draft-ietf-ipsp-config-policy-model-05.txt   draft-ietf-ipsp-config-policy-model-06.txt 
Internet Engineering Task Force                              Jamie Jason
INTERNET DRAFT                                         Intel Corporation
August-2002                                                  Lee Rafalow
                                                                     IBM
                                                             Eric Vyncke
                                                           Cisco Systems

                    IPsec Configuration Policy Model
              draft-ietf-ipsp-config-policy-model-06.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months

   skipping to change at page 2, line 7

   protocols could be easily added to the information model by a simple
   extension. Other extensions can further be added easily due to the
   object-oriented nature of the model.

   This information model is based upon the core policy classes as
   defined in the Policy Core Information Model (PCIM) [PCIM] and on
   the Policy Core Information Model Extensions (PCIMe) [PCIME].

Table of Contents
   Status of this Memo
   Abstract
   Table of Contents
   1. Introduction
   2. UML Conventions
   3. IPsec Policy Model Inheritance Hierarchy
   4. Policy Classes
   4.1. The Class IPsecPolicyGroup
   4.2. The Class SARule
   4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
          RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
          PolicyDecisionStrategy
   4.2.2. The Property ExecutionStrategy
   4.2.3. The Property LimitNegotiation
   4.3. The Class IKERule
   4.3.1. The Property IdentityContexts
   4.4. The Class IPsecRule
   4.5. The Association Class IPsecPolicyForEndpoint
   4.5.1. The Reference Antecedent
   4.5.2. The Reference Dependent
   4.6. The Association Class IPsecPolicyForSystem
   4.6.1. The Reference Antecedent
   4.6.2. The Reference Dependent
   4.7. The Aggregation Class SARuleInPolicyGroup
   4.7.1. The Property Priority
   4.7.2. The Reference GroupComponent
   4.7.3. The Reference PartComponent
   4.8. The Aggregation Class SAConditionInRule
   4.8.1. The Properties GroupNumber and ConditionNegated
   4.8.2. The Reference GroupComponent
   4.8.3. The Reference PartComponent
   4.9. The Aggregation Class PolicyActionInSARule
   4.9.1. The Reference GroupComponent
   4.9.2. The Reference PartComponent
   4.9.3. The Property ActionOrder
   5. Condition and Filter Classes
   5.1. The Class SACondition
   5.2. The Class IPHeadersFilter
   5.3. The Class CredentialFilterEntry
   5.3.1. The Property MatchFieldName
   5.3.2. The Property MatchFieldValue
   5.3.3. The Property CredentialType
   5.4. The Class IPSOFilterEntry
   5.4.1. The Property MatchConditionType
   5.4.2. The Property MatchConditionValue
   5.5. The Class PeerIDPayloadFilterEntry
   5.5.1. The Property MatchIdentityType
   5.5.2. The Property MatchIdentityValue
   5.6. The Association Class FilterOfSACondition
   5.6.1. The Reference Antecedent
   5.6.2. The Reference Dependent
   5.7. The Association Class AcceptCredentialFrom
   5.7.1. The Reference Antecedent
   5.7.2. The Reference Dependent
   6. Action Classes
   6.1. The Class SAAction
   6.1.1. The Property DoActionLogging
   6.1.2. The Property DoPacketLogging
   6.2. The Class SAStaticAction
   6.2.1. The Property LifetimeSeconds
   6.3. The Class IPsecBypassAction
   6.4. The Class IPsecDiscardAction
   6.5. The Class IKERejectAction
   6.6. The Class PreconfiguredSAAction
   6.6.1. The Property LifetimeKilobytes
   6.7. The Class PreconfiguredTransportAction
   6.8. The Class PreconfiguredTunnelAction
   6.8.1. The Property DFHandling
   6.9. The Class SANegotiationAction
   6.10. The Class IKENegotiationAction
   6.10.1. The Property MinLifetimeSeconds
   6.10.2. The Property MinLifetimeKilobytes
   6.10.3. The Property IdleDurationSeconds
   6.11. The Class IPsecAction
   6.11.1. The Property UsePFS
   6.11.2. The Property UseIKEGroup
   6.11.3. The Property GroupId
   6.11.4. The Property Granularity
   6.11.5. The Property VendorID
   6.12. The Class IPsecTransportAction
   6.13. The Class IPsecTunnelAction
   6.13.1. The Property DFHandling
   6.14. The Class IKEAction
   6.14.1. The Property ExchangeMode
   6.14.2. The Property UseIKEIdentityType
   6.14.3. The Property VendorID
   6.14.4. The Property AggressiveModeGroupId
   6.15. The Class PeerGateway
   6.15.1. The Property Name
   6.15.2. The Property PeerIdentityType
   6.15.3. The Property PeerIdentity
   6.16. The Association Class PeerGatewayForTunnel
   6.16.1. The Reference Antecedent
   6.16.2. The Reference Dependent
   6.16.3. The Property SequenceNumber
   6.17. The Aggregation Class ContainedProposal
   6.17.1. The Reference GroupComponent
   6.17.2. The Reference PartComponent
   6.17.3. The Property SequenceNumber
   6.18. The Association Class HostedPeerGatewayInformation
   6.18.1. The Reference Antecedent
   6.18.2. The Reference Dependent
   6.19. The Association Class TransformOfPreconfiguredAction
   6.19.1. The Reference Antecedent
   6.19.2. The Reference Dependent
   6.19.3. The Property SPI
   6.19.4. The Property Direction
   6.20. The Association Class PeerGatewayForPreconfiguredTunnel
   6.20.1. The Reference Antecedent
   6.20.2. The Reference Dependent
   7. Proposal and Transform Classes
   7.1. The Abstract Class SAProposal
   7.1.1. The Property Name
   7.2. The Class IKEProposal
   7.2.1. The Property CipherAlgorithm
   7.2.2. The Property HashAlgorithm
   7.2.3. The Property PRFAlgorithm
   7.2.4. The Property GroupId
   7.2.5. The Property AuthenticationMethod
   7.2.6. The Property MaxLifetimeSeconds
   7.2.7. The Property MaxLifetimeKilobytes
   7.2.8. The Property VendorID
   7.3. The Class IPsecProposal
   7.4. The Abstract Class SATransform
   7.4.1. The Property CommonName
   7.4.2. The Property VendorID
   7.4.3. The Property MaxLifetimeSeconds
   7.4.4. The Property MaxLifetimeKilobytes
   7.5. The Class AHTransform
   7.5.1. The Property AHTransformId
   7.5.2. The Property UseReplayPrevention
   7.5.3. The Property ReplayPreventionWindowSize
   7.6. The Class ESPTransform
   7.6.1. The Property IntegrityTransformId
   7.6.2. The Property CipherTransformId
   7.6.3. The Property CipherKeyLength
   7.6.4. The Property CipherKeyRounds
   7.6.5. The Property UseReplayPrevention
   7.6.6. The Property ReplayPreventionWindowSize
   7.7. The Class IPCOMPTransform
   7.7.1. The Property Algorithm
   7.7.2. The Property DictionarySize
   7.7.3. The Property PrivateAlgorithm
   7.8. The Association Class SAProposalInSystem
   7.8.1. The Reference Antecedent
   7.8.2. The Reference Dependent
   7.9. The Aggregation Class ContainedTransform
   7.9.1. The Reference GroupComponent
   7.9.2. The Reference PartComponent
   7.9.3. The Property SequenceNumber
   7.10. The Association Class SATransformInSystem
   7.10.1. The Reference Antecedent
   7.10.2. The Reference Dependent
   8. IKE Service and Identity Classes
   8.1. The Class IKEService
   8.2. The Class PeerIdentityTable
   8.2.1. The Property Name
   8.3. The Class PeerIdentityEntry
   8.3.1. The Property PeerIdentity
   8.3.2. The Property PeerIdentityType
   8.3.3. The Property PeerAddress
   8.3.4. The Property PeerAddressType
   8.4. The Class AutostartIKEConfiguration
   8.5. The Class AutostartIKESetting
   8.5.1. The Property Phase1Only
   8.5.2. The Property AddressType
   8.5.3. The Property SourceAddress
   8.5.4. The Property SourcePort
   8.5.5. The Property DestinationAddress
   8.5.6. The Property DestinationPort
   8.5.7. The Property Protocol
   8.6. The Class IKEIdentity
   8.6.1. The Property IdentityType
   8.6.2. The Property IdentityValue
   8.6.3. The Property IdentityContexts
   8.7. The Association Class HostedPeerIdentityTable
   8.7.1. The Reference Antecedent
   8.7.2. The Reference Dependent
   8.8. The Aggregation Class PeerIdentityMember
   8.8.1. The Reference Collection
   8.8.2. The Reference Member
   8.9. The Association Class IKEServicePeerGateway
   8.9.1. The Reference Antecedent
   8.9.2. The Reference Dependent
   8.10. The Association Class IKEServicePeerIdentityTable
   8.10.1. The Reference Antecedent
   8.10.2. The Reference Dependent
   8.11. The Association Class IKEAutostartSetting
   8.11.1. The Reference Element
   8.11.2. The Reference Setting
   8.12. The Aggregation Class AutostartIKESettingContext
   8.12.1. The Reference Context
   8.12.2. The Reference Setting
   8.12.3. The Property SequenceNumber
   8.13. The Association Class IKEServiceForEndpoint
   8.13.1. The Reference Antecedent
   8.13.2. The Reference Dependent
   8.14. The Association Class IKEAutostartConfiguration
   8.14.1. The Reference Antecedent
   8.14.2. The Reference Dependent
   8.14.3. The Property Active
   8.15. The Association Class IKEUsesCredentialManagementService
   8.15.1. The Reference Antecedent
   8.15.2. The Reference Dependent
   8.16. The Association Class EndpointHasLocalIKEIdentity
   8.16.1. The Reference Antecedent
   8.16.2. The Reference Dependent
   8.17. The Association Class CollectionHasLocalIKEIdentity
   8.17.1. The Reference Antecedent
   8.17.2. The Reference Dependent
   8.18. The Association Class IKEIdentitysCredential
   8.18.1. The Reference Antecedent
   8.18.2. The Reference Dependent
   9. Implementation Requirements
   10. Security Considerations
   11. Intellectual Property
   12. Acknowledgments
   13. References
   14. Disclaimer
   15. Authors' Addresses
   16. Full Copyright Statement
1. Introduction 1. Introduction
IP security (IPsec) policy may assume a variety of forms as it IP security (IPsec) policy may assume a variety of forms as it
travels from storage to distribution point to decision point. At travels from storage to distribution point to decision point. At
each step, it needs to be represented in a way that is convenient for each step, it needs to be represented in a way that is convenient for
the current task. For example, the policy could exist as, but is not the current task. For example, the policy could exist as, but is not
limited to: limited to:
o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
skipping to change at page 13, line 56 skipping to change at page 12, line 55
The class IPsecPolicyGroup serves as a container of either other The class IPsecPolicyGroup serves as a container of either other
IPsecPolicyGroups or a set of SARules. The class definition for IPsecPolicyGroups or a set of SARules. The class definition for
IPsecPolicyGroup is as follows: IPsecPolicyGroup is as follows:
NAME IPsecPolicyGroup NAME IPsecPolicyGroup
DESCRIPTION Either a set of IPsecPolicyGroups or a set of SARules. DESCRIPTION Either a set of IPsecPolicyGroups or a set of SARules.
DERIVED FROM PolicyGroup (see [PCIM] & [PCIMe]) DERIVED FROM PolicyGroup (see [PCIM] & [PCIMe])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyGroupName (from PolicyGroup) PROPERTIES PolicyGroupName (from PolicyGroup)
PolicyDescisionStrategy (from PolicySet) PolicyDecisionStrategy (from PolicySet)
PolicyRoles (from PolicySet)
NOTE: for derivations of the schema that are used for policy NOTE: for derivations of the schema that are used for policy
distribution to an IPsec device (for example, COPS-PR), the server distribution to an IPsec device (for example, COPS-PR), the server
may follow all of PolicySetComponent associations and create one may follow all of PolicySetComponent associations and create one
policy group which is simply a set of all of the IKE rules and a set policy group which is simply a set of all of the IKE rules and a set
of all of the IPsec rules. See the section on the of all of the IPsec rules. See the section on the
PolicySetComponent aggregation for information on merging multiple PolicySetComponent aggregation for information on merging multiple
IPsecPolicyGroups. IPsecPolicyGroups.
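Review bot: the NOTE after the IPsecPolicyGroup definition describes collapsing all nested groups into one flat group of IKE rules and one of IPsec rules, but the PROPERTIES list just above now gives each group its own PolicyDecisionStrategy and PolicyRoles; say what the flattening does when nested groups carry different decision strategies or roles, or state explicitly that the PolicySetComponent section covers that case. Minor: "follow all of PolicySetComponent associations" should read "follow all of the PolicySetComponent associations".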
4.2. The Class SARule 4.2. The Class SARule
skipping to change at page 14, line 31 skipping to change at page 13, line 29
DESCRIPTION A base class for IKERule and IPsecRule. DESCRIPTION A base class for IKERule and IPsecRule.
DERIVED FROM PolicyRule (see [PCIM] & [PCIMe]) DERIVED FROM PolicyRule (see [PCIM] & [PCIMe])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyRuleName (from PolicyRule) PROPERTIES PolicyRuleName (from PolicyRule)
Enabled (from PolicyRule) Enabled (from PolicyRule)
ConditionListType (from PolicyRule) ConditionListType (from PolicyRule)
RuleUsage (from PolicyRule) RuleUsage (from PolicyRule)
Mandatory (from PolicyRule) Mandatory (from PolicyRule)
SequencedActions (from PolicyRule) SequencedActions (from PolicyRule)
ExecutionStrategy (from PolicyRule) ExecutionStrategy (from PolicyRule)
PolicyRoles (from PolicyRule) PolicyRoles (from PolicySet)
PolicyDecisionStrategy (from PolicySet) PolicyDecisionStrategy (from PolicySet)
LimitNegotiation LimitNegotiation
4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
RuleUsage, Mandatory, SequencedActions, PolicyRoles, and RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
PolicyDecisionStrategy PolicyDecisionStrategy
For a description of these properties, see [PCIM] and [PCIME]. For a description of these properties, see [PCIM] and [PCIME].
In SARule subclass instances: In SARule subclass instances:
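Review bot: the 4.2.1 heading lists the inherited properties but omits ExecutionStrategy, which appears in the SARule PROPERTIES list directly above it; either add it to the heading or give it its own subsection. Also, SARule is described as "A base class for IKERule and IPsecRule" yet is declared ABSTRACT FALSE; if a bare SARule instance is never meaningful (the partitioning note in 4.7 only recognises IKERule and IPsecRule instances), mark it ABSTRACT TRUE, as this revision does for IPsecAction and PreconfiguredSAAction.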
skipping to change at page 19, line 24 skipping to change at page 18, line 17
The class SARuleInPolicyGroup associates a SARule with the The class SARuleInPolicyGroup associates a SARule with the
IPsecPolicyGroup that contains it. The class definition for IPsecPolicyGroup that contains it. The class definition for
SARuleInPolicyGroup is as follows: SARuleInPolicyGroup is as follows:
NAME SARuleInPolicyGroup NAME SARuleInPolicyGroup
DESCRIPTION Associates a SARule with the IPsecPolicyGroup that DESCRIPTION Associates a SARule with the IPsecPolicyGroup that
contains it. contains it.
DERIVED FROM PolicySetComponent (see [PCIME]) DERIVED FROM PolicySetComponent (see [PCIME])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Priority (from PolicySetComponent) PROPERTIES Priority (from PolicySetComponent)
GroupComponent [ref IPsecPolicyGroup [1..1]] GroupComponent [ref IPsecPolicyGroup [0..n]]
PartComponent [ref SARule [0..n]] PartComponent [ref SARule [0..n]]
Note: an implementation can easily partition the set of SARules Note: an implementation can easily partition the set of SARules
aggregated by a SARuleInPolicyGroup instance into one IKERule aggregated by a SARuleInPolicyGroup instance into one IKERule
instances subset and into one IPsecRule instances subset based on the instances subset and into one IPsecRule instances subset based on the
class type of the component instances (being either IKERule or class type of the component instances (being either IKERule or
IPsecRule instances). IPsecRule instances).
4.7.1. The Property Priority 4.7.1. The Property Priority
For a description of this property, see [PCIME]. For a description of this property, see [PCIME].
4.7.2. The Reference GroupComponent 4.7.2. The Reference GroupComponent
The property GroupComponent is inherited from PolicyRuleInPolicyGroup The property GroupComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IPsecPolicyGroup instance. The and is overridden to refer to an IPsecPolicyGroup instance. The
[1..1] cardinality indicates that a SARule instance may be contained [0..n] cardinality indicates that a SARule instance may be shared
in one and only one IPsecPolicyGroup instance (i.e., SARules are not across multiple IPsecPolicyGroups).
shared across IPsecPolicyGroups).
4.7.3. The Reference PartComponent 4.7.3. The Reference PartComponent
The property PartComponent is inherited from PolicyRuleInPolicyGroup The property PartComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to a SARule instance. The [0..n] and is overridden to refer to a SARule instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may contain cardinality indicates that an IPsecPolicyGroup instance may contain
zero or more SARule instances. zero or more SARule instances.
4.8. The Aggregation Class SAConditionInRule 4.8. The Aggregation Class SAConditionInRule
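Review bot: 4.7.2 and 4.7.3 say GroupComponent and PartComponent are "inherited from PolicyRuleInPolicyGroup", but the class is DERIVED FROM PolicySetComponent; the two should agree. On the cardinality change, [0..n] on GroupComponent now also permits an SARule contained in no IPsecPolicyGroup at all; if an unattached rule is never evaluated, say so, or use [1..n]. Since one SARule can now sit in several groups, it is worth stating that Priority is a property of each aggregation instance, so the same rule can be ordered differently per group. The new 4.7.2 sentence also ends with a stray ")".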
skipping to change at page 22, line 62 skipping to change at page 21, line 62
associate various types of filters with policy rules via the associate various types of filters with policy rules via the
FilterOfSACondition association. It also defines whether Credentials FilterOfSACondition association. It also defines whether Credentials
can be accepted for a particular policy rule via the can be accepted for a particular policy rule via the
AcceptCredentialsFrom association. AcceptCredentialsFrom association.
Associated objects represent components of the condition that may or Associated objects represent components of the condition that may or
may not apply at a given rule evaluation. For example, an may not apply at a given rule evaluation. For example, an
AcceptCredentialsFrom evaluation is only performed when a credential AcceptCredentialsFrom evaluation is only performed when a credential
is available to be evaluated against the list of trusted credential is available to be evaluated against the list of trusted credential
management services. Similarly, a PeerIDPayloadFilterEntry may only management services. Similarly, a PeerIDPayloadFilterEntry may only
be evaluated when an IDPayload value is available to compared with be evaluated when an IDPayload value is available to compare with the
the filter. Condition components that do not have corresponding filter. Condition components that do not have corresponding values
values with which to evaluate are evaluated as TRUE unless the with which to evaluate are evaluated as TRUE unless the protocol has
protocol has completed without providing the required information. completed without providing the required information.
The class definition for SACondition is as follows: The class definition for SACondition is as follows:
NAME SACondition NAME SACondition
DESCRIPTION Defines the preconditions for IKE and IPsec DESCRIPTION Defines the preconditions for IKE and IPsec
negotiations. negotiations.
DERIVED FROM PolicyCondition (see [PCIM]) DERIVED FROM PolicyCondition (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyConditionName (from PolicyCondition) PROPERTIES PolicyConditionName (from PolicyCondition)
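Review bot: the paragraph on condition components that "do not have corresponding values" evaluates them as TRUE until the protocol completes, which is fail-open for the interval in between; make explicit that this TRUE is provisional and that the rule outcome (in particular AcceptCredentialsFrom and PeerIDPayloadFilterEntry) is re-evaluated when the credential or ID payload arrives and again at completion, so a missing credential never leaves a rule matched. Also "may only be evaluated" is ambiguous between permission and possibility; "can only be evaluated" is the intended sense.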
skipping to change at page 24, line 6 skipping to change at page 22, line 64
The property MatchFieldName specifies the sub-part of the credential The property MatchFieldName specifies the sub-part of the credential
to match against MatchFieldValue. The property is defined as to match against MatchFieldValue. The property is defined as
follows: follows:
NAME MatchFieldName NAME MatchFieldName
DESCRIPTION Specifies which sub-part of the credential to match. DESCRIPTION Specifies which sub-part of the credential to match.
SYNTAX string SYNTAX string
VALUE This is the string representation of a X.509 certificate VALUE This is the string representation of a X.509 certificate
attribute, e.g.: attribute, e.g.:
- ˘serialNumber÷ - "serialNumber"
- ˘signatureAlgorithm÷ - "signatureAlgorithm"
- ˘issuerName÷ - "issuerName"
- ˘subjectName÷ - "subjectName"
- ˘subjectAltName÷ - "subjectAltName"
- Ó - ...
5.3.2. The Property MatchFieldValue 5.3.2. The Property MatchFieldValue
The property MatchFieldValue specifies the value to compare with the The property MatchFieldValue specifies the value to compare with the
MatchFieldName in a credential to determine if the credential matches MatchFieldName in a credential to determine if the credential matches
this filter entry. The property is defined as follows: this filter entry. The property is defined as follows:
NAME MatchFieldValue NAME MatchFieldValue
DESCRIPTION Specifies the value to be matched by the MatchFieldName. DESCRIPTION Specifies the value to be matched by the MatchFieldName.
SYNTAX string SYNTAX string
VALUE NB: If the CredentialFilterEntry corresponds to a VALUE NB: If the CredentialFilterEntry corresponds to a
DistinguishedName, this value in the CIM class is DistinguishedName, this value in the CIM class is
represented by an ordinary string value. However, an represented by an ordinary string value. However, an
implementation must convert this string to a DER-encoded implementation must convert this string to a DER-encoded
string before matching against the values extracted from string before matching against the values extracted from
credentials at runtime. credentials at runtime.
A wildcard mechanism can be used in the MatchFieldValue string. E.g., A wildcard mechanism can be used in the MatchFieldValue string. E.g.,
if the MatchFieldName is ˘subjectName÷ then a MatchFieldValue of if the MatchFieldName is "subjectName" then a MatchFieldValue of
˘cn=*,ou=engineering,o=foo,c=be÷ will match successfully a "cn=*,ou=engineering,o=foo,c=be" will match successfully a
certificate whose subject attribute is ˘cn=Jane certificate whose subject attribute is "cn=Jane
Doe,ou=engineering,o=foo,c=be÷. The wildcard character Š*Ă can be Doe,ou=engineering,o=foo,c=be". The wildcard character '*' can be
used to represent 0 or several characters. used to represent 0 or several characters.
5.3.3. The Property CredentialType 5.3.3. The Property CredentialType
The property CredentialType specifies the particular type of The property CredentialType specifies the particular type of
credential that is being matched. The property is defined as credential that is being matched. The property is defined as
follows: follows:
NAME CredentialType NAME CredentialType
DESCRIPTION Defines the type of IKE credentials. DESCRIPTION Defines the type of IKE credentials.
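Review bot: 5.3.2 requires a DistinguishedName MatchFieldValue to be converted to a DER-encoded string before matching, but then specifies wildcard matching with '*' on a textual DN ("cn=*,ou=engineering,o=foo,c=be"); a wildcard cannot survive DER encoding, so the comparison must be defined on the decoded attribute values (per RDN, with the case and whitespace rules stated), or the DER requirement must be limited to entries without wildcards. Also say whether '*' may match across RDN separators (can "cn=*,o=foo" match "cn=x,ou=y,o=foo"?); otherwise the match can be broader than the policy author intended. The MatchFieldName value list ends in "...", so the set of accepted attribute names is open-ended; point to the normative source of those names.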
skipping to change at page 25, line 29 skipping to change at page 24, line 24
5.4.2. The Property MatchConditionValue 5.4.2. The Property MatchConditionValue
The property MatchConditionValue specifies the value of the IPSO The property MatchConditionValue specifies the value of the IPSO
header field to be matched against. The property is defined as header field to be matched against. The property is defined as
follows: follows:
NAME MatchConditionValue NAME MatchConditionValue
DESCRIPTION Specifies the value of the IPSO header field to be DESCRIPTION Specifies the value of the IPSO header field to be
matched against. matched against.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE For ClassificationLevel, the values are: VALUE The values MUST be one of values listed in RFC 1108 (or
any further IANA Assigned Numbers document). Some
examples for ClassificationLevel are:
61 - TopSecret 61 - TopSecret
90 - Secret 90 - Secret
150 - Confidential 150 - Confidential
171 - Unclassified 171 - Unclassified
For ProtectionAuthority, the values are: For ProtectionAuthority, some examples are:
0 - GENSER 0 - GENSER
1 - SIOP-ESI 1 - SIOP-ESI
2 - SCI 2 - SCI
3 - NSA 3 - NSA
4 - DOE 4 - DOE
5.5. The Class PeerIDPayloadFilterEntry 5.5. The Class PeerIDPayloadFilterEntry
The class PeerIDPayloadFilterEntry defines filters used to match ID The class PeerIDPayloadFilterEntry defines filters used to match ID
payload values from the IKE protocol exchange. payload values from the IKE protocol exchange.
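Review bot: MatchConditionValue is declared "unsigned 16-bit integer" while every example value fits in one octet and RFC 1108, which the VALUE text now cites as normative, encodes the classification level in a single octet; either use unsigned 8-bit integer (as Direction does in 6.19) or say why 16 bits are needed. Also "one of values listed" should read "one of the values listed", and "any further IANA Assigned Numbers document" is vague; name the registry.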
skipping to change at page 26, line 4 skipping to change at page 24, line 61
NAME PeerIDPayloadFilterEntry NAME PeerIDPayloadFilterEntry
DESCRIPTION Specifies a match filter based on IKE identity. DESCRIPTION Specifies a match filter based on IKE identity.
DERIVED FROM FilterEntryBase (see [CIMNETWORK]) DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
MatchIdentityType MatchIdentityType
MatchIdentityValue MatchIdentityValue
5.5.1. The Property MatchIdentityType 5.5.1. The Property MatchIdentityType
The property MatchIdentityType specifies the type of identity The property MatchIdentityType specifies the type of identity
provided by the peer in the ID payload." The property is defined as provided by the peer in the ID payload. The property is defined as
follows: follows:
NAME MatchIdentityType NAME MatchIdentityType
DESCRIPTION Specifies the ID payload type. DESCRIPTION Specifies the ID payload type.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address VALUE Consult [DOI] for valid values.
2 - FQDN
3 - User FQDN
4 - IPv4 Subnet
5 - IPv6 Address
6 - IPv6 Subnet
7 - IPv4 Address Range
8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID
5.5.2. The Property MatchIdentityValue 5.5.2. The Property MatchIdentityValue
The property MatchIdentityValue specifies the filter value for The property MatchIdentityValue specifies the filter value for
comparison with the ID payload, e.g., *@company.com. The property is comparison with the ID payload, e.g., "*@company.com". The property
defined as follows: is defined as follows:
NAME MatchIdentityValue NAME MatchIdentityValue
DESCRIPTION Specifies the ID payload value. DESCRIPTION Specifies the ID payload value.
SYNTAX string SYNTAX string
VALUE NB: The syntax may need to be converted for comparison. VALUE NB: The syntax may need to be converted for comparison.
If the PeerIDPayloadFilterEntry type is a If the PeerIDPayloadFilterEntry type is a
DistinguishedName, the name in the MatchIdentityValue DistinguishedName, the name in the MatchIdentityValue
property is represented by an ordinary string value, property is represented by an ordinary string value,
but this value must be converted into a DER-encoded but this value must be converted into a DER-encoded
string before matching against the values extracted string before matching against the values extracted
from IKE ID payloads at runtime. The same applies to from IKE ID payloads at runtime. The same applies to
IPv4 & IPv6 addresses. IPv4 & IPv6 addresses.
Different wildcard mechanisms can be used depending on the ID Different wildcard mechanisms can be used depending on the ID
payload: payload:
- a MatchIdentityValue of "*@company.com" will match a user FQDN ID - a MatchIdentityValue of "*@company.com" will match a user FQDN ID
payload of "JDOE@COMPANY.COM" payload of "JDOE@COMPANY.COM"
- a MatchIdentityValue of "*.company.com" will match a FQDN ID - a MatchIdentityValue of "*.company.com" will match a FQDN ID
payload of ˘WWW.COMPANY.COM" payload of "WWW.COMPANY.COM"
- a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will - a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will
match a DER DN ID payload of ˘cn=John match a DER DN ID payload of "cn=John
Doe,ou=engineering,o=company,c=us" Doe,ou=engineering,o=company,c=us"
- a MatchIdentityValue of "193.190.125.0/24" will match an IPv4 - a MatchIdentityValue of "193.190.125.0/24" will match an IPv4
address ID payload of 193.190.125.10 address ID payload of 193.190.125.10
- a MatchIdentityValue of "193.190.125.*" will also match an IPv4 - a MatchIdentityValue of "193.190.125.*" will also match an IPv4
address ID payload of 193.190.125.10. address ID payload of 193.190.125.10.
The above wildcard mechanisms MUST be supported for all ID payloads The above wildcard mechanisms MUST be supported for all ID payloads
supported by the local IKE entity. The character ˘*÷ replaces 0 or supported by the local IKE entity. The character '*' replaces 0 or
multiple instances of any character. multiple instances of any character.
5.6. The Association Class FilterOfSACondition 5.6. The Association Class FilterOfSACondition
The class FilterOfSACondition associates an SACondition with the The class FilterOfSACondition associates an SACondition with the
filter specifications (FilterList) that make up the condition. The filter specifications (FilterList) that make up the condition. The
class definition for FilterOfSACondition is as follows: class definition for FilterOfSACondition is as follows:
NAME FilterOfSACondition NAME FilterOfSACondition
DESCRIPTION Associates a condition with the filter list that makes DESCRIPTION Associates a condition with the filter list that makes
up the individual condition elements. up the individual condition elements.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref FilterList[1..1]] PROPERTIES Antecedent [ref FilterList[1..1]]
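Review bot: 5.5.1 replaces the enumeration with "Consult [DOI] for valid values", but the examples in 5.5.2 still depend on specific types (user FQDN, FQDN, DER DN, IPv4 address); say that MatchIdentityType carries the DOI ID type codes so the reader knows which table in [DOI] applies. 5.5.2 has the same tension as 5.3.2: the NB requires DN and IP address values to be converted to their binary form before matching, yet the MUST-support wildcards ("cn=*,...", "193.190.125.*") only make sense on the textual form; define the wildcard comparison on the decoded textual form and the exact comparison on the binary form, and note that "193.190.125.*" is a string match (it also matches "193.190.125.100" but not "193.190.12.5") whereas "193.190.125.0/24" is a prefix match.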
skipping to change at page 28, line 10 skipping to change at page 26, line 55
5.7.1. The Reference Antecedent 5.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an SACondition instance may be [0..n] cardinality indicates that an SACondition instance may be
associated with zero or more CredentialManagementService instances. associated with zero or more CredentialManagementService instances.
5.7.2. The Reference Dependent 5.7.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to an SACondition instance. The [0..n] cardinality to refer to a SACondition instance. The [0..n] cardinality indicates
indicates that a CredentialManagementService instance may be that a CredentialManagementService instance may be associated with
associated with zero or more SACondition instances. zero or more SACondition instances.
6. Action Classes 6. Action Classes
The action classes are used to model the different actions an IPsec The action classes are used to model the different actions an IPsec
device may take when the evaluation of the associated condition device may take when the evaluation of the associated condition
results in a match. results in a match.
+----------+ +----------+
| SAAction | | SAAction |
+----------+ +----------+
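Review bot: 5.7.1 allows an SACondition to be associated with zero CredentialManagementService instances, and the SACondition overview earlier on this page says AcceptCredentialsFrom "defines whether Credentials can be accepted"; state which way zero goes (no trusted credential source, so any presented credential is rejected, versus no restriction), since a fail-open reading would accept credentials from any issuer. Minor: 5.7.1 and 5.7.2 both say "associated with zero or more"; the second could simply state that the association is many-to-many.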
skipping to change at page 32, line 50 skipping to change at page 30, line 47
(respectively outbound SA), of the character "/" and of the (respectively outbound SA), of the character "/" and of the
hexadecimal representation of the SPI. hexadecimal representation of the SPI.
Although the class is concrete, it MUST not be instantiated. The Although the class is concrete, it MUST not be instantiated. The
class definition for PreconfiguredSAAction is as follows: class definition for PreconfiguredSAAction is as follows:
NAME PreconfiguredSAAction NAME PreconfiguredSAAction
DESCRIPTION Specifies preconfigured algorithm and keying information DESCRIPTION Specifies preconfigured algorithm and keying information
for creation of a security association. for creation of a security association.
DERIVED FROM SAStaticAction DERIVED FROM SAStaticAction
ABSTRACT FALSE ABSTRACT TRUE
PROPERTIES LifetimeKilobytes PROPERTIES LifetimeKilobytes
6.6.1. The Property LifetimeKilobytes 6.6.1. The Property LifetimeKilobytes
The property LifetimeKilobytes specifies a traffic limit in kilobytes The property LifetimeKilobytes specifies a traffic limit in kilobytes
that can be consumed before the SA is deleted.. The property is that can be consumed before the SA is deleted.. The property is
defined as follows: defined as follows:
NAME LifetimeKilobytes NAME LifetimeKilobytes
DESCRIPTION Specifies the SA lifetime in kilobytes. DESCRIPTION Specifies the SA lifetime in kilobytes.
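Review bot: PreconfiguredSAAction is now declared ABSTRACT TRUE, but the sentence "Although the class is concrete, it MUST not be instantiated" immediately above the definition is still present; delete it, as this revision does for IKENegotiationAction and IPsecAction. Minor: "before the SA is deleted.." has a doubled period.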
skipping to change at page 34, line 21 skipping to change at page 32, line 16
NAME SANegotiationAction NAME SANegotiationAction
DESCRIPTION Specifies a negotiation action . DESCRIPTION Specifies a negotiation action .
DERIVED FROM SAAction DERIVED FROM SAAction
ABSTRACT TRUE ABSTRACT TRUE
6.10. The Class IKENegotiationAction 6.10. The Class IKENegotiationAction
The class IKENegotiationAction is abstract and serves as the base The class IKENegotiationAction is abstract and serves as the base
class for IKE and IPsec actions that result in a IKE negotiation. class for IKE and IPsec actions that result in a IKE negotiation.
Although the class is concrete, is MUST not be instantiated. The The class definition for IKENegotiationAction is as follows:
class definition for IKENegotiationAction is as follows:
NAME IKENegotiationAction NAME IKENegotiationAction
DESCRIPTION A base class for IKE and IPsec actions that specifies DESCRIPTION A base class for IKE and IPsec actions that specifies
the parameters that are common for IKE phase 1 and IKE the parameters that are common for IKE phase 1 and IKE
phase 2 IPsec DOI negotiations. phase 2 IPsec DOI negotiations.
DERIVED FROM SANegotiationAction DERIVED FROM SANegotiationAction
ABSTRACT TRUE ABSTRACT TRUE
PROPERTIES MinLifetimeSeconds PROPERTIES MinLifetimeSeconds
MinLifetimeKilobytes MinLifetimeKilobytes
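Review bot: in the IKENegotiationAction text, "result in a IKE negotiation" should be "an IKE negotiation", and the SANegotiationAction DESCRIPTION "Specifies a negotiation action ." has a space before the period. The PROPERTIES list names MinLifetimeSeconds and MinLifetimeKilobytes; since SATransform in 7.4 carries MaxLifetimeSeconds and MaxLifetimeKilobytes, a sentence on how the minimum on the action and the maximum on the transform combine during negotiation would help.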
skipping to change at page 35, line 29 skipping to change at page 33, line 23
VALUE A value of zero indicates that idle detection should not VALUE A value of zero indicates that idle detection should not
be used for the security association (only the seconds be used for the security association (only the seconds
and kilobyte lifetimes will be used). Any non-zero and kilobyte lifetimes will be used). Any non-zero
value indicates the number of seconds the security value indicates the number of seconds the security
association may remain unused. association may remain unused.
6.11. The Class IPsecAction 6.11. The Class IPsecAction
The class IPsecAction serves as the base class for IPsec transport The class IPsecAction serves as the base class for IPsec transport
and tunnel actions. It specifies the parameters used for an IKE and tunnel actions. It specifies the parameters used for an IKE
phase 2 IPsec DOI negotiation. Although the class is concrete, is phase 2 IPsec DOI negotiation. The class definition for IPsecAction
MUST not be instantiated. The class definition for IPsecAction is as is as follows:
follows:
NAME IPsecAction NAME IPsecAction
DESCRIPTION A base class for IPsec transport and tunnel actions that DESCRIPTION A base class for IPsec transport and tunnel actions that
specifies the parameters for IKE phase 2 IPsec DOI specifies the parameters for IKE phase 2 IPsec DOI
negotiations. negotiations.
DERIVED FROM IKENegotiationAction DERIVED FROM IKENegotiationAction
ABSTRACT FALSE ABSTRACT TRUE
PROPERTIES UsePFS PROPERTIES UsePFS
UseIKEGroup UseIKEGroup
GroupId GroupId
Granularity Granularity
VendorID VendorID
6.11.1. The Property UsePFS 6.11.1. The Property UsePFS
The property UsePFS specifies whether or not perfect forward secrecy The property UsePFS specifies whether or not perfect forward secrecy
should be used when refreshing keys. The property is defined as should be used when refreshing keys. The property is defined as
skipping to change at page 38, line 18 skipping to change at page 36, line 4
6.14.2. The Property UseIKEIdentityType 6.14.2. The Property UseIKEIdentityType
The property UseIKEIdentityType specifies what IKE identity type The property UseIKEIdentityType specifies what IKE identity type
should be used when negotiating with the peer. This information is should be used when negotiating with the peer. This information is
used in conjunction with the IKE identities available on the system used in conjunction with the IKE identities available on the system
and the IdentityContexts of the matching IKERule. The property is and the IdentityContexts of the matching IKERule. The property is
defined as follows: defined as follows:
NAME UseIKEIdentityType NAME UseIKEIdentityType
DESCRIPTION Specifies the IKE identity to use during negotiation. DESCRIPTION Specifies the IKE identity to use during negotiation.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address VALUE Consult [DOI] for valid values.
2 - FQDN
3 - User FQDN
4 - IPv4 Subnet
5 - IPv6 Address
6 - IPv6 Subnet
7 - IPv4 Address Range
8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID
6.14.3. The Property VendorID 6.14.3. The Property VendorID
The property VendorID specifies the value to be used in the Vendor ID The property VendorID specifies the value to be used in the Vendor ID
payload. The property is defined as follows: payload. The property is defined as follows:
NAME VendorID NAME VendorID
DESCRIPTION Vendor ID Payload. DESCRIPTION Vendor ID Payload.
SYNTAX string SYNTAX string
VALUE A value of NULL means that Vendor ID payload will be VALUE A value of NULL means that Vendor ID payload will be
skipping to change at page 39, line 32 skipping to change at page 37, line 8
SYNTAX string SYNTAX string
6.15.2. The Property PeerIdentityType 6.15.2. The Property PeerIdentityType
The property PeerIdentityType specifies the IKE identity type of the The property PeerIdentityType specifies the IKE identity type of the
security gateway. The property is defined as follows: security gateway. The property is defined as follows:
NAME PeerIdentityType NAME PeerIdentityType
DESCRIPTION Specifies the IKE identity type of the security gateway. DESCRIPTION Specifies the IKE identity type of the security gateway.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address VALUE Consult [DOI] for valid values.
2 - FQDN
3 - User FQDN
4 - IPv4 Subnet
5 - IPv6 Address
6 - IPv6 Subnet
7 - IPv4 Address Range
8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID
6.15.3. The Property PeerIdentity 6.15.3. The Property PeerIdentity
The property PeerIdentity specifies the IKE identity value of the The property PeerIdentity specifies the IKE identity value of the
security gateway. A conversion may be needed between the security gateway. A conversion may be needed between the
PeerIdentity string representation and the real value used in the ID PeerIdentity string representation and the real value used in the ID
payload (e.g. IP address is to be converted from a dotted decimal payload (e.g. IP address is to be converted from a dotted decimal
string into 4 bytes). The property is defined as follows: string into 4 bytes). The property is defined as follows:
NAME PeerIdentity NAME PeerIdentity
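Review bot: the conversion example in 6.15.3 covers only IPv4 ("dotted decimal string into 4 bytes"); since PeerIdentityType now defers to [DOI], which also covers IPv6 and DN types, say that the conversion is driven by the type (16 bytes for IPv6, DER for a DN), matching the NB in 5.5.2. Also "the IKE identity type of the security gateway" reads as if the gateway has a single identity; "the IKE identity type the peer gateway presents" is clearer.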
skipping to change at page 42, line 4 skipping to change at page 39, line 27
only one System instance. only one System instance.
6.18.2. The Reference Dependent 6.18.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to a PeerGateway instance. The [0..n] cardinality indicates to refer to a PeerGateway instance. The [0..n] cardinality indicates
that a System instance may be associated with zero or more that a System instance may be associated with zero or more
PeerGateway instances. PeerGateway instances.
6.19. The Association Class TransformOfPreconfiguredAction 6.19. The Association Class TransformOfPreconfiguredAction
The class TransformOfPreconfiguredAction associates a The class TransformOfPreconfiguredAction associates a
PreconfiguredSAAction with from two to six SATransforms that will be PreconfiguredSAAction with two, four or six SATransforms that will be
applied to the inbound and outbound traffic. The order of applied to the inbound and outbound traffic. The order of
application of the SATransforms is implicitly defined in [IPSEC]. application of the SATransforms is implicitly defined in [IPSEC].
The class definition for TransformOfPreconfiguredAction is as The class definition for TransformOfPreconfiguredAction is as
follows: follows:
NAME TransformOfPreconfiguredAction NAME TransformOfPreconfiguredAction
DESCRIPTION Associates a PreconfiguredSAAction with from one to DESCRIPTION Associates a PreconfiguredSAAction with from one to
three SATransforms. three SATransforms.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
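Review bot: 6.19's text now says a PreconfiguredSAAction is associated with "two, four or six SATransforms", but the DESCRIPTION in the class definition still says "from one to three SATransforms"; make them agree. The even counts follow from needing one transform per direction, which the Direction property in the next hunk implies, so it is the DESCRIPTION that should change.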
skipping to change at page 42, line 59 skipping to change at page 40, line 23
NAME Direction NAME Direction
DESCRIPTION Specifies whether the SA is for inbound or outbound DESCRIPTION Specifies whether the SA is for inbound or outbound
traffic. traffic.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 8-bit integer
VALUE 1 - this SA is for inbound traffic VALUE 1 - this SA is for inbound traffic
2 - this SA is for outbound traffic 2 - this SA is for outbound traffic
6.20 The Association Class PeerGatewayForPreconfiguredTunnel 6.20 The Association Class PeerGatewayForPreconfiguredTunnel
The class PeerGatewayForPreconfiguredTunnel associates one or one The class PeerGatewayForPreconfiguredTunnel associates zero or one
PeerGateway with multiple PreconfiguredTunnelActions. The class PeerGateway with multiple PreconfiguredTunnelActions. The class
definition for PeerGatewayForPreconfiguredTunnel is as follows: definition for PeerGatewayForPreconfiguredTunnel is as follows:
NAME PeerGatewayForPreconfiguredTunnel NAME PeerGatewayForPreconfiguredTunnel
DESCRIPTION Associates a PeerGateway with multiple DESCRIPTION Associates a PeerGateway with multiple
PreconfiguredTunnelAction. PreconfiguredTunnelAction.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref PeerGateway[0..1]] PROPERTIES Antecedent[ref PeerGateway[0..1]]
Dependent[ref PreconfiguredTunnelAction[0..n]] Dependent[ref PreconfiguredTunnelAction[0..n]]
skipping to change at page 47, line 34 skipping to change at page 44, line 32
7.4. The Abstract Class SATransform 7.4. The Abstract Class SATransform
The abstract class SATransform serves as the base class for the IPsec The abstract class SATransform serves as the base class for the IPsec
transforms that can be used to compose an IPsec proposal or to be transforms that can be used to compose an IPsec proposal or to be
used as a pre-configured action. The class definition for used as a pre-configured action. The class definition for
SATransform is as follows: SATransform is as follows:
NAME SATransform NAME SATransform
DESCRIPTION Base class for the different IPsec transforms. DESCRIPTION Base class for the different IPsec transforms.
ABSTRACT TRUE ABSTRACT TRUE
PROPERTIES TransformName PROPERTIES CommonName (from Policy)
VendorID VendorID
MaxLifetimeSeconds MaxLifetimeSeconds
MaxLifetimeKilobytes MaxLifetimeKilobytes
7.4.1. The Property TransformName 7.4.1. The Property CommonName
The property TransformName specifies a user-friendly name for the The property CommonName is inherited from Policy [PCIM] and specifies
SATransform. The property is defined as follows: a user-friendly name for the SATransform. The property is defined as
follows:
NAME TransformName NAME CommonName
DESCRIPTION Specifies a user-friendly name for this transform. DESCRIPTION Specifies a user-friendly name for this Policy-related
object.
SYNTAX string SYNTAX string
7.4.2. The Property VendorID 7.4.2. The Property VendorID
The property VendorID specifies the vendor ID for vendor-defined The property VendorID specifies the vendor ID for vendor-defined
transforms. The property is defined as follows: transforms. The property is defined as follows:
NAME VendorID NAME VendorID
DESCRIPTION Specifies the vendor ID for vendor-defined transforms. DESCRIPTION Specifies the vendor ID for vendor-defined transforms.
SYNTAX string SYNTAX string
skipping to change at page 55, line 42 skipping to change at page 52, line 39
mappings between identities and their addresses. The class mappings between identities and their addresses. The class
definition for PeerIdentityTable is as follows: definition for PeerIdentityTable is as follows:
NAME PeerIdentityTable NAME PeerIdentityTable
DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry instances DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry instances
to provide a table of identity-address mappings. to provide a table of identity-address mappings.
DERIVED FROM Collection (see [CIMCORE]) DERIVED FROM Collection (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name PROPERTIES Name
8.3.1. The Property Name 8.2.1. The Property Name
The property Name uniquely identifies the table. The property is The property Name uniquely identifies the table. The property is
defined as follows: defined as follows:
NAME Name NAME Name
DESCRIPTION Name uniquely identifies the table. DESCRIPTION Name uniquely identifies the table.
SYNTAX string SYNTAX string
8.3. The Class PeerIdentityEntry 8.3. The Class PeerIdentityEntry
skipping to change at page 56, line 4 skipping to change at page 52, line 63
NAME PeerIdentityEntry NAME PeerIdentityEntry
DESCRIPTION PeerIdentityEntry provides a mapping between a peer's DESCRIPTION PeerIdentityEntry provides a mapping between a peer's
identity and address. identity and address.
DERIVED FROM LogicalElement (see [CIMCORE]) DERIVED FROM LogicalElement (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PeerIdentity PROPERTIES PeerIdentity
PeerIdentityType PeerIdentityType
PeerAddress PeerAddress
PeerAddressType PeerAddressType
The pre-shared key to be used with this peer (if applicable) is The pre-shared key to be used with this peer (if applicable) is
contained in an instance of the class SharedSecret (see [CIMUSER]). contained in an instance of the class SharedSecret (see [CIMUSER]).
The pre-shared key is stored in the property Secret, the property The pre-shared key is stored in the property Secret, the property
protocol contains "IKE", the property algorithm contains the protocol contains "IKE", the property algorithm contains the
algorithm used to protect the secret (can be "PLAINTEXT" if the IPsec algorithm used to protect the secret (can be "PLAINTEXT" if the IPsec
entity has no secret storage), the value of property RemoteID must entity has no secret storage), the value of property RemoteID must
match the PeerIdentity property of the PeerIdentityEntry instance match the PeerIdentity property of the PeerIdentityEntry instance
describing the IKE peer. describing the IKE peer.
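The binding between a PeerIdentityEntry and its pre-shared key is by value only: a SharedSecret whose RemoteID does not equal some entry's PeerIdentity is silently unusable, and an entry with two matching IKE secrets is ambiguous. The following is an added example, not code from the draft or from any CIM implementation, that resolves the key for a peer address the way the text describes and audits a table against those conditions. It assumes SharedSecret with just the four properties the text names, encodes PeerAddressType as the IP version (4 or 6), which is this example's convention, and uses ID_FQDN = 2 from [DOI] section 4.6.2.1 for PeerIdentityType.

```python
"""Added example: resolving and auditing IKE pre-shared keys for section 8.3.
Not from the draft. SharedSecret is reduced to the properties the text names."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class PeerIdentityEntry:
    peer_identity: str        # string encoding of the peer's IKE Identity payload
    peer_identity_type: int   # [DOI] 4.6.2.1 value; 2 = ID_FQDN
    peer_address: str
    peer_address_type: int    # this example's convention: 4 or 6


@dataclass(frozen=True)
class SharedSecret:
    secret: bytes
    protocol: str             # must be "IKE" for a pre-shared key used by IKE
    algorithm: str            # protection of the secret at rest; "PLAINTEXT" if none
    remote_id: str            # must equal PeerIdentity of the matching entry


@dataclass
class PeerIdentityTable:
    name: str
    entries: List[PeerIdentityEntry] = field(default_factory=list)


def lookup_entry(table: PeerIdentityTable, address: str) -> Optional[PeerIdentityEntry]:
    """Find the entry whose PeerAddress equals `address` (textual variants compare equal)."""
    try:
        wanted = ipaddress.ip_address(address)
    except ValueError:
        return None
    for e in table.entries:
        try:
            if ipaddress.ip_address(e.peer_address) == wanted:
                return e
        except ValueError:
            continue
    return None


def preshared_key_for(table: PeerIdentityTable, secrets: List[SharedSecret],
                      address: str) -> Optional[bytes]:
    """Key for the peer at `address`, or None if absent or ambiguous (never guess)."""
    entry = lookup_entry(table, address)
    if entry is None:
        return None
    matches = [s for s in secrets if s.protocol == "IKE" and s.remote_id == entry.peer_identity]
    return matches[0].secret if len(matches) == 1 else None


def audit(table: PeerIdentityTable, secrets: List[SharedSecret]) -> List[str]:
    """Consistency findings for a table and the SharedSecret instances meant to serve it."""
    findings = []
    for e in table.entries:
        try:
            version = ipaddress.ip_address(e.peer_address).version
        except ValueError:
            findings.append(f"{e.peer_identity}: PeerAddress {e.peer_address!r} does not parse")
            continue
        if version != e.peer_address_type:
            findings.append(f"{e.peer_identity}: PeerAddressType {e.peer_address_type} "
                            f"but address is IPv{version}")
    ids = [e.peer_identity for e in table.entries]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"{dup}: PeerIdentity appears more than once in {table.name}")
    known = set(ids)
    per_peer = {}
    for s in secrets:
        if s.protocol != "IKE":
            continue                      # secrets for other protocols are not ours
        if s.remote_id not in known:
            findings.append(f"{s.remote_id}: IKE SharedSecret matches no PeerIdentityEntry")
        if s.algorithm.upper() == "PLAINTEXT":
            findings.append(f"{s.remote_id}: pre-shared key stored in PLAINTEXT")
        per_peer[s.remote_id] = per_peer.get(s.remote_id, 0) + 1
    for rid, n in sorted(per_peer.items()):
        if n > 1:
            findings.append(f"{rid}: {n} IKE SharedSecrets, key selection is ambiguous")
    return findings


def sample_model():
    """Constructed sample data (not from the draft)."""
    table = PeerIdentityTable("branch-peers", [
        PeerIdentityEntry("gw1.example.net", 2, "192.0.2.10", 4),
        PeerIdentityEntry("gw2.example.net", 2, "2001:db8::2", 6),
        PeerIdentityEntry("gw3.example.net", 2, "198.51.100.7", 6),   # type mismatch
    ])
    secrets = [
        SharedSecret(b"k1-constructed", "IKE", "AES-256-CBC", "gw1.example.net"),
        SharedSecret(b"k2-constructed", "IKE", "PLAINTEXT", "gw2.example.net"),
        SharedSecret(b"k3-constructed", "IKE", "AES-256-CBC", "stale.example.net"),  # orphan
        SharedSecret(b"k4-constructed", "RADIUS", "AES-256-CBC", "gw1.example.net"),  # ignored
    ]
    return table, secrets
```

The refusal to return a key when more than one IKE SharedSecret matches is deliberate: picking the first one would make authentication depend on repository ordering, which is exactly the kind of silent failure the RemoteID/PeerIdentity coupling is meant to prevent.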
8.3.1. The Property PeerIdentity 8.3.1. The Property PeerIdentity
The property PeerIdentity contains a string encoding of the Identity The property PeerIdentity contains a string encoding of the Identity
payload for the IKE peer. The property is defined as follows: payload for the IKE peer. The property is defined as follows:
skipping to change at page 59, line 34 skipping to change at page 56, line 29
IdentityValue IdentityValue
IdentityContexts IdentityContexts
8.6.1. The Property IdentityType 8.6.1. The Property IdentityType
The property IdentityType is an enumeration that specifies the type The property IdentityType is an enumeration that specifies the type
of the IdentityValue. The property is defined as follows: of the IdentityValue. The property is defined as follows:
NAME IdentityType NAME IdentityType
DESCRIPTION IdentityType is the type of the IdentityValue. DESCRIPTION IdentityType is the type of the IdentityValue.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 16-bit integer
VALUE The enumeration values are specified in [DOI] section VALUE The enumeration values are specified in [DOI] section
4.6.2.1. 4.6.2.1.
8.6.2. The Property IdentityValue 8.6.2. The Property IdentityValue
The property IdentityValue contains a string encoding of the Identity The property IdentityValue contains a string encoding of the Identity
payload. For IKEIdentity instances that are address types (i.e. IPv4 payload. For IKEIdentity instances that are address types (i.e. IPv4
or IPv6 addresses), the IdentityValue string value MAY be omitted; or IPv6 addresses), the IdentityValue string value MAY be omitted;
then the associated IPProtocolEndpoint (or appropriate member of the then the associated IPProtocolEndpoint (or appropriate member of the
Collection of endpoints) is used as the identity value. The property Collection of endpoints) is used as the identity value. The property
skipping to change at page 66, line 55 skipping to change at page 63, line 43
overridden to refer to an IKEIdentity instance. The [0..n] overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that a Credential instance may be associated cardinality indicates that a Credential instance may be associated
with zero or more IKEIdentity instances. with zero or more IKEIdentity instances.
9. Implementation Requirements 9. Implementation Requirements
The following table specifies which classes, properties, associations The following table specifies which classes, properties, associations
and aggregations MUST or SHOULD or MAY be implemented. and aggregations MUST or SHOULD or MAY be implemented.
4. Policy Classes 4. Policy Classes
4.1. The Class IPsecPolicyGroup................................MUST 4.1. The Class IPsecPolicyGroup...............................MUST
4.2. The Class SARule..........................................MUST 4.2. The Class SARule........................................MUST
4.2.1. The Property PolicyRuleName..............................MAY 4.2.1. The Property PolicyRuleName.............................MAY
4.2.1. The Property Enabled....................................MUST 4.2.1. The Property Enabled..................................MUST
4.2.1. The Property ConditionListType..........................MUST 4.2.1. The Property ConditionListType.........................MUST
4.2.1. The Property RuleUsage...................................MAY 4.2.1. The Property RuleUsage..................................MAY
4.2.1. The Property Mandatory...................................MAY 4.2.1. The Property Mandatory..................................MAY
4.2.1. The Property SequencedActions...........................MUST 4.2.1. The Property SequencedActions..........................MUST
4.2.1. The Property PolicyRoles.................................MAY 4.2.1. The Property PolicyRoles................................MAY
4.2.1. The Property PolicyDecisionStrategy......................MAY 4.2.1. The Property PolicyDecisionStrategy.....................MAY
4.2.2 The Property ExecutionStrategy..........................MUST 4.2.2 The Property ExecutionStrategy.........................MUST
4.2.3 The Property LimitNegotiation............................MAY 4.2.3 The Property LimitNegotiation...........................MAY
4.3. The Class IKERule.........................................MUST 4.3. The Class IKERule.......................................MUST
4.3.1. The Property IdentityContexts............................MAY 4.3.1. The Property IdentityContexts...........................MAY
4.4. The Class IPsecRule.......................................MUST 4.4. The Class IPsecRule.....................................MUST
4.5. The Association Class IPsecPolicyForEndpoint...............MAY 4.5. The Association Class IPsecPolicyForEndpoint..............MAY
4.5.1. The Reference Antecedent................................MUST 4.5.1. The Reference Antecedent...............................MUST
4.5.2. The Reference Dependent.................................MUST 4.5.2. The Reference Dependent................................MUST
4.6. The Association Class IPsecPolicyForSystem.................MAY 4.6. The Association Class IPsecPolicyForSystem................MAY
4.6.1. The Reference Antecedent................................MUST 4.6.1. The Reference Antecedent...............................MUST
4.6.2. The Reference Dependent.................................MUST 4.6.2. The Reference Dependent................................MUST
4.7. The Aggregation Class SARuleInPolicyGroup.................MUST 4.7. The Aggregation Class SARuleInPolicyGroup................MUST
4.7.1. The Property Priority.................................SHOULD 4.7.1. The Property Priority................................SHOULD
4.7.2. The Reference GroupComponent............................MUST 4.7.2. The Reference GroupComponent...........................MUST
4.7.3. The Reference PartComponent.............................MUST 4.7.3. The Reference PartComponent............................MUST
4.8. The Aggregation Class SAConditionInRule...................MUST 4.8. The Aggregation Class SAConditionInRule..................MUST
4.8.1. The Property GroupNumber..............................SHOULD 4.8.1. The Property GroupNumber.............................SHOULD
4.8.1. The Property ConditionNegated.........................SHOULD 4.8.1. The Property ConditionNegated........................SHOULD
4.8.2. The Reference GroupComponent............................MUST 4.8.2. The Reference GroupComponent...........................MUST
4.8.3. The Reference PartComponent.............................MUST 4.8.3. The Reference PartComponent............................MUST
4.9. The Aggregation Class PolicyActionInSARule................MUST 4.9. The Aggregation Class PolicyActionInSARule...............MUST
4.9.1. The Reference GroupComponent............................MUST 4.9.1. The Reference GroupComponent...........................MUST
4.9.2. The Reference PartComponent.............................MUST 4.9.2. The Reference PartComponent............................MUST
4.9.3. The Property ActionOrder..............................SHOULD 4.9.3. The Property ActionOrder.............................SHOULD
5. Condition and Filter Classes 5. Condition and Filter Classes
5.1. The Class SACondition.....................................MUST 5.1. The Class SACondition...................................MUST
5.2. The Class IPHeadersFilter...............................SHOULD 5.2. The Class IPHeadersFilter..............................SHOULD
5.3. The Class CredentialFilterEntry............................MAY 5.3. The Class CredentialFilterEntry...........................MAY
5.3.1. The Property MatchFieldName.............................MUST 5.3.1. The Property MatchFieldName............................MUST
5.3.2. The Property MatchFieldValue............................MUST 5.3.2. The Property MatchFieldValue...........................MUST
5.3.3. The Property CredentialType.............................MUST 5.3.3. The Property CredentialType............................MUST
5.4. The Class IPSOFilterEntry..................................MAY 5.4. The Class IPSOFilterEntry.................................MAY
5.4.1. The Property MatchConditionType.........................MUST 5.4.1. The Property MatchConditionType........................MUST
5.4.2. The Property MatchConditionValue........................MUST 5.4.2. The Property MatchConditionValue.......................MUST
5.5. The Class PeerIDPayloadFilterEntry.........................MAY 5.5. The Class PeerIDPayloadFilterEntry........................MAY
5.5.1. The Property MatchIdentityType..........................MUST 5.5.1. The Property MatchIdentityType.........................MUST
5.5.2. The Property MatchIdentityValue.........................MUST 5.5.2. The Property MatchIdentityValue........................MUST
5.6. The Association Class FilterOfSACondition...............SHOULD 5.6. The Association Class FilterOfSACondition..............SHOULD
5.6.1. The Reference Antecedent................................MUST 5.6.1. The Reference Antecedent...............................MUST
5.6.2. The Reference Dependent.................................MUST 5.6.2. The Reference Dependent................................MUST
5.7. The Association Class AcceptCredentialFrom.................MAY 5.7. The Association Class AcceptCredentialFrom................MAY
5.7.1. The Reference Antecedent................................MUST 5.7.1. The Reference Antecedent...............................MUST
5.7.2. The Reference Dependent.................................MUST 5.7.2. The Reference Dependent................................MUST
6. Action Classes 6. Action Classes
6.1. The Class SAAction........................................MUST 6.1. The Class SAAction......................................MUST
6.1.1. The Property DoActionLogging.............................MAY 6.1.1. The Property DoActionLogging............................MAY
6.1.2. The Property DoPacketLogging.............................MAY 6.1.2. The Property DoPacketLogging............................MAY
6.2. The Class SAStaticAction..................................MUST 6.2. The Class SAStaticAction.................................MUST
6.2.1. The Property LifetimeSeconds............................MUST 6.2.1. The Property LifetimeSeconds...........................MUST
6.3. The Class IPsecBypassAction.............................SHOULD 6.3. The Class IPsecBypassAction............................SHOULD
6.4. The Class IPsecDiscardAction............................SHOULD 6.4. The Class IPsecDiscardAction...........................SHOULD
6.5. The Class IKERejectAction..................................MAY 6.5. The Class IKERejectAction.................................MAY
6.6. The Class PreconfiguredSAAction...........................MUST 6.6. The Class PreconfiguredSAAction..........................MUST
6.6.1. The Property LifetimeKilobytes..........................MUST 6.6.1. The Property LifetimeKilobytes.........................MUST
6.7. The Class PreconfiguredTransportAction....................MUST 6.7. The Class PreconfiguredTransportAction...................MUST
6.8. The Class PreconfiguredTunnelAction.......................MUST 6.8. The Class PreconfiguredTunnelAction......................MUST
6.8.1. The Property DFHandling.................................MUST 6.8.1. The Property DFHandling................................MUST
6.9. The Class SANegotiationAction.............................MUST 6.9. The Class SANegotiationAction............................MUST
6.10. The Class IKENegotiationAction...........................MUST 6.10. The Class IKENegotiationAction..........................MUST
6.10.1. The Property MinLifetimeSeconds.........................MAY 6.10.1. The Property MinLifetimeSeconds........................MAY
6.10.2. The Property MinLifetimeKilobytes.......................MAY 6.10.2. The Property MinLifetimeKilobytes......................MAY
6.10.3. The Property IdleDurationSeconds........................MAY 6.10.3. The Property IdleDurationSeconds.......................MAY
6.11. The Class IPsecAction....................................MUST 6.11. The Class IPsecAction..................................MUST
6.11.1. The Property UsePFS....................................MUST 6.11.1. The Property UsePFS..................................MUST
6.11.2. The Property UseIKEGroup................................MAY 6.11.2. The Property UseIKEGroup...............................MAY
6.11.3. The Property GroupId...................................MUST 6.11.3. The Property GroupId..................................MUST
6.11.4. The Property Granularity.............................SHOULD 6.11.4. The Property Granularity............................SHOULD
6.11.5. The Property VendorID...................................MAY 6.11.5. The Property VendorID..................................MAY
6.12. The Class IPsecTransportAction...........................MUST 6.12. The Class IPsecTransportAction..........................MUST
6.13. The Class IPsecTunnelAction..............................MUST 6.13. The Class IPsecTunnelAction.............................MUST
6.13.1. The Property DFHandling................................MUST 6.13.1. The Property DFHandling...............................MUST
6.14. The Class IKEAction......................................MUST 6.14. The Class IKEAction....................................MUST
6.14.1. The Property ExchangeMode ............................MUST 6.14.1. The Property ExchangeMode ...........................MUST
6.14.2. The Property UseIKEIdentityType........................MUST 6.14.2. The Property UseIKEIdentityType.......................MUST
6.14.3. The Property VendorID...................................MAY 6.14.3. The Property VendorID..................................MAY
6.14.4. The Property AggressiveModeGroupId......................MAY 6.14.4. The Property AggressiveModeGroupId.....................MAY
6.15. The Class PeerGateway....................................MUST 6.15. The Class PeerGateway..................................MUST
6.15.1. The Property Name....................................SHOULD 6.15.1. The Property Name..................................SHOULD
6.15.2. The Property PeerIdentityType..........................MUST 6.15.2. The Property PeerIdentityType.........................MUST
6.15.3. The Property PeerIdentity..............................MUST 6.15.3. The Property PeerIdentity.............................MUST
6.16. The Association Class PeerGatewayForTunnel...............MUST 6.16. The Association Class PeerGatewayForTunnel..............MUST
6.16.1. The Reference Antecedent...............................MUST 6.16.1. The Reference Antecedent..............................MUST
6.16.2. The Reference Dependent................................MUST 6.16.2. The Reference Dependent...............................MUST
6.16.3. The Property SequenceNumber..........................SHOULD 6.16.3. The Property SequenceNumber.........................SHOULD
6.17. The Aggregation Class ContainedProposal..................MUST 6.17. The Aggregation Class ContainedProposal.................MUST
6.17.1. The Reference GroupComponent...........................MUST 6.17.1. The Reference GroupComponent..........................MUST
6.17.2. The Reference PartComponent............................MUST 6.17.2. The Reference PartComponent...........................MUST
6.17.3. The Property SequenceNumber............................MUST 6.17.3. The Property SequenceNumber...........................MUST
6.18. The Association Class HostedPeerGatewayInformation........MAY 6.18. The Association Class HostedPeerGatewayInformation.......MAY
6.18.1. The Reference Antecedent...............................MUST 6.18.1. The Reference Antecedent..............................MUST
6.18.2. The Reference Dependent................................MUST 6.18.2. The Reference Dependent...............................MUST
6.19. The Association Class TransformOfPreconfiguredAction.....MUST 6.19. The Association Class TransformOfPreconfiguredAction....MUST
6.19.1. The Reference Antecedent...............................MUST 6.19.1. The Reference Antecedent..............................MUST
6.19.2. The Reference Dependent................................MUST 6.19.2. The Reference Dependent...............................MUST
6.19.3. The Property SPI.......................................MUST 6.19.3. The Property SPI.....................................MUST
6.19.4. The Property Direction.................................MUST 6.19.4. The Property Direction................................MUST
6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST 6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
6.20.1. The Reference Antecedent...............................MUST 6.20.1. The Reference Antecedent..............................MUST
6.20.2. The Reference Dependent................................MUST 6.20.2. The Reference Dependent...............................MUST
7. Proposal and Transform Classes 7. Proposal and Transform Classes
7.1. The Abstract Class SAProposal.............................MUST 7.1. The Abstract Class SAProposal............................MUST
7.1.1. The Property Name.....................................SHOULD 7.1.1. The Property Name...................................SHOULD
7.2. The Class IKEProposal.....................................MUST 7.2. The Class IKEProposal...................................MUST
7.2.1. The Property CipherAlgorithm............................MUST 7.2.1. The Property CipherAlgorithm...........................MUST
7.2.2. The Property HashAlgorithm..............................MUST 7.2.2. The Property HashAlgorithm.............................MUST
7.2.3. The Property PRFAlgorithm................................MAY 7.2.3. The Property PRFAlgorithm...............................MAY
7.2.4. The Property GroupId....................................MUST 7.2.4. The Property GroupId..................................MUST
7.2.5. The Property AuthenticationMethod.......................MUST 7.2.5. The Property AuthenticationMethod......................MUST
7.2.6. The Property MaxLifetimeSeconds.........................MUST 7.2.6. The Property MaxLifetimeSeconds........................MUST
7.2.7. The Property MaxLifetimeKilobytes.......................MUST 7.2.7. The Property MaxLifetimeKilobytes......................MUST
7.2.8. The Property VendorID....................................MAY 7.2.8. The Property VendorID...................................MAY
7.3. The Class IPsecProposal...................................MUST 7.3. The Class IPsecProposal..................................MUST
7.4. The Abstract Class SATransform............................MUST 7.4. The Abstract Class SATransform...........................MUST
7.4.1. The Property TransformName............................SHOULD 7.4.1. The Property TransformName...........................SHOULD
7.4.2. The Property VendorID....................................MAY 7.4.2. The Property VendorID...................................MAY
7.4.3. The Property MaxLifetimeSeconds.........................MUST 7.4.3. The Property MaxLifetimeSeconds........................MUST
7.4.4. The Property MaxLifetimeKilobytes.......................MUST 7.4.4. The Property MaxLifetimeKilobytes......................MUST
7.5. The Class AHTransform.....................................MUST 7.5. The Class AHTransform...................................MUST
7.5.1. The Property AHTransformId..............................MUST 7.5.1. The Property AHTransformId.............................MUST
7.5.2. The Property UseReplayPrevention.........................MAY 7.5.2. The Property UseReplayPrevention........................MAY
7.5.3. The Property ReplayPreventionWindowSize..................MAY 7.5.3. The Property ReplayPreventionWindowSize.................MAY
7.6. The Class ESPTransform....................................MUST 7.6. The Class ESPTransform..................................MUST
7.6.1. The Property IntegrityTransformId.......................MUST 7.6.1. The Property IntegrityTransformId......................MUST
7.6.2. The Property CipherTransformId..........................MUST 7.6.2. The Property CipherTransformId.........................MUST
7.6.3. The Property CipherKeyLength.............................MAY 7.6.3. The Property CipherKeyLength............................MAY
7.6.4. The Property CipherKeyRounds.............................MAY 7.6.4. The Property CipherKeyRounds............................MAY
7.6.5. The Property UseReplayPrevention.........................MAY 7.6.5. The Property UseReplayPrevention........................MAY
7.6.6. The Property ReplayPreventionWindowSize..................MAY 7.6.6. The Property ReplayPreventionWindowSize.................MAY
7.7. The Class IPCOMPTransform..................................MAY 7.7. The Class IPCOMPTransform.................................MAY
7.7.1. The Property Algorithm..................................MUST 7.7.1. The Property Algorithm.................................MUST
7.7.2. The Property DictionarySize..............................MAY 7.7.2. The Property DictionarySize.............................MAY
7.7.3. The Property PrivateAlgorithm............................MAY 7.7.3. The Property PrivateAlgorithm...........................MAY
7.8. The Association Class SAProposalInSystem...................MAY 7.8. The Association Class SAProposalInSystem..................MAY
7.8.1. The Reference Antecedent................................MUST 7.8.1. The Reference Antecedent...............................MUST
7.8.2. The Reference Dependent.................................MUST 7.8.2. The Reference Dependent................................MUST
7.9. The Aggregation Class ContainedTransform..................MUST 7.9. The Aggregation Class ContainedTransform.................MUST
7.9.1. The Reference GroupComponent............................MUST 7.9.1. The Reference GroupComponent...........................MUST
7.9.2. The Reference PartComponent.............................MUST 7.9.2. The Reference PartComponent............................MUST
7.9.3. The Property SequenceNumber.............................MUST 7.9.3. The Property SequenceNumber............................MUST
7.10. The Association Class SATransformInSystem.................MAY 7.10. The Association Class SATransformInSystem................MAY
7.10.1. The Reference Antecedent...............................MUST 7.10.1. The Reference Antecedent..............................MUST
7.10.2. The Reference Dependent................................MUST 7.10.2. The Reference Dependent...............................MUST
8. IKE Service and Identity Classes 8. IKE Service and Identity Classes
8.1. The Class IKEService.......................................MAY 8.1. The Class IKEService.....................................MAY
8.2. The Class PeerIdentityTable................................MAY 8.2. The Class PeerIdentityTable...............................MAY
8.3.1. The Property Name.....................................SHOULD 8.3.1. The Property Name...................................SHOULD
8.3. The Class PeerIdentityEntry................................MAY 8.3. The Class PeerIdentityEntry...............................MAY
8.3.1. The Property PeerIdentity.............................SHOULD 8.3.1. The Property PeerIdentity............................SHOULD
8.3.2. The Property PeerIdentityType.........................SHOULD 8.3.2. The Property PeerIdentityType........................SHOULD
8.3.3. The Property PeerAddress..............................SHOULD 8.3.3. The Property PeerAddress.............................SHOULD
8.3.4. The Property PeerAddressType..........................SHOULD 8.3.4. The Property PeerAddressType.........................SHOULD
8.4. The Class AutostartIKEConfiguration........................MAY 8.4. The Class AutostartIKEConfiguration.......................MAY
8.5. The Class AutostartIKESetting..............................MAY 8.5. The Class AutostartIKESetting.............................MAY
8.5.1. The Property Phase1Only..................................MAY 8.5.1. The Property Phase1Only.................................MAY
8.5.2. The Property AddressType..............................SHOULD 8.5.2. The Property AddressType.............................SHOULD
8.5.3. The Property SourceAddress..............................MUST 8.5.3. The Property SourceAddress.............................MUST
8.5.4. The Property SourcePort.................................MUST 8.5.4. The Property SourcePort................................MUST
8.5.5. The Property DestinationAddress.........................MUST 8.5.5. The Property DestinationAddress........................MUST
8.5.6. The Property DestinationPort............................MUST 8.5.6. The Property DestinationPort...........................MUST
8.5.7. The Property Protocol...................................MUST 8.5.7. The Property Protocol..................................MUST
8.6. The Class IKEIdentity......................................MAY 8.6. The Class IKEIdentity....................................MAY
8.6.1. The Property IdentityType...............................MUST 8.6.1. The Property IdentityType..............................MUST
8.6.2. The Property IdentityValue..............................MUST 8.6.2. The Property IdentityValue.............................MUST
8.6.3. The Property IdentityContexts............................MAY 8.6.3. The Property IdentityContexts...........................MAY
8.7. The Association Class HostedPeerIdentityTable..............MAY 8.7. The Association Class HostedPeerIdentityTable.............MAY
8.7.1. The Reference Antecedent................................MUST 8.7.1. The Reference Antecedent...............................MUST
8.7.2. The Reference Dependent.................................MUST 8.7.2. The Reference Dependent................................MUST
8.8. The Aggregation Class PeerIdentityMember...................MAY 8.8. The Aggregation Class PeerIdentityMember..................MAY
8.8.1. The Reference Collection................................MUST 8.8.1. The Reference Collection...............................MUST
8.8.2. The Reference Member....................................MUST 8.8.2. The Reference Member..................................MUST
8.9. The Association Class IKEServicePeerGateway................MAY 8.9. The Association Class IKEServicePeerGateway...............MAY
8.9.1. The Reference Antecedent................................MUST 8.9.1. The Reference Antecedent...............................MUST
8.9.2. The Reference Dependent.................................MUST 8.9.2. The Reference Dependent................................MUST
8.10. The Association Class IKEServicePeerIdentityTable.........MAY 8.10. The Association Class IKEServicePeerIdentityTable........MAY
8.10.1. The Reference Antecedent...............................MUST 8.10.1. The Reference Antecedent..............................MUST
8.10.2. The Reference Dependent................................MUST 8.10.2. The Reference Dependent...............................MUST
8.11. The Association Class IKEAutostartSetting.................MAY 8.11. The Association Class IKEAutostartSetting................MAY
8.11.1. The Reference Element..................................MUST 8.11.1. The Reference Element.................................MUST
8.11.2. The Reference Setting..................................MUST 8.11.2. The Reference Setting.................................MUST
8.12. The Aggregation Class AutostartIKESettingContext..........MAY 8.12. The Aggregation Class AutostartIKESettingContext.........MAY
8.12.1. The Reference Context..................................MUST 8.12.1. The Reference Context.................................MUST
8.12.2. The Reference Setting..................................MUST 8.12.2. The Reference Setting.................................MUST
8.12.3. The Property SequenceNumber..........................SHOULD 8.12.3. The Property SequenceNumber.........................SHOULD
8.13. The Association Class IKEServiceForEndpoint...............MAY 8.13. The Association Class IKEServiceForEndpoint..............MAY
8.13.1. The Reference Antecedent...............................MUST 8.13.1. The Reference Antecedent..............................MUST
8.13.2. The Reference Dependent................................MUST 8.13.2. The Reference Dependent...............................MUST
8.14. The Association Class IKEAutostartConfiguration...........MAY 8.14. The Association Class IKEAutostartConfiguration..........MAY
8.14.1. The Reference Antecedent...............................MUST 8.14.1. The Reference Antecedent..............................MUST
8.14.2. The Reference Dependent................................MUST 8.14.2. The Reference Dependent...............................MUST
8.14.3. The Property Active..................................SHOULD 8.14.3. The Property Active................................SHOULD
8.15. The Association Class IKEUsesCredentialManagementService..MAY 8.15. The Association Class IKEUsesCredentialManagementService..MAY
8.15.1. The Reference Antecedent...............................MUST 8.15.1. The Reference Antecedent..............................MUST
8.15.2. The Reference Dependent................................MUST 8.15.2. The Reference Dependent...............................MUST
8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY 8.16. The Association Class EndpointHasLocalIKEIdentity........MAY
8.16.1. The Reference Antecedent...............................MUST 8.16.1. The Reference Antecedent..............................MUST
8.16.2. The Reference Dependent................................MUST 8.16.2. The Reference Dependent...............................MUST
8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY 8.17. The Association Class CollectionHasLocalIKEIdentity......MAY
8.17.1. The Reference Antecedent...............................MUST 8.17.1. The Reference Antecedent..............................MUST
8.17.2. The Reference Dependent................................MUST 8.17.2. The Reference Dependent...............................MUST
8.18. The Association Class IKEIdentitysCredential..............MAY 8.18. The Association Class IKEIdentitysCredential.............MAY
8.18.1. The Reference Antecedent...............................MUST 8.18.1. The Reference Antecedent..............................MUST
8.18.2. The Reference Dependent................................MUST 8.18.2. The Reference Dependent...............................MUST
10. Security Considerations 10. Security Considerations
This document describes a schema for IPsec policy. It does not This document describes a schema for IPsec policy. It does not
detail security requirements for storage or delivery of said schema. detail security requirements for storage or delivery of said schema.
Storage and delivery security requirements should be detailed in a Storage and delivery security requirements should be detailed in a
comprehensive security policy architecture document. comprehensive security policy architecture document.
11. Intellectual Property 11. Intellectual Property
skipping to change at page 70, line 58 skipping to change at page 67, line 43
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive this standard. Please address the information to the IETF Executive
Director. Director.
12. Acknowledgments 12. Acknowledgments
The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire, The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
Vic Lortz, William Dixon, Man Li and Ricky Charlet for their Vic Lortz, William Dixon, Man Li, Wes Hardaker and Ricky Charlet for
contributions to this IPsec policy model. their contributions to this IPsec policy model.
Additionally, this draft would not have been possible without the Additionally, this draft would not have been possible without the
preceding IPsec schema drafts. For that, thanks go out to Rob Adams, preceding IPsec schema drafts. For that, thanks go out to Rob Adams,
Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan. Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan.
13. References 13. References
[IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", [IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)",
RFC 2409, November 1998. RFC 2409, November 1998.
skipping to change at page 71, line 54 skipping to change at page 68, line 40
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[IPSO] Kent, S., "U.S. Department of Defense Security Options for the [IPSO] Kent, S., "U.S. Department of Defense Security Options for the
Internet Protocol", RFC 1108, November 1991. Internet Protocol", RFC 1108, November 1991.
[IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the
Internet Protocol", RFC 2401, November 1998. Internet Protocol", RFC 2401, November 1998.
[DMTF] Distributed Management Task Force, http://www.dmtf.org/ [DMTF] Distributed Management Task Force, http://www.dmtf.org/
[CIMCORE] DMTF Common Information Model - Core Model v2.5, [CIMCORE] DMTF Common Information Model - Core Model v2.6 which can
http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25.mof and be found at http://www.dmtf.org/standards/cim_schema_v26.php
http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25_Add.mof
[CIMUSER] DMTF Common Information Model - User-Security Model v2.5,
http://www.dmtf.org/var/release/CIM_Schema25/CIM_User25.mof
[CIMNETWORK] DMTF Common Information Model - Network Model v2.5,
http://www.dmtf.org/var/release/CIM_Schema25/CIM_Network25.mof
[CIMUSER] DMTF Common Information Model - User-Security Model v2.6
which can be found at
http://www.dmtf.org/standards/cim_schema_v26.php
[CIMNETWORK] DMTF Common Information Model - Network Model v2.6 which
can be found at http://www.dmtf.org/standards/cim_schema_v26.php
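Review bot: the -06 [CIMCORE], [CIMUSER] and [CIMNETWORK] entries all point at the same landing page, http://www.dmtf.org/standards/cim_schema_v26.php, whereas the -05 entries named the specific MOF files (CIM_Core25.mof, CIM_Core25_Add.mof, CIM_User25.mof, CIM_Network25.mof); a reader can no longer tell which schema file defines the classes this model derives from, so consider listing the corresponding v2.6 file names next to the page URL. The -05 [CIMCORE] entry also cited a Core addendum (CIM_Core25_Add.mof) that has no counterpart in the -06 entry; confirm that whatever this model took from that addendum is present in the v2.6 Core model before dropping the citation. Finally, the new "which can be found at" wording differs from the [DMTF] entry, which lists the URL directly after the title; use one form for all four DMTF references.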
14. Disclaimer 14. Disclaimer
The views and specification herein are those of the authors and are The views and specification herein are those of the authors and are
not necessarily those of their employer. The authors and their not necessarily those of their employer. The authors and their
employer specifically disclaim responsibility for any problems employer specifically disclaim responsibility for any problems
arising from correct or incorrect implementation or use of this arising from correct or incorrect implementation or use of this
specification. specification.
15. Authors' Addresses 15. Authors' Addresses
Jamie Jason Jamie Jason
Intel Corporation Intel Corporation
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/