Comparison of draft-ietf-ipsp-config-policy-model-04.txt (November 2001)
and draft-ietf-ipsp-config-policy-model-05.txt (February 2002). Where
the two revisions differ, both texts are given; otherwise the text is
common to both.

Internet Engineering Task Force                           Jamie Jason
INTERNET DRAFT                                      Intel Corporation
November-2001 (-04) / February-2002 (-05)                 Lee Rafalow
                                                                  IBM
                                                          Eric Vyncke
                                                        Cisco Systems

                   IPsec Configuration Policy Model
             draft-ietf-ipsp-config-policy-model-05.txt
     (previous revision: draft-ietf-ipsp-config-policy-model-04.txt)
Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.
Abstract (draft-05)

   This document presents an object-oriented information model of IPsec
   policy designed to:

   o facilitate agreement about the content and semantics of IPsec
     policy

   o enable derivations of task-specific representations of IPsec
     policy such as storage schema, distribution representations, and
     policy specification languages used to configure IPsec-enabled
     endpoints

   The information model described in this document models the
   configuration parameters defined by the IP Security protocol [COMP,
   ESP, AH]. The information model also covers the parameters found by
   the Internet Key Exchange [DOI, IKE] protocol. Other key exchange
   protocols could be easily added to the information model by a simple
   extension. Other extensions can further be added easily due to the
   object-oriented nature of the model.

   This information model is based upon the core policy classes as
   defined in the Policy Core Information Model (PCIM) [PCIM] and on
   the Policy Core Information Model Extensions (PCIMe) [PCIME].

Abstract (draft-04, where it differs from draft-05)

   The opening sentence read "This document presents an object-oriented
   model of IPsec policy designed to:", the two bullets were identical,
   and the closing text was a single paragraph:

   The schema described in this document models the IKE phase one
   parameters as described in [IKE] and the IKE phase two parameters
   for the IPsec Domain of Interpretation as described in [COMP, ESP,
   AH, DOI]. It is based upon the core policy classes as defined in
   the Policy Core Information Model (PCIM) [PCIM] and on the Policy
   Core Information Model Extensions (PCIMe) [PCIME].
Table of Contents (draft-05; page numbers omitted)

Status of this Memo
Abstract
Table of Contents
1. Introduction
2. UML Conventions
3. IPsec Policy Model Inheritance Hierarchy
4. Policy Classes
4.1. The Class IPsecPolicyGroup
4.2. The Class SARule
4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
       RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
       PolicyDecisionStrategy
4.2.2. The Property ExecutionStrategy
4.2.3. The Property LimitNegotiation
4.3. The Class IKERule
4.3.1. The Property IdentityContexts
4.4. The Class IPsecRule
4.5. The Association Class IPsecPolicyForEndpoint
4.5.1. The Reference Antecedent
4.5.2. The Reference Dependent
4.6. The Association Class IPsecPolicyForSystem
4.6.1. The Reference Antecedent
4.6.2. The Reference Dependent
4.7. The Aggregation Class SARuleInPolicyGroup
4.7.1. The Property Priority
4.7.2. The Reference GroupComponent
4.7.3. The Reference PartComponent
4.8. The Aggregation Class SAConditionInRule
4.8.1. The Properties GroupNumber and ConditionNegated
4.8.2. The Reference GroupComponent
4.8.3. The Reference PartComponent
4.9. The Aggregation Class PolicyActionInSARule
4.9.1. The Reference GroupComponent
4.9.2. The Reference PartComponent
4.9.3. The Property ActionOrder
5. Condition and Filter Classes
5.1. The Class SACondition
5.2. The Class IPHeadersFilter
5.3. The Class CredentialFilterEntry
5.3.1. The Property MatchFieldName
5.3.2. The Property MatchFieldValue
5.3.3. The Property CredentialType
5.4. The Class IPSOFilterEntry
5.4.1. The Property MatchConditionType
5.4.2. The Property MatchConditionValue
5.5. The Class PeerIDPayloadFilterEntry
5.5.1. The Property MatchIdentityType
5.5.2. The Property MatchIdentityValue
5.6. The Association Class FilterOfSACondition
5.6.1. The Reference Antecedent
5.6.2. The Reference Dependent
5.7. The Association Class AcceptCredentialFrom
5.7.1. The Reference Antecedent
5.7.2. The Reference Dependent
6. Action Classes
6.1. The Class SAAction
6.1.1. The Property DoActionLogging
6.1.2. The Property DoPacketLogging
6.2. The Class SAStaticAction
6.2.1. The Property LifetimeSeconds
6.3. The Class IPsecBypassAction
6.4. The Class IPsecDiscardAction
6.5. The Class IKERejectAction
6.6. The Class PreconfiguredSAAction
6.6.1. The Property LifetimeKilobytes
6.7. The Class PreconfiguredTransportAction
6.8. The Class PreconfiguredTunnelAction
6.8.1. The Property DFHandling
6.9. The Class SANegotiationAction
6.10. The Class IKENegotiationAction
6.10.1. The Property MinLifetimeSeconds
6.10.2. The Property MinLifetimeKilobytes
6.10.3. The Property IdleDurationSeconds
6.11. The Class IPsecAction
6.11.1. The Property UsePFS
6.11.2. The Property UseIKEGroup
6.11.3. The Property GroupId
6.11.4. The Property Granularity
6.11.5. The Property VendorID
6.12. The Class IPsecTransportAction
6.13. The Class IPsecTunnelAction
6.13.1. The Property DFHandling
6.14. The Class IKEAction
6.14.1. The Property ExchangeMode
6.14.2. The Property UseIKEIdentityType
6.14.3. The Property VendorID
6.14.4. The Property AggressiveModeGroupId
6.15. The Class PeerGateway
6.15.1. The Property Name
6.15.2. The Property PeerIdentityType
6.15.3. The Property PeerIdentity
6.16. The Association Class PeerGatewayForTunnel
6.16.1. The Reference Antecedent
6.16.2. The Reference Dependent
6.16.3. The Property SequenceNumber
6.17. The Aggregation Class ContainedProposal
6.17.1. The Reference GroupComponent
6.17.2. The Reference PartComponent
6.17.3. The Property SequenceNumber
6.18. The Association Class HostedPeerGatewayInformation
6.18.1. The Reference Antecedent
6.18.2. The Reference Dependent
6.19. The Association Class TransformOfPreconfiguredAction
6.19.1. The Reference Antecedent
6.19.2. The Reference Dependent
6.19.3. The Property SPI
6.19.4. The Property Direction
6.20. The Association Class PeerGatewayForPreconfiguredTunnel
6.20.1. The Reference Antecedent
6.20.2. The Reference Dependent
7. Proposal and Transform Classes
7.1. The Abstract Class SAProposal
7.1.1. The Property Name
7.2. The Class IKEProposal
7.2.1. The Property CipherAlgorithm
7.2.2. The Property HashAlgorithm
7.2.3. The Property PRFAlgorithm
7.2.4. The Property GroupId
7.2.5. The Property AuthenticationMethod
7.2.6. The Property MaxLifetimeSeconds
7.2.7. The Property MaxLifetimeKilobytes
7.2.8. The Property VendorID
7.3. The Class IPsecProposal
7.4. The Abstract Class SATransform
7.4.1. The Property TransformName
7.4.2. The Property VendorID
7.4.3. The Property MaxLifetimeSeconds
7.4.4. The Property MaxLifetimeKilobytes
7.5. The Class AHTransform
7.5.1. The Property AHTransformId
7.5.2. The Property UseReplayPrevention
7.5.3. The Property ReplayPreventionWindowSize
7.6. The Class ESPTransform
7.6.1. The Property IntegrityTransformId
7.6.2. The Property CipherTransformId
7.6.3. The Property CipherKeyLength
7.6.4. The Property CipherKeyRounds
7.6.5. The Property UseReplayPrevention
7.6.6. The Property ReplayPreventionWindowSize
7.7. The Class IPCOMPTransform
7.7.1. The Property Algorithm
7.7.2. The Property DictionarySize
7.7.3. The Property PrivateAlgorithm
7.8. The Association Class SAProposalInSystem
7.8.1. The Reference Antecedent
7.8.2. The Reference Dependent
7.9. The Aggregation Class ContainedTransform
7.9.1. The Reference GroupComponent
7.9.2. The Reference PartComponent
7.9.3. The Property SequenceNumber
7.10. The Association Class SATransformInSystem
7.10.1. The Reference Antecedent
7.10.2. The Reference Dependent
8. IKE Service and Identity Classes
8.1. The Class IKEService
8.2. The Class PeerIdentityTable
8.2.1. The Property Name (mis-numbered 8.3.1 in both drafts)
8.3. The Class PeerIdentityEntry
8.3.1. The Property PeerIdentity
8.3.2. The Property PeerIdentityType
8.3.3. The Property PeerAddress
8.3.4. The Property PeerAddressType
8.4. The Class AutostartIKEConfiguration
8.5. The Class AutostartIKESetting
8.5.1. The Property Phase1Only
8.5.2. The Property AddressType
8.5.3. The Property SourceAddress
8.5.4. The Property SourcePort
8.5.5. The Property DestinationAddress
8.5.6. The Property DestinationPort
8.5.7. The Property Protocol
8.6. The Class IKEIdentity
8.6.1. The Property IdentityType
8.6.2. The Property IdentityValue
8.6.3. The Property IdentityContexts
8.7. The Association Class HostedPeerIdentityTable
8.7.1. The Reference Antecedent
8.7.2. The Reference Dependent
8.8. The Aggregation Class PeerIdentityMember
8.8.1. The Reference Collection
8.8.2. The Reference Member
8.9. The Association Class IKEServicePeerGateway
8.9.1. The Reference Antecedent
8.9.2. The Reference Dependent
8.10. The Association Class IKEServicePeerIdentityTable
8.10.1. The Reference Antecedent
8.10.2. The Reference Dependent
8.11. The Association Class IKEAutostartSetting
8.11.1. The Reference Element
8.11.2. The Reference Setting
8.12. The Aggregation Class AutostartIKESettingContext
8.12.1. The Reference Context
8.12.2. The Reference Setting
8.12.3. The Property SequenceNumber
8.13. The Association Class IKEServiceForEndpoint
8.13.1. The Reference Antecedent
8.13.2. The Reference Dependent
8.14. The Association Class IKEAutostartConfiguration
8.14.1. The Reference Antecedent
8.14.2. The Reference Dependent
8.14.3. The Property Active
8.15. The Association Class IKEUsesCredentialManagementService
8.15.1. The Reference Antecedent
8.15.2. The Reference Dependent
8.16. The Association Class EndpointHasLocalIKEIdentity
8.16.1. The Reference Antecedent
8.16.2. The Reference Dependent
8.17. The Association Class CollectionHasLocalIKEIdentity
8.17.1. The Reference Antecedent
8.17.2. The Reference Dependent
8.18. The Association Class IKEIdentitysCredential
8.18.1. The Reference Antecedent
8.18.2. The Reference Dependent
9. Implementation Requirements
10. Security Considerations
11. Intellectual Property
12. Acknowledgments
13. References
14. Disclaimer

Changes to the table of contents between draft-04 and draft-05 (the
draft-04 column on this page ends at section 8.18, so later draft-04
entries are not shown):

   o Sections 4.6 (IPsecPolicyForEndpoint) and 4.7 (IPsecPolicyForSystem)
     of draft-04, each with its Antecedent and Dependent references,
     become 4.5 and 4.6. Draft-04 had no section numbered 4.5.

   o The two aggregation classes 4.8 RuleForIKENegotiation and 4.9
     RuleForIPsecNegotiation (each with Priority, GroupComponent and
     PartComponent) are replaced by the single aggregation class 4.7
     SARuleInPolicyGroup with the same three subsections. 4.10
     SAConditionInRule and 4.11 PolicyActionInSARule become 4.8 and
     4.9.

   o 5.2 The Class IPHeaderFilter is renamed IPHeadersFilter.

   o 6.10.3 RefreshThresholdSeconds and 6.10.4 RefreshThresholdKilobytes
     are removed from IKENegotiationAction; 6.10.5 IdleDurationSeconds
     becomes 6.10.3.

   o 6.14.1 RefreshThresholdDerivedKeys is removed from IKEAction;
     ExchangeMode, UseIKEIdentityType, VendorID and
     AggressiveModeGroupId move from 6.14.2-6.14.5 to 6.14.1-6.14.4.

   o 7.2.1 LifetimeDerivedKeys is removed from IKEProposal; the
     remaining properties move from 7.2.2-7.2.9 to 7.2.1-7.2.8.

   o All other entries are unchanged apart from page numbers.
8.18.1. The Reference Antecedent..................................75 15. Authors' Addresses............................................72
8.18.2. The Reference Dependent...................................75 16. Full Copyright Statement......................................72
9. Implementation Requirements....................................75
10. Security Considerations.......................................79
11. Intellectual Property.........................................80
12. Acknowledgments...............................................80
13. References....................................................80
14. Disclaimer....................................................81
15. Authors' Addresses............................................82
16. Full Copyright Statement......................................82
1. Introduction

IP security (IPsec) policy may assume a variety of forms as it
travels from storage to distribution point to decision point. At
each step, it needs to be represented in a way that is convenient for
the current task. For example, the policy could exist as, but is not
limited to:

o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
  a directory
o an on-the-wire representation over a transport protocol like the
  Common Object Policy Service (COPS) [COPS, COPSPR]
o a text-based policy specification language suitable for editing
  by an administrator
o an Extensible Markup Language (XML) document

Each of these task-specific representations should be derived from a
canonical representation that precisely specifies the content and
semantics of the IPsec policy. This document captures this concept
and introduces a task-independent canonical representation for IPsec
policies.

In order to have a simple information model, this document focuses
mainly on the existing protocols [COMP, ESP, AH, DOI, IKE]. The
model can easily be extended if needed due to its object-oriented
nature.

This document is organized as follows:

o Section 2 provides a quick introduction to the Unified Modeling
  Language (UML) graphical notation conventions used in this
  document.
o Section 3 provides the inheritance hierarchy that describes
  where the IPsec policy classes fit into the policy class
  hierarchy already defined by the Policy Core Information Model
[... skipping to page 6, line 61 ...]
document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

For this document, a UML static class diagram was chosen as the
canonical representation for the IPsec policy model. The reason
behind this decision is that UML provides a graphical, task-
independent way to model systems. A treatise on the graphical
notation used in UML is beyond the scope of this paper. However,
given the use of ASCII drawing for UML static class diagrams, a
description of the notational conventions used in this document is in
order:

o Boxes represent classes, with class names in brackets ([])
  representing an abstract class.
o A line that terminates with an arrow (<, >, ^, v) denotes
  inheritance. The arrow always points to the parent class.
  Inheritance can also be called generalization or specialization
  (depending upon the reference point). A base class is a
  generalization of a derived class, and a derived class is a
  specialization of a base class.
o Associations are used to model a relationship between two
  classes. Classes that share an association are connected using
  a line. A special kind of association is also used: an
  aggregation. An aggregation models a whole-part relationship

[... skipping to page 7, line 46 ...]

It should be noted that the UML static class diagram presented is a
conceptual view of IPsec policy designed to aid in understanding.
It does not necessarily get translated class for class into another
representation. For example, an LDAP implementation may flatten out
the representation to fewer classes (because of the inefficiency of
following references).
3. IPsec Policy Model Inheritance Hierarchy

Like PCIM and PCIMe from which it is derived, the IPsec Configuration
Policy Model derives from and uses classes defined in the DMTF [DMTF]
Common Information Model (CIM). The following tree represents the
inheritance hierarchy for the IPsec policy model classes and how they
fit into PCIM, PCIMe and the other DMTF models (see Appendices for
descriptions of classes that are not being introduced as part of the
IPsec model). CIM classes that are not used as a superclass from
which to derive new classes but are only referenced are not included
in this inheritance hierarchy, but can be found in the appropriate
DMTF document [CIMCORE], [CIMUSER] or [CIMNETWORK].

ManagedElement (DMTF Core Model - [CIMCORE])
   |
   +--Collection (DMTF Core Model - [CIMCORE])
   |  |
   |  +--PeerIdentityTable
   |
   +--ManagedSystemElement (DMTF Core Model - [CIMCORE])
   |  |
   |  +--LogicalElement (DMTF Core Model - [CIMCORE])
   |     |
   |     +--FilterEntryBase (DMTF Network Model - [CIMNETWORK])
   |     |  |
   |     |  +--CredentialFilterEntry
   |     |  |
   |     |  +--IPHeadersFilter (PCIMe)
   |     |  |
   |     |  +--IPSOFilterEntry
   |     |  |
   |     |  +--PeerIDPayloadFilterEntry
   |     |
   |     +--PeerGateway
   |     |
   |     +--PeerIdentityEntry
   |     |
   |     +--Service (DMTF Core Model - [CIMCORE])

[... skipping to page 10, line 64 ...]

   |  +--PolicyActionInSARule
   |
   +--PolicyConditionStructure (PCIMe)
   |  |
   |  +--PolicyConditionInPolicyRule (PCIM & PCIMe)
   |     |
   |     +--SAConditionInRule
   |
   +--PolicySetComponent (PCIMe)
      |
      +--SARuleInPolicyGroup

SystemSettingContext (DMTF Core Model - [CIMCORE])
   |
   +--AutostartIKESettingContext
4. Policy Classes

The IPsec policy classes represent the set of policies that are
contained on a system.

[Figure: UML static class diagram of the policy classes; the ASCII
drawing is not recoverable from this rendering. It shows
IPsecPolicyGroup, derived from PolicyGroup ([PCIM]), associated with
IPProtocolEndpoint ([CIMNETWORK]) and with System ([CIMCORE]) and
aggregating SARule; SARule aggregates SACondition and PolicyAction
([PCIM]) and is associated with PolicyTimePeriodCondition ([PCIM]);
IKERule and IPsecRule derive from SARule; CompoundPolicyAction
([PCIMe]), derived from PolicyAction, aggregates PolicyActions. The
labeled associations are:]

(a) PolicySetComponent ([PCIMe])
(b) IPsecPolicyForEndpoint
(c) IPsecPolicyForSystem
(d) SARuleInPolicyGroup
(e) PolicyRuleValidityPeriod ([PCIM])
(f) SAConditionInRule
(g) PolicyActionInSARule
(h) PolicyActionInPolicyAction ([PCIMe])
An IPsecPolicyGroup represents the set of policies that are used on
an interface. This IPsecPolicyGroup SHOULD be associated either
directly with the IPProtocolEndpoint class instance that represents
the interface (via the IPsecPolicyForEndpoint association) or
indirectly, via the IPsecPolicyForSystem association, with the System
that hosts the interface.

The IKE and IPsec rules are used to build or to negotiate the IPsec
SADB. The IPsec rules represent the Security Policy Database. The
SADB itself is not modeled by this document.

The usage of the IKE and IPsec rules can be described as follows
(see also section 6 about actions):

o An egress unprotected packet will first be checked against the
  IPsec rules. If a match is found, the SADB will be checked. If
  there is no corresponding IPsec SA in the SADB and if IKE
  negotiation is required by the IPsec rule, the corresponding IKE
  rules will be used. The negotiated or preconfigured SA will then
  be installed in the SADB.
o An ingress unprotected packet will first be checked against the
  IPsec rules. If a match is found, the SADB will be checked for a
  corresponding IPsec SA. If there is no corresponding IPsec SA
  and a preconfigured SA exists, this preconfigured SA will be
  installed in the IPsec SADB. This behavior should only apply to
  bypass and discard actions.
o An ingress protected packet will first be checked against the
  IPsec rules. If a match is found, the SADB will be checked for a
  corresponding IPsec SA. If there is no corresponding IPsec SA
  and a preconfigured SA exists, this preconfigured SA will be
  installed in the IPsec SADB.
o An ingress IKE negotiation packet, which is not part of an
  existing IKE SA, will be checked against the IKE rules. The
  SACondition for the IKERule will usually be composed of a
  PeerIDPayloadFilterEntry (typically for an aggressive mode IKE
  negotiation) or an IPHeadersFilter. The negotiated SA will then
  be installed in the SADB.

When an IKE negotiation has to be initiated because an IPsec rule
requires it, the set of IKE rules is checked. The IKE rules are
matched against the outgoing IKE packet using IPHeadersFilter entries
(typically the HdrDstAddress property).
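The rule processing described above, as an added Python illustration
(example code written for this page, not code from the draft or from
any IPsec implementation): an IPsecPolicyGroup whose IPsec and IKE
rules are evaluated FirstMatching by PolicySetComponent.Priority, an
SADB lookup, and selection of the IKE rule by the destination of the
outgoing IKE packet. Assumed for the example: a larger Priority takes
precedence (the PCIMe convention), the SACondition is an
IPHeadersFilter reduced to address prefixes and protocol, the SADB is
keyed by (src, dst, proto) and an installed SA covers both directions.
The rules, addresses and packets are constructed; dropping cleartext
that the policy says must be protected is this example's choice, not
something the draft states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    protected: bool = False        # True when the packet arrived inside AH/ESP


@dataclass
class IPHeadersFilter:
    """SACondition reduced to a PCIMe IPHeadersFilter: prefixes and protocol."""
    hdr_src: str = "0.0.0.0/0"
    hdr_dst: str = "0.0.0.0/0"
    hdr_proto: Optional[str] = None    # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.hdr_src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.hdr_dst)
                and self.hdr_proto in (None, pkt.proto))


@dataclass
class IPsecRule:
    name: str
    priority: int                       # PolicySetComponent.Priority
    condition: IPHeadersFilter
    action: str                         # "bypass", "discard" or "ipsec"
    peer_gateway: Optional[str] = None  # PeerGateway address for "ipsec"
    preconfigured_sa: bool = False      # manually keyed SA, no IKE needed


@dataclass
class IKERule:
    name: str
    priority: int
    condition: IPHeadersFilter          # matched against the outgoing IKE packet


class SADB:
    """Minimal SA database keyed by (src, dst, proto). The draft does not model
    it; here an installed SA covers both directions, as a phase 2 exchange
    yields an SA pair."""

    def __init__(self):
        self.sas = {}

    def lookup(self, pkt: Packet):
        return self.sas.get((pkt.src, pkt.dst, pkt.proto))

    def install(self, pkt: Packet, origin: str) -> str:
        self.sas[(pkt.src, pkt.dst, pkt.proto)] = origin
        self.sas[(pkt.dst, pkt.src, pkt.proto)] = origin
        return origin


def first_matching(rules, pkt: Packet):
    """PolicyDecisionStrategy = FirstMatching; a larger Priority wins (PCIMe)."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.condition.matches(pkt):
            return rule
    return None


class IPsecPolicyGroup:
    def __init__(self, ipsec_rules: List[IPsecRule], ike_rules: List[IKERule]):
        all_rules = ipsec_rules + ike_rules
        if len({r.priority for r in all_rules}) != len(all_rules):
            raise ValueError("every SARule in a group needs a unique Priority")
        self.ipsec_rules, self.ike_rules = ipsec_rules, ike_rules


def process_egress(group, sadb, pkt: Packet, local_ike_addr: str) -> str:
    """Egress unprotected packet: IPsec rules, then the SADB, then IKE rules."""
    rule = first_matching(group.ipsec_rules, pkt)
    if rule is None:
        return "no-rule"
    if rule.action != "ipsec":
        return rule.action                       # bypass or discard
    if sadb.lookup(pkt) is not None:
        return "protect(existing SA)"
    if rule.preconfigured_sa:
        return "protect(%s)" % sadb.install(pkt, "manual SA")
    # No SA and IKE is required: select the IKE rule with the outgoing IKE
    # packet, UDP from the local IKE address to the PeerGateway, so the IKE
    # rule's HdrDstAddress is what decides.
    ike_rule = first_matching(group.ike_rules, Packet(local_ike_addr, rule.peer_gateway, "udp"))
    if ike_rule is None:
        return "drop(no IKE rule for %s)" % rule.peer_gateway
    return "protect(%s)" % sadb.install(pkt, "SA negotiated under " + ike_rule.name)


def process_ingress(group, sadb, pkt: Packet) -> str:
    """Ingress packet, protected or not: IPsec rules first, then the SADB."""
    rule = first_matching(group.ipsec_rules, pkt)
    if rule is None:
        return "no-rule"
    if not pkt.protected:
        # Only bypass and discard apply to cleartext; cleartext that policy
        # says must be protected is dropped (this example's choice).
        return rule.action if rule.action != "ipsec" else "discard(unprotected)"
    sa = sadb.lookup(pkt)
    if sa is None and rule.preconfigured_sa:
        sa = sadb.install(pkt, "manual SA")
    return "accept(%s)" % sa if sa else "discard(no SA)"


def build_example():
    """Constructed policy for a host in 10.0.0.0/24 reaching a branch network
    behind the gateway 192.0.2.1 (documentation address ranges)."""
    group = IPsecPolicyGroup(
        ipsec_rules=[
            IPsecRule("dns-bypass", 40, IPHeadersFilter(hdr_dst="10.0.0.53/32", hdr_proto="udp"), "bypass"),
            IPsecRule("to-branch", 30, IPHeadersFilter("10.0.0.0/24", "10.1.0.0/24"), "ipsec", peer_gateway="192.0.2.1"),
            IPsecRule("from-branch", 20, IPHeadersFilter("10.1.0.0/24", "10.0.0.0/24"), "ipsec", peer_gateway="192.0.2.1"),
            IPsecRule("default-discard", 10, IPHeadersFilter(), "discard"),
        ],
        ike_rules=[IKERule("ike-branch-gw", 5, IPHeadersFilter(hdr_dst="192.0.2.1/32", hdr_proto="udp"))],
    )
    return group, SADB()
```

The first egress packet to the branch triggers the IKE rule lookup and
installs the SA pair; the second finds the SA in the SADB, and the
protected reply from the branch is accepted against the same entry.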
4.1. The Class IPsecPolicyGroup

The class IPsecPolicyGroup serves as a container of either other
IPsecPolicyGroups or a set of SARules. The class definition for
IPsecPolicyGroup is as follows:

NAME          IPsecPolicyGroup
DESCRIPTION   Either a set of IPsecPolicyGroups or a set of SARules.
DERIVED FROM  PolicyGroup (see [PCIM] & [PCIMe])
ABSTRACT      FALSE
PROPERTIES    PolicyGroupName (from PolicyGroup)
              PolicyDecisionStrategy (from PolicySet)

NOTE: for derivations of the schema that are used for policy
distribution to an IPsec device (for example, COPS-PR), the server
may follow all of the PolicySetComponent associations and create one
policy group which is simply a set of all of the IKE rules and a set
of all of the IPsec rules. See the section on the PolicySetComponent
aggregation for information on merging multiple IPsecPolicyGroups.
4.2. The Class SARule

The class SARule serves as a base class for IKERule and IPsecRule.
Even though the class is concrete, it MUST NOT be instantiated. It
defines a common connection point for associations to conditions and
actions for both types of rules. Through its derivation from
PolicyRule, a SARule (and therefore IKERule and IPsecRule) also has
the PolicyRuleValidityPeriod association.

Each valid IPsecPolicyGroup MUST contain SARules that each have a
unique associated priority number in PolicySetComponent.Priority.

The class definition for SARule is as follows:

NAME          SARule
DESCRIPTION   A base class for IKERule and IPsecRule.
DERIVED FROM  PolicyRule (see [PCIM] & [PCIMe])
ABSTRACT      FALSE
PROPERTIES    PolicyRuleName (from PolicyRule)
              Enabled (from PolicyRule)
              ConditionListType (from PolicyRule)

[... skipping to page 14, line 51 ...]

In SARule subclass instances:

- if the property Mandatory exists, it MUST be set to "true"
- if the property SequencedActions exists, it MUST be set to
  "mandatory"
- the property PolicyRoles is not used in the device-level model
- if the property PolicyDecisionStrategy exists, it must be set to
  "FirstMatching"
4.2.2 The Property ExecutionStrategy

The ExecutionStrategy properties in the PolicyRule subclasses (and in
the CompoundPolicyAction class) determine the behavior of the
contained actions. It defines the strategy to be used in executing
the sequenced actions aggregated by a rule or a compound action. In
the case of actions within a rule, the PolicyActionInSARule
aggregation is used to collect the actions into an ordered set; in
the case of a compound action, the PolicyActionInPolicyAction
aggregation is used to collect the actions into an ordered subset.
There are three execution strategies: do until success, do all and do
until failure.

"Do Until Success" causes the execution of actions according to the
ActionOrder property in the aggregation instances until a successful
execution of a single action. These actions may be evaluated to
determine if they are appropriate to execute rather than blindly
trying each of the actions until one succeeds. For an initiator,
they are tried in the ActionOrder until the list is exhausted or one
completes successfully. For example, an IKE initiator may have
several IKEActions for the same SACondition. The initiator will try
all IKEActions in the order defined by ActionOrder. I.e. it will

[... skipping to page 15, line 26 ...]

example, the same IKERule may be used to handle aggressive mode and
main mode negotiations with different actions. The responder uses
the first appropriate action in the list of actions.

"Do All" causes the execution of all of the actions in the aggregated
set according to their defined order. The execution continues
regardless of failures.

"Do Until Failure" causes the execution of all actions according to
the predefined order until the first failure in execution of an
action instance. Please note that if all actions are successful then
the aggregated result is a failure. This execution strategy is
inherited from [PCIMe] and is not expected to be of any use for IPsec
configuration.
For example, in a nested SAs case the actions of an initiator's rule
might be structured as:

   IPsecRule.ExecutionStrategy='Do All'
     |
     +---1--- IPsecTunnelAction      // set up SA from host to gateway
     |
     +---2--- IPsecTransportAction   // set up SA from host through
                                     // tunnel to remote host

[... skipping to page 16, line 12 ...]

     |   +---1--- IPsecTunnelAction  // set up SA from host to
     |   |                           // gateway1
     |   |
     |   +---2--- IPsecTunnelAction  // or set up SA to gateway2
     |
     +---2--- IPsecTransportAction   // then set up SA from host
                                     // through tunnel to remote
                                     // host

In the case of "Do All", a couple of actions can be executed
successfully before a subsequent action fails. In this case, some IKE
or IPsec actions may have resulted in SA creation. Even if the net
effect of the aggregated actions is failure, those created SAs MAY be
kept or MAY be deleted.

In the case of "Do All", the IPsec selectors to be used during IPsec
SA negotiation are:

- for the last IPsecAction of the aggregation (i.e. usually the
  innermost IPsec SA): the combination of the IPHeadersFilter class
  and of the Granularity property of the IPsecAction;
- for all other IPsecActions of the aggregation: the source IP
  address is the local IP address and the destination IP address is
  the PeerGateway IP address of the following IPsecAction of the
  "Do All" aggregation. NB: the granularity is IP address to IP
  address.

If the above behavior is not desirable, the alternative is to define
several SARules, one for each IPsec SA to be built. This will allow
the definition of specific IPsec selectors for all IPsecActions.
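The three execution strategies, including a CompoundPolicyAction
nested inside an SARule as in the second example above, as an added
Python illustration (example code written for this page, not code
from the draft): actions are (ActionOrder, action) pairs, each leaf
action stands in for an IKE or IPsec negotiation by returning success
or failure, and the engine records which SAs got created so that the
"kept or deleted" choice after a failed "Do All" can be shown. The
aggregated result of "Do Until Failure" follows the draft's statement
that all actions succeeding counts as a failure; treating a stop at
the first failure as success is this example's reading. The names
Engine, run_rule, always and nested_example are the example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple, Union

DO_UNTIL_SUCCESS, DO_ALL, DO_UNTIL_FAILURE = "DoUntilSuccess", "DoAll", "DoUntilFailure"


@dataclass
class Action:
    """A leaf IKEAction or IPsecAction; run() returns True when it succeeds."""
    name: str
    run: Callable[[], bool]


@dataclass
class CompoundAction:
    """CompoundPolicyAction: an ordered subset with its own ExecutionStrategy."""
    name: str
    strategy: str
    actions: List[Tuple[int, Union[Action, "CompoundAction"]]]   # (ActionOrder, action)


@dataclass
class Engine:
    installed: List[str] = field(default_factory=list)          # SAs created so far
    trace: List[Tuple[str, bool]] = field(default_factory=list)  # (action, outcome)

    def run_leaf(self, action: Action) -> bool:
        ok = action.run()
        self.trace.append((action.name, ok))
        if ok:
            self.installed.append(action.name)
        return ok

    def execute(self, strategy: str, ordered) -> bool:
        """Run (ActionOrder, action) pairs in order under the strategy and
        return the aggregated result as section 4.2.2 describes it."""
        outcomes = []
        for _, action in sorted(ordered, key=lambda pair: pair[0]):
            if isinstance(action, CompoundAction):
                ok = self.execute(action.strategy, action.actions)
            else:
                ok = self.run_leaf(action)
            outcomes.append(ok)
            if strategy == DO_UNTIL_SUCCESS and ok:
                return True             # first success ends the list
            if strategy == DO_UNTIL_FAILURE and not ok:
                return True             # stopped at the first failure
        if strategy == DO_UNTIL_SUCCESS:
            return False                # list exhausted, nothing succeeded
        if strategy == DO_ALL:
            return all(outcomes)        # ran everything; any failure is a net failure
        return False                    # Do Until Failure with every action
                                        # successful counts as a failure (draft text)


def run_rule(strategy: str, ordered, keep_partial_sas: bool = True):
    """Execute an SARule's actions. After a failed "Do All" the SAs already
    created MAY be kept or deleted; keep_partial_sas selects one reading."""
    eng = Engine()
    ok = eng.execute(strategy, ordered)
    if not ok and strategy == DO_ALL and not keep_partial_sas:
        eng.installed.clear()
    return ok, eng.installed, eng.trace


def always(result: bool) -> Callable[[], bool]:
    return lambda: result


def nested_example(gateway1_up: bool, transport_up: bool = True):
    """The draft's second example: a tunnel SA to gateway1, or failing that
    to gateway2, then the transport SA to the remote host through it."""
    tunnel = CompoundAction("tunnel", DO_UNTIL_SUCCESS, [
        (1, Action("IPsecTunnelAction(gateway1)", always(gateway1_up))),
        (2, Action("IPsecTunnelAction(gateway2)", always(True))),
    ])
    transport = Action("IPsecTransportAction(remote host)", always(transport_up))
    return [(1, tunnel), (2, transport)]
```

With gateway1 down, the inner "Do Until Success" falls through to
gateway2 and the outer "Do All" still completes; with the transport
action failing instead, the tunnel SA is what survives or is torn
down depending on keep_partial_sas.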
4.2.3 The Property LimitNegotiation 4.2.3 The Property LimitNegotiation
The property LimitNegotiation is used as part of processing either
an IKE or an IPsec rule. The property LimitNegotiation is used as part of processing either an
IKE or an IPsec rule.
Before proceeding with a phase 1 negotiation, this property is Before proceeding with a phase 1 negotiation, this property is
checked to determine if the negotiation role of the rule matches checked to determine if the negotiation role of the rule matches that
that defined for the negotiation being undertaken (e.g., Initiator, defined for the negotiation being undertaken (e.g., Initiator,
Responder, or Both). If this check fails (e.g. the current role is Responder, or Both). If this check fails (e.g. the current role is
IKE responder while the rule specifies IKE initiator), then the IKE IKE responder while the rule specifies IKE initiator), then the IKE
negotiation is stopped. Note that this only applies to new IKE phase negotiation is stopped. Note that this only applies to new IKE phase
1 negotiations and has no effect on either renegotiation or refresh 1 negotiations and has no effect on either renegotiation or refresh
operations with peers for which an established SA already exists. operations with peers for which an established SA already exists.
Before proceeding with a phase 2 negotiation, the LimitNegotiation Before proceeding with a phase 2 negotiation, the LimitNegotiation
property of the IPsecRule is first checked to determine if the property of the IPsecRule is first checked to determine if the
negotiation role indicated for the rule matches that of the current negotiation role indicated for the rule matches that of the current
negotiation (Initiator, Responder, or Either). Note that this limit negotiation (Initiator, Responder, or Either). Note that this limit
applies only to new phase 2 negotiations. It is ignored when an applies only to new phase 2 negotiations. It is ignored when an
attempt is made to refresh an expiring SA (either side can initiate attempt is made to refresh an expiring SA (either side can initiate a
a refresh operation). The IKE system can determine that the refresh operation). The IKE system can determine that the
negotiation is a refresh operation by checking to see if the negotiation is a refresh operation by checking to see if the selector
selector information matches that of an existing SA. If information matches that of an existing SA. If LimitNegotiation does
LimitNegotiation does not match and the selector corresponds to a not match and the selector corresponds to a new SA, the negotiation
new SA, the negotiation is stopped. is stopped.
The property is defined as follows: The property is defined as follows:
NAME LimitNegotiation NAME LimitNegotiation
DESCRIPTION Limits the role to be undertaken during negotiation. DESCRIPTION Limits the role to be undertaken during negotiation.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - initiator-only VALUE 1 - initiator-only
2 - responder-only 2 - responder-only
3 - both 3 - both
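The LimitNegotiation checks described above, as an added worked example that is not part of this draft or any implementation of it. The Selector type, the role strings and the function names are constructed for illustration; a real IKE implementation would take the selector information from its SPD and SAD.

```python
from dataclasses import dataclass

# LimitNegotiation values exactly as defined for the property on this page.
INITIATOR_ONLY, RESPONDER_ONLY, BOTH = 1, 2, 3


@dataclass(frozen=True)
class Selector:
    """Constructed stand-in for phase 2 selector information (addresses and
    protocol). A real implementation would use the SPD selector fields."""
    local: str
    remote: str
    protocol: int


def role_permitted(limit_negotiation: int, current_role: str) -> bool:
    """Does the rule's LimitNegotiation allow the role of the current
    negotiation? current_role is 'initiator' or 'responder'."""
    if current_role not in ("initiator", "responder"):
        raise ValueError(f"unknown role {current_role!r}")
    if limit_negotiation == BOTH:
        return True
    if limit_negotiation == INITIATOR_ONLY:
        return current_role == "initiator"
    if limit_negotiation == RESPONDER_ONLY:
        return current_role == "responder"
    raise ValueError(f"invalid LimitNegotiation value {limit_negotiation}")


def phase1_may_proceed(limit_negotiation: int, current_role: str,
                       peer_has_established_sa: bool) -> bool:
    """Phase 1: the limit applies only to new negotiations. Renegotiation or
    refresh with a peer that already has an established SA is unaffected."""
    if peer_has_established_sa:
        return True
    return role_permitted(limit_negotiation, current_role)


def phase2_may_proceed(limit_negotiation: int, current_role: str,
                       selector: Selector, established: set) -> bool:
    """Phase 2: a negotiation whose selector matches an existing SA is a
    refresh and is exempt from the limit; a new SA is subject to it, and the
    negotiation is stopped when the role does not match."""
    if selector in established:          # refresh of an expiring SA
        return True
    return role_permitted(limit_negotiation, current_role)
```

The refresh test is deliberately a plain set membership on the selector, mirroring the draft's "selector information matches that of an existing SA"; an implementation would compare against the SAD entries for that peer.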
skipping to change at page 18, line 54 skipping to change at page 17, line 25
negotiations. negotiations.
DERIVED FROM SARule DERIVED FROM SARule
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES same as SARule, plus PROPERTIES same as SARule, plus
IdentityContexts IdentityContexts
4.3.1. The Property IdentityContexts 4.3.1. The Property IdentityContexts
The IKE service of a security endpoint may have multiple identities The IKE service of a security endpoint may have multiple identities
for use in different situations. The combination of the interface for use in different situations. The combination of the interface
(represented by the IPProtocolEndpoint), the identity type (as (represented by the IPProtocolEndpoint or by a collection of
specified in the IKEAction) and the IdentityContexts specifies a IPProtocolEndpoints), the identity type (as specified in the
unique identity. IKEAction) and the IdentityContexts specifies a unique identity.
The IdentityContexts property specifies the context to select the The IdentityContexts property specifies the context to select the
relevant IKE identity to be used during the further IKEAction. A relevant IKE identity to be used during the further IKEAction. A
context may be a VPN name or other identifier for selecting the context may be a VPN name or other identifier for selecting the
appropriate identity for use on the protected IPProtocolEndpoint. appropriate identity for use on the protected IPProtocolEndpoint (or
collection of IPProtocolEndpoints).
IdentityContexts is an array of strings. The multiple values in the IdentityContexts is an array of strings. The multiple values in the
array are ORed together in evaluating the IdentityContexts. Each array are logically OR'd together in evaluating the IdentityContexts.
value in the array may be the composition of multiple context names. Each value in the array may be the composition of multiple context
So, a single value may be a single context name (e.g., names. So, a single value may be a single context name (e.g.,
"CompanyXVPN") or it may be a combination of contexts. When an array "CompanyXVPN") or it may be a combination of contexts. When an array
value is a composition, the individual values are ANDed together for value is a composition, the individual values are logically AND'd
evaluation purposes and the syntax is: together for evaluation purposes and the syntax is:
<ContextName>[&&<ContextName>]* <ContextName>[&&<ContextName>]*
where the individual context names appear in alphabetical order where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). So, for example, (according to the collating sequence for UCS-2). So, for example,
the values "CompanyXVPN", "CompanyYVPN&&TopSecret", the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
"CompanyZVPN&&Confidential" means that, for the appropriate "CompanyZVPN&&Confidential" means that, for the appropriate
IPProtocolEndpoint and IdentityType, the contexts are matched if the IPProtocolEndpoint and IdentityType, the contexts are matched if the
identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
"CompanyZVPN&&Confidential". "CompanyZVPN&&Confidential".
The property is defined as follows: The property is defined as follows:
NAME IdentityContexts NAME IdentityContexts
DESCRIPTION Specifies the context in which to select the IKE DESCRIPTION Specifies the context in which to select the IKE
identity. identity.
SYNTAX string array SYNTAX string array
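The IdentityContexts evaluation rules above (elements ORed, "&&"-joined names ANDed, names in UCS-2 collating order), as an added example that is not part of this draft. The representation of an identity's contexts as a set of strings is an assumption made for the example; the draft only says what the property means.

```python
def parse_context_value(value: str) -> frozenset:
    """Split one IdentityContexts array element into its ANDed context
    names, checking the <ContextName>[&&<ContextName>]* syntax and the
    required alphabetical order. Python compares str by code point, which
    equals the UCS-2 collating sequence for characters in the BMP."""
    names = value.split("&&")
    if any(n == "" for n in names):
        raise ValueError(f"empty context name in {value!r}")
    if names != sorted(names):
        raise ValueError(f"context names not in collating order: {value!r}")
    return frozenset(names)


def identity_contexts_match(identity_contexts: list, identity_ctx: set) -> bool:
    """True if the identity's contexts satisfy the IdentityContexts array:
    array elements are ORed, and every name inside one element must be
    present (ANDed). identity_ctx is the set of context names an identity
    carries (an assumed representation)."""
    return any(parse_context_value(v) <= identity_ctx for v in identity_contexts)


# The draft's own example values.
EXAMPLE_CONTEXTS = ["CompanyXVPN", "CompanyYVPN&&TopSecret",
                    "CompanyZVPN&&Confidential"]
```

With these values, an identity that carries both "CompanyYVPN" and "TopSecret" matches, while one that carries "CompanyYVPN" alone does not, because the two names inside that element are ANDed.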
4.4. The Class IPsecRule 4.4. The Class IPsecRule
The class IPsecRule associates Conditions and Actions for IKE phase The class IPsecRule associates Conditions and Actions for IKE phase 2
2 negotiations for the IPsec DOI. The class definition for negotiations for the IPsec DOI. The class definition for IPsecRule
IPsecRule is as follows: is as follows:
NAME IPsecRule NAME IPsecRule
DESCRIPTION Associates Conditions and Actions for IKE phase 2 DESCRIPTION Associates Conditions and Actions for IKE phase 2
negotiations for the IPsec DOI. negotiations for the IPsec DOI.
DERIVED FROM SARule DERIVED FROM SARule
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES same as SARule PROPERTIES same as SARule
4.6. The Association Class IPsecPolicyForEndpoint 4.5. The Association Class IPsecPolicyForEndpoint
The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
a specific network interface. If an IPProtocolEndpoint of a system a specific network interface. If an IPProtocolEndpoint of a system
does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
then the IPsecPolicyForSystem associated IPsecPolicyGroup is used then the IPsecPolicyForSystem associated IPsecPolicyGroup is used for
for that endpoint. The class definition for IPsecPolicyForEndpoint that endpoint. The class definition for IPsecPolicyForEndpoint is as
is as follows: follows:
NAME IPsecPolicyForEndpoint NAME IPsecPolicyForEndpoint
DESCRIPTION Associates a policy group to a network interface. DESCRIPTION Associates a policy group to a network interface.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]] PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]]
Dependent[ref IPsecPolicyGroup[0..1]] Dependent[ref IPsecPolicyGroup[0..1]]
4.6.1. The Reference Antecedent 4.5.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to an IPProtocolEndpoint instance. The [0..n] overridden to refer to an IPProtocolEndpoint instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may be cardinality indicates that an IPsecPolicyGroup instance may be
associated with zero or more IPProtocolEndpoint instances. associated with zero or more IPProtocolEndpoint instances.
4.6.2. The Reference Dependent 4.5.2. The Reference Dependent
The property Dependent is inherited from Dependency and is The property Dependent is inherited from Dependency and is overridden
overridden to refer to an IPsecPolicyGroup instance. The [0..1] to refer to an IPsecPolicyGroup instance. The [0..1] cardinality
cardinality indicates that an IPProtocolEndpoint instance may have indicates that an IPProtocolEndpoint instance may have an association
an association to at most one IPsecPolicyGroup instance. to at most one IPsecPolicyGroup instance.
4.7. The Association Class IPsecPolicyForSystem 4.6. The Association Class IPsecPolicyForSystem
The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a
specific system. If an IPProtocolEndpoint of a system does not have specific system. If an IPProtocolEndpoint of a system does not have
an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
IPsecPolicyForSystem associated IPsecPolicyGroup is used for that IPsecPolicyForSystem associated IPsecPolicyGroup is used for that
endpoint. The class definition for IPsecPolicyForSystem is as endpoint. The class definition for IPsecPolicyForSystem is as
follows: follows:
NAME IPsecPolicyForSystem NAME IPsecPolicyForSystem
DESCRIPTION Default policy group for a system. DESCRIPTION Default policy group for a system.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref System[0..n]] PROPERTIES Antecedent[ref System[0..n]]
Dependent[ref IPsecPolicyGroup[0..1]] Dependent[ref IPsecPolicyGroup[0..1]]
4.7.1. The Reference Antecedent 4.6.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [0..n] cardinality overridden to refer to a System instance. The [0..n] cardinality
indicates that an IPsecPolicyGroup instance may have an association indicates that an IPsecPolicyGroup instance may have an association
to zero or more System instances. to zero or more System instances.
4.7.2. The Reference Dependent 4.6.2. The Reference Dependent
The property Dependent is inherited from Dependency and is The property Dependent is inherited from Dependency and is overridden
overridden to refer to an IPsecPolicyGroup instance. The [0..1] to refer to an IPsecPolicyGroup instance. The [0..1] cardinality
cardinality indicates that a System instance may have an association indicates that a System instance may have an association to at most
to at most one IPsecPolicyGroup instance. one IPsecPolicyGroup instance.
4.8. The Aggregation Class RuleForIKENegotiation 4.7. The Aggregation Class SARuleInPolicyGroup
The class RuleForIKENegotiation associates an IKERule with the The class SARuleInPolicyGroup associates a SARule with the
IPsecPolicyGroup that contains it. The class definition for IPsecPolicyGroup that contains it. The class definition for
RuleForIKENegotiation is as follows: SARuleInPolicyGroup is as follows:
NAME RuleForIKENegotiation NAME SARuleInPolicyGroup
DESCRIPTION Associates an IKERule with the IPsecPolicyGroup that DESCRIPTION Associates a SARule with the IPsecPolicyGroup that
contains it. contains it.
DERIVED FROM PolicySetComponent (see [PCIME]) DERIVED FROM PolicySetComponent (see [PCIME])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Priority (from PolicySetComponent) PROPERTIES Priority (from PolicySetComponent)
GroupComponent [ref IPsecPolicyGroup [1..1]] GroupComponent [ref IPsecPolicyGroup [1..1]]
PartComponent [ref IKERule [0..n]] PartComponent [ref SARule [0..n]]
4.8.1. The Property Priority
For a description of this property, see [PCIME].
4.8.2. The Reference GroupComponent
The property GroupComponent is inherited from
PolicyRuleInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [1..1] cardinality indicates that an
IKERule instance may be contained in one and only one
IPsecPolicyGroup instance (i.e., IKERules are not shared across
IPsecPolicyGroups).
4.8.3. The Reference PartComponent
The property PartComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IKERule instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may contain
zero or more IKERule instances.
4.9. The Aggregation Class RuleForIPsecNegotiation
The class RuleForIPsecNegotiation associates an IPsecRule with the Note: an implementation can easily partition the set of SARules
IPsecPolicyGroup that contains it. The class definition for aggregated by a SARuleInPolicyGroup instance into one IKERule
RuleForIPsecNegotiation is as follows: instances subset and into one IPsecRule instances subset based on the
class type of the component instances (being either IKERule or
IPsecRule instances).
NAME RuleForIPsecNegotiation 4.7.1. The Property Priority
DESCRIPTION Associates an IPsecRule with the IPsecPolicyGroup that
contains it.
DERIVED FROM PolicySetComponent (see [PCIME])
ABSTRACT FALSE
PROPERTIES Priority (from PolicySetComponent)
GroupComponent [ref IPsecPolicyGroup [1..1]]
PartComponent [ref IPsecRule [0..n]]
4.9.1. The Property Priority
For a description of this property, see [PCIME]. For a description of this property, see [PCIME].
4.9.2. The Reference GroupComponent 4.7.2. The Reference GroupComponent
The property GroupComponent is inherited from The property GroupComponent is inherited from PolicyRuleInPolicyGroup
PolicyRuleInPolicyGroup and is overridden to refer to an and is overridden to refer to an IPsecPolicyGroup instance. The
IPsecPolicyGroup instance. The [1..1] cardinality indicates that an [1..1] cardinality indicates that a SARule instance may be contained
IPsecRule instance may be contained in only one IPsecPolicyGroup in one and only one IPsecPolicyGroup instance (i.e., SARules are not
instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). shared across IPsecPolicyGroups).
4.9.3. The Reference PartComponent 4.7.3. The Reference PartComponent
The property PartComponent is inherited from PolicyRuleInPolicyGroup The property PartComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IPsecRule instance. The [0..n] and is overridden to refer to a SARule instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may contain cardinality indicates that an IPsecPolicyGroup instance may contain
zero or more IPsecRule instances. zero or more SARule instances.
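The policy group selection of sections 4.5 and 4.6 (an endpoint's IPsecPolicyForEndpoint group, else the system's IPsecPolicyForSystem group) and the partition of a group's SARules into IKERule and IPsecRule subsets noted under SARuleInPolicyGroup, as an added example that is not part of this draft. The class names follow the draft; the Python field names and the ordering of rules by descending Priority (PCIMe's convention that larger values take precedence, not restated on this page) are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SARule:
    name: str
    priority: int                  # Priority carried by SARuleInPolicyGroup


class IKERule(SARule):             # phase 1 rules
    pass


class IPsecRule(SARule):           # phase 2 rules
    pass


@dataclass
class IPsecPolicyGroup:
    name: str
    rules: list = field(default_factory=list)   # SARuleInPolicyGroup parts


@dataclass
class IPProtocolEndpoint:
    name: str
    policy_group: Optional[IPsecPolicyGroup] = None   # IPsecPolicyForEndpoint [0..1]


@dataclass
class System:
    name: str
    endpoints: list
    policy_group: Optional[IPsecPolicyGroup] = None   # IPsecPolicyForSystem [0..1]


def effective_policy_group(system: System,
                           endpoint: IPProtocolEndpoint) -> Optional[IPsecPolicyGroup]:
    """The endpoint's own group wins; otherwise the system default applies.
    Returns None when neither association exists."""
    if endpoint.policy_group is not None:
        return endpoint.policy_group
    return system.policy_group


def partition_rules(group: IPsecPolicyGroup):
    """Split the SARules aggregated by one SARuleInPolicyGroup into the
    IKERule subset and the IPsecRule subset by class type, each ordered by
    Priority (descending; assumed PCIMe convention)."""
    by_prio = lambda r: r.priority
    ike = sorted((r for r in group.rules if isinstance(r, IKERule)), key=by_prio, reverse=True)
    ipsec = sorted((r for r in group.rules if isinstance(r, IPsecRule)), key=by_prio, reverse=True)
    return ike, ipsec
```

Because a SARule is contained in exactly one IPsecPolicyGroup ([1..1] on GroupComponent), partitioning per group never produces a rule that also belongs to another group's subset.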
4.10. The Aggregation Class SAConditionInRule 4.8. The Aggregation Class SAConditionInRule
The class SAConditionInRule associates an SARule with the The class SAConditionInRule associates an SARule with the SACondition
SACondition instance(s) that trigger(s) it. The class definition instance(s) that trigger(s) it. The class definition for
for SAConditionInRule is as follows: SAConditionInRule is as follows:
NAME SAConditionInRule NAME SAConditionInRule
DESCRIPTION Associates an SARule with the SACondition instance(s) DESCRIPTION Associates an SARule with the SACondition instance(s)
that trigger(s) it. that trigger(s) it.
DERIVED FROM PolicyConditionInPolicyRule (see [PCIM] & [PCIMe]) DERIVED FROM PolicyConditionInPolicyRule (see [PCIM] & [PCIMe])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupNumber (from PolicyConditionInPolicyRule) PROPERTIES GroupNumber (from PolicyConditionInPolicyRule)
ConditionNegated (from PolicyConditionInPolicyRule) ConditionNegated (from PolicyConditionInPolicyRule)
GroupComponent [ref SARule [0..n]] GroupComponent [ref SARule [0..n]]
PartComponent [ref SACondition [1..n]] PartComponent [ref SACondition [1..n]]
4.10.1. The Properties GroupNumber and ConditionNegated 4.8.1. The Properties GroupNumber and ConditionNegated
For a description of these properties, see [PCIM]. For a description of these properties, see [PCIM].
4.10.2. The Reference GroupComponent 4.8.2. The Reference GroupComponent
The property GroupComponent is inherited from The property GroupComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an SARule PolicyConditionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SACondition instance. The [0..n] cardinality indicates that an SACondition
instance may be contained in zero or more SARule instances. instance may be contained in zero or more SARule instances.
4.10.3. The Reference PartComponent Note: the 0 cardinality allows SACondition instances to exist
without being contained in a SARule.
4.8.3. The Reference PartComponent
The property PartComponent is inherited from The property PartComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an PolicyConditionInPolicyRule and is overridden to refer to an
SACondition instance. The [1..n] cardinality indicates that an SACondition instance. The [1..n] cardinality indicates that an
SARule instance MUST contain at least one SACondition instance. SARule instance MUST contain at least one SACondition instance.
4.11. The Aggregation Class PolicyActionInSARule 4.9. The Aggregation Class PolicyActionInSARule
The PolicyActionInSARule class associates an SARule with one or more The PolicyActionInSARule class associates an SARule with one or more
PolicyAction instances. In all cases where an SARule is being used, PolicyAction instances. In all cases where an SARule is being used,
the contained actions MUST be either subclasses of SAAction or the contained actions MUST be either subclasses of SAAction or
instances of CompoundPolicyAction. For an IKERule, the contained instances of CompoundPolicyAction. For an IKERule, the contained
actions MUST be related to phase 1 processing, i.e., IKEAction or actions MUST be related to phase 1 processing, i.e., IKEAction or
IKERejectAction. Similarly, for an IPsecRule, contained actions IKERejectAction. Similarly, for an IPsecRule, contained actions MUST
MUST be related to phase 2 or preconfigured SA processing, e.g., be related to phase 2 or preconfigured SA processing, e.g.,
IPsecTransportAction, IPsecBypassAction, etc. The class definition IPsecTransportAction, IPsecBypassAction, etc. The class definition
for PolicyActionInSARule is as follows: for PolicyActionInSARule is as follows:
NAME PolicyActionInSARule NAME PolicyActionInSARule
DESCRIPTION Associates an SARule with its PolicyAction(s). DESCRIPTION Associates an SARule with its PolicyAction(s).
DERIVED FROM PolicyActionInPolicyRule (see [PCIM] & [PCIMe]) DERIVED FROM PolicyActionInPolicyRule (see [PCIM] & [PCIMe])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent [ref SARule [0..n]] PROPERTIES GroupComponent [ref SARule [0..n]]
PartComponent [ref PolicyAction [1..n]] PartComponent [ref PolicyAction [1..n]]
ActionOrder (from PolicyActionInPolicyRule) ActionOrder (from PolicyActionInPolicyRule)
4.11.1. The Reference GroupComponent 4.9.1. The Reference GroupComponent
The property GroupComponent is inherited from The property GroupComponent is inherited from
PolicyActionInPolicyRule and is overridden to refer to an SARule PolicyActionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SAAction instance. The [0..n] cardinality indicates that an SAAction instance
instance may be contained in zero or more SARule instances. may be contained in zero or more SARule instances.
4.11.2. The Reference PartComponent 4.9.2. The Reference PartComponent
The property PartComponent is inherited from The property PartComponent is inherited from PolicyActionInPolicyRule
PolicyActionInPolicyRule and is overridden to refer to an SAAction and is overridden to refer to an SAAction or CompoundPolicyAction
or CompoundPolicyAction instance. The [1..n] cardinality indicates instance. The [1..n] cardinality indicates that an SARule instance
that an SARule instance MUST contain at least one SAAction or MUST contain at least one SAAction or CompoundPolicyAction instance.
CompoundPolicyAction instance.
4.11.3. The Property ActionOrder 4.9.3. The Property ActionOrder
The property ActionOrder is inherited from the superclass The property ActionOrder is inherited from the superclass
PolicyActionInPolicyRule. It specifies the relative position of PolicyActionInPolicyRule. It specifies the relative position of this
this PolicyAction in the sequence of actions associated with a PolicyAction in the sequence of actions associated with a PolicyRule.
PolicyRule. The ActionOrder MUST be unique so as to provide a The ActionOrder MUST be unique so as to provide a deterministic
deterministic order. In addition, the actions in an SARule are order. In addition, the actions in an SARule are executed as
executed as follows. See section 4.2.2 ExecutionStrategy for a follows. See section 4.2.2 ExecutionStrategy for a discussion on the
discussion on the use of the ActionOrder property. use of the ActionOrder property.
The property is defined as follows: The property is defined as follows:
NAME ActionOrder NAME ActionOrder
DESCRIPTION Specifies the order of actions. DESCRIPTION Specifies the order of actions.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Any value between 1 and 2^16-1 inclusive. Lower values VALUE Any value between 1 and 2^16-1 inclusive. Lower values
have higher precedence (i.e., 1 is the highest have higher precedence (i.e., 1 is the highest
precedence). The merging order of two SAActions with precedence). The merging order of two SAActions with
the same precedence is undefined. the same precedence is undefined.
skipping to change at page 24, line 29 skipping to change at page 22, line 29
| +---------------+ | +---------------+
| 1 o | 1 o
|(b) |(c) |(b) |(c)
| * | | * |
| +-----------------+ | +-----------------+
| | FilterEntryBase | | | FilterEntryBase |
| | ([CIMNETWORK]) | | | ([CIMNETWORK]) |
| +-----------------+ | +-----------------+
| ^ | ^
| | | |
| +----------------+ | +-----------------------+ | +-----------------+ | +-----------------------+
| | IPHeaderFilter |----+----| CredentialFilterEntry | | | IPHeadersFilter |----+----| CredentialFilterEntry |
| | ([PCIME]) | | +-----------------------+ | | ([PCIME]) | | +-----------------------+
| +----------------+ | | +-----------------+ |
| | | |
| +-----------------+ | +--------------------------+ | +-----------------+ | +--------------------------+
| | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry | | | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
| +-----------------+ +--------------------------+ | +-----------------+ +--------------------------+
| |
| *+-----------------------------+ | *+-----------------------------+
+------------| CredentialManagementService | +------------| CredentialManagementService |
| ([CIMUSER]) | | ([CIMUSER]) |
+-----------------------------+ +-----------------------------+
skipping to change at page 25, line 24 skipping to change at page 23, line 16
The class definition for SACondition is as follows: The class definition for SACondition is as follows:
NAME SACondition NAME SACondition
DESCRIPTION Defines the preconditions for IKE and IPsec DESCRIPTION Defines the preconditions for IKE and IPsec
negotiations. negotiations.
DERIVED FROM PolicyCondition (see [PCIM]) DERIVED FROM PolicyCondition (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyConditionName (from PolicyCondition) PROPERTIES PolicyConditionName (from PolicyCondition)
5.2. The Class IPHeaderFilter 5.2. The Class IPHeadersFilter
The class IPHeaderFilter is defined in [PCIMe] with the following The class IPHeadersFilter is defined in [PCIMe] with the following
note: note:
1) to specify 5-tuple filters that are to apply symmetrically (i.e., 1) to specify 5-tuple filters that are to apply symmetrically (i.e.,
matches traffic in both directions of the same flow between the matches traffic in both directions of the same flows which is
two peers), the Direction property of the FilterList should be quite typical for SPD entries for ingress and egress traffic),
set to "Mirrored". the Direction property of the FilterList SHOULD be set to
"Mirrored".
5.3. The Class CredentialFilterEntry 5.3. The Class CredentialFilterEntry
The class CredentialFilterEntry defines an equivalence class that The class CredentialFilterEntry defines an equivalence class that
matches credentials of IKE peers. Each CredentialFilterEntry includes matches credentials of IKE peers. Each CredentialFilterEntry includes a
a MatchFieldName that is interpreted according to the MatchFieldName that is interpreted according to the
CredentialManagementService(s) associated with the SACondition CredentialManagementService(s) associated with the SACondition
(AcceptCredentialsFrom). (AcceptCredentialsFrom).
These credentials can be X.509 certificates, Kerberos tickets, or These credentials can be X.509 certificates, Kerberos tickets, or
other types of credentials obtained during the Phase 1 exchange. other types of credentials obtained during the Phase 1 exchange.
Note: this filter entry will probably be checked while the IKE
negotiation takes place. If the check is a failure, then the IKE
negotiation MUST be stopped, and the result of the IKEAction which
triggered this negotiation is a failure.
The class definition for CredentialFilterEntry is as follows: The class definition for CredentialFilterEntry is as follows:
NAME CredentialFilterEntry NAME CredentialFilterEntry
DESCRIPTION Specifies a match filter based on the IKE credentials. DESCRIPTION Specifies a match filter based on the IKE credentials.
DERIVED FROM FilterEntryBase (see [CIMNETWORK]) DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
MatchFieldName MatchFieldName
MatchFieldValue MatchFieldValue
skipping to change at page 26, line 4 skipping to change at page 23, line 56
DESCRIPTION Specifies a match filter based on the IKE credentials. DESCRIPTION Specifies a match filter based on the IKE credentials.
DERIVED FROM FilterEntryBase (see [CIMNETWORK]) DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
MatchFieldName MatchFieldName
MatchFieldValue MatchFieldValue
CredentialType CredentialType
5.3.1. The Property MatchFieldName 5.3.1. The Property MatchFieldName
The property MatchFieldName specifies the sub-part of the credential The property MatchFieldName specifies the sub-part of the credential
to match against MatchFieldValue. The property is defined as to match against MatchFieldValue. The property is defined as
follows: follows:
NAME MatchFieldName NAME MatchFieldName
DESCRIPTION Specifies which sub-part of the credential to match. DESCRIPTION Specifies which sub-part of the credential to match.
SYNTAX string SYNTAX string
VALUE VALUE This is the string representation of an X.509 certificate
attribute, e.g.:
- "serialNumber"
- "signatureAlgorithm"
- "issuerName"
- "subjectName"
- "subjectAltName"
- ...
5.3.2. The Property MatchFieldValue 5.3.2. The Property MatchFieldValue
The property MatchFieldValue specifies the value to compare with the The property MatchFieldValue specifies the value to compare with the
MatchFieldName in a credential to determine if the credential MatchFieldName in a credential to determine if the credential matches
matches this filter entry. The property is defined as follows: this filter entry. The property is defined as follows:
NAME MatchFieldValue NAME MatchFieldValue
DESCRIPTION Specifies the value to be matched by the DESCRIPTION Specifies the value to be matched by the MatchFieldName.
MatchFieldName.
SYNTAX string SYNTAX string
VALUE NB: If the CredentialFilterEntry corresponds to a VALUE NB: If the CredentialFilterEntry corresponds to a
DistinguishedName, this value in the CIM class is DistinguishedName, this value in the CIM class is
represented by an ordinary string value. However, an represented by an ordinary string value. However, an
implementation must convert this string to a DER- implementation must convert this string to a DER-encoded
encoded string before matching against the values string before matching against the values extracted from
extracted from credentials at runtime. credentials at runtime.
A wildcard mechanism can be used in the MatchFieldValue string. E.g.,
if the MatchFieldName is "subjectName" then a MatchFieldValue of
"cn=*,ou=engineering,o=foo,c=be" will successfully match a
certificate whose subject attribute is "cn=Jane
Doe,ou=engineering,o=foo,c=be". The wildcard character '*' can be
used to represent zero or more characters.
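The CredentialFilterEntry evaluation of 5.3 (MatchFieldName, wildcarded MatchFieldValue, CredentialType, IsNegated, and the rule that a failed check stops the IKE negotiation), as an added example that is not part of this draft. The sample certificate attributes are constructed, the matching is done on the string form of the attribute rather than on a DER encoding, and treating several entries as ANDed is an assumption of the example; none of these come from the draft.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# CredentialType values from the property definition on this page.
X509_CERTIFICATE, KERBEROS_TICKET = 1, 2


@dataclass(frozen=True)
class CredentialFilterEntry:
    name: str
    match_field_name: str        # e.g. "subjectName"
    match_field_value: str       # may contain '*' wildcards
    credential_type: int = X509_CERTIFICATE
    is_negated: bool = False


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """'*' matches zero or more characters; every other character is literal
    and anchored, so a pattern never matches a longer string by accident."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def credential_matches(entry: CredentialFilterEntry, cred_type: int,
                       fields: dict) -> bool:
    """Evaluate one CredentialFilterEntry against a credential presented in
    phase 1. `fields` maps attribute names (the MatchFieldName vocabulary)
    to their string form. A credential of another type, or one lacking the
    named field, does not match. IsNegated inverts the outcome."""
    if cred_type != entry.credential_type:
        matched = False
    else:
        value = fields.get(entry.match_field_name)
        matched = (value is not None and
                   wildcard_to_regex(entry.match_field_value).match(value) is not None)
    return matched != entry.is_negated


def ike_continues(entries: list, cred_type: int, fields: dict) -> bool:
    """Per the draft, a failed credential check stops the IKE negotiation and
    the triggering IKEAction fails. Here the entries are ANDed (assumed)."""
    return all(credential_matches(e, cred_type, fields) for e in entries)


# Constructed sample: attributes an implementation would extract from a
# peer's X.509 certificate (not a real certificate).
SAMPLE_CERT = {
    "subjectName": "cn=Jane Doe,ou=engineering,o=foo,c=be",
    "issuerName": "cn=Foo CA,o=foo,c=be",
    "serialNumber": "1234",
}
```

The regex is built from re.escape'd literal segments joined by ".*", so a MatchFieldValue such as "cn=*,ou=engineering,o=foo,c=be" cannot be satisfied by a subject whose ou differs, and a value containing regex metacharacters is still treated literally.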
5.3.3. The Property CredentialType 5.3.3. The Property CredentialType
The property CredentialType specifies the particular type of The property CredentialType specifies the particular type of
credential that is being matched. The property is defined as credential that is being matched. The property is defined as
follows: follows:
NAME CredentialType NAME CredentialType
DESCRIPTION Defines the type of IKE credentials. DESCRIPTION Defines the type of IKE credentials.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - X.509 Certificate VALUE 1 - X.509 Certificate
2 - Kerberos Ticket 2 - Kerberos Ticket
5.4. The Class IPSOFilterEntry 5.4. The Class IPSOFilterEntry
The class IPSOFilterEntry is used to match traffic based on the IP The class IPSOFilterEntry is used to match traffic based on the IP
Security Options header values (ClassificationLevel and Security Options header values (ClassificationLevel and
ProtectionAuthority) as defined in RFC1108. This type of filter ProtectionAuthority) as defined in RFC1108. This type of filter entry
entry is used to adjust the IPsec encryption level according to the is used to adjust the IPsec encryption level according to the IPSO
IPSO classification of the traffic (e.g., secret, confidential, classification of the traffic (e.g., secret, confidential,
restricted, etc.). The class definition for IPSOFilterEntry is as restricted, etc.). The class definition for IPSOFilterEntry is as
follows: follows:
NAME IPSOFilterEntry NAME IPSOFilterEntry
DESCRIPTION Specifies a match filter based on IP Security DESCRIPTION Specifies a match filter based on IP Security
Options. Options.
DERIVED FROM FilterEntryBase (see [CIMNETWORK]) DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
skipping to change at page 27, line 54 skipping to change at page 25, line 51
5.5. The Class PeerIDPayloadFilterEntry 5.5. The Class PeerIDPayloadFilterEntry
The class PeerIDPayloadFilterEntry defines filters used to match ID The class PeerIDPayloadFilterEntry defines filters used to match ID
payload values from the IKE protocol exchange. payload values from the IKE protocol exchange.
PeerIDPayloadFilterEntry permits the specification of certain ID PeerIDPayloadFilterEntry permits the specification of certain ID
payload values such as "*@company.com" or "193.190.125.0/24". payload values such as "*@company.com" or "193.190.125.0/24".
Obviously this filter applies only to IKERules when acting as a Obviously this filter applies only to IKERules when acting as a
responder. Moreover, this filter can be applied immediately in the responder. Moreover, this filter can be applied immediately in the
case of aggressive mode but its application is to be delayed in the case of aggressive mode but its application is to be delayed in the
case of main mode. The class definition for case of main mode. The class definition for PeerIDPayloadFilterEntry
PeerIDPayloadFilterEntry is as follows: is as follows:
NAME PeerIDPayloadFilterEntry NAME PeerIDPayloadFilterEntry
DESCRIPTION Specifies a match filter based on IKE identity. DESCRIPTION Specifies a match filter based on IKE identity.
DERIVED FROM FilterEntryBase (see [CIMNETWORK]) DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
MatchIdentityType MatchIdentityType
MatchIdentityValue MatchIdentityValue
skipping to change at page 28, line 15 skipping to change at page 26, line 4
NAME PeerIDPayloadFilterEntry NAME PeerIDPayloadFilterEntry
DESCRIPTION Specifies a match filter based on IKE identity. DESCRIPTION Specifies a match filter based on IKE identity.
DERIVED FROM FilterEntryBase (see [CIMNETWORK]) DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
MatchIdentityType MatchIdentityType
MatchIdentityValue MatchIdentityValue
5.5.1. The Property MatchIdentityType

The property MatchIdentityType specifies the type of identity
provided by the peer in the ID payload. The property is defined as
follows:

   NAME          MatchIdentityType
   DESCRIPTION   Specifies the ID payload type.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - IPv4 Address
                 2 - FQDN
                 3 - User FQDN
                 4 - IPv4 Subnet
                 5 - IPv6 Address
                 6 - IPv6 Subnet
                 7 - IPv4 Address Range
                 8 - IPv6 Address Range
                 9 - DER-Encoded ASN.1 X.500 Distinguished Name
                 10 - DER-Encoded ASN.1 X.500 GeneralName
                 11 - Key ID
5.5.2. The Property MatchIdentityValue

The property MatchIdentityValue specifies the filter value for
comparison with the ID payload, e.g., "*@company.com". The property
is defined as follows:

   NAME          MatchIdentityValue
   DESCRIPTION   Specifies the ID payload value.
   SYNTAX        string
   VALUE         NB: The syntax may need to be converted for
                 comparison. If the PeerIDPayloadFilterEntry type is
                 a DistinguishedName, the name in the
                 MatchIdentityValue property is represented by an
                 ordinary string value, but this value must be
                 converted into a DER-encoded string before matching
                 against the values extracted from IKE ID payloads
                 at runtime. The same applies to IPv4 & IPv6
                 addresses.

                 Different wildcard mechanisms can be used depending
                 on the ID payload:

                 - a MatchIdentityValue of "*@company.com" will
                   match a user FQDN ID payload of
                   "JDOE@COMPANY.COM"
                 - a MatchIdentityValue of "*.company.com" will
                   match a FQDN ID payload of "WWW.COMPANY.COM"
                 - a MatchIdentityValue of
                   "cn=*,ou=engineering,o=company,c=us" will match
                   a DER DN ID payload of
                   "cn=John Doe,ou=engineering,o=company,c=us"
                 - a MatchIdentityValue of "193.190.125.0/24" will
                   match an IPv4 address ID payload of
                   193.190.125.10
                 - a MatchIdentityValue of "193.190.125.*" will
                   also match an IPv4 address ID payload of
                   193.190.125.10.

                 The above wildcard mechanisms MUST be supported for
                 all ID payloads supported by the local IKE entity.
                 The character "*" replaces zero or more instances
                 of any character.
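The matching rules above carried into working code, as an added example that is not part of the draft: all class and function names are this example's own, the DER DN from the ID payload is assumed to have been decoded to a string before comparison, and only the ID types the draft's wildcard examples cover are handled.

```python
# Added example, not part of the draft: evaluating a PeerIDPayloadFilterEntry
# (section 5.5) against the identity a peer sent in its IKE ID payload.
# All class/function names below are this example's own, not the model's API.
import ipaddress
import re
from dataclasses import dataclass

# MatchIdentityType values from section 5.5.1 (only the types the
# draft's wildcard examples cover are handled here).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9


@dataclass(frozen=True)
class PeerIDPayloadFilterEntry:
    name: str
    match_identity_type: int
    match_identity_value: str
    is_negated: bool = False  # inherited from FilterEntryBase


def _wildcard_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a MatchIdentityValue into a regex used with fullmatch().

    Only "*" is special (zero or more of any character); every other
    character is literal, so the "." in "*.company.com" cannot match "x".
    The draft's examples match regardless of case, hence IGNORECASE.
    """
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(pieces), re.IGNORECASE)


def _canonical_dn(dn: str) -> str:
    """Normalise a DN string to 'type=value' RDNs joined by ','.

    The draft requires both sides to be compared in the same encoding;
    this example assumes the DER ID payload has already been decoded to a
    string and that no RDN value contains an escaped comma.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(rdns)


def _match_ip(pattern: str, payload: str) -> bool:
    """IP identities: prefix notation uses a real subnet test; otherwise
    the wildcard is applied to the canonical textual form of the address."""
    addr = ipaddress.ip_address(payload)  # rejects junk such as "1.2.3"
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return _wildcard_regex(pattern).fullmatch(str(addr)) is not None


def match_peer_id(entry: PeerIDPayloadFilterEntry,
                  id_type: int, id_value: str) -> bool:
    """Return True if the received (id_type, id_value) satisfies the entry.

    A payload of a type other than MatchIdentityType never matches the
    pattern; IsNegated then inverts the overall result (assumption:
    negation applies to the whole entry, as for any FilterEntryBase).
    """
    if id_type != entry.match_identity_type:
        matched = False
    elif id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        matched = _match_ip(entry.match_identity_value, id_value)
    elif id_type == ID_DER_ASN1_DN:
        regex = _wildcard_regex(_canonical_dn(entry.match_identity_value))
        matched = regex.fullmatch(_canonical_dn(id_value)) is not None
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        regex = _wildcard_regex(entry.match_identity_value)
        matched = regex.fullmatch(id_value) is not None
    else:
        raise ValueError(f"unsupported MatchIdentityType {id_type}")
    return matched != entry.is_negated


if __name__ == "__main__":
    # Constructed sample input: three of the draft's own wildcard examples.
    cases = [
        (PeerIDPayloadFilterEntry("users", ID_USER_FQDN, "*@company.com"),
         ID_USER_FQDN, "JDOE@COMPANY.COM"),
        (PeerIDPayloadFilterEntry("eng", ID_DER_ASN1_DN,
                                  "cn=*,ou=engineering,o=company,c=us"),
         ID_DER_ASN1_DN, "cn=John Doe,ou=engineering,o=company,c=us"),
        (PeerIDPayloadFilterEntry("net", ID_IPV4_ADDR, "193.190.125.0/24"),
         ID_IPV4_ADDR, "193.190.125.10"),
    ]
    for entry, id_type, id_value in cases:
        print(entry.match_identity_value, "vs", id_value, "->",
              match_peer_id(entry, id_type, id_value))
```

Because the pattern is applied with fullmatch, "*@company.com" does not match "jdoe@company.com.example"; a substring match here would let a peer pick an identity that slips past the filter.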
5.6. The Association Class FilterOfSACondition

The class FilterOfSACondition associates an SACondition with the
filter specifications (FilterList) that make up the condition. The
class definition for FilterOfSACondition is as follows:

   NAME          FilterOfSACondition
   DESCRIPTION   Associates a condition with the filter list that
                 makes up the individual condition elements.
   DERIVED FROM  Dependency (see [CIMCORE])
   ABSTRACT      FALSE
   PROPERTIES    Antecedent [ref FilterList[1..1]]
                 Dependent [ref SACondition[0..n]]

5.6.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a FilterList instance. The [1..1] cardinality
indicates that an SACondition instance MUST be associated with one
and only one FilterList instance.

5.6.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an SACondition instance. The [0..n] cardinality
indicates that a FilterList instance may be associated with zero or
more SACondition instances.
5.7. The Association Class AcceptCredentialFrom

The class AcceptCredentialFrom specifies which credential management
services (e.g., a CertificateAuthority or a Kerberos service) are to
be trusted to certify peer credentials. This is used to assure that
the credential being matched in the CredentialFilterEntry is a valid
credential that has been supplied by an approved
CredentialManagementService. If a CredentialManagementService is
specified and a corresponding CredentialFilterEntry is used, but the
credential supplied by the peer is not certified by that
CredentialManagementService (or one of the
CredentialManagementServices in its trust hierarchy), the
CredentialFilterEntry is deemed not to match. If a credential is
certified by a CredentialManagementService in the
AcceptCredentialsFrom list of services but there is no
CredentialFilterEntry, this is considered equivalent to a
CredentialFilterEntry that matches all credentials from those

   DERIVED FROM  Dependency (see [CIMCORE])
   ABSTRACT      FALSE
   PROPERTIES    Antecedent [ref CredentialManagementService[0..n]]
                 Dependent [ref SACondition[0..n]]
5.7.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an SACondition instance may be
associated with zero or more CredentialManagementService instances.

5.7.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an SACondition instance. The [0..n] cardinality
indicates that a CredentialManagementService instance may be
associated with zero or more SACondition instances.
6. Action Classes

The action classes are used to model the different actions an IPsec
device may take when the evaluation of the associated condition
results in a match.

               +----------+
               | SAAction |
               +----------+

   (a) PeerGatewayForTunnel
   (b) ContainedProposal
   (c) HostedPeerGatewayInformation
   (d) TransformOfPreconfiguredAction
   (e) PeerGatewayForPreconfiguredTunnel
6.1. The Class SAAction

The class SAAction is abstract and serves as the base class for IKE
and IPsec actions. It is used for aggregating different types of
actions to IKE and IPsec rules. The class definition for SAAction is
as follows:

   NAME          SAAction
   DESCRIPTION   The base class for IKE and IPsec actions.
   DERIVED FROM  PolicyAction (see [PCIM])
   ABSTRACT      TRUE
   PROPERTIES    PolicyActionName (from PolicyAction)
                 DoActionLogging
                 DoPacketLogging
6.1.1. The Property DoActionLogging

The property DoActionLogging specifies whether a log message is to be
generated when the action is performed. This applies for
SANegotiationActions with the meaning of logging a message when the
negotiation is attempted (with the success or failure result). This
also applies for SAStaticAction only for PreconfiguredSAAction with
the meaning of logging a message when the preconfigured SA is
actually installed in the SADB. The property is defined as follows:

   NAME          DoActionLogging
   DESCRIPTION   Specifies whether to log when the action is
                 performed.
   SYNTAX        boolean
   VALUE         true - a log message is to be generated when the
                 action is performed.
                 false - no log message is to be generated when the
                 action is performed.

6.1.2. The Property DoPacketLogging

The property DoPacketLogging specifies whether a log message is to be
generated when the resulting security association is used to process
the packet. If the SANegotiationAction successfully executes and
results in the creation of one or several security associations, or
if the PreconfiguredSAAction executes, the value of DoPacketLogging
SHOULD be propagated to an optional field of the SADB. This optional
field should be used to decide whether a log message is to be
generated when the SA is used to process a packet. For
SAStaticActions, a log message is to be generated when the
IPsecBypassAction, IPsecDiscardAction or IKERejectAction is executed.
The property is defined as follows:

   NAME          DoPacketLogging
   DESCRIPTION   Specifies whether to log when the resulting security
                 association is used to process the packet.
   SYNTAX        boolean
   VALUE         true - a log message is to be generated when the
                 resulting security association is used to process
                 the packet.
                 false - no log message is to be generated.
6.2. The Class SAStaticAction

The class SAStaticAction is abstract and serves as the base class for
IKE and IPsec actions that do not require any negotiation. The class
definition for SAStaticAction is as follows:

   NAME          SAStaticAction
   DESCRIPTION   The base class for IKE and IPsec actions that do not
                 require any negotiation.
   DERIVED FROM  SAAction
   ABSTRACT      TRUE
   PROPERTIES    LifetimeSeconds

6.2.1. The Property LifetimeSeconds

The property LifetimeSeconds specifies how long the security
association derived from this action should be used. The property is
defined as follows:

   NAME          LifetimeSeconds
   DESCRIPTION   Specifies the amount of time (in seconds) that a
                 security association derived from this action should
                 be used.
   SYNTAX        unsigned 32-bit integer
   VALUE         A value of zero indicates that there is not a
                 lifetime associated with this action (i.e., infinite
                 lifetime). A non-zero value is typically used in
                 conjunction with alternate SAActions performed when
                 there is a negotiation failure of some sort.

Note: if the referenced SAStaticAction object is a
PreconfiguredSAAction associated to several SATransforms, then the
actual lifetime of the preconfigured SA will be the lesser of the
value of this LifetimeSeconds property and of the value of the
MaxLifetimeSeconds property of the associated SATransform. If the
value of this LifetimeSeconds property is zero, then there will be
no lifetime associated to this SA.

It is expected that most SAStaticAction instances will have their
LifetimeSeconds properties set to zero (meaning no expiration of the
resulting SA).
6.3. The Class IPsecBypassAction

The class IPsecBypassAction is used when packets are allowed to be
processed without applying IPsec encapsulation to them. This is the
same as stating that packets are allowed to flow in the clear. The
The class PreconfiguredSAAction is used to create a security
association using preconfigured, hard-wired algorithms and keys.

Notes:

   - the SPI for a PreconfiguredSAAction is contained in the
     association, TransformOfPreconfiguredAction;

   - the session key (if applicable) is contained in an instance of
     the class SharedSecret (see [CIMUSER]). The session key is
     stored in the property Secret, the property protocol contains
     either "ESP-encrypt", "ESP-auth" or "AH", the property
     algorithm contains the algorithm used to protect the secret
     (can be "PLAINTEXT" if the IPsec entity has no secret storage),
     the value of property RemoteID is the concatenation of the
     remote IPsec peer IP address in dotted decimal, of the
     character "/", of "IN" (respectively "OUT") for inbound SA
     (respectively outbound SA), of the character "/" and of the
     hexadecimal representation of the SPI.

Although the class is concrete, it MUST NOT be instantiated. The
class definition for PreconfiguredSAAction is as follows:

   NAME          PreconfiguredSAAction
   DESCRIPTION   Specifies preconfigured algorithm and keying
                 information for creation of a security association.
   DERIVED FROM  SAStaticAction
   ABSTRACT      FALSE
   PROPERTIES    LifetimeKilobytes
6.6.1. The Property LifetimeKilobytes

The property LifetimeKilobytes specifies a traffic limit in kilobytes
that can be consumed before the SA is deleted. The property is
defined as follows:

   NAME          LifetimeKilobytes
   DESCRIPTION   Specifies the SA lifetime in kilobytes.
   SYNTAX        unsigned 32-bit integer
   VALUE         A value of zero indicates that there is not a
                 lifetime associated with this action (i.e., infinite
                 lifetime). A non-zero value is used to indicate that
                 after this number of kilobytes has been consumed the
                 SA must be deleted from the SADB.

Note: the actual lifetime of the preconfigured SA will be the lesser
of the value of this LifetimeKilobytes property and of the value of
the MaxLifetimeSeconds property of the associated SATransform. If the
value of this LifetimeKilobytes property is zero, then there will be
no lifetime associated with this action.

It is expected that most PreconfiguredSAAction instances will have
their LifetimeKilobytes properties set to zero (meaning no expiration
of the resulting SA).
6.7. The Class PreconfiguredTransportAction

The class PreconfiguredTransportAction is used to create an IPsec
transport-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for
PreconfiguredTransportAction is as follows:

   NAME          PreconfiguredTransportAction
   DESCRIPTION   Specifies preconfigured algorithm and keying
                 information for creation of an IPsec transport
                 security association.
   DERIVED FROM  PreconfiguredSAAction
   ABSTRACT      FALSE
6.8. The Class PreconfiguredTunnelAction

The class PreconfiguredTunnelAction is used to create an IPsec
tunnel-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for
PreconfiguredTunnelAction is as follows:

   NAME          PreconfiguredTunnelAction
   DESCRIPTION   Specifies preconfigured algorithm and keying
                 information for creation of an IPsec tunnel-mode
                 security association.
   DERIVED FROM  PreconfiguredSAAction
   ABSTRACT      FALSE
   PROPERTIES    DFHandling

6.8.1. The Property DFHandling

The property DFHandling specifies how the Don't Fragment bit of the
internal IP header is to be handled during IPsec processing. The
property is defined as follows:

   NAME          DFHandling
   DESCRIPTION   Specifies the processing of the DF bit.
   SYNTAX        unsigned 16-bit integer
   VALUE         1 - Copy the DF bit from the internal IP header to
                 the external IP header.
                 2 - Set the DF bit of the external IP header to 1.
                 3 - Clear the DF bit of the external IP header to 0.
6.9. The Class SANegotiationAction

The class SANegotiationAction specifies an action requesting security
policy negotiation.

This is an abstract class. Currently, only one security policy
negotiation protocol action is subclassed from SANegotiationAction:
the IKENegotiationAction class. It is nevertheless expected that
other security policy negotiation protocols will exist and the
negotiation actions of those new protocols would be modeled as a
subclass of SANegotiationAction.

   NAME          SANegotiationAction
   DESCRIPTION   Specifies a negotiation action.
class definition for IKENegotiationAction is as follows:

   NAME          IKENegotiationAction
   DESCRIPTION   A base class for IKE and IPsec actions that
                 specifies the parameters that are common for IKE
                 phase 1 and IKE phase 2 IPsec DOI negotiations.
   DERIVED FROM  SANegotiationAction
   ABSTRACT      TRUE
   PROPERTIES    MinLifetimeSeconds
                 MinLifetimeKilobytes
                 RefreshThresholdSeconds
                 RefreshThresholdKilobytes
                 IdleDurationSeconds
6.10.1. The Property MinLifetimeSeconds

The property MinLifetimeSeconds specifies the minimum seconds
lifetime that will be accepted from the peer. MinLifetimeSeconds is
used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations
with expensive Diffie-Hellman operations. The property is defined as
follows:

   NAME          MinLifetimeSeconds
   DESCRIPTION   Specifies the minimum acceptable seconds lifetime.
   SYNTAX        unsigned 32-bit integer
   VALUE         A value of zero indicates that there is no minimum
                 value. A non-zero value specifies the minimum
                 seconds lifetime.
6.10.2. The Property MinLifetimeKilobytes

with correspondingly expensive Diffie-Hellman operations. Note that
there has been considerable debate regarding the usefulness of
applying kilobyte lifetimes to IKE phase 1 security associations, so
it is likely that this property will only apply to the sub-class
IPsecAction. The property is defined as follows:

   NAME          MinLifetimeKilobytes
   DESCRIPTION   Specifies the minimum acceptable kilobytes lifetime.
   SYNTAX        unsigned 32-bit integer
   VALUE         A value of zero indicates that there is no minimum
                 value. A non-zero value specifies the minimum
                 kilobytes lifetime.
6.10.3. The Property RefreshThresholdSeconds

The property RefreshThresholdSeconds specifies what percentage of
the seconds lifetime can expire before IKE should attempt to
renegotiate the security association. A random value may be added
to the calculated threshold (percentage x seconds lifetime) to
reduce the chance of both peers attempting to renegotiate at the
same time. The property is defined as follows:

   NAME          RefreshThresholdSeconds
   DESCRIPTION   Specifies the percentage of seconds lifetime that
                 has expired before the security association is
                 renegotiated.
   SYNTAX        unsigned 8-bit integer
   VALUE         A value between 1 and 100 representing a percentage.
                 A value of 100 indicates that the security
                 association should not be renegotiated until the
                 seconds lifetime has been reached.

6.10.4. The Property RefreshThresholdKilobytes

The property RefreshThresholdKilobytes specifies what percentage of
the kilobyte lifetime can expire before IKE should attempt to
renegotiate the IPsec security association. A random value may be
added to the calculated threshold (percentage x kilobyte lifetime)
to reduce the chance of both peers attempting to renegotiate at the
same time. Note that, as with the property MinLifetimeKilobytes,
this property is probably only relevant to IPsecAction sub-classes.
The property is defined as follows:

   NAME          RefreshThresholdKilobytes
   DESCRIPTION   Specifies the percentage of kilobyte lifetime that
                 has expired before the IPsec security association
                 is renegotiated.
   SYNTAX        unsigned 8-bit integer
   VALUE         A value between 1 and 100 representing a percentage.
                 A value of 100 indicates that the IPsec security
                 association should not be renegotiated until the
                 kilobyte lifetime has been reached.
6.10.5. The Property IdleDurationSeconds

The property IdleDurationSeconds specifies how many seconds a
security association may remain idle (i.e., no traffic protected
using the security association) before it is deleted. The property
is defined as follows:

   NAME          IdleDurationSeconds
   DESCRIPTION   Specifies how long, in seconds, a security
                 association may remain unused before it is deleted.
   SYNTAX        unsigned 32-bit integer
   VALUE         A value of zero indicates that idle detection should
                 not be used for the security association (only the
                 seconds and kilobyte lifetimes will be used). Any
                 non-zero value indicates the number of seconds the
                 security association may remain unused.
6.11. The Class IPsecAction 6.11. The Class IPsecAction
The class IPsecAction serves as the base class for IPsec transport The class IPsecAction serves as the base class for IPsec transport
and tunnel actions. It specifies the parameters used for an IKE and tunnel actions. It specifies the parameters used for an IKE
phase 2 IPsec DOI negotiation. Although the class is concrete, is phase 2 IPsec DOI negotiation. Although the class is concrete, is
MUST not be instantiated. The class definition for IPsecAction is MUST not be instantiated. The class definition for IPsecAction is as
as follows: follows:
NAME IPsecAction NAME IPsecAction
DESCRIPTION A base class for IPsec transport and tunnel actions DESCRIPTION A base class for IPsec transport and tunnel actions that
that specifies the parameters for IKE phase 2 IPsec DOI specifies the parameters for IKE phase 2 IPsec DOI
negotiations. negotiations.
DERIVED FROM IKENegotiationAction DERIVED FROM IKENegotiationAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES UsePFS PROPERTIES UsePFS
UseIKEGroup UseIKEGroup
GroupId GroupId
Granularity Granularity
VendorID VendorID
6.11.1. The Property UsePFS 6.11.1. The Property UsePFS
skipping to change at page 40, line 10 skipping to change at page 36, line 10
the same key exchange group as was used in phase 1. UseIKEGroup is the same key exchange group as was used in phase 1. UseIKEGroup is
ignored if UsePFS is false. The property is defined as follows: ignored if UsePFS is false. The property is defined as follows:
NAME UseIKEGroup NAME UseIKEGroup
DESCRIPTION Specifies whether or not to use the same GroupId for DESCRIPTION Specifies whether or not to use the same GroupId for
phase 2 as was used in phase 1. If UsePFS is false, phase 2 as was used in phase 1. If UsePFS is false,
then UseIKEGroup is ignored. then UseIKEGroup is ignored.
SYNTAX boolean SYNTAX boolean
VALUE A value of true indicates that the phase 2 GroupId VALUE A value of true indicates that the phase 2 GroupId
should be the same as phase 1. A value of false should be the same as phase 1. A value of false
indicates that the property GroupId will contain the indicates that the property GroupId will contain the key
key exchange group to use for phase 2. exchange group to use for phase 2.
6.11.3. The Property GroupId 6.11.3. The Property GroupId
The property GroupId specifies the key exchange group to use for The property GroupId specifies the key exchange group to use for
phase 2. GroupId is ignored if (1) the property UsePFS is false, or phase 2. GroupId is ignored if (1) the property UsePFS is false, or
(2) the property UsePFS is true and the property UseIKEGroup is (2) the property UsePFS is true and the property UseIKEGroup is true.
true. If the GroupID number is from the vendor-specific range If the GroupID number is from the vendor-specific range (32768-
(32768-65535), the property VendorID qualifies the group number. 65535), the property VendorID qualifies the group number. The
The property is defined as follows: property is defined as follows:
NAME GroupId NAME GroupId
DESCRIPTION Specifies the key exchange group to use for phase 2 DESCRIPTION Specifies the key exchange group to use for phase 2 when
when the property UsePFS is true and the property the property UsePFS is true and the property UseIKEGroup
UseIKEGroup is false. is false.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values. VALUE Consult [IKE] for valid values.
6.11.4. The Property Granularity 6.11.4. The Property Granularity
The property Granularity specifies how the selector for the security The property Granularity specifies how the selector for the security
association should be derived from the traffic that triggered the association should be derived from the traffic that triggered the
negotiation. The property is defined as follows: negotiation. The property is defined as follows:
NAME Granularity NAME Granularity
DESCRIPTION Specifies the how the proposed selector for the DESCRIPTION Specifies the how the proposed selector for the security
security association will be created. association will be created.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - subnet: the source and destination subnet masks of VALUE 1 - subnet: the source and destination subnet masks of
the filter entry are used. the filter entry are used.
2 - address: only the source and destination IP 2 - address: only the source and destination IP
addresses of the triggering packet are used. addresses of the triggering packet are used.
3 - protocol: the source and destination IP addresses 3 - protocol: the source and destination IP addresses
and the IP protocol of the triggering packet are used. and the IP protocol of the triggering packet are used.
4 - port: the source and destination IP addresses and 4 - port: the source and destination IP addresses and
the IP protocol and the source and destination layer 4 the IP protocol and the source and destination layer 4
ports of the triggering packet are used. ports of the triggering packet are used.
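The following is an added example, not part of the draft and not code
from any implementation of it, showing how the IPsecAction properties
of section 6.11 shape a phase 2 negotiation: the selector is derived
from the triggering packet and the matching filter entry according to
the four Granularity values of 6.11.4, and the phase 2 key exchange
group is resolved from UsePFS, UseIKEGroup, GroupId and VendorID as
described in 6.11.1 through 6.11.3. The FilterEntry, Packet and
Selector classes, the sample addresses and the "phase1_group" argument
are constructions of the example; the model itself does not define
them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class FilterEntry:
    """Source/destination subnets of the filter entry that matched (constructed)."""
    src_subnet: str
    dst_subnet: str


@dataclass
class Packet:
    """The packet that triggered the negotiation (constructed)."""
    src: str
    dst: str
    protocol: int
    sport: int
    dport: int


@dataclass
class IPsecAction:
    """The IPsecAction properties from section 6.11 that shape phase 2."""
    use_pfs: bool
    use_ike_group: bool
    group_id: int
    vendor_id: Optional[str]
    granularity: int   # 1 subnet, 2 address, 3 protocol, 4 port


@dataclass(frozen=True)
class Selector:
    src: str                        # network in CIDR form
    dst: str
    protocol: Optional[int] = None  # None = any
    sport: Optional[int] = None
    dport: Optional[int] = None


def derive_selector(action: IPsecAction, entry: FilterEntry, pkt: Packet) -> Selector:
    """Build the SA selector according to Granularity (section 6.11.4)."""
    src_net = ipaddress.ip_network(entry.src_subnet)
    dst_net = ipaddress.ip_network(entry.dst_subnet)
    # Sanity check: the triggering packet must actually match the filter entry.
    if (ipaddress.ip_address(pkt.src) not in src_net
            or ipaddress.ip_address(pkt.dst) not in dst_net):
        raise ValueError("triggering packet does not match the filter entry")
    # Single-host networks (/32 or /128) for the address-based granularities.
    host_src = str(ipaddress.ip_network(pkt.src))
    host_dst = str(ipaddress.ip_network(pkt.dst))
    if action.granularity == 1:
        return Selector(str(src_net), str(dst_net))
    if action.granularity == 2:
        return Selector(host_src, host_dst)
    if action.granularity == 3:
        return Selector(host_src, host_dst, pkt.protocol)
    if action.granularity == 4:
        return Selector(host_src, host_dst, pkt.protocol, pkt.sport, pkt.dport)
    raise ValueError(f"unknown Granularity value {action.granularity}")


# Vendor-specific group numbers must be qualified by VendorID (section 6.11.3).
VENDOR_SPECIFIC_GROUPS = range(32768, 65536)


def phase2_group(action: IPsecAction,
                 phase1_group: Tuple[int, Optional[str]]
                 ) -> Optional[Tuple[int, Optional[str]]]:
    """Resolve the phase 2 key exchange group from UsePFS/UseIKEGroup/GroupId.

    Returns (group id, vendor id), or None when PFS is off and no phase 2
    Diffie-Hellman exchange is proposed at all."""
    if not action.use_pfs:
        return None                      # GroupId and UseIKEGroup are ignored
    if action.use_ike_group:
        return phase1_group              # reuse the phase 1 group
    if action.group_id in VENDOR_SPECIFIC_GROUPS:
        if not action.vendor_id:
            raise ValueError("vendor-specific GroupId requires VendorID")
        return (action.group_id, action.vendor_id)
    return (action.group_id, None)
```

The match check in derive_selector is the practitioner's safeguard: a
selector built from a packet that does not fall inside the filter
entry would negotiate an SA the policy never authorised.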
[unchanged text omitted]

The class definition for IPsecTransportAction is as follows:

   NAME         IPsecTransportAction
   DESCRIPTION  Specifies that an IPsec transport-mode security
                association should be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE

6.13. The Class IPsecTunnelAction

The class IPsecTunnelAction is a subclass of IPsecAction that is used
to specify use of an IPsec tunnel-mode security association. The
class definition for IPsecTunnelAction is as follows:

   NAME         IPsecTunnelAction
   DESCRIPTION  Specifies that an IPsec tunnel-mode security association
                should be negotiated.
   DERIVED FROM IPsecAction
   ABSTRACT     FALSE
   PROPERTIES   DFHandling

6.13.1. The Property DFHandling

The property DFHandling specifies how the tunnel should manage the
Don't Fragment (DF) bit. The property is defined as follows:

   NAME         DFHandling

[unchanged text omitted]

6.14. The Class IKEAction

The class IKEAction specifies the parameters that are to be used for
IKE phase 1 negotiation. The class definition for IKEAction is as
follows:

   NAME         IKEAction
   DESCRIPTION  Specifies the IKE phase 1 negotiation parameters.
   DERIVED FROM IKENegotiationAction
   ABSTRACT     FALSE
   PROPERTIES   ExchangeMode
                UseIKEIdentityType
                VendorID
                AggressiveModeGroupId

(In draft-04 the property list also began with
RefreshThresholdDerivedKeys, defined as section 6.14.1 as follows;
both are removed in draft-05.)

6.14.1. The Property RefreshThresholdDerivedKeys (draft-04 only)

The property RefreshThresholdDerivedKeys specifies what percentage
of the derived key limit (see the LifetimeDerivedKeys property of
IKEProposal) can expire before IKE should attempt to renegotiate the
IKE phase 1 security association. A random value may be added to
the calculated threshold (percentage x derived key limit) to reduce
the chance of both peers attempting to renegotiate at the same time.
The property is defined as follows:

   NAME         RefreshThresholdDerivedKeys
   DESCRIPTION  Specifies the percentage of the derived key limit that
                has expired before the IKE phase 1 security association
                is renegotiated.
   SYNTAX       unsigned 8-bit integer
   VALUE        A value between 1 and 100 representing a percentage. A
                value of 100 indicates that the IKE phase 1 security
                association should not be renegotiated until the
                derived key limit has been reached.
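As an added illustration (not part of the draft, and not taken from any
IKE implementation) of the lifetime handling described in 6.10.4,
6.10.3 and the draft-04 RefreshThresholdDerivedKeys property above,
the code below computes the refresh point for a lifetime limit as
"threshold percent x limit" with an optional random addition, and then
decides whether a live security association should be kept, rekeyed,
or deleted from its elapsed time, bytes protected, idle time and, for
a phase 1 SA, the number of phase 2 keys derived. The SALimits class,
the jitter_percent parameter and the sample limits are constructions
of the example; the model itself only defines the thresholds and
leaves the size of the random value to the implementation.

```python
import random
from dataclasses import dataclass


@dataclass
class SALimits:
    """Lifetime and refresh settings, named after the SAAction/IKEProposal
    properties of sections 6.10 and 6.14 (constructed example values)."""
    max_lifetime_seconds: int            # hard seconds lifetime of the SA
    max_lifetime_kilobytes: int          # hard kilobyte lifetime, 0 = not used
    refresh_threshold_seconds: int       # 1..100, percent of the seconds lifetime
    refresh_threshold_kilobytes: int     # 1..100, percent of the kilobyte lifetime
    idle_duration_seconds: int = 0       # 0 = idle detection disabled
    lifetime_derived_keys: int = 0       # draft-04 LifetimeDerivedKeys, 0 = no limit
    refresh_threshold_derived_keys: int = 100  # draft-04, percent of that limit


def refresh_point(limit: int, threshold_percent: int,
                  jitter_percent: int = 0, rng=random) -> int:
    """Amount of a limit (seconds, kilobytes or derived keys) after which IKE
    should start renegotiating: threshold% of the limit, plus an optional
    random amount of up to jitter% of the limit so that both peers do not
    renegotiate at the same instant.  A threshold of 100 means "do not
    renegotiate before the limit is reached", so no random value is added
    then, and the result never exceeds the limit itself."""
    if not 1 <= threshold_percent <= 100:
        raise ValueError("refresh threshold must be between 1 and 100")
    base = limit * threshold_percent // 100
    if threshold_percent == 100 or jitter_percent == 0:
        return base
    extra = rng.randint(0, limit * jitter_percent // 100)
    return min(base + extra, limit)


def sa_decision(limits: SALimits, elapsed_seconds: int, kilobytes_used: int,
                idle_seconds: int, keys_derived: int = 0,
                jitter_percent: int = 0, rng=random) -> str:
    """Return 'delete', 'rekey' or 'keep' for a live security association.

    Reaching a hard lifetime or the idle limit deletes the SA; crossing a
    refresh point asks IKE to negotiate a replacement while the old SA is
    still usable.  With a threshold of 100 the refresh point equals the
    limit, so renegotiation only happens when the old SA expires."""
    if elapsed_seconds >= limits.max_lifetime_seconds:
        return "delete"
    if limits.max_lifetime_kilobytes and kilobytes_used >= limits.max_lifetime_kilobytes:
        return "delete"
    if limits.idle_duration_seconds and idle_seconds >= limits.idle_duration_seconds:
        return "delete"
    if elapsed_seconds >= refresh_point(limits.max_lifetime_seconds,
                                        limits.refresh_threshold_seconds,
                                        jitter_percent, rng):
        return "rekey"
    if limits.max_lifetime_kilobytes and kilobytes_used >= refresh_point(
            limits.max_lifetime_kilobytes, limits.refresh_threshold_kilobytes,
            jitter_percent, rng):
        return "rekey"
    # Phase 1 only: the derived-key limit of draft-04 (0 means unlimited).
    if limits.lifetime_derived_keys and keys_derived >= refresh_point(
            limits.lifetime_derived_keys, limits.refresh_threshold_derived_keys,
            jitter_percent, rng):
        return "rekey"
    return "keep"
```

The random addition is capped at the limit so that jitter can delay a
rekey but can never let the SA run past its hard lifetime; a
practitioner tuning jitter_percent would keep threshold plus jitter
comfortably below 100 so the replacement SA is in place before the old
one expires.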
6.14.1. The Property ExchangeMode

The property ExchangeMode specifies which IKE mode should be used for
IKE phase 1 negotiations. The property is defined as follows:

   NAME         ExchangeMode
   DESCRIPTION  Specifies the IKE negotiation mode for phase 1.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - base mode
                2 - main mode
                4 - aggressive mode

6.14.2. The Property UseIKEIdentityType

The property UseIKEIdentityType specifies what IKE identity type
should be used when negotiating with the peer. This information is
used in conjunction with the IKE identities available on the system
and the IdentityContexts of the matching IKERule. The property is
defined as follows:

   NAME         UseIKEIdentityType
   DESCRIPTION  Specifies the IKE identity to use during negotiation.
   SYNTAX       unsigned 16-bit integer

[unchanged text omitted]

                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name
                10 - DER-Encoded ASN.1 X.500 GeneralName
                11 - Key ID

6.14.3. The Property VendorID

The property VendorID specifies the value to be used in the Vendor ID
payload. The property is defined as follows:

   NAME         VendorID
   DESCRIPTION  Vendor ID Payload.
   SYNTAX       string
   VALUE        A value of NULL means that Vendor ID payload will be
                neither generated nor accepted. A non-NULL value means
                that a Vendor ID payload will be generated (when acting
                as an initiator) or is expected (when acting as a
                responder).

6.14.4. The Property AggressiveModeGroupId

The property AggressiveModeGroupId specifies which group ID is to be
used in the first packets of the phase 1 negotiation. This property
is ignored unless the property ExchangeMode is set to 4 (aggressive
mode). If the AggressiveModeGroupID number is from the vendor-
specific range (32768-65535), the property VendorID qualifies the
group number. The property is defined as follows:

   NAME         AggressiveModeGroupId
   DESCRIPTION  Specifies the group ID to be used for aggressive mode.

[unchanged text omitted]

follows:

   NAME         PeerGateway
   DESCRIPTION  Specifies the security gateway with which to negotiate.
   DERIVED FROM LogicalElement (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Name
                PeerIdentityType
                PeerIdentity

Note: the class PeerIdentityEntry contains more information about the
peer (namely its IP address).

6.15.1. The Property Name

The property Name specifies a user-friendly name for this security
gateway. The property is defined as follows:

   NAME         Name
   DESCRIPTION  Specifies a user-friendly name for this security
                gateway.
   SYNTAX       string

6.15.2. The Property PeerIdentityType

The property PeerIdentityType specifies the IKE identity type of the
security gateway. The property is defined as follows:

   NAME         PeerIdentityType
   DESCRIPTION  Specifies the IKE identity type of the security gateway.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - IPv4 Address
                2 - FQDN
                3 - User FQDN
                4 - IPv4 Subnet
                5 - IPv6 Address
                6 - IPv6 Subnet
                7 - IPv4 Address Range
                8 - IPv6 Address Range
                9 - DER-Encoded ASN.1 X.500 Distinguished Name

[unchanged text omitted]

   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                Dependent [ref IPsecTunnelAction[0..n]]
                SequenceNumber

6.16.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that an IPsecTunnelAction instance may be
associated with zero or more PeerGateway instances.

Note: the cardinality 0 has a specific meaning:
   - when the IKE service acts as a responder, this means that
     the IKE service will accept phase 1 negotiation with any
     other security gateway;
   - when the IKE service acts as an initiator, this means that
     the IKE service will use the destination IP address (of
     the IP packets which triggered the SARule) as the IP
     address of the peer IKE entity.

6.16.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IPsecTunnelAction instance. The [0..n] cardinality
indicates that a PeerGateway instance may be associated with zero or
more IPsecTunnelAction instances.

6.16.3. The Property SequenceNumber

The property SequenceNumber specifies the ordering to be used when
evaluating PeerGateway instances for a given IPsecTunnelAction. The
property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the order of evaluation for PeerGateways.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower values are evaluated first.

6.17. The Aggregation Class ContainedProposal

The class ContainedProposal associates an ordered list of SAProposals
with the IKENegotiationAction that aggregates it. If the referenced
IKENegotiationAction object is an IKEAction, then the referenced
SAProposal object(s) must be IKEProposal(s). If the referenced
IKENegotiationAction object is an IPsecTransportAction or an
IPsecTunnelAction, then the referenced SAProposal object(s) must be
IPsecProposal(s). The class definition for ContainedProposal is as
follows:

   NAME         ContainedProposal
   DESCRIPTION  Associates an ordered list of SAProposals with an
                IKENegotiationAction.
   DERIVED FROM PolicyComponent (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent[ref IKENegotiationAction[0..n]]
                PartComponent[ref SAProposal[1..n]]
                SequenceNumber

6.17.1. The Reference GroupComponent

The property GroupComponent is inherited from PolicyComponent and is
overridden to refer to an

[unchanged text omitted]

6.17.2. The Reference PartComponent

The property PartComponent is inherited from PolicyComponent and is
overridden to refer to an SAProposal instance. The [1..n]
cardinality indicates that an IKENegotiationAction instance MUST be
associated with at least one SAProposal instance.

6.17.3. The Property SequenceNumber

The property SequenceNumber specifies the order of preference for the
SAProposals. The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  Specifies the preference order for the SAProposals.
   SYNTAX       unsigned 16-bit integer
   VALUE        Lower-valued proposals are preferred over proposals with
                higher values. For ContainedProposals that reference
                the same IKENegotiationAction, SequenceNumber values
                must be unique.
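An added example (not part of the draft and not an implementation's
code) of a policy loader enforcing the ContainedProposal rules of
section 6.17 together with the instantiation rule of section 6.11: the
action must not be a bare IPsecAction, an IKEAction may only aggregate
IKEProposals while IPsecTransportAction and IPsecTunnelAction may only
aggregate IPsecProposals, at least one proposal is required, and
SequenceNumber values for one action must be unique. The stand-in
classes carry only the attributes the example needs; the "name"
attribute and the sample proposals are constructions of the example.

```python
from dataclasses import dataclass
from typing import List, Sequence


# Minimal stand-ins for the model's action and proposal classes (section 6).
class IKENegotiationAction:
    pass


class IKEAction(IKENegotiationAction):
    pass


class IPsecAction(IKENegotiationAction):
    pass


class IPsecTransportAction(IPsecAction):
    pass


class IPsecTunnelAction(IPsecAction):
    pass


@dataclass(frozen=True)
class SAProposal:
    name: str   # label used only by this example


class IKEProposal(SAProposal):
    pass


class IPsecProposal(SAProposal):
    pass


@dataclass
class ContainedProposal:
    """One ContainedProposal aggregation instance (section 6.17)."""
    group_component: IKENegotiationAction   # GroupComponent reference
    part_component: SAProposal              # PartComponent reference
    sequence_number: int


def ordered_proposals(action: IKENegotiationAction,
                      links: Sequence[ContainedProposal]) -> List[SAProposal]:
    """Return the action's SAProposals in preference order (lowest
    SequenceNumber first), rejecting policies that break the model's rules."""
    if type(action) is IPsecAction:
        raise TypeError("IPsecAction is concrete but MUST NOT be instantiated")
    if isinstance(action, IKEAction):
        expected = IKEProposal
    elif isinstance(action, (IPsecTransportAction, IPsecTunnelAction)):
        expected = IPsecProposal
    else:
        raise TypeError(f"unsupported action type {type(action).__name__}")

    mine = [link for link in links if link.group_component is action]
    if not mine:
        raise ValueError("PartComponent [1..n]: at least one SAProposal is required")

    seen = set()
    for link in mine:
        if not isinstance(link.part_component, expected):
            raise TypeError(f"{type(action).__name__} may only reference "
                            f"{expected.__name__} instances")
        if link.sequence_number in seen:
            raise ValueError(f"duplicate SequenceNumber {link.sequence_number}")
        seen.add(link.sequence_number)

    # Lower SequenceNumber = higher preference.
    return [link.part_component
            for link in sorted(mine, key=lambda link: link.sequence_number)]
```

Rejecting duplicate SequenceNumbers at load time matters because the
order of proposals is what the peer sees as the local preference; two
proposals with the same number would make that preference undefined.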
6.18. The Association Class HostedPeerGatewayInformation

The class HostedPeerGatewayInformation weakly associates a
PeerGateway with a System. The class definition for
HostedPeerGatewayInformation is as follows:

   NAME         HostedPeerGatewayInformation
   DESCRIPTION  Weakly associates a PeerGateway with a System.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref System[1..1]]
                Dependent [ref PeerGateway[0..n] [weak]]

6.18.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerGateway instance MUST be associated with one and
only one System instance.

6.18.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to a PeerGateway instance. The [0..n] cardinality indicates
that a System instance may be associated with zero or more
PeerGateway instances.

6.19. The Association Class TransformOfPreconfiguredAction

The class TransformOfPreconfiguredAction associates a
PreconfiguredSAAction with from two to six SATransforms that will be
applied to the inbound and outbound traffic. The order of
application of the SATransforms is implicitly defined in [IPSEC].
The class definition for TransformOfPreconfiguredAction is as
follows:

   NAME         TransformOfPreconfiguredAction
   DESCRIPTION  Associates a PreconfiguredSAAction with from one to
                three SATransforms.

[unchanged text omitted]

6.19.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an SATransform instance. The [2..6]
cardinality indicates that a PreconfiguredSAAction instance may be
associated with from two to six SATransform instances.

6.19.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to a PreconfiguredSAAction instance. The [0..n] cardinality
indicates that an SATransform instance may be associated with zero or
more PreconfiguredSAAction instances.

6.19.3. The Property SPI

The property SPI specifies the SPI to be used by the pre-configured
action for the associated transform. The property is defined as
follows:

   NAME         SPI
   DESCRIPTION  Specifies the SPI to be used with the SATransform.
   SYNTAX       unsigned 32-bit integer

[unchanged text omitted]

6.20.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..1]
cardinality indicates that a PreconfiguredTunnelAction instance may
be associated with one PeerGateway instance.

6.20.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to a PreconfiguredTunnelAction instance. The [0..n]
cardinality indicates that a PeerGateway instance may be associated
with zero or more PreconfiguredSAAction instances.
7. Proposal and Transform Classes

The proposal and transform classes model the proposal settings an
IPsec device will use during IKE phase 1 and 2 negotiations.

      +--------------+*w       1+--------------+
      | [SAProposal] |----------| System       |
      +--------------+   (a)    | ([CIMCORE])  |
             ^                  +--------------+

[unchanged text omitted]
The class IKEProposal specifies the proposal parameters necessary to The class IKEProposal specifies the proposal parameters necessary to
drive an IKE security association negotiation. The class definition drive an IKE security association negotiation. The class definition
for IKEProposal is as follows: for IKEProposal is as follows:
NAME IKEProposal NAME IKEProposal
DESCRIPTION Specifies the proposal parameters for IKE security DESCRIPTION Specifies the proposal parameters for IKE security
association negotiation. association negotiation.
DERIVED FROM SAProposal DERIVED FROM SAProposal
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES LifetimeDerivedKeys PROPERTIES CipherAlgorithm
CipherAlgorithm
HashAlgorithm HashAlgorithm
PRFAlgorithm PRFAlgorithm
GroupId GroupId
AuthenticationMethod AuthenticationMethod
MaxLifetimeSeconds MaxLifetimeSeconds
MaxLifetimeKilobytes MaxLifetimeKilobytes
VendorID VendorID
7.2.1. The Property LifetimeDerivedKeys 7.2.1. The Property CipherAlgorithm
The property LifetimeDerivedKeys specifies the number of times that
a phase 1 key will be used to derive a phase 2 key before the phase
1 security association needs renegotiated. Even though this is not
a parameter that is sent in an IKE proposal, it is included in the
proposal as the number of keys derived may be a result of the
strength of the algorithms in the IKE proposal. The property is
defined as follows:
NAME LifetimeDerivedKeys
DESCRIPTION Specifies the number of phase 2 keys that can be
derived from the phase 1 key.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no limit to the
number of phase 2 keys that may be derived from the
phase 1 key; instead the seconds and/or kilobytes
lifetime will dictate the phase 1 rekeying. A non-zero
value specifies the number of phase 2 keys that can be
derived from the phase 1 key.
7.2.2. The Property CipherAlgorithm
The property CipherAlgorithm specifies the proposed phase 1 security The property CipherAlgorithm specifies the proposed phase 1 security
association encryption algorithm. The property is defined as association encryption algorithm. The property is defined as
follows: follows:
NAME CipherAlgorithm NAME CipherAlgorithm
DESCRIPTION Specifies the proposed encryption algorithm for the DESCRIPTION Specifies the proposed encryption algorithm for the
phase 1 security association. phase 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values. VALUE Consult [IKE] for valid values.
7.2.3. The Property HashAlgorithm 7.2.2. The Property HashAlgorithm
The property HashAlgorithm specifies the proposed phase 1 security The property HashAlgorithm specifies the proposed phase 1 security
association hash algorithm. The property is defined as follows: association hash algorithm. The property is defined as follows:
NAME HashAlgorithm NAME HashAlgorithm
DESCRIPTION Specifies the proposed hash algorithm for the phase 1 DESCRIPTION Specifies the proposed hash algorithm for the phase 1
security association. security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values. VALUE Consult [IKE] for valid values.
7.2.4. The Property PRFAlgorithm 7.2.3. The Property PRFAlgorithm
The property PRFAlgorithm specifies the proposed phase 1 security The property PRFAlgorithm specifies the proposed phase 1 security
association pseudo-random function. The property is defined as association pseudo-random function. The property is defined as
follows: follows:
NAME PRFAlgorithm NAME PRFAlgorithm
DESCRIPTION Specifies the proposed pseudo-random function for the DESCRIPTION Specifies the proposed pseudo-random function for the
phase 1 security association. phase 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Currently none defined. VALUE Currently none defined in [IKE], if [IKE, DOI] are
extended, then the values of [IKE, DOI] are to be used
for values of PRFAlgorithm.
7.2.5. The Property GroupId 7.2.4. The Property GroupId
The property GroupId specifies the proposed phase 1 security The property GroupId specifies the proposed phase 1 security
association key exchange group. This property is ignored for all association key exchange group. This property is ignored for all
aggressive mode exchanges. If the GroupID number is from the aggressive mode exchanges. If the GroupID number is from the vendor-
vendor-specific range (32768-65535), the property VendorID qualifies specific range (32768-65535), the property VendorID qualifies the
the group number. The property is defined as follows: group number. The property is defined as follows:
NAME GroupId NAME GroupId
DESCRIPTION Specifies the proposed key exchange group for the phase DESCRIPTION Specifies the proposed key exchange group for the phase
1 security association. 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 0 - Not applicable: used for aggressive mode. Consult   VALUE Consult [IKE] for valid values.
[IKE] for other valid values.
                                                              Note: the value of this property is to be ignored when doing
                                                              aggressive mode.
7.2.6. The Property AuthenticationMethod                      7.2.5. The Property AuthenticationMethod
The property AuthenticationMethod specifies the proposed phase 1 The property AuthenticationMethod specifies the proposed phase 1
authentication method. The property is defined as follows: authentication method. The property is defined as follows:
NAME AuthenticationMethod NAME AuthenticationMethod
DESCRIPTION Specifies the proposed authentication method for the DESCRIPTION Specifies the proposed authentication method for the
phase 1 security association. phase 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 0 - a special value that indicates that this particular VALUE 0 - a special value that indicates that this particular
proposal should be repeated once for each proposal should be repeated once for each authentication
authentication method that corresponds to the method that corresponds to the credentials installed on
credentials installed on the machine. For example, if the machine. For example, if the system has a pre-
the system has a pre-shared key and a certificate, a shared key and a certificate, a proposal list could be
proposal list could be constructed which includes a constructed which includes a proposal that specifies
proposal that specifies pre-shared key and proposals pre-shared key and proposals for any of the public-key
for any of the public-key authentication methods. authentication methods.
Consult [IKE] for valid values. Consult [IKE] for valid values.
7.2.7. The Property MaxLifetimeSeconds 7.2.6. The Property MaxLifetimeSeconds
The property MaxLifetimeSeconds specifies the maximum amount of The property MaxLifetimeSeconds specifies the maximum time, in
time, in seconds, to propose that a security association will remain seconds, to propose that a security association will remain valid
valid after its creation. The property is defined as follows: after its creation. The property is defined as follows:
NAME MaxLifetimeSeconds NAME MaxLifetimeSeconds
DESCRIPTION Specifies the maximum amount of time to propose a DESCRIPTION Specifies the maximum time to propose a security
security association remain valid. association remain valid.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that the default of 8 hours VALUE A value of zero indicates that the default of 8 hours be
be used. A non-zero value indicates the maximum used. A non-zero value indicates the maximum seconds
seconds lifetime. lifetime.
7.2.8. The Property MaxLifetimeKilobytes 7.2.7. The Property MaxLifetimeKilobytes
The property MaxLifetimeKilobytes specifies the maximum kilobyte The property MaxLifetimeKilobytes specifies the maximum kilobyte
lifetime to propose that a security association will remain valid lifetime to propose that a security association will remain valid
after its creation. The property is defined as follows: after its creation. The property is defined as follows:
NAME MaxLifetimeKilobytes NAME MaxLifetimeKilobytes
DESCRIPTION Specifies the maximum kilobyte lifetime to propose a DESCRIPTION Specifies the maximum kilobyte lifetime to propose a
security association remain valid. security association remain valid.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there should be no VALUE A value of zero indicates that there should be no
maximum kilobyte lifetime. A non-zero value specifies maximum kilobyte lifetime. A non-zero value specifies
the desired kilobyte lifetime. the desired kilobyte lifetime.
7.2.9. The Property VendorID 7.2.8. The Property VendorID
The property VendorID further qualifies the key exchange group. The The property VendorID further qualifies the key exchange group. The
property is ignored unless the exchange is not in aggressive mode property is ignored unless the exchange is not in aggressive mode and
and the property GroupID is in the vendor-specific range. The the property GroupID is in the vendor-specific range. The property
property is defined as follows: is defined as follows:
NAME VendorID NAME VendorID
DESCRIPTION Specifies the Vendor ID to further qualify the key DESCRIPTION Specifies the Vendor ID to further qualify the key
exchange group. exchange group.
SYNTAX string SYNTAX string
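The phase 1 proposal properties above interact: AuthenticationMethod 0 is a template that must be expanded once per installed credential, a vendor-range GroupId is only meaningful together with a VendorID, both are ignored in aggressive mode, and a zero MaxLifetimeSeconds means the 8 hour default. The following Python is an added example, not code from the draft or from any IKE implementation; the class and function names, and the sample algorithm identifiers, are this example's own assumptions (consult [IKE] Appendix A for the real identifier values).

```python
from dataclasses import dataclass, replace

# Added example, not the draft's own code. Names below are this example's
# assumptions; the semantics come from sections 7.2.4 (GroupId),
# 7.2.5 (AuthenticationMethod), 7.2.6 (MaxLifetimeSeconds) and 7.2.8 (VendorID).

AUTH_ANY = 0                                # 7.2.5: repeat proposal per installed credential
VENDOR_GROUP_RANGE = range(32768, 65536)    # 7.2.4: vendor-specific GroupId range
DEFAULT_LIFETIME_SECONDS = 8 * 60 * 60      # 7.2.6: zero selects the 8 hour default

# AuthenticationMethod values as listed in [IKE] Appendix A.
PRE_SHARED_KEY = 1
RSA_SIGNATURES = 3


@dataclass(frozen=True)
class IKEProposal:
    """The subset of IKEProposal properties this example reasons about."""
    cipher_algorithm: int
    hash_algorithm: int
    group_id: int
    authentication_method: int
    max_lifetime_seconds: int = 0
    vendor_id: str = ""


def effective_lifetime_seconds(proposal):
    """A zero MaxLifetimeSeconds means the default of 8 hours (7.2.6)."""
    return proposal.max_lifetime_seconds or DEFAULT_LIFETIME_SECONDS


def expand_authentication(proposal, installed_credentials):
    """Expand the special AuthenticationMethod value 0 into one proposal per
    authentication method for which a credential is installed (7.2.5).
    installed_credentials lists [IKE] authentication method values in the
    order they should be offered; duplicates are dropped."""
    if proposal.authentication_method != AUTH_ANY:
        return [proposal]
    methods = list(dict.fromkeys(installed_credentials))  # dedupe, keep order
    return [replace(proposal, authentication_method=m) for m in methods]


def validate(proposal, aggressive_mode=False):
    """Return the consistency problems of a proposal about to be offered.
    GroupId and VendorID are ignored in aggressive mode (7.2.4, 7.2.8), so
    the VendorID check only applies to main mode."""
    problems = []
    if proposal.authentication_method == AUTH_ANY:
        problems.append("AuthenticationMethod 0 must be expanded before offering")
    if (not aggressive_mode
            and proposal.group_id in VENDOR_GROUP_RANGE
            and not proposal.vendor_id):
        problems.append("vendor-specific GroupId needs a VendorID to qualify it")
    return problems


def build_offer(template, installed_credentials, aggressive_mode=False):
    """Expand a template into the proposals actually offered, refusing the
    whole offer if any expanded proposal is inconsistent."""
    offered = []
    for candidate in expand_authentication(template, installed_credentials):
        problems = validate(candidate, aggressive_mode)
        if problems:
            raise ValueError(f"{candidate}: {problems}")
        offered.append(candidate)
    return offered


if __name__ == "__main__":
    # Constructed sample: algorithm identifiers are placeholders.
    template = IKEProposal(cipher_algorithm=5, hash_algorithm=2,
                           group_id=2, authentication_method=AUTH_ANY)
    for p in build_offer(template, [PRE_SHARED_KEY, RSA_SIGNATURES]):
        print(p, "lifetime:", effective_lifetime_seconds(p))
```

Expanding before validating matters: a template with AuthenticationMethod 0 is never itself a valid proposal, and the VendorID rule is checked on each concrete proposal only when the exchange is main mode.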
7.3. The Class IPsecProposal 7.3. The Class IPsecProposal
The class IPsecProposal adds no new properties, but inherits The class IPsecProposal adds no new properties, but inherits proposal
proposal properties from SAProposal as well as aggregating the properties from SAProposal as well as aggregating the security
security association transforms necessary for building an IPsec association transforms necessary for building an IPsec proposal (see
proposal (see the aggregation class ContainedTransform). The class the aggregation class ContainedTransform). The class definition for
definition for IPsecProposal is as follows: IPsecProposal is as follows:
NAME IPsecProposal NAME IPsecProposal
DESCRIPTION Specifies the proposal parameters for IPsec security DESCRIPTION Specifies the proposal parameters for IPsec security
association negotiation. association negotiation.
DERIVED FROM SAProposal DERIVED FROM SAProposal
ABSTRACT FALSE ABSTRACT FALSE
7.4. The Abstract Class SATransform 7.4. The Abstract Class SATransform
The abstract class SATransform serves as the base class for the The abstract class SATransform serves as the base class for the IPsec
IPsec transforms that can be used to compose an IPsec proposal or to transforms that can be used to compose an IPsec proposal or to be
be used as a pre-configured action. The class definition for used as a pre-configured action. The class definition for
SATransform is as follows: SATransform is as follows:
NAME SATransform NAME SATransform
DESCRIPTION Base class for the different IPsec transforms. DESCRIPTION Base class for the different IPsec transforms.
ABSTRACT TRUE ABSTRACT TRUE
PROPERTIES TransformName PROPERTIES TransformName
VendorID VendorID
MaxLifetimeSeconds MaxLifetimeSeconds
MaxLifetimeKilobytes MaxLifetimeKilobytes
skipping to change at page 53, line 48 skipping to change at page 47, line 56
SYNTAX string SYNTAX string
7.4.2. The Property VendorID 7.4.2. The Property VendorID
The property VendorID specifies the vendor ID for vendor-defined The property VendorID specifies the vendor ID for vendor-defined
transforms. The property is defined as follows: transforms. The property is defined as follows:
NAME VendorID NAME VendorID
DESCRIPTION Specifies the vendor ID for vendor-defined transforms. DESCRIPTION Specifies the vendor ID for vendor-defined transforms.
SYNTAX string SYNTAX string
VALUE An empty VendorID string indicates that the transform VALUE An empty VendorID string indicates that the transform is
is a standard one. a standard one.
7.4.3. The Property MaxLifetimeSeconds 7.4.3. The Property MaxLifetimeSeconds
The property MaxLifetimeSeconds specifies the maximum amount of The property MaxLifetimeSeconds specifies the maximum time, in
time, in seconds, to propose that a security association will remain seconds, to propose that a security association will remain valid
valid after its creation. The property is defined as follows: after its creation. The property is defined as follows:
NAME MaxLifetimeSeconds NAME MaxLifetimeSeconds
DESCRIPTION Specifies the maximum amount of time to propose a DESCRIPTION Specifies the maximum time to propose a security
security association remain valid. association remain valid.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that the default of 8 hours VALUE A value of zero indicates that the default of 8 hours be
be used. A non-zero value indicates the maximum used. A non-zero value indicates the maximum seconds
seconds lifetime. lifetime.
7.4.4. The Property MaxLifetimeKilobytes 7.4.4. The Property MaxLifetimeKilobytes
The property MaxLifetimeKilobytes specifies the maximum kilobyte The property MaxLifetimeKilobytes specifies the maximum kilobyte
lifetime to propose that a security association will remain valid lifetime to propose that a security association will remain valid
after its creation. The property is defined as follows: after its creation. The property is defined as follows:
NAME MaxLifetimeKilobytes NAME MaxLifetimeKilobytes
DESCRIPTION Specifies the maximum kilobyte lifetime to propose a DESCRIPTION Specifies the maximum kilobyte lifetime to propose a
security association remain valid. security association remain valid.
skipping to change at page 54, line 56 skipping to change at page 48, line 56
DESCRIPTION Specifies the transform ID of the AH algorithm. DESCRIPTION Specifies the transform ID of the AH algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values. VALUE Consult [DOI] for valid values.
7.5.2. The Property UseReplayPrevention 7.5.2. The Property UseReplayPrevention
The property UseReplayPrevention specifies whether replay prevention The property UseReplayPrevention specifies whether replay prevention
detection is to be used. The property is defined as follows: detection is to be used. The property is defined as follows:
NAME UseReplayPrevention NAME UseReplayPrevention
DESCRIPTION Specifies whether to enable replay prevention DESCRIPTION Specifies whether to enable replay prevention detection.
detection.
SYNTAX boolean SYNTAX boolean
VALUE true - replay prevention detection is enabled. VALUE true - replay prevention detection is enabled.
false - replay prevention detection is disabled. false - replay prevention detection is disabled.
7.5.3. The Property ReplayPreventionWindowSize 7.5.3. The Property ReplayPreventionWindowSize
The property ReplayPreventionWindowSize specifies, in bits, the The property ReplayPreventionWindowSize specifies, in bits, the
length of the sliding window used by the replay prevention detection length of the sliding window used by the replay prevention detection
mechanism. The value of this property is meaningless if mechanism. The value of this property is meaningless if
UseReplayPrevention is false. It is assumed that the window size UseReplayPrevention is false. It is assumed that the window size will
will be a power of 2. The property is defined as follows: be a power of 2. The property is defined as follows:
NAME ReplayPreventionWindowSize NAME ReplayPreventionWindowSize
DESCRIPTION Specifies the length of the window used by replay DESCRIPTION Specifies the length of the window used by replay
prevention detection mechanism. prevention detection mechanism.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
7.6. The Class ESPTransform 7.6. The Class ESPTransform
The class ESPTransform specifies the ESP algorithms to propose The class ESPTransform specifies the ESP algorithms to propose during
during IPsec security association negotiation. The class definition IPsec security association negotiation. The class definition for
for ESPTransform is as follows: ESPTransform is as follows:
NAME ESPTransform NAME ESPTransform
DESCRIPTION Specifies the ESP algorithms to propose. DESCRIPTION Specifies the ESP algorithms to propose.
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES IntegrityTransformId PROPERTIES IntegrityTransformId
CipherTransformId CipherTransformId
CipherKeyLength CipherKeyLength
CipherKeyRounds CipherKeyRounds
UseReplayPrevention UseReplayPrevention
ReplayPreventionWindowSize ReplayPreventionWindowSize
skipping to change at page 55, line 53 skipping to change at page 49, line 43
NAME IntegrityTransformId NAME IntegrityTransformId
DESCRIPTION Specifies the transform ID of the ESP integrity DESCRIPTION Specifies the transform ID of the ESP integrity
algorithm. algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values. VALUE Consult [DOI] for valid values.
7.6.2. The Property CipherTransformId 7.6.2. The Property CipherTransformId
The property CipherTransformId specifies the transform ID of the ESP The property CipherTransformId specifies the transform ID of the ESP
encryption algorithm to propose. The property is defined as encryption algorithm to propose. The property is defined as follows:
follows:
NAME CipherTransformId NAME CipherTransformId
DESCRIPTION Specifies the transform ID of the ESP encryption DESCRIPTION Specifies the transform ID of the ESP encryption
algorithm. algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values. VALUE Consult [DOI] for valid values.
7.6.3. The Property CipherKeyLength 7.6.3. The Property CipherKeyLength
The property CipherKeyLength specifies, in bits, the key length for The property CipherKeyLength specifies, in bits, the key length for
the ESP encryption algorithm. For encryption algorithms that use the ESP encryption algorithm. For encryption algorithms that use
fixed-length keys, this value is ignored. The property is defined fixed-length keys, this value is ignored. The property is defined as
as follows: follows:
NAME CipherKeyLength NAME CipherKeyLength
DESCRIPTION Specifies the ESP encryption key length in bits. DESCRIPTION Specifies the ESP encryption key length in bits.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
7.6.4. The Property CipherKeyRounds 7.6.4. The Property CipherKeyRounds
The property CipherKeyRounds specifies the number of key rounds for The property CipherKeyRounds specifies the number of key rounds for
the ESP encryption algorithm. For encryption algorithms that use the ESP encryption algorithm. For encryption algorithms that use
fixed number of key rounds, this value is ignored. The property is fixed number of key rounds, this value is ignored. The property is
defined as follows: defined as follows:
NAME CipherKeyRounds NAME CipherKeyRounds
DESCRIPTION Specifies the number of key rounds for the ESP DESCRIPTION Specifies the number of key rounds for the ESP
encryption algorithm. encryption algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Currently, key rounds are not defined for any ESP VALUE Currently, key rounds are not defined for any ESP
encryption algorithms. encryption algorithms.
7.6.5. The Property UseReplayPrevention 7.6.5. The Property UseReplayPrevention
The property UseReplayPrevention specifies whether replay prevention The property UseReplayPrevention specifies whether replay prevention
detection is to be used. The property is defined as follows: detection is to be used. The property is defined as follows:
NAME UseReplayPrevention NAME UseReplayPrevention
DESCRIPTION Specifies whether to enable replay prevention DESCRIPTION Specifies whether to enable replay prevention detection.
detection.
SYNTAX boolean SYNTAX boolean
VALUE true - replay prevention detection is enabled. VALUE true - replay prevention detection is enabled.
false - replay prevention detection is disabled. false - replay prevention detection is disabled.
7.6.6. The Property ReplayPreventionWindowSize 7.6.6. The Property ReplayPreventionWindowSize
The property ReplayPreventionWindowSize specifies, in bits, the The property ReplayPreventionWindowSize specifies, in bits, the
length of the sliding window used by the replay prevention detection length of the sliding window used by the replay prevention detection
mechanism. The value of this property is meaningless if mechanism. The value of this property is meaningless if
UseReplayPrevention is false. It is assumed that the window size UseReplayPrevention is false. It is assumed that the window size will
will be a power of 2. The property is defined as follows: be a power of 2. The property is defined as follows:
NAME ReplayPreventionWindowSize NAME ReplayPreventionWindowSize
DESCRIPTION Specifies the length of the window used by replay DESCRIPTION Specifies the length of the window used by replay
prevention detection mechanism. prevention detection mechanism.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
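Sections 7.5.3 and 7.6.6 define the same pair of properties for AH and ESP: UseReplayPrevention switches the check on, and ReplayPreventionWindowSize (assumed to be a power of 2) is the width in bits of the sliding window the receiver keeps. The following Python is an added example of the receiver-side mechanism those properties configure; it is not code from the draft or from any IPsec implementation, and the class name, method names and sample sequence numbers are constructed for this illustration.

```python
# Added example: a sliding-window anti-replay check of the kind that
# UseReplayPrevention and ReplayPreventionWindowSize configure.
# Not part of the draft; names are this example's own.

class ReplayWindow:
    """Track received sequence numbers inside a window of `size` bits.

    The window is only consulted when use_replay_prevention is true, and
    size is required to be a power of 2, matching the draft's assumption.
    """

    def __init__(self, size=64, use_replay_prevention=True):
        if use_replay_prevention and (size <= 0 or size & (size - 1)):
            raise ValueError("ReplayPreventionWindowSize must be a power of 2")
        self.size = size
        self.enabled = use_replay_prevention
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set: sequence (highest - i) was seen
        self.mask = (1 << size) - 1

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh.

        Returns False for a replayed sequence number and for one that has
        fallen behind the window (it can no longer be checked, so it is
        rejected). Sequence number 0 is never accepted, as in AH/ESP.
        """
        if not self.enabled:
            return True
        if seq == 0:
            return False
        if seq > self.highest:
            # New high-water mark: slide the window forward.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1   # everything previously seen is now out of window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False          # older than the window
        if self.bitmap & (1 << offset):
            return False          # already seen: replay
        self.bitmap |= 1 << offset
        return True


def demo():
    """Constructed packet arrival order against an 8-bit window."""
    window = ReplayWindow(size=8)
    arrivals = [1, 3, 2, 3, 12, 4, 5, 12, 20]
    return [window.check_and_update(seq) for seq in arrivals]


if __name__ == "__main__":
    print(demo())
```

In the demo, the second 3 and the second 12 are rejected as replays, and 4 is rejected because it arrives after 12 has moved the 8-bit window past it; 5 is still inside the window and is accepted. A larger window tolerates more reordering at the cost of a larger bitmap, which is why the property is a configurable size rather than a fixed constant.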
7.7. The Class IPCOMPTransform 7.7. The Class IPCOMPTransform
The class IPCOMPTransform specifies the IP compression (IPCOMP) The class IPCOMPTransform specifies the IP compression (IPCOMP)
algorithm to propose during IPsec security association negotiation. algorithm to propose during IPsec security association negotiation.
The class definition for IPCOMPTransform is as follows: The class definition for IPCOMPTransform is as follows:
NAME IPCOMPTransform NAME IPCOMPTransform
DESCRIPTION Specifies the IPCOMP algorithm to propose. DESCRIPTION Specifies the IPCOMP algorithm to propose.
skipping to change at page 57, line 37 skipping to change at page 51, line 11
DESCRIPTION Specifies the transform ID of the IPCOMP compression DESCRIPTION Specifies the transform ID of the IPCOMP compression
algorithm. algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - OUI: a vendor specific algorithm is used and VALUE 1 - OUI: a vendor specific algorithm is used and
specified in the property PrivateAlgorithm. Consult specified in the property PrivateAlgorithm. Consult
[DOI] for other valid values. [DOI] for other valid values.
7.7.2. The Property DictionarySize 7.7.2. The Property DictionarySize
The property DictionarySize specifies the log2 maximum size of the The property DictionarySize specifies the log2 maximum size of the
dictionary for the compression algorithm. For compression dictionary for the compression algorithm. For compression algorithms
algorithms that have pre-defined dictionary sizes, this value is that have pre-defined dictionary sizes, this value is ignored. The
ignored. The property is defined as follows: property is defined as follows:
NAME DictionarySize NAME DictionarySize
DESCRIPTION Specifies the log2 maximum size of the dictionary. DESCRIPTION Specifies the log2 maximum size of the dictionary.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
7.7.3. The Property PrivateAlgorithm 7.7.3. The Property PrivateAlgorithm
The property PrivateAlgorithm specifies a private vendor-specific The property PrivateAlgorithm specifies a private vendor-specific
compression algorithm. This value is only used when the property compression algorithm. This value is only used when the property
Algorithm is 1 (OUI). The property is defined as follows: Algorithm is 1 (OUI). The property is defined as follows:
skipping to change at page 58, line 18 skipping to change at page 51, line 46
DESCRIPTION Weakly associates SAProposals with a System. DESCRIPTION Weakly associates SAProposals with a System.
DERIVED FROM PolicyInSystem (see [PCIM]) DERIVED FROM PolicyInSystem (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref System [1..1]] PROPERTIES Antecedent[ref System [1..1]]
Dependent[ref SAProposal[0..n] [weak]] Dependent[ref SAProposal[0..n] [weak]]
7.8.1. The Reference Antecedent 7.8.1. The Reference Antecedent
The property Antecedent is inherited from PolicyInSystem and is The property Antecedent is inherited from PolicyInSystem and is
overridden to refer to a System instance. The [1..1] cardinality overridden to refer to a System instance. The [1..1] cardinality
indicates that an SAProposal instance MUST be associated with one indicates that an SAProposal instance MUST be associated with one and
and only one System instance. only one System instance.
7.8.2. The Reference Dependent 7.8.2. The Reference Dependent
The property Dependent is inherited from PolicyInSystem and is The property Dependent is inherited from PolicyInSystem and is
overridden to refer to an SAProposal instance. The [0..n] overridden to refer to an SAProposal instance. The [0..n]
cardinality indicates that a System instance may be associated with cardinality indicates that a System instance may be associated with
zero or more SAProposal instances. zero or more SAProposal instances.
7.9. The Aggregation Class ContainedTransform 7.9. The Aggregation Class ContainedTransform
The class ContainedTransform associates an IPsecProposal with the The class ContainedTransform associates an IPsecProposal with the set
set of SATransforms that make up the proposal. If multiple of SATransforms that make up the proposal. If multiple transforms of
transforms of the same type are in a proposal, then they are to be the same type are in a proposal, then they are to be logically ORed
logically ORed and the order of preference is dictated by the and the order of preference is dictated by the SequenceNumber
SequenceNumber property. Sets of transforms of different types are property. Sets of transforms of different types are logically ANDed.
logically ANDed. For example, if the ordered proposal list were For example, if the ordered proposal list were
ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) } ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
AH = { MD5, SHA-1 } AH = { MD5, SHA-1 }
then the one sending the proposal would want the other side to pick then the one sending the proposal would want the other side to pick
one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND one
one from the AH transform list (preferably MD5). from the AH transform list (preferably MD5).
The class definition for ContainedTransform is as follows: The class definition for ContainedTransform is as follows:
NAME ContainedTransform NAME ContainedTransform
DESCRIPTION Associates an IPsecProposal with the set of DESCRIPTION Associates an IPsecProposal with the set of SATransforms
SATransforms that make up the proposal. that make up the proposal.
DERIVED FROM PolicyComponent (see [PCIM]) DERIVED FROM PolicyComponent (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent[ref IPsecProposal[0..n]] PROPERTIES GroupComponent[ref IPsecProposal[0..n]]
PartComponent[ref SATransform[1..n]] PartComponent[ref SATransform[1..n]]
SequenceNumber SequenceNumber
7.9.1. The Reference GroupComponent 7.9.1. The Reference GroupComponent
The property GroupComponent is inherited from PolicyComponent and is The property GroupComponent is inherited from PolicyComponent and is
overridden to refer to an IPsecProposal instance. The [0..n] overridden to refer to an IPsecProposal instance. The [0..n]
cardinality indicates that an SATransform instance may be associated cardinality indicates that an SATransform instance may be associated
with zero or more IPsecProposal instances. with zero or more IPsecProposal instances.
7.9.2. The Reference PartComponent 7.9.2. The Reference PartComponent
The property PartComponent is inherited from PolicyComponent and is The property PartComponent is inherited from PolicyComponent and is
overridden to refer to an SATransform instance. The [1..n] overridden to refer to an SATransform instance. The [1..n]
cardinality indicates that an IPsecProposal instance MUST be cardinality indicates that an IPsecProposal instance MUST be
associated with at least one SATransform instance. associated with at least one SATransform instance.
7.9.3. The Property SequenceNumber 7.9.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for The property SequenceNumber specifies the order of preference for the
the SATransforms of the same type. The property is defined as SATransforms of the same type. The property is defined as follows:
follows:
NAME SequenceNumber NAME SequenceNumber
DESCRIPTION Specifies the preference order for the SATransforms of DESCRIPTION Specifies the preference order for the SATransforms of
the same type. the same type.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Lower-valued transforms are preferred over transforms VALUE Lower-valued transforms are preferred over transforms of
of the same type with higher values. For the same type with higher values. For
ContainedTransforms that reference the same ContainedTransforms that reference the same
IPsecProposal, SequenceNumber values must be unique. IPsecProposal, SequenceNumber values must be unique.
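The OR-within-type, AND-across-types rule of section 7.9 and the SequenceNumber ordering and uniqueness rule of 7.9.3 can be made concrete with a small model. The following Python is an added example, not code from the draft or from any implementation of it; it reuses the draft's own ESP/AH example as constructed input, and the class and function names (order_proposal, responder_choice) are this example's assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example modelling ContainedTransform semantics (sections 7.9 and
# 7.9.3). Not part of the draft; names are this example's own.


@dataclass(frozen=True)
class SATransform:
    kind: str    # concrete subclass: "ESP", "AH" or "IPCOMP"
    name: str    # constructed label such as "(HMAC-MD5, 3DES)"


@dataclass(frozen=True)
class ContainedTransform:
    part: SATransform       # PartComponent
    sequence_number: int    # SequenceNumber


def order_proposal(links):
    """Group the ContainedTransforms of one IPsecProposal by transform type
    and order each group by SequenceNumber (lowest value preferred).

    Raises ValueError if two links of the same proposal share a
    SequenceNumber, which 7.9.3 forbids.
    """
    seen = set()
    groups = defaultdict(list)
    for link in links:
        if link.sequence_number in seen:
            raise ValueError(f"duplicate SequenceNumber {link.sequence_number}")
        seen.add(link.sequence_number)
        groups[link.part.kind].append(link)
    return {
        kind: [l.part.name for l in sorted(g, key=lambda l: l.sequence_number)]
        for kind, g in groups.items()
    }


def responder_choice(ordered, supported):
    """Pick one transform per type.

    Alternatives of one type are ORed, so the initiator's most preferred
    transform that the responder supports is taken; types are ANDed, so if
    any type has no acceptable alternative the proposal fails as a whole
    and None is returned.
    """
    choice = {}
    for kind, candidates in ordered.items():
        match = next((c for c in candidates if c in supported.get(kind, ())), None)
        if match is None:
            return None
        choice[kind] = match
    return choice


def example_proposal():
    """The draft's example: ESP = {(HMAC-MD5, 3DES), (HMAC-MD5, DES)},
    AH = {MD5, SHA-1}, entered in arbitrary order to show that
    SequenceNumber, not insertion order, decides preference."""
    links = [
        ContainedTransform(SATransform("ESP", "(HMAC-MD5, DES)"), 2),
        ContainedTransform(SATransform("AH", "SHA-1"), 4),
        ContainedTransform(SATransform("ESP", "(HMAC-MD5, 3DES)"), 1),
        ContainedTransform(SATransform("AH", "MD5"), 3),
    ]
    return order_proposal(links)


if __name__ == "__main__":
    ordered = example_proposal()
    print(ordered)
    print(responder_choice(ordered, {"ESP": {"(HMAC-MD5, DES)"}, "AH": {"MD5", "SHA-1"}}))
```

With the draft's example, a responder that supports only (HMAC-MD5, DES) for ESP still ends up with MD5 for AH, because each type is chosen independently; a responder with no AH support at all gets None, since the AH set is ANDed with the ESP set rather than being optional.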
7.10. The Association Class SATransformInSystem 7.10. The Association Class SATransformInSystem
The class SATransformInSystem weakly associates SATransforms with a The class SATransformInSystem weakly associates SATransforms with a
System. The class definition for SATransformInSystem is as System. The class definition for SATransformInSystem is as
follows: follows:
NAME SATransformInSystem NAME SATransformInSystem
skipping to change at page 62, line 11 skipping to change at page 55, line 5
This portion of the model contains additional information that is This portion of the model contains additional information that is
useful in applying the policy. The IKEService class MAY be used to useful in applying the policy. The IKEService class MAY be used to
represent the IKE negotiation function in a system. The IKEService represent the IKE negotiation function in a system. The IKEService
uses the various tables that contain information about IKE peers as uses the various tables that contain information about IKE peers as
well as the configuration for specifying security associations that well as the configuration for specifying security associations that
are started automatically. The information in the PeerGateway, are started automatically. The information in the PeerGateway,
PeerIdentityTable and related classes is necessary to completely PeerIdentityTable and related classes is necessary to completely
specify the policies. specify the policies.
An interface (represented by an IPProtocolEndpoint) has an An interface (represented by an IPProtocolEndpoint) has an IKEService
IKEService that provides the negotiation services for that that provides the negotiation services for that interface. That
interface. That service MAY also have a list of security service MAY also have a list of security associations automatically
associations for that are automatically started at the time the IKE started at the time the IKE service is initialized.
service is initialized.
The IKEService also has a set of identities that it may use in The IKEService also has a set of identities that it may use in
negotiations with its peers. Those identities are associated with negotiations with its peers. Those identities are associated with
the interfaces (or collections of interfaces). the interfaces (or collections of interfaces).
8.1. The Class IKEService 8.1. The Class IKEService
The class IKEService represents the IKE negotiation function. An The class IKEService represents the IKE negotiation function. An
instance of this service may provide that negotiation service for instance of this service may provide that negotiation service for one
one or more interfaces (represented by the IPProtocolEndpoint class) or more interfaces (represented by the IPProtocolEndpoint class) of a
of a System. There may be multiple instances of IKE services on a System. There may be multiple instances of IKE services on a System
System but only one per interface. The class definition for but only one per interface. The class definition for IKEService is
IKEService is as follows: as follows:
NAME IKEService NAME IKEService
DESCRIPTION IKEService is used to represent the IKE negotiation DESCRIPTION IKEService is used to represent the IKE negotiation
function. function.
DERIVED FROM Service (see [CIMCORE]) DERIVED FROM Service (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
8.2. The Class PeerIdentityTable 8.2. The Class PeerIdentityTable
The class PeerIdentityTable aggregates the table entries that The class PeerIdentityTable aggregates the table entries that provide
provide mappings between identities and their addresses. The class mappings between identities and their addresses. The class
definition for PeerIdentityTable is as follows: definition for PeerIdentityTable is as follows:
NAME PeerIdentityTable NAME PeerIdentityTable
DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry instances
instances to provide a table of identity-address to provide a table of identity-address mappings.
mappings.
DERIVED FROM Collection (see [CIMCORE]) DERIVED FROM Collection (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name PROPERTIES Name
8.3.1. The Property Name 8.3.1. The Property Name
The property Name uniquely identifies the table. The property is The property Name uniquely identifies the table. The property is
defined as follows: defined as follows:
NAME Name NAME Name
DESCRIPTION Name uniquely identifies the table. DESCRIPTION Name uniquely identifies the table.
SYNTAX string SYNTAX string
8.3. The Class PeerIdentityEntry 8.3. The Class PeerIdentityEntry
The class PeerIdentityEntry specifies the mapping between peer The class PeerIdentityEntry specifies the mapping between peer
identity and their address. The class definition for identity and their IP address. The class definition for
PeerIdentityEntry is as follows: PeerIdentityEntry is as follows:
NAME PeerIdentityEntry NAME PeerIdentityEntry
DESCRIPTION PeerIdentityEntry provides a mapping between a peer's DESCRIPTION PeerIdentityEntry provides a mapping between a peer's
identity and address. identity and address.
DERIVED FROM LogicalElement (see [CIMCORE]) DERIVED FROM LogicalElement (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PeerIdentity PROPERTIES PeerIdentity
PeerIdentityType PeerIdentityType
PeerAddress PeerAddress
PeerAddressType PeerAddressType
The pre-shared key to be used with this peer (if applicable) is
contained in an instance of the class SharedSecret (see [CIMUSER]).
The pre-shared key is stored in the property Secret; the property
protocol contains "IKE"; the property algorithm contains the
algorithm used to protect the secret (it can be "PLAINTEXT" if the
IPsec entity has no secret storage); and the value of the property
RemoteID must match the PeerIdentity property of the PeerIdentityEntry
instance describing the IKE peer.
8.3.1. The Property PeerIdentity 8.3.1. The Property PeerIdentity
The property PeerIdentity contains a string encoding of the Identity The property PeerIdentity contains a string encoding of the Identity
payload for the IKE peer. The property is defined as follows: payload for the IKE peer. The property is defined as follows:
NAME PeerIdentity NAME PeerIdentity
DESCRIPTION The PeerIdentity is the ID payload of a peer. DESCRIPTION The PeerIdentity is the ID payload of a peer.
SYNTAX string SYNTAX string
   DESCRIPTION  PeerAddressType is the type of address in PeerAddress.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6
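The PeerIdentityTable lookup that section 8.3 describes, as an added example that is not part of the draft: a table of PeerIdentityEntry instances keyed by PeerAddress, with the PeerAddressType value checked against the address text when an entry is stored, and a check an IKE service can run on the ID payload a peer presents. The PeerIdentityType codes are assumed to be the identity types of [DOI] section 4.6.2.1 (RFC 2407); the addresses are constructed sample data.

```python
"""Added example (not from the draft): a PeerIdentityTable lookup."""
from dataclasses import dataclass, field, replace
import ipaddress

# PeerAddressType enumeration from section 8.3 of the draft.
ADDR_UNKNOWN, ADDR_IPV4, ADDR_IPV6 = 0, 1, 2

# Identity type codes for PeerIdentityType, assumed to be the [DOI]
# section 4.6.2.1 values (RFC 2407); only the ones used here are listed.
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV6_ADDR, ID_DER_ASN1_DN = 1, 2, 3, 5, 9


@dataclass(frozen=True)
class PeerIdentityEntry:
    peer_identity: str        # string encoding of the peer's ID payload
    peer_identity_type: int   # identity type of PeerIdentity
    peer_address: str         # dotted-decimal or colon-hex address text
    peer_address_type: int    # ADDR_UNKNOWN / ADDR_IPV4 / ADDR_IPV6


@dataclass
class PeerIdentityTable:
    name: str                                    # the Name property
    entries: list = field(default_factory=list)  # aggregated via PeerIdentityMember

    def add(self, entry: PeerIdentityEntry) -> PeerIdentityEntry:
        """Store an entry after checking PeerAddressType against the address.

        An Unknown (0) type is filled in from the parsed address; a type
        that contradicts the address text is rejected rather than stored.
        """
        actual = ADDR_IPV4 if ipaddress.ip_address(entry.peer_address).version == 4 else ADDR_IPV6
        if entry.peer_address_type == ADDR_UNKNOWN:
            entry = replace(entry, peer_address_type=actual)
        elif entry.peer_address_type != actual:
            raise ValueError(f"PeerAddressType {entry.peer_address_type} does not match {entry.peer_address}")
        self.entries.append(entry)
        return entry

    def entry_for_address(self, address: str):
        """Return the entry whose PeerAddress equals `address`, or None."""
        wanted = ipaddress.ip_address(address)
        for e in self.entries:
            if ipaddress.ip_address(e.peer_address) == wanted:
                return e
        return None

    def address_for_identity(self, identity_type: int, identity: str):
        """Reverse lookup: the PeerAddress configured for an identity, or None."""
        for e in self.entries:
            if e.peer_identity_type == identity_type and e.peer_identity == identity:
                return e.peer_address
        return None


def peer_identity_is_expected(table: PeerIdentityTable, peer_address: str,
                              received_type: int, received_identity: str) -> bool:
    """True only when the ID payload received from `peer_address` is the one
    the table maps to that address (same type and same value).

    An unknown address or a mismatch yields False, so the caller can abort
    the phase 1 exchange instead of continuing with a peer it cannot tie to
    a configured identity (and therefore to a configured credential).
    """
    entry = table.entry_for_address(peer_address)
    if entry is None:
        return False
    return (entry.peer_identity_type == received_type
            and entry.peer_identity == received_identity)


def sample_table() -> PeerIdentityTable:
    """Constructed sample data (RFC 5737 / RFC 3849 documentation addresses)."""
    table = PeerIdentityTable(name="branch-peers")
    table.add(PeerIdentityEntry("gw1.example.net", ID_FQDN, "192.0.2.10", ADDR_IPV4))
    table.add(PeerIdentityEntry("gw2.example.net", ID_FQDN, "2001:db8::10", ADDR_UNKNOWN))
    table.add(PeerIdentityEntry("203.0.113.7", ID_IPV4_ADDR, "203.0.113.7", ADDR_IPV4))
    return table


if __name__ == "__main__":
    t = sample_table()
    print(t.entry_for_address("2001:db8::10"))
    print(peer_identity_is_expected(t, "192.0.2.10", ID_FQDN, "gw1.example.net"))
```

Comparing parsed addresses rather than strings makes the lookup insensitive to textual variants of the same IPv6 address; refusing to store an entry whose PeerAddressType contradicts the address keeps the table from silently holding a mapping that no lookup can match.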
8.4. The Class AutostartIKEConfiguration

The class AutostartIKEConfiguration groups AutostartIKESetting
instances into configuration sets. When applied, the settings cause
an IKE service to automatically start (negotiate or statically set as
appropriate) the Security Associations. The class definition for
AutostartIKEConfiguration is as follows:

   NAME         AutostartIKEConfiguration
   DESCRIPTION  A configuration set of AutostartIKESetting instances to
                be automatically started by the IKE service.
   DERIVED FROM SystemConfiguration (see [CIMCORE])
   ABSTRACT     FALSE

8.5. The Class AutostartIKESetting
   PROPERTIES   Phase1Only
                AddressType
                SourceAddress
                SourcePort
                DestinationAddress
                DestinationPort
                Protocol

8.5.1. The Property Phase1Only

The property Phase1Only is used to limit the IKE negotiation to
phase 1 SA establishment only. When set to False, both phase 1 and
phase 2 SAs are negotiated. The property is defined as follows:

   NAME         Phase1Only
   DESCRIPTION  Used to indicate which security associations to attempt
                to establish (phase 1 only, or phase 1 and 2).
   SYNTAX       boolean
   VALUE        true - attempt to establish a phase 1 security
                association
                false - attempt to establish phase 1 and phase 2
                security associations

8.5.2. The Property AddressType

The property AddressType specifies the type of the addresses in the
SourceAddress and DestinationAddress properties. The property is
defined as follows:

   NAME         AddressType
   DESCRIPTION  AddressType is the type of address in SourceAddress and
                DestinationAddress properties.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6

8.5.3. The Property SourceAddress

The property SourceAddress specifies the dotted-decimal or colon-
decimal formatted IP address used as the source address in comparing
with policy filter entries and used in any phase 2 negotiations. The
property is defined as follows:

   NAME         SourceAddress
   DESCRIPTION  The source address to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort

The property SourcePort specifies the port number used as the source
port in comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:

   NAME         SourcePort
   DESCRIPTION  The source port to compare with the filters to determine
                the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.5. The Property DestinationAddress

The property DestinationAddress specifies the dotted-decimal or
colon-decimal formatted IP address used as the destination address in
comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:

   NAME         DestinationAddress
   DESCRIPTION  The destination address to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort
destination port in comparing with policy filter entries and used in
any phase 2 negotiations. The property is defined as follows:

   NAME         DestinationPort
   DESCRIPTION  The destination port to compare with the filters to
                determine the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.7. The Property Protocol

The property Protocol specifies the protocol number used in comparing
with policy filter entries and used in any phase 2 negotiations. The
property is defined as follows:

   NAME         Protocol
   DESCRIPTION  The protocol number used in comparing with policy filter
                entries.
   SYNTAX       unsigned 8-bit integer
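The AutostartIKESetting properties of sections 8.5.1 to 8.5.7 taken together, as an added example that is not part of the draft: a consistency check on a setting before an IKE service applies it, and the derivation of the selector it would compare with its policy filter entries and carry into a phase 2 negotiation. The draft only gives the value ranges; the checks that both addresses must be of the same family, that AddressType must agree with the address text, and that port numbers are only meaningful for TCP (6) and UDP (17) are assumptions of this example, as is the convention that port 0 means "any port". The sample settings are constructed.

```python
"""Added example (not from the draft): validating an AutostartIKESetting
and deriving the selector it implies."""
from dataclasses import dataclass
import ipaddress

# AddressType enumeration from section 8.5.2 of the draft.
ADDR_UNKNOWN, ADDR_IPV4, ADDR_IPV6 = 0, 1, 2
# IANA protocol numbers of the transports that carry port numbers
# (assumption of this example; the draft only says Protocol is 8-bit).
PROTO_TCP, PROTO_UDP = 6, 17
PORTED_PROTOCOLS = {PROTO_TCP, PROTO_UDP}
ANY_PORT = 0   # convention of this example: 0 means "any port"


@dataclass(frozen=True)
class AutostartIKESetting:
    phase1_only: bool
    address_type: int
    source_address: str
    source_port: int
    destination_address: str
    destination_port: int
    protocol: int


def _family(text: str) -> int:
    """AddressType value implied by the address text (raises on junk)."""
    return ADDR_IPV4 if ipaddress.ip_address(text).version == 4 else ADDR_IPV6


def validate(s: AutostartIKESetting) -> list:
    """Return a list of problems; an empty list means the setting is consistent."""
    problems = []
    try:
        src_fam, dst_fam = _family(s.source_address), _family(s.destination_address)
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    if src_fam != dst_fam:
        problems.append("SourceAddress and DestinationAddress are of different families")
    if s.address_type not in (ADDR_UNKNOWN, ADDR_IPV4, ADDR_IPV6):
        problems.append(f"AddressType {s.address_type} is not a defined value")
    elif s.address_type != ADDR_UNKNOWN and s.address_type != src_fam:
        problems.append(f"AddressType {s.address_type} contradicts the address text")
    for name, port in (("SourcePort", s.source_port), ("DestinationPort", s.destination_port)):
        if not 0 <= port <= 0xFFFF:
            problems.append(f"{name} {port} is outside the unsigned 16-bit range")
    if not 0 <= s.protocol <= 0xFF:
        problems.append(f"Protocol {s.protocol} is outside the unsigned 8-bit range")
    elif s.protocol not in PORTED_PROTOCOLS and (s.source_port != ANY_PORT
                                                 or s.destination_port != ANY_PORT):
        problems.append(f"ports given for protocol {s.protocol}, which carries no port numbers")
    return problems


def phase2_selector(s: AutostartIKESetting):
    """Return (src, sport, dst, dport, proto) to compare with the policy
    filter entries and propose in phase 2, or None when Phase1Only is set
    (only the phase 1 SA is established). Raises ValueError when the
    setting fails validation, so a bad setting is never applied."""
    problems = validate(s)
    if problems:
        raise ValueError("; ".join(problems))
    if s.phase1_only:
        return None
    return (ipaddress.ip_address(s.source_address), s.source_port,
            ipaddress.ip_address(s.destination_address), s.destination_port,
            s.protocol)


# Constructed sample settings (documentation addresses).
SITE_TO_SITE = AutostartIKESetting(False, ADDR_IPV4, "192.0.2.1", ANY_PORT,
                                   "198.51.100.1", ANY_PORT, PROTO_UDP)
PHASE1_ONLY = AutostartIKESetting(True, ADDR_UNKNOWN, "2001:db8::1", ANY_PORT,
                                  "2001:db8::2", ANY_PORT, 0)
MISCONFIGURED = AutostartIKESetting(False, ADDR_IPV6, "192.0.2.1", 443,
                                    "198.51.100.1", ANY_PORT, 50)

if __name__ == "__main__":
    print(phase2_selector(SITE_TO_SITE))
    print(phase2_selector(PHASE1_ONLY))
    print(validate(MISCONFIGURED))
```

Rejecting a setting up front matters because a setting that is applied with a wrong AddressType or with ports on a port-less protocol either never matches a filter entry (so the intended SA is never started) or matches a different one than the operator expected.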
8.6. The Class IKEIdentity

The class IKEIdentity is used to represent the identities that may be
used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints)
to identify the IKE Service in IKE phase 1 negotiations. The policy
IKEAction.UseIKEIdentityType specifies which type of the available
identities to use in a negotiation exchange and the
IKERule.IdentityContexts specifies the match values to be used, along
with the local address, in selecting the appropriate identity for a
negotiation. The ElementID property value (defined in the parent
class, UsersAccess) should be that of either the IPProtocolEndpoint
or Collection of endpoints as appropriate. The class definition for
IKEIdentity is as follows:

   NAME         IKEIdentity
   DESCRIPTION  IKEIdentity is used to represent the identities that may
                be used for an IPProtocolEndpoint (or collection of
                IPProtocolEndpoints) to identify the IKE Service in IKE
                phase 1 negotiations.
   DERIVED FROM UsersAccess (see [CIMUSER])
   ABSTRACT     FALSE
   PROPERTIES   IdentityType
                IdentityValue
                IdentityContexts

8.6.1. The Property IdentityType
of the IdentityValue. The property is defined as follows:

   NAME         IdentityType
   DESCRIPTION  IdentityType is the type of the IdentityValue.
   SYNTAX       unsigned 8-bit integer
   VALUE        The enumeration values are specified in [DOI] section
                4.6.2.1.

8.6.2. The Property IdentityValue

The property IdentityValue contains a string encoding of the Identity
payload. For IKEIdentity instances that are address types (i.e. IPv4
or IPv6 addresses), the IdentityValue string value MAY be omitted;
then the associated IPProtocolEndpoint (or appropriate member of the
Collection of endpoints) is used as the identity value. The property
is defined as follows:

   NAME         IdentityValue
   DESCRIPTION  IdentityValue contains a string encoding of the Identity
                payload.
   SYNTAX       string

8.6.3. The Property IdentityContexts

The IdentityContexts property is used to constrain the use of
IKEIdentity instances to match that specified in the
IKERule.IdentityContexts. The IdentityContexts are formatted as
policy roles and role combinations [PCIM] & [PCIMe]. Each value
represents one context or context combination. Since this is a
multi-valued property, more than one context or combination of
contexts can be associated with a single IKEIdentity. Each value is
a string of the form:

   <ContextName>[&&<ContextName>]*

where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). If one or more
values in the IKERule.IdentityContexts array match one or more
IKEIdentity.IdentityContexts then the identity's context matches.
(That is, each value of the IdentityContext array is an ORed
condition.) In combination with the address of the
IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
exactly one IKEIdentity. The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  The IKE service of a security endpoint may have multiple
                identities for use in different situations. The
                combination of the interface (represented by
                the IPProtocolEndpoint), the identity type (as specified
                in the IKEAction) and the IdentityContexts selects a
                unique identity.
   SYNTAX       string array
   VALUE        string of the form <ContextName>[&&<ContextName>]*
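The identity selection that sections 8.6.2 and 8.6.3 describe, as an added example that is not part of the draft: the endpoint address, IKEAction.UseIKEIdentityType and IKERule.IdentityContexts together pick one IKEIdentity, context values are compared after being put into the canonical `<ContextName>[&&<ContextName>]*` form, and an omitted IdentityValue on an address-type identity is filled from the endpoint address. The identity type codes are assumed to be those of [DOI] section 4.6.2.1 (RFC 2407); the endpoint and its identities are constructed sample data.

```python
"""Added example (not from the draft): choosing the local IKEIdentity for a
phase 1 negotiation."""
from dataclasses import dataclass, field
from typing import Optional

# Identity type codes assumed from [DOI] section 4.6.2.1 (RFC 2407); subset.
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV6_ADDR, ID_DER_ASN1_DN = 1, 2, 3, 5, 9
ADDRESS_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR}


def canonical_context(value: str) -> str:
    """Normalise a context combination to <ContextName>[&&<ContextName>]*
    with the names in alphabetical order. Python orders str by code point,
    which for BMP characters is the UCS-2 collating order the draft names."""
    names = [n.strip() for n in value.split("&&") if n.strip()]
    if not names:
        raise ValueError(f"empty context value: {value!r}")
    return "&&".join(sorted(set(names)))


@dataclass(frozen=True)
class IKEIdentity:
    identity_type: int
    identity_value: Optional[str]   # MAY be omitted for address types
    identity_contexts: tuple        # the IdentityContexts string array


@dataclass
class IPProtocolEndpoint:
    address: str
    identities: list = field(default_factory=list)  # via EndpointHasLocalIKEIdentity


def contexts_match(rule_contexts, identity_contexts) -> bool:
    """ORed match: true when any IKERule.IdentityContexts value equals any
    IKEIdentity.IdentityContexts value, compared in canonical form."""
    wanted = {canonical_context(v) for v in rule_contexts}
    have = {canonical_context(v) for v in identity_contexts}
    return bool(wanted & have)


def select_identity(endpoint: IPProtocolEndpoint, use_identity_type: int, rule_contexts):
    """Return (IdentityType, IdentityValue) of the single matching identity.

    Raises LookupError when zero or more than one identity matches: the
    draft says there SHOULD be exactly one, and silently taking the first
    would present an identity (and credential) the policy did not intend.
    """
    matches = [i for i in endpoint.identities
               if i.identity_type == use_identity_type
               and contexts_match(rule_contexts, i.identity_contexts)]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} IKEIdentity instances match on "
                          f"{endpoint.address} for type {use_identity_type} "
                          f"and contexts {list(rule_contexts)}")
    ident = matches[0]
    value = ident.identity_value
    if value is None:
        if ident.identity_type not in ADDRESS_TYPES:
            raise ValueError("IdentityValue may only be omitted for address identity types")
        value = endpoint.address   # section 8.6.2: the endpoint address stands in
    return ident.identity_type, value


def sample_endpoint() -> IPProtocolEndpoint:
    """Constructed sample: one interface with four local identities."""
    ep = IPProtocolEndpoint(address="192.0.2.1")
    ep.identities += [
        IKEIdentity(ID_FQDN, "gw.example.net", ("Branch", "Branch&&Partner")),
        IKEIdentity(ID_FQDN, "partner-gw.example.net", ("Partner",)),
        IKEIdentity(ID_USER_FQDN, "admin@example.net", ("Branch",)),
        IKEIdentity(ID_IPV4_ADDR, None, ("Branch", "Partner")),
    ]
    return ep


if __name__ == "__main__":
    ep = sample_endpoint()
    print(select_identity(ep, ID_FQDN, ["Partner&&Branch"]))
    print(select_identity(ep, ID_IPV4_ADDR, ["Partner"]))
```

Canonicalising both sides before comparison means a rule written as "Partner&&Branch" still matches an identity stored in the required "Branch&&Partner" order, while a rule naming two single contexts that both match FQDN identities is reported as ambiguous instead of being resolved by list order.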
8.7. The Association Class HostedPeerIdentityTable

The class HostedPeerIdentityTable provides the name scoping
relationship for PeerIdentityTable entries in a System. The
PeerIdentityTable is weak to the System. The class definition for
HostedPeerIdentityTable is as follows:
8.7.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerIdentityTable instance MUST be associated in a
weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to a PeerIdentityTable instance. The [0..n] cardinality
indicates that a System instance may be associated with zero or more
PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

The class PeerIdentityMember aggregates PeerIdentityEntry instances
into a PeerIdentityTable. This is a weak aggregation. The class
definition for PeerIdentityMember is as follows:

   NAME         PeerIdentityMember
   DESCRIPTION  PeerIdentityMember aggregates PeerIdentityEntry
                instances into a PeerIdentityTable.
8.9.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates
that a PeerGateway instance may be associated with zero or more
IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

The class IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it uses to map
between addresses and identities as required. The class definition
for IKEServicePeerIdentityTable is as follows:

   NAME         IKEServicePeerIdentityTable
   DESCRIPTION  IKEServicePeerIdentityTable provides the relationship
                between an IKEService and a PeerIdentityTable that it
                uses.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerIdentityTable[0..n]]
                Dependent [ref IKEService[0..n]]
8.10.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerIdentityTable instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates
that a PeerIdentityTable instance may be associated with zero or more
IKEService instances.

8.11. The Association Class IKEAutostartSetting

The class IKEAutostartSetting associates an AutostartIKESetting with
an IKEService that may use it to automatically start an IKE
negotiation or create a static SA. The class definition for
IKEAutostartSetting is as follows:

   NAME         IKEAutostartSetting
   DESCRIPTION  Associates an AutostartIKESetting with an IKEService.
   DERIVED FROM SystemSettingContext (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Context [ref AutostartIKEConfiguration [0..n]]
                Setting [ref AutostartIKESetting [0..n]]
                SequenceNumber

8.12.1. The Reference Context

The property Context is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an AutostartIKESetting instance may
be associated with zero or more AutostartIKEConfiguration instances
(i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

The property Setting is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKESetting instance. The [0..n]
cardinality indicates that an AutostartIKEConfiguration instance may
be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber
   SYNTAX       unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

The class IKEServiceForEndpoint provides the association showing
which IKE service, if any, provides IKE negotiation services for
which network interfaces. The class definition for
IKEServiceForEndpoint is as follows:

   NAME         IKEServiceForEndpoint
   DESCRIPTION  Associates an IPProtocolEndpoint with an IKEService that
                provides negotiation services for the endpoint.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IKEService[0..1]]
                Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..1]
cardinality indicates that an IPProtocolEndpoint instance MUST be
associated with at most one IKEService instance.

8.13.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IPProtocolEndpoint that is associated with at most one
IKEService. The [0..n] cardinality indicates that an IKEService
instance may be associated with zero or more IPProtocolEndpoint
instances.

8.14. The Association Class IKEAutostartConfiguration

The class IKEAutostartConfiguration provides the relationship between
an IKEService and a configuration set that it uses to automatically
start a set of SAs. The class definition for
IKEAutostartConfiguration is as follows:

   NAME         IKEAutostartConfiguration
   DESCRIPTION  IKEAutostartConfiguration provides the relationship
                between an IKEService and an AutostartIKEConfiguration
                that it uses to automatically start a set of SAs.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref AutostartIKEConfiguration [0..n]]
                Dependent [ref IKEService [0..n]]
8.14.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an IKEService instance may be
associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates
that an AutostartIKEConfiguration instance may be associated with
zero or more IKEService instances.

8.14.3. The Property Active

The property Active indicates whether the AutostartIKEConfiguration
set is currently active for the associated IKEService. That is, at
boot time, the active configuration is used to automatically start
IKE negotiations and create static SAs. The property is defined as
follows:

   NAME         Active
   DESCRIPTION  Active indicates whether the AutostartIKEConfiguration
                set is currently active for the associated IKEService.
   SYNTAX       boolean
   VALUE        true - AutostartIKEConfiguration is currently active for
                associated IKEService.
                false - AutostartIKEConfiguration is currently inactive
                for associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

The class IKEUsesCredentialManagementService defines the set of
CredentialManagementService(s) that are trusted sources of
credentials for IKE phase 1 negotiations. The class definition for
IKEUsesCredentialManagementService is as follows:
   NAME         IKEUsesCredentialManagementService
   DESCRIPTION  Associates the set of CredentialManagementService(s)
                that are trusted by the IKEService as sources of
                credentials used in IKE phase 1 negotiations.
   DERIVED FROM Dependency (see [CIMCORE])
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref CredentialManagementService [0..n]]
                Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an IKEService instance may be
associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates
that a CredentialManagementService instance may be associated with
zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

The class EndpointHasLocalIKEIdentity associates an
IPProtocolEndpoint with a set of IKEIdentity instances that may be
used in negotiating security associations on the endpoint. An
IKEIdentity MUST be associated with either an IPProtocolEndpoint
using this association or with a collection of IKEIdentity instances
using the CollectionHasLocalIKEIdentity association. The class
definition for EndpointHasLocalIKEIdentity is as follows:
skipping to change at page 74, line 17 skipping to change at page 65, line 38
IPProtocolEndpoint with a set of IKEIdentity instances. IPProtocolEndpoint with a set of IKEIdentity instances.
DERIVED FROM ElementAsUser (see [CIMUSER]) DERIVED FROM ElementAsUser (see [CIMUSER])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]] PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]]
Dependent [ref IKEIdentity [0..n]] Dependent [ref IKEIdentity [0..n]]
8.16.1. The Reference Antecedent 8.16.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is The property Antecedent is inherited from ElementAsUser and is
overridden to refer to an IPProtocolEndpoint instance. The [0..1] overridden to refer to an IPProtocolEndpoint instance. The [0..1]
cardinality indicates that an IKEIdentity instance MUST be cardinality indicates that an IKEIdentity instance MUST be associated
associated with at most one IPProtocolEndpoint instance. with at most one IPProtocolEndpoint instance.
8.16.2. The Reference Dependent 8.16.2. The Reference Dependent
The property Dependent is inherited from ElementAsUser and is The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n] overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that an IPProtocolEndpoint instance may be cardinality indicates that an IPProtocolEndpoint instance may be
associated with zero or more IKEIdentity instances. associated with zero or more IKEIdentity instances.
8.17. The Association Class CollectionHasLocalIKEIdentity 8.17. The Association Class CollectionHasLocalIKEIdentity
The class CollectionHasLocalIKEIdentity associates a Collection of The class CollectionHasLocalIKEIdentity associates a Collection of
IPProtocolEndpoint instances with a set of IKEIdentity instances IPProtocolEndpoint instances with a set of IKEIdentity instances that
that may be used in negotiating SAs for endpoints in the collection. may be used in negotiating SAs for endpoints in the collection. An
An IKEIdentity MUST be associated with either an IPProtocolEndpoint IKEIdentity MUST be associated with either an IPProtocolEndpoint
using the EndpointHasLocalIKEIdentity association or with a using the EndpointHasLocalIKEIdentity association or with a
collection of IKEIdentity instances using this association. The collection of IKEIdentity instances using this association. The
class definition for CollectionHasLocalIKEIdentity is as follows: class definition for CollectionHasLocalIKEIdentity is as follows:
NAME CollectionHasLocalIKEIdentity NAME CollectionHasLocalIKEIdentity
DESCRIPTION CollectionHasLocalIKEIdentity associates a collection DESCRIPTION CollectionHasLocalIKEIdentity associates a collection of
of IPProtocolEndpoint instances with a set of IPProtocolEndpoint instances with a set of IKEIdentity
IKEIdentity instances. instances.
DERIVED FROM ElementAsUser (see [CIMUSER]) DERIVED FROM ElementAsUser (see [CIMUSER])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref Collection [0..1]] PROPERTIES Antecedent [ref Collection [0..1]]
Dependent [ref IKEIdentity [0..n]] Dependent [ref IKEIdentity [0..n]]
8.17.1. The Reference Antecedent 8.17.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is The property Antecedent is inherited from ElementAsUser and is
overridden to refer to a Collection instance. The [0..1] overridden to refer to a Collection instance. The [0..1] cardinality
cardinality indicates that an IKEIdentity instance MUST be indicates that an IKEIdentity instance MUST be associated with at
associated with at most one Collection instance. most one Collection instance.
8.17.2. The Reference Dependent 8.17.2. The Reference Dependent
The property Dependent is inherited from ElementAsUser and is The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n] overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that a Collection instance may be associated cardinality indicates that a Collection instance may be associated
with zero or more IKEIdentity instances. with zero or more IKEIdentity instances.
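The constraints in 8.16 and 8.17 are easy to state and easy to get wrong when a policy repository is populated by hand: every IKEIdentity MUST hang off an IPProtocolEndpoint or a Collection, and the [0..1] on the Antecedent side means it may hang off at most one of each. The following validator, an added example written for this page and not code from the draft, the DMTF CIM schema or any IPsec implementation, models the two association classes as plain instance records and reports each violated cardinality. The instance names ("eth0", "ike-id-gw1", "branch-endpoints") are constructed sample data.

```python
"""Cardinality checks for EndpointHasLocalIKEIdentity (8.16) and
CollectionHasLocalIKEIdentity (8.17).

Added illustration written for this page; it is not code from the draft,
from the DMTF CIM schema, or from any IPsec implementation. Instance
names such as "eth0" and "ike-id-gw1" are constructed sample data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Association:
    """One association instance: Antecedent -> Dependent (an IKEIdentity)."""
    antecedent: str  # IPProtocolEndpoint or Collection instance name
    dependent: str   # IKEIdentity instance name


@dataclass
class IKEIdentityModel:
    """The IKEIdentity instances of a system plus the two associations."""
    identities: set[str]
    # EndpointHasLocalIKEIdentity: Antecedent [ref IPProtocolEndpoint [0..1]]
    endpoint_links: list[Association] = field(default_factory=list)
    # CollectionHasLocalIKEIdentity: Antecedent [ref Collection [0..1]]
    collection_links: list[Association] = field(default_factory=list)


def validate(model: IKEIdentityModel) -> list[str]:
    """Return one message per violated constraint; an empty list means the
    instance data conforms to 8.16 and 8.17."""
    problems: list[str] = []
    # How many antecedents each IKEIdentity is bound to, per association.
    # A duplicated association instance counts twice, which is itself a defect.
    ep_count = Counter(a.dependent for a in model.endpoint_links)
    col_count = Counter(a.dependent for a in model.collection_links)

    for ident in sorted(model.identities):
        # 8.16.1: at most one IPProtocolEndpoint per IKEIdentity.
        if ep_count[ident] > 1:
            problems.append(
                f"{ident}: bound to {ep_count[ident]} IPProtocolEndpoint "
                "instances (Antecedent is [0..1])")
        # 8.17.1: at most one Collection per IKEIdentity.
        if col_count[ident] > 1:
            problems.append(
                f"{ident}: bound to {col_count[ident]} Collection "
                "instances (Antecedent is [0..1])")
        # 8.16/8.17: an IKEIdentity MUST be reachable through one of the two
        # associations. The [0..n] on the Dependent side puts no lower bound
        # on how many identities an endpoint or collection carries.
        if ep_count[ident] == 0 and col_count[ident] == 0:
            problems.append(
                f"{ident}: not associated with any IPProtocolEndpoint or Collection")

    # Dangling references: an association pointing at an unknown IKEIdentity.
    for assoc in model.endpoint_links + model.collection_links:
        if assoc.dependent not in model.identities:
            problems.append(
                f"{assoc.dependent}: referenced by an association but is not "
                "a known IKEIdentity")
    return problems


def sample_model() -> IKEIdentityModel:
    """Constructed sample data: two conforming identities and three defects."""
    return IKEIdentityModel(
        identities={"ike-id-gw1", "ike-id-gw2", "ike-id-orphan", "ike-id-double"},
        endpoint_links=[
            Association("eth0", "ike-id-gw1"),      # fine: exactly one endpoint
            Association("eth1", "ike-id-double"),   # violation: two endpoints
            Association("eth2", "ike-id-double"),
            Association("eth3", "ike-id-unknown"),  # violation: dangling reference
        ],
        collection_links=[
            Association("branch-endpoints", "ike-id-gw2"),  # fine: one collection
        ],
    )


if __name__ == "__main__":
    for line in validate(sample_model()):
        print(line)
```

Run against the constructed sample the validator reports three defects: the identity bound to two endpoints, the identity bound to nothing, and the association whose Dependent names an IKEIdentity that does not exist. Running such a check when policy is loaded, rather than when IKE first tries to pick an identity for a peer, turns a silent misconfiguration into an error at provisioning time.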
8.18. The Association Class IKEIdentitysCredential
The class IKEIdentitysCredential is an association that relates a set
of credentials to their corresponding local IKE Identities. The
class definition for IKEIdentitysCredential is as follows:
NAME IKEIdentitysCredential
DESCRIPTION IKEIdentitysCredential associates a set of credentials
to their corresponding local IKEIdentity.
DERIVED FROM UsersCredential (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent [ref Credential [0..n]]
Dependent [ref IKEIdentity [0..n]]
8.18.1. The Reference Antecedent
The property Antecedent is inherited from UsersCredential and is
overridden to refer to a Credential instance. The [0..n] cardinality
indicates that an IKEIdentity instance may be associated with zero or
more Credential instances.
8.18.2. The Reference Dependent
The property Dependent is inherited from UsersCredential and is
overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that a Credential instance may be associated
with zero or more IKEIdentity instances.
9. Implementation Requirements
The following table specifies which classes, properties, associations
and aggregations MUST or SHOULD or MAY be implemented.
4. Policy Classes
4.1. The Class IPsecPolicyGroup................................MUST
4.2. The Class SARule..........................................MUST
4.2.1. The Property PolicyRuleName..............................MAY
4.2.1. The Property Enabled....................................MUST
4.2.1. The Property ConditionListType..........................MUST
4.2.1. The Property RuleUsage...................................MAY
4.2.1. The Property Mandatory...................................MAY
4.2.1. The Property SequencedActions...........................MUST
4.2.1. The Property PolicyRoles.................................MAY
4.2.1. The Property PolicyDecisionStrategy......................MAY
4.2.2 The Property ExecutionStrategy..........................MUST
4.2.3 The Property LimitNegotiation............................MAY
4.3. The Class IKERule.........................................MUST
4.3.1. The Property IdentityContexts............................MAY
4.4. The Class IPsecRule.......................................MUST
4.5. The Association Class IPsecPolicyForEndpoint...............MAY
4.5.1. The Reference Antecedent................................MUST
4.5.2. The Reference Dependent.................................MUST
4.6. The Association Class IPsecPolicyForSystem.................MAY
4.6.1. The Reference Antecedent................................MUST
4.6.2. The Reference Dependent.................................MUST
4.7. The Aggregation Class SARuleInPolicyGroup.................MUST
4.7.1. The Property Priority.................................SHOULD
4.7.2. The Reference GroupComponent............................MUST
4.7.3. The Reference PartComponent.............................MUST
4.8. The Aggregation Class SAConditionInRule...................MUST
4.8.1. The Property GroupNumber..............................SHOULD
4.8.1. The Property ConditionNegated.........................SHOULD
4.8.2. The Reference GroupComponent............................MUST
4.8.3. The Reference PartComponent.............................MUST
4.9. The Aggregation Class PolicyActionInSARule................MUST
4.9.1. The Reference GroupComponent............................MUST
4.9.2. The Reference PartComponent.............................MUST
4.9.3. The Property ActionOrder..............................SHOULD
5. Condition and Filter Classes
5.1. The Class SACondition.....................................MUST
5.2. The Class IPHeadersFilter...............................SHOULD
5.3. The Class CredentialFilterEntry............................MAY
5.3.1. The Property MatchFieldName.............................MUST
5.3.2. The Property MatchFieldValue............................MUST
5.3.3. The Property CredentialType.............................MUST
5.4. The Class IPSOFilterEntry..................................MAY
5.4.1. The Property MatchConditionType.........................MUST
5.4.2. The Property MatchConditionValue........................MUST
5.5. The Class PeerIDPayloadFilterEntry.........................MAY
5.5.1. The Property MatchIdentityType..........................MUST
5.5.2. The Property MatchIdentityValue.........................MUST
skipping to change at page 77, line 11 (-04) / page 68, line 4 (-05)
6.5. The Class IKERejectAction..................................MAY
6.6. The Class PreconfiguredSAAction...........................MUST
6.6.1. The Property LifetimeKilobytes..........................MUST
6.7. The Class PreconfiguredTransportAction....................MUST
6.8. The Class PreconfiguredTunnelAction.......................MUST
6.8.1. The Property DFHandling.................................MUST
6.9. The Class SANegotiationAction.............................MUST
6.10. The Class IKENegotiationAction...........................MUST
6.10.1. The Property MinLifetimeSeconds.........................MAY
6.10.2. The Property MinLifetimeKilobytes.......................MAY
6.10.3. The Property IdleDurationSeconds........................MAY
6.11. The Class IPsecAction....................................MUST
6.11.1. The Property UsePFS....................................MUST
6.11.2. The Property UseIKEGroup................................MAY
6.11.3. The Property GroupId...................................MUST
6.11.4. The Property Granularity.............................SHOULD
6.11.5. The Property VendorID...................................MAY
6.12. The Class IPsecTransportAction...........................MUST
6.13. The Class IPsecTunnelAction..............................MUST
6.13.1. The Property DFHandling................................MUST
6.14. The Class IKEAction......................................MUST
6.14.1. The Property ExchangeMode..............................MUST
6.14.2. The Property UseIKEIdentityType........................MUST
6.14.3. The Property VendorID...................................MAY
6.14.4. The Property AggressiveModeGroupId......................MAY
6.15. The Class PeerGateway....................................MUST
6.15.1. The Property Name....................................SHOULD
6.15.2. The Property PeerIdentityType..........................MUST
6.15.3. The Property PeerIdentity..............................MUST
6.16. The Association Class PeerGatewayForTunnel...............MUST
6.16.1. The Reference Antecedent...............................MUST
6.16.2. The Reference Dependent................................MUST
6.16.3. The Property SequenceNumber..........................SHOULD
6.17. The Aggregation Class ContainedProposal..................MUST
6.17.1. The Reference GroupComponent...........................MUST
skipping to change at page 77, line 56 (-04) / page 68, line 46 (-05)
6.19.2. The Reference Dependent................................MUST
6.19.3. The Property SPI.......................................MUST
6.19.4. The Property Direction.................................MUST
6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
6.20.1. The Reference Antecedent...............................MUST
6.20.2. The Reference Dependent................................MUST
7. Proposal and Transform Classes
7.1. The Abstract Class SAProposal.............................MUST
7.1.1. The Property Name.....................................SHOULD
7.2. The Class IKEProposal.....................................MUST
7.2.1. The Property CipherAlgorithm............................MUST
7.2.2. The Property HashAlgorithm..............................MUST
7.2.3. The Property PRFAlgorithm................................MAY
7.2.4. The Property GroupId....................................MUST
7.2.5. The Property AuthenticationMethod.......................MUST
7.2.6. The Property MaxLifetimeSeconds.........................MUST
7.2.7. The Property MaxLifetimeKilobytes.......................MUST
7.2.8. The Property VendorID....................................MAY
7.3. The Class IPsecProposal...................................MUST
7.4. The Abstract Class SATransform............................MUST
7.4.1. The Property TransformName............................SHOULD
7.4.2. The Property VendorID....................................MAY
7.4.3. The Property MaxLifetimeSeconds.........................MUST
7.4.4. The Property MaxLifetimeKilobytes.......................MUST
7.5. The Class AHTransform.....................................MUST
7.5.1. The Property AHTransformId..............................MUST
7.5.2. The Property UseReplayPrevention.........................MAY
7.5.3. The Property ReplayPreventionWindowSize..................MAY
skipping to change at page 80, line 21 (-04) / page 70, line 45 (-05)
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.
Copies of claims of rights made available for publication and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
12. Acknowledgments
The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
Vic Lortz, William Dixon, Man Li and Ricky Charlet for their
contributions to this IPsec policy model.
Additionally, this draft would not have been possible without the
preceding IPsec schema drafts. For that, thanks go out to Rob Adams,
Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan.
13. References
[IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)",
RFC 2409, November 1998.
[COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP
Payload Compression Protocol (IPComp)", RFC 2393, August 1998.
[ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload
(ESP)", RFC 2406, November 1998.
[AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402,
November 1998.
[PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core
Information Model -- Version 1 Specification", RFC 3060, February
2001.
[PCIME] Moore, B., Rafalow, L., Ramberg, Y., Snir, Y., Westerinen,
A., Chadha, R., Brunner, M., Cohen, R. and Strassner, J., "Policy
Core Information Model Extensions", draft-ietf-policy-pcim-ext-05.txt,
October 2001. Internet-Draft work in progress.
skipping to change at page 81, line 32 (-04) / page 71, line 46 (-05)
January 2000. Internet-Draft work in progress.
[COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie,
F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000.
Internet-Draft work in progress.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[IPSO] Kent, S., "U.S. Department of Defense Security Options for the
Internet Protocol", RFC 1108, November 1991.
[IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[DMTF] Distributed Management Task Force, http://www.dmtf.org/
[CIMCORE] DMTF Common Information Model - Core Model v2.5,
http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25.mof and
http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25_Add.mof
skipping to change at page 82, line 35 (-04) / page 72, line 40 (-05)
E-mail: evyncke@cisco.com
16. Full Copyright Statement
Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.