summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3585.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc3585.txt')
-rw-r--r--doc/rfc/rfc3585.txt4931
1 files changed, 4931 insertions, 0 deletions
diff --git a/doc/rfc/rfc3585.txt b/doc/rfc/rfc3585.txt
new file mode 100644
index 0000000..1954a85
--- /dev/null
+++ b/doc/rfc/rfc3585.txt
@@ -0,0 +1,4931 @@
+
+
+
+
+
+
+Network Working Group J. Jason
+Request for Comments: 3585 Intel Corporation
+Category: Standards Track L. Rafalow
+ IBM
+ E. Vyncke
+ Cisco Systems
+ August 2003
+
+
+ IPsec Configuration Policy Information Model
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document presents an object-oriented information model of IP
+ Security (IPsec) policy designed to facilitate agreement about the
+ content and semantics of IPsec policy, and enable derivations of
+ task-specific representations of IPsec policy such as storage schema,
+ distribution representations, and policy specification languages used
+ to configure IPsec-enabled endpoints. The information model
+ described in this document models the configuration parameters
+ defined by IPSec. The information model also covers the parameters
+ found by the Internet Key Exchange protocol (IKE). Other key
+ exchange protocols could easily be added to the information model by
+ a simple extension. Further extensions can further be added easily
+ due to the object-oriented nature of the model.
+
+ This information model is based upon the core policy classes as
+ defined in the Policy Core Information Model (PCIM) and in the Policy
+ Core Information Model Extensions (PCIMe).
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 1]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+Table of Contents
+
+ 1. Introduction.................................................. 3
+ 2. UML Conventions............................................... 4
+ 3. IPsec Policy Model Inheritance Hierarchy...................... 6
+ 4. Policy Classes................................................ 11
+ 4.1. The Class SARule........................................ 13
+ 4.2. The Class IKERule....................................... 17
+ 4.3. The Class IPsecRule..................................... 18
+ 4.4. The Association Class IPsecPolicyForEndpoint............ 18
+ 4.5. The Association Class IPsecPolicyForSystem.............. 19
+ 4.6. The Aggregation Class SAConditionInRule................. 19
+ 4.7. The Aggregation Class PolicyActionInSARule.............. 20
+ 5. Condition and Filter Classes.................................. 22
+ 5.1. The Class SACondition................................... 23
+ 5.2. The Class IPHeadersFilter............................... 23
+ 5.3. The Class CredentialFilterEntry......................... 23
+ 5.4. The Class IPSOFilterEntry............................... 25
+ 5.5. The Class PeerIDPayloadFilterEntry...................... 26
+ 5.6. The Association Class FilterOfSACondition............... 28
+ 5.7. The Association Class AcceptCredentialFrom.............. 29
+ 6. Action Classes................................................ 30
+ 6.1. The Class SAAction...................................... 32
+ 6.2. The Class SAStaticAction................................ 33
+ 6.3. The Class IPsecBypassAction............................. 34
+ 6.4. The Class IPsecDiscardAction............................ 34
+ 6.5. The Class IKERejectAction............................... 35
+ 6.6. The Class PreconfiguredSAAction......................... 35
+ 6.7. The Class PreconfiguredTransportAction.................. 36
+ 6.8. The Class PreconfiguredTunnelAction..................... 37
+ 6.9. The Class SANegotiationAction........................... 37
+ 6.10. The Class IKENegotiationAction.......................... 38
+ 6.11. The Class IPsecAction................................... 39
+ 6.12. The Class IPsecTransportAction.......................... 41
+ 6.13. The Class IPsecTunnelAction............................. 42
+ 6.14. The Class IKEAction..................................... 42
+ 6.15. The Class PeerGateway................................... 44
+ 6.16. The Association Class PeerGatewayForTunnel.............. 45
+ 6.17. The Aggregation Class ContainedProposal................. 46
+ 6.18. The Association Class HostedPeerGatewayInformation...... 47
+ 6.19. The Association Class TransformOfPreconfiguredAction.... 48
+ 6.20 The Association Class PeerGatewayForPreconfiguredTunnel. 49
+ 7. Proposal and Transform Classes................................ 50
+ 7.1. The Abstract Class SAProposal........................... 50
+ 7.2. The Class IKEProposal................................... 51
+ 7.3. The Class IPsecProposal................................. 54
+ 7.4. The Abstract Class SATransform.......................... 54
+ 7.5. The Class AHTransform................................... 56
+
+
+
+Jason, et al. Standards Track [Page 2]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ 7.6. The Class ESPTransform.................................. 57
+ 7.7. The Class IPCOMPTransform............................... 59
+ 7.8. The Association Class SAProposalInSystem................ 60
+ 7.9. The Aggregation Class ContainedTransform................ 60
+ 7.10. The Association Class SATransformInSystem............... 62
+ 8. IKE Service and Identity Classes.............................. 63
+ 8.1. The Class IKEService.................................... 64
+ 8.2. The Class PeerIdentityTable............................. 64
+ 8.3. The Class PeerIdentityEntry............................. 65
+ 8.4. The Class AutostartIKEConfiguration..................... 66
+ 8.5. The Class AutostartIKESetting........................... 67
+ 8.6. The Class IKEIdentity................................... 69
+ 8.7. The Association Class HostedPeerIdentityTable........... 71
+ 8.8. The Aggregation Class PeerIdentityMember................ 71
+ 8.9. The Association Class IKEServicePeerGateway............. 72
+ 8.10. The Association Class IKEServicePeerIdentityTable....... 73
+ 8.11. The Association Class IKEAutostartSetting............... 73
+ 8.12. The Aggregation Class AutostartIKESettingContext........ 74
+ 8.13. The Association Class IKEServiceForEndpoint............. 75
+ 8.14. The Association Class IKEAutostartConfiguration......... 76
+ 8.15. The Association Class IKEUsesCredentialManagementService 77
+ 8.16. The Association Class EndpointHasLocalIKEIdentity....... 77
+ 8.17. The Association Class CollectionHasLocalIKEIdentity..... 78
+ 8.18. The Association Class IKEIdentitysCredential............ 79
+ 9. Implementation Requirements................................... 79
+ 10. Security Considerations....................................... 84
+ 11. Intellectual Property Statement............................... 84
+ 12. References ................................................... 85
+ 12.1. Normative References.................................... 85
+ 12.2. Informative References.................................. 86
+ 13. Disclaimer.................................................... 86
+ 14. Acknowledgments............................................... 86
+ 15. Authors' Addresses............................................ 87
+ 16. Full Copyright Statement...................................... 88
+
+1. Introduction
+
+ IP security (IPsec) policy may assume a variety of forms as it
+ travels from storage, to distribution, to decision points. At each
+ step, it needs to be represented in a way that is convenient for the
+ current task. For example, the policy could exist as, but is not
+ limited to:
+
+ o A Lightweight Directory Access Protocol (LDAP) [LDAP] schema in a
+ directory.
+
+ o An on-the-wire representation over a transport protocol like the
+ Common Object Policy Service (COPS) [COPS, COPSPR].
+
+
+
+Jason, et al. Standards Track [Page 3]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ o A text-based policy specification language suitable for editing by
+ an administrator.
+
+ o An Extensible Markup Language (XML) document.
+
+ Each of these task-specific representations should be derived from a
+ canonical representation that precisely specifies the content and
+ semantics of the IPsec policy. This document captures this concept
+ and introduces a task-independent canonical representation for IPsec
+ policies.
+
+ This document focuses mainly on the existing protocols [COMP, ESP,
+ AH, DOI, IKE]. The model can easily be extended if needed due to its
+ object-oriented nature.
+
+ This document is organized as follows:
+
+ o Section 2 provides a quick introduction to the Unified Modeling
+ Language (UML) graphical notation conventions used in this
+ document.
+
+ o Section 3 provides the inheritance hierarchy that describes where
+ the IPsec policy classes fit into the policy class hierarchy
+ already defined by the Policy Core Information Model (PCIM) and
+ Policy Core Information Model Extensions (PCIMe).
+
+ o Sections 4 through 8 describe the classes that make up the IPsec
+ policy model.
+
+ o Section 9 presents the implementation requirements for the classes
+ in the model (i.e., the MUST/MAY/SHOULD status).
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [KEYWORDS].
+
+2. UML Conventions
+
+ For this document, a UML static class diagram was chosen as the
+ canonical representation for the IPsec policy model, because UML
+ provides a graphical, task-independent way to model systems. A
+ treatise on the graphical notation used in UML is beyond the scope of
+ this paper. However, given the use of ASCII drawing for UML static
+ class diagrams, a description of the notational conventions used in
+ this document is in order:
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 4]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ o Boxes represent classes, with class names in brackets ([])
+ representing an abstract class.
+
+ o A line that terminates with an arrow (<, >, ^, v) denotes
+ inheritance. The arrow always points to the parent class.
+ Inheritance can also be called generalization or specialization
+ (depending upon the reference point). A base class is a
+ generalization of a derived class, and a derived class is a
+ specialization of a base class.
+
+ o Associations are used to model a relationship between two classes.
+ Classes that share an association are connected using a line. A
+ special kind of association is also used: an aggregation. An
+ aggregation models a whole-part relationship between two classes.
+ Associations, and therefore aggregations, are also modeled as
+ classes.
+
+ o A line that begins with an "o" denotes aggregation. Aggregation
+ denotes containment in which the contained class and the
+ containing class have independent lifetimes.
+
+ o At each end of a line representing an association appears a
+ cardinality (i.e., each association has 2 cardinalities).
+ Cardinalities indicate the constraints on the number of object
+ instances in a set of relationships. The cardinality on a given
+ end of an association indicates the number of different object
+ instances of that class that may be associated with a single
+ object instance of the class on the other end of the association.
+ The cardinality may be:
+
+ - a range in the form "lower bound..upper bound" indicating the
+ minimum and maximum number of objects.
+
+ - a number that indicates the exact number of objects.
+
+ - an asterisk indicating any number of objects, including zero.
+ An asterisk is shorthand for 0..n.
+
+ - the letter n indicating from 1 to many. The letter n is
+ shorthand for 1..n.
+
+ o A class that has an association may have a "w" next to the line
+ representing the association. This is called a weak association
+ and is discussed in [PCIM].
+
+ It should be noted that the UML static class diagram presented is a
+ conceptual view of IPsec policy designed to aid in understanding. It
+ does not necessarily get translated class for class into another
+
+
+
+Jason, et al. Standards Track [Page 5]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ representation. For example, an LDAP implementation may flatten out
+ the representation to fewer classes (because of the inefficiency of
+ following references).
+
+3. IPsec Policy Model Inheritance Hierarchy
+
+ Like PCIM and PCIMe, the IPsec Configuration Policy Model derives
+ from and uses classes defined in the DMTF [DMTF] Common Information
+ Model (CIM). The following tree represents the inheritance hierarchy
+ for the IPsec Policy Model classes and how they fit into PCIM, PCIMe
+ and the other DMTF models (see Appendices for descriptions of classes
+ that are not being introduced as part of IPsec model). CIM classes
+ that are not used as a superclass to derive new classes, but are used
+ only as references, are not included in this inheritance hierarchy,
+ but can be found in the appropriate DMTF document: Core Model
+ [CIMCORE], User Model [CIMUSER] or, Network Model [CIMNETWORK].
+
+ ManagedElement (DMTF Core Model)
+ |
+ +--Collection (DMTF Core Model)
+ | |
+ | +--PeerIdentityTable
+ |
+ +--ManagedSystemElement (DMTF Core Model)
+ | |
+ | +--LogicalElement (DMTF Core Model)
+ | |
+ | +--FilterEntryBase (DMTF Network Model)
+ | | |
+ | | +--CredentialFilterEntry
+ | | |
+ | | +--IPHeadersFilter (PCIMe)
+ | | |
+ | | +--IPSOFilterEntry
+ | | |
+ | | +--PeerIDPayloadFilterEntry
+ | |
+ | +--PeerGateway
+ | |
+ | +--PeerIdentityEntry
+ | |
+ | +--Service (DMTF Core Model)
+ | |
+ | +--IKEService
+ |
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 6]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ +--OrganizationalEntity (DMTF User Model)
+ | |
+ | +--UserEntity (DMTF User Model)
+ | |
+ | +--UsersAccess (DMTF User Model)
+ | |
+ | +--IKEIdentity
+ |
+ +--Policy (PCIM)
+ | |
+ | +--PolicyAction (PCIM)
+ | | |
+ | | +--CompoundPolicyAction (PCIMe)
+ | | |
+ | | +--SAAction
+ | | |
+ | | +--SANegotiationAction
+ | | | |
+ | | | +--IKENegotiationAction
+ | | | |
+ | | | +--IKEAction
+ | | | |
+ | | | +--IPsecAction
+ | | | |
+ | | | +--IPsecTransportAction
+ | | | |
+ | | | +--IPsecTunnelAction
+ | | |
+ | | +--SAStaticAction
+ | | |
+ | | +--IKERejectAction
+ | | |
+ | | +--IPsecBypassAction
+ | | |
+ | | +--IPsecDiscardAction
+ | | |
+ | | +--PreconfiguredSAAction
+ | | |
+ | | +--PreconfiguredTransportAction
+ | | |
+ | | +--PreconfiguredTunnelAction
+ | |
+ | +--PolicyCondition (PCIM)
+ | | |
+ | | +--SACondition
+ | |
+ | +--PolicySet (PCIMe)
+ | | |
+
+
+
+Jason, et al. Standards Track [Page 7]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ | | +--PolicyGroup (PCIM & PCIMe)
+ | | |
+ | | +--PolicyRule (PCIM & PCIMe)
+ | | |
+ | | +--SARule
+ | | |
+ | | +--IKERule
+ | | |
+ | | +--IPsecRule
+ | |
+ | +--SAProposal
+ | | |
+ | | +--IKEProposal
+ | | |
+ | | +--IPsecProposal
+ | |
+ | +--SATransform
+ | |
+ | +--AHTransform
+ | |
+ | +--ESPTransform
+ | |
+ | +--IPCOMPTransform
+ |
+ +--Setting (DMTF Core Model)
+ | |
+ | +--SystemSetting (DMTF Core Model)
+ | |
+ | +--AutostartIKESetting
+ |
+ +--SystemConfiguration (DMTF Core Model)
+ |
+ +--AutostartIKEConfiguration
+
+ The following tree represents the inheritance hierarchy of the IPsec
+ policy model association classes and how they fit into PCIM and the
+ other DMTF models (see Appendices for description of association
+ classes that are not being introduced as part of IPsec model).
+
+ Dependency (DMTF Core Model)
+ |
+ +--AcceptCredentialsFrom
+ |
+ +--ElementAsUser (DMTF User Model)
+ | |
+ | +--EndpointHasLocalIKEIdentity
+ | |
+ | +--CollectionHasLocalIKEIdentity
+
+
+
+Jason, et al. Standards Track [Page 8]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ |
+ +--FilterOfSACondition
+ |
+ +--HostedPeerGatewayInformation
+ |
+ +--HostedPeerIdentityTable
+ |
+ +--IKEAutostartConfiguration
+ |
+ +--IKEServiceForEndpoint
+ |
+ +--IKEServicePeerGateway
+ |
+ +--IKEServicePeerIdentityTable
+ |
+ +--IKEUsesCredentialManagementService
+ |
+ +--IPsecPolicyForEndpoint
+ |
+ +--IPsecPolicyForSystem
+ |
+ +--PeerGatewayForPreconfiguredTunnel
+ |
+ +--PeerGatewayForTunnel
+ |
+ +--PolicyInSystem (PCIM)
+ | |
+ | +--SAProposalInSystem
+ | |
+ | +--SATransformInSystem
+ |
+ +--TransformOfPreconfiguredAction
+ |
+ +--UsersCredential (DMTF User Model)
+ |
+ +--IKEIdentitysCredential
+
+ ElementSetting (DMTF Core Model)
+ |
+ +--IKEAutostartSetting
+
+ MemberOfCollection (DMTF Core Model)
+ |
+ +--PeerIdentityMember
+
+ PolicyComponent (PCIM)
+ |
+
+
+
+
+Jason, et al. Standards Track [Page 9]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ +--ContainedProposal
+ |
+ +--ContainedTransform
+ |
+ +--PolicyActionStructure (PCIMe)
+ | |
+ | +--PolicyActionInPolicyRule (PCIM & PCIMe)
+ | |
+ | +--PolicyActionInSARule
+ |
+ +--PolicyConditionStructure (PCIMe)
+ | |
+ | +--PolicyConditionInPolicyRule (PCIM & PCIMe)
+ | |
+ | +--SAConditionInRule
+ |
+ +--PolicySetComponent (PCIMe)
+
+ SystemSettingContext (DMTF Core Model)
+ |
+ +--AutostartIKESettingContext
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 10]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+4. Policy Classes
+
+ The IPsec policy classes represent the set of policies that are
+ contained on a system.
+
+ +--------------+
+ | [PolicySet] |*
+ | ([PCIME]) |o--+
+ +--------------+ |
+ ^ *| |(a)
+ | +------+
+ +--------------------------+
+ | |
+ +-------------+ +--------------+
+ | PolicyGroup |0..1 | PolicyRule |*
+ | ([PCIM]) |-----+ | ([PCIM]) |o--+
+ +-------------+ | +--------------+ |(d)
+ 0..1| | ^ |
+ |(b) | | |*
+ *| | | +---------------------------+
+ +--------------------+ |(c) | | PolicyTimePeriodCondition |
+ | IPProtocolEndpoint | | | | ([PCIM]) |
+ | ([CIMNETWORK]) | | | +---------------------------+
+ +--------------------+ | |
+ +------------+ | *+----------+*
+ | System |----+ +-o| SARule |o-------+
+ | ([CIMCORE])|* | +----------+ |(f)
+ +------------+ | ^ |
+ (e)| | |n
+ +-------------+n | | +--------------+
+ | SACondition |--------+ | |[PolicyAction]|
+ +-------------+ | | ([PCIM]) |
+ | +--------------+
+ | *| ^
+ | |(g) |
+ | | +-------+
+ | *o | |
+ | +----------------------+ |
+ | | CompoundPolicyAction | |
+ | | ([PCIME]) | |
+ | +----------------------+ |
+ | |
+ +---------+----+ +---------+
+ | | |
+ +---------+ +-----------+ +----------+
+ | IKERule | | IPsecRule | | SAAction |
+ +---------+ +-----------+ +----------+
+
+
+
+
+Jason, et al. Standards Track [Page 11]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ (a) PolicySetComponent ([PCIME])
+ (b) IPsecPolicyForEndpoint
+ (c) IPsecPolicyForSystem
+ (d) PolicyRuleValidityPeriod ([PCIM])
+ (e) SAConditionInRule
+ (f) PolicyActionInSARule
+ (g) PolicyActionInPolicyAction ([PCIME])
+
+ A PolicyGroup represents the set of policies that are used on an
+ interface. This PolicyGroup SHOULD be associated either directly
+ with the IPProtocolEndpoint class instance that represents the
+ interface (via the IPsecPolicyForEndpoint association) or indirectly
+ (via the IPsecPolicyForSystem association) associated with the System
+ that hosts the interface.
+
+ The IKE and IPsec rules are used to build or to negotiate the IPsec
+ Security Association Database (SADB). The IPsec rules represent the
+ Security Policy Database. The SADB itself is not modeled by this
+ document.
+
+ The IKE and IPsec rules can be described as (also see section 6 about
+ actions):
+
+ o An egress unprotected packet will first be checked against the
+ IPsec rules. If a match is found, the SADB will be checked. If
+ there is no corresponding IPsec SA in the SADB, and if IKE
+ negotiation is required by the IPsec rule, the corresponding IKE
+ rules will be used. The negotiated or preconfigured SA will then
+ be installed in the SADB.
+
+ o An ingress unprotected packet will first be checked against the
+ IPsec rules. If a match is found, the SADB will be checked for a
+ corresponding IPsec SA. If there is no corresponding IPsec SA and
+ a preconfigured SA exists, this preconfigured SA will be installed
+ in the IPsec SADB. This behavior should only apply to bypass and
+ discard actions.
+
+ o An ingress protected packet will first be checked against the
+ IPsec rules. If a match is found, the SADB will be checked for a
+ corresponding IPsec SA. If there is no corresponding IPsec SA and
+ a preconfigured SA exists, this preconfigured SA will be installed
+ in the IPsec SADB.
+
+ o An ingress IKE negotiation packet, which is not part of an
+ existing IKE SA, will be checked against the IKE rules. The
+ SACondition for the IKERule will usually be composed of a
+ PeerIDPayloadFilterEntry (typically for an aggressive mode IKE
+
+
+
+
+Jason, et al. Standards Track [Page 12]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ negotiation) or an IPHeadersFilter. The negotiated SA will then
+ be installed in the SADB.
+
+ It is expected that when an IKE negotiation is required to be
+ initiated by an IPsec rule, the set of IKE rules will be checked.
+ The IKE rules check will be based on the outgoing IKE packet using
+ IPHeadersFilter entries (typically using the HdrDstAddress property).
+
+4.1. The Class SARule
+
+ The class SARule serves as a base class for IKERule and IPsecRule.
+ Even though the class is concrete, it MUST not be instantiated. It
+ defines a common connection point for associations to conditions and
+ actions for both types of rules. Through its derivation from
+ PolicyRule, an SARule (and therefore IKERule and IPsecRule) also has
+ the PolicyRuleValidityPeriod association.
+
+ Each SARule in a valid PolicyGroup MUST have a unique associated
+ priority number in the PolicySetComponent.Priority. The class
+ definition for SARule is as follows:
+
+ NAME SARule
+ DESCRIPTION A base class for IKERule and IPsecRule.
+ DERIVED FROM PolicyRule (see [PCIM] & [PCIME])
+ ABSTRACT FALSE
+ PROPERTIES PolicyRuleName (from PolicyRule)
+ Enabled (from PolicyRule)
+ ConditionListType (from PolicyRule)
+ RuleUsage (from PolicyRule)
+ Mandatory (from PolicyRule)
+ SequencedActions (from PolicyRule)
+ ExecutionStrategy (from PolicyRule)
+ PolicyRoles (from PolicySet)
+ PolicyDecisionStrategy (from PolicySet)
+ LimitNegotiation
+
+4.1.1. The Properties PolicyRuleName, Enabled, ConditionListType,
+ RuleUsage, Mandatory, SequencedActions, PolicyRoles, and
+ PolicyDecisionStrategy
+
+ For a description of these properties, see [PCIM] and [PCIME].
+
+ In SARule subclass instances:
+
+ - if the property Mandatory exists, it MUST be set to "true".
+
+ - if the property SequencedActions exists, it MUST be set to
+ "mandatory".
+
+
+
+Jason, et al. Standards Track [Page 13]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ - the property PolicyRoles is not used in the device-level model.
+
+ - if the property PolicyDecisionStrategy exists, it must be set to
+ "FirstMatching".
+
+4.1.2. The Property ExecutionStrategy
+
+ The ExecutionStrategy properties in the PolicyRule subclasses (and in
+ the CompoundPolicyAction class) determine the behavior of the
+ contained actions. It defines the strategy to be used in executing
+ the sequenced actions aggregated by a rule or a compound action. In
+ the case of actions within a rule, the PolicyActionInSARule
+ aggregation is used to collect the actions into an ordered set; in
+ the case of a compound action, the PolicyActionInPolicyAction
+ aggregation is used to collect the actions into an ordered subset.
+
+ There are three execution strategies: do until success, do all, and
+ do until failure.
+
+ "Do Until Success" causes the execution of actions according to the
+ ActionOrder property in the aggregation instances until a successful
+ execution of a single action. These actions may be evaluated to
+ determine if they are appropriate to execute rather than blindly
+ trying each of the actions until one succeeds. For an initiator,
+ they are tried in the ActionOrder until the list is exhausted or one
+ completes successfully. For example, an IKE initiator may have
+ several IKEActions for the same SACondition. The initiator will try
+ all IKEActions in the order defined by ActionOrder. I.e., it will
+ possibly try several phase 1 negotiations with different modes (main
+ mode then aggressive mode) and/or with multiple IKE peers. For a
+ responder, when there is more than one action in the rule with "do
+ until success" condition clause, this provides alternative actions
+ depending on the received proposals. For example, the same IKERule
+ may be used to handle aggressive mode and main mode negotiations with
+ different actions. The responder uses the first appropriate action
+ in the list of actions.
+
+ "Do All" causes the execution of all the actions in the aggregated
+ set according to their defined order. The execution continues
+ regardless of failures.
+
+ "Do Until Failure" causes the execution of all actions according to a
+ predefined order until the first failure in execution of an action
+ instance. Please note that if all actions are successful, then the
+ aggregated result is a failure. This execution strategy is inherited
+ from [PCIME] and is not expected to be of any use for IPsec
+ configuration.
+
+
+
+
+Jason, et al. Standards Track [Page 14]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ For example, in a nested SAs case, the actions of an initiator's rule
+ might be structured as:
+
+ IPsecRule.ExecutionStrategy='Do All'
+ |
+ +---1--- IPsecTunnelAction // set up SA from host to gateway
+ |
+ +---2--- IPsecTransportAction // set up SA from host through
+ // tunnel to remote host
+
+ Another example, showing a rule with fallback actions might be
+ structured as:
+
+ IPsecRule.ExecutionStrategy='Do Until Success'
+ |
+ +---6--- IPsecTransportAction // negotiate SA with peer
+ |
+ +---9--- IPsecBypassAction // but if you must, allow in the clear
+
+ The CompoundPolicyAction class (See [PCIME]) may be used in
+ constructing the actions of IKE and IPsec rules when those rules
+ specify both multiple actions and fallback actions. The
+ ExecutionStrategy property in CompoundPolicyAction is used in
+ conjunction with that in the PolicyRule.
+
+ For example, in nesting SAs with a fallback security gateway, the
+ actions of a rule might be structured as:
+
+ IPsecRule.ExecutionStrategy='Do All'
+ |
+ +---1--- CompoundPolicyAction.ExecutionStrategy='Do Until Success'
+ | |
+ | +---1--- IPsecTunnelAction // set up SA from host to
+ | | // gateway1
+ | |
+ | +---2--- IPsecTunnelAction // or set up SA to gateway2
+ |
+ +---2--- IPsecTransportAction // then set up SA from host
+ // through tunnel to remote
+ // host
+
+ In the case of "Do All", a couple of actions can be executed
+ successfully before a subsequent action fails. In this case, some
+ IKE or IPsec actions may have resulted in SAs creation. Even if the
+ net effect of the aggregated actions is failure, those created SAs
+ MAY be kept or MAY be deleted.
+
+
+
+
+
+Jason, et al. Standards Track [Page 15]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ In the case of "Do All", the IPsec selectors to be used during IPsec
+ SA negotiation are:
+
+ - for the last IPsecAction of the aggregation (i.e., usually the
+ innermost IPsec SA): this is the combination of the
+ IPHeadersFilter class and of the Granularity property of the
+ IPsecAction.
+
+ - for all other IPsecActions of the aggregation: the selector is the
+ source IP address which is the local IP address, and the
+ destination IP address is the PeerGateway IP address of the
+ following IPsecAction of the "Do All" aggregation. NB: the
+ granularity is IP address to IP address.
+
+ If the above behavior is not desirable, the alternative is to define
+ several SARules, one for each IPsec SA to be built. This will allow
+ the definition of specific IPsec selectors for all IPsecActions.
+
+4.1.3 The Property LimitNegotiation
+
+ The property LimitNegotiation is used as part of processing either an
+ IKE or an IPsec rule.
+
+ Before proceeding with a phase 1 negotiation, this property is
+ checked to determine whether the negotiation role of the rule matches
+ that defined for the negotiation being undertaken (e.g., Initiator,
+ Responder, or Both). If this check fails (e.g., the current role is
+ IKE responder, while the rule specifies IKE initiator), then the IKE
+ negotiation is stopped. Note that this only applies to new IKE phase
+ 1 negotiations and has no effect on either renegotiation or refresh
+ operations with peers for which an established SA already exists.
+
+ Before proceeding with a phase 2 negotiation, the LimitNegotiation
+ property of the IPsecRule is first checked to determine if the
+ negotiation role indicated for the rule matches that of the current
+ negotiation (Initiator, Responder, or Either). Note that this limit
+ applies only to new phase 2 negotiations. It is ignored when an
+ attempt is made to refresh an expiring SA (either side can initiate a
+ refresh operation). The IKE system can determine that the
+ negotiation is a refresh operation by checking to see if the selector
+ information matches that of an existing SA. If LimitNegotiation does
+ not match and the selector corresponds to a new SA, the negotiation
+ is stopped.
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 16]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ The property is defined as follows:
+
+ NAME LimitNegotiation
+ DESCRIPTION Limits the role to be undertaken during negotiation.
+ SYNTAX unsigned 16-bit integer
+ VALUE 1 - initiator-only
+ 2 - responder-only
+ 3 - both
+
+4.2. The Class IKERule
+
+ The class IKERule associates Conditions and Actions for IKE phase 1
+ negotiations. The class definition for IKERule is as follows:
+
+ NAME IKERule
+ DESCRIPTION Associates Conditions and Actions for IKE phase 1
+ negotiations.
+ DERIVED FROM SARule
+ ABSTRACT FALSE
+ PROPERTIES same as SARule, plus
+ IdentityContexts
+
+4.2.1. The Property IdentityContexts
+
+ The IKE service of a security endpoint may have multiple identities
+ for use in different situations. The combination of the interface
+ (represented by the IPProtocolEndpoint or by a collection of
+ IPProtocolEndpoints), the identity type (as specified in the
+ IKEAction), and the IdentityContexts specifies a unique identity.
+
+ The IdentityContexts property specifies the context to select the
+ relevant IKE identity to be used during the further IKEAction. A
+ context may be a VPN name or other identifier for selecting the
+ appropriate identity for use on the protected IPProtocolEndpoint (or
+ collection of IPProtocolEndpoints).
+
+ IdentityContexts is an array of strings. The multiple values in the
+ array are logically ORed together in evaluating the IdentityContexts.
+ Each value in the array may be the composition of multiple context
+ names. So, a single value may be a single context name (e.g.,
+ "CompanyXVPN"), or it may be combination of contexts. When an array
+ value is a composition, the individual values are logically ANDed
+ together for evaluation purposes and the syntax is:
+
+ <ContextName>[&&<ContextName>]*
+
+ where the individual context names appear in alphabetical order
+ (according to the collating sequence for UCS-2). So, for example,
+
+
+
+Jason, et al. Standards Track [Page 17]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ the values "CompanyXVPN", "CompanyYVPN&&TopSecret",
+ "CompanyZVPN&&Confidential" means that, for the appropriate
+ IPProtocolEndpoint and IdentityType, the contexts are matched if the
+ identity specifies "CompanyXVPN", "CompanyYVPN&&TopSecret", or
+ "CompanyZVPN&&Confidential".
+
+ The property is defined as follows:
+
+ NAME IdentityContexts
+ DESCRIPTION Specifies the context in which to select the IKE
+ identity.
+ SYNTAX string array
+
+4.3. The Class IPsecRule
+
+ The class IPsecRule associates Conditions and Actions for IKE phase 2
+ negotiations for the IPsec DOI. The class definition for IPsecRule
+ is as follows:
+
+ NAME IPsecRule
+ DESCRIPTION Associates Conditions and Actions for IKE phase 2
+ negotiations for the IPsec DOI.
+ DERIVED FROM SARule
+ ABSTRACT FALSE
+ PROPERTIES same as SARule
+
+4.4. The Association Class IPsecPolicyForEndpoint
+
+ The class IPsecPolicyForEndpoint associates a PolicyGroup with a
+ specific network interface. If an IPProtocolEndpoint of a system
+ does not have an IPsecPolicyForEndpoint-associated PolicyGroup, then
+ the IPsecPolicyForSystem associated PolicyGroup is used for that
+ endpoint. The class definition for IPsecPolicyForEndpoint is as
+ follows:
+
+ NAME IPsecPolicyForEndpoint
+ DESCRIPTION Associates a policy group to a network interface.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref IPProtocolEndpoint[0..n]]
+ Dependent[ref PolicyGroup[0..1]]
+
+4.4.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to an IPProtocolEndpoint instance. The [0..n]
+ cardinality indicates that a PolicyGroup instance may be associated
+ with zero or more IPProtocolEndpoint instances.
+
+
+
+Jason, et al. Standards Track [Page 18]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+4.4.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to a PolicyGroup instance. The [0..1] cardinality indicates
+ that an IPProtocolEndpoint instance may have an association to at
+ most one PolicyGroup instance.
+
+4.5. The Association Class IPsecPolicyForSystem
+
+ The class IPsecPolicyForSystem associates a PolicyGroup with a
+ specific system. If an IPProtocolEndpoint of a system does not have
+ an IPsecPolicyForEndpoint-associated PolicyGroup, then the
+ IPsecPolicyForSystem associated PolicyGroup is used for that
+ endpoint. The class definition for IPsecPolicyForSystem is as
+ follows:
+
+ NAME IPsecPolicyForSystem
+ DESCRIPTION Default policy group for a system.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref System[0..n]]
+ Dependent[ref PolicyGroup[0..1]]
+
+4.5.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to a System instance. The [0..n] cardinality
+ indicates that a PolicyGroup instance may have an association to zero
+ or more System instances.
+
+4.5.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to a PolicyGroup instance. The [0..1] cardinality indicates
+ that a System instance may have an association to at most one
+ PolicyGroup instance.
+
+4.6. The Aggregation Class SAConditionInRule
+
+ The class SAConditionInRule associates an SARule with the SACondition
+ instance(s) that trigger(s) it. The class definition for
+ SAConditionInRule is as follows:
+
+ NAME SAConditionInRule
+ DESCRIPTION Associates an SARule with the SACondition instance(s)
+ that trigger(s) it.
+ DERIVED FROM PolicyConditionInPolicyRule (see [PCIM] & [PCIME])
+ ABSTRACT FALSE
+
+
+
+Jason, et al. Standards Track [Page 19]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ PROPERTIES GroupNumber (from PolicyConditionInPolicyRule)
+ ConditionNegated (from PolicyConditionInPolicyRule)
+ GroupComponent [ref SARule [0..n]]
+ PartComponent [ref SACondition [1..n]]
+
+4.6.1. The Properties GroupNumber and ConditionNegated
+
+ For a description of these properties, see [PCIM].
+
+4.6.2. The Reference GroupComponent
+
+ The property GroupComponent is inherited from
+ PolicyConditionInPolicyRule and is overridden to refer to an SARule
+ instance. The [0..n] cardinality indicates that an SACondition
+ instance may be contained in zero or more SARule instances.
+
+4.6.3. The Reference PartComponent
+
+ The property PartComponent is inherited from
+ PolicyConditionInPolicyRule and is overridden to refer to an
+ SACondition instance. The [1..n] cardinality indicates that an
+ SARule instance MUST contain at least one SACondition instance.
+
+4.7. The Aggregation Class PolicyActionInSARule
+
+ The PolicyActionInSARule class associates an SARule with one or more
+ PolicyAction instances. In all cases where an SARule is being used,
+ the contained actions MUST be either subclasses of SAAction or
+ instances of CompoundPolicyAction. For an IKERule, the contained
+ actions MUST be related to phase 1 processing, i.e., IKEAction or
+ IKERejectAction. Similarly, for an IPsecRule, contained actions MUST
+ be related to phase 2 or preconfigured SA processing, e.g.,
+ IPsecTransportAction, IPsecBypassAction, etc. The class definition
+ for PolicyActionInSARule is as follows:
+
+ NAME PolicyActionInSARule
+ DESCRIPTION Associates an SARule with its PolicyAction(s).
+ DERIVED FROM PolicyActionInPolicyRule (see [PCIM] & [PCIME])
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent [ref SARule [0..n]]
+ PartComponent [ref PolicyAction [1..n]]
+ ActionOrder (from PolicyActionInPolicyRule)
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 20]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+4.7.1. The Reference GroupComponent
+
+ The property GroupComponent is inherited from
+ PolicyActionInPolicyRule and is overridden to refer to an SARule
+ instance. The [0..n] cardinality indicates that an SAAction instance
+ may be contained in zero or more SARule instances.
+
+4.7.2. The Reference PartComponent
+
+ The property PartComponent is inherited from PolicyActionInPolicyRule
+ and is overridden to refer to an SAAction or CompoundPolicyAction
+ instance. The [1..n] cardinality indicates that an SARule instance
+ MUST contain at least one SAAction or CompoundPolicyAction instance.
+
+4.7.3. The Property ActionOrder
+
+ The property ActionOrder is inherited from the superclass
+ PolicyActionInPolicyRule. It specifies the relative position of this
+ PolicyAction in the sequence of actions associated with a PolicyRule.
+ The ActionOrder MUST be unique so as to provide a deterministic
+ order. In addition, the actions in an SARule are executed as
+ follows. See section 4.2.2, ExecutionStrategy, for a discussion on
+ the use of the ActionOrder property.
+
+ The property is defined as follows:
+
+ NAME ActionOrder
+ DESCRIPTION Specifies the order of actions.
+ SYNTAX unsigned 16-bit integer
+ VALUE Any value between 1 and 2^16-1 inclusive. Lower
+ values have higher precedence (i.e., 1 is the
+ highest precedence). The merging order of two
+ SAActions with the same precedence is undefined.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 21]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+5. Condition and Filter Classes
+
+ The IPsec condition and filter classes are used to build the "if"
+ part of the IKE and IPsec rules.
+
+ *+-------------+
+ +--------------------| SACondition |
+ | +-------------+
+ | * |
+ | |(a)
+ | 1 |
+ | +---------------+
+ | | FilterList |
+ | |([CIMNETWORK]) |
+ | +---------------+
+ | 1 o
+ |(b) |(c)
+ | * |
+ | +-----------------+
+ | | FilterEntryBase |
+ | | ([CIMNETWORK]) |
+ | +-----------------+
+ | ^
+ | |
+ | +-----------------+ | +-----------------------+
+ | | IPHeadersFilter |----+----| CredentialFilterEntry |
+ | | ([PCIME]) | | +-----------------------+
+ | +-----------------+ |
+ | |
+ | +-----------------+ | +--------------------------+
+ | | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
+ | +-----------------+ +--------------------------+
+ |
+ | *+-----------------------------+
+ +------------| CredentialManagementService |
+ | ([CIMUSER]) |
+ +-----------------------------+
+
+ (a) FilterOfSACondition
+ (b) AcceptCredentialsFrom
+ (c) EntriesInFilterList (see [CIMNETWORK])
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 22]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+5.1. The Class SACondition
+
+ The class SACondition defines the conditions of rules for IKE and
+ IPsec negotiations. Conditions are associated with policy rules via
+ the SAConditionInRule aggregation. It is used as an anchor point to
+ associate various types of filters with policy rules via the
+ FilterOfSACondition association. It also defines whether Credentials
+ can be accepted for a particular policy rule via the
+ AcceptCredentialsFrom association.
+
+ Associated objects represent components of the condition that may or
+ may not apply at a given rule evaluation. For example, an
+ AcceptCredentialsFrom evaluation is only performed when a credential
+ is available to be evaluated against the list of trusted credential
+ management services. Similarly, a PeerIDPayloadFilterEntry may only
+ be evaluated when an IDPayload value is available to compare with the
+ filter. Condition components that do not have corresponding values
+ with which to evaluate are evaluated as TRUE unless the protocol has
+ completed without providing the required information.
+
+ The class definition for SACondition is as follows:
+
+ NAME SACondition
+ DESCRIPTION Defines the preconditions for IKE and IPsec
+ negotiations.
+ DERIVED FROM PolicyCondition (see [PCIM])
+ ABSTRACT FALSE
+ PROPERTIES PolicyConditionName (from PolicyCondition)
+
+5.2. The Class IPHeadersFilter
+
+ The class IPHeadersFilter is defined in [PCIME] with the following
+ note:
+
+ 1) to specify 5-tuple filters that are to apply symmetrically (i.e.,
+ matches traffic in both directions of the same flows which is
+ quite typical for SPD entries for ingress and egress traffic), the
+ Direction property of the FilterList SHOULD be set to "Mirrored".
+
+5.3. The Class CredentialFilterEntry
+
+ The class CredentialFilterEntry defines an equivalence class that
+ match credentials of IKE peers. Each CredentialFilterEntry includes
+ a MatchFieldName that is interpreted according to the
+ CredentialManagementService(s) associated with the SACondition
+ (AcceptCredentialsFrom).
+
+
+
+
+
+Jason, et al. Standards Track [Page 23]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ These credentials can be X.509 certificates, Kerberos tickets, or
+ other types of credentials obtained during the Phase 1 exchange.
+
+ Note: this filter entry will probably be checked while the IKE
+ negotiation takes place. If the check is a failure, then the IKE
+ negotiation MUST be stopped, and the result of the IKEAction which
+ triggered this negotiation is a failure.
+
+ The class definition for CredentialFilterEntry is as follows:
+
+ NAME CredentialFilterEntry
+ DESCRIPTION Specifies a match filter based on the IKE
+ credentials.
+ DERIVED FROM FilterEntryBase (see [CIMNETWORK])
+ ABSTRACT FALSE
+ PROPERTIES Name (from FilterEntryBase)
+ IsNegated (from FilterEntryBase)
+ MatchFieldName
+ MatchFieldValue
+ CredentialType
+
+5.3.1. The Property MatchFieldName
+
+ The property MatchFieldName specifies the sub-part of the credential
+ to match against MatchFieldValue. The property is defined as
+ follows:
+
+ NAME MatchFieldName
+ DESCRIPTION Specifies which sub-part of the credential to match.
+ SYNTAX string
+ VALUE This is the string representation of a X.509
+ certificate attribute, e.g.:
+ - "serialNumber"
+ - "signatureAlgorithm"
+ - "issuerName"
+ - "subjectName"
+ - "subjectAltName"
+ - ...
+
+5.3.2. The Property MatchFieldValue
+
+ The property MatchFieldValue specifies the value to compare with the
+ MatchFieldName in a credential to determine if the credential matches
+ this filter entry. The property is defined as follows:
+
+ NAME MatchFieldValue
+ DESCRIPTION Specifies the value to be matched by the
+ MatchFieldName.
+
+
+
+Jason, et al. Standards Track [Page 24]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ SYNTAX string
+ VALUE NB: If the CredentialFilterEntry corresponds to a
+ DistinguishedName, this value in the CIM class is
+ represented by an ordinary string value. However, an
+ implementation must convert this string to a DER-
+ encoded string before matching against the values
+ extracted from credentials at runtime.
+
+ A wildcard mechanism may be used for MatchFieldNames that contain
+ character strings. The MatchFieldValue may contain a wildcard
+ character, '*', in the pattern match specification. For example, if
+ the MatchFieldName is "subjectName", then a MatchFieldValue of
+ "cn=*,ou=engineering,o=foo,c=be" will successfully match a
+ certificate whose subject attribute is "cn=Jane
+ Doe,ou=engineering,o=foo,c=be". The wildcard character can be used
+ to represent 0 or more characters as would be displayed to the user
+ (i.e., a wildcard pattern match operates on displayable character
+ boundaries).
+
+5.3.3. The Property CredentialType
+
+ The property CredentialType specifies the particular type of
+ credential that is being matched. The property is defined as
+ follows:
+
+ NAME CredentialType
+ DESCRIPTION Defines the type of IKE credentials.
+ SYNTAX unsigned 16-bit integer
+ VALUE 1 - X.509 Certificate
+ 2 - Kerberos Ticket
+
+5.4. The Class IPSOFilterEntry
+
+ The class IPSOFilterEntry is used to match traffic based on the IP
+ Security Options [IPSO] header values (ClassificationLevel and
+ ProtectionAuthority) as defined in RFC 1108. This type of filter
+ entry is used to adjust the IPsec encryption level according to the
+ IPSO classification of the traffic (e.g., secret, confidential,
+ restricted, etc.) The class definition for IPSOFilterEntry is as
+ follows:
+
+ NAME IPSOFilterEntry
+ DESCRIPTION Specifies the a match filter based on IP Security
+ Options.
+ DERIVED FROM FilterEntryBase (see [CIMNETWORK])
+ ABSTRACT FALSE
+
+
+
+
+
+Jason, et al. Standards Track [Page 25]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ PROPERTIES Name (from FilterEntryBase)
+ IsNegated (from FilterEntryBase)
+ MatchConditionType
+ MatchConditionValue
+
+5.4.1. The Property MatchConditionType
+
+ The property MatchConditionType specifies the IPSO header field that
+ will be matched (e.g., traffic classification level or protection
+ authority). The property is defined as follows:
+
+ NAME MatchConditionType
+ DESCRIPTION Specifies the IPSO header field to be matched.
+ SYNTAX unsigned 16-bit integer
+ VALUE 1 - ClassificationLevel
+ 2 - ProtectionAuthority
+
+5.4.2. The Property MatchConditionValue
+
+ The property MatchConditionValue specifies the value of the IPSO
+ header field to be matched against. The property is defined as
+ follows:
+
+ NAME MatchConditionValue
+ DESCRIPTION Specifies the value of the IPSO header field to be
+ matched against.
+ SYNTAX unsigned 16-bit integer
+ VALUE The values MUST be one of values listed in RFC 1108
+ (or any further IANA Assigned Numbers document).
+ Some examples for ClassificationLevel are:
+ 61 - TopSecret
+ 90 - Secret
+ 150 - Confidential
+ 171 - Unclassified
+ For ProtectionAuthority, some examples are:
+ 0 - GENSER
+ 1 - SIOP-ESI
+ 2 - SCI
+ 3 - NSA
+ 4 - DOE
+
+5.5. The Class PeerIDPayloadFilterEntry
+
+ The class PeerIDPayloadFilterEntry defines filters used to match ID
+ payload values from the IKE protocol exchange.
+ PeerIDPayloadFilterEntry permits the specification of certain ID
+ payload values such as "*@example.com" or "192.0.2.0/24".
+
+
+
+
+Jason, et al. Standards Track [Page 26]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ Obviously this filter applies only to IKERules when acting as a
+ responder. Moreover, this filter can be applied immediately in the
+ case of aggressive mode but its application is to be delayed in the
+ case of main mode. The class definition for PeerIDPayloadFilterEntry
+ is as follows:
+
+ NAME PeerIDPayloadFilterEntry
+ DESCRIPTION Specifies a match filter based on IKE identity.
+ DERIVED FROM FilterEntryBase (see [CIMNETWORK])
+ ABSTRACT FALSE
+ PROPERTIES Name (from FilterEntryBase)
+ IsNegated (from FilterEntryBase)
+ MatchIdentityType
+ MatchIdentityValue
+
+5.5.1. The Property MatchIdentityType
+
+ The property MatchIdentityType specifies the type of identity
+ provided by the peer in the ID payload. The property is defined as
+ follows:
+
+ NAME MatchIdentityType
+ DESCRIPTION Specifies the ID payload type.
+ SYNTAX unsigned 16-bit integer
+ VALUE Consult [DOI] for valid values.
+
+ 5.5.2. The Property MatchIdentityValue
+
+ The property MatchIdentityValue specifies the filter value for
+ comparison with the ID payload, e.g., "*@example.com". The property
+ is defined as follows:
+
+ NAME MatchIdentityValue
+ DESCRIPTION Specifies the ID payload value.
+ SYNTAX string
+ VALUE NB: The syntax may need to be converted for
+ comparison. If the PeerIDPayloadFilterEntry type is
+ a DistinguishedName, the name in the
+ MatchIdentityValue property is represented by an
+ ordinary string value, but this value must be
+ converted into a DER-encoded string before matching
+ against the values extracted from IKE ID payloads at
+ runtime. The same applies to IPv4 & IPv6 addresses.
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 27]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ Different wildcard mechanisms can be used depending on the ID
+ payload:
+
+ - a MatchIdentityValue of "*@example.com" will match a user FQDN ID
+ payload of "JDOE@EXAMPLE.COM".
+
+ - a MatchIdentityValue of "*.example.com" will match a FQDN ID
+ payload of "WWW.EXAMPLE.COM".
+
+ - a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will
+ match a DER DN ID payload of "cn=John
+ Doe,ou=engineering,o=company,c=us".
+
+ - a MatchIdentityValue of "193.190.125.0/24" will match an IPv4
+ address ID payload of 193.190.125.10.
+
+ - a MatchIdentityValue of "193.190.125.*" will also match an IPv4
+ address ID payload of 193.190.125.10.
+
+ The above wildcard mechanisms MUST be supported for all ID payloads
+ supported by the local IKE entity. The character '*' replaces 0 or
+ multiple instances of any character as restricted by the type
+ specified by MatchIdentityType.
+
+5.6. The Association Class FilterOfSACondition
+
+ The class FilterOfSACondition associates an SACondition with the
+ filter specifications (FilterList) that make up the condition. The
+ class definition for FilterOfSACondition is as follows:
+
+ NAME FilterOfSACondition
+ DESCRIPTION Associates a condition with the filter list that
+ makes up the individual condition elements.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref FilterList[1..1]]
+ Dependent [ref SACondition[0..n]]
+
+5.6.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to a FilterList instance. The [1..1] cardinality
+ indicates that an SACondition instance MUST be associated with one
+ and only one FilterList instance.
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 28]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+5.6.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to an SACondition instance. The [0..n] cardinality
+ indicates that a FilterList instance may be associated with zero or
+ more SACondition instances.
+
+5.7. The Association Class AcceptCredentialFrom
+
+ The class AcceptCredentialFrom specifies which credential management
+ services (e.g., a CertificateAuthority or a Kerberos service) are to
+ be trusted to certify peer credentials. This is used to assure that
+ the credential being matched in the CredentialFilterEntry is a valid
+ credential that has been supplied by an approved
+ CredentialManagementService. If a CredentialManagementService is
+ specified and a corresponding CredentialFilterEntry is used, but the
+ credential supplied by the peer is not certified by that
+ CredentialManagementService (or one of the
+ CredentialManagementServices in its trust hierarchy), the
+ CredentialFilterEntry is deemed not to match. If a credential is
+ certified by a CredentialManagementService in the
+ AcceptCredentialsFrom list of services, but there is no
+ CredentialFilterEntry, this is considered equivalent to a
+ CredentialFilterEntry that matches all credentials from those
+ services.
+
+ The class definition for AcceptCredentialFrom is as follows:
+
+ NAME AcceptCredentialFrom
+ DESCRIPTION Associates a condition with the credential management
+ services to be trusted.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref CredentialManagementService[0..n]]
+ Dependent [ref SACondition[0..n]]
+
+5.7.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to a CredentialManagementService instance. The
+ [0..n] cardinality indicates that an SACondition instance may be
+ associated with zero or more CredentialManagementService instances.
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 29]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+5.7.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to a SACondition instance. The [0..n] cardinality indicates
+ that a CredentialManagementService instance may be associated with
+ zero or more SACondition instances.
+
+6. Action Classes
+
+ The action classes are used to model the different actions an IPsec
+ device may take when the evaluation of the associated condition
+ results in a match.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 30]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ +----------+
+ | SAAction |
+ +----------+
+ ^
+ |
+ +-----------+--------------+
+ | |
+ | +---------------------+
+ | | SaNegotiationAction |
+ | +---------------------+
+ | ^
+ | |
+ +----------------+ +----------------------+*
+ | SAStaticAction | | IKENegotiationAction |o----+
+ +----------------+ +----------------------+ |
+ ^ ^ |
+ | | |
+ | +-----------+-------+ |
+ | | | |
+ +-------------------+ | +-------------+ +-----------+ |
+ | IPsecBypassAction |---+ | IPsecAction | | IKEAction | |
+ +-------------------+ | +-------------+ +-----------+ |
+ | ^ |
+ +--------------------+ | | +----------------------+ |
+ | IPsecDiscardAction |---+ +----| IPsecTransportAction | |
+ +--------------------+ | | +----------------------+ |
+ | | |
+ +-----------------+ | | +-------------------+ |
+ | IKERejectAction |---+ +----| IPsecTunnelAction | |
+ +-----------------+ | +-------------------+ |
+ | *| |
+ | +--------------+ |
+ | | |
+ +-----------------------+ | | +--------------+n |
+ | PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+
+ +-----------------------+ | +--------------+ (b)
+ *| ^ |
+ | | | *+-------------+
+ | | +-------| PeerGateway |
+ | | +-------------+
+ | | +-----------------------------+ |0..1 *w|
+ | +--| PreconfiguredTransportAction| | |(c)
+ | | +-----------------------------+ | 1|
+ | | | +--------------+
+ | | +---------------------------+ * | | System |
+ | +--| PreconfiguredTunnelAction |-----+ | ([CIMCORE]) |
+ | +---------------------------+ (e) +--------------+
+ |
+
+
+
+Jason, et al. Standards Track [Page 31]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ | 2..6+---------------+
+ +-------| [SATransform] |
+ (d) +---------------+
+
+ (a) PeerGatewayForTunnel
+ (b) ContainedProposal
+ (c) HostedPeerGatewayInformation
+ (d) TransformOfPreconfiguredAction
+ (e) PeerGatewayForPreconfiguredTunnel
+
+6.1. The Class SAAction
+
+ The class SAAction is abstract and serves as the base class for IKE
+ and IPsec actions. It is used for aggregating different types of
+ actions to IKE and IPsec rules. The class definition for SAAction is
+ as follows:
+
+ NAME SAAction
+ DESCRIPTION The base class for IKE and IPsec actions.
+ DERIVED FROM PolicyAction (see [PCIM])
+ ABSTRACT TRUE
+ PROPERTIES PolicyActionName (from PolicyAction)
+ DoActionLogging
+ DoPacketLogging
+
+6.1.1. The Property DoActionLogging
+
+ The property DoActionLogging specifies whether a log message is to be
+ generated when the action is performed. This applies for
+ SANegotiationActions with the meaning of logging a message when the
+ negotiation is attempted (with the success or failure result). This
+ also applies for SAStaticAction only for PreconfiguredSAAction with
+ the meaning of logging a message when the preconfigured SA is
+ actually installed in the SADB. The property is defined as follows:
+
+ NAME DoActionLogging
+ DESCRIPTION Specifies the whether to log when the action is
+ performed.
+ SYNTAX boolean
+ VALUE true - a log message is to be generated when action
+ is performed.
+ false - no log message is to be generated when action
+ is performed.
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 32]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.1.2. The Property DoPacketLogging
+
+ The property DoPacketLogging specifies whether a log message is to be
+ generated when the resulting security association is used to process
+ the packet. If the SANegotiationAction successfully executes and
+ results in the creation of one or several security associations, or
+ if the PreconfiguredSAAction executes, the value of DoPacketLogging
+ SHOULD be propagated to an optional field of SADB. This optional
+ field should be used to decide whether a log message is to be
+ generated when the SA is used to process a packet. For
+ SAStaticActions, a log message is to be generated when the
+ IPsecBypassAction, IPsecDiscardAction, or IKERejectAction are
+ executed. The property is defined as follows:
+
+ NAME DoPacketLogging
+ DESCRIPTION Specifies whether to log when the resulting
+ security association is used to process the packet.
+ SYNTAX boolean
+ VALUE true - a log message is to be generated when the
+ resulting security association is used to process the
+ packet.
+ false - no log message is to be generated.
+
+6.2. The Class SAStaticAction
+
+ The class SAStaticAction is abstract and serves as the base class for
+ IKE and IPsec actions that do not require any negotiation. The class
+ definition for SAStaticAction is as follows:
+
+ NAME SAStaticAction
+ DESCRIPTION The base class for IKE and IPsec actions that do not
+ require any negotiation.
+ DERIVED FROM SAAction
+ ABSTRACT TRUE
+ PROPERTIES LifetimeSeconds
+
+6.2.1. The Property LifetimeSeconds
+
+ The property LifetimeSeconds specifies how long the security
+ association derived from this action should be used. The property is
+ defined as follows:
+
+ NAME LifetimeSeconds
+ DESCRIPTION Specifies the amount of time (in seconds) that a
+ security association derived from this action should
+ be used.
+ SYNTAX unsigned 64-bit integer
+
+
+
+
+Jason, et al. Standards Track [Page 33]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ VALUE A value of zero indicates that there is not a
+ lifetime associated with this action (i.e., infinite
+ lifetime). A non-zero value is typically used in
+ conjunction with alternate SAActions performed when
+ there is a negotiation failure of some sort.
+
+ Note: if the referenced SAStaticAction object is a
+ PreconfiguredSAAction associated to several SATransforms, then the
+ actual lifetime of the preconfigured SA will be the lesser of the
+ value of this LifetimeSeconds property and of the value of the
+ MaxLifetimeSeconds property of the associated SATransform. If the
+ value of this LifetimeSeconds property is zero, then there will be no
+ lifetime associated to this SA.
+
+ Note: while some SA negotiation protocols [IKE] can negotiate the
+ lifetime as an arbitrary length field, the authors have assumed that
+ a 64-bit integer will be sufficient.
+
+ It is expected that most SAStaticAction instances will have their
+ LifetimeSeconds properties set to zero (meaning no expiration of the
+ resulting SA).
+
+6.3. The Class IPsecBypassAction
+
+ The class IPsecBypassAction is used when packets are allowed to be
+ processed without applying IPsec encapsulation to them. This is the
+ same as stating that packets are allowed to flow in the clear. The
+ class definition for IPsecBypassAction is as follows:
+
+ NAME IPsecBypassAction
+ DESCRIPTION Specifies that packets are to be allowed to pass in
+ the clear.
+ DERIVED FROM SAStaticAction
+ ABSTRACT FALSE
+
+6.4. The Class IPsecDiscardAction
+
+ The class IPsecDiscardAction is used when packets are to be
+ discarded. This is the same as stating that packets are to be
+ denied. The class definition for IPsecDiscardAction is as follows:
+
+ NAME IPsecDiscardAction
+ DESCRIPTION Specifies that packets are to be discarded.
+ DERIVED FROM SAStaticAction
+ ABSTRACT FALSE
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 34]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.5. The Class IKERejectAction
+
+ The class IKERejectAction is used to prevent attempting an IKE
+ negotiation with the peer(s). The main use of this class is to
+ prevent some denial of service attacks when acting as IKE responder.
+ It goes beyond a plain discard of UDP/500 IKE packets because the
+ SACondition can be based on specific PeerIDPayloadFilterEntry (when
+ aggressive mode is used). The class definition for IKERejectAction
+ is as follows:
+
+ NAME IKERejectAction
+ DESCRIPTION Specifies that an IKE negotiation should not even be
+ attempted or continued.
+ DERIVED FROM SAStaticAction
+ ABSTRACT FALSE
+
+6.6. The Class PreconfiguredSAAction
+
+ The class PreconfiguredSAAction is used to create a security
+ association using preconfigured, hard-wired algorithms and keys.
+
+ Notes:
+
+ - the SPI for a PreconfiguredSAAction is contained in the
+ association, TransformOfPreconfiguredAction;
+
+ - the session key (if applicable) is contained in an instance of the
+ class SharedSecret (see [CIMUSER]). The session key is stored in
+ the property Secret, the property protocol contains either "ESP-
+ encrypt", "ESP-auth" or "AH", the property algorithm contains the
+ algorithm used to protect the secret (can be "PLAINTEXT" if the
+ IPsec entity has no secret storage), the value of property
+ RemoteID is the concatenation of the remote IPsec peer IP address
+ in dotted decimal, of the character "/", of "IN" (respectively
+ "OUT") for inbound SA (respectively outbound SA), of the character
+ "/", and of the hexadecimal representation of the SPI.
+
+ Although the class is concrete, it MUST not be instantiated. The
+ class definition for PreconfiguredSAAction is as follows:
+
+ NAME PreconfiguredSAAction
+ DESCRIPTION Specifies preconfigured algorithm and keying
+ information for creation of a security association.
+ DERIVED FROM SAStaticAction
+ ABSTRACT TRUE
+ PROPERTIES LifetimeKilobytes
+
+
+
+
+
+Jason, et al. Standards Track [Page 35]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.6.1. The Property LifetimeKilobytes
+
+ The property LifetimeKilobytes specifies a traffic limit in kilobytes
+ that can be consumed before the SA is deleted. The property is
+ defined as follows:
+
+ NAME LifetimeKilobytes
+ DESCRIPTION Specifies the SA lifetime in kilobytes.
+ SYNTAX unsigned 64-bit integer
+ VALUE A value of zero indicates that there is not a
+ lifetime associated with this action (i.e., infinite
+ lifetime). A non-zero value is used to indicate that
+ after this number of kilobytes has been consumed the
+ SA must be deleted from the SADB.
+
+ Note: the actual lifetime of the preconfigured SA will be the lesser
+ of the value of this LifetimeKilobytes property and of the value of
+ the MaxLifetimeSeconds property of the associated SATransform. If
+ the value of this LifetimeKilobytes property is zero, then there will
+ be no lifetime associated with this action.
+
+ Note: while some SA negotiation protocols [IKE] can negotiate the
+ lifetime as an arbitrary length field, the authors have assumed that
+ a 64-bit integer will be sufficient.
+
+ It is expected that most PreconfiguredSAAction instances will have
+ their LifetimeKilobyte properties set to zero (meaning no expiration
+ of the resulting SA).
+
+6.7. The Class PreconfiguredTransportAction
+
+ The class PreconfiguredTransportAction is used to create an IPsec
+ transport-mode security association using preconfigured, hard-wired
+ algorithms and keys. The class definition for
+ PreconfiguredTransportAction is as follows:
+
+ NAME PreconfiguredTransportAction
+ DESCRIPTION Specifies preconfigured algorithm and keying
+ information for creation of an IPsec transport
+ security association.
+ DERIVED FROM PreconfiguredSAAction
+ ABSTRACT FALSE
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 36]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.8. The Class PreconfiguredTunnelAction
+
+ The class PreconfiguredTunnelAction is used to create an IPsec
+ tunnel-mode security association using preconfigured, hard-wired
+ algorithms and keys. The class definition for PreconfiguredSAAction
+ is as follows:
+
+ NAME PreconfiguredTunnelAction
+ DESCRIPTION Specifies preconfigured algorithm and keying
+ information for creation of an IPsec tunnel-mode
+ security association.
+ DERIVED FROM PreconfiguredSAAction
+ ABSTRACT FALSE
+ PROPERTIES DFHandling
+
+6.8.1. The Property DFHandling
+
+ The property DFHandling specifies how the Don't Fragment (DF) bit of
+ the internal IP header is to be handled during IPsec processing. The
+ property is defined as follows:
+
+ NAME DFHandling
+ DESCRIPTION Specifies the processing of the DF bit.
+ SYNTAX unsigned 16-bit integer
+ VALUE 1 - Copy the DF bit from the internal IP header to
+ the external IP header.
+ 2 - Set the DF bit of the external IP header to 1.
+ 3 - Clear the DF bit of the external IP header to 0.
+
+6.9. The Class SANegotiationAction
+
+ The class SANegotiationAction specifies an action requesting security
+ policy negotiation.
+
+ This is an abstract class. Currently, only one security policy
+ negotiation protocol action is subclassed from SANegotiationAction:
+ the IKENegotiationAction class. It is nevertheless expected that
+ other security policy negotiation protocols will exist and the
+ negotiation actions of those new protocols would be modeled as a
+ subclass of SANegotiationAction.
+
+ NAME SANegotiationAction
+ DESCRIPTION Specifies a negotiation action.
+ DERIVED FROM SAAction
+ ABSTRACT TRUE
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 37]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.10. The Class IKENegotiationAction
+
+ The class IKENegotiationAction is abstract and serves as the base
+ class for IKE and IPsec actions that result in an IKE negotiation.
+ The class definition for IKENegotiationAction is as follows:
+
+ NAME IKENegotiationAction
+ DESCRIPTION A base class for IKE and IPsec actions that specifies
+ the parameters that are common for IKE phase 1 and
+ IKE phase 2 IPsec DOI negotiations.
+ DERIVED FROM SANegotiationAction
+ ABSTRACT TRUE
+ PROPERTIES MinLifetimeSeconds
+ MinLifetimeKilobytes
+ IdleDurationSeconds
+
+6.10.1. The Property MinLifetimeSeconds
+
+ The property MinLifetimeSeconds specifies the minimum seconds in a
+ lifetime that will be accepted from the peer. MinLifetimeSeconds is
+ used to prevent certain denial of service attacks where the peer
+ requests an arbitrarily low lifetime value, causing renegotiations
+ with expensive Diffie-Hellman operations. The property is defined as
+ follows:
+
+ NAME MinLifetimeSeconds
+ DESCRIPTION Specifies the minimum seconds acceptable in a
+ lifetime.
+ SYNTAX unsigned 64-bit integer
+ VALUE A value of zero indicates that there is no minimum
+ value. A non-zero value specifies the minimum
+ seconds lifetime.
+
+ Note: while IKE can negotiate the lifetime as an arbitrary length
+ field, the authors have assumed that a 64-bit integer will be
+ sufficient.
+
+6.10.2. The Property MinLifetimeKilobytes
+
+ The property MinLifetimeKilobytes specifies the minimum kilobytes of
+ a lifetime that will be accepted from the peer. MinLifetimeKilobytes
+ is used to prevent certain denial of service attacks, where the peer
+ requests an arbitrarily low lifetime value, causing renegotiations
+ with correspondingly expensive Diffie-Hellman operations. Note that
+ there has been considerable debate regarding the usefulness of
+ applying kilobyte lifetimes to IKE phase 1 security associations, so
+ it is likely that this property will only apply to the sub-class
+ IPsecAction. The property is defined as follows:
+
+
+
+Jason, et al. Standards Track [Page 38]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ NAME MinLifetimeKilobytes
+ DESCRIPTION Specifies the minimum kilobytes acceptable in a
+ lifetime.
+ SYNTAX unsigned 64-bit integer
+ VALUE A value of zero indicates that there is no minimum
+ value. A non-zero value specifies the minimum
+ kilobytes lifetime.
+
+ Note: While IKE can negotiate the lifetime as an arbitrary length
+ field, the authors have assumed that a 64-bit integer will be
+ sufficient.
+
+6.10.3. The Property IdleDurationSeconds
+
+ The property IdleDurationSeconds specifies how many seconds a
+ security association may remain idle (i.e., no traffic protected
+ using the security association) before it is deleted. The property
+ is defined as follows:
+
+ NAME IdleDurationSeconds
+ DESCRIPTION Specifies how long, in seconds, a security
+ association may remain unused before it is deleted.
+ SYNTAX unsigned 64-bit integer
+ VALUE A value of zero indicates that idle detection should
+ not be used for the security association (only the
+ seconds and kilobyte lifetimes will be used). Any
+ non-zero value indicates the number of seconds the
+ security association may remain unused.
+
+6.11. The Class IPsecAction
+
+ The class IPsecAction serves as the base class for IPsec transport
+ and tunnel actions. It specifies the parameters used for an IKE
+ phase 2 IPsec DOI negotiation. The class definition for IPsecAction
+ is as follows:
+
+ NAME IPsecAction
+ DESCRIPTION A base class for IPsec transport and tunnel actions
+ that specifies the parameters for IKE phase 2 IPsec
+ DOI negotiations.
+ DERIVED FROM IKENegotiationAction
+ ABSTRACT TRUE
+ PROPERTIES UsePFS
+ UseIKEGroup
+ GroupId
+ Granularity
+ VendorID
+
+
+
+
+Jason, et al. Standards Track [Page 39]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.11.1. The Property UsePFS
+
+ The property UsePFS specifies whether or not perfect forward secrecy
+ should be used when refreshing keys. The property is defined as
+ follows:
+
+ NAME UsePFS
+ DESCRIPTION Specifies the whether or not to use PFS when
+ refreshing keys.
+ SYNTAX boolean
+ VALUE A value of true indicates that PFS should be used. A
+ value of false indicates that PFS should not be used.
+
+6.11.2. The Property UseIKEGroup
+
+ The property UseIKEGroup specifies whether or not phase 2 should use
+ the same key exchange group as was used in phase 1. UseIKEGroup is
+ ignored if UsePFS is false. The property is defined as follows:
+
+ NAME UseIKEGroup
+ DESCRIPTION Specifies whether or not to use the same GroupId for
+ phase 2 as was used in phase 1. If UsePFS is false,
+ then UseIKEGroup is ignored.
+ SYNTAX boolean
+ VALUE A value of true indicates that the phase 2 GroupId
+ should be the same as phase 1. A value of false
+ indicates that the property GroupId will contain the
+ key exchange group to use for phase 2.
+
+6.11.3. The Property GroupId
+
+ The property GroupId specifies the key exchange group to use for
+ phase 2. GroupId is ignored if (1) the property UsePFS is false, or
+ (2) the property UsePFS is true and the property UseIKEGroup is true.
+ If the GroupID number is from the vendor-specific range (32768-
+ 65535), the property VendorID qualifies the group number. The
+ property is defined as follows:
+
+ NAME GroupId
+ DESCRIPTION Specifies the key exchange group to use for phase 2
+ when the property UsePFS is true and the property
+ UseIKEGroup is false.
+ SYNTAX unsigned 16-bit integer
+ VALUE Consult [IKE] for valid values.
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 40]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.11.4. The Property Granularity
+
+ The property Granularity specifies how the selector for the security
+ association should be derived from the traffic that triggered the
+ negotiation. The property is defined as follows:
+
+ NAME Granularity
+ DESCRIPTION Specifies how the proposed selector for the
+ security association will be created.
+ SYNTAX unsigned 16-bit integer
+ VALUE 1 - subnet: the source and destination subnet masks
+ of the filter entry are used.
+ 2 - address: only the source and destination IP
+ addresses of the triggering packet are used.
+ 3 - protocol: the source and destination IP addresses
+ and the IP protocol of the triggering packet are
+ used.
+ 4 - port: the source and destination IP addresses and
+ the IP protocol and the source and destination layer
+ 4 ports of the triggering packet are used.
+
+6.11.5. The Property VendorID
+
+ The property VendorID is used together with the property GroupID
+ (when it is in the vendor-specific range) to identify the key
+ exchange group. VendorID is ignored unless UsePFS is true and
+ UseIKEGroup is false and GroupID is in the vendor-specific range
+ (32768-65535). The property is defined as follows:
+
+ NAME VendorID
+ DESCRIPTION Specifies the IKE Vendor ID.
+ SYNTAX string
+
+6.12. The Class IPsecTransportAction
+
+ The class IPsecTransportAction is a subclass of IPsecAction that is
+ used to specify use of an IPsec transport-mode security association.
+ The class definition for IPsecTransportAction is as follows:
+
+ NAME IPsecTransportAction
+ DESCRIPTION Specifies that an IPsec transport-mode security
+ association should be negotiated.
+ DERIVED FROM IPsecAction
+ ABSTRACT FALSE
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 41]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.13. The Class IPsecTunnelAction
+
+ The class IPsecTunnelAction is a subclass of IPsecAction that is used
+ to specify use of an IPsec tunnel-mode security association. The
+ class definition for IPsecTunnelAction is as follows:
+
+ NAME IPsecTunnelAction
+ DESCRIPTION Specifies that an IPsec tunnel-mode security
+ association should be negotiated.
+ DERIVED FROM IPsecAction
+ ABSTRACT FALSE
+ PROPERTIES DFHandling
+
+6.13.1. The Property DFHandling
+
+ The property DFHandling specifies how the tunnel should manage the
+ Don't Fragment (DF) bit. The property is defined as follows:
+
+ NAME DFHandling
+ DESCRIPTION Specifies how to process the DF bit.
+ SYNTAX unsigned 16-bit integer
+ VALUE 1 - Copy the DF bit from the internal IP header to
+ the external IP header.
+ 2 - Set the DF bit of the external IP header to 1.
+ 3 - Clear the DF bit of the external IP header to 0.
+
+6.14. The Class IKEAction
+
+ The class IKEAction specifies the parameters that are to be used for
+ IKE phase 1 negotiation. The class definition for IKEAction is as
+ follows:
+
+ NAME IKEAction
+ DESCRIPTION Specifies the IKE phase 1 negotiation parameters.
+ DERIVED FROM IKENegotiationAction
+ ABSTRACT FALSE
+ PROPERTIES ExchangeMode
+ UseIKEIdentityType
+ VendorID
+ AggressiveModeGroupId
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 42]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.14.1. The Property ExchangeMode
+
+ The property ExchangeMode specifies which IKE mode should be used for
+ IKE phase 1 negotiations. The property is defined as follows:
+
+ NAME ExchangeMode
+ DESCRIPTION Specifies the IKE negotiation mode for phase 1.
+ SYNTAX unsigned 16-bit integer
+ VALUE 1 - base mode
+ 2 - main mode
+ 4 - aggressive mode
+
+6.14.2. The Property UseIKEIdentityType
+
+ The property UseIKEIdentityType specifies what IKE identity type
+ should be used when negotiating with the peer. This information is
+ used in conjunction with the IKE identities available on the system
+ and the IdentityContexts of the matching IKERule. The property is
+ defined as follows:
+
+ NAME UseIKEIdentityType
+ DESCRIPTION Specifies the IKE identity to use during negotiation.
+ SYNTAX unsigned 16-bit integer
+ VALUE Consult [DOI] for valid values.
+
+6.14.3. The Property VendorID
+
+ The property VendorID specifies the value to be used in the Vendor ID
+ payload. The property is defined as follows:
+
+ NAME VendorID
+ DESCRIPTION Vendor ID Payload.
+ SYNTAX string
+ VALUE A value of NULL means that Vendor ID payload will be
+ neither generated nor accepted. A non-NULL value
+ means that a Vendor ID payload will be generated
+ (when acting as an initiator) or is expected (when
+ acting as a responder).
+
+6.14.4. The Property AggressiveModeGroupId
+
+ The property AggressiveModeGroupId specifies which group ID is to be
+ used in the first packets of the phase 1 negotiation. This property
+ is ignored unless the property ExchangeMode is set to 4 (aggressive
+ mode). If the AggressiveModeGroupID number is from the vendor-
+ specific range (32768-65535), the property VendorID qualifies the
+ group number. The property is defined as follows:
+
+
+
+
+Jason, et al. Standards Track [Page 43]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ NAME AggressiveModeGroupId
+ DESCRIPTION Specifies the group ID to be used for aggressive
+ mode.
+ SYNTAX unsigned 16-bit integer
+
+6.15. The Class PeerGateway
+
+ The class PeerGateway specifies the security gateway with which the
+ IKE services negotiates. The class definition for PeerGateway is as
+ follows:
+
+ NAME PeerGateway
+ DESCRIPTION Specifies the security gateway with which to
+ negotiate.
+ DERIVED FROM LogicalElement (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Name
+ PeerIdentityType
+ PeerIdentity
+
+ Note: The class PeerIdentityEntry contains more information about the
+ peer (namely its IP address).
+
+6.15.1. The Property Name
+
+ The property Name specifies a user-friendly name for this security
+ gateway. The property is defined as follows:
+
+ NAME Name
+ DESCRIPTION Specifies a user-friendly name for this security
+ gateway.
+ SYNTAX string
+
+6.15.2. The Property PeerIdentityType
+
+ The property PeerIdentityType specifies the IKE identity type of the
+ security gateway. The property is defined as follows:
+
+ NAME PeerIdentityType
+ DESCRIPTION Specifies the IKE identity type of the security
+ gateway.
+ SYNTAX unsigned 16-bit integer
+ VALUE Consult [DOI] for valid values.
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 44]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.15.3. The Property PeerIdentity
+
+ The property PeerIdentity specifies the IKE identity value of the
+ security gateway. Based upon the storage chosen for the task-
+ specific mapping of the information model, a conversion may be needed
+ from the stored representation of the PeerIdentity string to the real
+ value used in the ID payload (e.g., IP address is to be converted
+ from a dotted decimal string into 4 bytes). The property is defined
+ as follows:
+
+ NAME PeerIdentity
+ DESCRIPTION Specifies the IKE identity value of the security
+ gateway.
+ SYNTAX string
+
+6.16. The Association Class PeerGatewayForTunnel
+
+ The class PeerGatewayForTunnel associates IPsecTunnelActions with an
+ ordered list of PeerGateways. The class definition for
+ PeerGatewayForTunnel is as follows:
+
+ NAME PeerGatewayForTunnel
+ DESCRIPTION Associates IPsecTunnelActions with an ordered list of
+ PeerGateways.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref PeerGateway[0..n]]
+ Dependent [ref IPsecTunnelAction[0..n]]
+ SequenceNumber
+
+6.16.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to a PeerGateway instance. The [0..n]
+ cardinality indicates that an IPsecTunnelAction instance may be
+ associated with zero or more PeerGateway instances.
+
+ Note: The cardinality 0 has a specific meaning:
+
+ - when the IKE service acts as a responder, this means that the IKE
+ service will accept phase 1 negotiation with any other security
+ gateway;
+
+ - when the IKE service acts as an initiator, this means that the IKE
+ service will use the destination IP address (of the IP packets
+ which triggered the SARule) as the IP address of the peer IKE
+ entity.
+
+
+
+
+Jason, et al. Standards Track [Page 45]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.16.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to an IPsecTunnelAction instance. The [0..n] cardinality
+ indicates that a PeerGateway instance may be associated with zero or
+ more IPsecTunnelAction instances.
+
+6.16.3. The Property SequenceNumber
+
+ The property SequenceNumber specifies the ordering to be used when
+ evaluating PeerGateway instances for a given IPsecTunnelAction. The
+ property is defined as follows:
+
+ NAME SequenceNumber
+ DESCRIPTION Specifies the order of evaluation for PeerGateways.
+ SYNTAX unsigned 16-bit integer
+ VALUE Lower values are evaluated first.
+
+6.17. The Aggregation Class ContainedProposal
+
+ The class ContainedProposal associates an ordered list of SAProposals
+ with the IKENegotiationAction that aggregates it. If the referenced
+ IKENegotiationAction object is an IKEAction, then the referenced
+ SAProposal object(s) must be IKEProposal(s). If the referenced
+ IKENegotiationAction object is an IPsecTransportAction or an
+ IPsecTunnelAction, then the referenced SAProposal object(s) must be
+ IPsecProposal(s). The class definition for ContainedProposal is as
+ follows:
+
+ NAME ContainedProposal
+ DESCRIPTION Associates an ordered list of SAProposals with an
+ IKENegotiationAction.
+ DERIVED FROM PolicyComponent (see [PCIM])
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent[ref IKENegotiationAction[0..n]]
+ PartComponent[ref SAProposal[1..n]]
+ SequenceNumber
+
+6.17.1. The Reference GroupComponent
+
+ - The property GroupComponent is inherited from PolicyComponent and
+ is overridden to refer to an IKENegotiationAction instance. The
+ [0..n] cardinality indicates that an SAProposal instance may be
+ associated with zero or more IKENegotiationAction instances.
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 46]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.17.2. The Reference PartComponent
+
+ The property PartComponent is inherited from PolicyComponent and is
+ overridden to refer to an SAProposal instance. The [1..n]
+ cardinality indicates that an IKENegotiationAction instance MUST be
+ associated with at least one SAProposal instance.
+
+6.17.3. The Property SequenceNumber
+
+ The property SequenceNumber specifies the order of preference for the
+ SAProposals. The property is defined as follows:
+
+ NAME SequenceNumber
+ DESCRIPTION Specifies the preference order for the SAProposals.
+ SYNTAX unsigned 16-bit integer
+ VALUE Lower-valued proposals are preferred over proposals
+ with higher values. For ContainedProposals that
+ reference the same IKENegotiationAction,
+ SequenceNumber values must be unique.
+
+6.18. The Association Class HostedPeerGatewayInformation
+
+ The class HostedPeerGatewayInformation weakly associates a
+ PeerGateway with a System. The class definition for
+ HostedPeerGatewayInformation is as follows:
+
+ NAME HostedPeerGatewayInformation
+ DESCRIPTION Weakly associates a PeerGateway with a System.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref System[1..1]]
+ Dependent [ref PeerGateway[0..n] [weak]]
+
+6.18.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to a System instance. The [1..1] cardinality
+ indicates that a PeerGateway instance MUST be associated with one and
+ only one System instance.
+
+6.18.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to a PeerGateway instance. The [0..n] cardinality indicates
+ that a System instance may be associated with zero or more
+ PeerGateway instances.
+
+
+
+
+
+Jason, et al. Standards Track [Page 47]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.19. The Association Class TransformOfPreconfiguredAction
+
+ The class TransformOfPreconfiguredAction associates a
+ PreconfiguredSAAction with two, four or six SATransforms that will be
+ applied to the inbound and outbound traffic. The order of
+ application of the SATransforms is implicitly defined in [IPSEC].
+ The class definition for TransformOfPreconfiguredAction is as
+ follows:
+
+ NAME TransformOfPreconfiguredAction
+ DESCRIPTION Associates a PreconfiguredSAAction with from one to
+ three SATransforms.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref SATransform[2..6]]
+ Dependent[ref PreconfiguredSAAction[0..n]]
+ SPI
+ Direction
+
+6.19.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to an SATransform instance. The [2..6]
+ cardinality indicates that a PreconfiguredSAAction instance may be
+ associated with two to six SATransform instances.
+
+6.19.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to a PreconfiguredSAAction instance. The [0..n] cardinality
+ indicates that a SATransform instance may be associated with zero or
+ more PreconfiguredSAAction instances.
+
+6.19.3. The Property SPI
+
+ The property SPI specifies the SPI to be used by the pre-configured
+ action for the associated transform. The property is defined as
+ follows:
+
+ NAME SPI
+ DESCRIPTION Specifies the SPI to be used with the SATransform.
+ SYNTAX unsigned 32-bit integer
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 48]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+6.19.4. The Property Direction
+
+ The property Direction specifies whether the SPI property is for
+ inbound or outbound traffic. The property is defined as follows:
+
+ NAME Direction
+ DESCRIPTION Specifies whether the SA is for inbound or outbound
+ traffic.
+ SYNTAX unsigned 8-bit integer
+ VALUE 1 - this SA is for inbound traffic
+ 2 - this SA is for outbound traffic
+
+6.20 The Association Class PeerGatewayForPreconfiguredTunnel
+
+ The class PeerGatewayForPreconfiguredTunnel associates zero or one
+ PeerGateways with multiple PreconfiguredTunnelActions. The class
+ definition for PeerGatewayForPreconfiguredTunnel is as follows:
+
+ NAME PeerGatewayForPreconfiguredTunnel
+ DESCRIPTION Associates a PeerGateway with multiple
+ PreconfiguredTunnelActions.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref PeerGateway[0..1]]
+ Dependent[ref PreconfiguredTunnelAction[0..n]]
+
+6.20.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to a PeerGateway instance. The [0..1]
+ cardinality indicates that a PreconfiguredTunnelAction instance may
+ be associated with one PeerGteway instance.
+
+6.20.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to a PreconfiguredTunnelAction instance. The [0..n]
+ cardinality indicates that a PeerGateway instance may be associated
+ with zero or more PreconfiguredSAAction instances.
+
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 49]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+7. Proposal and Transform Classes
+
+ The proposal and transform classes model the proposal settings an
+ IPsec device will use during IKE phase 1 and 2 negotiations.
+
+ +--------------+*w 1+--------------+
+ | [SAProposal] |--------| System |
+ +--------------+ (a) | ([CIMCORE]) |
+ ^ +--------------+
+ | |1
+ +----------------------+ |
+ | | |
+ +-------------+ +---------------+ |
+ | IKEProposal | | IPsecProposal | |
+ +-------------+ +---------------+ |
+ *o |
+ |(b) |(c)
+ n| |
+ +---------------+*w |
+ | [SATransform] |----+
+ +---------------+
+ ^
+ |
+ +--------------------+-----------+---------+
+ | | |
+ +-------------+ +--------------+ +----------------+
+ | AHTransform | | ESPTransform | |IPCOMPTransform |
+ +-------------+ +--------------+ +----------------+
+
+ (a) SAProposalInSystem
+ (b) ContainedTransform
+ (c) SATransformInSystem
+
+7.1. The Abstract Class SAProposal
+
+ The abstract class SAProposal serves as the base class for the IKE
+ and IPsec proposal classes. It specifies the parameters that are
+ common to the two proposal types. The class definition for
+ SAProposal is as follows:
+
+ NAME SAProposal
+ DESCRIPTION Specifies the common proposal parameters for IKE and
+ IPsec security association negotiation.
+ DERIVED FROM Policy ([PCIM])
+ ABSTRACT TRUE
+ PROPERTIES Name
+
+
+
+
+
+Jason, et al. Standards Track [Page 50]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+7.1.1. The Property Name
+
+ The property Name specifies a user-friendly name for the SAProposal.
+ The property is defined as follows:
+
+ NAME Name
+ DESCRIPTION Specifies a user-friendly name for this proposal.
+ SYNTAX string
+
+7.2. The Class IKEProposal
+
+ The class IKEProposal specifies the proposal parameters necessary to
+ drive an IKE security association negotiation. The class definition
+ for IKEProposal is as follows:
+
+ NAME IKEProposal
+ DESCRIPTION Specifies the proposal parameters for IKE security
+ association negotiation.
+ DERIVED FROM SAProposal
+ ABSTRACT FALSE
+ PROPERTIES CipherAlgorithm
+ HashAlgorithm
+ PRFAlgorithm
+ GroupId
+ AuthenticationMethod
+ MaxLifetimeSeconds
+ MaxLifetimeKilobytes
+ VendorID
+
+7.2.1. The Property CipherAlgorithm
+
+ The property CipherAlgorithm specifies the proposed phase 1 security
+ association encryption algorithm. The property is defined as
+ follows:
+
+ NAME CipherAlgorithm
+ DESCRIPTION Specifies the proposed encryption algorithm for the
+ phase 1 security association.
+ SYNTAX unsigned 16-bit integer
+ VALUE Consult [IKE] for valid values.
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 51]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+7.2.2. The Property HashAlgorithm
+
+ The property HashAlgorithm specifies the proposed phase 1 security
+ association hash algorithm. The property is defined as follows:
+
+ NAME HashAlgorithm
+ DESCRIPTION Specifies the proposed hash algorithm for the phase 1
+ security association.
+ SYNTAX unsigned 16-bit integer
+ VALUE Consult [IKE] for valid values.
+
+7.2.3. The Property PRFAlgorithm
+
+ The property PRFAlgorithm specifies the proposed phase 1 security
+ association pseudo-random function. The property is defined as
+ follows:
+
+ NAME PRFAlgorithm
+ DESCRIPTION Specifies the proposed pseudo-random function for the
+ phase 1 security association.
+ SYNTAX unsigned 16-bit integer
+ VALUE Currently none defined in [IKE], if [IKE, DOI] are
+ extended, then the values of [IKE, DOI] are to be
+ used for values of PRFAlgorithm.
+
+7.2.4. The Property GroupId
+
+ The property GroupId specifies the proposed phase 1 security
+ association key exchange group. This property is ignored for all
+ aggressive mode exchanges. If the GroupID number is from the
+ vendor-specific range (32768-65535), the property VendorID qualifies
+ the group number. The property is defined as follows:
+
+ NAME GroupId
+ DESCRIPTION Specifies the proposed key exchange group for the
+ phase 1 security association.
+ SYNTAX unsigned 16-bit integer
+ VALUE Consult [IKE] for valid values.
+
+ Note: The value of this property is to be ignored in aggressive mode.
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 52]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+7.2.5. The Property AuthenticationMethod
+
+ The property AuthenticationMethod specifies the proposed phase 1
+ authentication method. The property is defined as follows:
+
+ NAME AuthenticationMethod
+ DESCRIPTION Specifies the proposed authentication method for the
+ phase 1 security association.
+ SYNTAX unsigned 16-bit integer
+ VALUE 0 - a special value that indicates that this
+ particular proposal should be repeated once for each
+ authentication method that corresponds to the
+ credentials installed on the machine. For example,
+ if the system has a pre-shared key and a certificate,
+ a proposal list could be constructed that includes a
+ proposal that specifies a pre-shared key and
+ proposals for any of the public-key authentication
+ methods. Consult [IKE] for valid values.
+
+7.2.6. The Property MaxLifetimeSeconds
+
+ The property MaxLifetimeSeconds specifies the proposed maximum time,
+ in seconds, that a security association will remain valid after its
+ creation. The property is defined as follows:
+
+ NAME MaxLifetimeSeconds
+ DESCRIPTION Specifies the proposed maximum time that a
+ security association will remain valid.
+ SYNTAX unsigned 64-bit integer
+ VALUE A value of zero indicates that the default of 8
+ hours be used. A non-zero value indicates the
+ maximum seconds lifetime.
+
+ Note: While IKE can negotiate the lifetime as an arbitrary length
+ field, the authors have assumed that a 64-bit integer will be
+ sufficient.
+
+7.2.7. The Property MaxLifetimeKilobytes
+
+ The property MaxLifetimeKilobytes specifies the proposed maximum
+ kilobyte lifetime that a security association will remain valid after
+ its creation. The property is defined as follows:
+
+ NAME MaxLifetimeKilobytes
+ DESCRIPTION Specifies the proposed maximum kilobyte lifetime
+ that a security association will remain valid.
+ SYNTAX unsigned 64-bit integer
+
+
+
+
+Jason, et al. Standards Track [Page 53]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ VALUE A value of zero indicates that there should be no
+ maximum kilobyte lifetime. A non-zero value
+ specifies the desired kilobyte lifetime.
+
+ Note: While IKE can negotiate the lifetime as an arbitrary length
+ field, the authors have assumed that a 64-bit integer will be
+ sufficient.
+
+7.2.8. The Property VendorID
+
+ The property VendorID further qualifies the key exchange group. The
+ property is ignored unless the exchange is not in aggressive mode and
+ the property GroupID is in the vendor-specific range. The property
+ is defined as follows:
+
+ NAME VendorID
+ DESCRIPTION Specifies the Vendor ID to further qualify the key
+ exchange group.
+ SYNTAX string
+
+7.3. The Class IPsecProposal
+
+ The class IPsecProposal adds no new properties, but inherits proposal
+ properties from SAProposal, as well as aggregating the security
+ association transforms necessary for building an IPsec proposal (see
+ the aggregation class ContainedTransform). The class definition for
+ IPsecProposal is as follows:
+
+ NAME IPsecProposal
+ DESCRIPTION Specifies the proposal parameters for IPsec security
+ association negotiation.
+ DERIVED FROM SAProposal
+ ABSTRACT FALSE
+
+7.4. The Abstract Class SATransform
+
+ The abstract class SATransform serves as the base class for the IPsec
+ transforms that can be used to compose an IPsec proposal or to be
+ used as a pre-configured action. The class definition for
+ SATransform is as follows:
+
+ NAME SATransform
+ DESCRIPTION Base class for the different IPsec transforms.
+ ABSTRACT TRUE
+ PROPERTIES CommonName (from Policy)
+ VendorID
+ MaxLifetimeSeconds
+ MaxLifetimeKilobytes
+
+
+
+Jason, et al. Standards Track [Page 54]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+
+7.4.1. The Property CommonName
+
+ The property CommonName is inherited from Policy [PCIM] and specifies
+ a user-friendly name for the SATransform. The property is defined as
+ follows:
+
+ NAME CommonName
+ DESCRIPTION Specifies a user-friendly name for this Policy-
+ related object.
+ SYNTAX string
+
+7.4.2. The Property VendorID
+
+ The property VendorID specifies the vendor ID for vendor-defined
+ transforms. The property is defined as follows:
+
+ NAME VendorID
+ DESCRIPTION Specifies the vendor ID for vendor-defined
+ transforms.
+ SYNTAX string
+ VALUE An empty VendorID string indicates that the transform
+ is a standard one.
+
+7.4.3. The Property MaxLifetimeSeconds
+
+ The property MaxLifetimeSeconds specifies the proposed maximum time,
+ in seconds, that a security association will remain valid after its
+ creation. The property is defined as follows:
+
+ NAME MaxLifetimeSeconds
+ DESCRIPTION Specifies the proposed maximum time that a
+ security association will remain valid.
+ SYNTAX unsigned 64-bit integer
+ VALUE A value of zero indicates that the default of 8 hours
+ be used. A non-zero value indicates the maximum
+ seconds lifetime.
+
+ Note: While IKE can negotiate the lifetime as an arbitrary length
+ field, the authors have assumed that a 64-bit integer will be
+ sufficient.
+
+7.4.4. The Property MaxLifetimeKilobytes
+
+ The property MaxLifetimeKilobytes specifies the proposed maximum
+ kilobyte lifetime that a security association will remain valid after
+ its creation. The property is defined as follows:
+
+
+
+
+Jason, et al. Standards Track [Page 55]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ NAME MaxLifetimeKilobytes
+ DESCRIPTION Specifies the proposed maximum kilobyte lifetime
+ that a security association will remain valid.
+ SYNTAX unsigned 64-bit integer
+ VALUE A value of zero indicates that there should be no
+ maximum kilobyte lifetime. A non-zero value
+ specifies the desired kilobyte lifetime.
+
+ Note: While IKE can negotiate the lifetime as an arbitrary length
+ field, the authors have assumed that a 64-bit integer will be
+ sufficient.
+
+7.5. The Class AHTransform
+
+ The class AHTransform specifies the AH algorithm to propose during
+ IPsec security association negotiation. The class definition for
+ AHTransform is as follows:
+
+ NAME AHTransform
+ DESCRIPTION Specifies the proposed AH algorithm.
+ ABSTRACT FALSE
+ PROPERTIES AHTransformId
+ UseReplayPrevention
+ ReplayPreventionWindowSize
+
+7.5.1. The Property AHTransformId
+
+ The property AHTransformId specifies the transform ID of the AH
+ algorithm. The property is defined as follows:
+
+ NAME AHTransformId
+ DESCRIPTION Specifies the transform ID of the AH algorithm.
+ SYNTAX unsigned 16-bit integer
+ VALUE Consult [DOI] for valid values.
+
+7.5.2. The Property UseReplayPrevention
+
+ The property UseReplayPrevention specifies whether replay prevention
+ detection is to be used. The property is defined as follows:
+
+ NAME UseReplayPrevention
+ DESCRIPTION Specifies whether to enable replay prevention
+ detection.
+ SYNTAX boolean
+ VALUE true - replay prevention detection is enabled.
+ false - replay prevention detection is disabled.
+
+
+
+
+
+Jason, et al. Standards Track [Page 56]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+7.5.3. The Property ReplayPreventionWindowSize
+
+ The property ReplayPreventionWindowSize specifies, in bits, the
+ length of the sliding window used by the replay prevention detection
+ mechanism. The value of this property is meaningless if
+ UseReplayPrevention is false. It is assumed that the window size
+ will be power of 2. The property is defined as follows:
+
+ NAME ReplayPreventionWindowSize
+ DESCRIPTION Specifies the length of the window used by the replay
+ prevention detection mechanism.
+ SYNTAX unsigned 32-bit integer
+
+7.6. The Class ESPTransform
+
+ The class ESPTransform specifies the ESP algorithms to propose
+ during IPsec security association negotiation. The class definition
+ for ESPTransform is as follows:
+
+ NAME ESPTransform
+ DESCRIPTION Specifies the proposed ESP algorithms.
+ ABSTRACT FALSE
+ PROPERTIES IntegrityTransformId
+ CipherTransformId
+ CipherKeyLength
+ CipherKeyRounds
+ UseReplayPrevention
+ ReplayPreventionWindowSize
+
+7.6.1. The Property IntegrityTransformId
+
+ The property IntegrityTransformId specifies the transform ID of the
+ ESP integrity algorithm. The property is defined as follows:
+
+ NAME IntegrityTransformId
+ DESCRIPTION Specifies the transform ID of the ESP integrity
+ algorithm.
+ SYNTAX unsigned 16-bit integer
+ VALUE Consult [DOI] for valid values.
+
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 57]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+7.6.2. The Property CipherTransformId
+
+ The property CipherTransformId specifies the transform ID of the ESP
+ encryption algorithm. The property is defined as follows:
+
+ NAME CipherTransformId
+ DESCRIPTION Specifies the transform ID of the ESP encryption
+ algorithm.
+ SYNTAX unsigned 16-bit integer
+ VALUE Consult [DOI] for valid values.
+
+7.6.3. The Property CipherKeyLength
+
+ The property CipherKeyLength specifies, in bits, the key length for
+ the ESP encryption algorithm. For encryption algorithms that use a
+ fixed-length keys, this value is ignored. The property is defined as
+ follows:
+
+ NAME CipherKeyLength
+ DESCRIPTION Specifies the ESP encryption key length in bits.
+ SYNTAX unsigned 16-bit integer
+
+7.6.4. The Property CipherKeyRounds
+
+ The property CipherKeyRounds specifies the number of key rounds for
+ the ESP encryption algorithm. For encryption algorithms that use
+ fixed number of key rounds, this value is ignored. The property is
+ defined as follows:
+
+ NAME CipherKeyRounds
+ DESCRIPTION Specifies the number of key rounds for the ESP
+ encryption algorithm.
+ SYNTAX unsigned 16-bit integer
+ VALUE Currently, key rounds are not defined for any ESP
+ encryption algorithms.
+
+7.6.5. The Property UseReplayPrevention
+
+ The property UseReplayPrevention specifies whether replay prevention
+ detection is to be used. The property is defined as follows:
+
+ NAME UseReplayPrevention
+ DESCRIPTION Specifies whether to enable replay prevention
+ detection.
+ SYNTAX boolean
+ VALUE true - replay prevention detection is enabled.
+ false - replay prevention detection is disabled.
+
+
+
+
+Jason, et al. Standards Track [Page 58]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+7.6.6. The Property ReplayPreventionWindowSize
+
+ The property ReplayPreventionWindowSize specifies, in bits, the
+ length of the sliding window used by the replay prevention detection
+ mechanism. The value of this property is meaningless if
+ UseReplayPrevention is false. It is assumed that the window size
+ will be power of 2. The property is defined as follows:
+
+ NAME ReplayPreventionWindowSize
+ DESCRIPTION Specifies the length of the window used by the replay
+ prevention detection mechanism.
+ SYNTAX unsigned 32-bit integer
+
+7.7. The Class IPCOMPTransform
+
+ The class IPCOMPTransform specifies the IP compression (IPCOMP)
+ algorithm to propose during IPsec security association negotiation.
+ The class definition for IPCOMPTransform is as follows:
+
+ NAME IPCOMPTransform
+ DESCRIPTION Specifies the proposed IPCOMP algorithm.
+ ABSTRACT FALSE
+ PROPERTIES Algorithm
+ DictionarySize
+ PrivateAlgorithm
+
+7.7.1. The Property Algorithm
+
+ The property Algorithm specifies the transform ID of the IPCOMP
+ compression algorithm. The property is defined as follows:
+
+ NAME Algorithm
+ DESCRIPTION Specifies the transform ID of the IPCOMP compression
+ algorithm.
+ SYNTAX unsigned 16-bit integer
+ VALUE 1 - OUI: a vendor specific algorithm is used and
+ specified in the property PrivateAlgorithm. Consult
+ [DOI] for other valid values.
+
+7.7.2. The Property DictionarySize
+
+ The property DictionarySize specifies the log2 maximum size of the
+ dictionary for the compression algorithm. For compression algorithms
+ that have pre-defined dictionary sizes, this value is ignored. The
+ property is defined as follows:
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 59]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ NAME DictionarySize
+ DESCRIPTION Specifies the log2 maximum size of the dictionary.
+ SYNTAX unsigned 16-bit integer
+
+7.7.3. The Property PrivateAlgorithm
+
+ The property PrivateAlgorithm specifies a private vendor-specific
+ compression algorithm. This value is only used when the property
+ Algorithm is 1 (OUI). The property is defined as follows:
+
+ NAME PrivateAlgorithm
+ DESCRIPTION Specifies a private vendor-specific compression
+ algorithm.
+ SYNTAX unsigned 32-bit integer
+
+7.8. The Association Class SAProposalInSystem
+
+ The class SAProposalInSystem weakly associates SAProposals with a
+ System. The class definition for SAProposalInSystem is as follows:
+
+ NAME SAProposalInSystem
+ DESCRIPTION Weakly associates SAProposals with a System.
+ DERIVED FROM PolicyInSystem (see [PCIM])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref System [1..1]]
+ Dependent[ref SAProposal[0..n] [weak]]
+
+7.8.1. The Reference Antecedent
+
+ The property Antecedent is inherited from the PolicyInSystem and is
+ overridden to refer to a System instance. The [1..1] cardinality
+ indicates that an SAProposal instance MUST be associated with one and
+ only one System instance.
+
+7.8.2. The Reference Dependent
+
+ The property Dependent is inherited from PolicyInSystem and is
+ overridden to refer to an SAProposal instance. The [0..n]
+ cardinality indicates that a System instance may be associated with
+ zero or more SAProposal instances.
+
+7.9. The Aggregation Class ContainedTransform
+
+ The class ContainedTransform associates an IPsecProposal with the set
+ of SATransforms that make up the proposal. If multiple transforms of
+ the same type are in a proposal, then they are to be logically ORed
+ and the order of preference is dictated by the SequenceNumber
+ property. Sets of transforms of different types are logically ANDed.
+
+
+
+Jason, et al. Standards Track [Page 60]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ For example, if the ordered proposal list were
+
+ ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
+ AH = { MD5, SHA-1 }
+
+ then the one sending the proposal would want the other side to pick
+ one from the ESP transform (preferably (HMAC-MD5, 3DES)) list AND one
+ from the AH transform list (preferably MD5).
+
+ The class definition for ContainedTransform is as follows:
+
+ NAME ContainedTransform
+ DESCRIPTION Associates an IPsecProposal with the set of
+ SATransforms that make up the proposal.
+ DERIVED FROM PolicyComponent (see [PCIM])
+ ABSTRACT FALSE
+ PROPERTIES GroupComponent[ref IPsecProposal[0..n]]
+ PartComponent[ref SATransform[1..n]]
+ SequenceNumber
+
+7.9.1. The Reference GroupComponent
+
+ The property GroupComponent is inherited from PolicyComponent and is
+ overridden to refer to an IPsecProposal instance. The [0..n]
+ cardinality indicates that an SATransform instance may be associated
+ with zero or more IPsecProposal instances.
+
+7.9.2. The Reference PartComponent
+
+ The property PartComponent is inherited from PolicyComponent and is
+ overridden to refer to an SATransform instance. The [1..n]
+ cardinality indicates that an IPsecProposal instance MUST be
+ associated with at least one SATransform instance.
+
+7.9.3. The Property SequenceNumber
+
+ The property SequenceNumber specifies the order of preference for the
+ SATransforms of the same type. The property is defined as follows:
+
+ NAME SequenceNumber
+ DESCRIPTION Specifies the preference order for the SATransforms
+ of the same type.
+ SYNTAX unsigned 16-bit integer
+ VALUE Lower-valued transforms are preferred over transforms
+ of the same type with higher values. For
+ ContainedTransforms that reference the same
+ IPsecProposal, SequenceNumber values must be unique.
+
+
+
+
+Jason, et al. Standards Track [Page 61]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+7.10. The Association Class SATransformInSystem
+
+ The class SATransformInSystem weakly associates SATransforms with a
+ System. The class definition for SATransformInSystem System is as
+ follows:
+
+ NAME SATransformInSystem
+ DESCRIPTION Weakly associates SATransforms with a System.
+ DERIVED FROM PolicyInSystem (see [PCIM])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent[ref System[1..1]]
+ Dependent[ref SATransform[0..n] [weak]]
+
+7.10.1. The Reference Antecedent
+
+ The property Antecedent is inherited from PolicyInSystem and is
+ overridden to refer to a System instance. The [1..1] cardinality
+ indicates that an SATransform instance MUST be associated with one
+ and only one System instance.
+
+7.10.2. The Reference Dependent
+
+ The property Dependent is inherited from PolicyInSystem and is
+ overridden to refer to an SATransform instance. The [0..n]
+ cardinality indicates that a System instance may be associated with
+ zero or more SATransform instances.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 62]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+8. IKE Service and Identity Classes
+
+ +--------------+ +-------------------+
+ | System | | PeerIdentityEntry |
+ | ([CIMCORE]) | +-------------------+
+ +--------------+ |*w
+ 1| (a) (b) |
+ +---+ +------------+
+ | |
+ |*w 1 o
+ +-------------+ +-------------------+ +---------------------+
+ | PeerGateway | | PeerIdentityTable | | AutostartIKESetting |
+ +-------------+ +-------------------+ +---------------------+
+ *| *| *| *|
+ +----------------------+ |(d) +----------+ |
+ (c) *| *| *| (e) |
+ *+------------+* |(f)
+ +-----------------| IKEService |-----+ |
+ | (g) +------------+ |(h) |
+ 0..1| *| *| *o
+ +--------------------+ | +---------------------------+
+ | IPProtocolEndpoint | | | AutostartIKEConfiguration |
+ | ([CIMNETWORK]) | (i)| +---------------------------+
+ +--------------------+ |
+ 0..1| |
+ |(j) +----------------+
+ *| |*
+ +-------------+* (k) +------------+ +-----------------------------+
+ | IKEIdentity |-------| Collection | | CredentialManagementService |
+ +-------------+ 0..1| ([CIMCORE])| | ([CIMUSER]) |
+ *| +------------+ +-----------------------------+
+ |(l)
+ *|
+ +--------------+
+ | Credential |
+ | ([CIMUSER]) |
+ +--------------+
+
+ (a) HostedPeerIdentityTable
+ (b) PeerIdentityMember
+ (c) IKEServicePeerGateway
+ (d) IKEServicePeerIdentityTable
+ (e) IKEAutostartSetting
+ (f) AutostartIKESettingContext
+ (g) IKEServiceForEndpoint
+ (h) IKEAutostartConfiguration
+ (i) IKEUsesCredentialManagementService
+ (j) EndpointHasLocalIKEIdentity
+
+
+
+Jason, et al. Standards Track [Page 63]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ (k) CollectionHasLocalIKEIdentity
+ (l) IKEIdentitysCredential
+
+ This portion of the model contains additional information that is
+ useful in applying the policy. The IKEService class MAY be used to
+ represent the IKE negotiation function in a system. The IKEService
+ uses the various tables that contain information about IKE peers as
+ well as the configuration for specifying security associations that
+ are started automatically. The information in the PeerGateway,
+ PeerIdentityTable and related classes is necessary to completely
+ specify the policies.
+
+ An interface (represented by an IPProtocolEndpoint) has an IKEService
+ that provides the negotiation services for that interface. That
+ service MAY also have a list of security associations automatically
+ started at the time the IKE service is initialized.
+
+ The IKEService also has a set of identities that it may use in
+ negotiations with its peers. Those identities are associated with
+ the interfaces (or collections of interfaces).
+
+8.1. The Class IKEService
+
+ The class IKEService represents the IKE negotiation function. An
+ instance of this service may provide that negotiation service for one
+ or more interfaces (represented by the IPProtocolEndpoint class) of a
+ System. There may be multiple instances of IKE services on a System
+ but only one per interface. The class definition for IKEService is
+ as follows:
+
+ NAME IKEService
+ DESCRIPTION IKEService is used to represent the IKE negotiation
+ function.
+ DERIVED FROM Service (see [CIMCORE])
+ ABSTRACT FALSE
+
+8.2. The Class PeerIdentityTable
+
+ The class PeerIdentityTable aggregates the table entries that provide
+ mappings between identities and their addresses. The class
+ definition for PeerIdentityTable is as follows:
+
+ NAME PeerIdentityTable
+ DESCRIPTION PeerIdentityTable aggregates PeerIdentityEntry
+ instances to provide a table of identity-address
+ mappings.
+ DERIVED FROM Collection (see [CIMCORE])
+
+
+
+
+Jason, et al. Standards Track [Page 64]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ ABSTRACT FALSE
+ PROPERTIES Name
+
+8.2.1. The Property Name
+
+ The property Name uniquely identifies the table. The property is
+ defined as follows:
+
+ NAME Name
+ DESCRIPTION Name uniquely identifies the table.
+ SYNTAX string
+
+8.3. The Class PeerIdentityEntry
+
+ The class PeerIdentityEntry specifies the mapping between peer
+ identity and their IP address. The class definition for
+ PeerIdentityEntry is as follows:
+
+ NAME PeerIdentityEntry
+ DESCRIPTION PeerIdentityEntry provides a mapping between a peer's
+ identity and address.
+ DERIVED FROM LogicalElement (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES PeerIdentity
+ PeerIdentityType
+ PeerAddress
+ PeerAddressType
+
+ The pre-shared key to be used with this peer (if applicable) is
+ contained in an instance of the class SharedSecret (see [CIMUSER]).
+ The pre-shared key is stored in the property Secret, the property
+ protocol contains "IKE", the property algorithm contains the
+ algorithm used to protect the secret (can be "PLAINTEXT" if the IPsec
+ entity has no secret storage), the value of property RemoteID must
+ match the PeerIdentity property of the PeerIdentityEntry instance
+ describing the IKE peer.
+
+8.3.1. The Property PeerIdentity
+
+ The property PeerIdentity contains a string encoding of the Identity
+ payload for the IKE peer. The property is defined as follows:
+
+ NAME PeerIdentity
+ DESCRIPTION The PeerIdentity is the ID payload of a peer.
+ SYNTAX string
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 65]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+8.3.2. The Property PeerIdentityType
+
+ The property PeerIdentityType is an enumeration that specifies the
+ type of the PeerIdentity. The property is defined as follows:
+
+ NAME PeerIdentityType
+ DESCRIPTION PeerIdentityType is the type of the ID payload of a
+ peer.
+ SYNTAX unsigned 16-bit integer
+ VALUE The enumeration values are specified in [DOI] section
+ 4.6.2.1.
+
+8.3.3. The Property PeerAddress
+
+ The property PeerAddress specifies the string representation of the
+ IP address of the peer formatted according to the appropriate
+ convention as defined in the PeerAddressType property (e.g., dotted
+ decimal notation). The property is defined as follows:
+
+ NAME PeerAddress
+ DESCRIPTION PeerAddress is the address of the peer with the ID
+ payload.
+ SYNTAX string
+ VALUE String representation of an IPv4 or IPv6 address.
+
+8.3.4. The Property PeerAddressType
+
+ The property PeerAddressType specifies the format of the PeerAddress
+ property value. The property is defined as follows:
+
+ NAME PeerAddressType
+ DESCRIPTION PeerAddressType is the type of address in
+ PeerAddress.
+ SYNTAX unsigned 16-bit integer
+ VALUE 0 - Unknown
+ 1 - IPv4
+ 2 - IPv6
+
+8.4. The Class AutostartIKEConfiguration
+
+ The class AutostartIKEConfiguration groups AutostartIKESetting
+ instances into configuration sets. When applied, the settings cause
+ an IKE service to automatically start (negotiate or statically set as
+ appropriate) the Security Associations. The class definition for
+ AutostartIKEConfiguration is as follows:
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 66]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ NAME AutostartIKEConfiguration
+ DESCRIPTION A configuration set of AutostartIKESetting instances
+ to be automatically started by the IKE service.
+ DERIVED FROM SystemConfiguration (see [CIMCORE])
+ ABSTRACT FALSE
+
+8.5. The Class AutostartIKESetting
+
+ The class AutostartIKESetting is used to automatically initiate IKE
+ negotiations with peers (or statically create an SA) as specified in
+ the AutostartIKESetting properties. Appropriate actions are
+ initiated according to the policy that matches the setting
+ parameters. The class definition for AutostartIKESetting is as
+ follows:
+
+ NAME AutostartIKESetting
+ DESCRIPTION AutostartIKESetting is used to automatically initiate
+ IKE negotiations with peers or statically create an
+ SA.
+ DERIVED FROM SystemSetting (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Phase1Only
+ AddressType
+ SourceAddress
+ SourcePort
+ DestinationAddress
+ DestinationPort
+ Protocol
+
+8.5.1. The Property Phase1Only
+
+ The property Phase1Only is used to limit the IKE negotiation to a
+ phase 1 SA establishment only. When set to False, both phase 1 and
+ phase 2 SAs are negotiated. The property is defined as follows:
+
+ NAME Phase1Only
+ DESCRIPTION Used to indicate whether a phase 1 only or both phase
+ 1 and phase 2 security associations should attempt
+ establishment.
+ SYNTAX boolean
+ VALUE true - attempt to establish a phase 1 security
+ association
+ false - attempt to establish phase 1 and phase 2
+ security associations
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 67]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+8.5.2. The Property AddressType
+
+ The property AddressType specifies a type of the addresses in the
+ SourceAddress and DestinationAddress properties. The property is
+ defined as follows:
+
+ NAME AddressType
+ DESCRIPTION AddressType is the type of address in SourceAddress
+ and DestinationAddress properties.
+ SYNTAX unsigned 16-bit integer
+ VALUE 0 - Unknown
+ 1 - IPv4
+ 2 - IPv6
+
+8.5.3. The Property SourceAddress
+
+ The property SourceAddress specifies the dotted-decimal or colon-
+ decimal formatted IP address used as the source address in comparing
+ with policy filter entries and used in any phase 2 negotiations. The
+ property is defined as follows:
+
+ NAME SourceAddress
+ DESCRIPTION The source address to compare with the filters to
+ determine the appropriate policy rule.
+ SYNTAX string
+ VALUE dotted-decimal or colon-decimal formatted IP address
+
+8.5.4. The Property SourcePort
+
+ The property SourcePort specifies the port number used as the source
+ port in comparing policy filter entries and is used in any phase 2
+ negotiations. The property is defined as follows:
+
+ NAME SourcePort
+ DESCRIPTION The source port to compare with the filters to
+ determine the appropriate policy rule.
+ SYNTAX unsigned 16-bit integer
+
+8.5.5. The Property DestinationAddress
+
+ The property DestinationAddress specifies the dotted-decimal or
+ colon-decimal formatted IP address used as the destination address in
+ comparing policy filter entries and is used in any phase 2
+ negotiations. The property is defined as follows:
+
+ NAME DestinationAddress
+ DESCRIPTION The destination address to compare with the filters
+ to determine the appropriate policy rule.
+
+
+
+Jason, et al. Standards Track [Page 68]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ SYNTAX string
+ VALUE dotted-decimal or colon-decimal formatted IP address
+
+8.5.6. The Property DestinationPort
+
+ The property DestinationPort specifies the port number used as the
+ destination port in comparing policy filter entries and is used in
+ any phase 2 negotiations. The property is defined as follows:
+
+ NAME DestinationPort
+ DESCRIPTION The destination port to compare with the filters to
+ determine the appropriate policy rule.
+ SYNTAX unsigned 16-bit integer
+
+8.5.7. The Property Protocol
+
+ The property Protocol specifies the protocol number used in comparing
+ with policy filter entries and is used in any phase 2 negotiations.
+ The property is defined as follows:
+
+ NAME Protocol
+ DESCRIPTION The protocol number used in comparing policy
+ filter entries.
+ SYNTAX unsigned 8-bit integer
+
+8.6. The Class IKEIdentity
+
+ The class IKEIdentity is used to represent the identities that may be
+ used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints)
+ to identify the IKE Service in IKE phase 1 negotiations. The policy
+ IKEAction.UseIKEIdentityType specifies which type of the available
+ identities to use in a negotiation exchange and the
+ IKERule.IdentityContexts specifies the match values to be used, along
+ with the local address, in selecting the appropriate identity for a
+ negotiation. The ElementID property value (defined in the parent
+ class, UsersAccess) should be that of either the IPProtocolEndpoint
+ or Collection of endpoints as appropriate. The class definition for
+ IKEIdentity is as follows:
+
+ NAME IKEIdentity
+ DESCRIPTION IKEIdentity is used to represent the identities that
+ may be used for an IPProtocolEndpoint (or collection
+ of IPProtocolEndpoints) to identify the IKE Service
+ in IKE phase 1 negotiations.
+ DERIVED FROM UsersAccess (see [CIMUSER])
+ ABSTRACT FALSE
+
+
+
+
+
+Jason, et al. Standards Track [Page 69]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ PROPERTIES IdentityType
+ IdentityValue
+ IdentityContexts
+
+8.6.1. The Property IdentityType
+
+ The property IdentityType is an enumeration that specifies the type
+ of the IdentityValue. The property is defined as follows:
+
+ NAME IdentityType
+ DESCRIPTION IdentityType is the type of the IdentityValue.
+ SYNTAX unsigned 16-bit integer
+ VALUE The enumeration values are specified in [DOI] section
+ 4.6.2.1.
+
+8.6.2. The Property IdentityValue
+
+ The property IdentityValue contains a string encoding of the Identity
+ payload. For IKEIdentity instances that are address types (i.e.,
+ IPv4 or IPv6 addresses), the IdentityValue string value MAY be
+ omitted; then the associated IPProtocolEndpoint (or appropriate
+ member of the Collection of endpoints) is used as the identity value.
+ The property is defined as follows:
+
+ NAME IdentityValue
+ DESCRIPTION IdentityValue contains a string encoding of the
+ Identity payload.
+ SYNTAX string
+
+8.6.3. The Property IdentityContexts
+
+ The IdentityContexts property is used to constrain the use of
+ IKEIdentity instances to match that specified in the
+ IKERule.IdentityContexts. The IdentityContexts are formatted as
+ policy roles and role combinations [PCIM] & [PCIME]. Each value
+ represents one context or context combination. Since this is a
+ multi-valued property, more than one context or combination of
+ contexts can be associated with a single IKEIdentity. Each value is
+ a string of the form:
+
+ <ContextName>[&&<ContextName>]*
+
+ where the individual context names appear in alphabetical order
+ (according to the collating sequence for UCS-2). If one or more
+ values in the IKERule.IdentityContexts array match one or more
+ IKEIdentity.IdentityContexts, then the identity's context matches.
+ (That is, each value of the IdentityContext array is an ORed
+ condition.) In combination with the address of the
+
+
+
+Jason, et al. Standards Track [Page 70]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
+ exactly one IKEIdentity. The property is defined as follows:
+
+ NAME IdentityContexts
+ DESCRIPTION The IKE service of a security endpoint may have
+ multiple identities for use in different situations.
+ The combination of the interface (represented by
+ the IPProtocolEndpoint), the identity type (as
+ specified in the IKEAction) and the IdentityContexts
+ selects a unique identity.
+ SYNTAX string array
+ VALUE string of the form <ContextName>[&&<ContextName>]*
+
+8.7. The Association Class HostedPeerIdentityTable
+
+ The class HostedPeerIdentityTable provides the name scoping
+ relationship for PeerIdentityTable entries in a System. The
+ PeerIdentityTable is weak to the System. The class definition for
+ HostedPeerIdentityTable is as follows:
+
+ NAME HostedPeerIdentityTable
+ DESCRIPTION The PeerIdentityTable instances are weak (name scoped
+ by) the owning System.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref System[1..1]]
+ Dependent [ref PeerIdentityTable[0..n] [weak]]
+
+8.7.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to a System instance. The [1..1] cardinality
+ indicates that a PeerIdentityTable instance MUST be associated in a
+ weak relationship with one and only one System instance.
+
+8.7.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to a PeerIdentityTable instance. The [0..n] cardinality
+ indicates that a System instance may be associated with zero or more
+ PeerIdentityTable instances.
+
+8.8. The Aggregation Class PeerIdentityMember
+
+ The class PeerIdentityMember aggregates PeerIdentityEntry instances
+ into a PeerIdentityTable. This is a weak aggregation. The class
+ definition for PeerIdentityMember is as follows:
+
+
+
+
+Jason, et al. Standards Track [Page 71]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ NAME PeerIdentityMember
+ DESCRIPTION PeerIdentityMember aggregates PeerIdentityEntry
+ instances into a PeerIdentityTable.
+ DERIVED FROM MemberOfCollection (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Collection [ref PeerIdentityTable[1..1]]
+ Member [ref PeerIdentityEntry [0..n] [weak]]
+
+8.8.1. The Reference Collection
+
+ The property Collection is inherited from MemberOfCollection and is
+ overridden to refer to a PeerIdentityTable instance. The [1..1]
+ cardinality indicates that a PeerIdentityEntry instance MUST be
+ associated with one and only one PeerIdentityTable instance (i.e.,
+ PeerIdentityEntry instances are not shared across
+ PeerIdentityTables).
+
+8.8.2. The Reference Member
+
+ The property Member is inherited from MemberOfCollection and is
+ overridden to refer to a PeerIdentityEntry instance. The [0..n]
+ cardinality indicates that a PeerIdentityTable instance may be
+ associated with zero or more PeerIdentityEntry instances.
+
+8.9. The Association Class IKEServicePeerGateway
+
+ The class IKEServicePeerGateway provides the association between an
+ IKEService and the list of PeerGateway instances that it uses in
+ negotiating with security gateways. The class definition for
+ IKEServicePeerGateway is as follows:
+
+ NAME IKEServicePeerGateway
+ DESCRIPTION Associates an IKEService and the list of PeerGateway
+ instances that it uses in negotiating with security
+ gateways.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref PeerGateway[0..n]]
+ Dependent [ref IKEService[0..n]]
+
+8.9.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to a PeerGateway instance. The [0..n]
+ cardinality indicates that an IKEService instance may be associated
+ with zero or more PeerGateway instances.
+
+
+
+
+
+Jason, et al. Standards Track [Page 72]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+8.9.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to an IKEService instance. The [0..n] cardinality indicates
+ that a PeerGateway instance may be associated with zero or more
+ IKEService instances.
+
+8.10. The Association Class IKEServicePeerIdentityTable
+
+ The class IKEServicePeerIdentityTable provides the relationship
+ between an IKEService and a PeerIdentityTable that it uses to map
+ between addresses and identities as required. The class definition
+ for IKEServicePeerIdentityTable is as follows:
+
+ NAME IKEServicePeerIdentityTable
+ DESCRIPTION IKEServicePeerIdentityTable provides the relationship
+ between an IKEService and a PeerIdentityTable that it
+ uses.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref PeerIdentityTable[0..n]]
+ Dependent [ref IKEService[0..n]]
+
+8.10.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to a PeerIdentityTable instance. The [0..n]
+ cardinality indicates that an IKEService instance may be associated
+ with zero or more PeerIdentityTable instances.
+
+8.10.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to an IKEService instance. The [0..n] cardinality indicates
+ that a PeerIdentityTable instance may be associated with zero or more
+ IKEService instances.
+
+8.11. The Association Class IKEAutostartSetting
+
+ The class IKEAutostartSetting associates an AutostartIKESetting with
+ an IKEService that may use it to automatically start an IKE
+ negotiation or create a static SA. The class definition for
+ IKEAutostartSetting is as follows:
+
+ NAME IKEAutostartSetting
+ DESCRIPTION Associates a AutostartIKESetting with an IKEService.
+ DERIVED FROM ElementSetting (see [CIMCORE])
+ ABSTRACT FALSE
+
+
+
+Jason, et al. Standards Track [Page 73]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ PROPERTIES Element [ref IKEService[0..n]]
+ Setting [ref AutostartIKESetting[0..n]]
+
+8.11.1. The Reference Element
+
+ The property Element is inherited from ElementSetting and is
+ overridden to refer to an IKEService instance. The [0..n]
+ cardinality indicates an AutostartIKESetting instance may be
+ associated with zero or more IKEService instances.
+
+8.11.2. The Reference Setting
+
+ The property Setting is inherited from ElementSetting and is
+ overridden to refer to an AutostartIKESetting instance. The [0..n]
+ cardinality indicates that an IKEService instance may be associated
+ with zero or more AutostartIKESetting instances.
+
+8.12. The Aggregation Class AutostartIKESettingContext
+
+ The class AutostartIKESettingContext aggregates the settings used to
+ automatically start negotiations or create a static SA into a
+ configuration set. The class definition for
+ AutostartIKESettingContext is as follows:
+
+ NAME AutostartIKESettingContext
+ DESCRIPTION AutostartIKESettingContext aggregates the
+ AutostartIKESetting instances into a configuration
+ set.
+ DERIVED FROM SystemSettingContext (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Context [ref AutostartIKEConfiguration [0..n]]
+ Setting [ref AutostartIKESetting [0..n]]
+ SequenceNumber
+
+8.12.1. The Reference Context
+
+ The property Context is inherited from SystemSettingContext and is
+ overridden to refer to an AutostartIKEConfiguration instance. The
+ [0..n] cardinality indicates that an AutostartIKESetting instance may
+ be associated with zero or more AutostartIKEConfiguration instances
+ (i.e., a setting may be in multiple configuration sets).
+
+8.12.2. The Reference Setting
+
+ The property Setting is inherited from SystemSettingContext and is
+ overridden to refer to an AutostartIKESetting instance. The [0..n]
+ cardinality indicates that an AutostartIKEConfiguration instance may
+ be associated with zero or more AutostartIKESetting instances.
+
+
+
+Jason, et al. Standards Track [Page 74]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+8.12.3. The Property SequenceNumber
+
+ The property SequenceNumber specifies the ordering to be used when
+ starting negotiations or creating a static SA. A zero value
+ indicates that order is not significant and settings may be applied
+ in parallel with other settings. All other settings in the
+ configuration are executed in sequence from lower to higher values.
+ Sequence numbers need not be unique in an AutostartIKEConfiguration
+ and order is not significant for settings with the same sequence
+ number. The property is defined as follows:
+
+ NAME SequenceNumber
+ DESCRIPTION The sequence in which the settings are applied
+ within a configuration set.
+ SYNTAX unsigned 16-bit integer
+
+8.13. The Association Class IKEServiceForEndpoint
+
+ The class IKEServiceForEndpoint provides the association showing
+ which IKE service, if any, provides IKE negotiation services for
+ which network interfaces. The class definition for
+ IKEServiceForEndpoint is as follows:
+
+ NAME IKEServiceForEndpoint
+ DESCRIPTION Associates an IPProtocolEndpoint with an IKEService
+ that provides negotiation services for the endpoint.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref IKEService[0..1]]
+ Dependent [ref IPProtocolEndpoint[0..n]]
+
+8.13.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to an IKEService instance. The [0..1]
+ cardinality indicates that an IPProtocolEndpoint instance MUST by
+ associated with at most one IKEService instance.
+
+8.13.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to an IPProtocolEndpoint that is associated with at most one
+ IKEService. The [0..n] cardinality indicates an IKEService instance
+ may be associated with zero or more IPProtocolEndpoint instances.
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 75]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+8.14. The Association Class IKEAutostartConfiguration
+
+ The class IKEAutostartConfiguration provides the relationship between
+ an IKEService and a configuration set that it uses to automatically
+ start a set of SAs. The class definition for
+ IKEAutostartConfiguration is as follows:
+
+ NAME IKEAutostartConfiguration
+ DESCRIPTION IKEAutostartConfiguration provides the relationship
+ between an IKEService and an
+ AutostartIKEConfiguration that it uses to
+ automatically start a set of SAs.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref AutostartIKEConfiguration [0..n]]
+ Dependent [ref IKEService [0..n]]
+ Active
+
+8.14.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to an AutostartIKEConfiguration instance. The
+ [0..n] cardinality indicates that an IKEService instance may be
+ associated with zero or more AutostartIKEConfiguration instances.
+
+8.14.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to an IKEService instance. The [0..n] cardinality indicates
+ that an AutostartIKEConfiguration instance may be associated with
+ zero or more IKEService instances.
+
+8.14.3. The Property Active
+
+ The property Active indicates whether the AutostartIKEConfiguration
+ set is currently active for the associated IKEService. That is, at
+ boot time, the active configuration is used to automatically start
+ IKE negotiations and create static SAs. The property is defined as
+ follows:
+
+ NAME Active
+ DESCRIPTION Active indicates whether the
+ AutostartIKEConfiguration set is currently active for
+ the associated IKEService.
+ SYNTAX boolean
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 76]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ VALUE true - AutostartIKEConfiguration is currently active
+ for associated IKEService.
+ false - AutostartIKEConfiguration is currently
+ inactive for associated IKEService.
+
+8.15. The Association Class IKEUsesCredentialManagementService
+
+ The class IKEUsesCredentialManagementService defines the set of
+ CredentialManagementService(s) that are trusted sources of
+ credentials for IKE phase 1 negotiations. The class definition for
+ IKEUsesCredentialManagementService is as follows:
+
+ NAME IKEUsesCredentialManagementService
+ DESCRIPTION Associates the set of CredentialManagementService(s)
+ that are trusted by the IKEService as sources of
+ credentials used in IKE phase 1 negotiations.
+ DERIVED FROM Dependency (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref CredentialManagementService [0..n]]
+ Dependent [ref IKEService [0..n]]
+
+8.15.1. The Reference Antecedent
+
+ The property Antecedent is inherited from Dependency and is
+ overridden to refer to a CredentialManagementService instance. The
+ [0..n] cardinality indicates that an IKEService instance may be
+ associated with zero or more CredentialManagementService instances.
+
+8.15.2. The Reference Dependent
+
+ The property Dependent is inherited from Dependency and is overridden
+ to refer to an IKEService instance. The [0..n] cardinality indicates
+ that a CredentialManagementService instance may be associated with
+ zero or more IKEService instances.
+
+8.16. The Association Class EndpointHasLocalIKEIdentity
+
+ The class EndpointHasLocalIKEIdentity associates an
+ IPProtocolEndpoint with a set of IKEIdentity instances that may be
+ used in negotiating security associations on the endpoint. An
+ IKEIdentity MUST be associated with either an IPProtocolEndpoint
+ using this association or with a collection of IKEIdentity instances
+ using the CollectionHasLocalIKEIdentity association. The class
+ definition for EndpointHasLocalIKEIdentity is as follows:
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 77]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ NAME EndpointHasLocalIKEIdentity
+ DESCRIPTION EndpointHasLocalIKEIdentity associates an
+ IPProtocolEndpoint with a set of IKEIdentity
+ instances.
+ DERIVED FROM ElementAsUser (see [CIMUSER])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref IPProtocolEndpoint [0..1]]
+ Dependent [ref IKEIdentity [0..n]]
+
+8.16.1. The Reference Antecedent
+
+ The property Antecedent is inherited from ElementAsUser and is
+ overridden to refer to an IPProtocolEndpoint instance. The [0..1]
+ cardinality indicates that an IKEIdentity instance MUST be associated
+ with at most one IPProtocolEndpoint instance.
+
+8.16.2. The Reference Dependent
+
+ The property Dependent is inherited from ElementAsUser and is
+ overridden to refer to an IKEIdentity instance. The [0..n]
+ cardinality indicates that an IPProtocolEndpoint instance may be
+ associated with zero or more IKEIdentity instances.
+
+8.17. The Association Class CollectionHasLocalIKEIdentity
+
+ The class CollectionHasLocalIKEIdentity associates a Collection of
+ IPProtocolEndpoint instances with a set of IKEIdentity instances that
+ may be used in negotiating SAs for endpoints in the collection. An
+ IKEIdentity MUST be associated with either an IPProtocolEndpoint
+ using the EndpointHasLocalIKEIdentity association or with a
+ collection of IKEIdentity instances using this association. The
+ class definition for CollectionHasLocalIKEIdentity is as follows:
+
+ NAME CollectionHasLocalIKEIdentity
+ DESCRIPTION CollectionHasLocalIKEIdentity associates a collection
+ of IPProtocolEndpoint instances with a set of
+ IKEIdentity instances.
+ DERIVED FROM ElementAsUser (see [CIMUSER])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref Collection [0..1]]
+ Dependent [ref IKEIdentity [0..n]]
+
+8.17.1. The Reference Antecedent
+
+ The property Antecedent is inherited from ElementAsUser and is
+ overridden to refer to a Collection instance. The [0..1] cardinality
+ indicates that an IKEIdentity instance MUST be associated with at
+ most one Collection instance.
+
+
+
+Jason, et al. Standards Track [Page 78]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+8.17.2. The Reference Dependent
+
+ The property Dependent is inherited from ElementAsUser and is
+ overridden to refer to an IKEIdentity instance. The [0..n]
+ cardinality indicates that a Collection instance may be associated
+ with zero or more IKEIdentity instances.
+
+8.18. The Association Class IKEIdentitysCredential
+
+ The class IKEIdentitysCredential is an association that relates a set
+ of credentials to their corresponding local IKE Identities. The
+ class definition for IKEIdentitysCredential is as follows:
+
+ NAME IKEIdentitysCredential
+ DESCRIPTION IKEIdentitysCredential associates a set of
+ credentials to their corresponding local IKEIdentity.
+ DERIVED FROM UsersCredential (see [CIMCORE])
+ ABSTRACT FALSE
+ PROPERTIES Antecedent [ref Credential [0..n]]
+ Dependent [ref IKEIdentity [0..n]]
+
+8.18.1. The Reference Antecedent
+
+ The property Antecedent is inherited from UsersCredential and is
+ overridden to refer to a Credential instance. The [0..n] cardinality
+ indicates that the IKEIdentity instance may be associated with zero
+ or more Credential instances.
+
+8.18.2. The Reference Dependent
+
+ The property Dependent is inherited from UsersCredential and is
+ overridden to refer to an IKEIdentity instance. The [0..n]
+ cardinality indicates that a Credential instance may be associated
+ with zero or more IKEIdentity instances.
+
+9. Implementation Requirements
+
+ The following table specifies which classes, properties, associations
+ and aggregations MUST or SHOULD or MAY be implemented.
+
+ 4. Policy Classes
+ 4.1. The Class SARule..........................................MUST
+ 4.1.1. The Property PolicyRuleName..............................MAY
+ 4.1.1. The Property Enabled....................................MUST
+ 4.1.1. The Property ConditionListType..........................MUST
+ 4.1.1. The Property RuleUsage...................................MAY
+ 4.1.1. The Property Mandatory...................................MAY
+ 4.1.1. The Property SequencedActions...........................MUST
+
+
+
+Jason, et al. Standards Track [Page 79]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ 4.1.1. The Property PolicyRoles.................................MAY
+ 4.1.1. The Property PolicyDecisionStrategy......................MAY
+ 4.1.2 The Property ExecutionStrategy..........................MUST
+ 4.1.3 The Property LimitNegotiation............................MAY
+ 4.2. The Class IKERule.........................................MUST
+ 4.2.1. The Property IdentityContexts............................MAY
+ 4.3. The Class IPsecRule.......................................MUST
+ 4.4. The Association Class IPsecPolicyForEndpoint...............MAY
+ 4.4.1. The Reference Antecedent................................MUST
+ 4.4.2. The Reference Dependent.................................MUST
+ 4.5. The Association Class IPsecPolicyForSystem.................MAY
+ 4.5.1. The Reference Antecedent................................MUST
+ 4.5.2. The Reference Dependent.................................MUST
+ 4.6. The Aggregation Class SAConditionInRule...................MUST
+ 4.6.1. The Property GroupNumber..............................SHOULD
+ 4.6.1. The Property ConditionNegated.........................SHOULD
+ 4.6.2. The Reference GroupComponent............................MUST
+ 4.6.3. The Reference PartComponent.............................MUST
+ 4.7. The Aggregation Class PolicyActionInSARule................MUST
+ 4.7.1. The Reference GroupComponent............................MUST
+ 4.7.2. The Reference PartComponent.............................MUST
+ 4.7.3. The Property ActionOrder..............................SHOULD
+ 5. Condition and Filter Classes
+ 5.1. The Class SACondition.....................................MUST
+ 5.2. The Class IPHeadersFilter...............................SHOULD
+ 5.3. The Class CredentialFilterEntry............................MAY
+ 5.3.1. The Property MatchFieldName.............................MUST
+ 5.3.2. The Property MatchFieldValue............................MUST
+ 5.3.3. The Property CredentialType.............................MUST
+ 5.4. The Class IPSOFilterEntry..................................MAY
+ 5.4.1. The Property MatchConditionType.........................MUST
+ 5.4.2. The Property MatchConditionValue........................MUST
+ 5.5. The Class PeerIDPayloadFilterEntry.........................MAY
+ 5.5.1. The Property MatchIdentityType..........................MUST
+ 5.5.2. The Property MatchIdentityValue.........................MUST
+ 5.6. The Association Class FilterOfSACondition...............SHOULD
+ 5.6.1. The Reference Antecedent................................MUST
+ 5.6.2. The Reference Dependent.................................MUST
+ 5.7. The Association Class AcceptCredentialFrom.................MAY
+ 5.7.1. The Reference Antecedent................................MUST
+ 5.7.2. The Reference Dependent.................................MUST
+ 6. Action Classes
+ 6.1. The Class SAAction........................................MUST
+ 6.1.1. The Property DoActionLogging.............................MAY
+ 6.1.2. The Property DoPacketLogging.............................MAY
+ 6.2. The Class SAStaticAction..................................MUST
+ 6.2.1. The Property LifetimeSeconds............................MUST
+ 6.3. The Class IPsecBypassAction.............................SHOULD
+
+
+
+Jason, et al. Standards Track [Page 80]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ 6.4. The Class IPsecDiscardAction............................SHOULD
+ 6.5. The Class IKERejectAction..................................MAY
+ 6.6. The Class PreconfiguredSAAction...........................MUST
+ 6.6.1. The Property LifetimeKilobytes..........................MUST
+ 6.7. The Class PreconfiguredTransportAction....................MUST
+ 6.8. The Class PreconfiguredTunnelAction.......................MUST
+ 6.8.1. The Property DFHandling.................................MUST
+ 6.9. The Class SANegotiationAction.............................MUST
+ 6.10. The Class IKENegotiationAction...........................MUST
+ 6.10.1. The Property MinLifetimeSeconds.........................MAY
+ 6.10.2. The Property MinLifetimeKilobytes.......................MAY
+ 6.10.3. The Property IdleDurationSeconds........................MAY
+ 6.11. The Class IPsecAction....................................MUST
+ 6.11.1. The Property UsePFS....................................MUST
+ 6.11.2. The Property UseIKEGroup................................MAY
+ 6.11.3. The Property GroupId...................................MUST
+ 6.11.4. The Property Granularity.............................SHOULD
+ 6.11.5. The Property VendorID...................................MAY
+ 6.12. The Class IPsecTransportAction...........................MUST
+ 6.13. The Class IPsecTunnelAction..............................MUST
+ 6.13.1. The Property DFHandling................................MUST
+ 6.14. The Class IKEAction......................................MUST
+ 6.14.1. The Property ExchangeMode ............................MUST
+ 6.14.2. The Property UseIKEIdentityType........................MUST
+ 6.14.3. The Property VendorID...................................MAY
+ 6.14.4. The Property AggressiveModeGroupId......................MAY
+ 6.15. The Class PeerGateway....................................MUST
+ 6.15.1. The Property Name....................................SHOULD
+ 6.15.2. The Property PeerIdentityType..........................MUST
+ 6.15.3. The Property PeerIdentity..............................MUST
+ 6.16. The Association Class PeerGatewayForTunnel...............MUST
+ 6.16.1. The Reference Antecedent...............................MUST
+ 6.16.2. The Reference Dependent................................MUST
+ 6.16.3. The Property SequenceNumber..........................SHOULD
+ 6.17. The Aggregation Class ContainedProposal..................MUST
+ 6.17.1. The Reference GroupComponent...........................MUST
+ 6.17.2. The Reference PartComponent............................MUST
+ 6.17.3. The Property SequenceNumber............................MUST
+ 6.18. The Association Class HostedPeerGatewayInformation........MAY
+ 6.18.1. The Reference Antecedent...............................MUST
+ 6.18.2. The Reference Dependent................................MUST
+ 6.19. The Association Class TransformOfPreconfiguredAction.....MUST
+ 6.19.1. The Reference Antecedent...............................MUST
+ 6.19.2. The Reference Dependent................................MUST
+ 6.19.3. The Property SPI.......................................MUST
+ 6.19.4. The Property Direction.................................MUST
+ 6.20. The Association Class PeerGatewayForPreconfiguredTunnel..MUST
+ 6.20.1. The Reference Antecedent...............................MUST
+
+
+
+Jason, et al. Standards Track [Page 81]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ 6.20.2. The Reference Dependent................................MUST
+ 7. Proposal and Transform Classes
+ 7.1. The Abstract Class SAProposal.............................MUST
+ 7.1.1. The Property Name.....................................SHOULD
+ 7.2 The Class IKEProposal......................................MUST
+ 7.2.1. The Property CipherAlgorithm............................MUST
+ 7.2.2. The Property HashAlgorithm..............................MUST
+ 7.2.3. The Property PRFAlgorithm................................MAY
+ 7.2.4. The Property GroupId....................................MUST
+ 7.2.5. The Property AuthenticationMethod.......................MUST
+ 7.2.6. The Property MaxLifetimeSeconds.........................MUST
+ 7.2.7. The Property MaxLifetimeKilobytes.......................MUST
+ 7.2.8. The Property VendorID....................................MAY
+ 7.3. The Class IPsecProposal...................................MUST
+ 7.4. The Abstract Class SATransform............................MUST
+ 7.4.1. The Property TransformName............................SHOULD
+ 7.4.2. The Property VendorID....................................MAY
+ 7.4.3. The Property MaxLifetimeSeconds.........................MUST
+ 7.4.4. The Property MaxLifetimeKilobytes.......................MUST
+ 7.5. The Class AHTransform.....................................MUST
+ 7.5.1. The Property AHTransformId..............................MUST
+ 7.5.2. The Property UseReplayPrevention.........................MAY
+ 7.5.3. The Property ReplayPreventionWindowSize..................MAY
+ 7.6. The Class ESPTransform....................................MUST
+ 7.6.1. The Property IntegrityTransformId.......................MUST
+ 7.6.2. The Property CipherTransformId..........................MUST
+ 7.6.3. The Property CipherKeyLength.............................MAY
+ 7.6.4. The Property CipherKeyRounds.............................MAY
+ 7.6.5. The Property UseReplayPrevention.........................MAY
+ 7.6.6. The Property ReplayPreventionWindowSize..................MAY
+ 7.7. The Class IPCOMPTransform..................................MAY
+ 7.7.1. The Property Algorithm..................................MUST
+ 7.7.2. The Property DictionarySize..............................MAY
+ 7.7.3. The Property PrivateAlgorithm............................MAY
+ 7.8. The Association Class SAProposalInSystem...................MAY
+ 7.8.1. The Reference Antecedent................................MUST
+ 7.8.2. The Reference Dependent.................................MUST
+ 7.9. The Aggregation Class ContainedTransform..................MUST
+ 7.9.1. The Reference GroupComponent............................MUST
+ 7.9.2. The Reference PartComponent.............................MUST
+ 7.9.3. The Property SequenceNumber.............................MUST
+ 7.10. The Association Class SATransformInSystem.................MAY
+ 7.10.1. The Reference Antecedent...............................MUST
+ 7.10.2. The Reference Dependent................................MUST
+ 8. IKE Service and Identity Classes
+ 8.1. The Class IKEService.......................................MAY
+ 8.2. The Class PeerIdentityTable................................MAY
+ 8.3.1. The Property Name.....................................SHOULD
+
+
+
+Jason, et al. Standards Track [Page 82]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ 8.3. The Class PeerIdentityEntry................................MAY
+ 8.3.1. The Property PeerIdentity.............................SHOULD
+ 8.3.2. The Property PeerIdentityType.........................SHOULD
+ 8.3.3. The Property PeerAddress..............................SHOULD
+ 8.3.4. The Property PeerAddressType..........................SHOULD
+ 8.4. The Class AutostartIKEConfiguration........................MAY
+ 8.5. The Class AutostartIKESetting..............................MAY
+ 8.5.1. The Property Phase1Only..................................MAY
+ 8.5.2. The Property AddressType..............................SHOULD
+ 8.5.3. The Property SourceAddress..............................MUST
+ 8.5.4. The Property SourcePort.................................MUST
+ 8.5.5. The Property DestinationAddress.........................MUST
+ 8.5.6. The Property DestinationPort............................MUST
+ 8.5.7. The Property Protocol...................................MUST
+ 8.6. The Class IKEIdentity......................................MAY
+ 8.6.1. The Property IdentityType...............................MUST
+ 8.6.2. The Property IdentityValue..............................MUST
+ 8.6.3. The Property IdentityContexts............................MAY
+ 8.7. The Association Class HostedPeerIdentityTable..............MAY
+ 8.7.1. The Reference Antecedent................................MUST
+ 8.7.2. The Reference Dependent.................................MUST
+ 8.8. The Aggregation Class PeerIdentityMember...................MAY
+ 8.8.1. The Reference Collection................................MUST
+ 8.8.2. The Reference Member....................................MUST
+ 8.9. The Association Class IKEServicePeerGateway................MAY
+ 8.9.1. The Reference Antecedent................................MUST
+ 8.9.2. The Reference Dependent.................................MUST
+ 8.10. The Association Class IKEServicePeerIdentityTable.........MAY
+ 8.10.1. The Reference Antecedent...............................MUST
+ 8.10.2. The Reference Dependent................................MUST
+ 8.11. The Association Class IKEAutostartSetting.................MAY
+ 8.11.1. The Reference Element..................................MUST
+ 8.11.2. The Reference Setting..................................MUST
+ 8.12. The Aggregation Class AutostartIKESettingContext..........MAY
+ 8.12.1. The Reference Context..................................MUST
+ 8.12.2. The Reference Setting..................................MUST
+ 8.12.3. The Property SequenceNumber..........................SHOULD
+ 8.13. The Association Class IKEServiceForEndpoint...............MAY
+ 8.13.1. The Reference Antecedent...............................MUST
+ 8.13.2. The Reference Dependent................................MUST
+ 8.14. The Association Class IKEAutostartConfiguration...........MAY
+ 8.14.1. The Reference Antecedent...............................MUST
+ 8.14.2. The Reference Dependent................................MUST
+ 8.14.3. The Property Active..................................SHOULD
+ 8.15. The Association Class IKEUsesCredentialManagementService..MAY
+ 8.15.1. The Reference Antecedent...............................MUST
+ 8.15.2. The Reference Dependent................................MUST
+ 8.16. The Association Class EndpointHasLocalIKEIdentity.........MAY
+
+
+
+Jason, et al. Standards Track [Page 83]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ 8.16.1. The Reference Antecedent...............................MUST
+ 8.16.2. The Reference Dependent................................MUST
+ 8.17. The Association Class CollectionHasLocalIKEIdentity.......MAY
+ 8.17.1. The Reference Antecedent...............................MUST
+ 8.17.2. The Reference Dependent................................MUST
+ 8.18. The Association Class IKEIdentitysCredential..............MAY
+ 8.18.1. The Reference Antecedent...............................MUST
+ 8.18.2. The Reference Dependent................................MUST
+
+10. Security Considerations
+
+ This document only describes an information model for IPsec policy.
+ It does not detail security requirements for storage or delivery of
+ said information.
+
+ Physical models derived from this information model MUST implement
+ the relevant security for storage and delivery. Most of the classes
+ (e.g., IpHeadersFilter, SAAction,...) MUST at least provided the
+ integrity service; other pieces of information MUST also receive the
+ confidentiality service (e.g., SharedSecret as described in the
+ classes PeerIdentityEntry and PreconfiguredSAAction).
+
+11. Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11.
+
+ Copies of claims of rights made available for publication and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 84]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+12. References
+
+12.1. Normative References
+
+ [COMP] Shacham, A., Monsour, B., Pereira, R. and M. Thomas, "IP
+ Payload Compression Protocol (IPComp)", RFC 3173,
+ September 2001.
+
+ [ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security
+ Payload (ESP)", RFC 2406, November 1998.
+
+ [AH] Kent, S. and R. Atkinson, "IP Authentication Header",
+ RFC 2402, November 1998.
+
+ [DOI] Piper, D., "The Internet IP Security Domain of
+ Interpretation for ISAKMP", RFC 2407, November 1998.
+
+ [IKE] Harkins, D. and D. Carrel, "The Internet Key Exchange
+ (IKE)", RFC 2409, November 1998.
+
+ [PCIM] Moore, B., Ellesson, E., Strassner, J. and A.
+ Westerinen, "Policy Core Information Model -- Version 1
+ Specification", RFC 3060, February 2001.
+
+ [PCIME] Moore, B., Editor, "Policy Core Information Model (PCIM)
+ Extensions", RFC 3460, January 2003.
+
+ [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [CIMCORE] DMTF Common Information Model - Core Model v2.5 which
+ can be found at
+ http://www.dmtf.org/standards/CIM_Schema25/
+ CIM_Core25.mof
+
+ [CIMUSER] DMTF Common Information Model - User-Security Model v2.5
+ which can be found at
+ http://www.dmtf.org/standards/CIM_Schema25/
+ CIM_User25.mof
+
+ [CIMNETWORK] DMTF Common Information Model - Network Model v2.5
+ which can be found at
+ http://www.dmtf.org/standards/CIM_Schema25/
+ CIM_Network25.mof
+
+ [IPSO] Kent, S., "U.S. Department of Defense Security Options
+ for the Internet Protocol", RFC 1108, November 1991.
+
+
+
+
+Jason, et al. Standards Track [Page 85]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+ [IPSEC] Kent, S. and R. Atkinson, "Security Architecture for the
+ Internet Protocol", RFC 2401, November 1998.
+
+12.2. Informative References
+
+ [LDAP] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
+ Access Protocol (v3)", RFC 2251, December 1997.
+
+ [COPS] Durham, D., Ed., Boyle, J., Cohen, R., Herzog, S.,
+ Rajan, R. and A. Sastry, "The COPS (Common Open Policy
+ Service) Protocol", RFC 2748, January 2000.
+
+ [COPSPR] Chan, K., Seligson, J., Durham, D., Gai, S., McCloghrie,
+ K., Herzog, S., Reichmeyer, R., Yavatkar, R. and A.
+ Smith, "COPS Usage for Policy Provisioning (COPS-PR)",
+ RFC 3084, March 2001.
+
+ [DMTF] Distributed Management Task Force, http://www.dmtf.org/
+
+13. Disclaimer
+
+ The views and specification herein are those of the authors and are
+ not necessarily those of their employer. The authors and their
+ employer specifically disclaim responsibility for any problems
+ arising from correct or incorrect implementation or use of this
+ specification.
+
+14. Acknowledgments
+
+ The authors would like to thank Mike Jeronimo, Ylian Saint-Hilaire,
+ Vic Lortz, William Dixon, Man Li, Wes Hardaker and Ricky Charlet for
+ their contributions to this IPsec policy model.
+
+ Additionally, this document would not have been possible without the
+ preceding IPsec schema documents. For that, thanks go out to Rob
+ Adams, Partha Bhattacharya, William Dixon, Roy Pereira, and Raju
+ Rajan.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 86]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+15. Authors' Addresses
+
+ Jamie Jason
+ Intel Corporation
+ MS JF3-206
+ 2111 NE 25th Ave.
+ Hillsboro, OR 97124
+
+ EMail: jamie.jason@intel.com
+
+
+ Lee Rafalow
+ IBM Corporation, BRQA/502
+ 4205 So. Miami Blvd.
+ Research Triangle Park, NC 27709
+
+ EMail: rafalow@watson.ibm.com
+
+
+ Eric Vyncke
+ Cisco Systems
+ 7 De Kleetlaan
+ B-1831 Diegem
+ Belgium
+
+ EMail: evyncke@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 87]
+
+RFC 3585 IPsec Configuration Policy Model August 2003
+
+
+16. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jason, et al. Standards Track [Page 88]
+