view Side-By-Side changes

   Internet Engineering Task Force                          Jamie Jason 
   INTERNET DRAFT                                     Intel Corporation 
   1-March-2001 
   20-July-2001                                             Lee Rafalow 
                                                                    IBM 
                                                            Eric Vyncke 
                                                          Cisco Systems 
    
    
                     IPsec Configuration Policy Model 
                draft-ietf-ipsp-config-policy-model-02.txt 
                draft-ietf-ipsp-config-policy-model-03.txt 
    
    
Status of this Memo 
    
   This document is an Internet-Draft and is in full conformance with 
   all provisions of Section 10 of RFC2026. Internet-Drafts are working 
   documents of the Internet Engineering Task Force (IETF), its areas, 
   and its working groups. Note that other groups may also distribute 
   working documents as Internet-Drafts. 
    
   Internet-Drafts are draft documents valid for a maximum of six 
   months and may be updated, replaced, or obsoleted by other documents 
   at any time. It is inappropriate to use Internet-Drafts as reference 
   material or to cite them other than as "work in progress." 
    
   The list of current Internet-Drafts can be accessed at 
         http://www.ietf.org/ietf/1id-abstracts.txt 
    
   The list of Internet-Draft Shadow Directories can be accessed at 
         http://www.ietf.org/shadow.html. 
    
Abstract 
 
   This document presents an object-oriented model of IPsec policy 
   designed to: 
   o    facilitate agreement about the content and semantics of IPsec 
        policy 
   o    enable derivations of task-specific representations of IPsec 
        policy such as storage schema, distribution representations, 
        and policy specification languages used to configure IPsec-
        enabled endpoints 
   The schema described in this document models the IKE phase one 
   parameters as described in [IKE] and the IKE phase two parameters 
   for the IPsec Domain of Interpretation as described in [COMP, ESP, 
   AH, DOI].  It is based upon the core policy classes as defined in 
   the Policy Core Information Model (PCIM) [PCIM]. 









  
Jason, et al                                                  [Page 1] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
Table of Contents 
 
   Status of this Memo................................................1 
   Abstract...........................................................1 
   Table of Contents..................................................2 
   1. Introduction....................................................7 
   2. UML Conventions.................................................7 
   3. IPsec Policy Model Inheritance Hierarchy........................8 
   4. Policy Classes.................................................13 
   4.1. The Class IPsecPolicyGroup...................................14 
   4.2. The Class SARule.............................................14 SARule.............................................15 
   4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, 
   RuleUsage, Mandatory, SequencedActions, PolicyRoles, and 
   PolicyDecisionStrategy............................................15 
   4.2.2 The Property ExecutionStrategy.............................15 
   4.2.3  The Property LimitNegotiation..............................14 LimitNegotiation..............................17 
   4.3. The Class IKERule............................................15 IKERule............................................18 
   4.3.1. The Property IdentityContexts..............................15 IdentityContexts..............................18 
   4.4. The Class IPsecRule..........................................16 
   4.5. The Aggregation Class IPsecPolicyGroupInPolicyGroup..........16 
   4.5.1. The Reference GroupComponent...............................17 
   4.5.2. The Reference PartComponent................................17 
   4.5.3. The Property GroupPriority.................................17 IPsecRule..........................................19 
   4.6. The Association Class IPsecPolicyForEndpoint.................17 IPsecPolicyForEndpoint.................19 
   4.6.1. The Reference Antecedent...................................18 Antecedent...................................19 
   4.6.2. The Reference Dependent....................................18 Dependent....................................19 
   4.7. The Association Class IPsecPolicyForSystem...................18 IPsecPolicyForSystem...................20 
   4.7.1. The Reference Antecedent...................................18 Antecedent...................................20 
   4.7.2. The Reference Dependent....................................18 Dependent....................................20 
   4.8. The Aggregation Class RuleForIKENegotiation..................19 RuleForIKENegotiation..................20 
   4.8.1. The Reference GroupComponent...............................19 Property Priority......................................20 
   4.8.2. The Reference PartComponent................................19 GroupComponent...............................20 
   4.8.3. The Reference PartComponent................................21 
   4.9. The Aggregation Class RuleForIPsecNegotiation................19 RuleForIPsecNegotiation................21 
   4.9.1. The Reference GroupComponent...............................19 Property Priority......................................21 
   4.9.2. The Reference PartComponent................................20 GroupComponent...............................21 
   4.9.3. The Reference PartComponent................................21 
   4.10. The Aggregation Class SAConditionInRule.....................20 SAConditionInRule.....................21 
   4.10.1. The Reference GroupComponent..............................20 Properties GroupNumber and ConditionNegated...........22 
   4.10.2. The Reference PartComponent...............................20 GroupComponent..............................22 
   4.10.3. The Reference PartComponent...............................22 
   4.11. The Aggregation Class SAActionInRule........................20 PolicyActionInSARule..................22 
   4.11.1. The Reference GroupComponent..............................21 GroupComponent..............................22 
   4.11.2. The Reference PartComponent...............................21 PartComponent...............................23 
   4.11.3. The Property ActionOrder..................................21 ActionOrder..................................23 
   5. Condition and Filter Classes...................................22 Classes...................................24 
   5.1. The Class SACondition........................................22 SACondition........................................24 
   5.2. The Class FilterEntry........................................23 IPHeaderFilter.....................................25 
   5.3. The Class CredentialFilterEntry..............................23 CredentialFilterEntry..............................25 
   5.3.1. The Property MatchFieldName................................24 MatchFieldName................................25 
   5.3.2. The Property MatchFieldValue...............................24 MatchFieldValue...............................26 
   5.3.3. The Property CredentialType................................24 CredentialType................................26 
   5.4. The Class IPSOFilterEntry....................................24 IPSOFilterEntry....................................26 
   5.4.1. The Property MatchConditionType............................25 MatchConditionType............................27 
   5.4.2. The Property MatchConditionValue...........................25 MatchConditionValue...........................27 
   5.5. The Class PeerIDPayloadFilterEntry...........................25 PeerIDPayloadFilterEntry...........................27 
   5.5.1. The Property MatchIdentityType.............................26 
   5.5.2. The Property MatchIdentityValue............................26 
   5.6. The Association Class FilterOfSACondition....................27 
   5.6.1. The Reference Antecedent...................................27 MatchIdentityType.............................28 
  
Jason, et al           Expires September 2001 20-January-2002               [Page 2] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   5.5.2. The Property MatchIdentityValue............................28 
   5.6. The Association Class FilterOfSACondition....................29 
   5.6.1. The Reference Antecedent...................................29 
   5.6.2. The Reference Dependent....................................27 Dependent....................................29 
   5.7. The Association Class AcceptCredentialFrom...................27 AcceptCredentialFrom...................29 
   5.7.1. The Reference Antecedent...................................28 Antecedent...................................30 
   5.7.2. The Reference Dependent....................................28 Dependent....................................30 
   6. Action Classes.................................................29 Classes.................................................31 
   6.1. The Class SAAction...........................................30 SAAction...........................................32 
   6.1.1. The Property DoActionLogging...............................30 DoActionLogging...............................32 
   6.1.2. The Property DoPacketLogging...............................30 DoPacketLogging...............................32 
   6.2. The Class SAStaticAction.....................................31 SAStaticAction.....................................33 
   6.2.1. The Property LifetimeSeconds...............................31 LifetimeSeconds...............................33 
   6.3. The Class IPsecBypassAction..................................31 IPsecBypassAction..................................34 
   6.4. The Class IPsecDiscardAction.................................31 IPsecDiscardAction.................................34 
   6.5. The Class IKERejectAction....................................32 IKERejectAction....................................34 
   6.6. The Class PreconfiguredSAAction..............................32 PreconfiguredSAAction..............................34 
   6.6.1. The Property LifetimeKilobytes.............................33 LifetimeKilobytes.............................35 
   6.7. The Class PreconfiguredTransportAction.......................33 PreconfiguredTransportAction.......................35 
   6.8. The Class PreconfiguredTunnelAction..........................33 PreconfiguredTunnelAction..........................36 
   6.8.1. The Property PeerGatewayAddressType........................33 
   6.8.2. The Property PeerGatewayAddress............................34 
   6.8.3. The Property DFHandling....................................34 DFHandling....................................36 
   6.9. The Class SANegotiationAction................................34 SANegotiationAction................................36 
   6.9.1. The Property MinLifetimeSeconds............................35 MinLifetimeSeconds............................37 
   6.9.2. The Property MinLifetimeKilobytes..........................35 MinLifetimeKilobytes..........................37 
   6.9.3. The Property RefreshThresholdSeconds.......................35 RefreshThresholdSeconds.......................37 
   6.9.4. The Property RefreshThresholdKilobytes.....................36 RefreshThresholdKilobytes.....................38 
   6.9.5. The Property IdleDurationSeconds...........................36 IdleDurationSeconds...........................38 
   6.10. The Class IPsecAction.......................................36 IPsecAction.......................................38 
   6.10.1. The Property UsePFS.......................................37 UsePFS.......................................39 
   6.10.2. The Property UseIKEGroup..................................37 UseIKEGroup..................................39 
   6.10.3. The Property GroupId......................................37 GroupId......................................39 
   6.10.4. The Property Granularity..................................38 Granularity..................................40 
   6.10.5. The Property VendorID.....................................38 VendorID.....................................40 
   6.11. The Class IPsecTransportAction..............................38 IPsecTransportAction..............................40 
   6.12. The Class IPsecTunnelAction.................................38 IPsecTunnelAction.................................40 
   6.12.1. The Property DFHandling...................................39 DFHandling...................................41 
   6.13. The Class IKEAction.........................................39 IKEAction.........................................41 
   6.13.1. The Property RefreshThresholdDerivedKeys..................39 RefreshThresholdDerivedKeys..................41 
   6.13.2. The Property ExchangeMode.................................40 ExchangeMode.................................42 
   6.13.3. The Property UseIKEIdentityType...........................40 UseIKEIdentityType...........................42 
   6.13.4. The Property VendorID.....................................40 VendorID.....................................42 
   6.13.5. The Property AggressiveModeGroupId........................41 AggressiveModeGroupId........................42 
   6.14. The Class PeerGateway.......................................41 PeerGateway.......................................43 
   6.14.1. The Property Name.........................................41 Name.........................................43 
   6.14.2. The Property PeerIdentityType.............................41 PeerIdentityType.............................43 
   6.14.3. The Property PeerIdentity.................................42 PeerIdentity.................................44 
   6.15. The Association Class PeerGatewayForTunnel..................42 PeerGatewayForTunnel..................44 
   6.15.1. The Reference Antecedent..................................42 Antecedent..................................44 
   6.15.2. The Reference Dependent...................................43 Dependent...................................44 
   6.15.3. The Property SequenceNumber...............................43 SequenceNumber...............................45 
   6.16. The Aggregation Class ContainedProposal.....................43 ContainedProposal.....................45 
   6.16.1. The Reference GroupComponent..............................43 GroupComponent..............................45 
   6.16.2. The Reference PartComponent...............................44 
   6.16.3. The Property SequenceNumber...............................44 PartComponent...............................45 
  
Jason, et al           Expires September 2001 20-January-2002               [Page 3] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   6.16.3. The Property SequenceNumber...............................45 
   6.17. The Association Class HostedPeerGatewayInformation..........44 HostedPeerGatewayInformation..........46 
   6.17.1. The Reference Antecedent..................................44 Antecedent..................................46 
   6.17.2. The Reference Dependent...................................44 Dependent...................................46 
   6.18. The Association Class TransformOfPreconfiguredAction........44 TransformOfPreconfiguredAction........46 
   6.18.1. The Reference Antecedent..................................45 Antecedent..................................47 
   6.18.2. The Reference Dependent...................................45 Dependent...................................47 
   6.18.3. The Property SPI..........................................45 SPI..........................................47 
   6.18.4. The Property Direction....................................47 
   6.19 The Association Class PeerGatewayForPreconfiguredTunnel......47 
   6.19.1. The Reference Antecedent..................................48 
   6.19.2. The Reference Dependent...................................48 
   7. Proposal and Transform Classes.................................46 Classes.................................49 
   7.1. The Abstract Class SAProposal................................46 SAProposal................................49 
   7.1.1. The Property Name..........................................46 Name..........................................49 
   7.2. The Class IKEProposal........................................47 IKEProposal........................................50 
   7.2.1. The Property LifetimeDerivedKeys...........................47 LifetimeDerivedKeys...........................50 
   7.2.2. The Property CipherAlgorithm...............................47 CipherAlgorithm...............................50 
   7.2.3. The Property HashAlgorithm.................................48 HashAlgorithm.................................51 
   7.2.4. The Property PRFAlgorithm..................................48 PRFAlgorithm..................................51 
   7.2.5. The Property GroupId.......................................48 GroupId.......................................51 
   7.2.6. The Property AuthenticationMethod..........................48 AuthenticationMethod..........................51 
   7.2.7. The Property MaxLifetimeSeconds............................49 MaxLifetimeSeconds............................52 
   7.2.8. The Property MaxLifetimeKilobytes..........................49 MaxLifetimeKilobytes..........................52 
   7.2.9. The Property VendorID......................................49 VendorID......................................52 
   7.3. The Class IPsecProposal......................................49 IPsecProposal......................................52 
   7.4. The Abstract Class SATransform...............................50 SATransform...............................53 
   7.4.1. The Property TransformName.................................50 TransformName.................................53 
   7.4.2. The Property VendorID......................................50 VendorID......................................53 
   7.4.3. The Property MaxLifetimeSeconds............................50 MaxLifetimeSeconds............................53 
   7.4.4. The Property MaxLifetimeKilobytes..........................51 MaxLifetimeKilobytes..........................54 
   7.5. The Class AHTransform........................................51 AHTransform........................................54 
   7.5.1. The Property AHTransformId.................................51 AHTransformId.................................54 
   7.5.2. The Property UseReplayPrevention...........................51 UseReplayPrevention...........................54 
   7.5.3. The Property ReplayPreventionWindowSize....................52 ReplayPreventionWindowSize....................55 
   7.6. The Class ESPTransform.......................................52 ESPTransform.......................................55 
   7.6.1. The Property IntegrityTransformId..........................52 IntegrityTransformId..........................55 
   7.6.2. The Property CipherTransformId.............................52 CipherTransformId.............................55 
   7.6.3. The Property CipherKeyLength...............................53 CipherKeyLength...............................56 
   7.6.4. The Property CipherKeyRounds...............................53 CipherKeyRounds...............................56 
   7.6.5. The Property UseReplayPrevention...........................53 UseReplayPrevention...........................56 
   7.6.6. The Property ReplayPreventionWindowSize....................53 ReplayPreventionWindowSize....................56 
   7.7. The Class IPCOMPTransform....................................54 IPCOMPTransform....................................57 
   7.7.1. The Property Algorithm.....................................54 Algorithm.....................................57 
   7.7.2. The Property DictionarySize................................54 DictionarySize................................57 
   7.7.3. The Property PrivateAlgorithm..............................54 PrivateAlgorithm..............................57 
   7.8. The Association Class SAProposalInSystem.....................54 SAProposalInSystem.....................57 
   7.8.1. The Reference Antecedent...................................55 Antecedent...................................58 
   7.8.2. The Reference Dependent....................................55 Dependent....................................58 
   7.9. The Aggregation Class ContainedTransform.....................55 ContainedTransform.....................58 
   7.9.1. The Reference GroupComponent...............................55 GroupComponent...............................58 
   7.9.2. The Reference PartComponent................................56 PartComponent................................59 
   7.9.3. The Property SequenceNumber................................56 SequenceNumber................................59 
  
Jason, et al           Expires 20-January-2002               [Page 4] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   7.10. The Association Class SATransformInSystem...................56 SATransformInSystem...................59 
   7.10.1. The Reference Antecedent..................................56 Antecedent..................................59 
   7.10.2. The Reference Dependent...................................56 Dependent...................................59 
   8. IKE Service and Identity Classes...............................58 Classes...............................61 
   8.1. The Class IKEService.........................................59 
  
Jason, et al            Expires September 2001                [Page 4] 

Internet Draft     IPsec Configuration Policy Model         March 2001 IKEService.........................................62 
   8.2. The Class PeerIdentityTable..................................59 PeerIdentityTable..................................62 
   8.3.1. The Property Name..........................................59 Name..........................................62 
   8.3. The Class PeerIdentityEntry..................................60 PeerIdentityEntry..................................63 
   8.3.1. The Property PeerIdentity..................................60 PeerIdentity..................................63 
   8.3.2. The Property PeerIdentityType..............................60 PeerIdentityType..............................63 
   8.3.3. The Property PeerAddress...................................60 PeerAddress...................................63 
   8.3.4. The Property PeerAddressType...............................60 PeerAddressType...............................63 
   8.4. The Class AutostartIKEConfiguration..........................61 AutostartIKEConfiguration..........................64 
   8.5. The Class AutostartIKESetting................................61 AutostartIKESetting................................64 
   8.5.1. The Property Phase1Only....................................61 Phase1Only....................................64 
   8.5.2. The Property AddressType...................................62 AddressType...................................65 
   8.5.3. The Property SourceAddress.................................62 SourceAddress.................................65 
   8.5.4. The Property SourcePort....................................62 SourcePort....................................65 
   8.5.5. The Property DestinationAddress............................62 DestinationAddress............................65 
   8.5.6. The Property DestinationPort...............................63 DestinationPort...............................66 
   8.5.7. The Property Protocol......................................63 Protocol......................................66 
   8.6. The Class IKEIdentity........................................63 IKEIdentity........................................66 
   8.6.1. The Property IdentityType..................................64 IdentityType..................................67 
   8.6.2. The Property IdentityValue.................................64 IdentityValue.................................67 
   8.6.3. The Property IdentityContexts..............................64 IdentityContexts..............................67 
   8.7. The Association Class HostedPeerIdentityTable................65 HostedPeerIdentityTable................68 
   8.7.1. The Reference Antecedent...................................65 Antecedent...................................68 
   8.7.2. The Reference Dependent....................................65 Dependent....................................68 
   8.8. The Aggregation Class PeerIdentityMember.....................65 PeerIdentityMember.....................68 
   8.8.1. The Reference Collection...................................65 Collection...................................68 
   8.8.2. The Reference Member.......................................66 Member.......................................69 
   8.9. The Association Class IKEServicePeerGateway..................66 IKEServicePeerGateway..................69 
   8.9.1. The Reference Antecedent...................................66 Antecedent...................................69 
   8.9.2. The Reference Dependent....................................66 Dependent....................................69 
   8.10. The Association Class IKEServicePeerIdentityTable...........66 IKEServicePeerIdentityTable...........69 
   8.10.1. The Reference Antecedent..................................67 Antecedent..................................70 
   8.10.2. The Reference Dependent...................................67 Dependent...................................70 
   8.11. The Association Class IKEAutostartSetting...................67 IKEAutostartSetting...................70 
   8.11.1. The Reference Element.....................................67 Element.....................................70 
   8.11.2. The Reference Setting.....................................67 Setting.....................................70 
   8.12. The Aggregation Class AutostartIKESettingContext............67 AutostartIKESettingContext............70 
   8.12.1. The Reference Context.....................................68 Context.....................................71 
   8.12.2. The Reference Setting.....................................68 Setting.....................................71 
   8.12.3. The Property SequenceNumber...............................68 SequenceNumber...............................71 
   8.13. The Association Class IKEServiceForEndpoint.................68 IKEServiceForEndpoint.................71 
   8.13.1. The Reference Antecedent..................................69 Antecedent..................................72 
   8.13.2. The Reference Dependent...................................69 Dependent...................................72 
   8.14. The Association Class IKEAutostartConfiguration.............69 IKEAutostartConfiguration.............72 
   8.14.1. The Reference Antecedent..................................69 Antecedent..................................72 
   8.14.2. The Reference Dependent...................................69 Dependent...................................72 
   8.14.3. The Property Active.......................................69 Active.......................................72 
   8.15. The Association Class IKEUsesCredentialManagementService....70 IKEUsesCredentialManagementService....73 
   8.15.1. The Reference Antecedent..................................70 Antecedent..................................73 
  
Jason, et al           Expires 20-January-2002               [Page 5] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   8.15.2. The Reference Dependent...................................70 Dependent...................................73 
   8.16. The Association Class EndpointHasLocalIKEIdentity...........70 EndpointHasLocalIKEIdentity...........73 
   8.16.1. The Reference Antecedent..................................71 Antecedent..................................74 
   8.16.2. The Reference Dependent...................................71 Dependent...................................74 
   8.17. The Association Class CollectionHasLocalIKEIdentity.........71 
  
Jason, et al            Expires September 2001                [Page 5] 

Internet Draft     IPsec Configuration Policy Model         March 2001 CollectionHasLocalIKEIdentity.........74 
   8.17.1. The Reference Antecedent..................................71 Antecedent..................................74 
   8.17.2. The Reference Dependent...................................71 Dependent...................................74 
   8.18. The Association Class IKEIdentitysCredential................72 IKEIdentitysCredential................75 
   8.18.1. The Reference Antecedent..................................72 Antecedent..................................75 
   8.18.2. The Reference Dependent...................................72 Dependent...................................75 
   9. Security Considerations........................................72 Implementation Requirements....................................75 
   10. Intellectual Property.........................................72 Security Considerations.......................................79 
   11. Acknowledgments...............................................73 Intellectual Property.........................................80 
   12. References....................................................73 Acknowledgments...............................................80 
   13. Disclaimer....................................................74 References....................................................80 
   14. Authors' Addresses............................................74 Disclaimer....................................................81 
   15. Authors' Addresses............................................81 
   16. Full Copyright Statement......................................74 Statement......................................82 
   Appendix A (DMTF Core Model MOF)..................................75 MOF)..................................82 
   Appendix B (DMTF User Model MOF)..................................90 MOF)..................................97 
   Appendix C (DMTF Network Model MOF)..............................105 MOF)..............................112 
   Appendix D (DMTF Policy Model MOF)...............................121 































  
Jason, et al           Expires September 2001 20-January-2002               [Page 6] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
1. Introduction 
    
   Internet Protocol security (IPsec) policy may assume a variety of 
   forms as it travels from storage to distribution point to decision 
   point.  At each step, it needs to be represented in a way that is 
   convenient for the current task.  For example, the policy could 
   exist as, but is not limited to: 
    
   o   a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in 
       a directory 
   o   an on-the-wire representation over a transport protocol like the 
       Common Object Policy Service (COPS) [COPS, COPSPR] 
   o   a text-based policy specification language [SPSL] suitable for editing 
       by an administrator 
   o   an Extensible Markup Language (XML) document 
    
   Each of these task-specific representations should be derived from a 
   canonical representation that precisely specifies the content and 
   semantics of the IPsec policy.  The purpose of this document is to 
   abstract IPsec policy into a task-independent representation that is 
   not constrained by any particular task-dependent representation. 
    
   This document is organized as follows: 
    
   o   Section 2 provides a quick introduction to the Unified Modeling 
       Language (UML) graphical notation conventions used in this 
       document. 
    
   o   Section 3 provides the inheritance hierarchy that describes 
       where the IPsec policy classes fit into the policy class 
       hierarchy already defined by the Policy Core Information Model 
       (PCIM). 
    
   o   The remainder of the document   Sections 4 through 8 describes the classes class that make up the IPsec 
       policy model. 
    
   o   Section 9 presents the implementation requirements for the 
       classes in the model (i.e., the MUST/MAY/SHOULD status). 
    
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
   "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
   document are to be interpreted as described in [KEYWORDS]. 
    
2. UML Conventions 
    
   For this document, a UML static class diagram was chosen as the 
   canonical representation for the IPsec policy model.  The reason 
   behind this decision is that UML provides a graphical, task-
   independent way to model systems.  A treatise on the graphical 
   notation used in UML is beyond the scope of this paper.  However, 
   given the use of ASCII drawing for UML static class diagrams, a 
   description of the notational conventions used in this document is 
   in order: 
    
   o   Boxes represent classes, with class names in brackets ([]) 
       representing an abstract class. 
  
Jason, et al           Expires September 2001 20-January-2002               [Page 7] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    
   o   Boxes represent classes, with class names in brackets ([]) 
       representing an abstract class. 
   o   A line that terminates with an arrow (<, >, ^, v) denotes 
       inheritance.  The arrow always points to the parent class.  
       Inheritance can also be called generalization or specialization 
       (depending upon the reference point).  A base class is a 
       generalization of a derived class, and a derived class is a 
       specialization of a base class. 
   o   Associations are used to model a relationship between two 
       classes.  Classes that share an association are connected using 
       a line.  A special kind of association is also used:  an 
       aggregation.  An aggregation models a whole-part relationship 
       between two classes.  Associations, and therefore aggregations, 
       can also be modeled as classes. 
   o   A line that begins with an "o" denotes aggregation.  Aggregation 
       denotes containment in which the contained class and the 
       containing class have independent lifetimes. 
   o   Next to a line representing an association appears a 
       cardinality.  Cardinalities indicate the constraints on the 
       number of object instances in a set of relationships.  Every 
       association instance has a single set of references.  The 
       cardinality indicates the number of instances that may refer to 
       a given object instance.  The cardinality may be: 
       - a range in the form "lower bound..upper bound" indicating the 
       minimum and maximum number of objects.  
       - a number that indicates the exact number of objects. 
       - an asterisk indicating any number of objects, including zero.  
       Using an asterisk is shorthand for 0..n. 
       - the letter n indicating from 1 to many.  Using the letter n is 
       shorthand for 1..n. 
   o   A class that has an association may have a "w" next to the line 
       representing the association.  This is called a weak association 
       and is discussed in [PCIM]. 
 

   It should be noted that the UML static class diagram presented is a 
   conceptual view of IPsec policy designed to aid in understanding.  
   It does not necessarily get translated class for class into another 
   representation.  For example, an LDAP implementation may flatten out 
   the representation to fewer classes (because of the inefficiency of 
   following references). 
 
3. IPsec Policy Model Inheritance Hierarchy 
    
   Like PCIM from which it is derived, the IPsec Configuration Policy 
   Model derives from and uses classes defined in the DMTF Common 
   Information Model (CIM).  The following tree represents the 
   inheritance hierarchy for the IPsec policy model classes and how 
   they fit into PCIM and the other DMTF models (see Appendices for 
   descriptions of classes that are not being introduced as part of 
   IPsec model).  CIM classes that are not used as a superclass from 
   which to derive new classes but are only referenced are not included 


  
Jason, et al           Expires 20-January-2002               [Page 8] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   this inheritance hierarchy, but are included in the appropriate 
   appendix. 
    
   ManagedElement (DMTF Core Model - Appendix A) 

  
Jason, et al            Expires September 2001                [Page 8] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   |   
   +--Collection (DMTF Core Model - Appendix A) 
   |  | 
   |  +--PeerIdentityTable 
   | 
   +--ManagedSystemElement (DMTF Core Model - Appendix A) 
   |  |   
   |  +--LogicalElement (DMTF Core Model - Appendix A) 
   |     | 
   |     +--FilterEntryBase (DMTF Network Model - Appendix C) 
   |     |  | 
   |     |  +--CredentialFilterEntry 
   |     |  | 
   |     |  +--IPHeaderFilter (DMTF Network Model - Appendix C) 
   |     |  | 
   |     |  +--IPSOFilterEntry 
   |     |  | 
   |     |  +--PeerIDPayloadFilterEntry 
   |     | 
   |     +--PeerGateway 
   |     | 
   |     +--PeerIdentityEntry 
   |     | 
   |     +--Service (DMTF Core Model - Appendix A) 
   |        | 
   |        +--NetworkService (DMTF Network Model - Appendix C) 
   |           | 
   |           +--IKEService 
   | 
   +--OrganizationalEntity (DMTF User Model - Appendix B) 
   |  | 
   |  +--UserEntity (DMTF User Model - Appendix B) 
   |     | 
   |     +--UsersAccess (DMTF User Model - Appendix B) 
   |        | 
   |        +--IKEIdentity 
   | 
   +--Policy (PCIM) 
   |  | 
   |  +--PolicyAction (PCIM) 
   |  |  | 
   |  |  +--CompoundPolicyAction (DMTF Policy Model - Appendix D) 
   |  |  | 
   |  |  +--SAAction 
   |  |     | 
   |  |     +--SANegotiationAction 
   |  |     |  | 
   |  |     |  +--IKEAction 
   |  |     |  | 
  
Jason, et al           Expires 20-January-2002               [Page 9] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   |  |     |  +--IPsecAction 
   |  |     |     | 
   |  |     |     +--IPsecTransportAction 
   |  |     |     | 
   |  |     |     +--IPsecTunnelAction 
   |  |     | 
   |  |     +--SAStaticAction 
   |  |        | 
  
Jason, et al            Expires September 2001                [Page 9] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   |  |        +--IKERejectAction 
   |  |        | 
   |  |        +--IPsecBypassAction 
   |  |        | 
   |  |        +--IPsecDiscardAction 
   |  |        | 
   |  |        +--PreconfiguredSAAction 
   |  |           | 
   |  |           +--PreconfiguredTransportAction 
   |  |           | 
   |  |           +--PreconfiguredTunnelAction 
   |  | 
   |  +--PolicyCondition (PCIM) 
   |  |  | 
   |  |  +--SACondition 
   |  | 
   |  +--PolicySet (DMTF Policy Model - Appendix D) 
   |  |  | 
   |  |  +--PolicyGroup (PCIM) 
   |  |  |  | 
   |  |  |  +--IPsecPolicyGroup 
   |  |  | 
   |  |  +--PolicyRule (PCIM) 
   |  |     | 
   |  |     +--SARule 
   |  |        | 
   |  |        +--IKERule 
   |  |        | 
   |  |        +--IPsecRule 
   |  | 
   |  +--SAProposal 
   |  |  | 
   |  |  +--IKEProposal 
   |  |  | 
   |  |  +--IPsecProposal 
   |  | 
   |  +--SATransform 
   |     | 
   |     +--AHTransform 
   |     | 
   |     +--ESPTransform 
   |     | 
   |     +--IPCOMPTransform 
   | 
   +--Setting (DMTF Core Model - Appendix A) 
  
Jason, et al           Expires 20-January-2002              [Page 10] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   |  | 
   |  +--SystemSetting (DMTF Core Model - Appendix A) 
   |     | 
   |     +--AutostartIKESetting 
   | 
   +--SystemConfiguration (DMTF Core Model - Appendix A) 
      | 
      +--AutostartIKEConfiguration 
    

  
Jason, et al            Expires September 2001               [Page 10] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
    
   The following tree represents the inheritance hierarchy of the IPsec 
   policy model association classes and how they fit into PCIM and the 
   other DMTF models (see Appendices for description of associations 
   classes that are not being introduced as part of IPsec model). 
    
   Dependency (DMTF Core Model - Appendix A) 
   | 
   +--AcceptCredentialsFrom 
   | 
   +--ElementAsUser (DMTF User Model - Appendix B) 
   |  | 
   |  +--EndpointHasLocalIKEIdentity 
   |  | 
   |  +--CollectionHasLocalIKEIdentity 
   | 
   +--FilterOfSACondition 
   | 
   +--HostedPeerGatewayInformation 
   | 
   +--HostedPeerIdentityTable 
   | 
   +--IKEAutostartConfiguration 
   | 
   +--IKEServiceForEndpoint 
   | 
   +--IKEServicePeerGateway 
   | 
   +--IKEServicePeerIdentityTable 
   | 
   +--IKEUsesCredentialManagementService 
   | 
   +--IPsecPolicyForEndpoint 
   | 
   +--PeerGatewayForTunnel 
   | 
   +--PolicyInSystem (PCIM) 
   +--IPsecPolicyForSystem 
   | 
   +--PeerGatewayForPreconfiguredTunnel 
   | 
   +--PeerGatewayForTunnel 
   |  +--PolicyGroupInSystem 
   +--PolicyInSystem (PCIM) 
   |  | 
   |  +--SAProposalInSystem 
   |  | 
   |  +--SATransformInSystem 
   | 
   +--IPsecPolicyForSystem 
  
Jason, et al           Expires 20-January-2002              [Page 11] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   | 
   +--TransformOfPreconfiguredAction 
   | 
   +--UsersCredential (DMTF User Model - Appendix B) 
      | 
      +--IKEIdentitysCredential 
    
   ElementSetting (DMTF Core Model - Appendix A) 
   | 
  
Jason, et al            Expires September 2001               [Page 11] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   +--IKEAutostartSetting 
    
   MemberOfCollection (DMTF Core Model - Appendix A) 
   | 
   +--PeerIdentityMember 
    
   PolicyComponent (PCIM) 
   | 
   +--ContainedProposal 
   | 
   +--ContainedTransform 
   | 
   +--PolicyActionInPolicyRule (PCIM) 
   |  | 
   |  +--SAActionInRule  +--PolicyActionInSARule 
   | 
   +--PolicyConditionInPolicyRule (PCIM) 
   |  | 
   |  +--SAConditionInRule 
   | 
   +--PolicyGroupInPolicyGroup (PCIM) 
   |  | 
   |  +--IPsecPolicyGroupInPolicyGroup 
   | 
   +--PolicyRuleInPolicyGroup 
   +--PolicySetComponent (DMTF Policy Model - Appendix D) 
      | 
      +--RuleForIKENegotiation 
      | 
      +--RuleForIPsecNegotiation 
    
   SystemSettingContext (DMTF Core Model - Appendix A) 
   | 
   +--AutostartIKESettingContext 















  
Jason, et al           Expires September 2001 20-January-2002              [Page 12] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
4. Policy Classes 
    
   The IPsec policy classes represent the set of policies that are 
   contained on a system. 
    
                                  +--------------+ 
                                  |  PolicySet   |* 
                                  | (Appendix D) |o--+ 
                                  +--------------+   | 
                                        ^    *|      |(a) 
                                        |     +------+ 
                                        | 
     +--------------------+       +-------------+ 
     | IPProtocolEndpoint |       | PolicyGroup | 
     |    (Appendix C)    | 
                         +--------------------+       | *  ([PCIM])   | 
                        (a) 
     +--------------------+       +-------------+ 
              |*                        ^ 
              +-----------------+       | (b) 
                     +------+ 
                                |(b)    | 
                                |      |*       | 0..1 
                                |0..1   |   *+------------------+0..1 
                          +------------------+0..1 (c)  *+------------+ 
                     +---o| 
                          | IPsecPolicyGroup |-----------|   System   | 
                          +------------------+           |(Appendix A)| 
                            1 o          o 1             +------------+ 
                (d)           |          |         (e) 
      +-----------------------+          +---------------------+          +--------------------------+ 
      |                                                             | 
      |               +---------------------------+                 | 
      |               | PolicyTimePeriodCondition |                 | 
      |               |       (see [PCIM])         ([PCIM])          |                 | 
      |               +---------------------------+                 | 
      |                           *|                                | 
      |                            | (f)                            |(f)                             | 
      |                           *o                                | 
      |  +-------------+n     *+--------+*      n+----------+      n+--------------+   | 
      |  | SACondition |------o| SARule |o-------| SAAction PolicyAction |   | 
      |  +-------------+ (g)   +--------+    (h) +----------+ |   ([PCIM])   |   | 
      |                            ^             +--------------+   | 
      |                            |               *|        ^      | 
      |                            |                |(i)     |      | 
      |                            |               *o        |      | 
      |          +-----------------+       +----------------------+ | 
      |          |                 |       | CompoundPolicyAction | | 
      |          |                 |       |                   +--------+--------+     (Appendix D)     | | 
      |          |                 |       +----------------------+ | 
      |    *+---------+     +-----------+*                          | 
      +---------------| 
      +-----| IKERule |     | IPsecRule |------------+ |---------------------------+ 
            +---------+     +-----------+ 
    
   (a)  IPsecPolicyGroupInPolicyGroup  PolicySetComponent (Appendix D) 
   (b)  IPsecPolicyForEndpoint 
   (c)  IPsecPolicyForSystem 
  
Jason, et al           Expires 20-January-2002              [Page 13] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   (d)  RuleForIKENegotiation 
   (e)  RuleForIPsecNegotiation 
   (f)  PolicyRuleValidityPeriod (see [PCIM]) ([PCIM]) 
   (g)  SAConditionInRule 
   (h)  SAActionInRule  PolicyActionInSARule 
   (i)  PolicyActionInPolicyAction 
    
   An IPsecPolicyGroup represents the set of policies that are used on 
   an interface.   This IPsecPolicyGroup SHOULD be associated either 
   directly with the IPProtocolEndpoint class instance that represents 
   the interface (via the IPsecPolicyForEndpoint association) or 

  
Jason, et al            Expires September 2001               [Page 13] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   indirectly (via the IPsecPolicyForSystem association) associated 
   with the System that hosts the interface. 
    
4.1. The Class IPsecPolicyGroup 
    
   The class IPsecPolicyGroup serves as a container of either other 
   IPsecPolicyGroups or a set of IKERules IKE and a set of IPsecRules.  The 
   class definition IPsec rules are used to build or to negotiate the IPsec 
   SADB. The SADB itself is not modeled by this document. 
    
   The rules usage can be described as (see also section 6 about 
   actions): 
    
   o   an egress unprotected packet will first be checked against the 
       SADB. If no match is found, the IPsec rules will be checked. If 
       IKE negotiation is required by an IPsec rule, the corresponding 
       IKE rules will be used if no IKE SA already exists. The
       negotiated or preconfigured SA will then be installed in the 
       SADB. 
   o   An ingress unprotected packet will first be checked against the 
       IPsec SADB. If no match is found, the IPsec rules will be 
       checked for a preconfigured SA. If a preconfigured SA exists, 
       this SA will be installed in the IPsec SADB. 
   o   An ingress protected packet will be checked exactly as an 
       ingress unprotected packet. 
   o   An ingress IKE negotiation packet, which is not part of an 
       existing IKE SA, will be checked against the IKE rules. The 
       negotiated SA will then be installed in the SADB. 
    
4.1. The Class IPsecPolicyGroup 
    
   The class IPsecPolicyGroup serves as a container of either other 
   IPsecPolicyGroups or a set of IKERules and a set of IPsecRules.  The 
   class definition for IPsecPolicyGroup is as follows: 
    
   NAME         IPsecPolicyGroup 
   DESCRIPTION  Either a set of IPsecPolicyGroups or a set of IKERules 
                and a set of IPsecRules. 
   DERIVED FROM PolicyGroup (see [PCIM]) 
   ABSTRACT     FALSE 
   PROPERTIES   PolicyGroupName (from PolicyGroup) 
                PolicyDescisionStrategy (from PolicySet) 
                 
    
   NOTE:  for derivations of the schema that are used for policy 
   distribution to an IPsec device (for example, COPS-PR), the server 
  
Jason, et al           Expires 20-January-2002              [Page 14] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   may follow all of IPsecPolicyGroupInPolicyGroup PolicySetComponent associations and create one 
   policy group which is simply a set of all of the IKE rules and a set 
   of all of the IPsec rules.  See the section on the 
   IPsecPolicyGroupInPolicyGroup 
   PolicySetComponent aggregation for information on merging multiple 
   IPsecPolicyGroups. 
    
4.2. The Class SARule 
    
   The class SARule serves as a base class for IKERule and IPsecRule.  
   Even though the class is concrete, it MUST not be instantiated.  It 
   defines a common connection point for associations to conditions and 
   actions for both types of rules.  Through its derivation from 
   PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has 
   the PolicyRuleValidityPeriod association. 
    
   An SARule inherits the property Priority from PolicyRule.  Since 
   there is a need for an unambiguous ordering of rules in an IPsec 
   system, all 
    
   Each valid IpsecPolicyGroup MUST contain SARules contained within an IPsecPolicyGroup must that each have a 
   unique associated priority values. number in PolicySetComponent.Priority.  
   The class definition for SARule is as follows: 
    
   NAME         SARule 
   DESCRIPTION  A base class for IKERule and IPsecRule. 
   DERIVED FROM PolicyRule (see [PCIM]) 
   ABSTRACT     FALSE 
   PROPERTIES   PolicyRuleName (from PolicyRule) 
                Enabled (from PolicyRule) 
                ConditionListType (from PolicyRule) 
                RuleUsage (from PolicyRule) 
                Mandatory (from PolicyRule) 
                SequencedActions (from PolicyRule) 
                ExecutionStrategy (from PolicyRule) 
                PolicyRoles (from PolicyRule) 
                PolicyDecisionStrategy (from PolicySet) 
                LimitNegotiation 
                 
4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType, 
RuleUsage, Mandatory, SequencedActions, PolicyRoles, and 
PolicyDecisionStrategy 
    
   For a description of these properties, see Appendix D. 
    
   In SARule subclass instances: 
   - if the property Mandatory exists, it MUST be set to "true" 
   - if the property SequencedActions exists, it MUST be set to 
   "mandatory" 
   - the property PolicyRoles is not used in the device-level model 
   - if the property PolicyDecisionStrategy exists, it must be set to 
   "FirstMatching" 
    
4.2.2  The Property LimitNegotiation ExecutionStrategy 
    

  The ExecutionStrategy properties in the PolicyRule subclasses (and in 

  the CompoundPolicyAction class) determine the behavior of the 

  
Jason, et al           Expires September 2001 20-January-2002              [Page 14] 15] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   The property LimitNegotiation is 
 
 

  contained actions.  It defines the strategy to be used as part of processing either 
   an IKE in executing 

  the sequenced actions aggregated by a rule or an IPsec rule.  
    
   Before proceeding with a phase 1 negotiation, this property is 
   checked to determine if compound action. In 

  the negotiation role case of actions within a rule, the rule matches 
   that defined for the negotiation being undertaken (e.g., Initiator, 
   Responder, or Both). If this check fails (e.g. the current role PolicyActionInSARule 

  aggregation is 
   IKE responder while used to collect the rule specifies IKE initiator), then actions into an ordered set; in 

  the IKE 
   negotiation case of a compound action, the PolicyActionInPolicyAction 

  aggregation is stopped. Note that this only applies used to new IKE phase 
   1 negotiations and has no effect on either renegotiation or refresh 
   operations with peers for which collect the actions into an established SA already exists.  
    
   Before proceeding with a phase 2 negotiation, ordered subset. 

   

   There are three execution strategies: do until success, do all and 
   do until failure.   
    
   ôDo Until Successö causes the LimitNegotiation 
   property execution of actions according to the IPsecRule is first checked 
   ActionOrder property in the aggregation instances until a successful 
   execution of a single action.  These actions may be evaluated to 
   determine if the 
   negotiation role indicated for the rule matches that they are appropriate to execute rather than blindly 
   trying each of the current actions until one succeeds.  For an initiator, 
   they are tried in the ActionOrder until the list is exhausted or one 
   completes successfully.  For example, an IKE initiator may have 
   several IKEActions for the same SACondition. The initiator will try 
   all IKEActions in the order defined by ActionOrder.  I.e. it will 
   possibly try several phase 1 negotiations possibly with different 
   modes (main mode then aggressive mode) and/or with possibly multiple 
   IKE peers.  For a responder, when there is more than one action in 
   the rule with "do until success" condition clause this provides 
   alternative actions depending on the received proposals.  For 
   example, the same IKERule may be used to handle aggressive mode and 
   main mode negotiations with different actions.  The responder uses 
   the first appropriate action in the list of actions. 

   

  ôDo Allö causes the execution all of the actions in aggregated set 

  according to their defined order. The execution continues regardless 

  of failures.  

   

  ôDo Until Failureö causes the execution of all actions according to 

  predefined order until the first failure in execution of an action 

  instance.   

   

  For example, in a nested SAs case the actions of an initiatorÆs rule 

  might be structured as: 

   

  IPsecRule.ExecutionStrategy=ÆDo AllÆ 

  | 

  +---1--- IPsecTunnelAction   // set up SA from host to gateway 

  | 

  +---2--- IPsecTransportAction                                 // set up SA from host thru tunnel 

                                // to remote host 

   

  Another example, showing a rule with fallback actions might be 

  structured as: 

   

  
Jason, et al           Expires 20-January-2002              [Page 16] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 

  IPsecRule.ExecutionStrategy=ÆDo Until SuccessÆ 

  | 

  +---6--- IPsecTransportAction // negotiate SA with peer 

  | 

  +---9--- IPsecBypassAction   // but if you must, allow in the  

                                // clear 

   

  The CompoundPolicyAction class (See Appendix D) may be used in 

  constructing the actions of IKE and IPsec rules when those rules 

  specify both multiple actions and fallback actions.  The 

  ExecutionStrategy property in CompoundPolicyAction is used in 

  conjunction with that in the PolicyRule. 

   

  For example, in nesting SAs with a fallback security gateway, the 

  actions of a rule might be structured as: 

   

  IPsecRule.ExecutionStrategy=ÆDo AllÆ 

  | 

  +---1--- CompoundPolicyAction.ExecutionStrategy=ÆDo Until SuccessÆ 

  |        | 

  |        +---1--- IPsecTunnelAction  // set up SA from host to  

  |        |                           // gateway1 

  |        | 

  |        +---2--- IPsecTunnelAction  // or set up SA to gateway2 

  | 

  +---2--- IPsecTransportAction                                         // then set up SA from host 

                                        // thru tunnel to remote host 

                                         

4.2.3  The Property LimitNegotiation 
    
   The property LimitNegotiation is used as part of processing either 
   an IKE or an IPsec rule.  
    
   Before proceeding with a phase 1 negotiation, this property is 
   checked to determine if the negotiation role of the rule matches 
   that defined for the negotiation being undertaken (e.g., Initiator, 
   Responder, or Both). If this check fails (e.g. the current role is 
   IKE responder while the rule specifies IKE initiator), then the IKE 
   negotiation is stopped. Note that this only applies to new IKE phase 
   1 negotiations and has no effect on either renegotiation or refresh 
   operations with peers for which an established SA already exists.  
    
   Before proceeding with a phase 2 negotiation, the LimitNegotiation 
   property of the IPsecRule is first checked to determine if the 
   negotiation role indicated for the rule matches that of the current 
   negotiation (Initiator, Responder, or Either).  Note that this limit 
   applies only to new phase 2 negotiations.  It is ignored when an 
   attempt is made to refresh an expiring SA (either side can initiate 
   a refresh operation).  The IKE system can determine that the 

  
Jason, et al           Expires 20-January-2002              [Page 17] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   negotiation is a refresh operation by checking to see if the 
   selector information matches that of an existing SA. If 
   LimitNegotiation does not match and the selector corresponds to a 
   new SA, the negotiation is stopped. 
    
   The property is defined as follows: 
    
   NAME         LimitNegotiation 
   DESCRIPTION  Limits the role to be undertaken during negotiation. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        1 “ û initiator-only 
                2 “ û responder-only 
                3 - both 
    
4.3. The Class IKERule 
    
   The class IKERule associates Conditions and Actions for IKE phase 1 
   negotiations.  The class definition for IKERule is as follows: 
    
   NAME         IKERule 
   DESCRIPTION  Associates Conditions and Actions for IKE phase 1 
                negotiations. 
   DERIVED FROM SARule 
   ABSTRACT     FALSE 
   PROPERTIES   same as SARule, plus 
                IdentityContexts 
    
4.3.1. The Property IdentityContexts 
    
   The IKE service of a security endpoint may have multiple identities 
   for use in different situations.  The combination of the interface 
   (represented by the IPProtocolEndpoint), the identity type (as 
   specified in the IKEAction) and the IdentityContexts specifies a 
   unique identity. 
  
Jason, et al            Expires September 2001               [Page 15] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
    
   The IdentityContexts property specifies the context to select the 
   relevant IKE identity to be used during the further IKEAction.  A 
   context may be a VPN name or other identifier for selecting the 
   appropriate identity for use on the protected IPProtocolEndpoint. 
    
   IdentityContexts is an array of strings.  The multiple values in the 
   array are ORed together in evaluating the IdentityContexts.  Each 
   value in the array may be the composition of multiple context names.  
   So, a single value may be a single context name (e.g., 
   "CompanyXVPN") or it may be combination of contexts.  When an array 
   value is a composition, the individual values are ANDed together for 
   evaluation purposes and the syntax is: 
    
        <ContextName>[&&<ContextName>]*  
   
   where the individual context names appear in alphabetical order 
   (according to the collating sequence for UCS-2).  So, for example, 
   the values "CompanyXVPN", "CompanyYVPN&&TopSecret", 
  
Jason, et al           Expires 20-January-2002              [Page 18] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   "CompanyZVPN&&Confidential" means that, for the appropriate 
   IPProtocolEndpoint and IdentityType, the contexts are matched if the 
   identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or 
   "CompanyZVPN&&Confidential". 
    
   The property is defined as follows: 
    
   NAME         IdentityContexts 
   DESCRIPTION  Specifies the context in which to select the IKE 
                identity. 
   SYNTAX       string array 
    
4.4. The Class IPsecRule 
    
   The class IPsecRule associates Conditions and Actions for IKE phase 
   2 negotiations for the IPsec DOI.  The class definition for 
   IPsecRule is as follows: 
    
   NAME         IKERule         IPsecRule 
   DESCRIPTION  Associates Conditions and Actions for IKE phase 2 
                negotiations for the IPsec DOI. 
   DERIVED FROM SARule 
   ABSTRACT     FALSE 
   PROPERTIES   same as SARule 
    
4.5. 
    
4.6. The Aggregation Association Class IPsecPolicyGroupInPolicyGroup 
    
   The class IPsecPolicyGroupInPolicyGroup allows multiple IPsec 
   policies to be combined into one effective policy.  See [PCIM] for a 
   description of the how policies are merged (see also the property 
   GroupPriority).  The class definition for 
   IPsecPolicyGroupInPolicyGroup is as follows: 
    
   NAME         IPsecPolicyGroupInPolicyGroup 
  
Jason, et al            Expires September 2001               [Page 16] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   DESCRIPTION  Associates a nested IPsecPolicyGroup with the 
                IPsecPolicyGroup that contains it. 
   DERIVED FROM PolicyGroupInPolicyGroup (see [PCIM]) 
   ABSTRACT     FALSE 
   PROPERTIES   GroupComponent[ref IPsecPolicyGroup[0..n]] 
                PartComponent[ref IPsecPolicyGroup[0..n]] 
                GroupPriority 
    
4.5.1. The Reference GroupComponent 
    
   The property GroupComponent is inherited from 
   PolicyGroupInPolicyGroup and is overridden to refer to an 
   IPsecPolicyGroup instance.  The [0..n] cardinality indicates that a 
   given IPsecPolicyGroup instance may be a part of zero or more 
   containing IPsecPolicyGroup instances (i.e., there may be zero or 
   more GroupComponent references per PartComponent). 
    
4.5.2. The Reference PartComponent 
    
   The property PartComponent is inherited from 
   PolicyGroupInPolicyGroup and is overridden to refer to an 
   IPsecPolicyGroup instance.  The [0..n] cardinality indicates that a 
   given IPsecPolicyGroup instance may contain zero or more 
   IPsecPolicyGroup instances (i.e., there may be zero or more 
   PartComponent references per GroupComponent). 
    
4.5.3. The Property GroupPriority 
    
   Since policy groups, IPsecPolicyGroup, can contain both rules and 
   other policy groups, the relative priorities of the rules of the 
   contained groups are established by setting the GroupPriority 
   property of IPsecPolicyGroupInPolicyGroup as a unique rule priority 
   in the containing group.   
    
   The rules of the nested group are inserted in order at that position 
   (i.e. indicated by GroupPriority) in the containing group's rules 
    
   The property is defined as follows: 
    
   NAME         GroupPriority 
   DESCRIPTION  Specifies the rule priority to be set to all nested 
                rules. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Any value between 1 and 2^16-1 inclusive.  Lower values 
                have higher precedence (i.e., 1 is the highest 
                precedence).  The merging order of two ContainedGroups 
                with the same precedence is undefined. 
 
4.6. The Association Class IPsecPolicyForEndpoint IPsecPolicyForEndpoint 
    
   The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with 
   a specific network interface.  If an IPProtocolEndpoint of a system 
   does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, 
  
Jason, et al            Expires September 2001               [Page 17] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   then the IPsecPolicyForSystem associated IPsecPolicyGroup is used 
   for that endpoint.  The class definition for IPsecPolicyForEndpoint 
   is as follows: 
    
   NAME         IPsecPolicyForEndpoint 
   DESCRIPTION  Associates a policy group to a network interface. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent[ref IPProtocolEndpoint[0..n]] 
                Dependent[ref IPsecPolicyGroup[0..1]] 
    
4.6.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to an IPProtocolEndpoint instance.  The [0..n] 
   cardinality indicates that an IPsecPolicyGroup instance may be 
   associated with zero or more IPProtocolEndpoint instances. 
    
4.6.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to an IPsecPolicyGroup instance.  The [0..1] 

  
Jason, et al           Expires 20-January-2002              [Page 19] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   cardinality indicates that an IPProtocolEndpoint instance may have 
   an association to at most one IPsecPolicyGroup instance. 
    
4.7. The Association Class IPsecPolicyForSystem 
    
   The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a 
   specific system.  If an IPProtocolEndpoint of a system does not have 
   an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the 
   IPsecPolicyForSystem associated IPsecPolicyGroup is used for that 
   endpoint.  The class definition for IPsecPolicyForSystem is as 
   follows: 
    
   NAME         IPsecPolicyForSystem 
   DESCRIPTION  Default policy group for a system. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent[ref System[0..n]] 
                Dependent[ref IPsecPolicyGroup[0..1]] 
    
4.7.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to a System instance.  The [0..n] cardinality 
   indicates that an IPsecPolicyGroup instance may have an association 
   to zero or more System instances. 
    
4.7.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to an IPsecPolicyGroup instance.  The [0..1] 

  
Jason, et al            Expires September 2001               [Page 18] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   cardinality indicates that a System instance may have an association 
   to at most one IPsecPolicyGroup instance. 
    
4.8. The Aggregation Class RuleForIKENegotiation 
    
   The class RuleForIKENegotiation associates an IKERule with the 
   IPsecPolicyGroup that contains it.  The class definition for 
   RuleForIKENegotiation is as follows: 
 
   NAME         RuleForIKENegotiation 
   DESCRIPTION  Associates an IKERule with the IPsecPolicyGroup that 
                contains it. 
   DERIVED FROM PolicyRuleInPolicyGroup PolicySetComponent (see [PCIM]) Appendix D)
   ABSTRACT     FALSE 
   PROPERTIES   Priority (from PolicySetComponent) 
                GroupComponent [ref IPsecPolicyGroup [1..1]] 
                PartComponent [ref IKERule [0..n]] 
                 
4.8.1. The Property Priority 
 
   For a description of this property, see Appendix D. 
 
4.8.2. The Reference GroupComponent 
  
Jason, et al           Expires 20-January-2002              [Page 20] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    
   The property GroupComponent is inherited from 
   PolicyRuleInPolicyGroup and is overridden to refer to an 
   IPsecPolicyGroup instance.  The [1..1] cardinality indicates that an 
   IKERule instance may be contained in one and only one 
   IPsecPolicyGroup instance (i.e., IKERules are not shared across 
   IPsecPolicyGroups). 
    
4.8.2. 
    
4.8.3. The Reference PartComponent 
    
   The property PartComponent is inherited from PolicyRuleInPolicyGroup 
   and is overridden to refer to an IKERule instance.  The [0..n] 
   cardinality indicates that an IPsecPolicyGroup instance may contain 
   zero or more IKERule instances. 
    
4.9. The Aggregation Class RuleForIPsecNegotiation 
    
   The class RuleForIPsecNegotiation associates an IPsecRule with the 
   IPsecPolicyGroup that contains it.  The class definition for 
   RuleForIPsecNegotiation is as follows: 
 
   NAME         RuleForIPsecNegotiation 
   DESCRIPTION  Associates an IPsecRule with the IPsecPolicyGroup that 
                contains it. 
   DERIVED FROM PolicyRuleInPolicyGroup PolicySetComponent (see [PCIM]) Appendix D) 
   ABSTRACT     FALSE 
   PROPERTIES   Priority (from PolicySetComponent) 
                GroupComponent [ref IPsecPolicyGroup [1..1]] 
                PartComponent [ref IPsecRule [0..n]] 
 
4.9.1. The Property Priority 
 
   For a description of this property, see Appendix D. 
 
4.9.2. The Reference GroupComponent 
    
   The property GroupComponent is inherited from 
   PolicyRuleInPolicyGroup and is overridden to refer to an 
   IPsecPolicyGroup instance.  The [1..1] cardinality indicates that an 

  
Jason, et al            Expires September 2001               [Page 19] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   IPsecRule instance may be contained in only one IPsecPolicyGroup 
   instance (i.e., IPsecRules are not shared across IPsecPolicyGroups). 
    
4.9.2. 
    
4.9.3. The Reference PartComponent 
    
   The property PartComponent is inherited from PolicyRuleInPolicyGroup 
   and is overridden to refer to an IPsecRule instance.  The [0..n] 
   cardinality indicates that an IPsecPolicyGroup instance may contain 
   zero or more IPsecRules instance. 
    
4.10. The Aggregation Class SAConditionInRule 
    


  
Jason, et al           Expires 20-January-2002              [Page 21] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   The class SAConditionInRule associates an SARule with the 
   SACondition instance(s) that trigger(s) it.  See [PCIM] for the 
   usage for the properties GroupNumber and ConditionNegated.  The class definition 
   for SAConditionInRule is as follows: 
    
   NAME         SAConditionInRule 
   DESCRIPTION  Associates an SARule with the SACondition instance(s) 
                that trigger(s) it. 
   DERIVED FROM PolicyConditionInPolicyRule (see [PCIM]) 
   ABSTRACT     FALSE 
   PROPERTIES   GroupNumber (from PolicyConditionInPolicyRule) 
                ConditionNegated (from PolicyConditionInPolicyRule) 
                GroupComponent [ref SARule [0..n]] 
                PartComponent [ref SACondition [1..n]]  
                  
4.10.1. The Properties GroupNumber (from PolicyConditionInPolicyRule) and ConditionNegated (from PolicyConditionInPolicyRule) 
                  
4.10.1. 
    
   For a description of these properties, see [PCIM]. 
 
4.10.2. The Reference GroupComponent 
    
   The property GroupComponent is inherited from 
   PolicyConditionInPolicyRule and is overridden to refer to an SARule 
   instance.  The [0..n] cardinality indicates that an SACondition 
   instance may be contained in zero or more SARule instances. 
    
4.10.2. 
    
4.10.3. The Reference PartComponent 
    
   The property PartComponent is inherited from 
   PolicyConditionInPolicyRule and is overridden to refer to an 
   SACondition instance.  The [1..n] cardinality indicates that an 
   SARule instance MUST contain at least one SACondition instance. 
    
4.11. The Aggregation Class SAActionInRule PolicyActionInSARule 
    
   The SAActionInRule PolicyActionInSARule class associates an SARule with its primary 
   SAAction. one or more 
   PolicyAction instances.  In all cases where an SARule is being used, 
   the contained actions MUST be either subclasses of SAAction or 
   instances of CompoundPolicyAction.  For an IKERule, the contained 
   actions MUST be related to phase 1 processing, i.e., IKEAction or 
   IKERejectAction.  Similarly, for an IPsecRule, contained actions 
   MUST be related to phase 2 or preconfigured SA processing, e.g., 
   IPsecTransportAction, IPsecBypassAction, etc.  The class definition 
   for SAActionInRule PolicyActionInSARule is as follows: 
    
   NAME         SAActionInRule         PolicyActionInSARule 
   DESCRIPTION  Associates an SARule with its SAAction(s). PolicyAction(s). 
   DERIVED FROM PolicyActionInPolicyRule (see [PCIM]) 
   ABSTRACT     FALSE 
   PROPERTIES   GroupComponent [ref SARule [0..n]] 
                PartComponent [ref SAAction PolicyAction [1..n]] 
                ActionOrder (from PolicyActionInPolicyRule) 
                 
4.11.1. The Reference GroupComponent 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 20] 22] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    
4.11.1. The Reference GroupComponent 
 
 
    
   The property GroupComponent is inherited from 
   PolicyActionInPolicyRule and is overridden to refer to an SARule 
   instance.  The [0..n] cardinality indicates that an SAAction 
   instance may be contained in zero or more SARule instances. 
    
4.11.2. The Reference PartComponent 
    
   The property PartComponent is inherited from 
   PolicyActionInPolicyRule and is overridden to refer to an SAAction 
   or CompoundPolicyAction instance.  The [1..n] cardinality indicates 
   that an SARule instance MUST contain at least one SAAction or 
   CompoundPolicyAction instance. 
    
4.11.3. The Property ActionOrder 
    
   The property ActionOrder is inherited from the superclass 
   PolicyActionInPolicyRule.  It specifies the relative position of 
   this 
   SAAction PolicyAction in the sequence of actions associated with a 
   PolicyRule.  The ActionOrder MUST be unique so as to provide a 
   deterministic order.  In addition, the actions in an SARule are 
   executed as follows. 
    
   For an initiator, if there is more than one action in the rule, the 
   additional actions are 'backup' actions in the event that the first 
   action is not able to be completed successfully.  They are tried in 
   the ActionOrder until the list is exhausted or one completes 
   successfully.  For example, an IKE initiator may have several 
   IKEActions  See section 4.2.2 ExecutionStrategy for the same SACondition. The initiator will try all 
   IKEActions in the order defined by ActionOrder.  I.e. it will 
   possibly try several phases 1 possibly with different modes (main 
   mode then aggressive mode) and/or with possibly multiple IKE peers. 
    
   For a responder, there can be more than one action in the rule, this 
   provides alternative actions depending 
   discussion on the received proposals.  
   For example, the same IKERule may be used to handle aggressive mode 
   and main mode negotiations with different actions.  The first 
   appropriate action in the list use of actions is used by the responder. ActionOrder property. 
    
   The property is defined as follows: 
    
   [Need an explanation of what the action order means as it replaces 
   the fallback association] 
    
   NAME         ActionOrder 
   DESCRIPTION  Specifies the order of actions. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Any value between 1 and 2^16-1 inclusive.  Lower values 
                have higher precedence (i.e., 1 is the highest 
                precedence).  The merging order of two SAActions with 
                the same precedence is undefined. 




















  
Jason, et al           Expires September 2001 20-January-2002              [Page 21] 23] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
5. Condition and Filter Classes 
    
   The IPsec condition and filter classes are used to build the "if" 
   part of the IKE and IPsec rules. 
    
                             *+-------------+ 
         +--------------------| SACondition | 
         |                    +-------------+ 
         |                         * | 
         |                           |(a) 
         |                         1 | 
         |                    +--------------+ 
         |                    |  FilterList  | 
         |                    | (Appendix C) | 
         |                    +--------------+ 
         |                         1 o 
         |(b)                        |(c) 
         |                         * | 
         |                   +-----------------+ 
         |                   | FilterEntryBase | 
         |                   |  (Appendix C)   | 
         |                   +-----------------+ 
         |                           ^ 
         |                           | 
         |       +--------------+     +----------------+    |    +-----------------------+ 
         |     | FilterEntry IPHeaderFilter |----+----| CredentialFilterEntry | 
         |     |  (Appendix C)  |    |    +-----------------------+ 
         |       +--------------+     +----------------+    | 
         |                           | 
         |    +-----------------+    |    +--------------------------+ 
         |    | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry | 
         |    +-----------------+         +--------------------------+ 
         | 
         |           *+-----------------------------+ 
         +------------| CredentialManagementService | 
                      |         (Appendix B)        | 
                      +-----------------------------+ 
    
    
   (a)  FilterOfSACondition 
   (b)  AcceptCredentialsFrom 
   (c)  EntriesInFilterList (see Appendix C) 
    
5.1. The Class SACondition 
    
   The class SACondition defines the conditions of rules for IKE and 
   IPsec negotiations.  Conditions are associated with policy rules via 
   the SAConditionInRule aggregation. It is used as an anchor point to 
   associate various types of filters with policy rules via the 
   FilterOfSACondition association. It also defines whether Credentials 
   can be accepted for a particular policy rule via the 
   AcceptCredentialsFrom association. 
    
  
Jason, et al           Expires September 2001 20-January-2002              [Page 22] 24] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   Associated objects represent components of the condition that may or 
   may not apply at a given rule evaluation.  For example, an 
   AcceptCredentialsFrom evaluation is only performed when a credential 
   is available to be evaluated against the list of trusted credential 
   management services.  Similarly, a PeerIDPayloadFilterEntry may only 
   be evaluated when an IDPayload value is available to compared with 
   the filter.  Condition components that do not have corresponding 
   values with which to evaluate are evaluated as TRUE unless the 
   protocol has completed without providing the required information. 
    
   The class definition for SACondition is as follows: 
    
   NAME         SACondition 
   DESCRIPTION  Defines the preconditions for IKE and IPsec 
                negotiations. 
   DERIVED FROM PolicyCondition (see [PCIM]) 
   ABSTRACT     FALSE 
   PROPERTIES   PolicyConditionName (from PolicyCondition) 
                  
5.2. The Class FilterEntry IPHeaderFilter 
    
   The class FilterEntry IPHeaderFilter is defined in appendix C with the following 
   notes: 
   note: 
    
   1) since actions in the IPsec Policy Model are not part of the 
      condition side of the rule, the Action property of each 
      FilterEntry is ignored and should be set to "FilterOnly".   
 
   2) to specify 5-tuple filters that are to apply symmetrically (i.e., 
      matches traffic in both directions of the same flow between the 
      two peers), the Direction property of the FilterList should be 
      set to "Mirrored". 
 
5.3. The Class CredentialFilterEntry 
    
   The class CredentialFilterEntry defines an equivalence class that 
   match credentials of IKE peers. Each CredentialFilterEntry includes 
   a MatchFieldName that is interpreted according to the 
   CredentialManagementService(s) associated with the SACondition 
   (AcceptCredentialsFrom).  
    
   These credentials can be X.509 certificates, Kerberos tickets, or 
   other types of credentials obtained during the Phase 1 exchange.  
    
   The class definition for CredentialFilterEntry is as follows: 
    
   NAME         CredentialFilterEntry 
   DESCRIPTION  Specifies a match filter based on the IKE credentials. 
   DERIVED FROM FilterEntryBase (see Appendix C) 
   ABSTRACT     FALSE 
   PROPERTIES   Name (from FilterEntryBase) 
                IsNegated (from FilterEntryBase) 
                MatchFieldName 
                MatchFieldValue 
                CredentialType 
    
5.3.1. The Property MatchFieldName 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 23] 25] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
                MatchFieldValue 
                CredentialType 
    
5.3.1. The Property MatchFieldName 
 
 
    
   The property MatchFieldName specifies the sub-part of the credential 
   to match against MatchFieldValue.  The property is defined as 
   follows: 
    
   NAME         MatchFieldName 
   DESCRIPTION  Specifies which sub-part of the credential to match. 
   SYNTAX       string 
   VALUE         
 
5.3.2. The Property MatchFieldValue 
    
   The property MatchFieldValue specifies the value to compare with the 
   MatchFieldName in a credential to determine if the credential 
   matches this filter entry.  The property is defined as follows: 
    
   NAME         MatchFieldValue 
   DESCRIPTION  Specifies the value to be matched by the 
                MatchFieldName. 
   SYNTAX       string 
   VALUE        NB: If the CredentialFilterEntry corresponds to a 
                DistinguishedName, this value in the CIM class is 
                represented by an ordinary string value.  However, an 
                implementation must convert this string to a DER-
                encoded string before matching against the values 
                extracted from credentials at runtime. 
    
5.3.3. The Property CredentialType 
    
   The property CredentialType specifies the particular type of 
   credential that is being matched.  The property is defined as 
   follows: 
    
   NAME         CredentialType 
   DESCRIPTION  Defines the type of IKE credentials. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        1 - û X.509 Certificate 
                2 - û Kerberos Ticket 
 
5.4. The Class IPSOFilterEntry 
    
   The class IPSOFilterEntry is used to match traffic based on the IP 
   Security Options header values (ClassificationLevel and 
   ProtectionAuthority) as defined in RFC1108. This type of FilterEntry filter 
   entry is used to adjust the IPsec encryption level according to the 
   IPSO classification of the traffic (e.g., secret, confidential, 
   restricted, etc.  The class definition for IPSOFilterEntry is as 
   follows: 
    
  
Jason, et al            Expires September 2001               [Page 24] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
    
   NAME         IPSOFilterEntry 
   DESCRIPTION  Specifies the a match filter based on IP Security 
                Options. 
   DERIVED FROM FilterEntryBase (see Appendix C) 
  
Jason, et al           Expires 20-January-2002              [Page 26] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   ABSTRACT     FALSE 
   PROPERTIES   Name (from FilterEntryBase) 
                IsNegated (from FilterEntryBase) 
                MatchConditionType 
                MatchConditionValue 
    
5.4.1. The Property MatchConditionType 
    
   The property MatchConditionType specifies the IPSO header field that 
   will be matched (e.g., traffic classification level or protection 
   authority).  The property is defined as follows: 
    
   NAME         MatchConditionType 
   DESCRIPTION  Specifies the IPSO header field to be matched. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        1 - û ClassificationLevel 
                2 - û ProtectionAuthority 
 
5.4.2. The Property MatchConditionValue 
    
   The property MatchConditionValue specifies the value of the IPSO 
   header field to be matched against.  The property is defined as 
   follows: 
    
   NAME         MatchConditionValue 
   DESCRIPTION  Specifies the value of the IPSO header field to be 
                matched against. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        For ClassificationLevel, the values are: 
                61 - û TopSecret 
                90 - û Secret 
                150 - û Confidential 
                171 - û Unclassified 
                For ProtectionAuthority, the values are: 
                0 - û GENSER 
                1 - SIOP-ESI 
                2 - û SCI 
                3 - û NSA 
                4 - DOE 
    
5.5. The Class PeerIDPayloadFilterEntry 
    
   The class PeerIDPayloadFilterEntry defines filters used to match ID 
   payload values from the IKE protocol exchange.   
   PeerIDPayloadFilterEntry permits the specification of certain ID 
   payload values such as "*@company.com" or "193.190.125.0/24".   
    
   Obviously this filter applies only to IKERules when acting as a 
   responder.  Moreover, this filter can be applied immediately in the 
  
Jason, et al            Expires September 2001               [Page 25] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   case of aggressive mode but its application is to be delayed in the 
   case of main mode.  The class definition for 
   PeerIDPayloadFilterEntry is as follows: 
    
  
Jason, et al           Expires 20-January-2002              [Page 27] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   NAME         PeerIDPayloadFilterEntry 
   DESCRIPTION  Specifies a match filter based on IKE identity. 
   DERIVED FROM FilterEntryBase (see Appendix C) 
   ABSTRACT     FALSE 
   PROPERTIES   Name (from FilterEntryBase) 
                IsNegated (from FilterEntryBase) 
                MatchIdentityType 
                MatchIdentityValue 
    
5.5.1. The Property MatchIdentityType 
    
   The property MatchIdentityType specifies the type of identity 
   provided by the peer in the ID payload."   The property is defined 
   as follows: 
    
   NAME         MatchIdentityType 
   DESCRIPTION  Specifies the ID payload type. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        1 - IPv4 Address 
                2 - FQDN 
                3 - User FQDN 
                4 - IPv4 Subnet 
                5 - IPv6 Address 
                6 - IPv6 Subnet 
                7 - IPv4 Address Range 
                8 - IPv6 Address Range 
                9 - DER-Encoded ASN.1 X.500 Distinguished Name 
                10 - DER-Encoded ASN.1 X.500 GeneralName 
                11 - Key ID 
 
5.5.2. The Property MatchIdentityValue 
    
   The property MatchIdentityValue specifies the filter value for 
   comparison with the ID payload, e.g., "*@company.com"  The property 
   is defined as follows: 
    
   NAME         MatchIdentityValue 
   DESCRIPTION  Specifies the ID payload value. 
   SYNTAX       string 
   VALUE        NB: The syntax may need to be converted for comparison. 
                If the PeerIDPayloadFilterEntry type is a 
                DistinguishedName, the name in the MatchIdentityValue 
                property is represented by an ordinary string value, 
                but this value must be converted into a DER-encoded 
                string before matching against the values extracted 
                from IKE ID payloads at runtime.  The same applies to 
                IPv4 & IPv6 addresses. 
                 
                Wildcards can be used as well as the prefix notation 
  
Jason, et al            Expires September 2001               [Page 26] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
                for IPv4 addresses: 
                - a MatchIdentityValue of "*@company.com" will match an 
                ID payload of "JDOE@COMPANY.COM" 

  
Jason, et al           Expires 20-January-2002              [Page 28] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
                - a MatchIdentityValue of "193.190.125.0/24" will match 
                an ID payload of 193.190.125.10. 
    
5.6. The Association Class FilterOfSACondition 
    
   The class FilterOfSACondition associates an SACondition with the 
   filter specifications (FilterList) that make up the condition.  The 
   class definition for FilterOfSACondition is as follows: 
    
   NAME         FilterOfSACondition 
   DESCRIPTION  Associates a condition with the filter list that make 
                up the individual condition elements. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref FilterList[1..1]] 
                Dependent [ref SACondition[0..n]] 
    
5.6.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to a FilterList instance.  The [1..1] 
   cardinality indicates that an SACondition instance MUST be 
   associated with one and only one FilterList instance. 
    
5.6.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to an SACondition instance.  The [0..n] 
   cardinality indicates that a FilterList instance may be associated 
   with zero or more SAConditions instance. 
 
5.7. The Association Class AcceptCredentialFrom 
    
   The class AcceptCredentialFrom specifies which credential management 
   services (e.g., a CertificateAuthority or a Kerberos service) are to 
   be trusted to certify peer credentials.  This is used to validate 
   that the credential being matched in the CredentialFilterEntry is a 
   valid credential that has been supplied by an approved 
   CredentialManagementService.  If a CredentialManagementService is 
   specified and a corresponding CredentialFilterEntry is used, but the 
   credential supplied by the peer is not certified by that 
   CredentialManagementService (or one of the 
   CredentialManagementServices in its trust hierarchy), the 
   CredentialFilterEntry is deemed not to match.  If a credential is 
   certified by a CredentialManagementService in the 
   AcceptCredentialsFrom list of services but there is no 
   CredentialFilterEntry, this is considered equivalent to a 
   CredentialFilterEntry that matches all credentials from those 
   services. 
    
   The class definition for AcceptCredentialFrom is as follows: 
    
   NAME         AcceptCredentialFrom 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 27] 29] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   The class definition for AcceptCredentialFrom is as follows: 
    
   NAME         AcceptCredentialFrom 
 
 
   DESCRIPTION  Associates a condition with the credential management 
                services to be trusted. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref CredentialManagementService[0..n]] 
                Dependent [ref SACondition[0..n]] 
    
5.7.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to a CredentialManagementService instance.  The 
   [0..n] cardinality indicates that an SACondition instance may be 
   associated with zero or more CredentialManagementServices instance. 
    
5.7.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to an SACondition instance.  The [0..n] 
   cardinality indicates that a CredentialManagementService instance 
   may be associated with zero or more SAConditions instance. 
    
































  
Jason, et al           Expires September 2001 20-January-2002              [Page 28] 30] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
6. Action Classes 
    
   The action classes are used to model the different actions an IPsec 
   device may take when the evaluation of the associated condition 
   results in a match. 
    
                                +----------+ 
                                | SAAction | 
                                +----------+ 
                                     ^ 
                                     | 
                         +-----------+--------------+ 
                         |                          | 
                *+----------------+      +---------------------+* 
                 | SAStaticAction |      | SANegotiationAction |o-----+               
                 +----------------+      +---------------------+      | 
                               ^                     ^                | 
                               |                     |                | 
                               |         +-----------+-------+        | 
                               |         |                   |        | 
       +-------------------+   |   +-------------+     +-----------+  | 
       | IPsecBypassAction |---+   | IPsecAction |     | IKEAction |  | 
       +-------------------+   |   +-------------+     +-----------+  | 
                               |       ^                              | 
      +--------------------+   |       |    +----------------------+  | 
      | IPsecDiscardAction |---+       +----| IPsecTransportAction |  | 
      +--------------------+   |       |    +----------------------+  | 
                               |       |                              | 
         +-----------------+   |       |    +-------------------+     | 
         | IKERejectAction |---+       +----| IPsecTunnelAction |     | 
         +-----------------+   |            +-------------------+     | 
                               |                     *|               | 
                               |       +--------------+               | 
                               |       |                              | 
   +-----------------------+   |       |       +--------------+n      | 
   | PreconfiguredSAAction |---+       |(a)    | [SAProposal] |-------+ 
   +-----------------------+           |       +--------------+   (b) 
      *|    ^                          | 
       |    |                          |      *+-------------+ 
              +---------------------+ 
       |    |                          +-------| PeerGateway | 
       |    |                                  +-------------+ 
   +-----------------------------+ 
       |    |  +-----------------------------+   |0..1  *w| 
       | PreconfiguredTransportAction|--+    +--| PreconfiguredTransportAction|   |        |(c) 
       |    |  +-----------------------------+   |       1| 
       |    |                                    |  +--------------+ 
   +-----------------------------+ 
       |    |  +---------------------------+ *   |  |    System    | 
       | PreconfiguredTransportAction|--+    +--| PreconfiguredTunnelAction |-----+  | (Appendix A) | 
   +-----------------------------+ 
       |       +---------------------------+  (e)   +--------------+ 
               *| 
       |   1..3+---------------+ 
       |   2..6+---------------+ 
       +-------| [SATransform] | 
         (d)   +---------------+ 
    
  
Jason, et al           Expires September 2001 20-January-2002              [Page 29] 31] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   (a)  PeerGatewayForTunnel 
   (b)  ContainedProposal 
   (c)  HostedPeerGatewayInformation 
   (d)  TransformOfPreconfiguredAction 
   (e)  PeerGatewayForPreconfiguredTunnel 
    
6.1. The Class SAAction 
    
   The class SAAction serves as the base class for IKE and IPsec 
   actions.  Although the class is concrete, it MUST not be 
   instantiated.  It is used for aggregating different types of actions 
   to IKE and IPsec rules.  The class definition for SAAction is as 
   follows: 
    
   NAME         SAAction 
   DESCRIPTION  The base class for IKE and IPsec actions. 
   DERIVED FROM PolicyAction (see [PCIM]) 
   ABSTRACT     FALSE 
   PROPERTIES   PolicyActionName (from PolicyAction) 
                DoActionLogging 
                DoPacketLogging 
                 
6.1.1. The Property DoActionLogging 
    
   The property DoActionLogging specifies whether a log message is to 
   be generated when the action is performed (even if performed.  This applies for 
   SANegotiationActions with the action 
   fails). meaning of logging a message when the 
   negotiation is attempted (with the success or failure result). This 
   also applies for SAStaticAction only for PreconfiguredSAAction with 
   the meaning of logging a message when the preconfigured SA is 
   actually installed in the SADB. The property is defined as follows: 
    
   NAME         DoActionLogging 
   DESCRIPTION  Specifies the whether to log when the action is 
                performed. 
   SYNTAX       boolean 
   VALUE        true - a log message is to be generated when action is 
                performed. 
                false - no log message is to be generated when action 
                is performed. 
 
6.1.2. The Property DoPacketLogging 
    
   The property DoPacketLogging specifies whether a log message is to 
   be generated when the resulting security association is used to 
   process the packet.  If the action SANegotiationAction successfully 
   executes and results in the creation of one or several security associations, 
   associations or if the PreconfiguredSAAction executes, the value of 
   DoPacketLogging SHOULD be propagated to an optional field of SADB.  
   This optional field should be used to decide whether a log message 
   is to be generated when the SA is used to process a packet.  For 
   SAStaticActions, a log message is to be generated when the 

  
Jason, et al           Expires 20-January-2002              [Page 32] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   IPsecBypassAction, IPsecDiscardAction, IKERejectAction are executed. 
   The property is defined as follows: 
    
    
   NAME         DoPacketLogging 
   DESCRIPTION  Specifies the whether to log when the resulting 
                security association is used to process the packet. 
   SYNTAX       boolean 

  
Jason, et al            Expires September 2001               [Page 30] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   VALUE        true - a log message is to be generated when the 
                resulting security association is used to process the 
                packet. 
                false - no log message is to be generated. 
 
6.2. The Class SAStaticAction 
    
   The class SAStaticAction serves as the base class for IKE and IPsec 
   actions that do not require any negotiation.  Although the class is 
   concrete, it MUST not be instantiated.  The class definition for 
   SAStaticAction is as follows: 
    
   NAME         SAStaticAction 
   DESCRIPTION  The base class for IKE and IPsec actions that do not 
                require any negotiation. 
   DERIVED FROM SAAction 
   ABSTRACT     FALSE 
   PROPERTIES   LifetimeSeconds 
     
6.2.1. The Property LifetimeSeconds 
    
   The property LifetimeSeconds specifies how long the security 
   association derived from this action should be used.  The property 
   is defined as follows: 
    
   NAME         LifetimeSeconds 
   DESCRIPTION  Specifies the amount of time (in seconds) that a 
                security association derived from this action should be 
                used. 
   SYNTAX       unsigned 32-bit integer 
   VALUE        A value of zero indicates that there is not a lifetime 
                associated with this action (i.e., infinite lifetime).  
                A non-zero value is typically used in conjunction with 
                alternate SAActions performed when there is a 
                negotiation failure of some sort. 
    
6.3. The Class IPsecBypassAction 
    
   The class IPsecBypassAction 
    
   Note: if the referenced SAStaticAction object is used when packets are allowed to be 
   processed without applying IPsec encapsulation a 
   PreconfiguredSAAction associated to them.  This is several SATransforms, then the 
   same as stating that packets are allowed to flow in 
   actual lifetime of the clear. preconfigured SA will be the smallest of the 
   value of this LifetimeSeconds property and of the value of the 
   MaxLifetimeSeconds property of the associated SATransform. Except if 
   the value of this LifetimeSeconds property is zero, then there will 
   be no lifetime associated to this SA. 
    

  
Jason, et al           Expires 20-January-2002              [Page 33] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   It is expected that most SAStaticAction instances will have their 
   LifetimeSeconds properties set to zero (meaning no expiration of the 
   resulting SA). 
    
6.3. The Class IPsecBypassAction 
    
   The class IPsecBypassAction is used when packets are allowed to be 
   processed without applying IPsec encapsulation to them.  This is the 
   same as stating that packets are allowed to flow in the clear.  The 
   class definition for IPsecBypassAction is as follows: 
    
   NAME         IPsecBypassAction 
   DESCRIPTION  Specifies that packets are to be allowed to pass in the 
                clear. 
   DERIVED FROM SAStaticAction 
   ABSTRACT     FALSE 
    
6.4. The Class IPsecDiscardAction 
    


  
Jason, et al            Expires September 2001               [Page 31] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
    
   The class IPsecDiscardAction is used when packets are to be 
   discarded.  This is the same as stating that packets are to be 
   denied.  The class definition for IPsecDiscardAction is as follows: 
    
   NAME         IPsecDiscardAction 
   DESCRIPTION  Specifies that packets are to be discarded. 
   DERIVED FROM SAStaticAction 
   ABSTRACT     FALSE 
    
6.5. The Class IKERejectAction 
    
   The class IKERejectAction is used to prevent attempting an IKE 
   negotiation with the peer(s).  The main use of this class is to 
   prevent some denial of service attacks when acting as IKE responder. 
   It goes beyond a plain discard of UDP/500 IKE packets because the 
   SACondition can be based on specific PeerIDPayloadFilterEntry (when 
   aggressive mode is used).  The class definition for IKERejectAction 
   is as follows: 
    
   NAME         IKERejectAction 
   DESCRIPTION  Specifies that an IKE negotiation should not even be 
                attempted or continued. 
   DERIVED FROM SAStaticAction 
   ABSTRACT     FALSE 
    
6.6. The Class PreconfiguredSAAction 
    
   The class PreconfiguredSAAction is used to create a security 
   association using preconfigured, hard-wired algorithms and keys. 
    
   Notes:  
    
   -    the SPI for a PreconfiguredSAAction is contained in the 
     association, TransformOfPreconfiguredAction;   
  
Jason, et al           Expires 20-January-2002              [Page 34] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    
   -    the session key (if applicable) is contained in an instance of the 
     class SharedSecret (see appendix B). The session key is stored in 
     the property secret, the property protocol contains either "ESP" "ESP-
     encryptö, ôESP-auth" or "AH", the property algorithm contains the 
     algorithm used to protect the secret (can be "PLAINTEXT" if the 
     IPsec entity has no secret storage), the value of property 
     RemoteID is the concatenation of the remote IPsec peer IP address 
     in dotted decimal, of the character "/", of ôINö (resp. ôOUTö) for 
     inbound SA (resp. outbound SA), of the character ô/ö and of the 
     hexadecimal representation of the SPI. 
    
   Although the class is concrete, it MUST not be instantiated.  The 
   class definition for PreconfiguredSAAction is as follows: 
    
   NAME         PreconfiguredSAAction 
   DESCRIPTION  Specifies preconfigured algorithm and keying 
                information for creation of a security association. 
   DERIVED FROM SAStaticAction 
   ABSTRACT     FALSE 
  
Jason, et al            Expires September 2001               [Page 32] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   PROPERTIES   LifetimeKilobytes 
    
6.6.1. The Property LifetimeKilobytes 
    
   The property LifetimeKilobytes specifies a traffic limit in 
   kilobytes that can be consumed before the SA is deleted..  The 
   property is defined as follows: 
    
   NAME         LifetimeKilobytes 
   DESCRIPTION  Specifies the SA lifetime in kilobytes. 
   SYNTAX       unsigned 32-bit integer 
   VALUE        A value of zero indicates that there is not a lifetime 
                associated with this action (i.e., infinite lifetime).  
                A non-zero value is used to indicate that after this 
                amount of kilobytes has been consumed the SA must be 
                deleted from the SADB. 
    
   Note: the actual lifetime of the preconfigured SA will be the 
   smallest of the value of this LifetimeKilobytes property and of the 
   value of the MaxLifetimeSeconds property of the associated 
   SATransform. Except if the value of this LifetimeKilobytes property 
   is zero, then there will be no lifetime associated with this action. 
    
   It is expected that most PreconfiguredSAAction instances will have 
   their LifetimeKilobyte properties set to zero (meaning no expiration 
   of the resulting SA). 
    
6.7. The Class PreconfiguredTransportAction 
    
   The class PreconfiguredTransportAction is used to create an IPsec 
   transport-mode security association using preconfigured, hard-wired 
   algorithms and keys.  The class definition for 
   PreconfiguredTransportAction is as follows: 
  
Jason, et al           Expires 20-January-2002              [Page 35] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    
   NAME         PreconfiguredTransportAction 
   DESCRIPTION  Specifies preconfigured algorithm and keying 
                information for creation of an IPsec transport security 
                association. 
   DERIVED FROM PreconfiguredSAAction 
   ABSTRACT     FALSE 
    
6.8. The Class PreconfiguredTunnelAction 
    
   The class PreconfiguredTunnelAction is used to create an IPsec 
   tunnel-mode security association using preconfigured, hard-wired 
   algorithms and keys.  The class definition for PreconfiguredSAAction 
   is as follows: 
    
   NAME         PreconfiguredTunnelAction 
   DESCRIPTION  Specifies preconfigured algorithm and keying 
                information for creation of an IPsec tunnel-mode 
                security association. 
   DERIVED FROM PreconfiguredSAAction 
   ABSTRACT     FALSE 
   PROPERTIES   PeerGatewayAddressType 
                PeerGatewayAddress   DFHandling 
 
6.8.1. The Property PeerGatewayAddressType 
    
   The property PeerGatewayAddressType specifies the format of the 
   PeerGatewayAddress property.  Addresses that can be formatted in 
   IPv4 format, must be formatted that way to ensure mixed IPv4/IPv6 
  
Jason, et al            Expires September 2001               [Page 33] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   support.  When the tunnel peer is not a security gateway, this 
   property value is set to 0.  The property is defined as follows: 
    
   NAME         PeerGatewayAddressType 
   DESCRIPTION  Specifies the format of PeerGatewayAddress. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        0 - unknown 
                1 - IPv4 
                2 - IPv6 
 
6.8.2. The Property PeerGatewayAddress 
    
   The property PeerGatewayAddress specifies the IP address of the 
   tunnel peer security gateway formatted according to the appropriate 
   convention as defined in the PeerGatewayAddressType property of this 
   class (e.g., 171.79.6.40).  When the tunnel peer is not a security 
   gateway, this property value is set to NULL.  The property is 
   defined as follows: 
    
   NAME         PeerGatewayAddress 
   DESCRIPTION  Specifies the IP address of the tunnel peer. 
   SYNTAX       string 
   VALUE        When the value is NULL, this is a special meaning: the 
                IP address of the actual remote IKE entity is the 
                destination IP address of the IP packet that triggered 
                the SARule.  Else, the value is a string representation 
                of an IPv4 or IPv6 address. 
 
6.8.3. The Property DFHandling 
    
   The property DFHandling specifies how the Don't Fragment bit of the 
   internal IP header is to be handled during IPsec processing.  The 
   property is defined as follows: 
    
   NAME         DFHandling 
   DESCRIPTION  Specifies the processing of the DF bit. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        1 - û Copy the DF bit from the internal IP header to the 
                external IP header. 
                2 - û Set the DF bit of the external IP header to 1. 
                3 - û Clear the DF bit of the external IP header to 0. 
    
6.9. The Class SANegotiationAction 
    
   The class SANegotiationAction serves as the base class for IKE and 
   IPsec actions that result in a IKE negotiation.  Although the class 
   is concrete, is MUST not be instantiated.  The class definition for 
   SANegotiationAction is as follows: 
    
   NAME         SANegotiationAction 
   DESCRIPTION  A base class for IKE and IPsec actions that specifies 
                the parameters that are common for IKE phase 1 and IKE 
                phase 2 IPsec DOI negotiations. 
   DERIVED FROM SAAction 
   ABSTRACT     FALSE 
   PROPERTIES   MinLifetimeSeconds 
                MinLifetimeKilobytes 
                RefreshThresholdSeconds 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 34] 36] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   DERIVED FROM SAAction 
   ABSTRACT     FALSE 
   PROPERTIES   MinLifetimeSeconds 
                MinLifetimeKilobytes 
                RefreshThresholdSeconds 
 
 
                RefreshThresholdKilobytes 
                IdleDurationSeconds 
    
6.9.1. The Property MinLifetimeSeconds 
    
   The property MinLifetimeSeconds specifies the minimum seconds 
   lifetime that will be accepted from the peer.  MinLifetimeSeconds is 
   used to prevent certain denial of service attacks where the peer 
   requests an arbitrarily low lifetime value, causing renegotiations 
   with correspondingly expensive Diffie-Hellman operations.  The 
   property is defined as follows: 
    
   NAME         MinLifetimeSeconds 
   DESCRIPTION  Specifies the minimum acceptable seconds lifetime. 
   SYNTAX       unsigned 32-bit integer 
   VALUE        A value of zero indicates that there is no minimum 
                value.  A non-zero value specifies the minimum seconds 
                lifetime. 
    
6.9.2. The Property MinLifetimeKilobytes 
    
   The property MinLifetimeKilobytes specifies the minimum kilobytes 
   lifetime that will be accepted from the peer.  MinLifetimeKilobytes 
   is used to prevent certain denial of service attacks where the peer 
   requests an arbitrarily low lifetime value, causing renegotiations 
   with correspondingly expensive Diffie-Hellman operations.  Note that 
   there has been considerable debate regarding the usefulness of 
   applying kilobyte lifetimes to IKE phase 1 security associations, so 
   it is likely that this property will only apply to the sub-class 
   IPsecAction.  The property is defined as follows: 
    
   NAME         MinLifetimeKilobytes 
   DESCRIPTION  Specifies the minimum acceptable kilobytes lifetime. 
   SYNTAX       unsigned 32-bit integer 
   VALUE        A value of zero indicates that there is no minimum 
                value.  A non-zero value specifies the minimum 
                kilobytes lifetime. 
    
    
6.9.3. The Property RefreshThresholdSeconds 
    
   The property RefreshThresholdSeconds specifies what percentage of 
   the seconds lifetime can expire before IKE should attempt to 
   renegotiate the security association.  A random value may be added 
   to the calculated threshold (percentage x seconds lifetime) to 
   reduce the chance of both peers attempting to renegotiate at the 
   same time.  The property is defined as follows: 
    
  
Jason, et al            Expires September 2001               [Page 35] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
    
   NAME         RefreshThresholdSeconds 
   DESCRIPTION  Specifies the percentage of seconds lifetime that has 
                expired before the security association is 
                renegotiated. 
   SYNTAX       unsigned 8-bit integer 
  
Jason, et al           Expires 20-January-2002              [Page 37] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   VALUE        A value between 1 and 100 representing a percentage.  A 
                value of 100 indicates that the security association 
                should not be renegotiated until the seconds lifetime 
                has been reached. 
    
6.9.4. The Property RefreshThresholdKilobytes 
    
   The property RefreshThresholdKilobytes specifies what percentage of 
   the kilobyte lifetime can expire before IKE should attempt to 
   renegotiate the IPsec security association.  A random value may be 
   added to the calculated threshold (percentage x kilobyte lifetime) 
   to reduce the chance of both peers attempting to renegotiate at the 
   same time.  Note, that as with the property MinLifetimeKilobytes, 
   this property is probably only relevant to IPsecAction sub-classes.  
   The property is defined as follows: 
    
   NAME         RefreshThresholdKilobytes 
   DESCRIPTION  Specifies the percentage of kilobyte lifetime that has 
                expired before the IPsec security association is 
                renegotiated. 
   SYNTAX       unsigned 8-bit integer 
   VALUE        A value between 1 and 100 representing a percentage.  A 
                value of 100 indicates that the IPsec security 
                association should not be renegotiated until the 
                kilobyte lifetime has been reached. 
    
6.9.5. The Property IdleDurationSeconds 
    
   The property IdleDurationSeconds specifies how many seconds a 
   security association may remain idle (i.e., no traffic protected 
   using the security association) before it is deleted.  The property 
   is defined as follows: 
    
   NAME         IdleDurationSeconds 
   DESCRIPTION  Specifies how long, in seconds, a security association 
                may remain unused before it is deleted. 
   SYNTAX       unsigned 32-bit integer 
   VALUE        A value of zero indicates that idle detection should 
                not be used for the security association (only the 
                seconds and kilobyte lifetimes will be used).  Any non-
                zero value indicates the number of seconds the security 
                association may remain unused. 
    
6.10. The Class IPsecAction 
    
   The class IPsecAction serves as the base class for IPsec transport 
   and tunnel actions.  It specifies the parameters used for an IKE 
   phase 2 IPsec DOI negotiation.  Although the class is concrete, is 
  
Jason, et al            Expires September 2001               [Page 36] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   MUST not be instantiated.  The class definition for IPsecAction is 
   as follows: 
    
   NAME         IPsecAction 
   DESCRIPTION  A base class for 

  
Jason, et al           Expires 20-January-2002              [Page 38] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   DESCRIPTION  A base class for IPsec transport and tunnel actions 
                that specifies the parameters for IKE phase 2 IPsec DOI 
                negotiations. 
   DERIVED FROM SANegotiationAction 
   ABSTRACT     FALSE 
   PROPERTIES   UsePFS 
                UseIKEGroup 
                GroupId 
                Granularity 
                VendorID 
    
6.10.1. The Property UsePFS 
    
   The property UsePFS specifies whether or not perfect forward secrecy 
   should be used when refreshing keys.  The property is defined as 
   follows: 
    
   NAME         UsePFS 
   DESCRIPTION  Specifies the whether or not to use PFS when refreshing 
                keys. 
   SYNTAX       boolean 
   VALUE        A value of true indicates that PFS should be used.  A 
                value of false indicates that PFS should not be used. 
    
6.10.2. The Property UseIKEGroup 
    
   The property UseIKEGroup specifies whether or not phase 2 should use 
   the same key exchange group as was used in phase 1.  UseIKEGroup is 
   ignored if UsePFS is false.  The property is defined as follows: 
    
   NAME         UseIKEGroup 
   DESCRIPTION  Specifies whether or not to use the same GroupId for 
                phase 2 as was used in phase 1.  If UsePFS is false, 
                then UseIKEGroup is ignored. 
   SYNTAX       boolean 
   VALUE        A value of true indicates that the phase 2 GroupId 
                should be the same as phase 1.  A value of false 
                indicates that the property GroupId will contain the 
                key exchange group to use for phase 2. 
    
6.10.3. The Property GroupId 
    
   The property GroupId specifies the key exchange group to use for 
   phase 2.  GroupId is ignored if (1) the property UsePFS is false, or 
   (2) the property UsePFS is true and the property UseIKEGroup is 
   true.  If the GroupID number is from the vendor-specific range 
   (32768-65535), the property VendorID qualifies the group number.  
   The property is defined as follows: 
    
  
Jason, et al            Expires September 2001               [Page 37] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
    
   NAME         GroupId 
   DESCRIPTION  Specifies the key exchange group to use for phase 2 
                when the property UsePFS is true and the property 
                UseIKEGroup is false. 
  
Jason, et al           Expires 20-January-2002              [Page 39] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Consult [IKE] for valid values. 
    
6.10.4. The Property Granularity 
    
   The property Granularity specifies how the selector for the security 
   association should be derived from the traffic that triggered the 
   negotiation.  The property is defined as follows: 
    
   NAME         Granularity 
   DESCRIPTION  Specifies the how the proposed selector for the 
                security association will be created. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        1 - û subnet: the source and destination subnet masks of 
                the FilterEntry filter entry are used. 
                2 - û address: only the source and destination IP 
                addresses of the triggering packet are used. 
                3 - û protocol: the source and destination IP addresses 
                and the IP protocol of the triggering packet are used. 
                4 - û port: the source and destination IP addresses and 
                the IP protocol and the source and destination layer 4 
                ports of the triggering packet are used. 
    
6.10.5. The Property VendorID 
    
   The property VendorID is used together with the property GroupID 
   (when it is in the vendor-specific range) to identify the key 
   exchange group.  VendorID is ignored unless UsePFS is true and 
   UseIKEGroup is false and GroupID is in the vendor-specific range 
   (32768-65535).  The property is defined as follows: 
    
   NAME         VendorID 
   DESCRIPTION  Specifies the IKE Vendor ID. 
   SYNTAX       string 
    
6.11. The Class IPsecTransportAction 
    
   The class IPsecTransportAction is a subclass of IPsecAction that is 
   used to specify use of an IPsec transport-mode security association.  
   The class definition for IPsecTransportAction is as follows: 
    
   NAME         IPsecTransportAction 
   DESCRIPTION  Specifies that an IPsec transport-mode security 
                association should be negotiated. 
   DERIVED FROM IPsecAction 
   ABSTRACT     FALSE 
    
6.12. The Class IPsecTunnelAction 
    
  
Jason, et al            Expires September 2001               [Page 38] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
    
   The class IPsecTunnelAction is a subclass of IPsecAction that is 
   used to specify use of an IPsec tunnel-mode security association.  
   The class definition for IPsecTunnelAction is as follows: 
    
  
Jason, et al           Expires 20-January-2002              [Page 40] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   NAME         IPsecTunnelAction 
   DESCRIPTION  Specifies that an IPsec tunnel-mode security 
                association should be negotiated. 
   DERIVED FROM IPsecAction 
   ABSTRACT     FALSE 
   PROPERTIES   DFHandling 
    
6.12.1. The Property DFHandling 
    
   The property DFHandling specifies how the tunnel should manage the 
   Don't Fragment (DF) bit.  The property is defined as follows: 
    
   NAME         DFHandling 
   DESCRIPTION  Specifies how to process the DF bit. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        1 - û Copy the DF bit from the internal IP header to the 
                external IP header. 
                2 - û Set the DF bit of the external IP header to 1. 
                3 - û Clear the DF bit of the external IP header to 0. 
    
6.13. The Class IKEAction 
    
   The class IKEAction specifies the parameters that are to be used for 
   IKE phase 1 negotiation.  The class definition for IKEAction is as 
   follows: 
    
   NAME         IKEAction 
   DESCRIPTION  Specifies the IKE phase 1 negotiation parameters. 
   DERIVED FROM SANegotiationAction 
   ABSTRACT     FALSE 
   PROPERTIES   RefreshThresholdDerivedKeys 
                ExchangeMode 
                UseIKEIdentityType 
                VendorID 
                AggressiveModeGroupId 
    
6.13.1. The Property RefreshThresholdDerivedKeys 
    
   The property RefreshThresholdDerivedKeys specifies what percentage 
   of the derived key limit (see the LifetimeDerivedKeys property of 
   IKEProposal) can expire before IKE should attempt to renegotiate the 
   IKE phase 1 security association.  A random value may be added to 
   the calculated threshold (percentage x derived key limit) to reduce 
   the chance of both peers attempting to renegotiate at the same time.  
   The property is defined as follows: 
    
   NAME         RefreshThresholdKilobytes 


  
Jason, et al            Expires September 2001               [Page 39] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   DESCRIPTION  Specifies the percentage of derived key limit that has 
                expired before the IKE phase 1 security association is 
                renegotiated. 
   SYNTAX       unsigned 8-bit integer 
   VALUE        A value between 1 and 100 representing a percentage.  A 
                value of 100 indicates that the IKE phase 1 security 
  
Jason, et al           Expires 20-January-2002              [Page 41] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
                association should not be renegotiated until the 
                derived key limit has been reached. 
    
6.13.2. The Property ExchangeMode 
    
   The property ExchangeMode specifies which IKE mode should be used 
   for IKE phase 1 negotiations.  The property is defined as follows: 
    
   NAME         ExchangeMode 
   DESCRIPTION  Specifies the IKE negotiation mode for phase 1. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        1 - base mode 
                2 - main mode 
                4 - aggressive mode 
    
6.13.3. The Property UseIKEIdentityType 
    
   The property UseIKEIdentityType specifies what IKE identity type 
   should be used when negotiating with the peer.  This information is 
   used in conjunction with the IKE identities available on the system 
   and the IdentityContexts of the matching IKERule.  The property is 
   defined as follows: 
    
   NAME         UseIKEIdentityType 
   DESCRIPTION  Specifies the IKE identity to use during negotiation. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        1 - IPv4 Address 
                2 - FQDN 
                3 - User FQDN 
                4 - IPv4 Subnet 
                5 - IPv6 Address 
                6 - IPv6 Subnet 
                7 - IPv4 Address Range 
                8 - IPv6 Address Range 
                9 - DER-Encoded ASN.1 X.500 Distinguished Name 
                10 - DER-Encoded ASN.1 X.500 GeneralName 
                11 - Key ID 
    
6.13.4. The Property VendorID 
    
   The property VendorID specifies the value to be used in the Vendor 
   ID payload.  The property is defined as follows: 
    
   NAME         VendorID 
   DESCRIPTION  Vendor ID Payload. 
   SYNTAX       string 

  
Jason, et al            Expires September 2001               [Page 40] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   VALUE        A value of NULL means that Vendor ID payload will be 
                neither generated nor accepted. A non-NULL value means 
                that a Vendor ID payload will be generated (when acting 
                as an initiator) or is expected (when acting as a 
                responder). 
    
6.13.5. The Property AggressiveModeGroupId 
  
Jason, et al           Expires 20-January-2002              [Page 42] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    
   The property AggressiveModeGroupId specifies which group ID is to be 
   used in the first packets of the phase 1 negotiation.  This property 
   is ignored unless the property ExchangeMode is set to 4 (aggressive 
   mode). If the AggressiveModeGroupID number is from the vendor-
   specific range (32768-65535), the property VendorID qualifies the 
   group number.  The property is defined as follows: 
    
   NAME         AggressiveModeGroupId 
   DESCRIPTION  Specifies the group ID to be used for aggressive mode. 
   SYNTAX       unsigned 16-bit integer 
    
6.14. The Class PeerGateway 
    
   The class PeerGateway specifies the security gateway with which the 
   IKE services negotiates.  The class definition for PeerGateway is as 
   follows: 
    
   NAME         PeerGateway 
   DESCRIPTION  Specifies the security gateway with which to negotiate. 
   DERIVED FROM LogicalElement (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Name 
                PeerIdentityType 
                PeerIdentity 
    
6.14.1. The Property Name 
    
   The property Name specifies a user-friendly name for this security 
   gateway.  The property is defined as follows: 
    
   NAME         Name 
   DESCRIPTION  Specifies a user-friendly name for this security 
                gateway. 
   SYNTAX       string 
    
6.14.2. The Property PeerIdentityType 
    
   The property PeerIdentityType specifies the IKE identity type of the 
   security gateway.  The property is defined as follows: 
    
   NAME         PeerIdentityType 
   DESCRIPTION  Specifies the IKE identity type of the security 
                gateway. 
   SYNTAX       unsigned 16-bit integer 

  
Jason, et al            Expires September 2001               [Page 41] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
   VALUE        1 - IPv4 Address 
                2 - FQDN 
                3 - User FQDN 
                4 - IPv4 Subnet 
                5 - IPv6 Address 
                6 - IPv6 Subnet 
                7 - IPv4 Address Range 
                8 - IPv6 Address Range 
  
Jason, et al           Expires 20-January-2002              [Page 43] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
                9 - DER-Encoded ASN.1 X.500 Distinguished Name 
                10 - DER-Encoded ASN.1 X.500 GeneralName 
                11 - Key ID 
    
6.14.3. The Property PeerIdentity 
    
   The property PeerIdentity specifies the IKE identity value of the 
   security gateway.  A conversion may be needed between the 
   PeerIdentity string representation and the real value used in the ID 
   payload (e.g. IP address is to be converted from a dotted decimal 
   string into 4 bytes).  The property is defined as follows: 
    
   NAME         PeerIdentity 
   DESCRIPTION  Specifies the IKE identity value of the security 
                gateway. 
   SYNTAX       string 
    
6.15. The Association Class PeerGatewayForTunnel 
    
   The class PeerGatewayForTunnel associates IPsecTunnelActions with an 
   ordered list of PeerGateways.  The class definition for 
   PeerGatewayForTunnel is as follows: 
    
    
   NAME         PeerGatewayForTunnel 
   DESCRIPTION  Associates IPsecTunnelActions with an ordered list of 
                PeerGateways. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref PeerGateway[0..n]] 
                Dependent [ref IPsecTunnelAction[0..n]] 
                SequenceNumber 
    
6.15.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to a PeerGateway instance.  The [0..n] 
   cardinality indicates that there an IPsecTunnelAction instance may 
   be associated with zero or more PeerGateway instances. 
    
   Note: the cardinality 0 has a specific meaning: 
    
        -         when there is no PeerGateway associated to an 
   IPsecTunnelAction, this means that the IKE service acts as a 
   responder and responder, this means that the 
          IKE service will accept phase 1 negotiation with any other 
          security gateway. gateway; 
        -         when the IKE service acts as an initiator, this means that 
          the IKE service will use the destination IP address (of the 
          IP packets which triggered the SARule) as the IP address of 
          the peer IKE entity. 
    
6.15.2. The Reference Dependent 
    

  
Jason, et al           Expires September 2001 20-January-2002              [Page 42] 44] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
6.15.2. The Reference Dependent 
 
 
   The property Dependent is inherited from Dependency and is 
   overridden to refer to an IPsecTunnelAction instance.  The [0..n] 
   cardinality indicates that a PeerGateway instance may be associated 
   with zero or more IPsecTunnelAction instances. 
    
6.15.3. The Property SequenceNumber 
    
   The property SequenceNumber specifies the ordering to be used when 
   evaluating PeerGateway instances for a given IPsecTunnelAction.  .  
   The property is defined as follows: 
    
   NAME         SequenceNumber 
   DESCRIPTION  Specifies the order of evaluation for PeerGateways. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Lower values are evaluated first. 
 
6.16. The Aggregation Class ContainedProposal 
    
   The class ContainedProposal associates an ordered list of 
   SAProposals with the SANegotiationAction that aggregates it.  If the 
   referenced SANegotiationAction object is an IKEAction, then the 
   referenced SAProposal object(s) must be IKEProposal(s).  If the 
   referenced SANegotiationAction object is an IPsecTransportAction or 
   an IPsecTunnelAction, then the referenced SAProposal object(s) must 
   be IPsecProposal(s).  The class definition for ContainedProposal is 
   as follows: 
    
   NAME         ContainedProposal 
   DESCRIPTION  Associates an ordered list of SAProposals with an 
                SANegotiationAction. 
   DERIVED FROM PolicyComponent (see [PCIM]) 
   ABSTRACT     FALSE 
   PROPERTIES   GroupComponent[ref SANegotiationAction[0..n]] 
                PartComponent[ref SAProposal[1..n]] 
                SequenceNumber 
    
6.16.1. The Reference GroupComponent 
    
        -         The property GroupComponent is inherited from PolicyComponent 
          and is overridden to refer to an SANegotiationAction 
          instance.  The [0..n] cardinality indicates that an 
          SAProposal instance may be associated with zero or more 
          SANegotiationAction instances. 
    
   Note: the cardinality 0 has a specific meaning: 
    
        - when the IKE service acts as a responder, this means that the 
          IKE service will accept phase 1 negotiation with any other 
          security gateway; 
        - when the IKE service acts as an initiator, this means that 
          the IKE service will use the destination IP address (of the 

  
Jason, et al            Expires September 2001               [Page 43] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
          IP packets which triggered the SARule) as the IP address of 
          the peer IKE entity. 
    
6.16.2. The Reference PartComponent 
    
   The property PartComponent is inherited from PolicyComponent and is 
   overridden to refer to an SAProposal instance.  The [1..n] 
   cardinality indicates that an SANegotiationAction instance MUST be 
   associated with at least one SAProposal instance. 
    
6.16.3. The Property SequenceNumber 
    
  
Jason, et al           Expires 20-January-2002              [Page 45] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   The property SequenceNumber specifies the order of preference for 
   the SAProposals.  The property is defined as follows: 
    
   NAME         SequenceNumber 
   DESCRIPTION  Specifies the preference order for the SAProposals. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Lower-valued proposals are preferred over proposals 
                with higher values.  For ContainedProposals that 
                reference the same SANegotiationAction, SequenceNumber 
                values must be unique. 
 
6.17. The Association Class HostedPeerGatewayInformation 
    
   The class HostedPeerGatewayInformation weakly associates a 
   PeerGateway with a System.  The class definition for 
   HostedPeerGatewayInformation is as follows: 
    
    
   NAME         HostedPeerGatewayInformation 
   DESCRIPTION  Weakly associates a PeerGateway with a System. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref System[1..1]] 
                Dependent [ref PeerGateway[0..n] [weak]] 
     
6.17.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to a System instance.  The [1..1] cardinality 
   indicates that a PeerGateway instance MUST be associated with one 
   and only one System instance. 
    
6.17.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to a PeerGateway instance.  The [0..n] 
   cardinality indicates that a System instance may be associated with 
   zero or more PeerGateway instances. 
    
6.18. The Association Class TransformOfPreconfiguredAction 
    
  
Jason, et al            Expires September 2001               [Page 44] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
    
   The class TransformOfPreconfiguredAction associates a 
   PreconfiguredSAAction with from one two to three six SATransforms that will be 
   applied to the inbound and outbound traffic.  The order of 
   application of the SATransforms is implicitly defined in [IPSEC].  
   The class definition for TransformOfPreconfiguredAction is as 
   follows: 
    
   NAME         TransformOfPreconfiguredAction 
   DESCRIPTION  Associates a PreconfiguredSAAction with from one to 
                three SATransforms. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 
  
Jason, et al           Expires 20-January-2002              [Page 46] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   PROPERTIES   Antecedent[ref SATransform[1..3]] SATransform[2..6]] 
                Dependent[ref PreconfiguredSAAction[0..n]] 
                SPI 
                Direction 
    
6.18.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to an SATransform instance.  The [1..3] [2..6] 
   cardinality indicates that an SANegotiationAction instance may be 
   associated with from one two to three six SATransform instances. 
    
6.18.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to a PreconfiguredSAAction instance.  The [0..n] 
   cardinality indicates that an SATransform instance may be associated 
   with zero or more PreconfiguredSAAction instances. 
    
6.18.3. The Property SPI 
    
   The property SPI specifies the SPI to be used by the pre-configured 
   action for the associated transform.  The property is defined as 
   follows: 
    
   NAME         SPI 
   DESCRIPTION  Specifies the SPI to be used with the SATransform. 
   SYNTAX       unsigned 32-bit integer 
 
6.18.4. The Property Direction 
 
   The property Direction specifies whether the SPI property is for 
   inbound or for outbound traffic. The property is defined as follows: 
 
   NAME                         Direction 
   DESCRIPTION Specifies whether the SA is for inbound or outbound 
               traffic. 
   SYNTAX      unsigned 8-bit integer 
   VALUE       1 û this SA is for inbound traffic 
                2 û this SA is for outbound traffic 
    
6.19 The Association Class PeerGatewayForPreconfiguredTunnel 
    
   The class PeerGatewayForPreconfiguredTunnel associates one or one 
   PeerGateway with multiple PreconfiguredTunnelActions. The class 
   definition for PeerGatewayForPreconfiguredTunnel is as follows: 
    
   NAME         PeerGatewayForPreconfiguredTunnel 
   DESCRIPTION  Associates a PeerGateway with multiple 
                PreconfiguredTunnelAction. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 

  
Jason, et al           Expires September 2001 20-January-2002              [Page 45] 47] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
7. Proposal and Transform Classes 
 
 
   PROPERTIES   Antecedent[ref PeerGateway[0..1]] 
                Dependent[ref PreconfiguredTunnelAction[0..n]] 
                 
6.19.1. The proposal Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and transform classes model the proposal settings is 
   overridden to refer to an 
   IPsec device will use PeerGateway instance.  The [0..1] 
   cardinality indicates that an PreconfiguredTunnelAction instance may 
   be associated with one PeerGteway instance. 
    
6.19.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to a PreconfiguredTunnelAction instance.  The 
   [0..n] cardinality indicates that an PeerGateway instance may be 
   associated with zero or more PreconfiguredSAAction instances. 
    




































  
Jason, et al           Expires 20-January-2002              [Page 48] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
7. Proposal and Transform Classes 
    
   The proposal and transform classes model the proposal settings an 
   IPsec device will use during IKE phase 1 and 2 negotiations. 
    
                             +--------------+*w     1+--------------+ 
                             | [SAProposal] |--------|   System     | 
                             +--------------+  (a)   | (Appendix A) | 
                                    ^                +--------------+ 
                                    |                        |1 
                         +----------------------+            | 
                         |                      |            | 
                  +-------------+       +---------------+    | 
                  | IKEProposal |       | IPsecProposal |    | 
                  +-------------+       +---------------+    | 
                                               *o            | 
                                                |(b)         |(c) 
                                               n|            | 
                                        +---------------+*w  | 
                                        | [SATransform] |----+ 
                                        +---------------+ 
                                                ^ 
                                                | 
               +--------------------+-----------+---------+ 
               |                    |                     | 
        +-------------+     +--------------+     +----------------+ 
        | AHTransform |     | ESPTransform |     |IPCOMPTransform | 
        +-------------+     +--------------+     +----------------+ 
    
   (a)  SAProposalInSystem 
   (b)  ContainedTransform 
   (c)  SATransformInSystem 
    
7.1. The Abstract Class SAProposal 
    
   The abstract class SAProposal serves as the base class for the IKE 
   and IPsec proposal classes.  It specifies the parameters that are 
   common to the two proposal types.  The class definition for 
   SAProposal is as follows: 
    
   NAME         SAProposal 
   DESCRIPTION  Specifies the common proposal parameters for IKE and 
                IPsec security association negotiation. 
   DERIVED FROM Policy ([PCIM]) 
   ABSTRACT     TRUE 
   PROPERTIES   Name 
                  
7.1.1. The Property Name 
    
   The property Name specifies a user-friendly name for the SAProposal.  
   The property is defined as follows: 
    
   NAME         Name 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 46] 49] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   DESCRIPTION  Specifies a user-friendly name for this proposal. 
   SYNTAX       string 
    
7.2. The Class IKEProposal 
    
   The class IKEProposal specifies the proposal parameters necessary to 
   drive an IKE security association negotiation.  The class definition 
   for IKEProposal is as follows: 
    
   NAME         IKEProposal 
   DESCRIPTION  Specifies the proposal parameters for IKE security 
                association negotiation. 
   DERIVED FROM SAProposal 
   ABSTRACT     FALSE 
   PROPERTIES   LifetimeDerivedKeys 
                CipherAlgorithm 
                HashAlgorithm 
                PRFAlgorithm 
                GroupId 
                AuthenticationMethod 
                MaxLifetimeSeconds 
                MaxLifetimeKilobytes 
                VendorID 
    
7.2.1. The Property LifetimeDerivedKeys 
    
   The property LifetimeDerivedKeys specifies the number of times that 
   a phase 1 key will be used to derive a phase 2 key before the phase 
   1 security association needs renegotiated.  Even though this is not 
   a parameter that is sent in an IKE proposal, it is included in the 
   proposal as the number of keys derived may be a result of the 
   strength of the algorithms in the IKE proposal.  The property is 
   defined as follows: 
    
   NAME         LifetimeDerivedKeys 
   DESCRIPTION  Specifies the number of phase 2 keys that can be 
                derived from the phase 1 key. 
   SYNTAX       unsigned 32-bit integer 
   VALUE        A value of zero indicates that there is no limit to the 
                number of phase 2 keys that may be derived from the 
                phase 1 key; instead the seconds and/or kilobytes 
                lifetime will dictate the phase 1 rekeying.  A non-zero 
                value specifies the number of phase 2 keys that can be 
                derived from the phase 1 key. 
    
7.2.2. The Property CipherAlgorithm 
    
   The property CipherAlgorithm specifies the proposed phase 1 security 
   association encryption algorithm.  The property is defined as 
   follows: 
    
   NAME         CipherAlgorithm 

  
Jason, et al           Expires September 2001 20-January-2002              [Page 47] 50] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   DESCRIPTION  Specifies the proposed encryption algorithm for the 
                phase 1 security association. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Consult [IKE] for valid values. 
    
7.2.3. The Property HashAlgorithm 
    
   The property HashAlgorithm specifies the proposed phase 1 security 
   association hash algorithm.  The property is defined as follows: 
    
   NAME         HashAlgorithm 
   DESCRIPTION  Specifies the proposed hash algorithm for the phase 1 
                security association. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Consult [IKE] for valid values. 
    
7.2.4. The Property PRFAlgorithm 
    
   The property PRFAlgorithm specifies the proposed phase 1 security 
   association pseudo-random function.  The property is defined as 
   follows: 
    
   NAME         PRFAlgorithm 
   DESCRIPTION  Specifies the proposed pseudo-random function for the 
                phase 1 security association. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Currently none defined. 
    
7.2.5. The Property GroupId 
    
   The property GroupId specifies the proposed phase 1 security 
   association key exchange group.  This property is ignored for all 
   aggressive mode exchanges.  If the GroupID number is from the 
   vendor-specific range (32768-65535), the property VendorID qualifies 
   the group number.  The property is defined as follows: 
    
   NAME         GroupId 
   DESCRIPTION  Specifies the proposed key exchange group for the phase 
                1 security association. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        0 - û Not applicable: used for aggressive mode.  Consult 
                [IKE] for other valid values. 
    
7.2.6. The Property AuthenticationMethod 
    
   The property AuthenticationMethod specifies the proposed phase 1 
   authentication method.  The property is defined as follows: 
    
   NAME         AuthenticationMethod 
   DESCRIPTION  Specifies the proposed authentication method for the 
                phase 1 security association. 
   SYNTAX       unsigned 16-bit integer 

  
Jason, et al           Expires September 2001 20-January-2002              [Page 48] 51] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   VALUE        0 - a special value that indicates that this particular 
                proposal should be repeated once for each 
                authentication method that corresponds to the 
                credentials installed on the machine.  For example, if 
                the system has a pre-shared key and a certificate, a 
                proposal list could be constructed which includes a 
                proposal that specifies pre-shared key and proposals 
                for any of the public-key authentication methods. 
                Consult [IKE] for valid values. 
    
7.2.7. The Property MaxLifetimeSeconds 
    
   The property MaxLifetimeSeconds specifies the maximum amount of 
   time, in seconds, to propose that a security association will remain 
   valid after its creation.  The property is defined as follows: 
    
   NAME         MaxLifetimeSeconds 
   DESCRIPTION  Specifies the maximum amount of time to propose a 
                security association remain valid. 
   SYNTAX       unsigned 32-bit integer 
   VALUE        A value of zero indicates that the default of 8 hours 
                be used.  A non-zero value indicates the maximum 
                seconds lifetime. 
     
7.2.8. The Property MaxLifetimeKilobytes 
    
   The property MaxLifetimeKilobytes specifies the maximum kilobyte 
   lifetime to propose that a security association will remain valid 
   after its creation.  The property is defined as follows: 
    
   NAME         MaxLifetimeKilobytes 
   DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a 
                security association remain valid. 
   SYNTAX       unsigned 32-bit integer 
   VALUE        A value of zero indicates that there should be no 
                maximum kilobyte lifetime.  A non-zero value specifies 
                the desired kilobyte lifetime. 
     
7.2.9. The Property VendorID 
    
   The property VendorID further qualifies the key exchange group.  The 
   property is ignored unless the exchange is not in aggressive mode 
   and the property GroupID is in the vendor-specific range.  The 
   property is defined as follows: 
    
   NAME         VendorID 
   DESCRIPTION  Specifies the Vendor ID to further qualify the key 
                exchange group. 
   SYNTAX       string 
    
7.3. The Class IPsecProposal 
    

  
Jason, et al           Expires September 2001 20-January-2002              [Page 49] 52] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   The class IPsecProposal adds no new properties, but inherits 
   proposal properties from SAProposal as well as aggregating the 
   security association transforms necessary for building an IPsec 
   proposal (see the aggregation class ContainedTransform).  The class 
   definition for IPsecProposal is as follows: 
    
   NAME         IPsecProposal 
   DESCRIPTION  Specifies the proposal parameters for IPsec security 
                association negotiation. 
   DERIVED FROM SAProposal 
   ABSTRACT     FALSE 
    
7.4. The Abstract Class SATransform 
    
   The abstract class SATransform serves as the base class for the 
   IPsec transforms that can be used to compose an IPsec proposal or to 
   be used as a pre-configured action.  The class definition for 
   SATransform is as follows: 
    
   NAME         SATransform 
   DESCRIPTION  Base class for the different IPsec transforms. 
   ABSTRACT     TRUE 
   PROPERTIES   TransformName 
                VendorID 
                MaxLifetimeSeconds 
                MaxLifetimeKilobytes 
    
7.4.1. The Property TransformName 
    
   The property TransformName specifies a user-friendly name for the 
   SATransform.  The property is defined as follows: 
    
   NAME         TransformName 
   DESCRIPTION  Specifies a user-friendly name for this transform. 
   SYNTAX       string 
    
7.4.2. The Property VendorID 
    
   The property VendorID specifies the vendor ID for vendor-defined 
   transforms.  The property is defined as follows: 
    
   NAME         VendorID 
   DESCRIPTION  Specifies the vendor ID for vendor-defined transforms. 
   SYNTAX       string 
   VALUE        An empty VendorID string indicates that the transform 
                is a standard one. 
    
7.4.3. The Property MaxLifetimeSeconds 
    
   The property MaxLifetimeSeconds specifies the maximum amount of 
   time, in seconds, to propose that a security association will remain 
   valid after its creation.  The property is defined as follows: 
    
  
Jason, et al           Expires September 2001 20-January-2002              [Page 50] 53] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   NAME         MaxLifetimeSeconds 
   DESCRIPTION  Specifies the maximum amount of time to propose a 
                security association remain valid. 
   SYNTAX       unsigned 32-bit integer 
   VALUE        A value of zero indicates that the default of 8 hours 
                be used.  A non-zero value indicates the maximum 
                seconds lifetime. 
     
7.4.4. The Property MaxLifetimeKilobytes 
    
   The property MaxLifetimeKilobytes specifies the maximum kilobyte 
   lifetime to propose that a security association will remain valid 
   after its creation.  The property is defined as follows: 
    
   NAME         MaxLifetimeKilobytes 
   DESCRIPTION  Specifies the maximum kilobyte lifetime to propose a 
                security association remain valid. 
   SYNTAX       unsigned 32-bit integer 
   VALUE        A value of zero indicates that there should be no 
                maximum kilobyte lifetime.  A non-zero value specifies 
                the desired kilobyte lifetime. 
     
7.5. The Class AHTransform 
    
   The class AHTransform specifies the AH algorithm to propose during 
   IPsec security association negotiation.  The class definition for 
   AHTransform is as follows: 
    
   NAME         AHTransform 
   DESCRIPTION  Specifies the AH algorithm to propose. 
   ABSTRACT     FALSE 
   PROPERTIES   AHTransformId 
                UseReplayPrevention 
                ReplayPreventionWindowSize 
    
7.5.1. The Property AHTransformId 
    
   The property AHTransformId specifies the transform ID of the AH 
   algorithm to propose.  The property is defined as follows: 
    
   NAME         AHTransformId 
   DESCRIPTION  Specifies the transform ID of the AH algorithm. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Consult [DOI] for valid values. 
    
7.5.2. The Property UseReplayPrevention 
    
   The property UseReplayPrevention specifies whether replay prevention 
   detection is to be used.  The property is defined as follows: 
    
   NAME         UseReplayPrevention 
   DESCRIPTION  Specifies whether to enable replay prevention 
                detection. 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 51] 54] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   SYNTAX       boolean 
   VALUE        true - replay prevention detection is enabled. 
                false - replay prevention detection is disabled. 
    
7.5.3. The Property ReplayPreventionWindowSize 
    
   The property ReplayPreventionWindowSize specifies, in bits, the 
   length of the sliding window used by the replay prevention detection 
   mechanism. The value of this property is meaningless if 
   UseReplayPrevention is false. It is assumed that the window size 
   will be power of 2.  The property is defined as follows: 
    
   NAME         ReplayPreventionWindowSize 
   DESCRIPTION  Specifies the length of the window used by replay 
                prevention detection mechanism. 
   SYNTAX       unsigned 32-bit integer 
    
7.6. The Class ESPTransform 
    
   The class ESPTransform specifies the ESP algorithms to propose 
   during IPsec security association negotiation.  The class definition 
   for ESPTransform is as follows: 
    
   NAME         ESPTransform 
   DESCRIPTION  Specifies the ESP algorithms to propose. 
   ABSTRACT     FALSE 
   PROPERTIES   IntegrityTransformId 
                CipherTransformId 
                CipherKeyLength 
                CipherKeyRounds 
                UseReplayPrevention 
                ReplayPreventionWindowSize 
    
7.6.1. The Property IntegrityTransformId 
    
   The property IntegrityTransformId specifies the transform ID of the 
   ESP integrity algorithm to propose.  The property is defined as 
   follows: 
    
   NAME         IntegrityTransformId 
   DESCRIPTION  Specifies the transform ID of the ESP integrity 
                algorithm. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Consult [DOI] for valid values. 
    
7.6.2. The Property CipherTransformId 
    
   The property CipherTransformId specifies the transform ID of the ESP 
   encryption algorithm to propose.  The property is defined as 
   follows: 
    
   NAME         CipherTransformId 

  
Jason, et al           Expires September 2001 20-January-2002              [Page 52] 55] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   DESCRIPTION  Specifies the transform ID of the ESP encryption 
                algorithm. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Consult [DOI] for valid values. 
    
7.6.3. The Property CipherKeyLength 
    
   The property CipherKeyLength specifies, in bits, the key length for 
   the ESP encryption algorithm.  For encryption algorithms that use 
   fixed-length keys, this value is ignored.  The property is defined 
   as follows: 
    
   NAME         CipherKeyLength 
   DESCRIPTION  Specifies the ESP encryption key length in bits. 
   SYNTAX       unsigned 16-bit integer 
    
7.6.4. The Property CipherKeyRounds 
    
   The property CipherKeyRounds specifies the number of key rounds for 
   the ESP encryption algorithm.  For encryption algorithms that use 
   fixed number of key rounds, this value is ignored.  The property is 
   defined as follows: 
    
   NAME         CipherKeyRounds 
   DESCRIPTION  Specifies the number of key rounds for the ESP 
                encryption algorithm. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Currently, key rounds are not defined for any ESP 
                encryption algorithms. 
     
7.6.5. The Property UseReplayPrevention 
    
   The property UseReplayPrevention specifies whether replay prevention 
   detection is to be used.  The property is defined as follows: 
    
   NAME         UseReplayPrevention 
   DESCRIPTION  Specifies whether to enable replay prevention 
                detection. 
   SYNTAX       boolean 
   VALUE        true - replay prevention detection is enabled. 
                false - replay prevention detection is disabled. 
    
7.6.6. The Property ReplayPreventionWindowSize 
    
   The property ReplayPreventionWindowSize specifies, in bits, the 
   length of the sliding window used by the replay prevention detection 
   mechanism. The value of this property is meaningless if 
   UseReplayPrevention is false. It is assumed that the window size 
   will be power of 2.  The property is defined as follows: 
    
   NAME         ReplayPreventionWindowSize 
   DESCRIPTION  Specifies the length of the window used by replay 
                prevention detection mechanism. 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 53] 56] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   SYNTAX       unsigned 32-bit integer 
    
7.7. The Class IPCOMPTransform 
    
   The class IPCOMPTransform specifies the IP compression (IPCOMP) 
   algorithm to propose during IPsec security association negotiation.  
   The class definition for IPCOMPTransform is as follows: 
    
   NAME         IPCOMPTransform 
   DESCRIPTION  Specifies the IPCOMP algorithm to propose. 
   ABSTRACT     FALSE 
   PROPERTIES   Algorithm 
                DictionarySize 
                PrivateAlgorithm 
    
7.7.1. The Property Algorithm 
    
   The property Algorithm specifies the transform ID of the IPCOMP 
   compression algorithm to propose.  The property is defined as 
   follows: 
    
   NAME         Algorithm 
   DESCRIPTION  Specifies the transform ID of the IPCOMP compression 
                algorithm. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        1 - û OUI: a vendor specific algorithm is used and 
                specified in the property PrivateAlgorithm.  Consult 
                [DOI] for other valid values. 
    
7.7.2. The Property DictionarySize 
    
   The property DictionarySize specifies the log2 maximum size of the 
   dictionary for the compression algorithm.  For compression 
   algorithms that have pre-defined dictionary sizes, this value is 
   ignored.  The property is defined as follows: 
    
   NAME         DictionarySize 
   DESCRIPTION  Specifies the log2 maximum size of the dictionary. 
   SYNTAX       unsigned 16-bit integer 
    
7.7.3. The Property PrivateAlgorithm 
    
   The property PrivateAlgorithm specifies a private vendor-specific 
   compression algorithm.  This value is only used when the property 
   Algorithm is 1 (OUI).  The property is defined as follows: 
    
   NAME         PrivateAlgorithm 
   DESCRIPTION  Specifies a private vendor-specific compression 
                algorithm. 
   SYNTAX       unsigned 32-bit integer 
    
7.8. The Association Class SAProposalInSystem 
    
  
Jason, et al           Expires September 2001 20-January-2002              [Page 54] 57] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   The class SAProposalInSystem weakly associates SAProposals with a 
   System.  The class definition for SAProposalInSystem is as follows: 
    
    
   NAME         SAProposalInSystem  
   DESCRIPTION  Weakly associates SAProposals with a System. 
   DERIVED FROM PolicyInSystem (see [PCIM]) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent[ref System [1..1]] 
                Dependent[ref SAProposal[0..n] [weak]] 
                  
7.8.1. The Reference Antecedent 
    
   The property Antecedent is inherited from PolicyInSystem and is 
   overridden to refer to a System instance.  The [1..1] cardinality 
   indicates that an SAProposal instance MUST be associated with one 
   and only one System instance. 
    
7.8.2. The Reference Dependent 
    
   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SAProposal instance.  The [0..n] 
   cardinality indicates that a System instance may be associated with 
   zero or more SAProposal instances. 
    
7.9. The Aggregation Class ContainedTransform 
    
   The class ContainedTransform associates an IPsecProposal with the 
   set of SATransforms that make up the proposal.  If multiple 
   transforms of the same type are in a proposal, then they are to be 
   logically ORed and the order of preference is dictated by the 
   SequenceNumber property.  Sets of transforms of different types are 
   logically ANDed.  For example, if the ordered proposal list were 
    
   ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) } 
   AH  = { MD5, SHA-1 } 
    
   then the one sending the proposal would want the other side to pick 
   one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND 
   one from the AH transform list (preferably MD5). 
    
   The class definition for ContainedProposal ContainedTransform is as follows: 
    
   NAME         ContainedTransform 
   DESCRIPTION  Associates an IPsecProposal with the set of 
                SATransforms that make up the proposal. 
   DERIVED FROM PolicyComponent (see [PCIM]) 
   ABSTRACT     FALSE 
   PROPERTIES   GroupComponent[ref IPsecProposal[0..n]] 
                PartComponent[ref SATransform[1..n]] 
                SequenceNumber 
    
7.9.1. The Reference GroupComponent 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 55] 58] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    
   The property GroupComponent is inherited from PolicyComponent and is 
   overridden to refer to an IPsecProposal instance.  The [0..n] 
   cardinality indicates that an SATransform instance may be associated 
   with zero or more IPsecProposal instances. 
    
7.9.2. The Reference PartComponent 
    
   The property PartComponent is inherited from PolicyComponent and is 
   overridden to refer to an SATransform instance.  The [1..n] 
   cardinality indicates that an IPsecProposal instance MUST be 
   associated with at least one SATransform instance. 
    
7.9.3. The Property SequenceNumber 
    
   The property SequenceNumber specifies the order of preference for 
   the SATransforms of the same type.  The property is defined as 
   follows: 
    
   NAME         SequenceNumber 
   DESCRIPTION  Specifies the preference order for the SATransforms of 
                the same type. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        Lower-valued transforms are preferred over transforms 
                of the same type with higher values.  For 
                ContainedTransforms that reference the same  
                IPsecProposal, SequenceNumber values must be unique. 
    
7.10. The Association Class SATransformInSystem 
    
   The class SATransformInSystem weakly associates SATransforms with a 
   System.  The class definition for SATransformInSystem System is as 
   follows: 
    
    
   NAME         SATransformInSystem  
   DESCRIPTION  Weakly associates SATransforms with a System. 
   DERIVED FROM PolicyInSystem (see [PCIM]) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent[ref System[1..1]] 
                Dependent[ref SATransform[0..n] [weak]] 
                  
7.10.1. The Reference Antecedent 
    
   The property Antecedent is inherited from PolicyInSystem and is 
   overridden to refer to a System instance.  The [1..1] cardinality 
   indicates that an SATransform instance MUST be associated with one 
   and only one System instance. 
    
7.10.2. The Reference Dependent 
    
   The property Dependent is inherited from PolicyInSystem and is 
   overridden to refer to an SATransform instance.  The [0..n] 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 56] 59] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   cardinality indicates that a System instance may be associated with 
   zero or more SATransform instances. 
    


















































  
Jason, et al           Expires September 2001 20-January-2002              [Page 57] 60] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
8. IKE Service and Identity Classes 
    
                +--------------+           +-------------------+ 
                |    System    |           | PeerIdentityEntry | 
                | (Appendix A) |           +-------------------+ 
                +--------------+                     |*w 
                      1| (a)                 (b)     |  
                       +---+            +------------+ 
                           |            | 
                           |*w        1 o 
   +-------------+     +-------------------+    +---------------------+ 
   | PeerGateway |     | PeerIdentityTable |    | AutostartIKESetting | 
   +-------------+     +-------------------+    +---------------------+ 
        *|                          *|               *|    *| 
         +----------------------+    |(d)  +----------+     | 
                  (c)          *|   *|    *|     (e)        | 
                              *+------------+*              |(f) 
             +-----------------| IKEService |-----+         | 
             |      (g)        +------------+     |(h)      | 
         0..1|                      *|           *|        *o 
   +--------------------+            |    +---------------------------+ 
   | IPProtocolEndpoint |            |    | AutostartIKEConfiguration | 
   |    (Appendix C)    |         (i)|    +---------------------------+ 
   +--------------------+            | 
      0..1|                          | 
          |(j)                       +----------------+ 
         *|                                           |* 
   +-------------+* (k)  +------------+ +-----------------------------+ 
   | IKEIdentity |-------| Collection | | CredentialManagementService | 
   +-------------+   0..1|(Appendix A)| |        (Appendix B)         | 
         *|              +------------+ +-----------------------------+ 
          |(l) 
         *| 
   +--------------+ 
   |  Credential  | 
   | (Appendix B) | 
   +--------------+ 
    
   (a)  HostedPeerIdentityTable 
   (b)  PeerIdentityMember 
   (c)  IKEServicePeerGateway 
   (d)  IKEServicePeerIdentityTable 
   (e)  IKEAutostartSetting 
   (f)  AutostartIKESettingContext 
   (g)  IKEServiceForEndpoint 
   (h)  IKEAutostartConfiguration 
   (i)  IKEUsesCredentialManagementService 
   (j)  EndpointHasLocalIKEIdentity 
   (k)  CollectionHasLocalIKEIdentity 
   (l)  IKEIdentitysCredential 
    
   This portion of the model contains additional information that is 
   useful in applying the policy.  The IKEService class MAY be used to 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 58] 61] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   represent the IKE negotiation function in a system. The IKEService 
   uses the various tables that contain information about IKE peers as 
   well as the configuration for specifying security associations that 
   are started automatically.  The information in the PeerGateway, 
   PeerIdentityTable and related classes is necessary to completely 
   specify the policies. 
    
   An interface (represented by an IPProtocolEndpoint) has an 
   IKEService that provides the negotiation services for that 
   interface.  That service MAY also have a list of security 
   associations for that are automatically started at the time the IKE 
   service is initialized. 
    
   The IKEService also has a set of identities that it may use in 
   negotiations with its peers.  Those identities are associated with 
   the interfaces (or collections of interfaces). 
    
8.1. The Class IKEService 
    
   The class IKEService represents the IKE negotiation function.  An 
   instance of this service may provide that negotiation service for 
   one or more interfaces (represented by the IPProtocolEndpoint class) 
   of a System.  There may be multiple instances of IKE services on a 
   System but only one per interface.  The class definition for 
   IKEService is as follows: 
    
   NAME         IKEService 
   DESCRIPTION  IKEService is used to represent the IKE negotiation 
                function. 
   DERIVED FROM NetworkService (see Appendix C) 
   ABSTRACT     FALSE 
    
8.2. The Class PeerIdentityTable 
    
   The class PeerIdentityTable aggregates the table entries that 
   provide mappings between identities and their addresses.  The class 
   definition for PeerIdentityTable is as follows: 
    
   NAME         PeerIdentityTable 
   DESCRIPTION  PeerIdentityTable aggregates PeerIdentityEntry 
                instances to provide a table of identity-address 
                mappings. 
   DERIVED FROM Collection (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Name 
    
8.3.1. The Property Name 
    
   The property Name uniquely identifies the table.  The property is 
   defined as follows: 
    
   NAME         Name 
   DESCRIPTION  Name uniquely identifies the table. 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 59] 62] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   SYNTAX       string 
    
8.3. The Class PeerIdentityEntry 
    
   The class PeerIdentityEntry specifies the mapping between peer 
   identity and their address. The class definition for 
   PeerIdentityEntry is as follows: 
    
   NAME         PeerIdentityEntry 
   DESCRIPTION  PeerIdentityEntry provides a mapping between a peer's 
                identity and address. 
   DERIVED FROM LogicalElement (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   PeerIdentity 
                PeerIdentityType 
                PeerAddress 
                PeerAddressType 
    
8.3.1. The Property PeerIdentity 
    
   The property PeerIdentity contains a string encoding of the Identity 
   payload for the IKE peer.  The property is defined as follows: 
    
   NAME         PeerIdentity 
   DESCRIPTION  The PeerIdentity is the ID payload of a peer. 
   SYNTAX       string 
    
8.3.2. The Property PeerIdentityType 
    
   The property PeerIdentityType is an enumeration that specifies the 
   type of the PeerIdentity.  The property is defined as follows: 
    
   NAME         PeerIdentityType 
   DESCRIPTION  PeerIdentityType is the type of the ID payload of a 
                peer. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        The enumeration values are specified in [DOI] section 
                4.6.2.1. 
    
8.3.3. The Property PeerAddress 
    
   The property PeerAddress specifies the string representation of the 
   IP address of the peer formatted according to the appropriate 
   convention as defined in the PeerAddressType property (e.g., dotted 
   decimal notation).  The property is defined as follows: 
    
   NAME         PeerAddress 
   DESCRIPTION  PeerAddress is the address of the peer with the ID 
                payload. 
   SYNTAX       string 
   VALUE        String representation of an IPv4 or IPv6 address. 
    
8.3.4. The Property PeerAddressType 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 60] 63] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    
   The property PeerAddressType specifies the format of the PeerAddress 
   property value.  The property is defined as follows: 
    
   NAME         PeerAddressType 
   DESCRIPTION  PeerAddressType is the type of address in PeerAddress. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        0 - Unknown 
                1 - IPv4 
                2 - IPv6 
    
8.4. The Class AutostartIKEConfiguration 
    
   The class AutostartIKEConfiguration groups AutostartIKESetting 
   instances into configuration sets.  When applied, the settings cause 
   an IKE service to automatically start (negotiate or statically set 
   as appropriate) the Security Associations.  The class definition for 
   AutostartIKEConfiguration is as follows: 
    
   NAME         AutostartIKEConfiguration 
   DESCRIPTION  A configuration set of AutostartIKESetting instances to 
                be automatically started by the IKE service. 
   DERIVED FROM SystemConfiguration (see Appendix A) 
   ABSTRACT     FALSE 
    
8.5. The Class AutostartIKESetting 
    
   The class AutostartIKESetting is used to automatically initiate IKE 
   negotiations with peers (or statically create an SA) as specified in 
   the AutostartIKESetting properties.  Appropriate actions are 
   initiated according to the policy that matches the setting 
   parameters. The class definition for AutostartIKESetting is as 
   follows: 
    
   NAME         AutostartIKESetting 
   DESCRIPTION  AutostartIKESetting is used to automatically initiate 
                IKE negotiations with peers or statically create an SA. 
   DERIVED FROM SystemSetting (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Phase1Only 
                AddressType 
                SourceAddress 
                SourcePort 
                DestinationAddress 
                DestinationPort 
                Protocol 
    
8.5.1. The Property Phase1Only 
    
   The property Phase1Only is used to limit the IKE negotiation to just 
   setting up a phase 1 security association.  When set to False, both 
   phase 1 and 2 negotiations are initiated.  
   The property is defined as follows: 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 61] 64] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    
   NAME         Phase1Only 
   DESCRIPTION  Used to indicate which security associations to attempt 
                to establish (phase 1 only, or phase 1 and 2). 
   SYNTAX       boolean 
   VALUE        true - attempt to establish a phase 1 security 
                association 
                false - attempt to establish phase 1 and 2 security 
                associations 
    
8.5.2. The Property AddressType 
    
   The property AddressType specifies type of the addresses in the 
   SourceAddress and DestinationAddress properties.  The property is 
   defined as follows: 
    
   NAME         AddressType 
   DESCRIPTION  AddressType is the type of address in SourceAddress and 
                DestinationAddress properties. 
   SYNTAX       unsigned 16-bit integer 
   VALUE        0 - Unknown 
                1 - IPv4 
                2 - IPv6 
    
8.5.3. The Property SourceAddress 
    
   The property SourceAddress specifies the dotted-decimal or colon-
   decimal formatted IP address used as the source address in comparing 
   with policy filter entries and used in any phase 2 negotiations.  
   The property is defined as follows: 
    
   NAME         SourceAddress 
   DESCRIPTION  The source address to compare with the filters to 
                determine the appropriate policy rule. 
   SYNTAX       string 
   VALUE        dotted-decimal or colon-decimal formatted IP address 
    
8.5.4. The Property SourcePort 
    
   The property SourcePort specifies the port number used as the source 
   port in comparing with policy filter entries and used in any phase 2 
   negotiations.  The property is defined as follows: 
    
   NAME         SourcePort 
   DESCRIPTION  The source port to compare with the filters to 
                determine the appropriate policy rule. 
   SYNTAX       unsigned 16-bit integer 
    
8.5.5. The Property DestinationAddress 
    
   The property DestinationAddress specifies the dotted-decimal or 
   colon-decimal formatted IP address used as the destination address 

  
Jason, et al           Expires September 2001 20-January-2002              [Page 62] 65] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   in comparing with policy filter entries and used in any phase 2 
   negotiations.  The property is defined as follows: 
    
   NAME         DestinationAddress 
   DESCRIPTION  The destination address to compare with the filters to 
                determine the appropriate policy rule. 
   SYNTAX       string 
   VALUE        dotted-decimal or colon-decimal formatted IP address 
    
8.5.6. The Property DestinationPort 
    
   The property DestinationPort specifies the port number used as the 
   destination port in comparing with policy filter entries and used in 
   any phase 2 negotiations.  The property is defined as follows: 
    
   NAME         DestinationPort 
   DESCRIPTION  The destination port to compare with the filters to 
                determine the appropriate policy rule. 
   SYNTAX       unsigned 16-bit integer 
 
8.5.7. The Property Protocol 
    
   The property Protocol specifies the protocol number used in 
   comparing with policy filter entries and used in any phase 2 
   negotiations.  The property is defined as follows: 
    
   NAME         Protocol 
   DESCRIPTION  The protocol number used in comparing with policy 
                filter entries. 
   SYNTAX       unsigned 8-bit integer 
    
8.6. The Class IKEIdentity 
    
   The class IKEIdentity is used to represent the identities that may 
   be used for an IPProtocolEndpoint (or collection of 
   IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 
   negotiations.  The policy IKEAction.UseIKEIdentityType specifies 
   which type of the available identities to use in a negotiation 
   exchange and the IKERule.IdentityContexts specifies the match values 
   to be used, along with the local address, in selecting the 
   appropriate identity for a negotiation. The ElementID property value 
   (defined in the parent class, UsersAccess) should be that of either 
   the IPProtocolEndpoint or Collection of endpoints as appropriate.  
   The class definition for IKEIdentity is as follows: 
    
   NAME         IKEIdentity 
   DESCRIPTION  IKEIdentity is used to represent the identities that 
                may be used for an IPProtocolEndpoint (or collection of 
                IPProtocolEndpoints) to identify the IKE Service in IKE 
                phase 1 negotiations. 
   DERIVED FROM UsersAccess (see Appendix B) 
   ABSTRACT     FALSE 

  
Jason, et al           Expires September 2001 20-January-2002              [Page 63] 66] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   PROPERTIES   IdentityType 
                IdentityValue 
                IdentityContexts 
    
8.6.1. The Property IdentityType 
    
   The property IdentityType is an enumeration that specifies the type 
   of the IdentityValue.  The property is defined as follows: 
    
   NAME         IdentityType 
   DESCRIPTION  IdentityType is the type of the IdentityValue. 
   SYNTAX       unsigned 8-bit integer 
   VALUE        The enumeration values are specified in [DOI] section 
                4.6.2.1. 
    
8.6.2. The Property IdentityValue 
    
   The property Identity specifies Value contains a string encoding of 
   the Identity payload.  For IKEIdentity instances that are address 
   types, the IdentityValue string value may be omitted and the 
   associated IPProtocolEndpoint or appropriate member of the 
   Collection of endpoints is used.  The property is defined as 
   follows: 
    
   NAME         IdentityValue 
   DESCRIPTION  IdentityValue contains a string encoding of the 
                Identity payload. 
   SYNTAX       string 
    
8.6.3. The Property IdentityContexts 
    
   The IdentityContexts property is used to constrain the use of 
   IKEIdentity instances to match that specified in the 
   IKERule.IdentityContexts.  The IdentityContexts are formatted as 
   policy roles and role combinations [PCIM].  Each value represents 
   one context or context combination.  Since this is a multi-valued 
   property, more than one context or combination of contexts can be 
   associated with a single IKEIdentity.  Each value is a string of the 
   form:        <ContextName>[&&<ContextName>]* 
   where the individual context names appear in alphabetical order 
   (according to the collating sequence for UCS-2). If one or more 
   values in the IKERule.IdentityContexts array match one or more 
   IKEIdentity.IdentityContexts then the identity's context matches.  
   (That is, each value of the IdentityContext array is an ORed 
   condition.)  In combination with the address of the 
   IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be 
   1 and only 1 IKEIdentity.  The property is defined as follows: 
    
   NAME         IdentityContexts 
   DESCRIPTION  The IKE service of a security endpoint may have 
                multiple identities for use in different situations. 
                The combination of the interface (represented by 
                the IPProtocolEndpoint), the identity type (as 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 64] 67] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
                specified in the IKEAction) and the IdentityContexts 
                selects a unique identity. 
   SYNTAX       string array 
   VALUE        string of the form <ContextName>[&&<ContextName>]* 
    
8.7. The Association Class HostedPeerIdentityTable 
    
   The class HostedPeerIdentityTable provides the name scoping 
   relationship for PeerIdentityTable entries in a System.  The 
   PeerIdentityTable is weak to the System.  The class definition for 
   HostedPeerIdentityTable is as follows: 
    
   NAME         HostedPeerIdentityTable 
   DESCRIPTION  The PeerIdentityTable instances are weak (name scoped 
                by) the owning System. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref System[1..1]] 
                Dependent [ref PeerIdentityTable[0..n] [weak]] 
     
8.7.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to a System instance.  The [1..1] cardinality 
   indicates that a PeerIdentityTable instance MUST be associated in a 
   weak relationship with one and only one System instance. 
    
8.7.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to a PeerIdentityTable instance.  The [0..n] 
   cardinality indicates that a System instance may be associated with 
   zero or more PeerIdentityTable instances. 
 
8.8. The Aggregation Class PeerIdentityMember 
    
   The class PeerIdentityMember aggregates PeerIdentityEntry instances 
   into a PeerIdentityTable.  This is a weak aggregation.  The class 
   definition for PeerIdentityMember is as follows: 
 
   NAME         PeerIdentityMember 
   DESCRIPTION  PeerIdentityMember aggregates PeerIdentityEntry 
                instances into a PeerIdentityTable. 
   DERIVED FROM MemberOfCollection (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Collection [ref PeerIdentityTable[1..1]] 
                Member [ref PeerIdentityEntry [0..n] [weak]] 
 
8.8.1. The Reference Collection 
    
   The property Collection is inherited from MemberOfCollection and is 
   overridden to refer to a PeerIdentityTable instance.  The [1..1] 
   cardinality indicates that a PeerIdentityEntry instance MUST be 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 65] 68] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   associated with one and only one PeerIdentityTable instance (i.e., 
   PeerIdentityEntry instances are not shared across 
   PeerIdentityTables). 
    
8.8.2. The Reference Member 
    
   The property Member is inherited from MemberOfCollection and is 
   overridden to refer to a PeerIdentityEntry instance.  The [0..n] 
   cardinality indicates that a PeerIdentityTable instance may be 
   associated with zero or more PeerIdentityEntry instances. 
    
8.9. The Association Class IKEServicePeerGateway 
    
   The class IKEServicePeerGateway provides the association between an 
   IKEService and the list of PeerGateway instances that it uses in 
   negotiating with security gateways.  The class definition for 
   IKEServicePeerGateway is as follows: 
    
   NAME         IKEServicePeerGateway 
   DESCRIPTION  Associates an IKEService and the list of PeerGateway 
                instances that it uses in negotiating with security 
                gateways. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref PeerGateway[0..n]] 
                Dependent [ref IKEService[0..n]] 
     
8.9.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to a PeerGateway instance.  The [0..n] 
   cardinality indicates that an IKEService instance may be associated 
   with zero or more PeerGateway instances. 
    
8.9.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to an IKEService instance.  The [0..n] 
   cardinality indicates that a PeerGateway instance may be associated 
   with zero or more IKEService instances. 
 
8.10. The Association Class IKEServicePeerIdentityTable 
    
   The class IKEServicePeerIdentityTable provides the relationship 
   between an IKEService and a PeerIdentityTable that it uses to map 
   between addresses and identities as required.  The class definition 
   for IKEServicePeerIdentityTable is as follows: 
    
   NAME         IKEServicePeerIdentityTable 
   DESCRIPTION  IKEServicePeerIdentityTable provides the relationship 
                between an IKEService and a PeerIdentityTable that it 
                uses. 
   DERIVED FROM Dependency (see Appendix A) 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 66] 69] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref PeerIdentityTable[0..n]] 
                Dependent [ref IKEService[0..n]] 
     
8.10.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to a PeerIdentityTable instance.  The [0..n] 
   cardinality indicates that an IKEService instance may be associated 
   with zero or more PeerIdentityTable instances. 
    
8.10.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to an IKEService instance.  The [0..n] 
   cardinality indicates that a PeerIdentityTable instance may be 
   associated with zero or more IKEService instances. 
 
8.11. The Association Class IKEAutostartSetting 
    
   The class IKEAutostartSetting associates an AutostartIKESetting with 
   an IKEService that may use it to automatically start an IKE 
   negotiation or create a static SA.  The class definition for 
   IKEAutostartSetting is as follows: 
    
   NAME         IKEAutostartSetting 
   DESCRIPTION  Associates a AutostartIKESetting with an IKEService. 
   DERIVED FROM ElementSetting (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Element [ref IKEService[0..n]] 
                Setting [ref AutostartIKESetting[0..n]] 
     
8.11.1. The Reference Element 
    
   The property Element is inherited from ElementSetting and is 
   overridden to refer to an IKEService instance.  The [0..n] 
   cardinality indicates an AutostartIKESetting instance may be 
   associated with zero or more IKEService instances. 
    
8.11.2. The Reference Setting 
    
   The property Setting is inherited from ElementSetting and is 
   overridden to refer to an AutostartIKESetting instance.  The [0..n] 
   cardinality indicates that an IKEService instance may be associated 
   with zero or more AutostartIKESetting instances. 
 
8.12. The Aggregation Class AutostartIKESettingContext 
    
   The class AutostartIKESettingContext aggregates the settings used to 
   automatically start negotiations or create a static SA into a 
   configuration set.  The class definition for 
   AutostartIKESettingContext is as follows: 
    
  
Jason, et al           Expires September 2001 20-January-2002              [Page 67] 70] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   NAME         AutostartIKESettingContext 
   DESCRIPTION  AutostartIKESettingContext aggregates the 
                AutostartIKESetting instances into a configuration set. 
   DERIVED FROM SystemSettingContext (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Context [ref AutostartIKEConfiguration [0..n]] 
                Setting [ref AutostartIKESetting [0..n]] 
                SequenceNumber 
     
8.12.1. The Reference Context 
    
   The property Context is inherited from SystemSettingContext and is 
   overridden to refer to an AutostartIKEConfiguration instance.  The 
   [0..n] cardinality indicates that an AutostartIKESetting instance 
   may be associated with zero or more AutostartIKEConfiguration 
   instances (i.e., a setting may be in multiple configuration sets). 
    
8.12.2. The Reference Setting 
    
   The property Setting is inherited from SystemSettingContext and is 
   overridden to refer to an AutostartIKESetting instance.  The [0..n] 
   cardinality indicates that an AutostartIKEConfiguration instance may 
   be associated with zero or more AutostartIKESetting instances. 
 
8.12.3. The Property SequenceNumber 
    
   The property SequenceNumber specifies indicates the ordering to be 
   used when starting negotiations or creating a static SA.  A zero 
   value indicates that order is not significant and settings may be 
   applied in parallel with other settings.  All other settings in the 
   configuration are executed in sequence from lower values to high.  
   Sequence numbers need not be unique in an AutostartIKEConfiguration 
   and order is not significant for settings with the same sequence 
   number.  The property is defined as follows: 
    
   NAME         SequenceNumber 
   DESCRIPTION  The sequence in which the settings are applied within a 
                configuration set. 
   SYNTAX       unsigned 16-bit integer 
    
8.13. The Association Class IKEServiceForEndpoint 
    
   The class IKEServiceForEndpoint provides the association showing 
   which IKE service, if any, provides IKE negotiation services for 
   which network interfaces.  The class definition for 
   IKEServiceForEndpoint is as follows: 
    
   NAME         IKEServiceForEndpoint 
   DESCRIPTION  Associates an IPProtocolEndpoint with an IKEService 
                that provides negotiation services for the endpoint. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 

  
Jason, et al           Expires September 2001 20-January-2002              [Page 68] 71] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   PROPERTIES   Antecedent [ref IKEService[0..1]] 
                Dependent [ref IPProtocolEndpoint[0..n]] 
     
8.13.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to an IKEService instance.  The [0..1] 
   cardinality indicates that an IPProtocolEndpoint instance MUST by 
   associated with at most one IKEService instance. 
    
8.13.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to an IPProtocolEndpoint that is associated with 
   at most one IKEService.  The [0..n] cardinality indicates an 
   IKEService instance may be associated with zero or more 
   IPProtocolEndpoint instances. 
 
8.14. The Association Class IKEAutostartConfiguration 
    
   The class IKEAutostartConfiguration provides the relationship 
   between an IKEService and a configuration set that it uses to 
   automatically start a set of SAs.  The class definition for 
   IKEAutostartConfiguration is as follows: 
    
   NAME         IKEAutostartConfiguration 
   DESCRIPTION  IKEAutostartConfiguration provides the relationship 
                between an IKEService and an AutostartIKEConfiguration 
                that it uses to automatically start a set of SAs. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref AutostartIKEConfiguration [0..n]] 
                Dependent [ref IKEService [0..n]] 
                Active 
     
8.14.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to an AutostartIKEConfiguration instance.  The 
   [0..n] cardinality indicates that an IKEService instance may be 
   associated with zero or more AutostartIKEConfiguration instances. 
    
8.14.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to an IKEService instance.  The [0..n] 
   cardinality indicates that an AutostartIKEConfiguration instance may 
   be associated with zero or more IKEService instances. 
 
8.14.3. The Property Active 
    
   The property Active specifies indicates whether the 
   AutostartIKEConfiguration set is currently active for the associated 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 69] 72] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   IKEService.  That is, at boot time, the active configuration is used 
   to automatically start IKE negotiations and create static SAs.  The 
   property is defined as follows: 
    
   NAME         Active 
   DESCRIPTION  Active indicates whether the AutostartIKEConfiguration 
                set is currently active for the associated IKEService. 
   SYNTAX       boolean 
   VALUE        true - AutostartIKEConfiguration is currently active 
                for associated IKEService. 
                false - AutostartIKEConfiguration is currently inactive  
                for associated IKEService. 
    
8.15. The Association Class IKEUsesCredentialManagementService 
    
   The class IKEUsesCredentialManagementService defines the set of 
   CredentialManagementService(s) that are trusted sources of 
   credentials for IKE phase 1 negotiations.  The class definition for 
   IKEUsesCredentialManagementService is as follows: 
    
   NAME         IKEUsesCredentialManagementService 
   DESCRIPTION  Associates the set of CredentialManagementService(s) 
                that are trusted by the IKEService as sources of 
                credentials used in IKE phase 1 negotiations. 
   DERIVED FROM Dependency (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref CredentialManagementService [0..n]] 
                Dependent [ref IKEService [0..n]] 
                  
8.15.1. The Reference Antecedent 
    
   The property Antecedent is inherited from Dependency and is 
   overridden to refer to a CredentialManagementService instance.  The 
   [0..n] cardinality indicates that an IKEService instance may be 
   associated with zero or more CredentialManagementService instances. 
    
8.15.2. The Reference Dependent 
    
   The property Dependent is inherited from Dependency and is 
   overridden to refer to an IKEService instance.  The [0..n] 
   cardinality indicates that a CredentialManagementService instance 
   may be associated with zero or more IKEService instances. 
 
8.16. The Association Class EndpointHasLocalIKEIdentity 
    
   The class EndpointHasLocalIKEIdentity associates an 
   IPProtocolEndpoint with a set of IKEIdentity instances that may be 
   used in negotiating security associations on the endpoint.  An 
   IKEIdentity MUST be associated with either an IPProtocolEndpoint 
   using this association or with a collection of IKEIdentity instances 
   using the CollectionHasLocalIKEIdentity association.  The class 
   definition for EndpointHasLocalIKEIdentity is as follows: 
    
  
Jason, et al           Expires September 2001 20-January-2002              [Page 70] 73] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   NAME         EndpointHasLocalIKEIdentity 
   DESCRIPTION  EndpointHasLocalIKEIdentity associates an 
                IPProtocolEndpoint with a set of IKEIdentity instances. 
   DERIVED FROM ElementAsUser (see Appendix B) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref IPProtocolEndpoint [0..1]] 
                Dependent [ref IKEIdentity [0..n]] 
                  
8.16.1. The Reference Antecedent 
    
   The property Antecedent is inherited from ElementAsUser and is 
   overridden to refer to an IPProtocolEndpoint instance.  The [0..1] 
   cardinality indicates that an IKEIdentity instance MUST be 
   associated with at most one IPProtocolEndpoint instance. 
    
8.16.2. The Reference Dependent 
    
   The property Dependent is inherited from ElementAsUser and is 
   overridden to refer to an IKEIdentity instance.  The [0..n] 
   cardinality indicates that an IPProtocolEndpoint instance may be 
   associated with zero or more IKEIdentity instances. 
 
8.17. The Association Class CollectionHasLocalIKEIdentity 
    
   The class CollectionHasLocalIKEIdentity associates a Collection of  
   IPProtocolEndpoint instances with a set of IKEIdentity instances 
   that may be used in negotiating SAs for endpoints in the collection. 
   An IKEIdentity MUST be associated with either an IPProtocolEndpoint 
   using the EndpointHasLocalIKEIdentity association or with a 
   collection of IKEIdentity instances using this association.  The 
   class definition for CollectionHasLocalIKEIdentity is as follows: 
    
   NAME         CollectionHasLocalIKEIdentity 
   DESCRIPTION  CollectionHasLocalIKEIdentity associates a collection 
                of IPProtocolEndpoint instances with a set of 
                IKEIdentity instances. 
   DERIVED FROM ElementAsUser (see Appendix B) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref Collection [0..1]] 
                Dependent [ref IKEIdentity [0..n]] 
                  
8.17.1. The Reference Antecedent 
    
   The property Antecedent is inherited from ElementAsUser and is 
   overridden to refer to a Collection instance.  The [0..1] 
   cardinality indicates that an IKEIdentity instance MUST be 
   associated with at most one Collection instance. 
    
8.17.2. The Reference Dependent 
    
   The property Dependent is inherited from ElementAsUser and is 
   overridden to refer to an IKEIdentity instance.  The [0..n] 

  
Jason, et al           Expires September 2001 20-January-2002              [Page 71] 74] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   cardinality indicates that a Collection instance may be associated 
   with zero or more IKEIdentity instances. 
 
8.18. The Association Class IKEIdentitysCredential 
    
   The class IKEIdentitysCredential is an association that relates a 
   set of credentials to their corresponding local IKE Identities.  The 
   class definition for IKEIdentitysCredential is as follows: 
    
   NAME         IKEIdentitysCredential 
   DESCRIPTION  IKEIdentitysCredential associates a set of credentials 
                to their corresponding local IKEIdentity. 
   DERIVED FROM UsersCredential (see Appendix A) 
   ABSTRACT     FALSE 
   PROPERTIES   Antecedent [ref Credential [0..n]] 
                Dependent [ref IKEIdentity [0..n]] 
                  
8.18.1. The Reference Antecedent 
    
   The property Antecedent is inherited from UsersCredential and is 
   overridden to refer to a Credential instance.  The [0..n] 
   cardinality indicates that IKEIdentity instance may be associated 
   with zero or more Credential instances. 
    
8.18.2. The Reference Dependent 
    
   The property Dependent is inherited from UsersCredential and is 
   overridden to refer to an IKEIdentity instance.  The [0..n] 
   cardinality indicates that a Credential instance may be associated 
   with zero or more IKEIdentity instances. 
 
9. Security Considerations 
    
   This document describes a schema for IPsec policy.  It does not 
   detail security requirements for storage or delivery of said schema.  
   Storage and delivery security requirements should be detailed in a 
   comprehensive security policy architecture document. 
    
10. Intellectual Property Implementation Requirements 
    
   The IETF takes no position regarding the validity or scope of any 
   intellectual property or other rights that might be claimed to 
   pertain to the implementation or use of the technology described in 
   this document or the extent to following tables specifies which any license under such rights 
   might or might not be available; neither does it represent that it 
   has made any effort to identify any such rights. Information on the 
   IETF's procedures with respect to rights in standards-track and 
   standards-related documentation can be found in BCP-11. 
    
   Copies of claims of rights made available for publication classes, properties, 
   associations and any 
   assurances of licenses to be made available, aggregations MUST or the result of an 
   attempt made to obtain a general license SHOULD or permission for the use MAY be implemented. 
    
   4. Policy Classes 
   4.1. The Class IPsecPolicyGroup................................MUST 
   4.2. The Class SARule..........................................MUST 
   4.2.1. The Property PolicyRuleName..............................MAY 
   4.2.1. The Property Enabled....................................MUST 
   4.2.1. The Property ConditionListType..........................MUST 
   4.2.1. The Property RuleUsage...................................MAY 
   4.2.1. The Property Mandatory...................................MAY 
   4.2.1. The Property SequencedActions...........................MUST 
   4.2.1. The Property PolicyRoles.................................MAY 
   4.2.1. The Property PolicyDecisionStrategy......................MAY 
   4.2.2  The Property ExecutionStrategy..........................MUST 
   4.2.3  The Property LimitNegotiation............................MAY 
   4.3. The Class IKERule.........................................MUST 
   4.3.1. The Property IdentityContexts............................MAY 
   4.4. The Class IPsecRule.......................................MUST 
   4.5.3. The Property GroupPriority..............................MUST 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 72] 75] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   of such proprietary rights by implementers or users of this 
   specification can be obtained from the IETF Secretariat. 
 
 
   4.6. The IETF invites any interested party to bring to its attention any 
   copyrights, patents or patent applications, or other proprietary 
   rights which may cover technology that may be required to practice 
   this standard. Please address the information to the IETF Executive 
   Director. 
    
11. Acknowledgments Association Class IpsecPolicyForEndpoint...............MAY 
   4.6.1. The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire, 
   Vic Lortz, and William Dixon for their contributions to this IPsec 
   policy model. 
    
   Additionally, this draft would not have been possible without the 
   preceding IPsec schema drafts.  For that, thanks go out to Rob 
   Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju 
   Rajan. 
    
12. References 
    
   [IKE] Harkins, D., and D. Carrel, "The Reference Antecedent................................MUST 
   4.6.2. The Reference Dependent.................................MUST 
   4.7. The Association Class IPsecPolicyForSystem.................MAY 
   4.7.1. The Reference Antecedent................................MUST 
   4.7.2. The Reference Dependent.................................MUST 
   4.8. The Aggregation Class RuleForIKENegotiation...............MUST 
   4.8.1. The Property Priority.................................SHOULD 
   4.8.2. The Reference GroupComponent............................MUST 
   4.8.3. The Reference PartComponent.............................MUST 
   4.9. The Aggregation Class RuleForIPsecNegotiation.............MUST 
   4.9.1. The Property Priority.................................SHOULD 
   4.9.2. The Reference GroupComponent............................MUST 
   4.9.3. The Reference PartComponent.............................MUST 
   4.10. The Aggregation Class SAConditionInRule..................MUST 
   4.10.1. The Property GroupNumber.............................SHOULD 
   4.10.1. The Property ConditionNegated........................SHOULD 
   4.10.2. The Reference GroupComponent...........................MUST 
   4.10.3. The Reference PartComponent............................MUST 
   4.11. The Aggregation Class PolicyActionInSARule...............MUST 
   4.11.1. The Reference GroupComponent...........................MUST 
   4.11.2. The Reference PartComponent............................MUST 
   4.11.3. The Property ActionOrder.............................SHOULD 
   5. Condition and Filter Classes 
   5.1. The Class SACondition.....................................MUST 
   5.2. The Class IPHeaderFilter................................SHOULD 
   5.3. The Class CredentialFilterEntry............................MAY 
   5.3.1. The Property MatchFieldName.............................MUST 
   5.3.2. The Property MatchFieldValue............................MUST 
   5.3.3. The Property CredentialType.............................MUST 
   5.4. The Class IPSOFilterEntry..................................MAY 
   5.4.1. The Property MatchConditionType.........................MUST 
   5.4.2. The Property MatchConditionValue........................MUST 
   5.5. The Class PeerIDPayloadFilterEntry.........................MAY 
   5.5.1. The Property MatchIdentityType..........................MUST 
   5.5.2. The Property MatchIdentityValue.........................MUST 
   5.6. The Association Class FilterOfSACondition...............SHOULD 
   5.6.1. The Reference Antecedent................................MUST 
   5.6.2. The Reference Dependent.................................MUST 
   5.7. The Association Class AcceptCredentialFrom.................MAY 
   5.7.1. The Reference Antecedent................................MUST 
   5.7.2. The Reference Dependent.................................MUST 
   6. Action Classes 
   6.1. The Class SAAction........................................MUST 
   6.1.1. The Property DoActionLogging.............................MAY 
   6.1.2. The Property DoPacketLogging.............................MAY 
   6.2. The Class SAStaticAction..................................MUST 
   6.2.1. The Property LifetimeSeconds............................MUST 
   6.3. The Class IPsecBypassAction.............................SHOULD 
   6.4. The Class IPsecDiscardAction............................SHOULD 
   6.5. The Class IKERejectAction..................................MAY 
   6.6. The Class PreconfiguredSAAction...........................MUST 
   6.6.1. The Property LifetimeKilobytes..........................MUST 
  
Jason, et al           Expires 20-January-2002              [Page 76] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   6.7. The Class PreconfiguredTransportAction....................MUST 
   6.8. The Class PreconfiguredTunnelAction.......................MUST 
   6.8.1. The Property DFHandling.................................MUST 
   6.9. The Class SANegotiationAction.............................MUST 
   6.9.1. The Property MinLifetimeSeconds..........................MAY 
   6.9.2. The Property MinLifetimeKilobytes........................MAY 
   6.9.3. The Property RefreshThresholdSeconds.....................MAY 
   6.9.4. The Property RefreshThresholdKilobytes...................MAY 
   6.9.5. The Property IdleDurationSeconds.........................MAY 
   6.10. The Class IPsecAction....................................MUST 
   6.10.1. The Property UsePFS....................................MUST 
   6.10.2. The Property UseIKEGroup................................MAY 
   6.10.3. The Property GroupId...................................MUST 
   6.10.4. The Property Granularity.............................SHOULD 
   6.10.5. The Property VendorID...................................MAY 
   6.11. The Class IPsecTransportAction...........................MUST 
   6.12. The Class IPsecTunnelAction..............................MUST 
   6.12.1. The Property DFHandling................................MUST 
   6.13. The Class IKEAction......................................MUST 
   6.13.1. The Property RefreshThresholdDerivedKeys................MAY 
   6.13.2. The Property ExchangeMode..............................MUST 
   6.13.3. The Property UseIKEIdentityType........................MUST 
   6.13.4. The Property VendorID...................................MAY 
   6.13.5. The Property AggressiveModeGroupId......................MAY 
   6.14. The Class PeerGateway....................................MUST 
   6.14.1. The Property Name....................................SHOULD 
   6.14.2. The Property PeerIdentityType..........................MUST 
   6.14.3. The Property PeerIdentity..............................MUST 
   6.15. The Association Class PeerGatewayForTunnel...............MUST 
   6.15.1. The Reference Antecedent...............................MUST 
   6.15.2. The Reference Dependent................................MUST 
   6.15.3. The Property SequenceNumber..........................SHOULD 
   6.16. The Aggregation Class ContainedProposal..................MUST 
   6.16.1. The Reference GroupComponent...........................MUST 
   6.16.2. The Reference PartComponent............................MUST 
   6.16.3. The Property SequenceNumber............................MUST 
   6.17. The Association Class HostedPeerGatewayInformation........MAY 
   6.17.1. The Reference Antecedent...............................MUST 
   6.17.2. The Reference Dependent................................MUST 
   6.18. The Association Class TransformOfPreconfiguredAction.....MUST 
   6.18.1. The Reference Antecedent...............................MUST 
   6.18.2. The Reference Dependent................................MUST 
   6.18.3. The Property SPI.......................................MUST 
   6.18.4. The Property Direction.................................MUST 
   6.19. The Association Class PeerGatewayForPreconfiguredTunnel..MUST 
   6.19.1. The Reference Antecedent...............................MUST 
   6.19.2. The Reference Dependent................................MUST 
   7. Proposal and Transform Classes 
   7.1. The Abstract Class SAProposal.............................MUST 
   7.1.1. The Property Name.....................................SHOULD 
   7.2. The Class IKEProposal.....................................MUST 
   7.2.1. The Property LifetimeDerivedKeys.........................MAY 
   7.2.2. The Property CipherAlgorithm............................MUST 
  
Jason, et al           Expires 20-January-2002              [Page 77] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   7.2.3. The Property HashAlgorithm..............................MUST 
   7.2.4. The Property PRFAlgorithm................................MAY 
   7.2.5. The Property GroupId....................................MUST 
   7.2.6. The Property AuthenticationMethod.......................MUST 
   7.2.7. The Property MaxLifetimeSeconds.........................MUST 
   7.2.8. The Property MaxLifetimeKilobytes.......................MUST 
   7.2.9. The Property VendorID....................................MAY 
   7.3. The Class IPsecProposal...................................MUST 
   7.4. The Abstract Class SATransform............................MUST 
   7.4.1. The Property TransformName............................SHOULD 
   7.4.2. The Property VendorID....................................MAY 
   7.4.3. The Property MaxLifetimeSeconds.........................MUST 
   7.4.4. The Property MaxLifetimeKilobytes.......................MUST 
   7.5. The Class AHTransform.....................................MUST 
   7.5.1. The Property AHTransformId..............................MUST 
   7.5.2. The Property UseReplayPrevention.........................MAY 
   7.5.3. The Property ReplayPreventionWindowSize..................MAY 
   7.6. The Class ESPTransform....................................MUST 
   7.6.1. The Property IntegrityTransformId.......................MUST 
   7.6.2. The Property CipherTransformId..........................MUST 
   7.6.3. The Property CipherKeyLength.............................MAY 
   7.6.4. The Property CipherKeyRounds.............................MAY 
   7.6.5. The Property UseReplayPrevention.........................MAY 
   7.6.6. The Property ReplayPreventionWindowSize..................MAY 
   7.7. The Class IPCOMPTransform..................................MAY 
   7.7.1. The Property Algorithm..................................MUST 
   7.7.2. The Property DictionarySize..............................MAY 
   7.7.3. The Property PrivateAlgorithm............................MAY 
   7.8. The Association Class SAProposalInSystem...................MAY 
   7.8.1. The Reference Antecedent................................MUST 
   7.8.2. The Reference Dependent.................................MUST 
   7.9. The Aggregation Class ContainedTransform..................MUST 
   7.9.1. The Reference GroupComponent............................MUST 
   7.9.2. The Reference PartComponent.............................MUST 
   7.9.3. The Property SequenceNumber.............................MUST 
   7.10. The Association Class SATransformInSystem.................MAY 
   7.10.1. The Reference Antecedent...............................MUST 
   7.10.2. The Reference Dependent................................MUST 
   8. IKE Service and Identity Classes 
   8.1. The Class IKEService.......................................MAY 
   8.2. The Class PeerIdentityTable................................MAY 
   8.3.1. The Property Name.....................................SHOULD 
   8.3. The Class PeerIdentityEntry................................MAY 
   8.3.1. The Property PeerIdentity.............................SHOULD 
   8.3.2. The Property PeerIdentityType.........................SHOULD 
   8.3.3. The Property PeerAddress..............................SHOULD 
   8.3.4. The Property PeerAddressType..........................SHOULD 
   8.4. The Class AutostartIKEConfiguration........................MAY 
   8.5. The Class AutostartIKESetting..............................MAY 
   8.5.1. The Property Phase1Only..................................MAY 
   8.5.2. The Property AddressType..............................SHOULD 
   8.5.3. The Property SourceAddress..............................MUST 
   8.5.4. The Property SourcePort.................................MUST 
  
Jason, et al           Expires 20-January-2002              [Page 78] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   8.5.5. The Property DestinationAddress.........................MUST 
   8.5.6. The Property DestinationPort............................MUST 
   8.5.7. The Property Protocol...................................MUST 
   8.6. The Class IKEIdentity......................................MAY 
   8.6.1. The Property IdentityType...............................MUST 
   8.6.2. The Property IdentityValue..............................MUST 
   8.6.3. The Property IdentityContexts............................MAY 
   8.7. The Association Class HostedPeerIdentityTable..............MAY 
   8.7.1. The Reference Antecedent................................MUST 
   8.7.2. The Reference Dependent.................................MUST 
   8.8. The Aggregation Class PeerIdentityMember...................MAY 
   8.8.1. The Reference Collection................................MUST 
   8.8.2. The Reference Member....................................MUST 
   8.9. The Association Class IKEServicePeerGateway................MAY 
   8.9.1. The Reference Antecedent................................MUST 
   8.9.2. The Reference Dependent.................................MUST 
   8.10. The Association Class IKEServicePeerIdentityTable.........MAY 
   8.10.1. The Reference Antecedent...............................MUST 
   8.10.2. The Reference Dependent................................MUST 
   8.11. The Association Class IKEAutostartSetting.................MAY 
   8.11.1. The Reference Element..................................MUST 
   8.11.2. The Reference Setting..................................MUST 
   8.12. The Aggregation Class AutostartIKESettingContext..........MAY 
   8.12.1. The Reference Context..................................MUST 
   8.12.2. The Reference Setting..................................MUST 
   8.12.3. The Property SequenceNumber..........................SHOULD 
   8.13. The Association Class IKEServiceForEndpoint...............MAY 
   8.13.1. The Reference Antecedent...............................MUST 
   8.13.2. The Reference Dependent................................MUST 
   8.14. The Association Class IKEAutostartConfiguration...........MAY 
   8.14.1. The Reference Antecedent...............................MUST 
   8.14.2. The Reference Dependent................................MUST 
   8.14.3. The Property Active..................................SHOULD 
   8.15. The Association Class IKEUsesCredentialManagementService..MAY 
   8.15.1. The Reference Antecedent...............................MUST 
   8.15.2. The Reference Dependent................................MUST 
   8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY 
   8.16.1. The Reference Antecedent...............................MUST 
   8.16.2. The Reference Dependent................................MUST 
   8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY 
   8.17.1. The Reference Antecedent...............................MUST 
   8.17.2. The Reference Dependent................................MUST 
   8.18. The Association Class IKEIdentitysCredential..............MAY 
   8.18.1. The Reference Antecedent...............................MUST 
   8.18.2. The Reference Dependent................................MUST 
    
    
10. Security Considerations 
    
   This document describes a schema for IPsec policy.  It does not 
   detail security requirements for storage or delivery of said schema.  
   Storage and delivery security requirements should be detailed in a 
   comprehensive security policy architecture document. 
  
Jason, et al           Expires 20-January-2002              [Page 79] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    
11. Intellectual Property 
    
   The IETF takes no position regarding the validity or scope of any 
   intellectual property or other rights that might be claimed to 
   pertain to the implementation or use of the technology described in 
   this document or the extent to which any license under such rights 
   might or might not be available; neither does it represent that it 
   has made any effort to identify any such rights. Information on the 
   IETF's procedures with respect to rights in standards-track and 
   standards-related documentation can be found in BCP-11. 
    
   Copies of claims of rights made available for publication and any 
   assurances of licenses to be made available, or the result of an 
   attempt made to obtain a general license or permission for the use 
   of such proprietary rights by implementers or users of this 
   specification can be obtained from the IETF Secretariat. 
    
   The IETF invites any interested party to bring to its attention any 
   copyrights, patents or patent applications, or other proprietary 
   rights which may cover technology that may be required to practice 
   this standard. Please address the information to the IETF Executive 
   Director. 
    
12. Acknowledgments 
    
   The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire, 
   Vic Lortz, and William Dixon for their contributions to this IPsec 
   policy model. 
    
   Additionally, this draft would not have been possible without the 
   preceding IPsec schema drafts.  For that, thanks go out to Rob 
   Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju 
   Rajan. 
    
13. References 
    
   [IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)", 
   RFC 2409, November 1998. 
    
   [COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP 
   Payload Compression Protocol (IPComp)", RFC 2393, August 1998. 
    
   [ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload 
   (ESP)", RFC 2406, November 1998. 
    
   [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 
   2402, November 1998. 
    
   [PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core 
   Information Model -- Version 1 Specification", RFC 3060, February 
   2001. 
    
  
Jason, et al           Expires 20-January-2002              [Page 80] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   [DOI] Piper, D., "The Internet IP Security Domain of Interpretation 
   for ISAKMP", RFC 2407, November 1998. 
    
   [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory 
   Access Protocol (v3)", RFC 2251, December 1997. 
    
   [COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A. 
   Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748, 
   January 2000.  Internet-Draft work in progress. 
    
   [COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie, 
   F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for 
   Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000.  
   Internet-Draft work in progress. 
    
   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate 
   Requirement Levels", BCP 14, RFC 2119, March 1997. 
    
   [IPSO] Kent, S., "U.S. Department of Defense Security Options for 
   the Internet Protocol", RFC 1108, November 1991. 
    
   [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the 
   Internet Protocol", RFC 2401, November 1998. 
 
14. Disclaimer 
    
   The views and specification herein are those of the authors and are 
   not necessarily those of their employer.  The authors and their 
   employer specifically disclaim responsibility for any problems 
   arising from correct or incorrect implementation or use of this 
   specification. 
    
15. Authors' Addresses 
    
      Jamie Jason 
      Intel Corporation 
      MS JF3-206 
      2111 NE 25th Ave. 
      Hillsboro, OR 97124 
      E-Mail: jamie.jason@intel.com 
    
      Lee Rafalow 
      IBM Corporation, BRQA/502 
      4205 So. Miami Blvd. 
      Research Triangle Park, NC 27709 
      E-mail:  rafalow@raleigh.ibm.com 
    
      Eric Vyncke 
      Cisco Systems 
      Avenue Marcel Thiry, 77 
      B-1200 Brussels 
      Belgium 
      E-mail: evyncke@cisco.com 
  
Jason, et al           Expires 20-January-2002              [Page 81] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    
16. Full Copyright Statement 
    
   Copyright (C) The Internet Society (1999).  All Rights Reserved. 
    
   This document and translations of it maybe copied and furnished to 
   others, and derivative works that comment on or otherwise explain it 
   or assist in its implementation may be prepared, copied, published 
   and distributed, in whole or in part, without restriction of any 
   kind, provided that the above copyright notice and this paragraph 
   are included on all such copies and derivative works.  However, this 
   document itself may not be modified in any way, such as by removing 
   the copyright notice or references to the Internet Society or other 
   Internet organizations, except as needed for the purpose of 
   developing Internet standards in which case the procedures for 
   copyrights defined in the Internet Standards process must be 
   followed, or as required to translate it into languages other then 
   English. 
    
   The limited permissions granted above are perpetual and will not be 
   revoked by the Internet Society or its successors or assigns. 
    
   This document and the information contained herein is provided on an 
   "AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING 
   TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON 
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF 
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
    
Appendix A (DMTF Core Model MOF) 
    
// ================================================================== 
// ManagedElement 
// ==================================================================  
   [Abstract, Description ( 
   "ManagedElement is an abstract class that provides a common "   
        "superclass (or top of the inheritance tree) for the " 
        "non-association classes in the CIM Schema.")] 
   class CIM_ManagedElement    
   {   
     [MaxLen (64), Description (   
      "The Caption property is a short textual description (one-"     
      "line string) of the object.") ]    
     string Caption;   
     [Description (   
      "The Description property provides a textual description of " 
      "the object.") ]    
     string Description;     
   }; 
 
// ================================================================== 
// Collection  
// ==================================================================  
  
Jason, et al           Expires 20-January-2002              [Page 82] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
  [Abstract, Description (    
   "Collection is an abstract class that provides a common"    
   "superclass for data elements that represent collections of " 
   "ManagedElements and its subclasses.")] 
  class CIM_Collection : CIM_ManagedElement     
  {    
  }; 
 
// ==================================================================  
//    ManagedSystemElement 
// ================================================================== 
        [Abstract, Description ( 
         "CIM_ManagedSystemElement is the base class for the System " 
         "Element hierarchy. Membership Criteria: Any distinguishable " 
         "component of a System is a candidate for inclusion in this " 
         "class. Examples: software components, such as files; and " 
         "devices, such as disk drives and controllers, and physical " 
         "components such as chips and cards.") ]  
class CIM_ManagedSystemElement : CIM_ManagedElement 
{ 
        [Description ( 
         "A datetime value indicating when the object was installed. " 
         "A lack of a value does not indicate that the object is not " 
         "installed."),  
         MappingStrings {"MIF.DMTF|ComponentID|001.5"} ]  
    datetime InstallDate; 
        [MaxLen (256), Description ( 
         "The Name property defines the label by which the object is " 
         "known. When subclassed, the Name property can be overridden " 
         "to be a Key property.") ]  
    string Name; 
         [MaxLen (10), Description (  
         "  A string indicating the current status of the object. "  
         "Various operational and non-operational statuses are "  
         "defined. Operational statuses are \"OK\", \"Degraded\", "  
         "\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that "  
         "the Element is functioning, but needs attention. Examples "  
         "of \"Stressed\" states are overload, overheated, etc. The "  
         "condition \"Pred Fail\" (failure predicted) indicates that "  
         "an Element is functioning properly but predicting a failure "  
         "in the near future. An example is a SMART-enabled hard "  
         "drive. \n"  
         "  Non-operational statuses can also be specified. These "  
         "are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", "  
         "\"Stopped\", "  
         "\"Service\",\"No Contact\" and \"Lost Comm\". \"NonRecover\""  
         "indicates that a non-recoverable error has occurred. "  
         "\"Service\" describes an Element being configured, " 
         "maintained,"  
         "cleaned, or otherwise administered. This status could apply "  
         "during mirror-resilvering of a disk, reload of a user "  
         "permissions list, or other administrative task. Not all " 
         "such "  
  
Jason, et al           Expires 20-January-2002              [Page 83] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "work is on-line, yet the Element is neither \"OK\" nor in "  
         "one of the other states. \"No Contact\" indicates that the "  
         "current instance of the monitoring system has knowledge of "  
         "this Element but has never been able to establish "  
         "communications with it. \"Lost Comm\" indicates that "  
         "the ManagedSystemElement is known to exist and has been "  
         "contacted successfully in the past, but is currently " 
         "unreachable."  
         "\"Stopped\" indicates that the ManagedSystemElement is " 
         "known "  
         "to exist, it is not operational (i.e. it is unable to "  
         "provide service to users), but it has not failed. It " 
         "has purposely "  
         "been made non-operational. The Element "  
         "may have never been \"OK\", the Element may have initiated " 
         "its "  
         "own stop, or a management system may have initiated the " 
         "stop."),  
         ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail",  
             "Starting", "Stopping", "Service", "Stressed",  
             "NonRecover", "No Contact", "Lost Comm", "Stopped"} ]  
    string Status;  
}; 
 
// ================================================================== 
//    LogicalElement 
// ================================================================== 
        [Abstract, Description ( 
         "CIM_LogicalElement is a base class for all the components " 
         "of " 
         "a System that represent abstract system components, such " 
         "as Files, Processes, or system capabilities in the form " 
         "of Logical Devices.") ]  
class CIM_LogicalElement:CIM_ManagedSystemElement 
{ 
}; 
      
// ================================================================== 
//     CIM_SystemConfiguration 
// ================================================================== 
        [Description ( 
         "CIM_SystemConfiguration represents the general concept " 
         "of a CIM_Configuration which is scoped by/weak to a " 
         "System. This class is a peer of CIM_Configuration since " 
         "the key structure of Configuration is currently " 
         "defined and cannot be modified with additional " 
         "properties.")] 
class CIM_SystemConfiguration : CIM_ManagedElement { 
       [Propagated ("CIM_System.CreationClassName"), Key,  
        MaxLen (256), Description ( 
        "The scoping System's CreationClassName.") ]  
    string SystemCreationClassName; 
       [Propagated ("CIM_System.Name"), Key, MaxLen (256), 
  
Jason, et al           Expires 20-January-2002              [Page 84] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
        Description ("The scoping System's Name.") ]  
    string SystemName; 
       [Key, MaxLen (256), Description ( 
        "CreationClassName indicates the name of the class or the " 
        "subclass used in the creation of an instance. When used " 
        "with the other key properties of this class, this property " 
        "allows all instances of this class and its subclasses to " 
        "be uniquely identified.") ] 
    string CreationClassName; 
        [Key, MaxLen (256), Description ( 
         "The label by which the Configuration object is known.") ] 
   string Name; 
}; 
 
// =================================================================== 
//    Setting 
// =================================================================== 
        [Abstract, Description ( 
         "The Setting class represents configuration-related and " 
         "operational parameters for one or more ManagedSystem" 
         "Element(s). A ManagedSystemElement may have multiple " 
         "Setting " 
         "objects associated with it. The current operational values " 
         "for an Element's parameters are reflected by properties in " 
         "the Element itself or by properties in its associations. " 
         "These properties do not have to be the same values present " 
         "in the Setting object. For example, a modem may have a " 
         "Setting baud rate of 56Kb/sec but be operating " 
         "at 19.2Kb/sec.") ] 
class CIM_Setting : CIM_ManagedElement 
{ 
        [MaxLen (256), Description ( 
         "The identifier by which the Setting object is known.") ] 
   string SettingID; 
         [Description ( 
         "The VerifyOKToApplyToMSE method is used to verify that " 
         "this Setting can be 'applied' to the referenced Managed" 
         "SystemElement, at the given time or time interval. This " 
         "method takes three input parameters: MSE (the Managed" 
         "SystemElement that is being verified), TimeToApply (which, " 
         "being a datetime, can be either a specific time or a time " 
         "interval), and MustBeCompletedBy (which indicates the " 
         "required completion time for the method). The return " 
         "value should be 0 if it is OK to apply the Setting, 1 if " 
         "the method is not supported, 2 if the Setting can not be " 
         "applied within the specified times, and any other number " 
         "if an error occurred. In a subclass, the " 
         "set of possible return codes could be specified, using a " 
         "ValueMap qualifier on the method. The strings to which the " 
         "ValueMap contents are 'translated' may also be specified in " 
         "the subclass as a Values array qualifier.") ] 
   uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,  
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); 
  
Jason, et al           Expires 20-January-2002              [Page 85] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
        [Description ( 
         "The ApplyToMSE method performs the actual application of " 
         "the Setting to the referenced ManagedSystemElement. It " 
         "takes three input parameters: MSE (the ManagedSystem" 
         "Element to which the Setting is being applied), " 
         "TimeToApply (which, being a datetime, can be either a " 
         "specific time or a time interval), and MustBeCompletedBy " 
         "(which indicates the required completion time for the " 
         "method). Note that the semantics of this method are that " 
         "individual Settings are either wholly applied or not " 
         "applied at all to their target ManagedSystemElement. The " 
         "return value should be 0 if the Setting is successfully " 
         "applied to the referenced ManagedSystemElement, 1 if the " 
         "method is not supported, 2 if the Setting was not applied " 
         "within the specified times, and any other number if an " 
         "error occurred. In a subclass, the set of possible return " 
         "codes could be specified, using a ValueMap qualifier on " 
         "the method. The strings to which the ValueMap contents are " 
         "'translated' may also be specified in the subclass as a " 
         "Values array qualifier.\n" 
         "Note: If an error occurs in applying the Setting to a " 
         "ManagedSystemElement, the Element must be configured as " 
         "when the 'apply' attempt began. That is, the Element " 
         "should NOT be left in an indeterminate state.") ] 
   uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,  
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); 
        [Description ( 
         "The VerifyOKToApplyToCollection method is used to verify " 
         "that this Setting can be 'applied' to the referenced " 
         "Collection of ManagedSystemElements, at the given time " 
         "or time interval, without causing adverse effects to " 
         "either the Collection itself or its surrounding " 
         "environment. The net effect is to execute the " 
         "VerifyOKToApply method against each of the Elements " 
         "aggregated by the Collection. This method takes three " 
         "input parameters: Collection (the Collection of Managed" 
         "SystemElements that is being verified), TimeToApply (which, " 
         "being a datetime, can be either a specific time or a time " 
         "interval), and MustBeCompletedBy (which indicates the " 
         "required completion time for the method). The return " 
         "value should be 0 if it is OK to apply the Setting, 1 if " 
         "the method is not supported, 2 if the Setting can not be " 
         "applied within the specified times, and any other number if " 
         "an error occurred. One output parameter is defined - " 
         "CanNotApply - which is a string array that lists the keys " 
         "of " 
         "the ManagedSystemElements to which the Setting can NOT be " 
         "applied. This enables those Elements to be revisited and " 
         "either fixed, or other corrective action taken.\n" 
         "In a subclass, the set of possible return codes could be " 
         "specified, using a ValueMap qualifier on the method. The " 
         "strings to which the ValueMap contents are 'translated' may " 
         "also be specified in the subclass as a Values array " 
  
Jason, et al           Expires 20-January-2002              [Page 86] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "qualifier.") ]  
   uint32 VerifyOKToApplyToCollection ( 
    [IN] CIM_CollectionOfMSEs ref Collection, 
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy, 
    [OUT] string CanNotApply[]); 
        [Description ( 
         "The ApplyToCollection method performs the application of " 
         "the Setting to the referenced Collection of ManagedSystem" 
         "Elements. The net effect is to execute the ApplyToMSE " 
         "method against each of the Elements aggregated by the " 
         "Collection. If the input value ContinueOnError is FALSE, " 
         "this method applies the Setting to all Elements in the " 
         "Collection until it encounters an error, in which case it " 
         "stops execution, logs the key of the Element that caused " 
         "the error in the CanNotApply array, and issues a return " 
         "code " 
         "of 2. If the input value ContinueOnError is TRUE, then this " 
         "method applies the Setting to all the ManagedSystemElements " 
         "in the Collection, and reports the failed Elements in the " 
         "array, CanNotApply. For the latter, processing will " 
         "continue " 
         "until the method is applied to all Elements in the " 
         "Collection, regardless of any errors encountered. The key " 
         "of " 
         "each ManagedSystemElement to which the Setting could not be " 
         "applied is logged into the CanNotApply array. This method " 
         "takes four input parameters: Collection (the Collection of " 
         "Elements to which the Setting is being applied), " 
         "TimeToApply " 
         "(which, being a datetime, can be either a specific time or " 
         "a " 
         "time interval), ContinueOnError (TRUE means to continue " 
         "processing on encountering an error), and MustBeCompletedBy " 
         "(which indicates the required completion time for the " 
         "method). The return value should be 0 if the Setting is " 
         "successfully applied to the referenced Collection, 1 if the " 
         "method is not supported, 2 if the Setting was not applied " 
         "within the specified times, 3 if the Setting can not be " 
         "applied using the input value for ContinueOnError, and any " 
         "other number if an error occurred. One output parameter is " 
         "defined, CanNotApplystring, which is an array that lists " 
         "the keys of the ManagedSystemElements to which the Setting " 
         "was NOT able to be applied. This output parameter has " 
         "meaning only when the ContinueOnError parameter is TRUE.\n" 
         "In a subclass, the set of possible return codes could be " 
         "specified, using a ValueMap qualifier on the method. The " 
         "strings to which the ValueMap contents are 'translated' may " 
         "also be specified in the subclass as a Values array " 
         "qualifier.\n" 
         "Note: if an error occurs in applying the Setting to a " 
         "ManagedSystemElement in the Collection, the Element must be " 
         "configured as when the 'apply' attempt began. That is, the " 
         "Element should NOT be left in an indeterminate state.") ] 
  
Jason, et al           Expires 20-January-2002              [Page 87] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection,  
    [IN] datetime TimeToApply, [IN] boolean ContinueOnError, 
    [IN] datetime MustBeCompletedBy, [OUT] string CanNotApply[]); 
                 [Description (  
         "The VerifyOKToApplyIncrementalChangeToMSE method "  
         "is used to verify that a subset of the properties in "  
         "this Setting can be 'applied' to the referenced Managed"  
         "SystemElement, at the given time or time interval. This "  
         "method takes four input parameters: MSE (the Managed"  
         "SystemElement that is being verified), TimeToApply (which, "  
         "being a datetime, can be either a specific time or a time "  
         "interval), MustBeCompletedBy (which indicates the "  
         "required completion time for the method), and a "  
         "PropertiesToApply array (which contains a list of the "  
         "property names whose values will be verified. "  
         "If they array is null or empty or constains the string " 
         "\"all\" "  
         "as a property name then all Settings properties shall be "  
         "verified.  If it is set to \"none\" then no Settings " 
         "properties "  
         "will be verified). The return "  
         "value should be 0 if it is OK to apply the Setting, 1 if "  
         "the method is not supported, 2 if the Setting can not be "  
         "applied within the specified times, and any other number "  
         "if an error occurred. In a subclass, the "  
         "set of possible return codes could be specified, using a "  
         "ValueMap qualifier on the method. The strings to which the "  
         "ValueMap contents are 'translated' may also be specified in "  
         "the subclass as a Values array qualifier.") ]  
   uint32 VerifyOKToApplyIncrementalChangeToMSE(  
    [IN] CIM_ManagedSystemElement ref MSE,  
    [IN] datetime TimeToApply,  
    [IN] datetime MustBeCompletedBy,  
    [IN] string PropertiesToApply[]);  
        [Description (  
         "The ApplyIncrementalChangeToMSE method performs the "  
         "actual application of  a subset of the properties in "  
         "the Setting to the referenced ManagedSystemElement. It "  
         "takes four input parameters: MSE (the ManagedSystem"  
         "Element to which the Setting is being applied), "  
         "TimeToApply (which, being a datetime, can be either a "  
         "specific time or a time interval), MustBeCompletedBy "  
         "(which indicates the required completion time for the "  
         "method), and a "  
         "PropertiesToApply array (which contains a list of the "  
         "property names whose values will be applied. If a "  
         "property is not in this list, it will be ignored by the " 
         "apply. "  
         "If they array is null or empty or constains the string " 
         "\"all\" "  
         "as a property name then all Settings properties shall be "  
         "applied.  If it is set to \"none\" then no Settings " 
         "properties "  
  
Jason, et al           Expires 20-January-2002              [Page 88] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "will be applied. ). "  
         "Note that the semantics of this method are that "  
         "individual Settings are either wholly applied or not "  
         "applied at all to their target ManagedSystemElement. The "  
         "return value should be 0 if the Setting is successfully "  
         "applied to the referenced ManagedSystemElement, 1 if the "  
         "method is not supported, 2 if the Setting was not applied "  
         "within the specified times, and any other number if an "  
         "error occurred. In a subclass, the set of possible return "  
         "codes could be specified, using a ValueMap qualifier on "  
         "the method. The strings to which the ValueMap contents are "  
         "'translated' may also be specified in the subclass as a "  
         "Values array qualifier.\n"  
         "Note: If an error occurs in applying the Setting to a "  
         "ManagedSystemElement, the Element must be configured as "  
         "when the 'apply' attempt began. That is, the Element "  
         "should NOT be left in an indeterminate state.") ]  
   uint32 ApplyIncrementalChangeToMSE(  
    [IN] CIM_ManagedSystemElement ref MSE,  
    [IN] datetime TimeToApply,  
    [IN] datetime MustBeCompletedBy,  
    [IN] string PropertiesToApply[]);  
        [Description (  
         "The VerifyOKToApplyIncrementalChangeToCollection method "  
         "is used to verify that a subset of the properties in "  
         "this Setting can be 'applied' to the referenced "  
         "Collection of ManagedSystemElements, at the given time "  
         "or time interval, without causing adverse effects to "  
         "either the Collection itself or its surrounding "  
         "environment. The net effect is to execute the "  
         "VerifyOKToApplyIncrementalChangeToMSE method "  
         "against each of the Elements "  
         "aggregated by the Collection. This method takes three "  
         "input parameters: Collection (the Collection of Managed"  
         "SystemElements that is being verified), TimeToApply (which, "  
         "being a datetime, can be either a specific time or a time "  
         "interval), MustBeCompletedBy (which indicates the "  
         "required completion time for the method), and a "  
         "PropertiesToApply array (which contains a list of the "  
         "property names whose values will be verified. "  
         "If they array is null or empty or contains the string " 
         "\"all\" "  
         "as a property name then all Settings properties shall be "  
         "verified.  If it is set to \"none\" then no Settings " 
         "properties "  
         "will be verified). The return "  
         "value should be 0 if it is OK to apply the Setting, 1 if "  
         "the method is not supported, 2 if the Setting can not be "  
         "applied within the specified times, and any other number if "  
         "an error occurred. One output parameter is defined - "  
         "CanNotApply - which is a string array that lists the keys " 
         "of "  
         "the ManagedSystemElements to which the Setting can NOT be "  
  
Jason, et al           Expires 20-January-2002              [Page 89] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "applied. This enables those Elements to be revisited and "  
         "either fixed, or other corrective action taken.\n"  
         "In a subclass, the set of possible return codes could be "  
         "specified, using a ValueMap qualifier on the method. The "  
         "strings to which the ValueMap contents are 'translated' may "  
         "also be specified in the subclass as a Values array "  
         "qualifier.") ]  
   uint32 VerifyOKToApplyIncrementalChangeToCollection (  
    [IN] CIM_CollectionOfMSEs ref Collection,  
    [IN] datetime TimeToApply,  
    [IN] datetime MustBeCompletedBy,  
    [IN] string PropertiesToApply[],  
    [OUT] string CanNotApply[]);  
        [Description (  
         "The ApplyIncrementalChangeToCollection method performs "  
         "the application of a subset of the properties in this "  
         "Setting to the referenced Collection of ManagedSystem"  
         "Elements. The net effect is to execute the "  
         "ApplyIncrementalChangeToMSE "  
         "method against each of the Elements aggregated by the "  
         "Collection. If the input value ContinueOnError is FALSE, "  
         "this method applies the Setting to all Elements in the "  
         "Collection until it encounters an error, in which case it "  
         "stops execution, logs the key of the Element that caused "  
         "the error in the CanNotApply array, and issues a return " 
         "code "  
         "of 2. If the input value ContinueOnError is TRUE, then this "  
         "method applies the Setting to all the ManagedSystemElements "  
         "in the Collection, and reports the failed Elements in the "  
         "array, CanNotApply. For the latter, processing will " 
         "continue "  
         "until the method is applied to all Elements in the "  
         "Collection, regardless of any errors encountered. The key " 
         "of "  
         "each ManagedSystemElement to which the Setting could not be "  
         "applied is logged into the CanNotApply array. This method "  
         "takes four input parameters: Collection (the Collection of "  
         "Elements to which the Setting is being applied), " 
         "TimeToApply "  
         "(which, being a datetime, can be either a specific time or " 
         "a "  
         "time interval), ContinueOnError (TRUE means to continue "  
         "processing on encountering an error), and MustBeCompletedBy "  
         "(which indicates the required completion time for the "  
         "method), and a PropertiesToApply array (which contains a " 
         "list "  
         "of the property names whose values will be applied. If a "  
         "property is not in this list, it will be ignored by " 
         "the apply. "  
         "If they array is null or empty or constains the string " 
         "\"all\" "  
         "as a property name then all Settings properties shall be "  
         "applied.  If it is set to \"none\" then no Settings " 
  
Jason, et al           Expires 20-January-2002              [Page 90] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "properties "  
         "will be applied. ). "  
         "The return value should be 0 if the Setting is "  
         "successfully applied to the referenced Collection, 1 if the "  
         "method is not supported, 2 if the Setting was not applied "  
         "within the specified times, 3 if the Setting can not be "  
         "applied using the input value for ContinueOnError, and any "  
         "other number if an error occurred. One output parameter is "  
         "defined, CanNotApplystring, which is an array that lists "  
         "the keys of the ManagedSystemElements to which the Setting "  
         "was NOT able to be applied. This output parameter has "  
         "meaning only when the ContinueOnError parameter is TRUE.\n"  
         "In a subclass, the set of possible return codes could be "  
         "specified, using a ValueMap qualifier on the method. The "  
         "strings to which the ValueMap contents are 'translated' may "  
         "also be specified in the subclass as a Values array "  
         "qualifier.\n"  
         "Note: if an error occurs in applying the Setting to a "  
         "ManagedSystemElement in the Collection, the Element must be "  
         "configured as when the 'apply' attempt began. That is, the "  
         "Element should NOT be left in an indeterminate state.") ]  
   uint32 ApplyIncrementalChangeToCollection(  
    [IN] CIM_CollectionOfMSEs ref Collection,  
    [IN] datetime TimeToApply,  
    [IN] boolean ContinueOnError,  
    [IN] datetime MustBeCompletedBy,  
    [IN] string PropertiesToApply[],  
    [OUT] string CanNotApply[]);  
   
}; 
 
// ================================================================== 
//     CIM_SystemSetting 
// ================================================================== 
        [Abstract, Description ( 
         "CIM_SystemSetting represents the general concept " 
         "of a CIM_Setting which is scoped by/weak to a System.")] 
class CIM_SystemSetting : CIM_Setting { 
       [Propagated ("CIM_System.CreationClassName"), Key,  
        MaxLen (256), Description ( 
        "The scoping System's CreationClassName.") ]  
    string SystemCreationClassName; 
       [Propagated ("CIM_System.Name"), Key, MaxLen (256), 
        Description ("The scoping System's Name.") ]  
    string SystemName; 
       [Key, MaxLen (256), Description ( 
        "CreationClassName indicates the name of the class or the " 
        "subclass used in the creation of an instance. When used " 
        "with the other key properties of this class, this property " 
        "allows all instances of this class and its subclasses to " 
        "be uniquely identified.") ] 
    string CreationClassName; 
       [Override ("SettingID"), Key, MaxLen (256)] 
  
Jason, et al           Expires 20-January-2002              [Page 91] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    string SettingID; 
}; 
 
// ================================================================== 
//    System 
// ================================================================== 
        [Abstract, Description ( 
         "A CIM_System is a LogicalElement that aggregates an " 
         "enumerable set of Managed System Elements. The aggregation " 
         "operates as a functional whole. Within any particular " 
         "subclass of System, there is a well-defined list of " 
         "Managed System Element classes whose instances must be " 
         "aggregated.") ]  
class CIM_System:CIM_LogicalElement 
{ 
        [Key, MaxLen (256), Description ( 
         "CreationClassName indicates the name of the class or the " 
         "subclass used in the creation of an instance. When used " 
         "with the other key properties of this class, this property " 
         "allows all instances of this class and its subclasses to " 
         "be uniquely identified.") ] 
    string CreationClassName; 
        [Key, MaxLen (256), Override ("Name"), Description ( 
         "The inherited Name serves as key of a System instance in "  
         "an enterprise environment.") ]  
    string Name; 
        [MaxLen (64), Description ( 
         "The System object and its derivatives are Top Level Objects " 
         "of CIM. They provide the scope for numerous components. "  
         "Having unique System keys is required. A heuristic can be " 
         "defined in individual System subclasses to attempt to " 
         "always " 
         "generate the same System Name Key. The NameFormat property " 
         "identifies how the System name was generated, using " 
         "the subclass' heuristic.") ]  
    string NameFormat; 
        [MaxLen (256), Description ( 
         "A string that provides information on how the primary " 
         "system " 
         "owner can be reached (e.g. phone number, email address, " 
           "...)."), 
         MappingStrings {"MIF.DMTF|General Information|001.3"} ]  
    string PrimaryOwnerContact; 
        [MaxLen (64), Description ( 
           "The name of the primary system owner."), 
         MappingStrings {"MIF.DMTF|General Information|001.4"} ]   
    string PrimaryOwnerName; 
        [Description ( 
         "An array (bag) of strings that specify the roles this " 
         "System " 
         "plays in the IT-environment. Subclasses of System may " 
         "override this property to define explicit Roles values. " 
         "Alternately, a Working Group may describe the heuristics, " 
  
Jason, et al           Expires 20-January-2002              [Page 92] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "conventions and guidelines for specifying Roles. For " 
         "example, for an instance of a networking system, the Roles " 
         "property might contain the string, 'Switch' or 'Bridge'.") ] 
    string Roles[]; 
}; 
    
// ================================================================== 
//    Service 
// ==================================================================   
        [Abstract, Description ( 
         "A CIM_Service is a Logical Element that contains the " 
         "information necessary to represent and manage the " 
         "functionality provided by a Device and/or SoftwareFeature. " 
         "A Service is a general-purpose object to configure and " 
         "manage the implementation of functionality.  It is not the " 
         "functionality itself.") ]  
class CIM_Service:CIM_LogicalElement 
{ 
        [Key, MaxLen (256), Description ( 
           "CreationClassName indicates the name of the class or the " 
           "subclass used in the creation of an instance. When used " 
           "with the other key properties of this class, this " 
           "property " 
           "allows all instances of this class and its subclasses to " 
           "be uniquely identified.") ] 
    string CreationClassName; 
        [Override ("Name"), Key, MaxLen (256), 
         Description ( 
         "The Name property uniquely identifies the Service and " 
         "provides an indication of the functionality that is " 
         "managed. This functionality is described in more detail in " 
         "the object's Description property. ") ]  
    string Name; 
        [MaxLen (10), Description ( 
         "StartMode is a string value indicating whether the Service " 
         "is automatically started by a System, Operating System, " 
         "etc. " 
         "or only started upon request."),  
           ValueMap {"Automatic", "Manual"} ]  
    string StartMode; 
        [Description ( 
         "Started is a boolean indicating whether the Service " 
         "has been started (TRUE), or stopped (FALSE).") ]  
    boolean Started; 
        [Propagated ("CIM_System.CreationClassName"), Key,  
           MaxLen (256), Description ( 
         "The scoping System's CreationClassName. ") ]  
    string SystemCreationClassName; 
        [Propagated ("CIM_System.Name"), Key, MaxLen (256), 
         Description ("The scoping System's Name.") ]  
    string SystemName; 
        [Description ( 
         "The StartService method places the Service in the started " 
  
Jason, et al           Expires 20-January-2002              [Page 93] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "state. It returns an integer value of 0 if the Service was " 
         "successfully started, 1 if the request is not supported and " 
         "any other number to indicate an error. In a subclass, the " 
         "set of possible return codes could be specified, using a " 
         "ValueMap qualifier on the method. The strings to which the " 
         "ValueMap contents are 'translated' may also be specified in " 
         "the subclass as a Values array qualifier.") ]  
    uint32 StartService(); 
        [Description ( 
         "The StopService method places the Service in the stopped " 
         "state. It returns an integer value of 0 if the Service was " 
         "successfully stopped, 1 if the request is not supported and " 
         "any other number to indicate an error. In a subclass, the " 
         "set of possible return codes could be specified, using a " 
         "ValueMap qualifier on the method. The strings to which the " 
         "ValueMap contents are 'translated' may also be specified in " 
         "the subclass as a Values array qualifier.") ]  
    uint32 StopService(); 
}; 
      
// ================================================================== 
//    ServiceAccessPoint 
// ================================================================== 
        [Abstract, Description ( 
         "CIM_ServiceAccessPoint represents the ability to utilize or " 
         "invoke a Service.  Access points represent that a Service " 
         "is made available to other entities for use.") ]  
class CIM_ServiceAccessPoint:CIM_LogicalElement 
{ 
        [Key, MaxLen (256), Description ( 
         "CreationClassName indicates the name of the class or the " 
         "subclass used in the creation of an instance. When used " 
         "with the other key properties of this class, this " 
         "property " 
         "allows all instances of this class and its subclasses to " 
         "be uniquely identified.") ] 
    string CreationClassName; 
        [Override ("Name"), Key, MaxLen (256), 
         Description ( 
         "The Name property uniquely identifies the " 
         "ServiceAccessPoint " 
         "and provides an indication of the functionality that is " 
         "managed.  This functionality is described in more detail in " 
         "the object's Description property.") ]  
    string Name; 
        [Propagated ("CIM_System.CreationClassName"), Key,  
           MaxLen (256), Description ( 
         "The scoping System's CreationClassName.") ]  
    string SystemCreationClassName; 
        [Propagated ("CIM_System.Name"), Key, MaxLen (256), 
           Description ("The scoping System's Name.") ]  
    string SystemName; 
}; 
  
Jason, et al           Expires 20-January-2002              [Page 94] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
      
// ================================================================== 
// ===              Association class definitions                 === 
// ================================================================== 
 
// ================================================================== 
//    Component 
// ================================================================== 
        [Association, Abstract, Aggregation, Description ( 
         "CIM_Component is a generic association used to establish " 
         "'part of' relationships between Managed System Elements. " 
         "For " 
         "example, the SystemComponent association defines parts of " 
         "a System.") ]  
class CIM_Component 
{ 
        [Aggregate, Key, Description ( 
         "The parent element in the association.") ]  
    CIM_ManagedSystemElement REF GroupComponent; 
        [Key, Description ("The child element in the association.") ]  
    CIM_ManagedSystemElement REF PartComponent; 
}; 
 
// ================================================================== 
// Dependency    
// ================================================================== 
        [Association, Abstract, Description (    
        "CIM_Dependency is a generic association used to establish "    
        "dependency relationships between ManagedElements.") ]     
class CIM_Dependency     
{    
        [Key, Description (    
        "Antecedent represents the independent object in this "    
        "association.") ]     
  CIM_ManagedElement REF Antecedent;    
        [Key, Description (    
    "Dependent represents the object dependent on the "    
    "Antecedent.") ]     
  CIM_ManagedElement REF Dependent;    
};    
                  
// =================================================================== 
//    ElementSetting 
// =================================================================== 
        [Association, Description ( 
         "ElementSetting represents the association between Managed" 
         "SystemElements and the Setting class(es) defined for them.") 
] 
class CIM_ElementSetting 
{ 
        [Key, Description ("The ManagedSystemElement.") ] 
   CIM_ManagedSystemElement REF Element; 
        [Key, Description ( 
  
Jason, et al           Expires 20-January-2002              [Page 95] 

Internet Key Exchange (IKE)", 
   RFC 2409, November 1998. 
    
   [COMP] Shacham, A., Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "The Setting object associated with the ManagedSystem" 
         "Element.") ] 
   CIM_Setting REF Setting; 
}; 
// ================================================================== 
// MemberOfCollection     
// ================================================================== 
        [Association, Aggregation, Description (    
        "CIM_MemberOfCollection is an aggregation used to establish "    
        "membership of ManagedElements in a Collection." ) ]   
class CIM_MemberOfCollection   
{    
        [Key, Aggregate, Description ( 
         "The Collection that aggregates members") ]     
  CIM_Collection REF Collection; 
        [Key, Description ("The aggregated member of the collection.") 
]     
  CIM_ManagedElement REF Member;    
};    
 
// ================================================================== 
//     CIM_SystemSettingContext 
// ================================================================== 
        [Association, Aggregation, Description ( 
         "This relationship associates System-specific Configuration " 
         "objects with System-specific Setting objects, similar to " 
         "the " 
         "SettingContext association.")] 
class CIM_SystemSettingContext { 
        [Aggregate, Key, Description ( 
         "The Configuration object that aggregates the Setting.") ] 
   CIM_SystemConfiguration REF Context; 
        [Key, Description ("An aggregated Setting.")] 
   CIM_SystemSetting REF Setting; 
}; 


















  
Jason, et al           Expires 20-January-2002              [Page 96] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
Appendix B (DMTF User Model MOF) 
 
// ================================================================== 
// OrganizationalEntity 
// ================================================================== 
   [Abstract, Description (   
   "OrganizationalEntity is an abstract class from which classes " 
   "that fit into an organizational structure are derived.") ] 
class CIM_OrganizationalEntity : CIM_ManagedElement    
   {   
   }; 
 
// ================================================================== 
// UserEntity 
// ================================================================== 
   [Abstract, Description (   
   "UserEntity is an abstract class that represents users.") ] 
class CIM_UserEntity : CIM_OrganizationalEntity  
   {   
   }; 
 
// ================================================================== 
// UsersAccess 
// ================================================================== 
   [Description (   
   "The UsersAccess object class is used to specify a system user " 
   "that permitted access to system resources.  The ManagedElement " 
   "that has access to system resources (represented in the model in " 
   "the ElementAsUser association) may be a person, a service, a " 
   "service access point or any collection thereof. Whereas the " 
   "Account class represents the user's relationship to a system " 
   "from the perspective of the security services of the system, the " 
   "UserAccess class represents the relationships to the systems " 
   "independent of a particular system or service.") ] 
class CIM_UsersAccess: CIM_UserEntity  
   {   
      [Key, MaxLen (256), Description (   
        "CreationClassName indicates the name of the class or the " 
        "subclass used in the creation of an instance. When used " 
        "with the other key properties of this class, this property " 
        "allows all instances of this class and R. Monsour, R. Pereira, M. Thomas, "IP 
   Payload Compression Protocol (IPComp)", RFC 2393, August 1998. 
    
   [ESP] Kent, S., its subclasses to " 
        "be uniquely identified.")] 
   string CreationClassName; 
      [Key, MaxLen (256),Description (   
      "The Name property defines the label by which the object is " 
        "known.")] 
   string Name; 
      [Key, Description ( 
        "The ElementID property uniquely specifies the ManagedElement " 
        "object instance that is the user represented by the " 
        "UsersAccess object instance.  The ElementID is formatted " 
        "similarly to a model path except that the property-value " 
        "pairs are ordered in alphabetical order (US ASCII lexical " 
  
Jason, et al           Expires 20-January-2002              [Page 97] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
        "order).")] 
   string ElementID; 
      [Description (  
        "Biometric information used to identify a person.  The " 
        "property value is left null or set to 'N/A' for non-human " 
        "user or a user not using biometric information for " 
        "authentication."), 
        Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger",  
                 "Voice", "DNA-RNA", "EEG"} ] 
   uint16 Biometric[]; 
   }; 
 
// ==================================================================  
//    SecurityService 
// ================================================================== 
        [ Abstract, Description ( 
         "CIM_SecurityService ...") ] 
class CIM_SecurityService:CIM_Service 
{ 
}; 
 
// ==================================================================  
//    AuthenticationService 
// ================================================================== 
   [Description ( 
   "CIM_AuthenticationService verifies users' identities through " 
   "some means.  These services are decomposed into a subclass that " 
   "provides credentials to users and R. Atkinson, "IP Encapsulating Security Payload 
   (ESP)", RFC 2406, November 1998. 
    
   [AH] Kent, S., a subclass that provides for " 
   "the verification of the validity of a credential and, perhaps, " 
   "the appropriateness of its use for access to target resources. " 
   "The persistent state information used from one such verification " 
   "to another is maintained in an Account for that Users Access on " 
   "that AuthenticationService.") ] 
class CIM_AuthenticationService:CIM_SecurityService 
   { 
   }; 
 
// ==================================================================  
//    CredentialManagementService 
// ================================================================== 
   [Description ( 
   "CIM_CredentialManagementService issues credentials and R. Atkinson, "IP Authentication Header", RFC 
   2402, November 1998. 
    
   [PCIM] Moore, B., manages " 
   "the credential lifecycle.") ]  
class CIM_CredentialManagementService:CIM_AuthenticationService 
   { 
   }; 
 
// ==================================================================  
//    CertificateAuthority 
// ================================================================== 
        [Description ("A Certificate Authority (CA) is a credential " 
         "management service that issues and E. Ellesson, J. Strassner, "Policy Core 
   Information cryptographically " 
         "signs certificates thus acting as an trusted third-party " 
  
Jason, et al           Expires 20-January-2002              [Page 98] 

Internet Draft     IPsec Configuration Policy Model -- Version 1 Specification", RFC 3060, February 
   2001. 
    
   [DOI] Piper, D.,         March 2001 
 
 
         "intermediary in establishing trust relationships. The CA " 
         "authenicates the holder of the private key related to the " 
         "certificate's public key; the authenicated entity is " 
         "represented by the UsersAccess class.") ] 
class CIM_CertificateAuthority:CIM_CredentialManagementService 
{ 
        [Description ( 
         "The Internet IP Security Domain CAPolicyStatement describes what care is taken by the " 
         "CertificateAuthority when signing a new certificate.  " 
         "The CAPolicyStatment may be a dot-delimited ASN.1 OID " 
         "string which identifies to the formal policy statement.") ]  
    string CAPolicyStatement; 
        [Description ( "A CRL, or CertificateRevocationList, is a " 
         "list of Interpretation certificates which the CertificateAuthority has " 
         "revoked and which are not yet expired.  Revocation is " 
         "necessary when the private key associated with the public " 
         "key of a certificate is lost or compromised, or when the " 
         "person for whom the certificate is signed no longer is " 
         "entitled to use the certificate."), Octetstring ] 
    string CRL[]; 
        [Description ("Certificate Revocation Lists may be " 
         "available from a number of distribution points.  " 
         "CRLDistributionPoint array values provide URIs for those " 
         "distribution points.")] 
    string CRLDistributionPoint[]; 
        [Description ( "Certificates refer to their issuing CA by " 
         "its Distinguished Name (as defined in X.501)."), DN] 
    string CADistinguishedName; 
        [Description ( "The frequency, expressed in hours, at which " 
           "the CA will update its Certificate Revocation List.  Zero " 
           "implies that the refresh frequency is unknown."), 
           Units("Hours")] 
    uint8 CRLRefreshFrequency; 
        [Description ( "The maximum number of certificates in a " 
         "certificate chain permitted for ISAKMP", RFC 2407, November 1998. 
    
   [LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory 
   Access Protocol (v3)", RFC 2251, December 1997. 
    
   [COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A. 
   Sastry, credentials issued by " 
         "this certificate authority or it's subordinate CAs.\n" 
         "The COPS (Common Open Policy Service) Protocol", RFC 2748, 
   January 2000.  Internet-Draft work MaxChainLength of a superior CA in progress. 
    
   [COPSPR] Chan, K., the trust " 
         "hierarchy should be greater than this value and D. Durham, S. Gai, S. Herzog, K. McCloghrie, 
   F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for 
   Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000.  
   Internet-Draft work the " 
         "MaxChainLength of a subordinate CA in progress. the trust hierarchy " 
         "should be less than this value.")] 
    uint8 MaxChainLength; 
}; 
 
// ==================================================================  
//    KerberosKeyDistributionCenter 
// ================================================================== 
        [Description ( 
         "CIM_KerberosKeyDistributionCenter ...") ] 
class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService 
{ 
        [Override ("Name"), 
         Description ("The Realm served by this KDC.")]  
    string Name; 
  
Jason, et al           Expires September 2001 20-January-2002              [Page 73] 99] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   [SPSL] Condell, M., and C. Lynn, J. Zao, "Security Policy 
   Specification Language", draft-ietf-ipsp-spsl-00.txt, March 2000.  
   Internet-Draft work in progress. 
    
   [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate 
   Requirement Levels", BCP 14, RFC 2119, March 1997. 
    
   [IPSO] Kent, S., "U.S. Department 
 
 
        [Description ("The version of Defense Security Options for 
   the Internet Protocol", RFC 1108, November 1991. 
    
   [IPSEC] Kent, S., and Atkinson, R., "Security Architecture for Kerberos supported by this " 
         "service."), 
         Values {"V4", "V5", "DCE", "MS"} ] 
    uint16 Protocol[]; 
}; 
 
// ==================================================================  
//    Notary 
// ================================================================== 
        [Description ( 
         "CIM_Notary is an AuthenticationService (credential " 
         "management service) which compares the 
   Internet Protocol", RFC 2401, November 1998. 
 
13. Disclaimer 
    
   The views and specification herein are those " 
         "biometric characteristics of a person with the authors and are 
   not necessarily those " 
         "known characteristics of their employer.  The authors an Users Access, and their 
   employer specifically disclaim responsibility for any problems 
   arising from correct or incorrect implementation determines " 
         "whether the person is the UsersAccess.  An example is " 
         "a bank teller who compares a picture ID with the person " 
         "trying to cash a check, or use a biometric login service that " 
         "uses voice recognition to identify a user.") ] 
class CIM_Notary:CIM_CredentialManagementService 
{ 
        [Description ( "The types of this 
   specification. 
    
14. Authors' Addresses 
    
      Jamie Jason 
      Intel Corporation 
      MS JF3-206 
      2111 NE 25th Ave. 
      Hillsboro, OR 97124 
      E-Mail: jamie.jason@intel.com 
    
      Lee Rafalow 
      IBM Corporation, BRQA/502 
      4205 So. Miami Blvd. 
      Research Triangle Park, NC 27709 
      E-mail:  rafalow@raleigh.ibm.com 
    
      Eric Vyncke 
      Cisco Systems 
      Avenue Marcel Thiry, 77 
      B-1200 Brussels 
      Belgium 
      E-mail: evyncke@cisco.com 
    
15. Full Copyright Statement 
    
   Copyright (C) The Internet Society (1999).  All Rights Reserved. 
    
   This document and translations biometric information which " 
           "this Notary can compare."), 
         Values { "N/A", "Other", "Facial", "Retina", "Mark", 
                  "Finger", "Voice", "DNA-RNA", "EEG"} ]  
    uint16 Comparitors; 
        [Description ( 
         "The SealProtocol is how the decision of it maybe copied the Notary is " 
         "recorded for future use by parties who will rely on its " 
         "decision.  For instance, a drivers licence frequently " 
         "includes tamper-resistent coatings and furnished markings to 
   others, and derivative works protect " 
         "the recorded decision that comment on or otherwise explain it 
   or assist in its implementation may be prepared, copied, published a driver, having various " 
         "biometric characteristics of height, weight, hair and distributed, in whole or eye " 
         "color, using a particular name, has features represented in part, without restriction " 
         "a photograph of any 
   kind, provided that their face.")] 
    string SealProtocol; 
        [Description ( 
         "CharterIssued documents when the above copyright notice and this paragraph 
   are included on all such copies and derivative works.  However, this Notary is first " 
         "authorized, by whoever gave it responsibility, to perform " 
         "its service.")] 
    datetime CharterIssued; 
        [Description ( 
         "CharterExpired documents when the Notary is no longer " 
         "authorized, by whoever gave it responsibility, to perform " 
         "its service.")] 
    datetime CharterExpired; 
}; 
 
// ==================================================================  
//    LocalCredentialManagementService 
// ================================================================== 
        [Description ( 
         "CIM_LocalCredentialManagementService is a credential " 
         "management service that provides local system " 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 74] 100] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   document itself may not be modified 
 
 
         "management of credentials used by the local system.") ] 
class 
CIM_LocalCredentialManagementService:CIM_CredentialManagementService 
{ 
}; 
 
// ==================================================================  
//    SharedSecretService 
// ================================================================== 
        [Description ( 
         "CIM_SharedSecretService is a service which ascertains " 
         "whether messages received are from the Principal with " 
         "whom a secret is shared.  Examples include a login " 
         "service that proves identity on the basis of knowledge of " 
         "the shared secret, or a transport integrity service (like " 
         "Kerberos provides) that includes a message authenticity " 
         "code that proves each message in any way, the messsage stream came " 
         "from someone who knows the shared secret session key.")] 
class CIM_SharedSecretService:CIM_LocalCredentialManagementService 
{ 
        [MaxLen (256), Description ( 
         "The Algorithm used to convey the shared secret, such as " 
         "HMAC-MD5,or PLAINTEXT.") ]  
    string Algorithm; 
        [Description ( 
         "The Protocol supported by removing the copyright notice or references to SharedSecretService.")] 
    string Protocol; 
}; 
 
// ==================================================================  
//    PublicKeyManagementService 
// ================================================================== 
        [Description ( 
         "CIM_PublicKeyManagementService is a credential management " 
         "service that provides local system management of public " 
         "keys used by the Internet Society local system.") ] 
class 
CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService 
{ 
}; 
 
// ==================================================================  
//    Credential 
// ================================================================== 
        [Abstract, Description ( 
         "Subclasses of CIM_Credential define materials, " 
         "information, or other 
   Internet organizations, except as needed for data which are used to prove the purpose " 
         "identity of 
   developing Internet standards in a CIM_UsersAccess to a particular " 
         "CIM_SecurityService.  Generally, there may be some shared " 
         "information, or credential material which case the procedures for 
   copyrights defined is used to " 
         "identify and authenticate ones self in the Internet Standards process must be 
   followed, of " 
         "gaining access to, or as required permission to translate it into languages other then 
   English. 
    
   The limited permissions granted above are perpetual and will not use, an Account. " 
         "Such credential material may be 
   revoked by the used to authenticate a " 
  
Jason, et al           Expires 20-January-2002             [Page 101] 

Internet Society or its successors or assigns. 
    
   This document Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "users access identity  initially, as done by a " 
         "CIM_AuthenticationService (see later), and the information contained herein is provided additionally on an 
   "AS IS" " 
         "an ongoing basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING 
   TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON 
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF 
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 
    
Appendix A (DMTF Core Model MOF) during the course of a connection or " 
         "other  security association, as proof that each received " 
         "message or communication came from the owning user access " 
         "of " 
         "that credential material.") ] 
class CIM_Credential:CIM_ManagedElement 
{ 
}; 
 
// ==================================================================  
// ManagedElement    PublicKeyCertificate 
// ==================================================================  
   [Abstract, Description ( 
   "ManagedElement 
        [Description ("A Public Key Certificate is an abstract class that provides a common credential "   
        "superclass (or top of 
         "that is cryptographically signed by a trusted Certificate " 
         "Authority (CA) and issued to an authenticated entity " 
         "(e.g., human user, service,etc.) called the inheritance tree) for Subject in " 
         "the certificate and represented by the UsersAccess class. " 
        "non-association classes 
         "The public key in the CIM Schema.")] 
   class CIM_ManagedElement    
   {   
     [MaxLen (64), Description (   
      "The Caption property certificate is cryptographically " 
         "related to a short textual description (one-"     
      "line string) of private key that is to be held and kept " 
         "private by the object.") authenticated Subject.  The certificate " 
         "and its related private key can then be used for " 
         "establishing trust relationships and securing " 
         "communications with the Subject.  Refer to the ITU/CCITT " 
         "X.509 standard as an example of such certificates.") ] 
class CIM_PublicKeyCertificate:CIM_Credential 
{ 
         [Propagated ("CIM_System.CreationClassName"),  
          Key, MaxLen (256), Description ("Scoping System")] 
     string Caption;   
     [Description (   
      "The SystemCreationClassName; 
         [Propagated ("CIM_System.Name"),  
          Key, MaxLen (256),Description ("Scoping System")] 
     string SystemName; 
         [Propagated ("CIM_CertificateAuthority.CreationClassName"), 
          Key, MaxLen (256), Description property provides a textual description of " 
      "the object.") ] ("Scoping Service")] 
     string Description;     
   }; 
 
// ================================================================== 
// Collection  
// ==================================================================  
  [Abstract, ServiceCreationClassName; 
         [Propagated ("CIM_CertificateAuthority.Name"),  
          Key, MaxLen (256), Description ("Scoping Service")] 
     string ServiceName;  
         [Key, MaxLen (256), Description (    
   "Collection is an abstract class that provides a common"    
   "superclass 
          "Certificate subject identifier")] 
     string Subject; 
         [MaxLen (256), Description ( 
          "Alternate subject identifier for data elements that represent collections of " 
   "ManagedElements and its subclasses.")] 
  class CIM_Collection : CIM_ManagedElement     
  { the Certificate.")] 
     string AltSubject; 
         [Description ("The DER-encoded raw public key."), Octetstring] 
     uint8 PublicKey[]; 
}; 
 
// ==================================================================  
//    ManagedSystemElement    UnsignedPublicKey 
// ================================================================== 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 75] 102] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
        [Abstract, Description 
 
 
        [Description ( 
         "CIM_ManagedSystemElement is the base class for the System 
         "A CIM_UnsignedPublicKey represents an unsigned public " 
         "Element hierarchy. Membership Criteria: Any distinguishable 
         "key credential.  The local UsersAccess (or subclass " 
         "component 
         "thereof) accepts the public key as authentic because of " 
         "a direct trust relationship rather than via a System is third-party " 
         "Certificate Authority.") ] 
class CIM_UnsignedPublicKey:CIM_Credential 
{ 
         [Propagated ("CIM_System.CreationClassName"),  
          Key, MaxLen (256), Description ("Scoping System")] 
     string SystemCreationClassName; 
         [Propagated ("CIM_System.Name"),  
          Key, MaxLen (256),Description ("Scoping System")] 
     string SystemName; 
         [Propagated 
("CIM_PublicKeyManagementService.CreationClassName"), 
          Key, MaxLen (256), Description ("Scoping Service")] 
     string ServiceCreationClassName; 
         [Propagated ("CIM_PublicKeyManagementService.Name"),  
          Key, MaxLen (256), Description ("Scoping Service")] 
     string ServiceName;  
         [Key, MaxLen (256), Description ( 
          "The Identity of the Peer with whom a candidate direct trust " 
          "relationship exists.  The public key may be used for inclusion in this " 
         "class. Examples: software components, such as files; and 
          "security functions with the Peer."), 
         ModelCorrespondence  
           {"CIM_PublicKeyManagementService.PeerIdentityType" } ] 
     string PeerIdentity; 
           [Description ("PeerIdentityType is used to describe the " 
         "devices, such as disk drives and controllers, and physical 
          "type of the PeerIdentity.  The currently defined values " 
           "components such as chips and cards.") 
          "are used for IKE identities."), 
           ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8",  
          "9", "10", "11"}, 
           Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN",  
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",  
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",  
          "DER_ASN1_GN", "KEY_ID"}, 
         ModelCorrespondence  
           {"CIM_PublicKeyManagementService.PeerIdentity" } ]  
class CIM_ManagedSystemElement : CIM_ManagedElement 
{ 
     uint16 PeerIdentityType; 
         [Description ("The DER-encoded raw public key."),  
          Octetstring] 
     uint8 PublicKey[]; 
}; 
 
// ==================================================================  
//    KerberosTicket 
// ================================================================== 
        [Description ( 
         "A datetime value indicating when the object was installed. " 
         "A lack of CIM_KerberosTicket represents a value does not indicate that the object is not " 
         "installed."),  
         MappingStrings {"MIF.DMTF|ComponentID|001.5"} ]  
    datetime InstallDate; 
        [MaxLen (256), Description ( 
         "The Name property defines the label credential issued by which the object is a " 
         "known. When subclassed, the Name property can be overridden 
         "particular Kerberos Key Distribution Center (KDC) " 
         "to be a Key property.") ]  
    string Name; 
         [MaxLen (10), Description (  
         "  A string indicating particular CIM_UsersAccess as the current status result of the object. "  
         "Various operational and non-operational statuses are "  
         "defined. Operational statuses are \"OK\", \"Degraded\", "  
         "\"Stressed\" and \"Pred Fail\". \"Stressed\" indicates that "  
         "the Element is functioning, but needs attention. Examples a "  
         "of \"Stressed\" states 
         "successful authentication process.  There are overload, overheated, etc. The two types of "  
         "condition \"Pred Fail\" (failure predicted) indicates 
  
Jason, et al           Expires 20-January-2002             [Page 103] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "tickets that "  
         "an Element is functioning properly but predicting a failure "  
         "in the near future. An example is KDC may issue to a Users Access - a SMART-enabled hard "  
         "drive. \n" "  Non-operational statuses can also be specified. These 
         "TicketGranting ticket, which is used to protect and "  
         "are \"Error\", \"NonRecover\", \"Starting\", \"Stopping\", 
         "authenticate communications between the Users Access and "  
         "\"Stopped\", 
         "the "  
         "\"Service\",\"No Contact\" 
         "KDC, and \"Lost Comm\". \"NonRecover\""  
         "indicates that a non-recoverable error has occurred. "  
         "\"Service\" describes an Element being configured, Session ticket, which the KDC issues to two " 
         "maintained,"  
         "cleaned, or otherwise administered. This status could apply 
         "Users Access to allow them to communicate with each other. "  
         "during mirror-resilvering of a disk, reload 
          ) ] 
class CIM_KerberosTicket:CIM_Credential 
{ 
         [Propagated ("CIM_System.CreationClassName"), Key,  
         MaxLen (256), Description ("Scoping System")] 
        string SystemCreationClassName; 
         [Propagated ("CIM_System.Name"), Key,  
         MaxLen (256),Description ("Scoping System")] 
        string SystemName; 
         [Key, MaxLen (256), Propagated  
         ("CIM_KerberosKeyDistributionCenter.CreationClassName"),  
         Description ("Scoping Service")] 
        string ServiceCreationClassName; 
         [Propagated ("CIM_KerberosKeyDistributionCenter.Name"),  
         Key, MaxLen (256), 
         Description ("Scoping Service.  The Kerberos KDC Realm of a user "  
         "permissions list, or other administrative task. Not all " 
         "such "  
         "work 
        "CIM_KerberosTicket is on-line, yet used to record the Element is neither \"OK\" nor in security "  
         "one of the other states. \"No Contact\" indicates 
        "authority, or Realm, name so that the tickets issued by "  
         "current instance 
        "different Realms can be separately managed and " 
          "enumerated.")] 
        string ServiceName; 
        [Key, MaxLen (256), Description ("The name of the monitoring system has knowledge of "  
         "this Element but has never been able to establish service "  
         "communications with it. \"Lost Comm\" indicates that 
           "for which this ticket is used.")] 
        string AccessesService; 
        [Key, MaxLen (256), Description ( 
         "RemoteID is the name by which the user is known at " 
         "the ManagedSystemElement KDC security service.")] 
        string RemoteID; 
        datetime Issued; 
        datetime Expires; 
          [Description ( 
          "The Type of CIM_KerberosTicket is known used to exist and has been indicate whether "  
         "contacted successfully 
          "the ticket in question was issued by the past, but is currently Kerberos Key " 
         "unreachable."  
         "\"Stopped\" indicates that 
          "Distribution Center (KDC) to support ongoing communication " 
          "between the ManagedSystemElement is Users Access and the KDC (\"TicketGranting\"), " 
         "known 
          "or was issued by the KDC to support ongoing communication "  
         "to exist, it is not operational (i.e. it 
          "between two Users Access entities (\"Session\")." ), 
          Values {"Session", "TicketGranting"}] 
        uint16 TicketType; 
}; 
 
// ==================================================================  
//    SharedSecret 
// ================================================================== 
        [Description ( 
         "CIM_SharedSecret is unable to the secret shared between a Users " 
         "Access " 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 76] 104] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "provide service to users), but it has not failed. It " 
         "has purposely "  
         "been made non-operational. The Element 
 
 
         "and a particular SharedSecret security service.  Secrets " 
         "may have never been \"OK\", be in the Element may have initiated " 
         "its form of a password used for initial "  
         "own stop, 
         "authentication, or as with a management system may have initiated session key, used as part of " 
         "a message authentication code to verify that a message " 
         "originated by the pricinpal with whom the secret is shared. " 
         "stop."),  
         ValueMap {"OK", "Error", "Degraded", "Unknown", "Pred Fail",  
             "Starting", "Stopping", "Service", "Stressed",  
             "NonRecover", "No Contact", "Lost Comm", "Stopped"} ] 
         "It is important to note that SharedSecret is not just the " 
         "password, but rather is the password used with a particular " 
         "security service.")] 
class CIM_SharedSecret:CIM_Credential 
{ 
         [Propagated ("CIM_System.CreationClassName"), Key,  
          MaxLen (256), Description ("Scoping System")] 
     string Status;  
}; 
 
// ================================================================== 
//    LogicalElement 
// ================================================================== 
        [Abstract, SystemCreationClassName; 
         [Propagated ("CIM_System.Name"), Key,  
          MaxLen (256),Description ("Scoping System")] 
     string SystemName; 
         [Key, MaxLen (256), Propagated  
          ("CIM_SharedSecretService.CreationClassName"),  
          Description ("Scoping Service")] 
     string ServiceCreationClassName; 
         [Propagated ("CIM_SharedSecretService.Name"),  
          Key, MaxLen (256), 
          Description ("Scoping Service")] 
     string ServiceName; 
        [Key, MaxLen (256), Description ( 
         "CIM_LogicalElement 
         "RemoteID is a base class for all the components " 
         "of name by which the user is known at " 
         "a System that represent abstract system components, such 
         "the remote secret key authentication service.")] 
     string RemoteID;  
        [Description ( 
         "secret is the secret known by the Users Access.")] 
     string secret; 
        [Description ( 
         "algorithm names the transformation algorithm, if any, used " 
         "as Files, Processes, or system capabilities 
         "to protect passwords before use in the form protocol.  For " 
         "of Logical Devices.") ]  
class CIM_LogicalElement:CIM_ManagedSystemElement 
{ 
         "instance, Kerberos doesn't store passwords as the shared " 
         "secret, but rather, a hash of the password.")] 
     string algorithm; 
        [Description ( 
         "protocol names the protocol with which the SharedSecret is " 
         "used.")] 
     string protocol; 
}; 
 
// ==================================================================  
//     CIM_SystemConfiguration    NamedSharedIKESecret 
// ================================================================== 
        [Description ( 
         "CIM_SystemConfiguration 
         "CIM_NamedSharedIKESecret indirectly represents the general concept " 
         "of a CIM_Configuration which is scoped by/weak to a shared " 
         "System. This class is a peer of CIM_Configuration since 
         "secret credential.  The local identity, IKEIdentity, " 
         "the key structure of Configuration 
         "and the remote peer identity share the secret that is currently " 
         "defined and cannot be modified with additional 
         "named by the SharedSecretName.  The SharedSecretName is " 
         "properties.")] 
         "used SharedSecretService to reference the secret.") ] 
class CIM_SystemConfiguration : CIM_ManagedElement CIM_NamedSharedIKESecret:CIM_Credential 
  
Jason, et al           Expires 20-January-2002             [Page 105] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
{ 
         [Propagated ("CIM_System.CreationClassName"),  
          Key, MaxLen (256), Description ( 
        "The scoping System's CreationClassName.") ] ("Scoping System")] 
     string SystemCreationClassName; 
         [Propagated ("CIM_System.Name"),  
          Key, MaxLen (256),Description ("Scoping System")] 
     string SystemName; 
         [Propagated ("CIM_SharedSecretService.CreationClassName"), 
          Key, MaxLen (256), Description ("The scoping System's Name.") ] ("Scoping Service")] 
     string SystemName; ServiceCreationClassName; 
         [Propagated ("CIM_SharedSecretService.Name"),  
          Key, MaxLen (256), Description ("Scoping Service")] 
     string ServiceName;  
         [Key, MaxLen (256), Description ( 
        "CreationClassName indicates the name of the class or 
          "The local Identity with whom the direct trust " 
        "subclass used in the creation of an instance. When 
          "relationship exists."), 
         ModelCorrespondence  
           {"CIM_NamedSharedIKESecret.LocalIdentityType" } ] 
     string LocalIdentity; 
           [Key, Description ("LocalIdentityType is used " 
        "with the other key properties of this class, this property " 
        "allows all instances of this class and its subclasses to describe " 
        "be uniquely identified.") 
          "the type of the LocalIdentity."), 
           ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",  
          "9", "10", "11"}, 
           Values {"IPV4_ADDR", "FQDN", "USER_FQDN",  
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",  
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",  
          "DER_ASN1_GN", "KEY_ID"}, 
         ModelCorrespondence  
           {"CIM_NamedSharedIKESecret.LocalIdentity" } ] 
    string CreationClassName; 
    uint16 LocalIdentityType; 
         [Key, MaxLen (256), Description ( 
          "The label by which peer identity with whom the Configuration object direct trust " 
          "relationship exists."), 
         ModelCorrespondence  
           {"CIM_NamedSharedIKESecret.PeerIdentityType" } ] 
     string PeerIdentity; 
           [Key, Description ("PeerIdentityType is known.") used to describe " 
          "the type of the PeerIdentity."), 
           ValueMap {"1", "2", "3", "4", "5", "6", "7", "8",  
          "9", "10", "11"}, 
           Values {"IPV4_ADDR", "FQDN", "USER_FQDN",  
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",  
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",  
          "DER_ASN1_GN", "KEY_ID"}, 
         ModelCorrespondence  
           {"CIM_NamedSharedIKESecret.PeerIdentity" } ] 
     uint16 PeerIdentityType; 
         [Description ("SharedSecretName is an indirect reference " 
          "to a shared secret.  The SecretService does not expose " 
          "the actual secret but rather provides access to the " 
          "secret via a name.")] 
     string SharedSecretName; 
}; 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 77] 106] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   string Name; 
}; 
 
 
 
// =================================================================== ================================================================== 
//    Setting ===              Association class definitions                 === 
// =================================================================== 
        [Abstract, ================================================================== 
 
// ================================================================== 
// ElementAsUser     
// ================================================================== 
   [Association, Description ( 
         "The Setting class represents configuration-related and " 
         "operational parameters for one or more ManagedSystem" 
         "Element(s). A ManagedSystemElement may have multiple " 
         "Setting " 
         "objects associated with it. The current operational values " 
         "for    
   "CIM_ElementAsUser is an Element's parameters are reflected by properties in " 
         "the Element itself or by properties in its associations. " 
         "These properties do not have association used to be the same values present " 
         "in establish the Setting object. For example, a modem may have a " 
         "Setting baud rate 
   "'ownership' of 56Kb/sec but be operating " 
         "at 19.2Kb/sec.") ] 
class CIM_Setting : CIM_ManagedElement 
{ 
        [MaxLen (256), Description ( 
         "The identifier by which the Setting UsersAccess object is known.") ] 
   string SettingID; 
         [Description ( 
         "The VerifyOKToApplyToMSE method is used to verify that " 
         "this Setting can be 'applied' to the referenced Managed" 
         "SystemElement, at the given time or time interval. This " 
         "method takes three input parameters: MSE (the Managed" 
         "SystemElement that is being verified), TimeToApply (which, " 
         "being a datetime, can be either a specific time or a time " 
         "interval), and MustBeCompletedBy (which indicates the " 
         "required completion time for instances.  That is, the method). The return " 
         "value should be 0 if it is OK 
   "ManagedElement may have UsersAccess to apply the Setting, 1 if " 
         "the method is not supported, 2 if the Setting can not be " 
         "applied within the specified times, and any other number systems and, therefore, " 
         "if 
   "be 'users' on those systems.  UsersAccess instances must have an error occurred. In a subclass, the " 
         "set of possible return codes could 
   "'owning' ManagedElement.  Typically, the ManagedElements will be specified, using a " 
         "ValueMap qualifier on the method. The strings 
   "limited to which the Collection, Person, Service and ServiceAccessPoint. " 
         "ValueMap contents are 'translated' may also 
   "Other non-human ManagedElements that might be specified in " 
         "the subclass thought of as " 
   "having UsersAccess (e.g., a Values array qualifier.") ] 
   uint32 VerifyOKToApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,  
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); 
        [Description ( 
         "The ApplyToMSE method performs the actual application of device or system) have services that " 
         "the Setting 
   "have the UsersAccess.")] 
class CIM_ElementAsUser : CIM_Dependency 
   {    
        [Min (1), Max (1), Override ("Antecedent"),  
        Description ("The ManagedElement that has UsersAccess") ] 
   CIM_ManagedElement REF Antecedent;    
        [Override ("Dependent"),  
        Description ("The 'owned' UsersAccess") ] 
   CIM_UsersAccess REF Dependent;    
   };  
 
// ================================================================== 
// UsersCredential 
// ================================================================== 
   [Association, Description (    
   "CIM_UsersCredential is an association used to establish the referenced ManagedSystemElement. It " 
         "takes three input parameters: MSE (the ManagedSystem" 
         "Element 
   "credentials that may be used for a UsersAccess to which the Setting is being applied), " 
         "TimeToApply (which, being a datetime, can system or " 
   "set of systems. "    )] 
class CIM_UsersCredential : CIM_Dependency 
   {    
        [Override ("Antecedent"),  
        Description ("The issued credential that may be either used.") ] 
   CIM_Credential REF Antecedent;    
        [Override ("Dependent"),  
        Description ("The UsersAccess that has use of a " 
         "specific time or credential") ] 
   CIM_UsersAccess REF Dependent;    
   };    
 
// =================================================================== 
//    PublicPrivateKeyPair 
// =================================================================== 
        [Association, Description ( 
         "This relationship associates a time interval), and MustBeCompletedBy PublicKeyCertificate with " 
         "(which indicates the required completion time for 
         "the Principal who has the " 
         "method). Note that PrivateKey used with the semantics of this method are that " 
         "individual Settings are either wholly applied or 
         "PublicKey.  The PrivateKey is not modeled, since it is not " 
         "applied at all to their target ManagedSystemElement. The 
         "a data element that ever SHOULD be accessible via " 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 78] 107] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "return value should be 0 if the Setting is successfully " 
         "applied to the referenced ManagedSystemElement, 1 if the " 
         "method is not supported, 2 if the Setting was not applied " 
         "within the specified times, and any 
 
 
         "management applications, other number if an " 
         "error occurred. In a subclass, the set of possible return " 
         "codes could be specified, using a ValueMap qualifier on than key recovery services, " 
         "the method. The strings to which the ValueMap contents 
         "which are " 
         "'translated' outside our scope.") ] 
class CIM_PublicPrivateKeyPair:CIM_UsersCredential 
{ 
      [ Override ("Antecedent") ] 
   CIM_PublicKeyCertificate REF Antecedent; 
      [ Override ("Dependent") ] 
   CIM_UsersAccess REF Dependent; 
        [Description ( "The Certificate may also be specified in the subclass as a used for signature " 
         "Values array qualifier.\n" 
         "Note: If an error occurs in applying the Setting to a 
        "only " 
         "ManagedSystemElement, the Element must be configured 
        "or for confidentiality as " 
         "when the 'apply' attempt began. That is, the Element " 
         "should NOT be left in an indeterminate state.") well as signature"), 
        Values { "SignOnly", "ConfidentialityOrSignature"} ] 
   uint32 ApplyToMSE([IN] CIM_ManagedSystemElement ref MSE,  
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy); 
   uint16 Use; 
   boolean NonRepudiation; 
   boolean BackedUp; 
        [Description ( 
         "The VerifyOKToApplyToCollection method ("The repository in which the certificate is used to verify " 
         "that this Setting can be 'applied' to the referenced 
        "backed up.")] 
   string Repository; 
}; 
 
// =================================================================== 
//    CAHasPublicCertificate 
// =================================================================== 
   [Association, Description ( 
   "A CertificateAuthority may have certificates issued by other CAs. " 
         "Collection 
   "This association is essentially an optimization of ManagedSystemElements, at the given time CA having " 
         "or time interval, without causing adverse effects 
   "a UsersAccess instance with an association to a certificate thus " 
         "either the Collection itself or its surrounding " 
         "environment. The net effect is 
   "mapping more closely to execute the " 
         "VerifyOKToApply method against each of the Elements LDAP-based certificate authority " 
         "aggregated 
   "implementations.") ] 
class CIM_CAHasPublicCertificate:CIM_Dependency 
{ 
        [Max (1), Override ("Antecedent"), 
        Description ("The Certificate used by the Collection. This method takes three " 
         "input parameters: Collection (the Collection of Managed" 
         "SystemElements CA")] 
   CIM_PublicKeyCertificate REF Antecedent; 
        [Override ("Dependent"),  
        Description ("The CA that is being verified), TimeToApply (which, " 
         "being a datetime, can be either uses a specific time or Certificate")] 
   CIM_CertificateAuthority REF Dependent; 
}; 
 
 
// =================================================================== 
//    ManagedCredential 
// =================================================================== 
        [Association, Description ( 
         "This relationship associates a time " 
         "interval), and MustBeCompletedBy (which indicates the CredentialManagementService " 
         "required completion time for 
         "with the method). The return " 
         "value should be 0 if Credential it is OK to apply the Setting, 1 if manages.") ] 
class CIM_ManagedCredential:CIM_Dependency 
{ 
        [Override ("Antecedent"), Min (1), Max (1), 
        Description ( "The credential management service")]  
   CIM_CredentialManagementService REF Antecedent; 
        [Override ("Dependent"), 
        Description ( "The managed credential")] 
  
Jason, et al           Expires 20-January-2002             [Page 108] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
   CIM_Credential REF Dependent; 
}; 
 
// =================================================================== 
//    CASignsPublicKeyCertificate 
// =================================================================== 
        [Association, Description ( 
         "This relationship associates a CertificateAuthority with " 
         "the method is not supported, 2 if certificates it signs.") ] 
class CIM_CASignsPublicKeyCertificate:CIM_ManagedCredential 
{ 
        [Override ("Antecedent"), Min (1), Max (1), 
        Description ( "The CA which signed the Setting can not be " 
         "applied within certificate")]  
   CIM_CertificateAuthority REF Antecedent; 
        [Override ("Dependent"), Weak, 
        Description ( "The certificate issued by the specified times, and any other number if " 
         "an error occurred. One output parameter is defined - " 
         "CanNotApply - which is a CA")] 
   CIM_PublicKeyCertificate REF Dependent; 
   string array that lists the keys " 
         "of " 
         "the ManagedSystemElements to which SerialNumber; 
      [ Octetstring ] 
   uint8 Signature[]; 
   datetime Expires; 
   string CRLDistributionPoint[]; 
}; 
 
// ================================================================== 
//    LocallyManagedPublicKey 
// ================================================================== 
        [Association, Description ( 
         "CIM_LocallyManagedPublicKey association provides the Setting can NOT be " 
         "applied. This enables those Elements to be revisited 
         "relationship between a PublicKeyManagementService and an " 
         "either fixed, or other corrective action taken.\n" 
         "In a subclass, the set of possible return codes could be 
         "UnsignedPublicKey.") ] 
class CIM_LocallyManagedPublicKey:CIM_ManagedCredential 
{ 
        [Override ("Antecedent"), Min (1), Max (1),  
         Description ("The PublicKeyManagementService that manages " 
         "specified, using 
         "an unsigned public key.") ]  
    CIM_PublicKeyManagementService REF Antecedent; 
        [Override ("Dependent"), Weak, Description ( 
         "An unsigned public key.") ]  
    CIM_UnsignedPublicKey REF Dependent; 
}; 
 
// =================================================================== 
//    SharedSecretIsShared 
// =================================================================== 
        [Association, Description ( 
         "This relationship associates a ValueMap qualifier on SharedSecretService with the method. The " 
         "strings to which 
         "SecretKey it verifies.") ] 
class CIM_SharedSecretIsShared : CIM_ManagedCredential 
{ 
        [Override ("Antecedent"), Min (1), Max (1), 
        Description ("The credential management service")] 
   CIM_SharedSecretService REF Antecedent; 
  
Jason, et al           Expires 20-January-2002             [Page 109] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
        [Override ("Dependent"), Weak, 
        Description ( "The managed credential")] 
   CIM_SharedSecret REF Dependent; 
}; 
 
// ================================================================== 
//    IKESecretIsNamed 
// ================================================================== 
        [Association, Description ( 
         "CIM_IKESecretIsNamed association provides the ValueMap contents are 'translated' may " 
         "also be specified in the subclass as 
         "relationship between a SharedSecretService and a Values array " 
         "qualifier.") 
         "NamedSharedIKESecret.") ]  
   uint32 VerifyOKToApplyToCollection 
class CIM_IKESecretIsNamed:CIM_ManagedCredential 
{ 
        [Override ("Antecedent"), Min (1), Max (1),  
         Description ("The SharedSecretService that manages a " 
         "NamedSharedIKESecret.")]  
    CIM_SharedSecretService REF Antecedent; 
        [Override ("Dependent"), Weak, Description ( 
    [IN] CIM_CollectionOfMSEs ref Collection, 
    [IN] datetime TimeToApply, [IN] datetime MustBeCompletedBy, 
    [OUT] string CanNotApply[]); 
        [Description 
         "The managed NamedSharedIKESecret.") ]  
    CIM_NamedSharedIKESecret  REF Dependent; 
}; 
 
// =================================================================== 
//    KDCIssuesKerberosTicket 
// =================================================================== 
   [Association, Description ( 
   "The ApplyToCollection method performs the application of KDC issues and owns Kerberos tickets.  This association " 
         "the Setting to the referenced Collection of ManagedSystem" 
         "Elements. The net effect is to execute 
   "captures the ApplyToMSE " 
         "method against each of relationship between the Elements aggregated by KDC and its issued tickets." 
   ) ] 
class CIM_KDCIssuesKerberosTicket:CIM_ManagedCredential 
{ 
        [Override ("Antecedent"), Min (1), Max (1), 
        Description ( "The issuing KDC") ]  
   CIM_KerberosKeyDistributionCenter REF Antecedent; 
        [Override ("Dependent"), Weak, 
        Description ( "The managed credential")] 
   CIM_KerberosTicket REF Dependent; 
}; 
 
// =================================================================== 
//    NotaryVerifiesBiometric 
// =================================================================== 
        [Association, Description ( 
         "This relationship associates a Notary service with the " 
         "Collection. If the input value ContinueOnError 
         "Users Access whose biometric information is FALSE, verified.") ] 
class CIM_NotaryVerifiesBiometric : CIM_Dependency 
{ 
        [Override ("Antecedent"),  
        Description ("The Notary service that verifies biometric " 
        "information ") ] 
   CIM_Notary REF Antecedent; 
        [Override ("Dependent"), 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 79] 110] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "this method applies the Setting to all Elements in the 
 
 
        Description ( "The UsersAccess that represents a person using " 
         "Collection until it encounters 
        "biometric information for authentication.")] 
   CIM_UsersAccess REF Dependent; 
}; 

















































  
Jason, et al           Expires 20-January-2002             [Page 111] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
Appendix C (DMTF Network Model MOF) 
    
// ================================================================== 
//     NetworkService 
// ================================================================== 
        [Abstract, Description ( 
         "This is an error, in which case it abstract base class, derived from the Service " 
         "stops execution, logs 
         "class. It serves as the key root of the Element that caused " 
         "the error in the CanNotApply array, and issues a return " 
         "code network service " 
         "of 2. If the input value ContinueOnError is TRUE, then this 
         "hierarchy. Network services represent generic functions " 
         "method applies the Setting to all 
         "that are available from the ManagedSystemElements network that configure and/or " 
         "in the Collection, and reports the failed Elements in 
         "modify the " 
         "array, CanNotApply. traffic being sent. For the latter, processing will example, FTP is not a " 
         "continue 
         "network service, as it simply passes data unchanged from " 
         "until the method is applied 
         "source to all Elements in destination. On the other hand, services " 
         "Collection, regardless 
         "that provide quality of any errors encountered. The key " 
         "of service (e.g., DiffServ) and " 
         "each ManagedSystemElement to which 
         "security (e.g., IPSec) do affect the Setting could not be traffic stream. " 
         "applied is logged into the CanNotApply array. This method 
         "Quality of service, IPSec, and other services are " 
         "takes four input parameters: Collection (the Collection 
         "subclasses of this class. This class hierarchy enables " 
         "Elements 
         "developers to which match services to users, groups, " 
         "and other objects in the Setting network.") ] 
 
class CIM_NetworkService : CIM_Service 
{ 
        [Description ( 
         "This is being applied), " 
         "TimeToApply " 
         "(which, being a datetime, free-form array of strings that provide " 
         "descriptive words and phrases that can be either used in queries " 
         "to help locate and identify instances of this service.") ]  
    string Keywords [ ]; 
        [Description ( 
         "This is a specific time or URL that provides the protocol, network " 
         "a 
         "location, and other service-specific information required " 
         "time interval), ContinueOnError (TRUE means 
         "in order to continue access the service. This should be implemented " 
         "processing on encountering an error), 
         "as a LabeledURI, with syntax DirectoryString and MustBeCompletedBy a " 
         "(which indicates the required completion time 
         "matching rule of CaseExactMatch, for the directory " 
         "method). The return value should be 0 if the Setting 
         "implementors.") ] 
    string ServiceURL; 
        [Description ( 
         "This is a free-form array of strings that specify any " 
         "successfully applied to the referenced Collection, 1 if the 
         "specific pre-conditions that must be met in order for this " 
         "method 
         "service to start correctly. It is not supported, 2 if the Setting was not applied " 
         "within the specified times, 3 if the Setting can not be expected that subclasses " 
         "applied using 
         "will refine the input value for ContinueOnError, inherited StartService() and any StopService()" 
         "methods to suit their own application-specific needs. This " 
         "other number if an error occurred. One output parameter 
         "property is used to specify application-specific conditions " 
         "defined, CanNotApplystring, which 
         "needed by the refined StartService and StopService" 
         "methods.") ] 
    string StartupConditions [ ]; 
         [Description ( 
         "This is an a free-form array of strings that lists specify any " 
         "the keys of the ManagedSystemElements 
         "specific parameters that must be supplied to which the Setting "
         "was NOT able 
         "StartService() method in order for this service to be applied. This output parameter has start " 
         "meaning only when 
         "correctly. It is expected that subclasses will refine the ContinueOnError parameter " 
         "inherited StartService() and StopService() methods to suit " 
         "their own application-specific needs. This property is TRUE.\n" 
         "In a subclass, used " 
         "to specify application-specific parameters needed by the set of possible return codes could " 
  
Jason, et al           Expires 20-January-2002             [Page 112] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "refined StartService and StopService methods.") ] 
    string StartupParameters [ ]; 
}; 
 
// ================================================================== 
//     ProtocolEndpoint 
// ================================================================== 
        [Description ( 
         "A communication point from which data may be sent or " 
         "specified, using a ValueMap qualifier on the method. The 
         "received. ProtocolEndpoints link router interfaces and " 
         "strings 
         "switch ports to LogicalNetworks.") ] 
 
class CIM_ProtocolEndpoint : CIM_ServiceAccessPoint 
{ 
        [Override ("Name"), MaxLen(256), Description ( 
         "A string which the ValueMap contents are 'translated' may identifies this ProtocolEndpoint with either " 
         "also 
         "a port or an interface on a device. To ensure uniqueness, " 
         "the Name property should be specified in prepended or appended with " 
         "information from the subclass as a Values array Type or OtherTypeDescription " 
         "qualifier.\n" 
         "Note: if an error occurs 
         "properties. The method chosen is described in applying the Setting " 
         "NameFormat property of this class.") ] 
    string Name; 
        [MaxLen (256), Description ( 
         "NameFormat contains the naming heuristic that is chosen to a " 
         "ManagedSystemElement in 
         "ensure that the Collection, value of the Element must be Name property is unique. For " 
         "configured as when 
         "example, one might choose to prepend the 'apply' attempt began. That is, name of the port " 
         "Element should NOT be left in 
         "or interface with the Type of ProtocolEndpoint that this " 
         "instance is (e.g., IPv4)followed by an indeterminate state.") underscore.") ] 
   uint32 ApplyToCollection([IN] CIM_CollectionOfMSEs ref Collection,  
    [IN] datetime TimeToApply, [IN] boolean ContinueOnError, 
    [IN] datetime MustBeCompletedBy, [OUT] 
    string CanNotApply[]); 
                 [Description NameFormat; 
        [MaxLen (64), Description (  
         "The VerifyOKToApplyIncrementalChangeToMSE method 
         "ProtocolType is an enumeration that provides additional "  
         "is 
         "information that can be used to verify that a subset help categorize and " 
         "classify different instances of this class."), 
          ValueMap { "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", 
                   "10", "11", "12", "13", "14", "15", "16", "17",  
                   "18", "19", "20", "21"}, 
         Values { "Unknown", "Other", "IPv4", "IPv6", "IPX",  
                 "AppleTalk", "DECnet", "SNA", "CONP", "CLNP", 
                 "VINES", "XNS", "ATM", "Frame Relay", 
                 "Ethernet", "TokenRing", "FDDI", "Infiniband",  
                 "Fibre Channel", "ISDN BRI Endpoint", 
                 "ISDN B Channel Endpoint", "ISDN D Channel Endpoint" 
}, 
          ModelCorrespondence { 
                 "CIM_ProtocolEndpoint.OtherTypeDescription"} ] 
    string ProtocolType; 
        [MaxLen(64), Description ( 
         "A string describing the type of ProtocolEndpoint that this " 
         "instance is when the properties in Type property of this class (or any of "  
         "this Setting can 
         "its  subclasses) is set to 1 (e.g., 'Other'). The format of " 
         "the string inserted in this property should be 'applied' similar in " 
         "format to the referenced Managed"  
         "SystemElement, at values defined for the given time or time interval. Type property. This "  
         "method takes four input parameters: MSE (the Managed"  
         "SystemElement that is being verified), TimeToApply (which, "  
         "being a datetime, can 
         "property should be either a specific time or a time set to NULL when the Type property is " 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 80] 113] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "interval), MustBeCompletedBy (which indicates the "  
         "required completion time for the method), and a "  
         "PropertiesToApply array (which contains a list of the "  
         "property names whose values will be verified. "  
         "If they array is null or empty or constains the 
 
 
         "any value other than 1."), 
           ModelCorrespondence {"CIM_ProtocolEndpoint.ProtocolType"} ] 
   string " 
         "\"all\" "  
         "as a property name then all Settings properties shall be "  
         "verified.  If it OtherTypeDescription; 
}; 
 
// ================================================================== 
//     IPProtocolEndpoint 
// ================================================================== 
        [Description ( 
         "A ProtocolEndpoint that is set dedicated to \"none\" then no Settings " 
         "properties "  
         "will be verified). The return running IP.") ] 
 
class CIM_IPProtocolEndpoint : CIM_ProtocolEndpoint 
{ 
        [Description ( 
         "The IP address that this ProtocolEndpoint represents, "  
         "value should be 0 if it is OK 
         "formatted according to apply the Setting, 1 if "  
         "the method is not supported, 2 if the Setting can not be "  
         "applied within the specified times, and any other number appropriate convention as "  
         "if an error occurred. In a subclass, 
         "defined in the "  
         "set AddressType property of possible return codes could be specified, using a "  
         "ValueMap qualifier on the method. The strings to which the this class "  
         "ValueMap contents are 'translated' may also be specified in  
         "  
         "the subclass as a Values array qualifier.") (e.g., 171.79.6.40).") ]  
   uint32 VerifyOKToApplyIncrementalChangeToMSE(  
    [IN] CIM_ManagedSystemElement ref MSE,  
    [IN] datetime TimeToApply,  
    [IN] datetime MustBeCompletedBy,  
    [IN]  
    string PropertiesToApply[]); Address; 
        [Description ( 
         "The ApplyIncrementalChangeToMSE method performs mask for the "  
         "actual application of  a subset IP address of the properties in this ProtocolEndpoint, "  
         "the Setting 
         "formatted according to the referenced ManagedSystemElement. It appropriate convention as "  
         "takes four input parameters: MSE (the ManagedSystem"  
         "Element to which 
         "defined in the Setting is being applied), "  
         "TimeToApply (which, being a datetime, can be either a AddressType property of this class "  
         "specific time or a time interval), MustBeCompletedBy  
         "  
         "(which indicates (e.g., 255.255.252.0).") ]  
    string SubnetMask; 
        [Description ( 
         "An enumeration that describes the required completion time for format of the address "  
         "method), and a 
         "property. Whenever possible, IPv4-compatible addresses "  
         "PropertiesToApply array (which contains a list 
         "should be used instead of the native IPv6 addresses (see "  
         "property names whose values will be applied. If 
         "RFC 2373, section 2.5.4). In order to have a consistent "  
         "property is not 
         "format for IPv4 addresses in this list, it will be ignored by the " 
         "apply. "  
         "If they array is null or empty or constains the string " 
         "\"all\" "  
         "as a property name then all Settings properties shall be mixed IPv4/v6 environment, "  
         "applied.  If it is set to \"none\" then no Settings 
         "all IPv4 addresses and both IPv4-compatible IPv6 addresses " 
         "properties 
         "and IPv4-mapped IPv6 addresses, per RFC 2373, section "  
         "will 
         "2.5.4, should be applied. ). formatted in standard IPv4 format. "  
         "Note that the semantics of 
         "However, this method are that "  
         "individual Settings are either wholly applied or not "  
         "applied at all to their target ManagedSystemElement. The "  
         "return value should be 0 if (the 2.2) version of the Setting is successfully Network Common "  
         "applied to the referenced ManagedSystemElement, 1 if the 
         "Model will not explicitly support mixed IPv4/IPv6 "  
         "method 
         "environments. This will be added in a future release."), 
        ValueMap { "0", "1", "2" }, 
        Values { "Unknown", "IPv4", "IPv6" } ] 
    uint16 AddressType; 
        [Description ( 
         "It is not supported, 2 if possible to tell from the Setting was not applied address alone if a "  
         "within the specified times, 
         "given IPProtocolEndpoint can support IPv4 and any other number if an IPv6, or "  
         "error occurred. In a subclass, 
         "just one of these. This property explicitly defines the set " 
         "support for different versions of possible return IP that this "  
         "codes could be specified, using a ValueMap qualifier on 
         "IPProtocolEndpoint has. "  
         "the method. The strings 
         "\n\n" 
         "More implementation experience is needed in order to which " 
         "correctly model mixed IPv4/IPv6 networks; therefore, this " 
         "version (2.2) of the ValueMap contents are Network Common Model will not support " 
         "mixed IPv4/IPv6 environments. This will be looked at " 
         "further in a future version."), 
        ValueMap { "0", "1", "2" }, 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 81] 114] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "'translated' may also be specified in the subclass as a "  
         "Values array qualifier.\n"  
         "Note: If an error occurs in applying the Setting to a "  
         "ManagedSystemElement, the Element must be configured as "  
         "when the 'apply' attempt began. That is, the Element "  
         "should NOT be left in an indeterminate state.") 
 
 
        Values { "Unknown", "IPv4 Only", "IPv6 Only" } ]  
   uint32 ApplyIncrementalChangeToMSE(  
    [IN] CIM_ManagedSystemElement ref MSE,  
    [IN] datetime TimeToApply,  
    [IN] datetime MustBeCompletedBy,  
    [IN] string PropertiesToApply[]); 
    uint16 IPVersionSupport; 
}; 
 
// =================================================================== 
//     CIM_FilterEntryBase  
// =================================================================== 
        [Description (  
         "The VerifyOKToApplyIncrementalChangeToCollection method 
         "  
         "is used  FilterEntryBase is an abstract class to verify that a subset of define the properties in naming "  
         "this Setting can be 'applied' 
         "of all filter entries, and to the referenced allow their common "  
         "Collection 
         "aggregation into FilterLists. The FilterEntry subclass " 
         "represents packet filtering. Other types of ManagedSystemElements, at the given time Entries are "  
         "or time interval, without causing adverse effects 
         "possible - for example, to filter security credentials. \n" 
         "  
         "either the Collection itself or its surrounding "  
         "environment. The net effect  FilterEntryBase is weak to execute the network device (e.g., the "  
         "VerifyOKToApplyIncrementalChangeToMSE method 
         "ComputerSystem) that contains it. Hence, the ComputerSystem "  
         "against each 
         "keys are propagated to this class.") ] 
 
class CIM_FilterEntryBase : CIM_LogicalElement 
{ 
        [Propagated ("CIM_ComputerSystem.CreationClassName"), Key,  
           MaxLen (256),  
         Description ( 
          "The scoping ComputerSystem's CreationClassName. ") ]  
    string SystemCreationClassName; 
        [Propagated ("CIM_ComputerSystem.Name"), Key, MaxLen (256), 
         Description ( 
          "The scoping ComputerSystem's Name.") ]  
    string SystemName; 
        [Key, MaxLen (256),  
         Description ( 
          "CreationClassName indicates the name of the Elements class or the "  
         "aggregated by 
          "subclass used in the Collection. This method takes three creation of an instance. When used "  
         "input parameters: Collection (the Collection 
          "with the other key properties of Managed"  
         "SystemElements that is being verified), TimeToApply (which, this class, this property "  
         "being a datetime, can be either a specific time or a time 
          "allows all instances of this class and its subclasses to "  
         "interval), MustBeCompletedBy (which indicates 
          "be uniquely identified.") ] 
    string CreationClassName; 
        [Key, MaxLen (256),  
         Description ( 
          "The Name property defines the "  
         "required completion time for label by which the method), Filter" 
            "Entry is known and a uniquely identified.") ]  
    string Name; 
        [Description ( 
          "Boolean indicating that the match condition described "  
         "PropertiesToApply array (which contains a list 
          "in the properties of the FilterEntryBase subclass "  
         "property names whose values will 
          "should be verified. "  
         "If they array is null or empty or negated.") ] 
    boolean IsNegated; 
}; 
 

// =================================================================== 

//     CIM_IPHeaderFilter  

// =================================================================== 

        [Description ("IPHeaderFilter contains the string all of the " 
         "\"all\" 

  
Jason, et al           Expires 20-January-2002             [Page 115] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 

         "properties necessary to perform filtering on an IP header "  
         "as 

         "or a property name then all Settings properties shall be portion thereof.")] 

class CIM_IPHeaderFilter : CIM_FilterEntryBase  

{ 

        [Description ("IpVersion identifies the version of the IP "  
         "verified.  If it 

         "addresses for IP header filters.  It is set also used to \"none\" then no Settings " 

         "determine the sizes of the OctetStrings in the four " 

         "properties SrcAddress, SrcMask, DestAddress, and DestMask, "  
         "will be verified). The return 

         "as follows:\n" 

         "ipv4(4):  OctetString(SIZE (4))\n" 

         "ipv6(6):  OctetString(SIZE (16|20)), depending on whether\n" 

         "  
         "value should be 0 if it          a scope identifier is OK to apply the Setting, 1 if "  
         "the method present"), 

        ValueMap {"4", "6" }, 

        Values { "IPv4", "IPv6" }, 

        ModelCorrespondence { 

         "CIM_IPHeaderFilter.SrcAddress", 

         "CIM_IPHeaderFilter.SrcMask", 

         "CIM_IPHeaderFilter.DestAddress", 

         "CIM_IPHeaderFilter.DestMask" } ] 

   uint8 IpVersion; 

 

        [Description ("SrcAddress is not supported, 2 if the Setting can not be an OctetString, of a size "  
         "applied within 

         "determined by the specified times, and any other number if value of the IpVersion property, "  
         "an error occurred. One output parameter 

         "representing a source IP address.  This value is defined - compared to" 

         "  
         "CanNotApply - which is a string array that lists the keys source address in the IP header, subject to the mask " 
         "of 

         "represented in the SrcMask property."),  

        OCTETSTRING, 

        ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}] 

   uint8 SrcAddress[]; 

 

        [Description ("SrcMask is an OctetString, of a size determined" 

         "  
         "the ManagedSystemElements to which by the Setting can NOT be value of the IpVersion property, representing a mask" 

         "  
         "applied. This enables those Elements to be revisited and used in comparing the source address in the IP header" 

         "  
         "either fixed, or other corrective action taken.\n"  
         "In with the value represented in the SrcAddress property."),  

        OCTETSTRING, 

        ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}] 

   uint8 SrcMask[]; 

 

        [Description ("DestAddress is an OctetString, of a subclass, size " 

         "determined by the set value of possible return codes could be the IpVersion property, "  
         "specified, using 

         "representing a ValueMap qualifier on the method. The destination IP address.  This value is "  
         "strings 

         "compared to which the ValueMap contents are 'translated' may "  
         "also be specified destination address in the subclass as a Values array IP header, "  
         "qualifier.") ]  
   uint32 VerifyOKToApplyIncrementalChangeToCollection (  
    [IN] CIM_CollectionOfMSEs ref Collection,  
    [IN] datetime TimeToApply,  
    [IN] datetime MustBeCompletedBy, 

         "subject to the mask represented in the DestMask property."), 

        OCTETSTRING, 

        ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}] 

   uint8 DestAddress[]; 

  
Jason, et al           Expires September 2001 20-January-2002             [Page 82] 116] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
    [IN] string PropertiesToApply[],  
    [OUT] string CanNotApply[]); 
 
 

 

        [Description (  
         "The ApplyIncrementalChangeToCollection method performs "  
         "the application ("DestMask is an OctetString, of a subset of the properties in this size "  
         "Setting to 

         "determined by the referenced Collection value of ManagedSystem"  
         "Elements. The net effect is to execute the IpVersion property, "  
         "ApplyIncrementalChangeToMSE 

         "representing a mask to be used in comparing the destination "  
         "method against each of 

         "address in the Elements aggregated by IP header with the "  
         "Collection. If value represented in the input " 

         "DestAddress property."), 

        OCTETSTRING, 

        ModelCorrespondence {"CIM_IPHeaderFilter.IPVersion"}] 

   uint8 DestMask[]; 

 

        [Description ("ProtocolID is an 8-bit unsigned integer, " 

         "representing an IP protocol type.  This value ContinueOnError is FALSE, compared to" 

         "  
         "this method applies the Setting to all Elements Protocol field in the IP header.")] 

   uint8 ProtocolID; 

 

        [Description ("SrcPortStart represents the lower end of a " 

         "range of UDP or TCP source ports.  The upper end of the "  
         "Collection until it encounters an error, in which case it 

         "range is represented by the SrcPortEnd property.  The value "  
         "stops execution, logs 

         "of SrcPortStart MUST be no greater than the key value of " 

         "SrcPortEnd.  A single port is indicated by equal values for " 

         "SrcPortStart and SrcPortEnd.\n" 

         "\n" 

         "A source port filter is evaluated by testing whether the Element that caused "  
         "the error 

         "source port identified in the CanNotApply array, IP header falls within the " 

         "range of values between SrcPortStart and issues a return SrcPortEnd, " 
         "code 

         "including these two end points.")] 

   uint16 SrcPortStart; 

 

        [Description ("SrcPortEnd represents the upper end of a range " 

         "of 2. If UDP or TCP source ports.  The lower end of the input value ContinueOnError range is TRUE, then this "  
         "method applies the Setting to all 

         "represented by the ManagedSystemElements SrcPortStart property.  The value of "  
         "in 

         "SrcPortEnd MUST be no less than the Collection, and reports value of SrcPortStart.  " 

         "A single port is indicated by equal values for SrcPortStart " 

         "and SrcPortEnd.\n" 

         "\n" 

         "A source port filter is evaluated by testing whether the failed Elements " 

         "source port identified in the "  
         "array, CanNotApply. For IP header falls within the latter, processing will " 
         "continue 

         "range of values between SrcPortStart and SrcPortEnd, "  
         "until the method is applied to all Elements in 

         "including these two end points.")] 

   uint16 SrcPortEnd; 

 

        [Description ("DestPortStart represents the lower end of "  
         "Collection, regardless 

         "a range of any errors encountered. UDP or TCP destination ports.  The key " 
         "of "  
         "each ManagedSystemElement to which the Setting could not be upper end of "  
         "applied 

         "the range is logged into represented by the CanNotApply array. This method DestPortEnd property.  The "  
         "takes four input parameters: Collection (the Collection 

         "value of "  
         "Elements to which the Setting is being applied), " 
         "TimeToApply "  
         "(which, being a datetime, can DestPortStart MUST be either a specific time or " 
         "a no greater than the value of "  
         "time interval), ContinueOnError (TRUE means to continue 

         "DestPortEnd.  A single port is indicated by equal values for" 

  
Jason, et al           Expires 20-January-2002             [Page 117] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 

         "  
         "processing on encountering an error), DestPortStart and MustBeCompletedBy DestPortEnd.\n" 

         "\n" 

         "A destination port filter is evaluated by testing whether "  
         "(which indicates the required completion time for 

         "the destination port identified in the IP header falls "  
         "method), 

         "within the range of values between DestPortStart and " 

         "DestPortEnd, including these two end points.")] 

   uint16 DestPortStart; 

 

        [Description ("DestPortEnd represents the upper end of a PropertiesToApply array (which contains a range" 

         " 
         "list of UDP or TCP destination ports.  The lower end of the "  
         "of 

         "range is represented by the property names whose values will DestPortStart property.  The " 

         "value of DestPortEnd MUST be applied. If a no less than the value of "  
         "property 

         "DestPortStart. A single port is not in this list, it will be ignored indicated by equal values " 
         "the apply. "  
         "If they array 

         "for DestPortStart and DestPortEnd.\n" 

         "\n" 

         "A destination port filter is null or empty or constains evaluated by testing whether " 

         "the destination port identified in the string IP header falls " 
         "\"all\" 

         "within the range of values between DestPortStart and "  
         "as a property name then all Settings properties shall be 

         "DestPortEnd, including these two end points.")] 

   uint16 DestPortEnd; 

 

        [Description ("DSCPs are defined as discrete code points, "  
         "applied.  If it 

         "with no inherent structure, there is set to \"none\" then no Settings semantically " 
         "properties 

         "significant relationship between different DSCPs.  "  
         "will be applied. ). 

         "Consequently, there is no provision for specifying a range "  
         "The return value should be 0 if 

         "of DSCPs in this property.  Since, in IPv4, the Setting is DSCP field "  
         "successfully applied 

         "may contain bits to be interpreted as the referenced Collection, 1 if the TOS IP Precedence," 

         "  
         "method this property is not supported, 2 if also used to filter on IP Precedence. " 

         "Similarly, the Setting was not applied IPv6 Traffic Class field is also filtered "  
         "within 

         "using the specified times, 3 if value in this property."),  

        MAXVALUE (63)] 

   uint8 DSCP; 

 

        [Description ("The 20-bit Flow Label field in the Setting can not IPv6 header " 

         "may be used by a source to label sequences of packets for "  
         "applied using 

         "which it requests special handling by the input value for ContinueOnError, and any IPv6 devices, such" 

         "  
         "other number if an error occurred. One output parameter is as non-default quality of service or 'real-time' service.  "  
         "defined, CanNotApplystring, which 

         "In the filter, this 20-bit string is an array that lists encoded in a 24-bit "  
         "the keys of 

         "octetstring by right-adjusting the ManagedSystemElements to which value and padding on the Setting "  
         "was NOT able to be applied. This output parameter has " 

         "left with b'0000'."),  

        OCTETSTRING ] 

   uint8 FlowLabel[]; 

}; 

 
     
// ================================================================== 
//     FilterList 

  
Jason, et al           Expires September 2001 20-January-2002             [Page 83] 118] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "meaning only when the ContinueOnError parameter 
 
 
// ================================================================== 
        [Description ( 
         "A FilterList is TRUE.\n"  
         "In used by network devices to identify routes " 
         "by aggregating a subclass, the set of possible return codes could be "  
         "specified, using a ValueMap qualifier on the method. The "  
         "strings to which the ValueMap contents are 'translated' may "  
         "also be specified in the subclass as FilterEntries into a Values array "  
         "qualifier.\n"  
         "Note: if an error occurs in applying the Setting to unit, called a "  
         "ManagedSystemElement in the Collection, the Element must 
         "FilterList. FilterLists can also be used to accept or deny "  
         "configured as when 
         "routing updates."  
         "\n\n" 
         "A FilterList is weak to the 'apply' attempt began. That is, network device (e.g., the "  
         "Element should NOT be left in an indeterminate state.") ]  
   uint32 ApplyIncrementalChangeToCollection(  
    [IN] CIM_CollectionOfMSEs ref Collection,  
    [IN] datetime TimeToApply,  
    [IN] boolean ContinueOnError,  
    [IN] datetime MustBeCompletedBy,  
    [IN] string PropertiesToApply[],  
    [OUT] string CanNotApply[]);  
   
}; 
 
// ================================================================== 
//     CIM_SystemSetting 
// ================================================================== 
        [Abstract, Description ( 
         "CIM_SystemSetting represents 
         "ComputerSystem) that contains it. Hence, the general concept ComputerSystem " 
         "of a CIM_Setting which is scoped by/weak 
         "keys are propagated to a System.")] this class.") ] 
 
class CIM_SystemSetting CIM_FilterList : CIM_Setting CIM_LogicalElement 
{ 
        [Propagated ("CIM_System.CreationClassName"), ("CIM_ComputerSystem.CreationClassName"), Key,  
           MaxLen (256), Description ( 
         "The scoping System's CreationClassName.") ComputerSystem's CreationClassName. ") ]  
    string SystemCreationClassName; 
 
        [Propagated ("CIM_System.Name"), ("CIM_ComputerSystem.Name"), Key, MaxLen (256), 
         Description ("The scoping System's ComputerSystem's Name.") ]  
    string SystemName; 
 
        [Key, MaxLen (256), Description ( 
        "CreationClassName indicates 
         "The type of class that this instance is.") ] 
    string CreationClassName; 
        [Key, MaxLen(256), Description ( 
         "This is the name of the class FilterList.") ] 
    string Name; 
 
        [Description ( 
         "This defines whether the FilterList is used " 
         "for input, output, or both input and output " 
         "filtering. All values are used with respect to " 
         "the interface for which the FilterList applies. " 
        "subclass 
         "\n\n"  
         "\"Not Applicable\" (0) is used when there is no " 
         "direction applicable to the FilterList.\n" 
         "\"Input\" (1) is used when the FilterList applies " 
         "to packets that are inbound on the related " 
         "interface.\n" 
         "\"Output\" (2) is used when the FilterList applies " 
         "to packets that are outbound on the related " 
         "interface.\n" 
         "\"Both\" (3) is used to indicate that " 
         "the direction is immaterial, e.g., to filter on " 
         "a source subnet regardless of whether the flow is " 
         "inbound or outbound.\n" 
         "\"Mirrored\" (4) is also applicable to " 
         "both inbound and outbound flow processing, but " 
         "indicates that the filter criteria are applied " 
         "asymmetrically to traffic in both directions " 
         "and, thus, specifies the reversal of source and " 
         "destination criteria (as opposed to the equality " 
  
Jason, et al           Expires 20-January-2002             [Page 119] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "of these criteria as indicated by \"Both\"). " 
         "The match conditions in the creation of an instance. When used aggregated " 
         "FilterEntryBase subclass instances are defined " 
         "from the perspective of outbound flows and applied " 
         "to inbound flows as well by reversing the source " 
         "and destination criteria. So, for example, " 
         "consider a FilterList with 3 FilterEntries " 
         "indicating destination port = 80, and source and " 
         "destination addresses of a and b, respectively. " 
         "Then, for the outbound direction, the filter " 
        "with 
         "entries match as specified and the other key properties of this class, this property 'mirror' (for " 
        "allows all instances of this class 
         "the inbound direction) matches on source " 
         "port = 80 and its subclasses to source and destination addresses " 
        "be uniquely identified.") 
         "of b and a, respectively."), 
         Values {"Not Applicable", "Input", "Output", 
               "Both", "Mirrored" } ] 
    string CreationClassName; 
       [Override ("SettingID"), Key, MaxLen (256)] 
    string SettingID; 
    uint16 Direction; 
}; 
 
// ================================================================== 
//    System ===              Association class definitions                 === 
// ================================================================== 
        [Abstract, 
 
// ================================================================== 
//    EntriesInFilterList 
// ================================================================== 
        [Association, Aggregation, Description ( 
         "A CIM_System 
         "This is a LogicalElement that aggregates an " 
         "enumerable set specialization of Managed System Elements. The the CIM_Component aggregation " 
         "operates as a functional whole. Within any particular " 
         "subclass of System, there 
         "which is used to define a well-defined list set of filter entries (subclasses " 
  
Jason, et al            Expires September 2001               [Page 84] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "Managed System Element classes whose instances must be 
         "of FilterEntryBase) that are aggregated by a particular " 
         "aggregated.") 
         "FilterList.") ] 
class CIM_System:CIM_LogicalElement CIM_EntriesInFilterList : CIM_Component 
{ 
        [Key, MaxLen (256), 
        [Aggregate, Max(1), Override ("GroupComponent"), 
         Description ( 
         "CreationClassName indicates the name of the class or the " 
         "subclass used in the creation of an instance. When used " 
         "with 
          "The FilterList, which aggregates the other key properties of this class, this property " 
         "allows all instances of this class and its subclasses to set " 
         "be uniquely identified.") 
          "of FilterEntries.") ] 
    string CreationClassName; 
        [Key, MaxLen (256), Override ("Name"),  
    CIM_FilterList REF GroupComponent; 
        [Override ("PartComponent"),  
         Description ( 
         "The inherited Name serves as key 
          "Any subclass of FilterEntryBase which is a System instance in part of "  
         "an enterprise environment.") 
          "the FilterList.") ]  
    string Name; 
        [MaxLen (64), Description  
    CIM_FilterEntryBase REF PartComponent; 
        [Description ( 
          "The System object and its derivatives are Top Level Objects " 
         "of CIM. They provide order of the scope for numerous components. "  
         "Having unique System keys is required. A heuristic can be " 
         "defined in individual System subclasses to attempt Entry relative to all others in the " 
         "always 
          "FilterList. A value of zero indicates that all the Entries " 
         "generate 
          "should be ANDed together. Use of the same System Name Key. The NameFormat Sequence property " 
         "identifies how 
          "should be consistent across the System name was generated, using List. It is not valid to " 
         "the subclass' heuristic.") 
          "define some Entries as ANDed in the FilterList (Sequence" 
          "=0) while other Entries have a non-zero Sequence number.") ]  
    string NameFormat; 
        [MaxLen (256), 
    uint16 EntrySequence; 
}; 

  
Jason, et al           Expires 20-January-2002             [Page 120] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
Appendix D (DMTF Policy Model MOF) 
    
// ================================================================== 
// Policy 
// ================================================================== 
   [Abstract, Description ( 
         "A string that provides information on how 
   "An abstract class defining the primary common properties of the policy " 
         "system 
   "managed elements derived from CIM_Policy.  The subclasses are " 
         "owner can be reached (e.g. phone number, email address, 
   "used to create rules and groups of rules that work together to " 
           "...)."), 
         MappingStrings {"MIF.DMTF|General Information|001.3"} 
   "form a coherent set of policies within an administrative domain " 
   "or set of domains.") 
   ]  
    string PrimaryOwnerContact; 
        [MaxLen (64), Description 
class CIM_Policy : CIM_ManagedElement 
{ 
        [Description ( 
           "The 
      "A user-friendly name of the primary system owner."), 
         MappingStrings {"MIF.DMTF|General Information|001.4"} this policy-related object.") 
      ] 
   string PrimaryOwnerName; CommonName; 
      [Description ( 
      "An array (bag) of strings that specify the roles this keywords for characterizing / categorizing " 
      "policy objects. Keywords are of one of two types: \n" 
      "- Keywords defined in this and other MOFs, or in DMTF" 
      "white papers. These keywords provide a vendor-" 
      "independent, installation-independent way of " 
         "System 
      "characterizing policy objects. \n" 
      "- Installation-dependent keywords for characterizing " 
         "plays 
      "policy objects. Examples include 'Engineering', " 
      "'Billing', and 'Review in December 2000'. \n" 
      "This MOF defines the IT-environment. Subclasses of System may following keywords:  'UNKNOWN', " 
         "override 
      "'CONFIGURATION', 'USAGE', 'SECURITY', 'SERVICE', " 
      "'MOTIVATIONAL', 'INSTALLATION', and 'EVENT'. These " 
      "concepts are self-explanatory and are further discussed " 
      "in the SLA/Policy White Paper. One additional keyword " 
      "is defined: 'POLICY'. The role of this property keyword is to define explicit Roles values. " 
         "Alternately, a Working Group 
      "identify policy-related instances that may describe the heuristics, not be otherwise " 
         "conventions and guidelines for specifying Roles. For 
      "identifiable, in some implementations. The keyword 'POLICY' " 
         "example, for an instance 
      "is NOT mutually exclusive of a networking system, the Roles other keywords " 
         "property might contain the string, 'Switch' or 'Bridge'.") 
      "specified above.") 
      ] 
   string Roles[]; PolicyKeywords []; 
}; 
 
// ================================================================== 
//    Service PolicySet 
// ================================================================== 
   [Abstract, Description ( 
         "A CIM_Service ("PolicySet is an abstract class that " 
        "represents a Logical Element set of policies that contains form a coherent set.  The " 
        "set of contained policies has a common decision strategy and " 
        "a common set of policy roles.  Subclasses include " 
        "PolicyGroup and PolicyRule.")] 
class CIM_PolicySet : CIM_Policy 
{ 
        [Description ("PolicyDecisionStrategy defines the evaluation " 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 85] 121] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "information necessary to represent and manage the " 
         "functionality provided by a Device and/or SoftwareFeature. " 
         "A Service is a general-purpose object to configure and " 
         "manage the implementation of functionality.  It is not the " 
         "functionality itself.") ]  
class CIM_Service:CIM_LogicalElement 
{ 
        [Key, MaxLen (256), Description ( 
           "CreationClassName indicates the name of the class or the " 
           "subclass 
 
 
        "method used for policies contained in the creation of an instance. When used " 
           "with the other key properties of this class, this " 
           "property PolicySet.  " 
           "allows all instances of this class and its subclasses to " 
           "be uniquely identified.") ] 
    string CreationClassName; 
        [Override ("Name"), Key, MaxLen (256), 
         Description ( 
         "The Name property uniquely identifies 
        "FirstMatching enforces the Service and " 
         "provides an indication actions of the functionality first rule that is " 
         "managed. This functionality is described in more detail in " 
         "the object's Description property. ") ]  
    string Name; 
        [MaxLen (10), Description ( 
         "StartMode 
        "evaluates to TRUE.  It is a string value indicating whether the Service " 
         "is automatically started by a System, Operating System, " 
         "etc. " 
         "or only started upon request."), value currently defined."), 
        ValueMap {"Automatic", "Manual"} ]  
    string StartMode; 
        [Description ( 
         "Started is a boolean indicating whether the Service " 
         "has been started (TRUE), or stopped (FALSE).") ]  
    boolean Started; 
        [Propagated ("CIM_System.CreationClassName"), Key,  
           MaxLen (256), Description ( 
         "The scoping System's CreationClassName. ") ]  
    string SystemCreationClassName; 
        [Propagated ("CIM_System.Name"), Key, MaxLen (256), 
         Description ("The scoping System's Name.") { "1" }, 
        Values { "FirstMatching" } 
      ]  
    string SystemName; 
   uint16 PolicyDecisionStrategy; 
        [Description ( 
        "The StartService method places the Service in the started " 
         "state. It returns an integer value of 0 if the Service was " 
         "successfully started, 1 if PolicyRoles property represents the request is not supported roles and role " 
         "any other number to indicate an error. In a subclass, the " 
         "set of possible return codes could be specified, using 
        "combinations associated with a PolicySet.  All contained " 
         "ValueMap qualifier on the method. The strings to which the " 
         "ValueMap contents are 'translated' may also be specified in " 
         "the subclass as a Values array qualifier.") ]  
    uint32 StartService(); 
        [Description ( 
         "The StopService method places the Service in 
        "PolicySet instances inherit the stopped " 
         "state. It returns an integer value values of 0 if the Service was PolicyRoles of " 
  
Jason, et al            Expires September 2001               [Page 86] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "successfully stopped, 1 if 
        "the aggregating PolicySet but the request is values are not supported and copied. " 
         "any other number 
        "A contained PolicySet instance may, however, add additional " 
        "PolicyRoles to indicate an error. In those it inherits from its aggregating " 
        "PolicySet(s)\n" 
        "\n" 
        "Each value represents one role or role combination.  Since " 
        "this is a subclass, the multi-valued property, more than one role or " 
         "set of possible return codes could 
        "combination can be specified, using associated with a single PolicySet.  Each " 
         "ValueMap qualifier on the method. The strings to which 
        "value is a string of the form:\n" 
        " 
         "ValueMap contents are 'translated' may also be specified  <RoleName>[&&<RoleName>]*\n" 
        "where the individual role names appear in alphabetical order " 
         "the subclass as a Values array qualifier.") 
        "(according to the collating sequence for UCS-2).") ]  
    uint32 StopService(); 
    string PolicyRoles []; 
 
}; 
 
 
// ================================================================== 
//    ServiceAccessPoint PolicyGroup 
// ================================================================== 
        [Abstract, Description 
   [Description ( 
         "CIM_ServiceAccessPoint represents the ability to utilize or 
   "An aggregation of PolicySet instances (PolicyGroups and/or " 
         "invoke a Service.  Access points represent 
   "PolicyRules) that a Service have the same decision strategy and inherit " 
         "is 
   "policy roles.   PolicyGroup instances are defined and named " 
         "made available 
   "relative to other entities for use.") the CIM_System that provides their context.")  
   ] 
class CIM_ServiceAccessPoint:CIM_LogicalElement CIM_PolicyGroup : CIM_PolicySet 
{ 
      [Propagated("CIM_System.CreationClassName"), 
         Key, MaxLen (256), 
         Description ("The scoping System's CreationClassName.") 
      ] 
   string SystemCreationClassName; 
      [Propagated("CIM_System.Name"), 
         Key, MaxLen (256), 
         Description ("The scoping System's Name.") 
      ] 
   string SystemName; 
      [Key, MaxLen (256), Description ( 
         "CreationClassName indicates the name of the class or the " 
         "subclass used in the creation of an instance. When used " 
         "with the other key properties of this class, this property " 
           "property " 
  
Jason, et al           Expires 20-January-2002             [Page 122] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "allows all instances of this class and its subclasses to " 
         "be uniquely identified.") ] 
   string CreationClassName; 
        [Override ("Name"), Key, 
      [Key, MaxLen (256), Description ( 
         "The Name property uniquely identifies the " 
         "ServiceAccessPoint " 
         "and provides an indication 
         "A user-friendly name of the functionality that is " 
         "managed.  This functionality is described in more detail in " 
         "the object's Description property.") ]  
    string Name; 
        [Propagated ("CIM_System.CreationClassName"), Key,  
           MaxLen (256), Description ( 
         "The scoping System's CreationClassName.") ]  
    string SystemCreationClassName; 
        [Propagated ("CIM_System.Name"), Key, MaxLen (256), 
           Description ("The scoping System's Name.") this PolicyGroup.") 
      ] 
   string SystemName; PolicyGroupName; 
}; 
 
// ================================================================== 
// ===              Association class definitions                 === 
// ================================================================== 
 
// ================================================================== 
//    Component PolicyRule 
// ================================================================== 
        [Association, Abstract, Aggregation, Description 
   [Description ( 
         "CIM_Component 
   "The central class used for representing the 'If Condition then " 
   "Action' semantics of a policy rule. A PolicyRule condition, in " 
   "the most general sense, is represented as either an ORed set of " 
   "ANDed conditions (Disjunctive Normal Form, or DNF) or an ANDed " 
   "set of ORed conditions (Conjunctive Normal Form, or CNF).  " 
   "Individual conditions may either be negated (NOT C) or " 
   "unnegated (C).  The actions specified by a generic association used PolicyRule are to establish be " 
  
Jason, et al            Expires September 2001               [Page 87] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "'part of' relationships between Managed System Elements. 
   "performed if and only if the PolicyRule condition (whether it " 
         "For 
   "is represented in DNF or CNF) evaluates to TRUE.\n" 
   "\n" 
   "The conditions and actions associated with a PolicyRule are " 
         "example, the SystemComponent association defines parts 
   "modeled, respectively, with subclasses of PolicyCondition and " 
         "a System.") ]  
class CIM_Component 
{ 
        [Aggregate, Key, Description ( 
         "The parent element in 
   "PolicyAction.  These condition and action objects are tied to " 
   "instances of PolicyRule by the association.") ]  
    CIM_ManagedSystemElement REF GroupComponent; 
        [Key, Description ("The child element in PolicyConditionInPolicyRule and " 
   "PolicyActionInPolicyRule aggregations.\n" 
   "\n" 
   "A PolicyRule may also be associated with one or more policy " 
   "time periods, indicating the association.") ]  
    CIM_ManagedSystemElement REF PartComponent; 
}; 
 
// ================================================================== 
// Dependency    
// ================================================================== 
        [Association, Abstract, Description (    
        "CIM_Dependency is a generic association used schedule according to establish which the "    
        "dependency relationships between ManagedElements.") ]     
class CIM_Dependency     
{    
        [Key, Description (    
        "Antecedent represents 
   "policy rule is active and inactive.  In this case it is the independent object in " 
   "PolicyRuleValidityPeriod aggregation that provides this "    
        "association.") ]     
  CIM_ManagedElement REF Antecedent;    
        [Key, Description (    
    "Dependent represents the object dependent on 
   "linkage.\n" 
   "\n" 
   "The PolicyRule class uses the property ConditionListType, to "    
    "Antecedent.") ]     
  CIM_ManagedElement REF Dependent;    
};    
                  
// =================================================================== 
//    ElementSetting 
// =================================================================== 
        [Association, Description ( 
         "ElementSetting represents the association between Managed" 
         "SystemElements and 
   "indicate whether the Setting class(es) defined conditions for them.") 
] 
class CIM_ElementSetting 
{ 
        [Key, Description ("The ManagedSystemElement.") ] 
   CIM_ManagedSystemElement REF Element; 
        [Key, Description ( 
         "The Setting object associated with the ManagedSystem" 
         "Element.") ] 
   CIM_Setting REF Setting; 
}; 
// ================================================================== 
// MemberOfCollection     
// ================================================================== 
        [Association, Aggregation, Description (    
        "CIM_MemberOfCollection rule are in DNF or " 
   "CNF.  The PolicyConditionInPolicyRule aggregation contains " 
   "two additional properties to complete the representation of " 
   "the Rule's conditional expression.  The first of these " 
   "properties is an aggregation used integer to establish partition the referenced "    
        "membership 
   "PolicyConditions into one or more groups, and the second is a " 
   "Boolean to indicate whether a referenced Condition is " 
   "negated.  An example shows how ConditionListType and these " 
   "two additional properties provide a unique representation " 
   "of a set of ManagedElements PolicyConditions in either DNF or CNF.\n" 
   "\n" 
   "Suppose we have a Collection." ) ]   
  
Jason, et al            Expires September 2001               [Page 88] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
class CIM_MemberOfCollection   
{    
        [Key, Aggregate, Description ("The Collection PolicyRule that aggregates 
members") ]     
  CIM_Collection REF Collection; 
        [Key, Description ("The aggregated member five " 
   "PolicyConditions C1  through C5, with the following values " 
   "in the properties of the collection.") 
]     
  CIM_ManagedElement REF Member;    
};    
 
// ================================================================== 
//     CIM_SystemSettingContext 
// ================================================================== 
        [Association, Aggregation, Description ( 
         "This relationship associates System-specific Configuration five PolicyConditionInPolicyRule " 
         "objects with System-specific Setting objects, similar to 
   "associations:\n" 
   " 
         "the    C1:  GroupNumber = 1, ConditionNegated = FALSE\n" 
   " 
         "SettingContext association.")] 
class CIM_SystemSettingContext { 
        [Aggregate, Key, Description ( 
         "The Configuration object that aggregates the Setting.") ] 
   CIM_SystemConfiguration REF Context; 
        [Key, Description ("An aggregated Setting.")] 
   CIM_SystemSetting REF Setting; 
};    C2:  GroupNumber = 1, ConditionNegated = TRUE\n" 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 89] 123] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
Appendix B (DMTF User Model MOF) 
 
// ================================================================== 
// OrganizationalEntity 
// ================================================================== 
   [Abstract, Description (   
   "OrganizationalEntity is an abstract class from which classes 
 
 
   " 
   "that fit into an organizational structure are derived.") ] 
class CIM_OrganizationalEntity : CIM_ManagedElement    
   {   
   }; 
 
// ================================================================== 
// UserEntity 
// ================================================================== 
   [Abstract, Description (   
   "UserEntity    C3:  GroupNumber = 1, ConditionNegated = FALSE\n" 
   "    C4:  GroupNumber = 2, ConditionNegated = FALSE\n" 
   "    C5:  GroupNumber = 2, ConditionNegated = FALSE\n" 
   "\n" 
   "If ConditionListType = DNF, then the overall condition for " 
   "the PolicyRule is:\n" 
   "        (C1 AND (NOT C2) AND C3) OR (C4 AND C5)\n" 
   "\n" 
   "On the other hand, if ConditionListType = CNF, then the " 
   "overall condition for the PolicyRule is:\n" 
   "        (C1 OR (NOT C2) OR C3) AND (C4 OR C5)\n" 
   "\n" 
   "In both cases, there is an abstract class unambiguous specification of " 
   "the overall condition that represents users.") ] 
class CIM_UserEntity : CIM_OrganizationalEntity  
   {   
   }; 
 
// ================================================================== 
// UsersAccess 
// ================================================================== 
   [Description (   
   "The UsersAccess object class is used tested to specify a system user determine whether " 
   "that permitted access 
   "to perform the PolicyActions associated with the PolicyRule.\n" 
   "\n" 
   "PolicyRule instances may also be used to system resources.  The ManagedElement aggregate other " 
   "that has access to system resources (represented in the model 
   "PolicyRules and/or PolicyGroups.  When used in this way to " 
   "the ElementAsUser association) may be a person, a service, a 
   "implement nested rules, the conditions of the aggregating rule " 
   "service access point or any collection thereof. Whereas 
   "apply to the subordinate rules as well.  However, any side " 
   "Account class represents 
   "effects of condition evaluation or the user's relationship to a system execution of actions MUST " 
   "from 
   "NOT affect the perspective result of the security services evaluation of other conditions " 
   "evaluated by the system, rule engine in the same evaluation pass.  That " 
   "UserAccess class represents the relationships to 
   "is, an implementation of a rule engine MAY evaluate all " 
   "conditions in any order before applying the systems priority and " 
   "independent of a particular system or service.") 
   "determining which actions are to be executed.") 
   ] 
class CIM_UsersAccess: CIM_UserEntity CIM_PolicyRule : CIM_PolicySet 
{ 
        [Propagated("CIM_System.CreationClassName"), 
         Key, MaxLen (256), 
         Description ("The scoping System's CreationClassName.") 
        ] 
    string SystemCreationClassName; 
        [Propagated("CIM_System.Name"), 
         Key, MaxLen (256), 
         Description ("The scoping System's Name.") 
        ] 
    string SystemName; 
        [Key, MaxLen (256), Description ( 
        "CreationClassName indicates the name of the class or the " 
        "subclass used in the creation of an instance. When used " 
        "with the other key properties of this class, this property " 
        "allows all instances of this class and its subclasses to " 
        "be uniquely identified.")] identified.") ] 
    string CreationClassName; 
        [Key, MaxLen (256),Description (256), Description (   
      "The Name property defines the label by which the object is " 
        "known.")] 
        "A user-friendly name of this PolicyRule.") 
        ] 
    string Name; 
      [Key, Description PolicyRuleName; 
        [Description ( 
        "The ElementID property uniquely specifies the ManagedElement " 
        "object instance that is the user represented by the " 
        "UsersAccess object instance.  The ElementID 
        "Indicates whether this PolicyRule is formatted administratively " 
        "similarly to a model path except that the property-value " 
        "pairs are ordered in alphabetical order (US ASCII lexical 
        "enabled, administratively disabled, or enabled for " 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 90] 124] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
        "order).")] 
   string ElementID; 
      [Description (  
        "Biometric information used to identify a person.  The " 
        "property 
 
 
        "debug. When the property has the value 3 (\"enabledFor" 
        "Debug\"), the entity evaluating the PolicyConditions is left null or set " 
        "instructed to 'N/A' evaluate the conditions for non-human " 
        "user or a user the Rule, but not using biometric information for " 
        "authentication."), 
        Values { "N/A", "Other", "Facial", "Retina", "Mark", "Finger",  
                 "Voice", "DNA-RNA", "EEG"} ] 
   uint16 Biometric[]; 
   }; 
 
// ==================================================================  
//    SecurityService 
// ================================================================== 
        [ Abstract, Description ( 
         "CIM_SecurityService ...") ] 
class CIM_SecurityService:CIM_Service 
{ 
}; 
 
// ==================================================================  
//    AuthenticationService 
// ================================================================== 
   [Description ( 
   "CIM_AuthenticationService verifies users' identities through 
        "to perform the actions if the PolicyConditions evaluate to " 
   "some means.  These services are decomposed into 
        "TRUE. This serves as a subclass that " 
   "provides credentials debug vehicle when attempting to users and a subclass that provides for " 
   "the verification of the validity of 
        "determine what policies would execute in a credential and, perhaps, particular " 
   "the appropriateness of its use for access 
        "scenario, without taking any actions to target resources. " 
   "The persistent change state information used from one such verification " 
   "to another 
        "during the debugging. The default value is maintained in an Account for that Users Access on 1 " 
   "that AuthenticationService.") ] 
class CIM_AuthenticationService:CIM_SecurityService 
        "(\"enabled\")."), 
        ValueMap { 
   }; 
 
// ==================================================================  
//    CredentialManagementService 
// ================================================================== 
   [Description ( 
   "CIM_CredentialManagementService issues credentials and manages " 
   "the credential lifecycle.") ]  
class CIM_CredentialManagementService:CIM_AuthenticationService "1", "2", "3" }, 
        Values { 
   }; 
 
// ==================================================================  
//    CertificateAuthority 
// ================================================================== "enabled", "disabled", "enabledForDebug" } 
        ] 
    uint16 Enabled; 
        [Description ("A Certificate Authority (CA) is a credential " 
         "management service that issues and cryptographically " 
         "signs certificates thus acting as an trusted third-party " 
  
Jason, et al            Expires September 2001               [Page 91] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "intermediary in establishing trust relationships. The CA " 
         "authenicates ( 
        "Indicates whether the holder list of the private key related to the PolicyConditions " 
         "certificate's public key; the authenicated entity 
        "associated with this PolicyRule is in disjunctive " 
         "represented by the UsersAccess class.") ] 
class CIM_CertificateAuthority:CIM_CredentialManagementService 
        "normal form (DNF) or conjunctive normal form (CNF)." 
        "The default value is 1 (\"DNF\")."), 
        ValueMap { "1", "2" }, 
        Values { "DNF", "CNF" } 
        ] 
    uint16 ConditionListType; 
        [Description ( 
         "The CAPolicyStatement describes what care is taken by the " 
         "CertificateAuthority when signing a new certificate.  " 
         "The CAPolicyStatment may 
        "A free-form string that can be a dot-delimited ASN.1 OID " 
         "string which identifies used to the formal policy statement.") provide " 
        "guidelines on how this PolicyRule should be used.") 
        ] 
    string CAPolicyStatement; 
        [Description RuleUsage; 
        [DEPRECATED {"CIM_PolicySetComponent.Priority"}, 
        Description ( "A CRL, or CertificateRevocationList, 
        "PolicyRule.Priority is a " 
         "list of certificates which the CertificateAuthority has " 
         "revoked deprecated and which are not yet expired.  Revocation is replaced by " 
         "necessary when the private key associated with 
        "providing the priority for a rule (and a group) in the public " 
         "key 
        "context of the aggregating PolicySet instead of a certificate is lost or compromised, or when the " 
         "person 
        "priority being used for whom the certificate is signed no longer is all aggregating PolicySet " 
         "entitled to use 
        "instances.  Thus, the certificate."), Octetstring ] 
    string CRL[]; 
        [Description ("Certificate Revocation Lists may be " 
         "available from a number assignment of distribution points.  " 
         "CRLDistributionPoint array priority values provide URIs for those is much " 
         "distribution points.")] 
    string CRLDistributionPoint[]; 
        [Description ( "Certificates refer 
        "simpler.\n" 
        "\n" 
        "A non-negative integer for prioritizing this Policy" 
        "Rule relative to their issuing CA by other Rules. A larger value " 
         "its Distinguished Name (as defined in X.501)."), DN] 
    string CADistinguishedName; 
        "indicates a higher priority. The default value is 0.") 
        ] 
    uint16 Priority; 
        [Description ( "The frequency, expressed in hours, at which " 
           "the CA will update its Certificate Revocation List.  Zero " 
           "implies 
        "A flag indicating that the refresh frequency is unknown."), 
           Units("Hours")] 
    uint8 CRLRefreshFrequency; 
        [Description ( "The maximum number evaluation of certificates in a the Policy" 
        "Conditions and execution of PolicyActions (if the " 
         "certificate chain permitted for credentials issued by 
        "Conditions evaluate to TRUE) is required. The " 
         "this certificate authority or it's subordinate CAs.\n" 
         "The MaxChainLength 
        "evaluation of a superior CA in PolicyRule MUST be attempted if the trust " 
         "hierarchy should be greater than this 
        "Mandatory property value and is TRUE.  If the Mandatory " 
         "MaxChainLength 
        "property is FALSE, then the evaluation of a subordinate CA in the trust hierarchy Rule " 
         "should 
        "is 'best effort' and MAY be less than this value.")] 
    uint8 MaxChainLength; 
}; 
 
// ==================================================================  
//    KerberosKeyDistributionCenter 
// ================================================================== ignored.") 
        ] 
    boolean Mandatory; 
        [Description ( 
         "CIM_KerberosKeyDistributionCenter ...") ] 
class CIM_KerberosKeyDistributionCenter:CIM_CredentialManagementService 
{ 
        [Override ("Name"), 
         Description ("The Realm served by this KDC.")]  
    string Name; 
        "This property gives a policy administrator a way " 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 92] 125] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
        [Description ("The version 
 
 
        "of specifying how the ordering of Kerberos supported by this the PolicyActions " 
         "service."), 
         Values {"V4", "V5", "DCE", "MS"} ] 
    uint16 Protocol[]; 
}; 
 
// ==================================================================  
//    Notary 
// ================================================================== 
        [Description ( 
         "CIM_Notary 
        "associated with this PolicyRule is an AuthenticationService (credential to be interpreted. " 
         "management service) which compares the 
        "Three values are supported:\n" 
        " 
         "biometric characteristics of a person with  o mandatory(1): Do the actions in the indicated " 
         "known characteristics of an Users Access, and determines 
        " 
         "whether    order, or don't do them at all.\n" 
        "  o recommended(2): Do the person is actions in the UsersAccess.  An example is indicated " 
         "a bank teller who compares a picture ID with 
        "    order if you can, but if you can't do them in this " 
        "    order, do them in another order if you can.\n" 
        "  o dontCare(3): Do them -- I don't care about the person " 
         "trying to cash a check, or a biometric login service that 
        " 
         "uses voice recognition to identify a user.") ] 
class CIM_Notary:CIM_CredentialManagementService 
{ 
        [Description (    order.\n" 
        "The types of biometric information which " 
           "this Notary can compare."), default value is 3 (\"dontCare\")."), 
        ValueMap { "1", "2", "3" }, 
        Values { "N/A", "Other", "Facial", "Retina", "Mark", 
                  "Finger", "Voice", "DNA-RNA", "EEG"} "mandatory", "recommended", "dontCare" } 
        ] 
    uint16 Comparitors; SequencedActions; 
        [Description ( 
         "The SealProtocol is how the decision of 
        "ExecutionStrategy defines the Notary is strategy to be used in " 
         "recorded for future use 
        "executing the sequenced actions aggregated by parties who will rely on its " 
         "decision.  For instance, a drivers licence frequently this " 
         "includes tamper-resistent coatings and markings 
        "PolicyRule. There are three execution strategies:\n" 
        "\n" 
        "Do Until Success - execute actions according to protect predefined\n" 
        " 
         "the recorded decision that a driver, having various " 
         "biometric characteristics                   order, until successful execution of height, weight, hair and eye " 
         "color, using a particular name, has features represented in a\n" 
        " 
         "a photograph of their face.")] 
    string SealProtocol; 
        [Description ( 
         "CharterIssued documents when the Notary is first                   single action.\n" 
        "Do All -           execute ALL actions which are part of\n" 
        " 
         "authorized, by whoever gave it responsibility,                   the modeled set, according to perform their\n" 
        " 
         "its service.")] 
    datetime CharterIssued; 
        [Description ( 
         "CharterExpired documents when                   predefined order. Continue doing this,\n" 
        "                   even if one or more of the Notary is no longer actions " 
         "authorized, by whoever gave it responsibility, 
        "                   fails.\n" 
        "Do Until Failure - execute actions according to perform predefined\n" 
        " 
         "its service.")] 
    datetime CharterExpired;                   order, until the first failure in\n" 
        "                   execution of an action instance."), 
        Values {"1", "2", "3"}, 
        ValueMap {"Do Until Success", "Do All", "Do Until Failure"}] 
    uint16 ExecutionStrategy; 
}; 
 
// ================================================================== 
//    LocalCredentialManagementService ReusablePolicyContainer 
// ================================================================== 
   [Description ( 
         "CIM_LocalCredentialManagementService is a credential 
         "A class representing an administratively defined " 
         "management service that provides local system 
         "container for reusable policy-related information. " 
         "This class does not introduce any additional " 
         "properties beyond those in its superclass " 
         "AdminDomain.  It does, however, participate in a " 
         "unique association for containing policy elements." 
         "\n\n" 
         "An instance of this class uses the NameFormat value" 
         "\"ReusablePolicyContainer\".") 
   ] 
class CIM_ReusablePolicyContainer : CIM_AdminDomain 
{ 
}; 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 93] 126] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "management of credentials used by the local system.") ] 
class 
CIM_LocalCredentialManagementService:CIM_CredentialManagementService 
{ 
}; 
 
 
 
 
// ================================================================== 
//    SharedSecretService PolicyRepository  *** deprecated 
// ================================================================== 
        [Description 
   [DEPRECATED{"CIM_ReusablePolicyContainer"},  
           Description ( 
         "CIM_SharedSecretService is a service which ascertains 
         "The term 'PolicyRepository' has been confusing to both " 
         "whether messages received are from 
           "developers and users of the Principal with model.  The replacement class " 
         "whom a secret 
           "name describes model element properly and is shared.  Examples include a login " 
         "service that proves identity on the basis of knowledge of " 
         "the shared secret, or a transport integrity service (like less likely " 
         "Kerberos provides) that includes 
           "to be confused with a message authenticity data repository." 
           "\n\n" 
         "A class representing an administratively defined " 
         "code that proves each message in the messsage stream came 
         "container for reusable policy-related information. " 
         "from someone who knows the shared secret session key.")] 
         "This class CIM_SharedSecretService:CIM_LocalCredentialManagementService 
{ 
        [MaxLen (256), Description ( 
         "The Algorithm used to convey the shared secret, such as does not introduce any additional " 
         "HMAC-MD5,or PLAINTEXT.") ]  
    string Algorithm; 
        [Description ( 
         "The Protocol supported by the SharedSecretService.")] 
    string Protocol; 
}; 
 
// ==================================================================  
//    PublicKeyManagementService 
// ================================================================== 
        [Description ( 
         "CIM_PublicKeyManagementService is 
         "properties beyond those in its superclass " 
         "AdminDomain.  It does, however, participate in a credential management " 
         "service that provides local system management 
         "number of public " 
         "keys used by unique associations." 
         "\n\n" 
         "An instance of this class uses the local system.") NameFormat value" 
         "\"PolicyRepository\".") 
   ] 
class 
CIM_PublicKeyManagementService:CIM_LocalCredentialManagementService CIM_PolicyRepository : CIM_AdminDomain 
{ 
}; 
 
// ================================================================== 
//    Credential PolicyCondition 
// ================================================================== 
   [Abstract, Description ( 
         "Subclasses of CIM_Credential define materials, " 
         "information, or other data which are used to prove the " 
         "identity of a CIM_UsersAccess to 
         "A class representing a particular " 
         "CIM_SecurityService.  Generally, there may be some shared " 
         "information, rule-specific or credential material which is used to " 
         "identify and authenticate ones self in the process of reusable policy " 
         "gaining access to, or permission 
         "condition to use, an Account. " 
         "Such credential material may be used to authenticate evaluated in conjunction with a " 
  
Jason, et al            Expires September 2001               [Page 94] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
         "users access identity  initially, as done by Policy" 
         "Rule. Since all operational details of a PolicyCondition " 
         "CIM_AuthenticationService (see later), and additionally on " 
         "an ongoing basis during the course 
         "are provided in subclasses of a connection or this object, this class is " 
         "other  security association, as proof that each received 
         "abstract.") 
   ] 
class CIM_PolicyCondition : CIM_Policy 
{ 
        [Key, MaxLen (256), Description ( 
          " 
         "message  The name of the class or communication came from the owning user access " 
         "of subclass used in the " 
         "that credential material.") ] 
class CIM_Credential:CIM_ManagedElement 
{ 
}; 
 
// ==================================================================  
//    PublicKeyCertificate 
// ================================================================== 
        [Description ("A Public Key Certificate is a credential 
          "creation of the System object in whose scope this " 
         "that 
          "PolicyCondition is cryptographically signed by a trusted Certificate defined.\n\n" 
          " 
         "Authority (CA) and issued to an authenticated entity  " 
         "(e.g., human user, service,etc.) called 
          "This property helps to identify the Subject System object in " 
         "the certificate and represented by 
          "whose scope this instance of PolicyCondition exists. " 
          "For a rule-specific PolicyCondition, this is the UsersAccess class. System " 
         "The public key in 
          "in whose context the certificate PolicyRule is cryptographically defined. For a " 
         "related to 
          "reusable PolicyCondition, this is the instance of " 
          "PolicyRepository (which is a private key subclass of System) that is to be held and kept " 
         "private by 
          "holds the authenticated Subject.  The certificate Condition.\n\n" 
          " 
         "and its related private key can then be used for  " 
         "establishing trust relationships 
          "Note that this property, and securing " 
         "communications with the Subject.  Refer to the ITU/CCITT analogous property " 
         "X.509 standard as 
          "SystemName, do not represent propagated keys from an example of such certificates.") ] 
class CIM_PublicKeyCertificate:CIM_Credential 
{ 
         [Propagated ("CIM_System.CreationClassName"),  
          Key, MaxLen (256), Description ("Scoping System")] 
     string SystemCreationClassName; 
         [Propagated ("CIM_System.Name"),  
          Key, MaxLen (256),Description ("Scoping System")] 
     string SystemName; 
         [Propagated ("CIM_CertificateAuthority.CreationClassName"), 
          Key, MaxLen (256), Description ("Scoping Service")] 
     string ServiceCreationClassName; 
         [Propagated ("CIM_CertificateAuthority.Name"),  
          Key, MaxLen (256), Description ("Scoping Service")] 
     string ServiceName;  
         [Key, MaxLen (256), Description ( 
          "Certificate subject identifier")] 
     string Subject; 
         [MaxLen (256), Description ( 
          "Alternate subject identifier for the Certificate.")] 
     string AltSubject; 
         [Description ("The DER-encoded raw public key."), Octetstring] 
     uint8 PublicKey[]; 
}; 
 
// ==================================================================  
//    UnsignedPublicKey 
// ================================================================== " 
  
Jason, et al           Expires September 2001 20-January-2002             [Page 95] 127] 

Internet Draft     IPsec Configuration Policy Model         March 2001 
 
 
        [Description ( 
         "A CIM_UnsignedPublicKey represents an unsigned public 
 
 
          "instance of the class System. Instead, they are " 
         "key credential.  The local UsersAccess (or subclass 
          "properties defined in the context of this class, which " 
         "thereof) accepts 
          "repeat the public key as authentic because values from the instance of System to which " 
         "a direct trust relationship rather than 
          "this PolicyCondition is related, either directly via a third-party the " 
         "Certificate Authority.") 
          "PolicyConditionInPolicyRepository association or indirectly" 
          " via the PolicyConditionInPolicyRule aggregation.") 
        ] 
class CIM_UnsignedPublicKey:CIM_Credential 
{ 
         [Propagated ("CIM_System.CreationClassName"),  
          Key, MaxLen (256), Description ("Scoping System")] 
    string SystemCreationClassName; 
         [Propagated ("CIM_System.Name"),  
          Key, MaxLen (256),Description ("Scoping System")] 
     string SystemName; 
         [Propagated 
("CIM_PublicKeyManagementService.CreationClassName"), 
          Key, MaxLen (256), Description ("Scoping Service")] 
     string ServiceCreationClassName; 
         [Propagated ("CIM_PublicKeyManagementService.Name"),  
          Key, 
        [Key, MaxLen (256), Description ("Scoping Service")] ( 
         "  The name of the System object in whose scope this " 
         "PolicyCondition is defined.\n\n" 
         "  " 
         "This property completes the identification of the System " 
         "object in whose scope this instance of PolicyCondition " 
         "exists.  For a rule-specific PolicyCondition, this is the " 
         "System in whose context the PolicyRule is defined.  For a " 
         "reusable PolicyCondition, this is the instance of " 
         "PolicyRepository (which is a subclass of System) that " 
         "holds the Condition.") 
        ] 
    string ServiceName; SystemName; 
        [Key, MaxLen (256), Description ( 
          "The Identity 
         "For a rule-specific PolicyCondition, the " 
         "CreationClassName of the Peer PolicyRule object with whom a direct trust which " 
          "relationship exists.  The public key may 
         "this Condition is associated.  For a reusable Policy" 
         "Condition, a special value, 'NO RULE', should be used for to " 
          "security functions 
         "indicate that this Condition is reusable and not " 
         "associated with the Peer."), 
         ModelCorrespondence  
           {"CIM_PublicKeyManagementService.PeerIdentityType" } a single PolicyRule.") 
        ] 
    string PeerIdentity; 
           [Description ("PeerIdentityType is used to describe PolicyRuleCreationClassName; 
        [Key, MaxLen (256), Description ( 
         "For a rule-specific PolicyCondition, the " 
          "type name of the PeerIdentity.  The currently defined values " 
          "are used for IKE identities."), 
           ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8",  
          "9", "10", "11"}, 
           Values {"Other", "IPV4_ADDR", "FQDN", "USER_FQDN",  
          "IPV4_ADDR_SUBNET", "IPV6_ADDR", "IPV6_ADDR_SUBNET",  
          "IPV4_ADDR_RANGE", "IPV6_ADDR_RANGE", "DER_ASN1_DN",  
          "DER_ASN1_GN", "KEY_ID"}, 
         ModelCorrespondence  
           {"CIM_PublicKeyManagementService.PeerIdentity" } ] 
     uint16 PeerIdentityType; 
         [Description ("The DER-encoded raw public key."),  
          Octetstring] 
     uint8 PublicKey[]; 
}; 
 
// ==================================================================  
//    KerberosTicket 
// ================================================================== 
        [Description ( 
         "A CIM_KerberosTicket represents 
         "the PolicyRule object with which this Condition is " 
         "associated.  For a credential issued by reusable PolicyCondition, a " 
         "particular Kerberos Key Distribution Center (KDC) 
         "special value, 'NO RULE', should be used to indicate " 
         "to 
         "that this Condition is reusable and not associated " 
         "with a particular CIM_UsersAccess as single PolicyRule.") 
        ] 
    string PolicyRuleName; 
        [Key, MaxLen (256), Description ( 
           "Creation