--- 1/draft-ietf-ipsp-config-policy-model-05.txt 2006-02-04 23:59:54.000000000 +0100 +++ 2/draft-ietf-ipsp-config-policy-model-06.txt 2006-02-04 23:59:54.000000000 +0100 @@ -1,20 +1,20 @@ Internet Engineering Task Force Jamie Jason INTERNET DRAFT Intel Corporation - February-2002 Lee Rafalow + August-2002 Lee Rafalow IBM Eric Vyncke Cisco Systems IPsec Configuration Policy Model - draft-ietf-ipsp-config-policy-model-05.txt + draft-ietf-ipsp-config-policy-model-06.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months 
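Review bot: the Expires line must move with the header date, not only the title block. The date changes from February-2002 to August-2002 and the Status of this Memo text kept as context in this hunk states that an Internet-Draft is valid for a maximum of six months, so the expiry stated elsewhere in the document has to be recomputed from the new date. The filename bump to draft-ietf-ipsp-config-policy-model-06.txt likewise needs to be mirrored wherever the draft name is repeated in the document.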
@@ -45,242 +45,242 @@ protocols could be easily added to the information model by a simple extension. Other extensions can further be added easily due to the object-oriented nature of the model. This information model is based upon the core policy classes as defined in the Policy Core Information Model (PCIM) [PCIM] and on the Policy Core Information Model Extensions (PCIMe) [PCIME]. Table of Contents - Status of this Memo................................................1 - Abstract...........................................................1 - Table of Contents..................................................2 - 1. Introduction....................................................6 - 1. Introduction....................................................6 - 2. UML Conventions.................................................6 - 3. IPsec Policy Model Inheritance Hierarchy........................7 - 4. Policy Classes.................................................12 - 4.1. The Class IPsecPolicyGroup...................................13 - 4.2. The Class SARule.............................................14 + Status of this Memo..............................................1 + Abstract.........................................................1 + Table of Contents................................................2 + 1. Introduction.................................................10 + 1. Introduction.................................................10 + 2. UML Conventions..............................................10 + 3. IPsec Policy Model Inheritance Hierarchy......................11 + 4. Policy Classes...............................................16 + 4.1. The Class IPsecPolicyGroup..................................17 + 4.2. The Class SARule...........................................18 4.2.1. 
The Properties PolicyRuleName, Enabled, ConditionListType, RuleUsage, Mandatory, SequencedActions, PolicyRoles, and - PolicyDecisionStrategy............................................14 - 4.2.2 The Property ExecutionStrategy.............................14 - 4.2.3 The Property LimitNegotiation..............................16 - 4.3. The Class IKERule............................................17 - 4.3.1. The Property IdentityContexts..............................17 - 4.4. The Class IPsecRule..........................................17 - 4.5. The Association Class IPsecPolicyForEndpoint.................18 - 4.5.1. The Reference Antecedent...................................18 - 4.5.2. The Reference Dependent....................................18 - 4.6. The Association Class IPsecPolicyForSystem...................18 - 4.6.1. The Reference Antecedent...................................18 - 4.6.2. The Reference Dependent....................................19 - 4.7. The Aggregation Class SARuleInPolicyGroup....................19 - 4.7.1. The Property Priority......................................19 - 4.7.2. The Reference GroupComponent...............................19 - 4.7.3. The Reference PartComponent................................19 - 4.8. The Aggregation Class SAConditionInRule......................19 - 4.8.1. The Properties GroupNumber and ConditionNegated............20 - 4.8.2. The Reference GroupComponent...............................20 - 4.8.3. The Reference PartComponent................................20 - 4.9. The Aggregation Class PolicyActionInSARule...................20 - 4.9.1. The Reference GroupComponent...............................20 - 4.9.2. The Reference PartComponent................................20 - 4.9.3. The Property ActionOrder...................................20 - 5. Condition and Filter Classes...................................22 - 5.1. The Class SACondition........................................22 - 5.2. 
The Class IPHeadersFilter....................................23 - 5.3. The Class CredentialFilterEntry..............................23 - 5.3.1. The Property MatchFieldName................................23 - 5.3.2. The Property MatchFieldValue...............................24 - 5.3.3. The Property CredentialType................................24 - 5.4. The Class IPSOFilterEntry....................................24 - 5.4.1. The Property MatchConditionType............................25 - 5.4.2. The Property MatchConditionValue...........................25 - 5.5. The Class PeerIDPayloadFilterEntry...........................25 - 5.5.1. The Property MatchIdentityType.............................25 - 5.5.2. The Property MatchIdentityValue............................26 - 5.6. The Association Class FilterOfSACondition....................26 - 5.6.1. The Reference Antecedent...................................27 - 5.6.2. The Reference Dependent....................................27 - 5.7. The Association Class AcceptCredentialFrom...................27 - 5.7.1. The Reference Antecedent...................................27 - 5.7.2. The Reference Dependent....................................28 - 6. Action Classes.................................................28 - 6.1. The Class SAAction...........................................29 - 6.1.1. The Property DoActionLogging...............................30 - 6.1.2. The Property DoPacketLogging...............................30 - 6.2. The Class SAStaticAction.....................................30 - 6.2.1. The Property LifetimeSeconds...............................31 - 6.3. The Class IPsecBypassAction..................................31 - 6.4. The Class IPsecDiscardAction.................................31 - 6.5. The Class IKERejectAction....................................32 - 6.6. The Class PreconfiguredSAAction..............................32 - 6.6.1. The Property LifetimeKilobytes.............................32 - 6.7. 
The Class PreconfiguredTransportAction.......................33 - 6.8. The Class PreconfiguredTunnelAction..........................33 - 6.8.1. The Property DFHandling....................................33 - 6.9. The Class SANegotiationAction................................33 - 6.10. The Class IKENegotiationAction..............................34 - 6.10.1. The Property MinLifetimeSeconds...........................34 - 6.10.2. The Property MinLifetimeKilobytes.........................34 - 6.10.3. The Property IdleDurationSeconds..........................35 - 6.11. The Class IPsecAction.......................................35 - 6.11.1. The Property UsePFS.......................................35 - 6.11.2. The Property UseIKEGroup..................................35 - 6.11.3. The Property GroupId......................................36 - 6.11.4. The Property Granularity..................................36 - 6.11.5. The Property VendorID.....................................36 - 6.12. The Class IPsecTransportAction..............................36 - 6.13. The Class IPsecTunnelAction.................................37 - 6.13.1. The Property DFHandling...................................37 - 6.14. The Class IKEAction.........................................37 - 6.14.1. The Property ExchangeMode.................................37 - 6.14.2. The Property UseIKEIdentityType...........................38 - 6.14.3. The Property VendorID.....................................38 - 6.14.4. The Property AggressiveModeGroupId........................38 - 6.15. The Class PeerGateway.......................................38 - 6.15.1. The Property Name.........................................39 - 6.15.2. The Property PeerIdentityType.............................39 - 6.15.3. The Property PeerIdentity.................................39 - 6.16. The Association Class PeerGatewayForTunnel..................39 - 6.16.1. The Reference Antecedent..................................40 - 6.16.2. 
The Reference Dependent...................................40 - 6.16.3. The Property SequenceNumber...............................40 - 6.17. The Aggregation Class ContainedProposal.....................40 - 6.17.1. The Reference GroupComponent..............................41 - 6.17.2. The Reference PartComponent...............................41 - 6.17.3. The Property SequenceNumber...............................41 - 6.18. The Association Class HostedPeerGatewayInformation..........41 - 6.18.1. The Reference Antecedent..................................41 - 6.18.2. The Reference Dependent...................................41 - 6.19. The Association Class TransformOfPreconfiguredAction........41 - 6.19.1. The Reference Antecedent..................................42 - 6.19.2. The Reference Dependent...................................42 - 6.19.3. The Property SPI..........................................42 - 6.19.4. The Property Direction....................................42 - 6.20 The Association Class PeerGatewayForPreconfiguredTunnel......42 - 6.20.1. The Reference Antecedent..................................43 - 6.20.2. The Reference Dependent...................................43 - 7. Proposal and Transform Classes.................................44 - 7.1. The Abstract Class SAProposal................................44 - 7.1.1. The Property Name..........................................44 - 7.2. The Class IKEProposal........................................44 - 7.2.1. The Property CipherAlgorithm...............................45 - 7.2.2. The Property HashAlgorithm.................................45 - 7.2.3. The Property PRFAlgorithm..................................45 - 7.2.4. The Property GroupId.......................................45 - 7.2.5. The Property AuthenticationMethod..........................46 - 7.2.6. The Property MaxLifetimeSeconds............................46 - 7.2.7. The Property MaxLifetimeKilobytes..........................46 - 7.2.8. 
The Property VendorID......................................46 - 7.3. The Class IPsecProposal......................................47 - 7.4. The Abstract Class SATransform...............................47 - 7.4.1. The Property TransformName.................................47 - 7.4.2. The Property VendorID......................................47 - 7.4.3. The Property MaxLifetimeSeconds............................47 - 7.4.4. The Property MaxLifetimeKilobytes..........................48 - 7.5. The Class AHTransform........................................48 - 7.5.1. The Property AHTransformId.................................48 - 7.5.2. The Property UseReplayPrevention...........................48 - 7.5.3. The Property ReplayPreventionWindowSize....................48 - 7.6. The Class ESPTransform.......................................49 - 7.6.1. The Property IntegrityTransformId..........................49 - 7.6.2. The Property CipherTransformId.............................49 - 7.6.3. The Property CipherKeyLength...............................49 - 7.6.4. The Property CipherKeyRounds...............................49 - 7.6.5. The Property UseReplayPrevention...........................50 - 7.6.6. The Property ReplayPreventionWindowSize....................50 - 7.7. The Class IPCOMPTransform....................................50 - 7.7.1. The Property Algorithm.....................................50 - 7.7.2. The Property DictionarySize................................51 - 7.7.3. The Property PrivateAlgorithm..............................51 - 7.8. The Association Class SAProposalInSystem.....................51 - 7.8.1. The Reference Antecedent...................................51 - 7.8.2. The Reference Dependent....................................51 - 7.9. The Aggregation Class ContainedTransform.....................51 - 7.9.1. The Reference GroupComponent...............................52 - 7.9.2. The Reference PartComponent................................52 - 7.9.3. 
The Property SequenceNumber................................52 - 7.10. The Association Class SATransformInSystem...................52 - 7.10.1. The Reference Antecedent..................................53 - 7.10.2. The Reference Dependent...................................53 - 8. IKE Service and Identity Classes...............................54 - 8.1. The Class IKEService.........................................55 - 8.2. The Class PeerIdentityTable..................................55 - 8.3.1. The Property Name..........................................55 - 8.3. The Class PeerIdentityEntry..................................55 - 8.3.1. The Property PeerIdentity..................................56 - 8.3.2. The Property PeerIdentityType..............................56 - 8.3.3. The Property PeerAddress...................................56 - 8.3.4. The Property PeerAddressType...............................56 - 8.4. The Class AutostartIKEConfiguration..........................56 - 8.5. The Class AutostartIKESetting................................57 - 8.5.1. The Property Phase1Only....................................57 - 8.5.2. The Property AddressType...................................57 - 8.5.3. The Property SourceAddress.................................58 - 8.5.4. The Property SourcePort....................................58 - 8.5.5. The Property DestinationAddress............................58 - 8.5.6. The Property DestinationPort...............................58 - 8.5.7. The Property Protocol......................................58 - 8.6. The Class IKEIdentity........................................58 - 8.6.1. The Property IdentityType..................................59 - 8.6.2. The Property IdentityValue.................................59 - 8.6.3. The Property IdentityContexts..............................59 - 8.7. The Association Class HostedPeerIdentityTable................60 - 8.7.1. The Reference Antecedent...................................60 - 8.7.2. 
The Reference Dependent....................................60 - 8.8. The Aggregation Class PeerIdentityMember.....................60 - 8.8.1. The Reference Collection...................................60 - 8.8.2. The Reference Member.......................................61 - 8.9. The Association Class IKEServicePeerGateway..................61 - 8.9.1. The Reference Antecedent...................................61 - 8.9.2. The Reference Dependent....................................61 - 8.10. The Association Class IKEServicePeerIdentityTable...........61 - 8.10.1. The Reference Antecedent..................................61 - 8.10.2. The Reference Dependent...................................62 - 8.11. The Association Class IKEAutostartSetting...................62 - 8.11.1. The Reference Element.....................................62 - 8.11.2. The Reference Setting.....................................62 - 8.12. The Aggregation Class AutostartIKESettingContext............62 - 8.12.1. The Reference Context.....................................62 - 8.12.2. The Reference Setting.....................................63 - 8.12.3. The Property SequenceNumber...............................63 - 8.13. The Association Class IKEServiceForEndpoint.................63 - 8.13.1. The Reference Antecedent..................................63 - 8.13.2. The Reference Dependent...................................63 - 8.14. The Association Class IKEAutostartConfiguration.............63 - 8.14.1. The Reference Antecedent..................................64 - 8.14.2. The Reference Dependent...................................64 - 8.14.3. The Property Active.......................................64 - 8.15. The Association Class IKEUsesCredentialManagementService....64 - 8.15.1. The Reference Antecedent..................................64 - 8.15.2. The Reference Dependent...................................65 - 8.16. The Association Class EndpointHasLocalIKEIdentity...........65 - 8.16.1. 
The Reference Antecedent..................................65 - 8.16.2. The Reference Dependent...................................65 - 8.17. The Association Class CollectionHasLocalIKEIdentity.........65 - 8.17.1. The Reference Antecedent..................................66 - 8.17.2. The Reference Dependent...................................66 - 8.18. The Association Class IKEIdentitysCredential................66 - 8.18.1. The Reference Antecedent..................................66 - 8.18.2. The Reference Dependent...................................66 - 9. Implementation Requirements....................................66 - 10. Security Considerations.......................................70 - 11. Intellectual Property.........................................70 - 12. Acknowledgments...............................................70 - 13. References....................................................71 - 14. Disclaimer....................................................71 - 15. Authors' Addresses............................................72 - 16. Full Copyright Statement......................................72 + PolicyDecisionStrategy..........................................18 + 4.2.2 The Property ExecutionStrategy............................18 + 4.2.3 The Property LimitNegotiation.............................20 + 4.3. The Class IKERule..........................................21 + 4.3.1. The Property IdentityContexts.............................21 + 4.4. The Class IPsecRule........................................22 + 4.5. The Association Class IPsecPolicyForEndpoint................22 + 4.5.1. The Reference Antecedent..................................22 + 4.5.2. The Reference Dependent...................................22 + 4.6. The Association Class IPsecPolicyForSystem..................22 + 4.6.1. The Reference Antecedent..................................23 + 4.6.2. The Reference Dependent...................................23 + 4.7. 
The Aggregation Class SARuleInPolicyGroup...................23 + 4.7.1. The Property Priority.....................................23 + 4.7.2. The Reference GroupComponent..............................23 + 4.7.3. The Reference PartComponent...............................23 + 4.8. The Aggregation Class SAConditionInRule.....................24 + 4.8.1. The Properties GroupNumber and ConditionNegated...........24 + 4.8.2. The Reference GroupComponent..............................24 + 4.8.3. The Reference PartComponent...............................25 + 4.9. The Aggregation Class PolicyActionInSARule..................25 + 4.9.1. The Reference GroupComponent..............................25 + 4.9.2. The Reference PartComponent...............................25 + 4.9.3. The Property ActionOrder..................................25 + 5. Condition and Filter Classes..................................26 + 5.1. The Class SACondition......................................26 + 5.2. The Class IPHeadersFilter...................................27 + 5.3. The Class CredentialFilterEntry.............................27 + 5.3.1. The Property MatchFieldName...............................27 + 5.3.2. The Property MatchFieldValue..............................28 + 5.3.3. The Property CredentialType...............................28 + 5.4. The Class IPSOFilterEntry...................................28 + 5.4.1. The Property MatchConditionType...........................29 + 5.4.2. The Property MatchConditionValue..........................29 + 5.5. The Class PeerIDPayloadFilterEntry..........................29 + 5.5.1. The Property MatchIdentityType............................30 + 5.5.2. The Property MatchIdentityValue...........................30 + 5.6. The Association Class FilterOfSACondition...................31 + 5.6.1. The Reference Antecedent..................................31 + 5.6.2. The Reference Dependent...................................31 + 5.7. 
The Association Class AcceptCredentialFrom..................31 + 5.7.1. The Reference Antecedent..................................32 + 5.7.2. The Reference Dependent...................................32 + 6. Action Classes...............................................33 + 6.1. The Class SAAction.........................................34 + 6.1.1. The Property DoActionLogging..............................34 + 6.1.2. The Property DoPacketLogging..............................34 + 6.2. The Class SAStaticAction....................................35 + 6.2.1. The Property LifetimeSeconds..............................35 + 6.3. The Class IPsecBypassAction.................................35 + 6.4. The Class IPsecDiscardAction................................35 + 6.5. The Class IKERejectAction...................................36 + 6.6. The Class PreconfiguredSAAction.............................36 + 6.6.1. The Property LifetimeKilobytes............................36 + 6.7. The Class PreconfiguredTransportAction......................37 + 6.8. The Class PreconfiguredTunnelAction.........................37 + 6.8.1. The Property DFHandling...................................37 + 6.9. The Class SANegotiationAction...............................37 + 6.10. The Class IKENegotiationAction.............................38 + 6.10.1. The Property MinLifetimeSeconds..........................38 + 6.10.2. The Property MinLifetimeKilobytes........................38 + 6.10.3. The Property IdleDurationSeconds.........................39 + 6.11. The Class IPsecAction.....................................40 + 6.11.1. The Property UsePFS.....................................40 + 6.11.2. The Property UseIKEGroup.................................40 + 6.11.3. The Property GroupId.....................................40 + 6.11.4. The Property Granularity.................................41 + 6.11.5. The Property VendorID....................................41 + 6.12. 
The Class IPsecTransportAction.............................41 + 6.13. The Class IPsecTunnelAction................................41 + 6.13.1. The Property DFHandling..................................42 + 6.14. The Class IKEAction.......................................42 + 6.14.1. The Property ExchangeMode................................42 + 6.14.2. The Property UseIKEIdentityType..........................43 + 6.14.3. The Property VendorID....................................43 + 6.14.4. The Property AggressiveModeGroupId.......................43 + 6.15. The Class PeerGateway.....................................43 + 6.15.1. The Property Name.......................................44 + 6.15.2. The Property PeerIdentityType............................44 + 6.15.3. The Property PeerIdentity................................44 + 6.16. The Association Class PeerGatewayForTunnel.................44 + 6.16.1. The Reference Antecedent.................................45 + 6.16.2. The Reference Dependent..................................45 + 6.16.3. The Property SequenceNumber..............................45 + 6.17. The Aggregation Class ContainedProposal....................45 + 6.17.1. The Reference GroupComponent.............................46 + 6.17.2. The Reference PartComponent..............................46 + 6.17.3. The Property SequenceNumber..............................46 + 6.18. The Association Class HostedPeerGatewayInformation.........46 + 6.18.1. The Reference Antecedent.................................46 + 6.18.2. The Reference Dependent..................................46 + 6.19. The Association Class TransformOfPreconfiguredAction.......46 + 6.19.1. The Reference Antecedent.................................47 + 6.19.2. The Reference Dependent..................................47 + 6.19.3. The Property SPI........................................47 + 6.19.4. 
The Property Direction...................................47 + 6.20 The Association Class PeerGatewayForPreconfiguredTunnel......47 + 6.20.1. The Reference Antecedent.................................48 + 6.20.2. The Reference Dependent..................................48 + 7. Proposal and Transform Classes................................49 + 7.1. The Abstract Class SAProposal...............................49 + 7.1.1. The Property Name........................................49 + 7.2. The Class IKEProposal......................................49 + 7.2.1. The Property CipherAlgorithm..............................50 + 7.2.2. The Property HashAlgorithm................................50 + 7.2.3. The Property PRFAlgorithm.................................50 + 7.2.4. The Property GroupId.....................................51 + 7.2.5. The Property AuthenticationMethod.........................51 + 7.2.6. The Property MaxLifetimeSeconds...........................51 + 7.2.7. The Property MaxLifetimeKilobytes.........................52 + 7.2.8. The Property VendorID.....................................52 + 7.3. The Class IPsecProposal.....................................52 + 7.4. The Abstract Class SATransform..............................52 + 7.4.1. The Property CommonName...................................52 + 7.4.2. The Property VendorID.....................................53 + 7.4.3. The Property MaxLifetimeSeconds...........................53 + 7.4.4. The Property MaxLifetimeKilobytes.........................53 + 7.5. The Class AHTransform......................................53 + 7.5.1. The Property AHTransformId................................54 + 7.5.2. The Property UseReplayPrevention..........................54 + 7.5.3. The Property ReplayPreventionWindowSize...................54 + 7.6. The Class ESPTransform.....................................54 + 7.6.1. The Property IntegrityTransformId.........................54 + 7.6.2. 
The Property CipherTransformId............................55 + 7.6.3. The Property CipherKeyLength..............................55 + 7.6.4. The Property CipherKeyRounds..............................55 + 7.6.5. The Property UseReplayPrevention..........................55 + 7.6.6. The Property ReplayPreventionWindowSize...................55 + 7.7. The Class IPCOMPTransform...................................56 + 7.7.1. The Property Algorithm....................................56 + 7.7.2. The Property DictionarySize...............................56 + 7.7.3. The Property PrivateAlgorithm.............................56 + 7.8. The Association Class SAProposalInSystem....................56 + 7.8.1. The Reference Antecedent..................................57 + 7.8.2. The Reference Dependent...................................57 + 7.9. The Aggregation Class ContainedTransform....................57 + 7.9.1. The Reference GroupComponent..............................57 + 7.9.2. The Reference PartComponent...............................57 + 7.9.3. The Property SequenceNumber...............................57 + 7.10. The Association Class SATransformInSystem..................58 + 7.10.1. The Reference Antecedent.................................58 + 7.10.2. The Reference Dependent..................................58 + 8. IKE Service and Identity Classes..............................59 + 8.1. The Class IKEService.......................................60 + 8.2. The Class PeerIdentityTable.................................60 + 8.2.1. The Property Name........................................60 + 8.3. The Class PeerIdentityEntry.................................60 + 8.3.1. The Property PeerIdentity.................................61 + 8.3.2. The Property PeerIdentityType.............................61 + 8.3.3. The Property PeerAddress..................................61 + 8.3.4. The Property PeerAddressType..............................61 + 8.4. 
The Class AutostartIKEConfiguration.........................61 + 8.5. The Class AutostartIKESetting...............................62 + 8.5.1. The Property Phase1Only...................................62 + 8.5.2. The Property AddressType..................................62 + 8.5.3. The Property SourceAddress................................63 + 8.5.4. The Property SourcePort...................................63 + 8.5.5. The Property DestinationAddress...........................63 + 8.5.6. The Property DestinationPort..............................63 + 8.5.7. The Property Protocol.....................................63 + 8.6. The Class IKEIdentity......................................63 + 8.6.1. The Property IdentityType.................................64 + 8.6.2. The Property IdentityValue................................64 + 8.6.3. The Property IdentityContexts.............................64 + 8.7. The Association Class HostedPeerIdentityTable...............65 + 8.7.1. The Reference Antecedent..................................65 + 8.7.2. The Reference Dependent...................................65 + 8.8. The Aggregation Class PeerIdentityMember....................65 + 8.8.1. The Reference Collection..................................66 + 8.8.2. The Reference Member.....................................66 + 8.9. The Association Class IKEServicePeerGateway.................66 + 8.9.1. The Reference Antecedent..................................66 + 8.9.2. The Reference Dependent...................................66 + 8.10. The Association Class IKEServicePeerIdentityTable..........66 + 8.10.1. The Reference Antecedent.................................67 + 8.10.2. The Reference Dependent..................................67 + 8.11. The Association Class IKEAutostartSetting..................67 + 8.11.1. The Reference Element....................................67 + 8.11.2. The Reference Setting....................................67 + 8.12. 
The Aggregation Class AutostartIKESettingContext...........67 + 8.12.1. The Reference Context....................................67 + 8.12.2. The Reference Setting....................................68 + 8.12.3. The Property SequenceNumber..............................68 + 8.13. The Association Class IKEServiceForEndpoint................68 + 8.13.1. The Reference Antecedent.................................68 + 8.13.2. The Reference Dependent..................................68 + 8.14. The Association Class IKEAutostartConfiguration............68 + 8.14.1. The Reference Antecedent.................................69 + 8.14.2. The Reference Dependent..................................69 + 8.14.3. The Property Active.....................................69 + 8.15. The Association Class IKEUsesCredentialManagementService....69 + 8.15.1. The Reference Antecedent.................................70 + 8.15.2. The Reference Dependent..................................70 + 8.16. The Association Class EndpointHasLocalIKEIdentity..........70 + 8.16.1. The Reference Antecedent.................................70 + 8.16.2. The Reference Dependent..................................70 + 8.17. The Association Class CollectionHasLocalIKEIdentity........70 + 8.17.1. The Reference Antecedent.................................71 + 8.17.2. The Reference Dependent..................................71 + 8.18. The Association Class IKEIdentitysCredential...............71 + 8.18.1. The Reference Antecedent.................................71 + 8.18.2. The Reference Dependent..................................71 + 9. Implementation Requirements...................................71 + 10. Security Considerations.....................................75 + 11. Intellectual Property.......................................75 + 12. Acknowledgments.............................................76 + 13. References..................................................76 + 14. 
Disclaimer..................................................77 + 15. Authors' Addresses..........................................77 + 16. Full Copyright Statement.....................................77 1. Introduction IP security (IPsec) policy may assume a variety of forms as it travels from storage to distribution point to decision point. At each step, it needs to be represented in a way that is convenient for the current task. For example, the policy could exist as, but is not limited to: o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in @@ -691,21 +692,22 @@ The class IPsecPolicyGroup serves as a container of either other IPsecPolicyGroups or a set of SARules. The class definition for IPsecPolicyGroup is as follows: NAME IPsecPolicyGroup DESCRIPTION Either a set of IPsecPolicyGroups or a set of SARules. DERIVED FROM PolicyGroup (see [PCIM] & [PCIMe]) ABSTRACT FALSE PROPERTIES PolicyGroupName (from PolicyGroup) - PolicyDescisionStrategy (from PolicySet) + PolicyDecisionStrategy (from PolicySet) + PolicyRoles (from PolicySet) NOTE: for derivations of the schema that are used for policy distribution to an IPsec device (for example, COPS-PR), the server may follow all of PolicySetComponent associations and create one policy group which is simply a set of all of the IKE rules and a set of all of the IPsec rules. See the section on the PolicySetComponent aggregation for information on merging multiple IPsecPolicyGroups. 4.2. The Class SARule 
@@ -725,21 +727,21 @@ DESCRIPTION A base class for IKERule and IPsecRule. DERIVED FROM PolicyRule (see [PCIM] & [PCIMe]) ABSTRACT FALSE PROPERTIES PolicyRuleName (from PolicyRule) Enabled (from PolicyRule) ConditionListType (from PolicyRule) RuleUsage (from PolicyRule) Mandatory (from PolicyRule) SequencedActions (from PolicyRule) ExecutionStrategy (from PolicyRule) - PolicyRoles (from PolicyRule) + PolicyRoles (from PolicySet) PolicyDecisionStrategy (from PolicySet) LimitNegotiation 4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, RuleUsage, Mandatory, SequencedActions, PolicyRoles, and PolicyDecisionStrategy For a description of these properties, see [PCIM] and [PCIME]. In SARule subclass instances: 
@@ -1022,40 +1023,39 @@ The class SARuleInPolicyGroup associates a SARule with the IPsecPolicyGroup that contains it. The class definition for SARuleInPolicyGroup is as follows: NAME SARuleInPolicyGroup DESCRIPTION Associates a SARule with the IPsecPolicyGroup that contains it. DERIVED FROM PolicySetComponent (see [PCIME]) ABSTRACT FALSE PROPERTIES Priority (from PolicySetComponent) - GroupComponent [ref IPsecPolicyGroup [1..1]] + GroupComponent [ref IPsecPolicyGroup [0..n]] PartComponent [ref SARule [0..n]] Note: an implementation can easily partition the set of SARules aggregated by a SARuleInPolicyGroup instance into one IKERule instances subset and into one IPsecRule instances subset based on the class type of the component instances (being either IKERule or IPsecRule instances). 4.7.1. The Property Priority For a description of this property, see [PCIME]. 4.7.2. The Reference GroupComponent The property GroupComponent is inherited from PolicyRuleInPolicyGroup and is overridden to refer to an IPsecPolicyGroup instance. The - [1..1] cardinality indicates that a SARule instance may be contained - in one and only one IPsecPolicyGroup instance (i.e., SARules are not - shared across IPsecPolicyGroups). + [0..n] cardinality indicates that a SARule instance may be shared + across multiple IPsecPolicyGroups). 4.7.3. The Reference PartComponent The property PartComponent is inherited from PolicyRuleInPolicyGroup and is overridden to refer to a SARule instance. The [0..n] cardinality indicates that an IPsecPolicyGroup instance may contain zero or more SARule instances. 4.8. The Aggregation Class SAConditionInRule 
@@ -1198,24 +1197,24 @@ associate various types of filters with policy rules via the FilterOfSACondition association. It also defines whether Credentials can be accepted for a particular policy rule via the AcceptCredentialsFrom association. Associated objects represent components of the condition that may or may not apply at a given rule evaluation. For example, an AcceptCredentialsFrom evaluation is only performed when a credential is available to be evaluated against the list of trusted credential management services. Similarly, a PeerIDPayloadFilterEntry may only - be evaluated when an IDPayload value is available to compared with - the filter. Condition components that do not have corresponding - values with which to evaluate are evaluated as TRUE unless the - protocol has completed without providing the required information. + be evaluated when an IDPayload value is available to compare with the + filter. Condition components that do not have corresponding values + with which to evaluate are evaluated as TRUE unless the protocol has + completed without providing the required information. The class definition for SACondition is as follows: NAME SACondition DESCRIPTION Defines the preconditions for IKE and IPsec negotiations. DERIVED FROM PolicyCondition (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyConditionName (from PolicyCondition) 
@@ -1262,48 +1261,48 @@ The property MatchFieldName specifies the sub-part of the credential to match against MatchFieldValue. The property is defined as follows: NAME MatchFieldName DESCRIPTION Specifies which sub-part of the credential to match. SYNTAX string VALUE This is the string representation of a X.509 certificate attribute, e.g.: - - ôserialNumberö - - ôsignatureAlgorithmö - - ôissuerNameö - - ôsubjectNameö - - ôsubjectAltNameö - - à + - "serialNumber" + - "signatureAlgorithm" + - "issuerName" + - "subjectName" + - "subjectAltName" + - ... 5.3.2. The Property MatchFieldValue The property MatchFieldValue specifies the value to compare with the MatchFieldName in a credential to determine if the credential matches this filter entry. The property is defined as follows: NAME MatchFieldValue DESCRIPTION Specifies the value to be matched by the MatchFieldName. SYNTAX string VALUE NB: If the CredentialFilterEntry corresponds to a DistinguishedName, this value in the CIM class is represented by an ordinary string value. However, an implementation must convert this string to a DER-encoded string before matching against the values extracted from credentials at runtime. A wildcard mechanism can be used in the MatchFieldValue string. E.g., - if the MatchFieldName is ôsubjectNameö then a MatchFieldValue of - ôcn=*,ou=engineering,o=foo,c=beö will match successfully a - certificate whose subject attribute is ôcn=Jane - Doe,ou=engineering,o=foo,c=beö. The wildcard character æ*Æ can be + if the MatchFieldName is "subjectName" then a MatchFieldValue of + "cn=*,ou=engineering,o=foo,c=be" will match successfully a + certificate whose subject attribute is "cn=Jane + Doe,ou=engineering,o=foo,c=be". The wildcard character '*' can be used to represent 0 or several characters. 5.3.3. The Property CredentialType The property CredentialType specifies the particular type of credential that is being matched. 
The property is defined as follows: NAME CredentialType DESCRIPTION Defines the type of IKE credentials. @@ -1346,26 +1344,28 @@ 5.4.2. The Property MatchConditionValue The property MatchConditionValue specifies the value of the IPSO header field to be matched against. The property is defined as follows: NAME MatchConditionValue DESCRIPTION Specifies the value of the IPSO header field to be matched against. SYNTAX unsigned 16-bit integer - VALUE For ClassificationLevel, the values are: + VALUE The values MUST be one of values listed in RFC 1108 (or + any further IANA Assigned Numbers document). Some + examples for ClassificationLevel are: 61 - TopSecret 90 - Secret 150 - Confidential 171 - Unclassified - For ProtectionAuthority, the values are: + For ProtectionAuthority, some examples are: 0 - GENSER 1 - SIOP-ESI 2 - SCI 3 - NSA 4 - DOE 5.5. The Class PeerIDPayloadFilterEntry The class PeerIDPayloadFilterEntry defines filters used to match ID payload values from the IKE protocol exchange. 
@@ -1381,81 +1381,73 @@ NAME PeerIDPayloadFilterEntry DESCRIPTION Specifies a match filter based on IKE identity. DERIVED FROM FilterEntryBase (see [CIMNETWORK]) ABSTRACT FALSE PROPERTIES Name (from FilterEntryBase) IsNegated (from FilterEntryBase) MatchIdentityType MatchIdentityValue 5.5.1. The Property MatchIdentityType + The property MatchIdentityType specifies the type of identity - provided by the peer in the ID payload." The property is defined as + provided by the peer in the ID payload. The property is defined as follows: NAME MatchIdentityType DESCRIPTION Specifies the ID payload type. SYNTAX unsigned 16-bit integer - VALUE 1 - IPv4 Address - 2 - FQDN - 3 - User FQDN - 4 - IPv4 Subnet - 5 - IPv6 Address - 6 - IPv6 Subnet - 7 - IPv4 Address Range - 8 - IPv6 Address Range - 9 - DER-Encoded ASN.1 X.500 Distinguished Name - 10 - DER-Encoded ASN.1 X.500 GeneralName - 11 - Key ID + VALUE Consult [DOI] for valid values. 5.5.2. The Property MatchIdentityValue The property MatchIdentityValue specifies the filter value for - comparison with the ID payload, e.g., *@company.com. The property is - defined as follows: + comparison with the ID payload, e.g., "*@company.com". The property + is defined as follows: NAME MatchIdentityValue DESCRIPTION Specifies the ID payload value. SYNTAX string VALUE NB: The syntax may need to be converted for comparison. If the PeerIDPayloadFilterEntry type is a DistinguishedName, the name in the MatchIdentityValue property is represented by an ordinary string value, but this value must be converted into a DER-encoded string before matching against the values extracted from IKE ID payloads at runtime. The same applies to IPv4 & IPv6 addresses. 
Different wildcard mechanisms can be used depending on the ID payload: - a MatchIdentityValue of "*@company.com" will match a user FQDN ID payload of "JDOE@COMPANY.COM" - a MatchIdentityValue of "*.company.com" will match a FQDN ID - payload of ôWWW.COMPANY.COM" + payload of "WWW.COMPANY.COM" - a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will - match a DER DN ID payload of ôcn=John + match a DER DN ID payload of "cn=John Doe,ou=engineering,o=company,c=us" - a MatchIdentityValue of "193.190.125.0/24" will match an IPv4 address ID payload of 193.190.125.10 - a MatchIdentityValue of "193.190.125.*" will also match an IPv4 address ID payload of 193.190.125.10. The above wildcard mechanisms MUST be supported for all ID payloads - supported by the local IKE entity. The character ô*ö replaces 0 or + supported by the local IKE entity. The character '*' replaces 0 or multiple instances of any character. 5.6. The Association Class FilterOfSACondition + The class FilterOfSACondition associates an SACondition with the filter specifications (FilterList) that make up the condition. The class definition for FilterOfSACondition is as follows: NAME FilterOfSACondition DESCRIPTION Associates a condition with the filter list that makes up the individual condition elements. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref FilterList[1..1]] 
@@ -1507,23 +1498,23 @@ 5.7.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an SACondition instance may be associated with zero or more CredentialManagementService instances. 5.7.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden - to refer to an SACondition instance. The [0..n] cardinality - indicates that a CredentialManagementService instance may be - associated with zero or more SACondition instances. + to refer to a SACondition instance. The [0..n] cardinality indicates + that a CredentialManagementService instance may be associated with + zero or more SACondition instances. 6. Action Classes The action classes are used to model the different actions an IPsec device may take when the evaluation of the associated condition results in a match. +----------+ | SAAction | +----------+ @@ -1742,21 +1733,21 @@ (respectively outbound SA), of the character "/" and of the hexadecimal representation of the SPI. Although the class is concrete, it MUST not be instantiated. The class definition for PreconfiguredSAAction is as follows: NAME PreconfiguredSAAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of a security association. DERIVED FROM SAStaticAction - ABSTRACT FALSE + ABSTRACT TRUE PROPERTIES LifetimeKilobytes 6.6.1. The Property LifetimeKilobytes The property LifetimeKilobytes specifies a traffic limit in kilobytes that can be consumed before the SA is deleted.. The property is defined as follows: NAME LifetimeKilobytes DESCRIPTION Specifies the SA lifetime in kilobytes. 
@@ -1833,22 +1824,21 @@ NAME SANegotiationAction DESCRIPTION Specifies a negotiation action . DERIVED FROM SAAction ABSTRACT TRUE 6.10. The Class IKENegotiationAction The class IKENegotiationAction is abstract and serves as the base class for IKE and IPsec actions that result in a IKE negotiation. - Although the class is concrete, is MUST not be instantiated. The - class definition for IKENegotiationAction is as follows: + The class definition for IKENegotiationAction is as follows: NAME IKENegotiationAction DESCRIPTION A base class for IKE and IPsec actions that specifies the parameters that are common for IKE phase 1 and IKE phase 2 IPsec DOI negotiations. DERIVED FROM SANegotiationAction ABSTRACT TRUE PROPERTIES MinLifetimeSeconds MinLifetimeKilobytes @@ -1903,30 +1892,29 @@ VALUE A value of zero indicates that idle detection should not be used for the security association (only the seconds and kilobyte lifetimes will be used). Any non-zero value indicates the number of seconds the security association may remain unused. 6.11. The Class IPsecAction The class IPsecAction serves as the base class for IPsec transport and tunnel actions. It specifies the parameters used for an IKE - phase 2 IPsec DOI negotiation. Although the class is concrete, is - MUST not be instantiated. The class definition for IPsecAction is as - follows: + phase 2 IPsec DOI negotiation. The class definition for IPsecAction + is as follows: NAME IPsecAction DESCRIPTION A base class for IPsec transport and tunnel actions that specifies the parameters for IKE phase 2 IPsec DOI negotiations. DERIVED FROM IKENegotiationAction - ABSTRACT FALSE + ABSTRACT TRUE PROPERTIES UsePFS UseIKEGroup GroupId Granularity VendorID 6.11.1. The Property UsePFS The property UsePFS specifies whether or not perfect forward secrecy should be used when refreshing keys. The property is defined as 
@@ -2070,32 +2058,23 @@ 6.14.2. The Property UseIKEIdentityType The property UseIKEIdentityType specifies what IKE identity type should be used when negotiating with the peer. This information is used in conjunction with the IKE identities available on the system and the IdentityContexts of the matching IKERule. The property is defined as follows: NAME UseIKEIdentityType DESCRIPTION Specifies the IKE identity to use during negotiation. + SYNTAX unsigned 16-bit integer - VALUE 1 - IPv4 Address - 2 - FQDN - 3 - User FQDN - 4 - IPv4 Subnet - 5 - IPv6 Address - 6 - IPv6 Subnet - 7 - IPv4 Address Range - 8 - IPv6 Address Range - 9 - DER-Encoded ASN.1 X.500 Distinguished Name - 10 - DER-Encoded ASN.1 X.500 GeneralName - 11 - Key ID + VALUE Consult [DOI] for valid values. 6.14.3. The Property VendorID The property VendorID specifies the value to be used in the Vendor ID payload. The property is defined as follows: NAME VendorID DESCRIPTION Vendor ID Payload. SYNTAX string VALUE A value of NULL means that Vendor ID payload will be 
@@ -2145,31 +2124,21 @@ SYNTAX string 6.15.2. The Property PeerIdentityType The property PeerIdentityType specifies the IKE identity type of the security gateway. The property is defined as follows: NAME PeerIdentityType DESCRIPTION Specifies the IKE identity type of the security gateway. SYNTAX unsigned 16-bit integer - VALUE 1 - IPv4 Address - 2 - FQDN - 3 - User FQDN - 4 - IPv4 Subnet - 5 - IPv6 Address - 6 - IPv6 Subnet - 7 - IPv4 Address Range - 8 - IPv6 Address Range - 9 - DER-Encoded ASN.1 X.500 Distinguished Name - 10 - DER-Encoded ASN.1 X.500 GeneralName - 11 - Key ID + VALUE Consult [DOI] for valid values. 6.15.3. The Property PeerIdentity The property PeerIdentity specifies the IKE identity value of the security gateway. A conversion may be needed between the PeerIdentity string representation and the real value used in the ID payload (e.g. IP address is to be converted from a dotted decimal string into 4 bytes). The property is defined as follows: NAME PeerIdentity @@ -2296,22 +2264,23 @@ only one System instance. 6.18.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerGateway instances. 6.19. The Association Class TransformOfPreconfiguredAction + The class TransformOfPreconfiguredAction associates a - PreconfiguredSAAction with from two to six SATransforms that will be + PreconfiguredSAAction with two, four or six SATransforms that will be applied to the inbound and outbound traffic. The order of application of the SATransforms is implicitly defined in [IPSEC]. The class definition for TransformOfPreconfiguredAction is as follows: NAME TransformOfPreconfiguredAction DESCRIPTION Associates a PreconfiguredSAAction with from one to three SATransforms. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE 
@@ -2351,21 +2320,21 @@ NAME Direction DESCRIPTION Specifies whether the SA is for inbound or outbound traffic. SYNTAX unsigned 8-bit integer VALUE 1 - this SA is for inbound traffic 2 - this SA is for outbound traffic 6.20 The Association Class PeerGatewayForPreconfiguredTunnel - The class PeerGatewayForPreconfiguredTunnel associates one or one + The class PeerGatewayForPreconfiguredTunnel associates zero or one PeerGateway with multiple PreconfiguredTunnelActions. The class definition for PeerGatewayForPreconfiguredTunnel is as follows: NAME PeerGatewayForPreconfiguredTunnel DESCRIPTION Associates a PeerGateway with multiple PreconfiguredTunnelAction. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent[ref PeerGateway[0..1]] Dependent[ref PreconfiguredTunnelAction[0..n]] 
@@ -2590,32 +2560,34 @@ 7.4. The Abstract Class SATransform The abstract class SATransform serves as the base class for the IPsec transforms that can be used to compose an IPsec proposal or to be used as a pre-configured action. The class definition for SATransform is as follows: NAME SATransform DESCRIPTION Base class for the different IPsec transforms. ABSTRACT TRUE - PROPERTIES TransformName + PROPERTIES CommonName (from Policy) VendorID MaxLifetimeSeconds MaxLifetimeKilobytes -7.4.1. The Property TransformName +7.4.1. The Property CommonName - The property TransformName specifies a user-friendly name for the - SATransform. The property is defined as follows: + The property CommonName is inherited from Policy [PCIM] and specifies + a user-friendly name for the SATransform. The property is defined as + follows: - NAME TransformName - DESCRIPTION Specifies a user-friendly name for this transform. + NAME CommonName + DESCRIPTION Specifies a user-friendly name for this Policy-related + object. SYNTAX string 7.4.2. The Property VendorID The property VendorID specifies the vendor ID for vendor-defined transforms. The property is defined as follows: NAME VendorID DESCRIPTION Specifies the vendor ID for vendor-defined transforms. SYNTAX string @@ -3030,21 +3002,21 @@ mappings between identities and their addresses. The class definition for PeerIdentityTable is as follows: NAME PeerIdentityTable DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry instances to provide a table of identity-address mappings. DERIVED FROM Collection (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Name -8.3.1. The Property Name +8.2.1. The Property Name The property Name uniquely identifies the table. The property is defined as follows: NAME Name DESCRIPTION Name uniquely identifies the table. SYNTAX string 8.3. The Class PeerIdentityEntry 
@@ -3054,24 +3026,26 @@ NAME PeerIdentityEntry DESCRIPTION PeerIdentityEntry provides a mapping between a peer's identity and address. DERIVED FROM LogicalElement (see [CIMCORE]) ABSTRACT FALSE PROPERTIES PeerIdentity PeerIdentityType PeerAddress PeerAddressType + The pre-shared key to be used with this peer (if applicable) is contained in an instance of the class SharedSecret (see [CIMUSER]). + The pre-shared key is stored in the property Secret, the property - protocol contains ôIKE", the property algorithm contains the + protocol contains "IKE", the property algorithm contains the algorithm used to protect the secret (can be "PLAINTEXT" if the IPsec entity has no secret storage), the value of property RemoteID must match the PeerIdentity property of the PeerIdentityEntry instance describing the IKE peer. 8.3.1. The Property PeerIdentity The property PeerIdentity contains a string encoding of the Identity payload for the IKE peer. The property is defined as follows: @@ -3265,21 +3240,21 @@ IdentityValue IdentityContexts 8.6.1. The Property IdentityType The property IdentityType is an enumeration that specifies the type of the IdentityValue. The property is defined as follows: NAME IdentityType DESCRIPTION IdentityType is the type of the IdentityValue. - SYNTAX unsigned 8-bit integer + SYNTAX unsigned 16-bit integer VALUE The enumeration values are specified in [DOI] section 4.6.2.1. 8.6.2. The Property IdentityValue The property IdentityValue contains a string encoding of the Identity payload. For IKEIdentity instances that are address types (i.e. IPv4 or IPv6 addresses), the IdentityValue string value MAY be omitted; then the associated IPProtocolEndpoint (or appropriate member of the Collection of endpoints) is used as the identity value. The property 
@@ -3709,232 +3685,233 @@ overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Credential instance may be associated with zero or more IKEIdentity instances. 9. Implementation Requirements The following table specifies which classes, properties, associations and aggregations MUST or SHOULD or MAY be implemented. 4. Policy Classes - 4.1. The Class IPsecPolicyGroup................................MUST - 4.2. The Class SARule..........................................MUST - 4.2.1. The Property PolicyRuleName..............................MAY - 4.2.1. The Property Enabled....................................MUST - 4.2.1. The Property ConditionListType..........................MUST - 4.2.1. The Property RuleUsage...................................MAY - 4.2.1. The Property Mandatory...................................MAY - 4.2.1. The Property SequencedActions...........................MUST - 4.2.1. The Property PolicyRoles.................................MAY - 4.2.1. The Property PolicyDecisionStrategy......................MAY - 4.2.2 The Property ExecutionStrategy..........................MUST - 4.2.3 The Property LimitNegotiation............................MAY - 4.3. The Class IKERule.........................................MUST - 4.3.1. The Property IdentityContexts............................MAY - 4.4. The Class IPsecRule.......................................MUST - 4.5. The Association Class IPsecPolicyForEndpoint...............MAY - 4.5.1. The Reference Antecedent................................MUST - 4.5.2. The Reference Dependent.................................MUST - 4.6. The Association Class IPsecPolicyForSystem.................MAY - 4.6.1. The Reference Antecedent................................MUST - 4.6.2. The Reference Dependent.................................MUST - 4.7. The Aggregation Class SARuleInPolicyGroup.................MUST - 4.7.1. The Property Priority.................................SHOULD - 4.7.2. 
The Reference GroupComponent............................MUST - 4.7.3. The Reference PartComponent.............................MUST - 4.8. The Aggregation Class SAConditionInRule...................MUST - 4.8.1. The Property GroupNumber..............................SHOULD - 4.8.1. The Property ConditionNegated.........................SHOULD - 4.8.2. The Reference GroupComponent............................MUST - 4.8.3. The Reference PartComponent.............................MUST - 4.9. The Aggregation Class PolicyActionInSARule................MUST - 4.9.1. The Reference GroupComponent............................MUST - 4.9.2. The Reference PartComponent.............................MUST - 4.9.3. The Property ActionOrder..............................SHOULD + 4.1. The Class IPsecPolicyGroup...............................MUST + 4.2. The Class SARule........................................MUST + 4.2.1. The Property PolicyRuleName.............................MAY + 4.2.1. The Property Enabled..................................MUST + 4.2.1. The Property ConditionListType.........................MUST + 4.2.1. The Property RuleUsage..................................MAY + 4.2.1. The Property Mandatory..................................MAY + 4.2.1. The Property SequencedActions..........................MUST + 4.2.1. The Property PolicyRoles................................MAY + 4.2.1. The Property PolicyDecisionStrategy.....................MAY + 4.2.2 The Property ExecutionStrategy.........................MUST + 4.2.3 The Property LimitNegotiation...........................MAY + 4.3. The Class IKERule.......................................MUST + 4.3.1. The Property IdentityContexts...........................MAY + 4.4. The Class IPsecRule.....................................MUST + 4.5. The Association Class IPsecPolicyForEndpoint..............MAY + 4.5.1. The Reference Antecedent...............................MUST + 4.5.2. 
The Reference Dependent................................MUST + 4.6. The Association Class IPsecPolicyForSystem................MAY + 4.6.1. The Reference Antecedent...............................MUST + 4.6.2. The Reference Dependent................................MUST + 4.7. The Aggregation Class SARuleInPolicyGroup................MUST + 4.7.1. The Property Priority................................SHOULD + 4.7.2. The Reference GroupComponent...........................MUST + 4.7.3. The Reference PartComponent............................MUST + 4.8. The Aggregation Class SAConditionInRule..................MUST + 4.8.1. The Property GroupNumber.............................SHOULD + 4.8.1. The Property ConditionNegated........................SHOULD + 4.8.2. The Reference GroupComponent...........................MUST + 4.8.3. The Reference PartComponent............................MUST + 4.9. The Aggregation Class PolicyActionInSARule...............MUST + 4.9.1. The Reference GroupComponent...........................MUST + 4.9.2. The Reference PartComponent............................MUST + 4.9.3. The Property ActionOrder.............................SHOULD 5. Condition and Filter Classes - 5.1. The Class SACondition.....................................MUST - 5.2. The Class IPHeadersFilter...............................SHOULD - 5.3. The Class CredentialFilterEntry............................MAY - 5.3.1. The Property MatchFieldName.............................MUST - 5.3.2. The Property MatchFieldValue............................MUST - 5.3.3. The Property CredentialType.............................MUST - 5.4. The Class IPSOFilterEntry..................................MAY - 5.4.1. The Property MatchConditionType.........................MUST - 5.4.2. The Property MatchConditionValue........................MUST - 5.5. The Class PeerIDPayloadFilterEntry.........................MAY - 5.5.1. The Property MatchIdentityType..........................MUST - 5.5.2. 
The Property MatchIdentityValue.........................MUST - 5.6. The Association Class FilterOfSACondition...............SHOULD - 5.6.1. The Reference Antecedent................................MUST - 5.6.2. The Reference Dependent.................................MUST - 5.7. The Association Class AcceptCredentialFrom.................MAY - 5.7.1. The Reference Antecedent................................MUST - 5.7.2. The Reference Dependent.................................MUST + 5.1. The Class SACondition...................................MUST + 5.2. The Class IPHeadersFilter..............................SHOULD + 5.3. The Class CredentialFilterEntry...........................MAY + 5.3.1. The Property MatchFieldName............................MUST + 5.3.2. The Property MatchFieldValue...........................MUST + 5.3.3. The Property CredentialType............................MUST + 5.4. The Class IPSOFilterEntry.................................MAY + 5.4.1. The Property MatchConditionType........................MUST + 5.4.2. The Property MatchConditionValue.......................MUST + 5.5. The Class PeerIDPayloadFilterEntry........................MAY + 5.5.1. The Property MatchIdentityType.........................MUST + 5.5.2. The Property MatchIdentityValue........................MUST + 5.6. The Association Class FilterOfSACondition..............SHOULD + 5.6.1. The Reference Antecedent...............................MUST + 5.6.2. The Reference Dependent................................MUST + 5.7. The Association Class AcceptCredentialFrom................MAY + 5.7.1. The Reference Antecedent...............................MUST + 5.7.2. The Reference Dependent................................MUST 6. Action Classes - 6.1. The Class SAAction........................................MUST - 6.1.1. The Property DoActionLogging.............................MAY - 6.1.2. The Property DoPacketLogging.............................MAY - 6.2. 
The Class SAStaticAction..................................MUST - 6.2.1. The Property LifetimeSeconds............................MUST - 6.3. The Class IPsecBypassAction.............................SHOULD - 6.4. The Class IPsecDiscardAction............................SHOULD - 6.5. The Class IKERejectAction..................................MAY - 6.6. The Class PreconfiguredSAAction...........................MUST - 6.6.1. The Property LifetimeKilobytes..........................MUST - 6.7. The Class PreconfiguredTransportAction....................MUST - 6.8. The Class PreconfiguredTunnelAction.......................MUST - 6.8.1. The Property DFHandling.................................MUST - 6.9. The Class SANegotiationAction.............................MUST - 6.10. The Class IKENegotiationAction...........................MUST - 6.10.1. The Property MinLifetimeSeconds.........................MAY - 6.10.2. The Property MinLifetimeKilobytes.......................MAY - 6.10.3. The Property IdleDurationSeconds........................MAY - 6.11. The Class IPsecAction....................................MUST - 6.11.1. The Property UsePFS....................................MUST - 6.11.2. The Property UseIKEGroup................................MAY - 6.11.3. The Property GroupId...................................MUST - 6.11.4. The Property Granularity.............................SHOULD - 6.11.5. The Property VendorID...................................MAY - 6.12. The Class IPsecTransportAction...........................MUST - 6.13. The Class IPsecTunnelAction..............................MUST - 6.13.1. The Property DFHandling................................MUST - 6.14. The Class IKEAction......................................MUST - 6.14.1. The Property ExchangeMode ............................MUST - 6.14.2. The Property UseIKEIdentityType........................MUST - 6.14.3. The Property VendorID...................................MAY - 6.14.4. 
The Property AggressiveModeGroupId......................MAY - 6.15. The Class PeerGateway....................................MUST - 6.15.1. The Property Name....................................SHOULD - 6.15.2. The Property PeerIdentityType..........................MUST - 6.15.3. The Property PeerIdentity..............................MUST - 6.16. The Association Class PeerGatewayForTunnel...............MUST - 6.16.1. The Reference Antecedent...............................MUST - 6.16.2. The Reference Dependent................................MUST - 6.16.3. The Property SequenceNumber..........................SHOULD - 6.17. The Aggregation Class ContainedProposal..................MUST - 6.17.1. The Reference GroupComponent...........................MUST - 6.17.2. The Reference PartComponent............................MUST - 6.17.3. The Property SequenceNumber............................MUST - 6.18. The Association Class HostedPeerGatewayInformation........MAY - 6.18.1. The Reference Antecedent...............................MUST - 6.18.2. The Reference Dependent................................MUST - 6.19. The Association Class TransformOfPreconfiguredAction.....MUST - 6.19.1. The Reference Antecedent...............................MUST - 6.19.2. The Reference Dependent................................MUST - 6.19.3. The Property SPI.......................................MUST - 6.19.4. The Property Direction.................................MUST + 6.1. The Class SAAction......................................MUST + 6.1.1. The Property DoActionLogging............................MAY + 6.1.2. The Property DoPacketLogging............................MAY + 6.2. The Class SAStaticAction.................................MUST + 6.2.1. The Property LifetimeSeconds...........................MUST + 6.3. The Class IPsecBypassAction............................SHOULD + 6.4. The Class IPsecDiscardAction...........................SHOULD + 6.5. 
The Class IKERejectAction.................................MAY + 6.6. The Class PreconfiguredSAAction..........................MUST + 6.6.1. The Property LifetimeKilobytes.........................MUST + 6.7. The Class PreconfiguredTransportAction...................MUST + 6.8. The Class PreconfiguredTunnelAction......................MUST + 6.8.1. The Property DFHandling................................MUST + 6.9. The Class SANegotiationAction............................MUST + 6.10. The Class IKENegotiationAction..........................MUST + 6.10.1. The Property MinLifetimeSeconds........................MAY + 6.10.2. The Property MinLifetimeKilobytes......................MAY + + 6.10.3. The Property IdleDurationSeconds.......................MAY + 6.11. The Class IPsecAction..................................MUST + 6.11.1. The Property UsePFS..................................MUST + 6.11.2. The Property UseIKEGroup...............................MAY + 6.11.3. The Property GroupId..................................MUST + 6.11.4. The Property Granularity............................SHOULD + 6.11.5. The Property VendorID..................................MAY + 6.12. The Class IPsecTransportAction..........................MUST + 6.13. The Class IPsecTunnelAction.............................MUST + 6.13.1. The Property DFHandling...............................MUST + 6.14. The Class IKEAction....................................MUST + 6.14.1. The Property ExchangeMode ...........................MUST + 6.14.2. The Property UseIKEIdentityType.......................MUST + 6.14.3. The Property VendorID..................................MAY + 6.14.4. The Property AggressiveModeGroupId.....................MAY + 6.15. The Class PeerGateway..................................MUST + 6.15.1. The Property Name..................................SHOULD + 6.15.2. The Property PeerIdentityType.........................MUST + 6.15.3. The Property PeerIdentity.............................MUST + 6.16. 
The Association Class PeerGatewayForTunnel..............MUST + 6.16.1. The Reference Antecedent..............................MUST + 6.16.2. The Reference Dependent...............................MUST + 6.16.3. The Property SequenceNumber.........................SHOULD + 6.17. The Aggregation Class ContainedProposal.................MUST + 6.17.1. The Reference GroupComponent..........................MUST + 6.17.2. The Reference PartComponent...........................MUST + 6.17.3. The Property SequenceNumber...........................MUST + 6.18. The Association Class HostedPeerGatewayInformation.......MAY + 6.18.1. The Reference Antecedent..............................MUST + 6.18.2. The Reference Dependent...............................MUST + 6.19. The Association Class TransformOfPreconfiguredAction....MUST + 6.19.1. The Reference Antecedent..............................MUST + 6.19.2. The Reference Dependent...............................MUST + 6.19.3. The Property SPI.....................................MUST + 6.19.4. The Property Direction................................MUST 6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST - 6.20.1. The Reference Antecedent...............................MUST - 6.20.2. The Reference Dependent................................MUST + 6.20.1. The Reference Antecedent..............................MUST + 6.20.2. The Reference Dependent...............................MUST 7. Proposal and Transform Classes - 7.1. The Abstract Class SAProposal.............................MUST - 7.1.1. The Property Name.....................................SHOULD - 7.2. The Class IKEProposal.....................................MUST - 7.2.1. The Property CipherAlgorithm............................MUST - 7.2.2. The Property HashAlgorithm..............................MUST - 7.2.3. The Property PRFAlgorithm................................MAY - 7.2.4. The Property GroupId....................................MUST - 7.2.5. 
The Property AuthenticationMethod.......................MUST - 7.2.6. The Property MaxLifetimeSeconds.........................MUST - 7.2.7. The Property MaxLifetimeKilobytes.......................MUST - 7.2.8. The Property VendorID....................................MAY - 7.3. The Class IPsecProposal...................................MUST - 7.4. The Abstract Class SATransform............................MUST - 7.4.1. The Property TransformName............................SHOULD - 7.4.2. The Property VendorID....................................MAY - 7.4.3. The Property MaxLifetimeSeconds.........................MUST - 7.4.4. The Property MaxLifetimeKilobytes.......................MUST - 7.5. The Class AHTransform.....................................MUST - 7.5.1. The Property AHTransformId..............................MUST - 7.5.2. The Property UseReplayPrevention.........................MAY - 7.5.3. The Property ReplayPreventionWindowSize..................MAY - 7.6. The Class ESPTransform....................................MUST - 7.6.1. The Property IntegrityTransformId.......................MUST - 7.6.2. The Property CipherTransformId..........................MUST - 7.6.3. The Property CipherKeyLength.............................MAY - 7.6.4. The Property CipherKeyRounds.............................MAY - 7.6.5. The Property UseReplayPrevention.........................MAY - 7.6.6. The Property ReplayPreventionWindowSize..................MAY - 7.7. The Class IPCOMPTransform..................................MAY - 7.7.1. The Property Algorithm..................................MUST - 7.7.2. The Property DictionarySize..............................MAY - 7.7.3. The Property PrivateAlgorithm............................MAY - 7.8. The Association Class SAProposalInSystem...................MAY - 7.8.1. The Reference Antecedent................................MUST - 7.8.2. The Reference Dependent.................................MUST - 7.9. 
The Aggregation Class ContainedTransform..................MUST - 7.9.1. The Reference GroupComponent............................MUST - 7.9.2. The Reference PartComponent.............................MUST - 7.9.3. The Property SequenceNumber.............................MUST - 7.10. The Association Class SATransformInSystem.................MAY - 7.10.1. The Reference Antecedent...............................MUST - 7.10.2. The Reference Dependent................................MUST + 7.1. The Abstract Class SAProposal............................MUST + 7.1.1. The Property Name...................................SHOULD + 7.2. The Class IKEProposal...................................MUST + 7.2.1. The Property CipherAlgorithm...........................MUST + 7.2.2. The Property HashAlgorithm.............................MUST + 7.2.3. The Property PRFAlgorithm...............................MAY + 7.2.4. The Property GroupId..................................MUST + 7.2.5. The Property AuthenticationMethod......................MUST + 7.2.6. The Property MaxLifetimeSeconds........................MUST + 7.2.7. The Property MaxLifetimeKilobytes......................MUST + 7.2.8. The Property VendorID...................................MAY + 7.3. The Class IPsecProposal..................................MUST + 7.4. The Abstract Class SATransform...........................MUST + 7.4.1. The Property TransformName...........................SHOULD + 7.4.2. The Property VendorID...................................MAY + 7.4.3. The Property MaxLifetimeSeconds........................MUST + 7.4.4. The Property MaxLifetimeKilobytes......................MUST + 7.5. The Class AHTransform...................................MUST + 7.5.1. The Property AHTransformId.............................MUST + 7.5.2. The Property UseReplayPrevention........................MAY + 7.5.3. The Property ReplayPreventionWindowSize.................MAY + 7.6. 
The Class ESPTransform..................................MUST + 7.6.1. The Property IntegrityTransformId......................MUST + 7.6.2. The Property CipherTransformId.........................MUST + 7.6.3. The Property CipherKeyLength............................MAY + 7.6.4. The Property CipherKeyRounds............................MAY + 7.6.5. The Property UseReplayPrevention........................MAY + 7.6.6. The Property ReplayPreventionWindowSize.................MAY + 7.7. The Class IPCOMPTransform.................................MAY + 7.7.1. The Property Algorithm.................................MUST + 7.7.2. The Property DictionarySize.............................MAY + 7.7.3. The Property PrivateAlgorithm...........................MAY + 7.8. The Association Class SAProposalInSystem..................MAY + 7.8.1. The Reference Antecedent...............................MUST + 7.8.2. The Reference Dependent................................MUST + 7.9. The Aggregation Class ContainedTransform.................MUST + 7.9.1. The Reference GroupComponent...........................MUST + 7.9.2. The Reference PartComponent............................MUST + 7.9.3. The Property SequenceNumber............................MUST + 7.10. The Association Class SATransformInSystem................MAY + 7.10.1. The Reference Antecedent..............................MUST + 7.10.2. The Reference Dependent...............................MUST 8. IKE Service and Identity Classes - 8.1. The Class IKEService.......................................MAY - 8.2. The Class PeerIdentityTable................................MAY - 8.3.1. The Property Name.....................................SHOULD - 8.3. The Class PeerIdentityEntry................................MAY - 8.3.1. The Property PeerIdentity.............................SHOULD - 8.3.2. The Property PeerIdentityType.........................SHOULD - 8.3.3. The Property PeerAddress..............................SHOULD - 8.3.4. 
The Property PeerAddressType..........................SHOULD - 8.4. The Class AutostartIKEConfiguration........................MAY - 8.5. The Class AutostartIKESetting..............................MAY - 8.5.1. The Property Phase1Only..................................MAY - 8.5.2. The Property AddressType..............................SHOULD - 8.5.3. The Property SourceAddress..............................MUST - 8.5.4. The Property SourcePort.................................MUST - 8.5.5. The Property DestinationAddress.........................MUST - 8.5.6. The Property DestinationPort............................MUST - 8.5.7. The Property Protocol...................................MUST - 8.6. The Class IKEIdentity......................................MAY - 8.6.1. The Property IdentityType...............................MUST - 8.6.2. The Property IdentityValue..............................MUST - 8.6.3. The Property IdentityContexts............................MAY - 8.7. The Association Class HostedPeerIdentityTable..............MAY - 8.7.1. The Reference Antecedent................................MUST - 8.7.2. The Reference Dependent.................................MUST - 8.8. The Aggregation Class PeerIdentityMember...................MAY - 8.8.1. The Reference Collection................................MUST - 8.8.2. The Reference Member....................................MUST - 8.9. The Association Class IKEServicePeerGateway................MAY - 8.9.1. The Reference Antecedent................................MUST - 8.9.2. The Reference Dependent.................................MUST - 8.10. The Association Class IKEServicePeerIdentityTable.........MAY - 8.10.1. The Reference Antecedent...............................MUST - 8.10.2. The Reference Dependent................................MUST - 8.11. The Association Class IKEAutostartSetting.................MAY - 8.11.1. The Reference Element..................................MUST - 8.11.2. 
The Reference Setting..................................MUST - 8.12. The Aggregation Class AutostartIKESettingContext..........MAY - 8.12.1. The Reference Context..................................MUST - 8.12.2. The Reference Setting..................................MUST - 8.12.3. The Property SequenceNumber..........................SHOULD - 8.13. The Association Class IKEServiceForEndpoint...............MAY - 8.13.1. The Reference Antecedent...............................MUST - 8.13.2. The Reference Dependent................................MUST - 8.14. The Association Class IKEAutostartConfiguration...........MAY - 8.14.1. The Reference Antecedent...............................MUST - 8.14.2. The Reference Dependent................................MUST - 8.14.3. The Property Active..................................SHOULD + 8.1. The Class IKEService.....................................MAY + 8.2. The Class PeerIdentityTable...............................MAY + 8.3.1. The Property Name...................................SHOULD + 8.3. The Class PeerIdentityEntry...............................MAY + 8.3.1. The Property PeerIdentity............................SHOULD + 8.3.2. The Property PeerIdentityType........................SHOULD + 8.3.3. The Property PeerAddress.............................SHOULD + 8.3.4. The Property PeerAddressType.........................SHOULD + 8.4. The Class AutostartIKEConfiguration.......................MAY + 8.5. The Class AutostartIKESetting.............................MAY + 8.5.1. The Property Phase1Only.................................MAY + 8.5.2. The Property AddressType.............................SHOULD + 8.5.3. The Property SourceAddress.............................MUST + 8.5.4. The Property SourcePort................................MUST + 8.5.5. The Property DestinationAddress........................MUST + 8.5.6. The Property DestinationPort...........................MUST + 8.5.7. 
The Property Protocol..................................MUST + 8.6. The Class IKEIdentity....................................MAY + 8.6.1. The Property IdentityType..............................MUST + 8.6.2. The Property IdentityValue.............................MUST + 8.6.3. The Property IdentityContexts...........................MAY + 8.7. The Association Class HostedPeerIdentityTable.............MAY + 8.7.1. The Reference Antecedent...............................MUST + 8.7.2. The Reference Dependent................................MUST + 8.8. The Aggregation Class PeerIdentityMember..................MAY + 8.8.1. The Reference Collection...............................MUST + 8.8.2. The Reference Member..................................MUST + 8.9. The Association Class IKEServicePeerGateway...............MAY + 8.9.1. The Reference Antecedent...............................MUST + 8.9.2. The Reference Dependent................................MUST + 8.10. The Association Class IKEServicePeerIdentityTable........MAY + 8.10.1. The Reference Antecedent..............................MUST + 8.10.2. The Reference Dependent...............................MUST + 8.11. The Association Class IKEAutostartSetting................MAY + 8.11.1. The Reference Element.................................MUST + 8.11.2. The Reference Setting.................................MUST + 8.12. The Aggregation Class AutostartIKESettingContext.........MAY + 8.12.1. The Reference Context.................................MUST + 8.12.2. The Reference Setting.................................MUST + 8.12.3. The Property SequenceNumber.........................SHOULD + 8.13. The Association Class IKEServiceForEndpoint..............MAY + 8.13.1. The Reference Antecedent..............................MUST + 8.13.2. The Reference Dependent...............................MUST + 8.14. The Association Class IKEAutostartConfiguration..........MAY + 8.14.1. The Reference Antecedent..............................MUST + 8.14.2. 
The Reference Dependent...............................MUST + 8.14.3. The Property Active................................SHOULD 8.15. The Association Class IKEUsesCredentialManagementService..MAY - 8.15.1. The Reference Antecedent...............................MUST - 8.15.2. The Reference Dependent................................MUST - 8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY - 8.16.1. The Reference Antecedent...............................MUST - 8.16.2. The Reference Dependent................................MUST - 8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY - 8.17.1. The Reference Antecedent...............................MUST - 8.17.2. The Reference Dependent................................MUST - 8.18. The Association Class IKEIdentitysCredential..............MAY - 8.18.1. The Reference Antecedent...............................MUST - 8.18.2. The Reference Dependent................................MUST + 8.15.1. The Reference Antecedent..............................MUST + 8.15.2. The Reference Dependent...............................MUST + 8.16. The Association Class EndpointHasLocalIKEIdentity........MAY + 8.16.1. The Reference Antecedent..............................MUST + 8.16.2. The Reference Dependent...............................MUST + 8.17. The Association Class CollectionHasLocalIKEIdentity......MAY + 8.17.1. The Reference Antecedent..............................MUST + 8.17.2. The Reference Dependent...............................MUST + 8.18. The Association Class IKEIdentitysCredential.............MAY + 8.18.1. The Reference Antecedent..............................MUST + 8.18.2. The Reference Dependent...............................MUST 10. Security Considerations This document describes a schema for IPsec policy. It does not detail security requirements for storage or delivery of said schema. 
Storage and delivery security requirements should be detailed in a comprehensive security policy architecture document. 11. Intellectual Property @@ -3955,22 +3932,22 @@ The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. 12. Acknowledgments The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire, - Vic Lortz, William Dixon, Man Li and Ricky Charlet for their - contributions to this IPsec policy model. + Vic Lortz, William Dixon, Man Li, Wes Hardaker and Ricky Charlet for + their contributions to this IPsec policy model. Additionally, this draft would not have been possible without the preceding IPsec schema drafts. For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan. 13. References [IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998. 
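Review bot: the conformance-table hunk carries over a numbering error from -05 instead of fixing it: the entry "8.3.1. The Property Name.....SHOULD" sits directly under "8.2. The Class PeerIdentityTable" and before "8.3. The Class PeerIdentityEntry", and 8.3.1 is then assigned again to "The Property PeerIdentity". Following the pattern used elsewhere in the table (e.g. 6.15.1 listed under 6.15), the Name entry should be renumbered 8.2.1, or the body section it refers to checked and the table made to match. The realignment pass also introduces a stray "+" blank line between "6.10.2. The Property MinLifetimeKilobytes" and "6.10.3. The Property IdleDurationSeconds", which splits the table in the middle of the 6.10 entries and should be dropped, and it keeps the extra space before the dot leader in "6.14.1. The Property ExchangeMode ....MUST" on the new side even though it re-spaces every other row; since the whole table is being re-laid-out anyway, that row should be aligned like its neighbours.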
@@ -4011,31 +3988,30 @@ Requirement Levels", BCP 14, RFC 2119, March 1997. [IPSO] Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991. [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [DMTF] Distributed Management Task Force, http://www.dmtf.org/ - [CIMCORE] DMTF Common Information Model - Core Model v2.5, - http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25.mof and - http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25_Add.mof - - [CIMUSER] DMTF Common Information Model - User-Security Model v2.5, - http://www.dmtf.org/var/release/CIM_Schema25/CIM_User25.mof - - [CIMNETWORK] DMTF Common Information Model - Network Model v2.5, - http://www.dmtf.org/var/release/CIM_Schema25/CIM_Network25.mof + [CIMCORE] DMTF Common Information Model - Core Model v2.6 which can + be found at http://www.dmtf.org/standards/cim_schema_v26.php + [CIMUSER] DMTF Common Information Model - User-Security Model v2.6 + which can be found at + http://www.dmtf.org/standards/cim_schema_v26.php + [CIMNETWORK] DMTF Common Information Model - Network Model v2.6 which + can be found at http://www.dmtf.org/standards/cim_schema_v26.php 14. Disclaimer + The views and specification herein are those of the authors and are not necessarily those of their employer. The authors and their employer specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this specification. 15. Authors' Addresses Jamie Jason Intel Corporation
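Review bot: in the references hunk the replacement [CIMCORE], [CIMUSER] and [CIMNETWORK] entries drop the blank lines that separated them on the -05 side, so the three citations now run together as one block while every other entry in the list (e.g. [IPSO], [IPSEC], [DMTF]) is separated by a blank line; restore the separators. The new wording "which can be found at" / "which can be found at" / "which can be found at" is also repeated verbatim across the three entries and differs from the bare-URL style of the adjacent "[DMTF] Distributed Management Task Force, http://www.dmtf.org/" entry; suggest the shorter form, e.g. "[CIMCORE] DMTF Common Information Model - Core Model v2.6, http://www.dmtf.org/standards/cim_schema_v26.php". Note too that all three now point at the same schema landing page where -05 cited the individual MOF files, so a reader can no longer tell from the citation which file defines the classes the model relies on; if the v2.6 MOF files are individually addressable, citing them directly would keep the references as precise as before.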