RFC 3585

 
 
 

IPsec Configuration Policy Information Model

Part 3 of 4, p. 50 to 79
7. Proposal and Transform Classes

   The proposal and transform classes model the proposal settings an
   IPsec device will use during IKE phase 1 and 2 negotiations.

                        +--------------+*w     1+--------------+
                        | [SAProposal] |--------|   System     |
                        +--------------+  (a)   | ([CIMCORE])  |
                               ^                +--------------+
                               |                        |1
                    +----------------------+            |
                    |                      |            |
             +-------------+       +---------------+    |
             | IKEProposal |       | IPsecProposal |    |
             +-------------+       +---------------+    |
                                          *o            |
                                           |(b)         |(c)
                                          n|            |
                                   +---------------+*w  |
                                   | [SATransform] |----+
                                   +---------------+
                                           ^
                                           |
          +--------------------+-----------+---------+
          |                    |                     |
   +-------------+     +--------------+     +----------------+
   | AHTransform |     | ESPTransform |     |IPCOMPTransform |
   +-------------+     +--------------+     +----------------+

      (a)  SAProposalInSystem
      (b)  ContainedTransform
      (c)  SATransformInSystem

7.1. The Abstract Class SAProposal

   The abstract class SAProposal serves as the base class for the IKE
   and IPsec proposal classes.  It specifies the parameters that are
   common to the two proposal types.  The class definition for
   SAProposal is as follows:

      NAME         SAProposal
      DESCRIPTION  Specifies the common proposal parameters for IKE and
                   IPsec security association negotiation.
      DERIVED FROM Policy ([PCIM])
      ABSTRACT     TRUE
      PROPERTIES   Name

7.1.1. The Property Name

   The property Name specifies a user-friendly name for the SAProposal.
   The property is defined as follows:

      NAME         Name
      DESCRIPTION  Specifies a user-friendly name for this proposal.
      SYNTAX       string

7.2. The Class IKEProposal

   The class IKEProposal specifies the proposal parameters necessary to
   drive an IKE security association negotiation.  The class definition
   for IKEProposal is as follows:

      NAME         IKEProposal
      DESCRIPTION  Specifies the proposal parameters for IKE security
                   association negotiation.
      DERIVED FROM SAProposal
      ABSTRACT     FALSE
      PROPERTIES   CipherAlgorithm
                   HashAlgorithm
                   PRFAlgorithm
                   GroupId
                   AuthenticationMethod
                   MaxLifetimeSeconds
                   MaxLifetimeKilobytes
                   VendorID

7.2.1. The Property CipherAlgorithm

   The property CipherAlgorithm specifies the proposed phase 1 security
   association encryption algorithm.  The property is defined as
   follows:

      NAME         CipherAlgorithm
      DESCRIPTION  Specifies the proposed encryption algorithm for the
                   phase 1 security association.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [IKE] for valid values.

7.2.2. The Property HashAlgorithm

   The property HashAlgorithm specifies the proposed phase 1 security
   association hash algorithm.  The property is defined as follows:

      NAME         HashAlgorithm
      DESCRIPTION  Specifies the proposed hash algorithm for the phase 1
                   security association.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [IKE] for valid values.

7.2.3. The Property PRFAlgorithm

   The property PRFAlgorithm specifies the proposed phase 1 security
   association pseudo-random function.  The property is defined as
   follows:

      NAME         PRFAlgorithm
      DESCRIPTION  Specifies the proposed pseudo-random function for the
                   phase 1 security association.
      SYNTAX       unsigned 16-bit integer
      VALUE        Currently none are defined in [IKE].  If [IKE, DOI]
                   are extended, then the values of [IKE, DOI] are to be
                   used as values of PRFAlgorithm.

7.2.4. The Property GroupId

   The property GroupId specifies the proposed phase 1 security
   association key exchange group.  This property is ignored for all
   aggressive mode exchanges.  If the GroupId number is from the
   vendor-specific range (32768-65535), the property VendorID qualifies
   the group number.  The property is defined as follows:

      NAME         GroupId
      DESCRIPTION  Specifies the proposed key exchange group for the
                   phase 1 security association.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [IKE] for valid values.

   Note: The value of this property is to be ignored in aggressive mode.

7.2.5. The Property AuthenticationMethod

   The property AuthenticationMethod specifies the proposed phase 1
   authentication method.  The property is defined as follows:

      NAME         AuthenticationMethod
      DESCRIPTION  Specifies the proposed authentication method for the
                   phase 1 security association.
      SYNTAX       unsigned 16-bit integer
      VALUE        0 - a special value that indicates that this
                   particular proposal should be repeated once for each
                   authentication method that corresponds to the
                   credentials installed on the machine.  For example,
                   if the system has a pre-shared key and a certificate,
                   a proposal list could be constructed that includes a
                   proposal that specifies a pre-shared key and
                   proposals for any of the public-key authentication
                   methods.  Consult [IKE] for valid values.

7.2.6. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the proposed maximum time,
   in seconds, that a security association will remain valid after its
   creation.  The property is defined as follows:

      NAME         MaxLifetimeSeconds
      DESCRIPTION  Specifies the proposed maximum time that a
                   security association will remain valid.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that the default of 8
                   hours be used.  A non-zero value indicates the
                   maximum seconds lifetime.

   Note: While IKE can negotiate the lifetime as an arbitrary length
   field, the authors have assumed that a 64-bit integer will be
   sufficient.

7.2.7. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the proposed maximum
   kilobyte lifetime that a security association will remain valid after
   its creation.  The property is defined as follows:

      NAME         MaxLifetimeKilobytes
      DESCRIPTION  Specifies the proposed maximum kilobyte lifetime
                   that a security association will remain valid.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that there should be no
                   maximum kilobyte lifetime.  A non-zero value
                   specifies the desired kilobyte lifetime.

   Note: While IKE can negotiate the lifetime as an arbitrary length
   field, the authors have assumed that a 64-bit integer will be
   sufficient.

7.2.8. The Property VendorID

   The property VendorID further qualifies the key exchange group.  The
   property is used only when the exchange is not in aggressive mode and
   the property GroupId is in the vendor-specific range; otherwise it is
   ignored.  The property is defined as follows:

      NAME         VendorID
      DESCRIPTION  Specifies the Vendor ID to further qualify the key
                   exchange group.
      SYNTAX       string
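
   As an added illustration (not part of RFC 3585), the following Python
   models the IKEProposal class of section 7.2 and applies the rules of
   sections 7.2.4 through 7.2.8: expanding an AuthenticationMethod of 0
   into one proposal per installed credential, the 8-hour default for a
   zero MaxLifetimeSeconds, and the GroupId/VendorID qualification outside
   aggressive mode.  The authentication method numbers are those of [IKE];
   the mapping from installed credential kinds to methods is an assumption
   of this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, List

# Phase 1 authentication method values from [IKE] (RFC 2409, Appendix A).
AUTH_ANY_INSTALLED = 0          # special value defined in section 7.2.5
AUTH_PRESHARED_KEY = 1
AUTH_DSS_SIGNATURE = 2
AUTH_RSA_SIGNATURE = 3
AUTH_RSA_ENCRYPTION = 4
AUTH_RSA_ENCRYPTION_REVISED = 5

# Assumed mapping (not from the RFC) from the kind of credential installed
# on the system to the authentication methods that credential can drive.
CREDENTIAL_TO_AUTH_METHODS: Dict[str, List[int]] = {
    "pre-shared-key": [AUTH_PRESHARED_KEY],
    "dss-certificate": [AUTH_DSS_SIGNATURE],
    "rsa-certificate": [AUTH_RSA_SIGNATURE, AUTH_RSA_ENCRYPTION,
                        AUTH_RSA_ENCRYPTION_REVISED],
}

VENDOR_GROUP_RANGE = range(32768, 65536)   # section 7.2.4
DEFAULT_LIFETIME_SECONDS = 8 * 60 * 60     # section 7.2.6: zero means 8 hours


@dataclass(frozen=True)
class IKEProposal:
    """The IKEProposal class of section 7.2, one field per property."""
    name: str
    cipher_algorithm: int
    hash_algorithm: int
    prf_algorithm: int = 0
    group_id: int = 0
    authentication_method: int = AUTH_ANY_INSTALLED
    max_lifetime_seconds: int = 0
    max_lifetime_kilobytes: int = 0
    vendor_id: str = ""


def effective_lifetime_seconds(p: IKEProposal) -> int:
    """MaxLifetimeSeconds: zero selects the 8-hour default."""
    return p.max_lifetime_seconds or DEFAULT_LIFETIME_SECONDS


def effective_lifetime_kilobytes(p: IKEProposal):
    """MaxLifetimeKilobytes: zero means no kilobyte lifetime at all (None)."""
    return p.max_lifetime_kilobytes or None


def expand_ike_proposals(proposals: List[IKEProposal],
                         installed_credentials: List[str]) -> List[IKEProposal]:
    """Expand each AuthenticationMethod == 0 entry into one concrete proposal
    per authentication method backed by an installed credential, keeping the
    original list order so the preference order is preserved."""
    out: List[IKEProposal] = []
    for p in proposals:
        if p.authentication_method != AUTH_ANY_INSTALLED:
            out.append(p)
            continue
        emitted = set()
        for cred in installed_credentials:
            for method in CREDENTIAL_TO_AUTH_METHODS.get(cred, []):
                if method in emitted:
                    continue            # two credentials of the same kind
                emitted.add(method)
                out.append(replace(p, name=f"{p.name}/auth{method}",
                                   authentication_method=method))
    return out


def validate_ike_proposal(p: IKEProposal, aggressive_mode: bool) -> List[str]:
    """Check the GroupId/VendorID rules of sections 7.2.4 and 7.2.8."""
    issues: List[str] = []
    if aggressive_mode:
        return issues   # GroupId and VendorID are both ignored in aggressive mode
    in_vendor_range = p.group_id in VENDOR_GROUP_RANGE
    if in_vendor_range and not p.vendor_id:
        issues.append(f"{p.name}: GroupId {p.group_id} is vendor-specific "
                      "but VendorID is empty")
    if p.vendor_id and not in_vendor_range:
        issues.append(f"{p.name}: VendorID is set but GroupId {p.group_id} "
                      "is not in the vendor-specific range, so it is ignored")
    return issues


if __name__ == "__main__":
    # Constructed sample: 3DES-CBC (5) and SHA (2) per [IKE] Appendix A,
    # group 2 (1024-bit MODP), any installed credential may authenticate.
    base = IKEProposal("p1", cipher_algorithm=5, hash_algorithm=2, group_id=2)
    for q in expand_ike_proposals([base], ["pre-shared-key", "rsa-certificate"]):
        print(q.name, q.authentication_method, effective_lifetime_seconds(q))
```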

7.3. The Class IPsecProposal

   The class IPsecProposal adds no new properties, but inherits proposal
   properties from SAProposal, as well as aggregating the security
   association transforms necessary for building an IPsec proposal (see
   the aggregation class ContainedTransform).  The class definition for
   IPsecProposal is as follows:

      NAME         IPsecProposal
      DESCRIPTION  Specifies the proposal parameters for IPsec security
                   association negotiation.
      DERIVED FROM SAProposal
      ABSTRACT     FALSE

7.4. The Abstract Class SATransform

   The abstract class SATransform serves as the base class for the IPsec
   transforms that can be used to compose an IPsec proposal or to be
   used as a pre-configured action.  The class definition for
   SATransform is as follows:

      NAME         SATransform
      DESCRIPTION  Base class for the different IPsec transforms.
      ABSTRACT     TRUE
      PROPERTIES   CommonName (from Policy)
                   VendorID
                   MaxLifetimeSeconds
                   MaxLifetimeKilobytes

7.4.1. The Property CommonName

   The property CommonName is inherited from Policy [PCIM] and specifies
   a user-friendly name for the SATransform.  The property is defined as
   follows:

      NAME         CommonName
      DESCRIPTION  Specifies a user-friendly name for this Policy-
                   related object.
      SYNTAX       string

7.4.2. The Property VendorID

   The property VendorID specifies the vendor ID for vendor-defined
   transforms.  The property is defined as follows:

      NAME         VendorID
      DESCRIPTION  Specifies the vendor ID for vendor-defined
                   transforms.
      SYNTAX       string
      VALUE        An empty VendorID string indicates that the transform
                   is a standard one.

7.4.3. The Property MaxLifetimeSeconds

   The property MaxLifetimeSeconds specifies the proposed maximum time,
   in seconds, that a security association will remain valid after its
   creation.  The property is defined as follows:

      NAME         MaxLifetimeSeconds
      DESCRIPTION  Specifies the proposed maximum time that a
                   security association will remain valid.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that the default of 8 hours
                   be used.  A non-zero value indicates the maximum
                   seconds lifetime.

   Note: While IKE can negotiate the lifetime as an arbitrary length
   field, the authors have assumed that a 64-bit integer will be
   sufficient.

7.4.4. The Property MaxLifetimeKilobytes

   The property MaxLifetimeKilobytes specifies the proposed maximum
   kilobyte lifetime that a security association will remain valid after
   its creation.  The property is defined as follows:

      NAME         MaxLifetimeKilobytes
      DESCRIPTION  Specifies the proposed maximum kilobyte lifetime
                   that a security association will remain valid.
      SYNTAX       unsigned 64-bit integer
      VALUE        A value of zero indicates that there should be no
                   maximum kilobyte lifetime.  A non-zero value
                   specifies the desired kilobyte lifetime.

   Note: While IKE can negotiate the lifetime as an arbitrary length
   field, the authors have assumed that a 64-bit integer will be
   sufficient.

7.5. The Class AHTransform

   The class AHTransform specifies the AH algorithm to propose during
   IPsec security association negotiation.  The class definition for
   AHTransform is as follows:

      NAME         AHTransform
      DESCRIPTION  Specifies the proposed AH algorithm.
      ABSTRACT     FALSE
      PROPERTIES   AHTransformId
                   UseReplayPrevention
                   ReplayPreventionWindowSize

7.5.1. The Property AHTransformId

   The property AHTransformId specifies the transform ID of the AH
   algorithm.  The property is defined as follows:

      NAME         AHTransformId
      DESCRIPTION  Specifies the transform ID of the AH algorithm.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [DOI] for valid values.

7.5.2. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

      NAME         UseReplayPrevention
      DESCRIPTION  Specifies whether to enable replay prevention
                   detection.
      SYNTAX       boolean
      VALUE        true - replay prevention detection is enabled.
                   false - replay prevention detection is disabled.

7.5.3. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism.  The value of this property is meaningless if
   UseReplayPrevention is false.  It is assumed that the window size
   will be a power of 2.  The property is defined as follows:

      NAME         ReplayPreventionWindowSize
      DESCRIPTION  Specifies the length of the window used by the replay
                   prevention detection mechanism.
      SYNTAX       unsigned 32-bit integer

7.6. The Class ESPTransform

   The class ESPTransform specifies the ESP algorithms to propose
   during IPsec security association negotiation.  The class definition
   for ESPTransform is as follows:

      NAME         ESPTransform
      DESCRIPTION  Specifies the proposed ESP algorithms.
      ABSTRACT     FALSE
      PROPERTIES   IntegrityTransformId
                   CipherTransformId
                   CipherKeyLength
                   CipherKeyRounds
                   UseReplayPrevention
                   ReplayPreventionWindowSize

7.6.1. The Property IntegrityTransformId

   The property IntegrityTransformId specifies the transform ID of the
   ESP integrity algorithm.  The property is defined as follows:

      NAME         IntegrityTransformId
      DESCRIPTION  Specifies the transform ID of the ESP integrity
                   algorithm.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [DOI] for valid values.

7.6.2. The Property CipherTransformId

   The property CipherTransformId specifies the transform ID of the ESP
   encryption algorithm.  The property is defined as follows:

      NAME         CipherTransformId
      DESCRIPTION  Specifies the transform ID of the ESP encryption
                   algorithm.
      SYNTAX       unsigned 16-bit integer
      VALUE        Consult [DOI] for valid values.

7.6.3. The Property CipherKeyLength

   The property CipherKeyLength specifies, in bits, the key length for
   the ESP encryption algorithm.  For encryption algorithms that use
   fixed-length keys, this value is ignored.  The property is defined as
   follows:

      NAME         CipherKeyLength
      DESCRIPTION  Specifies the ESP encryption key length in bits.
      SYNTAX       unsigned 16-bit integer

7.6.4. The Property CipherKeyRounds

   The property CipherKeyRounds specifies the number of key rounds for
   the ESP encryption algorithm.  For encryption algorithms that use a
   fixed number of key rounds, this value is ignored.  The property is
   defined as follows:

      NAME         CipherKeyRounds
      DESCRIPTION  Specifies the number of key rounds for the ESP
                   encryption algorithm.
      SYNTAX       unsigned 16-bit integer
      VALUE        Currently, key rounds are not defined for any ESP
                   encryption algorithms.

7.6.5. The Property UseReplayPrevention

   The property UseReplayPrevention specifies whether replay prevention
   detection is to be used.  The property is defined as follows:

      NAME         UseReplayPrevention
      DESCRIPTION  Specifies whether to enable replay prevention
                   detection.
      SYNTAX       boolean
      VALUE        true - replay prevention detection is enabled.
                   false - replay prevention detection is disabled.

7.6.6. The Property ReplayPreventionWindowSize

   The property ReplayPreventionWindowSize specifies, in bits, the
   length of the sliding window used by the replay prevention detection
   mechanism.  The value of this property is meaningless if
   UseReplayPrevention is false.  It is assumed that the window size
   will be a power of 2.  The property is defined as follows:

      NAME         ReplayPreventionWindowSize
      DESCRIPTION  Specifies the length of the window used by the replay
                   prevention detection mechanism.
      SYNTAX       unsigned 32-bit integer

7.7. The Class IPCOMPTransform

   The class IPCOMPTransform specifies the IP compression (IPCOMP)
   algorithm to propose during IPsec security association negotiation.
   The class definition for IPCOMPTransform is as follows:

      NAME         IPCOMPTransform
      DESCRIPTION  Specifies the proposed IPCOMP algorithm.
      ABSTRACT     FALSE
      PROPERTIES   Algorithm
                   DictionarySize
                   PrivateAlgorithm

7.7.1. The Property Algorithm

   The property Algorithm specifies the transform ID of the IPCOMP
   compression algorithm.  The property is defined as follows:

      NAME         Algorithm
      DESCRIPTION  Specifies the transform ID of the IPCOMP compression
                   algorithm.
      SYNTAX       unsigned 16-bit integer
      VALUE        1 - OUI: a vendor specific algorithm is used and
                   specified in the property PrivateAlgorithm.  Consult
                   [DOI] for other valid values.

7.7.2. The Property DictionarySize

   The property DictionarySize specifies the log2 maximum size of the
   dictionary for the compression algorithm.  For compression algorithms
   that have pre-defined dictionary sizes, this value is ignored.  The
   property is defined as follows:

      NAME         DictionarySize
      DESCRIPTION  Specifies the log2 maximum size of the dictionary.
      SYNTAX       unsigned 16-bit integer

7.7.3. The Property PrivateAlgorithm

   The property PrivateAlgorithm specifies a private vendor-specific
   compression algorithm.  This value is only used when the property
   Algorithm is 1 (OUI).  The property is defined as follows:

      NAME         PrivateAlgorithm
      DESCRIPTION  Specifies a private vendor-specific compression
                   algorithm.
      SYNTAX       unsigned 32-bit integer

7.8. The Association Class SAProposalInSystem

   The class SAProposalInSystem weakly associates SAProposals with a
   System.  The class definition for SAProposalInSystem is as follows:

      NAME         SAProposalInSystem
      DESCRIPTION  Weakly associates SAProposals with a System.
      DERIVED FROM PolicyInSystem (see [PCIM])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent[ref System [1..1]]
                   Dependent[ref SAProposal[0..n] [weak]]

7.8.1. The Reference Antecedent

   The property Antecedent is inherited from the PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SAProposal instance MUST be associated with one and
   only one System instance.

7.8.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SAProposal instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SAProposal instances.

7.9. The Aggregation Class ContainedTransform

   The class ContainedTransform associates an IPsecProposal with the set
   of SATransforms that make up the proposal.  If multiple transforms of
   the same type are in a proposal, then they are to be logically ORed
   and the order of preference is dictated by the SequenceNumber
   property.  Sets of transforms of different types are logically ANDed.

   For example, if the ordered proposal list were

      ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) }
      AH  = { MD5, SHA-1 }

   then the one sending the proposal would want the other side to pick
   one from the ESP transform list (preferably (HMAC-MD5, 3DES)) AND one
   from the AH transform list (preferably MD5).

   The class definition for ContainedTransform is as follows:

      NAME         ContainedTransform
      DESCRIPTION  Associates an IPsecProposal with the set of
                   SATransforms that make up the proposal.
      DERIVED FROM PolicyComponent (see [PCIM])
      ABSTRACT     FALSE
      PROPERTIES   GroupComponent[ref IPsecProposal[0..n]]
                   PartComponent[ref SATransform[1..n]]
                   SequenceNumber

7.9.1. The Reference GroupComponent

   The property GroupComponent is inherited from PolicyComponent and is
   overridden to refer to an IPsecProposal instance.  The [0..n]
   cardinality indicates that an SATransform instance may be associated
   with zero or more IPsecProposal instances.

7.9.2. The Reference PartComponent

   The property PartComponent is inherited from PolicyComponent and is
   overridden to refer to an SATransform instance.  The [1..n]
   cardinality indicates that an IPsecProposal instance MUST be
   associated with at least one SATransform instance.

7.9.3. The Property SequenceNumber

   The property SequenceNumber specifies the order of preference for the
   SATransforms of the same type.  The property is defined as follows:

      NAME         SequenceNumber
      DESCRIPTION  Specifies the preference order for the SATransforms
                   of the same type.
      SYNTAX       unsigned 16-bit integer
      VALUE        Lower-valued transforms are preferred over transforms
                   of the same type with higher values.  For
                   ContainedTransforms that reference the same
                   IPsecProposal, SequenceNumber values must be unique.
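
   The OR/AND semantics of ContainedTransform and SequenceNumber above,
   together with the power-of-two replay window assumption of sections
   7.5.3 and 7.6.6, as an added Python example that is not part of
   RFC 3585.  The dataclasses mirror the SATransform classes of section 7;
   the sample links rebuild the ESP/AH proposal list from this section,
   with transform identifiers taken from [DOI].

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SATransform:
    """Abstract SATransform of section 7.4: the properties common to all."""
    common_name: str
    vendor_id: str = ""            # empty means a standard transform (7.4.2)
    max_lifetime_seconds: int = 0
    max_lifetime_kilobytes: int = 0

@dataclass(frozen=True)
class AHTransform(SATransform):
    ah_transform_id: int = 0       # AH_MD5 = 2, AH_SHA = 3 per [DOI]
    use_replay_prevention: bool = True
    replay_prevention_window_size: int = 64

@dataclass(frozen=True)
class ESPTransform(SATransform):
    integrity_transform_id: int = 0   # HMAC-MD5 = 1 per [DOI]
    cipher_transform_id: int = 0      # ESP_DES = 2, ESP_3DES = 3 per [DOI]
    cipher_key_length: int = 0        # ignored for fixed-length-key ciphers
    cipher_key_rounds: int = 0
    use_replay_prevention: bool = True
    replay_prevention_window_size: int = 64

@dataclass(frozen=True)
class ContainedTransform:
    """One link of the ContainedTransform aggregation (section 7.9)."""
    group_component: str              # name of the IPsecProposal
    part_component: SATransform
    sequence_number: int


def validate_contained_transforms(proposal: str,
                                  links: List[ContainedTransform]) -> List[str]:
    """Cardinality and SequenceNumber rules of 7.9.2 and 7.9.3, plus the
    power-of-two replay window assumption of 7.5.3 and 7.6.6."""
    issues: List[str] = []
    mine = [l for l in links if l.group_component == proposal]
    if not mine:
        issues.append(f"{proposal}: PartComponent [1..n] needs at least one transform")
    seqs = [l.sequence_number for l in mine]
    if len(seqs) != len(set(seqs)):
        issues.append(f"{proposal}: SequenceNumber values are not unique")
    for l in mine:
        t = l.part_component
        if getattr(t, "use_replay_prevention", False):
            w = t.replay_prevention_window_size
            if w <= 0 or w & (w - 1):
                issues.append(f"{t.common_name}: window size {w} is not a power of 2")
    return issues


def ordered_transforms(proposal: str,
                       links: List[ContainedTransform]) -> Dict[str, List[SATransform]]:
    """Group a proposal's transforms by type, each list in preference order
    (lowest SequenceNumber first).  Alternatives within one list are ORed;
    the lists of different types are ANDed."""
    by_type: Dict[str, List[SATransform]] = {}
    for l in sorted((l for l in links if l.group_component == proposal),
                    key=lambda l: l.sequence_number):
        by_type.setdefault(type(l.part_component).__name__, []).append(l.part_component)
    return by_type


def selection_satisfies(by_type: Dict[str, List[SATransform]],
                        selection: Dict[str, SATransform]) -> bool:
    """A responder's choice is acceptable only if it picks one transform of
    every type offered (AND) and each pick is one of that type's
    alternatives (OR)."""
    if set(selection) != set(by_type):
        return False
    return all(selection[t] in alts for t, alts in by_type.items())


def preferred_selection(by_type: Dict[str, List[SATransform]]) -> Dict[str, SATransform]:
    """The initiator's preferred outcome: the first alternative of each type."""
    return {t: alts[0] for t, alts in by_type.items()}


# Constructed sample reproducing the section 7.9 example:
#   ESP = { (HMAC-MD5, 3DES), (HMAC-MD5, DES) },  AH = { MD5, SHA-1 }
SAMPLE_LINKS = [
    ContainedTransform("prop-a", ESPTransform("esp-hmacmd5-3des",
                       integrity_transform_id=1, cipher_transform_id=3), 1),
    ContainedTransform("prop-a", ESPTransform("esp-hmacmd5-des",
                       integrity_transform_id=1, cipher_transform_id=2), 2),
    ContainedTransform("prop-a", AHTransform("ah-md5", ah_transform_id=2), 3),
    ContainedTransform("prop-a", AHTransform("ah-sha1", ah_transform_id=3), 4),
]
```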

7.10. The Association Class SATransformInSystem

   The class SATransformInSystem weakly associates SATransforms with a
   System.  The class definition for SATransformInSystem is as follows:

      NAME         SATransformInSystem
      DESCRIPTION  Weakly associates SATransforms with a System.
      DERIVED FROM PolicyInSystem (see [PCIM])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent[ref System[1..1]]
                   Dependent[ref SATransform[0..n] [weak]]

7.10.1. The Reference Antecedent

   The property Antecedent is inherited from PolicyInSystem and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that an SATransform instance MUST be associated with one
   and only one System instance.

7.10.2. The Reference Dependent

   The property Dependent is inherited from PolicyInSystem and is
   overridden to refer to an SATransform instance.  The [0..n]
   cardinality indicates that a System instance may be associated with
   zero or more SATransform instances.

8. IKE Service and Identity Classes

                +--------------+           +-------------------+
                |    System    |           | PeerIdentityEntry |
                |  ([CIMCORE]) |           +-------------------+
                +--------------+                     |*w
                      1| (a)                 (b)     |
                       +---+            +------------+
                           |            |
                           |*w        1 o
   +-------------+     +-------------------+    +---------------------+
   | PeerGateway |     | PeerIdentityTable |    | AutostartIKESetting |
   +-------------+     +-------------------+    +---------------------+
        *|                          *|               *|    *|
         +----------------------+    |(d)  +----------+     |
                  (c)          *|   *|    *|     (e)        |
                              *+------------+*              |(f)
             +-----------------| IKEService |-----+         |
             |      (g)        +------------+     |(h)      |
         0..1|                      *|           *|        *o
   +--------------------+            |    +---------------------------+
   | IPProtocolEndpoint |            |    | AutostartIKEConfiguration |
   |  ([CIMNETWORK])    |         (i)|    +---------------------------+
   +--------------------+            |
      0..1|                          |
          |(j)                       +----------------+
         *|                                           |*
   +-------------+* (k)  +------------+ +-----------------------------+
   | IKEIdentity |-------| Collection | | CredentialManagementService |
   +-------------+   0..1| ([CIMCORE])| |         ([CIMUSER])         |
         *|              +------------+ +-----------------------------+
          |(l)
         *|
   +--------------+
   |  Credential  |
   |  ([CIMUSER]) |
   +--------------+

      (a)  HostedPeerIdentityTable
      (b)  PeerIdentityMember
      (c)  IKEServicePeerGateway
      (d)  IKEServicePeerIdentityTable
      (e)  IKEAutostartSetting
      (f)  AutostartIKESettingContext
      (g)  IKEServiceForEndpoint
      (h)  IKEAutostartConfiguration
      (i)  IKEUsesCredentialManagementService
      (j)  EndpointHasLocalIKEIdentity
      (k)  CollectionHasLocalIKEIdentity
      (l)  IKEIdentitysCredential

   This portion of the model contains additional information that is
   useful in applying the policy.  The IKEService class MAY be used to
   represent the IKE negotiation function in a system.  The IKEService
   uses the various tables that contain information about IKE peers as
   well as the configuration for specifying security associations that
   are started automatically.  The information in the PeerGateway,
   PeerIdentityTable and related classes is necessary to completely
   specify the policies.

   An interface (represented by an IPProtocolEndpoint) has an IKEService
   that provides the negotiation services for that interface.  That
   service MAY also have a list of security associations automatically
   started at the time the IKE service is initialized.

   The IKEService also has a set of identities that it may use in
   negotiations with its peers.  Those identities are associated with
   the interfaces (or collections of interfaces).

8.1. The Class IKEService

   The class IKEService represents the IKE negotiation function.  An
   instance of this service may provide that negotiation service for one
   or more interfaces (represented by the IPProtocolEndpoint class) of a
   System.  There may be multiple instances of IKE services on a System
   but only one per interface.  The class definition for IKEService is
   as follows:

      NAME         IKEService
      DESCRIPTION  IKEService is used to represent the IKE negotiation
                   function.
      DERIVED FROM Service (see [CIMCORE])
      ABSTRACT     FALSE

8.2. The Class PeerIdentityTable

   The class PeerIdentityTable aggregates the table entries that provide
   mappings between identities and their addresses.  The class
   definition for PeerIdentityTable is as follows:

      NAME         PeerIdentityTable
      DESCRIPTION  PeerIdentityTable aggregates PeerIdentityEntry
                   instances to provide a table of identity-address
                   mappings.
      DERIVED FROM Collection (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Name

8.2.1. The Property Name

   The property Name uniquely identifies the table.  The property is
   defined as follows:

      NAME         Name
      DESCRIPTION  Name uniquely identifies the table.
      SYNTAX       string

8.3. The Class PeerIdentityEntry

   The class PeerIdentityEntry specifies the mapping between a peer's
   identity and its IP address.  The class definition for
   PeerIdentityEntry is as follows:

      NAME         PeerIdentityEntry
      DESCRIPTION  PeerIdentityEntry provides a mapping between a peer's
                   identity and address.
      DERIVED FROM LogicalElement (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   PeerIdentity
                   PeerIdentityType
                   PeerAddress
                   PeerAddressType

   The pre-shared key to be used with this peer (if applicable) is
   contained in an instance of the class SharedSecret (see [CIMUSER]).
   The pre-shared key itself is stored in the property Secret; the
   property protocol contains "IKE"; the property algorithm contains the
   algorithm used to protect the secret (which can be "PLAINTEXT" if the
   IPsec entity has no secret storage); and the value of the property
   RemoteID must match the PeerIdentity property of the PeerIdentityEntry
   instance describing the IKE peer.

8.3.1. The Property PeerIdentity

   The property PeerIdentity contains a string encoding of the Identity
   payload for the IKE peer.  The property is defined as follows:

      NAME         PeerIdentity
      DESCRIPTION  The PeerIdentity is the ID payload of a peer.
      SYNTAX       string

8.3.2. The Property PeerIdentityType

   The property PeerIdentityType is an enumeration that specifies the
   type of the PeerIdentity.  The property is defined as follows:

      NAME         PeerIdentityType
      DESCRIPTION  PeerIdentityType is the type of the ID payload of a
                   peer.
      SYNTAX       unsigned 16-bit integer
      VALUE        The enumeration values are specified in [DOI] section
                   4.6.2.1.

8.3.3. The Property PeerAddress

   The property PeerAddress specifies the string representation of the
   IP address of the peer formatted according to the appropriate
   convention as defined in the PeerAddressType property (e.g., dotted
   decimal notation).  The property is defined as follows:

      NAME         PeerAddress
      DESCRIPTION  PeerAddress is the address of the peer with the ID
                   payload.
      SYNTAX       string
      VALUE        String representation of an IPv4 or IPv6 address.

8.3.4. The Property PeerAddressType

   The property PeerAddressType specifies the format of the PeerAddress
   property value.  The property is defined as follows:

      NAME         PeerAddressType
      DESCRIPTION  PeerAddressType is the type of address in
                   PeerAddress.
      SYNTAX       unsigned 16-bit integer
      VALUE        0 - Unknown
                   1 - IPv4
                   2 - IPv6

8.4. The Class AutostartIKEConfiguration

   The class AutostartIKEConfiguration groups AutostartIKESetting
   instances into configuration sets.  When applied, the settings cause
   an IKE service to automatically start (negotiate or statically set as
   appropriate) the Security Associations.  The class definition for
   AutostartIKEConfiguration is as follows:

      NAME         AutostartIKEConfiguration
      DESCRIPTION  A configuration set of AutostartIKESetting instances
                   to be automatically started by the IKE service.
      DERIVED FROM SystemConfiguration (see [CIMCORE])
      ABSTRACT     FALSE

8.5. The Class AutostartIKESetting

   The class AutostartIKESetting is used to automatically initiate IKE
   negotiations with peers (or statically create an SA) as specified in
   the AutostartIKESetting properties.  Appropriate actions are
   initiated according to the policy that matches the setting
   parameters.  The class definition for AutostartIKESetting is as
   follows:

      NAME         AutostartIKESetting
      DESCRIPTION  AutostartIKESetting is used to automatically initiate
                   IKE negotiations with peers or statically create an
                   SA.
      DERIVED FROM SystemSetting (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Phase1Only
                   AddressType
                   SourceAddress
                   SourcePort
                   DestinationAddress
                   DestinationPort
                   Protocol

8.5.1. The Property Phase1Only

   The property Phase1Only is used to limit the IKE negotiation to a
   phase 1 SA establishment only.  When set to False, both phase 1 and
   phase 2 SAs are negotiated.  The property is defined as follows:

      NAME         Phase1Only
      DESCRIPTION  Used to indicate whether a phase 1 only or both phase
                   1 and phase 2 security associations should attempt
                   establishment.
      SYNTAX       boolean
      VALUE        true - attempt to establish a phase 1 security
                   association
                   false - attempt to establish phase 1 and phase 2
                   security associations

8.5.2. The Property AddressType

   The property AddressType specifies the type of the addresses in the
   SourceAddress and DestinationAddress properties.  The property is
   defined as follows:

      NAME         AddressType
      DESCRIPTION  AddressType is the type of address in SourceAddress
                   and DestinationAddress properties.
      SYNTAX       unsigned 16-bit integer
      VALUE        0 - Unknown
                   1 - IPv4
                   2 - IPv6

8.5.3. The Property SourceAddress

   The property SourceAddress specifies the dotted-decimal or colon-
   decimal formatted IP address used as the source address in comparing
   with policy filter entries and used in any phase 2 negotiations.  The
   property is defined as follows:

      NAME         SourceAddress
      DESCRIPTION  The source address to compare with the filters to
                   determine the appropriate policy rule.
      SYNTAX       string
      VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.4. The Property SourcePort

   The property SourcePort specifies the port number used as the source
   port in comparing policy filter entries and is used in any phase 2
   negotiations.  The property is defined as follows:

      NAME         SourcePort
      DESCRIPTION  The source port to compare with the filters to
                   determine the appropriate policy rule.
      SYNTAX       unsigned 16-bit integer

8.5.5. The Property DestinationAddress

   The property DestinationAddress specifies the dotted-decimal or
   colon-decimal formatted IP address used as the destination address in
   comparing policy filter entries and is used in any phase 2
   negotiations.  The property is defined as follows:

      NAME         DestinationAddress
      DESCRIPTION  The destination address to compare with the filters
                   to determine the appropriate policy rule.

      SYNTAX       string
      VALUE        dotted-decimal or colon-decimal formatted IP address

8.5.6. The Property DestinationPort

   The property DestinationPort specifies the port number used as the
   destination port in comparing policy filter entries and is used in
   any phase 2 negotiations.  The property is defined as follows:

      NAME         DestinationPort
      DESCRIPTION  The destination port to compare with the filters to
                   determine the appropriate policy rule.
      SYNTAX       unsigned 16-bit integer

8.5.7. The Property Protocol

   The property Protocol specifies the protocol number used in comparing
   with policy filter entries and is used in any phase 2 negotiations.
   The property is defined as follows:

      NAME         Protocol
      DESCRIPTION  The protocol number used in comparing policy
                   filter entries.
      SYNTAX       unsigned 8-bit integer
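
   The following is a worked example added to this page; it is not text
   or code from RFC 3585.  It checks the value-range and address-family
   consistency rules stated for AutostartIKESetting in sections 8.5.2 to
   8.5.7 and, with the same helper, the PeerAddress/PeerAddressType pair
   of section 8.3.3/8.3.4.  The class and function names, and the sample
   setting, are this example's own.  An address whose textual form does
   not agree with its declared type (or whose type is Unknown) cannot be
   compared reliably with policy filter entries, so it is reported rather
   than silently accepted.

```python
"""Consistency checks for the selectors of an AutostartIKESetting
(RFC 3585 section 8.5) and the PeerAddress/PeerAddressType pair of a
PeerIdentityEntry (sections 8.3.3 and 8.3.4).  Added example, not RFC
text; the class and function names are this example's own."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# AddressType (8.5.2) and PeerAddressType (8.3.4) share this enumeration.
ADDR_UNKNOWN, ADDR_IPV4, ADDR_IPV6 = 0, 1, 2


@dataclass(frozen=True)
class AutostartIKESetting:
    phase1_only: bool
    address_type: int
    source_address: str
    source_port: int
    destination_address: str
    destination_port: int
    protocol: int


def check_address(addr: str, addr_type: int) -> Optional[str]:
    """Return None when addr is a textual IPv4/IPv6 address whose family
    matches addr_type, otherwise a short reason.  ADDR_UNKNOWN is rejected
    on purpose: a selector of unknown family cannot be compared with
    policy filter entries."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return f"{addr!r} is not an IPv4 or IPv6 address literal"
    expected = ADDR_IPV4 if ip.version == 4 else ADDR_IPV6
    if addr_type != expected:
        return f"{addr!r} is IPv{ip.version} but the address type is {addr_type}"
    return None


def check_peer_address(peer_address: str, peer_address_type: int) -> Optional[str]:
    """PeerIdentityEntry.PeerAddress must agree with PeerAddressType."""
    return check_address(peer_address, peer_address_type)


def validate_setting(s: AutostartIKESetting) -> list[str]:
    """Collect every violation of the ranges stated in 8.5.2 to 8.5.7."""
    problems: list[str] = []
    for label, addr in (("SourceAddress", s.source_address),
                        ("DestinationAddress", s.destination_address)):
        err = check_address(addr, s.address_type)
        if err:
            problems.append(f"{label}: {err}")
    for label, port in (("SourcePort", s.source_port),
                        ("DestinationPort", s.destination_port)):
        if not 0 <= port <= 0xFFFF:          # unsigned 16-bit integer
            problems.append(f"{label}: {port} is not a 16-bit port number")
    if not 0 <= s.protocol <= 0xFF:          # unsigned 8-bit integer
        problems.append(f"Protocol: {s.protocol} is not an 8-bit protocol number")
    return problems


if __name__ == "__main__":
    # Constructed sample: an IPv6 source address declared as IPv4, plus an
    # out-of-range destination port and protocol number.
    bad = AutostartIKESetting(False, ADDR_IPV4, "2001:db8::1", 500,
                              "198.51.100.20", 70000, 300)
    for problem in validate_setting(bad):
        print(problem)
```

   The same check_address helper serves both classes because the two
   type enumerations are identical; a management application would run
   it before handing a setting to the IKE service, not after a failed
   negotiation.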

8.6. The Class IKEIdentity

   The class IKEIdentity is used to represent the identities that may be
   used for an IPProtocolEndpoint (or collection of IPProtocolEndpoints)
   to identify the IKE Service in IKE phase 1 negotiations.  The policy
   IKEAction.UseIKEIdentityType specifies which type of the available
   identities to use in a negotiation exchange and the
   IKERule.IdentityContexts specifies the match values to be used, along
   with the local address, in selecting the appropriate identity for a
   negotiation.  The ElementID property value (defined in the parent
   class, UsersAccess) should be that of either the IPProtocolEndpoint
   or Collection of endpoints as appropriate.  The class definition for
   IKEIdentity is as follows:

      NAME         IKEIdentity
      DESCRIPTION  IKEIdentity is used to represent the identities that
                   may be used for an IPProtocolEndpoint (or collection
                   of IPProtocolEndpoints) to identify the IKE Service
                   in IKE phase 1 negotiations.
      DERIVED FROM UsersAccess (see [CIMUSER])
      ABSTRACT     FALSE

      PROPERTIES   IdentityType
                   IdentityValue
                   IdentityContexts

8.6.1. The Property IdentityType

   The property IdentityType is an enumeration that specifies the type
   of the IdentityValue.  The property is defined as follows:

      NAME         IdentityType
      DESCRIPTION  IdentityType is the type of the IdentityValue.
      SYNTAX       unsigned 16-bit integer
      VALUE        The enumeration values are specified in [DOI] section
                   4.6.2.1.

8.6.2. The Property IdentityValue

   The property IdentityValue contains a string encoding of the Identity
   payload.  For IKEIdentity instances that are address types (i.e.,
   IPv4 or IPv6 addresses), the IdentityValue string value MAY be
   omitted; then the associated IPProtocolEndpoint (or appropriate
   member of the Collection of endpoints) is used as the identity value.
   The property is defined as follows:

      NAME         IdentityValue
      DESCRIPTION  IdentityValue contains a string encoding of the
                   Identity payload.
      SYNTAX       string

8.6.3. The Property IdentityContexts

   The IdentityContexts property is used to constrain the use of
   IKEIdentity instances to match that specified in the
   IKERule.IdentityContexts.  The IdentityContexts are formatted as
   policy roles and role combinations [PCIM] & [PCIME].  Each value
   represents one context or context combination.  Since this is a
   multi-valued property, more than one context or combination of
   contexts can be associated with a single IKEIdentity.  Each value is
   a string of the form:

      <ContextName>[&&<ContextName>]*

   where the individual context names appear in alphabetical order
   (according to the collating sequence for UCS-2).  If one or more
   values in the IKERule.IdentityContexts array match one or more
   IKEIdentity.IdentityContexts, then the identity's context matches.
   (That is, the values of the IdentityContexts array are ORed
   conditions.)  In combination with the address of the

   IPProtocolEndpoint and IKEAction.UseIKEIdentityType, there SHOULD be
   exactly one IKEIdentity.  The property is defined as follows:

      NAME         IdentityContexts
      DESCRIPTION  The IKE service of a security endpoint may have
                   multiple identities for use in different situations.
                   The combination of the interface (represented by
                   the IPProtocolEndpoint), the identity type (as
                   specified in the IKEAction) and the IdentityContexts
                   selects a unique identity.
      SYNTAX       string array
      VALUE        string of the form <ContextName>[&&<ContextName>]*
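
   The following is a worked example added to this page; it is not text
   or code from RFC 3585.  It implements the selection rule of section
   8.6.3: canonical ordering of each <ContextName>[&&<ContextName>]*
   value, the ORed matching of IKERule.IdentityContexts against
   IKEIdentity.IdentityContexts, and the choice of exactly one
   IKEIdentity given the endpoint address and the identity type from
   IKEAction.UseIKEIdentityType.  Identities are attached either
   directly to an IPProtocolEndpoint or to a Collection of endpoints, as
   sections 8.16 and 8.17 require, and IdentityValue may be omitted for
   address types as section 8.6.2 allows.  The classes, function names
   and in-memory representation are this example's own.  Two assumptions
   are made: a rule value matches an identity value only when the two
   strings are equal after canonical ordering, and an empty
   IKERule.IdentityContexts array imposes no context constraint.

```python
"""Selecting the local IKEIdentity for a phase 1 negotiation from the
endpoint address, IKEAction.UseIKEIdentityType and IdentityContexts
(RFC 3585 sections 8.6.2, 8.6.3, 8.16, 8.17).  Added example, not RFC
text; classes, names and representation are this example's own."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Mapping, Optional

# A few [DOI] (RFC 2407, section 4.6.2.1) identity type values.
ID_IPV4_ADDR, ID_FQDN, ID_IPV6_ADDR, ID_DER_ASN1_DN = 1, 2, 5, 9
ADDRESS_TYPES = {ID_IPV4_ADDR, ID_IPV6_ADDR}


def normalize_context(value: str) -> str:
    """Validate one <ContextName>[&&<ContextName>]* value and return it with
    the names in UCS-2 collating order.  Sorting by the UTF-16-BE encoding
    orders names by 16-bit code unit, which is the UCS-2 sequence."""
    names = value.split("&&")
    if any(name == "" for name in names):
        raise ValueError(f"empty context name in {value!r}")
    return "&&".join(sorted(names, key=lambda n: n.encode("utf-16-be")))


def contexts_match(rule_contexts: Iterable[str],
                   identity_contexts: Iterable[str]) -> bool:
    """Each array value is an ORed condition: one shared value is a match."""
    rule = {normalize_context(v) for v in rule_contexts}
    if not rule:
        return True      # assumption: an empty rule array means no constraint
    return not rule.isdisjoint(normalize_context(v) for v in identity_contexts)


@dataclass(frozen=True)
class IKEIdentity:
    identity_type: int
    identity_value: Optional[str]        # may be omitted for address types
    identity_contexts: tuple[str, ...]
    endpoint: Optional[str] = None       # EndpointHasLocalIKEIdentity
    collection: Optional[str] = None     # CollectionHasLocalIKEIdentity

    def __post_init__(self) -> None:
        # 8.16/8.17: exactly one of the two associations MUST be present.
        if (self.endpoint is None) == (self.collection is None):
            raise ValueError("attach to exactly one endpoint or collection")


def identity_value_for(ident: IKEIdentity, local_address: str) -> str:
    """IdentityValue may be omitted only for address types; the endpoint
    address is then the identity value (8.6.2)."""
    if ident.identity_value is not None:
        return ident.identity_value
    if ident.identity_type in ADDRESS_TYPES:
        return local_address
    raise ValueError("IdentityValue is required for non-address types")


def select_identity(identities: Iterable[IKEIdentity], local_address: str,
                    collections: Mapping[str, set[str]],
                    use_identity_type: int,
                    rule_contexts: Iterable[str]) -> IKEIdentity:
    """Return the one IKEIdentity usable on local_address for the given
    type and rule contexts.  The RFC says there SHOULD be exactly one;
    zero or several is refused rather than guessed, because the identity
    presented also selects the credential (IKEIdentitysCredential)."""
    rule_contexts = list(rule_contexts)
    matches = []
    for ident in identities:
        attached = ident.endpoint == local_address or (
            ident.collection is not None
            and local_address in collections.get(ident.collection, set()))
        if (attached and ident.identity_type == use_identity_type
                and contexts_match(rule_contexts, ident.identity_contexts)):
            matches.append(ident)
    if len(matches) != 1:
        raise LookupError(
            f"{len(matches)} IKEIdentity instances match on {local_address}")
    return matches[0]
```

   With the example's data a rule carrying both "branch" and "partner"
   selects two FQDN identities on the same endpoint, which is exactly the
   ambiguity the SHOULD in section 8.6.3 is meant to rule out; raising in
   that case surfaces the configuration error instead of negotiating
   under whichever identity happened to be listed first.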

8.7. The Association Class HostedPeerIdentityTable

   The class HostedPeerIdentityTable provides the name scoping
   relationship for PeerIdentityTable entries in a System.  The
   PeerIdentityTable is weak to the System.  The class definition for
   HostedPeerIdentityTable is as follows:

      NAME         HostedPeerIdentityTable
      DESCRIPTION  The PeerIdentityTable instances are weak (name scoped
                   by) the owning System.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref System[1..1]]
                   Dependent [ref PeerIdentityTable[0..n] [weak]]

8.7.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a System instance.  The [1..1] cardinality
   indicates that a PeerIdentityTable instance MUST be associated in a
   weak relationship with one and only one System instance.

8.7.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to a PeerIdentityTable instance.  The [0..n] cardinality
   indicates that a System instance may be associated with zero or more
   PeerIdentityTable instances.

8.8. The Aggregation Class PeerIdentityMember

   The class PeerIdentityMember aggregates PeerIdentityEntry instances
   into a PeerIdentityTable.  This is a weak aggregation.  The class
   definition for PeerIdentityMember is as follows:

      NAME         PeerIdentityMember
      DESCRIPTION  PeerIdentityMember aggregates PeerIdentityEntry
                   instances into a PeerIdentityTable.
      DERIVED FROM MemberOfCollection (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Collection [ref PeerIdentityTable[1..1]]
                   Member [ref PeerIdentityEntry [0..n] [weak]]

8.8.1. The Reference Collection

   The property Collection is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityTable instance.  The [1..1]
   cardinality indicates that a PeerIdentityEntry instance MUST be
   associated with one and only one PeerIdentityTable instance (i.e.,
   PeerIdentityEntry instances are not shared across
   PeerIdentityTables).

8.8.2. The Reference Member

   The property Member is inherited from MemberOfCollection and is
   overridden to refer to a PeerIdentityEntry instance.  The [0..n]
   cardinality indicates that a PeerIdentityTable instance may be
   associated with zero or more PeerIdentityEntry instances.

8.9. The Association Class IKEServicePeerGateway

   The class IKEServicePeerGateway provides the association between an
   IKEService and the list of PeerGateway instances that it uses in
   negotiating with security gateways.  The class definition for
   IKEServicePeerGateway is as follows:

      NAME         IKEServicePeerGateway
      DESCRIPTION  Associates an IKEService and the list of PeerGateway
                   instances that it uses in negotiating with security
                   gateways.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref PeerGateway[0..n]]
                   Dependent [ref IKEService[0..n]]

8.9.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerGateway instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerGateway instances.

8.9.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a PeerGateway instance may be associated with zero or more
   IKEService instances.

8.10. The Association Class IKEServicePeerIdentityTable

   The class IKEServicePeerIdentityTable provides the relationship
   between an IKEService and a PeerIdentityTable that it uses to map
   between addresses and identities as required.  The class definition
   for IKEServicePeerIdentityTable is as follows:

      NAME         IKEServicePeerIdentityTable
      DESCRIPTION  IKEServicePeerIdentityTable provides the relationship
                   between an IKEService and a PeerIdentityTable that it
                   uses.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref PeerIdentityTable[0..n]]
                   Dependent [ref IKEService[0..n]]

8.10.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a PeerIdentityTable instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more PeerIdentityTable instances.

8.10.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a PeerIdentityTable instance may be associated with zero or more
   IKEService instances.

8.11. The Association Class IKEAutostartSetting

   The class IKEAutostartSetting associates an AutostartIKESetting with
   an IKEService that may use it to automatically start an IKE
   negotiation or create a static SA.  The class definition for
   IKEAutostartSetting is as follows:

      NAME         IKEAutostartSetting
      DESCRIPTION  Associates an AutostartIKESetting with an IKEService.
      DERIVED FROM ElementSetting (see [CIMCORE])
      ABSTRACT     FALSE

      PROPERTIES   Element [ref IKEService[0..n]]
                   Setting [ref AutostartIKESetting[0..n]]

8.11.1. The Reference Element

   The property Element is inherited from ElementSetting and is
   overridden to refer to an IKEService instance.  The [0..n]
   cardinality indicates an AutostartIKESetting instance may be
   associated with zero or more IKEService instances.

8.11.2. The Reference Setting

   The property Setting is inherited from ElementSetting and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an IKEService instance may be associated
   with zero or more AutostartIKESetting instances.

8.12. The Aggregation Class AutostartIKESettingContext

   The class AutostartIKESettingContext aggregates the settings used to
   automatically start negotiations or create a static SA into a
   configuration set.  The class definition for
   AutostartIKESettingContext is as follows:

      NAME         AutostartIKESettingContext
      DESCRIPTION  AutostartIKESettingContext aggregates the
                   AutostartIKESetting instances into a configuration
                   set.
      DERIVED FROM SystemSettingContext (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Context [ref AutostartIKEConfiguration [0..n]]
                   Setting [ref AutostartIKESetting [0..n]]
                   SequenceNumber

8.12.1. The Reference Context

   The property Context is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an AutostartIKESetting instance may
   be associated with zero or more AutostartIKEConfiguration instances
   (i.e., a setting may be in multiple configuration sets).

8.12.2. The Reference Setting

   The property Setting is inherited from SystemSettingContext and is
   overridden to refer to an AutostartIKESetting instance.  The [0..n]
   cardinality indicates that an AutostartIKEConfiguration instance may
   be associated with zero or more AutostartIKESetting instances.

8.12.3. The Property SequenceNumber

   The property SequenceNumber specifies the ordering to be used when
   starting negotiations or creating a static SA.  A zero value
   indicates that order is not significant and settings may be applied
   in parallel with other settings.  All other settings in the
   configuration are executed in sequence from lower to higher values.
   Sequence numbers need not be unique in an AutostartIKEConfiguration
   and order is not significant for settings with the same sequence
   number.  The property is defined as follows:

      NAME         SequenceNumber
      DESCRIPTION  The sequence in which the settings are applied
                   within a configuration set.
      SYNTAX       unsigned 16-bit integer
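
   The following is a worked example added to this page; it is not text
   or code from RFC 3585.  It turns the SequenceNumber semantics above
   into a start order for the settings of one configuration set: zero
   means the setting may run alongside anything else, all other settings
   run from lower to higher value, and settings that share a value have
   no order among themselves.  The function name and the
   (sequence_number, setting) pair representation are this example's
   own; the sequence number is taken from the aggregation rather than
   from the setting because, per section 8.12.1, one setting may sit in
   several configuration sets with a different position in each.

```python
"""Start order for the AutostartIKESetting instances of one
AutostartIKEConfiguration, driven by AutostartIKESettingContext.
SequenceNumber (RFC 3585 section 8.12.3).  Added example, not RFC text;
the function name and pair representation are this example's own."""
from __future__ import annotations

from typing import Any, Iterable


def schedule_autostart(
        contexts: Iterable[tuple[int, Any]]) -> tuple[list[Any], list[list[Any]]]:
    """Split the settings of one configuration set into what may run in
    parallel and what must run in order.

    Returns (parallel, ordered).  `parallel` holds the settings whose
    sequence number is 0; they may be started alongside anything else.
    `ordered` is a list of batches, one per distinct non-zero sequence
    number from lowest to highest.  Settings inside a batch share a
    number, so their relative order is not significant."""
    parallel: list[Any] = []
    batches: dict[int, list[Any]] = {}
    for seq, setting in contexts:
        if not 0 <= seq <= 0xFFFF:          # unsigned 16-bit integer
            raise ValueError(f"SequenceNumber {seq} is out of range")
        if seq == 0:
            parallel.append(setting)
        else:
            batches.setdefault(seq, []).append(setting)
    ordered = [batches[seq] for seq in sorted(batches)]
    return parallel, ordered


if __name__ == "__main__":
    # Constructed sample: settings named by the SA they would start.
    sample = [(2, "hub-to-branch-a"), (0, "monitor-sa"), (1, "hub-to-core"),
              (2, "hub-to-branch-b"), (0, "backup-sa"), (5, "partner-sa")]
    parallel, ordered = schedule_autostart(sample)
    print("any time:", parallel)
    for n, batch in enumerate(ordered, 1):
        print(f"batch {n}:", batch)
```

   An IKE service would start each batch, wait for its negotiations to
   complete, and only then move to the next, while the zero-numbered
   settings are started whenever convenient.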

8.13. The Association Class IKEServiceForEndpoint

   The class IKEServiceForEndpoint provides the association showing
   which IKE service, if any, provides IKE negotiation services for
   which network interfaces.  The class definition for
   IKEServiceForEndpoint is as follows:

      NAME         IKEServiceForEndpoint
      DESCRIPTION  Associates an IPProtocolEndpoint with an IKEService
                   that provides negotiation services for the endpoint.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref IKEService[0..1]]
                   Dependent [ref IPProtocolEndpoint[0..n]]

8.13.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an IKEService instance.  The [0..1]
   cardinality indicates that an IPProtocolEndpoint instance MUST be
   associated with at most one IKEService instance.

8.13.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IPProtocolEndpoint that is associated with at most one
   IKEService.  The [0..n] cardinality indicates an IKEService instance
   may be associated with zero or more IPProtocolEndpoint instances.

8.14. The Association Class IKEAutostartConfiguration

   The class IKEAutostartConfiguration provides the relationship between
   an IKEService and a configuration set that it uses to automatically
   start a set of SAs.  The class definition for
   IKEAutostartConfiguration is as follows:

      NAME         IKEAutostartConfiguration
      DESCRIPTION  IKEAutostartConfiguration provides the relationship
                   between an IKEService and an
                   AutostartIKEConfiguration that it uses to
                   automatically start a set of SAs.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref AutostartIKEConfiguration [0..n]]
                   Dependent [ref IKEService [0..n]]
                   Active

8.14.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to an AutostartIKEConfiguration instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more AutostartIKEConfiguration instances.

8.14.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that an AutostartIKEConfiguration instance may be associated with
   zero or more IKEService instances.

8.14.3. The Property Active

   The property Active indicates whether the AutostartIKEConfiguration
   set is currently active for the associated IKEService.  That is, at
   boot time, the active configuration is used to automatically start
   IKE negotiations and create static SAs.  The property is defined as
   follows:

      NAME         Active
      DESCRIPTION  Active indicates whether the
                   AutostartIKEConfiguration set is currently active for
                   the associated IKEService.
      SYNTAX       boolean

      VALUE        true - AutostartIKEConfiguration is currently active
                   for associated IKEService.
                   false - AutostartIKEConfiguration is currently
                   inactive for associated IKEService.

8.15. The Association Class IKEUsesCredentialManagementService

   The class IKEUsesCredentialManagementService defines the set of
   CredentialManagementService(s) that are trusted sources of
   credentials for IKE phase 1 negotiations.  The class definition for
   IKEUsesCredentialManagementService is as follows:

      NAME         IKEUsesCredentialManagementService
      DESCRIPTION  Associates the set of CredentialManagementService(s)
                   that are trusted by the IKEService as sources of
                   credentials used in IKE phase 1 negotiations.
      DERIVED FROM Dependency (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref CredentialManagementService [0..n]]
                   Dependent [ref IKEService [0..n]]

8.15.1. The Reference Antecedent

   The property Antecedent is inherited from Dependency and is
   overridden to refer to a CredentialManagementService instance.  The
   [0..n] cardinality indicates that an IKEService instance may be
   associated with zero or more CredentialManagementService instances.

8.15.2. The Reference Dependent

   The property Dependent is inherited from Dependency and is overridden
   to refer to an IKEService instance.  The [0..n] cardinality indicates
   that a CredentialManagementService instance may be associated with
   zero or more IKEService instances.

8.16. The Association Class EndpointHasLocalIKEIdentity

   The class EndpointHasLocalIKEIdentity associates an
   IPProtocolEndpoint with a set of IKEIdentity instances that may be
   used in negotiating security associations on the endpoint.  An
   IKEIdentity MUST be associated with either an IPProtocolEndpoint
   using this association or with a Collection of IPProtocolEndpoint
   instances using the CollectionHasLocalIKEIdentity association.  The
   class definition for EndpointHasLocalIKEIdentity is as follows:

      NAME         EndpointHasLocalIKEIdentity
      DESCRIPTION  EndpointHasLocalIKEIdentity associates an
                   IPProtocolEndpoint with a set of IKEIdentity
                   instances.
      DERIVED FROM ElementAsUser (see [CIMUSER])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref IPProtocolEndpoint [0..1]]
                   Dependent [ref IKEIdentity [0..n]]

8.16.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to an IPProtocolEndpoint instance.  The [0..1]
   cardinality indicates that an IKEIdentity instance MUST be associated
   with at most one IPProtocolEndpoint instance.

8.16.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that an IPProtocolEndpoint instance may be
   associated with zero or more IKEIdentity instances.

8.17. The Association Class CollectionHasLocalIKEIdentity

   The class CollectionHasLocalIKEIdentity associates a Collection of
   IPProtocolEndpoint instances with a set of IKEIdentity instances that
   may be used in negotiating SAs for endpoints in the collection.  An
   IKEIdentity MUST be associated with either an IPProtocolEndpoint
   using the EndpointHasLocalIKEIdentity association or with a
   Collection of IPProtocolEndpoint instances using this association.
   The class definition for CollectionHasLocalIKEIdentity is as follows:

      NAME         CollectionHasLocalIKEIdentity
      DESCRIPTION  CollectionHasLocalIKEIdentity associates a collection
                   of IPProtocolEndpoint instances with a set of
                   IKEIdentity instances.
      DERIVED FROM ElementAsUser (see [CIMUSER])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref Collection [0..1]]
                   Dependent [ref IKEIdentity [0..n]]

8.17.1. The Reference Antecedent

   The property Antecedent is inherited from ElementAsUser and is
   overridden to refer to a Collection instance.  The [0..1] cardinality
   indicates that an IKEIdentity instance MUST be associated with at
   most one Collection instance.

8.17.2. The Reference Dependent

   The property Dependent is inherited from ElementAsUser and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that a Collection instance may be associated
   with zero or more IKEIdentity instances.

8.18. The Association Class IKEIdentitysCredential

   The class IKEIdentitysCredential is an association that relates a set
   of credentials to their corresponding local IKE Identities.  The
   class definition for IKEIdentitysCredential is as follows:

      NAME         IKEIdentitysCredential
      DESCRIPTION  IKEIdentitysCredential associates a set of
                   credentials to their corresponding local IKEIdentity.
      DERIVED FROM UsersCredential (see [CIMCORE])
      ABSTRACT     FALSE
      PROPERTIES   Antecedent [ref Credential [0..n]]
                   Dependent [ref IKEIdentity [0..n]]

8.18.1. The Reference Antecedent

   The property Antecedent is inherited from UsersCredential and is
   overridden to refer to a Credential instance.  The [0..n] cardinality
   indicates that an IKEIdentity instance may be associated with zero
   or more Credential instances.

8.18.2. The Reference Dependent

   The property Dependent is inherited from UsersCredential and is
   overridden to refer to an IKEIdentity instance.  The [0..n]
   cardinality indicates that a Credential instance may be associated
   with zero or more IKEIdentity instances.
