| draft-ietf-ipsp-config-policy-model-03.txt | | draft-ietf-ipsp-config-policy-model-04.txt | |
| | | | |
| Internet Engineering Task Force Jamie Jason | | Internet Engineering Task Force Jamie Jason | |
| INTERNET DRAFT Intel Corporation | | INTERNET DRAFT Intel Corporation | |
|
| 20-July-2001 Lee Rafalow | | November-2001 Lee Rafalow | |
| IBM | | IBM | |
| Eric Vyncke | | Eric Vyncke | |
| Cisco Systems | | Cisco Systems | |
| | | | |
| IPsec Configuration Policy Model | | IPsec Configuration Policy Model | |
|
| draft-ietf-ipsp-config-policy-model-03.txt | | draft-ietf-ipsp-config-policy-model-04.txt | |
| | | | |
| Status of this Memo | | Status of this Memo | |
| | | | |
| This document is an Internet-Draft and is in full conformance with | | This document is an Internet-Draft and is in full conformance with | |
| all provisions of Section 10 of RFC2026. Internet-Drafts are working | | all provisions of Section 10 of RFC2026. Internet-Drafts are working | |
| documents of the Internet Engineering Task Force (IETF), its areas, | | documents of the Internet Engineering Task Force (IETF), its areas, | |
| and its working groups. Note that other groups may also distribute | | and its working groups. Note that other groups may also distribute | |
| working documents as Internet-Drafts. | | working documents as Internet-Drafts. | |
| | | | |
| Internet-Drafts are draft documents valid for a maximum of six | | Internet-Drafts are draft documents valid for a maximum of six | |
| | | | |
| skipping to change at page 1, line 46 | | skipping to change at page 1, line 46 | |
| o facilitate agreement about the content and semantics of IPsec | | o facilitate agreement about the content and semantics of IPsec | |
| policy | | policy | |
| o enable derivations of task-specific representations of IPsec | | o enable derivations of task-specific representations of IPsec | |
| policy such as storage schema, distribution representations, | | policy such as storage schema, distribution representations, | |
| and policy specification languages used to configure IPsec- | | and policy specification languages used to configure IPsec- | |
| enabled endpoints | | enabled endpoints | |
| The schema described in this document models the IKE phase one | | The schema described in this document models the IKE phase one | |
| parameters as described in [IKE] and the IKE phase two parameters | | parameters as described in [IKE] and the IKE phase two parameters | |
| for the IPsec Domain of Interpretation as described in [COMP, ESP, | | for the IPsec Domain of Interpretation as described in [COMP, ESP, | |
| AH, DOI]. It is based upon the core policy classes as defined in | | AH, DOI]. It is based upon the core policy classes as defined in | |
|
| the Policy Core Information Model (PCIM) [PCIM]. | | the Policy Core Information Model (PCIM) [PCIM] and on the Policy | |
| | | Core Information Model Extensions (PCIMe) [PCIME]. | |
| | | | |
| Table of Contents | | Table of Contents | |
| | | | |
| Status of this Memo................................................1 | | Status of this Memo................................................1 | |
| Abstract...........................................................1 | | Abstract...........................................................1 | |
| Table of Contents..................................................2 | | Table of Contents..................................................2 | |
| 1. Introduction....................................................7 | | 1. Introduction....................................................7 | |
| 2. UML Conventions.................................................7 | | 2. UML Conventions.................................................7 | |
| 3. IPsec Policy Model Inheritance Hierarchy........................8 | | 3. IPsec Policy Model Inheritance Hierarchy........................8 | |
| 4. Policy Classes.................................................13 | | 4. Policy Classes.................................................13 | |
| 4.1. The Class IPsecPolicyGroup...................................14 | | 4.1. The Class IPsecPolicyGroup...................................14 | |
| 4.2. The Class SARule.............................................15 | | 4.2. The Class SARule.............................................15 | |
| 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, | | 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, | |
| RuleUsage, Mandatory, SequencedActions, PolicyRoles, and | | RuleUsage, Mandatory, SequencedActions, PolicyRoles, and | |
| PolicyDecisionStrategy............................................15 | | PolicyDecisionStrategy............................................15 | |
|
| 4.2.2 The Property ExecutionStrategy.............................15 | | 4.2.2 The Property ExecutionStrategy.............................16 | |
| 4.2.3 The Property LimitNegotiation..............................17 | | 4.2.3 The Property LimitNegotiation..............................17 | |
| 4.3. The Class IKERule............................................18 | | 4.3. The Class IKERule............................................18 | |
| 4.3.1. The Property IdentityContexts..............................18 | | 4.3.1. The Property IdentityContexts..............................18 | |
| 4.4. The Class IPsecRule..........................................19 | | 4.4. The Class IPsecRule..........................................19 | |
| 4.6. The Association Class IPsecPolicyForEndpoint.................19 | | 4.6. The Association Class IPsecPolicyForEndpoint.................19 | |
|
| 4.6.1. The Reference Antecedent...................................19 | | 4.6.1. The Reference Antecedent...................................20 | |
| 4.6.2. The Reference Dependent....................................19 | | 4.6.2. The Reference Dependent....................................20 | |
| 4.7. The Association Class IPsecPolicyForSystem...................20 | | 4.7. The Association Class IPsecPolicyForSystem...................20 | |
| 4.7.1. The Reference Antecedent...................................20 | | 4.7.1. The Reference Antecedent...................................20 | |
| 4.7.2. The Reference Dependent....................................20 | | 4.7.2. The Reference Dependent....................................20 | |
|
| 4.8. The Aggregation Class RuleForIKENegotiation..................20 | | 4.8. The Aggregation Class RuleForIKENegotiation..................21 | |
| 4.8.1. The Property Priority......................................20 | | 4.8.1. The Property Priority......................................21 | |
| 4.8.2. The Reference GroupComponent...............................20 | | 4.8.2. The Reference GroupComponent...............................21 | |
| 4.8.3. The Reference PartComponent................................21 | | 4.8.3. The Reference PartComponent................................21 | |
| 4.9. The Aggregation Class RuleForIPsecNegotiation................21 | | 4.9. The Aggregation Class RuleForIPsecNegotiation................21 | |
| 4.9.1. The Property Priority......................................21 | | 4.9.1. The Property Priority......................................21 | |
|
| 4.9.2. The Reference GroupComponent...............................21 | | 4.9.2. The Reference GroupComponent...............................22 | |
| 4.9.3. The Reference PartComponent................................21 | | 4.9.3. The Reference PartComponent................................22 | |
| 4.10. The Aggregation Class SAConditionInRule.....................21 | | 4.10. The Aggregation Class SAConditionInRule.....................22 | |
| 4.10.1. The Properties GroupNumber and ConditionNegated...........22 | | 4.10.1. The Properties GroupNumber and ConditionNegated...........22 | |
| 4.10.2. The Reference GroupComponent..............................22 | | 4.10.2. The Reference GroupComponent..............................22 | |
| 4.10.3. The Reference PartComponent...............................22 | | 4.10.3. The Reference PartComponent...............................22 | |
| 4.11. The Aggregation Class PolicyActionInSARule..................22 | | 4.11. The Aggregation Class PolicyActionInSARule..................22 | |
|
| 4.11.1. The Reference GroupComponent..............................22 | | 4.11.1. The Reference GroupComponent..............................23 | |
| 4.11.2. The Reference PartComponent...............................23 | | 4.11.2. The Reference PartComponent...............................23 | |
| 4.11.3. The Property ActionOrder..................................23 | | 4.11.3. The Property ActionOrder..................................23 | |
| 5. Condition and Filter Classes...................................24 | | 5. Condition and Filter Classes...................................24 | |
| 5.1. The Class SACondition........................................24 | | 5.1. The Class SACondition........................................24 | |
| 5.2. The Class IPHeaderFilter.....................................25 | | 5.2. The Class IPHeaderFilter.....................................25 | |
| 5.3. The Class CredentialFilterEntry..............................25 | | 5.3. The Class CredentialFilterEntry..............................25 | |
| 5.3.1. The Property MatchFieldName................................25 | | 5.3.1. The Property MatchFieldName................................25 | |
| 5.3.2. The Property MatchFieldValue...............................26 | | 5.3.2. The Property MatchFieldValue...............................26 | |
| 5.3.3. The Property CredentialType................................26 | | 5.3.3. The Property CredentialType................................26 | |
| 5.4. The Class IPSOFilterEntry....................................26 | | 5.4. The Class IPSOFilterEntry....................................26 | |
| | | | |
| skipping to change at page 3, line 26 | | skipping to change at page 3, line 26 | |
| 6.2.1. The Property LifetimeSeconds...............................33 | | 6.2.1. The Property LifetimeSeconds...............................33 | |
| 6.3. The Class IPsecBypassAction..................................34 | | 6.3. The Class IPsecBypassAction..................................34 | |
| 6.4. The Class IPsecDiscardAction.................................34 | | 6.4. The Class IPsecDiscardAction.................................34 | |
| 6.5. The Class IKERejectAction....................................34 | | 6.5. The Class IKERejectAction....................................34 | |
| 6.6. The Class PreconfiguredSAAction..............................34 | | 6.6. The Class PreconfiguredSAAction..............................34 | |
| 6.6.1. The Property LifetimeKilobytes.............................35 | | 6.6.1. The Property LifetimeKilobytes.............................35 | |
| 6.7. The Class PreconfiguredTransportAction.......................35 | | 6.7. The Class PreconfiguredTransportAction.......................35 | |
| 6.8. The Class PreconfiguredTunnelAction..........................36 | | 6.8. The Class PreconfiguredTunnelAction..........................36 | |
| 6.8.1. The Property DFHandling....................................36 | | 6.8.1. The Property DFHandling....................................36 | |
| 6.9. The Class SANegotiationAction................................36 | | 6.9. The Class SANegotiationAction................................36 | |
|
| 6.9.1. The Property MinLifetimeSeconds............................37 | | 6.10. The Class IKENegotiationAction..............................37 | |
| 6.9.2. The Property MinLifetimeKilobytes..........................37 | | 6.10.1. The Property MinLifetimeSeconds...........................37 | |
| 6.9.3. The Property RefreshThresholdSeconds.......................37 | | 6.10.2. The Property MinLifetimeKilobytes.........................37 | |
| 6.9.4. The Property RefreshThresholdKilobytes.....................38 | | 6.10.3. The Property RefreshThresholdSeconds......................38 | |
| 6.9.5. The Property IdleDurationSeconds...........................38 | | 6.10.4. The Property RefreshThresholdKilobytes....................38 | |
| 6.10. The Class IPsecAction.......................................38 | | 6.10.5. The Property IdleDurationSeconds..........................38 | |
| 6.10.1. The Property UsePFS.......................................39 | | 6.11. The Class IPsecAction.......................................39 | |
| 6.10.2. The Property UseIKEGroup..................................39 | | 6.11.1. The Property UsePFS.......................................39 | |
| 6.10.3. The Property GroupId......................................39 | | 6.11.2. The Property UseIKEGroup..................................39 | |
| 6.10.4. The Property Granularity..................................40 | | 6.11.3. The Property GroupId......................................40 | |
| 6.10.5. The Property VendorID.....................................40 | | 6.11.4. The Property Granularity..................................40 | |
| 6.11. The Class IPsecTransportAction..............................40 | | 6.11.5. The Property VendorID.....................................40 | |
| 6.12. The Class IPsecTunnelAction.................................40 | | 6.12. The Class IPsecTransportAction..............................41 | |
| 6.12.1. The Property DFHandling...................................41 | | 6.13. The Class IPsecTunnelAction.................................41 | |
| 6.13. The Class IKEAction.........................................41 | | 6.13.1. The Property DFHandling...................................41 | |
| 6.13.1. The Property RefreshThresholdDerivedKeys..................41 | | 6.14. The Class IKEAction.........................................41 | |
| 6.13.2. The Property ExchangeMode.................................42 | | 6.14.1. The Property RefreshThresholdDerivedKeys..................42 | |
| 6.13.3. The Property UseIKEIdentityType...........................42 | | 6.14.2. The Property ExchangeMode.................................42 | |
| 6.13.4. The Property VendorID.....................................42 | | 6.14.3. The Property UseIKEIdentityType...........................42 | |
| 6.13.5. The Property AggressiveModeGroupId........................42 | | 6.14.4. The Property VendorID.....................................43 | |
| 6.14. The Class PeerGateway.......................................43 | | 6.14.5. The Property AggressiveModeGroupId........................43 | |
| 6.14.1. The Property Name.........................................43 | | 6.15. The Class PeerGateway.......................................43 | |
| 6.14.2. The Property PeerIdentityType.............................43 | | 6.15.1. The Property Name.........................................43 | |
| 6.14.3. The Property PeerIdentity.................................44 | | 6.15.2. The Property PeerIdentityType.............................44 | |
| 6.15. The Association Class PeerGatewayForTunnel..................44 | | 6.15.3. The Property PeerIdentity.................................44 | |
| 6.15.1. The Reference Antecedent..................................44 | | 6.16. The Association Class PeerGatewayForTunnel..................44 | |
| 6.15.2. The Reference Dependent...................................44 | | 6.16.1. The Reference Antecedent..................................45 | |
| 6.15.3. The Property SequenceNumber...............................45 | | 6.16.2. The Reference Dependent...................................45 | |
| 6.16. The Aggregation Class ContainedProposal.....................45 | | | |
| 6.16.1. The Reference GroupComponent..............................45 | | | |
| 6.16.2. The Reference PartComponent...............................45 | | | |
| 6.16.3. The Property SequenceNumber...............................45 | | 6.16.3. The Property SequenceNumber...............................45 | |
|
| 6.17. The Association Class HostedPeerGatewayInformation..........46 | | 6.17. The Aggregation Class ContainedProposal.....................45 | |
| 6.17.1. The Reference Antecedent..................................46 | | 6.17.1. The Reference GroupComponent..............................46 | |
| 6.17.2. The Reference Dependent...................................46 | | 6.17.2. The Reference PartComponent...............................46 | |
| 6.18. The Association Class TransformOfPreconfiguredAction........46 | | 6.17.3. The Property SequenceNumber...............................46 | |
| 6.18.1. The Reference Antecedent..................................47 | | 6.18. The Association Class HostedPeerGatewayInformation..........46 | |
| | | 6.18.1. The Reference Antecedent..................................46 | |
| 6.18.2. The Reference Dependent...................................47 | | 6.18.2. The Reference Dependent...................................47 | |
|
| 6.18.3. The Property SPI..........................................47 | | 6.19. The Association Class TransformOfPreconfiguredAction........47 | |
| 6.18.4. The Property Direction....................................47 | | 6.19.1. The Reference Antecedent..................................47 | |
| 6.19 The Association Class PeerGatewayForPreconfiguredTunnel......47 | | 6.19.2. The Reference Dependent...................................47 | |
| 6.19.1. The Reference Antecedent..................................48 | | 6.19.3. The Property SPI..........................................47 | |
| 6.19.2. The Reference Dependent...................................48 | | 6.19.4. The Property Direction....................................48 | |
| | | 6.20 The Association Class PeerGatewayForPreconfiguredTunnel......48 | |
| | | 6.20.1. The Reference Antecedent..................................48 | |
| | | 6.20.2. The Reference Dependent...................................48 | |
| 7. Proposal and Transform Classes.................................49 | | 7. Proposal and Transform Classes.................................49 | |
| 7.1. The Abstract Class SAProposal................................49 | | 7.1. The Abstract Class SAProposal................................49 | |
| 7.1.1. The Property Name..........................................49 | | 7.1.1. The Property Name..........................................49 | |
| 7.2. The Class IKEProposal........................................50 | | 7.2. The Class IKEProposal........................................50 | |
| 7.2.1. The Property LifetimeDerivedKeys...........................50 | | 7.2.1. The Property LifetimeDerivedKeys...........................50 | |
| 7.2.2. The Property CipherAlgorithm...............................50 | | 7.2.2. The Property CipherAlgorithm...............................50 | |
| 7.2.3. The Property HashAlgorithm.................................51 | | 7.2.3. The Property HashAlgorithm.................................51 | |
| 7.2.4. The Property PRFAlgorithm..................................51 | | 7.2.4. The Property PRFAlgorithm..................................51 | |
| 7.2.5. The Property GroupId.......................................51 | | 7.2.5. The Property GroupId.......................................51 | |
| 7.2.6. The Property AuthenticationMethod..........................51 | | 7.2.6. The Property AuthenticationMethod..........................51 | |
| | | | |
| skipping to change at page 6, line 20 | | skipping to change at page 6, line 21 | |
| 8.17.2. The Reference Dependent...................................74 | | 8.17.2. The Reference Dependent...................................74 | |
| 8.18. The Association Class IKEIdentitysCredential................75 | | 8.18. The Association Class IKEIdentitysCredential................75 | |
| 8.18.1. The Reference Antecedent..................................75 | | 8.18.1. The Reference Antecedent..................................75 | |
| 8.18.2. The Reference Dependent...................................75 | | 8.18.2. The Reference Dependent...................................75 | |
| 9. Implementation Requirements....................................75 | | 9. Implementation Requirements....................................75 | |
| 10. Security Considerations.......................................79 | | 10. Security Considerations.......................................79 | |
| 11. Intellectual Property.........................................80 | | 11. Intellectual Property.........................................80 | |
| 12. Acknowledgments...............................................80 | | 12. Acknowledgments...............................................80 | |
| 13. References....................................................80 | | 13. References....................................................80 | |
| 14. Disclaimer....................................................81 | | 14. Disclaimer....................................................81 | |
|
| 15. Authors' Addresses............................................81 | | 15. Authors' Addresses............................................82 | |
| 16. Full Copyright Statement......................................82 | | 16. Full Copyright Statement......................................82 | |
|
| Appendix A (DMTF Core Model MOF)..................................82 | | | |
| Appendix B (DMTF User Model MOF)..................................97 | | | |
| Appendix C (DMTF Network Model MOF)..............................112 | | | |
| Appendix D (DMTF Policy Model MOF)...............................121 | | | |
| | | | |
| 1. Introduction | | 1. Introduction | |
| | | | |
| Internet Protocol security (IPsec) policy may assume a variety of | | Internet Protocol security (IPsec) policy may assume a variety of | |
| forms as it travels from storage to distribution point to decision | | forms as it travels from storage to distribution point to decision | |
| point. At each step, it needs to be represented in a way that is | | point. At each step, it needs to be represented in a way that is | |
| convenient for the current task. For example, the policy could | | convenient for the current task. For example, the policy could | |
| exist as, but is not limited to: | | exist as, but is not limited to: | |
| | | | |
| o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in | | o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in | |
| | | | |
| skipping to change at page 7, line 36 | | skipping to change at page 7, line 36 | |
| | | | |
| This document is organized as follows: | | This document is organized as follows: | |
| | | | |
| o Section 2 provides a quick introduction to the Unified Modeling | | o Section 2 provides a quick introduction to the Unified Modeling | |
| Language (UML) graphical notation conventions used in this | | Language (UML) graphical notation conventions used in this | |
| document. | | document. | |
| | | | |
| o Section 3 provides the inheritance hierarchy that describes | | o Section 3 provides the inheritance hierarchy that describes | |
| where the IPsec policy classes fit into the policy class | | where the IPsec policy classes fit into the policy class | |
| hierarchy already defined by the Policy Core Information Model | | hierarchy already defined by the Policy Core Information Model | |
|
| (PCIM). | | (PCIM) and Policy Core Information Model Extensions (PCIMe). | |
| | | | |
| o Sections 4 through 8 describe the classes that make up the IPsec | | o Sections 4 through 8 describe the classes that make up the IPsec | |
| policy model. | | policy model. | |
| | | | |
| o Section 9 presents the implementation requirements for the | | o Section 9 presents the implementation requirements for the | |
| classes in the model (i.e., the MUST/MAY/SHOULD status). | | classes in the model (i.e., the MUST/MAY/SHOULD status). | |
| | | | |
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |
| document are to be interpreted as described in [KEYWORDS]. | | document are to be interpreted as described in [KEYWORDS]. | |
| | | | |
| skipping to change at page 8, line 48 | | skipping to change at page 8, line 48 | |
| | | | |
| It should be noted that the UML static class diagram presented is a | | It should be noted that the UML static class diagram presented is a | |
| conceptual view of IPsec policy designed to aid in understanding. | | conceptual view of IPsec policy designed to aid in understanding. | |
| It does not necessarily get translated class for class into another | | It does not necessarily get translated class for class into another | |
| representation. For example, an LDAP implementation may flatten out | | representation. For example, an LDAP implementation may flatten out | |
| the representation to fewer classes (because of the inefficiency of | | the representation to fewer classes (because of the inefficiency of | |
| following references). | | following references). | |
| | | | |
| 3. IPsec Policy Model Inheritance Hierarchy | | 3. IPsec Policy Model Inheritance Hierarchy | |
| | | | |
|
| Like PCIM from which it is derived, the IPsec Configuration Policy | | Like PCIM and PCIMe from which it is derived, the IPsec | |
| Model derives from and uses classes defined in the DMTF Common | | Configuration Policy Model derives from and uses classes defined in | |
| Information Model (CIM). The following tree represents the | | the DMTF [DMTF] Common Information Model (CIM). The following tree | |
| inheritance hierarchy for the IPsec policy model classes and how | | represents the inheritance hierarchy for the IPsec policy model | |
| they fit into PCIM and the other DMTF models (see Appendices for | | classes and how they fit into PCIM, PCIMe and the other DMTF models | |
| descriptions of classes that are not being introduced as part of | | (see Appendices for descriptions of classes that are not being | |
| the IPsec model). CIM classes that are not used as a superclass from | | introduced as part of the IPsec model). CIM classes that are not used | |
| which to derive new classes but are only referenced are not included | | as a superclass from which to derive new classes but are only | |
| in this inheritance hierarchy, but are included in the appropriate | | referenced are not included in this inheritance hierarchy, but can be | |
| appendix. | | found in the appropriate DMTF document [CIMCORE], [CIMUSER] or | |
| | | [CIMNETWORK]. | |
| | | | |
|
| ManagedElement (DMTF Core Model - Appendix A) | | ManagedElement (DMTF Core Model - [CIMCORE]) | |
| | | | | | |
|
| +--Collection (DMTF Core Model - Appendix A) | | +--Collection (DMTF Core Model - [CIMCORE]) | |
| | | | | | | | |
| | +--PeerIdentityTable | | | +--PeerIdentityTable | |
| | | | | | |
|
| +--ManagedSystemElement (DMTF Core Model - Appendix A) | | +--ManagedSystemElement (DMTF Core Model - [CIMCORE]) | |
| | | | | | | | |
|
| | +--LogicalElement (DMTF Core Model - Appendix A) | | | +--LogicalElement (DMTF Core Model - [CIMCORE]) | |
| | | | | | | | |
|
| | +--FilterEntryBase (DMTF Network Model - Appendix C) | | | +--FilterEntryBase (DMTF Network Model - [CIMNETWORK]) | |
| | | | | | | | | | |
| | | +--CredentialFilterEntry | | | | +--CredentialFilterEntry | |
| | | | | | | | | | |
|
| | | +--IPHeaderFilter (DMTF Network Model - Appendix C) | | | | +--IPHeaderFilter (PCIMe) | |
| | | | | | | | | | |
| | | +--IPSOFilterEntry | | | | +--IPSOFilterEntry | |
| | | | | | | | | | |
| | | +--PeerIDPayloadFilterEntry | | | | +--PeerIDPayloadFilterEntry | |
| | | | | | | | |
| | +--PeerGateway | | | +--PeerGateway | |
| | | | | | | | |
| | +--PeerIdentityEntry | | | +--PeerIdentityEntry | |
| | | | | | | | |
|
| | +--Service (DMTF Core Model - Appendix A) | | | +--Service (DMTF Core Model - [CIMCORE]) | |
| | | | | | |
| | +--NetworkService (DMTF Network Model - Appendix C) | | | |
| | | | | | | | |
| | +--IKEService | | | +--IKEService | |
| | | | | | |
|
| +--OrganizationalEntity (DMTF User Model - Appendix B) | | +--OrganizationalEntity (DMTF User Model - [CIMUSER]) | |
| | | | | | | | |
|
| | +--UserEntity (DMTF User Model - Appendix B) | | | +--UserEntity (DMTF User Model - [CIMUSER]) | |
| | | | | | | | |
|
| | +--UsersAccess (DMTF User Model - Appendix B) | | | +--UsersAccess (DMTF User Model - [CIMUSER]) | |
| | | | | | | | |
| | +--IKEIdentity | | | +--IKEIdentity | |
| | | | | | |
| +--Policy (PCIM) | | +--Policy (PCIM) | |
| | | | | | | | |
| | +--PolicyAction (PCIM) | | | +--PolicyAction (PCIM) | |
| | | | | | | | | | |
|
| | | +--CompoundPolicyAction (DMTF Policy Model - Appendix D) | | | | +--CompoundPolicyAction (PCIMe) | |
| | | | | | | | | | |
| | | +--SAAction | | | | +--SAAction | |
| | | | | | | | | | |
| | | +--SANegotiationAction | | | | +--SANegotiationAction | |
| | | | | | | | | | | | |
|
| | | | | | +--IKENegotiationAction | |
| | | | | | | | |
| | | | +--IKEAction | | | | | +--IKEAction | |
| | | | | | | | | | | | |
| | | | +--IPsecAction | | | | | +--IPsecAction | |
| | | | | | | | | | | | |
| | | | +--IPsecTransportAction | | | | | +--IPsecTransportAction | |
| | | | | | | | | | | | |
| | | | +--IPsecTunnelAction | | | | | +--IPsecTunnelAction | |
| | | | | | | | | | |
| | | +--SAStaticAction | | | | +--SAStaticAction | |
| | | | | | | | | | |
| | | | |
| skipping to change at page 10, line 28 | | skipping to change at page 10, line 28 | |
| | | +--PreconfiguredSAAction | | | | +--PreconfiguredSAAction | |
| | | | | | | | | | |
| | | +--PreconfiguredTransportAction | | | | +--PreconfiguredTransportAction | |
| | | | | | | | | | |
| | | +--PreconfiguredTunnelAction | | | | +--PreconfiguredTunnelAction | |
| | | | | | | | |
| | +--PolicyCondition (PCIM) | | | +--PolicyCondition (PCIM) | |
| | | | | | | | | | |
| | | +--SACondition | | | | +--SACondition | |
| | | | | | | | |
|
| | +--PolicySet (DMTF Policy Model - Appendix D) | | | +--PolicySet (PCIMe) | |
| | | | | | | | | | |
|
| | | +--PolicyGroup (PCIM) | | | | +--PolicyGroup (PCIM & PCIMe) | |
| | | | | | | | | | | | |
| | | | +--IPsecPolicyGroup | | | | | +--IPsecPolicyGroup | |
| | | | | | | | | | |
|
| | | +--PolicyRule (PCIM) | | | | +--PolicyRule (PCIM & PCIMe) | |
| | | | | | | | | | |
| | | +--SARule | | | | +--SARule | |
| | | | | | | | | | |
| | | +--IKERule | | | | +--IKERule | |
| | | | | | | | | | |
| | | +--IPsecRule | | | | +--IPsecRule | |
| | | | | | | | |
| | +--SAProposal | | | +--SAProposal | |
| | | | | | | | | | |
| | | +--IKEProposal | | | | +--IKEProposal | |
| | | | |
| skipping to change at page 10, line 56 | | skipping to change at page 10, line 56 | |
| | | +--IPsecProposal | | | | +--IPsecProposal | |
| | | | | | | | |
| | +--SATransform | | | +--SATransform | |
| | | | | | | | |
| | +--AHTransform | | | +--AHTransform | |
| | | | | | | | |
| | +--ESPTransform | | | +--ESPTransform | |
| | | | | | | | |
| | +--IPCOMPTransform | | | +--IPCOMPTransform | |
| | | | | | |
|
| +--Setting (DMTF Core Model - Appendix A) | | +--Setting (DMTF Core Model - [CIMCORE]) | |
| | | | | | | | |
|
| | +--SystemSetting (DMTF Core Model - Appendix A) | | | +--SystemSetting (DMTF Core Model - [CIMCORE]) | |
| | | | | | | | |
| | +--AutostartIKESetting | | | +--AutostartIKESetting | |
| | | | | | |
|
| +--SystemConfiguration (DMTF Core Model - Appendix A) | | +--SystemConfiguration (DMTF Core Model - [CIMCORE]) | |
| | | | | | |
| +--AutostartIKEConfiguration | | +--AutostartIKEConfiguration | |
| | | | |
| The following tree represents the inheritance hierarchy of the IPsec | | The following tree represents the inheritance hierarchy of the IPsec | |
| policy model association classes and how they fit into PCIM and the | | policy model association classes and how they fit into PCIM and the | |
| other DMTF models (see Appendices for description of associations | | other DMTF models (see Appendices for description of associations | |
| classes that are not being introduced as part of IPsec model). | | classes that are not being introduced as part of IPsec model). | |
| | | | |
|
| Dependency (DMTF Core Model - Appendix A) | | Dependency (DMTF Core Model - [CIMCORE]) | |
| | | | | | |
| +--AcceptCredentialsFrom | | +--AcceptCredentialsFrom | |
| | | | | | |
|
| +--ElementAsUser (DMTF User Model - Appendix B) | | +--ElementAsUser (DMTF User Model - [CIMUSER]) | |
| | | | | | | | |
| | +--EndpointHasLocalIKEIdentity | | | +--EndpointHasLocalIKEIdentity | |
| | | | | | | | |
| | +--CollectionHasLocalIKEIdentity | | | +--CollectionHasLocalIKEIdentity | |
| | | | | | |
| +--FilterOfSACondition | | +--FilterOfSACondition | |
| | | | | | |
| +--HostedPeerGatewayInformation | | +--HostedPeerGatewayInformation | |
| | | | | | |
| +--HostedPeerIdentityTable | | +--HostedPeerIdentityTable | |
| | | | |
| skipping to change at page 12, line 7 | | skipping to change at page 12, line 7 | |
| +--PeerGatewayForTunnel | | +--PeerGatewayForTunnel | |
| | | | | | |
| +--PolicyInSystem (PCIM) | | +--PolicyInSystem (PCIM) | |
| | | | | | | | |
| | +--SAProposalInSystem | | | +--SAProposalInSystem | |
| | | | | | | | |
| | +--SATransformInSystem | | | +--SATransformInSystem | |
| | | | | | |
| +--TransformOfPreconfiguredAction | | +--TransformOfPreconfiguredAction | |
| | | | | | |
|
| +--UsersCredential (DMTF User Model - Appendix B) | | +--UsersCredential (DMTF User Model - [CIMUSER]) | |
| | | | | | |
| +--IKEIdentitysCredential | | +--IKEIdentitysCredential | |
| | | | |
|
| ElementSetting (DMTF Core Model - Appendix A) | | ElementSetting (DMTF Core Model - [CIMCORE]) | |
| | | | | | |
| +--IKEAutostartSetting | | +--IKEAutostartSetting | |
| | | | |
|
| MemberOfCollection (DMTF Core Model - Appendix A) | | MemberOfCollection (DMTF Core Model - [CIMCORE]) | |
| | | | | | |
| +--PeerIdentityMember | | +--PeerIdentityMember | |
| | | | |
| PolicyComponent (PCIM) | | PolicyComponent (PCIM) | |
| | | | | | |
| +--ContainedProposal | | +--ContainedProposal | |
| | | | | | |
| +--ContainedTransform | | +--ContainedTransform | |
| | | | | | |
|
| +--PolicyActionInPolicyRule (PCIM) | | +--PolicyActionStructure (PCIMe) | |
| | | | | | |
| | | | +--PolicyActionInPolicyRule (PCIM & PCIMe) | |
| | | | | | | | |
| | +--PolicyActionInSARule | | | +--PolicyActionInSARule | |
| | | | | | |
|
| +--PolicyConditionInPolicyRule (PCIM) | | +--PolicyConditionStructure (PCIMe) | |
| | | | | | |
| | | | +--PolicyConditionInPolicyRule (PCIM & PCIMe) | |
| | | | | | | | |
| | +--SAConditionInRule | | | +--SAConditionInRule | |
| | | | | | |
|
| +--PolicySetComponent (DMTF Policy Model - Appendix D) | | +--PolicySetComponent (PCIMe) | |
| | | | | | |
| +--RuleForIKENegotiation | | +--RuleForIKENegotiation | |
| | | | | | |
| +--RuleForIPsecNegotiation | | +--RuleForIPsecNegotiation | |
| | | | |
|
| SystemSettingContext (DMTF Core Model - Appendix A) | | SystemSettingContext (DMTF Core Model - [CIMCORE]) | |
| | | | | | |
| +--AutostartIKESettingContext | | +--AutostartIKESettingContext | |
| | | | |
| 4. Policy Classes | | 4. Policy Classes | |
| | | | |
| The IPsec policy classes represent the set of policies that are | | The IPsec policy classes represent the set of policies that are | |
| contained on a system. | | contained on a system. | |
| | | | |
| +--------------+ | | +--------------+ | |
| | PolicySet |* | | | PolicySet |* | |
|
| | (Appendix D) |o--+ | | | ([PCIMe]) |o--+ | |
| +--------------+ | | | +--------------+ | | |
| ^ *| |(a) | | ^ *| |(a) | |
| | +------+ | | | +------+ | |
| | | | | | |
| +--------------------+ +-------------+ | | +--------------------+ +-------------+ | |
| | IPProtocolEndpoint | | PolicyGroup | | | | IPProtocolEndpoint | | PolicyGroup | | |
|
| | (Appendix C) | | ([PCIM]) | | | | ([CIMNETWORK]) | | ([PCIM]) | | |
| +--------------------+ +-------------+ | | +--------------------+ +-------------+ | |
| |* ^ | | |* ^ | |
| +-----------------+ | | | +-----------------+ | | |
| |(b) | | | |(b) | | |
| | | | | | | | |
| |0..1 | | | |0..1 | | |
| +------------------+0..1 (c) *+------------+ | | +------------------+0..1 (c) *+------------+ | |
| | IPsecPolicyGroup |-----------| System | | | | IPsecPolicyGroup |-----------| System | | |
|
| +------------------+ |(Appendix A)| | | +------------------+ | ([CIMCORE])| | |
| 1 o o 1 +------------+ | | 1 o o 1 +------------+ | |
| (d) | | (e) | | (d) | | (e) | |
| +-----------------------+ +--------------------------+ | | +-----------------------+ +--------------------------+ | |
| | | | | | | | |
| | +---------------------------+ | | | | +---------------------------+ | | |
| | | PolicyTimePeriodCondition | | | | | | PolicyTimePeriodCondition | | | |
| | | ([PCIM]) | | | | | | ([PCIM]) | | | |
| | +---------------------------+ | | | | +---------------------------+ | | |
| | *| | | | | *| | | |
| | |(f) | | | | |(f) | | |
| | *o | | | | *o | | |
| | +-------------+n *+--------+* n+--------------+ | | | | +-------------+n *+--------+* n+--------------+ | | |
| | | SACondition |------o| SARule |o-------| PolicyAction | | | | | | SACondition |------o| SARule |o-------| PolicyAction | | | |
| | +-------------+ (g) +--------+ (h) | ([PCIM]) | | | | | +-------------+ (g) +--------+ (h) | ([PCIM]) | | | |
| | ^ +--------------+ | | | | ^ +--------------+ | | |
| | | *| ^ | | | | | *| ^ | | |
| | | |(i) | | | | | | |(i) | | | |
| | | *o | | | | | | *o | | | |
| | +-----------------+ +----------------------+ | | | | +-----------------+ +----------------------+ | | |
| | | | | CompoundPolicyAction | | | | | | | | CompoundPolicyAction | | | |
|
| | | | | (Appendix D) | | | | | | | | ([PCIMe]) | | | |
| | | | +----------------------+ | | | | | | +----------------------+ | | |
| | *+---------+ +-----------+* | | | | *+---------+ +-----------+* | | |
| +-----| IKERule | | IPsecRule |---------------------------+ | | +-----| IKERule | | IPsecRule |---------------------------+ | |
| +---------+ +-----------+ | | +---------+ +-----------+ | |
| | | | |
|
| (a) PolicySetComponent (Appendix D) | | (a) PolicySetComponent ([PCIMe]) | |
| (b) IPsecPolicyForEndpoint | | (b) IPsecPolicyForEndpoint | |
| (c) IPsecPolicyForSystem | | (c) IPsecPolicyForSystem | |
| (d) RuleForIKENegotiation | | (d) RuleForIKENegotiation | |
| (e) RuleForIPsecNegotiation | | (e) RuleForIPsecNegotiation | |
| (f) PolicyRuleValidityPeriod ([PCIM]) | | (f) PolicyRuleValidityPeriod ([PCIM]) | |
| (g) SAConditionInRule | | (g) SAConditionInRule | |
| (h) PolicyActionInSARule | | (h) PolicyActionInSARule | |
|
| (i) PolicyActionInPolicyAction | | (i) PolicyActionInPolicyAction ([PCIMe]) | |
| | | | |
| An IPsecPolicyGroup represents the set of policies that are used on | | An IPsecPolicyGroup represents the set of policies that are used on | |
| an interface. This IPsecPolicyGroup SHOULD be associated either | | an interface. This IPsecPolicyGroup SHOULD be associated either | |
| directly with the IPProtocolEndpoint class instance that represents | | directly with the IPProtocolEndpoint class instance that represents | |
| the interface (via the IPsecPolicyForEndpoint association) or | | the interface (via the IPsecPolicyForEndpoint association) or | |
| indirectly (via the IPsecPolicyForSystem association) associated | | indirectly (via the IPsecPolicyForSystem association) associated | |
| with the System that hosts the interface. | | with the System that hosts the interface. | |
| | | | |
| The IKE and IPsec rules are used to build or to negotiate the IPsec | | The IKE and IPsec rules are used to build or to negotiate the IPsec | |
|
| SADB. The SADB itself is not modeled by this document. | | SADB. The IPsec rules represent the Security Policy Database. The | |
| | | SADB itself is not modeled by this document. | |
| | | | |
| The rules usage can be described as (see also section 6 about | | The rules usage can be described as (see also section 6 about | |
| actions): | | actions): | |
| | | | |
| o an egress unprotected packet will first be checked against the | | o an egress unprotected packet will first be checked against the | |
|
| SADB. If no match is found, the IPsec rules will be checked. If | | IPsec rules. If a match is found, the SADB will be checked. If | |
| IKE negotiation is required by an IPsec rule, the corresponding | | there is no corresponding IPsec SA in the SADB and if IKE | |
| IKE rules will be used if no IKE SA already exists. The | | negotiation is required by the IPsec rule, the corresponding IKE | |
| negotiated or preconfigured SA will then be installed in the | | rules will be used. The negotiated or preconfigured SA will then | |
| SADB. | | be installed in the SADB. | |
| o An ingress unprotected packet will first be checked against the | | o An ingress unprotected packet will first be checked against the | |
|
| IPsec SADB. If no match is found, the IPsec rules will be | | IPsec rules. If a match is found, the SADB will be checked for a | |
| checked for a preconfigured SA. If a preconfigured SA exists, | | corresponding IPsec SA. If there is no corresponding IPsec SA | |
| this SA will be installed in the IPsec SADB. | | and a preconfigured SA exists, this preconfigured SA will be | |
| o An ingress protected packet will be checked exactly as an | | installed in the IPsec SADB. This behavior should only apply to | |
| ingress unprotected packet. | | bypass and discard actions. | |
| | | o An ingress protected packet will first be checked against the | |
| | | IPsec rules. If a match is found, the SADB will be checked for a | |
| | | corresponding IPsec SA. If there is no corresponding IPsec SA | |
| | | and a preconfigured SA exists, this preconfigured SA will be | |
| | | installed in the IPsec SADB. | |
| o An ingress IKE negotiation packet, which is not part of an | | o An ingress IKE negotiation packet, which is not part of an | |
| existing IKE SA, will be checked against the IKE rules. The | | existing IKE SA, will be checked against the IKE rules. The | |
| negotiated SA will then be installed in the SADB. | | negotiated SA will then be installed in the SADB. | |
| | | | |
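The lookup order in the bullets above (draft-04 wording: IPsec rules first, SADB second, IKE rules only when a new SA has to be negotiated) is easier to check against an implementation when written out. The following is an added example, not text or code from the draft or its authors. Class and property names follow the draft (IPsecRule, IKERule, PolicySetComponent.Priority, the LimitNegotiation values of section 4.2.3); the packet dicts, the selector fields and wildcards, the action strings and the SADB layout are this example's own assumptions, and IKE itself is modelled as succeeding.

```python
from dataclasses import dataclass

INITIATOR_ONLY, RESPONDER_ONLY, BOTH = 1, 2, 3   # LimitNegotiation values (4.2.3)


@dataclass(frozen=True)
class Selector:
    """Constructed selector: '*' and 0 are wildcards (this example's convention)."""
    src: str = "*"
    dst: str = "*"
    proto: int = 0

    def matches(self, pkt):
        return (self.src in ("*", pkt["src"]) and
                self.dst in ("*", pkt["dst"]) and
                self.proto in (0, pkt["proto"]))


@dataclass(frozen=True)
class IPsecRule:
    priority: int            # PolicySetComponent.Priority, unique within the group
    selector: Selector
    action: str              # "discard" | "bypass" | "preconfigured" | "negotiate"
    limit_negotiation: int = BOTH


@dataclass(frozen=True)
class IKERule:
    priority: int
    peer: str                # peer the phase 1 rule applies to (assumed condition)
    limit_negotiation: int = BOTH


class SADB:
    """Phase 2 SAs keyed by (src, dst); live phase 1 SAs as a set of peers."""
    def __init__(self):
        self.ipsec = {}
        self.ike = set()


def first_match(rules, pred):
    # PolicyDecisionStrategy is FirstMatching: lowest Priority value wins
    for rule in sorted(rules, key=lambda r: r.priority):
        if pred(rule):
            return rule
    return None


def role_allowed(rule, role):
    return rule.limit_negotiation in (role, BOTH)


def process_egress(ipsec_rules, ike_rules, sadb, pkt):
    """Egress unprotected packet; returns its fate as a short string."""
    rule = first_match(ipsec_rules, lambda r: r.selector.matches(pkt))
    if rule is None or rule.action == "discard":
        return "drop"
    if rule.action == "bypass":
        return "clear"
    key = (pkt["src"], pkt["dst"])
    if key in sadb.ipsec:                     # SADB is consulted after the rules
        return "protect:" + sadb.ipsec[key]
    if rule.action == "preconfigured":
        sadb.ipsec[key] = "manual"            # preconfigured SA installed on demand
        return "protect:manual"
    # "negotiate": a new phase 2 SA is needed and this side is the initiator
    if not role_allowed(rule, INITIATOR_ONLY):
        return "drop"                         # rule is responder-only
    peer = pkt["dst"]                         # transport mode: the peer is the destination
    if peer not in sadb.ike:                  # no IKE SA yet: use the IKE rules
        ike = first_match(ike_rules, lambda r: r.peer == peer)
        if ike is None or not role_allowed(ike, INITIATOR_ONLY):
            return "drop"
        sadb.ike.add(peer)                    # phase 1 modelled as succeeding
    sadb.ipsec[key] = "negotiated"            # phase 2 done, SA installed in the SADB
    return "protect:negotiated"


def process_ingress_ike(ike_rules, sadb, peer):
    """Ingress IKE packet not belonging to an existing IKE SA."""
    if peer in sadb.ike:
        return "existing"
    ike = first_match(ike_rules, lambda r: r.peer == peer)
    if ike is None or not role_allowed(ike, RESPONDER_ONLY):
        return "drop"
    sadb.ike.add(peer)
    return "negotiated"
```

The point to notice is that rule order decides the outcome before the SADB is ever consulted: a port-specific bypass rule with a lower Priority value than a general negotiate rule sends that traffic in the clear, and swapping the two priorities makes the same packet trigger IKE.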
| 4.1. The Class IPsecPolicyGroup | | 4.1. The Class IPsecPolicyGroup | |
| | | | |
| The class IPsecPolicyGroup serves as a container of either other | | The class IPsecPolicyGroup serves as a container of either other | |
| IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. The | | IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. The | |
| class definition for IPsecPolicyGroup is as follows: | | class definition for IPsecPolicyGroup is as follows: | |
| | | | |
| NAME IPsecPolicyGroup | | NAME IPsecPolicyGroup | |
| DESCRIPTION Either a set of IPsecPolicyGroups or a set of IKERules | | DESCRIPTION Either a set of IPsecPolicyGroups or a set of IKERules | |
| and a set of IPsecRules. | | and a set of IPsecRules. | |
|
| DERIVED FROM PolicyGroup (see [PCIM]) | | DERIVED FROM PolicyGroup (see [PCIM] & [PCIMe]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES PolicyGroupName (from PolicyGroup) | | PROPERTIES PolicyGroupName (from PolicyGroup) | |
| PolicyDecisionStrategy (from PolicySet) | | PolicyDecisionStrategy (from PolicySet) | |
| | | | |
| NOTE: for derivations of the schema that are used for policy | | NOTE: for derivations of the schema that are used for policy | |
| distribution to an IPsec device (for example, COPS-PR), the server | | distribution to an IPsec device (for example, COPS-PR), the server | |
| may follow all of PolicySetComponent associations and create one | | may follow all of PolicySetComponent associations and create one | |
| policy group which is simply a set of all of the IKE rules and a set | | policy group which is simply a set of all of the IKE rules and a set | |
| of all of the IPsec rules. See the section on the | | of all of the IPsec rules. See the section on the | |
| PolicySetComponent aggregation for information on merging multiple | | PolicySetComponent aggregation for information on merging multiple | |
| | | | |
| skipping to change at page 15, line 25 | | skipping to change at page 15, line 30 | |
| actions for both types of rules. Through its derivation from | | actions for both types of rules. Through its derivation from | |
| PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has | | PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has | |
| the PolicyRuleValidityPeriod association. | | the PolicyRuleValidityPeriod association. | |
| | | | |
| Each valid IPsecPolicyGroup MUST contain SARules that each have a | | Each valid IPsecPolicyGroup MUST contain SARules that each have a | |
| unique associated priority number in PolicySetComponent.Priority. | | unique associated priority number in PolicySetComponent.Priority. | |
| The class definition for SARule is as follows: | | The class definition for SARule is as follows: | |
| | | | |
| NAME SARule | | NAME SARule | |
| DESCRIPTION A base class for IKERule and IPsecRule. | | DESCRIPTION A base class for IKERule and IPsecRule. | |
|
| DERIVED FROM PolicyRule (see [PCIM]) | | DERIVED FROM PolicyRule (see [PCIM] & [PCIMe]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES PolicyRuleName (from PolicyRule) | | PROPERTIES PolicyRuleName (from PolicyRule) | |
| Enabled (from PolicyRule) | | Enabled (from PolicyRule) | |
| ConditionListType (from PolicyRule) | | ConditionListType (from PolicyRule) | |
| RuleUsage (from PolicyRule) | | RuleUsage (from PolicyRule) | |
| Mandatory (from PolicyRule) | | Mandatory (from PolicyRule) | |
| SequencedActions (from PolicyRule) | | SequencedActions (from PolicyRule) | |
| ExecutionStrategy (from PolicyRule) | | ExecutionStrategy (from PolicyRule) | |
| PolicyRoles (from PolicyRule) | | PolicyRoles (from PolicyRule) | |
| PolicyDecisionStrategy (from PolicySet) | | PolicyDecisionStrategy (from PolicySet) | |
| LimitNegotiation | | LimitNegotiation | |
| | | | |
| 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, | | 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, | |
| RuleUsage, Mandatory, SequencedActions, PolicyRoles, and | | RuleUsage, Mandatory, SequencedActions, PolicyRoles, and | |
| PolicyDecisionStrategy | | PolicyDecisionStrategy | |
| | | | |
|
| For a description of these properties, see Appendix D. | | For a description of these properties, see [PCIM] and [PCIMe]. | |
| | | | |
| In SARule subclass instances: | | In SARule subclass instances: | |
| - if the property Mandatory exists, it MUST be set to "true" | | - if the property Mandatory exists, it MUST be set to "true" | |
| - if the property SequencedActions exists, it MUST be set to | | - if the property SequencedActions exists, it MUST be set to | |
| "mandatory" | | "mandatory" | |
| - the property PolicyRoles is not used in the device-level model | | - the property PolicyRoles is not used in the device-level model | |
| - if the property PolicyDecisionStrategy exists, it must be set to | | - if the property PolicyDecisionStrategy exists, it must be set to | |
| "FirstMatching" | | "FirstMatching" | |
| | | | |
| 4.2.2 The Property ExecutionStrategy | | 4.2.2 The Property ExecutionStrategy | |
| | | | |
|
| The ExecutionStrategy properties in the PolicyRule subclasses (and in | | The ExecutionStrategy properties in the PolicyRule subclasses (and | |
| | | in the CompoundPolicyAction class) determine the behavior of the | |
| the CompoundPolicyAction class) determine the behavior of the | | | |
| contained actions. It defines the strategy to be used in executing | | contained actions. It defines the strategy to be used in executing | |
|
| | | | |
| the sequenced actions aggregated by a rule or a compound action. In | | the sequenced actions aggregated by a rule or a compound action. In | |
|
| | | | |
| the case of actions within a rule, the PolicyActionInSARule | | the case of actions within a rule, the PolicyActionInSARule | |
|
| | | | |
| aggregation is used to collect the actions into an ordered set; in | | aggregation is used to collect the actions into an ordered set; in | |
|
| | | | |
| the case of a compound action, the PolicyActionInPolicyAction | | the case of a compound action, the PolicyActionInPolicyAction | |
|
| | | | |
| aggregation is used to collect the actions into an ordered subset. | | aggregation is used to collect the actions into an ordered subset. | |
| | | | |
| There are three execution strategies: do until success, do all and | | There are three execution strategies: do until success, do all and | |
| do until failure. | | do until failure. | |
| | | | |
|
| "Do Until Success" causes the execution of actions according to the | | "Do Until Success" causes the execution of actions according to the | |
| ActionOrder property in the aggregation instances until a successful | | ActionOrder property in the aggregation instances until a successful | |
| execution of a single action. These actions may be evaluated to | | execution of a single action. These actions may be evaluated to | |
| determine if they are appropriate to execute rather than blindly | | determine if they are appropriate to execute rather than blindly | |
| trying each of the actions until one succeeds. For an initiator, | | trying each of the actions until one succeeds. For an initiator, | |
| they are tried in the ActionOrder until the list is exhausted or one | | they are tried in the ActionOrder until the list is exhausted or one | |
| completes successfully. For example, an IKE initiator may have | | completes successfully. For example, an IKE initiator may have | |
| several IKEActions for the same SACondition. The initiator will try | | several IKEActions for the same SACondition. The initiator will try | |
| all IKEActions in the order defined by ActionOrder. I.e. it will | | all IKEActions in the order defined by ActionOrder. I.e. it will | |
| possibly try several phase 1 negotiations possibly with different | | possibly try several phase 1 negotiations possibly with different | |
| modes (main mode then aggressive mode) and/or with possibly multiple | | modes (main mode then aggressive mode) and/or with possibly multiple | |
| IKE peers. For a responder, when a rule with the "Do Until Success" | | IKE peers. For a responder, when a rule with the "Do Until Success" | |
| strategy has more than one action, the actions provide alternatives | | strategy has more than one action, the actions provide alternatives | |
| depending on the received proposals. For | | depending on the received proposals. For | |
| example, the same IKERule may be used to handle aggressive mode and | | example, the same IKERule may be used to handle aggressive mode and | |
| main mode negotiations with different actions. The responder uses | | main mode negotiations with different actions. The responder uses | |
| the first appropriate action in the list of actions. | | the first appropriate action in the list of actions. | |
| | | | |
|
| "Do All" causes the execution of all of the actions in the aggregated set | | "Do All" causes the execution of all of the actions in the aggregated set | |
| | | | |
| according to their defined order. The execution continues regardless | | according to their defined order. The execution continues regardless | |
|
| | | | |
| of failures. | | of failures. | |
| | | | |
|
| "Do Until Failure" causes the execution of all actions according to | | "Do Until Failure" causes the execution of all actions according to | |
| the predefined order until the first failure in execution of an action | | the predefined order until the first failure in execution of an action | |
| instance. | | instance. | |
| | | | |
|
| For example, in a nested SAs case the actions of an initiator's rule | | For example, in a nested SAs case the actions of an initiator's rule | |
| | | | |
| might be structured as: | | might be structured as: | |
| | | | |
|
| IPsecRule.ExecutionStrategy='Do All' | | IPsecRule.ExecutionStrategy='Do All' | |
| | | | |
| | | | | | |
|
| | | | |
| +---1--- IPsecTunnelAction // set up SA from host to gateway | | +---1--- IPsecTunnelAction // set up SA from host to gateway | |
|
| | | | |
| | | | | | |
|
| | | +---2--- IPsecTransportAction // set up SA from host through | |
| +---2--- IPsecTransportAction // set up SA from host thru tunnel | | // tunnel to remote host | |
| | | | |
| // to remote host | | | |
| | | | |
| Another example, showing a rule with fallback actions might be | | Another example, showing a rule with fallback actions might be | |
|
| | | | |
| structured as: | | structured as: | |
| | | | |
|
| IPsecRule.ExecutionStrategy='Do Until Success' | | IPsecRule.ExecutionStrategy='Do Until Success' | |
| | | | |
| | | | | | |
|
| | | | |
| +---6--- IPsecTransportAction // negotiate SA with peer | | +---6--- IPsecTransportAction // negotiate SA with peer | |
|
| | | | |
| | | | | | |
|
| | | +---9--- IPsecBypassAction // but if you must, allow in the clear | |
| | | | |
|
| +---9--- IPsecBypassAction // but if you must, allow in the | | The CompoundPolicyAction class (See [PCIMe]) may be used in | |
| | | | |
| // clear | | | |
| | | | |
| The CompoundPolicyAction class (See Appendix D) may be used in | | | |
| | | | |
| constructing the actions of IKE and IPsec rules when those rules | | constructing the actions of IKE and IPsec rules when those rules | |
|
| | | | |
| specify both multiple actions and fallback actions. The | | specify both multiple actions and fallback actions. The | |
|
| | | | |
| ExecutionStrategy property in CompoundPolicyAction is used in | | ExecutionStrategy property in CompoundPolicyAction is used in | |
|
| | | | |
| conjunction with that in the PolicyRule. | | conjunction with that in the PolicyRule. | |
| | | | |
| For example, in nesting SAs with a fallback security gateway, the | | For example, in nesting SAs with a fallback security gateway, the | |
|
| | | | |
| actions of a rule might be structured as: | | actions of a rule might be structured as: | |
| | | | |
|
| IPsecRule.ExecutionStrategy='Do All' | | IPsecRule.ExecutionStrategy='Do All' | |
| | | | |
| | | | | | |
|
| | | +---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success' | |
| +---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success' | | | |
| | | | |
| | | | | | | | |
|
| | | | |
| | +---1--- IPsecTunnelAction // set up SA from host to | | | +---1--- IPsecTunnelAction // set up SA from host to | |
|
| | | | |
| | | // gateway1 | | | | // gateway1 | |
|
| | | | |
| | | | | | | | |
|
| | | | |
| | +---2--- IPsecTunnelAction // or set up SA to gateway2 | | | +---2--- IPsecTunnelAction // or set up SA to gateway2 | |
|
| | | | |
| | | | | | |
|
| | | | |
| +---2--- IPsecTransportAction // then set up SA from host | | +---2--- IPsecTransportAction // then set up SA from host | |
|
| | | // through tunnel to remote | |
| | | // host | |
| | | | |
|
| // thru tunnel to remote host | | In the case of "Do All", some actions can complete successfully | |
| | | before a subsequent action fails. Those IKE or IPsec actions may | |
| | | have created SAs. Even though the net effect of the aggregation | |
| | | is failure, those SAs MAY be kept or MAY be deleted. | |
| | | | |
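The three ExecutionStrategy values, the ActionOrder-driven ordering, the CompoundPolicyAction nesting through PolicyActionInPolicyAction, and the "Do All" caveat about SAs created before a later failure are all visible in one small executor. This is an added example, not code from the draft or its authors: action outcomes are scripted rather than negotiated, and whether SAs set up before a failure are kept or deleted (the draft leaves both allowed) is exposed as a flag. The fallback-gateway rule at the end is the tree from the text above.

```python
DO_UNTIL_SUCCESS = "Do Until Success"
DO_ALL = "Do All"
DO_UNTIL_FAILURE = "Do Until Failure"


class SAAction:
    """A leaf IKEAction/IPsecAction. 'ok' scripts its outcome (assumption);
    'sa' names the SA it installs on success, None for a bypass action."""
    def __init__(self, name, ok, sa=None):
        self.name, self.ok, self.sa = name, ok, sa

    def run(self, installed):
        if self.ok and self.sa:
            installed.append(self.sa)
        return self.ok


class CompoundPolicyAction:
    """Aggregates (ActionOrder, action) pairs via PolicyActionInPolicyAction
    and runs them under its own ExecutionStrategy."""
    def __init__(self, strategy, *parts):
        self.strategy, self.parts = strategy, parts

    def run(self, installed):
        return execute(self.strategy, self.parts, installed)


def execute(strategy, parts, installed):
    """Run 'parts' ((ActionOrder, action) pairs) in ActionOrder under
    'strategy' and return the net result. Order values may be sparse."""
    results = []
    for _, action in sorted(parts, key=lambda p: p[0]):
        ok = action.run(installed)
        results.append(ok)
        if strategy == DO_UNTIL_SUCCESS and ok:
            return True               # first success ends the list
        if strategy == DO_UNTIL_FAILURE and not ok:
            return False              # first failure ends the list
    if strategy == DO_UNTIL_SUCCESS:
        return False                  # list exhausted, nothing succeeded
    return all(results)               # Do All / Do Until Failure ran everything


def run_rule(strategy, parts, delete_on_failure=True):
    """SARule-level entry point: (net result, SAs left in place). With
    delete_on_failure the SAs built before a failure are torn down, which is
    one of the two behaviours the draft permits."""
    installed = []
    ok = execute(strategy, parts, installed)
    if not ok and delete_on_failure:
        installed.clear()
    return ok, installed


def fallback_gateway_rule(gw1_ok, transport_ok, delete_on_failure=True):
    """The nested-SA-with-fallback-gateway rule from the text:
    Do All [ Compound(Do Until Success [tunnel gw1, tunnel gw2]), transport ]."""
    compound = CompoundPolicyAction(
        DO_UNTIL_SUCCESS,
        (1, SAAction("tunnel gw1", gw1_ok, "tunnel:gw1")),
        (2, SAAction("tunnel gw2", True, "tunnel:gw2")),
    )
    return run_rule(DO_ALL, [
        (1, compound),
        (2, SAAction("transport", transport_ok, "transport:remote")),
    ], delete_on_failure)
```

When gateway1 is unreachable the compound action falls through to gateway2 and the outer "Do All" still succeeds; when the inner transport negotiation then fails, the tunnel SA that was already built is either removed or left behind depending on the flag, which is exactly the choice the draft leaves to the implementation.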
|
| 4.2.3 The Property LimitNegotiation | | In the case of "Do All", the IPsec selectors to be used during IPsec | |
| | | SA negotiation are: | |
| | | | |
| | | for the last IPsecAction of the aggregation (i.e. usually the | |
| | | innermost IPsec SA): the selector is the combination of the | |
| | | IPHeadersFilter class and the Granularity property of the IPsecAction; | |
| | | | |
|
| | | for all other IPsecActions of the aggregation: the selector has the | |
| | | local IP address as source address and the PeerGateway IP address | |
| | | of the following IPsecAction in the "Do All" aggregation as | |
| | | destination address; i.e. the granularity is IP address to IP | |
| | | address. | |
| | | | |
| | | If the above behavior is not desirable, the alternative is to define | |
| | | several SARules, one for each IPsec SA to be built. This allows | |
| | | specific IPsec selectors to be defined for all IPsecActions. | |
| | | | |
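The selector rule above for "Do All" chains is easy to get backwards (the outer SA's destination is the peer gateway of the *next* action, not of its own), so here it is derived for a chain of any length. This is an added example, not the draft's own code. The actions, their PeerGateway addresses and the IPHeadersFilter fields are constructed for the example; for the final transport action the "peer" is taken to be the remote host, and the way Granularity narrows the filter (addresses only versus addresses plus protocol and port) is an assumed encoding, since that property is defined elsewhere in the draft.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IPsecAction:
    name: str
    peer: str      # PeerGateway address of a tunnel action; for the final
                   # transport action the remote host (this example's assumption)


@dataclass(frozen=True)
class IPHeadersFilter:
    """Subset of the SACondition's IPHeadersFilter fields used here."""
    src: str
    dst: str
    proto: int
    dst_port: int


def innermost_selector(filt, granularity):
    """Selector of the last IPsecAction: the IPHeadersFilter narrowed by
    Granularity. 'address' keeps only the addresses; 'port' keeps protocol
    and port too (assumed encoding of the draft's Granularity property)."""
    if granularity == "address":
        return (filt.src, filt.dst, 0, 0)
    return (filt.src, filt.dst, filt.proto, filt.dst_port)


def do_all_selectors(local_ip, actions, filt, granularity):
    """actions: (ActionOrder, IPsecAction) pairs of one 'Do All' aggregation.
    Returns [(action name, (src, dst, proto, dst_port))] in ActionOrder;
    0 stands for 'any' protocol or port."""
    ordered = [a for _, a in sorted(actions, key=lambda p: p[0])]
    out = []
    for i, action in enumerate(ordered):
        if i == len(ordered) - 1:
            sel = innermost_selector(filt, granularity)
        else:
            # the outer SA carries traffic addressed to the next action's
            # peer gateway: address-to-address granularity only
            sel = (local_ip, ordered[i + 1].peer, 0, 0)
        out.append((action.name, sel))
    return out
```

For a host behind two nested tunnels, the first tunnel SA ends up with a selector to the second gateway, the second tunnel SA with a selector to the remote host, and only the innermost transport SA carries the protocol and port from the rule's filter; anything finer on the outer SAs requires separate SARules, as the text says.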
| | | 4.2.3 The Property LimitNegotiation | |
| The property LimitNegotiation is used as part of processing either | | The property LimitNegotiation is used as part of processing either | |
| an IKE or an IPsec rule. | | an IKE or an IPsec rule. | |
| | | | |
| Before proceeding with a phase 1 negotiation, this property is | | Before proceeding with a phase 1 negotiation, this property is | |
| checked to determine if the negotiation role of the rule matches | | checked to determine if the negotiation role of the rule matches | |
| that defined for the negotiation being undertaken (e.g., Initiator, | | that defined for the negotiation being undertaken (e.g., Initiator, | |
| Responder, or Both). If this check fails (e.g. the current role is | | Responder, or Both). If this check fails (e.g. the current role is | |
| IKE responder while the rule specifies IKE initiator), then the IKE | | IKE responder while the rule specifies IKE initiator), then the IKE | |
| negotiation is stopped. Note that this only applies to new IKE phase | | negotiation is stopped. Note that this only applies to new IKE phase | |
| 1 negotiations and has no effect on either renegotiation or refresh | | 1 negotiations and has no effect on either renegotiation or refresh | |
| | | | |
| skipping to change at page 18, line 14 | | skipping to change at page 18, line 33 | |
| negotiation is a refresh operation by checking to see if the | | negotiation is a refresh operation by checking to see if the | |
| selector information matches that of an existing SA. If | | selector information matches that of an existing SA. If | |
| LimitNegotiation does not match and the selector corresponds to a | | LimitNegotiation does not match and the selector corresponds to a | |
| new SA, the negotiation is stopped. | | new SA, the negotiation is stopped. | |
| | | | |
| The property is defined as follows: | | The property is defined as follows: | |
| | | | |
| NAME LimitNegotiation | | NAME LimitNegotiation | |
| DESCRIPTION Limits the role to be undertaken during negotiation. | | DESCRIPTION Limits the role to be undertaken during negotiation. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
|
| VALUE 1 - initiator-only | | VALUE 1 - initiator-only | |
| 2 - responder-only | | 2 - responder-only | |
| 3 - both | | 3 - both | |
| | | | |
| 4.3. The Class IKERule | | 4.3. The Class IKERule | |
| | | | |
| The class IKERule associates Conditions and Actions for IKE phase 1 | | The class IKERule associates Conditions and Actions for IKE phase 1 | |
| negotiations. The class definition for IKERule is as follows: | | negotiations. The class definition for IKERule is as follows: | |
| | | | |
| NAME IKERule | | NAME IKERule | |
| DESCRIPTION Associates Conditions and Actions for IKE phase 1 | | DESCRIPTION Associates Conditions and Actions for IKE phase 1 | |
| negotiations. | | negotiations. | |
| | | | |
| skipping to change at page 19, line 40 | | skipping to change at page 20, line 9 | |
| | | | |
| The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with | | The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with | |
| a specific network interface. If an IPProtocolEndpoint of a system | | a specific network interface. If an IPProtocolEndpoint of a system | |
| does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, | | does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, | |
| then the IPsecPolicyForSystem associated IPsecPolicyGroup is used | | then the IPsecPolicyForSystem associated IPsecPolicyGroup is used | |
| for that endpoint. The class definition for IPsecPolicyForEndpoint | | for that endpoint. The class definition for IPsecPolicyForEndpoint | |
| is as follows: | | is as follows: | |
| | | | |
| NAME IPsecPolicyForEndpoint | | NAME IPsecPolicyForEndpoint | |
| DESCRIPTION Associates a policy group to a network interface. | | DESCRIPTION Associates a policy group to a network interface. | |
|
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]] | | PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]] | |
| Dependent[ref IPsecPolicyGroup[0..1]] | | Dependent[ref IPsecPolicyGroup[0..1]] | |
| | | | |
| 4.6.1. The Reference Antecedent | | 4.6.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to an IPProtocolEndpoint instance. The [0..n] | | overridden to refer to an IPProtocolEndpoint instance. The [0..n] | |
| cardinality indicates that an IPsecPolicyGroup instance may be | | cardinality indicates that an IPsecPolicyGroup instance may be | |
| associated with zero or more IPProtocolEndpoint instances. | | associated with zero or more IPProtocolEndpoint instances. | |
| | | | |
| skipping to change at page 20, line 18 | | skipping to change at page 20, line 39 | |
| | | | |
| The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a | | The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a | |
| specific system. If an IPProtocolEndpoint of a system does not have | | specific system. If an IPProtocolEndpoint of a system does not have | |
| an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the | | an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the | |
| IPsecPolicyForSystem associated IPsecPolicyGroup is used for that | | IPsecPolicyForSystem associated IPsecPolicyGroup is used for that | |
| endpoint. The class definition for IPsecPolicyForSystem is as | | endpoint. The class definition for IPsecPolicyForSystem is as | |
| follows: | | follows: | |
| | | | |
| NAME IPsecPolicyForSystem | | NAME IPsecPolicyForSystem | |
| DESCRIPTION Default policy group for a system. | | DESCRIPTION Default policy group for a system. | |
|
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent[ref System[0..n]] | | PROPERTIES Antecedent[ref System[0..n]] | |
| Dependent[ref IPsecPolicyGroup[0..1]] | | Dependent[ref IPsecPolicyGroup[0..1]] | |
| | | | |
| 4.7.1. The Reference Antecedent | | 4.7.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to a System instance. The [0..n] cardinality | | overridden to refer to a System instance. The [0..n] cardinality | |
| indicates that an IPsecPolicyGroup instance may have an association | | indicates that an IPsecPolicyGroup instance may have an association | |
| to zero or more System instances. | | to zero or more System instances. | |
| | | | |
| skipping to change at page 20, line 46 | | skipping to change at page 21, line 14 | |
| | | | |
| 4.8. The Aggregation Class RuleForIKENegotiation | | 4.8. The Aggregation Class RuleForIKENegotiation | |
| | | | |
| The class RuleForIKENegotiation associates an IKERule with the | | The class RuleForIKENegotiation associates an IKERule with the | |
| IPsecPolicyGroup that contains it. The class definition for | | IPsecPolicyGroup that contains it. The class definition for | |
| RuleForIKENegotiation is as follows: | | RuleForIKENegotiation is as follows: | |
| | | | |
| NAME RuleForIKENegotiation | | NAME RuleForIKENegotiation | |
| DESCRIPTION Associates an IKERule with the IPsecPolicyGroup that | | DESCRIPTION Associates an IKERule with the IPsecPolicyGroup that | |
| contains it. | | contains it. | |
| DERIVED FROM PolicySetComponent (see Appendix D) | | DERIVED FROM PolicySetComponent (see [PCIME]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Priority (from PolicySetComponent) | | PROPERTIES Priority (from PolicySetComponent) | |
| GroupComponent [ref IPsecPolicyGroup [1..1]] | | GroupComponent [ref IPsecPolicyGroup [1..1]] | |
| PartComponent [ref IKERule [0..n]] | | PartComponent [ref IKERule [0..n]] | |
| | | | |
| 4.8.1. The Property Priority | | 4.8.1. The Property Priority | |
| | | | |
| For a description of this property, see Appendix D. | | For a description of this property, see [PCIME]. | |
| | | | |
| 4.8.2. The Reference GroupComponent | | 4.8.2. The Reference GroupComponent | |
| | | | |
| The property GroupComponent is inherited from | | The property GroupComponent is inherited from | |
| PolicyRuleInPolicyGroup and is overridden to refer to an | | PolicyRuleInPolicyGroup and is overridden to refer to an | |
| IPsecPolicyGroup instance. The [1..1] cardinality indicates that an | | IPsecPolicyGroup instance. The [1..1] cardinality indicates that an | |
| IKERule instance may be contained in one and only one | | IKERule instance may be contained in one and only one | |
| IPsecPolicyGroup instance (i.e., IKERules are not shared across | | IPsecPolicyGroup instance (i.e., IKERules are not shared across | |
| IPsecPolicyGroups). | | IPsecPolicyGroups). | |
| | | | |
| 4.8.3. The Reference PartComponent | | 4.8.3. The Reference PartComponent | |
| | | | |
| The property PartComponent is inherited from PolicyRuleInPolicyGroup | | The property PartComponent is inherited from PolicyRuleInPolicyGroup | |
| | | | |
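Review bot: 4.8.2 and 4.8.3 say GroupComponent and PartComponent are "inherited from PolicyRuleInPolicyGroup", but the class is declared DERIVED FROM PolicySetComponent (see [PCIME]); the -04 edit updated the citation on the DERIVED FROM line but not the inheritance text, so both subsections should read "inherited from PolicySetComponent".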
| skipping to change at page 21, line 27 | | skipping to change at page 21, line 49 | |
| | | | |
| 4.9. The Aggregation Class RuleForIPsecNegotiation | | 4.9. The Aggregation Class RuleForIPsecNegotiation | |
| | | | |
| The class RuleForIPsecNegotiation associates an IPsecRule with the | | The class RuleForIPsecNegotiation associates an IPsecRule with the | |
| IPsecPolicyGroup that contains it. The class definition for | | IPsecPolicyGroup that contains it. The class definition for | |
| RuleForIPsecNegotiation is as follows: | | RuleForIPsecNegotiation is as follows: | |
| | | | |
| NAME RuleForIPsecNegotiation | | NAME RuleForIPsecNegotiation | |
| DESCRIPTION Associates an IPsecRule with the IPsecPolicyGroup that | | DESCRIPTION Associates an IPsecRule with the IPsecPolicyGroup that | |
| contains it. | | contains it. | |
| DERIVED FROM PolicySetComponent (see Appendix D) | | DERIVED FROM PolicySetComponent (see [PCIME]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Priority (from PolicySetComponent) | | PROPERTIES Priority (from PolicySetComponent) | |
| GroupComponent [ref IPsecPolicyGroup [1..1]] | | GroupComponent [ref IPsecPolicyGroup [1..1]] | |
| PartComponent [ref IPsecRule [0..n]] | | PartComponent [ref IPsecRule [0..n]] | |
| | | | |
| 4.9.1. The Property Priority | | 4.9.1. The Property Priority | |
| | | For a description of this property, see [PCIME]. | |
| For a description of this property, see Appendix D. | | | |
| | | | |
| 4.9.2. The Reference GroupComponent | | 4.9.2. The Reference GroupComponent | |
| | | | |
| The property GroupComponent is inherited from | | The property GroupComponent is inherited from | |
| PolicyRuleInPolicyGroup and is overridden to refer to an | | PolicyRuleInPolicyGroup and is overridden to refer to an | |
| IPsecPolicyGroup instance. The [1..1] cardinality indicates that an | | IPsecPolicyGroup instance. The [1..1] cardinality indicates that an | |
| IPsecRule instance may be contained in only one IPsecPolicyGroup | | IPsecRule instance may be contained in only one IPsecPolicyGroup | |
| instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). | | instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). | |
| | | | |
| 4.9.3. The Reference PartComponent | | 4.9.3. The Reference PartComponent | |
| | | | |
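Review bot: same mismatch as in 4.8: 4.9.2 and 4.9.3 say the references are "inherited from PolicyRuleInPolicyGroup" while RuleForIPsecNegotiation is DERIVED FROM PolicySetComponent; update both to PolicySetComponent. The [1..1] wording also differs between 4.8.2 ("one and only one") and 4.9.2 ("only one"); use one phrasing for the same cardinality.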
| skipping to change at page 22, line 4 | | skipping to change at page 22, line 22 | |
| instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). | | instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). | |
| | | | |
| 4.9.3. The Reference PartComponent | | 4.9.3. The Reference PartComponent | |
| | | | |
| The property PartComponent is inherited from PolicyRuleInPolicyGroup | | The property PartComponent is inherited from PolicyRuleInPolicyGroup | |
| and is overridden to refer to an IPsecRule instance. The [0..n] | | and is overridden to refer to an IPsecRule instance. The [0..n] | |
| cardinality indicates that an IPsecPolicyGroup instance may contain | | cardinality indicates that an IPsecPolicyGroup instance may contain | |
| zero or more IPsecRules instance. | | zero or more IPsecRules instance. | |
| | | | |
| 4.10. The Aggregation Class SAConditionInRule | | 4.10. The Aggregation Class SAConditionInRule | |
| | | | |
| The class SAConditionInRule associates an SARule with the | | The class SAConditionInRule associates an SARule with the | |
| SACondition instance(s) that trigger(s) it. The class definition | | SACondition instance(s) that trigger(s) it. The class definition | |
| for SAConditionInRule is as follows: | | for SAConditionInRule is as follows: | |
| | | | |
| NAME SAConditionInRule | | NAME SAConditionInRule | |
| DESCRIPTION Associates an SARule with the SACondition instance(s) | | DESCRIPTION Associates an SARule with the SACondition instance(s) | |
| that trigger(s) it. | | that trigger(s) it. | |
| DERIVED FROM PolicyConditionInPolicyRule (see [PCIM]) | | DERIVED FROM PolicyConditionInPolicyRule (see [PCIM] & [PCIMe]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES GroupNumber (from PolicyConditionInPolicyRule) | | PROPERTIES GroupNumber (from PolicyConditionInPolicyRule) | |
| ConditionNegated (from PolicyConditionInPolicyRule) | | ConditionNegated (from PolicyConditionInPolicyRule) | |
| GroupComponent [ref SARule [0..n]] | | GroupComponent [ref SARule [0..n]] | |
| PartComponent [ref SACondition [1..n]] | | PartComponent [ref SACondition [1..n]] | |
| | | | |
| 4.10.1. The Properties GroupNumber and ConditionNegated | | 4.10.1. The Properties GroupNumber and ConditionNegated | |
| | | | |
| For a description of these properties, see [PCIM]. | | For a description of these properties, see [PCIM]. | |
| | | | |
| | | | |
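Review bot: the DERIVED FROM line for SAConditionInRule now cites "[PCIM] & [PCIMe]" but 4.10.1 still sends the reader to [PCIM] alone for GroupNumber and ConditionNegated; if the [PCIMe] definitions are the ones that apply, as the changed citation implies, 4.10.1 should cite it too. Note also that PartComponent [ref SACondition [1..n]] means every SARule must carry at least one SACondition; if an unconditional (always-match) rule is meant to be legal, say how it is expressed.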
| skipping to change at page 22, line 50 | | skipping to change at page 23, line 16 | |
| the contained actions MUST be either subclasses of SAAction or | | the contained actions MUST be either subclasses of SAAction or | |
| instances of CompoundPolicyAction. For an IKERule, the contained | | instances of CompoundPolicyAction. For an IKERule, the contained | |
| actions MUST be related to phase 1 processing, i.e., IKEAction or | | actions MUST be related to phase 1 processing, i.e., IKEAction or | |
| IKERejectAction. Similarly, for an IPsecRule, contained actions | | IKERejectAction. Similarly, for an IPsecRule, contained actions | |
| MUST be related to phase 2 or preconfigured SA processing, e.g., | | MUST be related to phase 2 or preconfigured SA processing, e.g., | |
| IPsecTransportAction, IPsecBypassAction, etc. The class definition | | IPsecTransportAction, IPsecBypassAction, etc. The class definition | |
| for PolicyActionInSARule is as follows: | | for PolicyActionInSARule is as follows: | |
| | | | |
| NAME PolicyActionInSARule | | NAME PolicyActionInSARule | |
| DESCRIPTION Associates an SARule with its PolicyAction(s). | | DESCRIPTION Associates an SARule with its PolicyAction(s). | |
| DERIVED FROM PolicyActionInPolicyRule (see [PCIM]) | | DERIVED FROM PolicyActionInPolicyRule (see [PCIM] & [PCIMe]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES GroupComponent [ref SARule [0..n]] | | PROPERTIES GroupComponent [ref SARule [0..n]] | |
| PartComponent [ref PolicyAction [1..n]] | | PartComponent [ref PolicyAction [1..n]] | |
| ActionOrder (from PolicyActionInPolicyRule) | | ActionOrder (from PolicyActionInPolicyRule) | |
| | | | |
| 4.11.1. The Reference GroupComponent | | 4.11.1. The Reference GroupComponent | |
| | | | |
| The property GroupComponent is inherited from | | The property GroupComponent is inherited from | |
| PolicyActionInPolicyRule and is overridden to refer to an SARule | | PolicyActionInPolicyRule and is overridden to refer to an SARule | |
| instance. The [0..n] cardinality indicates that an SAAction | | instance. The [0..n] cardinality indicates that an SAAction | |
| instance may be contained in zero or more SARule instances. | | instance may be contained in zero or more SARule instances. | |
| | | | |
| 4.11.2. The Reference PartComponent | | 4.11.2. The Reference PartComponent | |
| | | | |
| The property PartComponent is inherited from | | The property PartComponent is inherited from | |
| PolicyActionInPolicyRule and is overridden to refer to an SAAction | | PolicyActionInPolicyRule and is overridden to refer to an SAAction | |
| or CompoundPolicyAction instance. The [1..n] cardinality indicates | | or CompoundPolicyAction instance. The [1..n] cardinality indicates | |
| | | | |
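Review bot: the PolicyActionInSARule definition keeps PartComponent as [ref PolicyAction [1..n]], yet 4.11.2 says the reference "is overridden to refer to an SAAction or CompoundPolicyAction instance"; CompoundPolicyAction is not an SAAction subclass, so the reference type cannot be narrowed to SAAction, and the MUST in the introductory paragraph is a semantic constraint on the referenced PolicyAction rather than a type override. Reword 4.11.2 to say the reference stays PolicyAction and that the constraint (SAAction subclass or CompoundPolicyAction, phase-appropriate for IKERule versus IPsecRule) applies to it; 4.11.1 likewise says "an SAAction instance" where "a PolicyAction instance" is what the reference admits.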
| skipping to change at page 24, line 16 | | skipping to change at page 24, line 16 | |
| | | | |
| The IPsec condition and filter classes are used to build the "if" | | The IPsec condition and filter classes are used to build the "if" | |
| part of the IKE and IPsec rules. | | part of the IKE and IPsec rules. | |
| | | | |
| *+-------------+ | | *+-------------+ | |
| +--------------------| SACondition | | | +--------------------| SACondition | | |
| | +-------------+ | | | +-------------+ | |
| | * | | | | * | | |
| | |(a) | | | |(a) | |
| | 1 | | | | 1 | | |
| | +--------------+ | | | +---------------+ | |
| | | FilterList | | | | | FilterList | | |
| | | (Appendix C) | | | | |([CIMNETWORK]) | | |
| | +--------------+ | | | +---------------+ | |
| | 1 o | | | 1 o | |
| |(b) |(c) | | |(b) |(c) | |
| | * | | | | * | | |
| | +-----------------+ | | | +-----------------+ | |
| | | FilterEntryBase | | | | | FilterEntryBase | | |
| | | (Appendix C) | | | | | ([CIMNETWORK]) | | |
| | +-----------------+ | | | +-----------------+ | |
| | ^ | | | ^ | |
| | | | | | | | |
| | +----------------+ | +-----------------------+ | | | +----------------+ | +-----------------------+ | |
| | | IPHeaderFilter |----+----| CredentialFilterEntry | | | | | IPHeaderFilter |----+----| CredentialFilterEntry | | |
| | | (Appendix C) | | +-----------------------+ | | | | ([PCIME]) | | +-----------------------+ | |
| | +----------------+ | | | | +----------------+ | | |
| | | | | | | | |
| | +-----------------+ | +--------------------------+ | | | +-----------------+ | +--------------------------+ | |
| | | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry | | | | | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry | | |
| | +-----------------+ +--------------------------+ | | | +-----------------+ +--------------------------+ | |
| | | | | | |
| | *+-----------------------------+ | | | *+-----------------------------+ | |
| +------------| CredentialManagementService | | | +------------| CredentialManagementService | | |
| | (Appendix B) | | | | ([CIMUSER]) | | |
| +-----------------------------+ | | +-----------------------------+ | |
| | | | |
| (a) FilterOfSACondition | | (a) FilterOfSACondition | |
| (b) AcceptCredentialsFrom | | (b) AcceptCredentialsFrom | |
| (c) EntriesInFilterList (see Appendix C) | | (c) EntriesInFilterList (see [CIMNETWORK]) | |
| | | | |
| 5.1. The Class SACondition | | 5.1. The Class SACondition | |
| | | | |
| The class SACondition defines the conditions of rules for IKE and | | The class SACondition defines the conditions of rules for IKE and | |
| IPsec negotiations. Conditions are associated with policy rules via | | IPsec negotiations. Conditions are associated with policy rules via | |
| the SAConditionInRule aggregation. It is used as an anchor point to | | the SAConditionInRule aggregation. It is used as an anchor point to | |
| associate various types of filters with policy rules via the | | associate various types of filters with policy rules via the | |
| FilterOfSACondition association. It also defines whether Credentials | | FilterOfSACondition association. It also defines whether Credentials | |
| can be accepted for a particular policy rule via the | | can be accepted for a particular policy rule via the | |
| AcceptCredentialsFrom association. | | AcceptCredentialsFrom association. | |
| | | | |
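Review bot: in the figure, IPHeaderFilter is now attributed to [PCIME] while its base class FilterEntryBase, FilterList and EntriesInFilterList come from [CIMNETWORK]; the same class is cited as [PCIMe] in 5.2 below, and the key is written [PCIME] in 4.8, 4.9 and here but [PCIMe] in 4.10, 4.11 and 5.2. Pick one spelling for the key, and confirm the split attribution (IPHeaderFilter defined in one document, its parent in another) is intended, since the -03 text placed all three in Appendix C.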
| skipping to change at page 25, line 26 | | skipping to change at page 25, line 26 | |
| | | | |
| NAME SACondition | | NAME SACondition | |
| DESCRIPTION Defines the preconditions for IKE and IPsec | | DESCRIPTION Defines the preconditions for IKE and IPsec | |
| negotiations. | | negotiations. | |
| DERIVED FROM PolicyCondition (see [PCIM]) | | DERIVED FROM PolicyCondition (see [PCIM]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES PolicyConditionName (from PolicyCondition) | | PROPERTIES PolicyConditionName (from PolicyCondition) | |
| | | | |
| 5.2. The Class IPHeaderFilter | | 5.2. The Class IPHeaderFilter | |
| | | | |
| The class IPHeaderFilter is defined in appendix C with the following | | The class IPHeaderFilter is defined in [PCIMe] with the following | |
| note: | | note: | |
| | | | |
| 1) to specify 5-tuple filters that are to apply symmetrically (i.e., | | 1) to specify 5-tuple filters that are to apply symmetrically (i.e., | |
| matches traffic in both directions of the same flow between the | | matches traffic in both directions of the same flow between the | |
| two peers), the Direction property of the FilterList should be | | two peers), the Direction property of the FilterList should be | |
| set to "Mirrored". | | set to "Mirrored". | |
| | | | |
| 5.3. The Class CredentialFilterEntry | | 5.3. The Class CredentialFilterEntry | |
| | | | |
| The class CredentialFilterEntry defines an equivalence class that | | The class CredentialFilterEntry defines an equivalence class that | |
| | | | |
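Review bot: 5.2 now imports IPHeaderFilter from [PCIMe] instead of defining it, so the class name and the FilterList "Direction" property with value "Mirrored" that this note relies on must match what [PCIMe] and [CIMNETWORK] actually define; neither is shown here. "With the following note: 1)" introduces a numbered list with a single item; a plain sentence reads better. Consider also stating what a non-Mirrored FilterList means for an IPsec selector, i.e., that it matches one direction of the flow only.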
| skipping to change at page 25, line 49 | | skipping to change at page 25, line 49 | |
| CredentialManagementService(s) associated with the SACondition | | CredentialManagementService(s) associated with the SACondition | |
| (AcceptCredentialsFrom). | | (AcceptCredentialsFrom). | |
| | | | |
| These credentials can be X.509 certificates, Kerberos tickets, or | | These credentials can be X.509 certificates, Kerberos tickets, or | |
| other types of credentials obtained during the Phase 1 exchange. | | other types of credentials obtained during the Phase 1 exchange. | |
| | | | |
| The class definition for CredentialFilterEntry is as follows: | | The class definition for CredentialFilterEntry is as follows: | |
| | | | |
| NAME CredentialFilterEntry | | NAME CredentialFilterEntry | |
| DESCRIPTION Specifies a match filter based on the IKE credentials. | | DESCRIPTION Specifies a match filter based on the IKE credentials. | |
| DERIVED FROM FilterEntryBase (see Appendix C) | | DERIVED FROM FilterEntryBase (see [CIMNETWORK]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Name (from FilterEntryBase) | | PROPERTIES Name (from FilterEntryBase) | |
| IsNegated (from FilterEntryBase) | | IsNegated (from FilterEntryBase) | |
| MatchFieldName | | MatchFieldName | |
| MatchFieldValue | | MatchFieldValue | |
| CredentialType | | CredentialType | |
| | | | |
| 5.3.1. The Property MatchFieldName | | 5.3.1. The Property MatchFieldName | |
| The property MatchFieldName specifies the sub-part of the credential | | The property MatchFieldName specifies the sub-part of the credential | |
| to match against MatchFieldValue. The property is defined as | | to match against MatchFieldValue. The property is defined as | |
| | | | |
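Review bot: 5.3 says credentials "can be X.509 certificates, Kerberos tickets, or other types of credentials", but CredentialType in 5.3.3 enumerates only 1 (X.509 Certificate) and 2 (Kerberos Ticket); either add a value for other credential types or narrow the text to the two supported ones. Minor: the 5.3.1 heading runs straight into its paragraph without the blank line used after every other heading.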
| skipping to change at page 26, line 39 | | skipping to change at page 26, line 39 | |
| | | | |
| 5.3.3. The Property CredentialType | | 5.3.3. The Property CredentialType | |
| | | | |
| The property CredentialType specifies the particular type of | | The property CredentialType specifies the particular type of | |
| credential that is being matched. The property is defined as | | credential that is being matched. The property is defined as | |
| follows: | | follows: | |
| | | | |
| NAME CredentialType | | NAME CredentialType | |
| DESCRIPTION Defines the type of IKE credentials. | | DESCRIPTION Defines the type of IKE credentials. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| VALUE 1 û X.509 Certificate | | VALUE 1 - X.509 Certificate | |
| 2 û Kerberos Ticket | | 2 - Kerberos Ticket | |
| | | | |
| 5.4. The Class IPSOFilterEntry | | 5.4. The Class IPSOFilterEntry | |
| | | | |
| The class IPSOFilterEntry is used to match traffic based on the IP | | The class IPSOFilterEntry is used to match traffic based on the IP | |
| Security Options header values (ClassificationLevel and | | Security Options header values (ClassificationLevel and | |
| ProtectionAuthority) as defined in RFC1108. This type of filter | | ProtectionAuthority) as defined in RFC1108. This type of filter | |
| entry is used to adjust the IPsec encryption level according to the | | entry is used to adjust the IPsec encryption level according to the | |
| IPSO classification of the traffic (e.g., secret, confidential, | | IPSO classification of the traffic (e.g., secret, confidential, | |
| restricted, etc. The class definition for IPSOFilterEntry is as | | restricted, etc. The class definition for IPSOFilterEntry is as | |
| follows: | | follows: | |
| | | | |
| NAME IPSOFilterEntry | | NAME IPSOFilterEntry | |
| DESCRIPTION Specifies the a match filter based on IP Security | | DESCRIPTION Specifies the a match filter based on IP Security | |
| Options. | | Options. | |
| DERIVED FROM FilterEntryBase (see Appendix C) | | DERIVED FROM FilterEntryBase (see [CIMNETWORK]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Name (from FilterEntryBase) | | PROPERTIES Name (from FilterEntryBase) | |
| IsNegated (from FilterEntryBase) | | IsNegated (from FilterEntryBase) | |
| MatchConditionType | | MatchConditionType | |
| MatchConditionValue | | MatchConditionValue | |
| | | | |
| 5.4.1. The Property MatchConditionType | | 5.4.1. The Property MatchConditionType | |
| | | | |
| The property MatchConditionType specifies the IPSO header field that | | The property MatchConditionType specifies the IPSO header field that | |
| will be matched (e.g., traffic classification level or protection | | will be matched (e.g., traffic classification level or protection | |
| authority). The property is defined as follows: | | authority). The property is defined as follows: | |
| | | | |
| NAME MatchConditionType | | NAME MatchConditionType | |
| DESCRIPTION Specifies the IPSO header field to be matched. | | DESCRIPTION Specifies the IPSO header field to be matched. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| VALUE 1 û ClassificationLevel | | VALUE 1 - ClassificationLevel | |
| 2 û ProtectionAuthority | | 2 - ProtectionAuthority | |
| | | | |
| 5.4.2. The Property MatchConditionValue | | 5.4.2. The Property MatchConditionValue | |
| | | | |
| The property MatchConditionValue specifies the value of the IPSO | | The property MatchConditionValue specifies the value of the IPSO | |
| header field to be matched against. The property is defined as | | header field to be matched against. The property is defined as | |
| follows: | | follows: | |
| | | | |
| NAME MatchConditionValue | | NAME MatchConditionValue | |
| DESCRIPTION Specifies the value of the IPSO header field to be | | DESCRIPTION Specifies the value of the IPSO header field to be | |
| matched against. | | matched against. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| VALUE For ClassificationLevel, the values are: | | VALUE For ClassificationLevel, the values are: | |
| 61 û TopSecret | | 61 - TopSecret | |
| 90 û Secret | | 90 - Secret | |
| 150 û Confidential | | 150 - Confidential | |
| 171 û Unclassified | | 171 - Unclassified | |
| For ProtectionAuthority, the values are: | | For ProtectionAuthority, the values are: | |
| 0 û GENSER | | 0 - GENSER | |
| 1 - SIOP-ESI | | 1 - SIOP-ESI | |
| 2 û SCI | | 2 - SCI | |
| 3 û NSA | | 3 - NSA | |
| 4 - DOE | | 4 - DOE | |
| | | | |
| 5.5. The Class PeerIDPayloadFilterEntry | | 5.5. The Class PeerIDPayloadFilterEntry | |
| | | | |
| The class PeerIDPayloadFilterEntry defines filters used to match ID | | The class PeerIDPayloadFilterEntry defines filters used to match ID | |
| payload values from the IKE protocol exchange. | | payload values from the IKE protocol exchange. | |
| PeerIDPayloadFilterEntry permits the specification of certain ID | | PeerIDPayloadFilterEntry permits the specification of certain ID | |
| payload values such as "*@company.com" or "193.190.125.0/24". | | payload values such as "*@company.com" or "193.190.125.0/24". | |
| | | | |
| Obviously this filter applies only to IKERules when acting as a | | Obviously this filter applies only to IKERules when acting as a | |
| responder. Moreover, this filter can be applied immediately in the | | responder. Moreover, this filter can be applied immediately in the | |
| case of aggressive mode but its application is to be delayed in the | | case of aggressive mode but its application is to be delayed in the | |
| case of main mode. The class definition for | | case of main mode. The class definition for | |
| PeerIDPayloadFilterEntry is as follows: | | PeerIDPayloadFilterEntry is as follows: | |
| | | | |
| NAME PeerIDPayloadFilterEntry | | NAME PeerIDPayloadFilterEntry | |
| DESCRIPTION Specifies a match filter based on IKE identity. | | DESCRIPTION Specifies a match filter based on IKE identity. | |
| DERIVED FROM FilterEntryBase (see Appendix C) | | DERIVED FROM FilterEntryBase (see [CIMNETWORK]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Name (from FilterEntryBase) | | PROPERTIES Name (from FilterEntryBase) | |
| IsNegated (from FilterEntryBase) | | IsNegated (from FilterEntryBase) | |
| MatchIdentityType | | MatchIdentityType | |
| MatchIdentityValue | | MatchIdentityValue | |
| | | | |
| 5.5.1. The Property MatchIdentityType | | 5.5.1. The Property MatchIdentityType | |
| | | | |
| The property MatchIdentityType specifies the type of identity | | The property MatchIdentityType specifies the type of identity | |
| provided by the peer in the ID payload." The property is defined | | provided by the peer in the ID payload." The property is defined | |
| | | | |
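Review bot: in 5.4 the MatchConditionValue encodings are inconsistent: for ClassificationLevel the values are raw option octet values (61, 90, 150, 171), while for ProtectionAuthority they are small indices (0..4); say whether an implementation compares the raw option octets or a decoded value, and whether a packet carrying more than one protection authority matches an entry for any one of them. The 5.4 introduction gives "secret, confidential, restricted" as example classifications, but "restricted" is not among the enumerated levels. Typos: "Specifies the a match filter" (5.4 DESCRIPTION), an unclosed parenthesis after "restricted, etc.", and a stray closing quote after "ID payload." in 5.5.1. In 5.5, "its application is to be delayed in the case of main mode" should say what the responder does until the ID payload is available, because the IKERule cannot be selected before then.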
| skipping to change at page 29, line 16 | | skipping to change at page 29, line 16 | |
| | | | |
| 5.6. The Association Class FilterOfSACondition | | 5.6. The Association Class FilterOfSACondition | |
| | | | |
| The class FilterOfSACondition associates an SACondition with the | | The class FilterOfSACondition associates an SACondition with the | |
| filter specifications (FilterList) that make up the condition. The | | filter specifications (FilterList) that make up the condition. The | |
| class definition for FilterOfSACondition is as follows: | | class definition for FilterOfSACondition is as follows: | |
| | | | |
| NAME FilterOfSACondition | | NAME FilterOfSACondition | |
| DESCRIPTION Associates a condition with the filter list that make | | DESCRIPTION Associates a condition with the filter list that make | |
| up the individual condition elements. | | up the individual condition elements. | |
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref FilterList[1..1]] | | PROPERTIES Antecedent [ref FilterList[1..1]] | |
| Dependent [ref SACondition[0..n]] | | Dependent [ref SACondition[0..n]] | |
| | | | |
| 5.6.1. The Reference Antecedent | | 5.6.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to a FilterList instance. The [1..1] | | overridden to refer to a FilterList instance. The [1..1] | |
| cardinality indicates that an SACondition instance MUST be | | cardinality indicates that an SACondition instance MUST be | |
| associated with one and only one FilterList instance. | | associated with one and only one FilterList instance. | |
| | | | |
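Review bot: "the filter list that make up the individual condition elements" in the FilterOfSACondition DESCRIPTION should be "makes up". Since Antecedent is [ref FilterList [1..1]], every SACondition must have exactly one FilterList, including conditions that match only on credentials or peer identity; it is worth stating that CredentialFilterEntry and PeerIDPayloadFilterEntry live in that same FilterList (they derive from FilterEntryBase, as the figure in section 5 shows) so a reader does not look for a second association.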
| skipping to change at page 30, line 6 | | skipping to change at page 30, line 6 | |
| AcceptCredentialsFrom list of services but there is no | | AcceptCredentialsFrom list of services but there is no | |
| CredentialFilterEntry, this is considered equivalent to a | | CredentialFilterEntry, this is considered equivalent to a | |
| CredentialFilterEntry that matches all credentials from those | | CredentialFilterEntry that matches all credentials from those | |
| services. | | services. | |
| | | | |
| The class definition for AcceptCredentialFrom is as follows: | | The class definition for AcceptCredentialFrom is as follows: | |
| | | | |
| NAME AcceptCredentialFrom | | NAME AcceptCredentialFrom | |
| DESCRIPTION Associates a condition with the credential management | | DESCRIPTION Associates a condition with the credential management | |
| services to be trusted. | | services to be trusted. | |
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref CredentialManagementService[0..n]] | | PROPERTIES Antecedent [ref CredentialManagementService[0..n]] | |
| Dependent [ref SACondition[0..n]] | | Dependent [ref SACondition[0..n]] | |
| | | | |
| 5.7.1. The Reference Antecedent | | 5.7.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to a CredentialManagementService instance. The | | overridden to refer to a CredentialManagementService instance. The | |
| [0..n] cardinality indicates that an SACondition instance may be | | [0..n] cardinality indicates that an SACondition instance may be | |
| associated with zero or more CredentialManagementServices instance. | | associated with zero or more CredentialManagementServices instance. | |
| | | | |
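Review bot: the association is named AcceptCredentialsFrom in the section 5 figure, in 5.1 and in 5.3, but AcceptCredentialFrom (no "s") in the 5.7 class definition and its introductory sentence; the NAME line is normative, so align the other occurrences or the definition. The rule that an AcceptCredentialsFrom list with no CredentialFilterEntry "is considered equivalent to a CredentialFilterEntry that matches all credentials from those services" is the security-significant default here, since any credential issued by a trusted CredentialManagementService is then accepted; state it with RFC 2119 language (MUST) rather than "is considered" so implementations agree on it. Grammar: "zero or more CredentialManagementServices instance" in 5.7.1 should be "instances".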
| skipping to change at page 31, line 18 | | skipping to change at page 31, line 18 | |
| device may take when the evaluation of the associated condition | | device may take when the evaluation of the associated condition | |
| results in a match. | | results in a match. | |
| | | | |
| +----------+ | | +----------+ | |
| | SAAction | | | | SAAction | | |
| +----------+ | | +----------+ | |
| ^ | | ^ | |
| | | | | | |
| +-----------+--------------+ | | +-----------+--------------+ | |
| | | | | | | | |
| *+----------------+ +---------------------+* | | | +---------------------+ | |
| | SAStaticAction | | SANegotiationAction |o-----+ | | | | SaNegotiationAction | | |
| +----------------+ +---------------------+ | | | | +---------------------+ | |
| | | | ^ | |
| | | | | | |
| | | *+----------------+ +----------------------+* | |
| | | | SAStaticAction | | IKENegotiationAction |o----+ | |
| | | +----------------+ +----------------------+ | | |
| ^ ^ | | | ^ ^ | | |
| | | | | | | | | | |
| | +-----------+-------+ | | | | +-----------+-------+ | | |
| | | | | | | | | | | | |
| +-------------------+ | +-------------+ +-----------+ | | | +-------------------+ | +-------------+ +-----------+ | | |
| | IPsecBypassAction |---+ | IPsecAction | | IKEAction | | | | | IPsecBypassAction |---+ | IPsecAction | | IKEAction | | | |
| +-------------------+ | +-------------+ +-----------+ | | | +-------------------+ | +-------------+ +-----------+ | | |
| | ^ | | | | ^ | | |
| +--------------------+ | | +----------------------+ | | | +--------------------+ | | +----------------------+ | | |
| | IPsecDiscardAction |---+ +----| IPsecTransportAction | | | | | IPsecDiscardAction |---+ +----| IPsecTransportAction | | | |
| | | | |
| skipping to change at page 31, line 51 | | skipping to change at page 31, line 56 | |
| +-----------------------+ | +--------------+ (b) | | +-----------------------+ | +--------------+ (b) | |
| *| ^ | | | *| ^ | | |
| | | | *+-------------+ | | | | | *+-------------+ | |
| | | +-------| PeerGateway | | | | | +-------| PeerGateway | | |
| | | +-------------+ | | | | +-------------+ | |
| | | +-----------------------------+ |0..1 *w| | | | | +-----------------------------+ |0..1 *w| | |
| | +--| PreconfiguredTransportAction| | |(c) | | | +--| PreconfiguredTransportAction| | |(c) | |
| | | +-----------------------------+ | 1| | | | | +-----------------------------+ | 1| | |
| | | | +--------------+ | | | | | +--------------+ | |
| | | +---------------------------+ * | | System | | | | | +---------------------------+ * | | System | | |
| | +--| PreconfiguredTunnelAction |-----+ | (Appendix A) | | | | +--| PreconfiguredTunnelAction |-----+ | ([CIMCORE]) | | |
| | +---------------------------+ (e) +--------------+ | | | +---------------------------+ (e) +--------------+ | |
| | | | | | |
| | 2..6+---------------+ | | | 2..6+---------------+ | |
| +-------| [SATransform] | | | +-------| [SATransform] | | |
| (d) +---------------+ | | (d) +---------------+ | |
| | | | |
| (a) PeerGatewayForTunnel | | (a) PeerGatewayForTunnel | |
| (b) ContainedProposal | | (b) ContainedProposal | |
| (c) HostedPeerGatewayInformation | | (c) HostedPeerGatewayInformation | |
| (d) TransformOfPreconfiguredAction | | (d) TransformOfPreconfiguredAction | |
| (e) PeerGatewayForPreconfiguredTunnel | | (e) PeerGatewayForPreconfiguredTunnel | |
| | | | |
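Review bot: the -04 figure inserts IKENegotiationAction under SANegotiationAction and moves the ContainedProposal aggregation (b) from SANegotiationAction (as in -03) to IKENegotiationAction, but the box is labelled "SaNegotiationAction" while 6.1.1 below still writes "SANegotiationActions"; fix the label casing and check that the text describing ContainedProposal and DoActionLogging (which refers to SANegotiationActions) was updated for the new intermediate class.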
| 6.1. The Class SAAction | | 6.1. The Class SAAction | |
| | | | |
| The class SAAction serves as the base class for IKE and IPsec | | The class SAAction is abstract and serves as the base class for IKE | |
| actions. Although the class is concrete, it MUST not be | | and IPsec actions. It is used for aggregating different types of | |
| instantiated. It is used for aggregating different types of actions | | actions to IKE and IPsec rules. The class definition for SAAction | |
| to IKE and IPsec rules. The class definition for SAAction is as | | is as follows: | |
| follows: | | | |
| | | | |
| NAME SAAction | | NAME SAAction | |
| DESCRIPTION The base class for IKE and IPsec actions. | | DESCRIPTION The base class for IKE and IPsec actions. | |
| DERIVED FROM PolicyAction (see [PCIM]) | | DERIVED FROM PolicyAction (see [PCIM]) | |
| ABSTRACT FALSE | | ABSTRACT TRUE | |
| PROPERTIES PolicyActionName (from PolicyAction) | | PROPERTIES PolicyActionName (from PolicyAction) | |
| DoActionLogging | | DoActionLogging | |
| DoPacketLogging | | DoPacketLogging | |
| | | | |
| 6.1.1. The Property DoActionLogging | | 6.1.1. The Property DoActionLogging | |
| | | | |
| The property DoActionLogging specifies whether a log message is to | | The property DoActionLogging specifies whether a log message is to | |
| be generated when the action is performed. This applies for | | be generated when the action is performed. This applies for | |
| SANegotiationActions with the meaning of logging a message when the | | SANegotiationActions with the meaning of logging a message when the | |
| negotiation is attempted (with the success or failure result). This | | negotiation is attempted (with the success or failure result). This | |
| | | | |
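Review bot: making SAAction ABSTRACT TRUE resolves the -03 contradiction of declaring the class concrete and then saying it "MUST not be instantiated" (which was also not RFC 2119 "MUST NOT"); with the class abstract, 4.11.1's "an SAAction instance may be contained in zero or more SARule instances" now means an instance of a concrete SAAction subclass and should say so.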
| skipping to change at page 33, line 18 | | skipping to change at page 33, line 22 | |
| DESCRIPTION Specifies the whether to log when the resulting | | DESCRIPTION Specifies the whether to log when the resulting | |
| security association is used to process the packet. | | security association is used to process the packet. | |
| SYNTAX boolean | | SYNTAX boolean | |
| VALUE true - a log message is to be generated when the | | VALUE true - a log message is to be generated when the | |
| resulting security association is used to process the | | resulting security association is used to process the | |
| packet. | | packet. | |
| false - no log message is to be generated. | | false - no log message is to be generated. | |
| | | | |
| 6.2. The Class SAStaticAction | | 6.2. The Class SAStaticAction | |
| | | | |
| The class SAStaticAction serves as the base class for IKE and IPsec | | The class SAStaticAction is abstract and serves as the base class | |
| actions that do not require any negotiation. Although the class is | | for IKE and IPsec actions that do not require any negotiation. The | |
| concrete, it MUST not be instantiated. The class definition for | | class definition for SAStaticAction is as follows: | |
| SAStaticAction is as follows: | | | |
| | | | |
| NAME SAStaticAction | | NAME SAStaticAction | |
| DESCRIPTION The base class for IKE and IPsec actions that do not | | DESCRIPTION The base class for IKE and IPsec actions that do not | |
| require any negotiation. | | require any negotiation. | |
| DERIVED FROM SAAction | | DERIVED FROM SAAction | |
| ABSTRACT FALSE | | ABSTRACT TRUE | |
| PROPERTIES LifetimeSeconds | | PROPERTIES LifetimeSeconds | |
| | | | |
| 6.2.1. The Property LifetimeSeconds | | 6.2.1. The Property LifetimeSeconds | |
| | | | |
| The property LifetimeSeconds specifies how long the security | | The property LifetimeSeconds specifies how long the security | |
| association derived from this action should be used. The property | | association derived from this action should be used. The property | |
| is defined as follows: | | is defined as follows: | |
| | | | |
| NAME LifetimeSeconds | | NAME LifetimeSeconds | |
| DESCRIPTION Specifies the amount of time (in seconds) that a | | DESCRIPTION Specifies the amount of time (in seconds) that a | |
| | | | |
| skipping to change at page 35, line 4 | | skipping to change at page 35, line 7 | |
| | | | |
| 6.6. The Class PreconfiguredSAAction | | 6.6. The Class PreconfiguredSAAction | |
| | | | |
| The class PreconfiguredSAAction is used to create a security | | The class PreconfiguredSAAction is used to create a security | |
| association using preconfigured, hard-wired algorithms and keys. | | association using preconfigured, hard-wired algorithms and keys. | |
| | | | |
| Notes: | | Notes: | |
| | | | |
| - the SPI for a PreconfiguredSAAction is contained in the | | - the SPI for a PreconfiguredSAAction is contained in the | |
| association, TransformOfPreconfiguredAction; | | association, TransformOfPreconfiguredAction; | |
| - the session key (if applicable) is contained in an instance of the | | | |
| class SharedSecret (see appendix B). The session key is stored in | | - the session key (if applicable) is contained in an instance of | |
| the property secret, the property protocol contains either "ESP- | | the class SharedSecret (see [CIMUSER]). The session key is | |
| encrypt", "ESP-auth" or "AH", the property algorithm contains the | | stored in the property secret, the property protocol contains | |
| algorithm used to protect the secret (can be "PLAINTEXT" if the | | either "ESP-encrypt", "ESP-auth" or "AH", the property | |
| IPsec entity has no secret storage), the value of property | | algorithm contains the algorithm used to protect the secret | |
| RemoteID is the concatenation of the remote IPsec peer IP address | | (can be "PLAINTEXT" if the IPsec entity has no secret storage), | |
| in dotted decimal, of the character "/", of "IN" (resp. "OUT") for | | the value of property RemoteID is the concatenation of the | |
| inbound SA (resp. outbound SA), of the character "/" and of the | | remote IPsec peer IP address in dotted decimal, of the | |
| hexadecimal representation of the SPI. | | character "/", of "IN" (resp. "OUT") for inbound SA (resp. | |
| | | outbound SA), of the character "/" and of the hexadecimal | |
| | | representation of the SPI. | |
| | | | |
| Although the class is concrete, it MUST not be instantiated. The | | Although the class is concrete, it MUST not be instantiated. The | |
| class definition for PreconfiguredSAAction is as follows: | | class definition for PreconfiguredSAAction is as follows: | |
| | | | |
| NAME PreconfiguredSAAction | | NAME PreconfiguredSAAction | |
| DESCRIPTION Specifies preconfigured algorithm and keying | | DESCRIPTION Specifies preconfigured algorithm and keying | |
| information for creation of a security association. | | information for creation of a security association. | |
| DERIVED FROM SAStaticAction | | DERIVED FROM SAStaticAction | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES LifetimeKilobytes | | PROPERTIES LifetimeKilobytes | |
| | | | |
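The RemoteID and SharedSecret conventions from the note above, built and validated in Python as an added example that is not code from the draft. It assumes IPv4 peers and an 8-digit lower-case hex SPI with no prefix (the draft fixes neither); the function and class names are mine.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Values the draft fixes for SharedSecret.protocol and for the RemoteID direction field.
_PROTOCOLS = ("ESP-encrypt", "ESP-auth", "AH")
_DIRECTIONS = ("IN", "OUT")
# Assumption (the draft only says "hexadecimal representation of the SPI"):
# up to eight hex digits, no 0x prefix, written as eight lower-case digits.
_SPI_HEX = re.compile(r"[0-9a-fA-F]{1,8}")


def build_remote_id(peer_ip: str, direction: str, spi: int) -> str:
    """Build SharedSecret.RemoteID: <peer IPv4 dotted decimal>/<IN|OUT>/<hex SPI>."""
    addr = ipaddress.IPv4Address(peer_ip)  # rejects anything that is not dotted decimal
    if direction not in _DIRECTIONS:
        raise ValueError(f"direction must be one of {_DIRECTIONS}, got {direction!r}")
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI must fit in 32 bits, got {spi:#x}")
    return f"{addr}/{direction}/{spi:08x}"


def parse_remote_id(remote_id: str) -> tuple[str, str, int]:
    """Inverse of build_remote_id(); malformed values are rejected, never guessed."""
    parts = remote_id.split("/")
    if len(parts) != 3:
        raise ValueError(f"RemoteID needs exactly three '/'-separated fields: {remote_id!r}")
    ip_text, direction, spi_hex = parts
    addr = ipaddress.IPv4Address(ip_text)
    if direction not in _DIRECTIONS:
        raise ValueError(f"bad direction {direction!r} in {remote_id!r}")
    if not _SPI_HEX.fullmatch(spi_hex):
        raise ValueError(f"bad SPI field {spi_hex!r} in {remote_id!r}")
    return str(addr), direction, int(spi_hex, 16)


@dataclass(frozen=True)
class SharedSecretEntry:
    """One SharedSecret instance, using the property names the draft's note lists."""
    secret: bytes      # the session key itself
    protocol: str      # "ESP-encrypt", "ESP-auth" or "AH"
    algorithm: str     # how `secret` is protected at rest; "PLAINTEXT" if not at all
    remote_id: str     # as produced by build_remote_id()

    def __post_init__(self) -> None:
        if self.protocol not in _PROTOCOLS:
            raise ValueError(f"protocol must be one of {_PROTOCOLS}, got {self.protocol!r}")
        parse_remote_id(self.remote_id)  # fail early on a malformed RemoteID

    @property
    def stored_in_clear(self) -> bool:
        """True when the entity has no secret storage and the key sits unprotected."""
        return self.algorithm.upper() == "PLAINTEXT"


def find_session_key(entries: Iterable[SharedSecretEntry], peer_ip: str,
                     direction: str, spi: int) -> Optional[SharedSecretEntry]:
    """Locate the key for one preconfigured SA, e.g. from an inbound packet's SPI."""
    wanted = build_remote_id(peer_ip, direction, spi)
    for entry in entries:
        if entry.remote_id == wanted:
            return entry
    return None


def clear_text_keys(entries: Iterable[SharedSecretEntry]) -> list[str]:
    """Audit helper: RemoteIDs whose session key is stored unprotected."""
    return [e.remote_id for e in entries if e.stored_in_clear]
```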
| skipping to change at page 36, line 36 | | skipping to change at page 36, line 40 | |
| | | | |
| 6.8.1. The Property DFHandling | | 6.8.1. The Property DFHandling | |
| | | | |
| The property DFHandling specifies how the Don't Fragment bit of the | | The property DFHandling specifies how the Don't Fragment bit of the | |
| internal IP header is to be handled during IPsec processing. The | | internal IP header is to be handled during IPsec processing. The | |
| property is defined as follows: | | property is defined as follows: | |
| | | | |
| NAME DFHandling | | NAME DFHandling | |
| DESCRIPTION Specifies the processing of the DF bit. | | DESCRIPTION Specifies the processing of the DF bit. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| VALUE 1 - Copy the DF bit from the internal IP header to the | | VALUE 1 - Copy the DF bit from the internal IP header to the | |
| external IP header. | | external IP header. | |
| 2 - Set the DF bit of the external IP header to 1. | | 2 - Set the DF bit of the external IP header to 1. | |
| 3 - Clear the DF bit of the external IP header to 0. | | 3 - Clear the DF bit of the external IP header to 0. | |
| | | | |
| 6.9. The Class SANegotiationAction | | 6.9. The Class SANegotiationAction | |
| | | | |
| The class SANegotiationAction serves as the base class for IKE and | | The class SANegotiationAction specifies an action requesting | |
| IPsec actions that result in an IKE negotiation. Although the class | | security policy negotiation. | |
| is concrete, it MUST not be instantiated. The class definition for | | | |
| SANegotiationAction is as follows: | | This is an abstract class. Currently, only one security policy | |
| | | negotiation protocol action is subclassed from SANegotiationAction: | |
| | | the IKENegotiationAction class. It is nevertheless expected that | |
| | | other security policy negotiation protocols will exist and the | |
| | | negotiation actions of those new protocols would be modeled as a | |
| | | subclass of SANegotiationAction. | |
| | | | |
| NAME SANegotiationAction | | NAME SANegotiationAction | |
| | | DESCRIPTION Specifies a negotiation action. | |
| | | DERIVED FROM SAAction | |
| | | ABSTRACT TRUE | |
| | | | |
| | | 6.10. The Class IKENegotiationAction | |
| | | | |
| | | The class IKENegotiationAction is abstract and serves as the base | |
| | | class for IKE and IPsec actions that result in an IKE negotiation. | |
| | | Although the class is concrete, it MUST not be instantiated. The | |
| | | class definition for IKENegotiationAction is as follows: | |
| | | | |
| | | NAME IKENegotiationAction | |
| DESCRIPTION A base class for IKE and IPsec actions that specifies | | DESCRIPTION A base class for IKE and IPsec actions that specifies | |
| the parameters that are common for IKE phase 1 and IKE | | the parameters that are common for IKE phase 1 and IKE | |
| phase 2 IPsec DOI negotiations. | | phase 2 IPsec DOI negotiations. | |
| DERIVED FROM SAAction | | DERIVED FROM SANegotiationAction | |
| ABSTRACT FALSE | | ABSTRACT TRUE | |
| PROPERTIES MinLifetimeSeconds | | PROPERTIES MinLifetimeSeconds | |
| MinLifetimeKilobytes | | MinLifetimeKilobytes | |
| RefreshThresholdSeconds | | RefreshThresholdSeconds | |
| RefreshThresholdKilobytes | | RefreshThresholdKilobytes | |
| IdleDurationSeconds | | IdleDurationSeconds | |
| | | | |
| 6.9.1. The Property MinLifetimeSeconds | | 6.10.1. The Property MinLifetimeSeconds | |
| | | | |
| The property MinLifetimeSeconds specifies the minimum seconds | | The property MinLifetimeSeconds specifies the minimum seconds | |
| lifetime that will be accepted from the peer. MinLifetimeSeconds is | | lifetime that will be accepted from the peer. MinLifetimeSeconds is | |
| used to prevent certain denial of service attacks where the peer | | used to prevent certain denial of service attacks where the peer | |
| requests an arbitrarily low lifetime value, causing renegotiations | | requests an arbitrarily low lifetime value, causing renegotiations | |
| with correspondingly expensive Diffie-Hellman operations. The | | with correspondingly expensive Diffie-Hellman operations. The | |
| property is defined as follows: | | property is defined as follows: | |
| | | | |
| NAME MinLifetimeSeconds | | NAME MinLifetimeSeconds | |
| DESCRIPTION Specifies the minimum acceptable seconds lifetime. | | DESCRIPTION Specifies the minimum acceptable seconds lifetime. | |
| SYNTAX unsigned 32-bit integer | | SYNTAX unsigned 32-bit integer | |
| VALUE A value of zero indicates that there is no minimum | | VALUE A value of zero indicates that there is no minimum | |
| value. A non-zero value specifies the minimum seconds | | value. A non-zero value specifies the minimum seconds | |
| lifetime. | | lifetime. | |
| | | | |
| 6.9.2. The Property MinLifetimeKilobytes | | 6.10.2. The Property MinLifetimeKilobytes | |
| | | | |
| The property MinLifetimeKilobytes specifies the minimum kilobytes | | The property MinLifetimeKilobytes specifies the minimum kilobytes | |
| lifetime that will be accepted from the peer. MinLifetimeKilobytes | | lifetime that will be accepted from the peer. MinLifetimeKilobytes | |
| is used to prevent certain denial of service attacks where the peer | | is used to prevent certain denial of service attacks where the peer | |
| requests an arbitrarily low lifetime value, causing renegotiations | | requests an arbitrarily low lifetime value, causing renegotiations | |
| with correspondingly expensive Diffie-Hellman operations. Note that | | with correspondingly expensive Diffie-Hellman operations. Note that | |
| there has been considerable debate regarding the usefulness of | | there has been considerable debate regarding the usefulness of | |
| applying kilobyte lifetimes to IKE phase 1 security associations, so | | applying kilobyte lifetimes to IKE phase 1 security associations, so | |
| it is likely that this property will only apply to the sub-class | | it is likely that this property will only apply to the sub-class | |
| IPsecAction. The property is defined as follows: | | IPsecAction. The property is defined as follows: | |
| | | | |
| NAME MinLifetimeKilobytes | | NAME MinLifetimeKilobytes | |
| DESCRIPTION Specifies the minimum acceptable kilobytes lifetime. | | DESCRIPTION Specifies the minimum acceptable kilobytes lifetime. | |
| SYNTAX unsigned 32-bit integer | | SYNTAX unsigned 32-bit integer | |
| VALUE A value of zero indicates that there is no minimum | | VALUE A value of zero indicates that there is no minimum | |
| value. A non-zero value specifies the minimum | | value. A non-zero value specifies the minimum | |
| kilobytes lifetime. | | kilobytes lifetime. | |
| | | | |
| 6.9.3. The Property RefreshThresholdSeconds | | 6.10.3. The Property RefreshThresholdSeconds | |
| | | | |
| The property RefreshThresholdSeconds specifies what percentage of | | The property RefreshThresholdSeconds specifies what percentage of | |
| the seconds lifetime can expire before IKE should attempt to | | the seconds lifetime can expire before IKE should attempt to | |
| renegotiate the security association. A random value may be added | | renegotiate the security association. A random value may be added | |
| to the calculated threshold (percentage x seconds lifetime) to | | to the calculated threshold (percentage x seconds lifetime) to | |
| reduce the chance of both peers attempting to renegotiate at the | | reduce the chance of both peers attempting to renegotiate at the | |
| same time. The property is defined as follows: | | same time. The property is defined as follows: | |
| | | | |
| NAME RefreshThresholdSeconds | | NAME RefreshThresholdSeconds | |
| DESCRIPTION Specifies the percentage of seconds lifetime that has | | DESCRIPTION Specifies the percentage of seconds lifetime that has | |
| expired before the security association is | | expired before the security association is | |
| renegotiated. | | renegotiated. | |
| SYNTAX unsigned 8-bit integer | | SYNTAX unsigned 8-bit integer | |
| VALUE A value between 1 and 100 representing a percentage. A | | VALUE A value between 1 and 100 representing a percentage. A | |
| value of 100 indicates that the security association | | value of 100 indicates that the security association | |
| should not be renegotiated until the seconds lifetime | | should not be renegotiated until the seconds lifetime | |
| has been reached. | | has been reached. | |
| | | | |
| 6.9.4. The Property RefreshThresholdKilobytes | | 6.10.4. The Property RefreshThresholdKilobytes | |
| | | | |
| The property RefreshThresholdKilobytes specifies what percentage of | | The property RefreshThresholdKilobytes specifies what percentage of | |
| the kilobyte lifetime can expire before IKE should attempt to | | the kilobyte lifetime can expire before IKE should attempt to | |
| renegotiate the IPsec security association. A random value may be | | renegotiate the IPsec security association. A random value may be | |
| added to the calculated threshold (percentage x kilobyte lifetime) | | added to the calculated threshold (percentage x kilobyte lifetime) | |
| to reduce the chance of both peers attempting to renegotiate at the | | to reduce the chance of both peers attempting to renegotiate at the | |
| same time. Note that, as with the property MinLifetimeKilobytes, | | same time. Note that, as with the property MinLifetimeKilobytes, | |
| this property is probably only relevant to IPsecAction sub-classes. | | this property is probably only relevant to IPsecAction sub-classes. | |
| The property is defined as follows: | | The property is defined as follows: | |
| | | | |
| NAME RefreshThresholdKilobytes | | NAME RefreshThresholdKilobytes | |
| DESCRIPTION Specifies the percentage of kilobyte lifetime that has | | DESCRIPTION Specifies the percentage of kilobyte lifetime that has | |
| expired before the IPsec security association is | | expired before the IPsec security association is | |
| renegotiated. | | renegotiated. | |
| SYNTAX unsigned 8-bit integer | | SYNTAX unsigned 8-bit integer | |
| VALUE A value between 1 and 100 representing a percentage. A | | VALUE A value between 1 and 100 representing a percentage. A | |
| value of 100 indicates that the IPsec security | | value of 100 indicates that the IPsec security | |
| association should not be renegotiated until the | | association should not be renegotiated until the | |
| kilobyte lifetime has been reached. | | kilobyte lifetime has been reached. | |
| | | | |
| 6.9.5. The Property IdleDurationSeconds | | 6.10.5. The Property IdleDurationSeconds | |
| | | | |
| The property IdleDurationSeconds specifies how many seconds a | | The property IdleDurationSeconds specifies how many seconds a | |
| security association may remain idle (i.e., no traffic protected | | security association may remain idle (i.e., no traffic protected | |
| using the security association) before it is deleted. The property | | using the security association) before it is deleted. The property | |
| is defined as follows: | | is defined as follows: | |
| | | | |
| NAME IdleDurationSeconds | | NAME IdleDurationSeconds | |
| DESCRIPTION Specifies how long, in seconds, a security association | | DESCRIPTION Specifies how long, in seconds, a security association | |
| may remain unused before it is deleted. | | may remain unused before it is deleted. | |
| SYNTAX unsigned 32-bit integer | | SYNTAX unsigned 32-bit integer | |
| VALUE A value of zero indicates that idle detection should | | VALUE A value of zero indicates that idle detection should | |
| not be used for the security association (only the | | not be used for the security association (only the | |
| seconds and kilobyte lifetimes will be used). Any non- | | seconds and kilobyte lifetimes will be used). Any non- | |
| zero value indicates the number of seconds the security | | zero value indicates the number of seconds the security | |
| association may remain unused. | | association may remain unused. | |
| | | | |
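An added example, not part of the draft: the MinLifetime*, RefreshThreshold* and IdleDurationSeconds properties of IKENegotiationAction applied as a check on a peer's proposed lifetimes, a refresh-point calculation with the optional random offset, and idle detection. The names, and the assumption that the random offset never pushes the refresh point past the lifetime, are mine.

```python
from __future__ import annotations

import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IKENegotiationParams:
    """The IKENegotiationAction properties, with the draft's value ranges enforced."""
    min_lifetime_seconds: int = 0           # 0 = no minimum
    min_lifetime_kilobytes: int = 0         # 0 = no minimum
    refresh_threshold_seconds: int = 100    # percent, 1..100
    refresh_threshold_kilobytes: int = 100  # percent, 1..100
    idle_duration_seconds: int = 0          # 0 = no idle detection

    def __post_init__(self) -> None:
        for name in ("refresh_threshold_seconds", "refresh_threshold_kilobytes"):
            pct = getattr(self, name)
            if not 1 <= pct <= 100:
                raise ValueError(f"{name} must be between 1 and 100, got {pct}")
        for name in ("min_lifetime_seconds", "min_lifetime_kilobytes",
                     "idle_duration_seconds"):
            if getattr(self, name) < 0:
                raise ValueError(f"{name} must not be negative")


def lifetime_acceptable(proposed: int, minimum: int) -> bool:
    """A zero minimum means 'no minimum'; otherwise the peer's value must reach it."""
    return minimum == 0 or proposed >= minimum


def check_peer_lifetimes(params: IKENegotiationParams, proposed_seconds: int,
                         proposed_kilobytes: int) -> Optional[str]:
    """Return None if the peer's proposed lifetimes may be accepted, else why not.

    Refusing below-minimum lifetimes is what stops a peer from forcing a
    renegotiation (and a fresh Diffie-Hellman exchange) every few seconds.
    """
    if not lifetime_acceptable(proposed_seconds, params.min_lifetime_seconds):
        return (f"seconds lifetime {proposed_seconds} is below the minimum "
                f"{params.min_lifetime_seconds}")
    if not lifetime_acceptable(proposed_kilobytes, params.min_lifetime_kilobytes):
        return (f"kilobyte lifetime {proposed_kilobytes} is below the minimum "
                f"{params.min_lifetime_kilobytes}")
    return None


def refresh_point(lifetime: int, threshold_percent: int,
                  jitter_seed: Optional[int] = None) -> int:
    """Where (in the lifetime's unit) renegotiation should start.

    base = threshold_percent x lifetime. When a jitter seed is given, a random
    amount is added, as the draft allows, so both peers do not renegotiate at
    the same moment. Assumption: the jitter never pushes the point past the
    lifetime, and a threshold of 100 means 'wait for the lifetime to expire'.
    """
    if lifetime <= 0:
        raise ValueError("lifetime must be positive")
    if not 1 <= threshold_percent <= 100:
        raise ValueError("threshold must be between 1 and 100")
    base = lifetime * threshold_percent // 100
    if threshold_percent == 100 or jitter_seed is None:
        return base
    return base + random.Random(jitter_seed).randint(0, lifetime - base)


def idle_expired(params: IKENegotiationParams, seconds_since_last_use: int) -> bool:
    """Idle detection is switched off when IdleDurationSeconds is zero."""
    return (params.idle_duration_seconds != 0
            and seconds_since_last_use >= params.idle_duration_seconds)
```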
| 6.10. The Class IPsecAction | | 6.11. The Class IPsecAction | |
| | | | |
| The class IPsecAction serves as the base class for IPsec transport | | The class IPsecAction serves as the base class for IPsec transport | |
| and tunnel actions. It specifies the parameters used for an IKE | | and tunnel actions. It specifies the parameters used for an IKE | |
| phase 2 IPsec DOI negotiation. Although the class is concrete, it | | phase 2 IPsec DOI negotiation. Although the class is concrete, it | |
| MUST not be instantiated. The class definition for IPsecAction is | | MUST not be instantiated. The class definition for IPsecAction is | |
| as follows: | | as follows: | |
| | | | |
| NAME IPsecAction | | NAME IPsecAction | |
| DESCRIPTION A base class for IPsec transport and tunnel actions | | DESCRIPTION A base class for IPsec transport and tunnel actions | |
| that specifies the parameters for IKE phase 2 IPsec DOI | | that specifies the parameters for IKE phase 2 IPsec DOI | |
| negotiations. | | negotiations. | |
| DERIVED FROM SANegotiationAction | | DERIVED FROM IKENegotiationAction | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES UsePFS | | PROPERTIES UsePFS | |
| UseIKEGroup | | UseIKEGroup | |
| GroupId | | GroupId | |
| Granularity | | Granularity | |
| VendorID | | VendorID | |
| | | | |
| 6.10.1. The Property UsePFS | | 6.11.1. The Property UsePFS | |
| | | | |
| The property UsePFS specifies whether or not perfect forward secrecy | | The property UsePFS specifies whether or not perfect forward secrecy | |
| should be used when refreshing keys. The property is defined as | | should be used when refreshing keys. The property is defined as | |
| follows: | | follows: | |
| | | | |
| NAME UsePFS | | NAME UsePFS | |
| DESCRIPTION Specifies whether or not to use PFS when refreshing | | DESCRIPTION Specifies whether or not to use PFS when refreshing | |
| keys. | | keys. | |
| SYNTAX boolean | | SYNTAX boolean | |
| VALUE A value of true indicates that PFS should be used. A | | VALUE A value of true indicates that PFS should be used. A | |
| value of false indicates that PFS should not be used. | | value of false indicates that PFS should not be used. | |
| | | | |
| 6.10.2. The Property UseIKEGroup | | 6.11.2. The Property UseIKEGroup | |
| | | | |
| The property UseIKEGroup specifies whether or not phase 2 should use | | The property UseIKEGroup specifies whether or not phase 2 should use | |
| the same key exchange group as was used in phase 1. UseIKEGroup is | | the same key exchange group as was used in phase 1. UseIKEGroup is | |
| ignored if UsePFS is false. The property is defined as follows: | | ignored if UsePFS is false. The property is defined as follows: | |
| | | | |
| NAME UseIKEGroup | | NAME UseIKEGroup | |
| DESCRIPTION Specifies whether or not to use the same GroupId for | | DESCRIPTION Specifies whether or not to use the same GroupId for | |
| phase 2 as was used in phase 1. If UsePFS is false, | | phase 2 as was used in phase 1. If UsePFS is false, | |
| then UseIKEGroup is ignored. | | then UseIKEGroup is ignored. | |
| SYNTAX boolean | | SYNTAX boolean | |
| VALUE A value of true indicates that the phase 2 GroupId | | VALUE A value of true indicates that the phase 2 GroupId | |
| should be the same as phase 1. A value of false | | should be the same as phase 1. A value of false | |
| indicates that the property GroupId will contain the | | indicates that the property GroupId will contain the | |
| key exchange group to use for phase 2. | | key exchange group to use for phase 2. | |
| | | | |
| 6.10.3. The Property GroupId | | 6.11.3. The Property GroupId | |
| | | | |
| The property GroupId specifies the key exchange group to use for | | The property GroupId specifies the key exchange group to use for | |
| phase 2. GroupId is ignored if (1) the property UsePFS is false, or | | phase 2. GroupId is ignored if (1) the property UsePFS is false, or | |
| (2) the property UsePFS is true and the property UseIKEGroup is | | (2) the property UsePFS is true and the property UseIKEGroup is | |
| true. If the GroupID number is from the vendor-specific range | | true. If the GroupID number is from the vendor-specific range | |
| (32768-65535), the property VendorID qualifies the group number. | | (32768-65535), the property VendorID qualifies the group number. | |
| The property is defined as follows: | | The property is defined as follows: | |
| | | | |
| NAME GroupId | | NAME GroupId | |
| DESCRIPTION Specifies the key exchange group to use for phase 2 | | DESCRIPTION Specifies the key exchange group to use for phase 2 | |
| when the property UsePFS is true and the property | | when the property UsePFS is true and the property | |
| UseIKEGroup is false. | | UseIKEGroup is false. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| VALUE Consult [IKE] for valid values. | | VALUE Consult [IKE] for valid values. | |
| | | | |
| 6.10.4. The Property Granularity | | 6.11.4. The Property Granularity | |
| | | | |
| The property Granularity specifies how the selector for the security | | The property Granularity specifies how the selector for the security | |
| association should be derived from the traffic that triggered the | | association should be derived from the traffic that triggered the | |
| negotiation. The property is defined as follows: | | negotiation. The property is defined as follows: | |
| | | | |
| NAME Granularity | | NAME Granularity | |
| DESCRIPTION Specifies how the proposed selector for the | | DESCRIPTION Specifies how the proposed selector for the | |
| security association will be created. | | security association will be created. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| VALUE 1 - subnet: the source and destination subnet masks of | | VALUE 1 - subnet: the source and destination subnet masks of | |
| the filter entry are used. | | the filter entry are used. | |
| 2 - address: only the source and destination IP | | 2 - address: only the source and destination IP | |
| addresses of the triggering packet are used. | | addresses of the triggering packet are used. | |
| 3 - protocol: the source and destination IP addresses | | 3 - protocol: the source and destination IP addresses | |
| and the IP protocol of the triggering packet are used. | | and the IP protocol of the triggering packet are used. | |
| 4 - port: the source and destination IP addresses and | | 4 - port: the source and destination IP addresses and | |
| the IP protocol and the source and destination layer 4 | | the IP protocol and the source and destination layer 4 | |
| ports of the triggering packet are used. | | ports of the triggering packet are used. | |
| | | | |
| 6.10.5. The Property VendorID | | 6.11.5. The Property VendorID | |
| | | | |
| The property VendorID is used together with the property GroupID | | The property VendorID is used together with the property GroupID | |
| (when it is in the vendor-specific range) to identify the key | | (when it is in the vendor-specific range) to identify the key | |
| exchange group. VendorID is ignored unless UsePFS is true and | | exchange group. VendorID is ignored unless UsePFS is true and | |
| UseIKEGroup is false and GroupID is in the vendor-specific range | | UseIKEGroup is false and GroupID is in the vendor-specific range | |
| (32768-65535). The property is defined as follows: | | (32768-65535). The property is defined as follows: | |
| | | | |
| NAME VendorID | | NAME VendorID | |
| DESCRIPTION Specifies the IKE Vendor ID. | | DESCRIPTION Specifies the IKE Vendor ID. | |
| SYNTAX string | | SYNTAX string | |
| | | | |
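An added example, not the draft's own code, covering the IPsecAction properties above: resolving the effective phase 2 key exchange group from UsePFS, UseIKEGroup, GroupId and VendorID, and deriving the proposed selector for each Granularity value. The Packet, FilterEntry and Selector types, and the check that the triggering packet actually lies inside the filter entry, are my assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# GroupId values in this range are vendor-specific and need VendorID to qualify them.
VENDOR_GROUP_RANGE = range(32768, 65536)

# Granularity values as the draft lists them.
SUBNET, ADDRESS, PROTOCOL, PORT = 1, 2, 3, 4


@dataclass(frozen=True)
class Phase2Group:
    group_id: int
    vendor_id: Optional[str] = None  # only set for vendor-specific groups


def effective_phase2_group(use_pfs: bool, use_ike_group: bool, group_id: int,
                           vendor_id: Optional[str],
                           phase1_group_id: int) -> Optional[Phase2Group]:
    """Resolve the phase 2 key exchange group from the IPsecAction properties."""
    if not use_pfs:
        return None  # no phase 2 Diffie-Hellman: UseIKEGroup, GroupId, VendorID ignored
    if use_ike_group:
        return Phase2Group(phase1_group_id)  # reuse phase 1's group; GroupId ignored
    if group_id in VENDOR_GROUP_RANGE:
        if not vendor_id:
            raise ValueError(f"GroupId {group_id} is vendor-specific but VendorID is empty")
        return Phase2Group(group_id, vendor_id)
    return Phase2Group(group_id)  # VendorID is ignored outside the vendor range


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for the triggering packet's selector fields."""
    src: str
    dst: str
    protocol: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class FilterEntry:
    """The matching filter entry's source and destination subnets (CIDR)."""
    src_subnet: str
    dst_subnet: str


@dataclass(frozen=True)
class Selector:
    src: str  # CIDR
    dst: str  # CIDR
    protocol: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def proposed_selector(granularity: int, packet: Packet, entry: FilterEntry) -> Selector:
    """Build the selector to propose for the SA, per the draft's Granularity values."""
    src_net = ipaddress.ip_network(entry.src_subnet)
    dst_net = ipaddress.ip_network(entry.dst_subnet)
    src_addr = ipaddress.ip_address(packet.src)
    dst_addr = ipaddress.ip_address(packet.dst)
    # A packet outside the filter entry did not legitimately trigger this rule;
    # refuse rather than propose a selector the policy never covered.
    if src_addr not in src_net or dst_addr not in dst_net:
        raise ValueError("triggering packet does not match the filter entry")
    if granularity == SUBNET:
        return Selector(str(src_net), str(dst_net))
    host_src = f"{src_addr}/{src_addr.max_prefixlen}"
    host_dst = f"{dst_addr}/{dst_addr.max_prefixlen}"
    if granularity == ADDRESS:
        return Selector(host_src, host_dst)
    if granularity == PROTOCOL:
        return Selector(host_src, host_dst, packet.protocol)
    if granularity == PORT:
        if packet.sport is None or packet.dport is None:
            raise ValueError("port granularity needs layer 4 ports on the triggering packet")
        return Selector(host_src, host_dst, packet.protocol, packet.sport, packet.dport)
    raise ValueError(f"unknown Granularity value {granularity}")
```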
| 6.11. The Class IPsecTransportAction | | 6.12. The Class IPsecTransportAction | |
| | | | |
| The class IPsecTransportAction is a subclass of IPsecAction that is | | The class IPsecTransportAction is a subclass of IPsecAction that is | |
| used to specify use of an IPsec transport-mode security association. | | used to specify use of an IPsec transport-mode security association. | |
| The class definition for IPsecTransportAction is as follows: | | The class definition for IPsecTransportAction is as follows: | |
| | | | |
| NAME IPsecTransportAction | | NAME IPsecTransportAction | |
| DESCRIPTION Specifies that an IPsec transport-mode security | | DESCRIPTION Specifies that an IPsec transport-mode security | |
| association should be negotiated. | | association should be negotiated. | |
| DERIVED FROM IPsecAction | | DERIVED FROM IPsecAction | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| | | | |
| 6.12. The Class IPsecTunnelAction | | 6.13. The Class IPsecTunnelAction | |
| | | | |
| The class IPsecTunnelAction is a subclass of IPsecAction that is | | The class IPsecTunnelAction is a subclass of IPsecAction that is | |
| used to specify use of an IPsec tunnel-mode security association. | | used to specify use of an IPsec tunnel-mode security association. | |
| The class definition for IPsecTunnelAction is as follows: | | The class definition for IPsecTunnelAction is as follows: | |
| | | | |
| NAME IPsecTunnelAction | | NAME IPsecTunnelAction | |
| DESCRIPTION Specifies that an IPsec tunnel-mode security | | DESCRIPTION Specifies that an IPsec tunnel-mode security | |
| association should be negotiated. | | association should be negotiated. | |
| DERIVED FROM IPsecAction | | DERIVED FROM IPsecAction | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES DFHandling | | PROPERTIES DFHandling | |
| | | | |
| 6.12.1. The Property DFHandling | | 6.13.1. The Property DFHandling | |
| | | | |
| The property DFHandling specifies how the tunnel should manage the | | The property DFHandling specifies how the tunnel should manage the | |
| Don't Fragment (DF) bit. The property is defined as follows: | | Don't Fragment (DF) bit. The property is defined as follows: | |
| | | | |
| NAME DFHandling | | NAME DFHandling | |
| DESCRIPTION Specifies how to process the DF bit. | | DESCRIPTION Specifies how to process the DF bit. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| VALUE 1 - Copy the DF bit from the internal IP header to the | | VALUE 1 - Copy the DF bit from the internal IP header to the | |
| external IP header. | | external IP header. | |
| 2 - Set the DF bit of the external IP header to 1. | | 2 - Set the DF bit of the external IP header to 1. | |
| 3 - Clear the DF bit of the external IP header to 0. | | 3 - Clear the DF bit of the external IP header to 0. | |
| | | | |
| 6.13. The Class IKEAction | | 6.14. The Class IKEAction | |
| | | | |
| The class IKEAction specifies the parameters that are to be used for | | The class IKEAction specifies the parameters that are to be used for | |
| IKE phase 1 negotiation. The class definition for IKEAction is as | | IKE phase 1 negotiation. The class definition for IKEAction is as | |
| follows: | | follows: | |
| | | | |
| NAME IKEAction | | NAME IKEAction | |
| DESCRIPTION Specifies the IKE phase 1 negotiation parameters. | | DESCRIPTION Specifies the IKE phase 1 negotiation parameters. | |
| DERIVED FROM SANegotiationAction | | DERIVED FROM IKENegotiationAction | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES RefreshThresholdDerivedKeys | | PROPERTIES RefreshThresholdDerivedKeys | |
| ExchangeMode | | ExchangeMode | |
| UseIKEIdentityType | | UseIKEIdentityType | |
| VendorID | | VendorID | |
| AggressiveModeGroupId | | AggressiveModeGroupId | |
| | | | |
| 6.13.1. The Property RefreshThresholdDerivedKeys | | 6.14.1. The Property RefreshThresholdDerivedKeys | |
| | | | |
| The property RefreshThresholdDerivedKeys specifies what percentage | | The property RefreshThresholdDerivedKeys specifies what percentage | |
| of the derived key limit (see the LifetimeDerivedKeys property of | | of the derived key limit (see the LifetimeDerivedKeys property of | |
| IKEProposal) can expire before IKE should attempt to renegotiate the | | IKEProposal) can expire before IKE should attempt to renegotiate the | |
| IKE phase 1 security association. A random value may be added to | | IKE phase 1 security association. A random value may be added to | |
| the calculated threshold (percentage x derived key limit) to reduce | | the calculated threshold (percentage x derived key limit) to reduce | |
| the chance of both peers attempting to renegotiate at the same time. | | the chance of both peers attempting to renegotiate at the same time. | |
| The property is defined as follows: | | The property is defined as follows: | |
| | | | |
| NAME RefreshThresholdDerivedKeys | | NAME RefreshThresholdDerivedKeys | |
| DESCRIPTION Specifies the percentage of derived key limit that has | | DESCRIPTION Specifies the percentage of derived key limit that has | |
| expired before the IKE phase 1 security association is | | expired before the IKE phase 1 security association is | |
| renegotiated. | | renegotiated. | |
| SYNTAX unsigned 8-bit integer | | SYNTAX unsigned 8-bit integer | |
| VALUE A value between 1 and 100 representing a percentage. A | | VALUE A value between 1 and 100 representing a percentage. A | |
| value of 100 indicates that the IKE phase 1 security | | value of 100 indicates that the IKE phase 1 security | |
| association should not be renegotiated until the | | association should not be renegotiated until the | |
| derived key limit has been reached. | | derived key limit has been reached. | |
| | | | |
| 6.13.2. The Property ExchangeMode | | 6.14.2. The Property ExchangeMode | |
| | | | |
| The property ExchangeMode specifies which IKE mode should be used | | The property ExchangeMode specifies which IKE mode should be used | |
| for IKE phase 1 negotiations. The property is defined as follows: | | for IKE phase 1 negotiations. The property is defined as follows: | |
| | | | |
| NAME ExchangeMode | | NAME ExchangeMode | |
| DESCRIPTION Specifies the IKE negotiation mode for phase 1. | | DESCRIPTION Specifies the IKE negotiation mode for phase 1. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| VALUE 1 - base mode | | VALUE 1 - base mode | |
| 2 - main mode | | 2 - main mode | |
| 4 - aggressive mode | | 4 - aggressive mode | |
| | | | |
|
| 6.13.3. The Property UseIKEIdentityType | | 6.14.3. The Property UseIKEIdentityType | |
| | | | |
| The property UseIKEIdentityType specifies what IKE identity type | | The property UseIKEIdentityType specifies what IKE identity type | |
| should be used when negotiating with the peer. This information is | | should be used when negotiating with the peer. This information is | |
| used in conjunction with the IKE identities available on the system | | used in conjunction with the IKE identities available on the system | |
| and the IdentityContexts of the matching IKERule. The property is | | and the IdentityContexts of the matching IKERule. The property is | |
| defined as follows: | | defined as follows: | |
| | | | |
| NAME UseIKEIdentityType | | NAME UseIKEIdentityType | |
| DESCRIPTION Specifies the IKE identity to use during negotiation. | | DESCRIPTION Specifies the IKE identity to use during negotiation. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| | | | |
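Review bot: the jitter rule for RefreshThresholdKilobytes ("A random value may be added to the calculated threshold (percentage x derived key limit)") can push the renegotiation point past the derived key limit, most obviously when the value is 100, where the text already says the SA "should not be renegotiated until the derived key limit has been reached"; the result is a phase 1 SA that expires before rekeying starts. State that the random value is bounded so that threshold plus jitter stays below the derived key limit (or that the jitter is subtracted rather than added), and that a value of 100 disables jitter. Two wording points in the same hunk: the DESCRIPTION "percentage of derived key limit that has expired" should say "consumed", since a kilobyte limit is used up rather than expired; and the ExchangeMode values 1, 2, 4 read like a bit mask although the property is a single selector that 6.14.5 later tests with "ExchangeMode is set to 4", so say that exactly one of the listed values is used.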
| skipping to change at page 42, line 42 | | skipping to change at page 43, line 12 | |
| 3 - User FQDN | | 3 - User FQDN | |
| 4 - IPv4 Subnet | | 4 - IPv4 Subnet | |
| 5 - IPv6 Address | | 5 - IPv6 Address | |
| 6 - IPv6 Subnet | | 6 - IPv6 Subnet | |
| 7 - IPv4 Address Range | | 7 - IPv4 Address Range | |
| 8 - IPv6 Address Range | | 8 - IPv6 Address Range | |
| 9 - DER-Encoded ASN.1 X.500 Distinguished Name | | 9 - DER-Encoded ASN.1 X.500 Distinguished Name | |
| 10 - DER-Encoded ASN.1 X.500 GeneralName | | 10 - DER-Encoded ASN.1 X.500 GeneralName | |
| 11 - Key ID | | 11 - Key ID | |
| | | | |
|
| 6.13.4. The Property VendorID | | 6.14.4. The Property VendorID | |
| | | | |
| The property VendorID specifies the value to be used in the Vendor | | The property VendorID specifies the value to be used in the Vendor | |
| ID payload. The property is defined as follows: | | ID payload. The property is defined as follows: | |
| | | | |
| NAME VendorID | | NAME VendorID | |
| DESCRIPTION Vendor ID Payload. | | DESCRIPTION Vendor ID Payload. | |
| SYNTAX string | | SYNTAX string | |
| VALUE A value of NULL means that Vendor ID payload will be | | VALUE A value of NULL means that Vendor ID payload will be | |
| neither generated nor accepted. A non-NULL value means | | neither generated nor accepted. A non-NULL value means | |
| that a Vendor ID payload will be generated (when acting | | that a Vendor ID payload will be generated (when acting | |
| as an initiator) or is expected (when acting as a | | as an initiator) or is expected (when acting as a | |
| responder). | | responder). | |
| | | | |
|
| 6.13.5. The Property AggressiveModeGroupId | | 6.14.5. The Property AggressiveModeGroupId | |
| | | | |
| The property AggressiveModeGroupId specifies which group ID is to be | | The property AggressiveModeGroupId specifies which group ID is to be | |
| used in the first packets of the phase 1 negotiation. This property | | used in the first packets of the phase 1 negotiation. This property | |
| is ignored unless the property ExchangeMode is set to 4 (aggressive | | is ignored unless the property ExchangeMode is set to 4 (aggressive | |
| mode). If the AggressiveModeGroupID number is from the vendor- | | mode). If the AggressiveModeGroupID number is from the vendor- | |
| specific range (32768-65535), the property VendorID qualifies the | | specific range (32768-65535), the property VendorID qualifies the | |
| group number. The property is defined as follows: | | group number. The property is defined as follows: | |
| | | | |
| NAME AggressiveModeGroupId | | NAME AggressiveModeGroupId | |
| DESCRIPTION Specifies the group ID to be used for aggressive mode. | | DESCRIPTION Specifies the group ID to be used for aggressive mode. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| | | | |
|
| 6.14. The Class PeerGateway | | 6.15. The Class PeerGateway | |
| | | | |
| The class PeerGateway specifies the security gateway with which the | | The class PeerGateway specifies the security gateway with which the | |
| IKE services negotiates. The class definition for PeerGateway is as | | IKE services negotiates. The class definition for PeerGateway is as | |
| follows: | | follows: | |
| | | | |
| NAME PeerGateway | | NAME PeerGateway | |
| DESCRIPTION Specifies the security gateway with which to negotiate. | | DESCRIPTION Specifies the security gateway with which to negotiate. | |
|
| DERIVED FROM LogicalElement (see Appendix A) | | DERIVED FROM LogicalElement (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Name | | PROPERTIES Name | |
| PeerIdentityType | | PeerIdentityType | |
| PeerIdentity | | PeerIdentity | |
| | | | |
|
| 6.14.1. The Property Name | | 6.15.1. The Property Name | |
| | | | |
| The property Name specifies a user-friendly name for this security | | The property Name specifies a user-friendly name for this security | |
| gateway. The property is defined as follows: | | gateway. The property is defined as follows: | |
| | | | |
| NAME Name | | NAME Name | |
| DESCRIPTION Specifies a user-friendly name for this security | | DESCRIPTION Specifies a user-friendly name for this security | |
| gateway. | | gateway. | |
| SYNTAX string | | SYNTAX string | |
| | | | |
|
| 6.14.2. The Property PeerIdentityType | | 6.15.2. The Property PeerIdentityType | |
| | | | |
| The property PeerIdentityType specifies the IKE identity type of the | | The property PeerIdentityType specifies the IKE identity type of the | |
| security gateway. The property is defined as follows: | | security gateway. The property is defined as follows: | |
| | | | |
| NAME PeerIdentityType | | NAME PeerIdentityType | |
| DESCRIPTION Specifies the IKE identity type of the security | | DESCRIPTION Specifies the IKE identity type of the security | |
| gateway. | | gateway. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| VALUE 1 - IPv4 Address | | VALUE 1 - IPv4 Address | |
| 2 - FQDN | | 2 - FQDN | |
| 3 - User FQDN | | 3 - User FQDN | |
| 4 - IPv4 Subnet | | 4 - IPv4 Subnet | |
| 5 - IPv6 Address | | 5 - IPv6 Address | |
| 6 - IPv6 Subnet | | 6 - IPv6 Subnet | |
| 7 - IPv4 Address Range | | 7 - IPv4 Address Range | |
| 8 - IPv6 Address Range | | 8 - IPv6 Address Range | |
| 9 - DER-Encoded ASN.1 X.500 Distinguished Name | | 9 - DER-Encoded ASN.1 X.500 Distinguished Name | |
| 10 - DER-Encoded ASN.1 X.500 GeneralName | | 10 - DER-Encoded ASN.1 X.500 GeneralName | |
| 11 - Key ID | | 11 - Key ID | |
| | | | |
|
| 6.14.3. The Property PeerIdentity | | 6.15.3. The Property PeerIdentity | |
| | | | |
| The property PeerIdentity specifies the IKE identity value of the | | The property PeerIdentity specifies the IKE identity value of the | |
| security gateway. A conversion may be needed between the | | security gateway. A conversion may be needed between the | |
| PeerIdentity string representation and the real value used in the ID | | PeerIdentity string representation and the real value used in the ID | |
| payload (e.g. IP address is to be converted from a dotted decimal | | payload (e.g. IP address is to be converted from a dotted decimal | |
| string into 4 bytes). The property is defined as follows: | | string into 4 bytes). The property is defined as follows: | |
| | | | |
| NAME PeerIdentity | | NAME PeerIdentity | |
| DESCRIPTION Specifies the IKE identity value of the security | | DESCRIPTION Specifies the IKE identity value of the security | |
| gateway. | | gateway. | |
| SYNTAX string | | SYNTAX string | |
| | | | |
|
| 6.15. The Association Class PeerGatewayForTunnel | | 6.16. The Association Class PeerGatewayForTunnel | |
| | | | |
| The class PeerGatewayForTunnel associates IPsecTunnelActions with an | | The class PeerGatewayForTunnel associates IPsecTunnelActions with an | |
| ordered list of PeerGateways. The class definition for | | ordered list of PeerGateways. The class definition for | |
| PeerGatewayForTunnel is as follows: | | PeerGatewayForTunnel is as follows: | |
| | | | |
| NAME PeerGatewayForTunnel | | NAME PeerGatewayForTunnel | |
| DESCRIPTION Associates IPsecTunnelActions with an ordered list of | | DESCRIPTION Associates IPsecTunnelActions with an ordered list of | |
| PeerGateways. | | PeerGateways. | |
|
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref PeerGateway[0..n]] | | PROPERTIES Antecedent [ref PeerGateway[0..n]] | |
| Dependent [ref IPsecTunnelAction[0..n]] | | Dependent [ref IPsecTunnelAction[0..n]] | |
| SequenceNumber | | SequenceNumber | |
| | | | |
|
| 6.15.1. The Reference Antecedent | | 6.16.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to a PeerGateway instance. The [0..n] | | overridden to refer to a PeerGateway instance. The [0..n] | |
| cardinality indicates that there an IPsecTunnelAction instance may | | cardinality indicates that there an IPsecTunnelAction instance may | |
| be associated with zero or more PeerGateway instances. | | be associated with zero or more PeerGateway instances. | |
| | | | |
| Note: the cardinality 0 has a specific meaning: | | Note: the cardinality 0 has a specific meaning: | |
| | | | |
|
| - when the IKE service acts as a responder, this means that the | | - when the IKE service acts as a responder, this means that | |
| IKE service will accept phase 1 negotiation with any other | | the IKE service will accept phase 1 negotiation with any | |
| security gateway; | | other security gateway; | |
| - when the IKE service acts as an initiator, this means that | | - when the IKE service acts as an initiator, this means that | |
|
| the IKE service will use the destination IP address (of the | | the IKE service will use the destination IP address (of | |
| IP packets which triggered the SARule) as the IP address of | | the IP packets which triggered the SARule) as the IP | |
| the peer IKE entity. | | address of the peer IKE entity. | |
| | | | |
| | | 6.16.2. The Reference Dependent | |
| | | | |
|
| 6.15.2. The Reference Dependent | | | |
| The property Dependent is inherited from Dependency and is | | The property Dependent is inherited from Dependency and is | |
| overridden to refer to an IPsecTunnelAction instance. The [0..n] | | overridden to refer to an IPsecTunnelAction instance. The [0..n] | |
| cardinality indicates that a PeerGateway instance may be associated | | cardinality indicates that a PeerGateway instance may be associated | |
| with zero or more IPsecTunnelAction instances. | | with zero or more IPsecTunnelAction instances. | |
| | | | |
|
| 6.15.3. The Property SequenceNumber | | 6.16.3. The Property SequenceNumber | |
| | | | |
| The property SequenceNumber specifies the ordering to be used when | | The property SequenceNumber specifies the ordering to be used when | |
| evaluating PeerGateway instances for a given IPsecTunnelAction. . | | evaluating PeerGateway instances for a given IPsecTunnelAction. . | |
| The property is defined as follows: | | The property is defined as follows: | |
| | | | |
| NAME SequenceNumber | | NAME SequenceNumber | |
| DESCRIPTION Specifies the order of evaluation for PeerGateways. | | DESCRIPTION Specifies the order of evaluation for PeerGateways. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| VALUE Lower values are evaluated first. | | VALUE Lower values are evaluated first. | |
| | | | |
|
| 6.16. The Aggregation Class ContainedProposal | | 6.17. The Aggregation Class ContainedProposal | |
| | | | |
| The class ContainedProposal associates an ordered list of | | The class ContainedProposal associates an ordered list of | |
|
| SAProposals with the SANegotiationAction that aggregates it. If the | | SAProposals with the IKENegotiationAction that aggregates it. If | |
| referenced SANegotiationAction object is an IKEAction, then the | | the referenced IKENegotiationAction object is an IKEAction, then the | |
| referenced SAProposal object(s) must be IKEProposal(s). If the | | referenced SAProposal object(s) must be IKEProposal(s). If the | |
|
| referenced SANegotiationAction object is an IPsecTransportAction or | | referenced IKENegotiationAction object is an IPsecTransportAction or | |
| an IPsecTunnelAction, then the referenced SAProposal object(s) must | | an IPsecTunnelAction, then the referenced SAProposal object(s) must | |
| be IPsecProposal(s). The class definition for ContainedProposal is | | be IPsecProposal(s). The class definition for ContainedProposal is | |
| as follows: | | as follows: | |
| | | | |
| NAME ContainedProposal | | NAME ContainedProposal | |
| DESCRIPTION Associates an ordered list of SAProposals with an | | DESCRIPTION Associates an ordered list of SAProposals with an | |
|
| SANegotiationAction. | | IKENegotiationAction. | |
| | | | |
| DERIVED FROM PolicyComponent (see [PCIM]) | | DERIVED FROM PolicyComponent (see [PCIM]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
|
| PROPERTIES GroupComponent[ref SANegotiationAction[0..n]] | | PROPERTIES GroupComponent[ref IKENegotiationAction[0..n]] | |
| PartComponent[ref SAProposal[1..n]] | | PartComponent[ref SAProposal[1..n]] | |
| SequenceNumber | | SequenceNumber | |
| | | | |
|
| 6.16.1. The Reference GroupComponent | | 6.17.1. The Reference GroupComponent | |
| | | | |
|
| - The property GroupComponent is inherited from PolicyComponent | | - The property GroupComponent is inherited from | |
| and is overridden to refer to an SANegotiationAction | | PolicyComponent and is overridden to refer to an | |
| instance. The [0..n] cardinality indicates that an | | IKENegotiationAction instance. The [0..n] cardinality | |
| SAProposal instance may be associated with zero or more | | indicates that an SAProposal instance may be associated with | |
| SANegotiationAction instances. | | zero or more IKENegotiationAction instances. | |
| | | | |
|
| 6.16.2. The Reference PartComponent | | 6.17.2. The Reference PartComponent | |
| | | | |
| The property PartComponent is inherited from PolicyComponent and is | | The property PartComponent is inherited from PolicyComponent and is | |
| overridden to refer to an SAProposal instance. The [1..n] | | overridden to refer to an SAProposal instance. The [1..n] | |
|
| cardinality indicates that an SANegotiationAction instance MUST be | | cardinality indicates that an IKENegotiationAction instance MUST be | |
| associated with at least one SAProposal instance. | | associated with at least one SAProposal instance. | |
| | | | |
|
| 6.16.3. The Property SequenceNumber | | 6.17.3. The Property SequenceNumber | |
| | | | |
| The property SequenceNumber specifies the order of preference for | | The property SequenceNumber specifies the order of preference for | |
| the SAProposals. The property is defined as follows: | | the SAProposals. The property is defined as follows: | |
| | | | |
| NAME SequenceNumber | | NAME SequenceNumber | |
| DESCRIPTION Specifies the preference order for the SAProposals. | | DESCRIPTION Specifies the preference order for the SAProposals. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
| VALUE Lower-valued proposals are preferred over proposals | | VALUE Lower-valued proposals are preferred over proposals | |
| with higher values. For ContainedProposals that | | with higher values. For ContainedProposals that | |
|
| reference the same SANegotiationAction, SequenceNumber | | reference the same IKENegotiationAction, SequenceNumber | |
| values must be unique. | | values must be unique. | |
| | | | |
|
| 6.17. The Association Class HostedPeerGatewayInformation | | 6.18. The Association Class HostedPeerGatewayInformation | |
| | | | |
| The class HostedPeerGatewayInformation weakly associates a | | The class HostedPeerGatewayInformation weakly associates a | |
| PeerGateway with a System. The class definition for | | PeerGateway with a System. The class definition for | |
| HostedPeerGatewayInformation is as follows: | | HostedPeerGatewayInformation is as follows: | |
| | | | |
| NAME HostedPeerGatewayInformation | | NAME HostedPeerGatewayInformation | |
| DESCRIPTION Weakly associates a PeerGateway with a System. | | DESCRIPTION Weakly associates a PeerGateway with a System. | |
|
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref System[1..1]] | | PROPERTIES Antecedent [ref System[1..1]] | |
| Dependent [ref PeerGateway[0..n] [weak]] | | Dependent [ref PeerGateway[0..n] [weak]] | |
| | | | |
|
| 6.17.1. The Reference Antecedent | | 6.18.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to a System instance. The [1..1] cardinality | | overridden to refer to a System instance. The [1..1] cardinality | |
| indicates that a PeerGateway instance MUST be associated with one | | indicates that a PeerGateway instance MUST be associated with one | |
| and only one System instance. | | and only one System instance. | |
| | | | |
|
| 6.17.2. The Reference Dependent | | 6.18.2. The Reference Dependent | |
| | | | |
| The property Dependent is inherited from Dependency and is | | The property Dependent is inherited from Dependency and is | |
| overridden to refer to a PeerGateway instance. The [0..n] | | overridden to refer to a PeerGateway instance. The [0..n] | |
| cardinality indicates that a System instance may be associated with | | cardinality indicates that a System instance may be associated with | |
| zero or more PeerGateway instances. | | zero or more PeerGateway instances. | |
| | | | |
|
| 6.18. The Association Class TransformOfPreconfiguredAction | | 6.19. The Association Class TransformOfPreconfiguredAction | |
| | | | |
| The class TransformOfPreconfiguredAction associates a | | The class TransformOfPreconfiguredAction associates a | |
| PreconfiguredSAAction with from two to six SATransforms that will be | | PreconfiguredSAAction with from two to six SATransforms that will be | |
| applied to the inbound and outbound traffic. The order of | | applied to the inbound and outbound traffic. The order of | |
| application of the SATransforms is implicitly defined in [IPSEC]. | | application of the SATransforms is implicitly defined in [IPSEC]. | |
| The class definition for TransformOfPreconfiguredAction is as | | The class definition for TransformOfPreconfiguredAction is as | |
| follows: | | follows: | |
| | | | |
| NAME TransformOfPreconfiguredAction | | NAME TransformOfPreconfiguredAction | |
| DESCRIPTION Associates a PreconfiguredSAAction with from one to | | DESCRIPTION Associates a PreconfiguredSAAction with from one to | |
| three SATransforms. | | three SATransforms. | |
|
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent[ref SATransform[2..6]] | | PROPERTIES Antecedent[ref SATransform[2..6]] | |
| Dependent[ref PreconfiguredSAAction[0..n]] | | Dependent[ref PreconfiguredSAAction[0..n]] | |
| SPI | | SPI | |
| Direction | | Direction | |
| | | | |
|
| 6.18.1. The Reference Antecedent | | 6.19.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to an SATransform instance. The [2..6] | | overridden to refer to an SATransform instance. The [2..6] | |
|
| cardinality indicates that an SANegotiationAction instance may be | | cardinality indicates that an PreconfiguredSAAction instance may be | |
| associated with from two to six SATransform instances. | | associated with from two to six SATransform instances. | |
| | | | |
|
| 6.18.2. The Reference Dependent | | 6.19.2. The Reference Dependent | |
| | | | |
| The property Dependent is inherited from Dependency and is | | The property Dependent is inherited from Dependency and is | |
| overridden to refer to a PreconfiguredSAAction instance. The [0..n] | | overridden to refer to a PreconfiguredSAAction instance. The [0..n] | |
| cardinality indicates that an SATransform instance may be associated | | cardinality indicates that an SATransform instance may be associated | |
| with zero or more PreconfiguredSAAction instances. | | with zero or more PreconfiguredSAAction instances. | |
| | | | |
|
| 6.18.3. The Property SPI | | 6.19.3. The Property SPI | |
| | | | |
| The property SPI specifies the SPI to be used by the pre-configured | | The property SPI specifies the SPI to be used by the pre-configured | |
| action for the associated transform. The property is defined as | | action for the associated transform. The property is defined as | |
| follows: | | follows: | |
| | | | |
| NAME SPI | | NAME SPI | |
| DESCRIPTION Specifies the SPI to be used with the SATransform. | | DESCRIPTION Specifies the SPI to be used with the SATransform. | |
| SYNTAX unsigned 32-bit integer | | SYNTAX unsigned 32-bit integer | |
| | | | |
|
| 6.18.4. The Property Direction | | 6.19.4. The Property Direction | |
| | | | |
| The property Direction specifies whether the SPI property is for | | The property Direction specifies whether the SPI property is for | |
| inbound or for outbound traffic. The property is defined as follows: | | inbound or for outbound traffic. The property is defined as follows: | |
| | | | |
| NAME Direction | | NAME Direction | |
| DESCRIPTION Specifies whether the SA is for inbound or outbound | | DESCRIPTION Specifies whether the SA is for inbound or outbound | |
| traffic. | | traffic. | |
| SYNTAX unsigned 8-bit integer | | SYNTAX unsigned 8-bit integer | |
|
| VALUE 1 û this SA is for inbound traffic | | VALUE 1 - this SA is for inbound traffic | |
| 2 û this SA is for outbound traffic | | 2 - this SA is for outbound traffic | |
| | | | |
|
| 6.19 The Association Class PeerGatewayForPreconfiguredTunnel | | 6.20 The Association Class PeerGatewayForPreconfiguredTunnel | |
| | | | |
| The class PeerGatewayForPreconfiguredTunnel associates one or one | | The class PeerGatewayForPreconfiguredTunnel associates one or one | |
| PeerGateway with multiple PreconfiguredTunnelActions. The class | | PeerGateway with multiple PreconfiguredTunnelActions. The class | |
| definition for PeerGatewayForPreconfiguredTunnel is as follows: | | definition for PeerGatewayForPreconfiguredTunnel is as follows: | |
| | | | |
| NAME PeerGatewayForPreconfiguredTunnel | | NAME PeerGatewayForPreconfiguredTunnel | |
| DESCRIPTION Associates a PeerGateway with multiple | | DESCRIPTION Associates a PeerGateway with multiple | |
| PreconfiguredTunnelAction. | | PreconfiguredTunnelAction. | |
|
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent[ref PeerGateway[0..1]] | | PROPERTIES Antecedent[ref PeerGateway[0..1]] | |
| Dependent[ref PreconfiguredTunnelAction[0..n]] | | Dependent[ref PreconfiguredTunnelAction[0..n]] | |
| | | | |
|
| 6.19.1. The Reference Antecedent | | 6.20.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to an PeerGateway instance. The [0..1] | | overridden to refer to an PeerGateway instance. The [0..1] | |
| cardinality indicates that an PreconfiguredTunnelAction instance may | | cardinality indicates that an PreconfiguredTunnelAction instance may | |
| be associated with one PeerGteway instance. | | be associated with one PeerGteway instance. | |
| | | | |
|
| 6.19.2. The Reference Dependent | | 6.20.2. The Reference Dependent | |
| | | | |
| The property Dependent is inherited from Dependency and is | | The property Dependent is inherited from Dependency and is | |
| overridden to refer to a PreconfiguredTunnelAction instance. The | | overridden to refer to a PreconfiguredTunnelAction instance. The | |
| [0..n] cardinality indicates that an PeerGateway instance may be | | [0..n] cardinality indicates that an PeerGateway instance may be | |
| associated with zero or more PreconfiguredSAAction instances. | | associated with zero or more PreconfiguredSAAction instances. | |
| | | | |
| 7. Proposal and Transform Classes | | 7. Proposal and Transform Classes | |
| | | | |
| The proposal and transform classes model the proposal settings an | | The proposal and transform classes model the proposal settings an | |
| IPsec device will use during IKE phase 1 and 2 negotiations. | | IPsec device will use during IKE phase 1 and 2 negotiations. | |
| | | | |
| +--------------+*w 1+--------------+ | | +--------------+*w 1+--------------+ | |
| | [SAProposal] |--------| System | | | | [SAProposal] |--------| System | | |
|
| +--------------+ (a) | (Appendix A) | | | +--------------+ (a) | ([CIMCORE]) | | |
| ^ +--------------+ | | ^ +--------------+ | |
| | |1 | | | |1 | |
| +----------------------+ | | | +----------------------+ | | |
| | | | | | | | | | |
| +-------------+ +---------------+ | | | +-------------+ +---------------+ | | |
| | IKEProposal | | IPsecProposal | | | | | IKEProposal | | IPsecProposal | | | |
| +-------------+ +---------------+ | | | +-------------+ +---------------+ | | |
| *o | | | *o | | |
| |(b) |(c) | | |(b) |(c) | |
| n| | | | n| | | |
| | | | |
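Review bot: TransformOfPreconfiguredAction is inconsistent with itself: the introductory sentence says the action is associated "with from two to six SATransforms", the DESCRIPTION says "from one to three SATransforms", and the Antecedent reference is SATransform[2..6]. Since SPI and Direction are properties of the association, the intended model appears to be one to three transforms, each referenced once per direction, giving two to six association instances; say that explicitly and make the three statements agree. Other points in this hunk, in order: in PeerGatewayForTunnel, "indicates that there an IPsecTunnelAction instance may be associated" has a stray "there", and the SequenceNumber paragraph ends with ". ."; the responder-side meaning of cardinality 0 ("will accept phase 1 negotiation with any other security gateway") should say that the peer is still authenticated through the IKEService identities and credentials, otherwise it reads as unauthenticated acceptance of any initiator; in IKEAction, a VendorID of NULL means no Vendor ID payload is generated, yet AggressiveModeGroupId says a vendor-range value (32768-65535) is qualified by VendorID, so define a vendor-range group ID with NULL VendorID as a configuration error, and say what a responder does when a non-NULL VendorID is "expected" but the peer sends none or a different one; 6.17.1 GroupComponent is set as a dash bullet while every sibling reference section is a plain paragraph; in PeerGatewayForPreconfiguredTunnel, "associates one or one PeerGateway" should be "zero or one" to match PeerGateway[0..1], "PeerGteway" is a typo, 6.20.2 should say "zero or more PreconfiguredTunnelAction instances" rather than PreconfiguredSAAction, and "an PeerGateway", "an PreconfiguredTunnelAction" and "an PreconfiguredSAAction" (6.19.1) need "a".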
| skipping to change at page 51, line 44 | | skipping to change at page 51, line 44 | |
| The property GroupId specifies the proposed phase 1 security | | The property GroupId specifies the proposed phase 1 security | |
| association key exchange group. This property is ignored for all | | association key exchange group. This property is ignored for all | |
| aggressive mode exchanges. If the GroupID number is from the | | aggressive mode exchanges. If the GroupID number is from the | |
| vendor-specific range (32768-65535), the property VendorID qualifies | | vendor-specific range (32768-65535), the property VendorID qualifies | |
| the group number. The property is defined as follows: | | the group number. The property is defined as follows: | |
| | | | |
| NAME GroupId | | NAME GroupId | |
| DESCRIPTION Specifies the proposed key exchange group for the phase | | DESCRIPTION Specifies the proposed key exchange group for the phase | |
| 1 security association. | | 1 security association. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
|
| VALUE 0 û Not applicable: used for aggressive mode. Consult | | VALUE 0 - Not applicable: used for aggressive mode. Consult | |
| [IKE] for other valid values. | | [IKE] for other valid values. | |
| | | | |
| 7.2.6. The Property AuthenticationMethod | | 7.2.6. The Property AuthenticationMethod | |
| | | | |
| The property AuthenticationMethod specifies the proposed phase 1 | | The property AuthenticationMethod specifies the proposed phase 1 | |
| authentication method. The property is defined as follows: | | authentication method. The property is defined as follows: | |
| | | | |
| NAME AuthenticationMethod | | NAME AuthenticationMethod | |
| DESCRIPTION Specifies the proposed authentication method for the | | DESCRIPTION Specifies the proposed authentication method for the | |
| phase 1 security association. | | phase 1 security association. | |
| | | | |
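Review bot: GroupId in IKEProposal is "ignored for all aggressive mode exchanges" with VALUE 0 reserved for that case, but the text does not say where the group comes from then; add a cross-reference to AggressiveModeGroupId in IKEAction (6.14.5 in -04), which supplies it, and say whether an IKEProposal with GroupId 0 may be referenced from an action whose ExchangeMode is main or base mode (presumably not). The sentence "If the GroupID number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number" is duplicated from 6.14.5 and has the same gap: VendorID may be NULL, which means no Vendor ID payload is sent. Also "GroupID" and "GroupId" are both used for the same property in this paragraph; pick one.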
| skipping to change at page 57, line 30 | | skipping to change at page 57, line 30 | |
| 7.7.1. The Property Algorithm | | 7.7.1. The Property Algorithm | |
| | | | |
| The property Algorithm specifies the transform ID of the IPCOMP | | The property Algorithm specifies the transform ID of the IPCOMP | |
| compression algorithm to propose. The property is defined as | | compression algorithm to propose. The property is defined as | |
| follows: | | follows: | |
| | | | |
| NAME Algorithm | | NAME Algorithm | |
| DESCRIPTION Specifies the transform ID of the IPCOMP compression | | DESCRIPTION Specifies the transform ID of the IPCOMP compression | |
| algorithm. | | algorithm. | |
| SYNTAX unsigned 16-bit integer | | SYNTAX unsigned 16-bit integer | |
|
| VALUE 1 û OUI: a vendor specific algorithm is used and | | VALUE 1 - OUI: a vendor specific algorithm is used and | |
| specified in the property PrivateAlgorithm. Consult | | specified in the property PrivateAlgorithm. Consult | |
| [DOI] for other valid values. | | [DOI] for other valid values. | |
| | | | |
| 7.7.2. The Property DictionarySize | | 7.7.2. The Property DictionarySize | |
| | | | |
| The property DictionarySize specifies the log2 maximum size of the | | The property DictionarySize specifies the log2 maximum size of the | |
| dictionary for the compression algorithm. For compression | | dictionary for the compression algorithm. For compression | |
| algorithms that have pre-defined dictionary sizes, this value is | | algorithms that have pre-defined dictionary sizes, this value is | |
| ignored. The property is defined as follows: | | ignored. The property is defined as follows: | |
| | | | |
| | | | |
| skipping to change at page 61, line 9 | | skipping to change at page 61, line 9 | |
| | | | |
| The property Dependent is inherited from PolicyInSystem and is | | The property Dependent is inherited from PolicyInSystem and is | |
| overridden to refer to an SATransform instance. The [0..n] | | overridden to refer to an SATransform instance. The [0..n] | |
| cardinality indicates that a System instance may be associated with | | cardinality indicates that a System instance may be associated with | |
| zero or more SATransform instances. | | zero or more SATransform instances. | |
| | | | |
| 8. IKE Service and Identity Classes | | 8. IKE Service and Identity Classes | |
| | | | |
| +--------------+ +-------------------+ | | +--------------+ +-------------------+ | |
| | System | | PeerIdentityEntry | | | | System | | PeerIdentityEntry | | |
|
| | (Appendix A) | +-------------------+ | | | ([CIMCORE]) | +-------------------+ | |
| +--------------+ |*w | | +--------------+ |*w | |
| 1| (a) (b) | | | 1| (a) (b) | | |
| +---+ +------------+ | | +---+ +------------+ | |
| | | | | | | | |
| |*w 1 o | | |*w 1 o | |
| +-------------+ +-------------------+ +---------------------+ | | +-------------+ +-------------------+ +---------------------+ | |
| | PeerGateway | | PeerIdentityTable | | AutostartIKESetting | | | | PeerGateway | | PeerIdentityTable | | AutostartIKESetting | | |
| +-------------+ +-------------------+ +---------------------+ | | +-------------+ +-------------------+ +---------------------+ | |
| *| *| *| *| | | *| *| *| *| | |
| +----------------------+ |(d) +----------+ | | | +----------------------+ |(d) +----------+ | | |
| (c) *| *| *| (e) | | | (c) *| *| *| (e) | | |
| *+------------+* |(f) | | *+------------+* |(f) | |
| +-----------------| IKEService |-----+ | | | +-----------------| IKEService |-----+ | | |
| | (g) +------------+ |(h) | | | | (g) +------------+ |(h) | | |
| 0..1| *| *| *o | | 0..1| *| *| *o | |
| +--------------------+ | +---------------------------+ | | +--------------------+ | +---------------------------+ | |
| | IPProtocolEndpoint | | | AutostartIKEConfiguration | | | | IPProtocolEndpoint | | | AutostartIKEConfiguration | | |
|
| | (Appendix C) | (i)| +---------------------------+ | | | ([CIMNETWORK]) | (i)| +---------------------------+ | |
| +--------------------+ | | | +--------------------+ | | |
| 0..1| | | | 0..1| | | |
| |(j) +----------------+ | | |(j) +----------------+ | |
| *| |* | | *| |* | |
| +-------------+* (k) +------------+ +-----------------------------+ | | +-------------+* (k) +------------+ +-----------------------------+ | |
| | IKEIdentity |-------| Collection | | CredentialManagementService | | | | IKEIdentity |-------| Collection | | CredentialManagementService | | |
| +-------------+ 0..1|(Appendix A)| | (Appendix B) | | | +-------------+ 0..1| ([CIMCORE])| | ([CIMUSER]) | | |
| *| +------------+ +-----------------------------+ | | *| +------------+ +-----------------------------+ | |
| |(l) | | |(l) | |
| *| | | *| | |
| +--------------+ | | +--------------+ | |
| | Credential | | | | Credential | | |
| | (Appendix B) | | | | ([CIMUSER]) | | |
| +--------------+ | | +--------------+ | |
| | | | |
| (a) HostedPeerIdentityTable | | (a) HostedPeerIdentityTable | |
| (b) PeerIdentityMember | | (b) PeerIdentityMember | |
| (c) IKEServicePeerGateway | | (c) IKEServicePeerGateway | |
| (d) IKEServicePeerIdentityTable | | (d) IKEServicePeerIdentityTable | |
| (e) IKEAutostartSetting | | (e) IKEAutostartSetting | |
| (f) AutostartIKESettingContext | | (f) AutostartIKESettingContext | |
| (g) IKEServiceForEndpoint | | (g) IKEServiceForEndpoint | |
| (h) IKEAutostartConfiguration | | (h) IKEAutostartConfiguration | |
| | | | |
| skipping to change at page 62, line 33 | | skipping to change at page 62, line 33 | |
| The class IKEService represents the IKE negotiation function. An | | The class IKEService represents the IKE negotiation function. An | |
| instance of this service may provide that negotiation service for | | instance of this service may provide that negotiation service for | |
| one or more interfaces (represented by the IPProtocolEndpoint class) | | one or more interfaces (represented by the IPProtocolEndpoint class) | |
| of a System. There may be multiple instances of IKE services on a | | of a System. There may be multiple instances of IKE services on a | |
| System but only one per interface. The class definition for | | System but only one per interface. The class definition for | |
| IKEService is as follows: | | IKEService is as follows: | |
| | | | |
| NAME IKEService | | NAME IKEService | |
| DESCRIPTION IKEService is used to represent the IKE negotiation | | DESCRIPTION IKEService is used to represent the IKE negotiation | |
| function. | | function. | |
| DERIVED FROM NetworkService (see Appendix C) | | DERIVED FROM Service (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| | | | |
| 8.2. The Class PeerIdentityTable | | 8.2. The Class PeerIdentityTable | |
| | | | |
| The class PeerIdentityTable aggregates the table entries that | | The class PeerIdentityTable aggregates the table entries that | |
| provide mappings between identities and their addresses. The class | | provide mappings between identities and their addresses. The class | |
| definition for PeerIdentityTable is as follows: | | definition for PeerIdentityTable is as follows: | |
| | | | |
| NAME PeerIdentityTable | | NAME PeerIdentityTable | |
| DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry | | DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry | |
| instances to provide a table of identity-address | | instances to provide a table of identity-address | |
| mappings. | | mappings. | |
| DERIVED FROM Collection (see Appendix A) | | DERIVED FROM Collection (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Name | | PROPERTIES Name | |
| | | | |
| 8.2.1. The Property Name | | 8.2.1. The Property Name | |
| | | | |
| The property Name uniquely identifies the table. The property is | | The property Name uniquely identifies the table. The property is | |
| defined as follows: | | defined as follows: | |
| | | | |
| NAME Name | | NAME Name | |
| DESCRIPTION Name uniquely identifies the table. | | DESCRIPTION Name uniquely identifies the table. | |
| | | | |
| skipping to change at page 63, line 16 | | skipping to change at page 63, line 16 | |
| | | | |
| 8.3. The Class PeerIdentityEntry | | 8.3. The Class PeerIdentityEntry | |
| | | | |
| The class PeerIdentityEntry specifies the mapping between a peer's | | The class PeerIdentityEntry specifies the mapping between a peer's | |
| identity and its address. The class definition for | | identity and its address. The class definition for | |
| PeerIdentityEntry is as follows: | | PeerIdentityEntry is as follows: | |
| | | | |
| NAME PeerIdentityEntry | | NAME PeerIdentityEntry | |
| DESCRIPTION PeerIdentityEntry provides a mapping between a peer's | | DESCRIPTION PeerIdentityEntry provides a mapping between a peer's | |
| identity and address. | | identity and address. | |
| DERIVED FROM LogicalElement (see Appendix A) | | DERIVED FROM LogicalElement (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES PeerIdentity | | PROPERTIES PeerIdentity | |
| PeerIdentityType | | PeerIdentityType | |
| PeerAddress | | PeerAddress | |
| PeerAddressType | | PeerAddressType | |
| | | | |
| 8.3.1. The Property PeerIdentity | | 8.3.1. The Property PeerIdentity | |
| | | | |
| The property PeerIdentity contains a string encoding of the Identity | | The property PeerIdentity contains a string encoding of the Identity | |
| payload for the IKE peer. The property is defined as follows: | | payload for the IKE peer. The property is defined as follows: | |
| | | | |
| skipping to change at page 64, line 25 | | skipping to change at page 64, line 25 | |
| | | | |
| The class AutostartIKEConfiguration groups AutostartIKESetting | | The class AutostartIKEConfiguration groups AutostartIKESetting | |
| instances into configuration sets. When applied, the settings cause | | instances into configuration sets. When applied, the settings cause | |
| an IKE service to automatically start (negotiate or statically set | | an IKE service to automatically start (negotiate or statically set | |
| as appropriate) the Security Associations. The class definition for | | as appropriate) the Security Associations. The class definition for | |
| AutostartIKEConfiguration is as follows: | | AutostartIKEConfiguration is as follows: | |
| | | | |
| NAME AutostartIKEConfiguration | | NAME AutostartIKEConfiguration | |
| DESCRIPTION A configuration set of AutostartIKESetting instances to | | DESCRIPTION A configuration set of AutostartIKESetting instances to | |
| be automatically started by the IKE service. | | be automatically started by the IKE service. | |
| DERIVED FROM SystemConfiguration (see Appendix A) | | DERIVED FROM SystemConfiguration (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| | | | |
| 8.5. The Class AutostartIKESetting | | 8.5. The Class AutostartIKESetting | |
| | | | |
| The class AutostartIKESetting is used to automatically initiate IKE | | The class AutostartIKESetting is used to automatically initiate IKE | |
| negotiations with peers (or statically create an SA) as specified in | | negotiations with peers (or statically create an SA) as specified in | |
| the AutostartIKESetting properties. Appropriate actions are | | the AutostartIKESetting properties. Appropriate actions are | |
| initiated according to the policy that matches the setting | | initiated according to the policy that matches the setting | |
| parameters. The class definition for AutostartIKESetting is as | | parameters. The class definition for AutostartIKESetting is as | |
| follows: | | follows: | |
| | | | |
| NAME AutostartIKESetting | | NAME AutostartIKESetting | |
| DESCRIPTION AutostartIKESetting is used to automatically initiate | | DESCRIPTION AutostartIKESetting is used to automatically initiate | |
| IKE negotiations with peers or statically create an SA. | | IKE negotiations with peers or statically create an SA. | |
| DERIVED FROM SystemSetting (see Appendix A) | | DERIVED FROM SystemSetting (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Phase1Only | | PROPERTIES Phase1Only | |
| AddressType | | AddressType | |
| SourceAddress | | SourceAddress | |
| SourcePort | | SourcePort | |
| DestinationAddress | | DestinationAddress | |
| DestinationPort | | DestinationPort | |
| Protocol | | Protocol | |
| | | | |
| 8.5.1. The Property Phase1Only | | 8.5.1. The Property Phase1Only | |
| | | | |
| skipping to change at page 66, line 54 | | skipping to change at page 66, line 54 | |
| appropriate identity for a negotiation. The ElementID property value | | appropriate identity for a negotiation. The ElementID property value | |
| (defined in the parent class, UsersAccess) should be that of either | | (defined in the parent class, UsersAccess) should be that of either | |
| the IPProtocolEndpoint or Collection of endpoints as appropriate. | | the IPProtocolEndpoint or Collection of endpoints as appropriate. | |
| The class definition for IKEIdentity is as follows: | | The class definition for IKEIdentity is as follows: | |
| | | | |
| NAME IKEIdentity | | NAME IKEIdentity | |
| DESCRIPTION IKEIdentity is used to represent the identities that | | DESCRIPTION IKEIdentity is used to represent the identities that | |
| may be used for an IPProtocolEndpoint (or collection of | | may be used for an IPProtocolEndpoint (or collection of | |
| IPProtocolEndpoints) to identify the IKE Service in IKE | | IPProtocolEndpoints) to identify the IKE Service in IKE | |
| phase 1 negotiations. | | phase 1 negotiations. | |
| DERIVED FROM UsersAccess (see Appendix B) | | DERIVED FROM UsersAccess (see [CIMUSER]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES IdentityType | | PROPERTIES IdentityType | |
| IdentityValue | | IdentityValue | |
| IdentityContexts | | IdentityContexts | |
| | | | |
| 8.6.1. The Property IdentityType | | 8.6.1. The Property IdentityType | |
| | | | |
| The property IdentityType is an enumeration that specifies the type | | The property IdentityType is an enumeration that specifies the type | |
| of the IdentityValue. The property is defined as follows: | | of the IdentityValue. The property is defined as follows: | |
| | | | |
| | | | |
| skipping to change at page 67, line 38 | | skipping to change at page 67, line 38 | |
| NAME IdentityValue | | NAME IdentityValue | |
| DESCRIPTION IdentityValue contains a string encoding of the | | DESCRIPTION IdentityValue contains a string encoding of the | |
| Identity payload. | | Identity payload. | |
| SYNTAX string | | SYNTAX string | |
| | | | |
| 8.6.3. The Property IdentityContexts | | 8.6.3. The Property IdentityContexts | |
| | | | |
| The IdentityContexts property is used to constrain the use of | | The IdentityContexts property is used to constrain the use of | |
| IKEIdentity instances to match that specified in the | | IKEIdentity instances to match that specified in the | |
| IKERule.IdentityContexts. The IdentityContexts are formatted as | | IKERule.IdentityContexts. The IdentityContexts are formatted as | |
| policy roles and role combinations [PCIM]. Each value represents | | policy roles and role combinations [PCIM] & [PCIMe]. Each value | |
| one context or context combination. Since this is a multi-valued | | represents one context or context combination. Since this is a | |
| property, more than one context or combination of contexts can be | | multi-valued property, more than one context or combination of | |
| associated with a single IKEIdentity. Each value is a string of the | | contexts can be associated with a single IKEIdentity. Each value is | |
| form: <ContextName>[&&<ContextName>]* | | a string of the form: <ContextName>[&&<ContextName>]* | |
| where the individual context names appear in alphabetical order | | where the individual context names appear in alphabetical order | |
| (according to the collating sequence for UCS-2). If one or more | | (according to the collating sequence for UCS-2). If one or more | |
| values in the IKERule.IdentityContexts array match one or more | | values in the IKERule.IdentityContexts array match one or more | |
| IKEIdentity.IdentityContexts then the identity's context matches. | | IKEIdentity.IdentityContexts then the identity's context matches. | |
| (That is, each value of the IdentityContext array is an ORed | | (That is, each value of the IdentityContext array is an ORed | |
| condition.) In combination with the address of the | | condition.) In combination with the address of the | |
| IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be | | IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be | |
| 1 and only 1 IKEIdentity. The property is defined as follows: | | 1 and only 1 IKEIdentity. The property is defined as follows: | |
| | | | |
| NAME IdentityContexts | | NAME IdentityContexts | |
| | | | |
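The matching rule of section 8.6.3, as an added worked example in Python (not code from the draft or from any CIM implementation): it validates IdentityContexts values of the form <ContextName>[&&<ContextName>]*, applies the ORed comparison between IKERule.IdentityContexts and IKEIdentity.IdentityContexts, and enforces the expectation that, for a given endpoint address and IKEAction.UseIKEIdentityType, exactly one IKEIdentity matches. The dataclasses, the identity-type labels ("FQDN", "DN"), the context names and the sample identities are assumptions made for the example; the candidate list stands in for the identities already associated with the endpoint's address.

```python
"""IKEIdentity selection by IdentityContexts (section 8.6.3).

Added example, not code from the draft: models the context-matching rule the
text describes.  Class and property names follow the draft; the records, the
sample context names and the selection helper are constructed here.
"""
from __future__ import annotations
from dataclasses import dataclass, field


def is_well_formed(value: str) -> bool:
    """Check one IdentityContexts value of the form <ContextName>[&&<ContextName>]*.

    Names must be non-empty and appear in alphabetical order.  Python compares
    str by code point, which matches the UCS-2 collating sequence the draft
    cites for names inside the Basic Multilingual Plane (assumption).
    """
    names = value.split("&&")
    return all(names) and names == sorted(names)


@dataclass
class IKEIdentity:
    identity_type: str                       # IdentityType (type labels used below are constructed)
    identity_value: str                      # IdentityValue: string encoding of the ID payload
    identity_contexts: list[str] = field(default_factory=list)  # IdentityContexts


@dataclass
class IKERule:
    identity_contexts: list[str]             # IKERule.IdentityContexts
    use_ike_identity_type: str               # IKEAction.UseIKEIdentityType


def contexts_match(rule_contexts: list[str], identity_contexts: list[str]) -> bool:
    """Each array value is an ORed condition: the identity's context matches
    when any rule value equals any identity value.  A combination such as
    "Branch&&Finance" is one value; it does not match the bare "Branch"."""
    for value in rule_contexts + identity_contexts:
        if not is_well_formed(value):
            raise ValueError(f"malformed context value: {value!r}")
    return not set(rule_contexts).isdisjoint(identity_contexts)


def select_identity(rule: IKERule, candidates: list[IKEIdentity]) -> IKEIdentity:
    """Return the IKEIdentity an endpoint should present for this rule.

    candidates are the identities already tied to the endpoint's address
    (via EndpointHasLocalIKEIdentity / CollectionHasLocalIKEIdentity).  The
    draft says there SHOULD be 1 and only 1 match; zero or several means the
    policy is inconsistent, so that is reported instead of picking one silently.
    """
    matches = [
        ident for ident in candidates
        if ident.identity_type == rule.use_ike_identity_type
        and contexts_match(rule.identity_contexts, ident.identity_contexts)
    ]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one IKEIdentity, found {len(matches)}")
    return matches[0]


def sample_candidates() -> list[IKEIdentity]:
    """Constructed sample: identities available on one IPProtocolEndpoint."""
    return [
        IKEIdentity("FQDN", "gw1.example.net", ["Branch", "Branch&&Finance"]),
        IKEIdentity("FQDN", "gw1-hq.example.net", ["HQ"]),
        IKEIdentity("DN", "CN=gw1,O=Example", ["Branch"]),
    ]


if __name__ == "__main__":
    rule = IKERule(["Branch"], "FQDN")
    print(select_identity(rule, sample_candidates()).identity_value)
```

Note that a rule listing both "Branch" and "HQ" with UseIKEIdentityType "FQDN" matches two of the sample identities; select_identity raises in that case rather than choosing the first, which is the behaviour a policy loader should have when the "1 and only 1" expectation is violated.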
| skipping to change at page 68, line 19 | | skipping to change at page 68, line 19 | |
| 8.7. The Association Class HostedPeerIdentityTable | | 8.7. The Association Class HostedPeerIdentityTable | |
| | | | |
| The class HostedPeerIdentityTable provides the name scoping | | The class HostedPeerIdentityTable provides the name scoping | |
| relationship for PeerIdentityTable entries in a System. The | | relationship for PeerIdentityTable entries in a System. The | |
| PeerIdentityTable is weak to the System. The class definition for | | PeerIdentityTable is weak to the System. The class definition for | |
| HostedPeerIdentityTable is as follows: | | HostedPeerIdentityTable is as follows: | |
| | | | |
| NAME HostedPeerIdentityTable | | NAME HostedPeerIdentityTable | |
| DESCRIPTION The PeerIdentityTable instances are weak (name scoped | | DESCRIPTION The PeerIdentityTable instances are weak (name scoped | |
| by) the owning System. | | by) the owning System. | |
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref System[1..1]] | | PROPERTIES Antecedent [ref System[1..1]] | |
| Dependent [ref PeerIdentityTable[0..n] [weak]] | | Dependent [ref PeerIdentityTable[0..n] [weak]] | |
| | | | |
| 8.7.1. The Reference Antecedent | | 8.7.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to a System instance. The [1..1] cardinality | | overridden to refer to a System instance. The [1..1] cardinality | |
| indicates that a PeerIdentityTable instance MUST be associated in a | | indicates that a PeerIdentityTable instance MUST be associated in a | |
| weak relationship with one and only one System instance. | | weak relationship with one and only one System instance. | |
| | | | |
| skipping to change at page 68, line 47 | | skipping to change at page 68, line 47 | |
| | | | |
| 8.8. The Aggregation Class PeerIdentityMember | | 8.8. The Aggregation Class PeerIdentityMember | |
| | | | |
| The class PeerIdentityMember aggregates PeerIdentityEntry instances | | The class PeerIdentityMember aggregates PeerIdentityEntry instances | |
| into a PeerIdentityTable. This is a weak aggregation. The class | | into a PeerIdentityTable. This is a weak aggregation. The class | |
| definition for PeerIdentityMember is as follows: | | definition for PeerIdentityMember is as follows: | |
| | | | |
| NAME PeerIdentityMember | | NAME PeerIdentityMember | |
| DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry | | DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry | |
| instances into a PeerIdentityTable. | | instances into a PeerIdentityTable. | |
| DERIVED FROM MemberOfCollection (see Appendix A) | | DERIVED FROM MemberOfCollection (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Collection [ref PeerIdentityTable[1..1]] | | PROPERTIES Collection [ref PeerIdentityTable[1..1]] | |
| Member [ref PeerIdentityEntry [0..n] [weak]] | | Member [ref PeerIdentityEntry [0..n] [weak]] | |
| | | | |
| 8.8.1. The Reference Collection | | 8.8.1. The Reference Collection | |
| | | | |
| The property Collection is inherited from MemberOfCollection and is | | The property Collection is inherited from MemberOfCollection and is | |
| overridden to refer to a PeerIdentityTable instance. The [1..1] | | overridden to refer to a PeerIdentityTable instance. The [1..1] | |
| cardinality indicates that a PeerIdentityEntry instance MUST be | | cardinality indicates that a PeerIdentityEntry instance MUST be | |
| associated with one and only one PeerIdentityTable instance (i.e., | | associated with one and only one PeerIdentityTable instance (i.e., | |
| | | | |
| skipping to change at page 69, line 26 | | skipping to change at page 69, line 26 | |
| | | | |
| The class IKEServicePeerGateway provides the association between an | | The class IKEServicePeerGateway provides the association between an | |
| IKEService and the list of PeerGateway instances that it uses in | | IKEService and the list of PeerGateway instances that it uses in | |
| negotiating with security gateways. The class definition for | | negotiating with security gateways. The class definition for | |
| IKEServicePeerGateway is as follows: | | IKEServicePeerGateway is as follows: | |
| | | | |
| NAME IKEServicePeerGateway | | NAME IKEServicePeerGateway | |
| DESCRIPTION Associates an IKEService and the list of PeerGateway | | DESCRIPTION Associates an IKEService and the list of PeerGateway | |
| instances that it uses in negotiating with security | | instances that it uses in negotiating with security | |
| gateways. | | gateways. | |
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref PeerGateway[0..n]] | | PROPERTIES Antecedent [ref PeerGateway[0..n]] | |
| Dependent [ref IKEService[0..n]] | | Dependent [ref IKEService[0..n]] | |
| | | | |
| 8.9.1. The Reference Antecedent | | 8.9.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to a PeerGateway instance. The [0..n] | | overridden to refer to a PeerGateway instance. The [0..n] | |
| cardinality indicates that an IKEService instance may be associated | | cardinality indicates that an IKEService instance may be associated | |
| with zero or more PeerGateway instances. | | with zero or more PeerGateway instances. | |
| | | | |
| skipping to change at page 69, line 56 | | skipping to change at page 69, line 56 | |
| | | | |
| The class IKEServicePeerIdentityTable provides the relationship | | The class IKEServicePeerIdentityTable provides the relationship | |
| between an IKEService and a PeerIdentityTable that it uses to map | | between an IKEService and a PeerIdentityTable that it uses to map | |
| between addresses and identities as required. The class definition | | between addresses and identities as required. The class definition | |
| for IKEServicePeerIdentityTable is as follows: | | for IKEServicePeerIdentityTable is as follows: | |
| | | | |
| NAME IKEServicePeerIdentityTable | | NAME IKEServicePeerIdentityTable | |
| DESCRIPTION IKEServicePeerIdentityTable provides the relationship | | DESCRIPTION IKEServicePeerIdentityTable provides the relationship | |
| between an IKEService and a PeerIdentityTable that it | | between an IKEService and a PeerIdentityTable that it | |
| uses. | | uses. | |
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref PeerIdentityTable[0..n]] | | PROPERTIES Antecedent [ref PeerIdentityTable[0..n]] | |
| Dependent [ref IKEService[0..n]] | | Dependent [ref IKEService[0..n]] | |
| | | | |
| 8.10.1. The Reference Antecedent | | 8.10.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to a PeerIdentityTable instance. The [0..n] | | overridden to refer to a PeerIdentityTable instance. The [0..n] | |
| cardinality indicates that an IKEService instance may be associated | | cardinality indicates that an IKEService instance may be associated | |
| with zero or more PeerIdentityTable instances. | | with zero or more PeerIdentityTable instances. | |
| | | | |
| skipping to change at page 70, line 31 | | skipping to change at page 70, line 31 | |
| | | | |
| 8.11. The Association Class IKEAutostartSetting | | 8.11. The Association Class IKEAutostartSetting | |
| | | | |
| The class IKEAutostartSetting associates an AutostartIKESetting with | | The class IKEAutostartSetting associates an AutostartIKESetting with | |
| an IKEService that may use it to automatically start an IKE | | an IKEService that may use it to automatically start an IKE | |
| negotiation or create a static SA. The class definition for | | negotiation or create a static SA. The class definition for | |
| IKEAutostartSetting is as follows: | | IKEAutostartSetting is as follows: | |
| | | | |
| NAME IKEAutostartSetting | | NAME IKEAutostartSetting | |
| DESCRIPTION Associates an AutostartIKESetting with an IKEService. | | DESCRIPTION Associates an AutostartIKESetting with an IKEService. | |
| DERIVED FROM ElementSetting (see Appendix A) | | DERIVED FROM ElementSetting (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Element [ref IKEService[0..n]] | | PROPERTIES Element [ref IKEService[0..n]] | |
| Setting [ref AutostartIKESetting[0..n]] | | Setting [ref AutostartIKESetting[0..n]] | |
| | | | |
| 8.11.1. The Reference Element | | 8.11.1. The Reference Element | |
| | | | |
| The property Element is inherited from ElementSetting and is | | The property Element is inherited from ElementSetting and is | |
| overridden to refer to an IKEService instance. The [0..n] | | overridden to refer to an IKEService instance. The [0..n] | |
| cardinality indicates an AutostartIKESetting instance may be | | cardinality indicates an AutostartIKESetting instance may be | |
| associated with zero or more IKEService instances. | | associated with zero or more IKEService instances. | |
| | | | |
| skipping to change at page 71, line 8 | | skipping to change at page 71, line 8 | |
| 8.12. The Aggregation Class AutostartIKESettingContext | | 8.12. The Aggregation Class AutostartIKESettingContext | |
| | | | |
| The class AutostartIKESettingContext aggregates the settings used to | | The class AutostartIKESettingContext aggregates the settings used to | |
| automatically start negotiations or create a static SA into a | | automatically start negotiations or create a static SA into a | |
| configuration set. The class definition for | | configuration set. The class definition for | |
| AutostartIKESettingContext is as follows: | | AutostartIKESettingContext is as follows: | |
| | | | |
| NAME AutostartIKESettingContext | | NAME AutostartIKESettingContext | |
| DESCRIPTION AutostartIKESettingContext aggregates the | | DESCRIPTION AutostartIKESettingContext aggregates the | |
| AutostartIKESetting instances into a configuration set. | | AutostartIKESetting instances into a configuration set. | |
| DERIVED FROM SystemSettingContext (see Appendix A) | | DERIVED FROM SystemSettingContext (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Context [ref AutostartIKEConfiguration [0..n]] | | PROPERTIES Context [ref AutostartIKEConfiguration [0..n]] | |
| Setting [ref AutostartIKESetting [0..n]] | | Setting [ref AutostartIKESetting [0..n]] | |
| SequenceNumber | | SequenceNumber | |
| | | | |
| 8.12.1. The Reference Context | | 8.12.1. The Reference Context | |
| | | | |
| The property Context is inherited from SystemSettingContext and is | | The property Context is inherited from SystemSettingContext and is | |
| overridden to refer to an AutostartIKEConfiguration instance. The | | overridden to refer to an AutostartIKEConfiguration instance. The | |
| [0..n] cardinality indicates that an AutostartIKESetting instance | | [0..n] cardinality indicates that an AutostartIKESetting instance | |
| | | | |
| skipping to change at page 71, line 55 | | skipping to change at page 71, line 55 | |
| 8.13. The Association Class IKEServiceForEndpoint | | 8.13. The Association Class IKEServiceForEndpoint | |
| | | | |
| The class IKEServiceForEndpoint provides the association showing | | The class IKEServiceForEndpoint provides the association showing | |
| which IKE service, if any, provides IKE negotiation services for | | which IKE service, if any, provides IKE negotiation services for | |
| which network interfaces. The class definition for | | which network interfaces. The class definition for | |
| IKEServiceForEndpoint is as follows: | | IKEServiceForEndpoint is as follows: | |
| | | | |
| NAME IKEServiceForEndpoint | | NAME IKEServiceForEndpoint | |
| DESCRIPTION Associates an IPProtocolEndpoint with an IKEService | | DESCRIPTION Associates an IPProtocolEndpoint with an IKEService | |
| that provides negotiation services for the endpoint. | | that provides negotiation services for the endpoint. | |
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref IKEService[0..1]] | | PROPERTIES Antecedent [ref IKEService[0..1]] | |
| Dependent [ref IPProtocolEndpoint[0..n]] | | Dependent [ref IPProtocolEndpoint[0..n]] | |
| | | | |
| 8.13.1. The Reference Antecedent | | 8.13.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to an IKEService instance. The [0..1] | | overridden to refer to an IKEService instance. The [0..1] | |
| cardinality indicates that an IPProtocolEndpoint instance MUST be | | cardinality indicates that an IPProtocolEndpoint instance MUST be | |
| associated with at most one IKEService instance. | | associated with at most one IKEService instance. | |
| | | | |
| skipping to change at page 72, line 33 | | skipping to change at page 72, line 33 | |
| | | | |
| The class IKEAutostartConfiguration provides the relationship | | The class IKEAutostartConfiguration provides the relationship | |
| between an IKEService and a configuration set that it uses to | | between an IKEService and a configuration set that it uses to | |
| automatically start a set of SAs. The class definition for | | automatically start a set of SAs. The class definition for | |
| IKEAutostartConfiguration is as follows: | | IKEAutostartConfiguration is as follows: | |
| | | | |
| NAME IKEAutostartConfiguration | | NAME IKEAutostartConfiguration | |
| DESCRIPTION IKEAutostartConfiguration provides the relationship | | DESCRIPTION IKEAutostartConfiguration provides the relationship | |
| between an IKEService and an AutostartIKEConfiguration | | between an IKEService and an AutostartIKEConfiguration | |
| that it uses to automatically start a set of SAs. | | that it uses to automatically start a set of SAs. | |
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]] | | PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]] | |
| Dependent [ref IKEService [0..n]] | | Dependent [ref IKEService [0..n]] | |
| Active | | Active | |
| | | | |
| 8.14.1. The Reference Antecedent | | 8.14.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to an AutostartIKEConfiguration instance. The | | overridden to refer to an AutostartIKEConfiguration instance. The | |
| [0..n] cardinality indicates that an IKEService instance may be | | [0..n] cardinality indicates that an IKEService instance may be | |
| | | | |
| skipping to change at page 73, line 28 | | skipping to change at page 73, line 28 | |
| | | | |
| The class IKEUsesCredentialManagementService defines the set of | | The class IKEUsesCredentialManagementService defines the set of | |
| CredentialManagementService(s) that are trusted sources of | | CredentialManagementService(s) that are trusted sources of | |
| credentials for IKE phase 1 negotiations. The class definition for | | credentials for IKE phase 1 negotiations. The class definition for | |
| IKEUsesCredentialManagementService is as follows: | | IKEUsesCredentialManagementService is as follows: | |
| | | | |
| NAME IKEUsesCredentialManagementService | | NAME IKEUsesCredentialManagementService | |
| DESCRIPTION Associates the set of CredentialManagementService(s) | | DESCRIPTION Associates the set of CredentialManagementService(s) | |
| that are trusted by the IKEService as sources of | | that are trusted by the IKEService as sources of | |
| credentials used in IKE phase 1 negotiations. | | credentials used in IKE phase 1 negotiations. | |
| DERIVED FROM Dependency (see Appendix A) | | DERIVED FROM Dependency (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref CredentialManagementService [0..n]] | | PROPERTIES Antecedent [ref CredentialManagementService [0..n]] | |
| Dependent [ref IKEService [0..n]] | | Dependent [ref IKEService [0..n]] | |
| | | | |
| 8.15.1. The Reference Antecedent | | 8.15.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from Dependency and is | | The property Antecedent is inherited from Dependency and is | |
| overridden to refer to a CredentialManagementService instance. The | | overridden to refer to a CredentialManagementService instance. The | |
| [0..n] cardinality indicates that an IKEService instance may be | | [0..n] cardinality indicates that an IKEService instance may be | |
| associated with zero or more CredentialManagementService instances. | | associated with zero or more CredentialManagementService instances. | |
| | | | |
| skipping to change at page 74, line 8 | | skipping to change at page 74, line 8 | |
| IPProtocolEndpoint with a set of IKEIdentity instances that may be | | IPProtocolEndpoint with a set of IKEIdentity instances that may be | |
| used in negotiating security associations on the endpoint. An | | used in negotiating security associations on the endpoint. An | |
| IKEIdentity MUST be associated with either an IPProtocolEndpoint | | IKEIdentity MUST be associated with either an IPProtocolEndpoint | |
| using this association or with a collection of IKEIdentity instances | | using this association or with a collection of IKEIdentity instances | |
| using the CollectionHasLocalIKEIdentity association. The class | | using the CollectionHasLocalIKEIdentity association. The class | |
| definition for EndpointHasLocalIKEIdentity is as follows: | | definition for EndpointHasLocalIKEIdentity is as follows: | |
| | | | |
| NAME EndpointHasLocalIKEIdentity | | NAME EndpointHasLocalIKEIdentity | |
| DESCRIPTION EndpointHasLocalIKEIdentity associates an | | DESCRIPTION EndpointHasLocalIKEIdentity associates an | |
| IPProtocolEndpoint with a set of IKEIdentity instances. | | IPProtocolEndpoint with a set of IKEIdentity instances. | |
| DERIVED FROM ElementAsUser (see Appendix B) | | DERIVED FROM ElementAsUser (see [CIMUSER]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]] | | PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]] | |
| Dependent [ref IKEIdentity [0..n]] | | Dependent [ref IKEIdentity [0..n]] | |
| | | | |
| 8.16.1. The Reference Antecedent | | 8.16.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from ElementAsUser and is | | The property Antecedent is inherited from ElementAsUser and is | |
| overridden to refer to an IPProtocolEndpoint instance. The [0..1] | | overridden to refer to an IPProtocolEndpoint instance. The [0..1] | |
| cardinality indicates that an IKEIdentity instance MUST be | | cardinality indicates that an IKEIdentity instance MUST be | |
| associated with at most one IPProtocolEndpoint instance. | | associated with at most one IPProtocolEndpoint instance. | |
| | | | |
| skipping to change at page 74, line 41 | | skipping to change at page 74, line 41 | |
| that may be used in negotiating SAs for endpoints in the collection. | | that may be used in negotiating SAs for endpoints in the collection. | |
| An IKEIdentity MUST be associated with either an IPProtocolEndpoint | | An IKEIdentity MUST be associated with either an IPProtocolEndpoint | |
| using the EndpointHasLocalIKEIdentity association or with a | | using the EndpointHasLocalIKEIdentity association or with a | |
| collection of IKEIdentity instances using this association. The | | collection of IKEIdentity instances using this association. The | |
| class definition for CollectionHasLocalIKEIdentity is as follows: | | class definition for CollectionHasLocalIKEIdentity is as follows: | |
| | | | |
| NAME CollectionHasLocalIKEIdentity | | NAME CollectionHasLocalIKEIdentity | |
| DESCRIPTION CollectionHasLocalIKEIdentity associates a collection | | DESCRIPTION CollectionHasLocalIKEIdentity associates a collection | |
| of IPProtocolEndpoint instances with a set of | | of IPProtocolEndpoint instances with a set of | |
| IKEIdentity instances. | | IKEIdentity instances. | |
| DERIVED FROM ElementAsUser (see Appendix B) | | DERIVED FROM ElementAsUser (see [CIMUSER]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref Collection [0..1]] | | PROPERTIES Antecedent [ref Collection [0..1]] | |
| Dependent [ref IKEIdentity [0..n]] | | Dependent [ref IKEIdentity [0..n]] | |
| | | | |
| 8.17.1. The Reference Antecedent | | 8.17.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from ElementAsUser and is | | The property Antecedent is inherited from ElementAsUser and is | |
| overridden to refer to a Collection instance. The [0..1] | | overridden to refer to a Collection instance. The [0..1] | |
| cardinality indicates that an IKEIdentity instance MUST be | | cardinality indicates that an IKEIdentity instance MUST be | |
| associated with at most one Collection instance. | | associated with at most one Collection instance. | |
| | | | |
| skipping to change at page 75, line 16 | | skipping to change at page 75, line 16 | |
| | | | |
| 8.18. The Association Class IKEIdentitysCredential | | 8.18. The Association Class IKEIdentitysCredential | |
| | | | |
| The class IKEIdentitysCredential is an association that relates a | | The class IKEIdentitysCredential is an association that relates a | |
| set of credentials to their corresponding local IKE Identities. The | | set of credentials to their corresponding local IKE Identities. The | |
| class definition for IKEIdentitysCredential is as follows: | | class definition for IKEIdentitysCredential is as follows: | |
| | | | |
| NAME IKEIdentitysCredential | | NAME IKEIdentitysCredential | |
| DESCRIPTION IKEIdentitysCredential associates a set of credentials | | DESCRIPTION IKEIdentitysCredential associates a set of credentials | |
| to their corresponding local IKEIdentity. | | to their corresponding local IKEIdentity. | |
| DERIVED FROM UsersCredential (see Appendix A) | | DERIVED FROM UsersCredential (see [CIMCORE]) | |
| ABSTRACT FALSE | | ABSTRACT FALSE | |
| PROPERTIES Antecedent [ref Credential [0..n]] | | PROPERTIES Antecedent [ref Credential [0..n]] | |
| Dependent [ref IKEIdentity [0..n]] | | Dependent [ref IKEIdentity [0..n]] | |
| | | | |
| 8.18.1. The Reference Antecedent | | 8.18.1. The Reference Antecedent | |
| | | | |
| The property Antecedent is inherited from UsersCredential and is | | The property Antecedent is inherited from UsersCredential and is | |
| overridden to refer to a Credential instance. The [0..n] | | overridden to refer to a Credential instance. The [0..n] | |
| cardinality indicates that an IKEIdentity instance may be associated | | cardinality indicates that an IKEIdentity instance may be associated | |
| with zero or more Credential instances. | | with zero or more Credential instances. | |
| | | | |
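The three association classes above give a policy repository the integrity rules it has to enforce before an IKE endpoint can be handed a local identity: the Antecedent of EndpointHasLocalIKEIdentity and of CollectionHasLocalIKEIdentity is [0..1], every IKEIdentity MUST be associated with an IPProtocolEndpoint or with a Collection, and IKEIdentitysCredential is [0..n] at both ends. The checker below is an added example written for this page; it is not part of the draft. It represents instances by string keys in a minimal in-memory repository (an assumption of the example), reads the "either ... or" wording of 8.16 and 8.17 as exclusive (the example's interpretation, not text of the draft), and runs on constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Association classes of sections 8.16 - 8.18, mapped to the pool of instances
# their overridden Antecedent reference must point into.
ANTECEDENT_POOL = {
    "EndpointHasLocalIKEIdentity": "endpoints",      # Antecedent: IPProtocolEndpoint [0..1]
    "CollectionHasLocalIKEIdentity": "collections",  # Antecedent: Collection [0..1]
    "IKEIdentitysCredential": "credentials",         # Antecedent: Credential [0..n]
}

@dataclass(frozen=True)
class Association:
    """One instance of an association class; both ends are instance keys (string keys are
    an assumption of this example, not a requirement of the model)."""
    cls: str
    antecedent: str
    dependent: str   # always an IKEIdentity key for the three classes above

@dataclass
class Repository:
    """Minimal stand-in for a policy repository (assumption of this example)."""
    identities: Set[str]
    endpoints: Set[str]
    collections: Set[str]
    credentials: Set[str]
    associations: List[Association] = field(default_factory=list)

def check_local_identities(repo: Repository) -> List[str]:
    """Return the MUST violations found; an empty list means the repository is consistent."""
    errors: List[str] = []
    # identity key -> association class -> set of antecedent keys bound through it
    bound: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for a in repo.associations:
        pool = ANTECEDENT_POOL.get(a.cls)
        if pool is None:
            errors.append(f"{a.cls}: not one of the local-identity association classes")
            continue
        if a.dependent not in repo.identities:
            errors.append(f"{a.cls}: Dependent {a.dependent!r} is not an IKEIdentity instance")
            continue
        if a.antecedent not in getattr(repo, pool):
            errors.append(f"{a.cls}: Antecedent {a.antecedent!r} is not a known {pool[:-1]}")
            continue
        bound[a.dependent][a.cls].add(a.antecedent)
    for ident in sorted(repo.identities):
        eps = bound[ident]["EndpointHasLocalIKEIdentity"]
        cols = bound[ident]["CollectionHasLocalIKEIdentity"]
        if len(eps) > 1:
            errors.append(f"{ident}: associated with {len(eps)} IPProtocolEndpoints; [0..1] allows at most one")
        if len(cols) > 1:
            errors.append(f"{ident}: associated with {len(cols)} Collections; [0..1] allows at most one")
        if not eps and not cols:
            errors.append(f"{ident}: associated with neither an IPProtocolEndpoint nor a Collection")
        if eps and cols:
            # Reading "either ... or" in 8.16/8.17 as exclusive is this example's interpretation.
            errors.append(f"{ident}: associated with both an IPProtocolEndpoint and a Collection")
    return errors

def credentials_for(repo: Repository, identity: str) -> Set[str]:
    """Credentials a local IKEIdentity may present, via IKEIdentitysCredential ([0..n] both ways)."""
    return {a.antecedent for a in repo.associations
            if a.cls == "IKEIdentitysCredential" and a.dependent == identity}

def sample_repository() -> Repository:
    """Constructed sample data for this example; none of it comes from the draft."""
    repo = Repository(
        identities={"gw-main", "branch-shared", "orphan", "ambiguous"},
        endpoints={"eth0/203.0.113.1", "eth1/198.51.100.1"},
        collections={"branch-endpoints"},
        credentials={"cert:gw-main", "psk:branch"},
    )
    A = Association
    repo.associations += [
        A("EndpointHasLocalIKEIdentity", "eth0/203.0.113.1", "gw-main"),         # conforming
        A("IKEIdentitysCredential", "cert:gw-main", "gw-main"),
        A("CollectionHasLocalIKEIdentity", "branch-endpoints", "branch-shared"),  # conforming
        A("IKEIdentitysCredential", "psk:branch", "branch-shared"),
        A("EndpointHasLocalIKEIdentity", "eth0/203.0.113.1", "ambiguous"),       # two endpoints:
        A("EndpointHasLocalIKEIdentity", "eth1/198.51.100.1", "ambiguous"),      # violates [0..1]
        # "orphan" has no association at all and so violates the MUST of 8.16/8.17
    ]
    return repo

if __name__ == "__main__":
    for problem in check_local_identities(sample_repository()):
        print("VIOLATION:", problem)
```

Run the check when policy is committed to the repository, before it is distributed: an identity with no endpoint or collection can never be selected for negotiation, and one bound to several endpoints leaves the choice of identity to the implementation, which is exactly the ambiguity the [0..1] cardinality is there to rule out.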
| skipping to change at page 77, line 8 | | skipping to change at page 77, line 8 | |
| 6.2.1. The Property LifetimeSeconds............................MUST | | 6.2.1. The Property LifetimeSeconds............................MUST | |
| 6.3. The Class IPsecBypassAction.............................SHOULD | | 6.3. The Class IPsecBypassAction.............................SHOULD | |
| 6.4. The Class IPsecDiscardAction............................SHOULD | | 6.4. The Class IPsecDiscardAction............................SHOULD | |
| 6.5. The Class IKERejectAction..................................MAY | | 6.5. The Class IKERejectAction..................................MAY | |
| 6.6. The Class PreconfiguredSAAction...........................MUST | | 6.6. The Class PreconfiguredSAAction...........................MUST | |
| 6.6.1. The Property LifetimeKilobytes..........................MUST | | 6.6.1. The Property LifetimeKilobytes..........................MUST | |
| 6.7. The Class PreconfiguredTransportAction....................MUST | | 6.7. The Class PreconfiguredTransportAction....................MUST | |
| 6.8. The Class PreconfiguredTunnelAction.......................MUST | | 6.8. The Class PreconfiguredTunnelAction.......................MUST | |
| 6.8.1. The Property DFHandling.................................MUST | | 6.8.1. The Property DFHandling.................................MUST | |
| 6.9. The Class SANegotiationAction.............................MUST | | 6.9. The Class SANegotiationAction.............................MUST | |
| 6.9.1. The Property MinLifetimeSeconds..........................MAY | | 6.10. The Class IKENegotiationAction...........................MUST | |
| 6.9.2. The Property MinLifetimeKilobytes........................MAY | | 6.10.1. The Property MinLifetimeSeconds.........................MAY | |
| 6.9.3. The Property RefreshThresholdSeconds.....................MAY | | 6.10.2. The Property MinLifetimeKilobytes.......................MAY | |
| 6.9.4. The Property RefreshThresholdKilobytes...................MAY | | 6.10.3. The Property RefreshThresholdSeconds....................MAY | |
| 6.9.5. The Property IdleDurationSeconds.........................MAY | | 6.10.4. The Property RefreshThresholdKilobytes..................MAY | |
| 6.10. The Class IPsecAction....................................MUST | | 6.10.5. The Property IdleDurationSeconds........................MAY | |
| 6.10.1. The Property UsePFS....................................MUST | | 6.11. The Class IPsecAction....................................MUST | |
| 6.10.2. The Property UseIKEGroup................................MAY | | 6.11.1. The Property UsePFS....................................MUST | |
| 6.10.3. The Property GroupId...................................MUST | | 6.11.2. The Property UseIKEGroup................................MAY | |
| 6.10.4. The Property Granularity.............................SHOULD | | 6.11.3. The Property GroupId...................................MUST | |
| 6.10.5. The Property VendorID...................................MAY | | 6.11.4. The Property Granularity.............................SHOULD | |
| 6.11. The Class IPsecTransportAction...........................MUST | | 6.11.5. The Property VendorID...................................MAY | |
| 6.12. The Class IPsecTunnelAction..............................MUST | | 6.12. The Class IPsecTransportAction...........................MUST | |
| 6.12.1. The Property DFHandling................................MUST | | 6.13. The Class IPsecTunnelAction..............................MUST | |
| 6.13. The Class IKEAction......................................MUST | | 6.13.1. The Property DFHandling................................MUST | |
| 6.13.1. The Property RefreshThresholdDerivedKeys................MAY | | 6.14. The Class IKEAction......................................MUST | |
| 6.13.2. The Property ExchangeMode..............................MUST | | 6.14.1. The Property RefreshThresholdDerivedKeys................MAY | |
| 6.13.3. The Property UseIKEIdentityType........................MUST | | 6.14.2. The Property ExchangeMode..............................MUST | |
| 6.13.4. The Property VendorID...................................MAY | | 6.14.3. The Property UseIKEIdentityType........................MUST | |
| 6.13.5. The Property AggressiveModeGroupId......................MAY | | 6.14.4. The Property VendorID...................................MAY | |
| 6.14. The Class PeerGateway....................................MUST | | 6.14.5. The Property AggressiveModeGroupId......................MAY | |
| 6.14.1. The Property Name....................................SHOULD | | 6.15. The Class PeerGateway....................................MUST | |
| 6.14.2. The Property PeerIdentityType..........................MUST | | 6.15.1. The Property Name....................................SHOULD | |
| 6.14.3. The Property PeerIdentity..............................MUST | | 6.15.2. The Property PeerIdentityType..........................MUST | |
| 6.15. The Association Class PeerGatewayForTunnel...............MUST | | 6.15.3. The Property PeerIdentity..............................MUST | |
| 6.15.1. The Reference Antecedent...............................MUST | | 6.16. The Association Class PeerGatewayForTunnel...............MUST | |
| 6.15.2. The Reference Dependent................................MUST | | 6.16.1. The Reference Antecedent...............................MUST | |
| 6.15.3. The Property SequenceNumber..........................SHOULD | | 6.16.2. The Reference Dependent................................MUST | |
| 6.16. The Aggregation Class ContainedProposal..................MUST | | 6.16.3. The Property SequenceNumber..........................SHOULD | |
| 6.16.1. The Reference GroupComponent...........................MUST | | 6.17. The Aggregation Class ContainedProposal..................MUST | |
| 6.16.2. The Reference PartComponent............................MUST | | 6.17.1. The Reference GroupComponent...........................MUST | |
| 6.16.3. The Property SequenceNumber............................MUST | | 6.17.2. The Reference PartComponent............................MUST | |
| 6.17. The Association Class HostedPeerGatewayInformation........MAY | | 6.17.3. The Property SequenceNumber............................MUST | |
| 6.17.1. The Reference Antecedent...............................MUST | | 6.18. The Association Class HostedPeerGatewayInformation........MAY | |
| 6.17.2. The Reference Dependent................................MUST | | | |
| 6.18. The Association Class TransformOfPreconfiguredAction.....MUST | | | |
| 6.18.1. The Reference Antecedent...............................MUST | | 6.18.1. The Reference Antecedent...............................MUST | |
| 6.18.2. The Reference Dependent................................MUST | | 6.18.2. The Reference Dependent................................MUST | |
| 6.18.3. The Property SPI.......................................MUST | | 6.19. The Association Class TransformOfPreconfiguredAction.....MUST | |
| 6.18.4. The Property Direction.................................MUST | | | |
| 6.19. The Association Class PeerGatewayForPreconfiguredTunnel..MUST | | | |
| 6.19.1. The Reference Antecedent...............................MUST | | 6.19.1. The Reference Antecedent...............................MUST | |
| 6.19.2. The Reference Dependent................................MUST | | 6.19.2. The Reference Dependent................................MUST | |
| | | 6.19.3. The Property SPI.......................................MUST | |
| | | 6.19.4. The Property Direction.................................MUST | |
| | | 6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST | |
| | | 6.20.1. The Reference Antecedent...............................MUST | |
| | | 6.20.2. The Reference Dependent................................MUST | |
| 7. Proposal and Transform Classes | | 7. Proposal and Transform Classes | |
| 7.1. The Abstract Class SAProposal.............................MUST | | 7.1. The Abstract Class SAProposal.............................MUST | |
| 7.1.1. The Property Name.....................................SHOULD | | 7.1.1. The Property Name.....................................SHOULD | |
| 7.2. The Class IKEProposal.....................................MUST | | 7.2. The Class IKEProposal.....................................MUST | |
| 7.2.1. The Property LifetimeDerivedKeys.........................MAY | | 7.2.1. The Property LifetimeDerivedKeys.........................MAY | |
| 7.2.2. The Property CipherAlgorithm............................MUST | | 7.2.2. The Property CipherAlgorithm............................MUST | |
| 7.2.3. The Property HashAlgorithm..............................MUST | | 7.2.3. The Property HashAlgorithm..............................MUST | |
| 7.2.4. The Property PRFAlgorithm................................MAY | | 7.2.4. The Property PRFAlgorithm................................MAY | |
| 7.2.5. The Property GroupId....................................MUST | | 7.2.5. The Property GroupId....................................MUST | |
| 7.2.6. The Property AuthenticationMethod.......................MUST | | 7.2.6. The Property AuthenticationMethod.......................MUST | |
| | | | |
| skipping to change at page 81, line 5 | | skipping to change at page 81, line 9 | |
| [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload | | [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload | |
| (ESP)", RFC 2406, November 1998. | | (ESP)", RFC 2406, November 1998. | |
| | | | |
| [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC | | [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC | |
| 2402, November 1998. | | 2402, November 1998. | |
| | | | |
| [PCIM] Moore, B., E. Ellesson, and J. Strassner, "Policy Core | | [PCIM] Moore, B., E. Ellesson, and J. Strassner, "Policy Core | |
| Information Model -- Version 1 Specification", RFC 3060, February | | Information Model -- Version 1 Specification", RFC 3060, February | |
| 2001. | | 2001. | |
| | | | |
| | | [PCIME] Moore, B., Rafalow, L., Ramberg, Y., Snir, Y., Westerinen, | |
| | | A., Chadha, R., Brunner, M., Cohen, R. and Strassner, J., "Policy | |
| | | Core Information Model Extensions", draft-ietf-policy-pcim-ext- | |
| | | 05.txt, October 2001, Internet-Draft (work in progress). | |
| | | | |
| [DOI] Piper, D., "The Internet IP Security Domain of Interpretation | | [DOI] Piper, D., "The Internet IP Security Domain of Interpretation | |
| for ISAKMP", RFC 2407, November 1998. | | for ISAKMP", RFC 2407, November 1998. | |
| | | | |
| [LDAP] Wahl, M., T. Howes, and S. Kille, "Lightweight Directory | | [LDAP] Wahl, M., T. Howes, and S. Kille, "Lightweight Directory | |
| Access Protocol (v3)", RFC 2251, December 1997. | | Access Protocol (v3)", RFC 2251, December 1997. | |
| | | | |
| [COPS] Boyle, J., R. Cohen, D. Durham, S. Herzog, R. Rajan, and A. | | [COPS] Boyle, J., R. Cohen, D. Durham, S. Herzog, R. Rajan, and A. | |
| Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, | | Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, | |
| January 2000. | | January 2000. | |
| | | | |
| | | | |
| skipping to change at page 81, line 29 | | skipping to change at page 81, line 38 | |
| | | | |
| [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate | | [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate | |
| Requirement Levels", BCP 14, RFC 2119, March 1997. | | Requirement Levels", BCP 14, RFC 2119, March 1997. | |
| | | | |
| [IPSO] Kent, S., "U.S. Department of Defense Security Options for | | [IPSO] Kent, S., "U.S. Department of Defense Security Options for | |
| the Internet Protocol", RFC 1108, November 1991. | | the Internet Protocol", RFC 1108, November 1991. | |
| | | | |
| [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the | | [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the | |
| Internet Protocol", RFC 2401, November 1998. | | Internet Protocol", RFC 2401, November 1998. | |
| | | | |
| | | [DMTF] Distributed Management Task Force, http://www.dmtf.org/ | |
| | | | |
| | | [CIMCORE] DMTF Common Information Model - Core Model v2.5, | |
| | | http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25.mof and | |
| | | http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25_Add.mof | |
| | | | |
| | | [CIMUSER] DMTF Common Information Model - User-Security Model v2.5, | |
| | | http://www.dmtf.org/var/release/CIM_Schema25/CIM_User25.mof | |
| | | | |
| | | [CIMNETWORK] DMTF Common Information Model - Network Model v2.5, | |
| | | http://www.dmtf.org/var/release/CIM_Schema25/CIM_Network25.mof | |
| | | | |
| 14. Disclaimer | | 14. Disclaimer | |
| | | | |
| The views and specification herein are those of the authors and are | | The views and specification herein are those of the authors and are | |
| not necessarily those of their employer. The authors and their | | not necessarily those of their employer. The authors and their | |
| employer specifically disclaim responsibility for any problems | | employer specifically disclaim responsibility for any problems | |
| arising from correct or incorrect implementation or use of this | | arising from correct or incorrect implementation or use of this | |
| specification. | | specification. | |
| | | | |
| 15. Authors' Addresses | | 15. Authors' Addresses | |
| | | | |
| | | | |
| skipping to change at page 81, line 50 | | skipping to change at page 82, line 18 | |
| Intel Corporation | | Intel Corporation | |
| MS JF3-206 | | MS JF3-206 | |
| 2111 NE 25th Ave. | | 2111 NE 25th Ave. | |
| Hillsboro, OR 97124 | | Hillsboro, OR 97124 | |
| E-Mail: jamie.jason@intel.com | | E-Mail: jamie.jason@intel.com | |
| | | | |
| Lee Rafalow | | Lee Rafalow | |
| IBM Corporation, BRQA/502 | | IBM Corporation, BRQA/502 | |
| 4205 So. Miami Blvd. | | 4205 So. Miami Blvd. | |
| Research Triangle Park, NC 27709 | | Research Triangle Park, NC 27709 | |
| E-mail: rafalow@raleigh.ibm.com | | E-mail: rafalow@watson.ibm.com | |
| | | | |
| Eric Vyncke | | Eric Vyncke | |
| Cisco Systems | | Cisco Systems | |
| Avenue Marcel Thiry, 77 | | Avenue Marcel Thiry, 77 | |
| B-1200 Brussels | | B-1200 Brussels | |
| Belgium | | Belgium | |
| E-mail: evyncke@cisco.com | | E-mail: evyncke@cisco.com | |
| | | | |
| 16. Full Copyright Statement | | 16. Full Copyright Statement | |
| | | | |
| | | | |
| skipping to change at page 82, line 32 | | skipping to change at line 4166 | |
| | | | |
| The limited permissions granted above are perpetual and will not be | | The limited permissions granted above are perpetual and will not be | |
| revoked by the Internet Society or its successors or assigns. | | revoked by the Internet Society or its successors or assigns. | |
| | | | |
| This document and the information contained herein is provided on an | | This document and the information contained herein is provided on an | |
| "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING | | "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING | |
| TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING | | TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING | |
| BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION | | BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION | |
| HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF | | HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF | |
| MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | | MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |
| | | | |
| Appendix A (DMTF Core Model MOF) | | | |
| | | | |
| // ================================================================== | | | |
| // ManagedElement | | | |
| // ================================================================== | | | |
| [Abstract, Description ( | | | |
| "ManagedElement is an abstract class that provides a common " | | | |
| "superclass (or top of the inheritance tree) for the " | | | |
| "non-association classes in the CIM Schema.")] | | | |
| class CIM_ManagedElement | | | |
| { | | | |
| [MaxLen (64), Description ( | | | |
| "The Caption property is a short textual description (one-" | | | |
| "line string) of the object.") ] | | | |
| string Caption; | | | |
| [Description ( | | | |
| "The Description property provides a textual description of " | | | |
| "the object.") ] | | | |
| string Description; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // Collection | | | |
| // ================================================================== | | | |
| [Abstract, Description ( | | | |
| "Collection is an abstract class that provides a common " | | | |
| "superclass for data elements that represent collections of " | | | |
| "ManagedElements and its subclasses.")] | | | |
| class CIM_Collection : CIM_ManagedElement | | | |
| { | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // ManagedSystemElement | | | |
| // ================================================================== | | | |
| [Abstract, Description ( | | | |
| "CIM_ManagedSystemElement is the base class for the System " | | | |
| "Element hierarchy. Membership Criteria: Any distinguishable " | | | |
| "component of a System is a candidate for inclusion in this " | | | |
| "class. Examples: software components, such as files; and " | | | |
| "devices, such as disk drives and controllers, and physical " | | | |
| "components such as chips and cards.") ] | | | |
| class CIM_ManagedSystemElement : CIM_ManagedElement | | | |
| { | | | |
| [Description ( | | | |
| "A datetime value indicating when the object was installed. " | | | |
| "A lack of a value does not indicate that the object is not " | | | |
| "installed."), | | | |
| MappingStrings {"MIF.DMTF|ComponentID|001.5"} ] | | | |
| datetime InstallDate; | | | |
| [MaxLen (256), Description ( | | | |
| "The Name property defines the label by which the object is " | | | |
| "known. When subclassed, the Name property can be overridden " | | | |
| "to be a Key property.") ] | | | |
| string Name; | | | |
| [MaxLen (10), Description ( | | | |
| " A string indicating the current status of the object. " | | | |
| "Various operational and non-operational statuses are " | | | |
| "defined. Operational statuses are \"OK\", \"Degraded\", " | | | |
| "\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that " | | | |
| "the Element is functioning, but needs attention. Examples " | | | |
| "of \"Stressed\" states are overload, overheated, etc. The " | | | |
| "condition \"Pred Fail\" (failure predicted) indicates that " | | | |
| "an Element is functioning properly but predicting a failure " | | | |
| "in the near future. An example is a SMART-enabled hard " | | | |
| "drive. \n" | | | |
| " Non-operational statuses can also be specified. These " | | | |
| "are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", " | | | |
| "\"Stopped\", " | | | |
| "\"Service\",\"No Contact\" and \"Lost Comm\". \"NonRecover\" " | | | |
| "indicates that a non-recoverable error has occurred. " | | | |
| "\"Service\" describes an Element being configured, " | | | |
| "maintained, " | | | |
| "cleaned, or otherwise administered. This status could apply " | | | |
| "during mirror-resilvering of a disk, reload of a user " | | | |
| "permissions list, or other administrative task. Not all " | | | |
| "such " | | | |
| "work is on-line, yet the Element is neither \"OK\" nor in " | | | |
| "one of the other states. \"No Contact\" indicates that the " | | | |
| "current instance of the monitoring system has knowledge of " | | | |
| "this Element but has never been able to establish " | | | |
| "communications with it. \"Lost Comm\" indicates that " | | | |
| "the ManagedSystemElement is known to exist and has been " | | | |
| "contacted successfully in the past, but is currently " | | | |
| "unreachable. " | | | |
| "\"Stopped\" indicates that the ManagedSystemElement is " | | | |
| "known " | | | |
| "to exist, it is not operational (i.e. it is unable to " | | | |
| "provide service to users), but it has not failed. It " | | | |
| "has purposely " | | | |
| "been made non-operational. The Element " | | | |
| "may have never been \"OK\", the Element may have initiated " | | | |
| "its " | | | |
| "own stop, or a management system may have initiated the " | | | |
| "stop."), | | | |
| ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail", | | | |
| "Starting", "Stopping", "Service", "Stressed", | | | |
| "NonRecover", "No Contact", "Lost Comm", "Stopped"} ] | | | |
| string Status; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // LogicalElement | | | |
| // ================================================================== | | | |
| [Abstract, Description ( | | | |
| "CIM_LogicalElement is a base class for all the components " | | | |
| "of " | | | |
| "a System that represent abstract system components, such " | | | |
| "as Files, Processes, or system capabilities in the form " | | | |
| "of Logical Devices.") ] | | | |
| class CIM_LogicalElement:CIM_ManagedSystemElement | | | |
| { | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // CIM_SystemConfiguration | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "CIM_SystemConfiguration represents the general concept " | | | |
| "of a CIM_Configuration which is scoped by/weak to a " | | | |
| "System. This class is a peer of CIM_Configuration since " | | | |
| "the key structure of Configuration is currently " | | | |
| "defined and cannot be modified with additional " | | | |
| "properties.")] | | | |
| class CIM_SystemConfiguration : CIM_ManagedElement { | | | |
| [Propagated ("CIM_System.CreationClassName"), Key, | | | |
| MaxLen (256), Description ( | | | |
| "The scoping System's CreationClassName.") ] | | | |
| string SystemCreationClassName; | | | |
| [Propagated ("CIM_System.Name"), Key, MaxLen (256), | | | |
| Description ("The scoping System's Name.") ] | | | |
| string SystemName; | | | |
| [Key, MaxLen (256), Description ( | | | |
| "CreationClassName indicates the name of the class or the " | | | |
| "subclass used in the creation of an instance. When used " | | | |
| "with the other key properties of this class, this property " | | | |
| "allows all instances of this class and its subclasses to " | | | |
| "be uniquely identified.") ] | | | |
| string CreationClassName; | | | |
| [Key, MaxLen (256), Description ( | | | |
| "The label by which the Configuration object is known.") ] | | | |
| string Name; | | | |
| }; | | | |
| | | | |
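Appendix A reproduces the DMTF Core Model classes as MOF text. The parser below is an added example written for this page, not code from the draft or from the DMTF: it covers only the MOF subset the appendix uses (class declarations with an optional superclass, bracketed qualifier lists, plain and reference properties, and method declarations, whose parameter lists it skips), records the Key and MaxLen qualifiers, and derives the full key property list of a class, including keys inherited down the superclass chain, which is what a repository needs to address an instance of CIM_SystemConfiguration unambiguously. The sample input is a constructed, abbreviated excerpt of the classes above; the CIM_ElementAsUser line in it is a stand-in for illustration, not the [CIMUSER] definition.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# MOF subset used in Appendix A: // comments, "strings" (with \" escapes), identifiers, integers
# and the punctuation of class / qualifier / property / method declarations; "." catches the rest.
_TOKEN = re.compile(r'\s+|//[^\n]*|"(?:[^"\\]|\\.)*"|[A-Za-z_]\w*|\d+|[{}\[\](),;:]|.')

Property = namedtuple("Property", "name type is_ref qualifiers")  # qualifiers e.g. {"Key": True, "MaxLen": 256}

@dataclass
class MofClass:
    name: str
    superclass: str          # None for a root class such as CIM_ManagedElement
    qualifiers: dict
    properties: list = field(default_factory=list)
    methods: list = field(default_factory=list)

def tokenize(text):
    """Drops whitespace and // comments; an unexpected character survives as a 1-char token."""
    return [t for t in _TOKEN.findall(text) if not (t.isspace() or t.startswith("//"))]

def parse_qualifiers(toks, i):
    """toks[i] is '['; returns ({qualifier: value}, index just past the matching ']')."""
    quals, depth, name, i = {}, 0, None, i + 1
    while not (depth == 0 and toks[i] == "]"):
        t = toks[i]
        if t in ("(", "[", "{"):
            depth += 1
        elif t in (")", "]", "}"):
            depth -= 1
        elif depth == 0 and t != ",":
            name, quals[t] = t, True     # boolean qualifier such as Key or Abstract
        elif depth == 1 and name == "MaxLen" and t.isdigit():
            quals[name] = int(t)         # the one parameterised qualifier this example keeps
        i += 1
    return quals, i + 1

def parse_mof(text):
    """Returns {class name: MofClass} for every class declaration in the text."""
    toks, classes, pending, i = tokenize(text), {}, {}, 0
    while i < len(toks):
        if toks[i] == "[":                               # qualifiers of the class that follows
            pending, i = parse_qualifiers(toks, i)
            continue
        if toks[i] != "class":
            i += 1
            continue
        name, super_, i = toks[i + 1], None, i + 2
        if toks[i] == ":":
            super_, i = toks[i + 1], i + 2
        if toks[i] != "{":
            raise ValueError(f"class {name}: expected '{{'")
        cls, pending, i = MofClass(name, super_, pending), {}, i + 1
        while toks[i] != "}":
            quals = {}
            if toks[i] == "[":
                quals, i = parse_qualifiers(toks, i)
            ptype, i = toks[i], i + 1
            is_ref = toks[i] == "ref"                    # e.g. "CIM_ManagedElement ref Antecedent"
            pname, i = (toks[i + 1], i + 2) if is_ref else (toks[i], i + 1)
            if toks[i] == "(":                           # method: skip its parameter list
                depth, i = 1, i + 1
                while depth:
                    depth += {"(": 1, ")": -1}.get(toks[i], 0)
                    i += 1
                cls.methods.append(pname)
            else:
                cls.properties.append(Property(pname, ptype, is_ref, quals))
            if toks[i] != ";":
                raise ValueError(f"class {name}: expected ';' after {pname}")
            i += 1
        i += 2 if toks[i + 1:i + 2] == [";"] else 1      # consume "};"
        classes[name] = cls
    return classes

def key_properties(classes, name):
    """Key properties of a class, including those inherited down the superclass chain."""
    chain = []
    while name is not None:
        chain.append(classes[name])
        name = classes[name].superclass
    return [p.name for c in reversed(chain) for p in c.properties if p.qualifiers.get("Key")]

SAMPLE_MOF = r'''
// Constructed, abbreviated excerpt of the Appendix A classes; not the full DMTF text.
[Abstract, Description ("ManagedElement is an abstract class.")]
class CIM_ManagedElement {
    [MaxLen (64), Description ("A short textual description (one-line string).")] string Caption;
};
class CIM_SystemConfiguration : CIM_ManagedElement {
    [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256)] string SystemCreationClassName;
    [Propagated ("CIM_System.Name"), Key, MaxLen (256)] string SystemName;
    [Key, MaxLen (256)] string CreationClassName;
    [Key, MaxLen (256), Description ("The label by which the \"Configuration\" is known.")] string Name;
};
[Abstract] class CIM_Setting : CIM_ManagedElement {
    [MaxLen (256)] string SettingID;
    uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE, [IN] datetime TimeToApply);
};
// Stand-in association for illustration only; not the [CIMUSER] definition of ElementAsUser.
class CIM_ElementAsUser { [Key] CIM_ManagedElement ref Antecedent; [Key] CIM_UsersAccess ref Dependent; };
'''
```

Qualifiers other than MaxLen are kept as flags, so Key survives on reference properties as well, which is how an association instance such as EndpointHasLocalIKEIdentity is identified: its keys are the two references. A missing '{' or ';' raises instead of being skipped, which is the behaviour to want when the MOF is the authoritative statement of what a policy object may contain.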
| // =================================================================== | | | |
| // Setting | | | |
| // =================================================================== | | | |
| [Abstract, Description ( | | | |
| "The Setting class represents configuration-related and " | | | |
| "operational parameters for one or more ManagedSystem" | | | |
| "Element(s). A ManagedSystemElement may have multiple " | | | |
| "Setting " | | | |
| "objects associated with it. The current operational values " | | | |
| "for an Element's parameters are reflected by properties in " | | | |
| "the Element itself or by properties in its associations. " | | | |
| "These properties do not have to be the same values present " | | | |
| "in the Setting object. For example, a modem may have a " | | | |
| "Setting baud rate of 56Kb/sec but be operating " | | | |
| "at 19.2Kb/sec.") ] | | | |
| class CIM_Setting : CIM_ManagedElement | | | |
| { | | | |
| [MaxLen (256), Description ( | | | |
| "The identifier by which the Setting object is known.") ] | | | |
| string SettingID; | | | |
| [Description ( | | | |
| "The VerifyOKToApplyToMSE method is used to verify that " | | | |
| "this Setting can be 'applied' to the referenced Managed" | | | |
| "SystemElement, at the given time or time interval. This " | | | |
| "method takes three input parameters: MSE (the Managed" | | | |
| "SystemElement that is being verified), TimeToApply (which, " | | | |
| "being a datetime, can be either a specific time or a time " | | | |
| "interval), and MustBeCompletedBy (which indicates the " | | | |
| "required completion time for the method). The return " | | | |
| "value should be 0 if it is OK to apply the Setting, 1 if " | | | |
| "the method is not supported, 2 if the Setting can not be " | | | |
| "applied within the specified times, and any other number " | | | |
| "if an error occurred. In a subclass, the " | | | |
| "set of possible return codes could be specified, using a " | | | |
| "ValueMap qualifier on the method. The strings to which the " | | | |
| "ValueMap contents are 'translated' may also be specified in " | | | |
| "the subclass as a Values array qualifier.") ] | | | |
| uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE, | | | |
| [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); | | | |
| [Description ( | | | |
| "The ApplyToMSE method performs the actual application of " | | | |
| "the Setting to the referenced ManagedSystemElement. It " | | | |
| "takes three input parameters: MSE (the ManagedSystem" | | | |
| "Element to which the Setting is being applied), " | | | |
| "TimeToApply (which, being a datetime, can be either a " | | | |
| "specific time or a time interval), and MustBeCompletedBy " | | | |
| "(which indicates the required completion time for the " | | | |
| "method). Note that the semantics of this method are that " | | | |
| "individual Settings are either wholly applied or not " | | | |
| "applied at all to their target ManagedSystemElement. The " | | | |
| "return value should be 0 if the Setting is successfully " | | | |
| "applied to the referenced ManagedSystemElement, 1 if the " | | | |
| "method is not supported, 2 if the Setting was not applied " | | | |
| "within the specified times, and any other number if an " | | | |
| "error occurred. In a subclass, the set of possible return " | | | |
| "codes could be specified, using a ValueMap qualifier on " | | | |
| "the method. The strings to which the ValueMap contents are " | | | |
| "'translated' may also be specified in the subclass as a " | | | |
| "Values array qualifier.\n" | | | |
| "Note: If an error occurs in applying the Setting to a " | | | |
| "ManagedSystemElement, the Element must be configured as " | | | |
| "when the 'apply' attempt began. That is, the Element " | | | |
| "should NOT be left in an indeterminate state.") ] | | | |
| uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE, | | | |
| [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); | | | |
| [Description ( | | | |
| "The VerifyOKToApplyToCollection method is used to verify " | | | |
| "that this Setting can be 'applied' to the referenced " | | | |
| "Collection of ManagedSystemElements, at the given time " | | | |
| "or time interval, without causing adverse effects to " | | | |
| "either the Collection itself or its surrounding " | | | |
| "environment. The net effect is to execute the " | | | |
| "VerifyOKToApply method against each of the Elements " | | | |
| "aggregated by the Collection. This method takes three " | | | |
| "input parameters: Collection (the Collection of Managed" | | | |
| "SystemElements that is being verified), TimeToApply (which, " | | | |
| "being a datetime, can be either a specific time or a time " | | | |
| "interval), and MustBeCompletedBy (which indicates the " | | | |
| "required completion time for the method). The return " | | | |
| "value should be 0 if it is OK to apply the Setting, 1 if " | | | |
| "the method is not supported, 2 if the Setting can not be " | | | |
| "applied within the specified times, and any other number if " | | | |
| "an error occurred. One output parameter is defined - " | | | |
| "CanNotApply - which is a string array that lists the keys " | | | |
| "of " | | | |
| "the ManagedSystemElements to which the Setting can NOT be " | | | |
| "applied. This enables those Elements to be revisited and " | | | |
| "either fixed, or other corrective action taken.\n" | | | |
| "In a subclass, the set of possible return codes could be " | | | |
| "specified, using a ValueMap qualifier on the method. The " | | | |
| "strings to which the ValueMap contents are 'translated' may " | | | |
| "also be specified in the subclass as a Values array " | | | |
| "qualifier.") ] | | | |
| uint32 VerifyOKToApplyToCollection ( | | | |
| [IN] CIM_CollectionOfMSEs ref Collection, | | | |
| [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy, | | | |
| [OUT] string CanNotApply[]); | | | |
| [Description ( | | | |
| "The ApplyToCollection method performs the application of " | | | |
| "the Setting to the referenced Collection of ManagedSystem" | | | |
| "Elements. The net effect is to execute the ApplyToMSE " | | | |
| "method against each of the Elements aggregated by the " | | | |
| "Collection. If the input value ContinueOnError is FALSE, " | | | |
| "this method applies the Setting to all Elements in the " | | | |
| "Collection until it encounters an error, in which case it " | | | |
| "stops execution, logs the key of the Element that caused " | | | |
| "the error in the CanNotApply array, and issues a return " | | | |
| "code " | | | |
| "of 2. If the input value ContinueOnError is TRUE, then this " | | | |
| "method applies the Setting to all the ManagedSystemElements " | | | |
| "in the Collection, and reports the failed Elements in the " | | | |
| "array, CanNotApply. For the latter, processing will " | | | |
| "continue " | | | |
| "until the method is applied to all Elements in the " | | | |
| "Collection, regardless of any errors encountered. The key " | | | |
| "of " | | | |
| "each ManagedSystemElement to which the Setting could not be " | | | |
| "applied is logged into the CanNotApply array. This method " | | | |
| "takes four input parameters: Collection (the Collection of " | | | |
| "Elements to which the Setting is being applied), " | | | |
| "TimeToApply " | | | |
| "(which, being a datetime, can be either a specific time or " | | | |
| "a " | | | |
| "time interval), ContinueOnError (TRUE means to continue " | | | |
| "processing on encountering an error), and MustBeCompletedBy " | | | |
| "(which indicates the required completion time for the " | | | |
| "method). The return value should be 0 if the Setting is " | | | |
| "successfully applied to the referenced Collection, 1 if the " | | | |
| "method is not supported, 2 if the Setting was not applied " | | | |
| "within the specified times, 3 if the Setting can not be " | | | |
| "applied using the input value for ContinueOnError, and any " | | | |
| "other number if an error occurred. One output parameter is " | | | |
| "defined, CanNotApply, which is a string array that lists " | | | |
| "the keys of the ManagedSystemElements to which the Setting " | | | |
| "was NOT able to be applied. This output parameter has " | | | |
| "meaning only when the ContinueOnError parameter is TRUE.\n" | | | |
| "In a subclass, the set of possible return codes could be " | | | |
| "specified, using a ValueMap qualifier on the method. The " | | | |
| "strings to which the ValueMap contents are 'translated' may " | | | |
| "also be specified in the subclass as a Values array " | | | |
| "qualifier.\n" | | | |
| "Note: if an error occurs in applying the Setting to a " | | | |
| "ManagedSystemElement in the Collection, the Element must be " | | | |
| "configured as when the 'apply' attempt began. That is, the " | | | |
| "Element should NOT be left in an indeterminate state.") ] | | | |
| uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection, | | | |
| [IN] datetime TimeToApply, [IN] boolean ContinueOnError, | | | |
| [IN] datetime MustBeCompletedBy, [OUT] string CanNotApply[]); | | | |
| [Description ( | | | |
| "The VerifyOKToApplyIncrementalChangeToMSE method " | | | |
| "is used to verify that a subset of the properties in " | | | |
| "this Setting can be 'applied' to the referenced Managed" | | | |
| "SystemElement, at the given time or time interval. This " | | | |
| "method takes four input parameters: MSE (the Managed" | | | |
| "SystemElement that is being verified), TimeToApply (which, " | | | |
| "being a datetime, can be either a specific time or a time " | | | |
| "interval), MustBeCompletedBy (which indicates the " | | | |
| "required completion time for the method), and a " | | | |
| "PropertiesToApply array (which contains a list of the " | | | |
| "property names whose values will be verified. " | | | |
| "If the array is null or empty or contains the string " | | | |
| "\"all\" " | | | |
| "as a property name then all Settings properties shall be " | | | |
| "verified. If it is set to \"none\" then no Settings " | | | |
| "properties " | | | |
| "will be verified). The return " | | | |
| "value should be 0 if it is OK to apply the Setting, 1 if " | | | |
| "the method is not supported, 2 if the Setting can not be " | | | |
| "applied within the specified times, and any other number " | | | |
| "if an error occurred. In a subclass, the " | | | |
| "set of possible return codes could be specified, using a " | | | |
| "ValueMap qualifier on the method. The strings to which the " | | | |
| "ValueMap contents are 'translated' may also be specified in " | | | |
| "the subclass as a Values array qualifier.") ] | | | |
| uint32 VerifyOKToApplyIncrementalChangeToMSE( | | | |
| [IN] CIM_ManagedSystemElement ref MSE, | | | |
| [IN] datetime TimeToApply, | | | |
| [IN] datetime MustBeCompletedBy, | | | |
| [IN] string PropertiesToApply[]); | | | |
| [Description ( | | | |
| "The ApplyIncrementalChangeToMSE method performs the " | | | |
| "actual application of a subset of the properties in " | | | |
| "the Setting to the referenced ManagedSystemElement. It " | | | |
| "takes four input parameters: MSE (the ManagedSystem" | | | |
| "Element to which the Setting is being applied), " | | | |
| "TimeToApply (which, being a datetime, can be either a " | | | |
| "specific time or a time interval), MustBeCompletedBy " | | | |
| "(which indicates the required completion time for the " | | | |
| "method), and a " | | | |
| "PropertiesToApply array (which contains a list of the " | | | |
| "property names whose values will be applied. If a " | | | |
| "property is not in this list, it will be ignored by the " | | | |
| "apply. " | | | |
| "If the array is null or empty or contains the string " | | | |
| "\"all\" " | | | |
| "as a property name then all Settings properties shall be " | | | |
| "applied. If it is set to \"none\" then no Settings " | | | |
| "properties " | | | |
| "will be applied). " | | | |
| "Note that the semantics of this method are that " | | | |
| "individual Settings are either wholly applied or not " | | | |
| "applied at all to their target ManagedSystemElement. The " | | | |
| "return value should be 0 if the Setting is successfully " | | | |
| "applied to the referenced ManagedSystemElement, 1 if the " | | | |
| "method is not supported, 2 if the Setting was not applied " | | | |
| "within the specified times, and any other number if an " | | | |
| "error occurred. In a subclass, the set of possible return " | | | |
| "codes could be specified, using a ValueMap qualifier on " | | | |
| "the method. The strings to which the ValueMap contents are " | | | |
| "'translated' may also be specified in the subclass as a " | | | |
| "Values array qualifier.\n" | | | |
| "Note: If an error occurs in applying the Setting to a " | | | |
| "ManagedSystemElement, the Element must be configured as " | | | |
| "when the 'apply' attempt began. That is, the Element " | | | |
| "should NOT be left in an indeterminate state.") ] | | | |
| uint32 ApplyIncrementalChangeToMSE( | | | |
| [IN] CIM_ManagedSystemElement ref MSE, | | | |
| [IN] datetime TimeToApply, | | | |
| [IN] datetime MustBeCompletedBy, | | | |
| [IN] string PropertiesToApply[]); | | | |
| [Description ( | | | |
| "The VerifyOKToApplyIncrementalChangeToCollection method " | | | |
| "is used to verify that a subset of the properties in " | | | |
| "this Setting can be 'applied' to the referenced " | | | |
| "Collection of ManagedSystemElements, at the given time " | | | |
| "or time interval, without causing adverse effects to " | | | |
| "either the Collection itself or its surrounding " | | | |
| "environment. The net effect is to execute the " | | | |
| "VerifyOKToApplyIncrementalChangeToMSE method " | | | |
| "against each of the Elements " | | | |
| "aggregated by the Collection. This method takes three " | | | |
| "input parameters: Collection (the Collection of Managed" | | | |
| "SystemElements that is being verified), TimeToApply (which, " | | | |
| "being a datetime, can be either a specific time or a time " | | | |
| "interval), MustBeCompletedBy (which indicates the " | | | |
| "required completion time for the method), and a " | | | |
| "PropertiesToApply array (which contains a list of the " | | | |
| "property names whose values will be verified. " | | | |
| "If the array is null or empty or contains the string " | | | |
| "\"all\" " | | | |
| "as a property name then all Settings properties shall be " | | | |
| "verified. If it is set to \"none\" then no Settings " | | | |
| "properties " | | | |
| "will be verified). The return " | | | |
| "value should be 0 if it is OK to apply the Setting, 1 if " | | | |
| "the method is not supported, 2 if the Setting can not be " | | | |
| "applied within the specified times, and any other number if " | | | |
| "an error occurred. One output parameter is defined - " | | | |
| "CanNotApply - which is a string array that lists the keys " | | | |
| "of " | | | |
| "the ManagedSystemElements to which the Setting can NOT be " | | | |
| "applied. This enables those Elements to be revisited and " | | | |
| "either fixed, or other corrective action taken.\n" | | | |
| "In a subclass, the set of possible return codes could be " | | | |
| "specified, using a ValueMap qualifier on the method. The " | | | |
| "strings to which the ValueMap contents are 'translated' may " | | | |
| "also be specified in the subclass as a Values array " | | | |
| "qualifier.") ] | | | |
| uint32 VerifyOKToApplyIncrementalChangeToCollection ( | | | |
| [IN] CIM_CollectionOfMSEs ref Collection, | | | |
| [IN] datetime TimeToApply, | | | |
| [IN] datetime MustBeCompletedBy, | | | |
| [IN] string PropertiesToApply[], | | | |
| [OUT] string CanNotApply[]); | | | |
| [Description ( | | | |
| "The ApplyIncrementalChangeToCollection method performs " | | | |
| "the application of a subset of the properties in this " | | | |
| "Setting to the referenced Collection of ManagedSystem" | | | |
| "Elements. The net effect is to execute the " | | | |
| "ApplyIncrementalChangeToMSE " | | | |
| "method against each of the Elements aggregated by the " | | | |
| "Collection. If the input value ContinueOnError is FALSE, " | | | |
| "this method applies the Setting to all Elements in the " | | | |
| "Collection until it encounters an error, in which case it " | | | |
| "stops execution, logs the key of the Element that caused " | | | |
| "the error in the CanNotApply array, and issues a return " | | | |
| "code " | | | |
| "of 2. If the input value ContinueOnError is TRUE, then this " | | | |
| "method applies the Setting to all the ManagedSystemElements " | | | |
| "in the Collection, and reports the failed Elements in the " | | | |
| "array, CanNotApply. For the latter, processing will " | | | |
| "continue " | | | |
| "until the method is applied to all Elements in the " | | | |
| "Collection, regardless of any errors encountered. The key " | | | |
| "of " | | | |
| "each ManagedSystemElement to which the Setting could not be " | | | |
| "applied is logged into the CanNotApply array. This method " | | | |
| "takes four input parameters: Collection (the Collection of " | | | |
| "Elements to which the Setting is being applied), " | | | |
| "TimeToApply " | | | |
| "(which, being a datetime, can be either a specific time or " | | | |
| "a " | | | |
| "time interval), ContinueOnError (TRUE means to continue " | | | |
| "processing on encountering an error), and MustBeCompletedBy " | | | |
| "(which indicates the required completion time for the " | | | |
| "method), and a PropertiesToApply array (which contains a " | | | |
| "list " | | | |
| "of the property names whose values will be applied. If a " | | | |
| "property is not in this list, it will be ignored by " | | | |
| "the apply. " | | | |
| "If the array is null or empty or contains the string " | | | |
| "\"all\" " | | | |
| "as a property name then all Settings properties shall be " | | | |
| "applied. If it is set to \"none\" then no Settings " | | | |
| "properties " | | | |
| "will be applied). " | | | |
| "The return value should be 0 if the Setting is " | | | |
| "successfully applied to the referenced Collection, 1 if the " | | | |
| "method is not supported, 2 if the Setting was not applied " | | | |
| "within the specified times, 3 if the Setting can not be " | | | |
| "applied using the input value for ContinueOnError, and any " | | | |
| "other number if an error occurred. One output parameter is " | | | |
| "defined, CanNotApply, which is a string array that lists " | | | |
| "the keys of the ManagedSystemElements to which the Setting " | | | |
| "was NOT able to be applied. This output parameter has " | | | |
| "meaning only when the ContinueOnError parameter is TRUE.\n" | | | |
| "In a subclass, the set of possible return codes could be " | | | |
| "specified, using a ValueMap qualifier on the method. The " | | | |
| "strings to which the ValueMap contents are 'translated' may " | | | |
| "also be specified in the subclass as a Values array " | | | |
| "qualifier.\n" | | | |
| "Note: if an error occurs in applying the Setting to a " | | | |
| "ManagedSystemElement in the Collection, the Element must be " | | | |
| "configured as when the 'apply' attempt began. That is, the " | | | |
| "Element should NOT be left in an indeterminate state.") ] | | | |
| uint32 ApplyIncrementalChangeToCollection( | | | |
| [IN] CIM_CollectionOfMSEs ref Collection, | | | |
| [IN] datetime TimeToApply, | | | |
| [IN] boolean ContinueOnError, | | | |
| [IN] datetime MustBeCompletedBy, | | | |
| [IN] string PropertiesToApply[], | | | |
| [OUT] string CanNotApply[]); | | | |
| | | | |
| }; | | | |
| | | | |
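The ApplyToMSE, ApplyToCollection, ApplyIncrementalChangeToMSE and ApplyIncrementalChangeToCollection methods above specify their return codes, the CanNotApply output, the two ContinueOnError branches, the PropertiesToApply conventions ("all", "none", null) and the all-or-nothing rule per Element only in Description strings. The Python model below is an added example, not code from the draft or from the DMTF MOF; it assumes a hypothetical in-memory ManagedSystemElement with a constructed fault-injection set, omits the TimeToApply and MustBeCompletedBy parameters, and uses 4 as the "any other number" error code.

```python
"""Executable model of the CIM_Setting apply methods described in the MOF.

Added example: not part of the draft or of the DMTF MOF. The timing
parameters (TimeToApply, MustBeCompletedBy) are omitted and the
ManagedSystemElement is a hypothetical in-memory stand-in whose
'rejects' set is constructed fault injection.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Return codes named in the Description strings.
OK = 0
NOT_SUPPORTED = 1
NOT_WITHIN_TIMES = 2        # the MOF also issues 2 when ContinueOnError is FALSE and an Element fails
BAD_CONTINUE_ON_ERROR = 3   # defined for the collection methods, not exercised here
OTHER_ERROR = 4             # assumption: the MOF only says "any other number if an error occurred"


@dataclass
class ManagedSystemElement:
    """Hypothetical stand-in for CIM_ManagedSystemElement."""
    key: str                                           # the key logged in CanNotApply
    properties: Dict[str, object] = field(default_factory=dict)
    rejects: Set[str] = field(default_factory=set)     # constructed: property names this Element refuses


@dataclass
class Setting:
    """Stand-in for a CIM_Setting subclass holding the property values to push."""
    properties: Dict[str, object]

    def _selected(self, properties_to_apply: Optional[List[str]]) -> List[str]:
        """Resolve PropertiesToApply as the MOF states: null/empty or "all" selects
        every Setting property, "none" selects nothing, any other list selects the
        named subset (names not present in the Setting are ignored)."""
        if not properties_to_apply or "all" in properties_to_apply:
            return list(self.properties)
        if properties_to_apply == ["none"]:
            return []
        return [name for name in properties_to_apply if name in self.properties]

    def apply_incremental_change_to_mse(self, mse: ManagedSystemElement,
                                        properties_to_apply: Optional[List[str]] = None) -> int:
        """ApplyIncrementalChangeToMSE: the selected properties are wholly applied or
        not applied at all; on error the Element is restored to its prior state."""
        snapshot = dict(mse.properties)
        for name in self._selected(properties_to_apply):
            if name in mse.rejects:
                mse.properties = snapshot          # roll back: never leave an indeterminate state
                return OTHER_ERROR
            mse.properties[name] = self.properties[name]
        return OK

    def apply_to_mse(self, mse: ManagedSystemElement) -> int:
        """ApplyToMSE is the "all properties" case of the incremental method."""
        return self.apply_incremental_change_to_mse(mse, ["all"])

    def apply_incremental_change_to_collection(
            self, collection: List[ManagedSystemElement], continue_on_error: bool,
            properties_to_apply: Optional[List[str]] = None) -> Tuple[int, List[str]]:
        """ApplyIncrementalChangeToCollection. Returns (return code, CanNotApply).

        ContinueOnError FALSE: stop at the first failing Element, log its key and
        return 2. ContinueOnError TRUE: visit every Element, log each failing key,
        and return 0 only when CanNotApply is empty."""
        can_not_apply: List[str] = []
        for mse in collection:
            if self.apply_incremental_change_to_mse(mse, properties_to_apply) != OK:
                can_not_apply.append(mse.key)
                if not continue_on_error:
                    return NOT_WITHIN_TIMES, can_not_apply
        return (OK if not can_not_apply else OTHER_ERROR), can_not_apply

    def apply_to_collection(self, collection: List[ManagedSystemElement],
                            continue_on_error: bool) -> Tuple[int, List[str]]:
        """ApplyToCollection is the "all properties" case of the incremental method."""
        return self.apply_incremental_change_to_collection(collection, continue_on_error, ["all"])


def demo() -> Tuple[int, List[str]]:
    """Constructed sample: three Elements, the second refuses the 'Mode' property."""
    setting = Setting({"Enabled": True, "Mode": "tunnel", "Lifetime": 3600})
    elements = [ManagedSystemElement("sa1"),
                ManagedSystemElement("sa2", rejects={"Mode"}),
                ManagedSystemElement("sa3")]
    return setting.apply_to_collection(elements, continue_on_error=True)


if __name__ == "__main__":
    print(demo())   # (4, ['sa2'])
```

With ContinueOnError FALSE the same collection stops at sa2 with return code 2, sa3 untouched, and sa2 rolled back to its pre-attempt state even though its first property had already been written.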
| // ================================================================== | | | |
| // CIM_SystemSetting | | | |
| // ================================================================== | | | |
| [Abstract, Description ( | | | |
| "CIM_SystemSetting represents the general concept " | | | |
| "of a CIM_Setting which is scoped by/weak to a System.")] | | | |
| class CIM_SystemSetting : CIM_Setting { | | | |
| [Propagated ("CIM_System.CreationClassName"), Key, | | | |
| MaxLen (256), Description ( | | | |
| "The scoping System's CreationClassName.") ] | | | |
| string SystemCreationClassName; | | | |
| [Propagated ("CIM_System.Name"), Key, MaxLen (256), | | | |
| Description ("The scoping System's Name.") ] | | | |
| string SystemName; | | | |
| [Key, MaxLen (256), Description ( | | | |
| "CreationClassName indicates the name of the class or the " | | | |
| "subclass used in the creation of an instance. When used " | | | |
| "with the other key properties of this class, this property " | | | |
| "allows all instances of this class and its subclasses to " | | | |
| "be uniquely identified.") ] | | | |
| string CreationClassName; | | | |
| [Override ("SettingID"), Key, MaxLen (256)] | | | |
| string SettingID; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // System | | | |
| // ================================================================== | | | |
| [Abstract, Description ( | | | |
| "A CIM_System is a LogicalElement that aggregates an " | | | |
| "enumerable set of Managed System Elements. The aggregation " | | | |
| "operates as a functional whole. Within any particular " | | | |
| "subclass of System, there is a well-defined list of " | | | |
| "Managed System Element classes whose instances must be " | | | |
| "aggregated.") ] | | | |
| class CIM_System:CIM_LogicalElement | | | |
| { | | | |
| [Key, MaxLen (256), Description ( | | | |
| "CreationClassName indicates the name of the class or the " | | | |
| "subclass used in the creation of an instance. When used " | | | |
| "with the other key properties of this class, this property " | | | |
| "allows all instances of this class and its subclasses to " | | | |
| "be uniquely identified.") ] | | | |
| string CreationClassName; | | | |
| [Key, MaxLen (256), Override ("Name"), Description ( | | | |
| "The inherited Name serves as key of a System instance in " | | | |
| "an enterprise environment.") ] | | | |
| string Name; | | | |
| [MaxLen (64), Description ( | | | |
| "The System object and its derivatives are Top Level Objects " | | | |
| "of CIM. They provide the scope for numerous components. " | | | |
| "Having unique System keys is required. A heuristic can be " | | | |
| "defined in individual System subclasses to attempt to " | | | |
| "always " | | | |
| "generate the same System Name Key. The NameFormat property " | | | |
| "identifies how the System name was generated, using " | | | |
| "the subclass' heuristic.") ] | | | |
| string NameFormat; | | | |
| [MaxLen (256), Description ( | | | |
| "A string that provides information on how the primary " | | | |
| "system " | | | |
| "owner can be reached (e.g. phone number, email address, " | | | |
| "...)."), | | | |
| MappingStrings {"MIF.DMTF|General Information|001.3"} ] | | | |
| string PrimaryOwnerContact; | | | |
| [MaxLen (64), Description ( | | | |
| "The name of the primary system owner."), | | | |
| MappingStrings {"MIF.DMTF|General Information|001.4"} ] | | | |
| string PrimaryOwnerName; | | | |
| [Description ( | | | |
| "An array (bag) of strings that specify the roles this " | | | |
| "System " | | | |
| "plays in the IT-environment. Subclasses of System may " | | | |
| "override this property to define explicit Roles values. " | | | |
| "Alternately, a Working Group may describe the heuristics, " | | | |
| "conventions and guidelines for specifying Roles. For " | | | |
| "example, for an instance of a networking system, the Roles " | | | |
| "property might contain the string, 'Switch' or 'Bridge'.") ] | | | |
| string Roles[]; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // Service | | | |
| // ================================================================== | | | |
| [Abstract, Description ( | | | |
| "A CIM_Service is a Logical Element that contains the " | | | |
| "information necessary to represent and manage the " | | | |
| "functionality provided by a Device and/or SoftwareFeature. " | | | |
| "A Service is a general-purpose object to configure and " | | | |
| "manage the implementation of functionality. It is not the " | | | |
| "functionality itself.") ] | | | |
| class CIM_Service:CIM_LogicalElement | | | |
| { | | | |
| [Key, MaxLen (256), Description ( | | | |
| "CreationClassName indicates the name of the class or the " | | | |
| "subclass used in the creation of an instance. When used " | | | |
| "with the other key properties of this class, this " | | | |
| "property " | | | |
| "allows all instances of this class and its subclasses to " | | | |
| "be uniquely identified.") ] | | | |
| string CreationClassName; | | | |
| [Override ("Name"), Key, MaxLen (256), | | | |
| Description ( | | | |
| "The Name property uniquely identifies the Service and " | | | |
| "provides an indication of the functionality that is " | | | |
| "managed. This functionality is described in more detail in " | | | |
| "the object's Description property. ") ] | | | |
| string Name; | | | |
| [MaxLen (10), Description ( | | | |
| "StartMode is a string value indicating whether the Service " | | | |
| "is automatically started by a System, Operating System, " | | | |
| "etc. " | | | |
| "or only started upon request."), | | | |
| ValueMap {"Automatic", "Manual"} ] | | | |
| string StartMode; | | | |
| [Description ( | | | |
| "Started is a boolean indicating whether the Service " | | | |
| "has been started (TRUE), or stopped (FALSE).") ] | | | |
| boolean Started; | | | |
| [Propagated ("CIM_System.CreationClassName"), Key, | | | |
| MaxLen (256), Description ( | | | |
| "The scoping System's CreationClassName. ") ] | | | |
| string SystemCreationClassName; | | | |
| [Propagated ("CIM_System.Name"), Key, MaxLen (256), | | | |
| Description ("The scoping System's Name.") ] | | | |
| string SystemName; | | | |
| [Description ( | | | |
| "The StartService method places the Service in the started " | | | |
| "state. It returns an integer value of 0 if the Service was " | | | |
| "successfully started, 1 if the request is not supported and " | | | |
| "any other number to indicate an error. In a subclass, the " | | | |
| "set of possible return codes could be specified, using a " | | | |
| "ValueMap qualifier on the method. The strings to which the " | | | |
| "ValueMap contents are 'translated' may also be specified in " | | | |
| "the subclass as a Values array qualifier.") ] | | | |
| uint32 StartService(); | | | |
| [Description ( | | | |
| "The StopService method places the Service in the stopped " | | | |
| "state. It returns an integer value of 0 if the Service was " | | | |
| "successfully stopped, 1 if the request is not supported and " | | | |
| "any other number to indicate an error. In a subclass, the " | | | |
| "set of possible return codes could be specified, using a " | | | |
| "ValueMap qualifier on the method. The strings to which the " | | | |
| "ValueMap contents are 'translated' may also be specified in " | | | |
| "the subclass as a Values array qualifier.") ] | | | |
| uint32 StopService(); | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // ServiceAccessPoint | | | |
| // ================================================================== | | | |
| [Abstract, Description ( | | | |
| "CIM_ServiceAccessPoint represents the ability to utilize or " | | | |
| "invoke a Service. Access points represent that a Service " | | | |
| "is made available to other entities for use.") ] | | | |
| class CIM_ServiceAccessPoint:CIM_LogicalElement | | | |
| { | | | |
| [Key, MaxLen (256), Description ( | | | |
| "CreationClassName indicates the name of the class or the " | | | |
| "subclass used in the creation of an instance. When used " | | | |
| "with the other key properties of this class, this " | | | |
| "property " | | | |
| "allows all instances of this class and its subclasses to " | | | |
| "be uniquely identified.") ] | | | |
| string CreationClassName; | | | |
| [Override ("Name"), Key, MaxLen (256), | | | |
| Description ( | | | |
| "The Name property uniquely identifies the " | | | |
| "ServiceAccessPoint " | | | |
| "and provides an indication of the functionality that is " | | | |
| "managed. This functionality is described in more detail in " | | | |
| "the object's Description property.") ] | | | |
| string Name; | | | |
| [Propagated ("CIM_System.CreationClassName"), Key, | | | |
| MaxLen (256), Description ( | | | |
| "The scoping System's CreationClassName.") ] | | | |
| string SystemCreationClassName; | | | |
| [Propagated ("CIM_System.Name"), Key, MaxLen (256), | | | |
| Description ("The scoping System's Name.") ] | | | |
| string SystemName; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // === Association class definitions === | | | |
| // ================================================================== | | | |
| | | | |
| // ================================================================== | | | |
| // Component | | | |
| // ================================================================== | | | |
| [Association, Abstract, Aggregation, Description ( | | | |
| "CIM_Component is a generic association used to establish " | | | |
| "'part of' relationships between Managed System Elements. " | | | |
| "For " | | | |
| "example, the SystemComponent association defines parts of " | | | |
| "a System.") ] | | | |
| class CIM_Component | | | |
| { | | | |
| [Aggregate, Key, Description ( | | | |
| "The parent element in the association.") ] | | | |
| CIM_ManagedSystemElement REF GroupComponent; | | | |
| [Key, Description ("The child element in the association.") ] | | | |
| CIM_ManagedSystemElement REF PartComponent; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // Dependency | | | |
| // ================================================================== | | | |
| [Association, Abstract, Description ( | | | |
| "CIM_Dependency is a generic association used to establish " | | | |
| "dependency relationships between ManagedElements.") ] | | | |
| class CIM_Dependency | | | |
| { | | | |
| [Key, Description ( | | | |
| "Antecedent represents the independent object in this " | | | |
| "association.") ] | | | |
| CIM_ManagedElement REF Antecedent; | | | |
| [Key, Description ( | | | |
| "Dependent represents the object dependent on the " | | | |
| "Antecedent.") ] | | | |
| CIM_ManagedElement REF Dependent; | | | |
| }; | | | |
| | | | |
| // =================================================================== | | | |
| // ElementSetting | | | |
| // =================================================================== | | | |
| [Association, Description ( | | | |
| "ElementSetting represents the association between Managed" | | | |
| "SystemElements and the Setting class(es) defined for them.") | | | |
| ] | | | |
| class CIM_ElementSetting | | | |
| { | | | |
| [Key, Description ("The ManagedSystemElement.") ] | | | |
| CIM_ManagedSystemElement REF Element; | | | |
| [Key, Description ( | | | |
| "The Setting object associated with the ManagedSystem" | | | |
| "Element.") ] | | | |
| CIM_Setting REF Setting; | | | |
| }; | | | |
| // ================================================================== | | | |
| // MemberOfCollection | | | |
| // ================================================================== | | | |
| [Association, Aggregation, Description ( | | | |
| "CIM_MemberOfCollection is an aggregation used to establish " | | | |
| "membership of ManagedElements in a Collection." ) ] | | | |
| class CIM_MemberOfCollection | | | |
| { | | | |
| [Key, Aggregate, Description ( | | | |
| "The Collection that aggregates members") ] | | | |
| CIM_Collection REF Collection; | | | |
| [Key, Description ("The aggregated member of the collection.") | | | |
| ] | | | |
| CIM_ManagedElement REF Member; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // CIM_SystemSettingContext | | | |
| // ================================================================== | | | |
| [Association, Aggregation, Description ( | | | |
| "This relationship associates System-specific Configuration " | | | |
| "objects with System-specific Setting objects, similar to " | | | |
| "the " | | | |
| "SettingContext association.")] | | | |
| class CIM_SystemSettingContext { | | | |
| [Aggregate, Key, Description ( | | | |
| "The Configuration object that aggregates the Setting.") ] | | | |
| CIM_SystemConfiguration REF Context; | | | |
| [Key, Description ("An aggregated Setting.")] | | | |
| CIM_SystemSetting REF Setting; | | | |
| }; | | | |
| | | | |
| Appendix B (DMTF User Model MOF) | | | |
| | | | |
| // ================================================================== | | | |
| // OrganizationalEntity | | | |
| // ================================================================== | | | |
| [Abstract, Description ( | | | |
| "OrganizationalEntity is an abstract class from which classes " | | | |
| "that fit into an organizational structure are derived.") ] | | | |
| class CIM_OrganizationalEntity : CIM_ManagedElement | | | |
| { | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // UserEntity | | | |
| // ================================================================== | | | |
| [Abstract, Description ( | | | |
| "UserEntity is an abstract class that represents users.") ] | | | |
| class CIM_UserEntity : CIM_OrganizationalEntity | | | |
| { | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // UsersAccess | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "The UsersAccess object class is used to specify a system user " | | | |
| "that is permitted access to system resources. The ManagedElement " | | | |
| "that has access to system resources (represented in the model in " | | | |
| "the ElementAsUser association) may be a person, a service, a " | | | |
| "service access point or any collection thereof. Whereas the " | | | |
| "Account class represents the user's relationship to a system " | | | |
| "from the perspective of the security services of the system, the " | | | |
| "UsersAccess class represents the relationships to the systems " | | | |
| "independent of a particular system or service.") ] | | | |
| class CIM_UsersAccess: CIM_UserEntity | | | |
| { | | | |
| [Key, MaxLen (256), Description ( | | | |
| "CreationClassName indicates the name of the class or the " | | | |
| "subclass used in the creation of an instance. When used " | | | |
| "with the other key properties of this class, this property " | | | |
| "allows all instances of this class and its subclasses to " | | | |
| "be uniquely identified.")] | | | |
| string CreationClassName; | | | |
| [Key, MaxLen (256),Description ( | | | |
| "The Name property defines the label by which the object is " | | | |
| "known.")] | | | |
| string Name; | | | |
| [Key, Description ( | | | |
| "The ElementID property uniquely specifies the ManagedElement " | | | |
| "object instance that is the user represented by the " | | | |
| "UsersAccess object instance. The ElementID is formatted " | | | |
| "similarly to a model path except that the property-value " | | | |
| "pairs are ordered in alphabetical order (US ASCII lexical " | | | |
| "order).")] | | | |
| string ElementID; | | | |
| [Description ( | | | |
| "Biometric information used to identify a person. The " | | | |
| "property value is left null or set to 'N/A' for non-human " | | | |
| "user or a user not using biometric information for " | | | |
| "authentication."), | | | |
| Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger", | | | |
| "Voice", "DNA-RNA", "EEG"} ] | | | |
| uint16 Biometric[]; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // SecurityService | | | |
| // ================================================================== | | | |
| [ Abstract, Description ( | | | |
| "CIM_SecurityService ...") ] | | | |
| class CIM_SecurityService:CIM_Service | | | |
| { | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // AuthenticationService | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "CIM_AuthenticationService verifies users' identities through " | | | |
| "some means. These services are decomposed into a subclass that " | | | |
| "provides credentials to users and a subclass that provides for " | | | |
| "the verification of the validity of a credential and, perhaps, " | | | |
| "the appropriateness of its use for access to target resources. " | | | |
| "The persistent state information used from one such verification " | | | |
| "to another is maintained in an Account for that Users Access on " | | | |
| "that AuthenticationService.") ] | | | |
| class CIM_AuthenticationService:CIM_SecurityService | | | |
| { | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // CredentialManagementService | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "CIM_CredentialManagementService issues credentials and manages " | | | |
| "the credential lifecycle.") ] | | | |
| class CIM_CredentialManagementService:CIM_AuthenticationService | | | |
| { | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // CertificateAuthority | | | |
| // ================================================================== | | | |
| [Description ("A Certificate Authority (CA) is a credential " | | | |
| "management service that issues and cryptographically " | | | |
| "signs certificates, thus acting as a trusted third-party " | | | |
| "intermediary in establishing trust relationships. The CA " | | | |
| "authenticates the holder of the private key related to the " | | | |
| "certificate's public key; the authenticated entity is " | | | |
| "represented by the UsersAccess class.") ] | | | |
| class CIM_CertificateAuthority:CIM_CredentialManagementService | | | |
| { | | | |
| [Description ( | | | |
| "The CAPolicyStatement describes what care is taken by the " | | | |
| "CertificateAuthority when signing a new certificate. " | | | |
| "The CAPolicyStatement may be a dot-delimited ASN.1 OID " | | | |
| "string which identifies the formal policy statement.") ] | | | |
| string CAPolicyStatement; | | | |
| [Description ( "A CRL, or CertificateRevocationList, is a " | | | |
| "list of certificates which the CertificateAuthority has " | | | |
| "revoked and which are not yet expired. Revocation is " | | | |
| "necessary when the private key associated with the public " | | | |
| "key of a certificate is lost or compromised, or when the " | | | |
| "person for whom the certificate is signed no longer is " | | | |
| "entitled to use the certificate."), Octetstring ] | | | |
| string CRL[]; | | | |
| [Description ("Certificate Revocation Lists may be " | | | |
| "available from a number of distribution points. " | | | |
| "CRLDistributionPoint array values provide URIs for those " | | | |
| "distribution points.")] | | | |
| string CRLDistributionPoint[]; | | | |
| [Description ( "Certificates refer to their issuing CA by " | | | |
| "its Distinguished Name (as defined in X.501)."), DN] | | | |
| string CADistinguishedName; | | | |
| [Description ( "The frequency, expressed in hours, at which " | | | |
| "the CA will update its Certificate Revocation List. Zero " | | | |
| "implies that the refresh frequency is unknown."), | | | |
| Units("Hours")] | | | |
| uint8 CRLRefreshFrequency; | | | |
| [Description ( "The maximum number of certificates in a " | | | |
| "certificate chain permitted for credentials issued by " | | | |
| "this certificate authority or its subordinate CAs.\n" | | | |
| "The MaxChainLength of a superior CA in the trust " | | | |
| "hierarchy should be greater than this value and the " | | | |
| "MaxChainLength of a subordinate CA in the trust hierarchy " | | | |
| "should be less than this value.")] | | | |
| uint8 MaxChainLength; | | | |
| }; | | | |
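Added example, not part of the draft or of the DMTF schema: consistency checks over CertificateAuthority records modeled on the properties above (CADistinguishedName, MaxChainLength, CRLRefreshFrequency, CRLDistributionPoint). The record layout, the `superior_dn` link between a CA and its issuer, and the sample DNs are assumptions of this example.

```python
"""Checks a CA hierarchy against the MaxChainLength rule stated in the MOF
(a superior CA's MaxChainLength should be greater than its subordinate's)
and flags incomplete CRL data.  Example code; names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertificateAuthority:
    ca_distinguished_name: str              # CADistinguishedName
    max_chain_length: int                   # MaxChainLength (uint8 in the MOF)
    crl_refresh_frequency: int = 0          # CRLRefreshFrequency in hours; 0 = unknown
    crl_distribution_points: List[str] = field(default_factory=list)
    superior_dn: Optional[str] = None       # assumed link to the CA above this one


Hierarchy = Dict[str, CertificateAuthority]


def build_hierarchy(cas: List[CertificateAuthority]) -> Hierarchy:
    """Index CAs by distinguished name, the name certificates use for their issuer."""
    hier: Hierarchy = {}
    for ca in cas:
        if ca.ca_distinguished_name in hier:
            raise ValueError(f"duplicate CADistinguishedName {ca.ca_distinguished_name!r}")
        hier[ca.ca_distinguished_name] = ca
    return hier


def chain_to_root(hier: Hierarchy, dn: str) -> List[CertificateAuthority]:
    """Walk superior links from `dn` to the root, refusing dangling links and cycles."""
    seen, path = set(), []
    cur: Optional[str] = dn
    while cur is not None:
        if cur in seen:
            raise ValueError(f"cycle in CA hierarchy at {cur!r}")
        if cur not in hier:
            raise ValueError(f"unknown CA {cur!r}")
        seen.add(cur)
        path.append(hier[cur])
        cur = hier[cur].superior_dn
    return path


def hierarchy_problems(hier: Hierarchy) -> List[str]:
    """Report MaxChainLength violations and missing CRL information."""
    problems: List[str] = []
    for ca in hier.values():
        dn = ca.ca_distinguished_name
        if not 0 <= ca.max_chain_length <= 255:
            problems.append(f"{dn}: MaxChainLength {ca.max_chain_length} outside uint8 range")
        if ca.superior_dn is not None:
            sup = hier.get(ca.superior_dn)
            if sup is None:
                problems.append(f"{dn}: superior CA {ca.superior_dn!r} is not modeled")
            elif not sup.max_chain_length > ca.max_chain_length:
                problems.append(
                    f"{dn}: MaxChainLength {ca.max_chain_length} not below superior "
                    f"{sup.ca_distinguished_name} ({sup.max_chain_length})")
        if ca.crl_refresh_frequency == 0:
            problems.append(f"{dn}: CRLRefreshFrequency unknown (0)")
        if not ca.crl_distribution_points:
            problems.append(f"{dn}: no CRLDistributionPoint")
    return problems


def chain_length_permitted(hier: Hierarchy, issuer_dn: str, chain_length: int) -> bool:
    """A chain issued under `issuer_dn` must fit the MaxChainLength of the issuer and of
    every CA above it, since a superior's limit also covers its subordinates' credentials."""
    return all(chain_length <= ca.max_chain_length for ca in chain_to_root(hier, issuer_dn))


def crl_is_stale(ca: CertificateAuthority, hours_since_last_update: int) -> Optional[bool]:
    """None when the refresh frequency is unknown (0); otherwise whether the CRL is overdue."""
    if ca.crl_refresh_frequency == 0:
        return None
    return hours_since_last_update > ca.crl_refresh_frequency


# Constructed sample: a root, one well-formed subordinate and one misconfigured one.
SAMPLE_CAS = [
    CertificateAuthority("CN=Example Root CA,O=Example", 4, 24,
                         ["http://crl.example/root.crl"]),
    CertificateAuthority("CN=Example Issuing CA,O=Example", 3, 12,
                         ["http://crl.example/issuing.crl"],
                         superior_dn="CN=Example Root CA,O=Example"),
    CertificateAuthority("CN=Example Misconfigured CA,O=Example", 4, 0, [],
                         superior_dn="CN=Example Root CA,O=Example"),
]

if __name__ == "__main__":
    h = build_hierarchy(SAMPLE_CAS)
    for p in hierarchy_problems(h):
        print(p)
    print(chain_length_permitted(h, "CN=Example Issuing CA,O=Example", 3))
```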
| | | | |
| // ================================================================== | | | |
| // KerberosKeyDistributionCenter | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "CIM_KerberosKeyDistributionCenter ...") ] | | | |
| class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService | | | |
| { | | | |
| [Override ("Name"), | | | |
| Description ("The Realm served by this KDC.")] | | | |
| string Name; | | | |
| [Description ("The version of Kerberos supported by this " | | | |
| "service."), | | | |
| Values {"V4", "V5", "DCE", "MS"} ] | | | |
| uint16 Protocol[]; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // Notary | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "CIM_Notary is an AuthenticationService (credential " | | | |
| "management service) which compares the " | | | |
| "biometric characteristics of a person with the " | | | |
| "known characteristics of a Users Access, and determines " | | | |
| "whether the person is the UsersAccess. An example is " | | | |
| "a bank teller who compares a picture ID with the person " | | | |
| "trying to cash a check, or a biometric login service that " | | | |
| "uses voice recognition to identify a user.") ] | | | |
| class CIM_Notary:CIM_CredentialManagementService | | | |
| { | | | |
| [Description ( "The types of biometric information which " | | | |
| "this Notary can compare."), | | | |
| Values { "N/A", "Other", "Facial", "Retina", "Mark", | | | |
| "Finger", "Voice", "DNA-RNA", "EEG"} ] | | | |
| uint16 Comparitors; | | | |
| [Description ( | | | |
| "The SealProtocol is how the decision of the Notary is " | | | |
| "recorded for future use by parties who will rely on its " | | | |
| "decision. For instance, a driver's licence frequently " | | | |
| "includes tamper-resistant coatings and markings to protect " | | | |
| "the recorded decision that a driver, having various " | | | |
| "biometric characteristics of height, weight, hair and eye " | | | |
| "color, using a particular name, has features represented in " | | | |
| "a photograph of their face.")] | | | |
| string SealProtocol; | | | |
| [Description ( | | | |
| "CharterIssued documents when the Notary is first " | | | |
| "authorized, by whoever gave it responsibility, to perform " | | | |
| "its service.")] | | | |
| datetime CharterIssued; | | | |
| [Description ( | | | |
| "CharterExpired documents when the Notary is no longer " | | | |
| "authorized, by whoever gave it responsibility, to perform " | | | |
| "its service.")] | | | |
| datetime CharterExpired; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // LocalCredentialManagementService | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "CIM_LocalCredentialManagementService is a credential " | | | |
| "management service that provides local system " | | | |
| "management of credentials used by the local system.") ] | | | |
| class | | | |
| CIM_LocalCredentialManagementService:CIM_CredentialManagementService | | | |
| { | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // SharedSecretService | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "CIM_SharedSecretService is a service which ascertains " | | | |
| "whether messages received are from the Principal with " | | | |
| "whom a secret is shared. Examples include a login " | | | |
| "service that proves identity on the basis of knowledge of " | | | |
| "the shared secret, or a transport integrity service (like " | | | |
| "Kerberos provides) that includes a message authenticity " | | | |
| "code that proves each message in the message stream came " | | | |
| "from someone who knows the shared secret session key.")] | | | |
| class CIM_SharedSecretService:CIM_LocalCredentialManagementService | | | |
| { | | | |
| [MaxLen (256), Description ( | | | |
| "The Algorithm used to convey the shared secret, such as " | | | |
| "HMAC-MD5 or PLAINTEXT.") ] | | | |
| string Algorithm; | | | |
| [Description ( | | | |
| "The Protocol supported by the SharedSecretService.")] | | | |
| string Protocol; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // PublicKeyManagementService | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "CIM_PublicKeyManagementService is a credential management " | | | |
| "service that provides local system management of public " | | | |
| "keys used by the local system.") ] | | | |
| class | | | |
| CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService | | | |
| { | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // Credential | | | |
| // ================================================================== | | | |
| [Abstract, Description ( | | | |
| "Subclasses of CIM_Credential define materials, " | | | |
| "information, or other data which are used to prove the " | | | |
| "identity of a CIM_UsersAccess to a particular " | | | |
| "CIM_SecurityService. Generally, there may be some shared " | | | |
| "information, or credential material which is used to " | | | |
| "identify and authenticate oneself in the process of " | | | |
| "gaining access to, or permission to use, an Account. " | | | |
| "Such credential material may be used to authenticate a " | | | |
| "users access identity initially, as done by a " | | | |
| "CIM_AuthenticationService (see later), and additionally on " | | | |
| "an ongoing basis during the course of a connection or " | | | |
| "other security association, as proof that each received " | | | |
| "message or communication came from the owning user access " | | | |
| "of that credential material.") ] | | | |
| class CIM_Credential:CIM_ManagedElement | | | |
| { | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // PublicKeyCertificate | | | |
| // ================================================================== | | | |
| [Description ("A Public Key Certificate is a credential " | | | |
| "that is cryptographically signed by a trusted Certificate " | | | |
| "Authority (CA) and issued to an authenticated entity " | | | |
| "(e.g., human user, service, etc.) called the Subject in " | | | |
| "the certificate and represented by the UsersAccess class. " | | | |
| "The public key in the certificate is cryptographically " | | | |
| "related to a private key that is to be held and kept " | | | |
| "private by the authenticated Subject. The certificate " | | | |
| "and its related private key can then be used for " | | | |
| "establishing trust relationships and securing " | | | |
| "communications with the Subject. Refer to the ITU/CCITT " | | | |
| "X.509 standard as an example of such certificates.") ] | | | |
| class CIM_PublicKeyCertificate:CIM_Credential | | | |
| { | | | |
| [Propagated ("CIM_System.CreationClassName"), | | | |
| Key, MaxLen (256), Description ("Scoping System")] | | | |
| string SystemCreationClassName; | | | |
| [Propagated ("CIM_System.Name"), | | | |
| Key, MaxLen (256), Description ("Scoping System")] | | | |
| string SystemName; | | | |
| [Propagated ("CIM_CertificateAuthority.CreationClassName"), | | | |
| Key, MaxLen (256), Description ("Scoping Service")] | | | |
| string ServiceCreationClassName; | | | |
| [Propagated ("CIM_CertificateAuthority.Name"), | | | |
| Key, MaxLen (256), Description ("Scoping Service")] | | | |
| string ServiceName; | | | |
| [Key, MaxLen (256), Description ( | | | |
| "Certificate subject identifier")] | | | |
| string Subject; | | | |
| [MaxLen (256), Description ( | | | |
| "Alternate subject identifier for the Certificate.")] | | | |
| string AltSubject; | | | |
| [Description ("The DER-encoded raw public key."), Octetstring] | | | |
| uint8 PublicKey[]; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // UnsignedPublicKey | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "A CIM_UnsignedPublicKey represents an unsigned public " | | | |
| "key credential. The local UsersAccess (or subclass " | | | |
| "thereof) accepts the public key as authentic because of " | | | |
| "a direct trust relationship rather than via a third-party " | | | |
| "Certificate Authority.") ] | | | |
| class CIM_UnsignedPublicKey:CIM_Credential | | | |
| { | | | |
| [Propagated ("CIM_System.CreationClassName"), | | | |
| Key, MaxLen (256), Description ("Scoping System")] | | | |
| string SystemCreationClassName; | | | |
| [Propagated ("CIM_System.Name"), | | | |
| Key, MaxLen (256), Description ("Scoping System")] | | | |
| string SystemName; | | | |
| [Propagated | | | |
| ("CIM_PublicKeyManagementService.CreationClassName"), | | | |
| Key, MaxLen (256), Description ("Scoping Service")] | | | |
| string ServiceCreationClassName; | | | |
| [Propagated ("CIM_PublicKeyManagementService.Name"), | | | |
| Key, MaxLen (256), Description ("Scoping Service")] | | | |
| string ServiceName; | | | |
| [Key, MaxLen (256), Description ( | | | |
| "The Identity of the Peer with whom a direct trust " | | | |
| "relationship exists. The public key may be used for " | | | |
| "security functions with the Peer."), | | | |
| ModelCorrespondence | | | |
| {"CIM_UnsignedPublicKey.PeerIdentityType" } ] | | | |
| string PeerIdentity; | | | |
| [Description ("PeerIdentityType is used to describe the " | | | |
| "type of the PeerIdentity. The currently defined values " | | | |
| "are used for IKE identities."), | | | |
| ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8", | | | |
| "9", "10", "11"}, | | | |
| Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN", | | | |
| "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", | | | |
| "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", | | | |
| "DER_ASN1_GN", "KEY_ID"}, | | | |
| ModelCorrespondence | | | |
| {"CIM_UnsignedPublicKey.PeerIdentity" } ] | | | |
| uint16 PeerIdentityType; | | | |
| [Description ("The DER-encoded raw public key."), | | | |
| Octetstring] | | | |
| uint8 PublicKey[]; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // KerberosTicket | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "A CIM_KerberosTicket represents a credential issued by a " | | | |
| "particular Kerberos Key Distribution Center (KDC) " | | | |
| "to a particular CIM_UsersAccess as the result of a " | | | |
| "successful authentication process. There are two types of " | | | |
| "tickets that a KDC may issue to a Users Access - a " | | | |
| "TicketGranting ticket, which is used to protect and " | | | |
| "authenticate communications between the Users Access and " | | | |
| "the KDC, and a Session ticket, which the KDC issues to two " | | | |
| "Users Access to allow them to communicate with each other.") ] | | | |
| class CIM_KerberosTicket:CIM_Credential | | | |
| { | | | |
| [Propagated ("CIM_System.CreationClassName"), Key, | | | |
| MaxLen (256), Description ("Scoping System")] | | | |
| string SystemCreationClassName; | | | |
| [Propagated ("CIM_System.Name"), Key, | | | |
| MaxLen (256), Description ("Scoping System")] | | | |
| string SystemName; | | | |
| [Key, MaxLen (256), Propagated | | | |
| ("CIM_KerberosKeyDistributionCenter.CreationClassName"), | | | |
| Description ("Scoping Service")] | | | |
| string ServiceCreationClassName; | | | |
| [Propagated ("CIM_KerberosKeyDistributionCenter.Name"), | | | |
| Key, MaxLen (256), | | | |
| Description ("Scoping Service. The Kerberos KDC Realm of " | | | |
| "CIM_KerberosTicket is used to record the security " | | | |
| "authority, or Realm, name so that tickets issued by " | | | |
| "different Realms can be separately managed and " | | | |
| "enumerated.")] | | | |
| string ServiceName; | | | |
| [Key, MaxLen (256), Description ("The name of the service " | | | |
| "for which this ticket is used.")] | | | |
| string AccessesService; | | | |
| [Key, MaxLen (256), Description ( | | | |
| "RemoteID is the name by which the user is known at " | | | |
| "the KDC security service.")] | | | |
| string RemoteID; | | | |
| datetime Issued; | | | |
| datetime Expires; | | | |
| [Description ( | | | |
| "The Type of CIM_KerberosTicket is used to indicate whether " | | | |
| "the ticket in question was issued by the Kerberos Key " | | | |
| "Distribution Center (KDC) to support ongoing communication " | | | |
| "between the Users Access and the KDC (\"TicketGranting\"), " | | | |
| "or was issued by the KDC to support ongoing communication " | | | |
| "between two Users Access entities (\"Session\")." ), | | | |
| Values {"Session", "TicketGranting"}] | | | |
| uint16 TicketType; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // SharedSecret | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "CIM_SharedSecret is the secret shared between a Users Access " | | | |
| "and a particular SharedSecret security service. Secrets " | | | |
| "may be in the form of a password used for initial " | | | |
| "authentication, or as with a session key, used as part of " | | | |
| "a message authentication code to verify that a message " | | | |
| "originated by the principal with whom the secret is shared. " | | | |
| "It is important to note that SharedSecret is not just the " | | | |
| "password, but rather is the password used with a particular " | | | |
| "security service.")] | | | |
| class CIM_SharedSecret:CIM_Credential | | | |
| { | | | |
| [Propagated ("CIM_System.CreationClassName"), Key, | | | |
| MaxLen (256), Description ("Scoping System")] | | | |
| string SystemCreationClassName; | | | |
| [Propagated ("CIM_System.Name"), Key, | | | |
| MaxLen (256), Description ("Scoping System")] | | | |
| string SystemName; | | | |
| [Key, MaxLen (256), Propagated | | | |
| ("CIM_SharedSecretService.CreationClassName"), | | | |
| Description ("Scoping Service")] | | | |
| string ServiceCreationClassName; | | | |
| [Propagated ("CIM_SharedSecretService.Name"), | | | |
| Key, MaxLen (256), | | | |
| Description ("Scoping Service")] | | | |
| string ServiceName; | | | |
| [Key, MaxLen (256), Description ( | | | |
| "RemoteID is the name by which the user is known at " | | | |
| "the remote secret key authentication service.")] | | | |
| string RemoteID; | | | |
| [Description ( | | | |
| "secret is the secret known by the Users Access.")] | | | |
| string secret; | | | |
| [Description ( | | | |
| "algorithm names the transformation algorithm, if any, used " | | | |
| "to protect passwords before use in the protocol. For " | | | |
| "instance, Kerberos doesn't store passwords as the shared " | | | |
| "secret, but rather, a hash of the password.")] | | | |
| string algorithm; | | | |
| [Description ( | | | |
| "protocol names the protocol with which the SharedSecret is " | | | |
| "used.")] | | | |
| string protocol; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // NamedSharedIKESecret | | | |
| // ================================================================== | | | |
| [Description ( | | | |
| "CIM_NamedSharedIKESecret indirectly represents a shared " | | | |
| "secret credential. The local identity, IKEIdentity, " | | | |
| "and the remote peer identity share the secret that is " | | | |
| "named by the SharedSecretName. The SharedSecretName is " | | | |
| "used by the SharedSecretService to reference the secret.") ] | | | |
| class CIM_NamedSharedIKESecret:CIM_Credential | | | |
| { | | | |
| [Propagated ("CIM_System.CreationClassName"), | | | |
| Key, MaxLen (256), Description ("Scoping System")] | | | |
| string SystemCreationClassName; | | | |
| [Propagated ("CIM_System.Name"), | | | |
| Key, MaxLen (256),Description ("Scoping System")] | | | |
| string SystemName; | | | |
| [Propagated ("CIM_SharedSecretService.CreationClassName"), | | | |
| Key, MaxLen (256), Description ("Scoping Service")] | | | |
| string ServiceCreationClassName; | | | |
| [Propagated ("CIM_SharedSecretService.Name"), | | | |
| Key, MaxLen (256), Description ("Scoping Service")] | | | |
| string ServiceName; | | | |
| [Key, MaxLen (256), Description ( | | | |
| "The local Identity with whom the direct trust " | | | |
| "relationship exists."), | | | |
| ModelCorrespondence | | | |
| {"CIM_NamedSharedIKESecret.LocalIdentityType" } ] | | | |
| string LocalIdentity; | | | |
| [Key, Description ("LocalIdentityType is used to describe " | | | |
| "the type of the LocalIdentity."), | | | |
| ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", | | | |
| "9", "10", "11"}, | | | |
| Values {"IPV4_ADDR", "FQDN", "USER_FQDN", | | | |
| "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", | | | |
| "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", | | | |
| "DER_ASN1_GN", "KEY_ID"}, | | | |
| ModelCorrespondence | | | |
| {"CIM_NamedSharedIKESecret.LocalIdentity" } ] | | | |
| uint16 LocalIdentityType; | | | |
| [Key, MaxLen (256), Description ( | | | |
| "The peer identity with whom the direct trust " | | | |
| "relationship exists."), | | | |
| ModelCorrespondence | | | |
| {"CIM_NamedSharedIKESecret.PeerIdentityType" } ] | | | |
| string PeerIdentity; | | | |
| [Key, Description ("PeerIdentityType is used to describe " | | | |
| "the type of the PeerIdentity."), | | | |
| ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", | | | |
| "9", "10", "11"}, | | | |
| Values {"IPV4_ADDR", "FQDN", "USER_FQDN", | | | |
| "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", | | | |
| "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", | | | |
| "DER_ASN1_GN", "KEY_ID"}, | | | |
| ModelCorrespondence | | | |
| {"CIM_NamedSharedIKESecret.PeerIdentity" } ] | | | |
| uint16 PeerIdentityType; | | | |
| [Description ("SharedSecretName is an indirect reference " | | | |
| "to a shared secret. The SecretService does not expose " | | | |
| "the actual secret but rather provides access to the " | | | |
| "secret via a name.")] | | | |
| string SharedSecretName; | | | |
| }; | | | |
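Added example, not part of the draft or of the DMTF schema: an in-memory SharedSecretService that resolves a CIM_NamedSharedIKESecret by its SharedSecretName and only ever returns a message authentication code, never the secret itself, as the SharedSecretService and NamedSharedIKESecret descriptions above require. The class layout, the text forms assumed for subnets ("a.b.c.d/n") and ranges ("lo-hi"), the HMAC algorithm names and the sample identities are assumptions of this example.

```python
"""Example code (not the DMTF model's own): validates the identity key
properties of a NamedSharedIKESecret against the ValueMap in the MOF and
resolves the named secret inside a SharedSecretService."""
import hashlib
import hmac
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# LocalIdentityType / PeerIdentityType ValueMap -> Values, as listed in the MOF.
IDENTITY_TYPES = {
    1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 4: "IPV4_ADDR_SUBNET",
    5: "IPV6_ADDR", 6: "IPV6_ADDR_SUBNET", 7: "IPV4_ADDR_RANGE",
    8: "IPV6_ADDR_RANGE", 9: "DER_ASN1_DN", 10: "DER_ASN1_GN", 11: "KEY_ID",
}
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def identity_is_valid(value: str, id_type: int) -> bool:
    """Syntactic check that an identity string agrees with its declared IKE ID type."""
    kind = IDENTITY_TYPES.get(id_type)
    try:
        if kind in ("IPV4_ADDR", "IPV6_ADDR"):
            return ipaddress.ip_address(value).version == (4 if kind.startswith("IPV4") else 6)
        if kind in ("IPV4_ADDR_SUBNET", "IPV6_ADDR_SUBNET"):
            net = ipaddress.ip_network(value, strict=True)     # "10.1.0.0/16" form (assumed)
            return net.version == (4 if kind.startswith("IPV4") else 6)
        if kind in ("IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE"):
            lo, hi = (ipaddress.ip_address(p) for p in value.split("-", 1))  # "lo-hi" (assumed)
            return lo.version == hi.version == (4 if kind.startswith("IPV4") else 6) and lo <= hi
        if kind == "FQDN":
            return len(value) <= 253 and _FQDN_RE.match(value) is not None
        if kind == "USER_FQDN":
            user, at, host = value.partition("@")
            return bool(user) and at == "@" and identity_is_valid(host, 2)
        if kind in ("DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"):
            return len(value) > 0            # opaque here; only non-empty is required
    except ValueError:
        return False
    return False                             # type not in the ValueMap


@dataclass(frozen=True)
class NamedSharedIKESecret:
    local_identity: str
    local_identity_type: int
    peer_identity: str
    peer_identity_type: int
    shared_secret_name: str                  # indirect reference; the secret is not held here

    def problems(self) -> List[str]:
        """Validation findings; an empty list means the key properties are consistent."""
        found: List[str] = []
        for label, val, typ in (("LocalIdentity", self.local_identity, self.local_identity_type),
                                ("PeerIdentity", self.peer_identity, self.peer_identity_type)):
            if typ not in IDENTITY_TYPES:
                found.append(f"{label}Type {typ} is not in the ValueMap")
            elif not identity_is_valid(val, typ):
                found.append(f"{label} {val!r} is not a valid {IDENTITY_TYPES[typ]}")
        if not self.shared_secret_name:
            found.append("SharedSecretName is empty")
        return found


class SharedSecretService:
    """Keeps secrets by SharedSecretName and exposes only MAC computation and verification."""
    _DIGESTS = {"HMAC-MD5": hashlib.md5, "HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

    def __init__(self, algorithm: str = "HMAC-SHA256") -> None:
        if algorithm not in self._DIGESTS:
            raise ValueError(f"unsupported Algorithm {algorithm!r}")
        self.algorithm = algorithm           # CIM_SharedSecretService.Algorithm
        self._secrets: Dict[str, bytes] = {}

    def store(self, name: str, secret: bytes) -> None:
        self._secrets[name] = secret

    def mac(self, cred: NamedSharedIKESecret, message: bytes) -> bytes:
        """Resolve the name and return a MAC over `message`; the key never leaves the service."""
        issues = cred.problems()
        if issues:
            raise ValueError("; ".join(issues))
        key = self._secrets.get(cred.shared_secret_name)
        if key is None:
            raise LookupError(f"no secret named {cred.shared_secret_name!r}")
        return hmac.new(key, message, self._DIGESTS[self.algorithm]).digest()

    def verify(self, cred: NamedSharedIKESecret, message: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.mac(cred, message), tag)


# Constructed sample: a local gateway identified by address, a peer by FQDN, one named secret.
SAMPLE_CRED = NamedSharedIKESecret("192.0.2.1", 1, "vpn.example.net", 2, "site-a-to-site-b")

if __name__ == "__main__":
    svc = SharedSecretService("HMAC-SHA256")
    svc.store("site-a-to-site-b", b"constructed demo secret")
    tag = svc.mac(SAMPLE_CRED, b"IKE payload")
    print(svc.verify(SAMPLE_CRED, b"IKE payload", tag), svc.verify(SAMPLE_CRED, b"tampered", tag))
```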
| | | | |
| // ================================================================== | | | |
| // === Association class definitions === | | | |
| // ================================================================== | | | |
| | | | |
| // ================================================================== | | | |
| // ElementAsUser | | | |
| // ================================================================== | | | |
| [Association, Description ( | | | |
| "CIM_ElementAsUser is an association used to establish the " | | | |
| "'ownership' of UsersAccess object instances. That is, the " | | | |
| "ManagedElement may have UsersAccess to systems and, therefore, " | | | |
| "be 'users' on those systems. UsersAccess instances must have an " | | | |
| "'owning' ManagedElement. Typically, the ManagedElements will be " | | | |
| "limited to Collection, Person, Service and ServiceAccessPoint. " | | | |
| "Other non-human ManagedElements that might be thought of as " | | | |
| "having UsersAccess (e.g., a device or system) have services that " | | | |
| "have the UsersAccess.")] | | | |
| class CIM_ElementAsUser : CIM_Dependency | | | |
| { | | | |
| [Min (1), Max (1), Override ("Antecedent"), | | | |
| Description ("The ManagedElement that has UsersAccess") ] | | | |
| CIM_ManagedElement REF Antecedent; | | | |
| [Override ("Dependent"), | | | |
| Description ("The 'owned' UsersAccess") ] | | | |
| CIM_UsersAccess REF Dependent; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // UsersCredential | | | |
| // ================================================================== | | | |
| [Association, Description ( | | | |
| "CIM_UsersCredential is an association used to establish the " | | | |
| "credentials that may be used for a UsersAccess to a system or " | | | |
| "set of systems. " )] | | | |
| class CIM_UsersCredential : CIM_Dependency | | | |
| { | | | |
| [Override ("Antecedent"), | | | |
| Description ("The issued credential that may be used.") ] | | | |
| CIM_Credential REF Antecedent; | | | |
| [Override ("Dependent"), | | | |
| Description ("The UsersAccess that has use of a credential") ] | | | |
| CIM_UsersAccess REF Dependent; | | | |
| }; | | | |
| | | | |
| // =================================================================== | | | |
| // PublicPrivateKeyPair | | | |
| // =================================================================== | | | |
| [Association, Description ( | | | |
| "This relationship associates a PublicKeyCertificate with " | | | |
| "the Principal who has the PrivateKey used with the " | | | |
| "PublicKey. The PrivateKey is not modeled, since it is not " | | | |
| "a data element that ever SHOULD be accessible via " | | | |
| "management applications, other than key recovery services, " | | | |
| "which are outside our scope.") ] | | | |
| class CIM_PublicPrivateKeyPair:CIM_UsersCredential | | | |
| { | | | |
| [ Override ("Antecedent") ] | | | |
| CIM_PublicKeyCertificate REF Antecedent; | | | |
| [ Override ("Dependent") ] | | | |
| CIM_UsersAccess REF Dependent; | | | |
| [Description ( "The Certificate may be used for signature only " | | | |
| "or for confidentiality as well as signature."), | | | |
| Values { "SignOnly", "ConfidentialityOrSignature"} ] | | | |
| uint16 Use; | | | |
| boolean NonRepudiation; | | | |
| boolean BackedUp; | | | |
| [Description ("The repository in which the certificate is " | | | |
| "backed up.")] | | | |
| string Repository; | | | |
| }; | | | |
| | | | |
| // =================================================================== | | | |
| // CAHasPublicCertificate | | | |
| // =================================================================== | | | |
| [Association, Description ( | | | |
| "A CertificateAuthority may have certificates issued by other CAs. " | | | |
| "This association is essentially an optimization of the CA having " | | | |
| "a UsersAccess instance with an association to a certificate thus " | | | |
| "mapping more closely to LDAP-based certificate authority " | | | |
| "implementations.") ] | | | |
| class CIM_CAHasPublicCertificate:CIM_Dependency | | | |
| { | | | |
| [Max (1), Override ("Antecedent"), | | | |
| Description ("The Certificate used by the CA")] | | | |
| CIM_PublicKeyCertificate REF Antecedent; | | | |
| [Override ("Dependent"), | | | |
| Description ("The CA that uses a Certificate")] | | | |
| CIM_CertificateAuthority REF Dependent; | | | |
| }; | | | |
| | | | |
| // =================================================================== | | | |
| // ManagedCredential | | | |
| // =================================================================== | | | |
| [Association, Description ( | | | |
| "This relationship associates a CredentialManagementService " | | | |
| "with the Credential it manages.") ] | | | |
| class CIM_ManagedCredential:CIM_Dependency | | | |
| { | | | |
| [Override ("Antecedent"), Min (1), Max (1), | | | |
| Description ( "The credential management service")] | | | |
| CIM_CredentialManagementService REF Antecedent; | | | |
| [Override ("Dependent"), | | | |
| Description ( "The managed credential")] | | | |
| CIM_Credential REF Dependent; | | | |
| }; | | | |
| | | | |
| // =================================================================== | | | |
| // CASignsPublicKeyCertificate | | | |
| // =================================================================== | | | |
| [Association, Description ( | | | |
| "This relationship associates a CertificateAuthority with " | | | |
| "the certificates it signs.") ] | | | |
| class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential | | | |
| { | | | |
| [Override ("Antecedent"), Min (1), Max (1), | | | |
| Description ( "The CA which signed the certificate")] | | | |
| CIM_CertificateAuthority REF Antecedent; | | | |
| [Override ("Dependent"), Weak, | | | |
| Description ( "The certificate issued by the CA")] | | | |
| CIM_PublicKeyCertificate REF Dependent; | | | |
| string SerialNumber; | | | |
| [ Octetstring ] | | | |
| uint8 Signature[]; | | | |
| datetime Expires; | | | |
| string CRLDistributionPoint[]; | | | |
| }; | | | |
| | | | |
| // ================================================================== | | | |
| // LocallyManagedPublicKey | | | |
| // ================================================================== | | | |
| [Association, Description ( | | | |
| "CIM_LocallyManagedPublicKey association provides the " | | | |
| "relationship between a PublicKeyManagementService and an " | | | |
| "UnsignedPublicKey.") ] | | | |
| class CIM_LocallyManagedPublicKey:CIM_ManagedCredential | | | |
| { | | | |
| [Override ("Antecedent"), Min (1), Max (1), | | | |
| Description ("The PublicKeyManagementService that manages " | | | |
| "an unsigned public key.") ] | | | |
| CIM_PublicKeyManagementService REF Antecedent; | | | |
| [Override ("Dependent"), Weak, Description ( | | | |
        "An unsigned public key.") ]
    CIM_UnsignedPublicKey REF Dependent;
};

// ===================================================================
// SharedSecretIsShared
// ===================================================================
[Association, Description (
    "This relationship associates a SharedSecretService with the "
    "SecretKey it verifies.") ]
class CIM_SharedSecretIsShared : CIM_ManagedCredential
{
    [Override ("Antecedent"), Min (1), Max (1),
        Description ("The credential management service")]
    CIM_SharedSecretService REF Antecedent;
    [Override ("Dependent"), Weak,
        Description ( "The managed credential")]
    CIM_SharedSecret REF Dependent;
};

// ==================================================================
// IKESecretIsNamed
// ==================================================================
[Association, Description (
    "CIM_IKESecretIsNamed association provides the "
    "relationship between a SharedSecretService and a "
    "NamedSharedIKESecret.") ]
class CIM_IKESecretIsNamed : CIM_ManagedCredential
{
    [Override ("Antecedent"), Min (1), Max (1),
        Description ("The SharedSecretService that manages a "
        "NamedSharedIKESecret.")]
    CIM_SharedSecretService REF Antecedent;
    [Override ("Dependent"), Weak, Description (
        "The managed NamedSharedIKESecret.") ]
    CIM_NamedSharedIKESecret REF Dependent;
};

// ===================================================================
// KDCIssuesKerberosTicket
// ===================================================================
[Association, Description (
    "The KDC issues and owns Kerberos tickets. This association "
    "captures the relationship between the KDC and its issued tickets."
    ) ]
class CIM_KDCIssuesKerberosTicket : CIM_ManagedCredential
{
    [Override ("Antecedent"), Min (1), Max (1),
        Description ( "The issuing KDC") ]
    CIM_KerberosKeyDistributionCenter REF Antecedent;
    [Override ("Dependent"), Weak,
        Description ( "The managed credential")]
    CIM_KerberosTicket REF Dependent;
};

// ===================================================================
// NotaryVerifiesBiometric
// ===================================================================
[Association, Description (
    "This relationship associates a Notary service with the "
    "UsersAccess whose biometric information is verified.") ]
class CIM_NotaryVerifiesBiometric : CIM_Dependency
{
    [Override ("Antecedent"),
        Description ("The Notary service that verifies biometric "
        "information") ]
    CIM_Notary REF Antecedent;
    [Override ("Dependent"),
        Description ( "The UsersAccess that represents a person using "
        "biometric information for authentication.")]
    CIM_UsersAccess REF Dependent;
};

Appendix C (DMTF Network Model MOF)

// ==================================================================
// NetworkService
// ==================================================================
[Abstract, Description (
    "This is an abstract base class, derived from the Service "
    "class. It serves as the root of the network service "
    "hierarchy. Network services represent generic functions "
    "that are available from the network that configure and/or "
    "modify the traffic being sent. For example, FTP is not a "
    "network service, as it simply passes data unchanged from "
    "source to destination. On the other hand, services "
    "that provide quality of service (e.g., DiffServ) and "
    "security (e.g., IPSec) do affect the traffic stream. "
    "Quality of service, IPSec, and other services are "
    "subclasses of this class. This class hierarchy enables "
    "developers to match services to users, groups, "
    "and other objects in the network.") ]

class CIM_NetworkService : CIM_Service
{
    [Description (
        "This is a free-form array of strings that provide "
        "descriptive words and phrases that can be used in queries "
        "to help locate and identify instances of this service.") ]
    string Keywords [ ];
    [Description (
        "This is a URL that provides the protocol, network "
        "location, and other service-specific information required "
        "in order to access the service. This should be implemented "
        "as a LabeledURI, with syntax DirectoryString and a "
        "matching rule of CaseExactMatch, for directory "
        "implementors.") ]
    string ServiceURL;
    [Description (
        "This is a free-form array of strings that specify any "
        "specific pre-conditions that must be met in order for this "
        "service to start correctly. It is expected that subclasses "
        "will refine the inherited StartService() and StopService() "
        "methods to suit their own application-specific needs. This "
        "property is used to specify application-specific conditions "
        "needed by the refined StartService and StopService "
        "methods.") ]
    string StartupConditions [ ];
    [Description (
        "This is a free-form array of strings that specify any "
        "specific parameters that must be supplied to the "
        "StartService() method in order for this service to start "
        "correctly. It is expected that subclasses will refine the "
        "inherited StartService() and StopService() methods to suit "
        "their own application-specific needs. This property is used "
        "to specify application-specific parameters needed by the "
        "refined StartService and StopService methods.") ]
    string StartupParameters [ ];
};

// ==================================================================
// ProtocolEndpoint
// ==================================================================
[Description (
    "A communication point from which data may be sent or "
    "received. ProtocolEndpoints link router interfaces and "
    "switch ports to LogicalNetworks.") ]

class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint
{
    [Override ("Name"), MaxLen(256), Description (
        "A string which identifies this ProtocolEndpoint with either "
        "a port or an interface on a device. To ensure uniqueness, "
        "the Name property should be prepended or appended with "
        "information from the Type or OtherTypeDescription "
        "properties. The method chosen is described in the "
        "NameFormat property of this class.") ]
    string Name;
    [MaxLen (256), Description (
        "NameFormat contains the naming heuristic that is chosen to "
        "ensure that the value of the Name property is unique. For "
        "example, one might choose to prepend the name of the port "
        "or interface with the Type of ProtocolEndpoint that this "
        "instance is (e.g., IPv4) followed by an underscore.") ]
    string NameFormat;
    [MaxLen (64), Description (
        "ProtocolType is an enumeration that provides additional "
        "information that can be used to help categorize and "
        "classify different instances of this class."),
        ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
                   "10", "11", "12", "13", "14", "15", "16", "17",
                   "18", "19", "20", "21"},
        Values { "Unknown", "Other", "IPv4", "IPv6", "IPX",
                 "AppleTalk", "DECnet", "SNA", "CONP", "CLNP",
                 "VINES", "XNS", "ATM", "Frame Relay",
                 "Ethernet", "TokenRing", "FDDI", "Infiniband",
                 "Fibre Channel", "ISDN BRI Endpoint",
                 "ISDN B Channel Endpoint", "ISDN D Channel Endpoint"
               },
        ModelCorrespondence {
            "CIM_ProtocolEndpoint.OtherTypeDescription"} ]
    string ProtocolType;
    [MaxLen(64), Description (
        "A string describing the type of ProtocolEndpoint that this "
        "instance is when the Type property of this class (or any of "
        "its subclasses) is set to 1 (e.g., 'Other'). The format of "
        "the string inserted in this property should be similar in "
        "format to the values defined for the Type property. This "
        "property should be set to NULL when the Type property is "
        "any value other than 1."),
        ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} ]
    string OtherTypeDescription;
};

// ==================================================================
// IPProtocolEndpoint
// ==================================================================
[Description (
    "A ProtocolEndpoint that is dedicated to running IP.") ]

class CIM_IPProtocolEndpoint : CIM_ProtocolEndpoint
{
    [Description (
        "The IP address that this ProtocolEndpoint represents, "
        "formatted according to the appropriate convention as "
        "defined in the AddressType property of this class "
        "(e.g., 171.79.6.40).") ]
    string Address;
    [Description (
        "The mask for the IP address of this ProtocolEndpoint, "
        "formatted according to the appropriate convention as "
        "defined in the AddressType property of this class "
        "(e.g., 255.255.252.0).") ]
    string SubnetMask;
    [Description (
        "An enumeration that describes the format of the address "
        "property. Whenever possible, IPv4-compatible addresses "
        "should be used instead of native IPv6 addresses (see "
        "RFC 2373, section 2.5.4). In order to have a consistent "
        "format for IPv4 addresses in a mixed IPv4/v6 environment, "
        "all IPv4 addresses and both IPv4-compatible IPv6 addresses "
        "and IPv4-mapped IPv6 addresses, per RFC 2373, section "
        "2.5.4, should be formatted in standard IPv4 format. "
        "However, this (the 2.2) version of the Network Common "
        "Model will not explicitly support mixed IPv4/IPv6 "
        "environments. This will be added in a future release."),
        ValueMap { "0", "1", "2" },
        Values { "Unknown", "IPv4", "IPv6" } ]
    uint16 AddressType;
    [Description (
        "It is not possible to tell from the address alone if a "
        "given IPProtocolEndpoint can support IPv4 and IPv6, or "
        "just one of these. This property explicitly defines the "
        "support for different versions of IP that this "
        "IPProtocolEndpoint has. "
        "\n\n"
        "More implementation experience is needed in order to "
        "correctly model mixed IPv4/IPv6 networks; therefore, this "
        "version (2.2) of the Network Common Model will not support "
        "mixed IPv4/IPv6 environments. This will be looked at "
        "further in a future version."),
        ValueMap { "0", "1", "2" },
        Values { "Unknown", "IPv4 Only", "IPv6 Only" } ]
    uint16 IPVersionSupport;
};

// ===================================================================
// CIM_FilterEntryBase
// ===================================================================
[Description (
    "FilterEntryBase is an abstract class to define the naming "
    "of all filter entries, and to allow their common "
    "aggregation into FilterLists. The FilterEntry subclass "
    "represents packet filtering. Other types of Entries are "
    "possible - for example, to filter security credentials. \n"
    "FilterEntryBase is weak to the network device (e.g., the "
    "ComputerSystem) that contains it. Hence, the ComputerSystem "
    "keys are propagated to this class.") ]

class CIM_FilterEntryBase : CIM_LogicalElement
{
    [Propagated ("CIM_ComputerSystem.CreationClassName"), Key,
        MaxLen (256),
        Description (
        "The scoping ComputerSystem's CreationClassName.") ]
    string SystemCreationClassName;
    [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256),
        Description (
        "The scoping ComputerSystem's Name.") ]
    string SystemName;
    [Key, MaxLen (256),
        Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.") ]
    string CreationClassName;
    [Key, MaxLen (256),
        Description (
        "The Name property defines the label by which the Filter"
        "Entry is known and uniquely identified.") ]
    string Name;
    [Description (
        "Boolean indicating that the match condition described "
        "in the properties of the FilterEntryBase subclass "
        "should be negated.") ]
    boolean IsNegated;
};
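
As an added example, not taken from the draft or the DMTF schema: a small Python evaluator for the IPHeaderFilter entry defined next, applying the masked source/destination address compare, the ProtocolID compare and the inclusive source-port range that its descriptions specify, together with IsNegated from FilterEntryBase above. The class and function names, the treatment of an unset ProtocolID as "any protocol", the omission of the IPv6 scope-identifier size, and the sample filter are assumptions made for this example.

```python
"""Added example (not from the draft or the DMTF schema): evaluates a
CIM_IPHeaderFilter-style entry against packet header fields using the
semantics the MOF descriptions give."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# OctetString sizes prescribed by IpVersion; the IPv6 scope-id form is omitted
ADDR_LEN = {4: 4, 6: 16}


@dataclass
class IPHeaderFilter:
    ip_version: int                    # IpVersion: 4 or 6
    src_address: bytes                 # SrcAddress
    src_mask: bytes                    # SrcMask
    dest_address: bytes                # DestAddress
    dest_mask: bytes                   # DestMask
    protocol_id: Optional[int] = None  # ProtocolID; None = any protocol (assumption)
    src_port_start: int = 0            # SrcPortStart..SrcPortEnd, both inclusive
    src_port_end: int = 65535
    is_negated: bool = False           # IsNegated, inherited from FilterEntryBase

    def __post_init__(self) -> None:
        # Enforce the size rule tied to IpVersion and the SrcPortStart <= SrcPortEnd MUST
        n = ADDR_LEN[self.ip_version]
        for name in ("src_address", "src_mask", "dest_address", "dest_mask"):
            if len(getattr(self, name)) != n:
                raise ValueError(f"{name} must be {n} octets for IPv{self.ip_version}")
        if self.src_port_start > self.src_port_end:
            raise ValueError("SrcPortStart MUST be no greater than SrcPortEnd")


def _masked_eq(value: bytes, ref: bytes, mask: bytes) -> bool:
    """Compare only the bits selected by the mask, octet by octet."""
    return all((v & m) == (r & m) for v, r, m in zip(value, ref, mask))


def matches(f: IPHeaderFilter, src: str, dst: str, proto: int, sport: int) -> bool:
    """True when the header fields satisfy the entry, after applying IsNegated."""
    s = ipaddress.ip_address(src).packed
    d = ipaddress.ip_address(dst).packed
    if len(s) != ADDR_LEN[f.ip_version] or len(d) != ADDR_LEN[f.ip_version]:
        return False  # an entry never applies to packets of the other IP version
    hit = (_masked_eq(s, f.src_address, f.src_mask)
           and _masked_eq(d, f.dest_address, f.dest_mask)
           and (f.protocol_id is None or proto == f.protocol_id)
           and f.src_port_start <= sport <= f.src_port_end)
    return not hit if f.is_negated else hit


# Constructed sample: TCP from 10.1.0.0/16 to host 192.0.2.7, source ports 1024-65535
SAMPLE = IPHeaderFilter(4, bytes([10, 1, 0, 0]), bytes([255, 255, 0, 0]),
                        bytes([192, 0, 2, 7]), bytes([255, 255, 255, 255]),
                        protocol_id=6, src_port_start=1024)
```
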

// ===================================================================
// CIM_IPHeaderFilter
// ===================================================================
[Description ("IPHeaderFilter contains all of the "
    "properties necessary to perform filtering on an IP header "
    "or a portion thereof.")]
class CIM_IPHeaderFilter : CIM_FilterEntryBase
{
    [Description ("IpVersion identifies the version of the IP "
        "addresses for IP header filters. It is also used to "
        "determine the sizes of the OctetStrings in the four "
        "properties SrcAddress, SrcMask, DestAddress, and DestMask, "
        "as follows:\n"
        "ipv4(4): OctetString(SIZE (4))\n"
        "ipv6(6): OctetString(SIZE (16|20)), depending on whether\n"
        " a scope identifier is present"),
        ValueMap {"4", "6" },
        Values { "IPv4", "IPv6" },
        ModelCorrespondence {
            "CIM_IPHeaderFilter.SrcAddress",
            "CIM_IPHeaderFilter.SrcMask",
            "CIM_IPHeaderFilter.DestAddress",
            "CIM_IPHeaderFilter.DestMask" } ]
    uint8 IpVersion;
    [Description ("SrcAddress is an OctetString, of a size "
        "determined by the value of the IpVersion property, "
        "representing a source IP address. This value is compared to"
        " the source address in the IP header, subject to the mask "
        "represented in the SrcMask property."),
        OCTETSTRING,
        ModelCorrespondence {"CIM_IPHeaderFilter.IpVersion"}]
    uint8 SrcAddress[];
    [Description ("SrcMask is an OctetString, of a size determined"
        " by the value of the IpVersion property, representing a mask"
        " to be used in comparing the source address in the IP header"
        " with the value represented in the SrcAddress property."),
        OCTETSTRING,
        ModelCorrespondence {"CIM_IPHeaderFilter.IpVersion"}]
    uint8 SrcMask[];
    [Description ("DestAddress is an OctetString, of a size "
        "determined by the value of the IpVersion property, "
        "representing a destination IP address. This value is "
        "compared to the destination address in the IP header, "
        "subject to the mask represented in the DestMask property."),
        OCTETSTRING,
        ModelCorrespondence {"CIM_IPHeaderFilter.IpVersion"}]
    uint8 DestAddress[];
    [Description ("DestMask is an OctetString, of a size "
        "determined by the value of the IpVersion property, "
        "representing a mask to be used in comparing the destination "
        "address in the IP header with the value represented in the "
        "DestAddress property."),
        OCTETSTRING,
        ModelCorrespondence {"CIM_IPHeaderFilter.IpVersion"}]
    uint8 DestMask[];
    [Description ("ProtocolID is an 8-bit unsigned integer, "
        "representing an IP protocol type. This value is compared to"
        " the Protocol field in the IP header.")]
    uint8 ProtocolID;
    [Description ("SrcPortStart represents the lower end of a "
        "range of UDP or TCP source ports. The upper end of the "
        "range is represented by the SrcPortEnd property. The value "
        "of SrcPortStart MUST be no greater than the value of "
        "SrcPortEnd. A single port is indicated by equal values for "
        "SrcPortStart and SrcPortEnd.\n"
        "\n"
        "A source port filter is evaluated by testing whether the "
        "source port identified in the IP header falls within the "
        "range of values between SrcPortStart and SrcPortEnd, "
        "including these two end points.")]
    uint16 SrcPortStart;
    [Description ("SrcPortEnd represents the upper end of a range "
        "of UDP or TCP source ports. The lower end of the range is "