5. Condition and Filter Classes
The IPsec condition and filter classes are used to build the "if" part of the IKE and IPsec rules. *+-------------+ +--------------------| SACondition | | +-------------+ | * | | |(a) | 1 | | +---------------+ | | FilterList | | |([CIMNETWORK]) | | +---------------+ | 1 o |(b) |(c) | * | | +-----------------+ | | FilterEntryBase | | | ([CIMNETWORK]) | | +-----------------+ | ^ | | | +-----------------+ | +-----------------------+ | | IPHeadersFilter |----+----| CredentialFilterEntry | | | ([PCIME]) | | +-----------------------+ | +-----------------+ | | | | +-----------------+ | +--------------------------+ | | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry | | +-----------------+ +--------------------------+ | | *+-----------------------------+ +------------| CredentialManagementService | | ([CIMUSER]) | +-----------------------------+ (a) FilterOfSACondition (b) AcceptCredentialsFrom (c) EntriesInFilterList (see [CIMNETWORK])
5.1. The Class SACondition
The class SACondition defines the conditions of rules for IKE and IPsec negotiations. Conditions are associated with policy rules via the SAConditionInRule aggregation. It is used as an anchor point to associate various types of filters with policy rules via the FilterOfSACondition association. It also defines whether Credentials can be accepted for a particular policy rule via the AcceptCredentialsFrom association. Associated objects represent components of the condition that may or may not apply at a given rule evaluation. For example, an AcceptCredentialsFrom evaluation is only performed when a credential is available to be evaluated against the list of trusted credential management services. Similarly, a PeerIDPayloadFilterEntry may only be evaluated when an IDPayload value is available to compare with the filter. Condition components that do not have corresponding values with which to evaluate are evaluated as TRUE unless the protocol has completed without providing the required information. The class definition for SACondition is as follows: NAME SACondition DESCRIPTION Defines the preconditions for IKE and IPsec negotiations. DERIVED FROM PolicyCondition (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyConditionName (from PolicyCondition)5.2. The Class IPHeadersFilter
The class IPHeadersFilter is defined in [PCIME] with the following note: 1) to specify 5-tuple filters that are to apply symmetrically (i.e., matches traffic in both directions of the same flows which is quite typical for SPD entries for ingress and egress traffic), the Direction property of the FilterList SHOULD be set to "Mirrored".5.3. The Class CredentialFilterEntry
The class CredentialFilterEntry defines an equivalence class that match credentials of IKE peers. Each CredentialFilterEntry includes a MatchFieldName that is interpreted according to the CredentialManagementService(s) associated with the SACondition (AcceptCredentialsFrom).
These credentials can be X.509 certificates, Kerberos tickets, or other types of credentials obtained during the Phase 1 exchange. Note: this filter entry will probably be checked while the IKE negotiation takes place. If the check is a failure, then the IKE negotiation MUST be stopped, and the result of the IKEAction which triggered this negotiation is a failure. The class definition for CredentialFilterEntry is as follows: NAME CredentialFilterEntry DESCRIPTION Specifies a match filter based on the IKE credentials. DERIVED FROM FilterEntryBase (see [CIMNETWORK]) ABSTRACT FALSE PROPERTIES Name (from FilterEntryBase) IsNegated (from FilterEntryBase) MatchFieldName MatchFieldValue CredentialType5.3.1. The Property MatchFieldName
The property MatchFieldName specifies the sub-part of the credential to match against MatchFieldValue. The property is defined as follows: NAME MatchFieldName DESCRIPTION Specifies which sub-part of the credential to match. SYNTAX string VALUE This is the string representation of a X.509 certificate attribute, e.g.: - "serialNumber" - "signatureAlgorithm" - "issuerName" - "subjectName" - "subjectAltName" - ...5.3.2. The Property MatchFieldValue
The property MatchFieldValue specifies the value to compare with the MatchFieldName in a credential to determine if the credential matches this filter entry. The property is defined as follows: NAME MatchFieldValue DESCRIPTION Specifies the value to be matched by the MatchFieldName.
SYNTAX string VALUE NB: If the CredentialFilterEntry corresponds to a DistinguishedName, this value in the CIM class is represented by an ordinary string value. However, an implementation must convert this string to a DER- encoded string before matching against the values extracted from credentials at runtime. A wildcard mechanism may be used for MatchFieldNames that contain character strings. The MatchFieldValue may contain a wildcard character, '*', in the pattern match specification. For example, if the MatchFieldName is "subjectName", then a MatchFieldValue of "cn=*,ou=engineering,o=foo,c=be" will successfully match a certificate whose subject attribute is "cn=Jane Doe,ou=engineering,o=foo,c=be". The wildcard character can be used to represent 0 or more characters as would be displayed to the user (i.e., a wildcard pattern match operates on displayable character boundaries).5.3.3. The Property CredentialType
The property CredentialType specifies the particular type of credential that is being matched. The property is defined as follows: NAME CredentialType DESCRIPTION Defines the type of IKE credentials. SYNTAX unsigned 16-bit integer VALUE 1 - X.509 Certificate 2 - Kerberos Ticket5.4. The Class IPSOFilterEntry
The class IPSOFilterEntry is used to match traffic based on the IP Security Options [IPSO] header values (ClassificationLevel and ProtectionAuthority) as defined in RFC 1108. This type of filter entry is used to adjust the IPsec encryption level according to the IPSO classification of the traffic (e.g., secret, confidential, restricted, etc.) The class definition for IPSOFilterEntry is as follows: NAME IPSOFilterEntry DESCRIPTION Specifies the a match filter based on IP Security Options. DERIVED FROM FilterEntryBase (see [CIMNETWORK]) ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase) IsNegated (from FilterEntryBase) MatchConditionType MatchConditionValue5.4.1. The Property MatchConditionType
The property MatchConditionType specifies the IPSO header field that will be matched (e.g., traffic classification level or protection authority). The property is defined as follows: NAME MatchConditionType DESCRIPTION Specifies the IPSO header field to be matched. SYNTAX unsigned 16-bit integer VALUE 1 - ClassificationLevel 2 - ProtectionAuthority5.4.2. The Property MatchConditionValue
The property MatchConditionValue specifies the value of the IPSO header field to be matched against. The property is defined as follows: NAME MatchConditionValue DESCRIPTION Specifies the value of the IPSO header field to be matched against. SYNTAX unsigned 16-bit integer VALUE The values MUST be one of values listed in RFC 1108 (or any further IANA Assigned Numbers document). Some examples for ClassificationLevel are: 61 - TopSecret 90 - Secret 150 - Confidential 171 - Unclassified For ProtectionAuthority, some examples are: 0 - GENSER 1 - SIOP-ESI 2 - SCI 3 - NSA 4 - DOE5.5. The Class PeerIDPayloadFilterEntry
The class PeerIDPayloadFilterEntry defines filters used to match ID payload values from the IKE protocol exchange. PeerIDPayloadFilterEntry permits the specification of certain ID payload values such as "*@example.com" or "192.0.2.0/24".
Obviously this filter applies only to IKERules when acting as a responder. Moreover, this filter can be applied immediately in the case of aggressive mode but its application is to be delayed in the case of main mode. The class definition for PeerIDPayloadFilterEntry is as follows: NAME PeerIDPayloadFilterEntry DESCRIPTION Specifies a match filter based on IKE identity. DERIVED FROM FilterEntryBase (see [CIMNETWORK]) ABSTRACT FALSE PROPERTIES Name (from FilterEntryBase) IsNegated (from FilterEntryBase) MatchIdentityType MatchIdentityValue5.5.1. The Property MatchIdentityType
The property MatchIdentityType specifies the type of identity provided by the peer in the ID payload. The property is defined as follows: NAME MatchIdentityType DESCRIPTION Specifies the ID payload type. SYNTAX unsigned 16-bit integer VALUE Consult [DOI] for valid values. 5.5.2. The Property MatchIdentityValue The property MatchIdentityValue specifies the filter value for comparison with the ID payload, e.g., "*@example.com". The property is defined as follows: NAME MatchIdentityValue DESCRIPTION Specifies the ID payload value. SYNTAX string VALUE NB: The syntax may need to be converted for comparison. If the PeerIDPayloadFilterEntry type is a DistinguishedName, the name in the MatchIdentityValue property is represented by an ordinary string value, but this value must be converted into a DER-encoded string before matching against the values extracted from IKE ID payloads at runtime. The same applies to IPv4 & IPv6 addresses.
Different wildcard mechanisms can be used depending on the ID payload: - a MatchIdentityValue of "*@example.com" will match a user FQDN ID payload of "JDOE@EXAMPLE.COM". - a MatchIdentityValue of "*.example.com" will match a FQDN ID payload of "WWW.EXAMPLE.COM". - a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will match a DER DN ID payload of "cn=John Doe,ou=engineering,o=company,c=us". - a MatchIdentityValue of "193.190.125.0/24" will match an IPv4 address ID payload of 193.190.125.10. - a MatchIdentityValue of "193.190.125.*" will also match an IPv4 address ID payload of 193.190.125.10. The above wildcard mechanisms MUST be supported for all ID payloads supported by the local IKE entity. The character '*' replaces 0 or multiple instances of any character as restricted by the type specified by MatchIdentityType.5.6. The Association Class FilterOfSACondition
The class FilterOfSACondition associates an SACondition with the filter specifications (FilterList) that make up the condition. The class definition for FilterOfSACondition is as follows: NAME FilterOfSACondition DESCRIPTION Associates a condition with the filter list that makes up the individual condition elements. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref FilterList[1..1]] Dependent [ref SACondition[0..n]]5.6.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a FilterList instance. The [1..1] cardinality indicates that an SACondition instance MUST be associated with one and only one FilterList instance.
5.6.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to an SACondition instance. The [0..n] cardinality indicates that a FilterList instance may be associated with zero or more SACondition instances.5.7. The Association Class AcceptCredentialFrom
The class AcceptCredentialFrom specifies which credential management services (e.g., a CertificateAuthority or a Kerberos service) are to be trusted to certify peer credentials. This is used to assure that the credential being matched in the CredentialFilterEntry is a valid credential that has been supplied by an approved CredentialManagementService. If a CredentialManagementService is specified and a corresponding CredentialFilterEntry is used, but the credential supplied by the peer is not certified by that CredentialManagementService (or one of the CredentialManagementServices in its trust hierarchy), the CredentialFilterEntry is deemed not to match. If a credential is certified by a CredentialManagementService in the AcceptCredentialsFrom list of services, but there is no CredentialFilterEntry, this is considered equivalent to a CredentialFilterEntry that matches all credentials from those services. The class definition for AcceptCredentialFrom is as follows: NAME AcceptCredentialFrom DESCRIPTION Associates a condition with the credential management services to be trusted. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref CredentialManagementService[0..n]] Dependent [ref SACondition[0..n]]5.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an SACondition instance may be associated with zero or more CredentialManagementService instances.
5.7.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to a SACondition instance. The [0..n] cardinality indicates that a CredentialManagementService instance may be associated with zero or more SACondition instances.6. Action Classes
The action classes are used to model the different actions an IPsec device may take when the evaluation of the associated condition results in a match.
+----------+ | SAAction | +----------+ ^ | +-----------+--------------+ | | | +---------------------+ | | SaNegotiationAction | | +---------------------+ | ^ | | +----------------+ +----------------------+* | SAStaticAction | | IKENegotiationAction |o----+ +----------------+ +----------------------+ | ^ ^ | | | | | +-----------+-------+ | | | | | +-------------------+ | +-------------+ +-----------+ | | IPsecBypassAction |---+ | IPsecAction | | IKEAction | | +-------------------+ | +-------------+ +-----------+ | | ^ | +--------------------+ | | +----------------------+ | | IPsecDiscardAction |---+ +----| IPsecTransportAction | | +--------------------+ | | +----------------------+ | | | | +-----------------+ | | +-------------------+ | | IKERejectAction |---+ +----| IPsecTunnelAction | | +-----------------+ | +-------------------+ | | *| | | +--------------+ | | | | +-----------------------+ | | +--------------+n | | PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+ +-----------------------+ | +--------------+ (b) *| ^ | | | | *+-------------+ | | +-------| PeerGateway | | | +-------------+ | | +-----------------------------+ |0..1 *w| | +--| PreconfiguredTransportAction| | |(c) | | +-----------------------------+ | 1| | | | +--------------+ | | +---------------------------+ * | | System | | +--| PreconfiguredTunnelAction |-----+ | ([CIMCORE]) | | +---------------------------+ (e) +--------------+ |
| 2..6+---------------+ +-------| [SATransform] | (d) +---------------+ (a) PeerGatewayForTunnel (b) ContainedProposal (c) HostedPeerGatewayInformation (d) TransformOfPreconfiguredAction (e) PeerGatewayForPreconfiguredTunnel6.1. The Class SAAction
The class SAAction is abstract and serves as the base class for IKE and IPsec actions. It is used for aggregating different types of actions to IKE and IPsec rules. The class definition for SAAction is as follows: NAME SAAction DESCRIPTION The base class for IKE and IPsec actions. DERIVED FROM PolicyAction (see [PCIM]) ABSTRACT TRUE PROPERTIES PolicyActionName (from PolicyAction) DoActionLogging DoPacketLogging6.1.1. The Property DoActionLogging
The property DoActionLogging specifies whether a log message is to be generated when the action is performed. This applies for SANegotiationActions with the meaning of logging a message when the negotiation is attempted (with the success or failure result). This also applies for SAStaticAction only for PreconfiguredSAAction with the meaning of logging a message when the preconfigured SA is actually installed in the SADB. The property is defined as follows: NAME DoActionLogging DESCRIPTION Specifies the whether to log when the action is performed. SYNTAX boolean VALUE true - a log message is to be generated when action is performed. false - no log message is to be generated when action is performed.
6.1.2. The Property DoPacketLogging
The property DoPacketLogging specifies whether a log message is to be generated when the resulting security association is used to process the packet. If the SANegotiationAction successfully executes and results in the creation of one or several security associations, or if the PreconfiguredSAAction executes, the value of DoPacketLogging SHOULD be propagated to an optional field of SADB. This optional field should be used to decide whether a log message is to be generated when the SA is used to process a packet. For SAStaticActions, a log message is to be generated when the IPsecBypassAction, IPsecDiscardAction, or IKERejectAction are executed. The property is defined as follows: NAME DoPacketLogging DESCRIPTION Specifies whether to log when the resulting security association is used to process the packet. SYNTAX boolean VALUE true - a log message is to be generated when the resulting security association is used to process the packet. false - no log message is to be generated.6.2. The Class SAStaticAction
The class SAStaticAction is abstract and serves as the base class for IKE and IPsec actions that do not require any negotiation. The class definition for SAStaticAction is as follows: NAME SAStaticAction DESCRIPTION The base class for IKE and IPsec actions that do not require any negotiation. DERIVED FROM SAAction ABSTRACT TRUE PROPERTIES LifetimeSeconds6.2.1. The Property LifetimeSeconds
The property LifetimeSeconds specifies how long the security association derived from this action should be used. The property is defined as follows: NAME LifetimeSeconds DESCRIPTION Specifies the amount of time (in seconds) that a security association derived from this action should be used. SYNTAX unsigned 64-bit integer
VALUE A value of zero indicates that there is not a lifetime associated with this action (i.e., infinite lifetime). A non-zero value is typically used in conjunction with alternate SAActions performed when there is a negotiation failure of some sort. Note: if the referenced SAStaticAction object is a PreconfiguredSAAction associated to several SATransforms, then the actual lifetime of the preconfigured SA will be the lesser of the value of this LifetimeSeconds property and of the value of the MaxLifetimeSeconds property of the associated SATransform. If the value of this LifetimeSeconds property is zero, then there will be no lifetime associated to this SA. Note: while some SA negotiation protocols [IKE] can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient. It is expected that most SAStaticAction instances will have their LifetimeSeconds properties set to zero (meaning no expiration of the resulting SA).6.3. The Class IPsecBypassAction
The class IPsecBypassAction is used when packets are allowed to be processed without applying IPsec encapsulation to them. This is the same as stating that packets are allowed to flow in the clear. The class definition for IPsecBypassAction is as follows: NAME IPsecBypassAction DESCRIPTION Specifies that packets are to be allowed to pass in the clear. DERIVED FROM SAStaticAction ABSTRACT FALSE6.4. The Class IPsecDiscardAction
The class IPsecDiscardAction is used when packets are to be discarded. This is the same as stating that packets are to be denied. The class definition for IPsecDiscardAction is as follows: NAME IPsecDiscardAction DESCRIPTION Specifies that packets are to be discarded. DERIVED FROM SAStaticAction ABSTRACT FALSE
6.5. The Class IKERejectAction
The class IKERejectAction is used to prevent attempting an IKE negotiation with the peer(s). The main use of this class is to prevent some denial of service attacks when acting as IKE responder. It goes beyond a plain discard of UDP/500 IKE packets because the SACondition can be based on specific PeerIDPayloadFilterEntry (when aggressive mode is used). The class definition for IKERejectAction is as follows: NAME IKERejectAction DESCRIPTION Specifies that an IKE negotiation should not even be attempted or continued. DERIVED FROM SAStaticAction ABSTRACT FALSE6.6. The Class PreconfiguredSAAction
The class PreconfiguredSAAction is used to create a security association using preconfigured, hard-wired algorithms and keys. Notes: - the SPI for a PreconfiguredSAAction is contained in the association, TransformOfPreconfiguredAction; - the session key (if applicable) is contained in an instance of the class SharedSecret (see [CIMUSER]). The session key is stored in the property Secret, the property protocol contains either "ESP- encrypt", "ESP-auth" or "AH", the property algorithm contains the algorithm used to protect the secret (can be "PLAINTEXT" if the IPsec entity has no secret storage), the value of property RemoteID is the concatenation of the remote IPsec peer IP address in dotted decimal, of the character "/", of "IN" (respectively "OUT") for inbound SA (respectively outbound SA), of the character "/", and of the hexadecimal representation of the SPI. Although the class is concrete, it MUST not be instantiated. The class definition for PreconfiguredSAAction is as follows: NAME PreconfiguredSAAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of a security association. DERIVED FROM SAStaticAction ABSTRACT TRUE PROPERTIES LifetimeKilobytes
6.6.1. The Property LifetimeKilobytes
The property LifetimeKilobytes specifies a traffic limit in kilobytes that can be consumed before the SA is deleted. The property is defined as follows: NAME LifetimeKilobytes DESCRIPTION Specifies the SA lifetime in kilobytes. SYNTAX unsigned 64-bit integer VALUE A value of zero indicates that there is not a lifetime associated with this action (i.e., infinite lifetime). A non-zero value is used to indicate that after this number of kilobytes has been consumed the SA must be deleted from the SADB. Note: the actual lifetime of the preconfigured SA will be the lesser of the value of this LifetimeKilobytes property and of the value of the MaxLifetimeSeconds property of the associated SATransform. If the value of this LifetimeKilobytes property is zero, then there will be no lifetime associated with this action. Note: while some SA negotiation protocols [IKE] can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient. It is expected that most PreconfiguredSAAction instances will have their LifetimeKilobyte properties set to zero (meaning no expiration of the resulting SA).6.7. The Class PreconfiguredTransportAction
The class PreconfiguredTransportAction is used to create an IPsec transport-mode security association using preconfigured, hard-wired algorithms and keys. The class definition for PreconfiguredTransportAction is as follows: NAME PreconfiguredTransportAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of an IPsec transport security association. DERIVED FROM PreconfiguredSAAction ABSTRACT FALSE
6.8. The Class PreconfiguredTunnelAction
The class PreconfiguredTunnelAction is used to create an IPsec tunnel-mode security association using preconfigured, hard-wired algorithms and keys. The class definition for PreconfiguredSAAction is as follows: NAME PreconfiguredTunnelAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of an IPsec tunnel-mode security association. DERIVED FROM PreconfiguredSAAction ABSTRACT FALSE PROPERTIES DFHandling6.8.1. The Property DFHandling
The property DFHandling specifies how the Don't Fragment (DF) bit of the internal IP header is to be handled during IPsec processing. The property is defined as follows: NAME DFHandling DESCRIPTION Specifies the processing of the DF bit. SYNTAX unsigned 16-bit integer VALUE 1 - Copy the DF bit from the internal IP header to the external IP header. 2 - Set the DF bit of the external IP header to 1. 3 - Clear the DF bit of the external IP header to 0.6.9. The Class SANegotiationAction
The class SANegotiationAction specifies an action requesting security policy negotiation. This is an abstract class. Currently, only one security policy negotiation protocol action is subclassed from SANegotiationAction: the IKENegotiationAction class. It is nevertheless expected that other security policy negotiation protocols will exist and the negotiation actions of those new protocols would be modeled as a subclass of SANegotiationAction. NAME SANegotiationAction DESCRIPTION Specifies a negotiation action. DERIVED FROM SAAction ABSTRACT TRUE
6.10. The Class IKENegotiationAction
The class IKENegotiationAction is abstract and serves as the base class for IKE and IPsec actions that result in an IKE negotiation. The class definition for IKENegotiationAction is as follows: NAME IKENegotiationAction DESCRIPTION A base class for IKE and IPsec actions that specifies the parameters that are common for IKE phase 1 and IKE phase 2 IPsec DOI negotiations. DERIVED FROM SANegotiationAction ABSTRACT TRUE PROPERTIES MinLifetimeSeconds MinLifetimeKilobytes IdleDurationSeconds6.10.1. The Property MinLifetimeSeconds
The property MinLifetimeSeconds specifies the minimum seconds in a lifetime that will be accepted from the peer. MinLifetimeSeconds is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with expensive Diffie-Hellman operations. The property is defined as follows: NAME MinLifetimeSeconds DESCRIPTION Specifies the minimum seconds acceptable in a lifetime. SYNTAX unsigned 64-bit integer VALUE A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum seconds lifetime. Note: while IKE can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient.6.10.2. The Property MinLifetimeKilobytes
The property MinLifetimeKilobytes specifies the minimum kilobytes of a lifetime that will be accepted from the peer. MinLifetimeKilobytes is used to prevent certain denial of service attacks, where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. Note that there has been considerable debate regarding the usefulness of applying kilobyte lifetimes to IKE phase 1 security associations, so it is likely that this property will only apply to the sub-class IPsecAction. The property is defined as follows:
NAME MinLifetimeKilobytes DESCRIPTION Specifies the minimum kilobytes acceptable in a lifetime. SYNTAX unsigned 64-bit integer VALUE A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum kilobytes lifetime. Note: While IKE can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient.6.10.3. The Property IdleDurationSeconds
The property IdleDurationSeconds specifies how many seconds a security association may remain idle (i.e., no traffic protected using the security association) before it is deleted. The property is defined as follows: NAME IdleDurationSeconds DESCRIPTION Specifies how long, in seconds, a security association may remain unused before it is deleted. SYNTAX unsigned 64-bit integer VALUE A value of zero indicates that idle detection should not be used for the security association (only the seconds and kilobyte lifetimes will be used). Any non-zero value indicates the number of seconds the security association may remain unused.6.11. The Class IPsecAction
The class IPsecAction serves as the base class for IPsec transport and tunnel actions. It specifies the parameters used for an IKE phase 2 IPsec DOI negotiation. The class definition for IPsecAction is as follows: NAME IPsecAction DESCRIPTION A base class for IPsec transport and tunnel actions that specifies the parameters for IKE phase 2 IPsec DOI negotiations. DERIVED FROM IKENegotiationAction ABSTRACT TRUE PROPERTIES UsePFS UseIKEGroup GroupId Granularity VendorID
6.11.1. The Property UsePFS
The property UsePFS specifies whether or not perfect forward secrecy should be used when refreshing keys. The property is defined as follows: NAME UsePFS DESCRIPTION Specifies the whether or not to use PFS when refreshing keys. SYNTAX boolean VALUE A value of true indicates that PFS should be used. A value of false indicates that PFS should not be used.6.11.2. The Property UseIKEGroup
The property UseIKEGroup specifies whether or not phase 2 should use the same key exchange group as was used in phase 1. UseIKEGroup is ignored if UsePFS is false. The property is defined as follows: NAME UseIKEGroup DESCRIPTION Specifies whether or not to use the same GroupId for phase 2 as was used in phase 1. If UsePFS is false, then UseIKEGroup is ignored. SYNTAX boolean VALUE A value of true indicates that the phase 2 GroupId should be the same as phase 1. A value of false indicates that the property GroupId will contain the key exchange group to use for phase 2.6.11.3. The Property GroupId
The property GroupId specifies the key exchange group to use for phase 2. GroupId is ignored if (1) the property UsePFS is false, or (2) the property UsePFS is true and the property UseIKEGroup is true. If the GroupID number is from the vendor-specific range (32768- 65535), the property VendorID qualifies the group number. The property is defined as follows: NAME GroupId DESCRIPTION Specifies the key exchange group to use for phase 2 when the property UsePFS is true and the property UseIKEGroup is false. SYNTAX unsigned 16-bit integer VALUE Consult [IKE] for valid values.
6.11.4. The Property Granularity
The property Granularity specifies how the selector for the security association should be derived from the traffic that triggered the negotiation. The property is defined as follows: NAME Granularity DESCRIPTION Specifies how the proposed selector for the security association will be created. SYNTAX unsigned 16-bit integer VALUE 1 - subnet: the source and destination subnet masks of the filter entry are used. 2 - address: only the source and destination IP addresses of the triggering packet are used. 3 - protocol: the source and destination IP addresses and the IP protocol of the triggering packet are used. 4 - port: the source and destination IP addresses and the IP protocol and the source and destination layer 4 ports of the triggering packet are used.6.11.5. The Property VendorID
The property VendorID is used together with the property GroupID (when it is in the vendor-specific range) to identify the key exchange group. VendorID is ignored unless UsePFS is true and UseIKEGroup is false and GroupID is in the vendor-specific range (32768-65535). The property is defined as follows: NAME VendorID DESCRIPTION Specifies the IKE Vendor ID. SYNTAX string6.12. The Class IPsecTransportAction
The class IPsecTransportAction is a subclass of IPsecAction that is used to specify use of an IPsec transport-mode security association. The class definition for IPsecTransportAction is as follows: NAME IPsecTransportAction DESCRIPTION Specifies that an IPsec transport-mode security association should be negotiated. DERIVED FROM IPsecAction ABSTRACT FALSE
6.13. The Class IPsecTunnelAction
The class IPsecTunnelAction is a subclass of IPsecAction that is used to specify use of an IPsec tunnel-mode security association. The class definition for IPsecTunnelAction is as follows: NAME IPsecTunnelAction DESCRIPTION Specifies that an IPsec tunnel-mode security association should be negotiated. DERIVED FROM IPsecAction ABSTRACT FALSE PROPERTIES DFHandling6.13.1. The Property DFHandling
The property DFHandling specifies how the tunnel should manage the Don't Fragment (DF) bit. The property is defined as follows: NAME DFHandling DESCRIPTION Specifies how to process the DF bit. SYNTAX unsigned 16-bit integer VALUE 1 - Copy the DF bit from the internal IP header to the external IP header. 2 - Set the DF bit of the external IP header to 1. 3 - Clear the DF bit of the external IP header to 0.6.14. The Class IKEAction
The class IKEAction specifies the parameters that are to be used for IKE phase 1 negotiation. The class definition for IKEAction is as follows: NAME IKEAction DESCRIPTION Specifies the IKE phase 1 negotiation parameters. DERIVED FROM IKENegotiationAction ABSTRACT FALSE PROPERTIES ExchangeMode UseIKEIdentityType VendorID AggressiveModeGroupId
6.14.1. The Property ExchangeMode
The property ExchangeMode specifies which IKE mode should be used for IKE phase 1 negotiations. The property is defined as follows: NAME ExchangeMode DESCRIPTION Specifies the IKE negotiation mode for phase 1. SYNTAX unsigned 16-bit integer VALUE 1 - base mode 2 - main mode 4 - aggressive mode6.14.2. The Property UseIKEIdentityType
The property UseIKEIdentityType specifies what IKE identity type should be used when negotiating with the peer. This information is used in conjunction with the IKE identities available on the system and the IdentityContexts of the matching IKERule. The property is defined as follows: NAME UseIKEIdentityType DESCRIPTION Specifies the IKE identity to use during negotiation. SYNTAX unsigned 16-bit integer VALUE Consult [DOI] for valid values.6.14.3. The Property VendorID
The property VendorID specifies the value to be used in the Vendor ID payload. The property is defined as follows: NAME VendorID DESCRIPTION Vendor ID Payload. SYNTAX string VALUE A value of NULL means that Vendor ID payload will be neither generated nor accepted. A non-NULL value means that a Vendor ID payload will be generated (when acting as an initiator) or is expected (when acting as a responder).6.14.4. The Property AggressiveModeGroupId
The property AggressiveModeGroupId specifies which group ID is to be used in the first packets of the phase 1 negotiation. This property is ignored unless the property ExchangeMode is set to 4 (aggressive mode). If the AggressiveModeGroupID number is from the vendor- specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows:
NAME AggressiveModeGroupId DESCRIPTION Specifies the group ID to be used for aggressive mode. SYNTAX unsigned 16-bit integer6.15. The Class PeerGateway
The class PeerGateway specifies the security gateway with which the IKE services negotiates. The class definition for PeerGateway is as follows: NAME PeerGateway DESCRIPTION Specifies the security gateway with which to negotiate. DERIVED FROM LogicalElement (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Name PeerIdentityType PeerIdentity Note: The class PeerIdentityEntry contains more information about the peer (namely its IP address).6.15.1. The Property Name
The property Name specifies a user-friendly name for this security gateway. The property is defined as follows: NAME Name DESCRIPTION Specifies a user-friendly name for this security gateway. SYNTAX string6.15.2. The Property PeerIdentityType
The property PeerIdentityType specifies the IKE identity type of the security gateway. The property is defined as follows: NAME PeerIdentityType DESCRIPTION Specifies the IKE identity type of the security gateway. SYNTAX unsigned 16-bit integer VALUE Consult [DOI] for valid values.
6.15.3. The Property PeerIdentity
The property PeerIdentity specifies the IKE identity value of the security gateway. Based upon the storage chosen for the task- specific mapping of the information model, a conversion may be needed from the stored representation of the PeerIdentity string to the real value used in the ID payload (e.g., IP address is to be converted from a dotted decimal string into 4 bytes). The property is defined as follows: NAME PeerIdentity DESCRIPTION Specifies the IKE identity value of the security gateway. SYNTAX string6.16. The Association Class PeerGatewayForTunnel
The class PeerGatewayForTunnel associates IPsecTunnelActions with an ordered list of PeerGateways. The class definition for PeerGatewayForTunnel is as follows: NAME PeerGatewayForTunnel DESCRIPTION Associates IPsecTunnelActions with an ordered list of PeerGateways. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref PeerGateway[0..n]] Dependent [ref IPsecTunnelAction[0..n]] SequenceNumber6.16.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that an IPsecTunnelAction instance may be associated with zero or more PeerGateway instances. Note: The cardinality 0 has a specific meaning: - when the IKE service acts as a responder, this means that the IKE service will accept phase 1 negotiation with any other security gateway; - when the IKE service acts as an initiator, this means that the IKE service will use the destination IP address (of the IP packets which triggered the SARule) as the IP address of the peer IKE entity.
6.16.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to an IPsecTunnelAction instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more IPsecTunnelAction instances.6.16.3. The Property SequenceNumber
The property SequenceNumber specifies the ordering to be used when evaluating PeerGateway instances for a given IPsecTunnelAction. The property is defined as follows: NAME SequenceNumber DESCRIPTION Specifies the order of evaluation for PeerGateways. SYNTAX unsigned 16-bit integer VALUE Lower values are evaluated first.6.17. The Aggregation Class ContainedProposal
The class ContainedProposal associates an ordered list of SAProposals with the IKENegotiationAction that aggregates it. If the referenced IKENegotiationAction object is an IKEAction, then the referenced SAProposal object(s) must be IKEProposal(s). If the referenced IKENegotiationAction object is an IPsecTransportAction or an IPsecTunnelAction, then the referenced SAProposal object(s) must be IPsecProposal(s). The class definition for ContainedProposal is as follows: NAME ContainedProposal DESCRIPTION Associates an ordered list of SAProposals with an IKENegotiationAction. DERIVED FROM PolicyComponent (see [PCIM]) ABSTRACT FALSE PROPERTIES GroupComponent[ref IKENegotiationAction[0..n]] PartComponent[ref SAProposal[1..n]] SequenceNumber6.17.1. The Reference GroupComponent
- The property GroupComponent is inherited from PolicyComponent and is overridden to refer to an IKENegotiationAction instance. The [0..n] cardinality indicates that an SAProposal instance may be associated with zero or more IKENegotiationAction instances.
6.17.2. The Reference PartComponent
The property PartComponent is inherited from PolicyComponent and is overridden to refer to an SAProposal instance. The [1..n] cardinality indicates that an IKENegotiationAction instance MUST be associated with at least one SAProposal instance.6.17.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for the SAProposals. The property is defined as follows: NAME SequenceNumber DESCRIPTION Specifies the preference order for the SAProposals. SYNTAX unsigned 16-bit integer VALUE Lower-valued proposals are preferred over proposals with higher values. For ContainedProposals that reference the same IKENegotiationAction, SequenceNumber values must be unique.6.18. The Association Class HostedPeerGatewayInformation
The class HostedPeerGatewayInformation weakly associates a PeerGateway with a System. The class definition for HostedPeerGatewayInformation is as follows: NAME HostedPeerGatewayInformation DESCRIPTION Weakly associates a PeerGateway with a System. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref System[1..1]] Dependent [ref PeerGateway[0..n] [weak]]6.18.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerGateway instance MUST be associated with one and only one System instance.6.18.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerGateway instances.
6.19. The Association Class TransformOfPreconfiguredAction
The class TransformOfPreconfiguredAction associates a PreconfiguredSAAction with two, four or six SATransforms that will be applied to the inbound and outbound traffic. The order of application of the SATransforms is implicitly defined in [IPSEC]. The class definition for TransformOfPreconfiguredAction is as follows: NAME TransformOfPreconfiguredAction DESCRIPTION Associates a PreconfiguredSAAction with from one to three SATransforms. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent[ref SATransform[2..6]] Dependent[ref PreconfiguredSAAction[0..n]] SPI Direction6.19.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to an SATransform instance. The [2..6] cardinality indicates that a PreconfiguredSAAction instance may be associated with two to six SATransform instances.6.19.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to a PreconfiguredSAAction instance. The [0..n] cardinality indicates that a SATransform instance may be associated with zero or more PreconfiguredSAAction instances.6.19.3. The Property SPI
The property SPI specifies the SPI to be used by the pre-configured action for the associated transform. The property is defined as follows: NAME SPI DESCRIPTION Specifies the SPI to be used with the SATransform. SYNTAX unsigned 32-bit integer
6.19.4. The Property Direction
The property Direction specifies whether the SPI property is for inbound or outbound traffic. The property is defined as follows: NAME Direction DESCRIPTION Specifies whether the SA is for inbound or outbound traffic. SYNTAX unsigned 8-bit integer VALUE 1 - this SA is for inbound traffic 2 - this SA is for outbound traffic6.20 The Association Class PeerGatewayForPreconfiguredTunnel
The class PeerGatewayForPreconfiguredTunnel associates zero or one PeerGateways with multiple PreconfiguredTunnelActions. The class definition for PeerGatewayForPreconfiguredTunnel is as follows: NAME PeerGatewayForPreconfiguredTunnel DESCRIPTION Associates a PeerGateway with multiple PreconfiguredTunnelActions. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent[ref PeerGateway[0..1]] Dependent[ref PreconfiguredTunnelAction[0..n]]6.20.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..1] cardinality indicates that a PreconfiguredTunnelAction instance may be associated with one PeerGteway instance.6.20.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to a PreconfiguredTunnelAction instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more PreconfiguredSAAction instances.