view Side-By-Side changes
Date: Tue, 09 Apr 2002 04:24:30 GMT Server: Apache/1.3.20 (Unix) Last-Modified: Tue, 14 Mar 2000 15:43:00 GMT ETag: "2f54da-10f39-38ce5e04" Accept-Ranges: bytes Content-Length: 69433 Connection: close Content-Type: text/plain Internet Engineering Task Force Jamie Jason INTERNET DRAFT IntelCoroporation 9-March-2000Corporation 11-July-2000 IPsec Configuration Policy Modeldraft-ietf-ipsp-config-policy-model-00.txtdraft-ietf-ipsp-config-policy-model-01.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Abstract This document presents an object-oriented model oflow-levelIPsec policy designed to: o facilitate agreement about the content and semantics of IPsec policy o enable derivations of task-specific representations of IPsec policy such as storage schema, distribution representations, and policy specification languages used to configure IPsec- enabled endpoints The schema described in this document models the IKE phase one parameters as described in[1][IKE] and the IKE phase two parameters for the IPsec Domain of Interpretation as described in[2, 3, 4, 5].[COMP, ESP, AH, DOI]. It is based upon the core policy classes as defined in the Policy Core Information Model (PCIM) [PCIM]. Jason [Page 1] Internet Draft IPsec Configuration Policy ModelMarchJuly 2000 Table of Contents Status of this Memo................................................1 Abstract...........................................................1 Table of Contents..................................................2 1.Introduction....................................................4Introduction....................................................5 2. UMLConventions.................................................4Conventions.................................................5 3.Endpoint Classes................................................6 3.1.IPsec Policy Model Inheritance Heirarchy........................6 4. Policy Classes..................................................9 4.1. The ClassEndpoint............................................6 3.2.IPsecPolicyGroup....................................9 4.1.1. The Property IKERuleOverridePoint..........................10 4.1.2. The Property IPsecRuleOverridePoint........................10 4.2. The ClassFQDNEndpoint........................................6 3.3.SARule.............................................11 4.3. The ClassIPv4Endpoint........................................6 3.4.IKERule............................................11 4.4. The ClassIPv6Endpoint........................................7 4. IPsec Policy Classes............................................8 4.1.IPsecRule..........................................11 4.5. The Aggregation ClassIPsecPolicyList.....................................9 4.2.IPsecPolicyGroupInPolicyGroup..........12 4.5.1. The Reference ContainingGroup..............................12 4.5.2. The Reference ContainedGroup...............................12 4.5.3. The Property Precedence....................................12 4.6. The Composition ClassIPsecPolicy.........................................9 4.3.RuleForIKENegotiation..................12 4.6.1. The Reference ContainingGroup..............................13 4.6.2. The Reference ContainedRule................................13 4.7. The Composition ClassIPInterface.........................................9 5. IPsec Rule Classes.............................................10 5.1.RuleForIPsecNegotiation................13 4.7.1. The Reference ContainingGroup..............................13 4.7.2. The Reference ContainedRule................................13 4.8. The Aggregation ClassSecurityAssociationRule............................10 6. IPSec Condition Classes........................................11 6.1.SAConditionInRule......................14 4.8.1. The Reference ContainingRule...............................14 4.8.2. The Reference ContainedCondition...........................14 4.8.3. The Property SequenceNumber................................14 4.9. The Aggregation ClassSecurityAssociationCondition.......................11 6.2.SAActionInRule.........................14 4.9.1. The Reference ContainingRule...............................15 4.9.2. The Reference ContainedAction..............................15 4.10. The Aggregation ClassSecurityAssociationConditionExpression.............12 7. IPSecFallbackSAActionInRule................15 4.10.1. The Reference ContainingRule..............................15 4.10.2. The Reference ContainedAction.............................15 4.10.3. The Property SequenceNumber...............................16 5. Condition and FilterClasses...........................................13 7.1.Classes...................................17 5.1. The ClassSecurityAssociationFilter..........................13 7.2.SACondition........................................18 5.1.1. TheClass PortFilter.........................................14 7.3.Property StartupCondition..............................18 5.2. The ClassPortRangeFilter....................................14 7.4.FilterList.........................................18 5.2.1. The Property Name..........................................19 5.2.2. The Property Direction.....................................19 5.3. The Abstract ClassProtocolFilter.....................................14 7.5.FilterEntryBase...........................19 5.3.1. The Property Name..........................................19 5.3.2. The Property IsNegated.....................................19 5.4. The Abstract ClassAddressFilter......................................15 7.6.IPFilterEntry.............................20 5.5. The Abstract ClassEndpointFilter.....................................15 7.7.EndpointFilterEntry.......................20 5.5.1. The Property ApplyToDestination............................20 5.6. The ClassIPv4RangeFilter....................................15 7.8.IPv4AddressFilterEntry.............................20 5.6.1. The Property Address.......................................21 5.7. The ClassIPv6RangeFilter....................................16 8. IKE andIPv4RangeFilterEntry...............................21 5.7.1. The Property StartAddress..................................21 5.7.2. The Property EndAddress....................................21 Jason Expires January 2001 [Page 2] Internet Draft IPsecAction Classes...................................17 8.1.Configuration Policy Model July 2000 5.8. The Class IPv4SubnetFilterEntry..............................21 5.8.1. The Property Address.......................................22 5.8.2. The Property Mask..........................................22 5.9. The Class IPv6AddressFilterEntry.............................22 5.9.1. The Property Address.......................................22 5.10. The ClassSecurityAssociationAction..........................18 8.2.IPv6RangeFilterEntry..............................22 5.10.1. The Property StartAddress.................................23 5.10.2. The Property EndAddress...................................23 5.11. The ClassIKEAction..........................................19 8.3.IPv6SubnetFilterEntry.............................23 5.11.1. The Property Address......................................23 5.11.2. The Property Mask.........................................24 5.12. The ClassIPsecAction........................................20 8.4.FQDNFilterEntry...................................24 5.12.1. The Property Name.........................................24 5.13. The ClassIPsecTransportAction...............................20 8.5.ProtocolFilterEntry...............................24 5.13.1. The Property Protocol.....................................24 5.14. The ClassIPsecTunnelAction..................................21 8.6.UDPFilterEntry....................................25 5.14.1. The Property StartPort....................................25 5.14.2. The Property EndPort......................................25 5.15. The ClassIPsecBypassAction..................................21 8.6.TCPFilterEntry....................................25 5.15.1. The Property StartPort....................................26 5.15.2. The Property EndPort......................................26 5.16. The Abstract ClassIPsecDiscardAction.................................21 9. IKE and IPsec Proposal Classes.................................21 9.1.IPSOFilterEntry..........................26 5.17. The ClassSecurityAssociationProposal........................22 9.2.ClassificationLevelFilterEntry....................26 5.17.1. The Property Level........................................26 5.18. The ClassIKEProposal........................................22 9.3.ProtectionAuthorityFilterEntry....................27 5.18.1. The Property Authority....................................27 5.19. The ClassIPsecProposal......................................23 9.4.CredentialFilterEntry.............................27 5.20. The Aggregation ClassIPsecTransform.....................................24 9.5.FilterOfSACondition...................27 5.20.1. The Reference Antecedent..................................28 5.20.2. The Reference Dependent...................................28 5.21. The Composition ClassESPTransform.......................................24 9.6.EntriesInFilterList...................28 5.21.1. The Reference Antecedent..................................28 5.21.2. The Reference Dependent...................................28 5.21.3. The Property EntrySequence................................29 6. Action Classes.................................................30 6.1. The ClassAHTransform........................................25 9.7.SAAction...........................................30 6.2. The ClassIPCompTransform....................................25 10. Diffie-Hellman Classes........................................26 10.1.SAStaticAction.....................................30 6.2.1. The Property LifetimeSeconds...............................31 6.3. The ClassDiffieHellmanGroup................................27 10.2.IPsecBypassAction..................................31 6.4. The ClassNewGroupInfo......................................27 10.3.IPsecDiscardAction.................................31 6.4.1. The Property DoLogging.....................................32 6.5. The ClassNewMODPGroupInfo..................................27 10.4.IKERejectAction....................................32 6.5.1. The Property DoLogging.....................................32 6.6. The ClassNewECGroupInfo....................................27 10.5.SAPreconfiguredAction..............................32 6.7. The ClassNewEC2NGroupInfo..................................28 10.6.SANegotiationAction................................33 6.7.1. The Property MinLifetimeSeconds............................33 6.7.2. The Property MinLifetimeKilobytes..........................33 6.7.3. The Property RefreshThresholdSeconds.......................34 6.7.4. The Property RefreshThresholdKilobytes.....................34 6.7.5. The Property IdleDurationSeconds...........................34 6.8. The ClassNewECPGroupInfo...................................28 Jason Expires September 2000 [Page 2] Internet Draft IPsec Configuration Policy Model March 2000 11. Security Considerations.......................................28 12. Intellectual Property.........................................28 13. Acknowledgments...............................................29 14. References....................................................29 15. Disclaimer....................................................30 16. Author's Address..............................................30 17. Full Copyright Statement......................................30IPsecAction........................................35 6.8.1. The Property UsePFS........................................35 6.8.2. The Property UseIKEGroup...................................35 Jason ExpiresSeptember 2000January 2001 [Page 3] Internet Draft IPsec Configuration Policy ModelMarchJuly 20001. Introduction Internet Protocol security (IPsec) policy may assume a variety of forms as it travels from storage to distribution point to decision point. At each step, it needs to be represented in a way that is convenient for the current task. For example, the6.8.3. The Property GroupId.......................................35 6.8.4. The Property Granularity...................................36 6.9. The Class IPsecTransportAction...............................36 6.10. The Class IPsecTunnelAction.................................36 6.10.1. The Property PeerGateway..................................37 6.10.2. The Property DFHandling...................................37 6.11. The Class IKEAction.........................................37 6.11.1. The Property RefreshThresholdDerivedKeys..................37 6.11.2. The Property ExchangeMode.................................38 6.11.3. The Property UseIKEIdentityType...........................38 6.12. The Aggregation Class ContainedProposal.....................38 6.12.1. The Reference GroupComponent..............................39 6.12.2. The Reference PartComponent...............................39 6.12.3. The Property SequenceNumber...............................39 7. Proposal and Transform Classes.................................40 7.1. The Abstract Class SAProposal................................40 7.1.1. The Property Name..........................................40 7.1.2. The Property MaxLifetimeSeconds............................41 7.1.3. The Property MaxLifetimeKilobytes..........................41 7.2. The Class IKEProposal........................................41 7.2.1. The Property LifetimeDerivedKeys...........................41 7.2.2. The Property CipherAlgorithm...............................42 7.2.3. The Property HashAlgorithm.................................42 7.2.4. The Property PRFAlgorithm..................................42 7.2.5. The Property GroupId.......................................43 7.2.6. The Property AuthenticationMethod..........................43 7.3. The Class IPsecProposal......................................43 7.4. The Abstract Class SATransform...............................44 7.4.1. The Property Name..........................................44 7.4.1. The Property VendorID......................................44 7.5. The Class AHTransform........................................44 7.5.1. The Property AHTransformId.................................44 7.6. The Class ESPTransform.......................................45 7.6.1. The Property IntegrityTransformId..........................45 7.6.2. The Property CipherTransformId.............................45 7.6.3. The Property CipherKeyLength...............................46 7.6.4. The Property CipherKeyRounds...............................46 7.7. The Class IPCOMPTransform....................................46 7.7.1. The Property Algorithm.....................................46 7.7.2. The Property DictionarySize................................47 7.7.3. The Property PrivateAlgorithm..............................47 7.8. The Aggregation Class ContainedTransform.....................47 7.8.1. The Reference GroupComponent...............................48 7.8.2. The Reference PartComponent................................48 7.8.3. The Property SequenceNumber................................48 8. Security Considerations........................................48 9. Intellectual Property..........................................48 10. Acknowledgments...............................................49 11. References....................................................49 12. Disclaimer....................................................50 13. Author's Address..............................................50 14. Full Copyright Statement......................................50 Jason Expires January 2001 [Page 4] Internet Draft IPsec Configuration Policy Model July 2000 1. Introduction Internet Protocol security (IPsec) policy may assume a variety of forms as it travels from storage to distribution point to decision point. At each step, it needs to be represented in a way that is convenient for the current task. For example, the policy could exist as, but is not limited to: o a Lightweight Directory Access Protocol (LDAP)[6][LDAP] schema in a directory o an on-the-wire representation over a transport protocol like the Common Object Policy Service (COPS)[7][COPS, COPSPR] o a text-based policy specification language[8][SPSL] suitable for editing by an administrator o an Extensible Markup Language (XML) document Each of these task-specific representations should be derived from a canonical representation that precisely specifies the content and semantics of the IPsec policy. The purpose of this document is to abstract IPsec policy into a task-independent representation that is not constrained by any particular task-dependent representation. This document is organized as follows: o Section 2 provides a quick introduction to the Unified Modeling Language (UML) graphical notation conventions used in this document. o Section 3definesprovides theendpoint class, a utility class that is used as a building block for other classes. o Section 4 definesinheritance hierarchy which describes where the IPsec policyand associated classes. o Section 5 defines the rule class. o Section 6 definesclasses fit into thecondition and condition expression classes.policy class hierarchy already defined by PCIM. oSection 7 definesThe remainder of thefilter classes. o Section 8 definesdocument describes theIKE and IPsec action classes. o Section 9 definesclasses which make up theIKE andIPsecproposal classes. o Section 10 defines the Diffie-Hellman group class.policy model. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in[9].[KEYWORDS]. 2. UML ConventionsJason Expires September 2000 [Page 4] Internet Draft IPsec Configuration Policy Model March 2000For this document, a UML static class diagram was chosen as the canonical representation for the IPsec policy model. The reason behind this decision is that UML provides atask-independentgraphical, task- independent way to model systems. A treatise on the graphical notation used in UML is beyond the scope of this paper. However, given the use of ASCII drawing for UML static class diagrams, a description of the notational conventions used in this document is in order: o Boxes represent classes, with class names in brackets ([]) representing a virtual class.For example, inJason Expires January 2001 [Page 5] Internet Draft IPsec Configuration Policy Model July 2000 o A line that terminates with an arrow (<, >, ^, v) denotes inheritance. The arrow always points to theaction classes diagram, IKEActionparent class. Inheritance can also be called generalization or specialization (depending upon the reference point). A base class is aconcretegeneralization of a derived class, and a derived classwhile SecurityAssociationActionis avirtualspecialization of a base class. o Associations are used model a relationship between two classes. Classes that share an association are connected using a line. There are two special kinds of associations - aggregations and compositions. Both model a whole-part relationship between two classes. Associations, and therefore aggregations and compositions, can also be modeled as classes. o A line thatterminatesbegins with a "o" denotes aggregation. Aggregation denotesclasses with independent lifetimes. An aggregated object exists independently of the object that references it. For example,containment in which theaction classes diagram a SecurityAssocationProposal object exists independently ofcontained class and theSecurityAssociationAction object which references it.containing class have independent lifetimes. o A line thatterminatesbegins with an "x" denotes composition. Composition denotesclasses with coincident lifetimes. This implies that the lifetime ofcontainment in which the containedobject is the same asclass and theobject that contains it.contianing class have coincident lifetimes. o Next to a line representing an association appears a multiplicity. Multiplicities indicate the number of objectscontained (or referenced) as well asin thenumber of object that can contain (or reference) a particular object.relationship. The multiplicity may be: - a range in the form "lower bound..upper bound" indicating the minimum and maximum number of objects.For example, in the action classes diagram, an IPsecAction may contain either 0 or 1 DiffieHellmanGroup objects(essentially noting that the DiffieHellmanGroup is optional).- a number that indicates the exact number of objects.For example, in the proposal classes diagram, an IKEProposal has 1 and only 1 DiffieHellmanGroup. Using a number is equivalent to number..number.- an asterisk indicating any number of objects, including zero.For example, in the action classes diagram, a SecurityAssociationProposal object may be referenced by 0 to n SecurityAssociationAction objects.Using an asterisk isequivalent toshorthand for 0..n. - the letter n indicating from 1 to many.For example, in the action classes diagram, a SecurityAssociationAction references 1 to many SecurityAssociationProposals.Using the letter n isequivalent toshorthand for 1..n.o A line that terminates with an arrow (<, , ^, v) denotes generalization (inheritance) with the arrow pointing to the parent class. For example, in the action classes diagram the SecurityAssociationAction class is a generalization of the IKEAction class (or said another way, the IKEAction class derives from the SecurityAssociationAction class). o Occasionally there may be some text, or a reference to some text, enclosed by braces ({}). This indicates a constraint. Constraints are used to constrain the meaning of diagram so that Jason Expires September 2000 [Page 5] Internet Draft IPsec Configuration Policy Model March 2000 a diagram does not provide the ability to define something that does not make sense. For example, in the action classes diagram there is a constraint placed upon the DiffieHellmanGroup class such that it is only used if the IPsecAction specifies the user of Perfect Forward Secrecy. It should be notedIt should be noted that the UML static class diagram presented is a conceptual view of IPsec policy designed to aid in understanding. It does not necessarily get translated class for class into another representation. For example, an LDAP implementation may flatten out the representation to fewer classes (because of the inefficiency of following references). 3.Endpoint Classes An endpoint is an abstraction used to represent an IP address or hostname. This class is used as a building block in further classes. +----------+IPsec Policy Model Inheritance Heirarchy The following diagram represents the inheritance hierarchy and how the IPsec policy model classes fit into PCIM. [unrooted] | +--Policy (PCIM) ||[Endpoint]|| |+----------+ ^+--PolicyGroup (PCIM) |+---------------------------+--------------------------+| | |+------------+ +------------+ +------------+| +--IPsecPolicyGroup (new class) | | | +--PolicyRule (PCIM) | ||FQDNEndpoint| |IPv4Endpoint| |IPv6Endpoint|| | | +--SARule (new abstract class) | | |+------------+ +------------+ +------------+ 3.1. The Class Endpoint The Endpoint class is used as an abstract base class from which concrete endpoint classes are expected to derive from. 3.2. The Class FQDNEndpoint The FQDNEndpoint class is used to represent endpoints that can be expressed using a DNS name. It contains the following attribute: NAME name DESCRIPTION Either a fully-qualified or wild-carded (partially or fully) domain name. TYPE string VALUE MAY either be fully-qualified (for example, runner.jf.intel.com) or wild-carded (for example, *.intel.com). 3.3. The Class IPv4EndpointJason ExpiresSeptember 2000January 2001 [Page 6] Internet Draft IPsec Configuration Policy ModelMarchJuly 2000The IPv4Endpoint class is used to represent endpoints that can be expressed using an IPv4 address. It contains the following attribute: NAME address DESCRIPTION The IPv4 address. TYPE unsigned 32-bit integer VALUE 0x00000000 (i.e., 0.0.0.0) - used to specify any IP address (i.e., a totally wild-carded address or "*"). Any other value specifies an IPv4 address. 3.4. The Class IPv6Endpoint The IPv6Endpoint class is used to represent endpoints that can be expressed using an IPv6 address. It contains the following attribute: NAME address DESCRIPTION The IPv6 address. TYPE octet[16] VALUE all zero's (i.e., 0:0:0:0:0:0:0:0) - used to specify any IP address (i.e., a totally wild-carded address or "*"). Any other value specifies an IPv6 address.| | +--IKERule (new class) | | | | | +--IPsecRule (new class) | | | +--PolicyCondition (PCIM) | | | | | +--SACondition (new class) | | | +--PolicyAction (PCIM) | | | +--SAAction (new abstract class) | | | +--SAStaticAction (new abstract class) | | | | | +--IPsecBypassAction (new class) | | | | | +--IPsecDiscardAction (new class) | | | | | +--IKERejectAction (new class) | | | | | +--SAPreconfiguredAction (new class) | | | +--SANegotiationAction (new abstract class) | | | +--IPsecAction (new abstract class) | | | | | +--IPsecTransportAction (new class) | | | | | +--IPsecTunnelAction (new class) | | | +--IKEAction (new abstract class) | +--FilterList | +--FilterEntryBase | | | +--IPFilterEntry (new abstract class) | | | | | +--EndpointFilterEntry (new abstract class) | | | | | | | +--IPv4AddressFilterEntry (new class) | | | | | | | +--IPv4RangeFilterEntry (new class) | | | | | | | +--IPv4SubnetFilterEntry (new class) | | | | | | | +--IPv6AddressFilterEntry (new class) | | | | | | | +--IPv6RangeFilterEntry (new class) | | | | | | | +--IPv6SubnetFilterEntry (new class) | | | | | | | +--FQDNFilterEntry (new class) Jason ExpiresSeptember 2000January 2001 [Page 7] Internet Draft IPsec Configuration Policy ModelMarchJuly 20004. IPsec Policy Classes The IPsec policy classes represent the set of policies that are contained on a system. In addition, they indicate the active policies as well as associate a policy with a particular interface on a system +---------------+| ||IPsecPolicyList|| |+---------------+ * o | (a)| | * | +-----------+ +-----------+ | |* (b) *|||IPsecPolicy|o-----------|IPInterface|+--PortFilterEntry (new class) | |{1}| |+-----------+ +-----------+ 1 x x 1 1 x| +--ProtocolFilterEntry (new class) | |(c)|{2} {3}|(d) (e)|{4}| +--IPSOFilterEntry (new class) | |*| +--CredentialFilterEntry (new class) |* 1+--SAProposal (new abstract class) |+----------------------+ +----------+| | +--IKEProposal (new class) | ||SecurityAssocationRule| |[Endpoint]|| +--IPsecProposal (new class) | +--SATransform (new abstract class) || +----------------------+ +----------+ (a) Policies (b) TargetedInterface (c) IKERules (d) IPsecRules (e) Identity {1} 1. If the policy is marked as enabled, then+--AHTransform (new class) | +--ESPTransform (new class) | +--IPCOMPTransform (new class) The following diagram represents theIPsecPolicy object MUST reference an IPInterface object. 2. For each interface, there is only one IPsec policy marked as enabled. {2} IKE rules are orderedinheritance hierarchy andare considered logically ORed. Rule search will stop once a rule that matcheshow theinput criteria is found. {3}IPsecrules are ordered and are considered logically ORed. Rule search will stop once a rule that matches the input criteria is found. {4} If the endpoint type is an FQDN, then the DNS name MUST be fully-qualifed (i.e., no wild-card values allowed). If the endpoint type is an IPv4 or IPv6 address, then the address value MUST NOT be the wild-card address.policy model association classes fit into PCIM. [unrooted] | +--PolicyGroupInPolicyGroup (PCIM) | | | +--IPsecPolicyGroupInPolicyGroup (new class) | +--PolicyConditionInPolicyRule (PCIM) | | | +--SAConditionInRule (new class) | +--FallbackSAActionInRule (new class) | +--EntriesInFilterList (new class) | +--ContainedProposal (new class) | +--IPsecContainedTransform (new class) Jason ExpiresSeptember 2000January 2001 [Page 8] Internet Draft IPsec Configuration Policy ModelMarchJuly 2000 4. Policy Classes The IPsec policy classes represent the set of policies that are contained on a system. (a) +------+ | |* | *+------------------+ +---o| IPsecPolicyGroup | +------------------+ 1 x x 1 (b) | | (c) +-----------------------+ +---------------------+ | | | +---------------------------+ | | | PolicyTimePeriodCondition | | | | (defined in [PCIM]) | | | +---------------------------+ | | *| | | | (d) | | *o | | +-------------+* *+--------+* 1+----------+ | | | SACondition |------o| SARule |o-------| SAAction | | | +-------------+ (e) +--------+ (f) +----------+ | | ^ |* | | | +------+ | | +--------+--------+ | (g) | | | | *o | | *+---------+ +-----------+* | +---------------| IKERule | | IPsecRule |------------+ +---------+ +-----------+ (a) IPsecPolicyGroupInPolicyGroup (b) RuleForIKENegotiation (c) RuleForIPsecNegotiation (d) PolicyRuleValidityPeriod (defined in [PCIM]) (e) SAConditionInRule (f) SAActionInRule (g) FallbackSAActionInRule 4.1. The ClassIPsecPolicyListIPsecPolicyGroup TheIPsecPolicyListclassisIPsecPolicyGroup serves as a containerfor allofthe policies on a particular system. It contains the following reference: NAME Policies DESCRIPTION The policies installed oneither other IPsecPolicyGroups or aparticular system. Note that there isset of IKERules and adistinction betweenset of IPsecRules. Rules contained within an IPsecPolicyGroup MUST have apolicy being installed onunique Priority value. The class definition for IPsecPolicyGroup is as follows: NAME IPsecPolicyGroup DESCRIPTION Either asystemset of IPsecPolicyGroups or a set of IKERules andactually being actively enforceda set of IPsecRules. Jason Expires January 2001 [Page 9] Internet Draft IPsec Configuration Policy Model July 2000 DERIVED FROM PolicyGroup (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyGroupName (from PolicyGroup) IKERuleOverridePoint IPsecRuleOverridePoint NOTE: for derivations of theIPsecPolicy class). Note: an IPsecPolicyList MAY contain no policies. Additionally, a policy MAY be defined which is not in any policy list. The latter case is only relevantschema that are used fora management station - in other words,policy distribution to an IPsec device (for example, COPS-PR), the server may follow all of IPsecPolicyGroupInPolicyGroup associations and create one policyhas been created but it has not yet been targeted to a system. 4.2. The Class IPsecPolicy The IPsecPolicy classgroup which is simply acontainer forset of all of the IKE rulesused to enforce the policy. It contains the following attribute/references: NAME enabled DESCRIPTION Indicates whether or not the policy is enabled (i.e., is actively being enforced). As stated inand a set of all of theconstraint {1}, ifIPsec rules. See thepolicy is enabled, it MUST be associated with a particular interfacesection on thesystem. This allowsIPsecPolicyGroupInPolicyGroup aggregation fordifferent policies to be enforcedinformation ondifferent interfaces. TYPE boolean VALUE true - policy is currently enabled false - policy is currently disabled NAME TargetedInterface DESCRIPTIONmerging multiple IPsecPolicyGroups. 4.1.1. Theinterface onProperty IKERuleOverridePoint This property specifies thesystem forrule priority at whichthisthe policy author is willing tobe enforced. As stated inallow IKERule insertions by a local administrator. For example, the IT department may define theconstraint {1}, for each interface there is only onepolicyenabled at any one given time. NAME IKERules DESCRIPTION The rules which govern when and howon a company- wide basis, but allow groups or individuals toperform IKE phase 1 negotiation. Theseinsert rulesare an ordered list and are logically ORed. When processing the rules, the first rule matched isinto theone used. NAME IPsecRules DESCRIPTION The rules which govern when and howpolicy toperform IKE phase 2 negotiation. These rulesoverride defaults. Rules areanorderedlist and are logically ORed. When processingin decreasing order of their priority (i.e., higher priorities come first). The override point specifies that if rules are inserted, they are to be inserted before all rules equal to or less than the override priority value. For example, assume that there is a group G1 with IKE rules as follows: G1 = { Rule A (priority 50), Rule B (priority 25), Rule C (priority 15) } The IKE override value for G1 is 20. Now assume that a local administrator wants to insert a set of IKE rules {Rule D, Rule E} where Rule D has a higher priority than Rule E. The new rules will be added before rules in G1 with priority equal to or less than 20. So, when evaluating rules, thefirst rule matchedorder of evaluation would be A, B, D, E, C. Note that the priority of the rules in override set are relative only to the set. The property is defined as follows: NAME IKERuleOverridePoint DESCRIPTION Specifies theone used. 4.3.rule priority at which the policy author is willing to allow IKERule insertions by a local administrator. SYNTAX unsigned 16-bit integer 4.1.2. TheClass IPInterfaceProperty IPsecRuleOverridePoint This property specifies the rule priority at which the policy author is willing to allow IPsecRule insertions by a local administrator. Jason ExpiresSeptember 2000January 2001 [Page9]10] Internet Draft IPsec Configuration Policy ModelMarchJuly 2000The IPInterface classThis property is the same as IKERuleOverridePoint except it is usedto represent an interface onfor thesystem. It containsIPsec rules in thefollowing reference:IPsecPolicyGroup. The property is defined as follows: NAMEIdentityIPsecRuleOverridePoint DESCRIPTIONIndicatesSpecifies theIP address or DNS name assigned torule priority at which theinterface. No wild-card values are allowedpolicy author is willing to allow IPsecRule insertions by a local administrator. SYNTAX unsigned 16-bit integer 4.2. The Class SARule The class SARule serves as a base class for IKERule and IPsecRule. Even though theendpoint object. 5. IPsec Rule Classes The IPsec ruleclass isusedconcrete, it MUST not be instantiated. It defines a common connection point for associations toassociateconditions and actions for both types of rules. Each SARule within acondition withgiven IPsecPolicyGroup must contain a unique priority. Through its derivation from PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has theaction whichPolicyRuleValidityPeriod association. The class definition for SARule isto be performed when the condition evaluates to true. +-----------------------+ | | |SecurityAssociationRule| | | +-----------------------+ * o o * | | +----------+ +-----------+ | (a) (b) | 1 | | 1 +----------------------------+ +---------------------------+ | | | | |SecurityAssociationCondition| |[SecurityAssociationAction]| | | | | +----------------------------+ +---------------------------+ (a) Condition (b) Action 5.1.as follows: NAME SARule DESCRIPTION A base class for IKERule and IPsecRule. DERIVED FROM PolicyRule (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyRuleName (from PolicyRule) Enabled (from PolicyRule) ConditionListType (from PolicyRule) Priority (from PolicyRule) PolicyRoles (from PolicyRule) 4.3. The ClassSecurityAssociationRuleIKERule TheSecurityAssociationRuleclass IKERule associates Conditions and Actions for IKE phase 1 negotiations. The class definition for IKERule isused to associate a condition with the IKE/IPsec action information that is to be used during the negotiation. It contains the following attribute/references: NAME enabled DESCRIPTION Indicates whether or not the rule is enabled. TYPE boolean VALUE true - rule is currently enabled false - rule is currently disabledas follows: NAMEConditionIKERule DESCRIPTION Associates Conditions and Actions for IKE phase 1 negotiations. DERIVED FROM SARule ABSTRACT FALSE PROPERTIES same as SARule 4.4. Thecondition, when evaluated against the given input, that MUST evaluate to true in orderClass IPsecRule The class IPsecRule associates Conditions and Actions for IKE phase 2 negotiations for theassociated action to be performed.IPsec DOI. The class definition for IPsecRule is as follows: NAMEActionIKERule DESCRIPTIONThe security association negotiation parameters to use whenAssociates Conditions and Actions for IKE phase 2 negotiations for theassociated condition evaluates to true.IPsec DOI. DERIVED FROM SARule Jason ExpiresSeptember 2000January 2001 [Page10]11] Internet Draft IPsec Configuration Policy ModelMarchJuly 20006. IPSec Condition ClassesABSTRACT FALSE PROPERTIES same as SARule 4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup TheconditionclassisIPsecPolicyGroupInPolicyGroup allows multiple IPsec policies to be combined to into one effective policy. When merging policies, rule priorities are used in conjunction with the rule override point values to determinewheninsertion points and for rule priority renumbering (if necessary to maintain uniqueness). The class definition for IPsecPolicyGroupInPolicyGroup is as follows: NAME IPsecPolicyGroupInPolicyGroup DESCRIPTION Associates a nested IPsecPolicyGroup with theassociated IKE or IPsec actionIPsecPolicyGroup that contains it. DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM]) ABSTRACT FALSE PROPERTIES ContainingGroup[ref IPsecPolicyGroup[0..n]] ContainedGroup[ref IPsecPolicyGroup[0..n]] Precedence 4.5.1. The Reference ContainingGroup The property ContainingGroup is inherited from PolicyGroupInPolicyGroup and is overridden to contain object reference to an IPsecPolicyGroup that contains one or more IPsecPolicyGroups. The [0..n] cardinality indicates that there may beperformed. +----------------------------+ | | |SecurityAssociationCondition| | | +----------------------------+ 1 x | {1}|(a) | * | +--------------------------------------+ | | |SecurityAssociationConditionExpression| | | +--------------------------------------+ 1 | | {2}|(b) | * | +---------------------------+ | | |[SecurityAssociationFilter]| | | +---------------------------+ (a) Expressions (b) Filters {1} If using disjunctive normal form (DNF), each expression is logically ORed. If using conjunctive normal form (CNF), each expression is logically ANDed. {2} If using DNF, each filterzero or more IPsecPolicyGroups that contain any given IPsecPolicyGroup. 4.5.2. The Reference ContainedGroup The property ContainedGroup islogically ANDed. If using CNF, each filterinherited from PolicyGroupInPolicyGroup and islogically ORed. 6.1.overridden to contain an object reference to an IPsecPolicyGroup contained by one or more IPsecPolicyGroups. TheClass SecurityAssociationCondition[0..n] cardinality indicates that an IPsecPolicyGroup may contain zero or more IPsecPolicyGroups. 4.5.3. TheSecurityAssociationCondition classProperty Precedence The property Precedence specifies thecriteria that is applied tomerge ordering of theinput information to determine if a particular conditionnested IPsecPolicyGroups. The property ismet. It contains the following attributes/references:defined as follows: NAMEnegatedPrecedence DESCRIPTIONIndicates whether or notSpecifies theresultmerge ordering of therule evaluation is to be negated. TYPE booleannested IPsecPolicyGroups. SYNTAX unsigned 16-bit integer VALUEtrue - condition evaluation resultAny value between 1 and 2^16-1 inclusive. Lower values have higher precedence (i.e., 1 isto be negatedthe highest precedence). The merging order of two ContainedGroups with the same precedence is undefined. 4.6. The Composition Class RuleForIKENegotiation Jason ExpiresSeptember 2000January 2001 [Page11]12] Internet Draft IPsec Configuration Policy ModelMarchJuly 2000false - condition evaluation resultThe class RuleForIKENegotiation associates an IKERule with the IPsecPolicyGroup that contains it. The class definition for RuleForIKENegotiation isnot to be negatedas follows: NAMEuseDNFRuleForIKENegotiation DESCRIPTIONIndicates whether or notAssociates an IKERule with therule is specified in DNF or CNF form. TYPE boolean VALUE true - condition is expressed as DNF.IPsecPolicyGroup that contains it. ABSTRACT FALSE PROPERTIES ContainingGroup [ref IPsecPolicyGroup [1..1]] ContainedRule [ref IKERule [0..n]] 4.6.1. Theexpressions within the condition are logically ORed.Reference ContainingGroup Thefilters withinproperty ContainingGroup contains anexpression are logically ANDed. false - condition is expressed as CNF.object reference to an IPsecPolicyGroup that contains one or more IKERules. Theexpressions within the condition[1..1] cardinality indicates that an IKERule may be contained in only one IPsecPolicyGroup (i.e., IKERules arelogically ANDed.not shared across IPsecPolicyGroups). 4.6.2. Thefilters withinReference ContainedRule The property ContainedRule contains anexpression are logically ORed. 6.2.object reference to an IKERule contained by an IPsecPolicyGroup. The [0..n] cardinality indicates that an IPsecPolicyGroup may contain zero or more IKERules. 4.7. The Composition ClassSecurityAssociationConditionExpressionRuleForIPsecNegotiation TheSecurityAssociationConditionExpressionclassis used to combine several filters, which together constitute one logical expression. It containsRuleForIPsecNegotiation associates an IPsecRule with thefollowing reference:IPsecPolicyGroup that contains it. The class definition for RuleForIPsecNegotiation is as follows: NAMEFiltersRuleForIPsecNegotiation DESCRIPTION Associates an IPsecRule with the IPsecPolicyGroup that contains it. ABSTRACT FALSE PROPERTIES ContainingGroup [ref IPsecPolicyGroup [1..1]] ContainedRule [ref IPsecRule [0..n]] 4.7.1. Theset of filters, which combined, are usedReference ContainingGroup The property ContainingGroup contains an object reference torepresent the expression. When using DNF, these filters are logically ANDed. When using CNF, these filtersan IPsecPolicyGroup that contains one or more IPsecRules. The [1..1] cardinality indicates that an IPsecRule may be contained in only one IPsecPolicyGroup (i.e., IPsecRules arelogically ORed.not shared across IPsecPolicyGroups). 4.7.2. The Reference ContainedRule The property ContainedRule contains an object reference to an IPsecRule contained by an IPsecPolicyGroup. The [0..n] cardinality Jason ExpiresSeptember 2000January 2001 [Page12]13] Internet Draft IPsec Configuration Policy ModelMarchJuly 20007. IPSec Filter Classesindicates that an IPsecPolicyGroup may contain zero or more IPsecRules. 4.8. Thefilter classes are used to specify individual criteria which MUST be met before a condition will evaluate to true. +---------------------------+ | | |[SecurityAssociationFilter]| | | +---------------------------+ ^ | +----------------+---------+-------+-----------------+ {1}| | | | +-------------+ +----------+ +---------------+ +--------------+ | | | | | | | | |AddressFilter| |PortFilter| |PortRangeFilter| |ProtocolFilter| | | | | | | | | +-------------+ +----------+ +---------------+ +--------------+ ^ | +----------------------+---------------------+ | | | +--------------+ +---------------+ +---------------+ | | | | | | |EndpointFilter| |IPv4RangeFilter| |IPv6RangeFilter| | | | | | | +--------------+ +---------------+ +---------------+ 1 x | (a)| | 1 | +----------+ | | |[Endpoint]| | | +----------+ (a) Identity {1} WhenAggregation Class SAConditionInRule The class SAConditionInRule associates an SARule with therule isSACondition instances that trigger it. See [PCIM] foran IKE phase one negotiation,theAddressFilter isusage for theonly type of filter allowed. 7.1. The Class SecurityAssociationFilterproperties GroupNumber and ConditionNegated. TheSecurityAssociationFilterclass definition for SAConditionInRule isusedasan abstract base class from which all concrete filter class are expected to derive from. It contains the following attribute:follows: NAMEnegatedSAConditionInRule DESCRIPTIONIndicates whether or not the result ofAssociates an SARule with thefilter evaluationSACondition instances that trigger it. DERIVED FROM PolicyConditionInPolicyRule (see [PCIM]) ABSTRACT FALSE PROPERTIES ContainingRule [ref SARule [0..n]] ContainedCondition [ref SACondition [0..n]] GroupNumber (from PolicyConditionInPolicyRule) ConditionNegated (from PolicyConditionInPolicyRule) SequenceNumber 4.8.1. The Reference ContainingRule The property ContainingRule is inherited from PolicyConditionInPolicyRule and is overridden tobe negated. Jason Expires September 2000 [Page 13] Internet Draft IPsec Configuration Policy Model March 2000 TYPE boolean VALUE true - filter evaluation is to be negated false - filter evaluation is notcontain an object reference to an SARule that contains one or more SAConditions. The [0..n] cardinality indicates that an SACondition may benegated 7.2.contained in zero or more SARules. 4.8.2. TheClass PortFilterReference ContainedCondition ThePortFilter class specifies a filter thatproperty ContainedCondition isbased upon a single port value. It contains the following attributes: NAME applyToSource DESCRIPTION Indicates whether or not the port specifiedinherited from PolicyConditionInPolicyRule and is overridden tobe interpreted as a source portcontain an object reference to an SACondition that is contained by an SARule. The [0..n] cardinality indicates that an SARule may contain zero or more SAConditions. 4.8.3. The Property SequenceNumber The property SequenceNumber specifies, for adestination port. TYPE boolean VALUE true -given rule, theport specified is to be interpreted as a source port false -order in which theport specified is toSACondition instances will beinterpretedevaluated. The property is defined asa destination portfollows: NAMEportSequenceNumber DESCRIPTION Specifies theport value. TYPEevaluation order of the SAConditions. SYNTAX unsigned 16-bit integer VALUE0 - wild-card port (i.e., any port matches). Any otherLower valued SAConditions are evaluated first. The order of evaluation of ContainedConditions with the same SequenceNumber valuespecifies a specific port. 7.3.is undefined. 4.9. The Aggregation ClassPortRangeFilterSAActionInRule Jason Expires January 2001 [Page 14] Internet Draft IPsec Configuration Policy Model July 2000 ThePortRangeFilterSAActionInRule classspecifies a filter that is based upon a range of port values.associates an SARule with its primary SAAction. Theport rangeclass definition for SAActionInRule isto be interpretedasinclusive. It contains the following attributes:follows: NAMEapplyToSourceSAActionInRule DESCRIPTIONIndicates whether or not the port specifiedAssociates an SARule with its primary SAAction. DERIVED FROM PolicyActionInPolicyRule (see [PCIM]) ABSTRACT FALSE PROPERTIES ContainingRule [ref SARule [0..n]] ContainedAction [ref SAAction [1..1]] 4.9.1. The Reference ContainingRule The property ContainingRule isto be interpreted as a source port range or a destination port range. TYPE boolean VALUE true - the port range specifiedinherited from PolicyActionInPolicyRule and is overridden to contain an object reference to an SARule that contains an SAAction. The [0..n] cardinality indicates that an SAAction may beinterpreted as a source port range false - the port range specifiedcontained in zero or more SARules. 4.9.2. The Reference ContainedAction The property ContainedAction is inherited from PolicyActionInPolicyRule and is overridden to contain an object reference to an SAAction that is contained by an SARule. The [1..1] cardinality indicates that an SARule may contain only one SAAction. 4.10. The Aggregation Class FallbackSAActionInRule The class FallbackSAActionInRule associates an SARule with its ordered set of fallback actions. Fallback actions allow an administrator to define what action is to beinterpretedtake if the SAAction referenced by SAActionInRule fails for any reason. The class definition for FallbackSAActionInRule is asa destination port rangefollows: NAMEfirstPortFallbackSAActionInRule DESCRIPTIONSpecifiesAssociates an SARule with thefirst portordered set of fallback actions that should be attempted/applied in therange. TYPE unsigned 16-bit integer NAME lastPort DESCRIPTION Specifies the last port incase of failure of therange. TYPE unsigned 16-bit integer VALUEprimary SAAction. ABSTRACT FALSE PROPERTIES ContainingRule [ref SARule [0..n]] ContaintedAction [ref SAAction [0..n]] SequenceNumber 4.10.1. ThelastPort attribute value MUSTReference ContainingRule The property ContainingRule contains an object reference to an SARule that contains one or more fallback SAActions. The [0..n] cardinality indicates that an fallback SAAction may begreater thancontained in zero orequalmore SARules. 4.10.2. The Reference ContainedAction The property ContainedAction contains an object reference tothe firstPort attribute value. 7.4.a fallback SAAction that is contained by one or more SARules. TheClass ProtocolFilterJason ExpiresSeptember 2000January 2001 [Page14]15] Internet Draft IPsec Configuration Policy ModelMarchJuly 2000 [0..n] cardinality indicates that an SARule may contain zero or more fallback SAActions. 4.10.3. TheProtocolFilter class specifiesProperty SequenceNumber The property SequenceNumber specifies, for afilter that is based upongiven rule, theIP protocol. It containsorder in which thefollowing attribute:fallback SAActions should be attempted. Once a fallback SAAction is successfully applied, then subsequent fallback SAActions should be ignored. The property is defined as follows: NAMEprotocolSequenceNumber DESCRIPTION Specifies theIP protocol value. TYPEorder of attempted application for the fallback SAAction. SYNTAX unsigned8-bit16-bit integer VALUE0 - wild-card protocol (i.e., any protocol). Any other value specifies a specific protocol. Note: if using DNF, it does not make sense to use a PortFilter or PortRangeFilter when using a ProtocolFilter that is not either UDP or TCP. 7.5. The Class AddressFilterLower valued fallback SAActions are attempted first. TheAddressFilter classorder of attempt of ContainedActions with the same SequenceNumber value isused to represent filters which use a system's address orundefined. Jason Expires January 2001 [Page 16] Internet Draft IPsec Configuration Policy Model July 2000 5. Condition and Filter Classes The IPsec condition and filter classes are used to build the "if" part of the IKE and IPsec rules. +-------------+* 0..1+------------+1 *+-------------------+ | SACondition |o--------| FilterList |x--------| [FilterEntryBase] | +-------------+ (a) +------------+ (b) +-------------------+ ^ | +---------------------+------------------------+ | | | +-----------------+ +-------------------+ +-----------------------+ | [IPFilterEntry] | | [IPSOFilterEntry] | | CredentialFilterEntry | +-----------------+ +-------------------+ +-----------------------+ ^ ^ | | | +-------------------+ | | | | +--------------------------------+ | +-| ClassificationLevelFilterEntry | | | +--------------------------------+ | | | | +--------------------------------+ | +-| ProtectionAuthorityFilterEntry | | +--------------------------------+ | +-----------------------------------------------+ | | +-----------------------+ +--------------------+ | [EndpointFilterEntry] | |ProtocolFilterEntry | +-----------------------+ +--------------------+ ^ ^ | +----------------+ | +----------------------+ | UDPFilterEntry |--+ | +----------------+ | | | +-----------------+ | +----------------+ | | FQDNFilterEntry |----+ | TCPFilterEntry |--+ +-----------------+ | +----------------+ | +------------------------+ | +------------------------+ | IPv4AddressFilterEntry |----+----| IPv6AddressFilterEntry | +------------------------+ | +------------------------+ | +----------------------+ | +----------------------+ | IPv4RangeFilterEntry |----+----| IPv6RangeFilterEntry | +----------------------+ | +----------------------+ | +-----------------------+ | +-----------------------+ | IPv4SubnetFilterEntry |----+----| IPv6SubnetFilterEntry | +-----------------------+ +-----------------------+ Jason Expires January 2001 [Page 17] Internet Draft IPsec Configuration Policy Model July 2000 (a) FilterOfSACondition (b) EntriesInFilterList 5.1. The Class SACondition The class SACondition defines the preconditions for IKE and IPsec negotiations. The class definition for SACondition is as follows: NAME SACondition DESCRIPTION Defines the preconditions for IKE and IPsec negotiations. DERIVED FROM PolicyCondition (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyConditionName (from PolicyCondition) StartupCondition 5.1.1. The Property StartupCondition This property specifies the triggering event that caused the rule evaluation. The property is defined as follows: NAME StartupCondition DESCRIPTION Specifies the triggering event that cause the rule to be evaluated. SYNTAX unsigned 16-bit integer VALUE 1 (OnBoot) - the rule is triggered after system boot. The FilterList associated with the SACondition contains the information that will be used to build the selectors. 2 (OnManual) - the rule is triggered manually in response to user input. The FilterList associated with the SACondition contains the information that will be used to build the selectors. 3 (OnDataTraffic) - the rule is triggered when packets without associated security associations are sent or received (traffic directionality is indicated by the Direction field of the associated FilterList). 4 (OnIKEMessage) - the rule is triggered when an incoming request for IKE negotiation is received. 5.2. The Class FilterList The class FilterList aggregates an ANDed set of filters that are used for determining when an SACondition evaluates to true and therefore its associated SAAction should be performed. The class definition for FilterList is as follows: NAME FilterList DESCRIPTION Aggregates a set of filters for condition matching. ABSTRACT FALSE PROPERTIES Name Direction Jason Expires January 2001 [Page 18] Internet Draft IPsec Configuration Policy Model July 2000 5.2.1. The Property Name This property specifies a user-friendly name for the FilterList. The property is defined as follows: NAME Name DESCRIPTION Specifies the user-friendly name for the FilterList. SYNTAX string 5.2.2. The Property Direction This property specifies whether or the FilterList will be used on incoming, outgoing, or bi-directional traffic. Direction is only useful for filter types that inspect traffic parameters and when the StartupCondition property in the SACondition is set to OnDataTraffic (3). The property is defined as follows: NAME Direction DESCRIPTION Specifies what kind of traffic will be checked - incoming, outgoing, or bi-directional. SYNTAX unsigned 16-bit integer VALUE 1 - Incoming 2 - Outgoing 3 - Bi-directional 5.3. The Abstract Class FilterEntryBase The abstract class FilterEntryBase serves as the base class for the specific filter class. The class definition for FilterEntryBase is as follows: NAME FilterEntryBase DESCRIPTION Serves as the base class for specific filter classes. ABSTRACT TRUE PROPERTIES Name IsNegated 5.3.1. The Property Name This property specifies a user-friendly name for the filter. The property is defined as follows: NAME Name DESCRIPTION Specifies the user-friendly name for the filter. SYNTAX string 5.3.2. The Property IsNegated This property specifies whether or not the result of the boolean result of the filter evaluation should be negated. The property is defined as follows: NAME IsNegated Jason Expires January 2001 [Page 19] Internet Draft IPsec Configuration Policy Model July 2000 DESCRIPTION Specifies whether or not to negate the result of the evaluation of the filter. SYNTAX boolean VALUE A value of true means that the boolean result of the filter evaluation of the filter will be negated. A value of false means that the boolean result of the evaluation of the filter will not be altered. 5.4. The Abstract Class IPFilterEntry The abstract class IPFilterEntry serves as a base class for filter entries which are used to match against the 5-tuple (i.e., source and destination address, protocol, and source and destination port) information in the IP packet. The class definition for IPFilterEntry is as follows: NAME IPFilterEntry DESCRIPTION Serves as the base class for IP 5-tuple filters. DERIVED FROM FilterEntryBase ABSTRACT TRUE 5.5. The Abstract Class EndpointFilterEntry The abstract class EndpointFilterEntry serves as a base class for filters which match against IP addresses (source or destination). The class definition for EndpointFilterEntry is as follows: NAME EndpointFilterEntry DESCRIPTION Serves as the base class for filters which match against IP addresses. DERIVED FROM IPFilterEntry ABSTRACT TRUE PROPERTIES ApplyToDestination 5.5.1. The Property ApplyToDestination This property specifies whether or not the address to test against is the source or the destination IP address. The property is defined as follows: NAME ApplyToDestination DESCRIPTION Specifies which IP address to test, source or destination. SYNTAX boolean VALUE A value of true means that the destination IP address should be tested against. A value of false means that the source IP address should be tested against. 5.6. The Class IPv4AddressFilterEntry The class IPv4AddressFilterEntry specifies a filter that will match against a single IPv4 address. The class definition for IPv4AddressFilterEntry is as follows: Jason Expires January 2001 [Page 20] Internet Draft IPsec Configuration Policy Model July 2000 NAME IPv4AddressFilterEntry DESCRIPTION Defines the match filter for an IPv4 address. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Address 5.6.1. The Property Address This property specifies the IPv4 address that will be used in the equality test. The property is defined as follows: NAME Address DESCRIPTION Specifies the IPv4 address to match against. SYNTAX unsigned 32-bit integer 5.7. The Class IPv4RangeFilterEntry The class IPv4RangeFilterEntry specifies a filter for testing if an IPv4 address is between the start address and end address inclusively. The class definition for IPv4RangeFilterEntry is as follows: NAME IPv4RangeFilterEntry DESCRIPTION Defines the match filter for an IPv4 address range. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES StartAddress EndAddress 5.7.1. The Property StartAddress This property specifies the first IPv4 address in the address range. The property is defined as follows: NAME StartAddress DESCRIPTION Specifies the start of the IPv4 address range. SYNTAX unsigned 32-bit integer 5.7.2. The Property EndAddress This property specifies the last IPv4 address in the address range. The property is defined as follows: NAME EndAddress DESCRIPTION Specifies the end of the IPv4 address. SYNTAX unsigned 32-bit integer VALUE EndAddress must be greater than or equal to StartAddress. 5.8. The Class IPv4SubnetFilterEntry Jason Expires January 2001 [Page 21] Internet Draft IPsec Configuration Policy Model July 2000 The class IPv4SubnetFilterEntry specifies a filter for testing if an IPv4 address is in the specified subnet. The class definition for IPv4SubnetFilterEntry is as follows: NAME IPv4SubnetFilterEntry DESCRIPTION Defines the match filter for an IPv4 subnet. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Address Mask 5.8.1. The Property Address This property specifies the IPv4 subnet. The property is defined as follows: NAME Address DESCRIPTION Specifies the IPv4 subnet. SYNTAX unsigned 32-bit integer 5.8.2. The Property Mask This property specifies the IPv4 mask. The property is defined as follows: NAME Mask DESCRIPTION Specifies the IPv4 mask. SYNTAX unsigned 32-bit integer VALUE A special value of 0.0.0.0, coupled with an Address value of 0.0.0.0 can be used to specify all addresses. 5.9. The Class IPv6AddressFilterEntry The class IPv6AddressFilterEntry specifies a filter that will match against a single IPv6 address. The class definition for IPv6AddressFilterEntry is as follows: NAME IPv6AddressFilterEntry DESCRIPTION Defines the match filter for an IPv4 address. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Address 5.9.1. The Property Address This property specifies the IPv6 address that will be used in the equality test. The property is defined as follows: NAME Address DESCRIPTION Specifies the IPv6 address to match against. SYNTAX byte[16] 5.10. The Class IPv6RangeFilterEntry Jason Expires January 2001 [Page 22] Internet Draft IPsec Configuration Policy Model July 2000 The class IPv6RangeFilterEntry specifies a filter for testing if an IPv6 address is between the start address and end address inclusively. The class definition for IPv6RangeFilterEntry is as follows: NAME IPv6RangeFilterEntry DESCRIPTION Defines the match filter for an IPv6 address range. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES StartAddress EndAddress 5.10.1. The Property StartAddress This property specifies the first IPv6 address in the address range. The property is defined as follows: NAME StartAddress DESCRIPTION Specifies the start of the IPv6 address range. SYNTAX byte[16] 5.10.2. The Property EndAddress This property specifies the last IPv6 address in the address range. The property is defined as follows: NAME EndAddress DESCRIPTION Specifies the end of the IPv6 address. SYNTAX byte[16] VALUE EndAddress must be greater than or equal to StartAddress. 5.11. The Class IPv6SubnetFilterEntry The class IPv6SubnetFilterEntry specifies a filter for testing if an IPv6 address is in the specified subnet. The class definition for IPv4SubnetFilterEntry is as follows: NAME IPv6SubnetFilterEntry DESCRIPTION Defines the match filter for an IPv6 subnet. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Address Mask 5.11.1. The Property Address This property specifies the IPv6 subnet. The property is defined as follows: NAME Address DESCRIPTION Specifies the IPv6 subnet. Jason Expires January 2001 [Page 23] Internet Draft IPsec Configuration Policy Model July 2000 SYNTAX byte[16] 5.11.2. The Property Mask This property specifies the IPv6 mask. The property is defined as follows: NAME Mask DESCRIPTION Specifies the IPv6 mask. SYNTAX byte[16] VALUE A special value of 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0, coupled with an Address value of 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 can be used to specify all addresses. 5.12. The Class FQDNFilterEntry The class FQDNFilterEntry specifies a filter for mathcing against a single or wild-carded DNS name. The class definition for FQDNFilterEntry is as follows: NAME FQDNFilterEntry DESCRIPTION Defines the match filter for a DNS name. DERIVED FROM EndpointFilterEntry ABSTRACT FALSE PROPERTIES Name 5.12.1. The Property Name This property specifies the DNS name to match against. The property is defined as follows: NAME Address DESCRIPTION Specifies the DNS name. SYNTAX string VALUE The DNS name can be fully qualified (for example, foo.intel.com) or partially qualified (*.intel.com). 5.13. The Class ProtocolFilterEntry The class ProtocolFilterEntry specifies a filter for testing against an IP protocol. The class definition for ProtocolFilterEntry is as follows: NAME ProtocolFilterEntry DESCRIPTION Defines a match filter for IP protocol. DERIVED FROM IPFilterEntry ABSTRACT FALSE PROPERTIES Protocol 5.13.1. The Property Protocol Jason Expires January 2001 [Page 24] Internet Draft IPsec Configuration Policy Model July 2000 This property specifies the IP protocol to match against. The property is defined as follows: NAME Protocol DESCRIPTION Specifies the IP protocol. SYNTAX unsigned 8-bit integer VALUE A value of zero matches against any protocol. Any other value is the IP protocol number. 5.14. The Class UDPFilterEntry The class UDPFilterEntry specifies a filter for testing if a UDP port is between the start port and end port inclusively. It is assumed that the Protocol property from the ProtocolFilterEntry class will contain the value 17 (i.e., UDP). The class definition for UDPFilterEntry is as follows: NAME UDPFilterEntry DESCRIPTION Defines the match filter for a UDP port range. DERIVED FROM ProtocolFilterEntry ABSTRACT FALSE PROPERTIES StartPort EndPort 5.14.1. The Property StartPort This property specifies the first port in the UDP port range. The property is defined as follows: NAME StartPort DESCRIPTION Specifies the start of the UDP port range. SYNTAX unsigned 16-bit integer 5.14.2. The Property EndPort This property specifies the last port in the UDP port range. The property is defined as follows: NAME EndPort DESCRIPTION Specifies the end of the UDP port range. SYNTAX unsigned 16-bit integer VALUE EndPort must be greater than or equal to StartPort. 5.15. The Class TCPFilterEntry The class TCPFilterEntry specifies a filter for testing if a TCP port is between the start port and end port inclusively. It is assumed that the Protocol property from the ProtocolFilterEntry class will contain the value 6 (i.e., TCP). The class definition for TCPFilterEntry is as follows: NAME TCPFilterEntry DESCRIPTION Defines the match filter for a TCP port range. Jason Expires January 2001 [Page 25] Internet Draft IPsec Configuration Policy Model July 2000 DERIVED FROM ProtocolFilterEntry ABSTRACT FALSE PROPERTIES StartPort EndPort 5.15.1. The Property StartPort This property specifies the first port in the TCP port range. The property is defined as follows: NAME StartPort DESCRIPTION Specifies the start of the TCP port range. SYNTAX unsigned 16-bit integer 5.15.2. The Property EndPort This property specifies the last port in the TCP port range. The property is defined as follows: NAME EndPort DESCRIPTION Specifies the end of the TCP port range. SYNTAX unsigned 16-bit integer VALUE EndPort must be greater than or equal to StartPort. 5.16. The Abstract Class IPSOFilterEntry The abstract class IPSOFilterEntry serves as a base class for the IP Security Option (IPSO) filters. The class definition for IPSOFilterEntry is as follows: NAME IPSOFilterEntry DESCRIPTION Serves as the base class for the IPSO filters. DERIVED FROM FilterEntryBase ABSTRACT TRUE 5.17. The Class ClassificationLevelFilterEntry The class ClassificationLevelFilterEntry specifies a filter for matching against the classification level IPSO field type. The class definition for ClassificationLevelFilterEntry is as follows: NAME ClassificationLevelFilterEntry DESCRIPTION Defines the filter for the IPSO classification level. DERIVED FROM IPSOFilterEntry ABSTRACT FALSE PROPERTIES Level 5.17.1. The Property Level This property specifies the classification level to match against. The property is defined as follows: NAME Level Jason Expires January 2001 [Page 26] Internet Draft IPsec Configuration Policy Model July 2000 DESCRIPTION Specifies the classification level. SYNTAX unsigned 16-bit integer VALUE 61 - Top Secret 90 - Secret 150 - Confidential 171 - Unclassified 5.18. The Class ProtectionAuthorityFilterEntry The class ProtectionAuthorityFilterEntry specifies a filter for matching against the protection authority IPSO field type. The class definition for ProtectionAuthorityFilterEntry is as follows: NAME ProtectionAuthorityFilterEntry DESCRIPTION Defines the filter for the IPSO protection authority. DERIVED FROM IPSOFilterEntry ABSTRACT FALSE PROPERTIES Authority 5.18.1. The Property Authority This property specifies the protection authority to match against. The property is defined as follows: NAME Authority DESCRIPTION Specifies the protection authority. SYNTAX unsigned 16-bit integer VALUE 0 - GENSER 1 - SIOP-ESI 2 - SCI 3 - NSA 4 - DOE 5.19. The Class CredentialFilterEntry The class CredentialFilterEntry defines a filter for matching against credential information that was obtained during the IKE phase 1 negotiation. This information can be identity information (such as User FQDN) or information retrieved from credential information (for example, fields from a certificate). This information can be used as a form of access control. The class definition for CredentialFilterEntry is as follows: NAME CredentialFilterEntry DESCRIPTION Defines the filter for matching against IKE phase 1 credential/identity information. DERIVED FROM FilterBaseEntry ABSTRACT FALSE PROPERTIES To Be Determined... 5.20. The Aggregation Class FilterOfSACondition Jason Expires January 2001 [Page 27] Internet Draft IPsec Configuration Policy Model July 2000 The class FilterOfSACondition associates an SACondition with the filter specifications (FilterList) that make up the condition. The class definition for FilterOfSACondition is as follows: NAME FilterOfSACondition DESCRIPTION Associates a condition with the filter list that make up the individual condition elements. ABSTRACT FALSE PROPERTIES Antecedent [ref FilterList[0..1]] Dependent [ref SACondition [0..n]] 5.20.1. The Reference Antecedent The property Antecedent contains an object reference to a FilterList that is contained in one or more SAConditions. The [0..1] cardinality indicates that an SACondition may have zero or one FilterList. 5.20.2. The Reference Dependent The property Dependent contains an object reference to an SACondition that contains an FilterList. The [0..n] cardinality indicates that a FilterList may be contained in zero or more SAConditions. 5.21. The Composition Class EntriesInFilterList The class EntriesInFilterList associates the individual FilterEntryBases with a FilterList. Together these individual FilterEntryBases can create complex conditions. The class definition for EntriesInFilterList is as follows: NAME EntriesInFilterList DESCRIPTION Associates a FilterList with the set of individual filters. ABSTRACT FALSE PROPERTIES Antecedent [ref FilterEntryBase[0..n]] Dependent [ref FilterList [1..1]] EntrySequence 5.21.1. The Reference Antecedent The property Antecedent contains an object reference to a FilterEntryBase that is contained in a FilterList. The [0..n] cardinality indicates that a FilterList may have zero or more FilterEntryBases. 5.21.2. The Reference Dependent The property Dependent contains an object reference to a FilterList that contains zero or more FilterEntryBases. The [1..1] cardinality indicates that a FilterEntryBase may be contained in one and only Jason Expires January 2001 [Page 28] Internet Draft IPsec Configuration Policy Model July 2000 one FilterLists (i.e., FilterEntryBases cannot be shared between FilterLists). 5.21.3. The Property EntrySequence The property EntrySequence specifies, for a given FilterList, the order in which the filters should be checked. The property is defined as follows: NAME EntrySequence DESCRIPTION Specifies the order to check the filters in a FilterList. SYNTAX unsigned 16-bit integer VALUE Lower valued filters are checked first. The order of checking of FilterEntryBases with the same EntrySequence value is undefined. Jason Expires January 2001 [Page 29] Internet Draft IPsec Configuration Policy Model July 2000 6. Action Classes The action classes are used to model the different actions an IPsec device may take when the evaluation of the associated condition results in a match. +----------+ | SAAction | +----------+ ^ | +-----------+--------------+ | | +----------------+ +---------------------+* | SAStaticAction | | SANegotiationAction |o-----+ +----------------+ +---------------------+ | ^ ^ | | | | | +-----------+-------+ | | | | | +-------------------+ | +-------------+ +-----------+ | | IPsecBypassAction |---+ | IPsecAction | | IKEAction | | +-------------------+ | +-------------+ +-----------+ | | ^ | +--------------------+ | | +----------------------+ | | IPsecDiscardAction |---+ +----| IPsecTransportAction | | +--------------------+ | | +----------------------+ | | | | +-----------------+ | | +-------------------+ | | IKERejectAction |---+ +----| IPsecTunnelAction | | +-----------------+ | +-------------------+ | | | +-----------------------+ | +--------------+n | | SAPreconfiguredAction |---+ | [SAProposal] |-------+ +-----------------------+ +--------------+ (a) (a) ContainedProposal 6.1. The Class SAAction The class SAAction serves as the base class for IKE and IPsec actions. Although the class is concrete, it MUST not be instantiated. The class definition for SAAction is as follows: NAME SAAction DESCRIPTION The base class for IKE and IPsec actions. DERIVED FROM PolicyAction (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyActionName (from PolicyAction) 6.2. The Class SAStaticAction Jason Expires January 2001 [Page 30] Internet Draft IPsec Configuration Policy Model July 2000 The class SAStaticAction serves as the base class for IKE and IPsec actions that do not require any negotation. Although the class is concrete, it MUST not be instantiated. The class definition for SAStaticAction is as follows: NAME SAStaticAction DESCRIPTION The base class for IKE and IPsec actions that do not require any negotiation. DERIVED FROM SAAction ABSTRACT FALSE PROPERTIES LifetimeSeconds 6.2.1. The Property LifetimeSeconds The property LifetimeSeconds specifies how long the security association derived from this action should be used. The property is defined as follows: NAME LifetimeSeconds DESCRIPTION Specifies the amount of time (in seconds) that a security association derived from this action should be used. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there is not a lifetime associated with this action (i.e., infinite lifetime). A nono-zero value is typically used in conjunction with fallback actions performed when there is a negotiation failure of some sort. 6.3. The Class IPsecBypassAction The class IPsecBypassAction is used when packets are allowed to be processed without applying IPsec to them. This is the same as stating that packets are allowed to flow in the clear. The class definition for IPsecBypassAction is as follows: NAME IPsecBypassAction DESCRIPTION Specifies that packets are to be allowed to pass in the clear. DERIVED FROM SAStaticAction ABSTRACT FALSE 6.4. The Class IPsecDiscardAction The class IPsecDiscardAction is used when packets are to be discarded. This is the same as stating that packets are to be denied. The class definition for IPsecDiscardAction is as follows: NAME IPsecDiscardAction DESCRIPTION Specifies that packets are to be discarded. DERIVED FROM SAStaticAction ABSTRACT FALSE PROPERTIES DoLogging Jason Expires January 2001 [Page 31] Internet Draft IPsec Configuration Policy Model July 2000 6.4.1. The Property DoLogging The property DoLogging specifies whether or not an audit message should be logged when a packet is discarded. The property is defined as follows: NAME DoLogging DESCRIPTION Specifies if an audit message should be logged when a packet is discarded. SYNTAX boolean VALUE A value of true indicates that logging should be done for this action. A value of false indicates logging should not be done for this action. 6.5. The Class IKERejectAction The class IKERejectAction is used to prevent attempting an IKE negotiation with the peer(s). The class definition for IKERejectAction is as follows: NAME IKERejectAction DESCRIPTION Specifies that an IKE negotiation should not even be attempted. DERIVED FROM SAStaticAction ABSTRACT FALSE PROPERTIES DoLogging 6.5.1. The Property DoLogging The property DoLogging specifies whether or not an audit message should be logged when a determination is made to prevent an IKE negotiation. The property is defined as follows: NAME DoLogging DESCRIPTION Specifies if an audit message should be logged when IKE negotiation is prohibited. SYNTAX boolean VALUE A value of true indicates that logging should be done for this action. A value of false indicates logging should not be done for this action. 6.6. The Class SAPreconfiguredAction The class SAPreconfiguredAction is used to create a security association using preconfigured, hard-wired algorithms and keys. The class definition for SAPreconfiguredAction is as follows: NAME SAPreconfiguredAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of afilter. Itsecurity association. DERIVED FROM SAStaticAction ABSTRACT FALSE Jason Expires January 2001 [Page 32] Internet Draft IPsec Configuration Policy Model July 2000 PROPERTIES To Be Determined... 6.7. The Class SANegotiationAction The class SANegotiationAction serves as the base class for IKE and IPsec actions which result in a IKE negotiation. Although the class is concrete, is MUST not be instantiated. The class definition for SANegotiationAction is as follows: NAME SANegotiationAction DESCRIPTION A base class for IKE and IPsec actions that specifies the parameters that are common for IKE phase 1 and IKE phase 2 IPsec DOI negotiations. DERIVED FROM SAAction ABSTRACT FALSE PROPERTIES MinLifetimeSeconds MinLifetimeKilobytes RefreshThresholdSeconds RefreshThresholdKilobytes IdleDurationSeconds 6.7.1. The Property MinLifetimeSeconds The property MinLifetimeSeconds specifies the minimum seconds lifetime that will be accepted from the peer. MinLifetimeSeconds is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. The property is defined as follows: NAME MinLifetimeSeconds DESCRIPTION Specifies the minimum acceptable seconds lifetime. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum seconds lifetime. 6.7.2. The Property MinLifetimeKilobytes The property MinLifetimeKilobytes specifies the minimum kilobyte lifetime that will be accepted from the peer. MinLifetimeKilobytes is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. The property is defined as follows: NAME MinLifetimeKilobytes DESCRIPTION Specifies the minimum acceptable kilobyte lifetime. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there isused as an abstract base class from which specific address-based filters will be derived.no minimum value. A non-zero value specifies the minimum kilobyte lifetime. Jason Expires January 2001 [Page 33] Internet Draft IPsec Configuration Policy Model July 2000 6.7.3. Theaddress filters are always usedProperty RefreshThresholdSeconds The property RefreshThresholdSeconds specifies what percentage of the seconds lifetime can expire before IKE should attempt tospecifyrenegotiate the IPsec security association. A random value may be added to the calculated threshold (percentage x seconds lifetime) to reduce theaddress/hostnamechance of both peers attempting to renegotiate at thedestination machine.same time. Thereasonproperty is defined as follows: NAME RefreshThresholdSeconds DESCRIPTION Specifies the percentage of seconds lifetime that has expired before the IPsec security associationof a policy withis renegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representing aparticular interface impliespercentage. A value of 100 indicates that thesource address/hostname - one could look atIPsec security association should not be renegotiated until thepolicy to interface mapping as another typeseconds lifetime has been reached. 6.7.4. The Property RefreshThresholdKilobytes The property RefreshThresholdKilobytes specifies what percentage offilter. Note: forthe kilobyte lifetime can expire before IKErules, these areshould attempt to renegotiate theonly filter type allowed. 7.6. The Class EndpointFilter The EndpointFilter class is usedIPsec security association. A random value may be added torepresent a filter that specifies an individual interface on one system. It is usedthe calculated threshold (percentage x kilobyte lifetime) tospecify an FQDN, an IPv4 address, or an IPv6 address. It containsreduce thefollowing reference:chance of both peers attempting to renegotiate at the same time. The property is defined as follows: NAMEIdentityRefreshThresholdKilobytes DESCRIPTION Specifies theFQDN or IP address to use forpercentage of kilobyte lifetime that has expired before thefilter. TheIPsec security association is renegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 and 100 representing a percentage. A valueMAYof 100 indicates that the IPsec security association should not bewild-carded (seerenegotiated until theEndpoint class description). 7.7.kilobyte lifetime has been reached. 6.7.5. TheClass IPv4RangeFilterProperty IdleDurationSeconds TheIPv4RangeFilter is used to represent a filter thatproperty IdleDurationSeconds specifies how many seconds arange of IPv4 address.security association may remain idle (i.e., no traffic protected using the security association) before it is deleted. Therangeproperty isto be interpreteddefined asinclusive. It contains the following attributes: NAME firstAddress DESCRIPTION Specifies the first address in the range. TYPE unsigned 32-bit valuefollows: NAMElastAddressIdleDurationSeconds DESCRIPTION Specifiesthe last addresshow long, inthe range. TYPEseconds, a security association may remain unused before it is deleted. SYNTAX unsigned 32-bitvalueinteger VALUEThe lastAddress attributeA valueMUSTof zero indicates that idle detection should not begreater than or equal toused for thefirstAddress attribute value.security association. Any non-zero Jason ExpiresSeptember 2000January 2001 [Page15]34] Internet Draft IPsec Configuration Policy ModelMarchJuly 20007.8.value indicates the number of seconds the security association may remain unused. 6.8. The ClassIPv6RangeFilterIPsecAction The class IPsecAction serves as the base class for IPsec transport and tunnel actions. It specifies the parameters used for an IKE phase 2 IPsec DOI negotiation. Although the class is concrete, is MUST not be instantiated. TheIPv6RangeFilterclass definition for IPsecAction is as follows: NAME IPsecAction DESCRIPTION A base class for IPsec transport and tunnel actions that specifies the parameters for IKE phase 2 IPsec DOI negotiations. DERIVED FROM SANegotiationAction ABSTRACT FALSE PROPERTIES UsePFS UseIKEGroup GroupId Granularity 6.8.1. The Property UsePFS The property UsePFS specifies whether or not perfect forward secrecy should be used when refreshing keys. The property is defined as follows: NAME UsePFS DESCRIPTION Specifies the whether or not torepresent a filteruse PFS. SYNTAX boolean VALUE A value of true indicates thatspecifies a rangePFS should be used. A value ofIPv6 address.false indicates that PFS should not be used. 6.8.2. The Property UseIKEGroup The property UseIKEGroup specifies whether or not phase 2 should use the same Diffie-Hellman as was used in phase 1. UseIKEGroup is ignored if UsePFS is false. Therangeproperty isto be interpreteddefined asinclusive. It contains the following attributes: NAME firstAddress DESCRIPTION Specifies the first address in the range. TYPE octet[16]follows: NAMElastAddressUseIKEGroup DESCRIPTION Specifies whether or not to use thelast addresssame GroupId for phase 2 as was used inthe range. TYPE octet[16]phase 1. If UsePFS is false, then UseIKEGroup is ignored. SYNTAX boolean VALUEThe lastAddress attributeA valueMUSTof true indicates that the phase 2 GroupId should begreater than or equal tothefirstAddress attribute value. Jason Expires September 2000 [Page 16] Internet Draft IPsec Configuration Policy Model March 2000 8. IKE and IPsec Action Classes An action is a setsame as phase 1. A value ofproposals combined with the security association level informationfalse indicates thatis usedthe property GroupId will contain the Diffie-Hellman group toprotect a particular flow. +---------------------------+ | | |[SecurityAssociationAction]| | |o---+ +---------------------------+* | ^ (a)|{1} | n| | +-----------------------------+ | | | | |[SecurityAssociationProposal]| | | | | +-----------------------------+ | +---------+ | | | | |IKEAction|---+ | | | +---------+ | | +-----------+ | +------------------+ | |---+ | | |IPsecAction| (b) 0..1|DiffieHellmanGroup| | |o--------------| | +-----------+* {2} +------------------+ ^ | +--------+------------+-----------+------------+ | | | | +--------------------+ +-----------------+ | +-----------------+ | | | | | | | |IPsecTransportAction| |IPsecTunnelAction| | |IPsecBypassAction| | | | | | | | +--------------------+ +-----------------+ | +-----------------+ 1 x | | | (c)|{3} +------------+ | | +----------+ +------------------+ | | | | |[Endpoint]| |IPsecDiscardAction| | | | | +----------+ +------------------+ (a) Proposals (b) IPsecGroup (c) RemoteGatewayuse for phase 2. 6.8.3. The Property GroupId Jason ExpiresSeptember 2000January 2001 [Page17]35] Internet Draft IPsec Configuration Policy ModelMarch 2000 {1} 1. For an IKEAction object, these MUST be IKEPropsal objects. For an IPsecAction object, these MUST be IPsec Action objects. 2. SecurityAssociationProposal objects are ordered from most preferable to least preferable and are logically ORed. The mechanism by which ordering is accomplished is dependent upon the specific derivation ofJuly 2000 The property GroupId specifies theIPsec schema. {2} If not using Perfect Forward Secrecy (PFS), thenDiffie-Hellman group to use for phase 2. GroupId is ignored if (1) theDiffieHellmanGroup object either does not exist orproperty UsePFS isignored. Otherwise (PFSfalse, or (2) the property UsePFS isused) iftrue and theDiffieHellmanGroup objectproperty UseIKEGroup isnot present, thentrue. The property is defined as follows: NAME GroupId DESCRIPTION Specifies the Diffie-HellmanGroup from Phase 1 will be used for Phase 2. Otherwise,group to use for phase 2 when theDiffieHellmanGroup object. {3} Ifproperty UsePFS is true and theendpoint typeproperty UseIKEGroup isan FQDN, thenfalse. SYNTAX unsigned 16-bit integer VALUE 1 - 768-bit MODP group 2 - 1024-bit MODP group 3 - EC2N group on GP[2^155] 4 - EC2N group on GP[2^185] 5 - 1536-bit MODP group 6.8.4. The Property Granularity The property Granularity specifies whether theDNS name MUSTproposed selector for the security association should befully-qualifed (i.e., no wild-card values allowed). Ifderived from theendpoint type is an IPv4 or IPv6 address, thentraffic that triggered theaddress MUST NOT benegotiation (Narrow) or from thewild-card value. 8.1. The Class SecurityAssociationAction The SecurityAssociationAction class containsFilterList of theparametersCondition(s) thatare common between the IKE and IPsec action classes. It containsmatched thefollowing attributes/references:rule (Wide). The property is defined as follows: NAMErefreshThresholdSecondsGranularity DESCRIPTION Specifies thepercentage of expiration (in other words,how therefresh threshold) of an established SA's seconds lifetime at which to begin renegotiation ofproposed selector for theSA. TYPEsecurity association will be created. SYNTAX unsigned 8-bit integer VALUEValid values are in the range1to 100 inclusive. A value of 100 means- The selector is created by using the FilterList information from the condition thatrenegotiation does not occur untilmatched theseconds lifetime value has expired. refreshThresholdSecondstraffic parameters. This isnotcalled anegotiated parameter. NAME refreshThresholdKilobytes DESCRIPTION Specifies the percentage of expiration of an established SA's kilobyte lifetime at which to begin renegotiation of the SA. TYPE integer VALUE Valid values are inWide selector as it could for instance contain a IP subnet or range. 2 - The selector is created by using therange 1 to 100 inclusive. A valuetraffic parameters (i.e., the 5-tuple of100 means that renegotiation does not occur untilthekilobyte lifetime value has expired. refreshThresholdKilobytestraffic). This is called a Narrow selector. 6.9. The Class IPsecTransportAction The class IPsecTransportAction isnotanegotiated parameter.subclass of IPsecAction that is used to specify use of an IPsec transport mode security association. The class definition for IPsecTransportAction is as follows: NAMEminLifetimeSecondsIPsecTransportAction DESCRIPTION Specifiesthe minimum SA seconds lifetimethatwill be accepted from a peer while negotiatinganSA based upon this action.IPsec transport mode security association should be negotiated. DERIVED FROM IPsecAction ABSTRACT FALSE 6.10. ThepurposeClass IPsecTunnelAction The class IPsecTunnelAction is a subclass ofthis valueIPsecAction that is used toprevent denial-of-service attacks in which a peer can selectspecify use of anarbitrarily low seconds lifetime, causing the IKE server to perform renegotiations with correspondingly expensive Diffie-Hellman calculations.IPsec tunnel mode security association. The class definition for IPsecTunnelAction is as follows: Jason ExpiresSeptember 2000January 2001 [Page18]36] Internet Draft IPsec Configuration Policy ModelMarchJuly 2000TYPE unsigned 32-bit integer VALUE 0 - indicates that there is no minimum lifetime enforced. Any other value specifies a required minimum seconds lifetime. minLifetimeSeconds is not a negotiated parameter.NAMEminLifetimeKilobytesIPsecTunnelAction DESCRIPTION Specifiesthe minimum kilobyte lifetimethatwill be accepted from a negotiating peer while negotiatinganSA based upon this action.IPsec tunnel mode security association should be negotiated. DERIVED FROM IPsecAction ABSTRACT FALSE PROPERTIES PeerGateway DFHandling 6.10.1. ThepurposeProperty PeerGateway The property PeerGateway specifies the IP address or DNS name ofthis valuethe peer gateway. The property isto prevent denial-of-service attacks in which adefined as follows: NAME PeerGateway DESCRIPTION Specifies peercan select an arbitrarily low kilobyte lifetime, causing the IKE server to perform renegotiations with correspondingly expensive Diffie-Hellman calculations. TYPE unsigned 32-bit integergateway's IP address or DNS name. SYNTAX string VALUE0 - indicates that there is no minimum lifetime enforced. Any other value specifiesEither (1) IPv4 address in dotted quad format, (2) IPv6 address in ... format, or (3) arequired minimum kilobyte lifetime. minLifetimeKilobytesDNS name. 6.10.2. The Property DFHandling The property DFHandling specifies how the Don't Fragment (DF) bit should be managed by the tunnel. The property isnot a negotiated parameter.defined as follows: NAMEtrafficIdleTimeDFHandling DESCRIPTION Specifies theamount of time in seconds an SA, negotiated using the containing action object, may remain idle (in other words, no traffic protectedDF bit is managed by theSA) before it is deleted. TYPEtunnel. SYNTAX unsigned32-bit8-bit integer VALUE01 -thereDF bit isno idle time detection. In other words, the expiration of the SAcopied. 2 - DF bit issolely dependent upon the expiration of one of the lifetime values. Any other valueset. 3 - DF bit is cleared. 6.11. The Class IKEAction The class IKEAction specifies thenumber of seconds the SA may remain idle before it canparameters that are to beforcibly expired. trafficIdleTimeused for IKE phase 1 negotiation. The class definition for IKEAction isnot a negotiated parameter.as follows: NAMEProposalsIKEAction DESCRIPTION Specifiesa logically ORed set of proposals, ORDERED from most preferable to least prefereable, which are used duringthe IKE phase 1 negotiation parameters. DERIVED FROM SANegotiationAction ABSTRACT FALSE PROPERTIES RefreshThresholdDerivedKeys ExchangeMode UseIKEIdentityType 6.11.1. The Property RefreshThresholdDerivedKeys The property RefreshThresholdDerivedKeys specifies what percentage of theSA. If the action is an IKEAction, then the set will contain IKEProposal objects. If the action is an IPsecAction, thenderived key limit (see theset will contain IPsecProposal objects. A SecurityAssociationAction object will reference oneLifetimeDerivedKeys property of IKEProposal) can expire before IKE should attempt tomany SecurityAssociationProposal objects.renegotiate the IKE phase 1 security association. ASecurityAssociationProposal object MAYrandom value may bereferenced by zeroadded tomany SecurityAssociationAction objects. See section 9 for a description of the SecurityAssociationProposal and derived classes. 8.2. The Class IKEActionJason ExpiresSeptember 2000January 2001 [Page19]37] Internet Draft IPsec Configuration Policy ModelMarchJuly 2000IKEActionthe calculated threshold (percentage x derived key limit) to reduce the chance of both peers attempting to renegotiate at the same time. The property isa specializationdefined as follows: NAME RefreshThresholdKilobytes DESCRIPTION Specifies the percentage of derived key limit that has expired before theSecurityAssociationAction classIKE phase 1 security association is renegotiated. SYNTAX unsigned 8-bit integer VALUE A value between 1 andspecifies100 representing a percentage. A value of 100 indicates that theparameters unique to anIKEaction. It containsphase 1 security association should not be renegotiated until thefollowing attributes:derived key limit has been reached. 6.11.2. The Property ExchangeMode The property ExchangeMode specifies which IKE mode should be used for IKE phase 1 key negotiations. The property is defined as follows: NAMEexchangeModeExchangeMode DESCRIPTION Specifies the IKE negotiation modethat the IKE server will usefor phaseone. TYPE1. SYNTAX unsigned 16-bit integer VALUE 1 - base mode 2 - main mode 4 - aggressive modeNAME refreshThresholdDerivedKeys DESCRIPTION Specifies the percentage of expiration of an established IKE SA's derived keys lifetime at which to begin renegotiation of the SA. TYPE integer VALUE Valid values are in the range 1 to 100 inclusive. A value of 100 means that renegotiation does not occur until the derived key lifetime value has expired. refreshThresholdDerivedKeys is not a negotiated parameter. 8.3.6.11.3. TheClass IPsecAction IPsecAction is a specialization of the SecurityAssociationAction class andProperty UseIKEIdentityType The property UseIKEIdentityType specifiesthe parameters unique to an IPsec action. It contains the following attributes/references: NAME usePfs DESCRIPTION Specifies whether or not PFSwhat IKE identity type should be used when negotiating with thephase two IPsec SA. TYPE boolean VALUE true false NAME IPsecGroup DESCRIPTION If PFS should bepeer. This information is usedduringin conjunction the IKEphase two, this specifiesidentities available on theDiffie-Hellman group to use.system. TheDiffieHellmanGroup classproperty isdescribed in section 10. DEFAULT Since an IPsecAction object MAY optionally contain a IPsecGroup object, absence of one when using PFS indicates thatdefined as follows: NAME UseIKEIdentityType DESCRIPTION Specifies the IKEphase two negotiation shouldidentity to usethe same Diffie-Hellman group that was agreed uponduringthe IKE phase onenegotiation.8.4.SYNTAX unsigned 16-bit integer VALUE 1 - IPv4 Address 2 - FQDN 3 - User FQDN 4 - IPv4 Subnet 5 - IPv6 Address 6 - IPv6 Subnet 7 - IPv4 Address Range 8 - IPv6 Address Range 9 - DER-Encoded ASN.1 X.500 Distinguished Name 10 - DER-Encoded ASN.1 X.500 GeneralName 11 - Key ID 6.12. The Aggregation ClassIPsecTransportAction IPsecTransportAction is a specializationContainedProposal The class ContainedProposal associates an ordered list ofIPsecAction, but does not add any attributes. It is used to signify thatSAProposals with thephase two action will be forSANegotiationAction that contains it. If thenegotiation of an IPsec transport mode SA.Jason ExpiresSeptember 2000January 2001 [Page20]38] Internet Draft IPsec Configuration Policy ModelMarchJuly 20008.5. The Class IPsecTunnelAction IPsecTunnelAction is a specialization of IPsecAction thatreferenced SANegotiationAction object isused to signify thatan IKEAction, then thephase two action willreferenced SAProposal object must befor the negotiation ofanIPsec tunnel mode SA. It contains the following reference: NAME RemoteGateway DESCRIPTION The identity of the point where the tunnel terminates onIKEProposal. If theremote gateway. Note: since a particular IPsec policyreferenced SANegotiationAction object isdirectly associated with a particular interface in the system,an IPsecTransportAction or an IPsecTunnelAction, then thelocal gateway identity canreferenced SAProposal object must beimplicitly determined from this information. 8.6.an IPsecProposal. TheClass IPsecBypassAction IPsecBypassActionclass definition for ContainedProposal isa specializationas follows: NAME ContainedProposal DESCRIPTION Associates an ordered list ofIPsecAction, but does not add any attributes. It is usedSAProposals with an SANegotiationAction. ABSTRACT FALSE PROPERTIES GroupComponent[ref SANegotiationAction[0..n]] PartComponent[ref SAProposal[1..n]] SequenceNumber 6.12.1. The Reference GroupComponent The property GroupComponent contains an object reference tosignifyan SANegotiationAction thatthe traffic is tocontains one or more SAProposals. The [0..n] cardinality indicates that there may beallowedzero or more SANegotiationActions that contain any given SAProposal. 6.12.2. The Reference PartComponent The property PartComponent contains an object reference topass inan SAProposal contained by one or more SANegotiationActions. The [1..n] cardinality indicates that an SANegotiationAction MUST contain at least one SAProposal. 6.12.3. The Property SequenceNumber The property SequenceNumber specifies theclear. 8.6.order of preference for the SAProposals. TheClass IPsecDiscardAction IPsecDiscardActionproperty isa specializationdefined as follows: NAME SequenceNumber DESCRIPTION Specifies the preference order for the SAProposals. SYNTAX unsigned 16-bit integer VALUE Lower-valued proposals are preferred over proposals with higher values. If two proposals have the same SequenceNumber value, then the order ofIPsecAction, but does not add any attributes. Itpreference isused to signify that the traffic should be denied. 9. IKE andundefined. Jason Expires January 2001 [Page 39] Internet Draft IPsec Configuration Policy Model July 2000 7. Proposal and Transform ClassesAThe proposalcontainsand transform classes model thesecurity parameters thatproposal settings an IPsec device willbe useduse duringtheIKE phaseone1 andtwo2 negotiations.+-----------------------------+ | | |[SecurityAssociationProposal]|+--------------+ | [SAProposal] |+-----------------------------++--------------+ ^ |+---------------------------++----------------------+ | | +-------------++-----------+ | | | | |IPsecProposal| |IKEProposal|+---------------+ | IKEProposal | | IPsecProposal | +-------------++-----------+ * o * o |(a) |(b) n | 1 | +----------------+ +------------------+ | | | | |[IPsecTransform]| |DiffieHellmanGroup| | | | | +----------------+ +------------------+ Jason Expires September 2000 [Page 21] Internet Draft IPsec Configuration Policy Model March 2000 ^ | +-------------+------------------+ | | | +------------+ +-----------++---------------+ *o | (a) n| +---------------+ | [SATransform] | +---------------+ ^ | +--------------------+-----------+---------+ | ||ESPTransform| |AHTransform| |IPCompTransform|| +-------------+ +--------------+ +----------------+ | AHTransform | | ESPTransform | |IPCOMPTransform |+------------+ +-----------+ +---------------++-------------+ +--------------+ +----------------+ (a)Transforms (b) IkeDhGroup 9.1.ContainedTransform 7.1. The Abstract ClassSecurityAssociationProposalSAProposal TheSecurityAssociationProposalabstract classcontainsSAProposal serves as the base class for the IKE and IPsec proposal classes. It specifies the parameters that are commonbetweento the two proposal types. The class definition for SAProposal is as follows: NAME SAProposal DESCRIPTION Specifies the common proposal parameters for IKE and IPsecproposal classes. It containssecurity association negotiation. ABSTRACT TRUE PROPERTIES Name MaxLifetimeSeconds MaxLifetimeKilobytes 7.1.1. The Property Name The property Name specifies a user-friendly name for thefollowing attributes:SAProposal. The property is defined as follows: NAME Name DESCRIPTION Specifies a user-friendly name for this proposal. Jason Expires January 2001 [Page 40] Internet Draft IPsec Configuration Policy Model July 2000 SYNTAX string 7.1.2. The Property MaxLifetimeSeconds The property MaxLifetimeSeconds specifies the maximum amount of time, in seconds, to propose that a security association will remain valid after its creation. The property is defined as follows: NAME MaxLifetimeSeconds DESCRIPTION Specifies the maximum amount of time to propose a security association remain valid. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that the default of 8 hours be used. A non-zero value indicates the maximum seconds lifetime. 7.1.3. The Property MaxLifetimeKilobytes The property MaxLifetimeKilobytes specifies the maximum kilobyte lifetime to propose that a security association will remain valid after its creation. The property is defined as follows: NAMElifetimeSecondsMaxLifetimeKilobytes DESCRIPTION Specifies thesecondsmaximum kilobyte lifetimefor this particular proposal. This value is used when sending this proposaltothe negotiating peer. Additionally, it may be used, possibly in conjunction with the minimum seconds lifetime value, when selectingpropose aproposal from the negotiating peer. TYPEsecurity association remain valid. SYNTAX unsigned 32-bit integer VALUE0 -A value of zero indicates thatthe lifetimethere should be no maximum kilobyte lifetime. A non-zero valuedefaultsspecifies the desired kilobyte lifetime. 7.2. The Class IKEProposal The class IKEProposal specifies the proposal parameters necessary to8 hours (28,800 seconds).drive an IKE security association negotiation. The class definition for IKEProposal is as follows: NAMElifetimeKilobytesIKEProposal DESCRIPTION Specifies thekilobyte lifetimeproposal parameters forthis particular proposal. This value isIKE security association negotiation. DERIVED FROM SAProposal ABSTRACT FALSE PROPERTIES LifetimeDerivedKeys CipherAlgorithm HashAlgorithm PRFAlgorithm GroupId AuthenticationMethod 7.2.1. The Property LifetimeDerivedKeys The property LifetimeDerivedKeys specifies the number of times that a phase 1 key will be usedwhen sending this proposalto derive a phase 2 key before thenegotiating peer. Additionally,phase 1 security association needs renegotiated. Even though this is not Jason Expires January 2001 [Page 41] Internet Draft IPsec Configuration Policy Model July 2000 a parameter that is sent in an IKE proposal, it is included in the proposal as the number of keys derived may beused, possiblya result of the strength of the algorithms inconjunction withtheminimum kilobyte lifetime value, when selecting a proposalIKE propsoal. The property is defined as follows: NAME LifetimeDerivedKeys DESCRIPTION Specifies the number of phase 2 keys that can be derived from thenegotiating peer. TYPEphase 1 key. SYNTAX unsigned 32-bit integer VALUE0 -A value of zero indicates that there is nokilobyte lifetime. 9.2. The Class IKEProposal IKEProposal is a specializationlimit to the number of phase 2 keys which may be derived from theSecurityAssociationProposal class andphase 1 key; instead the seconds and/or kilobytes lifetime will dictate the phase 1 rekeying. A non-zero value specifies theparameters unique tonumber of phase 2 keys that can be derived from theIKE proposal. It containsphase 1 key. 7.2.2. The Property CipherAlgorithm The property CipherAlgorithm specifies thefollowing attributes/references:proposed phase 1 security association encryption algorithm. The property is defined as follows: NAMEcipherAlgorithmCipherAlgorithm DESCRIPTION Specifies the proposed encryption algorithm for theIKE server will propose. TYPEphase 1 security association. SYNTAX unsigned 16-bit integer VALUE 1 - DES-CBC 2 - IDEA-CBC 3 - Blowfish-CBCJason Expires September 2000 [Page 22] Internet Draft IPsec Configuration Policy Model March 20004 - RC5-R16-B64-CBC 5 - 3DES-CBC 6 - CAST-CBC 7.2.3. The Property HashAlgorithm The property HashAlgorithm specifies the proposed phase 1 security assocation hash algorithm. The property is defined as follows: NAMEhashAlgorithmHashAlgorithm DESCRIPTION Specifies the proposed hash algorithm for theIKE server will propose. TYPEphase 1 security association. SYNTAX unsigned 16-bit integer VALUE 1 - MD5 2 - SHA-1 3 - Tiger 7.2.4. The Property PRFAlgorithm The property PRFAlgorithm specifies the proposed phase 1 security association psuedo-random function. The property is defined as follows: NAME PRFAlgorithm Jason Expires January 2001 [Page 42] Internet Draft IPsec Configuration Policy Model July 2000 DESCRIPTION Specifies the proposed psuedo-random function for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE Currently none defined. 7.2.5. The Property GroupId The property GroupId specifies the proposed phase 1 security assocation Diffie-Hellman group. The property is defined as follows: NAME GroupId DESCRIPTION Specifies the proposed Diffie-Hellman group for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE 1 - 768-bit MODP group 2 - 1024-bit MODP group 3 - EC2N group on GP[2^155] 4 - EC2N group on GP[2^185] 5 - 1536-bit MODP group 7.2.6. The Property AuthenticationMethod The property AuthenticationMethod specifies the proposed phase 1 authentication method. The property is defined as follows: NAMEauthenticationMethodAuthenticationMethod DESCRIPTION Specifies the proposed authentication method for theIKE server will propose. TYPEphase 1 security association. SYNTAX unsigned 16-bit integer VALUE 0 - a special value which indicates that this particular proposal should be repeated once for each authentication method that corresponds to the credentials installed on the machine. For example, if the system has a pre-shared key and a certificate, a proposal list could be constructed which includes a proposal that specifies pre-shared key and proposals for any of the public-key authentication methods. 1 -Preshared KeyPre-shared key 2 - DSSSignaturessignatures 3 - RSASignaturessignatures 4 -RSAEncryption with RSA 5 - Revised encryption with RSAEncryption6 -El-Gamal Encryption 7 - Revised El-Gamal Encyrption 65001 -Kerberos (has this number been assigned???) 7.3. The Class IPsecProposal The class IPsecProposal adds no new properties, but inherits proposal propoerties from SAProposal as well as aggregating the security association transforms necessary for building an IPsec proposal (see the aggregation class ContainedTransform). The class definition for IPsecProposal is as follows: Jason Expires January 2001 [Page 43] Internet Draft IPsec Configuration Policy Model July 2000 NAMElifetimeDerivedKeysIPsecProposal DESCRIPTION Specifies thenumber of timesproposal parameters for IPsec security association negotiation. DERIVED FROM SAProposal ABSTRACT FALSE 7.4. The Abstract Class SATransform The abstract class SATransform serves as theIKE phase one key may be used to derive an IKE phase two key. TYPE unsigned 32-bit integer VALUE 0 - indicates thatbase class for thenumber of times a IKE phase one key mayIPsec transforms that can be used toderivecompose anIKE phase two keyIPsec proposal. The class definition for SATransform islimited byas follows: NAME SATransform DESCRIPTION Base class for theseconds and/or kilobyte lifetimes. lifetimeDerivedKeys is notdifferent IPsec transforms. ABSTRACT TRUE PROPERTIES Name VendorID 7.4.1. The Property Name The property Name specifies anegotiated parameter. Although this value is not negotiated, it is included withuser-friendly name for theproposal informationSATransform. The property is defined as follows: NAME Name DESCRIPTION Specifies a user-friendly name for this transform. SYNTAX string 7.4.1. The Property VendorID The property VendorID specifies thevaluevendor ID for vendor-defined transforms. The property isdependent upon the strength of the security parameters in the proposal.defined as follows: NAMEprfAlgorithmVendorID DESCRIPTION Specifies thePsuedo-Random Function (PRF) the IKE server will propose. TYPE unsigned 16-bit integervendor ID for vendor-defined transforms. SYNTAX string VALUEAt this time, there are no negotiable PRFs defined.An empty VendorID string indicates that the transform is one of the previously-defined ones. 7.5. The Class AHTransform The class AHTransform specifies the AH algorithm to propose during IPsec security association negotiation. The class definition for AHTransform is as follows: NAMEIkeDhGroupAHTransform DESCRIPTION Specifies theDiffie-Hellman group thatAH algorithm to propose. ABSTRACT FALSE PROPERTIES AHTransformId 7.5.1. The Property AHTransformId The property AHTransformId specifies theIKE server willtransform ID of the AH algorithm to propose. TheDiffieHellmanGroup classproperty is definedin section 10. 9.3. The Class IPsecProposalas follows: Jason ExpiresSeptember 2000January 2001 [Page23]44] Internet Draft IPsec Configuration Policy ModelMarchJuly 2000IPsecProposal is a specialization of the SecurityAssociationProposal class and specifies the parameters unique to the IPsec proposal. It contains the following reference:NAMETransformsAHTransformId DESCRIPTION Specifiesa set of IPsecTransform objects that represent the Encapsulating Security Payload (ESP), Authentication Header (AH), and IP Payload Compression Protocol (IPComp) parameters that are to used to create an IPsec proposal. Transforms of the same type are to be grouped together and logically ORed andtheorder of the transforms of the same type MUST be preserved. Thetransformgroups are to be logically ANDed. For example, if the proposal had the following setID oftransforms {ESP=DES,AH=MD5,ESP=3-DES,ESP=RC5,AH=SHA-1},theproposal would be ((ESP = DES or 3-DES or RC5) and (AH =AH algorithm. SYNTAX unsigned 16-bit integer VALUE 2 - MD5or SHA-1)). An IPsecProposal object MAY reference one to many IPsecTransform objects. An IPsecTransform object MAY be referenced by zero to many IPsecProposal objects. 9.4.3 - SHA-1 4 - DES 7.6. The ClassIPsecTransformESPTransform TheIPsecTransformclasscontains no properties and exists only for the purpose of modelingESPTransform specifies theis-a-kind-of relationship forESP algorithms to propose during IPsectransforms. For example, an ESPTransform is a kind of IPsecTransform. 9.5.security association negotiation. TheClass ESPTransformclass definition for ESPTransform isa specialization of an IPsecTransform. It specifiesas follows: NAME ESPTransform DESCRIPTION Specifies theparameters for one IPSecESP algorithms to propose. ABSTRACT FALSE PROPERTIES IntegrityTransformId CipherTransformId CipherKeyLength CipherKeyRounds 7.6.1. The Property IntegrityTransformId The property IntegrityTransformId specifies the transformwithin an IPsec proposal. It containsID of thefollowing attributes:ESP integrity algorithm to propose. The property is defined as follows: NAMEintegrityTransformIdIntegrityTransformId DESCRIPTION Specifies the transform ID of the ESP integrityalgorithm to propose. TYPEalgorithm. SYNTAX unsigned 16-bit integer VALUE 0 - None 1 -HMAC MD5HMAC-MD5 2 -HMAC SHA-1HMAC-SHA 3 -HMAC DESDES-MAC 4 - KPDKNAME cipherTransformId DESCRIPTION Specifies7.6.2. The Property CipherTransformId The property CipherTransformId specifies the transform ID of the ESPcipher/encryptionencryption algorithm to propose.TYPEThe property is defined as follows: NAME CipherTransformId DESCRIPTION Specifies the transform ID of the ESP encryption algorithm. SYNTAX unsigned 16-bit integer VALUE 1 - DES IV64 2 - DES 3 -3-DES3DES 4 - RC5 5 - IDEA6 - CAST 7 - BlowfishJason ExpiresSeptember 2000January 2001 [Page24]45] Internet Draft IPsec Configuration Policy ModelMarchJuly 2000 6 - CAST 7 - Blowfish 8 -3-IDEA3IDEA 9 - DES IV32 10 - RC4 11 - NULLNAME cipherKeyRounds DESCRIPTION Specifies7.6.3. The Property CipherKeyLength The property CipherKeyLength specifies, in bits, thenumber ofkeyroundslength for the ESPcipher algorithm specified by the attribute cipherTransformId. TYPE unsigned 16-bit integer VALUE Atencryption algorithm. For encryption algorithms which use fixed-length keys, thistime, there are no cipher key roundsvalue is ignored. The property is definedfor any IPsec ESP algorithms.as follows: NAMEcipherKeyLengthCipherKeyLength DESCRIPTION Specifies thelength of theESPcipher key, in bits. If cipherTansformId specifies a cipher with a fixed- length key, cipherKeyLength is ignored. TYPE unsigned 16-bit integer VALUE 0 - the cipher algorithm specified by the cipherTransformId attribute implies the key length. Any other value specifies aencryption keylength,length in bits.9.6. The Class AHTransform AHTransform is a specialization of an IPsecTransform. It specifies the parameters for one AH transform within an IPsec proposal. It contains the following property: NAME transformId DESCRIPTION Specifies the AH hash algorithm to propose. TYPESYNTAX unsigned 16-bit integerVALUE 2 - MD5 3 - SHA-1 4 - DES 9.7.7.6.4. TheClass IPCompTransform IPCompTransform is a specialization of an IPsecTransform. ItProperty CipherKeyRounds The property CipherKeyRounds specifies theparameters for one IPComp transform within an IPsec proposal. It contains the following properties: NAME algorithm DESCRIPTION Specifies the IPComp compression algorithm to propose. TYPE unsigned 16-bit integer VALUE 1 - OUI (privateAlgorithm MUST contain a valid value) 2 - Deflate 3 - LZS NAME dictionarySize DESCRIPTION Specifies the dictionary sizenumber of key rounds for thecompressionESP encryption algorithm.TYPE unsigned 16-bit integer VALUE 0 - the compression algorithm specified by the algorithm attribute dictates the dictionary size. Jason Expires September 2000 [Page 25] Internet Draft IPsec Configuration Policy Model March 2000 Any other valueThe property isto be interpreted indefined as follows: NAME CipherKeyRounds DESCRIPTION Specifies thecontextnumber of key rounds for thecompressionESP encryption algorithm. SYNTAX unsigned 16-bit integer VALUE Currently, key rounds are not defined for any ESP encryption algorithms. 7.7. The Class IPCOMPTransform The class IPCOMPTransform specifies the IP compression (IPCOMP) algorithm to propose during IPsec security association negotiation. The class definition for IPCOMPTransform is as follows: NAMEprivateAlgorithmIPCOMPTransform DESCRIPTIONIfSpecifies the IPCOMP algorithmattributeto propose. ABSTRACT FALSE PROPERTIES Algorithm DictionarySize PrivateAlgorithm 7.7.1. The Property Algorithm The property Algorithm specifies theuse of a proprietary compressiontransform(OUI = 1), then this specifiesID of thespecific vendorIPCOMP compression algorithmthat will be used. Otherwise, this value is ignored. TYPE unsigned 32-bit integer 10. Diffie-Hellman Classes The Diffie-Hellman classes are usedtodefinepropose. The property is defined as follows: NAME Algorithm DESCRIPTION Specifies theDiffie-Hellman attributes that are used during phase one (and possibly phase two)transform ID of theIKE negotiation. +------------------+ | | |DiffieHellmanGroup| | | +------------------+ * o (a) | {1} 0..1 | +--------------+ | | |[NewGroupInfo]| | | +--------------+ ^ | +----------------+----------------+ | | +----------------+ +----------------+ | | | | |NewMODPGroupInfo| |[NewECGroupInfo]| | | | | +----------------+ +----------------+ ^ | +-----------+----------+ | | +----------------+ +---------------+ | | | | |NewEC2NGroupInfo| |NewECPGroupInfo| | | | | +----------------+ +---------------+ (a) ExplicitGroupInfo {1} If the Diffie-Hellman Group is a well-known group (or previously agreed upon private group), then the NewGroupInfo object doesn't exist (or is ignored).IPCOMP compression algorithm. SYNTAX unsigned 16-bit integer Jason ExpiresSeptember 2000January 2001 [Page26]46] Internet Draft IPsec Configuration Policy ModelMarchJuly 200010.1. The Class DiffieHellmanGroup DiffieHellmanGroup describes the specific Diffie-Hellman Group that will be proposed. It contains the following properties: NAME groupDescription DESCRIPTION Specifies the Diffie-Hellman Group to propose. TYPE unsigned 16-bit integerVALUE 1 -768-bit MODP groupOUI (the property PrivateAlgorithm will contain the vendor-specific algorithm to use) 2 -1024-bit MODP groupDEFLATE 3 -EC2N group on GP[2^155]LZS 4 -EC2N group on GP[2^185] 5 - 1536-bit MODP groupV42BIS (has this number been assigned ???) 7.7.2. The Property DictionarySize The property DictionarySize specifies the log2 maximum size of the diction for the compression algorithm. For compression algorithms that have pre-defined dictionary sizes, this value is ignores. The property is defined as follows: NAMEExplicitGroupInfoDictionarySize DESCRIPTION SpecifiesDiffie-Hellman Group information if groupDescription is not onethe log2 maximum size of thewell-known values ordictionary. SYNTAX unsigned 16-bit integer 7.7.3. The Property PrivateAlgorithm The property PrivateAlgorithm specifies apreviously agreed uponprivategroup. If groupDescriptionvendor-specific compression algorithm. This value isone ofonly used when thewell-known values orproperty Algorithm is 1 (OUI). The property is defined as follows: NAME PrivateAlgorithm DESCRIPTION Specifies apreviously agreed uponprivategroup, the NewGroupInfo object will not exist or it is ignored. 10.2.vendor-specific compression algorithm. SYNTAX unsigned 32-bit integer 7.8. The Aggregation ClassNewGroupInfo NewGroupInfo is the abstract base class for the concrete new group information classes.ContainedTransform Thespecific derivedclassimpliesContainedTransform associates an IPsecProposal with thegroup type value. 10.3. The Class NewMODPGroupInfo NewMODPGroupInfo specifiesset of SATransforms that make up theDiffie-Hellman group information forproposal. If multiple tranforms of the same type are in aMODP group thatproposal, then they are to be logically ORed and the order of preference isproposed during new group mode. It containsdictated by thefollowing properties: NAME prime DESCRIPTION SpecifiesSequenceNumber property. Sets of transforms of different types are logically ANDed. For example, if theprime forproposal list were ESP = { (HMAC-MD5, DES), (HMAC-MD5, 3DES) } AH = { MD5, SHA-1 } then theMODP group. TYPE byte stringone sending the proposal wants the other side to pick one from the ESP transform list AND one from the AH transform list. The class definition for ContainedProposal is as follows: NAMEgeneratorContainedTransform DESCRIPTIONSpecifiesAssociates an IPsecProposal with thegenerator forset of SATransforms that make up theMODP group. TYPE byte string 10.4.proposal. ABSTRACT FALSE PROPERTIES GroupComponent[ref IPsecProposal[0..n]] PartComponent[ref SATransform[1..n]] SequenceNumber Jason Expires January 2001 [Page 47] Internet Draft IPsec Configuration Policy Model July 2000 7.8.1. TheClass NewECGroupInfo NewECGroupInfo isReference GroupComponent The property GroupComponent contains anabstract classobject reference to an IPsecProposal that contains one or more SATransforms. The [0..n] cardinality indicates that there may be zero or more IPsecProposals that contain any given SATransform. 7.8.2. The Reference PartComponent The property PartComponent contains an object reference to an SATransform contained by one or more IPsecProposals. The [1..n] cardinality indicates thatspecifies the Diffie- Hellman group information foranelliptic curve group that is proposed during new group mode. It contains the following properties: NAME polynomial DESCRIPTION SpecifiesIPsecPropsal MUST contain at least one SATransform. 7.8.3. The Property SequenceNumber The property SequenceNumber specifies thepolynomialorder of preference for theelliptic curve group. TYPE byte string Jason Expires September 2000 [Page 27] Internet Draft IPsec Configuration Policy Model March 2000 NAME fieldSize DESCRIPTION Specifies the field size forSATransforms of theelliptic curve group. TYPE unsigned 32-bit integersame type. The property is defined as follows: NAMEorderSequenceNumber DESCRIPTION Specifies the preference order for theelliptic curve group. TYPESATransforms of the same type. SYNTAX unsigned32-bit16-bit integerNAME generatorOne DESCRIPTION Specifies generator one forVALUE Lower-valued transforms are preferred over transforms of theelliptic curve group. TYPE byte string NAME generatorTwo DESCRIPTION Specifies generatorsame type with higher values. If twofor the elliptic curve group. TYPE byte string NAME curveA DESCRIPTION Specifies curve A fortransforms of theelliptic curve group. TYPE byte string NAME curveB DESCRIPTION Specifies curve B forsame type have theelliptic curve group. TYPE byte string 10.5. The Class NewEC2NGroupInfo NewEC2NGroupInfo is a class that represents a new EC2N group. It contains no properties and exists only to implysame SequenceNumber value, then thegroup type. 10.6. The Class NewECPGroupInfo NewECPGroupInfoorder of preference isa class that represents a new ECP group. It contains no properties and exists only to imply the group type. 11.undefined. 8. Security Considerations This document describes a schema for IPsec policy. It does not detail security requirements for storage or delivery of said schema. Storage and delivery security requirements should be detailed in a comprehensive security policy architecture document.12.9. Intellectual Property The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11.Jason Expires September 2000 [Page 28] Internet Draft IPsec Configuration Policy Model March 2000Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat. Jason Expires January 2001 [Page 48] Internet Draft IPsec Configuration Policy Model July 2000 The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.13.10. Acknowledgments The author would like to thank Mike Jeronimo, Ylian Saint-Hilaire, Vic Lortz, and William Dixon for their contributions to this IPsec policy model. Additionally, this draft would not have been possible without the preceding IPsec schema drafts. For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan.14.11. References[1][IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.[2][COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998.[3][ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.[4][AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.[5][PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core Information Model -- Version 1 Specification", draft-ietf-policy- core-infor-model-06.txt, May 2000. Internet-Draft work in progress. [DOI] Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.[6][LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.[7][COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000. Internet-Draft work in progress.[8][COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for Policy Provisioning", draft-ietf-rap-pr-02.txt, March 2000. Internet-Draft work in progress. [SPSL] Condell, M., and C. Lynn, J. Zao, "Security Policy Specification Language",draft-ietf-ipsec-spsl-01.txt, July 1999.draft-ietf-ipsp-spsl-00.txt, March 2000. Internet-Draft work in progress.[9]Jason Expires January 2001 [Page 49] Internet Draft IPsec Configuration Policy Model July 2000 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.Jason Expires September 2000 [Page 29] Internet Draft IPsec Configuration Policy Model March 2000 15.12. Disclaimer The views and specification herein are those of the authors and are not necessarily those of their employer. The authors and their employer specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this specification.16.13. Author's Address Jamie Jason Intel Corporation MS JF3-206 2111 NE 25th Ave. Hillsboro, OR 97124 Phone: +1-503-264-9531 Fax: +1-503-264-9428 E-Mail: jamie.jason@intel.com17.14. Full Copyright Statement Copyright (C) The Internet Society (1999). All Rights Reserved. This document and translations of it maybe copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other then English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Jason ExpiresSeptember 2000January 2001 [Page30]50] ----