Internet Engineering Task Force                              Jamie Jason
INTERNET DRAFT                                         Intel Corporation
1-March-2001                                                 Lee Rafalow
                                                                     IBM
                                                             Eric Vyncke
                                                           Cisco Systems

                    IPsec Configuration Policy Model
               draft-ietf-ipsp-config-policy-model-02.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document presents an object-oriented model of IPsec policy
   designed to:

   o facilitate agreement about the content and semantics of IPsec
     policy

   o enable derivations of task-specific representations of IPsec policy
     such as storage schema, distribution representations, and policy
     specification languages used to configure IPsec-enabled endpoints

   The schema described in this document models the IKE phase one
   parameters as described in [IKE] and the IKE phase two parameters for
   the IPsec Domain of Interpretation as described in [COMP, ESP, AH,
   DOI].
   It is based upon the core policy classes as defined in the Policy
   Core Information Model (PCIM) [PCIM].

Jason, et al                                                    [Page 1]

Internet Draft          IPsec Configuration Policy Model      March 2001

Table of Contents

   Status of this Memo................................................1
   Abstract...........................................................1
   Table of Contents..................................................2
   1. Introduction....................................................7
   2. UML Conventions.................................................7
   3. IPsec Policy Model Inheritance Hierarchy........................8
   4. Policy Classes.................................................13
   4.1. The Class IPsecPolicyGroup...................................14
   4.2. The Class SARule.............................................14
   4.2.1. The Property LimitNegotiation..............................14
   4.3. The Class IKERule............................................15
   4.3.1. The Property IdentityContexts..............................15
   4.4. The Class IPsecRule..........................................16
   4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup..........16
   4.5.1. The Reference GroupComponent...............................17
   4.5.2. The Reference PartComponent................................17
   4.5.3. The Property GroupPriority.................................17
   4.6. The Association Class IPsecPolicyForEndpoint.................17
   4.6.1. The Reference Antecedent...................................18
   4.6.2. The Reference Dependent....................................18
   4.7. The Association Class IPsecPolicyForSystem...................18
   4.7.1. The Reference Antecedent...................................18
   4.7.2. The Reference Dependent....................................18
   4.8. The Aggregation Class RuleForIKENegotiation..................19
   4.8.1. The Reference GroupComponent...............................19
   4.8.2. The Reference PartComponent................................19
   4.9. The Aggregation Class RuleForIPsecNegotiation................19
   4.9.1. The Reference GroupComponent...............................19
   4.9.2. The Reference PartComponent................................20
   4.10. The Aggregation Class SAConditionInRule.....................20
   4.10.1. The Reference GroupComponent..............................20
   4.10.2. The Reference PartComponent...............................20
   4.11. The Aggregation Class SAActionInRule........................20
   4.11.1. The Reference GroupComponent..............................21
   4.11.2. The Reference PartComponent...............................21
   4.11.3. The Property ActionOrder..................................21
   5. Condition and Filter Classes...................................22
   5.1. The Class SACondition........................................22
   5.2. The Class FilterEntry........................................23
   5.3. The Class CredentialFilterEntry..............................23
   5.3.1. The Property MatchFieldName................................24
   5.3.2. The Property MatchFieldValue...............................24
   5.3.3. The Property CredentialType................................24
   5.4. The Class IPSOFilterEntry....................................24
   5.4.1. The Property MatchConditionType............................25
   5.4.2. The Property MatchConditionValue...........................25
   5.5. The Class PeerIDPayloadFilterEntry...........................25
   5.5.1. The Property MatchIdentityType.............................26
   5.5.2. The Property MatchIdentityValue............................26
   5.6. The Association Class FilterOfSACondition....................27
   5.6.1. The Reference Antecedent...................................27
   5.6.2. The Reference Dependent....................................27
   5.7. The Association Class AcceptCredentialFrom...................27
   5.7.1. The Reference Antecedent...................................28
   5.7.2. The Reference Dependent....................................28
   6. Action Classes.................................................29
   6.1. The Class SAAction...........................................30
   6.1.1. The Property DoActionLogging...............................30
   6.1.2. The Property DoPacketLogging...............................30
   6.2. The Class SAStaticAction.....................................31
   6.2.1. The Property LifetimeSeconds...............................31
   6.3. The Class IPsecBypassAction..................................31
   6.4. The Class IPsecDiscardAction.................................31
   6.5. The Class IKERejectAction....................................32
   6.6. The Class PreconfiguredSAAction..............................32
   6.6.1. The Property LifetimeKilobytes.............................33
   6.7. The Class PreconfiguredTransportAction.......................33
   6.8. The Class PreconfiguredTunnelAction..........................33
   6.8.1. The Property PeerGatewayAddressType........................33
   6.8.2. The Property PeerGatewayAddress............................34
   6.8.3. The Property DFHandling....................................34
   6.9. The Class SANegotiationAction................................34
   6.9.1. The Property MinLifetimeSeconds............................35
   6.9.2. The Property MinLifetimeKilobytes..........................35
   6.9.3. The Property RefreshThresholdSeconds.......................35
   6.9.4. The Property RefreshThresholdKilobytes.....................36
   6.9.5. The Property IdleDurationSeconds...........................36
   6.10. The Class IPsecAction.......................................36
   6.10.1. The Property UsePFS.......................................37
   6.10.2. The Property UseIKEGroup..................................37
   6.10.3. The Property GroupId......................................37
   6.10.4. The Property Granularity..................................38
   6.10.5. The Property VendorID.....................................38
   6.11. The Class IPsecTransportAction..............................38
   6.12. The Class IPsecTunnelAction.................................38
   6.12.1. The Property DFHandling...................................39
   6.13. The Class IKEAction.........................................39
   6.13.1. The Property RefreshThresholdDerivedKeys..................39
   6.13.2. The Property ExchangeMode.................................40
   6.13.3. The Property UseIKEIdentityType...........................40
   6.13.4. The Property VendorID.....................................40
   6.13.5. The Property AggressiveModeGroupId........................41
   6.14. The Class PeerGateway.......................................41
   6.14.1. The Property Name.........................................41
   6.14.2. The Property PeerIdentityType.............................41
   6.14.3. The Property PeerIdentity.................................42
   6.15. The Association Class PeerGatewayForTunnel..................42
   6.15.1. The Reference Antecedent..................................42
   6.15.2. The Reference Dependent...................................43
   6.15.3. The Property SequenceNumber...............................43
   6.16. The Aggregation Class ContainedProposal.....................43
   6.16.1. The Reference GroupComponent..............................43
   6.16.2. The Reference PartComponent...............................44
   6.16.3. The Property SequenceNumber...............................44
   6.17. The Association Class HostedPeerGatewayInformation..........44
   6.17.1. The Reference Antecedent..................................44
   6.17.2. The Reference Dependent...................................44
   6.18. The Association Class TransformOfPreconfiguredAction........44
   6.18.1. The Reference Antecedent..................................45
   6.18.2. The Reference Dependent...................................45
   6.18.3. The Property SPI..........................................45
   7. Proposal and Transform Classes.................................46
   7.1. The Abstract Class SAProposal................................46
   7.1.1. The Property Name..........................................46
   7.2. The Class IKEProposal........................................47
   7.2.1. The Property LifetimeDerivedKeys...........................47
   7.2.2. The Property CipherAlgorithm...............................47
   7.2.3. The Property HashAlgorithm.................................48
   7.2.4. The Property PRFAlgorithm..................................48
   7.2.5. The Property GroupId.......................................48
   7.2.6. The Property AuthenticationMethod..........................48
   7.2.7. The Property MaxLifetimeSeconds............................49
   7.2.8. The Property MaxLifetimeKilobytes..........................49
   7.2.9. The Property VendorID......................................49
   7.3. The Class IPsecProposal......................................49
   7.4. The Abstract Class SATransform...............................50
   7.4.1. The Property TransformName.................................50
   7.4.2. The Property VendorID......................................50
   7.4.3. The Property MaxLifetimeSeconds............................50
   7.4.4. The Property MaxLifetimeKilobytes..........................51
   7.5. The Class AHTransform........................................51
   7.5.1. The Property AHTransformId.................................51
   7.5.2. The Property UseReplayPrevention...........................51
   7.5.3. The Property ReplayPreventionWindowSize....................52
   7.6. The Class ESPTransform.......................................52
   7.6.1. The Property IntegrityTransformId..........................52
   7.6.2. The Property CipherTransformId.............................52
   7.6.3. The Property CipherKeyLength...............................53
   7.6.4. The Property CipherKeyRounds...............................53
   7.6.5. The Property UseReplayPrevention...........................53
   7.6.6. The Property ReplayPreventionWindowSize....................53
   7.7. The Class IPCOMPTransform....................................54
   7.7.1. The Property Algorithm.....................................54
   7.7.2. The Property DictionarySize................................54
   7.7.3. The Property PrivateAlgorithm..............................54
   7.8. The Association Class SAProposalInSystem.....................54
   7.8.1. The Reference Antecedent...................................55
   7.8.2. The Reference Dependent....................................55
   7.9. The Aggregation Class ContainedTransform.....................55
   7.9.1. The Reference GroupComponent...............................55
   7.9.2. The Reference PartComponent................................56
   7.9.3. The Property SequenceNumber................................56
   7.10. The Association Class SATransformInSystem...................56
   7.10.1. The Reference Antecedent..................................56
   7.10.2. The Reference Dependent...................................56
   8. IKE Service and Identity Classes...............................58
   8.1. The Class IKEService.........................................59
   8.2. The Class PeerIdentityTable..................................59
   8.2.1. The Property Name..........................................59
   8.3. The Class PeerIdentityEntry..................................60
   8.3.1. The Property PeerIdentity..................................60
   8.3.2. The Property PeerIdentityType..............................60
   8.3.3. The Property PeerAddress...................................60
   8.3.4. The Property PeerAddressType...............................60
   8.4. The Class AutostartIKEConfiguration..........................61
   8.5. The Class AutostartIKESetting................................61
   8.5.1. The Property Phase1Only....................................61
   8.5.2. The Property AddressType...................................62
   8.5.3. The Property SourceAddress.................................62
   8.5.4. The Property SourcePort....................................62
   8.5.5. The Property DestinationAddress............................62
   8.5.6. The Property DestinationPort...............................63
   8.5.7. The Property Protocol......................................63
   8.6. The Class IKEIdentity........................................63
   8.6.1. The Property IdentityType..................................64
   8.6.2. The Property IdentityValue.................................64
   8.6.3. The Property IdentityContexts..............................64
   8.7. The Association Class HostedPeerIdentityTable................65
   8.7.1. The Reference Antecedent...................................65
   8.7.2. The Reference Dependent....................................65
   8.8. The Aggregation Class PeerIdentityMember.....................65
   8.8.1. The Reference Collection...................................65
   8.8.2. The Reference Member.......................................66
   8.9. The Association Class IKEServicePeerGateway..................66
   8.9.1. The Reference Antecedent...................................66
   8.9.2. The Reference Dependent....................................66
   8.10. The Association Class IKEServicePeerIdentityTable...........66
   8.10.1. The Reference Antecedent..................................67
   8.10.2. The Reference Dependent...................................67
   8.11. The Association Class IKEAutostartSetting...................67
   8.11.1. The Reference Element.....................................67
   8.11.2. The Reference Setting.....................................67
   8.12. The Aggregation Class AutostartIKESettingContext............67
   8.12.1. The Reference Context.....................................68
   8.12.2. The Reference Setting.....................................68
   8.12.3. The Property SequenceNumber...............................68
   8.13. The Association Class IKEServiceForEndpoint.................68
   8.13.1. The Reference Antecedent..................................69
   8.13.2. The Reference Dependent...................................69
   8.14. The Association Class IKEAutostartConfiguration.............69
   8.14.1. The Reference Antecedent..................................69
   8.14.2. The Reference Dependent...................................69
   8.14.3. The Property Active.......................................69
   8.15. The Association Class IKEUsesCredentialManagementService....70
   8.15.1. The Reference Antecedent..................................70
   8.15.2. The Reference Dependent...................................70
   8.16. The Association Class EndpointHasLocalIKEIdentity...........70
   8.16.1. The Reference Antecedent..................................71
   8.16.2. The Reference Dependent...................................71
   8.17. The Association Class CollectionHasLocalIKEIdentity.........71
   8.17.1. The Reference Antecedent..................................71
   8.17.2. The Reference Dependent...................................71
   8.18. The Association Class IKEIdentitysCredential................72
   8.18.1. The Reference Antecedent..................................72
   8.18.2. The Reference Dependent...................................72
   9. Security Considerations........................................72
   10. Intellectual Property.........................................72
   11. Acknowledgments...............................................73
   12. References....................................................73
   13. Disclaimer....................................................74
   14. Authors' Addresses............................................74
   15. Full Copyright Statement......................................74
   Appendix A (DMTF Core Model MOF)..................................75
   Appendix B (DMTF User Model MOF)..................................90
   Appendix C (DMTF Network Model MOF)..............................105

1. Introduction

   Internet Protocol security (IPsec) policy may assume a variety of
   forms as it travels from storage to distribution point to decision
   point. At each step, it needs to be represented in a way that is
   convenient for the current task.
   For example, the policy could exist as, but is not limited to:

   o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in a
     directory

   o an on-the-wire representation over a transport protocol like the
     Common Object Policy Service (COPS) [COPS, COPSPR]

   o a text-based policy specification language [SPSL] suitable for
     editing by an administrator

   o an Extensible Markup Language (XML) document

   Each of these task-specific representations should be derived from a
   canonical representation that precisely specifies the content and
   semantics of the IPsec policy. The purpose of this document is to
   abstract IPsec policy into a task-independent representation that is
   not constrained by any particular task-dependent representation.

   This document is organized as follows:

   o Section 2 provides a quick introduction to the Unified Modeling
     Language (UML) graphical notation conventions used in this
     document.

   o Section 3 provides the inheritance hierarchy that describes where
     the IPsec policy classes fit into the policy class hierarchy
     already defined by the Policy Core Information Model (PCIM).

   o The remainder of the document describes the classes that make up
     the IPsec policy model.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

   For this document, a UML static class diagram was chosen as the
   canonical representation for the IPsec policy model. The reason
   behind this decision is that UML provides a graphical,
   task-independent way to model systems. A treatise on the graphical
   notation used in UML is beyond the scope of this paper. However,
   given the use of ASCII drawing for UML static class diagrams, a
   description of the notational conventions used in this document is
   in order:

   o Boxes represent classes, with class names in brackets ([])
     representing an abstract class.

   o A line that terminates with an arrow (<, >, ^, v) denotes
     inheritance. The arrow always points to the parent class.
     Inheritance can also be called generalization or specialization
     (depending upon the reference point). A base class is a
     generalization of a derived class, and a derived class is a
     specialization of a base class.

   o Associations are used to model a relationship between two classes.
     Classes that share an association are connected using a line. A
     special kind of association is also used: an aggregation. An
     aggregation models a whole-part relationship between two classes.
     Associations, and therefore aggregations, can also be modeled as
     classes.

   o A line that begins with an "o" denotes aggregation. Aggregation
     denotes containment in which the contained class and the
     containing class have independent lifetimes.

   o Next to a line representing an association appears a cardinality.
     Cardinalities indicate the constraints on the number of object
     instances in a set of relationships. Every association instance
     has a single set of references. The cardinality indicates the
     number of instances that may refer to a given object instance. The
     cardinality may be:

     - a range in the form "lower bound..upper bound" indicating the
       minimum and maximum number of objects.

     - a number that indicates the exact number of objects.

     - an asterisk indicating any number of objects, including zero.
       Using an asterisk is shorthand for 0..n.

     - the letter n indicating from 1 to many. Using the letter n is
       shorthand for 1..n.

   o A class that has an association may have a "w" next to the line
     representing the association. This is called a weak association
     and is discussed in [PCIM].

   It should be noted that the UML static class diagram presented is a
   conceptual view of IPsec policy designed to aid in understanding. It
   does not necessarily get translated class for class into another
   representation. For example, an LDAP implementation may flatten out
   the representation to fewer classes (because of the inefficiency of
   following references).

3. IPsec Policy Model Inheritance Hierarchy

   Like PCIM from which it is derived, the IPsec Configuration Policy
   Model derives from and uses classes defined in the DMTF Common
   Information Model (CIM). The following tree represents the
   inheritance hierarchy for the IPsec policy model classes and how they
   fit into PCIM and the other DMTF models (see the Appendices for
   descriptions of classes that are not being introduced as part of the
   IPsec model). CIM classes that are not used as a superclass from
   which to derive new classes but are only referenced are not included
   in this inheritance hierarchy, but are included in the appropriate
   appendix.
   ManagedElement (DMTF Core Model - Appendix A)
      |
      +--Collection (DMTF Core Model - Appendix A)
      |  |
      |  +--PeerIdentityTable
      |
      +--ManagedSystemElement (DMTF Core Model - Appendix A)
      |  |
      |  +--LogicalElement (DMTF Core Model - Appendix A)
      |     |
      |     +--FilterEntryBase (DMTF Network Model - Appendix C)
      |     |  |
      |     |  +--CredentialFilterEntry
      |     |  |
      |     |  +--IPSOFilterEntry
      |     |  |
      |     |  +--PeerIDPayloadFilterEntry
      |     |
      |     +--PeerGateway
      |     |
      |     +--PeerIdentityEntry
      |     |
      |     +--Service (DMTF Core Model - Appendix A)
      |        |
      |        +--NetworkService (DMTF Network Model - Appendix C)
      |           |
      |           +--IKEService
      |
      +--OrganizationalEntity (DMTF User Model - Appendix B)
      |  |
      |  +--UserEntity (DMTF User Model - Appendix B)
      |     |
      |     +--UsersAccess (DMTF User Model - Appendix B)
      |        |
      |        +--IKEIdentity
      |
      +--Policy (PCIM)
      |  |
      |  +--PolicyAction (PCIM)
      |  |  |
      |  |  +--SAAction
      |  |     |
      |  |     +--SANegotiationAction
      |  |     |  |
      |  |     |  +--IKEAction
      |  |     |  |
      |  |     |  +--IPsecAction
      |  |     |     |
      |  |     |     +--IPsecTransportAction
      |  |     |     |
      |  |     |     +--IPsecTunnelAction
      |  |     |
      |  |     +--SAStaticAction
      |  |        |
      |  |        +--IKERejectAction
      |  |        |
      |  |        +--IPsecBypassAction
      |  |        |
      |  |        +--IPsecDiscardAction
      |  |        |
      |  |        +--PreconfiguredSAAction
      |  |           |
      |  |           +--PreconfiguredTransportAction
      |  |           |
      |  |           +--PreconfiguredTunnelAction
      |  |
      |  +--PolicyCondition (PCIM)
      |  |  |
      |  |  +--SACondition
      |  |
      |  +--PolicyGroup (PCIM)
      |  |  |
      |  |  +--IPsecPolicyGroup
      |  |
      |  +--PolicyRule (PCIM)
      |  |  |
      |  |  +--SARule
      |  |     |
      |  |     +--IKERule
      |  |     |
      |  |     +--IPsecRule
      |  |
      |  +--SAProposal
      |  |  |
      |  |  +--IKEProposal
      |  |  |
      |  |  +--IPsecProposal
      |  |
      |  +--SATransform
      |     |
      |     +--AHTransform
      |     |
      |     +--ESPTransform
      |     |
      |     +--IPCOMPTransform
      |
      +--Setting (DMTF Core Model - Appendix A)
      |  |
      |  +--SystemSetting (DMTF Core Model - Appendix A)
      |     |
      |     +--AutostartIKESetting
      |
      +--SystemConfiguration (DMTF Core Model - Appendix A)
         |
         +--AutostartIKEConfiguration
The following tree represents the inheritance hierarchy of the IPsec policy model association classes and how they fit into PCIM and the other DMTF models (see the Appendices for descriptions of association classes that are not being introduced as part of the IPsec model).

   Dependency (DMTF Core Model - Appendix A)
      |
      +--AcceptCredentialsFrom
      |
      +--ElementAsUser (DMTF User Model - Appendix B)
      |  |
      |  +--EndpointHasLocalIKEIdentity
      |  |
      |  +--CollectionHasLocalIKEIdentity
      |
      +--FilterOfSACondition
      |
      +--HostedPeerGatewayInformation
      |
      +--HostedPeerIdentityTable
      |
      +--IKEAutostartConfiguration
      |
      +--IKEServiceForEndpoint
      |
      +--IKEServicePeerGateway
      |
      +--IKEServicePeerIdentityTable
      |
      +--IKEUsesCredentialManagementService
      |
      +--IPsecPolicyForEndpoint
      |
      +--PeerGatewayForTunnel
      |
      +--PolicyInSystem (PCIM)
      |  |
      |  +--PolicyGroupInSystem (PCIM)
      |  |
      |  +--SAProposalInSystem
      |  |
      |  +--SATransformInSystem
      |
      +--IPsecPolicyForSystem
      |
      +--TransformOfPreconfiguredAction
      |
      +--UsersCredential (DMTF User Model - Appendix B)
         |
         +--IKEIdentitysCredential

   ElementSetting (DMTF Core Model - Appendix A)
      |
      +--IKEAutostartSetting

   MemberOfCollection (DMTF Core Model - Appendix A)
      |
      +--PeerIdentityMember

   PolicyComponent (PCIM)
      |
      +--ContainedProposal
      |
      +--ContainedTransform
      |
      +--PolicyActionInPolicyRule (PCIM)
      |  |
      |  +--SAActionInRule
      |
      +--PolicyConditionInPolicyRule (PCIM)
      |  |
      |  +--SAConditionInRule
      |
      +--PolicyGroupInPolicyGroup (PCIM)
      |  |
      |  +--IPsecPolicyGroupInPolicyGroup
      |
      +--PolicyRuleInPolicyGroup (PCIM)
         |
         +--RuleForIKENegotiation
         |
         +--RuleForIPsecNegotiation

   SystemSettingContext (DMTF Core Model - Appendix A)
      |
      +--AutostartIKESettingContext

4. Policy Classes

The IPsec policy classes represent the set of policies that are contained on a system.

                                   +--------------------+
                                   | IPProtocolEndpoint |
                                   |    (Appendix C)    |
                                   +--------------------+
                                            | *
                        (a)                 | (b)
                     +------+               |
                     |      |*              | 0..1
                     |     *+------------------+0..1   (c)  *+------------+
                     +---o| IPsecPolicyGroup |-------------|   System   |
                          +------------------+             |(Appendix A)|
                           1 o            o 1              +------------+
                         (d) |            | (e)
           +-----------------+            +-------------------+
           |                                                  |
           |        +---------------------------+             |
           |        | PolicyTimePeriodCondition |             |
           |        |       (see [PCIM])        |             |
           |        +---------------------------+             |
           |                      *|                          |
           |                       | (f)                      |
           |                      *o                          |
           |   +-------------+n  *+--------+*  n+----------+  |
           |   | SACondition |----o| SARule |o----| SAAction |  |
           |   +-------------+ (g) +--------+ (h) +----------+  |
           |                           ^                      |
           |                           |                      |
           |                  +--------+--------+             |
           |                  |                 |             |
           |                 *+---------+   +-----------+*    |
           +---------------| IKERule |   | IPsecRule |-----+
                           +---------+   +-----------+

   (a) IPsecPolicyGroupInPolicyGroup
   (b) IPsecPolicyForEndpoint
   (c) IPsecPolicyForSystem
   (d) RuleForIKENegotiation
   (e) RuleForIPsecNegotiation
   (f) PolicyRuleValidityPeriod (see [PCIM])
   (g) SAConditionInRule
   (h) SAActionInRule

An IPsecPolicyGroup represents the set of policies that are used on an interface. This IPsecPolicyGroup SHOULD be associated either directly with the IPProtocolEndpoint class instance that represents the interface (via the IPsecPolicyForEndpoint association) or indirectly, via the IPsecPolicyForSystem association, with the System that hosts the interface.
4.1. The Class IPsecPolicyGroup

The class IPsecPolicyGroup serves as a container of either other IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. The class definition for IPsecPolicyGroup is as follows:

   NAME         IPsecPolicyGroup
   DESCRIPTION  Either a set of IPsecPolicyGroups or a set of IKERules
                and a set of IPsecRules.
   DERIVED FROM PolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyGroupName (from PolicyGroup)

NOTE: for derivations of the schema that are used for policy distribution to an IPsec device (for example, COPS-PR), the server may follow all of the IPsecPolicyGroupInPolicyGroup associations and create one policy group which is simply a set of all of the IKE rules and a set of all of the IPsec rules. See the section on the IPsecPolicyGroupInPolicyGroup aggregation for information on merging multiple IPsecPolicyGroups.

4.2. The Class SARule

The class SARule serves as a base class for IKERule and IPsecRule. Even though the class is concrete, it MUST NOT be instantiated. It defines a common connection point for associations to conditions and actions for both types of rules. Through its derivation from PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has the PolicyRuleValidityPeriod association.

An SARule inherits the property Priority from PolicyRule. Since there is a need for an unambiguous ordering of rules in an IPsec system, all SARules contained within an IPsecPolicyGroup must have unique priority values. The class definition for SARule is as follows:

   NAME         SARule
   DESCRIPTION  A base class for IKERule and IPsecRule.
   DERIVED FROM PolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   PolicyRuleName (from PolicyRule)
                Enabled (from PolicyRule)
                ConditionListType (from PolicyRule)
                LimitNegotiation

4.2.1. The Property LimitNegotiation

The property LimitNegotiation is used as part of processing either an IKE or an IPsec rule.

Before proceeding with a phase 1 negotiation, this property is checked to determine if the negotiation role of the rule matches that defined for the negotiation being undertaken (Initiator, Responder, or Both). If this check fails (e.g., the current role is IKE responder while the rule specifies IKE initiator), then the IKE negotiation is stopped. Note that this only applies to new IKE phase 1 negotiations and has no effect on either renegotiation or refresh operations with peers for which an established SA already exists.

Before proceeding with a phase 2 negotiation, the LimitNegotiation property of the IPsecRule is first checked to determine if the negotiation role indicated for the rule matches that of the current negotiation (Initiator, Responder, or Both). Note that this limit applies only to new phase 2 negotiations. It is ignored when an attempt is made to refresh an expiring SA (either side can initiate a refresh operation). The IKE system can determine that the negotiation is a refresh operation by checking whether the selector information matches that of an existing SA. If LimitNegotiation does not match and the selector corresponds to a new SA, the negotiation is stopped.

The property is defined as follows:

   NAME         LimitNegotiation
   DESCRIPTION  Limits the role to be undertaken during negotiation.
   SYNTAX       unsigned 16-bit integer
   VALUE        1 - initiator-only
                2 - responder-only
                3 - both
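The following is an added example, written for this edit and not part of the draft, showing how the LimitNegotiation check of 4.2.1 can be applied to phase 1 and phase 2 negotiations, including the refresh exception. The representation of an SA selector as a (local, remote, protocol, port) tuple and of the SAD as a set of such selectors is an assumption of the example; the draft does not prescribe either.

```python
"""Added example (not part of the draft): applying the LimitNegotiation check
of section 4.2.1 to a proposed phase 1 or phase 2 negotiation.

Assumptions (mine, not the draft's): an SA is identified by its selector, a
(local, remote, protocol, port) tuple; the SAD is modelled as the set of
selectors for which an SA already exists.
"""
from dataclasses import dataclass, field

# Values of the LimitNegotiation property as defined in the draft.
INITIATOR_ONLY = 1
RESPONDER_ONLY = 2
BOTH = 3

ROLE_INITIATOR = "initiator"
ROLE_RESPONDER = "responder"


@dataclass
class SARule:
    name: str
    limit_negotiation: int = BOTH


@dataclass
class SADatabase:
    """Minimal stand-in for the SAD: the selectors of established SAs."""
    established: set = field(default_factory=set)

    def is_refresh(self, selector) -> bool:
        # A negotiation whose selector matches an existing SA is a refresh
        # (rekey) of that SA rather than a new SA.
        return selector in self.established


def role_permitted(limit: int, role: str) -> bool:
    """Does LimitNegotiation allow this role to open a new negotiation?"""
    if limit == BOTH:
        return True
    if limit == INITIATOR_ONLY:
        return role == ROLE_INITIATOR
    if limit == RESPONDER_ONLY:
        return role == ROLE_RESPONDER
    raise ValueError(f"invalid LimitNegotiation value {limit!r}")


def phase1_permitted(rule: SARule, role: str, peer_has_sa: bool) -> bool:
    """Phase 1: the limit applies only to new negotiations; renegotiation or
    refresh with a peer that already has an established SA is unaffected."""
    if peer_has_sa:
        return True
    return role_permitted(rule.limit_negotiation, role)


def phase2_permitted(rule: SARule, role: str, selector, sad: SADatabase) -> bool:
    """Phase 2: a refresh of an expiring SA (same selector as an existing SA)
    may be started by either side; only a new SA is subject to the limit."""
    if sad.is_refresh(selector):
        return True
    return role_permitted(rule.limit_negotiation, role)
```

The refresh test is deliberately done before the role test: a responder-only rule would otherwise block the local side from rekeying an SA it is allowed to carry, which is exactly the case the draft exempts.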
4.3. The Class IKERule

The class IKERule associates Conditions and Actions for IKE phase 1 negotiations. The class definition for IKERule is as follows:

   NAME         IKERule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 1
                negotiations.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule, plus IdentityContexts

4.3.1. The Property IdentityContexts

The IKE service of a security endpoint may have multiple identities for use in different situations. The combination of the interface (represented by the IPProtocolEndpoint), the identity type (as specified in the IKEAction) and the IdentityContexts specifies a unique identity.

The IdentityContexts property specifies the context used to select the IKE identity to be used during the subsequent IKEAction. A context may be a VPN name or other identifier for selecting the appropriate identity for use on the protected IPProtocolEndpoint.

IdentityContexts is an array of strings. The multiple values in the array are ORed together in evaluating the IdentityContexts. Each value in the array may be the composition of multiple context names. So, a single value may be a single context name (e.g., "CompanyXVPN") or it may be a combination of contexts. When an array value is a composition, the individual values are ANDed together for evaluation purposes and the syntax is:

   <ContextName>[&&<ContextName>]*

where the individual context names appear in alphabetical order (according to the collating sequence for UCS-2). So, for example, the values "CompanyXVPN", "CompanyYVPN&&TopSecret", "CompanyZVPN&&Confidential" mean that, for the appropriate IPProtocolEndpoint and IdentityType, the contexts are matched if the identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or "CompanyZVPN&&Confidential".

The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  Specifies the context in which to select the IKE
                identity.
   SYNTAX       string array
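The following is an added example, written for this edit and not part of the draft, that canonicalises and evaluates an IdentityContexts array as described in 4.3.1: each element is an AND-composition whose names must appear in UCS-2 collating order, and the array as a whole is an OR. Representing the identity being matched as the set of context names it carries is an assumption of the example; the draft does not fix that representation. The example also covers a point the text leaves implicit: UCS-2 order is UTF-16 code-unit order, which differs from code-point order for characters outside the Basic Multilingual Plane.

```python
"""Added example (not part of the draft): canonical form and evaluation of
the IdentityContexts array of section 4.3.1.

Assumption (mine): the identity under evaluation is represented by the set
of context names it carries ("active contexts").
"""

SEPARATOR = "&&"


def ucs2_key(name: str) -> bytes:
    """Sort key giving UCS-2/UTF-16 code-unit order. Python's default str
    ordering is by code point, which differs from UTF-16 code-unit order for
    characters outside the BMP (surrogate pairs D800..DFFF sort before
    E000..FFFF), so encode explicitly."""
    return name.encode("utf-16-be")


def canonical_value(value: str) -> str:
    """Return the composition in the draft's canonical form: names in UCS-2
    collating order, joined by '&&'. Rejects empty and duplicate names."""
    names = value.split(SEPARATOR)
    if any(n == "" for n in names):
        raise ValueError(f"empty context name in {value!r}")
    if len(set(names)) != len(names):
        raise ValueError(f"duplicate context name in {value!r}")
    return SEPARATOR.join(sorted(names, key=ucs2_key))


def is_canonical(value: str) -> bool:
    """True if the value already obeys the alphabetical-order rule."""
    return canonical_value(value) == value


def value_matches(value: str, active: set) -> bool:
    """AND: every context name of the composition must be active."""
    return all(name in active for name in value.split(SEPARATOR))


def contexts_match(identity_contexts: list, active: set) -> bool:
    """OR over the array: the rule matches an identity carrying the set
    `active` of context names if any array element matches it."""
    return any(value_matches(v, active) for v in identity_contexts)
```

A policy store that accepts values in non-canonical order would make the same composition look like two different values to a consumer comparing strings; validating with is_canonical at write time, or normalising with canonical_value, avoids that.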
4.4. The Class IPsecRule

The class IPsecRule associates Conditions and Actions for IKE phase 2 negotiations for the IPsec DOI. The class definition for IPsecRule is as follows:

   NAME         IPsecRule
   DESCRIPTION  Associates Conditions and Actions for IKE phase 2
                negotiations for the IPsec DOI.
   DERIVED FROM SARule
   ABSTRACT     FALSE
   PROPERTIES   same as SARule

4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup

The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec policies to be combined into one effective policy. See [PCIM] for a description of how policies are merged (see also the property GroupPriority). The class definition for IPsecPolicyGroupInPolicyGroup is as follows:

   NAME         IPsecPolicyGroupInPolicyGroup
   DESCRIPTION  Associates a nested IPsecPolicyGroup with the
                IPsecPolicyGroup that contains it.
   DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref IPsecPolicyGroup [0..n]]
                PartComponent [ref IPsecPolicyGroup [0..n]]
                GroupPriority

4.5.1. The Reference GroupComponent

The property GroupComponent is inherited from PolicyGroupInPolicyGroup and is overridden to refer to an IPsecPolicyGroup instance. The [0..n] cardinality indicates that a given IPsecPolicyGroup instance may be a part of zero or more containing IPsecPolicyGroup instances (i.e., there may be zero or more GroupComponent references per PartComponent).

4.5.2. The Reference PartComponent

The property PartComponent is inherited from PolicyGroupInPolicyGroup and is overridden to refer to an IPsecPolicyGroup instance. The [0..n] cardinality indicates that a given IPsecPolicyGroup instance may contain zero or more IPsecPolicyGroup instances (i.e., there may be zero or more PartComponent references per GroupComponent).

4.5.3. The Property GroupPriority

Since policy groups (IPsecPolicyGroup) can contain both rules and other policy groups, the relative priorities of the rules of the contained groups are established by setting the GroupPriority property of IPsecPolicyGroupInPolicyGroup to a rule priority that is unique within the containing group. The rules of the nested group are inserted, in their own order, at the position indicated by GroupPriority in the containing group's rules.

The property is defined as follows:

   NAME         GroupPriority
   DESCRIPTION  Specifies the rule priority to be set to all nested
                rules.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between 1 and 2^16-1 inclusive. Lower values
                have higher precedence (i.e., 1 is the highest
                precedence). The merging order of two nested groups
                (PartComponents) with the same precedence is undefined.
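The following is an added example, written for this edit and not part of the draft, that performs the flattening described in the NOTE of 4.1 using the GroupPriority semantics of 4.5.3: nested groups are expanded in place at their GroupPriority position to produce one ordered rule list. The example assumes that rule Priority is ordered the same way as GroupPriority (lower value first), which the draft states only for GroupPriority, and it rejects duplicate priorities and cyclic nesting instead of ordering them arbitrarily, since the draft leaves that order undefined.

```python
"""Added example (not part of the draft): flattening nested IPsecPolicyGroups
into one ordered rule list (NOTE in 4.1) using GroupPriority (4.5.3).

Assumptions (mine): rule Priority and GroupPriority are both ordered with the
lower value first; a group is a list of rules plus a list of nested-group
associations. Duplicate priorities (order undefined per the draft) and
nesting cycles are rejected rather than silently ordered.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    name: str
    priority: int          # PolicyRule.Priority, unique within its group


@dataclass
class Group:
    name: str
    rules: List[Rule] = field(default_factory=list)
    nested: List["NestedGroup"] = field(default_factory=list)


@dataclass
class NestedGroup:
    """One IPsecPolicyGroupInPolicyGroup association instance."""
    group: Group
    group_priority: int    # GroupPriority: position among the parent's rules


def _check_unique(values, what: str, owner: str) -> None:
    seen = set()
    for v in values:
        if not 1 <= v <= 2 ** 16 - 1:
            raise ValueError(f"{what} {v} in {owner} out of range 1..65535")
        if v in seen:
            raise ValueError(f"duplicate {what} {v} in {owner}: order undefined")
        seen.add(v)


def flatten(group: Group, _path=None) -> List[str]:
    """Return rule names in effective evaluation order. Each nested group
    expands (recursively) in place at its GroupPriority position. Because
    GroupComponent is [0..n], one group may be nested under several parents;
    that is allowed, but a group nested under itself (a cycle) is not."""
    _path = set() if _path is None else _path
    if id(group) in _path:
        raise ValueError(f"cycle through group {group.name}")
    _path = _path | {id(group)}

    priorities = [r.priority for r in group.rules] + \
                 [n.group_priority for n in group.nested]
    _check_unique(priorities, "priority", group.name)

    entries = [(r.priority, [r.name]) for r in group.rules]
    entries += [(n.group_priority, flatten(n.group, _path)) for n in group.nested]
    ordered: List[str] = []
    for _, names in sorted(entries, key=lambda e: e[0]):
        ordered.extend(names)
    return ordered
```

The output is only an order; a distribution server that must hand out unique priority values (as 4.2 requires within a group) would renumber the flattened list before sending it.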
4.6. The Association Class IPsecPolicyForEndpoint

The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with a specific network interface. If an IPProtocolEndpoint of a system does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the IPsecPolicyForSystem-associated IPsecPolicyGroup is used for that endpoint. The class definition for IPsecPolicyForEndpoint is as follows:

   NAME         IPsecPolicyForEndpoint
   DESCRIPTION  Associates a policy group to a network interface.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IPProtocolEndpoint [0..n]]
                Dependent [ref IPsecPolicyGroup [0..1]]

4.6.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to an IPProtocolEndpoint instance. The [0..n] cardinality indicates that an IPsecPolicyGroup instance may be associated with zero or more IPProtocolEndpoint instances.

4.6.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IPsecPolicyGroup instance. The [0..1] cardinality indicates that an IPProtocolEndpoint instance may have an association to at most one IPsecPolicyGroup instance.
4.7. The Association Class IPsecPolicyForSystem

The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a specific system. If an IPProtocolEndpoint of a system does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the IPsecPolicyForSystem-associated IPsecPolicyGroup is used for that endpoint. The class definition for IPsecPolicyForSystem is as follows:

   NAME         IPsecPolicyForSystem
   DESCRIPTION  Default policy group for a system.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref System [0..n]]
                Dependent [ref IPsecPolicyGroup [0..1]]

4.7.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [0..n] cardinality indicates that an IPsecPolicyGroup instance may have an association to zero or more System instances.

4.7.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IPsecPolicyGroup instance. The [0..1] cardinality indicates that a System instance may have an association to at most one IPsecPolicyGroup instance.

4.8. The Aggregation Class RuleForIKENegotiation

The class RuleForIKENegotiation associates an IKERule with the IPsecPolicyGroup that contains it. The class definition for RuleForIKENegotiation is as follows:

   NAME         RuleForIKENegotiation
   DESCRIPTION  Associates an IKERule with the IPsecPolicyGroup that
                contains it.
   DERIVED FROM PolicyRuleInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref IPsecPolicyGroup [1..1]]
                PartComponent [ref IKERule [0..n]]

4.8.1. The Reference GroupComponent

The property GroupComponent is inherited from PolicyRuleInPolicyGroup and is overridden to refer to an IPsecPolicyGroup instance. The [1..1] cardinality indicates that an IKERule instance may be contained in one and only one IPsecPolicyGroup instance (i.e., IKERules are not shared across IPsecPolicyGroups).

4.8.2. The Reference PartComponent

The property PartComponent is inherited from PolicyRuleInPolicyGroup and is overridden to refer to an IKERule instance. The [0..n] cardinality indicates that an IPsecPolicyGroup instance may contain zero or more IKERule instances.
4.9. The Aggregation Class RuleForIPsecNegotiation

The class RuleForIPsecNegotiation associates an IPsecRule with the IPsecPolicyGroup that contains it. The class definition for RuleForIPsecNegotiation is as follows:

   NAME         RuleForIPsecNegotiation
   DESCRIPTION  Associates an IPsecRule with the IPsecPolicyGroup that
                contains it.
   DERIVED FROM PolicyRuleInPolicyGroup (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref IPsecPolicyGroup [1..1]]
                PartComponent [ref IPsecRule [0..n]]

4.9.1. The Reference GroupComponent

The property GroupComponent is inherited from PolicyRuleInPolicyGroup and is overridden to refer to an IPsecPolicyGroup instance. The [1..1] cardinality indicates that an IPsecRule instance may be contained in only one IPsecPolicyGroup instance (i.e., IPsecRules are not shared across IPsecPolicyGroups).

4.9.2. The Reference PartComponent

The property PartComponent is inherited from PolicyRuleInPolicyGroup and is overridden to refer to an IPsecRule instance. The [0..n] cardinality indicates that an IPsecPolicyGroup instance may contain zero or more IPsecRule instances.

4.10. The Aggregation Class SAConditionInRule

The class SAConditionInRule associates an SARule with the SACondition instance(s) that trigger(s) it. See [PCIM] for the usage of the properties GroupNumber and ConditionNegated. The class definition for SAConditionInRule is as follows:

   NAME         SAConditionInRule
   DESCRIPTION  Associates an SARule with the SACondition instance(s)
                that trigger(s) it.
   DERIVED FROM PolicyConditionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref SARule [0..n]]
                PartComponent [ref SACondition [1..n]]
                GroupNumber (from PolicyConditionInPolicyRule)
                ConditionNegated (from PolicyConditionInPolicyRule)

4.10.1. The Reference GroupComponent

The property GroupComponent is inherited from PolicyConditionInPolicyRule and is overridden to refer to an SARule instance. The [0..n] cardinality indicates that an SACondition instance may be contained in zero or more SARule instances.
4.10.2. The Reference PartComponent

The property PartComponent is inherited from PolicyConditionInPolicyRule and is overridden to refer to an SACondition instance. The [1..n] cardinality indicates that an SARule instance MUST contain at least one SACondition instance.

4.11. The Aggregation Class SAActionInRule

The class SAActionInRule associates an SARule with its SAAction(s). The class definition for SAActionInRule is as follows:

   NAME         SAActionInRule
   DESCRIPTION  Associates an SARule with its SAAction(s).
   DERIVED FROM PolicyActionInPolicyRule (see [PCIM])
   ABSTRACT     FALSE
   PROPERTIES   GroupComponent [ref SARule [0..n]]
                PartComponent [ref SAAction [1..n]]
                ActionOrder

4.11.1. The Reference GroupComponent

The property GroupComponent is inherited from PolicyActionInPolicyRule and is overridden to refer to an SARule instance. The [0..n] cardinality indicates that an SAAction instance may be contained in zero or more SARule instances.

4.11.2. The Reference PartComponent

The property PartComponent is inherited from PolicyActionInPolicyRule and is overridden to refer to an SAAction instance. The [1..n] cardinality indicates that an SARule instance MUST contain at least one SAAction instance.

4.11.3. The Property ActionOrder

The property ActionOrder specifies the relative position of this SAAction in the sequence of actions associated with a PolicyRule. The ActionOrder MUST be unique so as to provide a deterministic order. In addition, the actions in an SARule are executed as follows.

For an initiator, if there is more than one action in the rule, the additional actions are 'backup' actions in the event that the first action cannot be completed successfully. They are tried in ActionOrder until the list is exhausted or one completes successfully. For example, an IKE initiator may have several IKEActions for the same SACondition. The initiator will try all IKEActions in the order defined by ActionOrder, i.e., it may try several phase 1 negotiations, possibly with different modes (main mode then aggressive mode) and/or with multiple IKE peers.

For a responder, there can also be more than one action in the rule; this provides alternative actions depending on the received proposals. For example, the same IKERule may be used to handle aggressive mode and main mode negotiations with different actions. The first appropriate action in the list of actions is used by the responder.

The property is defined as follows:

   NAME         ActionOrder
   DESCRIPTION  Specifies the order of actions.
   SYNTAX       unsigned 16-bit integer
   VALUE        Any value between 1 and 2^16-1 inclusive. Lower values
                have higher precedence (i.e., 1 is the highest
                precedence). The order of two SAActions with the same
                ActionOrder value is undefined.
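The following is an added example, written for this edit and not part of the draft, of the initiator and responder behaviour of 4.11.3 over the SAActions of one rule. Describing an action by its ActionOrder, a label and the exchange mode it negotiates, and modelling an initiator's attempt as a caller-supplied callable, are assumptions of the example so that it runs offline; how an action is actually attempted is outside the draft's scope.

```python
"""Added example (not part of the draft): initiator fallback and responder
selection over a rule's SAActions, ordered by ActionOrder (section 4.11.3).

Assumptions (mine): an action carries its ActionOrder, a label and, for an
IKEAction, the exchange mode it negotiates; "attempting" an action is a
callable supplied by the caller.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SAAction:
    action_order: int     # ActionOrder, 1..65535, unique within the rule
    label: str
    mode: str             # e.g. "main" or "aggressive" for an IKEAction


def ordered_actions(actions: List[SAAction]) -> List[SAAction]:
    """Sort by ActionOrder (1 is highest precedence). The draft requires the
    value to be unique; a duplicate makes the order undefined, so refuse it
    rather than silently pick one."""
    orders = [a.action_order for a in actions]
    if len(set(orders)) != len(orders):
        raise ValueError("duplicate ActionOrder: execution order undefined")
    if any(not 1 <= o <= 0xFFFF for o in orders):
        raise ValueError("ActionOrder out of range 1..65535")
    return sorted(actions, key=lambda a: a.action_order)


def initiator_run(actions: List[SAAction],
                  attempt: Callable[[SAAction], bool]) -> Optional[SAAction]:
    """Initiator: try the actions in ActionOrder; later ones are backups used
    only when an earlier one fails. Returns the action that succeeded, or
    None once the list is exhausted."""
    for action in ordered_actions(actions):
        if attempt(action):
            return action
    return None


def responder_select(actions: List[SAAction],
                     received_mode: str) -> Optional[SAAction]:
    """Responder: use the first action (in ActionOrder) appropriate to the
    received proposal; here appropriateness is the exchange mode."""
    for action in ordered_actions(actions):
        if action.mode == received_mode:
            return action
    return None
```

Note that the initiator's fallback path is where a downgrade can creep in: a list that places an aggressive-mode action after a main-mode one means that a peer that simply fails main mode will be offered aggressive mode. Ordering the list is therefore a policy decision, not just a tie-breaker.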
5. Condition and Filter Classes

   The IPsec condition and filter classes are used to build the "if"
   part of the IKE and IPsec rules.

   +-------------+ *         1 +------------+ 1              * +-----------------+
   | SACondition |o------------| FilterList |x-----------------| FilterEntryBase |
   +-------------+     (a)     +------------+        (c)       |  (Appendix C)   |
          |*                    (Appendix C)                   +-----------------+
          |                                                             ^
          |(b)                                                          |
          |*                              +-----------------------------+------------------------+
   +-----------------------------+        |                             |                        |
   | CredentialManagementService |  +-----------------------+  +-----------------+  +--------------------------+
   |        (Appendix B)         |  | CredentialFilterEntry |  | IPSOFilterEntry |  | PeerIDPayloadFilterEntry |
   +-----------------------------+  +-----------------------+  +-----------------+  +--------------------------+

   (a) FilterOfSACondition
   (b) AcceptCredentialsFrom
   (c) EntriesInFilterList (see Appendix C)

5.1. The Class SACondition

   The class SACondition defines the conditions of rules for IKE and
   IPsec negotiations. Conditions are associated with policy rules via
   the SAConditionInRule aggregation. It is used as an anchor point to
   associate various types of filters with policy rules via the
   FilterOfSACondition association. It also defines whether Credentials
   can be accepted for a particular policy rule via the
   AcceptCredentialsFrom association.

   Associated objects represent components of the condition that may or
   may not apply at a given rule evaluation. For example, an
   AcceptCredentialsFrom evaluation is only performed when a credential
   is available to be evaluated against the list of trusted credential
   management services. Similarly, a PeerIDPayloadFilterEntry may only
   be evaluated when an IDPayload value is available to be compared
   with the filter. Condition components that do not have corresponding
   values with which to evaluate are evaluated as TRUE unless the
   protocol has completed without providing the required information.

   The class definition for SACondition is as follows:

      NAME           SACondition
      DESCRIPTION    Defines the preconditions for IKE and IPsec
                     negotiations.
      DERIVED FROM   PolicyCondition (see [PCIM])
      ABSTRACT       FALSE
      PROPERTIES     PolicyConditionName (from PolicyCondition)
5.2. The Class FilterEntry

   The class FilterEntry is defined in appendix C with the following
   notes:

   1) since actions in the IPsec Policy Model are not part of the
      condition side of the rule, the Action property of each
      FilterEntry is ignored and should be set to "FilterOnly".

   2) to specify 5-tuple filters that are to apply symmetrically (i.e.,
      matches traffic in both directions of the same flow between the
      two peers), the Direction property of the FilterList should be
      set to "Mirrored".

5.3. The Class CredentialFilterEntry

   The class CredentialFilterEntry defines an equivalence class that
   matches credentials of IKE peers. Each CredentialFilterEntry
   includes a MatchFieldName that is interpreted according to the
   CredentialManagementService(s) associated with the SACondition
   (AcceptCredentialsFrom). These credentials can be X.509
   certificates, Kerberos tickets, or other types of credentials
   obtained during the Phase 1 exchange.

   The class definition for CredentialFilterEntry is as follows:

      NAME           CredentialFilterEntry
      DESCRIPTION    Specifies a match filter based on the IKE
                     credentials.
      DERIVED FROM   FilterEntryBase (see Appendix C)
      ABSTRACT       FALSE
      PROPERTIES     Name (from FilterEntryBase)
                     IsNegated (from FilterEntryBase)
                     MatchFieldName
                     MatchFieldValue
                     CredentialType

5.3.1. The Property MatchFieldName

   The property MatchFieldName specifies the sub-part of the credential
   to match against MatchFieldValue.

   The property is defined as follows:

      NAME           MatchFieldName
      DESCRIPTION    Specifies which sub-part of the credential to
                     match.
      SYNTAX         string
      VALUE

5.3.2. The Property MatchFieldValue

   The property MatchFieldValue specifies the value to compare with the
   MatchFieldName in a credential to determine if the credential
   matches this filter entry.

   The property is defined as follows:

      NAME           MatchFieldValue
      DESCRIPTION    Specifies the value to be matched by the
                     MatchFieldName.
      SYNTAX         string
      VALUE          NB: If the CredentialFilterEntry corresponds to a
                     DistinguishedName, this value in the CIM class is
                     represented by an ordinary string value. However,
                     an implementation must convert this string to a
                     DER-encoded string before matching against the
                     values extracted from credentials at runtime.

5.3.3. The Property CredentialType

   The property CredentialType specifies the particular type of
   credential that is being matched.

   The property is defined as follows:

      NAME           CredentialType
      DESCRIPTION    Defines the type of IKE credentials.
      SYNTAX         unsigned 16-bit integer
      VALUE          1 - X.509 Certificate
                     2 - Kerberos Ticket

5.4. The Class IPSOFilterEntry

   The class IPSOFilterEntry is used to match traffic based on the IP
   Security Options header values (ClassificationLevel and
   ProtectionAuthority) as defined in RFC1108. This type of FilterEntry
   is used to adjust the IPsec encryption level according to the IPSO
   classification of the traffic (e.g., secret, confidential,
   restricted, etc.).

   The class definition for IPSOFilterEntry is as follows:

      NAME           IPSOFilterEntry
      DESCRIPTION    Specifies a match filter based on IP Security
                     Options.
      DERIVED FROM   FilterEntryBase (see Appendix C)
      ABSTRACT       FALSE
      PROPERTIES     Name (from FilterEntryBase)
                     IsNegated (from FilterEntryBase)
                     MatchConditionType
                     MatchConditionValue

5.4.1. The Property MatchConditionType

   The property MatchConditionType specifies the IPSO header field that
   will be matched (e.g., traffic classification level or protection
   authority).

   The property is defined as follows:

      NAME           MatchConditionType
      DESCRIPTION    Specifies the IPSO header field to be matched.
      SYNTAX         unsigned 16-bit integer
      VALUE          1 - ClassificationLevel
                     2 - ProtectionAuthority

5.4.2. The Property MatchConditionValue

   The property MatchConditionValue specifies the value of the IPSO
   header field to be matched against.

   The property is defined as follows:

      NAME           MatchConditionValue
      DESCRIPTION    Specifies the value of the IPSO header field to be
                     matched against.
      SYNTAX         unsigned 16-bit integer
      VALUE          For ClassificationLevel, the values are:
                        61  - TopSecret
                        90  - Secret
                        150 - Confidential
                        171 - Unclassified
                     For ProtectionAuthority, the values are:
                        0 - GENSER
                        1 - SIOP-ESI
                        2 - SCI
                        3 - NSA
                        4 - DOE

5.5. The Class PeerIDPayloadFilterEntry

   The class PeerIDPayloadFilterEntry defines filters used to match ID
   payload values from the IKE protocol exchange.
   PeerIDPayloadFilterEntry permits the specification of certain ID
   payload values such as "*@company.com" or "193.190.125.0/24".
   Obviously this filter applies only to IKERules when acting as a
   responder. Moreover, this filter can be applied immediately in the
   case of aggressive mode but its application is to be delayed in the
   case of main mode.

   The class definition for PeerIDPayloadFilterEntry is as follows:

      NAME           PeerIDPayloadFilterEntry
      DESCRIPTION    Specifies a match filter based on IKE identity.
      DERIVED FROM   FilterEntryBase (see Appendix C)
      ABSTRACT       FALSE
      PROPERTIES     Name (from FilterEntryBase)
                     IsNegated (from FilterEntryBase)
                     MatchIdentityType
                     MatchIdentityValue

5.5.1. The Property MatchIdentityType

   The property MatchIdentityType specifies the type of identity
   provided by the peer in the ID payload.

   The property is defined as follows:

      NAME           MatchIdentityType
      DESCRIPTION    Specifies the ID payload type.
      SYNTAX         unsigned 16-bit integer
      VALUE          1  - IPv4 Address
                     2  - FQDN
                     3  - User FQDN
                     4  - IPv4 Subnet
                     5  - IPv6 Address
                     6  - IPv6 Subnet
                     7  - IPv4 Address Range
                     8  - IPv6 Address Range
                     9  - DER-Encoded ASN.1 X.500 Distinguished Name
                     10 - DER-Encoded ASN.1 X.500 GeneralName
                     11 - Key ID

5.5.2. The Property MatchIdentityValue

   The property MatchIdentityValue specifies the filter value for
   comparison with the ID payload, e.g., "*@company.com".

   The property is defined as follows:

      NAME           MatchIdentityValue
      DESCRIPTION    Specifies the ID payload value.
      SYNTAX         string
      VALUE          NB: The syntax may need to be converted for
                     comparison. If the PeerIDPayloadFilterEntry type
                     is a DistinguishedName, the name in the
                     MatchIdentityValue property is represented by an
                     ordinary string value, but this value must be
                     converted into a DER-encoded string before
                     matching against the values extracted from IKE ID
                     payloads at runtime. The same applies to IPv4 &
                     IPv6 addresses. Wildcards can be used as well as
                     the prefix notation for IPv4 addresses:

                     - a MatchIdentityValue of "*@company.com" will
                       match an ID payload of "JDOE@COMPANY.COM"

                     - a MatchIdentityValue of "193.190.125.0/24" will
                       match an ID payload of 193.190.125.10.

5.6. The Association Class FilterOfSACondition

   The class FilterOfSACondition associates an SACondition with the
   filter specifications (FilterList) that make up the condition.
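   The matching rules of 5.5.2 (wildcards, case-insensitive DNS names,
   IPv4 prefix notation) together with the 5.1 rule that a component
   without a value is TRUE until the exchange completes, as an added
   example that is not part of the draft or of any IKE implementation.
   Only the identity types used in the draft's own examples are
   implemented; the class and function names and the sample identities
   are this example's own.

```python
"""Added example (not from the draft): evaluating a PeerIDPayloadFilterEntry
against the ID payload sent by an IKE peer.

Only the MatchIdentityType values the draft's examples use are handled;
the type numbers follow 5.5.1.  Sample identities are constructed.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional

# MatchIdentityType values from 5.5.1 (subset implemented here)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV4_SUBNET = 4


@dataclass
class PeerIDPayloadFilterEntry:
    name: str                  # Name (from FilterEntryBase)
    match_identity_type: int   # MatchIdentityType
    match_identity_value: str  # MatchIdentityValue, e.g. "*@company.com"
    is_negated: bool = False   # IsNegated (from FilterEntryBase)

    def matches(self, id_type: Optional[int], id_value: Optional[str],
                protocol_complete: bool = False) -> bool:
        """Evaluate this entry against the peer's ID payload.

        id_type/id_value are None while the ID payload has not been seen
        (main mode delivers it late).  Per 5.1 the entry is then TRUE,
        unless the protocol finished without ever providing the value.
        """
        if id_value is None:
            return not protocol_complete

        if self.match_identity_type in (ID_FQDN, ID_USER_FQDN):
            # DNS names are case-insensitive, so "*@company.com" matches
            # "JDOE@COMPANY.COM"; '*' and '?' act as wildcards.
            result = (id_type == self.match_identity_type and
                      fnmatch.fnmatchcase(id_value.lower(),
                                          self.match_identity_value.lower()))
        elif self.match_identity_type == ID_IPV4_ADDR:
            result = (id_type == ID_IPV4_ADDR and
                      ipaddress.IPv4Address(id_value)
                      == ipaddress.IPv4Address(self.match_identity_value))
        elif self.match_identity_type == ID_IPV4_SUBNET:
            # Prefix notation: "193.190.125.0/24" matches 193.190.125.10,
            # and also a subnet ID payload that lies inside the prefix.
            net = ipaddress.IPv4Network(self.match_identity_value, strict=False)
            if id_type == ID_IPV4_ADDR:
                result = ipaddress.IPv4Address(id_value) in net
            elif id_type == ID_IPV4_SUBNET:
                result = ipaddress.IPv4Network(id_value, strict=False).subnet_of(net)
            else:
                result = False
        else:
            raise NotImplementedError("MatchIdentityType %d not handled here"
                                      % self.match_identity_type)

        return (not result) if self.is_negated else result


if __name__ == "__main__":
    corp = PeerIDPayloadFilterEntry("corp-users", ID_USER_FQDN, "*@company.com")
    branch = PeerIDPayloadFilterEntry("branch-net", ID_IPV4_SUBNET, "193.190.125.0/24")
    print(corp.matches(ID_USER_FQDN, "JDOE@COMPANY.COM"))
    print(branch.matches(ID_IPV4_ADDR, "193.190.125.10"))
    print(branch.matches(None, None))  # ID not yet received in main mode
```

   The third call in the usage shows the main-mode case: until the ID
   payload arrives the entry evaluates TRUE, so the rule is not ruled
   out prematurely; passing protocol_complete=True turns that into a
   FALSE result once the exchange has finished without an ID.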
   The class definition for FilterOfSACondition is as follows:

      NAME           FilterOfSACondition
      DESCRIPTION    Associates a condition with the filter list that
                     makes up the individual condition elements.
      DERIVED FROM   Dependency (see Appendix A)
      ABSTRACT       FALSE
      PROPERTIES     Antecedent [ref FilterList[1..1]]
                     Dependent [ref SACondition[0..n]]

5.6.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a FilterList instance. The [1..1] cardinality
   indicates that an SACondition instance MUST be associated with one
   and only one FilterList instance.

5.6.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an SACondition instance. The [0..n] cardinality indicates
   that a FilterList instance may be associated with zero or more
   SACondition instances.

5.7. The Association Class AcceptCredentialFrom

   The class AcceptCredentialFrom specifies which credential management
   services (e.g., a CertificateAuthority or a Kerberos service) are to
   be trusted to certify peer credentials. This is used to validate that
   the credential being matched in the CredentialFilterEntry is a valid
   credential that has been supplied by an approved
   CredentialManagementService. If a CredentialManagementService is
   specified and a corresponding CredentialFilterEntry is used, but the
   credential supplied by the peer is not certified by that
   CredentialManagementService (or one of the
   CredentialManagementServices in its trust hierarchy), the
   CredentialFilterEntry is deemed not to match. If a credential is
   certified by a CredentialManagementService in the
   AcceptCredentialsFrom list of services but there is no
   CredentialFilterEntry, this is considered equivalent to a
   CredentialFilterEntry that matches all credentials from those
   services.

   The class definition for AcceptCredentialFrom is as follows:

      NAME           AcceptCredentialFrom
      DESCRIPTION    Associates a condition with the credential
                     management services to be trusted.
      DERIVED FROM   Dependency (see Appendix A)
      ABSTRACT       FALSE
      PROPERTIES     Antecedent [ref CredentialManagementService[0..n]]
                     Dependent [ref SACondition[0..n]]

5.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance. The
   [0..n] cardinality indicates that an SACondition instance may be
   associated with zero or more CredentialManagementService instances.

5.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an SACondition instance. The [0..n] cardinality indicates
   that a CredentialManagementService instance may be associated with
   zero or more SACondition instances.

6. Action Classes

   The action classes are used to model the different actions an IPsec
   device may take when the evaluation of the associated condition
   results in a match.
   SAAction
    |
    +-- SAStaticAction
    |    |
    |    +-- IPsecBypassAction
    |    +-- IPsecDiscardAction
    |    +-- IKERejectAction
    |    +-- PreconfiguredSAAction   * -----(d)----- 1..3 [SATransform]
    |         |
    |         +-- PreconfiguredTransportAction
    |         +-- PreconfiguredTunnelAction
    |
    +-- SANegotiationAction         * o----(b)----- n [SAProposal]
         |
         +-- IPsecAction
         |    |
         |    +-- IPsecTransportAction
         |    +-- IPsecTunnelAction      ------(a)----- * PeerGateway
         |
         +-- IKEAction

   PeerGateway                      * -----(c)----- 1 System (Appendix A)

   (a) PeerGatewayForTunnel
   (b) ContainedProposal
   (c) HostedPeerGatewayInformation
   (d) TransformOfPreconfiguredAction

6.1. The Class SAAction

   The class SAAction serves as the base class for IKE and IPsec
   actions. Although the class is concrete, it MUST not be instantiated.
   It is used for aggregating different types of actions to IKE and
   IPsec rules.
   The class definition for SAAction is as follows:

      NAME           SAAction
      DESCRIPTION    The base class for IKE and IPsec actions.
      DERIVED FROM   PolicyAction (see [PCIM])
      ABSTRACT       FALSE
      PROPERTIES     PolicyActionName (from PolicyAction)
                     DoActionLogging
                     DoPacketLogging

6.1.1. The Property DoActionLogging

   The property DoActionLogging specifies whether a log message is to
   be generated when the action is performed (even if the action
   fails).

   The property is defined as follows:

      NAME           DoActionLogging
      DESCRIPTION    Specifies whether to log when the action is
                     performed.
      SYNTAX         boolean
      VALUE          true - a log message is to be generated when the
                     action is performed.
                     false - no log message is to be generated when
                     the action is performed.

6.1.2. The Property DoPacketLogging

   The property DoPacketLogging specifies whether a log message is to
   be generated when the resulting security association is used to
   process the packet. If the action successfully executes and results
   in the creation of one or several security associations, the value
   of DoPacketLogging SHOULD be propagated to an optional field of the
   SADB. This optional field should be used to decide whether a log
   message is to be generated when the SA is used to process a packet.

   The property is defined as follows:

      NAME           DoPacketLogging
      DESCRIPTION    Specifies whether to log when the resulting
                     security association is used to process the
                     packet.
      SYNTAX         boolean
      VALUE          true - a log message is to be generated when the
                     resulting security association is used to process
                     the packet.
                     false - no log message is to be generated.

6.2. The Class SAStaticAction

   The class SAStaticAction serves as the base class for IKE and IPsec
   actions that do not require any negotiation. Although the class is
   concrete, it MUST not be instantiated.

   The class definition for SAStaticAction is as follows:

      NAME           SAStaticAction
      DESCRIPTION    The base class for IKE and IPsec actions that do
                     not require any negotiation.
      DERIVED FROM   SAAction
      ABSTRACT       FALSE
      PROPERTIES     LifetimeSeconds

6.2.1. The Property LifetimeSeconds

   The property LifetimeSeconds specifies how long the security
   association derived from this action should be used.

   The property is defined as follows:

      NAME           LifetimeSeconds
      DESCRIPTION    Specifies the amount of time (in seconds) that a
                     security association derived from this action
                     should be used.
      SYNTAX         unsigned 32-bit integer
      VALUE          A value of zero indicates that there is not a
                     lifetime associated with this action (i.e.,
                     infinite lifetime). A non-zero value is typically
                     used in conjunction with alternate SAActions
                     performed when there is a negotiation failure of
                     some sort.

6.3. The Class IPsecBypassAction

   The class IPsecBypassAction is used when packets are allowed to be
   processed without applying IPsec encapsulation to them. This is the
   same as stating that packets are allowed to flow in the clear.

   The class definition for IPsecBypassAction is as follows:

      NAME           IPsecBypassAction
      DESCRIPTION    Specifies that packets are to be allowed to pass
                     in the clear.
      DERIVED FROM   SAStaticAction
      ABSTRACT       FALSE

6.4. The Class IPsecDiscardAction

   The class IPsecDiscardAction is used when packets are to be
   discarded. This is the same as stating that packets are to be
   denied.

   The class definition for IPsecDiscardAction is as follows:

      NAME           IPsecDiscardAction
      DESCRIPTION    Specifies that packets are to be discarded.
      DERIVED FROM   SAStaticAction
      ABSTRACT       FALSE
6.5. The Class IKERejectAction

   The class IKERejectAction is used to prevent attempting an IKE
   negotiation with the peer(s). The main use of this class is to
   prevent some denial of service attacks when acting as IKE responder.
   It goes beyond a plain discard of UDP/500 IKE packets because the
   SACondition can be based on a specific PeerIDPayloadFilterEntry
   (when aggressive mode is used).

   The class definition for IKERejectAction is as follows:

      NAME           IKERejectAction
      DESCRIPTION    Specifies that an IKE negotiation should not even
                     be attempted or continued.
      DERIVED FROM   SAStaticAction
      ABSTRACT       FALSE

6.6. The Class PreconfiguredSAAction

   The class PreconfiguredSAAction is used to create a security
   association using preconfigured, hard-wired algorithms and keys.

   Notes:

   - the SPI for a PreconfiguredSAAction is contained in the
     association, TransformOfPreconfiguredAction;

   - the session key (if applicable) is contained in an instance of the
     class SharedSecret (see appendix B). The session key is stored in
     the property secret, the property protocol contains either "ESP"
     or "AH", the property algorithm contains the algorithm used to
     protect the secret (can be "PLAINTEXT" if the IPsec entity has no
     secret storage), and the value of property RemoteID is the
     concatenation of the remote IPsec peer IP address in dotted
     decimal, of the character "/", and of the hexadecimal
     representation of the SPI.

   Although the class is concrete, it MUST not be instantiated.

   The class definition for PreconfiguredSAAction is as follows:

      NAME           PreconfiguredSAAction
      DESCRIPTION    Specifies preconfigured algorithm and keying
                     information for creation of a security
                     association.
      DERIVED FROM   SAStaticAction
      ABSTRACT       FALSE
      PROPERTIES     LifetimeKilobytes

6.6.1. The Property LifetimeKilobytes

   The property LifetimeKilobytes specifies a traffic limit in
   kilobytes that can be consumed before the SA is deleted.

   The property is defined as follows:

      NAME           LifetimeKilobytes
      DESCRIPTION    Specifies the SA lifetime in kilobytes.
      SYNTAX         unsigned 32-bit integer
      VALUE          A value of zero indicates that there is not a
                     lifetime associated with this action (i.e.,
                     infinite lifetime).
A non-zero value is used to indicate thatwas obtained duringafter this amount of kilobytes has been consumed theIKE phase 1 negotiation. This information canSA must beidentity information (such as User FQDN) or information retrieved from credential information (for example, fieldsdeleted froma certificate). This information can bethe SADB. 6.7. The Class PreconfiguredTransportAction The class PreconfiguredTransportAction is usedas a form of access control.to create an IPsec transport-mode security association using preconfigured, hard-wired algorithms and keys. The class definition forCredentialFilterEntryPreconfiguredTransportAction is as follows: NAMECredentialFilterEntryPreconfiguredTransportAction DESCRIPTIONDefines the filterSpecifies preconfigured algorithm and keying information formatching against IKE phase 1 credential/identity information.creation of an IPsec transport security association. DERIVED FROMFilterBaseEntryPreconfiguredSAAction ABSTRACT FALSEPROPERTIES To Be Determined... 5.20.6.8. TheAggregationClassFilterOfSACondition Jason Expires January 2001 [Page 27] Internet Draft IPsec Configuration Policy Model July 2000PreconfiguredTunnelAction The classFilterOfSACondition associatesPreconfiguredTunnelAction is used to create anSACondition with the filter specifications (FilterList) that make up the condition.IPsec tunnel-mode security association using preconfigured, hard-wired algorithms and keys. The class definition forFilterOfSAConditionPreconfiguredSAAction is as follows: NAMEFilterOfSAConditionPreconfiguredTunnelAction DESCRIPTIONAssociates a condition with the filter list that make up the individual condition elements.Specifies preconfigured algorithm and keying information for creation of an IPsec tunnel-mode security association. DERIVED FROM PreconfiguredSAAction ABSTRACT FALSE PROPERTIESAntecedent [ref FilterList[0..1]] Dependent [ref SACondition [0..n]] 5.20.1.PeerGatewayAddressType PeerGatewayAddress DFHandling 6.8.1. 
TheReference AntecedentProperty PeerGatewayAddressType The propertyAntecedent contains an object reference to a FilterListPeerGatewayAddressType specifies the format of the PeerGatewayAddress property. Addresses thatis containedcan be formatted inone or more SAConditions. The [0..1] cardinality indicatesIPv4 format, must be formatted thatan SACondition may have zero or one FilterList. 5.20.2. The Reference Dependent The property Dependent contains an object referenceway toan SACondition that contains an FilterList. The [0..n] cardinality indicates that a FilterList may be contained in zero or more SAConditions. 5.21. The Composition Class EntriesInFilterList The class EntriesInFilterList associatesensure mixed IPv4/IPv6 Jason, et al Expires September 2001 [Page 33] Internet Draft IPsec Configuration Policy Model March 2001 support. When theindividual FilterEntryBases withtunnel peer is not aFilterList. Together these individual FilterEntryBases can create complex conditions.security gateway, this property value is set to 0. Theclass definition for EntriesInFilterListproperty is defined as follows: NAMEEntriesInFilterListPeerGatewayAddressType DESCRIPTIONAssociates a FilterList withSpecifies thesetformat ofindividual filters. ABSTRACT FALSE PROPERTIES Antecedent [ref FilterEntryBase[0..n]] Dependent [ref FilterList [1..1]] EntrySequence 5.21.1.PeerGatewayAddress. SYNTAX unsigned 16-bit integer VALUE 0 - unknown 1 - IPv4 2 - IPv6 6.8.2. TheReference AntecedentProperty PeerGatewayAddress The propertyAntecedent contains an object referencePeerGatewayAddress specifies the IP address of the tunnel peer security gateway formatted according toa FilterEntryBase that is containedthe appropriate convention as defined in the PeerGatewayAddressType property of this class (e.g., 171.79.6.40). When the tunnel peer is not aFilterList. The [0..n] cardinality indicates that a FilterList may have zero or more FilterEntryBases. 5.21.2. 
The Reference Dependent Thesecurity gateway, this propertyDependent contains an object referencevalue is set toa FilterList that contains zero or more FilterEntryBases.NULL. The[1..1] cardinality indicatesproperty is defined as follows: NAME PeerGatewayAddress DESCRIPTION Specifies the IP address of the tunnel peer. SYNTAX string VALUE When the value is NULL, this is a special meaning: the IP address of the actual remote IKE entity is the destination IP address of the IP packet that triggered the SARule. Else, the value is aFilterEntryBase may be contained in one and only Jason Expires January 2001 [Page 28] Internet Draft IPsec Configuration Policy Model July 2000 one FilterLists (i.e., FilterEntryBases cannot be shared between FilterLists). 5.21.3.string representation of an IPv4 or IPv6 address. 6.8.3. The PropertyEntrySequenceDFHandling The propertyEntrySequence specifies, for a given FilterList,DFHandling specifies how theorder in whichDon't Fragment bit of thefilters shouldinternal IP header is to bechecked.handled during IPsec processing. The property is defined as follows: NAMEEntrySequenceDFHandling DESCRIPTION Specifies theorder to checkprocessing of thefilters in a FilterList.DF bit. SYNTAX unsigned 16-bit integer VALUELower valued filters are checked first. The order of checking of FilterEntryBases with1 - Copy thesame EntrySequence value is undefined. Jason Expires January 2001 [Page 29] Internet Draft IPsec Configuration Policy Model July 2000 6. Action Classes The action classes are usedDF bit from the internal IP header tomodelthedifferent actions an IPsec device may take whenexternal IP header. 2 - Set theevaluationDF bit of theassociated condition resultsexternal IP header to 1. 3 - Clear the DF bit of the external IP header to 0. 6.9. The Class SANegotiationAction The class SANegotiationAction serves as the base class for IKE and IPsec actions that result in amatch. 
negotiation. Although the class is concrete, it MUST not be instantiated. The class definition for SANegotiationAction is as follows:

    NAME          SANegotiationAction
    DESCRIPTION   A base class for IKE and IPsec actions that specifies the parameters that are common to IKE phase 1 and IKE phase 2 IPsec DOI negotiations.
    DERIVED FROM  SAAction
    ABSTRACT      FALSE
    PROPERTIES    MinLifetimeSeconds
                  MinLifetimeKilobytes
                  RefreshThresholdSeconds
                  RefreshThresholdKilobytes
                  IdleDurationSeconds

6.9.1. The Property MinLifetimeSeconds

The property MinLifetimeSeconds specifies the minimum seconds lifetime that will be accepted from the peer. MinLifetimeSeconds is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. The property is defined as follows:

    NAME          MinLifetimeSeconds
    DESCRIPTION   Specifies the minimum acceptable seconds lifetime.
    SYNTAX        unsigned 32-bit integer
    VALUE         A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum seconds lifetime.

6.9.2. The Property MinLifetimeKilobytes

The property MinLifetimeKilobytes specifies the minimum kilobytes lifetime that will be accepted from the peer. MinLifetimeKilobytes is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations.

Note that there has been considerable debate regarding the usefulness of applying kilobyte lifetimes to IKE phase 1 security associations, so it is likely that this property will only apply to the sub-class IPsecAction. The property is defined as follows:

    NAME          MinLifetimeKilobytes
    DESCRIPTION   Specifies the minimum acceptable kilobytes lifetime.
    SYNTAX        unsigned 32-bit integer
    VALUE         A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum kilobytes lifetime.

6.9.3. The Property RefreshThresholdSeconds

The property RefreshThresholdSeconds specifies what percentage of the seconds lifetime can expire before IKE should attempt to renegotiate the security association. A random value may be added to the calculated threshold (percentage x seconds lifetime) to reduce the chance of both peers attempting to renegotiate at the same time. The property is defined as follows:

    NAME          RefreshThresholdSeconds
    DESCRIPTION   Specifies the percentage of the seconds lifetime that has expired before the security association is renegotiated.
    SYNTAX        unsigned 8-bit integer
    VALUE         A value between 1 and 100 representing a percentage. A value of 100 indicates that the security association should not be renegotiated until the seconds lifetime has been reached.

6.9.4. The Property RefreshThresholdKilobytes

The property RefreshThresholdKilobytes specifies what percentage of the kilobyte lifetime can expire before IKE should attempt to renegotiate the IPsec security association. A random value may be added to the calculated threshold (percentage x kilobyte lifetime) to reduce the chance of both peers attempting to renegotiate at the same time. Note that, as with the property MinLifetimeKilobytes, this property is probably only relevant to IPsecAction sub-classes. The property is defined as follows:

    NAME          RefreshThresholdKilobytes
    DESCRIPTION   Specifies the percentage of the kilobyte lifetime that has expired before the IPsec security association is renegotiated.
    SYNTAX        unsigned 8-bit integer
    VALUE         A value between 1 and 100 representing a percentage. A value of 100 indicates that the IPsec security association should not be renegotiated until the kilobyte lifetime has been reached.

6.9.5. The Property IdleDurationSeconds

The property IdleDurationSeconds specifies how many seconds a security association may remain idle (i.e., no traffic protected using the security association) before it is deleted. The property is defined as follows:

    NAME          IdleDurationSeconds
    DESCRIPTION   Specifies how long, in seconds, a security association may remain unused before it is deleted.
    SYNTAX        unsigned 32-bit integer
    VALUE         A value of zero indicates that idle detection should not be used for the security association (only the seconds and kilobyte lifetimes will be used). Any non-zero value indicates the number of seconds the security association may remain unused.

6.10. The Class IPsecAction

The class IPsecAction serves as the base class for IPsec transport and tunnel actions. It specifies the parameters used for an IKE phase 2 IPsec DOI negotiation. Although the class is concrete, it MUST not be instantiated. The class definition for IPsecAction is as follows:

    NAME          IPsecAction
    DESCRIPTION   A base class for IPsec transport and tunnel actions that specifies the parameters for IKE phase 2 IPsec DOI negotiations.
    DERIVED FROM  SANegotiationAction
    ABSTRACT      FALSE
    PROPERTIES
                  UsePFS
                  UseIKEGroup
                  GroupId
                  Granularity
                  VendorID

6.10.1. The Property UsePFS

The property UsePFS specifies whether or not perfect forward secrecy should be used when refreshing keys. The property is defined as follows:

    NAME          UsePFS
    DESCRIPTION   Specifies whether or not to use PFS when refreshing keys.
    SYNTAX        boolean
    VALUE         A value of true indicates that PFS should be used. A value of false indicates that PFS should not be used.

6.10.2. The Property UseIKEGroup

The property UseIKEGroup specifies whether or not phase 2 should use the same key exchange group as was used in phase 1. UseIKEGroup is ignored if UsePFS is false. The property is defined as follows:

    NAME          UseIKEGroup
    DESCRIPTION   Specifies whether or not to use the same GroupId for phase 2 as was used in phase 1. If UsePFS is false, then UseIKEGroup is ignored.
    SYNTAX        boolean
    VALUE         A value of true indicates that the phase 2 GroupId should be the same as phase 1. A value of false indicates that the property GroupId will contain the key exchange group to use for phase 2.

6.10.3. The Property GroupId

The property GroupId specifies the key exchange group to use for phase 2. GroupId is ignored if (1) the property UsePFS is false, or (2) the property UsePFS is true and the property UseIKEGroup is true. If the GroupId number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows:

    NAME          GroupId
    DESCRIPTION   Specifies the key exchange group to use for phase 2 when the property UsePFS is true and the property UseIKEGroup is false.
    SYNTAX        unsigned 16-bit integer
    VALUE         Consult [IKE] for valid values.

6.10.4. The Property Granularity

The property Granularity specifies how the selector for the security association should be derived from the traffic that triggered the negotiation. The property is defined as follows:

    NAME          Granularity
    DESCRIPTION   Specifies how the proposed selector for the security association will be created.
    SYNTAX        unsigned 16-bit integer
    VALUE         1 - subnet: the source and destination subnet masks of the FilterEntry are used.
                  2 - address: only the source and destination IP addresses of the triggering packet are used.
                  3 - protocol: the source and destination IP addresses and the IP protocol of the triggering packet are used.
                  4 - port: the source and destination IP addresses, the IP protocol and the source and destination layer 4 ports of the triggering packet are used.

6.10.5. The Property VendorID

The property VendorID is used together with the property GroupId (when it is in the vendor-specific range) to identify the key exchange group. VendorID is ignored unless UsePFS is true, UseIKEGroup is false and GroupId is in the vendor-specific range (32768-65535). The property is defined as follows:

    NAME          VendorID
    DESCRIPTION   Specifies the IKE Vendor ID.
    SYNTAX        string

6.11. The Class IPsecTransportAction

The class IPsecTransportAction is a subclass of IPsecAction that is used to specify use of an IPsec transport-mode security association. The class definition for IPsecTransportAction is as follows:

    NAME          IPsecTransportAction
    DESCRIPTION   Specifies that an IPsec transport-mode security association should be negotiated.
    DERIVED FROM  IPsecAction
    ABSTRACT      FALSE

6.12. The Class IPsecTunnelAction

The class IPsecTunnelAction is a subclass of IPsecAction that is used to specify use of an IPsec tunnel-mode security association. The class definition for IPsecTunnelAction is as follows:

    NAME          IPsecTunnelAction
    DESCRIPTION   Specifies that an IPsec tunnel-mode security association should be negotiated.
    DERIVED FROM  IPsecAction
    ABSTRACT      FALSE
    PROPERTIES    DFHandling

6.12.1. The Property DFHandling

The property DFHandling specifies how the tunnel should manage the Don't Fragment (DF) bit. The property is defined as follows:

    NAME          DFHandling
    DESCRIPTION   Specifies how to process the DF bit.
    SYNTAX        unsigned 16-bit integer
    VALUE         1 - Copy the DF bit from the internal IP header to the external IP header.
                  2 - Set the DF bit of the external IP header to 1.
                  3 - Clear the DF bit of the external IP header to 0.

6.13. The Class IKEAction

The class IKEAction specifies the parameters that are to be used for IKE phase 1 negotiation. The class definition for IKEAction is as follows:

    NAME          IKEAction
    DESCRIPTION   Specifies the IKE phase 1 negotiation parameters.
    DERIVED FROM  SANegotiationAction
    ABSTRACT      FALSE
    PROPERTIES    RefreshThresholdDerivedKeys
                  ExchangeMode
                  UseIKEIdentityType
                  VendorID
                  AggressiveModeGroupId

6.13.1. The Property RefreshThresholdDerivedKeys

The property RefreshThresholdDerivedKeys specifies what percentage of the derived key limit (see the LifetimeDerivedKeys property of IKEProposal) can expire before IKE should attempt to renegotiate the IKE phase 1 security association. A random value may be added to the calculated threshold (percentage x derived key limit) to reduce the chance of both peers attempting to renegotiate at the same time. The property is defined as follows:

    NAME          RefreshThresholdDerivedKeys
    DESCRIPTION   Specifies the percentage of the derived key limit that has expired before the IKE phase 1 security association is renegotiated.
    SYNTAX        unsigned 8-bit integer
    VALUE         A value between 1 and 100 representing a percentage. A value of 100 indicates that the IKE phase 1 security association should not be renegotiated until the derived key limit has been reached.

6.13.2. The Property ExchangeMode

The property ExchangeMode specifies which IKE mode should be used for IKE phase 1 negotiations. The property is defined as follows:

    NAME          ExchangeMode
    DESCRIPTION   Specifies the IKE negotiation mode for phase 1.
    SYNTAX        unsigned 16-bit integer
    VALUE         1 - base mode
                  2 - main mode
                  4 - aggressive mode

6.13.3. The Property UseIKEIdentityType

The property UseIKEIdentityType specifies what IKE identity type should be used when negotiating with the peer. This information is used in conjunction with the IKE identities available on the system and the IdentityContexts of the matching IKERule. The property is defined as follows:

    NAME          UseIKEIdentityType
    DESCRIPTION   Specifies the IKE identity to use during negotiation.
    SYNTAX        unsigned 16-bit integer
    VALUE         1 - IPv4 Address
                  2 - FQDN
                  3 - User FQDN
                  4 - IPv4 Subnet
                  5 - IPv6 Address
                  6 - IPv6 Subnet
                  7 - IPv4 Address Range
                  8 - IPv6 Address Range
                  9 - DER-Encoded ASN.1 X.500 Distinguished Name
                  10 - DER-Encoded ASN.1 X.500 GeneralName
                  11 - Key ID

6.13.4. The Property VendorID

The property VendorID specifies the value to be used in the Vendor ID payload.
The property is defined as follows:

    NAME          VendorID
    DESCRIPTION   Vendor ID Payload.
    SYNTAX        string
    VALUE         A value of NULL means that the Vendor ID payload will be neither generated nor accepted. A non-NULL value means that a Vendor ID payload will be generated (when acting as an initiator) or is expected (when acting as a responder).

6.13.5. The Property AggressiveModeGroupId

The property AggressiveModeGroupId specifies which group ID is to be used in the first packets of the phase 1 negotiation. This property is ignored unless the property ExchangeMode is set to 4 (aggressive mode). If the AggressiveModeGroupId number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows:

    NAME          AggressiveModeGroupId
    DESCRIPTION   Specifies the group ID to be used for aggressive mode.
    SYNTAX        unsigned 16-bit integer

6.14. The Class PeerGateway

The class PeerGateway specifies the security gateway with which the IKE service negotiates. The class definition for PeerGateway is as follows:

    NAME          PeerGateway
    DESCRIPTION   Specifies the security gateway with which to negotiate.
    DERIVED FROM  LogicalElement (see Appendix A)
    ABSTRACT      FALSE
    PROPERTIES    Name
                  PeerIdentityType
                  PeerIdentity

6.14.1. The Property Name

The property Name specifies a user-friendly name for this security gateway. The property is defined as follows:

    NAME          Name
    DESCRIPTION   Specifies a user-friendly name for this security gateway.
    SYNTAX        string

6.14.2. The Property PeerIdentityType

The property PeerIdentityType specifies the IKE identity type of the security gateway. The property is defined as follows:

    NAME          PeerIdentityType
    DESCRIPTION   Specifies the IKE identity type of the security gateway.
    SYNTAX        unsigned 16-bit integer
    VALUE         1 - IPv4 Address
                  2 - FQDN
                  3 - User FQDN
                  4 - IPv4 Subnet
                  5 - IPv6 Address
                  6 - IPv6 Subnet
                  7 - IPv4 Address Range
                  8 - IPv6 Address Range
                  9 - DER-Encoded ASN.1 X.500 Distinguished Name
                  10 - DER-Encoded ASN.1 X.500 GeneralName
                  11 - Key ID

6.14.3. The Property PeerIdentity

The property PeerIdentity specifies the IKE identity value of the security gateway. A conversion may be needed between the PeerIdentity string representation and the real value used in the ID payload (e.g., an IP address is to be converted from a dotted decimal string into 4 bytes). The property is defined as follows:

    NAME          PeerIdentity
    DESCRIPTION   Specifies the IKE identity value of the security gateway.
    SYNTAX        string

6.15. The Association Class PeerGatewayForTunnel

The class PeerGatewayForTunnel associates IPsecTunnelActions with an ordered list of PeerGateways. The class definition for PeerGatewayForTunnel is as follows:

    NAME          PeerGatewayForTunnel
    DESCRIPTION   Associates IPsecTunnelActions with an ordered list of PeerGateways.
    DERIVED FROM  Dependency (see Appendix A)
    ABSTRACT      FALSE
    PROPERTIES    Antecedent [ref PeerGateway[0..n]]
                  Dependent [ref IPsecTunnelAction[0..n]]
                  SequenceNumber

6.15.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that an IPsecTunnelAction instance may be associated with zero or more PeerGateway instances. Note: when there is no PeerGateway associated with an IPsecTunnelAction, this means that the IKE service acts as a responder and will accept phase 1 negotiation with any other security gateway.

6.15.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IPsecTunnelAction instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more IPsecTunnelAction instances.

6.15.3. The Property SequenceNumber

The property SequenceNumber specifies the ordering to be used when evaluating PeerGateway instances for a given IPsecTunnelAction. The property is defined as follows:

    NAME          SequenceNumber
    DESCRIPTION   Specifies the order of evaluation for PeerGateways.
    SYNTAX        unsigned 16-bit integer
    VALUE         Lower values are evaluated first.

6.16. The Aggregation Class ContainedProposal

The class ContainedProposal associates an ordered list of SAProposals with the SANegotiationAction that aggregates them. If the referenced SANegotiationAction object is an IKEAction, then the referenced SAProposal object(s) must be IKEProposal(s). If the referenced SANegotiationAction object is an IPsecTransportAction or an IPsecTunnelAction, then the referenced SAProposal object(s) must be IPsecProposal(s). The class definition for ContainedProposal is as follows:

    NAME          ContainedProposal
    DESCRIPTION   Associates an ordered list of SAProposals with an SANegotiationAction.
    DERIVED FROM  PolicyComponent (see [PCIM])
    ABSTRACT      FALSE
    PROPERTIES    GroupComponent [ref SANegotiationAction[0..n]]
                  PartComponent [ref SAProposal[1..n]]
                  SequenceNumber

6.16.1. The Reference GroupComponent

The property GroupComponent is inherited from PolicyComponent and is overridden to refer to an SANegotiationAction instance. The [0..n] cardinality indicates that an SAProposal instance may be associated with zero or more SANegotiationAction instances. Note: the cardinality 0 has a specific meaning:

- when the IKE service acts as a responder, this means that the IKE service will accept phase 1 negotiation with any other security gateway;
- when the IKE service acts as an initiator, this means that the IKE service will use the destination IP address (of the IP packets which triggered the SARule) as the IP address of the peer IKE entity.

6.16.2. The Reference PartComponent

The property PartComponent is inherited from PolicyComponent and is overridden to refer to an SAProposal instance.
The [1..n] cardinality indicates that an SANegotiationAction instance MUSTcontainbe associated with at least oneSAProposal. 6.12.3.SAProposal instance. 6.16.3. The Property SequenceNumber The property SequenceNumber specifies the order of preference for the SAProposals. The property is defined as follows: NAME SequenceNumber DESCRIPTION Specifies the preference order for the SAProposals. SYNTAX unsigned 16-bit integer VALUE Lower-valued proposals are preferred over proposals with higher values.If two proposals haveFor ContainedProposals that reference the same SANegotiationAction, SequenceNumbervalue, then the order of preference is undefined. Jason Expires January 2001 [Page 39] Internet Draft IPsec Configuration Policy Model July 2000 7. Proposal and Transform Classes The proposal and transform classes model the proposal settings an IPsec device will use during IKE phase 1 and 2 negotiations. +--------------+ | [SAProposal] | +--------------+ ^ | +----------------------+ | | +-------------+ +---------------+ | IKEProposal | | IPsecProposal | +-------------+ +---------------+ *o | (a) n| +---------------+ | [SATransform] | +---------------+ ^ | +--------------------+-----------+---------+ | | | +-------------+ +--------------+ +----------------+ | AHTransform | | ESPTransform | |IPCOMPTransform | +-------------+ +--------------+ +----------------+ (a) ContainedTransform 7.1.values must be unique. 6.17. TheAbstractAssociation ClassSAProposalHostedPeerGatewayInformation Theabstract class SAProposal serves as the baseclassfor the IKE and IPsec proposal classes. It specifies the parameters that are common to the two proposal types.HostedPeerGatewayInformation weakly associates a PeerGateway with a System. 
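The string-to-ID-payload conversion that 6.14.3 above says "may be needed", worked through as an added example that is not part of the draft: it maps a PeerGateway's PeerIdentity string to the identification data octets according to the PeerIdentityType enumeration of 6.14.2. The subnet and range layouts (address then mask; first then last address), ASCII for the FQDN types and a hex-encoded Key ID are assumptions of this example taken from the IPsec DOI rather than stated in the draft.

```python
"""Added example, not part of the draft: turn a PeerGateway's PeerIdentity
string (6.14.3) into the identification data of an IKE ID payload,
selected by the PeerIdentityType enumeration of 6.14.2."""
import binascii
import ipaddress

# PeerIdentityType values exactly as enumerated in section 6.14.2.
IPV4_ADDR, FQDN, USER_FQDN, IPV4_SUBNET = 1, 2, 3, 4
IPV6_ADDR, IPV6_SUBNET, IPV4_RANGE, IPV6_RANGE = 5, 6, 7, 8
DER_ASN1_DN, DER_ASN1_GN, KEY_ID = 9, 10, 11

# IP version implied by each address-based identity type.
_VERSION = {IPV4_ADDR: 4, IPV4_SUBNET: 4, IPV4_RANGE: 4,
            IPV6_ADDR: 6, IPV6_SUBNET: 6, IPV6_RANGE: 6}


def _check_version(peer_identity_type, obj):
    """Reject e.g. an IPv6 prefix stored under an IPv4 identity type."""
    if obj.version != _VERSION[peer_identity_type]:
        raise ValueError(
            f"PeerIdentity {obj} does not match PeerIdentityType {peer_identity_type}")


def peer_identity_to_id_data(peer_identity_type: int, peer_identity: str) -> bytes:
    """Return the octets that follow the ID payload header.

    Layout assumptions (from the IPsec DOI, not spelled out in the draft):
    subnet types carry address followed by mask, range types carry the
    first address followed by the last, FQDN types are ASCII text, and
    Key ID is an opaque octet string that this example expects hex-encoded.
    """
    if peer_identity_type in (IPV4_ADDR, IPV6_ADDR):
        addr = ipaddress.ip_address(peer_identity)
        _check_version(peer_identity_type, addr)
        return addr.packed                                    # 4 or 16 octets
    if peer_identity_type in (IPV4_SUBNET, IPV6_SUBNET):
        net = ipaddress.ip_network(peer_identity, strict=True)  # host bits must be 0
        _check_version(peer_identity_type, net)
        return net.network_address.packed + net.netmask.packed
    if peer_identity_type in (IPV4_RANGE, IPV6_RANGE):
        first, _, last = peer_identity.partition("-")          # "lo-hi" string form
        lo = ipaddress.ip_address(first.strip())
        hi = ipaddress.ip_address(last.strip())
        _check_version(peer_identity_type, lo)
        _check_version(peer_identity_type, hi)
        if lo > hi:
            raise ValueError("range start exceeds range end")
        return lo.packed + hi.packed
    if peer_identity_type in (FQDN, USER_FQDN):
        if peer_identity_type == USER_FQDN and "@" not in peer_identity:
            raise ValueError("User FQDN must have the form user@host")
        return peer_identity.encode("ascii")
    if peer_identity_type == KEY_ID:
        return binascii.unhexlify(peer_identity)
    if peer_identity_type in (DER_ASN1_DN, DER_ASN1_GN):
        raise NotImplementedError("DER-encoded names need an ASN.1 encoder")
    raise ValueError(f"unknown PeerIdentityType {peer_identity_type}")
```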
The class definition forSAProposalHostedPeerGatewayInformation is as follows: NAMESAProposalHostedPeerGatewayInformation DESCRIPTIONSpecifies the common proposal parameters for IKE and IPsec security association negotiation.Weakly associates a PeerGateway with a System. DERIVED FROM Dependency (see Appendix A) ABSTRACTTRUEFALSE PROPERTIESName MaxLifetimeSeconds MaxLifetimeKilobytes 7.1.1.Antecedent [ref System[1..1]] Dependent [ref PeerGateway[0..n] [weak]] 6.17.1. TheProperty NameReference Antecedent The propertyName specifies a user-friendly name for the SAProposal.Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerGateway instance MUST be associated with one and only one System instance. 6.17.2. The Reference Dependent The property Dependent isdefined as follows: NAME Name DESCRIPTION Specifiesinherited from Dependency and is overridden to refer to auser-friendly name for this proposal. JasonPeerGateway instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerGateway instances. 6.18. The Association Class TransformOfPreconfiguredAction Jason, et al ExpiresJanuarySeptember 2001 [Page40]44] Internet Draft IPsec Configuration Policy ModelJuly 2000 SYNTAX string 7.1.2. The Property MaxLifetimeSecondsMarch 2001 Theproperty MaxLifetimeSeconds specifies the maximum amount of time, in seconds,class TransformOfPreconfiguredAction associates a PreconfiguredSAAction with from one toproposethree SATransforms thata security associationwillremain valid after its creation.be applied to the traffic. Thepropertyorder of application of the SATransforms is implicitly defined in [IPSEC]. The class definition for TransformOfPreconfiguredAction is as follows: NAMEMaxLifetimeSecondsTransformOfPreconfiguredAction DESCRIPTIONSpecifies the maximum amount of time to proposeAssociates asecurity association remain valid. 
SYNTAX unsigned 32-bit integer VALUE A value of zeroPreconfiguredSAAction with from one to three SATransforms. DERIVED FROM Dependency (see Appendix A) ABSTRACT FALSE PROPERTIES Antecedent[ref SATransform[1..3]] Dependent[ref PreconfiguredSAAction[0..n]] SPI 6.18.1. The Reference Antecedent The property Antecedent is inherited from Dependency and is overridden to refer to an SATransform instance. The [1..3] cardinality indicates thatthe default of 8 hoursan SANegotiationAction instance may beused. A non-zero valueassociated with from one to three SATransform instances. 6.18.2. The Reference Dependent The property Dependent is inherited from Dependency and is overridden to refer to a PreconfiguredSAAction instance. The [0..n] cardinality indicatesthe maximum seconds lifetime. 7.1.3.that an SATransform instance may be associated with zero or more PreconfiguredSAAction instances. 6.18.3. The PropertyMaxLifetimeKilobytesSPI The propertyMaxLifetimeKilobytesSPI specifies themaximum kilobyte lifetimeSPI topropose that a security association will remain valid after its creation.be used by the pre-configured action for the associated transform. The property is defined as follows: NAMEMaxLifetimeKilobytesSPI DESCRIPTION Specifies themaximum kilobyte lifetimeSPI topropose a security association remain valid.be used with the SATransform. SYNTAX unsigned 32-bit integerVALUE A value of zero indicatesJason, et al Expires September 2001 [Page 45] Internet Draft IPsec Configuration Policy Model March 2001 7. Proposal and Transform Classes The proposal and transform classes model the proposal settings an IPsec device will use during IKE phase 1 and 2 negotiations. 
+--------------+*w 1+--------------+ | [SAProposal] |--------| System | +--------------+ (a) | (Appendix A) | ^ +--------------+ | |1 +----------------------+ | | | | +-------------+ +---------------+ | | IKEProposal | | IPsecProposal | | +-------------+ +---------------+ | *o | |(b) |(c) n| | +---------------+*w | | [SATransform] |----+ +---------------+ ^ | +--------------------+-----------+---------+ | | | +-------------+ +--------------+ +----------------+ | AHTransform | | ESPTransform | |IPCOMPTransform | +-------------+ +--------------+ +----------------+ (a) SAProposalInSystem (b) ContainedTransform (c) SATransformInSystem 7.1. The Abstract Class SAProposal The abstract class SAProposal serves as the base class for the IKE and IPsec proposal classes. It specifies the parameters thatthere should be no maximum kilobyte lifetime. A non-zero valueare common to the two proposal types. The class definition for SAProposal is as follows: NAME SAProposal DESCRIPTION Specifies the common proposal parameters for IKE and IPsec security association negotiation. DERIVED FROM Policy ([PCIM]) ABSTRACT TRUE PROPERTIES Name 7.1.1. The Property Name The property Name specifies a user-friendly name for thedesired kilobyte lifetime.SAProposal. The property is defined as follows: NAME Name Jason, et al Expires September 2001 [Page 46] Internet Draft IPsec Configuration Policy Model March 2001 DESCRIPTION Specifies a user-friendly name for this proposal. SYNTAX string 7.2. The Class IKEProposal The class IKEProposal specifies the proposal parameters necessary to drive an IKE security association negotiation. The class definition for IKEProposal is as follows: NAME IKEProposal DESCRIPTION Specifies the proposal parameters for IKE security association negotiation. DERIVED FROM SAProposal ABSTRACT FALSE PROPERTIES LifetimeDerivedKeys CipherAlgorithm HashAlgorithm PRFAlgorithm GroupId AuthenticationMethod MaxLifetimeSeconds MaxLifetimeKilobytes VendorID 7.2.1. 
The Property LifetimeDerivedKeys The property LifetimeDerivedKeys specifies the number of times that a phase 1 key will be used to derive a phase 2 key before the phase 1 security association needs renegotiated. Even though this is notJason Expires January 2001 [Page 41] Internet Draft IPsec Configuration Policy Model July 2000a parameter that is sent in an IKE proposal, it is included in the proposal as the number of keys derived may be a result of the strength of the algorithms in the IKEpropsoal.proposal. The property is defined as follows: NAME LifetimeDerivedKeys DESCRIPTION Specifies the number of phase 2 keys that can be derived from the phase 1 key. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there is no limit to the number of phase 2 keyswhichthat may be derived from the phase 1 key; instead the seconds and/or kilobytes lifetime will dictate the phase 1 rekeying. A non-zero value specifies the number of phase 2 keys that can be derived from the phase 1 key. 7.2.2. The Property CipherAlgorithm The property CipherAlgorithm specifies the proposed phase 1 security association encryption algorithm. The property is defined as follows: NAME CipherAlgorithmDESCRIPTION Specifies the proposedJason, et al Expires September 2001 [Page 47] Internet Draft IPsec Configuration Policy Model March 2001 DESCRIPTION Specifies the proposed encryption algorithm for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE1 - DES-CBC 2 - IDEA-CBC 3 - Blowfish-CBC 4 - RC5-R16-B64-CBC 5 - 3DES-CBC 6 - CAST-CBCConsult [IKE] for valid values. 7.2.3. The Property HashAlgorithm The property HashAlgorithm specifies the proposed phase 1 securityassocationassociation hash algorithm. The property is defined as follows: NAME HashAlgorithm DESCRIPTION Specifies the proposed hash algorithm for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE1 - MD5 2 - SHA-1 3 - TigerConsult [IKE] for valid values. 7.2.4. 
The Property PRFAlgorithm The property PRFAlgorithm specifies the proposed phase 1 security associationpsuedo-randompseudo-random function. The property is defined as follows: NAME PRFAlgorithmJason Expires January 2001 [Page 42] Internet Draft IPsec Configuration Policy Model July 2000DESCRIPTION Specifies the proposedpsuedo-randompseudo-random function for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE Currently none defined. 7.2.5. The Property GroupId The property GroupId specifies the proposed phase 1 securityassocation Diffie-Hellmanassociation key exchange group. This property is ignored for all aggressive mode exchanges. If the GroupID number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows: NAME GroupId DESCRIPTION Specifies the proposedDiffie-Hellmankey exchange group for the phase 1 security association. SYNTAX unsigned 16-bit integer VALUE1 - 768-bit MODP group 2 - 1024-bit MODP group 3 - EC2N group on GP[2^155] 4 - EC2N group on GP[2^185] 50 -1536-bit MODP groupNot applicable: used for aggressive mode. Consult [IKE] for other valid values. 7.2.6. The Property AuthenticationMethod The property AuthenticationMethod specifies the proposed phase 1 authentication method. The property is defined as follows: NAME AuthenticationMethod DESCRIPTION Specifies the proposed authentication method for the phase 1 security association. SYNTAX unsigned 16-bit integer Jason, et al Expires September 2001 [Page 48] Internet Draft IPsec Configuration Policy Model March 2001 VALUE 0 - a special valuewhichthat indicates that this particular proposal should be repeated once for each authentication method that corresponds to the credentials installed on the machine. 
For example, if the system has a pre-shared key and a certificate, a proposal list could be constructed which includes a proposal that specifies pre-shared key and proposals for any of the public-key authentication methods.1 - Pre-shared key 2 - DSS signatures 3 - RSA signatures 4 - Encryption with RSA 5 - Revised encryption with RSA 6 - Kerberos (has this number been assigned???) 7.3.Consult [IKE] for valid values. 7.2.7. TheClass IPsecProposalProperty MaxLifetimeSeconds Theclass IPsecProposal adds no new properties, but inherits proposal propoerties from SAProposal as well as aggregatingproperty MaxLifetimeSeconds specifies the maximum amount of time, in seconds, to propose that a security associationtransforms necessary for building an IPsec proposal (see the aggregation class ContainedTransform).will remain valid after its creation. Theclass definition for IPsecProposalproperty is defined as follows:Jason Expires January 2001 [Page 43] Internet Draft IPsec Configuration Policy Model July 2000NAMEIPsecProposalMaxLifetimeSeconds DESCRIPTION Specifies theproposal parameters for IPsecmaximum amount of time to propose a security associationnegotiation. DERIVED FROM SAProposal ABSTRACT FALSE 7.4. The Abstract Class SATransform The abstract class SATransform serves as the base class for the IPsec transforms that can be usedremain valid. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that the default of 8 hours be used. A non-zero value indicates the maximum seconds lifetime. 7.2.8. The Property MaxLifetimeKilobytes The property MaxLifetimeKilobytes specifies the maximum kilobyte lifetime to propose that a security association will remain valid after its creation. The property is defined as follows: NAME MaxLifetimeKilobytes DESCRIPTION Specifies the maximum kilobyte lifetime to propose a security association remain valid. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that there should be no maximum kilobyte lifetime. 
A non-zero value specifies the desired kilobyte lifetime. 7.2.9. The Property VendorID The property VendorID further qualifies the key exchange group. The property is ignored unless the exchange is not in aggressive mode and the property GroupID is in the vendor-specific range. The property is defined as follows: NAME VendorID DESCRIPTION Specifies the Vendor ID to further qualify the key exchange group. SYNTAX string 7.3. The Class IPsecProposal Jason, et al Expires September 2001 [Page 49] Internet Draft IPsec Configuration Policy Model March 2001 The class IPsecProposal adds no new properties, but inherits proposal properties from SAProposal as well as aggregating the security association transforms necessary for building an IPsec proposal (see the aggregation class ContainedTransform). The class definition for IPsecProposal is as follows: NAME IPsecProposal DESCRIPTION Specifies the proposal parameters for IPsec security association negotiation. DERIVED FROM SAProposal ABSTRACT FALSE 7.4. The Abstract Class SATransform The abstract class SATransform serves as the base class for the IPsec transforms that can be used to compose an IPsecproposal.proposal or to be used as a pre-configured action. The class definition for SATransform is as follows: NAME SATransform DESCRIPTION Base class for the different IPsec transforms. ABSTRACT TRUE PROPERTIESNameTransformName VendorID MaxLifetimeSeconds MaxLifetimeKilobytes 7.4.1. The PropertyNameTransformName The propertyNameTransformName specifies a user-friendly name for the SATransform. The property is defined as follows: NAMENameTransformName DESCRIPTION Specifies a user-friendly name for this transform. SYNTAX string7.4.1.7.4.2. The Property VendorID The property VendorID specifies the vendor ID for vendor-defined transforms. The property is defined as follows: NAME VendorID DESCRIPTION Specifies the vendor ID for vendor-defined transforms. 
SYNTAX string VALUE An empty VendorID string indicates that the transform isone of the previously-defined ones. 7.5.a standard one. 7.4.3. TheClass AHTransformProperty MaxLifetimeSeconds Theclass AHTransformproperty MaxLifetimeSeconds specifies theAH algorithmmaximum amount of time, in seconds, to proposeduring IPsecthat a security associationnegotiation.will remain valid after its creation. Theclass definition for AHTransformproperty is defined as follows: Jason, et al Expires September 2001 [Page 50] Internet Draft IPsec Configuration Policy Model March 2001 NAMEAHTransformMaxLifetimeSeconds DESCRIPTION Specifies theAH algorithmmaximum amount of time topropose. ABSTRACT FALSE PROPERTIES AHTransformId 7.5.1.propose a security association remain valid. SYNTAX unsigned 32-bit integer VALUE A value of zero indicates that the default of 8 hours be used. A non-zero value indicates the maximum seconds lifetime. 7.4.4. The PropertyAHTransformIdMaxLifetimeKilobytes The propertyAHTransformIdMaxLifetimeKilobytes specifies thetransform ID of the AH algorithmmaximum kilobyte lifetime topropose.propose that a security association will remain valid after its creation. The property is defined as follows:Jason Expires January 2001 [Page 44] Internet Draft IPsec Configuration Policy Model July 2000NAMEAHTransformIdMaxLifetimeKilobytes DESCRIPTION Specifies thetransform ID of the AH algorithm.maximum kilobyte lifetime to propose a security association remain valid. SYNTAX unsigned16-bit32-bit integer VALUE2 - MD5 3 - SHA-1 4 - DES 7.6.A value of zero indicates that there should be no maximum kilobyte lifetime. A non-zero value specifies the desired kilobyte lifetime. 7.5. The ClassESPTransformAHTransform The classESPTransformAHTransform specifies theESP algorithmsAH algorithm to propose during IPsec security association negotiation. 
The class definition forESPTransformAHTransform is as follows: NAMEESPTransformAHTransform DESCRIPTION Specifies theESP algorithmsAH algorithm to propose. ABSTRACT FALSE PROPERTIESIntegrityTransformId CipherTransformId CipherKeyLength CipherKeyRounds 7.6.1.AHTransformId UseReplayPrevention ReplayPreventionWindowSize 7.5.1. The PropertyIntegrityTransformIdAHTransformId The propertyIntegrityTransformIdAHTransformId specifies the transform ID of theESP integrityAH algorithm to propose. The property is defined as follows: NAMEIntegrityTransformIdAHTransformId DESCRIPTION Specifies the transform ID of theESP integrityAH algorithm. SYNTAX unsigned 16-bit integer VALUE0 - None 1 - HMAC-MD5 2 - HMAC-SHA 3 - DES-MAC 4 - KPDK 7.6.2.Consult [DOI] for valid values. 7.5.2. The PropertyCipherTransformIdUseReplayPrevention The propertyCipherTransformIdUseReplayPrevention specifiesthe transform ID of the ESP encryption algorithmwhether replay prevention detection is topropose.be used. The property is defined as follows: NAMECipherTransformIdUseReplayPrevention DESCRIPTION Specifiesthe transform ID of the ESP encryption algorithm.whether to enable replay prevention detection. Jason, et al Expires September 2001 [Page 51] Internet Draft IPsec Configuration Policy Model March 2001 SYNTAX boolean VALUE true - replay prevention detection is enabled. false - replay prevention detection is disabled. 7.5.3. The Property ReplayPreventionWindowSize The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be power of 2. The property is defined as follows: NAME ReplayPreventionWindowSize DESCRIPTION Specifies the length of the window used by replay prevention detection mechanism. SYNTAX unsigned 32-bit integer 7.6. 
The Class ESPTransform The class ESPTransform specifies the ESP algorithms to propose during IPsec security association negotiation. The class definition for ESPTransform is as follows: NAME ESPTransform DESCRIPTION Specifies the ESP algorithms to propose. ABSTRACT FALSE PROPERTIES IntegrityTransformId CipherTransformId CipherKeyLength CipherKeyRounds UseReplayPrevention ReplayPreventionWindowSize 7.6.1. The Property IntegrityTransformId The property IntegrityTransformId specifies the transform ID of the ESP integrity algorithm to propose. The property is defined as follows: NAME IntegrityTransformId DESCRIPTION Specifies the transform ID of the ESP integrity algorithm. SYNTAX unsigned 16-bit integer VALUE1 - DES IV64 2 - DES 3 - 3DES 4 - RC5 5 - IDEA JasonConsult [DOI] for valid values. 7.6.2. The Property CipherTransformId The property CipherTransformId specifies the transform ID of the ESP encryption algorithm to propose. The property is defined as follows: NAME CipherTransformId Jason, et al ExpiresJanuarySeptember 2001 [Page45]52] Internet Draft IPsec Configuration Policy ModelJuly 2000 6 - CAST 7 - Blowfish 8 - 3IDEA 9 - DES IV32 10 - RC4 11 - NULLMarch 2001 DESCRIPTION Specifies the transform ID of the ESP encryption algorithm. SYNTAX unsigned 16-bit integer VALUE Consult [DOI] for valid values. 7.6.3. The Property CipherKeyLength The property CipherKeyLength specifies, in bits, the key length for the ESP encryption algorithm. For encryption algorithmswhichthat use fixed-length keys, this value is ignored. The property is defined as follows: NAME CipherKeyLength DESCRIPTION Specifies the ESP encryption key length in bits. SYNTAX unsigned 16-bit integer 7.6.4. The Property CipherKeyRounds The property CipherKeyRounds specifies the number of key rounds for the ESP encryption algorithm. For encryption algorithms that use fixed number of key rounds, this value is ignored. 
The property is defined as follows: NAME CipherKeyRounds DESCRIPTION Specifies the number of key rounds for the ESP encryption algorithm. SYNTAX unsigned 16-bit integer VALUE Currently, key rounds are not defined for any ESP encryption algorithms.7.7.7.6.5. TheClass IPCOMPTransformProperty UseReplayPrevention Theclass IPCOMPTransformproperty UseReplayPrevention specifiesthewhether replay prevention detection is to be used. The property is defined as follows: NAME UseReplayPrevention DESCRIPTION Specifies whether to enable replay prevention detection. SYNTAX boolean VALUE true - replay prevention detection is enabled. false - replay prevention detection is disabled. 7.6.6. The Property ReplayPreventionWindowSize The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be power of 2. The property is defined as follows: NAME ReplayPreventionWindowSize DESCRIPTION Specifies the length of the window used by replay prevention detection mechanism. Jason, et al Expires September 2001 [Page 53] Internet Draft IPsec Configuration Policy Model March 2001 SYNTAX unsigned 32-bit integer 7.7. The Class IPCOMPTransform The class IPCOMPTransform specifies the IP compression (IPCOMP) algorithm to propose during IPsec security association negotiation. The class definition for IPCOMPTransform is as follows: NAME IPCOMPTransform DESCRIPTION Specifies the IPCOMP algorithm to propose. ABSTRACT FALSE PROPERTIES Algorithm DictionarySize PrivateAlgorithm 7.7.1. The Property Algorithm The property Algorithm specifies the transform ID of the IPCOMP compression algorithm to propose. The property is defined as follows: NAME Algorithm DESCRIPTION Specifies the transform ID of the IPCOMP compression algorithm. 
SYNTAX unsigned 16-bit integerJason Expires January 2001 [Page 46] Internet Draft IPsec Configuration Policy Model July 2000VALUE 1 -OUI (the property PrivateAlgorithm will contain the vendor-specificOUI: a vendor specific algorithmto use) 2 - DEFLATE 3 - LZS 4 - V42BIS (has this number been assigned ???)is used and specified in the property PrivateAlgorithm. Consult [DOI] for other valid values. 7.7.2. The Property DictionarySize The property DictionarySize specifies the log2 maximum size of thedictiondictionary for the compression algorithm. For compression algorithms that have pre-defined dictionary sizes, this value isignores.ignored. The property is defined as follows: NAME DictionarySize DESCRIPTION Specifies the log2 maximum size of the dictionary. SYNTAX unsigned 16-bit integer 7.7.3. The Property PrivateAlgorithm The property PrivateAlgorithm specifies a private vendor-specific compression algorithm. This value is only used when the property Algorithm is 1 (OUI). The property is defined as follows: NAME PrivateAlgorithm DESCRIPTION Specifies a private vendor-specific compression algorithm. SYNTAX unsigned 32-bit integer 7.8. The Association Class SAProposalInSystem Jason, et al Expires September 2001 [Page 54] Internet Draft IPsec Configuration Policy Model March 2001 The class SAProposalInSystem weakly associates SAProposals with a System. The class definition for SAProposalInSystem is as follows: NAME SAProposalInSystem DESCRIPTION Weakly associates SAProposals with a System. DERIVED FROM PolicyInSystem (see [PCIM]) ABSTRACT FALSE PROPERTIES Antecedent[ref System [1..1]] Dependent[ref SAProposal[0..n] [weak]] 7.8.1. The Reference Antecedent The property Antecedent is inherited from PolicyInSystem and is overridden to refer to a System instance. The [1..1] cardinality indicates that an SAProposal instance MUST be associated with one and only one System instance. 7.8.2. 
The Reference Dependent The property Dependent is inherited from PolicyInSystem and is overridden to refer to an SAProposal instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more SAProposal instances. 7.9. The Aggregation Class ContainedTransform The class ContainedTransform associates an IPsecProposal with the set of SATransforms that make up the proposal. If multipletranformstransforms of the same type are in a proposal, then they are to be logically ORed and the order of preference is dictated by the SequenceNumber property. Sets of transforms of different types are logically ANDed. For example, if the ordered proposal list were ESP = { (HMAC-MD5,DES),3DES), (HMAC-MD5,3DES)DES) } AH = { MD5, SHA-1 } then the one sending the proposalwantswould want the other side to pick one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND one from the AH transformlist.list (preferably MD5). The class definition for ContainedProposal is as follows: NAME ContainedTransform DESCRIPTION Associates an IPsecProposal with the set of SATransforms that make up the proposal. DERIVED FROM PolicyComponent (see [PCIM]) ABSTRACT FALSE PROPERTIES GroupComponent[ref IPsecProposal[0..n]] PartComponent[ref SATransform[1..n]] SequenceNumberJason7.9.1. The Reference GroupComponent Jason, et al ExpiresJanuarySeptember 2001 [Page47]55] Internet Draft IPsec Configuration Policy ModelJuly 2000 7.8.1. The Reference GroupComponentMarch 2001 The property GroupComponentcontains an object referenceis inherited from PolicyComponent and is overridden to refer to an IPsecProposalthat contains one or more SATransforms.instance. The [0..n] cardinality indicates thattherean SATransform instance may be associated with zero or moreIPsecProposals that contain any given SATransform. 7.8.2.IPsecProposal instances. 7.9.2. 
The Reference PartComponent The property PartComponentcontains an object referenceis inherited from PolicyComponent and is overridden to refer to an SATransformcontained by one or more IPsecProposals.instance. The [1..n] cardinality indicates that anIPsecPropsalIPsecProposal instance MUSTcontainbe associated with at least oneSATransform. 7.8.3.SATransform instance. 7.9.3. The Property SequenceNumber The property SequenceNumber specifies the order of preference for the SATransforms of the same type. The property is defined as follows: NAME SequenceNumber DESCRIPTION Specifies the preference order for the SATransforms of the same type. SYNTAX unsigned 16-bit integer VALUE Lower-valued transforms are preferred over transforms of the same type with higher values.If two transforms of the same type haveFor ContainedTransforms that reference the same IPsecProposal, SequenceNumbervalue, then the order of preference is undefined. 8. Security Considerations This document describesvalues must be unique. 7.10. The Association Class SATransformInSystem The class SATransformInSystem weakly associates SATransforms with aschema for IPsec policy. It does not detail security requirementsSystem. The class definition forstorage or delivery of said schema. Storage and delivery security requirements should be detailed inSATransformInSystem System is as follows: NAME SATransformInSystem DESCRIPTION Weakly associates SATransforms with acomprehensive security policy architecture document. 9. Intellectual PropertySystem. DERIVED FROM PolicyInSystem (see [PCIM]) ABSTRACT FALSE PROPERTIES Antecedent[ref System[1..1]] Dependent[ref SATransform[0..n] [weak]] 7.10.1. 
The Reference Antecedent TheIETF takes no position regarding the validity or scope of any intellectualpropertyor other rights that might be claimed to pertainAntecedent is inherited from PolicyInSystem and is overridden tothe implementation or use of the technology described in this document or the extentrefer towhich any license under such rights might or might not be available; neither does it representa System instance. The [1..1] cardinality indicates thatit has made any effort to identify any such rights. Information on the IETF's proceduresan SATransform instance MUST be associated withrespect to rights in standards-trackone andstandards-related documentation can be found in BCP-11. Copies of claims of rights made available for publicationonly one System instance. 7.10.2. The Reference Dependent The property Dependent is inherited from PolicyInSystem andany assurances of licensesis overridden tobe made available, or the result of an attempt maderefer toobtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat. Jasonan SATransform instance. The [0..n] Jason, et al ExpiresJanuarySeptember 2001 [Page48]56] Internet Draft IPsec Configuration Policy ModelJuly 2000 The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technologyMarch 2001 cardinality indicates that a System instance may berequired to practice this standard. Please addressassociated with zero or more SATransform instances. Jason, et al Expires September 2001 [Page 57] Internet Draft IPsec Configuration Policy Model March 2001 8. 
IKE Service and Identity Classes

[Figure: class diagram of the IKE service and identity classes. Boxes: System (Appendix A), PeerIdentityEntry, PeerGateway, PeerIdentityTable, AutostartIKESetting, IKEService, IPProtocolEndpoint (Appendix C), AutostartIKEConfiguration, IKEIdentity, Collection (Appendix A), CredentialManagementService (Appendix B) and Credential (Appendix B). The lines (a) through (l) are the associations listed below; "*w" marks the weak end of an association.]

   (a) HostedPeerIdentityTable
   (b) PeerIdentityMember
   (c) IKEServicePeerGateway
   (d) IKEServicePeerIdentityTable
   (e) IKEAutostartSetting
   (f) AutostartIKESettingContext
   (g) IKEServiceForEndpoint
   (h) IKEAutostartConfiguration
   (i) IKEUsesCredentialManagementService
   (j) EndpointHasLocalIKEIdentity
   (k) CollectionHasLocalIKEIdentity
   (l) IKEIdentitysCredential

This portion of the model contains additional information that is useful in applying the policy. The IKEService class MAY be used to represent the IKE negotiation function in a system.
The IKEService uses the various tables that contain information about IKE peers as well as the configuration for specifying security associations that are started automatically. The information in the PeerGateway, PeerIdentityTable and related classes is necessary to completely specify the policies.

An interface (represented by an IPProtocolEndpoint) has an IKEService that provides the negotiation services for that interface. That service MAY also have a list of security associations that are automatically started at the time the IKE service is initialized. The IKEService also has a set of identities that it may use in negotiations with its peers. Those identities are associated with the interfaces (or collections of interfaces).

8.1. The Class IKEService

The class IKEService represents the IKE negotiation function. An instance of this service may provide that negotiation service for one or more interfaces (represented by the IPProtocolEndpoint class) of a System. There may be multiple instances of IKE services on a System, but only one per interface. The class definition for IKEService is as follows:

   NAME         IKEService
   DESCRIPTION  IKEService is used to represent the IKE negotiation function.
   DERIVED FROM NetworkService (see Appendix C)
   ABSTRACT     FALSE

8.2. The Class PeerIdentityTable

The class PeerIdentityTable aggregates the table entries that provide mappings between identities and their addresses. The class definition for PeerIdentityTable is as follows:

   NAME         PeerIdentityTable
   DESCRIPTION  PeerIdentityTable aggregates PeerIdentityEntry instances to provide a table of identity-address mappings.
   DERIVED FROM Collection (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Name

8.2.1. The Property Name

The property Name uniquely identifies the table. The property is defined as follows:

   NAME         Name
   DESCRIPTION  Name uniquely identifies the table.
   SYNTAX       string

8.3.
The Class PeerIdentityEntry

The class PeerIdentityEntry specifies the mapping between a peer's identity and its address. The class definition for PeerIdentityEntry is as follows:

   NAME         PeerIdentityEntry
   DESCRIPTION  PeerIdentityEntry provides a mapping between a peer's identity and address.
   DERIVED FROM LogicalElement (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   PeerIdentity
                PeerIdentityType
                PeerAddress
                PeerAddressType

8.3.1. The Property PeerIdentity

The property PeerIdentity contains a string encoding of the Identity payload for the IKE peer. The property is defined as follows:

   NAME         PeerIdentity
   DESCRIPTION  The PeerIdentity is the ID payload of a peer.
   SYNTAX       string

8.3.2. The Property PeerIdentityType

The property PeerIdentityType is an enumeration that specifies the type of the PeerIdentity. The property is defined as follows:

   NAME         PeerIdentityType
   DESCRIPTION  PeerIdentityType is the type of the ID payload of a peer.
   SYNTAX       unsigned 16-bit integer
   VALUE        The enumeration values are specified in [DOI] section 4.6.2.1.

8.3.3. The Property PeerAddress

The property PeerAddress specifies the string representation of the IP address of the peer, formatted according to the convention appropriate for the PeerAddressType property (e.g., dotted-decimal notation for IPv4). The property is defined as follows:

   NAME         PeerAddress
   DESCRIPTION  PeerAddress is the address of the peer with the ID payload.
   SYNTAX       string
   VALUE        String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType

The property PeerAddressType specifies the format of the PeerAddress property value. The property is defined as follows:

   NAME         PeerAddressType
   DESCRIPTION  PeerAddressType is the type of address in PeerAddress.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6

8.4.
The Class AutostartIKEConfiguration

The class AutostartIKEConfiguration groups AutostartIKESetting instances into configuration sets. When applied, the settings cause an IKE service to automatically start (negotiate or statically set, as appropriate) the Security Associations. The class definition for AutostartIKEConfiguration is as follows:

   NAME         AutostartIKEConfiguration
   DESCRIPTION  A configuration set of AutostartIKESetting instances to be automatically started by the IKE service.
   DERIVED FROM SystemConfiguration (see Appendix A)
   ABSTRACT     FALSE

8.5. The Class AutostartIKESetting

The class AutostartIKESetting is used to automatically initiate IKE negotiations with peers (or statically create an SA) as specified in the AutostartIKESetting properties. Appropriate actions are initiated according to the policy that matches the setting parameters. The class definition for AutostartIKESetting is as follows:

   NAME         AutostartIKESetting
   DESCRIPTION  AutostartIKESetting is used to automatically initiate IKE negotiations with peers or statically create an SA.
   DERIVED FROM SystemSetting (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Phase1Only
                AddressType
                SourceAddress
                SourcePort
                DestinationAddress
                DestinationPort
                Protocol

8.5.1. The Property Phase1Only

The property Phase1Only is used to limit the IKE negotiation to just setting up a phase 1 security association. When set to False, both phase 1 and phase 2 negotiations are initiated. The property is defined as follows:

   NAME         Phase1Only
   DESCRIPTION  Used to indicate which security associations to attempt to establish (phase 1 only, or phase 1 and 2).
   SYNTAX       boolean
   VALUE        true - attempt to establish a phase 1 security association only
                false - attempt to establish phase 1 and phase 2 security associations

8.5.2. The Property AddressType

The property AddressType specifies the type of the addresses in the SourceAddress and DestinationAddress properties.
The property is defined as follows:

   NAME         AddressType
   DESCRIPTION  AddressType is the type of address in the SourceAddress and DestinationAddress properties.
   SYNTAX       unsigned 16-bit integer
   VALUE        0 - Unknown
                1 - IPv4
                2 - IPv6

8.5.3. The Property SourceAddress

The property SourceAddress specifies the IP address, formatted as dotted-decimal (IPv4) or colon-separated hexadecimal (IPv6), that is used as the source address when comparing with policy filter entries and in any phase 2 negotiations. The property is defined as follows:

   NAME         SourceAddress
   DESCRIPTION  The source address to compare with the filters to determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal (IPv4) or colon-separated hexadecimal (IPv6) formatted IP address

8.5.4. The Property SourcePort

The property SourcePort specifies the port number that is used as the source port when comparing with policy filter entries and in any phase 2 negotiations. The property is defined as follows:

   NAME         SourcePort
   DESCRIPTION  The source port to compare with the filters to determine the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.5. The Property DestinationAddress

The property DestinationAddress specifies the IP address, formatted as dotted-decimal (IPv4) or colon-separated hexadecimal (IPv6), that is used as the destination address when comparing with policy filter entries and in any phase 2 negotiations. The property is defined as follows:

   NAME         DestinationAddress
   DESCRIPTION  The destination address to compare with the filters to determine the appropriate policy rule.
   SYNTAX       string
   VALUE        dotted-decimal (IPv4) or colon-separated hexadecimal (IPv6) formatted IP address

8.5.6. The Property DestinationPort

The property DestinationPort specifies the port number that is used as the destination port when comparing with policy filter entries and in any phase 2 negotiations. The property is defined as follows:

   NAME         DestinationPort
   DESCRIPTION  The destination port to compare with the filters to determine the appropriate policy rule.
   SYNTAX       unsigned 16-bit integer

8.5.7. The Property Protocol

The property Protocol specifies the IP protocol number that is used when comparing with policy filter entries and in any phase 2 negotiations. The property is defined as follows:

   NAME         Protocol
   DESCRIPTION  The protocol number used in comparing with policy filter entries.
   SYNTAX       unsigned 8-bit integer

8.6. The Class IKEIdentity

The class IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 negotiations. The policy property IKEAction.UseIKEIdentityType specifies which type of the available identities to use in a negotiation exchange, and IKERule.IdentityContexts specifies the match values to be used, along with the local address, in selecting the appropriate identity for a negotiation. The ElementID property value (defined in the parent class, UsersAccess) should be that of either the IPProtocolEndpoint or the Collection of endpoints, as appropriate. The class definition for IKEIdentity is as follows:

   NAME         IKEIdentity
   DESCRIPTION  IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 negotiations.
   DERIVED FROM UsersAccess (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   IdentityType
                IdentityValue
                IdentityContexts

8.6.1. The Property IdentityType

The property IdentityType is an enumeration that specifies the type of the IdentityValue. The property is defined as follows:

   NAME         IdentityType
   DESCRIPTION  IdentityType is the type of the IdentityValue.
   SYNTAX       unsigned 8-bit integer
   VALUE        The enumeration values are specified in [DOI] section 4.6.2.1.

8.6.2. The Property IdentityValue

The property IdentityValue contains a string encoding of the Identity payload.
For IKEIdentity instances that are address types, the IdentityValue string may be omitted, in which case the address of the associated IPProtocolEndpoint (or of the appropriate member of the Collection of endpoints) is used. The property is defined as follows:

   NAME         IdentityValue
   DESCRIPTION  IdentityValue contains a string encoding of the Identity payload.
   SYNTAX       string

8.6.3. The Property IdentityContexts

The IdentityContexts property is used to constrain the use of IKEIdentity instances to those matching the contexts specified in IKERule.IdentityContexts. The IdentityContexts are formatted as policy roles and role combinations [PCIM]. Each value represents one context or context combination. Since this is a multi-valued property, more than one context or combination of contexts can be associated with a single IKEIdentity. Each value is a string of the form:

   <ContextName>[&&<ContextName>]*

where the individual context names appear in alphabetical order (according to the collating sequence for UCS-2). If one or more values in the IKERule.IdentityContexts array match one or more values in IKEIdentity.IdentityContexts, then the identity's context matches. (That is, each value of the IdentityContexts array is an ORed condition.) In combination with the address of the IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be one and only one matching IKEIdentity. The property is defined as follows:

   NAME         IdentityContexts
   DESCRIPTION  The IKE service of a security endpoint may have multiple identities for use in different situations. The combination of the interface (represented by the IPProtocolEndpoint), the identity type (as specified in the IKEAction) and the IdentityContexts selects a unique identity.
   SYNTAX       string array
   VALUE        string of the form <ContextName>[&&<ContextName>]*

8.7.
The Association Class HostedPeerIdentityTable

The class HostedPeerIdentityTable provides the name scoping relationship for PeerIdentityTable entries in a System. The PeerIdentityTable is weak to the System. The class definition for HostedPeerIdentityTable is as follows:

   NAME         HostedPeerIdentityTable
   DESCRIPTION  The PeerIdentityTable instances are weak to (name scoped by) the owning System.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref System [1..1]]
                Dependent [ref PeerIdentityTable [0..n] [weak]]

8.7.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerIdentityTable instance MUST be associated in a weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

The class PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable. This is a weak aggregation. The class definition for PeerIdentityMember is as follows:

   NAME         PeerIdentityMember
   DESCRIPTION  PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable.
   DERIVED FROM MemberOfCollection (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Collection [ref PeerIdentityTable [1..1]]
                Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

The property Collection is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityTable instance.
The [1..1] cardinality indicates that a PeerIdentityEntry instance MUST be associated with one and only one PeerIdentityTable instance (i.e., PeerIdentityEntry instances are not shared across PeerIdentityTables).

8.8.2. The Reference Member

The property Member is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityEntry instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

The class IKEServicePeerGateway provides the association between an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways. The class definition for IKEServicePeerGateway is as follows:

   NAME         IKEServicePeerGateway
   DESCRIPTION  Associates an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerGateway [0..n]]
                Dependent [ref IKEService [0..n]]

8.9.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

The class IKEServicePeerIdentityTable provides the relationship between an IKEService and a PeerIdentityTable that it uses to map between addresses and identities as required.
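The two identity lookups an IKE service performs with these classes, the address-to-identity mapping through the PeerIdentityTable described here and in 8.3, and the local IKEIdentity selection rule of 8.6.3, as an added example. This is not code from the draft or from any implementation of it; the context-string builder, the use of an endpoint's address as its ElementID, the ID type constants (taken from [DOI] section 4.6.2.1) and all sample data are assumptions made for the example.

```python
"""Identity resolution for IKE phase 1, following the draft's identity classes.

Added example; not part of the draft or of any implementation of it.

  * local identity selection (8.6.3): an IKERule.IdentityContexts value
    matches an IKEIdentity when the two IdentityContexts arrays share at
    least one value (each value is an ORed condition), and the combination
    of endpoint, IKEAction.UseIKEIdentityType and contexts SHOULD select
    exactly one IKEIdentity;
  * peer identity lookup (8.3, 8.10): the PeerIdentityTable maps a peer's
    address to the ID payload it is expected to present, so a received ID
    payload can be checked against the table.

Class and property names follow the draft.  The context-string builder, the
use of an endpoint address as its ElementID and the sample data are
assumptions made for this example.
"""
from dataclasses import dataclass, field

# [DOI] section 4.6.2.1 identification types used in the samples below.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_IPV6_ADDR = 5


def context_key(*names: str) -> str:
    """Build one IdentityContexts value: names in UCS-2 code-unit order, joined by '&&'."""
    return "&&".join(sorted(names, key=lambda n: n.encode("utf-16-be")))


@dataclass(frozen=True)
class IKEIdentity:
    identity_type: int          # IdentityType
    identity_value: str         # IdentityValue; "" allowed for address types (8.6.2)
    identity_contexts: tuple    # IdentityContexts string array
    element_id: str             # ElementID: endpoint address or Collection name (assumption)


@dataclass(frozen=True)
class PeerIdentityEntry:
    peer_identity: str
    peer_identity_type: int
    peer_address: str
    peer_address_type: int      # 1 = IPv4, 2 = IPv6 (8.3.4)


def contexts_match(rule_contexts, identity_contexts) -> bool:
    """True when any IKERule.IdentityContexts value equals any IKEIdentity.IdentityContexts value."""
    return bool(set(rule_contexts) & set(identity_contexts))


def select_local_identity(identities, endpoint_address, use_type, rule_contexts,
                          collections=()):
    """Return (IdentityType, IdentityValue) of the single IKEIdentity for this negotiation.

    An identity is in scope if its ElementID is the endpoint itself
    (EndpointHasLocalIKEIdentity) or one of the Collections the endpoint
    belongs to (CollectionHasLocalIKEIdentity).  Zero or several matches is
    the situation the draft says SHOULD not arise; it is reported rather than
    resolved by taking the first hit, which would negotiate under an identity
    the policy did not select.
    """
    scope = {endpoint_address, *collections}
    hits = [i for i in identities
            if i.element_id in scope
            and i.identity_type == use_type
            and contexts_match(rule_contexts, i.identity_contexts)]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} IKEIdentity instances match, expected exactly 1")
    chosen = hits[0]
    # Address-type identities may leave IdentityValue empty; the endpoint address is used.
    return chosen.identity_type, chosen.identity_value or endpoint_address


@dataclass
class PeerIdentityTable:
    name: str
    entries: list = field(default_factory=list)   # PeerIdentityMember aggregation

    def expected_identity(self, peer_address):
        """(PeerIdentityType, PeerIdentity) for the peer at peer_address, or None if unmapped."""
        for e in self.entries:
            if e.peer_address == peer_address:
                return e.peer_identity_type, e.peer_identity
        return None

    def id_payload_matches(self, peer_address, id_type, id_value) -> bool:
        """True only if the received ID payload equals the table's mapping for that address."""
        return self.expected_identity(peer_address) == (id_type, id_value)


# Constructed sample data (documentation address ranges and example names).
LOCAL_IDENTITIES = [
    IKEIdentity(ID_IPV4_ADDR, "", (context_key("Corporate"),), "192.0.2.10"),
    IKEIdentity(ID_FQDN, "gw1.example.com", (context_key("VPN", "Partner"),), "192.0.2.10"),
    IKEIdentity(ID_FQDN, "gw.example.com", (context_key("Corporate"),), "AllExternal"),
]
PEERS = PeerIdentityTable("default", [
    PeerIdentityEntry("peer1.example.net", ID_FQDN, "198.51.100.1", 1),
    PeerIdentityEntry("2001:db8::1", ID_IPV6_ADDR, "2001:db8::1", 2),
])

if __name__ == "__main__":
    print(select_local_identity(LOCAL_IDENTITIES, "192.0.2.10", ID_FQDN,
                                [context_key("Partner", "VPN")]))
    print(PEERS.id_payload_matches("198.51.100.1", ID_FQDN, "peer1.example.net"))
```

The uniqueness check is the part worth keeping: an implementation that silently picks the first matching IKEIdentity hides a policy conflict, and the peer table check rejects a responder whose ID payload does not agree with what the table says should be reachable at that address.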
The class definition for IKEServicePeerIdentityTable is as follows:

   NAME         IKEServicePeerIdentityTable
   DESCRIPTION  IKEServicePeerIdentityTable provides the relationship between an IKEService and a PeerIdentityTable that it uses.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref PeerIdentityTable [0..n]]
                Dependent [ref IKEService [0..n]]

8.10.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more IKEService instances.

8.11. The Association Class IKEAutostartSetting

The class IKEAutostartSetting associates an AutostartIKESetting with an IKEService that may use it to automatically start an IKE negotiation or create a static SA. The class definition for IKEAutostartSetting is as follows:

   NAME         IKEAutostartSetting
   DESCRIPTION  Associates an AutostartIKESetting with an IKEService.
   DERIVED FROM ElementSetting (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Element [ref IKEService [0..n]]
                Setting [ref AutostartIKESetting [0..n]]

8.11.1. The Reference Element

The property Element is inherited from ElementSetting and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that an AutostartIKESetting instance may be associated with zero or more IKEService instances.

8.11.2. The Reference Setting

The property Setting is inherited from ElementSetting and is overridden to refer to an AutostartIKESetting instance.
The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

The class AutostartIKESettingContext aggregates the settings used to automatically start negotiations or create a static SA into a configuration set. The class definition for AutostartIKESettingContext is as follows:

   NAME         AutostartIKESettingContext
   DESCRIPTION  AutostartIKESettingContext aggregates the AutostartIKESetting instances into a configuration set.
   DERIVED FROM SystemSettingContext (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Context [ref AutostartIKEConfiguration [0..n]]
                Setting [ref AutostartIKESetting [0..n]]
                SequenceNumber

8.12.1. The Reference Context

The property Context is inherited from SystemSettingContext and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an AutostartIKESetting instance may be associated with zero or more AutostartIKEConfiguration instances (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

The property Setting is inherited from SystemSettingContext and is overridden to refer to an AutostartIKESetting instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

The property SequenceNumber specifies the ordering to be used when starting negotiations or creating a static SA. A zero value indicates that order is not significant and the setting may be applied in parallel with other settings. All other settings in the configuration are executed in sequence from lower values to higher. Sequence numbers need not be unique in an AutostartIKEConfiguration, and order is not significant for settings with the same sequence number.
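The ordering rule just described, applied to the AutostartIKESetting properties of 8.5, as an added example (not code from the draft or from any implementation of it). It sorts a configuration's settings into the execution order the SequenceNumber semantics imply, checks each setting's addresses, ports and protocol against the types and widths declared in 8.5.2 through 8.5.7 before anything is started, and reads Phase1Only to decide which phases to attempt. The dataclass layout, the (unordered, batches) return shape, the use of 0 as an unspecified port in the samples and the sample data itself are assumptions made for the example.

```python
"""Ordering and validating AutostartIKESetting instances.

Added example; not part of the draft or of any implementation of it.
Implements the SequenceNumber rule of AutostartIKESettingContext (8.12.3):
settings with SequenceNumber 0 are unordered and may run in parallel with
the rest; all other settings run in ascending SequenceNumber order, and
settings sharing a non-zero value form one batch with no order among them.
Each AutostartIKESetting (8.5) is validated first: both addresses must
parse as the declared AddressType, and ports and Protocol must fit their
declared integer widths.  Phase1Only (8.5.1) selects the phases to attempt.
Class and property names follow the draft; the dataclass layout, the
(unordered, batches) return shape and the sample data are assumptions.
"""
from dataclasses import dataclass
from itertools import groupby
import ipaddress


@dataclass(frozen=True)
class AutostartIKESetting:
    phase1_only: bool
    address_type: int           # 0 Unknown, 1 IPv4, 2 IPv6 (8.5.2)
    source_address: str
    source_port: int
    destination_address: str
    destination_port: int
    protocol: int


@dataclass(frozen=True)
class AutostartIKESettingContext:
    """One aggregation link: a setting and its SequenceNumber within the configuration."""
    setting: AutostartIKESetting
    sequence_number: int


def validate_setting(s: AutostartIKESetting) -> None:
    """Raise ValueError if the setting's fields contradict its declared types or widths."""
    if s.address_type not in (1, 2):
        raise ValueError(f"AddressType {s.address_type} is neither IPv4 (1) nor IPv6 (2)")
    want = 4 if s.address_type == 1 else 6
    for addr in (s.source_address, s.destination_address):
        try:
            version = ipaddress.ip_address(addr).version
        except ValueError as exc:
            raise ValueError(f"{addr!r} is not an IP address") from exc
        if version != want:
            raise ValueError(f"{addr} is IPv{version} but AddressType declares IPv{want}")
    for port in (s.source_port, s.destination_port):
        if not 0 <= port <= 0xFFFF:
            raise ValueError(f"port {port} does not fit an unsigned 16-bit integer")
    if not 0 <= s.protocol <= 0xFF:
        raise ValueError(f"protocol {s.protocol} does not fit an unsigned 8-bit integer")


def phases_to_attempt(s: AutostartIKESetting) -> tuple:
    """Phase1Only true -> (1,), false -> (1, 2)."""
    return (1,) if s.phase1_only else (1, 2)


def schedule(contexts):
    """Split a configuration's settings into (unordered, batches).

    `unordered` holds the SequenceNumber == 0 settings, which may be started
    at any time alongside the others.  `batches` is a list of lists in
    ascending SequenceNumber order; each batch completes before the next
    starts, and the settings inside one batch have no defined order.  Every
    setting is validated first so a malformed entry is rejected before any
    negotiation is launched.
    """
    for c in contexts:
        validate_setting(c.setting)
    unordered = [c.setting for c in contexts if c.sequence_number == 0]
    ordered = sorted((c for c in contexts if c.sequence_number != 0),
                     key=lambda c: c.sequence_number)   # stable: ties keep input order
    batches = [[c.setting for c in group]
               for _, group in groupby(ordered, key=lambda c: c.sequence_number)]
    return unordered, batches


# Constructed sample configuration (documentation address ranges; port 0 = unspecified here).
SAMPLE_CONFIGURATION = [
    AutostartIKESettingContext(
        AutostartIKESetting(False, 1, "192.0.2.10", 0, "198.51.100.1", 0, 0), 20),
    AutostartIKESettingContext(
        AutostartIKESetting(True, 1, "192.0.2.10", 0, "198.51.100.2", 0, 0), 0),
    AutostartIKESettingContext(
        AutostartIKESetting(False, 2, "2001:db8::10", 0, "2001:db8::1", 0, 0), 10),
    AutostartIKESettingContext(
        AutostartIKESetting(False, 1, "192.0.2.10", 500, "198.51.100.3", 500, 17), 10),
]

if __name__ == "__main__":
    unordered, batches = schedule(SAMPLE_CONFIGURATION)
    for s in unordered:
        print("any time:", s.destination_address, "phases", phases_to_attempt(s))
    for n, batch in enumerate(batches, 1):
        for s in batch:
            print(f"batch {n}:", s.destination_address, "phases", phases_to_attempt(s))
```

Validating before scheduling matters because a setting whose AddressType disagrees with its addresses would otherwise be matched against the wrong policy filters, or not matched at all, only once the IKE service is already initializing.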
The property is defined as follows:

   NAME         SequenceNumber
   DESCRIPTION  The sequence in which the settings are applied within a configuration set.
   SYNTAX       unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

The class IKEServiceForEndpoint provides the association showing which IKE service, if any, provides IKE negotiation services for which network interfaces. The class definition for IKEServiceForEndpoint is as follows:

   NAME         IKEServiceForEndpoint
   DESCRIPTION  Associates an IPProtocolEndpoint with an IKEService that provides negotiation services for the endpoint.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IKEService [0..1]]
                Dependent [ref IPProtocolEndpoint [0..n]]

8.13.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..1] cardinality indicates that an IPProtocolEndpoint instance MUST be associated with at most one IKEService instance.

8.13.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IPProtocolEndpoint instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more IPProtocolEndpoint instances.

8.14. The Association Class IKEAutostartConfiguration

The class IKEAutostartConfiguration provides the relationship between an IKEService and a configuration set that it uses to automatically start a set of SAs. The class definition for IKEAutostartConfiguration is as follows:

   NAME         IKEAutostartConfiguration
   DESCRIPTION  IKEAutostartConfiguration provides the relationship between an IKEService and an AutostartIKEConfiguration that it uses to automatically start a set of SAs.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref AutostartIKEConfiguration [0..n]]
                Dependent [ref IKEService [0..n]]
                Active

8.14.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more IKEService instances.

8.14.3. The Property Active

The property Active indicates whether the AutostartIKEConfiguration set is currently active for the associated IKEService. That is, at boot time the active configuration is used to automatically start IKE negotiations and create static SAs. The property is defined as follows:

   NAME         Active
   DESCRIPTION  Active indicates whether the AutostartIKEConfiguration set is currently active for the associated IKEService.
   SYNTAX       boolean
   VALUE        true - AutostartIKEConfiguration is currently active for the associated IKEService.
                false - AutostartIKEConfiguration is currently inactive for the associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

The class IKEUsesCredentialManagementService defines the set of CredentialManagementService(s) that are trusted sources of credentials for IKE phase 1 negotiations. The class definition for IKEUsesCredentialManagementService is as follows:

   NAME         IKEUsesCredentialManagementService
   DESCRIPTION  Associates the set of CredentialManagementService(s) that are trusted by the IKEService as sources of credentials used in IKE phase 1 negotiations.
   DERIVED FROM Dependency (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref CredentialManagementService [0..n]]
                Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a CredentialManagementService instance may be associated with zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

The class EndpointHasLocalIKEIdentity associates an IPProtocolEndpoint with a set of IKEIdentity instances that may be used in negotiating security associations on the endpoint. An IKEIdentity MUST be associated either with an IPProtocolEndpoint using this association or with a Collection of IPProtocolEndpoint instances using the CollectionHasLocalIKEIdentity association. The class definition for EndpointHasLocalIKEIdentity is as follows:

   NAME         EndpointHasLocalIKEIdentity
   DESCRIPTION  EndpointHasLocalIKEIdentity associates an IPProtocolEndpoint with a set of IKEIdentity instances.
   DERIVED FROM ElementAsUser (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref IPProtocolEndpoint [0..1]]
                Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

The property Antecedent is inherited from ElementAsUser and is overridden to refer to an IPProtocolEndpoint instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one IPProtocolEndpoint instance.

8.16.2.
The Reference Dependent

The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that an IPProtocolEndpoint instance may be associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

The class CollectionHasLocalIKEIdentity associates a Collection of IPProtocolEndpoint instances with a set of IKEIdentity instances that may be used in negotiating SAs for endpoints in the collection. An IKEIdentity MUST be associated either with an IPProtocolEndpoint using the EndpointHasLocalIKEIdentity association or with a Collection of IPProtocolEndpoint instances using this association. The class definition for CollectionHasLocalIKEIdentity is as follows:

   NAME         CollectionHasLocalIKEIdentity
   DESCRIPTION  CollectionHasLocalIKEIdentity associates a collection of IPProtocolEndpoint instances with a set of IKEIdentity instances.
   DERIVED FROM ElementAsUser (see Appendix B)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref Collection [0..1]]
                Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

The property Antecedent is inherited from ElementAsUser and is overridden to refer to a Collection instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one Collection instance.

8.17.2. The Reference Dependent

The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Collection instance may be associated with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

The class IKEIdentitysCredential is an association that relates a set of credentials to their corresponding local IKE Identities.
The class definition for IKEIdentitysCredential is as follows:

   NAME         IKEIdentitysCredential
   DESCRIPTION  IKEIdentitysCredential associates a set of credentials to their corresponding local IKEIdentity.
   DERIVED FROM UsersCredential (see Appendix A)
   ABSTRACT     FALSE
   PROPERTIES   Antecedent [ref Credential [0..n]]
                Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

The property Antecedent is inherited from UsersCredential and is overridden to refer to a Credential instance. The [0..n] cardinality indicates that an IKEIdentity instance may be associated with zero or more Credential instances.

8.18.2. The Reference Dependent

The property Dependent is inherited from UsersCredential and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Credential instance may be associated with zero or more IKEIdentity instances.

9. Security Considerations

This document describes a schema for IPsec policy. It does not detail security requirements for storage or delivery of said schema. Storage and delivery security requirements should be detailed in a comprehensive security policy architecture document.

10. Intellectual Property

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11.
Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

11. Acknowledgments

The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire, Vic Lortz, and William Dixon for their contributions to this IPsec policy model. Additionally, this draft would not have been possible without the preceding IPsec schema drafts. For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan.

12. References

   [IKE]      Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.

   [COMP]     Shacham, A., R. Monsour, R. Pereira, and M. Thomas, "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

   [ESP]      Kent, S., and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998.

   [AH]       Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998.

   [PCIM]     Moore, B., E. Ellesson, and J. Strassner, "Policy Core Information Model -- Version 1 Specification", RFC 3060, February 2001.

   [DOI]      Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407, November 1998.

   [LDAP]     Wahl, M., T. Howes, and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.

   [COPS]     Boyle, J., R. Cohen, D. Durham, S. Herzog, R. Rajan, and A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000.

   [COPSPR]   Chan, K., D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. Reichmeyer, J. Seligson, A. Smith, and R. Yavatkar, "COPS Usage for Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000. Internet-Draft, work in progress.

   [SPSL]     Condell, M., C. Lynn, and J. Zao, "Security Policy Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000. Internet-Draft, work in progress.

   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [IPSO]     Kent, S., "U.S. Department of Defense Security Options for the Internet Protocol", RFC 1108, November 1991.

   [IPSEC]    Kent, S., and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.

13. Disclaimer

The views and specification herein are those of the authors and are not necessarily those of their employers. The authors and their employers specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this specification.

14. Authors' Addresses

   Jamie Jason
   Intel Corporation
   MS JF3-206
   2111 NE 25th Ave.
   Hillsboro, OR 97124
   E-Mail: jamie.jason@intel.com

   Lee Rafalow
   IBM Corporation, BRQA/502
   4205 So. Miami Blvd.
   Research Triangle Park, NC 27709
   E-mail: rafalow@raleigh.ibm.com

   Eric Vyncke
   Cisco Systems
   Avenue Marcel Thiry, 77
   B-1200 Brussels
   Belgium
   E-mail: evyncke@cisco.com

15. Full Copyright Statement

Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
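Appendix A, which follows, reproduces the DMTF core model in MOF. Tooling that consumes it (a storage-schema generator, a policy-distribution agent, a conformance checker) needs at least the class hierarchy and the Key-qualified properties, because CIM composes an instance's identity from every Key property on the class and its ancestors; the propagated SystemCreationClassName/SystemName keys on weak classes such as CIM_SystemSetting are the case in point. The block below is an added example written for this page, not code from the draft or from the DMTF distribution: a small regular-expression reader for the MOF subset the appendix uses (class declarations with an optional superclass, bracketed qualifiers, plain and REF properties, array suffixes; methods are skipped). MOF_SAMPLE is a constructed fragment in the appendix's style rather than its text, and parse_mof and effective_keys are names chosen here.

```python
"""Added example for this page (not code from the draft or from the DMTF
CIM distribution): a small reader for the MOF subset used in Appendix A.
It records each class, its superclass, the Abstract/Association
qualifiers, its property names, and the properties carrying the Key
qualifier. Methods are skipped. MOF_SAMPLE is a constructed fragment in
the appendix's style; the function names are this example's choice."""
import re

MOF_SAMPLE = r'''
// ==================================================================
// Constructed sample in the style of Appendix A (not its full text)
// ==================================================================
[Abstract, Description (
    "ManagedElement is an abstract class that provides a common "
    "superclass; strings may contain { braces } and ; semicolons.")]
class CIM_ManagedElement {
    [MaxLen (64), Description ("A short one-line description.")]
    string Caption;
    string Description;
};

[Abstract]
class CIM_Setting : CIM_ManagedElement {
    [MaxLen (256), Description ("The identifier of the Setting.")]
    string SettingID;
    uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
                      [IN] datetime TimeToApply,
                      [IN] datetime MustBeCompletedBy);
};

[Abstract, Description ("A CIM_Setting scoped by/weak to a System.")]
class CIM_SystemSetting : CIM_Setting {
    [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256)]
    string SystemCreationClassName;
    [Propagated ("CIM_System.Name"), Key, MaxLen (256)]
    string SystemName;
    [Key, MaxLen (256), Description ("Statuses are \"OK\" or \"Error\"."),
     ValueMap {"OK", "Error"}]
    string CreationClassName;
    [Override ("SettingID"), Key, MaxLen (256)] string SettingID;
};

[Association, Abstract, Description ("Generic dependency association.")]
class CIM_Dependency {
    [Key, Description ("The independent object.")] CIM_ManagedElement REF Antecedent;
    [Key, Description ("The dependent object.")] CIM_ManagedElement REF Dependent;
    string Notes[];
};
'''

_STRING = re.compile(r'"(?:[^"\\]|\\.)*"')      # one MOF string literal
_COMMENT = re.compile(r'//[^\n]*')
_CLASS = re.compile(
    r'(?:\[(?P<quals>[^\]]*)\]\s*)?\bclass\s+(?P<name>\w+)\s*'
    r'(?::\s*(?P<parent>\w+))?\s*\{(?P<body>.*?)\};', re.S)
_PROP = re.compile(
    r'^(?:\[(?P<quals>[^\]]*)\]\s*)?(?P<type>\w+)\s+(?:REF\s+)?'
    r'(?P<name>\w+)(?:\[\])?$', re.S | re.I)


def parse_mof(text):
    """Return {class name: {parent, abstract, association, properties, keys}}
    in document order. String literals are blanked first so that braces,
    semicolons or the word Key inside Description text cannot confuse the
    structural regexes; comments are dropped next."""
    cleaned = _COMMENT.sub("", _STRING.sub('""', text))
    classes = {}
    for cls in _CLASS.finditer(cleaned):
        quals = cls.group("quals") or ""
        props, keys = [], []
        for segment in cls.group("body").split(";"):
            prop = _PROP.match(segment.strip())
            if prop is None:         # blank tail or a method declaration
                continue
            props.append(prop.group("name"))
            if re.search(r"\bKey\b", prop.group("quals") or ""):
                keys.append(prop.group("name"))
        classes[cls.group("name")] = {
            "parent": cls.group("parent"),
            "abstract": re.search(r"\bAbstract\b", quals) is not None,
            "association": re.search(r"\bAssociation\b", quals) is not None,
            "properties": props,
            "keys": keys,
        }
    return classes


def effective_keys(classes, name):
    """All Key properties that identify an instance of `name`: its own plus
    those inherited up the chain, most derived class first, without
    duplicates (an Override of an inherited property keeps one entry)."""
    seen, result = set(), []
    while name in classes:
        for key in classes[name]["keys"]:
            if key not in seen:
                seen.add(key)
                result.append(key)
        name = classes[name]["parent"]
    return result


if __name__ == "__main__":
    model = parse_mof(MOF_SAMPLE)
    for cname, info in model.items():
        print(cname, "->", info["parent"], "keys:", effective_keys(model, cname))
```

Blanking string literals before any structural matching is the part worth copying: Description text in the appendix contains semicolons, braces and words such as "Key", and a reader that splits on those characters without first removing the strings mis-parses CIM_ManagedSystemElement's Status description. The reader does not attempt the full MOF grammar (no instance declarations, no nested qualifier brackets), which is adequate for the appendix but should be checked against any other MOF fed to it.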
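The apply methods on CIM_Setting in Appendix A state a contract rather than code: a Setting is applied to an element wholly or not at all; an element on which the apply fails must be left configured as it was when the attempt began; ApplyToCollection with ContinueOnError FALSE stops at the first failing element, records its key in CanNotApply and returns 2, while with ContinueOnError TRUE it visits every element and records every failing key; and the incremental variants take a PropertiesToApply array in which null, empty or "all" means every property and "none" means no property. The following Python is an added example written for this page, not code from the draft or from the DMTF schema. It models ApplyIncrementalChangeToCollection, of which ApplyToCollection is the case with PropertiesToApply left empty; the class and function names, the snapshot-based rollback, the ValueError failure signal and the constructed gateway elements are this example's assumptions, and the TimeToApply/MustBeCompletedBy scheduling parameters are not modelled.

```python
"""Added example, not code from the draft or from the DMTF schema: a Python
model of the apply semantics that Appendix A documents for CIM_Setting.
ApplyIncrementalChangeToCollection is modelled; ApplyToCollection is the
same call with PropertiesToApply left empty (meaning "all"). Class and
function names are assumptions made for this illustration; the
TimeToApply/MustBeCompletedBy scheduling parameters are not modelled."""
from dataclasses import dataclass, field

# Return codes as given in the MOF method descriptions.
RC_OK = 0
RC_NOT_SUPPORTED = 1
RC_NOT_APPLIED = 2        # also the code returned when a stop-on-error run halts
RC_BAD_CONTINUE_MODE = 3  # ContinueOnError value not usable by this Setting


@dataclass
class ManagedSystemElement:
    """Stand-in for a CIM_ManagedSystemElement: a key and its current values.
    'refuses' lists property names this element rejects; it is the constructed
    failure mode used to exercise the error path."""
    key: str
    values: dict = field(default_factory=dict)
    refuses: frozenset = frozenset()

    def set_property(self, name, value):
        if name in self.refuses:
            raise ValueError(f"{self.key} cannot accept {name}")
        self.values[name] = value


def select_properties(setting, properties_to_apply):
    """PropertiesToApply convention from the MOF text: null/empty or containing
    "all" selects every Setting property, "none" selects nothing, otherwise only
    the listed names that the Setting actually carries."""
    if not properties_to_apply or "all" in properties_to_apply:
        return dict(setting)
    if "none" in properties_to_apply:
        return {}
    return {k: v for k, v in setting.items() if k in properties_to_apply}


def apply_incremental_change_to_mse(setting, mse, properties_to_apply=None):
    """ApplyIncrementalChangeToMSE: the Setting is wholly applied or not at all.
    If any property is refused, the element is restored to the state it had
    when the apply began, as the MOF note requires (no indeterminate state)."""
    snapshot = dict(mse.values)
    try:
        for name, value in select_properties(setting, properties_to_apply).items():
            mse.set_property(name, value)
    except ValueError:
        mse.values = snapshot
        return RC_NOT_APPLIED
    return RC_OK


def apply_incremental_change_to_collection(setting, collection, continue_on_error,
                                           properties_to_apply=None):
    """Returns (return_code, can_not_apply). ContinueOnError FALSE: stop at the
    first failing element, record its key and return 2. ContinueOnError TRUE:
    visit every element and record every failing key. The MOF text does not fix
    the return code for a TRUE run with failures; this example returns 2 there
    too so that a caller cannot mistake a partial push for success."""
    can_not_apply = []
    for mse in collection:
        if apply_incremental_change_to_mse(setting, mse, properties_to_apply) != RC_OK:
            can_not_apply.append(mse.key)
            if not continue_on_error:
                return RC_NOT_APPLIED, can_not_apply
    return (RC_OK if not can_not_apply else RC_NOT_APPLIED), can_not_apply


def demo():
    """Constructed run: three gateways; gw2 refuses the Encryption property."""
    setting = {"Lifetime": 3600, "Encryption": "3DES", "Auth": "HMAC-SHA1"}

    def fresh():
        return [ManagedSystemElement("gw1"),
                ManagedSystemElement("gw2", refuses=frozenset({"Encryption"})),
                ManagedSystemElement("gw3")]

    stop = fresh()
    rc_stop, bad_stop = apply_incremental_change_to_collection(setting, stop, False)
    cont = fresh()
    rc_cont, bad_cont = apply_incremental_change_to_collection(setting, cont, True)
    partial = fresh()
    rc_part, bad_part = apply_incremental_change_to_collection(
        setting, partial, True, ["Lifetime"])
    return {
        "stop": (rc_stop, bad_stop, [e.values for e in stop]),
        "cont": (rc_cont, bad_cont, [e.values for e in cont]),
        "partial": (rc_part, bad_part, [e.values for e in partial]),
    }


if __name__ == "__main__":
    for label, (rc, bad, states) in demo().items():
        print(label, rc, bad, states)
```

The rollback is the security-relevant part for an IPsec policy push: gw2 accepts Lifetime and then refuses Encryption, and without the snapshot it would be left running a half-applied SA policy. In the stop-on-error run gw3 is never visited, so CanNotApply alone does not tell the caller which gateways still carry the old policy; the ContinueOnError TRUE run is the one whose CanNotApply array is a complete list.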
Appendix A (DMTF Core Model MOF)

// ==================================================================
// ManagedElement
// ==================================================================
[Abstract, Description (
    "ManagedElement is an abstract class that provides a common "
    "superclass (or top of the inheritance tree) for the "
    "non-association classes in the CIM Schema.")]
class CIM_ManagedElement
{
    [MaxLen (64), Description (
        "The Caption property is a short textual description (one-"
        "line string) of the object.") ]
    string Caption;

    [Description (
        "The Description property provides a textual description of "
        "the object.") ]
    string Description;
};

// ==================================================================
// Collection
// ==================================================================
[Abstract, Description (
    "Collection is an abstract class that provides a common "
    "superclass for data elements that represent collections of "
    "ManagedElements and its subclasses.")]
class CIM_Collection : CIM_ManagedElement
{
};

// ==================================================================
// ManagedSystemElement
// ==================================================================
[Abstract, Description (
    "CIM_ManagedSystemElement is the base class for the System "
    "Element hierarchy. Membership Criteria: Any distinguishable "
    "component of a System is a candidate for inclusion in this "
    "class. Examples: software components, such as files; and "
    "devices, such as disk drives and controllers, and physical "
    "components such as chips and cards.") ]
class CIM_ManagedSystemElement : CIM_ManagedElement
{
    [Description (
        "A datetime value indicating when the object was installed. "
        "A lack of a value does not indicate that the object is not "
        "installed."),
     MappingStrings {"MIF.DMTF|ComponentID|001.5"} ]
    datetime InstallDate;

    [MaxLen (256), Description (
        "The Name property defines the label by which the object is "
        "known. When subclassed, the Name property can be overridden "
        "to be a Key property.") ]
    string Name;

    [MaxLen (10), Description (
        " A string indicating the current status of the object. "
        "Various operational and non-operational statuses are "
        "defined. Operational statuses are \"OK\", \"Degraded\", "
        "\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that "
        "the Element is functioning, but needs attention. Examples "
        "of \"Stressed\" states are overload, overheated, etc. The "
        "condition \"Pred Fail\" (failure predicted) indicates that "
        "an Element is functioning properly but predicting a failure "
        "in the near future. An example is a SMART-enabled hard "
        "drive. \n"
        " Non-operational statuses can also be specified. These "
        "are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", "
        "\"Stopped\", \"Service\", \"No Contact\" and \"Lost Comm\". "
        "\"NonRecover\" indicates that a non-recoverable error has "
        "occurred. \"Service\" describes an Element being configured, "
        "maintained, cleaned, or otherwise administered. This status "
        "could apply during mirror-resilvering of a disk, reload of a "
        "user permissions list, or other administrative task. Not all "
        "such work is on-line, yet the Element is neither \"OK\" nor "
        "in one of the other states. \"No Contact\" indicates that "
        "the current instance of the monitoring system has knowledge "
        "of this Element but has never been able to establish "
        "communications with it. \"Lost Comm\" indicates that the "
        "ManagedSystemElement is known to exist and has been "
        "contacted successfully in the past, but is currently "
        "unreachable. \"Stopped\" indicates that the "
        "ManagedSystemElement is known to exist, it is not "
        "operational (i.e. it is unable to provide service to users), "
        "but it has not failed. It has purposely been made "
        "non-operational. The Element may have never been \"OK\", "
        "the Element may have initiated its own stop, or a management "
        "system may have initiated the stop."),
     ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail",
               "Starting", "Stopping", "Service", "Stressed",
               "NonRecover", "No Contact", "Lost Comm", "Stopped"} ]
    string Status;
};

// ==================================================================
// LogicalElement
// ==================================================================
[Abstract, Description (
    "CIM_LogicalElement is a base class for all the components of "
    "a System that represent abstract system components, such "
    "as Files, Processes, or system capabilities in the form "
    "of Logical Devices.") ]
class CIM_LogicalElement : CIM_ManagedSystemElement
{
};

// ==================================================================
// CIM_SystemConfiguration
// ==================================================================
[Description (
    "CIM_SystemConfiguration represents the general concept "
    "of a CIM_Configuration which is scoped by/weak to a "
    "System. This class is a peer of CIM_Configuration since "
    "the key structure of Configuration is currently "
    "defined and cannot be modified with additional "
    "properties.")]
class CIM_SystemConfiguration : CIM_ManagedElement
{
    [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256),
     Description ("The scoping System's CreationClassName.") ]
    string SystemCreationClassName;

    [Propagated ("CIM_System.Name"), Key, MaxLen (256),
     Description ("The scoping System's Name.") ]
    string SystemName;

    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.") ]
    string CreationClassName;

    [Key, MaxLen (256), Description (
        "The label by which the Configuration object is known.") ]
    string Name;
};

// ===================================================================
// Setting
// ===================================================================
[Abstract, Description (
    "The Setting class represents configuration-related and "
    "operational parameters for one or more ManagedSystem"
    "Element(s). A ManagedSystemElement may have multiple Setting "
    "objects associated with it. The current operational values "
    "for an Element's parameters are reflected by properties in "
    "the Element itself or by properties in its associations. "
    "These properties do not have to be the same values present "
    "in the Setting object. For example, a modem may have a "
    "Setting baud rate of 56Kb/sec but be operating "
    "at 19.2Kb/sec.") ]
class CIM_Setting : CIM_ManagedElement
{
    [MaxLen (256), Description (
        "The identifier by which the Setting object is known.") ]
    string SettingID;

    [Description (
        "The VerifyOKToApplyToMSE method is used to verify that "
        "this Setting can be 'applied' to the referenced Managed"
        "SystemElement, at the given time or time interval. This "
        "method takes three input parameters: MSE (the Managed"
        "SystemElement that is being verified), TimeToApply (which, "
        "being a datetime, can be either a specific time or a time "
        "interval), and MustBeCompletedBy (which indicates the "
        "required completion time for the method). The return "
        "value should be 0 if it is OK to apply the Setting, 1 if "
        "the method is not supported, 2 if the Setting can not be "
        "applied within the specified times, and any other number "
        "if an error occurred. In a subclass, the "
        "set of possible return codes could be specified, using a "
        "ValueMap qualifier on the method. The strings to which the "
        "ValueMap contents are 'translated' may also be specified in "
        "the subclass as a Values array qualifier.") ]
    uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
                                [IN] datetime TimeToApply,
                                [IN] datetime MustBeCompletedBy);

    [Description (
        "The ApplyToMSE method performs the actual application of "
        "the Setting to the referenced ManagedSystemElement. It "
        "takes three input parameters: MSE (the ManagedSystem"
        "Element to which the Setting is being applied), "
        "TimeToApply (which, being a datetime, can be either a "
        "specific time or a time interval), and MustBeCompletedBy "
        "(which indicates the required completion time for the "
        "method). Note that the semantics of this method are that "
        "individual Settings are either wholly applied or not "
        "applied at all to their target ManagedSystemElement. The "
        "return value should be 0 if the Setting is successfully "
        "applied to the referenced ManagedSystemElement, 1 if the "
        "method is not supported, 2 if the Setting was not applied "
        "within the specified times, and any other number if an "
        "error occurred. In a subclass, the set of possible return "
        "codes could be specified, using a ValueMap qualifier on "
        "the method. The strings to which the ValueMap contents are "
        "'translated' may also be specified in the subclass as a "
        "Values array qualifier.\n"
        "Note: If an error occurs in applying the Setting to a "
        "ManagedSystemElement, the Element must be configured as "
        "when the 'apply' attempt began. That is, the Element "
        "should NOT be left in an indeterminate state.") ]
    uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,
                      [IN] datetime TimeToApply,
                      [IN] datetime MustBeCompletedBy);

    [Description (
        "The VerifyOKToApplyToCollection method is used to verify "
        "that this Setting can be 'applied' to the referenced "
        "Collection of ManagedSystemElements, at the given time "
        "or time interval, without causing adverse effects to "
        "either the Collection itself or its surrounding "
        "environment. The net effect is to execute the "
        "VerifyOKToApply method against each of the Elements "
        "aggregated by the Collection. This method takes three "
        "input parameters: Collection (the Collection of Managed"
        "SystemElements that is being verified), TimeToApply (which, "
        "being a datetime, can be either a specific time or a time "
        "interval), and MustBeCompletedBy (which indicates the "
        "required completion time for the method). The return "
        "value should be 0 if it is OK to apply the Setting, 1 if "
        "the method is not supported, 2 if the Setting can not be "
        "applied within the specified times, and any other number if "
        "an error occurred. One output parameter is defined - "
        "CanNotApply - which is a string array that lists the keys of "
        "the ManagedSystemElements to which the Setting can NOT be "
        "applied. This enables those Elements to be revisited and "
        "either fixed, or other corrective action taken.\n"
        "In a subclass, the set of possible return codes could be "
        "specified, using a ValueMap qualifier on the method. The "
        "strings to which the ValueMap contents are 'translated' may "
        "also be specified in the subclass as a Values array "
        "qualifier.") ]
    uint32 VerifyOKToApplyToCollection (
                      [IN] CIM_CollectionOfMSEs ref Collection,
                      [IN] datetime TimeToApply,
                      [IN] datetime MustBeCompletedBy,
                      [OUT] string CanNotApply[]);

    [Description (
        "The ApplyToCollection method performs the application of "
        "the Setting to the referenced Collection of ManagedSystem"
        "Elements. The net effect is to execute the ApplyToMSE "
        "method against each of the Elements aggregated by the "
        "Collection. If the input value ContinueOnError is FALSE, "
        "this method applies the Setting to all Elements in the "
        "Collection until it encounters an error, in which case it "
        "stops execution, logs the key of the Element that caused "
        "the error in the CanNotApply array, and issues a return code "
        "of 2. If the input value ContinueOnError is TRUE, then this "
        "method applies the Setting to all the ManagedSystemElements "
        "in the Collection, and reports the failed Elements in the "
        "array, CanNotApply. For the latter, processing will continue "
        "until the method is applied to all Elements in the "
        "Collection, regardless of any errors encountered. The key of "
        "each ManagedSystemElement to which the Setting could not be "
        "applied is logged into the CanNotApply array. This method "
        "takes four input parameters: Collection (the Collection of "
        "Elements to which the Setting is being applied), TimeToApply "
        "(which, being a datetime, can be either a specific time or a "
        "time interval), ContinueOnError (TRUE means to continue "
        "processing on encountering an error), and MustBeCompletedBy "
        "(which indicates the required completion time for the "
        "method). The return value should be 0 if the Setting is "
        "successfully applied to the referenced Collection, 1 if the "
        "method is not supported, 2 if the Setting was not applied "
        "within the specified times, 3 if the Setting can not be "
        "applied using the input value for ContinueOnError, and any "
        "other number if an error occurred. One output parameter is "
        "defined, CanNotApply, which is a string array that lists "
        "the keys of the ManagedSystemElements to which the Setting "
        "was NOT able to be applied. This output parameter has "
        "meaning only when the ContinueOnError parameter is TRUE.\n"
        "In a subclass, the set of possible return codes could be "
        "specified, using a ValueMap qualifier on the method. The "
        "strings to which the ValueMap contents are 'translated' may "
        "also be specified in the subclass as a Values array "
        "qualifier.\n"
        "Note: if an error occurs in applying the Setting to a "
        "ManagedSystemElement in the Collection, the Element must be "
        "configured as when the 'apply' attempt began. That is, the "
        "Element should NOT be left in an indeterminate state.") ]
    uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection,
                             [IN] datetime TimeToApply,
                             [IN] boolean ContinueOnError,
                             [IN] datetime MustBeCompletedBy,
                             [OUT] string CanNotApply[]);

    [Description (
        "The VerifyOKToApplyIncrementalChangeToMSE method "
        "is used to verify that a subset of the properties in "
        "this Setting can be 'applied' to the referenced Managed"
        "SystemElement, at the given time or time interval. This "
        "method takes four input parameters: MSE (the Managed"
        "SystemElement that is being verified), TimeToApply (which, "
        "being a datetime, can be either a specific time or a time "
        "interval), MustBeCompletedBy (which indicates the "
        "required completion time for the method), and a "
        "PropertiesToApply array (which contains a list of the "
        "property names whose values will be verified. "
        "If the array is null or empty or contains the string \"all\" "
        "as a property name then all Settings properties shall be "
        "verified. If it is set to \"none\" then no Settings "
        "properties will be verified). The return "
        "value should be 0 if it is OK to apply the Setting, 1 if "
        "the method is not supported, 2 if the Setting can not be "
        "applied within the specified times, and any other number "
        "if an error occurred. In a subclass, the "
        "set of possible return codes could be specified, using a "
        "ValueMap qualifier on the method. The strings to which the "
        "ValueMap contents are 'translated' may also be specified in "
        "the subclass as a Values array qualifier.") ]
    uint32 VerifyOKToApplyIncrementalChangeToMSE(
                      [IN] CIM_ManagedSystemElement ref MSE,
                      [IN] datetime TimeToApply,
                      [IN] datetime MustBeCompletedBy,
                      [IN] string PropertiesToApply[]);

    [Description (
        "The ApplyIncrementalChangeToMSE method performs the "
        "actual application of a subset of the properties in "
        "the Setting to the referenced ManagedSystemElement. It "
        "takes four input parameters: MSE (the ManagedSystem"
        "Element to which the Setting is being applied), "
        "TimeToApply (which, being a datetime, can be either a "
        "specific time or a time interval), MustBeCompletedBy "
        "(which indicates the required completion time for the "
        "method), and a "
        "PropertiesToApply array (which contains a list of the "
        "property names whose values will be applied. If a "
        "property is not in this list, it will be ignored by the "
        "apply. "
        "If the array is null or empty or contains the string \"all\" "
        "as a property name then all Settings properties shall be "
        "applied. If it is set to \"none\" then no Settings "
        "properties will be applied). "
        "Note that the semantics of this method are that "
        "individual Settings are either wholly applied or not "
        "applied at all to their target ManagedSystemElement. The "
        "return value should be 0 if the Setting is successfully "
        "applied to the referenced ManagedSystemElement, 1 if the "
        "method is not supported, 2 if the Setting was not applied "
        "within the specified times, and any other number if an "
        "error occurred. In a subclass, the set of possible return "
        "codes could be specified, using a ValueMap qualifier on "
        "the method. The strings to which the ValueMap contents are "
        "'translated' may also be specified in the subclass as a "
        "Values array qualifier.\n"
        "Note: If an error occurs in applying the Setting to a "
        "ManagedSystemElement, the Element must be configured as "
        "when the 'apply' attempt began. That is, the Element "
        "should NOT be left in an indeterminate state.") ]
    uint32 ApplyIncrementalChangeToMSE(
                      [IN] CIM_ManagedSystemElement ref MSE,
                      [IN] datetime TimeToApply,
                      [IN] datetime MustBeCompletedBy,
                      [IN] string PropertiesToApply[]);

    [Description (
        "The VerifyOKToApplyIncrementalChangeToCollection method "
        "is used to verify that a subset of the properties in "
        "this Setting can be 'applied' to the referenced "
        "Collection of ManagedSystemElements, at the given time "
        "or time interval, without causing adverse effects to "
        "either the Collection itself or its surrounding "
        "environment. The net effect is to execute the "
        "VerifyOKToApplyIncrementalChangeToMSE method "
        "against each of the Elements "
        "aggregated by the Collection. This method takes four "
        "input parameters: Collection (the Collection of Managed"
        "SystemElements that is being verified), TimeToApply (which, "
        "being a datetime, can be either a specific time or a time "
        "interval), MustBeCompletedBy (which indicates the "
        "required completion time for the method), and a "
        "PropertiesToApply array (which contains a list of the "
        "property names whose values will be verified. "
        "If the array is null or empty or contains the string \"all\" "
        "as a property name then all Settings properties shall be "
        "verified. If it is set to \"none\" then no Settings "
        "properties will be verified). The return "
        "value should be 0 if it is OK to apply the Setting, 1 if "
        "the method is not supported, 2 if the Setting can not be "
        "applied within the specified times, and any other number if "
        "an error occurred. One output parameter is defined - "
        "CanNotApply - which is a string array that lists the keys of "
        "the ManagedSystemElements to which the Setting can NOT be "
        "applied. This enables those Elements to be revisited and "
        "either fixed, or other corrective action taken.\n"
        "In a subclass, the set of possible return codes could be "
        "specified, using a ValueMap qualifier on the method. The "
        "strings to which the ValueMap contents are 'translated' may "
        "also be specified in the subclass as a Values array "
        "qualifier.") ]
    uint32 VerifyOKToApplyIncrementalChangeToCollection (
                      [IN] CIM_CollectionOfMSEs ref Collection,
                      [IN] datetime TimeToApply,
                      [IN] datetime MustBeCompletedBy,
                      [IN] string PropertiesToApply[],
                      [OUT] string CanNotApply[]);

    [Description (
        "The ApplyIncrementalChangeToCollection method performs "
        "the application of a subset of the properties in this "
        "Setting to the referenced Collection of ManagedSystem"
        "Elements. The net effect is to execute the "
        "ApplyIncrementalChangeToMSE "
        "method against each of the Elements aggregated by the "
        "Collection. If the input value ContinueOnError is FALSE, "
        "this method applies the Setting to all Elements in the "
        "Collection until it encounters an error, in which case it "
        "stops execution, logs the key of the Element that caused "
        "the error in the CanNotApply array, and issues a return code "
        "of 2. If the input value ContinueOnError is TRUE, then this "
        "method applies the Setting to all the ManagedSystemElements "
        "in the Collection, and reports the failed Elements in the "
        "array, CanNotApply. For the latter, processing will continue "
        "until the method is applied to all Elements in the "
        "Collection, regardless of any errors encountered. The key of "
        "each ManagedSystemElement to which the Setting could not be "
        "applied is logged into the CanNotApply array. This method "
        "takes five input parameters: Collection (the Collection of "
        "Elements to which the Setting is being applied), TimeToApply "
        "(which, being a datetime, can be either a specific time or a "
        "time interval), ContinueOnError (TRUE means to continue "
        "processing on encountering an error), MustBeCompletedBy "
        "(which indicates the required completion time for the "
        "method), and a PropertiesToApply array (which contains a list "
        "of the property names whose values will be applied. If a "
        "property is not in this list, it will be ignored by "
        "the apply. "
        "If the array is null or empty or contains the string \"all\" "
        "as a property name then all Settings properties shall be "
        "applied. If it is set to \"none\" then no Settings "
        "properties will be applied). "
        "The return value should be 0 if the Setting is "
        "successfully applied to the referenced Collection, 1 if the "
        "method is not supported, 2 if the Setting was not applied "
        "within the specified times, 3 if the Setting can not be "
        "applied using the input value for ContinueOnError, and any "
        "other number if an error occurred. One output parameter is "
        "defined, CanNotApply, which is a string array that lists "
        "the keys of the ManagedSystemElements to which the Setting "
        "was NOT able to be applied. This output parameter has "
        "meaning only when the ContinueOnError parameter is TRUE.\n"
        "In a subclass, the set of possible return codes could be "
        "specified, using a ValueMap qualifier on the method. The "
        "strings to which the ValueMap contents are 'translated' may "
        "also be specified in the subclass as a Values array "
        "qualifier.\n"
        "Note: if an error occurs in applying the Setting to a "
        "ManagedSystemElement in the Collection, the Element must be "
        "configured as when the 'apply' attempt began. That is, the "
        "Element should NOT be left in an indeterminate state.") ]
    uint32 ApplyIncrementalChangeToCollection(
                      [IN] CIM_CollectionOfMSEs ref Collection,
                      [IN] datetime TimeToApply,
                      [IN] boolean ContinueOnError,
                      [IN] datetime MustBeCompletedBy,
                      [IN] string PropertiesToApply[],
                      [OUT] string CanNotApply[]);
};

// ==================================================================
// CIM_SystemSetting
// ==================================================================
[Abstract, Description (
    "CIM_SystemSetting represents the general concept "
    "of a CIM_Setting which is scoped by/weak to a System.")]
class CIM_SystemSetting : CIM_Setting
{
    [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256),
     Description ("The scoping System's CreationClassName.") ]
    string SystemCreationClassName;

    [Propagated ("CIM_System.Name"), Key, MaxLen (256),
     Description ("The scoping System's Name.") ]
    string SystemName;

    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.") ]
    string CreationClassName;

    [Override ("SettingID"), Key, MaxLen (256)]
    string SettingID;
};

// ==================================================================
// System
// ==================================================================
[Abstract, Description (
    "A CIM_System is a LogicalElement that aggregates an "
    "enumerable set of Managed System Elements. The aggregation "
    "operates as a functional whole. Within any particular "
    "subclass of System, there is a well-defined list of "
    "Managed System Element classes whose instances must be "
    "aggregated.") ]
class CIM_System : CIM_LogicalElement
{
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.") ]
    string CreationClassName;

    [Key, MaxLen (256), Override ("Name"), Description (
        "The inherited Name serves as key of a System instance in "
        "an enterprise environment.") ]
    string Name;

    [MaxLen (64), Description (
        "The System object and its derivatives are Top Level Objects "
        "of CIM. They provide the scope for numerous components. "
        "Having unique System keys is required. A heuristic can be "
        "defined in individual System subclasses to attempt to always "
        "generate the same System Name Key. The NameFormat property "
        "identifies how the System name was generated, using "
        "the subclass' heuristic.") ]
    string NameFormat;

    [MaxLen (256), Description (
        "A string that provides information on how the primary system "
        "owner can be reached (e.g. phone number, email address, "
        "...)."),
     MappingStrings {"MIF.DMTF|General Information|001.3"} ]
    string PrimaryOwnerContact;

    [MaxLen (64), Description (
        "The name of the primary system owner."),
     MappingStrings {"MIF.DMTF|General Information|001.4"} ]
    string PrimaryOwnerName;

    [Description (
        "An array (bag) of strings that specify the roles this System "
        "plays in the IT-environment. Subclasses of System may "
        "override this property to define explicit Roles values. "
        "Alternately, a Working Group may describe the heuristics, "
        "conventions and guidelines for specifying Roles. For "
        "example, for an instance of a networking system, the Roles "
        "property might contain the string, 'Switch' or 'Bridge'.") ]
    string Roles[];
};

// ==================================================================
// Service
// ==================================================================
[Abstract, Description (
    "A CIM_Service is a Logical Element that contains the "
    "information necessary to represent and manage the "
    "functionality provided by a Device and/or SoftwareFeature. "
    "A Service is a general-purpose object to configure and "
    "manage the implementation of functionality. It is not the "
    "functionality itself.") ]
class CIM_Service : CIM_LogicalElement
{
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.") ]
    string CreationClassName;

    [Override ("Name"), Key, MaxLen (256), Description (
        "The Name property uniquely identifies the Service and "
        "provides an indication of the functionality that is "
        "managed. This functionality is described in more detail in "
        "the object's Description property.") ]
    string Name;

    [MaxLen (10), Description (
        "StartMode is a string value indicating whether the Service "
        "is automatically started by a System, Operating System, etc. "
        "or only started upon request."),
     ValueMap {"Automatic", "Manual"} ]
    string StartMode;

    [Description (
        "Started is a boolean indicating whether the Service "
        "has been started (TRUE), or stopped (FALSE).") ]
    boolean Started;

    [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256),
     Description ("The scoping System's CreationClassName.") ]
    string SystemCreationClassName;

    [Propagated ("CIM_System.Name"), Key, MaxLen (256),
     Description ("The scoping System's Name.") ]
    string SystemName;

    [Description (
        "The StartService method places the Service in the started "
        "state. It returns an integer value of 0 if the Service was "
        "successfully started, 1 if the request is not supported and "
        "any other number to indicate an error. In a subclass, the "
        "set of possible return codes could be specified, using a "
        "ValueMap qualifier on the method. The strings to which the "
        "ValueMap contents are 'translated' may also be specified in "
        "the subclass as a Values array qualifier.") ]
    uint32 StartService();

    [Description (
        "The StopService method places the Service in the stopped "
        "state. It returns an integer value of 0 if the Service was "
        "successfully stopped, 1 if the request is not supported and "
        "any other number to indicate an error. In a subclass, the "
        "set of possible return codes could be specified, using a "
        "ValueMap qualifier on the method. The strings to which the "
        "ValueMap contents are 'translated' may also be specified in "
        "the subclass as a Values array qualifier.") ]
    uint32 StopService();
};

// ==================================================================
// ServiceAccessPoint
// ==================================================================
[Abstract, Description (
    "CIM_ServiceAccessPoint represents the ability to utilize or "
    "invoke a Service. Access points represent that a Service is "
    "made available to other entities for use.") ]
class CIM_ServiceAccessPoint : CIM_LogicalElement
{
    [Key, MaxLen (256), Description (
        "CreationClassName indicates the name of the class or the "
        "subclass used in the creation of an instance. When used "
        "with the other key properties of this class, this property "
        "allows all instances of this class and its subclasses to "
        "be uniquely identified.") ]
    string CreationClassName;

    [Override ("Name"), Key, MaxLen (256), Description (
        "The Name property uniquely identifies the ServiceAccessPo

int "
        "and provides an indication of the functionality that is "
        "managed. This functionality is described in more detail in "
        "the object's Description property.") ]
    string Name;

    [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256),
     Description ("The scoping System's CreationClassName.") ]
    string SystemCreationClassName;

    [Propagated ("CIM_System.Name"), Key, MaxLen (256),
     Description ("The scoping System's Name.") ]
    string SystemName;
};

// ==================================================================
// === Association class definitions ===
// ==================================================================

// ==================================================================
// Component
// ==================================================================
[Association, Abstract, Aggregation, Description (
    "CIM_Component is a generic association used to establish "
    "'part of' relationships between Managed System Elements. For "
    "example, the SystemComponent association defines parts of "
    "a System.") ]
class CIM_Component
{
    [Aggregate, Key, Description (
        "The parent element in the association.") ]
    CIM_ManagedSystemElement REF GroupComponent;

    [Key, Description ("The child element in the association.") ]
    CIM_ManagedSystemElement REF PartComponent;
};

// ==================================================================
// Dependency
// ==================================================================
[Association, Abstract, Description (
    "CIM_Dependency is a generic association used to establish "
    "dependency relationships between ManagedElements.") ]
class CIM_Dependency
{
    [Key, Description (
        "Antecedent represents the independent object in this "
        "association.") ]
    CIM_ManagedElement REF Antecedent;

    [Key, Description (
        "Dependent represents the object dependent on the "
        "Antecedent.") ]
    CIM_ManagedElement REF Dependent;
};

// ===================================================================
// ElementSetting
// ===================================================================
[Association, Description (
    "ElementSetting represents the association between Managed"
    "SystemElements and the Setting class(es) defined for them.") ]
class CIM_ElementSetting
{
    [Key, Description ("The ManagedSystemElement.") ]
    CIM_ManagedSystemElement REF Element;

    [Key, Description (
        "The Setting object associated with the ManagedSystem"
        "Element.") ]
    CIM_Setting REF Setting;
};

// ==================================================================
// MemberOfCollection
// ==================================================================
[Association, Aggregation, Description (
    "CIM_MemberOfCollection is an aggregation used to establish "
    "membership of ManagedElements in a Collection."
) ] Jason, et al Expires September 2001 [Page 88] Internet Draft IPsec Configuration Policy Model March 2001 class CIM_MemberOfCollection { [Key, Aggregate, Description ("The Collection that aggregates members") ] CIM_Collection REF Collection; [Key, Description ("The aggregated member of the collection.") ] CIM_ManagedElement REF Member; }; // ================================================================== // CIM_SystemSettingContext // ================================================================== [Association, Aggregation, Description ( "This relationship associates System-specific Configuration " "objects with System-specific Setting objects, similar to " "the " "SettingContext association.")] class CIM_SystemSettingContext { [Aggregate, Key, Description ( "The Configuration object that aggregates the Setting.") ] CIM_SystemConfiguration REF Context; [Key, Description ("An aggregated Setting.")] CIM_SystemSetting REF Setting; }; Jason, et al Expires September 2001 [Page 89] Internet Draft IPsec Configuration Policy Model March 2001 Appendix B (DMTF User Model MOF) // ================================================================== // OrganizationalEntity // ================================================================== [Abstract, Description ( "OrganizationalEntity is an abstract class from which classes " "that fit into an organizational structure are derived.") ] class CIM_OrganizationalEntity : CIM_ManagedElement { }; // ================================================================== // UserEntity // ================================================================== [Abstract, Description ( "UserEntity is an abstract class that represents users.") ] class CIM_UserEntity : CIM_OrganizationalEntity { }; // ================================================================== // UsersAccess // ================================================================== [Description ( "The UsersAccess object class is used to specify a system user " "that 
permitted access to system resources. The ManagedElement " "that has access to system resources (represented in the model in " "the ElementAsUser association) may be a person, a service, a " "service access point or any collection thereof. Whereas the " "Account class represents the user's relationship to a system " "from the perspective of the security services of the system, the " "UserAccess class represents the relationships to the systems " "independent of a particular system or service.") ] class CIM_UsersAccess: CIM_UserEntity { [Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, this property " "allows all instances of this class and its subclasses to " "be uniquely identified.")] string CreationClassName; [Key, MaxLen (256),Description ( "The Name property defines the label by which the object is " "known.")] string Name; [Key, Description ( "The ElementID property uniquely specifies the ManagedElement " "object instance that is the user represented by the " "UsersAccess object instance. The ElementID is formatted " "similarly to a model path except that the property-value " "pairs are ordered in alphabetical order (US ASCII lexical " Jason, et al Expires September 2001 [Page 90] Internet Draft IPsec Configuration Policy Model March 2001 "order).")] string ElementID; [Description ( "Biometric information used to identify a person. 
The " "property value is left null or set to 'N/A' for non-human " "user or a user not using biometric information for " "authentication."), Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger", "Voice", "DNA-RNA", "EEG"} ] uint16 Biometric[]; }; // ================================================================== // SecurityService // ================================================================== [ Abstract, Description ( "CIM_SecurityService ...") ] class CIM_SecurityService:CIM_Service { }; // ================================================================== // AuthenticationService // ================================================================== [Description ( "CIM_AuthenticationService verifies users' identities through " "some means. These services are decomposed into a subclass that " "provides credentials to users and a subclass that provides for " "the verification of the validity of a credential and, perhaps, " "the appropriateness of its use for access to target resources. 
" "The persistent state information used from one such verification " "to another is maintained in an Account for that Users Access on " "that AuthenticationService.") ] class CIM_AuthenticationService:CIM_SecurityService { }; // ================================================================== // CredentialManagementService // ================================================================== [Description ( "CIM_CredentialManagementService issues credentials and manages " "the credential lifecycle.") ] class CIM_CredentialManagementService:CIM_AuthenticationService { }; // ================================================================== // CertificateAuthority // ================================================================== [Description ("A Certificate Authority (CA) is a credential " "management service that issues and cryptographically " "signs certificates thus acting as an trusted third-party " Jason, et al Expires September 2001 [Page 91] Internet Draft IPsec Configuration Policy Model March 2001 "intermediary in establishing trust relationships. The CA " "authenicates the holder of the private key related to the " "certificate's public key; the authenicated entity is " "represented by the UsersAccess class.") ] class CIM_CertificateAuthority:CIM_CredentialManagementService { [Description ( "The CAPolicyStatement describes what care is taken by the " "CertificateAuthority when signing a new certificate. " "The CAPolicyStatment may be a dot-delimited ASN.1 OID " "string which identifies to the formal policy statement.") ] string CAPolicyStatement; [Description ( "A CRL, or CertificateRevocationList, is a " "list of certificates which the CertificateAuthority has " "revoked and which are not yet expired. 
Revocation is " "necessary when the private key associated with the public " "key of a certificate is lost or compromised, or when the " "person for whom the certificate is signed no longer is " "entitled to use the certificate."), Octetstring ] string CRL[]; [Description ("Certificate Revocation Lists may be " "available from a number of distribution points. " "CRLDistributionPoint array values provide URIs for those " "distribution points.")] string CRLDistributionPoint[]; [Description ( "Certificates refer to their issuing CA by " "its Distinguished Name (as defined in X.501)."), DN] string CADistinguishedName; [Description ( "The frequency, expressed in hours, at which " "the CA will update its Certificate Revocation List. Zero " "implies that the refresh frequency is unknown."), Units("Hours")] uint8 CRLRefreshFrequency; [Description ( "The maximum number of certificates in a " "certificate chain permitted for credentials issued by " "this certificate authority or it's subordinate CAs.\n" "The MaxChainLength of a superior CA in the trust " "hierarchy should be greater than this value and the " "MaxChainLength of a subordinate CA in the trust hierarchy " "should be less than this value.")] uint8 MaxChainLength; }; // ================================================================== // KerberosKeyDistributionCenter // ================================================================== [Description ( "CIM_KerberosKeyDistributionCenter ...") ] class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService { [Override ("Name"), Description ("The Realm served by this KDC.")] string Name; Jason, et al Expires September 2001 [Page 92] Internet Draft IPsec Configuration Policy Model March 2001 [Description ("The version of Kerberos supported by this " "service."), Values {"V4", "V5", "DCE", "MS"} ] uint16 Protocol[]; }; // ================================================================== // Notary // 
================================================================== [Description ( "CIM_Notary is an AuthenticationService (credential " "management service) which compares the " "biometric characteristics of a person with the " "known characteristics of an Users Access, and determines " "whether the person is the UsersAccess. An example is " "a bank teller who compares a picture ID with the person " "trying to cash a check, or a biometric login service that " "uses voice recognition to identify a user.") ] class CIM_Notary:CIM_CredentialManagementService { [Description ( "The types of biometric information which " "this Notary can compare."), Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger", "Voice", "DNA-RNA", "EEG"} ] uint16 Comparitors; [Description ( "The SealProtocol is how the decision of the Notary is " "recorded for future use by parties who will rely on its " "decision. For instance, a drivers licence frequently " "includes tamper-resistent coatings and markings to protect " "the recorded decision that a driver, having various " "biometric characteristics of height, weight, hair and eye " "color, using a particular name, has features represented in " "a photograph of their face.")] string SealProtocol; [Description ( "CharterIssued documents when the Notary is first " "authorized, by whoever gave it responsibility, to perform " "its service.")] datetime CharterIssued; [Description ( "CharterExpired documents when the Notary is no longer " "authorized, by whoever gave it responsibility, to perform " "its service.")] datetime CharterExpired; }; // ================================================================== // LocalCredentialManagementService // ================================================================== [Description ( "CIM_LocalCredentialManagementService is a credential " "management service that provides local system " Jason, et al Expires September 2001 [Page 93] Internet Draft IPsec Configuration Policy Model March 2001 
"management of credentials used by the local system.") ] class CIM_LocalCredentialManagementService:CIM_CredentialManagementService { }; // ================================================================== // SharedSecretService // ================================================================== [Description ( "CIM_SharedSecretService is a service which ascertains " "whether messages received are from the Principal with " "whom a secret is shared. Examples include a login " "service that proves identity on the basis of knowledge of " "the shared secret, or a transport integrity service (like " "Kerberos provides) that includes a message authenticity " "code that proves each message in the messsage stream came " "from someone who knows the shared secret session key.")] class CIM_SharedSecretService:CIM_LocalCredentialManagementService { [MaxLen (256), Description ( "The Algorithm used to convey the shared secret, such as " "HMAC-MD5,or PLAINTEXT.") ] string Algorithm; [Description ( "The Protocol supported by the SharedSecretService.")] string Protocol; }; // ================================================================== // PublicKeyManagementService // ================================================================== [Description ( "CIM_PublicKeyManagementService is a credential management " "service that provides local system management of public " "keys used by the local system.") ] class CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService { }; // ================================================================== // Credential // ================================================================== [Abstract, Description ( "Subclasses of CIM_Credential define materials, " "information, or other data which are used to prove the " "identity of a CIM_UsersAccess to a particular " "CIM_SecurityService. 
Generally, there may be some shared " "information, or credential material which is used to " "identify and authenticate ones self in the process of " "gaining access to, or permission to use, an Account. " "Such credential material may be used to authenticate a " Jason, et al Expires September 2001 [Page 94] Internet Draft IPsec Configuration Policy Model March 2001 "users access identity initially, as done by a " "CIM_AuthenticationService (see later), and additionally on " "an ongoing basis during the course of a connection or " "other security association, as proof that each received " "message or communication came from the owning user access " "of " "that credential material.") ] class CIM_Credential:CIM_ManagedElement { }; // ================================================================== // PublicKeyCertificate // ================================================================== [Description ("A Public Key Certificate is a credential " "that is cryptographically signed by a trusted Certificate " "Authority (CA) and issued to an authenticated entity " "(e.g., human user, service,etc.) called the Subject in " "the certificate and represented by the UsersAccess class. " "The public key in the certificate is cryptographically " "related to a private key that is to be held and kept " "private by the authenticated Subject. The certificate " "and its related private key can then be used for " "establishing trust relationships and securing " "communications with the Subject. 
Refer to the ITU/CCITT " "X.509 standard as an example of such certificates.") ] class CIM_PublicKeyCertificate:CIM_Credential { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Propagated ("CIM_CertificateAuthority.CreationClassName"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_CertificateAuthority.Name"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceName; [Key, MaxLen (256), Description ( "Certificate subject identifier")] string Subject; [MaxLen (256), Description ( "Alternate subject identifier for the Certificate.")] string AltSubject; [Description ("The DER-encoded raw public key."), Octetstring] uint8 PublicKey[]; }; // ================================================================== // UnsignedPublicKey // ================================================================== Jason, et al Expires September 2001 [Page 95] Internet Draft IPsec Configuration Policy Model March 2001 [Description ( "A CIM_UnsignedPublicKey represents an unsigned public " "key credential. 
The local UsersAccess (or subclass " "thereof) accepts the public key as authentic because of " "a direct trust relationship rather than via a third-party " "Certificate Authority.") ] class CIM_UnsignedPublicKey:CIM_Credential { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Propagated ("CIM_PublicKeyManagementService.CreationClassName"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_PublicKeyManagementService.Name"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceName; [Key, MaxLen (256), Description ( "The Identity of the Peer with whom a direct trust " "relationship exists. The public key may be used for " "security functions with the Peer."), ModelCorrespondence {"CIM_PublicKeyManagementService.PeerIdentityType" } ] string PeerIdentity; [Description ("PeerIdentityType is used to describe the " "type of the PeerIdentity. The currently defined values " "are used for IKE identities."), ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"}, Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"}, ModelCorrespondence {"CIM_PublicKeyManagementService.PeerIdentity" } ] uint16 PeerIdentityType; [Description ("The DER-encoded raw public key."), Octetstring] uint8 PublicKey[]; }; // ================================================================== // KerberosTicket // ================================================================== [Description ( "A CIM_KerberosTicket represents a credential issued by a " "particular Kerberos Key Distribution Center (KDC) " "to a particular CIM_UsersAccess as the result of a " "successful authentication process. 
There are two types of " Jason, et al Expires September 2001 [Page 96] Internet Draft IPsec Configuration Policy Model March 2001 "tickets that a KDC may issue to a Users Access - a " "TicketGranting ticket, which is used to protect and " "authenticate communications between the Users Access and " "the " "KDC, and a Session ticket, which the KDC issues to two " "Users Access to allow them to communicate with each other. " ) ] class CIM_KerberosTicket:CIM_Credential { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Key, MaxLen (256), Propagated ("CIM_KerberosKeyDistributionCenter.CreationClassName"), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_KerberosKeyDistributionCenter.Name"), Key, MaxLen (256), Description ("Scoping Service. The Kerberos KDC Realm of " "CIM_KerberosTicket is used to record the security " "authority, or Realm, name so that tickets issued by " "different Realms can be separately managed and " "enumerated.")] string ServiceName; [Key, MaxLen (256), Description ("The name of the service " "for which this ticket is used.")] string AccessesService; [Key, MaxLen (256), Description ( "RemoteID is the name by which the user is known at " "the KDC security service.")] string RemoteID; datetime Issued; datetime Expires; [Description ( "The Type of CIM_KerberosTicket is used to indicate whether " "the ticket in question was issued by the Kerberos Key " "Distribution Center (KDC) to support ongoing communication " "between the Users Access and the KDC (\"TicketGranting\"), " "or was issued by the KDC to support ongoing communication " "between two Users Access entities (\"Session\")." 
), Values {"Session", "TicketGranting"}] uint16 TicketType; }; // ================================================================== // SharedSecret // ================================================================== [Description ( "CIM_SharedSecret is the secret shared between a Users " "Access " Jason, et al Expires September 2001 [Page 97] Internet Draft IPsec Configuration Policy Model March 2001 "and a particular SharedSecret security service. Secrets " "may be in the form of a password used for initial " "authentication, or as with a session key, used as part of " "a message authentication code to verify that a message " "originated by the pricinpal with whom the secret is shared. " "It is important to note that SharedSecret is not just the " "password, but rather is the password used with a particular " "security service.")] class CIM_SharedSecret:CIM_Credential { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Key, MaxLen (256), Propagated ("CIM_SharedSecretService.CreationClassName"), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_SharedSecretService.Name"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceName; [Key, MaxLen (256), Description ( "RemoteID is the name by which the user is known at " "the remote secret key authentication service.")] string RemoteID; [Description ( "secret is the secret known by the Users Access.")] string secret; [Description ( "algorithm names the transformation algorithm, if any, used " "to protect passwords before use in the protocol. 
For " "instance, Kerberos doesn't store passwords as the shared " "secret, but rather, a hash of the password.")] string algorithm; [Description ( "protocol names the protocol with which the SharedSecret is " "used.")] string protocol; }; // ================================================================== // NamedSharedIKESecret // ================================================================== [Description ( "CIM_NamedSharedIKESecret indirectly represents a shared " "secret credential. The local identity, IKEIdentity, " "and the remote peer identity share the secret that is " "named by the SharedSecretName. The SharedSecretName is " "used SharedSecretService to reference the secret.") ] class CIM_NamedSharedIKESecret:CIM_Credential Jason, et al Expires September 2001 [Page 98] Internet Draft IPsec Configuration Policy Model March 2001 { [Propagated ("CIM_System.CreationClassName"), Key, MaxLen (256), Description ("Scoping System")] string SystemCreationClassName; [Propagated ("CIM_System.Name"), Key, MaxLen (256),Description ("Scoping System")] string SystemName; [Propagated ("CIM_SharedSecretService.CreationClassName"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceCreationClassName; [Propagated ("CIM_SharedSecretService.Name"), Key, MaxLen (256), Description ("Scoping Service")] string ServiceName; [Key, MaxLen (256), Description ( "The local Identity with whom the direct trust " "relationship exists."), ModelCorrespondence {"CIM_NamedSharedIKESecret.LocalIdentityType" } ] string LocalIdentity; [Key, Description ("LocalIdentityType is used to describe " "the type of the LocalIdentity."), ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"}, Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"}, ModelCorrespondence {"CIM_NamedSharedIKESecret.LocalIdentity" } ] uint16 LocalIdentityType; [Key, MaxLen (256), 
Description ( "The peer identity with whom the direct trust " "relationship exists."), ModelCorrespondence {"CIM_NamedSharedIKESecret.PeerIdentityType" } ] string PeerIdentity; [Key, Description ("PeerIdentityType is used to describe " "the type of the PeerIdentity."), ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11"}, Values {"IPV4_ADDR", "FQDN", "USER_FQDN", "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET", "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN", "DER_ASN1_GN", "KEY_ID"}, ModelCorrespondence {"CIM_NamedSharedIKESecret.PeerIdentity" } ] uint16 PeerIdentityType; [Description ("SharedSecretName is an indirect reference " "to a shared secret. The SecretService does not expose " "the actual secret but rather provides access to the " "secret via a name.")] string SharedSecretName; }; Jason, et al Expires September 2001 [Page 99] Internet Draft IPsec Configuration Policy Model March 2001 // ================================================================== // === Association class definitions === // ================================================================== // ================================================================== // ElementAsUser // ================================================================== [Association, Description ( "CIM_ElementAsUser is an association used to establish the " "'ownership' of UsersAccess object instances. That is, the " "ManagedElement may have UsersAccess to systems and, therefore, " "be 'users' on those systems. UsersAccess instances must have an " "'owning' ManagedElement. Typically, the ManagedElements will be " "limited to Collection, Person, Service and ServiceAccessPoint. 
" "Other non-human ManagedElements that might be thought of as " "having UsersAccess (e.g., a device or system) have services that " "have the UsersAccess.")] class CIM_ElementAsUser : CIM_Dependency { [Min (1), Max (1), Override ("Antecedent"), Description ("The ManagedElement that has UsersAccess") ] CIM_ManagedElement REF Antecedent; [Override ("Dependent"), Description ("The 'owned' UsersAccess") ] CIM_UsersAccess REF Dependent; }; // ================================================================== // UsersCredential // ================================================================== [Association, Description ( "CIM_UsersCredential is an association used to establish the " "credentials that may be used for a UsersAccess to a system or " "set of systems. " )] class CIM_UsersCredential : CIM_Dependency { [Override ("Antecedent"), Description ("The issued credential that may be used.") ] CIM_Credential REF Antecedent; [Override ("Dependent"), Description ("The UsersAccess that has use of a credential") ] CIM_UsersAccess REF Dependent; }; // =================================================================== // PublicPrivateKeyPair // =================================================================== [Association, Description ( "This relationship associates a PublicKeyCertificate with " "the Principal who has the PrivateKey used with the " "PublicKey. 
The PrivateKey is not modeled, since it is not " "a data element that ever SHOULD be accessible via " Jason, et al Expires September 2001 [Page 100] Internet Draft IPsec Configuration Policy Model March 2001 "management applications, other than key recovery services, " "which are outside our scope.") ] class CIM_PublicPrivateKeyPair:CIM_UsersCredential { [ Override ("Antecedent") ] CIM_PublicKeyCertificate REF Antecedent; [ Override ("Dependent") ] CIM_UsersAccess REF Dependent; [Description ( "The Certificate may be used for signature " "only " "or for confidentiality as well as signature"), Values { "SignOnly", "ConfidentialityOrSignature"} ] uint16 Use; boolean NonRepudiation; boolean BackedUp; [Description ("The repository in which the certificate is " "backed up.")] string Repository; }; // =================================================================== // CAHasPublicCertificate // =================================================================== [Association, Description ( "A CertificateAuthority may have certificates issued by other CAs. 
" "This association is essentially an optimization of the CA having " "a UsersAccess instance with an association to a certificate thus " "mapping more closely to LDAP-based certificate authority " "implementations.") ] class CIM_CAHasPublicCertificate:CIM_Dependency { [Max (1), Override ("Antecedent"), Description ("The Certificate used by the CA")] CIM_PublicKeyCertificate REF Antecedent; [Override ("Dependent"), Description ("The CA that uses a Certificate")] CIM_CertificateAuthority REF Dependent; }; // =================================================================== // ManagedCredential // =================================================================== [Association, Description ( "This relationship associates a CredentialManagementService " "with the Credential it manages.") ] class CIM_ManagedCredential:CIM_Dependency { [Override ("Antecedent"), Min (1), Max (1), Description ( "The credential management service")] CIM_CredentialManagementService REF Antecedent; [Override ("Dependent"), Description ( "The managed credential")] Jason, et al Expires September 2001 [Page 101] Internet Draft IPsec Configuration Policy Model March 2001 CIM_Credential REF Dependent; }; // =================================================================== // CASignsPublicKeyCertificate // =================================================================== [Association, Description ( "This relationship associates a CertificateAuthority with " "the certificates it signs.") ] class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ( "The CA which signed the certificate")] CIM_CertificateAuthority REF Antecedent; [Override ("Dependent"), Weak, Description ( "The certificate issued by the CA")] CIM_PublicKeyCertificate REF Dependent; string SerialNumber; [ Octetstring ] uint8 Signature[]; datetime Expires; string CRLDistributionPoint[]; }; // ================================================================== // 
LocallyManagedPublicKey // ================================================================== [Association, Description ( "CIM_LocallyManagedPublicKey association provides the " "relationship between a PublicKeyManagementService and an " "UnsignedPublicKey.") ] class CIM_LocallyManagedPublicKey:CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ("The PublicKeyManagementService that manages " "an unsigned public key.") ] CIM_PublicKeyManagementService REF Antecedent; [Override ("Dependent"), Weak, Description ( "An unsigned public key.") ] CIM_UnsignedPublicKey REF Dependent; }; // =================================================================== // SharedSecretIsShared // =================================================================== [Association, Description ( "This relationship associates a SharedSecretService with the " "SecretKey it verifies.") ] class CIM_SharedSecretIsShared : CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ("The credential management service")] CIM_SharedSecretService REF Antecedent; Jason, et al Expires September 2001 [Page 102] Internet Draft IPsec Configuration Policy Model March 2001 [Override ("Dependent"), Weak, Description ( "The managed credential")] CIM_SharedSecret REF Dependent; }; // ================================================================== // IKESecretIsNamed // ================================================================== [Association, Description ( "CIM_IKESecretIsNamed association provides the " "relationship between a SharedSecretService and a " "NamedSharedIKESecret.") ] class CIM_IKESecretIsNamed:CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ("The SharedSecretService that manages a " "NamedSharedIKESecret.")] CIM_SharedSecretService REF Antecedent; [Override ("Dependent"), Weak, Description ( "The managed NamedSharedIKESecret.") ] CIM_NamedSharedIKESecret REF Dependent; }; // 
=================================================================== // KDCIssuesKerberosTicket // =================================================================== [Association, Description ( "The KDC issues and owns Kerberos tickets. This association " "captures the relationship between the KDC and its issued tickets." ) ] class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential { [Override ("Antecedent"), Min (1), Max (1), Description ( "The issuing KDC") ] CIM_KerberosKeyDistributionCenter REF Antecedent; [Override ("Dependent"), Weak, Description ( "The managed credential")] CIM_KerberosTicket REF Dependent; }; // =================================================================== // NotaryVerifiesBiometric // =================================================================== [Association, Description ( "This relationship associates a Notary service with the " "Users Access whose biometric information is verified.") ] class CIM_NotaryVerifiesBiometric : CIM_Dependency { [Override ("Antecedent"), Description ("The Notary service that verifies biometric " "information ") ] CIM_Notary REF Antecedent; [Override ("Dependent"), Jason, et al Expires September 2001 [Page 103] Internet Draft IPsec Configuration Policy Model March 2001 Description ( "The UsersAccess that represents a person using " "biometric information for authentication.")] CIM_UsersAccess REF Dependent; }; Jason, et al Expires September 2001 [Page 104] Internet Draft IPsec Configuration Policy Model March 2001 Appendix C (DMTF Network Model MOF) // ================================================================== // NetworkService // ================================================================== [Abstract, Description ( "This is an abstract base class, derived from the Service " "class. It serves as the root of the network service " "hierarchy. Network services represent generic functions " "that are available from the network that configure and/or " "modify the traffic being sent. 
For example, FTP is not a " "network service, as it simply passes data unchanged from " "source to destination. On the other hand, services " "that provide quality of service (e.g., DiffServ) and " "security (e.g., IPSec) do affect the traffic stream. " "Quality of service, IPSec, and other services are " "subclasses of this class. This class hierarchy enables " "developers to match services to users, groups, " "and other objects in the network.") ] class CIM_NetworkService : CIM_Service { [Description ( "This is a free-form array of strings that provide " "descriptive words and phrases that can be used in queries " "to help locate and identify instances of this service.") ] string Keywords [ ]; [Description ( "This is a URL that provides the protocol, network " "location, and other service-specific information required " "in order to access the service. This should be implemented " "as a LabeledURI, with syntax DirectoryString and a " "matching rule of CaseExactMatch, for directory " "implementors.") ] string ServiceURL; [Description ( "This is a free-form array of strings that specify any " "specific pre-conditions that must be met in order for this " "service to start correctly. It is expected that subclasses " "will refine the inherited StartService() and StopService()" "methods to suit their own application-specific needs. This " "property is used to specify application-specific conditions " "needed by the refined StartService and StopService" "methods.") ] string StartupConditions [ ]; [Description ( "This is a free-form array of strings that specify any " "specific parameters that must be supplied to the " "StartService() method in order for this service to start " "correctly. It is expected that subclasses will refine the " "inherited StartService() and StopService() methods to suit " "their own application-specific needs. 
This property is used " "to specify application-specific parameters needed by the " Jason, et al Expires September 2001 [Page 105] Internet Draft IPsec Configuration Policy Model March 2001 "refined StartService and StopService methods.") ] string StartupParameters [ ]; }; // ================================================================== // ProtocolEndpoint // ================================================================== [Description ( "A communication point from which data may be sent or " "received. ProtocolEndpoints link router interfaces and " "switch ports to LogicalNetworks.") ] class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint { [Override ("Name"), MaxLen(256), Description ( "A string which identifies this ProtocolEndpoint with either " "a port or an interface on a device. To ensure uniqueness, " "the Name property should be prepended or appended with " "information from the Type or OtherTypeDescription " "properties. The method chosen is described in the " "NameFormat property of this class.") ] string Name; [MaxLen (256), Description ( "NameFormat contains the naming heuristic that is chosen to " "ensure that the value of the Name property is unique. 
For " "example, one might choose to prepend the name of the port " "or interface with the Type of ProtocolEndpoint that this " "instance is (e.g., IPv4)followed by an underscore.") ] string NameFormat; [MaxLen (64), Description ( "ProtocolType is an enumeration that provides additional " "information that can be used to help categorize and " "classify different instances of this class."), ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21"}, Values { "Unknown", "Other", "IPv4", "IPv6", "IPX", "AppleTalk", "DECnet", "SNA", "CONP", "CLNP", "VINES", "XNS", "ATM", "Frame Relay", "Ethernet", "TokenRing", "FDDI", "Infiniband", "Fibre Channel", "ISDN BRI Endpoint", "ISDN B Channel Endpoint", "ISDN D Channel Endpoint" }, ModelCorrespondence { "CIM_ProtocolEndpoint.OtherTypeDescription"} ] string ProtocolType; [MaxLen(64), Description ( "A string describing the type of ProtocolEndpoint that this " "instance is when the Type property of this class (or any of " "its subclasses) is set to 1 (e.g., 'Other'). The format of " "the string inserted in this property should be similar in " "format to the values defined for the Type property. 
This " "property should be set to NULL when the Type property is " Jason, et al Expires September 2001 [Page 106] Internet Draft IPsec Configuration Policy Model March 2001 "any value other than 1."), ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} ] string OtherTypeDescription; }; // ================================================================== // IPProtocolEndpoint // ================================================================== [Description ( "A ProtocolEndpoint that is dedicated to running IP.") ] class CIM_IPProtocolEndpoint : CIM_ProtocolEndpoint { [Description ( "The IP address that this ProtocolEndpoint represents, " "formatted according to the appropriate convention as " "defined in the AddressType property of this class " " (e.g., 171.79.6.40).") ] string Address; [Description ( "The mask for the IP address of this ProtocolEndpoint, " "formatted according to the appropriate convention as " "defined in the AddressType property of this class " " (e.g., 255.255.252.0).") ] string SubnetMask; [Description ( "An enumeration that describes the format of the address " "property. Whenever possible, IPv4-compatible addresses " "should be used instead of native IPv6 addresses (see " "RFC 2373, section 2.5.4). In order to have a consistent " "format for IPv4 addresses in a mixed IPv4/v6 environment, " "all IPv4 addresses and both IPv4-compatible IPv6 addresses " "and IPv4-mapped IPv6 addresses, per RFC 2373, section " "2.5.4, should be formatted in standard IPv4 format. " "However, this (the 2.2) version of the Network Common " "Model will not explicitly support mixed IPv4/IPv6 " "environments. This will be added in a future release."), ValueMap { "0", "1", "2" }, Values { "Unknown", "IPv4", "IPv6" } ] uint16 AddressType; [Description ( "It is not possible to tell from the address alone if a " "given IPProtocolEndpoint can support IPv4 and IPv6, or " "just one of these. 
This property explicitly defines the " "support for different versions of IP that this " "IPProtocolEndpoint has. " "\n\n" "More implementation experience is needed in order to " "correctly model mixed IPv4/IPv6 networks; therefore, this " "version (2.2) of the Network Common Model will not support " "mixed IPv4/IPv6 environments. This will be looked at " "further in a future version."), ValueMap { "0", "1", "2" }, Jason, et al Expires September 2001 [Page 107] Internet Draft IPsec Configuration Policy Model March 2001 Values { "Unknown", "IPv4 Only", "IPv6 Only" } ] uint16 IPVersionSupport; }; // =================================================================== // CIM_FilterEntryBase // =================================================================== [Description ( " FilterEntryBase is an abstract class to define the naming " "of all filter entries, and to allow their common " "aggregation into FilterLists. The FilterEntry subclass " "represents packet filtering. Other types of Entries are " "possible - for example, to filter security credentials. \n" " FilterEntryBase is weak to the network device (e.g., the " "ComputerSystem) that contains it. Hence, the ComputerSystem " "keys are propagated to thisIPsec policy model. Additionally,class.") ] class CIM_FilterEntryBase : CIM_LogicalElement { [Propagated ("CIM_ComputerSystem.CreationClassName"), Key, MaxLen (256), Description ( "The scoping ComputerSystem's CreationClassName. ") ] string SystemCreationClassName; [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256), Description ( "The scoping ComputerSystem's Name.") ] string SystemName; [Key, MaxLen (256), Description ( "CreationClassName indicates the name of the class or the " "subclass used in the creation of an instance. When used " "with the other key properties of this class, thisdraft would not have been possible without the preceding IPsec schema drafts. 
For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan. 11. References [IKE] Harkins, D.,property " "allows all instances of this class andD. Carrel,its subclasses to " "be uniquely identified.") ] string CreationClassName; [Key, MaxLen (256), Description ( "TheInternet Key Exchange (IKE)", RFC 2409, November 1998. [COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP Payload Compression Protocol (IPComp)", RFC 2393, August 1998. [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload (ESP)", RFC 2406, November 1998. [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998. [PCIM] Moore, B.,Name property defines the label by which the Filter" "Entry is known andE. Ellesson, J. Strassner, "Policy Core Informationuniquely identified.") ] string Name; [Description ( "Boolean indicating that the match condition described " "in the properties of the FilterEntryBase subclass " "should be negated.") ] boolean IsNegated; }; // ================================================================== // FilterEntry // ================================================================== [Description ( "A FilterEntry is used by network devices to identify " Jason, et al Expires September 2001 [Page 108] Internet Draft IPsec Configuration Policy Model-- Version 1 Specification", draft-ietf-policy- core-infor-model-06.txt, May 2000. Internet-Draft workMarch 2001 "traffic and either forward them (with possibly further " "processing) to their destination, or to deny their " "forwarding. They are the building block of FilterLists." "\n\n" "This class is oriented towards packet filtering. Other " "subclasses of FilterEntryBase can be defined to do other " "types of filtering. " "\n\n" "A FilterEntry is weak to the network device (e.g., the " "ComputerSystem) that contains it. 
Hence, the ComputerSystem " "keys are propagated to this class.") ] class CIM_FilterEntry : CIM_FilterEntryBase { [Description ( "This defines the type of traffic that is being filtered. " "This will affect the filtering rules inprogress. [DOI] Piper, D., "The Internet IP Security Domainthe MatchCondition " "property ofInterpretation for ISAKMP", RFC 2407, November 1998. [LDAP] Wahl, M.,this class."), ValueMap { "0", "1", "2", "3" }, Values { "Unknown", "IPv4", "IPX", "IPv6" } ] uint16 TrafficType; [Description ( "This specifies one of a set of ways to identify traffic. " "if the value is 1 (e.g., 'Other'), then the specific " "type of filtering is specified in the " "OtherMatchConditionType property of this class."), ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10", "11", "12" }, Values {"Other", "Source Address andT. Howes, S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997. [COPS] Boyle, J.,Mask", "Destination Address andR. Cohen, D. Durham, S. Herzog, R. Rajan, A. Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, January 2000. Internet-Draft workMask", "Source Port", "Source Port Range", "Destination Port", "Destination Port Range", "Protocol Type", "Protocol Type and Option", "DSCP", "ToS Value", "802.1P Priority Value" }, ModelCorrespondence { "CIM_FilterEntry.OtherMatchConditionType" } ] uint16 MatchConditionType; [Description ( "If the value of the MatchConditionType property inprogress. [COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie, F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for Policy Provisioning", draft-ietf-rap-pr-02.txt, March 2000. Internet-Draft workthis " "class is 1 (e.g., 'Other'), then the specific type of " "filtering is specified inprogress. [SPSL] Condell, M., and C. Lynn, J. 
Zao, "Securitythis property."), ModelCorrespondence { "CIM_FilterEntry.MatchConditionType" } ] string OtherMatchConditionType; [Description ( "This is the value of the condition that filters the " "traffic. It corresponds to the condition specified in the " "MatchConditionType property. If, however, the value of the " "MatchConditionProperty is 1, then it corresponds to the " "condition specified in the OtherMatchConditionType " "property.") ] string MatchConditionValue; [Description ( Jason, et al Expires September 2001 [Page 109] Internet Draft IPsec Configuration PolicySpecification Language", draft-ietf-ipsp-spsl-00.txt,Model March2000. Internet-Draft work2001 "This defines whether the action should be to forward or " "deny traffic meeting the match condition specified inprogress. Jason" "this filter."), ValueMap { "1", "2" }, Values { "Permit", "Deny" } ] uint16 Action; [Description ( "This defines whether this FilterEntry is the default " "entry to use by its FilterList.") ] boolean DefaultFilter; [Description ( "This defines the traffic class that is being matched by " "this FilterEntry. Note that FilterEntries are aggregated " "into FilterLists by the EntriesInFilterList " "relationship. If the EntrySequence property of the " "aggregation is set to 0, this means that all the Filter" "Entries should be ANDed together. Consequently, the " "TrafficClass property of each of the aggregated Entries " "should be set to the same value."), ModelCorrespondence { "CIM_NextService.TrafficClass" } ] string TrafficClass; }; // ================================================================== // FilterList // ================================================================== [Description ( "A FilterList is used by network devices to identify routes " "by aggregating a set of FilterEntries into a unit, called a " "FilterList. FilterLists can also be used to accept or deny " "routing updates." 
"\n\n" "A FilterList is weak to the network device (e.g., the " "ComputerSystem) that contains it. Hence, the ComputerSystem " "keys are propagated to this class.") ] class CIM_FilterList : CIM_LogicalElement { [Propagated ("CIM_ComputerSystem.CreationClassName"), Key, MaxLen (256), Description ( "The scoping ComputerSystem's CreationClassName. ") ] string SystemCreationClassName; [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256), Description ("The scoping ComputerSystem's Name.") ] string SystemName; [Key, Description ( "The type of class that this instance is.") ] string CreationClassName; [Key, MaxLen(256), Description ( "This is the name of the FilterList.") ] string Name; Jason, et al ExpiresJanuarySeptember 2001 [Page49]110] Internet Draft IPsec Configuration Policy ModelJuly 2000 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119,March1997. 12. Disclaimer The views2001 [Description ( "This defines whether the FilterList is used " "for input, output, or both input andspecification hereinoutput " "filtering. All values arethose ofused with respect to " "the interface for which theauthors andFilterList applies. " "\n\n" "\"Not Applicable\" (0) is used when there is no " "direction applicable to the FilterList.\n" "\"Input\" (1) is used when the FilterList applies " "to packets that arenot necessarily thoseinbound on the related " "interface.\n" "\"Output\" (2) is used when the FilterList applies " "to packets that are outbound on the related " "interface.\n" "\"Both\" (3) is used to indicate that " "the direction is immaterial, e.g., to filter on " "a source subnet regardless oftheir employer. The authors and their employer specifically disclaim responsibility for any problems arising from correct or incorrect implementationwhether the flow is " "inbound oruse of this specification. 13. Author's Address Jamie Jason Intel Corporation MS JF3-206 2111 NE 25th Ave. 
Hillsboro, OR 97124 Phone: +1-503-264-9531 Fax: +1-503-264-9428 E-Mail: jamie.jason@intel.com 14. Full Copyright Statement Copyright (C) The Internet Society (1999). All Rights Reserved. This documentoutbound.\n" "\"Mirrored\" (4) is also applicable to " "both inbound andtranslationsoutbound flow processing, but " "indicates that the filter criteria are applied " "asymmetrically to traffic in both directions " "and, thus, specifies the reversal ofit maybe copiedsource andfurnished" "destination criteria (as opposed toothers, and derivative works that comment on or otherwise explain it or assistthe equality " "of these criteria as indicated by \"Both\"). " "The match conditions inits implementation may be prepared, copied, publishedthe aggregated " "FilterEntryBase subclass instances are defined " "from the perspective of outbound flows and applied " "to inbound flows as well by reversing the source " "and destination criteria. So, for example, " "consider a FilterList with 3 FilterEntries " "indicating destination port = 80, and source anddistributed, in whole or in part, without restriction" "destination addresses ofany kind, provided thata and b, respectively. " "Then, for theabove copyright noticeoutbound direction, the filter " "entries match as specified andthis paragraph are includedthe 'mirror' (for " "the inbound direction) matches onall such copiessource " "port = 80 andderivative works. 
However, this document itself may not be modified in any way, such as by removing the copyright notice or references tosource and destination addresses " "of b and a, respectively."), Values {"Not Applicable", "Input", "Output", "Both", "Mirrored" } ] uint16 Direction; }; // ================================================================== // === Association class definitions === // ================================================================== // ================================================================== // EntriesInFilterList // ================================================================== [Association, Aggregation, Description ( "This is a specialization of the CIM_Component aggregation " Jason, et al Expires September 2001 [Page 111] InternetSociety or other Internet organizations, except as needed forDraft IPsec Configuration Policy Model March 2001 "which is used to define a set of filter entries (subclasses " "of FilterEntryBase) that are aggregated by a particular " "FilterList.") ] class CIM_EntriesInFilterList : CIM_Component { [Aggregate, Max(1), Override ("GroupComponent"), Description ( "The FilterList, which aggregates thepurposeset " "of FilterEntries.") ] CIM_FilterList REF GroupComponent; [Override ("PartComponent"), Description ( "Any subclass ofdeveloping Internet standards inFilterEntryBase whichcaseis a part of " "the FilterList.") ] CIM_FilterEntryBase REF PartComponent; [Description ( "The order of theprocedures for copyrights definedEntry relative to all others in theInternet Standards process must be followed, or as required to translate it into languages other then English. The limited permissions granted above are perpetual and will not" "FilterList. A value of zero indicates that all the Entries " "should berevoked byANDed together. Use of theInternet Society or its successors or assigns. This document andSequence property " "should be consistent across theinformation contained hereinList. 
It isprovided on an "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Jasonnot valid to " "define some Entries as ANDed in the FilterList (Sequence" "=0) while other Entries have a non-zero Sequence number.") ] uint16 EntrySequence; }; Jason, et al ExpiresJanuarySeptember 2001 [Page50]112] ----
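   The following Python is an added example and is not part of this
   draft or of the DMTF MOF. It models CIM_FilterEntry, CIM_FilterList
   and the EntriesInFilterList aggregation just enough to evaluate a
   packet against a FilterList: it applies the Direction semantics
   (Input, Output, Both, and the source/destination reversal of
   Mirrored), honours IsNegated, and enforces the EntrySequence rule
   that 0 (all entries ANDed) may not be mixed with non-zero sequence
   numbers. Everything not in the MOF is an assumption of the example:
   the MatchConditionValue formats ('addr/prefix', 'N', 'lo-hi'), the
   collapse of the DefaultFilter entry into a single default_action,
   the assumption that ANDed entries share one Action, the Packet type,
   and the RFC 5737 documentation addresses standing in for a and b.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

# Enumerated values taken from the ValueMaps in the MOF above.
SRC_ADDR_MASK, DST_ADDR_MASK = 2, 3                            # MatchConditionType
SRC_PORT, SRC_PORT_RANGE, DST_PORT, DST_PORT_RANGE = 4, 5, 6, 7
PROTOCOL_TYPE, DSCP = 8, 10
PERMIT, DENY = 1, 2                                            # FilterEntry.Action
NOT_APPLICABLE, INPUT, OUTPUT, BOTH, MIRRORED = 0, 1, 2, 3, 4  # FilterList.Direction


@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple plus DSCP; stands in for a packet the device sees."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    dscp: int = 0


@dataclass
class FilterEntry:
    """CIM_FilterEntry plus the EntrySequence of its EntriesInFilterList link.
    MatchConditionValue is free-form in the MOF; assumed formats here are
    'addr/prefix' (address and mask), 'N' (port/protocol/DSCP), 'lo-hi' (range)."""
    match_type: int
    value: str
    action: int = PERMIT
    is_negated: bool = False     # CIM_FilterEntryBase.IsNegated
    entry_sequence: int = 0      # CIM_EntriesInFilterList.EntrySequence

    def matches(self, pkt: Packet) -> bool:
        t, v = self.match_type, self.value
        if t in (SRC_ADDR_MASK, DST_ADDR_MASK):
            addr = pkt.src if t == SRC_ADDR_MASK else pkt.dst
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(v, strict=False)
        elif t in (SRC_PORT, DST_PORT):
            hit = (pkt.sport if t == SRC_PORT else pkt.dport) == int(v)
        elif t in (SRC_PORT_RANGE, DST_PORT_RANGE):
            lo, hi = (int(x) for x in v.split("-"))
            hit = lo <= (pkt.sport if t == SRC_PORT_RANGE else pkt.dport) <= hi
        elif t == PROTOCOL_TYPE:
            hit = pkt.proto == int(v)
        elif t == DSCP:
            hit = pkt.dscp == int(v)
        else:
            raise ValueError(f"unsupported MatchConditionType {t}")
        return hit != self.is_negated  # IsNegated inverts the condition


@dataclass
class FilterList:
    """CIM_FilterList; default_action stands in for the entry flagged DefaultFilter."""
    entries: List[FilterEntry]
    direction: int = BOTH
    default_action: int = DENY

    def validate(self) -> List[str]:
        """EntrySequence rule: 0 (AND everything) must not be mixed with non-zero."""
        seqs = {e.entry_sequence for e in self.entries}
        if 0 in seqs and len(seqs) > 1:
            return ["EntrySequence 0 mixed with non-zero sequence numbers"]
        return []

    def evaluate(self, pkt: Packet, inbound: bool) -> Optional[int]:
        """PERMIT/DENY for pkt, or None when the list does not apply to that direction."""
        problems = self.validate()
        if problems:
            raise ValueError("; ".join(problems))
        if (self.direction == INPUT and not inbound) or (self.direction == OUTPUT and inbound):
            return None
        if self.direction == MIRRORED and inbound:
            # Conditions are written from the outbound perspective: reverse the endpoints.
            pkt = replace(pkt, src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)
        ordered = sorted(self.entries, key=lambda e: e.entry_sequence)
        if ordered and ordered[0].entry_sequence == 0:
            # All ANDed; the entries are assumed to share one Action (the first one's).
            return ordered[0].action if all(e.matches(pkt) for e in ordered) else self.default_action
        for e in ordered:  # otherwise the first matching entry in sequence order decides
            if e.matches(pkt):
                return e.action
        return self.default_action


# The draft's Mirrored example: destination port 80, source in a, destination b,
# with a and b constructed from the RFC 5737 documentation ranges.
A_NET, B_HOST = "192.0.2.0/24", "198.51.100.7/32"


def mirrored_web_list(direction: int = MIRRORED) -> FilterList:
    return FilterList([FilterEntry(DST_PORT, "80"),
                       FilterEntry(SRC_ADDR_MASK, A_NET),
                       FilterEntry(DST_ADDR_MASK, B_HOST)], direction=direction)
```

   mirrored_web_list() builds the draft's three-entry example. Under
   Mirrored, evaluate() permits both the outbound request to port 80
   and the inbound reply whose source port is 80, because the reply is
   matched with its source and destination reversed; the same list
   configured as Both denies that reply, since its destination port is
   the client's ephemeral port rather than 80. A list mixing
   EntrySequence 0 with non-zero sequence numbers is rejected by
   validate() before any packet is evaluated.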