RFC 3585

IPsec Configuration Policy Information Model

Part 2 of 4, p. 22 to 49

5. Condition and Filter Classes

   The IPsec condition and filter classes are used to build the "if"
   part of the IKE and IPsec rules.

                       *+-------------+
   +--------------------| SACondition |
   |                    +-------------+
   |                         * |
   |                           |(a)
   |                         1 |
   |                   +---------------+
   |                   |  FilterList   |
   |                   |([CIMNETWORK]) |
   |                   +---------------+
   |                         1 o
   |(b)                        |(c)
   |                         * |
   |                   +-----------------+
   |                   | FilterEntryBase |
   |                   | ([CIMNETWORK])  |
   |                   +-----------------+
   |                           ^
   |                           |
   |    +-----------------+    |    +-----------------------+
   |    | IPHeadersFilter |----+----| CredentialFilterEntry |
   |    |   ([PCIME])     |    |    +-----------------------+
   |    +-----------------+    |
   |                           |
   |    +-----------------+    |    +--------------------------+
   |    | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry |
   |    +-----------------+         +--------------------------+
   |
   |           *+-----------------------------+
   +------------| CredentialManagementService |
                |         ([CIMUSER])         |
                +-----------------------------+

      (a)  FilterOfSACondition
      (b)  AcceptCredentialsFrom
      (c)  EntriesInFilterList (see [CIMNETWORK])

5.1. The Class SACondition

   The class SACondition defines the conditions of rules for IKE and
   IPsec negotiations.  Conditions are associated with policy rules via
   the SAConditionInRule aggregation.  It is used as an anchor point to
   associate various types of filters with policy rules via the
   FilterOfSACondition association.  It also defines whether Credentials
   can be accepted for a particular policy rule via the
   AcceptCredentialsFrom association.

   Associated objects represent components of the condition that may or
   may not apply at a given rule evaluation.  For example, an
   AcceptCredentialsFrom evaluation is only performed when a credential
   is available to be evaluated against the list of trusted credential
   management services.  Similarly, a PeerIDPayloadFilterEntry may only
   be evaluated when an IDPayload value is available to compare with the
   filter.  Condition components that do not have corresponding values
   with which to evaluate are evaluated as TRUE unless the protocol has
   completed without providing the required information.

   The class definition for SACondition is as follows:

      NAME         SACondition
      DESCRIPTION  Defines the preconditions for IKE and IPsec
                   negotiations.
      DERIVED FROM PolicyCondition (see [PCIM])
      ABSTRACT     FALSE
      PROPERTIES   PolicyConditionName (from PolicyCondition)

5.2. The Class IPHeadersFilter

   The class IPHeadersFilter is defined in [PCIME] with the following
   note:

   1) to specify 5-tuple filters that are to apply symmetrically (i.e.,
      matches traffic in both directions of the same flows which is
      quite typical for SPD entries for ingress and egress traffic), the
      Direction property of the FilterList SHOULD be set to "Mirrored".

5.3. The Class CredentialFilterEntry

   The class CredentialFilterEntry defines an equivalence class that
   matches credentials of IKE peers.  Each CredentialFilterEntry includes
   a MatchFieldName that is interpreted according to the
   CredentialManagementService(s) associated with the SACondition
   (AcceptCredentialsFrom).  These credentials can be X.509 certificates,
   Kerberos tickets, or other types of credentials obtained during the
   Phase 1 exchange.

   Note: this filter entry will probably be checked while the IKE
   negotiation takes place.  If the check is a failure, then the IKE
   negotiation MUST be stopped, and the result of the IKEAction which
   triggered this negotiation is a failure.

   The class definition for CredentialFilterEntry is as follows:

      NAME         CredentialFilterEntry
      DESCRIPTION  Specifies a match filter based on the IKE
                   credentials.
      DERIVED FROM FilterEntryBase (see [CIMNETWORK])
      ABSTRACT     FALSE
      PROPERTIES   Name (from FilterEntryBase)
                   IsNegated (from FilterEntryBase)
                   MatchFieldName
                   MatchFieldValue
                   CredentialType

5.3.1. The Property MatchFieldName

   The property MatchFieldName specifies the sub-part of the credential
   to match against MatchFieldValue.  The property is defined as
   follows:

      NAME         MatchFieldName
      DESCRIPTION  Specifies which sub-part of the credential to match.
      SYNTAX       string
      VALUE        This is the string representation of a X.509
                   certificate attribute, e.g.:
                   - "serialNumber"
                   - "signatureAlgorithm"
                   - "issuerName"
                   - "subjectName"
                   - "subjectAltName"
                   - ...

5.3.2. The Property MatchFieldValue

   The property MatchFieldValue specifies the value to compare with the
   MatchFieldName in a credential to determine if the credential matches
   this filter entry.  The property is defined as follows:

      NAME         MatchFieldValue
      DESCRIPTION  Specifies the value to be matched by the
                   MatchFieldName.
      SYNTAX       string
      VALUE        NB: If the CredentialFilterEntry corresponds to a
                   DistinguishedName, this value in the CIM class is
                   represented by an ordinary string value.  However, an
                   implementation must convert this string to a DER-
                   encoded string before matching against the values
                   extracted from credentials at runtime.

   A wildcard mechanism may be used for MatchFieldNames that contain
   character strings.  The MatchFieldValue may contain a wildcard
   character, '*', in the pattern match specification.  For example, if
   the MatchFieldName is "subjectName", then a MatchFieldValue of
   "cn=*,ou=engineering,o=foo,c=be" will successfully match a
   certificate whose subject attribute is "cn=Jane
   Doe,ou=engineering,o=foo,c=be".  The wildcard character can be used
   to represent 0 or more characters as would be displayed to the user
   (i.e., a wildcard pattern match operates on displayable character
   boundaries).

5.3.3. The Property CredentialType

   The property CredentialType specifies the particular type of
   credential that is being matched.  The property is defined as
   follows:

      NAME         CredentialType
      DESCRIPTION  Defines the type of IKE credentials.
      SYNTAX       unsigned 16-bit integer
      VALUE        1 - X.509 Certificate
                   2 - Kerberos Ticket

5.4. The Class IPSOFilterEntry

   The class IPSOFilterEntry is used to match traffic based on the IP
   Security Options [IPSO] header values (ClassificationLevel and
   ProtectionAuthority) as defined in RFC 1108.  This type of filter
   entry is used to adjust the IPsec encryption level according to the
   IPSO classification of the traffic (e.g., secret, confidential,
   restricted, etc.)  The class definition for IPSOFilterEntry is as
   follows:

      NAME         IPSOFilterEntry
      DESCRIPTION  Specifies a match filter based on IP Security
                   Options.
      DERIVED FROM FilterEntryBase (see [CIMNETWORK])
      ABSTRACT     FALSE
      PROPERTIES   Name (from FilterEntryBase)
                   IsNegated (from FilterEntryBase)
                   MatchConditionType
                   MatchConditionValue

5.4.1. The Property MatchConditionType

   The property MatchConditionType specifies the IPSO header field that
   will be matched (e.g., traffic classification level or protection
   authority).  The property is defined as follows:

      NAME         MatchConditionType
      DESCRIPTION  Specifies the IPSO header field to be matched.
      SYNTAX       unsigned 16-bit integer
      VALUE        1 - ClassificationLevel
                   2 - ProtectionAuthority

5.4.2. The Property MatchConditionValue

   The property MatchConditionValue specifies the value of the IPSO
   header field to be matched against.  The property is defined as
   follows:

      NAME         MatchConditionValue
      DESCRIPTION  Specifies the value of the IPSO header field to be
                   matched against.
      SYNTAX       unsigned 16-bit integer
      VALUE        The values MUST be one of values listed in RFC 1108
                   (or any further IANA Assigned Numbers document).
                   Some examples for ClassificationLevel are:
                   61 - TopSecret
                   90 - Secret
                   150 - Confidential
                   171 - Unclassified
                   For ProtectionAuthority, some examples are:
                   0 - GENSER
                   1 - SIOP-ESI
                   2 - SCI
                   3 - NSA
                   4 - DOE

5.5. The Class PeerIDPayloadFilterEntry

   The class PeerIDPayloadFilterEntry defines filters used to match ID
   payload values from the IKE protocol exchange.
   PeerIDPayloadFilterEntry permits the specification of certain ID
   payload values such as "*@example.com" or "192.0.2.0/24".

   Obviously this filter applies only to IKERules when acting as a
   responder.  Moreover, this filter can be applied immediately in the
   case of aggressive mode but its application is to be delayed in the
   case of main mode.  The class definition for PeerIDPayloadFilterEntry
   is as follows:

      NAME         PeerIDPayloadFilterEntry
      DESCRIPTION  Specifies a match filter based on IKE identity.
      DERIVED FROM FilterEntryBase (see [CIMNETWORK])
      ABSTRACT     FALSE
      PROPERTIES   Name (from FilterEntryBase)
                   IsNegated (from FilterEntryBase)
                   MatchIdentityType
                   MatchIdentityValue

5.5.1. The Property MatchIdentityType

   The property MatchIdentityType specifies the type of identity
   provided by the peer in the ID payload.  The property is defined as
   follows:

      NAME         MatchIdentityType
      DESCRIPTION  Specifies the ID payload type.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [DOI] for valid values.

5.5.2. The Property MatchIdentityValue

   The property MatchIdentityValue specifies the filter value for
   comparison with the ID payload, e.g., "*@example.com".  The property
   is defined as follows:

      NAME         MatchIdentityValue
      DESCRIPTION  Specifies the ID payload value.
      SYNTAX       string
      VALUE        NB: The syntax may need to be converted for
                   comparison.  If the PeerIDPayloadFilterEntry type is
                   a DistinguishedName, the name in the
                   MatchIdentityValue property is represented by an
                   ordinary string value, but this value must be
                   converted into a DER-encoded string before matching
                   against the values extracted from IKE ID payloads at
                   runtime.  The same applies to IPv4 & IPv6 addresses.

   Different wildcard mechanisms can be used depending on the ID
   payload:

   -  a MatchIdentityValue of "*@example.com" will match a user FQDN ID
      payload of "JDOE@EXAMPLE.COM".

   -  a MatchIdentityValue of "*.example.com" will match a FQDN ID
      payload of "WWW.EXAMPLE.COM".

   -  a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will
      match a DER DN ID payload of "cn=John
      Doe,ou=engineering,o=company,c=us".

   -  a MatchIdentityValue of "193.190.125.0/24" will match an IPv4
      address ID payload of 193.190.125.10.

   -  a MatchIdentityValue of "193.190.125.*" will also match an IPv4
      address ID payload of 193.190.125.10.

   The above wildcard mechanisms MUST be supported for all ID payloads
   supported by the local IKE entity.  The character '*' replaces 0 or
   multiple instances of any character as restricted by the type
   specified by MatchIdentityType.
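
The following Python sketch is an added illustration, not code from RFC 3585 or from any implementation of it: it evaluates a PeerIDPayloadFilterEntry against a peer's ID payload using the wildcard rules above (and the displayable-character matching of 5.3.2). It assumes the ID type numbers of the IPsec DOI [DOI], a deliberately simplified DN parser, and comparison of text rather than DER forms.

```python
import ipaddress
import re
from dataclasses import dataclass

# ID payload types as assigned in the IPsec DOI [DOI]; only the types used
# by the examples in 5.5.2 are listed here.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_IPV6_ADDR = 5
ID_DER_ASN1_DN = 9


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """'*' stands for zero or more displayable characters; all else is literal.
    Identities compare case-insensitively (JDOE@EXAMPLE.COM vs *@example.com)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def parse_dn(dn: str) -> list:
    """Split 'cn=John Doe,ou=engineering,o=company,c=us' into (type, value) RDNs.
    Simplified on purpose: no escaped commas and no multi-valued RDNs."""
    rdns = []
    for rdn in dn.split(","):
        attr_type, _, attr_value = rdn.partition("=")
        rdns.append((attr_type.strip().lower(), attr_value.strip()))
    return rdns


def match_address(pattern: str, value: str) -> bool:
    """An address ID may be filtered by prefix ('193.190.125.0/24') or by a
    dotted form with wildcard octets ('193.190.125.*')."""
    addr = ipaddress.ip_address(value)          # raises on a malformed ID value
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    # compare the canonical text form so IPv6 zero-compression differences do not matter
    return wildcard_to_regex(pattern).match(str(addr)) is not None


@dataclass
class PeerIDPayloadFilterEntry:
    Name: str
    MatchIdentityType: int
    MatchIdentityValue: str
    IsNegated: bool = False       # inherited from FilterEntryBase

    def matches(self, id_type: int, id_value: str) -> bool:
        """Evaluate this entry against the (type, value) of a peer's ID payload."""
        if id_type != self.MatchIdentityType:
            # a filter for one ID type says nothing about payloads of another type
            result = False
        elif id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
            result = match_address(self.MatchIdentityValue, id_value)
        elif id_type == ID_DER_ASN1_DN:
            # RDN by RDN: attribute types must agree, '*' applies inside each value.
            # The RFC compares DER encodings at runtime; the text form is used here.
            want, got = parse_dn(self.MatchIdentityValue), parse_dn(id_value)
            result = len(want) == len(got) and all(
                wt == gt and wildcard_to_regex(wv).match(gv) is not None
                for (wt, wv), (gt, gv) in zip(want, got))
        else:
            # FQDN and user FQDN: plain wildcard match over the whole string
            result = wildcard_to_regex(self.MatchIdentityValue).match(id_value) is not None
        return result != self.IsNegated   # IsNegated inverts the outcome
```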

5.6. The Association Class FilterOfSACondition

   The class FilterOfSACondition associates an SACondition with the
   filter specifications (FilterList) that make up the condition.  The
   class definition for FilterOfSACondition is as follows:

      NAME         FilterOfSACondition
      DESCRIPTION  Associates a condition with the filter list that
                   makes up the individual condition elements.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref FilterList[1..1]]
                   Dependent [ref SACondition[0..n]]

5.6.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a FilterList instance.  The [1..1] cardinality
   indicates that an SACondition instance MUST be associated with one
   and only one FilterList instance.

5.6.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an SACondition instance.  The [0..n] cardinality
   indicates that a FilterList instance may be associated with zero or
   more SACondition instances.

5.7. The Association Class AcceptCredentialFrom

   The class AcceptCredentialFrom specifies which credential management
   services (e.g., a CertificateAuthority or a Kerberos service) are to
   be trusted to certify peer credentials.  This is used to assure that
   the credential being matched in the CredentialFilterEntry is a valid
   credential that has been supplied by an approved
   CredentialManagementService.  If a CredentialManagementService is
   specified and a corresponding CredentialFilterEntry is used, but the
   credential supplied by the peer is not certified by that
   CredentialManagementService (or one of the
   CredentialManagementServices in its trust hierarchy), the
   CredentialFilterEntry is deemed not to match.  If a credential is
   certified by a CredentialManagementService in the
   AcceptCredentialsFrom list of services, but there is no
   CredentialFilterEntry, this is considered equivalent to a
   CredentialFilterEntry that matches all credentials from those
   services.

   The class definition for AcceptCredentialFrom is as follows:

      NAME         AcceptCredentialFrom
      DESCRIPTION  Associates a condition with the credential management
                   services to be trusted.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref CredentialManagementService[0..n]]
                   Dependent [ref SACondition[0..n]]
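
The following Python sketch is an added illustration, not code from RFC 3585 or from any implementation of it: it evaluates the credential part of an SACondition with the rules of 5.7 (trusted CredentialManagementService or its trust hierarchy, match-all when no CredentialFilterEntry exists) and of 5.1 (a component without a value to evaluate is TRUE unless the protocol finished without supplying one). The trust hierarchy is modelled by an assumed parent link, and the sample CAs and credentials are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

CRED_X509 = 1          # CredentialType values from 5.3.3
CRED_KERBEROS = 2


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """'*' matches zero or more displayable characters (5.3.2); rest is literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


@dataclass
class CredentialManagementService:
    """A CA or Kerberos service.  'parent' is an assumed simplification of
    the trust hierarchy (a subordinate CA certified by a root)."""
    name: str
    parent: Optional["CredentialManagementService"] = None

    def trust_chain(self):
        svc = self
        while svc is not None:
            yield svc
            svc = svc.parent


@dataclass
class Credential:
    CredentialType: int
    issued_by: CredentialManagementService
    fields: dict   # credential sub-parts keyed by MatchFieldName, e.g. {"subjectName": "..."}


@dataclass
class CredentialFilterEntry:
    MatchFieldName: str
    MatchFieldValue: str
    CredentialType: int
    IsNegated: bool = False

    def matches(self, cred: Credential) -> bool:
        if cred.CredentialType != self.CredentialType:
            result = False
        else:
            value = cred.fields.get(self.MatchFieldName)
            result = value is not None and wildcard_to_regex(self.MatchFieldValue).match(value) is not None
        return result != self.IsNegated


@dataclass
class SACondition:
    accept_credentials_from: list = field(default_factory=list)   # AcceptCredentialsFrom
    credential_filters: list = field(default_factory=list)        # CredentialFilterEntry items of the FilterList

    def credential_component(self, cred: Optional[Credential], negotiation_complete: bool = False) -> bool:
        """Truth value of the credential-related part of this condition."""
        if not self.accept_credentials_from and not self.credential_filters:
            return True                       # nothing credential-related to evaluate
        if cred is None:
            # 5.1: a component with no value to evaluate is TRUE, unless the
            # protocol already finished without ever supplying one
            return not negotiation_complete
        if self.accept_credentials_from:
            trusted = any(svc in self.accept_credentials_from for svc in cred.issued_by.trust_chain())
            if not trusted:
                return False                  # 5.7: not certified by an approved service -> no match
        # 5.7: a trusted service with no CredentialFilterEntry matches every credential it certified
        return all(f.matches(cred) for f in self.credential_filters)


# Constructed sample data: a root CA, a subordinate CA it certified, and an outsider.
ROOT_CA = CredentialManagementService("Root CA")
ENG_SUBCA = CredentialManagementService("Engineering sub-CA", parent=ROOT_CA)
OTHER_CA = CredentialManagementService("Untrusted CA")
ENGINEERING_CONDITION = SACondition(
    [ROOT_CA],
    [CredentialFilterEntry("subjectName", "cn=*,ou=engineering,o=foo,c=be", CRED_X509)])
JANE = Credential(CRED_X509, ENG_SUBCA, {"subjectName": "cn=Jane Doe,ou=engineering,o=foo,c=be"})
BOB = Credential(CRED_X509, ROOT_CA, {"subjectName": "cn=Bob,ou=sales,o=foo,c=be"})
ROGUE = Credential(CRED_X509, OTHER_CA, {"subjectName": "cn=Jane Doe,ou=engineering,o=foo,c=be"})
```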

5.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an SACondition instance may be
   associated with zero or more CredentialManagementService instances.

5.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an SACondition instance.  The [0..n] cardinality indicates
   that a CredentialManagementService instance may be associated with
   zero or more SACondition instances.

6. Action Classes

   The action classes are used to model the different actions an IPsec
   device may take when the evaluation of the associated condition
   results in a match.

                                +----------+
                                | SAAction |
                                +----------+
                                     ^
                                     |
                         +-----------+--------------+
                         |                          |
                         |               +---------------------+
                         |               | SaNegotiationAction |
                         |               +---------------------+
                         |                          ^
                         |                          |
                 +----------------+      +----------------------+*
                 | SAStaticAction |      | IKENegotiationAction |o----+
                 +----------------+      +----------------------+     |
                               ^                     ^                |
                               |                     |                |
                               |         +-----------+-------+        |
                               |         |                   |        |
       +-------------------+   |   +-------------+     +-----------+  |
       | IPsecBypassAction |---+   | IPsecAction |     | IKEAction |  |
       +-------------------+   |   +-------------+     +-----------+  |
                               |       ^                              |
      +--------------------+   |       |    +----------------------+  |
      | IPsecDiscardAction |---+       +----| IPsecTransportAction |  |
      +--------------------+   |       |    +----------------------+  |
                               |       |                              |
         +-----------------+   |       |    +-------------------+     |
         | IKERejectAction |---+       +----| IPsecTunnelAction |     |
         +-----------------+   |            +-------------------+     |
                               |                     *|               |
                               |       +--------------+               |
                               |       |                              |
   +-----------------------+   |       |       +--------------+n      |
   | PreconfiguredSAAction |---+       |(a)    | [SAProposal] |-------+
   +-----------------------+           |       +--------------+   (b)
      *|    ^                          |
       |    |                          |      *+-------------+
       |    |                          +-------| PeerGateway |
       |    |                                  +-------------+
       |    |  +-----------------------------+   |0..1  *w|
       |    +--| PreconfiguredTransportAction|   |        |(c)
       |    |  +-----------------------------+   |       1|
       |    |                                    |  +--------------+
       |    |  +---------------------------+ *   |  |    System    |
       |    +--| PreconfiguredTunnelAction |-----+  |  ([CIMCORE]) |
       |       +---------------------------+  (e)   +--------------+
       |
       |   2..6+---------------+
       +-------| [SATransform] |
         (d)   +---------------+

      (a)  PeerGatewayForTunnel
      (b)  ContainedProposal
      (c)  HostedPeerGatewayInformation
      (d)  TransformOfPreconfiguredAction
      (e)  PeerGatewayForPreconfiguredTunnel

6.1. The Class SAAction

   The class SAAction is abstract and serves as the base class for IKE
   and IPsec actions.  It is used for aggregating different types of
   actions to IKE and IPsec rules.  The class definition for SAAction is
   as follows:

      NAME         SAAction
      DESCRIPTION  The base class for IKE and IPsec actions.
      DERIVED FROM PolicyAction (see [PCIM])
      ABSTRACT     TRUE
      PROPERTIES   PolicyActionName (from PolicyAction)
                   DoActionLogging
                   DoPacketLogging

6.1.1. The Property DoActionLogging

   The property DoActionLogging specifies whether a log message is to be
   generated when the action is performed.  This applies for
   SANegotiationActions with the meaning of logging a message when the
   negotiation is attempted (with the success or failure result).  This
   also applies for SAStaticAction only for PreconfiguredSAAction with
   the meaning of logging a message when the preconfigured SA is
   actually installed in the SADB.  The property is defined as follows:

      NAME         DoActionLogging
      DESCRIPTION  Specifies whether to log when the action is
                   performed.
      SYNTAX       boolean
      VALUE        true - a log message is to be generated when action
                   is performed.
                   false - no log message is to be generated when action
                   is performed.

6.1.2. The Property DoPacketLogging

   The property DoPacketLogging specifies whether a log message is to be
   generated when the resulting security association is used to process
   the packet.  If the SANegotiationAction successfully executes and
   results in the creation of one or several security associations, or
   if the PreconfiguredSAAction executes, the value of DoPacketLogging
   SHOULD be propagated to an optional field of SADB.  This optional
   field should be used to decide whether a log message is to be
   generated when the SA is used to process a packet.  For
   SAStaticActions, a log message is to be generated when the
   IPsecBypassAction, IPsecDiscardAction, or IKERejectAction are
   executed.  The property is defined as follows:

      NAME         DoPacketLogging
      DESCRIPTION  Specifies whether to log when the resulting
                   security association is used to process the packet.
      SYNTAX       boolean
      VALUE        true - a log message is to be generated when the
                   resulting security association is used to process the
                   packet.
                   false - no log message is to be generated.

6.2. The Class SAStaticAction

   The class SAStaticAction is abstract and serves as the base class for
   IKE and IPsec actions that do not require any negotiation.  The class
   definition for SAStaticAction is as follows:

      NAME         SAStaticAction
      DESCRIPTION  The base class for IKE and IPsec actions that do not
                   require any negotiation.
      DERIVED FROM SAAction
      ABSTRACT     TRUE
      PROPERTIES   LifetimeSeconds

6.2.1. The Property LifetimeSeconds

   The property LifetimeSeconds specifies how long the security
   association derived from this action should be used.  The property is
   defined as follows:

      NAME         LifetimeSeconds
      DESCRIPTION  Specifies the amount of time (in seconds) that a
                   security association derived from this action should
                   be used.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that there is not a
                   lifetime associated with this action (i.e., infinite
                   lifetime).  A non-zero value is typically used in
                   conjunction with alternate SAActions performed when
                   there is a negotiation failure of some sort.

   Note: if the referenced SAStaticAction object is a
   PreconfiguredSAAction associated to several SATransforms, then the
   actual lifetime of the preconfigured SA will be the lesser of the
   value of this LifetimeSeconds property and of the value of the
   MaxLifetimeSeconds property of the associated SATransform.  If the
   value of this LifetimeSeconds property is zero, then there will be no
   lifetime associated to this SA.

   Note: while some SA negotiation protocols [IKE] can negotiate the
   lifetime as an arbitrary length field, the authors have assumed that
   a 64-bit integer will be sufficient.

   It is expected that most SAStaticAction instances will have their
   LifetimeSeconds properties set to zero (meaning no expiration of the
   resulting SA).

6.3. The Class IPsecBypassAction

   The class IPsecBypassAction is used when packets are allowed to be
   processed without applying IPsec encapsulation to them.  This is the
   same as stating that packets are allowed to flow in the clear.  The
   class definition for IPsecBypassAction is as follows:

      NAME         IPsecBypassAction
      DESCRIPTION  Specifies that packets are to be allowed to pass in
                   the clear.
      DERIVED FROM SAStaticAction
      ABSTRACT     FALSE

6.4. The Class IPsecDiscardAction

   The class IPsecDiscardAction is used when packets are to be
   discarded.  This is the same as stating that packets are to be
   denied.  The class definition for IPsecDiscardAction is as follows:

      NAME         IPsecDiscardAction
      DESCRIPTION  Specifies that packets are to be discarded.
      DERIVED FROM SAStaticAction
      ABSTRACT     FALSE

6.5. The Class IKERejectAction

   The class IKERejectAction is used to prevent attempting an IKE
   negotiation with the peer(s).  The main use of this class is to
   prevent some denial of service attacks when acting as IKE responder.
   It goes beyond a plain discard of UDP/500 IKE packets because the
   SACondition can be based on specific PeerIDPayloadFilterEntry (when
   aggressive mode is used).  The class definition for IKERejectAction
   is as follows:

      NAME         IKERejectAction
      DESCRIPTION  Specifies that an IKE negotiation should not even be
                   attempted or continued.
      DERIVED FROM SAStaticAction
      ABSTRACT     FALSE

6.6. The Class PreconfiguredSAAction

   The class PreconfiguredSAAction is used to create a security
   association using preconfigured, hard-wired algorithms and keys.

   Notes:

   -  the SPI for a PreconfiguredSAAction is contained in the
      association, TransformOfPreconfiguredAction;

   -  the session key (if applicable) is contained in an instance of the
      class SharedSecret (see [CIMUSER]).  The session key is stored in
      the property Secret, the property protocol contains either "ESP-
      encrypt", "ESP-auth" or "AH", the property algorithm contains the
      algorithm used to protect the secret (can be "PLAINTEXT" if the
      IPsec entity has no secret storage), the value of property
      RemoteID is the concatenation of the remote IPsec peer IP address
      in dotted decimal, of the character "/", of "IN" (respectively
      "OUT") for inbound SA (respectively outbound SA), of the character
      "/", and of the hexadecimal representation of the SPI.

   Although the class is concrete, it MUST not be instantiated.  The
   class definition for PreconfiguredSAAction is as follows:

      NAME         PreconfiguredSAAction
      DESCRIPTION  Specifies preconfigured algorithm and keying
                   information for creation of a security association.
      DERIVED FROM SAStaticAction
      ABSTRACT     TRUE
      PROPERTIES   LifetimeKilobytes

6.6.1. The Property LifetimeKilobytes

   The property LifetimeKilobytes specifies a traffic limit in kilobytes
   that can be consumed before the SA is deleted.  The property is
   defined as follows:

      NAME         LifetimeKilobytes
      DESCRIPTION  Specifies the SA lifetime in kilobytes.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that there is not a
                   lifetime associated with this action (i.e., infinite
                   lifetime).  A non-zero value is used to indicate that
                   after this number of kilobytes has been consumed the
                   SA must be deleted from the SADB.

   Note: the actual lifetime of the preconfigured SA will be the lesser
   of the value of this LifetimeKilobytes property and of the value of
   the MaxLifetimeSeconds property of the associated SATransform.  If
   the value of this LifetimeKilobytes property is zero, then there will
   be no lifetime associated with this action.

   Note: while some SA negotiation protocols [IKE] can negotiate the
   lifetime as an arbitrary length field, the authors have assumed that
   a 64-bit integer will be sufficient.

   It is expected that most PreconfiguredSAAction instances will have
   their LifetimeKilobytes properties set to zero (meaning no expiration
   of the resulting SA).

6.7. The Class PreconfiguredTransportAction

   The class PreconfiguredTransportAction is used to create an IPsec
   transport-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for
   PreconfiguredTransportAction is as follows:

      NAME         PreconfiguredTransportAction
      DESCRIPTION  Specifies preconfigured algorithm and keying
                   information for creation of an IPsec transport
                   security association.
      DERIVED FROM PreconfiguredSAAction
      ABSTRACT     FALSE

6.8. The Class PreconfiguredTunnelAction

   The class PreconfiguredTunnelAction is used to create an IPsec
   tunnel-mode security association using preconfigured, hard-wired
   algorithms and keys.  The class definition for PreconfiguredTunnelAction
   is as follows:

      NAME         PreconfiguredTunnelAction
      DESCRIPTION  Specifies preconfigured algorithm and keying
                   information for creation of an IPsec tunnel-mode
                   security association.
      DERIVED FROM PreconfiguredSAAction
      ABSTRACT     FALSE
      PROPERTIES   DFHandling

6.8.1. The Property DFHandling

   The property DFHandling specifies how the Don't Fragment (DF) bit of
   the internal IP header is to be handled during IPsec processing.  The
   property is defined as follows:

      NAME         DFHandling
      DESCRIPTION  Specifies the processing of the DF bit.
      SYNTAX       unsigned 16-bit integer
      VALUE        1 - Copy the DF bit from the internal IP header to
                   the external IP header.
                   2 - Set the DF bit of the external IP header to 1.
                   3 - Clear the DF bit of the external IP header to 0.

6.9. The Class SANegotiationAction

   The class SANegotiationAction specifies an action requesting security
   policy negotiation.

   This is an abstract class.  Currently, only one security policy
   negotiation protocol action is subclassed from SANegotiationAction:
   the IKENegotiationAction class.  It is nevertheless expected that
   other security policy negotiation protocols will exist and the
   negotiation actions of those new protocols would be modeled as a
   subclass of SANegotiationAction.

      NAME         SANegotiationAction
      DESCRIPTION  Specifies a negotiation action.
      DERIVED FROM SAAction
      ABSTRACT     TRUE

6.10. The Class IKENegotiationAction

   The class IKENegotiationAction is abstract and serves as the base
   class for IKE and IPsec actions that result in an IKE negotiation.
   The class definition for IKENegotiationAction is as follows:

      NAME         IKENegotiationAction
      DESCRIPTION  A base class for IKE and IPsec actions that specifies
                   the parameters that are common for IKE phase 1 and
                   IKE phase 2 IPsec DOI negotiations.
      DERIVED FROM SANegotiationAction
      ABSTRACT     TRUE
      PROPERTIES   MinLifetimeSeconds
                   MinLifetimeKilobytes
                   IdleDurationSeconds

6.10.1. The Property MinLifetimeSeconds

   The property MinLifetimeSeconds specifies the minimum seconds in a
   lifetime that will be accepted from the peer.  MinLifetimeSeconds is
   used to prevent certain denial of service attacks where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with expensive Diffie-Hellman operations.  The property is defined as
   follows:

      NAME         MinLifetimeSeconds
      DESCRIPTION  Specifies the minimum seconds acceptable in a
                   lifetime.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that there is no minimum
                   value.  A non-zero value specifies the minimum
                   seconds lifetime.

   Note: while IKE can negotiate the lifetime as an arbitrary length
   field, the authors have assumed that a 64-bit integer will be
   sufficient.

6.10.2. The Property MinLifetimeKilobytes

   The property MinLifetimeKilobytes specifies the minimum kilobytes of
   a lifetime that will be accepted from the peer.  MinLifetimeKilobytes
   is used to prevent certain denial of service attacks, where the peer
   requests an arbitrarily low lifetime value, causing renegotiations
   with correspondingly expensive Diffie-Hellman operations.  Note that
   there has been considerable debate regarding the usefulness of
   applying kilobyte lifetimes to IKE phase 1 security associations, so
   it is likely that this property will only apply to the sub-class
   IPsecAction.  The property is defined as follows:

      NAME         MinLifetimeKilobytes
      DESCRIPTION  Specifies the minimum kilobytes acceptable in a
                   lifetime.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that there is no minimum
                   value.  A non-zero value specifies the minimum
                   kilobytes lifetime.

   Note: While IKE can negotiate the lifetime as an arbitrary length
   field, the authors have assumed that a 64-bit integer will be
   sufficient.

6.10.3. The Property IdleDurationSeconds

   The property IdleDurationSeconds specifies how many seconds a
   security association may remain idle (i.e., no traffic protected
   using the security association) before it is deleted.  The property
   is defined as follows:

      NAME         IdleDurationSeconds
      DESCRIPTION  Specifies how long, in seconds, a security
                   association may remain unused before it is deleted.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that idle detection should
                   not be used for the security association (only the
                   seconds and kilobyte lifetimes will be used).  Any
                   non-zero value indicates the number of seconds the
                   security association may remain unused.
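
The three IKENegotiationAction properties above are policy knobs that a
negotiation engine has to enforce on what the peer proposes.  The following
is an added example, not code from the RFC or from any implementation: it
models the "zero means disabled" semantics and applies them as a responder
would when a peer offers a lifetime (the denial-of-service case the text
describes) and when deciding whether an unused SA should be deleted.  The
class and function names, and the choice to leave an absent lifetime kind
unchecked, are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

U64_MAX = 2**64 - 1  # SYNTAX of all three properties: unsigned 64-bit integer


@dataclass(frozen=True)
class IKENegotiationPolicy:
    """Hypothetical holder for the three IKENegotiationAction properties.

    A value of 0 means "no minimum" for the two lifetime properties and
    "no idle detection" for IdleDurationSeconds, as the model defines.
    """
    min_lifetime_seconds: int = 0
    min_lifetime_kilobytes: int = 0
    idle_duration_seconds: int = 0

    def __post_init__(self) -> None:
        for name in ("min_lifetime_seconds", "min_lifetime_kilobytes",
                     "idle_duration_seconds"):
            value = getattr(self, name)
            if not 0 <= value <= U64_MAX:
                raise ValueError(f"{name} must be an unsigned 64-bit integer")


def check_proposed_lifetime(policy: IKENegotiationPolicy,
                            proposed_seconds: Optional[int],
                            proposed_kilobytes: Optional[int]) -> List[str]:
    """Return the names of the policy minimums a peer's lifetime proposal violates.

    An empty list means the proposal is acceptable.  None for a proposed
    value means the peer did not offer that kind of lifetime; such a value
    is not checked here (assumption: absence is handled by the proposal
    matching logic, not by these minimums).
    """
    violations: List[str] = []
    # A zero minimum disables the check, so the peer may then propose any value.
    if (policy.min_lifetime_seconds and proposed_seconds is not None
            and proposed_seconds < policy.min_lifetime_seconds):
        violations.append("MinLifetimeSeconds")
    if (policy.min_lifetime_kilobytes and proposed_kilobytes is not None
            and proposed_kilobytes < policy.min_lifetime_kilobytes):
        violations.append("MinLifetimeKilobytes")
    return violations


def sa_idle_expired(policy: IKENegotiationPolicy,
                    last_traffic_at: int, now: int) -> bool:
    """True if an SA that last carried traffic at last_traffic_at should be
    deleted for idleness (both arguments are seconds on the same clock)."""
    if policy.idle_duration_seconds == 0:
        return False  # idle detection off: only the seconds/kilobyte lifetimes apply
    return now - last_traffic_at >= policy.idle_duration_seconds


if __name__ == "__main__":
    # Constructed sample policy: refuse lifetimes under one hour / 100 MB and
    # delete SAs that carried no traffic for five minutes.
    policy = IKENegotiationPolicy(min_lifetime_seconds=3600,
                                  min_lifetime_kilobytes=102400,
                                  idle_duration_seconds=300)
    print(check_proposed_lifetime(policy, 600, 204800))   # ['MinLifetimeSeconds']
    print(sa_idle_expired(policy, last_traffic_at=1000, now=1300))  # True
```

Rejecting the proposal (rather than silently accepting the peer's lower
value) is what keeps an adversarial peer from forcing repeated
Diffie-Hellman work; what the responder answers with after a rejection is
left to the IKE exchange itself.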

6.11. The Class IPsecAction

   The class IPsecAction serves as the base class for IPsec transport
   and tunnel actions.  It specifies the parameters used for an IKE
   phase 2 IPsec DOI negotiation.  The class definition for IPsecAction
   is as follows:

      NAME         IPsecAction
      DESCRIPTION  A base class for IPsec transport and tunnel actions
                   that specifies the parameters for IKE phase 2 IPsec
                   DOI negotiations.
      DERIVED FROM IKENegotiationAction
      ABSTRACT     TRUE
      PROPERTIES   UsePFS
                   UseIKEGroup
                   GroupId
                   Granularity
                   VendorID

6.11.1. The Property UsePFS

   The property UsePFS specifies whether or not perfect forward secrecy
   should be used when refreshing keys.  The property is defined as
   follows:

      NAME         UsePFS
      DESCRIPTION  Specifies whether or not to use PFS when refreshing
                   keys.
      SYNTAX       boolean
      VALUE        A value of true indicates that PFS should be used.  A
                   value of false indicates that PFS should not be used.

6.11.2. The Property UseIKEGroup

   The property UseIKEGroup specifies whether or not phase 2 should use
   the same key exchange group as was used in phase 1.  UseIKEGroup is
   ignored if UsePFS is false.  The property is defined as follows:

      NAME         UseIKEGroup
      DESCRIPTION  Specifies whether or not to use the same GroupId for
                   phase 2 as was used in phase 1.  If UsePFS is false,
                   then UseIKEGroup is ignored.
      SYNTAX       boolean
      VALUE        A value of true indicates that the phase 2 GroupId
                   should be the same as phase 1.  A value of false
                   indicates that the property GroupId will contain the
                   key exchange group to use for phase 2.

6.11.3. The Property GroupId

   The property GroupId specifies the key exchange group to use for
   phase 2.  GroupId is ignored if (1) the property UsePFS is false, or
   (2) the property UsePFS is true and the property UseIKEGroup is true.
   If the GroupId number is from the vendor-specific range (32768-
   65535), the property VendorID qualifies the group number.  The
   property is defined as follows:

      NAME         GroupId
      DESCRIPTION  Specifies the key exchange group to use for phase 2
                   when the property UsePFS is true and the property
                   UseIKEGroup is false.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [IKE] for valid values.

6.11.4. The Property Granularity

   The property Granularity specifies how the selector for the security
   association should be derived from the traffic that triggered the
   negotiation.  The property is defined as follows:

      NAME         Granularity
      DESCRIPTION  Specifies how the proposed selector for the
                   security association will be created.
      SYNTAX       unsigned 16-bit integer
      VALUE        1 - subnet: the source and destination subnet masks
                   of the filter entry are used.
                   2 - address: only the source and destination IP
                   addresses of the triggering packet are used.
                   3 - protocol: the source and destination IP addresses
                   and the IP protocol of the triggering packet are
                   used.
                   4 - port: the source and destination IP addresses and
                   the IP protocol and the source and destination layer
                   4 ports of the triggering packet are used.

6.11.5. The Property VendorID

   The property VendorID is used together with the property GroupId
   (when it is in the vendor-specific range) to identify the key
   exchange group.  VendorID is ignored unless UsePFS is true,
   UseIKEGroup is false and GroupId is in the vendor-specific range
   (32768-65535).  The property is defined as follows:

      NAME         VendorID
      DESCRIPTION  Specifies the IKE Vendor ID.
      SYNTAX       string
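
Sections 6.11.1 through 6.11.5 define a precedence chain (UsePFS, then
UseIKEGroup, then GroupId qualified by VendorID) and a Granularity
enumeration that together fix what an IPsecAction proposes in phase 2.  The
following is an added example, not code from the RFC or from any
implementation, that resolves both: the Diffie-Hellman group to propose and
the selector derived from the triggering packet.  Class, function and field
names are assumptions, the sample packet and filter subnets are constructed,
and the check that the trigger lies inside the matched filter entry is an
added sanity check the model does not spell out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Vendor-specific key exchange group numbers (6.11.3 / 6.11.5).
VENDOR_SPECIFIC_GROUPS = range(32768, 65536)


@dataclass(frozen=True)
class IPsecActionParams:
    """Hypothetical holder for the IPsecAction properties (all names assumed)."""
    use_pfs: bool
    use_ike_group: bool
    group_id: int = 0
    vendor_id: str = ""     # only meaningful for a vendor-specific GroupId
    granularity: int = 4


def phase2_group(params: IPsecActionParams,
                 phase1_group: int) -> Optional[Tuple[int, Optional[str]]]:
    """Resolve the key exchange group to propose in phase 2.

    Returns None when no PFS group is negotiated, otherwise
    (group number, VendorID-or-None), following the precedence rules:
    UsePFS false -> UseIKEGroup, GroupId and VendorID are all ignored;
    UseIKEGroup true -> reuse the phase 1 group, GroupId/VendorID ignored;
    otherwise GroupId, qualified by VendorID when in the vendor range.
    """
    if not params.use_pfs:
        return None
    if params.use_ike_group:
        return (phase1_group, None)
    if params.group_id in VENDOR_SPECIFIC_GROUPS:
        if not params.vendor_id:
            raise ValueError("vendor-specific GroupId requires a VendorID")
        return (params.group_id, params.vendor_id)
    return (params.group_id, None)


@dataclass(frozen=True)
class TriggerPacket:
    """Constructed 5-tuple of the packet that triggered the negotiation."""
    src: str
    dst: str
    protocol: int
    sport: int
    dport: int


@dataclass(frozen=True)
class MatchedFilter:
    """Source/destination subnets of the filter entry the packet matched."""
    src_net: str
    dst_net: str


def proposed_selector(granularity: int, pkt: TriggerPacket,
                      filt: MatchedFilter) -> Dict[str, object]:
    """Build the selector to propose for the SA according to Granularity:
    1 subnet, 2 address, 3 protocol, 4 port, as enumerated in 6.11.4.
    Addresses are returned in CIDR form so host and subnet selectors read alike."""
    if granularity == 1:
        src_net, dst_net = ip_network(filt.src_net), ip_network(filt.dst_net)
        # Added sanity check: the trigger must lie inside the filter's subnets.
        if ip_address(pkt.src) not in src_net or ip_address(pkt.dst) not in dst_net:
            raise ValueError("triggering packet is outside the matched filter entry")
        return {"src": str(src_net), "dst": str(dst_net),
                "protocol": None, "sport": None, "dport": None}
    if granularity not in (2, 3, 4):
        raise ValueError(f"unknown Granularity value {granularity}")
    selector: Dict[str, object] = {
        "src": str(ip_network(pkt.src)),   # host prefix, /32 or /128
        "dst": str(ip_network(pkt.dst)),
        "protocol": None, "sport": None, "dport": None,
    }
    if granularity >= 3:
        selector["protocol"] = pkt.protocol
    if granularity == 4:
        selector["sport"], selector["dport"] = pkt.sport, pkt.dport
    return selector
```

A narrower Granularity (port) creates one SA per flow and so more
negotiations; a wider one (subnet) shares one SA across every flow matched by
the filter entry, which is the usual trade-off between selector precision and
SA count.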

6.12. The Class IPsecTransportAction

   The class IPsecTransportAction is a subclass of IPsecAction that is
   used to specify use of an IPsec transport-mode security association.
   The class definition for IPsecTransportAction is as follows:

      NAME         IPsecTransportAction
      DESCRIPTION  Specifies that an IPsec transport-mode security
                   association should be negotiated.
      DERIVED FROM IPsecAction
      ABSTRACT     FALSE

6.13. The Class IPsecTunnelAction

   The class IPsecTunnelAction is a subclass of IPsecAction that is used
   to specify use of an IPsec tunnel-mode security association.  The
   class definition for IPsecTunnelAction is as follows:

      NAME         IPsecTunnelAction
      DESCRIPTION  Specifies that an IPsec tunnel-mode security
                   association should be negotiated.
      DERIVED FROM IPsecAction
      ABSTRACT     FALSE
      PROPERTIES   DFHandling

6.13.1. The Property DFHandling

   The property DFHandling specifies how the tunnel should manage the
   Don't Fragment (DF) bit.  The property is defined as follows:

      NAME         DFHandling
      DESCRIPTION  Specifies how to process the DF bit.
      SYNTAX       unsigned 16-bit integer
      VALUE        1 - Copy the DF bit from the internal IP header to
                   the external IP header.
                   2 - Set the DF bit of the external IP header to 1.
                   3 - Clear the DF bit of the external IP header to 0.

6.14. The Class IKEAction

   The class IKEAction specifies the parameters that are to be used for
   IKE phase 1 negotiation.  The class definition for IKEAction is as
   follows:

      NAME         IKEAction
      DESCRIPTION  Specifies the IKE phase 1 negotiation parameters.
      DERIVED FROM IKENegotiationAction
      ABSTRACT     FALSE
      PROPERTIES   ExchangeMode
                   UseIKEIdentityType
                   VendorID
                   AggressiveModeGroupId

6.14.1. The Property ExchangeMode

   The property ExchangeMode specifies which IKE mode should be used for
   IKE phase 1 negotiations.  The property is defined as follows:

      NAME         ExchangeMode
      DESCRIPTION  Specifies the IKE negotiation mode for phase 1.
      SYNTAX       unsigned 16-bit integer
      VALUE        1 - base mode
                   2 - main mode
                   4 - aggressive mode

6.14.2. The Property UseIKEIdentityType

   The property UseIKEIdentityType specifies what IKE identity type
   should be used when negotiating with the peer.  This information is
   used in conjunction with the IKE identities available on the system
   and the IdentityContexts of the matching IKERule.  The property is
   defined as follows:

      NAME         UseIKEIdentityType
      DESCRIPTION  Specifies the IKE identity to use during negotiation.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [DOI] for valid values.

6.14.3. The Property VendorID

   The property VendorID specifies the value to be used in the Vendor ID
   payload.  The property is defined as follows:

      NAME         VendorID
      DESCRIPTION  Vendor ID Payload.
      SYNTAX       string
      VALUE        A value of NULL means that Vendor ID payload will be
                   neither generated nor accepted.  A non-NULL value
                   means that a Vendor ID payload will be generated
                   (when acting as an initiator) or is expected (when
                   acting as a responder).

6.14.4. The Property AggressiveModeGroupId

   The property AggressiveModeGroupId specifies which group ID is to be
   used in the first packets of the phase 1 negotiation.  This property
   is ignored unless the property ExchangeMode is set to 4 (aggressive
   mode).  If the AggressiveModeGroupId number is from the vendor-
   specific range (32768-65535), the property VendorID qualifies the
   group number.  The property is defined as follows:

      NAME         AggressiveModeGroupId
      DESCRIPTION  Specifies the group ID to be used for aggressive
                   mode.
      SYNTAX       unsigned 16-bit integer
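
The IKEAction properties in 6.14.1 through 6.14.4 interact: the
AggressiveModeGroupId only matters when ExchangeMode is 4, a vendor-range
group needs the VendorID to qualify it, and a NULL VendorID means the Vendor
ID payload is neither generated nor accepted.  The following is an added
example, not code from the RFC or from any implementation, that derives from
an IKEAction what the first phase 1 packet carries (as initiator) or is
expected to contain (as responder), and applies the Vendor ID acceptance rule
on the responder side.  Names are assumptions; reading "expected" as an
exact-match requirement is a strict interpretation, also an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# ExchangeMode values from 6.14.1.
BASE_MODE, MAIN_MODE, AGGRESSIVE_MODE = 1, 2, 4
VALID_EXCHANGE_MODES = (BASE_MODE, MAIN_MODE, AGGRESSIVE_MODE)
# Vendor-specific group number range (6.14.4).
VENDOR_SPECIFIC_GROUPS = range(32768, 65536)


@dataclass(frozen=True)
class IKEActionParams:
    """Hypothetical holder for the IKEAction properties (all names assumed)."""
    exchange_mode: int
    use_ike_identity_type: int
    vendor_id: Optional[str] = None   # None models the NULL value of 6.14.3
    aggressive_mode_group_id: int = 0

    def __post_init__(self) -> None:
        if self.exchange_mode not in VALID_EXCHANGE_MODES:
            raise ValueError(f"ExchangeMode {self.exchange_mode} is not 1, 2 or 4")
        if not 0 <= self.aggressive_mode_group_id < 2**16:
            raise ValueError("AggressiveModeGroupId must be an unsigned 16-bit integer")


def first_message_plan(params: IKEActionParams, role: str) -> Dict[str, object]:
    """Describe what the first phase 1 packet carries (initiator) or must
    contain (responder), derived from the IKEAction alone."""
    if role not in ("initiator", "responder"):
        raise ValueError("role must be 'initiator' or 'responder'")
    plan: Dict[str, object] = {
        "exchange_mode": params.exchange_mode,
        "identity_type": params.use_ike_identity_type,
        "vendor_id_payload": None,     # NULL: neither generated nor accepted
        "key_exchange_group": None,    # fixed up front only in aggressive mode
    }
    if params.vendor_id is not None:
        action = "generate" if role == "initiator" else "expect"
        plan["vendor_id_payload"] = (action, params.vendor_id)
    if params.exchange_mode == AGGRESSIVE_MODE:
        gid = params.aggressive_mode_group_id
        if gid in VENDOR_SPECIFIC_GROUPS:
            if params.vendor_id is None:
                raise ValueError("vendor-specific AggressiveModeGroupId needs a VendorID")
            plan["key_exchange_group"] = (gid, params.vendor_id)
        else:
            plan["key_exchange_group"] = (gid, None)
    return plan


def responder_accepts_vendor_id(params: IKEActionParams,
                                received: Optional[str]) -> bool:
    """Vendor ID acceptance on the responder side.
    NULL policy: no Vendor ID payload is accepted.  Non-NULL policy: a payload
    is expected and (strict reading, an assumption) must match exactly."""
    if params.vendor_id is None:
        return received is None
    return received == params.vendor_id
```

In main or base mode the group is negotiated inside the exchange, which is
why the plan leaves it unset there; aggressive mode has to commit to a group
in the very first packet, and that is the only case in which
AggressiveModeGroupId is consulted.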

6.15. The Class PeerGateway

   The class PeerGateway specifies the security gateway with which the
   IKE service negotiates.  The class definition for PeerGateway is as
   follows:

      NAME         PeerGateway
      DESCRIPTION  Specifies the security gateway with which to
                   negotiate.
      DERIVED FROM LogicalElement (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Name
                   PeerIdentityType
                   PeerIdentity

   Note: The class PeerIdentityEntry contains more information about the
   peer (namely its IP address).

6.15.1. The Property Name

   The property Name specifies a user-friendly name for this security
   gateway.  The property is defined as follows:

      NAME         Name
      DESCRIPTION  Specifies a user-friendly name for this security
                   gateway.
      SYNTAX       string

6.15.2. The Property PeerIdentityType

   The property PeerIdentityType specifies the IKE identity type of the
   security gateway.  The property is defined as follows:

      NAME         PeerIdentityType
      DESCRIPTION  Specifies the IKE identity type of the security
                   gateway.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [DOI] for valid values.

6.15.3. The Property PeerIdentity

   The property PeerIdentity specifies the IKE identity value of the
   security gateway.  Based upon the storage chosen for the task-
   specific mapping of the information model, a conversion may be needed
   from the stored representation of the PeerIdentity string to the real
   value used in the ID payload (e.g., IP address is to be converted
   from a dotted decimal string into 4 bytes).  The property is defined
   as follows:

      NAME         PeerIdentity
      DESCRIPTION  Specifies the IKE identity value of the security
                   gateway.
      SYNTAX       string

6.16. The Association Class PeerGatewayForTunnel

   The class PeerGatewayForTunnel associates IPsecTunnelActions with an
   ordered list of PeerGateways.  The class definition for
   PeerGatewayForTunnel is as follows:

      NAME         PeerGatewayForTunnel
      DESCRIPTION  Associates IPsecTunnelActions with an ordered list of
                   PeerGateways.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                   Dependent [ref IPsecTunnelAction[0..n]]
                   SequenceNumber

6.16.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that an IPsecTunnelAction instance may be
   associated with zero or more PeerGateway instances.

   Note: The cardinality 0 has a specific meaning:

   -  when the IKE service acts as a responder, this means that the IKE
      service will accept phase 1 negotiation with any other security
      gateway;

   -  when the IKE service acts as an initiator, this means that the IKE
      service will use the destination IP address (of the IP packets
      which triggered the SARule) as the IP address of the peer IKE
      entity.

6.16.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IPsecTunnelAction instance.  The [0..n] cardinality
   indicates that a PeerGateway instance may be associated with zero or
   more IPsecTunnelAction instances.

6.16.3. The Property SequenceNumber

   The property SequenceNumber specifies the ordering to be used when
   evaluating PeerGateway instances for a given IPsecTunnelAction.  The
   property is defined as follows:

      NAME         SequenceNumber
      DESCRIPTION  Specifies the order of evaluation for PeerGateways.
      SYNTAX       unsigned 16-bit integer
      VALUE        Lower values are evaluated first.

6.17. The Aggregation Class ContainedProposal

   The class ContainedProposal associates an ordered list of SAProposals
   with the IKENegotiationAction that aggregates it.  If the referenced
   IKENegotiationAction object is an IKEAction, then the referenced
   SAProposal object(s) must be IKEProposal(s).  If the referenced
   IKENegotiationAction object is an IPsecTransportAction or an
   IPsecTunnelAction, then the referenced SAProposal object(s) must be
   IPsecProposal(s).  The class definition for ContainedProposal is as
   follows:

      NAME         ContainedProposal
      DESCRIPTION  Associates an ordered list of SAProposals with an
                   IKENegotiationAction.
      DERIVED FROM PolicyComponent (see [PCIM])
      ABSTRACT     FALSE
      PROPERTIES   GroupComponent[ref IKENegotiationAction[0..n]]
                   PartComponent[ref SAProposal[1..n]]
                   SequenceNumber

6.17.1. The Reference GroupComponent

   The property GroupComponent is inherited from PolicyComponent and
   is overridden to refer to an IKENegotiationAction instance.  The
   [0..n] cardinality indicates that an SAProposal instance may be
   associated with zero or more IKENegotiationAction instances.

6.17.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SAProposal instance.  The [1..n]
   cardinality indicates that an IKENegotiationAction instance MUST be
   associated with at least one SAProposal instance.

6.17.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for the
   SAProposals.  The property is defined as follows:

      NAME         SequenceNumber
      DESCRIPTION  Specifies the preference order for the SAProposals.
      SYNTAX       unsigned 16-bit integer
      VALUE        Lower-valued proposals are preferred over proposals
                   with higher values.  For ContainedProposals that
                   reference the same IKENegotiationAction,
                   SequenceNumber values must be unique.
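
Both PeerGatewayForTunnel (6.16) and ContainedProposal (6.17) order their
members by a SequenceNumber, and ContainedProposal adds three constraints: at
least one SAProposal per action, unique SequenceNumbers per action, and a
proposal type that matches the action type.  The following is an added
example, not code from the RFC or from any implementation, that validates
one action's ContainedProposals and returns its proposals in preference
order, and orders the PeerGateways of a tunnel action the same way.  Class
and function names and the stand-in proposal classes are assumptions.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple, Union


@dataclass(frozen=True)
class IKEProposal:          # stand-in for the IKEProposal class
    name: str


@dataclass(frozen=True)
class IPsecProposal:        # stand-in for the IPsecProposal class
    name: str


@dataclass(frozen=True)
class ContainedProposal:
    """One ContainedProposal instance (PartComponent + SequenceNumber); the
    GroupComponent side is identified by the caller's action_kind."""
    part: Union[IKEProposal, IPsecProposal]
    sequence_number: int


# Which SAProposal subclass each concrete IKENegotiationAction may aggregate.
ALLOWED_PROPOSAL = {
    "IKEAction": IKEProposal,
    "IPsecTransportAction": IPsecProposal,
    "IPsecTunnelAction": IPsecProposal,
}


def ordered_proposals(action_kind: str,
                      links: Sequence[ContainedProposal]
                      ) -> List[Union[IKEProposal, IPsecProposal]]:
    """Validate the ContainedProposals of one action and return its
    proposals in preference order (lowest SequenceNumber first)."""
    if action_kind not in ALLOWED_PROPOSAL:
        raise ValueError(f"{action_kind} is not a concrete IKENegotiationAction")
    if not links:
        raise ValueError("PartComponent [1..n]: at least one SAProposal is required")
    seen = set()
    for link in links:
        if not isinstance(link.part, ALLOWED_PROPOSAL[action_kind]):
            raise TypeError(f"{action_kind} may only aggregate "
                            f"{ALLOWED_PROPOSAL[action_kind].__name__}")
        if not 0 <= link.sequence_number < 2**16:
            raise ValueError("SequenceNumber must be an unsigned 16-bit integer")
        if link.sequence_number in seen:
            raise ValueError(f"duplicate SequenceNumber {link.sequence_number}")
        seen.add(link.sequence_number)
    return [link.part for link in sorted(links, key=lambda l: l.sequence_number)]


def ordered_peer_gateways(links: Sequence[Tuple[str, int]]) -> List[str]:
    """PeerGatewayForTunnel ordering over (gateway name, SequenceNumber)
    pairs, lowest first.  An empty list is valid ([0..n]) and means "any
    gateway" as responder or "use the packet's destination" as initiator."""
    for _, seq in links:
        if not 0 <= seq < 2**16:
            raise ValueError("SequenceNumber must be an unsigned 16-bit integer")
    return [name for name, _ in sorted(links, key=lambda item: item[1])]
```

Rejecting duplicate SequenceNumbers at load time matters because two
proposals with the same value leave the preference order undefined, and an
undefined order can silently let a weaker proposal win.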

6.18. The Association Class HostedPeerGatewayInformation

   The class HostedPeerGatewayInformation weakly associates a
   PeerGateway with a System.  The class definition for
   HostedPeerGatewayInformation is as follows:

      NAME         HostedPeerGatewayInformation
      DESCRIPTION  Weakly associates a PeerGateway with a System.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref System[1..1]]
                   Dependent [ref PeerGateway[0..n] [weak]]

6.18.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that a PeerGateway instance MUST be associated with one and
   only one System instance.

6.18.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to a PeerGateway instance.  The [0..n] cardinality indicates
   that a System instance may be associated with zero or more
   PeerGateway instances.

6.19. The Association Class TransformOfPreconfiguredAction

   The class TransformOfPreconfiguredAction associates a
   PreconfiguredSAAction with two, four or six SATransforms that will be
   applied to the inbound and outbound traffic.  The order of
   application of the SATransforms is implicitly defined in [IPSEC].
   The class definition for TransformOfPreconfiguredAction is as
   follows:

      NAME         TransformOfPreconfiguredAction
      DESCRIPTION  Associates a PreconfiguredSAAction with from one to
                   three SATransforms.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent[ref SATransform[2..6]]
                   Dependent[ref PreconfiguredSAAction[0..n]]
                   SPI
                   Direction

6.19.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an SATransform instance.  The [2..6]
   cardinality indicates that a PreconfiguredSAAction instance may be
   associated with two to six SATransform instances.

6.19.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to a PreconfiguredSAAction instance.  The [0..n] cardinality
   indicates that a SATransform instance may be associated with zero or
   more PreconfiguredSAAction instances.

6.19.3. The Property SPI

   The property SPI specifies the SPI to be used by the pre-configured
   action for the associated transform.  The property is defined as
   follows:

      NAME         SPI
      DESCRIPTION  Specifies the SPI to be used with the SATransform.
      SYNTAX       unsigned 32-bit integer

6.19.4. The Property Direction

   The property Direction specifies whether the SPI property is for
   inbound or outbound traffic.  The property is defined as follows:

      NAME         Direction
      DESCRIPTION  Specifies whether the SA is for inbound or outbound
                   traffic.
      SYNTAX       unsigned 8-bit integer
      VALUE        1 - this SA is for inbound traffic
                   2 - this SA is for outbound traffic
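
A manually keyed action is only complete when its TransformOfPreconfiguredAction
set respects the [2..6] cardinality, every link carries a valid Direction
and a 32-bit SPI, and the tunnel variant also has a DFHandling value it can
apply.  The following is an added example, not code from the RFC or from any
implementation, that checks one PreconfiguredSAAction's transform links and
splits them by direction, and computes the outer DF bit for the three
DFHandling values of 6.13.1.  Names are assumptions, the SPIs and transform
labels are constructed, and requiring the same number of transforms in each
direction is a reading of "two, four or six" that the model implies but does
not state outright.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence

INBOUND, OUTBOUND = 1, 2              # Direction values from 6.19.4
DF_COPY, DF_SET, DF_CLEAR = 1, 2, 3   # DFHandling values from 6.13.1


@dataclass(frozen=True)
class TransformLink:
    """One TransformOfPreconfiguredAction instance: the SATransform it refers
    to (named here by a constructed label), plus its SPI and Direction."""
    transform: str
    spi: int
    direction: int


def validate_preconfigured_transforms(
        links: Sequence[TransformLink]) -> Dict[str, List[TransformLink]]:
    """Check the link set of one PreconfiguredSAAction and split it by direction.

    Enforces the [2..6] cardinality (2, 4 or 6 links), Direction in {1, 2},
    a 32-bit SPI and (assumption) equal counts per direction.  The relative
    order of the links is preserved; [IPSEC] fixes the application order.
    """
    if len(links) not in (2, 4, 6):
        raise ValueError(f"expected 2, 4 or 6 SATransforms, got {len(links)}")
    by_direction: Dict[int, List[TransformLink]] = {INBOUND: [], OUTBOUND: []}
    for link in links:
        if link.direction not in by_direction:
            raise ValueError(f"Direction {link.direction} is not 1 (inbound) or 2 (outbound)")
        if not 0 <= link.spi < 2**32:
            raise ValueError("SPI must be an unsigned 32-bit integer")
        by_direction[link.direction].append(link)
    if len(by_direction[INBOUND]) != len(by_direction[OUTBOUND]):
        raise ValueError("inbound and outbound transform counts differ")
    return {"inbound": by_direction[INBOUND], "outbound": by_direction[OUTBOUND]}


def outer_df_bit(inner_df: int, df_handling: int) -> int:
    """DF bit to write into the outer (tunnel) IP header for a given inner DF bit."""
    if inner_df not in (0, 1):
        raise ValueError("DF bit must be 0 or 1")
    if df_handling == DF_COPY:
        return inner_df
    if df_handling == DF_SET:
        return 1
    if df_handling == DF_CLEAR:
        return 0
    raise ValueError(f"unknown DFHandling value {df_handling}")


if __name__ == "__main__":
    # Constructed example: an ESP transform and an AH transform in each direction.
    sample = [TransformLink("ESP", 0x1001, INBOUND), TransformLink("ESP", 0x2001, OUTBOUND),
              TransformLink("AH", 0x1002, INBOUND), TransformLink("AH", 0x2002, OUTBOUND)]
    grouped = validate_preconfigured_transforms(sample)
    print([hex(l.spi) for l in grouped["inbound"]])    # ['0x1001', '0x1002']
    print(outer_df_bit(1, DF_CLEAR))                   # 0
```

Clearing the DF bit (value 3) lets the tunnel fragment the outer packet
instead of dropping it when the encapsulation overhead pushes it past the
path MTU; copying (value 1) preserves the inner host's intent, and setting
(value 2) forces path MTU discovery on the outer path.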

6.20. The Association Class PeerGatewayForPreconfiguredTunnel

   The class PeerGatewayForPreconfiguredTunnel associates zero or one
   PeerGateways with multiple PreconfiguredTunnelActions.  The class
   definition for PeerGatewayForPreconfiguredTunnel is as follows:

      NAME         PeerGatewayForPreconfiguredTunnel
      DESCRIPTION  Associates a PeerGateway with multiple
                   PreconfiguredTunnelActions.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent[ref PeerGateway[0..1]]
                   Dependent[ref PreconfiguredTunnelAction[0..n]]

6.20.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..1]
   cardinality indicates that a PreconfiguredTunnelAction instance may
   be associated with zero or one PeerGateway instance.

6.20.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to a PreconfiguredTunnelAction instance.  The [0..n]
   cardinality indicates that a PeerGateway instance may be associated
   with zero or more PreconfiguredTunnelAction instances.
