7. Proposal and Transform Classes
The proposal and transform classes model the proposal settings an IPsec device will use during IKE phase 1 and 2 negotiations.

   [Figure: class diagram. SAProposal (abstract) is weakly associated
   with System ([CIMCORE]) through (a) SAProposalInSystem and has the
   subclasses IKEProposal and IPsecProposal. SATransform (abstract) is
   aggregated into IPsecProposal through (b) ContainedTransform, is
   weakly associated with System through (c) SATransformInSystem, and
   has the subclasses AHTransform, ESPTransform and IPCOMPTransform.]

7.1. The Abstract Class SAProposal
The abstract class SAProposal serves as the base class for the IKE and IPsec proposal classes. It specifies the parameters that are common to the two proposal types. The class definition for SAProposal is as follows:

   NAME            SAProposal
   DESCRIPTION     Specifies the common proposal parameters for IKE and
                   IPsec security association negotiation.
   DERIVED FROM    Policy ([PCIM])
   ABSTRACT        TRUE
   PROPERTIES      Name
7.1.1. The Property Name
The property Name specifies a user-friendly name for the SAProposal. The property is defined as follows:

   NAME            Name
   DESCRIPTION     Specifies a user-friendly name for this proposal.
   SYNTAX          string

7.2. The Class IKEProposal
The class IKEProposal specifies the proposal parameters necessary to drive an IKE security association negotiation. The class definition for IKEProposal is as follows:

   NAME            IKEProposal
   DESCRIPTION     Specifies the proposal parameters for IKE security
                   association negotiation.
   DERIVED FROM    SAProposal
   ABSTRACT        FALSE
   PROPERTIES      CipherAlgorithm
                   HashAlgorithm
                   PRFAlgorithm
                   GroupId
                   AuthenticationMethod
                   MaxLifetimeSeconds
                   MaxLifetimeKilobytes
                   VendorID

7.2.1. The Property CipherAlgorithm
The property CipherAlgorithm specifies the proposed phase 1 security association encryption algorithm. The property is defined as follows:

   NAME            CipherAlgorithm
   DESCRIPTION     Specifies the proposed encryption algorithm for the
                   phase 1 security association.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [IKE] for valid values.
7.2.2. The Property HashAlgorithm
The property HashAlgorithm specifies the proposed phase 1 security association hash algorithm. The property is defined as follows:

   NAME            HashAlgorithm
   DESCRIPTION     Specifies the proposed hash algorithm for the phase 1
                   security association.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [IKE] for valid values.

7.2.3. The Property PRFAlgorithm
The property PRFAlgorithm specifies the proposed phase 1 security association pseudo-random function. The property is defined as follows:

   NAME            PRFAlgorithm
   DESCRIPTION     Specifies the proposed pseudo-random function for the
                   phase 1 security association.
   SYNTAX          unsigned 16-bit integer
   VALUE           Currently none are defined in [IKE]. If [IKE, DOI] are
                   extended, the values defined there are to be used as
                   values of PRFAlgorithm.

7.2.4. The Property GroupId
The property GroupId specifies the proposed phase 1 security association key exchange group. This property is ignored for all aggressive mode exchanges. If the GroupId number is from the vendor-specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows:

   NAME            GroupId
   DESCRIPTION     Specifies the proposed key exchange group for the
                   phase 1 security association.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [IKE] for valid values.
                   Note: The value of this property is to be ignored in
                   aggressive mode.
7.2.5. The Property AuthenticationMethod
The property AuthenticationMethod specifies the proposed phase 1 authentication method. The property is defined as follows:

   NAME            AuthenticationMethod
   DESCRIPTION     Specifies the proposed authentication method for the
                   phase 1 security association.
   SYNTAX          unsigned 16-bit integer
   VALUE           0 - a special value that indicates that this
                   particular proposal should be repeated once for each
                   authentication method that corresponds to the
                   credentials installed on the machine. For example, if
                   the system has a pre-shared key and a certificate, a
                   proposal list could be constructed that includes a
                   proposal that specifies a pre-shared key and proposals
                   for any of the public-key authentication methods.
                   Consult [IKE] for the other valid values.

7.2.6. The Property MaxLifetimeSeconds
The property MaxLifetimeSeconds specifies the proposed maximum time, in seconds, that a security association will remain valid after its creation. The property is defined as follows:

   NAME            MaxLifetimeSeconds
   DESCRIPTION     Specifies the proposed maximum time that a security
                   association will remain valid.
   SYNTAX          unsigned 64-bit integer
   VALUE           A value of zero indicates that the default of 8 hours
                   be used. A non-zero value indicates the maximum
                   lifetime in seconds.
                   Note: While IKE can negotiate the lifetime as an
                   arbitrary length field, the authors have assumed that
                   a 64-bit integer will be sufficient.
The property MaxLifetimeKilobytes specifies the proposed maximum kilobyte lifetime that a security association will remain valid after its creation. The property is defined as follows:

   NAME            MaxLifetimeKilobytes
   DESCRIPTION     Specifies the proposed maximum kilobyte lifetime that
                   a security association will remain valid.
   SYNTAX          unsigned 64-bit integer
   VALUE           A value of zero indicates that there should be no
                   maximum kilobyte lifetime. A non-zero value specifies
                   the desired kilobyte lifetime.
                   Note: While IKE can negotiate the lifetime as an
                   arbitrary length field, the authors have assumed that
                   a 64-bit integer will be sufficient.

7.2.8. The Property VendorID
The property VendorID further qualifies the key exchange group. It is ignored in aggressive mode (where GroupId itself is ignored), and otherwise it is ignored unless GroupId is in the vendor-specific range (32768-65535). The property is defined as follows:

   NAME            VendorID
   DESCRIPTION     Specifies the Vendor ID to further qualify the key
                   exchange group.
   SYNTAX          string

7.3. The Class IPsecProposal
The class IPsecProposal adds no new properties, but inherits proposal properties from SAProposal, as well as aggregating the security association transforms necessary for building an IPsec proposal (see the aggregation class ContainedTransform). The class definition for IPsecProposal is as follows:

   NAME            IPsecProposal
   DESCRIPTION     Specifies the proposal parameters for IPsec security
                   association negotiation.
   DERIVED FROM    SAProposal
   ABSTRACT        FALSE

7.4. The Abstract Class SATransform
The abstract class SATransform serves as the base class for the IPsec transforms that can be used to compose an IPsec proposal or be used as a pre-configured action. The class definition for SATransform is as follows:

   NAME            SATransform
   DESCRIPTION     Base class for the different IPsec transforms.
   ABSTRACT        TRUE
   PROPERTIES      CommonName (from Policy)
                   VendorID
                   MaxLifetimeSeconds
                   MaxLifetimeKilobytes
7.4.1. The Property CommonName
The property CommonName is inherited from Policy [PCIM] and specifies a user-friendly name for the SATransform. The property is defined as follows:

   NAME            CommonName
   DESCRIPTION     Specifies a user-friendly name for this
                   Policy-related object.
   SYNTAX          string

7.4.2. The Property VendorID
The property VendorID specifies the vendor ID for vendor-defined transforms. The property is defined as follows:

   NAME            VendorID
   DESCRIPTION     Specifies the vendor ID for vendor-defined transforms.
   SYNTAX          string
   VALUE           An empty VendorID string indicates that the transform
                   is a standard one.

7.4.3. The Property MaxLifetimeSeconds
The property MaxLifetimeSeconds specifies the proposed maximum time, in seconds, that a security association will remain valid after its creation. The property is defined as follows:

   NAME            MaxLifetimeSeconds
   DESCRIPTION     Specifies the proposed maximum time that a security
                   association will remain valid.
   SYNTAX          unsigned 64-bit integer
   VALUE           A value of zero indicates that the default of 8 hours
                   be used. A non-zero value indicates the maximum
                   lifetime in seconds.
                   Note: While IKE can negotiate the lifetime as an
                   arbitrary length field, the authors have assumed that
                   a 64-bit integer will be sufficient.

7.4.4. The Property MaxLifetimeKilobytes
The property MaxLifetimeKilobytes specifies the proposed maximum kilobyte lifetime that a security association will remain valid after its creation. The property is defined as follows:
   NAME            MaxLifetimeKilobytes
   DESCRIPTION     Specifies the proposed maximum kilobyte lifetime that
                   a security association will remain valid.
   SYNTAX          unsigned 64-bit integer
   VALUE           A value of zero indicates that there should be no
                   maximum kilobyte lifetime. A non-zero value specifies
                   the desired kilobyte lifetime.
                   Note: While IKE can negotiate the lifetime as an
                   arbitrary length field, the authors have assumed that
                   a 64-bit integer will be sufficient.

7.5. The Class AHTransform
The class AHTransform specifies the AH algorithm to propose during IPsec security association negotiation. The class definition for AHTransform is as follows:

   NAME            AHTransform
   DESCRIPTION     Specifies the proposed AH algorithm.
   ABSTRACT        FALSE
   PROPERTIES      AHTransformId
                   UseReplayPrevention
                   ReplayPreventionWindowSize

7.5.1. The Property AHTransformId
The property AHTransformId specifies the transform ID of the AH algorithm. The property is defined as follows:

   NAME            AHTransformId
   DESCRIPTION     Specifies the transform ID of the AH algorithm.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention
The property UseReplayPrevention specifies whether replay prevention detection is to be used. The property is defined as follows:

   NAME            UseReplayPrevention
   DESCRIPTION     Specifies whether to enable replay prevention
                   detection.
   SYNTAX          boolean
   VALUE           true - replay prevention detection is enabled.
                   false - replay prevention detection is disabled.
7.5.3. The Property ReplayPreventionWindowSize
The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be a power of 2. The property is defined as follows:

   NAME            ReplayPreventionWindowSize
   DESCRIPTION     Specifies the length of the window used by the replay
                   prevention detection mechanism.
   SYNTAX          unsigned 32-bit integer

7.6. The Class ESPTransform
The class ESPTransform specifies the ESP algorithms to propose during IPsec security association negotiation. The class definition for ESPTransform is as follows:

   NAME            ESPTransform
   DESCRIPTION     Specifies the proposed ESP algorithms.
   ABSTRACT        FALSE
   PROPERTIES      IntegrityTransformId
                   CipherTransformId
                   CipherKeyLength
                   CipherKeyRounds
                   UseReplayPrevention
                   ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId
The property IntegrityTransformId specifies the transform ID of the ESP integrity algorithm. The property is defined as follows:

   NAME            IntegrityTransformId
   DESCRIPTION     Specifies the transform ID of the ESP integrity
                   algorithm.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [DOI] for valid values.
7.6.2. The Property CipherTransformId
The property CipherTransformId specifies the transform ID of the ESP encryption algorithm. The property is defined as follows:

   NAME            CipherTransformId
   DESCRIPTION     Specifies the transform ID of the ESP encryption
                   algorithm.
   SYNTAX          unsigned 16-bit integer
   VALUE           Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength
The property CipherKeyLength specifies, in bits, the key length for the ESP encryption algorithm. For encryption algorithms that use a fixed-length key, this value is ignored. The property is defined as follows:

   NAME            CipherKeyLength
   DESCRIPTION     Specifies the ESP encryption key length in bits.
   SYNTAX          unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds
The property CipherKeyRounds specifies the number of key rounds for the ESP encryption algorithm. For encryption algorithms that use a fixed number of key rounds, this value is ignored. The property is defined as follows:

   NAME            CipherKeyRounds
   DESCRIPTION     Specifies the number of key rounds for the ESP
                   encryption algorithm.
   SYNTAX          unsigned 16-bit integer
   VALUE           Currently, key rounds are not defined for any ESP
                   encryption algorithms.

7.6.5. The Property UseReplayPrevention
The property UseReplayPrevention specifies whether replay prevention detection is to be used. The property is defined as follows:

   NAME            UseReplayPrevention
   DESCRIPTION     Specifies whether to enable replay prevention
                   detection.
   SYNTAX          boolean
   VALUE           true - replay prevention detection is enabled.
                   false - replay prevention detection is disabled.
7.6.6. The Property ReplayPreventionWindowSize
The property ReplayPreventionWindowSize specifies, in bits, the length of the sliding window used by the replay prevention detection mechanism. The value of this property is meaningless if UseReplayPrevention is false. It is assumed that the window size will be a power of 2. The property is defined as follows:

   NAME            ReplayPreventionWindowSize
   DESCRIPTION     Specifies the length of the window used by the replay
                   prevention detection mechanism.
   SYNTAX          unsigned 32-bit integer

7.7. The Class IPCOMPTransform
The class IPCOMPTransform specifies the IP compression (IPCOMP) algorithm to propose during IPsec security association negotiation. The class definition for IPCOMPTransform is as follows:

   NAME            IPCOMPTransform
   DESCRIPTION     Specifies the proposed IPCOMP algorithm.
   ABSTRACT        FALSE
   PROPERTIES      Algorithm
                   DictionarySize
                   PrivateAlgorithm

7.7.1. The Property Algorithm
The property Algorithm specifies the transform ID of the IPCOMP compression algorithm. The property is defined as follows:

   NAME            Algorithm
   DESCRIPTION     Specifies the transform ID of the IPCOMP compression
                   algorithm.
   SYNTAX          unsigned 16-bit integer
   VALUE           1 - OUI: a vendor-specific algorithm is used and is
                   specified in the property PrivateAlgorithm.
                   Consult [DOI] for other valid values.

7.7.2. The Property DictionarySize
The property DictionarySize specifies the log2 maximum size of the dictionary for the compression algorithm. For compression algorithms that have pre-defined dictionary sizes, this value is ignored. The property is defined as follows:
   NAME            DictionarySize
   DESCRIPTION     Specifies the log2 maximum size of the dictionary.
   SYNTAX          unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm
The property PrivateAlgorithm specifies a private vendor-specific compression algorithm. This value is only used when the property Algorithm is 1 (OUI). The property is defined as follows:

   NAME            PrivateAlgorithm
   DESCRIPTION     Specifies a private vendor-specific compression
                   algorithm.
   SYNTAX          unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem
The class SAProposalInSystem weakly associates SAProposals with a System. The class definition for SAProposalInSystem is as follows:

   NAME            SAProposalInSystem
   DESCRIPTION     Weakly associates SAProposals with a System.
   DERIVED FROM    PolicyInSystem (see [PCIM])
   ABSTRACT        FALSE
   PROPERTIES      Antecedent[ref System [1..1]]
                   Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent
The property Antecedent is inherited from PolicyInSystem and is overridden to refer to a System instance. The [1..1] cardinality indicates that an SAProposal instance MUST be associated with one and only one System instance.

7.8.2. The Reference Dependent
The property Dependent is inherited from PolicyInSystem and is overridden to refer to an SAProposal instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform
The class ContainedTransform associates an IPsecProposal with the set of SATransforms that make up the proposal. If multiple transforms of the same type are in a proposal, then they are to be logically ORed and the order of preference is dictated by the SequenceNumber property. Sets of transforms of different types are logically ANDed.
For example, if the ordered proposal list were

   ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
   AH  = { MD5, SHA-1 }

then the one sending the proposal would want the other side to pick one from the ESP transform list (preferably (HMAC-MD5, 3DES)) AND one from the AH transform list (preferably MD5). The class definition for ContainedTransform is as follows:

   NAME            ContainedTransform
   DESCRIPTION     Associates an IPsecProposal with the set of
                   SATransforms that make up the proposal.
   DERIVED FROM    PolicyComponent (see [PCIM])
   ABSTRACT        FALSE
   PROPERTIES      GroupComponent[ref IPsecProposal[0..n]]
                   PartComponent[ref SATransform[1..n]]
                   SequenceNumber

7.9.1. The Reference GroupComponent
The property GroupComponent is inherited from PolicyComponent and is overridden to refer to an IPsecProposal instance. The [0..n] cardinality indicates that an SATransform instance may be associated with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent
The property PartComponent is inherited from PolicyComponent and is overridden to refer to an SATransform instance. The [1..n] cardinality indicates that an IPsecProposal instance MUST be associated with at least one SATransform instance.

7.9.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for the SATransforms of the same type. The property is defined as follows:

   NAME            SequenceNumber
   DESCRIPTION     Specifies the preference order for the SATransforms
                   of the same type.
   SYNTAX          unsigned 16-bit integer
   VALUE           Lower-valued transforms are preferred over transforms
                   of the same type with higher values. For
                   ContainedTransforms that reference the same
                   IPsecProposal, SequenceNumber values must be unique.
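The two expansion rules above, AuthenticationMethod = 0 in section 7.2.5 and the OR-within-type / AND-across-types composition of ContainedTransform in section 7.9, as an added example that is not part of RFC 3585 or of any implementation it describes. The Python classes and functions are hypothetical stand-ins for the model's IKEProposal, SATransform and ContainedTransform; the authentication method numbers are those of [IKE] Appendix A, the lifetime defaults follow sections 7.2.6 and 7.2.7, and the sample proposal is the ESP/AH list from the text, constructed here as data.

```python
"""Added example (not from RFC 3585): expanding an IKEProposal list with
AuthenticationMethod 0 and an IPsecProposal's ContainedTransforms into the
choices a negotiator would actually offer.  Names are hypothetical."""
from dataclasses import dataclass, replace
from itertools import product
from typing import Dict, List, Sequence, Tuple

# Phase 1 authentication method identifiers from [IKE] Appendix A.
PRE_SHARED_KEY = 1
RSA_SIGNATURE = 3


@dataclass(frozen=True)
class IKEProposal:
    name: str
    cipher_algorithm: int
    hash_algorithm: int
    group_id: int
    authentication_method: int       # 0 = repeat once per installed credential type
    max_lifetime_seconds: int = 0    # 0 = default of 8 hours (section 7.2.6)
    max_lifetime_kilobytes: int = 0  # 0 = no kilobyte limit (section 7.2.7)


def effective_lifetime_seconds(p: IKEProposal) -> int:
    return p.max_lifetime_seconds or 8 * 3600


def effective_lifetime_kilobytes(p: IKEProposal):
    """None means 'no kilobyte lifetime', which is what zero encodes."""
    return p.max_lifetime_kilobytes or None


def expand_ike_proposals(proposals: Sequence[IKEProposal],
                         installed_auth_methods: Sequence[int]) -> List[IKEProposal]:
    """AuthenticationMethod 0 stands for one copy of the proposal per
    authentication method the locally installed credentials support."""
    expanded: List[IKEProposal] = []
    for p in proposals:
        if p.authentication_method == 0:
            expanded.extend(replace(p, authentication_method=m) for m in installed_auth_methods)
        else:
            expanded.append(p)
    return expanded


@dataclass(frozen=True)
class SATransform:
    kind: str    # concrete subclass: "AH", "ESP" or "IPCOMP"
    label: str   # readable stand-in for the transform's own properties


@dataclass(frozen=True)
class ContainedTransform:
    transform: SATransform
    sequence_number: int


# Only the preference order within one type is defined by the model; the
# order in which the types are listed in a choice is a local convention.
TRANSFORM_ORDER = ("AH", "ESP", "IPCOMP")


def expand_ipsec_proposal(contained: Sequence[ContainedTransform]) -> List[Tuple[str, ...]]:
    """Same type = OR, ordered by SequenceNumber (lower preferred);
    different types = AND.  Returns every acceptable combination, most
    preferred first."""
    if not contained:
        raise ValueError("an IPsecProposal must aggregate at least one SATransform")
    seqs = [c.sequence_number for c in contained]
    if len(seqs) != len(set(seqs)):
        raise ValueError("SequenceNumber values must be unique within one IPsecProposal")
    by_kind: Dict[str, List[str]] = {}
    for c in sorted(contained, key=lambda c: c.sequence_number):
        by_kind.setdefault(c.transform.kind, []).append(c.transform.label)
    ordered = [by_kind[k] for k in TRANSFORM_ORDER if k in by_kind]
    return list(product(*ordered))


# Constructed sample data: the ESP/AH proposal used as the example in the text.
SAMPLE_CONTAINED = [
    ContainedTransform(SATransform("ESP", "ESP(HMAC-MD5,3DES)"), 1),
    ContainedTransform(SATransform("ESP", "ESP(HMAC-MD5,DES)"), 2),
    ContainedTransform(SATransform("AH", "AH(MD5)"), 3),
    ContainedTransform(SATransform("AH", "AH(SHA-1)"), 4),
]
SAMPLE_IKE = IKEProposal("main-mode-default", cipher_algorithm=5, hash_algorithm=2,
                         group_id=2, authentication_method=0)

if __name__ == "__main__":
    for p in expand_ike_proposals([SAMPLE_IKE], [PRE_SHARED_KEY, RSA_SIGNATURE]):
        print(p.name, "auth", p.authentication_method, "life", effective_lifetime_seconds(p), "s")
    for choice in expand_ipsec_proposal(SAMPLE_CONTAINED):
        print(" AND ".join(choice))
```

The duplicate-SequenceNumber check is the one a policy loader should not skip: two transforms of the same type with equal numbers have no defined preference, and silently picking one changes which algorithm the peer is steered to.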
7.10. The Association Class SATransformInSystem
The class SATransformInSystem weakly associates SATransforms with a System. The class definition for SATransformInSystem is as follows:

   NAME            SATransformInSystem
   DESCRIPTION     Weakly associates SATransforms with a System.
   DERIVED FROM    PolicyInSystem (see [PCIM])
   ABSTRACT        FALSE
   PROPERTIES      Antecedent[ref System[1..1]]
                   Dependent[ref SATransform[0..n] [weak]]

7.10.1. The Reference Antecedent
The property Antecedent is inherited from PolicyInSystem and is overridden to refer to a System instance. The [1..1] cardinality indicates that an SATransform instance MUST be associated with one and only one System instance.

7.10.2. The Reference Dependent
The property Dependent is inherited from PolicyInSystem and is overridden to refer to an SATransform instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more SATransform instances.
8. IKE Service and Identity Classes
   [Figure: class diagram of the IKE service and identity classes.
   Classes shown: System ([CIMCORE]), PeerIdentityEntry, PeerGateway,
   PeerIdentityTable, AutostartIKESetting, IKEService,
   IPProtocolEndpoint ([CIMNETWORK]), AutostartIKEConfiguration,
   IKEIdentity, Collection ([CIMCORE]), CredentialManagementService
   ([CIMUSER]) and Credential ([CIMUSER]). Associations:
   (a) HostedPeerIdentityTable
   (b) PeerIdentityMember
   (c) IKEServicePeerGateway
   (d) IKEServicePeerIdentityTable
   (e) IKEAutostartSetting
   (f) AutostartIKESettingContext
   (g) IKEServiceForEndpoint
   (h) IKEAutostartConfiguration
   (i) IKEUsesCredentialManagementService
   (j) EndpointHasLocalIKEIdentity
   (k) CollectionHasLocalIKEIdentity
   (l) IKEIdentitysCredential]

This portion of the model contains additional information that is useful in applying the policy. The IKEService class MAY be used to represent the IKE negotiation function in a system. The IKEService uses the various tables that contain information about IKE peers as well as the configuration for specifying security associations that are started automatically. The information in the PeerGateway, PeerIdentityTable and related classes is necessary to completely specify the policies. An interface (represented by an IPProtocolEndpoint) has an IKEService that provides the negotiation services for that interface. That service MAY also have a list of security associations automatically started at the time the IKE service is initialized. The IKEService also has a set of identities that it may use in negotiations with its peers. Those identities are associated with the interfaces (or collections of interfaces).

8.1. The Class IKEService
The class IKEService represents the IKE negotiation function. An instance of this service may provide that negotiation service for one or more interfaces (represented by the IPProtocolEndpoint class) of a System. There may be multiple instances of IKE services on a System but only one per interface. The class definition for IKEService is as follows:

   NAME            IKEService
   DESCRIPTION     IKEService is used to represent the IKE negotiation
                   function.
   DERIVED FROM    Service (see [CIMCORE])
   ABSTRACT        FALSE

8.2. The Class PeerIdentityTable
The class PeerIdentityTable aggregates the table entries that provide mappings between identities and their addresses. The class definition for PeerIdentityTable is as follows:

   NAME            PeerIdentityTable
   DESCRIPTION     PeerIdentityTable aggregates PeerIdentityEntry
                   instances to provide a table of identity-address
                   mappings.
   DERIVED FROM    Collection (see [CIMCORE])
   ABSTRACT        FALSE
   PROPERTIES      Name

8.2.1. The Property Name
The property Name uniquely identifies the table. The property is defined as follows:

   NAME            Name
   DESCRIPTION     Name uniquely identifies the table.
   SYNTAX          string

8.3. The Class PeerIdentityEntry
The class PeerIdentityEntry specifies the mapping between a peer's identity and its IP address. The class definition for PeerIdentityEntry is as follows:

   NAME            PeerIdentityEntry
   DESCRIPTION     PeerIdentityEntry provides a mapping between a peer's
                   identity and address.
   DERIVED FROM    LogicalElement (see [CIMCORE])
   ABSTRACT        FALSE
   PROPERTIES      PeerIdentity
                   PeerIdentityType
                   PeerAddress
                   PeerAddressType

The pre-shared key to be used with this peer (if applicable) is contained in an instance of the class SharedSecret (see [CIMUSER]): the pre-shared key is stored in the property Secret; the property protocol contains "IKE"; the property algorithm contains the algorithm used to protect the secret (which can be "PLAINTEXT" if the IPsec entity has no secret storage); and the value of the property RemoteID must match the PeerIdentity property of the PeerIdentityEntry instance describing the IKE peer.

8.3.1. The Property PeerIdentity
The property PeerIdentity contains a string encoding of the Identity payload for the IKE peer. The property is defined as follows:

   NAME            PeerIdentity
   DESCRIPTION     The PeerIdentity is the ID payload of a peer.
   SYNTAX          string
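Resolving a peer through the PeerIdentityTable and then finding the SharedSecret that holds its pre-shared key, following the rules of section 8.3 above and the PeerAddress and PeerAddressType properties in sections 8.3.3 and 8.3.4 below, as an added example that is not part of RFC 3585. The dataclasses and function names are hypothetical stand-ins for PeerIdentityEntry and the SharedSecret class of [CIMUSER]; the table entries and secrets are constructed sample data, and the ID type numbers are those of [DOI] section 4.6.2.1. Treating more than one matching SharedSecret as an error is this example's own choice, not a rule of the model.

```python
"""Added example (not from RFC 3585): looking up the PeerIdentityEntry for
the address an IKE message came from, checking that PeerAddress agrees with
PeerAddressType, and fetching the matching pre-shared key.  Names are
hypothetical; the data is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# PeerAddressType enumeration (section 8.3.4).
ADDR_UNKNOWN, ADDR_IPV4, ADDR_IPV6 = 0, 1, 2
# ID payload types from [DOI] section 4.6.2.1.
ID_IPV4_ADDR, ID_FQDN, ID_IPV6_ADDR = 1, 2, 5


@dataclass(frozen=True)
class PeerIdentityEntry:
    peer_identity: str
    peer_identity_type: int
    peer_address: str
    peer_address_type: int


@dataclass(frozen=True)
class SharedSecret:
    """Stand-in for the [CIMUSER] SharedSecret instance section 8.3 refers to."""
    remote_id: str     # must equal the peer's PeerIdentity
    protocol: str      # "IKE" for an IKE pre-shared key
    algorithm: str     # how Secret is protected; "PLAINTEXT" if it is not
    secret: str


def validate_entry(entry: PeerIdentityEntry):
    """PeerAddress must parse, and in the family PeerAddressType claims."""
    addr = ipaddress.ip_address(entry.peer_address)
    expected = {ADDR_IPV4: 4, ADDR_IPV6: 6}.get(entry.peer_address_type)
    if expected is None:
        raise ValueError(f"PeerAddressType {entry.peer_address_type} is Unknown "
                         f"for PeerAddress {entry.peer_address}")
    if addr.version != expected:
        raise ValueError(f"PeerAddress {entry.peer_address} is IPv{addr.version}, "
                         f"but PeerAddressType says IPv{expected}")
    return addr


def lookup_peer(table: Sequence[PeerIdentityEntry], peer_address: str) -> Optional[PeerIdentityEntry]:
    """Find the entry whose PeerAddress is the address a message arrived from."""
    want = ipaddress.ip_address(peer_address)
    for entry in table:
        if validate_entry(entry) == want:
            return entry
    return None


def psk_for_peer(entry: PeerIdentityEntry, secrets: Sequence[SharedSecret]) -> Tuple[str, Optional[str]]:
    """The PSK is the SharedSecret with protocol "IKE" whose RemoteID equals
    the entry's PeerIdentity.  Returns (secret, warning); the warning is
    set when the secret is held as PLAINTEXT.  Requiring exactly one match
    is an assumption of this example."""
    matches = [s for s in secrets
               if s.protocol == "IKE" and s.remote_id == entry.peer_identity]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one IKE SharedSecret with RemoteID "
                          f"{entry.peer_identity!r}, found {len(matches)}")
    chosen = matches[0]
    warning = None
    if chosen.algorithm == "PLAINTEXT":
        warning = f"pre-shared key for {entry.peer_identity} is stored as PLAINTEXT"
    return chosen.secret, warning


# Constructed sample data (documentation addresses only).
SAMPLE_TABLE = [
    PeerIdentityEntry("gw1.example.com", ID_FQDN, "192.0.2.10", ADDR_IPV4),
    PeerIdentityEntry("2001:db8::1", ID_IPV6_ADDR, "2001:db8::1", ADDR_IPV6),
]
SAMPLE_SECRETS = [
    SharedSecret("gw1.example.com", "IKE", "PLAINTEXT", "constructed-example-psk"),
    SharedSecret("gw1.example.com", "SSH", "PLAINTEXT", "not-an-ike-secret"),
]

if __name__ == "__main__":
    peer = lookup_peer(SAMPLE_TABLE, "192.0.2.10")
    if peer is not None:
        secret, warning = psk_for_peer(peer, SAMPLE_SECRETS)
        print(peer.peer_identity, "->", "<secret>", warning or "")
```

The protocol filter matters: a SharedSecret for the same RemoteID but another protocol is not an IKE key, and a lookup keyed only on RemoteID would hand the wrong credential to the negotiator.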
8.3.2. The Property PeerIdentityType
The property PeerIdentityType is an enumeration that specifies the type of the PeerIdentity. The property is defined as follows:

   NAME            PeerIdentityType
   DESCRIPTION     PeerIdentityType is the type of the ID payload of a
                   peer.
   SYNTAX          unsigned 16-bit integer
   VALUE           The enumeration values are specified in [DOI]
                   section 4.6.2.1.

8.3.3. The Property PeerAddress
The property PeerAddress specifies the string representation of the IP address of the peer, formatted according to the appropriate convention as defined in the PeerAddressType property (e.g., dotted decimal notation). The property is defined as follows:

   NAME            PeerAddress
   DESCRIPTION     PeerAddress is the address of the peer with the ID
                   payload.
   SYNTAX          string
   VALUE           String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType
The property PeerAddressType specifies the format of the PeerAddress property value. The property is defined as follows:

   NAME            PeerAddressType
   DESCRIPTION     PeerAddressType is the type of address in
                   PeerAddress.
   SYNTAX          unsigned 16-bit integer
   VALUE           0 - Unknown
                   1 - IPv4
                   2 - IPv6

8.4. The Class AutostartIKEConfiguration
The class AutostartIKEConfiguration groups AutostartIKESetting instances into configuration sets. When applied, the settings cause an IKE service to automatically start (negotiate or statically set as appropriate) the Security Associations. The class definition for AutostartIKEConfiguration is as follows:
   NAME            AutostartIKEConfiguration
   DESCRIPTION     A configuration set of AutostartIKESetting instances
                   to be automatically started by the IKE service.
   DERIVED FROM    SystemConfiguration (see [CIMCORE])
   ABSTRACT        FALSE

8.5. The Class AutostartIKESetting
The class AutostartIKESetting is used to automatically initiate IKE negotiations with peers (or statically create an SA) as specified in the AutostartIKESetting properties. Appropriate actions are initiated according to the policy that matches the setting parameters. The class definition for AutostartIKESetting is as follows:

   NAME            AutostartIKESetting
   DESCRIPTION     AutostartIKESetting is used to automatically initiate
                   IKE negotiations with peers or statically create an
                   SA.
   DERIVED FROM    SystemSetting (see [CIMCORE])
   ABSTRACT        FALSE
   PROPERTIES      Phase1Only
                   AddressType
                   SourceAddress
                   SourcePort
                   DestinationAddress
                   DestinationPort
                   Protocol

8.5.1. The Property Phase1Only
The property Phase1Only is used to limit the IKE negotiation to a phase 1 SA establishment only. When set to False, both phase 1 and phase 2 SAs are negotiated. The property is defined as follows:

   NAME            Phase1Only
   DESCRIPTION     Used to indicate whether a phase 1 only or both
                   phase 1 and phase 2 security associations should
                   attempt establishment.
   SYNTAX          boolean
   VALUE           true - attempt to establish a phase 1 security
                   association
                   false - attempt to establish phase 1 and phase 2
                   security associations
8.5.2. The Property AddressType
The property AddressType specifies the type of the addresses in the SourceAddress and DestinationAddress properties. The property is defined as follows:

   NAME            AddressType
   DESCRIPTION     AddressType is the type of address in the
                   SourceAddress and DestinationAddress properties.
   SYNTAX          unsigned 16-bit integer
   VALUE           0 - Unknown
                   1 - IPv4
                   2 - IPv6

8.5.3. The Property SourceAddress
The property SourceAddress specifies the dotted-decimal or colon-decimal formatted IP address used as the source address in comparing with policy filter entries and used in any phase 2 negotiations. The property is defined as follows:

   NAME            SourceAddress
   DESCRIPTION     The source address to compare with the filters to
                   determine the appropriate policy rule.
   SYNTAX          string
   VALUE           dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort
The property SourcePort specifies the port number used as the source port in comparing policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

   NAME            SourcePort
   DESCRIPTION     The source port to compare with the filters to
                   determine the appropriate policy rule.
   SYNTAX          unsigned 16-bit integer

8.5.5. The Property DestinationAddress
The property DestinationAddress specifies the dotted-decimal or colon-decimal formatted IP address used as the destination address in comparing policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

   NAME            DestinationAddress
   DESCRIPTION     The destination address to compare with the filters
                   to determine the appropriate policy rule.
   SYNTAX          string
   VALUE           dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort
The property DestinationPort specifies the port number used as the destination port in comparing policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

   NAME            DestinationPort
   DESCRIPTION     The destination port to compare with the filters to
                   determine the appropriate policy rule.
   SYNTAX          unsigned 16-bit integer

8.5.7. The Property Protocol
The property Protocol specifies the protocol number used in comparing with policy filter entries and is used in any phase 2 negotiations. The property is defined as follows:

   NAME            Protocol
   DESCRIPTION     The protocol number used in comparing policy filter
                   entries.
   SYNTAX          unsigned 8-bit integer

8.6. The Class IKEIdentity
The class IKEIdentity is used to represent the identities that may be used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints) to identify the IKE Service in IKE phase 1 negotiations. The policy IKEAction.UseIKEIdentityType specifies which type of the available identities to use in a negotiation exchange, and the IKERule.IdentityContexts specifies the match values to be used, along with the local address, in selecting the appropriate identity for a negotiation. The ElementID property value (defined in the parent class, UsersAccess) should be that of either the IPProtocolEndpoint or the Collection of endpoints, as appropriate. The class definition for IKEIdentity is as follows:

   NAME            IKEIdentity
   DESCRIPTION     IKEIdentity is used to represent the identities that
                   may be used for an IPProtocolEndpoint (or collection
                   of IPProtocolEndpoints) to identify the IKE Service
                   in IKE phase 1 negotiations.
   DERIVED FROM    UsersAccess (see [CIMUSER])
   ABSTRACT        FALSE
   PROPERTIES      IdentityType
                   IdentityValue
                   IdentityContexts

8.6.1. The Property IdentityType
The property IdentityType is an enumeration that specifies the type of the IdentityValue. The property is defined as follows:

   NAME            IdentityType
   DESCRIPTION     IdentityType is the type of the IdentityValue.
   SYNTAX          unsigned 16-bit integer
   VALUE           The enumeration values are specified in [DOI]
                   section 4.6.2.1.

8.6.2. The Property IdentityValue
The property IdentityValue contains a string encoding of the Identity payload. For IKEIdentity instances that are address types (i.e., IPv4 or IPv6 addresses), the IdentityValue string value MAY be omitted; then the associated IPProtocolEndpoint (or appropriate member of the Collection of endpoints) is used as the identity value. The property is defined as follows:

   NAME            IdentityValue
   DESCRIPTION     IdentityValue contains a string encoding of the
                   Identity payload.
   SYNTAX          string

8.6.3. The Property IdentityContexts
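The selection rule this section defines (IdentityContexts values are role combinations of the form <ContextName>[&&<ContextName>]* with names in alphabetical order, any IKERule.IdentityContexts value equal to any IKEIdentity.IdentityContexts value is a match, and together with the endpoint address and IKEAction.UseIKEIdentityType there SHOULD be exactly one IKEIdentity), as an added example that is not part of RFC 3585. The dataclass, the function names and the sample identities are hypothetical and constructed; the ID type numbers are from [DOI] section 4.6.2.1. Re-sorting the context names before comparing is this example's defensive choice so that a value written out of alphabetical order still compares equal to its canonical spelling.

```python
"""Added example (not from RFC 3585): choosing the local IKEIdentity for a
phase 1 negotiation from the endpoint, IKEAction.UseIKEIdentityType and
IKERule.IdentityContexts.  Names are hypothetical; data is constructed."""
from dataclasses import dataclass
from typing import List, Sequence

# ID payload types from [DOI] section 4.6.2.1.
ID_FQDN = 2
ID_USER_FQDN = 3


@dataclass(frozen=True)
class IKEIdentity:
    element_id: str                   # ElementID: the IPProtocolEndpoint (or Collection)
    identity_type: int                # IdentityType, a [DOI] ID type value
    identity_value: str               # IdentityValue
    identity_contexts: Sequence[str]  # IdentityContexts, role combinations


def canonical_context(value: str) -> str:
    """'<ContextName>[&&<ContextName>]*' with the names in alphabetical
    (code point) order; sorting makes 'Partner&&Extranet' equal to the
    canonical 'Extranet&&Partner'."""
    names = [n for n in value.split("&&") if n]
    if not names:
        raise ValueError(f"empty IdentityContexts value: {value!r}")
    return "&&".join(sorted(names))


def contexts_match(rule_contexts: Sequence[str], identity_contexts: Sequence[str]) -> bool:
    """Each array value is an ORed condition: a match if any rule value
    equals any identity value.  Two empty arrays therefore do not match."""
    rule = {canonical_context(v) for v in rule_contexts}
    ident = {canonical_context(v) for v in identity_contexts}
    return not rule.isdisjoint(ident)


def select_identity(identities: Sequence[IKEIdentity], endpoint_id: str,
                    use_identity_type: int, rule_contexts: Sequence[str]) -> IKEIdentity:
    """Endpoint + UseIKEIdentityType + IdentityContexts SHOULD select exactly
    one identity.  Zero or several hits is a configuration error, so the
    negotiator fails here instead of guessing which identity to present."""
    hits: List[IKEIdentity] = [
        i for i in identities
        if i.element_id == endpoint_id
        and i.identity_type == use_identity_type
        and contexts_match(rule_contexts, i.identity_contexts)
    ]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one IKEIdentity for endpoint {endpoint_id!r}, "
                          f"type {use_identity_type}, contexts {list(rule_contexts)}; "
                          f"found {len(hits)}")
    return hits[0]


# Constructed sample data: one endpoint carrying several identities.
SAMPLE_IDENTITIES = [
    IKEIdentity("eth0", ID_FQDN, "vpn.example.com", ["Corporate"]),
    IKEIdentity("eth0", ID_FQDN, "partner-gw.example.com", ["Extranet&&Partner"]),
    IKEIdentity("eth0", ID_USER_FQDN, "ops@example.com", ["Corporate", "Extranet&&Partner"]),
]

if __name__ == "__main__":
    chosen = select_identity(SAMPLE_IDENTITIES, "eth0", ID_FQDN, ["Partner&&Extranet"])
    print(chosen.identity_value)
```

A rule whose context array matches several identities of the requested type is the case to watch for when loading policy: the model says there should be one answer, and the example surfaces that as an error at selection time rather than presenting an arbitrary identity to the peer.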
The IdentityContexts property is used to constrain the use of IKEIdentity instances to match that specified in the IKERule.IdentityContexts. The IdentityContexts are formatted as policy roles and role combinations [PCIM] & [PCIME]. Each value represents one context or context combination. Since this is a multi-valued property, more than one context or combination of contexts can be associated with a single IKEIdentity. Each value is a string of the form:

   <ContextName>[&&<ContextName>]*

where the individual context names appear in alphabetical order (according to the collating sequence for UCS-2). If one or more values in the IKERule.IdentityContexts array match one or more IKEIdentity.IdentityContexts, then the identity's context matches. (That is, each value of the IdentityContexts array is an ORed condition.) In combination with the address of the IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be exactly one IKEIdentity. The property is defined as follows:

   NAME            IdentityContexts
   DESCRIPTION     The IKE service of a security endpoint may have
                   multiple identities for use in different situations.
                   The combination of the interface (represented by the
                   IPProtocolEndpoint), the identity type (as specified
                   in the IKEAction) and the IdentityContexts selects a
                   unique identity.
   SYNTAX          string array
   VALUE           string of the form <ContextName>[&&<ContextName>]*

8.7. The Association Class HostedPeerIdentityTable
The class HostedPeerIdentityTable provides the name scoping relationship for PeerIdentityTable entries in a System. The PeerIdentityTable is weak to the System. The class definition for HostedPeerIdentityTable is as follows:

   NAME            HostedPeerIdentityTable
   DESCRIPTION     The PeerIdentityTable instances are weak to (name
                   scoped by) the owning System.
   DERIVED FROM    Dependency (see [CIMCORE])
   ABSTRACT        FALSE
   PROPERTIES      Antecedent [ref System[1..1]]
                   Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerIdentityTable instance MUST be associated in a weak relationship with one and only one System instance.

8.7.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember
The class PeerIdentityMember aggregates PeerIdentityEntry instances into a PeerIdentityTable. This is a weak aggregation. The class definition for PeerIdentityMember is as follows:
    NAME            PeerIdentityMember
    DESCRIPTION     PeerIdentityMember aggregates PeerIdentityEntry
                    instances into a PeerIdentityTable.
    DERIVED FROM    MemberOfCollection (see [CIMCORE])
    ABSTRACT        FALSE
    PROPERTIES      Collection [ref PeerIdentityTable[1..1]]
                    Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection
The property Collection is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityTable instance. The [1..1] cardinality indicates that a PeerIdentityEntry instance MUST be associated with one and only one PeerIdentityTable instance (i.e., PeerIdentityEntry instances are not shared across PeerIdentityTables).

8.8.2. The Reference Member
The property Member is inherited from MemberOfCollection and is overridden to refer to a PeerIdentityEntry instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway
The class IKEServicePeerGateway provides the association between an IKEService and the list of PeerGateway instances that it uses in negotiating with security gateways. The class definition for IKEServicePeerGateway is as follows:

    NAME            IKEServicePeerGateway
    DESCRIPTION     Associates an IKEService and the list of PeerGateway
                    instances that it uses in negotiating with security
                    gateways.
    DERIVED FROM    Dependency (see [CIMCORE])
    ABSTRACT        FALSE
    PROPERTIES      Antecedent [ref PeerGateway[0..n]]
                    Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerGateway instances.
8.9.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable
The class IKEServicePeerIdentityTable provides the relationship between an IKEService and a PeerIdentityTable that it uses to map between addresses and identities as required. The class definition for IKEServicePeerIdentityTable is as follows:

    NAME            IKEServicePeerIdentityTable
    DESCRIPTION     IKEServicePeerIdentityTable provides the relationship
                    between an IKEService and a PeerIdentityTable that it
                    uses.
    DERIVED FROM    Dependency (see [CIMCORE])
    ABSTRACT        FALSE
    PROPERTIES      Antecedent [ref PeerIdentityTable[0..n]]
                    Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a PeerIdentityTable instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a PeerIdentityTable instance may be associated with zero or more IKEService instances.

8.11. The Association Class IKEAutostartSetting
The class IKEAutostartSetting associates an AutostartIKESetting with an IKEService that may use it to automatically start an IKE negotiation or create a static SA. The class definition for IKEAutostartSetting is as follows:

    NAME            IKEAutostartSetting
    DESCRIPTION     Associates a AutostartIKESetting with an IKEService.
    DERIVED FROM    ElementSetting (see [CIMCORE])
    ABSTRACT        FALSE
    PROPERTIES      Element [ref IKEService[0..n]]
                    Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element
The property Element is inherited from ElementSetting and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates an AutostartIKESetting instance may be associated with zero or more IKEService instances.

8.11.2. The Reference Setting
The property Setting is inherited from ElementSetting and is overridden to refer to an AutostartIKESetting instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext
The class AutostartIKESettingContext aggregates the settings used to automatically start negotiations or create a static SA into a configuration set. The class definition for AutostartIKESettingContext is as follows:

    NAME            AutostartIKESettingContext
    DESCRIPTION     AutostartIKESettingContext aggregates the
                    AutostartIKESetting instances into a configuration
                    set.
    DERIVED FROM    SystemSettingContext (see [CIMCORE])
    ABSTRACT        FALSE
    PROPERTIES      Context [ref AutostartIKEConfiguration [0..n]]
                    Setting [ref AutostartIKESetting [0..n]]
                    SequenceNumber

8.12.1. The Reference Context
The property Context is inherited from SystemSettingContext and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an AutostartIKESetting instance may be associated with zero or more AutostartIKEConfiguration instances (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting
The property Setting is inherited from SystemSettingContext and is overridden to refer to an AutostartIKESetting instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more AutostartIKESetting instances.
8.12.3. The Property SequenceNumber
The property SequenceNumber specifies the ordering to be used when starting negotiations or creating a static SA. A zero value indicates that order is not significant and settings may be applied in parallel with other settings. All other settings in the configuration are executed in sequence from lower to higher values. Sequence numbers need not be unique in an AutostartIKEConfiguration and order is not significant for settings with the same sequence number. The property is defined as follows:

    NAME            SequenceNumber
    DESCRIPTION     The sequence in which the settings are applied
                    within a configuration set.
    SYNTAX          unsigned 16-bit integer

8.13. The Association Class IKEServiceForEndpoint
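As an added example of the SequenceNumber semantics (not code from the RFC), the following turns a configuration set into an execution plan: settings with sequence number 0 are reported separately because nothing constrains their order, and every other setting is grouped by sequence number into batches that run lowest first, with equal numbers sharing a batch. The (name, sequence number) tuple representation and the sample configuration set are assumptions made for this example.

```python
"""Worked example of AutostartIKESettingContext.SequenceNumber ordering.

Added illustration, not code from the RFC. Representing a setting as a
(name, sequence number) pair is an assumption made for this example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def autostart_schedule(
        settings: Iterable[Tuple[str, int]]) -> Tuple[List[str], List[List[str]]]:
    """Split a configuration set into (unordered, ordered_batches).

    unordered:       settings with SequenceNumber 0; they may be applied
                     in parallel with any other setting.
    ordered_batches: the remaining settings grouped by SequenceNumber,
                     lower values first. Settings in one batch share a
                     number and therefore have no ordering among
                     themselves, so a caller may run a batch in parallel
                     but must finish it before starting the next one.
    """
    unordered: List[str] = []
    by_seq: Dict[int, List[str]] = defaultdict(list)
    for name, seq in settings:
        if not 0 <= seq <= 0xFFFF:          # SYNTAX unsigned 16-bit integer
            raise ValueError(f"{name}: SequenceNumber {seq} out of range")
        if seq == 0:
            unordered.append(name)
        else:
            by_seq[seq].append(name)
    batches = [by_seq[seq] for seq in sorted(by_seq)]
    return unordered, batches


# Constructed sample configuration set (not from the RFC).
SAMPLE_SETTINGS = [
    ("static-sa-mgmt", 0),      # no ordering constraint at all
    ("ike-to-hq", 10),
    ("ike-to-logging", 5),      # executed before every 10
    ("ike-to-branch", 10),      # same number as ike-to-hq: order between them is free
]

if __name__ == "__main__":
    unordered, batches = autostart_schedule(SAMPLE_SETTINGS)
    print("parallel with everything:", unordered)
    for position, batch in enumerate(batches, 1):
        print(f"batch {position}:", batch)
```

Keeping the zero-numbered settings out of the batch list is deliberate: folding them into the first batch would impose an ordering (before everything else) that the property does not actually require.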
The class IKEServiceForEndpoint provides the association showing which IKE service, if any, provides IKE negotiation services for which network interfaces. The class definition for IKEServiceForEndpoint is as follows:

    NAME            IKEServiceForEndpoint
    DESCRIPTION     Associates an IPProtocolEndpoint with an IKEService
                    that provides negotiation services for the endpoint.
    DERIVED FROM    Dependency (see [CIMCORE])
    ABSTRACT        FALSE
    PROPERTIES      Antecedent [ref IKEService[0..1]]
                    Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..1] cardinality indicates that an IPProtocolEndpoint instance MUST be associated with at most one IKEService instance.

8.13.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to an IPProtocolEndpoint that is associated with at most one IKEService. The [0..n] cardinality indicates an IKEService instance may be associated with zero or more IPProtocolEndpoint instances.
8.14. The Association Class IKEAutostartConfiguration
The class IKEAutostartConfiguration provides the relationship between an IKEService and a configuration set that it uses to automatically start a set of SAs. The class definition for IKEAutostartConfiguration is as follows:

    NAME            IKEAutostartConfiguration
    DESCRIPTION     IKEAutostartConfiguration provides the relationship
                    between an IKEService and an AutostartIKEConfiguration
                    that it uses to automatically start a set of SAs.
    DERIVED FROM    Dependency (see [CIMCORE])
    ABSTRACT        FALSE
    PROPERTIES      Antecedent [ref AutostartIKEConfiguration [0..n]]
                    Dependent [ref IKEService [0..n]]
                    Active

8.14.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to an AutostartIKEConfiguration instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that an AutostartIKEConfiguration instance may be associated with zero or more IKEService instances.

8.14.3. The Property Active
The property Active indicates whether the AutostartIKEConfiguration set is currently active for the associated IKEService. That is, at boot time, the active configuration is used to automatically start IKE negotiations and create static SAs. The property is defined as follows:

    NAME            Active
    DESCRIPTION     Active indicates whether the AutostartIKEConfiguration
                    set is currently active for the associated IKEService.
    SYNTAX          boolean
    VALUE           true - AutostartIKEConfiguration is currently active
                    for associated IKEService.
                    false - AutostartIKEConfiguration is currently
                    inactive for associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService
The class IKEUsesCredentialManagementService defines the set of CredentialManagementService(s) that are trusted sources of credentials for IKE phase 1 negotiations. The class definition for IKEUsesCredentialManagementService is as follows:

    NAME            IKEUsesCredentialManagementService
    DESCRIPTION     Associates the set of CredentialManagementService(s)
                    that are trusted by the IKEService as sources of
                    credentials used in IKE phase 1 negotiations.
    DERIVED FROM    Dependency (see [CIMCORE])
    ABSTRACT        FALSE
    PROPERTIES      Antecedent [ref CredentialManagementService [0..n]]
                    Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an IKEService instance may be associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to an IKEService instance. The [0..n] cardinality indicates that a CredentialManagementService instance may be associated with zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity
The class EndpointHasLocalIKEIdentity associates an IPProtocolEndpoint with a set of IKEIdentity instances that may be used in negotiating security associations on the endpoint. An IKEIdentity MUST be associated with either an IPProtocolEndpoint using this association or with a collection of IKEIdentity instances using the CollectionHasLocalIKEIdentity association. The class definition for EndpointHasLocalIKEIdentity is as follows:
    NAME            EndpointHasLocalIKEIdentity
    DESCRIPTION     EndpointHasLocalIKEIdentity associates an
                    IPProtocolEndpoint with a set of IKEIdentity
                    instances.
    DERIVED FROM    ElementAsUser (see [CIMUSER])
    ABSTRACT        FALSE
    PROPERTIES      Antecedent [ref IPProtocolEndpoint [0..1]]
                    Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is overridden to refer to an IPProtocolEndpoint instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent
The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that an IPProtocolEndpoint instance may be associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity
The class CollectionHasLocalIKEIdentity associates a Collection of IPProtocolEndpoint instances with a set of IKEIdentity instances that may be used in negotiating SAs for endpoints in the collection. An IKEIdentity MUST be associated with either an IPProtocolEndpoint using the EndpointHasLocalIKEIdentity association or with a collection of IKEIdentity instances using this association. The class definition for CollectionHasLocalIKEIdentity is as follows:

    NAME            CollectionHasLocalIKEIdentity
    DESCRIPTION     CollectionHasLocalIKEIdentity associates a
                    collection of IPProtocolEndpoint instances with a
                    set of IKEIdentity instances.
    DERIVED FROM    ElementAsUser (see [CIMUSER])
    ABSTRACT        FALSE
    PROPERTIES      Antecedent [ref Collection [0..1]]
                    Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent
The property Antecedent is inherited from ElementAsUser and is overridden to refer to a Collection instance. The [0..1] cardinality indicates that an IKEIdentity instance MUST be associated with at most one Collection instance.
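The cardinalities in 8.13, 8.16 and 8.17 are constraints a policy repository can check before a configuration is pushed to an IKE service, and the following added example (not code from the RFC) does exactly that: every IKEIdentity must be reachable through EndpointHasLocalIKEIdentity or CollectionHasLocalIKEIdentity and through at most one instance of each ([0..1] on both Antecedent references), and an IPProtocolEndpoint may have at most one IKEService via IKEServiceForEndpoint ([0..1]). Representing each association instance as an (antecedent, dependent) name pair, the function name and the sample instance data are assumptions made for the example; the check that flags an identity bound both to an endpoint and to a collection is the stricter reading of "either ... or" and is commented as such.

```python
"""Worked example: checking the association cardinalities of sections
8.13, 8.16 and 8.17 over a set of model instances.

Added illustration, not code from the RFC. Association instances are
modelled as plain (antecedent, dependent) name pairs; that representation,
the function name and the sample data are assumptions for this example.
"""
from collections import Counter
from typing import Iterable, List, Tuple

Pair = Tuple[str, str]


def check_local_identity_associations(
        identities: Iterable[str],
        endpoint_has_identity: Iterable[Pair],    # (IPProtocolEndpoint, IKEIdentity)
        collection_has_identity: Iterable[Pair],  # (Collection, IKEIdentity)
        service_for_endpoint: Iterable[Pair],     # (IKEService, IPProtocolEndpoint)
) -> List[str]:
    """Return a list of violations; an empty list means the instances are valid."""
    violations: List[str] = []

    # EndpointHasLocalIKEIdentity.Antecedent [0..1] and
    # CollectionHasLocalIKEIdentity.Antecedent [0..1]: at most one of each.
    endpoints_per_identity = Counter(ident for _, ident in endpoint_has_identity)
    collections_per_identity = Counter(ident for _, ident in collection_has_identity)

    for ident in identities:
        n_ep = endpoints_per_identity[ident]
        n_coll = collections_per_identity[ident]
        if n_ep > 1:
            violations.append(f"{ident}: linked to {n_ep} endpoints (max 1)")
        if n_coll > 1:
            violations.append(f"{ident}: linked to {n_coll} collections (max 1)")
        # The identity MUST be associated through one of the two associations;
        # an unreachable identity can never be selected for a negotiation.
        if n_ep == 0 and n_coll == 0:
            violations.append(f"{ident}: not associated with an endpoint or collection")
        # Stricter reading of "either ... or" (assumption): not both at once.
        if n_ep and n_coll:
            violations.append(f"{ident}: bound to both an endpoint and a collection")

    # IKEServiceForEndpoint.Antecedent [0..1]: an endpoint has at most one IKEService.
    services_per_endpoint = Counter(ep for _, ep in service_for_endpoint)
    for ep, n in sorted(services_per_endpoint.items()):
        if n > 1:
            violations.append(f"{ep}: served by {n} IKEServices (max 1)")
    return violations


# Constructed sample instances (not from the RFC) containing three defects.
SAMPLE_IDENTITIES = ["id-hq", "id-orphan", "id-dup"]
SAMPLE_ENDPOINT_HAS_IDENTITY = [("eth0", "id-hq"), ("eth0", "id-dup"), ("eth1", "id-dup")]
SAMPLE_COLLECTION_HAS_IDENTITY: List[Pair] = []
SAMPLE_SERVICE_FOR_ENDPOINT = [("ike-svc-a", "eth0"), ("ike-svc-b", "eth0"),
                               ("ike-svc-a", "eth1")]

if __name__ == "__main__":
    for line in check_local_identity_associations(
            SAMPLE_IDENTITIES, SAMPLE_ENDPOINT_HAS_IDENTITY,
            SAMPLE_COLLECTION_HAS_IDENTITY, SAMPLE_SERVICE_FOR_ENDPOINT):
        print("violation:", line)
```

Running the sample reports the orphaned identity, the identity attached to two endpoints and the endpoint claimed by two IKEServices; a repository that rejects such instances avoids the ambiguous identity selection that 8.6.3 warns about.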
8.17.2. The Reference Dependent
The property Dependent is inherited from ElementAsUser and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Collection instance may be associated with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential
The class IKEIdentitysCredential is an association that relates a set of credentials to their corresponding local IKE Identities. The class definition for IKEIdentitysCredential is as follows:

    NAME            IKEIdentitysCredential
    DESCRIPTION     IKEIdentitysCredential associates a set of
                    credentials to their corresponding local IKEIdentity.
    DERIVED FROM    UsersCredential (see [CIMCORE])
    ABSTRACT        FALSE
    PROPERTIES      Antecedent [ref Credential [0..n]]
                    Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent
The property Antecedent is inherited from UsersCredential and is overridden to refer to a Credential instance. The [0..n] cardinality indicates that the IKEIdentity instance may be associated with zero or more Credential instances.

8.18.2. The Reference Dependent
The property Dependent is inherited from UsersCredential and is overridden to refer to an IKEIdentity instance. The [0..n] cardinality indicates that a Credential instance may be associated with zero or more IKEIdentity instances.