WDIFF

draft-ietf-ipsp-config-policy-model-04.txt --> draft-ietf-ipsp-config-policy-model-05.txt

Internet Engineering Task Force Jamie Jason
INTERNET DRAFT Intel Corporation
November-2001
February-2002 Lee Rafalow
IBM
Eric Vyncke
Cisco Systems

IPsec Configuration Policy Model
draft-ietf-ipsp-config-policy-model-04.txt
draft-ietf-ipsp-config-policy-model-05.txt

Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Abstract

This document presents an object-oriented information model of IPsec
policy designed to:
o facilitate agreement about the content and semantics of IPsec
policy
o enable derivations of task-specific representations of IPsec
policy such as storage schema, distribution representations,
and policy specification languages used to configure IPsec-
enabled endpoints
The schema information model described in this document models the IKE phase one
configuration parameters as described in [IKE] and defined by the IP Security protocol [COMP,
ESP, AH]. The information model also covers the IKE phase two parameters
for found by
the IPsec Domain Internet Key Exchange [DOI, IKE] protocol. Other key exchange
protocols could be easily added to the information model by a simple
extension. Other extensions can further be added easily due to the
object-oriented nature of Interpretation as described in [COMP, ESP,
AH, DOI]. It the model.

This information model is based upon the core policy classes as
defined in the Policy Core Information Model (PCIM) [PCIM] and on
the Policy Core Information Model Extensions (PCIMe) [PCIME].

Jason, et al [Page 1]

Internet Draft IPsec Configuration Policy Model November 2001 February 2002

Table of Contents

Status of this Memo................................................1
Abstract...........................................................1
Table of Contents..................................................2
1. Introduction....................................................7 Introduction....................................................6
1. Introduction....................................................6
2. UML Conventions.................................................7 Conventions.................................................6
3. IPsec Policy Model Inheritance Hierarchy........................8 Hierarchy........................7
4. Policy Classes.................................................13 Classes.................................................12
4.1. The Class IPsecPolicyGroup...................................14 IPsecPolicyGroup...................................13
4.2. The Class SARule.............................................15 SARule.............................................14
4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
PolicyDecisionStrategy............................................15
PolicyDecisionStrategy............................................14
4.2.2 The Property ExecutionStrategy.............................16 ExecutionStrategy.............................14
4.2.3 The Property LimitNegotiation..............................17 LimitNegotiation..............................16
4.3. The Class IKERule............................................18 IKERule............................................17
4.3.1. The Property IdentityContexts..............................18 IdentityContexts..............................17
4.4. The Class IPsecRule..........................................19
4.6. IPsecRule..........................................17
4.5. The Association Class IPsecPolicyForEndpoint.................19
4.6.1. IPsecPolicyForEndpoint.................18
4.5.1. The Reference Antecedent...................................20
4.6.2. Antecedent...................................18
4.5.2. The Reference Dependent....................................20
4.7. Dependent....................................18
4.6. The Association Class IPsecPolicyForSystem...................20
4.7.1. The Reference Antecedent...................................20
4.7.2. The Reference Dependent....................................20
4.8. The Aggregation Class RuleForIKENegotiation..................21
4.8.1. The Property Priority......................................21
4.8.2. IPsecPolicyForSystem...................18
4.6.1. The Reference GroupComponent...............................21
4.8.3. Antecedent...................................18
4.6.2. The Reference PartComponent................................21
4.9. Dependent....................................19
4.7. The Aggregation Class RuleForIPsecNegotiation................21
4.9.1. SARuleInPolicyGroup....................19
4.7.1. The Property Priority......................................21
4.9.2. Priority......................................19
4.7.2. The Reference GroupComponent...............................22
4.9.3. GroupComponent...............................19
4.7.3. The Reference PartComponent................................22
4.10. PartComponent................................19
4.8. The Aggregation Class SAConditionInRule.....................22
4.10.1. SAConditionInRule......................19
4.8.1. The Properties GroupNumber and ConditionNegated...........22
4.10.2. ConditionNegated............20
4.8.2. The Reference GroupComponent..............................22
4.10.3. GroupComponent...............................20
4.8.3. The Reference PartComponent...............................22
4.11. PartComponent................................20
4.9. The Aggregation Class PolicyActionInSARule..................22
4.11.1. PolicyActionInSARule...................20
4.9.1. The Reference GroupComponent..............................23
4.11.2. GroupComponent...............................20
4.9.2. The Reference PartComponent...............................23
4.11.3. PartComponent................................20
4.9.3. The Property ActionOrder..................................23 ActionOrder...................................20
5. Condition and Filter Classes...................................24 Classes...................................22
5.1. The Class SACondition........................................24 SACondition........................................22
5.2. The Class IPHeaderFilter.....................................25 IPHeadersFilter....................................23
5.3. The Class CredentialFilterEntry..............................25 CredentialFilterEntry..............................23
5.3.1. The Property MatchFieldName................................25 MatchFieldName................................23
5.3.2. The Property MatchFieldValue...............................26 MatchFieldValue...............................24
5.3.3. The Property CredentialType................................26 CredentialType................................24
5.4. The Class IPSOFilterEntry....................................26 IPSOFilterEntry....................................24
5.4.1. The Property MatchConditionType............................27 MatchConditionType............................25
5.4.2. The Property MatchConditionValue...........................27 MatchConditionValue...........................25
5.5. The Class PeerIDPayloadFilterEntry...........................27 PeerIDPayloadFilterEntry...........................25
5.5.1. The Property MatchIdentityType.............................28

Jason, et al Expires May-2002 [Page 2]

Internet Draft IPsec Configuration Policy Model November 2001 MatchIdentityType.............................25
5.5.2. The Property MatchIdentityValue............................28 MatchIdentityValue............................26
5.6. The Association Class FilterOfSACondition....................29 FilterOfSACondition....................26
5.6.1. The Reference Antecedent...................................29 Antecedent...................................27
5.6.2. The Reference Dependent....................................29 Dependent....................................27
5.7. The Association Class AcceptCredentialFrom...................29 AcceptCredentialFrom...................27
5.7.1. The Reference Antecedent...................................30 Antecedent...................................27
5.7.2. The Reference Dependent....................................30 Dependent....................................28
6. Action Classes.................................................31 Classes.................................................28
6.1. The Class SAAction...........................................32 SAAction...........................................29
6.1.1. The Property DoActionLogging...............................32 DoActionLogging...............................30
6.1.2. The Property DoPacketLogging...............................32 DoPacketLogging...............................30

Jason, et al Expires August-2002 [Page 2]

Internet Draft IPsec Configuration Policy Model February 2002

6.2. The Class SAStaticAction.....................................33 SAStaticAction.....................................30
6.2.1. The Property LifetimeSeconds...............................33 LifetimeSeconds...............................31
6.3. The Class IPsecBypassAction..................................34 IPsecBypassAction..................................31
6.4. The Class IPsecDiscardAction.................................34 IPsecDiscardAction.................................31
6.5. The Class IKERejectAction....................................34 IKERejectAction....................................32
6.6. The Class PreconfiguredSAAction..............................34 PreconfiguredSAAction..............................32
6.6.1. The Property LifetimeKilobytes.............................35 LifetimeKilobytes.............................32
6.7. The Class PreconfiguredTransportAction.......................35 PreconfiguredTransportAction.......................33
6.8. The Class PreconfiguredTunnelAction..........................36 PreconfiguredTunnelAction..........................33
6.8.1. The Property DFHandling....................................36 DFHandling....................................33
6.9. The Class SANegotiationAction................................36 SANegotiationAction................................33
6.10. The Class IKENegotiationAction..............................37 IKENegotiationAction..............................34
6.10.1. The Property MinLifetimeSeconds...........................37 MinLifetimeSeconds...........................34
6.10.2. The Property MinLifetimeKilobytes.........................37 MinLifetimeKilobytes.........................34
6.10.3. The Property RefreshThresholdSeconds......................38
6.10.4. The Property RefreshThresholdKilobytes....................38
6.10.5. The Property IdleDurationSeconds..........................38 IdleDurationSeconds..........................35
6.11. The Class IPsecAction.......................................39 IPsecAction.......................................35
6.11.1. The Property UsePFS.......................................39 UsePFS.......................................35
6.11.2. The Property UseIKEGroup..................................39 UseIKEGroup..................................35
6.11.3. The Property GroupId......................................40 GroupId......................................36
6.11.4. The Property Granularity..................................40 Granularity..................................36
6.11.5. The Property VendorID.....................................40 VendorID.....................................36
6.12. The Class IPsecTransportAction..............................41 IPsecTransportAction..............................36
6.13. The Class IPsecTunnelAction.................................41 IPsecTunnelAction.................................37
6.13.1. The Property DFHandling...................................41 DFHandling...................................37
6.14. The Class IKEAction.........................................41 IKEAction.........................................37
6.14.1. The Property RefreshThresholdDerivedKeys..................42 ExchangeMode.................................37
6.14.2. The Property ExchangeMode.................................42 UseIKEIdentityType...........................38
6.14.3. The Property UseIKEIdentityType...........................42 VendorID.....................................38
6.14.4. The Property VendorID.....................................43
6.14.5. The Property AggressiveModeGroupId........................43 AggressiveModeGroupId........................38
6.15. The Class PeerGateway.......................................43 PeerGateway.......................................38
6.15.1. The Property Name.........................................43 Name.........................................39
6.15.2. The Property PeerIdentityType.............................44 PeerIdentityType.............................39
6.15.3. The Property PeerIdentity.................................44 PeerIdentity.................................39
6.16. The Association Class PeerGatewayForTunnel..................44 PeerGatewayForTunnel..................39
6.16.1. The Reference Antecedent..................................45 Antecedent..................................40
6.16.2. The Reference Dependent...................................45 Dependent...................................40
6.16.3. The Property SequenceNumber...............................45 SequenceNumber...............................40
6.17. The Aggregation Class ContainedProposal.....................45 ContainedProposal.....................40
6.17.1. The Reference GroupComponent..............................46

Jason, et al Expires May-2002 [Page 3]

Internet Draft IPsec Configuration Policy Model November 2001 GroupComponent..............................41
6.17.2. The Reference PartComponent...............................46 PartComponent...............................41
6.17.3. The Property SequenceNumber...............................46 SequenceNumber...............................41
6.18. The Association Class HostedPeerGatewayInformation..........46 HostedPeerGatewayInformation..........41
6.18.1. The Reference Antecedent..................................46 Antecedent..................................41
6.18.2. The Reference Dependent...................................47 Dependent...................................41
6.19. The Association Class TransformOfPreconfiguredAction........47 TransformOfPreconfiguredAction........41
6.19.1. The Reference Antecedent..................................47 Antecedent..................................42
6.19.2. The Reference Dependent...................................47 Dependent...................................42
6.19.3. The Property SPI..........................................47 SPI..........................................42
6.19.4. The Property Direction....................................48 Direction....................................42
6.20 The Association Class PeerGatewayForPreconfiguredTunnel......48 PeerGatewayForPreconfiguredTunnel......42
6.20.1. The Reference Antecedent..................................48 Antecedent..................................43
6.20.2. The Reference Dependent...................................48 Dependent...................................43
7. Proposal and Transform Classes.................................49 Classes.................................44
7.1. The Abstract Class SAProposal................................49 SAProposal................................44
7.1.1. The Property Name..........................................49 Name..........................................44
7.2. The Class IKEProposal........................................50 IKEProposal........................................44
7.2.1. The Property LifetimeDerivedKeys...........................50 CipherAlgorithm...............................45
7.2.2. The Property CipherAlgorithm...............................50 HashAlgorithm.................................45
7.2.3. The Property HashAlgorithm.................................51 PRFAlgorithm..................................45
7.2.4. The Property PRFAlgorithm..................................51 GroupId.......................................45
7.2.5. The Property GroupId.......................................51 AuthenticationMethod..........................46

Jason, et al Expires August-2002 [Page 3]

Internet Draft IPsec Configuration Policy Model February 2002

7.2.6. The Property AuthenticationMethod..........................51 MaxLifetimeSeconds............................46
7.2.7. The Property MaxLifetimeSeconds............................52 MaxLifetimeKilobytes..........................46
7.2.8. The Property MaxLifetimeKilobytes..........................52
7.2.9. The Property VendorID......................................52 VendorID......................................46
7.3. The Class IPsecProposal......................................52 IPsecProposal......................................47
7.4. The Abstract Class SATransform...............................53 SATransform...............................47
7.4.1. The Property TransformName.................................53 TransformName.................................47
7.4.2. The Property VendorID......................................53 VendorID......................................47
7.4.3. The Property MaxLifetimeSeconds............................53 MaxLifetimeSeconds............................47
7.4.4. The Property MaxLifetimeKilobytes..........................54 MaxLifetimeKilobytes..........................48
7.5. The Class AHTransform........................................54 AHTransform........................................48
7.5.1. The Property AHTransformId.................................54 AHTransformId.................................48
7.5.2. The Property UseReplayPrevention...........................54 UseReplayPrevention...........................48
7.5.3. The Property ReplayPreventionWindowSize....................55 ReplayPreventionWindowSize....................48
7.6. The Class ESPTransform.......................................55 ESPTransform.......................................49
7.6.1. The Property IntegrityTransformId..........................55 IntegrityTransformId..........................49
7.6.2. The Property CipherTransformId.............................55 CipherTransformId.............................49
7.6.3. The Property CipherKeyLength...............................56 CipherKeyLength...............................49
7.6.4. The Property CipherKeyRounds...............................56 CipherKeyRounds...............................49
7.6.5. The Property UseReplayPrevention...........................56 UseReplayPrevention...........................50
7.6.6. The Property ReplayPreventionWindowSize....................56 ReplayPreventionWindowSize....................50
7.7. The Class IPCOMPTransform....................................57 IPCOMPTransform....................................50
7.7.1. The Property Algorithm.....................................57 Algorithm.....................................50
7.7.2. The Property DictionarySize................................57 DictionarySize................................51
7.7.3. The Property PrivateAlgorithm..............................57 PrivateAlgorithm..............................51
7.8. The Association Class SAProposalInSystem.....................57 SAProposalInSystem.....................51
7.8.1. The Reference Antecedent...................................58 Antecedent...................................51
7.8.2. The Reference Dependent....................................58 Dependent....................................51
7.9. The Aggregation Class ContainedTransform.....................58 ContainedTransform.....................51
7.9.1. The Reference GroupComponent...............................58 GroupComponent...............................52
7.9.2. The Reference PartComponent................................59

Jason, et al Expires May-2002 [Page 4]

Internet Draft IPsec Configuration Policy Model November 2001 PartComponent................................52
7.9.3. The Property SequenceNumber................................59 SequenceNumber................................52
7.10. The Association Class SATransformInSystem...................59 SATransformInSystem...................52
7.10.1. The Reference Antecedent..................................59 Antecedent..................................53
7.10.2. The Reference Dependent...................................59 Dependent...................................53
8. IKE Service and Identity Classes...............................61 Classes...............................54
8.1. The Class IKEService.........................................62 IKEService.........................................55
8.2. The Class PeerIdentityTable..................................62 PeerIdentityTable..................................55
8.3.1. The Property Name..........................................62 Name..........................................55
8.3. The Class PeerIdentityEntry..................................63 PeerIdentityEntry..................................55
8.3.1. The Property PeerIdentity..................................63 PeerIdentity..................................56
8.3.2. The Property PeerIdentityType..............................63 PeerIdentityType..............................56
8.3.3. The Property PeerAddress...................................63 PeerAddress...................................56
8.3.4. The Property PeerAddressType...............................63 PeerAddressType...............................56
8.4. The Class AutostartIKEConfiguration..........................64 AutostartIKEConfiguration..........................56
8.5. The Class AutostartIKESetting................................64 AutostartIKESetting................................57
8.5.1. The Property Phase1Only....................................64 Phase1Only....................................57
8.5.2. The Property AddressType...................................65 AddressType...................................57
8.5.3. The Property SourceAddress.................................65 SourceAddress.................................58
8.5.4. The Property SourcePort....................................65 SourcePort....................................58
8.5.5. The Property DestinationAddress............................65 DestinationAddress............................58
8.5.6. The Property DestinationPort...............................66 DestinationPort...............................58
8.5.7. The Property Protocol......................................66 Protocol......................................58
8.6. The Class IKEIdentity........................................66 IKEIdentity........................................58
8.6.1. The Property IdentityType..................................67 IdentityType..................................59
8.6.2. The Property IdentityValue.................................67 IdentityValue.................................59
8.6.3. The Property IdentityContexts..............................67 IdentityContexts..............................59
8.7. The Association Class HostedPeerIdentityTable................68 HostedPeerIdentityTable................60
8.7.1. The Reference Antecedent...................................68 Antecedent...................................60
8.7.2. The Reference Dependent....................................68 Dependent....................................60
8.8. The Aggregation Class PeerIdentityMember.....................68 PeerIdentityMember.....................60
8.8.1. The Reference Collection...................................68 Collection...................................60

Jason, et al Expires August-2002 [Page 4]

Internet Draft IPsec Configuration Policy Model February 2002

8.8.2. The Reference Member.......................................69 Member.......................................61
8.9. The Association Class IKEServicePeerGateway..................69 IKEServicePeerGateway..................61
8.9.1. The Reference Antecedent...................................69 Antecedent...................................61
8.9.2. The Reference Dependent....................................69 Dependent....................................61
8.10. The Association Class IKEServicePeerIdentityTable...........69 IKEServicePeerIdentityTable...........61
8.10.1. The Reference Antecedent..................................70 Antecedent..................................61
8.10.2. The Reference Dependent...................................70 Dependent...................................62
8.11. The Association Class IKEAutostartSetting...................70 IKEAutostartSetting...................62
8.11.1. The Reference Element.....................................70 Element.....................................62
8.11.2. The Reference Setting.....................................70 Setting.....................................62
8.12. The Aggregation Class AutostartIKESettingContext............70 AutostartIKESettingContext............62
8.12.1. The Reference Context.....................................71 Context.....................................62
8.12.2. The Reference Setting.....................................71 Setting.....................................63
8.12.3. The Property SequenceNumber...............................71 SequenceNumber...............................63
8.13. The Association Class IKEServiceForEndpoint.................71 IKEServiceForEndpoint.................63
8.13.1. The Reference Antecedent..................................72 Antecedent..................................63
8.13.2. The Reference Dependent...................................72 Dependent...................................63
8.14. The Association Class IKEAutostartConfiguration.............72 IKEAutostartConfiguration.............63
8.14.1. The Reference Antecedent..................................72 Antecedent..................................64
8.14.2. The Reference Dependent...................................72 Dependent...................................64
8.14.3. The Property Active.......................................72 Active.......................................64
8.15. The Association Class IKEUsesCredentialManagementService....73

Jason, et al Expires May-2002 [Page 5]

Internet Draft IPsec Configuration Policy Model November 2001 IKEUsesCredentialManagementService....64
8.15.1. The Reference Antecedent..................................73 Antecedent..................................64
8.15.2. The Reference Dependent...................................73 Dependent...................................65
8.16. The Association Class EndpointHasLocalIKEIdentity...........73 EndpointHasLocalIKEIdentity...........65
8.16.1. The Reference Antecedent..................................74 Antecedent..................................65
8.16.2. The Reference Dependent...................................74 Dependent...................................65
8.17. The Association Class CollectionHasLocalIKEIdentity.........74 CollectionHasLocalIKEIdentity.........65
8.17.1. The Reference Antecedent..................................74 Antecedent..................................66
8.17.2. The Reference Dependent...................................74 Dependent...................................66
8.18. The Association Class IKEIdentitysCredential................75 IKEIdentitysCredential................66
8.18.1. The Reference Antecedent..................................75 Antecedent..................................66
8.18.2. The Reference Dependent...................................75 Dependent...................................66
9. Implementation Requirements....................................75 Requirements....................................66
10. Security Considerations.......................................79 Considerations.......................................70
11. Intellectual Property.........................................80 Property.........................................70
12. Acknowledgments...............................................80 Acknowledgments...............................................70
13. References....................................................80 References....................................................71
14. Disclaimer....................................................81 Disclaimer....................................................71
15. Authors' Addresses............................................82 Addresses............................................72
16. Full Copyright Statement......................................82 Statement......................................72

Jason, et al Expires May-2002 August-2002 [Page 6] 5]

Internet Draft IPsec Configuration Policy Model November 2001 February 2002

1. Introduction

Internet Protocol

IP security (IPsec) policy may assume a variety of forms as it
travels from storage to distribution point to decision point. At
each step, it needs to be represented in a way that is convenient for
the current task. For example, the policy could exist as, but is not
limited to:

o a Lightweight Directory Access Protocol (LDAP) [LDAP] schema in
a directory
o an on-the-wire representation over a transport protocol like the
Common Object Policy Service (COPS) [COPS, COPSPR]
o a text-based policy specification language suitable for editing
by an administrator
o an Extensible Markup Language (XML) document

Each of these task-specific representations should be derived from a
canonical representation that precisely specifies the content and
semantics of the IPsec policy. The purpose of this This document is to
abstract IPsec policy into captures this concept
and introduces a task-independent canonical representation that is
not constrained by any particular task-dependent representation.

This for IPsec
policies.

In order to have a simple information model, this document is organized as follows: focuses
mainly on the existing protocols [COMP, ESP, AH, DOI, IKE]. The
model can easily be extended if needed due to its object-oriented
nature.

This document is organized as follows:

o Section 2 provides a quick introduction to the Unified Modeling
Language (UML) graphical notation conventions used in this
document.

o Section 3 provides the inheritance hierarchy that describes
where the IPsec policy classes fit into the policy class
hierarchy already defined by the Policy Core Information Model
(PCIM) and Policy Core Information Model Extensions (PCIMe).

o Sections 4 through 8 describes the class that make up the IPsec
policy model.

o Section 9 presents the implementation requirements for the
classes in the model (i.e., the MUST/MAY/SHOULD status).

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS].

2. UML Conventions

For this document, a UML static class diagram was chosen as the
canonical representation for the IPsec policy model. The reason
behind this decision is that UML provides a graphical, task-
independent way to model systems. A treatise on the graphical
notation used in UML is beyond the scope of this paper. However,
given the use of ASCII drawing for UML static class diagrams, a
description of the notational conventions used in this document is in
order:

Jason, et al Expires May-2002 [Page 7]

Internet Draft IPsec Configuration Policy Model November 2001

o Boxes represent classes, with class names in brackets ([])
representing an abstract class.

Jason, et al Expires August-2002 [Page 6]

Internet Draft IPsec Configuration Policy Model February 2002

o A line that terminates with an arrow (<, >, ^, v) denotes
inheritance. The arrow always points to the parent class.
Inheritance can also be called generalization or specialization
(depending upon the reference point). A base class is a
generalization of a derived class, and a derived class is a
specialization of a base class.
o Associations are used to model a relationship between two
classes. Classes that share an association are connected using
a line. A special kind of association is also used: an
aggregation. An aggregation models a whole-part relationship
between two classes. Associations, and therefore aggregations,
can also be modeled as classes.
o A line that begins with an "o" denotes aggregation. Aggregation
denotes containment in which the contained class and the
containing class have independent lifetimes.
o Next to a line representing an association appears a
cardinality. Cardinalities indicate the constraints on the
number of object instances in a set of relationships. Every
association instance has a single set of references. The
cardinality indicates the number of instances that may refer to
a given object instance. The cardinality may be:
- a range in the form "lower bound..upper bound" indicating the
minimum and maximum number of objects.
- a number that indicates the exact number of objects.
- an asterisk indicating any number of objects, including zero.
Using an asterisk is shorthand for 0..n.
- the letter n indicating from 1 to many. Using the letter n is
shorthand for 1..n.
o A class that has an association may have a "w" next to the line
representing the association. This is called a weak association
and is discussed in [PCIM].

It should be noted that the UML static class diagram presented is a
conceptual view of IPsec policy designed to aid in understanding.
It does not necessarily get translated class for class into another
representation. For example, an LDAP implementation may flatten out
the representation to fewer classes (because of the inefficiency of
following references).

3. IPsec Policy Model Inheritance Hierarchy

Like PCIM and PCIMe from which it is derived, the IPsec Configuration
Policy Model derives from and uses classes defined in the DMTF [DMTF]
Common Information Model (CIM). The following tree represents the
inheritance hierarchy for the IPsec policy model classes and how they
fit into PCIM, PCIMe and the other DMTF models (see Appendices for
descriptions of classes that are not being introduced as part of
IPsec model). CIM classes that are not used as a superclass from
which to derive new classes but are only referenced are not included
this inheritance hierarchy, but can be

Jason, et al Expires May-2002 [Page 8]

Internet Draft IPsec Configuration Policy Model November 2001 found in the appropriate DMTF
document [CIMCORE], [CIMUSER] or [CIMNETWORK].

ManagedElement (DMTF Core Model - [CIMCORE])
|
+--Collection (DMTF Core Model - [CIMCORE])
| |
| +--PeerIdentityTable
|
+--ManagedSystemElement (DMTF Core Model - [CIMCORE])
| |
| +--LogicalElement (DMTF Core Model - [CIMCORE])

Jason, et al Expires August-2002 [Page 7]

Internet Draft IPsec Configuration Policy Model February 2002

Jason, et al Expires May-2002 [Page 9]

Jason, et al Expires August-2002 [Page 8]

Internet Draft IPsec Configuration Policy Model February 2002

Jason, et al Expires May-2002 [Page 10]

Internet Draft IPsec Configuration Policy Model November 2001
| |
| +--SystemSetting (DMTF Core Model - [CIMCORE])
| |
| +--AutostartIKESetting
|
+--SystemConfiguration (DMTF Core Model - [CIMCORE])
|
+--AutostartIKEConfiguration

The following tree represents the inheritance hierarchy of the IPsec
policy model association classes and how they fit into PCIM and the
other DMTF models (see Appendices for description of associations
classes that are not being introduced as part of IPsec model).

Jason, et al Expires August-2002 [Page 9]

Internet Draft IPsec Configuration Policy Model February 2002

Jason, et al Expires May-2002 [Page 11]

Internet Draft IPsec Configuration Policy Model November 2001
|
+--TransformOfPreconfiguredAction
|
+--UsersCredential (DMTF User Model - [CIMUSER])
|
+--IKEIdentitysCredential

ElementSetting (DMTF Core Model - [CIMCORE])
|
+--IKEAutostartSetting

MemberOfCollection (DMTF Core Model - [CIMCORE])
|
+--PeerIdentityMember

Jason, et al Expires August-2002 [Page 10]

Internet Draft IPsec Configuration Policy Model February 2002

SystemSettingContext (DMTF Core Model - [CIMCORE])
|
+--AutostartIKESettingContext

Jason, et al Expires May-2002 August-2002 [Page 12] 11]

Internet Draft IPsec Configuration Policy Model November 2001 February 2002

4. Policy Classes

The IPsec policy classes represent the set of policies that are
contained on a system.

+--------------+
| PolicySet |*
| ([PCIMe]) |o--+
+--------------+ |
^ *| |(a)
| +------+
|
+--------------------+ +-------------+
| IPProtocolEndpoint | | PolicyGroup |
| ([CIMNETWORK]) | | ([PCIM]) |
+--------------------+ +-------------+
|* ^
+-----------------+ |
|(b) |
| |
|0..1 |
+------------------+0..1 (c) *+------------+
| IPsecPolicyGroup |-----------| System |
+------------------+ | ([CIMCORE])|
1 o o 1 +------------+
(d) | | (e)
+-----------------------+ +--------------------------+
|
+-----------------+
|
| +---------------------------+
| | | PolicyTimePeriodCondition |
| | | ([PCIM]) |
|
| +---------------------------+
|
| *| |
| |(f) |
| *o |
|
+-------------+ |(e)
*| o*
+-------------+n *+--------+* *+----------+* n+--------------+
|
| | SACondition |------o| |----o| SARule |o-------| PolicyAction | |
|
+-------------+ (f) +----------+ (g) +--------+ (h) | ([PCIM]) | |
|
^ +--------------+
|
| | *| ^
|
| | |(i) | | |(h) |
| *o | |
|
+-----------------+ +----------------------+
| | | | | CompoundPolicyAction |
| | | | | ([PCIMe]) |
| | | | +----------------------+
+---------+ +-----------+
|
| *+---------+ +-----------+* |
+-----| IKERule | | IPsecRule |---------------------------+ |
+---------+ +-----------+

(a) PolicySetComponent ([PCIMe])
(b) IPsecPolicyForEndpoint
(c) IPsecPolicyForSystem

Jason, et al Expires May-2002 [Page 13]

Internet Draft IPsec Configuration Policy Model November 2001
(d) RuleForIKENegotiation SARuleInPolicyGroup
(e) RuleForIPsecNegotiation
(f) PolicyRuleValidityPeriod ([PCIM])
(g)
(f) SAConditionInRule
(h)
(g) PolicyActionInSARule
(i)
(h) PolicyActionInPolicyAction ([PCIMe])

An IPsecPolicyGroup represents the set of policies that are used on
an interface. This IPsecPolicyGroup SHOULD be associated either

Jason, et al Expires August-2002 [Page 12]

Internet Draft IPsec Configuration Policy Model February 2002

directly with the IPProtocolEndpoint class instance that represents
the interface (via the IPsecPolicyForEndpoint association) or
indirectly (via the IPsecPolicyForSystem association) associated
with the System that hosts the interface.

The IKE and IPsec rules are used to build or to negotiate the IPsec
SADB. The IPsec rules represent the Security Policy Database. The
SADB itself is not modeled by this document.

The IKE and IPsec rules usage can be described as (see also section
6 about actions):

o an egress unprotected packet will first be checked against the
IPsec rules. If a match is found, the SADB will be checked. If
there is no corresponding IPsec SA in the SADB and if IKE
negotiation is required by the IPsec rule, the corresponding IKE
rules will be used. The negotiated or preconfigured SA will then
be installed in the SADB.
o An ingress unprotected packet will first be checked against the
IPsec rules. If a match is found, the SADB will be checked for a
corresponding IPsec SA. If there is no corresponding IPsec SA
and a preconfigured SA exists, this preconfigured SA will be
installed in the IPsec SADB. This behavior should only apply to
bypass and discard actions.
o An ingress protected packet will first be checked against the
IPsec rules. If a match is found, the SADB will be checked for a
corresponding IPsec SA. If there is no corresponding IPsec SA
and a preconfigured SA exists, this preconfigured SA will be
installed in the IPsec SADB.
o An ingress IKE negotiation packet, which is not part of an
existing IKE SA, will be checked against the IKE rules. The
negotiated SA will then be
SACondition for the IKERule will usually be composed of a
PeerIDPayloadFilterEntry (typically for a aggressive mode IKE
negotiation) or a IPHeadersFilter. The negotiated SA will then
be installed in the SADB.

It is expected that when a IKE negotiation has to be initiated when
required by an IPsec rule, the set of IKE rules will be checked. The
IKE rules check will be based on the outgoing IKE packet using
IPHeadersFilter entries (typically using the HdrDstAddress property).

4.1. The Class IPsecPolicyGroup

The class IPsecPolicyGroup serves as a container of either other
IPsecPolicyGroups or a set of IKERules and a set of IPsecRules. SARules. The class definition for
IPsecPolicyGroup is as follows:

NAME IPsecPolicyGroup
DESCRIPTION Either a set of IPsecPolicyGroups or a set of IKERules
and a set of IPsecRules. SARules.
DERIVED FROM PolicyGroup (see [PCIM] & [PCIMe])
ABSTRACT FALSE

Jason, et al Expires May-2002 [Page 14]

Internet Draft IPsec Configuration Policy Model November 2001
PROPERTIES PolicyGroupName (from PolicyGroup)
PolicyDescisionStrategy (from PolicySet)

NOTE: for derivations of the schema that are used for policy
distribution to an IPsec device (for example, COPS-PR), the server
may follow all of PolicySetComponent associations and create one
policy group which is simply a set of all of the IKE rules and a set
of all of the IPsec rules. See the section on the

Jason, et al Expires August-2002 [Page 13]

Internet Draft IPsec Configuration Policy Model February 2002

PolicySetComponent aggregation for information on merging multiple
IPsecPolicyGroups.

4.2. The Class SARule

The class SARule serves as a base class for IKERule and IPsecRule.
Even though the class is concrete, it MUST not be instantiated. It
defines a common connection point for associations to conditions and
actions for both types of rules. Through its derivation from
PolicyRule, an a SARule (and therefore IKERule and IPsecRule) also has
the PolicyRuleValidityPeriod association.

Each valid IpsecPolicyGroup IPsecPolicyGroup MUST contain SARules that each have a
unique associated priority number in PolicySetComponent.Priority.
The class definition for SARule is as follows:

NAME SARule
DESCRIPTION A base class for IKERule and IPsecRule.
DERIVED FROM PolicyRule (see [PCIM] & [PCIMe])
ABSTRACT FALSE
PROPERTIES PolicyRuleName (from PolicyRule)
Enabled (from PolicyRule)
ConditionListType (from PolicyRule)
RuleUsage (from PolicyRule)
Mandatory (from PolicyRule)
SequencedActions (from PolicyRule)
ExecutionStrategy (from PolicyRule)
PolicyRoles (from PolicyRule)
PolicyDecisionStrategy (from PolicySet)
LimitNegotiation

4.2.1. The Properties PolicyRuleName, Enabled, ConditionListType,
RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
PolicyDecisionStrategy

For a description of these properties, see [PCIM] and [PCIME].

In SARule subclass instances:
- if the property Mandatory exists, it MUST be set to "true"
- if the property SequencedActions exists, it MUST be set to
"mandatory"
- the property PolicyRoles is not used in the device-level model
- if the property PolicyDecisionStrategy exists, it must be set to
"FirstMatching"

Jason, et al Expires May-2002 [Page 15]

Internet Draft IPsec Configuration Policy Model November 2001

4.2.2 The Property ExecutionStrategy

The ExecutionStrategy properties in the PolicyRule subclasses (and in
the CompoundPolicyAction class) determine the behavior of the
contained actions. It defines the strategy to be used in executing
the sequenced actions aggregated by a rule or a compound action. In
the case of actions within a rule, the PolicyActionInSARule
aggregation is used to collect the actions into an ordered set; in
the case of a compound action, the PolicyActionInPolicyAction
aggregation is used to collect the actions into an ordered subset.

There are three execution strategies: do until success, do all and do
until failure.

"Do Until Success" causes the execution of actions according to the
ActionOrder property in the aggregation instances until a successful

Jason, et al Expires August-2002 [Page 14]

Internet Draft IPsec Configuration Policy Model February 2002

execution of a single action. These actions may be evaluated to
determine if they are appropriate to execute rather than blindly
trying each of the actions until one succeeds. For an initiator,
they are tried in the ActionOrder until the list is exhausted or one
completes successfully. For example, an IKE initiator may have
several IKEActions for the same SACondition. The initiator will try
all IKEActions in the order defined by ActionOrder. I.e. it will
possibly try several phase 1 negotiations possibly with different
modes (main mode then aggressive mode) and/or with possibly multiple
IKE peers. For a responder, when there is more than one action in
the rule with "do until success" condition clause this provides
alternative actions depending on the received proposals. For
example, the same IKERule may be used to handle aggressive mode and
main mode negotiations with different actions. The responder uses
the first appropriate action in the list of actions.

"Do All" causes the execution all of the actions in aggregated set
according to their defined order. The execution continues regardless
of failures.

"Do Until Failure" causes the execution of all actions according to
predefined order until the first failure in execution of an action
instance. Please note that if all actions are successful then the
aggregated result is a failure. This execution strategy is inherited
from [PCIME] and is not expected to be of any use for IPsec
configuration.

For example, in a nested SAs case the actions of an initiator's rule
might be structured as:

IPsecRule.ExecutionStrategy='Do All'
|
+---1--- IPsecTunnelAction // set up SA from host to gateway
|
+---2--- IPsecTransportAction // set up SA from host through
// tunnel to remote host

Another example, showing a rule with fallback actions might be
structured as:

Jason, et al Expires May-2002 [Page 16]

Internet Draft IPsec Configuration Policy Model November 2001

IPsecRule.ExecutionStrategy='Do Until Success'
|
+---6--- IPsecTransportAction // negotiate SA with peer
|
+---9--- IPsecBypassAction // but if you must, allow in the clear

The CompoundPolicyAction class (See [PCIME]) may be used in
constructing the actions of IKE and IPsec rules when those rules
specify both multiple actions and fallback actions. The
ExecutionStrategy property in CompoundPolicyAction is used in
conjunction with that in the PolicyRule.

For example, in nesting SAs with a fallback security gateway, the
actions of a rule might be structured as:

IPsecRule.ExecutionStrategy='Do All'
|
+---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success'
| |
| +---1--- IPsecTunnelAction // set up SA from host to
| | // gateway1

Jason, et al Expires August-2002 [Page 15]

Internet Draft IPsec Configuration Policy Model February 2002

| |
| +---2--- IPsecTunnelAction // or set up SA to gateway2
|
+---2--- IPsecTransportAction // then set up SA from host
// through tunnel to remote
// host

In the case of "Do All", a couple of actions can be executed
successfully before a subsequent action fails. In this case, some IKE
or IPsec actions may have resulted in SA SAs creation. Even if the net
effect of the aggregated actions is failure, those created SA SAs MAY be
kept or MAY be deleted.

In the case of "Do All", the IPsec selectors to be used during IPsec
SA negotiation are:

- for the last IPsecAction of the aggregation (i.e. usually the
innermost IPsec SA): this is the combination of the IPHeadersFilter
class and of the Granularity property of the IpsecAction; IPsecAction;

- for all other IPsecActions of the aggregation: the selector is the
source IP address being the local IP address and the destination IP
address being the PeerGateway IP address of the following IPsecAction
of the "Do All" aggregation. NB: the granularity is IP address to IP
address.

If the above behavior is not desirable, the alternative is to define
several SARules one for each IPsec SA to be built. This will allow
the definition of specific IPsec selectors for all IpsecActions. IPsecActions.

4.2.3 The Property LimitNegotiation

Jason, et al Expires May-2002 [Page 17]

Internet Draft IPsec Configuration Policy Model November 2001

The property LimitNegotiation is used as part of processing either an
IKE or an IPsec rule.

Before proceeding with a phase 1 negotiation, this property is
checked to determine if the negotiation role of the rule matches that
defined for the negotiation being undertaken (e.g., Initiator,
Responder, or Both). If this check fails (e.g. the current role is
IKE responder while the rule specifies IKE initiator), then the IKE
negotiation is stopped. Note that this only applies to new IKE phase
1 negotiations and has no effect on either renegotiation or refresh
operations with peers for which an established SA already exists.

Before proceeding with a phase 2 negotiation, the LimitNegotiation
property of the IPsecRule is first checked to determine if the
negotiation role indicated for the rule matches that of the current
negotiation (Initiator, Responder, or Either). Note that this limit
applies only to new phase 2 negotiations. It is ignored when an
attempt is made to refresh an expiring SA (either side can initiate a
refresh operation). The IKE system can determine that the
negotiation is a refresh operation by checking to see if the selector
information matches that of an existing SA. If LimitNegotiation does
not match and the selector corresponds to a new SA, the negotiation
is stopped.

The property is defined as follows:

NAME LimitNegotiation
DESCRIPTION Limits the role to be undertaken during negotiation.
SYNTAX unsigned 16-bit integer

Jason, et al Expires August-2002 [Page 16]

Internet Draft IPsec Configuration Policy Model February 2002

VALUE 1 - initiator-only
2 - responder-only
3 - both

4.3. The Class IKERule

The class IKERule associates Conditions and Actions for IKE phase 1
negotiations. The class definition for IKERule is as follows:

NAME IKERule
DESCRIPTION Associates Conditions and Actions for IKE phase 1
negotiations.
DERIVED FROM SARule
ABSTRACT FALSE
PROPERTIES same as SARule, plus
IdentityContexts

4.3.1. The Property IdentityContexts

The IKE service of a security endpoint may have multiple identities
for use in different situations. The combination of the interface
(represented by the IPProtocolEndpoint), IPProtocolEndpoint or by a collection of
IPProtocolEndpoints), the identity type (as

Jason, et al Expires May-2002 [Page 18]

Internet Draft IPsec Configuration Policy Model November 2001 specified in the
IKEAction) and the IdentityContexts specifies a unique identity.

The IdentityContexts property specifies the context to select the
relevant IKE identity to be used during the further IKEAction. A
context may be a VPN name or other identifier for selecting the
appropriate identity for use on the protected IPProtocolEndpoint. IPProtocolEndpoint (or
collection of IPProtocolEndpoints).

IdentityContexts is an array of strings. The multiple values in the
array are ORed logically OR�d together in evaluating the IdentityContexts.
Each value in the array may be the composition of multiple context
names. So, a single value may be a single context name (e.g.,
"CompanyXVPN") or it may be combination of contexts. When an array
value is a composition, the individual values are ANDed logically AND�d
together for evaluation purposes and the syntax is:

<ContextName>[&&<ContextName>]*

where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). So, for example,
the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
"CompanyZVPN&&Confidential" means that, for the appropriate
IPProtocolEndpoint and IdentityType, the contexts are matched if the
identity specifies "CompanyXVPN" or "CompanyYVPN&&TopSecret" or
"CompanyZVPN&&Confidential".

The property is defined as follows:

NAME IdentityContexts
DESCRIPTION Specifies the context in which to select the IKE
identity.
SYNTAX string array

4.4. The Class IPsecRule

The class IPsecRule associates Conditions and Actions for IKE phase 2
negotiations for the IPsec DOI. The class definition for IPsecRule
is as follows:

NAME IPsecRule
DESCRIPTION Associates

Jason, et al Expires August-2002 [Page 17]

Internet Draft IPsec Configuration Policy Model February 2002

NAME IPsecRule
DESCRIPTION Associates Conditions and Actions for IKE phase 2
negotiations for the IPsec DOI.
DERIVED FROM SARule
ABSTRACT FALSE
PROPERTIES same as SARule

4.6.

4.5. The Association Class IPsecPolicyForEndpoint

The class IPsecPolicyForEndpoint associates an IPsecPolicyGroup with
a specific network interface. If an IPProtocolEndpoint of a system
does not have an IPsecPolicyForEndpoint-associated IPsecPolicyGroup,
then the IPsecPolicyForSystem associated IPsecPolicyGroup is used

Jason, et al Expires May-2002 [Page 19]

Internet Draft IPsec Configuration Policy Model November 2001 for
that endpoint. The class definition for IPsecPolicyForEndpoint is as
follows:

NAME IPsecPolicyForEndpoint
DESCRIPTION Associates a policy group to a network interface.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]]
Dependent[ref IPsecPolicyGroup[0..1]]

4.6.1.

4.5.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an IPProtocolEndpoint instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may be
associated with zero or more IPProtocolEndpoint instances.

4.6.2.

4.5.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IPsecPolicyGroup instance. The [0..1] cardinality
indicates that an IPProtocolEndpoint instance may have an association
to at most one IPsecPolicyGroup instance.

4.7.

4.6. The Association Class IPsecPolicyForSystem

The class IPsecPolicyForSystem associates an IPsecPolicyGroup with a
specific system. If an IPProtocolEndpoint of a system does not have
an IPsecPolicyForEndpoint-associated IPsecPolicyGroup, then the
IPsecPolicyForSystem associated IPsecPolicyGroup is used for that
endpoint. The class definition for IPsecPolicyForSystem is as
follows:

NAME IPsecPolicyForSystem
DESCRIPTION Default policy group for a system.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent[ref System[0..n]]
Dependent[ref IPsecPolicyGroup[0..1]]

4.7.1.

4.6.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [0..n] cardinality
indicates that an IPsecPolicyGroup instance may have an association
to zero or more System instances.

4.7.2.

Jason, et al Expires August-2002 [Page 18]

Internet Draft IPsec Configuration Policy Model February 2002

4.6.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IPsecPolicyGroup instance. The [0..1] cardinality
indicates that a System instance may have an association to at most
one IPsecPolicyGroup instance.

Jason, et al Expires May-2002 [Page 20]

Internet Draft IPsec Configuration Policy Model November 2001

4.8.

4.7. The Aggregation Class RuleForIKENegotiation SARuleInPolicyGroup

The class RuleForIKENegotiation SARuleInPolicyGroup associates an IKERule a SARule with the
IPsecPolicyGroup that contains it. The class definition for
RuleForIKENegotiation
SARuleInPolicyGroup is as follows:

NAME RuleForIKENegotiation SARuleInPolicyGroup
DESCRIPTION Associates an IKERule a SARule with the IPsecPolicyGroup that
contains it.
DERIVED FROM PolicySetComponent (see [PCIME])
ABSTRACT FALSE
PROPERTIES Priority (from PolicySetComponent)
GroupComponent [ref IPsecPolicyGroup [1..1]]
PartComponent [ref IKERule SARule [0..n]]

4.8.1. The Property Priority

For a description of this property, see [PCIME].

4.8.2. The Reference GroupComponent

The property GroupComponent is inherited from
PolicyRuleInPolicyGroup and is overridden to refer to an
IPsecPolicyGroup instance. The [1..1] cardinality indicates that

Note: an
IKERule implementation can easily partition the set of SARules
aggregated by a SARuleInPolicyGroup instance may be contained in into one IKERule
instances subset and only into one
IPsecPolicyGroup instance (i.e., IKERules are not shared across
IPsecPolicyGroups).

4.8.3. The Reference PartComponent

The property PartComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IKERule instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may contain
zero or more IKERule instances.

4.9. The Aggregation Class RuleForIPsecNegotiation

The class RuleForIPsecNegotiation associates an IPsecRule with instances subset based on the
IPsecPolicyGroup that contains it. The
class definition for
RuleForIPsecNegotiation is as follows:

NAME RuleForIPsecNegotiation
DESCRIPTION Associates an IPsecRule with type of the IPsecPolicyGroup that
contains it.
DERIVED FROM PolicySetComponent (see [PCIME])
ABSTRACT FALSE
PROPERTIES Priority (from PolicySetComponent)
GroupComponent [ref IPsecPolicyGroup [1..1]]
PartComponent [ref component instances (being either IKERule or
IPsecRule [0..n]]

4.9.1. instances).

4.7.1. The Property Priority

Jason, et al Expires May-2002 [Page 21]

Internet Draft IPsec Configuration Policy Model November 2001

For a description of this property, see [PCIME].

4.9.2.

4.7.2. The Reference GroupComponent

The property GroupComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IPsecPolicyGroup instance. The
[1..1] cardinality indicates that an
IPsecRule a SARule instance may be contained
in one and only one IPsecPolicyGroup instance (i.e., IPsecRules SARules are not
shared across IPsecPolicyGroups).

4.9.3.

4.7.3. The Reference PartComponent

The property PartComponent is inherited from PolicyRuleInPolicyGroup
and is overridden to refer to an IPsecRule a SARule instance. The [0..n]
cardinality indicates that an IPsecPolicyGroup instance may contain
zero or more IPsecRules instance.

4.10. SARule instances.

4.8. The Aggregation Class SAConditionInRule

The class SAConditionInRule associates an SARule with the SACondition
instance(s) that trigger(s) it. The class definition for
SAConditionInRule is as follows:

NAME SAConditionInRule
DESCRIPTION Associates an SARule with the SACondition instance(s)
that trigger(s) it.
DERIVED FROM PolicyConditionInPolicyRule (see [PCIM] & [PCIMe])
ABSTRACT FALSE
PROPERTIES GroupNumber (from PolicyConditionInPolicyRule)
ConditionNegated (from PolicyConditionInPolicyRule)
GroupComponent [ref SARule [0..n]]

Jason, et al Expires August-2002 [Page 19]

Internet Draft IPsec Configuration Policy Model February 2002

PartComponent [ref SACondition [1..n]]

4.10.1.

4.8.1. The Properties GroupNumber and ConditionNegated

For a description of these properties, see [PCIM].

4.10.2.

4.8.2. The Reference GroupComponent

The property GroupComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SACondition
instance may be contained in zero or more SARule instances.

4.10.3.

Note: the 0 cardinality allows SACondition instances to exist
without being contained in a SARule.

4.8.3. The Reference PartComponent

The property PartComponent is inherited from
PolicyConditionInPolicyRule and is overridden to refer to an
SACondition instance. The [1..n] cardinality indicates that an
SARule instance MUST contain at least one SACondition instance.

4.11.

4.9. The Aggregation Class PolicyActionInSARule

Jason, et al Expires May-2002 [Page 22]

Internet Draft IPsec Configuration Policy Model November 2001

The PolicyActionInSARule class associates an SARule with one or more
PolicyAction instances. In all cases where an SARule is being used,
the contained actions MUST be either subclasses of SAAction or
instances of CompoundPolicyAction. For an IKERule, the contained
actions MUST be related to phase 1 processing, i.e., IKEAction or
IKERejectAction. Similarly, for an IPsecRule, contained actions MUST
be related to phase 2 or preconfigured SA processing, e.g.,
IPsecTransportAction, IPsecBypassAction, etc. The class definition
for PolicyActionInSARule is as follows:

NAME PolicyActionInSARule
DESCRIPTION Associates an SARule with its PolicyAction(s).
DERIVED FROM PolicyActionInPolicyRule (see [PCIM] & [PCIMe])
ABSTRACT FALSE
PROPERTIES GroupComponent [ref SARule [0..n]]
PartComponent [ref PolicyAction [1..n]]
ActionOrder (from PolicyActionInPolicyRule)

4.11.1.

4.9.1. The Reference GroupComponent

The property GroupComponent is inherited from
PolicyActionInPolicyRule and is overridden to refer to an SARule
instance. The [0..n] cardinality indicates that an SAAction instance
may be contained in zero or more SARule instances.

4.11.2.

4.9.2. The Reference PartComponent

The property PartComponent is inherited from PolicyActionInPolicyRule
and is overridden to refer to an SAAction or CompoundPolicyAction
instance. The [1..n] cardinality indicates that an SARule instance
MUST contain at least one SAAction or CompoundPolicyAction instance.

4.11.3.

4.9.3. The Property ActionOrder

The property ActionOrder is inherited from the superclass
PolicyActionInPolicyRule. It specifies the relative position of this

Jason, et al Expires August-2002 [Page 20]

Internet Draft IPsec Configuration Policy Model February 2002

PolicyAction in the sequence of actions associated with a PolicyRule.
The ActionOrder MUST be unique so as to provide a deterministic
order. In addition, the actions in an SARule are executed as
follows. See section 4.2.2 ExecutionStrategy for a discussion on the
use of the ActionOrder property.

The property is defined as follows:

NAME ActionOrder
DESCRIPTION Specifies the order of actions.
SYNTAX unsigned 16-bit integer
VALUE Any value between 1 and 2^16-1 inclusive. Lower values
have higher precedence (i.e., 1 is the highest
precedence). The merging order of two SAActions with
the same precedence is undefined.

Jason, et al Expires May-2002 August-2002 [Page 23] 21]

Internet Draft IPsec Configuration Policy Model November 2001 February 2002

5. Condition and Filter Classes

The IPsec condition and filter classes are used to build the "if"
part of the IKE and IPsec rules.

*+-------------+
+--------------------| SACondition |
| +-------------+
| * |
| |(a)
| 1 |
| +---------------+
| | FilterList |
| |([CIMNETWORK]) |
| +---------------+
| 1 o
|(b) |(c)
| * |
| +-----------------+
| | FilterEntryBase |
| | ([CIMNETWORK]) |
| +-----------------+
| ^
| |
| +----------------+ +-----------------+ | +-----------------------+
| | IPHeaderFilter IPHeadersFilter |----+----| CredentialFilterEntry |
| | ([PCIME]) | | +-----------------------+
| +----------------+ +-----------------+ |
| |
| +-----------------+ | +--------------------------+
| | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
| +-----------------+ +--------------------------+
|
| *+-----------------------------+
+------------| CredentialManagementService |
| ([CIMUSER]) |
+-----------------------------+

(a) FilterOfSACondition
(b) AcceptCredentialsFrom
(c) EntriesInFilterList (see [CIMNETWORK])

5.1. The Class SACondition

The class SACondition defines the conditions of rules for IKE and
IPsec negotiations. Conditions are associated with policy rules via
the SAConditionInRule aggregation. It is used as an anchor point to
associate various types of filters with policy rules via the
FilterOfSACondition association. It also defines whether Credentials
can be accepted for a particular policy rule via the
AcceptCredentialsFrom association.

Jason, et al Expires May-2002 [Page 24]

Internet Draft IPsec Configuration Policy Model November 2001

Associated objects represent components of the condition that may or
may not apply at a given rule evaluation. For example, an
AcceptCredentialsFrom evaluation is only performed when a credential
is available to be evaluated against the list of trusted credential
management services. Similarly, a PeerIDPayloadFilterEntry may only
be evaluated when an IDPayload value is available to compared with
the filter. Condition components that do not have corresponding

Jason, et al Expires August-2002 [Page 22]

Internet Draft IPsec Configuration Policy Model February 2002

values with which to evaluate are evaluated as TRUE unless the
protocol has completed without providing the required information.

The class definition for SACondition is as follows:

NAME SACondition
DESCRIPTION Defines the preconditions for IKE and IPsec
negotiations.
DERIVED FROM PolicyCondition (see [PCIM])
ABSTRACT FALSE
PROPERTIES PolicyConditionName (from PolicyCondition)

5.2. The Class IPHeaderFilter IPHeadersFilter

The class IPHeaderFilter IPHeadersFilter is defined in [PCIMe] with the following
note:

1) to specify 5-tuple filters that are to apply symmetrically (i.e.,
matches traffic in both directions of the same flow between the
two peers), flows which is
quite typical for SPD entries for ingress and egress traffic),
the Direction property of the FilterList should SHOULD be set to
"Mirrored".

5.3. The Class CredentialFilterEntry

The class CredentialFilterEntry defines an equivalence class that
match credentials of IKE peers. Each CredentialFilterEntry includes a
MatchFieldName that is interpreted according to the
CredentialManagementService(s) associated with the SACondition
(AcceptCredentialsFrom).

These credentials can be X.509 certificates, Kerberos tickets, or
other types of credentials obtained during the Phase 1 exchange.

Note: this filter entry will probably be checked while the IKE
negotiation takes place. If the check is a failure, then the IKE
negotiation MUST be stopped, and the result of the IKEAction which
triggered this negotiation is a failure.

The class definition for CredentialFilterEntry is as follows:

NAME CredentialFilterEntry
DESCRIPTION Specifies a match filter based on the IKE credentials.
DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase)
MatchFieldName
MatchFieldValue
CredentialType

5.3.1. The Property MatchFieldName

Jason, et al Expires May-2002 [Page 25]

Internet Draft IPsec Configuration Policy Model November 2001

The property MatchFieldName specifies the sub-part of the credential
to match against MatchFieldValue. The property is defined as
follows:

NAME MatchFieldName
DESCRIPTION Specifies which sub-part of the credential to match.
SYNTAX string

Jason, et al Expires August-2002 [Page 23]

Internet Draft IPsec Configuration Policy Model February 2002

VALUE This is the string representation of a X.509 certificate
attribute, e.g.:
- �serialNumber�
- �signatureAlgorithm�
- �issuerName�
- �subjectName�
- �subjectAltName�
- �

5.3.2. The Property MatchFieldValue

The property MatchFieldValue specifies the value to compare with the
MatchFieldName in a credential to determine if the credential matches
this filter entry. The property is defined as follows:

NAME MatchFieldValue
DESCRIPTION Specifies the value to be matched by the MatchFieldName.
SYNTAX string
VALUE NB: If the CredentialFilterEntry corresponds to a
DistinguishedName, this value in the CIM class is
represented by an ordinary string value. However, an
implementation must convert this string to a DER-
encoded DER-encoded
string before matching against the values extracted from
credentials at runtime.

A wildcard mechanism can be used in the MatchFieldValue string. E.g.,
if the MatchFieldName is �subjectName� then a MatchFieldValue of
�cn=*,ou=engineering,o=foo,c=be� will match successfully a
certificate whose subject attribute is �cn=Jane
Doe,ou=engineering,o=foo,c=be�. The wildcard character �*� can be
used to represent 0 or several characters.

5.3.3. The Property CredentialType

The property CredentialType specifies the particular type of
credential that is being matched. The property is defined as
follows:

NAME CredentialType
DESCRIPTION Defines the type of IKE credentials.
SYNTAX unsigned 16-bit integer
VALUE 1 - X.509 Certificate
2 - Kerberos Ticket

5.4. The Class IPSOFilterEntry

The class IPSOFilterEntry is used to match traffic based on the IP
Security Options header values (ClassificationLevel and
ProtectionAuthority) as defined in RFC1108. This type of filter entry
is used to adjust the IPsec encryption level according to the IPSO
classification of the traffic (e.g., secret, confidential,
restricted, etc. The class definition for IPSOFilterEntry is as
follows:

NAME IPSOFilterEntry
DESCRIPTION Specifies the a match filter based on IP Security
Options.
DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase)

Jason, et al Expires May-2002 August-2002 [Page 26] 24]

Internet Draft IPsec Configuration Policy Model November 2001

ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase) February 2002

MatchConditionType
MatchConditionValue

5.4.1. The Property MatchConditionType

The property MatchConditionType specifies the IPSO header field that
will be matched (e.g., traffic classification level or protection
authority). The property is defined as follows:

NAME MatchConditionType
DESCRIPTION Specifies the IPSO header field to be matched.
SYNTAX unsigned 16-bit integer
VALUE 1 - ClassificationLevel
2 - ProtectionAuthority

5.4.2. The Property MatchConditionValue

The property MatchConditionValue specifies the value of the IPSO
header field to be matched against. The property is defined as
follows:

NAME MatchConditionValue
DESCRIPTION Specifies the value of the IPSO header field to be
matched against.
SYNTAX unsigned 16-bit integer
VALUE For ClassificationLevel, the values are:
61 - TopSecret
90 - Secret
150 - Confidential
171 - Unclassified
For ProtectionAuthority, the values are:
0 - GENSER
1 - SIOP-ESI
2 - SCI
3 - NSA
4 - DOE

5.5. The Class PeerIDPayloadFilterEntry

The class PeerIDPayloadFilterEntry defines filters used to match ID
payload values from the IKE protocol exchange.
PeerIDPayloadFilterEntry permits the specification of certain ID
payload values such as "*@company.com" or "193.190.125.0/24".

Obviously this filter applies only to IKERules when acting as a
responder. Moreover, this filter can be applied immediately in the
case of aggressive mode but its application is to be delayed in the
case of main mode. The class definition for PeerIDPayloadFilterEntry
is as follows:

Jason, et al Expires May-2002 [Page 27]

Internet Draft IPsec Configuration Policy Model November 2001

NAME PeerIDPayloadFilterEntry
DESCRIPTION Specifies a match filter based on IKE identity.
DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase)
MatchIdentityType
MatchIdentityValue

5.5.1. The Property MatchIdentityType

Jason, et al Expires August-2002 [Page 25]

Internet Draft IPsec Configuration Policy Model February 2002

The property MatchIdentityType specifies the type of identity
provided by the peer in the ID payload." The property is defined as
follows:

NAME MatchIdentityType
DESCRIPTION Specifies the ID payload type.
SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address
2 - FQDN
3 - User FQDN
4 - IPv4 Subnet
5 - IPv6 Address
6 - IPv6 Subnet
7 - IPv4 Address Range
8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID

5.5.2. The Property MatchIdentityValue

The property MatchIdentityValue specifies the filter value for
comparison with the ID payload, e.g., "*@company.com" *@company.com. The property is
defined as follows:

NAME MatchIdentityValue
DESCRIPTION Specifies the ID payload value.
SYNTAX string
VALUE NB: The syntax may need to be converted for comparison.
If the PeerIDPayloadFilterEntry type is a
DistinguishedName, the name in the MatchIdentityValue
property is represented by an ordinary string value,
but this value must be converted into a DER-encoded
string before matching against the values extracted
from IKE ID payloads at runtime. The same applies to
IPv4 & IPv6 addresses.

Wildcards

Different wildcard mechanisms can be used as well as depending on the prefix notation
for IPv4 addresses: ID
payload:

- a MatchIdentityValue of "*@company.com" will match a user FQDN ID
payload of "JDOE@COMPANY.COM"

- a MatchIdentityValue of "*.company.com" will match a FQDN ID
payload of �WWW.COMPANY.COM"

- a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will
match a DER DN ID payload of �cn=John
Doe,ou=engineering,o=company,c=us"

- a MatchIdentityValue of "193.190.125.0/24" will match an IPv4
address ID payload of "JDOE@COMPANY.COM"

Jason, et al Expires May-2002 [Page 28]

Internet Draft IPsec Configuration Policy Model November 2001 193.190.125.10

- a MatchIdentityValue of "193.190.125.0/24" "193.190.125.*" will also match an IPv4
address ID payload of 193.190.125.10.

The above wildcard mechanisms MUST be supported for all ID payloads
supported by the local IKE entity. The character �*� replaces 0 or
multiple instances of any character.

5.6. The Association Class FilterOfSACondition

Jason, et al Expires August-2002 [Page 26]

Internet Draft IPsec Configuration Policy Model February 2002

The class FilterOfSACondition associates an SACondition with the
filter specifications (FilterList) that make up the condition. The
class definition for FilterOfSACondition is as follows:

NAME FilterOfSACondition
DESCRIPTION Associates a condition with the filter list that make makes
up the individual condition elements.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent [ref FilterList[1..1]]
Dependent [ref SACondition[0..n]]

5.6.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a FilterList instance. The [1..1] cardinality
indicates that an SACondition instance MUST be associated with one
and only one FilterList instance.

5.6.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an SACondition instance. The [0..n] cardinality
indicates that a FilterList instance may be associated with zero or
more SAConditions instance. SACondition instances.

5.7. The Association Class AcceptCredentialFrom

The class AcceptCredentialFrom specifies which credential management
services (e.g., a CertificateAuthority or a Kerberos service) are to
be trusted to certify peer credentials. This is used to validate assure that
the credential being matched in the CredentialFilterEntry is a valid
credential that has been supplied by an approved
CredentialManagementService. If a CredentialManagementService is
specified and a corresponding CredentialFilterEntry is used, but the
credential supplied by the peer is not certified by that
CredentialManagementService (or one of the
CredentialManagementServices in its trust hierarchy), the
CredentialFilterEntry is deemed not to match. If a credential is
certified by a CredentialManagementService in the
AcceptCredentialsFrom list of services but there is no
CredentialFilterEntry, this is considered equivalent to a
CredentialFilterEntry that matches all credentials from those
services.

The class definition for AcceptCredentialFrom is as follows:

NAME AcceptCredentialFrom

Jason, et al Expires May-2002 [Page 29]

Internet Draft IPsec Configuration Policy Model November 2001
DESCRIPTION Associates a condition with the credential management
services to be trusted.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent [ref CredentialManagementService[0..n]]
Dependent [ref SACondition[0..n]]

5.7.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The

Jason, et al Expires August-2002 [Page 27]

Internet Draft IPsec Configuration Policy Model February 2002

[0..n] cardinality indicates that an SACondition instance may be
associated with zero or more CredentialManagementServices instance. CredentialManagementService instances.

5.7.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an SACondition instance. The [0..n] cardinality
indicates that a CredentialManagementService instance may be
associated with zero or more SAConditions instance.

Jason, et al Expires May-2002 [Page 30]

Internet Draft IPsec Configuration Policy Model November 2001 SACondition instances.

6. Action Classes

The action classes are used to model the different actions an IPsec
device may take when the evaluation of the associated condition
results in a match.

Jason, et al Expires August-2002 [Page 28]

Internet Draft IPsec Configuration Policy Model February 2002

+----------+
| SAAction |
+----------+
^
|
+-----------+--------------+
| |
| +---------------------+
| | SaNegotiationAction |
| +---------------------+
| ^
| |
*+----------------+ +----------------------+*
| SAStaticAction | | IKENegotiationAction |o----+
+----------------+ +----------------------+ |
^ ^ |
| | |
| +-----------+-------+ |
| | | |
+-------------------+ | +-------------+ +-----------+ |
| IPsecBypassAction |---+ | IPsecAction | | IKEAction | |
+-------------------+ | +-------------+ +-----------+ |
| ^ |
+--------------------+ | | +----------------------+ |
| IPsecDiscardAction |---+ +----| IPsecTransportAction | |
+--------------------+ | | +----------------------+ |
| | |
+-----------------+ | | +-------------------+ |
| IKERejectAction |---+ +----| IPsecTunnelAction | |
+-----------------+ | +-------------------+ |
| *| |
| +--------------+ |
| | |
+-----------------------+ | | +--------------+n |
| PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+
+-----------------------+ | +--------------+ (b)
*| ^ |
| | | *+-------------+
| | +-------| PeerGateway |
| | +-------------+
| | +-----------------------------+ |0..1 *w|
| +--| PreconfiguredTransportAction| | |(c)
| | +-----------------------------+ | 1|
| | | +--------------+
| | +---------------------------+ * | | System |
| +--| PreconfiguredTunnelAction |-----+ | ([CIMCORE]) |
| +---------------------------+ (e) +--------------+

Jason, et al Expires May-2002 [Page 31]

Internet Draft IPsec Configuration Policy Model November 2001
|
| 2..6+---------------+
+-------| [SATransform] |
(d) +---------------+

(a) PeerGatewayForTunnel
(b) ContainedProposal
(c) HostedPeerGatewayInformation
(d) TransformOfPreconfiguredAction
(e) PeerGatewayForPreconfiguredTunnel

6.1. The Class SAAction

Jason, et al Expires August-2002 [Page 29]

Internet Draft IPsec Configuration Policy Model February 2002

The class SAAction is abstract and serves as the base class for IKE
and IPsec actions. It is used for aggregating different types of
actions to IKE and IPsec rules. The class definition for SAAction is
as follows:

NAME SAAction
DESCRIPTION The base class for IKE and IPsec actions.
DERIVED FROM PolicyAction (see [PCIM])
ABSTRACT TRUE
PROPERTIES PolicyActionName (from PolicyAction)
DoActionLogging
DoPacketLogging

6.1.1. The Property DoActionLogging

The property DoActionLogging specifies whether a log message is to be
generated when the action is performed. This applies for
SANegotiationActions with the meaning of logging a message when the
negotiation is attempted (with the success or failure result). This
also applies for SAStaticAction only for PreconfiguredSAAction with
the meaning of logging a message when the preconfigured SA is
actually installed in the SADB. The property is defined as follows:

NAME DoActionLogging
DESCRIPTION Specifies the whether to log when the action is
performed.
SYNTAX boolean
VALUE true - a log message is to be generated when action is
performed.
false - no log message is to be generated when action is
performed.

6.1.2. The Property DoPacketLogging

The property DoPacketLogging specifies whether a log message is to be
generated when the resulting security association is used to process
the packet. If the SANegotiationAction successfully executes and
results in the creation of one or several security associations or if
the PreconfiguredSAAction executes, the value of DoPacketLogging
SHOULD be propagated to an optional field of SADB.

Jason, et al Expires May-2002 [Page 32]

Internet Draft IPsec Configuration Policy Model November 2001 This optional
field should be used to decide whether a log message is to be
generated when the SA is used to process a packet. For
SAStaticActions, a log message is to be generated when the
IPsecBypassAction, IPsecDiscardAction, IKERejectAction are executed.
The property is defined as follows:

NAME DoPacketLogging
DESCRIPTION Specifies the whether to log when the resulting security
association is used to process the packet.
SYNTAX boolean
VALUE true - a log message is to be generated when the
resulting security association is used to process the
packet.
false - no log message is to be generated.

6.2. The Class SAStaticAction

The class SAStaticAction is abstract and serves as the base class for
IKE and IPsec actions that do not require any negotiation. The class
definition for SAStaticAction is as follows:

Jason, et al Expires August-2002 [Page 30]

Internet Draft IPsec Configuration Policy Model February 2002

NAME SAStaticAction
DESCRIPTION The base class for IKE and IPsec actions that do not
require any negotiation.
DERIVED FROM SAAction
ABSTRACT TRUE
PROPERTIES LifetimeSeconds

6.2.1. The Property LifetimeSeconds

The property LifetimeSeconds specifies how long the security
association derived from this action should be used. The property is
defined as follows:

NAME LifetimeSeconds
DESCRIPTION Specifies the amount of time (in seconds) that a
security association derived from this action should be
used.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is not a lifetime
associated with this action (i.e., infinite lifetime).
A non-zero value is typically used in conjunction with
alternate SAActions performed when there is a
negotiation failure of some sort.

Note: if the referenced SAStaticAction object is a
PreconfiguredSAAction associated to several SATransforms, then the
actual lifetime of the preconfigured SA will be the smallest lesser of the
value of this LifetimeSeconds property and of the value of the
MaxLifetimeSeconds property of the associated SATransform. Except if If the
value of this LifetimeSeconds property is zero, then there will be
no lifetime associated to this SA.

Jason, et al Expires May-2002 [Page 33]

Internet Draft IPsec Configuration Policy Model November 2001

It is expected that most SAStaticAction instances will have their
LifetimeSeconds properties set to zero (meaning no expiration of the
resulting SA).

6.3. The Class IPsecBypassAction

The class IPsecBypassAction is used when packets are allowed to be
processed without applying IPsec encapsulation to them. This is the
same as stating that packets are allowed to flow in the clear. The
class definition for IPsecBypassAction is as follows:

NAME IPsecBypassAction
DESCRIPTION Specifies that packets are to be allowed to pass in the
clear.
DERIVED FROM SAStaticAction
ABSTRACT FALSE

6.4. The Class IPsecDiscardAction

The class IPsecDiscardAction is used when packets are to be
discarded. This is the same as stating that packets are to be
denied. The class definition for IPsecDiscardAction is as follows:

NAME IPsecDiscardAction
DESCRIPTION Specifies that packets are to be discarded.
DERIVED FROM SAStaticAction
ABSTRACT FALSE

Jason, et al Expires August-2002 [Page 31]

Internet Draft IPsec Configuration Policy Model February 2002

6.5. The Class IKERejectAction

The class IKERejectAction is used to prevent attempting an IKE
negotiation with the peer(s). The main use of this class is to
prevent some denial of service attacks when acting as IKE responder.
It goes beyond a plain discard of UDP/500 IKE packets because the
SACondition can be based on specific PeerIDPayloadFilterEntry (when
aggressive mode is used). The class definition for IKERejectAction
is as follows:

NAME IKERejectAction
DESCRIPTION Specifies that an IKE negotiation should not even be
attempted or continued.
DERIVED FROM SAStaticAction
ABSTRACT FALSE

6.6. The Class PreconfiguredSAAction

The class PreconfiguredSAAction is used to create a security
association using preconfigured, hard-wired algorithms and keys.

Notes:

Jason, et al Expires May-2002 [Page 34]

Internet Draft IPsec Configuration Policy Model November 2001

- the SPI for a PreconfiguredSAAction is contained in the
association, TransformOfPreconfiguredAction;

- the session key (if applicable) is contained in an instance of
the class SharedSecret (see [CIMUSER]). The session key is
stored in the property secret, Secret, the property protocol contains
either "ESP-encrypt", "ESP-auth" or "AH", the property
algorithm contains the algorithm used to protect the secret
(can be "PLAINTEXT" if the IPsec entity has no secret storage),
the value of property RemoteID is the concatenation of the
remote IPsec peer IP address in dotted decimal, of the
character "/", of "IN" (resp. (respectively "OUT") for inbound SA (resp.
(respectively outbound SA), of the character "/" and of the
hexadecimal representation of the SPI.

Although the class is concrete, it MUST not be instantiated. The
class definition for PreconfiguredSAAction is as follows:

NAME PreconfiguredSAAction
DESCRIPTION Specifies preconfigured algorithm and keying information
for creation of a security association.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
PROPERTIES LifetimeKilobytes

6.6.1. The Property LifetimeKilobytes

The property LifetimeKilobytes specifies a traffic limit in kilobytes
that can be consumed before the SA is deleted.. The property is
defined as follows:

NAME LifetimeKilobytes
DESCRIPTION Specifies the SA lifetime in kilobytes.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is not a lifetime
associated with this action (i.e., infinite lifetime).
A non-zero value is used to indicate that after this
amount

Jason, et al Expires August-2002 [Page 32]

Internet Draft IPsec Configuration Policy Model February 2002

number of kilobytes has been consumed the SA must be
deleted from the SADB.

Note: the actual lifetime of the preconfigured SA will be the
smallest lesser
of the value of this LifetimeKilobytes property and of the value of
the MaxLifetimeSeconds property of the associated SATransform. Except if If the
value of this LifetimeKilobytes property is zero, then there will be
no lifetime associated with this action.

It is expected that most PreconfiguredSAAction instances will have
their LifetimeKilobyte properties set to zero (meaning no expiration
of the resulting SA).

6.7. The Class PreconfiguredTransportAction

Jason, et al Expires May-2002 [Page 35]

Internet Draft IPsec Configuration Policy Model November 2001

The class PreconfiguredTransportAction is used to create an IPsec
transport-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for
PreconfiguredTransportAction is as follows:

NAME PreconfiguredTransportAction
DESCRIPTION Specifies preconfigured algorithm and keying information
for creation of an IPsec transport security association.
DERIVED FROM PreconfiguredSAAction
ABSTRACT FALSE

6.8. The Class PreconfiguredTunnelAction

The class PreconfiguredTunnelAction is used to create an IPsec
tunnel-mode security association using preconfigured, hard-wired
algorithms and keys. The class definition for PreconfiguredSAAction
is as follows:

NAME PreconfiguredTunnelAction
DESCRIPTION Specifies preconfigured algorithm and keying information
for creation of an IPsec tunnel-mode security
association.
DERIVED FROM PreconfiguredSAAction
ABSTRACT FALSE
PROPERTIES DFHandling

6.8.1. The Property DFHandling

The property DFHandling specifies how the Don't Fragment bit of the
internal IP header is to be handled during IPsec processing. The
property is defined as follows:

NAME DFHandling
DESCRIPTION Specifies the processing of the DF bit.
SYNTAX unsigned 16-bit integer
VALUE 1 - Copy the DF bit from the internal IP header to the
external IP header.
2 - Set the DF bit of the external IP header to 1.
3 - Clear the DF bit of the external IP header to 0.

6.9. The Class SANegotiationAction

The class SANegotiationAction specifies an action requesting security
policy negotiation.

Jason, et al Expires August-2002 [Page 33]

Internet Draft IPsec Configuration Policy Model February 2002

This is an abstract class. Currently, only one security policy
negotiation protocol action is subclassed from SANegotiationAction:
the IKENegotiationAction class. It is nevertheless expected that
other security policy negotiation protocols will exist and the
negotiation actions of those new protocols would be modeled as a
subclass of SANegotiationAction.

Jason, et al Expires May-2002 [Page 36]

Internet Draft IPsec Configuration Policy Model November 2001

NAME SANegotiationAction
DESCRIPTION Specifies a negotiation action .
DERIVED FROM SAAction
ABSTRACT TRUE

6.10. The Class IKENegotiationAction

The class IKENegotiationAction is abstract and serves as the base
class for IKE and IPsec actions that result in a IKE negotiation.
Although the class is concrete, is MUST not be instantiated. The
class definition for IKENegotiationAction is as follows:

NAME IKENegotiationAction
DESCRIPTION A base class for IKE and IPsec actions that specifies
the parameters that are common for IKE phase 1 and IKE
phase 2 IPsec DOI negotiations.
DERIVED FROM SANegotiationAction
ABSTRACT TRUE
PROPERTIES MinLifetimeSeconds
MinLifetimeKilobytes
RefreshThresholdSeconds
RefreshThresholdKilobytes

IdleDurationSeconds

6.10.1. The Property MinLifetimeSeconds

The property MinLifetimeSeconds specifies the minimum seconds
lifetime that will be accepted from the peer. MinLifetimeSeconds is
used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations
with correspondingly expensive Diffie-Hellman operations. The property is defined as
follows:

NAME MinLifetimeSeconds
DESCRIPTION Specifies the minimum acceptable seconds lifetime.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no minimum
value. A non-zero value specifies the minimum seconds
lifetime.

6.10.2. The Property MinLifetimeKilobytes

The property MinLifetimeKilobytes specifies the minimum kilobytes
lifetime that will be accepted from the peer. MinLifetimeKilobytes
is used to prevent certain denial of service attacks where the peer
requests an arbitrarily low lifetime value, causing renegotiations
with correspondingly expensive Diffie-Hellman operations. Note that
there has been considerable debate regarding the usefulness of
applying kilobyte lifetimes to IKE phase 1 security associations, so
it is likely that this property will only apply to the sub-class
IPsecAction. The property is defined as follows:

NAME MinLifetimeKilobytes

Jason, et al Expires May-2002 [Page 37]

Internet Draft IPsec Configuration Policy Model November 2001
DESCRIPTION Specifies the minimum acceptable kilobytes lifetime.
SYNTAX unsigned 32-bit integer

Jason, et al Expires August-2002 [Page 34]

Internet Draft IPsec Configuration Policy Model February 2002

VALUE A value of zero indicates that there is no minimum
value. A non-zero value specifies the minimum kilobytes
lifetime.

6.10.3. The Property RefreshThresholdSeconds

The property RefreshThresholdSeconds specifies what percentage of
the seconds lifetime can expire before IKE should attempt to
renegotiate the security association. A random value may be added
to the calculated threshold (percentage x seconds lifetime) to
reduce the chance of both peers attempting to renegotiate at the
same time. The property is defined as follows:

NAME RefreshThresholdSeconds
DESCRIPTION Specifies the percentage of seconds lifetime that has
expired before the security association is
renegotiated.
SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the security association
should not be renegotiated until the seconds lifetime
has been reached.

6.10.4. The Property RefreshThresholdKilobytes

The property RefreshThresholdKilobytes specifies what percentage of
the kilobyte lifetime can expire before IKE should attempt to
renegotiate the IPsec security association. A random value may be
added to the calculated threshold (percentage x kilobyte lifetime)
to reduce the chance of both peers attempting to renegotiate at the
same time. Note, that as with the property MinLifetimeKilobytes,
this property is probably only relevant to IPsecAction sub-classes.
The property is defined as follows:

NAME RefreshThresholdKilobytes
DESCRIPTION Specifies the percentage of kilobyte lifetime that has
expired before the IPsec security association is
renegotiated.
SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IPsec security
association should not be renegotiated until the
kilobyte lifetime has been reached.

6.10.5. The Property IdleDurationSeconds

The property IdleDurationSeconds specifies how many seconds a
security association may remain idle (i.e., no traffic protected
using the security association) before it is deleted. The property
is defined as follows:

Jason, et al Expires May-2002 [Page 38]

Internet Draft IPsec Configuration Policy Model November 2001

NAME IdleDurationSeconds
DESCRIPTION Specifies how long, in seconds, a security association
may remain unused before it is deleted.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that idle detection should not
be used for the security association (only the seconds
and kilobyte lifetimes will be used). Any non-
zero non-zero
value indicates the number of seconds the security
association may remain unused.

6.11. The Class IPsecAction

The class IPsecAction serves as the base class for IPsec transport
and tunnel actions. It specifies the parameters used for an IKE
phase 2 IPsec DOI negotiation. Although the class is concrete, is
MUST not be instantiated. The class definition for IPsecAction is as
follows:

NAME IPsecAction
DESCRIPTION A base class for IPsec transport and tunnel actions that
specifies the parameters for IKE phase 2 IPsec DOI
negotiations.
DERIVED FROM IKENegotiationAction
ABSTRACT FALSE
PROPERTIES UsePFS
UseIKEGroup
GroupId
Granularity
VendorID

6.11.1. The Property UsePFS

The property UsePFS specifies whether or not perfect forward secrecy
should be used when refreshing keys. The property is defined as
follows:

NAME UsePFS
DESCRIPTION Specifies the whether or not to use PFS when refreshing
keys.
SYNTAX boolean
VALUE A value of true indicates that PFS should be used. A
value of false indicates that PFS should not be used.

6.11.2. The Property UseIKEGroup

The property UseIKEGroup specifies whether or not phase 2 should use
the same key exchange group as was used in phase 1. UseIKEGroup is
ignored if UsePFS is false. The property is defined as follows:

NAME UseIKEGroup

Jason, et al Expires May-2002 August-2002 [Page 39] 35]

Internet Draft IPsec Configuration Policy Model November 2001 February 2002

DESCRIPTION Specifies whether or not to use the same GroupId for
phase 2 as was used in phase 1. If UsePFS is false,
then UseIKEGroup is ignored.
SYNTAX boolean
VALUE A value of true indicates that the phase 2 GroupId
should be the same as phase 1. A value of false
indicates that the property GroupId will contain the key
exchange group to use for phase 2.

6.11.3. The Property GroupId

The property GroupId specifies the key exchange group to use for
phase 2. GroupId is ignored if (1) the property UsePFS is false, or
(2) the property UsePFS is true and the property UseIKEGroup is true.
If the GroupID number is from the vendor-specific range
(32768-65535), (32768-
65535), the property VendorID qualifies the group number. The
property is defined as follows:

NAME GroupId
DESCRIPTION Specifies the key exchange group to use for phase 2 when
the property UsePFS is true and the property UseIKEGroup
is false.
SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values.

6.11.4. The Property Granularity

The property Granularity specifies how the selector for the security
association should be derived from the traffic that triggered the
negotiation. The property is defined as follows:

NAME Granularity
DESCRIPTION Specifies the how the proposed selector for the security
association will be created.
SYNTAX unsigned 16-bit integer
VALUE 1 - subnet: the source and destination subnet masks of
the filter entry are used.
2 - address: only the source and destination IP
addresses of the triggering packet are used.
3 - protocol: the source and destination IP addresses
and the IP protocol of the triggering packet are used.
4 - port: the source and destination IP addresses and
the IP protocol and the source and destination layer 4
ports of the triggering packet are used.

6.11.5. The Property VendorID

The property VendorID is used together with the property GroupID
(when it is in the vendor-specific range) to identify the key
exchange group. VendorID is ignored unless UsePFS is true and
UseIKEGroup is false and GroupID is in the vendor-specific range
(32768-65535). The property is defined as follows:

Jason, et al Expires May-2002 [Page 40]

Internet Draft IPsec Configuration Policy Model November 2001

NAME VendorID
DESCRIPTION Specifies the IKE Vendor ID.
SYNTAX string

6.12. The Class IPsecTransportAction

Jason, et al Expires August-2002 [Page 36]

Internet Draft IPsec Configuration Policy Model February 2002

The class IPsecTransportAction is a subclass of IPsecAction that is
used to specify use of an IPsec transport-mode security association.
The class definition for IPsecTransportAction is as follows:

NAME IPsecTransportAction
DESCRIPTION Specifies that an IPsec transport-mode security
association should be negotiated.
DERIVED FROM IPsecAction
ABSTRACT FALSE

6.13. The Class IPsecTunnelAction

The class IPsecTunnelAction is a subclass of IPsecAction that is used
to specify use of an IPsec tunnel-mode security association. The
class definition for IPsecTunnelAction is as follows:

NAME IPsecTunnelAction
DESCRIPTION Specifies that an IPsec tunnel-mode security association
should be negotiated.
DERIVED FROM IPsecAction
ABSTRACT FALSE
PROPERTIES DFHandling

6.13.1. The Property DFHandling

The property DFHandling specifies how the tunnel should manage the
Don't Fragment (DF) bit. The property is defined as follows:

NAME DFHandling
DESCRIPTION Specifies how to process the DF bit.
SYNTAX unsigned 16-bit integer
VALUE 1 - Copy the DF bit from the internal IP header to the
external IP header.
2 - Set the DF bit of the external IP header to 1.
3 - Clear the DF bit of the external IP header to 0.

6.14. The Class IKEAction

The class IKEAction specifies the parameters that are to be used for
IKE phase 1 negotiation. The class definition for IKEAction is as
follows:

NAME IKEAction
DESCRIPTION Specifies the IKE phase 1 negotiation parameters.
DERIVED FROM IKENegotiationAction
ABSTRACT FALSE

Jason, et al Expires May-2002 [Page 41]

Internet Draft IPsec Configuration Policy Model November 2001
PROPERTIES RefreshThresholdDerivedKeys ExchangeMode
UseIKEIdentityType
VendorID
AggressiveModeGroupId

6.14.1. The Property RefreshThresholdDerivedKeys

The property RefreshThresholdDerivedKeys specifies what percentage
of the derived key limit (see the LifetimeDerivedKeys property of
IKEProposal) can expire before IKE should attempt to renegotiate the
IKE phase 1 security association. A random value may be added to
the calculated threshold (percentage x derived key limit) to reduce
the chance of both peers attempting to renegotiate at the same time.
The property is defined as follows:

NAME RefreshThresholdKilobytes
DESCRIPTION Specifies the percentage of derived key limit that has
expired before the IKE phase 1 security association is
renegotiated.
SYNTAX unsigned 8-bit integer
VALUE A value between 1 and 100 representing a percentage. A
value of 100 indicates that the IKE phase 1 security
association should not be renegotiated until the
derived key limit has been reached.

6.14.2. The Property ExchangeMode

The property ExchangeMode specifies which IKE mode should be used for
IKE phase 1 negotiations. The property is defined as follows:

NAME ExchangeMode
DESCRIPTION Specifies the IKE negotiation mode for phase 1.
SYNTAX unsigned 16-bit integer

Jason, et al Expires August-2002 [Page 37]

Internet Draft IPsec Configuration Policy Model February 2002

VALUE 1 - base mode
2 - main mode
4 - aggressive mode

6.14.3.

6.14.2. The Property UseIKEIdentityType

The property UseIKEIdentityType specifies what IKE identity type
should be used when negotiating with the peer. This information is
used in conjunction with the IKE identities available on the system
and the IdentityContexts of the matching IKERule. The property is
defined as follows:

NAME UseIKEIdentityType
DESCRIPTION Specifies the IKE identity to use during negotiation.
SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address
2 - FQDN
3 - User FQDN
4 - IPv4 Subnet

Jason, et al Expires May-2002 [Page 42]

Internet Draft IPsec Configuration Policy Model November 2001
5 - IPv6 Address
6 - IPv6 Subnet
7 - IPv4 Address Range
8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID

6.14.4.

6.14.3. The Property VendorID

The property VendorID specifies the value to be used in the Vendor ID
payload. The property is defined as follows:

NAME VendorID
DESCRIPTION Vendor ID Payload.
SYNTAX string
VALUE A value of NULL means that Vendor ID payload will be
neither generated nor accepted. A non-NULL value means
that a Vendor ID payload will be generated (when acting
as an initiator) or is expected (when acting as a
responder).

6.14.5.

6.14.4. The Property AggressiveModeGroupId

The property AggressiveModeGroupId specifies which group ID is to be
used in the first packets of the phase 1 negotiation. This property
is ignored unless the property ExchangeMode is set to 4 (aggressive
mode). If the AggressiveModeGroupID number is from the vendor-
specific range (32768-65535), the property VendorID qualifies the
group number. The property is defined as follows:

NAME AggressiveModeGroupId
DESCRIPTION Specifies the group ID to be used for aggressive mode.
SYNTAX unsigned 16-bit integer

6.15. The Class PeerGateway

The class PeerGateway specifies the security gateway with which the
IKE services negotiates. The class definition for PeerGateway is as
follows:

NAME PeerGateway

Jason, et al Expires August-2002 [Page 38]

Internet Draft IPsec Configuration Policy Model February 2002

DESCRIPTION Specifies the security gateway with which to negotiate.
DERIVED FROM LogicalElement (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Name
PeerIdentityType
PeerIdentity

Note: the class PeerIdentityEntry contains more information about the
peer (namely its IP address).

6.15.1. The Property Name

The property Name specifies a user-friendly name for this security
gateway. The property is defined as follows:

Jason, et al Expires May-2002 [Page 43]

Internet Draft IPsec Configuration Policy Model November 2001

NAME Name
DESCRIPTION Specifies a user-friendly name for this security
gateway.
SYNTAX string

6.15.2. The Property PeerIdentityType

The property PeerIdentityType specifies the IKE identity type of the
security gateway. The property is defined as follows:

NAME PeerIdentityType
DESCRIPTION Specifies the IKE identity type of the security gateway.
SYNTAX unsigned 16-bit integer
VALUE 1 - IPv4 Address
2 - FQDN
3 - User FQDN
4 - IPv4 Subnet
5 - IPv6 Address
6 - IPv6 Subnet
7 - IPv4 Address Range
8 - IPv6 Address Range
9 - DER-Encoded ASN.1 X.500 Distinguished Name
10 - DER-Encoded ASN.1 X.500 GeneralName
11 - Key ID

6.15.3. The Property PeerIdentity

The property PeerIdentity specifies the IKE identity value of the
security gateway. A conversion may be needed between the
PeerIdentity string representation and the real value used in the ID
payload (e.g. IP address is to be converted from a dotted decimal
string into 4 bytes). The property is defined as follows:

NAME PeerIdentity
DESCRIPTION Specifies the IKE identity value of the security
gateway.
SYNTAX string

6.16. The Association Class PeerGatewayForTunnel

The class PeerGatewayForTunnel associates IPsecTunnelActions with an
ordered list of PeerGateways. The class definition for
PeerGatewayForTunnel is as follows:

NAME PeerGatewayForTunnel

Jason, et al Expires August-2002 [Page 39]

Internet Draft IPsec Configuration Policy Model February 2002

DESCRIPTION Associates IPsecTunnelActions with an ordered list of
PeerGateways.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE

Jason, et al Expires May-2002 [Page 44]

Internet Draft IPsec Configuration Policy Model November 2001
PROPERTIES Antecedent [ref PeerGateway[0..n]]
Dependent [ref IPsecTunnelAction[0..n]]
SequenceNumber

6.16.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that there an IPsecTunnelAction instance may be
associated with zero or more PeerGateway instances.

Note: the cardinality 0 has a specific meaning:

- when the IKE service acts as a responder, this means that
the IKE service will accept phase 1 negotiation with any
other security gateway;
- when the IKE service acts as an initiator, this means that
the IKE service will use the destination IP address (of
the IP packets which triggered the SARule) as the IP
address of the peer IKE entity.

6.16.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IPsecTunnelAction instance. The [0..n] cardinality
indicates that a PeerGateway instance may be associated with zero or
more IPsecTunnelAction instances.

6.16.3. The Property SequenceNumber

The property SequenceNumber specifies the ordering to be used when
evaluating PeerGateway instances for a given IPsecTunnelAction. . The
property is defined as follows:

NAME SequenceNumber
DESCRIPTION Specifies the order of evaluation for PeerGateways.
SYNTAX unsigned 16-bit integer
VALUE Lower values are evaluated first.

6.17. The Aggregation Class ContainedProposal

The class ContainedProposal associates an ordered list of SAProposals
with the IKENegotiationAction that aggregates it. If the referenced
IKENegotiationAction object is an IKEAction, then the referenced
SAProposal object(s) must be IKEProposal(s). If the referenced
IKENegotiationAction object is an IPsecTransportAction or an
IPsecTunnelAction, then the referenced SAProposal object(s) must be
IPsecProposal(s). The class definition for ContainedProposal is as
follows:

NAME ContainedProposal
DESCRIPTION Associates an ordered list of SAProposals with an
IKENegotiationAction.
DERIVED FROM PolicyComponent (see [PCIM])
ABSTRACT FALSE

Jason, et al Expires May-2002 August-2002 [Page 45] 40]

Internet Draft IPsec Configuration Policy Model November 2001

DERIVED FROM PolicyComponent (see [PCIM])
ABSTRACT FALSE February 2002

PROPERTIES GroupComponent[ref IKENegotiationAction[0..n]]
PartComponent[ref SAProposal[1..n]]
SequenceNumber

6.17.1. The Reference GroupComponent

- The property GroupComponent is inherited from
PolicyComponent and is overridden to refer to an
IKENegotiationAction instance. The [0..n] cardinality
indicates that an SAProposal instance may be associated with
zero or more IKENegotiationAction instances.

6.17.2. The Reference PartComponent

The property PartComponent is inherited from PolicyComponent and is
overridden to refer to an SAProposal instance. The [1..n]
cardinality indicates that an IKENegotiationAction instance MUST be
associated with at least one SAProposal instance.

6.17.3. The Property SequenceNumber

The property SequenceNumber specifies the order of preference for the
SAProposals. The property is defined as follows:

NAME SequenceNumber
DESCRIPTION Specifies the preference order for the SAProposals.
SYNTAX unsigned 16-bit integer
VALUE Lower-valued proposals are preferred over proposals with
higher values. For ContainedProposals that reference
the same IKENegotiationAction, SequenceNumber values
must be unique.

6.18. The Association Class HostedPeerGatewayInformation

The class HostedPeerGatewayInformation weakly associates a
PeerGateway with a System. The class definition for
HostedPeerGatewayInformation is as follows:

NAME HostedPeerGatewayInformation
DESCRIPTION Weakly associates a PeerGateway with a System.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent [ref System[1..1]]
Dependent [ref PeerGateway[0..n] [weak]]

6.18.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality

Jason, et al Expires May-2002 [Page 46]

Internet Draft IPsec Configuration Policy Model November 2001
indicates that a PeerGateway instance MUST be associated with one and
only one System instance.

6.18.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to a PeerGateway instance. The [0..n] cardinality indicates
that a System instance may be associated with zero or more
PeerGateway instances.

6.19. The Association Class TransformOfPreconfiguredAction

Jason, et al Expires August-2002 [Page 41]

Internet Draft IPsec Configuration Policy Model February 2002

The class TransformOfPreconfiguredAction associates a
PreconfiguredSAAction with from two to six SATransforms that will be
applied to the inbound and outbound traffic. The order of
application of the SATransforms is implicitly defined in [IPSEC].
The class definition for TransformOfPreconfiguredAction is as
follows:

NAME TransformOfPreconfiguredAction
DESCRIPTION Associates a PreconfiguredSAAction with from one to
three SATransforms.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent[ref SATransform[2..6]]
Dependent[ref PreconfiguredSAAction[0..n]]
SPI
Direction

6.19.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an SATransform instance. The [2..6]
cardinality indicates that an PreconfiguredSAAction instance may be
associated with from two to six SATransform instances.

6.19.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to a PreconfiguredSAAction instance. The [0..n] cardinality
indicates that an SATransform instance may be associated with zero or
more PreconfiguredSAAction instances.

6.19.3. The Property SPI

The property SPI specifies the SPI to be used by the pre-configured
action for the associated transform. The property is defined as
follows:

NAME SPI
DESCRIPTION Specifies the SPI to be used with the SATransform.
SYNTAX unsigned 32-bit integer

Jason, et al Expires May-2002 [Page 47]

Internet Draft IPsec Configuration Policy Model November 2001

6.19.4. The Property Direction

The property Direction specifies whether the SPI property is for
inbound or for outbound traffic. The property is defined as follows:

NAME Direction
DESCRIPTION Specifies whether the SA is for inbound or outbound
traffic.
SYNTAX unsigned 8-bit integer
VALUE 1 - this SA is for inbound traffic
2 - this SA is for outbound traffic

6.20 The Association Class PeerGatewayForPreconfiguredTunnel

The class PeerGatewayForPreconfiguredTunnel associates one or one
PeerGateway with multiple PreconfiguredTunnelActions. The class
definition for PeerGatewayForPreconfiguredTunnel is as follows:

NAME PeerGatewayForPreconfiguredTunnel

Jason, et al Expires August-2002 [Page 42]

Internet Draft IPsec Configuration Policy Model February 2002

DESCRIPTION Associates a PeerGateway with multiple
PreconfiguredTunnelAction.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent[ref PeerGateway[0..1]]
Dependent[ref PreconfiguredTunnelAction[0..n]]

6.20.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an PeerGateway instance. The [0..1]
cardinality indicates that an PreconfiguredTunnelAction instance may
be associated with one PeerGteway instance.

6.20.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to a PreconfiguredTunnelAction instance. The [0..n]
cardinality indicates that an PeerGateway instance may be associated
with zero or more PreconfiguredSAAction instances.

Jason, et al Expires May-2002 August-2002 [Page 48] 43]

Internet Draft IPsec Configuration Policy Model November 2001 February 2002

7. Proposal and Transform Classes

The proposal and transform classes model the proposal settings an
IPsec device will use during IKE phase 1 and 2 negotiations.

+--------------+*w 1+--------------+
| [SAProposal] |--------| System |
+--------------+ (a) | ([CIMCORE]) |
^ +--------------+
| |1
+----------------------+ |
| | |
+-------------+ +---------------+ |
| IKEProposal | | IPsecProposal | |
+-------------+ +---------------+ |
*o |
|(b) |(c)
n| |
+---------------+*w |
| [SATransform] |----+
+---------------+
^
|
+--------------------+-----------+---------+
| | |
+-------------+ +--------------+ +----------------+
| AHTransform | | ESPTransform | |IPCOMPTransform |
+-------------+ +--------------+ +----------------+

(a) SAProposalInSystem
(b) ContainedTransform
(c) SATransformInSystem

7.1. The Abstract Class SAProposal

The abstract class SAProposal serves as the base class for the IKE
and IPsec proposal classes. It specifies the parameters that are
common to the two proposal types. The class definition for
SAProposal is as follows:

NAME SAProposal
DESCRIPTION Specifies the common proposal parameters for IKE and
IPsec security association negotiation.
DERIVED FROM Policy ([PCIM])
ABSTRACT TRUE
PROPERTIES Name

7.1.1. The Property Name

The property Name specifies a user-friendly name for the SAProposal.
The property is defined as follows:

NAME Name

Jason, et al Expires May-2002 [Page 49]

Internet Draft IPsec Configuration Policy Model November 2001
DESCRIPTION Specifies a user-friendly name for this proposal.
SYNTAX string

7.2. The Class IKEProposal

The class IKEProposal specifies the proposal parameters necessary to
drive an IKE security association negotiation. The class definition
for IKEProposal is as follows:

Jason, et al Expires August-2002 [Page 44]

Internet Draft IPsec Configuration Policy Model February 2002

NAME IKEProposal
DESCRIPTION Specifies the proposal parameters for IKE security
association negotiation.
DERIVED FROM SAProposal
ABSTRACT FALSE
PROPERTIES LifetimeDerivedKeys
CipherAlgorithm
HashAlgorithm
PRFAlgorithm
GroupId
AuthenticationMethod
MaxLifetimeSeconds
MaxLifetimeKilobytes
VendorID

7.2.1. The Property LifetimeDerivedKeys

The property LifetimeDerivedKeys specifies the number of times that
a phase 1 key will be used to derive a phase 2 key before the phase
1 security association needs renegotiated. Even though this is not
a parameter that is sent in an IKE proposal, it is included in the
proposal as the number of keys derived may be a result of the
strength of the algorithms in the IKE proposal. The property is
defined as follows:

NAME LifetimeDerivedKeys
DESCRIPTION Specifies the number of phase 2 keys that can be
derived from the phase 1 key.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there is no limit to the
number of phase 2 keys that may be derived from the
phase 1 key; instead the seconds and/or kilobytes
lifetime will dictate the phase 1 rekeying. A non-zero
value specifies the number of phase 2 keys that can be
derived from the phase 1 key.

7.2.2. FROM SAProposal
ABSTRACT FALSE
PROPERTIES CipherAlgorithm
HashAlgorithm
PRFAlgorithm
GroupId
AuthenticationMethod
MaxLifetimeSeconds
MaxLifetimeKilobytes
VendorID

7.2.1. The Property CipherAlgorithm

The property CipherAlgorithm specifies the proposed phase 1 security
association encryption algorithm. The property is defined as
follows:

NAME CipherAlgorithm

Jason, et al Expires May-2002 [Page 50]

Internet Draft IPsec Configuration Policy Model November 2001
DESCRIPTION Specifies the proposed encryption algorithm for the
phase 1 security association.
SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values.

7.2.3.

7.2.2. The Property HashAlgorithm

The property HashAlgorithm specifies the proposed phase 1 security
association hash algorithm. The property is defined as follows:

NAME HashAlgorithm
DESCRIPTION Specifies the proposed hash algorithm for the phase 1
security association.
SYNTAX unsigned 16-bit integer
VALUE Consult [IKE] for valid values.

7.2.4.

7.2.3. The Property PRFAlgorithm

The property PRFAlgorithm specifies the proposed phase 1 security
association pseudo-random function. The property is defined as
follows:

NAME PRFAlgorithm
DESCRIPTION Specifies the proposed pseudo-random function for the
phase 1 security association.
SYNTAX unsigned 16-bit integer
VALUE Currently none defined.

7.2.5. defined in [IKE], if [IKE, DOI] are
extended, then the values of [IKE, DOI] are to be used
for values of PRFAlgorithm.

7.2.4. The Property GroupId

The property GroupId specifies the proposed phase 1 security
association key exchange group. This property is ignored for all
aggressive mode exchanges. If the GroupID number is from the
vendor-specific vendor-
specific range (32768-65535), the property VendorID qualifies the
group number. The property is defined as follows:

NAME GroupId

Jason, et al Expires August-2002 [Page 45]

Internet Draft IPsec Configuration Policy Model February 2002

DESCRIPTION Specifies the proposed key exchange group for the phase
1 security association.
SYNTAX unsigned 16-bit integer
VALUE 0 - Not applicable: used for aggressive mode. Consult [IKE] for other valid values.

7.2.6.

Note: the value of this property is to be ignored when doing
aggressive mode.

7.2.5. The Property AuthenticationMethod

The property AuthenticationMethod specifies the proposed phase 1
authentication method. The property is defined as follows:

NAME AuthenticationMethod
DESCRIPTION Specifies the proposed authentication method for the
phase 1 security association.
SYNTAX unsigned 16-bit integer

Jason, et al Expires May-2002 [Page 51]

Internet Draft IPsec Configuration Policy Model November 2001
VALUE 0 - a special value that indicates that this particular
proposal should be repeated once for each authentication
method that corresponds to the credentials installed on
the machine. For example, if the system has a pre-shared pre-
shared key and a certificate, a proposal list could be
constructed which includes a proposal that specifies
pre-shared key and proposals for any of the public-key
authentication methods.
Consult [IKE] for valid values.

7.2.7.

7.2.6. The Property MaxLifetimeSeconds

The property MaxLifetimeSeconds specifies the maximum amount of time, in
seconds, to propose that a security association will remain valid
after its creation. The property is defined as follows:

NAME MaxLifetimeSeconds
DESCRIPTION Specifies the maximum amount of time to propose a security
association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that the default of 8 hours be
used. A non-zero value indicates the maximum seconds
lifetime.

7.2.8.

7.2.7. The Property MaxLifetimeKilobytes

The property MaxLifetimeKilobytes specifies the maximum kilobyte
lifetime to propose that a security association will remain valid
after its creation. The property is defined as follows:

NAME MaxLifetimeKilobytes
DESCRIPTION Specifies the maximum kilobyte lifetime to propose a
security association remain valid.
SYNTAX unsigned 32-bit integer
VALUE A value of zero indicates that there should be no
maximum kilobyte lifetime. A non-zero value specifies
the desired kilobyte lifetime.

7.2.9.

7.2.8. The Property VendorID

The property VendorID further qualifies the key exchange group. The
property is ignored unless the exchange is not in aggressive mode and
the property GroupID is in the vendor-specific range. The property
is defined as follows:

Jason, et al Expires August-2002 [Page 46]

Internet Draft IPsec Configuration Policy Model February 2002

NAME VendorID
DESCRIPTION Specifies the Vendor ID to further qualify the key
exchange group.
SYNTAX string

7.3. The Class IPsecProposal

Jason, et al Expires May-2002 [Page 52]

Internet Draft IPsec Configuration Policy Model November 2001

The class IPsecProposal adds no new properties, but inherits proposal
properties from SAProposal as well as aggregating the security
association transforms necessary for building an IPsec proposal (see
the aggregation class ContainedTransform). The class definition for
IPsecProposal is as follows:

NAME IPsecProposal
DESCRIPTION Specifies the proposal parameters for IPsec security
association negotiation.
DERIVED FROM SAProposal
ABSTRACT FALSE

7.4. The Abstract Class SATransform

The abstract class SATransform serves as the base class for the IPsec
transforms that can be used to compose an IPsec proposal or to be
used as a pre-configured action. The class definition for
SATransform is as follows:

NAME SATransform
DESCRIPTION Base class for the different IPsec transforms.
ABSTRACT TRUE
PROPERTIES TransformName
VendorID
MaxLifetimeSeconds
MaxLifetimeKilobytes

7.4.1. The Property TransformName

The property TransformName specifies a user-friendly name for the
SATransform. The property is defined as follows:

NAME TransformName
DESCRIPTION Specifies a user-friendly name for this transform.
SYNTAX string

7.4.2. The Property VendorID

The property VendorID specifies the vendor ID for vendor-defined
transforms. The property is defined as follows:

NAME VendorID
DESCRIPTION Specifies the vendor ID for vendor-defined transforms.
SYNTAX string
VALUE An empty VendorID string indicates that the transform is
a standard one.

7.4.3. The Property MaxLifetimeSeconds

The property MaxLifetimeSeconds specifies the maximum amount of time, in
seconds, to propose that a security association will remain valid
after its creation. The property is defined as follows:

Jason, et al Expires May-2002 August-2002 [Page 53] 47]

Internet Draft IPsec Configuration Policy Model November 2001 February 2002

7.4.4. The Property MaxLifetimeKilobytes

The property MaxLifetimeKilobytes specifies the maximum kilobyte
lifetime to propose that a security association will remain valid
after its creation. The property is defined as follows:

7.5. The Class AHTransform

The class AHTransform specifies the AH algorithm to propose during
IPsec security association negotiation. The class definition for
AHTransform is as follows:

NAME AHTransform
DESCRIPTION Specifies the AH algorithm to propose.
ABSTRACT FALSE
PROPERTIES AHTransformId
UseReplayPrevention
ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

The property AHTransformId specifies the transform ID of the AH
algorithm to propose. The property is defined as follows:

NAME AHTransformId
DESCRIPTION Specifies the transform ID of the AH algorithm.
SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

The property UseReplayPrevention specifies whether replay prevention
detection is to be used. The property is defined as follows:

NAME UseReplayPrevention
DESCRIPTION Specifies whether to enable replay prevention detection.

Jason, et al Expires May-2002 [Page 54]

Internet Draft IPsec Configuration Policy Model November 2001
SYNTAX boolean
VALUE true - replay prevention detection is enabled.
false - replay prevention detection is disabled.

7.5.3. The Property ReplayPreventionWindowSize

The property ReplayPreventionWindowSize specifies, in bits, the
length of the sliding window used by the replay prevention detection
mechanism. The value of this property is meaningless if

Jason, et al Expires August-2002 [Page 48]

Internet Draft IPsec Configuration Policy Model February 2002

UseReplayPrevention is false. It is assumed that the window size will
be power of 2. The property is defined as follows:

NAME ReplayPreventionWindowSize
DESCRIPTION Specifies the length of the window used by replay
prevention detection mechanism.
SYNTAX unsigned 32-bit integer

7.6. The Class ESPTransform

The class ESPTransform specifies the ESP algorithms to propose during
IPsec security association negotiation. The class definition for
ESPTransform is as follows:

NAME ESPTransform
DESCRIPTION Specifies the ESP algorithms to propose.
ABSTRACT FALSE
PROPERTIES IntegrityTransformId
CipherTransformId
CipherKeyLength
CipherKeyRounds
UseReplayPrevention
ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

The property IntegrityTransformId specifies the transform ID of the
ESP integrity algorithm to propose. The property is defined as
follows:

NAME IntegrityTransformId
DESCRIPTION Specifies the transform ID of the ESP integrity
algorithm.
SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values.

7.6.2. The Property CipherTransformId

The property CipherTransformId specifies the transform ID of the ESP
encryption algorithm to propose. The property is defined as follows:

NAME CipherTransformId

Jason, et al Expires May-2002 [Page 55]

Internet Draft IPsec Configuration Policy Model November 2001
DESCRIPTION Specifies the transform ID of the ESP encryption
algorithm.
SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

The property CipherKeyLength specifies, in bits, the key length for
the ESP encryption algorithm. For encryption algorithms that use
fixed-length keys, this value is ignored. The property is defined as
follows:

NAME CipherKeyLength
DESCRIPTION Specifies the ESP encryption key length in bits.
SYNTAX unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

Jason, et al Expires August-2002 [Page 49]

Internet Draft IPsec Configuration Policy Model February 2002

The property CipherKeyRounds specifies the number of key rounds for
the ESP encryption algorithm. For encryption algorithms that use
fixed number of key rounds, this value is ignored. The property is
defined as follows:

NAME CipherKeyRounds
DESCRIPTION Specifies the number of key rounds for the ESP
encryption algorithm.
SYNTAX unsigned 16-bit integer
VALUE Currently, key rounds are not defined for any ESP
encryption algorithms.

7.6.5. The Property UseReplayPrevention

The property UseReplayPrevention specifies whether replay prevention
detection is to be used. The property is defined as follows:

NAME UseReplayPrevention
DESCRIPTION Specifies whether to enable replay prevention detection.
SYNTAX boolean
VALUE true - replay prevention detection is enabled.
false - replay prevention detection is disabled.

7.6.6. The Property ReplayPreventionWindowSize

The property ReplayPreventionWindowSize specifies, in bits, the
length of the sliding window used by the replay prevention detection
mechanism. The value of this property is meaningless if
UseReplayPrevention is false. It is assumed that the window size will
be power of 2. The property is defined as follows:

NAME ReplayPreventionWindowSize
DESCRIPTION Specifies the length of the window used by replay
prevention detection mechanism.

Jason, et al Expires May-2002 [Page 56]

Internet Draft IPsec Configuration Policy Model November 2001
SYNTAX unsigned 32-bit integer

7.7. The Class IPCOMPTransform

The class IPCOMPTransform specifies the IP compression (IPCOMP)
algorithm to propose during IPsec security association negotiation.
The class definition for IPCOMPTransform is as follows:

NAME IPCOMPTransform
DESCRIPTION Specifies the IPCOMP algorithm to propose.
ABSTRACT FALSE
PROPERTIES Algorithm
DictionarySize
PrivateAlgorithm

7.7.1. The Property Algorithm

The property Algorithm specifies the transform ID of the IPCOMP
compression algorithm to propose. The property is defined as
follows:

NAME Algorithm
DESCRIPTION Specifies the transform ID of the IPCOMP compression
algorithm.
SYNTAX unsigned 16-bit integer

Jason, et al Expires August-2002 [Page 50]

Internet Draft IPsec Configuration Policy Model February 2002

VALUE 1 - OUI: a vendor specific algorithm is used and
specified in the property PrivateAlgorithm. Consult
[DOI] for other valid values.

7.7.2. The Property DictionarySize

The property DictionarySize specifies the log2 maximum size of the
dictionary for the compression algorithm. For compression algorithms
that have pre-defined dictionary sizes, this value is ignored. The
property is defined as follows:

NAME DictionarySize
DESCRIPTION Specifies the log2 maximum size of the dictionary.
SYNTAX unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

The property PrivateAlgorithm specifies a private vendor-specific
compression algorithm. This value is only used when the property
Algorithm is 1 (OUI). The property is defined as follows:

NAME PrivateAlgorithm
DESCRIPTION Specifies a private vendor-specific compression
algorithm.
SYNTAX unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem

Jason, et al Expires May-2002 [Page 57]

Internet Draft IPsec Configuration Policy Model November 2001

The class SAProposalInSystem weakly associates SAProposals with a
System. The class definition for SAProposalInSystem is as follows:

NAME SAProposalInSystem
DESCRIPTION Weakly associates SAProposals with a System.
DERIVED FROM PolicyInSystem (see [PCIM])
ABSTRACT FALSE
PROPERTIES Antecedent[ref System [1..1]]
Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

The property Antecedent is inherited from PolicyInSystem and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that an SAProposal instance MUST be associated with one and
only one System instance.

7.8.2. The Reference Dependent

The property Dependent is inherited from PolicyInSystem and is
overridden to refer to an SAProposal instance. The [0..n]
cardinality indicates that a System instance may be associated with
zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

The class ContainedTransform associates an IPsecProposal with the set
of SATransforms that make up the proposal. If multiple transforms of
the same type are in a proposal, then they are to be logically ORed
and the order of preference is dictated by the SequenceNumber
property. Sets of transforms of different types are logically ANDed.
For example, if the ordered proposal list were

Jason, et al Expires August-2002 [Page 51]

Internet Draft IPsec Configuration Policy Model February 2002

ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
AH = { MD5, SHA-1 }

then the one sending the proposal would want the other side to pick
one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND one
from the AH transform list (preferably MD5).

The class definition for ContainedTransform is as follows:

NAME ContainedTransform
DESCRIPTION Associates an IPsecProposal with the set of SATransforms
that make up the proposal.
DERIVED FROM PolicyComponent (see [PCIM])
ABSTRACT FALSE
PROPERTIES GroupComponent[ref IPsecProposal[0..n]]
PartComponent[ref SATransform[1..n]]
SequenceNumber

7.9.1. The Reference GroupComponent

Jason, et al Expires May-2002 [Page 58]

Internet Draft IPsec Configuration Policy Model November 2001

The property GroupComponent is inherited from PolicyComponent and is
overridden to refer to an IPsecProposal instance. The [0..n]
cardinality indicates that an SATransform instance may be associated
with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent

The property PartComponent is inherited from PolicyComponent and is
overridden to refer to an SATransform instance. The [1..n]
cardinality indicates that an IPsecProposal instance MUST be
associated with at least one SATransform instance.

7.9.3. The Property SequenceNumber

The property SequenceNumber specifies the order of preference for the
SATransforms of the same type. The property is defined as follows:

NAME SequenceNumber
DESCRIPTION Specifies the preference order for the SATransforms of
the same type.
SYNTAX unsigned 16-bit integer
VALUE Lower-valued transforms are preferred over transforms of
the same type with higher values. For
ContainedTransforms that reference the same
IPsecProposal, SequenceNumber values must be unique.

7.10. The Association Class SATransformInSystem

The class SATransformInSystem weakly associates SATransforms with a
System. The class definition for SATransformInSystem System is as
follows:

NAME SATransformInSystem
DESCRIPTION Weakly associates SATransforms with a System.
DERIVED FROM PolicyInSystem (see [PCIM])
ABSTRACT FALSE
PROPERTIES Antecedent[ref System[1..1]]
Dependent[ref SATransform[0..n] [weak]]

Jason, et al Expires August-2002 [Page 52]

Internet Draft IPsec Configuration Policy Model February 2002

7.10.1. The Reference Antecedent

The property Antecedent is inherited from PolicyInSystem and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that an SATransform instance MUST be associated with one
and only one System instance.

7.10.2. The Reference Dependent

The property Dependent is inherited from PolicyInSystem and is
overridden to refer to an SATransform instance. The [0..n]

Jason, et al Expires May-2002 [Page 59]

Internet Draft IPsec Configuration Policy Model November 2001
cardinality indicates that a System instance may be associated with
zero or more SATransform instances.

Jason, et al Expires May-2002 August-2002 [Page 60] 53]

Internet Draft IPsec Configuration Policy Model November 2001 February 2002

8. IKE Service and Identity Classes

+--------------+ +-------------------+
| System | | PeerIdentityEntry |
| ([CIMCORE]) | +-------------------+
+--------------+ |*w
1| (a) (b) |
+---+ +------------+
| |
|*w 1 o
+-------------+ +-------------------+ +---------------------+
| PeerGateway | | PeerIdentityTable | | AutostartIKESetting |
+-------------+ +-------------------+ +---------------------+
*| *| *| *|
+----------------------+ |(d) +----------+ |
(c) *| *| *| (e) |
*+------------+* |(f)
+-----------------| IKEService |-----+ |
| (g) +------------+ |(h) |
0..1| *| *| *o
+--------------------+ | +---------------------------+
| IPProtocolEndpoint | | | AutostartIKEConfiguration |
| ([CIMNETWORK]) | (i)| +---------------------------+
+--------------------+ |
0..1| |
|(j) +----------------+
*| |*
+-------------+* (k) +------------+ +-----------------------------+
| IKEIdentity |-------| Collection | | CredentialManagementService |
+-------------+ 0..1| ([CIMCORE])| | ([CIMUSER]) |
*| +------------+ +-----------------------------+
|(l)
*|
+--------------+
| Credential |
| ([CIMUSER]) |
+--------------+

(a) HostedPeerIdentityTable
(b) PeerIdentityMember
(c) IKEServicePeerGateway
(d) IKEServicePeerIdentityTable
(e) IKEAutostartSetting
(f) AutostartIKESettingContext
(g) IKEServiceForEndpoint
(h) IKEAutostartConfiguration
(i) IKEUsesCredentialManagementService
(j) EndpointHasLocalIKEIdentity
(k) CollectionHasLocalIKEIdentity
(l) IKEIdentitysCredential

This portion of the model contains additional information that is
useful in applying the policy. The IKEService class MAY be used to

Jason, et al Expires May-2002 [Page 61]

Internet Draft IPsec Configuration Policy Model November 2001
represent the IKE negotiation function in a system. The IKEService
uses the various tables that contain information about IKE peers as
well as the configuration for specifying security associations that
are started automatically. The information in the PeerGateway,
PeerIdentityTable and related classes is necessary to completely
specify the policies.

Jason, et al Expires August-2002 [Page 54]

Internet Draft IPsec Configuration Policy Model February 2002

An interface (represented by an IPProtocolEndpoint) has an IKEService
that provides the negotiation services for that interface. That
service MAY also have a list of security associations for that are automatically
started at the time the IKE service is initialized.

The IKEService also has a set of identities that it may use in
negotiations with its peers. Those identities are associated with
the interfaces (or collections of interfaces).

8.1. The Class IKEService

The class IKEService represents the IKE negotiation function. An
instance of this service may provide that negotiation service for one
or more interfaces (represented by the IPProtocolEndpoint class) of a
System. There may be multiple instances of IKE services on a System
but only one per interface. The class definition for IKEService is
as follows:

NAME IKEService
DESCRIPTION IKEService is used to represent the IKE negotiation
function.
DERIVED FROM Service (see [CIMCORE])
ABSTRACT FALSE

8.2. The Class PeerIdentityTable

The class PeerIdentityTable aggregates the table entries that provide
mappings between identities and their addresses. The class
definition for PeerIdentityTable is as follows:

NAME PeerIdentityTable
DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry instances
to provide a table of identity-address mappings.
DERIVED FROM Collection (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Name

8.3.1. The Property Name

The property Name uniquely identifies the table. The property is
defined as follows:

NAME Name
DESCRIPTION Name uniquely identifies the table.

Jason, et al Expires May-2002 [Page 62]

Internet Draft IPsec Configuration Policy Model November 2001
SYNTAX string

8.3. The Class PeerIdentityEntry

The class PeerIdentityEntry specifies the mapping between peer
identity and their IP address. The class definition for
PeerIdentityEntry is as follows:

NAME PeerIdentityEntry
DESCRIPTION PeerIdentityEntry provides a mapping between a peer's
identity and address.
DERIVED FROM LogicalElement (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES PeerIdentity
PeerIdentityType
PeerAddress
PeerAddressType

Jason, et al Expires August-2002 [Page 55]

Internet Draft IPsec Configuration Policy Model February 2002

The pre-shared key to be used with this peer (if applicable) is
contained in an instance of the class SharedSecret (see [CIMUSER]).
The pre-shared key is stored in the property Secret, the property
protocol contains �IKE", the property algorithm contains the
algorithm used to protect the secret (can be "PLAINTEXT" if the IPsec
entity has no secret storage), the value of property RemoteID must
match the PeerIdentity property of the PeerIdentityEntry instance
describing the IKE peer.

8.3.1. The Property PeerIdentity

The property PeerIdentity contains a string encoding of the Identity
payload for the IKE peer. The property is defined as follows:

NAME PeerIdentity
DESCRIPTION The PeerIdentity is the ID payload of a peer.
SYNTAX string

8.3.2. The Property PeerIdentityType

The property PeerIdentityType is an enumeration that specifies the
type of the PeerIdentity. The property is defined as follows:

NAME PeerIdentityType
DESCRIPTION PeerIdentityType is the type of the ID payload of a
peer.
SYNTAX unsigned 16-bit integer
VALUE The enumeration values are specified in [DOI] section
4.6.2.1.

8.3.3. The Property PeerAddress

The property PeerAddress specifies the string representation of the
IP address of the peer formatted according to the appropriate
convention as defined in the PeerAddressType property (e.g., dotted
decimal notation). The property is defined as follows:

NAME PeerAddress
DESCRIPTION PeerAddress is the address of the peer with the ID
payload.
SYNTAX string
VALUE String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType

Jason, et al Expires May-2002 [Page 63]

Internet Draft IPsec Configuration Policy Model November 2001

The property PeerAddressType specifies the format of the PeerAddress
property value. The property is defined as follows:

NAME PeerAddressType
DESCRIPTION PeerAddressType is the type of address in PeerAddress.
SYNTAX unsigned 16-bit integer
VALUE 0 - Unknown
1 - IPv4
2 - IPv6

8.4. The Class AutostartIKEConfiguration

The class AutostartIKEConfiguration groups AutostartIKESetting
instances into configuration sets. When applied, the settings cause
an IKE service to automatically start (negotiate or statically set as

Jason, et al Expires August-2002 [Page 56]

Internet Draft IPsec Configuration Policy Model February 2002

appropriate) the Security Associations. The class definition for
AutostartIKEConfiguration is as follows:

NAME AutostartIKEConfiguration
DESCRIPTION A configuration set of AutostartIKESetting instances to
be automatically started by the IKE service.
DERIVED FROM SystemConfiguration (see [CIMCORE])
ABSTRACT FALSE

8.5. The Class AutostartIKESetting

The class AutostartIKESetting is used to automatically initiate IKE
negotiations with peers (or statically create an SA) as specified in
the AutostartIKESetting properties. Appropriate actions are
initiated according to the policy that matches the setting
parameters. The class definition for AutostartIKESetting is as
follows:

NAME AutostartIKESetting
DESCRIPTION AutostartIKESetting is used to automatically initiate
IKE negotiations with peers or statically create an SA.
DERIVED FROM SystemSetting (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Phase1Only
AddressType
SourceAddress
SourcePort
DestinationAddress
DestinationPort
Protocol

8.5.1. The Property Phase1Only

The property Phase1Only is used to limit the IKE negotiation to just
setting up a
phase 1 security association. SA establishment only. When set to False, both phase 1 and
phase 2 negotiations SAs are initiated. negotiated.
The property is defined as follows:

Jason, et al Expires May-2002 [Page 64]

Internet Draft IPsec Configuration Policy Model November 2001

NAME Phase1Only
DESCRIPTION Used to indicate which security associations to attempt
to establish (phase 1 only, or phase 1 and 2).
SYNTAX boolean
VALUE true - attempt to establish a phase 1 security
association
false - attempt to establish phase 1 and phase 2
security associations

8.5.2. The Property AddressType

The property AddressType specifies type of the addresses in the
SourceAddress and DestinationAddress properties. The property is
defined as follows:

NAME AddressType
DESCRIPTION AddressType is the type of address in SourceAddress and
DestinationAddress properties.
SYNTAX unsigned 16-bit integer
VALUE 0 - Unknown
1 - IPv4
2 - IPv6

Jason, et al Expires August-2002 [Page 57]

Internet Draft IPsec Configuration Policy Model February 2002

8.5.3. The Property SourceAddress

The property SourceAddress specifies the dotted-decimal or colon-
decimal formatted IP address used as the source address in comparing
with policy filter entries and used in any phase 2 negotiations. The
property is defined as follows:

NAME SourceAddress
DESCRIPTION The source address to compare with the filters to
determine the appropriate policy rule.
SYNTAX string
VALUE dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort

The property SourcePort specifies the port number used as the source
port in comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:

NAME SourcePort
DESCRIPTION The source port to compare with the filters to determine
the appropriate policy rule.
SYNTAX unsigned 16-bit integer

8.5.5. The Property DestinationAddress

The property DestinationAddress specifies the dotted-decimal or
colon-decimal formatted IP address used as the destination address

Jason, et al Expires May-2002 [Page 65]

Internet Draft IPsec Configuration Policy Model November 2001 in
comparing with policy filter entries and used in any phase 2
negotiations. The property is defined as follows:

NAME DestinationAddress
DESCRIPTION The destination address to compare with the filters to
determine the appropriate policy rule.
SYNTAX string
VALUE dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort

The property DestinationPort specifies the port number used as the
destination port in comparing with policy filter entries and used in
any phase 2 negotiations. The property is defined as follows:

NAME DestinationPort
DESCRIPTION The destination port to compare with the filters to
determine the appropriate policy rule.
SYNTAX unsigned 16-bit integer

8.5.7. The Property Protocol

The property Protocol specifies the protocol number used in comparing
with policy filter entries and used in any phase 2 negotiations. The
property is defined as follows:

NAME Protocol
DESCRIPTION The protocol number used in comparing with policy filter
entries.
SYNTAX unsigned 8-bit integer

8.6. The Class IKEIdentity

Jason, et al Expires August-2002 [Page 58]

Internet Draft IPsec Configuration Policy Model February 2002

The class IKEIdentity is used to represent the identities that may be
used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints)
to identify the IKE Service in IKE phase 1 negotiations. The policy
IKEAction.UseIKEIdentityType specifies which type of the available
identities to use in a negotiation exchange and the
IKERule.IdentityContexts specifies the match values to be used, along
with the local address, in selecting the appropriate identity for a
negotiation. The ElementID property value (defined in the parent
class, UsersAccess) should be that of either the IPProtocolEndpoint
or Collection of endpoints as appropriate. The class definition for
IKEIdentity is as follows:

NAME IKEIdentity
DESCRIPTION IKEIdentity is used to represent the identities that may
be used for an IPProtocolEndpoint (or collection of
IPProtocolEndpoints) to identify the IKE Service in IKE
phase 1 negotiations.
DERIVED FROM UsersAccess (see [CIMUSER])
ABSTRACT FALSE

Jason, et al Expires May-2002 [Page 66]

Internet Draft IPsec Configuration Policy Model November 2001
PROPERTIES IdentityType
IdentityValue
IdentityContexts

8.6.1. The Property IdentityType

The property IdentityType is an enumeration that specifies the type
of the IdentityValue. The property is defined as follows:

NAME IdentityType
DESCRIPTION IdentityType is the type of the IdentityValue.
SYNTAX unsigned 8-bit integer
VALUE The enumeration values are specified in [DOI] section
4.6.2.1.

8.6.2. The Property IdentityValue

The property Identity specifies Value IdentityValue contains a string encoding of the Identity
payload. For IKEIdentity instances that are address
types, types (i.e. IPv4
or IPv6 addresses), the IdentityValue string value may MAY be omitted and omitted;
then the associated IPProtocolEndpoint or (or appropriate member of the
Collection of endpoints endpoints) is used. used as the identity value. The property
is defined as follows:

NAME IdentityValue
DESCRIPTION IdentityValue contains a string encoding of the Identity
payload.
SYNTAX string

8.6.3. The Property IdentityContexts

The IdentityContexts property is used to constrain the use of
IKEIdentity instances to match that specified in the
IKERule.IdentityContexts. The IdentityContexts are formatted as
policy roles and role combinations [PCIM] & [PCIMe]. Each value
represents one context or context combination. Since this is a
multi-valued property, more than one context or combination of
contexts can be associated with a single IKEIdentity. Each value is
a string of the form: <ContextName>[&&<ContextName>]*
where the individual context names appear in alphabetical order
(according to the collating sequence for UCS-2). If one or more
values in the IKERule.IdentityContexts array match one or more

Jason, et al Expires August-2002 [Page 59]

Internet Draft IPsec Configuration Policy Model February 2002

IKEIdentity.IdentityContexts then the identity's context matches.
(That is, each value of the IdentityContext array is an ORed
condition.) In combination with the address of the
IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
1 and only 1
exactly one IKEIdentity. The property is defined as follows:

NAME IdentityContexts
DESCRIPTION The IKE service of a security endpoint may have multiple
identities for use in different situations. The
combination of the interface (represented by
the IPProtocolEndpoint), the identity type (as

Jason, et al Expires May-2002 [Page 67]

Internet Draft IPsec Configuration Policy Model November 2001 specified
in the IKEAction) and the IdentityContexts selects a
unique identity.
SYNTAX string array
VALUE string of the form <ContextName>[&&<ContextName>]*

8.7. The Association Class HostedPeerIdentityTable

The class HostedPeerIdentityTable provides the name scoping
relationship for PeerIdentityTable entries in a System. The
PeerIdentityTable is weak to the System. The class definition for
HostedPeerIdentityTable is as follows:

NAME HostedPeerIdentityTable
DESCRIPTION The PeerIdentityTable instances are weak (name scoped
by) the owning System.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent [ref System[1..1]]
Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a System instance. The [1..1] cardinality
indicates that a PeerIdentityTable instance MUST be associated in a
weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to a PeerIdentityTable instance. The [0..n] cardinality
indicates that a System instance may be associated with zero or more
PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

The class PeerIdentityMember aggregates PeerIdentityEntry instances
into a PeerIdentityTable. This is a weak aggregation. The class
definition for PeerIdentityMember is as follows:

NAME PeerIdentityMember
DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry
instances into a PeerIdentityTable.
DERIVED FROM MemberOfCollection (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Collection [ref PeerIdentityTable[1..1]]
Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

Jason, et al Expires August-2002 [Page 60]

Internet Draft IPsec Configuration Policy Model February 2002

The property Collection is inherited from MemberOfCollection and is
overridden to refer to a PeerIdentityTable instance. The [1..1]
cardinality indicates that a PeerIdentityEntry instance MUST be

Jason, et al Expires May-2002 [Page 68]

Internet Draft IPsec Configuration Policy Model November 2001
associated with one and only one PeerIdentityTable instance (i.e.,
PeerIdentityEntry instances are not shared across
PeerIdentityTables).

8.8.2. The Reference Member

The property Member is inherited from MemberOfCollection and is
overridden to refer to a PeerIdentityEntry instance. The [0..n]
cardinality indicates that a PeerIdentityTable instance may be
associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

The class IKEServicePeerGateway provides the association between an
IKEService and the list of PeerGateway instances that it uses in
negotiating with security gateways. The class definition for
IKEServicePeerGateway is as follows:

NAME IKEServicePeerGateway
DESCRIPTION Associates an IKEService and the list of PeerGateway
instances that it uses in negotiating with security
gateways.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerGateway[0..n]]
Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerGateway instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates
that a PeerGateway instance may be associated with zero or more
IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

The class IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it uses to map
between addresses and identities as required. The class definition
for IKEServicePeerIdentityTable is as follows:

NAME IKEServicePeerIdentityTable
DESCRIPTION IKEServicePeerIdentityTable provides the relationship
between an IKEService and a PeerIdentityTable that it
uses.
DERIVED FROM Dependency (see [CIMCORE])

Jason, et al Expires May-2002 [Page 69]

Internet Draft IPsec Configuration Policy Model November 2001
ABSTRACT FALSE
PROPERTIES Antecedent [ref PeerIdentityTable[0..n]]
Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

Jason, et al Expires August-2002 [Page 61]

Internet Draft IPsec Configuration Policy Model February 2002

The property Antecedent is inherited from Dependency and is
overridden to refer to a PeerIdentityTable instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates
that a PeerIdentityTable instance may be associated with zero or more
IKEService instances.

8.11. The Association Class IKEAutostartSetting

The class IKEAutostartSetting associates an AutostartIKESetting with
an IKEService that may use it to automatically start an IKE
negotiation or create a static SA. The class definition for
IKEAutostartSetting is as follows:

NAME IKEAutostartSetting
DESCRIPTION Associates a AutostartIKESetting with an IKEService.
DERIVED FROM ElementSetting (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Element [ref IKEService[0..n]]
Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

The property Element is inherited from ElementSetting and is
overridden to refer to an IKEService instance. The [0..n]
cardinality indicates an AutostartIKESetting instance may be
associated with zero or more IKEService instances.

8.11.2. The Reference Setting

The property Setting is inherited from ElementSetting and is
overridden to refer to an AutostartIKESetting instance. The [0..n]
cardinality indicates that an IKEService instance may be associated
with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

The class AutostartIKESettingContext aggregates the settings used to
automatically start negotiations or create a static SA into a
configuration set. The class definition for
AutostartIKESettingContext is as follows:

Jason, et al Expires May-2002 [Page 70]

Internet Draft IPsec Configuration Policy Model November 2001

NAME AutostartIKESettingContext
DESCRIPTION AutostartIKESettingContext aggregates the
AutostartIKESetting instances into a configuration set.
DERIVED FROM SystemSettingContext (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Context [ref AutostartIKEConfiguration [0..n]]
Setting [ref AutostartIKESetting [0..n]]
SequenceNumber

8.12.1. The Reference Context

The property Context is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKEConfiguration instance. The

Jason, et al Expires August-2002 [Page 62]

Internet Draft IPsec Configuration Policy Model February 2002

[0..n] cardinality indicates that an AutostartIKESetting instance may
be associated with zero or more AutostartIKEConfiguration instances
(i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

The property Setting is inherited from SystemSettingContext and is
overridden to refer to an AutostartIKESetting instance. The [0..n]
cardinality indicates that an AutostartIKEConfiguration instance may
be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

The property SequenceNumber specifies indicates the ordering to be
used when starting negotiations or creating a static SA. A zero
value indicates that order is not significant and settings may be
applied in parallel with other settings. All other settings in the
configuration are executed in sequence from lower values to high.
Sequence numbers need not be unique in an AutostartIKEConfiguration
and order is not significant for settings with the same sequence
number. The property is defined as follows:

NAME SequenceNumber
DESCRIPTION The sequence in which the settings are applied within a
configuration set.
SYNTAX unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint

The class IKEServiceForEndpoint provides the association showing
which IKE service, if any, provides IKE negotiation services for
which network interfaces. The class definition for
IKEServiceForEndpoint is as follows:

NAME IKEServiceForEndpoint
DESCRIPTION Associates an IPProtocolEndpoint with an IKEService that
provides negotiation services for the endpoint.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE

Jason, et al Expires May-2002 [Page 71]

Internet Draft IPsec Configuration Policy Model November 2001
PROPERTIES Antecedent [ref IKEService[0..1]]
Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an IKEService instance. The [0..1]
cardinality indicates that an IPProtocolEndpoint instance MUST by
associated with at most one IKEService instance.

8.13.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IPProtocolEndpoint that is associated with at most one
IKEService. The [0..n] cardinality indicates an IKEService instance
may be associated with zero or more IPProtocolEndpoint instances.

8.14. The Association Class IKEAutostartConfiguration

The class IKEAutostartConfiguration provides the relationship between
an IKEService and a configuration set that it uses to automatically

Jason, et al Expires August-2002 [Page 63]

Internet Draft IPsec Configuration Policy Model February 2002

start a set of SAs. The class definition for
IKEAutostartConfiguration is as follows:

NAME IKEAutostartConfiguration
DESCRIPTION IKEAutostartConfiguration provides the relationship
between an IKEService and an AutostartIKEConfiguration
that it uses to automatically start a set of SAs.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]]
Dependent [ref IKEService [0..n]]
Active

8.14.1. The Reference Antecedent

The property Antecedent is inherited from Dependency and is
overridden to refer to an AutostartIKEConfiguration instance. The
[0..n] cardinality indicates that an IKEService instance may be
associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates
that an AutostartIKEConfiguration instance may be associated with
zero or more IKEService instances.

8.14.3. The Property Active

The property Active specifies indicates whether the
AutostartIKEConfiguration set is currently active for the associated

Jason, et al Expires May-2002 [Page 72]

Internet Draft IPsec Configuration Policy Model November 2001
IKEService. That is, at boot time, the active configuration is used
to automatically start IKE negotiations and create static SAs. The
property is defined as follows:

NAME Active
DESCRIPTION Active indicates whether the AutostartIKEConfiguration
set is currently active for the associated IKEService.
SYNTAX boolean
VALUE true - AutostartIKEConfiguration is currently active for
associated IKEService.
false - AutostartIKEConfiguration is currently inactive
for associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

The class IKEUsesCredentialManagementService defines the set of
CredentialManagementService(s) that are trusted sources of
credentials for IKE phase 1 negotiations. The class definition for
IKEUsesCredentialManagementService is as follows:

NAME IKEUsesCredentialManagementService
DESCRIPTION Associates the set of CredentialManagementService(s)
that are trusted by the IKEService as sources of
credentials used in IKE phase 1 negotiations.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent [ref CredentialManagementService [0..n]]
Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

Jason, et al Expires August-2002 [Page 64]

Internet Draft IPsec Configuration Policy Model February 2002

The property Antecedent is inherited from Dependency and is
overridden to refer to a CredentialManagementService instance. The
[0..n] cardinality indicates that an IKEService instance may be
associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

The property Dependent is inherited from Dependency and is overridden
to refer to an IKEService instance. The [0..n] cardinality indicates
that a CredentialManagementService instance may be associated with
zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

The class EndpointHasLocalIKEIdentity associates an
IPProtocolEndpoint with a set of IKEIdentity instances that may be
used in negotiating security associations on the endpoint. An
IKEIdentity MUST be associated with either an IPProtocolEndpoint
using this association or with a collection of IKEIdentity instances
using the CollectionHasLocalIKEIdentity association. The class
definition for EndpointHasLocalIKEIdentity is as follows:

Jason, et al Expires May-2002 [Page 73]

Internet Draft IPsec Configuration Policy Model November 2001

NAME EndpointHasLocalIKEIdentity
DESCRIPTION EndpointHasLocalIKEIdentity associates an
IPProtocolEndpoint with a set of IKEIdentity instances.
DERIVED FROM ElementAsUser (see [CIMUSER])
ABSTRACT FALSE
PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]]
Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

The property Antecedent is inherited from ElementAsUser and is
overridden to refer to an IPProtocolEndpoint instance. The [0..1]
cardinality indicates that an IKEIdentity instance MUST be associated
with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that an IPProtocolEndpoint instance may be
associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

The class CollectionHasLocalIKEIdentity associates a Collection of
IPProtocolEndpoint instances with a set of IKEIdentity instances that
may be used in negotiating SAs for endpoints in the collection. An
IKEIdentity MUST be associated with either an IPProtocolEndpoint
using the EndpointHasLocalIKEIdentity association or with a
collection of IKEIdentity instances using this association. The
class definition for CollectionHasLocalIKEIdentity is as follows:

NAME CollectionHasLocalIKEIdentity
DESCRIPTION CollectionHasLocalIKEIdentity associates a collection of
IPProtocolEndpoint instances with a set of IKEIdentity
instances.
DERIVED FROM ElementAsUser (see [CIMUSER])
ABSTRACT FALSE

Jason, et al Expires August-2002 [Page 65]

Internet Draft IPsec Configuration Policy Model February 2002

PROPERTIES Antecedent [ref Collection [0..1]]
Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

The property Antecedent is inherited from ElementAsUser and is
overridden to refer to a Collection instance. The [0..1] cardinality
indicates that an IKEIdentity instance MUST be associated with at
most one Collection instance.

8.17.2. The Reference Dependent

The property Dependent is inherited from ElementAsUser and is
overridden to refer to an IKEIdentity instance. The [0..n]

Jason, et al Expires May-2002 [Page 74]

Internet Draft IPsec Configuration Policy Model November 2001 instance. The [0..n]
cardinality indicates that a Collection instance may be associated
with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

The class IKEIdentitysCredential is an association that relates a set
of credentials to their corresponding local IKE Identities. The
class definition for IKEIdentitysCredential is as follows:

NAME IKEIdentitysCredential
DESCRIPTION IKEIdentitysCredential associates a set of credentials
to their corresponding local IKEIdentity.
DERIVED FROM UsersCredential (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent [ref Credential [0..n]]
Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

The property Antecedent is inherited from UsersCredential and is
overridden to refer to a Credential instance. The [0..n] cardinality
indicates that IKEIdentity instance may be associated with zero or
more Credential instances.

8.18.2. The Reference Dependent

The property Dependent is inherited from UsersCredential and is
overridden to refer to an IKEIdentity instance. The [0..n]
cardinality indicates that a Credential instance may be associated
with zero or more IKEIdentity instances.

9. Implementation Requirements

The following tables table specifies which classes, properties, associations
and aggregations MUST or SHOULD or MAY be implemented.

4. Policy Classes
4.1. The Class IPsecPolicyGroup................................MUST
4.2. The Class SARule..........................................MUST
4.2.1. The Property PolicyRuleName..............................MAY
4.2.1. The Property Enabled....................................MUST
4.2.1. The Property ConditionListType..........................MUST
4.2.1. The Property RuleUsage...................................MAY
4.2.1. The Property Mandatory...................................MAY
4.2.1. The Property SequencedActions...........................MUST
4.2.1. The Property PolicyRoles.................................MAY
4.2.1. The Property PolicyDecisionStrategy......................MAY

Jason, et al Expires August-2002 [Page 66]

Internet Draft IPsec Configuration Policy Model February 2002

4.2.2 The Property ExecutionStrategy..........................MUST
4.2.3 The Property LimitNegotiation............................MAY
4.3. The Class IKERule.........................................MUST
4.3.1. The Property IdentityContexts............................MAY
4.4. The Class IPsecRule.......................................MUST
4.5.3. The Property GroupPriority..............................MUST

Jason, et al Expires May-2002 [Page 75]

Internet Draft IPsec Configuration Policy Model November 2001

4.6.
4.5. The Association Class IpsecPolicyForEndpoint...............MAY
4.6.1. IPsecPolicyForEndpoint...............MAY
4.5.1. The Reference Antecedent................................MUST
4.6.2.
4.5.2. The Reference Dependent.................................MUST
4.7.
4.6. The Association Class IPsecPolicyForSystem.................MAY
4.7.1.
4.6.1. The Reference Antecedent................................MUST
4.7.2.
4.6.2. The Reference Dependent.................................MUST
4.8. The Aggregation Class RuleForIKENegotiation...............MUST
4.8.1. The Property Priority.................................SHOULD
4.8.2. The Reference GroupComponent............................MUST
4.8.3. The Reference PartComponent.............................MUST
4.9.
4.7. The Aggregation Class RuleForIPsecNegotiation.............MUST
4.9.1. SARuleInPolicyGroup.................MUST
4.7.1. The Property Priority.................................SHOULD
4.9.2.
4.7.2. The Reference GroupComponent............................MUST
4.9.3.
4.7.3. The Reference PartComponent.............................MUST
4.10.
4.8. The Aggregation Class SAConditionInRule..................MUST
4.10.1. SAConditionInRule...................MUST
4.8.1. The Property GroupNumber.............................SHOULD
4.10.1. GroupNumber..............................SHOULD
4.8.1. The Property ConditionNegated........................SHOULD
4.10.2. ConditionNegated.........................SHOULD
4.8.2. The Reference GroupComponent...........................MUST
4.10.3. GroupComponent............................MUST
4.8.3. The Reference PartComponent............................MUST
4.11. PartComponent.............................MUST
4.9. The Aggregation Class PolicyActionInSARule...............MUST
4.11.1. PolicyActionInSARule................MUST
4.9.1. The Reference GroupComponent...........................MUST
4.11.2. GroupComponent............................MUST
4.9.2. The Reference PartComponent............................MUST
4.11.3. PartComponent.............................MUST
4.9.3. The Property ActionOrder.............................SHOULD ActionOrder..............................SHOULD
5. Condition and Filter Classes
5.1. The Class SACondition.....................................MUST
5.2. The Class IPHeaderFilter................................SHOULD IPHeadersFilter...............................SHOULD
5.3. The Class CredentialFilterEntry............................MAY
5.3.1. The Property MatchFieldName.............................MUST
5.3.2. The Property MatchFieldValue............................MUST
5.3.3. The Property CredentialType.............................MUST
5.4. The Class IPSOFilterEntry..................................MAY
5.4.1. The Property MatchConditionType.........................MUST
5.4.2. The Property MatchConditionValue........................MUST
5.5. The Class PeerIDPayloadFilterEntry.........................MAY
5.5.1. The Property MatchIdentityType..........................MUST
5.5.2. The Property MatchIdentityValue.........................MUST
5.6. The Association Class FilterOfSACondition...............SHOULD
5.6.1. The Reference Antecedent................................MUST
5.6.2. The Reference Dependent.................................MUST
5.7. The Association Class AcceptCredentialFrom.................MAY
5.7.1. The Reference Antecedent................................MUST
5.7.2. The Reference Dependent.................................MUST
6. Action Classes
6.1. The Class SAAction........................................MUST
6.1.1. The Property DoActionLogging.............................MAY
6.1.2. The Property DoPacketLogging.............................MAY
6.2. The Class SAStaticAction..................................MUST
6.2.1. The Property LifetimeSeconds............................MUST
6.3. The Class IPsecBypassAction.............................SHOULD
6.4. The Class IPsecDiscardAction............................SHOULD
6.5. The Class IKERejectAction..................................MAY
6.6. The Class PreconfiguredSAAction...........................MUST
6.6.1. The Property LifetimeKilobytes..........................MUST

Jason, et al Expires May-2002 [Page 76]

Internet Draft IPsec Configuration Policy Model November 2001
6.7. The Class PreconfiguredTransportAction....................MUST
6.8. The Class PreconfiguredTunnelAction.......................MUST
6.8.1. The Property DFHandling.................................MUST
6.9. The Class SANegotiationAction.............................MUST
6.10. The Class IKENegotiationAction...........................MUST
6.10.1. The Property MinLifetimeSeconds.........................MAY
6.10.2. The Property MinLifetimeKilobytes.......................MAY

Jason, et al Expires August-2002 [Page 67]

Internet Draft IPsec Configuration Policy Model February 2002

6.10.3. The Property RefreshThresholdSeconds....................MAY
6.10.4. The Property RefreshThresholdKilobytes..................MAY
6.10.5. The Property IdleDurationSeconds........................MAY
6.11. The Class IPsecAction....................................MUST
6.11.1. The Property UsePFS....................................MUST
6.11.2. The Property UseIKEGroup................................MAY
6.11.3. The Property GroupId...................................MUST
6.11.4. The Property Granularity.............................SHOULD
6.11.5. The Property VendorID...................................MAY
6.12. The Class IPsecTransportAction...........................MUST
6.13. The Class IPsecTunnelAction..............................MUST
6.13.1. The Property DFHandling................................MUST
6.14. The Class IKEAction......................................MUST
6.14.1. The Property RefreshThresholdDerivedKeys................MAY ExchangeMode ............................MUST
6.14.2. The Property ExchangeMode..............................MUST
6.14.3. The Property UseIKEIdentityType........................MUST
6.14.4.
6.14.3. The Property VendorID...................................MAY
6.14.5.
6.14.4. The Property AggressiveModeGroupId......................MAY
6.15. The Class PeerGateway....................................MUST
6.15.1. The Property Name....................................SHOULD
6.15.2. The Property PeerIdentityType..........................MUST
6.15.3. The Property PeerIdentity..............................MUST
6.16. The Association Class PeerGatewayForTunnel...............MUST
6.16.1. The Reference Antecedent...............................MUST
6.16.2. The Reference Dependent................................MUST
6.16.3. The Property SequenceNumber..........................SHOULD
6.17. The Aggregation Class ContainedProposal..................MUST
6.17.1. The Reference GroupComponent...........................MUST
6.17.2. The Reference PartComponent............................MUST
6.17.3. The Property SequenceNumber............................MUST
6.18. The Association Class HostedPeerGatewayInformation........MAY
6.18.1. The Reference Antecedent...............................MUST
6.18.2. The Reference Dependent................................MUST
6.19. The Association Class TransformOfPreconfiguredAction.....MUST
6.19.1. The Reference Antecedent...............................MUST
6.19.2. The Reference Dependent................................MUST
6.19.3. The Property SPI.......................................MUST
6.19.4. The Property Direction.................................MUST
6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
6.20.1. The Reference Antecedent...............................MUST
6.20.2. The Reference Dependent................................MUST
7. Proposal and Transform Classes
7.1. The Abstract Class SAProposal.............................MUST
7.1.1. The Property Name.....................................SHOULD
7.2. The Class IKEProposal.....................................MUST
7.2.1. The Property LifetimeDerivedKeys.........................MAY

Jason, et al Expires May-2002 [Page 77]

Internet Draft IPsec Configuration Policy Model November 2001

7.2.2. The Property CipherAlgorithm............................MUST
7.2.3.
7.2.2. The Property HashAlgorithm..............................MUST
7.2.4.
7.2.3. The Property PRFAlgorithm................................MAY
7.2.5.
7.2.4. The Property GroupId....................................MUST
7.2.6.
7.2.5. The Property AuthenticationMethod.......................MUST
7.2.7.
7.2.6. The Property MaxLifetimeSeconds.........................MUST
7.2.8.
7.2.7. The Property MaxLifetimeKilobytes.......................MUST
7.2.9.
7.2.8. The Property VendorID....................................MAY
7.3. The Class IPsecProposal...................................MUST
7.4. The Abstract Class SATransform............................MUST
7.4.1. The Property TransformName............................SHOULD
7.4.2. The Property VendorID....................................MAY
7.4.3. The Property MaxLifetimeSeconds.........................MUST
7.4.4. The Property MaxLifetimeKilobytes.......................MUST
7.5. The Class AHTransform.....................................MUST
7.5.1. The Property AHTransformId..............................MUST
7.5.2. The Property UseReplayPrevention.........................MAY
7.5.3. The Property ReplayPreventionWindowSize..................MAY

Jason, et al Expires August-2002 [Page 68]

Internet Draft IPsec Configuration Policy Model February 2002

7.6. The Class ESPTransform....................................MUST
7.6.1. The Property IntegrityTransformId.......................MUST
7.6.2. The Property CipherTransformId..........................MUST
7.6.3. The Property CipherKeyLength.............................MAY
7.6.4. The Property CipherKeyRounds.............................MAY
7.6.5. The Property UseReplayPrevention.........................MAY
7.6.6. The Property ReplayPreventionWindowSize..................MAY
7.7. The Class IPCOMPTransform..................................MAY
7.7.1. The Property Algorithm..................................MUST
7.7.2. The Property DictionarySize..............................MAY
7.7.3. The Property PrivateAlgorithm............................MAY
7.8. The Association Class SAProposalInSystem...................MAY
7.8.1. The Reference Antecedent................................MUST
7.8.2. The Reference Dependent.................................MUST
7.9. The Aggregation Class ContainedTransform..................MUST
7.9.1. The Reference GroupComponent............................MUST
7.9.2. The Reference PartComponent.............................MUST
7.9.3. The Property SequenceNumber.............................MUST
7.10. The Association Class SATransformInSystem.................MAY
7.10.1. The Reference Antecedent...............................MUST
7.10.2. The Reference Dependent................................MUST
8. IKE Service and Identity Classes
8.1. The Class IKEService.......................................MAY
8.2. The Class PeerIdentityTable................................MAY
8.3.1. The Property Name.....................................SHOULD
8.3. The Class PeerIdentityEntry................................MAY
8.3.1. The Property PeerIdentity.............................SHOULD
8.3.2. The Property PeerIdentityType.........................SHOULD
8.3.3. The Property PeerAddress..............................SHOULD
8.3.4. The Property PeerAddressType..........................SHOULD
8.4. The Class AutostartIKEConfiguration........................MAY
8.5. The Class AutostartIKESetting..............................MAY
8.5.1. The Property Phase1Only..................................MAY
8.5.2. The Property AddressType..............................SHOULD
8.5.3. The Property SourceAddress..............................MUST

Jason, et al Expires May-2002 [Page 78]

Internet Draft IPsec Configuration Policy Model November 2001
8.5.4. The Property SourcePort.................................MUST
8.5.5. The Property DestinationAddress.........................MUST
8.5.6. The Property DestinationPort............................MUST
8.5.7. The Property Protocol...................................MUST
8.6. The Class IKEIdentity......................................MAY
8.6.1. The Property IdentityType...............................MUST
8.6.2. The Property IdentityValue..............................MUST
8.6.3. The Property IdentityContexts............................MAY
8.7. The Association Class HostedPeerIdentityTable..............MAY
8.7.1. The Reference Antecedent................................MUST
8.7.2. The Reference Dependent.................................MUST
8.8. The Aggregation Class PeerIdentityMember...................MAY
8.8.1. The Reference Collection................................MUST
8.8.2. The Reference Member....................................MUST
8.9. The Association Class IKEServicePeerGateway................MAY
8.9.1. The Reference Antecedent................................MUST
8.9.2. The Reference Dependent.................................MUST
8.10. The Association Class IKEServicePeerIdentityTable.........MAY
8.10.1. The Reference Antecedent...............................MUST
8.10.2. The Reference Dependent................................MUST
8.11. The Association Class IKEAutostartSetting.................MAY
8.11.1. The Reference Element..................................MUST
8.11.2. The Reference Setting..................................MUST
8.12. The Aggregation Class AutostartIKESettingContext..........MAY
8.12.1. The Reference Context..................................MUST
8.12.2. The Reference Setting..................................MUST

Jason, et al Expires August-2002 [Page 69]

Internet Draft IPsec Configuration Policy Model February 2002

8.12.3. The Property SequenceNumber..........................SHOULD
8.13. The Association Class IKEServiceForEndpoint...............MAY
8.13.1. The Reference Antecedent...............................MUST
8.13.2. The Reference Dependent................................MUST
8.14. The Association Class IKEAutostartConfiguration...........MAY
8.14.1. The Reference Antecedent...............................MUST
8.14.2. The Reference Dependent................................MUST
8.14.3. The Property Active..................................SHOULD
8.15. The Association Class IKEUsesCredentialManagementService..MAY
8.15.1. The Reference Antecedent...............................MUST
8.15.2. The Reference Dependent................................MUST
8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY
8.16.1. The Reference Antecedent...............................MUST
8.16.2. The Reference Dependent................................MUST
8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY
8.17.1. The Reference Antecedent...............................MUST
8.17.2. The Reference Dependent................................MUST
8.18. The Association Class IKEIdentitysCredential..............MAY
8.18.1. The Reference Antecedent...............................MUST
8.18.2. The Reference Dependent................................MUST

10. Security Considerations

This document describes a schema for IPsec policy. It does not
detail security requirements for storage or delivery of said schema.

Jason, et al Expires May-2002 [Page 79]

Internet Draft IPsec Configuration Policy Model November 2001
Storage and delivery security requirements should be detailed in a
comprehensive security policy architecture document.

11. Intellectual Property

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.

Copies of claims of rights made available for publication and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.

12. Acknowledgments

The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
Vic Lortz, and William Dixon Dixon, Man Li and Ricky Charlet for their
contributions to this IPsec policy model.

Additionally, this draft would not have been possible without the
preceding IPsec schema drafts. For that, thanks go out to Rob Adams,
Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan.

Jason, et al Expires August-2002 [Page 70]

Internet Draft IPsec Configuration Policy Model February 2002

13. References

[IKE] Harkins, D., and D. Carrel, "The Internet Key Exchange (IKE)",
RFC 2409, November 1998.

[COMP] Shacham, A., and R. Monsour, R. Pereira, M. Thomas, "IP
Payload Compression Protocol (IPComp)", RFC 2393, August 1998.

[ESP] Kent, S., and R. Atkinson, "IP Encapsulating Security Payload
(ESP)", RFC 2406, November 1998.

[AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402,
November 1998.

Jason, et al Expires May-2002 [Page 80]

Internet Draft IPsec Configuration Policy Model November 2001

[PCIM] Moore, B., and E. Ellesson, J. Strassner, "Policy Core
Information Model -- Version 1 Specification", RFC 3060, February
2001.

[PCIME] Moore, B., Rafalow, L., Ramberg, Y., Snir, Y., Westerinen,
A., Chadha, R., Brunner, M., Cohen, R. and Strassner, J., "Policy
Core Information Model Extensions", draft-ietf-policy-pcim-ext-
05.txt, October 2001 Internet Draft work in progress

[DOI] Piper, D., "The Internet IP Security Domain of Interpretation
for ISAKMP", RFC 2407, November 1998.

[LDAP] Wahl, M., and T. Howes, S. Kille, "Lightweight Directory
Access Protocol (v3)", RFC 2251, December 1997.

[COPS] Boyle, J., and R. Cohen, D. Durham, S. Herzog, R. Rajan, A.
Sastry, "The COPS (Common Open Policy Service) Protocol", RFC 2748,
January 2000. Internet-Draft work in progress.

[COPSPR] Chan, K., and D. Durham, S. Gai, S. Herzog, K. McCloghrie,
F. Reichmeyer, J. Seligson, A. Smith, R. Yavatkar, "COPS Usage for
Policy Provisioning", draft-ietf-rap-pr-05.txt, October 2000.
Internet-Draft work in progress.

[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

[IPSO] Kent, S., "U.S. Department of Defense Security Options for the
Internet Protocol", RFC 1108, November 1991.

[IPSEC] Kent, S., and Atkinson, R., "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.

[DMTF] Distributed Management Task Force, http://www.dmtf.org/

[CIMCORE] DMTF Common Information Model - Core Model v2.5,
http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25.mof and
http://www.dmtf.org/var/release/CIM_Schema25/CIM_Core25_Add.mof

[CIMUSER] DMTF Common Information Model - User-Security Model v2.5,
http://www.dmtf.org/var/release/CIM_Schema25/CIM_User25.mof

[CIMNETWORK] DMTF Common Information Model - Network Model v2.5,
http://www.dmtf.org/var/release/CIM_Schema25/CIM_Network25.mof

14. Disclaimer

Jason, et al Expires August-2002 [Page 71]

Internet Draft IPsec Configuration Policy Model February 2002

The views and specification herein are those of the authors and are
not necessarily those of their employer. The authors and their
employer specifically disclaim responsibility for any problems
arising from correct or incorrect implementation or use of this
specification.

Jason, et al Expires May-2002 [Page 81]

Internet Draft IPsec Configuration Policy Model November 2001

15. Authors' Addresses

Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
E-Mail: jamie.jason@intel.com

Lee Rafalow
IBM Corporation, BRQA/502
4205 So. Miami Blvd.
Research Triangle Park, NC 27709
E-mail: rafalow@watson.ibm.com

Eric Vyncke
Cisco Systems
Avenue Marcel Thiry, 77
B-1200 Brussels
Belgium
E-mail: evyncke@cisco.com

16. Full Copyright Statement

This document and translations of it maybe copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other then
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THEINTERNET ENGINEERING
TASK FORCE DISCLIAMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMAITON
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTEIS OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Jason, et al Expires May-2002 August-2002 [Page 82] 72]

----