9. Implementation Requirements
The following table specifies which classes, properties, associations and aggregations MUST, SHOULD or MAY be implemented.

4. Policy Classes
   4.1. The Class SARule..........................................MUST
      4.1.1. The Property PolicyRuleName..............................MAY
      4.1.1. The Property Enabled....................................MUST
      4.1.1. The Property ConditionListType..........................MUST
      4.1.1. The Property RuleUsage...................................MAY
      4.1.1. The Property Mandatory...................................MAY
      4.1.1. The Property SequencedActions...........................MUST
      4.1.1. The Property PolicyRoles.................................MAY
      4.1.1. The Property PolicyDecisionStrategy......................MAY
      4.1.2. The Property ExecutionStrategy..........................MUST
      4.1.3. The Property LimitNegotiation............................MAY
   4.2. The Class IKERule.........................................MUST
      4.2.1. The Property IdentityContexts............................MAY
   4.3. The Class IPsecRule.......................................MUST
   4.4. The Association Class IPsecPolicyForEndpoint...............MAY
      4.4.1. The Reference Antecedent................................MUST
      4.4.2. The Reference Dependent.................................MUST
   4.5. The Association Class IPsecPolicyForSystem.................MAY
      4.5.1. The Reference Antecedent................................MUST
      4.5.2. The Reference Dependent.................................MUST
   4.6. The Aggregation Class SAConditionInRule...................MUST
      4.6.1. The Property GroupNumber..............................SHOULD
      4.6.1. The Property ConditionNegated.........................SHOULD
      4.6.2. The Reference GroupComponent............................MUST
      4.6.3. The Reference PartComponent.............................MUST
   4.7. The Aggregation Class PolicyActionInSARule................MUST
      4.7.1. The Reference GroupComponent............................MUST
      4.7.2. The Reference PartComponent.............................MUST
      4.7.3. The Property ActionOrder..............................SHOULD

5. Condition and Filter Classes
   5.1. The Class SACondition.....................................MUST
   5.2. The Class IPHeadersFilter...............................SHOULD
   5.3. The Class CredentialFilterEntry............................MAY
      5.3.1. The Property MatchFieldName.............................MUST
      5.3.2. The Property MatchFieldValue............................MUST
      5.3.3. The Property CredentialType.............................MUST
   5.4. The Class IPSOFilterEntry..................................MAY
      5.4.1. The Property MatchConditionType.........................MUST
      5.4.2. The Property MatchConditionValue........................MUST
   5.5. The Class PeerIDPayloadFilterEntry.........................MAY
      5.5.1. The Property MatchIdentityType..........................MUST
      5.5.2. The Property MatchIdentityValue.........................MUST
   5.6. The Association Class FilterOfSACondition...............SHOULD
      5.6.1. The Reference Antecedent................................MUST
      5.6.2. The Reference Dependent.................................MUST
   5.7. The Association Class AcceptCredentialFrom.................MAY
      5.7.1. The Reference Antecedent................................MUST
      5.7.2. The Reference Dependent.................................MUST

6. Action Classes
   6.1. The Class SAAction........................................MUST
      6.1.1. The Property DoActionLogging.............................MAY
      6.1.2. The Property DoPacketLogging.............................MAY
   6.2. The Class SAStaticAction..................................MUST
      6.2.1. The Property LifetimeSeconds............................MUST
   6.3. The Class IPsecBypassAction.............................SHOULD
   6.4. The Class IPsecDiscardAction............................SHOULD
   6.5. The Class IKERejectAction..................................MAY
   6.6. The Class PreconfiguredSAAction...........................MUST
      6.6.1. The Property LifetimeKilobytes..........................MUST
   6.7. The Class PreconfiguredTransportAction....................MUST
   6.8. The Class PreconfiguredTunnelAction.......................MUST
      6.8.1. The Property DFHandling.................................MUST
   6.9. The Class SANegotiationAction.............................MUST
   6.10. The Class IKENegotiationAction...........................MUST
      6.10.1. The Property MinLifetimeSeconds.........................MAY
      6.10.2. The Property MinLifetimeKilobytes.......................MAY
      6.10.3. The Property IdleDurationSeconds........................MAY
   6.11. The Class IPsecAction....................................MUST
      6.11.1. The Property UsePFS....................................MUST
      6.11.2. The Property UseIKEGroup................................MAY
      6.11.3. The Property GroupId...................................MUST
      6.11.4. The Property Granularity.............................SHOULD
      6.11.5. The Property VendorID...................................MAY
   6.12. The Class IPsecTransportAction...........................MUST
   6.13. The Class IPsecTunnelAction..............................MUST
      6.13.1. The Property DFHandling................................MUST
   6.14. The Class IKEAction......................................MUST
      6.14.1. The Property ExchangeMode..............................MUST
      6.14.2. The Property UseIKEIdentityType........................MUST
      6.14.3. The Property VendorID...................................MAY
      6.14.4. The Property AggressiveModeGroupId......................MAY
   6.15. The Class PeerGateway....................................MUST
      6.15.1. The Property Name....................................SHOULD
      6.15.2. The Property PeerIdentityType..........................MUST
      6.15.3. The Property PeerIdentity..............................MUST
   6.16. The Association Class PeerGatewayForTunnel...............MUST
      6.16.1. The Reference Antecedent...............................MUST
      6.16.2. The Reference Dependent................................MUST
      6.16.3. The Property SequenceNumber..........................SHOULD
   6.17. The Aggregation Class ContainedProposal..................MUST
      6.17.1. The Reference GroupComponent...........................MUST
      6.17.2. The Reference PartComponent............................MUST
      6.17.3. The Property SequenceNumber............................MUST
   6.18. The Association Class HostedPeerGatewayInformation........MAY
      6.18.1. The Reference Antecedent...............................MUST
      6.18.2. The Reference Dependent................................MUST
   6.19. The Association Class TransformOfPreconfiguredAction.....MUST
      6.19.1. The Reference Antecedent...............................MUST
      6.19.2. The Reference Dependent................................MUST
      6.19.3. The Property SPI.......................................MUST
      6.19.4. The Property Direction.................................MUST
   6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
      6.20.1. The Reference Antecedent...............................MUST
      6.20.2. The Reference Dependent................................MUST

7. Proposal and Transform Classes
   7.1. The Abstract Class SAProposal.............................MUST
      7.1.1. The Property Name.....................................SHOULD
   7.2. The Class IKEProposal.....................................MUST
      7.2.1. The Property CipherAlgorithm............................MUST
      7.2.2. The Property HashAlgorithm..............................MUST
      7.2.3. The Property PRFAlgorithm................................MAY
      7.2.4. The Property GroupId....................................MUST
      7.2.5. The Property AuthenticationMethod.......................MUST
      7.2.6. The Property MaxLifetimeSeconds.........................MUST
      7.2.7. The Property MaxLifetimeKilobytes.......................MUST
      7.2.8. The Property VendorID....................................MAY
   7.3. The Class IPsecProposal...................................MUST
   7.4. The Abstract Class SATransform............................MUST
      7.4.1. The Property TransformName............................SHOULD
      7.4.2. The Property VendorID....................................MAY
      7.4.3. The Property MaxLifetimeSeconds.........................MUST
      7.4.4. The Property MaxLifetimeKilobytes.......................MUST
   7.5. The Class AHTransform.....................................MUST
      7.5.1. The Property AHTransformId..............................MUST
      7.5.2. The Property UseReplayPrevention.........................MAY
      7.5.3. The Property ReplayPreventionWindowSize..................MAY
   7.6. The Class ESPTransform....................................MUST
      7.6.1. The Property IntegrityTransformId.......................MUST
      7.6.2. The Property CipherTransformId..........................MUST
      7.6.3. The Property CipherKeyLength.............................MAY
      7.6.4. The Property CipherKeyRounds.............................MAY
      7.6.5. The Property UseReplayPrevention.........................MAY
      7.6.6. The Property ReplayPreventionWindowSize..................MAY
   7.7. The Class IPCOMPTransform..................................MAY
      7.7.1. The Property Algorithm..................................MUST
      7.7.2. The Property DictionarySize..............................MAY
      7.7.3. The Property PrivateAlgorithm............................MAY
   7.8. The Association Class SAProposalInSystem...................MAY
      7.8.1. The Reference Antecedent................................MUST
      7.8.2. The Reference Dependent.................................MUST
   7.9. The Aggregation Class ContainedTransform..................MUST
      7.9.1. The Reference GroupComponent............................MUST
      7.9.2. The Reference PartComponent.............................MUST
      7.9.3. The Property SequenceNumber.............................MUST
   7.10. The Association Class SATransformInSystem.................MAY
      7.10.1. The Reference Antecedent...............................MUST
      7.10.2. The Reference Dependent................................MUST

8. IKE Service and Identity Classes
   8.1. The Class IKEService.......................................MAY
   8.2. The Class PeerIdentityTable................................MAY
      8.3.1. The Property Name.....................................SHOULD
   8.3. The Class PeerIdentityEntry................................MAY
      8.3.1. The Property PeerIdentity.............................SHOULD
      8.3.2. The Property PeerIdentityType.........................SHOULD
      8.3.3. The Property PeerAddress..............................SHOULD
      8.3.4. The Property PeerAddressType..........................SHOULD
   8.4. The Class AutostartIKEConfiguration........................MAY
   8.5. The Class AutostartIKESetting..............................MAY
      8.5.1. The Property Phase1Only..................................MAY
      8.5.2. The Property AddressType..............................SHOULD
      8.5.3. The Property SourceAddress..............................MUST
      8.5.4. The Property SourcePort.................................MUST
      8.5.5. The Property DestinationAddress.........................MUST
      8.5.6. The Property DestinationPort............................MUST
      8.5.7. The Property Protocol...................................MUST
   8.6. The Class IKEIdentity......................................MAY
      8.6.1. The Property IdentityType...............................MUST
      8.6.2. The Property IdentityValue..............................MUST
      8.6.3. The Property IdentityContexts............................MAY
   8.7. The Association Class HostedPeerIdentityTable..............MAY
      8.7.1. The Reference Antecedent................................MUST
      8.7.2. The Reference Dependent.................................MUST
   8.8. The Aggregation Class PeerIdentityMember...................MAY
      8.8.1. The Reference Collection................................MUST
      8.8.2. The Reference Member....................................MUST
   8.9. The Association Class IKEServicePeerGateway................MAY
      8.9.1. The Reference Antecedent................................MUST
      8.9.2. The Reference Dependent.................................MUST
   8.10. The Association Class IKEServicePeerIdentityTable.........MAY
      8.10.1. The Reference Antecedent...............................MUST
      8.10.2. The Reference Dependent................................MUST
   8.11. The Association Class IKEAutostartSetting.................MAY
      8.11.1. The Reference Element..................................MUST
      8.11.2. The Reference Setting..................................MUST
   8.12. The Aggregation Class AutostartIKESettingContext..........MAY
      8.12.1. The Reference Context..................................MUST
      8.12.2. The Reference Setting..................................MUST
      8.12.3. The Property SequenceNumber..........................SHOULD
   8.13. The Association Class IKEServiceForEndpoint...............MAY
      8.13.1. The Reference Antecedent...............................MUST
      8.13.2. The Reference Dependent................................MUST
   8.14. The Association Class IKEAutostartConfiguration...........MAY
      8.14.1. The Reference Antecedent...............................MUST
      8.14.2. The Reference Dependent................................MUST
      8.14.3. The Property Active..................................SHOULD
   8.15. The Association Class IKEUsesCredentialManagementService..MAY
      8.15.1. The Reference Antecedent...............................MUST
      8.15.2. The Reference Dependent................................MUST
   8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY
      8.16.1. The Reference Antecedent...............................MUST
      8.16.2. The Reference Dependent................................MUST
   8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY
      8.17.1. The Reference Antecedent...............................MUST
      8.17.2. The Reference Dependent................................MUST
   8.18. The Association Class IKEIdentitysCredential..............MAY
      8.18.1. The Reference Antecedent...............................MUST
      8.18.2. The Reference Dependent................................MUST

10. Security Considerations
This document only describes an information model for IPsec policy. It does not detail security requirements for the storage or delivery of that information. Physical models derived from this information model MUST implement the relevant security for storage and delivery. Most of the classes (e.g., IPHeadersFilter, SAAction, ...) MUST at least be provided with the integrity service; other pieces of information MUST also receive the confidentiality service (e.g., SharedSecret as described in the classes PeerIdentityEntry and PreconfiguredSAAction).

11. Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.
13. Disclaimer
The views and specification herein are those of the authors and are not necessarily those of their employer. The authors and their employer specifically disclaim responsibility for any problems arising from correct or incorrect implementation or use of this specification.

14. Acknowledgments
The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire, Vic Lortz, William Dixon, Man Li, Wes Hardaker and Ricky Charlet for their contributions to this IPsec policy model. Additionally, this document would not have been possible without the preceding IPsec schema documents. For that, thanks go out to Rob Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju Rajan.
15. Authors' Addresses
Jamie Jason
Intel Corporation
MS JF3-206
2111 NE 25th Ave.
Hillsboro, OR 97124
EMail: jamie.jason@intel.com

Lee Rafalow
IBM Corporation, BRQA/502
4205 So. Miami Blvd.
Research Triangle Park, NC 27709
EMail: rafalow@watson.ibm.com

Eric Vyncke
Cisco Systems
7 De Kleetlaan
B-1831 Diegem
Belgium
EMail: evyncke@cisco.com
16. Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.