.5. The Property VendorID.....................................40
6.12. The Class IPsecTunnelAction.................................40 6.12. The Class IPsecTransportAction..............................41
6.12.1. The Property DFHandling...................................41 6.13. The Class IPsecTunnelAction.................................41
6.13. The Class IKEAction.........................................41 6.13.1. The Property DFHandling...................................41
6.13.1. The Property RefreshThresholdDerivedKeys..................41 6.14. The Class IKEAction.........................................41
6.13.2. The Property ExchangeMode.................................42 6.14.1. The Property RefreshThresholdDerivedKeys..................42
6.13.3. The Property UseIKEIdentityType...........................42 6.14.2. The Property ExchangeMode.................................42
6.13.4. The Property VendorID.....................................42 6.14.3. The Property UseIKEIdentityType...........................42
6.13.5. The Property AggressiveModeGroupId........................42 6.14.4. The Property VendorID.....................................43
6.14. The Class PeerGateway.......................................43 6.14.5. The Property AggressiveModeGroupId........................43
6.14.1. The Property Name.........................................43 6.15. The Class PeerGateway.......................................43
6.14.2. The Property PeerIdentityType.............................43 6.15.1. The Property Name.........................................43
6.14.3. The Property PeerIdentity.................................44 6.15.2. The Property PeerIdentityType.............................44
6.15. The Association Class PeerGatewayForTunnel..................44 6.15.3. The Property PeerIdentity.................................44
6.15.1. The Reference Antecedent..................................44 6.16. The Association Class PeerGatewayForTunnel..................44
6.15.2. The Reference Dependent...................................44 6.16.1. The Reference Antecedent..................................45
6.15.3. The Property SequenceNumber...............................45 6.16.2. The Reference Dependent...................................45
6.16. The Aggregation Class ContainedProposal.....................45
6.16.1. The Reference GroupComponent..............................45
6.16.2. The Reference PartComponent...............................45
6.16.3. The Property SequenceNumber...............................45 6.16.3. The Property SequenceNumber...............................45
6.17. The Association Class HostedPeerGatewayInformation..........46 6.17. The Aggregation Class ContainedProposal.....................45
6.17.1. The Reference Antecedent..................................46 6.17.1. The Reference GroupComponent..............................46
6.17.2. The Reference Dependent...................................46 6.17.2. The Reference PartComponent...............................46
6.18. The Association Class TransformOfPreconfiguredAction........46 6.17.3. The Property SequenceNumber...............................46
6.18.1. The Reference Antecedent..................................47 6.18. The Association Class HostedPeerGatewayInformation..........46
6.18.1. The Reference Antecedent..................................46
6.18.2. The Reference Dependent...................................47 6.18.2. The Reference Dependent...................................47
6.18.3. The Property SPI..........................................47 6.19. The Association Class TransformOfPreconfiguredAction........47
6.18.4. The Property Direction....................................47 6.19.1. The Reference Antecedent..................................47
6.19 The Association Class PeerGatewayForPreconfiguredTunnel......47 6.19.2. The Reference Dependent...................................47
6.19.1. The Reference Antecedent..................................48 6.19.3. The Property SPI..........................................47
6.19.2. The Reference Dependent...................................48 6.19.4. The Property Direction....................................48
6.20 The Association Class PeerGatewayForPreconfiguredTunnel......48
6.20.1. The Reference Antecedent..................................48
6.20.2. The Reference Dependent...................................48
7. Proposal and Transform Classes.................................49 7. Proposal and Transform Classes.................................49
7.1. The Abstract Class SAProposal................................49 7.1. The Abstract Class SAProposal................................49
7.1.1. The Property Name..........................................49 7.1.1. The Property Name..........................................49
7.2. The Class IKEProposal........................................50 7.2. The Class IKEProposal........................................50
7.2.1. The Property LifetimeDerivedKeys...........................50 7.2.1. The Property LifetimeDerivedKeys...........................50
7.2.2. The Property CipherAlgorithm...............................50 7.2.2. The Property CipherAlgorithm...............................50
7.2.3. The Property HashAlgorithm.................................51 7.2.3. The Property HashAlgorithm.................................51
7.2.4. The Property PRFAlgorithm..................................51 7.2.4. The Property PRFAlgorithm..................................51
7.2.5. The Property GroupId.......................................51 7.2.5. The Property GroupId.......................................51
7.2.6. The Property AuthenticationMethod..........................51 7.2.6. The Property AuthenticationMethod..........................51
skipping to change at page 6, line 20 skipping to change at page 6, line 21
8.17.2. The Reference Dependent...................................74 8.17.2. The Reference Dependent...................................74
8.18. The Association Class IKEIdentitysCredential................75 8.18. The Association Class IKEIdentitysCredential................75
8.18.1. The Reference Antecedent..................................75 8.18.1. The Reference Antecedent..................................75
8.18.2. The Reference Dependent...................................75 8.18.2. The Reference Dependent...................................75
9. Implementation Requirements....................................75 9. Implementation Requirements....................................75
10. Security Considerations.......................................79 10. Security Considerations.......................................79
11. Intellectual Property.........................................80 11. Intellectual Property.........................................80
12. Acknowledgments...............................................80 12. Acknowledgments...............................................80
13. References....................................................80 13. References....................................................80
14. Disclaimer....................................................81 14. Disclaimer....................................................81
15. Authors' Addresses............................................81 15. Authors' Addresses............................................82
16. Full Copyright Statement......................................82 16. Full Copyright Statement......................................82
Appendix A (DMTF Core Model MOF)..................................82
Appendix B (DMTF User Model MOF)..................................97
Appendix C (DMTF Network Model MOF)..............................112
Appendix D (DMTF Policy Model MOF)...............................121
1. Introduction 1. Introduction
Internet Protocol security (IPsec) policy may assume a variety of Internet Protocol security (IPsec) policy may assume a variety of
forms as it travels from storage to distribution point to decision forms as it travels from storage to distribution point to decision
point. At each step, it needs to be represented in a way that is point. At each step, it needs to be represented in a way that is
convenient for the current task. For example, the policy could convenient for the current task. For example, the policy could
exist as, but is not limited to: exist as, but is not limited to:
o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
skipping to change at page 7, line 36 skipping to change at page 7, line 36
This document is organized as follows: This document is organized as follows:
o Section 2 provides a quick introduction to the Unified Modeling o Section 2 provides a quick introduction to the Unified Modeling
Language (UML) graphical notation conventions used in this Language (UML) graphical notation conventions used in this
document. document.
o Section 3 provides the inheritance hierarchy that describes o Section 3 provides the inheritance hierarchy that describes
where the IPsec policy classes fit into the policy class where the IPsec policy classes fit into the policy class
hierarchy already defined by the Policy Core Information Model hierarchy already defined by the Policy Core Information Model
(PCIM). (PCIM) and Policy Core Information Model Extensions (PCIMe).
o Sections 4 through 8 describes the class that make up the IPsec o Sections 4 through 8 describes the class that make up the IPsec
policy model. policy model.
o Section 9 presents the implementation requirements for the o Section 9 presents the implementation requirements for the
classes in the model (i.e., the MUST/MAY/SHOULD status). classes in the model (i.e., the MUST/MAY/SHOULD status).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS]. document are to be interpreted as described in [KEYWORDS].
skipping to change at page 8, line 48 skipping to change at page 8, line 48
It should be noted that the UML static class diagram presented is a It should be noted that the UML static class diagram presented is a
conceptual view of IPsec policy designed to aid in understanding. conceptual view of IPsec policy designed to aid in understanding.
It does not necessarily get translated class for class into another It does not necessarily get translated class for class into another
representation. For example, an LDAP implementation may flatten out representation. For example, an LDAP implementation may flatten out
the representation to fewer classes (because of the inefficiency of the representation to fewer classes (because of the inefficiency of
following references). following references).
3. IPsec Policy Model Inheritance Hierarchy 3. IPsec Policy Model Inheritance Hierarchy
Like PCIM from which it is derived, the IPsec Configuration Policy Like PCIM and PCIMe from which it is derived, the IPsec
Model derives from and uses classes defined in the DMTF Common Configuration Policy Model derives from and uses classes defined in
Information Model (CIM). The following tree represents the the DMTF [DMTF] Common Information Model (CIM). The following tree
inheritance hierarchy for the IPsec policy model classes and how represents the inheritance hierarchy for the IPsec policy model
they fit into PCIM and the other DMTF models (see Appendices for classes and how they fit into PCIM, PCIMe and the other DMTF models
descriptions of classes that are not being introduced as part of (see Appendices for descriptions of classes that are not being
IPsec model). CIM classes that are not used as a superclass from introduced as part of IPsec model). CIM classes that are not used
which to derive new classes but are only referenced are not included as a superclass from which to derive new classes but are only
this inheritance hierarchy, but are included in the appropriate referenced are not included this inheritance hierarchy, but can be
appendix. found in the appropriate DMTF document [CIMCORE], [CIMUSER] or
[CIMNETWORK].
ManagedElement (DMTF Core Model - Appendix A) ManagedElement (DMTF Core Model - [CIMCORE])
| |
+--Collection (DMTF Core Model - Appendix A) +--Collection (DMTF Core Model - [CIMCORE])
| | | |
| +--PeerIdentityTable | +--PeerIdentityTable
| |
+--ManagedSystemElement (DMTF Core Model - Appendix A) +--ManagedSystemElement (DMTF Core Model - [CIMCORE])
| | | |
| +--LogicalElement (DMTF Core Model - Appendix A) | +--LogicalElement (DMTF Core Model - [CIMCORE])
| | | |
| +--FilterEntryBase (DMTF Network Model - Appendix C) | +--FilterEntryBase (DMTF Network Model - [CIMNETWORK])
| | | | | |
| | +--CredentialFilterEntry | | +--CredentialFilterEntry
| | | | | |
| | +--IPHeaderFilter (DMTF Network Model - Appendix C) | | +--IPHeaderFilter (PCIMe)
| | | | | |
| | +--IPSOFilterEntry | | +--IPSOFilterEntry
| | | | | |
| | +--PeerIDPayloadFilterEntry | | +--PeerIDPayloadFilterEntry
| | | |
| +--PeerGateway | +--PeerGateway
| | | |
| +--PeerIdentityEntry | +--PeerIdentityEntry
| | | |
| +--Service (DMTF Core Model - Appendix A) | +--Service (DMTF Core Model - [CIMCORE])
| |
| +--NetworkService (DMTF Network Model - Appendix C)
| | | |
| +--IKEService | +--IKEService
| |
+--OrganizationalEntity (DMTF User Model - Appendix B) +--OrganizationalEntity (DMTF User Model - [CIMUSER])
| | | |
| +--UserEntity (DMTF User Model - Appendix B) | +--UserEntity (DMTF User Model - [CIMUSER])
| | | |
| +--UsersAccess (DMTF User Model - Appendix B) | +--UsersAccess (DMTF User Model - [CIMUSER])
| | | |
| +--IKEIdentity | +--IKEIdentity
| |
+--Policy (PCIM) +--Policy (PCIM)
| | | |
| +--PolicyAction (PCIM) | +--PolicyAction (PCIM)
| | | | | |
| | +--CompoundPolicyAction (DMTF Policy Model - Appendix D) | | +--CompoundPolicyAction (PCIMe)
| | | | | |
| | +--SAAction | | +--SAAction
| | | | | |
| | +--SANegotiationAction | | +--SANegotiationAction
| | | | | | | |
| | | +--IKENegotiationAction
| | | |
| | | +--IKEAction | | | +--IKEAction
| | | | | | | |
| | | +--IPsecAction | | | +--IPsecAction
| | | | | | | |
| | | +--IPsecTransportAction | | | +--IPsecTransportAction
| | | | | | | |
| | | +--IPsecTunnelAction | | | +--IPsecTunnelAction
| | | | | |
| | +--SAStaticAction | | +--SAStaticAction
| | | | | |
skipping to change at page 10, line 28 skipping to change at page 10, line 28
| | +--PreconfiguredSAAction | | +--PreconfiguredSAAction
| | | | | |
| | +--PreconfiguredTransportAction | | +--PreconfiguredTransportAction
| | | | | |
| | +--PreconfiguredTunnelAction | | +--PreconfiguredTunnelAction
| | | |
| +--PolicyCondition (PCIM) | +--PolicyCondition (PCIM)
| | | | | |
| | +--SACondition | | +--SACondition
| | | |
| +--PolicySet (DMTF Policy Model - Appendix D) | +--PolicySet (PCIMe)
| | | | | |
| | +--PolicyGroup (PCIM) | | +--PolicyGroup (PCIM & PCIMe)
| | | | | | | |
| | | +--IPsecPolicyGroup | | | +--IPsecPolicyGroup
| | | | | |
| | +--PolicyRule (PCIM) | | +--PolicyRule (PCIM & PCIMe)
| | | | | |
| | +--SARule | | +--SARule
| | | | | |
| | +--IKERule | | +--IKERule
| | | | | |
| | +--IPsecRule | | +--IPsecRule
| | | |
| +--SAProposal | +--SAProposal
| | | | | |
| | +--IKEProposal | | +--IKEProposal
skipping to change at page 10, line 56 skipping to change at page 10, line 56
| | +--IPsecProposal | | +--IPsecProposal
| | | |
| +--SATransform | +--SATransform
| | | |
| +--AHTransform | +--AHTransform
| | | |
| +--ESPTransform | +--ESPTransform
| | | |
| +--IPCOMPTransform | +--IPCOMPTransform
| |
+--Setting (DMTF Core Model - Appendix A) +--Setting (DMTF Core Model - [CIMCORE])
| | | |
| +--SystemSetting (DMTF Core Model - Appendix A) | +--SystemSetting (DMTF Core Model - [CIMCORE])
| | | |
| +--AutostartIKESetting | +--AutostartIKESetting
| |
+--SystemConfiguration (DMTF Core Model - Appendix A) +--SystemConfiguration (DMTF Core Model - [CIMCORE])
| |
+--AutostartIKEConfiguration +--AutostartIKEConfiguration
The following tree represents the inheritance hierarchy of the IPsec The following tree represents the inheritance hierarchy of the IPsec
policy model association classes and how they fit into PCIM and the policy model association classes and how they fit into PCIM and the
other DMTF models (see Appendices for description of associations other DMTF models (see Appendices for description of associations
classes that are not being introduced as part of IPsec model). classes that are not being introduced as part of IPsec model).
Dependency (DMTF Core Model - Appendix A) Dependency (DMTF Core Model - [CIMCORE])
| |
+--AcceptCredentialsFrom +--AcceptCredentialsFrom
| |
+--ElementAsUser (DMTF User Model - Appendix B) +--ElementAsUser (DMTF User Model - [CIMUSER])
| | | |
| +--EndpointHasLocalIKEIdentity | +--EndpointHasLocalIKEIdentity
| | | |
| +--CollectionHasLocalIKEIdentity | +--CollectionHasLocalIKEIdentity
| |
+--FilterOfSACondition +--FilterOfSACondition
| |
+--HostedPeerGatewayInformation +--HostedPeerGatewayInformation
| |
+--HostedPeerIdentityTable +--HostedPeerIdentityTable
skipping to change at page 12, line 7 skipping to change at page 12, line 7
+--PeerGatewayForTunnel +--PeerGatewayForTunnel
| |
+--PolicyInSystem (PCIM) +--PolicyInSystem (PCIM)
| | | |
| +--SAProposalInSystem | +--SAProposalInSystem
| | | |
| +--SATransformInSystem | +--SATransformInSystem
| |
+--TransformOfPreconfiguredAction +--TransformOfPreconfiguredAction
| |
+--UsersCredential (DMTF User Model - Appendix B) +--UsersCredential (DMTF User Model - [CIMUSER])
| |
+--IKEIdentitysCredential +--IKEIdentitysCredential
ElementSetting (DMTF Core Model - Appendix A) ElementSetting (DMTF Core Model - [CIMCORE])
| |
+--IKEAutostartSetting +--IKEAutostartSetting
MemberOfCollection (DMTF Core Model - Appendix A) MemberOfCollection (DMTF Core Model - [CIMCORE])
| |
+--PeerIdentityMember +--PeerIdentityMember
PolicyComponent (PCIM) PolicyComponent (PCIM)
| |
+--ContainedProposal +--ContainedProposal
| |
+--ContainedTransform +--ContainedTransform
| |
+--PolicyActionInPolicyRule (PCIM) +--PolicyActionStructure (PCIMe)
| |
| +--PolicyActionInPolicyRule (PCIM & PCIMe)
| | | |
| +--PolicyActionInSARule | +--PolicyActionInSARule
| |
+--PolicyConditionInPolicyRule (PCIM) +--PolicyConditionStructure (PCIMe)
| |
| +--PolicyConditionInPolicyRule (PCIM & PCIMe)
| | | |
| +--SAConditionInRule | +--SAConditionInRule
| |
+--PolicySetComponent (DMTF Policy Model - Appendix D) +--PolicySetComponent (PCIMe)
| |
+--RuleForIKENegotiation +--RuleForIKENegotiation
| |
+--RuleForIPsecNegotiation +--RuleForIPsecNegotiation
SystemSettingContext (DMTF Core Model - Appendix A) SystemSettingContext (DMTF Core Model - [CIMCORE])
| |
+--AutostartIKESettingContext +--AutostartIKESettingContext
4. Policy Classes 4. Policy Classes
The IPsec policy classes represent the set of policies that are The IPsec policy classes represent the set of policies that are
contained on a system. contained on a system.
+--------------+ +--------------+
| PolicySet |* | PolicySet |*
| (Appendix D) |o--+ | ([PCIMe]) |o--+
+--------------+ | +--------------+ |
^ *| |(a) ^ *| |(a)
| +------+ | +------+
| |
+--------------------+ +-------------+ +--------------------+ +-------------+
| IPProtocolEndpoint | | PolicyGroup | | IPProtocolEndpoint | | PolicyGroup |
| (Appendix C) | | ([PCIM]) | | ([CIMNETWORK]) | | ([PCIM]) |
+--------------------+ +-------------+ +--------------------+ +-------------+
|* ^ |* ^
+-----------------+ | +-----------------+ |
|(b) | |(b) |
| | | |
|0..1 | |0..1 |
+------------------+0..1 (c) *+------------+ +------------------+0..1 (c) *+------------+
| IPsecPolicyGroup |-----------| System | | IPsecPolicyGroup |-----------| System |
+------------------+ |(Appendix A)| +------------------+ | ([CIMCORE])|
1 o o 1 +------------+ 1 o o 1 +------------+
(d) | | (e) (d) | | (e)
+-----------------------+ +--------------------------+ +-----------------------+ +--------------------------+
| | | |
| +---------------------------+ | | +---------------------------+ |
| | PolicyTimePeriodCondition | | | | PolicyTimePeriodCondition | |
| | ([PCIM]) | | | | ([PCIM]) | |
| +---------------------------+ | | +---------------------------+ |
| *| | | *| |
| |(f) | | |(f) |
| *o | | *o |
| +-------------+n *+--------+* n+--------------+ | | +-------------+n *+--------+* n+--------------+ |
| | SACondition |------o| SARule |o-------| PolicyAction | | | | SACondition |------o| SARule |o-------| PolicyAction | |
| +-------------+ (g) +--------+ (h) | ([PCIM]) | | | +-------------+ (g) +--------+ (h) | ([PCIM]) | |
| ^ +--------------+ | | ^ +--------------+ |
| | *| ^ | | | *| ^ |
| | |(i) | | | | |(i) | |
| | *o | | | | *o | |
| +-----------------+ +----------------------+ | | +-----------------+ +----------------------+ |
| | | | CompoundPolicyAction | | | | | | CompoundPolicyAction | |
| | | | (Appendix D) | | | | | | ([PCIMe]) | |
| | | +----------------------+ | | | | +----------------------+ |
| *+---------+ +-----------+* | | *+---------+ +-----------+* |
+-----| IKERule | | IPsecRule |---------------------------+ +-----| IKERule | | IPsecRule |---------------------------+
+---------+ +-----------+ +---------+ +-----------+
(a) PolicySetComponent (Appendix D) (a) PolicySetComponent ([PCIMe])
(b) IPsecPolicyForEndpoint (b) IPsecPolicyForEndpoint
(c) IPsecPolicyForSystem (c) IPsecPolicyForSystem
(d) RuleForIKENegotiation (d) RuleForIKENegotiation
(e) RuleForIPsecNegotiation (e) RuleForIPsecNegotiation
(f) PolicyRuleValidityPeriod ([PCIM]) (f) PolicyRuleValidityPeriod ([PCIM])
(g) SAConditionInRule (g) SAConditionInRule
(h) PolicyActionInSARule (h) PolicyActionInSARule
(i) PolicyActionInPolicyAction (i) PolicyActionInPolicyAction ([PCIMe])
An IPsecPolicyGroup represents the set of policies that are used on An IPsecPolicyGroup represents the set of policies that are used on
an interface. This IPsecPolicyGroup SHOULD be associated either an interface. This IPsecPolicyGroup SHOULD be associated either
directly with the IPProtocolEndpoint class instance that represents directly with the IPProtocolEndpoint class instance that represents
the interface (via the IPsecPolicyForEndpoint association) or the interface (via the IPsecPolicyForEndpoint association) or
indirectly (via the IPsecPolicyForSystem association) associated indirectly (via the IPsecPolicyForSystem association) associated
with the System that hosts the interface. with the System that hosts the interface.
The IKE and IPsec rules are used to build or to negotiate the IPsec The IKE and IPsec rules are used to build or to negotiate the IPsec
SADB. The SADB itself is not modeled by this document. SADB. The IPsec rules represent the Security Policy Database. The
SADB itself is not modeled by this document.
The rules usage can be described as (see also section 6 about The rules usage can be described as (see also section 6 about
actions): actions):
o an egress unprotected packet will first be checked against the o an egress unprotected packet will first be checked against the
SADB. If no match is found, the IPsec rules will be checked. If IPsec rules. If a match is found, the SADB will be checked. If
IKE negotiation is required by an IPsec rule, the corresponding there is no corresponding IPsec SA in the SADB and if IKE
IKE rules will be used if no IKE SA already exists. The negotiation is required by the IPsec rule, the corresponding IKE
negotiated or preconfigured SA will then be installed in the rules will be used. The negotiated or preconfigured SA will then
SADB. be installed in the SADB.
o An ingress unprotected packet will first be checked against the o An ingress unprotected packet will first be checked against the
IPsec SADB. If no match is found, the IPsec rules will be IPsec rules. If a match is found, the SADB will be checked for a
checked for a preconfigured SA. If a preconfigured SA exists, corresponding IPsec SA. If there is no corresponding IPsec SA
this SA will be installed in the IPsec SADB. and a preconfigured SA exists, this preconfigured SA will be
o An ingress protected packet will be checked exactly as an installed in the IPsec SADB. This behavior should only apply to
ingress unprotected packet. bypass and discard actions.
o An ingress protected packet will first be checked against the
IPsec rules. If a match is found, the SADB will be checked for a
corresponding IPsec SA. If there is no corresponding IPsec SA
and a preconfigured SA exists, this preconfigured SA will be
installed in the IPsec SADB.
o An ingress IKE negotiation packet, which is not part of an o An ingress IKE negotiation packet, which is not part of an
existing IKE SA, will be checked against the IKE rules. The existing IKE SA, will be checked against the IKE rules. The
negotiated SA will then be installed in the SADB. negotiated SA will then be installed in the SADB.
4.1. The Class IPsecPolicyGroup 4.1. The Class IPsecPolicyGroup
The class IPsecPolicyGroup serves as a container of either other The class IPsecPolicyGroup serves as a container of either other
IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. The IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. The
class definition for IPsecPolicyGroup is as follows: class definition for IPsecPolicyGroup is as follows:
NAME IPsecPolicyGroup NAME IPsecPolicyGroup
DESCRIPTION Either a set of IPsecPolicyGroups or a set of IKERules DESCRIPTION Either a set of IPsecPolicyGroups or a set of IKERules
and a set of IPsecRules. and a set of IPsecRules.
DERIVED FROM PolicyGroup (see [PCIM]) DERIVED FROM PolicyGroup (see [PCIM] & [PCIMe])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyGroupName (from PolicyGroup) PROPERTIES PolicyGroupName (from PolicyGroup)
PolicyDescisionStrategy (from PolicySet) PolicyDescisionStrategy (from PolicySet)
NOTE: for derivations of the schema that are used for policy NOTE: for derivations of the schema that are used for policy
distribution to an IPsec device (for example, COPS-PR), the server distribution to an IPsec device (for example, COPS-PR), the server
may follow all of PolicySetComponent associations and create one may follow all of PolicySetComponent associations and create one
policy group which is simply a set of all of the IKE rules and a set policy group which is simply a set of all of the IKE rules and a set
of all of the IPsec rules. See the section on the of all of the IPsec rules. See the section on the
PolicySetComponent aggregation for information on merging multiple PolicySetComponent aggregation for information on merging multiple
skipping to change at page 15, line 25 skipping to change at page 15, line 30
actions for both types of rules. Through its derivation from actions for both types of rules. Through its derivation from
PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
the PolicyRuleValidityPeriod association. the PolicyRuleValidityPeriod association.
Each valid IpsecPolicyGroup MUST contain SARules that each have a Each valid IpsecPolicyGroup MUST contain SARules that each have a
unique associated priority number in PolicySetComponent.Priority. unique associated priority number in PolicySetComponent.Priority.
The class definition for SARule is as follows: The class definition for SARule is as follows:
NAME SARule NAME SARule
DESCRIPTION A base class for IKERule and IPsecRule. DESCRIPTION A base class for IKERule and IPsecRule.
DERIVED FROM PolicyRule (see [PCIM]) DERIVED FROM PolicyRule (see [PCIM] & [PCIMe])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyRuleName (from PolicyRule) PROPERTIES PolicyRuleName (from PolicyRule)
Enabled (from PolicyRule) Enabled (from PolicyRule)
ConditionListType (from PolicyRule) ConditionListType (from PolicyRule)
RuleUsage (from PolicyRule) RuleUsage (from PolicyRule)
Mandatory (from PolicyRule) Mandatory (from PolicyRule)
SequencedActions (from PolicyRule) SequencedActions (from PolicyRule)
ExecutionStrategy (from PolicyRule) ExecutionStrategy (from PolicyRule)
PolicyRoles (from PolicyRule) PolicyRoles (from PolicyRule)
PolicyDecisionStrategy (from PolicySet) PolicyDecisionStrategy (from PolicySet)
LimitNegotiation LimitNegotiation
4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
RuleUsage, Mandatory, SequencedActions, PolicyRoles, and RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
PolicyDecisionStrategy PolicyDecisionStrategy
For a description of these properties, see Appendix D. For a description of these properties, see [PCIM] and [PCIME].
In SARule subclass instances: In SARule subclass instances:
- if the property Mandatory exists, it MUST be set to "true" - if the property Mandatory exists, it MUST be set to "true"
- if the property SequencedActions exists, it MUST be set to - if the property SequencedActions exists, it MUST be set to
"mandatory" "mandatory"
- the property PolicyRoles is not used in the device-level model - the property PolicyRoles is not used in the device-level model
- if the property PolicyDecisionStrategy exists, it must be set to - if the property PolicyDecisionStrategy exists, it must be set to
"FirstMatching" "FirstMatching"
4.2.2 The Property ExecutionStrategy 4.2.2 The Property ExecutionStrategy
The ExecutionStrategy properties in the PolicyRule subclasses (and in The ExecutionStrategy properties in the PolicyRule subclasses (and
in the CompoundPolicyAction class) determine the behavior of the
the CompoundPolicyAction class) determine the behavior of the
contained actions. It defines the strategy to be used in executing contained actions. It defines the strategy to be used in executing
the sequenced actions aggregated by a rule or a compound action. In the sequenced actions aggregated by a rule or a compound action. In
the case of actions within a rule, the PolicyActionInSARule the case of actions within a rule, the PolicyActionInSARule
aggregation is used to collect the actions into an ordered set; in aggregation is used to collect the actions into an ordered set; in
the case of a compound action, the PolicyActionInPolicyAction the case of a compound action, the PolicyActionInPolicyAction
aggregation is used to collect the actions into an ordered subset. aggregation is used to collect the actions into an ordered subset.
There are three execution strategies: do until success, do all and There are three execution strategies: do until success, do all and
do until failure. do until failure.
Do Until Success causes the execution of actions according to the "Do Until Success" causes the execution of actions according to the
ActionOrder property in the aggregation instances until a successful ActionOrder property in the aggregation instances until a successful
execution of a single action. These actions may be evaluated to execution of a single action. These actions may be evaluated to
determine if they are appropriate to execute rather than blindly determine if they are appropriate to execute rather than blindly
trying each of the actions until one succeeds. For an initiator, trying each of the actions until one succeeds. For an initiator,
they are tried in the ActionOrder until the list is exhausted or one they are tried in the ActionOrder until the list is exhausted or one
completes successfully. For example, an IKE initiator may have completes successfully. For example, an IKE initiator may have
several IKEActions for the same SACondition. The initiator will try several IKEActions for the same SACondition. The initiator will try
all IKEActions in the order defined by ActionOrder. I.e. it will all IKEActions in the order defined by ActionOrder. I.e. it will
possibly try several phase 1 negotiations possibly with different possibly try several phase 1 negotiations possibly with different
modes (main mode then aggressive mode) and/or with possibly multiple modes (main mode then aggressive mode) and/or with possibly multiple
IKE peers. For a responder, when there is more than one action in IKE peers. For a responder, when there is more than one action in
the rule with "do until success" condition clause this provides the rule with "do until success" condition clause this provides
alternative actions depending on the received proposals. For alternative actions depending on the received proposals. For
example, the same IKERule may be used to handle aggressive mode and example, the same IKERule may be used to handle aggressive mode and
main mode negotiations with different actions. The responder uses main mode negotiations with different actions. The responder uses
the first appropriate action in the list of actions. the first appropriate action in the list of actions.
Do All causes the execution all of the actions in aggregated set "Do All" causes the execution all of the actions in aggregated set
according to their defined order. The execution continues regardless according to their defined order. The execution continues regardless
of failures. of failures.
Do Until Failure causes the execution of all actions according to "Do Until Failure" causes the execution of all actions according to
predefined order until the first failure in execution of an action predefined order until the first failure in execution of an action
instance. instance.
For example, in a nested SAs case the actions of an initiators rule For example, in a nested SAs case the actions of an initiator's rule
might be structured as: might be structured as:
IPsecRule.ExecutionStrategy=Do All IPsecRule.ExecutionStrategy='Do All'
| |
+---1--- IPsecTunnelAction // set up SA from host to gateway +---1--- IPsecTunnelAction // set up SA from host to gateway
| |
+---2--- IPsecTransportAction // set up SA from host through
+---2--- IPsecTransportAction // set up SA from host thru tunnel // tunnel to remote host
// to remote host
Another example, showing a rule with fallback actions might be Another example, showing a rule with fallback actions might be
structured as: structured as:
IPsecRule.ExecutionStrategy=Do Until Success IPsecRule.ExecutionStrategy='Do Until Success'
| |
+---6--- IPsecTransportAction // negotiate SA with peer +---6--- IPsecTransportAction // negotiate SA with peer
| |
+---9--- IPsecBypassAction // but if you must, allow in the clear
+---9--- IPsecBypassAction // but if you must, allow in the The CompoundPolicyAction class (See [PCIME]) may be used in
// clear
The CompoundPolicyAction class (See Appendix D) may be used in
constructing the actions of IKE and IPsec rules when those rules constructing the actions of IKE and IPsec rules when those rules
specify both multiple actions and fallback actions. The specify both multiple actions and fallback actions. The
ExecutionStrategy property in CompoundPolicyAction is used in ExecutionStrategy property in CompoundPolicyAction is used in
conjunction with that in the PolicyRule. conjunction with that in the PolicyRule.
For example, in nesting SAs with a fallback security gateway, the For example, in nesting SAs with a fallback security gateway, the
actions of a rule might be structured as: actions of a rule might be structured as:
IPsecRule.ExecutionStrategy=Do All IPsecRule.ExecutionStrategy='Do All'
| |
+---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success'
+---1--- CompoundPolicyAction.ExecutionStrategy=Do Until Success
| | | |
| +---1--- IPsecTunnelAction // set up SA from host to | +---1--- IPsecTunnelAction // set up SA from host to
| | // gateway1 | | // gateway1
| | | |
| +---2--- IPsecTunnelAction // or set up SA to gateway2 | +---2--- IPsecTunnelAction // or set up SA to gateway2
| |
+---2--- IPsecTransportAction // then set up SA from host +---2--- IPsecTransportAction // then set up SA from host
// through tunnel to remote
// host
// thru tunnel to remote host In the case of "Do All", a couple of actions can be executed
successfully before a subsequent action fails. In this case, some
IKE or IPsec actions may have resulted in SA creation. Even if the
net effect of the aggregated actions is failure, those created SA
MAY be kept or MAY be deleted.
4.2.3 The Property LimitNegotiation In the case of "Do All", the IPsec selectors to be used during IPsec
SA negotiation are:
for the last IPsecAction of the aggregation (i.e. usually the
innermost IPsec SA): this is the combination of the IPHeadersFilter
class and of the Granularity property of the IpsecAction;
for all other IPsecActions of the aggregation: the selector is the
source IP address being the local IP address and the destination IP
address being the PeerGateway IP address of the following
IPsecAction of the "Do All" aggregation. NB: the granularity is IP
address to IP address.
If the above behavior is not desirable, the alternative is to define
several SARules one for each IPsec SA to be built. This will allow
the definition of specific IPsec selectors for all IpsecActions.
4.2.3 The Property LimitNegotiation
The property LimitNegotiation is used as part of processing either The property LimitNegotiation is used as part of processing either
an IKE or an IPsec rule. an IKE or an IPsec rule.
Before proceeding with a phase 1 negotiation, this property is Before proceeding with a phase 1 negotiation, this property is
checked to determine if the negotiation role of the rule matches checked to determine if the negotiation role of the rule matches
that defined for the negotiation being undertaken (e.g., Initiator, that defined for the negotiation being undertaken (e.g., Initiator,
Responder, or Both). If this check fails (e.g. the current role is Responder, or Both). If this check fails (e.g. the current role is
IKE responder while the rule specifies IKE initiator), then the IKE IKE responder while the rule specifies IKE initiator), then the IKE
negotiation is stopped. Note that this only applies to new IKE phase negotiation is stopped. Note that this only applies to new IKE phase
1 negotiations and has no effect on either renegotiation or refresh 1 negotiations and has no effect on either renegotiation or refresh
skipping to change at page 18, line 14 skipping to change at page 18, line 33
negotiation is a refresh operation by checking to see if the negotiation is a refresh operation by checking to see if the
selector information matches that of an existing SA. If selector information matches that of an existing SA. If
LimitNegotiation does not match and the selector corresponds to a LimitNegotiation does not match and the selector corresponds to a
new SA, the negotiation is stopped. new SA, the negotiation is stopped.
The property is defined as follows: The property is defined as follows:
NAME LimitNegotiation NAME LimitNegotiation
DESCRIPTION Limits the role to be undertaken during negotiation. DESCRIPTION Limits the role to be undertaken during negotiation.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 initiator-only VALUE 1 - initiator-only
2 responder-only 2 - responder-only
3 - both 3 - both
4.3. The Class IKERule 4.3. The Class IKERule
The class IKERule associates Conditions and Actions for IKE phase 1 The class IKERule associates Conditions and Actions for IKE phase 1
negotiations. The class definition for IKERule is as follows: negotiations. The class definition for IKERule is as follows:
NAME IKERule NAME IKERule
DESCRIPTION Associates Conditions and Actions for IKE phase 1 DESCRIPTION Associates Conditions and Actions for IKE phase 1
negotiations. negotiations.
skipping to change at page 19, line 40 skipping to change at page 20, line 9
The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
a specific network interface. If an IPProtocolEndpoint of a system a specific network interface. If an IPProtocolEndpoint of a system
does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
then the IPsecPolicyForSystem associated IPsecPolicyGroup is used then the IPsecPolicyForSystem associated IPsecPolicyGroup is used
for that endpoint. The class definition for IPsecPolicyForEndpoint for that endpoint. The class definition for IPsecPolicyForEndpoint
is as follows: is as follows:
NAME IPsecPolicyForEndpoint NAME IPsecPolicyForEndpoint
DESCRIPTION Associates a policy group to a network interface. DESCRIPTION Associates a policy group to a network interface.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]] PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]]
Dependent[ref IPsecPolicyGroup[0..1]] Dependent[ref IPsecPolicyGroup[0..1]]
4.6.1. The Reference Antecedent 4.6.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to an IPProtocolEndpoint instance. The [0..n] overridden to refer to an IPProtocolEndpoint instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may be cardinality indicates that an IPsecPolicyGroup instance may be
associated with zero or more IPProtocolEndpoint instances. associated with zero or more IPProtocolEndpoint instances.
skipping to change at page 20, line 18 skipping to change at page 20, line 39
The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a
specific system. If an IPProtocolEndpoint of a system does not have specific system. If an IPProtocolEndpoint of a system does not have
an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
IPsecPolicyForSystem associated IPsecPolicyGroup is used for that IPsecPolicyForSystem associated IPsecPolicyGroup is used for that
endpoint. The class definition for IPsecPolicyForSystem is as endpoint. The class definition for IPsecPolicyForSystem is as
follows: follows:
NAME IPsecPolicyForSystem NAME IPsecPolicyForSystem
DESCRIPTION Default policy group for a system. DESCRIPTION Default policy group for a system.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref System[0..n]] PROPERTIES Antecedent[ref System[0..n]]
Dependent[ref IPsecPolicyGroup[0..1]] Dependent[ref IPsecPolicyGroup[0..1]]
4.7.1. The Reference Antecedent 4.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [0..n] cardinality overridden to refer to a System instance. The [0..n] cardinality
indicates that an IPsecPolicyGroup instance may have an association indicates that an IPsecPolicyGroup instance may have an association
to zero or more System instances. to zero or more System instances.
skipping to change at page 20, line 46 skipping to change at page 21, line 14
4.8. The Aggregation Class RuleForIKENegotiation 4.8. The Aggregation Class RuleForIKENegotiation
The class RuleForIKENegotiation associates an IKERule with the The class RuleForIKENegotiation associates an IKERule with the
IPsecPolicyGroup that contains it. The class definition for IPsecPolicyGroup that contains it. The class definition for
RuleForIKENegotiation is as follows: RuleForIKENegotiation is as follows:
NAME RuleForIKENegotiation NAME RuleForIKENegotiation
DESCRIPTION Associates an IKERule with the IPsecPolicyGroup that DESCRIPTION Associates an IKERule with the IPsecPolicyGroup that
contains it. contains it.
DERIVED FROM PolicySetComponent (see Appendix D) DERIVED FROM PolicySetComponent (see [PCIME])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Priority (from PolicySetComponent) PROPERTIES Priority (from PolicySetComponent)
GroupComponent [ref IPsecPolicyGroup [1..1]] GroupComponent [ref IPsecPolicyGroup [1..1]]
PartComponent [ref IKERule [0..n]] PartComponent [ref IKERule [0..n]]
4.8.1. The Property Priority 4.8.1. The Property Priority
For a description of this property, see Appendix D. For a description of this property, see [PCIME].
4.8.2. The Reference GroupComponent 4.8.2. The Reference GroupComponent
The property GroupComponent is inherited from The property GroupComponent is inherited from
PolicyRuleInPolicyGroup and is overridden to refer to an PolicyRuleInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [1..1] cardinality indicates that an IPsecPolicyGroup instance. The [1..1] cardinality indicates that an
IKERule instance may be contained in one and only one IKERule instance may be contained in one and only one
IPsecPolicyGroup instance (i.e., IKERules are not shared across IPsecPolicyGroup instance (i.e., IKERules are not shared across
IPsecPolicyGroups). IPsecPolicyGroups).
4.8.3. The Reference PartComponent 4.8.3. The Reference PartComponent
The property PartComponent is inherited from PolicyRuleInPolicyGroup The property PartComponent is inherited from PolicyRuleInPolicyGroup
skipping to change at page 21, line 27 skipping to change at page 21, line 49
4.9. The Aggregation Class RuleForIPsecNegotiation 4.9. The Aggregation Class RuleForIPsecNegotiation
The class RuleForIPsecNegotiation associates an IPsecRule with the The class RuleForIPsecNegotiation associates an IPsecRule with the
IPsecPolicyGroup that contains it. The class definition for IPsecPolicyGroup that contains it. The class definition for
RuleForIPsecNegotiation is as follows: RuleForIPsecNegotiation is as follows:
NAME RuleForIPsecNegotiation NAME RuleForIPsecNegotiation
DESCRIPTION Associates an IPsecRule with the IPsecPolicyGroup that DESCRIPTION Associates an IPsecRule with the IPsecPolicyGroup that
contains it. contains it.
DERIVED FROM PolicySetComponent (see Appendix D) DERIVED FROM PolicySetComponent (see [PCIME])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Priority (from PolicySetComponent) PROPERTIES Priority (from PolicySetComponent)
GroupComponent [ref IPsecPolicyGroup [1..1]] GroupComponent [ref IPsecPolicyGroup [1..1]]
PartComponent [ref IPsecRule [0..n]] PartComponent [ref IPsecRule [0..n]]
4.9.1. The Property Priority 4.9.1. The Property Priority
For a description of this property, see [PCIME].
For a description of this property, see Appendix D.
4.9.2. The Reference GroupComponent 4.9.2. The Reference GroupComponent
The property GroupComponent is inherited from The property GroupComponent is inherited from
PolicyRuleInPolicyGroup and is overridden to refer to an PolicyRuleInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [1..1] cardinality indicates that an IPsecPolicyGroup instance. The [1..1] cardinality indicates that an
IPsecRule instance may be contained in only one IPsecPolicyGroup IPsecRule instance may be contained in only one IPsecPolicyGroup
instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).
4.9.3. The Reference PartComponent 4.9.3. The Reference PartComponent
skipping to change at page 22, line 4 skipping to change at page 22, line 22
instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).
4.9.3. The Reference PartComponent 4.9.3. The Reference PartComponent
The property PartComponent is inherited from PolicyRuleInPolicyGroup The property PartComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IPsecRule instance. The [0..n] and is overridden to refer to an IPsecRule instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may contain cardinality indicates that an IPsecPolicyGroup instance may contain
zero or more IPsecRules instance. zero or more IPsecRules instance.
4.10. The Aggregation Class SAConditionInRule 4.10. The Aggregation Class SAConditionInRule
The class SAConditionInRule associates an SARule with the The class SAConditionInRule associates an SARule with the
SACondition instance(s) that trigger(s) it. The class definition SACondition instance(s) that trigger(s) it. The class definition
for SAConditionInRule is as follows: for SAConditionInRule is as follows:
NAME SAConditionInRule NAME SAConditionInRule
DESCRIPTION Associates an SARule with the SACondition instance(s) DESCRIPTION Associates an SARule with the SACondition instance(s)
that trigger(s) it. that trigger(s) it.
DERIVED FROM PolicyConditionInPolicyRule (see [PCIM]) DERIVED FROM PolicyConditionInPolicyRule (see [PCIM] & [PCIMe])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupNumber (from PolicyConditionInPolicyRule) PROPERTIES GroupNumber (from PolicyConditionInPolicyRule)
ConditionNegated (from PolicyConditionInPolicyRule) ConditionNegated (from PolicyConditionInPolicyRule)
GroupComponent [ref SARule [0..n]] GroupComponent [ref SARule [0..n]]
PartComponent [ref SACondition [1..n]] PartComponent [ref SACondition [1..n]]
4.10.1. The Properties GroupNumber and ConditionNegated 4.10.1. The Properties GroupNumber and ConditionNegated
For a description of these properties, see [PCIM]. For a description of these properties, see [PCIM].
skipping to change at page 22, line 50 skipping to change at page 23, line 16
the contained actions MUST be either subclasses of SAAction or the contained actions MUST be either subclasses of SAAction or
instances of CompoundPolicyAction. For an IKERule, the contained instances of CompoundPolicyAction. For an IKERule, the contained
actions MUST be related to phase 1 processing, i.e., IKEAction or actions MUST be related to phase 1 processing, i.e., IKEAction or
IKERejectAction. Similarly, for an IPsecRule, contained actions IKERejectAction. Similarly, for an IPsecRule, contained actions
MUST be related to phase 2 or preconfigured SA processing, e.g., MUST be related to phase 2 or preconfigured SA processing, e.g.,
IPsecTransportAction, IPsecBypassAction, etc. The class definition IPsecTransportAction, IPsecBypassAction, etc. The class definition
for PolicyActionInSARule is as follows: for PolicyActionInSARule is as follows:
NAME PolicyActionInSARule NAME PolicyActionInSARule
DESCRIPTION Associates an SARule with its PolicyAction(s). DESCRIPTION Associates an SARule with its PolicyAction(s).
DERIVED FROM PolicyActionInPolicyRule (see [PCIM]) DERIVED FROM PolicyActionInPolicyRule (see [PCIM] & [PCIMe])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent [ref SARule [0..n]] PROPERTIES GroupComponent [ref SARule [0..n]]
PartComponent [ref PolicyAction [1..n]] PartComponent [ref PolicyAction [1..n]]
ActionOrder (from PolicyActionInPolicyRule) ActionOrder (from PolicyActionInPolicyRule)
4.11.1. The Reference GroupComponent 4.11.1. The Reference GroupComponent
The property GroupComponent is inherited from The property GroupComponent is inherited from
PolicyActionInPolicyRule and is overridden to refer to an SARule PolicyActionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SAAction instance. The [0..n] cardinality indicates that an SAAction
instance may be contained in zero or more SARule instances. instance may be contained in zero or more SARule instances.
4.11.2. The Reference PartComponent 4.11.2. The Reference PartComponent
The property PartComponent is inherited from The property PartComponent is inherited from
PolicyActionInPolicyRule and is overridden to refer to an SAAction PolicyActionInPolicyRule and is overridden to refer to an SAAction
or CompoundPolicyAction instance. The [1..n] cardinality indicates or CompoundPolicyAction instance. The [1..n] cardinality indicates
skipping to change at page 24, line 16 skipping to change at page 24, line 16
The IPsec condition and filter classes are used to build the "if" The IPsec condition and filter classes are used to build the "if"
part of the IKE and IPsec rules. part of the IKE and IPsec rules.
*+-------------+ *+-------------+
+--------------------| SACondition | +--------------------| SACondition |
| +-------------+ | +-------------+
| * | | * |
| |(a) | |(a)
| 1 | | 1 |
| +--------------+ | +---------------+
| | FilterList | | | FilterList |
| | (Appendix C) | | |([CIMNETWORK]) |
| +--------------+ | +---------------+
| 1 o | 1 o
|(b) |(c) |(b) |(c)
| * | | * |
| +-----------------+ | +-----------------+
| | FilterEntryBase | | | FilterEntryBase |
| | (Appendix C) | | | ([CIMNETWORK]) |
| +-----------------+ | +-----------------+
| ^ | ^
| | | |
| +----------------+ | +-----------------------+ | +----------------+ | +-----------------------+
| | IPHeaderFilter |----+----| CredentialFilterEntry | | | IPHeaderFilter |----+----| CredentialFilterEntry |
| | (Appendix C) | | +-----------------------+ | | ([PCIME]) | | +-----------------------+
| +----------------+ | | +----------------+ |
| | | |
| +-----------------+ | +--------------------------+ | +-----------------+ | +--------------------------+
| | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry | | | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
| +-----------------+ +--------------------------+ | +-----------------+ +--------------------------+
| |
| *+-----------------------------+ | *+-----------------------------+
+------------| CredentialManagementService | +------------| CredentialManagementService |
| (Appendix B) | | ([CIMUSER]) |
+-----------------------------+ +-----------------------------+
(a) FilterOfSACondition (a) FilterOfSACondition
(b) AcceptCredentialsFrom (b) AcceptCredentialsFrom
(c) EntriesInFilterList (see Appendix C) (c) EntriesInFilterList (see [CIMNETWORK])
5.1. The Class SACondition 5.1. The Class SACondition
The class SACondition defines the conditions of rules for IKE and The class SACondition defines the conditions of rules for IKE and
IPsec negotiations. Conditions are associated with policy rules via IPsec negotiations. Conditions are associated with policy rules via
the SAConditionInRule aggregation. It is used as an anchor point to the SAConditionInRule aggregation. It is used as an anchor point to
associate various types of filters with policy rules via the associate various types of filters with policy rules via the
FilterOfSACondition association. It also defines whether Credentials FilterOfSACondition association. It also defines whether Credentials
can be accepted for a particular policy rule via the can be accepted for a particular policy rule via the
AcceptCredentialsFrom association. AcceptCredentialsFrom association.
skipping to change at page 25, line 26 skipping to change at page 25, line 26
NAME SACondition NAME SACondition
DESCRIPTION Defines the preconditions for IKE and IPsec DESCRIPTION Defines the preconditions for IKE and IPsec
negotiations. negotiations.
DERIVED FROM PolicyCondition (see [PCIM]) DERIVED FROM PolicyCondition (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyConditionName (from PolicyCondition) PROPERTIES PolicyConditionName (from PolicyCondition)
5.2. The Class IPHeaderFilter 5.2. The Class IPHeaderFilter
The class IPHeaderFilter is defined in appendix C with the following The class IPHeaderFilter is defined in [PCIMe] with the following
note: note:
1) to specify 5-tuple filters that are to apply symmetrically (i.e., 1) to specify 5-tuple filters that are to apply symmetrically (i.e.,
matches traffic in both directions of the same flow between the matches traffic in both directions of the same flow between the
two peers), the Direction property of the FilterList should be two peers), the Direction property of the FilterList should be
set to "Mirrored". set to "Mirrored".
5.3. The Class CredentialFilterEntry 5.3. The Class CredentialFilterEntry
The class CredentialFilterEntry defines an equivalence class that The class CredentialFilterEntry defines an equivalence class that
skipping to change at page 25, line 49 skipping to change at page 25, line 49
CredentialManagementService(s) associated with the SACondition CredentialManagementService(s) associated with the SACondition
(AcceptCredentialsFrom). (AcceptCredentialsFrom).
These credentials can be X.509 certificates, Kerberos tickets, or These credentials can be X.509 certificates, Kerberos tickets, or
other types of credentials obtained during the Phase 1 exchange. other types of credentials obtained during the Phase 1 exchange.
The class definition for CredentialFilterEntry is as follows: The class definition for CredentialFilterEntry is as follows:
NAME CredentialFilterEntry NAME CredentialFilterEntry
DESCRIPTION Specifies a match filter based on the IKE credentials. DESCRIPTION Specifies a match filter based on the IKE credentials.
DERIVED FROM FilterEntryBase (see Appendix C) DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
MatchFieldName MatchFieldName
MatchFieldValue MatchFieldValue
CredentialType CredentialType
5.3.1. The Property MatchFieldName 5.3.1. The Property MatchFieldName
The property MatchFieldName specifies the sub-part of the credential The property MatchFieldName specifies the sub-part of the credential
to match against MatchFieldValue. The property is defined as to match against MatchFieldValue. The property is defined as
skipping to change at page 26, line 39 skipping to change at page 26, line 39
5.3.3. The Property CredentialType 5.3.3. The Property CredentialType
The property CredentialType specifies the particular type of The property CredentialType specifies the particular type of
credential that is being matched. The property is defined as credential that is being matched. The property is defined as
follows: follows:
NAME CredentialType NAME CredentialType
DESCRIPTION Defines the type of IKE credentials. DESCRIPTION Defines the type of IKE credentials.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 X.509 Certificate VALUE 1 - X.509 Certificate
2 Kerberos Ticket 2 - Kerberos Ticket
5.4. The Class IPSOFilterEntry 5.4. The Class IPSOFilterEntry
The class IPSOFilterEntry is used to match traffic based on the IP The class IPSOFilterEntry is used to match traffic based on the IP
Security Options header values (ClassificationLevel and Security Options header values (ClassificationLevel and
ProtectionAuthority) as defined in RFC1108. This type of filter ProtectionAuthority) as defined in RFC1108. This type of filter
entry is used to adjust the IPsec encryption level according to the entry is used to adjust the IPsec encryption level according to the
IPSO classification of the traffic (e.g., secret, confidential, IPSO classification of the traffic (e.g., secret, confidential,
restricted, etc. The class definition for IPSOFilterEntry is as restricted, etc. The class definition for IPSOFilterEntry is as
follows: follows:
NAME IPSOFilterEntry NAME IPSOFilterEntry
DESCRIPTION Specifies the a match filter based on IP Security DESCRIPTION Specifies the a match filter based on IP Security
Options. Options.
DERIVED FROM FilterEntryBase (see Appendix C) DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
MatchConditionType MatchConditionType
MatchConditionValue MatchConditionValue
5.4.1. The Property MatchConditionType 5.4.1. The Property MatchConditionType
The property MatchConditionType specifies the IPSO header field that The property MatchConditionType specifies the IPSO header field that
will be matched (e.g., traffic classification level or protection will be matched (e.g., traffic classification level or protection
authority). The property is defined as follows: authority). The property is defined as follows:
NAME MatchConditionType NAME MatchConditionType
DESCRIPTION Specifies the IPSO header field to be matched. DESCRIPTION Specifies the IPSO header field to be matched.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 ClassificationLevel VALUE 1 - ClassificationLevel
2 ProtectionAuthority 2 - ProtectionAuthority
5.4.2. The Property MatchConditionValue 5.4.2. The Property MatchConditionValue
The property MatchConditionValue specifies the value of the IPSO The property MatchConditionValue specifies the value of the IPSO
header field to be matched against. The property is defined as header field to be matched against. The property is defined as
follows: follows:
NAME MatchConditionValue NAME MatchConditionValue
DESCRIPTION Specifies the value of the IPSO header field to be DESCRIPTION Specifies the value of the IPSO header field to be
matched against. matched against.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE For ClassificationLevel, the values are: VALUE For ClassificationLevel, the values are:
61 TopSecret 61 - TopSecret
90 Secret 90 - Secret
150 Confidential 150 - Confidential
171 Unclassified 171 - Unclassified
For ProtectionAuthority, the values are: For ProtectionAuthority, the values are:
0 GENSER 0 - GENSER
1 - SIOP-ESI 1 - SIOP-ESI
2 SCI 2 - SCI
3 NSA 3 - NSA
4 - DOE 4 - DOE
5.5. The Class PeerIDPayloadFilterEntry 5.5. The Class PeerIDPayloadFilterEntry
The class PeerIDPayloadFilterEntry defines filters used to match ID The class PeerIDPayloadFilterEntry defines filters used to match ID
payload values from the IKE protocol exchange. payload values from the IKE protocol exchange.
PeerIDPayloadFilterEntry permits the specification of certain ID PeerIDPayloadFilterEntry permits the specification of certain ID
payload values such as "*@company.com" or "193.190.125.0/24". payload values such as "*@company.com" or "193.190.125.0/24".
Obviously this filter applies only to IKERules when acting as a Obviously this filter applies only to IKERules when acting as a
responder. Moreover, this filter can be applied immediately in the responder. Moreover, this filter can be applied immediately in the
case of aggressive mode but its application is to be delayed in the case of aggressive mode but its application is to be delayed in the
case of main mode. The class definition for case of main mode. The class definition for
PeerIDPayloadFilterEntry is as follows: PeerIDPayloadFilterEntry is as follows:
NAME PeerIDPayloadFilterEntry NAME PeerIDPayloadFilterEntry
DESCRIPTION Specifies a match filter based on IKE identity. DESCRIPTION Specifies a match filter based on IKE identity.
DERIVED FROM FilterEntryBase (see Appendix C) DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
MatchIdentityType MatchIdentityType
MatchIdentityValue MatchIdentityValue
5.5.1. The Property MatchIdentityType 5.5.1. The Property MatchIdentityType
The property MatchIdentityType specifies the type of identity The property MatchIdentityType specifies the type of identity
provided by the peer in the ID payload." The property is defined provided by the peer in the ID payload." The property is defined
skipping to change at page 29, line 16 skipping to change at page 29, line 16
5.6. The Association Class FilterOfSACondition 5.6. The Association Class FilterOfSACondition
The class FilterOfSACondition associates an SACondition with the The class FilterOfSACondition associates an SACondition with the
filter specifications (FilterList) that make up the condition. The filter specifications (FilterList) that make up the condition. The
class definition for FilterOfSACondition is as follows: class definition for FilterOfSACondition is as follows:
NAME FilterOfSACondition NAME FilterOfSACondition
DESCRIPTION Associates a condition with the filter list that make DESCRIPTION Associates a condition with the filter list that make
up the individual condition elements. up the individual condition elements.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref FilterList[1..1]] PROPERTIES Antecedent [ref FilterList[1..1]]
Dependent [ref SACondition[0..n]] Dependent [ref SACondition[0..n]]
5.6.1. The Reference Antecedent 5.6.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a FilterList instance. The [1..1] overridden to refer to a FilterList instance. The [1..1]
cardinality indicates that an SACondition instance MUST be cardinality indicates that an SACondition instance MUST be
associated with one and only one FilterList instance. associated with one and only one FilterList instance.
skipping to change at page 30, line 6 skipping to change at page 30, line 6
AcceptCredentialsFrom list of services but there is no AcceptCredentialsFrom list of services but there is no
CredentialFilterEntry, this is considered equivalent to a CredentialFilterEntry, this is considered equivalent to a
CredentialFilterEntry that matches all credentials from those CredentialFilterEntry that matches all credentials from those
services. services.
The class definition for AcceptCredentialFrom is as follows: The class definition for AcceptCredentialFrom is as follows:
NAME AcceptCredentialFrom NAME AcceptCredentialFrom
DESCRIPTION Associates a condition with the credential management DESCRIPTION Associates a condition with the credential management
services to be trusted. services to be trusted.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref CredentialManagementService[0..n]] PROPERTIES Antecedent [ref CredentialManagementService[0..n]]
Dependent [ref SACondition[0..n]] Dependent [ref SACondition[0..n]]
5.7.1. The Reference Antecedent 5.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an SACondition instance may be [0..n] cardinality indicates that an SACondition instance may be
associated with zero or more CredentialManagementServices instance. associated with zero or more CredentialManagementServices instance.
skipping to change at page 31, line 18 skipping to change at page 31, line 18
device may take when the evaluation of the associated condition device may take when the evaluation of the associated condition
results in a match. results in a match.
+----------+ +----------+
| SAAction | | SAAction |
+----------+ +----------+
^ ^
| |
+-----------+--------------+ +-----------+--------------+
| | | |
*+----------------+ +---------------------+* | +---------------------+
| SAStaticAction | | SANegotiationAction |o-----+ | | SaNegotiationAction |
+----------------+ +---------------------+ | | +---------------------+
| ^
| |
*+----------------+ +----------------------+*
| SAStaticAction | | IKENegotiationAction |o----+
+----------------+ +----------------------+ |
^ ^ | ^ ^ |
| | | | | |
| +-----------+-------+ | | +-----------+-------+ |
| | | | | | | |
+-------------------+ | +-------------+ +-----------+ | +-------------------+ | +-------------+ +-----------+ |
| IPsecBypassAction |---+ | IPsecAction | | IKEAction | | | IPsecBypassAction |---+ | IPsecAction | | IKEAction | |
+-------------------+ | +-------------+ +-----------+ | +-------------------+ | +-------------+ +-----------+ |
| ^ | | ^ |
+--------------------+ | | +----------------------+ | +--------------------+ | | +----------------------+ |
| IPsecDiscardAction |---+ +----| IPsecTransportAction | | | IPsecDiscardAction |---+ +----| IPsecTransportAction | |
skipping to change at page 31, line 51 skipping to change at page 31, line 56
+-----------------------+ | +--------------+ (b) +-----------------------+ | +--------------+ (b)
*| ^ | *| ^ |
| | | *+-------------+ | | | *+-------------+
| | +-------| PeerGateway | | | +-------| PeerGateway |
| | +-------------+ | | +-------------+
| | +-----------------------------+ |0..1 *w| | | +-----------------------------+ |0..1 *w|
| +--| PreconfiguredTransportAction| | |(c) | +--| PreconfiguredTransportAction| | |(c)
| | +-----------------------------+ | 1| | | +-----------------------------+ | 1|
| | | +--------------+ | | | +--------------+
| | +---------------------------+ * | | System | | | +---------------------------+ * | | System |
| +--| PreconfiguredTunnelAction |-----+ | (Appendix A) | | +--| PreconfiguredTunnelAction |-----+ | ([CIMCORE]) |
| +---------------------------+ (e) +--------------+ | +---------------------------+ (e) +--------------+
| |
| 2..6+---------------+ | 2..6+---------------+
+-------| [SATransform] | +-------| [SATransform] |
(d) +---------------+ (d) +---------------+
(a) PeerGatewayForTunnel (a) PeerGatewayForTunnel
(b) ContainedProposal (b) ContainedProposal
(c) HostedPeerGatewayInformation (c) HostedPeerGatewayInformation
(d) TransformOfPreconfiguredAction (d) TransformOfPreconfiguredAction
(e) PeerGatewayForPreconfiguredTunnel (e) PeerGatewayForPreconfiguredTunnel
6.1. The Class SAAction 6.1. The Class SAAction
The class SAAction serves as the base class for IKE and IPsec The class SAAction is abstract and serves as the base class for IKE
actions. Although the class is concrete, it MUST not be and IPsec actions. It is used for aggregating different types of
instantiated. It is used for aggregating different types of actions actions to IKE and IPsec rules. The class definition for SAAction
to IKE and IPsec rules. The class definition for SAAction is as is as follows:
follows:
NAME SAAction NAME SAAction
DESCRIPTION The base class for IKE and IPsec actions. DESCRIPTION The base class for IKE and IPsec actions.
DERIVED FROM PolicyAction (see [PCIM]) DERIVED FROM PolicyAction (see [PCIM])
ABSTRACT FALSE ABSTRACT TRUE
PROPERTIES PolicyActionName (from PolicyAction) PROPERTIES PolicyActionName (from PolicyAction)
DoActionLogging DoActionLogging
DoPacketLogging DoPacketLogging
6.1.1. The Property DoActionLogging 6.1.1. The Property DoActionLogging
The property DoActionLogging specifies whether a log message is to The property DoActionLogging specifies whether a log message is to
be generated when the action is performed. This applies for be generated when the action is performed. This applies for
SANegotiationActions with the meaning of logging a message when the SANegotiationActions with the meaning of logging a message when the
negotiation is attempted (with the success or failure result). This negotiation is attempted (with the success or failure result). This
skipping to change at page 33, line 18 skipping to change at page 33, line 22
DESCRIPTION Specifies the whether to log when the resulting DESCRIPTION Specifies the whether to log when the resulting
security association is used to process the packet. security association is used to process the packet.
SYNTAX boolean SYNTAX boolean
VALUE true - a log message is to be generated when the VALUE true - a log message is to be generated when the
resulting security association is used to process the resulting security association is used to process the
packet. packet.
false - no log message is to be generated. false - no log message is to be generated.
6.2. The Class SAStaticAction 6.2. The Class SAStaticAction
The class SAStaticAction serves as the base class for IKE and IPsec The class SAStaticAction is abstract and serves as the base class
actions that do not require any negotiation. Although the class is for IKE and IPsec actions that do not require any negotiation. The
concrete, it MUST not be instantiated. The class definition for class definition for SAStaticAction is as follows:
SAStaticAction is as follows:
NAME SAStaticAction NAME SAStaticAction
DESCRIPTION The base class for IKE and IPsec actions that do not DESCRIPTION The base class for IKE and IPsec actions that do not
require any negotiation. require any negotiation.
DERIVED FROM SAAction DERIVED FROM SAAction
ABSTRACT FALSE ABSTRACT TRUE
PROPERTIES LifetimeSeconds PROPERTIES LifetimeSeconds
6.2.1. The Property LifetimeSeconds 6.2.1. The Property LifetimeSeconds
The property LifetimeSeconds specifies how long the security The property LifetimeSeconds specifies how long the security
association derived from this action should be used. The property association derived from this action should be used. The property
is defined as follows: is defined as follows:
NAME LifetimeSeconds NAME LifetimeSeconds
DESCRIPTION Specifies the amount of time (in seconds) that a DESCRIPTION Specifies the amount of time (in seconds) that a
skipping to change at page 35, line 4 skipping to change at page 35, line 7
6.6. The Class PreconfiguredSAAction 6.6. The Class PreconfiguredSAAction
The class PreconfiguredSAAction is used to create a security The class PreconfiguredSAAction is used to create a security
association using preconfigured, hard-wired algorithms and keys. association using preconfigured, hard-wired algorithms and keys.
Notes: Notes:
- the SPI for a PreconfiguredSAAction is contained in the - the SPI for a PreconfiguredSAAction is contained in the
association, TransformOfPreconfiguredAction; association, TransformOfPreconfiguredAction;
- the session key (if applicable) is contained in an instance of the
class SharedSecret (see appendix B). The session key is stored in - the session key (if applicable) is contained in an instance of
the property secret, the property protocol contains either "ESP- the class SharedSecret (see [CIMUSER]). The session key is
encrypt, ESP-auth" or "AH", the property algorithm contains the stored in the property secret, the property protocol contains
algorithm used to protect the secret (can be "PLAINTEXT" if the either "ESP-encrypt", "ESP-auth" or "AH", the property
IPsec entity has no secret storage), the value of property algorithm contains the algorithm used to protect the secret
RemoteID is the concatenation of the remote IPsec peer IP address (can be "PLAINTEXT" if the IPsec entity has no secret storage),
in dotted decimal, of the character "/", of IN (resp. OUT) for the value of property RemoteID is the concatenation of the
inbound SA (resp. outbound SA), of the character / and of the remote IPsec peer IP address in dotted decimal, of the
hexadecimal representation of the SPI. character "/", of "IN" (resp. "OUT") for inbound SA (resp.
outbound SA), of the character "/" and of the hexadecimal
representation of the SPI.
Although the class is concrete, it MUST not be instantiated. The Although the class is concrete, it MUST not be instantiated. The
class definition for PreconfiguredSAAction is as follows: class definition for PreconfiguredSAAction is as follows:
NAME PreconfiguredSAAction NAME PreconfiguredSAAction
DESCRIPTION Specifies preconfigured algorithm and keying DESCRIPTION Specifies preconfigured algorithm and keying
information for creation of a security association. information for creation of a security association.
DERIVED FROM SAStaticAction DERIVED FROM SAStaticAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES LifetimeKilobytes PROPERTIES LifetimeKilobytes
skipping to change at page 36, line 36 skipping to change at page 36, line 40
6.8.1. The Property DFHandling 6.8.1. The Property DFHandling
The property DFHandling specifies how the Don't Fragment bit of the The property DFHandling specifies how the Don't Fragment bit of the
internal IP header is to be handled during IPsec processing. The internal IP header is to be handled during IPsec processing. The
property is defined as follows: property is defined as follows:
NAME DFHandling NAME DFHandling
DESCRIPTION Specifies the processing of the DF bit. DESCRIPTION Specifies the processing of the DF bit.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 Copy the DF bit from the internal IP header to the VALUE 1 - Copy the DF bit from the internal IP header to the
external IP header. external IP header.
2 Set the DF bit of the external IP header to 1. 2 - Set the DF bit of the external IP header to 1.
3 Clear the DF bit of the external IP header to 0. 3 - Clear the DF bit of the external IP header to 0.
6.9. The Class SANegotiationAction 6.9. The Class SANegotiationAction
The class SANegotiationAction serves as the base class for IKE and The class SANegotiationAction specifies an action requesting
IPsec actions that result in a IKE negotiation. Although the class security policy negotiation.
is concrete, is MUST not be instantiated. The class definition for
SANegotiationAction is as follows: This is an abstract class. Currently, only one security policy
negotiation protocol action is subclassed from SANegotiationAction:
the IKENegotiationAction class. It is nevertheless expected that
other security policy negotiation protocols will exist and the
negotiation actions of those new protocols would be modeled as a
subclass of SANegotiationAction.
NAME SANegotiationAction NAME SANegotiationAction
DESCRIPTION Specifies a negotiation action .
DERIVED FROM SAAction
ABSTRACT TRUE
6.10. The Class IKENegotiationAction
The class IKENegotiationAction is abstract and serves as the base
class for IKE and IPsec actions that result in a IKE negotiation.
Although the class is concrete, is MUST not be instantiated. The
class definition for IKENegotiationAction is as follows:
NAME IKENegotiationAction
DESCRIPTION A base class for IKE and IPsec actions that specifies DESCRIPTION A base class for IKE and IPsec actions that specifies
the parameters that are common for IKE phase 1 and IKE the parameters that are common for IKE phase 1 and IKE
phase 2 IPsec DOI negotiations. phase 2 IPsec DOI negotiations.
DERIVED FROM SAAction DERIVED FROM SANegotiationAction
ABSTRACT FALSE ABSTRACT TRUE
PROPERTIES MinLifetimeSeconds PROPERTIES MinLifetimeSeconds
MinLifetimeKilobytes MinLifetimeKilobytes
RefreshThresholdSeconds RefreshThresholdSeconds
RefreshThresholdKilobytes RefreshThresholdKilobytes
IdleDurationSeconds IdleDurationSeconds
6.9.1. The Property MinLifetimeSeconds 6.10.1. The Property MinLifetimeSeconds
The property MinLifetimeSeconds specifies the minimum seconds The property MinLifetimeSeconds specifies the minimum seconds
lifetime that will be accepted from the peer. MinLifetimeSeconds is lifetime that will be accepted from the peer. MinLifetimeSeconds is
used to prevent certain denial of service attacks where the peer used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations requests an arbitrarily low lifetime value, causing renegotiations
with correspondingly expensive Diffie-Hellman operations. The with correspondingly expensive Diffie-Hellman operations. The
property is defined as follows: property is defined as follows:
NAME MinLifetimeSeconds NAME MinLifetimeSeconds
DESCRIPTION Specifies the minimum acceptable seconds lifetime. DESCRIPTION Specifies the minimum acceptable seconds lifetime.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no minimum VALUE A value of zero indicates that there is no minimum
value. A non-zero value specifies the minimum seconds value. A non-zero value specifies the minimum seconds
lifetime. lifetime.
6.9.2. The Property MinLifetimeKilobytes 6.10.2. The Property MinLifetimeKilobytes
The property MinLifetimeKilobytes specifies the minimum kilobytes The property MinLifetimeKilobytes specifies the minimum kilobytes
lifetime that will be accepted from the peer. MinLifetimeKilobytes lifetime that will be accepted from the peer. MinLifetimeKilobytes
is used to prevent certain denial of service attacks where the peer is used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations requests an arbitrarily low lifetime value, causing renegotiations
with correspondingly expensive Diffie-Hellman operations. Note that with correspondingly expensive Diffie-Hellman operations. Note that
there has been considerable debate regarding the usefulness of there has been considerable debate regarding the usefulness of
applying kilobyte lifetimes to IKE phase 1 security associations, so applying kilobyte lifetimes to IKE phase 1 security associations, so
it is likely that this property will only apply to the sub-class it is likely that this property will only apply to the sub-class
IPsecAction. The property is defined as follows: IPsecAction. The property is defined as follows:
NAME MinLifetimeKilobytes NAME MinLifetimeKilobytes
DESCRIPTION Specifies the minimum acceptable kilobytes lifetime. DESCRIPTION Specifies the minimum acceptable kilobytes lifetime.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no minimum VALUE A value of zero indicates that there is no minimum
value. A non-zero value specifies the minimum value. A non-zero value specifies the minimum
kilobytes lifetime. kilobytes lifetime.
6.9.3. The Property RefreshThresholdSeconds 6.10.3. The Property RefreshThresholdSeconds
The property RefreshThresholdSeconds specifies what percentage of The property RefreshThresholdSeconds specifies what percentage of
the seconds lifetime can expire before IKE should attempt to the seconds lifetime can expire before IKE should attempt to
renegotiate the security association. A random value may be added renegotiate the security association. A random value may be added
to the calculated threshold (percentage x seconds lifetime) to to the calculated threshold (percentage x seconds lifetime) to
reduce the chance of both peers attempting to renegotiate at the reduce the chance of both peers attempting to renegotiate at the
same time. The property is defined as follows: same time. The property is defined as follows:
NAME RefreshThresholdSeconds NAME RefreshThresholdSeconds
DESCRIPTION Specifies the percentage of seconds lifetime that has DESCRIPTION Specifies the percentage of seconds lifetime that has
expired before the security association is expired before the security association is
renegotiated. renegotiated.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the security association value of 100 indicates that the security association
should not be renegotiated until the seconds lifetime should not be renegotiated until the seconds lifetime
has been reached. has been reached.
6.9.4. The Property RefreshThresholdKilobytes 6.10.4. The Property RefreshThresholdKilobytes
The property RefreshThresholdKilobytes specifies what percentage of The property RefreshThresholdKilobytes specifies what percentage of
the kilobyte lifetime can expire before IKE should attempt to the kilobyte lifetime can expire before IKE should attempt to
renegotiate the IPsec security association. A random value may be renegotiate the IPsec security association. A random value may be
added to the calculated threshold (percentage x kilobyte lifetime) added to the calculated threshold (percentage x kilobyte lifetime)
to reduce the chance of both peers attempting to renegotiate at the to reduce the chance of both peers attempting to renegotiate at the
same time. Note, that as with the property MinLifetimeKilobytes, same time. Note, that as with the property MinLifetimeKilobytes,
this property is probably only relevant to IPsecAction sub-classes. this property is probably only relevant to IPsecAction sub-classes.
The property is defined as follows: The property is defined as follows:
NAME RefreshThresholdKilobytes NAME RefreshThresholdKilobytes
DESCRIPTION Specifies the percentage of kilobyte lifetime that has DESCRIPTION Specifies the percentage of kilobyte lifetime that has
expired before the IPsec security association is expired before the IPsec security association is
renegotiated. renegotiated.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IPsec security value of 100 indicates that the IPsec security
association should not be renegotiated until the association should not be renegotiated until the
kilobyte lifetime has been reached. kilobyte lifetime has been reached.
6.9.5. The Property IdleDurationSeconds 6.10.5. The Property IdleDurationSeconds
The property IdleDurationSeconds specifies how many seconds a The property IdleDurationSeconds specifies how many seconds a
security association may remain idle (i.e., no traffic protected security association may remain idle (i.e., no traffic protected
using the security association) before it is deleted. The property using the security association) before it is deleted. The property
is defined as follows: is defined as follows:
NAME IdleDurationSeconds NAME IdleDurationSeconds
DESCRIPTION Specifies how long, in seconds, a security association DESCRIPTION Specifies how long, in seconds, a security association
may remain unused before it is deleted. may remain unused before it is deleted.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that idle detection should VALUE A value of zero indicates that idle detection should
not be used for the security association (only the not be used for the security association (only the
seconds and kilobyte lifetimes will be used). Any non- seconds and kilobyte lifetimes will be used). Any non-
zero value indicates the number of seconds the security zero value indicates the number of seconds the security
association may remain unused. association may remain unused.
6.10. The Class IPsecAction 6.11. The Class IPsecAction
The class IPsecAction serves as the base class for IPsec transport The class IPsecAction serves as the base class for IPsec transport
and tunnel actions. It specifies the parameters used for an IKE and tunnel actions. It specifies the parameters used for an IKE
phase 2 IPsec DOI negotiation. Although the class is concrete, is phase 2 IPsec DOI negotiation. Although the class is concrete, is
MUST not be instantiated. The class definition for IPsecAction is MUST not be instantiated. The class definition for IPsecAction is
as follows: as follows:
NAME IPsecAction NAME IPsecAction
DESCRIPTION A base class for IPsec transport and tunnel actions DESCRIPTION A base class for IPsec transport and tunnel actions
that specifies the parameters for IKE phase 2 IPsec DOI that specifies the parameters for IKE phase 2 IPsec DOI
negotiations. negotiations.
DERIVED FROM SANegotiationAction DERIVED FROM IKENegotiationAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES UsePFS PROPERTIES UsePFS
UseIKEGroup UseIKEGroup
GroupId GroupId
Granularity Granularity
VendorID VendorID
6.10.1. The Property UsePFS 6.11.1. The Property UsePFS
The property UsePFS specifies whether or not perfect forward secrecy The property UsePFS specifies whether or not perfect forward secrecy
should be used when refreshing keys. The property is defined as should be used when refreshing keys. The property is defined as
follows: follows:
NAME UsePFS NAME UsePFS
DESCRIPTION Specifies the whether or not to use PFS when refreshing DESCRIPTION Specifies the whether or not to use PFS when refreshing
keys. keys.
SYNTAX boolean SYNTAX boolean
VALUE A value of true indicates that PFS should be used. A VALUE A value of true indicates that PFS should be used. A
value of false indicates that PFS should not be used. value of false indicates that PFS should not be used.
6.10.2. The Property UseIKEGroup 6.11.2. The Property UseIKEGroup
The property UseIKEGroup specifies whether or not phase 2 should use The property UseIKEGroup specifies whether or not phase 2 should use
the same key exchange group as was used in phase 1. UseIKEGroup is the same key exchange group as was used in phase 1. UseIKEGroup is
ignored if UsePFS is false. The property is defined as follows: ignored if UsePFS is false. The property is defined as follows:
NAME UseIKEGroup NAME UseIKEGroup
DESCRIPTION Specifies whether or not to use the same GroupId for DESCRIPTION Specifies whether or not to use the same GroupId for
phase 2 as was used in phase 1. If UsePFS is false, phase 2 as was used in phase 1. If UsePFS is false,
then UseIKEGroup is ignored. then UseIKEGroup is ignored.
SYNTAX boolean SYNTAX boolean
VALUE A value of true indicates that the phase 2 GroupId VALUE A value of true indicates that the phase 2 GroupId
should be the same as phase 1. A value of false should be the same as phase 1. A value of false
indicates that the property GroupId will contain the indicates that the property GroupId will contain the
key exchange group to use for phase 2. key exchange group to use for phase 2.
6.10.3. The Property GroupId 6.11.3. The Property GroupId
The property GroupId specifies the key exchange group to use for The property GroupId specifies the key exchange group to use for
phase 2. GroupId is ignored if (1) the property UsePFS is false, or phase 2. GroupId is ignored if (1) the property UsePFS is false, or
(2) the property UsePFS is true and the property UseIKEGroup is (2) the property UsePFS is true and the property UseIKEGroup is
true. If the GroupID number is from the vendor-specific range true. If the GroupID number is from the vendor-specific range
(32768-65535), the property VendorID qualifies the group number. (32768-65535), the property VendorID qualifies the group number.
The property is defined as follows: The property is defined as follows:
NAME GroupId NAME GroupId
DESCRIPTION Specifies the key exchange group to use for phase 2 DESCRIPTION Specifies the key exchange group to use for phase 2
skipping to change at page 40, line 4 skipping to change at page 40, line 26
phase 2. GroupId is ignored if (1) the property UsePFS is false, or phase 2. GroupId is ignored if (1) the property UsePFS is false, or
(2) the property UsePFS is true and the property UseIKEGroup is (2) the property UsePFS is true and the property UseIKEGroup is
true. If the GroupID number is from the vendor-specific range true. If the GroupID number is from the vendor-specific range
(32768-65535), the property VendorID qualifies the group number. (32768-65535), the property VendorID qualifies the group number.
The property is defined as follows: The property is defined as follows:
NAME GroupId NAME GroupId
DESCRIPTION Specifies the key exchange group to use for phase 2 DESCRIPTION Specifies the key exchange group to use for phase 2
when the property UsePFS is true and the property when the property UsePFS is true and the property
UseIKEGroup is false. UseIKEGroup is false.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values. VALUE Consult [IKE] for valid values.
6.10.4. The Property Granularity 6.11.4. The Property Granularity
The property Granularity specifies how the selector for the security The property Granularity specifies how the selector for the security
association should be derived from the traffic that triggered the association should be derived from the traffic that triggered the
negotiation. The property is defined as follows: negotiation. The property is defined as follows:
NAME Granularity NAME Granularity
DESCRIPTION Specifies the how the proposed selector for the DESCRIPTION Specifies the how the proposed selector for the
security association will be created. security association will be created.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 subnet: the source and destination subnet masks of VALUE 1 - subnet: the source and destination subnet masks of
the filter entry are used. the filter entry are used.
2 address: only the source and destination IP 2 - address: only the source and destination IP
addresses of the triggering packet are used. addresses of the triggering packet are used.
3 protocol: the source and destination IP addresses 3 - protocol: the source and destination IP addresses
and the IP protocol of the triggering packet are used. and the IP protocol of the triggering packet are used.
4 port: the source and destination IP addresses and 4 - port: the source and destination IP addresses and
the IP protocol and the source and destination layer 4 the IP protocol and the source and destination layer 4
ports of the triggering packet are used. ports of the triggering packet are used.
6.10.5. The Property VendorID 6.11.5. The Property VendorID
The property VendorID is used together with the property GroupID The property VendorID is used together with the property GroupID
(when it is in the vendor-specific range) to identify the key (when it is in the vendor-specific range) to identify the key
exchange group. VendorID is ignored unless UsePFS is true and exchange group. VendorID is ignored unless UsePFS is true and
UseIKEGroup is false and GroupID is in the vendor-specific range UseIKEGroup is false and GroupID is in the vendor-specific range
(32768-65535). The property is defined as follows: (32768-65535). The property is defined as follows:
NAME VendorID NAME VendorID
DESCRIPTION Specifies the IKE Vendor ID. DESCRIPTION Specifies the IKE Vendor ID.
SYNTAX string SYNTAX string
6.11. The Class IPsecTransportAction 6.12. The Class IPsecTransportAction
The class IPsecTransportAction is a subclass of IPsecAction that is The class IPsecTransportAction is a subclass of IPsecAction that is
used to specify use of an IPsec transport-mode security association. used to specify use of an IPsec transport-mode security association.
The class definition for IPsecTransportAction is as follows: The class definition for IPsecTransportAction is as follows:
NAME IPsecTransportAction NAME IPsecTransportAction
DESCRIPTION Specifies that an IPsec transport-mode security DESCRIPTION Specifies that an IPsec transport-mode security
association should be negotiated. association should be negotiated.
DERIVED FROM IPsecAction DERIVED FROM IPsecAction
ABSTRACT FALSE ABSTRACT FALSE
6.12. The Class IPsecTunnelAction 6.13. The Class IPsecTunnelAction
The class IPsecTunnelAction is a subclass of IPsecAction that is The class IPsecTunnelAction is a subclass of IPsecAction that is
used to specify use of an IPsec tunnel-mode security association. used to specify use of an IPsec tunnel-mode security association.
The class definition for IPsecTunnelAction is as follows: The class definition for IPsecTunnelAction is as follows:
NAME IPsecTunnelAction NAME IPsecTunnelAction
DESCRIPTION Specifies that an IPsec tunnel-mode security DESCRIPTION Specifies that an IPsec tunnel-mode security
association should be negotiated. association should be negotiated.
DERIVED FROM IPsecAction DERIVED FROM IPsecAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES DFHandling PROPERTIES DFHandling
6.12.1. The Property DFHandling 6.13.1. The Property DFHandling
The property DFHandling specifies how the tunnel should manage the The property DFHandling specifies how the tunnel should manage the
Don't Fragment (DF) bit. The property is defined as follows: Don't Fragment (DF) bit. The property is defined as follows:
NAME DFHandling NAME DFHandling
DESCRIPTION Specifies how to process the DF bit. DESCRIPTION Specifies how to process the DF bit.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 Copy the DF bit from the internal IP header to the VALUE 1 - Copy the DF bit from the internal IP header to the
external IP header. external IP header.
2 Set the DF bit of the external IP header to 1. 2 - Set the DF bit of the external IP header to 1.
3 Clear the DF bit of the external IP header to 0. 3 - Clear the DF bit of the external IP header to 0.
6.13. The Class IKEAction 6.14. The Class IKEAction
The class IKEAction specifies the parameters that are to be used for The class IKEAction specifies the parameters that are to be used for
IKE phase 1 negotiation. The class definition for IKEAction is as IKE phase 1 negotiation. The class definition for IKEAction is as
follows: follows:
NAME IKEAction NAME IKEAction
DESCRIPTION Specifies the IKE phase 1 negotiation parameters. DESCRIPTION Specifies the IKE phase 1 negotiation parameters.
DERIVED FROM SANegotiationAction DERIVED FROM IKENegotiationAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES RefreshThresholdDerivedKeys PROPERTIES RefreshThresholdDerivedKeys
ExchangeMode ExchangeMode
UseIKEIdentityType UseIKEIdentityType
VendorID VendorID
AggressiveModeGroupId AggressiveModeGroupId
6.13.1. The Property RefreshThresholdDerivedKeys 6.14.1. The Property RefreshThresholdDerivedKeys
The property RefreshThresholdDerivedKeys specifies what percentage The property RefreshThresholdDerivedKeys specifies what percentage
of the derived key limit (see the LifetimeDerivedKeys property of of the derived key limit (see the LifetimeDerivedKeys property of
IKEProposal) can expire before IKE should attempt to renegotiate the IKEProposal) can expire before IKE should attempt to renegotiate the
IKE phase 1 security association. A random value may be added to IKE phase 1 security association. A random value may be added to
the calculated threshold (percentage x derived key limit) to reduce the calculated threshold (percentage x derived key limit) to reduce
the chance of both peers attempting to renegotiate at the same time. the chance of both peers attempting to renegotiate at the same time.
The property is defined as follows: The property is defined as follows:
NAME RefreshThresholdKilobytes NAME RefreshThresholdKilobytes
DESCRIPTION Specifies the percentage of derived key limit that has DESCRIPTION Specifies the percentage of derived key limit that has
expired before the IKE phase 1 security association is expired before the IKE phase 1 security association is
renegotiated. renegotiated.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IKE phase 1 security value of 100 indicates that the IKE phase 1 security
association should not be renegotiated until the association should not be renegotiated until the
derived key limit has been reached. derived key limit has been reached.
6.13.2. The Property ExchangeMode 6.14.2. The Property ExchangeMode
The property ExchangeMode specifies which IKE mode should be used The property ExchangeMode specifies which IKE mode should be used
for IKE phase 1 negotiations. The property is defined as follows: for IKE phase 1 negotiations. The property is defined as follows:
NAME ExchangeMode NAME ExchangeMode
DESCRIPTION Specifies the IKE negotiation mode for phase 1. DESCRIPTION Specifies the IKE negotiation mode for phase 1.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - base mode VALUE 1 - base mode
2 - main mode 2 - main mode
4 - aggressive mode 4 - aggressive mode
6.13.3. The Property UseIKEIdentityType 6.14.3. The Property UseIKEIdentityType
The property UseIKEIdentityType specifies what IKE identity type The property UseIKEIdentityType specifies what IKE identity type
should be used when negotiating with the peer. This information is should be used when negotiating with the peer. This information is
used in conjunction with the IKE identities available on the system used in conjunction with the IKE identities available on the system
and the IdentityContexts of the matching IKERule. The property is and the IdentityContexts of the matching IKERule. The property is
defined as follows: defined as follows:
NAME UseIKEIdentityType NAME UseIKEIdentityType
DESCRIPTION Specifies the IKE identity to use during negotiation. DESCRIPTION Specifies the IKE identity to use during negotiation.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
skipping to change at page 42, line 42 skipping to change at page 43, line 12
3 - User FQDN 3 - User FQDN
4 - IPv4 Subnet 4 - IPv4 Subnet
5 - IPv6 Address 5 - IPv6 Address
6 - IPv6 Subnet 6 - IPv6 Subnet
7 - IPv4 Address Range 7 - IPv4 Address Range
8 - IPv6 Address Range 8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name 9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName 10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID 11 - Key ID
6.13.4. The Property VendorID 6.14.4. The Property VendorID
The property VendorID specifies the value to be used in the Vendor The property VendorID specifies the value to be used in the Vendor
ID payload. The property is defined as follows: ID payload. The property is defined as follows:
NAME VendorID NAME VendorID
DESCRIPTION Vendor ID Payload. DESCRIPTION Vendor ID Payload.
SYNTAX string SYNTAX string
VALUE A value of NULL means that Vendor ID payload will be VALUE A value of NULL means that Vendor ID payload will be
neither generated nor accepted. A non-NULL value means neither generated nor accepted. A non-NULL value means
that a Vendor ID payload will be generated (when acting that a Vendor ID payload will be generated (when acting
as an initiator) or is expected (when acting as a as an initiator) or is expected (when acting as a
responder). responder).
6.13.5. The Property AggressiveModeGroupId 6.14.5. The Property AggressiveModeGroupId
The property AggressiveModeGroupId specifies which group ID is to be The property AggressiveModeGroupId specifies which group ID is to be
used in the first packets of the phase 1 negotiation. This property used in the first packets of the phase 1 negotiation. This property
is ignored unless the property ExchangeMode is set to 4 (aggressive is ignored unless the property ExchangeMode is set to 4 (aggressive
mode). If the AggressiveModeGroupID number is from the vendor- mode). If the AggressiveModeGroupID number is from the vendor-
specific range (32768-65535), the property VendorID qualifies the specific range (32768-65535), the property VendorID qualifies the
group number. The property is defined as follows: group number. The property is defined as follows:
NAME AggressiveModeGroupId NAME AggressiveModeGroupId
DESCRIPTION Specifies the group ID to be used for aggressive mode. DESCRIPTION Specifies the group ID to be used for aggressive mode.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
6.14. The Class PeerGateway 6.15. The Class PeerGateway
The class PeerGateway specifies the security gateway with which the The class PeerGateway specifies the security gateway with which the
IKE services negotiates. The class definition for PeerGateway is as IKE services negotiates. The class definition for PeerGateway is as
follows: follows:
NAME PeerGateway NAME PeerGateway
DESCRIPTION Specifies the security gateway with which to negotiate. DESCRIPTION Specifies the security gateway with which to negotiate.
DERIVED FROM LogicalElement (see Appendix A) DERIVED FROM LogicalElement (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name PROPERTIES Name
PeerIdentityType PeerIdentityType
PeerIdentity PeerIdentity
6.14.1. The Property Name 6.15.1. The Property Name
The property Name specifies a user-friendly name for this security The property Name specifies a user-friendly name for this security
gateway. The property is defined as follows: gateway. The property is defined as follows:
NAME Name NAME Name
DESCRIPTION Specifies a user-friendly name for this security DESCRIPTION Specifies a user-friendly name for this security
gateway. gateway.
SYNTAX string SYNTAX string
6.14.2. The Property PeerIdentityType 6.15.2. The Property PeerIdentityType
The property PeerIdentityType specifies the IKE identity type of the The property PeerIdentityType specifies the IKE identity type of the
security gateway. The property is defined as follows: security gateway. The property is defined as follows:
NAME PeerIdentityType NAME PeerIdentityType
DESCRIPTION Specifies the IKE identity type of the security DESCRIPTION Specifies the IKE identity type of the security
gateway. gateway.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address VALUE 1 - IPv4 Address
2 - FQDN 2 - FQDN
3 - User FQDN 3 - User FQDN
4 - IPv4 Subnet 4 - IPv4 Subnet
5 - IPv6 Address 5 - IPv6 Address
6 - IPv6 Subnet 6 - IPv6 Subnet
7 - IPv4 Address Range 7 - IPv4 Address Range
8 - IPv6 Address Range 8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name 9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName 10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID 11 - Key ID
6.14.3. The Property PeerIdentity 6.15.3. The Property PeerIdentity
The property PeerIdentity specifies the IKE identity value of the The property PeerIdentity specifies the IKE identity value of the
security gateway. A conversion may be needed between the security gateway. A conversion may be needed between the
PeerIdentity string representation and the real value used in the ID PeerIdentity string representation and the real value used in the ID
payload (e.g. IP address is to be converted from a dotted decimal payload (e.g. IP address is to be converted from a dotted decimal
string into 4 bytes). The property is defined as follows: string into 4 bytes). The property is defined as follows:
NAME PeerIdentity NAME PeerIdentity
DESCRIPTION Specifies the IKE identity value of the security DESCRIPTION Specifies the IKE identity value of the security
gateway. gateway.
SYNTAX string SYNTAX string
6.15. The Association Class PeerGatewayForTunnel 6.16. The Association Class PeerGatewayForTunnel
The class PeerGatewayForTunnel associates IPsecTunnelActions with an The class PeerGatewayForTunnel associates IPsecTunnelActions with an
ordered list of PeerGateways. The class definition for ordered list of PeerGateways. The class definition for
PeerGatewayForTunnel is as follows: PeerGatewayForTunnel is as follows:
NAME PeerGatewayForTunnel NAME PeerGatewayForTunnel
DESCRIPTION Associates IPsecTunnelActions with an ordered list of DESCRIPTION Associates IPsecTunnelActions with an ordered list of
PeerGateways. PeerGateways.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerGateway[0..n]] PROPERTIES Antecedent [ref PeerGateway[0..n]]
Dependent [ref IPsecTunnelAction[0..n]] Dependent [ref IPsecTunnelAction[0..n]]
SequenceNumber SequenceNumber
6.15.1. The Reference Antecedent 6.16.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n] overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that there an IPsecTunnelAction instance may cardinality indicates that there an IPsecTunnelAction instance may
be associated with zero or more PeerGateway instances. be associated with zero or more PeerGateway instances.
Note: the cardinality 0 has a specific meaning: Note: the cardinality 0 has a specific meaning:
- when the IKE service acts as a responder, this means that the - when the IKE service acts as a responder, this means that
IKE service will accept phase 1 negotiation with any other the IKE service will accept phase 1 negotiation with any
security gateway; other security gateway;
- when the IKE service acts as an initiator, this means that - when the IKE service acts as an initiator, this means that
the IKE service will use the destination IP address (of the the IKE service will use the destination IP address (of
IP packets which triggered the SARule) as the IP address of the IP packets which triggered the SARule) as the IP
the peer IKE entity. address of the peer IKE entity.
6.16.2. The Reference Dependent
6.15.2. The Reference Dependent
The property Dependent is inherited from Dependency and is The property Dependent is inherited from Dependency and is
overridden to refer to an IPsecTunnelAction instance. The [0..n] overridden to refer to an IPsecTunnelAction instance. The [0..n]
cardinality indicates that a PeerGateway instance may be associated cardinality indicates that a PeerGateway instance may be associated
with zero or more IPsecTunnelAction instances. with zero or more IPsecTunnelAction instances.
6.15.3. The Property SequenceNumber 6.16.3. The Property SequenceNumber
The property SequenceNumber specifies the ordering to be used when The property SequenceNumber specifies the ordering to be used when
evaluating PeerGateway instances for a given IPsecTunnelAction. . evaluating PeerGateway instances for a given IPsecTunnelAction. .
The property is defined as follows: The property is defined as follows:
NAME SequenceNumber NAME SequenceNumber
DESCRIPTION Specifies the order of evaluation for PeerGateways. DESCRIPTION Specifies the order of evaluation for PeerGateways.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Lower values are evaluated first. VALUE Lower values are evaluated first.
6.16. The Aggregation Class ContainedProposal 6.17. The Aggregation Class ContainedProposal
The class ContainedProposal associates an ordered list of The class ContainedProposal associates an ordered list of
SAProposals with the SANegotiationAction that aggregates it. If the SAProposals with the IKENegotiationAction that aggregates it. If
referenced SANegotiationAction object is an IKEAction, then the the referenced IKENegotiationAction object is an IKEAction, then the
referenced SAProposal object(s) must be IKEProposal(s). If the referenced SAProposal object(s) must be IKEProposal(s). If the
referenced SANegotiationAction object is an IPsecTransportAction or referenced IKENegotiationAction object is an IPsecTransportAction or
an IPsecTunnelAction, then the referenced SAProposal object(s) must an IPsecTunnelAction, then the referenced SAProposal object(s) must
be IPsecProposal(s). The class definition for ContainedProposal is be IPsecProposal(s). The class definition for ContainedProposal is
as follows: as follows:
NAME ContainedProposal NAME ContainedProposal
DESCRIPTION Associates an ordered list of SAProposals with an DESCRIPTION Associates an ordered list of SAProposals with an
SANegotiationAction. IKENegotiationAction.
DERIVED FROM PolicyComponent (see [PCIM]) DERIVED FROM PolicyComponent (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent[ref SANegotiationAction[0..n]] PROPERTIES GroupComponent[ref IKENegotiationAction[0..n]]
PartComponent[ref SAProposal[1..n]] PartComponent[ref SAProposal[1..n]]
SequenceNumber SequenceNumber
6.16.1. The Reference GroupComponent 6.17.1. The Reference GroupComponent
- The property GroupComponent is inherited from PolicyComponent - The property GroupComponent is inherited from
and is overridden to refer to an SANegotiationAction PolicyComponent and is overridden to refer to an
instance. The [0..n] cardinality indicates that an IKENegotiationAction instance. The [0..n] cardinality
SAProposal instance may be associated with zero or more indicates that an SAProposal instance may be associated with
SANegotiationAction instances. zero or more IKENegotiationAction instances.
6.16.2. The Reference PartComponent 6.17.2. The Reference PartComponent
The property PartComponent is inherited from PolicyComponent and is The property PartComponent is inherited from PolicyComponent and is
overridden to refer to an SAProposal instance. The [1..n] overridden to refer to an SAProposal instance. The [1..n]
cardinality indicates that an SANegotiationAction instance MUST be cardinality indicates that an IKENegotiationAction instance MUST be
associated with at least one SAProposal instance. associated with at least one SAProposal instance.
6.16.3. The Property SequenceNumber 6.17.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for The property SequenceNumber specifies the order of preference for
the SAProposals. The property is defined as follows: the SAProposals. The property is defined as follows:
NAME SequenceNumber NAME SequenceNumber
DESCRIPTION Specifies the preference order for the SAProposals. DESCRIPTION Specifies the preference order for the SAProposals.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Lower-valued proposals are preferred over proposals VALUE Lower-valued proposals are preferred over proposals
with higher values. For ContainedProposals that with higher values. For ContainedProposals that
reference the same SANegotiationAction, SequenceNumber reference the same IKENegotiationAction, SequenceNumber
values must be unique. values must be unique.
6.17. The Association Class HostedPeerGatewayInformation 6.18. The Association Class HostedPeerGatewayInformation
The class HostedPeerGatewayInformation weakly associates a The class HostedPeerGatewayInformation weakly associates a
PeerGateway with a System. The class definition for PeerGateway with a System. The class definition for
HostedPeerGatewayInformation is as follows: HostedPeerGatewayInformation is as follows:
NAME HostedPeerGatewayInformation NAME HostedPeerGatewayInformation
DESCRIPTION Weakly associates a PeerGateway with a System. DESCRIPTION Weakly associates a PeerGateway with a System.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref System[1..1]] PROPERTIES Antecedent [ref System[1..1]]
Dependent [ref PeerGateway[0..n] [weak]] Dependent [ref PeerGateway[0..n] [weak]]
6.17.1. The Reference Antecedent 6.18.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerGateway instance MUST be associated with one indicates that a PeerGateway instance MUST be associated with one
and only one System instance. and only one System instance.
6.17.2. The Reference Dependent 6.18.2. The Reference Dependent
The property Dependent is inherited from Dependency and is The property Dependent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n] overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that a System instance may be associated with cardinality indicates that a System instance may be associated with
zero or more PeerGateway instances. zero or more PeerGateway instances.
6.18. The Association Class TransformOfPreconfiguredAction 6.19. The Association Class TransformOfPreconfiguredAction
The class TransformOfPreconfiguredAction associates a The class TransformOfPreconfiguredAction associates a
PreconfiguredSAAction with from two to six SATransforms that will be PreconfiguredSAAction with from two to six SATransforms that will be
applied to the inbound and outbound traffic. The order of applied to the inbound and outbound traffic. The order of
application of the SATransforms is implicitly defined in [IPSEC]. application of the SATransforms is implicitly defined in [IPSEC].
The class definition for TransformOfPreconfiguredAction is as The class definition for TransformOfPreconfiguredAction is as
follows: follows:
NAME TransformOfPreconfiguredAction NAME TransformOfPreconfiguredAction
DESCRIPTION Associates a PreconfiguredSAAction with from one to DESCRIPTION Associates a PreconfiguredSAAction with from one to
three SATransforms. three SATransforms.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref SATransform[2..6]] PROPERTIES Antecedent[ref SATransform[2..6]]
Dependent[ref PreconfiguredSAAction[0..n]] Dependent[ref PreconfiguredSAAction[0..n]]
SPI SPI
Direction Direction
6.18.1. The Reference Antecedent 6.19.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to an SATransform instance. The [2..6] overridden to refer to an SATransform instance. The [2..6]
cardinality indicates that an SANegotiationAction instance may be cardinality indicates that an PreconfiguredSAAction instance may be
associated with from two to six SATransform instances. associated with from two to six SATransform instances.
6.18.2. The Reference Dependent 6.19.2. The Reference Dependent
The property Dependent is inherited from Dependency and is The property Dependent is inherited from Dependency and is
overridden to refer to a PreconfiguredSAAction instance. The [0..n] overridden to refer to a PreconfiguredSAAction instance. The [0..n]
cardinality indicates that an SATransform instance may be associated cardinality indicates that an SATransform instance may be associated
with zero or more PreconfiguredSAAction instances. with zero or more PreconfiguredSAAction instances.
6.18.3. The Property SPI 6.19.3. The Property SPI
The property SPI specifies the SPI to be used by the pre-configured The property SPI specifies the SPI to be used by the pre-configured
action for the associated transform. The property is defined as action for the associated transform. The property is defined as
follows: follows:
NAME SPI NAME SPI
DESCRIPTION Specifies the SPI to be used with the SATransform. DESCRIPTION Specifies the SPI to be used with the SATransform.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
6.18.4. The Property Direction 6.19.4. The Property Direction
The property Direction specifies whether the SPI property is for The property Direction specifies whether the SPI property is for
inbound or for outbound traffic. The property is defined as follows: inbound or for outbound traffic. The property is defined as follows:
NAME Direction NAME Direction
DESCRIPTION Specifies whether the SA is for inbound or outbound DESCRIPTION Specifies whether the SA is for inbound or outbound
traffic. traffic.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 8-bit integer
VALUE 1 this SA is for inbound traffic VALUE 1 - this SA is for inbound traffic
2 this SA is for outbound traffic 2 - this SA is for outbound traffic
6.19 The Association Class PeerGatewayForPreconfiguredTunnel 6.20 The Association Class PeerGatewayForPreconfiguredTunnel
The class PeerGatewayForPreconfiguredTunnel associates one or one The class PeerGatewayForPreconfiguredTunnel associates one or one
PeerGateway with multiple PreconfiguredTunnelActions. The class PeerGateway with multiple PreconfiguredTunnelActions. The class
definition for PeerGatewayForPreconfiguredTunnel is as follows: definition for PeerGatewayForPreconfiguredTunnel is as follows:
NAME PeerGatewayForPreconfiguredTunnel NAME PeerGatewayForPreconfiguredTunnel
DESCRIPTION Associates a PeerGateway with multiple DESCRIPTION Associates a PeerGateway with multiple
PreconfiguredTunnelAction. PreconfiguredTunnelAction.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref PeerGateway[0..1]] PROPERTIES Antecedent[ref PeerGateway[0..1]]
Dependent[ref PreconfiguredTunnelAction[0..n]] Dependent[ref PreconfiguredTunnelAction[0..n]]
6.19.1. The Reference Antecedent 6.20.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to an PeerGateway instance. The [0..1] overridden to refer to an PeerGateway instance. The [0..1]
cardinality indicates that an PreconfiguredTunnelAction instance may cardinality indicates that an PreconfiguredTunnelAction instance may
be associated with one PeerGteway instance. be associated with one PeerGteway instance.
6.19.2. The Reference Dependent 6.20.2. The Reference Dependent
The property Dependent is inherited from Dependency and is The property Dependent is inherited from Dependency and is
overridden to refer to a PreconfiguredTunnelAction instance. The overridden to refer to a PreconfiguredTunnelAction instance. The
[0..n] cardinality indicates that an PeerGateway instance may be [0..n] cardinality indicates that an PeerGateway instance may be
associated with zero or more PreconfiguredSAAction instances. associated with zero or more PreconfiguredSAAction instances.
7. Proposal and Transform Classes 7. Proposal and Transform Classes
The proposal and transform classes model the proposal settings an The proposal and transform classes model the proposal settings an
IPsec device will use during IKE phase 1 and 2 negotiations. IPsec device will use during IKE phase 1 and 2 negotiations.
+--------------+*w 1+--------------+ +--------------+*w 1+--------------+
| [SAProposal] |--------| System | | [SAProposal] |--------| System |
+--------------+ (a) | (Appendix A) | +--------------+ (a) | ([CIMCORE]) |
^ +--------------+ ^ +--------------+
| |1 | |1
+----------------------+ | +----------------------+ |
| | | | | |
+-------------+ +---------------+ | +-------------+ +---------------+ |
| IKEProposal | | IPsecProposal | | | IKEProposal | | IPsecProposal | |
+-------------+ +---------------+ | +-------------+ +---------------+ |
*o | *o |
|(b) |(c) |(b) |(c)
n| | n| |
skipping to change at page 51, line 44 skipping to change at page 51, line 44
The property GroupId specifies the proposed phase 1 security The property GroupId specifies the proposed phase 1 security
association key exchange group. This property is ignored for all association key exchange group. This property is ignored for all
aggressive mode exchanges. If the GroupID number is from the aggressive mode exchanges. If the GroupID number is from the
vendor-specific range (32768-65535), the property VendorID qualifies vendor-specific range (32768-65535), the property VendorID qualifies
the group number. The property is defined as follows: the group number. The property is defined as follows:
NAME GroupId NAME GroupId
DESCRIPTION Specifies the proposed key exchange group for the phase DESCRIPTION Specifies the proposed key exchange group for the phase
1 security association. 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 0 Not applicable: used for aggressive mode. Consult VALUE 0 - Not applicable: used for aggressive mode. Consult
[IKE] for other valid values. [IKE] for other valid values.
7.2.6. The Property AuthenticationMethod 7.2.6. The Property AuthenticationMethod
The property AuthenticationMethod specifies the proposed phase 1 The property AuthenticationMethod specifies the proposed phase 1
authentication method. The property is defined as follows: authentication method. The property is defined as follows:
NAME AuthenticationMethod NAME AuthenticationMethod
DESCRIPTION Specifies the proposed authentication method for the DESCRIPTION Specifies the proposed authentication method for the
phase 1 security association. phase 1 security association.
skipping to change at page 57, line 30 skipping to change at page 57, line 30
7.7.1. The Property Algorithm 7.7.1. The Property Algorithm
The property Algorithm specifies the transform ID of the IPCOMP The property Algorithm specifies the transform ID of the IPCOMP
compression algorithm to propose. The property is defined as compression algorithm to propose. The property is defined as
follows: follows:
NAME Algorithm NAME Algorithm
DESCRIPTION Specifies the transform ID of the IPCOMP compression DESCRIPTION Specifies the transform ID of the IPCOMP compression
algorithm. algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 OUI: a vendor specific algorithm is used and VALUE 1 - OUI: a vendor specific algorithm is used and
specified in the property PrivateAlgorithm. Consult specified in the property PrivateAlgorithm. Consult
[DOI] for other valid values. [DOI] for other valid values.
7.7.2. The Property DictionarySize 7.7.2. The Property DictionarySize
The property DictionarySize specifies the log2 maximum size of the The property DictionarySize specifies the log2 maximum size of the
dictionary for the compression algorithm. For compression dictionary for the compression algorithm. For compression
algorithms that have pre-defined dictionary sizes, this value is algorithms that have pre-defined dictionary sizes, this value is
ignored. The property is defined as follows: ignored. The property is defined as follows:
skipping to change at page 61, line 9 skipping to change at page 61, line 9
The property Dependent is inherited from PolicyInSystem and is The property Dependent is inherited from PolicyInSystem and is
overridden to refer to an SATransform instance. The [0..n] overridden to refer to an SATransform instance. The [0..n]
cardinality indicates that a System instance may be associated with cardinality indicates that a System instance may be associated with
zero or more SATransform instances. zero or more SATransform instances.
8. IKE Service and Identity Classes 8. IKE Service and Identity Classes
+--------------+ +-------------------+ +--------------+ +-------------------+
| System | | PeerIdentityEntry | | System | | PeerIdentityEntry |
| (Appendix A) | +-------------------+ | ([CIMCORE]) | +-------------------+
+--------------+ |*w +--------------+ |*w
1| (a) (b) | 1| (a) (b) |
+---+ +------------+ +---+ +------------+
| | | |
|*w 1 o |*w 1 o
+-------------+ +-------------------+ +---------------------+ +-------------+ +-------------------+ +---------------------+
| PeerGateway | | PeerIdentityTable | | AutostartIKESetting | | PeerGateway | | PeerIdentityTable | | AutostartIKESetting |
+-------------+ +-------------------+ +---------------------+ +-------------+ +-------------------+ +---------------------+
*| *| *| *| *| *| *| *|
+----------------------+ |(d) +----------+ | +----------------------+ |(d) +----------+ |
(c) *| *| *| (e) | (c) *| *| *| (e) |
*+------------+* |(f) *+------------+* |(f)
+-----------------| IKEService |-----+ | +-----------------| IKEService |-----+ |
| (g) +------------+ |(h) | | (g) +------------+ |(h) |
0..1| *| *| *o 0..1| *| *| *o
+--------------------+ | +---------------------------+ +--------------------+ | +---------------------------+
| IPProtocolEndpoint | | | AutostartIKEConfiguration | | IPProtocolEndpoint | | | AutostartIKEConfiguration |
| (Appendix C) | (i)| +---------------------------+ | ([CIMNETWORK]) | (i)| +---------------------------+
+--------------------+ | +--------------------+ |
0..1| | 0..1| |
|(j) +----------------+ |(j) +----------------+
*| |* *| |*
+-------------+* (k) +------------+ +-----------------------------+ +-------------+* (k) +------------+ +-----------------------------+
| IKEIdentity |-------| Collection | | CredentialManagementService | | IKEIdentity |-------| Collection | | CredentialManagementService |
+-------------+ 0..1|(Appendix A)| | (Appendix B) | +-------------+ 0..1| ([CIMCORE])| | ([CIMUSER]) |
*| +------------+ +-----------------------------+ *| +------------+ +-----------------------------+
|(l) |(l)
*| *|
+--------------+ +--------------+
| Credential | | Credential |
| (Appendix B) | | ([CIMUSER]) |
+--------------+ +--------------+
(a) HostedPeerIdentityTable (a) HostedPeerIdentityTable
(b) PeerIdentityMember (b) PeerIdentityMember
(c) IKEServicePeerGateway (c) IKEServicePeerGateway
(d) IKEServicePeerIdentityTable (d) IKEServicePeerIdentityTable
(e) IKEAutostartSetting (e) IKEAutostartSetting
(f) AutostartIKESettingContext (f) AutostartIKESettingContext
(g) IKEServiceForEndpoint (g) IKEServiceForEndpoint
(h) IKEAutostartConfiguration (h) IKEAutostartConfiguration
skipping to change at page 62, line 33 skipping to change at page 62, line 33
The class IKEService represents the IKE negotiation function. An The class IKEService represents the IKE negotiation function. An
instance of this service may provide that negotiation service for instance of this service may provide that negotiation service for
one or more interfaces (represented by the IPProtocolEndpoint class) one or more interfaces (represented by the IPProtocolEndpoint class)
of a System. There may be multiple instances of IKE services on a of a System. There may be multiple instances of IKE services on a
System but only one per interface. The class definition for System but only one per interface. The class definition for
IKEService is as follows: IKEService is as follows:
NAME IKEService NAME IKEService
DESCRIPTION IKEService is used to represent the IKE negotiation DESCRIPTION IKEService is used to represent the IKE negotiation
function. function.
DERIVED FROM NetworkService (see Appendix C) DERIVED FROM Service (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
8.2. The Class PeerIdentityTable 8.2. The Class PeerIdentityTable
The class PeerIdentityTable aggregates the table entries that The class PeerIdentityTable aggregates the table entries that
provide mappings between identities and their addresses. The class provide mappings between identities and their addresses. The class
definition for PeerIdentityTable is as follows: definition for PeerIdentityTable is as follows:
NAME PeerIdentityTable NAME PeerIdentityTable
DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry
instances to provide a table of identity-address instances to provide a table of identity-address
mappings. mappings.
DERIVED FROM Collection (see Appendix A) DERIVED FROM Collection (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name PROPERTIES Name
8.3.1. The Property Name 8.3.1. The Property Name
The property Name uniquely identifies the table. The property is The property Name uniquely identifies the table. The property is
defined as follows: defined as follows:
NAME Name NAME Name
DESCRIPTION Name uniquely identifies the table. DESCRIPTION Name uniquely identifies the table.
skipping to change at page 63, line 16 skipping to change at page 63, line 16
8.3. The Class PeerIdentityEntry 8.3. The Class PeerIdentityEntry
The class PeerIdentityEntry specifies the mapping between peer The class PeerIdentityEntry specifies the mapping between peer
identity and their address. The class definition for identity and their address. The class definition for
PeerIdentityEntry is as follows: PeerIdentityEntry is as follows:
NAME PeerIdentityEntry NAME PeerIdentityEntry
DESCRIPTION PeerIdentityEntry provides a mapping between a peer's DESCRIPTION PeerIdentityEntry provides a mapping between a peer's
identity and address. identity and address.
DERIVED FROM LogicalElement (see Appendix A) DERIVED FROM LogicalElement (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PeerIdentity PROPERTIES PeerIdentity
PeerIdentityType PeerIdentityType
PeerAddress PeerAddress
PeerAddressType PeerAddressType
8.3.1. The Property PeerIdentity 8.3.1. The Property PeerIdentity
The property PeerIdentity contains a string encoding of the Identity The property PeerIdentity contains a string encoding of the Identity
payload for the IKE peer. The property is defined as follows: payload for the IKE peer. The property is defined as follows:
skipping to change at page 64, line 25 skipping to change at page 64, line 25
The class AutostartIKEConfiguration groups AutostartIKESetting The class AutostartIKEConfiguration groups AutostartIKESetting
instances into configuration sets. When applied, the settings cause instances into configuration sets. When applied, the settings cause
an IKE service to automatically start (negotiate or statically set an IKE service to automatically start (negotiate or statically set
as appropriate) the Security Associations. The class definition for as appropriate) the Security Associations. The class definition for
AutostartIKEConfiguration is as follows: AutostartIKEConfiguration is as follows:
NAME AutostartIKEConfiguration NAME AutostartIKEConfiguration
DESCRIPTION A configuration set of AutostartIKESetting instances to DESCRIPTION A configuration set of AutostartIKESetting instances to
be automatically started by the IKE service. be automatically started by the IKE service.
DERIVED FROM SystemConfiguration (see Appendix A) DERIVED FROM SystemConfiguration (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
8.5. The Class AutostartIKESetting 8.5. The Class AutostartIKESetting
The class AutostartIKESetting is used to automatically initiate IKE The class AutostartIKESetting is used to automatically initiate IKE
negotiations with peers (or statically create an SA) as specified in negotiations with peers (or statically create an SA) as specified in
the AutostartIKESetting properties. Appropriate actions are the AutostartIKESetting properties. Appropriate actions are
initiated according to the policy that matches the setting initiated according to the policy that matches the setting
parameters. The class definition for AutostartIKESetting is as parameters. The class definition for AutostartIKESetting is as
follows: follows:
NAME AutostartIKESetting NAME AutostartIKESetting
DESCRIPTION AutostartIKESetting is used to automatically initiate DESCRIPTION AutostartIKESetting is used to automatically initiate
IKE negotiations with peers or statically create an SA. IKE negotiations with peers or statically create an SA.
DERIVED FROM SystemSetting (see Appendix A) DERIVED FROM SystemSetting (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Phase1Only PROPERTIES Phase1Only
AddressType AddressType
SourceAddress SourceAddress
SourcePort SourcePort
DestinationAddress DestinationAddress
DestinationPort DestinationPort
Protocol Protocol
8.5.1. The Property Phase1Only 8.5.1. The Property Phase1Only
skipping to change at page 66, line 54 skipping to change at page 66, line 54
appropriate identity for a negotiation. The ElementID property value appropriate identity for a negotiation. The ElementID property value
(defined in the parent class, UsersAccess) should be that of either (defined in the parent class, UsersAccess) should be that of either
the IPProtocolEndpoint or Collection of endpoints as appropriate. the IPProtocolEndpoint or Collection of endpoints as appropriate.
The class definition for IKEIdentity is as follows: The class definition for IKEIdentity is as follows:
NAME IKEIdentity NAME IKEIdentity
DESCRIPTION IKEIdentity is used to represent the identities that DESCRIPTION IKEIdentity is used to represent the identities that
may be used for an IPProtocolEndpoint (or collection of may be used for an IPProtocolEndpoint (or collection of
IPProtocolEndpoints) to identify the IKE Service in IKE IPProtocolEndpoints) to identify the IKE Service in IKE
phase 1 negotiations. phase 1 negotiations.
DERIVED FROM UsersAccess (see Appendix B) DERIVED FROM UsersAccess (see [CIMUSER])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES IdentityType PROPERTIES IdentityType
IdentityValue IdentityValue
IdentityContexts IdentityContexts
8.6.1. The Property IdentityType 8.6.1. The Property IdentityType
The property IdentityType is an enumeration that specifies the type The property IdentityType is an enumeration that specifies the type
of the IdentityValue. The property is defined as follows: of the IdentityValue. The property is defined as follows:
skipping to change at page 67, line 38 skipping to change at page 67, line 38
NAME IdentityValue NAME IdentityValue
DESCRIPTION IdentityValue contains a string encoding of the DESCRIPTION IdentityValue contains a string encoding of the
Identity payload. Identity payload.
SYNTAX string SYNTAX string
8.6.3. The Property IdentityContexts 8.6.3. The Property IdentityContexts
The IdentityContexts property is used to constrain the use of The IdentityContexts property is used to constrain the use of
IKEIdentity instances to match that specified in the IKEIdentity instances to match that specified in the
IKERule.IdentityContexts. The IdentityContexts are formatted as IKERule.IdentityContexts. The IdentityContexts are formatted as
policy roles and role combinations [PCIM]. Each value represents policy roles and role combinations [PCIM] & [PCIMe]. Each value
one context or context combination. Since this is a multi-valued represents one context or context combination. Since this is a
property, more than one context or combination of contexts can be multi-valued property, more than one context or combination of
associated with a single IKEIdentity. Each value is a string of the contexts can be associated with a single IKEIdentity. Each value is
form: <ContextName>[&&<ContextName>]* a string of the form: <ContextName>[&&<ContextName>]*
where the individual context names appear in alphabetical order where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). If one or more (according to the collating sequence for UCS-2). If one or more
values in the IKERule.IdentityContexts array match one or more values in the IKERule.IdentityContexts array match one or more
IKEIdentity.IdentityContexts then the identity's context matches. IKEIdentity.IdentityContexts then the identity's context matches.
(That is, each value of the IdentityContext array is an ORed (That is, each value of the IdentityContext array is an ORed
condition.) In combination with the address of the condition.) In combination with the address of the
IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
1 and only 1 IKEIdentity. The property is defined as follows: 1 and only 1 IKEIdentity. The property is defined as follows:
NAME IdentityContexts NAME IdentityContexts
skipping to change at page 68, line 19 skipping to change at page 68, line 19
8.7. The Association Class HostedPeerIdentityTable 8.7. The Association Class HostedPeerIdentityTable
The class HostedPeerIdentityTable provides the name scoping The class HostedPeerIdentityTable provides the name scoping
relationship for PeerIdentityTable entries in a System. The relationship for PeerIdentityTable entries in a System. The
PeerIdentityTable is weak to the System. The class definition for PeerIdentityTable is weak to the System. The class definition for
HostedPeerIdentityTable is as follows: HostedPeerIdentityTable is as follows:
NAME HostedPeerIdentityTable NAME HostedPeerIdentityTable
DESCRIPTION The PeerIdentityTable instances are weak (name scoped DESCRIPTION The PeerIdentityTable instances are weak (name scoped
by) the owning System. by) the owning System.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref System[1..1]] PROPERTIES Antecedent [ref System[1..1]]
Dependent [ref PeerIdentityTable[0..n] [weak]] Dependent [ref PeerIdentityTable[0..n] [weak]]
8.7.1. The Reference Antecedent 8.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerIdentityTable instance MUST be associated in a indicates that a PeerIdentityTable instance MUST be associated in a
weak relationship with one and only one System instance. weak relationship with one and only one System instance.
skipping to change at page 68, line 47 skipping to change at page 68, line 47
8.8. The Aggregation Class PeerIdentityMember 8.8. The Aggregation Class PeerIdentityMember
The class PeerIdentityMember aggregates PeerIdentityEntry instances The class PeerIdentityMember aggregates PeerIdentityEntry instances
into a PeerIdentityTable. This is a weak aggregation. The class into a PeerIdentityTable. This is a weak aggregation. The class
definition for PeerIdentityMember is as follows: definition for PeerIdentityMember is as follows:
NAME PeerIdentityMember NAME PeerIdentityMember
DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry
instances into a PeerIdentityTable. instances into a PeerIdentityTable.
DERIVED FROM MemberOfCollection (see Appendix A) DERIVED FROM MemberOfCollection (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Collection [ref PeerIdentityTable[1..1]] PROPERTIES Collection [ref PeerIdentityTable[1..1]]
Member [ref PeerIdentityEntry [0..n] [weak]] Member [ref PeerIdentityEntry [0..n] [weak]]
8.8.1. The Reference Collection 8.8.1. The Reference Collection
The property Collection is inherited from MemberOfCollection and is The property Collection is inherited from MemberOfCollection and is
overridden to refer to a PeerIdentityTable instance. The [1..1] overridden to refer to a PeerIdentityTable instance. The [1..1]
cardinality indicates that a PeerIdentityEntry instance MUST be cardinality indicates that a PeerIdentityEntry instance MUST be
associated with one and only one PeerIdentityTable instance (i.e., associated with one and only one PeerIdentityTable instance (i.e.,
skipping to change at page 69, line 26 skipping to change at page 69, line 26
The class IKEServicePeerGateway provides the association between an The class IKEServicePeerGateway provides the association between an
IKEService and the list of PeerGateway instances that it uses in IKEService and the list of PeerGateway instances that it uses in
negotiating with security gateways. The class definition for negotiating with security gateways. The class definition for
IKEServicePeerGateway is as follows: IKEServicePeerGateway is as follows:
NAME IKEServicePeerGateway NAME IKEServicePeerGateway
DESCRIPTION Associates an IKEService and the list of PeerGateway DESCRIPTION Associates an IKEService and the list of PeerGateway
instances that it uses in negotiating with security instances that it uses in negotiating with security
gateways. gateways.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerGateway[0..n]] PROPERTIES Antecedent [ref PeerGateway[0..n]]
Dependent [ref IKEService[0..n]] Dependent [ref IKEService[0..n]]
8.9.1. The Reference Antecedent 8.9.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n] overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that an IKEService instance may be associated cardinality indicates that an IKEService instance may be associated
with zero or more PeerGateway instances. with zero or more PeerGateway instances.
skipping to change at page 69, line 56 skipping to change at page 69, line 56
The class IKEServicePeerIdentityTable provides the relationship The class IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it uses to map between an IKEService and a PeerIdentityTable that it uses to map
between addresses and identities as required. The class definition between addresses and identities as required. The class definition
for IKEServicePeerIdentityTable is as follows: for IKEServicePeerIdentityTable is as follows:
NAME IKEServicePeerIdentityTable NAME IKEServicePeerIdentityTable
DESCRIPTION IKEServicePeerIdentityTable provides the relationship DESCRIPTION IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it between an IKEService and a PeerIdentityTable that it
uses. uses.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerIdentityTable[0..n]] PROPERTIES Antecedent [ref PeerIdentityTable[0..n]]
Dependent [ref IKEService[0..n]] Dependent [ref IKEService[0..n]]
8.10.1. The Reference Antecedent 8.10.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerIdentityTable instance. The [0..n] overridden to refer to a PeerIdentityTable instance. The [0..n]
cardinality indicates that an IKEService instance may be associated cardinality indicates that an IKEService instance may be associated
with zero or more PeerIdentityTable instances. with zero or more PeerIdentityTable instances.
skipping to change at page 70, line 31 skipping to change at page 70, line 31
8.11. The Association Class IKEAutostartSetting 8.11. The Association Class IKEAutostartSetting
The class IKEAutostartSetting associates an AutostartIKESetting with The class IKEAutostartSetting associates an AutostartIKESetting with
an IKEService that may use it to automatically start an IKE an IKEService that may use it to automatically start an IKE
negotiation or create a static SA. The class definition for negotiation or create a static SA. The class definition for
IKEAutostartSetting is as follows: IKEAutostartSetting is as follows:
NAME IKEAutostartSetting NAME IKEAutostartSetting
DESCRIPTION Associates a AutostartIKESetting with an IKEService. DESCRIPTION Associates a AutostartIKESetting with an IKEService.
DERIVED FROM ElementSetting (see Appendix A) DERIVED FROM ElementSetting (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Element [ref IKEService[0..n]] PROPERTIES Element [ref IKEService[0..n]]
Setting [ref AutostartIKESetting[0..n]] Setting [ref AutostartIKESetting[0..n]]
8.11.1. The Reference Element 8.11.1. The Reference Element
The property Element is inherited from ElementSetting and is The property Element is inherited from ElementSetting and is
overridden to refer to an IKEService instance. The [0..n] overridden to refer to an IKEService instance. The [0..n]
cardinality indicates an AutostartIKESetting instance may be cardinality indicates an AutostartIKESetting instance may be
associated with zero or more IKEService instances. associated with zero or more IKEService instances.
skipping to change at page 71, line 8 skipping to change at page 71, line 8
8.12. The Aggregation Class AutostartIKESettingContext 8.12. The Aggregation Class AutostartIKESettingContext
The class AutostartIKESettingContext aggregates the settings used to The class AutostartIKESettingContext aggregates the settings used to
automatically start negotiations or create a static SA into a automatically start negotiations or create a static SA into a
configuration set. The class definition for configuration set. The class definition for
AutostartIKESettingContext is as follows: AutostartIKESettingContext is as follows:
NAME AutostartIKESettingContext NAME AutostartIKESettingContext
DESCRIPTION AutostartIKESettingContext aggregates the DESCRIPTION AutostartIKESettingContext aggregates the
AutostartIKESetting instances into a configuration set. AutostartIKESetting instances into a configuration set.
DERIVED FROM SystemSettingContext (see Appendix A) DERIVED FROM SystemSettingContext (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Context [ref AutostartIKEConfiguration [0..n]] PROPERTIES Context [ref AutostartIKEConfiguration [0..n]]
Setting [ref AutostartIKESetting [0..n]] Setting [ref AutostartIKESetting [0..n]]
SequenceNumber SequenceNumber
8.12.1. The Reference Context 8.12.1. The Reference Context
The property Context is inherited from SystemSettingContext and is The property Context is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKEConfiguration instance. The overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an AutostartIKESetting instance [0..n] cardinality indicates that an AutostartIKESetting instance
skipping to change at page 71, line 55 skipping to change at page 71, line 55
8.13. The Association Class IKEServiceForEndpoint 8.13. The Association Class IKEServiceForEndpoint
The class IKEServiceForEndpoint provides the association showing The class IKEServiceForEndpoint provides the association showing
which IKE service, if any, provides IKE negotiation services for which IKE service, if any, provides IKE negotiation services for
which network interfaces. The class definition for which network interfaces. The class definition for
IKEServiceForEndpoint is as follows: IKEServiceForEndpoint is as follows:
NAME IKEServiceForEndpoint NAME IKEServiceForEndpoint
DESCRIPTION Associates an IPProtocolEndpoint with an IKEService DESCRIPTION Associates an IPProtocolEndpoint with an IKEService
that provides negotiation services for the endpoint. that provides negotiation services for the endpoint.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref IKEService[0..1]] PROPERTIES Antecedent [ref IKEService[0..1]]
Dependent [ref IPProtocolEndpoint[0..n]] Dependent [ref IPProtocolEndpoint[0..n]]
8.13.1. The Reference Antecedent 8.13.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..1] overridden to refer to an IKEService instance. The [0..1]
cardinality indicates that an IPProtocolEndpoint instance MUST by cardinality indicates that an IPProtocolEndpoint instance MUST by
associated with at most one IKEService instance. associated with at most one IKEService instance.
skipping to change at page 72, line 33 skipping to change at page 72, line 33
The class IKEAutostartConfiguration provides the relationship The class IKEAutostartConfiguration provides the relationship
between an IKEService and a configuration set that it uses to between an IKEService and a configuration set that it uses to
automatically start a set of SAs. The class definition for automatically start a set of SAs. The class definition for
IKEAutostartConfiguration is as follows: IKEAutostartConfiguration is as follows:
NAME IKEAutostartConfiguration NAME IKEAutostartConfiguration
DESCRIPTION IKEAutostartConfiguration provides the relationship DESCRIPTION IKEAutostartConfiguration provides the relationship
between an IKEService and an AutostartIKEConfiguration between an IKEService and an AutostartIKEConfiguration
that it uses to automatically start a set of SAs. that it uses to automatically start a set of SAs.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]] PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]]
Dependent [ref IKEService [0..n]] Dependent [ref IKEService [0..n]]
Active Active
8.14.1. The Reference Antecedent 8.14.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to an AutostartIKEConfiguration instance. The overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an IKEService instance may be [0..n] cardinality indicates that an IKEService instance may be
skipping to change at page 73, line 28 skipping to change at page 73, line 28
The class IKEUsesCredentialManagementService defines the set of The class IKEUsesCredentialManagementService defines the set of
CredentialManagementService(s) that are trusted sources of CredentialManagementService(s) that are trusted sources of
credentials for IKE phase 1 negotiations. The class definition for credentials for IKE phase 1 negotiations. The class definition for
IKEUsesCredentialManagementService is as follows: IKEUsesCredentialManagementService is as follows:
NAME IKEUsesCredentialManagementService NAME IKEUsesCredentialManagementService
DESCRIPTION Associates the set of CredentialManagementService(s) DESCRIPTION Associates the set of CredentialManagementService(s)
that are trusted by the IKEService as sources of that are trusted by the IKEService as sources of
credentials used in IKE phase 1 negotiations. credentials used in IKE phase 1 negotiations.
DERIVED FROM Dependency (see Appendix A) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref CredentialManagementService [0..n]] PROPERTIES Antecedent [ref CredentialManagementService [0..n]]
Dependent [ref IKEService [0..n]] Dependent [ref IKEService [0..n]]
8.15.1. The Reference Antecedent 8.15.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an IKEService instance may be [0..n] cardinality indicates that an IKEService instance may be
associated with zero or more CredentialManagementService instances. associated with zero or more CredentialManagementService instances.
skipping to change at page 74, line 8 skipping to change at page 74, line 8
IPProtocolEndpoint with a set of IKEIdentity instances that may be IPProtocolEndpoint with a set of IKEIdentity instances that may be
used in negotiating security associations on the endpoint. An used in negotiating security associations on the endpoint. An
IKEIdentity MUST be associated with either an IPProtocolEndpoint IKEIdentity MUST be associated with either an IPProtocolEndpoint
using this association or with a collection of IKEIdentity instances using this association or with a collection of IKEIdentity instances
using the CollectionHasLocalIKEIdentity association. The class using the CollectionHasLocalIKEIdentity association. The class
definition for EndpointHasLocalIKEIdentity is as follows: definition for EndpointHasLocalIKEIdentity is as follows:
NAME EndpointHasLocalIKEIdentity NAME EndpointHasLocalIKEIdentity
DESCRIPTION EndpointHasLocalIKEIdentity associates an DESCRIPTION EndpointHasLocalIKEIdentity associates an
IPProtocolEndpoint with a set of IKEIdentity instances. IPProtocolEndpoint with a set of IKEIdentity instances.
DERIVED FROM ElementAsUser (see Appendix B) DERIVED FROM ElementAsUser (see [CIMUSER])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]] PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]]
Dependent [ref IKEIdentity [0..n]] Dependent [ref IKEIdentity [0..n]]
8.16.1. The Reference Antecedent 8.16.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is The property Antecedent is inherited from ElementAsUser and is
overridden to refer to an IPProtocolEndpoint instance. The [0..1] overridden to refer to an IPProtocolEndpoint instance. The [0..1]
cardinality indicates that an IKEIdentity instance MUST be cardinality indicates that an IKEIdentity instance MUST be
associated with at most one IPProtocolEndpoint instance. associated with at most one IPProtocolEndpoint instance.
skipping to change at page 74, line 41 skipping to change at page 74, line 41
that may be used in negotiating SAs for endpoints in the collection. that may be used in negotiating SAs for endpoints in the collection.
An IKEIdentity MUST be associated with either an IPProtocolEndpoint An IKEIdentity MUST be associated with either an IPProtocolEndpoint
using the EndpointHasLocalIKEIdentity association or with a using the EndpointHasLocalIKEIdentity association or with a
collection of IKEIdentity instances using this association. The collection of IKEIdentity instances using this association. The
class definition for CollectionHasLocalIKEIdentity is as follows: class definition for CollectionHasLocalIKEIdentity is as follows:
NAME CollectionHasLocalIKEIdentity NAME CollectionHasLocalIKEIdentity
DESCRIPTION CollectionHasLocalIKEIdentity associates a collection DESCRIPTION CollectionHasLocalIKEIdentity associates a collection
of IPProtocolEndpoint instances with a set of of IPProtocolEndpoint instances with a set of
IKEIdentity instances. IKEIdentity instances.
DERIVED FROM ElementAsUser (see Appendix B) DERIVED FROM ElementAsUser (see [CIMUSER])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref Collection [0..1]] PROPERTIES Antecedent [ref Collection [0..1]]
Dependent [ref IKEIdentity [0..n]] Dependent [ref IKEIdentity [0..n]]
8.17.1. The Reference Antecedent 8.17.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is The property Antecedent is inherited from ElementAsUser and is
overridden to refer to a Collection instance. The [0..1] overridden to refer to a Collection instance. The [0..1]
cardinality indicates that an IKEIdentity instance MUST be cardinality indicates that an IKEIdentity instance MUST be
associated with at most one Collection instance. associated with at most one Collection instance.
skipping to change at page 75, line 16 skipping to change at page 75, line 16
8.18. The Association Class IKEIdentitysCredential 8.18. The Association Class IKEIdentitysCredential
The class IKEIdentitysCredential is an association that relates a The class IKEIdentitysCredential is an association that relates a
set of credentials to their corresponding local IKE Identities. The set of credentials to their corresponding local IKE Identities. The
class definition for IKEIdentitysCredential is as follows: class definition for IKEIdentitysCredential is as follows:
NAME IKEIdentitysCredential NAME IKEIdentitysCredential
DESCRIPTION IKEIdentitysCredential associates a set of credentials DESCRIPTION IKEIdentitysCredential associates a set of credentials
to their corresponding local IKEIdentity. to their corresponding local IKEIdentity.
DERIVED FROM UsersCredential (see Appendix A) DERIVED FROM UsersCredential (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref Credential [0..n]] PROPERTIES Antecedent [ref Credential [0..n]]
Dependent [ref IKEIdentity [0..n]] Dependent [ref IKEIdentity [0..n]]
8.18.1. The Reference Antecedent 8.18.1. The Reference Antecedent
The property Antecedent is inherited from UsersCredential and is The property Antecedent is inherited from UsersCredential and is
overridden to refer to a Credential instance. The [0..n] overridden to refer to a Credential instance. The [0..n]
cardinality indicates that IKEIdentity instance may be associated cardinality indicates that IKEIdentity instance may be associated
with zero or more Credential instances. with zero or more Credential instances.
skipping to change at page 77, line 8 skipping to change at page 77, line 8
6.2.1. The Property LifetimeSeconds............................MUST 6.2.1. The Property LifetimeSeconds............................MUST
6.3. The Class IPsecBypassAction.............................SHOULD 6.3. The Class IPsecBypassAction.............................SHOULD
6.4. The Class IPsecDiscardAction............................SHOULD 6.4. The Class IPsecDiscardAction............................SHOULD
6.5. The Class IKERejectAction..................................MAY 6.5. The Class IKERejectAction..................................MAY
6.6. The Class PreconfiguredSAAction...........................MUST 6.6. The Class PreconfiguredSAAction...........................MUST
6.6.1. The Property LifetimeKilobytes..........................MUST 6.6.1. The Property LifetimeKilobytes..........................MUST
6.7. The Class PreconfiguredTransportAction....................MUST 6.7. The Class PreconfiguredTransportAction....................MUST
6.8. The Class PreconfiguredTunnelAction.......................MUST 6.8. The Class PreconfiguredTunnelAction.......................MUST
6.8.1. The Property DFHandling.................................MUST 6.8.1. The Property DFHandling.................................MUST
6.9. The Class SANegotiationAction.............................MUST 6.9. The Class SANegotiationAction.............................MUST
6.9.1. The Property MinLifetimeSeconds..........................MAY 6.10. The Class IKENegotiationAction...........................MUST
6.9.2. The Property MinLifetimeKilobytes........................MAY 6.10.1. The Property MinLifetimeSeconds.........................MAY
6.9.3. The Property RefreshThresholdSeconds.....................MAY 6.10.2. The Property MinLifetimeKilobytes.......................MAY
6.9.4. The Property RefreshThresholdKilobytes...................MAY 6.10.3. The Property RefreshThresholdSeconds....................MAY
6.9.5. The Property IdleDurationSeconds.........................MAY 6.10.4. The Property RefreshThresholdKilobytes..................MAY
6.10. The Class IPsecAction....................................MUST 6.10.5. The Property IdleDurationSeconds........................MAY
6.10.1. The Property UsePFS....................................MUST 6.11. The Class IPsecAction....................................MUST
6.10.2. The Property UseIKEGroup................................MAY 6.11.1. The Property UsePFS....................................MUST
6.10.3. The Property GroupId...................................MUST 6.11.2. The Property UseIKEGroup................................MAY
6.10.4. The Property Granularity.............................SHOULD 6.11.3. The Property GroupId...................................MUST
6.10.5. The Property VendorID...................................MAY 6.11.4. The Property Granularity.............................SHOULD
6.11. The Class IPsecTransportAction...........................MUST 6.11.5. The Property VendorID...................................MAY
6.12. The Class IPsecTunnelAction..............................MUST 6.12. The Class IPsecTransportAction...........................MUST
6.12.1. The Property DFHandling................................MUST 6.13. The Class IPsecTunnelAction..............................MUST
6.13. The Class IKEAction......................................MUST 6.13.1. The Property DFHandling................................MUST
6.13.1. The Property RefreshThresholdDerivedKeys................MAY 6.14. The Class IKEAction......................................MUST
6.13.2. The Property ExchangeMode..............................MUST 6.14.1. The Property RefreshThresholdDerivedKeys................MAY
6.13.3. The Property UseIKEIdentityType........................MUST 6.14.2. The Property ExchangeMode..............................MUST
6.13.4. The Property VendorID...................................MAY 6.14.3. The Property UseIKEIdentityType........................MUST
6.13.5. The Property AggressiveModeGroupId......................MAY 6.14.4. The Property VendorID...................................MAY
6.14. The Class PeerGateway....................................MUST 6.14.5. The Property AggressiveModeGroupId......................MAY
6.14.1. The Property Name....................................SHOULD 6.15. The Class PeerGateway....................................MUST
6.14.2. The Property PeerIdentityType..........................MUST 6.15.1. The Property Name....................................SHOULD
6.14.3. The Property PeerIdentity..............................MUST 6.15.2. The Property PeerIdentityType..........................MUST
6.15. The Association Class PeerGatewayForTunnel...............MUST 6.15.3. The Property PeerIdentity..............................MUST
6.15.1. The Reference Antecedent...............................MUST 6.16. The Association Class PeerGatewayForTunnel...............MUST
6.15.2. The Reference Dependent................................MUST 6.16.1. The Reference Antecedent...............................MUST
6.15.3. The Property SequenceNumber..........................SHOULD 6.16.2. The Reference Dependent................................MUST
6.16. The Aggregation Class ContainedProposal..................MUST 6.16.3. The Property SequenceNumber..........................SHOULD
6.16.1. The Reference GroupComponent...........................MUST 6.17. The Aggregation Class ContainedProposal..................MUST
6.16.2. The Reference PartComponent............................MUST 6.17.1. The Reference GroupComponent...........................MUST
6.16.3. The Property SequenceNumber............................MUST 6.17.2. The Reference PartComponent............................MUST
6.17. The Association Class HostedPeerGatewayInformation........MAY 6.17.3. The Property SequenceNumber............................MUST
6.17.1. The Reference Antecedent...............................MUST 6.18. The Association Class HostedPeerGatewayInformation........MAY
6.17.2. The Reference Dependent................................MUST
6.18. The Association Class TransformOfPreconfiguredAction.....MUST
6.18.1. The Reference Antecedent...............................MUST 6.18.1. The Reference Antecedent...............................MUST
6.18.2. The Reference Dependent................................MUST 6.18.2. The Reference Dependent................................MUST
6.18.3. The Property SPI.......................................MUST 6.19. The Association Class TransformOfPreconfiguredAction.....MUST
6.18.4. The Property Direction.................................MUST
6.19. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
6.19.1. The Reference Antecedent...............................MUST 6.19.1. The Reference Antecedent...............................MUST
6.19.2. The Reference Dependent................................MUST 6.19.2. The Reference Dependent................................MUST
6.19.3. The Property SPI.......................................MUST
6.19.4. The Property Direction.................................MUST
6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
6.20.1. The Reference Antecedent...............................MUST
6.20.2. The Reference Dependent................................MUST
7. Proposal and Transform Classes 7. Proposal and Transform Classes
7.1. The Abstract Class SAProposal.............................MUST 7.1. The Abstract Class SAProposal.............................MUST
7.1.1. The Property Name.....................................SHOULD 7.1.1. The Property Name.....................................SHOULD
7.2. The Class IKEProposal.....................................MUST 7.2. The Class IKEProposal.....................................MUST
7.2.1. The Property LifetimeDerivedKeys.........................MAY 7.2.1. The Property LifetimeDerivedKeys.........................MAY
7.2.2. The Property CipherAlgorithm............................MUST 7.2.2. The Property CipherAlgorithm............................MUST
7.2.3. The Property HashAlgorithm..............................MUST 7.2.3. The Property HashAlgorithm..............................MUST
7.2.4. The Property PRFAlgorithm................................MAY 7.2.4. The Property PRFAlgorithm................................MAY
7.2.5. The Property GroupId....................................MUST 7.2.5. The Property GroupId....................................MUST
7.2.6. The Property AuthenticationMethod.......................MUST 7.2.6. The Property AuthenticationMethod.......................MUST
skipping to change at page 81, line 5 skipping to change at page 81, line 9
[ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload
(ESP)", RFC 2406, November 1998. (ESP)", RFC 2406, November 1998.
[AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC
2402, November 1998. 2402, November 1998.
[PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core [PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core
Information Model -- Version 1 Specification", RFC 3060, February Information Model -- Version 1 Specification", RFC 3060, February
2001. 2001.
[PCIME] Moore, B., Rafalow, L., Ramberg, Y., Snir, Y., Westerinen,
A., Chadha, R., Brunner, M., Cohen, R. and Strassner, J., "Policy
Core Information Model Extensions", draft-ietf-policy-pcim-ext-
05.txt, October 2001 Internet Draft work in progress
[DOI] Piper, D., "The Internet IP Security Domain of Interpretation [DOI] Piper, D., "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC 2407, November 1998. for ISAKMP", RFC 2407, November 1998.
[LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997. Access Protocol (v3)", RFC 2251, December 1997.
[COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A. [COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
January 2000. Internet-Draft work in progress. January 2000. Internet-Draft work in progress.
skipping to change at page 81, line 29 skipping to change at page 81, line 38
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[IPSO] Kent, S., "U.S. Department of Defense Security Options for [IPSO] Kent, S., "U.S. Department of Defense Security Options for
the Internet Protocol", RFC 1108, November 1991. the Internet Protocol", RFC 1108, November 1991.
[IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the
Internet Protocol", RFC 2401, November 1998. Internet Protocol", RFC 2401, November 1998.
[DMTF] Distributed Management Task Force, http://www.dmtf.org/
[CIMCORE] DMTF Common Information Model - Core Model v2.5,
http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25.mof and
http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25_Add.mof
[CIMUSER] DMTF Common Information Model - User-Security Model v2.5,
http://www.dmtf.org/var/release/CIM_Schema25/CIM_User25.mof
[CIMNETWORK] DMTF Common Information Model - Network Model v2.5,
http://www.dmtf.org/var/release/CIM_Schema25/CIM_Network25.mof
14. Disclaimer 14. Disclaimer
The views and specification herein are those of the authors and are The views and specification herein are those of the authors and are
not necessarily those of their employer. The authors and their not necessarily those of their employer. The authors and their
employer specifically disclaim responsibility for any problems employer specifically disclaim responsibility for any problems
arising from correct or incorrect implementation or use of this arising from correct or incorrect implementation or use of this
specification. specification.
15. Authors' Addresses 15. Authors' Addresses
skipping to change at page 81, line 50 skipping to change at page 82, line 18
Intel Corporation Intel Corporation
MS JF3-206 MS JF3-206
2111 NE 25th Ave. 2111 NE 25th Ave.
Hillsboro, OR 97124 Hillsboro, OR 97124
E-Mail: jamie.jason@intel.com E-Mail: jamie.jason@intel.com
Lee Rafalow Lee Rafalow
IBM Corporation, BRQA/502 IBM Corporation, BRQA/502
4205 So. Miami Blvd. 4205 So. Miami Blvd.
Research Triangle Park, NC 27709 Research Triangle Park, NC 27709
E-mail: rafalow@raleigh.ibm.com E-mail: rafalow@watson.ibm.com
Eric Vyncke Eric Vyncke
Cisco Systems Cisco Systems
Avenue Marcel Thiry, 77 Avenue Marcel Thiry, 77
B-1200 Brussels B-1200 Brussels
Belgium Belgium
E-mail: evyncke@cisco.com E-mail: evyncke@cisco.com
16. Full Copyright Statement 16. Full Copyright Statement
skipping to change at page 82, line 32 skipping to change at line 4166
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING
TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Appendix A (DMTF Core Model MOF)
// ==================================================================
// ManagedElement
// ==================================================================
[Abstract, Description (
"ManagedElement is an abstract class that provides a common "
"superclass (or top of the inheritance tree) for the "
"non-association classes in the CIM Schema.")]
class CIM_ManagedElement
{
[MaxLen (64), Description (
"The Caption property is a short textual description (one-"
"line string) of the object.") ]
string Caption;
[Description (
"The Description property provides a textual description of "
"the object.") ]
string Description;
};
// ==================================================================
// Collection
// ==================================================================
[Abstract, Description (
"Collection is an abstract class that provides a common"
"superclass for data elements that represent collections of "
"ManagedElements and its subclasses.")]
class CIM_Collection : CIM_ManagedElement
{
};
// ==================================================================
// ManagedSystemElement
// ==================================================================
[Abstract, Description (
"CIM_ManagedSystemElement is the base class for the System "
"Element hierarchy. Membership Criteria: Any distinguishable "
"component of a System is a candidate for inclusion in this "
"class. Examples: software components, such as files; and "
"devices, such as disk drives and controllers, and physical "
"components such as chips and cards.") ]
class CIM_ManagedSystemElement : CIM_ManagedElement
{
[Description (
"A datetime value indicating when the object was installed. "
"A lack of a value does not indicate that the object is not "
"installed."),
MappingStrings {"MIF.DMTF|ComponentID|001.5"} ]
datetime InstallDate;
[MaxLen (256), Description (
"The Name property defines the label by which the object is "
"known. When subclassed, the Name property can be overridden "
"to be a Key property.") ]
string Name;
[MaxLen (10), Description (
" A string indicating the current status of the object. "
"Various operational and non-operational statuses are "
"defined. Operational statuses are \"OK\", \"Degraded\", "
"\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that "
"the Element is functioning, but needs attention. Examples "
"of \"Stressed\" states are overload, overheated, etc. The "
"condition \"Pred Fail\" (failure predicted) indicates that "
"an Element is functioning properly but predicting a failure "
"in the near future. An example is a SMART-enabled hard "
"drive. \n"
" Non-operational statuses can also be specified. These "
"are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", "
"\"Stopped\", "
"\"Service\",\"No Contact\" and \"Lost Comm\". \"NonRecover\""
"indicates that a non-recoverable error has occurred. "
"\"Service\" describes an Element being configured, "
"maintained,"
"cleaned, or otherwise administered. This status could apply "
"during mirror-resilvering of a disk, reload of a user "
"permissions list, or other administrative task. Not all "
"such "
"work is on-line, yet the Element is neither \"OK\" nor in "
"one of the other states. \"No Contact\" indicates that the "
"current instance of the monitoring system has knowledge of "
"this Element but has never been able to establish "
"communications with it. \"Lost Comm\" indicates that "
"the ManagedSystemElement is known to exist and has been "
"contacted successfully in the past, but is currently "
"unreachable."
"\"Stopped\" indicates that the ManagedSystemElement is "
"known "
"to exist, it is not operational (i.e. it is unable to "
"provide service to users), but it has not failed. It "
"has purposely "
"been made non-operational. The Element "
"may have never been \"OK\", the Element may have initiated "
"its "
"own stop, or a management system may have initiated the "
"stop."),
ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail",
"Starting", "Stopping", "Service", "Stressed",
"NonRecover", "No Contact", "Lost Comm", "Stopped"} ]
string Status;
};
// ==================================================================
// LogicalElement
// ==================================================================
[Abstract, Description (
"CIM_LogicalElement is a base class for all the components "
"of "
"a System that represent abstract system components, such "
"as Files, Processes, or system capabilities in the form "
"of Logical Devices.") ]
class CIM_LogicalElement:CIM_ManagedSystemElement
{
};
// ==================================================================
// CIM_SystemConfiguration
// ==================================================================
[Description (
"CIM_SystemConfiguration represents the general concept "
"of a CIM_Configuration which is scoped by/weak to a "
"System. This class is a peer of CIM_Configuration since "
"the key structure of Configuration is currently "
"defined and cannot be modified with additional "
"properties.")]
class CIM_SystemConfiguration : CIM_ManagedElement {
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description (
"The scoping System's CreationClassName.") ]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key, MaxLen (256),
Description ("The scoping System's Name.") ]
string SystemName;
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Key, MaxLen (256), Description (
"The label by which the Configuration object is known.") ]
string Name;
};
// ===================================================================
// Setting
// ===================================================================
[Abstract, Description (
"The Setting class represents configuration-related and "
"operational parameters for one or more ManagedSystem"
"Element(s). A ManagedSystemElement may have multiple "
"Setting "
"objects associated with it. The current operational values "
"for an Element's parameters are reflected by properties in "
"the Element itself or by properties in its associations. "
"These properties do not have to be the same values present "
"in the Setting object. For example, a modem may have a "
"Setting baud rate of 56Kb/sec but be operating "
"at 19.2Kb/sec.") ]
class CIM_Setting : CIM_ManagedElement
{
[MaxLen (256), Description (
"The identifier by which the Setting object is known.") ]
string SettingID;
[Description (
"The VerifyOKToApplyToMSE method is used to verify that "
"this Setting can be 'applied' to the referenced Managed"
"SystemElement, at the given time or time interval. This "
"method takes three input parameters: MSE (the Managed"
"SystemElement that is being verified), TimeToApply (which, "
"being a datetime, can be either a specific time or a time "
"interval), and MustBeCompletedBy (which indicates the "
"required completion time for the method). The return "
"value should be 0 if it is OK to apply the Setting, 1 if "
"the method is not supported, 2 if the Setting can not be "
"applied within the specified times, and any other number "
"if an error occurred. In a subclass, the "
"set of possible return codes could be specified, using a "
"ValueMap qualifier on the method. The strings to which the "
"ValueMap contents are 'translated' may also be specified in "
"the subclass as a Values array qualifier.") ]
uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
[IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);
[Description (
"The ApplyToMSE method performs the actual application of "
"the Setting to the referenced ManagedSystemElement. It "
"takes three input parameters: MSE (the ManagedSystem"
"Element to which the Setting is being applied), "
"TimeToApply (which, being a datetime, can be either a "
"specific time or a time interval), and MustBeCompletedBy "
"(which indicates the required completion time for the "
"method). Note that the semantics of this method are that "
"individual Settings are either wholly applied or not "
"applied at all to their target ManagedSystemElement. The "
"return value should be 0 if the Setting is successfully "
"applied to the referenced ManagedSystemElement, 1 if the "
"method is not supported, 2 if the Setting was not applied "
"within the specified times, and any other number if an "
"error occurred. In a subclass, the set of possible return "
"codes could be specified, using a ValueMap qualifier on "
"the method. The strings to which the ValueMap contents are "
"'translated' may also be specified in the subclass as a "
"Values array qualifier.\n"
"Note: If an error occurs in applying the Setting to a "
"ManagedSystemElement, the Element must be configured as "
"when the 'apply' attempt began. That is, the Element "
"should NOT be left in an indeterminate state.") ]
uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
[IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy);
[Description (
"The VerifyOKToApplyToCollection method is used to verify "
"that this Setting can be 'applied' to the referenced "
"Collection of ManagedSystemElements, at the given time "
"or time interval, without causing adverse effects to "
"either the Collection itself or its surrounding "
"environment. The net effect is to execute the "
"VerifyOKToApply method against each of the Elements "
"aggregated by the Collection. This method takes three "
"input parameters: Collection (the Collection of Managed"
"SystemElements that is being verified), TimeToApply (which, "
"being a datetime, can be either a specific time or a time "
"interval), and MustBeCompletedBy (which indicates the "
"required completion time for the method). The return "
"value should be 0 if it is OK to apply the Setting, 1 if "
"the method is not supported, 2 if the Setting can not be "
"applied within the specified times, and any other number if "
"an error occurred. One output parameter is defined - "
"CanNotApply - which is a string array that lists the keys "
"of "
"the ManagedSystemElements to which the Setting can NOT be "
"applied. This enables those Elements to be revisited and "
"either fixed, or other corrective action taken.\n"
"In a subclass, the set of possible return codes could be "
"specified, using a ValueMap qualifier on the method. The "
"strings to which the ValueMap contents are 'translated' may "
"also be specified in the subclass as a Values array "
"qualifier.") ]
uint32 VerifyOKToApplyToCollection (
[IN] CIM_CollectionOfMSEs ref Collection,
[IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy,
[OUT] string CanNotApply[]);
[Description (
"The ApplyToCollection method performs the application of "
"the Setting to the referenced Collection of ManagedSystem"
"Elements. The net effect is to execute the ApplyToMSE "
"method against each of the Elements aggregated by the "
"Collection. If the input value ContinueOnError is FALSE, "
"this method applies the Setting to all Elements in the "
"Collection until it encounters an error, in which case it "
"stops execution, logs the key of the Element that caused "
"the error in the CanNotApply array, and issues a return "
"code "
"of 2. If the input value ContinueOnError is TRUE, then this "
"method applies the Setting to all the ManagedSystemElements "
"in the Collection, and reports the failed Elements in the "
"array, CanNotApply. For the latter, processing will "
"continue "
"until the method is applied to all Elements in the "
"Collection, regardless of any errors encountered. The key "
"of "
"each ManagedSystemElement to which the Setting could not be "
"applied is logged into the CanNotApply array. This method "
"takes four input parameters: Collection (the Collection of "
"Elements to which the Setting is being applied), "
"TimeToApply "
"(which, being a datetime, can be either a specific time or "
"a "
"time interval), ContinueOnError (TRUE means to continue "
"processing on encountering an error), and MustBeCompletedBy "
"(which indicates the required completion time for the "
"method). The return value should be 0 if the Setting is "
"successfully applied to the referenced Collection, 1 if the "
"method is not supported, 2 if the Setting was not applied "
"within the specified times, 3 if the Setting can not be "
"applied using the input value for ContinueOnError, and any "
"other number if an error occurred. One output parameter is "
"defined, CanNotApplystring, which is an array that lists "
"the keys of the ManagedSystemElements to which the Setting "
"was NOT able to be applied. This output parameter has "
"meaning only when the ContinueOnError parameter is TRUE.\n"
"In a subclass, the set of possible return codes could be "
"specified, using a ValueMap qualifier on the method. The "
"strings to which the ValueMap contents are 'translated' may "
"also be specified in the subclass as a Values array "
"qualifier.\n"
"Note: if an error occurs in applying the Setting to a "
"ManagedSystemElement in the Collection, the Element must be "
"configured as when the 'apply' attempt began. That is, the "
"Element should NOT be left in an indeterminate state.") ]
uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection,
[IN] datetime TimeToApply, [IN] boolean ContinueOnError,
[IN] datetime MustBeCompletedBy, [OUT] string CanNotApply[]);
[Description (
"The VerifyOKToApplyIncrementalChangeToMSE method "
"is used to verify that a subset of the properties in "
"this Setting can be 'applied' to the referenced Managed"
"SystemElement, at the given time or time interval. This "
"method takes four input parameters: MSE (the Managed"
"SystemElement that is being verified), TimeToApply (which, "
"being a datetime, can be either a specific time or a time "
"interval), MustBeCompletedBy (which indicates the "
"required completion time for the method), and a "
"PropertiesToApply array (which contains a list of the "
"property names whose values will be verified. "
"If they array is null or empty or constains the string "
"\"all\" "
"as a property name then all Settings properties shall be "
"verified. If it is set to \"none\" then no Settings "
"properties "
"will be verified). The return "
"value should be 0 if it is OK to apply the Setting, 1 if "
"the method is not supported, 2 if the Setting can not be "
"applied within the specified times, and any other number "
"if an error occurred. In a subclass, the "
"set of possible return codes could be specified, using a "
"ValueMap qualifier on the method. The strings to which the "
"ValueMap contents are 'translated' may also be specified in "
"the subclass as a Values array qualifier.") ]
uint32 VerifyOKToApplyIncrementalChangeToMSE(
[IN] CIM_ManagedSystemElement ref MSE,
[IN] datetime TimeToApply,
[IN] datetime MustBeCompletedBy,
[IN] string PropertiesToApply[]);
[Description (
"The ApplyIncrementalChangeToMSE method performs the "
"actual application of a subset of the properties in "
"the Setting to the referenced ManagedSystemElement. It "
"takes four input parameters: MSE (the ManagedSystem"
"Element to which the Setting is being applied), "
"TimeToApply (which, being a datetime, can be either a "
"specific time or a time interval), MustBeCompletedBy "
"(which indicates the required completion time for the "
"method), and a "
"PropertiesToApply array (which contains a list of the "
"property names whose values will be applied. If a "
"property is not in this list, it will be ignored by the "
"apply. "
"If they array is null or empty or constains the string "
"\"all\" "
"as a property name then all Settings properties shall be "
"applied. If it is set to \"none\" then no Settings "
"properties "
"will be applied. ). "
"Note that the semantics of this method are that "
"individual Settings are either wholly applied or not "
"applied at all to their target ManagedSystemElement. The "
"return value should be 0 if the Setting is successfully "
"applied to the referenced ManagedSystemElement, 1 if the "
"method is not supported, 2 if the Setting was not applied "
"within the specified times, and any other number if an "
"error occurred. In a subclass, the set of possible return "
"codes could be specified, using a ValueMap qualifier on "
"the method. The strings to which the ValueMap contents are "
"'translated' may also be specified in the subclass as a "
"Values array qualifier.\n"
"Note: If an error occurs in applying the Setting to a "
"ManagedSystemElement, the Element must be configured as "
"when the 'apply' attempt began. That is, the Element "
"should NOT be left in an indeterminate state.") ]
uint32 ApplyIncrementalChangeToMSE(
[IN] CIM_ManagedSystemElement ref MSE,
[IN] datetime TimeToApply,
[IN] datetime MustBeCompletedBy,
[IN] string PropertiesToApply[]);
[Description (
"The VerifyOKToApplyIncrementalChangeToCollection method "
"is used to verify that a subset of the properties in "
"this Setting can be 'applied' to the referenced "
"Collection of ManagedSystemElements, at the given time "
"or time interval, without causing adverse effects to "
"either the Collection itself or its surrounding "
"environment. The net effect is to execute the "
"VerifyOKToApplyIncrementalChangeToMSE method "
"against each of the Elements "
"aggregated by the Collection. This method takes three "
"input parameters: Collection (the Collection of Managed"
"SystemElements that is being verified), TimeToApply (which, "
"being a datetime, can be either a specific time or a time "
"interval), MustBeCompletedBy (which indicates the "
"required completion time for the method), and a "
"PropertiesToApply array (which contains a list of the "
"property names whose values will be verified. "
"If they array is null or empty or contains the string "
"\"all\" "
"as a property name then all Settings properties shall be "
"verified. If it is set to \"none\" then no Settings "
"properties "
"will be verified). The return "
"value should be 0 if it is OK to apply the Setting, 1 if "
"the method is not supported, 2 if the Setting can not be "
"applied within the specified times, and any other number if "
"an error occurred. One output parameter is defined - "
"CanNotApply - which is a string array that lists the keys "
"of "
"the ManagedSystemElements to which the Setting can NOT be "
"applied. This enables those Elements to be revisited and "
"either fixed, or other corrective action taken.\n"
"In a subclass, the set of possible return codes could be "
"specified, using a ValueMap qualifier on the method. The "
"strings to which the ValueMap contents are 'translated' may "
"also be specified in the subclass as a Values array "
"qualifier.") ]
uint32 VerifyOKToApplyIncrementalChangeToCollection (
[IN] CIM_CollectionOfMSEs ref Collection,
[IN] datetime TimeToApply,
[IN] datetime MustBeCompletedBy,
[IN] string PropertiesToApply[],
[OUT] string CanNotApply[]);
[Description (
"The ApplyIncrementalChangeToCollection method performs "
"the application of a subset of the properties in this "
"Setting to the referenced Collection of ManagedSystem"
"Elements. The net effect is to execute the "
"ApplyIncrementalChangeToMSE "
"method against each of the Elements aggregated by the "
"Collection. If the input value ContinueOnError is FALSE, "
"this method applies the Setting to all Elements in the "
"Collection until it encounters an error, in which case it "
"stops execution, logs the key of the Element that caused "
"the error in the CanNotApply array, and issues a return "
"code "
"of 2. If the input value ContinueOnError is TRUE, then this "
"method applies the Setting to all the ManagedSystemElements "
"in the Collection, and reports the failed Elements in the "
"array, CanNotApply. For the latter, processing will "
"continue "
"until the method is applied to all Elements in the "
"Collection, regardless of any errors encountered. The key "
"of "
"each ManagedSystemElement to which the Setting could not be "
"applied is logged into the CanNotApply array. This method "
"takes four input parameters: Collection (the Collection of "
"Elements to which the Setting is being applied), "
"TimeToApply "
"(which, being a datetime, can be either a specific time or "
"a "
"time interval), ContinueOnError (TRUE means to continue "
"processing on encountering an error), and MustBeCompletedBy "
"(which indicates the required completion time for the "
"method), and a PropertiesToApply array (which contains a "
"list "
"of the property names whose values will be applied. If a "
"property is not in this list, it will be ignored by "
"the apply. "
"If they array is null or empty or constains the string "
"\"all\" "
"as a property name then all Settings properties shall be "
"applied. If it is set to \"none\" then no Settings "
"properties "
"will be applied. ). "
"The return value should be 0 if the Setting is "
"successfully applied to the referenced Collection, 1 if the "
"method is not supported, 2 if the Setting was not applied "
"within the specified times, 3 if the Setting can not be "
"applied using the input value for ContinueOnError, and any "
"other number if an error occurred. One output parameter is "
"defined, CanNotApplystring, which is an array that lists "
"the keys of the ManagedSystemElements to which the Setting "
"was NOT able to be applied. This output parameter has "
"meaning only when the ContinueOnError parameter is TRUE.\n"
"In a subclass, the set of possible return codes could be "
"specified, using a ValueMap qualifier on the method. The "
"strings to which the ValueMap contents are 'translated' may "
"also be specified in the subclass as a Values array "
"qualifier.\n"
"Note: if an error occurs in applying the Setting to a "
"ManagedSystemElement in the Collection, the Element must be "
"configured as when the 'apply' attempt began. That is, the "
"Element should NOT be left in an indeterminate state.") ]
uint32 ApplyIncrementalChangeToCollection(
[IN] CIM_CollectionOfMSEs ref Collection,
[IN] datetime TimeToApply,
[IN] boolean ContinueOnError,
[IN] datetime MustBeCompletedBy,
[IN] string PropertiesToApply[],
[OUT] string CanNotApply[]);
};
// ==================================================================
// CIM_SystemSetting
// ==================================================================
[Abstract, Description (
"CIM_SystemSetting represents the general concept "
"of a CIM_Setting which is scoped by/weak to a System.")]
class CIM_SystemSetting : CIM_Setting {
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description (
"The scoping System's CreationClassName.") ]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key, MaxLen (256),
Description ("The scoping System's Name.") ]
string SystemName;
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Override ("SettingID"), Key, MaxLen (256)]
string SettingID;
};
// ==================================================================
// System
// ==================================================================
[Abstract, Description (
"A CIM_System is a LogicalElement that aggregates an "
"enumerable set of Managed System Elements. The aggregation "
"operates as a functional whole. Within any particular "
"subclass of System, there is a well-defined list of "
"Managed System Element classes whose instances must be "
"aggregated.") ]
class CIM_System:CIM_LogicalElement
{
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Key, MaxLen (256), Override ("Name"), Description (
"The inherited Name serves as key of a System instance in "
"an enterprise environment.") ]
string Name;
[MaxLen (64), Description (
"The System object and its derivatives are Top Level Objects "
"of CIM. They provide the scope for numerous components. "
"Having unique System keys is required. A heuristic can be "
"defined in individual System subclasses to attempt to "
"always "
"generate the same System Name Key. The NameFormat property "
"identifies how the System name was generated, using "
"the subclass' heuristic.") ]
string NameFormat;
[MaxLen (256), Description (
"A string that provides information on how the primary "
"system "
"owner can be reached (e.g. phone number, email address, "
"...)."),
MappingStrings {"MIF.DMTF|General Information|001.3"} ]
string PrimaryOwnerContact;
[MaxLen (64), Description (
"The name of the primary system owner."),
MappingStrings {"MIF.DMTF|General Information|001.4"} ]
string PrimaryOwnerName;
[Description (
"An array (bag) of strings that specify the roles this "
"System "
"plays in the IT-environment. Subclasses of System may "
"override this property to define explicit Roles values. "
"Alternately, a Working Group may describe the heuristics, "
"conventions and guidelines for specifying Roles. For "
"example, for an instance of a networking system, the Roles "
"property might contain the string, 'Switch' or 'Bridge'.") ]
string Roles[];
};
// ==================================================================
// Service
// ==================================================================
[Abstract, Description (
"A CIM_Service is a Logical Element that contains the "
"information necessary to represent and manage the "
"functionality provided by a Device and/or SoftwareFeature. "
"A Service is a general-purpose object to configure and "
"manage the implementation of functionality. It is not the "
"functionality itself.") ]
class CIM_Service:CIM_LogicalElement
{
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this "
"property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Override ("Name"), Key, MaxLen (256),
Description (
"The Name property uniquely identifies the Service and "
"provides an indication of the functionality that is "
"managed. This functionality is described in more detail in "
"the object's Description property. ") ]
string Name;
[MaxLen (10), Description (
"StartMode is a string value indicating whether the Service "
"is automatically started by a System, Operating System, "
"etc. "
"or only started upon request."),
ValueMap {"Automatic", "Manual"} ]
string StartMode;
[Description (
"Started is a boolean indicating whether the Service "
"has been started (TRUE), or stopped (FALSE).") ]
boolean Started;
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description (
"The scoping System's CreationClassName. ") ]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key, MaxLen (256),
Description ("The scoping System's Name.") ]
string SystemName;
[Description (
"The StartService method places the Service in the started "
"state. It returns an integer value of 0 if the Service was "
"successfully started, 1 if the request is not supported and "
"any other number to indicate an error. In a subclass, the "
"set of possible return codes could be specified, using a "
"ValueMap qualifier on the method. The strings to which the "
"ValueMap contents are 'translated' may also be specified in "
"the subclass as a Values array qualifier.") ]
uint32 StartService();
[Description (
"The StopService method places the Service in the stopped "
"state. It returns an integer value of 0 if the Service was "
"successfully stopped, 1 if the request is not supported and "
"any other number to indicate an error. In a subclass, the "
"set of possible return codes could be specified, using a "
"ValueMap qualifier on the method. The strings to which the "
"ValueMap contents are 'translated' may also be specified in "
"the subclass as a Values array qualifier.") ]
uint32 StopService();
};
// ==================================================================
// ServiceAccessPoint
// ==================================================================
[Abstract, Description (
"CIM_ServiceAccessPoint represents the ability to utilize or "
"invoke a Service. Access points represent that a Service "
"is made available to other entities for use.") ]
class CIM_ServiceAccessPoint:CIM_LogicalElement
{
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this "
"property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Override ("Name"), Key, MaxLen (256),
Description (
"The Name property uniquely identifies the "
"ServiceAccessPoint "
"and provides an indication of the functionality that is "
"managed. This functionality is described in more detail in "
"the object's Description property.") ]
string Name;
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description (
"The scoping System's CreationClassName.") ]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key, MaxLen (256),
Description ("The scoping System's Name.") ]
string SystemName;
};
// ==================================================================
// === Association class definitions ===
// ==================================================================
// ==================================================================
// Component
// ==================================================================
[Association, Abstract, Aggregation, Description (
"CIM_Component is a generic association used to establish "
"'part of' relationships between Managed System Elements. "
"For "
"example, the SystemComponent association defines parts of "
"a System.") ]
class CIM_Component
{
[Aggregate, Key, Description (
"The parent element in the association.") ]
CIM_ManagedSystemElement REF GroupComponent;
[Key, Description ("The child element in the association.") ]
CIM_ManagedSystemElement REF PartComponent;
};
// ==================================================================
// Dependency
// ==================================================================
[Association, Abstract, Description (
"CIM_Dependency is a generic association used to establish "
"dependency relationships between ManagedElements.") ]
class CIM_Dependency
{
[Key, Description (
"Antecedent represents the independent object in this "
"association.") ]
CIM_ManagedElement REF Antecedent;
[Key, Description (
"Dependent represents the object dependent on the "
"Antecedent.") ]
CIM_ManagedElement REF Dependent;
};
// ===================================================================
// ElementSetting
// ===================================================================
[Association, Description (
"ElementSetting represents the association between Managed"
"SystemElements and the Setting class(es) defined for them.")
]
class CIM_ElementSetting
{
[Key, Description ("The ManagedSystemElement.") ]
CIM_ManagedSystemElement REF Element;
[Key, Description (
"The Setting object associated with the ManagedSystem"
"Element.") ]
CIM_Setting REF Setting;
};
// ==================================================================
// MemberOfCollection
// ==================================================================
[Association, Aggregation, Description (
"CIM_MemberOfCollection is an aggregation used to establish "
"membership of ManagedElements in a Collection." ) ]
class CIM_MemberOfCollection
{
[Key, Aggregate, Description (
"The Collection that aggregates members") ]
CIM_Collection REF Collection;
[Key, Description ("The aggregated member of the collection.")
]
CIM_ManagedElement REF Member;
};
// ==================================================================
// CIM_SystemSettingContext
// ==================================================================
[Association, Aggregation, Description (
"This relationship associates System-specific Configuration "
"objects with System-specific Setting objects, similar to "
"the "
"SettingContext association.")]
class CIM_SystemSettingContext {
[Aggregate, Key, Description (
"The Configuration object that aggregates the Setting.") ]
CIM_SystemConfiguration REF Context;
[Key, Description ("An aggregated Setting.")]
CIM_SystemSetting REF Setting;
};
Appendix B (DMTF User Model MOF)
// ==================================================================
// OrganizationalEntity
// ==================================================================
[Abstract, Description (
"OrganizationalEntity is an abstract class from which classes "
"that fit into an organizational structure are derived.") ]
class CIM_OrganizationalEntity : CIM_ManagedElement
{
};
// ==================================================================
// UserEntity
// ==================================================================
[Abstract, Description (
"UserEntity is an abstract class that represents users.") ]
class CIM_UserEntity : CIM_OrganizationalEntity
{
};
// ==================================================================
// UsersAccess
// ==================================================================
[Description (
"The UsersAccess object class is used to specify a system user "
"that permitted access to system resources. The ManagedElement "
"that has access to system resources (represented in the model in "
"the ElementAsUser association) may be a person, a service, a "
"service access point or any collection thereof. Whereas the "
"Account class represents the user's relationship to a system "
"from the perspective of the security services of the system, the "
"UserAccess class represents the relationships to the systems "
"independent of a particular system or service.") ]
class CIM_UsersAccess: CIM_UserEntity
{
[Key, MaxLen (256), Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.")]
string CreationClassName;
[Key, MaxLen (256),Description (
"The Name property defines the label by which the object is "
"known.")]
string Name;
[Key, Description (
"The ElementID property uniquely specifies the ManagedElement "
"object instance that is the user represented by the "
"UsersAccess object instance. The ElementID is formatted "
"similarly to a model path except that the property-value "
"pairs are ordered in alphabetical order (US ASCII lexical "
"order).")]
string ElementID;
[Description (
"Biometric information used to identify a person. The "
"property value is left null or set to 'N/A' for non-human "
"user or a user not using biometric information for "
"authentication."),
Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger",
"Voice", "DNA-RNA", "EEG"} ]
uint16 Biometric[];
};
// ==================================================================
// SecurityService
// ==================================================================
[ Abstract, Description (
"CIM_SecurityService ...") ]
class CIM_SecurityService:CIM_Service
{
};
// ==================================================================
// AuthenticationService
// ==================================================================
[Description (
"CIM_AuthenticationService verifies users' identities through "
"some means. These services are decomposed into a subclass that "
"provides credentials to users and a subclass that provides for "
"the verification of the validity of a credential and, perhaps, "
"the appropriateness of its use for access to target resources. "
"The persistent state information used from one such verification "
"to another is maintained in an Account for that Users Access on "
"that AuthenticationService.") ]
class CIM_AuthenticationService:CIM_SecurityService
{
};
// ==================================================================
// CredentialManagementService
// ==================================================================
[Description (
"CIM_CredentialManagementService issues credentials and manages "
"the credential lifecycle.") ]
class CIM_CredentialManagementService:CIM_AuthenticationService
{
};
// ==================================================================
// CertificateAuthority
// ==================================================================
[Description ("A Certificate Authority (CA) is a credential "
"management service that issues and cryptographically "
"signs certificates thus acting as an trusted third-party "
"intermediary in establishing trust relationships. The CA "
"authenicates the holder of the private key related to the "
"certificate's public key; the authenicated entity is "
"represented by the UsersAccess class.") ]
class CIM_CertificateAuthority:CIM_CredentialManagementService
{
[Description (
"The CAPolicyStatement describes what care is taken by the "
"CertificateAuthority when signing a new certificate. "
"The CAPolicyStatment may be a dot-delimited ASN.1 OID "
"string which identifies to the formal policy statement.") ]
string CAPolicyStatement;
[Description ( "A CRL, or CertificateRevocationList, is a "
"list of certificates which the CertificateAuthority has "
"revoked and which are not yet expired. Revocation is "
"necessary when the private key associated with the public "
"key of a certificate is lost or compromised, or when the "
"person for whom the certificate is signed no longer is "
"entitled to use the certificate."), Octetstring ]
string CRL[];
[Description ("Certificate Revocation Lists may be "
"available from a number of distribution points. "
"CRLDistributionPoint array values provide URIs for those "
"distribution points.")]
string CRLDistributionPoint[];
[Description ( "Certificates refer to their issuing CA by "
"its Distinguished Name (as defined in X.501)."), DN]
string CADistinguishedName;
[Description ( "The frequency, expressed in hours, at which "
"the CA will update its Certificate Revocation List. Zero "
"implies that the refresh frequency is unknown."),
Units("Hours")]
uint8 CRLRefreshFrequency;
[Description ( "The maximum number of certificates in a "
"certificate chain permitted for credentials issued by "
"this certificate authority or it's subordinate CAs.\n"
"The MaxChainLength of a superior CA in the trust "
"hierarchy should be greater than this value and the "
"MaxChainLength of a subordinate CA in the trust hierarchy "
"should be less than this value.")]
uint8 MaxChainLength;
};
// ==================================================================
// KerberosKeyDistributionCenter
// ==================================================================
[Description (
"CIM_KerberosKeyDistributionCenter ...") ]
class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService
{
[Override ("Name"),
Description ("The Realm served by this KDC.")]
string Name;
[Description ("The version of Kerberos supported by this "
"service."),
Values {"V4", "V5", "DCE", "MS"} ]
uint16 Protocol[];
};
// ==================================================================
// Notary
// ==================================================================
[Description (
"CIM_Notary is an AuthenticationService (credential "
"management service) which compares the "
"biometric characteristics of a person with the "
"known characteristics of an Users Access, and determines "
"whether the person is the UsersAccess. An example is "
"a bank teller who compares a picture ID with the person "
"trying to cash a check, or a biometric login service that "
"uses voice recognition to identify a user.") ]
class CIM_Notary:CIM_CredentialManagementService
{
[Description ( "The types of biometric information which "
"this Notary can compare."),
Values { "N/A", "Other", "Facial", "Retina", "Mark",
"Finger", "Voice", "DNA-RNA", "EEG"} ]
uint16 Comparitors;
[Description (
"The SealProtocol is how the decision of the Notary is "
"recorded for future use by parties who will rely on its "
"decision. For instance, a drivers licence frequently "
"includes tamper-resistent coatings and markings to protect "
"the recorded decision that a driver, having various "
"biometric characteristics of height, weight, hair and eye "
"color, using a particular name, has features represented in "
"a photograph of their face.")]
string SealProtocol;
[Description (
"CharterIssued documents when the Notary is first "
"authorized, by whoever gave it responsibility, to perform "
"its service.")]
datetime CharterIssued;
[Description (
"CharterExpired documents when the Notary is no longer "
"authorized, by whoever gave it responsibility, to perform "
"its service.")]
datetime CharterExpired;
};
// ==================================================================
// LocalCredentialManagementService
// ==================================================================
[Description (
"CIM_LocalCredentialManagementService is a credential "
"management service that provides local system "
"management of credentials used by the local system.") ]
class
CIM_LocalCredentialManagementService:CIM_CredentialManagementService
{
};
// ==================================================================
// SharedSecretService
// ==================================================================
[Description (
"CIM_SharedSecretService is a service which ascertains "
"whether messages received are from the Principal with "
"whom a secret is shared. Examples include a login "
"service that proves identity on the basis of knowledge of "
"the shared secret, or a transport integrity service (like "
"Kerberos provides) that includes a message authenticity "
"code that proves each message in the messsage stream came "
"from someone who knows the shared secret session key.")]
class CIM_SharedSecretService:CIM_LocalCredentialManagementService
{
[MaxLen (256), Description (
"The Algorithm used to convey the shared secret, such as "
"HMAC-MD5,or PLAINTEXT.") ]
string Algorithm;
[Description (
"The Protocol supported by the SharedSecretService.")]
string Protocol;
};
// ==================================================================
// PublicKeyManagementService
// ==================================================================
[Description (
"CIM_PublicKeyManagementService is a credential management "
"service that provides local system management of public "
"keys used by the local system.") ]
class
CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService
{
};
// ==================================================================
// Credential
// ==================================================================
[Abstract, Description (
"Subclasses of CIM_Credential define materials, "
"information, or other data which are used to prove the "
"identity of a CIM_UsersAccess to a particular "
"CIM_SecurityService. Generally, there may be some shared "
"information, or credential material which is used to "
"identify and authenticate ones self in the process of "
"gaining access to, or permission to use, an Account. "
"Such credential material may be used to authenticate a "
"users access identity initially, as done by a "
"CIM_AuthenticationService (see later), and additionally on "
"an ongoing basis during the course of a connection or "
"other security association, as proof that each received "
"message or communication came from the owning user access "
"of "
"that credential material.") ]
class CIM_Credential:CIM_ManagedElement
{
};
// ==================================================================
// PublicKeyCertificate
// ==================================================================
[Description ("A Public Key Certificate is a credential "
"that is cryptographically signed by a trusted Certificate "
"Authority (CA) and issued to an authenticated entity "
"(e.g., human user, service,etc.) called the Subject in "
"the certificate and represented by the UsersAccess class. "
"The public key in the certificate is cryptographically "
"related to a private key that is to be held and kept "
"private by the authenticated Subject. The certificate "
"and its related private key can then be used for "
"establishing trust relationships and securing "
"communications with the Subject. Refer to the ITU/CCITT "
"X.509 standard as an example of such certificates.") ]
class CIM_PublicKeyCertificate:CIM_Credential
{
[Propagated ("CIM_System.CreationClassName"),
Key, MaxLen (256), Description ("Scoping System")]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"),
Key, MaxLen (256),Description ("Scoping System")]
string SystemName;
[Propagated ("CIM_CertificateAuthority.CreationClassName"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceCreationClassName;
[Propagated ("CIM_CertificateAuthority.Name"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceName;
[Key, MaxLen (256), Description (
"Certificate subject identifier")]
string Subject;
[MaxLen (256), Description (
"Alternate subject identifier for the Certificate.")]
string AltSubject;
[Description ("The DER-encoded raw public key."), Octetstring]
uint8 PublicKey[];
};
// ==================================================================
// UnsignedPublicKey
// ==================================================================
[Description (
"A CIM_UnsignedPublicKey represents an unsigned public "
"key credential. The local UsersAccess (or subclass "
"thereof) accepts the public key as authentic because of "
"a direct trust relationship rather than via a third-party "
"Certificate Authority.") ]
class CIM_UnsignedPublicKey:CIM_Credential
{
[Propagated ("CIM_System.CreationClassName"),
Key, MaxLen (256), Description ("Scoping System")]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"),
Key, MaxLen (256),Description ("Scoping System")]
string SystemName;
[Propagated
("CIM_PublicKeyManagementService.CreationClassName"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceCreationClassName;
[Propagated ("CIM_PublicKeyManagementService.Name"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceName;
[Key, MaxLen (256), Description (
"The Identity of the Peer with whom a direct trust "
"relationship exists. The public key may be used for "
"security functions with the Peer."),
ModelCorrespondence
{"CIM_PublicKeyManagementService.PeerIdentityType" } ]
string PeerIdentity;
[Description ("PeerIdentityType is used to describe the "
"type of the PeerIdentity. The currently defined values "
"are used for IKE identities."),
ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8",
"9", "10", "11"},
Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN",
"IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
"IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
"DER_ASN1_GN", "KEY_ID"},
ModelCorrespondence
{"CIM_PublicKeyManagementService.PeerIdentity" } ]
uint16 PeerIdentityType;
[Description ("The DER-encoded raw public key."),
Octetstring]
uint8 PublicKey[];
};
// ==================================================================
// KerberosTicket
// ==================================================================
[Description (
"A CIM_KerberosTicket represents a credential issued by a "
"particular Kerberos Key Distribution Center (KDC) "
"to a particular CIM_UsersAccess as the result of a "
"successful authentication process. There are two types of "
"tickets that a KDC may issue to a Users Access - a "
"TicketGranting ticket, which is used to protect and "
"authenticate communications between the Users Access and "
"the "
"KDC, and a Session ticket, which the KDC issues to two "
"Users Access to allow them to communicate with each other. "
) ]
class CIM_KerberosTicket:CIM_Credential
{
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description ("Scoping System")]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key,
MaxLen (256),Description ("Scoping System")]
string SystemName;
[Key, MaxLen (256), Propagated
("CIM_KerberosKeyDistributionCenter.CreationClassName"),
Description ("Scoping Service")]
string ServiceCreationClassName;
[Propagated ("CIM_KerberosKeyDistributionCenter.Name"),
Key, MaxLen (256),
Description ("Scoping Service. The Kerberos KDC Realm of "
"CIM_KerberosTicket is used to record the security "
"authority, or Realm, name so that tickets issued by "
"different Realms can be separately managed and "
"enumerated.")]
string ServiceName;
[Key, MaxLen (256), Description ("The name of the service "
"for which this ticket is used.")]
string AccessesService;
[Key, MaxLen (256), Description (
"RemoteID is the name by which the user is known at "
"the KDC security service.")]
string RemoteID;
datetime Issued;
datetime Expires;
[Description (
"The Type of CIM_KerberosTicket is used to indicate whether "
"the ticket in question was issued by the Kerberos Key "
"Distribution Center (KDC) to support ongoing communication "
"between the Users Access and the KDC (\"TicketGranting\"), "
"or was issued by the KDC to support ongoing communication "
"between two Users Access entities (\"Session\")." ),
Values {"Session", "TicketGranting"}]
uint16 TicketType;
};
// ==================================================================
// SharedSecret
// ==================================================================
[Description (
"CIM_SharedSecret is the secret shared between a Users "
"Access "
"and a particular SharedSecret security service. Secrets "
"may be in the form of a password used for initial "
"authentication, or as with a session key, used as part of "
"a message authentication code to verify that a message "
"originated by the pricinpal with whom the secret is shared. "
"It is important to note that SharedSecret is not just the "
"password, but rather is the password used with a particular "
"security service.")]
class CIM_SharedSecret:CIM_Credential
{
[Propagated ("CIM_System.CreationClassName"), Key,
MaxLen (256), Description ("Scoping System")]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"), Key,
MaxLen (256),Description ("Scoping System")]
string SystemName;
[Key, MaxLen (256), Propagated
("CIM_SharedSecretService.CreationClassName"),
Description ("Scoping Service")]
string ServiceCreationClassName;
[Propagated ("CIM_SharedSecretService.Name"),
Key, MaxLen (256),
Description ("Scoping Service")]
string ServiceName;
[Key, MaxLen (256), Description (
"RemoteID is the name by which the user is known at "
"the remote secret key authentication service.")]
string RemoteID;
[Description (
"secret is the secret known by the Users Access.")]
string secret;
[Description (
"algorithm names the transformation algorithm, if any, used "
"to protect passwords before use in the protocol. For "
"instance, Kerberos doesn't store passwords as the shared "
"secret, but rather, a hash of the password.")]
string algorithm;
[Description (
"protocol names the protocol with which the SharedSecret is "
"used.")]
string protocol;
};
// ==================================================================
// NamedSharedIKESecret
// ==================================================================
[Description (
"CIM_NamedSharedIKESecret indirectly represents a shared "
"secret credential. The local identity, IKEIdentity, "
"and the remote peer identity share the secret that is "
"named by the SharedSecretName. The SharedSecretName is "
"used SharedSecretService to reference the secret.") ]
class CIM_NamedSharedIKESecret:CIM_Credential
{
[Propagated ("CIM_System.CreationClassName"),
Key, MaxLen (256), Description ("Scoping System")]
string SystemCreationClassName;
[Propagated ("CIM_System.Name"),
Key, MaxLen (256),Description ("Scoping System")]
string SystemName;
[Propagated ("CIM_SharedSecretService.CreationClassName"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceCreationClassName;
[Propagated ("CIM_SharedSecretService.Name"),
Key, MaxLen (256), Description ("Scoping Service")]
string ServiceName;
[Key, MaxLen (256), Description (
"The local Identity with whom the direct trust "
"relationship exists."),
ModelCorrespondence
{"CIM_NamedSharedIKESecret.LocalIdentityType" } ]
string LocalIdentity;
[Key, Description ("LocalIdentityType is used to describe "
"the type of the LocalIdentity."),
ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
"9", "10", "11"},
Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
"IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
"IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
"DER_ASN1_GN", "KEY_ID"},
ModelCorrespondence
{"CIM_NamedSharedIKESecret.LocalIdentity" } ]
uint16 LocalIdentityType;
[Key, MaxLen (256), Description (
"The peer identity with whom the direct trust "
"relationship exists."),
ModelCorrespondence
{"CIM_NamedSharedIKESecret.PeerIdentityType" } ]
string PeerIdentity;
[Key, Description ("PeerIdentityType is used to describe "
"the type of the PeerIdentity."),
ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",
"9", "10", "11"},
Values {"IPV4_ADDR", "FQDN", "USER_FQDN",
"IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",
"IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",
"DER_ASN1_GN", "KEY_ID"},
ModelCorrespondence
{"CIM_NamedSharedIKESecret.PeerIdentity" } ]
uint16 PeerIdentityType;
[Description ("SharedSecretName is an indirect reference "
"to a shared secret. The SecretService does not expose "
"the actual secret but rather provides access to the "
"secret via a name.")]
string SharedSecretName;
};
// ==================================================================
// === Association class definitions ===
// ==================================================================
// ==================================================================
// ElementAsUser
// ==================================================================
[Association, Description (
"CIM_ElementAsUser is an association used to establish the "
"'ownership' of UsersAccess object instances. That is, the "
"ManagedElement may have UsersAccess to systems and, therefore, "
"be 'users' on those systems. UsersAccess instances must have an "
"'owning' ManagedElement. Typically, the ManagedElements will be "
"limited to Collection, Person, Service and ServiceAccessPoint. "
"Other non-human ManagedElements that might be thought of as "
"having UsersAccess (e.g., a device or system) have services that "
"have the UsersAccess.")]
class CIM_ElementAsUser : CIM_Dependency
{
[Min (1), Max (1), Override ("Antecedent"),
Description ("The ManagedElement that has UsersAccess") ]
CIM_ManagedElement REF Antecedent;
[Override ("Dependent"),
Description ("The 'owned' UsersAccess") ]
CIM_UsersAccess REF Dependent;
};
// ==================================================================
// UsersCredential
// ==================================================================
[Association, Description (
"CIM_UsersCredential is an association used to establish the "
"credentials that may be used for a UsersAccess to a system or "
"set of systems. " )]
class CIM_UsersCredential : CIM_Dependency
{
[Override ("Antecedent"),
Description ("The issued credential that may be used.") ]
CIM_Credential REF Antecedent;
[Override ("Dependent"),
Description ("The UsersAccess that has use of a credential") ]
CIM_UsersAccess REF Dependent;
};
// ===================================================================
// PublicPrivateKeyPair
// ===================================================================
[Association, Description (
"This relationship associates a PublicKeyCertificate with "
"the Principal who has the PrivateKey used with the "
"PublicKey. The PrivateKey is not modeled, since it is not "
"a data element that ever SHOULD be accessible via "
"management applications, other than key recovery services, "
"which are outside our scope.") ]
class CIM_PublicPrivateKeyPair:CIM_UsersCredential
{
[ Override ("Antecedent") ]
CIM_PublicKeyCertificate REF Antecedent;
[ Override ("Dependent") ]
CIM_UsersAccess REF Dependent;
[Description ( "The Certificate may be used for signature "
"only "
"or for confidentiality as well as signature"),
Values { "SignOnly", "ConfidentialityOrSignature"} ]
uint16 Use;
boolean NonRepudiation;
boolean BackedUp;
[Description ("The repository in which the certificate is "
"backed up.")]
string Repository;
};
// ===================================================================
// CAHasPublicCertificate
// ===================================================================
[Association, Description (
"A CertificateAuthority may have certificates issued by other CAs. "
"This association is essentially an optimization of the CA having "
"a UsersAccess instance with an association to a certificate thus "
"mapping more closely to LDAP-based certificate authority "
"implementations.") ]
class CIM_CAHasPublicCertificate:CIM_Dependency
{
[Max (1), Override ("Antecedent"),
Description ("The Certificate used by the CA")]
CIM_PublicKeyCertificate REF Antecedent;
[Override ("Dependent"),
Description ("The CA that uses a Certificate")]
CIM_CertificateAuthority REF Dependent;
};
// ===================================================================
// ManagedCredential
// ===================================================================
[Association, Description (
"This relationship associates a CredentialManagementService "
"with the Credential it manages.") ]
class CIM_ManagedCredential:CIM_Dependency
{
[Override ("Antecedent"), Min (1), Max (1),
Description ( "The credential management service")]
CIM_CredentialManagementService REF Antecedent;
[Override ("Dependent"),
Description ( "The managed credential")]
CIM_Credential REF Dependent;
};
// ===================================================================
// CASignsPublicKeyCertificate
// ===================================================================
[Association, Description (
"This relationship associates a CertificateAuthority with "
"the certificates it signs.") ]
class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential
{
[Override ("Antecedent"), Min (1), Max (1),
Description ( "The CA which signed the certificate")]
CIM_CertificateAuthority REF Antecedent;
[Override ("Dependent"), Weak,
Description ( "The certificate issued by the CA")]
CIM_PublicKeyCertificate REF Dependent;
string SerialNumber;
[ Octetstring ]
uint8 Signature[];
datetime Expires;
string CRLDistributionPoint[];
};
// ==================================================================
// LocallyManagedPublicKey
// ==================================================================
[Association, Description (
"CIM_LocallyManagedPublicKey association provides the "
"relationship between a PublicKeyManagementService and an "
"UnsignedPublicKey.") ]
class CIM_LocallyManagedPublicKey:CIM_ManagedCredential
{
[Override ("Antecedent"), Min (1), Max (1),
Description ("The PublicKeyManagementService that manages "
"an unsigned public key.") ]
CIM_PublicKeyManagementService REF Antecedent;
[Override ("Dependent"), Weak, Description (
"An unsigned public key.") ]
CIM_UnsignedPublicKey REF Dependent;
};
// ===================================================================
// SharedSecretIsShared
// ===================================================================
[Association, Description (
"This relationship associates a SharedSecretService with the "
"SecretKey it verifies.") ]
class CIM_SharedSecretIsShared : CIM_ManagedCredential
{
[Override ("Antecedent"), Min (1), Max (1),
Description ("The credential management service")]
CIM_SharedSecretService REF Antecedent;
[Override ("Dependent"), Weak,
Description ( "The managed credential")]
CIM_SharedSecret REF Dependent;
};
// ==================================================================
// IKESecretIsNamed
// ==================================================================
[Association, Description (
"CIM_IKESecretIsNamed association provides the "
"relationship between a SharedSecretService and a "
"NamedSharedIKESecret.") ]
class CIM_IKESecretIsNamed:CIM_ManagedCredential
{
[Override ("Antecedent"), Min (1), Max (1),
Description ("The SharedSecretService that manages a "
"NamedSharedIKESecret.")]
CIM_SharedSecretService REF Antecedent;
[Override ("Dependent"), Weak, Description (
"The managed NamedSharedIKESecret.") ]
CIM_NamedSharedIKESecret REF Dependent;
};
// ===================================================================
// KDCIssuesKerberosTicket
// ===================================================================
[Association, Description (
"The KDC issues and owns Kerberos tickets. This association "
"captures the relationship between the KDC and its issued tickets."
) ]
class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential
{
[Override ("Antecedent"), Min (1), Max (1),
Description ( "The issuing KDC") ]
CIM_KerberosKeyDistributionCenter REF Antecedent;
[Override ("Dependent"), Weak,
Description ( "The managed credential")]
CIM_KerberosTicket REF Dependent;
};
// ===================================================================
// NotaryVerifiesBiometric
// ===================================================================
[Association, Description (
"This relationship associates a Notary service with the "
"Users Access whose biometric information is verified.") ]
class CIM_NotaryVerifiesBiometric : CIM_Dependency
{
[Override ("Antecedent"),
Description ("The Notary service that verifies biometric "
"information ") ]
CIM_Notary REF Antecedent;
[Override ("Dependent"),
Description ( "The UsersAccess that represents a person using "
"biometric information for authentication.")]
CIM_UsersAccess REF Dependent;
};
Appendix C (DMTF Network Model MOF)
// ==================================================================
// NetworkService
// ==================================================================
[Abstract, Description (
"This is an abstract base class, derived from the Service "
"class. It serves as the root of the network service "
"hierarchy. Network services represent generic functions "
"that are available from the network that configure and/or "
"modify the traffic being sent. For example, FTP is not a "
"network service, as it simply passes data unchanged from "
"source to destination. On the other hand, services "
"that provide quality of service (e.g., DiffServ) and "
"security (e.g., IPSec) do affect the traffic stream. "
"Quality of service, IPSec, and other services are "
"subclasses of this class. This class hierarchy enables "
"developers to match services to users, groups, "
"and other objects in the network.") ]
class CIM_NetworkService : CIM_Service
{
[Description (
"This is a free-form array of strings that provide "
"descriptive words and phrases that can be used in queries "
"to help locate and identify instances of this service.") ]
string Keywords [ ];
[Description (
"This is a URL that provides the protocol, network "
"location, and other service-specific information required "
"in order to access the service. This should be implemented "
"as a LabeledURI, with syntax DirectoryString and a "
"matching rule of CaseExactMatch, for directory "
"implementors.") ]
string ServiceURL;
[Description (
"This is a free-form array of strings that specify any "
"specific pre-conditions that must be met in order for this "
"service to start correctly. It is expected that subclasses "
"will refine the inherited StartService() and StopService()"
"methods to suit their own application-specific needs. This "
"property is used to specify application-specific conditions "
"needed by the refined StartService and StopService"
"methods.") ]
string StartupConditions [ ];
[Description (
"This is a free-form array of strings that specify any "
"specific parameters that must be supplied to the "
"StartService() method in order for this service to start "
"correctly. It is expected that subclasses will refine the "
"inherited StartService() and StopService() methods to suit "
"their own application-specific needs. This property is used "
"to specify application-specific parameters needed by the "
"refined StartService and StopService methods.") ]
string StartupParameters [ ];
};
// ==================================================================
// ProtocolEndpoint
// ==================================================================
[Description (
"A communication point from which data may be sent or "
"received. ProtocolEndpoints link router interfaces and "
"switch ports to LogicalNetworks.") ]
class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint
{
[Override ("Name"), MaxLen(256), Description (
"A string which identifies this ProtocolEndpoint with either "
"a port or an interface on a device. To ensure uniqueness, "
"the Name property should be prepended or appended with "
"information from the Type or OtherTypeDescription "
"properties. The method chosen is described in the "
"NameFormat property of this class.") ]
string Name;
[MaxLen (256), Description (
"NameFormat contains the naming heuristic that is chosen to "
"ensure that the value of the Name property is unique. For "
"example, one might choose to prepend the name of the port "
"or interface with the Type of ProtocolEndpoint that this "
"instance is (e.g., IPv4)followed by an underscore.") ]
string NameFormat;
[MaxLen (64), Description (
"ProtocolType is an enumeration that provides additional "
"information that can be used to help categorize and "
"classify different instances of this class."),
ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
"10", "11", "12", "13", "14", "15", "16", "17",
"18", "19", "20", "21"},
Values { "Unknown", "Other", "IPv4", "IPv6", "IPX",
"AppleTalk", "DECnet", "SNA", "CONP", "CLNP",
"VINES", "XNS", "ATM", "Frame Relay",
"Ethernet", "TokenRing", "FDDI", "Infiniband",
"Fibre Channel", "ISDN BRI Endpoint",
"ISDN B Channel Endpoint", "ISDN D Channel Endpoint"
},
ModelCorrespondence {
"CIM_ProtocolEndpoint.OtherTypeDescription"} ]
string ProtocolType;
[MaxLen(64), Description (
"A string describing the type of ProtocolEndpoint that this "
"instance is when the Type property of this class (or any of "
"its subclasses) is set to 1 (e.g., 'Other'). The format of "
"the string inserted in this property should be similar in "
"format to the values defined for the Type property. This "
"property should be set to NULL when the Type property is "
"any value other than 1."),
ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} ]
string OtherTypeDescription;
};
// ==================================================================
// IPProtocolEndpoint
// ==================================================================
[Description (
"A ProtocolEndpoint that is dedicated to running IP.") ]
class CIM_IPProtocolEndpoint : CIM_ProtocolEndpoint
{
[Description (
"The IP address that this ProtocolEndpoint represents, "
"formatted according to the appropriate convention as "
"defined in the AddressType property of this class "
" (e.g., 171.79.6.40).") ]
string Address;
[Description (
"The mask for the IP address of this ProtocolEndpoint, "
"formatted according to the appropriate convention as "
"defined in the AddressType property of this class "
" (e.g., 255.255.252.0).") ]
string SubnetMask;
[Description (
"An enumeration that describes the format of the address "
"property. Whenever possible, IPv4-compatible addresses "
"should be used instead of native IPv6 addresses (see "
"RFC 2373, section 2.5.4). In order to have a consistent "
"format for IPv4 addresses in a mixed IPv4/v6 environment, "
"all IPv4 addresses and both IPv4-compatible IPv6 addresses "
"and IPv4-mapped IPv6 addresses, per RFC 2373, section "
"2.5.4, should be formatted in standard IPv4 format. "
"However, this (the 2.2) version of the Network Common "
"Model will not explicitly support mixed IPv4/IPv6 "
"environments. This will be added in a future release."),
ValueMap { "0", "1", "2" },
Values { "Unknown", "IPv4", "IPv6" } ]
uint16 AddressType;
[Description (
"It is not possible to tell from the address alone if a "
"given IPProtocolEndpoint can support IPv4 and IPv6, or "
"just one of these. This property explicitly defines the "
"support for different versions of IP that this "
"IPProtocolEndpoint has. "
"\n\n"
"More implementation experience is needed in order to "
"correctly model mixed IPv4/IPv6 networks; therefore, this "
"version (2.2) of the Network Common Model will not support "
"mixed IPv4/IPv6 environments. This will be looked at "
"further in a future version."),
ValueMap { "0", "1", "2" },
Values { "Unknown", "IPv4 Only", "IPv6 Only" } ]
uint16 IPVersionSupport;
};
// ===================================================================
// CIM_FilterEntryBase
// ===================================================================
[Description (
" FilterEntryBase is an abstract class to define the naming "
"of all filter entries, and to allow their common "
"aggregation into FilterLists. The FilterEntry subclass "
"represents packet filtering. Other types of Entries are "
"possible - for example, to filter security credentials. \n"
" FilterEntryBase is weak to the network device (e.g., the "
"ComputerSystem) that contains it. Hence, the ComputerSystem "
"keys are propagated to this class.") ]
class CIM_FilterEntryBase : CIM_LogicalElement
{
[Propagated ("CIM_ComputerSystem.CreationClassName"), Key,
MaxLen (256),
Description (
"The scoping ComputerSystem's CreationClassName. ") ]
string SystemCreationClassName;
[Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256),
Description (
"The scoping ComputerSystem's Name.") ]
string SystemName;
[Key, MaxLen (256),
Description (
"CreationClassName indicates the name of the class or the "
"subclass used in the creation of an instance. When used "
"with the other key properties of this class, this property "
"allows all instances of this class and its subclasses to "
"be uniquely identified.") ]
string CreationClassName;
[Key, MaxLen (256),
Description (
"The Name property defines the label by which the Filter"
"Entry is known and uniquely identified.") ]
string Name;
[Description (
"Boolean indicating that the match condition described "
"in the properties of the FilterEntryBase subclass "
"should be negated.") ]
boolean IsNegated;
};
// ===================================================================
// CIM_IPHeaderFilter
// ===================================================================
[Description ("IPHeaderFilter contains the all of the "
"properties necessary to perform filtering on an IP header "
"or a portion thereof.")]
class CIM_IPHeaderFilter : CIM_FilterEntryBase
{
[Description ("IpVersion identifies the version of the IP "
"addresses for IP header filters. It is also used to "
"determine the sizes of the OctetStrings in the four "
"properties SrcAddress, SrcMask, DestAddress, and DestMask, "
"as follows:\n"
"ipv4(4): OctetString(SIZE (4))\n"
"ipv6(6): OctetString(SIZE (16|20)), depending on whether\n"
" a scope identifier is present"),
ValueMap {"4", "6" },
Values { "IPv4", "IPv6" },
ModelCorrespondence {
"CIM_IPHeaderFilter.SrcAddress",
"CIM_IPHeaderFilter.SrcMask",
"CIM_IPHeaderFilter.DestAddress",
"CIM_IPHeaderFilter.DestMask" } ]
uint8 IpVersion;
[Description ("SrcAddress is an OctetString, of a size "
"determined by the value of the IpVersion property, "
"representing a source IP address. This value is compared to"
" the source address in the IP header, subject to the mask "
"represented in the SrcMask property."),
OCTETSTRING,
ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]
uint8 SrcAddress[];
[Description ("SrcMask is an OctetString, of a size determined"
" by the value of the IpVersion property, representing a mask"
" to be used in comparing the source address in the IP header"
" with the value represented in the SrcAddress property."),
OCTETSTRING,
ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]
uint8 SrcMask[];
[Description ("DestAddress is an OctetString, of a size "
"determined by the value of the IpVersion property, "
"representing a destination IP address. This value is "
"compared to the destination address in the IP header, "
"subject to the mask represented in the DestMask property."),
OCTETSTRING,
ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]
uint8 DestAddress[];
[Description ("DestMask is an OctetString, of a size "
"determined by the value of the IpVersion property, "
"representing a mask to be used in comparing the destination "
"address in the IP header with the value represented in the "
"DestAddress property."),
OCTETSTRING,
ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}]
uint8 DestMask[];
[Description ("ProtocolID is an 8-bit unsigned integer, "
"representing an IP protocol type. This value is compared to"
" the Protocol field in the IP header.")]
uint8 ProtocolID;
[Description ("SrcPortStart represents the lower end of a "
"range of UDP or TCP source ports. The upper end of the "
"range is represented by the SrcPortEnd property. The value "
"of SrcPortStart MUST be no greater than the value of "
"SrcPortEnd. A single port is indicated by equal values for "
"SrcPortStart and SrcPortEnd.\n"
"\n"
"A source port filter is evaluated by testing whether the "
"source port identified in the IP header falls within the "
"range of values between SrcPortStart and SrcPortEnd, "
"including these two end points.")]
uint16 SrcPortStart;
[Description ("SrcPortEnd represents the upper end of a range "
"of UDP or TCP source ports. The lower end of the range is "