draft-ietf-ipsp-config-policy-model-06.txt   rfc3585.txt 
Internet Engineering Task Force Jamie Jason Network Working Group J. Jason
INTERNET DRAFT Intel Corporation Request for Comments: 3585 Intel Corporation
August-2002 Lee Rafalow Category: Standards Track L. Rafalow
IBM IBM
Eric Vyncke E. Vyncke
Cisco Systems Cisco Systems
August 2003
IPsec Configuration Policy Model IPsec Configuration Policy Information Model
draft-ietf-ipsp-config-policy-model-06.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document specifies an Internet standards track protocol for the
all provisions of Section 10 of RFC2026. Internet-Drafts are working Internet community, and requests discussion and suggestions for
documents of the Internet Engineering Task Force (IETF), its areas, improvements. Please refer to the current edition of the "Internet
and its working groups. Note that other groups may also distribute Official Protocol Standards" (STD 1) for the standardization state
working documents as Internet-Drafts. and status of this protocol. Distribution of this memo is unlimited.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at Copyright Notice
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at Copyright (C) The Internet Society (2003). All Rights Reserved.
http://www.ietf.org/shadow.html.
Abstract Abstract
This document presents an object-oriented information model of IPsec This document presents an object-oriented information model of IP
policy designed to: Security (IPsec) policy designed to facilitate agreement about the
o facilitate agreement about the content and semantics of IPsec content and semantics of IPsec policy, and enable derivations of
policy task-specific representations of IPsec policy such as storage schema,
o enable derivations of task-specific representations of IPsec distribution representations, and policy specification languages used
policy such as storage schema, distribution representations, to configure IPsec-enabled endpoints. The information model
and policy specification languages used to configure IPsec- described in this document models the configuration parameters
enabled endpoints defined by IPSec. The information model also covers the parameters
The information model described in this document models the found by the Internet Key Exchange protocol (IKE). Other key
configuration parameters defined by the IP Security protocol [COMP, exchange protocols could easily be added to the information model by
ESP, AH]. The information model also covers the parameters found by a simple extension. Further extensions can further be added easily
the Internet Key Exchange [DOI, IKE] protocol. Other key exchange due to the object-oriented nature of the model.
protocols could be easily added to the information model by a simple
extension. Other extensions can further be added easily due to the
object-oriented nature of the model.
This information model is based upon the core policy classes as This information model is based upon the core policy classes as
defined in the Policy Core Information Model (PCIM) [PCIM] and on defined in the Policy Core Information Model (PCIM) and in the Policy
the Policy Core Information Model Extensions (PCIMe) [PCIME]. Core Information Model Extensions (PCIMe).
Table of Contents Table of Contents
Status of this Memo..............................................1 1. Introduction.................................................. 3
Abstract.........................................................1 2. UML Conventions............................................... 4
Table of Contents................................................2 3. IPsec Policy Model Inheritance Hierarchy...................... 6
1. Introduction.................................................10 4. Policy Classes................................................ 11
1. Introduction.................................................10 4.1. The Class SARule........................................ 13
2. UML Conventions..............................................10 4.2. The Class IKERule....................................... 17
3. IPsec Policy Model Inheritance Hierarchy......................11 4.3. The Class IPsecRule..................................... 18
4. Policy Classes...............................................16 4.4. The Association Class IPsecPolicyForEndpoint............ 18
4.1. The Class IPsecPolicyGroup..................................17 4.5. The Association Class IPsecPolicyForSystem.............. 19
4.2. The Class SARule...........................................18 4.6. The Aggregation Class SAConditionInRule................. 19
4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, 4.7. The Aggregation Class PolicyActionInSARule.............. 20
RuleUsage, Mandatory, SequencedActions, PolicyRoles, and 5. Condition and Filter Classes.................................. 22
PolicyDecisionStrategy..........................................18 5.1. The Class SACondition................................... 23
4.2.2 The Property ExecutionStrategy............................18 5.2. The Class IPHeadersFilter............................... 23
4.2.3 The Property LimitNegotiation.............................20 5.3. The Class CredentialFilterEntry......................... 23
4.3. The Class IKERule..........................................21 5.4. The Class IPSOFilterEntry............................... 25
4.3.1. The Property IdentityContexts.............................21 5.5. The Class PeerIDPayloadFilterEntry...................... 26
4.4. The Class IPsecRule........................................22 5.6. The Association Class FilterOfSACondition............... 28
4.5. The Association Class IPsecPolicyForEndpoint................22 5.7. The Association Class AcceptCredentialFrom.............. 29
4.5.1. The Reference Antecedent..................................22 6. Action Classes................................................ 30
4.5.2. The Reference Dependent...................................22 6.1. The Class SAAction...................................... 32
4.6. The Association Class IPsecPolicyForSystem..................22 6.2. The Class SAStaticAction................................ 33
4.6.1. The Reference Antecedent..................................23 6.3. The Class IPsecBypassAction............................. 34
4.6.2. The Reference Dependent...................................23 6.4. The Class IPsecDiscardAction............................ 34
4.7. The Aggregation Class SARuleInPolicyGroup...................23 6.5. The Class IKERejectAction............................... 35
4.7.1. The Property Priority.....................................23 6.6. The Class PreconfiguredSAAction......................... 35
4.7.2. The Reference GroupComponent..............................23 6.7. The Class PreconfiguredTransportAction.................. 36
4.7.3. The Reference PartComponent...............................23 6.8. The Class PreconfiguredTunnelAction..................... 37
4.8. The Aggregation Class SAConditionInRule.....................24 6.9. The Class SANegotiationAction........................... 37
4.8.1. The Properties GroupNumber and ConditionNegated...........24 6.10. The Class IKENegotiationAction.......................... 38
4.8.2. The Reference GroupComponent..............................24 6.11. The Class IPsecAction................................... 39
4.8.3. The Reference PartComponent...............................25 6.12. The Class IPsecTransportAction.......................... 41
4.9. The Aggregation Class PolicyActionInSARule..................25 6.13. The Class IPsecTunnelAction............................. 42
4.9.1. The Reference GroupComponent..............................25 6.14. The Class IKEAction..................................... 42
4.9.2. The Reference PartComponent...............................25 6.15. The Class PeerGateway................................... 44
4.9.3. The Property ActionOrder..................................25 6.16. The Association Class PeerGatewayForTunnel.............. 45
5. Condition and Filter Classes..................................26 6.17. The Aggregation Class ContainedProposal................. 46
5.1. The Class SACondition......................................26 6.18. The Association Class HostedPeerGatewayInformation...... 47
5.2. The Class IPHeadersFilter...................................27 6.19. The Association Class TransformOfPreconfiguredAction.... 48
5.3. The Class CredentialFilterEntry.............................27 6.20 The Association Class PeerGatewayForPreconfiguredTunnel. 49
5.3.1. The Property MatchFieldName...............................27 7. Proposal and Transform Classes................................ 50
5.3.2. The Property MatchFieldValue..............................28 7.1. The Abstract Class SAProposal........................... 50
5.3.3. The Property CredentialType...............................28 7.2. The Class IKEProposal................................... 51
5.4. The Class IPSOFilterEntry...................................28 7.3. The Class IPsecProposal................................. 54
5.4.1. The Property MatchConditionType...........................29 7.4. The Abstract Class SATransform.......................... 54
5.4.2. The Property MatchConditionValue..........................29 7.5. The Class AHTransform................................... 56
5.5. The Class PeerIDPayloadFilterEntry..........................29 7.6. The Class ESPTransform.................................. 57
5.5.1. The Property MatchIdentityType............................30 7.7. The Class IPCOMPTransform............................... 59
5.5.2. The Property MatchIdentityValue...........................30 7.8. The Association Class SAProposalInSystem................ 60
5.6. The Association Class FilterOfSACondition...................31 7.9. The Aggregation Class ContainedTransform................ 60
5.6.1. The Reference Antecedent..................................31 7.10. The Association Class SATransformInSystem............... 62
5.6.2. The Reference Dependent...................................31 8. IKE Service and Identity Classes.............................. 63
5.7. The Association Class AcceptCredentialFrom..................31 8.1. The Class IKEService.................................... 64
5.7.1. The Reference Antecedent..................................32 8.2. The Class PeerIdentityTable............................. 64
5.7.2. The Reference Dependent...................................32 8.3. The Class PeerIdentityEntry............................. 65
6. Action Classes...............................................33 8.4. The Class AutostartIKEConfiguration..................... 66
6.1. The Class SAAction.........................................34 8.5. The Class AutostartIKESetting........................... 67
6.1.1. The Property DoActionLogging..............................34 8.6. The Class IKEIdentity................................... 69
6.1.2. The Property DoPacketLogging..............................34 8.7. The Association Class HostedPeerIdentityTable........... 71
6.2. The Class SAStaticAction....................................35 8.8. The Aggregation Class PeerIdentityMember................ 71
6.2.1. The Property LifetimeSeconds..............................35 8.9. The Association Class IKEServicePeerGateway............. 72
6.3. The Class IPsecBypassAction.................................35 8.10. The Association Class IKEServicePeerIdentityTable....... 73
6.4. The Class IPsecDiscardAction................................35 8.11. The Association Class IKEAutostartSetting............... 73
6.5. The Class IKERejectAction...................................36 8.12. The Aggregation Class AutostartIKESettingContext........ 74
6.6. The Class PreconfiguredSAAction.............................36 8.13. The Association Class IKEServiceForEndpoint............. 75
6.6.1. The Property LifetimeKilobytes............................36 8.14. The Association Class IKEAutostartConfiguration......... 76
6.7. The Class PreconfiguredTransportAction......................37 8.15. The Association Class IKEUsesCredentialManagementService 77
6.8. The Class PreconfiguredTunnelAction.........................37 8.16. The Association Class EndpointHasLocalIKEIdentity....... 77
6.8.1. The Property DFHandling...................................37 8.17. The Association Class CollectionHasLocalIKEIdentity..... 78
6.9. The Class SANegotiationAction...............................37 8.18. The Association Class IKEIdentitysCredential............ 79
6.10. The Class IKENegotiationAction.............................38 9. Implementation Requirements................................... 79
6.10.1. The Property MinLifetimeSeconds..........................38 10. Security Considerations....................................... 84
6.10.2. The Property MinLifetimeKilobytes........................38 11. Intellectual Property Statement............................... 84
6.10.3. The Property IdleDurationSeconds.........................39 12. References ................................................... 85
6.11. The Class IPsecAction.....................................40 12.1. Normative References.................................... 85
6.11.1. The Property UsePFS.....................................40 12.2. Informative References.................................. 86
6.11.2. The Property UseIKEGroup.................................40 13. Disclaimer.................................................... 86
6.11.3. The Property GroupId.....................................40 14. Acknowledgments............................................... 86
6.11.4. The Property Granularity.................................41 15. Authors' Addresses............................................ 87
6.11.5. The Property VendorID....................................41 16. Full Copyright Statement...................................... 88
6.12. The Class IPsecTransportAction.............................41
6.13. The Class IPsecTunnelAction................................41
6.13.1. The Property DFHandling..................................42
6.14. The Class IKEAction.......................................42
6.14.1. The Property ExchangeMode................................42
6.14.2. The Property UseIKEIdentityType..........................43
6.14.3. The Property VendorID....................................43
6.14.4. The Property AggressiveModeGroupId.......................43
6.15. The Class PeerGateway.....................................43
6.15.1. The Property Name.......................................44
6.15.2. The Property PeerIdentityType............................44
6.15.3. The Property PeerIdentity................................44
6.16. The Association Class PeerGatewayForTunnel.................44
6.16.1. The Reference Antecedent.................................45
6.16.2. The Reference Dependent..................................45
6.16.3. The Property SequenceNumber..............................45
6.17. The Aggregation Class ContainedProposal....................45
6.17.1. The Reference GroupComponent.............................46
6.17.2. The Reference PartComponent..............................46
6.17.3. The Property SequenceNumber..............................46
6.18. The Association Class HostedPeerGatewayInformation.........46
6.18.1. The Reference Antecedent.................................46
6.18.2. The Reference Dependent..................................46
6.19. The Association Class TransformOfPreconfiguredAction.......46
6.19.1. The Reference Antecedent.................................47
6.19.2. The Reference Dependent..................................47
6.19.3. The Property SPI........................................47
6.19.4. The Property Direction...................................47
6.20 The Association Class PeerGatewayForPreconfiguredTunnel......47
6.20.1. The Reference Antecedent.................................48
6.20.2. The Reference Dependent..................................48
7. Proposal and Transform Classes................................49
7.1. The Abstract Class SAProposal...............................49
7.1.1. The Property Name........................................49
7.2. The Class IKEProposal......................................49
7.2.1. The Property CipherAlgorithm..............................50
7.2.2. The Property HashAlgorithm................................50
7.2.3. The Property PRFAlgorithm.................................50
7.2.4. The Property GroupId.....................................51
7.2.5. The Property AuthenticationMethod.........................51
7.2.6. The Property MaxLifetimeSeconds...........................51
7.2.7. The Property MaxLifetimeKilobytes.........................52
7.2.8. The Property VendorID.....................................52
7.3. The Class IPsecProposal.....................................52
7.4. The Abstract Class SATransform..............................52
7.4.1. The Property CommonName...................................52
7.4.2. The Property VendorID.....................................53
7.4.3. The Property MaxLifetimeSeconds...........................53
7.4.4. The Property MaxLifetimeKilobytes.........................53
7.5. The Class AHTransform......................................53
7.5.1. The Property AHTransformId................................54
7.5.2. The Property UseReplayPrevention..........................54
7.5.3. The Property ReplayPreventionWindowSize...................54
7.6. The Class ESPTransform.....................................54
7.6.1. The Property IntegrityTransformId.........................54
7.6.2. The Property CipherTransformId............................55
7.6.3. The Property CipherKeyLength..............................55
7.6.4. The Property CipherKeyRounds..............................55
7.6.5. The Property UseReplayPrevention..........................55
7.6.6. The Property ReplayPreventionWindowSize...................55
7.7. The Class IPCOMPTransform...................................56
7.7.1. The Property Algorithm....................................56
7.7.2. The Property DictionarySize...............................56
7.7.3. The Property PrivateAlgorithm.............................56
7.8. The Association Class SAProposalInSystem....................56
7.8.1. The Reference Antecedent..................................57
7.8.2. The Reference Dependent...................................57
7.9. The Aggregation Class ContainedTransform....................57
7.9.1. The Reference GroupComponent..............................57
7.9.2. The Reference PartComponent...............................57
7.9.3. The Property SequenceNumber...............................57
7.10. The Association Class SATransformInSystem..................58
7.10.1. The Reference Antecedent.................................58
7.10.2. The Reference Dependent..................................58
8. IKE Service and Identity Classes..............................59
8.1. The Class IKEService.......................................60
8.2. The Class PeerIdentityTable.................................60
8.2.1. The Property Name........................................60
8.3. The Class PeerIdentityEntry.................................60
8.3.1. The Property PeerIdentity.................................61
8.3.2. The Property PeerIdentityType.............................61
8.3.3. The Property PeerAddress..................................61
8.3.4. The Property PeerAddressType..............................61
8.4. The Class AutostartIKEConfiguration.........................61
8.5. The Class AutostartIKESetting...............................62
8.5.1. The Property Phase1Only...................................62
8.5.2. The Property AddressType..................................62
8.5.3. The Property SourceAddress................................63
8.5.4. The Property SourcePort...................................63
8.5.5. The Property DestinationAddress...........................63
8.5.6. The Property DestinationPort..............................63
8.5.7. The Property Protocol.....................................63
8.6. The Class IKEIdentity......................................63
8.6.1. The Property IdentityType.................................64
8.6.2. The Property IdentityValue................................64
8.6.3. The Property IdentityContexts.............................64
8.7. The Association Class HostedPeerIdentityTable...............65
8.7.1. The Reference Antecedent..................................65
8.7.2. The Reference Dependent...................................65
8.8. The Aggregation Class PeerIdentityMember....................65
8.8.1. The Reference Collection..................................66
8.8.2. The Reference Member.....................................66
8.9. The Association Class IKEServicePeerGateway.................66
8.9.1. The Reference Antecedent..................................66
8.9.2. The Reference Dependent...................................66
8.10. The Association Class IKEServicePeerIdentityTable..........66
8.10.1. The Reference Antecedent.................................67
8.10.2. The Reference Dependent..................................67
8.11. The Association Class IKEAutostartSetting..................67
8.11.1. The Reference Element....................................67
8.11.2. The Reference Setting....................................67
8.12. The Aggregation Class AutostartIKESettingContext...........67
8.12.1. The Reference Context....................................67
8.12.2. The Reference Setting....................................68
8.12.3. The Property SequenceNumber..............................68
8.13. The Association Class IKEServiceForEndpoint................68
8.13.1. The Reference Antecedent.................................68
8.13.2. The Reference Dependent..................................68
8.14. The Association Class IKEAutostartConfiguration............68
8.14.1. The Reference Antecedent.................................69
8.14.2. The Reference Dependent..................................69
8.14.3. The Property Active.....................................69
8.15. The Association Class IKEUsesCredentialManagementService....69
8.15.1. The Reference Antecedent.................................70
8.15.2. The Reference Dependent..................................70
8.16. The Association Class EndpointHasLocalIKEIdentity..........70
8.16.1. The Reference Antecedent.................................70
8.16.2. The Reference Dependent..................................70
8.17. The Association Class CollectionHasLocalIKEIdentity........70
8.17.1. The Reference Antecedent.................................71
8.17.2. The Reference Dependent..................................71
8.18. The Association Class IKEIdentitysCredential...............71
8.18.1. The Reference Antecedent.................................71
8.18.2. The Reference Dependent..................................71
9. Implementation Requirements...................................71
10. Security Considerations.....................................75
11. Intellectual Property.......................................75
12. Acknowledgments.............................................76
13. References..................................................76
14. Disclaimer..................................................77
15. Authors' Addresses..........................................77
16. Full Copyright Statement.....................................77
1. Introduction 1. Introduction
IP security (IPsec) policy may assume a variety of forms as it IP security (IPsec) policy may assume a variety of forms as it
travels from storage to distribution point to decision point. At travels from storage, to distribution, to decision points. At each
each step, it needs to be represented in a way that is convenient for step, it needs to be represented in a way that is convenient for the
the current task. For example, the policy could exist as, but is not current task. For example, the policy could exist as, but is not
limited to: limited to:
o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in o A Lightweight Directory Access Protocol (LDAP) [LDAP] schema in a
a directory directory.
o an on-the-wire representation over a transport protocol like the
Common Object Policy Service (COPS) [COPS, COPSPR] o An on-the-wire representation over a transport protocol like the
o a text-based policy specification language suitable for editing Common Object Policy Service (COPS) [COPS, COPSPR].
by an administrator
o an Extensible Markup Language (XML) document o A text-based policy specification language suitable for editing by
an administrator.
o An Extensible Markup Language (XML) document.
Each of these task-specific representations should be derived from a Each of these task-specific representations should be derived from a
canonical representation that precisely specifies the content and canonical representation that precisely specifies the content and
semantics of the IPsec policy. This document captures this concept semantics of the IPsec policy. This document captures this concept
and introduces a task-independent canonical representation for IPsec and introduces a task-independent canonical representation for IPsec
policies. policies.
In order to have a simple information model, this document focuses This document focuses mainly on the existing protocols [COMP, ESP,
mainly on the existing protocols [COMP, ESP, AH, DOI, IKE]. The AH, DOI, IKE]. The model can easily be extended if needed due to its
model can easily be extended if needed due to its object-oriented object-oriented nature.
nature.
This document is organized as follows: This document is organized as follows:
o Section 2 provides a quick introduction to the Unified Modeling o Section 2 provides a quick introduction to the Unified Modeling
Language (UML) graphical notation conventions used in this Language (UML) graphical notation conventions used in this
document. document.
o Section 3 provides the inheritance hierarchy that describes o Section 3 provides the inheritance hierarchy that describes where
where the IPsec policy classes fit into the policy class the IPsec policy classes fit into the policy class hierarchy
hierarchy already defined by the Policy Core Information Model already defined by the Policy Core Information Model (PCIM) and
(PCIM) and Policy Core Information Model Extensions (PCIMe). Policy Core Information Model Extensions (PCIMe).
o Sections 4 through 8 describes the class that make up the IPsec o Sections 4 through 8 describe the classes that make up the IPsec
policy model. policy model.
o Section 9 presents the implementation requirements for the o Section 9 presents the implementation requirements for the classes
classes in the model (i.e., the MUST/MAY/SHOULD status). in the model (i.e., the MUST/MAY/SHOULD status).
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS]. document are to be interpreted as described in [KEYWORDS].
2. UML Conventions 2. UML Conventions
For this document, a UML static class diagram was chosen as the For this document, a UML static class diagram was chosen as the
canonical representation for the IPsec policy model. The reason canonical representation for the IPsec policy model, because UML
behind this decision is that UML provides a graphical, task- provides a graphical, task-independent way to model systems. A
independent way to model systems. A treatise on the graphical treatise on the graphical notation used in UML is beyond the scope of
notation used in UML is beyond the scope of this paper. However, this paper. However, given the use of ASCII drawing for UML static
given the use of ASCII drawing for UML static class diagrams, a class diagrams, a description of the notational conventions used in
description of the notational conventions used in this document is in this document is in order:
order:
o Boxes represent classes, with class names in brackets ([]) o Boxes represent classes, with class names in brackets ([])
representing an abstract class. representing an abstract class.
o A line that terminates with an arrow (<, >, ^, v) denotes o A line that terminates with an arrow (<, >, ^, v) denotes
inheritance. The arrow always points to the parent class. inheritance. The arrow always points to the parent class.
Inheritance can also be called generalization or specialization Inheritance can also be called generalization or specialization
(depending upon the reference point). A base class is a (depending upon the reference point). A base class is a
generalization of a derived class, and a derived class is a generalization of a derived class, and a derived class is a
specialization of a base class. specialization of a base class.
o Associations are used to model a relationship between two
classes. Classes that share an association are connected using o Associations are used to model a relationship between two classes.
a line. A special kind of association is also used: an Classes that share an association are connected using a line. A
aggregation. An aggregation models a whole-part relationship special kind of association is also used: an aggregation. An
between two classes. Associations, and therefore aggregations, aggregation models a whole-part relationship between two classes.
can also be modeled as classes. Associations, and therefore aggregations, are also modeled as
o A line that begins with an "o" denotes aggregation. Aggregation classes.
denotes containment in which the contained class and the
containing class have independent lifetimes. o A line that begins with an "o" denotes aggregation. Aggregation
o Next to a line representing an association appears a denotes containment in which the contained class and the
cardinality. Cardinalities indicate the constraints on the containing class have independent lifetimes.
number of object instances in a set of relationships. Every
association instance has a single set of references. The o At each end of a line representing an association appears a
cardinality indicates the number of instances that may refer to cardinality (i.e., each association has 2 cardinalities).
a given object instance. The cardinality may be: Cardinalities indicate the constraints on the number of object
- a range in the form "lower bound..upper bound" indicating the instances in a set of relationships. The cardinality on a given
minimum and maximum number of objects. end of an association indicates the number of different object
- a number that indicates the exact number of objects. instances of that class that may be associated with a single
- an asterisk indicating any number of objects, including zero. object instance of the class on the other end of the association.
Using an asterisk is shorthand for 0..n. The cardinality may be:
- the letter n indicating from 1 to many. Using the letter n is
shorthand for 1..n. - a range in the form "lower bound..upper bound" indicating the
o A class that has an association may have a "w" next to the line minimum and maximum number of objects.
representing the association. This is called a weak association
and is discussed in [PCIM]. - a number that indicates the exact number of objects.
- an asterisk indicating any number of objects, including zero.
An asterisk is shorthand for 0..n.
- the letter n indicating from 1 to many. The letter n is
shorthand for 1..n.
o A class that has an association may have a "w" next to the line
representing the association. This is called a weak association
and is discussed in [PCIM].
It should be noted that the UML static class diagram presented is a It should be noted that the UML static class diagram presented is a
conceptual view of IPsec policy designed to aid in understanding. conceptual view of IPsec policy designed to aid in understanding. It
It does not necessarily get translated class for class into another does not necessarily get translated class for class into another
representation. For example, an LDAP implementation may flatten out representation. For example, an LDAP implementation may flatten out
the representation to fewer classes (because of the inefficiency of the representation to fewer classes (because of the inefficiency of
following references). following references).
3. IPsec Policy Model Inheritance Hierarchy 3. IPsec Policy Model Inheritance Hierarchy
Like PCIM and PCIMe from which it is derived, the IPsec Configuration Like PCIM and PCIMe, the IPsec Configuration Policy Model derives
Policy Model derives from and uses classes defined in the DMTF [DMTF] from and uses classes defined in the DMTF [DMTF] Common Information
Common Information Model (CIM). The following tree represents the Model (CIM). The following tree represents the inheritance hierarchy
inheritance hierarchy for the IPsec policy model classes and how they for the IPsec Policy Model classes and how they fit into PCIM, PCIMe
fit into PCIM, PCIMe and the other DMTF models (see Appendices for and the other DMTF models (see Appendices for descriptions of classes
descriptions of classes that are not being introduced as part of that are not being introduced as part of IPsec model). CIM classes
IPsec model). CIM classes that are not used as a superclass from that are not used as a superclass to derive new classes, but are used
which to derive new classes but are only referenced are not included only as references, are not included in this inheritance hierarchy,
this inheritance hierarchy, but can be found in the appropriate DMTF but can be found in the appropriate DMTF document: Core Model
document [CIMCORE], [CIMUSER] or [CIMNETWORK]. [CIMCORE], User Model [CIMUSER] or, Network Model [CIMNETWORK].
ManagedElement (DMTF Core Model - [CIMCORE]) ManagedElement (DMTF Core Model)
| |
+--Collection (DMTF Core Model - [CIMCORE]) +--Collection (DMTF Core Model)
| | | |
| +--PeerIdentityTable | +--PeerIdentityTable
| |
+--ManagedSystemElement (DMTF Core Model - [CIMCORE]) +--ManagedSystemElement (DMTF Core Model)
| | | |
| +--LogicalElement (DMTF Core Model - [CIMCORE]) | +--LogicalElement (DMTF Core Model)
| | | |
| +--FilterEntryBase (DMTF Network Model - [CIMNETWORK]) | +--FilterEntryBase (DMTF Network Model)
| | | | | |
| | +--CredentialFilterEntry | | +--CredentialFilterEntry
| | | | | |
| | +--IPHeadersFilter (PCIMe) | | +--IPHeadersFilter (PCIMe)
| | | | | |
| | +--IPSOFilterEntry | | +--IPSOFilterEntry
| | | | | |
| | +--PeerIDPayloadFilterEntry | | +--PeerIDPayloadFilterEntry
| | | |
| +--PeerGateway | +--PeerGateway
| | | |
| +--PeerIdentityEntry | +--PeerIdentityEntry
| | | |
| +--Service (DMTF Core Model - [CIMCORE]) | +--Service (DMTF Core Model)
| | | |
| +--IKEService | +--IKEService
| |
+--OrganizationalEntity (DMTF User Model - [CIMUSER]) +--OrganizationalEntity (DMTF User Model)
| | | |
| +--UserEntity (DMTF User Model - [CIMUSER]) | +--UserEntity (DMTF User Model)
| | | |
| +--UsersAccess (DMTF User Model - [CIMUSER]) | +--UsersAccess (DMTF User Model)
| | | |
| +--IKEIdentity | +--IKEIdentity
| |
+--Policy (PCIM) +--Policy (PCIM)
| | | |
| +--PolicyAction (PCIM) | +--PolicyAction (PCIM)
| | | | | |
| | +--CompoundPolicyAction (PCIMe) | | +--CompoundPolicyAction (PCIMe)
| | | | | |
| | +--SAAction | | +--SAAction
| | | | | |
| | +--SANegotiationAction | | +--SANegotiationAction
| | | | | | | |
| | | +--IKENegotiationAction | | | +--IKENegotiationAction
| | | | | | | |
| | | +--IKEAction | | | +--IKEAction
| | | | | | | |
| | | +--IPsecAction | | | +--IPsecAction
| | | | | | | |
| | | +--IPsecTransportAction | | | +--IPsecTransportAction
| | | | | | | |
| | | +--IPsecTunnelAction | | | +--IPsecTunnelAction
| | | | | |
| | +--SAStaticAction | | +--SAStaticAction
| | | | | |
| | +--IKERejectAction | | +--IKERejectAction
| | | | | |
| | +--IPsecBypassAction | | +--IPsecBypassAction
| | | | | |
| | +--IPsecDiscardAction | | +--IPsecDiscardAction
| | | | | |
| | +--PreconfiguredSAAction | | +--PreconfiguredSAAction
| | | | | |
| | +--PreconfiguredTransportAction | | +--PreconfiguredTransportAction
| | | | | |
| | +--PreconfiguredTunnelAction | | +--PreconfiguredTunnelAction
| | | |
| +--PolicyCondition (PCIM) | +--PolicyCondition (PCIM)
| | | | | |
| | +--SACondition | | +--SACondition
| | | |
| +--PolicySet (PCIMe) | +--PolicySet (PCIMe)
| | | | | |
| | +--PolicyGroup (PCIM & PCIMe) | | +--PolicyGroup (PCIM & PCIMe)
| | | | | | |
| | | +--IPsecPolicyGroup | | +--PolicyRule (PCIM & PCIMe)
| | | | | |
| | +--PolicyRule (PCIM & PCIMe) | | +--SARule
| | | | | |
| | +--SARule | | +--IKERule
| | | | | |
| | +--IKERule | | +--IPsecRule
| | | | |
| | +--IPsecRule | +--SAProposal
| | | | |
| +--SAProposal | | +--IKEProposal
| | | | | |
| | +--IKEProposal | | +--IPsecProposal
| | | | |
| | +--IPsecProposal | +--SATransform
| | | |
| +--SATransform | +--AHTransform
| | | |
| +--AHTransform | +--ESPTransform
| | | |
| +--ESPTransform | +--IPCOMPTransform
| | |
| +--IPCOMPTransform +--Setting (DMTF Core Model)
| | |
+--Setting (DMTF Core Model - [CIMCORE]) | +--SystemSetting (DMTF Core Model)
| | | |
| +--SystemSetting (DMTF Core Model - [CIMCORE]) | +--AutostartIKESetting
| | |
| +--AutostartIKESetting +--SystemConfiguration (DMTF Core Model)
| |
+--SystemConfiguration (DMTF Core Model - [CIMCORE]) +--AutostartIKEConfiguration
|
+--AutostartIKEConfiguration
The following tree represents the inheritance hierarchy of the IPsec The following tree represents the inheritance hierarchy of the IPsec
policy model association classes and how they fit into PCIM and the policy model association classes and how they fit into PCIM and the
other DMTF models (see Appendices for description of associations other DMTF models (see Appendices for description of association
classes that are not being introduced as part of IPsec model). classes that are not being introduced as part of IPsec model).
Dependency (DMTF Core Model - [CIMCORE]) Dependency (DMTF Core Model)
| |
+--AcceptCredentialsFrom +--AcceptCredentialsFrom
| |
+--ElementAsUser (DMTF User Model - [CIMUSER]) +--ElementAsUser (DMTF User Model)
| | | |
| +--EndpointHasLocalIKEIdentity | +--EndpointHasLocalIKEIdentity
| | | |
| +--CollectionHasLocalIKEIdentity | +--CollectionHasLocalIKEIdentity
| |
+--FilterOfSACondition +--FilterOfSACondition
| |
+--HostedPeerGatewayInformation +--HostedPeerGatewayInformation
| |
+--HostedPeerIdentityTable +--HostedPeerIdentityTable
| |
+--IKEAutostartConfiguration +--IKEAutostartConfiguration
| |
+--IKEServiceForEndpoint +--IKEServiceForEndpoint
| |
+--IKEServicePeerGateway +--IKEServicePeerGateway
| |
+--IKEServicePeerIdentityTable +--IKEServicePeerIdentityTable
| |
+--IKEUsesCredentialManagementService +--IKEUsesCredentialManagementService
| |
+--IPsecPolicyForEndpoint +--IPsecPolicyForEndpoint
| |
+--IPsecPolicyForSystem +--IPsecPolicyForSystem
| |
+--PeerGatewayForPreconfiguredTunnel +--PeerGatewayForPreconfiguredTunnel
| |
+--PeerGatewayForTunnel +--PeerGatewayForTunnel
| |
+--PolicyInSystem (PCIM) +--PolicyInSystem (PCIM)
| | | |
| +--SAProposalInSystem | +--SAProposalInSystem
| | | |
| +--SATransformInSystem | +--SATransformInSystem
| |
+--TransformOfPreconfiguredAction +--TransformOfPreconfiguredAction
| |
+--UsersCredential (DMTF User Model - [CIMUSER]) +--UsersCredential (DMTF User Model)
| |
+--IKEIdentitysCredential +--IKEIdentitysCredential
ElementSetting (DMTF Core Model - [CIMCORE]) ElementSetting (DMTF Core Model)
| |
+--IKEAutostartSetting +--IKEAutostartSetting
MemberOfCollection (DMTF Core Model - [CIMCORE]) MemberOfCollection (DMTF Core Model)
| |
+--PeerIdentityMember +--PeerIdentityMember
PolicyComponent (PCIM) PolicyComponent (PCIM)
| |
+--ContainedProposal +--ContainedProposal
| |
+--ContainedTransform +--ContainedTransform
| |
+--PolicyActionStructure (PCIMe) +--PolicyActionStructure (PCIMe)
| | | |
| +--PolicyActionInPolicyRule (PCIM & PCIMe) | +--PolicyActionInPolicyRule (PCIM & PCIMe)
| | | |
| +--PolicyActionInSARule | +--PolicyActionInSARule
| |
+--PolicyConditionStructure (PCIMe) +--PolicyConditionStructure (PCIMe)
| | | |
| +--PolicyConditionInPolicyRule (PCIM & PCIMe) | +--PolicyConditionInPolicyRule (PCIM & PCIMe)
| | | |
| +--SAConditionInRule | +--SAConditionInRule
| |
+--PolicySetComponent (PCIMe) +--PolicySetComponent (PCIMe)
|
+--SARuleInPolicyGroup
SystemSettingContext (DMTF Core Model - [CIMCORE]) SystemSettingContext (DMTF Core Model)
| |
+--AutostartIKESettingContext +--AutostartIKESettingContext
4. Policy Classes 4. Policy Classes
The IPsec policy classes represent the set of policies that are The IPsec policy classes represent the set of policies that are
contained on a system. contained on a system.
+--------------+ +--------------+
| PolicySet |* | [PolicySet] |*
| ([PCIMe]) |o--+ | ([PCIME]) |o--+
+--------------+ | +--------------+ |
^ *| |(a) ^ *| |(a)
| +------+ | +------+
| +--------------------------+
+--------------------+ +-------------+ | |
| IPProtocolEndpoint | | PolicyGroup | +-------------+ +--------------+
| ([CIMNETWORK]) | | ([PCIM]) | | PolicyGroup |0..1 | PolicyRule |*
+--------------------+ +-------------+ | ([PCIM]) |-----+ | ([PCIM]) |o--+
|* ^ +-------------+ | +--------------+ |(d)
+-----------------+ | 0..1| | ^ |
|(b) | |(b) | | |*
| | *| | | +---------------------------+
|0..1 | +--------------------+ |(c) | | PolicyTimePeriodCondition |
+------------------+0..1 (c) *+------------+ | IPProtocolEndpoint | | | | ([PCIM]) |
| IPsecPolicyGroup |-----------| System | | ([CIMNETWORK]) | | | +---------------------------+
+------------------+ | ([CIMCORE])| +--------------------+ | |
1 o +------------+ +------------+ | *+----------+*
(d) | | System |----+ +-o| SARule |o-------+
+-----------------+ | ([CIMCORE])|* | +----------+ |(f)
| +------------+ | ^ |
| +---------------------------+ (e)| | |n
| | PolicyTimePeriodCondition | +-------------+n | | +--------------+
| | ([PCIM]) | | SACondition |--------+ | |[PolicyAction]|
| +---------------------------+ +-------------+ | | ([PCIM]) |
| *| | +--------------+
+-------------+ |(e) | *| ^
*| o* | |(g) |
+-------------+n *+----------+* n+--------------+ | | +-------+
| SACondition |----o| SARule |o-------| PolicyAction | | *o | |
+-------------+ (f) +----------+ (g) | ([PCIM]) | | +----------------------+ |
^ +--------------+ | | CompoundPolicyAction | |
| *| ^ | | ([PCIME]) | |
| |(h) | | +----------------------+ |
| *o | | |
+-----------------+ +----------------------+ +---------+----+ +---------+
| | | CompoundPolicyAction | | | |
| | | ([PCIMe]) | +---------+ +-----------+ +----------+
| | +----------------------+ | IKERule | | IPsecRule | | SAAction |
+---------+ +-----------+ +---------+ +-----------+ +----------+
| IKERule | | IPsecRule |
+---------+ +-----------+
(a) PolicySetComponent ([PCIMe]) (a) PolicySetComponent ([PCIME])
(b) IPsecPolicyForEndpoint (b) IPsecPolicyForEndpoint
(c) IPsecPolicyForSystem (c) IPsecPolicyForSystem
(d) SARuleInPolicyGroup (d) PolicyRuleValidityPeriod ([PCIM])
(e) PolicyRuleValidityPeriod ([PCIM]) (e) SAConditionInRule
(f) SAConditionInRule (f) PolicyActionInSARule
(g) PolicyActionInSARule (g) PolicyActionInPolicyAction ([PCIME])
(h) PolicyActionInPolicyAction ([PCIMe])
An IPsecPolicyGroup represents the set of policies that are used on A PolicyGroup represents the set of policies that are used on an
an interface. This IPsecPolicyGroup SHOULD be associated either interface. This PolicyGroup SHOULD be associated either directly
directly with the IPProtocolEndpoint class instance that represents with the IPProtocolEndpoint class instance that represents the
the interface (via the IPsecPolicyForEndpoint association) or interface (via the IPsecPolicyForEndpoint association) or indirectly
indirectly (via the IPsecPolicyForSystem association) associated (via the IPsecPolicyForSystem association) associated with the System
with the System that hosts the interface. that hosts the interface.
The IKE and IPsec rules are used to build or to negotiate the IPsec The IKE and IPsec rules are used to build or to negotiate the IPsec
SADB. The IPsec rules represent the Security Policy Database. The Security Association Database (SADB). The IPsec rules represent the
SADB itself is not modeled by this document. Security Policy Database. The SADB itself is not modeled by this
document.
The IKE and IPsec rules usage can be described as (see also section The IKE and IPsec rules can be described as (also see section 6 about
6 about actions): actions):
o an egress unprotected packet will first be checked against the o An egress unprotected packet will first be checked against the
IPsec rules. If a match is found, the SADB will be checked. If IPsec rules. If a match is found, the SADB will be checked. If
there is no corresponding IPsec SA in the SADB and if IKE there is no corresponding IPsec SA in the SADB, and if IKE
negotiation is required by the IPsec rule, the corresponding IKE negotiation is required by the IPsec rule, the corresponding IKE
rules will be used. The negotiated or preconfigured SA will then rules will be used. The negotiated or preconfigured SA will then
be installed in the SADB. be installed in the SADB.
o An ingress unprotected packet will first be checked against the
IPsec rules. If a match is found, the SADB will be checked for a
corresponding IPsec SA. If there is no corresponding IPsec SA
and a preconfigured SA exists, this preconfigured SA will be
installed in the IPsec SADB. This behavior should only apply to
bypass and discard actions.
o An ingress protected packet will first be checked against the
IPsec rules. If a match is found, the SADB will be checked for a
corresponding IPsec SA. If there is no corresponding IPsec SA
and a preconfigured SA exists, this preconfigured SA will be
installed in the IPsec SADB.
o An ingress IKE negotiation packet, which is not part of an
existing IKE SA, will be checked against the IKE rules. The
SACondition for the IKERule will usually be composed of a
PeerIDPayloadFilterEntry (typically for a aggressive mode IKE
negotiation) or a IPHeadersFilter. The negotiated SA will then
be installed in the SADB.
It is expected that when a IKE negotiation has to be initiated when o An ingress unprotected packet will first be checked against the
required by an IPsec rule, the set of IKE rules will be checked. The IPsec rules. If a match is found, the SADB will be checked for a
IKE rules check will be based on the outgoing IKE packet using corresponding IPsec SA. If there is no corresponding IPsec SA and
IPHeadersFilter entries (typically using the HdrDstAddress property). a preconfigured SA exists, this preconfigured SA will be installed
in the IPsec SADB. This behavior should only apply to bypass and
discard actions.
4.1. The Class IPsecPolicyGroup o An ingress protected packet will first be checked against the
IPsec rules. If a match is found, the SADB will be checked for a
corresponding IPsec SA. If there is no corresponding IPsec SA and
a preconfigured SA exists, this preconfigured SA will be installed
in the IPsec SADB.
The class IPsecPolicyGroup serves as a container of either other o An ingress IKE negotiation packet, which is not part of an
IPsecPolicyGroups or a set of SARules. The class definition for existing IKE SA, will be checked against the IKE rules. The
IPsecPolicyGroup is as follows: SACondition for the IKERule will usually be composed of a
PeerIDPayloadFilterEntry (typically for an aggressive mode IKE
negotiation) or an IPHeadersFilter. The negotiated SA will then
be installed in the SADB.
NAME IPsecPolicyGroup It is expected that when an IKE negotiation is required to be
DESCRIPTION Either a set of IPsecPolicyGroups or a set of SARules. initiated by an IPsec rule, the set of IKE rules will be checked.
DERIVED FROM PolicyGroup (see [PCIM] & [PCIMe]) The IKE rules check will be based on the outgoing IKE packet using
ABSTRACT FALSE IPHeadersFilter entries (typically using the HdrDstAddress property).
PROPERTIES PolicyGroupName (from PolicyGroup)
PolicyDecisionStrategy (from PolicySet)
PolicyRoles (from PolicySet)
NOTE: for derivations of the schema that are used for policy 4.1. The Class SARule
distribution to an IPsec device (for example, COPS-PR), the server
may follow all of PolicySetComponent associations and create one
policy group which is simply a set of all of the IKE rules and a set
of all of the IPsec rules. See the section on the
PolicySetComponent aggregation for information on merging multiple
IPsecPolicyGroups.
4.2. The Class SARule The class SARule serves as a base class for IKERule and IPsecRule.
Even though the class is concrete, it MUST not be instantiated. It
defines a common connection point for associations to conditions and
actions for both types of rules. Through its derivation from
PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
the PolicyRuleValidityPeriod association.
The class SARule serves as a base class for IKERule and IPsecRule. Each SARule in a valid PolicyGroup MUST have a unique associated
Even though the class is concrete, it MUST not be instantiated. It priority number in the PolicySetComponent.Priority. The class
defines a common connection point for associations to conditions and definition for SARule is as follows:
actions for both types of rules. Through its derivation from
PolicyRule, a SARule (and therefore IKERule and IPsecRule) also has
the PolicyRuleValidityPeriod association.
Each valid IPsecPolicyGroup MUST contain SARules that each have a NAME SARule
unique associated priority number in PolicySetComponent.Priority. DESCRIPTION A base class for IKERule and IPsecRule.
The class definition for SARule is as follows: DERIVED FROM PolicyRule (see [PCIM] & [PCIME])
ABSTRACT FALSE
PROPERTIES PolicyRuleName (from PolicyRule)
Enabled (from PolicyRule)
ConditionListType (from PolicyRule)
RuleUsage (from PolicyRule)
Mandatory (from PolicyRule)
SequencedActions (from PolicyRule)
ExecutionStrategy (from PolicyRule)
PolicyRoles (from PolicySet)
PolicyDecisionStrategy (from PolicySet)
LimitNegotiation
NAME SARule 4.1.1. The Properties PolicyRuleName, Enabled, ConditionListType,
DESCRIPTION A base class for IKERule and IPsecRule. RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
DERIVED FROM PolicyRule (see [PCIM] & [PCIMe]) PolicyDecisionStrategy
ABSTRACT FALSE
PROPERTIES PolicyRuleName (from PolicyRule)
Enabled (from PolicyRule)
ConditionListType (from PolicyRule)
RuleUsage (from PolicyRule)
Mandatory (from PolicyRule)
SequencedActions (from PolicyRule)
ExecutionStrategy (from PolicyRule)
PolicyRoles (from PolicySet)
PolicyDecisionStrategy (from PolicySet)
LimitNegotiation
4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, For a description of these properties, see [PCIM] and [PCIME].
RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
PolicyDecisionStrategy
For a description of these properties, see [PCIM] and [PCIME]. In SARule subclass instances:
In SARule subclass instances: - if the property Mandatory exists, it MUST be set to "true".
- if the property Mandatory exists, it MUST be set to "true"
- if the property SequencedActions exists, it MUST be set to
"mandatory"
- the property PolicyRoles is not used in the device-level model
- if the property PolicyDecisionStrategy exists, it must be set to
"FirstMatching"
4.2.2 The Property ExecutionStrategy - if the property SequencedActions exists, it MUST be set to
"mandatory".
The ExecutionStrategy properties in the PolicyRule subclasses (and in - the property PolicyRoles is not used in the device-level model.
the CompoundPolicyAction class) determine the behavior of the
contained actions. It defines the strategy to be used in executing
the sequenced actions aggregated by a rule or a compound action. In
the case of actions within a rule, the PolicyActionInSARule
aggregation is used to collect the actions into an ordered set; in
the case of a compound action, the PolicyActionInPolicyAction
aggregation is used to collect the actions into an ordered subset.
There are three execution strategies: do until success, do all and do - if the property PolicyDecisionStrategy exists, it must be set to
until failure. "FirstMatching".
"Do Until Success" causes the execution of actions according to the 4.1.2. The Property ExecutionStrategy
ActionOrder property in the aggregation instances until a successful
execution of a single action. These actions may be evaluated to
determine if they are appropriate to execute rather than blindly
trying each of the actions until one succeeds. For an initiator,
they are tried in the ActionOrder until the list is exhausted or one
completes successfully. For example, an IKE initiator may have
several IKEActions for the same SACondition. The initiator will try
all IKEActions in the order defined by ActionOrder. I.e. it will
possibly try several phase 1 negotiations possibly with different
modes (main mode then aggressive mode) and/or with possibly multiple
IKE peers. For a responder, when there is more than one action in
the rule with "do until success" condition clause this provides
alternative actions depending on the received proposals. For
example, the same IKERule may be used to handle aggressive mode and
main mode negotiations with different actions. The responder uses
the first appropriate action in the list of actions.
"Do All" causes the execution all of the actions in aggregated set The ExecutionStrategy properties in the PolicyRule subclasses (and in
according to their defined order. The execution continues regardless the CompoundPolicyAction class) determine the behavior of the
of failures. contained actions. It defines the strategy to be used in executing
the sequenced actions aggregated by a rule or a compound action. In
the case of actions within a rule, the PolicyActionInSARule
aggregation is used to collect the actions into an ordered set; in
the case of a compound action, the PolicyActionInPolicyAction
aggregation is used to collect the actions into an ordered subset.
"Do Until Failure" causes the execution of all actions according to There are three execution strategies: do until success, do all, and
predefined order until the first failure in execution of an action do until failure.
instance. Please note that if all actions are successful then the
aggregated result is a failure. This execution strategy is inherited
from [PCIME] and is not expected to be of any use for IPsec
configuration.
For example, in a nested SAs case the actions of an initiator's rule "Do Until Success" causes the execution of actions according to the
might be structured as: ActionOrder property in the aggregation instances until a successful
execution of a single action. These actions may be evaluated to
determine if they are appropriate to execute rather than blindly
trying each of the actions until one succeeds. For an initiator,
they are tried in the ActionOrder until the list is exhausted or one
completes successfully. For example, an IKE initiator may have
several IKEActions for the same SACondition. The initiator will try
all IKEActions in the order defined by ActionOrder. I.e., it will
possibly try several phase 1 negotiations with different modes (main
mode then aggressive mode) and/or with multiple IKE peers. For a
responder, when there is more than one action in the rule with "do
until success" condition clause, this provides alternative actions
depending on the received proposals. For example, the same IKERule
may be used to handle aggressive mode and main mode negotiations with
different actions. The responder uses the first appropriate action
in the list of actions.
IPsecRule.ExecutionStrategy='Do All' "Do All" causes the execution of all the actions in the aggregated
| set according to their defined order. The execution continues
+---1--- IPsecTunnelAction // set up SA from host to gateway regardless of failures.
|
+---2--- IPsecTransportAction // set up SA from host through
// tunnel to remote host
Another example, showing a rule with fallback actions might be "Do Until Failure" causes the execution of all actions according to a
structured as: predefined order until the first failure in execution of an action
instance. Please note that if all actions are successful, then the
aggregated result is a failure. This execution strategy is inherited
from [PCIME] and is not expected to be of any use for IPsec
configuration.
IPsecRule.ExecutionStrategy='Do Until Success' For example, in a nested SAs case, the actions of an initiator's rule
| might be structured as:
+---6--- IPsecTransportAction // negotiate SA with peer
|
+---9--- IPsecBypassAction // but if you must, allow in the clear
The CompoundPolicyAction class (See [PCIME]) may be used in IPsecRule.ExecutionStrategy='Do All'
constructing the actions of IKE and IPsec rules when those rules |
specify both multiple actions and fallback actions. The +---1--- IPsecTunnelAction // set up SA from host to gateway
ExecutionStrategy property in CompoundPolicyAction is used in |
conjunction with that in the PolicyRule. +---2--- IPsecTransportAction // set up SA from host through
// tunnel to remote host
For example, in nesting SAs with a fallback security gateway, the Another example, showing a rule with fallback actions might be
actions of a rule might be structured as: structured as:
IPsecRule.ExecutionStrategy='Do All' IPsecRule.ExecutionStrategy='Do Until Success'
| |
+---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success' +---6--- IPsecTransportAction // negotiate SA with peer
| | |
| +---1--- IPsecTunnelAction // set up SA from host to +---9--- IPsecBypassAction // but if you must, allow in the clear
| | // gateway1
| |
| +---2--- IPsecTunnelAction // or set up SA to gateway2
|
+---2--- IPsecTransportAction // then set up SA from host
// through tunnel to remote
// host
In the case of "Do All", a couple of actions can be executed The CompoundPolicyAction class (See [PCIME]) may be used in
successfully before a subsequent action fails. In this case, some IKE constructing the actions of IKE and IPsec rules when those rules
or IPsec actions may have resulted in SAs creation. Even if the net specify both multiple actions and fallback actions. The
effect of the aggregated actions is failure, those created SAs MAY be ExecutionStrategy property in CompoundPolicyAction is used in
kept or MAY be deleted. conjunction with that in the PolicyRule.
In the case of "Do All", the IPsec selectors to be used during IPsec For example, in nesting SAs with a fallback security gateway, the
SA negotiation are: actions of a rule might be structured as:
- for the last IPsecAction of the aggregation (i.e. usually the IPsecRule.ExecutionStrategy='Do All'
innermost IPsec SA): this is the combination of the IPHeadersFilter |
class and of the Granularity property of the IPsecAction; +---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success'
| |
| +---1--- IPsecTunnelAction // set up SA from host to
| | // gateway1
| |
| +---2--- IPsecTunnelAction // or set up SA to gateway2
|
+---2--- IPsecTransportAction // then set up SA from host
// through tunnel to remote
// host
- for all other IPsecActions of the aggregation: the selector is the In the case of "Do All", a couple of actions can be executed
source IP address being the local IP address and the destination IP successfully before a subsequent action fails. In this case, some
address being the PeerGateway IP address of the following IPsecAction IKE or IPsec actions may have resulted in SAs creation. Even if the
of the "Do All" aggregation. NB: the granularity is IP address to IP net effect of the aggregated actions is failure, those created SAs
address. MAY be kept or MAY be deleted.
If the above behavior is not desirable, the alternative is to define In the case of "Do All", the IPsec selectors to be used during IPsec
several SARules one for each IPsec SA to be built. This will allow SA negotiation are:
the definition of specific IPsec selectors for all IPsecActions.
4.2.3 The Property LimitNegotiation - for the last IPsecAction of the aggregation (i.e., usually the
innermost IPsec SA): this is the combination of the
IPHeadersFilter class and of the Granularity property of the
IPsecAction.
The property LimitNegotiation is used as part of processing either an - for all other IPsecActions of the aggregation: the selector is the
IKE or an IPsec rule. source IP address which is the local IP address, and the
destination IP address is the PeerGateway IP address of the
following IPsecAction of the "Do All" aggregation. NB: the
granularity is IP address to IP address.
Before proceeding with a phase 1 negotiation, this property is If the above behavior is not desirable, the alternative is to define
checked to determine if the negotiation role of the rule matches that several SARules, one for each IPsec SA to be built. This will allow
defined for the negotiation being undertaken (e.g., Initiator, the definition of specific IPsec selectors for all IPsecActions.
Responder, or Both). If this check fails (e.g. the current role is
IKE responder while the rule specifies IKE initiator), then the IKE
negotiation is stopped. Note that this only applies to new IKE phase
1 negotiations and has no effect on either renegotiation or refresh
operations with peers for which an established SA already exists.
Before proceeding with a phase 2 negotiation, the LimitNegotiation 4.1.3 The Property LimitNegotiation
property of the IPsecRule is first checked to determine if the
negotiation role indicated for the rule matches that of the current
negotiation (Initiator, Responder, or Either). Note that this limit
applies only to new phase 2 negotiations. It is ignored when an
attempt is made to refresh an expiring SA (either side can initiate a
refresh operation). The IKE system can determine that the
negotiation is a refresh operation by checking to see if the selector
information matches that of an existing SA. If LimitNegotiation does
not match and the selector corresponds to a new SA, the negotiation
is stopped.
The property is defined as follows: The property LimitNegotiation is used as part of processing either an
IKE or an IPsec rule.
NAME LimitNegotiation Before proceeding with a phase 1 negotiation, this property is
DESCRIPTION Limits the role to be undertaken during negotiation. checked to determine whether the negotiation role of the rule matches
SYNTAX unsigned 16-bit integer that defined for the negotiation being undertaken (e.g., Initiator,
VALUE 1 - initiator-only Responder, or Both). If this check fails (e.g., the current role is
2 - responder-only IKE responder, while the rule specifies IKE initiator), then the IKE
3 - both negotiation is stopped. Note that this only applies to new IKE phase
1 negotiations and has no effect on either renegotiation or refresh
operations with peers for which an established SA already exists.
4.3. The Class IKERule Before proceeding with a phase 2 negotiation, the LimitNegotiation
The class IKERule associates Conditions and Actions for IKE phase 1 property of the IPsecRule is first checked to determine if the
negotiations. The class definition for IKERule is as follows: negotiation role indicated for the rule matches that of the current
negotiation (Initiator, Responder, or Either). Note that this limit
applies only to new phase 2 negotiations. It is ignored when an
attempt is made to refresh an expiring SA (either side can initiate a
refresh operation). The IKE system can determine that the
negotiation is a refresh operation by checking to see if the selector
information matches that of an existing SA. If LimitNegotiation does
not match and the selector corresponds to a new SA, the negotiation
is stopped.
NAME IKERule The property is defined as follows:
DESCRIPTION Associates Conditions and Actions for IKE phase 1
negotiations.
DERIVED FROM SARule
ABSTRACT FALSE
PROPERTIES same as SARule, plus
IdentityContexts
4.3.1. The Property IdentityContexts NAME LimitNegotiation
DESCRIPTION Limits the role to be undertaken during negotiation.
SYNTAX unsigned 16-bit integer
VALUE 1 - initiator-only
2 - responder-only
3 - both
The IKE service of a security endpoint may have multiple identities 4.2. The Class IKERule
for use in different situations. The combination of the interface
(represented by the IPProtocolEndpoint or by a collection of
IPProtocolEndpoints), the identity type (as specified in the
IKEAction) and the IdentityContexts specifies a unique identity.
The IdentityContexts property specifies the context to select the The class IKERule associates Conditions and Actions for IKE phase 1
relevant IKE identity to be used during the further IKEAction. A negotiations. The class definition for IKERule is as follows:
context may be a VPN name or other identifier for selecting the
appropriate identity for use on the protected IPProtocolEndpoint (or
collection of IPProtocolEndpoints).
IdentityContexts is an array of strings. The multiple values in the NAME IKERule
array are logically ORd together in evaluating the IdentityContexts. DESCRIPTION Associates Conditions and Actions for IKE phase 1
Each value in the array may be the composition of multiple context negotiations.
names. So, a single value may be a single context name (e.g., DERIVED FROM SARule
"CompanyXVPN") or it may be combination of contexts. When an array ABSTRACT FALSE
value is a composition, the individual values are logically ANDd PROPERTIES same as SARule, plus
together for evaluation purposes and the syntax is: IdentityContexts
<ContextName>[&&<ContextName>]* 4.2.1. The Property IdentityContexts
The IKE service of a security endpoint may have multiple identities
for use in different situations. The combination of the interface
(represented by the IPProtocolEndpoint or by a collection of
IPProtocolEndpoints), the identity type (as specified in the
IKEAction), and the IdentityContexts specifies a unique identity.
The IdentityContexts property specifies the context to select the
relevant IKE identity to be used during the further IKEAction. A
context may be a VPN name or other identifier for selecting the
appropriate identity for use on the protected IPProtocolEndpoint (or
collection of IPProtocolEndpoints).
IdentityContexts is an array of strings. The multiple values in the
array are logically ORed together in evaluating the IdentityContexts.
Each value in the array may be the composition of multiple context
names. So, a single value may be a single context name (e.g.,
"CompanyXVPN"), or it may be combination of contexts. When an array
value is a composition, the individual values are logically ANDed
together for evaluation purposes and the syntax is:
<ContextName>[&&<ContextName>]*
where the individual context names appear in alphabetical order where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). So, for example, (according to the collating sequence for UCS-2). So, for example,
the values "CompanyXVPN", "CompanyYVPN&&TopSecret", the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
"CompanyZVPN&&Confidential" means that, for the appropriate "CompanyZVPN&&Confidential" means that, for the appropriate
IPProtocolEndpoint and IdentityType, the contexts are matched if the IPProtocolEndpoint and IdentityType, the contexts are matched if the
identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or identity specifies "CompanyXVPN", "CompanyYVPN&&TopSecret", or
"CompanyZVPN&&Confidential". "CompanyZVPN&&Confidential".
The property is defined as follows: The property is defined as follows:
NAME IdentityContexts
DESCRIPTION Specifies the context in which to select the IKE
identity.
SYNTAX string array
4.4. The Class IPsecRule
The class IPsecRule associates Conditions and Actions for IKE phase 2
negotiations for the IPsec DOI. The class definition for IPsecRule
is as follows:
NAME IPsecRule
DESCRIPTION Associates Conditions and Actions for IKE phase 2
negotiations for the IPsec DOI.
DERIVED FROM SARule
ABSTRACT FALSE
PROPERTIES same as SARule
4.5. The Association Class IPsecPolicyForEndpoint
The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
a specific network interface. If an IPProtocolEndpoint of a system
does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
then the IPsecPolicyForSystem associated IPsecPolicyGroup is used for
that endpoint. The class definition for IPsecPolicyForEndpoint is as
follows:
NAME IPsecPolicyForEndpoint
DESCRIPTION Associates a policy group to a network interface.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]]
Dependent[ref IPsecPolicyGroup[0..1]]
4.5.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to an IPProtocolEndpoint instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may be
associated with zero or more IPProtocolEndpoint instances.
4.5.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden NAME IdentityContexts
to refer to an IPsecPolicyGroup instance. The [0..1] cardinality DESCRIPTION Specifies the context in which to select the IKE
indicates that an IPProtocolEndpoint instance may have an association identity.
to at most one IPsecPolicyGroup instance. SYNTAX string array
4.6. The Association Class IPsecPolicyForSystem 4.3. The Class IPsecRule
The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a The class IPsecRule associates Conditions and Actions for IKE phase 2
specific system. If an IPProtocolEndpoint of a system does not have negotiations for the IPsec DOI. The class definition for IPsecRule
an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the is as follows:
IPsecPolicyForSystem associated IPsecPolicyGroup is used for that
endpoint. The class definition for IPsecPolicyForSystem is as
follows:
NAME IPsecPolicyForSystem NAME IPsecRule
DESCRIPTION Default policy group for a system. DESCRIPTION Associates Conditions and Actions for IKE phase 2
DERIVED FROM Dependency (see [CIMCORE]) negotiations for the IPsec DOI.
ABSTRACT FALSE DERIVED FROM SARule
PROPERTIES Antecedent[ref System[0..n]] ABSTRACT FALSE
Dependent[ref IPsecPolicyGroup[0..1]] PROPERTIES same as SARule
4.6.1. The Reference Antecedent 4.4. The Association Class IPsecPolicyForEndpoint
The property Antecedent is inherited from Dependency and is The class IPsecPolicyForEndpoint associates a PolicyGroup with a
overridden to refer to a System instance. The [0..n] cardinality specific network interface. If an IPProtocolEndpoint of a system
indicates that an IPsecPolicyGroup instance may have an association does not have an IPsecPolicyForEndpoint-associated PolicyGroup, then
to zero or more System instances. the IPsecPolicyForSystem associated PolicyGroup is used for that
endpoint. The class definition for IPsecPolicyForEndpoint is as
follows:
4.6.2. The Reference Dependent NAME IPsecPolicyForEndpoint
DESCRIPTION Associates a policy group to a network interface.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]]
Dependent[ref PolicyGroup[0..1]]
The property Dependent is inherited from Dependency and is overridden 4.4.1. The Reference Antecedent
to refer to an IPsecPolicyGroup instance. The [0..1] cardinality
indicates that a System instance may have an association to at most
one IPsecPolicyGroup instance.
4.7. The Aggregation Class SARuleInPolicyGroup The property Antecedent is inherited from Dependency and is
overridden to refer to an IPProtocolEndpoint instance. The [0..n]
cardinality indicates that a PolicyGroup instance may be associated
with zero or more IPProtocolEndpoint instances.
The class SARuleInPolicyGroup associates a SARule with the 4.4.2. The Reference Dependent
IPsecPolicyGroup that contains it. The class definition for
SARuleInPolicyGroup is as follows:
NAME SARuleInPolicyGroup The property Dependent is inherited from Dependency and is overridden
DESCRIPTION Associates a SARule with the IPsecPolicyGroup that to refer to a PolicyGroup instance. The [0..1] cardinality indicates
contains it. that an IPProtocolEndpoint instance may have an association to at
DERIVED FROM PolicySetComponent (see [PCIME]) most one PolicyGroup instance.
ABSTRACT FALSE
PROPERTIES Priority (from PolicySetComponent)
GroupComponent [ref IPsecPolicyGroup [0..n]]
PartComponent [ref SARule [0..n]]
Note: an implementation can easily partition the set of SARules 4.5. The Association Class IPsecPolicyForSystem
aggregated by a SARuleInPolicyGroup instance into one IKERule
instances subset and into one IPsecRule instances subset based on the
class type of the component instances (being either IKERule or
IPsecRule instances).
4.7.1. The Property Priority The class IPsecPolicyForSystem associates a PolicyGroup with a
specific system. If an IPProtocolEndpoint of a system does not have
an IPsecPolicyForEndpoint-associated PolicyGroup, then the
IPsecPolicyForSystem associated PolicyGroup is used for that
endpoint. The class definition for IPsecPolicyForSystem is as
follows:
For a description of this property, see [PCIME]. NAME IPsecPolicyForSystem
DESCRIPTION Default policy group for a system.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent[ref System[0..n]]
Dependent[ref PolicyGroup[0..1]]
4.7.2. The Reference GroupComponent 4.5.1. The Reference Antecedent
The property GroupComponent is inherited from PolicyRuleInPolicyGroup The property Antecedent is inherited from Dependency and is
and is overridden to refer to an IPsecPolicyGroup instance. The overridden to refer to a System instance. The [0..n] cardinality
[0..n] cardinality indicates that a SARule instance may be shared indicates that a PolicyGroup instance may have an association to zero
across multiple IPsecPolicyGroups). or more System instances.
4.7.3. The Reference PartComponent 4.5.2. The Reference Dependent
The property PartComponent is inherited from PolicyRuleInPolicyGroup The property Dependent is inherited from Dependency and is overridden
and is overridden to refer to a SARule instance. The [0..n] to refer to a PolicyGroup instance. The [0..1] cardinality indicates
cardinality indicates that an IPsecPolicyGroup instance may contain that a System instance may have an association to at most one
zero or more SARule instances. PolicyGroup instance.
4.8. The Aggregation Class SAConditionInRule 4.6. The Aggregation Class SAConditionInRule
The class SAConditionInRule associates an SARule with the SACondition The class SAConditionInRule associates an SARule with the SACondition
instance(s) that trigger(s) it. The class definition for instance(s) that trigger(s) it. The class definition for
SAConditionInRule is as follows: SAConditionInRule is as follows:
NAME SAConditionInRule NAME SAConditionInRule
DESCRIPTION Associates an SARule with the SACondition instance(s) DESCRIPTION Associates an SARule with the SACondition instance(s)
that trigger(s) it. that trigger(s) it.
DERIVED FROM PolicyConditionInPolicyRule (see [PCIM] & [PCIMe]) DERIVED FROM PolicyConditionInPolicyRule (see [PCIM] & [PCIME])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupNumber (from PolicyConditionInPolicyRule) PROPERTIES GroupNumber (from PolicyConditionInPolicyRule)
ConditionNegated (from PolicyConditionInPolicyRule) ConditionNegated (from PolicyConditionInPolicyRule)
GroupComponent [ref SARule [0..n]] GroupComponent [ref SARule [0..n]]
PartComponent [ref SACondition [1..n]] PartComponent [ref SACondition [1..n]]
4.8.1. The Properties GroupNumber and ConditionNegated 4.6.1. The Properties GroupNumber and ConditionNegated
For a description of these properties, see [PCIM]. For a description of these properties, see [PCIM].
4.8.2. The Reference GroupComponent 4.6.2. The Reference GroupComponent
The property GroupComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SACondition
instance may be contained in zero or more SARule instances.
Note: the 0 cardinality allows SACondition instances to exist The property GroupComponent is inherited from
without being contained in a SARule. PolicyConditionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SACondition
instance may be contained in zero or more SARule instances.
4.8.3. The Reference PartComponent 4.6.3. The Reference PartComponent
The property PartComponent is inherited from The property PartComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an PolicyConditionInPolicyRule and is overridden to refer to an
SACondition instance. The [1..n] cardinality indicates that an SACondition instance. The [1..n] cardinality indicates that an
SARule instance MUST contain at least one SACondition instance. SARule instance MUST contain at least one SACondition instance.
4.9. The Aggregation Class PolicyActionInSARule 4.7. The Aggregation Class PolicyActionInSARule
The PolicyActionInSARule class associates an SARule with one or more The PolicyActionInSARule class associates an SARule with one or more
PolicyAction instances. In all cases where an SARule is being used, PolicyAction instances. In all cases where an SARule is being used,
the contained actions MUST be either subclasses of SAAction or the contained actions MUST be either subclasses of SAAction or
instances of CompoundPolicyAction. For an IKERule, the contained instances of CompoundPolicyAction. For an IKERule, the contained
actions MUST be related to phase 1 processing, i.e., IKEAction or actions MUST be related to phase 1 processing, i.e., IKEAction or
IKERejectAction. Similarly, for an IPsecRule, contained actions MUST IKERejectAction. Similarly, for an IPsecRule, contained actions MUST
be related to phase 2 or preconfigured SA processing, e.g., be related to phase 2 or preconfigured SA processing, e.g.,
IPsecTransportAction, IPsecBypassAction, etc. The class definition IPsecTransportAction, IPsecBypassAction, etc. The class definition
for PolicyActionInSARule is as follows: for PolicyActionInSARule is as follows:
NAME PolicyActionInSARule NAME PolicyActionInSARule
DESCRIPTION Associates an SARule with its PolicyAction(s). DESCRIPTION Associates an SARule with its PolicyAction(s).
DERIVED FROM PolicyActionInPolicyRule (see [PCIM] & [PCIMe]) DERIVED FROM PolicyActionInPolicyRule (see [PCIM] & [PCIME])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent [ref SARule [0..n]] PROPERTIES GroupComponent [ref SARule [0..n]]
PartComponent [ref PolicyAction [1..n]] PartComponent [ref PolicyAction [1..n]]
ActionOrder (from PolicyActionInPolicyRule) ActionOrder (from PolicyActionInPolicyRule)
4.9.1. The Reference GroupComponent 4.7.1. The Reference GroupComponent
The property GroupComponent is inherited from The property GroupComponent is inherited from
PolicyActionInPolicyRule and is overridden to refer to an SARule PolicyActionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SAAction instance instance. The [0..n] cardinality indicates that an SAAction instance
may be contained in zero or more SARule instances. may be contained in zero or more SARule instances.
4.9.2. The Reference PartComponent 4.7.2. The Reference PartComponent
The property PartComponent is inherited from PolicyActionInPolicyRule The property PartComponent is inherited from PolicyActionInPolicyRule
and is overridden to refer to an SAAction or CompoundPolicyAction and is overridden to refer to an SAAction or CompoundPolicyAction
instance. The [1..n] cardinality indicates that an SARule instance instance. The [1..n] cardinality indicates that an SARule instance
MUST contain at least one SAAction or CompoundPolicyAction instance. MUST contain at least one SAAction or CompoundPolicyAction instance.
4.9.3. The Property ActionOrder 4.7.3. The Property ActionOrder
The property ActionOrder is inherited from the superclass The property ActionOrder is inherited from the superclass
PolicyActionInPolicyRule. It specifies the relative position of this PolicyActionInPolicyRule. It specifies the relative position of this
PolicyAction in the sequence of actions associated with a PolicyRule. PolicyAction in the sequence of actions associated with a PolicyRule.
The ActionOrder MUST be unique so as to provide a deterministic The ActionOrder MUST be unique so as to provide a deterministic
order. In addition, the actions in an SARule are executed as order. In addition, the actions in an SARule are executed as
follows. See section 4.2.2 ExecutionStrategy for a discussion on the follows. See section 4.2.2, ExecutionStrategy, for a discussion on
use of the ActionOrder property. the use of the ActionOrder property.
The property is defined as follows: The property is defined as follows:
NAME ActionOrder NAME ActionOrder
DESCRIPTION Specifies the order of actions. DESCRIPTION Specifies the order of actions.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Any value between 1 and 2^16-1 inclusive. Lower values VALUE Any value between 1 and 2^16-1 inclusive. Lower
have higher precedence (i.e., 1 is the highest values have higher precedence (i.e., 1 is the
precedence). The merging order of two SAActions with highest precedence). The merging order of two
the same precedence is undefined. SAActions with the same precedence is undefined.
5. Condition and Filter Classes 5. Condition and Filter Classes
The IPsec condition and filter classes are used to build the "if" The IPsec condition and filter classes are used to build the "if"
part of the IKE and IPsec rules. part of the IKE and IPsec rules.
*+-------------+ *+-------------+
+--------------------| SACondition | +--------------------| SACondition |
| +-------------+ | +-------------+
| * | | * |
| |(a) | |(a)
| 1 | | 1 |
| +---------------+ | +---------------+
| | FilterList | | | FilterList |
| |([CIMNETWORK]) | | |([CIMNETWORK]) |
| +---------------+ | +---------------+
| 1 o | 1 o
|(b) |(c) |(b) |(c)
| * | | * |
| +-----------------+ | +-----------------+
| | FilterEntryBase | | | FilterEntryBase |
| | ([CIMNETWORK]) | | | ([CIMNETWORK]) |
| +-----------------+ | +-----------------+
| ^ | ^
| | | |
| +-----------------+ | +-----------------------+ | +-----------------+ | +-----------------------+
| | IPHeadersFilter |----+----| CredentialFilterEntry | | | IPHeadersFilter |----+----| CredentialFilterEntry |
| | ([PCIME]) | | +-----------------------+ | | ([PCIME]) | | +-----------------------+
| +-----------------+ | | +-----------------+ |
| | | |
| +-----------------+ | +--------------------------+ | +-----------------+ | +--------------------------+
| | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry | | | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
| +-----------------+ +--------------------------+ | +-----------------+ +--------------------------+
| |
| *+-----------------------------+ | *+-----------------------------+
+------------| CredentialManagementService | +------------| CredentialManagementService |
| ([CIMUSER]) | | ([CIMUSER]) |
+-----------------------------+ +-----------------------------+
(a) FilterOfSACondition (a) FilterOfSACondition
(b) AcceptCredentialsFrom (b) AcceptCredentialsFrom
(c) EntriesInFilterList (see [CIMNETWORK]) (c) EntriesInFilterList (see [CIMNETWORK])
5.1. The Class SACondition 5.1. The Class SACondition
The class SACondition defines the conditions of rules for IKE and The class SACondition defines the conditions of rules for IKE and
IPsec negotiations. Conditions are associated with policy rules via IPsec negotiations. Conditions are associated with policy rules via
the SAConditionInRule aggregation. It is used as an anchor point to the SAConditionInRule aggregation. It is used as an anchor point to
associate various types of filters with policy rules via the associate various types of filters with policy rules via the
FilterOfSACondition association. It also defines whether Credentials FilterOfSACondition association. It also defines whether Credentials
can be accepted for a particular policy rule via the can be accepted for a particular policy rule via the
AcceptCredentialsFrom association. AcceptCredentialsFrom association.
Associated objects represent components of the condition that may or Associated objects represent components of the condition that may or
may not apply at a given rule evaluation. For example, an may not apply at a given rule evaluation. For example, an
AcceptCredentialsFrom evaluation is only performed when a credential AcceptCredentialsFrom evaluation is only performed when a credential
is available to be evaluated against the list of trusted credential is available to be evaluated against the list of trusted credential
management services. Similarly, a PeerIDPayloadFilterEntry may only management services. Similarly, a PeerIDPayloadFilterEntry may only
be evaluated when an IDPayload value is available to compare with the be evaluated when an IDPayload value is available to compare with the
filter. Condition components that do not have corresponding values filter. Condition components that do not have corresponding values
with which to evaluate are evaluated as TRUE unless the protocol has with which to evaluate are evaluated as TRUE unless the protocol has
completed without providing the required information. completed without providing the required information.
The class definition for SACondition is as follows: The class definition for SACondition is as follows:
NAME SACondition NAME SACondition
DESCRIPTION Defines the preconditions for IKE and IPsec DESCRIPTION Defines the preconditions for IKE and IPsec
negotiations. negotiations.
DERIVED FROM PolicyCondition (see [PCIM]) DERIVED FROM PolicyCondition (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES PolicyConditionName (from PolicyCondition) PROPERTIES PolicyConditionName (from PolicyCondition)
5.2. The Class IPHeadersFilter 5.2. The Class IPHeadersFilter
The class IPHeadersFilter is defined in [PCIMe] with the following The class IPHeadersFilter is defined in [PCIME] with the following
note: note:
1) to specify 5-tuple filters that are to apply symmetrically (i.e., 1) to specify 5-tuple filters that are to apply symmetrically (i.e.,
matches traffic in both directions of the same flows which is matches traffic in both directions of the same flows which is
quite typical for SPD entries for ingress and egress traffic), quite typical for SPD entries for ingress and egress traffic), the
the Direction property of the FilterList SHOULD be set to Direction property of the FilterList SHOULD be set to "Mirrored".
"Mirrored".
5.3. The Class CredentialFilterEntry 5.3. The Class CredentialFilterEntry
The class CredentialFilterEntry defines an equivalence class that The class CredentialFilterEntry defines an equivalence class that
match credentials of IKE peers. Each CredentialFilterEntry includes a match credentials of IKE peers. Each CredentialFilterEntry includes
MatchFieldName that is interpreted according to the a MatchFieldName that is interpreted according to the
CredentialManagementService(s) associated with the SACondition CredentialManagementService(s) associated with the SACondition
(AcceptCredentialsFrom). (AcceptCredentialsFrom).
These credentials can be X.509 certificates, Kerberos tickets, or These credentials can be X.509 certificates, Kerberos tickets, or
other types of credentials obtained during the Phase 1 exchange. other types of credentials obtained during the Phase 1 exchange.
Note: this filter entry will probably be checked while the IKE Note: this filter entry will probably be checked while the IKE
negotiation takes place. If the check is a failure, then the IKE negotiation takes place. If the check is a failure, then the IKE
negotiation MUST be stopped, and the result of the IKEAction which negotiation MUST be stopped, and the result of the IKEAction which
triggered this negotiation is a failure. triggered this negotiation is a failure.
The class definition for CredentialFilterEntry is as follows: The class definition for CredentialFilterEntry is as follows:
NAME CredentialFilterEntry NAME CredentialFilterEntry
DESCRIPTION Specifies a match filter based on the IKE credentials. DESCRIPTION Specifies a match filter based on the IKE
DERIVED FROM FilterEntryBase (see [CIMNETWORK]) credentials.
ABSTRACT FALSE DERIVED FROM FilterEntryBase (see [CIMNETWORK])
PROPERTIES Name (from FilterEntryBase) ABSTRACT FALSE
IsNegated (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
MatchFieldName IsNegated (from FilterEntryBase)
MatchFieldValue MatchFieldName
CredentialType MatchFieldValue
CredentialType
5.3.1. The Property MatchFieldName 5.3.1. The Property MatchFieldName
The property MatchFieldName specifies the sub-part of the credential The property MatchFieldName specifies the sub-part of the credential
to match against MatchFieldValue. The property is defined as to match against MatchFieldValue. The property is defined as
follows: follows:
NAME MatchFieldName NAME MatchFieldName
DESCRIPTION Specifies which sub-part of the credential to match. DESCRIPTION Specifies which sub-part of the credential to match.
SYNTAX string SYNTAX string
VALUE This is the string representation of a X.509 certificate VALUE This is the string representation of a X.509
attribute, e.g.: certificate attribute, e.g.:
- "serialNumber" - "serialNumber"
- "signatureAlgorithm" - "signatureAlgorithm"
- "issuerName" - "issuerName"
- "subjectName" - "subjectName"
- "subjectAltName" - "subjectAltName"
- ... - ...
5.3.2. The Property MatchFieldValue 5.3.2. The Property MatchFieldValue
The property MatchFieldValue specifies the value to compare with the The property MatchFieldValue specifies the value to compare with the
MatchFieldName in a credential to determine if the credential matches MatchFieldName in a credential to determine if the credential matches
this filter entry. The property is defined as follows: this filter entry. The property is defined as follows:
NAME MatchFieldValue NAME MatchFieldValue
DESCRIPTION Specifies the value to be matched by the MatchFieldName. DESCRIPTION Specifies the value to be matched by the
SYNTAX string MatchFieldName.
VALUE NB: If the CredentialFilterEntry corresponds to a
DistinguishedName, this value in the CIM class is
represented by an ordinary string value. However, an
implementation must convert this string to a DER-encoded
string before matching against the values extracted from
credentials at runtime.
A wildcard mechanism can be used in the MatchFieldValue string. E.g., SYNTAX string
if the MatchFieldName is "subjectName" then a MatchFieldValue of VALUE NB: If the CredentialFilterEntry corresponds to a
"cn=*,ou=engineering,o=foo,c=be" will match successfully a DistinguishedName, this value in the CIM class is
certificate whose subject attribute is "cn=Jane represented by an ordinary string value. However, an
Doe,ou=engineering,o=foo,c=be". The wildcard character '*' can be implementation must convert this string to a DER-
used to represent 0 or several characters. encoded string before matching against the values
extracted from credentials at runtime.
A wildcard mechanism may be used for MatchFieldNames that contain
character strings. The MatchFieldValue may contain a wildcard
character, '*', in the pattern match specification. For example, if
the MatchFieldName is "subjectName", then a MatchFieldValue of
"cn=*,ou=engineering,o=foo,c=be" will successfully match a
certificate whose subject attribute is "cn=Jane
Doe,ou=engineering,o=foo,c=be". The wildcard character can be used
to represent 0 or more characters as would be displayed to the user
(i.e., a wildcard pattern match operates on displayable character
boundaries).
5.3.3. The Property CredentialType 5.3.3. The Property CredentialType
The property CredentialType specifies the particular type of The property CredentialType specifies the particular type of
credential that is being matched. The property is defined as credential that is being matched. The property is defined as
follows: follows:
NAME CredentialType NAME CredentialType
DESCRIPTION Defines the type of IKE credentials. DESCRIPTION Defines the type of IKE credentials.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - X.509 Certificate VALUE 1 - X.509 Certificate
2 - Kerberos Ticket 2 - Kerberos Ticket
5.4. The Class IPSOFilterEntry 5.4. The Class IPSOFilterEntry
The class IPSOFilterEntry is used to match traffic based on the IP The class IPSOFilterEntry is used to match traffic based on the IP
Security Options header values (ClassificationLevel and Security Options [IPSO] header values (ClassificationLevel and
ProtectionAuthority) as defined in RFC1108. This type of filter entry ProtectionAuthority) as defined in RFC 1108. This type of filter
is used to adjust the IPsec encryption level according to the IPSO entry is used to adjust the IPsec encryption level according to the
classification of the traffic (e.g., secret, confidential, IPSO classification of the traffic (e.g., secret, confidential,
restricted, etc. The class definition for IPSOFilterEntry is as restricted, etc.) The class definition for IPSOFilterEntry is as
follows: follows:
NAME IPSOFilterEntry NAME IPSOFilterEntry
DESCRIPTION Specifies the a match filter based on IP Security DESCRIPTION Specifies the a match filter based on IP Security
Options. Options.
DERIVED FROM FilterEntryBase (see [CIMNETWORK]) DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
MatchConditionType MatchConditionType
MatchConditionValue MatchConditionValue
5.4.1. The Property MatchConditionType 5.4.1. The Property MatchConditionType
The property MatchConditionType specifies the IPSO header field that
will be matched (e.g., traffic classification level or protection
authority). The property is defined as follows:
NAME MatchConditionType The property MatchConditionType specifies the IPSO header field that
DESCRIPTION Specifies the IPSO header field to be matched. will be matched (e.g., traffic classification level or protection
SYNTAX unsigned 16-bit integer authority). The property is defined as follows:
VALUE 1 - ClassificationLevel
2 - ProtectionAuthority NAME MatchConditionType
DESCRIPTION Specifies the IPSO header field to be matched.
SYNTAX unsigned 16-bit integer
VALUE 1 - ClassificationLevel
2 - ProtectionAuthority
5.4.2. The Property MatchConditionValue 5.4.2. The Property MatchConditionValue
The property MatchConditionValue specifies the value of the IPSO The property MatchConditionValue specifies the value of the IPSO
header field to be matched against. The property is defined as header field to be matched against. The property is defined as
follows: follows:
NAME MatchConditionValue NAME MatchConditionValue
DESCRIPTION Specifies the value of the IPSO header field to be DESCRIPTION Specifies the value of the IPSO header field to be
matched against. matched against.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE The values MUST be one of values listed in RFC 1108 (or VALUE The values MUST be one of values listed in RFC 1108
any further IANA Assigned Numbers document). Some (or any further IANA Assigned Numbers document).
examples for ClassificationLevel are: Some examples for ClassificationLevel are:
61 - TopSecret 61 - TopSecret
90 - Secret 90 - Secret
150 - Confidential 150 - Confidential
171 - Unclassified 171 - Unclassified
For ProtectionAuthority, some examples are: For ProtectionAuthority, some examples are:
0 - GENSER 0 - GENSER
1 - SIOP-ESI 1 - SIOP-ESI
2 - SCI 2 - SCI
3 - NSA 3 - NSA
4 - DOE 4 - DOE
5.5. The Class PeerIDPayloadFilterEntry 5.5. The Class PeerIDPayloadFilterEntry
The class PeerIDPayloadFilterEntry defines filters used to match ID The class PeerIDPayloadFilterEntry defines filters used to match ID
payload values from the IKE protocol exchange. payload values from the IKE protocol exchange.
PeerIDPayloadFilterEntry permits the specification of certain ID PeerIDPayloadFilterEntry permits the specification of certain ID
payload values such as "*@company.com" or "193.190.125.0/24". payload values such as "*@example.com" or "192.0.2.0/24".
Obviously this filter applies only to IKERules when acting as a Obviously this filter applies only to IKERules when acting as a
responder. Moreover, this filter can be applied immediately in the responder. Moreover, this filter can be applied immediately in the
case of aggressive mode but its application is to be delayed in the case of aggressive mode but its application is to be delayed in the
case of main mode. The class definition for PeerIDPayloadFilterEntry case of main mode. The class definition for PeerIDPayloadFilterEntry
is as follows: is as follows:
NAME PeerIDPayloadFilterEntry NAME PeerIDPayloadFilterEntry
DESCRIPTION Specifies a match filter based on IKE identity. DESCRIPTION Specifies a match filter based on IKE identity.
DERIVED FROM FilterEntryBase (see [CIMNETWORK]) DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) IsNegated (from FilterEntryBase)
MatchIdentityType MatchIdentityType
MatchIdentityValue MatchIdentityValue
5.5.1. The Property MatchIdentityType 5.5.1. The Property MatchIdentityType
The property MatchIdentityType specifies the type of identity The property MatchIdentityType specifies the type of identity
provided by the peer in the ID payload. The property is defined as provided by the peer in the ID payload. The property is defined as
follows: follows:
NAME MatchIdentityType NAME MatchIdentityType
DESCRIPTION Specifies the ID payload type. DESCRIPTION Specifies the ID payload type.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values. VALUE Consult [DOI] for valid values.
5.5.2. The Property MatchIdentityValue 5.5.2. The Property MatchIdentityValue
The property MatchIdentityValue specifies the filter value for The property MatchIdentityValue specifies the filter value for
comparison with the ID payload, e.g., "*@company.com". The property comparison with the ID payload, e.g., "*@example.com". The property
is defined as follows: is defined as follows:
NAME MatchIdentityValue NAME MatchIdentityValue
DESCRIPTION Specifies the ID payload value. DESCRIPTION Specifies the ID payload value.
SYNTAX string SYNTAX string
VALUE NB: The syntax may need to be converted for comparison. VALUE NB: The syntax may need to be converted for
If the PeerIDPayloadFilterEntry type is a comparison. If the PeerIDPayloadFilterEntry type is
DistinguishedName, the name in the MatchIdentityValue a DistinguishedName, the name in the
property is represented by an ordinary string value, MatchIdentityValue property is represented by an
but this value must be converted into a DER-encoded ordinary string value, but this value must be
string before matching against the values extracted converted into a DER-encoded string before matching
from IKE ID payloads at runtime. The same applies to against the values extracted from IKE ID payloads at
IPv4 & IPv6 addresses. runtime. The same applies to IPv4 & IPv6 addresses.
Different wildcard mechanisms can be used depending on the ID Different wildcard mechanisms can be used depending on the ID
payload: payload:
- a MatchIdentityValue of "*@company.com" will match a user FQDN ID - a MatchIdentityValue of "*@example.com" will match a user FQDN ID
payload of "JDOE@COMPANY.COM" payload of "JDOE@EXAMPLE.COM".
- a MatchIdentityValue of "*.company.com" will match a FQDN ID - a MatchIdentityValue of "*.example.com" will match a FQDN ID
payload of "WWW.COMPANY.COM" payload of "WWW.EXAMPLE.COM".
- a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will - a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will
match a DER DN ID payload of "cn=John match a DER DN ID payload of "cn=John
Doe,ou=engineering,o=company,c=us" Doe,ou=engineering,o=company,c=us".
- a MatchIdentityValue of "193.190.125.0/24" will match an IPv4 - a MatchIdentityValue of "193.190.125.0/24" will match an IPv4
address ID payload of 193.190.125.10 address ID payload of 193.190.125.10.
- a MatchIdentityValue of "193.190.125.*" will also match an IPv4 - a MatchIdentityValue of "193.190.125.*" will also match an IPv4
address ID payload of 193.190.125.10. address ID payload of 193.190.125.10.
The above wildcard mechanisms MUST be supported for all ID payloads The above wildcard mechanisms MUST be supported for all ID payloads
supported by the local IKE entity. The character '*' replaces 0 or supported by the local IKE entity. The character '*' replaces 0 or
multiple instances of any character. multiple instances of any character as restricted by the type
specified by MatchIdentityType.
5.6. The Association Class FilterOfSACondition 5.6. The Association Class FilterOfSACondition
The class FilterOfSACondition associates an SACondition with the The class FilterOfSACondition associates an SACondition with the
filter specifications (FilterList) that make up the condition. The filter specifications (FilterList) that make up the condition. The
class definition for FilterOfSACondition is as follows: class definition for FilterOfSACondition is as follows:
NAME FilterOfSACondition NAME FilterOfSACondition
DESCRIPTION Associates a condition with the filter list that makes DESCRIPTION Associates a condition with the filter list that
up the individual condition elements. makes up the individual condition elements.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref FilterList[1..1]] PROPERTIES Antecedent [ref FilterList[1..1]]
Dependent [ref SACondition[0..n]] Dependent [ref SACondition[0..n]]
5.6.1. The Reference Antecedent 5.6.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a FilterList instance. The [1..1] cardinality The property Antecedent is inherited from Dependency and is
indicates that an SACondition instance MUST be associated with one overridden to refer to a FilterList instance. The [1..1] cardinality
and only one FilterList instance. indicates that an SACondition instance MUST be associated with one
and only one FilterList instance.
5.6.2. The Reference Dependent 5.6.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to an SACondition instance. The [0..n] cardinality to refer to an SACondition instance. The [0..n] cardinality
indicates that a FilterList instance may be associated with zero or indicates that a FilterList instance may be associated with zero or
more SACondition instances. more SACondition instances.
5.7. The Association Class AcceptCredentialFrom 5.7. The Association Class AcceptCredentialFrom
The class AcceptCredentialFrom specifies which credential management The class AcceptCredentialFrom specifies which credential management
services (e.g., a CertificateAuthority or a Kerberos service) are to services (e.g., a CertificateAuthority or a Kerberos service) are to
be trusted to certify peer credentials. This is used to assure that be trusted to certify peer credentials. This is used to assure that
the credential being matched in the CredentialFilterEntry is a valid the credential being matched in the CredentialFilterEntry is a valid
credential that has been supplied by an approved credential that has been supplied by an approved
CredentialManagementService. If a CredentialManagementService is CredentialManagementService. If a CredentialManagementService is
specified and a corresponding CredentialFilterEntry is used, but the specified and a corresponding CredentialFilterEntry is used, but the
credential supplied by the peer is not certified by that credential supplied by the peer is not certified by that
CredentialManagementService (or one of the CredentialManagementService (or one of the
CredentialManagementServices in its trust hierarchy), the CredentialManagementServices in its trust hierarchy), the
CredentialFilterEntry is deemed not to match. If a credential is CredentialFilterEntry is deemed not to match. If a credential is
certified by a CredentialManagementService in the certified by a CredentialManagementService in the
AcceptCredentialsFrom list of services but there is no AcceptCredentialsFrom list of services, but there is no
CredentialFilterEntry, this is considered equivalent to a CredentialFilterEntry, this is considered equivalent to a
CredentialFilterEntry that matches all credentials from those CredentialFilterEntry that matches all credentials from those
services. services.
The class definition for AcceptCredentialFrom is as follows: The class definition for AcceptCredentialFrom is as follows:
NAME AcceptCredentialFrom NAME AcceptCredentialFrom
DESCRIPTION Associates a condition with the credential management DESCRIPTION Associates a condition with the credential management
services to be trusted. services to be trusted.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref CredentialManagementService[0..n]] PROPERTIES Antecedent [ref CredentialManagementService[0..n]]
Dependent [ref SACondition[0..n]] Dependent [ref SACondition[0..n]]
5.7.1. The Reference Antecedent 5.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an SACondition instance may be [0..n] cardinality indicates that an SACondition instance may be
associated with zero or more CredentialManagementService instances. associated with zero or more CredentialManagementService instances.
5.7.2. The Reference Dependent 5.7.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to a SACondition instance. The [0..n] cardinality indicates to refer to a SACondition instance. The [0..n] cardinality indicates
that a CredentialManagementService instance may be associated with that a CredentialManagementService instance may be associated with
zero or more SACondition instances. zero or more SACondition instances.
6. Action Classes 6. Action Classes
The action classes are used to model the different actions an IPsec The action classes are used to model the different actions an IPsec
device may take when the evaluation of the associated condition device may take when the evaluation of the associated condition
results in a match. results in a match.
+----------+ +----------+
| SAAction | | SAAction |
+----------+ +----------+
^ ^
| |
+-----------+--------------+ +-----------+--------------+
| | | |
| +---------------------+ | +---------------------+
| | SaNegotiationAction | | | SaNegotiationAction |
| +---------------------+ | +---------------------+
| ^ | ^
| | | |
*+----------------+ +----------------------+* +----------------+ +----------------------+*
| SAStaticAction | | IKENegotiationAction |o----+ | SAStaticAction | | IKENegotiationAction |o----+
+----------------+ +----------------------+ | +----------------+ +----------------------+ |
^ ^ | ^ ^ |
| | | | | |
| +-----------+-------+ | | +-----------+-------+ |
| | | | | | | |
+-------------------+ | +-------------+ +-----------+ | +-------------------+ | +-------------+ +-----------+ |
| IPsecBypassAction |---+ | IPsecAction | | IKEAction | | | IPsecBypassAction |---+ | IPsecAction | | IKEAction | |
+-------------------+ | +-------------+ +-----------+ | +-------------------+ | +-------------+ +-----------+ |
| ^ | | ^ |
+--------------------+ | | +----------------------+ | +--------------------+ | | +----------------------+ |
| IPsecDiscardAction |---+ +----| IPsecTransportAction | | | IPsecDiscardAction |---+ +----| IPsecTransportAction | |
+--------------------+ | | +----------------------+ | +--------------------+ | | +----------------------+ |
| | | | | |
+-----------------+ | | +-------------------+ | +-----------------+ | | +-------------------+ |
| IKERejectAction |---+ +----| IPsecTunnelAction | | | IKERejectAction |---+ +----| IPsecTunnelAction | |
+-----------------+ | +-------------------+ | +-----------------+ | +-------------------+ |
| *| | | *| |
| +--------------+ | | +--------------+ |
| | | | | |
+-----------------------+ | | +--------------+n | +-----------------------+ | | +--------------+n |
| PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+ | PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+
+-----------------------+ | +--------------+ (b) +-----------------------+ | +--------------+ (b)
*| ^ | *| ^ |
| | | *+-------------+ | | | *+-------------+
| | +-------| PeerGateway | | | +-------| PeerGateway |
| | +-------------+ | | +-------------+
| | +-----------------------------+ |0..1 *w| | | +-----------------------------+ |0..1 *w|
| +--| PreconfiguredTransportAction| | |(c) | +--| PreconfiguredTransportAction| | |(c)
| | +-----------------------------+ | 1| | | +-----------------------------+ | 1|
| | | +--------------+ | | | +--------------+
| | +---------------------------+ * | | System | | | +---------------------------+ * | | System |
| +--| PreconfiguredTunnelAction |-----+ | ([CIMCORE]) | | +--| PreconfiguredTunnelAction |-----+ | ([CIMCORE]) |
| +---------------------------+ (e) +--------------+ | +---------------------------+ (e) +--------------+
| |
| 2..6+---------------+ | 2..6+---------------+
+-------| [SATransform] | +-------| [SATransform] |
(d) +---------------+ (d) +---------------+
(a) PeerGatewayForTunnel (a) PeerGatewayForTunnel
(b) ContainedProposal (b) ContainedProposal
(c) HostedPeerGatewayInformation (c) HostedPeerGatewayInformation
(d) TransformOfPreconfiguredAction (d) TransformOfPreconfiguredAction
(e) PeerGatewayForPreconfiguredTunnel (e) PeerGatewayForPreconfiguredTunnel
6.1. The Class SAAction 6.1. The Class SAAction
The class SAAction is abstract and serves as the base class for IKE The class SAAction is abstract and serves as the base class for IKE
and IPsec actions. It is used for aggregating different types of and IPsec actions. It is used for aggregating different types of
actions to IKE and IPsec rules. The class definition for SAAction is actions to IKE and IPsec rules. The class definition for SAAction is
as follows: as follows:
NAME SAAction NAME SAAction
DESCRIPTION The base class for IKE and IPsec actions. DESCRIPTION The base class for IKE and IPsec actions.
DERIVED FROM PolicyAction (see [PCIM]) DERIVED FROM PolicyAction (see [PCIM])
ABSTRACT TRUE ABSTRACT TRUE
PROPERTIES PolicyActionName (from PolicyAction) PROPERTIES PolicyActionName (from PolicyAction)
DoActionLogging DoActionLogging
DoPacketLogging DoPacketLogging
6.1.1. The Property DoActionLogging 6.1.1. The Property DoActionLogging
The property DoActionLogging specifies whether a log message is to be The property DoActionLogging specifies whether a log message is to be
generated when the action is performed. This applies for generated when the action is performed. This applies for
SANegotiationActions with the meaning of logging a message when the SANegotiationActions with the meaning of logging a message when the
negotiation is attempted (with the success or failure result). This negotiation is attempted (with the success or failure result). This
also applies for SAStaticAction only for PreconfiguredSAAction with also applies for SAStaticAction only for PreconfiguredSAAction with
the meaning of logging a message when the preconfigured SA is the meaning of logging a message when the preconfigured SA is
actually installed in the SADB. The property is defined as follows: actually installed in the SADB. The property is defined as follows:
NAME DoActionLogging NAME DoActionLogging
DESCRIPTION Specifies the whether to log when the action is DESCRIPTION Specifies the whether to log when the action is
performed. performed.
SYNTAX boolean SYNTAX boolean
VALUE true - a log message is to be generated when action is VALUE true - a log message is to be generated when action
performed. is performed.
false - no log message is to be generated when action is false - no log message is to be generated when action
performed. is performed.
6.1.2. The Property DoPacketLogging 6.1.2. The Property DoPacketLogging
The property DoPacketLogging specifies whether a log message is to be The property DoPacketLogging specifies whether a log message is to be
generated when the resulting security association is used to process generated when the resulting security association is used to process
the packet. If the SANegotiationAction successfully executes and the packet. If the SANegotiationAction successfully executes and
results in the creation of one or several security associations or if results in the creation of one or several security associations, or
the PreconfiguredSAAction executes, the value of DoPacketLogging if the PreconfiguredSAAction executes, the value of DoPacketLogging
SHOULD be propagated to an optional field of SADB. This optional SHOULD be propagated to an optional field of SADB. This optional
field should be used to decide whether a log message is to be field should be used to decide whether a log message is to be
generated when the SA is used to process a packet. For generated when the SA is used to process a packet. For
SAStaticActions, a log message is to be generated when the SAStaticActions, a log message is to be generated when the
IPsecBypassAction, IPsecDiscardAction, IKERejectAction are executed. IPsecBypassAction, IPsecDiscardAction, or IKERejectAction are
The property is defined as follows: executed. The property is defined as follows:
NAME DoPacketLogging NAME DoPacketLogging
DESCRIPTION Specifies the whether to log when the resulting security DESCRIPTION Specifies whether to log when the resulting
association is used to process the packet. security association is used to process the packet.
SYNTAX boolean SYNTAX boolean
VALUE true - a log message is to be generated when the VALUE true - a log message is to be generated when the
resulting security association is used to process the resulting security association is used to process the
packet. packet.
false - no log message is to be generated. false - no log message is to be generated.
6.2. The Class SAStaticAction 6.2. The Class SAStaticAction
The class SAStaticAction is abstract and serves as the base class for The class SAStaticAction is abstract and serves as the base class for
IKE and IPsec actions that do not require any negotiation. The class IKE and IPsec actions that do not require any negotiation. The class
definition for SAStaticAction is as follows: definition for SAStaticAction is as follows:
NAME SAStaticAction NAME SAStaticAction
DESCRIPTION The base class for IKE and IPsec actions that do not DESCRIPTION The base class for IKE and IPsec actions that do not
require any negotiation. require any negotiation.
DERIVED FROM SAAction DERIVED FROM SAAction
ABSTRACT TRUE ABSTRACT TRUE
PROPERTIES LifetimeSeconds PROPERTIES LifetimeSeconds
6.2.1. The Property LifetimeSeconds 6.2.1. The Property LifetimeSeconds
The property LifetimeSeconds specifies how long the security The property LifetimeSeconds specifies how long the security
association derived from this action should be used. The property is association derived from this action should be used. The property is
defined as follows: defined as follows:
NAME LifetimeSeconds NAME LifetimeSeconds
DESCRIPTION Specifies the amount of time (in seconds) that a DESCRIPTION Specifies the amount of time (in seconds) that a
security association derived from this action should be security association derived from this action should
used. be used.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 64-bit integer
VALUE A value of zero indicates that there is not a lifetime VALUE A value of zero indicates that there is not a
associated with this action (i.e., infinite lifetime). lifetime associated with this action (i.e., infinite
A non-zero value is typically used in conjunction with lifetime). A non-zero value is typically used in
alternate SAActions performed when there is a conjunction with alternate SAActions performed when
negotiation failure of some sort. there is a negotiation failure of some sort.
Note: if the referenced SAStaticAction object is a Note: if the referenced SAStaticAction object is a
PreconfiguredSAAction associated to several SATransforms, then the PreconfiguredSAAction associated to several SATransforms, then the
actual lifetime of the preconfigured SA will be the lesser of the actual lifetime of the preconfigured SA will be the lesser of the
value of this LifetimeSeconds property and of the value of the value of this LifetimeSeconds property and of the value of the
MaxLifetimeSeconds property of the associated SATransform. If the MaxLifetimeSeconds property of the associated SATransform. If the
value of this LifetimeSeconds property is zero, then there will be value of this LifetimeSeconds property is zero, then there will be no
no lifetime associated to this SA. lifetime associated to this SA.
It is expected that most SAStaticAction instances will have their Note: while some SA negotiation protocols [IKE] can negotiate the
lifetime as an arbitrary length field, the authors have assumed that
a 64-bit integer will be sufficient.
It is expected that most SAStaticAction instances will have their
LifetimeSeconds properties set to zero (meaning no expiration of the LifetimeSeconds properties set to zero (meaning no expiration of the
resulting SA). resulting SA).
6.3. The Class IPsecBypassAction 6.3. The Class IPsecBypassAction
The class IPsecBypassAction is used when packets are allowed to be The class IPsecBypassAction is used when packets are allowed to be
processed without applying IPsec encapsulation to them. This is the processed without applying IPsec encapsulation to them. This is the
same as stating that packets are allowed to flow in the clear. The same as stating that packets are allowed to flow in the clear. The
class definition for IPsecBypassAction is as follows: class definition for IPsecBypassAction is as follows:
NAME IPsecBypassAction NAME IPsecBypassAction
DESCRIPTION Specifies that packets are to be allowed to pass in the DESCRIPTION Specifies that packets are to be allowed to pass in
clear. the clear.
DERIVED FROM SAStaticAction DERIVED FROM SAStaticAction
ABSTRACT FALSE ABSTRACT FALSE
6.4. The Class IPsecDiscardAction 6.4. The Class IPsecDiscardAction
The class IPsecDiscardAction is used when packets are to be The class IPsecDiscardAction is used when packets are to be
discarded. This is the same as stating that packets are to be discarded. This is the same as stating that packets are to be
denied. The class definition for IPsecDiscardAction is as follows: denied. The class definition for IPsecDiscardAction is as follows:
NAME IPsecDiscardAction NAME IPsecDiscardAction
DESCRIPTION Specifies that packets are to be discarded. DESCRIPTION Specifies that packets are to be discarded.
DERIVED FROM SAStaticAction DERIVED FROM SAStaticAction
ABSTRACT FALSE ABSTRACT FALSE
6.5. The Class IKERejectAction 6.5. The Class IKERejectAction
The class IKERejectAction is used to prevent attempting an IKE
negotiation with the peer(s). The main use of this class is to
prevent some denial of service attacks when acting as IKE responder.
It goes beyond a plain discard of UDP/500 IKE packets because the
SACondition can be based on specific PeerIDPayloadFilterEntry (when
aggressive mode is used). The class definition for IKERejectAction
is as follows:
NAME IKERejectAction The class IKERejectAction is used to prevent attempting an IKE
DESCRIPTION Specifies that an IKE negotiation should not even be negotiation with the peer(s). The main use of this class is to
attempted or continued. prevent some denial of service attacks when acting as IKE responder.
DERIVED FROM SAStaticAction It goes beyond a plain discard of UDP/500 IKE packets because the
ABSTRACT FALSE SACondition can be based on specific PeerIDPayloadFilterEntry (when
aggressive mode is used). The class definition for IKERejectAction
is as follows:
NAME IKERejectAction
DESCRIPTION Specifies that an IKE negotiation should not even be
attempted or continued.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
6.6. The Class PreconfiguredSAAction 6.6. The Class PreconfiguredSAAction
The class PreconfiguredSAAction is used to create a security The class PreconfiguredSAAction is used to create a security
association using preconfigured, hard-wired algorithms and keys. association using preconfigured, hard-wired algorithms and keys.
Notes: Notes:
- the SPI for a PreconfiguredSAAction is contained in the - the SPI for a PreconfiguredSAAction is contained in the
association, TransformOfPreconfiguredAction; association, TransformOfPreconfiguredAction;
- the session key (if applicable) is contained in an instance of - the session key (if applicable) is contained in an instance of the
the class SharedSecret (see [CIMUSER]). The session key is class SharedSecret (see [CIMUSER]). The session key is stored in
stored in the property Secret, the property protocol contains the property Secret, the property protocol contains either "ESP-
either "ESP-encrypt", "ESP-auth" or "AH", the property encrypt", "ESP-auth" or "AH", the property algorithm contains the
algorithm contains the algorithm used to protect the secret algorithm used to protect the secret (can be "PLAINTEXT" if the
(can be "PLAINTEXT" if the IPsec entity has no secret storage), IPsec entity has no secret storage), the value of property
the value of property RemoteID is the concatenation of the RemoteID is the concatenation of the remote IPsec peer IP address
remote IPsec peer IP address in dotted decimal, of the in dotted decimal, of the character "/", of "IN" (respectively
character "/", of "IN" (respectively "OUT") for inbound SA "OUT") for inbound SA (respectively outbound SA), of the character
(respectively outbound SA), of the character "/" and of the "/", and of the hexadecimal representation of the SPI.
hexadecimal representation of the SPI.
Although the class is concrete, it MUST not be instantiated. The Although the class is concrete, it MUST not be instantiated. The
class definition for PreconfiguredSAAction is as follows: class definition for PreconfiguredSAAction is as follows:
NAME PreconfiguredSAAction NAME PreconfiguredSAAction
DESCRIPTION Specifies preconfigured algorithm and keying information DESCRIPTION Specifies preconfigured algorithm and keying
for creation of a security association. information for creation of a security association.
DERIVED FROM SAStaticAction DERIVED FROM SAStaticAction
ABSTRACT TRUE ABSTRACT TRUE
PROPERTIES LifetimeKilobytes PROPERTIES LifetimeKilobytes
6.6.1. The Property LifetimeKilobytes 6.6.1. The Property LifetimeKilobytes
The property LifetimeKilobytes specifies a traffic limit in kilobytes The property LifetimeKilobytes specifies a traffic limit in kilobytes
that can be consumed before the SA is deleted.. The property is that can be consumed before the SA is deleted. The property is
defined as follows: defined as follows:
NAME LifetimeKilobytes NAME LifetimeKilobytes
DESCRIPTION Specifies the SA lifetime in kilobytes. DESCRIPTION Specifies the SA lifetime in kilobytes.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 64-bit integer
VALUE A value of zero indicates that there is not a lifetime VALUE A value of zero indicates that there is not a
associated with this action (i.e., infinite lifetime). lifetime associated with this action (i.e., infinite
A non-zero value is used to indicate that after this lifetime). A non-zero value is used to indicate that
number of kilobytes has been consumed the SA must be after this number of kilobytes has been consumed the
deleted from the SADB. SA must be deleted from the SADB.
Note: the actual lifetime of the preconfigured SA will be the lesser Note: the actual lifetime of the preconfigured SA will be the lesser
of the value of this LifetimeKilobytes property and of the value of of the value of this LifetimeKilobytes property and of the value of
the MaxLifetimeSeconds property of the associated SATransform. If the the MaxLifetimeSeconds property of the associated SATransform. If
value of this LifetimeKilobytes property is zero, then there will be the value of this LifetimeKilobytes property is zero, then there will
no lifetime associated with this action. be no lifetime associated with this action.
It is expected that most PreconfiguredSAAction instances will have Note: while some SA negotiation protocols [IKE] can negotiate the
their LifetimeKilobyte properties set to zero (meaning no expiration lifetime as an arbitrary length field, the authors have assumed that
of the resulting SA). a 64-bit integer will be sufficient.
It is expected that most PreconfiguredSAAction instances will have
their LifetimeKilobyte properties set to zero (meaning no expiration
of the resulting SA).
6.7. The Class PreconfiguredTransportAction 6.7. The Class PreconfiguredTransportAction
The class PreconfiguredTransportAction is used to create an IPsec The class PreconfiguredTransportAction is used to create an IPsec
transport-mode security association using preconfigured, hard-wired transport-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for algorithms and keys. The class definition for
PreconfiguredTransportAction is as follows: PreconfiguredTransportAction is as follows:
NAME PreconfiguredTransportAction NAME PreconfiguredTransportAction
DESCRIPTION Specifies preconfigured algorithm and keying information DESCRIPTION Specifies preconfigured algorithm and keying
for creation of an IPsec transport security association. information for creation of an IPsec transport
DERIVED FROM PreconfiguredSAAction security association.
ABSTRACT FALSE DERIVED FROM PreconfiguredSAAction
ABSTRACT FALSE
6.8. The Class PreconfiguredTunnelAction 6.8. The Class PreconfiguredTunnelAction
The class PreconfiguredTunnelAction is used to create an IPsec The class PreconfiguredTunnelAction is used to create an IPsec
tunnel-mode security association using preconfigured, hard-wired tunnel-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for PreconfiguredSAAction algorithms and keys. The class definition for PreconfiguredSAAction
is as follows: is as follows:
NAME PreconfiguredTunnelAction NAME PreconfiguredTunnelAction
DESCRIPTION Specifies preconfigured algorithm and keying information DESCRIPTION Specifies preconfigured algorithm and keying
for creation of an IPsec tunnel-mode security information for creation of an IPsec tunnel-mode
association. security association.
DERIVED FROM PreconfiguredSAAction DERIVED FROM PreconfiguredSAAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES DFHandling PROPERTIES DFHandling
6.8.1. The Property DFHandling 6.8.1. The Property DFHandling
The property DFHandling specifies how the Don't Fragment bit of the The property DFHandling specifies how the Don't Fragment (DF) bit of
internal IP header is to be handled during IPsec processing. The the internal IP header is to be handled during IPsec processing. The
property is defined as follows: property is defined as follows:
NAME DFHandling NAME DFHandling
DESCRIPTION Specifies the processing of the DF bit. DESCRIPTION Specifies the processing of the DF bit.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - Copy the DF bit from the internal IP header to the VALUE 1 - Copy the DF bit from the internal IP header to
external IP header. the external IP header.
2 - Set the DF bit of the external IP header to 1. 2 - Set the DF bit of the external IP header to 1.
3 - Clear the DF bit of the external IP header to 0. 3 - Clear the DF bit of the external IP header to 0.
6.9. The Class SANegotiationAction 6.9. The Class SANegotiationAction
The class SANegotiationAction specifies an action requesting security The class SANegotiationAction specifies an action requesting security
policy negotiation. policy negotiation.
This is an abstract class. Currently, only one security policy This is an abstract class. Currently, only one security policy
negotiation protocol action is subclassed from SANegotiationAction: negotiation protocol action is subclassed from SANegotiationAction:
the IKENegotiationAction class. It is nevertheless expected that the IKENegotiationAction class. It is nevertheless expected that
other security policy negotiation protocols will exist and the other security policy negotiation protocols will exist and the
negotiation actions of those new protocols would be modeled as a negotiation actions of those new protocols would be modeled as a
subclass of SANegotiationAction. subclass of SANegotiationAction.
NAME SANegotiationAction NAME SANegotiationAction
DESCRIPTION Specifies a negotiation action . DESCRIPTION Specifies a negotiation action.
DERIVED FROM SAAction DERIVED FROM SAAction
ABSTRACT TRUE ABSTRACT TRUE
6.10. The Class IKENegotiationAction 6.10. The Class IKENegotiationAction
The class IKENegotiationAction is abstract and serves as the base The class IKENegotiationAction is abstract and serves as the base
class for IKE and IPsec actions that result in a IKE negotiation. class for IKE and IPsec actions that result in an IKE negotiation.
The class definition for IKENegotiationAction is as follows: The class definition for IKENegotiationAction is as follows:
NAME IKENegotiationAction
DESCRIPTION A base class for IKE and IPsec actions that specifies
the parameters that are common for IKE phase 1 and IKE
phase 2 IPsec DOI negotiations.
DERIVED FROM SANegotiationAction
ABSTRACT TRUE
PROPERTIES MinLifetimeSeconds
MinLifetimeKilobytes
IdleDurationSeconds NAME IKENegotiationAction
DESCRIPTION A base class for IKE and IPsec actions that specifies
the parameters that are common for IKE phase 1 and
IKE phase 2 IPsec DOI negotiations.
DERIVED FROM SANegotiationAction
ABSTRACT TRUE
PROPERTIES MinLifetimeSeconds
MinLifetimeKilobytes
IdleDurationSeconds
6.10.1. The Property MinLifetimeSeconds 6.10.1. The Property MinLifetimeSeconds
The property MinLifetimeSeconds specifies the minimum seconds The property MinLifetimeSeconds specifies the minimum seconds in a
lifetime that will be accepted from the peer. MinLifetimeSeconds is lifetime that will be accepted from the peer. MinLifetimeSeconds is
used to prevent certain denial of service attacks where the peer used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations requests an arbitrarily low lifetime value, causing renegotiations
with expensive Diffie-Hellman operations. The property is defined as with expensive Diffie-Hellman operations. The property is defined as
follows: follows:
NAME MinLifetimeSeconds NAME MinLifetimeSeconds
DESCRIPTION Specifies the minimum acceptable seconds lifetime. DESCRIPTION Specifies the minimum seconds acceptable in a
SYNTAX unsigned 32-bit integer lifetime.
VALUE A value of zero indicates that there is no minimum SYNTAX unsigned 64-bit integer
value. A non-zero value specifies the minimum seconds VALUE A value of zero indicates that there is no minimum
lifetime. value. A non-zero value specifies the minimum
seconds lifetime.
Note: while IKE can negotiate the lifetime as an arbitrary length
field, the authors have assumed that a 64-bit integer will be
sufficient.
6.10.2. The Property MinLifetimeKilobytes 6.10.2. The Property MinLifetimeKilobytes
The property MinLifetimeKilobytes specifies the minimum kilobytes The property MinLifetimeKilobytes specifies the minimum kilobytes of
lifetime that will be accepted from the peer. MinLifetimeKilobytes a lifetime that will be accepted from the peer. MinLifetimeKilobytes
is used to prevent certain denial of service attacks where the peer is used to prevent certain denial of service attacks, where the peer
requests an arbitrarily low lifetime value, causing renegotiations requests an arbitrarily low lifetime value, causing renegotiations
with correspondingly expensive Diffie-Hellman operations. Note that with correspondingly expensive Diffie-Hellman operations. Note that
there has been considerable debate regarding the usefulness of there has been considerable debate regarding the usefulness of
applying kilobyte lifetimes to IKE phase 1 security associations, so applying kilobyte lifetimes to IKE phase 1 security associations, so
it is likely that this property will only apply to the sub-class it is likely that this property will only apply to the sub-class
IPsecAction. The property is defined as follows: IPsecAction. The property is defined as follows:
NAME MinLifetimeKilobytes NAME MinLifetimeKilobytes
DESCRIPTION Specifies the minimum acceptable kilobytes lifetime. DESCRIPTION Specifies the minimum kilobytes acceptable in a
SYNTAX unsigned 32-bit integer lifetime.
VALUE A value of zero indicates that there is no minimum SYNTAX unsigned 64-bit integer
value. A non-zero value specifies the minimum kilobytes VALUE A value of zero indicates that there is no minimum
lifetime. value. A non-zero value specifies the minimum
kilobytes lifetime.
Note: While IKE can negotiate the lifetime as an arbitrary length
field, the authors have assumed that a 64-bit integer will be
sufficient.
6.10.3. The Property IdleDurationSeconds 6.10.3. The Property IdleDurationSeconds
The property IdleDurationSeconds specifies how many seconds a
security association may remain idle (i.e., no traffic protected
using the security association) before it is deleted. The property
is defined as follows:
NAME IdleDurationSeconds The property IdleDurationSeconds specifies how many seconds a
DESCRIPTION Specifies how long, in seconds, a security association security association may remain idle (i.e., no traffic protected
may remain unused before it is deleted. using the security association) before it is deleted. The property
SYNTAX unsigned 32-bit integer is defined as follows:
VALUE A value of zero indicates that idle detection should not
be used for the security association (only the seconds NAME IdleDurationSeconds
and kilobyte lifetimes will be used). Any non-zero DESCRIPTION Specifies how long, in seconds, a security
value indicates the number of seconds the security association may remain unused before it is deleted.
association may remain unused. SYNTAX unsigned 64-bit integer
VALUE A value of zero indicates that idle detection should
not be used for the security association (only the
seconds and kilobyte lifetimes will be used). Any
non-zero value indicates the number of seconds the
security association may remain unused.
6.11. The Class IPsecAction 6.11. The Class IPsecAction
The class IPsecAction serves as the base class for IPsec transport The class IPsecAction serves as the base class for IPsec transport
and tunnel actions. It specifies the parameters used for an IKE and tunnel actions. It specifies the parameters used for an IKE
phase 2 IPsec DOI negotiation. The class definition for IPsecAction phase 2 IPsec DOI negotiation. The class definition for IPsecAction
is as follows: is as follows:
NAME IPsecAction NAME IPsecAction
DESCRIPTION A base class for IPsec transport and tunnel actions that DESCRIPTION A base class for IPsec transport and tunnel actions
specifies the parameters for IKE phase 2 IPsec DOI that specifies the parameters for IKE phase 2 IPsec
negotiations. DOI negotiations.
DERIVED FROM IKENegotiationAction DERIVED FROM IKENegotiationAction
ABSTRACT TRUE ABSTRACT TRUE
PROPERTIES UsePFS PROPERTIES UsePFS
UseIKEGroup UseIKEGroup
GroupId GroupId
Granularity Granularity
VendorID VendorID
6.11.1. The Property UsePFS 6.11.1. The Property UsePFS
The property UsePFS specifies whether or not perfect forward secrecy The property UsePFS specifies whether or not perfect forward secrecy
should be used when refreshing keys. The property is defined as should be used when refreshing keys. The property is defined as
follows: follows:
NAME UsePFS NAME UsePFS
DESCRIPTION Specifies the whether or not to use PFS when refreshing DESCRIPTION Specifies the whether or not to use PFS when
keys. refreshing keys.
SYNTAX boolean SYNTAX boolean
VALUE A value of true indicates that PFS should be used. A VALUE A value of true indicates that PFS should be used. A
value of false indicates that PFS should not be used. value of false indicates that PFS should not be used.
6.11.2. The Property UseIKEGroup 6.11.2. The Property UseIKEGroup
The property UseIKEGroup specifies whether or not phase 2 should use The property UseIKEGroup specifies whether or not phase 2 should use
the same key exchange group as was used in phase 1. UseIKEGroup is the same key exchange group as was used in phase 1. UseIKEGroup is
ignored if UsePFS is false. The property is defined as follows: ignored if UsePFS is false. The property is defined as follows:
NAME UseIKEGroup NAME UseIKEGroup
DESCRIPTION Specifies whether or not to use the same GroupId for DESCRIPTION Specifies whether or not to use the same GroupId for
phase 2 as was used in phase 1. If UsePFS is false, phase 2 as was used in phase 1. If UsePFS is false,
then UseIKEGroup is ignored. then UseIKEGroup is ignored.
SYNTAX boolean SYNTAX boolean
VALUE A value of true indicates that the phase 2 GroupId VALUE A value of true indicates that the phase 2 GroupId
should be the same as phase 1. A value of false should be the same as phase 1. A value of false
indicates that the property GroupId will contain the key indicates that the property GroupId will contain the
exchange group to use for phase 2. key exchange group to use for phase 2.
6.11.3. The Property GroupId 6.11.3. The Property GroupId
The property GroupId specifies the key exchange group to use for The property GroupId specifies the key exchange group to use for
phase 2. GroupId is ignored if (1) the property UsePFS is false, or phase 2. GroupId is ignored if (1) the property UsePFS is false, or
(2) the property UsePFS is true and the property UseIKEGroup is true. (2) the property UsePFS is true and the property UseIKEGroup is true.
If the GroupID number is from the vendor-specific range (32768- If the GroupID number is from the vendor-specific range (32768-
65535), the property VendorID qualifies the group number. The 65535), the property VendorID qualifies the group number. The
property is defined as follows: property is defined as follows:
NAME GroupId NAME GroupId
DESCRIPTION Specifies the key exchange group to use for phase 2 when DESCRIPTION Specifies the key exchange group to use for phase 2
the property UsePFS is true and the property UseIKEGroup when the property UsePFS is true and the property
is false. UseIKEGroup is false.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values. VALUE Consult [IKE] for valid values.
6.11.4. The Property Granularity 6.11.4. The Property Granularity
The property Granularity specifies how the selector for the security The property Granularity specifies how the selector for the security
association should be derived from the traffic that triggered the association should be derived from the traffic that triggered the
negotiation. The property is defined as follows: negotiation. The property is defined as follows:
NAME Granularity NAME Granularity
DESCRIPTION Specifies the how the proposed selector for the security DESCRIPTION Specifies how the proposed selector for the
association will be created. security association will be created.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - subnet: the source and destination subnet masks of VALUE 1 - subnet: the source and destination subnet masks
the filter entry are used. of the filter entry are used.
2 - address: only the source and destination IP 2 - address: only the source and destination IP
addresses of the triggering packet are used. addresses of the triggering packet are used.
3 - protocol: the source and destination IP addresses 3 - protocol: the source and destination IP addresses
and the IP protocol of the triggering packet are used. and the IP protocol of the triggering packet are
4 - port: the source and destination IP addresses and used.
the IP protocol and the source and destination layer 4 4 - port: the source and destination IP addresses and
ports of the triggering packet are used. the IP protocol and the source and destination layer
4 ports of the triggering packet are used.
6.11.5. The Property VendorID 6.11.5. The Property VendorID
The property VendorID is used together with the property GroupID The property VendorID is used together with the property GroupID
(when it is in the vendor-specific range) to identify the key (when it is in the vendor-specific range) to identify the key
exchange group. VendorID is ignored unless UsePFS is true and exchange group. VendorID is ignored unless UsePFS is true and
UseIKEGroup is false and GroupID is in the vendor-specific range UseIKEGroup is false and GroupID is in the vendor-specific range
(32768-65535). The property is defined as follows: (32768-65535). The property is defined as follows:
NAME VendorID NAME VendorID
DESCRIPTION Specifies the IKE Vendor ID. DESCRIPTION Specifies the IKE Vendor ID.
SYNTAX string SYNTAX string
6.12. The Class IPsecTransportAction 6.12. The Class IPsecTransportAction
The class IPsecTransportAction is a subclass of IPsecAction that is The class IPsecTransportAction is a subclass of IPsecAction that is
used to specify use of an IPsec transport-mode security association. used to specify use of an IPsec transport-mode security association.
The class definition for IPsecTransportAction is as follows: The class definition for IPsecTransportAction is as follows:
NAME IPsecTransportAction NAME IPsecTransportAction
DESCRIPTION Specifies that an IPsec transport-mode security DESCRIPTION Specifies that an IPsec transport-mode security
association should be negotiated. association should be negotiated.
DERIVED FROM IPsecAction DERIVED FROM IPsecAction
ABSTRACT FALSE ABSTRACT FALSE
6.13. The Class IPsecTunnelAction 6.13. The Class IPsecTunnelAction
The class IPsecTunnelAction is a subclass of IPsecAction that is used
to specify use of an IPsec tunnel-mode security association. The
class definition for IPsecTunnelAction is as follows:
NAME IPsecTunnelAction The class IPsecTunnelAction is a subclass of IPsecAction that is used
DESCRIPTION Specifies that an IPsec tunnel-mode security association to specify use of an IPsec tunnel-mode security association. The
should be negotiated. class definition for IPsecTunnelAction is as follows:
DERIVED FROM IPsecAction
ABSTRACT FALSE NAME IPsecTunnelAction
PROPERTIES DFHandling DESCRIPTION Specifies that an IPsec tunnel-mode security
association should be negotiated.
DERIVED FROM IPsecAction
ABSTRACT FALSE
PROPERTIES DFHandling
6.13.1. The Property DFHandling 6.13.1. The Property DFHandling
The property DFHandling specifies how the tunnel should manage the The property DFHandling specifies how the tunnel should manage the
Don't Fragment (DF) bit. The property is defined as follows: Don't Fragment (DF) bit. The property is defined as follows:
NAME DFHandling NAME DFHandling
DESCRIPTION Specifies how to process the DF bit. DESCRIPTION Specifies how to process the DF bit.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - Copy the DF bit from the internal IP header to the VALUE 1 - Copy the DF bit from the internal IP header to
external IP header. the external IP header.
2 - Set the DF bit of the external IP header to 1. 2 - Set the DF bit of the external IP header to 1.
3 - Clear the DF bit of the external IP header to 0. 3 - Clear the DF bit of the external IP header to 0.
6.14. The Class IKEAction 6.14. The Class IKEAction
The class IKEAction specifies the parameters that are to be used for The class IKEAction specifies the parameters that are to be used for
IKE phase 1 negotiation. The class definition for IKEAction is as IKE phase 1 negotiation. The class definition for IKEAction is as
follows: follows:
NAME IKEAction NAME IKEAction
DESCRIPTION Specifies the IKE phase 1 negotiation parameters. DESCRIPTION Specifies the IKE phase 1 negotiation parameters.
DERIVED FROM IKENegotiationAction DERIVED FROM IKENegotiationAction
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES ExchangeMode PROPERTIES ExchangeMode
UseIKEIdentityType UseIKEIdentityType
VendorID VendorID
AggressiveModeGroupId AggressiveModeGroupId
6.14.1. The Property ExchangeMode 6.14.1. The Property ExchangeMode
The property ExchangeMode specifies which IKE mode should be used for The property ExchangeMode specifies which IKE mode should be used for
IKE phase 1 negotiations. The property is defined as follows: IKE phase 1 negotiations. The property is defined as follows:
NAME ExchangeMode NAME ExchangeMode
DESCRIPTION Specifies the IKE negotiation mode for phase 1. DESCRIPTION Specifies the IKE negotiation mode for phase 1.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - base mode VALUE 1 - base mode
2 - main mode 2 - main mode
4 - aggressive mode 4 - aggressive mode
6.14.2. The Property UseIKEIdentityType 6.14.2. The Property UseIKEIdentityType
The property UseIKEIdentityType specifies what IKE identity type The property UseIKEIdentityType specifies what IKE identity type
should be used when negotiating with the peer. This information is should be used when negotiating with the peer. This information is
used in conjunction with the IKE identities available on the system used in conjunction with the IKE identities available on the system
and the IdentityContexts of the matching IKERule. The property is and the IdentityContexts of the matching IKERule. The property is
defined as follows: defined as follows:
NAME UseIKEIdentityType
DESCRIPTION Specifies the IKE identity to use during negotiation.
SYNTAX unsigned 16-bit integer NAME UseIKEIdentityType
VALUE Consult [DOI] for valid values. DESCRIPTION Specifies the IKE identity to use during negotiation.
SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values.
6.14.3. The Property VendorID 6.14.3. The Property VendorID
The property VendorID specifies the value to be used in the Vendor ID The property VendorID specifies the value to be used in the Vendor ID
payload. The property is defined as follows: payload. The property is defined as follows:
NAME VendorID NAME VendorID
DESCRIPTION Vendor ID Payload. DESCRIPTION Vendor ID Payload.
SYNTAX string SYNTAX string
VALUE A value of NULL means that Vendor ID payload will be VALUE A value of NULL means that Vendor ID payload will be
neither generated nor accepted. A non-NULL value means neither generated nor accepted. A non-NULL value
that a Vendor ID payload will be generated (when acting means that a Vendor ID payload will be generated
as an initiator) or is expected (when acting as a (when acting as an initiator) or is expected (when
responder). acting as a responder).
6.14.4. The Property AggressiveModeGroupId 6.14.4. The Property AggressiveModeGroupId
The property AggressiveModeGroupId specifies which group ID is to be The property AggressiveModeGroupId specifies which group ID is to be
used in the first packets of the phase 1 negotiation. This property used in the first packets of the phase 1 negotiation. This property
is ignored unless the property ExchangeMode is set to 4 (aggressive is ignored unless the property ExchangeMode is set to 4 (aggressive
mode). If the AggressiveModeGroupID number is from the vendor- mode). If the AggressiveModeGroupID number is from the vendor-
specific range (32768-65535), the property VendorID qualifies the specific range (32768-65535), the property VendorID qualifies the
group number. The property is defined as follows: group number. The property is defined as follows:
NAME AggressiveModeGroupId NAME AggressiveModeGroupId
DESCRIPTION Specifies the group ID to be used for aggressive mode. DESCRIPTION Specifies the group ID to be used for aggressive
SYNTAX unsigned 16-bit integer mode.
SYNTAX unsigned 16-bit integer
6.15. The Class PeerGateway 6.15. The Class PeerGateway
The class PeerGateway specifies the security gateway with which the The class PeerGateway specifies the security gateway with which the
IKE services negotiates. The class definition for PeerGateway is as IKE services negotiates. The class definition for PeerGateway is as
follows: follows:
NAME PeerGateway NAME PeerGateway
DESCRIPTION Specifies the security gateway with which to negotiate. DESCRIPTION Specifies the security gateway with which to
DERIVED FROM LogicalElement (see [CIMCORE]) negotiate.
ABSTRACT FALSE DERIVED FROM LogicalElement (see [CIMCORE])
PROPERTIES Name ABSTRACT FALSE
PeerIdentityType PROPERTIES Name
PeerIdentity PeerIdentityType
PeerIdentity
Note: the class PeerIdentityEntry contains more information about the Note: The class PeerIdentityEntry contains more information about the
peer (namely its IP address). peer (namely its IP address).
6.15.1. The Property Name 6.15.1. The Property Name
The property Name specifies a user-friendly name for this security The property Name specifies a user-friendly name for this security
gateway. The property is defined as follows: gateway. The property is defined as follows:
NAME Name NAME Name
DESCRIPTION Specifies a user-friendly name for this security DESCRIPTION Specifies a user-friendly name for this security
gateway. gateway.
SYNTAX string SYNTAX string
6.15.2. The Property PeerIdentityType 6.15.2. The Property PeerIdentityType
The property PeerIdentityType specifies the IKE identity type of the The property PeerIdentityType specifies the IKE identity type of the
security gateway. The property is defined as follows: security gateway. The property is defined as follows:
NAME PeerIdentityType NAME PeerIdentityType
DESCRIPTION Specifies the IKE identity type of the security gateway. DESCRIPTION Specifies the IKE identity type of the security
SYNTAX unsigned 16-bit integer gateway.
VALUE Consult [DOI] for valid values. SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values.
6.15.3. The Property PeerIdentity 6.15.3. The Property PeerIdentity
The property PeerIdentity specifies the IKE identity value of the The property PeerIdentity specifies the IKE identity value of the
security gateway. A conversion may be needed between the security gateway. Based upon the storage chosen for the task-
PeerIdentity string representation and the real value used in the ID specific mapping of the information model, a conversion may be needed
payload (e.g. IP address is to be converted from a dotted decimal from the stored representation of the PeerIdentity string to the real
string into 4 bytes). The property is defined as follows: value used in the ID payload (e.g., IP address is to be converted
from a dotted decimal string into 4 bytes). The property is defined
as follows:
NAME PeerIdentity NAME PeerIdentity
DESCRIPTION Specifies the IKE identity value of the security DESCRIPTION Specifies the IKE identity value of the security
gateway. gateway.
SYNTAX string SYNTAX string
6.16. The Association Class PeerGatewayForTunnel 6.16. The Association Class PeerGatewayForTunnel
The class PeerGatewayForTunnel associates IPsecTunnelActions with an The class PeerGatewayForTunnel associates IPsecTunnelActions with an
ordered list of PeerGateways. The class definition for ordered list of PeerGateways. The class definition for
PeerGatewayForTunnel is as follows: PeerGatewayForTunnel is as follows:
NAME PeerGatewayForTunnel NAME PeerGatewayForTunnel
DESCRIPTION Associates IPsecTunnelActions with an ordered list of DESCRIPTION Associates IPsecTunnelActions with an ordered list of
PeerGateways. PeerGateways.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerGateway[0..n]] PROPERTIES Antecedent [ref PeerGateway[0..n]]
Dependent [ref IPsecTunnelAction[0..n]] Dependent [ref IPsecTunnelAction[0..n]]
SequenceNumber SequenceNumber
6.16.1. The Reference Antecedent 6.16.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n] overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that there an IPsecTunnelAction instance may be cardinality indicates that an IPsecTunnelAction instance may be
associated with zero or more PeerGateway instances. associated with zero or more PeerGateway instances.
Note: the cardinality 0 has a specific meaning: Note: The cardinality 0 has a specific meaning:
- when the IKE service acts as a responder, this means that - when the IKE service acts as a responder, this means that the IKE
the IKE service will accept phase 1 negotiation with any service will accept phase 1 negotiation with any other security
other security gateway; gateway;
- when the IKE service acts as an initiator, this means that
the IKE service will use the destination IP address (of - when the IKE service acts as an initiator, this means that the IKE
the IP packets which triggered the SARule) as the IP service will use the destination IP address (of the IP packets
address of the peer IKE entity. which triggered the SARule) as the IP address of the peer IKE
entity.
6.16.2. The Reference Dependent 6.16.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to an IPsecTunnelAction instance. The [0..n] cardinality to refer to an IPsecTunnelAction instance. The [0..n] cardinality
indicates that a PeerGateway instance may be associated with zero or indicates that a PeerGateway instance may be associated with zero or
more IPsecTunnelAction instances. more IPsecTunnelAction instances.
6.16.3. The Property SequenceNumber 6.16.3. The Property SequenceNumber
The property SequenceNumber specifies the ordering to be used when
evaluating PeerGateway instances for a given IPsecTunnelAction. The
property is defined as follows:
NAME SequenceNumber The property SequenceNumber specifies the ordering to be used when
DESCRIPTION Specifies the order of evaluation for PeerGateways. evaluating PeerGateway instances for a given IPsecTunnelAction. The
SYNTAX unsigned 16-bit integer property is defined as follows:
VALUE Lower values are evaluated first.
NAME SequenceNumber
DESCRIPTION Specifies the order of evaluation for PeerGateways.
SYNTAX unsigned 16-bit integer
VALUE Lower values are evaluated first.
6.17. The Aggregation Class ContainedProposal 6.17. The Aggregation Class ContainedProposal
The class ContainedProposal associates an ordered list of SAProposals The class ContainedProposal associates an ordered list of SAProposals
with the IKENegotiationAction that aggregates it. If the referenced with the IKENegotiationAction that aggregates it. If the referenced
IKENegotiationAction object is an IKEAction, then the referenced IKENegotiationAction object is an IKEAction, then the referenced
SAProposal object(s) must be IKEProposal(s). If the referenced SAProposal object(s) must be IKEProposal(s). If the referenced
IKENegotiationAction object is an IPsecTransportAction or an IKENegotiationAction object is an IPsecTransportAction or an
IPsecTunnelAction, then the referenced SAProposal object(s) must be IPsecTunnelAction, then the referenced SAProposal object(s) must be
IPsecProposal(s). The class definition for ContainedProposal is as IPsecProposal(s). The class definition for ContainedProposal is as
follows: follows:
NAME ContainedProposal NAME ContainedProposal
DESCRIPTION Associates an ordered list of SAProposals with an DESCRIPTION Associates an ordered list of SAProposals with an
IKENegotiationAction. IKENegotiationAction.
DERIVED FROM PolicyComponent (see [PCIM]) DERIVED FROM PolicyComponent (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES GroupComponent[ref IKENegotiationAction[0..n]] PROPERTIES GroupComponent[ref IKENegotiationAction[0..n]]
PartComponent[ref SAProposal[1..n]] PartComponent[ref SAProposal[1..n]]
SequenceNumber SequenceNumber
6.17.1. The Reference GroupComponent 6.17.1. The Reference GroupComponent
- The property GroupComponent is inherited from - The property GroupComponent is inherited from PolicyComponent and
PolicyComponent and is overridden to refer to an is overridden to refer to an IKENegotiationAction instance. The
IKENegotiationAction instance. The [0..n] cardinality [0..n] cardinality indicates that an SAProposal instance may be
indicates that an SAProposal instance may be associated with associated with zero or more IKENegotiationAction instances.
zero or more IKENegotiationAction instances.
6.17.2. The Reference PartComponent 6.17.2. The Reference PartComponent
The property PartComponent is inherited from PolicyComponent and is The property PartComponent is inherited from PolicyComponent and is
overridden to refer to an SAProposal instance. The [1..n] overridden to refer to an SAProposal instance. The [1..n]
cardinality indicates that an IKENegotiationAction instance MUST be cardinality indicates that an IKENegotiationAction instance MUST be
associated with at least one SAProposal instance. associated with at least one SAProposal instance.
6.17.3. The Property SequenceNumber 6.17.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for the The property SequenceNumber specifies the order of preference for the
SAProposals. The property is defined as follows: SAProposals. The property is defined as follows:
NAME SequenceNumber NAME SequenceNumber
DESCRIPTION Specifies the preference order for the SAProposals. DESCRIPTION Specifies the preference order for the SAProposals.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Lower-valued proposals are preferred over proposals with VALUE Lower-valued proposals are preferred over proposals
higher values. For ContainedProposals that reference with higher values. For ContainedProposals that
the same IKENegotiationAction, SequenceNumber values reference the same IKENegotiationAction,
must be unique. SequenceNumber values must be unique.
6.18. The Association Class HostedPeerGatewayInformation 6.18. The Association Class HostedPeerGatewayInformation
The class HostedPeerGatewayInformation weakly associates a The class HostedPeerGatewayInformation weakly associates a
PeerGateway with a System. The class definition for PeerGateway with a System. The class definition for
HostedPeerGatewayInformation is as follows: HostedPeerGatewayInformation is as follows:
NAME HostedPeerGatewayInformation NAME HostedPeerGatewayInformation
DESCRIPTION Weakly associates a PeerGateway with a System. DESCRIPTION Weakly associates a PeerGateway with a System.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref System[1..1]] PROPERTIES Antecedent [ref System[1..1]]
Dependent [ref PeerGateway[0..n] [weak]] Dependent [ref PeerGateway[0..n] [weak]]
6.18.1. The Reference Antecedent 6.18.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerGateway instance MUST be associated with one and indicates that a PeerGateway instance MUST be associated with one and
only one System instance. only one System instance.
6.18.2. The Reference Dependent 6.18.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to a PeerGateway instance. The [0..n] cardinality indicates to refer to a PeerGateway instance. The [0..n] cardinality indicates
that a System instance may be associated with zero or more that a System instance may be associated with zero or more
PeerGateway instances. PeerGateway instances.
6.19. The Association Class TransformOfPreconfiguredAction 6.19. The Association Class TransformOfPreconfiguredAction
The class TransformOfPreconfiguredAction associates a The class TransformOfPreconfiguredAction associates a
PreconfiguredSAAction with two, four or six SATransforms that will be PreconfiguredSAAction with two, four or six SATransforms that will be
applied to the inbound and outbound traffic. The order of applied to the inbound and outbound traffic. The order of
application of the SATransforms is implicitly defined in [IPSEC]. application of the SATransforms is implicitly defined in [IPSEC].
The class definition for TransformOfPreconfiguredAction is as The class definition for TransformOfPreconfiguredAction is as
follows: follows:
NAME TransformOfPreconfiguredAction NAME TransformOfPreconfiguredAction
DESCRIPTION Associates a PreconfiguredSAAction with from one to DESCRIPTION Associates a PreconfiguredSAAction with from one to
three SATransforms. three SATransforms.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref SATransform[2..6]] PROPERTIES Antecedent[ref SATransform[2..6]]
Dependent[ref PreconfiguredSAAction[0..n]] Dependent[ref PreconfiguredSAAction[0..n]]
SPI SPI
Direction Direction
6.19.1. The Reference Antecedent 6.19.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to an SATransform instance. The [2..6] overridden to refer to an SATransform instance. The [2..6]
cardinality indicates that an PreconfiguredSAAction instance may be cardinality indicates that a PreconfiguredSAAction instance may be
associated with from two to six SATransform instances. associated with two to six SATransform instances.
6.19.2. The Reference Dependent 6.19.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to a PreconfiguredSAAction instance. The [0..n] cardinality to refer to a PreconfiguredSAAction instance. The [0..n] cardinality
indicates that an SATransform instance may be associated with zero or indicates that a SATransform instance may be associated with zero or
more PreconfiguredSAAction instances. more PreconfiguredSAAction instances.
6.19.3. The Property SPI 6.19.3. The Property SPI
The property SPI specifies the SPI to be used by the pre-configured The property SPI specifies the SPI to be used by the pre-configured
action for the associated transform. The property is defined as action for the associated transform. The property is defined as
follows: follows:
NAME SPI NAME SPI
DESCRIPTION Specifies the SPI to be used with the SATransform. DESCRIPTION Specifies the SPI to be used with the SATransform.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
6.19.4. The Property Direction 6.19.4. The Property Direction
The property Direction specifies whether the SPI property is for The property Direction specifies whether the SPI property is for
inbound or for outbound traffic. The property is defined as follows: inbound or outbound traffic. The property is defined as follows:
NAME Direction NAME Direction
DESCRIPTION Specifies whether the SA is for inbound or outbound DESCRIPTION Specifies whether the SA is for inbound or outbound
traffic. traffic.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 8-bit integer
VALUE 1 - this SA is for inbound traffic VALUE 1 - this SA is for inbound traffic
2 - this SA is for outbound traffic 2 - this SA is for outbound traffic
6.20 The Association Class PeerGatewayForPreconfiguredTunnel 6.20 The Association Class PeerGatewayForPreconfiguredTunnel
The class PeerGatewayForPreconfiguredTunnel associates zero or one The class PeerGatewayForPreconfiguredTunnel associates zero or one
PeerGateway with multiple PreconfiguredTunnelActions. The class PeerGateways with multiple PreconfiguredTunnelActions. The class
definition for PeerGatewayForPreconfiguredTunnel is as follows: definition for PeerGatewayForPreconfiguredTunnel is as follows:
NAME PeerGatewayForPreconfiguredTunnel NAME PeerGatewayForPreconfiguredTunnel
DESCRIPTION Associates a PeerGateway with multiple DESCRIPTION Associates a PeerGateway with multiple
PreconfiguredTunnelAction. PreconfiguredTunnelActions.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref PeerGateway[0..1]] PROPERTIES Antecedent[ref PeerGateway[0..1]]
Dependent[ref PreconfiguredTunnelAction[0..n]] Dependent[ref PreconfiguredTunnelAction[0..n]]
6.20.1. The Reference Antecedent 6.20.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to an PeerGateway instance. The [0..1] overridden to refer to a PeerGateway instance. The [0..1]
cardinality indicates that an PreconfiguredTunnelAction instance may cardinality indicates that a PreconfiguredTunnelAction instance may
be associated with one PeerGteway instance. be associated with one PeerGteway instance.
6.20.2. The Reference Dependent 6.20.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to a PreconfiguredTunnelAction instance. The [0..n] to refer to a PreconfiguredTunnelAction instance. The [0..n]
cardinality indicates that an PeerGateway instance may be associated cardinality indicates that a PeerGateway instance may be associated
with zero or more PreconfiguredSAAction instances. with zero or more PreconfiguredSAAction instances.
7. Proposal and Transform Classes 7. Proposal and Transform Classes
The proposal and transform classes model the proposal settings an The proposal and transform classes model the proposal settings an
IPsec device will use during IKE phase 1 and 2 negotiations. IPsec device will use during IKE phase 1 and 2 negotiations.
+--------------+*w 1+--------------+ +--------------+*w 1+--------------+
| [SAProposal] |--------| System | | [SAProposal] |--------| System |
+--------------+ (a) | ([CIMCORE]) | +--------------+ (a) | ([CIMCORE]) |
^ +--------------+ ^ +--------------+
| |1 | |1
+----------------------+ | +----------------------+ |
| | | | | |
+-------------+ +---------------+ | +-------------+ +---------------+ |
| IKEProposal | | IPsecProposal | | | IKEProposal | | IPsecProposal | |
+-------------+ +---------------+ | +-------------+ +---------------+ |
*o | *o |
|(b) |(c) |(b) |(c)
n| | n| |
+---------------+*w | +---------------+*w |
| [SATransform] |----+ | [SATransform] |----+
+---------------+ +---------------+
^ ^
| |
+--------------------+-----------+---------+ +--------------------+-----------+---------+
| | | | | |
+-------------+ +--------------+ +----------------+ +-------------+ +--------------+ +----------------+
| AHTransform | | ESPTransform | |IPCOMPTransform | | AHTransform | | ESPTransform | |IPCOMPTransform |
+-------------+ +--------------+ +----------------+ +-------------+ +--------------+ +----------------+
(a) SAProposalInSystem (a) SAProposalInSystem
(b) ContainedTransform (b) ContainedTransform
(c) SATransformInSystem (c) SATransformInSystem
7.1. The Abstract Class SAProposal 7.1. The Abstract Class SAProposal
The abstract class SAProposal serves as the base class for the IKE The abstract class SAProposal serves as the base class for the IKE
and IPsec proposal classes. It specifies the parameters that are and IPsec proposal classes. It specifies the parameters that are
common to the two proposal types. The class definition for common to the two proposal types. The class definition for
SAProposal is as follows: SAProposal is as follows:
NAME SAProposal NAME SAProposal
DESCRIPTION Specifies the common proposal parameters for IKE and DESCRIPTION Specifies the common proposal parameters for IKE and
IPsec security association negotiation. IPsec security association negotiation.
DERIVED FROM Policy ([PCIM]) DERIVED FROM Policy ([PCIM])
ABSTRACT TRUE ABSTRACT TRUE
PROPERTIES Name PROPERTIES Name
7.1.1. The Property Name 7.1.1. The Property Name
The property Name specifies a user-friendly name for the SAProposal. The property Name specifies a user-friendly name for the SAProposal.
The property is defined as follows: The property is defined as follows:
NAME Name NAME Name
DESCRIPTION Specifies a user-friendly name for this proposal. DESCRIPTION Specifies a user-friendly name for this proposal.
SYNTAX string SYNTAX string
7.2. The Class IKEProposal 7.2. The Class IKEProposal
The class IKEProposal specifies the proposal parameters necessary to The class IKEProposal specifies the proposal parameters necessary to
drive an IKE security association negotiation. The class definition drive an IKE security association negotiation. The class definition
for IKEProposal is as follows: for IKEProposal is as follows:
NAME IKEProposal NAME IKEProposal
DESCRIPTION Specifies the proposal parameters for IKE security DESCRIPTION Specifies the proposal parameters for IKE security
association negotiation. association negotiation.
DERIVED FROM SAProposal DERIVED FROM SAProposal
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES CipherAlgorithm PROPERTIES CipherAlgorithm
HashAlgorithm HashAlgorithm
PRFAlgorithm PRFAlgorithm
GroupId GroupId
AuthenticationMethod AuthenticationMethod
MaxLifetimeSeconds MaxLifetimeSeconds
MaxLifetimeKilobytes MaxLifetimeKilobytes
VendorID VendorID
7.2.1. The Property CipherAlgorithm 7.2.1. The Property CipherAlgorithm
The property CipherAlgorithm specifies the proposed phase 1 security The property CipherAlgorithm specifies the proposed phase 1 security
association encryption algorithm. The property is defined as association encryption algorithm. The property is defined as
follows: follows:
NAME CipherAlgorithm NAME CipherAlgorithm
DESCRIPTION Specifies the proposed encryption algorithm for the DESCRIPTION Specifies the proposed encryption algorithm for the
phase 1 security association. phase 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values. VALUE Consult [IKE] for valid values.
7.2.2. The Property HashAlgorithm 7.2.2. The Property HashAlgorithm
The property HashAlgorithm specifies the proposed phase 1 security The property HashAlgorithm specifies the proposed phase 1 security
association hash algorithm. The property is defined as follows: association hash algorithm. The property is defined as follows:
NAME HashAlgorithm NAME HashAlgorithm
DESCRIPTION Specifies the proposed hash algorithm for the phase 1 DESCRIPTION Specifies the proposed hash algorithm for the phase 1
security association. security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values. VALUE Consult [IKE] for valid values.
7.2.3. The Property PRFAlgorithm 7.2.3. The Property PRFAlgorithm
The property PRFAlgorithm specifies the proposed phase 1 security The property PRFAlgorithm specifies the proposed phase 1 security
association pseudo-random function. The property is defined as association pseudo-random function. The property is defined as
follows: follows:
NAME PRFAlgorithm NAME PRFAlgorithm
DESCRIPTION Specifies the proposed pseudo-random function for the DESCRIPTION Specifies the proposed pseudo-random function for the
phase 1 security association. phase 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Currently none defined in [IKE], if [IKE, DOI] are VALUE Currently none defined in [IKE], if [IKE, DOI] are
extended, then the values of [IKE, DOI] are to be used extended, then the values of [IKE, DOI] are to be
for values of PRFAlgorithm. used for values of PRFAlgorithm.
7.2.4. The Property GroupId 7.2.4. The Property GroupId
The property GroupId specifies the proposed phase 1 security The property GroupId specifies the proposed phase 1 security
association key exchange group. This property is ignored for all association key exchange group. This property is ignored for all
aggressive mode exchanges. If the GroupID number is from the vendor- aggressive mode exchanges. If the GroupID number is from the
specific range (32768-65535), the property VendorID qualifies the vendor-specific range (32768-65535), the property VendorID qualifies
group number. The property is defined as follows: the group number. The property is defined as follows:
NAME GroupId
DESCRIPTION Specifies the proposed key exchange group for the phase
1 security association.
SYNTAX unsigned 16-bit integer NAME GroupId
VALUE Consult [IKE] for valid values. DESCRIPTION Specifies the proposed key exchange group for the
phase 1 security association.
SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values.
Note: the value of this property is to be ignored when doing Note: The value of this property is to be ignored in aggressive mode.
aggressive mode.
7.2.5. The Property AuthenticationMethod 7.2.5. The Property AuthenticationMethod
The property AuthenticationMethod specifies the proposed phase 1 The property AuthenticationMethod specifies the proposed phase 1
authentication method. The property is defined as follows: authentication method. The property is defined as follows:
NAME AuthenticationMethod NAME AuthenticationMethod
DESCRIPTION Specifies the proposed authentication method for the DESCRIPTION Specifies the proposed authentication method for the
phase 1 security association. phase 1 security association.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 0 - a special value that indicates that this particular VALUE 0 - a special value that indicates that this
proposal should be repeated once for each authentication particular proposal should be repeated once for each
method that corresponds to the credentials installed on authentication method that corresponds to the
the machine. For example, if the system has a pre- credentials installed on the machine. For example,
shared key and a certificate, a proposal list could be if the system has a pre-shared key and a certificate,
constructed which includes a proposal that specifies a proposal list could be constructed that includes a
pre-shared key and proposals for any of the public-key proposal that specifies a pre-shared key and
authentication methods. proposals for any of the public-key authentication
Consult [IKE] for valid values. methods. Consult [IKE] for valid values.
7.2.6. The Property MaxLifetimeSeconds 7.2.6. The Property MaxLifetimeSeconds
The property MaxLifetimeSeconds specifies the maximum time, in The property MaxLifetimeSeconds specifies the proposed maximum time,
seconds, to propose that a security association will remain valid in seconds, that a security association will remain valid after its
after its creation. The property is defined as follows: creation. The property is defined as follows:
NAME MaxLifetimeSeconds NAME MaxLifetimeSeconds
DESCRIPTION Specifies the maximum time to propose a security DESCRIPTION Specifies the proposed maximum time that a
association remain valid. security association will remain valid.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 64-bit integer
VALUE A value of zero indicates that the default of 8 hours be VALUE A value of zero indicates that the default of 8
used. A non-zero value indicates the maximum seconds hours be used. A non-zero value indicates the
lifetime. maximum seconds lifetime.
Note: While IKE can negotiate the lifetime as an arbitrary length
field, the authors have assumed that a 64-bit integer will be
sufficient.
7.2.7. The Property MaxLifetimeKilobytes 7.2.7. The Property MaxLifetimeKilobytes
The property MaxLifetimeKilobytes specifies the maximum kilobyte The property MaxLifetimeKilobytes specifies the proposed maximum
lifetime to propose that a security association will remain valid kilobyte lifetime that a security association will remain valid after
after its creation. The property is defined as follows: its creation. The property is defined as follows:
NAME MaxLifetimeKilobytes NAME MaxLifetimeKilobytes
DESCRIPTION Specifies the maximum kilobyte lifetime to propose a DESCRIPTION Specifies the proposed maximum kilobyte lifetime
security association remain valid. that a security association will remain valid.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 64-bit integer
VALUE A value of zero indicates that there should be no VALUE A value of zero indicates that there should be no
maximum kilobyte lifetime. A non-zero value specifies maximum kilobyte lifetime. A non-zero value
the desired kilobyte lifetime. specifies the desired kilobyte lifetime.
Note: While IKE can negotiate the lifetime as an arbitrary length
field, the authors have assumed that a 64-bit integer will be
sufficient.
7.2.8. The Property VendorID 7.2.8. The Property VendorID
The property VendorID further qualifies the key exchange group. The The property VendorID further qualifies the key exchange group. The
property is ignored unless the exchange is not in aggressive mode and property is ignored unless the exchange is not in aggressive mode and
the property GroupID is in the vendor-specific range. The property the property GroupID is in the vendor-specific range. The property
is defined as follows: is defined as follows:
NAME VendorID NAME VendorID
DESCRIPTION Specifies the Vendor ID to further qualify the key DESCRIPTION Specifies the Vendor ID to further qualify the key
exchange group. exchange group.
SYNTAX string SYNTAX string
7.3. The Class IPsecProposal 7.3. The Class IPsecProposal
The class IPsecProposal adds no new properties, but inherits proposal The class IPsecProposal adds no new properties, but inherits proposal
properties from SAProposal as well as aggregating the security properties from SAProposal, as well as aggregating the security
association transforms necessary for building an IPsec proposal (see association transforms necessary for building an IPsec proposal (see
the aggregation class ContainedTransform). The class definition for the aggregation class ContainedTransform). The class definition for
IPsecProposal is as follows: IPsecProposal is as follows:
NAME IPsecProposal NAME IPsecProposal
DESCRIPTION Specifies the proposal parameters for IPsec security DESCRIPTION Specifies the proposal parameters for IPsec security
association negotiation. association negotiation.
DERIVED FROM SAProposal DERIVED FROM SAProposal
ABSTRACT FALSE ABSTRACT FALSE
7.4. The Abstract Class SATransform 7.4. The Abstract Class SATransform
The abstract class SATransform serves as the base class for the IPsec The abstract class SATransform serves as the base class for the IPsec
transforms that can be used to compose an IPsec proposal or to be transforms that can be used to compose an IPsec proposal or to be
used as a pre-configured action. The class definition for used as a pre-configured action. The class definition for
SATransform is as follows: SATransform is as follows:
NAME SATransform NAME SATransform
DESCRIPTION Base class for the different IPsec transforms. DESCRIPTION Base class for the different IPsec transforms.
ABSTRACT TRUE ABSTRACT TRUE
PROPERTIES CommonName (from Policy) PROPERTIES CommonName (from Policy)
VendorID VendorID
MaxLifetimeSeconds MaxLifetimeSeconds
MaxLifetimeKilobytes MaxLifetimeKilobytes
7.4.1. The Property CommonName 7.4.1. The Property CommonName
The property CommonName is inherited from Policy [PCIM] and specifies The property CommonName is inherited from Policy [PCIM] and specifies
a user-friendly name for the SATransform. The property is defined as a user-friendly name for the SATransform. The property is defined as
follows: follows:
NAME CommonName NAME CommonName
DESCRIPTION Specifies a user-friendly name for this Policy-related DESCRIPTION Specifies a user-friendly name for this Policy-
object. related object.
SYNTAX string SYNTAX string
7.4.2. The Property VendorID 7.4.2. The Property VendorID
The property VendorID specifies the vendor ID for vendor-defined The property VendorID specifies the vendor ID for vendor-defined
transforms. The property is defined as follows: transforms. The property is defined as follows:
NAME VendorID NAME VendorID
DESCRIPTION Specifies the vendor ID for vendor-defined transforms. DESCRIPTION Specifies the vendor ID for vendor-defined
SYNTAX string transforms.
VALUE An empty VendorID string indicates that the transform is SYNTAX string
a standard one. VALUE An empty VendorID string indicates that the transform
is a standard one.
7.4.3. The Property MaxLifetimeSeconds 7.4.3. The Property MaxLifetimeSeconds
The property MaxLifetimeSeconds specifies the maximum time, in The property MaxLifetimeSeconds specifies the proposed maximum time,
seconds, to propose that a security association will remain valid in seconds, that a security association will remain valid after its
after its creation. The property is defined as follows: creation. The property is defined as follows:
NAME MaxLifetimeSeconds NAME MaxLifetimeSeconds
DESCRIPTION Specifies the maximum time to propose a security DESCRIPTION Specifies the proposed maximum time that a
association remain valid. security association will remain valid.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 64-bit integer
VALUE A value of zero indicates that the default of 8 hours be VALUE A value of zero indicates that the default of 8 hours
used. A non-zero value indicates the maximum seconds be used. A non-zero value indicates the maximum
lifetime. seconds lifetime.
Note: While IKE can negotiate the lifetime as an arbitrary length
field, the authors have assumed that a 64-bit integer will be
sufficient.
7.4.4. The Property MaxLifetimeKilobytes 7.4.4. The Property MaxLifetimeKilobytes
The property MaxLifetimeKilobytes specifies the maximum kilobyte The property MaxLifetimeKilobytes specifies the proposed maximum
lifetime to propose that a security association will remain valid kilobyte lifetime that a security association will remain valid after
after its creation. The property is defined as follows: its creation. The property is defined as follows:
NAME MaxLifetimeKilobytes NAME MaxLifetimeKilobytes
DESCRIPTION Specifies the maximum kilobyte lifetime to propose a DESCRIPTION Specifies the proposed maximum kilobyte lifetime
security association remain valid. that a security association will remain valid.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 64-bit integer
VALUE A value of zero indicates that there should be no VALUE A value of zero indicates that there should be no
maximum kilobyte lifetime. A non-zero value specifies maximum kilobyte lifetime. A non-zero value
the desired kilobyte lifetime. specifies the desired kilobyte lifetime.
Note: While IKE can negotiate the lifetime as an arbitrary length
field, the authors have assumed that a 64-bit integer will be
sufficient.
7.5. The Class AHTransform 7.5. The Class AHTransform
The class AHTransform specifies the AH algorithm to propose during The class AHTransform specifies the AH algorithm to propose during
IPsec security association negotiation. The class definition for IPsec security association negotiation. The class definition for
AHTransform is as follows: AHTransform is as follows:
NAME AHTransform NAME AHTransform
DESCRIPTION Specifies the AH algorithm to propose. DESCRIPTION Specifies the proposed AH algorithm.
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES AHTransformId PROPERTIES AHTransformId
UseReplayPrevention UseReplayPrevention
ReplayPreventionWindowSize ReplayPreventionWindowSize
7.5.1. The Property AHTransformId 7.5.1. The Property AHTransformId
The property AHTransformId specifies the transform ID of the AH The property AHTransformId specifies the transform ID of the AH
algorithm to propose. The property is defined as follows: algorithm. The property is defined as follows:
NAME AHTransformId NAME AHTransformId
DESCRIPTION Specifies the transform ID of the AH algorithm. DESCRIPTION Specifies the transform ID of the AH algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values. VALUE Consult [DOI] for valid values.
7.5.2. The Property UseReplayPrevention 7.5.2. The Property UseReplayPrevention
The property UseReplayPrevention specifies whether replay prevention The property UseReplayPrevention specifies whether replay prevention
detection is to be used. The property is defined as follows: detection is to be used. The property is defined as follows:
NAME UseReplayPrevention NAME UseReplayPrevention
DESCRIPTION Specifies whether to enable replay prevention detection. DESCRIPTION Specifies whether to enable replay prevention
SYNTAX boolean detection.
VALUE true - replay prevention detection is enabled. SYNTAX boolean
false - replay prevention detection is disabled. VALUE true - replay prevention detection is enabled.
false - replay prevention detection is disabled.
7.5.3. The Property ReplayPreventionWindowSize 7.5.3. The Property ReplayPreventionWindowSize
The property ReplayPreventionWindowSize specifies, in bits, the The property ReplayPreventionWindowSize specifies, in bits, the
length of the sliding window used by the replay prevention detection length of the sliding window used by the replay prevention detection
mechanism. The value of this property is meaningless if mechanism. The value of this property is meaningless if
UseReplayPrevention is false. It is assumed that the window size will UseReplayPrevention is false. It is assumed that the window size
be power of 2. The property is defined as follows: will be power of 2. The property is defined as follows:
NAME ReplayPreventionWindowSize NAME ReplayPreventionWindowSize
DESCRIPTION Specifies the length of the window used by replay DESCRIPTION Specifies the length of the window used by the replay
prevention detection mechanism. prevention detection mechanism.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
7.6. The Class ESPTransform 7.6. The Class ESPTransform
The class ESPTransform specifies the ESP algorithms to propose during The class ESPTransform specifies the ESP algorithms to propose
IPsec security association negotiation. The class definition for during IPsec security association negotiation. The class definition
ESPTransform is as follows: for ESPTransform is as follows:
NAME ESPTransform NAME ESPTransform
DESCRIPTION Specifies the ESP algorithms to propose. DESCRIPTION Specifies the proposed ESP algorithms.
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES IntegrityTransformId PROPERTIES IntegrityTransformId
CipherTransformId CipherTransformId
CipherKeyLength CipherKeyLength
CipherKeyRounds CipherKeyRounds
UseReplayPrevention UseReplayPrevention
ReplayPreventionWindowSize ReplayPreventionWindowSize
7.6.1. The Property IntegrityTransformId 7.6.1. The Property IntegrityTransformId
The property IntegrityTransformId specifies the transform ID of the The property IntegrityTransformId specifies the transform ID of the
ESP integrity algorithm to propose. The property is defined as ESP integrity algorithm. The property is defined as follows:
follows:
NAME IntegrityTransformId NAME IntegrityTransformId
DESCRIPTION Specifies the transform ID of the ESP integrity DESCRIPTION Specifies the transform ID of the ESP integrity
algorithm. algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values. VALUE Consult [DOI] for valid values.
7.6.2. The Property CipherTransformId 7.6.2. The Property CipherTransformId
The property CipherTransformId specifies the transform ID of the ESP The property CipherTransformId specifies the transform ID of the ESP
encryption algorithm to propose. The property is defined as follows: encryption algorithm. The property is defined as follows:
NAME CipherTransformId NAME CipherTransformId
DESCRIPTION Specifies the transform ID of the ESP encryption DESCRIPTION Specifies the transform ID of the ESP encryption
algorithm. algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values. VALUE Consult [DOI] for valid values.
7.6.3. The Property CipherKeyLength 7.6.3. The Property CipherKeyLength
The property CipherKeyLength specifies, in bits, the key length for The property CipherKeyLength specifies, in bits, the key length for
the ESP encryption algorithm. For encryption algorithms that use the ESP encryption algorithm. For encryption algorithms that use a
fixed-length keys, this value is ignored. The property is defined as fixed-length keys, this value is ignored. The property is defined as
follows: follows:
NAME CipherKeyLength NAME CipherKeyLength
DESCRIPTION Specifies the ESP encryption key length in bits. DESCRIPTION Specifies the ESP encryption key length in bits.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
7.6.4. The Property CipherKeyRounds 7.6.4. The Property CipherKeyRounds
The property CipherKeyRounds specifies the number of key rounds for The property CipherKeyRounds specifies the number of key rounds for
the ESP encryption algorithm. For encryption algorithms that use the ESP encryption algorithm. For encryption algorithms that use
fixed number of key rounds, this value is ignored. The property is fixed number of key rounds, this value is ignored. The property is
defined as follows: defined as follows:
NAME CipherKeyRounds NAME CipherKeyRounds
DESCRIPTION Specifies the number of key rounds for the ESP DESCRIPTION Specifies the number of key rounds for the ESP
encryption algorithm. encryption algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Currently, key rounds are not defined for any ESP VALUE Currently, key rounds are not defined for any ESP
encryption algorithms. encryption algorithms.
7.6.5. The Property UseReplayPrevention 7.6.5. The Property UseReplayPrevention
The property UseReplayPrevention specifies whether replay prevention The property UseReplayPrevention specifies whether replay prevention
detection is to be used. The property is defined as follows: detection is to be used. The property is defined as follows:
NAME UseReplayPrevention NAME UseReplayPrevention
DESCRIPTION Specifies whether to enable replay prevention detection. DESCRIPTION Specifies whether to enable replay prevention
SYNTAX boolean detection.
VALUE true - replay prevention detection is enabled. SYNTAX boolean
false - replay prevention detection is disabled. VALUE true - replay prevention detection is enabled.
false - replay prevention detection is disabled.
7.6.6. The Property ReplayPreventionWindowSize 7.6.6. The Property ReplayPreventionWindowSize
The property ReplayPreventionWindowSize specifies, in bits, the The property ReplayPreventionWindowSize specifies, in bits, the
length of the sliding window used by the replay prevention detection length of the sliding window used by the replay prevention detection
mechanism. The value of this property is meaningless if mechanism. The value of this property is meaningless if
UseReplayPrevention is false. It is assumed that the window size will UseReplayPrevention is false. It is assumed that the window size
be power of 2. The property is defined as follows: will be power of 2. The property is defined as follows:
NAME ReplayPreventionWindowSize NAME ReplayPreventionWindowSize
DESCRIPTION Specifies the length of the window used by replay DESCRIPTION Specifies the length of the window used by the replay
prevention detection mechanism. prevention detection mechanism.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
7.7. The Class IPCOMPTransform 7.7. The Class IPCOMPTransform
The class IPCOMPTransform specifies the IP compression (IPCOMP) The class IPCOMPTransform specifies the IP compression (IPCOMP)
algorithm to propose during IPsec security association negotiation. algorithm to propose during IPsec security association negotiation.
The class definition for IPCOMPTransform is as follows: The class definition for IPCOMPTransform is as follows:
NAME IPCOMPTransform NAME IPCOMPTransform
DESCRIPTION Specifies the IPCOMP algorithm to propose. DESCRIPTION Specifies the proposed IPCOMP algorithm.
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Algorithm PROPERTIES Algorithm
DictionarySize DictionarySize
PrivateAlgorithm PrivateAlgorithm
7.7.1. The Property Algorithm 7.7.1. The Property Algorithm
The property Algorithm specifies the transform ID of the IPCOMP The property Algorithm specifies the transform ID of the IPCOMP
compression algorithm to propose. The property is defined as compression algorithm. The property is defined as follows:
follows:
NAME Algorithm NAME Algorithm
DESCRIPTION Specifies the transform ID of the IPCOMP compression DESCRIPTION Specifies the transform ID of the IPCOMP compression
algorithm. algorithm.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 1 - OUI: a vendor specific algorithm is used and VALUE 1 - OUI: a vendor specific algorithm is used and
specified in the property PrivateAlgorithm. Consult specified in the property PrivateAlgorithm. Consult
[DOI] for other valid values. [DOI] for other valid values.
7.7.2. The Property DictionarySize 7.7.2. The Property DictionarySize
The property DictionarySize specifies the log2 maximum size of the
dictionary for the compression algorithm. For compression algorithms
that have pre-defined dictionary sizes, this value is ignored. The
property is defined as follows:
NAME DictionarySize The property DictionarySize specifies the log2 maximum size of the
DESCRIPTION Specifies the log2 maximum size of the dictionary. dictionary for the compression algorithm. For compression algorithms
SYNTAX unsigned 16-bit integer that have pre-defined dictionary sizes, this value is ignored. The
property is defined as follows:
NAME DictionarySize
DESCRIPTION Specifies the log2 maximum size of the dictionary.
SYNTAX unsigned 16-bit integer
7.7.3. The Property PrivateAlgorithm 7.7.3. The Property PrivateAlgorithm
The property PrivateAlgorithm specifies a private vendor-specific The property PrivateAlgorithm specifies a private vendor-specific
compression algorithm. This value is only used when the property compression algorithm. This value is only used when the property
Algorithm is 1 (OUI). The property is defined as follows: Algorithm is 1 (OUI). The property is defined as follows:
NAME PrivateAlgorithm NAME PrivateAlgorithm
DESCRIPTION Specifies a private vendor-specific compression DESCRIPTION Specifies a private vendor-specific compression
algorithm. algorithm.
SYNTAX unsigned 32-bit integer SYNTAX unsigned 32-bit integer
7.8. The Association Class SAProposalInSystem 7.8. The Association Class SAProposalInSystem
The class SAProposalInSystem weakly associates SAProposals with a The class SAProposalInSystem weakly associates SAProposals with a
System. The class definition for SAProposalInSystem is as follows: System. The class definition for SAProposalInSystem is as follows:
NAME SAProposalInSystem NAME SAProposalInSystem
DESCRIPTION Weakly associates SAProposals with a System. DESCRIPTION Weakly associates SAProposals with a System.
DERIVED FROM PolicyInSystem (see [PCIM]) DERIVED FROM PolicyInSystem (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref System [1..1]] PROPERTIES Antecedent[ref System [1..1]]
Dependent[ref SAProposal[0..n] [weak]] Dependent[ref SAProposal[0..n] [weak]]
7.8.1. The Reference Antecedent 7.8.1. The Reference Antecedent
The property Antecedent is inherited from PolicyInSystem and is The property Antecedent is inherited from the PolicyInSystem and is
overridden to refer to a System instance. The [1..1] cardinality overridden to refer to a System instance. The [1..1] cardinality
indicates that an SAProposal instance MUST be associated with one and indicates that an SAProposal instance MUST be associated with one and
only one System instance. only one System instance.
7.8.2. The Reference Dependent 7.8.2. The Reference Dependent
The property Dependent is inherited from PolicyInSystem and is The property Dependent is inherited from PolicyInSystem and is
overridden to refer to an SAProposal instance. The [0..n] overridden to refer to an SAProposal instance. The [0..n]
cardinality indicates that a System instance may be associated with cardinality indicates that a System instance may be associated with
zero or more SAProposal instances. zero or more SAProposal instances.
7.9. The Aggregation Class ContainedTransform 7.9. The Aggregation Class ContainedTransform
The class ContainedTransform associates an IPsecProposal with the set The class ContainedTransform associates an IPsecProposal with the set
of SATransforms that make up the proposal. If multiple transforms of of SATransforms that make up the proposal. If multiple transforms of
the same type are in a proposal, then they are to be logically ORed the same type are in a proposal, then they are to be logically ORed
and the order of preference is dictated by the SequenceNumber and the order of preference is dictated by the SequenceNumber
property. Sets of transforms of different types are logically ANDed. property. Sets of transforms of different types are logically ANDed.
For example, if the ordered proposal list were
ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) } For example, if the ordered proposal list were
AH = { MD5, SHA-1 }
then the one sending the proposal would want the other side to pick ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND one AH = { MD5, SHA-1 }
from the AH transform list (preferably MD5).
The class definition for ContainedTransform is as follows: then the one sending the proposal would want the other side to pick
one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND one
from the AH transform list (preferably MD5).
NAME ContainedTransform The class definition for ContainedTransform is as follows:
DESCRIPTION Associates an IPsecProposal with the set of SATransforms
that make up the proposal. NAME ContainedTransform
DERIVED FROM PolicyComponent (see [PCIM]) DESCRIPTION Associates an IPsecProposal with the set of
ABSTRACT FALSE SATransforms that make up the proposal.
PROPERTIES GroupComponent[ref IPsecProposal[0..n]] DERIVED FROM PolicyComponent (see [PCIM])
PartComponent[ref SATransform[1..n]] ABSTRACT FALSE
SequenceNumber PROPERTIES GroupComponent[ref IPsecProposal[0..n]]
PartComponent[ref SATransform[1..n]]
SequenceNumber
7.9.1. The Reference GroupComponent 7.9.1. The Reference GroupComponent
The property GroupComponent is inherited from PolicyComponent and is The property GroupComponent is inherited from PolicyComponent and is
overridden to refer to an IPsecProposal instance. The [0..n] overridden to refer to an IPsecProposal instance. The [0..n]
cardinality indicates that an SATransform instance may be associated cardinality indicates that an SATransform instance may be associated
with zero or more IPsecProposal instances. with zero or more IPsecProposal instances.
7.9.2. The Reference PartComponent 7.9.2. The Reference PartComponent
The property PartComponent is inherited from PolicyComponent and is The property PartComponent is inherited from PolicyComponent and is
overridden to refer to an SATransform instance. The [1..n] overridden to refer to an SATransform instance. The [1..n]
cardinality indicates that an IPsecProposal instance MUST be cardinality indicates that an IPsecProposal instance MUST be
associated with at least one SATransform instance. associated with at least one SATransform instance.
7.9.3. The Property SequenceNumber 7.9.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for the The property SequenceNumber specifies the order of preference for the
SATransforms of the same type. The property is defined as follows: SATransforms of the same type. The property is defined as follows:
NAME SequenceNumber NAME SequenceNumber
DESCRIPTION Specifies the preference order for the SATransforms of DESCRIPTION Specifies the preference order for the SATransforms
the same type. of the same type.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE Lower-valued transforms are preferred over transforms of VALUE Lower-valued transforms are preferred over transforms
the same type with higher values. For of the same type with higher values. For
ContainedTransforms that reference the same ContainedTransforms that reference the same
IPsecProposal, SequenceNumber values must be unique. IPsecProposal, SequenceNumber values must be unique.
7.10. The Association Class SATransformInSystem 7.10. The Association Class SATransformInSystem
The class SATransformInSystem weakly associates SATransforms with a The class SATransformInSystem weakly associates SATransforms with a
System. The class definition for SATransformInSystem System is as System. The class definition for SATransformInSystem System is as
follows: follows:
NAME SATransformInSystem NAME SATransformInSystem
DESCRIPTION Weakly associates SATransforms with a System. DESCRIPTION Weakly associates SATransforms with a System.
DERIVED FROM PolicyInSystem (see [PCIM]) DERIVED FROM PolicyInSystem (see [PCIM])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent[ref System[1..1]] PROPERTIES Antecedent[ref System[1..1]]
Dependent[ref SATransform[0..n] [weak]] Dependent[ref SATransform[0..n] [weak]]
7.10.1. The Reference Antecedent 7.10.1. The Reference Antecedent
The property Antecedent is inherited from PolicyInSystem and is The property Antecedent is inherited from PolicyInSystem and is
overridden to refer to a System instance. The [1..1] cardinality overridden to refer to a System instance. The [1..1] cardinality
indicates that an SATransform instance MUST be associated with one indicates that an SATransform instance MUST be associated with one
and only one System instance. and only one System instance.
7.10.2. The Reference Dependent 7.10.2. The Reference Dependent
The property Dependent is inherited from PolicyInSystem and is
overridden to refer to an SATransform instance. The [0..n] The property Dependent is inherited from PolicyInSystem and is
cardinality indicates that a System instance may be associated with overridden to refer to an SATransform instance. The [0..n]
zero or more SATransform instances. cardinality indicates that a System instance may be associated with
zero or more SATransform instances.
8. IKE Service and Identity Classes 8. IKE Service and Identity Classes
+--------------+ +-------------------+ +--------------+ +-------------------+
| System | | PeerIdentityEntry | | System | | PeerIdentityEntry |
| ([CIMCORE]) | +-------------------+ | ([CIMCORE]) | +-------------------+
+--------------+ |*w +--------------+ |*w
1| (a) (b) | 1| (a) (b) |
+---+ +------------+ +---+ +------------+
| | | |
|*w 1 o |*w 1 o
+-------------+ +-------------------+ +---------------------+ +-------------+ +-------------------+ +---------------------+
| PeerGateway | | PeerIdentityTable | | AutostartIKESetting | | PeerGateway | | PeerIdentityTable | | AutostartIKESetting |
+-------------+ +-------------------+ +---------------------+ +-------------+ +-------------------+ +---------------------+
*| *| *| *| *| *| *| *|
+----------------------+ |(d) +----------+ | +----------------------+ |(d) +----------+ |
(c) *| *| *| (e) | (c) *| *| *| (e) |
*+------------+* |(f) *+------------+* |(f)
+-----------------| IKEService |-----+ | +-----------------| IKEService |-----+ |
| (g) +------------+ |(h) | | (g) +------------+ |(h) |
0..1| *| *| *o 0..1| *| *| *o
+--------------------+ | +---------------------------+ +--------------------+ | +---------------------------+
| IPProtocolEndpoint | | | AutostartIKEConfiguration | | IPProtocolEndpoint | | | AutostartIKEConfiguration |
| ([CIMNETWORK]) | (i)| +---------------------------+ | ([CIMNETWORK]) | (i)| +---------------------------+
+--------------------+ | +--------------------+ |
0..1| | 0..1| |
|(j) +----------------+ |(j) +----------------+
*| |* *| |*
+-------------+* (k) +------------+ +-----------------------------+ +-------------+* (k) +------------+ +-----------------------------+
| IKEIdentity |-------| Collection | | CredentialManagementService | | IKEIdentity |-------| Collection | | CredentialManagementService |
+-------------+ 0..1| ([CIMCORE])| | ([CIMUSER]) | +-------------+ 0..1| ([CIMCORE])| | ([CIMUSER]) |
*| +------------+ +-----------------------------+ *| +------------+ +-----------------------------+
|(l) |(l)
*| *|
+--------------+ +--------------+
| Credential | | Credential |
| ([CIMUSER]) | | ([CIMUSER]) |
+--------------+ +--------------+
(a) HostedPeerIdentityTable (a) HostedPeerIdentityTable
(b) PeerIdentityMember (b) PeerIdentityMember
(c) IKEServicePeerGateway (c) IKEServicePeerGateway
(d) IKEServicePeerIdentityTable (d) IKEServicePeerIdentityTable
(e) IKEAutostartSetting (e) IKEAutostartSetting
(f) AutostartIKESettingContext (f) AutostartIKESettingContext
(g) IKEServiceForEndpoint (g) IKEServiceForEndpoint
(h) IKEAutostartConfiguration (h) IKEAutostartConfiguration
(i) IKEUsesCredentialManagementService (i) IKEUsesCredentialManagementService
(j) EndpointHasLocalIKEIdentity (j) EndpointHasLocalIKEIdentity
(k) CollectionHasLocalIKEIdentity (k) CollectionHasLocalIKEIdentity
(l) IKEIdentitysCredential (l) IKEIdentitysCredential
This portion of the model contains additional information that is This portion of the model contains additional information that is
useful in applying the policy. The IKEService class MAY be used to useful in applying the policy. The IKEService class MAY be used to
represent the IKE negotiation function in a system. The IKEService represent the IKE negotiation function in a system. The IKEService
uses the various tables that contain information about IKE peers as uses the various tables that contain information about IKE peers as
well as the configuration for specifying security associations that well as the configuration for specifying security associations that
are started automatically. The information in the PeerGateway, are started automatically. The information in the PeerGateway,
PeerIdentityTable and related classes is necessary to completely PeerIdentityTable and related classes is necessary to completely
specify the policies. specify the policies.
An interface (represented by an IPProtocolEndpoint) has an IKEService An interface (represented by an IPProtocolEndpoint) has an IKEService
that provides the negotiation services for that interface. That that provides the negotiation services for that interface. That
service MAY also have a list of security associations automatically service MAY also have a list of security associations automatically
started at the time the IKE service is initialized. started at the time the IKE service is initialized.
The IKEService also has a set of identities that it may use in The IKEService also has a set of identities that it may use in
negotiations with its peers. Those identities are associated with negotiations with its peers. Those identities are associated with
the interfaces (or collections of interfaces). the interfaces (or collections of interfaces).
8.1. The Class IKEService 8.1. The Class IKEService
The class IKEService represents the IKE negotiation function. An The class IKEService represents the IKE negotiation function. An
instance of this service may provide that negotiation service for one instance of this service may provide that negotiation service for one
or more interfaces (represented by the IPProtocolEndpoint class) of a or more interfaces (represented by the IPProtocolEndpoint class) of a
System. There may be multiple instances of IKE services on a System System. There may be multiple instances of IKE services on a System
but only one per interface. The class definition for IKEService is but only one per interface. The class definition for IKEService is
as follows: as follows:
NAME IKEService NAME IKEService
DESCRIPTION IKEService is used to represent the IKE negotiation DESCRIPTION IKEService is used to represent the IKE negotiation
function. function.
DERIVED FROM Service (see [CIMCORE]) DERIVED FROM Service (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
8.2. The Class PeerIdentityTable 8.2. The Class PeerIdentityTable
The class PeerIdentityTable aggregates the table entries that provide The class PeerIdentityTable aggregates the table entries that provide
mappings between identities and their addresses. The class mappings between identities and their addresses. The class
definition for PeerIdentityTable is as follows: definition for PeerIdentityTable is as follows:
NAME PeerIdentityTable NAME PeerIdentityTable
DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry instances DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry
to provide a table of identity-address mappings. instances to provide a table of identity-address
DERIVED FROM Collection (see [CIMCORE]) mappings.
ABSTRACT FALSE DERIVED FROM Collection (see [CIMCORE])
PROPERTIES Name ABSTRACT FALSE
PROPERTIES Name
8.2.1. The Property Name 8.2.1. The Property Name
The property Name uniquely identifies the table. The property is The property Name uniquely identifies the table. The property is
defined as follows: defined as follows:
NAME Name NAME Name
DESCRIPTION Name uniquely identifies the table. DESCRIPTION Name uniquely identifies the table.
SYNTAX string SYNTAX string
8.3. The Class PeerIdentityEntry 8.3. The Class PeerIdentityEntry
The class PeerIdentityEntry specifies the mapping between peer The class PeerIdentityEntry specifies the mapping between peer
identity and their IP address. The class definition for identity and their IP address. The class definition for
PeerIdentityEntry is as follows: PeerIdentityEntry is as follows:
NAME PeerIdentityEntry
DESCRIPTION PeerIdentityEntry provides a mapping between a peer's
identity and address.
DERIVED FROM LogicalElement (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES PeerIdentity
PeerIdentityType
PeerAddress
PeerAddressType
The pre-shared key to be used with this peer (if applicable) is NAME PeerIdentityEntry
contained in an instance of the class SharedSecret (see [CIMUSER]). DESCRIPTION PeerIdentityEntry provides a mapping between a peer's
identity and address.
DERIVED FROM LogicalElement (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES PeerIdentity
PeerIdentityType
PeerAddress
PeerAddressType
The pre-shared key is stored in the property Secret, the property The pre-shared key to be used with this peer (if applicable) is
protocol contains "IKE", the property algorithm contains the contained in an instance of the class SharedSecret (see [CIMUSER]).
algorithm used to protect the secret (can be "PLAINTEXT" if the IPsec The pre-shared key is stored in the property Secret, the property
entity has no secret storage), the value of property RemoteID must protocol contains "IKE", the property algorithm contains the
match the PeerIdentity property of the PeerIdentityEntry instance algorithm used to protect the secret (can be "PLAINTEXT" if the IPsec
describing the IKE peer. entity has no secret storage), the value of property RemoteID must
match the PeerIdentity property of the PeerIdentityEntry instance
describing the IKE peer.
8.3.1. The Property PeerIdentity 8.3.1. The Property PeerIdentity
The property PeerIdentity contains a string encoding of the Identity The property PeerIdentity contains a string encoding of the Identity
payload for the IKE peer. The property is defined as follows: payload for the IKE peer. The property is defined as follows:
NAME PeerIdentity NAME PeerIdentity
DESCRIPTION The PeerIdentity is the ID payload of a peer. DESCRIPTION The PeerIdentity is the ID payload of a peer.
SYNTAX string SYNTAX string
8.3.2. The Property PeerIdentityType 8.3.2. The Property PeerIdentityType
The property PeerIdentityType is an enumeration that specifies the The property PeerIdentityType is an enumeration that specifies the
type of the PeerIdentity. The property is defined as follows: type of the PeerIdentity. The property is defined as follows:
NAME PeerIdentityType NAME PeerIdentityType
DESCRIPTION PeerIdentityType is the type of the ID payload of a DESCRIPTION PeerIdentityType is the type of the ID payload of a
peer. peer.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE The enumeration values are specified in [DOI] section VALUE The enumeration values are specified in [DOI] section
4.6.2.1. 4.6.2.1.
8.3.3. The Property PeerAddress 8.3.3. The Property PeerAddress
The property PeerAddress specifies the string representation of the The property PeerAddress specifies the string representation of the
IP address of the peer formatted according to the appropriate IP address of the peer formatted according to the appropriate
convention as defined in the PeerAddressType property (e.g., dotted convention as defined in the PeerAddressType property (e.g., dotted
decimal notation). The property is defined as follows: decimal notation). The property is defined as follows:
NAME PeerAddress NAME PeerAddress
DESCRIPTION PeerAddress is the address of the peer with the ID DESCRIPTION PeerAddress is the address of the peer with the ID
payload. payload.
SYNTAX string SYNTAX string
VALUE String representation of an IPv4 or IPv6 address. VALUE String representation of an IPv4 or IPv6 address.
8.3.4. The Property PeerAddressType 8.3.4. The Property PeerAddressType
The property PeerAddressType specifies the format of the PeerAddress The property PeerAddressType specifies the format of the PeerAddress
property value. The property is defined as follows: property value. The property is defined as follows:
NAME PeerAddressType NAME PeerAddressType
DESCRIPTION PeerAddressType is the type of address in PeerAddress. DESCRIPTION PeerAddressType is the type of address in
SYNTAX unsigned 16-bit integer PeerAddress.
VALUE 0 - Unknown SYNTAX unsigned 16-bit integer
1 - IPv4 VALUE 0 - Unknown
2 - IPv6 1 - IPv4
2 - IPv6
8.4. The Class AutostartIKEConfiguration 8.4. The Class AutostartIKEConfiguration
The class AutostartIKEConfiguration groups AutostartIKESetting The class AutostartIKEConfiguration groups AutostartIKESetting
instances into configuration sets. When applied, the settings cause instances into configuration sets. When applied, the settings cause
an IKE service to automatically start (negotiate or statically set as an IKE service to automatically start (negotiate or statically set as
appropriate) the Security Associations. The class definition for appropriate) the Security Associations. The class definition for
AutostartIKEConfiguration is as follows: AutostartIKEConfiguration is as follows:
NAME AutostartIKEConfiguration NAME AutostartIKEConfiguration
DESCRIPTION A configuration set of AutostartIKESetting instances to DESCRIPTION A configuration set of AutostartIKESetting instances
be automatically started by the IKE service. to be automatically started by the IKE service.
DERIVED FROM SystemConfiguration (see [CIMCORE]) DERIVED FROM SystemConfiguration (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
8.5. The Class AutostartIKESetting 8.5. The Class AutostartIKESetting
The class AutostartIKESetting is used to automatically initiate IKE The class AutostartIKESetting is used to automatically initiate IKE
negotiations with peers (or statically create an SA) as specified in negotiations with peers (or statically create an SA) as specified in
the AutostartIKESetting properties. Appropriate actions are the AutostartIKESetting properties. Appropriate actions are
initiated according to the policy that matches the setting initiated according to the policy that matches the setting
parameters. The class definition for AutostartIKESetting is as parameters. The class definition for AutostartIKESetting is as
follows: follows:
NAME AutostartIKESetting NAME AutostartIKESetting
DESCRIPTION AutostartIKESetting is used to automatically initiate DESCRIPTION AutostartIKESetting is used to automatically initiate
IKE negotiations with peers or statically create an SA. IKE negotiations with peers or statically create an
DERIVED FROM SystemSetting (see [CIMCORE]) SA.
ABSTRACT FALSE DERIVED FROM SystemSetting (see [CIMCORE])
PROPERTIES Phase1Only ABSTRACT FALSE
AddressType PROPERTIES Phase1Only
SourceAddress AddressType
SourcePort SourceAddress
DestinationAddress SourcePort
DestinationPort DestinationAddress
Protocol DestinationPort
Protocol
8.5.1. The Property Phase1Only 8.5.1. The Property Phase1Only
The property Phase1Only is used to limit the IKE negotiation to a The property Phase1Only is used to limit the IKE negotiation to a
phase 1 SA establishment only. When set to False, both phase 1 and phase 1 SA establishment only. When set to False, both phase 1 and
phase 2 SAs are negotiated. phase 2 SAs are negotiated. The property is defined as follows:
The property is defined as follows:
NAME Phase1Only NAME Phase1Only
DESCRIPTION Used to indicate which security associations to attempt DESCRIPTION Used to indicate whether a phase 1 only or both phase
to establish (phase 1 only, or phase 1 and 2). 1 and phase 2 security associations should attempt
SYNTAX boolean establishment.
VALUE true - attempt to establish a phase 1 security SYNTAX boolean
association VALUE true - attempt to establish a phase 1 security
false - attempt to establish phase 1 and phase 2 association
security associations false - attempt to establish phase 1 and phase 2
security associations
8.5.2. The Property AddressType 8.5.2. The Property AddressType
The property AddressType specifies type of the addresses in the The property AddressType specifies a type of the addresses in the
SourceAddress and DestinationAddress properties. The property is SourceAddress and DestinationAddress properties. The property is
defined as follows: defined as follows:
NAME AddressType NAME AddressType
DESCRIPTION AddressType is the type of address in SourceAddress and DESCRIPTION AddressType is the type of address in SourceAddress
DestinationAddress properties. and DestinationAddress properties.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE 0 - Unknown VALUE 0 - Unknown
1 - IPv4 1 - IPv4
2 - IPv6 2 - IPv6
8.5.3. The Property SourceAddress 8.5.3. The Property SourceAddress
The property SourceAddress specifies the dotted-decimal or colon- The property SourceAddress specifies the dotted-decimal or colon-
decimal formatted IP address used as the source address in comparing decimal formatted IP address used as the source address in comparing
with policy filter entries and used in any phase 2 negotiations. The with policy filter entries and used in any phase 2 negotiations. The
property is defined as follows: property is defined as follows:
NAME SourceAddress NAME SourceAddress
DESCRIPTION The source address to compare with the filters to DESCRIPTION The source address to compare with the filters to
determine the appropriate policy rule. determine the appropriate policy rule.
SYNTAX string SYNTAX string
VALUE dotted-decimal or colon-decimal formatted IP address VALUE dotted-decimal or colon-decimal formatted IP address
8.5.4. The Property SourcePort 8.5.4. The Property SourcePort
The property SourcePort specifies the port number used as the source The property SourcePort specifies the port number used as the source
port in comparing with policy filter entries and used in any phase 2 port in comparing policy filter entries and is used in any phase 2
negotiations. The property is defined as follows: negotiations. The property is defined as follows:
NAME SourcePort NAME SourcePort
DESCRIPTION The source port to compare with the filters to determine DESCRIPTION The source port to compare with the filters to
the appropriate policy rule. determine the appropriate policy rule.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
8.5.5. The Property DestinationAddress 8.5.5. The Property DestinationAddress
The property DestinationAddress specifies the dotted-decimal or The property DestinationAddress specifies the dotted-decimal or
colon-decimal formatted IP address used as the destination address in colon-decimal formatted IP address used as the destination address in
comparing with policy filter entries and used in any phase 2 comparing policy filter entries and is used in any phase 2
negotiations. The property is defined as follows: negotiations. The property is defined as follows:
NAME DestinationAddress NAME DestinationAddress
DESCRIPTION The destination address to compare with the filters to DESCRIPTION The destination address to compare with the filters
determine the appropriate policy rule. to determine the appropriate policy rule.
SYNTAX string
VALUE dotted-decimal or colon-decimal formatted IP address SYNTAX string
VALUE dotted-decimal or colon-decimal formatted IP address
8.5.6. The Property DestinationPort 8.5.6. The Property DestinationPort
The property DestinationPort specifies the port number used as the The property DestinationPort specifies the port number used as the
destination port in comparing with policy filter entries and used in destination port in comparing policy filter entries and is used in
any phase 2 negotiations. The property is defined as follows: any phase 2 negotiations. The property is defined as follows:
NAME DestinationPort NAME DestinationPort
DESCRIPTION The destination port to compare with the filters to DESCRIPTION The destination port to compare with the filters to
determine the appropriate policy rule. determine the appropriate policy rule.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
8.5.7. The Property Protocol 8.5.7. The Property Protocol
The property Protocol specifies the protocol number used in comparing The property Protocol specifies the protocol number used in comparing
with policy filter entries and used in any phase 2 negotiations. The with policy filter entries and is used in any phase 2 negotiations.
property is defined as follows: The property is defined as follows:
NAME Protocol NAME Protocol
DESCRIPTION The protocol number used in comparing with policy filter DESCRIPTION The protocol number used in comparing policy
entries. filter entries.
SYNTAX unsigned 8-bit integer SYNTAX unsigned 8-bit integer
8.6. The Class IKEIdentity 8.6. The Class IKEIdentity
The class IKEIdentity is used to represent the identities that may be The class IKEIdentity is used to represent the identities that may be
used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints)
to identify the IKE Service in IKE phase 1 negotiations. The policy to identify the IKE Service in IKE phase 1 negotiations. The policy
IKEAction.UseIKEIdentityType specifies which type of the available IKEAction.UseIKEIdentityType specifies which type of the available
identities to use in a negotiation exchange and the identities to use in a negotiation exchange and the
IKERule.IdentityContexts specifies the match values to be used, along IKERule.IdentityContexts specifies the match values to be used, along
with the local address, in selecting the appropriate identity for a with the local address, in selecting the appropriate identity for a
negotiation. The ElementID property value (defined in the parent negotiation. The ElementID property value (defined in the parent
class, UsersAccess) should be that of either the IPProtocolEndpoint class, UsersAccess) should be that of either the IPProtocolEndpoint
or Collection of endpoints as appropriate. The class definition for or Collection of endpoints as appropriate. The class definition for
IKEIdentity is as follows: IKEIdentity is as follows:
NAME IKEIdentity NAME IKEIdentity
DESCRIPTION IKEIdentity is used to represent the identities that may DESCRIPTION IKEIdentity is used to represent the identities that
be used for an IPProtocolEndpoint (or collection of may be used for an IPProtocolEndpoint (or collection
IPProtocolEndpoints) to identify the IKE Service in IKE of IPProtocolEndpoints) to identify the IKE Service
phase 1 negotiations. in IKE phase 1 negotiations.
DERIVED FROM UsersAccess (see [CIMUSER]) DERIVED FROM UsersAccess (see [CIMUSER])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES IdentityType PROPERTIES IdentityType
IdentityValue IdentityValue
IdentityContexts IdentityContexts
8.6.1. The Property IdentityType 8.6.1. The Property IdentityType
The property IdentityType is an enumeration that specifies the type The property IdentityType is an enumeration that specifies the type
of the IdentityValue. The property is defined as follows: of the IdentityValue. The property is defined as follows:
NAME IdentityType NAME IdentityType
DESCRIPTION IdentityType is the type of the IdentityValue. DESCRIPTION IdentityType is the type of the IdentityValue.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
VALUE The enumeration values are specified in [DOI] section VALUE The enumeration values are specified in [DOI] section
4.6.2.1. 4.6.2.1.
8.6.2. The Property IdentityValue 8.6.2. The Property IdentityValue
The property IdentityValue contains a string encoding of the Identity The property IdentityValue contains a string encoding of the Identity
payload. For IKEIdentity instances that are address types (i.e. IPv4 payload. For IKEIdentity instances that are address types (i.e.,
or IPv6 addresses), the IdentityValue string value MAY be omitted; IPv4 or IPv6 addresses), the IdentityValue string value MAY be
then the associated IPProtocolEndpoint (or appropriate member of the omitted; then the associated IPProtocolEndpoint (or appropriate
Collection of endpoints) is used as the identity value. The property member of the Collection of endpoints) is used as the identity value.
is defined as follows: The property is defined as follows:
NAME IdentityValue NAME IdentityValue
DESCRIPTION IdentityValue contains a string encoding of the Identity DESCRIPTION IdentityValue contains a string encoding of the
payload. Identity payload.
SYNTAX string SYNTAX string
8.6.3. The Property IdentityContexts 8.6.3. The Property IdentityContexts
The IdentityContexts property is used to constrain the use of The IdentityContexts property is used to constrain the use of
IKEIdentity instances to match that specified in the IKEIdentity instances to match that specified in the
IKERule.IdentityContexts. The IdentityContexts are formatted as IKERule.IdentityContexts. The IdentityContexts are formatted as
policy roles and role combinations [PCIM] & [PCIMe]. Each value policy roles and role combinations [PCIM] & [PCIME]. Each value
represents one context or context combination. Since this is a represents one context or context combination. Since this is a
multi-valued property, more than one context or combination of multi-valued property, more than one context or combination of
contexts can be associated with a single IKEIdentity. Each value is contexts can be associated with a single IKEIdentity. Each value is
a string of the form: <ContextName>[&&<ContextName>]* a string of the form:
where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). If one or more
values in the IKERule.IdentityContexts array match one or more
IKEIdentity.IdentityContexts then the identity's context matches.
(That is, each value of the IdentityContext array is an ORed
condition.) In combination with the address of the
IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
exactly one IKEIdentity. The property is defined as follows:
NAME IdentityContexts <ContextName>[&&<ContextName>]*
DESCRIPTION The IKE service of a security endpoint may have multiple
identities for use in different situations. The where the individual context names appear in alphabetical order
combination of the interface (represented by (according to the collating sequence for UCS-2). If one or more
the IPProtocolEndpoint), the identity type (as specified values in the IKERule.IdentityContexts array match one or more
in the IKEAction) and the IdentityContexts selects a IKEIdentity.IdentityContexts, then the identity's context matches.
unique identity. (That is, each value of the IdentityContext array is an ORed
SYNTAX string array condition.) In combination with the address of the
VALUE string of the form <ContextName>[&&<ContextName>]* IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
exactly one IKEIdentity. The property is defined as follows:
NAME IdentityContexts
DESCRIPTION The IKE service of a security endpoint may have
multiple identities for use in different situations.
The combination of the interface (represented by
the IPProtocolEndpoint), the identity type (as
specified in the IKEAction) and the IdentityContexts
selects a unique identity.
SYNTAX string array
VALUE string of the form <ContextName>[&&<ContextName>]*
8.7. The Association Class HostedPeerIdentityTable 8.7. The Association Class HostedPeerIdentityTable
The class HostedPeerIdentityTable provides the name scoping The class HostedPeerIdentityTable provides the name scoping
relationship for PeerIdentityTable entries in a System. The relationship for PeerIdentityTable entries in a System. The
PeerIdentityTable is weak to the System. The class definition for PeerIdentityTable is weak to the System. The class definition for
HostedPeerIdentityTable is as follows: HostedPeerIdentityTable is as follows:
NAME HostedPeerIdentityTable NAME HostedPeerIdentityTable
DESCRIPTION The PeerIdentityTable instances are weak (name scoped DESCRIPTION The PeerIdentityTable instances are weak (name scoped
by) the owning System. by) the owning System.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref System[1..1]] PROPERTIES Antecedent [ref System[1..1]]
Dependent [ref PeerIdentityTable[0..n] [weak]] Dependent [ref PeerIdentityTable[0..n] [weak]]
8.7.1. The Reference Antecedent 8.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerIdentityTable instance MUST be associated in a indicates that a PeerIdentityTable instance MUST be associated in a
weak relationship with one and only one System instance. weak relationship with one and only one System instance.
8.7.2. The Reference Dependent 8.7.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to a PeerIdentityTable instance. The [0..n] cardinality to refer to a PeerIdentityTable instance. The [0..n] cardinality
indicates that a System instance may be associated with zero or more indicates that a System instance may be associated with zero or more
PeerIdentityTable instances. PeerIdentityTable instances.
8.8. The Aggregation Class PeerIdentityMember 8.8. The Aggregation Class PeerIdentityMember
The class PeerIdentityMember aggregates PeerIdentityEntry instances The class PeerIdentityMember aggregates PeerIdentityEntry instances
into a PeerIdentityTable. This is a weak aggregation. The class into a PeerIdentityTable. This is a weak aggregation. The class
definition for PeerIdentityMember is as follows: definition for PeerIdentityMember is as follows:
NAME PeerIdentityMember NAME PeerIdentityMember
DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry
instances into a PeerIdentityTable. instances into a PeerIdentityTable.
DERIVED FROM MemberOfCollection (see [CIMCORE]) DERIVED FROM MemberOfCollection (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Collection [ref PeerIdentityTable[1..1]] PROPERTIES Collection [ref PeerIdentityTable[1..1]]
Member [ref PeerIdentityEntry [0..n] [weak]] Member [ref PeerIdentityEntry [0..n] [weak]]
8.8.1. The Reference Collection 8.8.1. The Reference Collection
The property Collection is inherited from MemberOfCollection and is The property Collection is inherited from MemberOfCollection and is
overridden to refer to a PeerIdentityTable instance. The [1..1] overridden to refer to a PeerIdentityTable instance. The [1..1]
cardinality indicates that a PeerIdentityEntry instance MUST be cardinality indicates that a PeerIdentityEntry instance MUST be
associated with one and only one PeerIdentityTable instance (i.e., associated with one and only one PeerIdentityTable instance (i.e.,
PeerIdentityEntry instances are not shared across PeerIdentityEntry instances are not shared across
PeerIdentityTables). PeerIdentityTables).
8.8.2. The Reference Member 8.8.2. The Reference Member
The property Member is inherited from MemberOfCollection and is The property Member is inherited from MemberOfCollection and is
overridden to refer to a PeerIdentityEntry instance. The [0..n] overridden to refer to a PeerIdentityEntry instance. The [0..n]
cardinality indicates that a PeerIdentityTable instance may be cardinality indicates that a PeerIdentityTable instance may be
associated with zero or more PeerIdentityEntry instances. associated with zero or more PeerIdentityEntry instances.
8.9. The Association Class IKEServicePeerGateway 8.9. The Association Class IKEServicePeerGateway
The class IKEServicePeerGateway provides the association between an The class IKEServicePeerGateway provides the association between an
IKEService and the list of PeerGateway instances that it uses in IKEService and the list of PeerGateway instances that it uses in
negotiating with security gateways. The class definition for negotiating with security gateways. The class definition for
IKEServicePeerGateway is as follows: IKEServicePeerGateway is as follows:
NAME IKEServicePeerGateway NAME IKEServicePeerGateway
DESCRIPTION Associates an IKEService and the list of PeerGateway DESCRIPTION Associates an IKEService and the list of PeerGateway
instances that it uses in negotiating with security instances that it uses in negotiating with security
gateways. gateways.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerGateway[0..n]] PROPERTIES Antecedent [ref PeerGateway[0..n]]
Dependent [ref IKEService[0..n]] Dependent [ref IKEService[0..n]]
8.9.1. The Reference Antecedent 8.9.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n] overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that an IKEService instance may be associated cardinality indicates that an IKEService instance may be associated
with zero or more PeerGateway instances. with zero or more PeerGateway instances.
8.9.2. The Reference Dependent 8.9.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates to refer to an IKEService instance. The [0..n] cardinality indicates
that a PeerGateway instance may be associated with zero or more that a PeerGateway instance may be associated with zero or more
IKEService instances. IKEService instances.
8.10. The Association Class IKEServicePeerIdentityTable 8.10. The Association Class IKEServicePeerIdentityTable
The class IKEServicePeerIdentityTable provides the relationship The class IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it uses to map between an IKEService and a PeerIdentityTable that it uses to map
between addresses and identities as required. The class definition between addresses and identities as required. The class definition
for IKEServicePeerIdentityTable is as follows: for IKEServicePeerIdentityTable is as follows:
NAME IKEServicePeerIdentityTable NAME IKEServicePeerIdentityTable
DESCRIPTION IKEServicePeerIdentityTable provides the relationship DESCRIPTION IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it between an IKEService and a PeerIdentityTable that it
uses. uses.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerIdentityTable[0..n]] PROPERTIES Antecedent [ref PeerIdentityTable[0..n]]
Dependent [ref IKEService[0..n]] Dependent [ref IKEService[0..n]]
8.10.1. The Reference Antecedent 8.10.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerIdentityTable instance. The [0..n] overridden to refer to a PeerIdentityTable instance. The [0..n]
cardinality indicates that an IKEService instance may be associated cardinality indicates that an IKEService instance may be associated
with zero or more PeerIdentityTable instances. with zero or more PeerIdentityTable instances.
8.10.2. The Reference Dependent 8.10.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates The property Dependent is inherited from Dependency and is overridden
that a PeerIdentityTable instance may be associated with zero or more to refer to an IKEService instance. The [0..n] cardinality indicates
IKEService instances. that a PeerIdentityTable instance may be associated with zero or more
IKEService instances.
8.11. The Association Class IKEAutostartSetting 8.11. The Association Class IKEAutostartSetting
The class IKEAutostartSetting associates an AutostartIKESetting with The class IKEAutostartSetting associates an AutostartIKESetting with
an IKEService that may use it to automatically start an IKE an IKEService that may use it to automatically start an IKE
negotiation or create a static SA. The class definition for negotiation or create a static SA. The class definition for
IKEAutostartSetting is as follows: IKEAutostartSetting is as follows:
NAME IKEAutostartSetting NAME IKEAutostartSetting
DESCRIPTION Associates a AutostartIKESetting with an IKEService. DESCRIPTION Associates a AutostartIKESetting with an IKEService.
DERIVED FROM ElementSetting (see [CIMCORE]) DERIVED FROM ElementSetting (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Element [ref IKEService[0..n]] PROPERTIES Element [ref IKEService[0..n]]
Setting [ref AutostartIKESetting[0..n]] Setting [ref AutostartIKESetting[0..n]]
8.11.1. The Reference Element 8.11.1. The Reference Element
The property Element is inherited from ElementSetting and is The property Element is inherited from ElementSetting and is
overridden to refer to an IKEService instance. The [0..n] overridden to refer to an IKEService instance. The [0..n]
cardinality indicates an AutostartIKESetting instance may be cardinality indicates an AutostartIKESetting instance may be
associated with zero or more IKEService instances. associated with zero or more IKEService instances.
8.11.2. The Reference Setting 8.11.2. The Reference Setting
The property Setting is inherited from ElementSetting and is The property Setting is inherited from ElementSetting and is
overridden to refer to an AutostartIKESetting instance. The [0..n] overridden to refer to an AutostartIKESetting instance. The [0..n]
cardinality indicates that an IKEService instance may be associated cardinality indicates that an IKEService instance may be associated
with zero or more AutostartIKESetting instances. with zero or more AutostartIKESetting instances.
8.12. The Aggregation Class AutostartIKESettingContext 8.12. The Aggregation Class AutostartIKESettingContext
The class AutostartIKESettingContext aggregates the settings used to The class AutostartIKESettingContext aggregates the settings used to
automatically start negotiations or create a static SA into a automatically start negotiations or create a static SA into a
configuration set. The class definition for configuration set. The class definition for
AutostartIKESettingContext is as follows: AutostartIKESettingContext is as follows:
NAME AutostartIKESettingContext NAME AutostartIKESettingContext
DESCRIPTION AutostartIKESettingContext aggregates the DESCRIPTION AutostartIKESettingContext aggregates the
AutostartIKESetting instances into a configuration set. AutostartIKESetting instances into a configuration
DERIVED FROM SystemSettingContext (see [CIMCORE]) set.
ABSTRACT FALSE DERIVED FROM SystemSettingContext (see [CIMCORE])
PROPERTIES Context [ref AutostartIKEConfiguration [0..n]] ABSTRACT FALSE
Setting [ref AutostartIKESetting [0..n]] PROPERTIES Context [ref AutostartIKEConfiguration [0..n]]
SequenceNumber Setting [ref AutostartIKESetting [0..n]]
SequenceNumber
8.12.1. The Reference Context 8.12.1. The Reference Context
The property Context is inherited from SystemSettingContext and is The property Context is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKEConfiguration instance. The overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an AutostartIKESetting instance may [0..n] cardinality indicates that an AutostartIKESetting instance may
be associated with zero or more AutostartIKEConfiguration instances be associated with zero or more AutostartIKEConfiguration instances
(i.e., a setting may be in multiple configuration sets). (i.e., a setting may be in multiple configuration sets).
8.12.2. The Reference Setting 8.12.2. The Reference Setting
The property Setting is inherited from SystemSettingContext and is The property Setting is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKESetting instance. The [0..n] overridden to refer to an AutostartIKESetting instance. The [0..n]
cardinality indicates that an AutostartIKEConfiguration instance may cardinality indicates that an AutostartIKEConfiguration instance may
be associated with zero or more AutostartIKESetting instances. be associated with zero or more AutostartIKESetting instances.
8.12.3. The Property SequenceNumber 8.12.3. The Property SequenceNumber
The property SequenceNumber specifies indicates the ordering to be The property SequenceNumber specifies the ordering to be used when
used when starting negotiations or creating a static SA. A zero starting negotiations or creating a static SA. A zero value
value indicates that order is not significant and settings may be indicates that order is not significant and settings may be applied
applied in parallel with other settings. All other settings in the in parallel with other settings. All other settings in the
configuration are executed in sequence from lower values to high. configuration are executed in sequence from lower to higher values.
Sequence numbers need not be unique in an AutostartIKEConfiguration Sequence numbers need not be unique in an AutostartIKEConfiguration
and order is not significant for settings with the same sequence and order is not significant for settings with the same sequence
number. The property is defined as follows: number. The property is defined as follows:
NAME SequenceNumber NAME SequenceNumber
DESCRIPTION The sequence in which the settings are applied within a DESCRIPTION The sequence in which the settings are applied
configuration set. within a configuration set.
SYNTAX unsigned 16-bit integer SYNTAX unsigned 16-bit integer
8.13. The Association Class IKEServiceForEndpoint 8.13. The Association Class IKEServiceForEndpoint
The class IKEServiceForEndpoint provides the association showing The class IKEServiceForEndpoint provides the association showing
which IKE service, if any, provides IKE negotiation services for which IKE service, if any, provides IKE negotiation services for
which network interfaces. The class definition for which network interfaces. The class definition for
IKEServiceForEndpoint is as follows: IKEServiceForEndpoint is as follows:
NAME IKEServiceForEndpoint NAME IKEServiceForEndpoint
DESCRIPTION Associates an IPProtocolEndpoint with an IKEService that DESCRIPTION Associates an IPProtocolEndpoint with an IKEService
provides negotiation services for the endpoint. that provides negotiation services for the endpoint.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref IKEService[0..1]] PROPERTIES Antecedent [ref IKEService[0..1]]
Dependent [ref IPProtocolEndpoint[0..n]] Dependent [ref IPProtocolEndpoint[0..n]]
8.13.1. The Reference Antecedent 8.13.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..1] overridden to refer to an IKEService instance. The [0..1]
cardinality indicates that an IPProtocolEndpoint instance MUST by cardinality indicates that an IPProtocolEndpoint instance MUST by
associated with at most one IKEService instance. associated with at most one IKEService instance.
8.13.2. The Reference Dependent 8.13.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to an IPProtocolEndpoint that is associated with at most one to refer to an IPProtocolEndpoint that is associated with at most one
IKEService. The [0..n] cardinality indicates an IKEService instance IKEService. The [0..n] cardinality indicates an IKEService instance
may be associated with zero or more IPProtocolEndpoint instances. may be associated with zero or more IPProtocolEndpoint instances.
8.14. The Association Class IKEAutostartConfiguration 8.14. The Association Class IKEAutostartConfiguration
The class IKEAutostartConfiguration provides the relationship between The class IKEAutostartConfiguration provides the relationship between
an IKEService and a configuration set that it uses to automatically an IKEService and a configuration set that it uses to automatically
start a set of SAs. The class definition for start a set of SAs. The class definition for
IKEAutostartConfiguration is as follows: IKEAutostartConfiguration is as follows:
NAME IKEAutostartConfiguration NAME IKEAutostartConfiguration
DESCRIPTION IKEAutostartConfiguration provides the relationship DESCRIPTION IKEAutostartConfiguration provides the relationship
between an IKEService and an AutostartIKEConfiguration between an IKEService and an
that it uses to automatically start a set of SAs. AutostartIKEConfiguration that it uses to
DERIVED FROM Dependency (see [CIMCORE]) automatically start a set of SAs.
ABSTRACT FALSE DERIVED FROM Dependency (see [CIMCORE])
PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]] ABSTRACT FALSE
Dependent [ref IKEService [0..n]] PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]]
Active Dependent [ref IKEService [0..n]]
Active
8.14.1. The Reference Antecedent 8.14.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to an AutostartIKEConfiguration instance. The overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an IKEService instance may be [0..n] cardinality indicates that an IKEService instance may be
associated with zero or more AutostartIKEConfiguration instances. associated with zero or more AutostartIKEConfiguration instances.
8.14.2. The Reference Dependent 8.14.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates to refer to an IKEService instance. The [0..n] cardinality indicates
that an AutostartIKEConfiguration instance may be associated with that an AutostartIKEConfiguration instance may be associated with
zero or more IKEService instances. zero or more IKEService instances.
8.14.3. The Property Active 8.14.3. The Property Active
The property Active specifies indicates whether the The property Active indicates whether the AutostartIKEConfiguration
AutostartIKEConfiguration set is currently active for the associated set is currently active for the associated IKEService. That is, at
IKEService. That is, at boot time, the active configuration is used boot time, the active configuration is used to automatically start
to automatically start IKE negotiations and create static SAs. The IKE negotiations and create static SAs. The property is defined as
property is defined as follows: follows:
NAME Active NAME Active
DESCRIPTION Active indicates whether the AutostartIKEConfiguration DESCRIPTION Active indicates whether the
set is currently active for the associated IKEService. AutostartIKEConfiguration set is currently active for
SYNTAX boolean the associated IKEService.
VALUE true - AutostartIKEConfiguration is currently active for SYNTAX boolean
associated IKEService. VALUE true - AutostartIKEConfiguration is currently active
false - AutostartIKEConfiguration is currently inactive for associated IKEService.
for associated IKEService. false - AutostartIKEConfiguration is currently
inactive for associated IKEService.
8.15. The Association Class IKEUsesCredentialManagementService 8.15. The Association Class IKEUsesCredentialManagementService
The class IKEUsesCredentialManagementService defines the set of The class IKEUsesCredentialManagementService defines the set of
CredentialManagementService(s) that are trusted sources of CredentialManagementService(s) that are trusted sources of
credentials for IKE phase 1 negotiations. The class definition for credentials for IKE phase 1 negotiations. The class definition for
IKEUsesCredentialManagementService is as follows: IKEUsesCredentialManagementService is as follows:
NAME IKEUsesCredentialManagementService NAME IKEUsesCredentialManagementService
DESCRIPTION Associates the set of CredentialManagementService(s) DESCRIPTION Associates the set of CredentialManagementService(s)
that are trusted by the IKEService as sources of that are trusted by the IKEService as sources of
credentials used in IKE phase 1 negotiations. credentials used in IKE phase 1 negotiations.
DERIVED FROM Dependency (see [CIMCORE]) DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref CredentialManagementService [0..n]] PROPERTIES Antecedent [ref CredentialManagementService [0..n]]
Dependent [ref IKEService [0..n]] Dependent [ref IKEService [0..n]]
8.15.1. The Reference Antecedent 8.15.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an IKEService instance may be [0..n] cardinality indicates that an IKEService instance may be
associated with zero or more CredentialManagementService instances. associated with zero or more CredentialManagementService instances.
8.15.2. The Reference Dependent 8.15.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates to refer to an IKEService instance. The [0..n] cardinality indicates
that a CredentialManagementService instance may be associated with that a CredentialManagementService instance may be associated with
zero or more IKEService instances. zero or more IKEService instances.
8.16. The Association Class EndpointHasLocalIKEIdentity 8.16. The Association Class EndpointHasLocalIKEIdentity
The class EndpointHasLocalIKEIdentity associates an The class EndpointHasLocalIKEIdentity associates an
IPProtocolEndpoint with a set of IKEIdentity instances that may be IPProtocolEndpoint with a set of IKEIdentity instances that may be
used in negotiating security associations on the endpoint. An used in negotiating security associations on the endpoint. An
IKEIdentity MUST be associated with either an IPProtocolEndpoint IKEIdentity MUST be associated with either an IPProtocolEndpoint
using this association or with a collection of IKEIdentity instances using this association or with a collection of IKEIdentity instances
using the CollectionHasLocalIKEIdentity association. The class using the CollectionHasLocalIKEIdentity association. The class
definition for EndpointHasLocalIKEIdentity is as follows: definition for EndpointHasLocalIKEIdentity is as follows:
NAME EndpointHasLocalIKEIdentity NAME EndpointHasLocalIKEIdentity
DESCRIPTION EndpointHasLocalIKEIdentity associates an DESCRIPTION EndpointHasLocalIKEIdentity associates an
IPProtocolEndpoint with a set of IKEIdentity instances. IPProtocolEndpoint with a set of IKEIdentity
DERIVED FROM ElementAsUser (see [CIMUSER]) instances.
ABSTRACT FALSE DERIVED FROM ElementAsUser (see [CIMUSER])
PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]] ABSTRACT FALSE
Dependent [ref IKEIdentity [0..n]] PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]]
Dependent [ref IKEIdentity [0..n]]
8.16.1. The Reference Antecedent 8.16.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is The property Antecedent is inherited from ElementAsUser and is
overridden to refer to an IPProtocolEndpoint instance. The [0..1] overridden to refer to an IPProtocolEndpoint instance. The [0..1]
cardinality indicates that an IKEIdentity instance MUST be associated cardinality indicates that an IKEIdentity instance MUST be associated
with at most one IPProtocolEndpoint instance. with at most one IPProtocolEndpoint instance.
8.16.2. The Reference Dependent 8.16.2. The Reference Dependent
The property Dependent is inherited from ElementAsUser and is The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n] overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that an IPProtocolEndpoint instance may be cardinality indicates that an IPProtocolEndpoint instance may be
associated with zero or more IKEIdentity instances. associated with zero or more IKEIdentity instances.
8.17. The Association Class CollectionHasLocalIKEIdentity 8.17. The Association Class CollectionHasLocalIKEIdentity
The class CollectionHasLocalIKEIdentity associates a Collection of The class CollectionHasLocalIKEIdentity associates a Collection of
IPProtocolEndpoint instances with a set of IKEIdentity instances that IPProtocolEndpoint instances with a set of IKEIdentity instances that
may be used in negotiating SAs for endpoints in the collection. An may be used in negotiating SAs for endpoints in the collection. An
IKEIdentity MUST be associated with either an IPProtocolEndpoint IKEIdentity MUST be associated with either an IPProtocolEndpoint
using the EndpointHasLocalIKEIdentity association or with a using the EndpointHasLocalIKEIdentity association or with a
collection of IKEIdentity instances using this association. The collection of IKEIdentity instances using this association. The
class definition for CollectionHasLocalIKEIdentity is as follows: class definition for CollectionHasLocalIKEIdentity is as follows:
NAME CollectionHasLocalIKEIdentity NAME CollectionHasLocalIKEIdentity
DESCRIPTION CollectionHasLocalIKEIdentity associates a collection of DESCRIPTION CollectionHasLocalIKEIdentity associates a collection
IPProtocolEndpoint instances with a set of IKEIdentity of IPProtocolEndpoint instances with a set of
instances. IKEIdentity instances.
DERIVED FROM ElementAsUser (see [CIMUSER]) DERIVED FROM ElementAsUser (see [CIMUSER])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref Collection [0..1]] PROPERTIES Antecedent [ref Collection [0..1]]
Dependent [ref IKEIdentity [0..n]] Dependent [ref IKEIdentity [0..n]]
8.17.1. The Reference Antecedent 8.17.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is The property Antecedent is inherited from ElementAsUser and is
overridden to refer to a Collection instance. The [0..1] cardinality overridden to refer to a Collection instance. The [0..1] cardinality
indicates that an IKEIdentity instance MUST be associated with at indicates that an IKEIdentity instance MUST be associated with at
most one Collection instance. most one Collection instance.
8.17.2. The Reference Dependent 8.17.2. The Reference Dependent
The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n] The property Dependent is inherited from ElementAsUser and is
cardinality indicates that a Collection instance may be associated overridden to refer to an IKEIdentity instance. The [0..n]
with zero or more IKEIdentity instances. cardinality indicates that a Collection instance may be associated
with zero or more IKEIdentity instances.
8.18. The Association Class IKEIdentitysCredential 8.18. The Association Class IKEIdentitysCredential
The class IKEIdentitysCredential is an association that relates a set The class IKEIdentitysCredential is an association that relates a set
of credentials to their corresponding local IKE Identities. The of credentials to their corresponding local IKE Identities. The
class definition for IKEIdentitysCredential is as follows: class definition for IKEIdentitysCredential is as follows:
NAME IKEIdentitysCredential NAME IKEIdentitysCredential
DESCRIPTION IKEIdentitysCredential associates a set of credentials DESCRIPTION IKEIdentitysCredential associates a set of
to their corresponding local IKEIdentity. credentials to their corresponding local IKEIdentity.
DERIVED FROM UsersCredential (see [CIMCORE]) DERIVED FROM UsersCredential (see [CIMCORE])
ABSTRACT FALSE ABSTRACT FALSE
PROPERTIES Antecedent [ref Credential [0..n]] PROPERTIES Antecedent [ref Credential [0..n]]
Dependent [ref IKEIdentity [0..n]] Dependent [ref IKEIdentity [0..n]]
8.18.1. The Reference Antecedent 8.18.1. The Reference Antecedent
The property Antecedent is inherited from UsersCredential and is The property Antecedent is inherited from UsersCredential and is
overridden to refer to a Credential instance. The [0..n] cardinality overridden to refer to a Credential instance. The [0..n] cardinality
indicates that IKEIdentity instance may be associated with zero or indicates that the IKEIdentity instance may be associated with zero
more Credential instances. or more Credential instances.
8.18.2. The Reference Dependent 8.18.2. The Reference Dependent
The property Dependent is inherited from UsersCredential and is The property Dependent is inherited from UsersCredential and is
overridden to refer to an IKEIdentity instance. The [0..n] overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that a Credential instance may be associated cardinality indicates that a Credential instance may be associated
with zero or more IKEIdentity instances. with zero or more IKEIdentity instances.
9. Implementation Requirements 9. Implementation Requirements
The following table specifies which classes, properties, associations The following table specifies which classes, properties, associations
and aggregations MUST or SHOULD or MAY be implemented. and aggregations MUST or SHOULD or MAY be implemented.
4. Policy Classes
4.1. The Class IPsecPolicyGroup...............................MUST
4.2. The Class SARule........................................MUST
4.2.1. The Property PolicyRuleName.............................MAY
4.2.1. The Property Enabled..................................MUST
4.2.1. The Property ConditionListType.........................MUST
4.2.1. The Property RuleUsage..................................MAY
4.2.1. The Property Mandatory..................................MAY
4.2.1. The Property SequencedActions..........................MUST
4.2.1. The Property PolicyRoles................................MAY
4.2.1. The Property PolicyDecisionStrategy.....................MAY
4.2.2 The Property ExecutionStrategy.........................MUST
4.2.3 The Property LimitNegotiation...........................MAY
4.3. The Class IKERule.......................................MUST
4.3.1. The Property IdentityContexts...........................MAY
4.4. The Class IPsecRule.....................................MUST
4.5. The Association Class IPsecPolicyForEndpoint..............MAY
4.5.1. The Reference Antecedent...............................MUST
4.5.2. The Reference Dependent................................MUST
4.6. The Association Class IPsecPolicyForSystem................MAY
4.6.1. The Reference Antecedent...............................MUST
4.6.2. The Reference Dependent................................MUST
4.7. The Aggregation Class SARuleInPolicyGroup................MUST
4.7.1. The Property Priority................................SHOULD
4.7.2. The Reference GroupComponent...........................MUST
4.7.3. The Reference PartComponent............................MUST
4.8. The Aggregation Class SAConditionInRule..................MUST
4.8.1. The Property GroupNumber.............................SHOULD
4.8.1. The Property ConditionNegated........................SHOULD
4.8.2. The Reference GroupComponent...........................MUST
4.8.3. The Reference PartComponent............................MUST
4.9. The Aggregation Class PolicyActionInSARule...............MUST
4.9.1. The Reference GroupComponent...........................MUST
4.9.2. The Reference PartComponent............................MUST
4.9.3. The Property ActionOrder.............................SHOULD
5. Condition and Filter Classes
5.1. The Class SACondition...................................MUST
5.2. The Class IPHeadersFilter..............................SHOULD
5.3. The Class CredentialFilterEntry...........................MAY
5.3.1. The Property MatchFieldName............................MUST
5.3.2. The Property MatchFieldValue...........................MUST
5.3.3. The Property CredentialType............................MUST
5.4. The Class IPSOFilterEntry.................................MAY
5.4.1. The Property MatchConditionType........................MUST
5.4.2. The Property MatchConditionValue.......................MUST
5.5. The Class PeerIDPayloadFilterEntry........................MAY
5.5.1. The Property MatchIdentityType.........................MUST
5.5.2. The Property MatchIdentityValue........................MUST
5.6. The Association Class FilterOfSACondition..............SHOULD
5.6.1. The Reference Antecedent...............................MUST
5.6.2. The Reference Dependent................................MUST
5.7. The Association Class AcceptCredentialFrom................MAY
5.7.1. The Reference Antecedent...............................MUST
5.7.2. The Reference Dependent................................MUST
6. Action Classes
6.1. The Class SAAction......................................MUST
6.1.1. The Property DoActionLogging............................MAY
6.1.2. The Property DoPacketLogging............................MAY
6.2. The Class SAStaticAction.................................MUST
6.2.1. The Property LifetimeSeconds...........................MUST
6.3. The Class IPsecBypassAction............................SHOULD
6.4. The Class IPsecDiscardAction...........................SHOULD
6.5. The Class IKERejectAction.................................MAY
6.6. The Class PreconfiguredSAAction..........................MUST
6.6.1. The Property LifetimeKilobytes.........................MUST
6.7. The Class PreconfiguredTransportAction...................MUST
6.8. The Class PreconfiguredTunnelAction......................MUST
6.8.1. The Property DFHandling................................MUST
6.9. The Class SANegotiationAction............................MUST
6.10. The Class IKENegotiationAction..........................MUST
6.10.1. The Property MinLifetimeSeconds........................MAY
6.10.2. The Property MinLifetimeKilobytes......................MAY
6.10.3. The Property IdleDurationSeconds.......................MAY 4. Policy Classes
6.11. The Class IPsecAction..................................MUST 4.1. The Class SARule..........................................MUST
6.11.1. The Property UsePFS..................................MUST 4.1.1. The Property PolicyRuleName..............................MAY
6.11.2. The Property UseIKEGroup...............................MAY 4.1.1. The Property Enabled....................................MUST
6.11.3. The Property GroupId..................................MUST 4.1.1. The Property ConditionListType..........................MUST
6.11.4. The Property Granularity............................SHOULD 4.1.1. The Property RuleUsage...................................MAY
6.11.5. The Property VendorID..................................MAY 4.1.1. The Property Mandatory...................................MAY
6.12. The Class IPsecTransportAction..........................MUST 4.1.1. The Property SequencedActions...........................MUST
6.13. The Class IPsecTunnelAction.............................MUST 4.1.1. The Property PolicyRoles.................................MAY
6.13.1. The Property DFHandling...............................MUST 4.1.1. The Property PolicyDecisionStrategy......................MAY
6.14. The Class IKEAction....................................MUST 4.1.2 The Property ExecutionStrategy..........................MUST
6.14.1. The Property ExchangeMode ...........................MUST 4.1.3 The Property LimitNegotiation............................MAY
6.14.2. The Property UseIKEIdentityType.......................MUST 4.2. The Class IKERule.........................................MUST
6.14.3. The Property VendorID..................................MAY 4.2.1. The Property IdentityContexts............................MAY
6.14.4. The Property AggressiveModeGroupId.....................MAY 4.3. The Class IPsecRule.......................................MUST
6.15. The Class PeerGateway..................................MUST 4.4. The Association Class IPsecPolicyForEndpoint...............MAY
6.15.1. The Property Name..................................SHOULD 4.4.1. The Reference Antecedent................................MUST
6.15.2. The Property PeerIdentityType.........................MUST 4.4.2. The Reference Dependent.................................MUST
6.15.3. The Property PeerIdentity.............................MUST 4.5. The Association Class IPsecPolicyForSystem.................MAY
6.16. The Association Class PeerGatewayForTunnel..............MUST 4.5.1. The Reference Antecedent................................MUST
6.16.1. The Reference Antecedent..............................MUST 4.5.2. The Reference Dependent.................................MUST
6.16.2. The Reference Dependent...............................MUST 4.6. The Aggregation Class SAConditionInRule...................MUST
6.16.3. The Property SequenceNumber.........................SHOULD 4.6.1. The Property GroupNumber..............................SHOULD
6.17. The Aggregation Class ContainedProposal.................MUST 4.6.1. The Property ConditionNegated.........................SHOULD
6.17.1. The Reference GroupComponent..........................MUST 4.6.2. The Reference GroupComponent............................MUST
6.17.2. The Reference PartComponent...........................MUST 4.6.3. The Reference PartComponent.............................MUST
6.17.3. The Property SequenceNumber...........................MUST 4.7. The Aggregation Class PolicyActionInSARule................MUST
6.18. The Association Class HostedPeerGatewayInformation.......MAY 4.7.1. The Reference GroupComponent............................MUST
6.18.1. The Reference Antecedent..............................MUST 4.7.2. The Reference PartComponent.............................MUST
6.18.2. The Reference Dependent...............................MUST 4.7.3. The Property ActionOrder..............................SHOULD
6.19. The Association Class TransformOfPreconfiguredAction....MUST 5. Condition and Filter Classes
6.19.1. The Reference Antecedent..............................MUST 5.1. The Class SACondition.....................................MUST
6.19.2. The Reference Dependent...............................MUST 5.2. The Class IPHeadersFilter...............................SHOULD
6.19.3. The Property SPI.....................................MUST 5.3. The Class CredentialFilterEntry............................MAY
6.19.4. The Property Direction................................MUST 5.3.1. The Property MatchFieldName.............................MUST
6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST 5.3.2. The Property MatchFieldValue............................MUST
6.20.1. The Reference Antecedent..............................MUST 5.3.3. The Property CredentialType.............................MUST
6.20.2. The Reference Dependent...............................MUST 5.4. The Class IPSOFilterEntry..................................MAY
7. Proposal and Transform Classes 5.4.1. The Property MatchConditionType.........................MUST
7.1. The Abstract Class SAProposal............................MUST 5.4.2. The Property MatchConditionValue........................MUST
7.1.1. The Property Name...................................SHOULD 5.5. The Class PeerIDPayloadFilterEntry.........................MAY
7.2. The Class IKEProposal...................................MUST 5.5.1. The Property MatchIdentityType..........................MUST
7.2.1. The Property CipherAlgorithm...........................MUST 5.5.2. The Property MatchIdentityValue.........................MUST
7.2.2. The Property HashAlgorithm.............................MUST 5.6. The Association Class FilterOfSACondition...............SHOULD
7.2.3. The Property PRFAlgorithm...............................MAY 5.6.1. The Reference Antecedent................................MUST
7.2.4. The Property GroupId..................................MUST 5.6.2. The Reference Dependent.................................MUST
7.2.5. The Property AuthenticationMethod......................MUST 5.7. The Association Class AcceptCredentialFrom.................MAY
7.2.6. The Property MaxLifetimeSeconds........................MUST 5.7.1. The Reference Antecedent................................MUST
7.2.7. The Property MaxLifetimeKilobytes......................MUST 5.7.2. The Reference Dependent.................................MUST
7.2.8. The Property VendorID...................................MAY 6. Action Classes
7.3. The Class IPsecProposal..................................MUST 6.1. The Class SAAction........................................MUST
7.4. The Abstract Class SATransform...........................MUST 6.1.1. The Property DoActionLogging.............................MAY
7.4.1. The Property TransformName...........................SHOULD 6.1.2. The Property DoPacketLogging.............................MAY
7.4.2. The Property VendorID...................................MAY 6.2. The Class SAStaticAction..................................MUST
7.4.3. The Property MaxLifetimeSeconds........................MUST 6.2.1. The Property LifetimeSeconds............................MUST
7.4.4. The Property MaxLifetimeKilobytes......................MUST 6.3. The Class IPsecBypassAction.............................SHOULD
7.5. The Class AHTransform...................................MUST 6.4. The Class IPsecDiscardAction............................SHOULD
7.5.1. The Property AHTransformId.............................MUST 6.5. The Class IKERejectAction..................................MAY
7.5.2. The Property UseReplayPrevention........................MAY 6.6. The Class PreconfiguredSAAction...........................MUST
7.5.3. The Property ReplayPreventionWindowSize.................MAY 6.6.1. The Property LifetimeKilobytes..........................MUST
7.6. The Class ESPTransform..................................MUST 6.7. The Class PreconfiguredTransportAction....................MUST
7.6.1. The Property IntegrityTransformId......................MUST 6.8. The Class PreconfiguredTunnelAction.......................MUST
7.6.2. The Property CipherTransformId.........................MUST 6.8.1. The Property DFHandling.................................MUST
7.6.3. The Property CipherKeyLength............................MAY 6.9. The Class SANegotiationAction.............................MUST
7.6.4. The Property CipherKeyRounds............................MAY 6.10. The Class IKENegotiationAction...........................MUST
7.6.5. The Property UseReplayPrevention........................MAY 6.10.1. The Property MinLifetimeSeconds.........................MAY
7.6.6. The Property ReplayPreventionWindowSize.................MAY 6.10.2. The Property MinLifetimeKilobytes.......................MAY
7.7. The Class IPCOMPTransform.................................MAY 6.10.3. The Property IdleDurationSeconds........................MAY
7.7.1. The Property Algorithm.................................MUST 6.11. The Class IPsecAction....................................MUST
7.7.2. The Property DictionarySize.............................MAY 6.11.1. The Property UsePFS....................................MUST
7.7.3. The Property PrivateAlgorithm...........................MAY 6.11.2. The Property UseIKEGroup................................MAY
7.8. The Association Class SAProposalInSystem..................MAY 6.11.3. The Property GroupId...................................MUST
7.8.1. The Reference Antecedent...............................MUST 6.11.4. The Property Granularity.............................SHOULD
7.8.2. The Reference Dependent................................MUST 6.11.5. The Property VendorID...................................MAY
7.9. The Aggregation Class ContainedTransform.................MUST 6.12. The Class IPsecTransportAction...........................MUST
7.9.1. The Reference GroupComponent...........................MUST 6.13. The Class IPsecTunnelAction..............................MUST
7.9.2. The Reference PartComponent............................MUST 6.13.1. The Property DFHandling................................MUST
7.9.3. The Property SequenceNumber............................MUST 6.14. The Class IKEAction......................................MUST
7.10. The Association Class SATransformInSystem................MAY 6.14.1. The Property ExchangeMode ............................MUST
7.10.1. The Reference Antecedent..............................MUST 6.14.2. The Property UseIKEIdentityType........................MUST
7.10.2. The Reference Dependent...............................MUST 6.14.3. The Property VendorID...................................MAY
8. IKE Service and Identity Classes 6.14.4. The Property AggressiveModeGroupId......................MAY
8.1. The Class IKEService.....................................MAY 6.15. The Class PeerGateway....................................MUST
8.2. The Class PeerIdentityTable...............................MAY 6.15.1. The Property Name....................................SHOULD
8.3.1. The Property Name...................................SHOULD 6.15.2. The Property PeerIdentityType..........................MUST
8.3. The Class PeerIdentityEntry...............................MAY 6.15.3. The Property PeerIdentity..............................MUST
8.3.1. The Property PeerIdentity............................SHOULD 6.16. The Association Class PeerGatewayForTunnel...............MUST
8.3.2. The Property PeerIdentityType........................SHOULD 6.16.1. The Reference Antecedent...............................MUST
8.3.3. The Property PeerAddress.............................SHOULD 6.16.2. The Reference Dependent................................MUST
8.3.4. The Property PeerAddressType.........................SHOULD 6.16.3. The Property SequenceNumber..........................SHOULD
8.4. The Class AutostartIKEConfiguration.......................MAY 6.17. The Aggregation Class ContainedProposal..................MUST
8.5. The Class AutostartIKESetting.............................MAY 6.17.1. The Reference GroupComponent...........................MUST
8.5.1. The Property Phase1Only.................................MAY 6.17.2. The Reference PartComponent............................MUST
8.5.2. The Property AddressType.............................SHOULD 6.17.3. The Property SequenceNumber............................MUST
8.5.3. The Property SourceAddress.............................MUST 6.18. The Association Class HostedPeerGatewayInformation........MAY
8.5.4. The Property SourcePort................................MUST 6.18.1. The Reference Antecedent...............................MUST
8.5.5. The Property DestinationAddress........................MUST 6.18.2. The Reference Dependent................................MUST
8.5.6. The Property DestinationPort...........................MUST 6.19. The Association Class TransformOfPreconfiguredAction.....MUST
8.5.7. The Property Protocol..................................MUST 6.19.1. The Reference Antecedent...............................MUST
8.6. The Class IKEIdentity....................................MAY 6.19.2. The Reference Dependent................................MUST
8.6.1. The Property IdentityType..............................MUST 6.19.3. The Property SPI.......................................MUST
8.6.2. The Property IdentityValue.............................MUST 6.19.4. The Property Direction.................................MUST
8.6.3. The Property IdentityContexts...........................MAY 6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
8.7. The Association Class HostedPeerIdentityTable.............MAY 6.20.1. The Reference Antecedent...............................MUST
8.7.1. The Reference Antecedent...............................MUST 6.20.2. The Reference Dependent................................MUST
8.7.2. The Reference Dependent................................MUST 7. Proposal and Transform Classes
8.8. The Aggregation Class PeerIdentityMember..................MAY 7.1. The Abstract Class SAProposal.............................MUST
8.8.1. The Reference Collection...............................MUST 7.1.1. The Property Name.....................................SHOULD
8.8.2. The Reference Member..................................MUST 7.2 The Class IKEProposal......................................MUST
8.9. The Association Class IKEServicePeerGateway...............MAY 7.2.1. The Property CipherAlgorithm............................MUST
8.9.1. The Reference Antecedent...............................MUST 7.2.2. The Property HashAlgorithm..............................MUST
8.9.2. The Reference Dependent................................MUST 7.2.3. The Property PRFAlgorithm................................MAY
8.10. The Association Class IKEServicePeerIdentityTable........MAY 7.2.4. The Property GroupId....................................MUST
8.10.1. The Reference Antecedent..............................MUST 7.2.5. The Property AuthenticationMethod.......................MUST
8.10.2. The Reference Dependent...............................MUST 7.2.6. The Property MaxLifetimeSeconds.........................MUST
8.11. The Association Class IKEAutostartSetting................MAY 7.2.7. The Property MaxLifetimeKilobytes.......................MUST
8.11.1. The Reference Element.................................MUST 7.2.8. The Property VendorID....................................MAY
8.11.2. The Reference Setting.................................MUST 7.3. The Class IPsecProposal...................................MUST
8.12. The Aggregation Class AutostartIKESettingContext.........MAY 7.4. The Abstract Class SATransform............................MUST
8.12.1. The Reference Context.................................MUST 7.4.1. The Property TransformName............................SHOULD
8.12.2. The Reference Setting.................................MUST 7.4.2. The Property VendorID....................................MAY
8.12.3. The Property SequenceNumber.........................SHOULD 7.4.3. The Property MaxLifetimeSeconds.........................MUST
8.13. The Association Class IKEServiceForEndpoint..............MAY 7.4.4. The Property MaxLifetimeKilobytes.......................MUST
8.13.1. The Reference Antecedent..............................MUST 7.5. The Class AHTransform.....................................MUST
8.13.2. The Reference Dependent...............................MUST 7.5.1. The Property AHTransformId..............................MUST
8.14. The Association Class IKEAutostartConfiguration..........MAY 7.5.2. The Property UseReplayPrevention.........................MAY
8.14.1. The Reference Antecedent..............................MUST 7.5.3. The Property ReplayPreventionWindowSize..................MAY
8.14.2. The Reference Dependent...............................MUST 7.6. The Class ESPTransform....................................MUST
8.14.3. The Property Active................................SHOULD 7.6.1. The Property IntegrityTransformId.......................MUST
8.15. The Association Class IKEUsesCredentialManagementService..MAY 7.6.2. The Property CipherTransformId..........................MUST
8.15.1. The Reference Antecedent..............................MUST 7.6.3. The Property CipherKeyLength.............................MAY
8.15.2. The Reference Dependent...............................MUST 7.6.4. The Property CipherKeyRounds.............................MAY
8.16. The Association Class EndpointHasLocalIKEIdentity........MAY 7.6.5. The Property UseReplayPrevention.........................MAY
8.16.1. The Reference Antecedent..............................MUST 7.6.6. The Property ReplayPreventionWindowSize..................MAY
8.16.2. The Reference Dependent...............................MUST 7.7. The Class IPCOMPTransform..................................MAY
8.17. The Association Class CollectionHasLocalIKEIdentity......MAY 7.7.1. The Property Algorithm..................................MUST
8.17.1. The Reference Antecedent..............................MUST 7.7.2. The Property DictionarySize..............................MAY
8.17.2. The Reference Dependent...............................MUST 7.7.3. The Property PrivateAlgorithm............................MAY
8.18. The Association Class IKEIdentitysCredential.............MAY 7.8. The Association Class SAProposalInSystem...................MAY
8.18.1. The Reference Antecedent..............................MUST 7.8.1. The Reference Antecedent................................MUST
8.18.2. The Reference Dependent...............................MUST 7.8.2. The Reference Dependent.................................MUST
7.9. The Aggregation Class ContainedTransform..................MUST
7.9.1. The Reference GroupComponent............................MUST
7.9.2. The Reference PartComponent.............................MUST
7.9.3. The Property SequenceNumber.............................MUST
7.10. The Association Class SATransformInSystem.................MAY
7.10.1. The Reference Antecedent...............................MUST
7.10.2. The Reference Dependent................................MUST
8. IKE Service and Identity Classes
8.1. The Class IKEService.......................................MAY
8.2. The Class PeerIdentityTable................................MAY
8.3.1. The Property Name.....................................SHOULD
8.3. The Class PeerIdentityEntry................................MAY
8.3.1. The Property PeerIdentity.............................SHOULD
8.3.2. The Property PeerIdentityType.........................SHOULD
8.3.3. The Property PeerAddress..............................SHOULD
8.3.4. The Property PeerAddressType..........................SHOULD
8.4. The Class AutostartIKEConfiguration........................MAY
8.5. The Class AutostartIKESetting..............................MAY
8.5.1. The Property Phase1Only..................................MAY
8.5.2. The Property AddressType..............................SHOULD
8.5.3. The Property SourceAddress..............................MUST
8.5.4. The Property SourcePort.................................MUST
8.5.5. The Property DestinationAddress.........................MUST
8.5.6. The Property DestinationPort............................MUST
8.5.7. The Property Protocol...................................MUST
8.6. The Class IKEIdentity......................................MAY
8.6.1. The Property IdentityType...............................MUST
8.6.2. The Property IdentityValue..............................MUST
8.6.3. The Property IdentityContexts............................MAY
8.7. The Association Class HostedPeerIdentityTable..............MAY
8.7.1. The Reference Antecedent................................MUST
8.7.2. The Reference Dependent.................................MUST
8.8. The Aggregation Class PeerIdentityMember...................MAY
8.8.1. The Reference Collection................................MUST
8.8.2. The Reference Member....................................MUST
8.9. The Association Class IKEServicePeerGateway................MAY
8.9.1. The Reference Antecedent................................MUST
8.9.2. The Reference Dependent.................................MUST
8.10. The Association Class IKEServicePeerIdentityTable.........MAY
8.10.1. The Reference Antecedent...............................MUST
8.10.2. The Reference Dependent................................MUST
8.11. The Association Class IKEAutostartSetting.................MAY
8.11.1. The Reference Element..................................MUST
8.11.2. The Reference Setting..................................MUST
8.12. The Aggregation Class AutostartIKESettingContext..........MAY
8.12.1. The Reference Context..................................MUST
8.12.2. The Reference Setting..................................MUST
8.12.3. The Property SequenceNumber..........................SHOULD
8.13. The Association Class IKEServiceForEndpoint...............MAY
8.13.1. The Reference Antecedent...............................MUST
8.13.2. The Reference Dependent................................MUST
8.14. The Association Class IKEAutostartConfiguration...........MAY
8.14.1. The Reference Antecedent...............................MUST
8.14.2. The Reference Dependent................................MUST
8.14.3. The Property Active..................................SHOULD
8.15. The Association Class IKEUsesCredentialManagementService..MAY
8.15.1. The Reference Antecedent...............................MUST
8.15.2. The Reference Dependent................................MUST
8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY
8.16.1. The Reference Antecedent...............................MUST
8.16.2. The Reference Dependent................................MUST
8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY
8.17.1. The Reference Antecedent...............................MUST
8.17.2. The Reference Dependent................................MUST
8.18. The Association Class IKEIdentitysCredential..............MAY
8.18.1. The Reference Antecedent...............................MUST
8.18.2. The Reference Dependent................................MUST
10. Security Considerations 10. Security Considerations
This document describes a schema for IPsec policy. It does not This document only describes an information model for IPsec policy.
detail security requirements for storage or delivery of said schema. It does not detail security requirements for storage or delivery of
Storage and delivery security requirements should be detailed in a said information.
comprehensive security policy architecture document.
11. Intellectual Property Physical models derived from this information model MUST implement
the relevant security for storage and delivery. Most of the classes
(e.g., IpHeadersFilter, SAAction,...) MUST at least provided the
integrity service; other pieces of information MUST also receive the
confidentiality service (e.g., SharedSecret as described in the