RFC 3585
IPsec Configuration Policy Information Model
Pages: 88
Proposed Standard
Proposed Standard
Part 2 of 4 – Pages 22 to 49
5. Condition and Filter Classes
The IPsec condition and filter classes are used to build the "if" part of the IKE and IPsec rules. *+-------------+ +--------------------| SACondition | | +-------------+ | * | | |(a) | 1 | | +---------------+ | | FilterList | | |([CIMNETWORK]) | | +---------------+ | 1 o |(b) |(c) | * | | +-----------------+ | | FilterEntryBase | | | ([CIMNETWORK]) | | +-----------------+ | ^ | | | +-----------------+ | +-----------------------+ | | IPHeadersFilter |----+----| CredentialFilterEntry | | | ([PCIME]) | | +-----------------------+ | +-----------------+ | | | | +-----------------+ | +--------------------------+ | | IPSOFilterEntry |----+----| PeerIDPayloadFilterEntry | | +-----------------+ +--------------------------+ | | *+-----------------------------+ +------------| CredentialManagementService | | ([CIMUSER]) | +-----------------------------+ (a) FilterOfSACondition (b) AcceptCredentialsFrom (c) EntriesInFilterList (see [CIMNETWORK])
5.1. The Class SACondition
The class SACondition defines the conditions of rules for IKE and IPsec negotiations. Conditions are associated with policy rules via the SAConditionInRule aggregation. It is used as an anchor point to associate various types of filters with policy rules via the FilterOfSACondition association. It also defines whether Credentials can be accepted for a particular policy rule via the AcceptCredentialsFrom association. Associated objects represent components of the condition that may or may not apply at a given rule evaluation. For example, an AcceptCredentialsFrom evaluation is only performed when a credential is available to be evaluated against the list of trusted credential management services. Similarly, a PeerIDPayloadFilterEntry may only be evaluated when an IDPayload value is available to compare with the filter. Condition components that do not have corresponding values with which to evaluate are evaluated as TRUE unless the protocol has completed without providing the required information. The class definition for SACondition is as follows: NAME SACondition DESCRIPTION Defines the preconditions for IKE and IPsec negotiations. DERIVED FROM PolicyCondition (see [PCIM]) ABSTRACT FALSE PROPERTIES PolicyConditionName (from PolicyCondition)5.2. The Class IPHeadersFilter
The class IPHeadersFilter is defined in [PCIME] with the following note: 1) to specify 5-tuple filters that are to apply symmetrically (i.e., matches traffic in both directions of the same flows which is quite typical for SPD entries for ingress and egress traffic), the Direction property of the FilterList SHOULD be set to "Mirrored".5.3. The Class CredentialFilterEntry
The class CredentialFilterEntry defines an equivalence class that match credentials of IKE peers. Each CredentialFilterEntry includes a MatchFieldName that is interpreted according to the CredentialManagementService(s) associated with the SACondition (AcceptCredentialsFrom).
These credentials can be X.509 certificates, Kerberos tickets, or
other types of credentials obtained during the Phase 1 exchange.
Note: this filter entry will probably be checked while the IKE
negotiation takes place. If the check is a failure, then the IKE
negotiation MUST be stopped, and the result of the IKEAction which
triggered this negotiation is a failure.
The class definition for CredentialFilterEntry is as follows:
NAME CredentialFilterEntry
DESCRIPTION Specifies a match filter based on the IKE
credentials.
DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase)
MatchFieldName
MatchFieldValue
CredentialType
5.3.1. The Property MatchFieldName
The property MatchFieldName specifies the sub-part of the credential
to match against MatchFieldValue. The property is defined as
follows:
NAME MatchFieldName
DESCRIPTION Specifies which sub-part of the credential to match.
SYNTAX string
VALUE This is the string representation of a X.509
certificate attribute, e.g.:
- "serialNumber"
- "signatureAlgorithm"
- "issuerName"
- "subjectName"
- "subjectAltName"
- ...
5.3.2. The Property MatchFieldValue
The property MatchFieldValue specifies the value to compare with the
MatchFieldName in a credential to determine if the credential matches
this filter entry. The property is defined as follows:
NAME MatchFieldValue
DESCRIPTION Specifies the value to be matched by the
MatchFieldName.
SYNTAX string
VALUE NB: If the CredentialFilterEntry corresponds to a
DistinguishedName, this value in the CIM class is
represented by an ordinary string value. However, an
implementation must convert this string to a DER-
encoded string before matching against the values
extracted from credentials at runtime.
A wildcard mechanism may be used for MatchFieldNames that contain
character strings. The MatchFieldValue may contain a wildcard
character, '*', in the pattern match specification. For example, if
the MatchFieldName is "subjectName", then a MatchFieldValue of
"cn=*,ou=engineering,o=foo,c=be" will successfully match a
certificate whose subject attribute is "cn=Jane
Doe,ou=engineering,o=foo,c=be". The wildcard character can be used
to represent 0 or more characters as would be displayed to the user
(i.e., a wildcard pattern match operates on displayable character
boundaries).
5.3.3. The Property CredentialType
The property CredentialType specifies the particular type of
credential that is being matched. The property is defined as
follows:
NAME CredentialType
DESCRIPTION Defines the type of IKE credentials.
SYNTAX unsigned 16-bit integer
VALUE 1 - X.509 Certificate
2 - Kerberos Ticket
5.4. The Class IPSOFilterEntry
The class IPSOFilterEntry is used to match traffic based on the IP
Security Options [IPSO] header values (ClassificationLevel and
ProtectionAuthority) as defined in RFC 1108. This type of filter
entry is used to adjust the IPsec encryption level according to the
IPSO classification of the traffic (e.g., secret, confidential,
restricted, etc.) The class definition for IPSOFilterEntry is as
follows:
NAME IPSOFilterEntry
DESCRIPTION Specifies the a match filter based on IP Security
Options.
DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase)
MatchConditionType
MatchConditionValue
5.4.1. The Property MatchConditionType
The property MatchConditionType specifies the IPSO header field that
will be matched (e.g., traffic classification level or protection
authority). The property is defined as follows:
NAME MatchConditionType
DESCRIPTION Specifies the IPSO header field to be matched.
SYNTAX unsigned 16-bit integer
VALUE 1 - ClassificationLevel
2 - ProtectionAuthority
5.4.2. The Property MatchConditionValue
The property MatchConditionValue specifies the value of the IPSO
header field to be matched against. The property is defined as
follows:
NAME MatchConditionValue
DESCRIPTION Specifies the value of the IPSO header field to be
matched against.
SYNTAX unsigned 16-bit integer
VALUE The values MUST be one of values listed in RFC 1108
(or any further IANA Assigned Numbers document).
Some examples for ClassificationLevel are:
61 - TopSecret
90 - Secret
150 - Confidential
171 - Unclassified
For ProtectionAuthority, some examples are:
0 - GENSER
1 - SIOP-ESI
2 - SCI
3 - NSA
4 - DOE
5.5. The Class PeerIDPayloadFilterEntry
The class PeerIDPayloadFilterEntry defines filters used to match ID
payload values from the IKE protocol exchange.
PeerIDPayloadFilterEntry permits the specification of certain ID
payload values such as "*@example.com" or "192.0.2.0/24".
Obviously this filter applies only to IKERules when acting as a
responder. Moreover, this filter can be applied immediately in the
case of aggressive mode but its application is to be delayed in the
case of main mode. The class definition for PeerIDPayloadFilterEntry
is as follows:
NAME PeerIDPayloadFilterEntry
DESCRIPTION Specifies a match filter based on IKE identity.
DERIVED FROM FilterEntryBase (see [CIMNETWORK])
ABSTRACT FALSE
PROPERTIES Name (from FilterEntryBase)
IsNegated (from FilterEntryBase)
MatchIdentityType
MatchIdentityValue
5.5.1. The Property MatchIdentityType
The property MatchIdentityType specifies the type of identity
provided by the peer in the ID payload. The property is defined as
follows:
NAME MatchIdentityType
DESCRIPTION Specifies the ID payload type.
SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values.
5.5.2. The Property MatchIdentityValue
The property MatchIdentityValue specifies the filter value for
comparison with the ID payload, e.g., "*@example.com". The property
is defined as follows:
NAME MatchIdentityValue
DESCRIPTION Specifies the ID payload value.
SYNTAX string
VALUE NB: The syntax may need to be converted for
comparison. If the PeerIDPayloadFilterEntry type is
a DistinguishedName, the name in the
MatchIdentityValue property is represented by an
ordinary string value, but this value must be
converted into a DER-encoded string before matching
against the values extracted from IKE ID payloads at
runtime. The same applies to IPv4 & IPv6 addresses.
Different wildcard mechanisms can be used depending on the ID
payload:
- a MatchIdentityValue of "*@example.com" will match a user FQDN ID
payload of "JDOE@EXAMPLE.COM".
- a MatchIdentityValue of "*.example.com" will match a FQDN ID
payload of "WWW.EXAMPLE.COM".
- a MatchIdentityValue of "cn=*,ou=engineering,o=company,c=us" will
match a DER DN ID payload of "cn=John
Doe,ou=engineering,o=company,c=us".
- a MatchIdentityValue of "193.190.125.0/24" will match an IPv4
address ID payload of 193.190.125.10.
- a MatchIdentityValue of "193.190.125.*" will also match an IPv4
address ID payload of 193.190.125.10.
The above wildcard mechanisms MUST be supported for all ID payloads
supported by the local IKE entity. The character '*' replaces 0 or
multiple instances of any character as restricted by the type
specified by MatchIdentityType.
5.6. The Association Class FilterOfSACondition
The class FilterOfSACondition associates an SACondition with the
filter specifications (FilterList) that make up the condition. The
class definition for FilterOfSACondition is as follows:
NAME FilterOfSACondition
DESCRIPTION Associates a condition with the filter list that
makes up the individual condition elements.
DERIVED FROM Dependency (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Antecedent [ref FilterList[1..1]]
Dependent [ref SACondition[0..n]]
5.6.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is
overridden to refer to a FilterList instance. The [1..1] cardinality
indicates that an SACondition instance MUST be associated with one
and only one FilterList instance.
5.6.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to an SACondition instance. The [0..n] cardinality indicates that a FilterList instance may be associated with zero or more SACondition instances.5.7. The Association Class AcceptCredentialFrom
The class AcceptCredentialFrom specifies which credential management services (e.g., a CertificateAuthority or a Kerberos service) are to be trusted to certify peer credentials. This is used to assure that the credential being matched in the CredentialFilterEntry is a valid credential that has been supplied by an approved CredentialManagementService. If a CredentialManagementService is specified and a corresponding CredentialFilterEntry is used, but the credential supplied by the peer is not certified by that CredentialManagementService (or one of the CredentialManagementServices in its trust hierarchy), the CredentialFilterEntry is deemed not to match. If a credential is certified by a CredentialManagementService in the AcceptCredentialsFrom list of services, but there is no CredentialFilterEntry, this is considered equivalent to a CredentialFilterEntry that matches all credentials from those services. The class definition for AcceptCredentialFrom is as follows: NAME AcceptCredentialFrom DESCRIPTION Associates a condition with the credential management services to be trusted. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref CredentialManagementService[0..n]] Dependent [ref SACondition[0..n]]5.7.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a CredentialManagementService instance. The [0..n] cardinality indicates that an SACondition instance may be associated with zero or more CredentialManagementService instances.
5.7.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to a SACondition instance. The [0..n] cardinality indicates that a CredentialManagementService instance may be associated with zero or more SACondition instances.6. Action Classes
The action classes are used to model the different actions an IPsec device may take when the evaluation of the associated condition results in a match.
+----------+
| SAAction |
+----------+
^
|
+-----------+--------------+
| |
| +---------------------+
| | SaNegotiationAction |
| +---------------------+
| ^
| |
+----------------+ +----------------------+*
| SAStaticAction | | IKENegotiationAction |o----+
+----------------+ +----------------------+ |
^ ^ |
| | |
| +-----------+-------+ |
| | | |
+-------------------+ | +-------------+ +-----------+ |
| IPsecBypassAction |---+ | IPsecAction | | IKEAction | |
+-------------------+ | +-------------+ +-----------+ |
| ^ |
+--------------------+ | | +----------------------+ |
| IPsecDiscardAction |---+ +----| IPsecTransportAction | |
+--------------------+ | | +----------------------+ |
| | |
+-----------------+ | | +-------------------+ |
| IKERejectAction |---+ +----| IPsecTunnelAction | |
+-----------------+ | +-------------------+ |
| *| |
| +--------------+ |
| | |
+-----------------------+ | | +--------------+n |
| PreconfiguredSAAction |---+ |(a) | [SAProposal] |-------+
+-----------------------+ | +--------------+ (b)
*| ^ |
| | | *+-------------+
| | +-------| PeerGateway |
| | +-------------+
| | +-----------------------------+ |0..1 *w|
| +--| PreconfiguredTransportAction| | |(c)
| | +-----------------------------+ | 1|
| | | +--------------+
| | +---------------------------+ * | | System |
| +--| PreconfiguredTunnelAction |-----+ | ([CIMCORE]) |
| +---------------------------+ (e) +--------------+
|
| 2..6+---------------+
+-------| [SATransform] |
(d) +---------------+
(a) PeerGatewayForTunnel
(b) ContainedProposal
(c) HostedPeerGatewayInformation
(d) TransformOfPreconfiguredAction
(e) PeerGatewayForPreconfiguredTunnel
6.1. The Class SAAction
The class SAAction is abstract and serves as the base class for IKE
and IPsec actions. It is used for aggregating different types of
actions to IKE and IPsec rules. The class definition for SAAction is
as follows:
NAME SAAction
DESCRIPTION The base class for IKE and IPsec actions.
DERIVED FROM PolicyAction (see [PCIM])
ABSTRACT TRUE
PROPERTIES PolicyActionName (from PolicyAction)
DoActionLogging
DoPacketLogging
6.1.1. The Property DoActionLogging
The property DoActionLogging specifies whether a log message is to be
generated when the action is performed. This applies for
SANegotiationActions with the meaning of logging a message when the
negotiation is attempted (with the success or failure result). This
also applies for SAStaticAction only for PreconfiguredSAAction with
the meaning of logging a message when the preconfigured SA is
actually installed in the SADB. The property is defined as follows:
NAME DoActionLogging
DESCRIPTION Specifies the whether to log when the action is
performed.
SYNTAX boolean
VALUE true - a log message is to be generated when action
is performed.
false - no log message is to be generated when action
is performed.
6.1.2. The Property DoPacketLogging
The property DoPacketLogging specifies whether a log message is to be generated when the resulting security association is used to process the packet. If the SANegotiationAction successfully executes and results in the creation of one or several security associations, or if the PreconfiguredSAAction executes, the value of DoPacketLogging SHOULD be propagated to an optional field of SADB. This optional field should be used to decide whether a log message is to be generated when the SA is used to process a packet. For SAStaticActions, a log message is to be generated when the IPsecBypassAction, IPsecDiscardAction, or IKERejectAction are executed. The property is defined as follows: NAME DoPacketLogging DESCRIPTION Specifies whether to log when the resulting security association is used to process the packet. SYNTAX boolean VALUE true - a log message is to be generated when the resulting security association is used to process the packet. false - no log message is to be generated.6.2. The Class SAStaticAction
The class SAStaticAction is abstract and serves as the base class for IKE and IPsec actions that do not require any negotiation. The class definition for SAStaticAction is as follows: NAME SAStaticAction DESCRIPTION The base class for IKE and IPsec actions that do not require any negotiation. DERIVED FROM SAAction ABSTRACT TRUE PROPERTIES LifetimeSeconds6.2.1. The Property LifetimeSeconds
The property LifetimeSeconds specifies how long the security association derived from this action should be used. The property is defined as follows: NAME LifetimeSeconds DESCRIPTION Specifies the amount of time (in seconds) that a security association derived from this action should be used. SYNTAX unsigned 64-bit integer
VALUE A value of zero indicates that there is not a
lifetime associated with this action (i.e., infinite
lifetime). A non-zero value is typically used in
conjunction with alternate SAActions performed when
there is a negotiation failure of some sort.
Note: if the referenced SAStaticAction object is a
PreconfiguredSAAction associated to several SATransforms, then the
actual lifetime of the preconfigured SA will be the lesser of the
value of this LifetimeSeconds property and of the value of the
MaxLifetimeSeconds property of the associated SATransform. If the
value of this LifetimeSeconds property is zero, then there will be no
lifetime associated to this SA.
Note: while some SA negotiation protocols [IKE] can negotiate the
lifetime as an arbitrary length field, the authors have assumed that
a 64-bit integer will be sufficient.
It is expected that most SAStaticAction instances will have their
LifetimeSeconds properties set to zero (meaning no expiration of the
resulting SA).
6.3. The Class IPsecBypassAction
The class IPsecBypassAction is used when packets are allowed to be
processed without applying IPsec encapsulation to them. This is the
same as stating that packets are allowed to flow in the clear. The
class definition for IPsecBypassAction is as follows:
NAME IPsecBypassAction
DESCRIPTION Specifies that packets are to be allowed to pass in
the clear.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
6.4. The Class IPsecDiscardAction
The class IPsecDiscardAction is used when packets are to be
discarded. This is the same as stating that packets are to be
denied. The class definition for IPsecDiscardAction is as follows:
NAME IPsecDiscardAction
DESCRIPTION Specifies that packets are to be discarded.
DERIVED FROM SAStaticAction
ABSTRACT FALSE
6.5. The Class IKERejectAction
The class IKERejectAction is used to prevent attempting an IKE negotiation with the peer(s). The main use of this class is to prevent some denial of service attacks when acting as IKE responder. It goes beyond a plain discard of UDP/500 IKE packets because the SACondition can be based on specific PeerIDPayloadFilterEntry (when aggressive mode is used). The class definition for IKERejectAction is as follows: NAME IKERejectAction DESCRIPTION Specifies that an IKE negotiation should not even be attempted or continued. DERIVED FROM SAStaticAction ABSTRACT FALSE6.6. The Class PreconfiguredSAAction
The class PreconfiguredSAAction is used to create a security association using preconfigured, hard-wired algorithms and keys. Notes: - the SPI for a PreconfiguredSAAction is contained in the association, TransformOfPreconfiguredAction; - the session key (if applicable) is contained in an instance of the class SharedSecret (see [CIMUSER]). The session key is stored in the property Secret, the property protocol contains either "ESP- encrypt", "ESP-auth" or "AH", the property algorithm contains the algorithm used to protect the secret (can be "PLAINTEXT" if the IPsec entity has no secret storage), the value of property RemoteID is the concatenation of the remote IPsec peer IP address in dotted decimal, of the character "/", of "IN" (respectively "OUT") for inbound SA (respectively outbound SA), of the character "/", and of the hexadecimal representation of the SPI. Although the class is concrete, it MUST not be instantiated. The class definition for PreconfiguredSAAction is as follows: NAME PreconfiguredSAAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of a security association. DERIVED FROM SAStaticAction ABSTRACT TRUE PROPERTIES LifetimeKilobytes
6.6.1. The Property LifetimeKilobytes
The property LifetimeKilobytes specifies a traffic limit in kilobytes that can be consumed before the SA is deleted. The property is defined as follows: NAME LifetimeKilobytes DESCRIPTION Specifies the SA lifetime in kilobytes. SYNTAX unsigned 64-bit integer VALUE A value of zero indicates that there is not a lifetime associated with this action (i.e., infinite lifetime). A non-zero value is used to indicate that after this number of kilobytes has been consumed the SA must be deleted from the SADB. Note: the actual lifetime of the preconfigured SA will be the lesser of the value of this LifetimeKilobytes property and of the value of the MaxLifetimeSeconds property of the associated SATransform. If the value of this LifetimeKilobytes property is zero, then there will be no lifetime associated with this action. Note: while some SA negotiation protocols [IKE] can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient. It is expected that most PreconfiguredSAAction instances will have their LifetimeKilobyte properties set to zero (meaning no expiration of the resulting SA).6.7. The Class PreconfiguredTransportAction
The class PreconfiguredTransportAction is used to create an IPsec transport-mode security association using preconfigured, hard-wired algorithms and keys. The class definition for PreconfiguredTransportAction is as follows: NAME PreconfiguredTransportAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of an IPsec transport security association. DERIVED FROM PreconfiguredSAAction ABSTRACT FALSE
6.8. The Class PreconfiguredTunnelAction
The class PreconfiguredTunnelAction is used to create an IPsec tunnel-mode security association using preconfigured, hard-wired algorithms and keys. The class definition for PreconfiguredSAAction is as follows: NAME PreconfiguredTunnelAction DESCRIPTION Specifies preconfigured algorithm and keying information for creation of an IPsec tunnel-mode security association. DERIVED FROM PreconfiguredSAAction ABSTRACT FALSE PROPERTIES DFHandling6.8.1. The Property DFHandling
The property DFHandling specifies how the Don't Fragment (DF) bit of the internal IP header is to be handled during IPsec processing. The property is defined as follows: NAME DFHandling DESCRIPTION Specifies the processing of the DF bit. SYNTAX unsigned 16-bit integer VALUE 1 - Copy the DF bit from the internal IP header to the external IP header. 2 - Set the DF bit of the external IP header to 1. 3 - Clear the DF bit of the external IP header to 0.6.9. The Class SANegotiationAction
The class SANegotiationAction specifies an action requesting security policy negotiation. This is an abstract class. Currently, only one security policy negotiation protocol action is subclassed from SANegotiationAction: the IKENegotiationAction class. It is nevertheless expected that other security policy negotiation protocols will exist and the negotiation actions of those new protocols would be modeled as a subclass of SANegotiationAction. NAME SANegotiationAction DESCRIPTION Specifies a negotiation action. DERIVED FROM SAAction ABSTRACT TRUE
6.10. The Class IKENegotiationAction
The class IKENegotiationAction is abstract and serves as the base class for IKE and IPsec actions that result in an IKE negotiation. The class definition for IKENegotiationAction is as follows: NAME IKENegotiationAction DESCRIPTION A base class for IKE and IPsec actions that specifies the parameters that are common for IKE phase 1 and IKE phase 2 IPsec DOI negotiations. DERIVED FROM SANegotiationAction ABSTRACT TRUE PROPERTIES MinLifetimeSeconds MinLifetimeKilobytes IdleDurationSeconds6.10.1. The Property MinLifetimeSeconds
The property MinLifetimeSeconds specifies the minimum seconds in a lifetime that will be accepted from the peer. MinLifetimeSeconds is used to prevent certain denial of service attacks where the peer requests an arbitrarily low lifetime value, causing renegotiations with expensive Diffie-Hellman operations. The property is defined as follows: NAME MinLifetimeSeconds DESCRIPTION Specifies the minimum seconds acceptable in a lifetime. SYNTAX unsigned 64-bit integer VALUE A value of zero indicates that there is no minimum value. A non-zero value specifies the minimum seconds lifetime. Note: while IKE can negotiate the lifetime as an arbitrary length field, the authors have assumed that a 64-bit integer will be sufficient.6.10.2. The Property MinLifetimeKilobytes
The property MinLifetimeKilobytes specifies the minimum kilobytes of a lifetime that will be accepted from the peer. MinLifetimeKilobytes is used to prevent certain denial of service attacks, where the peer requests an arbitrarily low lifetime value, causing renegotiations with correspondingly expensive Diffie-Hellman operations. Note that there has been considerable debate regarding the usefulness of applying kilobyte lifetimes to IKE phase 1 security associations, so it is likely that this property will only apply to the sub-class IPsecAction. The property is defined as follows:
NAME MinLifetimeKilobytes
DESCRIPTION Specifies the minimum kilobytes acceptable in a
lifetime.
SYNTAX unsigned 64-bit integer
VALUE A value of zero indicates that there is no minimum
value. A non-zero value specifies the minimum
kilobytes lifetime.
Note: While IKE can negotiate the lifetime as an arbitrary length
field, the authors have assumed that a 64-bit integer will be
sufficient.
6.10.3. The Property IdleDurationSeconds
The property IdleDurationSeconds specifies how many seconds a
security association may remain idle (i.e., no traffic protected
using the security association) before it is deleted. The property
is defined as follows:
NAME IdleDurationSeconds
DESCRIPTION Specifies how long, in seconds, a security
association may remain unused before it is deleted.
SYNTAX unsigned 64-bit integer
VALUE A value of zero indicates that idle detection should
not be used for the security association (only the
seconds and kilobyte lifetimes will be used). Any
non-zero value indicates the number of seconds the
security association may remain unused.
6.11. The Class IPsecAction
The class IPsecAction serves as the base class for IPsec transport
and tunnel actions. It specifies the parameters used for an IKE
phase 2 IPsec DOI negotiation. The class definition for IPsecAction
is as follows:
NAME IPsecAction
DESCRIPTION A base class for IPsec transport and tunnel actions
that specifies the parameters for IKE phase 2 IPsec
DOI negotiations.
DERIVED FROM IKENegotiationAction
ABSTRACT TRUE
PROPERTIES UsePFS
UseIKEGroup
GroupId
Granularity
VendorID
6.11.1. The Property UsePFS
The property UsePFS specifies whether or not perfect forward secrecy should be used when refreshing keys. The property is defined as follows: NAME UsePFS DESCRIPTION Specifies the whether or not to use PFS when refreshing keys. SYNTAX boolean VALUE A value of true indicates that PFS should be used. A value of false indicates that PFS should not be used.6.11.2. The Property UseIKEGroup
The property UseIKEGroup specifies whether or not phase 2 should use the same key exchange group as was used in phase 1. UseIKEGroup is ignored if UsePFS is false. The property is defined as follows: NAME UseIKEGroup DESCRIPTION Specifies whether or not to use the same GroupId for phase 2 as was used in phase 1. If UsePFS is false, then UseIKEGroup is ignored. SYNTAX boolean VALUE A value of true indicates that the phase 2 GroupId should be the same as phase 1. A value of false indicates that the property GroupId will contain the key exchange group to use for phase 2.6.11.3. The Property GroupId
The property GroupId specifies the key exchange group to use for phase 2. GroupId is ignored if (1) the property UsePFS is false, or (2) the property UsePFS is true and the property UseIKEGroup is true. If the GroupID number is from the vendor-specific range (32768- 65535), the property VendorID qualifies the group number. The property is defined as follows: NAME GroupId DESCRIPTION Specifies the key exchange group to use for phase 2 when the property UsePFS is true and the property UseIKEGroup is false. SYNTAX unsigned 16-bit integer VALUE Consult [IKE] for valid values.
6.11.4. The Property Granularity
The property Granularity specifies how the selector for the security association should be derived from the traffic that triggered the negotiation. The property is defined as follows: NAME Granularity DESCRIPTION Specifies how the proposed selector for the security association will be created. SYNTAX unsigned 16-bit integer VALUE 1 - subnet: the source and destination subnet masks of the filter entry are used. 2 - address: only the source and destination IP addresses of the triggering packet are used. 3 - protocol: the source and destination IP addresses and the IP protocol of the triggering packet are used. 4 - port: the source and destination IP addresses and the IP protocol and the source and destination layer 4 ports of the triggering packet are used.6.11.5. The Property VendorID
The property VendorID is used together with the property GroupID (when it is in the vendor-specific range) to identify the key exchange group. VendorID is ignored unless UsePFS is true and UseIKEGroup is false and GroupID is in the vendor-specific range (32768-65535). The property is defined as follows: NAME VendorID DESCRIPTION Specifies the IKE Vendor ID. SYNTAX string6.12. The Class IPsecTransportAction
The class IPsecTransportAction is a subclass of IPsecAction that is used to specify use of an IPsec transport-mode security association. The class definition for IPsecTransportAction is as follows: NAME IPsecTransportAction DESCRIPTION Specifies that an IPsec transport-mode security association should be negotiated. DERIVED FROM IPsecAction ABSTRACT FALSE
6.13. The Class IPsecTunnelAction
The class IPsecTunnelAction is a subclass of IPsecAction that is used to specify use of an IPsec tunnel-mode security association. The class definition for IPsecTunnelAction is as follows: NAME IPsecTunnelAction DESCRIPTION Specifies that an IPsec tunnel-mode security association should be negotiated. DERIVED FROM IPsecAction ABSTRACT FALSE PROPERTIES DFHandling6.13.1. The Property DFHandling
The property DFHandling specifies how the tunnel should manage the Don't Fragment (DF) bit. The property is defined as follows: NAME DFHandling DESCRIPTION Specifies how to process the DF bit. SYNTAX unsigned 16-bit integer VALUE 1 - Copy the DF bit from the internal IP header to the external IP header. 2 - Set the DF bit of the external IP header to 1. 3 - Clear the DF bit of the external IP header to 0.6.14. The Class IKEAction
The class IKEAction specifies the parameters that are to be used for IKE phase 1 negotiation. The class definition for IKEAction is as follows: NAME IKEAction DESCRIPTION Specifies the IKE phase 1 negotiation parameters. DERIVED FROM IKENegotiationAction ABSTRACT FALSE PROPERTIES ExchangeMode UseIKEIdentityType VendorID AggressiveModeGroupId
6.14.1. The Property ExchangeMode
The property ExchangeMode specifies which IKE mode should be used for IKE phase 1 negotiations. The property is defined as follows: NAME ExchangeMode DESCRIPTION Specifies the IKE negotiation mode for phase 1. SYNTAX unsigned 16-bit integer VALUE 1 - base mode 2 - main mode 4 - aggressive mode6.14.2. The Property UseIKEIdentityType
The property UseIKEIdentityType specifies what IKE identity type should be used when negotiating with the peer. This information is used in conjunction with the IKE identities available on the system and the IdentityContexts of the matching IKERule. The property is defined as follows: NAME UseIKEIdentityType DESCRIPTION Specifies the IKE identity to use during negotiation. SYNTAX unsigned 16-bit integer VALUE Consult [DOI] for valid values.6.14.3. The Property VendorID
The property VendorID specifies the value to be used in the Vendor ID payload. The property is defined as follows: NAME VendorID DESCRIPTION Vendor ID Payload. SYNTAX string VALUE A value of NULL means that Vendor ID payload will be neither generated nor accepted. A non-NULL value means that a Vendor ID payload will be generated (when acting as an initiator) or is expected (when acting as a responder).6.14.4. The Property AggressiveModeGroupId
The property AggressiveModeGroupId specifies which group ID is to be used in the first packets of the phase 1 negotiation. This property is ignored unless the property ExchangeMode is set to 4 (aggressive mode). If the AggressiveModeGroupID number is from the vendor- specific range (32768-65535), the property VendorID qualifies the group number. The property is defined as follows:
NAME AggressiveModeGroupId
DESCRIPTION Specifies the group ID to be used for aggressive
mode.
SYNTAX unsigned 16-bit integer
6.15. The Class PeerGateway
The class PeerGateway specifies the security gateway with which the
IKE services negotiates. The class definition for PeerGateway is as
follows:
NAME PeerGateway
DESCRIPTION Specifies the security gateway with which to
negotiate.
DERIVED FROM LogicalElement (see [CIMCORE])
ABSTRACT FALSE
PROPERTIES Name
PeerIdentityType
PeerIdentity
Note: The class PeerIdentityEntry contains more information about the
peer (namely its IP address).
6.15.1. The Property Name
The property Name specifies a user-friendly name for this security
gateway. The property is defined as follows:
NAME Name
DESCRIPTION Specifies a user-friendly name for this security
gateway.
SYNTAX string
6.15.2. The Property PeerIdentityType
The property PeerIdentityType specifies the IKE identity type of the
security gateway. The property is defined as follows:
NAME PeerIdentityType
DESCRIPTION Specifies the IKE identity type of the security
gateway.
SYNTAX unsigned 16-bit integer
VALUE Consult [DOI] for valid values.
6.15.3. The Property PeerIdentity
The property PeerIdentity specifies the IKE identity value of the security gateway. Based upon the storage chosen for the task- specific mapping of the information model, a conversion may be needed from the stored representation of the PeerIdentity string to the real value used in the ID payload (e.g., IP address is to be converted from a dotted decimal string into 4 bytes). The property is defined as follows: NAME PeerIdentity DESCRIPTION Specifies the IKE identity value of the security gateway. SYNTAX string6.16. The Association Class PeerGatewayForTunnel
The class PeerGatewayForTunnel associates IPsecTunnelActions with an ordered list of PeerGateways. The class definition for PeerGatewayForTunnel is as follows: NAME PeerGatewayForTunnel DESCRIPTION Associates IPsecTunnelActions with an ordered list of PeerGateways. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref PeerGateway[0..n]] Dependent [ref IPsecTunnelAction[0..n]] SequenceNumber6.16.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that an IPsecTunnelAction instance may be associated with zero or more PeerGateway instances. Note: The cardinality 0 has a specific meaning: - when the IKE service acts as a responder, this means that the IKE service will accept phase 1 negotiation with any other security gateway; - when the IKE service acts as an initiator, this means that the IKE service will use the destination IP address (of the IP packets which triggered the SARule) as the IP address of the peer IKE entity.
6.16.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to an IPsecTunnelAction instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more IPsecTunnelAction instances.6.16.3. The Property SequenceNumber
The property SequenceNumber specifies the ordering to be used when evaluating PeerGateway instances for a given IPsecTunnelAction. The property is defined as follows: NAME SequenceNumber DESCRIPTION Specifies the order of evaluation for PeerGateways. SYNTAX unsigned 16-bit integer VALUE Lower values are evaluated first.6.17. The Aggregation Class ContainedProposal
The class ContainedProposal associates an ordered list of SAProposals with the IKENegotiationAction that aggregates it. If the referenced IKENegotiationAction object is an IKEAction, then the referenced SAProposal object(s) must be IKEProposal(s). If the referenced IKENegotiationAction object is an IPsecTransportAction or an IPsecTunnelAction, then the referenced SAProposal object(s) must be IPsecProposal(s). The class definition for ContainedProposal is as follows: NAME ContainedProposal DESCRIPTION Associates an ordered list of SAProposals with an IKENegotiationAction. DERIVED FROM PolicyComponent (see [PCIM]) ABSTRACT FALSE PROPERTIES GroupComponent[ref IKENegotiationAction[0..n]] PartComponent[ref SAProposal[1..n]] SequenceNumber6.17.1. The Reference GroupComponent
- The property GroupComponent is inherited from PolicyComponent and is overridden to refer to an IKENegotiationAction instance. The [0..n] cardinality indicates that an SAProposal instance may be associated with zero or more IKENegotiationAction instances.
6.17.2. The Reference PartComponent
The property PartComponent is inherited from PolicyComponent and is overridden to refer to an SAProposal instance. The [1..n] cardinality indicates that an IKENegotiationAction instance MUST be associated with at least one SAProposal instance.6.17.3. The Property SequenceNumber
The property SequenceNumber specifies the order of preference for the SAProposals. The property is defined as follows: NAME SequenceNumber DESCRIPTION Specifies the preference order for the SAProposals. SYNTAX unsigned 16-bit integer VALUE Lower-valued proposals are preferred over proposals with higher values. For ContainedProposals that reference the same IKENegotiationAction, SequenceNumber values must be unique.6.18. The Association Class HostedPeerGatewayInformation
The class HostedPeerGatewayInformation weakly associates a PeerGateway with a System. The class definition for HostedPeerGatewayInformation is as follows: NAME HostedPeerGatewayInformation DESCRIPTION Weakly associates a PeerGateway with a System. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent [ref System[1..1]] Dependent [ref PeerGateway[0..n] [weak]]6.18.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a System instance. The [1..1] cardinality indicates that a PeerGateway instance MUST be associated with one and only one System instance.6.18.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..n] cardinality indicates that a System instance may be associated with zero or more PeerGateway instances.
6.19. The Association Class TransformOfPreconfiguredAction
The class TransformOfPreconfiguredAction associates a PreconfiguredSAAction with two, four or six SATransforms that will be applied to the inbound and outbound traffic. The order of application of the SATransforms is implicitly defined in [IPSEC]. The class definition for TransformOfPreconfiguredAction is as follows: NAME TransformOfPreconfiguredAction DESCRIPTION Associates a PreconfiguredSAAction with from one to three SATransforms. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent[ref SATransform[2..6]] Dependent[ref PreconfiguredSAAction[0..n]] SPI Direction6.19.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to an SATransform instance. The [2..6] cardinality indicates that a PreconfiguredSAAction instance may be associated with two to six SATransform instances.6.19.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to a PreconfiguredSAAction instance. The [0..n] cardinality indicates that a SATransform instance may be associated with zero or more PreconfiguredSAAction instances.6.19.3. The Property SPI
The property SPI specifies the SPI to be used by the pre-configured action for the associated transform. The property is defined as follows: NAME SPI DESCRIPTION Specifies the SPI to be used with the SATransform. SYNTAX unsigned 32-bit integer
6.19.4. The Property Direction
The property Direction specifies whether the SPI property is for inbound or outbound traffic. The property is defined as follows: NAME Direction DESCRIPTION Specifies whether the SA is for inbound or outbound traffic. SYNTAX unsigned 8-bit integer VALUE 1 - this SA is for inbound traffic 2 - this SA is for outbound traffic6.20 The Association Class PeerGatewayForPreconfiguredTunnel
The class PeerGatewayForPreconfiguredTunnel associates zero or one PeerGateways with multiple PreconfiguredTunnelActions. The class definition for PeerGatewayForPreconfiguredTunnel is as follows: NAME PeerGatewayForPreconfiguredTunnel DESCRIPTION Associates a PeerGateway with multiple PreconfiguredTunnelActions. DERIVED FROM Dependency (see [CIMCORE]) ABSTRACT FALSE PROPERTIES Antecedent[ref PeerGateway[0..1]] Dependent[ref PreconfiguredTunnelAction[0..n]]6.20.1. The Reference Antecedent
The property Antecedent is inherited from Dependency and is overridden to refer to a PeerGateway instance. The [0..1] cardinality indicates that a PreconfiguredTunnelAction instance may be associated with one PeerGteway instance.6.20.2. The Reference Dependent
The property Dependent is inherited from Dependency and is overridden to refer to a PreconfiguredTunnelAction instance. The [0..n] cardinality indicates that a PeerGateway instance may be associated with zero or more PreconfiguredSAAction instances.